Shared Firewall in MPLS cloud

Unanswered Question
Jun 10th, 2007

Hi. I have an MPLS cloud on which I want to provide basic Internet connectivity for customers in the cloud. This will not be for VPN services, simply http, ftp etc (possibly some inbound NAT for webservers). I have a 7200VXR for the job. My plan is to set this up as an effective PE in the cloud and use 'NAT VRF AWARE' features to NAT networks in each VRF to a single public IP (currently this is 1 per VRF from a large pool). I can't see a reason for this not working but I wanted to get advice on this. I am also unsure as to how the public-facing interface will be seen by the customer VRF since it will not be statically labeled with any VRF.

Any thoughts on this?

Thanks in advance.

swaroop.potdar Sun, 06/10/2007 - 10:13

You can provide Internet access as specified by you through a "shared central VRF" and also without a VRF but with a "global VRF default".

In the latter case your default per VRF would be pointing to a global public IP interface, for which the next-hop would be your 7200 PE.

Your end VRFs won't see any label as they will only see a default route, which in turn will point to this new 7200 PE. There will be a label available from the IGP for its next-hop, based on which the traffic will be switched till this NAT-aware PE.

And yes this will work.



dankennedy Sun, 06/10/2007 - 10:48

Great. So my last question is: do I need to assign the public interface to a VRF, i.e. 'vrf global', if I do not use global VRF default?


swaroop.potdar Sun, 06/10/2007 - 14:41

If you want to create a Shared Internet VRF service then you will create an Internet VRF and include the public IP in it.

If you are not creating a specific Internet VRF then you don't assign the global interface to any VRF but have every VRF have a global VRF default pointing to the 7200 PE where this global interface is.

Once the traffic arrives here in search of the default next-hop, then it's only a matter of assigning inside and outside interfaces and doing a VRF-aware NAT onto the global interface or to a pre-defined pool.



dankennedy Mon, 07/02/2007 - 09:38

Hi Swaroop, I'm trying to follow your advice regarding the global default. I have 2 VRFs I'll be using called CUST1 and CUST2. Traffic will come into the e2/0.1 sub-interface and should then be NATed to (global interface not VRF). If I use static translations inside they work fine. Dynamic translations, however, do not seem to work. I have really tried to follow Cisco's documentation, but I'm not having much luck. Do you notice anything incorrect with the following?


interface Ethernet2/0.1
 description "CUST1 Interface"
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description "OUTSIDE INT"
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex full
!
ip nat pool CUST1_POOL netmask
ip nat inside source list 1 pool CUST1_POOL vrf CUST1 overload
!
access-list 1 permit log
!
ip route vrf CUST1 FastEthernet0/0 global

Any help you can give me would be very appreciated.



swaroop.potdar Mon, 07/02/2007 - 20:45

Hi Dan, your config is correct. No problems.

Although it may sound weird, try using an extended ACL for the source list and it will work.
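
As an added illustration of the "global VRF default" model described in this thread (this is not configuration posted by any participant, nor a Cisco reference config): a two-VRF layout on a NAT-aware PE, with one public address per VRF drawn from a pool, an extended ACL as the NAT source list (the change suggested above), per-VRF default routes resolved in the global table, and one inbound static translation for a customer web server. All addresses are constructed (RFC 1918 inside, RFC 5737 203.0.113.0/24 outside); the VRF names CUST1/CUST2 and interface names follow the thread, the pool and ACL names, RD/RT values and upstream next-hop 203.0.113.1 are assumptions, and the MPLS/VPNv4 side that imports the customer routes is omitted.

```cisco
! --- VRF definitions (RD/RT values are assumed) ---
ip vrf CUST1
 rd 65000:1
 route-target both 65000:1
ip vrf CUST2
 rd 65000:2
 route-target both 65000:2
!
! --- Inside interfaces: one dot1q sub-interface per customer VRF ---
! Keeping a per-VRF sub-interface also gives a per-customer
! interface counter, which is what a billing system can poll.
interface Ethernet2/0.1
 description CUST1 inside (constructed addressing)
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet2/0.2
 description CUST2 inside (constructed addressing)
 encapsulation dot1Q 20
 ip vrf forwarding CUST2
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! --- Outside interface: stays in the global routing table, no vrf forwarding ---
interface FastEthernet0/0
 description OUTSIDE, global table
 ip address 203.0.113.2 255.255.255.0
 ip access-group FROM_INTERNET in
 ip nat outside
 ip virtual-reassembly
!
! --- One public address per VRF (constructed 203.0.113.0/24 block) ---
ip nat pool CUST1_POOL 203.0.113.11 203.0.113.11 netmask 255.255.255.0
ip nat pool CUST2_POOL 203.0.113.12 203.0.113.12 netmask 255.255.255.0
!
! --- Extended ACLs as the NAT source lists, one per VRF ---
ip access-list extended CUST1_NAT
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended CUST2_NAT
 permit ip 10.2.0.0 0.0.0.255 any
!
! --- VRF-aware dynamic NAT, many inside hosts onto one public address ---
ip nat inside source list CUST1_NAT pool CUST1_POOL vrf CUST1 overload
ip nat inside source list CUST2_NAT pool CUST2_POOL vrf CUST2 overload
!
! --- Inbound static translation for a CUST1 web server (assumed host) ---
ip nat inside source static tcp 10.1.0.80 80 203.0.113.21 80 vrf CUST1
!
! --- Per-VRF default, next hop resolved in the global table ---
ip route vrf CUST1 0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf CUST2 0.0.0.0 0.0.0.0 203.0.113.1 global
!
! --- Outside ACL: only the published service is reachable from the Internet,
!     return traffic for outbound sessions is matched by the NAT table ---
ip access-list extended FROM_INTERNET
 permit tcp any host 203.0.113.21 eq 80
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp any 203.0.113.0 0.0.0.255
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 deny ip any any log
```

Two points worth checking on a box built like this: the NAT entries created by the `vrf` keyword are what carry return packets from the global table back into the right VRF, so a translation that is missing or not created (the symptom the thread hit with a standard ACL) shows up as one-way traffic, which `show ip nat translations vrf CUST1` and `debug ip nat` make visible; and because the outside interface has no VRF, anything the outside ACL permits that is not translated lands in the global table, so the deny-and-log entry at the bottom is the line that keeps customer VRFs and the provider's global table apart.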



dankennedy Tue, 07/03/2007 - 06:50

Thanks Swaroop. That did work with an extended ACL!

Do I need any further routes added to get the NATed addresses back to the CUST1 VRF?

When I ping I do see the NATed address on the next hop now but I still don't see a reply. Again I do not have this problem with a static translation.

Thanks once again for all your help.


dankennedy Tue, 07/03/2007 - 08:49

Disregard the above; it was simply an ARP issue.

With your help I now have both inside dynamic and inside static working. The only thing I now need is outside static. I tried using

ip nat outside source static vrf CUST1

This, however, did not work. Do I need to add anything to get outside static to work? I am trying to use this to hit an internal web server and have made sure the ACL on the outside interface allows this.



swaroop.potdar Tue, 07/03/2007 - 12:53

Have a look at this document and see if you have been missing anything by chance.

It covers both dynamic and static examples you have been trying to configure. Hope it should be helpful.

Before you start you may want to unconfigure the previous NAT-related configs and start fresh; this should help as it would be a clean start.



kent.plummer Mon, 08/03/2009 - 16:25

I'm implementing a similar VRF-aware NAT solution, however I need to bill Internet traffic per customer (per VRF). The PE performing the VRF-aware NAT does not have any interfaces in each customer VRF, other than loopbacks.

For various reasons I need to pull SNMP interface byte counters to bill customers, so I need to be able to query an interface per customer.

Does anyone have any suggestions on how to bill per VRF?



dankennedy Tue, 08/04/2009 - 00:20

Does the PE run VPNv4 then?

I would perform this function on a separate box and use 802.1q sub-interfaces assigned to a VRF for the inside NAT interfaces.

kent.plummer Tue, 08/04/2009 - 20:04

Hi Dan,

Yes, the PE is running VPNv4 services (Cisco 7600) - it is a full MPLS PE.

The separate box with dot1q sub-interfaces is the solution I was trying to avoid due to extra hardware costs and provisioning pain. However, this may well be the only solution here.

I guess I need to identify a cost-effective VRF-aware NAT box.

