The MPLS-OPS Archive

Re: Fwd: FW: How to Differentiate Traffic ?
Hi Robert,

I agree with you on the security issues involved in this. We will try to convince the customer to go for a separate physical link for non-VPN access. But due to cost constraints, availability of resources and, most of all, since technically it is possible, customers might force us to give global access and VPN access on the same physical link. They might use an ACL to secure the VPN from the global network at the merging point. But as you mentioned in your reply, to quote:

--- pls see my reply above + also take a look at other ways of providing internet access for VPN customers ---

I would like to know about the other alternatives for providing this kind of internet access. I would appreciate it if you can send me some links or docs that can help.

Thanks,
Kishor

Robert Raszuk <raszuk@cisco.com>:

> Chris,
>
> Let's come back to my original reply:
>
> > > In this situation, customer is using MPLS VPN for his VPN requirements.
> > > But some of his traffic has to come out onto the Provider network, say for
> > > accessing server located on Service provider's backbone.
> >
> > The simplest way to separate the traffic whose destination is provider's
> > global table, at least from the forwarding perspective, is to build a GRE
> > tunnel on the PE-CE int and therefore have an additional logical
> > subinterface into your PE.
>
> Fundamentally allowing VPN users access any service on your global net
> kills one big advantage of VPNs which is ability to use private address
> space by their sites. Also you realize that it opens up their sites to
> all possible attacks when you are also providing an Internet access in
> the global space.
>
> Usually this is not a problem for any VPN customer as they can get to
> your global services via their Internet access connection. Now the
> bottom line is how to provide secure internet access for VPN customers
> pls see my reply above + also take a look at other ways of providing
> internet access for VPN customers.
>
> R.
> "Chris C.," wrote:
> > Robert,
> >
> > Let me clarify a little. This is for a service provider's network. Let me
> > make some comments below:
> >
> > > > 1. You have a CPE that does not support this? Like a DSL Bridge as an
> > > > example.
> > >
> > > I am surprised that you would connect DSL bridge directly into the PE.
> > > Usually it goes to NAS then via some L2 encapsulation (for example l2tp)
> > > to PEs.
> >
> > Chris>> Need cheap CPE devices. The above was just one example. DSL bridge
> > through a DSLAM using a Bridge Group at the PE with DHCP for IP addressing
> > so that telecommuters for an enterprise can get the same IP address whether
> > they are at work or at home or a SOHO office. I.e.: the DHCP server for that
> > particular user is the actual enterprise's server.
> >
> > > > 2. You do not have a CPE. EG: Ethernet port off an L2 LAN switch in an MTU
> > > > model.
> > >
> > > Well most ethernet switches support VLANs. That's all you need.
> > > Also linux supports both GRE and vlans so you can easily use this as a
> > > solution as well.
> >
> > Chris>> Does not seem practical. Are you saying put a LINUX WS at each site?
> > That eliminates the cost advantage of using Ethernet then doesn't it?? Also
> > in the VLAN scenario would that not mean the client's Internet traffic could
> > route back to the VPN path? (Note: If the client did nothing about it and
> > was outsourcing the service to us the SP)
>
> -------
> The MPLS-OPS Mailing List
> Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
> -------------------------------------------------
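Editor's note (not part of the thread): the design Kishor describes, VPN and global access on one physical PE-CE link with an ACL "at the merging point", and the VLAN approach Robert mentions, come down to one logical subinterface per table on the PE. The fragment below is an added, illustrative Cisco IOS PE configuration written for this archive page, not configuration posted by any participant. The VRF name, RD/RT values, interface, VLAN IDs and addresses are all assumptions; it assumes the CE trunks two 802.1Q VLANs to the PE, keeps its VPN and Internet routing apart, and NATs its Internet-bound traffic to its public WAN address (192.0.2.2). Robert's GRE suggestion is the same idea with a tunnel interface in place of the second dot1Q subinterface.

```cisco
! VRF for the customer's MPLS VPN (name and RD/RT are assumed values)
ip vrf CUST_A
 rd 65000:100
 route-target both 65000:100
!
! One physical PE-CE link; the CE (or the MTU's L2 switch) trunks two VLANs
interface FastEthernet0/0
 description PE-CE trunk to CUST_A (VLAN 10 = VPN, VLAN 20 = Internet)
 no ip address
!
! VLAN 10: VPN access. Placed in the VRF, so the customer's private
! addressing is only ever routed inside the VPN.
interface FastEthernet0/0.10
 description CUST_A VPN (VRF CUST_A)
 encapsulation dot1Q 10
 ip vrf forwarding CUST_A
 ip address 10.1.1.1 255.255.255.252
!
! VLAN 20: global/Internet access in the global table, public /30.
! This is the merging point: filter both directions here so nothing from
! the VPN side is injected into the global table and nothing from the
! Internet can be steered back towards the VPN subinterface.
! (strict uRPF needs CEF enabled on the PE)
interface FastEthernet0/0.20
 description CUST_A Internet access (global table)
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.252
 ip access-group CUST_A_GLOBAL_IN in
 ip access-group CUST_A_GLOBAL_OUT out
 ip verify unicast source reachable-via rx
!
! Inbound from the CE on the global VLAN: only the CE's public WAN
! address may source packets (assumes NAT at the CE; otherwise permit the
! customer's assigned public prefix), and RFC 1918 space is never
! accepted as a destination.
ip access-list extended CUST_A_GLOBAL_IN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 192.0.2.2 any
 deny   ip any any log
!
! Outbound towards the CE on the global VLAN: never deliver packets
! sourced from private space (on this interface that could only be VPN
! traffic leaking across), and only to the CE's public address.
ip access-list extended CUST_A_GLOBAL_OUT
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any host 192.0.2.2
 deny   ip any any log
```

Two caveats a practitioner would check. First, the ACLs are only a backstop: the real separation is that subinterface .10 is in the VRF and .20 is not, so a packet on VLAN 20 can never be looked up in the VPN's table no matter what the CE sends. Second, this does nothing to address Robert's point: whatever the customer attaches to VLAN 20 is on the global network with a public address and is reachable from the Internet, so it needs the same hardening as any Internet-facing host; the VPN sites behind VLAN 10 keep their private addressing and stay unreachable from the global table.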