Design validation for Internet over MPLS

Unanswered Question
May 29th, 2007

We have a network on an MPLS backbone with dual service providers.

There are 50 spoke locations.

DC and DR locations.

Topology is hub and spoke, with all sites accessing data hosted at the primary DC.

Also, in case of disaster, all the spoke sites will connect to the DR site.

Servers at the DR site are on unique IPs, and failover from DC to DR is taken care of by BGP routing intelligence.

The aim is to give controlled internet access to all the spoke sites from the DC, and in case of failure internet should be available from the DR site.

As per our design architecture, we are planning to upgrade the last-mile bandwidth and MPLS port of all spoke sites and the central site MPLS port bandwidth to give integrated access on the same last mile for all the locations.

Both types of traffic, private and public, will ride on the same MPLS backbone and come to the primary DC site CE router.

At the CE router we will segregate the traffic meant for the datacentre and the internet cloud.

We will also deploy a firewall and a separate internet router and proxy server for the proposed internet connectivity to control the spoke sites' traffic.

Is this a good design?

Please suggest, with configuration, how we are going to achieve this.

Also, currently we are using BGP between CE and PE; it should take care of the global routing meant for Internet traffic by flooding a default route across all the spoke sites.

Please find the existing architecture attached.

Any inputs on the same will be appreciated.


pankajkulkarni Tue, 05/29/2007 - 01:28


Could you explain a few aspects of the design -

1. Is VLAN 5 routed to SP1 and VLAN 1 through SP2? If yes, then does the end user need to change VLAN subscription in the event of failure?

2. Routing protocol used between the CE edge and the aggregation switch? How does the aggregation switch at the spoke location determine the optimal route to reach the DC?

3. Traffic from DC to DR will follow the BGP path, as eBGP has a lower admin distance than all IGPs. Use BGP "backdoor" to overcome this issue.

Kindly reply back.

HTH, Kindly rate all useful posts.
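To make point 3 concrete, here is an added illustration of the `backdoor` keyword on a DC CE router. It is not configuration from this thread or from the original poster's network; the addresses, AS numbers and the direct DC-DR link running OSPF are constructed assumptions.

```cisco
! Constructed example: DC CE router. Assumes the DR server block 10.20.0.0/16
! is learned twice: via eBGP from the SP1 PE (admin distance 20) and via OSPF
! over a direct DC-DR link (admin distance 110). Without "backdoor", the eBGP
! route wins and DC-to-DR traffic hairpins through the MPLS cloud.
router ospf 1
 network 10.10.0.0 0.0.255.255 area 0
 network 10.99.0.0 0.0.0.255 area 0          ! direct DC-DR link (assumed)
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65100          ! SP1 PE, eBGP (assumed addresses)
 network 10.10.0.0 mask 255.255.0.0          ! DC prefix advertised to the provider
 network 10.20.0.0 mask 255.255.0.0 backdoor
 ! "backdoor" raises the distance of the eBGP-learned 10.20.0.0/16 to 200 and
 ! does not advertise the prefix, so the OSPF path (110) is installed instead.
```

After applying it, `show ip route 10.20.0.0` should list the prefix as an `O` route with `[110/...]` rather than `B [20/...]`. The keyword only changes the local router's choice; the DR CE needs the mirror-image entry for the DC prefix, and if the direct link fails the eBGP path is still there as the fallback.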


deepakbihari Wed, 05/30/2007 - 01:01

Hi Pankaj,

On the L3 switch, PBR with multiple next-hop IPs is used to divert half the traffic via SP1 and the rest via SP2.

On the two routers at the customer remote site, BGP is used.

pankajkulkarni Wed, 05/30/2007 - 05:00


PBR isn't advised as it could result in high CPU utilization. Each forwarding decision is made by the CPU, bypassing other switching methods like CEF and fast switching configured on the router.

You might want to look at alternatives other than PBR.


swaroop.potdar Wed, 05/30/2007 - 10:59

As per your post you are looking for the solution to route internet via DC and on failure via DR.

To do this you can inject default routes from both DC and DR. In doing this, all the PEs in SP1 and SP2 will have 2 defaults in the VRF table for you, but only 1 would be installed based on the regular BGP path selection process.

To manipulate and select the default from DC, you can change any BGP path attribute and make the DC default favourable over the DR default.

I did not understand where you are doing PBR, but anyway PBR will work in sync with CEF without putting any load on your CPU since IOS 12.0. So you can run PBR wherever you are running it.

To answer whether this is a good design or not, more inputs would be required, as the current diagram is insufficient with legends, and the logic behind the creation of 3 VLANs in the diagram is not explained in the post.

It's not clear which site you are designating as the spoke site, as the remote sites box has dual routers and dual connections.

Since a good design of a network is more about what your data flow and business needs are, and then, based upon that, the technical design should meet the requirements put forth and scale as well at the same time. Here, if you agree, we don't have any of those inputs as well.
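The dual-default approach described above, as an added example that is not configuration from this thread or from the poster's network. It assumes 12.4-era IOS syntax, private AS 65001 at DC and 65002 at DR facing provider AS 65100, and constructed addresses for the PEs and the Internet-edge routers; one provider is shown per site, SP2 is configured the same way. The DC side ties its default to an IP SLA track so the DC default is withdrawn when the Internet edge is unreachable, and the DR side prepends its AS path so the provider prefers the DC default while both exist.

```cisco
! Constructed example, not from the thread. Addresses, AS numbers and the
! Internet-edge addresses are assumptions.
!
! ---- DC CE: originate the default only while the Internet edge is reachable
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1   ! assumed host beyond the DC Internet router
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 10.10.0.2 track 1     ! next hop = DC Internet router; removed when track 1 is down
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65100            ! SP1 PE (assumed)
 network 10.10.0.0 mask 255.255.0.0
 network 0.0.0.0 mask 0.0.0.0                  ! advertised only while the static default is in the RIB
!
! ---- DR CE: originate the same default, but make it less attractive
ip route 0.0.0.0 0.0.0.0 10.20.0.2             ! DR Internet router (assumed)
!
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
!
route-map DR_OUT permit 10
 match ip address prefix-list DEFAULT_ONLY
 set as-path prepend 65002 65002 65002          ! longer AS path loses best-path selection on the PE
route-map DR_OUT permit 20                       ! pass every other prefix unchanged
!
router bgp 65002
 neighbor 198.51.100.1 remote-as 65100          ! SP2 PE at DR (assumed)
 network 10.20.0.0 mask 255.255.0.0
 network 0.0.0.0 mask 0.0.0.0
 neighbor 198.51.100.1 route-map DR_OUT out
```

Two checks before relying on this: the PE compares the two defaults inside the customer VRF, and weight and local preference are evaluated before AS-path length, so confirm with both SPs that they honour prepends (or which BGP communities they offer for path preference); and `show ip bgp 0.0.0.0` on a spoke CE should show the DC-originated default as best while track 1 is up and the DR default after it goes down. The IP SLA probe only proves reachability of one address past the DC Internet router, so choose a target that genuinely represents Internet availability.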