Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enabling Internet Access for Layer 3 VPNs

This topic provides examples on configuring a provider edge (PE) router to provide Internet access to customer edge (CE) routers in a VPN and configuring a router to route internet traffic to CE routers through a network address translator (NAT). The method you use depends on the needs and specifications of the individual network.

Non-VRF Internet Access Through Layer 3 VPNs

Junos OS supports Internet access from a Layer 3 virtual private network (VPN). You also need to configure the next-table statement at the [edit routing-instances routing-instance-name routing-options static route] hierarchy level. When configured, this statement can point a default route from the VPN table (routing instance) to the main routing table (default instance) inet.0. The main routing table stores all Internet routes and is where final route resolution occurs.

The following sections describe ways to provide Internet access to a CE router in a Layer 3 VPN without using the VPN routing and forwarding (VRF) interface. Because these methods effectively bypass the Layer 3 VPN, they are not discussed in detail.

CE Router Accesses Internet Independently of the PE Router

In this configuration, the PE router does not provide the Internet access. The CE router sends Internet traffic either to another service provider, or to the same service provider but a different router. The PE router handles Layer 3 VPN traffic only (see Figure 1).

Figure 1: PE Router Does Not Provide Internet AccessPE Router Does Not Provide Internet Access

PE Router Provides Layer 2 Internet Service

In this configuration, the PE router acts as a Layer 2 device, providing a Layer 2 connection (such as circuit cross-connect [CCC]) to another router that has a full set of Internet routes. The CE router can use just one physical interface and two logical interfaces to the PE router, or it can use multiple physical interfaces to the PE router (see Figure 2).

Figure 2: PE Router Connects to a Router Connected to the InternetPE Router Connects to a Router Connected to the Internet

Distributed Internet Access Through Layer 3 VPNs

In this scenario, the PE routers provide Internet access to the CE routers. In the examples that follow, it is assumed that the Internet routes (or defaults) are present in the inet.0 table of the PE routers that provide Internet access to selected CE routers.

When accessing the Internet from a VPN, Network Address Translation (NAT) must be performed between the VPN’s private addresses and the public addresses used on the Internet unless the VPN is using the public address space. This section includes several examples of how to provide Internet access for VPNs, most of which require that the CE routers perform the address translation. The Routing Internet Traffic Through a Separate NAT Device example, however, requires that the service provider supply the NAT functionality using a NAT device connected to the PE router.

In all of the examples, the VPN’s public IP address pool (whose entries correspond to the translated private addresses) must be added to the inet.0 table and propagated to the Internet routers to receive reverse traffic from public destinations.

Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs

In this example, VPN and Internet traffic are routed through different interfaces. The CE router sends the VPN traffic through the VPN interface and sends the Internet traffic through a separate interface that is part of the main routing table on Router PE1 (the CE router can use either one physical interface with two logical units or two physical interfaces). NAT also occurs on the CE router (see Figure 3).

Figure 3: Routing VPN and Internet Traffic Through Different InterfacesRouting VPN and Internet Traffic Through Different Interfaces

The PE router is configured to install and advertise the public IP address pool for the VPN to other core routers (for return traffic). The VPN traffic is routed normally. Figure 4 illustrates the PE router’s VPN configuration.

Figure 4: Example of Internet Traffic Routed Through Separate InterfacesExample of Internet Traffic Routed Through Separate Interfaces

The configuration in this example has the following features:

  • Router PE1 uses two logical interfaces to connect to Router CE1 using Frame Relay encapsulation.

  • The routing protocol between Router PE1 and Router CE1 is EBGP.

  • Router CE1’s public IP address pool is 10.12.1.1 through 10.12.1.254 (10.12.1.0/24).

  • The next-hop-self setting is derived from the fix-nh policy statement on Router PE1. PE routers are forced to use next-hop-self so that next-hop resolution is done only for the PE router’s loopback address for non-VPN routes (by default, VPN–Internet Protocol version 4 [IPv4] routes are sent by means of next-hop-self).

You can configure Router CE1 with a static default route pointing to its public interface for everything else.

