nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: MPLS Services

From: "Ivan Pepelnjak" <ip () ioshints info>
Date: Fri, 28 Aug 2009 20:52:21 +0200
This might give you some ideas (also solves the overlapping customer address
problem):

http://www.nil.com/ipcorner/FlexExtraImplement/

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/ 


-----Original Message-----
From: Kenny Sallee [mailto:kenny.sallee () gmail com] 
Sent: Friday, August 28, 2009 6:28 PM
To: nanog () nanog org
Subject: MPLS Services

Questions for the community:  from a Application Service 
Provider perspective - how / can one provide application 
access to a group of Enterprises where the ASP provider 
provides ASP like applications to all Enterprise customers 
who have multiple locations and who may or may not have 
overlapping addresses?  Each Enterprise is it's own business 
and we cannot allow connectivity between each other We've 
struggled internally with this.  MPLS and using BGP 
communities seems to be the solution.  But I am trying to 
understand / think through the configuration of it from a CE 
and PE side perspective.  Lab configs to follow but here's 
what I'm thinking:

- From the CE side we could ask for 2 frame PVC's - each in 
it's own VRF on the PE side.  Call 1 VRF private and 2nd VRF 
public.  In the Private VRF advertise all CE routes between 
customer A for example.  Each CE customer would have their 
own VRF on the MPLS providers network.

-  From the CE, In Public VRF advertise a network range we 
provide the clients and NAT traffic destined for the shared 
environment to the public range

-  On each CE router only permit route updates on the Public 
VRF for BGP communities that belong to that customer and our 
shared segments.  Could also do this with just route 
filtering by ACL/prefix lists.  On the Private VRF no need to 
filter incoming but filter outgoing to contain routing domain 
consistency (only send updates for CE networks)

- In the Public VRF from ASP side  - advertise all shared 
services routes.
 Accept all updates on Public VRF.  No access to Private VRF's here.

Thoughts?
Thanks,
Kenny
Previous By Date Next
Previous By Thread Next

Current thread: