Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2131
Views
0
Helpful
8
Replies

MPLS scenario for enterprise/banks

Go to solution
Tahir Ali
Level 1
Level 1

‎07-01-2008 08:14 AM

Dear All,

I know mpls is good for SPs but how can we implement and justify mpls for an enterprise/banks with branches over 1k.

Is there any existing "private" mpls based enterprise network implemented for such a scenario and how is it justified besides using fast switching which cef can also achieve.

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
guruprasadr
Level 7
Level 7
In response to Tahir Ali

‎07-02-2008 01:45 AM

HI, [Pls Rate if HELPS]

Justify the MPLS VPN as scenario:

VPN services can be offered based on two major models:

Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites

Peer-to-peer VPNs, in which the service provider participates in the customer routing

About Overlay VPN's:

=====================

VPN is implemented with IP-over-IP tunnels:

Tunnels are established with GRE or IPSec.

GRE is simpler (and quicker); IPSec provides authentication and security.

VPN is implemented with PPP-over-IP tunnels.

Usually used in access environments (dialup, digital subscriber line).

Service provider infrastructure appears as point-to-point links to customer routes.

Routing protocols run directly between customer routers.

Service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

About Peer to Peer VPN's:

===========================

The only difference is: Here the Service Provider participates in the Customer Routing. PE Router exchanges Customer routers through the core network.

How to treat VPN's:

=====================

Here you need to consider every branch router as CE ie., Spoke Router but not the application itself. If the application are hosted only @ HO means access will be easy.

If the applications are hosted @ various offices using of RD & RT Values in MPLS-VPN will help a lot in implementation.

How to Implement:

==================

You can implement using pure MPLS-VPN Services. The HUB can be implented and all SPoke are treated as CE Routers. The IPSec session are to be established as said before.

The SP will implement the VRF with FRD & RT Values. The same will be imported @ spoke locations to access the Servers @ HO.

Hope I am Informative.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

View solution in original post

0 Helpful

Go to solution
mmarchuk
Level 1
Level 1
In response to Tahir Ali

‎07-02-2008 07:31 AM

Unless you're planning on implementing other clients on the network, what is the purpose of the MPLS? Standard routing would work well if you segment the network into several major "hubs" to which many branch "spokes" are attached and managed using OSPF. Then interconnect the hubs together using iBGP. It would be straightforward and permit the connectivity you require. If you NEED IPSEC type of security on the circuits, you could create individual encrypted sessions back to a VPN concentrator and then encrypt the traffic across the backbone between hubs. However, I would assume that all of your banking applications are already encrypted using HTTPS or something similar for their communications, in which case, the additional encryption would be overkill.

View solution in original post

0 Helpful

Go to solution
vdadlaney
Level 1
Level 1
In response to Tahir Ali

‎07-02-2008 07:48 PM

Hi, it all depends on what you want to achieve. So take for example you have multiple departments within the bank and there is some requirement that one department should not be able to talk to another department. In this case you can create VRF's per department and limit each department to talk to only other parts of the same department. The users might be diverse so one section of that department is located in location XYZ and the other section of that department is located in location ABC. If you have a relatively small network than you can accomplish the same with VRF-Lite without using label switching. If you have users spread across than ideally you would want to use label switching and VPNv4 sessions between your PE routers to provide connectivity. This way your Core routers do not have to know about every network and they can just label switch the traffic to the next hop eventually getting to your PE routers. Hope that was what you were looking for in terms of usability. Thx

View solution in original post

0 Helpful
8 Replies 8

Go to solution
guruprasadr
Level 7
Level 7

‎07-01-2008 09:31 AM

HI, [Pls Rate if HELPS]

For Banks with branches more than 1000 are recommended to have HUB-SPOKE Methodology.

Using of IPSec Crypo Session between the HUB-SPOKE Routers will ensure secure data communication with higher encryption standard. Either Static (Pre-Shared) or Dynamic key Exchange (CA) can be used for secure data communications, since Banking applications are more sensitive.

For Enterprise, you can use CSC (Carrier Supporting Carrier) Techniq, to extend the SP's VRF until the CSC-CE Router.

A X-Connect to be established between the actual-CE and CSC-CE Router. The CSC-CE Router can be placed @ Customer Premessis where the Original WAN LINK Terminates. The MPLS Labels are extended till here. This will also ensure secured Communication for Enterprise Network. Please follow the below link for details about CSC:

http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/4.0/mpls/user/guide/9_iscqsg.html

Hope I am Informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

0 Helpful

Go to solution
Tahir Ali
Level 1
Level 1
In response to guruprasadr

‎07-01-2008 09:41 PM

well thanks Prasad, I got ur point but not to the fullest...let me rephrase my question

What if I want to design a "PRIVATE" MPLS based network for a bank with hubs at different regions, so naturally I thought of placing my core/ distribution routers region wise and OSPF as IGP.

