[c-nsp] Managed internet VPN solution

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Apr 21 05:37:53 EDT 2008


Hi Ibrahim,

I would use VPN topology options to address this, not sure if you can
use regular hub & spoke route-target import/export to address this, but
it's worth looking at.

An alternative would be a GRE tunnel between Site B and A, but watch for
MTU issues (http://www.cisco.com/en/US/ts/fn/610/fn61935.html).

I don't know if PBR on the PE would help, I doubt next-hop recursive can
be used on the PE (haven't looked at the vrf-aware PBR feature which is
relatively new).

	oli

Ibrahim Abo Zaid <mailto:ibrahim.abozaid at gmail.com> wrote on Monday,
April 21, 2008 10:46 AM:

> Hi Oliver
> 
> Site A connects to the Internet through managed Internet CE which
> acts as Internet GW for all VPN sites but the customer doesn't want
> Site B to connect in that way, he needs Site B Internet traffic to
> pass through Site A first then back to Site B, so Site A will be
> Internet GW for Site A instead of managed CE.
> 
> and regarding PBR point, for sure I agree with you that PE has other
> many routing tasks to take care about so its resources should be
> directed to major core routing tasks aside of any customers solutions
> and that will drive us to the 2nd solution of overlapping VPN
> 
> but is there any IOS feature that can be used in this setup?
> 
> 
> Thanks
> --Abo Zaid
> 
> 
> On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> 
> 	Thanks for the addtl. info. How does Site A connect to the Internet?
> 	Can't you just replicate whatever you did there and apply it to Site B?
> 
> 	I don't know if PBR is a solution, it really depends on the routing
> 	setup. Please bear in mind that the PE performs another routing
> 	lookup, so PBR on the CE site B alone will likely not help.
> 
> 	       oli
> 
> 	Ibrahim Abo Zaid <mailto:ibrahim.abozaid at gmail.com> wrote on Monday,
> 	April 21, 2008 10:09 AM:
> 
> 	> Thanks Oliver for your interest, you'll find the topology attached
> 	>
> 	>
> 	> both HQ and Site A connect to the internet through managed internet
> 	> CE and the customer needs Site B to connect through Site A then
> 	> managed internet CE, about the PBR point, I plan to configure it
> 	> under Site B PE interface
> 	>
> 	> I hope that will clarify my whole solution and thanks for your help :)
> 	>
> 	> best regards
> 	> --Abo Zaid
> 	>
> 	>
> 	> On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> 	>
> 	>       Ibrahim Abo Zaid <> wrote on Sunday, April 20, 2008 10:30 PM:
> 	>
> 	>       > Hi All
> 	>       >
> 	>       > one of my clients has a managed Internet solution with his
> 	>       > simple MPLS VPN and Internet access is granted to a selected
> 	>       > group of sites including HQ through managed internet router
> 	>       > hosted at his ISP but he has a bit weird request as he needs
> 	>       > a site to connect to the Internet using Internet connection
> 	>       > of other site not directly to provider Internet gateway
> 	>
> 	>       I'm not entirely sure I understand the topology. Can you put
> 	>       a diagram somewhere?
> 	>
> 	>       > i thought about two solutions how this solution can be
> 	>       > implemented
> 	>       >
> 	>       > 1-use PBR under this site PE interface and direct the
> 	>       > Internet traffic to the other site network using set key
> 	>       > *set next-hop recursive* and point to one of the remote
> 	>       > site IPs so MPLS labels will do the work and route the
> 	>       > traffic to the remote CE and then to the Internet and of
> 	>       > course reverse reachability will be maintained.
> 	>
> 	>       Where exactly are you planning to apply the PBR route-map?
> 	>       Not sure if this will work on the PE.
> 	>
> 	>       > 2- isolate these two sites into a different VRF and set up
> 	>       > overlapping VPN between the overall simple VPN and the
> 	>       > special managed Internet VPN composed of those 2 sites
> 	>
> 	>       sounds like a feasible approach (need to understand the
> 	>       topology better).
> 	>
> 	>       > any suggestion how this solution can be met will be
> 	>       > welcomed :)
> 	>       >
> 	>
> 	>       If the "hub" site has the Internet connection, you could also
> 	>       have this site inject a default-route into the VPN so all
> 	>       sites can follow it (and use ACLs or route filters if you want
> 	>       to restrict this access to only certain sites).
> 	>
> 	>              oli
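A concrete form of the default-route-injection idea raised in the thread (Site A's CE originates a default into the VPN, and route filters restrict it to Site B only), written as an added IOS example rather than any poster's actual configuration. All AS numbers, RDs, route targets, interface addresses and object names below are constructed for illustration.

```ios
! --- Site A CE (constructed AS 65100): originate a default toward its PE
router bgp 65100
 neighbor 10.0.1.1 remote-as 65000
 neighbor 10.0.1.1 default-originate
!
! --- Site A PE: re-tag only the default route with a dedicated RT so
!     VRFs importing just 65000:100 (HQ, other sites) never see it
ip vrf CUST
 rd 65000:100
 route-target import 65000:100
 route-target export 65000:100
 export map HUB-DEFAULT
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map HUB-DEFAULT permit 10
 match ip address prefix-list DEFAULT-ONLY
 set extcommunity rt 65000:200
!
router bgp 65000
 address-family ipv4 vrf CUST
  neighbor 10.0.1.2 remote-as 65100
  neighbor 10.0.1.2 activate
!
! --- Site B PE: import the Site A default, drop any other default
!     (the managed Internet CE's default arrives tagged 65000:100 only)
ip extcommunity-list standard HUB-DEFAULT-RT permit rt 65000:200
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map SITEB-IMPORT permit 10
 match extcommunity HUB-DEFAULT-RT
route-map SITEB-IMPORT deny 20
 match ip address prefix-list DEFAULT-ONLY
route-map SITEB-IMPORT permit 30
!
ip vrf CUST
 rd 65000:100
 route-target import 65000:100
 route-target import 65000:200
 route-target export 65000:100
 import map SITEB-IMPORT
```

Site B's Internet-bound traffic then follows the VRF default to Site A, whose CE forwards it on its own default toward the managed Internet CE. The return path (and any NAT) at the managed CE still has to cover Site B's addresses, which is the reverse-reachability point raised in the thread.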
