Inter AS VPN CPE Mngt

Unanswered Question
May 27th, 2008

Dear all,

apologies for the long post,

I am working and an inter AS-VPN solution, the solution itself is straightforward and consist of an NNI where both our AS and peering AS establish a BGP session under address family for each VPN we wish to extend.

my question is about the different possibilities to deal with Mngt part. both my parties have agreed that hey should manage their own CPE's even when deployed at opposite sites. sho when a customer which belongs to AS1is deployed in AS2 cloud , only AS1 should have MNGT to this CPE (and other way around).

Solution 1:

AS1 and AS2 have their own mngt vrf ( mngt1 & mngt2). subnets used must be dedicated to inter AS solution so they don't get leaked to existing mngt VRFs.

AS1 terminates manages link for AS2 CPE in mngt2 and simply peer with this vpn over NNI. AS2 then leaks it into its own MNGT vpn.

Solution 2:

same as above , but no separate MNGT vrf for inter AS CPE's. so AS1 terminates AS2 CPE in AS2 MNGT vrf and peer over NNI.

I have previously used import maps under VRF definition, but this was more when there was a need to monitor a link which is already in customer VPN and leak it to mngt VPN.

I hope I managed to illustrate my examples clearly and look forward to some feedback.

TIA

Sam

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
attrgautam Mon, 06/02/2008 - 07:30

Sam

I am really not sure I understood your solutions :) as in both scenarios you are actually exporting the routes into mngt2 in both cases.

Another option you could explore is [Only on Option 10a NNI] is actually not have a management VRF on the Partner network and import the selected routes per VRF on your ASBR router into your management VRF. This gives you the flexibility to choose what routes go into the Management VRF. this eliminates the need for a seperate managment VRF. CPE on partner network are connected to the standard VPN VRF.

cisco_lad2004 Mon, 06/02/2008 - 08:23

Gautam

Thanks for the reply !

you are right, both solutions looks similar and use same method.

in the 1st one, I simply peer with mgmt which is our mgmt VPN.

in 2nd one I create a new mgmt VPN, mgmt2 and then leak it to mgmt. some how I feel it gives me more control if things go wrong.

I think I will keep it simple and use same VPN across both clouds and use both import/export maps + bgp to ensure security and filtering.

Thanks

Sam

Actions

This Discussion