[c-nsp] Setting up an Internet Gateway (NAT-PE) for MPLS VPN Customers

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Aug 14 03:24:05 EDT 2008


Andy Saykao <> wrote on Thursday, August 14, 2008 4:58 AM:

> Hi All
> 
> We are looking at providing our Layer 3 MPLS VPN customers with the
> option of a managed internet gateway via a NAT-PE router. This would
> mean that remote sites no longer have to access the internet via the
> Central Site model as this is the way we've been implementing Internet
> access for MPLS VPN customers.
> 
> As all our MPLS VPN customers are using private IP addresses, NAT
> would have to obviously take place at the NAT-PE router.
> 
[...]
> My dilemma is that I'm not entirely sure which router should be
> designated as the NAT-PE router to act as the Internet Gateway for our
> MPLS VPN customers or if we need to put in a new PE router somewhere?
> 
> So what I've brainstormed are the following ideas...
> 
> 1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
> this because this is the core router that handles Internet traffic for
> all our customers and I don't want to mess it up.

Agreed, I wouldn't take this path either. NAT is stateful, so future
scalability is a concern, which is limited if you did this on your
core/P node (turning it into a PE).

> 2/  Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm
> unsure how to apply NAT because there is only one interface on the PE
> router connecting to the P router so I'm not really sure where the ip
> nat inside and outside command would go - unless we use NAT on a stick
> which I don't think is recommended in a production environment.

I would actually vote for some "on-a-stick" deployment, which is what
many customers do (as far as I know). NPE-G1/G2 are popular platforms
for this..

> 3/ Lastly, do we need to put in a new router to act as the NAT-PE
> router? If so, where would this be placed - maybe between the P router
> and the Internet?

I would add a new node, and put it somewhere "close" to the P
router/internet connection. You can scale by adding addtl. routers and
distribute your VPN customers across these nodes. The config would be
along these lines:

You use two interfaces (can be sub-interfaces): one MPLS interface
(running LDP and your IGP), and one plain-IP interface. Both connect to
the P node.
You create a static default in the vrf pointing over the IP interface
into the global table and create per-vrf NAT statements.

int Gig0/0.10
 ! sub-interface towards the P node on the MPLS side (VLAN 10 assumed)
 encapsulation dot1Q 10
 ip address 192.168.0.2 255.255.255.252
 mpls ip
 ip nat inside
!
int Gig0/0.20
 ! plain-IP sub-interface towards the P node / Internet (VLAN 20 assumed)
 encapsulation dot1Q 20
 ip address 192.168.10.2 255.255.255.252
 ip nat outside
!
! default route inside the vrf, resolved in the global table via Gig0/0.20
ip route vrf foo 0.0.0.0 0.0.0.0 Gig0/0.20 192.168.10.1 global
!
! add-route installs a route for the pool so return traffic finds the vrf
ip nat pool NAT-foo 10.1.1.1 10.1.1.10 netmask 255.255.255.240 add-route
!
ip nat inside source list nat-acl-foo pool NAT-foo vrf foo overload
!
ip access-list extended nat-acl-foo
 remark define what should be translated, e.g. the customer's private LAN
 permit ip 192.168.100.0 0.0.0.255 any
and you define MP-iBGP and advertise the static defaults into the
respective VPNs.

Something like this. The only addtl. challenge is to advertise the NAT
pool(s) over the gig0/0.20 interface so you send the return traffic from
the Internet back over this outside interface. You could use a dedicated
ipv4-bgp session or another IGP instance, for example..

I hope you'll get the idea..

	oli
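The BGP side of the NAT-PE design sketched in the reply above, as an added example that is not part of the original post: the MP-iBGP session that carries the per-VRF default to the VPN sites, and the dedicated global IPv4 session that advertises the NAT pool over the outside interface. AS 65000, the route-reflector loopback 10.255.255.1, RD/RT 65000:100 and the P-side address 192.168.10.1 are assumed; the pool 10.1.1.0/28 is taken from the reply (a real deployment uses a publicly routable pool).

```ios
! Added example, not the poster's config. Assumes the interfaces,
! vrf foo, pool NAT-foo and the vrf default route shown in the reply.
ip vrf foo
 rd 65000:100
 route-target both 65000:100
!
router bgp 65000
 bgp log-neighbor-changes
 ! MP-iBGP to the route reflector (assumed loopback 10.255.255.1)
 neighbor 10.255.255.1 remote-as 65000
 neighbor 10.255.255.1 update-source Loopback0
 ! dedicated global IPv4 session to the P node over Gig0/0.20, used only
 ! to hand the NAT pool to the Internet side (address assumed)
 neighbor 192.168.10.1 remote-as 65000
 !
 address-family ipv4
  ! do not leak the pool to the RR, only to the P node on the outside link
  no neighbor 10.255.255.1 activate
  neighbor 192.168.10.1 activate
  ! pool prefix from the reply; the route exists in the global RIB because
  ! of "add-route" on "ip nat pool NAT-foo", so "network" can originate it
  network 10.1.1.0 mask 255.255.255.240
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.255.255.1 activate
  neighbor 10.255.255.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf foo
  ! export the vrf static default (next hop in the global table) so every
  ! site in VPN foo learns 0/0 via this NAT-PE; only traffic matching
  ! nat-acl-foo is translated and forwarded, untranslated private sources
  ! are dropped at the NAT boundary rather than leaked to the Internet
  redistribute static
 exit-address-family
```

Per-customer scaling then means one vrf, one pool, one NAT statement and one "network" line per VPN; the two BGP sessions are shared.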

