
Integrating Internet Access with MPLS VPNs
Introducing Internet Access Models with MPLS VPNs
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—7-1

Outline
• Overview
• Customer Internet Connectivity Scenarios
• Internet Design Models for Service Providers
• Internet Access Through Global Routing
• Internet Access as a Separate VPN
• Disadvantages of Providing Internet Access Through Route Leaking
• Summary

Classical Internet Access
• Customer connects to the Internet through a central site firewall.
  – Firewall provides NAT or proxy services as needed.
• Since all Internet traffic goes across the central site, flow to the Internet is not optimal.

Multisite Internet Access
• Customers have Internet access directly from every site.
• There is optimum traffic flow to and from Internet sites.
• Each site has to be secured against unauthorized Internet access.

Wholesale Internet Access
• Customers choose an ISP and get address space from that ISP.
• The wholesale Internet access provider may have to use a different address pool for every upstream service provider.

Service Provider Shared Backbone

Major Design Models
Two major design models:
• Internet access separate from VPN services
• Internet access as a separate VPN

Internet Access Through Global Routing
• Implementation via separate interfaces that are not placed in any VRF, via either:
  – Static default routing on a PE
  – BGP between CE and PE
• Benefits:
  – Well-known setup; equivalent to classical Internet service
  – Easy to implement; offers a wide range of design options
• Drawback:
  – Requires separate physical links or a WAN encapsulation that supports subinterfaces

Internet Access Through a Separate VPN Service
• Implementation through a separate VPN
• Benefit:
  – The provider backbone is isolated from the Internet; increased security is realized.
• Drawback:
  – All Internet routes are carried as VPN routes; full Internet routing cannot be implemented because of scalability problems.

Internet Access Through Route Leaking
• Implementation through the corporate VPN
• Benefit:
  – Does not use a separate connection for Internet traffic
• Drawbacks:
  – Insecure because Internet traffic is mingled with corporate traffic in the VPN
  – Harder to apply security policies on mingled traffic
  – Cannot implement full Internet routing because of scalability problems
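The three models on the preceding slides (global routing, separate Internet VPN, route leaking), shown as PE configuration in Cisco IOS syntax. This is an added illustration, not configuration from the course or from Cisco; the VRF names, VLAN IDs, AS number 65000 and the RFC 5737 documentation addresses are assumed, and the three parts are alternatives that would not coexist on one PE.

```cisco
! Added illustration of the three access models (assumed names and addresses).
!
! --- Model 1: Internet access through global routing ----------------------
! The customer's VPN subinterface sits in VRF CUST_A; a second subinterface
! toward the same CE is left out of any VRF, so it uses the global table.
! This is why a WAN encapsulation with subinterfaces (802.1Q here) is needed.
ip vrf CUST_A
 rd 65000:100
 route-target both 65000:100
!
interface GigabitEthernet0/0.10
 description CUST_A VPN traffic (inside VRF CUST_A)
 encapsulation dot1Q 10
 ip vrf forwarding CUST_A
 ip address 10.0.10.1 255.255.255.252
!
interface GigabitEthernet0/0.20
 description CUST_A Internet traffic (global routing table, no VRF)
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.252
!
! Static route for the customer's public prefix in the global table;
! the CE points its default route at 192.0.2.1 over this subinterface.
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! --- Model 2: Internet access as a separate VPN ----------------------------
! Internet traffic never enters the global table or the corporate VRF.
! Only a default route is carried in VRF INTERNET; carrying the full
! Internet table as VPN routes would not scale, as the slide notes.
ip vrf INTERNET
 rd 65000:999
 route-target both 65000:999
!
interface GigabitEthernet0/1
 description Link to Internet gateway, placed in VRF INTERNET
 ip vrf forwarding INTERNET
 ip address 203.0.113.1 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 203.0.113.2
!
! --- Model 3: route leaking (the slides mark this NOT recommended) ---------
! A default route inside the corporate VRF resolved in the global table,
! plus a global route back through the VRF subinterface. Internet and
! corporate traffic now share VRF CUST_A, which is the isolation loss the
! slide describes; the pair of lines is what to look for in a config review.
ip route vrf CUST_A 0.0.0.0 0.0.0.0 192.0.2.254 global
ip route 198.51.100.0 255.255.255.0 GigabitEthernet0/0.10 10.0.10.2
```

In Model 1 and Model 2 the corporate VRF never carries a route toward the Internet, which is the property the summary slide relies on when it calls those two designs recommended.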

Summary
• Classical Internet access connects through a central firewall. You can use a centralized ISP-managed firewall service.
• Multisite Internet access connects the firewall of every site. You can use a centralized ISP-managed firewall service.
• Wholesale Internet access service offers connectivity to multiple ISPs.

Summary (Cont.)
• There are two recommended service provider designs for combining Internet access with MPLS VPN services:
  – Global routing (Internet access not from a VPN), which uses separate interfaces that are not placed in any VRF
  – Internet services as a separate VPN, which allows the service provider to separate backbone and Internet traffic
• Route leaking is insecure and not recommended because this approach negates the isolation of the corporate VPN.
