MPLS VPN internet Access with VRF-aware NAT

pablitomassa82 · ‎10-13-2015

Hi,

In order to achieve Internet Connection for CE1 e CE2 that belong to the same VPN

I configured the router GW2 with this command

ip route vrf PA 0.0.0.0 0.0.0.0 99.99.99.99 global, where 99.99.99.99 is the internet router

and than i redistribute it in MPBGP to PE1 and PE2 with

router bgp 1

address-family ipv4 vrf PA

network 0.0.0.0 mask 0.0.0.0

When i type, on PE1, show ip route vrf PA it show a default route via 4.4.4.4 that is the loopback of GW2,

so it's unreachable becouse there are no route for 4.4.4.4. How can i solve it?

Gateway of last resort is 4.4.4.4 to network 0.0.0.0

172.16.0.0/32 is subnetted, 2 subnets
O 172.16.1.1 [110/11] via 10.0.10.2, 00:05:26, FastEthernet0/0
B 172.16.2.1 [200/11] via 2.2.2.2, 00:04:59
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.10.0 is directly connected, FastEthernet0/0
B 10.0.20.0 [200/0] via 2.2.2.2, 00:04:59
B* 0.0.0.0/0 [200/0] via 4.4.4.4, 00:04:59
PE1#

Thanks a lot

P.

Masoud Pourshabanian · ‎10-13-2015

GW2 is a BGP neighbor of PE1 and PE2? Which interface did you use to establish BGP neighboring? Did you advertise loopback0 on GW2 by OSPF?

If you advertise loopback0 on GW2 by OSPF, all PE routers will see loopback0 and then PE can establish BGP neighboring with GW2 on loopback0.

By doing so, default route is reachable by PE routers.

Please share a little more detail about what you did.

Masoud

pablitomassa82 · ‎10-16-2015

I resolved in this way:

i've configured vrf internet on GW2 and associated it with f1/0, than i've putted a default-route in vrf internet that point to internet router, than i've imported this default-route on the vrf of CE1 and vrf of CE2. Than i've imported on vrf internet the route of vrf CE1 and vrf CE2, and that's it. The loopbacks of the router are advirtised with normal IGP process. Now it's work. I've utilized the so called Internet in a VRF method.

PS: I've enabled NAT on CE1 and CE2 instead of enale it per vrf on GW2

Paolo

Masoud Pourshabanian · ‎10-16-2015

The only drawback of this method is you need to import the routes of all vrfs to Internet vrf . Imagine you have so many VRFs.

You said you enabled NAT on CE1 and CE2. Did you advertise public IPs to PE?

Masoud

pablitomassa82 · ‎10-16-2015

Sorry Masoud

i forgot to say that i have changed the ip address scheme on PE-CE link. Now i use the public ip address, so the public IP are inserted automatically in the vrf table on PE.

Surely this approach wastes more public ip address that use a centralized NAT on GW2, but it works.

Masoud Pourshabanian · ‎10-16-2015

Just a small change you can make to avoid wasting IP.

1-Put private IP on PE-CE link.

2- Route public IP (you have it already on the interface) toward CE within each VRF.

3-Redistribute that route to GW2.

4-Nat private IP to public IP on CE( you can either put the Public IP on CE interface or Just doing NAT without putting that Public IP).

Masoud

Jason M. · ‎10-15-2015

Where is the 99.99.99.99 router? Is it global or in the VRF? If it is global then internet traffic should be moved to the global routing table at the PE routers if that's where the VRF interfaces are.