MPLS VRF Route Leaking

Unanswered Question
Dec 30th, 2009

I am designing a network to deploy MPLS L3 VPN services for 2000+ branch locations of one customer.


A Cisco 7600 series router is used as the PE, along with an FWSM that points towards the Global Routing Table (Internet Gateway).


The customer requires Internet access along with VPN services at all 2000+ locations.


What is the best solution that meets the requirements and also avoids security loopholes?

Giuseppe Larosa Thu, 12/31/2009 - 10:23

Hello Smiteshah,


The PE router can advertise a default route in the VRF because it has a default static route pointing to the FWSM interface in the VRF.


The FWSM routed context performs routing to/from the GRT (Global Routing Table), NAT for customer1 IP subnets in the VRF, and can implement stateful access control.


The customer can perform its own NAT to present agreed IP address blocks to your devices.



For redundancy you should use two PE nodes, each with an FWSM, that form a failover pair.


We are doing so to provide Internet services to VRFs used for a part of the company.


Technically it is not a form of route leaking, but a third device, the FWSM routed context, interconnects the VRF and the GRT.



Hope to help

Giuseppe
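The design described in the answer above, written out as an added configuration example (this is not Giuseppe's configuration and not from the original post). It assumes a 7600 with the FWSM in slot 4, VLAN 100 as the FWSM inside interface placed in VRF CUST1, VLAN 200 as the FWSM outside interface in the global table, customer private space 10.0.0.0/8, and a public NAT pool 198.51.100.0/24; all names, slot numbers and addresses are assumptions. The FWSM context creation in the system context is omitted.

```cisco
! ---------- PE (Cisco 7600) ----------
! Added example; all addresses, names and the FWSM slot are assumptions.
ip vrf CUST1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! VLAN 100 = FWSM inside (in VRF CUST1), VLAN 200 = FWSM outside (global table)
firewall vlan-group 1 100,200
firewall module 4 vlan-group 1
!
interface Vlan100
 description FWSM inside - VRF side
 ip vrf forwarding CUST1
 ip address 10.255.1.1 255.255.255.0
!
interface Vlan200
 description FWSM outside - global routing table side
 ip address 192.0.2.1 255.255.255.0
!
! The VRF's only way out is the FWSM inside interface; no VRF route points at the GRT.
ip route vrf CUST1 0.0.0.0 0.0.0.0 10.255.1.2
! Global table: upstream default, and a return route for the customer's public NAT pool
! via the FWSM outside interface. Nothing else from the GRT is reachable from the VRF.
ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
router bgp 65000
 address-family ipv4 vrf CUST1
  redistribute static
  ! IOS does not redistribute a 0.0.0.0/0 static into the VRF address-family
  ! without this line, so the 2000+ sites would never receive the default.
  default-information originate
 exit-address-family
!
! ---------- FWSM routed context for CUST1 ----------
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.255.1.2 255.255.255.0
!
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! Default toward the PE global interface; customer private aggregate back into the VRF.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.0.0.0 255.0.0.0 10.255.1.1
!
! PAT/NAT of the customer's private space to the public pool (per-customer NAT,
! so overlapping private ranges in other VRFs are not a problem).
global (outside) 1 198.51.100.1-198.51.100.254 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0
!
! Stateful access control: only customer-sourced outbound web/DNS is allowed,
! and nothing is initiated from the outside toward the VRF.
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.0.0.0 any eq domain
access-list INSIDE_OUT extended deny ip any any
access-group INSIDE_OUT in interface inside
```

Useful checks after applying this: `show ip route vrf CUST1 0.0.0.0` should show the static default via 10.255.1.2 and `show ip bgp vpnv4 vrf CUST1 0.0.0.0` should show it as a locally originated VPNv4 route; `show ip route vrf CUST1` must not contain any prefix learned from the global table, which is the property that makes this design "not route leaking".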

Marwan ALshawi Thu, 12/31/2009 - 21:15

You could use one of the following ways to implement Internet access for L3 MPLS VPN:


1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface on the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.


2. Internet access using route leaking between the VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of the Internet gateway (in your case the FWSM), reachable through the global routing table. This VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.


Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.


3. The other method is the use of a shared service: with this method you put the Internet service FWSM in its own VRF, and then you can control the import and export between the Internet VRF and the other VRFs through the import/export of the VRFs' route-target values.


Good luck.

If helpful, rate.
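Options 2 and 3 from the answer above, as an added configuration example (not Marwan's configuration and not from the original post). It assumes one PE in AS 65000, a customer VRF CUST1 with RT 65000:1, an FWSM inside interface at 10.255.1.2 on VLAN 100, the FWSM outside at 192.0.2.2 on VLAN 200, and a CE-facing interface GigabitEthernet1/1 in VRF CUST1 with the CE at 10.255.2.2; every name, RT value and address is an assumption.

```cisco
! ========== Option 2: VRF default with the next hop resolved in the global table ==========
interface Vlan200
 description FWSM outside, in the global routing table
 ip address 192.0.2.1 255.255.255.0
!
! "global" tells IOS to look up 192.0.2.2 in the GRT, not in VRF CUST1.
ip route vrf CUST1 0.0.0.0 0.0.0.0 192.0.2.2 global
!
router bgp 65000
 address-family ipv4 vrf CUST1
  redistribute static
  default-information originate
 exit-address-family
!
! Return path, variant (a): the FWSM NATs the VRF to 198.51.100.0/24, so the GRT
! only needs a route for the public pool toward the FWSM outside interface.
ip route 198.51.100.0 255.255.255.0 192.0.2.2
! Return path, variant (b): a GRT static pointing at an interface that lives in the VRF.
! This leaks one customer prefix into the GRT per site, so it does not scale to 2000
! locations and exposes the customer prefix to anything in the global table; prefer (a).
ip route 10.1.0.0 255.255.0.0 GigabitEthernet1/1 10.255.2.2

! ========== Option 3: shared-services (Internet) VRF controlled with route-targets ==========
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip extcommunity-list standard INET-RT permit rt 65000:100
!
! Accept from the Internet VRF only the default route; refuse any other prefix
! carrying the Internet RT; let the customer's own 65000:1 routes through untouched.
route-map CUST1-IMPORT permit 10
 match extcommunity INET-RT
 match ip address prefix-list DEFAULT-ONLY
route-map CUST1-IMPORT deny 20
 match extcommunity INET-RT
route-map CUST1-IMPORT permit 30
!
ip vrf INTERNET
 rd 65000:100
 route-target export 65000:100
 ! Import the customer's routes so traffic returning from the FWSM can reach the sites.
 ! If several customers share this VRF their address space must not overlap (or the
 ! customers must NAT toward you, as the first answer suggests).
 route-target import 65000:1
!
ip vrf CUST1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:100
 import map CUST1-IMPORT
!
interface Vlan100
 description FWSM inside, in the shared Internet VRF
 ip vrf forwarding INTERNET
 ip address 10.255.1.1 255.255.255.0
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.255.1.2
!
router bgp 65000
 address-family ipv4 vrf INTERNET
  redistribute static
  default-information originate
 exit-address-family
!
! Verification:
!   show ip bgp vpnv4 vrf CUST1 0.0.0.0      - default imported with RT 65000:100
!   show ip route vrf CUST1                  - no non-default INTERNET prefixes present
!   show ip route vrf INTERNET               - customer routes present, other customers' absent
```

The security point in option 3 is that customer-to-customer isolation depends entirely on the route-target policy: CUST1 never imports another customer's RT, and the import map prevents a mistaken or malicious non-default prefix in the Internet VRF from appearing in the customer's table. Option 2 has no such filter, which is why variant (b) is best avoided on a 2000-site deployment.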
