[c-nsp] MPLS/VPN + Internet Setup

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Aug 3 13:36:09 EDT 2006


Mark Tinka wrote on Thursday, August 03, 2006 4:58 PM:

> We are deploying an MPLS/VPN network, and several of the
> customers hooking up are separating their VPN and Internet
> traffic on different routers with different access lines - which
> is easy.
> 
> However, one customer would like to use the same CE router for
> both the VPN and Internet connection.
> 
> For this, we are considering deploying VRF-Lite on the CE router.
> I'd like to ask if there exist more current best practices to
> solving this problem.
> 
> For this particular circumstance, would VRF-Lite be the most
> secure approach to follow? Customer access is provided over a
> switched Ethernet network.

Yes, VRF-lite is used for this purpose in several networks I'm aware of,
so I'd still call this best current practice for most applications
(maybe not for some very security-sensitive folks who don't trust
VRF-lite segmentation on the CE).

You might need to give some thought to the QoS part (if needed). Often
the requirement is to be able to use the full access speed for either
VRF/sub-interface, but still deploy some granular min-bw guarantees for
certain classes within the VRF. This usually calls for a hierarchical
QoS concept on the physical interface level.

	oli


