Internet Access Options

According to RFC 4364 there are several methods for accessing the public Internet using MPLS VPNs. Each approach uses either “VRF aware” or “non VRF aware” procedures to deliver Internet access to a CE device.

Option 1.1 (Third Party Provider)

In this scenario the provider simply does not participate in any Internet gateway service and the access is provided by a third party network.

Option 1.2 (PE provides Layer 2 VPN towards Internet Gateway)

In this scenario a separate peering router is used to connect the provider's network to the Internet. Access to the customer CE is provided using an MPLS layer 2 VPN, using CCC Ethernet encapsulation to present the attachment circuit to the CE. The attachment circuit does not necessarily need to be connected on a separate physical interface, as it can be presented as a different logical interface over the customer's existing circuit.

Option 2.1 (Separate interfaces for VPN and Internet Gateway)

In this scenario the CE router connects to the PE using two separate logical interfaces. The interface that connects to the Internet is part of the global routing table on both the CE and PE, which makes it non VRF aware. A second, VRF aware interface is also connected between the CE and PE to carry the customer's VPN routes as part of their internal routing domain.

The PE carries all customer public routes within its global routing table and advertises them to the Internet. A default route, or a full or partial Internet table, is advertised from the PE to the CE over the non VRF aware interface. Using a rib-group (or a static route with a next-hop table statement), each CE that requires Internet access exports the default route into the internal VPN. To provide inbound routing from the Internet, the customer's public address space is exported from the internal VPN into the CE's global routing table.

Option 2.2 (Internet routes within the VRF table on the PE)

In this scenario the CE router again connects to the PE using two separate logical interfaces, one non VRF aware and one VRF aware. All outbound traffic is carried over the VRF aware interface; when it arrives at the PE, a default static route configured with the next-hop table statement directs the outbound traffic to the global routing table.

Traffic arriving at the PE from the Internet is directed to the CE over the non VRF aware interface. Either a rib-group or static next-hop table configuration routes traffic towards the customer VPN table.

Option 2.3 (Single interface for VPN and Internet access)

In this scenario a single VRF aware interface is used between the CE and the PE. All public and private routes are carried within the VPN. If BGP is used between the CE and PE, the public routes can be tagged with a community so that when they arrive at the PE they can be exported into the global routing table using a rib-group that matches on this community. All other private VPN routes stay within the customer domain.

In order to carry outbound traffic outside of the customer VRF a default route with a next-hop table statement is configured on the PE. The next-hop table is configured as the global routing table which allows outbound traffic to reach the Internet.
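The following Junos configuration is an added illustration of Option 2.3 on the PE, not a configuration from the original post. The VRF name CUST-A, the CE interface ge-0/0/1.100, the CE AS 65001 and address 192.0.2.2, and the community 65000:100 are all constructed values; `next-table` is the Junos keyword behind the next-hop table statement described above.

```junos
policy-options {
    /* Constructed values: the CE tags its public prefixes with 65000:100 */
    community CUST-A-PUBLIC members 65000:100;
    policy-statement CUST-A-PUBLIC-TO-INET {
        /* Only CE routes carrying the public community may be copied into inet.0 */
        term leak-public {
            from community CUST-A-PUBLIC;
            to rib inet.0;
            then accept;
        }
        /* Every other VPN route (private address space) is kept out of inet.0 */
        term block-private {
            to rib inet.0;
            then reject;
        }
        /* Routes are still installed in the primary table CUST-A.inet.0 */
        term keep-in-vrf { then accept; }
    }
}
routing-options {
    rib-groups {
        CUST-A-TO-INET {
            import-rib [ CUST-A.inet.0 inet.0 ];
            import-policy CUST-A-PUBLIC-TO-INET;
        }
    }
}
routing-instances {
    CUST-A {
        instance-type vrf;
        interface ge-0/0/1.100;
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
        routing-options {
            /* Outbound: the default route inside the VRF resolves in inet.0 */
            static { route 0.0.0.0/0 next-table inet.0; }
        }
        protocols {
            bgp {
                /* Inbound: the rib-group on the CE session leaks tagged routes */
                group CE {
                    type external;
                    peer-as 65001;
                    neighbor 192.0.2.2;
                    family inet { unicast { rib-group CUST-A-TO-INET; } }
                }
            }
        }
    }
}
```

The block-private term is the important control: without it the rib-group would copy every route the CE advertises, private address space included, into the global table and make it reachable from the Internet. Advertising the leaked public prefixes to Internet peers still needs a separate export policy on the global BGP sessions, which is outside this example.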

Option 3 (Central hub site with separate interfaces for VPN and Internet gateway)

In this scenario a central CE router connects both a non VRF and a VRF interface to the PE router. For outbound traffic a default route is generated by the PE in its global routing table and sent to the central CE over the non VRF interface. The default route is then given a next-hop table statement from within the CE's VRF table; this default static route is also advertised to all remote CEs within the VPN to provide outbound connectivity for the whole VPN domain.

Inbound traffic is routed to the PE within its global routing table, and customer Internet routes are advertised by the central CE towards the PE using the non VRF interface. The central CE then uses the next-hop table statement to forward inbound Internet traffic into the VPN table to provide connectivity for the rest of the VPN domain.
