The MPLS-OPS Archive

Re: Fwd: FW: How to Differentiate Traffic ?

Chris,

Let's come back to my original reply:

> > In this situation, customer is using MPLS VPN for his VPN requirements.
> > But some of his traffic has to come out onto the Provider network, say
> > for accessing server located on Service provider's backbone.
>
> The simplest way to separate the traffic which destination is provider's
> global table at least from the forwarding perspective is to build a GRE
> tunnel on the PE-CE int and therefore have additional logical
> subinterface into your PE.

Fundamentally, allowing VPN users access to any service on your global net kills one big advantage of VPNs, which is the ability to use private address space by their sites. Also you realize that it opens up their sites to all possible attacks when you are also providing an Internet access in the global space.

Usually this is not a problem for any VPN customer as they can get to your global services via their Internet access connection.

Now the bottom line is how to provide secure internet access for VPN customers; pls see my reply above + also take a look at other ways of providing internet access for VPN customers.

R.

> "Chris C.," wrote:
>
> Robert,
>
> Let me clarify a little. This is for a service provider's network. Let me
> make some comments below:
>
> > > 1. You have a CPE that does not support this? Like a DSL Bridge as an
> > > example.
> >
> > I am surprised that you would connect DSL bridge directly into the PE.
> > Usually it goes to NAS then via some L2 encapsulation (for example l2tp)
> > to PEs.
>
> Chris>> Need cheap CPE devices. The above was just one example. DSL bridge
> through a DSLAM using a Bridge Group at the PE with DHCP for IP Addressing
> so that telecommuters for an enterprise can get the same IP address whether
> they are at work or at home or a SOHO office. IE: The DHCP server for that
> particular user is the actual enterprise's Server
>
> > > 2. You do not have a CPE. EG: Ethernet port off a L2 LAN Switch in a MTU
> > > model.
> >
> > Well most ethernet switches support VLANs. That's all what you need.
> > Also linux supports both GRE and vlans so you can easily use this as
> > solution as well.
>
> Chris>> Does not seem practical. Are you saying put a LINUX WS at each site?
> That eliminates the cost advantage of using Ethernet then doesn't it?? Also
> in the VLAN scenario would that not mean the client's Internet traffic could
> route back to the VPN path? (Note: If the client did nothing about it and
> was outsourcing the service to us the SP)

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml