nanog mailing list archives

Re: NAT for an ISP

From: Andy Dills <andy () xecu net>
Date: Wed, 4 Jun 2003 18:51:40 -0400 (EDT)


On Wed, 4 Jun 2003, Dan Armstrong wrote:


90% of our customers all use private address space.   We only give out
real address space to customers that have servers that need to be
visible.   We run NAT on several customer facing routers.

Cool stuff we can do is setup PPTP VPNs on the same router to give
people "access from home" to their LAN.  Same with L2TP/ILEC DSL.

Problems include:

We have a big nat pool on each router.  If some twerp customer gets
infected with some windoze crap, tracking it down can be a bit more
work.

Until recently, the IOS could not take huge volumes of NAT without
tossing it's cookies from time to time.

We have been toying around with VRFs & NAT which was recently introduced
in the IOS, and it appears that in a NAT situation, the VRFs "leak"
between each other, which scares the crap out of me.  We are going to
wait for a couple of revisions of the IOS before looking into that
again.


Why on earth would you do anything other than push NAT responsibility to
the end-user CPE?

So you can do the aforementiond "cool stuff"?

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Current thread:

NAT for an ISP Christopher J. Wolff (Jun 04)
- Re: NAT for an ISP Dan Armstrong (Jun 04)
  - Re: NAT for an ISP Andy Dills (Jun 04)
    - Re: NAT for an ISP Dan Armstrong (Jun 04)
    - Re: NAT for an ISP Andy Dills (Jun 04)
    - RE: NAT for an ISP William Devine, II (Jun 04)
    - Re: NAT for an ISP E.B. Dreger (Jun 04)
    - Re: NAT for an ISP John Kristoff (Jun 04)
- Re: NAT for an ISP David G. Andersen (Jun 04)
  - Re: NAT for an ISP Andy Dills (Jun 04)
    - Re: NAT for an ISP David G. Andersen (Jun 04)
- Re: NAT for an ISP Johannes Catterwell (Jun 04)
- RE: NAT for an ISP William S. Duncanson (Jun 04)

(Thread continues...)