On (2012-03-07 07:07 +0000), Leigh Porter wrote:
> What's the nicest way of allowing the ops servers all talk to each VPN instance? At the moment I just use pretty normal L3VPN techniques so that every VPN sees routes tagged with the ops VPN target community and so that the ops VPN sees all the other VPN routes but the division between VPNs is maintained.
You might want to peek at the MPLS VPN Security book by Behringer for some ideas[0]. But personally I'd do it by having an RT for MGMT servers and a different RT for addresses needing centralized MGMT. So two special-use RTs.

The NMS network would export routes with this RT:Servers (only the servers actually poking the VPN network, not everything), and the customer VRFs would import this RT:Servers. The customer VRFs would export (only the nodes actually needing NMS, not the whole network) routes with RT:CPEs, and the NMS network would import RT:CPEs.

One way to do the latter part is

JunOS:
  set routing-instance FOO rib FOO.inet.0 static route CPE/32 qualified-next-hop CPE interface xe-4/2/0.42 tag 2000
IOS:
  ip route vrf FOO CPE 255.255.255.255 ten4/2/0.42 CPE tag 2000

and have a policy which matches tag 2000 and adds RT:CPE.

Annoyingly in JunOS you cannot easily import more than one RT; I hope they'll fix it so that you can do IOS-style RT + policy imports. So in JunOS you almost certainly want a chained import policy like 'vrf-import [ VRFOO-IMPORT VRF-MGMT-IMPORT ]' where VRFOO-IMPORT is just 'from community VRFFOO; then default-action accept' and VRF-MGMT-IMPORT is 'from community RT:Servers; then default-action accept'.

[0] http://www.amazon.co.uk/MPLS-VPN-Security-Cisco-Press/dp/8177586998/ref=sr_1_1?ie=UTF8&qid=1331110165&sr=8-1
> Or, would it be nicer to have the firewall have a foot in each VPN, advertise routes to ops systems to each VPN instance and receive routes from all the other VPNs?
> -- Leigh
-- ++ytti
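A fuller Junos configuration of the two-RT scheme sketched above, added here as an illustration and not taken from the e-mail: customer VRF FOO imports its own RT plus RT:Servers through the chained vrf-import, and its vrf-export adds RT:CPEs only to the static routes tagged 2000. The RT values, the RT-FOO-AND-CPES community, the policy and term names, and the CPE address 192.0.2.1 are assumed.

```junos
policy-options {
    community RT-FOO members target:65000:100;
    community RT-SERVERS members target:65000:9001;
    community RT-CPES members target:65000:9002;
    /* defined once so a single community action can add both RTs to the CPE routes */
    community RT-FOO-AND-CPES members [ target:65000:100 target:65000:9002 ];
    /* Import chain for FOO, evaluated in order; a route matching neither policy
       falls off the end of the chain and is rejected (vrf-import default). */
    policy-statement VRFFOO-IMPORT {
        term own-rt {
            from community RT-FOO;
            then accept;
        }
    }
    policy-statement VRF-MGMT-IMPORT {
        term nms-servers {
            from community RT-SERVERS;
            then accept;
        }
    }
    /* Export for FOO: only statics tagged 2000 (the CPE /32s) also carry RT:CPEs */
    policy-statement VRFFOO-EXPORT {
        term cpe-to-nms {
            from { protocol static; tag 2000; }
            then { community add RT-FOO-AND-CPES; accept; }
        }
        term everything-else {
            then { community add RT-FOO; accept; }
        }
    }
}
routing-instances {
    FOO {
        instance-type vrf;
        interface xe-4/2/0.42;
        route-distinguisher 65000:100;
        vrf-import [ VRFFOO-IMPORT VRF-MGMT-IMPORT ];
        vrf-export VRFFOO-EXPORT;
        routing-options {
            static {
                /* CPE 192.0.2.1 (constructed address); the tag is what marks it for RT:CPEs */
                route 192.0.2.1/32 {
                    qualified-next-hop 192.0.2.1 { interface xe-4/2/0.42; }
                    tag 2000;
                }
            }
        }
    }
}
```

The NMS VRF is the mirror image (vrf-import matching RT-CPES, vrf-export adding RT-SERVERS to the poller hosts only), so customer VRFs never import each other's RT and the NMS side sees nothing beyond the tagged CPE routes.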