3. Common Service

A provider may want to offer a common service to all of its clients. This may vary from Internet access to a website where they can find their billing information. The common service could also be used to give partners or customers access to your own network.

We've seen that the provider defines the separation of customers on the PE routers. The provider can also provide a common services network. If such a service is provided, the provider must be sure that there are no conflicts between IP addresses. Also, there may be other requirements on the common service; it should not be possible to use the common service as a stepping stone to other clients.

3.1. Our common service network

Our common service is a simple web server. On my xenial5 machine, I have a webserver running. We'll connect xenial5 directly to the PE router; no CE router is used.

(Figure: commonservice.png, the common service network: xenial5 attached directly to PE3)

3.2. Routing

On PE3, a single VRF is created.
ip vrf services
 rd 65000:99
 route-target both 65000:99
 route-target import 65000:1
 route-target import 65000:2

We only import the routes tagged 65000:1 and 65000:2; we do not export them. The services VRF exports its own routes only under 65000:99.

All PE routers need to be iBGP neighbors of each other (here the configuration for PE3):
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.128.128.3 remote-as 65000
 neighbor 10.128.128.3 update-source Loopback0
 neighbor 10.128.128.4 remote-as 65000
 neighbor 10.128.128.4 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.128.128.3 activate
  neighbor 10.128.128.3 send-community extended
  neighbor 10.128.128.4 activate
  neighbor 10.128.128.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf services
  redistribute connected
 exit-address-family
 !

The following table might make it clearer what we're doing. The columns 65000:1, 65000:2 and 65000:99 are the route targets; each cell says whether the VRF imports, exports or does both for that route target.
router  vrf       65000:1  65000:2  65000:99
PE1     cust_a    both     -        import
PE1     cust_b    -        both     import
PE2     cust_a    both     -        import
PE2     cust_b    -        both     import
PE3     services  import   import   both

PE3 therefore does not export the routes of customers A and B; it only exports its own routes under 65000:99, which the customer VRFs import.

It is important to realize that all this is done on the PE routers and therefore under the control of the MPLS provider. The customers A and B have no control over the routing through the MPLS cloud.
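The route-target table above can be checked mechanically. The following script is an added example, not part of the original write-up: it parses IOS-style `ip vrf` blocks, derives which VRF receives routes from which other VRF (X sees Y when X imports a route target that Y exports), and reports any VRF that receives routes from two VRFs that cannot see each other, which is exactly the "stepping stone" position the services VRF is in. Only the `services` VRF is quoted from the page; the `cust_a` and `cust_b` blocks for PE1 are constructed from the table (PE2 mirrors PE1 and is left out to keep the output short), and the `rd` values for the customer VRFs are assumptions.

```python
"""Route-target visibility checker (added example, not the page's own code).

X receives Y's routes when X imports at least one route target that Y exports.
The sample config is constructed from the table in section 3.2; only the
'services' VRF on PE3 is quoted from the page, the customer VRF blocks and
their rd values are assumptions.
"""
import re

# Constructed sample: one VRF block per (router, vrf) row of the table (PE2 omitted).
SAMPLE_CONFIG = {
    "PE1": """
ip vrf cust_a
 rd 65000:1
 route-target both 65000:1
 route-target import 65000:99
ip vrf cust_b
 rd 65000:2
 route-target both 65000:2
 route-target import 65000:99
""",
    "PE3": """
ip vrf services
 rd 65000:99
 route-target both 65000:99
 route-target import 65000:1
 route-target import 65000:2
""",
}

# Classic 'ip vrf' syntax as used on the page; 'vrf definition' blocks are not handled.
VRF_RE = re.compile(r"^ip vrf (\S+)")
RT_RE = re.compile(r"^\s+route-target (both|import|export) (\S+)")


def parse_vrfs(config_text):
    """Return {vrf_name: {'import': set(rt), 'export': set(rt)}} for one router."""
    vrfs = {}
    current = None
    for line in config_text.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = RT_RE.match(line)
        if m and current:
            kind, rt = m.groups()
            if kind in ("both", "import"):
                vrfs[current]["import"].add(rt)
            if kind in ("both", "export"):
                vrfs[current]["export"].add(rt)
    return vrfs


def visibility(all_vrfs):
    """all_vrfs: {(router, vrf): rts}. Returns {(router, vrf): set of VRFs it receives routes from}."""
    return {
        x: {y for y, yrt in all_vrfs.items() if y != x and xrt["import"] & yrt["export"]}
        for x, xrt in all_vrfs.items()
    }


def stepping_stones(seen):
    """VRFs that receive routes from two VRFs which cannot see each other.

    Such a VRF sits between otherwise separated networks: a host in it can
    reach both sides, so a compromise there bridges them."""
    hubs = {}
    for hub, sources in seen.items():
        pairs = [(a, b) for a in sources for b in sources
                 if a < b and b not in seen[a] and a not in seen[b]]
        if pairs:
            hubs[hub] = sorted(pairs)
    return hubs


def analyse(configs=SAMPLE_CONFIG):
    """Parse every router's config and return (visibility map, stepping-stone map)."""
    all_vrfs = {}
    for router, text in configs.items():
        for name, rts in parse_vrfs(text).items():
            all_vrfs[(router, name)] = rts
    seen = visibility(all_vrfs)
    return seen, stepping_stones(seen)


if __name__ == "__main__":
    seen, hubs = analyse()
    for vrf, sources in sorted(seen.items()):
        print(f"{vrf[0]}/{vrf[1]} receives routes from: {sorted(sources) or '-'}")
    for hub, pairs in hubs.items():
        print(f"stepping stone: {hub[0]}/{hub[1]} bridges {pairs}")
```

Run it and the output is the table in words: cust_a and cust_b each receive only the services routes, services receives both customers' routes, and services is reported as the one VRF that bridges cust_a and cust_b. Route-target visibility is the control-plane side only; whether a host in the services VRF can actually forward between the two customers is decided by what that host and the PE3 interface are allowed to do, which section 3.4 comes back to.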

3.3. The result

The result is that both A and B can see the common service, but they cannot see each other. See, for example, xenial1:
ljm$ vagrant ssh xenial1 -c 'ping -c2 10.128.192.101'
PING 10.128.192.101 (10.128.192.101) 56(84) bytes of data.
64 bytes from 10.128.192.101: icmp_req=1 ttl=60 time=103 ms
64 bytes from 10.128.192.101: icmp_req=2 ttl=60 time=80.1 ms
--- 10.128.192.101 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 80.147/91.986/103.825/11.839 ms
Connection to 127.0.0.1 closed.
ljm$ vagrant ssh xenial1 -c 'ping -c2 10.128.93.101'
PING 10.128.93.101 (10.128.93.101) 56(84) bytes of data.
From 10.128.65.1 icmp_seq=1 Destination Host Unreachable
From 10.128.65.1 icmp_seq=2 Destination Host Unreachable
--- 10.128.93.101 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
Connection to 127.0.0.1 closed.

On xenial5, every other system can be seen:
ljm$ vagrant ssh xenial5 -c 'ping -c1 10.128.66.101'
PING 10.128.66.101 (10.128.66.101) 56(84) bytes of data.
64 bytes from 10.128.66.101: icmp_req=1 ttl=60 time=81.9 ms
--- 10.128.66.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 81.989/81.989/81.989/0.000 ms
Connection to 127.0.0.1 closed.
ljm$ vagrant ssh xenial5 -c 'ping -c1 10.128.94.101'
PING 10.128.94.101 (10.128.94.101) 56(84) bytes of data.
64 bytes from 10.128.94.101: icmp_req=1 ttl=60 time=84.8 ms
--- 10.128.94.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 84.820/84.820/84.820/0.000 ms
Connection to 127.0.0.1 closed.

On xenial1:
ljm$ vagrant ssh xenial1 -c 'wget -O- 10.128.192.101'
--2018-06-06 11:32:38--  http://10.128.192.101/
Connecting to 10.128.192.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 text/html
Saving to: `STDOUT'
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
2018-06-06 11:32:38 (9.63 MB/s) - written to stdout 177/177
Connection to 127.0.0.1 closed.

This means that it all works according to plan.

3.4. Trouble in paradise

We want our networks separated. Now look at this:
ljm$ vagrant ssh xenial1
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation:  https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
Last login: Wed Jun  6 11:32:38 2018 from 10.0.2.2
vagrant@xenial64:~$ ssh 10.128.192.101
The authenticity of host '10.128.192.101 (10.128.192.101)' can't be established.
ECDSA key fingerprint is 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.128.192.101' (ECDSA) to the list of known hosts.
vagrant@10.128.192.101's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation:  https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
Last login: Wed Jun  6 11:29:42 2018 from 10.0.2.2
vagrant@xenial64:~$ ssh 10.128.93.101
The authenticity of host '10.128.93.101 (10.128.93.101)' can't be established.
ECDSA key fingerprint is 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.128.93.101' (ECDSA) to the list of known hosts.
vagrant@10.128.93.101's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation:  https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
Last login: Fri Sep 14 06:23:18 2012 from 10.0.2.2
vagrant@xenial64:~$ 

I now abused our common service to hop from customer A to customer B. Of course, in real life, you will never allow logging in to the common service from any of the customer networks. But many allow logging in from the Internet and consider this safe enough. If the common service is compromised, not only your own network is exposed, but also the networks of all the customers that import its routes.
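The hop above is visible in traffic terms: a customer host reaching a port other than 80 on the service host, and the service host opening a connection toward a customer prefix. The following script is an added example, not part of the original write-up: it checks connection records against the one pattern the page permits (a customer host opening TCP/80 to 10.128.192.101) and flags everything else. The record format is constructed, not a real NetFlow export, and the customer prefixes are assumptions inferred from the addresses in the ping output (10.128.65.0/24 and 10.128.66.0/24 for customer A, 10.128.93.0/24 and 10.128.94.0/24 for customer B); the sample records replay the sessions shown in sections 3.3 and 3.4.

```python
"""Stepping-stone check for a shared service (added example, not the page's own code).

Policy: customer hosts may open TCP/80 to the service host. The service host
never initiates anything toward a customer prefix, and customers reach no
other port on it. Prefixes and the record format are assumptions.
"""
import ipaddress
from collections import namedtuple

SERVICE_HOST = ipaddress.ip_address("10.128.192.101")   # from the page
ALLOWED_PORTS = {80}                                     # the only service offered
# Assumed customer prefixes, inferred from the ping output on the page.
CUSTOMER_PREFIXES = {
    "A": [ipaddress.ip_network("10.128.65.0/24"), ipaddress.ip_network("10.128.66.0/24")],
    "B": [ipaddress.ip_network("10.128.93.0/24"), ipaddress.ip_network("10.128.94.0/24")],
}

# One record per connection: initiator -> responder, as a monitor on the
# PE3 interface facing xenial5 would see it (constructed format).
Flow = namedtuple("Flow", "src dst dport proto")


def customer_of(addr):
    """Name of the customer owning addr, or None if it is not a customer address."""
    for name, nets in CUSTOMER_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify(flow):
    """Return None when the flow matches policy, otherwise a short finding."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src == SERVICE_HOST and customer_of(dst):
        # The service host must never be the initiator toward a customer.
        return f"service host initiated {flow.proto}/{flow.dport} to customer {customer_of(dst)} ({dst})"
    if dst == SERVICE_HOST and customer_of(src):
        if flow.proto == "tcp" and flow.dport in ALLOWED_PORTS:
            return None
        return f"customer {customer_of(src)} ({src}) reached non-web port {flow.proto}/{flow.dport} on service host"
    return None


# Constructed records: the wget from section 3.3, the ping from xenial5 to
# customer A, and the two SSH legs of the hop in section 3.4.
SAMPLE_FLOWS = [
    Flow("10.128.65.101", "10.128.192.101", 80, "tcp"),
    Flow("10.128.192.101", "10.128.66.101", 0, "icmp"),
    Flow("10.128.65.101", "10.128.192.101", 22, "tcp"),
    Flow("10.128.192.101", "10.128.93.101", 22, "tcp"),
]


def findings(flows=SAMPLE_FLOWS):
    """All policy violations in the given records, in order."""
    return [f for f in (classify(fl) for fl in flows) if f]


if __name__ == "__main__":
    for finding in findings():
        print("VIOLATION:", finding)
```

Only the web fetch passes; the ping that section 3.3 used as a success test is itself outside policy, because the service host initiated it. The same policy, expressed as a filter on the PE3 interface facing xenial5 (permit only TCP/80 toward the host and the replies back) and as an sshd on xenial5 that does not listen on the customer-facing address, removes the hop rather than merely detecting it.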