The MPLS-OPS Archive

RE: NAT for MPLS VPNs.

What we do now is like that: we create a unique extcommunity for VPN customers' legal IP addresses, and import that into the ISP's VRF; we import into the customer's VPN the ISP's ext. community with a default route. This way we have Internet access provisioned for VPN customers directly in our MPLS router. However, this limits us in terms of security and NAT services. So we planned to use a firewall that supports VLANs and virtual policies, to do NAT and firewall per customer. I suppose if we do that, we would have different legs of the firewall connected to the VPN and ISP parts.

Regards,
Yuly

> -----Original Message-----
> From: HANSEN CHAN [mailto:hansen.chan@alcatel.com]
> Sent: Tuesday, May 28, 2002 3:18 PM
> To: Yuly Milner
> Cc: raszuk@cisco.com; fraanro@arrakis.es; mpls-ops@mplsrc.com
> Subject: Re: [MPLS-OPS]: NAT for MPLS VPNs.
>
> Yuly,
>
> Your model is an interesting one.
>
> > I'm one of those service providers, and right now we consider providing
> > Internet connectivity (via sub-provisioning) to our corporate VPN customers.
> > Right now we prefer the centralized Internet access model. Currently we rely
> > on customers' own security solutions, but the Internet access is done on our
> > MPLS router, via import/export between ISP VPN and customers' VPNs.
>
> What do you mean by "via import/export between ISP VPN and customers' VPNs"? Do
> you mean some customer prefix could be exported to both ISP and their own
> customer VPN?
>
> Cheers,
> Hansen
>
> > I think this is better than access via the hub site, because potentially, if we
> > used a managed firewall, the traffic would go directly to the ISP from all
> > VPN sites, without going first to the hub site. Also, we can more easily
> > change the ISP for our customers, if they are not satisfied with the service
> > the ISP provides.
> >
> > Regarding the NAT and firewall devices: Lucent also has virtual firewalls in
> > their Brick product line. Did you consider it? I'm curious because we are in
> > a process of selecting the right product for managed firewall service in our
> > network.
> > Thanks,
> >
> > Yuly
> >
> > ___________________________________________________________
> > Hi Javier,
> >
> > > Now my question is (mainly targeted to people working in service
> > > providers but in general to all): Is currently the Internet
> > > connectivity for the VPNs being integrated in the VPN service using
> > > this kind of devices/features or is actually using mostly the
> > > traditional model based on two physical/logical links in the main site
> > > of the customer, one for the VPN and one for Internet.
> > > The point is, what is being preferred by service providers and why?
> >
> > My observations of the actual deployments demonstrate that Internet
> > access is mostly provided via HUB sites with dedicated solid
> > firewalls. It is also often the case that the Internet provider is
> > different from the VPN service provider.
> >
> > Now regarding your question if it actually makes sense to integrate both ...
> > with the same provider the answer would be yes, but I don't think that
> > collapsing both into one interface between, as you said, main sites and
> > provider is a very safe or efficient idea. I am sure some folks may say it
> > could be cheaper but bearing in mind that even logical interface
> > separation is more than sufficient I don't think so. Also I am sure
> > (based on my own experience) that internal security departments get
> > paranoid (and I think for the right cause) when the corporate and
> > Internet packets travel together.
> >
> > Rgs,
> > R.
> >
> > > fraanro wrote:
> > >
> > > Hi all,
> > >
> > > AFAIK, some vendors like Netscreen, or Shasta from Nortel, or I
> > > think also Cosine (but I am not sure about it) support NAT in such a
> > > way that can be used for MPLS VPNs, for providing Internet connectivity
> > > for a customer corporate VPN.
> > > Cisco is also due to release that feature for MPLS VPNs.
> > > Now my question is (mainly targeted to people working in service
> > > providers but in general to all): Is currently the Internet
> > > connectivity for the VPNs being integrated in the VPN service using
> > > this kind of devices/features or is actually using mostly the
> > > traditional model based on two physical/logical links in the main site
> > > of the customer, one for the VPN and one for Internet.
> > > The point is, what is being preferred by service providers and why?
> > > I think integrating the Internet and VPN service in the same interface
> > > (physical and logical) as any solution that integrates several services
> > > together reduces the churn (i.e. the rate of losing customers going to
> > > other service providers), but in practice, how many providers build the
> > > service this way?
> > > Thanks in advance for your opinions.
> > > Javier.
> > >
> > > -------
> > > The MPLS-OPS Mailing List
> > > Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> > > Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
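As an added illustration (not part of the thread or any vendor's code), the following Python model shows the route-target import/export pattern Yuly describes and the question Hansen raises: a shared Internet VRF imports only the customers' public ("legal") prefixes, each customer VRF imports the ISP extcommunity carrying the default route, and customer VRFs stay isolated from each other. The VRF names, route-target values and prefixes are constructed for the example; the leak check flags RFC 1918 space that an over-broad export policy would expose in the Internet VRF.

```python
# Added example (not from the thread): a minimal model of MPLS L3VPN
# route-target (RT) import/export, showing what the design in the mail
# above leaks into the shared Internet VRF and what stays isolated.
# VRF names, RT values and prefixes are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_RT = "65000:999"    # ISP extcommunity, carried on the default route
LEGAL_RT = "65000:100"  # tags only customers' public ("legal") addresses

@dataclass(frozen=True)
class Route:
    prefix: str
    rts: frozenset  # extended communities attached on export

@dataclass
class Vrf:
    name: str
    import_rts: set
    exports: dict  # prefix -> set of RTs attached when exported

def vpnv4_table(vrfs):
    """Every VRF announces its prefixes, tagged with its export RTs."""
    return [Route(p, frozenset(rts))
            for v in vrfs for p, rts in v.exports.items()]

def vrf_routes(vrf, table):
    """Own routes plus any route sharing at least one RT with the import set."""
    return set(vrf.exports) | {r.prefix for r in table if r.rts & vrf.import_rts}

def build_tables(vrfs):
    table = vpnv4_table(vrfs)
    return {v.name: vrf_routes(v, table) for v in vrfs}

def leaked_private_prefixes(tables, shared_vrf):
    """RFC 1918 space visible in the shared Internet VRF means an RT policy leak."""
    return sorted(p for p in tables[shared_vrf]
                  if any(ip_network(p).subnet_of(n) for n in RFC1918))

def demo_vrfs():
    isp = Vrf("ISP", {LEGAL_RT}, {"0.0.0.0/0": {ISP_RT}})
    cust_a = Vrf("CUST_A", {"65000:1", ISP_RT},
                 {"10.1.0.0/16": {"65000:1"},                 # private, VPN only
                  "203.0.113.0/24": {"65000:1", LEGAL_RT}})    # legal, also to ISP
    cust_b = Vrf("CUST_B", {"65000:2", ISP_RT}, {"10.2.0.0/16": {"65000:2"}})
    return [isp, cust_a, cust_b]

if __name__ == "__main__":
    print(build_tables(demo_vrfs()))
```

Adding LEGAL_RT to a private prefix's export set reproduces the misconfiguration the leak check is meant to catch.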