RIP Between CPE & PE in a MPLS VPN

When RIP is used as the dynamic routing protocol between dual homed CPE and PE in a MPLS VPN scenario with a backdoor link, there are chances of loops occurring and traffic transiting low bandwidth links. What precautions or actions can be taken to prevent these behaviors with RIP?
               CPE
                  |
CPE-------PE---P
    |                      |
CPE-------PE---P
                 |
              CPE

Hi,
When you redistribute the MP-BGP routes into RIP on PE, you have an option of specifying the metric with which RIP redistributes the routes. You can make use of this feature, set the RIP metric accordingly while you redistribute the RIP of remote CE location into local CE location. Also make the metric over the backdoor link less or more preferrable (whichever way you opt for) with offset list on that specific interface. By this way local CE receives updates with two different metric (one over MPLS provider and other over backdoor link) and the one with least metric is preferred.
Also you have to stop advertising the LAN prefixes of remote CE router  to unwanted interfaces by using distribute list command. This can be done on the interface of CE connecting to PE routers where distribute list contains LAN of remote CE locations. Though split horizon stops advertising I am bit skeptical about the prefixes with different metrics works with split horizon.
If the backdoor is TDM or the ethernet link where physical layer is going down on Layer 1 issues, then better option is to have static routing with higher/lower AD than RIP over backdoor link. There is no chance of looping in this case and you have better control.
HTH
Arun

Similar Messages

  • Running RIP between CPE and PE but rip database on CPE has no vrf routes

    I am running RIP between CPE and PE and it is working - I can see the RIP routes in the VRF routing table. However I cannot see the RIP routes on the CPE, which I need to be able to do.
    PE RIP Config
    router rip
    address-family ipv4 vrf ABC
    redistribute static metric 1
    redistribute bgp 12345
    network XX.0.0.0
    no auto-summary
    exit-address-family
    CPE RIP Config
    router rip
    version 2
    redistribute connected metric 1 route-map Connected
    network XX.0.0.0
    no auto-summary
    route-map Connected permit 10
    description *** Interfaces to be advertised to MPLS Network ***
    match interface Vlan1
    route-map Connected deny 100
    description *** Deny Statement ***
    Thanks in advance for your help
    Regards
    DK

    Hi DK,
    You need to put the "metric #" command in your redistribute bgp configuration under the vrf SAFI in the RIP config on the PE router. This is done to prevent BGP MED (metric) from being used as the RIP metric, which as you would know, has a hop limit of 16.
    router rip
    address-family ipv4 vrf ABC
    redistribute static metric 1
    redistribute bgp 12345 metric 1
    network XX.0.0.0
    no auto-summary
    exit-address-family
    Try that and you should then see your VPN routes showing on the CE when the RIP process refreshes.
    HTH
    Joe.

  • Filtering methods inside a VRF in MPLS VPN

    Hi,
    we have a network with MPLS VPN and several VRFs involved.
    Inside a certain VRF I need to avoid that two particular networks can talk to each other.
    Can you give me a hint of what can be a solution to implement this ?
    Thanks
    Regards
    Marco

    Hi Marco,
    To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
    You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
    Regards, Martin

  • MPLS VPN L3 BGP to Customer CPE

    Hello,
    I am learning how to setup MPLS VPN L3. I am running OSPF in the MPLS Core and have configured MP-BGP between PE. I am running BGP between the PE and CPE in my lab, and I can see redistributed routes from the CPE in the vrf routing table for that customer on the PE router. My question is how to reditribute the vrf routes into my MPLS core to transmit the traffic to the customer other site on the same vpn. Below is what my config looks like.
    PE
    ip vrf customerA
    rd 100:101
    route-target export both 100:1000
    int fa0/0
    ip vrf forwarding customerA
    ip address x.x.x.x x.x.x.x
    router ospf 1
    loopback  in area0
    networks in area0
    router bgp 65000
    neighbor to other PE routers in AS 65000 (MPLS Network)
    address family vpn4
    neighbor other PE routers activate
    neighbor other PE routers send community
    ip address ipv4 vrf customerA
    neighbor to customerA in AS 55000
    CPE
    router ospf 1
    loopback in area 0
    networks in area 0
    router bgp 55000
    neighbor to PE router in AS 65000
    redistribute ospf 1

    Hi
    You dont have to redistribute your routes into mpls core. The vpnv4 bgp session that you have has already sent your ce routes to the remote pe router, provided you have the vrf configured on the other end.
    For more detaiked explanation please check a presentation available in the current running Ask The Expert event in the support community.

