
Cross-VRF Example

In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, you can use NAT to enable access to the public network because the NAT implementation is both VR and VRF aware. Figure 9 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.

Figure 9: Cross-VRF Example


VRF11 is the local (this PE) representation of the MPLS VPN and connects Enterprise A to the VPN. Enterprise A communicates with VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to Enterprise A is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off the uplink to the core network and anchored in the VRF. A DA-based demultiplexer matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface.

To configure this example:

  1. Enter the correct virtual routing and forwarding instance.
    host1(config)#virtual-router vr1:vrf11
  2. Mark the inside interfaces.
    host1:vr1:vrf11(config)#interface fast-ethernet 6/1
    host1:vr1:vrf11(config-interface)#ip nat inside
    host1:vr1:vrf11(config-interface)#exit
  3. Set the primary interface to DA-type demultiplexer (for subsequent shared interfaces).
    host1:vr1(config)#interface atm 12/0.101
    host1:vr1(config-interface)#ip demux-type da-prefix
    host1:vr1(config-interface)#exit
  4. Create the address pool for dynamic translations.
    host1:vr1(config)#virtual-router vr1:vrf11
    host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24
  5. Create the access list for addresses eligible for dynamic translation.
    host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255
  6. Create the dynamic translation rule.
    host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool
  7. Create the subscriber interface off the uplink.
    host1:vr1:vrf11(config)#interface ip vrf11vr1
    host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101
    host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1
  8. Configure a group of destination prefixes with which the device can communicate on the public network.
    host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0
  9. Mark the subscriber interface as outside.
    host1:vr1:vrf11(config-interface)#ip nat outside
    host1:vr1:vrf11(config-interface)#exit
  10. Point the default route to the shared interface.
    host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1
  11. Install a null route to avoid routing loops to the inside global address.
    host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0
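
The procedure above works only if the pool (step 4), the access list (step 5), the destination prefix on the subscriber interface (step 8), and the null route (step 11) agree with one another. The following Python check is an added example, not part of the original documentation or vendor tooling; it assumes the command syntax exactly as printed in the steps, and the `audit` and `net` helpers are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: the NAT commands from steps 4-11, CLI prompts stripped.
CONFIG = """\
ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24
access-list entA permit 10.16.5.0 0.0.0.255
ip nat inside source list entA pool entApool
ip destination-prefix 128.13.44.0 255.255.255.0
ip route 0.0.0.0 0.0.0.0 ip vrf11vr1
ip route 128.13.44.0 255.255.255.0 null 0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"

def net(addr, mask):
    # ipaddress accepts a prefix length, a netmask, or a wildcard (host) mask.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    pools = {n: (ipaddress.ip_address(b), net(a, p))
             for n, a, b, p in re.findall(
                 rf"ip nat pool (\S+) {IP} {IP} prefix-length (\d+)", config)}
    acls = {}
    for name, a, w in re.findall(rf"access-list (\S+) permit {IP} {IP}", config):
        acls.setdefault(name, []).append(net(a, w))
    demux = [net(a, m) for a, m in re.findall(rf"ip destination-prefix {IP} {IP}", config)]
    nulls = [net(a, m) for a, m in re.findall(rf"ip route {IP} {IP} null 0", config)]
    rules = re.findall(r"ip nat inside source list (\S+) pool (\S+)", config)

    for acl, pool in rules:
        if acl not in acls or pool not in pools:
            findings.append(f"rule {acl}->{pool}: undefined access list or pool")
            continue
        last, pnet = pools[pool]
        if last not in pnet:
            findings.append(f"{pool}: range end {last} is outside {pnet}")
        if not any(pnet.subnet_of(d) for d in demux):
            findings.append(f"{pool}: no destination-prefix covers {pnet}")
        if not any(pnet.subnet_of(n) for n in nulls):
            findings.append(f"{pool}: no null route covers {pnet}")
        if any(pnet.overlaps(src) for src in acls[acl]):
            findings.append(f"{pool}: overlaps inside range in list {acl}")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "consistent")
```

Each finding names the pool whose inside global range is missing demultiplexer coverage, lacks the loop-avoiding null route, or collides with the inside addresses it is meant to translate.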
