Understanding How MX Series Router Cloud CPE NAT Services Provide Internet Traffic Routing for Layer 2 CPEs

This topic describes how you can migrate from a scenario where the NAT function is performed by a Layer 3 CPE device to a scenario where the Layer 3 CPE is replaced by a Layer 2 CPE and the MX Series router provides carrier-grade NAT (CGN). The Junos OS provides CGN for IPv4 and IPv6 networks.

In the scenario shown in Figure 1, the NAT function is performed by a Layer 3 CPE provided by the service provider. In the Layer 3 CPE, a default route or route for public prefixes is configured to send Internet-bound traffic to the inside interface of NAT. Routes for private address prefixes, configured statically or learned through routing protocols, are used to send VPN internal traffic to the VPN interfaces (the subscriber LAN or the VPN internal interface to the PE router).

If dynamic routing is enabled between the CE router and the adjacent PE router, the default route configured in the CE router is advertised to the VPN routing instance in the PE router, which further propagates it to other VPN sites through IBGP. The default route in the remote VPN sites sends Internet-bound traffic to the NAT inside interface of the CE router through the VPN. The addresses are translated, and the traffic is sent back to the PE router through the public interface. Internet-bound traffic from the remote site therefore travels through the WAN link of the VPN site with Internet access twice: first from the PE router to the CE router, and then from the CE router back to the PE router after address translation by NAT. The process is the same for traffic from the Internet.

Figure 1: Using MX Series Router Cloud CPE NAT Service to Route Internet Traffic

There is one interface from the CE router to the subscriber LAN, and two interfaces between the CE router and the PE router: one for VPN internal traffic and one for Internet traffic. The VPN internal interface belongs to the VPN routing instance in the PE router, and the public interface is terminated in the global routing instance in the PE router.

When you implement cloud CPE (cCPE) services in this same scenario, the Layer 3 CPE is replaced by a Layer 2 CPE. Layer 3 functions, including routing, NAT, and firewall, are provided as cloud services by the MX Series router. In the VPN routing instance in the PE router, a static route is needed to send Internet-bound traffic to the inside interface of the NAT gateway and the firewall. After address translation, traffic travels through the global routing instance and is then routed to the Internet. Return traffic travels back through the global routing instance and is then routed to the outside interface of the NAT gateway and firewall. After the traffic is converted to the private destination address, the packets in the routing instance are routed within the VPN.

Implementing cCPE services in this scenario provides two benefits:

  • Internet traffic for remote sites (sites without Internet access) does not need to go through the WAN link twice for address translation by NAT.

  • Only one interface is required between the PE router and the CE router.
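The cCPE arrangement described above (a static route in the VPN routing instance pointing at the NAT inside interface, with the outside interface left in the global routing instance) can be sketched as a Junos next-hop-style service set. This is an added example, not configuration from the original page or from Juniper; the instance name VPN-A, the sp-1/0/0 services interface and its unit numbers, ge-1/1/0.100, the route distinguisher and route target, the pool and rule names, and all addresses are constructed assumptions, and the firewall service is omitted.

```junos
# Added example with constructed names and documentation-range addresses.
# Assumes a services interface sp-1/0/0 is present on the MX Series router.

# Services interface: unit 1 is the NAT inside leg, unit 2 the outside leg.
set interfaces sp-1/0/0 unit 1 family inet
set interfaces sp-1/0/0 unit 1 service-domain inside
set interfaces sp-1/0/0 unit 2 family inet
set interfaces sp-1/0/0 unit 2 service-domain outside

# Public pool and a source NAT rule for the subscriber's private prefix.
set services nat pool public-pool address 203.0.113.0/28
set services nat pool public-pool port automatic
set services nat rule internet-nat match-direction input
set services nat rule internet-nat term t1 from source-address 10.0.0.0/8
set services nat rule internet-nat term t1 then translated source-pool public-pool
set services nat rule internet-nat term t1 then translated translation-type napt-44

# Next-hop-style service set ties the rule to the inside/outside units.
set services service-set ccpe-nat nat-rules internet-nat
set services service-set ccpe-nat next-hop-service inside-service-interface sp-1/0/0.1
set services service-set ccpe-nat next-hop-service outside-service-interface sp-1/0/0.2

# VPN routing instance: the single CE-facing interface plus the NAT inside
# unit. The static default route steers Internet-bound traffic into NAT.
set routing-instances VPN-A instance-type vrf
set routing-instances VPN-A interface ge-1/1/0.100
set routing-instances VPN-A interface sp-1/0/0.1
set routing-instances VPN-A route-distinguisher 65000:1
set routing-instances VPN-A vrf-target target:65000:1
set routing-instances VPN-A routing-options static route 0.0.0.0/0 next-hop sp-1/0/0.1

# sp-1/0/0.2 is deliberately not placed in any routing instance, so
# translated traffic leaves through the global routing instance and return
# traffic for the pool re-enters NAT on the outside unit.
```

Keeping the outside unit out of the VRF is what separates private VPN routes from Internet routes here, so a review of such a configuration should confirm that only the inside unit appears under the routing instance.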