# Internet Reachability between VRFs

Load **nat44.vpn.lab3.init.cfg**

```
#IOS-XE
config replace flash:nat44.vpn.lab3.init.cfg

#IOS-XR
configure
load bootflash:nat44.vpn.lab3.init.cfg
commit replace
y
```

<figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2F91eyYcj8CwmV3rWg5N9a%2Fimage.png?alt=media&#x26;token=1f1c5237-cbb8-43e2-96ae-f22edd977fe3" alt=""><figcaption></figcaption></figure>

The R2-R1 link is now in the INET VRF. R8, the CE for VPN\_A, has been given 100.8.8.8/32 as a public address it can use to reach the internet. This is already set on R8 as loopback100.

Configure route leaking so that R8 can ping 8.8.8.8 sourced from 100.8.8.8/32.

## Answer <a href="#id-57ed39f2-8bd6-4e9a-8e43-41985f56f81a" id="id-57ed39f2-8bd6-4e9a-8e43-41985f56f81a"></a>

```
#R2
ip route vrf INET 0.0.0.0 0.0.0.0 100.1.2.1
!
router bgp 100
 address-family ipv4 vrf INET
  redistribute static
  default-information originate
!
!
ip extcommunity-list standard INET_RT permit rt 100:0
ip extcommunity-list standard VPN_A_RT permit rt 100:1
ip prefix-list VPN_A_PUBLICS permit 100.8.8.8/32
!
route-map IMPORT_VPN_PUBLICS permit 10
 match ip address prefix-list VPN_A_PUBLICS
 match extcommunity VPN_A_RT
route-map IMPORT_VPN_PUBLICS permit 1000
 match extcommunity INET_RT
!
vrf definition INET
 address-family ipv4
  route-target import 100:1
  import map IMPORT_VPN_PUBLICS
  
#R5
ip prefix-list DEFAULT_ONLY permit 0.0.0.0/0
ip extcommunity-list standard INET_RT permit rt 100:0
ip extcommunity-list standard VPN_A_RT permit rt 100:1
!
route-map IMPORT_INET_DEFAULT permit 10
 match ip address prefix-list DEFAULT_ONLY
 match extcommunity INET_RT
route-map IMPORT_INET_DEFAULT permit 20
 match extcommunity VPN_A_RT
!
vrf definition VPN_A
 route-target import 100:0
 !
 address-family ipv4
  import map IMPORT_INET_DEFAULT
```

## Explanation <a href="#id-211677f4-0f94-43de-bad4-550da4de29a1" id="id-211677f4-0f94-43de-bad4-550da4de29a1"></a>

This lab does not use NAT, but instead demonstrates how a customer can use public address space to reach the internet within their L3VPN.

First, R2 configures a static default route (0/0) in the INET VRF and originates it into BGP so that other PEs can import it into their customer VRFs.

```
#R2
ip route vrf INET 0.0.0.0 0.0.0.0 100.1.2.1
!
router bgp 100
 address-family ipv4 vrf INET
  redistribute static
  default-information originate
```

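Next, R2 imports the public 100.8.8.8/32 route into the INET VRF. Importing RT 100:1 on its own would bring every VPN\_A route into the INET VRF, so we must use an import map to control which prefixes are imported. We only want to import this one /32 from the VPN\_A VRF. Because the import map is applied to every route imported into the VRF, it also needs a second sequence that still permits all other INET prefixes (with a 100:0 RT).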

```
ip extcommunity-list standard INET_RT permit rt 100:0
ip extcommunity-list standard VPN_A_RT permit rt 100:1
ip prefix-list VPN_A_PUBLICS permit 100.8.8.8/32
!
route-map IMPORT_VPN_PUBLICS permit 10
 match ip address prefix-list VPN_A_PUBLICS
 match extcommunity VPN_A_RT
route-map IMPORT_VPN_PUBLICS permit 1000
 match extcommunity INET_RT
!
vrf definition INET
 address-family ipv4
  route-target import 100:1
  import map IMPORT_VPN_PUBLICS
```

On R5, we do the opposite. We import only the 0/0 route from the INET VRF into the customer VRF.

```
ip prefix-list DEFAULT_ONLY permit 0.0.0.0/0
ip extcommunity-list standard INET_RT permit rt 100:0
ip extcommunity-list standard VPN_A_RT permit rt 100:1
!
route-map IMPORT_INET_DEFAULT permit 10
 match ip address prefix-list DEFAULT_ONLY
 match extcommunity INET_RT
route-map IMPORT_INET_DEFAULT permit 20
 match extcommunity VPN_A_RT
!
vrf definition VPN_A
 route-target import 100:0
 !
 address-family ipv4
  import map IMPORT_INET_DEFAULT
```
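A small Python model of the two import maps above, added here as an illustration (it is not part of the original lab). It assumes each VRF also imports its own RT, and the routes marked hypothetical are constructed sample data; the run without a map shows what the import map on R2 keeps out of the INET VRF.

```python
import ipaddress

def prefix_list(*entries):
    """Exact-match prefix-list (no ge/le), as in the lab config."""
    nets = {ipaddress.ip_network(e) for e in entries}
    return lambda route: ipaddress.ip_network(route["prefix"]) in nets

def has_rt(rt):
    """Standard extcommunity-list with a single 'permit rt' entry."""
    return lambda route: rt in route["rts"]

# (sequence, [match clauses]); clauses inside one sequence are ANDed.
IMPORT_VPN_PUBLICS = [   # R2, vrf INET
    (10, [prefix_list("100.8.8.8/32"), has_rt("100:1")]),
    (1000, [has_rt("100:0")]),
]
IMPORT_INET_DEFAULT = [  # R5, vrf VPN_A
    (10, [prefix_list("0.0.0.0/0"), has_rt("100:0")]),
    (20, [has_rt("100:1")]),
]

def evaluate(route_map, route):
    """Return the first permitting sequence, or None (implicit deny)."""
    for seq, clauses in route_map:
        if all(clause(route) for clause in clauses):
            return seq
    return None

def imported(import_rts, route_map, routes):
    """A route is imported if it carries an import RT and, when an
    import map is set, a permit sequence matches it."""
    return [r["prefix"] for r in routes
            if set(r["rts"]) & import_rts
            and (route_map is None or evaluate(route_map, r) is not None)]

# Constructed VPNv4 sample; the two 'hypothetical' prefixes are not from the lab.
ROUTES = [
    {"prefix": "0.0.0.0/0",    "rts": ["100:0"]},
    {"prefix": "100.1.2.0/24", "rts": ["100:0"]},  # hypothetical INET route
    {"prefix": "100.8.8.8/32", "rts": ["100:1"]},
    {"prefix": "10.8.0.0/24",  "rts": ["100:1"]},  # hypothetical private VPN_A route
]
BOTH_RTS = {"100:0", "100:1"}  # assumed: each VRF also imports its own RT

if __name__ == "__main__":
    print("INET with map:   ", imported(BOTH_RTS, IMPORT_VPN_PUBLICS, ROUTES))
    print("INET without map:", imported(BOTH_RTS, None, ROUTES))
    print("VPN_A with map:  ", imported(BOTH_RTS, IMPORT_INET_DEFAULT, ROUTES))
```

With the map, the hypothetical private route 10.8.0.0/24 stays out of the INET VRF; without it, every RT 100:1 route would be imported.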

R8 now has a 0/0 route in its BGP table:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FHktNNUJxqbVfxJwKRGIA%2Fimage.png?alt=media&#x26;token=ebeac300-3a43-48b6-b2b6-073d205a1cbe" alt=""><figcaption></figcaption></figure></div>

On R5, this points to R2 in the INET VRF:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FzelPeqnLr0FDky7J08jz%2Fimage.png?alt=media&#x26;token=d07406e3-f4fc-4a31-90a1-7bdec6ece4ac" alt=""><figcaption></figcaption></figure></div>

R2 routes back to 100.8.8.8/32 via the VPN\_A route that it is importing into the INET VRF.

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2F4UFdUMPlFYeZx1dhze15%2Fimage.png?alt=media&#x26;token=0414e51e-b6ca-4505-b124-dc2131a518e5" alt=""><figcaption></figcaption></figure></div>

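The end result is that R8 can ping 8.8.8.8, but only if sourced from Lo100, because 100.8.8.8/32 is the only VPN\_A prefix leaked into the INET VRF and R2 has no return route there for R8's other addresses.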

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FZHer6XmFj7NMRDfMsgS4%2Fimage.png?alt=media&#x26;token=a44f3c25-f521-4117-9345-82ed1b1b1331" alt=""><figcaption></figcaption></figure></div>

## Conclusion <a href="#id-3592c110-172b-4a15-84c6-bdd9e158730e" id="id-3592c110-172b-4a15-84c6-bdd9e158730e"></a>

This lab shows a basic example of extranets. VPN routes can be leaked between VRFs by importing the RT of the remote VRF. Import route-maps control which routes are imported from each VPN.
