Inter-VPN Connectivity

Unanswered Question
Apr 29th, 2009


In the case of Enterprise MPLS where VPNs are used to separate business units (a few dozen), with the entry points all firewalled, what is "best practice" regarding the inter-VPN communication?

I've seen a couple of approaches, but they all involve some kind of external "fusion router" concept - I'm thinking that perhaps having another VPN dedicated purely for transit might be an option?

Can anyone share their experience on how they tackled the issue of inter-VPN communication when the VPNs are all firewalled? (There will likely be a number of firewall concentration points in multiple locations.)



Laurent Aubert Thu, 04/30/2009 - 05:27

Hi Andrew,

As you said, VRFs are deployed to naturally separate networks so they can't exchange information. They also allow support for overlapping IP addressing plans.

If you want different VRFs to start exchanging traffic, you can, on each PE, import the routes of the other VRFs and update all your FW rules.

But it's like merging all the VPNs into one, and you lose the main advantage of having several VPNs. Also, it's not possible to do that if you have overlapping addresses between your VPNs.

That's why we prefer deploying dedicated CEs as inter-VPN gateways, so you allow the communication but you keep the control. Usually the CE is associated with a FW. This design is commonly used to provide Extranet VPN services.

This design supports overlapping addresses as well if you configure VRF-aware NAT.
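The two designs contrasted in the reply above, written out as an added IOS-style configuration sketch (not from the original thread or its author). The VRF names FINANCE and HR, RDs, route targets, AS 65000, interface names and all addresses are made up; the config assumes one PE carrying both VRFs, with the inter-VPN firewall attached on a dot1Q trunk and one HR site LAN directly on the PE.

```cisco
! Added example, not from the original thread. All names, RDs, route
! targets, AS 65000, interfaces and addresses are hypothetical.
! One PE carrying two VRFs, FINANCE and HR.
!
! ---- Option A: route-target import on the PE (what the reply warns against)
ip vrf FINANCE
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 route-target import 65000:20   ! pulls every HR prefix into FINANCE
!
ip vrf HR
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
 route-target import 65000:10   ! and every FINANCE prefix into HR
! Result: any-to-any reachability between the two VPNs; every FW policy
! must be revisited, and a prefix present in both VPNs cannot be installed
! twice in one VRF, so overlap is not supported.
!
! ---- Option B: dedicated inter-VPN gateway (firewall) with a leg in each VRF
! (alternative to Option A; do not combine the two)
ip vrf FINANCE
 rd 65000:10
 route-target both 65000:10     ! no cross-import between VRFs
ip vrf HR
 rd 65000:20
 route-target both 65000:20
!
interface GigabitEthernet0/1.10
 description FINANCE leg of the inter-VPN firewall (FW address 10.255.10.2)
 encapsulation dot1Q 10
 ip vrf forwarding FINANCE
 ip address 10.255.10.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 description HR leg of the inter-VPN firewall (FW address 10.255.20.2)
 encapsulation dot1Q 20
 ip vrf forwarding HR
 ip address 10.255.20.1 255.255.255.252
 ip nat outside                 ! used by the VRF-aware NAT below
!
interface GigabitEthernet0/2
 description local HR site LAN
 ip vrf forwarding HR
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
! Only the prefixes allowed to cross are pointed at the firewall; its policy
! decides what actually passes. FINANCE is assumed to use 172.16.0.0/12.
ip route vrf FINANCE 192.168.200.5 255.255.255.255 10.255.10.2
ip route vrf HR      172.16.0.0    255.240.0.0     10.255.20.2
!
router bgp 65000
 address-family ipv4 vrf FINANCE
  redistribute static           ! carry the gateway routes to the other PEs
 address-family ipv4 vrf HR
  redistribute static
!
! ---- VRF-aware NAT for the overlap case
! HR's server 10.10.1.5 sits on a subnet FINANCE also uses (10.10.1.0/24),
! so FINANCE reaches it as 192.168.200.5 and the PE translates inside VRF HR.
! Replies from 10.10.1.5 enter on the inside interface, get their source
! rewritten to 192.168.200.5, and follow the HR static route back to the FW.
ip nat inside source static 10.10.1.5 192.168.200.5 vrf HR
```

In Option B the PE never learns HR prefixes in the FINANCE VRF (or vice versa); it only holds routes toward the firewall, so the separation the VRFs were built for survives and every inter-VPN flow is forced through the firewall policy. The NAT is placed on the PE here only to show the `vrf` keyword; in many deployments the gateway firewall itself performs the translation instead.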



