Internet Access from a VPN
World Wide Training Word Templates v1. Copyright © 1999, Cisco Systems, Inc. Release Date: 2/1/99
Integrating Internet Access with the MPLS VPN Solution
Review Questions
■ Describe four major customer requirements for Internet access services.
  - Classical Internet access implemented through a central firewall.
  - Internet access from every VPN site, where each customer has its own independent Internet access.
  - Internet access through a central firewall service (Internet access VPN).
  - Wholesale Internet access service, where an ISP uses the IP transport infrastructure of another service provider to reach the end users.
■ What are the addressing requirements for classical Internet access service?
  - Private addresses on the inside of a firewall, public addresses on the outside, and the firewall performs NAT.
■ What are the security implications of having Internet access from every VPN site?
  - It is hard to implement and maintain a single security policy for the entire VPN.
  - VPN sites could possibly use the Internet as transit between themselves.
■ What are the addressing requirements when every VPN site has direct Internet access?
  - Each customer site needs public IP addresses.
  - Some public IP addresses and Network Address Translation between the customer private IP addresses and the public IP addresses.
■ What are the benefits of giving Internet access to every VPN site as compared to having a central exit point to the Internet?
  - The provider backbone does not need to carry the traffic twice.
  - The access line to the central site need not carry the entire VPN's Internet traffic.
  - Response time will benefit since the traffic is optimally routed.
■ What are the benefits of central firewall service?
  - The central firewall is managed by the service provider, relieving the customer of this task in a more cost-effective way.
■ What are the addressing requirements of central firewall service?
  - The use of private addresses must be coordinated by the service provider just like public addresses are.
■ How can customers with private address space use the central firewall service?
  - Private addresses must be coordinated by the service provider to ensure that addresses do not overlap between VPNs using the same central firewall service.
■ What are the benefits of Wholesale Internet Access service?
  - The upstream ISP can use the infrastructure of the access service provider to reach the end-user.
■ Who assigns the customer address space in the Wholesale Internet Access setup?
  - The upstream ISP.
Design Options for Integrating Internet Access with MPLS VPN
Review Questions
■ List two major Internet access design models.
  - Internet access through global routing on the PE routers.
  - Internet access through yet another VPN.
■ What are the benefits of running an Internet backbone inside a VPN?
  - The provider backbone is isolated from the Internet, which gives increased security.
■ What are the benefits of running an Internet backbone in the global routing table?
  - Better scalability when full Internet routing is required compared to using a VPN for all Internet routes.
■ Describe two major implementation options for implementing Internet access in the global routing table.
  - Internet access via a separate interface that is not placed in any VRF.
  - Packet leaking between a VRF and the global table.
Leaking Between VPN and Global Backbone Routing
Review Questions
■ Which IOS mechanisms are used to implement packet leaking between a VRF and a global address space?
  - Static routes.
■ How is the leaking from a VRF into the global address space accomplished?
  - By a static route in the VRF with a next hop in the global routing table.
■ How do you configure leaking from global address space toward a CE router?
  - By a static route to the customer's public address prefix pointing to an interface belonging to the customer's VRF.
■ How is packet leaking used to implement Internet access service for VPN customers?
  - The static route that is used to leak packets from the VRF into the global routing table is configured as a default route pointing to a next-hop address where the Internet can be reached.
■ What label is used to forward packets toward a global next-hop?
  - The LDP/TDP-derived label to the next hop.
■ What are the benefits of Internet access based on packet leaking?
  - Reduced burden on the PE router since it does not need the full Internet routing.
■ Which Internet access services can be implemented with packet leaking?
  - Wholesale Internet access.
  - Internet access from every site.
■ Which Internet access services cannot be implemented with packet leaking?
  - Classical Internet access service.
  - Internet access through central firewall service.
