
Providing Internet Access for MPLS L3 VPNs

Document
Wed, 08/26/2015 - 21:14

Marwan ALshawi 6 years ago

Overview:
Internet access is one of the common services included in MPLS L3 VPN deployments,
in both service-provider and enterprise networks, and it can be provided in several
ways. This document discusses the following methods:
Route leaking between the VRFs and the global routing table of the PE
Using a dedicated VRF for the Internet service, also known as a shared-services VRF
It also covers the configuration of VRF-aware NAT on the edge PE router that faces
the Internet gateway.
Internet access using route leaking between the VRFs and the global routing table of
the PEs
With this method, each PE in the service-provider or enterprise MPLS network uses a
default route in its global routing table to forward Internet traffic received from
the CE routers. Each CE router has a default route, either injected by the directly
connected PE or configured as a static default route on the CE itself.

As shown in the above diagram, CE1 receives a default route from PE1 through BGP.
PE1 has a static default route under each VRF that needs Internet access, pointing
to a next hop in the global routing table: the PE called GW, which represents an
Internet gateway (a router or a firewall). The same concept and configuration apply
to every PE-CE pair.
In this example we assume that the internal network of CE1 is 10.10.1.0/24 and that
the address range allocated to the CE1 site for use on the Internet is 120.1.1.0/30.
NAT is configured on CE1 so that traffic to the Internet is sourced from the
120.1.1.0/30 range.
One caveat with this design: the VRF default route sends everything the VRF does not
know towards the global table, so provider infrastructure addresses that live there
(P and PE loopbacks, for example) become reachable from the CE unless they are
filtered with an ACL on the CE-facing interface or at GW.
CE1:
ip nat pool pool1 120.1.1.1 120.1.1.2 prefix-length 30
ip nat inside source list 100 pool pool1 overload
!
! the first two entries exclude traffic going to CE2 (10.20.1.0/24 and 20.1.1.0/24)
! from being NATed, so that intra-VPN traffic keeps its original addresses
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
! (interface-level "ip nat inside" on the LAN interface and "ip nat outside" on the
!  link to PE1 are also required; they are not shown in the original)
!
router bgp 65001
 no synchronization
 neighbor 10.1.1.1 remote-as 100
 no auto-summary
CE1#show ip bgp
BGP table version is 4, local router ID is 150.1.1.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.1.1                                 0 100 i
r> 10.1.1.0/24      10.1.1.1                 0             0 100 ?
CE1#
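The NAT exemption on CE1 only works if every intra-VPN destination is denied before the permit entry, and that list has to be kept in step with the prefixes the site learns over BGP. As an added check that is not part of the original document, the following Python parses the CE1 ACL exactly as written above, evaluates it the way IOS does (first match wins, implicit deny at the end) and reports any VPN prefix that the ACL would still translate. The three ACL lines are the document's; the VPN prefix list, including an assumed third site 10.30.1.0/24 that the ACL does not exclude, is constructed for the example.

```python
"""NAT-exemption check for the CE1 ACL (added example, not from the original
document). Parses IOS numbered 'access-list N {permit|deny} ip ...' entries,
evaluates them first-match / implicit-deny, and lists remote VPN prefixes that
the NAT ACL would still translate."""
from ipaddress import ip_address, ip_network

# ACL lines copied from the CE1 configuration in the document
CE1_ACL = """\
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
"""
# Prefixes reachable inside the VPN (what CE1 learns from PE1). Constructed:
# 10.30.1.0/24 is an assumed third site that the ACL above does not exclude.
VPN_PREFIXES = ["10.20.1.0/24", "20.1.1.0/24", "10.30.1.0/24"]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into a network. Only contiguous
    wildcards (the usual case) are supported; anything else is rejected."""
    mask = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for the extended 'ip' entries of ACL number."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", str(number)] or tok[3] != "ip":
            continue
        src, rest = _take_address(tok[4:])
        dst, _ = _take_address(rest)
        entries.append((tok[2], src, dst))
    return entries


def would_nat(entries, src, dst):
    """True if a packet src->dst matches a permit entry (and is therefore NATed)."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False  # implicit deny: the packet is not translated


def intra_vpn_nat_gaps(entries, inside, vpn_prefixes):
    """Remote VPN prefixes for which at least part of the traffic from 'inside'
    would be NATed. A prefix is safe only when a deny entry covering all of it
    precedes the first overlapping permit entry."""
    inside = ip_network(inside)
    gaps = []
    for pfx in map(ip_network, vpn_prefixes):
        for action, snet, dnet in entries:
            if not inside.overlaps(snet) or not pfx.overlaps(dnet):
                continue
            if action == "deny" and pfx.subnet_of(dnet):
                break  # fully excluded before any permit
            if action == "permit":
                gaps.append(str(pfx))
                break
    return gaps


if __name__ == "__main__":
    acl = parse_acl(CE1_ACL, 100)
    print("Internet-bound, NATed:", would_nat(acl, "10.10.1.1", "100.100.100.100"))
    print("to CE2, left alone:", would_nat(acl, "10.10.1.1", "10.20.1.7"))
    print("VPN prefixes the ACL still NATs:",
          intra_vpn_nat_gaps(acl, "10.10.1.0/24", VPN_PREFIXES))
```

Running it against the document's ACL reports 10.30.1.0/24 as a gap: a host behind CE1 talking to that site would have its source translated to the public pool and the reply would be routed towards the Internet instead of back through the VPN. Feeding the check the real BGP prefix list from `show ip bgp` on the CE turns it into a quick audit whenever a site is added.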
PE1:
interface FastEthernet2/0
 ip vrf forwarding VPNA
 ip address 10.1.1.1 255.255.255.0
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 ! advertise the CE1 public range through the global BGP table so that GW can reach it
 network 120.1.1.0 mask 255.255.255.252
 !
 address-family ipv4 vrf VPNA
  neighbor 10.1.1.10 remote-as 65001
  neighbor 10.1.1.10 activate
  ! inject the default route to CE1
  neighbor 10.1.1.10 default-originate
  no synchronization
 exit-address-family
!
! global static route that makes the CE1 public range reachable from the global
! table through the VRF interface (return traffic from the Internet)
ip route 120.1.1.0 255.255.255.252 FastEthernet2/0 10.1.1.10
! VRF static default route whose next hop is resolved in the global routing table
ip route vrf VPNA 0.0.0.0 0.0.0.0 192.168.1.2 global
PE1#sho ip route vrf VPNA 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Redistributing via bgp 100
Routing Descriptor Blocks:
* 192.168.1.2 (Default-IP-Routing-Table)
Route metric is 0, traffic share count is 1
CE1#ping 100.100.100.100 source 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/534/1192 ms
CE1#show ip nat translations
Pro  Inside global      Inside local       Outside local         Outside global
icmp 120.1.1.1:19      10.10.1.1:19       100.100.100.100:19    100.100.100.100:19
CE1#
VRF-aware NAT
The same route-leaking concept can be used, but instead of configuring it on every
PE it is configured only on the PE that is directly connected to the Internet
gateway, and that PE performs the NAT for all the VRFs using what is known as
VRF-aware NAT. Because the VRF is part of the translation key, VRFs may even use
overlapping private address space, each mapped to its own public pool.
Using the same topology as above, standard MP-BGP L3 VPN routes are exchanged
between all PEs including the GW PE, but this time the GW PE injects a default route
into all the VRFs through MP-BGP. GW has a static default route in each VRF whose
next hop resides in the global routing table, and VRF-aware NAT is configured on GW
to translate the CEs' traffic going to the Internet.
GW:
! add every VRF in the MPLS network that needs to be NATed; VPNA is shown here
ip vrf VPNA
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
interface FastEthernet1/0
 description ## connected to P ###
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 mpls ip
!
interface FastEthernet1/1
 description ## connected to Internet Gateway/Firewall ##
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPNA
  ! generate the default route in the VRF address family so it is advertised to the other PEs
  default-information originate
  no synchronization
 exit-address-family
!
! VRF static default route pointing to a next hop in the global routing table
ip route vrf VPNA 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat pool VPNA_POOL 201.1.1.1 201.1.1.10 prefix-length 28
! translate all traffic from 10.10.1.0/24 (ACL 100 via route-map VPNA) arriving in VRF VPNA
ip nat inside source route-map VPNA pool VPNA_POOL vrf VPNA overload
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
route-map VPNA permit 10
 match ip address 100
PE1:
PE1#show ip route vrf VPNA 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
Last update from 3.3.3.3 00:23:25 ago
Routing Descriptor Blocks:
* 3.3.3.3 (Default-IP-Routing-Table), from 3.3.3.3, 00:23:25 ago
Route metric is 0, traffic share count is 1
AS Hops 0
CE1#show ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 10
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  100
    10.1.1.1 from 10.1.1.1 (1.1.1.1)
      Origin incomplete, localpref 100, valid, external, best
CE1#ping 100.100.100.100 source 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/299/592 ms
CE1#
GW:
GW#show ip nat translations vrf VPNA
Pro  Inside global      Inside local       Outside local         Outside global
icmp 201.1.1.1:3       10.10.1.1:3        100.100.100.100:3     100.100.100.100:3
GW#
Internet access using a separate VRF for the Internet service
This approach is also known as shared services. A shared-services VRF lets the other
VRFs in the MPLS L3 VPN network reach a required service such as the Internet. The
shared-services VRF provides reachability to the other VRFs by exporting its routes
with its own route-target value, and it must also import the routes of the VRFs that
require Internet access so that reachability works in both directions. This is one
of the simplest and most scalable ways of providing Internet access, or access to
any other shared service, because the only configuration required is the
route-target import and export between each VRF and the shared-services VRF. As
depicted in the diagram below, the Internet service is now configured in its own
VRF, and that VRF exports a default route which the other VRFs import to obtain
Internet access.

Configuration portion of GW PE:
ip vrf Internet
 rd 100:100
 route-target export 100:100
 route-target import 100:100
 ! import the routes of each VRF that needs the shared service (Internet)
 ! so that reachability is two-way
 route-target import 1:10
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Internet
  no synchronization
  ! inject the default route into the Internet VRF MP-BGP address family
  network 0.0.0.0
 exit-address-family
!
! default static route for VRF Internet pointing to the Internet gateway
ip route vrf Internet 0.0.0.0 0.0.0.0 200.1.1.2
Note:
The configuration above imports and exports without any filtering. Prefixes can be
imported and exported selectively between the shared-services VRF and any other VRF
by attaching a route-map (an import map on the receiving VRF). This matters more
than it looks: with unfiltered imports the Internet VRF on GW holds every customer's
internal prefixes, so it can act as a transit path between customer VPNs that are
otherwise isolated, and two customers with overlapping private address space cannot
both be imported into that single table. A safer policy is to import only the default
route into the customer VRFs and only each customer's Internet-facing (public or NAT)
prefixes into the Internet VRF.
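To make the effect of the route-target import and export policy visible, here is an added Python model (not code from the original document or from Cisco) that builds the per-VRF tables MP-BGP import would produce and then does a longest-prefix lookup in each of them. VPNA (RT 1:10) and the Internet VRF (RT 100:100) follow the document; a second customer VPNB (RT 1:20, site 10.20.1.0/24 behind PE2, public range 120.1.2.0/30) is assumed, as is the public range 120.1.1.0/30 for VPNA; the `FILTERED` policy stands in for the import maps described in the note.

```python
"""Route-target import/export model for the shared-services (Internet VRF) design.
Added example, not from the original document or from Cisco. Topology: VPNA and the
Internet VRF as in the document; VPNB and the public ranges are assumed."""
from ipaddress import ip_address, ip_network

VRFS = {
    "VPNA": {"export": "1:10", "import": {"1:10", "100:100"},
             "local": {"10.10.1.0/24": "CE1", "120.1.1.0/30": "CE1"}},
    "VPNB": {"export": "1:20", "import": {"1:20", "100:100"},          # assumed customer
             "local": {"10.20.1.0/24": "CE2", "120.1.2.0/30": "CE2"}},
    "Internet": {"export": "100:100", "import": {"100:100", "1:10", "1:20"},
                 "local": {"0.0.0.0/0": "200.1.1.2", "200.1.1.0/24": "Fa1/1"}},
}

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)


# Import filters playing the role of 'import map' route-maps (assumed policy):
# customers take only the default route, the Internet VRF takes only public prefixes.
FILTERED = {
    "Internet": lambda net: not is_rfc1918(net),
    "VPNA": lambda net: net.prefixlen == 0,
    "VPNB": lambda net: net.prefixlen == 0,
}


def build_tables(vrfs, import_maps=None):
    """Return {vrf: {prefix: (origin_vrf, exit)}} after RT import.

    Only locally originated routes are exported; an imported route is never
    re-exported, which is why VPNA never sees VPNB's routes even though both
    import 100:100. 'exit' only names where the route leaves the network."""
    import_maps = import_maps or {}
    exported = {}
    for name, v in vrfs.items():
        for pfx, exit_ in v["local"].items():
            exported.setdefault(v["export"], []).append((name, ip_network(pfx), exit_))
    tables = {}
    for name, v in vrfs.items():
        table = {ip_network(p): (name, e) for p, e in v["local"].items()}
        accept = import_maps.get(name, lambda net: True)
        for rt in v["import"]:
            for origin, net, exit_ in exported.get(rt, []):
                if origin != name and net not in table and accept(net):
                    table[net] = (origin, exit_)
        tables[name] = table
    return tables


def lookup(table, dst):
    """Longest-prefix match: (prefix, origin_vrf, exit) or None."""
    addr = ip_address(dst)
    hits = [(net, o, e) for net, (o, e) in table.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def prefixes(table):
    return sorted(str(net) for net in table)


def transit_exposure(tables, shared="Internet"):
    """RFC1918 customer prefixes present in the shared VRF table. Any packet that
    is IP-looked-up in that table and matches one of them is forwarded into that
    customer's VPN rather than out to the Internet gateway."""
    return sorted((origin, str(net)) for net, (origin, _) in tables[shared].items()
                  if origin != shared and is_rfc1918(net))


if __name__ == "__main__":
    t = build_tables(VRFS)
    print("VPNA table:", prefixes(t["VPNA"]))                        # no VPNB prefixes
    print("PE1/VPNA -> 10.20.1.5:", lookup(t["VPNA"], "10.20.1.5"))  # default route
    print("GW/Internet -> 10.20.1.5:", lookup(t["Internet"], "10.20.1.5"))  # VPNB's /24
    print("exposed in Internet VRF:", transit_exposure(t))
    f = build_tables(VRFS, FILTERED)
    print("after import filtering:", transit_exposure(f), lookup(f["Internet"], "10.20.1.5"))
```

With the document's unfiltered imports, the VPNA table is clean (isolation between customers holds at the PE), but the Internet VRF on GW resolves 10.20.1.5 to VPNB, so a VPNA packet that follows the default route and is IP-looked-up in that VRF ends up inside VPNB. Whether GW actually performs that second lookup depends on the label it advertised for the default route (an aggregate label forces an IP lookup, a per-prefix label switches the packet straight to 200.1.1.2), so do not rely on label behaviour: with the filtered policy the exposure list is empty and the same destination falls through to the gateway.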
PE1 (VRF VPNA detail, abridged):
  Interfaces:
    Fa2/0
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:10
  Import VPN route-target communities
    RT:1:10                  RT:100:100   <-- imported to receive the Internet VRF default route
PE1#show ip bgp vpnv4 all
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf VPNA)
*>i0.0.0.0          3.3.3.3                  0    100      0 i
*> 10.1.1.0/24      0.0.0.0                  0         32768 ?
Route Distinguisher: 100:100
*>i0.0.0.0          3.3.3.3                  0    100      0 i
PE1#
Thank you
Marwan Alshawi
Comments

vothongg@gmail.com 10 months ago


thank you so much. :D

TimurKaneev 6 years ago


Hi.
I solved this problem by adding the route "ip route 0.0.0.0 0.0.0.0 vrf OUT null 0" and
"network 0.0.0.0" in router bgp.
Here is the config:
ip vrf OUT
 rd 333:1
 route-target export 333:1
 route-target import 300:0
!
router bgp 65200
 bgp router-id 10.0.0.3
 no bgp enforce-first-as
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.0.0.4 remote-as 65200
 neighbor 10.0.0.4 inherit peer-session iBGP_session
 neighbor 10.0.0.4 update-source Loopback0
 neighbor 10.0.0.4 fall-over
 !
 address-family ipv4
  redistribute connected
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community both
  neighbor 10.0.0.4 default-originate
 !
 address-family ipv4 vrf OUT
  redistribute connected
  redistribute static
  neighbor <ISP1> remote-as 65000
  neighbor <ISP1> local-as 65200 no-prepend replace-as
  neighbor <ISP2> remote-as 65001
  neighbor <ISP2> local-as 65200 no-prepend replace-as
  default-information originate
  no synchronization
  network 0.0.0.0
!
ip route vrf OUT 0.0.0.0 0.0.0.0 Null0

TimurKaneev 6 years ago


Hi.
Thanks, very useful.
But I have one question...
How do I configure the GW router if I have 2 or more ISPs and want to load-balance
traffic via different ISPs using localpref?

shivlu jain 6 years ago

It's a very good and informative document. For more on route leaking please visit the
MPLSVPN blog link
http://www.mplsvpn.info/2009/03/provisioning-internet-with-internet-vrf.html
regards
shivlu jain

racarvalho 6 years ago


Great doc...
We tried to implement this solution, and it works (VRF-aware NAT) with our L3 VPN
implementations (L3 VPN + VRF-aware IPsec + VRF-aware PPTP).
Our problem is how to limit bandwidth for each VRF-aware NAT customer.
E.g. a VRF with 3 x 10Mb L3VPN access but only 10Mb Internet access.
Any ideas? Now we're thinking of VRF-to-VLAN mapping to a FWSM, with a context for
each customer, and doing a policy-map on the SUP720 for each VLAN.
Thanks
