Internet Access in MPLS VPN scenario

Hi,
I have the topology CE8-PE2(AS 65001)-PE1(AS 65001)-ASBR1(AS1).
PE2 and PE1 are both in the same AS, and PE1 has eBGP with ASBR1; ASBR1 is my internet router.
I have VRF ce on router PE2 and have attached that VRF to the PE2 interface where CE8 is connected.
All the configs are in the attachment.
regards
Devang

Hi,
Some config is missing from the BGP VRF: you have not generated the VPNv4 routes for the VRF. Please add on PE2:
router bg 65001
address-family ipv4 vrf ce
red connected
red static
Can you post:
show ip route
show ip bgp
from both PE1 and PE2?
+ show ip bg vpn all from PE2 only
Thanks,
LR
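As an added example (not from the thread or from Cisco), a small Python audit that reads an IOS PE running-config and flags VRFs bound to an interface that never originate VPNv4 routes, which is exactly the gap LR spotted. The PE2 config is constructed: AS 65001 and VRF ce come from the question, the addresses and the iBGP neighbour are made up, and `audit_pe` and the helper names are my own.

```python
"""Audit an IOS PE running-config for VRFs that are bound to an interface but
never originate VPNv4 routes: no 'address-family ipv4 vrf <name>' under
'router bgp', or one with no redistribute/network/neighbor statement.
Added example for this thread; the PE2 config below is constructed (AS 65001
and VRF ce as in the question, addresses and the iBGP neighbour are made up)."""
import re


def parse_blocks(config):
    """Group a running-config into (top-level line, [indented sub-lines])."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def interface_vrfs(blocks):
    """{vrf: [interfaces]} from '[ip] vrf forwarding <vrf>' under interfaces."""
    vrfs = {}
    for header, body in blocks:
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"(?:ip )?vrf forwarding (\S+)", line)
                if m:
                    vrfs.setdefault(m.group(1), []).append(header.split()[1])
    return vrfs


def bgp_vrf_afs(blocks):
    """{vrf: [lines]} for each 'address-family ipv4 vrf <vrf>' under router bgp."""
    afs, current = {}, None
    for header, body in blocks:
        if not header.startswith("router bgp "):
            continue
        for line in body:
            m = re.match(r"address-family ipv4 vrf (\S+)", line)
            if m:
                current = m.group(1)
                afs[current] = []
            elif line.startswith(("address-family", "exit-address-family")):
                current = None  # another AF, or the end of this one
            elif current:
                afs[current].append(line)
    return afs


def audit_pe(config):
    """Return [(vrf, problem)] for every VRF that would export nothing."""
    blocks = parse_blocks(config)
    afs = bgp_vrf_afs(blocks)
    findings = []
    for vrf, intfs in sorted(interface_vrfs(blocks).items()):
        lines = afs.get(vrf)
        if lines is None:
            findings.append((vrf, f"no 'address-family ipv4 vrf {vrf}' under router bgp; "
                                  f"prefixes behind {', '.join(intfs)} are never exported"))
        elif not any(l.startswith(("redistribute", "network", "neighbor")) for l in lines):
            findings.append((vrf, f"address-family ipv4 vrf {vrf} originates nothing"))
    return findings


# Constructed PE2 config: VRF ce is attached to the CE8-facing interface and the
# VPNv4 session to PE1 exists, but the VRF address-family from the reply is missing.
PE2_BEFORE = """\
ip vrf ce
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:1
!
interface GigabitEthernet0/1
 description to CE8
 ip vrf forwarding ce
 ip address 10.8.0.1 255.255.255.252
!
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
 exit-address-family
"""

# The same config with the lines from the reply added.
PE2_AFTER = PE2_BEFORE + """\
 !
 address-family ipv4 vrf ce
  redistribute connected
  redistribute static
 exit-address-family
"""

if __name__ == "__main__":
    for name, cfg in (("before", PE2_BEFORE), ("after", PE2_AFTER)):
        print(name, audit_pe(cfg) or "OK")
```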

Similar Messages

  • Centralize internet access in MPLS VPN

    Can I implement centralized internet access (the hub CE router performs NAT) in a Cisco MPLS VPN solution?
    If so, is there any example of that? I can't find it on CCO.
    Thanks a lot.

    If you run a dynamic routing protocol PE-CE, like RIPv2, OSPF or BGP, do the following:
    1. Set a default route in the hub CE, and generate the default route under its dynamic protocol.
    2. In the other CEs, make sure they can learn this route.
    If you run static routes and VRF static routes between CE and PE, do the following:
    1. Set a default route in the hub CE, and set default routes in the other CEs.
    2. In all PEs, redistribute the connected and static routes into address-family ipv4 of the customer VRF.
    3. Set the customer VRF default route in all PEs which connect to all your CEs.
    Note: make sure all PEs can reach the GW address of the VRF default route. The GW IP address is the interface of the hub CE towards the PE.
    Command: "ip route vrf <vrf-name> 0.0.0.0 0.0.0.0 <GW-IP> global".
    TRY

  • Redundant access from MPLS VPN to global routing table

    Several of our customers have MPLS VPNs deployed over our infrastructure. Some of them require access to the Internet (the global routing table in our case).
    As I'm not aware of any methods to dynamically import/export routes between VRF and global routing tables, at the moment there are static routes configured: one inside the VRF pointing to the global next hop, another one in the global routing table pointing to an interface inside the VRF.
    The task is to configure redundant access to the Internet. By redundancy I mean using several exit points (primary and backup), which physically are separate boxes.
    Here comes the tricky part: both global static routes (on both boxes, meaning) are valid and reachable in all cases, no matter if the specific prefix is reachable in the VRF or not. What I'd like to achieve is that the specific static route becomes valid only if the specific prefix is reachable inside the VRF. Yea, sounds like dynamic routing :), I know.
    OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside a VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table, its ONLY routing table in fact. One PVC would be used to announce routes into the customer-specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be OK as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description customer VPN access
     ip vrf forwarding customer
     ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
     description customer Internet access
     ip address 192.168.1.1 255.255.255.252
    router rip
     address-family ipv4 vrf customer
      version 2
      network 10.0.0.0
      no auto-summary
      redistribute bgp 65000 metric 5
    router bgp 65000
     neighbor 192.168.1.2 remote-as 65001
     address-family ipv4 vrf customer
      redistribute rip
    CE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description VPN access
     ip address 10.1.1.2 255.255.255.252
    interface Serial0/0.2 point-to-point
     description Internet access
     ip address 192.168.1.2 255.255.255.252
    router bgp 65001
     neighbor 192.168.1.1 remote-as 65000
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply the required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the number of prefixes in your VRF mini-internet.
    Regards
    Martin

  • Central Site Internet Connectivity for MPLS VPN User

    What are the solutions for central-site Internet connectivity for an MPLS VPN user, and what is the best practice?

    Hello,
    Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
    Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
    One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
    Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
    The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
    Kind Regards,
    M.

  • No Internet access after cisco vpn client connection

    Hi Experts,
    Kindly check the config below. The problem is that the VPN is connected but there is no internet access
    on the computer after connecting to the VPN.
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.10.10 255.255.255.0
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.14.12 255.255.255.0
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
    access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool testpool 192.168.14.240-192.168.14.250
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list INSIDE_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.14.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set setFirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    username testuser password IqY6lTColo8VIF24 encrypted
    username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
    tunnel-group mphone type remote-access
    tunnel-group mphone general-attributes
     address-pool testpool
    tunnel-group mphone ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
    : end
    ciscoasa#

    Hi Harish,
    Please check the outputs below and the route print in the attached file.
    Latest ASA Config
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.10.10 255.255.255.0
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.14.12 255.255.255.0
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
    access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool testpool 192.168.15.240-192.168.15.250
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.14.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set setFirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    group-policy mphone internal
    group-policy mphone attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value dubai_splitTunnelAcl
    username testuser password IqY6lTColo8VIF24 encrypted privilege 15
    username testuser attributes
     vpn-group-policy mphone
    username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
    username khans attributes
     vpn-group-policy mphone
    tunnel-group mphone type remote-access
    tunnel-group mphone general-attributes
     address-pool testpool
    tunnel-group mphone ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
    : end
    ciscoasa#
    Route Print after vpn connection 
    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter - Packet Scheduler Miniport
    0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.211       20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         192.168.10.0    255.255.255.0   192.168.10.211  192.168.10.211       20
       192.168.10.211  255.255.255.255        127.0.0.1       127.0.0.1       20
       192.168.10.255  255.255.255.255   192.168.10.211  192.168.10.211       20
         192.168.14.0    255.255.255.0     192.168.15.1  192.168.15.240       1
         192.168.15.0    255.255.255.0   192.168.15.240  192.168.15.240       20
       192.168.15.240  255.255.255.255        127.0.0.1       127.0.0.1       20
       192.168.15.255  255.255.255.255   192.168.15.240  192.168.15.240       20
        213.42.233.97  255.255.255.255     192.168.10.1  192.168.10.211       1
            224.0.0.0        240.0.0.0   192.168.10.211  192.168.10.211       20
            224.0.0.0        240.0.0.0   192.168.15.240  192.168.15.240       20
      255.255.255.255  255.255.255.255   192.168.10.211  192.168.10.211       1
      255.255.255.255  255.255.255.255   192.168.15.240  192.168.15.240       1
    Default Gateway:      192.168.10.1
    ===========================================================================
    Persistent Routes:
      None
    C:\>
    C:\>ipconfig /all
    Windows IP Configuration
            Host Name . . . . . . . . . . . . : asu
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Local Area Connection 7:
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet Adapter
            Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.10.211
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.10.1
            DNS Servers . . . . . . . . . . . : 213.42.20.20
                                                195.229.241.222
    Ethernet adapter Local Area Connection 8:
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Cisco Systems VPN Adapter
            Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.15.240
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :
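An added example, not from the thread or from Cisco: a Python audit that reads an ASA 8.0 config (pre-8.3 NAT syntax, as posted) and flags the three conditions the two posted configs differ on: a client pool carved out of a connected subnet, a full-tunnel policy with no hairpin path, and a pool with no NAT exemption. The config snippets are constructed from the posted lines (same pool, ACL names and policy), and `audit_ra_vpn` and the helper names are my own.

```python
"""Audit an ASA 8.0-style remote-access VPN config for the conditions that
commonly leave a connected client without Internet or without return traffic:
an address pool overlapping a connected subnet, a full-tunnel policy with no
hairpin path, and no NAT exemption for the pool. Added example for this
thread; the two configs below are constructed to mirror the posted before and
after configs, trimmed to the lines these checks read."""
import ipaddress
import re


def parse_pools(config):
    """'ip local pool <name> <first>-<last>' -> {name: (first, last)}."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return pools


def parse_interfaces(config):
    """{nameif: network} for every interface with a nameif and an ip address."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m[1]
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return nets


def acl_destinations(config, acl_name):
    """Destination networks of 'access-list <name> extended permit ip <src> <dst> <mask>'."""
    pat = rf"^access-list {re.escape(acl_name)} extended permit ip \S+ (\S+) (\S+)"
    return [ipaddress.ip_network(f"{d}/{mk}", strict=False)
            for d, mk in re.findall(pat, config, re.M)]


def audit_ra_vpn(config):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    nets = parse_interfaces(config)
    pools = parse_pools(config)
    for pool, (first, last) in pools.items():
        for nameif, net in nets.items():
            if first in net or last in net:
                findings.append(f"pool {pool} {first}-{last} overlaps {nameif} subnet {net}")
    # A group-policy without split-tunnel-policy defaults to tunnelall: the client
    # sends Internet traffic into the tunnel and it must leave via the same outside
    # interface, which the ASA only allows with intra-interface (hairpin) traffic.
    m = re.search(r"^\s+split-tunnel-policy (\S+)", config, re.M)
    policy = m[1] if m else "tunnelall"
    if policy == "tunnelall" and "same-security-traffic permit intra-interface" not in config:
        findings.append("tunnelall without 'same-security-traffic permit intra-interface': "
                        "client Internet traffic cannot hairpin back out of outside")
    # Pre-8.3 NAT: 'nat (inside) 1' + 'global (outside) 1' PATs inside->pool replies
    # before encryption unless a 'nat (inside) 0 access-list' exemption covers the pool.
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    exempt = acl_destinations(config, m[1]) if m else []
    for pool, (first, last) in pools.items():
        if not any(first in n and last in n for n in exempt):
            findings.append(f"no NAT exemption covers pool {pool}; inside->client replies get PATed")
    return findings


INTERFACES = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
"""

# First posted config: pool carved out of the inside subnet, no split tunnelling.
ASA_BEFORE = INTERFACES + """\
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
ip local pool testpool 192.168.14.240-192.168.14.250
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Second posted config: new pool and split tunnelling, but the nat 0 line is gone.
ASA_AFTER = INTERFACES + """\
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255.0
ip local pool testpool 192.168.15.240-192.168.15.250
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy mphone attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dubai_splitTunnelAcl
"""

if __name__ == "__main__":
    for name, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(name, audit_ra_vpn(cfg) or "OK")
```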

  • No Internet access when easy vpn tunnel is down.

    Hi.
    I have an error. I have an 819 router with an Easy VPN tunnel.
    And I am using the Identical Addressing feature, where I NAT vlan1 over loopback0.
    I also have a vlan2 where I don't use identical addressing.
    I have the Easy VPN tunnel configured on loopback0 and vlan2.
    From vlan1 I NAT to loopback0 with
    ip nat inside source static network 192.168.250.0 192.168.5.0 /24
    and I NAT outside with
    ip nat inside source list INET interface GigabitEthernet0 overload
    ip access-list extended INET
     permit ip 192.168.5.0 0.0.0.255 any
    When the tunnel is up, there is internet from vlan1, vlan2 and loopback0.
    But when the tunnel is down, I can only get internet from vlan2 and loopback0.
    The route for the tunnel is 0.0.0.0; I need all data to go to the VPN when it's up, and to the internet when it's down.
    Any ideas?
    Thanks.

    That is correct.
     Config.
    controller Cellular 0
    no cdp run
    track 1 ip sla 1 reachability
     default-state up
    ip tcp synwait-time 10
    ip ftp source-interface Vlan1
    ip ssh rsa keypair-name Router.yourdomain.com
    crypto ipsec client ezvpn VPN-Cel
     connect auto
     group VPN key -key-
     mode network-extension
     peer 12.12.12.12
     virtual-interface 1
     username RouterCel password Password
     xauth userid mode local
    crypto ipsec client ezvpn VPN-Eth
     connect auto
     group PANTst key -key-
     backup VPN-Cel track 1
     mode network-extension
     peer 12.12.12.12
     virtual-interface 1
     username Router password Password
     xauth userid mode local
    interface Loopback0
     ip address 192.168.6.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip virtual-reassembly in
     crypto ipsec client ezvpn VPN-Cel inside
     crypto ipsec client ezvpn VPN-Eth inside
    interface Cellular0
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect CCP_LOW out
     ip virtual-reassembly in
     ip verify unicast reverse-path
     encapsulation slip
     load-interval 30
     dialer in-band
     dialer idle-timeout 0
     dialer string hspa-R7
     dialer-group 1
     no peer default ip address
     async mode interactive
     crypto ipsec client ezvpn VPN-Cel
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 2
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface GigabitEthernet0
     ip dhcp client route track 1
     ip address dhcp
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect CCP_LOW out
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn VPN-Eth
    interface Serial0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     clock rate 2000000
    interface Virtual-Template1 type tunnel
     no ip address
     ip nat outside
     ip virtual-reassembly in
     tunnel mode ipsec ipv4
    interface Vlan1
     ip address 192.168.250.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     no autostate
    interface Vlan2
     ip address 192.168.16.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     no autostate
     crypto ipsec client ezvpn VPN-Cel inside
     crypto ipsec client ezvpn VPN-Eth inside
    interface Dialer2
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    ip local policy route-map myRoutes
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list INTERNET interface GigabitEthernet0 overload
    ip nat inside source static network 192.168.250.0 192.168.6.0 /24
    ip route 0.0.0.0 0.0.0.0 Cellular0 254
    ip route 8.8.4.4 255.255.255.255 Cellular0
    ip access-list extended INTERNET
     permit ip 192.168.6.0 0.0.0.255 any
     permit ip 192.168.16.0 0.0.0.255 any
    ip sla auto discovery
    ip sla 1
     icmp-echo 8.8.8.8 source-interface GigabitEthernet0
    ip sla schedule 1 life forever start-time now
    dialer-list 1 protocol ip list 1
    dialer-list 2 protocol ip permit
    route-map myRoutes permit 10
     match ip address 101
     set ip next-hop dynamic dhcp
    access-list 1 permit any
    access-list 23 permit 12.12.12.12
    access-list 23 permit 192.168.0.0 0.0.255.255
    access-list 101 permit icmp any host 8.8.8.8 echo
    control-plane

  • Selective Route Import/Export in MPLS VPN

    Champs
    I have multiple branch locations and 3 DC locations. The DC locations host my internal applications; the DCs also have the central Internet breakout for the region. My requirement is to have full-mesh MPLS-VPN, but at the same time branch location Internet access should be from the nearest IDC in the region; if the nearest IDC is not available it should go to the second-nearest DC for Internet. I have decided which are the primary and secondary DCs for Internet breakout. How can this be achieved in an MPLS-VPN scenario? Logically I feel I have to announce the specific LAN subnet and a default route (with different BGP attributes like AS path) from all 3 DCs. Spokes in the specific region should be able to import the default route from the primary DC and secondary DC only, using some route filter?
    Regards
    V

    Hello Aaron,
    the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
    The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
    So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • MPLS VPN: controlling VPN labels

    Hi experts.
    Is there any way to control the value of the VPN label that BGP allocates for a specific interface in an MPLS/VPN scenario?
    Thank you
    Michele

    Found!
    Feature is "VRF Aware MPLS Static Labels", IOS rel. 12.0(26)S
    Thanks
    Michele

  • RIP Between CPE & PE in a MPLS VPN

    When RIP is used as the dynamic routing protocol between dual-homed CPE and PE in an MPLS VPN scenario with a backdoor link, there are chances of loops occurring and traffic transiting low-bandwidth links. What precautions or actions can be taken to prevent these behaviors with RIP?
                  CPE
                   |
        CPE-------PE---P
         |             |
        CPE-------PE---P
                   |
                  CPE

    Hi,
    When you redistribute the MP-BGP routes into RIP on the PE, you have an option of specifying the metric with which RIP redistributes the routes. You can make use of this feature: set the RIP metric accordingly while you redistribute the RIP routes of the remote CE location into the local CE location. Also make the metric over the backdoor link less or more preferable (whichever way you opt for) with an offset list on that specific interface. This way the local CE receives updates with two different metrics (one over the MPLS provider and the other over the backdoor link) and the one with the least metric is preferred.
    Also you have to stop advertising the LAN prefixes of the remote CE router to unwanted interfaces by using the distribute-list command. This can be done on the interface of the CE connecting to the PE routers, where the distribute list contains the LANs of the remote CE locations. Though split horizon stops advertising, I am a bit skeptical about whether the prefixes with different metrics work with split horizon.
    If the backdoor is TDM or an Ethernet link where the physical layer goes down on Layer 1 issues, then the better option is to have static routing with a higher/lower AD than RIP over the backdoor link. There is no chance of looping in this case and you have better control.
    HTH
    Arun

  • Best internet access method over MPLS?

    Hello!!
    Once again, I have to choose between design options and I'd like to hear about your experiences, now regarding internet access.
    I have several customers needing to learn full internet routing and establish BGP connections with our PEs (for access backup purposes).
    When needing to use more specific routes than a default, it's said to be more convenient to use the global routing table to distribute full internet routes, in order to save memory on the PEs.
    Now my doubt: if this design forces me to use different subinterfaces and VRFs for a client needing both VPN and internet access, and knowing that maybe I could use the same VPN for providing internet to all our customers, so internet routes will be available in just one VRF... wouldn't it be cleaner using just one VPN (and one VRF in every PE router) for internet access for all the customers (yet knowing it will use three times more memory)...?
    I know eBGP sessions in a PE could be established through the internet access VRF. Moreover, any client needing a private VPN could use a different (sub)interface.
    What do you think: global routes or just one VRF carrying internet routes?
    Thanks in advance

    Well, both are good options, and we have designed networks for SPs with both of these options. The deciding factor for them, however, has been the requirements for the Internet service: whether this service is for A) end customers who want a default or partial/full routing table, or whether this service is for B) an ISP who can serve his Tier 2/3 ISP customers.
    A) For end enterprise customers.
    If it's meant for end customers who simply want a default route, and some customers who may want partial/full routes but who aren't ISPs, then you can consider the VRF solution, as it would be very easy for you to provision and deprovision within the network. Just a little more load on the memory, but since it's one VRF your typical PE can handle the Internet in a VRF with 1 GB of memory.
    B) For Tier 2/3 ISP customers
    Now if it's for your T2/T3 ISP customers, then the VRF method has certain drawbacks.
    Drawback) ISP customers don't want a single best route coming to them from an RR. Since you are their provider ISP you would have many connections to upstream peering points and NAPs/IXPs, so your ISP customers want all these routes so they can themselves decide the best route for the different service requirements of their end customers.
    Solution) Now if you have to give all these routes to the ISP, you have to assign a different RD value for each upstream peering point.
    Caveat) This would increase your memory requirement on the PEs and RRs tremendously, as they would be holding duplicates of your Internet routing table because of the different RD values.
    Different approach) Having said that, some ISPs have implemented the best of both worlds, but it comes with cost constraints. You can extend your iBGP of the Internet AS within a VRF, that is, infra routes only within the VRF, and have dedicated Internet peering edge routers at all locations where you consider providing this service to ISPs. So you extend your iBGP using the VRF; hence none of the P or PE routers hold Internet routes in any form, they only have the infra routes in the VRF. Using these infra routes, the Internet peering edge routers form iBGP with an Internet RR, which is your dedicated regular RR for Internet routers, exchange all Internet routes, and give them to your downstream ISP customers.
    Global routing table)
    Nothing wrong with this method; everything works as it was working before your MPLS network was there, except for the fact that your intermediate routers don't hold the Internet table and it's a BGP-free core.
    This is better than the VRF option A method, as you won't hold the Internet routing table with more memory because of VPNv4. And the second VRF option B is far superior to this method, but with an added one-time cost.
    Hope this info helps you to decide better.
    HTH, cheers,
    Swaroop

  • MPLS-VPN w/NAT for Internet connectivity.

    We have implemented MPLS-VPN and site-to-site connectivity seems to be working fairly well. However, we are having strange issue when trying to access the Internet. For some odd reason, we are not able to get to some sites such as ebay.com, latimes.com, nytimes.com, moviefone.com. We are running dynamic NAT and the topology looks like this:
    Laptop----CE-------PE-----NAT------BR-----Internet
    This is a simple layout of what we have currently in the lab. The NAT router is not running MPLS, but we are using VRFs to create sub-interfaces on the FE connecting the PE and the NAT router for each customer. I have an access-list allowing 10.x.x.x/8.
    Laptop-CE - 10.0.0.8/30
    CE-PE - 10.0.0.0/30
    PE-NAT - 10.0.1.0/30
    Also, we are able to ping, trace, ftp, use remote desktop and pcAnywhere. It seems to be only affecting HTTP. We've been working on this for a couple of days now and we've hit a wall. Any help will be greatly appreciated.
    JK

    I had a slightly different yet similar problem a few months ago on our MPLS network with the CE devices, and it turned out the DF bit had to be set to 0 to enable fragmentation _prior_ to traffic entering the core.
    Fixed it right up by setting a policy on the ethernet port.
    -Jeff

  • RRAS VPN performance and Internet access while connected to RRAS VPN

    For the first time, I set up a Win2008R2 RRAS VPN (L2TP and SSTP) in an Azure VM for my client.
    I am running a packaged application which includes SQL2008 in that VM.
    I plan that remote users connect from the client application using the RRAS VPN to the application server in the Azure VM.
    But I am worried about a performance bottleneck due to network speed.
    I have not yet confirmed the network environment of my client (my client is living in the USA).
    1. But if we decide to use RRAS VPN for that application, which kind of VPN (PPTP, L2TP, SSTP, IKE) will be better in network speed?
    2. I noticed that while connected to the RRAS VPN, I could not connect to the Internet from the remote client PC.
    Is there any way to enable RRAS VPN access and Internet access at the same time?

    Hi,
    1. PPTP is the easiest protocol to use for setting up a VPN, and it has minimal security.
    L2TP/IPsec, SSTP and IKEv2 are more secure than PPTP.
    IKEv2 can provide secured, uninterrupted, ubiquitous VPN connectivity.
    Here is a good article comparing the four types of VPN:
    Different VPN tunnel types in Windows - which one to use?
    http://blogs.technet.com/b/rrasblog/archive/2009/01/30/different-vpn-tunnel-types-in-windows-which-one-to-use.aspx
    2. Two common scenarios cause the problem that a connected client can't browse the Internet. First, the VPN server might not let remote clients access the Internet when they have a connection. In this case, when we close the VPN connection, the client can browse the Internet because the default gateway reverts to the gateway that the ISP defines. Second, Windows might overwrite the ISP gateway with the VPN server-defined gateway when the client connects, so the client has no path to the Internet.
    We may need to uncheck "Use default gateway on remote network" to solve this problem.
    Best Regards,
    Tina

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However, users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content filtering and inspection, which then egresses out to the internet from there. Typically this could be done using a route-map (which ASAs do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • No Internet Access thru VPN w/ Windows 8.1

    I had VPN working with Internet access & then all of a sudden it stopped working.  I suspect one of the Windows AUTO updates changed something that made it stop working, but cannot be sure.
    Per other blogs: I tried to temporary disable firewall and antivirus program on Windows 8.
    Furthermore, tried to right click your VPN connection---properties---Networking---IPv4 or IPv6---Properties---Advanced---IP settings---Use default gateway on remote network.
    Nothing worked.  When VPN has no Internet connection - I can still successfully ping 8.8.8.8 in CMD window.
    Next thing I suppose is to post RAS traces??  But I'm not sure which log file I should post.
    Please help.

    Thanks for your reply.
    I have Windows auto update & the last time it worked was months ago (but not sure which version).
    Yes, if I ping 8.8.8.8, I get a response, but I cannot connect to the internet when I try to browse.  In response to your questions:
    1.  I tried ping www.google.com, and I got a "Ping request could not find host www.google.com" message.
    2.  Yes, by no internet access I meant I cannot browse the internet.
    3.  No, I don't use any IE proxy server.
    CMD line responses to "ipconfig -all" & "route print" are listed below:
    C:\windows\system32>ipconfig -all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : MediaCenter-PC
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    PPP adapter FreeVPNme:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : FreeVPNme
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.11.0.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 209.244.0.3
                                           208.67.222.222
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter VPN - VPN Client:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VPN Client Adapter - VPN
       Physical Address. . . . . . . . . : 00-AC-7E-07-A5-B9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-DB-B6-5D-B9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtua
       Physical Address. . . . . . . . . : B8-EE-65-D3-4B-4E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : 1x1 11b/g/n Wireless LAN PCI
     Mini Card Adapter
       Physical Address. . . . . . . . . : B8-EE-65-D3-4B-4E
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::c832:af51:4c8a:4c9f%5(P
       IPv4 Address. . . . . . . . . . . : 10.223.116.122(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.223.116.71
       DHCPv6 IAID . . . . . . . . . . . : 146337381
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-0B-5D-5B-50-AF
       DNS Servers . . . . . . . . . . . : 8.8.8.8
                                           8.8.4.4
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Contr
       Physical Address. . . . . . . . . : 50-AF-73-23-82-1E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Inter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{3AAF9E59-6992-41E1-AB34-710700639118}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{53183BE1-A0E4-4B92-A4B9-0B03F54C8EAE}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\windows\system32>route print
    ====================================================================
    Interface List
     52...........................FreeVPNme
     18...00 ac 7e 07 a5 b9 ......VPN Client Adapter - VPN
      8...00 ff db b6 5d b9 ......TAP-Windows Adapter V9
      6...b8 ee 65 d3 4b 4e ......Microsoft Wi-Fi Direct Virtual Adapter
      5...b8 ee 65 d3 4b 4e ......1x1 11b/g/n Wireless LAN PCI Express H
    d Adapter
      3...50 af 73 23 82 1e ......Realtek PCIe GBE Family Controller
      1...........................Software Loopback Interface 1
      4...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
      7...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    ====================================================================
    IPv4 Route Table
    ====================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface
              0.0.0.0          0.0.0.0    10.223.116.71   10.223.116.122
              0.0.0.0          0.0.0.0         On-link         10.11.0.2
            10.11.0.2  255.255.255.255         On-link         10.11.0.2
         10.223.116.0    255.255.255.0         On-link    10.223.116.122
       10.223.116.122  255.255.255.255         On-link    10.223.116.122
       10.223.116.255  255.255.255.255         On-link    10.223.116.122
        93.115.83.250  255.255.255.255    10.223.116.71   10.223.116.122
            127.0.0.0        255.0.0.0         On-link         127.0.0.1
            127.0.0.1  255.255.255.255         On-link         127.0.0.1
      127.255.255.255  255.255.255.255         On-link         127.0.0.1
            224.0.0.0        240.0.0.0         On-link         127.0.0.1
            224.0.0.0        240.0.0.0         On-link    10.223.116.122
            224.0.0.0        240.0.0.0         On-link         10.11.0.2
      255.255.255.255  255.255.255.255         On-link         127.0.0.1
      255.255.255.255  255.255.255.255         On-link    10.223.116.122
      255.255.255.255  255.255.255.255         On-link         10.11.0.2
    ====================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    10.223.116.71  Default
    ====================================================================
    IPv6 Route Table
    ====================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      5    281 fe80::/64                On-link
      5    281 fe80::c832:af51:4c8a:4c9f/128
                                        On-link
      1    306 ff00::/8                 On-link
      5    281 ff00::/8                 On-link
    ====================================================================
    Persistent Routes:
      None
    Thanks again for your quick reply.  Let me know if you need other info.
    Jackson
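    Both Tina's answer in the RRAS thread above and the `route print` table Jackson posted turn on the same detail: whether the VPN adapter has been given a default route ("Use default gateway on remote network"), which makes the client full-tunnel and sends all Internet-bound traffic to the VPN server. The script below is an added example, not part of either post: it parses the IPv4 "Active Routes" table from `route print`, counts the default routes, identifies which interface holds each, and flags the /32 host route towards the physical gateway that Windows installs for the VPN server itself. The first sample table is constructed (RFC 5737 addresses) and includes the Metric column that normal `route print` output has; the second mirrors the four-column, metric-less table in the post above, so the parser accepts both shapes.

```python
"""Added example: parse the IPv4 'Active Routes' table of Windows `route print`
and report the default-route layout of a VPN client (full-tunnel vs. split).
Sample tables are constructed for this example, not captured from a live host."""
import re
from dataclasses import dataclass
from typing import Optional

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str            # an IPv4 address or the literal "On-link"
    interface: str          # IPv4 address of the egress adapter
    metric: Optional[int]   # None when the output was cut to four columns


def parse_ipv4_routes(text: str) -> list[Route]:
    """Rows between 'IPv4 Route Table' / 'Active Routes:' and the next
    'Persistent Routes:' marker. Header, separator and blank lines are skipped
    because their first field is not an IPv4 address."""
    routes: list[Route] = []
    in_ipv4 = in_active = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPv4 Route Table"):
            in_ipv4 = True
        elif line.startswith("IPv6 Route Table"):
            break
        elif in_ipv4 and line.startswith("Active Routes:"):
            in_active = True
        elif in_ipv4 and line.startswith("Persistent Routes:"):
            in_active = False
        elif in_active:
            parts = line.split()
            if len(parts) in (4, 5) and IPV4_RE.match(parts[0]) and IPV4_RE.match(parts[1]):
                metric = int(parts[4]) if len(parts) == 5 else None
                routes.append(Route(parts[0], parts[1], parts[2], parts[3], metric))
    return routes


def default_routes(routes: list[Route]) -> list[Route]:
    return [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]


def diagnose(text: str, vpn_if_addr: str) -> dict:
    """vpn_if_addr is the address the VPN adapter received (10.11.0.2 in the
    post). A default route whose Interface is that address means full-tunnel:
    Internet traffic goes to the VPN server, which must forward (usually NAT) it.
    A /32 route via the physical gateway is typically the VPN server's own
    address, kept outside the tunnel so the tunnel does not route into itself."""
    routes = parse_ipv4_routes(text)
    defaults = default_routes(routes)
    phys_gateways = {r.gateway for r in defaults
                     if r.interface != vpn_if_addr and r.gateway != "On-link"}
    server_host_routes = [r.destination for r in routes
                          if r.netmask == "255.255.255.255" and r.gateway in phys_gateways]
    winner = None   # only decidable when every default route carries a metric
    if defaults and all(r.metric is not None for r in defaults):
        winner = min(defaults, key=lambda r: r.metric).interface
    return {
        "default_route_count": len(defaults),
        "full_tunnel": any(r.interface == vpn_if_addr for r in defaults),
        "physical_default_gateways": sorted(phys_gateways),
        "likely_vpn_server_host_routes": server_host_routes,
        "preferred_default_interface": winner,
    }


# Constructed sample with the Metric column present (RFC 5737 addresses).
SAMPLE_WITH_METRIC = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.50    4262
          0.0.0.0          0.0.0.0          On-link       10.11.0.2      36
        10.11.0.2  255.255.255.255          On-link       10.11.0.2     291
        192.0.2.0    255.255.255.0          On-link      192.0.2.50     281
     198.51.100.7  255.255.255.255        192.0.2.1      192.0.2.50      27
        127.0.0.0        255.0.0.0          On-link       127.0.0.1     331
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        192.0.2.1  Default
===========================================================================
IPv6 Route Table
"""

# Constructed sample shaped like the four-column table in the post above.
SAMPLE_TRUNCATED = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface
          0.0.0.0          0.0.0.0    10.223.116.71   10.223.116.122
          0.0.0.0          0.0.0.0          On-link        10.11.0.2
    93.115.83.250  255.255.255.255    10.223.116.71   10.223.116.122
Persistent Routes:
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_WITH_METRIC, "10.11.0.2"))
    print(diagnose(SAMPLE_TRUNCATED, "10.11.0.2"))
```

    When `full_tunnel` is true and browsing fails while the tunnel is up, the place to look is the VPN server side (does it forward and NAT client traffic, and do the DNS servers handed to the PPP adapter answer through the tunnel?), or the client-side checkbox Tina names if split tunnelling is acceptable.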

  • Static NAT - VPN - Internet Access

    Does anyone know how to configure the following?
    1.  A static NAT from an inside IP address to another inside IP address (not a physical subnet).
    2.  The traffic statically NATted in step 1 needs to go into a VPN tunnel and at the same time have internet access.
    My router just has two interfaces, a WAN and a LAN.
    I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the statically NATted traffic just goes over the IPsec tunnel and cannot have internet access.
    I tried to apply a route map after the static NAT command, but since I do not have a physical interface in the same subnet where I am translating, the route-map is not applied to the static NAT command.
    In an extract:
    LAN traffic (specific server) --->> static NAT to inside not-real subnet --->> traffic goes over Tunnel (OK), but no internet access.
    BTW, I need to configure the NAT before the IPsec tunnel because both LAN subnets of the IPsec tunnel endpoints are the same.

    Why do you need an inside host to be natted to another inside IP address?
    You need to configure a "no nat" policy, for the internet traffic.
