© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.27-1 Integrating Internet Access with MPLS VPNs Introducing Internet Access Models with MPLS VPNs.


Outline
Overview
Customer Internet Connectivity Scenarios
Internet Design Models for Service Providers
Internet Access Through Global Routing
Internet Access as a Separate VPN
Disadvantages of Providing Internet Access Through Route Leaking
Summary

Classical Internet Access
The customer connects to the Internet through a central site firewall.
  – The firewall provides NAT or proxy services as needed.
Since all Internet traffic goes across the central site, traffic flow to the Internet is not optimal.

Multisite Internet Access
Customers have Internet access directly from every site.
There is optimum traffic flow to and from Internet sites.
Each site has to be secured against unauthorized Internet access.

Wholesale Internet Access
Customers choose an ISP and get address space from that ISP.
The wholesale Internet access provider may have to use a different address pool for every upstream service provider.

Service Provider Shared Backbone

Major Design Models
Two major design models:
  – Internet access separate from VPN services
  – Internet access as a separate VPN

Internet Access Through Global Routing
Implementation via separate interfaces that are not placed in any VRF, via either:
  – Static default routing on a PE
  – BGP between CE and PE
Benefits:
  – Well-known setup; equivalent to classical Internet service
  – Easy to implement; offers a wide range of design options
Drawback:
  – Requires separate physical links or WAN encapsulation that supports subinterfaces

Internet Access Through a Separate VPN Service
Implementation through a separate VPN
Benefit:
  – The provider backbone is isolated from the Internet; increased security is realized.
Drawback:
  – All Internet routes are carried as VPN routes; full Internet routing cannot be implemented because of scalability problems.

Internet Access Through Route Leaking
Implementation through the corporate VPN
Benefit:
  – Does not use a separate connection for Internet traffic
Drawbacks:
  – Insecure because Internet traffic is mingled with corporate traffic in the VPN
  – Harder to apply security policies on mingled traffic
  – Cannot implement full Internet routing because of scalability problems
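
Added example (not part of the Cisco course material): a Python audit of a PE router configuration that reports which interfaces sit in a VRF and which in the global table, and flags static routes that leak between the two. The sample configuration, VRF names and addresses are constructed; it assumes Cisco IOS syntax, where a leak is configured with "ip route vrf ... global" plus a global static route pointing at a VRF interface.

```python
import re

# Constructed PE configuration in Cisco IOS syntax (not from the course slides).
SAMPLE_PE_CONFIG = """\
interface Serial0/0.100 point-to-point
 ip vrf forwarding Customer_A
 ip address 10.1.1.1 255.255.255.252
!
interface Serial0/0.200 point-to-point
 description Customer_A Internet link, not in any VRF
 ip address 192.0.2.1 255.255.255.252
!
interface Serial0/1
 ip vrf forwarding Customer_B
 ip address 10.2.2.1 255.255.255.252
!
ip route vrf Customer_B 0.0.0.0 0.0.0.0 198.51.100.1 global
ip route 203.0.113.0 255.255.255.0 Serial0/1
"""

def audit_pe_config(config):
    """Return ({interface: VRF name or 'global'}, [route-leak findings])."""
    iface_vrf, findings, current = {}, [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            iface_vrf[current] = "global"  # global table until proven otherwise
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current and (m := re.match(r"\s+ip vrf forwarding (\S+)", line)):
            iface_vrf[current] = m.group(1)
    for line in config.splitlines():
        # VRF static route whose next hop is resolved in the global table.
        m = re.match(r"ip route vrf (\S+) .* global\s*$", line)
        if m:
            findings.append(("vrf-to-global", m.group(1), line))
            continue
        # Global static route that exits through an interface placed in a VRF.
        m = re.match(r"ip route (?!vrf )\S+ \S+ (\S+)", line)
        if m and iface_vrf.get(m.group(1), "global") != "global":
            findings.append(("global-to-vrf", iface_vrf[m.group(1)], line))
    return iface_vrf, findings

if __name__ == "__main__":
    interfaces, leaks = audit_pe_config(SAMPLE_PE_CONFIG)
    for name, table in interfaces.items():
        print(f"{name}: {table}")
    for kind, vrf, line in leaks:
        print(f"LEAK {kind} ({vrf}): {line}")
```

Customer_A follows the global-routing model (one subinterface in the VRF, one in the global table) and produces no findings; Customer_B's two static routes are reported as a leak pair.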

Summary
Classical Internet access connects through a central firewall. You can use a centralized ISP-managed firewall service.
Multisite Internet access connects the firewall of every site. You can use a centralized ISP-managed firewall service.
Wholesale Internet access service offers connectivity to multiple ISPs.

Summary (Cont.)
There are two recommended service provider designs for combining Internet access with MPLS VPN services:
  – Global routing (Internet access not from a VPN), which uses separate interfaces that are not placed in any VRF
  – Internet services as a separate VPN, which allows for service provider separation of backbone and Internet traffic
Route leaking is insecure and not recommended because this approach negates the isolation of the corporate VPN.
