Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1712
Views
8
Helpful
3
Replies

MPLS/VPN internet access

Go to solution
v.matiakis
Level 1
Level 1

‎02-13-2008 06:16 AM

Hi there, i have a rather general question. I was wondering what is the best and safest way in order to provide internet access to vpn customers? Is it using global routing table? If i already have a lot of vpn customers and not starting from scratch? Appropriate links for extra reading would be really usefull!! thanx in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yagnesh_tel
Level 1
Level 1
In response to v.matiakis

‎02-15-2008 04:04 PM

The given example considers that a VPN customer uses a public address range that is routable in the global Internet routing table. If your customers are using private addresses, then you have to do NAT at your location. Also in given example IGW router advertise customer's network so that packets coming back from the Internet to destination customer network are routed back to IGW router and then CE 1. This is necessary considering that you need bidirectional connectivity. In your case, to give internet access to multiple customers, you need to put default route in each of these customers's VRF. Also you need to provision someway to route back packets coming from internet to customers' network. If your customers are using public addresses then this can be done by configuring static routes pointing to the customer facing interface in the global routing table on PE. But if your customers are using private addresses then you have to do NATing at your location.

Also for giving multiple customers internet access, you may want to use a shared internet VRF at your PE router which will hold necessary routes from all customers wanting internet access and the route/interface to reach internet. This solution is possible considering that your customers are using non overlapping addresses in their networks or you are doing NAT at PE before putting customers' routes in a shared internet VRF. Again this depends on your network topology and importance of security.

http://cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

View solution in original post

3 Replies 3

Go to solution
yagnesh_tel
Level 1
Level 1

‎02-14-2008 02:21 PM

To have internet access in MPLS VPN, a static default route with the 'global' keyword is configured in the customer VRF pointing to the Internet gateway interface. The global keyword specifies that the next hop address of the static route should resolve within the global routing table, not within the customer's VRF. So the packets that do not match any of the routes contained within customer VRF will be sent to internet gateway. This way you can avoid complexity of having Internet Routes in customer's VRF.

http://cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

Go to solution
v.matiakis
Level 1
Level 1
In response to yagnesh_tel

‎02-14-2008 11:36 PM

Hi and thanx for the response! I am wondering. Do i have to perform NAT anywhere? In the example IGW advertises customer networks in BGP. Isn't that a problem? What if i have many customers?

0 Helpful

Go to solution
yagnesh_tel
Level 1
Level 1
In response to v.matiakis

‎02-15-2008 04:04 PM

The given example considers that a VPN customer uses a public address range that is routable in the global Internet routing table. If your customers are using private addresses, then you have to do NAT at your location. Also in given example IGW router advertise customer's network so that packets coming back from the Internet to destination customer network are routed back to IGW router and then CE 1. This is necessary considering that you need bidirectional connectivity. In your case, to give internet access to multiple customers, you need to put default route in each of these customers's VRF. Also you need to provision someway to route back packets coming from internet to customers' network. If your customers are using public addresses then this can be done by configuring static routes pointing to the customer facing interface in the global routing table on PE. But if your customers are using private addresses then you have to do NATing at your location.

Also for giving multiple customers internet access, you may want to use a shared internet VRF at your PE router which will hold necessary routes from all customers wanting internet access and the route/interface to reach internet. This solution is possible considering that your customers are using non overlapping addresses in their networks or you are doing NAT at PE before putting customers' routes in a shared internet VRF. Again this depends on your network topology and importance of security.

http://cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

Customers Also Viewed These Support Documents