Internet as a Service in MPLS VPN Networks is another approach to providing Internet access over an MPLS VPN infrastructure.
The main advantage of this method is that customers can use the same MPLS link for both Internet access and intranet (private network) connectivity.
In the previous section, we saw how customers could share Internet access over MPLS VPN between their branches when the Internet Service Provider (ISP) is different from the MPLS VPN provider.
In this section, however, the same MPLS VPN provider delivers both intranet and Internet services.
Internet as a Service in MPLS VPN
Usually, customers use an MPLS VPN service to provide connectivity between different sites, while a separate Internet provider is used for Internet access. In such cases, the MPLS infrastructure is not utilized for Internet connectivity.
However, in this section, we will demonstrate how an MPLS VPN service provider can use the same MPLS infrastructure to offer customers both intranet and Internet connectivity through a single network.
This is the topology we will use to demonstrate Internet as a Service over an MPLS VPN infrastructure.
In this topology, there are two customers, A and B, each with a single site connected to PE1 and PE2, respectively.
Although each customer has only one site, this setup is sufficient to demonstrate the concept.
A dedicated PE router, referred to as the Internet PE router or NAT PE router (PE3), is responsible for providing Internet access.
PE3 is connected to the Internet infrastructure.
In this example, to simulate Internet connectivity, PE3 is connected to an ISP router represented by a loopback interface with IP address 8.8.8.8.
VRF and RT Design
For VRF and route-target design, the objective is to advertise the default route from PE3 to the customers, and to advertise customer prefixes that require Internet access toward PE3.
The configuration is as follows:
Route-target 1:100 is assigned to Customer A (VRF A) for internal connectivity.
Route-target 1:200 is assigned to Customer B (VRF B) for internal connectivity.
Each customer that requires Internet access will have an additional VRF instance on PE3, which advertises the default route to that customer's sites.
In this example, both Customer A and Customer B require Internet access, so both VRF A and VRF B are created on PE3.
To distribute Internet routes, a new route-target is used for advertising the default route to each customer: here, 1:1001 for VRF A and 1:1002 for VRF B.
Each customer that needs Internet access imports its customer-specific route-target to receive the default route.
Similarly, the customer prefixes that should be reachable from the Internet PE must be advertised with a specific route-target, which is imported into the corresponding VRF on the Internet PE router (PE3).
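! PE3
ip vrf A
 rd 1:1011
 route-target export 1:1001
 route-target import 1:1011
!
ip vrf B
 rd 1:10012
 route-target export 1:1002
 route-target import 1:1012
! PE1
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target export 1:1011
 route-target import 1:100
 route-target import 1:1001
! PE2
ip vrf B
 rd 1:200
 route-target export 1:200
 route-target export 1:1012
 route-target import 1:200
 route-target import 1:1002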
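The route-target plan above can be checked mechanically for customer isolation. The following is an added example, not part of the original configuration: it takes the `route-target` statements as they appear in the final device configurations, derives which VRF receives routes from which, and reports any flow between different customers. It assumes that the VRF name identifies the customer and that imported routes are not re-exported; the function names are illustrative.

```python
import re
from itertools import permutations

# VRF stanzas from the PE1, PE2 and PE3 configurations on this page (rd lines omitted).
CONFIGS = {
    "PE1": """ip vrf A
 route-target export 1:100
 route-target export 1:1011
 route-target import 1:100
 route-target import 1:1001""",
    "PE2": """ip vrf B
 route-target export 1:200
 route-target export 1:1012
 route-target import 1:200
 route-target import 1:1002""",
    "PE3": """ip vrf A
 route-target export 1:1001
 route-target import 1:1011
ip vrf B
 route-target export 1:1002
 route-target import 1:1012""",
}

def parse_vrfs(configs):
    """Return {(router, vrf): {"export": set(), "import": set()}}."""
    vrfs, current = {}, None
    for router, text in configs.items():
        for line in map(str.strip, text.splitlines()):
            if m := re.fullmatch(r"ip vrf (\S+)", line):
                current = vrfs.setdefault((router, m[1]), {"export": set(), "import": set()})
            elif m := re.fullmatch(r"route-target (export|import|both) (\S+)", line):
                for kind in ("export", "import") if m[1] == "both" else (m[1],):
                    current[kind].add(m[2])
    return vrfs

def route_flows(vrfs):
    """(src, dst) pairs where dst imports at least one RT that src exports."""
    return {(s, d) for s, d in permutations(vrfs, 2)
            if vrfs[s]["export"] & vrfs[d]["import"]}

def cross_customer_leaks(vrfs):
    """Flows between VRFs of different customers (assumption: VRF name = customer)."""
    return {(s, d) for s, d in route_flows(vrfs) if s[1] != d[1]}

if __name__ == "__main__":
    vrfs = parse_vrfs(CONFIGS)
    for src, dst in sorted(route_flows(vrfs)):
        print(f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
    print("cross-customer leaks:", sorted(cross_customer_leaks(vrfs)) or "none")
```

With the page's values the only flows are between each customer VRF and its counterpart on PE3; a single mistyped import, such as VRF B importing 1:1011, shows up as a leak from Customer A to Customer B.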
Internet Access and NAT Design
In this design, the Internet PE router (PE3) provides Internet access for all customer VRFs and performs VRF-aware NAT.
Each customer's traffic is translated to a unique public IP address before being sent toward the Internet.
This ensures that return traffic from the Internet can be correctly identified and routed back to the right customer VRF, keeping address spaces isolated while sharing the same infrastructure.
Typically, FastEthernet0/0 is configured as the NAT inside interface (toward the MPLS core) and FastEthernet0/1 as the NAT outside interface (toward the Internet).
An access list defines the internal networks allowed for translation, and each VRF has its own NAT pool.
In this example:
pool1 (12.1.1.11) is used for Customer A (VRF A)
pool2 (12.1.1.12) is used for Customer B (VRF B)
Each VRF also has a static default route pointing to 12.1.1.1 in the global routing table, which represents the Internet next hop.
This is necessary because the interface connected to the ISP belongs to the global routing table (not to any VRF). Therefore, the global keyword is used in the VRF route configuration so that traffic can reach the Internet-facing interface and next hop.
This configuration allows both customers to reach the Internet through PE3, using a single MPLS VPN infrastructure while maintaining complete traffic and address separation via VRF-aware NAT.
Control Plane Verification
To verify that the setup is functioning correctly, we must ensure the following:
The default route (0.0.0.0/0) is advertised from the Internet PE router (PE3) to other PE routers within the VRFs that require internet access.
The customer prefixes of sites needing internet connectivity are correctly received by PE3.
On PE1, the command show bgp vpnv4 unicast all confirms that the default route (0.0.0.0/0) is successfully received from PE3 (10.10.10.3) in all relevant VRFs.
In the VRF A routing table (show ip route vrf A), the default route points to 10.10.10.3, verifying that Internet-bound traffic from Customer A is forwarded toward the Internet PE (PE3).
Likewise, in the VRF B routing table (show ip route vrf B), the same default route is present and also points to 10.10.10.3, ensuring that Customer B's traffic is routed to the Internet PE through the MPLS core.
On PE3, the show bgp vpnv4 unicast all output confirms that it has learned the customer routes (e.g., 172.16.1.0/24, 172.16.11.0/24, 172.16.2.0/24, 172.16.12.0/24) from other PE routers and is advertising the default route (0.0.0.0/0) toward them.
This validates the full exchange of routes between the customer VRFs and the Internet VRF, enabling end-to-end Internet connectivity for both customers through the shared MPLS VPN infrastructure.
PE1#show bgp vpnv4 unicast all
BGP table version is 16, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf A)
*>i0.0.0.0 10.10.10.3 0 100 0 i
*>i11.11.11.11/32 10.10.10.3 0 100 0 ?
*> 172.16.1.0/24 0.0.0.0 0 32768 ?
*> 172.16.11.0/24 172.16.1.2 0 32768 ?
Route Distinguisher: 1:1011
*>i0.0.0.0 10.10.10.3 0 100 0 i
*>i11.11.11.11/32 10.10.10.3 0 100 0 ?
PE1#show ip route vrf A
Routing Table: A
...
Gateway of last resort is 10.10.10.3 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
S 172.16.11.0 [1/0] via 172.16.1.2
C 172.16.1.0 is directly connected, FastEthernet0/1
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [200/0] via 10.10.10.3, 16:58:52
12.0.0.0/32 is subnetted, 1 subnets
B 12.12.12.12 [200/0] via 10.10.10.3, 16:58:52
B* 0.0.0.0/0 [200/0] via 10.10.10.3, 16:58:52
PE2#show bgp vpnv4 unicast all
BGP table version is 21, local router ID is 10.10.10.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:200 (default for vrf B)
*>i0.0.0.0 10.10.10.3 0 100 0 i
*>i12.12.12.12/32 10.10.10.3 0 100 0 ?
*> 172.16.2.0/24 0.0.0.0 0 32768 ?
*> 172.16.12.0/24 172.16.2.2 0 32768 ?
Route Distinguisher: 1:10012
*>i0.0.0.0 10.10.10.3 0 100 0 i
*>i12.12.12.12/32 10.10.10.3 0 100 0 ?
PE3#show bgp vpnv4 unicast all
BGP table version is 19, local router ID is 10.10.10.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100
*>i172.16.1.0/24 10.10.10.1 0 100 0 ?
*>i172.16.11.0/24 10.10.10.1 0 100 0 ?
Route Distinguisher: 1:200
*>i172.16.2.0/24 10.10.10.2 0 100 0 ?
*>i172.16.12.0/24 10.10.10.2 0 100 0 ?
Route Distinguisher: 1:1011 (default for vrf A)
*> 0.0.0.0 12.1.1.1 0 32768 i
*> 11.11.11.11/32 0.0.0.0 0 32768 ?
*>i172.16.1.0/24 10.10.10.1 0 100 0 ?
*>i172.16.11.0/24 10.10.10.1 0 100 0 ?
Route Distinguisher: 1:10012 (default for vrf B)
*> 0.0.0.0 12.1.1.1 0 32768 i
*> 12.12.12.12/32 0.0.0.0 0 32768 ?
*>i172.16.2.0/24 10.10.10.2 0 100 0 ?
*>i172.16.12.0/24 10.10.10.2 0 100 0 ?
Data Plane Verification
To verify Internet access and NAT operation, connectivity tests were performed from both Customer A and Customer B sites.
For Customer A, the successful ping and traceroute to 8.8.8.8 confirm that traffic is correctly forwarded through the MPLS VPN toward PE3, translated by NAT using pool1 (12.1.1.11), and returned properly.
Similarly, Customer B can also reach the Internet. The traffic from VRF B is translated on PE3 using pool2 (12.1.1.12), ensuring address separation between customers.
On PE3, NAT tables per VRF confirm that each customer's private address is translated to its assigned public IP. This guarantees that return traffic from the Internet is correctly identified and routed to the proper VRF, maintaining complete isolation between Customer A and Customer B.
A#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 172/177/180 ms
A#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 172.16.1.1 96 msec 92 msec 92 msec
  2 10.0.1.10 [MPLS: Labels 18/21 Exp 0] 136 msec 132 msec 144 msec
  3 12.1.1.2 [MPLS: Label 21 Exp 0] 184 msec 136 msec 136 msec
  4 12.1.1.1 176 msec 180 msec 176 msec
A#
PE3#show ip nat translations vrf A
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.11:0       172.16.1.2:0       8.8.8.8:0          8.8.8.8:0
udp 12.1.1.11:49163    172.16.1.2:49163   8.8.8.8:33443      8.8.8.8:33443
udp 12.1.1.11:49164    172.16.1.2:49164   8.8.8.8:33444      8.8.8.8:33444
udp 12.1.1.11:49165    172.16.1.2:49165   8.8.8.8:33445      8.8.8.8:33445
--- 12.1.1.11          172.16.1.2         ---                ---
PE3#
B#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/157/204 ms
B#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 172.16.2.1 28 msec 32 msec 28 msec
  2 10.0.2.10 [MPLS: Labels 18/23 Exp 0] 76 msec 92 msec 96 msec
  3 12.1.1.2 [MPLS: Label 23 Exp 0] 88 msec 88 msec 88 msec
  4 12.1.1.1 140 msec 124 msec 112 msec
PE3#show ip nat translations vrf B
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.12:2       172.16.2.2:2       8.8.8.8:2          8.8.8.8:2
udp 12.1.1.12:49163    172.16.2.2:49163   8.8.8.8:33443      8.8.8.8:33443
udp 12.1.1.12:49164    172.16.2.2:49164   8.8.8.8:33444      8.8.8.8:33444
udp 12.1.1.12:49165    172.16.2.2:49165   8.8.8.8:33445      8.8.8.8:33445
--- 12.1.1.12          172.16.2.2         ---                ---
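The per-VRF NAT check described above can be automated. The following is an added example, not part of the original lab: it parses an excerpt of the `show ip nat translations vrf` output from this page and reports any entry translated to an address other than its VRF's pool, or any public address that appears in more than one VRF. The function names are illustrative.

```python
import ipaddress

# Public pool address per VRF, as configured on PE3 on this page.
POOLS = {"A": "12.1.1.11", "B": "12.1.1.12"}

# Excerpt of "show ip nat translations vrf <name>" output from this page.
OUTPUT = {
    "A": """Pro Inside global Inside local Outside local Outside global
icmp 12.1.1.11:0 172.16.1.2:0 8.8.8.8:0 8.8.8.8:0
udp 12.1.1.11:49163 172.16.1.2:49163 8.8.8.8:33443 8.8.8.8:33443
--- 12.1.1.11 172.16.1.2 --- ---""",
    "B": """Pro Inside global Inside local Outside local Outside global
icmp 12.1.1.12:2 172.16.2.2:2 8.8.8.8:2 8.8.8.8:2
udp 12.1.1.12:49163 172.16.2.2:49163 8.8.8.8:33443 8.8.8.8:33443
--- 12.1.1.12 172.16.2.2 --- ---""",
}

def host(field):
    """Strip an optional :port and validate the address; None if not an IP."""
    try:
        return str(ipaddress.ip_address(field.split(":")[0]))
    except ValueError:
        return None

def parse_translations(text):
    """Return [(inside_global, inside_local)] for every translation row."""
    rows = []
    for fields in map(str.split, text.splitlines()):
        if len(fields) == 5 and host(fields[1]) and host(fields[2]):
            rows.append((host(fields[1]), host(fields[2])))
    return rows

def audit(outputs, pools):
    """List findings: wrong pool for a VRF, or one public address used by two VRFs."""
    findings, owner = [], {}
    for vrf, text in sorted(outputs.items()):
        for glob, local in parse_translations(text):
            if glob != pools[vrf]:
                findings.append(f"vrf {vrf}: {local} translated to {glob}, expected {pools[vrf]}")
            if owner.setdefault(glob, vrf) != vrf:
                findings.append(f"{glob} used by vrf {owner[glob]} and vrf {vrf}")
    return findings

if __name__ == "__main__":
    print(audit(OUTPUT, POOLS) or "each VRF translates only to its own pool address")
```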
Final Device Configurations
This section presents the complete configuration of all devices related to the topology, including PE routers, customer edge devices, and the Internet PE.
hostname PE1
!
ip cef
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target export 1:1011
 route-target import 1:100
 route-target import 1:1001
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
!
ip route vrf A 172.16.11.0 255.255.255.0 172.16.1.2
!
mpls ldp router-id Loopback0
hostname PE2
!
ip cef
!
ip vrf B
 rd 1:200
 route-target export 1:200
 route-target export 1:1012
 route-target import 1:200
 route-target import 1:1002
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip vrf forwarding B
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
!
ip route vrf B 172.16.12.0 255.255.255.0 172.16.2.2
!
mpls ldp router-id Loopback0
hostname PE3
!
ip cef
!
ip vrf A
 rd 1:1011
 route-target export 1:1001
 route-target import 1:1011
!
ip vrf B
 rd 1:10012
 route-target export 1:1002
 route-target import 1:1012
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
!
interface Loopback11
 ip vrf forwarding A
 ip address 11.11.11.11 255.255.255.255
!
interface Loopback12
 ip vrf forwarding B
 ip address 12.12.12.12 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.3.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute connected
  no synchronization
  network 0.0.0.0
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  no synchronization
  network 0.0.0.0
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 12.1.1.1
ip route vrf A 0.0.0.0 0.0.0.0 12.1.1.1 global
ip route vrf B 0.0.0.0 0.0.0.0 12.1.1.1 global
!
ip nat pool pool1 12.1.1.11 12.1.1.11 netmask 255.255.255.0
ip nat pool pool2 12.1.1.12 12.1.1.12 netmask 255.255.255.0
! Both NAT rules match access-list 1, whose 172.16.0.0/16 entry covers both
! customers; access-list 2 is defined below but not referenced by any NAT rule.
ip nat inside source list 1 pool pool1 vrf A
ip nat inside source list 1 pool pool2 vrf B
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.16.11.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.12.0 0.0.0.255
!
mpls ldp router-id Loopback0
hostname P
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.1.10 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip address 10.0.2.10 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/0
 ip address 10.0.3.10 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
mpls ldp router-id Loopback0
hostname A
!
interface Loopback0
 ip address 172.16.11.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
hostname ISP
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto