Document: Internet Access from a VPN (docx)


Internet Access from a VPN

World Wide Training Word Templates v1. Copyright © 1999, Cisco Systems, Inc. Release Date: 2/1/99

Integrating Internet Access with the MPLS VPN Solution: Review Questions

- Describe four major customer requirements for Internet access services.
  - Classical Internet access implemented through a central firewall.
  - Internet access from every VPN site, where each customer has its own independent Internet access.
  - Internet access through a central firewall service (Internet access VPN).
  - Wholesale Internet access service, where an ISP uses the IP transport infrastructure of another Service Provider to reach the end-users.
- What are the addressing requirements for classical Internet access service?
  - Private addresses on the inside of a firewall, public addresses on the outside, and the firewall is doing NAT.
- What are the security implications of having Internet access from every VPN site?
  - It is hard to implement and maintain a single security policy for the entire VPN.
  - VPN sites could possibly use the Internet as transit between themselves.
- What are the addressing requirements when every VPN site has direct Internet access?
  - Each customer site needs public IP addresses.
  - Some public IP addresses and Network Address Translation between the customer private IP addresses and the public IP addresses.
- What are the benefits of giving Internet access to every VPN site as compared to having a central exit point to the Internet?
  - The provider backbone does not need to carry the traffic twice.
  - The access line to the central site need not carry the entire VPN's Internet traffic.
  - Response time will benefit since the traffic is optimally routed.
- What are the benefits of central firewall service?
  - The central firewall is managed by the service provider, relieving the customer of this task in a more cost-effective way.
- What are the addressing requirements of central firewall service?
  - The use of private addresses must be coordinated by the service provider just like public addresses are.
- How can customers with private address space use the central firewall service?
  - Private addresses must be coordinated by the service provider to ensure that addresses do not overlap between VPNs using the same central firewall service.
- What are the benefits of Wholesale Internet Access service?
  - The upstream ISP can use the infrastructure of the access service provider to reach the end-user.
- Who assigns the customer address space in the Wholesale Internet Access setup?
  - The upstream ISP.

Design Options for Integrating Internet Access with MPLS VPN: Review Questions

- List two major Internet access design models.
  - Internet access through global routing on the PE routers.
  - Internet access through yet another VPN.
- What are the benefits of running an Internet backbone inside a VPN?
  - The provider backbone is isolated from the Internet, which gives increased security.
- What are the benefits of running an Internet backbone in the global routing table?
  - Better scalability when full Internet routing is required compared to using a VPN for all Internet routes.
- Describe two major implementation options for implementing Internet access in the global routing table.
  - Internet access via a separate interface that is not placed in any VRF.
  - Packet leaking between a VRF and the global table.

Leaking Between VPN and Global Backbone Routing: Review Questions

- Which IOS mechanisms are used to implement packet leaking between a VRF and a global address space?
  - Static routes.
- How is the leaking from a VRF into the global address space accomplished?
  - By a static route in the VRF with a next hop in the global routing table.
- How do you configure leaking from global address space toward a CE router?
  - By a static route to the customer's public address prefix pointing to an interface belonging to the customer's VRF.
- How is packet leaking used to implement Internet access service for VPN customers?
  - The static route which is used to leak packets from the VRF into the global routing table is configured as a default route pointing to a next-hop address where the Internet can be reached.
- What label is used to forward packets toward a global next-hop?
  - The LDP/TDP derived label to the next-hop.
- What are the benefits of Internet access based on packet leaking?
  - Reduced burden on the PE router since it does not need the full Internet routing.
- Which Internet access services can be implemented with packet leaking?
  - Wholesale Internet access.
  - Internet access from every site.
- Which Internet access services cannot be implemented with packet leaking?
  - Classical Internet access service.
  - Internet access through central firewall service.

Separating Internet Access from VPN Service: Review Questions

- What is the effect of MPLS VPN technology on implementing Internet access through a separate (sub)interface?
  - One of the (sub)interfaces is connected to the VRF and the other is not connected to any VRF, which implicitly means that it is connected to the global routing table.
- Which WAN encapsulation types can be used to avoid using two physical links?
  - Frame-Relay.
  - ATM.
- What are the benefits of using a separate (sub)interface for Internet access?
  - Internet traffic is (logically) separated from the VPN traffic.
- Which Internet access services cannot be implemented within this model?
  - Internet access through central firewall service.
  - Wholesale Internet access.
  - Internet access from every site.

Internet Access Backbone as a Separate VPN: Review Questions

- What is the basic idea behind providing Internet Access through a VPN?
  - The Internet is separated from the MPLS VPN backbone, resulting in increased security.
- Which Internet access services can be implemented by running the Internet in a separate VPN?
  - Internet access through central firewall service.
  - Internet access from every site.
  - Wholesale Internet access.
  - Classical Internet access service.
- How would you implement redundant Internet access when running the Internet in a VPN?
  - By configuring multiple Internet gateways (acting as CE routers) connected to the MPLS VPN backbone. All those Internet gateways advertise the default route to the PE routers and local Internet routes to the upstream ISP, using traditional methods to favor the desired primary path (most notably MED).
- What are the limitations of this design?
  - Full Internet routing cannot be carried in the VPN.
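The packet-leaking answers and the separate-(sub)interface answers above, written out as a Cisco IOS PE-router configuration sketch. This is an added example, not part of the original training material; the VRF name, RD/route-target values, interface numbers, DLCIs and all addresses are constructed for illustration.

```cisco
! Constructed example: VRF name, RD/RT values, interface numbers, DLCIs and
! all addresses (RFC 5737 / RFC 1918 ranges) are assumptions, not from the page.
!
ip vrf CUST_A
 rd 65000:1
 route-target both 65000:1
!
! --- Model 1: packet leaking between the VRF and the global table ---
interface Serial0/0
 description PE-CE link for CUST_A (VPN and Internet share this link)
 ip vrf forwarding CUST_A
 ip address 198.51.100.1 255.255.255.252
!
! VRF -> global: default route inside the VRF whose next hop (the Internet
! gateway, 192.0.2.1) is resolved in the global routing table.
ip route vrf CUST_A 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! Global -> CE: the customer's public prefix in the global table, pointing
! at the interface that belongs to the customer's VRF.
ip route 203.0.113.0 255.255.255.0 Serial0/0
!
! --- Model 2: separate (sub)interfaces on one Frame Relay link ---
interface Serial0/1
 no ip address
 encapsulation frame-relay
!
interface Serial0/1.100 point-to-point
 description VPN traffic: subinterface placed in the VRF
 ip vrf forwarding CUST_A
 ip address 10.1.1.1 255.255.255.252
 frame-relay interface-dlci 100
!
interface Serial0/1.200 point-to-point
 description Internet traffic: no VRF, so it is in the global table
 ip address 198.51.100.5 255.255.255.252
 frame-relay interface-dlci 200
```

On the PE, `show ip route vrf CUST_A` should list the static default and `show ip route 203.0.113.0` the global static toward the customer, which confirms both directions of the leak are installed.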

Date posted: 11/12/2013, 14:15
