I have an Internet VRF that has only a default route (I don't want the Internet routing table), but the problem now is that when I make a customer a member of this VPN (Internet VPN), they will be able to route to all other customers (on other VPNs) through the Internet CE, which advertises the default route for the Internet but has a specific route for each customer (hairpin routing). How can I solve this problem?
Good Man! I thought of this (using a PIX), but I can't use a PIX because I have BGP as the PE-CE routing protocol and the PIX doesn't support BGP. I also thought of another solution: using PBR (Policy Based Routing), saying anything coming from the MPLS VPN interface should be sent to the next hop (which will be a PIX firewall doing NAT to the Internet, and the PIX will drop the packet if it is for another customer).
What do you think about this, since PBR takes precedence over the normal routing table?
Fundamentally, your enterprises/customers wouldn't want to connect to the Internet without firewalling. Why should the fact that you're using an MPLS cloud for Internet transport change your customers' security model?
What do you call a transport network that connects to the Internet and provides full reachability (regardless of transport, topology, or provider)? The Internet!
I'd recommend that you separate the Internet VRF/VPN from the various customers' VPNs. Provide two interfaces to the customer site: one that is intra-site with no firewalling required, and the other that is a live Internet feed where the customer (or provider) will place a firewall.
I would like to ask about the CE facing the Internet. The customer-specific route that it has, is it the public IPs assigned to the various customers, or the customers' internal IP addressing?
This router should have routes for the customers' assigned public IPs, and these should also be allowed to communicate with each other. As long as it is assigned public IPs, that segment of the network is a part of the Internet, and communication should be allowed. If communication is denied, some other things might not work. For example, assume that the customers have mail servers on their networks. If the customers cannot communicate with each other, the mail servers cannot talk to each other, and therefore mail will not be delivered successfully between the two organisations.
However, the Internet CE should not have the internal addresses of the customers. This would be a breach of their security. While exporting routes from the customer VRF into the Internet VRF, you could use an export map to ensure that only the assigned public IP addresses are exported into the Internet VRF.
However (also), if your customers are using public IPs internally, then it is a necessity to have firewalls, etc., for protection, unless they do not care at all about security.
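As an added illustration of the export-map approach above (example configuration written for this thread, not posted by any participant), the weak VRF definition that leaks a customer's internal prefixes into the Internet VRF is shown beside the corrected one. VRF names, route targets 65000:100 / 65000:999 and the public block 203.0.113.0/24 are assumed sample values.

```cisco
! --- Weak: exporting the Internet RT on the whole VRF sends every CUST_A prefix,
!     internal 10.x.x.x included, into the Internet VRF
ip vrf CUST_A
 rd 65000:100
 route-target export 65000:100
 route-target export 65000:999      ! Internet VRF imports 65000:999, so internal routes leak
 route-target import 65000:100
 route-target import 65000:999      ! receive the default route from the Internet VRF

! --- Corrected: only the assigned public block picks up the Internet RT
ip prefix-list CUST_A_PUBLIC seq 10 permit 203.0.113.0/24 le 32

! Matching prefixes get 65000:999 added to their existing RTs; anything else
! (internal addressing) keeps only 65000:100 and is never imported by INTERNET
route-map CUST_A_TO_INTERNET permit 10
 match ip address prefix-list CUST_A_PUBLIC
 set extcommunity rt 65000:999 additive

ip vrf CUST_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:999
 export map CUST_A_TO_INTERNET

ip vrf INTERNET
 rd 65000:999
 route-target export 65000:999
 route-target import 65000:999
```

Verify with `show ip route vrf INTERNET` on the PE: only 203.0.113.0/24 (and the Internet VRF's own default) should appear, with no 10.x.x.x entries from CUST_A.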