[c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options

Nick Shah Nick.Shah at aapt.com.au
Tue Jan 4 21:25:40 EST 2005


Wei

Various methods have been discussed & deployed for internet access into
VPN. Notable among these are:

http://www.cisco.com/en/US/partner/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

- Above method deals with pointing a default route to a global IGW
(internet gateway router)

Even though it works, it needs the security of a fortress. The not so
common, yet deployed across service providers, are combinations of:

- IGW with a shared/managed firewall like a netscreen. With this method
you (as a SP) host a firewall in the data center, which trunks
(DOT1Q/ISL trunk) back into the PE. Have 1 x subinterface per
customer/vrf that needs internet access. The firewall then provides
internet access.

- Managed CE router with a firewall (per customer VPN), possibly from 2
x sites, and then leak weighted defaults into the VRF. 

One of the more suicidal attempts :) was to leak the internet table into
the customer VRF...

I believe a combination of NAT & the trunk interface between PE &
firewall should cure the issue of overlapping address space you
mentioned.

rgds
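As an added example (not from Nick's message, nor from any Cisco document), the PE side of the "IGW with a shared firewall on a dot1Q trunk" design described above, in Cisco IOS configuration. VRF names, RD and route-target values, VLAN IDs, the 192.0.2.0/24 link addresses and AS 65000 are all assumed. Each customer VRF gets its own VLAN leg to the firewall and a default route that points only at that leg, so no VRF ever reaches the global table directly and the firewall is the single enforcement point:

```cisco
! PE side: one VRF per customer, one dot1Q subinterface per VRF towards
! the shared firewall. All names, numbers and addresses are assumed.
ip vrf CUST_A
 rd 65000:101
 route-target export 65000:101
 route-target import 65000:101
!
ip vrf CUST_B
 rd 65000:102
 route-target export 65000:102
 route-target import 65000:102
!
! Physical trunk to the data-centre firewall
interface GigabitEthernet0/1
 description dot1Q trunk to managed firewall
 no ip address
!
! CUST_A leg: VLAN 101, point-to-point /30 to the firewall's CUST_A subinterface
interface GigabitEthernet0/1.101
 description CUST_A internet access leg
 encapsulation dot1Q 101
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
!
! CUST_B leg: VLAN 102. Both customers may use overlapping 10.0.0.0/8
! internally; only the /30 link addresses need to be unique per leg.
interface GigabitEthernet0/1.102
 description CUST_B internet access leg
 encapsulation dot1Q 102
 ip vrf forwarding CUST_B
 ip address 192.0.2.5 255.255.255.252
!
! Per-VRF default pointing at the firewall leg, never at the global table
ip route vrf CUST_A 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 192.0.2.6
!
! Advertise that default to the customer's remote PEs over MP-BGP so
! every site of the VPN exits to the internet through the same firewall
router bgp 65000
 address-family ipv4 vrf CUST_A
  redistribute static
 exit-address-family
 address-family ipv4 vrf CUST_B
  redistribute static
 exit-address-family
```

On the firewall side each VLAN leg is terminated in its own zone (on a NetScreen, a separate virtual router per customer keeps the overlapping 10/8 return routes apart) and source-NATed to a per-customer public pool, which is what resolves the overlapping address space Wei mentions. Two things worth checking after deployment: `show ip route vrf CUST_A` should show only the firewall /30 as the default next hop, and the global routing table should contain no 192.0.2.x leg at all, since anything reachable from global would bypass the firewall.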

-----Original Message-----
From: chooweikeong at pacific.net.sg [mailto:chooweikeong at pacific.net.sg] 
Sent: Wednesday, 5 January 2005 1:15 PM
To: Nick Shah
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options


Hi Nick,

That's a good 5000ft overview on MPLS/VPN :).

I'm looking into providing internet access to MPLS/VPN. Has anyone tried
to enable internet access on a MPLS/VPN? Any experience to share?

I think the challenge would be how to provide internet access and
MPLS/VPN over the same physical link, especially when the VPN is running on
non-unique private IP addresses.

Rgds,
Wei Keong


