MPLS Services

Questions for the community: from a Application Service Provider
perspective - how / can one provide application access to a group of
Enterprises where the ASP provider provides ASP like applications to all
Enterprise customers who have multiple locations and who may or may not have
overlapping addresses? Each Enterprise is it's own business and we cannot
allow connectivity between each other
We've struggled internally with this. MPLS and using BGP communities seems
to be the solution. But I am trying to understand / think through the
configuration of it from a CE and PE side perspective. Lab configs to
follow but here's what I'm thinking:

- From the CE side we could ask for 2 frame PVC's - each in it's own VRF on
the PE side. Call 1 VRF private and 2nd VRF public. In the Private VRF
advertise all CE routes between customer A for example. Each CE customer
would have their own VRF on the MPLS providers network.

- From the CE, In Public VRF advertise a network range we provide the
clients and NAT traffic destined for the shared environment to the public

- On each CE router only permit route updates on the Public VRF for BGP
communities that belong to that customer and our shared segments. Could
also do this with just route filtering by ACL/prefix lists. On the Private
VRF no need to filter incoming but filter outgoing to contain routing domain
consistency (only send updates for CE networks)

- In the Public VRF from ASP side - advertise all shared services routes.
Accept all updates on Public VRF. No access to Private VRF's here.


This might give you some ideas (also solves the overlapping customer address


That looks very interesting. But it assumes we have a physical interface in
the core for every remote customer correct? I guess that can be
accomplished via GRE tunnels over a providers MPLS cloud. What about a MPLS
provider being the transport where the exCore has a single interface to that
provider? That's what I *think* we need to do and why I consider NAT and
advertising of a public segment from each customer and using BGP communities
to keep each customer from 'knowing' about each other. So in the core
router(s) we'd only have unique IP's, each Customer could have a single MPLS
drop that reaches our shared segments as well as their internal segments.

BTW - that was an awesome write up - thanks for sharing