VRF aware NAT on local PE for internet access

Unanswered Question
Feb 26th, 2009


I have one question about VRF-aware NAT for internet access! If we enable VRF-aware NAT on the local PE to get internet access via a central Internet PE, then we will not have connectivity to any other VPN site, as all local CE prefixes will be translated to the loopback IP address of the local PE.

We can have a route map which matches an ACL for a specific CE source to a specific VPN destination with the deny keyword, and it will prevent NAT when the CE tries to communicate with another CE of the same VPN or a different VPN. That looks like a longer configuration in the real world, right? So is that the only way I have, when my only option is to configure the local PE with VRF-aware NAT to gain internet access?

I need to know what the implementation is in the real world. How are service provider networks providing internet access with the MPLS VPN option? I know about the case where the customer gets VPN connectivity on one router and the service provider gives another internet connectivity link, which might terminate on the same router or another router.


Devang Patel
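
As an added illustration (not part of the thread and not any poster's configuration), the route-map exemption described in the question could look like this on a Cisco IOS PE. The VRF name, RD/RT values, interfaces and all addresses are assumptions, and the VPN address space is assumed to summarize to 10.0.0.0/8 so that a single deny line covers every remote site.

```cisco
! Constructed example: all names, addresses and interfaces are assumptions.
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
!
interface Loopback0
 description Global address used as the NAT overload address
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description CE-facing VRF interface
 ip vrf forwarding CUST-A
 ip address 10.1.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description MPLS core-facing interface
 ip address 198.51.100.1 255.255.255.252
 mpls ip
 ip nat outside
!
! Internet-bound VRF traffic follows a default route whose next hop
! is resolved in the global table.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 198.51.100.2 global
!
! The deny entry exempts VPN-to-VPN traffic from translation.
! Denying the summarized VPN block keeps the ACL to two lines
! instead of one entry per remote site.
ip access-list extended CUST-A-NAT
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
route-map CUST-A-INET permit 10
 match ip address CUST-A-NAT
!
! Only flows permitted by the route map are translated to Loopback0.
ip nat inside source route-map CUST-A-INET interface Loopback0 vrf CUST-A overload
```

`show ip nat translations vrf CUST-A` should then list entries only for internet destinations, not for traffic to other VPN sites.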

shivlu jain Thu, 02/26/2009 - 23:27

Hi Devang

We are using VRF NAT where the customer demands firewall services. To implement this we advertise a default route, and VRF NAT is used on a per-VPN basis. This is the rate services in case of wholesale.

Actual implementation: we create an INTERNET VRF which has a default route. In the customer VRF, the RT of the internet route is imported and the VRF is able to get the default route. For reverse traffic, an IPv4 route is added at the PE towards the customer interface.


shivlu jain

devang_etcom Fri, 02/27/2009 - 00:34


So I guess you have the central internet PE where you have the internet routes, and if a customer needs internet access with VPN, then you are generating a default route and importing that default route with the help of the RT into that customer VRF! Right! So where are you performing NAT? At the central internet PE?


Devang Patel

shivlu jain Fri, 02/27/2009 - 00:51

Hi Devang

There is no requirement for NATing, because INTERNET is a VRF and we are simply leaking the route in global.

Actually, the INTERNET VRF has a default route pointing into the global routing table. Whenever the RT of the INTERNET VRF is imported by any CE VRF, that VRF gets a default route with a VPN label pointing towards the PE which is advertising the default route. When the traffic reaches that PE, the VRF traffic is converted to IP traffic and moves out. For the reverse path, we announce customer prefixes in the global routing table pointing towards the customer end.

Hope it will help you.


shivlu jain

