Configuration example: intranet users reaching different services through different egress VPN instances

2020-08-22 03:16:58 Published

Network Topology

1. Router1 has two egress VPN instances, each connecting to a different region.

2. When PC traffic arrives at Router1, the PBR applied to the inbound interface matches it by source and destination address and redirects it to a next hop inside the corresponding VPN instance.

3. The PC reaches Router2 (address 2.2.2.2) and Router3 (address 3.3.3.3) through different VPN-bound interfaces, and both communicate normally.



Configuration Steps

In this case a router simulates the intranet PC, Router0 simulates the intranet Layer 3 switch, Router1 simulates the branch egress device, and Router2 and Router3 simulate the remote devices behind the two exits.

Router1 uses G0/0 to connect to the Layer 3 device Router0 on the internal network; the interface address is 1.1.1.2 and the interface stays in the public instance.

Router1 uses G0/1 to connect to Router2; the interface address is 2.1.1.1 and the interface is bound to vpn-instance 1.

Router1 uses G0/2 to connect to Router3; the interface address is 3.1.1.1 and the interface is bound to vpn-instance 2.

The interfaces on Router2 and Router3 that connect to Router1 are not bound to any VPN instance.


1. Configuration of the PC


# Configure interface Address:

[PC]interface GigabitEthernet5/0


[PC-GigabitEthernet5/0] port link-mode route


[PC-GigabitEthernet5/0] combo enable copper


[PC-GigabitEthernet5/0] ip address 10.1.1.1 255.255.255.0


# Configure a default route toward Router0:


[PC] ip route-static 0.0.0.0 0 10.1.1.2


2. Configuration of Router0


# Configure the g5/0 address of the interface for connecting to a PC


[ROUTER0]interface GigabitEthernet5/0


[ROUTER0-GigabitEthernet5/0] port link-mode route


[ROUTER0-GigabitEthernet5/0] combo enable copper


[ROUTER0-GigabitEthernet5/0] ip address 10.1.1.2 255.255.255.0


# Configure the g0/0 address of the interface for connecting to Router1


[ROUTER0]interface GigabitEthernet0/0


[ROUTER0-GigabitEthernet0/0] port link-mode route


[ROUTER0-GigabitEthernet0/0] combo enable copper


[ROUTER0-GigabitEthernet0/0] ip address 1.1.1.1 255.255.255.0


# Configure a default route toward Router1:


[ROUTER0] ip route-static 0.0.0.0 0 1.1.1.2


3. Configuration of Router1


# Create the two VPN instances, one per exit


[ROUTER1] ip vpn-instance 1


[ROUTER1-vpn-instance-1] route-distinguisher 1:1


[ROUTER1-vpn-instance-1] vpn-target 1:1 import-extcommunity


[ROUTER1-vpn-instance-1] vpn-target 1:1 export-extcommunity


[ROUTER1-vpn-instance-1] quit


[ROUTER1] ip vpn-instance 2


[ROUTER1-vpn-instance-2] route-distinguisher 2:1


[ROUTER1-vpn-instance-2] vpn-target 2:1 import-extcommunity


[ROUTER1-vpn-instance-2] vpn-target 2:1 export-extcommunity


# Configure the interface G0/1 address for interconnecting Router2.


 [ROUTER1] interface GigabitEthernet0/1


[ROUTER1-GigabitEthernet0/1] port link-mode route


[ROUTER1-GigabitEthernet0/1] combo enable copper


[ROUTER1-GigabitEthernet0/1] ip binding vpn-instance 1


[ROUTER1-GigabitEthernet0/1] ip address 2.1.1.1 255.255.255.0


# Configure the interface G0/2 address for interconnecting Router3


[ROUTER1]interface GigabitEthernet0/2


[ROUTER1-GigabitEthernet0/2] port link-mode route


[ROUTER1-GigabitEthernet0/2] combo enable copper


[ROUTER1-GigabitEthernet0/2] ip binding vpn-instance 2


[ROUTER1-GigabitEthernet0/2] ip address 3.1.1.1 255.255.255.0


# Configure one ACL per remote service, matching traffic from the intranet PC subnet to that service address. Keep the destination a host match (wildcard 0) so that only the intended service is redirected into each VPN instance; any other traffic falls through to normal routing in the public instance.


[ROUTER1]acl advanced 3000


[ROUTER1-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 2.2.2.2 0


[ROUTER1]acl advanced 3001


[ROUTER1-acl-ipv4-adv-3001] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 3.3.3.3 0


# Configure PBR: each node matches one ACL and sets a next hop inside the corresponding VPN instance. Nodes are evaluated in order and the first match wins.


[ROUTER1] policy-based-route 1 permit node 1


[ROUTER1-pbr-1-1] if-match acl 3000


[ROUTER1-pbr-1-1] apply next-hop vpn-instance 1 2.1.1.2


[ROUTER1-pbr-1-1] quit


[ROUTER1] policy-based-route 1 permit node 2


[ROUTER1-pbr-1-2] if-match acl 3001


[ROUTER1-pbr-1-2] apply next-hop vpn-instance 2 3.1.1.2


# Configure the interface G0/0 address for interconnecting Router0 (public instance, no VPN binding) and apply the policy to it. G0/0 is the inbound interface for PC traffic, and the policy only takes effect once it is applied to that interface.


[ROUTER1] interface GigabitEthernet0/0


[ROUTER1-GigabitEthernet0/0] port link-mode route


[ROUTER1-GigabitEthernet0/0] combo enable copper


[ROUTER1-GigabitEthernet0/0] ip address 1.1.1.2 255.255.255.0


[ROUTER1-GigabitEthernet0/0] ip policy-based-route 1


# Configure the return routes to the intranet: one in the public instance, and one in each VPN instance whose next hop 1.1.1.1 is resolved in the public routing table (keyword public), because the G0/0 subnet only exists there.


[ROUTER1] ip route-static 10.1.1.0 24 1.1.1.1


[ROUTER1] ip route-static vpn-instance 1 10.1.1.0 24 1.1.1.1 public


[ROUTER1] ip route-static vpn-instance 2 10.1.1.0 24 1.1.1.1 public


4. Configuration of Router2


# Create a Loopback 0 interface to simulate the service server


[ROUTER2]interface LoopBack0


[ROUTER2-LoopBack0] ip address 2.2.2.2 255.255.255.255


# Configure the G0/1 interface to connect to Router1


[ROUTER2]interface GigabitEthernet0/1


[ROUTER2-GigabitEthernet0/1] port link-mode route


[ROUTER2-GigabitEthernet0/1] combo enable copper


[ROUTER2-GigabitEthernet0/1] ip address 2.1.1.2 255.255.255.0


# Configure a default route toward Router1


[ROUTER2] ip route-static 0.0.0.0 0 2.1.1.1


5. Configuration of Router3


# Create a Loopback 0 interface to simulate the service server


[ROUTER3] interface LoopBack0


[ROUTER3-LoopBack0] ip address 3.3.3.3 255.255.255.255


# Configure the G0/1 interface to connect to Router1 (the 3.1.1.0/24 link to Router1 G0/2)


[ROUTER3] interface GigabitEthernet0/1


[ROUTER3-GigabitEthernet0/1] port link-mode route


[ROUTER3-GigabitEthernet0/1] combo enable copper


[ROUTER3-GigabitEthernet0/1] ip address 3.1.1.2 255.255.255.0


# Configure a default route toward Router1


[ROUTER3] ip route-static 0.0.0.0 0 3.1.1.1


 


6. Verify the configuration


 [PC]ping 2.2.2.2


Ping 2.2.2.2 (2.2.2.2): 56 data bytes, press CTRL_C to break


56 bytes from 2.2.2.2: icmp_seq=0 ttl=253 time=3.000 ms


56 bytes from 2.2.2.2: icmp_seq=1 ttl=253 time=1.000 ms


56 bytes from 2.2.2.2: icmp_seq=2 ttl=253 time=1.000 ms


56 bytes from 2.2.2.2: icmp_seq=3 ttl=253 time=1.000 ms


56 bytes from 2.2.2.2: icmp_seq=4 ttl=253 time=1.000 ms


 [PC]ping 3.3.3.3


Ping 3.3.3.3 (3.3.3.3): 56 data bytes, press CTRL_C to break


56 bytes from 3.3.3.3: icmp_seq=0 ttl=253 time=2.000 ms


56 bytes from 3.3.3.3: icmp_seq=1 ttl=253 time=2.000 ms


56 bytes from 3.3.3.3: icmp_seq=2 ttl=253 time=2.000 ms


56 bytes from 3.3.3.3: icmp_seq=3 ttl=253 time=2.000 ms


56 bytes from 3.3.3.3: icmp_seq=4 ttl=253 time=1.000 ms


The TTL of 253 in both sets of replies is consistent with a reply that started at 255 and crossed two routers (Router1 and Router0) on the way back, so the return routes in both VPN instances are working. To confirm that each flow really leaves through its own exit rather than both succeeding through one VPN, also check on Router1 that each VPN instance holds the return route (display ip routing-table vpn-instance 1 and display ip routing-table vpn-instance 2 should each list 10.1.1.0/24 with next hop 1.1.1.1), and that the policy is being hit on the inbound interface with display ip policy-based-route interface GigabitEthernet 0/0.






Key Configuration

1. This kind of networking is mainly used by service providers; which VPN instance each service belongs to, and which intranet traffic is allowed to enter it, must be defined clearly before configuration, since the ACL/PBR pair is what keeps the two exits separated.


2. When configuring Router1, the key point is to specify the VPN instance in the PBR redirection (apply next-hop vpn-instance ...); without it the next hop would be looked up in the public routing table.


3. Router1 needs a return route to the internal network inside each VPN instance, and the keyword public must be added so that the next hop is resolved in the public routing table, where the G0/0 subnet lives. Without it the next hop cannot be resolved inside the VPN instance, the return route is unreachable, and return traffic to the internal network fails.
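The following is an added example, not part of the original H3C case: a small Python model of the two forwarding decisions Router1 makes in this design. The ACL, PBR and routing tables are constructed from the configuration above; the routing behaviour is simplified (longest-prefix match with one level of next-hop recursion) and is not a reproduction of the Comware implementation. It shows how the PBR nodes map PC traffic into vpn-instance 1 or 2, that traffic matching no node stays in the public instance (where Router1 has no default route, so it is dropped rather than leaking into a VPN), and why the return route inside a VPN instance only resolves when the next hop is looked up in the public table.

```python
# Added example (not from the original case): model of Router1's PBR
# classification and of the VPN return-route resolution with and without
# the 'public' keyword. All tables below are constructed from the case.
import ipaddress


def wildcard_match(ip, addr, wildcard):
    """Comware ACL semantics: a 1 bit in the wildcard means 'do not care'."""
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    return (i ^ a) & (~w & 0xFFFFFFFF) == 0


# acl advanced 3000 / 3001 on Router1: (src, src-wildcard, dst, dst-wildcard)
ACLS = {
    3000: [("10.1.1.0", "0.0.0.255", "2.2.2.2", "0.0.0.0")],
    3001: [("10.1.1.0", "0.0.0.255", "3.3.3.3", "0.0.0.0")],
}

# policy-based-route 1: nodes are evaluated in order, first match wins.
PBR_POLICY_1 = [
    {"acl": 3000, "vpn": "1", "next_hop": "2.1.1.2"},
    {"acl": 3001, "vpn": "2", "next_hop": "3.1.1.2"},
]


def acl_permits(acl_number, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[acl_number])


def pbr_redirect(src, dst, policy=PBR_POLICY_1):
    """Return (vpn-instance, next-hop) for a packet arriving on G0/0, or
    None when no node matches (the packet is then routed in the public
    instance, which has no default route in this case)."""
    for node in policy:
        if acl_permits(node["acl"], src, dst):
            return node["vpn"], node["next_hop"]
    return None


def build_routes(public_keyword=True):
    """Routing tables per instance: prefix -> (next_hop, table to resolve
    the next hop in). A next hop of None is a directly connected route."""
    back = ("1.1.1.1", "public" if public_keyword else None)
    return {
        "public": {"1.1.1.0/24": (None, None), "10.1.1.0/24": back},
        "1": {"2.1.1.0/24": (None, None), "10.1.1.0/24": back},
        "2": {"3.1.1.0/24": (None, None), "10.1.1.0/24": back},
    }


def longest_match(table, dst):
    d = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.IPv4Network(p), v) for p, v in table.items()
            if d in ipaddress.IPv4Network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def resolve_return_path(vpn, dst, public_keyword=True):
    """Table through which a return packet (from vpn-instance `vpn` to the
    intranet host `dst`) actually exits, or None if it is dropped."""
    routes = build_routes(public_keyword)
    hit = longest_match(routes[vpn], dst)
    if hit is None:
        return None
    next_hop, resolve_in = hit[1]
    if next_hop is None:
        return vpn
    # Without 'public' the next hop is looked up in the VPN's own table,
    # which has no route to 1.1.1.1, so the static route is unreachable.
    table = resolve_in or vpn
    nh_hit = longest_match(routes[table], next_hop)
    if nh_hit is None or nh_hit[1][0] is not None:
        return None
    return table


if __name__ == "__main__":
    print(pbr_redirect("10.1.1.1", "2.2.2.2"))      # ('1', '2.1.1.2')
    print(pbr_redirect("10.1.1.1", "3.3.3.3"))      # ('2', '3.1.1.2')
    print(pbr_redirect("10.1.1.1", "203.0.113.9"))  # None: stays in public
    print(resolve_return_path("1", "10.1.1.1"))     # 'public'
    print(resolve_return_path("1", "10.1.1.1", public_keyword=False))  # None
```

The last two calls are the content of key point 3: the same static route resolves through the public table when the keyword is present and is unresolvable when it is not. The 203.0.113.9 case is the reason the ACLs use a host destination: a wider destination wildcard would pull that traffic into a VPN instance instead of leaving it to the public routing table.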


 
