MPLS VPNs or not?

jlewis at lewis.org jlewis at lewis.org
Tue Aug 7 16:18:25 UTC 2001


On Tue, 7 Aug 2001, Andy Walden wrote:

> > Experts call MPLS bad for 'Net
> >
> > http://www.nwfusion.com/news/2001/0806mpls.html
> >
>
> I think it's pretty well known that multiple routing tables, a la 2547-bis,
> is not scalable. Apparently the author was fed the story and doesn't have

Why not?  Each MPLS VPN will likely not add very many routes.  Having just
set up a few MPLS VPNs, I think the only hard parts were finding clear
docs/examples on Cisco's web site and working around IOS bugs encountered
while turning up some of the VPN circuits.  We're using BGP to distribute
static and connected routes between our PEs, and the CEs all have static
routes, mostly just defaults.  Once you've done one, it's really not any
harder than turning up a regular IP customer.  It's certainly easier than
dealing with the traditional VPN support in some CPE hardware.

I don't buy the security concern that we'll misconfigure VPNs and leak
routes and traffic from one to another.  I do think MPLS VPNs will give
customers a false sense of security though.  As others have mentioned,
it's not really virtual, and it's not private.  Their packets still ride
our network without encryption.  It's segregated by our routers, but not
private.

Unfortunately, a few network providers started the ball rolling by
offering this type of service, and now some customers expect it, even if
their original provider went out of business.  So we've been rushed into
figuring out and deploying it.

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________



