Technical Documentation

Routing VPN and Internet Traffic Through Different Interfaces

In this example, VPN and Internet traffic are routed through different interfaces. The CE router sends the VPN traffic through the VPN interface and sends the Internet traffic through a separate interface that is part of the main routing table on Router PE1 (the CE router can use either one physical interface with two logical units or two physical interfaces). NAT also occurs on the CE router (see Figure 1).

Figure 1: Routing VPN and Internet Traffic Through Different Interfaces

The PE router is configured to install and advertise the public IP address pool for the VPN to other core routers (for return traffic). The VPN traffic is routed normally. Figure 2 illustrates the PE router’s VPN configuration.

Figure 2: Example of Internet Traffic Routed Through Separate Interfaces

The configuration in this example has the following features:

  • Router PE1 uses two logical interfaces to connect to Router CE1 using Frame Relay encapsulation.
  • The routing protocol between Router PE1 and Router CE1 is EBGP.
  • Router CE1’s public IP address pool is 10.12.1.1 through 10.12.1.254 (10.12.1.0/24).
  • The next-hop-self setting is derived from the fix-nh policy statement on Router PE1. PE routers are forced to use next-hop-self so that next-hop resolution is done only for the PE router’s loopback address for non-VPN routes (by default, VPN–Internet Protocol version 4 [IPv4] routes are sent by means of next-hop-self).

You can configure Router CE1 with a static default route pointing to its public interface for everything else.

The following sections show how to route VPN and Internet traffic through different interfaces:

Configuring Interfaces on Router PE1

Configure an interface to handle VPN traffic and an interface to handle Internet traffic:

[edit]
interfaces {
    t3-0/2/0 {
        dce;
        encapsulation frame-relay;
        unit 0 {
            description "to CE1 VPN interface";
            dlci 10;
            family inet {
                address 192.168.197.13/30;
            }
        }
        unit 1 {
            description "to CE1 public interface";
            dlci 20;
            family inet {
                address 192.168.198.201/30;
            }
        }
    }
}

Configuring Routing Options on Router PE1

Configure a static route on Router PE1 to install a route to the CE router’s public IP address pool in inet.0:

[edit]
routing-options {
    static {
        route 10.12.1.0/24 next-hop 192.168.198.202;
    }
}

Configuring BGP, IS-IS, and LDP Protocols on Router PE1

Configure BGP on Router PE1 to allow non-VPN and VPN peering and to advertise the VPN’s public IP address pool:

[edit]
protocols {
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet {
                any;
            }
            family inet-vpn {
                any;
            }
            export [ fix-nh redist-static ];
            neighbor 10.255.14.177;
            neighbor 10.255.14.179;
        }
    }
}

Configure IS-IS on Router PE1 to allow access to internal routes:

[edit protocols]
isis {
    level 1 disable;
    interface so-0/0/0.0;
    interface lo0.0;
}

Configure LDP on Router PE1 to tunnel VPN routes:

[edit protocols]
ldp {
    interface so-0/0/0.0;
}

Configuring a Routing Instance on Router PE1

Configure a routing instance on Router PE1:

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group to-CE1 {
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Configuring Policy Options on Router PE1

You need to configure policy options on Router PE1. The fix-nh policy statement sets next-hop-self for all non-VPN routes:

[edit]
policy-options {
    policy-statement fix-nh {
        then {
            next-hop self;
        }
    }
}

The redist-static policy statement advertises the VPN’s public IP address pool:

[edit policy-options]
policy-statement redist-static {
    term a {
        from {
            protocol static;
            route-filter 10.12.1.0/24 exact;
        }
        then accept;
    }
    term b {
        then reject;
    }
}

Configure import and export policies for vpna:

[edit policy-options]
policy-statement vpna-import {
    term a {
        from {
            protocol bgp;
            community vpna-comm;
        }
        then accept;
    }
    term b {
        then reject;
    }
}
policy-statement vpna-export {
    term a {
        from protocol bgp;
        then {
            community add vpna-comm;
            accept;
        }
    }
    term b {
        then reject;
    }
}
community vpna-comm members target:63000:100;
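The separation this example relies on can be checked mechanically. The following Python code is an added example, not part of the original documentation: it parses a constructed excerpt of the Router PE1 configuration above and verifies that each static route installed in inet.0 resolves through a logical interface that is not bound to a VRF routing instance. The function names and the reduced excerpt are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpt: only the Router PE1 statements from this page that the check needs.
PE1_CONFIG = """
interfaces { t3-0/2/0 { unit 0 { family inet { address 192.168.197.13/30; } }
                        unit 1 { family inet { address 192.168.198.201/30; } } } }
routing-options { static { route 10.12.1.0/24 next-hop 192.168.198.202; } }
routing-instances { vpna { instance-type vrf; interface t3-0/2/0.0; } }
"""

def parse(text):
    """Parse brace-style configuration into nested dicts; leaf statements map to None."""
    node, stack, words = {}, [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node[" ".join(words)], words = None, []
        else:
            words.append(tok)
    return stack[0] if stack else node  # stack[0] is the root if braces were left open

def logical_interfaces(cfg):
    """Map 'device.unit' to the IPv4 network configured on that logical interface."""
    nets = {}
    for dev, body in cfg.get("interfaces", {}).items():
        for key, unit in body.items():
            for stmt in (unit or {}).get("family inet", {}):
                if key.startswith("unit ") and stmt.startswith("address "):
                    nets[f"{dev}.{key.split()[1]}"] = ip_interface(stmt.split()[1]).network
    return nets

def check_static_routes(cfg):
    """Return (prefix, next_hop, interface, ok); ok means the next hop is outside every VRF."""
    nets, results = logical_interfaces(cfg), []
    # Logical interfaces bound to an instance-type vrf routing instance (the VPN side).
    bound = {s.split()[1] for inst in cfg.get("routing-instances", {}).values()
             if "instance-type vrf" in inst for s in inst if s.startswith("interface ")}
    for stmt in cfg.get("routing-options", {}).get("static", {}):
        m = re.fullmatch(r"route (\S+) next-hop (\S+)", stmt)
        if m:
            prefix, hop = m.groups()
            ifl = next((n for n, net in nets.items() if ip_address(hop) in net), None)
            results.append((prefix, hop, ifl, ifl is not None and ifl not in bound))
    return results
```

A result with ok set to False means the public pool's next hop either sits on the VPN-facing logical interface or does not match any directly connected subnet.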

Traffic Routed by Different Interfaces: Configuration Summarized by Router

Router PE1

Interfaces

interfaces {
    t3-0/2/0 {
        dce;
        encapsulation frame-relay;
        unit 0 {
            description "to CE1 VPN interface";
            dlci 10;
            family inet {
                address 192.168.197.13/30;
            }
        }
        unit 1 {
            description "to CE1 public interface";
            dlci 20;
            family inet {
                address 192.168.198.201/30;
            }
        }
    }
}

Routing Options

routing-options {
    static {
        route 10.12.1.0/24 next-hop 192.168.198.202;
    }
}

BGP Protocol

protocols {
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet {
                any;
            }
            family inet-vpn {
                any;
            }
            export [ fix-nh redist-static ];
            neighbor 10.255.14.177;
            neighbor 10.255.14.179;
        }
    }
}

IS-IS Protocol

isis {
    level 1 disable;
    interface so-0/0/0.0;
    interface lo0.0;
}

LDP Protocol

ldp {
    interface so-0/0/0.0;
}

Routing Instance

routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group to-CE1 {
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Policy Options/Policy Statements

policy-options {
    policy-statement fix-nh {
        then {
            next-hop self;
        }
    }
    policy-statement redist-static {
        term a {
            from {
                protocol static;
                route-filter 10.12.1.0/24 exact;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
}

Import and Export Policies

policy-statement vpna-import {
    term a {
        from {
            protocol bgp;
            community vpna-comm;
        }
        then accept;
    }
    term b {
        then reject;
    }
}
policy-statement vpna-export {
    term a {
        from protocol bgp;
        then {
            community add vpna-comm;
            accept;
        }
    }
    term b {
        then reject;
    }
}
community vpna-comm members target:63000:100;

Published: 2010-04-27