The following sections show how to route VPN and Internet traffic through different interfaces:

Configuring Interfaces on Router PE1

Configure an interface to handle VPN traffic and an interface to handle Internet traffic:

Configuring Routing Options on Router PE1

Configure a static route on Router PE1 to install a route to the CE router’s public IP address pool in inet.0:

Configuring BGP, IS-IS, and LDP Protocols on Router PE1

Configure BGP on Router PE1 to allow non-VPN and VPN peering and to advertise the VPN’s public IP address pool:

Configure IS-IS on Router PE1 to allow access to internal routes:

Configure LDP on Router PE1 to tunnel VPN routes:

Configuring a Routing Instance on Router PE1

Configure a routing instance on Router PE1:

Configuring Policy Options on Router PE1

You need to configure policy options on Router PE1. The fix-nh policy statement sets next-hop-self for all non-VPN routes:

The redist-static policy statement advertises the VPN’s public IP address pool:

Configure import and export policies for vpna:

Traffic Routed by Different Interfaces: Configuration Summarized by Router

Router PE1

Interfaces

Routing Options

BGP Protocol

IS-IS Protocol

LDP Protocol

Routing Instance

Policy Options/Policy Statements

Import and Export Policies

Routing VPN and Outgoing Internet Traffic Through the Same Interface and Routing Return Internet Traffic Through a Different Interface

In this example, the CE router sends VPN and Internet traffic through the same interface but receives return Internet traffic through a different interface. The PE router has a default route in the VRF table pointing to the main routing table inet.0. It routes the VPN public IP address pool (return Internet traffic) through a different interface in inet.0 (see Figure 5). The CE router still performs NAT functions.

Figure 5: VPN and Outgoing Internet Traffic Routed Through the Same Interface and Return Internet Traffic Routed Through a Different InterfaceVPN and Outgoing Internet Traffic Routed Through the Same Interface and Return Internet Traffic Routed Through a Different Interface

The following section shows how to route VPN and outgoing Internet traffic through the same interface and routing return Internet traffic through a different interface:

Configuration for Router PE1

This example has the same configuration as Router PE1 in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs. It uses the topology shown in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs. The default route to the VPN routing table is configured differently. At the [edit routing-instances routing-instance-name routing-options] hierarchy level, you configure a default static route that is installed in vpna.inet.0 and points to inet.0 for resolution:

You also need to change the configuration of Router CE1 (from the configuration that works with the configuration for Router PE1 described in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs) to account for the differences in the configuration of the PE routers.

Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Public Addresses)

This section shows how to configure a single logical interface to handle VPN and Internet traffic traveling both to and from the Internet and the CE router. This interface can handle both VPN and Internet traffic as long as there are no private addresses in the VPN. The VPN routes received from the CE router are added to the main routing table inet.0 by means of routing table groups. This allows the PE router to attract the return traffic from the Internet (see Figure 6).

Figure 6: Interface Configured to Carry Both Internet and VPN TrafficInterface Configured to Carry Both Internet and VPN Traffic

In this example, the CE router does not need to perform NAT, because all the VPN routes are public. The CE router has a single interface to the PE router, to which it advertises VPN routes. The PE router has a default route in the VRF table pointing to the main routing table inet.0. The PE router also imports VPN routes received from the CE router into inet.0 by means of routing table groups.

The following configuration for Router PE1 uses the same topology as in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs. This configuration uses a single logical interface (instead of two) between Router PE1 and Router CE1.

The following sections show how to route VPN and Internet traffic through the same interface bidirectionally (VPN has public addresses):

Configuring Routing Options on Router PE1

Configure a routing table group definition for installing VPN routes in routing table groups vpna.inet.0 and inet.0:

Configuring Routing Protocols on Router PE1

Configure MPLS, BGP, IS-IS, and LDP protocols on Router PE1. This configuration does not include the policy redist-static statement at the [edit protocols bgp group pe-pe] hierarchy level. The VPN routes are sent directly to IBGP.

Configure BGP on Router PE1 to allow non-VPN and VPN peering, and to advertise the VPN’s public IP address pool:

Configuring the Routing Instance on Router PE1

This section describes how to configure the routing instance on Router PE1. The static route defined in the routing-options statement directs Internet traffic from the CE router to the inet.0 routing table. The routing table group defined by the rib-group vpna-to-inet0 statement adds the VPN routes to inet.0.

Configure the routing instance on Router PE1:

You must configure Router CE1 to forward all traffic to Router PE1 using a default route. Alternatively, the default route can be advertised from Router PE1 to Router CE1 with EBGP.

Traffic Routed Through the Same Interface Bidirectionally: Configuration Summarized by Router

Router PE1

This example uses the same configuration as in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs. This configuration uses a single logical interface (instead of two) between Router PE1 and Router CE1.

Routing Options

Routing Protocols

Routing Instance

Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Private Addresses)

The example in this section shows how to route VPN and Internet traffic through the same interface in both directions (from the CE router to the Internet and from the Internet to the CE router). The VPN in this example has private addresses. If you can configure EBGP on the CE router, you can configure a PE router using the configuration outlined in Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Public Addresses), even if the VPN has private addresses.

