Internet Access from a VPN
23-2 World Wide Training Word Templates v1 Copyright 1999, Cisco Systems, Inc.
Integrating Internet Access with the MPLS VPN Solution
Review Questions
- Describe four major customer requirements for Internet access services.
  Classical Internet access implemented through a central firewall.
  Internet access from every VPN site, where each customer has its own independent Internet access.
  Internet access through a central firewall service (Internet access VPN).
  Wholesale Internet access service, where an ISP uses IP transport infrastructure of another Service Provider to reach the end-users.
- What are the addressing requirements for classical Internet access service?
  Private addresses on the inside of a firewall, public addresses on the outside and the firewall is doing NAT.
- What are the security implications of having Internet access from every VPN site?
  It is hard to implement and maintain a single security policy for the entire VPN.
  VPN sites could possibly use the Internet as transit between themselves.
- What are the addressing requirements when every VPN site has direct Internet access?
  Each customer site needs public IP addresses.
  Some public IP addresses and Network Address Translation between the customer private IP addresses and the public IP addresses.
- What are the benefits of giving Internet access to every VPN site as compared to having a central exit point to the Internet?
  The provider backbone does not need to carry the traffic twice.
- What are the benefits of running an Internet backbone inside a VPN?
  The provider backbone is isolated from the Internet, which gives increased security.
- What are the benefits of running an Internet backbone in the global routing table?
  Better scalability when full Internet routing is required compared to using a VPN for all Internet routes.
- Describe two major implementation options for implementing Internet access in the global routing table.
  Internet access via a separate interface that is not placed in any VRF.
  Packet leaking between a VRF and the global table.
Release Date: 2/1/99
Leaking Between VPN and Global Backbone Routing
Review Questions
- Which IOS mechanisms are used to implement packet leaking between a VRF and a global address space?
  Static routes.
- How is the leaking from a VRF into the global address space accomplished?
  By a static route in the VRF with a next hop in the global routing table.
- How do you configure leaking from global address space toward a CE router?
  By a static route to the customer's public address prefix pointing to an interface belonging to the customer's VRF.
- How is packet leaking used to implement Internet access service for VPN customers?
  The static route which is used to leak packets from the VRF into the global routing table is configured as a default route pointing to a next-hop address where the Internet can be reached.
- What label is used to forward packets toward a global next-hop?
  The LDP/TDP derived label to the next-hop.