The MPLS-OPS Archive

RE: Re: Internet access
I have been researching this issue for quite a bit.

If you are OK with providing real IP addresses to every location of VPN customer (which is not the case with Tomasz), then the cheapest workable solution would be to make an Internet VPN and to play with BGP extended communities (rd export and import), to inject VPN route into Internet VPN and legal customers route into internet VPN.

I have done exactly that in the beginning. Then I figured that I want to provide choice of several ISPs for my VPN customers, and possibly security also. This brought me to the NAT gateway solution.

The ideal thing in this case is to have your internet gateway integrated into your MPLS cloud - this is what Cosine does (but for lots of $$), and this is what Cisco is going to do (not yet; it is announced but not implemented yet). Maybe several other vendors also. In Cisco's case, it is going to be a PE router, with multiple VRFs and NAT running for each of them.

If you also want to provide security service to your VPN customers, then (besides Cosine) Checkpoint VSX might be a good option. It runs virtual firewalls per customer VLAN. So you terminate your VRFs into VLANs, and run them into your VSX. Costs about 1.5K per vlan (options for 10, 25, 50 ...)

Cheers,
Yuly

-----Original Message-----
From: NOC Ops [mailto:theguber@hotmail.com]
Sent: Thursday, September 19, 2002 19:04
To: alok.dube@apara.com; ostaszewskit@wp.pl
Cc: Yuly Milner
Subject: Re: Re: [MPLS-OPS]: Internet access

I laugh when I see this since traditional routers always have an issue with it. Cosine does it very nicely. Look at the attached. Not overtly marketing Cosine here but with Virtual Routers it makes a nice clean solution of it and can be done network wide distributed.

>From: "alok" <alok.dube@apara.com>
>To: "Tomasz Ostaszewski" <ostaszewskit@wp.pl>
>CC: "Yuly Milner" <ymilner@unistars.lv>, < >
>Subject: Re: Re: [MPLS-OPS]: Internet access
>Date: Thu, 19 Sep 2002 17:25:36 +0530
>
>yes the same is possible
>
>look for a box which gives u this functionality :
>
>a huge NAT box.... interface to MPLS network.....
>
>the box support MPLS based VRFs or u can give the functionality of multiple GRE/VLAN tunnels on the MPLS side...
>
>the remote side to the internet needs to have an association
>
>VLAN-1/VPN-1(if ur box supports MPLS encap)/GRE-tunnel-1 which is coming from vrf -1 of customer -1 has NATed public ip -1
>
>vlan-2/VPN-2 (if ur box supports MPLS encap)/GRE-tunnel-2 which is coming from vrf-2 of customer-2 has NATed public ip -2
>
>and so on...
>
>the BOX is what connects to the internet and NAT's/PAT's each customer VRF... it can be done at a central site..no problems...
>
>-rgds
>Alok
>----- Original Message -----
>From: Tomasz Ostaszewski <ostaszewskit@wp.pl>
>To: alok <alok.dube@apara.com>
>Cc: Yuly Milner <ymilner@unistars.lv>; <mpls-ops@mplsrc.com>
>Sent: Thursday, September 19, 2002 3:07 PM
>Subject: Odp: Re: [MPLS-OPS]: Internet access
>
>Alok,
>
>I wonder about design of internet access from MPLS VPN. I want that only central site (hub) has registered IP address and I wonder if it is possible not to give registered segment between other PE-CE pairs (spokes).
>
>Tomasz
>
>On 19-09-2002 at 10:38, alok wrote:
> > does your "one site" already have a public ip?
> >
> > and you want to connect it out to public and figure out how to do it? or do u want to know how to give it a public ip?
> > -rgds
> > Alok
> > ----- Original Message -----
> > To: 'Tomasz Ostaszewski' <ostaszewskit@wp.pl>; <mpls-ops@mplsrc.com>
> > Sent: Thursday, September 19, 2002 12:36 PM
> > Subject: RE: [MPLS-OPS]: Internet access
> >
> > Only by using NAT gateway within this VPN
> >
> > -----Original Message-----
> > Sent: Thursday, September 19, 2002 00:59
> > To: mpls-ops@mplsrc.com
> > Subject: [MPLS-OPS]: Internet access
> >
> > Hi
> > Is it possible to create internet access within MPLS VPN through one central site without giving registered (internet) IP address to all other sites within this VPN but only to central one?
> >
> > Tomasz
> >
> > -------
> > The MPLS-OPS Mailing List
> > Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> > Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
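
Added example, not part of the original thread or any vendor's code: a small model of the central NAT/PAT gateway described in the quoted replies, where each customer VRF is associated with its own public IP. The class name `VrfNatGateway`, the VRF names and the 192.0.2.x / 10.0.0.x addresses are constructed for illustration; it shows why the translation key has to include the VRF when customers reuse the same private addresses.

```python
from dataclasses import dataclass, field


@dataclass
class VrfNatGateway:
    """Central NAT/PAT box holding one public IP per customer VRF (hypothetical model)."""
    public_ip_by_vrf: dict                       # VRF name -> NATed public IP
    first_port: int = 1024
    _out: dict = field(default_factory=dict)     # (vrf, ip, port) -> (public ip, port)
    _back: dict = field(default_factory=dict)    # (public ip, port) -> (vrf, ip, port)
    _next: dict = field(default_factory=dict)    # public ip -> next free source port

    def outbound(self, vrf, src_ip, src_port):
        """Translate a flow leaving a customer VRF toward the internet."""
        if vrf not in self.public_ip_by_vrf:
            raise KeyError(f"no NAT association for {vrf}")
        key = (vrf, src_ip, src_port)            # VRF is part of the key, not just the IP
        if key not in self._out:
            pub_ip = self.public_ip_by_vrf[vrf]
            port = self._next.get(pub_ip, self.first_port)
            if port > 65535:
                raise RuntimeError(f"PAT ports exhausted on {pub_ip}")
            self._next[pub_ip] = port + 1
            self._out[key] = (pub_ip, port)
            self._back[(pub_ip, port)] = key
        return self._out[key]

    def inbound(self, pub_ip, pub_port):
        """Return (vrf, private ip, port) for return traffic, or None to drop it."""
        return self._back.get((pub_ip, pub_port))


def demo():
    # Constructed sample: two customers reuse the same private address.
    gw = VrfNatGateway({"vrf-1": "192.0.2.1", "vrf-2": "192.0.2.2"})
    a = gw.outbound("vrf-1", "10.0.0.5", 40000)
    b = gw.outbound("vrf-2", "10.0.0.5", 40000)
    return a, b, gw.inbound(*a), gw.inbound(*b), gw.inbound("192.0.2.1", 2000)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Return traffic with no matching translation entry is dropped, so a flow can only reach the VRF that opened it.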