Hello again! I'm setting up my internet VRF and I have a problem. I have some routers on my POP which are involved in transit and peering. By now, I cannot include them in MPLS, so I have to keep them in a pure IP environment.
To transmit internet routes, I have to set up iBGP between PEs and internet routers (working as CEs).
To avoid iBGP split horizon issues, the PE is also a route reflector, so it reflects all the routes learnt by iBGP to the other PEs.
Routes are reflected but, per route reflector rules, the next-hop is unchanged, so every PE in the internet VRF receives the MP-BGP route with the correct route target and a next-hop IP included in the internet VRF, but not in the global table, so the router does not import it into the VRF.
If I install a static route in the global routing table, it works.
Does anyone have a good idea of how to carry this out?
There are two things I would suggest. Either you have all the BGP next-hop addresses in the IGP as host routes. This requires a second link or logical subinterface between PE and internet CE routers. This link would then carry all the internet traffic.
A somewhat different approach is transporting internet BGP table as address-family IPv4 on the PE routers. Your customers requiring BGP peering to the internet would have a separate link terminating in the global routing table, which can be seen as a drawback.
On the other hand you typically cannot import internet routes into customer VRFs as this would create a copy of the internet BGP table per VRF, which could easily deplete the physical memory on a PE (import into ten VRFs would mean ten times the full BGP table on a PE).
So typically the VRF solution also requires a separate link (or subinterface) for each customer to the internet VRF.
For customers requiring a default route, you can implement packet leaking.
Personally I would favor the latter solution, as this is pretty much standard BGP setup for internet access and also requires less memory (no RDs, RTs etc.).
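As an added illustration of the second design (the internet table carried in the global IPv4 address family, with the PE acting as route reflector), here is an IOS-style configuration sketch for one PE and one internet CE. This is not configuration from the thread or from any Cisco document; all addresses, interface names and AS numbers are made up, and the IGP (OSPF) and the dot1Q subinterface are assumptions. The point it shows is the one the original poster hit: the reflected next-hop stays unchanged, so it must be a host route in the IGP of the global table, which is why the CE sets next-hop-self toward the PE and advertises its loopback into OSPF.

```text
!--- PE side (assumed IOS syntax; addresses are constructed for the example) ---
! Subinterface toward the internet router lives in the GLOBAL table, not in a VRF.
interface GigabitEthernet0/1.100
 description Link to internet router (CE kept in pure IP, global table)
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.252
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! The IGP carries PE and internet-router loopbacks as /32 host routes, so the
! unchanged BGP next-hop of a reflected route resolves in every PE's global RIB.
router ospf 1
 network 10.255.0.1 0.0.0.0 area 0
 network 192.0.2.0 0.0.0.3 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.255.1.1 remote-as 65000          ! internet router loopback
 neighbor 10.255.1.1 update-source Loopback0
 neighbor 10.255.2.2 remote-as 65000          ! another PE
 neighbor 10.255.2.2 update-source Loopback0
 !
 ! Internet routes: global IPv4 address family, PE is the route reflector.
 address-family ipv4
  neighbor 10.255.1.1 activate
  neighbor 10.255.1.1 route-reflector-client
  neighbor 10.255.2.2 activate
  neighbor 10.255.2.2 route-reflector-client
 exit-address-family
 !
 ! Customer VPNs keep riding vpnv4 over MPLS; the internet table never enters a VRF,
 ! so there is no per-VRF copy of the full table.
 address-family vpnv4
  neighbor 10.255.2.2 activate
  neighbor 10.255.2.2 send-community extended
 exit-address-family

!--- Internet router (CE) side ---
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.2 255.255.255.252
!
router ospf 1
 network 10.255.1.1 0.0.0.0 area 0
 network 192.0.2.0 0.0.0.3 area 0
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000          ! PE loopback
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 203.0.113.1 remote-as 64500         ! eBGP transit/peering neighbour (constructed)
 !
 address-family ipv4
  neighbor 203.0.113.1 activate
  neighbor 10.255.0.1 activate
  ! Rewrite the eBGP next-hop to this loopback: the transit peer's link address is
  ! not in the IGP, but 10.255.1.1 is, so remote PEs can resolve the reflected route.
  neighbor 10.255.0.1 next-hop-self
 exit-address-family
```

With this in place a remote PE sees the reflected internet prefix with next-hop 10.255.1.1, finds that /32 in its global RIB via OSPF, and installs the route without any static entry; the static route the original poster added by hand was doing exactly the job the IGP host route does here.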
- The scenario with default routing: why is it so necessary to have two separate interfaces or implementing packet leaking? If every remote office needs direct access to the internet, using public IPs, they will be exposed to the internet audience; so maybe I could use a private VPN importing the default internet route from the internet VPN. Data from the offices should be enclosed in the VPN (route-driven), and only travel out of the VPN (to the internet VPN) just when going to a prefix not included in the VPN. (With direct connection to the internet, they would need a firewall in every office and some strict policies.)
- If two interfaces are needed: wouldn't it be possible to use a GRE tunnel as a second (logical) interface? Traffic between offices would use private addressing, and I would close a tunnel ending in the PE, belonging to the internet VPN and having public IPs. Maybe I could even use a loopback address and close all the tunnels ending in that address. Every client could see each other in the public addressing.... but they are connected to the internet.
- Lastly, I think a client needing internet routes will be seen as an AS, so he would have some kind of centralized access (most of the time), so he could establish multihop BGP sessions through an MPLS VPN with the internet POP (or better, with a router, one side connected to the POP and the other to the different clients).
A1) Default routing will be possible over one link. There is just a little security issue for the customer: every decent internet firewall blocks e.g. RFC1918 source IPs from the internet. This is not possible if the link also carries internal VPN routes. So from a security perspective a separate link with a separate rule set would be better.
A2) A GRE tunnel is also OK. Speaking of a "link" I did not mean physical link, but different interface (subint, VLAN, GRE tunnel ...)
A3) Multi-hop BGP would work for a BGP session, but this would potentially create the classical "BGP black hole" scenario: how would intermediate routers forward internet IP packets? Maybe a default route would help here, but you will need redundancy and default routing is very limited when it comes to path selection.
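As an added example of the default-route option from A1 (packet leaking between the global table and a customer VRF) together with the separate-rule-set point, here is an IOS-style sketch for a PE. It is not configuration from the thread or from Cisco; the VRF name, RD/RT, prefixes and interface names are constructed, and the internet router loopback 10.255.1.1 is assumed to be reachable in the global table. The static routes do the leaking in both directions, and the dedicated internet-facing subinterface is what makes the RFC1918 source filter possible: on a link that also carried VPN traffic with private addressing, the same deny lines would drop legitimate inter-office packets.

```text
! Customer VRF (constructed names and values)
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
!
! Customer-facing subinterface in the VRF; the customer's public block is 198.51.100.0/24
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.0
!
! Leak a default into the VRF: the next hop is looked up in the GLOBAL RIB,
! so internet-bound packets from CUST-A leave via the internet router.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.255.1.1 global
!
! Return path: the customer's public prefix is reachable from the global table
! through the VRF interface (global static pointing at a VRF-attached interface).
ip route 198.51.100.0 255.255.255.0 GigabitEthernet0/2.200
!
! Let remote PEs in the same VPN learn the leaked default via vpnv4.
router bgp 65000
 address-family ipv4 vrf CUST-A
  redistribute static
 exit-address-family
!
! Separate rule set for the internet-facing link (the point raised in A1):
! packets arriving from the internet with RFC1918 sources are dropped.
! The internet router's own loopback is RFC1918 in this constructed example, so its
! iBGP/IGP traffic is explicitly permitted before the denies.
ip access-list extended FROM-INTERNET
 permit ip host 10.255.1.1 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Applied inbound on the global-table subinterface toward the internet router only;
! it is never applied on VRF interfaces that carry inter-office private traffic.
interface GigabitEthernet0/1.100
 ip access-group FROM-INTERNET in
```

Only the default route, not the internet table, reaches the VRF, so the memory concern from the earlier answer does not apply; the trade-off is the one the thread names: with a single shared link the anti-spoofing filter cannot be written this way, so the dedicated internet subinterface is what buys the separate policy.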
Cisco's implementation of route reflectors is in line with RFC, which says that RR should not modify next-hop, MED and AS-PATH attributes.
As mheusinger said, common solution is customers using dedicated link configured in global IPv4 address family on PE (possibly via a firewall hosted at provider site).
If you really want to go with your topology solution, just use confederation - configure your inet routers to be in different sub-AS. But this looks cumbersome to me in general (not confed but your approach of implementing inet access).