[134414] in North American Network Operators' Group


Re: Problems with removing NAT from a network

daemon@ATHENA.MIT.EDU (Matt Hite)
Wed Jan 5 22:09:48 2011

In-Reply-To: <4D252B1F.8030506@kenweb.org>
Date: Wed, 5 Jan 2011 19:08:51 -0800
From: Matt Hite <lists@beatmixed.com>
To: ml@kenweb.org
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

You didn't mention, but are you introducing a second border router? Is
the new upstream circuit from a new provider, or is it a second,
redundant circuit to the same provider in a different POP? Does your
customer have their own portable address space, or are they using
provider address space?

I'll make some presumptions: yes, it is a different provider, and no,
they don't have their own address space.

Based on those guesses/presumptions, I'd push to acquire portable
address space. Advertise it to both providers, carve a chunk of that
address space off and route it to a firewall(s) to perform border NAT.
Migrate old, provider dependent external NAT space to new, portable
address space.

-M

On Wed, Jan 5, 2011 at 6:38 PM, ML <ml@kenweb.org> wrote:
> I've got a customer that is looking to multihome with upstreams in two POPs.
> Currently they multihome in one POP and utilize a single edge router for
> some one-to-one NAT and some PAT for their users.
>
> Before they turn up the BGP peer in the new POP I've advised them to abolish
> NAT once and for all in order to avoid issues with non-stateful NAT between
> network edges and possible asymmetric routing of their Internet traffic.
>
> The PAT can be removed easily enough. The tricky part is the one-to-one NAT.
> They have quite a few systems which have 1918 IPs which they claim "cannot
> be changed". At least not without some painful rebuilds of critical systems
> which have these IPs deeply embedded in their configs.
>
> Has anyone here had to fix this kind of problem before? Is there a solution
> that would allow NAT to be offloaded to a smaller device hanging off each edge
> router that can communicate state between each other in case traffic is
> asymmetrically routed?
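The failure ML is worried about (stateful NAT split across two border routers under asymmetric routing) and the layout Matt proposes (portable space routed to a single firewall that does the NAT behind both edges) can be modeled in a few lines. The following is an added illustration, not code from either poster or from any vendor; it assumes a deliberately simplified PAT (sequential ports, no timeouts, no port preservation) and uses constructed addresses: RFC 1918 inside, RFC 5737 documentation prefixes standing in for the "portable" public block.

```python
"""Model of NAT behaviour under asymmetric routing across two border routers.
Added example for the thread; all addresses and the PAT port policy are
constructed assumptions, not a real implementation."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatEdge:
    """Stateful PAT onto one public address, with a private per-device flow table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (src, sport, dst, dport) -> public port
        self.in_table = {}    # public port -> (inside src, inside sport)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a reply back to the inside host, or None (dropped) if no state."""
        entry = self.in_table.get(pkt.dport)
        if pkt.dst != self.public_ip or entry is None:
            return None
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)


class StaticNatEdge:
    """Stateless one-to-one NAT: a fixed inside<->outside table, no flow state."""

    def __init__(self, inside_to_outside):
        self.in2out = dict(inside_to_outside)
        self.out2in = {v: k for k, v in self.in2out.items()}

    def outbound(self, pkt):
        return Packet(self.in2out.get(pkt.src, pkt.src), pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inside = self.out2in.get(pkt.dst)
        return None if inside is None else Packet(pkt.src, pkt.sport, inside, pkt.dport)


class PlainRouter:
    """Border router with NAT removed: forwards packets untouched."""

    def outbound(self, pkt):
        return pkt

    def inbound(self, pkt):
        return pkt


def round_trip(out_path, in_path, pkt):
    """Push pkt out through out_path, let the remote host answer, and bring the
    reply back through in_path. Returns the reply as the inside host sees it,
    or None if some hop dropped it."""
    for hop in out_path:
        pkt = hop.outbound(pkt)
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)   # remote host answers
    for hop in in_path:
        reply = hop.inbound(reply)
        if reply is None:
            return None
    return reply


# Constructed sample flow: inside host to an HTTPS server on the Internet.
CLIENT = Packet("10.1.1.25", 51000, "192.0.2.80", 443)


def pat_on_both_edges():
    """Both edges PAT onto the same portable address with separate state tables.
    Returns (symmetric result, asymmetric result): the second is a drop."""
    edge_a, edge_b = PatEdge("198.51.100.1"), PatEdge("198.51.100.1")
    return round_trip([edge_a], [edge_a], CLIENT), round_trip([edge_a], [edge_b], CLIENT)


def pat_collision_on_both_edges():
    """Worse than a drop: edge B already mapped port 40000 to another host, so the
    reply meant for 10.1.1.25 is delivered to 10.1.1.99. Returns that wrong dst."""
    edge_a, edge_b = PatEdge("198.51.100.1"), PatEdge("198.51.100.1")
    edge_b.outbound(Packet("10.1.1.99", 60000, "192.0.2.81", 443))
    return round_trip([edge_a], [edge_b], CLIENT).dst


def static_nat_on_both_edges():
    """Identical one-to-one tables on both edges: no state, so either path works."""
    table = {"10.1.1.25": "198.51.100.25"}
    return round_trip([StaticNatEdge(table)], [StaticNatEdge(table)], CLIENT)


def nat_behind_both_edges():
    """Matt's layout: a chunk of the portable block is routed to one firewall that
    does the PAT; the border routers only forward, so the firewall sees both
    directions regardless of which edge the traffic used."""
    firewall = PatEdge("198.51.100.1")
    return round_trip([firewall, PlainRouter()], [PlainRouter(), firewall], CLIENT)
```

The two PAT cases are the ones that motivate ML's "state sync between edges" question: a reply that lands on the other edge is dropped, or, once the port ranges overlap, handed to the wrong inside host. The static one-to-one table has no per-flow state, so copying it to both edges is safe, which is why the PAT is the easy part to remove and the 1:1 mappings only need to be reachable from either path; moving the NAT onto a device behind both edges, as Matt suggests, removes the asymmetry problem for both kinds.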

