Shared Firewall in MPLS cloud

dankennedy
Level 1

Hi. I have an MPLS cloud on which I want to provide basic Internet connectivity for customers in the cloud. This will not be for VPN services, simply HTTP, FTP etc. (possibly some inbound NAT for web servers). I have a 7200VXR for the job. My plan is to set this up as an effective PE in the cloud and use 'NAT VRF AWARE' features to NAT networks in each VRF to a single public IP (currently this is 1 per VRF from a large pool). I can't see a reason for this not working but I wanted to get advice on this. I am also unsure as to how the public-facing interface will be seen by the customer VRF since it will not be statically labeled with any VRF.

Any thoughts on this?

Thanks in advance.

12 Replies

swaroop.potdar
Level 7

You can provide Internet access as specified by you through a "shared central VRF" and also without a VRF but with a "global VRF default".

In the latter case your default per VRF would be pointing to a global public IP interface, for which the next hop would be your 7200 PE.

Your end VRFs won't see any label as they will only see a default route, which in turn will point to this new 7200 PE. There will be a label available from the IGP for its next hop, based on which the traffic will be switched till this NAT-aware PE.

And yes this will work.

HTH-Cheers,

Swaroop

Great. So my last question is: do I need to assign the public interface to a VRF, i.e. 'vrf global', if I do not use the global VRF default?

Thanks

If you want to create a Shared Internet VRF service then you will create an Internet VRF and include the public IP in it.

If you are not creating a specific Internet VRF then you don't assign the global interface to any VRF but have every VRF have a global VRF default pointing to the 7200 PE where this global interface is.

Once the traffic arrives here in search of the default next hop, then it's only a matter of assigning inside and outside interfaces and doing a VRF-aware NAT onto the global interface or to a pre-defined pool.

HTH-Cheers,

Swaroop

Hi Swaroop, I'm trying to follow your advice regarding the global default. I have 2 VRFs I'll be using called CUST1 and CUST2. Traffic will come into the e2/0.1 sub-interface and should then be NATed to 210.10.10.17 (global interface, not VRF). If I use static translations inside, they work fine. Dynamic translations however do not seem to work. I have really tried to follow Cisco's documentation, but I'm not having much luck. Do you notice anything incorrect with the following?

!
interface Ethernet2/0.1
 description "CUST1 Interface"
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address 172.16.1.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description "OUTSIDE INT"
 ip address 210.10.10.17 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex full
!
ip nat pool CUST1_POOL 210.10.10.17 210.10.10.17 netmask 255.255.255.0
ip nat inside source list 1 pool CUST1_POOL vrf CUST1 overload
access-list 1 permit 172.16.0.0 0.0.255.255 log
!
ip route vrf CUST1 0.0.0.0 0.0.0.0 FastEthernet0/0 210.10.10.254 global

Any help you can give me would be very appreciated.

Thanks

Dan.

Hi Dan, your config is correct. No problems.

Although it may sound weird, try using an extended ACL for the source list and it will work.

HTH-Cheers,

Swaroop

Thanks Swaroop. That did work with an extended ACL!

Do I need any further routes added to get the NATed addresses back to the CUST1 VRF?

When I ping I do see the NATed address on the next hop now but I still don't see a reply. Again I do not have this problem with a static translation.

Thanks once again for all your help.

Dan.

Disregard the above, it was simply an ARP issue.

With your help I now have both inside dynamic and inside static working. The only thing I now need is outside static. I tried using

ip nat outside source static vrf CUST1

This however did not work. Do I need to add anything to get outside static to work? I am trying to use this to hit an internal web server and have made sure the ACL on the outside interface allows this.

Thanks

Dan.

Have a look at this document and see if you have been missing anything by chance.

It covers both the dynamic and static examples you have been trying to configure. Hope it is helpful.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.htm

Before you start you may want to unconfigure the previous NAT-related configs and start fresh; a clean start should help.

HTH-Cheers,

Swaroop

Thanks, all working now.

Dan.
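A consolidated version of the design this exchange arrived at, as an added example (not Dan's or Swaroop's own config): two customer VRFs, extended ACLs for the dynamic translation, one public address per VRF, a port-level inside static for a web server, and the per-VRF default into the global table. The CUST2 values, the web-server address and the VRF definitions (assumed to already exist on the PE) are assumptions; the CUST1 addresses and next hop are taken from Dan's post.

```cisco
! Added example, not from the thread: consolidated VRF-aware NAT for the
! global-default design. Assumed: VRFs CUST1/CUST2 with one public /32
! each from 210.10.10.0/24, upstream next hop 210.10.10.254 (from Dan's
! post); the CUST2 values and web server 172.16.1.100 are invented.
interface FastEthernet0/0
 description OUTSIDE INT (global table, no VRF)
 ip address 210.10.10.17 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Ethernet2/0.1
 description CUST1 Interface
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address 172.16.1.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet2/0.2
 description CUST2 Interface (assumed)
 encapsulation dot1Q 20
 ip vrf forwarding CUST2
 ip address 172.16.2.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
! Extended ACLs, as the thread found standard ACL 1 did not trigger
! dynamic translation. Scope each ACL to its own customer's prefixes so
! traffic from one VRF can never be translated through another's pool.
ip access-list extended CUST1_NAT
 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended CUST2_NAT
 permit ip 172.16.2.0 0.0.0.255 any
!
! One pool (a single public address) per VRF, overloaded with PAT.
ip nat pool CUST1_POOL 210.10.10.17 210.10.10.17 netmask 255.255.255.0
ip nat pool CUST2_POOL 210.10.10.18 210.10.10.18 netmask 255.255.255.0
ip nat inside source list CUST1_NAT pool CUST1_POOL vrf CUST1 overload
ip nat inside source list CUST2_NAT pool CUST2_POOL vrf CUST2 overload
!
! Inbound web server in CUST1: port-level inside static, exposing only TCP/80.
ip nat inside source static tcp 172.16.1.100 80 210.10.10.19 80 vrf CUST1
!
! Per-VRF default into the global table; return traffic is steered back
! into the right VRF by the translation entry, which records the VRF.
ip route vrf CUST1 0.0.0.0 0.0.0.0 FastEthernet0/0 210.10.10.254 global
ip route vrf CUST2 0.0.0.0 0.0.0.0 FastEthernet0/0 210.10.10.254 global
```

Verify with `show ip nat translations vrf CUST1` that each entry carries its VRF, and keep the outside interface's inbound ACL limited to the statically exposed ports.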

I'm implementing a similar VRF-aware NAT solution, however I need to bill Internet traffic per customer (per VRF). The PE performing the VRF-aware NAT does not have any interfaces in each customer VRF, other than loopbacks.

For various reasons I need to pull SNMP interface byte counters to bill customers, so I need to be able to query an interface per customer.

Does anyone have any suggestions on how to bill per VRF?

Cheers

Kent.

Does the PE run VPNv4 then?

I would perform this function on a separate box and use 802.1q sub-interfaces assigned to a VRF for the inside NAT interfaces.

Hi Dan,

Yes, the PE is running VPNv4 services (Cisco 7600); it is a full MPLS PE.

The separate box with dot1q sub-interfaces is the solution I was trying to avoid due to extra hardware costs and provisioning pain. However, this may well be the only solution here.

I guess I need to identify a cost-effective VRF-aware NAT box.