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
    I would appreciate any support, guidence, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

  • Redundant access from MPLS VPN to global routing table

    Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
    As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
    Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
    Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
    OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
    encapsulation frame-relay
    interface Serial0/0.1 point-to-point
    description customer VPN access
    ip vrf customer
    ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
    description customer Internet access
    ip address 192.168.1.1 255.255.255.252
    router rip
    address-family ipv4 vrf customer
    version 2
    network 10.0.0.0
    no auto-summary
    redistribute bgp 65000 metric 5
    router bgp 65000
    neighbor 192.168.1.2 remote-as 65001
    address-family ipv4 vrf customer
    redistribute rip
    CE config:
    interface Serial0/0
    encapsulation frame-relay
    interface Serial0.1 point-to-point
    description VPN access
    ip address 10.1.1.2 255.255.255.252
    interface Serial0.2 point-to-point
    description Internet access
    ip address 192.168.1.2 255.255.255.252
    router bgp 65001
    neighbor 192.168.1.1 remote-as 65000
    router rip
    version 2
    network 10.0.0.0
    no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • Implemting a Sprint MPLS/VPN

    Hello
    I'm implmenting a Sprint MPLS/VPN network. This is a point to point between two of my locations. The connection is handed of to me as a serial connection and I will be connecting to cisco 2800 on bothe ends. Does anyone have what a sample config might look like for my Cisco rotuer?
    Thanks in advance

    HI, [Pls Rate if HELPS]
    In addition to JOE POST,
    You need to configure as normal CE Router. You can handover your Network Traffic either via some DYNAMIC Routing Protocols (BGP, EIGRP, OSPF, RIP) or Static Routing at LAST MILE towards your Service Provider.
    At the Service Provider Side, the Connected Interface with your CE will be added with "ip vrf forwarding " command. Where seperate Routing instance will be maintained on top of Global Routing Table. The MPLS Labels are swapped over their Backbone / partner - NNI to carry your traffic over a Label Switched Path.
    For an MPLS to work, the IP-CEF will be enabled. This kind of MPLS Technology, will enable fast processing of Packets and Traffic over the Large Scale Network.
    Similarly the RT & RD Values are used to distinguish the Customer Prefixes. The RT export and Import will be done at end - to - end at Service Provider Side Routers to make the HO & BO to communicate.
    The CE Router will not involve any MPLS / VRF Configuration Technology.
    Hope I am Informative.
    Pls Rate if HELPS
    Best Regards,
    Guru Prasad R

  • Centralize internet access in MPLS VPN

    Can i implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
    If so, is there any example about that? i can't find it at CCO~
    Thanks a lot~

    If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
    1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
    2:in other CEs, make sure they can learn this route.
    If you run static route and vrf static route between CE and PE,do the following task.
    1.set default route in HUB CE, and set default route in other CEs.
    2.In all PEs,redistribute the connected and static rotues to address-family ipv4 of customer vrf.
    3.set the customer vrf default route in all PE which connected your all CEs.
    Note: make sure all PEs can reach the GW address of vrf deafult route. GW IP address is the interface of which HUB CE towards PE.
    command: "ip route vrf 0.0.0.0 0.0.0.0 global.
    TRY

  • Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

    With Vignesh R. P.
    Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions about  concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
    Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
    Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
    Remember to use the rating system to let Vignesh know if you have received an adequate response. 
    Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Service Provider sub-community discussion forum shortly after the event. This event lasts through through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Tenaro,
    AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
    The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
    AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
    The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
    Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
    Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
    Hope the above explanation helps you. Kindly revert incase of further clarification required.
    Thanks & Regards,
    Vignesh R P

