[c-nsp] VRF customers (ISP plus IP VPN)

nachocheeze at gmail.com nachocheeze at gmail.com
Tue Oct 7 11:27:27 EDT 2008


On Tue, Oct 7, 2008 at 12:54 AM, Oliver Boehmer (oboehmer)
<oboehmer at cisco.com> wrote:

> What is the VPN connection for?

It's not just the one VPN; there's likely to be a need for several.

Long story short; the backbone network is going to be connected to
several different services (the Internet and various restricted
networks), and each downstream connector will be accessing probably
two or more of the restricted services (Customer A gets service X and
Y but not Z, Customer B gets service X and Z but not Y, Customer C
gets service Z only).  One of the 'common' services among all is
likely to be a local 'intranet' providing connectivity between all the
customers.

The customers (as well as the PEs) are in multiple geographic
locations, but the backbone network will be connected directly over
dark fiber.

> Why do the two customers have to see
> each other via the VPN link as well?

Well, they don't *have* to in this particular VPN.  I was thinking of
the above described Intranet service.  If they're communicating
already over the 'Intranet' service, is there any reason for them to
also learn routes to each other via the 'Internet' service?

>
> You say you want to offer the
> VPN/VRF for internal services.. Then I would expect a different
> route-target import/export policy, i.e. something like a central
> services VPN:
>
> ip vrf Cust-A
>  route-target export 65001:100
>  route-target import 65001:100
>  route-target import 65001:900
>
> ip vrf Cust-B
>  route-target export 65001:200
>  route-target import 65001:200
>  route-target import 65001:900
>
> ip vrf services
>  route-target export 65001:900
>  route-target import 65001:900
>  route-target import 65001:100
>  route-target import 65001:200
>
> so both customers can communicate with your "services", but they don't
> see each other via the VPN..

I think the central services idea may be what I'm looking for.

>
> I would question the overall VPN design. Why build a VPN where your
> customers have full connectivity between each other? Why don't you just
> let them communicate via the global routing table?

They may not both subscribe to the *regular* Internet service, so
having them communicate via the local Intranet service will be
desired.
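To make the route-target mechanics behind the central-services layout concrete, here is a small Python model of VPNv4 route import/export. This is an added example, not code from the thread, from Cisco, or from any PE implementation; it reproduces the three VRFs and RT values quoted above (65001:100, 65001:200, 65001:900) and then generalizes to the per-customer subscription scenario described in the reply (A gets X and Y, B gets X and Z, C gets Z only). Everything beyond the quoted RTs, namely the prefixes, Cust-C, its RT 65001:300 and the hub RTs 65001:910/920/930, is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One VRF on a PE: its RT export/import lists and locally attached prefixes."""
    name: str
    export: set[str]
    import_: set[str]
    prefixes: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class VpnRoute:
    """A VPNv4 route as carried in MP-BGP: prefix plus the RTs stamped on export."""
    prefix: str
    origin_vrf: str
    rts: frozenset[str]


def export_routes(vrfs: dict[str, Vrf]) -> list[VpnRoute]:
    """Every VRF advertises its local prefixes tagged with its export RTs."""
    return [VpnRoute(p, v.name, frozenset(v.export))
            for v in vrfs.values() for p in sorted(v.prefixes)]


def import_table(vrf: Vrf, routes: list[VpnRoute]) -> dict[str, str]:
    """Routes accepted into a VRF: any exported RT matching one of its import RTs.
    A VRF's own prefixes show up too, because it imports its own RT."""
    return {r.prefix: r.origin_vrf for r in routes if r.rts & vrf.import_}


def reachability(vrfs: dict[str, Vrf]) -> dict[str, dict[str, str]]:
    """VRF name -> {prefix: originating VRF} after RT import has been applied."""
    routes = export_routes(vrfs)
    return {name: import_table(v, routes) for name, v in vrfs.items()}


def sees(tables: dict[str, dict[str, str]], viewer: str, origin: str) -> bool:
    """Does VRF `viewer` hold any route originated by VRF `origin`?"""
    return origin in tables[viewer].values()


def central_services_topology() -> dict[str, Vrf]:
    """The three VRFs quoted in the thread (RT values from the thread; prefixes constructed)."""
    return {
        "Cust-A": Vrf("Cust-A", {"65001:100"}, {"65001:100", "65001:900"}, {"10.1.0.0/24"}),
        "Cust-B": Vrf("Cust-B", {"65001:200"}, {"65001:200", "65001:900"}, {"10.2.0.0/24"}),
        "services": Vrf("services", {"65001:900"},
                        {"65001:900", "65001:100", "65001:200"}, {"192.0.2.0/24"}),
    }


def multi_service_topology() -> dict[str, Vrf]:
    """Generalization to per-customer subscriptions (A: X+Y, B: X+Z, C: Z) with one
    hub VRF per service. Every RT, prefix and customer beyond the thread's
    65001:100/200 is constructed for this example."""
    svc_rt = {"X": "65001:910", "Y": "65001:920", "Z": "65001:930"}
    svc_net = {"X": "198.51.100.0/28", "Y": "198.51.100.16/28", "Z": "198.51.100.32/28"}
    cust_rt = {"Cust-A": "65001:100", "Cust-B": "65001:200", "Cust-C": "65001:300"}
    cust_net = {"Cust-A": "10.1.0.0/24", "Cust-B": "10.2.0.0/24", "Cust-C": "10.3.0.0/24"}
    subs = {"Cust-A": {"X", "Y"}, "Cust-B": {"X", "Z"}, "Cust-C": {"Z"}}

    vrfs: dict[str, Vrf] = {}
    for c, services in subs.items():
        # a customer imports only the hub RTs it subscribes to, never another customer's RT
        vrfs[c] = Vrf(c, {cust_rt[c]}, {cust_rt[c]} | {svc_rt[s] for s in services}, {cust_net[c]})
    for s, rt in svc_rt.items():
        # each hub imports exactly its subscribers so return traffic has a route back
        subscribers = {cust_rt[c] for c, ss in subs.items() if s in ss}
        vrfs[f"svc-{s}"] = Vrf(f"svc-{s}", {rt}, {rt} | subscribers, {svc_net[s]})
    return vrfs


if __name__ == "__main__":
    for title, topo in (("central services", central_services_topology()),
                        ("per-service hubs", multi_service_topology())):
        print(f"== {title} ==")
        tables = reachability(topo)
        for name in topo:
            entries = ", ".join(f"{p} ({o})" for p, o in sorted(tables[name].items()))
            print(f"{name:9} sees: {entries}")
```

Running it prints, per topology, what each VRF ends up with: in the quoted design both customers hold the services prefix and their own, but never each other's, while the services VRF holds all three. The model covers control-plane visibility only; the hub VRF does hold routes to every spoke, so spoke-to-spoke isolation also depends on the services site not forwarding between them.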

