© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—6-1 Complex MPLS VPNs Introducing Central Services VPNs

Complex MPLS VPNs

Introducing Central Services VPNs

Outline

• Overview

• What Are the Access Characteristics of a Central Services VPN?

• What Are the Routing Characteristics of a Central Services VPN?

• Identifying the Central Services VPN Data Flow Model

• Configuring a Central Services VPN

• Integrating a Central Services VPN with a Simple VPN

• Identifying the RD Requirements When Integrating Central Services and Simple VPNs

• Identifying the RT Requirements When Integrating Central Services and Simple VPN

• Summary

Central Services VPN

• Clients need access to central servers.

• Servers can communicate with each other.

• Clients can communicate with all servers but not with each other.

Central Services VPN Routing

• Client routes need to be exported to the server site.

• Server routes need to be exported to client and server sites.

• No routes are exchanged between client sites.

Central Services VPN Data Flow Model

• Client VRFs contain server routes; clients can talk to servers.

• Server VRFs contain client routes; servers can talk to clients.

• Client VRFs do not contain routes from other clients; clients cannot communicate.

• Make sure that there is no client-to-client leakage across server sites.

Steps for Configuring a Central Services VPN

Client sites:

• Use a separate VRF per client site.

• Use a unique RD on each client site.

• Import and export routes with an RT that is the same value as the RD for each client site (VPN of client).

• Export routes with an RT (clients-to-server) associated with the server site.

• Import routes with the RT (server-to-clients) into client VRFs.

Steps for Configuring a Central Services VPN (Cont.)

Server sites:

• Use one VRF for each service type.

• Use a unique RD on each service type.

• Import and export routes with an RT that is the same value as the RD for each server site (VPN of server).

• Export server site routes with an RT (server-to-client).

• Import routes with the RT (clients-to-server) into the server VRFs.
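
The client-site and server-site route-target rules above can be checked mechanically. The following is an added example, not part of the Cisco course material: it parses an IOS-style VRF configuration and reports any client VRF that would import another client's routes. The VRF names, RDs and RT values (100:303 for clients-to-server, 100:304 for server-to-clients) are constructed for illustration, and the check covers only route-target matching, not traffic forwarded through a server site.

```python
import re
from itertools import permutations

# Constructed IOS-style VRF configuration; names, RDs and RTs are illustrative.
SAMPLE_CONFIG = """
ip vrf Client-1
 rd 100:101
 route-target both 100:101
 route-target export 100:303
 route-target import 100:304
ip vrf Client-2
 rd 100:102
 route-target both 100:102
 route-target export 100:303
 route-target import 100:304
ip vrf Server
 rd 100:103
 route-target both 100:103
 route-target export 100:304
 route-target import 100:303
"""

def parse_vrfs(text):
    """Return {vrf: {"rd": str, "import": set, "export": set}}."""
    vrfs, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
        elif cur is not None and (m := re.fullmatch(r"rd (\S+)", line)):
            cur["rd"] = m.group(1)
        elif cur is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            for d in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                cur[d].add(m.group(2))
    return vrfs

def imports_from(vrfs):
    """(source, destination) pairs where destination imports an RT that source exports."""
    return {(s, d) for s, d in permutations(vrfs, 2) if vrfs[s]["export"] & vrfs[d]["import"]}

def audit(vrfs, clients):
    """Findings: RDs shared between client VRFs, and client-to-client route imports."""
    findings = []
    rds = [vrfs[c]["rd"] for c in clients]
    findings += [f"duplicate RD {rd}" for rd in sorted(set(rds)) if rds.count(rd) > 1]
    flows = imports_from(vrfs)
    findings += [f"leak {s}->{d}" for s, d in sorted(flows) if s in clients and d in clients]
    return findings
```

Calling `audit(parse_vrfs(SAMPLE_CONFIG), ["Client-1", "Client-2"])` returns an empty list; adding `route-target import 100:303` to a client VRF makes it report the resulting client-to-client import.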

Configuring a Central Services VPN

Central Services VPN and Simple VPN Requirements

• Customers run a simple VPN:

– All A-Spoke sites in A-VPN

– All B-Spoke sites in B-VPN

• Only A-Central and B-Central need access to central servers.

• This situation results in a combination of rules from the overlapping VPN and central services VPN.

Central Services VPN and Simple VPN Requirements (Cont.)

• For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.

• For sites that are only clients of central servers, create a VRF per site.

• Create one VRF for central servers per PE router.

Configuring RDs in a Central Services VPN and Simple VPN

• Configure a unique RD for every set of VRFs with unique membership requirements:

– A-Spoke-1 and A-Spoke-2 can share the same RD.

– B-Spoke-1 and B-Spoke-2 can share the same RD.

– A-Central needs a unique RD.

– B-Central needs a unique RD.

• Configure one RD for all central server VRFs.

Configuring RTs in a Central Services VPN and Simple VPN

• Configure the customer VPN import-export route target in all VRFs participating in the customer VPN.

• Configure a unique import-export route target in every VRF that is only a client of central servers.

• Configure the central services import and export route targets in VRFs that participate in the central services VPN.

Configuring VRFs in a Central Services VPN and Simple VPN

Summary

• A central services VPN is used to provide access from centralized servers to one or more customers.

• A central services VPN routing model indicates these requirements:

– Client routes need to be exported to the server site.

– Service routes need to be exported to client and server sites.

– No routes are exchanged between client sites.

• The data flow in a central services VPN model indicates these requirements:

– Client VRFs contain server routes and do not contain routes from other clients.

– Server VRFs contain client routes.

• Some of the requirements to configure a central services VPN are these:

– Use a separate VRF for each client.

– Use a unique RD on each client site.

– Use a unique RD in each set of server sites.

– Use import and export RT matching between server and client sites.

Summary (Cont.)

• The hybrid of a simple VPN and a central VPN provides the following:

– Customers have intra-VPN access, including their central site.

– The central sites of each customer can access centralized servers available to multiple customers.

• Intra-VPN customer sites can share the same RD. The central site of a customer and shared centralized servers require a unique RD.

• The import-export RT must match from respective customer intra-VPN sites to a central site. A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.
