In the topology of MPLS L3 VPN of a site, NE40 serves as PE. A VPN user connects to NE40 through L2 switch, and the user gateway is at NE40. The user needs to access routing table of public network, so it needs to use the technology that leaks the route of private network to public network at PE. NE40 The software of NE40 is at VRP3.10-2321.
The next hop of PE router is defaulted to 184.108.40.206;
10.0.0.2/24 and 10.0.0.3/24 are VPN users, and the gateway is 10.0.0.1, connecting to Ethernet 3/0/0 of NE40-PE.
For the demand, PE needs the following configurations:
ip route-static 0.0.0.0 0.0.0.0 220.127.116.11
ip route-static vpn-instance VPN1 0 0.0.0.0 0.0.0.0 18.104.22.168 public
ip route-static 10.0.0.2 255.255.255.255 Ethernet 3/0/0 10.0.0.2
ip route-static 10.0.0.3 255.255.255.255 Ethernet 3/0/0 10.0.0.3
The first piece of route is the default one (or created by dynamic routing protocol)of routing table fro NE40 to public network; the second route is a default one created in VPN routing table, with next hop to the interface to public network; The following two pieces of routes function to help NE40 forward the packets received to relevant VRF interface.
CE is at layer 3. Once the packets with destination address as VPN reach PE from public network, configure one VPN network segment route with next hop to CE, as follows:
ip route-static 10.0.0.0 255.255.255.0 Ethernet 3/0/0 *.*.*.*(the next hop to CE)
For the topology with CE as non-L3 equipment, users connect to PE directly, so there must be host route to PC of user; at this time, packets could be forwarded to VPN private network from public network. In other word, in the topology, If it is required for PE to perform leaking of VPN private network route, each host that has such a demand need a host route alike at NE40. If a great number of VPN users have such a demand like this, we should take the limitation on route specification of NE40 into consideration; also, more static routes make maintenance hard.
For the access of VPN users to public network, it it is realized by leaking private network route at PE to public network; at this time, CE should be of L3 equipment, or the limitation will take effect like the case. So other methods like VPN gateway is recommended.