Sunday, April 22, 2018

Looking for feedback on our WAN redesign

I'm fortunate enough to be in a position to completely rebuild our enterprise WAN from the ground up. What we have now I inherited a while back and, while it works, we've all decided it's time for change due to trouble surrounding our current provider.

Today we have a Layer 3 MPLS VPN. We use BGP to peer with our provider over a /30 at each site. They don't support multicast, they don't support IPv6, and they don't support jumbo frames.

We're now looking at a Layer 2 MPLS VPN from another provider where we can use multicast, IPv6 (since they just do layer 2), and full jumbo frames.

Anyways, just looking for a second opinion on some of the design implementation.

WAN Network

The Layer 2 WAN will be a single /24 (or /16, as we're planning for growth) and an IPv6 /64. Things like CDP, LLDP, and Proxy ARP will be disabled on the WAN interface, along with any other broadcast or link-local traffic we don't need, as we don't want to flood our WAN with garbage.

iBGP

Our datacenter router(s) will act as route reflectors for the locations. This keeps the location BGP configs clean as they only need one adjacency to our datacenter. I also want BGP to peer with the loopback address of each router, therefore I will use an IGP to announce loopback addresses such that each router can reach each other's loopbacks without static routes.

IGP

Today we don't use an IGP at the individual locations since it's just a single router and then we eBGP to our carrier. I'm not comfortable with OSPF and began looking into IS-IS for our IGP. It looks like IS-IS is less "chatty," which will reduce the amount of bandwidth being used for updates. Each site will be an IS-IS Level 2 router and both the WAN and Loopback interfaces will have IS-IS enabled. I've tested this out already and it works well, but will it scale to 100 locations? 200? 500?

VLANs

Instead of treating the WAN as one giant broadcast domain, we have the ability to VLAN off clusters of sites into a VLAN, then our datacenter would have each region's VLAN come in over a different sub-interface. This would reduce the broadcast domain significantly, but I'm not sure that it's necessary given the current number of sites. It would also prohibit our sites in different VLANs from talking to one another without going through the datacenter first.
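The pieces described above (the hardened WAN interface, IS-IS Level 2 on the WAN and loopback, iBGP to datacenter route reflectors over loopbacks, and the optional per-region VLAN sub-interfaces at the datacenter) fit together into the following IOS-style configuration. This is an added example, not the author's configuration: the AS number 65000, the 10.0.0.0/16 loopback range, the 10.255.0.0/24 WAN subnet, the 2001:db8::/32 prefixes, the VLAN IDs, and the key names are all assumptions. Because the WAN is a shared Layer 2 segment from a third party, the example also authenticates IS-IS hellos and LSPs and sets a BGP password, and keeps IS-IS passive on the loopback so it is advertised but never forms an adjacency there. One caveat the VLAN section touches on: on a broadcast segment IS-IS forms an adjacency with every other router on the LAN (the DIS only coordinates flooding), so each site router would hold N-1 adjacencies on a single flat WAN; splitting regions into VLANs bounds that number, which is the thing to measure when testing at 100, 200, or 500 sites.

```cisco
! ---- Site router (one per location), assumed addressing ----
key chain ISIS-KEY
 key 1
  key-string REPLACE-ME        ! assumed placeholder, not a real key
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ipv6 address 2001:db8:0:1::1/128
 ip router isis
 ipv6 router isis
!
interface GigabitEthernet0/1
 description Layer 2 MPLS WAN (shared segment)
 mtu 9000                      ! jumbo frames end to end on the new carrier
 ip address 10.255.0.11 255.255.255.0
 ipv6 address 2001:db8:ffff::11/64
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no cdp enable                 ! no CDP/LLDP onto the shared WAN
 no lldp transmit
 no lldp receive
 ip router isis
 ipv6 router isis
 isis authentication mode md5  ! authenticate hellos on the shared segment
 isis authentication key-chain ISIS-KEY
!
router isis
 net 49.0001.0100.0000.0001.00 ! area 49.0001, sysid derived from loopback
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback0   ! advertise loopback, never form adjacency on it
 authentication mode md5 level-2
 authentication key-chain ISIS-KEY level-2
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor RR peer-group
 neighbor RR remote-as 65000
 neighbor RR update-source Loopback0   ! session lives on loopbacks, reached via IS-IS
 neighbor RR password REPLACE-ME       ! assumed placeholder
 neighbor 10.0.0.1 peer-group RR       ! datacenter route reflector A
 neighbor 10.0.0.2 peer-group RR       ! datacenter route reflector B
 address-family ipv4
  neighbor RR activate
  network 10.1.0.0 mask 255.255.255.0  ! this site's LAN, assumed
!
! ---- Datacenter route reflector with per-region VLAN sub-interfaces ----
interface GigabitEthernet0/1
 description Layer 2 MPLS WAN trunk
 mtu 9000
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet0/1.100
 description Region East, VLAN 100 (assumed)
 encapsulation dot1Q 100
 ip address 10.255.100.1 255.255.255.0
 ipv6 address 2001:db8:ff64::1/64
 no ip proxy-arp
 no ip redirects
 ip router isis
 ipv6 router isis
 isis authentication mode md5
 isis authentication key-chain ISIS-KEY
!
router bgp 65000
 neighbor SITES peer-group
 neighbor SITES remote-as 65000
 neighbor SITES update-source Loopback0
 neighbor SITES password REPLACE-ME
 neighbor 10.0.1.1 peer-group SITES
 neighbor 10.0.1.2 peer-group SITES
 address-family ipv4
  neighbor SITES activate
  neighbor SITES route-reflector-client
```

If the sites are not split into VLANs, the datacenter simply uses the same single WAN interface configuration as the sites and every router lands in the one /24. IPv6 reachability for BGP is handled by a second session under `address-family ipv6` with the same loopback peering, which is omitted here to keep the example to the topics on the page.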

Would anyone do anything differently here?


