The MPLS-OPS Archive





RE: nat at the PE

  • From: Robert Staats <rstaats@icnt.net>
  • Date: Thu, 20 Sep 2001 23:29:44 -0700
  • Resent-Date: Fri, 21 Sep 2001 04:32:15 -0400
  • To: "'Wulf Losee'" <wulf@cisco.com>, alfred zhang <alfred.zhang@u-cyber.com>, mpls-ops@mplsrc.com

Wulf,

	This is not meant to be confrontational but I am going to be
directly to the point on this.  Your question is the exact same reply I
always get from Cisco in this regard. Although I realize you don't speak for
Cisco, nonetheless your answer is in step with every 'official' reply I get,
"Why would you want to NAT in an MPLS VPN?"  

	I work for a service provider that has been deploying MPLS VPNs for
a year and a half now (InternetConnect).  We specialize in providing wide
area networks for small and medium size businesses (not a plug here :) just
explaining what we do).  These companies typically do not have Network
Engineers.  They do not care who controls the IP space.  In most cases they
do not even have a clue what an IP space is.  They are just companies that
want to connect their offices.

	Many different types of CPE are used as the CE and they are
primarily not Cisco equipment.  These CPE do not have the concept of access
lists to determine what to NAT and what not to NAT.  So typically your
choices are that either everything has to be NATed from a site or nothing is
NATed from a site. If you are trying to provide connectivity between many
different locations then you do not want to NAT from the CPE.  If you NAT
from the CPE then devices will not be able to communicate with each other
from two different locations unless you have setup static maps in the CPE.
This becomes very tedious and inefficient when you have 10 - 20 locations
and a couple of hundred hosts.  So then the only real option is to not NAT
at the CPE.  OK so now what if the customer is using RFC1918 addresses or
picked random addresses (we run into this a lot :) ). The exit point from the
MPLS VPN will need to be NATed so the hosts in the VPN can communicate with
the outside world.  The optimal solution for us would be to be able to NAT
within the VPN on the link that exits the VPN to the Internet.  This is not
possible with Cisco equipment.  So then the other option is to NAT on the
equipment on the other side of the link from the MPLS VPN.  The problem here
is that the Cisco equipment does not handle overlapping address ranges for
NAT on the same router.  So for every customer that has chosen to use
10.1.1.X for their network I need a dedicated router just to NAT their
connection to the Internet.  This is a very costly and inefficient way of
providing NAT to our customers.

	I have looked at CoSine and they do have the ability to do this.
They also have the ability to terminate IPSec tunnels directly to an MPLS
VPN which I like but that is another story.  We are currently a Cisco shop
but after evaluating some of the newer products on the market I don't see
why we would stay that way.

	Thanks for allowing me to vent!

Bob
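As an added example (not part of Bob's message or any vendor's code), the overlap problem described above modelled as a small NAPT table in Python: with one flat table keyed only on the inside address and port, two customers who both chose 10.1.1.0/24 collide and a return packet is handed to the wrong customer's VPN, whereas keying the same table on the VRF as well keeps them apart. The public address 203.0.113.10, the VRF names and the host/port values are constructed.

```python
"""Per-VRF NAPT versus a single flat NAT table (constructed example).

Models a single Internet exit shared by several MPLS VPN customers who
all picked the same RFC1918 range. A flat translator cannot tell their
hosts apart; a VRF-aware one can.
"""
from dataclasses import dataclass, field


@dataclass
class NaptTable:
    outside_ip: str            # shared public address on the exit link
    vrf_aware: bool = True     # key translations on the VRF (customer) too
    next_port: int = 1024      # next free outside port to hand out
    forward: dict = field(default_factory=dict)  # inside key -> outside port
    reverse: dict = field(default_factory=dict)  # outside port -> inside tuple

    def _key(self, vrf, inside_ip, inside_port):
        # A flat table drops the VRF, so 10.1.1.5:40000 in two VPNs is one key.
        if self.vrf_aware:
            return (vrf, inside_ip, inside_port)
        return (inside_ip, inside_port)

    def outbound(self, vrf, inside_ip, inside_port):
        """Translate an inside (vrf, ip, port) to the shared outside (ip, port)."""
        key = self._key(vrf, inside_ip, inside_port)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = (vrf, inside_ip, inside_port)
            self.next_port += 1
        return (self.outside_ip, self.forward[key])

    def inbound(self, outside_port):
        """Map a return packet on an outside port back to (vrf, ip, port)."""
        return self.reverse.get(outside_port)


def demo(vrf_aware):
    """Two customers, both on 10.1.1.0/24, same host address and source port."""
    nat = NaptTable("203.0.113.10", vrf_aware=vrf_aware)  # constructed public IP
    a_out = nat.outbound("cust-A", "10.1.1.5", 40000)
    b_out = nat.outbound("cust-B", "10.1.1.5", 40000)
    # The reply to customer B's flow comes back on B's outside port; in the
    # flat case that port was first bound to customer A, so B's reply is
    # delivered into A's VPN.
    delivered_to = nat.inbound(b_out[1])
    return a_out, b_out, delivered_to
```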




-----Original Message-----
From: Wulf Losee [mailto:wulf@cisco.com]
Sent: Thursday, September 20, 2001 5:49 PM
To: alfred zhang; mpls-ops@mplsrc.com
Subject: Re: nat at the PE


Alfred:
Why would you want to do NAT on a PE? From a customer's operational 
standpoint the CE is where customer's physical network ends -- and most 
customers like to have control of their IP space. From a service provider's 
operational standpoint, would they really want NAT sucking down the CPU 
cycles on their PE routers? -- which in turn would up their costs for 
providing MPLS VPN services to their customers. Maybe I'm missing something 
here, but I don't see any reason in your CUG example that you'd need to 
have NAT on the PE routers.

Please note: although I work for Cisco, I'm not advocating any Cisco 
position on this. I'm just trying to understand the technical and/or 
operational reason why you'd ever want NAT on the PE routers.

--Wulf


At 04:24 PM 9/19/2001 +0800, alfred zhang wrote:
>Hi guys,
>
>   I'm doing some testing about nat in the mpls vpn. I assumed the ISP 
> want to provide internet access to their VPN customers only, with Closed 
> User Group, there can be a public ip address segment that every VPN can 
> access it. Due to IP address issue, NAT is needed somewhere in this 
> public segment for each VPN. Can PE do this nat function? Or I have to use 
> CE or one external NAT box.
>
>
>Best regards,
>alfred zhang
>-------
>The MPLS-OPS Mailing List
>Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
>Archive: http://www.mplsrc.com/mpls-ops_archive.shtml

********************************************************
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, ~1784
********************************************************
Wulf Losee
Product Manager
Cisco Systems, INSMBU
email: wulf@cisco.com
vox: 408.525.1493     cell: 408.406.4914
fax: 408.525.4251     page: 800.365.4578
********************************************************


-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml