Hi there, I have a rather general question. I was wondering what is the best and safest way to provide Internet access to VPN customers? Is it using the global routing table? What if I already have a lot of VPN customers and am not starting from scratch? Appropriate links for extra reading would be really useful! Thanks in advance.
The given example assumes that a VPN customer uses a public address range that is routable in the global Internet routing table. If your customers are using private addresses, then you have to do NAT at your location. Also, in the given example the IGW router advertises the customer's network so that packets coming back from the Internet to the destination customer network are routed back to the IGW router and then to CE 1. This is necessary considering that you need bidirectional connectivity. In your case, to give Internet access to multiple customers, you need to put a default route in each of these customers' VRFs. You also need to provision some way to route back packets coming from the Internet to the customers' networks. If your customers are using public addresses, then this can be done by configuring static routes pointing to the customer-facing interface in the global routing table on the PE. But if your customers are using private addresses, then you have to do NATing at your location.
Also, for giving multiple customers Internet access, you may want to use a shared Internet VRF at your PE router, which will hold the necessary routes from all customers wanting Internet access and the route/interface to reach the Internet. This solution is possible provided that your customers are using non-overlapping addresses in their networks or you are doing NAT at the PE before putting the customers' routes in a shared Internet VRF. Again, this depends on your network topology and the importance of security.
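A pre-provisioning check for the conditions described in the answer above, as an added example that is not part of the original posts: it flags which customer prefixes need NAT and which could use a static return route, and lists the cross-customer overlaps that rule out a shared Internet VRF without NAT. The customer names, prefixes, function names and the choice of RFC 1918 as the definition of "private" are assumptions.

```python
import ipaddress
from itertools import combinations

# Assumption: "private" means RFC 1918 space only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: customer VRF name -> prefixes behind its CE.
# Documentation ranges stand in for customer-owned public space.
SAMPLE = {
    "cust-a": ["198.51.100.0/24"],
    "cust-b": ["10.1.0.0/16"],
    "cust-c": ["10.1.2.0/24", "203.0.113.0/25"],
}

def needs_nat(prefix):
    """True if any part of the prefix is private and so not Internet-routable."""
    net = ipaddress.ip_network(prefix)
    return any(net.overlaps(r) for r in RFC1918)

def find_overlaps(customers):
    """Prefix pairs from different customers that overlap each other."""
    hits = []
    for (a, a_pfx), (b, b_pfx) in combinations(customers.items(), 2):
        for pa in a_pfx:
            for pb in b_pfx:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    hits.append((a, pa, b, pb))
    return hits

def return_path_plan(customers):
    """Per prefix: 'nat' (translate before it reaches a shared or global
    table) or 'static-route' (public and unique, return route is enough)."""
    clashing = {(c, p) for a, pa, b, pb in find_overlaps(customers)
                for c, p in ((a, pa), (b, pb))}
    plan = {}
    for cust, prefixes in customers.items():
        for p in prefixes:
            private_or_clash = needs_nat(p) or (cust, p) in clashing
            plan[(cust, p)] = "nat" if private_or_clash else "static-route"
    return plan

if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(SAMPLE):
        print(f"overlap: {a} {pa} <-> {b} {pb}")
    for (cust, p), action in return_path_plan(SAMPLE).items():
        print(f"{cust:8} {p:18} {action}")
```
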