Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Inter-VPN Connectivity

Hi,

In the case of Enterprise MPLS where VPN's are used to separate business units (a few dozen), with the entry points all firewalled, what is "best practise" regarding the inter-VPN communication?

I've seen a couple of approaches, but they all involve some kind of external "fusion router" concept - I'm thinking that perhaps having another VPN dedicated purely for transit might be an option?

Can anyone share their experience on how they tackled the issue of inter-vpn communication when the VPN's are all firewalled? (There will likely be a number of firewall concentration points on multiple locations.)

thanks,

Andrew

1 REPLY
Cisco Employee

Re: Inter-VPN Connectivity

Hi Andrew,

As you said, VRFs are deployed to separate naturally networks so they can't exchange information. It also allows the support of overlapping IP addressing plan.

If you want different VRFs to start exchanging traffic, you can on each PE import the routes of the other VRFs and upodate all your FWs rules.

But it's like merging all the VPNs into one and you loose the main advantage of having several VPNs. Also it's not possible to do that if you have addresses overlapping between your VPNs

That's why we prefer deploying dedicated CEs as inter-vpn gateway so you allow the communication but you keep the control. Usually the CE is associated to a FW. This design is commonly used to provide Extranet VPN services.

This design supports overlapping as well if you configure VRF aware NAT.

HTH

Laurent.

227
Views
0
Helpful
1
Replies
CreatePlease to create content