Understanding How MX Series Router Cloud CPE Services Route Internet Traffic from Layer 2 CPEs to a Subscriber-Owned NAT Gateway

This topic describes how you can migrate from a scenario where the customer site requires a CE router to forward Internet traffic to the subscriber's NAT device, to a scenario where only a Layer 2 CPE is required at the site and the PE router routes the traffic to the NAT device and on to the Internet.

In the scenario depicted in Figure 1, the NAT functions are provided by a subscriber-owned device with Layer 3 capabilities. Two logical interfaces are configured between the subscriber site and the PE router. One logical interface carries VPN internal traffic, and the other carries public Internet traffic. For Internet-bound traffic, the subscriber CE router has a route defined in the VPN routing instance that forwards the traffic to the subscriber's NAT device through the VPN internal interface. After address translation, the Internet-bound traffic carries a public source address and is sent through the public interface. In the PE router, the VPN internal interface is defined in the VPN routing instance, and the public interface is defined in the default routing instance.

Figure 1: Using MX Series Router Cloud CPE to Route Internet Traffic to a Subscriber-Owned NAT Device

When cCPE services are introduced into this same scenario, the CE router at the subscriber site is replaced with a Layer 2 CPE and the routing is moved out to the PE router. Two VLAN interfaces are connected to the Layer 2 CPE: one as a VPN internal interface and one as a public interface for Internet traffic.

In the VPN site with Internet access, a NAT gateway performs address translation between private and public addresses. The inside interface of the NAT gateway, on the LAN side, has a private address. In the VPN routing instance of the adjacent PE router, a static route is configured that sends Internet-bound traffic to the private address of the inside interface of the NAT gateway. This static route is further propagated to the PE routers serving the remote VPN sites through an internal BGP (IBGP) session. The WAN side of the NAT gateway also has a route defined with the adjacent PE router as the next hop for Internet-bound traffic. Packets going to the Internet are sent to the inside interface of the NAT gateway, where the source addresses are translated to a public address; the packets are then routed back to the PE router over the public interface and forwarded in the default routing instance.

In the VPN site without Internet access, you do not need to configure a static route in the VPN routing instance. This site relies on the static route advertised over IBGP from the VPN routing instance at the site with Internet access, so its Internet-bound traffic is carried across the VPN to that site and through the same NAT gateway.
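The following Junos configuration is an added example, not taken from the original page, that shows what the two preceding paragraphs describe on the PE router adjacent to the site with Internet access: a VPN internal VLAN inside the VRF, a public VLAN left in the default routing instance, a static default route in the VRF pointing at the private inside address of the NAT gateway, and the MP-IBGP session over which that route reaches the remote PE routers. The interface names, VLAN IDs, addresses, route target, and AS number are assumptions chosen for illustration; the ingress filter on the public VLAN is also an addition beyond the page, included because a practitioner would normally restrict what the default routing instance accepts from a subscriber-facing interface.

```junos
/* Added example, not from the original page. All names, VLAN IDs, addresses,
   route targets and the AS number are assumptions. */
interfaces {
    ge-0/0/1 {
        description "Layer 2 CPE at the VPN site with Internet access";
        vlan-tagging;
        unit 100 {
            description "VPN internal VLAN - faces the NAT gateway inside (LAN) interface";
            vlan-id 100;
            family inet {
                address 10.1.1.1/24;      /* NAT gateway inside interface is 10.1.1.2 */
            }
        }
        unit 200 {
            description "Public VLAN - faces the NAT gateway outside (WAN) interface";
            vlan-id 200;
            family inet {
                filter {
                    input PUBLIC-IN;      /* accept only the subscriber's public prefix */
                }
                address 203.0.113.1/30;   /* NAT gateway WAN address is 203.0.113.2 */
            }
        }
    }
}
routing-options {
    autonomous-system 64500;
}
protocols {
    bgp {
        group IBGP {
            type internal;
            local-address 192.0.2.1;
            family inet-vpn {
                unicast;                  /* carries the VRF routes, including the static default */
            }
            neighbor 192.0.2.2;           /* PE serving the remote site without Internet access */
        }
    }
}
routing-instances {
    VPN-A {
        instance-type vrf;
        interface ge-0/0/1.100;           /* only the VPN internal VLAN belongs to the VRF;
                                             ge-0/0/1.200 stays in the default instance (inet.0) */
        route-distinguisher 64500:100;
        vrf-target target:64500:100;      /* auto-generated export policy advertises all active
                                             VRF routes, so the static default below is sent
                                             to the remote PE with this route target */
        vrf-table-label;
        routing-options {
            static {
                /* Internet-bound traffic inside the VPN goes to the private inside
                   address of the subscriber-owned NAT gateway. */
                route 0.0.0.0/0 next-hop 10.1.1.2;
            }
        }
    }
}
firewall {
    family inet {
        filter PUBLIC-IN {
            term subscriber-public {
                from {
                    source-address {
                        203.0.113.0/30;   /* only the NAT gateway's public address may source traffic */
                    }
                }
                then accept;
            }
            term drop-spoofed {
                then {
                    count spoofed-from-subscriber;
                    discard;
                }
            }
        }
    }
}
```

On the PE router that serves the site without Internet access, the VPN-A instance is configured with the same vrf-target and its own VLAN interface but with no static route; the default route it receives over the IBGP session has the first PE as the BGP next hop, so that site's Internet-bound traffic is tunnelled across the VPN to the NAT gateway. Two things are worth checking after commit: `show route table VPN-A.inet.0 0.0.0.0/0` on the remote PE should show the default learned via BGP, and `show route table inet.0 203.0.113.0/30` on the first PE should show the public link as a direct route, since return traffic from the Internet to the translated addresses is forwarded in the default instance, not in the VRF.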