© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—6-1
Complex MPLS VPNs
Introducing Central Services VPNs
Outline
• Overview
• What Are the Access Characteristics of a Central Services VPN?
• What Are the Routing Characteristics of a Central Services VPN?
• Identifying the Central Services VPN Data Flow Model
• Configuring a Central Services VPN
• Integrating a Central Services VPN with a Simple VPN
• Identifying the RD Requirements When Integrating Central Services and Simple VPNs
• Identifying the RT Requirements When Integrating Central Services and Simple VPNs
• Summary
Central Services VPN
• Clients need access to central servers.
• Servers can communicate with each other.
• Clients can communicate with all servers but not with each other.
Central Services VPN Routing
• Client routes need to be exported to the server site.
• Server routes need to be exported to client and server sites.
• No routes are exchanged between client sites.
Central Services VPN Data Flow Model
• Client VRFs contain server routes; clients can talk to servers.
• Server VRFs contain client routes; servers can talk to clients.
• Client VRFs do not contain routes from other clients; clients cannot communicate.
• Make sure that there is no client-to-client leakage across server sites.
Steps for Configuring a Central Services VPN
Client sites:
• Use a separate VRF per client site.
• Use a unique RD on each client site.
• Import and export routes with an RT that is the same value as the RD for each client site (VPN of client).
• Export routes with an RT (clients-to-server) associated with the server site.
• Import routes with the RT (server-to-clients) into client VRFs.
Steps for Configuring a Central Services VPN (Cont.)
Server sites:
• Use one VRF for each service type.
• Use a unique RD on each service type.
• Import and export routes with an RT that is the same value as the RD for each server site (VPN of server).
• Export server site routes with an RT (server-to-client).
• Import routes with the RT (clients-to-server) into the server VRFs.
Configuring a Central Services VPN
Central Services VPN and Simple VPN Requirements
• Customers run a simple VPN:
– All A-Spoke sites in A-VPN
– All B-Spoke sites in B-VPN
• Only A-Central and B-Central need access to central servers.
• This situation results in a combination of rules from the overlapping VPN and central services VPN.
Central Services VPN and Simple VPN Requirements (Cont.)
• For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
• For sites that are only clients of central servers, create a VRF per site.
• Create one VRF for central servers per PE router.
Configuring RDs in a Central Services VPN and Simple VPN
• Configure a unique RD for every set of VRFs with unique membership requirements:
– A-Spoke-1 and A-Spoke-2 can share the same RD.
– B-Spoke-1 and B-Spoke-2 can share the same RD.
– A-Central needs a unique RD.
– B-Central needs a unique RD.
• Configure one RD for all central server VRFs.
Configuring RTs in a Central Services VPN and Simple VPN
• Configure the customer VPN import-export route target in all VRFs participating in the customer VPN.
• Configure a unique import-export route target in every VRF that is only a client of central servers.
• Configure the central services import and export route targets in VRFs that participate in the central services VPN.
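The RT rules above, together with the client-site and server-site steps from the earlier configuration slides, can be checked with a small model of route-target filtering that reports any pair of VRFs that should be isolated but is not. This is an added example, not part of the course material; the VRF names follow the slides, while the RT values, the function names and the misconfigured variant are constructed for illustration.

```python
# Added example: control-plane model of route-target (RT) filtering between VRFs.
# VRF names follow the slides; every RT value here is constructed for illustration.
RT_A, RT_B = "100:10", "100:20"          # customer VPN import-export RTs
RT_SRV = "100:30"                        # server VPN import-export RT
RT_C2S, RT_S2C = "100:101", "100:102"    # clients-to-server / server-to-clients

# VRF name -> (export RTs, import RTs)
VRFS = {
    "A-Spoke":   ({RT_A},           {RT_A}),
    "A-Central": ({RT_A, RT_C2S},   {RT_A, RT_S2C}),
    "B-Spoke":   ({RT_B},           {RT_B}),
    "B-Central": ({RT_B, RT_C2S},   {RT_B, RT_S2C}),
    "Server":    ({RT_SRV, RT_S2C}, {RT_SRV, RT_C2S}),
}

# Pairs the design requires to stay isolated from each other.
ISOLATED = [("A-Central", "B-Central"), ("A-Spoke", "B-Spoke"),
            ("A-Spoke", "Server"), ("B-Spoke", "Server")]

def build_tables(vrfs):
    """Return VRF -> set of origin VRFs whose routes it holds (its own included)."""
    return {name: {src for src, (exports, _) in vrfs.items()
                   if src == name or exports & imports}
            for name, (_, imports) in vrfs.items()}

def can_talk(tables, a, b):
    """Two-way traffic needs a route in both directions."""
    return b in tables[a] and a in tables[b]

def leaks(vrfs, isolated_pairs):
    """Return the isolated pairs where either side learned the other's routes."""
    t = build_tables(vrfs)
    return [(a, b) for a, b in isolated_pairs if b in t[a] or a in t[b]]

# Constructed misconfiguration: A-Central also imports the clients-to-server RT,
# so it installs routes exported by B-Central toward the servers.
BAD = dict(VRFS)
BAD["A-Central"] = ({RT_A, RT_C2S}, {RT_A, RT_S2C, RT_C2S})

if __name__ == "__main__":
    tables = build_tables(VRFS)
    for name in VRFS:
        print(name, "holds routes from", sorted(tables[name]))
    print("A-Central <-> Server:", can_talk(tables, "A-Central", "Server"))
    print("leaks (as designed):  ", leaks(VRFS, ISOLATED))
    print("leaks (misconfigured):", leaks(BAD, ISOLATED))
```

The model covers only RT import and export filtering. It does not model a server site that advertises a default or summary route covering client prefixes, which is one way traffic can still pass between clients across the server site.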
Configuring VRFs in a Central Services VPN and Simple VPN
Summary
• A central services VPN is used to provide access from centralized servers to one or more customers.
• A central services VPN routing model indicates these requirements:
– Client routes need to be exported to the server site.
– Service routes need to be exported to client and server sites.
– No routes are exchanged between client sites.
• The data flow in a central services VPN model indicates these requirements:
– Client VRFs contain server routes and do not contain routes from other clients.
– Server VRFs contain client routes.
• Some of the requirements to configure a central services VPN are these:
– Use a separate VRF for each client.
– Use a unique RD on each client site.
– Use a unique RD in each set of server sites.
– Use import and export RT matching between server and client sites.
Summary (Cont.)
• The hybrid of a simple VPN and a central VPN provides the following:
– Customers have intra-VPN access, including their central site.
– The central sites of each customer can access centralized servers available to multiple customers.
• Intra-VPN customer sites can share the same RD. The central site of a customer and shared centralized servers require a unique RD.
• The import-export RT must match from respective customer intra-VPN sites to a central site. A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.