[c-nsp] Managed internet VPN solution

Ibrahim Abo Zaid ibrahim.abozaid at gmail.com
Mon Apr 21 04:08:45 EDT 2008


Thanks Oliver for your interest, you'll find the topology attached.


Both HQ and Site A connect to the Internet through the managed Internet CE, and
the customer needs Site B to connect through Site A, then the managed Internet CE.
About the PBR point, I plan to configure it under the Site B PE interface.

I hope that will clarify my whole solution, and thanks for your help :)


best regards
--Abo Zaid


On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>
> Ibrahim Abo Zaid <> wrote on Sunday, April 20, 2008 10:30 PM:
>
> > Hi All
> >
> > One of my clients has a managed Internet solution with his simple
> > MPLS VPN, and Internet access is granted to a selected group of sites
> > including HQ through a managed Internet router hosted at his ISP, but he
> > has a bit of a weird request, as he needs a site to connect to the
> > Internet using the Internet connection of another site, not directly to
> > the provider Internet gateway.
>
> I'm not entirely sure I understand the topology. Can you put a diagram
> somewhere?
>
> > I thought about two solutions for how this can be implemented:
> >
> > 1- Use PBR under this site's PE interface and direct the Internet
> > traffic to the other site's network using set key *set next-hop
> > recursive* and point to one of the remote site IPs, so MPLS labels
> > will do the work and route the traffic to the remote CE and then to
> > the Internet, and of course reverse reachability will be maintained.
>
> Where exactly are you planning to apply the PBR route-map? Not sure if
> this will work on the PE.
>
> > 2- Isolate these two sites into a different VRF and set up an overlapping
> > VPN between the overall simple VPN and the special managed Internet
> > VPN composed of those 2 sites.
>
> sounds like a feasible approach (need to understand the topology
> better).
>
> > Any suggestion on how this solution can be met will be welcomed :)
> >
>
> If the "hub" site has the Internet connection, you could also have this
> site inject a default-route into the VPN so all sites can follow it
> (and use ACLs or route filters if you want to restrict this access to
> only certain sites).
>
>        oli
>

