I am deciding on a networking architecture to interconnect 16 metro sites and need to decide between a small carrier (MPLS) or a large campus (VLAN).
We lease fibre to most sites, but have some 34Mbps microwave and 2Mbps for backup. We require secure (not necessarily encrypted) VPN segregation and don't believe VLAN is as secure as MPLS VPN. IP address clashing is not a concern, but QoS and security are. Our 16 sites operate autonomously, but do share some resources and all connect to a central data centre.
If we take the MPLS path, are we unnecessarily complicating ourselves when VLAN + QoS may be all we require? We currently don't consider VLAN to be as secure given the dot1Q weaknesses.
Depending on the switch, VLAN hopping with dot1q may or may not matter. In Cat 6500 this problem is solved, i.e., if we receive a tagged frame on an access port and the tag does not match the PVID of the port, then we drop it.
The other low-end Cats do not do this and indeed suffer from possible VLAN hopping issues, but this can all be worked around with proper configuration, i.e., make sure your native VLANs on the trunks are different from any of the access port VLANs.
The MPLS VPN vs VLAN decision may come down to how well you think you can mitigate the VLAN hopping issue vs the possible complexity of your MPLS VPN config/management.
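The mitigation in the answer above, checking that no trunk's native VLAN is also used as an access-port VLAN, as an added audit script that is not from the original thread. It parses a constructed Cisco IOS-style configuration and assumes the IOS default of VLAN 1 wherever a native or access VLAN is left unset.

```python
import re
# Constructed Cisco IOS-style switch config for the demo (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet1/0/25
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: stanza text}; a stanza ends at the next non-indented line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^interface (\S+)\n((?: .*(?:\n|\Z))*)", config, re.M)}

def vlan_of(stanza, keyword, default=1):
    """VLAN number following `keyword`; IOS falls back to VLAN 1 when the line is absent."""
    m = re.search(rf"^\s*{keyword} (\d+)\s*$", stanza, re.M)
    return int(m.group(1)) if m else default

def find_native_vlan_overlaps(config):
    """List (trunk, native_vlan, access_ports) for every trunk whose native VLAN is
    also carried untagged on an access port: the condition the answer says to avoid.
    Only explicit 'switchport mode access/trunk' ports are considered."""
    stanzas = parse_interfaces(config)
    access = {}  # access VLAN -> ports using it (unset access VLAN counts as VLAN 1)
    for name, text in stanzas.items():
        if "switchport mode access" in text:
            access.setdefault(vlan_of(text, "switchport access vlan"), []).append(name)
    overlaps = []
    for name, text in stanzas.items():
        if "switchport mode trunk" in text:
            native = vlan_of(text, "switchport trunk native vlan")
            if native in access:
                overlaps.append((name, native, sorted(access[native])))
    return sorted(overlaps)
```

Running it on the sample flags both the explicit native VLAN 10 on Gi1/0/24 and the implicit native VLAN 1 on Gi1/0/25, which shares VLAN 1 with the access port that never set an access VLAN.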