RE: PE NAT in MPLS VPN

From: Scott Morris (smorris@ipexpert.com)
Date: Tue Jul 03 2007 - 10:38:19 ART


The difficulty in doing NAT on PE3 is that PE3 would centrally need to be
aware of all the routes in each of your independent VRFs and VRF routes. As
you noted, doing NAT on PE1 and PE2 would be much simpler, and very much for
that reason!

Simply making route-target imports into a central VPN/VRF isn't very
scalable because you may be importing multiple non-unique routes from
different customers. So this is very much a placement issue and processing
issue.

If you do NAT on each respective PE, closest to the source you could then
make a decision about having a global table versus an Internet VRF for
moving traffic. (The fewer routes your P routers have, the faster the
processing!)

As for your return traffic though, the NAT process should handle the
translations both directions (building an xlate table to steal a term from
the PIX) and as long as the pre-NAT addresses are unique it should do just
fine. NAT is not integrated with BGP, so AFAIK, it doesn't take advantage
of things like SOO communities.

Keep things as simple as possible and the config will be much easier to
follow! :)

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
 
A Cisco Learning Partner - We Accept Learning Credits!
 
smorris@ipexpert.com
 
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Marko Milivojevic
Sent: Tuesday, July 03, 2007 5:25 AM
To: ccielab@groupstudy.com
Subject: PE NAT in MPLS VPN

I am confused about one thing and I need some assistance understanding it.
Let's say that I have the following network (home-made scenario, so it may
not be possible):

(CE1)       (CE2)
  |           |
 {a}         {b}
  |           |
(PE1)       (PE2)
  |           |
  +----(P)----+
        |
      (PE3)
        |
       {c}
        |
      (CE3)

CE1: 10.0.0.1/32
CE2: 10.0.0.1/32
CE3: 100.100.100.100

In case the ASCII doesn't come up right: PE1, PE2, PE3 are connected to P.
CE1 connects to PE1 in VRF "a"; CE2 connects to PE2 in VRF "b" and CE3
connects to PE3 in VRF "c". Core network runs IS-IS+MP-BGP. PE1-CE1 is OSPF;
PE2-CE2 is EIGRP; PE3-CE3 is RIPv2.

VRF "c" is central services vrf - it imports both "a" and "b". For the
reasons of making my life miserable, CE1 and CE2 use the same IP address as
loopback. They both need to ping CE3's loopback. Dynamic NAT is supposed to
be on PE3 (as I believe having NAT on PE1 or PE2 would be no-brainer).

I have the network up and running and all the routes are being correctly
propagated, imported, etc. However, on PE3, I have only one route towards
10.0.0.1 (expected). If I make NAT on PE3, how will PE3 know to "return" the
traffic from CE3 to the correct CE? Detailed diagram and configs are
available upon request :-)
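The following is an added example written for this page; it is not code from either message, from Cisco IOS or from any vendor. It simulates both placements discussed above: the xlate table Scott describes (keyed on the pre-NAT address only, with no knowledge of the VRF or SoO a packet came from) and Marko's question of where PE3 sends return traffic when VRF "c" holds only one route to 10.0.0.1. Routers, VRFs and CE addresses are taken from the original post; the NAT pools (203.0.113.0/24 on PE3, 192.0.2.0/24 on PE1, 198.51.100.0/24 on PE2) are assumed. With NAT on PE3 the two identical inside-local addresses collapse to one translation and both replies are routed to the same PE; with NAT on PE1 and PE2 the addresses PE3 sees are already unique and plain VRF routing delivers each reply to the right PE.

```python
"""Simulated dynamic NAT placement for the MPLS VPN scenario in the thread.

Constructed example for this page, not code from the thread or any vendor.
Addresses follow the original post (CE1 and CE2 both 10.0.0.1, CE3
100.100.100.100, VRFs a, b, c); the NAT pools are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Nat:
    """One-to-one dynamic NAT whose xlate table is built on the first
    outbound packet. The table is keyed on the inside-local address only,
    modelling a NAT process that knows nothing about VRFs or SoO."""
    pool: List[str]
    local_to_global: Dict[str, str] = field(default_factory=dict)
    global_to_local: Dict[str, str] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.local_to_global:
            g = self.pool.pop(0)
            self.local_to_global[pkt.src] = g
            self.global_to_local[g] = pkt.src
        return Packet(self.local_to_global[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.src, self.global_to_local[pkt.dst])


@dataclass
class VrfTable:
    """Routing table of one VRF: prefix -> next hop (a PE or CE name).
    Adding a prefix that is already present keeps the first entry, standing
    in for best-path selection between two identical imported routes."""
    routes: Dict[str, str] = field(default_factory=dict)

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.setdefault(prefix, next_hop)

    def lookup(self, dst: str) -> Optional[str]:
        best: Optional[Tuple[int, str]] = None
        for prefix, nh in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None


def nat_on_pe3() -> Tuple[str, str]:
    """NAT on PE3, VRF c importing a and b. Returns the PE that PE3 routes
    the reply to for (the CE1 flow, the CE2 flow)."""
    vrf_c = VrfTable()
    vrf_c.add("100.100.100.100/32", "CE3")
    vrf_c.add("10.0.0.1/32", "PE1")   # imported from VRF a
    vrf_c.add("10.0.0.1/32", "PE2")   # imported from VRF b: same prefix, PE1 kept
    nat = Nat(pool=["203.0.113.1", "203.0.113.2"])  # assumed pool on PE3

    out_ce1 = nat.outbound(Packet("10.0.0.1", "100.100.100.100"))  # from CE1
    out_ce2 = nat.outbound(Packet("10.0.0.1", "100.100.100.100"))  # from CE2
    # Both flows share one xlate because the inside-local addresses collide.
    replies = []
    for out in (out_ce1, out_ce2):
        back = nat.inbound(Packet("100.100.100.100", out.src))
        replies.append(vrf_c.lookup(back.dst))
    return replies[0], replies[1]


def nat_on_pe1_pe2() -> Tuple[str, str]:
    """NAT closest to the source, on PE1 and PE2 with separate pools; only
    the unique post-NAT prefixes reach VRF c on PE3."""
    nat_pe1 = Nat(pool=["192.0.2.1"])       # assumed pool on PE1
    nat_pe2 = Nat(pool=["198.51.100.1"])    # assumed pool on PE2
    vrf_c = VrfTable()
    vrf_c.add("100.100.100.100/32", "CE3")
    vrf_c.add("192.0.2.0/24", "PE1")        # PE1's pool, exported from a
    vrf_c.add("198.51.100.0/24", "PE2")     # PE2's pool, exported from b

    out_ce1 = nat_pe1.outbound(Packet("10.0.0.1", "100.100.100.100"))
    out_ce2 = nat_pe2.outbound(Packet("10.0.0.1", "100.100.100.100"))
    # CE3 replies to the inside-global address; PE3 only routes in VRF c.
    pe_for_ce1 = vrf_c.lookup(out_ce1.src)
    pe_for_ce2 = vrf_c.lookup(out_ce2.src)
    # Each PE un-NATs its own pool, so both CEs get their 10.0.0.1 back.
    back_ce1 = nat_pe1.inbound(Packet("100.100.100.100", out_ce1.src))
    back_ce2 = nat_pe2.inbound(Packet("100.100.100.100", out_ce2.src))
    assert back_ce1.dst == back_ce2.dst == "10.0.0.1"
    return pe_for_ce1, pe_for_ce2


if __name__ == "__main__":
    print("NAT on PE3, replies routed to:", nat_on_pe3())
    print("NAT on PE1/PE2, replies routed to:", nat_on_pe1_pe2())
```

The PE3 case shows the failure mode rather than fixing it: making the translation table VRF-aware would not help, because the decision that breaks is the single 10.0.0.1/32 route in VRF "c", which exists before NAT is consulted.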



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:39 ART