

9 messages in net.nether.puck.cisco-nsp [c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Ne...

| From | Sent On | Attachments |
|---|---|---|
| Eric Kagan | Jan 4, 2005 6:56 am | |
| John Osmon | Jan 4, 2005 11:39 am | |
| Nick Shah | Jan 4, 2005 6:41 pm | |
| choo...@pacific.net.sg | Jan 4, 2005 9:14 pm | |
| Nick Shah | Jan 4, 2005 9:26 pm | |
| choo...@pacific.net.sg | Jan 4, 2005 10:02 pm | |
| Jon Lewis | Jan 4, 2005 10:51 pm | |
| Oliver Boehmer (oboehmer) | Jan 5, 2005 3:15 am | |
| Chris Cappuccio | Jan 5, 2005 10:15 am | |

| Subject: | [c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options |
|---|---|
| From: | choo...@pacific.net.sg (choo...@pacific.net.sg) |
| Date: | Jan 4, 2005 10:02:58 pm |
| List: | net.nether.puck.cisco-nsp |

Hi Nick,
Ya, I've come across the Cisco doc. But, for the return traffic to CE, it requires the CE network to be redistributed to the MPLS core. This will not be workable in the case of a VPN running overlapping private addresses.
I think the firewall/NAT equipment might be able to solve this problem. But, it will incur some administrative overhead, as a trunk to the firewall/NAT has to be created for every customer.
Another approach I came across is to set up a normal IPv4 link for internet access and run MPLS/VPN as a tunnel over that same link. Not sure if there is any drawback in this case though.
Thanks, Wei Keong
On Wed, 5 Jan 2005, Nick Shah wrote:
Wei
Various methods have been discussed & deployed for internet access into VPN. Notable among these are:
http://www.cisco.com/en/US/partner/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml
- Above method deals with pointing a default route to a global IGW (internet gateway router)
Even though it works, it needs the security of a fortress. The not so common, yet deployed across service providers are the combination of:
- IGW with a shared/managed firewall like a netscreen. With this method you (as a SP) host a firewall in the data center, which trunks (DOT1Q/ISL trunk) back into the PE. Have 1 x subinterface per customer/vrf that needs internet access. The firewall then provides internet access.
- Managed CE router with a firewall (per customer VPN), possibly from 2 x sites, and then leak weighted defaults into the VRF.
One of the more suicidal attempts :) was to leak the internet table into the customer VRF...
I believe a combination of NAT & the trunk interface between PE & firewall should cure the issue of overlapping address space you mentioned.
rgds
-----Original Message-----
From: choo...@pacific.net.sg [mailto:choo...@pacific.net.sg]
Sent: Wednesday, 5 January 2005 1:15 PM
To: Nick Shah
Cc: cisc...@puck.nether.net
Subject: RE: [c-nsp] MPLS, L2TPv3 Layer 2/3 VPN Network Options
Hi Nick,
That's a good 5000ft overview on MPLS/VPN :).
I'm looking into providing internet access to MPLS/VPN. Has anyone tried to enable internet access on an MPLS/VPN? Any experience to share?
I think the challenge would be how to provide internet access and MPLS/VPN over the same physical link, especially when the VPN is running on non-unique private IP addresses.
Rgds, Wei Keong
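
The subinterface-per-VRF plus NAT design discussed in this thread, as an added Python model that is not part of the original messages: it shows why overlapping customer prefixes cannot be redistributed into one global table, and how a NAT keyed on the customer's trunk subinterface keeps return traffic in the right VRF. The VLAN tags, VRF names, prefixes and the public address are constructed sample values, and `overlapping_vrfs` and `VrfNat` are hypothetical names.

```python
# Added illustration (not from the thread): VLAN tags, VRF names, prefixes and
# the public address are constructed sample values.
import ipaddress
from itertools import count

# One dot1Q subinterface per customer VRF on the PE-to-firewall trunk.
SUBIF_TO_VRF = {101: "cust-a", 102: "cust-b", 103: "cust-c"}
VRF_PREFIXES = {
    "cust-a": ["10.0.0.0/24"],
    "cust-b": ["10.0.0.0/16"],      # overlaps cust-a
    "cust-c": ["192.168.5.0/24"],
}

def overlapping_vrfs(vrf_prefixes):
    """VRF pairs whose prefixes overlap; a global table cannot hold both."""
    nets = [(v, ipaddress.ip_network(p))
            for v, ps in vrf_prefixes.items() for p in ps]
    clashes = set()
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if va != vb and na.overlaps(nb):
                clashes.add(tuple(sorted((va, vb))))
    return sorted(clashes)

class VrfNat:
    """Port-translating NAT keyed on (VRF, private IP, port)."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.out = {}    # (vrf, ip, port) -> public port
        self.back = {}   # public port -> (vrf, ip, port)

    def outbound(self, vlan, src_ip, src_port):
        key = (SUBIF_TO_VRF[vlan], src_ip, src_port)  # VLAN tag selects the VRF
        if key not in self.out:
            port = next(self.ports)
            self.out[key], self.back[port] = port, key
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        """Map return traffic to its VRF; unsolicited ports get None (drop)."""
        return self.back.get(dst_port)

if __name__ == "__main__":
    print(overlapping_vrfs(VRF_PREFIXES))
    nat = VrfNat("203.0.113.1")
    a = nat.outbound(101, "10.0.0.5", 40000)
    b = nat.outbound(102, "10.0.0.5", 40000)
    print(a, nat.inbound(a[1]))
    print(b, nat.inbound(b[1]))
```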







