they could get connectivity. The reason is that, for example, traffic from VRF-A to VRF-B will follow the default route, label switched to the first router outside VRF-internet doing IP lookup. This router will have a longest match for networks in VRF-B pointing back to the internet VRF into your MPLS cloud. The path back - VRF-B to VRF-A - is established in the same manner. Thus IP connectivity can be established through the first IP router connected to the VRF-Internet.
You could prevent this by applying an access-list on the outgoing interface in VRF-Internet denying inter-VRF traffic.
The MPLS LER, which is the edge MPLS router, when it runs CEF with tag switching, will attach a label to the default route learnt from the CE, so in this case a label is attached to the default route, and CEF will also keep a fast-switched entry for the default pointing to the next-hop interface, which is the CE router interface from where the LER has learnt the route.
Therefore, when VRF-A or VRF-B send packets which follow the default route from VRF-Internet, then the Layer-3 lookup will not happen on the VRF-Internet LER router, it will PoP the label and CEF will send the packet to the next hop interface which will be the CE router...
Very nice explanation. Martin, I quite agree with you also. My point though is that VRF-A and VRF-B cannot communicate unless the packet reaches the Internet CE router. This implies that connectivity between the 2 VPNs is dependent on the routing table of the CE for VRF-Internet.
The IP address space used by the VPNs should not be known by the Internet CE route table (This could be private IP addresses), hence connectivity would not be possible between the VPNs. However, the Public IP address, used for connectivity to the Internet would be known, and there would be connectivity between these.
However, again, it is my opinion that it is desired that there should be connectivity between the public IP addresses. If not, your customers will not be able to communicate with each other. This situation can be worse if they are locally hosting services such as email and web. You might get calls that a customer cannot access the website of another of your customers.
Anyway, with proper route-targets configuration, the SP network should have routed the packets across the core, and not through the Internet CE (via default route). This can avoid the situation noted above.
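A small Python model of the forwarding path discussed in this thread, added here as an illustration and not posted by any participant. All prefixes, table contents and function names are constructed assumptions; it shows which inter-VRF flows hairpin through the Internet CE and how an outbound ACL on the VRF-Internet interface stops them.

```python
import ipaddress

# Constructed prefixes (assumptions, not taken from the thread).
A_PRIV, B_PRIV = "10.1.0.0/16", "10.2.0.0/16"          # private VPN space
A_PUB, B_PUB = "198.51.100.0/25", "198.51.100.128/25"  # public space

# Customer VRFs on the PE: own prefixes plus the default route imported
# from VRF-Internet, which is label switched toward the Internet CE.
PE_VRF = {
    "VRF-A": {A_PRIV: "local", A_PUB: "local", "0.0.0.0/0": "internet-ce"},
    "VRF-B": {B_PRIV: "local", B_PUB: "local", "0.0.0.0/0": "internet-ce"},
}
# Internet CE: knows only the public prefixes, pointing back into the cloud.
INTERNET_CE = {A_PUB: "VRF-A", B_PUB: "VRF-B"}
# Deny entries (src, dst) for the outgoing interface in VRF-Internet.
INTER_VRF_ACL = [(A_PUB, B_PUB), (B_PUB, A_PUB), (A_PRIV, B_PRIV), (B_PRIV, A_PRIV)]

def lpm(table, dst):
    """Longest-prefix match; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in map(ipaddress.ip_network, table) if addr in n]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def acl_denies(acl, src, dst):
    """True if any (src_prefix, dst_prefix) deny entry matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)

def trace(src_vrf, src, dst, acl=()):
    """Follow one packet from a customer VRF and return its outcome."""
    if lpm(PE_VRF[src_vrf], dst) == "local":
        return "delivered inside " + src_vrf
    # Default route: the label is popped at the VRF-Internet PE with no IP
    # lookup, so the outbound ACL toward the CE is the only control point.
    if acl_denies(acl, src, dst):
        return "dropped by ACL on VRF-Internet egress"
    vrf = lpm(INTERNET_CE, dst)  # first IP lookup happens on the CE
    if vrf is None:
        return "sent upstream by CE, never re-enters the MPLS cloud"
    return "hairpinned via Internet CE into " + vrf
```

Calling `trace("VRF-A", "198.51.100.10", "198.51.100.200")` with and without `acl=INTER_VRF_ACL` contrasts the leak with the mitigated case.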