We are using the IPLC links to connect our office in US,our network in india is natted to the public ip in the pix which is in US office as i donot have internet in my india office,we have a MPLS link as a backup to US office to access the US office network,but is it possible to access the internet of my US office through MPLS? if yes what network should be advertised in Service providers VRF table? can you please help me in getting solution to my problem.
Well in this case there isnt much you can do from your side, as the internet access is controlled by your office in the US. As the PIX resides there, so basically if you are getting access to the internet through a default route, which is originated form your US office through you IPLC links, then you need to verify whether the default route is received on your CE which connects to the MPLS cloud. If you dont receive the default, then you may co-ordinate with your US office and have it sorted out.
But the summary is you cannot do much as using your primary and backup links all the local subnets have reachbility to your office on the remote end, but beyond that the access to internet is controlled on the other side.
I have controle over the pix and the divices
in Us office i can configure to access internet through MPLS but my Query is Can my service provider route my internet traffic through MPLS .
1.what route should he add in his VRF table is it only my Natted ip or my public ip range of US office .
2.Should he add the default route because as we use internet we will be accessing N number of websites for which it will bw defficult for him to add the each and every route.
Udaya, Basically it is a good idea to have a default for internet.
1) Now you can ask the SP to originate a default towards the India leg pointing to the US CE router. And in turn you will be having a default pointing towards the India CE router.
2) With this the traffic will reach till the US CE router, but beyond that till the PIX you again need a default pointing to the PIX, so all internet traffic will go towards the PIX.
Apart form this you wont need to advertise any other routes from your end as the PIX since being on the US network already has reachbility to the LAN in India.
Yup to add to the post your SP can very much route your internet traffic through the MPLS VPN service, as for him its just another labelled packet wanting to go from CE at this end to the CE at other end.
if we add the default route will it wont be a security issue because of it is a shared network by other clients of my vender?
There are two options for internet access.
Option one is through your own internet access inside your network separate from the MPLS VPNs. You can announce a default route from your internet access device throughout your own routing domain including the MPLS VPNs. Having separate VPNs this could rise a security issue by interconnecting those separate VPNs: one client in one VPN could access another client in another VPN by following the default route to a central router with all client routes. You should make sure f.e. through ACLs or firewalls, that this does not happen.
In this case the SP does not have to do anything in case you have dynamic routing between PE and CE. in case static routing is in place, the SP has to add default routes in the VRFs pointing to your internet access site. As your client networks are already announced throughout your MPLS VPNs return traffic should not be an issue.
Option two is internet access through your MPLS SP. Usually the SP offers internet access service. It can be f.e. an internet VPN shared by all customers or a central firewall service. As this is SP specific you would need to contact your SP to work out a solution fitting your needs based on his offers. Depending on the solution the SP will announce your official IPs to allow access to your public servers from the internet. This might also include BGP peering with your AS. He can announce a default route pointing to the internet access device(s) or setup BGP peering with your AS. The solution will also depend on whether you have an official AS and provider independant address space or provider assigned IP addresses.
Once again you have to make sure every site is protected and that no unwanted connectivity arises.
Without detailed knowledge of your topology, IP addressing and requirements - f.e. public servers like Web, FTP VPN access and so on - it is hard to suggest a solution here.
Well there had been no mention of shared clients, but can you elaborate which shared clients or who is the vendor.
But always you can avoid advertising the default route, out of you own network and not distribute the same to your end clients.
And also since you control the PIX you also have control on which source IP's have to be natted and which not.
To put it simple, you need to receive all the routes that you receive via IPLC link, if you dont have all the routes which you receive via you existing primary then you need to have them received through your SP.
now if you are running static between your the PE-CE then you will have to ask the SP to provide reachbility for the new subnets to be added, or the second option is get a IGP running on your PE-CE and advertise all the routes that you receive on your primary.
PS: If you have a security problem with any routes on your primary link the same would exist on the MPLS link by receiving the same routes via MPLS VPN as well, by doing the above.