[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Jan 21 02:10:35 EST 2010


> I'm looking for a good solution to separate multiple branches from each
> other by using a central firewall setup. The overall view looks like that:
> 
[...]
> 
> The () components will be under control of the customer, all other
> systems are managed by us. The main goals are
>  1) separate the branches in general but allow the firewall administrator
> to route between the branches so the customer is able to control his
> internal traffic as well as his internet traffic
>  2) provide redundancy for all of our components
> 
> At the moment we're providing only ordinary Layer3-MPLS VPNs but in this
> case this isn't enough - unless we plan to implement a dedicated VRF
> for each branch. But because the customer has 100+ branches, I don't like
> to 'waste' so many VRF instances for one customer. Do other
> approaches/BCPs exist for those kinds of setups? Currently I'm investigating
> L2VPN, AToM, L2TPv3, ... but haven't found a really bullet-proof solution so
> far, especially because I have to deal with a lot of dynamically
> generated Virtual-Interfaces.

you might want to look at the "Half-Duplex VRF" feature, which allows you to
build a hub & spoke VPN setup without having to put each "branch" on the
same PE into a different VRF. HD VRF will assign a different VRF for
upstream and downstream traffic, so packets entering the LNS from the
branch will only see the Hub routes, and not the other branches' routes.

check out
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

	oli
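
As an added illustration (not part of the original thread, and not a configuration from the poster or from Cisco's guide), the following IOS fragment sketches how the two-VRF arrangement described above looks on the LNS: one Virtual-Template serves every PPP branch session, the upstream VRF only imports the hub's routes, and the downstream VRF exports the per-branch routes toward the hub PE. The VRF names, RD/RT values, interface names, address pool and AS number are constructed placeholders, and the exact command form and which per-session routes land in which VRF should be verified against the feature guide linked above for your IOS release.

```ios
! Half-Duplex VRF on the LNS (spoke-facing PE). All names/numbers are constructed.
! VRF "U" = upstream (branch -> hub), VRF "D" = downstream (hub -> branch).
!
! Upstream VRF: imports only what the hub PE exports (e.g. a default route that
! points behind the central firewall). A branch's packets are looked up here,
! so they never see another branch's prefixes.
ip vrf U
 rd 65000:1
 route-target import 65000:100
!
! Downstream VRF: holds the per-branch routes learned from the PPP sessions
! and exports them so the hub PE (importing 65000:200) can reach every branch.
ip vrf D
 rd 65000:2
 route-target export 65000:200
!
! Loopback used as the unnumbered address for all branch sessions.
interface Loopback0
 ip vrf forwarding U
 ip address 192.0.2.1 255.255.255.255
!
! Every dynamically created Virtual-Access interface clones from this template,
! so a single line binds both VRFs for 100+ branches.
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback0
 peer default ip address pool BRANCH-POOL
 ppp authentication chap
!
! Carry the downstream (branch) routes to the hub PE over MP-BGP.
router bgp 65000
 address-family ipv4 vrf D
  redistribute connected
  redistribute static
 exit-address-family
!
! For contrast, the hub PE's VRF (where the customer's firewall sits) would
! import 65000:200 (all branches) and export 65000:100 (the hub/default route),
! so inter-branch traffic is forced through the firewall.
```

With this split, even though all branches terminate in the same pair of VRFs on the LNS, a route to branch B only exists in D, which is never consulted for traffic arriving from branch A.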

