[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall

Gerald Krause gk at ax.tc
Wed Jan 20 18:45:20 EST 2010


I'm looking for a good solution to separate multiple branches from each
other by using a central firewall setup. The overall view looks like this:


Branch-1       Branch-n
(PC1)          (PCn)
  |              |
(SW1)          (SWn)
  |              |
 CPE1   ...    CPEn
  |              |
:::::::::::::::::::::
    DSL-CLOUD/PPP
:::::::::::::::::::::
  |              |
LNSa/PE        LNSb/PE
  |              |
=====================
   MPLS-BACKBONE
=====================
  |              |
RTRa/PE        RTRb/PE
  |              |
 SWa------------SWb
  |              |
(FW-prim)----(FW-standby)
  |              |
,,,,,,,,,,,,,,,,,,,,,
      INTERNET
,,,,,,,,,,,,,,,,,,,,,

 - each branch has 1-3 IPv4 networks
 - PPP-Sessions are terminated on the LNS via L2TP
   and configured via RADIUS
 - LNSs & RTRs are C7200 systems
 - firewalls have VLAN capabilities

The () components will be under the control of the customer; all other
systems are managed by us. The main goals are:
 1) separate the branches in general, but allow the firewall administrator
to route between the branches so the customer is able to control his
internal traffic as well as his Internet traffic
 2) provide redundancy for all of our components

At the moment we're providing only ordinary Layer3-MPLS VPNs, but in this
case this isn't enough - unless we plan to implement a dedicated VRF
for each branch. But because the customer has 100+ branches, I don't like
to 'waste' so many VRF instances for one customer. Do other
approaches/BCPs exist for this kind of setup? Currently I'm investigating L2VPN,
AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
far, especially because I have to deal with a lot of dynamically
generated Virtual-Interfaces.

For now I see 3 options for us:

a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs
b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
Firewall-Ethernet Interface (how? bad idea?)
c) some other brilliant approach... ;-)

Any hints and thoughts are welcome.

Thx,
Gerald
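To make option (a) concrete, here is an added PE-side configuration sketch for RTRa; it is not part of the original post or any vendor example. The AS number, VRF names, VLAN numbers and addresses are constructed, and the RADIUS attribute names in the final comment are the usual Cisco AV pairs for VRF assignment of virtual-access interfaces and should be checked against the IOS release in use.

```cisco
! RTRa (PE facing the firewall). One VRF per branch; each VRF is handed
! to the firewall on its own dot1q subinterface (branch n <-> VLAN 1000+n).
! Assumes an existing MPLS core with MP-BGP vpnv4 between the PEs and
! AS 65000 (constructed); the same VRF names are used on the LNS.
ip vrf BRANCH-1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf BRANCH-2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
! Deliberately no cross-import of route targets between BRANCH-* VRFs:
! the firewall is the only place where branch prefixes meet.
interface GigabitEthernet0/1.1001
 description Branch-1 hand-off to FW (VLAN 1001)
 encapsulation dot1Q 1001
 ip vrf forwarding BRANCH-1
 ip address 10.254.1.1 255.255.255.252
!
interface GigabitEthernet0/1.1002
 description Branch-2 hand-off to FW (VLAN 1002)
 encapsulation dot1Q 1002
 ip vrf forwarding BRANCH-2
 ip address 10.254.2.1 255.255.255.252
!
! Per-VRF default route towards the firewall (Internet and inter-branch
! traffic both cross the firewall); redistributed into vpnv4 for the LNS.
ip route vrf BRANCH-1 0.0.0.0 0.0.0.0 10.254.1.2
ip route vrf BRANCH-2 0.0.0.0 0.0.0.0 10.254.2.2
!
router bgp 65000
 address-family ipv4 vrf BRANCH-1
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf BRANCH-2
  redistribute connected
  redistribute static
 exit-address-family
!
! On the LNS the matching VRF is chosen per PPP session from RADIUS, e.g.
! Cisco AV pair "ip:vrf-id=BRANCH-1" (plus "ip:ip-unnumbered=Loopback1");
! the branch prefixes then arrive as vpnv4 routes with RT 65000:n.
```

RTRb carries the same VRFs and subinterfaces towards FW-standby; with an active/standby firewall pair that keeps its interface addresses across failover, the per-VRF default route works unchanged on both PEs. Because no branch VRF imports another branch's route target, a branch can only reach its own firewall VLAN, and inter-branch reachability is purely a firewall policy decision.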
