[c-nsp] Managed internet VPN solution
Ibrahim Abo Zaid
ibrahim.abozaid at gmail.com
Mon Apr 21 08:58:36 EDT 2008
Thanks Oliver for your help and detailed reply :)
best luck to you
--Abo Zaid
On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>
> Hi Ibrahim,
>
> I would use VPN topology options to address this, not sure if you can
> use regular hub & spoke route-target import/export to address this, but
> it's worth looking at.
>
> An alternative would be a GRE tunnel between Site B and A, but watch for
> MTU issues (http://www.cisco.com/en/US/ts/fn/610/fn61935.html).
>
> I don't know if PBR on the PE would help, I doubt next-hop recursive can
> be used on the PE (haven't looked at the vrf-aware PBR feature which is
> relatively new).
>
> oli
>
> Ibrahim Abo Zaid <mailto:ibrahim.abozaid at gmail.com> wrote on Monday,
> April 21, 2008 10:46 AM:
>
> > Hi Oliver
> >
> > Site A connects to the Internet through managed Internet CE which
> > acts as Internet GW for all VPN sites, but the customer doesn't want
> > Site B to connect in that way; he needs Site B Internet traffic to
> > pass through Site A first then back to Site B, so Site A will be
> > Internet GW for Site A instead of managed CE.
> >
> > and regarding PBR point, for sure I agree with you that PE has many
> > other routing tasks to take care about so its resources should be
> > directed to major core routing tasks aside of any customers' solutions
> > and that will drive us to the 2nd solution of overlapping VPN
> >
> > but is there any IOS feature that can be used in this setup ?
> >
> >
> > Thanks
> > --Abo Zaid
> >
> >
> > On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> >
> > Thanks for the addtl. info. How does Site A connect to the Internet?
> > Can't you just replicate whatever you did there and apply it to Site B?
> >
> > I don't know if PBR is a solution, it really depends on the routing
> > setup. Please bear in mind that the PE performs another routing
> > lookup, so PBR on the CE site B alone will likely not help.
> >
> > oli
> >
> > Ibrahim Abo Zaid <mailto:ibrahim.abozaid at gmail.com> wrote on Monday,
> > April 21, 2008 10:09 AM:
> >
> > > Thanks Oliver for your interest, you'll find the topology attached
> > >
> > >
> > > both HQ and Site A connect to the internet through managed internet
> > > CE and the customer needs Site B to connect through Site A then
> > > managed internet CE, about the PBR point, I plan to configure it
> > > under Site B PE interface
> > >
> > > i hope that will clarify my whole solution and thanks for your help :)
> > >
> > > best regards
> > > --Abo Zaid
> > >
> > >
> > > On 4/21/08, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> > >
> > > Ibrahim Abo Zaid <> wrote on Sunday, April 20, 2008 10:30 PM:
> > >
> > > > Hi All
> > > >
> > > > one of my clients has a managed Internet solution with his simple
> > > > MPLS VPN and Internet access is granted to a selected group of
> > > > sites including HQ through managed internet router hosted at his
> > > > ISP but he has a bit of a weird request as he needs a site to
> > > > connect to the Internet using Internet connection of other site,
> > > > not directly to provider Internet gateway
> > >
> > > I'm not entirely sure I understand the topology. Can you put a
> > > diagram somewhere?
> > >
> > > > i thought about two solutions how this solution can be implemented
> > > >
> > > > 1-use PBR under this site PE interface and direct the Internet
> > > > traffic to the other site network using set key *set next-hop
> > > > recursive* and point to one of the remote site IPs so MPLS labels
> > > > will do the work and route the traffic to the remote CE and then to
> > > > the Internet and of course reverse reachability will be maintained.
> > >
> > > Where exactly are you planning to apply the PBR route-map? Not sure
> > > if this will work on the PE.
> > >
> > > > 2- isolate these two sites into a different VRF and set up
> > > > overlapping VPN between the overall simple VPN and the special
> > > > managed Internet VPN composed of those 2 sites
> > >
> > > sounds like a feasible approach (need to understand the topology
> > > better).
> > >
> > > > any suggestion how this solution can be met will be welcomed :)
> > > >
> > >
> > > If the "hub" site has the Internet connection, you could also have
> > > this site inject a default-route into the VPN so all sites can
> > > follow it (and use ACLs or route filters if you want to restrict
> > > this access to only certain sites).
> > >
> > > oli
>
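An added configuration sketch, not from this thread and not Cisco's own, of the hub-and-spoke route-target approach Oliver suggests combined with Ibrahim's second option (Site B in its own VRF): PE-A learns a default route from the Site A CE over a second link in a dedicated VRF and exports it with its own route target, which only Site B's VRF imports, so Site B follows Site A for Internet while the other sites keep using the managed Internet CE. AS 65000, the route-target and VRF names, VLAN 100 and the 192.0.2.0/30 link addresses are assumed placeholders.

```cisco
! PE-A (Site A's PE): second subinterface to the Site A CE in a VRF of its own,
! so the default route toward Site A never lands in the shared VRF on PE-A.
ip vrf SITEA-OUT
 rd 65000:100
 route-target export 65000:100
!
interface GigabitEthernet0/1.100
 description Site A CE, second link (hub "out" side)
 encapsulation dot1Q 100
 ip vrf forwarding SITEA-OUT
 ip address 192.0.2.1 255.255.255.252
!
ip route vrf SITEA-OUT 0.0.0.0 0.0.0.0 192.0.2.2
!
router bgp 65000
 address-family ipv4 vrf SITEA-OUT
  redistribute static
  default-information originate
 exit-address-family
!
! PE-B (Site B's PE): Site B in its own VRF. It imports the ordinary VPN
! routes (65000:1) but accepts a default route only if it carries 65000:100,
! so the managed Internet CE's default is filtered out for Site B.
ip vrf SITEB
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:1
 route-target import 65000:100
 import map SITEB-IMPORT
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip extcommunity-list 1 permit rt 65000:100
!
route-map SITEB-IMPORT permit 10
 match ip address prefix-list DEFAULT-ONLY
 match extcommunity 1
route-map SITEB-IMPORT deny 20
 match ip address prefix-list DEFAULT-ONLY
route-map SITEB-IMPORT permit 30
!
! Every PE carrying the existing VRF (PE-A included): import Site B's routes
! so return traffic, including from the managed Internet CE, reaches Site B.
ip vrf CUST
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:200
```

Site A's own Internet traffic is unaffected because its first link stays in the shared VRF, where the managed CE's default still wins; traffic from Site B arrives on the second link and leaves the Site A CE via its normal default. The return path from the managed Internet CE reaches Site B directly through the shared VRF, so it is asymmetric and needs checking against any stateful device at Site A.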