MPLS - Internet Connectivity Through Route Leaking

Download

Internet Connectivity Through Route Leaking

Internet connectivity through route leaking is a technique used in networking to enable specific routes from a private network, such as those within a Virtual Private Network (VPN) or an isolated segment, to be selectively shared or "leaked" into the global Internet routing table. Typically implemented at the edge routers, this process involves controlled sharing of routes between the private network and the public Internet. Route leaking allows certain devices within the private network, like Customer Edge (CE) routers in a MPLS-based VPN, to access the Internet while maintaining the isolation of other network segments. This approach facilitates a more granular control over the traffic flow, allowing organizations to define policies for which routes should be leaked to the Internet and ensuring secure and efficient Internet connectivity for specific network segments while keeping others private. Careful configuration and policy implementation are essential to avoid potential security risks associated with route leaking and to ensure optimal network performance.

Lab:

Disclaimer

This Configuration Guide is designed to assist members to enhance their skills in particular technology area. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an “as is” basis. Neither the authors nor Forum assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this guide. This configuration guide was developed by Forum. Any similarities between material presented in this configuration guide and any other material is completely coincidental.

CE1 Router:

ip cef 
! 
interface Loopback0 
ip address 203.1.0.1 255.255.255.255 
! 
interface Loopback1 
ip address 203.1.1.1 255.255.255.0 
! 
interface FastEthernet0/0 
ip address 150.1.31.18 255.255.255.252 
!
router bgp 1 
no synchronization 
network 203.1.0.1 mask 255.255.255.255 
network 203.1.1.0 
redistribute connected 
neighbor 150.1.31.17 remote-as 3 
neighbor 150.1.31.17 allowas-in
no auto-summary 
! 
ip route 0.0.0.0 0.0.0.0 150.1.31.17 
! 
end

CE2 Router:

ip cef 
! 
interface Loopback0 
ip address 203.1.0.2 255.255.255.255 
! 
interface Loopback1 
ip address 203.1.2.1 255.255.255.0 
! 
interface FastEthernet0/0 
ip address 150.1.31.14 255.255.255.252 
!
router bgp 1 
no synchronization 
network 203.1.0.2 mask 255.255.255.255 
network 203.1.2.0 
redistribute connected 
neighbor 150.1.31.13 remote-as 3 
neighbor 150.1.31.13 allowas-in
no auto-summary 
! 
ip route 0.0.0.0 0.0.0.0 150.1.31.13 
! 
end

PE1 Router:

ip cef! 
ip vrf vpna 
rd 3:10 
route-target export 3:10 
route-target import 3:10 
! 
mpls label protocol ldp 
! 
interface Loopback1 
ip address 192.168.3.1 255.255.255.255 
! 
interface FastEthernet0/0 
ip vrf forwarding vpna 
ip address 150.1.31.17 255.255.255.252 
! 
interface Serial2/0 
ip address 192.168.3.18 255.255.255.252 
mpls ip 
! 
router ospf 1 
redistribute static subnets 
network 192.168.3.0 0.0.0.255 area 0 
! 
router bgp 3
neighbor 192.168.3.2 remote-as 3 
neighbor 192.168.3.2 update-source Loopback1 
neighbor 192.168.3.4 remote-as 3 
neighbor 192.168.3.4 update-source Loopback1 
! 
address-family ipv4 
neighbor 192.168.3.2 activate 
neighbor 192.168.3.2 next-hop-self 
neighbor 192.168.3.2 soft-reconfiguration inbound
neighbor 192.168.3.4 activate 
neighbor 192.168.3.4 next-hop-self 
neighbor 192.168.3.4 soft-reconfiguration inbound 
no auto-summary 
no synchronization 
network 192.168.3.1 mask 255.255.255.255 
exit-address-family 
! 
address-family vpnv4 
neighbor 192.168.3.2 activate 
neighbor 192.168.3.2 send-community extended 
exit-address-family 
! 
address-family ipv4 vrf vpna 
neighbor 150.1.31.18 remote-as 1 
neighbor 150.1.31.18 activate 
neighbor 150.1.31.18 as-override 
no synchronization 
exit-address-family 
! 
ip route 203.1.0.1 255.255.255.255 FastEthernet0/0 
150.1.31.18 
ip route 203.1.1.0 255.255.255.0 FastEthernet0/0 
150.1.31.18 
ip route vrf vpna 0.0.0.0 0.0.0.0 150.1.31.9 global 
! 
mpls ldp router-id Loopback1 
! 
end

PE2 Router:

ip cef 
! 
ip vrf vpna 
rd 3:10 
route-target export 3:10 
route-target import 3:10 
! 
mpls label protocol ldp 
! 
interface Loopback1 
ip address 192.168.3.2 255.255.255.255 
! 
interface FastEthernet0/0 
ip vrf forwarding vpna 
ip address 150.1.31.13 255.255.255.252 
! 
interface Serial2/1 
ip address 192.168.3.13 255.255.255.252 
mpls ip 
! 
router ospf 1 
redistribute static subnets 
network 192.168.3.0 0.0.0.255 area 0 
! 
router bgp 3 
neighbor 192.168.3.1 remote-as 3 
neighbor 192.168.3.1 update-source Loopback1 
neighbor 192.168.3.4 remote-as 3 
neighbor 192.168.3.4 update-source Loopback1 
! 
address-family ipv4 
neighbor 192.168.3.1 activate 
neighbor 192.168.3.1 next-hop-self 
neighbor 192.168.3.1 soft-reconfiguration inbound 
neighbor 192.168.3.4 activate 
neighbor 192.168.3.4 next-hop-self 
neighbor 192.168.3.4 soft-reconfiguration inbound 
no auto-summary 
no synchronization 
network 192.168.3.2 mask 255.255.255.255 
exit-address-family 
! 
address-family vpnv4 
neighbor 192.168.3.1 activate 
neighbor 192.168.3.1 send-community extended 
exit-address-family 
! 
address-family ipv4 vrf vpna 
neighbor 150.1.31.14 remote-as 1 
neighbor 150.1.31.14 activate 
neighbor 150.1.31.14 as-override 
no synchronization 
exit-address-family 
! 
ip route 203.1.0.2 255.255.255.255 FastEthernet0/0 
150.1.31.14 
ip route 203.1.2.0 255.255.255.0 FastEthernet0/0 
150.1.31.14 
ip route vrf vpna 0.0.0.0 0.0.0.0 150.1.31.9 global 
! 
mpls ldp router-id Loopback1 
! 
end

