MPLS VRF Routes Leaking

smiteshah (Level 1)

I am designing a network to deploy MPLS L3 VPN services for 2000+ branch locations of one customer.

A Cisco 7600 series router is used as the PE, along with an FWSM that points towards the Global Routing Table (Internet Gateway).

The customer requires Internet access along with VPN services for all 2000+ locations.

What is the best solution that meets the requirements and also avoids security loopholes?

3 Replies

Giuseppe Larosa (Hall of Fame)

Hello Smiteshah,

The PE router can advertise a default route in the VRF because it has a default static route pointing to the FWSM interface in the VRF.

The FWSM routed context performs routing to/from the GRT (Global Routing Table) and NAT for customer1 IP subnets in the VRF, and can implement stateful access control.

The customer can perform its own NAT to present agreed IP address blocks to your devices.

For redundancy you should use two PE nodes, each with an FWSM, that are a failover pair.

We are doing so to provide Internet services to VRFs used for a part of the company.

Technically it is not a form of route leaking; rather, a third device, the FWSM routed context, interconnects the VRF and the GRT.

Hope to help

Giuseppe
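The design Giuseppe describes, written out as an added configuration example; this is not from the original post or from Cisco documentation, and the VLAN numbers, slot number, addresses, customer block 10.0.0.0/8 and ASN 65000 are assumed values:

```cisco
! --- 7600 PE (IOS), assumed values throughout ---
! Customer VRF
ip vrf CUST1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! Hand VLAN 100 (FWSM inside, VRF side) and VLAN 200 (FWSM outside, GRT side)
! to the FWSM in slot 3. Two MSFC SVIs towards the FWSM need
! "firewall multiple-vlan-interfaces".
firewall multiple-vlan-interfaces
firewall vlan-group 1 100,200
firewall module 3 vlan-group 1
!
! PE SVI facing the FWSM inside interface: lives in the VRF
interface Vlan100
 ip vrf forwarding CUST1
 ip address 10.1.1.2 255.255.255.0
!
! PE SVI facing the FWSM outside interface: lives in the GRT (Internet side)
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
!
! Default route inside the VRF pointing at the FWSM inside address.
! The next hop is in the VRF itself (no "global" keyword), so no route or
! packet is leaked between tables on the PE; only the FWSM joins them.
ip route vrf CUST1 0.0.0.0 0.0.0.0 Vlan100 10.1.1.1
!
! Advertise that default to the branch PEs over MP-BGP.
! BGP will not redistribute 0.0.0.0/0 without "default-information originate".
router bgp 65000
 address-family ipv4 vrf CUST1
  redistribute static
  default-information originate
 exit-address-family
!
! --- FWSM routed context for CUST1 (assumed) ---
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! Return path to the customer's address space via the PE VRF SVI
route inside 10.0.0.0 255.0.0.0 10.1.1.2
! Default towards the GRT via the PE's global SVI
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! PAT all customer traffic behind the outside address, so the GRT only ever
! sees 192.0.2.2 and customer RFC1918 space never appears in the GRT
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
!
! The FWSM, unlike an ASA, forwards nothing without an ACL, even inside->outside
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.0.0.0 any
access-group INSIDE_OUT in interface inside
! No unsolicited traffic from the Internet side; replies to customer-initiated
! connections are allowed by the stateful connection table
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
```

The static default in the VRF stays installed whether or not the FWSM context is actually forwarding, so the branch PEs keep receiving a default that may blackhole traffic during a failure; IOS object tracking (the `track` keyword on the static route, tied to an IP SLA probe of the FWSM inside address) can withdraw it, which matters when two PE/FWSM pairs are advertising competing defaults.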

Marwan ALshawi (VIP Alumni)

You could do one of the following to implement Internet access for L3 MPLS VPN:

1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface on the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.

2. Internet access using route leaking between VRFs and the global routing table: with this method you need to configure a static default route with a next hop of the Internet gateway (in your case the FWSM) reachable through the global routing table; this VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.

Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.

3. The other method is the use of a shared service VRF: with this method you put the Internet service FWSM in its own VRF, then control the import and export between the Internet VRF and the other VRFs through the VRFs' route-target import/export values.

Good luck

If helpful, rate.
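Marwan's options 2 and 3, as an added configuration example that is not from the original post or the linked Cisco document; interface names, addresses, the public block 198.51.100.0/24, ASN 65000 and the route-target values are assumed:

```cisco
! --- Option 2: VRF default whose next hop is resolved in the GRT (assumed values) ---
! Outbound: packets from VRF CUST1 follow a default whose next hop, the FWSM at
! 192.0.2.2, is looked up in the global table. This leaks forwarding in one
! direction only (VRF -> GRT); nothing in the GRT can reach the VRF because of it.
ip route vrf CUST1 0.0.0.0 0.0.0.0 192.0.2.2 global
!
! Inbound: a GRT static for the customer's public block pointing at the VRF-facing
! PE interface and the CE next hop on it. This only reaches what sits on or behind
! that attached interface; prefixes the VRF learned over MP-BGP from other PEs are
! not reachable this way, so for 2000+ remote branches a NAT pool on the FWSM
! (the "NATed VRF" case) is the practical inbound path. Keep the leaked prefix as
! narrow as the NAT pool, since each such route is a hole from the GRT into the VRF.
ip route 198.51.100.0 255.255.255.0 GigabitEthernet1/1 172.16.0.2
!
! The leaked default still has to be advertised to the branch PEs
router bgp 65000
 address-family ipv4 vrf CUST1
  redistribute static
  default-information originate
 exit-address-family
!
! --- Option 3: shared-services (Internet) VRF joined by route targets ---
! The FWSM inside interface now lives in its own VRF; its default is local to it.
interface Vlan300
 ip vrf forwarding INTERNET
 ip address 10.2.2.2 255.255.255.0
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Vlan300 10.2.2.1
!
! Export only the default from INTERNET, tagged with RT 65000:100. With no
! "route-target export" in the VRF, routes that miss the export map carry no RT
! and are imported nowhere, so the customer never receives the rest of the table.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map INTERNET-EXPORT permit 10
 match ip address prefix-list DEFAULT-ONLY
 set extcommunity rt 65000:100
!
ip vrf INTERNET
 rd 65000:100
 export map INTERNET-EXPORT
 ! Learn the customer block so the FWSM side has a return path
 route-target import 65000:1
!
ip vrf CUST1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 ! Pull in the shared default. A second customer VRF would import 65000:100 as
 ! well but never 65000:1, so customers share the gateway without seeing each other.
 route-target import 65000:100
!
router bgp 65000
 address-family ipv4 vrf INTERNET
  redistribute static
  default-information originate
 exit-address-family
```

With option 3 the INTERNET VRF imports every customer's routes, so either customer address blocks must not overlap or each customer must be NATed before its routes reach the shared VRF; that is the constraint that decides whether the NAT sits on the FWSM context or at the customer, as discussed above.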

Marwan ALshawi (VIP Alumni)

See this document; it might help you:

https://supportforums.cisco.com/docs/DOC-8403

Good luck