Complex MPLS VPNs Introducing Central Services VPNs 2006

Complex MPLS VPNs: Introducing Central Services VPNs
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—6-1

Outline
• Overview
• What Are the Access Characteristics of a Central Services VPN?
• What Are the Routing Characteristics of a Central Services VPN?
• Identifying the Central Services VPN Data Flow Model
• Configuring a Central Services VPN
• Integrating a Central Services VPN with a Simple VPN
• Identifying the RD Requirements When Integrating Central Services and Simple VPNs
• Identifying the RT Requirements When Integrating Central Services and Simple VPNs
• Summary

Central Services VPN
• Clients need access to central servers.
• Servers can communicate with each other.
• Clients can communicate with all servers but not with each other.

Central Services VPN Routing
• Client routes need to be exported to the server site.
• Server routes need to be exported to client and server sites.
• No routes are exchanged between client sites.

Central Services VPN Data Flow Model
• Client VRFs contain server routes; clients can talk to servers.
• Server VRFs contain client routes; servers can talk to clients.
• Client VRFs do not contain routes from other clients; clients cannot communicate.
• Make sure that there is no client-to-client leakage across server sites.

Steps for Configuring a Central Services VPN
Client sites:
• Use a separate VRF per client site.
• Use a unique RD on each client site.
• Import and export routes with an RT that has the same value as the RD for each client site (VPN of client).
• Export routes with an RT (clients-to-server) associated with the server site.
• Import routes with the RT (server-to-clients) into client VRFs.

Steps for Configuring a Central Services VPN (Cont.)
Server sites:
• Use one VRF for each service type.
• Use a unique RD on each service type.
• Import and export routes with an RT that has the same value as the RD for each server site (VPN of server).
• Export server site routes with an RT (server-to-clients).
• Import routes with the RT (clients-to-server) into the server VRFs.
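The two step lists above can be turned into concrete VRF definitions mechanically. The following is an added example (not from the Cisco course material): it derives RD and route-target values for each client site and each service type by the rules on the slides, renders them as classic Cisco IOS `ip vrf` stanzas, and checks the two properties the steps require (every RD unique, and each VRF's "VPN of site" RT equal to its RD). The ASN 65000, the numbering bases and the RT values 1000 (clients-to-server) and 2000 (server-to-clients) are constructed for the example.

```python
"""Added example: derive VRF names, RDs and route targets for a central
services VPN from the slide's rules and render them as Cisco IOS config.
The ASN, numbering scheme and the two shared RT values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: list = field(default_factory=list)
    import_rts: list = field(default_factory=list)


def central_services_vrfs(asn, clients, service_types,
                          clients_to_server=1000, server_to_clients=2000,
                          client_base=100, server_base=200):
    """Apply the slide's rules.
    Client site:  own VRF and unique RD; RT == RD for the client's own VPN;
                  export clients-to-server, import server-to-clients.
    Service type: one VRF per service type with a unique RD; RT == RD;
                  export server-to-clients, import clients-to-server."""
    c2s = f"{asn}:{clients_to_server}"   # constructed shared RT value
    s2c = f"{asn}:{server_to_clients}"   # constructed shared RT value
    vrfs = []
    for i, name in enumerate(clients, start=1):
        own = f"{asn}:{client_base + i}"  # the RD, reused as the site's own RT
        vrfs.append(Vrf(name, own, export_rts=[own, c2s], import_rts=[own, s2c]))
    for i, name in enumerate(service_types, start=1):
        own = f"{asn}:{server_base + i}"
        vrfs.append(Vrf(name, own, export_rts=[own, s2c], import_rts=[own, c2s]))
    return vrfs


def render_ios(vrf):
    """Classic IOS 'ip vrf' syntax; newer releases use 'vrf definition' with
    address families, but the rd / route-target commands are the same."""
    lines = [f"ip vrf {vrf.name}", f" rd {vrf.rd}"]
    lines += [f" route-target export {rt}" for rt in vrf.export_rts]
    lines += [f" route-target import {rt}" for rt in vrf.import_rts]
    return "\n".join(lines)


def rd_unique(vrfs):
    """Slide rule: every client site and every service type has its own RD."""
    rds = [v.rd for v in vrfs]
    return len(rds) == len(set(rds))


def own_rt_matches_rd(vrfs):
    """Slide rule: the 'VPN of site' RT equals the RD and is both imported
    and exported by that VRF."""
    return all(v.rd in v.import_rts and v.rd in v.export_rts for v in vrfs)


if __name__ == "__main__":
    # Constructed sample: two client sites and two service types on one PE.
    sample = central_services_vrfs(65000, ["ClientA", "ClientB"], ["DNS", "Mail"])
    for v in sample:
        print(render_ios(v))
        print("!")
    print("RDs unique:", rd_unique(sample), "| RT == RD:", own_rt_matches_rd(sample))
```

Each stanza still has to be bound to the customer-facing interface with `ip vrf forwarding <name>`, which the example does not emit; the point of the block is that the RT layout (own RT equal to the RD, plus exactly one shared RT in each direction) falls out of the rules without any per-site hand-tuning.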

Configuring a Central Services VPN
(Configuration example slide; only the title survived in this copy.)

Central Services VPN and Simple VPN Requirements
• Customers run a simple VPN:
 ─ All A-Spoke sites in A-VPN
 ─ All B-Spoke sites in B-VPN
• Only A-Central and B-Central need access to central servers.
• This situation results in a combination of rules from the overlapping VPN and the central services VPN.

Central Services VPN and Simple VPN Requirements (Cont.)
• For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
• For sites that are only clients of central servers, create a VRF per site.
• Create one VRF for central servers per PE router.

Configuring RDs in a Central Services VPN and Simple VPN
• Configure a unique RD for every set of VRFs with unique membership requirements:
 – A-Spoke-1 and A-Spoke-2 can share the same RD.
 – B-Spoke-1 and B-Spoke-2 can share the same RD.
 – A-Central needs a unique RD.
 – B-Central needs a unique RD.
• Configure one RD for all central server VRFs.

Configuring RTs in a Central Services VPN and Simple VPN
• Configure the customer VPN import-export route target in all VRFs participating in the customer VPN.
• Configure a unique import-export route target in every VRF that is only a client of central servers.
• Configure the central services import and export route targets in VRFs that participate in the central services VPN.
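The RD and RT rules on the last two slides, together with the "no client-to-client leakage across server sites" requirement from the data flow slide, are easy to state and easy to get wrong. The following added example (not part of the Cisco course) is a small model of MP-BGP route-target import and export: it builds the A-Spoke / A-Central / B-Spoke / B-Central / Servers topology with the RD and RT assignments the slides prescribe, propagates routes, and verifies the intended reachability. It also models the failure the data flow slide warns about: a server site that re-advertises the client routes it learned as if they were its own, which lets two customers' central sites see each other. The ASN, prefixes and RT values are constructed.

```python
"""Added example: route-target import/export model for the hybrid simple VPN
plus central services VPN. Prefixes, ASN and RT values are constructed."""
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str
    local: set          # prefixes connected at this site (constructed)
    import_rts: set
    export_rts: set
    # Misconfiguration model: the server site re-advertises routes learned over
    # the VPN as if they were local, so they pick up the server export RTs.
    reoriginate_learned: bool = False


def propagate(vrfs):
    """Return {vrf name: set of prefixes in that VRF's routing table}."""
    def imported(v, adverts):
        return {p for p, rts in adverts if rts & v.import_rts}

    adverts = [(p, v.export_rts) for v in vrfs for p in v.local]
    tables = {v.name: v.local | imported(v, adverts) for v in vrfs}
    # Second round: re-originated routes carry the re-originating VRF's RTs.
    leaked = [(p, v.export_rts) for v in vrfs if v.reoriginate_learned
              for p in tables[v.name] - v.local]
    for v in vrfs:
        tables[v.name] |= imported(v, leaked)
    return tables


def can_reach(vrfs, tables, src, dst):
    """True if src holds a route to at least one prefix connected at dst."""
    by_name = {v.name: v for v in vrfs}
    return bool(by_name[dst].local & tables[src])


def rd_rule_ok(vrfs):
    """Slide rule: VRFs with different membership (import sets) need different
    RDs; VRFs with identical membership may share one."""
    rd_to_imports = {}
    for v in vrfs:
        seen = rd_to_imports.setdefault(v.rd, frozenset(v.import_rts))
        if seen != frozenset(v.import_rts):
            return False
    return True


def hybrid_topology(leaky_server=False, asn="65000"):
    a, b = f"{asn}:1", f"{asn}:2"          # customer VPN RTs, also the spokes' RD
    a_c, b_c = f"{asn}:11", f"{asn}:12"    # unique RDs for the central sites
    srv = f"{asn}:100"                     # one RD for all central server VRFs
    c2s, s2c = f"{asn}:1000", f"{asn}:2000"  # clients-to-server / server-to-clients
    return [
        Vrf("A-Spoke-1", a,   {"10.1.1.0/24"}, {a}, {a}),
        Vrf("A-Spoke-2", a,   {"10.1.2.0/24"}, {a}, {a}),
        Vrf("A-Central", a_c, {"10.1.0.0/24"}, {a, s2c}, {a, c2s}),
        Vrf("B-Spoke-1", b,   {"10.2.1.0/24"}, {b}, {b}),
        Vrf("B-Spoke-2", b,   {"10.2.2.0/24"}, {b}, {b}),
        Vrf("B-Central", b_c, {"10.2.0.0/24"}, {b, s2c}, {b, c2s}),
        Vrf("Servers",   srv, {"192.0.2.0/24"}, {srv, c2s}, {srv, s2c},
            reoriginate_learned=leaky_server),
    ]


def leaks(vrfs, clients_to_server_rt):
    """Pairs of central-services clients that can reach each other; expected empty."""
    tables = propagate(vrfs)
    clients = [v.name for v in vrfs if clients_to_server_rt in v.export_rts
               and clients_to_server_rt not in v.import_rts]
    return sorted((s, d) for s in clients for d in clients
                  if s != d and can_reach(vrfs, tables, s, d))


if __name__ == "__main__":
    good = hybrid_topology()
    print("RD rule holds:", rd_rule_ok(good))
    print("leaks, correct server site:", leaks(good, "65000:1000"))
    print("leaks, re-originating server site:",
          leaks(hybrid_topology(leaky_server=True), "65000:1000"))
```

The model deliberately ignores RDs when propagating routes: an RD only makes otherwise identical prefixes distinct in MP-BGP, so the reachability outcome is decided entirely by RT matching, and `rd_rule_ok` checks the RD rule separately. Running the block shows an empty leak list for the correct topology and the pair A-Central/B-Central once the server site re-originates learned routes, which is the "leakage across server sites" case the data flow slide tells you to rule out.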

Configuring VRFs in a Central Services VPN and Simple VPN
(Configuration example slide; only the title survived in this copy.)

Summary
• A central services VPN is used to provide access from centralized servers to one or more customers.
• A central services VPN routing model indicates these requirements:
 – Client routes need to be exported to the server site.
 – Service routes need to be exported to client and server sites.
 – No routes are exchanged between client sites.
• The data flow in a central services VPN model indicates these requirements:
 – Client VRFs contain server routes and do not contain routes from other clients.
 – Server VRFs contain client routes.
• Some of the requirements to configure a central services VPN are these:
 – Use a separate VRF for each client.
 – Use a unique RD on each client site.
 – Use a unique RD in each set of server sites.
 – Use import and export RT matching between server and client sites.

Summary (Cont.)
• The hybrid of a simple VPN and a central VPN provides the following:
 – Customers have intra-VPN access, including their central site.
 – The central sites of each customer can access centralized servers available to multiple customers.
• Intra-VPN customer sites can share the same RD. The central site of a customer and shared centralized servers require a unique RD.
• The import-export RT must match from the respective customer intra-VPN sites to a central site. A different import-export RT set must match from the central site of the respective customers to the shared centralized server site.
