L3VPN Extranet
IP addressing, IGP, Segment Routing, and BGP on the CEs are already configured.
The objective is to configure three L3VPN services and allow the PARTNER1 L3VPN to reach the loopbacks of each customer router. Additionally, each customer L3VPN service should have access to the 192.0.2.0/24 network. The idea is that the partner needs to manage these separate customers, so the partner needs reachability into the customer L3VPNs.
NAT is already configured on the customer CEs. The R2 customer routers will be NATed to 10.255.255.X and should be able to ping 192.0.2.2.
You will need to configure BGP on the provider network, but throughout this entire exercise you should not need to make any changes to customer routers.
The routing table of each CE should appear as follows:
R2 of each customer should be able to ping 192.0.2.2:
First you must run iBGP inside the service provider network. You can simply run iBGP between PE1 and PE3, creating a BGP-free core. You will need to peer with each CE. They are all 100.64.0.2 with remote-as 65000. On PE3_XR you will need a route-policy that passes all routes received and advertised because these are eBGP neighbors (i.e. route-policy PASS in/out).
Next you will need to import PARTNER1 routes into the customer VRFs and import the customer 10.255.255.X/32 loopbacks into the PARTNER1 VRF. To do this you import 10:10 into each customer VRF, and import 1:1 and 2:2 into the PARTNER1 VRF.
The problem is that we must filter the routes that are imported so we don’t get the LAN routes. On PE1 you can use an import map such as this:
The logic of the route-map is that only the partner subnet is imported with RT 10:10, then any route with RT 1:1 is imported, and anything else is denied.
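The import-map logic described above, written out as an added IOS-style example; it is not the lab's own configuration. The names CUSTOMER1, CUSTOMER1_IMPORT, PARTNER_SUBNET, RT_PARTNER and RT_CUSTOMER are hypothetical, and the `vrf definition` syntax and the existing 1:1 import/export on the customer VRF are assumptions.

```ios
! Added example, not the lab's configuration. All object names are hypothetical.
!
! The only PARTNER1 prefix a customer VRF is allowed to learn (from the lab text).
ip prefix-list PARTNER_SUBNET seq 5 permit 192.0.2.0/24
!
! Extended community lists used to identify where a VPNv4 route came from.
ip extcommunity-list standard RT_PARTNER permit rt 10:10
ip extcommunity-list standard RT_CUSTOMER permit rt 1:1
!
! Sequence 10: both match lines must be true (logical AND), so a route is
! accepted only if it carries RT 10:10 and is exactly 192.0.2.0/24.
route-map CUSTOMER1_IMPORT permit 10
 match ip address prefix-list PARTNER_SUBNET
 match extcommunity RT_PARTNER
!
! Sequence 20: the customer's own routes (RT 1:1) are imported unchanged.
route-map CUSTOMER1_IMPORT permit 20
 match extcommunity RT_CUSTOMER
!
! Sequence 30: anything else is dropped, including other PARTNER1 prefixes
! that carry RT 10:10. This is the same as the implicit deny, made explicit.
route-map CUSTOMER1_IMPORT deny 30
!
! Assumed VRF layout: the RD is already configured and is not shown here.
vrf definition CUSTOMER1
 address-family ipv4
  ! The import map is evaluated in addition to the route-target import list:
  ! a route must match an imported RT and be permitted by the map.
  import map CUSTOMER1_IMPORT
  route-target export 1:1
  route-target import 1:1
  route-target import 10:10
 exit-address-family
```

With this applied, `show ip route vrf CUSTOMER1` on PE1 should list 192.0.2.0/24 as the only prefix learned from PARTNER1.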
On PE3_XR you will need a route-policy such as this:
I will leave it to you to figure out the route-policy for routes imported into the PARTNER1 VRF.
Finally, you will notice that none of these imported routes are accepted by the CEs. This is because they all use AS 65000, so they reject the route due to loop avoidance. You can use as-override on each CE neighbor to change the AS path from 100 65000 i to 100 100 i.