[c-nsp] Managed internet VPN solution

Ibrahim Abo Zaid ibrahim.abozaid at gmail.com
Mon Apr 21 04:45:46 EDT 2008


Hi Oliver

Site A connects to the Internet through the managed Internet CE, which acts as
the Internet GW for all VPN sites, but the customer doesn't want
Site B to connect in that way. He needs Site B Internet traffic to pass
through Site A first, then back to Site B, so Site A will be the Internet GW for
Site A instead of the managed CE.

Regarding the PBR point, for sure I agree with you that the PE has many other
routing tasks to take care of, so its resources should be directed
to major core routing tasks aside from any customer solutions, and that will
drive us to the 2nd solution of overlapping VPN.

But is there any IOS feature that can be used in this setup?


Thanks
--Abo Zaid


On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>
> Thanks for the addtl. info. How does Site A connect to the Internet?
> Can't you just replicate whatever you did there and apply it to Site B?
>
> I don't know if PBR is a solution, it really depends on the routing
> setup. Please bear in mind that the PE performs another routing lookup,
> so PBR on the CE site B alone will likely not help.
>
>        oli
>
> Ibrahim Abo Zaid <mailto:ibrahim.abozaid at gmail.com> wrote on Monday,
> April 21, 2008 10:09 AM:
>
> > Thanks Oliver for your interest, you'll find the topology attached.
> >
> >
> > Both HQ and Site A connect to the Internet through the managed Internet
> > CE, and the customer needs Site B to connect through Site A then
> > the managed Internet CE. About the PBR point, I plan to configure it
> > under the Site B PE interface.
> >
> > I hope that will clarify my whole solution, and thanks for your help :)
> >
> >
> > best regards
> > --Abo Zaid
> >
> >
> > On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> >
> >       Ibrahim Abo Zaid <> wrote on Sunday, April 20, 2008 10:30 PM:
> >
> >       > Hi All
> >       >
> >       > one of my clients has a managed Internet solution with his simple
> >       > MPLS VPN, and Internet access is granted to a selected group of
> >       > sites including HQ through a managed Internet router hosted at his
> >       > ISP, but he has a bit of a weird request as he needs a site to
> >       > connect to the Internet using the Internet connection of another
> >       > site, not directly to the provider Internet gateway
> >
> >       I'm not entirely sure I understand the topology. Can you put a
> >       diagram somewhere?
> >
> >       > I thought about two solutions for how this can be implemented:
> >       >
> >       > 1- use PBR under this site's PE interface and direct the Internet
> >       > traffic to the other site's network using the set key *set next-hop
> >       > recursive* and point to one of the remote site IPs so MPLS labels
> >       > will do the work and route the traffic to the remote CE and then to
> >       > the Internet, and of course reverse reachability will be maintained.
> >
> >       Where exactly are you planning to apply the PBR route-map? Not sure
> >       if this will work on the PE.
> >
> >       > 2- isolate these two sites into a different VRF and set up an
> >       > overlapping VPN between the overall simple VPN and the special
> >       > managed Internet VPN composed of those 2 sites
> >
> >       sounds like a feasible approach (need to understand the topology
> >       better).
> >
> >       > any suggestion how this solution can be met will be welcomed :)
> >       >
> >
> >       If the "hub" site has the Internet connection, you could also have
> >       this site inject a default-route into the VPN so all sites can
> >       follow it (and use ACLs or route filters if you want to restrict
> >       this access to only certain sites).
> >
> >              oli
>