General MPLS question (Repost)

Apr 7th, 2008

I have many separate offices connected to my access switch and I am providing their internet access. These customers do not need to "see" each other. How do I aggregate them into one pw out to the internet? I know that H-VPLS could do the same, but that requires hardware that I do not have (7600). Could I accomplish the same task with my current 6509 in the core and 3750 and 400 series access switches? Any help would be greatly appreciated.

mheusing Thu, 04/10/2008 - 03:53

Hi,

In case you want to use VRFs you can achieve this by

1) configure MP-BGP on your 6509

2) connect each separate office/VLAN in a separate VRF

3) create an Internet VRF and insert a default route

4) import all office routes into the Internet VRF and export the default route to all office VRFs

5) connect the Internet VRF directly to a firewall preventing office to office connectivity, doing the NAT and securing everything against the internet.

The last point is important, because if you connect a router to the internet VRF, it would have all office routes and would again interconnect them. Basically one office A would be able to send packets to another office B by first following the default route and the CE would then send the packets back to the office B based on longest match routing.

A second option would be to use a FWSM to separate the different offices by using the firewall functionality. This would also allow for greater control and optionally for office to office traffic, if this requirement would ever arise.

Hope this helps!

Regards, Martin

noroutes4u Thu, 04/10/2008 - 06:15

Thank you for the response.

I am not too familiar with MP-BGP.

Do you have a sample configuration that I can follow?

mheusing Fri, 04/11/2008 - 01:53

Hi,

Sure, there are examples for various scenarios in the "Cisco IOS Multiprotocol Label Switching Configuration Guide".

For your scenario - many clients accessing a common service without client-client connectivity - you find the explanations and example configurations e.g. at "Configuring Scalable Hub-and-Spoke MPLS VPNs"

http://www.cisco.com/en/US/docs/ios/12_3/rewrite/mpls/mpbkhalf.html

Hope this helps! Please use the rating system.

Regards, Martin
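
Added example, not part of the original thread and not taken from the Cisco guide: a minimal IOS sketch of the five steps in the first reply, on a single 6509 with two offices. The AS number, VRF names, RD/RT values, VLANs, addresses and the firewall next hop are all assumptions.

```cisco
! Constructed values: AS 65000, VRF names, RD/RT numbers, VLANs and addresses.
! Assumes a global loopback or interface address supplies the BGP router ID.
! Office VRFs export RT 65000:100 and import only RT 65000:999 (the default
! route), so no office VRF ever imports another office's prefixes.
ip vrf OFFICE-A
 rd 65000:101
 route-target export 65000:100
 route-target import 65000:999
!
ip vrf OFFICE-B
 rd 65000:102
 route-target export 65000:100
 route-target import 65000:999
!
! Internet VRF: imports every office prefix, exports the default route.
ip vrf INTERNET
 rd 65000:999
 route-target export 65000:999
 route-target import 65000:100
!
interface Vlan101
 ip vrf forwarding OFFICE-A
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan102
 ip vrf forwarding OFFICE-B
 ip address 10.1.2.1 255.255.255.0
!
! Link to the firewall (192.0.2.2), which must not forward office-to-office traffic.
interface Vlan999
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.2
!
router bgp 65000
 address-family ipv4 vrf OFFICE-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf OFFICE-B
  redistribute connected
 exit-address-family
 address-family ipv4 vrf INTERNET
  redistribute static
  default-information originate
 exit-address-family
```

To check the isolation, `show ip route vrf OFFICE-A` should list only the connected subnet and the default route, while `show ip route vrf INTERNET` should list every office prefix.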
