Hello All,
We have deployed VPNs via Ethernet and we integrate them via dot1q VLANs on a subinterface on a GigEthernet. We then make those a member of a specific vrf forwarding VPN, for example:

interface GigabitEthernet0/1.101
 description VPN-CUST1
 encapsulation dot1Q 101
 ip vrf forwarding VPN-CUST1
 ip address 192.168.125.1 255.255.255.252
 ip address 192.168.126.1 255.255.255.252 secondary
 no cdp enable
end

The client only wants the Head Office to see the branches, but not branch to branch, for commercial and technical reasons, e.g. viruses/snooping etc. In our ATM subinterfaces, each branch has one subif, so each has a different VRF and RD; we then just import the RD to the head office. But with VLAN-based branches, we can't do it like this. I hope I have made it clear somehow. The question is, is there any other option to achieve this on VLAN-based subif VPNs? We are thinking of creating a subif VLAN for each branch, but what if there are a thousand branches? Our VLANs will be exhausted easily. Hoping for your insights regarding this.
Thanks!