VPLS Question

[J001]

Hello,

Need some help understanding concepts of VPLS and Multi-VRF.

We are in the process of implementing VPLS.

We have two main sites A&B and each site has smaller offices.

With the new VPLS cloud all the sites and offices are meshed and can connect to each other, where as before each of the smaller offices could not talk to each other and could only do this by explicit rules on firewalls between sites A & B that were connected using P2P circuits.

Ideally we want to improve security with VPLS solution and only allow VoIP traffic between smaller offices between A&B for now and look as other application connections later.

Can we do this with Multi-VRF ? and how ?

If not do we set up Vlans or use pseudo wire etc...with firewalls ?

Any help appreciated.

 

[unclerico]

Please clarify the physical location of the sites. You say that there are two main sites and then both of these sites are comprised of multiple smaller offices? Is this a multi tennant situation? I guess I'm just trying to determine if you have a single POP in a building or if each of these sites are geographically separate.

 

[J001]

All the sites including smaller offices are geographically separate.

They all have different POP.

Site A and B are effectively different domains.

 

[unclerico]

you want to get on the horn with your provider and describe your situation. tell them that you want a shared services vpn amongst your sites so the voip traffic can "leak" between each. they will know exactly what they need to do in order to make this happen.

 

[J001]

Yes we are speaking with provider but in terms of design need to know if anyone has VPLS currently and alternate options to over come issues without making it too complex.

 

[VinceWhirlwind]

Basically, think of it as a VPN, EXCEPT, instead of it being a tunnel with an entrance in two locations, it's a tunnel with as many entrances as you ask your provider to add to it.

They segregate your traffic from all their other customers' traffic by adding a label on it on their Provider Edge (PE) router. Once it has the label added to it, it is passed in to their network where the P routers switch it by label until they get it to the PE router at the remote end. At that point, the egress PE router gets rid of the label and hands over the frame to your Customer Equipment (CE).

So, the issues are:

1/ QoS - make sure you are getting QoS. Check your CoS is (a) being preserved and (b) being honoured. Providers are great at ignoring your CoS unless you test it and show them they're not doing it right.

2/ Security - what's your classification level? Do you need encryption? If so, get a layer 3 service. If not, then why would you break your mesh to restrict traffic for no good reason?

 

[unclerico]

This is extremely simple in terms of design and implementation. All you need to do is identify the prefixes that comprise the VoIP networks at each location and tell your service provider. They should then in turn modify the VRF configs on the PE devices and incorporate some sort of export map (I say some sort because if it's not Cisco PE the the other vendor may call it something else) and then add an additional import statement... Pretty easy. The only thing you will run into is that the path between each VoIP network is 100% open so you may need some security added to filter ports/protocols between each.

 

[J001]

In terms of security we are effectly still two different domains.

All EMEA smaller offices come into UK data Center Site A. US has offices in different states plus some Asia sites come into US Data Center Site B.

Since we are moving into one big meshed environment (cloud) there are still concerns from security aspects as to how to prevent smaller offices in US accessing devices in EMEA or Uk. VoIP is required between all sites but only certain application access will be restricted from either side. Having 2 separate clouds will not work which was discussed.

We have 2 data centres at site A i.e UK and similar in US site B.
Primary and BackUp circuits is required.

Encryption and QOS is something that we will need to look at. QOS for VoIP.

Vlans is something to consider plus we would need a Firewall but it would have to be on the Internal LAN ? as all sites terminate to same VPLS router at both data centres at each site.

 

[VinceWhirlwind]

there are still concerns from security aspects as to how to prevent smaller offices in US accessing devices in EMEA or Uk"

There's been this thing called Windows NT since over 20 years ago for that. AD/LDAP, etc....

It's called role-based permissions (not location) and it is the way it is now done.
Sadly, a lot of people go to Uni where they are taught how to do IT 1980's-style. They are a challenge, that's for sure....