[c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPN Customers
Andy Saykao
andy.saykao at staff.netspace.net.au
Wed Aug 13 22:58:13 EDT 2008
Hi All
We are looking at providing our Layer 3 MPLS VPN customers with the
option of a managed internet gateway via a NAT-PE router. This would
mean that remote sites no longer have to access the internet via the
Central Site model as this is the way we've been implementing Internet
access for MPLS VPN customers.
As all our MPLS VPN customers are using private IP addresses, NAT would
have to obviously take place at the NAT-PE router.
Below is a simple illustration of our network with the MPLS cloud
comprising PE1, PE2 and P. All internet traffic goes out through the P
router. We do not have local POPs in each city/state with a link to the
Internet, instead we have one central POP and internet traffic from
across the country is routed to the P router.

                     [INTERNET]
                          |
                          |
                          |
[CE1] ----- [PE1] ----- [ P ] ----- [PE2] ----- [CE2]

My dilemma is that I'm not entirely sure which router should be
designated as the NAT-PE router to act as the Internet Gateway for our
MPLS VPN customers or if we need to put in a new PE router somewhere?
So what I've brainstormed are the following ideas...
1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
this because this is the core router that handles Internet traffic for
all our customers and I don't want to mess it up.
2/ Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm
unsure how to apply NAT because there is only one interface on the PE
router connecting to the P router so I'm not really sure where the ip
nat inside and outside command would go - unless we use NAT on a stick
which I don't think is recommended in a production environment.
3/ Lastly, do we need to put in a new router to act as the NAT-PE
router? If so, where would this be placed - maybe between the P router
and the Internet?
I've read various Cisco documents but can't find anything for my
particular situation.
Any further ideas would be greatly appreciated.
Thanks.
Andy