Complex MPLS VPNs

Presentation Transcript


  1. Complex MPLS VPNs Introducing Central Services VPNs

  2. Outline
     • Overview
     • What Are the Access Characteristics of a Central Services VPN?
     • What Are the Routing Characteristics of a Central Services VPN?
     • Identifying the Central Services VPN Data Flow Model
     • Configuring a Central Services VPN
     • Integrating a Central Services VPN with a Simple VPN
     • Identifying the RD Requirements When Integrating Central Services and Simple VPNs
     • Identifying the RT Requirements When Integrating Central Services and Simple VPN
     • Summary

  3. Central Services VPN
     • Clients need access to central servers.
     • Servers can communicate with each other.
     • Clients can communicate with all servers but not with each other.

  4. Central Services VPN Routing
     • Client routes need to be exported to the server site.
     • Server routes need to be exported to client and server sites.
     • No routes are exchanged between client sites.

  5. Central Services VPN Data Flow Model
     • Client VRFs contain server routes; clients can talk to servers.
     • Server VRFs contain client routes; servers can talk to clients.
     • Client VRFs do not contain routes from other clients; clients cannot communicate.
     • Make sure that there is no client-to-client leakage across server sites.

  6. Steps for Configuring a Central Services VPN
     • Client sites:
       • Use a separate VRF per client site.
       • Use a unique RD on each client site.
       • Import and export routes with an RT that is the same value as the RD for each client site (VPN of client).
       • Export routes with an RT (clients-to-server) associated with the server site.
       • Import routes with the RT (server-to-clients) into client VRFs.

  7. Steps for Configuring a Central Services VPN (Cont.)
     • Server sites:
       • Use one VRF for each service type.
       • Use a unique RD on each service type.
       • Import and export routes with an RT that is the same value as the RD for each server site (VPN of server).
       • Export server site routes with an RT (server-to-client).
       • Import routes with the RT (clients-to-server) into the server VRFs.

  8. Configuring a Central Services VPN

  9. Central Services VPN and Simple VPN Requirements
     • Customers run a simple VPN:
       • All A-Spoke sites in A-VPN
       • All B-Spoke sites in B-VPN
     • Only A-Central and B-Central need access to central servers.
     • This situation results in a combination of rules from the overlapping VPN and central services VPN.

  10. Central Services VPN and Simple VPN Requirements (Cont.)
     • For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
     • For sites that are only clients of central servers, create a VRF per site.
     • Create one VRF for central servers per PE router.

  11. Configuring RDs in a Central Services VPN and Simple VPN
     • Configure a unique RD for every set of VRFs with unique membership requirements:
       • A-Spoke-1 and A-Spoke-2 can share the same RD.
       • B-Spoke-1 and B-Spoke-2 can share the same RD.
       • A-Central needs a unique RD.
       • B-Central needs a unique RD.
     • Configure one RD for all central server VRFs.

  12. Configuring RTs in a Central Services VPN and Simple VPN
     • Configure the customer VPN import-export route target in all VRFs participating in customer VPN.
     • Configure a unique import-export route target in every VRF that is only a client of central servers.
     • Configure the central services import and export route targets in VRFs that participate in central services VPN.

  13. Configuring VRFs in a Central Services VPN and Simple VPN

  14. Summary
     • A central services VPN is used to provide access from centralized servers to one or more customers.
     • A central services VPN routing model indicates these requirements:
       • Client routes need to be exported to the server site.
       • Service routes need to be exported to client and server sites.
       • No routes are exchanged between client sites.
     • The data flow in a central services VPN model indicates these requirements:
       • Client VRFs contain server routes and do not contain routes from other clients.
       • Server VRFs contain client routes.
     • Some of the requirements to configure a central services VPN are these:
       • Use a separate VRF for each client.
       • Use a unique RD on each client site.
       • Use a unique RD in each set of server sites.
       • Use import and export RT matching between server and client sites.

  15. Summary (Cont.)
     • The hybrid of a simple VPN and a central VPN provides the following:
       • Customers have intra-VPN access, including their central site.
       • The central sites of each customer can access centralized servers available to multiple customers.
     • Intra-VPN customer sites can share the same RD. The central site of a customer and shared centralized servers require a unique RD.
     • The import-export RT must match from respective customer intra-VPN sites to a central site. A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.
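
The RD and RT rules from the client/server configuration steps and from the hybrid design (slides 6-7 and 11-12) can be checked mechanically before they are deployed. The following is an added example, not part of the original presentation: a small Python model of RT import/export that lists which VRFs can exchange traffic and flags customer-to-customer leakage. All RD/RT values and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vrf:
    name: str
    rd: str
    imports: list   # route targets imported into this VRF
    exports: list   # route targets attached to routes this VRF exports

def learns_from(vrfs):
    """Map each VRF to the other VRFs whose exported routes it imports."""
    return {v.name: {o.name for o in vrfs
                     if o is not v and set(o.exports) & set(v.imports)}
            for v in vrfs}

def can_talk(vrfs):
    """Pairs holding routes in both directions (one-way visibility carries no traffic)."""
    seen = learns_from(vrfs)
    return {frozenset((a, b)) for a in seen for b in seen[a] if a in seen[b]}

def rd_conflicts(vrfs):
    """RDs shared by VRFs whose membership (import/export RT sets) differs."""
    by_rd = {}
    for v in vrfs:
        by_rd.setdefault(v.rd, set()).add((frozenset(v.imports), frozenset(v.exports)))
    return sorted(rd for rd, members in by_rd.items() if len(members) > 1)

def leaks(vrfs):
    """Customer-A/customer-B VRF pairs that can exchange traffic; should be empty."""
    return sorted(tuple(sorted(p)) for p in can_talk(vrfs)
                  if {n[0] for n in p} == {"A", "B"})

# Constructed values (assumptions, not taken from the slides).
A_VPN, B_VPN, SRV = "65000:10", "65000:20", "65000:99"
C2S, S2C = "65000:100", "65000:101"   # clients-to-server, server-to-clients

def hybrid(central_import=(S2C,)):
    # Spokes carry only the customer RT; central sites add the central services RTs.
    return [
        Vrf("A-Spoke-1", "65000:10", [A_VPN], [A_VPN]),
        Vrf("A-Spoke-2", "65000:10", [A_VPN], [A_VPN]),
        Vrf("B-Spoke-1", "65000:20", [B_VPN], [B_VPN]),
        Vrf("B-Spoke-2", "65000:20", [B_VPN], [B_VPN]),
        Vrf("A-Central", "65000:11", [A_VPN, *central_import], [A_VPN, C2S]),
        Vrf("B-Central", "65000:21", [B_VPN, *central_import], [B_VPN, C2S]),
        Vrf("Server", SRV, [SRV, C2S], [SRV, S2C]),
    ]

GOOD = hybrid()                           # central sites import only server-to-clients
BAD = hybrid(central_import=(S2C, C2S))   # weak: central sites also import clients-to-server
```

The model covers RT-based route import and export only; it does not model forwarding inside the server site.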
