[117000] in North American Network Operators' Group
RE: MPLS Services
daemon@ATHENA.MIT.EDU (Ivan Pepelnjak)
Fri Aug 28 14:52:56 2009
From: "Ivan Pepelnjak" <ip@ioshints.info>
To: "'Kenny Sallee'" <kenny.sallee@gmail.com>,
<nanog@nanog.org>
Date: Fri, 28 Aug 2009 20:52:21 +0200
In-Reply-To: <4a80ecce0908280928i42af4129x7de956e3384ec185@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
This might give you some ideas (also solves the overlapping customer address
problem):
http://www.nil.com/ipcorner/FlexExtraImplement/
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/
> -----Original Message-----
> From: Kenny Sallee [mailto:kenny.sallee@gmail.com]
> Sent: Friday, August 28, 2009 6:28 PM
> To: nanog@nanog.org
> Subject: MPLS Services
>
> Questions for the community: from an Application Service
> Provider perspective - how / can one provide application
> access to a group of Enterprises where the ASP provider
> provides ASP like applications to all Enterprise customers
> who have multiple locations and who may or may not have
> overlapping addresses? Each Enterprise is its own business
> and we cannot allow connectivity between each other. We've
> struggled internally with this. MPLS and using BGP
> communities seems to be the solution. But I am trying to
> understand / think through the configuration of it from a CE
> and PE side perspective. Lab configs to follow but here's
> what I'm thinking:
>
> - From the CE side we could ask for 2 frame PVCs - each in
> its own VRF on the PE side. Call 1 VRF private and 2nd VRF
> public. In the Private VRF advertise all CE routes between
> customer A for example. Each CE customer would have their
> own VRF on the MPLS providers network.
>
> - From the CE, in Public VRF advertise a network range we
> provide the clients and NAT traffic destined for the shared
> environment to the public range
>
> - On each CE router only permit route updates on the Public
> VRF for BGP communities that belong to that customer and our
> shared segments. Could also do this with just route
> filtering by ACL/prefix lists. On the Private VRF no need to
> filter incoming but filter outgoing to contain routing domain
> consistency (only send updates for CE networks)
>
> - In the Public VRF from ASP side - advertise all shared
> services routes.
> Accept all updates on Public VRF. No access to Private VRFs here.
>
> Thoughts?
> Thanks,
> Kenny
>
>