MPLS/VPN with NAT-PE
From IPFlow Netflow Collector
MPLS/VPN with NAT-PE Example
This is a simple example of MPLS/VPN configuration with NAT-PE for Internet access on Cisco routers (using Dynamips and GNS3).
Author: Christophe Fillot - 07-Nov-2007
Topology
IOS configurations
- P (http://www.ipflow.utc.fr/configs/NAT_PE/P.cfg)
- PE1 (http://www.ipflow.utc.fr/configs/NAT_PE/PE1.cfg)
- PE2 (http://www.ipflow.utc.fr/configs/NAT_PE/PE2.cfg)
- PE-NAT (http://www.ipflow.utc.fr/configs/NAT_PE/PE-NAT.cfg)
- Internet (http://www.ipflow.utc.fr/configs/NAT_PE/Internet.cfg)
Dynamips/Dynagen/GNS3 configuration
You can use this configuration file (http://www.ipflow.utc.fr/configs/NAT_PE/nat_pe.net) directly with Dynagen or GNS3. Change the working directory and Cisco IOS image path to match your needs.
Description
PE-NAT provides Internet access for three VPNs, with a separate NAT pool per VRF; the Internet is represented by a single router. P, PE1 and PE2 have a classical MPLS/VPN configuration.
Configuration
"ip nat inside" is configured on the MPLS core interface (the one facing P), so traffic arriving from the VPN sites over the MPLS core is treated as NAT inside:
PE-NAT#sh run int fa 0/0
interface FastEthernet0/0
description To P
ip address 10.0.0.2 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
mpls ip
end
"ip nat outside" is configured on the "Internet" interface:
PE-NAT#sh run int fa 1/0
interface FastEthernet1/0
description To Internet
ip address 123.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex half
end
Configuration for VRF "VPN1" (VPN2 and VPN3 follow the same pattern, each with its own pool and access-list):
ip route vrf VPN1 0.0.0.0 0.0.0.0 FastEthernet1/0 123.0.0.2 global
ip nat pool VPN1_POOL 123.1.0.0 123.1.0.255 prefix-length 24
ip nat inside source list 1 pool VPN1_POOL vrf VPN1 overload
access-list 1 permit 100.10.0.0 0.0.255.255
The default route is required to send VPN1 packets out of the Internet interface, which belongs to the global routing table and not to the VRF: the "global" keyword tells IOS to resolve the next hop 123.0.0.2 in the global table. Two checks are worth making here. First, only sources matched by access-list 1 (100.10.0.0/16) are translated; a VPN1 source outside that range would follow the same default route and leave untranslated, so the list must cover every prefix the VPN is allowed to send to the Internet. Second, the "Internet" router needs return routes for the pool prefix (here 123.1.0.0/24) pointing back to 123.0.0.1, since pool addresses are not configured on any PE-NAT interface.
The default route is redistributed with "redistribute static" and advertised to the other PEs through MP-BGP; "default-information originate" in the VPN1 address family is required for BGP to accept the 0.0.0.0/0 route:
router bgp 65000
[...]
address-family ipv4 vrf VPN1
redistribute connected
redistribute static
default-information originate
no synchronization
exit-address-family
[...]
!
Verifying operation
200.0.0.1 is a Loopback address configured on the "Internet" router to simulate a server on the Internet. The pings are sourced from PE2 inside each VRF:
PE2#ping vrf VPN1 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/24/64 ms
PE2#ping vrf VPN2 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 12/28/56 ms
PE2#ping vrf VPN3 200.0.0.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/34/64 ms
You can examine the translation entries. Each VRF's inside local addresses are translated to that VRF's own pool (123.1.0.x for VPN1, 123.2.0.x for VPN2, 123.3.0.x for VPN3), which is what keeps the VPNs separated on the shared Internet interface:
PE-NAT#sh ip nat trans
Pro  Inside global    Inside local     Outside local    Outside global
icmp 123.1.0.1:84     100.10.0.2:84    200.0.0.1:84     200.0.0.1:84
icmp 123.2.0.1:85     100.20.0.2:85    200.0.0.1:85     200.0.0.1:85
icmp 123.3.0.1:86     100.30.0.2:86    200.0.0.1:86     200.0.0.1:86
You can also display only the entries specific to a given VRF:
PE-NAT#sh ip nat trans vrf VPN1
Pro  Inside global    Inside local     Outside local    Outside global
icmp 123.1.0.1:84     100.10.0.2:84    200.0.0.1:84     200.0.0.1:84
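The two things worth verifying on a NAT-PE are exactly what the configuration and the translation tables above expose: that every translation for a VRF uses that VRF's own pool, and that every inside local address was actually permitted by that VRF's access-list (a source the list does not match leaves untranslated). The following script is an added example, not part of the IPFlow page and not a Cisco tool; it parses the "ip nat pool", "ip nat inside source list ... vrf ..." and "access-list" lines of a PE-NAT running config together with "show ip nat translations vrf <name>" output and reports any entry that violates either rule. The VPN1 config lines are the ones shown above; the VPN2 pool and access-list, and the anomalous rows in the sample "show" output, are constructed for the example.

```python
"""Audit NAT-PE translations against the per-VRF NAT policy.

Added example (not from the IPFlow page or from Cisco). The NAT_CONFIG and
SHOW_TRANS_VPN1 samples below are constructed; a real run would feed the
running config and 'show ip nat translations vrf <name>' output instead.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AclEntry = Tuple[str, int, int]          # (action, base address, wildcard mask)


@dataclass
class VrfNatPolicy:
    vrf: str
    acl: str                              # inside source list number or name
    pool_name: str
    pool_start: int = 0                   # pool bounds as ints for range checks
    pool_end: int = 0
    acl_entries: List[AclEntry] = field(default_factory=list)


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_permits(entries: List[AclEntry], addr: int) -> bool:
    """Standard ACL evaluation: first match wins, implicit deny at the end.
    A source this returns False for is forwarded to the Internet untranslated."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def parse_nat_config(text: str) -> Dict[str, VrfNatPolicy]:
    """Build one VrfNatPolicy per 'ip nat inside source list ... vrf ...' line."""
    pools: Dict[str, Tuple[int, int]] = {}
    acls: Dict[str, List[AclEntry]] = {}
    policies: Dict[str, VrfNatPolicy] = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = (ip_int(t[4]), ip_int(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            m = re.search(r"list (\S+) pool (\S+) vrf (\S+)", line)
            if m:
                policies[m.group(3)] = VrfNatPolicy(m.group(3), m.group(1), m.group(2))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            rest = t[3:]
            if rest[0] == "any":
                base, wc = 0, 0xFFFFFFFF
            elif rest[0] == "host":
                base, wc = ip_int(rest[1]), 0
            else:                          # 'A.B.C.D W.X.Y.Z' or a bare host address
                base = ip_int(rest[0])
                wc = ip_int(rest[1]) if len(rest) > 1 and rest[1] != "log" else 0
            acls.setdefault(t[1], []).append((t[2], base, wc))
    for p in policies.values():
        p.pool_start, p.pool_end = pools[p.pool_name]
        p.acl_entries = acls.get(p.acl, [])
    return policies


def parse_translations(text: str) -> List[Tuple[str, str, str]]:
    """Return (protocol, inside global, inside local) rows, ports stripped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 5 or t[0] == "Pro":
            continue
        rows.append((t[0], t[1].rsplit(":", 1)[0], t[2].rsplit(":", 1)[0]))
    return rows


def check_vrf(policy: VrfNatPolicy, show_output: str) -> List[str]:
    """Report translations that use another VRF's pool or an unpermitted source."""
    problems = []
    for proto, inside_global, inside_local in parse_translations(show_output):
        if not policy.pool_start <= ip_int(inside_global) <= policy.pool_end:
            problems.append(f"{policy.vrf}: {proto} {inside_local} -> {inside_global} "
                            f"is outside pool {policy.pool_name}")
        if not acl_permits(policy.acl_entries, ip_int(inside_local)):
            problems.append(f"{policy.vrf}: {proto} source {inside_local} "
                            f"is not permitted by access-list {policy.acl}")
    return problems


# Constructed config: the VPN1 lines are those shown on the page; the VPN2
# lines are written by analogy from the pool visible in the translation table.
NAT_CONFIG = """
ip nat pool VPN1_POOL 123.1.0.0 123.1.0.255 prefix-length 24
ip nat pool VPN2_POOL 123.2.0.0 123.2.0.255 prefix-length 24
ip nat inside source list 1 pool VPN1_POOL vrf VPN1 overload
ip nat inside source list 2 pool VPN2_POOL vrf VPN2 overload
access-list 1 permit 100.10.0.0 0.0.255.255
access-list 2 permit 100.20.0.0 0.0.255.255
"""

# Constructed 'sh ip nat trans vrf VPN1' output: the first row is the ICMP entry
# from the page; the other two are deliberate anomalies so the check fires.
SHOW_TRANS_VPN1 = """\
Pro  Inside global    Inside local     Outside local    Outside global
icmp 123.1.0.1:84     100.10.0.2:84    200.0.0.1:84     200.0.0.1:84
tcp  123.2.0.1:1025   100.10.0.9:40001 200.0.0.1:80     200.0.0.1:80
udp  123.1.0.1:53000  100.11.0.4:53000 200.0.0.1:53     200.0.0.1:53
"""

POLICIES = parse_nat_config(NAT_CONFIG)

if __name__ == "__main__":
    for line in check_vrf(POLICIES["VPN1"], SHOW_TRANS_VPN1) or ["VPN1: ok"]:
        print(line)
```

Run against the constructed sample, the script flags the TCP row (translated into VPN2's pool) and the UDP row (a 100.11.0.4 source that access-list 1 never permitted); the page's own ICMP entry passes. acl_permits can also be called on its own before a change window, to confirm that every prefix a VPN site will send to the Internet is covered by its access-list and therefore translated.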