[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall

Gerald Krause gk at ax.tc
Thu Jan 21 04:39:18 EST 2010


On 21.01.2010 07:43, John Kougoulos wrote:
> 
> 
> On Thu, 21 Jan 2010, Gerald Krause wrote:
>> For now I see 3 options for us:
>>
>> a) implement dedicated VRFs for each branch and map VRFn<->VLANn on
>> the RTRs
>> b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
>> Firewall-Ethernet Interface (how? bad idea?)
>> c) some other brilliant approach... ;-)
>>
> 
> 
> GRE or Ipsec or whatever tunnel from the CPE to (or near) the firewall?

Yep, that might be a way, even if not "beautiful" for us. We're moving this
customer from an ugly partial/fully IPSec-tunnel meshed setup with many
firewalls and IPSec tunnels and I don't want to implement and manage a
bunch of IPSec tunnels again.
I thought already about some pseudowire or other basic tunnel service
(like GRE) from the CPEs to the firewall but I have to deal with
redundant tunnel-endpoints as well - the tunneling setup must have a
fail-over/redundancy concept. That makes me think about implementing 2
tunnels from each CPE on to 2 additional tunnel-endpoints (between RTR
and FW) and configure a basic routing protocol on top of the tunnels...

Hm, that "is" a solution but I'll check further if I have other options
before going that way.

Gerald