The MPLS-OPS Archive


FW: Re: nat at the PE

  • From: Rajesh Balay <Rajesh.Balay@cosinecom.com>
  • Date: Mon, 24 Sep 2001 14:45:28 -0700
  • Resent-Date: Mon, 24 Sep 2001 19:18:27 -0400
  • To: "'mpls-ops@mplsrc.com'" <mpls-ops@mplsrc.com>


(resending....)
 -----Original Message-----
From:   Rajesh Balay 
Sent:   Monday, September 24, 2001 2:17 PM
To:     'mpls-ops@mplsrc.com'
Cc:     'rstaats@icnt.net'; 'alfred.zhang@u-cyber.com'; 'wulf@cisco.com'
Subject:        Re: nat at the PE

If NAT/firewall is used at a CE (and not at the PE), I would like to know what the recommended solutions are to provide "Internet connectivity" while using "MPLS VPN" for a customer.

My thoughts are:
(a) If NAT/Firewall is done at the CE then it will have to be applied
    to VPN traffic as well as Internet-bound traffic.

I do not see an elegant solution to NAT/Firewall only the Internet traffic and not the VPN traffic at a CE. The possible solutions for this case are:

(b) the CE uses a separate link to the PE for VPN and Internet service.
    Here use the usual interface based ACLs to NAT and firewall at the
    interface used for Internet traffic. The other interface will be used
    for VPN traffic...
    -> problems here:  for an extranet will one need one more interface?
       a true extranet requires NAT and Firewall services with different
       filters than used for Internet traffic
    -> this is a last-resort solution, I guess... two links to a site is expensive
       and may not be feasible.
(c) each VPN's address-space is well known and ACLs can be used to
    identify VPN/Internet traffic to apply NAT/Firewalls appropriately.
    This seems feasible but administration-heavy to make changes and as
    Robert Staats points out it would require smarter CPEs.
    -> even here there may be some loopholes. Say all CEs can be reached
       by MPLS VPN as well as Internet; if the MPLS VPN connectivity
       goes down then one cannot reach the site through the Internet (due
       to address-based static rules)

Any other options? Are there any deployments? Any recommended solutions from Cisco/other vendors?

Same issues apply if one has to support Extranet VPNs too. At CoSine, we have addressed these issues using a PE based solution.

Appreciate comments.
thanks,
-rajesh


---- cut-n-paste from archive ----

Wulf,

        This is not meant to be confrontational, but I am going to get
directly to the point on this.  Your question is the exact same reply I
always get from Cisco in this regard. Although I realize you don't speak for
Cisco, nonetheless your answer is in step with every 'official' reply I get:
"Why would you want to NAT in an MPLS VPN?"

        I work for a service provider that has been deploying MPLS VPNs for
a year and a half now (InternetConnect).  We specialize in providing wide
area networks for small and medium size businesses (not a plug here :) just
explaining what we do).  These companies typically do not have Network
Engineers.  They do not care who controls the IP space.  In most cases they
do not even have a clue what an IP space is.  They are just companies that
want to connect their offices.

        Many different types of CPE are used as the CE and they are
primarily not Cisco equipment.  These CPE do not have the concept of access
lists to determine what to NAT and what not to NAT.  So typically your
choices are that either everything has to be NATed from a site or nothing is
NATed from a site. If you are trying to provide connectivity between many
different locations then you do not want to NAT from the CPE.  If you NAT
from the CPE then devices will not be able to communicate with each other
from two different locations unless you have set up static maps in the CPE.
This becomes very tedious and inefficient when you have 10 - 20 locations
and a couple of hundred hosts.  So then the only real option is to not NAT
at the CPE.  OK so now what if the customer is using RFC1918 addresses or
picked random addresses (we run into this a lot :) ). The exit point from the
MPLS VPN will need to be NATed so the hosts in the VPN can communicate with
the outside world.  The optimal solution for us would be to be able to NAT
within the VPN on the link that exits the VPN to the Internet.  This is not
possible with Cisco equipment.  So then the other option is to NAT on the
equipment on the other side of the link from the MPLS VPN.  The problem here
is that the Cisco equipment does not handle overlapping address ranges for
NAT on the same router.  So for every customer that has chosen to use
10.1.1.X for their network I need a dedicated router just to NAT their
connection to the Internet.  This is a very costly and inefficient way of
providing NAT to our customers.

        I have looked at CoSine and they do have the ability to do this.
They also have the ability to terminate IPSec tunnels directly to an MPLS
VPN which I like but that is another story.  We are currently a Cisco shop
but after evaluating some of the newer products on the market I don't see
why we would stay that way.

        Thanks for allowing me to vent!

Bob
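The two problems raised above, a CE that must decide per packet whether to translate (Rajesh's option (c)) and a single NAT table that cannot keep two customers' overlapping 10.1.1.0/24 spaces apart (Bob's point), can be modelled in a few lines. This is an added illustration, not code from the thread or from any vendor's product; the customer names, prefixes and public addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: two customers whose VPNs both use 10.1.1.0/24 internally
# (the overlap described in the thread) and share one NAT function at the exit.
VPN_SPACE = {
    "cust_a": [ip_network("10.1.1.0/24"), ip_network("10.2.0.0/16")],
    "cust_b": [ip_network("10.1.1.0/24")],
}
# Hypothetical public addresses assigned per VRF for Internet-bound traffic.
PUBLIC_IP = {"cust_a": "203.0.113.10", "cust_b": "203.0.113.11"}


def is_vpn_bound(vrf, dst):
    """Option (c) from the thread: classify by the VRF's known address space."""
    return any(ip_address(dst) in net for net in VPN_SPACE[vrf])


class Nat:
    """Port-overloading NAT; vrf_aware=False models a single global table."""

    def __init__(self, vrf_aware=True):
        self.vrf_aware = vrf_aware
        self.fwd = {}        # inside key -> (public_ip, public_port)
        self.rev = {}        # (public_ip, public_port) -> (vrf, inside_ip, port)
        self.next_port = 40000

    def _key(self, vrf, src, sport):
        # A VRF-unaware table keys on the inside address only, so two
        # customers using the same 10.1.1.x host:port collide.
        return (vrf, src, sport) if self.vrf_aware else (src, sport)

    def outbound(self, vrf, src, sport, dst):
        """Translate a packet leaving the VRF; VPN-internal traffic is left alone."""
        if is_vpn_bound(vrf, dst):
            return (src, sport)
        key = self._key(vrf, src, sport)
        if key not in self.fwd:
            pub = (PUBLIC_IP[vrf], self.next_port)
            self.next_port += 1
            self.fwd[key] = pub
            self.rev[pub] = (vrf, src, sport)
        return self.fwd[key]

    def inbound(self, pub_ip, pub_port):
        """Map a reply back to (vrf, inside_ip, inside_port), or None if unknown."""
        return self.rev.get((pub_ip, pub_port))
```

With `vrf_aware=False`, the second customer's 10.1.1.5:1234 flow silently reuses the first customer's binding, so its replies are delivered into the wrong VPN; `is_vpn_bound` also classifies on destination prefix alone, which is exactly the loophole Rajesh notes under (c) when the VPN path is down.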




-----Original Message-----
From: Wulf Losee [<mailto:wulf@cisco.com>]
Sent: Thursday, September 20, 2001 5:49 PM
To: alfred zhang; mpls-ops@mplsrc.com
Subject: Re: nat at the PE


Alfred:
Why would you want to do NAT on a PE? From a customer's operational
standpoint the CE is where customer's physical network ends -- and most
customers like to have control of their IP space. From a service provider's
operational standpoint, would they really want NAT sucking down the CPU
cycles on their PE routers? -- which in turn would up their costs for
providing MPLS VPN services to their customers. Maybe I'm missing something
here, but I don't see any reason in your CUG example that you'd need to
have NAT on the PE routers.

Please note: although I work for Cisco, I'm not advocating any Cisco
position on this. I'm just trying to understand the technical and/or
operational reason why you'd ever want NAT on the PE routers.

--Wulf


At 04:24 PM 9/19/2001 +0800, alfred zhang wrote:
>Hi guys,
>
>   I'm doing some testing about nat in the mpls vpn .I assumed the ISP
> want to provide internet access to their VPN customers only, with Closed
> User Group, there can be a public ip address segment that every VPN can
> access it. Due to IP address issue, NAT is needed somewhere in this
> public segment for each VPN. Can PE do this nat function? Or I have to use
> CE or one external NAT box.
>
>
>Best regards,
>alfred zhang
>-------
>The MPLS-OPS Mailing List
>Subscribe/Unsubscribe:  <http://www.mplsrc.com/mplsops.shtml>
>Archive: <http://www.mplsrc.com/mpls-ops_archive.shtml>

********************************************************
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, ~1784
********************************************************
Wulf Losee
Product Manager
Cisco Systems, INSMBU
email: wulf@cisco.com
vox: 408.525.1493     cell: 408.406.4914
fax: 408.525.4251     page: 800.365.4578
********************************************************