In the example described in this section, the CE router uses separate communities to advertise its VPN routes and public routes. The PE router selectively imports only the public routes into the inet.0 routing table. This configuration ensures that return traffic from the Internet uses the same interface between the PE and CE routers as that used by VPN traffic going out to public Internet addresses (see Figure 7).

Figure 7: VPN and Internet Traffic Routed Through the Same InterfaceVPN and Internet Traffic Routed Through the Same Interface

In this example, the CE router has one interface and a BGP session with the PE router, and it tags VPN routes and Internet routes with different communities. The PE router has one interface, selectively imports routes for the VPN’s public IP address pool into inet.0, and has a default route in the VRF routing table pointing to inet.0.

The following sections show how to route VPN and Internet traffic through the same interface bidirectionally (VPN has private addresses):

Configuring Routing Options for Router PE1

On Router PE1, configure a routing table group to install VPN routes in the vpna.inet.0 and inet.0 routing tables:

Configuring a Routing Instance for Router PE1

On Router PE1, configure a routing instance. As part of the configuration for the routing instance, configure a static route that is installed in vpna.inet.0 and is pointed at inet.0 for resolution.

At the [edit routing-instances vpna protocols bgp] hierarchy level, configure a policy (import-public-addr-to-inet0) to import public routes into inet.0 and a routing table group (vpna-to-inet0) to allow BGP to install routes into multiple routing tables (vpna.inet.0 and inet.0):

Configuring Policy Options for Router PE1

Configure the policy options for Router PE1 to accept all routes initially (term a) and then to install routes with a public-comm community into routing table inet.0 (term b):

Traffic Routed by the Same Interface Bidirectionally (VPN Has Private Addresses): Configuration Summarized by Router

Router PE1

Routing Options

Routing Instances

Routing Instances Protocols BGP

Policy Options

Routing Internet Traffic Through a Separate NAT Device

In this example, the CE router does not perform NAT. It sends both VPN and Internet traffic over the same interface to the PE router. The PE router is connected to an NAT device by means of two interfaces. One interface is configured in the PE router’s VRF table and points to a VPN interface on the NAT device, which can route Internet traffic for the VPN. The other interface is in a default instance; for example, part of public routing table inet.0. There can be a single physical connection between the PE router and the NAT device and multiple logical connections—one for each VRF table and another interface—as part of the global routing table (see Figure 8).

Figure 8: Internet Traffic Routed Through a Separate NAT DeviceInternet Traffic Routed Through a Separate NAT Device

Requirements

This example uses the following hardware and software components:

  • M Series routers

  • Junos OS Release 9.3 or later

Overview

This example’s topology expands upon that illustrated in Routing VPN and Internet Traffic Through Different Interfaces for Layer 3 VPNs. The CE router sends both VPN and Internet traffic to Router PE1. VPN traffic is routed based on the VPN routes received by Router PE1. Traffic for everything else is sent to the NAT device using Router PE1’s private interface to the NAT device, which then translates the private addresses and sends the traffic back to Router PE1 using that router’s public interface (see Figure 9).

Topology

Figure 9: Internet Traffic Routed Through a NAT Example TopologyInternet Traffic Routed Through a NAT Example Topology

Configuration

To route Internet traffic through a separate NAT device, perform these tasks:

Configuring Interfaces on Router PE1

Step-by-Step Procedure
  1. Configure an interface for VPN traffic from Router CE1:

  2. Configure an interface for VPN traffic to and from the NAT device (unit 0), and an interface for Internet traffic to and from the NAT device (unit 1):

Configuring Routing Options for Router PE1

Step-by-Step Procedure
  1. Configure a static route on Router PE1 to direct Internet traffic to the CE router through the NAT device. Router PE1 distributes this route to the Internet.

Configuring Routing Protocols on Router PE1

Step-by-Step Procedure

Configure the following routing protocols on Router PE1:

  1. Configure MPLS on Router PE1. Include the NAT device’s VPN interface in the VRF table.

  2. Configure BGP on Router PE1. Include a policy to advertise the public IP address pool:

  3. Configure IS-IS on Router PE1:

  4. Configure LDP on Router PE1:

Configuring a Routing Instance on Router PE1

Step-by-Step Procedure

Configure the Layer 3 VPN routing instance on Router PE1:

  1. Configure a routing instance on Router PE1. As part of the routing instance configuration, under routing-options, configure a static default route in vpna.inet.0 pointing to the NAT device’s VPN interface (this directs all non-VPN traffic to the NAT device):

  2. Configure the routing policy for the Layer 3 VPN routing instance on Router PE1:

Results

From configuration mode on Router PE1, confirm your configuration by entering the show interfaces, show routing-options, show protocols, show routing-instances and show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Centralized Internet Access Through Layer 3 VPNs

This section describes several ways to configure a CE router to act as a central site for Internet access. Internet traffic from other sites (CE routers) is routed to the hub CE router (which also performs NAT) using that router’s VPN interface. The hub CE router then forwards the traffic to a PE router connected to the Internet through another interface identified in the inet.0 table. The hub CE router can advertise a default route to the spoke CE routers. The disadvantage of this type of configuration is that all traffic has to go through the central CE router before going to the Internet, causing network delays if this router receives too much traffic. However, in a corporate network, traffic might have to be routed to a central site because most corporate networks separate the VPN from the Internet by means of a single firewall.

