on 01-09-2010 06:41 PM
Overview:
Internet access is one of the common services included in MPLS L3 VPN deployments of service providers and enterprise networks, and it can be provided in several ways. This document discusses the following methods:
· Route leaking between the VRFs and global routing table of the PE
· Using a dedicated VRF for the Internet service, also known as shared services
Furthermore, this document discusses the configuration of VRF-aware NAT on the edge PE router facing the Internet gateway.
Internet access using Route leaking between the VRFs and global routing table of the PEs
With this method, each PE in the service provider or enterprise MPLS network uses a default route in its global routing table to route Internet traffic from the CE routers. Each CE router has a default route that is either injected by the directly connected PE or configured as a static default route on the CE itself.
As shown in the diagram above, CE1 receives a default route from PE1 through BGP. Under each VRF that needs Internet access, PE1 has a static default route whose next hop is in the global routing table: the PE called GW (representing an Internet gateway, which could be a router or a firewall). The same concept and configuration apply to every PE-CE pair.
In the example above we assume that the internal network of CE1 is 10.10.1.0 and that the IP addresses allocated for Internet use by the CE1 site are 120.1.1.0/30.
NAT has been configured in CE1 so that traffic to the internet will use the 120.1.1.0/30 subnet.
CE1:
ip nat pool pool1 120.1.1.1 120.1.1.2 prefix-length 30
ip nat inside source list 100 pool pool1 overload
!
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255 -- the first two lines exclude traffic destined to CE2 from being NATed
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
router bgp 65001
no synchronization
neighbor 10.1.1.1 remote-as 100
no auto-summary
CE1#show ip bgp
BGP table version is 4, local router ID is 150.1.1.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.1.1.1 0 0 100 i
r> 10.1.1.0/24 10.1.1.1 0 0 100 ?
CE1#
PE1:
interface FastEthernet2/0
ip vrf forwarding VPNA
ip address 10.1.1.1 255.255.255.0
router bgp 100
no synchronization
bgp log-neighbor-changes
network 120.1.1.0 mask 255.255.255.252 -- advertise the CE1 public range in the global BGP table so that GW can reach it
address-family ipv4 vrf VPNA
neighbor 10.1.1.10 remote-as 65001
neighbor 10.1.1.10 activate
neighbor 10.1.1.10 default-originate -- to inject the default route to CE1
no synchronization
exit-address-family
ip route 120.1.1.0 255.255.255.252 FastEthernet2/0 10.1.1.10 -- this global static route makes the CE1 range used for Internet access reachable from PE1
ip route vrf VPNA 0.0.0.0 0.0.0.0 192.168.1.2 global -- this static default route installs a default route in the VRF routing table with a next hop taken from the global routing table
PE1#sho ip route vrf VPNA 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Redistributing via bgp 100
Routing Descriptor Blocks:
* 192.168.1.2 (Default-IP-Routing-Table)
Route metric is 0, traffic share count is 1
CE1#ping 100.100.100.100 source 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/534/1192 ms
CE1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 120.1.1.1:19 10.10.1.1:19 100.100.100.100:19 100.100.100.100:19
CE1#
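The point of the two deny lines in access-list 100 is that an IOS ACL is evaluated top to bottom and the first match decides, so the entries that exclude the CE2 site from translation must come before the permit. The following is an added example, not part of the original document: a small Python model of that first-match evaluation applied to the CE1 ACL text copied from above, with a constructed "permit first" variant and constructed sample flows (the 172.16.9.9 source and the CE2-side hosts are assumed values) to show that a misordered ACL would translate intra-VPN traffic as well, so the remote site would see the public 120.1.1.0/30 address instead of the CE1 LAN.

```python
"""
Added example, not part of the original document: a model of how IOS
evaluates the access list behind 'ip nat inside source list 100 pool pool1
overload' on CE1. Entries are checked in order and the first match decides;
a flow that matches nothing hits the implicit deny, i.e. no translation.
"""
import ipaddress
import re

ACL_LINE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)

# ACL 100 exactly as configured on CE1 in the document.
CE1_ACL_100 = """
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
"""

# Constructed variant: the same entries with the permit placed first.
MISORDERED_ACL_100 = """
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255
"""


def _to_network(field):
    """Convert 'any' or 'address wildcard' into an IPv4Network.

    Only contiguous wildcard masks (0.0.0.255 style) are handled, which
    covers every entry used in the document.
    """
    if field == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = field.split()
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Return a list of (action, source_net, destination_net) in config order."""
    entries = []
    for line in text.strip().splitlines():
        match = ACL_LINE.match(line.strip())
        if not match:
            raise ValueError(f"unsupported ACL line: {line!r}")
        _, action, src, dst = match.groups()
        entries.append((action, _to_network(src), _to_network(dst)))
    return entries


def nat_applies(acl, src_ip, dst_ip):
    """True when the flow reaches a permit entry before any matching deny."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


# Constructed sample flows: one to the Internet host pinged in the document,
# two toward the CE2 site (assumed host addresses), one from outside the LAN.
SAMPLE_FLOWS = [
    ("10.10.1.1", "100.100.100.100"),
    ("10.10.1.1", "10.20.1.5"),
    ("10.10.1.1", "20.1.1.5"),
    ("172.16.9.9", "100.100.100.100"),
]


def nat_decisions(acl_text, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to whether CE1 would translate it."""
    acl = parse_acl(acl_text)
    return {flow: nat_applies(acl, *flow) for flow in flows}


if __name__ == "__main__":
    for label, text in (("as configured", CE1_ACL_100), ("permit first", MISORDERED_ACL_100)):
        print(label)
        for flow, translated in nat_decisions(text).items():
            print(f"  {flow[0]:>12} -> {flow[1]:<16} NAT={'yes' if translated else 'no'}")
```

With the ACL as configured, only the flow to 100.100.100.100 from the 10.10.1.0/24 LAN is translated; with the permit moved to the top, the flows toward 10.20.1.5 and 20.1.1.5 are translated too, which is exactly what the two deny lines prevent.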
VRF-aware NAT
We can use the same concept as above, leaking routes between the VRFs and the global routing table, but instead of configuring it on every PE we configure it only on the PE that connects directly to the Internet gateway. That PE then performs NAT for the VRFs using what is known as VRF-aware NAT.
Using the same topology as above, standard MP-BGP L3 VPN routes are exchanged between all PEs, including the GW PE; this time, however, the GW PE injects the default route into all the VRFs through MP-BGP. GW has a static default route whose next hop resides in the global routing table, and VRF-aware NAT is configured on the GW PE to translate the CEs' traffic going to the Internet.
GW:
ip vrf VPNA -- add all of the VRFs in the MPLS network that need to be NATed
rd 1:10
route-target export 1:10
route-target import 1:10
interface FastEthernet1/0
description ## connected to P ###
ip address 192.168.1.2 255.255.255.0
ip nat inside
mpls ip
interface FastEthernet1/1
description ## connected to Internet Gateway/Firewall ##
ip address 200.1.1.1 255.255.255.0
ip nat outside
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf VPNA
default-information originate --- this to generate a default route under the routing table of the VRF
no synchronization
exit-address-family
ip route vrf VPNA 0.0.0.0 0.0.0.0 200.1.1.2 global -- VRF static default route pointing to a next hop in the global routing table
ip nat pool VPNA_POOL 201.1.1.1 201.1.1.10 prefix-length 28
ip nat inside source route-map VPNA pool VPNA_POOL vrf VPNA overload -- this will NAT all the traffic coming from 10.10.1.0/24 subnet under VRF named VPNA
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
route-map VPNA permit 10
match ip address 100
PE1:
PE1#show ip route vrf VPNA 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
Last update from 3.3.3.3 00:23:25 ago
Routing Descriptor Blocks:
* 3.3.3.3 (Default-IP-Routing-Table), from 3.3.3.3, 00:23:25 ago
Route metric is 0, traffic share count is 1
AS Hops 0
CE1#show ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 10
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
1
100
10.1.1.1 from 10.1.1.1 (1.1.1.1)
Origin incomplete, localpref 100, valid, external, best
CE1#ping 100.100.100.100 source 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/299/592 ms
CE1#
GW:
GW#show ip nat translations vrf VPNA
Pro Inside global Inside local Outside local Outside global
icmp 201.1.1.1:3 10.10.1.1:3 100.100.100.100:3 100.100.100.100:3
GW#
Internet Access using a separate VRF for internet service
This approach is also known as shared services. A shared-services VRF provides other VRFs in the MPLS L3 VPN network with access to a required service such as the Internet. Reachability is established with route-target values: the shared-services VRF exports its routes with its own route-target, and it must also import the routes of the VRFs that require Internet access so that return traffic has a path. This is one of the simplest and most scalable methods of providing Internet access, or access to any other shared service, because the only configuration required is importing and exporting routes between each VRF and the shared-services VRF using route-target values. As depicted in the diagram below, the Internet service is now configured in its own VRF, which exports a default route for the other VRFs to import.
Configuration portion of GW PE:
ip vrf Internet
rd 100:100
route-target export 100:100
route-target import 100:100
route-target import 1:10 -- import the routes of the VRF that needs to access the shared service (Internet) to provide two-way reachability
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf Internet
no synchronization
network 0.0.0.0 --- to inject default route into Internet VRF MP-BGP address family
exit-address-family
!
ip route vrf Internet 0.0.0.0 0.0.0.0 200.1.1.2 -- default static route for VRF Internet pointing to the Internet gateway
!
Note:
The above configuration imports and exports without any filtering; however, you can import and export prefixes selectively between the shared-services VRF and any other VRF by using a route-map.
PE1:
Interfaces:
Fa2/0
Connected addresses are not in global routing table
Export VPN route-target communities
RT:1:10
Import VPN route-target communities
RT:1:10 RT:100:100 -- to receive Internet VRF default route
PE1#show ip bgp vpnv4 all
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf VPNA)
*>i0.0.0.0 3.3.3.3 0 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 100:100
*>i0.0.0.0 3.3.3.3 0 100 0 i
PE1#
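The shared-services design works because a VRF only installs a route whose route-targets intersect its import set: VPNA (export 1:10, import 1:10 and 100:100) receives the Internet VRF's default, the Internet VRF (export 100:100, import 100:100 and 1:10) receives VPNA's prefixes for the return path, and two customers that both import 100:100 still never see each other's routes. The following is an added example, not part of the original document: a Python model of that import/export decision using the route-targets from the GW and PE1 configuration above. A second customer VRF VPNB with route-target 1:20 and prefix 10.2.2.0/24, and an extra prefix 203.0.113.0/24 originated in the Internet VRF, are assumptions added to show the isolation property and the selective-import note (a route-map analogue that accepts only the default route from the shared VRF). Note that since the Internet VRF imports every customer's prefixes, customers with overlapping private address space would collide inside it; that is where VRF-aware NAT or selective import comes in.

```python
"""
Added example, not from the original document: a minimal model of how
MP-BGP route-target import/export decides which routes land in which VRF.
A locally originated route carries the export route-targets of its VRF;
another VRF imports it when at least one of those route-targets is in its
import set, subject to an optional import filter (the route-map case).
"""
from collections import namedtuple

Vrf = namedtuple("Vrf", "name export_rts import_rts")

# Route-targets taken from the document; VPNB (1:20) is an assumed second customer.
VRFS = {
    "VPNA": Vrf("VPNA", {"1:10"}, {"1:10", "100:100"}),
    "VPNB": Vrf("VPNB", {"1:20"}, {"1:20", "100:100"}),
    "Internet": Vrf("Internet", {"100:100"}, {"100:100", "1:10", "1:20"}),
}

# Constructed originated routes: 10.1.1.0/24 and 0.0.0.0/0 appear in the
# document; 10.2.2.0/24 and 203.0.113.0/24 are assumed for the demonstration.
ORIGINATED = {
    "VPNA": ["10.1.1.0/24"],
    "VPNB": ["10.2.2.0/24"],
    "Internet": ["0.0.0.0/0", "203.0.113.0/24"],
}


def compute_tables(vrfs, originated, import_filters=None):
    """Return {vrf_name: set(prefixes)} after applying import/export rules."""
    import_filters = import_filters or {}
    tables = {name: set() for name in vrfs}
    for origin, prefixes in originated.items():
        route_rts = vrfs[origin].export_rts  # RTs attached on export
        for prefix in prefixes:
            tables[origin].add(prefix)  # local routes are always in their own VRF
            for vrf in vrfs.values():
                if vrf.name == origin or not (route_rts & vrf.import_rts):
                    continue
                accept = import_filters.get(vrf.name, lambda p, rts: True)
                if accept(prefix, route_rts):
                    tables[vrf.name].add(prefix)
    return tables


def default_only_from_shared(prefix, route_rts):
    """Route-map analogue: from the shared-service RT accept only the default route."""
    if "100:100" in route_rts:
        return prefix == "0.0.0.0/0"
    return True


def customers_isolated(tables):
    """True when neither customer VRF carries the other's prefix."""
    return ("10.2.2.0/24" not in tables["VPNA"]
            and "10.1.1.0/24" not in tables["VPNB"])


def customer_filters():
    """Apply the selective import to both customer VRFs."""
    return {"VPNA": default_only_from_shared, "VPNB": default_only_from_shared}


if __name__ == "__main__":
    for label, filters in (("unfiltered", None), ("default only", customer_filters())):
        print(label)
        for name, prefixes in compute_tables(VRFS, ORIGINATED, filters).items():
            print(f"  {name:<9} {sorted(prefixes)}")
```

Without a filter each customer VRF receives everything the Internet VRF originates, while the selective import keeps only 0.0.0.0/0 in VPNA and VPNB; in both cases the Internet VRF holds every customer prefix and the customer VRFs hold none of each other's.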
Thank you
Marwan Alshawi
Great Doc ...
We tried to implement this solution, and it works (vrf-aware nat) with our L3 VPN implementations (L3 VPN + vrf-aware IPsec + vrf-aware PPTP).
Our problem is how to limit bandwidth to each vrf-aware nat customer.
Ex. a vrf with 3 x 10Mb L3vpn access but only 10Mb internet access.
Any ideas?? Now we're thinking vrf vlan mapping to a FWSM, with a context for each customer, and doing police-map on the SUP720 for each vlan.
Thanks
RAC
It's very good and informative. For more on route leaking please visit the MPLSVPN blog link
http://www.mplsvpn.info/2009/03/provisioning-internet-with-internet-vrf.html
regards
shivlu jain
Hi.
Thanks, very useful.
But I have one question...
How to configure the GW router if I have 2 ISPs or more and want to load balance traffic via different ISPs issue localpref.
Hi .
I solved this problem by adding the route "ip route 0.0.0.0 0.0.0.0 vrf OUT null 0" and "network 0.0.0.0" in router bgp.
here config:
ip vrf OUT
rd 333:1
route-target export 333:1
route-target import 300:0
router bgp 65200
bgp router-id 10.0.0.3
no bgp enforce-first-as
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 10.0.0.4 remote-as 65200
neighbor 10.0.0.4 inherit peer-session iBGP_session
neighbor 10.0.0.4 update-source Loopback0
neighbor 10.0.0.4 fall-over
address-family ipv4
redistribute connected
neighbor 10.0.0.4 activate
neighbor 10.0.0.4 send-community both
neighbor 10.0.0.4 default-originate
address-family ipv4 vrf OUT
redistribute connected
redistribute static
neighbor <ISP1> remote-as 65000
neighbor <ISP1> local-as 65200 no-prepend replace-as
neighbor <ISP2> remote-as 65001
neighbor <ISP2> local-as 65200 no-prepend replace-as
thank you so much. :D
Thanks a lot
Let's revive this ol' dog by examining the following..
Let's say the GW router is in fact 2 routers, multi-homed, with full tables doing iBGP. between them. Now I'm assuming since you're only injecting the default route at the PE, that is in fact all the CEs will receive, correct? Even minus any prefix filtering in place.
Scenario 2: Let's say for the sake of lab'ing, the 2 GW routers are also the PEs, receiving full tables doing iBGP between them. Would you still consider running Internet/Shared service in its own VRF and how might you only export a default route from the Shared VRF so that customer CE VRFs don't end up having 98k routes, not to mention tapping out on MPLS labels for each prefix? This would obviously escalate very quickly. Somehow when configuring the static default route back to the CE VRF for Internet, would you use Null0 as the next-hop? And what if the CE-customer was advertising public prefixes at the same time?
@Bill H make new post and list your Q there
MHM