  • GRE with VRF on MPLS/VPN

    Hi.
    Backbone network is running MPLS/VPN.
    I have one VRF (VRF-A) for client VPN network.
    One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
    Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
    So GRE is our option.
    CE config:
    Note: CE is running on global. VRF-A is configured at PE.
    But will add VRF-B here for the  requirement.
    interface Tunnel0
      ip vrf forwarding VRF-B
    ip address 10.12.25.22 255.255.255.252
    tunnel source GigabitEthernet0/1
    tunnel destination 10.12.0.133
    PE1 config:
    interface Tunnel0
    ip vrf forwarding VRF-B
    ip address 10.12.25.21 255.255.255.252
    tunnel source Loopback133
    tunnel destination 10.12.26.54
    tunnel vrf VRF-A
    Tunnel works and can ping point-to-point IP address.
    CE LAN IP for VRF-B  is configured as static route at PE1
    PE1:
    ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
    But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
    From PE2:
    - I can ping tunnel0 interface of PE1
    - I cant ping tunnel0 interface of CE
    Routing is all good and present in the routing table.
    From CE:
    - I can ping any VRF-B loopback interface of PE1
    - But not VRF-B loopback interfaces PE2 (even if routing is all good)
    PE1/PE2 are 7600 SRC3/SRD6.
    Any problem with 7600 on this?
    Need comments/suggestions.

    Hi Allan,
    what is running between PE1 and PE2 ( what I mean is any routing protocol).
    If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
    If Yes, then check are those Prefixes available in LDP table...
    Regards,
    Smitesh

  • How can I find the all path available for a MPLS VPN in SP network

    How can I find the all path available for a MPLS VPN in SP network between PE to PE and CE to CE?

    Hi There
    If we need to find all the available paths for a remote CE from a local PE it will depend upon whether its a RR or non-RR design. If the MP-iBGP deisgn is non-RR  the below vrf specific command
    sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same ( load-balancing considered) .Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical Hops involved.
    However if the design is RR-based there might be complications involved when the RR is in the forwarding path ie we have NHS being set to RR-MP-iBGP loopback and the  trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical Hops involved.
    If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
    RR-based design with no NHS being used will always to cater to single path for the remote CE detsination.
    So in any case the actual path used for the remote CE connectivity would be a single unless we are using load-balancing.
    Hope this helps you a bit on your requirement
    Thanks & Regards
    Vaibhava Varma

  • MPLS/VPN network load balancing in the core

    Hi,
    I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
    CE---PE===P===PE---CE
    I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
    Thank you for your help!
    Gabor

    Hi,
    On the PE router you could set different types and 2 levels of load-balancing.
    For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
    PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
    PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                                 eBGP
                         PE1 ---------CE1
    PE3----------P1                          Subnet A
                         PE2----------CE2 /
                                eBGP
    Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
    The a 1rst level of load-sharing can be achieve thanks to the maximum-paths ibgp number command.
    2 MP-BGP routes are received on PE3:
    PE3->PE1->CE1->subnet A
    PE3->PE2->CE2->subnet A
    To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
    But gess what, in the real world an MPLS backbone hardly garantee an equal IGP cost between 2 Egress PE for a given prefix.
    So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
    By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface avoiding reordering the packets on the target site. Overwise it is possible to use "per-packet" load-balancing.
    Then a 2nd load-sharing level can occur.
    For instance:
             __P1__PE1__CE1
    PE3           \/                   Subnet A
            \ __P2__PE2__CE2
    There is still 2 MP-BGP paths :
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    But this time for 2 MP-BGP paths 4 IGP path are available:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    PE3->P2->PE1->CE1->subnet A
    PE3->P2->PE2->CE2->subnet A
    For a load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4 "command in the IGP (ex OSPF) process.
    Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. the default behabior is the same source destination mechanism to selected the "per-session" path as mentionned before.
    On an LSP each LSR could use this feature.
    BR

  • MPLS VPN without Signalling Protocol in CORE

    Hi,
    I heard its possible to run L3 MPLS VPN between two sites across SP core without having any Signalling protocol (TDP/LDP)enabled on the core,the only constraint is running two TE tunnels between the two PE routers connected to CE. Is it possible. Can someone explain elaborately, pls?