This section includes the following examples:

Routing Internet Traffic Through a Hub CE Router

In this example, Internet traffic is routed through a hub CE router. The hub CE router has two interfaces to the hub PE router: a VPN interface and a public interface. It performs NAT on traffic forwarded from the hub PE router through the VPN interface and forwards that traffic from its public interface back to the hub PE router. The hub PE router has a static default route in its VRF table pointing to the hub CE router’s VPN interface. It announces this default route to the rest of the VPN, attracting all non-VPN traffic to the hub CE route. The hub PE router also installs and distributes the VPN’s public IP address space (see Figure 10).

Figure 10: Internet Access Through a Hub CE Router Performing NATInternet Access Through a Hub CE Router Performing NAT

The configuration for this example is almost identical to that described in Routing Internet Traffic Through a Separate NAT Device. The difference is that Router PE1 is configured to announce a static default route to the other CE routers (see Figure 11).

Figure 11: Internet Access Provided Through a Hub CE RouterInternet Access Provided Through a Hub CE Router

The following sections show how to configure centralized Internet access by routing Internet traffic through a hub CE router:

Configuring a Routing Instance on Router PE1

Configure a routing instance for Router PE1. As part of this configuration, under routing-options, configure a default static route (route 0.0.0.0/0) to be installed in vpna.inet.0, and point the route to the hub CE router’s VPN interface (10.23.0.1). Also, configure BGP under the routing instance to export the default route to the local CE router:

Configuring Policy Options on Router PE1

Configure policy options on Router PE1. As part of this configuration, Router PE1 should export the static default route to all the remote PE routers in vpna (configured in the policy-statement vpna-export statement under term b):

Internet Traffic Routed by a Hub CE Router: Configuration Summarized by Router

Router PE1

The configuration for Router PE1 is almost identical to that for the example in Routing Internet Traffic Through a Separate NAT Device. The difference is that Router PE1 is configured to announce a static default route to the other CE routers.

Routing Instance

Policy Options

Routing Internet Traffic Through Multiple CE Routers

The example in this section is an extension of that described in Centralized Internet Access Through Layer 3 VPNs. This example provides different exit points for different sites by means of multiple hub CE routers that perform similar functions. Each hub CE router tags the default route with a different route target and allows the spoke CE routers to select the hub site that should be used for Internet access (see Figure 12).

Figure 12: Two Hub CE Routers Handling Internet Traffic and NATTwo Hub CE Routers Handling Internet Traffic and NAT

This example uses two hub CE routers that handle NAT and Internet traffic:

  • Hub1 CE router tags 0/0 with community public-comm1 (target: 1:111)

  • Hub2 CE router tags 0/0 with community public-comm2 (target: 1:112)

The spoke CE router in this example is configured to have a bias toward Hub2 for Internet access.

The following sections describe how configure two hub CE routers to handle internet traffic and NAT:

Configuring a Routing Instance on Router PE1

Configure a routing instance on Router PE1:

Configuring Policy Options on Router PE1

The policy options for Router PE1 are the same as in Routing Internet Traffic Through a Hub CE Router, but the configuration in this example includes an additional community, public-comm1, in the export statement:

The configuration of Router PE2 is identical to that of Router PE1 except that Router PE2 exports the default route through community public-comm2.

Configuring a Routing Instance on Router PE3

Configure routing instance vpna on Router PE3:

Configuring Policy Options on Router PE3

Configure the vrf-import policy for Router PE3 to select the Internet exit point based on the additional communities specified in Configuring Policy Options on Router PE1:

Routing Internet Traffic Through Multiple CE Routers: Configuration Summarized by Router

Router PE1

This configuration is an extension of the example in Routing Internet Traffic Through a Hub CE Router. It provides different exit points for various sites by using multiple hub CE routers that perform similar functions.

Routing Instances

Policy Options

Router PE2

The configuration of Router PE2 is identical to that of Router PE1, except that Router PE2 exports the default route through community public-comm2 (see #id-centralized-internet-access-through-layer-3-vpns__d410e254).

Router PE3

Routing Instances

Policy Options