Wednesday, July 7, 2010

MPLS NAT Aware

Internet access is perhaps one of the most popular services that Service Providers offer their customers. Customers have the flexibility to purchase MPLS VPN services and Internet connectivity from separate Service Providers. Alternatively, customers can provide Internet connectivity directly from their own network, be it from one of their remote sites or from the central site. In the latter case, the Internet Service Provider (ISP) does not need to distinguish the customer's Internet traffic from its VPN traffic, because all traffic traversing the Service Provider network is MPLS VPN traffic.

In MPLS-based BGP VPNs (RFC 2547), ISPs offered customers a single interface capable of carrying both intranet and Internet traffic.

Traffic between the intranet and the Internet in an MPLS BGP VPN requires NAT services at the customer edge router, translating between the customer's private addresses and a globally routable address.

R3NATPE#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R3NATPE(config)#
R3NATPE(config)#ip vrf 23
R3NATPE(config-vrf)#rd 23:23
R3NATPE(config-vrf)#route-t 23:23
R3NATPE(config-vrf)#
R3NATPE(config-vrf)#ip vrf 13
R3NATPE(config-vrf)#rd 13:13
R3NATPE(config-vrf)#route-t 13:13
R3NATPE(config-vrf)#
R3NATPE(config-vrf)#int s0/0
R3NATPE(config-if)#ip vrf for 13
R3NATPE(config-if)#ip add 10.1.13.3 255.255.255.0
R3NATPE(config-if)#ip nat inside
R3NATPE(config-if)#no sh
R3NATPE(config-if)#
R3NATPE(config-if)#int s0/1
R3NATPE(config-if)#ip vrf for 23
R3NATPE(config-if)#ip add 10.1.23.3 255.255.255.0
R3NATPE(config-if)#ip nat inside
R3NATPE(config-if)#no sh
R3NATPE(config-if)#
R3NATPE(config-if)#int s0/2
R3NATPE(config-if)#ip add 10.1.34.3 255.255.255.0
R3NATPE(config-if)#ip nat out
R3NATPE(config-if)#no sh
R3NATPE(config-if)#exit
R3NATPE(config)#access-list 1 permit any
R3NATPE(config)#ip route vrf 13 1.1.1.1 255.255.255.255 10.1.13.1
R3NATPE(config)#ip route vrf 13 0.0.0.0 0.0.0.0 10.1.34.4 global
R3NATPE(config)#
R3NATPE(config)#ip route vrf 23 2.2.2.2 255.255.255.255 10.1.23.2
R3NATPE(config)#ip route vrf 23 0.0.0.0 0.0.0.0 10.1.34.4 global
R3NATPE(config)#
R3NATPE(config)#ip nat pool MYPOOL 10.1.34.50 10.1.34.255 netmask 255.255.255.0
R3NATPE(config)#ip nat inside source list 1 pool MYPOOL vrf 13
R3NATPE(config)#
R3NATPE(config)#ip nat inside source list 1 pool MYPOOL vrf 23
R3NATPE(config)#
NAT gets hold of the packet, performs the translation (static or dynamic), and also stores the VRF table ID in the translation entry:

R3NATPE#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.34.50:5      10.1.23.2:5        4.4.4.4:5          4.4.4.4:5
 create 00:00:10, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
 flags:
extended, use_count: 0, VRF : 23, entry-id: 3, lc_entries: 0
--- 10.1.34.50         10.1.23.2          ---                ---
 create 00:16:50, use 00:00:11 timeout:86400000, left 23:59:48, Map-Id(In): 2,
 flags:
none, use_count: 1, VRF : 23, entry-id: 1, lc_entries: 0
On the return path, NAT receives the packet before routing and performs a lookup in the translation table. NAT performs the reverse translation and also sets the VRF table ID in the packet descriptor header. This enables the subsequent route lookup to occur in the right Forwarding Information Base (FIB). If the outgoing interface is in a VRF on the same PE, the packet is forwarded as an IP packet. If the destination is on a remote PE, the packet has labels imposed and is forwarded on the core-facing interface.
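As an added example (not from the post, and not Cisco's code): a small Python parser for the verbose translation output shown above. It recovers the VRF table ID stored with each entry and counts the per-flow translations each VRF holds into the global table, a quick way to check which VPNs are actually reaching the Internet through the shared pool. The sample input is the output quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the `show ip nat translations verbose` output quoted above.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.34.50:5      10.1.23.2:5        4.4.4.4:5          4.4.4.4:5
 create 00:00:10, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
 flags:
extended, use_count: 0, VRF : 23, entry-id: 3, lc_entries: 0
--- 10.1.34.50         10.1.23.2          ---                ---
 create 00:16:50, use 00:00:11 timeout:86400000, left 23:59:48, Map-Id(In): 2,
 flags:
none, use_count: 1, VRF : 23, entry-id: 1, lc_entries: 0
"""

@dataclass
class Translation:
    proto: str                  # "---" marks the address-only (non-extended) entry
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    vrf: Optional[str] = None   # VRF table ID stored with the entry, if printed

VRF_RE = re.compile(r"VRF\s*:\s*(\w+)")

def parse_translations(text):
    """A column-0 line with five fields and no comma opens an entry; the
    continuation lines that follow carry its counters and the VRF field."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not line.startswith(" ") and "," not in line and len(fields) == 5:
            entries.append(Translation(*fields))
            continue
        m = VRF_RE.search(line)
        if m and entries:
            entries[-1].vrf = m.group(1)
    return entries

def flows_per_vrf(entries):
    """Count per-flow (extended) translations by VRF: each one is a private host
    that has reached the global routing table through the shared pool."""
    counts = {}
    for e in entries:
        if e.proto != "---":
            counts[e.vrf] = counts.get(e.vrf, 0) + 1
    return counts
```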

Note: For security reasons, this approach is not recommended. It is not a good practice to bring in Internet traffic using the corporate VPN. This practice negates the isolation of the corporate VPN. This option is briefly discussed only to show an alternate practice that has been used in the industry. (from Implementing Cisco MPLS, Volume 2)
