I appreciate your answer and will make sure that i rate your post. My question is the following:

1) I can do segregation using IPSEC , why MPLS?

2) MPLS introduces too much complexity in the enterprise network, now we need seprate devices for SP side and the CE side. Too much waste of equivment and ports. A Cat 6500 which was doing a lot before is now PE , so all it can do it vrfs.

Did you use vrf lite in combination to MPLS at the Core?

Can you give me some convincing pointers to go for Enterprise MPLS?

Thanks

1) MPLS VON provides kind of a natural framework for providing segragation to different entities over a common infrastructure. You could also do it with IPsec tunnels but I do think it would require way more maintenance.

2) Well, MPLS will introduce an extra level of complexity but in large Enterprise networks, it is certainly worthwhile. You don't necesseraly need CE devices everywhere. It some cases the distribution L2/L3 device can be you PE and users can be directly connected to the VRF interfaces without a CE device as such.

VRF lite could be use in some cases but is nor necesseraly required.

As more and more Enterprises are going to a SP model, MPLS VPN does make a lot of sense as it does allow the Network Services Group to offer a variety of services just like a real SP would.

I can tell you that I have seen quite a few Entreprise customers going that way.

Hope this helps,

Hi,

in addition to Harolds post: there are some enterprises with legal obligations to separate different departments even in the intranet. F.e. banks might run into this because of inside trading issues. Now you can separate on Layer2 by using VLANS, but the first router would interconnect them. What you could do is using firewalls everywhere but from an administrative, cost and performance point of view it is not advisable. Separating the routing control plane is a natural step, i.e. MPLS VPNs.

Regards

Martin

P.S.: many enterprise IT departments nowadays are pushed into the role of an SP with only one customer ;-) (Congratulation, You are a profit center now!)

Martin,

How would the configuration look like, do you have any sample config? I like the idea of having L2/L3 as PE devices and the actual hosts as CEs. Do the organizations you are talking about following this model? or break their network in PE and CE devices?

Sample config would he HIGHLY appreciated.

Hi,

in the enterprise environment you find very likely Cat6500 as PE and no router CEs; LAN switching design with access/distribution extending VLANs to the PE is typical. Add QoS when needed.

Just take a "normal" PE config for MPLS VPN (VRFs with RD, RTs; MBGP full mesh or with RR and LDP enabled between PEs) and take ethernet/VLAN interfaces into the VRFs. There is no problem with HSRP on a VRF interface so the hosts find themselves in their normal setup. As usual MPLS VPN is transparent to attached IP devices.

With Cat6500 in some enterprises they also use EoMPLS for some special purposes like server clustering, where IP connectivity alone would not do.

Hope this helps

Martin

Martin,

Can you please contact me at karanprakash2004@yahoo.com. I want to clarify something with you. Please e-mail me.

Thanks,

Parwal

Martin,

Could you please emphasis on EoMPLS concept. I did not understand when you said cluster which requires more than ip connectivity.

Also for enterprise MPLS model, would you recommend SP run link state protcol? even though no TE tunnels

and the VRFs run different protocol.

OR may be run eigrp with different AS for the SP and the VRF?