
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.26-1 Complex MPLS VPNs Introducing Central Services VPNs


Slide 2
Outline
  • Overview
  • What Are the Access Characteristics of a Central Services VPN?
  • What Are the Routing Characteristics of a Central Services VPN?
  • Identifying the Central Services VPN Data Flow Model
  • Configuring a Central Services VPN
  • Integrating a Central Services VPN with a Simple VPN
  • Identifying the RD Requirements When Integrating Central Services and Simple VPNs
  • Identifying the RT Requirements When Integrating Central Services and Simple VPN
  • Summary

Slide 3
Central Services VPN
  • Clients need access to central servers.
  • Servers can communicate with each other.
  • Clients can communicate with all servers but not with each other.

Slide 4
Central Services VPN Routing
  • Client routes need to be exported to the server site.
  • Server routes need to be exported to client and server sites.
  • No routes are exchanged between client sites.

Slide 5
Central Services VPN Data Flow Model
  • Client VRFs contain server routes; clients can talk to servers.
  • Server VRFs contain client routes; servers can talk to clients.
  • Client VRFs do not contain routes from other clients; clients cannot communicate.
  • Make sure that there is no client-to-client leakage across server sites.

Slide 6
Steps for Configuring a Central Services VPN
Client sites:
  • Use a separate VRF per client site.
  • Use a unique RD on each client site.
  • Import and export routes with an RT that is the same value as the RD for each client site (VPN of client).
  • Export routes with an RT (clients-to-server) associated with the server site.
  • Import routes with the RT (server-to-clients) into client VRFs.

Slide 7
Steps for Configuring a Central Services VPN (Cont.)
Server sites:
  • Use one VRF for each service type.
  • Use a unique RD on each service type.
  • Import and export routes with an RT that is the same value as the RD for each server site (VPN of server).
  • Export server site routes with an RT (server-to-client).
  • Import routes with the RT (clients-to-server) into the server VRFs.

Slide 8
Configuring a Central Services VPN

Slide 9
Central Services VPN and Simple VPN Requirements
  • Customers run a simple VPN:
      • All A-Spoke sites in A-VPN
      • All B-Spoke sites in B-VPN
  • Only A-Central and B-Central need access to central servers.
  • This situation results in a combination of rules from the overlapping VPN and central services VPN.

Slide 10
Central Services VPN and Simple VPN Requirements (Cont.)
  • For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
  • For sites that are only clients of central servers, create a VRF per site.
  • Create one VRF for central servers per PE router.

Slide 11
Configuring RDs in a Central Services VPN and Simple VPN
  • Configure a unique RD for every set of VRFs with unique membership requirements:
      • A-Spoke-1 and A-Spoke-2 can share the same RD.
      • B-Spoke-1 and B-Spoke-2 can share the same RD.
      • A-Central needs a unique RD.
      • B-Central needs a unique RD.
  • Configure one RD for all central server VRFs.

Slide 12
Configuring RTs in a Central Services VPN and Simple VPN
  • Configure the customer VPN import-export route target in all VRFs participating in customer VPN.
  • Configure a unique import-export route target in every VRF that is only a client of central servers.
  • Configure the central services import and export route targets in VRFs that participate in central services VPN.

Slide 13
Configuring VRFs in a Central Services VPN and Simple VPN

Slide 14
Summary
  • A central services VPN is used to provide access from centralized servers to one or more customers.
  • A central services VPN routing model indicates these requirements:
      • Client routes need to be exported to the server site.
      • Service routes need to be exported to client and server sites.
      • No routes are exchanged between client sites.
  • The data flow in a central services VPN model indicates these requirements:
      • Client VRFs contain server routes and do not contain routes from other clients.
      • Server VRFs contain client routes.
  • Some of the requirements to configure a central services VPN are these:
      • Use a separate VRF for each client.
      • Use a unique RD on each client site.
      • Use a unique RD in each set of server sites.
      • Use import and export RT matching between server and client sites.

Slide 15
Summary (Cont.)
  • The hybrid of a simple VPN and a central VPN provides the following:
      • Customers have intra-VPN access, including their central site.
      • The central sites of each customer can access centralized servers available to multiple customers.
  • Intra-VPN customer sites can share the same RD.
  • The central site of a customer and shared centralized servers require a unique RD.
  • The import-export RT must match from respective customer intra-VPN sites to a central site.
  • A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.
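
Added example (not part of the Cisco course material): a Python check that parses an IOS-style VRF configuration built from the client-site and server-site steps above and reports any client VRF that would import another client's routes. The VRF names, AS number 65000 and all RD/RT values are constructed for illustration; the check covers route-target import/export policy only, not traffic relayed through a server site.

```python
import re
from itertools import permutations

# Constructed IOS-style config; VRF names, RDs and RTs are illustrative only.
# 65000:1000 = server-to-clients RT, 65000:1001 = clients-to-server RT.
GOOD = """
ip vrf Client-1
 rd 65000:101
 route-target both 65000:101
 route-target export 65000:1001
 route-target import 65000:1000
ip vrf Client-2
 rd 65000:102
 route-target both 65000:102
 route-target export 65000:1001
 route-target import 65000:1000
ip vrf Server
 rd 65000:100
 route-target both 65000:100
 route-target export 65000:1000
 route-target import 65000:1001
"""
# Misconfiguration: Client-2 also imports the clients-to-server RT by mistake.
BAD = GOOD.replace("ip vrf Server", " route-target import 65000:1001\nip vrf Server")

def parse_vrfs(text):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif current is not None and (
                m := re.fullmatch(r"route-target (both|import|export) (\S+)", line)):
            kind, rt = m.groups()
            for direction in ("import", "export"):
                if kind in (direction, "both"):
                    current[direction].add(rt)
    return vrfs

def client_leaks(vrfs, clients):
    """Pairs (src, dst) of client VRFs where dst imports an RT that src exports."""
    return sorted((src, dst) for src, dst in permutations(clients, 2)
                  if vrfs[src]["export"] & vrfs[dst]["import"])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, client_leaks(parse_vrfs(cfg), ["Client-1", "Client-2"]))
```

In the misconfigured variant, Client-2 receives Client-1's routes because both the export on Client-1 and the stray import on Client-2 carry the clients-to-server RT, which only server VRFs should import.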