My company has bought MPLS VPN service from an ISP that connects several sites around Europe. I want to start an IGP protocol inside it and treat the entire company as one AS. The ISP tells me that we could use their BGP from the MPLS and treat each site as a different AS. Sites aren’t big: mostly 3 persons on site, two bigger ones with 50 employees. What approach would be the best? Connecting each site using GRE tunnels over MPLS and starting to use OSPF, or BGP from the ISP?
Fast convergence and faster response to failures in the network (switch to an IPSec tunnel if MPLS is down) is a big factor in choosing the solution.
BGP with the ISP is the usual approach. It gives you the most control with regards to routing, and is generally easier and more stable for the ISP since another IGP would need to be redistributed into their BGP anyway. I’ve used both and have found that I prefer BGP for the reasons of more control. If you’re concerned about failover time you can see if they support BFD or customized timers.
The ISP should be able to use OSPF to peer with your edge router and exchange routes to your other sites. You can also use DMVPN or BGP. I’d say use what you feel comfortable with and know, that way you aren’t outside of your staff’s expertise if an issue does arise and you need to troubleshoot.
LISP is actually a great use case for this type of design. All you need is a default route pointing to the WAN on each edge box, and LISP is used to advertise routing.
Is this a L2 or L3 service? Typically “MPLS” is some flavor of L3VPN and the carrier does dynamic routing, so you speak BGP to them. L2 services are possible too, but more rare from what I’ve seen.
I run this exact MPLS style wan with Cisco’s DMVPN, which uses dynamic GRE tunnels and isolates the ISP routing on separate VRF instances, which makes it really easy to run a single eigrp AS everywhere without mucking about with BGP or routing import/export. It also allows the spoke sites to communicate between themselves without using bandwidth from the hub, and works equally well with backup Internet or cell links, which makes it easy to master the one technique and use it everywhere.
Do you mean “area” instead of “AS”? If you’re a single company, you’d normally use the same ASN across all sites, unless you have something else in mind. My company does L2 MPLS. All WAN routers are area 0 but all downstream routers at each site are in a different area.
Others have chimed in about how you’d tackle L3 MPLS.
I would suggest the GRE tunnels and run OSPF; with so few potential routes to learn from each branch office this would be an easy to support solution, as you could have all sites in area 0.
If you were running Cisco gear DMVPN would be a better option and implementing and supporting this is straight forward enough.
another IGP would need to be redistributed into their BGP anyway
I have in mind that I could say to my MPLS service provider: okay, you can drop any routing information about my network prefixes at each site in your BGP, just take care of routing between endpoints. I would make GRE tunnels between those endpoints (my firewalls), which would be established using MPLS routing (done by this BGP). Then I would put OSPF on those GRE interfaces. I could use a hub-to-spoke topology (if it is possible on GRE), which in turn I could also reflect and easily make redundant/failover through IPSec hub-to-spoke (each site has an additional internet connection). There would be no need to re-advertise my network prefixes into the MPLS service provider, as I would be self-sufficient in doing dynamic routing. He (the MPLS service provider) would need only to take care of routing between endpoints, for which he still imposes the addressing.
Is it a good approach?
But I got mixed feelings about my solution:
I dunno if it’s efficient (I think not, because GRE takes 24 bytes of overhead and I would need to manipulate the MSS)
I dunno if it’s “best practice”
what else possibly would go wrong?
BTW, I’m using Juniper SRXes at each site as an endpoint, if this information would be crucial.
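One way to express the plan in the post above on Junos, as an added example rather than anything posted in the thread: a spoke SRX with a GRE tunnel to the hub over the MPLS path, an IPsec st0 tunnel over the Internet as the OSPF backup path, and MSS clamping to absorb the GRE overhead mentioned above. All addresses and interface names are constructed; the IKE/IPsec configuration that binds st0.0, and the SRX security zones and policies, are assumed to be configured separately.

```junos
interfaces {
    /* GRE to the hub, sourced from the MPLS-facing address; all addresses here are constructed examples */
    gr-0/0/0 {
        unit 0 {
            tunnel { source 198.51.100.2; destination 198.51.100.9; }
            /* 1400 leaves room for the 24-byte GRE overhead plus whatever the ISP adds for MPLS */
            family inet { mtu 1400; address 172.16.0.2/30; }
        }
    }
    /* IPsec backup over the Internet; the IKE/IPsec policy that binds st0.0 is assumed configured elsewhere */
    st0 {
        unit 0 { family inet { address 172.16.100.2/30; } }
    }
}
security {
    flow {
        /* clamp TCP MSS in SYNs so sessions never rely on fragmentation after encapsulation */
        tcp-mss {
            gre-in { mss 1360; }
            ipsec-vpn { mss 1350; }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* primary path: low metric, BFD so OSPF reroutes within about a second when MPLS fails */
            interface gr-0/0/0.0 {
                interface-type p2p;
                metric 10;
                bfd-liveness-detection { minimum-interval 300; multiplier 3; }
            }
            /* backup path: higher metric, carries traffic only while the GRE adjacency is down */
            interface st0.0 {
                interface-type p2p;
                metric 100;
            }
            /* site LAN: advertised into OSPF without forming adjacencies on it */
            interface ge-0/0/2.0 { passive; }
        }
    }
}
routing-options {
    static {
        /* the two existing routes: default to the Internet, ISP WAN block to the MPLS PE */
        route 0.0.0.0/0 next-hop 203.0.113.1;
        route 198.51.100.0/24 next-hop 198.51.100.1;
    }
}
```

The hub mirrors this with one gr- unit per spoke; because every spoke only has an adjacency with the hub, spoke-to-spoke traffic transits the hub, which is the trade-off raised later in the thread.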
I’d say use what you feel comfortable with and know that way you aren’t outside of your staff expertise if an issue does arise and you need to troubleshoot
Got L3, and I’m currently using two static routes at each site: default to the internet, second for my company prefix to MPLS. I want to do MPLS redundancy using the internet connection and IPSec.
Oh I see what you’re saying. Yeah, that’s also an approach that some people take, similar to using DMVPN on Cisco.
The downside in your case, when you’re not using DMVPN, is that all the spoke to spoke traffic is forced back to the hub, which is a poor use of resources when the underlying MPLS network is already full mesh. It also adds a layer of complexity to the design which may not be required.
Both are valid approaches with their benefits and drawbacks. The nice thing about running over GRE is that you can encrypt the traffic easily, if that’s a concern. The nice thing about running BGP is that it’s the native protocol used for route distribution in MPLS by the ISP anyway, so you’re not introducing any more complexity or points of failure into the system. With BGP you also have more control over the paths taken, but this is not a concern if each site only has one circuit. If in the future you think that some sites may have multiple WAN circuits, it would be worthwhile to consider BGP given its greater flexibility, policy-wise.