scalable vcs-e design for MPLS customers and internet

Answered Question
Apr 10th, 2012

Hi all,

I'm thinking about a scalable VCS-Expressway design in a service provider architecture.

Some customers reach the VCS-E through an MPLS network, others through the internet (each customer with its own VCS-C).

I have a VCS-E with dual NIC and the NAT feature enabled.

The VCS-E is in a private network.

In this architecture, if I NAT the VCS-E address to a public IP address, I can't inject the public IP into the customer VPNs (customers use private addressing, and anyway they don't want to receive a public IP address from MPLS and from the internet). And I can't inject a private IP address into the internet; in addition, each customer wants to use a VCS-E IP address compliant with their IP plan... so maybe customer A wants to use a 172.31.x.y address, and customer B a 192.168.x.y IP address.

The best solution could be to NAT the VCS-E address to a different IP address for each customer / the internet via the firewall, so for example VCS-E 10.1.1.1 to 172.31.24.1 for customer A, to 192.168.24.1 for customer B, and to 80.x.y.z for the internet, based on firewall context... but I'm not sure I can do that (can I? I think I can only NAT the VCS-E IP address statically 1 to 1).

I attach a figure showing the network design.

Any suggestion?
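To make the per-context NAT idea in the question concrete, here is an added example (not Cisco's configuration and not the poster's own firewall setup) that models a static 1:1 NAT of the single VCS-E inside address to a different outside address per firewall context, and checks the constraints the post lists: customers must see an address inside their own private plan, the internet must never see a private address, and every context must get a distinct outside address so return traffic can be matched back. The inside address and the two customer NAT addresses are the ones named in the thread; the customer address plans and the public address (203.0.113.1 standing in for the post's 80.x.y.z) are assumptions.

```python
import ipaddress

# RFC 1918 ranges: used to decide whether an address is private or public.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for RFC 1918 addresses, which must never be injected into the internet."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class ContextNat:
    """Static 1:1 NAT of one inside address, with a different outside
    address per firewall context (one per customer VPN, one for the internet)."""

    def __init__(self, inside_addr: str):
        self.inside = ipaddress.ip_address(inside_addr)
        self.outside = {}   # context name -> outside address used on that context

    def add_customer(self, context: str, outside_addr: str, plan: str):
        """Map the inside address to an address inside the customer's own IP plan."""
        outside = ipaddress.ip_address(outside_addr)
        if not is_private(outside_addr):
            raise ValueError(f"{context}: customers must receive a private address")
        if outside not in ipaddress.ip_network(plan):
            raise ValueError(f"{context}: {outside} is outside the customer plan {plan}")
        self._add(context, outside)

    def add_internet(self, context: str, outside_addr: str):
        """Map the inside address to a public address for the internet context."""
        if is_private(outside_addr):
            raise ValueError(f"{context}: a private address cannot be injected into the internet")
        self._add(context, ipaddress.ip_address(outside_addr))

    def _add(self, context, outside):
        # A 1:1 static NAT needs a distinct outside address per context; otherwise
        # return traffic could not be matched back to the right context.
        if outside in self.outside.values():
            raise ValueError(f"{outside} is already used by another context")
        self.outside[context] = outside

    def translate_out(self, context: str) -> str:
        """Source NAT applied to packets from the VCS-E leaving via `context`."""
        return str(self.outside[context])

    def translate_in(self, context: str, dst: str) -> str:
        """Destination NAT applied to packets arriving on `context` for the VCS-E."""
        if ipaddress.ip_address(dst) != self.outside[context]:
            raise KeyError(f"{dst} is not the VCS-E NAT address on {context}")
        return str(self.inside)


def is_rejected(fn, *args) -> bool:
    """True if the validation rules refuse the proposed mapping."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def thread_example() -> ContextNat:
    """The three mappings described in the question (plans and public address assumed)."""
    nat = ContextNat("10.1.1.1")                                     # VCS-E inside address
    nat.add_customer("customer_a", "172.31.24.1", "172.31.0.0/16")   # plan is an assumption
    nat.add_customer("customer_b", "192.168.24.1", "192.168.0.0/16") # plan is an assumption
    nat.add_internet("internet", "203.0.113.1")                      # placeholder for 80.x.y.z
    return nat
```

The design point the checks encode: the translation is still 1:1 within each context, it is only the choice of outside address that depends on which context (customer VPN or internet) the traffic crosses.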

Correct Answer by Robert Krenn, Tue, 04/10/2012 - 04:02

Hello,


In your design it is allowed to do NAT between VCS-C and VCS-E if you set them up using traversal links/zones, which I guess is what you plan to do. A neighbour zone will fail in this design.

So your customer can have a VCS-C on their private network and that one connects to your VCS-E over a NAT firewall as you describe as the "best solution". There is no need to NAT any IP address back to the customer, since the VCS-C will make an outbound connection only to the VCS-E.


//Robert

Fabrizio Nurra Tue, 04/10/2012 - 05:44

Robert,

thanks for the answer, but sorry, I think I didn't get the point: what do you mean by "there is no need to NAT any IP address back to the customer, since the VCS-C will make an outbound connection only to the VCS-E"? Which peer address does a customer have to set in his own VCS-C? In this scenario, do I still need the dual NIC option?

Another question: what if a customer has his own VCS-E and wants to connect to my VCS-E?


Thanks

Robert Krenn Tue, 04/10/2012 - 06:02

For this part of your design you do not need the Dual NIC option. The VCS-C and VCS-E will use a firewall traversal protocol to connect.

The customers should set the peer address to the NAT address that is configured in the firewall pointing to your Expressway.

If the customer already has a VCS-E, then you must design and implement some clever search rules that manage to find out whether to send calls to your VCS-E or to the customer's VCS-E. That search rule MUST be implemented in the customer's VCS-C and possibly even in the VCS-E to avoid potential search loops that most probably will happen in such a scenario.


//Robert
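The search-loop risk Robert raises can be shown with a small simulation. This is an added example, not Cisco VCS code and not a description of how the product evaluates rules: each VCS holds an ordered list of (alias pattern, target VCS) rules, a call hops from VCS to VCS until it reaches a box where the alias is registered, and a loop is flagged the moment a call would be searched on a VCS it already visited. The VCS names, aliases and rule sets are constructed; the "naive" network is a customer VCS-C that forwards everything unknown to the provider VCS-E while the provider VCS-E forwards everything unknown back, and the "fixed" network uses domain-based rules so each domain has exactly one owner.

```python
import re


class Vcs:
    """One VCS with its local registrations and an ordered list of search rules."""

    def __init__(self, name, registrations, rules):
        self.name = name
        self.registrations = set(registrations)   # aliases registered on this box
        self.rules = list(rules)                  # (alias regex, target VCS name), priority order

    def next_hop(self, alias):
        """Return None if the alias is registered here, else the next VCS to search."""
        if alias in self.registrations:
            return None
        for pattern, target in self.rules:
            if re.fullmatch(pattern, alias):
                return target
        raise LookupError(f"{self.name}: no search rule matches {alias}")


def route(network, start, alias):
    """Follow the search rules from `start` and return the list of VCSs visited.
    Raises RuntimeError as soon as a VCS would be searched a second time."""
    path = [start]
    while True:
        target = network[path[-1]].next_hop(alias)
        if target is None:
            return path
        if target in path:
            raise RuntimeError("search loop: " + " -> ".join(path + [target]))
        path.append(target)


def loops(network, start, alias):
    """True if searching `alias` from `start` never terminates in a registration."""
    try:
        route(network, start, alias)
        return False
    except RuntimeError:
        return True


def naive_network():
    """Constructed: catch-all rules on both sides, so an unknown alias bounces
    between the customer VCS-C and the provider VCS-E forever."""
    return {
        "cust-c": Vcs("cust-c", {"alice@customer.example"}, [(r".*", "sp-e")]),
        "sp-e":   Vcs("sp-e", {"mcu@sp.example"}, [(r".*", "cust-c")]),
    }


def fixed_network():
    """Constructed: domain-based rules so the customer VCS-C decides per domain
    whether a call goes to its own VCS-E or to the provider VCS-E, and the
    provider VCS-E only ever sends the customer's own domain back."""
    return {
        "cust-c": Vcs("cust-c", {"alice@customer.example"},
                      [(r".*@partner\.example", "cust-e"),
                       (r".*@sp\.example", "sp-e")]),
        "cust-e": Vcs("cust-e", set(), [(r".*@partner\.example", "partner")]),
        "partner": Vcs("partner", {"bob@partner.example"}, []),
        "sp-e":   Vcs("sp-e", {"mcu@sp.example"}, [(r".*@customer\.example", "cust-c")]),
    }
```

In the naive network a call to a registered alias still works (it terminates on the first hop that owns it), which is why such loops are easy to miss in testing; only an alias nobody owns exposes them. In the fixed network an unknown alias fails with "no search rule matches" instead of looping, which is the behaviour you want.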

Fabrizio Nurra Tue, 04/10/2012 - 06:53

Thank you Robert, clear now.

Having already had the benefit of your kindness, may I also ask when I must use the dual NIC/NAT option? Only when I have no firewall and I need the NAT to be done by the VCS-E itself?

I read that even if NAT is performed by the firewall, the dual NIC/NAT feature option is needed anyway: am I wrong?


Thanks

Robert Krenn Tue, 04/10/2012 - 07:08

There are basically 2 things you need the dual NIC option for:

1. When you want to separate an inside network and an outside network on separate interfaces.

2. If you want to place the public interface on a NATed network behind a firewall.

The NAT option is mostly for bare-bone H.323 and SIP calls and doesn't affect the traversal protocols that are used when connecting VCS-C and VCS-E, for example.


//Robert