Now the question arises is that how can a banking scenario be implemented with mpls network with this topology in mind.

The next thought which comes is that i will use mpls VPNS to justify the mpls in this scenario but how ?

do i have to treat every branch router as CEs, or every banking application in seperate VPN? etc....?

0 Helpful

Go to solution
guruprasadr
Level 7
Level 7
In response to Tahir Ali

‎07-02-2008 01:45 AM

HI, [Pls Rate if HELPS]

Justify the MPLS VPN as scenario:

VPN services can be offered based on two major models:

Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites

Peer-to-peer VPNs, in which the service provider participates in the customer routing

About Overlay VPN's:

=====================

VPN is implemented with IP-over-IP tunnels:

Tunnels are established with GRE or IPSec.

GRE is simpler (and quicker); IPSec provides authentication and security.

VPN is implemented with PPP-over-IP tunnels.

Usually used in access environments (dialup, digital subscriber line).

Service provider infrastructure appears as point-to-point links to customer routes.

Routing protocols run directly between customer routers.

Service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

About Peer to Peer VPN's:

===========================

The only difference is: Here the Service Provider participates in the Customer Routing. PE Router exchanges Customer routers through the core network.

How to treat VPN's:

=====================

Here you need to consider every branch router as CE ie., Spoke Router but not the application itself. If the application are hosted only @ HO means access will be easy.

If the applications are hosted @ various offices using of RD & RT Values in MPLS-VPN will help a lot in implementation.

How to Implement:

==================

You can implement using pure MPLS-VPN Services. The HUB can be implented and all SPoke are treated as CE Routers. The IPSec session are to be established as said before.

The SP will implement the VRF with FRD & RT Values. The same will be imported @ spoke locations to access the Servers @ HO.

Hope I am Informative.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

0 Helpful

Go to solution
Tahir Ali
Level 1
Level 1
In response to guruprasadr

‎07-02-2008 02:56 AM

Thanks GURU,

Yes u were informative but i mentioned the word private mpls network meaning that the whole bank will use its own mpls core i.e P, PE and CE will be all bank's property.

Only media will be taken from the SPs i.e any kind of media (wimax, dsl , dxx links).

Now in this case i need a to justify banks own mpls core. and how can it be implemented.

Thanks again Guru for your help.

I hope I am clear now and there is a solution to my question

0 Helpful

Go to solution
mmarchuk
Level 1
Level 1
In response to Tahir Ali

‎07-02-2008 07:31 AM

Unless you're planning on implementing other clients on the network, what is the purpose of the MPLS? Standard routing would work well if you segment the network into several major "hubs" to which many branch "spokes" are attached and managed using OSPF. Then interconnect the hubs together using iBGP. It would be straightforward and permit the connectivity you require. If you NEED IPSEC type of security on the circuits, you could create individual encrypted sessions back to a VPN concentrator and then encrypt the traffic across the backbone between hubs. However, I would assume that all of your banking applications are already encrypted using HTTPS or something similar for their communications, in which case, the additional encryption would be overkill.

0 Helpful

Go to solution
Tahir Ali
Level 1
Level 1
In response to mmarchuk

‎07-02-2008 08:13 AM

arent there any scenario with the banking applications or the branches which can be implemented using mpls VPN?....

0 Helpful

Go to solution
vdadlaney
Level 1
Level 1
In response to Tahir Ali

‎07-02-2008 07:48 PM

Hi, it all depends on what you want to achieve. So take for example you have multiple departments within the bank and there is some requirement that one department should not be able to talk to another department. In this case you can create VRF's per department and limit each department to talk to only other parts of the same department. The users might be diverse so one section of that department is located in location XYZ and the other section of that department is located in location ABC. If you have a relatively small network than you can accomplish the same with VRF-Lite without using label switching. If you have users spread across than ideally you would want to use label switching and VPNv4 sessions between your PE routers to provide connectivity. This way your Core routers do not have to know about every network and they can just label switch the traffic to the next hop eventually getting to your PE routers. Hope that was what you were looking for in terms of usability. Thx

0 Helpful

Go to solution
Tahir Ali
Level 1
Level 1
In response to vdadlaney

‎07-02-2008 08:49 PM

Thank you all the participants,

Summarizing the above discussion i think i can only use mpls in a bank when i want to isolate traffic from different dept. or regions, or services like voice, video etc , If i want that a particular dept. can communicate with the other one then I have to use Route targets for shared vpns.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents