The MPLS-OPS Archive


Re: NAT for MPLS VPNs.

  • From: "HANSEN CHAN" <hansen.chan@alcatel.com>
  • Date: 28 May 2002 08:17:42 -0400
  • Cc: raszuk@cisco.com, fraanro@arrakis.es, mpls-ops@mplsrc.com
  • Resent-Date: Tue, 28 May 2002 09:32:23 -0400
  • To: "Yuly Milner" <ymilner@hotmail.com>

Yuly,

Your model is an interesting one.

> I'm one of those service providers, and right now we consider providing
> internet connectivity (via sub-provisioning) to our corporate VPN customers.
> Right now we prefer the centralized internet access model. Currently we rely
> on customer's own security solutions, but the internet access is done on our
> MPLS router, via import/export between ISP VPN and customers VPNs.

What do you mean by "via import/export between ISP VPN and customers VPNs?" Do
you mean some customer prefix could be exported to both ISP and their own
customer VPN?

Cheers,
Hansen

> I think
> this is better than access via the hub site, because potentially, if we
> used a managed firewall, the traffic would go directly to the ISP from all
> VPN sites, without going first to the hub site. Also, we can more easily
> change the ISP for our customers, if they are not satisfied with the service
> ISP provides.
>
> Regarding the NAT and firewall devices: Lucent also has virtual firewalls in
> their Brick product line. Did you consider it? I'm curious because we are in
> a process of selecting the right product for managed firewall service in our
> network.
> Thanks,
>
> Yuly
>
> ___________________________________________________________
> Hi Javier,
>
> >    Now my question is (mainly targeted to people working in service
> >providers but in general to all): Is currently the Internet
> >connectivity for the VPNs being integrated in the VPN service using
> >this kind of devices/features or is actually using mostly the
> >traditional model based on two physical/logical links in the main site
> >of the customer, one for the VPN and one for Internet.
> >    The point is, what is being preferred by service providers and why?
>
> My observations of the actual deployments demonstrate that Internet
> access is mostly provided via HUB sites with dedicated solid
> firewalls. It is also often the case that the Internet provider is
> different from the VPN service provider.
>
> Now reg your question if it actually makes sense to integrate both ...
> with the same provider the answer would be yes, but I don't think that
> collapsing both into one interface between, as you said, main sites and
> provider is a very safe or efficient idea. I am sure some folks may say it
> could be cheaper but bearing in mind that even logical interface
> separation is more than sufficient I don't think so. Also I am sure
> (based on my own experience) that internal security departments get
> paranoid (and I think for the right cause) when the corporate and
> internet packets travel together.
>
> Rgs,
> R.
>
> >fraanro wrote:
> >
> >Hi all,
> >
> >    AFAIK, some vendors like Netscreen, or Shasta from Nortel, or I
> >think also Cosine (but I am not sure about it) support NAT in such a
> >way that can be used for MPLS VPNs, for providing Internet connectivity
> >for a customer corporate VPN.
> >    Cisco is also due to release that feature for MPLS VPNs.
> >    Now my question is (mainly targeted to people working in service
> >providers but in general to all): Is currently the Internet
> >connectivity for the VPNs being integrated in the VPN service using
> >this kind of devices/features or is actually using mostly the
> >traditional model based on two physical/logical links in the main site
> >of the customer, one for the VPN and one for Internet.
> >    The point is, what is being preferred by service providers and why?
> >I think integrating the Internet and VPN service in the same interface
> >(physical and logical) as any solution that integrates several services
> >together reduces the churn (i.e. the rate of losing customers going to
> >other service providers), but in practice, how many providers build the
> >service this way?
> >    Thanks in advance for your opinions.
> >    Javier.
> >
> >-------
> >The MPLS-OPS Mailing List
> >Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
> >Archive: http://www.mplsrc.com/mpls-ops_archive.shtml