Hello J-listers,

This isn't specifically a Juniper question, but seeing as the kit will be Juniper I am floating this here.
I am looking at a design change for a network that I work in. Currently the network is a converged MPLS network with full tables in global/inet.0. Services operated over this network are IP transit, business internet, layer 2 VPN, and layer 3 VPN. The VPN traffic is the most important thing. Currently we use four traffic classes and prioritise/queue/shape to suit NC, EF, AF, BE.

We are moving all of our internet transit/global table routing out to separate boxes. The easiest way to do this is to just connect the new boxes to the existing MPLS network with separate RRs (out of the forwarding path) for the internet routing boxes.

Now, the question has come up (mainly due to some other large carriers locally here in AUS doing this) that, given the opportunity, should we create a separate internet transit network? We would still use MPLS between all the dedicated internet boxes (LDP+RSVP-TE) but it would be a separate MPLS network. We would then effectively treat the original MPLS network as a transport network, creating layer 2 circuits for the internet network. In some cases we could even have circuits in the internet network away from the original MPLS network (where we have CWDM splits available etc etc).

Points to/for:

* Pro - VPN network is hidden from the internet completely. DoS/control plane attacks become much more difficult.
  - This is negated by QoS/CoS and properly maintaining infrastructure ACLs.
  - Also negated by global table in VRF style. Customers are however used to seeing a pretty traceroute.
* Pro - can use private addressing in the VPN network and free up a decent amount of IPv4 to use.
* Con - increases the number of circuits that need to be maintained. In theory they would not need to be touched too often.
* Pro - a mistake in either network's IGP is not going to affect the other.

My gut feeling is that the safer option is to run things separately, but I also do not wish to create an administrative nightmare for other people to work on the network.
Any input, experience, or additional points would be greatly appreciated.

Cheers,
Mark

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
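As an added illustration of the "properly maintaining infrastructure ACLs" point in the post above (an example I have written for this thread, not config from the original poster or from any real network): a Junos loopback filter that admits control-plane traffic only from a constructed infrastructure prefix list and counts and drops everything else, so a PE on the VPN/transport network is no more reachable from the internet side than it would be on a physically separate network. All prefixes, filter and term names, and the choice of OSPF as the IGP are placeholders.

```junos
/* Constructed example: RE-protection filter for a VPN/transport PE.
   Prefixes, names and OSPF-as-IGP are placeholder assumptions. */
policy-options {
    prefix-list INFRA-LOOPBACKS { 10.255.0.0/24; }   /* P/PE loopbacks (placeholder) */
    prefix-list INFRA-LINKS     { 10.254.0.0/16; }   /* core p2p links (placeholder) */
    prefix-list RR-LOOPBACKS    { 10.255.1.0/28; }   /* out-of-path RRs (placeholder) */
}
firewall {
    policer RE-ICMP-LIMIT {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* iBGP sessions terminate on the RRs, so only they may reach tcp/179 */
            term bgp-from-rr {
                from { source-prefix-list { RR-LOOPBACKS; } protocol tcp; port bgp; }
                then accept;
            }
            /* IGP and RSVP-TE signalling from core links and loopbacks only */
            term ospf-rsvp {
                from { source-prefix-list { INFRA-LINKS; INFRA-LOOPBACKS; } protocol [ ospf rsvp ]; }
                then accept;
            }
            /* LDP: UDP hellos on the links, TCP sessions between loopbacks */
            term ldp {
                from { source-prefix-list { INFRA-LINKS; INFRA-LOOPBACKS; } protocol [ tcp udp ]; port ldp; }
                then accept;
            }
            /* Management only from infrastructure addresses */
            term ssh-from-infra {
                from { source-prefix-list { INFRA-LOOPBACKS; INFRA-LINKS; } protocol tcp; port ssh; }
                then accept;
            }
            /* ICMP for diagnostics, rate-limited so it cannot starve the RE */
            term icmp-limited {
                from { protocol icmp; }
                then { policer RE-ICMP-LIMIT; accept; }
            }
            /* Anything else, including packets sourced from the internet network, is counted and dropped */
            term default-discard {
                then { count re-discards; log; discard; }
            }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } } }
```

A lo0 input filter only sees packets addressed to the router itself, so transit VPN traffic is untouched; this addresses the control-plane exposure in the first "Pro" but does nothing for the traceroute visibility point, which is what the global-table-in-VRF approach covers.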