Internet Access from a VPN    23-2
World Wide Training Word Templates v1    Copyright 1999, Cisco Systems, Inc.    Release Date: 2/1/99

Integrating Internet Access with the MPLS VPN Solution: Review Questions

- Describe four major customer requirements for Internet access services.
    Classical Internet access implemented through a central firewall.
    Internet access from every VPN site, where each customer has its own independent Internet access.
    Internet access through a central firewall service (Internet access VPN).
    Wholesale Internet access service, where an ISP uses the IP transport infrastructure of another service provider to reach the end users.

- What are the addressing requirements for classical Internet access service?
    Private addresses on the inside of a firewall, public addresses on the outside, and the firewall performs NAT.

- What are the security implications of having Internet access from every VPN site?
    It is hard to implement and maintain a single security policy for the entire VPN.
    VPN sites could possibly use the Internet as transit between themselves.

- What are the addressing requirements when every VPN site has direct Internet access?
    Each customer site needs public IP addresses, or at least some public IP addresses and Network Address Translation between the customer's private IP addresses and the public IP addresses.

- What are the benefits of giving Internet access to every VPN site as compared to having a central exit point to the Internet?
    The provider backbone does not need to carry the traffic twice.
    The access line to the central site need not carry the entire VPN's Internet traffic.
    Response time benefits, since the traffic is optimally routed.

- What are the benefits of central firewall service?
    The central firewall is managed by the service provider, relieving the customer of this task in a more cost-effective way.

- What are the addressing requirements of central firewall service?
    The use of private addresses must be coordinated by the service provider, just like public addresses are.

- How can customers with private address space use the central firewall service?
    Private addresses must be coordinated by the service provider to ensure that addresses do not overlap between VPNs using the same central firewall service.

- What are the benefits of Wholesale Internet Access service?
    The upstream ISP can use the infrastructure of the access service provider to reach the end user.

- Who assigns the customer address space in the Wholesale Internet Access setup?
    The upstream ISP.

Design Options for Integrating Internet Access with MPLS VPN: Review Questions

- List two major Internet access design models.
    Internet access through global routing on the PE routers.
    Internet access through yet another VPN.

- What are the benefits of running an Internet backbone inside a VPN?
    The provider backbone is isolated from the Internet, which gives increased security.

- What are the benefits of running an Internet backbone in the global routing table?
    Better scalability when full Internet routing is required, compared to using a VPN for all Internet routes.

- Describe two major implementation options for implementing Internet access in the global routing table.
    Internet access via a separate interface that is not placed in any VRF.
    Packet leaking between a VRF and the global table.

Leaking Between VPN and Global Backbone Routing: Review Questions

- Which IOS mechanisms are used to implement packet leaking between a VRF and the global address space?
    Static routes.

- How is the leaking from a VRF into the global address space accomplished?
    By a static route in the VRF with a next hop in the global routing table.

- How do you configure leaking from the global address space toward a CE router?
    By a static route to the customer's public address prefix pointing to an interface belonging to the customer's VRF.

- How is packet leaking used to implement Internet access service for VPN customers?
    The static route which is used to leak packets from the VRF into the global routing table is configured as a default route pointing to a next-hop address where the Internet can be reached.

- What label is used to forward packets toward a global next hop?
    The LDP/TDP-derived label to the next hop.

- What are the benefits of Internet access based on packet leaking?
    Reduced burden on the PE router, since it does not need the full Internet routing.

- Which Internet access services can be implemented with packet leaking?
    Wholesale Internet access.
    Internet access from every site.

- Which Internet access services cannot be implemented with packet leaking?
    Classical Internet access service.
    Internet access through central firewall service.

Separating Internet Access from VPN Service: Review Questions

- What is the effect of MPLS VPN technology on implementing Internet access through a separate (sub)interface?
    One of the (sub)interfaces is connected to the VRF and the other is not connected to any VRF, which implicitly means that it is connected to the global routing table.

- Which WAN encapsulation types can be used to avoid using two physical links?
    Frame Relay.
    ATM.

- What are the benefits of using a separate (sub)interface for Internet access?
    Internet traffic is (logically) separated from the VPN traffic.

- Which Internet access services cannot be implemented within this model?
    Internet access through central firewall service.
    Wholesale Internet access.
    Internet access from every site.

Internet Access Backbone as a Separate VPN: Review Questions

- What is the basic idea behind providing Internet access through a VPN?
    The Internet is separated from the MPLS VPN backbone, resulting in increased security.

- Which Internet access services can be implemented by running the Internet in a separate VPN?
    Internet access through central firewall service.
    Internet access from every site.
    Wholesale Internet access.
    Classical Internet access service.

- How would you implement redundant Internet access when running the Internet in a VPN?
    By configuring multiple Internet gateways (acting as CE routers) connected to the MPLS VPN backbone. All those Internet gateways advertise the default route to the PE routers and local Internet routes to the upstream ISP, using traditional methods to favor the desired primary path (most notably MED).

- What are the limitations of this design?
    Full Internet routing cannot be carried in the VPN.
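The packet-leaking answers under Leaking Between VPN and Global Backbone Routing, written out as one PE router configuration. This is an added example, not part of the original course material; the VRF name CustA, the interface Serial0/0, the AS number 65000, the Internet gateway 192.0.2.1 and the customer's public prefix 198.51.100.0/24 are all assumed, constructed values.

```ios
! Added example with assumed names and addresses; not from the original course.
! PE router: Internet access for VRF CustA through packet leaking between
! the VRF and the global routing table.
!
ip vrf CustA
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! PE-CE link placed in the customer VRF (addresses assumed)
interface Serial0/0
 ip vrf forwarding CustA
 ip address 10.1.1.1 255.255.255.252
!
! Leak from the VRF into the global table: a default route inside the VRF
! whose next hop (the Internet gateway, assumed 192.0.2.1) is resolved in the
! global routing table. Packets are forwarded toward it with the LDP/TDP-derived
! label for that next hop, not with a VPN label.
ip route vrf CustA 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! Leak from the global table toward the CE: a global static route for the
! customer's public prefix (assumed 198.51.100.0/24) pointing at the interface
! that belongs to the customer's VRF, so traffic returning from the Internet
! reaches the site. The CE address 10.1.1.2 is assumed.
ip route 198.51.100.0 255.255.255.0 Serial0/0 10.1.1.2
!
! The customer's public prefix must also be announced to the Internet; one
! way (assumed here) is a network statement in the provider's global BGP process.
router bgp 65000
 network 198.51.100.0 mask 255.255.255.0
```

Note that only the customer's public prefix is reachable from the global table; the VRF's private prefixes are not leaked, which is what keeps this model limited to the wholesale and per-site access services listed above.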