    Some more details regarding the behavior as to why LDP/TDP is not required in case of end-to-end TE tunnel between the PE's.
    Using TE also the LSP is dynamically built untill and unless you are using explicitly defined TE tunnels.
    Also do note that when you have TE tunnels end to end your egress PE receives the packet with the VPN label only and then takes the appropriate action as per the VPN forwarding table.
    In case you dont have end to end TE tunnels you will have to enable LDP on the tunnels to carry the VPN labels untouched till the egress PE.( As in case if the tunnels are not end to end and are terminating on a P' which doesnt have any VPN information the packet would be dropped, so enabling LDP becomes a must.)
    Here is a detailed document explaining the beahaviour in more detail and explains when LDP should be enabled or disabled with illustrations.
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a0080125b01.shtml
    HTH-Cheers,
    Swaroop

  • L3-MPLS VPN Convergence

    Perhaps someone on this group can identify the missing timers/processing-delays in end-to-end client route convergence
    Scenarios:
    a) BGP New route Advertised by Cleint(CPE1)
    b) BGP Route withdrawn by Client(CPE1)
    PE-to-RR i-M-BGP (Logical)
    ========= ----RR------ ======
    " | | "
    CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
    | |
    --------->P3-------->P4-------
    Routing:
    - eBGP btw CPE and PE (any routing prot within Cust site),
    - OSPF, LDP in Core,
    Timers/Steps I'm aware of:
    - Advertisement of routes from CE to PE and placement into VRF
    - Propagation of routes across the MPLS VPN backbone
    - Import process of these routes into relevant VRFs
    - Advertisement of VRF routes to attached VPN sites
    - BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
    - BGP Import Process: Default = 15 seconds
    - BGP Scanner Process Default = 60 seconds
    Would appreciate if you someone can identify any missing process-delay, timers? specially w.r.t RR.
    Thanks
    SH

    Check the LDP/TDP timers in the core. Remember if a link fails in the core, reroute occurs, LDP/TDP binding needs to be renewed. tags are binded on those routes being in the routing table (IGP). So, there is a delay possible from a core prespective:
    mpls ldp holdtime
    mpls ldp discovery hello [holdtime | interval]
    In case you are using TE check these:
    mpls traffic-eng topology holddown
    mpls traffic-eng signalling forwarding sync
    mpls traffic-eng fast-reroute timers promotion
    I believe the latter one onyl applies to SDH. In which you use segment loss feature.
    Regards,
    Frank

  • Central Site Internet Connectivity for MPLS VPN User

    What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

    Hello,
    Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
    Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
    One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
    Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
    The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
    Kind Regards,
    M.

Maybe you are looking for

  • How to reduce the number of crossjoin in my webi query

    All, I am running some publication base of a webi report notes that i have a profile for each of the recipient for example in the profile i have a detail objects with: recipient 1 can only see 901 recipient 2 can only see 902 In my publication I do t

  • Hai how to debug smartforms using SFTRACE .

    how to debug smartforms using SFTRACE .

  • My Music App not avail for iCloud?

    I just noticed my storage selections for the iCloud does not include the MyMusic App.  Ive tried everything and cant figure out why.  Even bought 10GB more storage space thinking it was the size of my music.  Anybody have this issue and a solution?

  • IPhoto 08 - Editing Event Titles

    Okay I consider myself rather computer savvy but i'm beginning to think my new iPhoto 08 simply has a bug. I keep trying to edit the titles for events, I click on them and the title loads into a text bar and even has the cursor used to highlight/writ

  • Logging to Teststand log

    I am running a test sequence.  How do I log from the test sequence to the Teststand datalog? Solved! Go to Solution.