[c-nsp] IPSEC Remote access to MPLS VPN

Jeff Kell jeff-kell at utc.edu
Wed Feb 15 11:18:54 EST 2012


On 2/15/2012 3:09 AM, ar wrote:
> I would like to setup a remote access IPSEC/SSL VPN then maps to MPLS VPN/VRFs.
> I'm thinking of using 7206VXR as the concentrator/PE for this.
> Remote clients will use cisco/microsoft vpn clients.
> Site-to-site vpn will be supported too.

I'm sure there are numerous 7206 options...

At the Catalyst level (6500/7600) we have used ASAs to terminate
different VPN profiles, and point the default inside gateway to a 6500
SVI interface configured for "VRF Selection using Policy-Based
Routing".  The SVI is configured as "ip vrf receive <vrfname>" for each
VRF you have a VPN profile.  You then use policy-based routing to
"match" the traffic by profile, and "set VRF / set global" accordingly.

The ASA essentially has no clue about the VRFs, the 6500 does the split.

For site-to-site, you need a similar "split" on the other end, if you
are running more than one VRF over the link.

Jeff


More information about the cisco-nsp mailing list