At 09:05 PM 3/7/2003 +0000, John Neiberger wrote:
>I'm at the early stages of considering migrating away from a
>point-to-point frame relay network to a layer 3 MPLS-based private
>network and I have a couple of questions based on some preliminary
>verbal information.
>
>I was told that no router reconfiguration was required on our side but
>I don't see how that's possible. Since our CE router connects to the
>PE router they need to have common addressing and a common routing
>protocol, which I think must be either OSPF or IS-IS.

For L3VPN based on 2547bis, the provider network becomes a layer three peer with your edge gear. In the frame relay model, the provider is fully transparent to you at layer three. Hence, you'll need to establish some sort of layer three peering with the provider's edge routers. This could be a typical IGP, or ideally one of static or BGP.

A layer two VPN, using pseudowires as defined by Luca Martini in the various draft-martini-pick-your-layer-two, would more or less emulate the type of service you have now and would not require a change in your routed topology. I tend to recommend L2VPNs where customers already have sizable frame networks, unless the customer has a strong desire to outsource its routing to the provider.

>Regarding the routing protocol, it wouldn't be a big deal to change to
>using one of the above but that would still be a change, right? :-)

Yep

>Regarding the addressing, is it common for a customer to get a new
>addressing scheme for the provider for their edge links? Or, will the
>provider readdress their PE connections that interface with our network?
> It makes more sense to me that the provider would make us readdress.
>Does one method seem to be more common than the other?

Addressing in one VPN is fully abstracted from another VPN and thus there really isn't the need to migrate toward any unique IP space here. You could use your own space, or some 1918 etc.

>Since this is a layer 3 VPN the provider's routers will have specific
>information about our internal addressing, and I can hear our security
>people groaning over this already. My boss might not like that idea, as
>well. Has this been a security concern for anyone? Is there reason to
>be concerned? Conversely, is there a good way for me to explain to my
>boss and the security department why we shouldn't be concerned?

Security is a common concern here. However, in any VPN service, you are putting some trust in the provider as they do have internal access to your traffic flows. If you are concerned about security, there is nothing to preclude the use of IPsec over the public/VPN portions of your network.

>I'm still awaiting more technical information from our provider, and
>we're going to have a face-to-face meeting with technical people in a
>couple of weeks, but I wanted to become more familiar with this
>technology before they get here.

Here is the latest draft for the protocol:

http://www.ietf.org/internet-drafts/draft-rosen-ppvpn-2547bis-protocol-02.txt

>Many thanks!
>John

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64781&t=64770

