Wed, 08/26/2015 - 21:14
Overview:
One of the common services included in the MPLS L3 VPN implementations of
service providers and enterprise networks is Internet access, which can be
provided in several ways. This document discusses the following methods:
Route leaking between the VRFs and the global routing table of the PE
Using a dedicated VRF for the Internet service, also known as shared services
Furthermore, this document discusses the configuration of VRF-aware NAT on
the edge PE router facing the Internet gateway.
Internet access using route leaking between the VRFs and the global routing table of the PEs
With this method, each PE in the service provider or enterprise MPLS network
uses a default route in its global routing table to route Internet traffic
coming from the CE routers. Each CE router has a default route, either injected
by the directly connected PE or configured as a static default route on the CE.
As shown in the diagram above, CE1 receives a default route from PE1 through
BGP. PE1 has a static default route under each VRF that needs Internet access,
pointing to a next hop in the global routing table: the PE called GW
(representing an Internet gateway, which could be a router or a firewall). The
same concept and configuration apply to every PE-CE pair.
In this example, assume that the internal network of CE1 is 10.10.1.0/24 and
that the addresses allocated to the CE1 site for use on the Internet are
120.1.1.0/30. NAT is configured on CE1 so that traffic to the Internet uses the
120.1.1.0/30 subnet.
CE1:
ip nat pool pool1 120.1.1.1 120.1.1.2 prefix-length 30
ip nat inside source list 100 pool pool1 overload
!
! the first two entries exclude traffic going to CE2 from being NATed
access-list 100 deny ip any 10.20.1.0 0.0.0.255
access-list 100 deny ip any 20.1.1.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
router bgp 65001
 no synchronization
 neighbor 10.1.1.1 remote-as 100
 no auto-summary
CE1#show ip bgp
BGP table version is 4, local router ID is 150.1.1.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.1.1                                 0 100 i
r> 10.1.1.0/24      10.1.1.1                 0             0 100 ?
CE1#
PE1:
interface FastEthernet2/0
 ip vrf forwarding VPNA
 ip address 10.1.1.1 255.255.255.0
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 ! advertise the CE1 public range through the global BGP table so that GW can reach it
 network 120.1.1.0 mask 255.255.255.252
 !
 address-family ipv4 vrf VPNA
  neighbor 10.1.1.10 remote-as 65001
  neighbor 10.1.1.10 activate
  ! inject the default route to CE1
  neighbor 10.1.1.10 default-originate
  no synchronization
 exit-address-family
CE1#show ip nat translations
Inside local          Outside local          Outside global
10.10.1.1:19          100.100.100.100:19     100.100.100.100:19
CE1#
VRF-aware NAT
We can use the same concept as above, leaking routes between the VRFs and the
global routing table, but instead of configuring this on every PE we configure
it only on the PE connected directly to the Internet gateway, and that PE
performs the NAT for the VRFs using what is known as VRF-aware NAT.
Using the same topology as above, standard MP-BGP L3 VPN routes are exchanged
between all PEs, including PE GW; this time, however, PE GW injects a default
route into all VRFs through MP-BGP. GW has a static default route whose next hop
resides in the global routing table, and VRF-aware NAT is configured on GW to
translate the CEs' traffic going to the Internet.
GW:
! define every VRF in the MPLS network that needs to be NATed; VPNA is shown here
ip vrf VPNA
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
interface FastEthernet1/0
 description ## connected to P ##
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 mpls ip
!
interface FastEthernet1/1
 description ## connected to Internet Gateway/Firewall ##
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPNA
  ! generate a default route in the VRF routing table and advertise it via MP-BGP;
  ! default-information originate only advertises 0.0.0.0/0 when the VRF static
  ! default below is redistributed, so redistribute static is required as well
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
!
! VRF static default route pointing to a next hop in the global routing table
ip route vrf VPNA 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat pool VPNA_POOL 201.1.1.1 201.1.1.10 prefix-length 28
! NAT all traffic coming from the 10.10.1.0/24 subnet in VRF VPNA
ip nat inside source route-map VPNA pool VPNA_POOL vrf VPNA overload
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
route-map VPNA permit 10
 match ip address 100
PE1:
PE1#show ip route vrf VPNA 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
  Last update from 3.3.3.3 00:23:25 ago
  Routing Descriptor Blocks:
  * 3.3.3.3 (Default-IP-Routing-Table), from 3.3.3.3, 00:23:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
CE1#show ip bgp 0.0.0.0
GW:
GW#show ip nat translations
Inside local          Outside local          Outside global
10.10.1.1:3           100.100.100.100:3      100.100.100.100:3
GW#
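To make the per-VRF behaviour of the GW NAT rule concrete, here is an added Python model (not from the original document or from Cisco IOS) of "ip nat inside source route-map VPNA pool VPNA_POOL vrf VPNA overload": VPNA, access-list 100 and VPNA_POOL follow the page, while VRF VPNB and its pool 202.1.1.1 are assumed, to show that an overlapping inside address in another VRF gets its own translation and that sources the route-map ACL does not match leave untranslated.

```python
import ipaddress
from itertools import chain

class VrfAwareNat:
    """Model of 'ip nat inside source route-map <map> pool <pool> vrf <vrf> overload':
    entries are keyed by VRF, and the route-map ACL decides which sources are translated."""
    def __init__(self):
        self.rules = {}          # vrf -> (acl entries, pool addresses)
        self.translations = {}   # (vrf, inside local, port) -> (inside global, port)
        self.used = set()        # (inside global, port) pairs already handed out

    def add_rule(self, vrf, acl, pool):
        # acl: ordered list of (action, network), like the page's access-list 100
        self.rules[vrf] = ([(a, ipaddress.ip_network(n)) for a, n in acl],
                           [ipaddress.ip_address(p) for p in pool])

    @staticmethod
    def acl_permits(acl, src):
        for action, net in acl:
            if src in net:
                return action == "permit"
        return False             # implicit deny at the end of every IOS ACL

    def translate(self, vrf, src, sport):
        """(inside global, port) for a packet, or None if it leaves untranslated."""
        if vrf not in self.rules:
            return None
        acl, pool = self.rules[vrf]
        src = ipaddress.ip_address(src)
        key = (vrf, src, sport)
        if key in self.translations:
            return self.translations[key]
        if not self.acl_permits(acl, src):
            return None
        for gaddr in pool:       # overload: keep the original port when it is free
            for port in chain([sport], (p for p in range(1024, 65536) if p != sport)):
                if (gaddr, port) not in self.used:
                    self.used.add((gaddr, port))
                    self.translations[key] = (str(gaddr), port)
                    return self.translations[key]
        return None              # pool exhausted

def build_gw():
    """GW as on the page (VPNA, access-list 100, VPNA_POOL) plus an assumed VRF VPNB
    that reuses 10.10.1.0/24 and has its own (assumed) pool 202.1.1.1."""
    nat = VrfAwareNat()
    nat.add_rule("VPNA", [("permit", "10.10.1.0/24")], ["201.1.1.1", "201.1.1.2"])
    nat.add_rule("VPNB", [("permit", "10.10.1.0/24")], ["202.1.1.1"])
    return nat
```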
Internet Access using a separate VRF for internet service
This approach is also known as shared services. A shared services VRF gives the
other VRFs in the MPLS L3 VPN network access to a required service such as the
Internet. The shared services VRF provides reachability to the other VRFs through
the route-target export value of the VRF; it must also import the source routes
of the VRFs that require Internet access to maintain full reachability. This is
one of the simplest and most scalable methods of providing Internet access, or
access to any other shared service, because the only configuration required is
to import and export routes between any VRF and the shared services VRF using
route-target values. As depicted in the diagram below, the Internet service is
now configured in its own VRF, and this VRF exports a default route that the
other VRFs import to obtain Internet access.
GW (the PE hosting the Internet VRF):
router bgp 100
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Internet
  no synchronization
  ! inject the default route into the Internet VRF MP-BGP address family
  network 0.0.0.0
 exit-address-family
!
! default static route for VRF Internet pointing to the Internet gateway
ip route vrf Internet 0.0.0.0 0.0.0.0 200.1.1.2
!
Note:
The configuration above imports and exports without any filtering; you can
instead import and export prefixes selectively between the shared services VRF
and any other VRF by using a route-map.
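As an added illustration (not part of the original document), the following Python model shows how the route-target import and export values decide which routes each VRF ends up with, including the selective export mentioned in the note: VPNA (RT 1:10) and the Internet VRF (RT 100:100) follow the page, while VPNB (RT 1:20, prefix 10.30.1.0/24) is an assumed second customer VPN that demonstrates the two customer VRFs stay isolated from each other.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

@dataclass(frozen=True)
class Vrf:
    name: str
    export_rt: FrozenSet[str]
    import_rt: FrozenSet[str]
    local_prefixes: FrozenSet[str]
    # optional selective export (models an export route-map): prefix -> RTs attached
    export_map: Optional[Dict[str, FrozenSet[str]]] = None

def vpnv4_table(vrfs):
    """Model MP-BGP VPNv4 advertisement: a prefix carries the export RTs of the
    VRF that originated it. Imported routes are not re-tagged, so a prefix never
    transits from one customer VRF to another through the shared services VRF."""
    table = []
    for v in vrfs:
        for p in v.local_prefixes:
            rts = v.export_rt if v.export_map is None else v.export_map.get(p, frozenset())
            table.append((p, v.name, rts))
    return table

def vrf_rib(vrf, table):
    """A VRF accepts a VPNv4 route when at least one attached RT is in its import list."""
    rib = {p: vrf.name for p in vrf.local_prefixes}
    for p, origin, rts in table:
        if origin != vrf.name and rts & vrf.import_rt:
            rib.setdefault(p, origin)
    return rib

# Topology from the page: VPNA exports 1:10 and imports 100:100 from the Internet VRF.
# VPNB (RT 1:20, 10.30.1.0/24) is assumed; 200.1.1.0/24 is the GW-to-gateway link.
VPNA = Vrf("VPNA", frozenset({"1:10"}), frozenset({"1:10", "100:100"}),
           frozenset({"10.10.1.0/24"}))
VPNB = Vrf("VPNB", frozenset({"1:20"}), frozenset({"1:20", "100:100"}),
           frozenset({"10.30.1.0/24"}))
INTERNET = Vrf("Internet", frozenset({"100:100"}), frozenset({"100:100", "1:10", "1:20"}),
               frozenset({"0.0.0.0/0", "200.1.1.0/24"}),
               export_map={"0.0.0.0/0": frozenset({"100:100"})})  # export only the default

def rib_for(name, vrfs=(VPNA, VPNB, INTERNET)):
    vrf = next(v for v in vrfs if v.name == name)
    return vrf_rib(vrf, vpnv4_table(vrfs))

if __name__ == "__main__":
    for name in ("VPNA", "VPNB", "Internet"):
        print(name, sorted(rib_for(name).items()))
```

Dropping the export_map on INTERNET would also leak 200.1.1.0/24 into every customer VRF, which is the case the note's route-map filtering avoids.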
PE1:
PE1#show ip vrf detail VPNA
  Interfaces:
    Fa2/0
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:10
  Import VPN route-target communities
    RT:1:10                  RT:100:100
(BGP VPNv4 table of VRF VPNA on PE1: the default route is learned via MP-BGP with
next hop 3.3.3.3 and local preference 100; the local prefix is originated by PE1
with next hop 0.0.0.0 and weight 32768. The Network column was not recovered.)
PE1#
Thank you
Marwan Alshawi
Comments
It's very good and informative. For more on route leaking please visit the MPLSVPN
blog link
http://www.mplsvpn.info/2009/03/provisioning-internet-with-internet-vrf.html
regards
shivlu jain