[c-nsp] VRF customers (ISP plus IP VPN)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Oct 8 07:33:36 EDT 2008


nachocheeze at gmail.com wrote on Tuesday, October 07, 2008 5:27 PM:

> On Tue, Oct 7, 2008 at 12:54 AM, Oliver Boehmer (oboehmer)
> <oboehmer at cisco.com> wrote:
> 
>> What is the VPN connection for?
> 
> It's not just the one VPN; there's likely to be a need for several.
> 
> Long story short; the backbone network is going to be connected to
> several different services (the Internet and various restricted
> networks), and each downstream connector will be accessing probably
> two or more of the restricted services (Customer A gets service X and
> Y but not Z, Customer B gets service X and Z but not Y, Customer C
> gets service Z only).  

Ok, this makes sense.

> One of the 'common' services among all is
> likely to be a local 'intranet' providing connectivity between all the
> customers.

Why would this be different from the "Internet" service? see also next
comment.
  
>> Why do the two customers have to see
>> each other via the VPN link as well?
> 
> Well, they don't *have* to in this particular VPN.  I was thinking of
> the above described Intranet service.  If they're communicating
> already over the 'Intranet' service, is there any reason for them to
> also learn routes to each other via the 'Internet' service?

As mentioned above: I don't fully understand the reasoning for this
"Intranet" service. What type of "customers" are they, and what is your
business? If you indeed need/want to differentiate them (maybe because
the "customers" are actually internal departments/business units where
connectivity between them is actually quite different from "Internet"
connectivity, especially from a security perspective), you would need to
implement some routing policy to make one advertisement (i.e. from the
"Internet") better than the other (MED, AS-path prepend, something
else).. It's obviously at the discretion of the customer which exit he or
she chooses, so all you can give are hints..

	oli

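As an added illustration, not part of the thread and not Cisco's own sample configuration, here is one way to implement the routing policy Oli describes on an IOS PE: the other customers' prefixes reach Customer A over both the "Intranet" VRF and the "Internet" VRF, but the advertisement sent over the Internet-side session carries a longer AS-path and a higher MED, so a customer router that receives both still picks the Intranet path under the default best-path rules. VRF names, route distinguishers, AS numbers, addresses, prefix-list and route-map names are all assumed for the example.

```cisco
! Hypothetical PE configuration (IOS). All names, RDs, ASNs and
! addresses are assumed; they do not come from the thread.
ip vrf INTRANET
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
ip vrf INTERNET
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! Constructed example: the address blocks of the *other* customers
! (B and C) that Customer A can reach via either service.
ip prefix-list OTHER-CUSTOMERS seq 5 permit 192.0.2.0/24
ip prefix-list OTHER-CUSTOMERS seq 10 permit 198.51.100.0/24
!
! Outbound policy on the INTERNET-side session to Customer A:
! for the other customers' prefixes, prepend our own AS twice and
! set a high MED, so the copy learned via INTRANET (shorter AS-path,
! lower MED) wins on the customer's router. Everything else (real
! Internet routes) passes through the second clause unchanged.
route-map TO-CUST-A-INTERNET permit 10
 match ip address prefix-list OTHER-CUSTOMERS
 set as-path prepend 65000 65000
 set metric 200
route-map TO-CUST-A-INTERNET permit 20
!
router bgp 65000
 ! Customer A's Intranet-facing session: advertised as-is.
 address-family ipv4 vrf INTRANET
  neighbor 10.1.1.2 remote-as 65001
  neighbor 10.1.1.2 activate
 exit-address-family
 !
 ! Customer A's Internet-facing session: policy applied outbound.
 address-family ipv4 vrf INTERNET
  neighbor 10.2.2.2 remote-as 65001
  neighbor 10.2.2.2 activate
  neighbor 10.2.2.2 route-map TO-CUST-A-INTERNET out
 exit-address-family
```

This only works as a hint, which is Oli's point: the customer's router applies weight and local-preference before it ever looks at AS-path length or MED, so a single `set local-preference` on the customer side reverses the choice. If the two services must really be kept apart for security reasons, the enforcement belongs in what is imported into each VRF (route-target import policy or filtering), not in path attributes the customer is free to ignore.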
