[c-nsp] MPLS/VPN + Internet Setup - Update
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Aug 4 10:03:35 EDT 2006
Mark Tinka <mailto:mtinka at africaonline.co.zw> wrote on Friday, August
04, 2006 2:14 PM:
> On Thursday 03 August 2006 19:36, Oliver Boehmer (oboehmer)
> wrote:
>
>> yes, vrf-lite is used for this purpose in several networks I'm
>> aware of, so I'd call this still best current practice for
>> most applications (maybe not for some very security sensible
>> folks who don't trust VRF-lite segmentation on the CE).
>
> Two other questions, Oli:
>
> a) For the VRF-Lite setup, I'd like to use NAT on the CE router,
> so the customer overloads their internal network onto one or
> more public IP addresses assigned to the PE-facing-Internet
> interface. Are there any restrictions in this deployment, as
> most documentation on www.cisco.com suggests NAT-PE.
NAT on the CE is clearly preferred. I think it should work right away,
haven't tried this with vrf-lite yet, though.
> b) Are there any benefits deploying private IP addresses for
> PE-CE link when setting up the customer VPNs? I'm inclined
> to use public IP addresses for the MPLS/VPN PE-CE links
> (even though they might not see much "public" action), but
> I'd appreciate insight on the general feeling about this.
Well, if you want to manage the CE from your NMS, you need to use unique
addresses. Using official/public addresses makes sure those are
unique, but you could also use different ranges.
There once was a draft trying to get an IANA allocation for exactly this
purpose (draft-guichard-pe-ce-addr-00.txt), but this never really went
anywhere. This draft talks about this, so it's still worth a read.
oli