It used to be that, unless you worked for a WAN service provider, you did not really need to know how the MPLS cloud works at the micro level, but the Cloud Connectiv team realizes times are changing. To understand and appreciate the benefits inherent in the technology, it also helps to know the basics. To that end we are going to use a common enterprise MPLS deployment architecture, using the network diagram shown above. Our scenario shows an enterprise that is leveraging an MPLS provider to interconnect three geographically dispersed locations.
Is SD-WAN the right fit for your infrastructure?
Bandwidth-intensive applications, increased adoption of cloud computing and data centre consolidation all place demands on a business's Wide Area Network (WAN). Unfortunately, network budgets are struggling to keep pace with this demand. Internet connectivity is a reliable and cost-effective way to add capacity, but because it is a public network, traffic over it must be protected (typically by encrypting and authenticating it) and the exposure carefully managed. Cloud Connectiv's Managed SD-WAN service lets you securely expand your WAN with Internet connectivity and dynamically route traffic for each business application through the best available path. WAN bandwidth and performance are improved while costs are reduced.
MPLS VPN
A combination of Multiprotocol BGP (MP-BGP) and a label distribution protocol (typically LDP) is used to communicate prefix and label information. MP-BGP carries the customer prefixes between provider-edge (PE) routers, each prefixed with a route distinguisher so that overlapping customer addresses remain distinct, tagged with route-target communities that decide which VRFs import the route, and accompanied by a VPN label that the egress PE maps back to the right VRF; LDP distributes the transport labels that carry the packet across the core between PEs. These protocols permit near-automatic set-up of a Layer 3 VPN as an any-to-any or hub-and-spoke topology, with the topology determined by the route-target import and export policy rather than by per-site circuits. Compare this with the messy techniques required to scale and manage VLANs in large Layer 2 networks.
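The following is an added example, not code or configuration from Cloud Connectiv, that models the control-plane behaviour just described: route distinguishers keep two customers' overlapping prefixes apart in the VPNv4 table, and route-target import/export policy alone produces an any-to-any VPN for one customer and a hub-and-spoke VPN for another. The ASN 65000, the route-target and route-distinguisher values, the PE names and the prefixes are all constructed for the example, and LDP transport labels are left out. It also includes the check a practitioner wants before trusting the separation: an audit that flags a VRF importing a route target allocated to a different customer, which is how routes leak between VPNs without any error being raised.

```python
"""Toy model of the MPLS Layer 3 VPN control plane (added example, constructed
data). A route distinguisher (RD) makes overlapping customer prefixes distinct
BGP NLRI; route targets (RT) decide which VRF imports which routes and so fix
the topology (any-to-any vs hub-and-spoke). LDP transport labels are not modelled."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from itertools import count


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher, here "PE-loopback:nn"
    prefix: IPv4Network     # customer prefix; may overlap between VPNs
    next_hop: str           # originating PE (its loopback in a real network)
    vpn_label: int          # label the egress PE maps back to the VRF
    rts: frozenset          # export route targets (extended communities)


@dataclass
class Vrf:
    name: str               # VRF name on this PE
    customer: str           # VPN the VRF is allocated to
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: tuple = ()       # prefixes learned from the attached CE
    table: dict = field(default_factory=dict)  # prefix -> [VpnRoute] after import


_label = count(16)          # label values 0-15 are reserved


def export_routes(pe, vrf):
    """Originate one VPNv4 route per local prefix, as a PE does into MP-BGP."""
    return [VpnRoute(vrf.rd, IPv4Network(p), pe, next(_label), vrf.export_rts)
            for p in vrf.local]


def import_routes(vrf, vpnv4):
    """Install every route whose RTs intersect this VRF's import RTs."""
    vrf.table = {}
    for r in vpnv4:
        if r.rts & vrf.import_rts:
            vrf.table.setdefault(r.prefix, []).append(r)


def build(pes):
    """pes: {pe: [Vrf, ...]} -> (VPNv4 table, {(pe, vrf name): reachable prefixes})."""
    vpnv4 = [r for pe, vrfs in pes.items() for v in vrfs for r in export_routes(pe, v)]
    reach = {}
    for pe, vrfs in pes.items():
        for v in vrfs:
            import_routes(v, vpnv4)
            reach[(pe, v.name)] = sorted(str(p) for p in v.table)
    return vpnv4, reach


def audit_rt_ownership(pes, owner):
    """Flag any VRF that imports or exports an RT allocated to another customer.
    owner maps RT -> customer. A wrong RT leaks routes between VPNs silently."""
    return sorted((pe, v.name, rt, owner.get(rt, "unallocated"))
                  for pe, vrfs in pes.items() for v in vrfs
                  for rt in v.import_rts | v.export_rts
                  if owner.get(rt, "unallocated") != v.customer)


# Constructed RT plan (hypothetical ASN 65000). RDs use the PE loopback so the
# two namespaces cannot be confused.
CORP = "65000:100"                      # any-to-any: every corp site imports and exports it
HUB, SPOKE = "65000:201", "65000:202"   # hub-and-spoke for the acquired company
RT_OWNER = {CORP: "corp", HUB: "acq", SPOKE: "acq"}


def topology(leak=False):
    """Three PEs. 'corp' is any-to-any; 'acq' is hub-and-spoke with the hub on pe1.
    The acquired company reuses 10.2.0.0/24, which corp also uses behind pe2.
    leak=True reproduces a common mistake: the hub VRF also imports corp's RT."""
    hub_in = frozenset({SPOKE, CORP} if leak else {SPOKE})
    rt = frozenset
    return {
        "pe1": [Vrf("CORP", "corp", "1.1.1.1:100", rt({CORP}), rt({CORP}), ("10.1.0.0/24",)),
                Vrf("ACQ-HUB", "acq", "1.1.1.1:200", hub_in, rt({HUB}), ("172.16.0.0/24",))],
        "pe2": [Vrf("CORP", "corp", "2.2.2.2:100", rt({CORP}), rt({CORP}), ("10.2.0.0/24",)),
                Vrf("ACQ", "acq", "2.2.2.2:200", rt({HUB}), rt({SPOKE}), ("10.2.0.0/24",))],
        "pe3": [Vrf("CORP", "corp", "3.3.3.3:100", rt({CORP}), rt({CORP}), ("10.3.0.0/24",)),
                Vrf("ACQ", "acq", "3.3.3.3:200", rt({HUB}), rt({SPOKE}), ("192.168.3.0/24",))],
    }


if __name__ == "__main__":
    for leak in (False, True):
        pes = topology(leak)
        vpnv4, reach = build(pes)
        print(f"leak={leak}: {len({(r.rd, r.prefix) for r in vpnv4})} VPNv4 NLRI, "
              f"{len({r.prefix for r in vpnv4})} distinct prefixes")
        for key, prefixes in reach.items():
            print("  ", key, prefixes)
        print("   audit:", audit_rt_ownership(pes, RT_OWNER) or "clean")
```

Run as a script, the clean topology shows the corp VRFs reaching all three corp sites, the hub reaching both spokes, and each spoke reaching only the hub, while the VPNv4 table holds six NLRI for five distinct prefixes because the two 10.2.0.0/24 routes differ by RD. With `leak=True` the hub VRF suddenly lists every corp prefix and carries two different 10.2.0.0/24 routes; on a real PE best-path selection would then pick one of them and silently black-hole the other, which is why the ownership audit, not traffic testing, is the check to run after every RT change.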
Although service providers have been offering managed MPLS-based VPN solutions for years, the largest enterprise customers are now beginning to investigate and deploy MPLS in their own networks to implement self-managed MPLS-based VPN services. The concept of self-managed enterprise networks is not new; many enterprise customers purchase Layer 2 TDM, Frame Relay or ATM circuits and deploy their own routed network over them. The largest enterprises even manage their own core networks by implementing Frame Relay or ATM-based switching infrastructures and "selling" connectivity services to other organizations within their companies.
Both of these approaches have disadvantages: deploying an IP-based infrastructure over leased lines offers little flexibility, and its segmentation capabilities are cumbersome at best, while deploying a switched Frame Relay or ATM infrastructure to provide resiliency and segmentation is within reach of only the largest and most technically savvy enterprises.
As noted, the self-managed MPLS-based network is typically reserved for larger enterprises willing to make a significant investment in network equipment and training, with an IT staff that is comfortable with a high degree of technical complexity. A self-managed MPLS VPN can be an attractive option if a business meets these requirements and wants to fully control its own WAN or MAN and to increase segmentation across multiple sites to guarantee delivery of specific applications. The level of separation between the VPNs is comparable to private connectivity without needing service provider intervention, allowing for consistent network segmentation of departments, business functions and user groups. Two caveats apply. First, the separation is only as strong as the route-target policy: a VRF that imports another VPN's route target silently receives that VPN's routes, so the import/export configuration deserves the same change control and review as a firewall policy. Second, it is routing and addressing isolation, not encryption; the label stack does nothing to protect traffic from anyone with access to the core links, so confidentiality still has to come from encryption at a higher layer where it is required.
While the technology enables you to create the logical separation across networks, it is important to understand the reasons for creating these logical networks. Enterprise customers increasingly require segmentation for a number of different reasons:
• Closed User Groups (CUG)—CUGs can be created based on a number of different business criteria, with guest Internet access for onsite personnel being the simplest example. Providing NAC/isolation services also creates a need to separate non-conforming clients. While this can be done using VLANs within a Layer 2 campus network, it requires Layer 3 VPN functionality to extend it across Layer 3 boundaries. CUGs can also be created with partners, either individually or as a sub-group, where the segmentation criterion is the set of resources to be shared or accessed. This simplifies information sharing with partners while still providing security and traffic separation.
• Virtualization—Segmentation to the desktop is driving virtualization in the application server space. This means that even existing employees can be segmented into different CUGs where they are granted access to internal services based on their group membership.
• Enterprise as a Service Provider—As enterprise networks expand along with their organizations, IT departments at some large enterprises have become internal service providers. They leverage a shared network infrastructure to provide network services to individual business units (BUs) within the enterprise. This requires not only creating VPNs, but also giving each BU access to shared corporate applications. Such a model can be expanded to cover the case in which a company acquires another company (possibly with an overlapping IP addressing scheme) and needs to eventually consolidate the networks, the applications and the back-office operations; the route distinguisher attached to each VPN route is what lets the overlapping prefixes coexist until that consolidation is done.
• Protecting critical applications—Another segmentation criterion can be based on the applications themselves rather than the users. An organization that feels its critical applications need to be separated from everyday network users can create a VPN for each application or group of applications. This not only protects them from malicious traffic but also makes it easier to control user access to the applications. An example of this is creating separate VPNs for voice and data.