Does MPLS route traffic over internet?

jewedo828417539
Level 1

Hi all,

I have some questions regarding MPLS (which might be wrong or illogical in fact!), especially how the MPLS cloud actually works. Here they are:

1. My company has its Data Centre (DC) at Mumbai and we use MPLS for connecting the branch offices. Does the traffic from remote locations such as Delhi or Kolkata flow to the DC through something called 'MPLS over internet' or do the ISPs which maintain the MPLS cloud have any special means to connect the various provider routers across the country, separate from the internet?

2. I used to hear a lot about "clear crypto session" whenever there is a network failure. What exactly does "clear crypto session" do? Is it a feature of IPSec or MPLS?

Thanks in advance..

Jewed


6 Replies

balaji.bandi
Hall of Fame

1. MPLS is purely a service provider network (how they run it depends on their topology and on the network provider).

2. clear crypto session - do you do this task, or does the provider do it? If you are doing it, do you have an IPSEC VPN with your branch office?

BB

1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?

2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".

balaji.bandi
Hall of Fame

1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?

BB - We do not have information on how the provider will break out; it all depends on the provider, and you need to ask your provider this question.

In general, MPLS providers offer internet too (maybe on the same link or maybe on another link, depending on the requirement).

2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".

BB - You have not answered my original post: who does this task, the clear crypto? (Are you doing it personally at branch level, or is it done at head office, or by a provider?) If you or your head office are doing it, then you are running a VPN tunnel over MPLS; this looks like some config issue to me. We cannot confirm, as we have no visibility of your setup and how it is connected and configured. (You need to ask the HQ admin and see what answer you get.)

BB

"Clear crypto" is done by our network team at head office, when we inform them that we are not getting connected to the network. We at our branch office are not doing it because we don't have router access or the 'enable' password.

My question is, what does this "clear crypto session" do? Is it a feature of IPSec tunnels only?

balaji.bandi
Hall of Fame

clear crypto sa - This command deletes the active IPSec security associations between your branch office and head office to create a fresh tunnel session; that is when you are able to communicate with your HQ normally.

You can explore this for your own knowledge here; it is well documented for understanding IPSEC:

https://community.cisco.com/t5/security-documents/how-to-clear-isakmp-and-ipsec-sas-on-pix-firewalls-and-routers/ta-p/3126911

BB

Joseph W. Doherty
Hall of Fame

#1 No, generally you don't do MPLS over Internet, but the Internet might be running over MPLS. In fact, I suspect your WAN provider is really providing your company a L3 VPN over MPLS, i.e. your devices connecting to the "MPLS" probably aren't doing actual MPLS.

#2 Interesting! Why? I've done a bit of VPN, using IPSec, over the Internet, and routinely didn't need to clear crypto sessions. What the command does, as already noted by Balaji, is reset the crypto session(s). Effectively, it's starting over. Also it's related to IPSec, not MPLS.

BTW, MPLS is somewhat like L2 VLANs, in that a "tag" is attached to the frame/packet so that it may be forwarded, using switching techniques (fixed-length matching) rather than routing techniques (variable-length matching). It was originally designed to provide a way to "speed up" forwarding of L3 traffic. With current hardware, the improvement isn't nearly as great as it once was. However, because of the tag(s) (you can have multiple on a frame/packet), other interesting things can be done. For example, somewhat like, for L2 VLANs, Q-in-Q, but there's much more that can be done with MPLS.
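
The label "tag" described in the post above, shown as an added example that is not part of the original thread: a parser for the 32-bit MPLS label stack entry (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL, per RFC 3032), next to a longest-prefix route lookup for contrast. The label values, interface names and prefixes are constructed for illustration.

```python
import ipaddress
import struct

def build_entry(label, tc, bottom, ttl):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def parse_label_stack(data):
    """Return (entries, payload); entries run from the top label to the S=1 entry."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bottom": bool(word & 0x100), "ttl": word & 0xFF})
        if entries[-1]["bottom"]:
            return entries, data[offset:]

def label_lookup(lfib, entries):
    """Label switching: one exact-match lookup keyed on the fixed-length top label."""
    return lfib[entries[0]["label"]]

def route_lookup(rib, dst):
    """IP routing: longest-prefix match over prefixes of varying length."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        raise LookupError("no route")
    return rib[max(matches, key=lambda net: net.prefixlen)]

# Constructed sample: outer transport label 1001, inner label 30 (bottom of stack),
# followed by the first two bytes of an IPv4 header as payload.
SAMPLE = build_entry(1001, 0, False, 64) + build_entry(30, 0, True, 64) + b"\x45\x00"
LFIB = {1001: ("swap", 2002, "if1")}          # hypothetical label forwarding table
RIB = {ipaddress.ip_network("10.0.0.0/8"): "if1",   # hypothetical routing table
       ipaddress.ip_network("10.1.0.0/16"): "if2"}

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE)
    print([e["label"] for e in stack], payload.hex())
    print(label_lookup(LFIB, stack))
    print(route_lookup(RIB, "10.1.2.3"))
```
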
