In the case of Enterprise MPLS where VPNs are used to separate business units (a few dozen), with the entry points all firewalled, what is "best practice" regarding inter-VPN communication?
I've seen a couple of approaches, but they all involve some kind of external "fusion router" concept. I'm thinking that perhaps having another VPN dedicated purely for transit might be an option?
Can anyone share their experience on how they tackled the issue of inter-VPN communication when the VPNs are all firewalled? (There will likely be a number of firewall concentration points in multiple locations.)
As you said, VRFs are deployed to naturally separate networks so they can't exchange information. They also allow support for overlapping IP addressing plans.
If you want different VRFs to start exchanging traffic, you can, on each PE, import the routes of the other VRFs and update all your FW rules.
But it's like merging all the VPNs into one, and you lose the main advantage of having several VPNs. Also, it's not possible to do that if you have overlapping addresses between your VPNs.
That's why we prefer deploying dedicated CEs as inter-VPN gateways, so you allow the communication but keep control. Usually the CE is associated with a FW. This design is commonly used to provide Extranet VPN services.
This design supports overlapping as well if you configure VRF-aware NAT.
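To make the two designs in the answer concrete, here is an added Cisco IOS-style configuration sketch; it is not from the original answer or from any vendor document. VRF names (FINANCE, HR), RDs/route-targets, VLAN IDs, interface names and the RFC 5737 addresses are all hypothetical, and both business units are assumed to use 10.0.0.0/8 internally so that plain route import cannot work. The firewall itself is not configured here; only the router side that hands traffic to it is shown.

```cisco
! ---- Option A: cross-import route-targets on the PE (the "merge" the answer warns against)
vrf definition FINANCE
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:10
  route-target import 65000:20   ! FINANCE now learns every HR prefix
!
vrf definition HR
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:20
  route-target import 65000:10   ! HR now learns every FINANCE prefix
! The PE forwards FINANCE<->HR traffic itself: no firewall is in the path, and with
! both VPNs using 10.0.0.0/8 the imported prefixes collide with the local ones.

! ---- Option B, PE side: hand each VRF to a dedicated gateway CE on its own VLAN.
! ---- No route-targets are shared between the VRFs.
interface GigabitEthernet0/1.10
 description FINANCE side of inter-VPN gateway
 encapsulation dot1Q 10
 vrf forwarding FINANCE
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 description HR side of inter-VPN gateway
 encapsulation dot1Q 20
 vrf forwarding HR
 ip address 192.0.2.5 255.255.255.252
! Each VRF only sees the other business unit through its translated range, and only
! via the gateway; redistribute these statics into MP-BGP so other PEs learn them.
ip route vrf FINANCE 198.51.100.0 255.255.255.0 192.0.2.2
ip route vrf HR      203.0.113.0 255.255.255.0 192.0.2.6

! ---- Option B, gateway CE (separate router): VRF-aware NAT, firewall as only next hop
vrf definition FINANCE
 address-family ipv4
!
vrf definition HR
 address-family ipv4
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding FINANCE
 ip address 192.0.2.2 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding HR
 ip address 192.0.2.6 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description Transit segment to the inter-VPN firewall (global table)
 ip address 192.0.2.9 255.255.255.252
 ip nat outside
! Return path into each VPN for the untranslated 10.0.0.0/8.
ip route vrf FINANCE 10.0.0.0 255.0.0.0 192.0.2.1
ip route vrf HR      10.0.0.0 255.0.0.0 192.0.2.5
! FINANCE hosts appear to HR in 203.0.113.0/24 and HR hosts appear to FINANCE in
! 198.51.100.0/24. The same inside address can exist in both VRFs because each
! translation entry is tagged with its VRF (hypothetical hosts shown).
ip nat inside source static 10.1.1.10 203.0.113.10 vrf FINANCE
ip nat inside source static 10.1.1.10 198.51.100.10 vrf HR
! Anything leaving a VRF toward the other unit goes to the firewall in the global table;
! the firewall routes 203.0.113.0/24 and 198.51.100.0/24 back to 192.0.2.9.
ip route vrf FINANCE 198.51.100.0 255.255.255.0 192.0.2.10 global
ip route vrf HR      203.0.113.0 255.255.255.0 192.0.2.10 global
```

The design point is that in Option B the only prefixes a VPN ever learns about its neighbour are the translated ranges, and every packet toward them hairpins through the firewall on the transit segment, so the firewall policy, not the routing table, decides what the business units may exchange. Adding a third business unit means one more VLAN, VRF and translated range on the gateway, not a change to the other VPNs.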