12-19-2011 02:20 PM
Hello,
I need to NAT between a pair of VRFs. I understand the simple examples in the documentation where you have customer X and customer Y (each on their own interface/sub-interface) and want them to share a 3rd interface such as an internet connection. Using NAT with NVI, you'd put an "ip nat enable" statement on all 3 interfaces (each customer interface, plus the internet interface), and an "ip nat source list BLAH" statement for each customer. Seems pretty simple.
What about when those customers aren't directly connected to that router? What if they're part of a VRF that's on the "MP-BGP" side of the router? Ie. we're no longer dealing with VRF-LITE. Do I need an "ip nat enable" statement on all of the MPLS enabled interfaces that lead to the "MP-BGP cloud"?
Hope that makes sense. Normally I'd lab this up to find the answer, but I have limited access to my lab environment and don't want to experiment on production gear.
12-20-2011 12:44 AM
Hello,
You are probably talking about the NVI-style of configuration. Yes, in that case, you would indeed need to configure the MPLS-BGP cloud-facing interfaces to be configured with ip nat enable.
In this case, however, you may also be fine with the classic style of NAT configuration using the ip nat inside and ip nat outside constructs, plus the ip nat inside source list BLAH ... vrf VRF_NAME overload command to associate a NAT rule with a particular VRF instance. You need to do that also with your current NVI-style - to refer to a particular VRF!
Best regards,
Peter
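As an added example (not configuration posted by anyone in this thread), here is what the Internet-facing PE could look like in each of the two styles Peter describes. The VRF name, RD, interface names, addresses and ACL name are all assumed; the placement of ip nat inside on the MPLS core-facing interface in the classic style is likewise an assumption, mirroring what Peter says about ip nat enable in the NVI style.

```cisco
! Internet-facing PE, VRF-aware NAT for customer VRF CUST_A (all names/addresses assumed)
ip vrf CUST_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Default route for the VRF toward the Internet next hop in the global table (assumed address)
ip route vrf CUST_A 0.0.0.0 0.0.0.0 203.0.113.1 global
!
! Traffic from CUST_A that should be translated (assumed customer prefix)
ip access-list standard CUST_A_NAT
 permit 10.1.1.0 0.0.0.255
!
! ===== Style 1: classic ip nat inside / ip nat outside =====
interface GigabitEthernet0/0
 description MPLS core-facing; CUST_A traffic arrives here via MP-BGP (assumed)
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet-facing, global routing table
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! "vrf CUST_A" ties the rule to that VRF instance, as Peter notes
ip nat inside source list CUST_A_NAT interface GigabitEthernet0/1 vrf CUST_A overload
!
! ===== Style 2: NVI, used INSTEAD of style 1 (not in addition to it) =====
! Every participating interface gets "ip nat enable" in place of inside/outside,
! including the core-facing interface per Peter's answer above.
interface GigabitEthernet0/0
 no ip nat inside
 ip nat enable
!
interface GigabitEthernet0/1
 no ip nat outside
 ip nat enable
!
ip nat source list CUST_A_NAT interface GigabitEthernet0/1 vrf CUST_A overload
!
! Check that translations are being created for the VRF
! show ip nat translations vrf CUST_A
```

Pick one style for a given box; the second block above is written as the set of commands that would replace the first, not extend it. The VRF keyword is what makes the rule apply to CUST_A traffic rather than to the global table, so it is needed in both styles.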
12-20-2011 12:48 AM
Hi
I did test a kind of similar setup for providing Internet Access to an MPLS VPN Customer using VRF aware NAT, whereby the Customers were peering on one PE router and the Internet Peering was on another separate PE router under an Internet VRF, and MP-iBGP provided connectivity between the two PEs and in turn the CE and Internet.
I built a GRE Tunnel between the two PEs and made it part of Customer VRF and was able to provide reachability between Internet and CE using VRF Aware NAT on the Internet PE..
This did work but has a scalability issue of building (m x n) GRE Tunnels on the Internet PE if we need to serve n unique Customer Sites in m unique VRFs.
Hope this provides some insight into your requirements. If you find it relevant to your requirement and need to look at the solution I can PM you the same.
Regards
Varma
12-22-2011 08:48 AM
Thanks everyone!
Once I added the "ip nat enable" command to the router, it promptly reloaded itself with a bus error. The client was not impressed.
While I'm researching the cause of the bus error, I put an old PIX 515E (no, not an ASA, but a PIX) we had on the shelf in place to do the natting. This works so well, we might just keep it around.
12-23-2011 12:01 AM
Hello,
Once I added the "ip nat enable" command to the router, it promptly reloaded itself with a bus error. The client was not impressed.
Oops... What was the type of the router and the IOS version, anyway?
Regarding the bus error - it is a synonym for segmentation fault, which stands for the IOS process trying to access memory that does not belong to it - or an address that is not even present in the system. This is obviously caused by a software error or, in rare cases, lack of RAM. In any case, there is extremely little you can do about it, apart from upgrading your IOS and/or increasing the amount of RAM in your system.
Best regards,
Peter