
Centralized Internet Access

This section describes several ways to configure a CE router to act as a central site for Internet access. Internet traffic from other sites (CE routers) is routed to the hub CE router (which also performs NAT) using that router’s VPN interface. The hub CE router then forwards the traffic to a PE router connected to the Internet through another interface identified in the inet.0 table. The hub CE router can advertise a default route to the spoke CE routers. The disadvantage of this type of configuration is that all traffic has to go through the central CE router before going to the Internet, causing network delays if this router receives too much traffic. However, in a corporate network, traffic might have to be routed to a central site because most corporate networks separate the VPN from the Internet by means of a single firewall.

This section includes the following examples:

Routing Internet Traffic Through a Hub CE Router

In this example, Internet traffic is routed through a hub CE router. The hub CE router has two interfaces to the hub PE router: a VPN interface and a public interface. It performs NAT on traffic forwarded from the hub PE router through the VPN interface and forwards that traffic from its public interface back to the hub PE router. The hub PE router has a static default route in its VRF table pointing to the hub CE router’s VPN interface. It announces this default route to the rest of the VPN, attracting all non-VPN traffic to the hub CE router. The hub PE router also installs and distributes the VPN’s public IP address space (see Figure 1).

Figure 1: Internet Access Through a Hub CE Router Performing NAT


The configuration for this example is almost identical to that described in Routing Internet Traffic Through a Separate NAT Device. The difference is that Router PE1 is configured to announce a static default route to the other CE routers (see Figure 2).

Figure 2: Internet Access Provided Through a Hub CE Router


The following sections show how to configure centralized Internet access by routing Internet traffic through a hub CE router:

Configuring a Routing Instance on Router PE1

Configure a routing instance for Router PE1. As part of this configuration, under routing-options, configure a default static route (route 0.0.0.0/0) to be installed in vpna.inet.0, and point the route to the hub CE router’s VPN interface (10.23.0.1). Also, configure BGP under the routing instance to export the default route to the local CE router:

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    export export-default;
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Configuring Policy Options on Router PE1

Configure policy options on Router PE1. As part of this configuration, Router PE1 should export the static default route to all the remote PE routers in vpna (configured in the policy-statement vpna-export statement under term b):

[edit]
policy-options {
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                community add vpna-comm;
                accept;
            }
        }
        term c {
            then reject;
        }
    }
    policy-statement export-default {
        term a {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term b {
            from protocol bgp;
            then accept;
        }
        term c {
            then reject;
        }
    }
}

Internet Traffic Routed by a Hub CE Router: Configuration Summarized by Router

Router PE1

The configuration for Router PE1 is almost identical to that for the example in Routing Internet Traffic Through a Separate NAT Device. The difference is that Router PE1 is configured to announce a static default route to the other CE routers.

Routing Instance

routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    export export-default;
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Policy Options

policy-options {
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                community add vpna-comm;
                accept;
            }
        }
        term c {
            then reject;
        }
    }
    policy-statement export-default {
        term a {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term b {
            from protocol bgp;
            then accept;
        }
        term c {
            then reject;
        }
    }
}

Routing Internet Traffic Through Multiple CE Routers

The example in this section is an extension of that described in Centralized Internet Access. This example provides different exit points for different sites by means of multiple hub CE routers that perform similar functions. Each hub CE router tags the default route with a different route target and allows the spoke CE routers to select the hub site that should be used for Internet access (see Figure 3).

Figure 3: Two Hub CE Routers Handling Internet Traffic and NAT


This example uses two hub CE routers that handle NAT and Internet traffic:

  • Hub1 CE router tags 0/0 with community public-comm1 (target: 1:111)
  • Hub2 CE router tags 0/0 with community public-comm2 (target: 1:112)

The spoke CE router in this example is configured to have a bias toward Hub2 for Internet access.

The following sections describe how to configure two hub CE routers to handle Internet traffic and NAT:

Configuring a Routing Instance on Router PE1

Configure a routing instance on Router PE1:

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    export export-default;
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Configuring Policy Options on Router PE1

The policy options for Router PE1 are the same as in Centralized Internet Access, but the configuration in this example includes an additional community, public-comm1, in the export statement:

[edit]
policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                community add public-comm1;
                community add vpna-comm;
                accept;
            }
        }
        term b {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term c {
            then reject;
        }
    }
    community public-comm1 members target:1:111;
    community public-comm2 members target:1:112;
    community vpna-comm members target:63000:100;
}

The configuration of Router PE2 is identical to that of Router PE1 except that Router PE2 exports the default route through community public-comm2.

Configuring a Routing Instance on Router PE3

Configure routing instance vpna on Router PE3:

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t1-0/2/0.0;
        route-distinguisher 10.255.14.173:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            rip {
                group to-vpn12 {
                    export export-CE;
                    neighbor t1-0/2/0.0;
                }
            }
        }
    }
}

Configuring Policy Options on Router PE3

Configure the vrf-import policy for Router PE3 to select the Internet exit point based on the additional communities specified in Centralized Internet Access:

[edit]
policy-options {
    policy-statement vpna-export {
        term a {
            from protocol rip;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community public-comm1;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term b {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term c {
            then reject;
        }
    }
    policy-statement export-CE {
        from protocol bgp;
        then accept;
    }
    community vpna-comm members target:69:100;
    community public-comm1 members target:1:111;
    community public-comm2 members target:1:112;
}
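As an added illustration that is not part of this Juniper documentation, the following Python models the policy chain described in the PE1/PE2 and PE3 policy-options sections above: each hub PE's vrf-export tags its static default route with its own public community, and PE3's vrf-import rejects the default carrying public-comm1, so the spoke site behind PE3 ends up using Hub2. It assumes a single vpna-comm value (target:63000:100) on every PE and reduces Junos policy to the protocol, community and exact route-filter match conditions used on this page.

```python
from dataclasses import dataclass, replace

# Route targets as defined under policy-options on PE1 and PE2 above (assumed common to all PEs).
VPNA_COMM, PUBLIC_COMM1, PUBLIC_COMM2 = "target:63000:100", "target:1:111", "target:1:112"

@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str                          # "static", "bgp" or "rip"
    communities: frozenset = frozenset()   # extended communities carried by the route

def term_matches(term, route):
    """A from clause matches only when every listed condition holds (route-filter is exact)."""
    frm = term.get("from", {})
    if frm.get("protocol", route.protocol) != route.protocol:
        return False
    if "community" in frm and frm["community"] not in route.communities:
        return False
    return frm.get("route-filter", route.prefix) == route.prefix

def apply_policy(policy, route):
    """The first matching term decides; its 'community add' actions are applied to the route."""
    for term in policy:
        if term_matches(term, route):
            return term["then"], replace(route, communities=route.communities | frozenset(term.get("add", ())))
    return "reject", route                 # each policy above ends with an explicit reject anyway

def hub_export(public_comm):
    """vrf-export on a hub PE: PE1 uses public-comm1, PE2 uses public-comm2."""
    return [{"from": {"protocol": "static", "route-filter": "0.0.0.0/0"},
             "add": [public_comm, VPNA_COMM], "then": "accept"},
            {"from": {"protocol": "bgp"}, "add": [VPNA_COMM], "then": "accept"},
            {"then": "reject"}]

PE3_IMPORT = [  # vrf-import on PE3: drop Hub1's default, accept everything else tagged vpna-comm
    {"from": {"protocol": "bgp", "community": PUBLIC_COMM1, "route-filter": "0.0.0.0/0"}, "then": "reject"},
    {"from": {"protocol": "bgp", "community": VPNA_COMM}, "then": "accept"},
    {"then": "reject"},
]

def pe3_default_routes():
    """Push each hub PE's static 0/0 through its vrf-export, then through PE3's vrf-import."""
    accepted = []
    for pe, export in (("PE1", hub_export(PUBLIC_COMM1)), ("PE2", hub_export(PUBLIC_COMM2))):
        verdict, exported = apply_policy(export, Route("0.0.0.0/0", "static"))
        if verdict == "accept":        # carried by MP-BGP, so PE3 evaluates it as protocol bgp
            verdict, _ = apply_policy(PE3_IMPORT, replace(exported, protocol="bgp"))
            if verdict == "accept":
                accepted.append(pe)
    return accepted                    # ["PE2"]: the spoke site's default route points at Hub2
```

Because PE3's term a requires an exact match on 0.0.0.0/0, a more specific prefix from Hub1 that carries public-comm1 is still imported through term b; only Hub1's default is filtered.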

Routing Internet Traffic Through Multiple CE Routers: Configuration Summarized by Router

Router PE1

This configuration is an extension of the example in Centralized Internet Access. It provides different exit points for various sites by using multiple hub CE routers that perform similar functions.

Routing Instances

routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    export export-default;
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Policy Options

policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                community add public-comm1;
                community add vpna-comm;
                accept;
            }
        }
        term b {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term c {
            then reject;
        }
    }
    community public-comm1 members target:1:111;
    community public-comm2 members target:1:112;
    community vpna-comm members target:63000:100;
}

Router PE2

The configuration of Router PE2 is identical to that of Router PE1, except that Router PE2 exports the default route through community public-comm2 (see Centralized Internet Access).

Router PE3

Routing Instances

routing-instances {
    vpna {
        instance-type vrf;
        interface t1-0/2/0.0;
        route-distinguisher 10.255.14.173:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            rip {
                group to-vpn12 {
                    export export-CE;
                    neighbor t1-0/2/0.0;
                }
            }
        }
    }
}

Policy Options

policy-options {
    policy-statement vpna-export {
        term a {
            from protocol rip;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community public-comm1;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term b {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term c {
            then reject;
        }
    }
    policy-statement export-CE {
        from protocol bgp;
        then accept;
    }
    community vpna-comm members target:69:100;
    community public-comm1 members target:1:111;
    community public-comm2 members target:1:112;
}

Published: 2010-04-27
