L3 VPN Management

Saku Ytti saku at ytti.fi
Wed Mar 7 02:57:09 CST 2012


On (2012-03-07 07:07 +0000), Leigh Porter wrote:

> What's the nicest way of allowing the ops servers all talk to each VPN instance? At the moment I just us pretty normal L3VPN techniques so that every VPN sees routes tagged with the ops VPN target community and so that the ops VPN sees all the other VPN routes but the division between VPNs is maintained.

You might want to peek at MPLS VPN Security book by Behringer for some
ideas[0].
But personally I'd do it by having RT for MGMT servers and different RT for
addresses needing centralized MGMT. So two special-use RTs.

The NMS network would export routes with this RT:Servers (only the servers
actually poking the VPN network, not everything)
And the customer VRFs would import this RT:Servers.

The customer VRFs would export (only the nodes actually needing NSM, not
whole network) routes with RT:CPEs.
And the NMS network would import RT:CPEs.

One way to do latter part is 
JunOS: set routing-instance FOO rib FOO.inet.0 static route CPE/32 qualified-next-hop CPE interface xe-4/2/0.42 tag 2000
  IOS: ip route vrf FOO CPE 255.255.255.255 ten4/2/0.42 CPE tag 2000

And have policy which matches to 2000 and add RT:CPE.



Annoyingly in JunOS you cannot easily import more than one RT, I hope
they'll fix it so that you can do IOS style RT + policy imports. 
So in JunOS you almost certainly want chained import policy like
'vrf-import [ VRFOO-IMPORT VRF-MGMT-IMPORT ]' where VRFOO-IMPORT is just
'from community VRFFOO; then default-action accept' and VRF-MGMT-IMPORT is
'from community RT:Servers; then default-action accept'

[0] http://www.amazon.co.uk/MPLS-VPN-Security-Cisco-Press/dp/8177586998/ref=sr_1_1?ie=UTF8&qid=1331110165&sr=8-1
> 
> Or, would it be nicer to have the firewall have a foot in each VPN, advertise routes to ops systems to each VPN instance and receive routes from all the other VPNs?
> 
> -- 
> Leigh
> 
> 
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
> 

-- 
  ++ytti



More information about the NANOG mailing list