MPLS/VPN with NAT-PE
From IPFlow Netflow Collector
MPLS/VPN with NAT-PE Example
This is a simple example of MPLS/VPN configuration with NAT-PE for Internet access on Cisco routers (using Dynamips and GNS3).
Author: Christophe Fillot - 07-Nov-2007
Topology
IOS configurations
- P (http://www.ipflow.utc.fr/configs/NAT_PE/P.cfg)
- PE1 (http://www.ipflow.utc.fr/configs/NAT_PE/PE1.cfg)
- PE2 (http://www.ipflow.utc.fr/configs/NAT_PE/PE2.cfg)
- PE-NAT (http://www.ipflow.utc.fr/configs/NAT_PE/PE-NAT.cfg)
- Internet (http://www.ipflow.utc.fr/configs/NAT_PE/Internet.cfg)
Dynamips/Dynagen/GNS3 configuration
You can use this configuration file (http://www.ipflow.utc.fr/configs/NAT_PE/nat_pe.net) directly with Dynagen or GNS3. Change the working directory and Cisco IOS image path to match your needs.
Description
PE-NAT provides Internet access (represented by a single router) with NAT for 3 VPNs. P, PE1, PE2 have a classical MPLS/VPN configuration.
Configuration
"ip nat inside" is configured on the MPLS core interface:
PE-NAT#sh run int fa 0/0
interface FastEthernet0/0
 description To P
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex half
 mpls ip
end
"ip nat outside" is configured on the "Internet" interface:
PE-NAT#sh run int fa 1/0
interface FastEthernet1/0
 description To Internet
 ip address 123.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex half
end
Configuration for VRF "VPN1":
ip route vrf VPN1 0.0.0.0 0.0.0.0 FastEthernet1/0 123.0.0.2 global
ip nat pool VPN1_POOL 123.1.0.0 123.1.0.255 prefix-length 24
ip nat inside source list 1 pool VPN1_POOL vrf VPN1 overload
access-list 1 permit 100.10.0.0 0.0.255.255
The default route is required to send packets out through the Internet interface, even though that interface is not in the VRF (hence the "global" keyword on the static route).
The default route is propagated to the other PE with "default-information originate" in BGP:
router bgp 65000
 [...]
 address-family ipv4 vrf VPN1
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 [...]
!
Verifying operation
200.0.0.1 is a Loopback address configured on the "Internet" router to simulate a server on the Internet.
PE2#ping vrf VPN1 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/24/64 ms
PE2#ping vrf VPN2 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 12/28/56 ms
PE2#ping vrf VPN3 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/34/64 ms
You can examine the translation entries:
PE-NAT#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.1.0.1:84      100.10.0.2:84      200.0.0.1:84       200.0.0.1:84
icmp 123.2.0.1:85      100.20.0.2:85      200.0.0.1:85       200.0.0.1:85
icmp 123.3.0.1:86      100.30.0.2:86      200.0.0.1:86       200.0.0.1:86
You can also display only the entries specific to a given VRF:
PE-NAT#sh ip nat trans vrf VPN1
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.1.0.1:84      100.10.0.2:84      200.0.0.1:84       200.0.0.1:84
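Because one NAT-PE serves several VRFs, it is worth checking that each VRF's sources only ever land in that VRF's pool. The following script is an added example (not from the original page or its configuration files): it parses the "sh ip nat trans" output shown above and flags any entry whose inside-global address is outside the pool for the VRF that owns the inside-local source. The VPN1 prefix and pool come from access-list 1 and VPN1_POOL above; the VPN2 and VPN3 values are assumptions that follow the same pattern, and the last sample line is a constructed bad entry.

```python
import ipaddress

# Constructed sample: the "sh ip nat trans" output from this page, plus one
# deliberately wrong line (a VPN2 source translated into the VPN1 pool).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.1.0.1:84      100.10.0.2:84      200.0.0.1:84       200.0.0.1:84
icmp 123.2.0.1:85      100.20.0.2:85      200.0.0.1:85       200.0.0.1:85
icmp 123.3.0.1:86      100.30.0.2:86      200.0.0.1:86       200.0.0.1:86
icmp 123.1.0.1:90      100.20.0.9:90      200.0.0.1:90       200.0.0.1:90
"""

# Per-VRF policy: (inside-local prefix permitted by the NAT ACL, inside-global pool).
# VPN1 matches access-list 1 / VPN1_POOL on the page; VPN2 and VPN3 are assumed
# to follow the same pattern (their configuration is not shown on the page).
POLICY = {
    "VPN1": (ipaddress.ip_network("100.10.0.0/16"), ipaddress.ip_network("123.1.0.0/24")),
    "VPN2": (ipaddress.ip_network("100.20.0.0/16"), ipaddress.ip_network("123.2.0.0/24")),
    "VPN3": (ipaddress.ip_network("100.30.0.0/16"), ipaddress.ip_network("123.3.0.0/24")),
}


def _addr(field):
    """Strip the ':port' suffix IOS appends to each address column."""
    return ipaddress.ip_address(field.rsplit(":", 1)[0])


def parse_translations(text):
    """Turn 'show ip nat translations' output into a list of parsed entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # header, blank or truncated line
        proto, ig, il, ol, og = parts
        entries.append({"proto": proto, "inside_global": _addr(ig),
                        "inside_local": _addr(il), "outside_global": og})
    return entries


def audit_translations(entries, policy=POLICY):
    """Return (vrf, entry) for entries translated into the wrong pool, and
    ('UNKNOWN', entry) for inside-local sources that no VRF policy permits."""
    findings = []
    for e in entries:
        vrf = next((n for n, (src, _) in policy.items() if e["inside_local"] in src), None)
        if vrf is None:
            findings.append(("UNKNOWN", e))
        elif e["inside_global"] not in policy[vrf][1]:
            findings.append((vrf, e))
    return findings


if __name__ == "__main__":
    for vrf, e in audit_translations(parse_translations(SAMPLE)):
        print(vrf, e["inside_local"], "->", e["inside_global"])
```

On a real router the same check can be run against the output of "sh ip nat trans" captured over SSH or from a NetFlow/syslog pipeline; any finding means the NAT ACL or pool binding for that VRF needs review.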

