© 2006 Cisco Systems, Inc. All rights reserved. MPLS v
Complex MPLS VPNs
Introducing Central Services VPNs

Outline
Overview
What Are the Access Characteristics of a Central Services VPN?
What Are the Routing Characteristics of a Central Services VPN?
Identifying the Central Services VPN Data Flow Model
Configuring a Central Services VPN
Integrating a Central Services VPN with a Simple VPN
Identifying the RD Requirements When Integrating Central Services and Simple VPNs
Identifying the RT Requirements When Integrating Central Services and Simple VPN
Summary

Central Services VPN
Clients need access to central servers.
Servers can communicate with each other.
Clients can communicate with all servers but not with each other.

Central Services VPN Routing
Client routes need to be exported to the server site.
Server routes need to be exported to client and server sites.
No routes are exchanged between client sites.

Central Services VPN Data Flow Model
Client VRFs contain server routes; clients can talk to servers.
Server VRFs contain client routes; servers can talk to clients.
Client VRFs do not contain routes from other clients; clients cannot communicate.
Make sure that there is no client-to-client leakage across server sites.

Steps for Configuring a Central Services VPN
Client sites:
  – Use a separate VRF per client site.
  – Use a unique RD on each client site.
  – Import and export routes with an RT that is the same value as the RD for each client site (VPN of client).
  – Export routes with an RT (clients-to-server) associated with the server site.
  – Import routes with the RT (server-to-clients) into client VRFs.

Steps for Configuring a Central Services VPN (Cont.)
Server sites:
  – Use one VRF for each service type.
  – Use a unique RD on each service type.
  – Import and export routes with an RT that is the same value as the RD for each server site (VPN of server).
  – Export server site routes with an RT (server-to-client).
  – Import routes with the RT (clients-to-server) into the server VRFs.

Configuring a Central Services VPN
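
The RT plan from the client-site and server-site steps above, modeled as an added example (not part of the original course material): it computes which VRFs receive whose routes and flags client-to-client leakage and reused RDs. The AS number, RD and RT values, and VRF names are constructed for illustration.

```python
from dataclasses import dataclass

C2S, S2C = "65000:1001", "65000:1002"   # constructed clients-to-server / server-to-clients RTs

@dataclass(frozen=True)
class Vrf:
    name: str
    role: str              # "client" or "server"
    rd: str
    imports: frozenset     # route-target import
    exports: frozenset     # route-target export

def make_vrf(name, role, rd, extra_import, extra_export):
    # Per the steps above: each VRF imports and exports an RT equal to its own RD.
    return Vrf(name, role, rd, frozenset({rd, extra_import}), frozenset({rd, extra_export}))

def route_table(vrfs):
    """Map each VRF to the other VRFs whose routes it imports (shared RT)."""
    return {dst.name: {src.name for src in vrfs
                       if src is not dst and src.exports & dst.imports}
            for dst in vrfs}

def client_leaks(vrfs):
    """(importer, origin) pairs where a client VRF holds another client's routes."""
    role = {v.name: v.role for v in vrfs}
    return sorted((dst, src) for dst, srcs in route_table(vrfs).items()
                  for src in srcs if role[dst] == role[src] == "client")

def duplicate_rds(vrfs):
    """RDs used by more than one VRF; the steps require a unique RD per site."""
    rds = [v.rd for v in vrfs]
    return sorted({rd for rd in rds if rds.count(rd) > 1})

# Constructed sample: two client sites and one server VRF, configured per the steps.
GOOD = [
    make_vrf("Client-A", "client", "65000:101", S2C, C2S),
    make_vrf("Client-B", "client", "65000:102", S2C, C2S),
    make_vrf("Server", "server", "65000:201", C2S, S2C),
]
# Constructed mistake: Client-B also imports the clients-to-server RT.
BAD = GOOD[:1] + [Vrf("Client-B", "client", "65000:102",
                      frozenset({"65000:102", S2C, C2S}),
                      frozenset({"65000:102", C2S}))] + GOOD[2:]

if __name__ == "__main__":
    for label, vrfs in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, route_table(vrfs), "leaks:", client_leaks(vrfs),
              "duplicate RDs:", duplicate_rds(vrfs))
```

The model covers RT matching only; client routes that a server-site CE re-advertises are outside it and need a separate check.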

Central Services VPN and Simple VPN Requirements
Customers run a simple VPN:
  – All A-Spoke sites in A-VPN
  – All B-Spoke sites in B-VPN
Only A-Central and B-Central need access to central servers.
This situation results in a combination of rules from the overlapping VPN and central services VPN.

Central Services VPN and Simple VPN Requirements (Cont.)
For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
For sites that are only clients of central servers, create a VRF per site.
Create one VRF for central servers per PE router.

Configuring RDs in a Central Services VPN and Simple VPN
Configure a unique RD for every set of VRFs with unique membership requirements:
  – A-Spoke-1 and A-Spoke-2 can share the same RD.
  – B-Spoke-1 and B-Spoke-2 can share the same RD.
  – A-Central needs a unique RD.
  – B-Central needs a unique RD.
Configure one RD for all central server VRFs.

Configuring RTs in a Central Services VPN and Simple VPN
Configure the customer VPN import-export route target in all VRFs participating in customer VPN.
Configure a unique import-export route target in every VRF that is only a client of central servers.
Configure the central services import and export route targets in VRFs that participate in central services VPN.

Configuring VRFs in a Central Services VPN and Simple VPN

Summary
A central services VPN is used to provide access from centralized servers to one or more customers.
A central services VPN routing model indicates these requirements:
  – Client routes need to be exported to the server site.
  – Service routes need to be exported to client and server sites.
  – No routes are exchanged between client sites.
The data flow in a central services VPN model indicates these requirements:
  – Client VRFs contain server routes and do not contain routes from other clients.
  – Server VRFs contain client routes.
Some of the requirements to configure a central services VPN are these:
  – Use a separate VRF for each client.
  – Use a unique RD on each client site.
  – Use a unique RD in each set of server sites.
  – Use import and export RT matching between server and client sites.

Summary (Cont.)
The hybrid of a simple VPN and a central VPN provides the following:
  – Customers have intra-VPN access, including their central site.
  – The central sites of each customer can access centralized servers available to multiple customers.
Intra-VPN customer sites can share the same RD.
The central site of a customer and shared centralized servers require a unique RD.
The import-export RT must match from respective customer intra-VPN sites to a central site.
A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.