MPLS/VPN internet access

Answered Question
Feb 13th, 2008

Hi there, i have a rather general question. I was wondering what is the best and safest way in order to provide internet access to vpn customers? Is it using global routing table? If i already have a lot of vpn customers and not starting from scratch? Appropriate links for extra reading would be really usefull!! thanx in advance

I have this problem too.
0 votes
Correct Answer by yagnesh_tel about 8 years 9 months ago

The given example considers that a VPN customer uses a public address range that is routable in the global Internet routing table. If your customers are using private addresses, then you have to do NAT at your location. Also in given example IGW router advertise customer's network so that packets coming back from the Internet to destination customer network are routed back to IGW router and then CE 1. This is necessary considering that you need bidirectional connectivity. In your case, to give internet access to multiple customers, you need to put default route in each of these customers's VRF. Also you need to provision someway to route back packets coming from internet to customers' network. If your customers are using public addresses then this can be done by configuring static routes pointing to the customer facing interface in the global routing table on PE. But if your customers are using private addresses then you have to do NATing at your location.

Also for giving multiple customers internet access, you may want to use a shared internet VRF at your PE router which will hold necessary routes from all customers wanting internet access and the route/interface to reach internet. This solution is possible considering that your customers are using non overlapping addresses in their networks or you are doing NAT at PE before putting customers' routes in a shared internet VRF. Again this depends on your network topology and importance of security.

http://cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Loading.
yagnesh_tel Thu, 02/14/2008 - 14:21

To have internet access in MPLS VPN, a static default route with the 'global' keyword is configured in the customer VRF pointing to the Internet gateway interface. The global keyword specifies that the next hop address of the static route should resolve within the global routing table, not within the customer's VRF. So the packets that do not match any of the routes contained within customer VRF will be sent to internet gateway. This way you can avoid complexity of having Internet Routes in customer's VRF.

http://cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

v.matiakis Thu, 02/14/2008 - 23:36

Hi and thanx for the response! I am wondering. Do i have to perform NAT anywhere? In the example IGW advertises customer networks in BGP. Isn't that a problem? What if i have many customers?

Correct Answer
yagnesh_tel Fri, 02/15/2008 - 16:04

The given example considers that a VPN customer uses a public address range that is routable in the global Internet routing table. If your customers are using private addresses, then you have to do NAT at your location. Also in given example IGW router advertise customer's network so that packets coming back from the Internet to destination customer network are routed back to IGW router and then CE 1. This is necessary considering that you need bidirectional connectivity. In your case, to give internet access to multiple customers, you need to put default route in each of these customers's VRF. Also you need to provision someway to route back packets coming from internet to customers' network. If your customers are using public addresses then this can be done by configuring static routes pointing to the customer facing interface in the global routing table on PE. But if your customers are using private addresses then you have to do NATing at your location.

Also for giving multiple customers internet access, you may want to use a shared internet VRF at your PE router which will hold necessary routes from all customers wanting internet access and the route/interface to reach internet. This solution is possible considering that your customers are using non overlapping addresses in their networks or you are doing NAT at PE before putting customers' routes in a shared internet VRF. Again this depends on your network topology and importance of security.

http://cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

Actions

This Discussion