Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
534
Views
0
Helpful
2
Replies

Inter AS VPN CPE Mngt

cisco_lad2004
Level 5
Level 5

‎05-27-2008 10:53 PM

Dear all,

apologies for the long post,

I am working and an inter AS-VPN solution, the solution itself is straightforward and consist of an NNI where both our AS and peering AS establish a BGP session under address family for each VPN we wish to extend.

my question is about the different possibilities to deal with Mngt part. both my parties have agreed that hey should manage their own CPE's even when deployed at opposite sites. sho when a customer which belongs to AS1is deployed in AS2 cloud , only AS1 should have MNGT to this CPE (and other way around).

Solution 1:

AS1 and AS2 have their own mngt vrf ( mngt1 & mngt2). subnets used must be dedicated to inter AS solution so they don't get leaked to existing mngt VRFs.

AS1 terminates manages link for AS2 CPE in mngt2 and simply peer with this vpn over NNI. AS2 then leaks it into its own MNGT vpn.

Solution 2:

same as above , but no separate MNGT vrf for inter AS CPE's. so AS1 terminates AS2 CPE in AS2 MNGT vrf and peer over NNI.

I have previously used import maps under VRF definition, but this was more when there was a need to monitor a link which is already in customer VPN and leak it to mngt VPN.

I hope I managed to illustrate my examples clearly and look forward to some feedback.

TIA

Sam

Labels:
0 Helpful
2 Replies 2

attrgautam
Level 5
Level 5

‎06-02-2008 07:30 AM

Sam

I am really not sure I understood your solutions :) as in both scenarios you are actually exporting the routes into mngt2 in both cases.

Another option you could explore is [Only on Option 10a NNI] is actually not have a management VRF on the Partner network and import the selected routes per VRF on your ASBR router into your management VRF. This gives you the flexibility to choose what routes go into the Management VRF. this eliminates the need for a seperate managment VRF. CPE on partner network are connected to the standard VPN VRF.

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to attrgautam

‎06-02-2008 08:23 AM

Gautam

Thanks for the reply !

you are right, both solutions looks similar and use same method.

in the 1st one, I simply peer with mgmt which is our mgmt VPN.

in 2nd one I create a new mgmt VPN, mgmt2 and then leak it to mgmt. some how I feel it gives me more control if things go wrong.

I think I will keep it simple and use same VPN across both clouds and use both import/export maps + bgp to ensure security and filtering.

Thanks

Sam

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents