Re: Network Upgrade

Mohit Sharma wrote:
Thanks a million Jon. I read about MPLS and fortunately it's
available in India, in fact all over India, from a leading and reliable
ISP. I am planning to speak with them and negotiate a bulk deal.
They're also offering a managed service, so no intervention or skilled
labor would be required from our side.

Could you please help me get more clarity on the security issues
MPLS over IPsec could have? We're ISO 27001 certified and were
working in completely isolated VSAT networks; this MPLS would change
the entire risk assessment and all. Are there any things I need to
keep in mind?

The smartest way to deploy MPLS is to have the ISP install their managed
routers at each of your locations. Your router (which should be the same
model) then simply has an ethernet connection to the ISP router. The ISP
router then handles all the MPLS. All your router has to do is to supply
the ISP router with IP packets that have the appropriate DSCP QoS value
set so that packets are appropriately prioritized.

With properly configured MPLS, you should have a semi-private VPN. The
only risk with MPLS is that someone is able to sniff the MPLS traffic
at some point in the network. That is where IPSec comes into play.

What I usually do is to set up IPSec SAs between each company site router.
Typically, the SA is applied to the router interface that connects to the
ISP router. Then, assuming that you have properly configured ESP, all the
traffic that goes to the MPLS network has IPSec encryption and
authentication. Thus, the small risk of having MPLS traffic sniffed is
essentially eliminated.

The issues I have typically encountered with using MPLS are usually
limited to dynamic routing protocols and fragmentation. Fragmentation is
especially a problem if you are using MLPPP over MPLS (to do channel
bonding). The fragmentation issue is the easiest to fix. I have found
that if I set MTU to 1416 and TCP MSS to 1376 on the LAN side of the
company's border router (before anything is encrypted, etc.), that
virtually eliminates all fragmentation (and associated PMTUD) issues.

Dynamic routing is the bigger issue. I am currently having a go-around
with a customer's ISP over just this issue. Typically most ISPs do not
allow any IGP (such as OSPF) to be propagated over MPLS (if yours does,
you are VERY lucky!). So what usually occurs is that the ISP's router
at each location redistributes your IGP into BGP and remote BGP back
into your IGP (mutual redistribution). The trick on your side is to get
the contract written such that the ISP is responsible for the transport
of your dynamic routing information, and all 'magic' that must occur
to propagate your route tables is the ISP's responsibility.

One other issue is router sizing. I have found that if the total WAN
bandwidth that a site handles is <= ~3.0Mbps, you will need something
like a Cisco2811. For bandwidths between ~3.0Mbps and 12.0Mbps,
you need to look at something like a Cisco2821. For > 12.0Mbps, you
will need at least something like a Cisco2831. Also, you will want to
have the K9SEC IOS image (for strong crypto) and the maximum amount of
RAM the router will support. Also, the ISP should have an equivalent
router (same model) on their half of the connection using a similar
IOS release level, but the strong crypto would not be an ISP router
requirement since all the crypto is between your routers.

I hope this helps!

Jon Kibler
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
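A worked version of the MTU 1416 / TCP MSS 1376 budget from the mail above, added here as an illustration and not code from the original post. It computes the outer packet size for ESP tunnel mode from the ESP packet layout (RFC 4303) and shows how far below the 1500-byte carrier link the clamped inner MTU lands. The cipher/integrity table and the assumption of two MPLS labels (transport plus VPN label) riding on the access link are mine; set mpls_labels to 0 if the ISP's access link carries labels in extra headroom.

```python
"""Worked MTU/MSS budget for IPsec ESP tunnel mode over MPLS.

Added illustration for the MTU 1416 / MSS 1376 figures in the mail above; not
code from the original post. ESP framing follows RFC 4303; the MPLS label count
is an assumption (two labels, transport + VPN, is the usual L3VPN case).
"""
import math

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
MPLS_LABEL = 4

# cipher -> (IV length, cipher block size); integrity -> ICV length, in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
ICVS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_size(inner_len, cipher="aes-cbc", integ="hmac-sha1-96"):
    """Outer IPv4 packet length for an inner IPv4 packet of inner_len bytes in
    ESP tunnel mode. Padding fills (inner + trailer) up to the cipher block
    boundary, so the result grows monotonically with inner_len."""
    iv_len, block = CIPHERS[cipher]
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + padded + ICVS[integ]


def tcp_mss(inner_mtu):
    """MSS to clamp on the LAN side so a full segment fits inner_mtu
    (IPv4 and TCP headers without options)."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def fits(inner_mtu, link_mtu=1500, mpls_labels=2,
         cipher="aes-cbc", integ="hmac-sha1-96"):
    """True if the largest inner packet, once encrypted and labelled, never
    exceeds the carrier link MTU (no fragmentation after encryption)."""
    outer = esp_tunnel_size(inner_mtu, cipher, integ)
    return outer + mpls_labels * MPLS_LABEL <= link_mtu


def largest_inner_mtu(link_mtu=1500, mpls_labels=2,
                      cipher="aes-cbc", integ="hmac-sha1-96"):
    """Largest LAN-side MTU that still satisfies fits(); the mail's 1416 sits a
    little below this, which leaves headroom for MLPPP or extra labels."""
    inner = link_mtu
    while inner > 0 and not fits(inner, link_mtu, mpls_labels, cipher, integ):
        inner -= 1
    return inner


if __name__ == "__main__":
    for mtu in (1500, 1416):
        outer = esp_tunnel_size(mtu)
        print(f"inner MTU {mtu}: outer ESP {outer} bytes, with 2 labels "
              f"{outer + 2 * MPLS_LABEL}, fits 1500? {fits(mtu)}, MSS {tcp_mss(mtu)}")
    print("largest inner MTU, AES-CBC/HMAC-SHA1-96, 2 labels:", largest_inner_mtu())
```

On IOS the two numbers this produces are what go on the LAN-facing interface as `ip mtu` and `ip tcp adjust-mss`; the MSS clamp is what keeps TCP flows from ever producing a packet that needs fragmenting after ESP, which is why PMTUD problems disappear once it is in place.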

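A check for the "all the traffic that goes to the MPLS network has IPsec encryption" point above, added here as an example and not code from the original post. It parses raw IPv4 packets as you would pull them off a capture on the Ethernet link to the ISP router, accepts ESP/AH and the IKE that negotiates it, flags post-encryption fragments, and reports anything else as cleartext heading into the carrier. The packets in sample_capture() are constructed for the demo and use documentation addresses (198.51.100.0/24 for the router WAN side, 10.0.0.0/8 for the site LANs).

```python
"""Audit of IPv4 packets handed to the ISP's MPLS router.

Added example for the mail above; not code from the original post. Everything
on that link should be ESP (or IKE); anything else is a leak past the SA.
"""
import ipaddress
import struct

ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
IKE_PORTS = {500, 4500}          # IKE, and NAT-T (IKE and ESP-in-UDP)
MF_FLAG = 0x2000
FRAG_OFFSET = 0x1FFF
IPV4_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header without options


def build_ipv4(proto, src, dst, payload=b"", frag_field=0):
    """Constructed IPv4 packet for the demo (header checksum left zero; the
    audit does not validate it)."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234,
                         frag_field, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def classify(pkt):
    """Verdict for one packet: 'esp', 'ike', 'icmp', 'fragment' or 'cleartext'."""
    if len(pkt) < 20:
        return "cleartext"                      # undecodable: treat as a finding
    ver_ihl, _tos, _total, _ident, frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        return "cleartext"
    ihl = (ver_ihl & 0x0F) * 4
    if frag & (MF_FLAG | FRAG_OFFSET):
        return "fragment"                       # the MTU/MSS clamp should prevent these
    if proto in (ESP, AH):
        return "esp"
    if proto == UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike"
    if proto == ICMP:
        return "icmp"                           # PMTUD needs these; not a leak by itself
    return "cleartext"


def audit(packets):
    """Count verdicts and list cleartext offenders as (index, src, dst, proto)."""
    counts = {"esp": 0, "ike": 0, "icmp": 0, "fragment": 0, "cleartext": 0}
    leaks = []
    for i, pkt in enumerate(packets):
        verdict = classify(pkt)
        counts[verdict] += 1
        if verdict == "cleartext" and len(pkt) >= 20:
            fields = struct.unpack(IPV4_FMT, pkt[:20])
            leaks.append((i, str(ipaddress.IPv4Address(fields[8])),
                          str(ipaddress.IPv4Address(fields[9])), fields[6]))
    return counts, leaks


def sample_capture():
    """Constructed capture: the link as it should look, plus one LAN-to-LAN TCP
    segment that escaped the SA and one ESP packet that got fragmented."""
    wan_a, wan_b = "198.51.100.1", "198.51.100.2"
    return [
        build_ipv4(ESP, wan_a, wan_b, b"\x00" * 120),                          # encrypted site traffic
        build_ipv4(UDP, wan_a, wan_b,
                   struct.pack("!HHHH", 500, 500, 40, 0) + b"\x00" * 32),      # IKE
        build_ipv4(ICMP, wan_b, wan_a, b"\x03\x04" + b"\x00" * 6),              # frag-needed from far end
        build_ipv4(ESP, wan_a, wan_b, b"\x00" * 120, frag_field=MF_FLAG),      # ESP got fragmented
        build_ipv4(TCP, "10.1.0.5", "10.2.0.7",
                   struct.pack("!HH", 49152, 445) + b"\x00" * 20),             # cleartext leak
    ]


if __name__ == "__main__":
    counts, leaks = audit(sample_capture())
    print(counts)
    for idx, src, dst, proto in leaks:
        print(f"packet {idx}: {src} -> {dst} proto {proto} left in the clear")
```

A non-zero cleartext count on the link means the crypto map or tunnel interface is not catching some traffic (an interesting-traffic ACL that misses a subnet, or the SA having dropped and the router routing around it), which is exactly the case the IPsec layer is supposed to remove. A non-zero fragment count means the MTU/MSS clamp on the LAN side is not doing its job.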
