[c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options

chooweikeong at pacific.net.sg chooweikeong at pacific.net.sg
Tue Jan 4 22:03:24 EST 2005


Hi Nick,

Ya, I've come across the Cisco doc. But, for the return traffic to CE, it 
requires the CE network to be redistributed to the MPLS core. This will 
not be workable in the case of VPNs running overlapping private addresses.

I think the firewall/NAT equipment might be able to solve this problem. 
But, it will incur some administrative overhead, as a trunk to the 
firewall/NAT has to be created for every customer.

Another approach I came across is to set up a normal IPv4 link for internet 
access and run MPLS/VPN as a tunnel over that same link. Not sure if there 
is any drawback in this case though.

Thanks,
Wei Keong

On Wed, 5 Jan 2005, Nick Shah wrote:

> Wei
>
> Various methods have been discussed & deployed for internet access into
> VPN. Notably among these are :
>
> http://www.cisco.com/en/US/partner/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml
>
> - Above method deals with pointing a default route to a global IGW
> (internet gateway router)
>
> Even though it works, it needs the security of a fortress. The not so
> common, yet deployed across service providers, are the combination of :
>
> - IGW with a shared/managed firewall like a netscreen. With this method
> you (as a SP) host a firewall in the data center, which trunks
> (DOT1Q/ISL trunk) back into the PE. Have 1 x subinterface per
> customer/vrf that needs internet access. The firewall then provides
> internet access.
>
> - Managed CE router with a firewall (per customer VPN), possibly from 2
> x sites, and then leak weighted defaults into the VRF.
>
> One of the more suicidal attempts :) was to leak the internet table into
> the customer VRF...
>
> I believe a combination of NAT & the trunk interface between PE &
> firewall should cure the issue of overlapping address space you
> mentioned.
>
> rgds
>
> -----Original Message-----
> From: chooweikeong at pacific.net.sg [mailto:chooweikeong at pacific.net.sg]
> Sent: Wednesday, 5 January 2005 1:15 PM
> To: Nick Shah
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options
>
>
> Hi Nick,
>
> That's a good 5000ft overview on MPLS/VPN :).
>
> I'm looking into providing internet access to MPLS/VPN. Has anyone tried
> to enable internet access on a MPLS/VPN? Any experience to share?
>
> I think the challenge would be how to provide internet access and MPLS/VPN
> over the same physical link, especially when the VPN is running on
> non-unique private IP addresses.
>
> Rgds,
> Wei Keong
>
>
>
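As an added illustration (not from the thread, and not Cisco's own example configuration), here is the PE side of the "IGW plus shared firewall" design Nick describes, in IOS syntax; the VRF names, RDs, VLAN numbers and addresses are all constructed:

```cisco
! Added example, not from the thread: PE side of the "IGW + shared
! firewall" design. VRF names, RDs, VLANs and addresses are constructed.
!
! Two customer VRFs that both use 10.0.0.0/8 internally. The overlap is
! harmless on the PE because each VRF keeps its own routing table.
ip vrf CUST_A
 rd 65000:100
 route-target both 65000:100
!
ip vrf CUST_B
 rd 65000:200
 route-target both 65000:200
!
! One 802.1Q subinterface per VRF on the trunk toward the firewall. The
! /30 link addresses belong to the SP, so the firewall sees each customer
! on its own VLAN and can NAT it independently of the others.
interface GigabitEthernet0/1
 description dot1q trunk to shared managed firewall
 no ip address
!
interface GigabitEthernet0/1.100
 description CUST_A leg to firewall
 encapsulation dot1Q 100
 ip vrf forwarding CUST_A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.200
 description CUST_B leg to firewall
 encapsulation dot1Q 200
 ip vrf forwarding CUST_B
 ip address 192.0.2.5 255.255.255.252
!
! Each VRF's default route points only at the firewall leg for that VRF.
! No route is leaked between a VRF and the global table: the CE prefixes
! never have to be redistributed into the core (Wei Keong's objection),
! because return traffic arrives from the firewall on the per-VRF VLAN.
ip route vrf CUST_A 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 192.0.2.6
!
! Contrast: pointing the VRF default at a global IGW, as in the design
! Nick summarises first, resolves the next hop in the global table and
! then needs a global static route back toward each CE prefix, e.g.
!   ip route vrf CUST_A 0.0.0.0 0.0.0.0 198.51.100.1 global
!   ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/0.1
! which cannot be repeated for CUST_B once both customers use 10.0.0.0/8.
```

The firewall's own NAT rules and its default route toward the IGW are not shown; the point is that the per-VRF VLAN, not a route in the global table, is what carries return traffic back to the right customer.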


