Cisco Support Community

New Member

Default route in internet VRF

Hi,

I have an internet VRF that has only a default route (I don't want the internet routing table), but the problem now is that when I make a customer a member of this VPN (internet VPN), they will be able to route to all other customers (on other VPNs) through the internet CE, which advertises the default route for the internet but has a specific route for each customer (hairpin routing). How can I solve this problem?

8 REPLIES

Re: Default route in internet VRF

Hello,

there is no nice solution to your problem, I suppose.

You can use access-lists or a PIX firewall. Packets coming in on a PIX interface will not be sent out through the same interface. This will deny connectivity between your customers.

In the end, routing wise this VPN means "internet", i.e. everyone connects to everyone else.

So from a routing perspective this is ok. If you do not want this situation use filters as described above.

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: Default route in internet VRF

Good man! I thought of this (using PIX), but I can't use PIX because I have BGP as the PE-CE routing protocol and PIX doesn't support BGP. I also thought of another solution: using PBR (Policy Based Routing), saying anything coming from the MPLS VPN interface should be sent to the next hop (which will be a PIX firewall doing NAT to the internet, and the PIX will drop the packet if it is for another customer).

What do you think about this, since PBR takes precedence over the normal routing table?

Re: Default route in internet VRF

Hello,

a simple incoming access-list on the CE interface could also do the job, just deny all traffic sent to customer addresses (private IPs?).

Hope this helps! Please rate all posts.

Regards, Martin
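An added example of the inbound filter Martin describes, not configuration from the original thread: an extended ACL on the CE's interface toward the MPLS internet VRF that denies traffic destined to the other customers' address ranges before it can be hairpinned back out. The interface name, the customer ranges (RFC 5737 documentation prefixes) and the ACL name are placeholders chosen for the example.

```cisco
! Constructed example: filter on the Internet CE, inbound from the MPLS cloud.
! Customer ranges below are placeholders (documentation prefixes), not real assignments.
ip access-list extended FROM-MPLS-NO-HAIRPIN
 remark Deny traffic arriving from the internet VRF that is addressed to other customers
 deny   ip any 198.51.100.0 0.0.0.255 log
 deny   ip any 203.0.113.0 0.0.0.255 log
 remark Everything else is genuine Internet-bound traffic
 permit ip any any
!
interface GigabitEthernet0/1
 description CE interface facing the MPLS internet VRF (assumed name)
 ip access-group FROM-MPLS-NO-HAIRPIN in
```

The `log` keyword on the deny lines gives the operator a record of hairpin attempts for troubleshooting; drop it on a busy interface where logging cost matters. Note the caveat raised later in the thread: if the ranges denied here are customers' public addresses, this also blocks legitimate Internet-style reachability between them (mail servers, for example), so the deny list should carry only the ranges that the policy really requires isolating.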

New Member

Re: Default route in internet VRF

Well, I didn't want to use an access-list on the WAN interface facing the MPLS cloud. Access-lists at times give CPU problems (depending on traffic and on the platform).

Regards,

Re: Default route in internet VRF

Hello,

Referring to my first post, routing alone will not solve your problem. So some sort of filter seems to be the best option in case you have one PE-CE interface.

Regards, Martin

Re: Default route in internet VRF

Martin's absolutely right, Akinsola.

Fundamentally, your enterprises/customers wouldn't want to connect to the Internet without firewalling. Why should the fact that you're using an MPLS cloud for Internet transport change your customers' security model?

What do you call a transport network that connects to the Internet and provides full reachability (regardless of transport, topology, or provider)? The Internet!

I'd recommend that you separate the Internet VRF/VPN from the various customers' VPNs. Provide two interfaces to the customer site: one that is intra-site with no firewalling required, and the other that is a live Internet feed where the customer (or provider) will place a firewall.

Michael

Silver

Re: Default route in internet VRF

I do like your definition of the Internet.

I would like to ask about the CE facing the internet. The customer-specific routes that it has: are they the public IPs assigned to the various customers, or the customers' internal IP addressing?

This router should have routes for the assigned customers' public IPs. And these should also be allowed to communicate with each other. As long as it is assigned public IPs, that segment of the network is a part of the internet, and communication should be allowed. If communication is denied, some other things might not work. For example, assume that the customers have mail servers on their network. If the customers cannot communicate with each other, the mail servers cannot talk to each other and therefore mail will not be successful between the two organisations.

However, the Internet CE should not have the internal addresses of the customers. This would be a breach of their security. While exporting routes from the customer VRF into the internet VRF, you could use an export map to ensure that only the assigned public IP addresses are exported into the internet VRF.

However (also), if your customers are using public IPs internally, then it is a necessity to have firewalls, etc. for protection, unless they do not care at all about security.

Hope this helps.
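An added example of the export-map approach from this reply, not configuration from the original thread: on the PE, customer VRF CUST-A tags only its assigned public prefix with the route target that the INTERNET VRF imports, so the customer's internal (private) prefixes never reach the internet VRF, while the INTERNET VRF hands its default route back with a separate route target. All names, AS number, RDs, route targets and the public prefix (an RFC 5737 documentation range) are placeholders assumed for the example; originating the default route into BGP in the INTERNET VRF is not shown.

```cisco
! Constructed example: export only the customer's public range into the internet VRF.
! Values are placeholders: AS 65000, RT 65000:100 = "toward internet",
! RT 65000:999 = "default route from internet".
ip prefix-list CUST-A-PUBLIC seq 5 permit 198.51.100.0/24
!
route-map CUST-A-TO-INTERNET permit 10
 match ip address prefix-list CUST-A-PUBLIC
 set extcommunity rt 65000:100 additive
!
ip vrf CUST-A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:999
 export map CUST-A-TO-INTERNET
!
ip vrf INTERNET
 rd 65000:100
 route-target export 65000:999
 route-target import 65000:100
```

Prefixes that do not match the export map still carry the VRF's plain `route-target export 65000:1`, so CUST-A's internal addressing stays inside CUST-A; only 198.51.100.0/24 additionally gets 65000:100 and is imported by INTERNET. Because CUST-A imports 65000:999 but not 65000:100, it learns the default route but not the other customers' public prefixes, so customer-to-customer traffic still follows the default toward the Internet CE, which is where the filtering discussed earlier in the thread applies if the policy requires it. Verify the result with `show ip bgp vpnv4 vrf INTERNET` and confirm that no private prefixes appear.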

Silver

Re: Default route in internet VRF

If each customer connects to this PE using a specific interface (or a logical i/f such as PVC) why can't they each be put into their own vrf?

Thanks.
