[58895] in North American Network Operators' Group
Re: NAT for an ISP
daemon@ATHENA.MIT.EDU (Andy Dills)
Wed Jun 4 18:52:07 2003
Date: Wed, 4 Jun 2003 18:51:40 -0400 (EDT)
From: Andy Dills <andy@xecu.net>
To: Dan Armstrong <dan@beanfield.com>
Cc: "Christopher J. Wolff" <chris@bblabs.com>, <nanog@merit.edu>
In-Reply-To: <3EDE4DDC.75BC37C7@beanfield.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 4 Jun 2003, Dan Armstrong wrote:
>
> 90% of our customers all use private address space. We only give out
> real address space to customers that have servers that need to be
> visible. We run NAT on several customer facing routers.
>
> Cool stuff we can do is set up PPTP VPNs on the same router to give
> people "access from home" to their LAN. Same with L2TP/ILEC DSL.
>
> Problems include:
>
> We have a big NAT pool on each router. If some twerp customer gets
> infected with some windoze crap, tracking it down can be a bit more
> work.
>
> Until recently, the IOS could not take huge volumes of NAT without
> tossing its cookies from time to time.
>
> We have been toying around with VRFs & NAT which was recently introduced
> in the IOS, and it appears that in a NAT situation, the VRFs "leak"
> between each other, which scares the crap out of me. We are going to
> wait for a couple of revisions of the IOS before looking into that
> again.
Why on earth would you do anything other than push NAT responsibility to
the end-user CPE?
So you can do the aforementioned "cool stuff"?
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---