I appreciate your answer and will make sure that I rate your post. My question is the following:
1) I can do segregation using IPSEC, why MPLS?
2) MPLS introduces too much complexity in the enterprise network, now we need separate devices for SP side and the CE side. Too much waste of equipment and ports. A Cat 6500 which was doing a lot before is now a PE, so all it can do is VRFs.
Did you use VRF lite in combination with MPLS at the Core?
Can you give me some convincing pointers to go for Enterprise MPLS?
1) MPLS VPN provides kind of a natural framework for providing segregation to different entities over a common infrastructure. You could also do it with IPsec tunnels but I do think it would require way more maintenance.
2) Well, MPLS will introduce an extra level of complexity but in large Enterprise networks, it is certainly worthwhile. You don't necessarily need CE devices everywhere. In some cases the distribution L2/L3 device can be your PE and users can be directly connected to the VRF interfaces without a CE device as such.
VRF lite could be used in some cases but is not necessarily required.
As more and more Enterprises are going to a SP model, MPLS VPN does make a lot of sense as it does allow the Network Services Group to offer a variety of services just like a real SP would.
I can tell you that I have seen quite a few Enterprise customers going that way.
Hope this helps,
Harold Ritter Sr. Technical Leader CCIE 4168 (R&S, SP) firstname.lastname@example.org México móvil: +52 1 55 8312 4915 Cisco México Paseo de la Reforma 222 Piso 19 Cuauhtémoc, Juárez Ciudad de México, 06600 México
In addition to Harold's post: there are some enterprises with legal obligations to separate different departments even in the intranet. For example, banks might run into this because of insider trading issues. Now you can separate on Layer 2 by using VLANs, but the first router would interconnect them. What you could do is use firewalls everywhere, but from an administrative, cost and performance point of view it is not advisable. Separating the routing control plane is a natural step, i.e. MPLS VPNs.
P.S.: many enterprise IT departments nowadays are pushed into the role of an SP with only one customer ;-) (Congratulations, you are a profit center now!)
What would the configuration look like, do you have any sample config? I like the idea of having L2/L3 as PE devices and the actual hosts as CEs. Do the organizations you are talking about follow this model, or break their network into PE and CE devices?
In the enterprise environment you very likely find Cat6500 as PE and no router CEs; LAN switching design with access/distribution extending VLANs to the PE is typical. Add QoS when needed.
Just take a "normal" PE config for MPLS VPN (VRFs with RD, RTs; MBGP full mesh or with RR and LDP enabled between PEs) and take Ethernet/VLAN interfaces into the VRFs. There is no problem with HSRP on a VRF interface so the hosts find themselves in their normal setup. As usual MPLS VPN is transparent to attached IP devices.
With Cat6500 in some enterprises they also use EoMPLS for some special purposes like server clustering, where IP connectivity alone would not do.
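Added example, not part of the original posts and not a configuration from any participant: a minimal IOS-style PE sketch of the setup described above, with two departments kept in separate VRFs whose route targets do not overlap, host VLANs placed directly into the VRFs, and HSRP on the VRF interfaces. The AS number, VRF names, addresses, interface numbers and the choice of OSPF as core IGP are all constructed assumptions.

```cisco
! Constructed values throughout: AS 65000, VRF names, addresses, interfaces
ip vrf DEPT_A
 rd 65000:10
 route-target both 65000:10
!
ip vrf DEPT_B
 rd 65000:20
 route-target both 65000:20
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface TenGigabitEthernet1/1
 description Core link towards the other PEs (LDP enabled)
 ip address 10.0.12.1 255.255.255.252
 mpls ip
!
interface Vlan110
 description DEPT_A hosts, VLAN extended from access/distribution
 ip vrf forwarding DEPT_A
 ip address 172.16.10.2 255.255.255.0
 standby 10 ip 172.16.10.1
!
interface Vlan120
 description DEPT_B hosts
 ip vrf forwarding DEPT_B
 ip address 172.16.20.2 255.255.255.0
 standby 20 ip 172.16.20.1
!
! Core IGP is an assumption; it only carries loopbacks and core links
router ospf 1
 network 10.0.12.0 0.0.0.3 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf DEPT_A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf DEPT_B
  redistribute connected
 exit-address-family
```

Because neither VRF imports the other's route target, DEPT_A and DEPT_B have no routes to each other on the PE, which is the control-plane separation discussed in the thread. Enter `ip vrf forwarding` before the interface address, since applying it removes any IP address already configured on the interface.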