[c-nsp] Restrictions for NAT Integration with MPLS VPNs

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Sun Mar 20 03:47:32 EST 2005


>> This configuration works, though (I tried it in 12.3(6)), but the
>> current vrf-aware NAT functionality was designed around central
>> services (several VRFs with overlapping IP addresses want to access
>> SP's central services, like an Internet connection), so the outside
>> interface is usually in the global table.
> 
> Does it mean that the only currently possible right way is to put
> shared services in global?

If NAT on the PE is involved, yes (at least in Phase 1, i.e. what is
available today). If you don't need NAT (i.e. your central services PE
does not have to deal with overlapping addresses), regular VPN
hub&spoke/RT import/export mechanisms, possibly with NAT on the CE, can
be deployed.
I think there are some cases where NAT phase 1 will also work with the
"Out" interface in a VRF, but I haven't dug deeply enough into this
to comment further..

> Are there any references or whitepapers which describe Cisco's
> understanding of shared services implementation in MPLS VPN
> environment?

There is some information at
http://www.cisco.com/warp/public/732/Tech/mpls/docs/mplsconcepts.pdf
(via www.cisco.com/go/mpls).

> I am especially interested in examples where shared services reside in
> separate VPN rather than global.
> 
> One more shared services related thing - are there any plans to make
> inter-VRF leaks be presented as logical interface instance with
> possibility to enforce in/out ACLs on particular inter-VRF leak?

I'm not sure about ACLs, but the new NAT infrastructure will present an
NVI (NAT Virtual Interface), but I don't think it can be viewed as a
general inter-vrf-leak-interface..
 
>> We'll release new vrf-aware NAT functionality in the upcoming
>> 12.3(14)T release (due out soon) which will also allow to translate
>> between separate VRFs..
> 
> Will it be back-ported to 12.2S train?

Don't know, will try to find out..

	oli


