VRF to Global Internet Access (IOS-XE)
Load vpnv4.inet.access.init.cfg
#IOS-XE
config replace flash:vpnv4.inet.access.init.cfg
#IOS-XR
configure
load bootflash:vpnv4.inet.access.init.cfg
commit replace
y

L3VPN is fully set up, with R7 and R8 as CEs. BGP is established with R1 and XR2 in the default table.
Allow R7 and R8 to have access to the internet via R2.
They should both be able to ping 1.1.1.1.
Do not configure any new IP addresses on R7 or R8.
Do not leak R7's and R8's IP addresses out to the internet.
Answer
#R3
router bgp 100
add vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 inherit peer-policy IBGP
#R2
vrf definition VPN_A
rd 100:1
route-target export 100:1
route-target import 100:1
!
address-family ipv4
exit-address-family
!
ip route vrf VPN_A 0.0.0.0 0.0.0.0 10.1.2.1 global
!
router bgp 100
add vpnv4
neighbor 3.3.3.3 activate
add ipv4 vrf VPN_A
network 0.0.0.0 mask 0.0.0.0
!
ip access-list ext SOURCES
permit ip host 7.7.7.7 any
permit ip host 8.8.8.8 any
!
ip nat inside source list SOURCES int gi2.12 vrf VPN_A overload
!
int gi2.12
ip nat outside
int gi2.23
ip nat inside
int gi2.24
ip nat inside
Explanation
The easiest way to provide internet access to a VPN is to run the internet in its own VRF. This allows you to easily use RTs and import policies to provide internet access.
Providing internet access in the global table is not as easy. On IOS-XE, we can point a default route in the VRF to the global table, but we must specify a connected/local next hop, and the global keyword tells IOS to resolve that next hop in the global table instead of the VRF.
ip route vrf VPN_A 0.0.0.0 0.0.0.0 10.1.2.1 global
We do not have a good way to route the return traffic received in the global table back to the original VRF. The only way I can tell to accomplish this is to use the egress PE NAT feature.
ip access-list ext SOURCES
permit ip host 7.7.7.7 any
permit ip host 8.8.8.8 any
!
ip nat inside source list SOURCES int gi2.12 vrf VPN_A overload
!
int gi2.12
ip nat outside
int gi2.23
ip nat inside
int gi2.24
ip nat inside
Verification
R7 and R8 can ping 1.1.1.1

R2 NATs the source to its interface address. Return traffic is automatically routed back into the VRF via the VRF flag on the NAT entry.
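The behaviour described above, as an added example that is not part of the original lab: a small Python model that parses the R2 answer (ACL, NAT rule, interface roles), walks a VPN_A packet out through the overload rule and its reply back in, and runs the checks a reviewer would make before trusting the design (the rule points at a real outside interface, and every CE address that must stay hidden is in the source list). The gi2.12 address 10.1.2.2 is an assumption (the page only shows the 10.1.2.1 next hop), and the 9.9.9.9 source is a constructed test address used to show what an address missing from SOURCES would look like.

```python
"""Model of the egress-PE NAT answer (added example, not the lab's own code).
Assumes gi2.12 is 10.1.2.2; 9.9.9.9 below is a constructed test source."""
import re
from dataclasses import dataclass
from typing import Optional

# Relevant part of the R2 answer; sub-commands indented as IOS displays them.
CONFIG = """
ip access-list ext SOURCES
 permit ip host 7.7.7.7 any
 permit ip host 8.8.8.8 any
!
ip nat inside source list SOURCES int gi2.12 vrf VPN_A overload
!
int gi2.12
 ip nat outside
int gi2.23
 ip nat inside
int gi2.24
 ip nat inside
"""
OUTSIDE_IP = "10.1.2.2"                 # assumed gi2.12 address (not on the page)
CE_LOOPBACKS = ("7.7.7.7", "8.8.8.8")   # addresses the task says must not leak


def parse_config(text):
    """Return ({acl: [hosts]}, nat_rule dict or None, {interface: 'inside'|'outside'})."""
    acls, rule, roles, section = {}, None, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if s in ("", "!"):                      # end of the current block
            section = None
            continue
        if raw.startswith(" "):                 # sub-command of the current block
            if section:
                kind, name = section
                m = re.match(r"permit ip host (\S+) any", s)
                if kind == "acl" and m:
                    acls[name].append(m.group(1))
                elif kind == "int" and s in ("ip nat inside", "ip nat outside"):
                    roles[name] = s.split()[-1]
            continue
        m = re.match(r"ip access-list \S+ (\S+)", s)
        if m:
            section = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"ip nat inside source list (\S+) int\S* (\S+) vrf (\S+) overload", s)
        if m:
            rule = {"acl": m.group(1), "outside_if": m.group(2), "vrf": m.group(3)}
            continue
        m = re.match(r"int\S* (\S+)", s)
        if m:
            section = ("int", m.group(1))
    return acls, rule, roles


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    vrf: Optional[str]  # None means the global table


class EgressPeNat:
    def __init__(self, config, outside_ip):
        self.acls, self.rule, self.roles = parse_config(config)
        self.outside_ip = outside_ip
        self.table = {}         # (outside_ip, port) -> (orig src, orig sport, vrf)
        self.next_port = 1024   # overload: one outside port per flow

    def forward(self, pkt):
        """VRF packet leaving via the outside interface. Returns (packet as seen
        in the global table, leaked); leaked=True means the inside address was
        not matched by the source list and would reach the internet unchanged."""
        permitted = self.acls.get(self.rule["acl"], [])
        if pkt.vrf == self.rule["vrf"] and pkt.src in permitted:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[(self.outside_ip, port)] = (pkt.src, pkt.sport, pkt.vrf)
            return Packet(self.outside_ip, pkt.dst, port, pkt.dport, None), False
        return Packet(pkt.src, pkt.dst, pkt.sport, pkt.dport, None), True

    def reverse(self, pkt):
        """Reply arriving in the global table: the matching entry restores the
        original address and, because the entry records the VRF, places the
        packet back in it. No entry means no way back, so it is dropped (None)."""
        entry = self.table.get((pkt.dst, pkt.dport))
        if entry is None:
            return None
        src, sport, vrf = entry
        return Packet(pkt.src, src, pkt.sport, sport, vrf)


def audit(nat):
    """Checks on the parsed config; an empty list means the design is consistent."""
    if nat.rule is None:
        return ["no 'ip nat inside source list ... vrf ... overload' rule"]
    problems = []
    if nat.roles.get(nat.rule["outside_if"]) != "outside":
        problems.append(f"{nat.rule['outside_if']} is not 'ip nat outside'")
    if "inside" not in nat.roles.values():
        problems.append("no interface is 'ip nat inside'")
    for ce in CE_LOOPBACKS:
        if ce not in nat.acls.get(nat.rule["acl"], []):
            problems.append(f"{ce} is not in {nat.rule['acl']} and would leak")
    return problems
```

Typical use: build `EgressPeNat(CONFIG, OUTSIDE_IP)`, run `audit()` first, then `forward()` a packet from 7.7.7.7 to 1.1.1.1 and hand the reply (destined to 10.1.2.2 and the allocated port) to `reverse()`; the returned packet carries `vrf="VPN_A"`, which is the VRF flag on the NAT entry doing the work that plain routing in the global table cannot.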
