Internet and Point to Point terminate on same router -- best practice?

brettp (Level 1)

I have knowledge of theory and facts in terms of networking, but not so much practical knowledge, because nearly everything I do is new to me (due to lack of experience). We currently have an ISP-managed router where our internet access and an MPLS network terminate. We're changing providers, so I will need to configure a new router for internet access and a point to point. So this, in a sense, kind of sort of, opens the internal network (point to point) to the internet. What is the best practice for setting this up? Is it okay just to leave both like that, or should I use VRFs, one for the point to point and one for the internet? Just wondering what experienced people are doing. Thanks.

2 Replies

Giuseppe Larosa (Hall of Fame)

Hello Brett,

You will need NAT on the internet-facing link, and you will use routing (with no NAT) on the MPLS link.

NAT = Network Address Translation

Using two different VRFs may be too much. In any case you need NAT, as private IP addresses per RFC 1918 cannot be routed over the public Internet.

As a minimum you will have a default static route pointing to the internet:

ip route 0.0.0.0 0.0.0.0 <ISP-next-hop-address>

int gi0/0/0
 ip address a.b.c.d 255.255.255.252
 ip nat outside
!
int gi0/0/1
 description Internal Link
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
int gi0/0/2
 description MPLS link
 ip address 192.168.10.2 255.255.255.252
!
! example with static route for MPLS destinations
ip route 192.168.0.0 255.255.0.0 192.168.10.1
!
! extended ACL: the protocol keyword (ip) is required before source/destination
access-list 112 remark NAT extended ACL
access-list 112 deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 10.10.0.0 0.0.255.255 any

The deny statement ensures that traffic to destinations in the MPLS network will not be source-NATted.

! the route-map ties the ACL to the outgoing interface, so only traffic
! leaving towards the ISP is translated
route-map NAT permit 10
 match ip address 112
 match interface gi0/0/0
!
ip nat inside source route-map NAT interface gi0/0/0 overload

 

Hope to help

Giuseppe
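To make the NAT decision in the configuration above concrete, here is a small model of it as an added example, not part of the original post and not Cisco code. It implements longest-prefix routing followed by the same rule `ip nat inside source route-map NAT interface gi0/0/0 overload` applies: translate only packets that arrived on an `ip nat inside` interface, leave via the route-map's `match interface`, and are permitted by ACL 112. It goes one step beyond the reply by also modelling the VRF alternative the question asks about, so the two can be compared on the same failure mode (the MPLS static route being forgotten). Interface names follow the reply; gi0/0/3, the VRF name "P2P", the 10.20.20.0/30 link and all host addresses are constructed assumptions.

```python
"""Model of the forwarding and NAT decisions in the IOS configuration above.

Added example, not part of the original post and not Cisco code. It
reproduces the effect of `ip nat inside source route-map NAT interface
gi0/0/0 overload`: a packet that arrived on an `ip nat inside` interface is
translated only if it will leave through the route-map's `match interface`
(the `ip nat outside` link) and ACL 112 permits it. Interface names follow
the reply; gi0/0/3, VRF "P2P" and all host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

NAT_INSIDE = {"gi0/0/1"}
NAT_OUTSIDE = "gi0/0/0"  # route-map NAT: match interface gi0/0/0
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# access-list 112 as (action, source, destination); IOS appends an implicit deny
ACL_112 = [
    ("deny", ip_network("10.10.0.0/16"), ip_network("192.168.0.0/16")),
    ("permit", ip_network("10.10.0.0/16"), ip_network("0.0.0.0/0")),
]


@dataclass(frozen=True)
class Route:
    vrf: str
    prefix: IPv4Network
    interface: str


# The reply's configuration: everything in the global routing table.
NO_VRF = {"gi0/0/0": "global", "gi0/0/1": "global", "gi0/0/2": "global"}
GLOBAL_ROUTES = [
    Route("global", ip_network("0.0.0.0/0"), "gi0/0/0"),        # ip route 0.0.0.0 0.0.0.0 <ISP>
    Route("global", ip_network("10.10.10.0/24"), "gi0/0/1"),    # connected
    Route("global", ip_network("192.168.10.0/30"), "gi0/0/2"),  # connected MPLS link
    Route("global", ip_network("192.168.0.0/16"), "gi0/0/2"),   # ip route 192.168.0.0 255.255.0.0 192.168.10.1
]

# Assumed VRF variant from the question: the MPLS link and the internal
# P2P-facing interface (gi0/0/3 in the follow-up topology) in VRF "P2P",
# which deliberately has no default route.
WITH_VRF = {"gi0/0/0": "global", "gi0/0/1": "global", "gi0/0/2": "P2P", "gi0/0/3": "P2P"}
VRF_ROUTES = [
    Route("global", ip_network("0.0.0.0/0"), "gi0/0/0"),
    Route("global", ip_network("10.10.10.0/24"), "gi0/0/1"),
    Route("P2P", ip_network("192.168.10.0/30"), "gi0/0/2"),
    Route("P2P", ip_network("10.20.20.0/30"), "gi0/0/3"),      # assumed link to the internal P2P router
    Route("P2P", ip_network("192.168.0.0/16"), "gi0/0/2"),
]


def lookup(routes, vrf, dst):
    """Longest-prefix match, restricted to the table of the ingress VRF."""
    matches = [r for r in routes if r.vrf == vrf and dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def forward(routes, iface_vrf, ingress, src, dst):
    """Return where the packet leaves, whether it is translated, and whether
    an RFC 1918 source would reach the ISP untranslated."""
    src, dst = ip_address(src), ip_address(dst)
    route = lookup(routes, iface_vrf[ingress], dst)
    if route is None:  # no route in this VRF: the packet is dropped
        return {"egress": None, "natted": False, "private_leak": False}
    natted = (ingress in NAT_INSIDE and route.interface == NAT_OUTSIDE
              and acl_permits(ACL_112, src, dst))
    leak = (route.interface == NAT_OUTSIDE and not natted
            and any(src in n for n in RFC1918))
    return {"egress": route.interface, "natted": natted, "private_leak": leak}


def without_mpls_static(routes):
    """The failure mode: the 192.168.0.0/16 static route is missing."""
    return [r for r in routes if r.prefix != ip_network("192.168.0.0/16")]


def scenarios():
    host, mpls_host, internet_host = "10.10.10.50", "192.168.50.7", "198.51.100.10"
    return {
        # intended behaviour with the reply's configuration
        "internet": forward(GLOBAL_ROUTES, NO_VRF, "gi0/0/1", host, internet_host),
        "mpls": forward(GLOBAL_ROUTES, NO_VRF, "gi0/0/1", host, mpls_host),
        # same configuration, MPLS static route forgotten: the ACL deny keeps the
        # packet untranslated, so it follows the default route to the ISP as-is
        "mpls_no_route": forward(without_mpls_static(GLOBAL_ROUTES), NO_VRF, "gi0/0/1", host, mpls_host),
        # VRF variant with the same mistake: no default route in VRF P2P, so it is dropped
        "vrf_no_route": forward(without_mpls_static(VRF_ROUTES), WITH_VRF, "gi0/0/3", host, mpls_host),
        "vrf_ok": forward(VRF_ROUTES, WITH_VRF, "gi0/0/3", host, mpls_host),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} -> {result}")
```

The point the model makes: with a single routing table, the ACL deny that keeps MPLS traffic untranslated is also what lets it leave towards the ISP with an RFC 1918 source the moment the MPLS route disappears (a flap, a typo, a removed static). A VRF without a default route turns that same mistake into a drop instead of a leak, which is the practical argument for the VRF split the question asks about. On IOS the equivalent is VRF-lite: `ip vrf P2P`, `ip vrf forwarding P2P` (or `vrf forwarding P2P` on newer releases) on the two P2P-facing interfaces, and `ip route vrf P2P ...` for the MPLS prefixes.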

 

brettp (Level 1)

Thank you for the reply, Giuseppe! I appreciate you taking the time to reply and plan that out! With that said, I guess I should have noted a bit more of the topology, as it's a little more complex, but it's not very complex at all. There will be 4 interfaces in use:

ROUTER --> ISP
ROUTER --> Firewall (which ultimately leads to the internal network)
ROUTER --> P2P
ROUTER --> internal router for P2P traffic

Our internet traffic will already be NAT'd by the firewall, so it's basically just into the router and then out, which is no problem.

The P2P is a little more complex because we will be NAT'ing private IP to private IP (which again, is no problem). This traffic can't go into the firewall at this time, hence the other interface into our network.

Because of static routes, the P2P traffic will never try to go out to the internet. And internet traffic will be NAT'd to an IP of a connected network, so no route is needed (except the outbound default route).

So this traffic is already segregated. I just don't know if it should be segregated even more with the use of VRFs, or if this type of setup is fine as is. My concern, which will ultimately be resolved, is that the P2P traffic will not be going through the firewall.