
Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Private Addresses)

The example in this section shows how to route VPN and Internet traffic through the same interface in both directions (from the CE router to the Internet and from the Internet to the CE router). The VPN in this example has private addresses. If you can configure EBGP on the CE router, you can configure a PE router using the configuration outlined in Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Public Addresses), even if the VPN has private addresses.

In the example described in this section, the CE router uses separate communities to advertise its VPN routes and public routes. The PE router selectively imports only the public routes into the inet.0 routing table. This configuration ensures that return traffic from the Internet uses the same interface between the PE and CE routers as that used by VPN traffic going out to public Internet addresses (see Figure 1).

Figure 1: VPN and Internet Traffic Routed Through the Same Interface


In this example, the CE router has one interface and a BGP session with the PE router, and it tags VPN routes and Internet routes with different communities. The PE router has one interface, selectively imports routes for the VPN’s public IP address pool into inet.0, and has a default route in the VRF routing table pointing to inet.0.

The following sections show how to route VPN and Internet traffic through the same interface bidirectionally (VPN has private addresses):

Configuring Routing Options for Router PE1

On Router PE1, configure a routing table group to install VPN routes in the vpna.inet.0 and inet.0 routing tables:

[edit]
routing-options {
    rib-groups {
        vpna-to-inet0 {
            import-rib [ vpna.inet.0 inet.0 ];
        }
    }
}

Configuring a Routing Instance for Router PE1

On Router PE1, configure a routing instance. As part of the configuration for the routing instance, configure a static route that is installed in vpna.inet.0 and is pointed at inet.0 for resolution.

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}

At the [edit routing-instances vpna protocols bgp] hierarchy level, configure a policy (import-public-addr-to-inet0) to import public routes into inet.0 and a routing table group (vpna-to-inet0) to allow BGP to install routes into multiple routing tables (vpna.inet.0 and inet.0):

[edit routing-instances vpna]
protocols {
    bgp {
        group to-CE1 {
            import import-public-addr-to-inet0;
            family inet {
                unicast {
                    rib-group vpna-to-inet0;
                }
            }
            peer-as 63001;
            neighbor 192.168.197.14;
        }
    }
}

Configuring Policy Options for Router PE1

Configure the policy options for Router PE1 to accept all routes initially (term a) and then to install routes with a public-comm community into routing table inet.0 (term b):

[edit]
policy-options {
    policy-statement import-public-addr-to-inet0 {
        term a {
            from {
                protocol bgp;
                rib vpna.inet.0;
                community [ public-comm private-comm ];
            }
            then accept;
        }
        term b {
            from {
                protocol bgp;
                community public-comm;
            }
            to rib inet.0;
            then accept;
        }
        term c {
            then reject;
        }
    }
    community private-comm members target:1:333;
    community public-comm members target:1:111;
    community vpna-comm members target:63000:100;
}
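
The following Python sketch is an added example, not part of the original documentation. It models the policy above in simplified form (one evaluation per table in the rib-group) and flags RFC 1918 prefixes that arrive tagged with public-comm, because term b matches on the community alone. The function names and the sample routes are assumptions constructed for illustration.

```python
import ipaddress

# Community values copied from the page's policy-options stanza.
PUBLIC_COMM = "target:1:111"
PRIVATE_COMM = "target:1:333"
IMPORT_RIBS = ("vpna.inet.0", "inet.0")  # rib-group vpna-to-inet0
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def tables_for(communities):
    """Simplified model of import-public-addr-to-inet0, evaluated once per
    table in the rib-group; returns the tables that accept the route."""
    accepted = []
    for rib in IMPORT_RIBS:
        # term a: the VRF table takes routes tagged public-comm or private-comm
        if rib == "vpna.inet.0" and communities & {PUBLIC_COMM, PRIVATE_COMM}:
            accepted.append(rib)
        # term b: inet.0 takes only routes tagged public-comm
        elif rib == "inet.0" and PUBLIC_COMM in communities:
            accepted.append(rib)
        # term c: anything else is rejected for this table
    return accepted

def audit(routes):
    """Return (placement, leaks): the tables each prefix lands in, and the
    RFC 1918 prefixes that would be installed in inet.0."""
    placement, leaks = {}, []
    for prefix, communities in routes:
        placement[prefix] = tables_for(set(communities))
        net = ipaddress.ip_network(prefix)
        is_private = any(net.subnet_of(r) for r in RFC1918)
        if "inet.0" in placement[prefix] and is_private:
            leaks.append(prefix)
    return placement, leaks

# Constructed sample advertisements from the CE router (not from the page).
SAMPLE_ROUTES = [
    ("203.0.113.0/24", [PUBLIC_COMM]),  # public pool, tagged correctly
    ("10.1.0.0/16", [PRIVATE_COMM]),    # VPN-internal, tagged correctly
    ("10.2.0.0/16", [PUBLIC_COMM]),     # private prefix mis-tagged as public
    ("172.16.5.0/24", []),              # untagged: rejected by term c
]

if __name__ == "__main__":
    placement, leaks = audit(SAMPLE_ROUTES)
    for prefix, ribs in placement.items():
        print(f"{prefix:<18} -> {ribs or 'rejected'}")
    print("private prefixes reaching inet.0:", leaks)
```

A prefix reported as a leak points to a tagging error on the CE router; adding a prefix match for the VPN's public address pool to term b would stop the PE router from relying on the community alone.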

Traffic Routed by the Same Interface Bidirectionally (VPN Has Private Addresses): Configuration Summarized by Router

Router PE1

Routing Options

routing-options {
    rib-groups {
        vpna-to-inet0 {
            import-rib [ vpna.inet.0 inet.0 ];
        }
    }
}

Routing Instances

routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}

Routing Instances Protocols BGP

protocols {
    bgp {
        group to-CE1 {
            import import-public-addr-to-inet0;
            family inet {
                unicast {
                    rib-group vpna-to-inet0;
                }
            }
            peer-as 63001;
            neighbor 192.168.197.14;
        }
    }
}

Policy Options

policy-options {
    policy-statement import-public-addr-to-inet0 {
        term a {
            from {
                protocol bgp;
                rib vpna.inet.0;
                community [ public-comm private-comm ];
            }
            then accept;
        }
        term b {
            from {
                protocol bgp;
                community public-comm;
            }
            to rib inet.0;
            then accept;
        }
        term c {
            then reject;
        }
    }
    community private-comm members target:1:333;
    community public-comm members target:1:111;
    community vpna-comm members target:63000:100;
}

Published: 2010-07-16