P Router:

ip cef 
! 
mpls label protocol ldp 
! 
interface Loopback1 
ip address 192.168.3.3 255.255.255.255 
! 
interface Serial2/0 
ip address 192.168.3.17 255.255.255.252 
mpls ip 
! 
interface Serial2/1 
ip address 192.168.3.14 255.255.255.252 
mpls ip 
! 
interface Serial2/2 
ip address 192.168.3.9 255.255.255.252 
mpls ip 
! 
router ospf 1 
network 192.168.3.0 0.0.0.255 area 0 
! 
mpls ldp router-id Loopback1 
! 
end

IGW Router:

ip cef 
! 
mpls label protocol ldp 
! 
interface Loopback1 
ip address 192.168.3.4 255.255.255.255 
! 
interface FastEthernet0/0
ip address 150.1.31.9 255.255.255.252 
! 
interface Serial2/2 
ip address 192.168.3.10 255.255.255.252 
mpls ip 
! 
router ospf 1 
network 0.0.0.0 255.255.255.255 area 0 
! 
router bgp 3 
no synchronization 
network 192.168.3.4 mask 255.255.255.255 
network 203.1.0.1 mask 255.255.255.255 
network 203.1.0.2 mask 255.255.255.255 
network 203.1.1.0 
network 203.1.2.0 
neighbor 150.1.31.10 remote-as 200 
neighbor 150.1.31.10 soft-reconfiguration inbound 
neighbor 192.168.3.1 remote-as 3 
neighbor 192.168.3.1 update-source Loopback1 
neighbor 192.168.3.1 next-hop-self 
neighbor 192.168.3.1 soft-reconfiguration inbound 
neighbor 192.168.3.2 remote-as 3 
neighbor 192.168.3.2 update-source Loopback1 
neighbor 192.168.3.2 next-hop-self 
neighbor 192.168.3.2 soft-reconfiguration inbound 
no auto-summary 
! 
mpls ldp router-id Loopback1 
! 
end

Internet Router:

ip cef 
! 
interface Loopback1 
ip address 100.100.100.100 255.255.255.255 
! 
interface FastEthernet0/0 
ip address 150.1.31.10 255.255.255.252 
! 
router bgp 200 
no synchronization 
network 100.100.100.100 mask 255.255.255.255 
neighbor 150.1.31.9 remote-as 3 
neighbor 150.1.31.9 soft-reconfiguration inbound
no auto-summary 
! 
end

Verification:

CE1#ping 100.100.100.100 source 203.1.1.1
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:Packet sent with a source address of 
203.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 732/473/672 ms 

CE2#ping 100.100.100.100 source 203.1.2.1
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds: 
Packet sent with a source address of 203.1.2.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 388/595/1044 ms

PE1#show ip route vrf vpna
Routing Table: vpna 
Gateway of last resort is 150.1.31.9 to network 0.0.0.0 
B 203.1.2.0/24 [200/0] via 192.168.3.2, 00:13:54 
B 203.1.1.0/24 [20/0] via 150.1.31.18, 00:14:00 
203.1.0.0/32 is subnetted, 2 subnets 
B 203.1.0.2 [200/0] via 192.168.3.2, 00:13:54 
B 203.1.0.1 [20/0] via 150.1.31.18, 00:14:00 
150.1.0.0/30 is subnetted, 2 subnets 
B 150.1.31.12 [200/0] via 192.168.3.2, 00:13:54 
C 150.1.31.16 is directly connected, FastEthernet0/0 
S* 0.0.0.0/0 [1/0] via 150.1.31.9

INTERNET#show ip route
Gateway of last resort is not set 
100.0.0.0/32 is subnetted, 1 subnets 
C 100.100.100.100 is directly connected, Loopback1 
B 203.1.2.0/24 [20/20] via 150.1.31.9, 00:16:47 
B 203.1.1.0/24 [20/20] via 150.1.31.9, 00:16:47 
203.1.0.0/32 is subnetted, 2 subnets 
B 203.1.0.2 [20/20] via 150.1.31.9, 00:16:47 
B 203.1.0.1 [20/20] via 150.1.31.9, 00:16:47 
150.1.0.0/30 is subnetted, 1 subnets 
C 150.1.31.8 is directly connected, FastEthernet0/0 
192.168.3.0/32 is subnetted, 3 subnets 
B 192.168.3.2 [20/0] via 150.1.31.9, 00:16:47 
B 192.168.3.1 [20/0] via 150.1.31.9, 00:16:47 
B 192.168.3.4 [20/0] via 150.1.31.9, 00:16:47