[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall

Gerald Krause gk at ax.tc
Thu Jan 21 04:41:07 EST 2010


On 21.01.2010 08:10, Oliver Boehmer (oboehmer) wrote:
>> I'm looking for a good solution to separate multiple branches from
>> each other by using a central firewall setup. The overall view looks
>> like that:
> [...]
>> The () components will be under control of the customer, all other
>> systems are managed by us. The main goals are
>>  1) separate the branches in general but allow the firewall
>> administrator to route between the branches so the customer is able
>> to control his internal traffic as well as his internet traffic
>>  2) provide redundancy for all of our components
>>
>> At the moment we're providing only ordinary Layer3-MPLS VPNs but in
>> this case this isn't enough - unless we plan to implement a dedicated
>> VRF for each branch. But because the customer has 100+ branches, I
>> don't like to 'waste' so many VRF instances for one customer. Do other
>> approaches/BCPs exist for this kind of setup? Currently I'm
>> investigating L2VPN, AToM, L2TPv3, ... but haven't found a really
>> bullet-proof solution so far, especially because I have to deal with a
>> lot of dynamically generated Virtual-Interfaces.
> 
> you might want to look at the "Half-Duplex VRF" feature, which allows you to
> build a hub & spoke VPN setup without having to put each "branch" on the
> same PE into a different VRF. HD VRF will assign a different VRF for
> upstream and downstream traffic, so packets entering the LNS from the
> branch will only see the Hub routes, and not the other branches' routes.
> 
> check out
> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html

Ok, that sounds interesting. I'll check the docs.

Gerald
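To make the Half-Duplex VRF idea from the thread concrete, here is an added IOS configuration sketch (not from the thread, not from the Cisco document linked above, and not a tested production config). All VRF names, RDs, route targets, ASN and pool names are assumptions. The point of the split is that a PPP session on the LNS forwards into the upstream VRF, which only carries the hub's (central firewall's) routes, while the session's own /32 is installed in the downstream VRF and exported towards the hub. A branch therefore never sees another branch's prefix, so branch-to-branch traffic is forced through the firewall even though all branches share the same two VRFs.

```cisco
! ---- LNS / PE terminating the branch PPP sessions (hypothetical names) ----
!
! Upstream VRF: branch -> hub direction. Imports ONLY what the hub exports
! (for example a default route), so a branch cannot reach other branches directly.
ip vrf U
 description HD-VRF upstream (branch to hub)
 rd 65000:1
 route-target import 65000:100
!
! Downstream VRF: hub -> branch direction. Holds the per-session /32 routes
! created by PPP/IPCP and exports them so the hub VRF can reach every branch.
ip vrf D
 description HD-VRF downstream (hub to branch)
 rd 65000:2
 route-target export 65000:200
!
! One virtual-template serves all dynamically created Virtual-Access
! interfaces; the "downstream" keyword is what enables the half-duplex split.
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback1
 peer default ip address pool BRANCH-POOL
 ppp authentication chap
!
! ---- Hub PE at the central firewall site (hypothetical names) ----
!
ip vrf HUB
 description central firewall site
 rd 65000:3
 route-target export 65000:100
 route-target import 65000:200
!
router bgp 65000
 address-family ipv4 vrf HUB
  ! The hub advertises a default route; this is the only route the branches receive.
  network 0.0.0.0
!
! ---- Verification on the LNS ----
! Only the hub's default should appear here: no branch /32s, so no direct
! branch-to-branch path exists around the firewall.
! show ip route vrf U
!
! The branch /32s live here and are exported to the hub VRF only.
! show ip route vrf D
```

If the PPP sessions are authenticated against RADIUS rather than configured locally on the template, the same VRF assignment can be pushed per user with a `lcp:interface-config=ip vrf forwarding U downstream D` attribute, which keeps the template generic. The two `show ip route vrf` checks are the quickest way to confirm that the separation actually holds after a change: any branch prefix showing up in the upstream VRF means a route-target import is wider than intended and the firewall can be bypassed.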
