MPLS VPN Deployment PE/CE in one chassis

I am planning on using my PE as a CE also; has anyone done this in the past? Are there any complications? PE/CE router is a Cisco 6840. We run VRFs and will be providing L2/L3 VPN services.

PE = Provider Edge. CE = Customer Edge. It’s lines of demarcation and responsibility. Nothing more. It comes down to what you want to take on operationally.

Having a router play double duty as both a PE as well as P is fine as basically it just means you are terminating some LSPs as well as having transit LSPs, but IDK how/why you would double up PE and CE as the split there is the demarcation of responsibility, not really the config.

We do this, but we’re also controlling the downstream devices in most cases. Where we don’t own the downstream devices we peer via BGP to the CE.

Working for a telecom company in the US, it's a policy not to have shared services on the PE device, since mucking around by either end can cause unnecessary downtime. That aside, it does provide a lot of benefit running multiple VRFs for your MPLS network.

We do this for DIA services. Hand off the LAN block directly.

Own the whole network, so operationally I'm all in already.

VRF services to segregate customers.

We are doing MPLS with VRFs and L2/L3 VPN so that there is segregation between customers that span multiple areas. This is a multi-site campus network with multiple customers and services that need complete segregation. The demarcation of responsibility ends at user workstations, unfortunately.

Rgr that, figured as much. The short answer is no, no issue. I assume you’re just popping MPLS and breaking out VPN/VRFs on the device as well as using it for other operational tasks? Again, no issue. The PE/CE nomenclature typically describes where MPLS pops and a lot of people get wrapped into that, but MPLS VPN has no reliance upon PE/CE concepts, it’s just easier for people and contracts to be written around that concept. Pop your labels where you want or send some down a little further if it makes sense (just remember, a simpler network is easier to understand and scale).

So that seems like you don't have any CE, but that you have a 6840 that is touching multiple customer LANs directly and landing those into different VRFs. If anything, if the box is on-site it could be termed Customer Premises Equipment (CPE), but basically you are just running a PE directly without any CE. Rather than the PE having to pick up routes from a CE, it just has connected routes and reaches them directly.

Is that right?

If so, just ensure you take proper precautions to protect your PE accordingly on the customer-facing side if you’re touching their LANs directly.

Technically, the PE doesn’t do the popping, unless PHP (penultimate hop popping) is disabled. The PE is usually simple routing from ingress interface to egress interface towards the CE and push from the CE.

What precautions are you recommending?

The PE ultimately would in this scenario, as the traffic would be sent from the ingress PE as a double-labelled packet. The inner label is the VRF label and the outer is the switchable MPLS label to direct the packet to the right egress PE. Yes, PHP would happen at the second-to-last P router (should it be enabled) and would pop off the outer label. But a labelled packet would still reach the egress PE. The egress PE would then use this label to direct the packet to the right VRF. For example:

[email protected]> show route table mpls.0

mpls.0: 309 destinations, 309 routes (309 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

16                 *[VPN/0] 48w4d 03:40:14
                      to table l3vpn1.inet.0, Pop
17                 *[VPN/0] 48w4d 00:42:22
                      to table l3vpn2.inet.0, Pop
18                 *[VPN/0] 43w0d 04:42:48
                      to table l3vpn3.inet.0, Pop

Ingress router would encapsulate with Outer: 664301 (or whatever) and Inner: 16.
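The label-stack walk described in that reply (ingress PE pushes two labels, the penultimate P router pops the outer one, the egress PE maps the remaining VPN label to a VRF table), as an added worked example that is not part of the thread or of any vendor's code. It parses the `show route table mpls.0` excerpt quoted above into a label-to-VRF map, then builds a constructed packet with outer label 664301 and inner label 16 and follows it through PHP and the egress lookup. The label values and the payload bytes are the thread's own or constructed placeholders; the MPLS shim encoding is the standard 32-bit entry (20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL).

```python
import re
import struct

# Excerpt of the "show route table mpls.0" output quoted in the thread (constructed copy).
MPLS_TABLE_TEXT = """\
mpls.0: 309 destinations, 309 routes (309 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

16                 *[VPN/0] 48w4d 03:40:14
                      to table l3vpn1.inet.0, Pop
17                 *[VPN/0] 48w4d 00:42:22
                      to table l3vpn2.inet.0, Pop
18                 *[VPN/0] 43w0d 04:42:48
                      to table l3vpn3.inet.0, Pop
"""


def parse_mpls_table(text):
    """Map each VPN label in the mpls.0 output to the VRF table it points into."""
    table = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\*\[VPN/\d+\]", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"^\s+to table (\S+), Pop", line)
        if m and current is not None:
            table[current] = m.group(1)
            current = None
    return table


def encode_label(label, bos, tc=0, ttl=255):
    """One 32-bit MPLS shim entry: label(20) | TC(3) | bottom-of-stack(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def push_stack(payload, transport_label, vpn_label):
    """Ingress PE: push the inner VPN label first, then the outer transport label."""
    return encode_label(transport_label, bos=False) + encode_label(vpn_label, bos=True) + payload


def parse_stack(pkt):
    """Return (labels outer-first, payload after the bottom-of-stack entry)."""
    labels = []
    off = 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", pkt[off:off + 4])
        labels.append(word >> 12)
        off += 4
        if (word >> 8) & 1:  # bottom-of-stack bit set: payload follows
            return labels, pkt[off:]


def php(pkt):
    """Penultimate hop: pop the outer transport label, leaving the VPN label on top."""
    labels, _ = parse_stack(pkt)
    if len(labels) < 2:
        raise ValueError("PHP needs at least two labels on the stack")
    return pkt[4:]


def egress_lookup(pkt, mpls_table):
    """Egress PE: the remaining top label selects the VRF table for the IP payload."""
    labels, payload = parse_stack(pkt)
    top = labels[0]
    if top not in mpls_table:
        raise KeyError(f"label {top} has no entry in mpls.0")
    return mpls_table[top], payload


if __name__ == "__main__":
    table = parse_mpls_table(MPLS_TABLE_TEXT)
    ip_payload = bytes([0x45, 0x00]) + bytes(18)  # constructed stand-in for an IPv4 header
    pkt = push_stack(ip_payload, transport_label=664301, vpn_label=16)
    print("ingress stack:", parse_stack(pkt)[0])          # [664301, 16]
    after_php = php(pkt)
    print("after PHP:", parse_stack(after_php)[0])        # [16]
    print("egress VRF:", egress_lookup(after_php, table)[0])  # l3vpn1.inet.0
```

Two points the walk makes explicit: PHP only ever removes the outer entry, so the egress PE always still receives a labelled packet; and the VPN label is only meaningful in the egress PE's own `mpls.0`, which is why a label that is not in that table is rejected rather than forwarded.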

What precautions are you recommending?

uRPF on customer-facing interfaces, control plane policing, broadcast storm control or whatever L3 separation you would use to ensure a broadcast loop or garbage traffic on the customer LAN doesn’t nuke your RE/RP, etc.
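Two of the precautions listed above (uRPF on customer-facing interfaces and control plane policing), as an added example that is not from the thread and not any vendor's implementation. It models a PE that holds connected customer LANs directly in a VRF, as the original poster described, and shows what strict versus loose uRPF actually decides for a source address, plus a token-bucket policer of the kind CoPP applies to traffic punted to the RE/RP. The VRF name `CUST-A`, the interface names and the prefixes are constructed placeholders.

```python
import ipaddress

# Constructed VRF table for a PE with customer LANs as connected routes (no CE).
# VRF name, interface names and prefixes are placeholders, not the thread's values.
VRF_ROUTES = {
    "CUST-A": {
        ipaddress.ip_network("10.1.0.0/24"): "ge-0/0/1",  # customer LAN A, connected
        ipaddress.ip_network("10.2.0.0/24"): "ge-0/0/2",  # customer LAN B, connected
        ipaddress.ip_network("0.0.0.0/0"): "lo0.vpn",     # default learned over the VPN
    }
}


def lookup(vrf, address):
    """Longest-prefix match in the VRF; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, ifname in VRF_ROUTES[vrf].items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(vrf, src, ingress, mode="strict"):
    """Unicast RPF on the ingress interface of a packet with source address src.

    strict: the best route to src must point back out the ingress interface.
    loose:  any non-default route to src is enough.
    A default route alone never satisfies either mode here (the usual vendor
    behaviour unless allow-default is explicitly configured).
    """
    match = lookup(vrf, src)
    if match is None or match[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return match[1] == ingress


class Policer:
    """Token bucket: refills `rate` tokens per second up to `burst`; one token per packet."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def police_punts(timestamps, rate, burst):
    """Apply one policer to a sequence of punt timestamps; True = forwarded to the RE/RP."""
    policer = Policer(rate, burst)
    return [policer.allow(t) for t in timestamps]


if __name__ == "__main__":
    # A host on LAN A sourcing its own address: passes strict uRPF on ge-0/0/1.
    print(urpf_check("CUST-A", "10.1.0.7", "ge-0/0/1"))
    # The same interface sourcing LAN B's address: strict drops it, loose lets it through.
    print(urpf_check("CUST-A", "10.2.0.7", "ge-0/0/1"))
    print(urpf_check("CUST-A", "10.2.0.7", "ge-0/0/1", mode="loose"))
    # A burst of punted packets against a 10 pps / 5 packet policer.
    print(police_punts([0.0] * 8 + [1.0], rate=10, burst=5))
```

The strict/loose distinction is the part worth internalising: strict uRPF is what stops one directly attached customer LAN from sourcing another LAN's addresses through the same PE, but it only works cleanly on interfaces with symmetric routing, which is exactly the case for a connected LAN and not necessarily for a BGP-peered CE with multiple uplinks. The policer is deliberately per-class and bursty rather than a hard drop so that legitimate control-plane traffic survives a short spike while a broadcast storm or garbage flood cannot keep the RE/RP saturated.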