We've been building an MPLS network that connects a few customers to each other and then to our datacenter. Customers also want their network to be segmented, and all the traffic should go via firewalls (because of the nature of the customers and some regulatory stuff).
We run BGP between the VRFs and firewalls, and try to route the networks everywhere we can to avoid NAT, and then limit the traffic with firewalls and routes with prefix lists. As it's a lot of legacy stuff and private IP address networks from here and there, we can't really do summarization like "Customer A: 10.128.0.0/14, Customer B: 10.132.0.0/14" etc.
The actual question is: how do you manage such prefix lists between networks? Do you only allow the actual subnets being used, or allow a larger prefix and hope that there are no collisions? (For example, if a customer has 10.128.0.0/24, 10.128.5.0/24 and 10.128.11.0/24 in use, do you just add 10.128.0.0/20 to the prefix list?)
I know ISPs can use DBs that have routes added by every party, but as these are private networks I'm not really sure if we can do this.
Or should we still try to have a centralized database where every subnet is added, and then prefix lists would be generated automatically based on that data? Our IPAM is a bit of a mess, but if we fixed all the networks there to the correct VRFs and so on, we might be able to pull the data from there...
Also, deciding when to advertise which network where is a bit problematic, as the customers also host their own servers and might provide some connections to our other customers.
Any other ideas for doing this kind of larger network that connects multiple organizations running different subnets with private IP addresses?
Thanks!
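An added example, not part of the original post: a small Python script that builds per-VRF prefix lists from an IPAM export, merges only adjacent blocks (so three non-adjacent /24s stay three entries instead of silently becoming a /20), reports prefixes that collide between customer VRFs, and shows exactly how much address space a hand-picked supernet would admit beyond what IPAM actually owns. The IPAM dictionary, VRF names and prefix-list names are constructed sample data; the IOS-style output format and the IPv4-only assumption are mine.

```python
"""Generate per-VRF prefix lists from IPAM data and check for collisions."""
import ipaddress

# Constructed sample data standing in for an IPAM export: {vrf: [cidr, ...]}.
# CUST-B deliberately carries a /25 that collides with CUST-A's 10.128.5.0/24.
IPAM = {
    "CUST-A": ["10.128.0.0/24", "10.128.5.0/24", "10.128.11.0/24",
               "10.128.2.0/24", "10.128.3.0/24"],
    "CUST-B": ["10.132.0.0/22", "10.128.8.0/24", "10.128.5.0/25"],
    "DC":     ["10.200.0.0/16"],
}

def build_prefix_lists(ipam):
    """Return {vrf: [networks]} with only exactly-mergeable blocks combined.

    collapse_addresses never adds address space: 10.128.2.0/24 + 10.128.3.0/24
    become 10.128.2.0/23, but 10.128.0.0/24, 10.128.5.0/24 and 10.128.11.0/24
    stay separate rather than being widened to 10.128.0.0/20.
    strict=True rejects IPAM rows with host bits set (e.g. 10.1.2.3/24).
    """
    return {vrf: sorted(ipaddress.collapse_addresses(
                ipaddress.ip_network(c, strict=True) for c in cidrs))
            for vrf, cidrs in ipam.items()}

def find_collisions(ipam):
    """List (vrf_a, prefix_a, vrf_b, prefix_b) for prefixes overlapping across VRFs."""
    plists = build_prefix_lists(ipam)
    vrfs = sorted(plists)
    return [(a, str(na), b, str(nb))
            for i, a in enumerate(vrfs) for b in vrfs[i + 1:]
            for na in plists[a] for nb in plists[b] if na.overlaps(nb)]

def supernet_leak(cidrs, supernet):
    """Address space a wider prefix would admit that IPAM does not own."""
    remaining = [ipaddress.ip_network(supernet)]
    for c in cidrs:
        net = ipaddress.ip_network(c)
        nxt = []
        for blk in remaining:
            if blk.subnet_of(net):          # block fully owned: drop it
                continue
            if net.subnet_of(blk):          # carve the owned subnet out
                nxt.extend(blk.address_exclude(net))
            else:                           # disjoint: keep as is
                nxt.append(blk)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))

def render_prefix_list(name, nets, step=10):
    """IOS-style prefix-list lines; exact matches only, no 'le'/'ge' widening."""
    return [f"ip prefix-list {name} seq {(i + 1) * step} permit {n}"
            for i, n in enumerate(nets)]
```

Running find_collisions over a real IPAM export before regenerating the prefix lists turns the "hope there are no collisions" step into a check that fails loudly, and supernet_leak quantifies what a proposed summary would open up.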