Enterprise network as an ISP with a single huge customer
Hello, I'm sure lots of you work for big enterprises, and some of you work for biggest of them. How many of you architect your network as an ISP, with that enterprise as the biggest customer ? Office networks in l3vpn, VPLS/EVPN on top of your own network for DCI, etc ? Or is it usually just a single IGP domain with no unnecessary bells and whistles ? Do you think one approach is better than the other ? If so, why ? I understand that it usually comes down to specific circumstances and most likely scale but I'd still love to hear about your experience.
it's nice to have the tools to segregate traffic/users/things... mpls/etc is one method to do that... I don't know that many enterprises pursue this path though :( which is sad (I think).
i have seen a lot of this done with firewall devices and vlans. with vlans or mpls, you can make spaghetti without wires, one wheat and one semolina. randy
oh absolutely. you can use many tools to lop off your fingers, my point was that things like mpls (or vlans) provide a nice other tool to use along with your firewalls and such. of course you ought not willy-nilly go crazy with this, but... imagine if the 'hr department' were in one contiguous 'VRF' which had a defined set of 2-3 exit points to control access through... while those willy 'engineers' could be stuck in their own ghetto/VRF and have a different set of 2-3 exit points to control. Expand your network over many locations and in large buildings and ... it can be attractive to run a 2547 network that the company is a 'customer' of, or so I was thinking :)
i have seen people successful with this with mpls and with vlans with non-mpls tunnel tech (e.g. ipsec for the paranoid). i have seen them screw the pooch with both. randy
You can compartmentalize your network in lots of ways. What I'd like to know is what ways failed harder in other people's experience (or at least faster). I'm not sure doing it ISP style is better, but I think it has some benefits. Then again, the opposite is true as well, less complexity means more stability. Usually.
It will also depend greatly on the knowledge of the design team / person and the operations team. If the designer is ex-SP or has a strong knowledge of both SP and Enterprise then yes, a good design may result. There are plenty of people out there that will use MPLS / multiple tables for the wrong reasons just so they can say that's what they're doing. Regards, Tim Raphael
On 13 Jun 2015, at 10:00, Tim Raphael wrote:
There are plenty of people out there that will use MPLS / multiple tables for the wrong reasons just so they can say that's what they're doing.
Concur 100%. I also agree with both Chris and with Randy with regards to pros and cons of this general approach. In my subjective experience, relatively few enterprises have the technical and operational savvy to design, deploy, operate, and troubleshoot a network designed in such a manner, or even understand the appropriate usage of these technologies, much less reap the benefits thereof. Unless they've invested in hiring people with the right skillsets and breadth/depth of actual operational experience, this can be a path fraught with significant risk.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
In my subjective experience, relatively few enterprises have the technical and operational savvy to design, deploy, operate, and troubleshoot a network designed in such a manner, or even understand the appropriate usage of these technologies, much less reap the benefits thereof.
i have seen many universities and large enterprises with as much clue as your serious isp. where they fall behind your average nanogger is testosterone poisoning. randy
On 13 Jun 2015, at 17:49, Randy Bush wrote:
i have seen many universities and large enterprises with as much clue as your serious isp.
I've seen a few, but not many. All of the ones I've seen who fall into that category operate significant public-facing infrastructure, so they have personnel with the necessary skillsets and experience.
where they fall behind your average nanogger is testosterone poisoning.
I couldn't agree more.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
What I have done is leverage the production data center redundancy to provide connectivity services to any nearby offices in the same region, basically using our colo as the office ISP for internet connectivity, but as far as doing vpls services and the like, it has been so far cheaper to contract that out, as the places where I have worked have had many more offices than production internet sites with what one might call "hardened" internet services. It's just cheaper in most cases to go with a third party vendor to provide a VPLS mesh of all of the offices globally than it is for us to do it. Offices move, close, colos change locations. I can call a vendor, tell them we are moving an office to a different building, they worry about moving the circuit. Trying to mesh everything from Sydney to Bangalore to London to San Francisco and all the branch offices in between is great if you have a bunch of people sitting around who are otherwise unoccupied, but if you run a lean headcount anyway, farming this out pays in the long run for the shops where I have worked. Not saying this holds true for every scenario, though. If we had production PoPs in the cities where we had offices, yeah, it might make some sense.
On 12/Jun/15 19:08, Stepan Kucherenko wrote:
How many of you architect your network as an ISP, with that enterprise as the biggest customer ? Office networks in l3vpn, VPLS/EVPN on top of your own network for DCI, etc ? Or is it usually just a single IGP domain with no unnecessary bells and whistles ?
We run a commercial ISP network that provides IP and other non-IP services to our customers. On top of that, our corporate/enterprise network is a customer. Implementation is l3vpn with firewalls at each office sitting between the l3vpn and public Internet. Enterprise and Internet traffic is routed accordingly. DCN network is a combination of l2vpn and l3vpn, depending on what part of the network the DCN needs to touch. Mark.
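The common thread in Chris's "HR in one contiguous VRF with a defined set of exit points" and Mark's "l3vpn with firewalls at each office" is a hub-and-spoke route-target policy. The following is an added example, not code from the thread or from any poster: a small Python model of RFC 4364 route-target import/export that computes which VRFs learn each other's routes and flags department VRFs that can reach each other without passing through the firewall hub. All VRF names and RT values are constructed for illustration.

```python
# Added example (not from the thread): a model of the RFC 4364 route-target policy
# behind "HR in one contiguous VRF with a defined set of exit points". VRF names and
# RT values are constructed for illustration.

def reachability(vrfs):
    """vrfs maps name -> (export_rts, import_rts). A VRF learns another VRF's routes
    when one of that VRF's export RTs matches one of its own import RTs."""
    return {
        name: {o for o, (exp, _) in vrfs.items() if o != name and exp & imp}
        for name, (_, imp) in vrfs.items()
    }

def isolation_violations(vrfs, hubs):
    """Spoke pairs that learn each other's routes directly, i.e. traffic between them
    would bypass the firewall hub meant to be the only exit point."""
    reach = reachability(vrfs)
    return {
        tuple(sorted((a, b)))
        for a in vrfs if a not in hubs
        for b in reach[a] if b not in hubs
    }

HUB = {"FW-EXIT"}
# Hub-and-spoke: each department imports only the hub's RT; the hub imports all.
GOOD = {
    "FW-EXIT": ({"65000:1"}, {"65000:100", "65000:200"}),
    "HR":      ({"65000:100"}, {"65000:1"}),
    "ENG":     ({"65000:200"}, {"65000:1"}),
}
# Same design with one typo-grade mistake: ENG also imports HR's RT, so HR and ENG
# exchange routes directly and the firewall exit point is bypassed.
LEAKY = {
    "FW-EXIT": ({"65000:1"}, {"65000:100", "65000:200"}),
    "HR":      ({"65000:100"}, {"65000:1"}),
    "ENG":     ({"65000:200"}, {"65000:1", "65000:100"}),
}

if __name__ == "__main__":
    print("good design leaks:", isolation_violations(GOOD, HUB))    # set()
    print("leaky design leaks:", isolation_violations(LEAKY, HUB))  # {('ENG', 'HR')}
```

Running the check against the intended RT table before pushing it to the PEs catches exactly the class of mistake Randy describes as making "spaghetti without wires".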
Date: Fri, Jun 12, 2015 at 08:08:29PM +0300 Quoting Stepan Kucherenko (twh@megagroup.ru):
How many of you architect your network as an ISP, with that enterprise as the biggest customer ? Office networks in l3vpn, VPLS/EVPN on top of your own network for DCI, etc ? Or is it usually just a single IGP domain with no unnecessary bells and whistles ?
We do at $dayjob (public service radio station network). We try to stay away from the TE side of MPLS, but the other knobs are pretty much in use. A lot of our newer uses for the network are realtime audio in hi-fi quality. Latency is our enemy, and so we don't do TCP, we skip retransmits, buffers to be able to wait for a late packet are so short it rarely matters, etc. That means a lot of prioritisation being done. It is easier in our "isp-type" network. As a very distributed company (in meatspace, but at the same time very unified in infrastructure) we sure need the flexibility. Doing this on usual VLAN/routing would not fly very well. A lot of the devices we run aren't really fit for living with other networked devices, especially those devices fondled by Users. We usually just push them in another VRF.
Do you think one approach is better than the other ? If so, why ?
I'd love to have a single flat routing domain. But I do not think it works with the kind of legacy stuff (some of it brand new...) we run.
I understand that it usually comes down to specific circumstances and most likely scale but I'd still love to hear about your experience.
-- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668