Questions for the community: from an Application Service Provider perspective - how / can one provide application access to a group of Enterprises where the ASP provider provides ASP-like applications to all Enterprise customers who have multiple locations and who may or may not have overlapping addresses? Each Enterprise is its own business and we cannot allow connectivity between each other. We've struggled internally with this. MPLS and using BGP communities seems to be the solution. But I am trying to understand / think through the configuration of it from a CE and PE side perspective. Lab configs to follow but here's what I'm thinking:
- From the CE side we could ask for 2 frame PVCs - each in its own VRF on the PE side. Call 1 VRF private and 2nd VRF public. In the Private VRF advertise all CE routes between customer A for example. Each CE customer would have their own VRF on the MPLS provider's network.
- From the CE, in the Public VRF advertise a network range we provide the clients and NAT traffic destined for the shared environment to the public range.
- On each CE router only permit route updates on the Public VRF for BGP communities that belong to that customer and our shared segments. Could also do this with just route filtering by ACL/prefix lists. On the Private VRF no need to filter incoming but filter outgoing to contain routing domain consistency (only send updates for CE networks).
- In the Public VRF from ASP side - advertise all shared services routes. Accept all updates on Public VRF. No access to Private VRFs here.
Thoughts? Thanks, Kenny
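The PE/CE split sketched in the post above, written out as an added Cisco IOS configuration example. This is constructed for this page; it is not Kenny's lab config, nor anything from the article Ivan links. Everything in it is assumed: AS 65000 for the MPLS provider and AS 65101 for customer A, the RD/RT values, DLCIs and interface names, and the RFC 5737 documentation prefixes (10.0.0.0/8 as the customer LAN space that may overlap between customers, 203.0.113.0/25 as customer A's provider-assigned NAT range, 203.0.113.128/25 as customer B's, 198.51.100.0/24 as the ASP shared-services range). The point it shows is where the isolation is enforced: route targets are BGP extended communities evaluated on the PE, so "which customer sees what" is decided by the provider and holds even if a customer rewrites its own CE filters. The CE-side prefix-lists and the NAT ACL are a second layer, not the only one.

```cisco
! ===== PE side (provider, AS 65000) - constructed example =====
! Customer A private VRF: its own RD, only A's own sites import/export it,
! so A and B can both use 10.0.0.0/8 without conflict.
ip vrf CUSTA-PRIV
 rd 65000:101
 route-target export 65000:101
 route-target import 65000:101
!
! Customer A public VRF: carries A's NAT range plus the shared-services routes.
! It imports the SHARED RT (65000:999) and never another customer's public RT.
ip vrf CUSTA-PUB
 rd 65000:201
 route-target export 65000:201
 route-target import 65000:201
 route-target import 65000:999
!
! Customer B public VRF (B's private VRF mirrors A's with RD/RT 65000:102).
ip vrf CUSTB-PUB
 rd 65000:202
 route-target export 65000:202
 route-target import 65000:202
 route-target import 65000:999
!
! ASP shared-services VRF: imports every customer's public RT, exports its own.
! Imported routes keep the RT they were originated with, so A's NAT range is
! never handed to B's VRF by way of SHARED. Public ranges must be unique.
ip vrf SHARED
 rd 65000:999
 route-target export 65000:999
 route-target import 65000:999
 route-target import 65000:201
 route-target import 65000:202
!
! Two Frame Relay PVCs from customer A's CE, one per VRF.
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.101 point-to-point
 description Customer A - private PVC
 ip vrf forwarding CUSTA-PRIV
 ip address 192.0.2.2 255.255.255.252
 frame-relay interface-dlci 101
interface Serial0/0.102 point-to-point
 description Customer A - public PVC
 ip vrf forwarding CUSTA-PUB
 ip address 192.0.2.6 255.255.255.252
 frame-relay interface-dlci 102
!
router bgp 65000
 address-family ipv4 vrf CUSTA-PRIV
  neighbor 192.0.2.1 remote-as 65101
  neighbor 192.0.2.1 activate
 address-family ipv4 vrf CUSTA-PUB
  neighbor 192.0.2.5 remote-as 65101
  neighbor 192.0.2.5 activate
  neighbor 192.0.2.5 prefix-list CUSTA-PUB-IN in
!
! The PE, not the CE, decides what A may inject into the public VRF.
ip prefix-list CUSTA-PUB-IN seq 5 permit 203.0.113.0/25
!
! ===== CE side (customer A site, AS 65101) - constructed example =====
interface GigabitEthernet0/0
 description site LAN; overlap with other customers is fine, it stays in CUSTA-PRIV
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.101 point-to-point
 description private PVC - to other customer A sites
 ip address 192.0.2.1 255.255.255.252
 frame-relay interface-dlci 101
interface Serial0/0.102 point-to-point
 description public PVC - to ASP shared services
 ip address 192.0.2.5 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 102
!
! Only traffic for the shared-services range is translated into A's public block.
ip access-list extended NAT-TO-SHARED
 permit ip 10.0.0.0 0.255.255.255 198.51.100.0 0.0.0.255
ip nat pool CUSTA-PUB-POOL 203.0.113.1 203.0.113.126 prefix-length 25
ip nat inside source list NAT-TO-SHARED pool CUSTA-PUB-POOL overload
! Pull-up route so BGP can originate the NAT block.
ip route 203.0.113.0 255.255.255.128 Null0
!
! Private PVC: send only this site's LANs. Public PVC: send only the NAT block,
! accept only the shared-services range.
router bgp 65101
 network 10.1.1.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.128
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 prefix-list SITE-LANS out
 neighbor 192.0.2.6 remote-as 65000
 neighbor 192.0.2.6 prefix-list NAT-RANGE out
 neighbor 192.0.2.6 prefix-list SHARED-ONLY in
!
ip prefix-list SITE-LANS seq 5 permit 10.1.1.0/24
ip prefix-list NAT-RANGE seq 5 permit 203.0.113.0/25
ip prefix-list SHARED-ONLY seq 5 permit 198.51.100.0/24
```

A quick check of the design against the two requirements in the post: overlapping customer addresses never appear in the same VRF (each private VRF has its own RD and only its own RT), and customer A can reach SHARED while SHARED's VRF table holds both customers' NAT ranges, yet CUSTA-PUB never imports 65000:202, so nothing of customer B is installed on A's side of the PE. The CE filters add nothing to that isolation; they keep a misconfigured site from advertising its private LANs over the public PVC or from accepting more than the shared range.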
This might give you some ideas (also solves the overlapping customer address problem): http://www.nil.com/ipcorner/FlexExtraImplement/
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
On Fri, Aug 28, 2009 at 11:52 AM, Ivan Pepelnjak <ip@ioshints.info> wrote:
This might give you some ideas (also solves the overlapping customer address problem):
http://www.nil.com/ipcorner/FlexExtraImplement/
Ivan
That looks very interesting. But it assumes we have a physical interface in the core for every remote customer, correct? I guess that can be accomplished via GRE tunnels over a provider's MPLS cloud. What about an MPLS provider being the transport where the exCore has a single interface to that provider? That's what I *think* we need to do and why I consider NAT and advertising of a public segment from each customer and using BGP communities to keep each customer from 'knowing' about each other. So in the core router(s) we'd only have unique IPs; each Customer could have a single MPLS drop that reaches our shared segments as well as their internal segments.
BTW - that was an awesome write up - thanks for sharing