MPLS scenario for enterprise/banks

Jul 1st, 2008

Dear All,


I know MPLS is good for SPs, but how can we implement and justify MPLS for an enterprise/bank with over 1k branches?


Is there any existing "private" MPLS-based enterprise network implemented for such a scenario, and how is it justified besides using fast switching, which CEF can also achieve?


guruprasadr Tue, 07/01/2008 - 09:31

Hi, [Please rate if this helps]


Banks with more than 1000 branches are recommended to have a hub-and-spoke methodology.


Using IPsec crypto sessions between the hub and spoke routers will ensure secure data communication with a higher encryption standard. Either static (pre-shared) or dynamic key exchange (CA) can be used for secure data communications, since banking applications are more sensitive.


For an enterprise, you can use the CSC (Carrier Supporting Carrier) technique to extend the SP's VRF up to the CSC-CE router.


A cross-connect is to be established between the actual CE and the CSC-CE router. The CSC-CE router can be placed at the customer premises where the original WAN link terminates. The MPLS labels are extended up to this point. This will also ensure secured communication for the enterprise network. Please follow the link below for details about CSC:


http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/4.0/mpls/user/guide/9_iscqsg.html


Hope I was informative.


Please rate if this helps.


Best Regards,


Guru Prasad R



Tahir Ali Tue, 07/01/2008 - 21:41

Well, thanks Prasad, I got your point but not to the fullest. Let me rephrase my question.


What if I want to design a "PRIVATE" MPLS-based network for a bank with hubs in different regions? So naturally I thought of placing my core/distribution routers region-wise, with OSPF as the IGP.


Now the question that arises is how a banking scenario can be implemented on an MPLS network with this topology in mind.


The next thought that comes is that I will use MPLS VPNs to justify MPLS in this scenario, but how?


Do I have to treat every branch router as a CE, or put every banking application in a separate VPN? etc....?

Correct Answer
guruprasadr Wed, 07/02/2008 - 01:45

Hi, [Please rate if this helps]


Justify the MPLS VPN as scenario:


VPN services can be offered based on two major models:


Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites


Peer-to-peer VPNs, in which the service provider participates in the customer routing


About Overlay VPN's:

=====================

VPN is implemented with IP-over-IP tunnels:


Tunnels are established with GRE or IPSec.

GRE is simpler (and quicker); IPSec provides authentication and security.


VPN is implemented with PPP-over-IP tunnels.

Usually used in access environments (dialup, digital subscriber line).


Service provider infrastructure appears as point-to-point links to customer routes.


Routing protocols run directly between customer routers.


Service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.


About Peer to Peer VPN's:

===========================

The only difference is that here the service provider participates in the customer routing. The PE router exchanges customer routes through the core network.


How to treat VPN's:

=====================

Here you need to consider every branch router as a CE, i.e., a spoke router, but not the application itself. If the applications are hosted only at the HO, access will be easy.


If the applications are hosted at various offices, using RD & RT values in MPLS-VPN will help a lot in the implementation.


How to Implement:

==================

You can implement this using pure MPLS-VPN services. The hub can be implemented and all spokes are treated as CE routers. The IPsec sessions are to be established as said before.


The SP will implement the VRF with RD & RT values. The same will be imported at the spoke locations to access the servers at the HO.


Hope I was informative.


Please rate if this helps.


Best Regards,


Guru Prasad R

Tahir Ali Wed, 07/02/2008 - 02:56

Thanks Guru,


Yes, you were informative, but I mentioned the words "private MPLS network", meaning that the whole bank will use its own MPLS core, i.e. P, PE and CE will all be the bank's property.


Only the media will be taken from the SPs, i.e. any kind of media (WiMAX, DSL, DXX links).


Now in this case I need to justify the bank's own MPLS core, and how it can be implemented.


Thanks again Guru for your help.


I hope I am clear now and there is a solution to my question.

Correct Answer
mmarchuk Wed, 07/02/2008 - 07:31

Unless you're planning on implementing other clients on the network, what is the purpose of the MPLS? Standard routing would work well if you segment the network into several major "hubs" to which many branch "spokes" are attached and managed using OSPF. Then interconnect the hubs together using iBGP. It would be straightforward and permit the connectivity you require. If you NEED IPsec-type security on the circuits, you could create individual encrypted sessions back to a VPN concentrator and then encrypt the traffic across the backbone between hubs. However, I would assume that all of your banking applications are already encrypted using HTTPS or something similar for their communications, in which case the additional encryption would be overkill.

Tahir Ali Wed, 07/02/2008 - 08:13

Aren't there any scenarios with the banking applications or the branches which can be implemented using MPLS VPN?

Correct Answer
vdadlaney Wed, 07/02/2008 - 19:48

Hi, it all depends on what you want to achieve. So take for example that you have multiple departments within the bank and there is some requirement that one department should not be able to talk to another department. In this case you can create VRFs per department and limit each department to talking only to other parts of the same department. The users might be diverse, so one section of that department is located in location XYZ and the other section of that department is located in location ABC. If you have a relatively small network, then you can accomplish the same with VRF-Lite without using label switching. If you have users spread across, then ideally you would want to use label switching and VPNv4 sessions between your PE routers to provide connectivity. This way your core routers do not have to know about every network and they can just label switch the traffic to the next hop, eventually getting to your PE routers. Hope that was what you were looking for in terms of usability. Thanks

Tahir Ali Wed, 07/02/2008 - 20:49

Thank you to all the participants,


Summarizing the above discussion, I think I can only use MPLS in a bank when I want to isolate traffic from different departments or regions, or services like voice, video etc. If I want a particular department to communicate with another one, then I have to use route targets for shared VPNs.
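As an added example (not code from any poster in this thread, nor from Cisco), the following Python model shows what vdadlaney's per-department VRFs, guruprasadr's "RD & RT values imported at the spoke locations", and the summary's "route targets for shared VPNs" amount to on the control plane: each PE exports its VRF prefixes as RD:prefix VPNv4 routes tagged with export RTs, and a VRF accepts a route only if it carries one of its import RTs. It also includes the two checks a practitioner wants before trusting the segmentation: a leak audit (does any route from a department land in a VRF it is supposed to be isolated from?) and an overlap audit (the RD keeps two departments' identical prefixes distinct in BGP, but not once both are imported into one shared-services VRF). All PE names, RDs, RT values and prefixes are invented for the example.

```python
"""Toy model of MPLS L3VPN route distribution: RDs, route targets, VPNv4 import.

Added example for this thread; the topology, RDs, RTs and prefixes are constructed.
Only the control plane is modelled: which prefixes each VRF ends up importing.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str                          # route distinguisher: keeps VPNv4 routes unique
    export_rts: frozenset            # RTs attached to routes this VRF exports
    import_rts: frozenset            # a route is accepted if it carries any of these
    local: frozenset = frozenset()   # prefixes learned from the attached CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset
    origin_pe: str
    origin_vrf: str


def advertise(pes: dict) -> list:
    """Every PE exports each VRF's local prefixes as RD:prefix VPNv4 routes."""
    return [Vpnv4Route(v.rd, p, v.export_rts, pe, v.name)
            for pe, vrfs in pes.items() for v in vrfs for p in v.local]


def import_routes(pe: str, vrf: Vrf, table: list) -> dict:
    """Return prefix -> sorted list of 'pe/vrf' origins accepted by the import RTs."""
    accepted = defaultdict(set)
    for r in table:
        if (r.origin_pe, r.origin_vrf) == (pe, vrf.name):
            continue  # a VRF does not re-import its own advertisements
        if r.rts & vrf.import_rts:
            accepted[r.prefix].add(f"{r.origin_pe}/{r.origin_vrf}")
    return {p: sorted(o) for p, o in accepted.items()}


def reachability(pes: dict) -> dict:
    """(pe, vrf name) -> {prefix: [origins]} for the whole network."""
    table = advertise(pes)
    return {(pe, v.name): import_routes(pe, v, table)
            for pe, vrfs in pes.items() for v in vrfs}


def leaks(pes: dict, isolated: set) -> list:
    """Routes that crossed between VRF names declared mutually isolated."""
    found = []
    for (pe, vname), routes in reachability(pes).items():
        for prefix, origins in routes.items():
            for o in origins:
                if frozenset({vname, o.split("/")[1]}) in isolated:
                    found.append((pe, vname, prefix, o))
    return sorted(found)


def overlaps(pes: dict) -> list:
    """Prefixes a VRF imports from more than one origin (overlapping address space)."""
    return sorted((pe, v, p) for (pe, v), rts in reachability(pes).items()
                  for p, o in rts.items() if len(o) > 1)


# Constructed RT plan (invented values).
HUB_RT, SPOKE_RT = "65000:100", "65000:101"        # Retail: hub-and-spoke
TRE_RT = "65000:200"                               # Treasury: any-to-any
SVC_RT, SVC_CLIENT_RT = "65000:900", "65000:901"   # shared-services VRF at HO


def build_bank(treasury_extra_import=frozenset()) -> dict:
    """Constructed topology: one HO PE (hub) and two branch PEs (spokes)."""
    fs = frozenset
    return {
        "PE-HO": [
            Vrf("RETAIL", "65000:1", fs({HUB_RT, SVC_CLIENT_RT}), fs({SPOKE_RT, SVC_RT}),
                fs({"10.0.0.0/24"})),
            # Same prefix as RETAIL but a different RD, so BGP carries both routes.
            Vrf("TREASURY", "65000:2", fs({TRE_RT, SVC_CLIENT_RT}),
                fs({TRE_RT, SVC_RT}) | treasury_extra_import, fs({"10.0.0.0/24"})),
            Vrf("SHARED", "65000:9", fs({SVC_RT}), fs({SVC_CLIENT_RT}), fs({"10.9.0.0/24"})),
        ],
        # Spokes export the spoke RT and import only the hub RT: no spoke-to-spoke routes.
        "PE-BR1": [Vrf("RETAIL", "65000:1", fs({SPOKE_RT}), fs({HUB_RT}), fs({"10.1.0.0/24"}))],
        "PE-BR2": [Vrf("RETAIL", "65000:1", fs({SPOKE_RT}), fs({HUB_RT}), fs({"10.2.0.0/24"})),
                   Vrf("TREASURY", "65000:2", fs({TRE_RT}), fs({TRE_RT}), fs({"10.2.200.0/24"}))],
    }


if __name__ == "__main__":
    for key, routes in sorted(reachability(build_bank()).items()):
        print(key, routes)
    print("leaks:", leaks(build_bank(), {frozenset({"RETAIL", "TREASURY"})}))
    print("overlaps:", overlaps(build_bank()))
```

Running it shows the branch RETAIL VRFs learning only the HO prefix (spoke-to-spoke traffic would have to follow a default route via the hub, which is where a hub firewall sits in the usual hub-and-spoke design), TREASURY at BR2 learning 10.0.0.0/24 from HO TREASURY and not from HO RETAIL, zero leaks, and one overlap: SHARED imports 10.0.0.0/24 from both departments. Calling `build_bank(frozenset({SPOKE_RT}))` models the classic mistake of adding one extra import RT to TREASURY; the leak audit then lists every branch RETAIL prefix that now appears in TREASURY, which is the kind of check worth running against the real `show ip bgp vpnv4` output after any RT change.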
