Internet over MPLS VPN is a common enterprise design where Internet traffic from branch offices is routed through a central site. In this lesson, we explain how advertising a default route in a VRF allows secure Internet access for branches over the MPLS VPN backbone.
Internet over MPLS VPN Fundamentals
In this lesson and the following one, we will explore two methods of providing Internet access over an MPLS VPN.
In this lesson, we focus on the scenario where the central office of an enterprise, connected to the MPLS VPN backbone, has Internet access through a separate Internet provider. The central site then shares this Internet connectivity with its remote branches by advertising a default route within the VRF across the MPLS VPN backbone.
In the next lesson, we will cover the second method (Internet as a service in MPLS VPN), where the MPLS VPN provider and the Internet provider are the same. In this design, the enterprise uses a single connection to the provider to receive both Internet access and private communication between its branch offices.
Internet over MPLS VPN Configuration Example
This lesson builds on the previous ones, extending the design to share Internet access over MPLS VPN from the central office to branch offices within an enterprise by advertising a default route in the enterprise VRF.
In our topology, we have Customer A with two branches connected to the MPLS VPN backbone. Connectivity between the central office and branches is already in place using BGP between PE and CE routers, as implemented in the earlier lesson.
What is new here is that the central office of Customer A now obtains Internet access through a separate ISP. In other words, the MPLS VPN provider and the Internet provider are two different providers. The objective is to share this Internet connectivity from the central office to the branches.
As shown in the topology, A1 (the central office) is connected to an ISP using a public IP address from the subnet 12.1.1.0/24. To simulate Internet access, a loopback interface with the IP address 8.8.8.8 is also configured on the ISP router.
The central office (A1) has a default route pointing toward the ISP. Additionally, NAT is enabled between the internal and external interfaces so that any enterprise traffic destined for the Internet is translated to the public IP address assigned to the external interface.
## ISP1
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 no shutdown
 ip address 12.1.1.1 255.255.255.0
## A1
interface Ethernet0/0
 no shutdown
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1
 no shutdown
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
access-list 1 permit any
!
ip nat inside source list 1 interface Ethernet0/1 overload
One possible solution for sharing Internet access from the central office to the branches is to create tunnels from the central office to each branch and route Internet traffic through them. This approach is independent of the MPLS provider but is outside the scope of this course and will not be discussed further.
The solution we focus on in this lesson involves cooperation with the MPLS service provider. By advertising a default route inside the VRF from the PE router at the central office to other PE routers serving the branches, Internet access can be extended across the enterprise. This is the design we will implement in this lesson.
## PE1
ip route vrf A 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.2
!
router bgp 65001
 address-family ipv4 vrf A
  network 0.0.0.0
This section shows the complete BGP configuration on router PE1, including the configuration to advertise the default route.
ip route vrf A 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.2
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  network 0.0.0.0
  neighbor 172.16.1.2 remote-as 65002
  neighbor 172.16.1.2 activate
 exit-address-family
Verifying Advertised Default Route and Internet Connectivity
Now, we can check the BGP table and the VRF A routing table on PE2 or PE3 to verify that the default route has been successfully advertised between the PE routers.
PE2#show ip bgp vpnv4 vrf A
...
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf A)
*>i 0.0.0.0 10.10.10.1 0 100 0 i
*>i 172.16.1.0/24 10.10.10.1 0 100 0 65002 i
r> 172.16.2.0/24 172.16.2.2 0 0 65002 i
*>i 172.16.3.0/24 10.10.10.3 0 100 0 65002 i
*>i 172.16.11.0/24 10.10.10.1 0 100 0 65002 i
*> 172.16.12.0/24 172.16.2.2 0 0 65002 i
*>i 172.16.13.0/24 10.10.10.3 0 100 0 65002 i
PE2#show ip route vrf A
...
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
B* 0.0.0.0/0 [200/0] via 10.10.10.1, 00:15:34
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback50
172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
B 172.16.1.0/24 [200/0] via 10.10.10.1, 00:29:51
C 172.16.2.0/24 is directly connected, Ethernet0/1
L 172.16.2.1/32 is directly connected, Ethernet0/1
B 172.16.3.0/24 [200/0] via 10.10.10.3, 00:29:53
B 172.16.11.0/24 [200/0] via 10.10.10.1, 00:29:51
B 172.16.12.0/24 [20/0] via 172.16.2.2, 00:29:53
B 172.16.13.0/24 [200/0] via 10.10.10.3, 00:29:53
Using the command "show ip bgp vpnv4 vrf A labels", we can also check which VPN label (inner label) is assigned to the default route when it is advertised to other PE routers. In this output, we can see that label 16 is assigned to the default route. The other PE routers must use this label as the VPN label when they forward VRF A traffic to Internet destinations.
PE1#show ip bgp vpnv4 vrf A labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:100 (A)
   0.0.0.0          172.16.1.2      16/nolabel
   172.16.1.0/24    172.16.1.2      22/nolabel
   172.16.2.0/24    10.10.10.2      nolabel/22
   172.16.3.0/24    10.10.10.3      nolabel/21
   172.16.11.0/24   172.16.1.2      23/nolabel
   172.16.12.0/24   10.10.10.2      nolabel/23
   172.16.13.0/24   10.10.10.3      nolabel/22
We can also trace traffic from A2 and A3 to the Internet to verify that it is being properly routed through the MPLS VPN backbone. Additionally, you can verify the VPN label by tracing traffic from the branches to the Internet destination.
A2#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.2.1 2 msec 6 msec 6 msec
  2 10.0.2.10 [AS 65001] [MPLS: Labels 20/16 Exp 0] 1 msec 2 msec 1 msec
  3 172.16.1.1 [AS 65001] [MPLS: Label 16 Exp 0] 1 msec 0 msec 1 msec
  4 172.16.1.2 [AS 65001] 1 msec 1 msec 1 msec
  5 12.1.1.1 [AS 65001] 1 msec 1 msec 1 msec
A2#
A3#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.3.1 6 msec 4 msec 4 msec
  2 10.0.3.10 [AS 65001] [MPLS: Labels 20/16 Exp 0] 6 msec 6 msec 1 msec
  3 172.16.1.1 [AS 65002] [MPLS: Label 16 Exp 0] 4 msec 0 msec 1 msec
  4 172.16.1.2 [AS 65002] 5 msec 1 msec 1 msec
  5 12.1.1.1 [AS 65001] 1 msec 5 msec 2 msec
A3#
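The label check described above can be automated. This is an added example, not part of the lesson: it parses the lesson's "show ip bgp vpnv4 vrf A labels" output and a branch traceroute (both copied inline as sample strings) and confirms that the bottom label on every MPLS hop is the in-label PE1 assigned to the VRF default route. The regular expressions are assumptions about IOS output layout, not a vendor API.

```python
import re

# Sample outputs copied from the lesson (PE1 labels table, A2 traceroute), trimmed.
LABELS_OUTPUT = """\
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:100 (A)
   0.0.0.0          172.16.1.2      16/nolabel
   172.16.1.0/24    172.16.1.2      22/nolabel
   172.16.2.0/24    10.10.10.2      nolabel/22
"""

TRACEROUTE_OUTPUT = """\
  1 172.16.2.1 2 msec 6 msec 6 msec
  2 10.0.2.10 [AS 65001] [MPLS: Labels 20/16 Exp 0] 1 msec 2 msec 1 msec
  3 172.16.1.1 [AS 65001] [MPLS: Label 16 Exp 0] 1 msec 0 msec 1 msec
  4 172.16.1.2 [AS 65001] 1 msec 1 msec 1 msec
  5 12.1.1.1 [AS 65001] 1 msec 1 msec 1 msec
"""

# One row of the labels table: prefix, next hop, in-label/out-label (assumed layout).
LABEL_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)/(\S+)\s*$")
# One traceroute hop carrying an MPLS stack, e.g. "[MPLS: Labels 20/16 Exp 0]".
HOP = re.compile(r"^\s*(\d+)\s+(\S+).*?\[MPLS: Labels?\s+([\d/]+)")


def vpn_in_label(output, prefix="0.0.0.0"):
    """Return the locally assigned (in) label for `prefix`, or None if none is advertised."""
    for line in output.splitlines():
        m = LABEL_ROW.match(line)
        if m and m.group(1) == prefix and m.group(3) != "nolabel":
            return int(m.group(3))
    return None


def label_stacks(output):
    """Map hop number -> label stack (outer label first) for hops that report one."""
    stacks = {}
    for line in output.splitlines():
        m = HOP.match(line)
        if m:
            stacks[int(m.group(1))] = [int(x) for x in m.group(3).split("/")]
    return stacks


def default_route_label_ok(labels_output, traceroute_output):
    """True when every labelled hop carries the default route's VPN label at the bottom of its stack."""
    expected = vpn_in_label(labels_output)
    stacks = label_stacks(traceroute_output)
    return expected is not None and bool(stacks) and all(s[-1] == expected for s in stacks.values())
```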
PE Router Full Configurations
hostname PE1
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Loopback50
 ip vrf forwarding A
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.1.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  network 0.0.0.0
  neighbor 172.16.1.2 remote-as 65002
  neighbor 172.16.1.2 activate
 exit-address-family
!
ip route vrf A 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.2
!
mpls ldp router-id Loopback0
hostname PE2
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Loopback50
 ip vrf forwarding A
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.2.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  neighbor 172.16.2.2 remote-as 65002
  neighbor 172.16.2.2 activate
  neighbor 172.16.2.2 as-override
 exit-address-family
!
mpls ldp router-id Loopback0