04-23-2003 11:16 PM
Hi,
How can I prevent another provider from inserting itself into my VPN?
I have VPNs which should not be imported or exported by other carriers. I would like to avoid this within my configuration.
Is there any practical solution so that no other provider can connect itself to my VPNs? It should only be possible to connect to VPNs I allow.
Regards,
Chris
04-24-2003 03:50 AM
Hi, Chris
If you configure a back to back VRF configuration, you should be fine.
In fact, what this means is that you configure the interface to the other provider with multiple subinterfaces, on which you configure the VRFs you want the other provider to be able to connect to.
In fact, you configure the provider as a customer of yours.
Hope this helps,
-Ives-
04-24-2003 04:27 AM
Hi Ives,
So there is no possibility for an "RD/RT access-control" if the link is tag-switched? Using Subif / VRF does not scale very well and stops any exchange of BGP attributes, right?
It would be best if the vrf-import/export could be controlled on the ASBR and if there would also be a possibility if anybody tries a hack.
Regards,
Chris
04-24-2003 05:15 AM
What you can do is configure only the VRFs that you want to exchange on the PE-ASBRs; the automatic route filtering feature will then filter all routes that are not needed on the PE to be exchanged.
As such you have a kind of RT filter.
Hope this helps,
-Ives-
04-24-2003 07:34 AM
The only problem I have is that the VRFs I want to secure are defined on the ASBR-routers.
Regards,
Chris
04-24-2003 11:25 PM
Hi Chris,
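What you could try is the following:

router bgp 65000
 neighbor 10.0.0.1 remote-as 1
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  ! a direction is required on the route-map; inbound filters what the other provider sends
  neighbor 10.0.0.1 route-map permitted_RT in
!
! routes that match no clause hit the route-map's implicit deny
route-map permitted_RT permit 10
 match extcommunity 1
!
! only routes carrying this route target are permitted
ip extcommunity-list 1 permit rt 65000:1

I have never needed this, though it might work.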
Hope this helps,
-Ives-
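
Added example, not part of the thread: a small Python check that reads an IOS-style configuration like the one sketched in the post above and reports, for each neighbor activated under VPNv4, which route targets its inbound route-map allows. The sample config, the neighbors 10.0.0.2 and 10.0.0.3, the name `open_map` and the function name are constructed for illustration; only `match extcommunity` clauses are examined.

```python
import re

# Constructed sample (not a real device): 10.0.0.2 has no filter, 10.0.0.3 a permit-all map.
SAMPLE_CONFIG = """\
router bgp 65000
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.2 remote-as 2
 neighbor 10.0.0.3 remote-as 3
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 route-map permitted_RT in
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 route-map open_map in
route-map permitted_RT permit 10
 match extcommunity 1
route-map open_map permit 10
ip extcommunity-list 1 permit rt 65000:1
"""

def audit_vpnv4_rt_filters(config):
    """Map each VPNv4 neighbor to the RTs its inbound filter allows, or to a finding."""
    activated, inbound, rmaps, ext_lists = set(), {}, {}, {}
    in_vpnv4, clause = False, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith(("address-family", "exit-address-family")):
            in_vpnv4 = line.startswith("address-family vpnv4")
        elif in_vpnv4 and (m := re.match(r"neighbor (\S+) activate", line)):
            activated.add(m.group(1))
        elif in_vpnv4 and (m := re.match(r"neighbor (\S+) route-map (\S+) in$", line)):
            inbound[m.group(1)] = m.group(2)
        elif m := re.match(r"route-map (\S+) (permit|deny)", line):
            # Deny clauses cannot widen the allow-list, so only permit clauses are tracked.
            in_vpnv4, clause = False, ([] if m.group(2) == "permit" else None)
            if clause is not None:
                rmaps.setdefault(m.group(1), []).append(clause)
        elif clause is not None and (m := re.match(r"match extcommunity (.+)", line)):
            clause.extend(m.group(1).split())
        elif m := re.match(r"ip extcommunity-list (\S+) permit (.+)", line):
            ext_lists.setdefault(m.group(1), []).extend(re.findall(r"rt (\S+)", m.group(2)))
    report = {}
    for nbr in sorted(activated):
        clauses = rmaps.get(inbound.get(nbr))
        if not clauses:
            report[nbr] = "no inbound RT filter"
        elif any(not c for c in clauses):
            report[nbr] = "permit clause without RT match"
        else:
            report[nbr] = sorted({rt for c in clauses for name in c for rt in ext_lists.get(name, [])})
    return report
```

Calling `audit_vpnv4_rt_filters(SAMPLE_CONFIG)` returns the allowed RT list for 10.0.0.1 and a finding string for the two neighbors whose sessions would accept any route target.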