05-05-2017 08:10 AM - edited 03-05-2019 08:28 AM
Hi,
I have 3 spoke CSRs connected to a central hub CSR router over VTI tunnel VPN/BGP.
Spoke 1 and Spoke 2 have overlapping subnets, 10.55.x.x/16.
Spoke 3 is the head office on 10.60.x.x/16.
The hub CSR is 10.99.x.x/16, so the hub sits in the middle of the 3 spokes.
All 3 spokes are in their own VRFs, and route leaking is done among them.
I am NATting Spoke 1 10.55.x.x into 1.1.1.x when reaching Spoke 3
and
I am NATting Spoke 2 10.55.x.x into 2.2.2.x when reaching Spoke 3.
Traffic reaches Spoke 3 fine, but when the response comes back from Spoke 3 to the hub CSR, the hub CSR cannot tell whether it needs to send the traffic to Spoke 1 or Spoke 2 because of the overlapping 10.55.x.x subnet.
So I applied a route-map on the head office tunnel.
interface Tunnel3
 description HeadOffice Tunnel
 ip nat outside
 ip policy route-map HeadOffice
!
ip access-list extended Spoke1
 permit ip any 1.1.1.0 0.0.0.255
ip access-list extended Spoke2
 permit ip any 2.2.2.0 0.0.0.255
!
route-map HeadOffice permit 10
 match ip address Spoke1
 set vrf Spoke1VRF
route-map HeadOffice permit 20
 match ip address Spoke2
 set vrf Spoke2VRF
But the ACL doesn't match when traffic comes back from Spoke 3 to the CSR.
How do I match the ACL on the pre-DNAT IP?
05-06-2017 01:27 AM
Hello
Do you really require a /16 for these 3 sites? Would it be possible to split the IP range into smaller blocks to avoid the overlap?
Even a /18 would give you 4 subnets and 16K+ hosts per subnet?
res
Paul
05-06-2017 02:56 AM
Hi Paul,
I wish I could do that. Each spoke is owned by a separate customer with a production environment. The above was just an example, and I have 100+ spokes that I need to connect to the hub and then route to the common data center (Spoke 3). I wish Cisco had an option to somehow, with a route-map, send traffic returning from Spoke 3 to the appropriate Spoke1/Spoke2 VRF, but it looks like I am stuck.
The alternate option is to run a CSR in each spoke and do NAT in each spoke as a.alekseev suggested, but I know most customers won't agree to that for their own reasons, so I wanted to do something natively.
05-06-2017 11:59 AM
HUB#sh run
Building configuration...

Current configuration : 3460 bytes
!
! Last configuration change at 21:31:05 UTC Sat May 6 2017
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
vrf definition SPOKE_1
 rd 1:1
 !
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
  route-target import 3:3
 exit-address-family
!
vrf definition SPOKE_2
 rd 2:2
 !
 address-family ipv4
  route-target export 2:2
  route-target import 2:2
  route-target import 3:3
 exit-address-family
!
vrf definition SPOKE_3
 rd 3:3
 !
 address-family ipv4
  import map SPOKE_3_import
  route-target export 3:3
  route-target import 1:1
  route-target import 2:2
 exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
 description ## SPOKE 1 ##
 vrf forwarding SPOKE_1
 ip address 10.0.0.0 255.255.255.254
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ## SPOKE_2 ##
 vrf forwarding SPOKE_2
 ip address 10.0.0.2 255.255.255.254
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description ## SPOKE_3 ##
 vrf forwarding SPOKE_3
 ip address 10.0.0.4 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SPOKE_1
  redistribute connected
  redistribute static route-map STATIC2BGP
  neighbor 10.0.0.1 remote-as 1
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 route-map SPOKE_OUT out
 exit-address-family
 !
 address-family ipv4 vrf SPOKE_2
  redistribute connected
  redistribute static route-map STATIC2BGP
  neighbor 10.0.0.3 remote-as 2
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 route-map SPOKE_OUT out
 exit-address-family
 !
 address-family ipv4 vrf SPOKE_3
  redistribute connected
  neighbor 10.0.0.5 remote-as 3
  neighbor 10.0.0.5 activate
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip bgp-community new-format
ip community-list standard NAT permit 255:255
!
ip nat inside source static network 10.55.0.0 1.1.1.0 /24 vrf SPOKE_1
ip nat inside source static network 10.55.0.0 2.2.2.0 /24 vrf SPOKE_2
ip route vrf SPOKE_1 1.1.1.0 255.255.255.0 10.0.0.1 tag 999
ip route vrf SPOKE_2 2.2.2.0 255.255.255.0 10.0.0.3 tag 999
!
no cdp log mismatch duplex
!
route-map SPOKE_OUT deny 10
 match community NAT
!
route-map SPOKE_OUT permit 20
!
route-map SPOKE_3_import permit 10
 match community NAT
!
route-map STATIC2BGP permit 10
 match tag 999
 set community 255:255
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end

HUB#sh ip route vrf SPOKE_3
Routing Table: SPOKE_3
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.0.0.1 (SPOKE_1), 00:14:12
      2.0.0.0/24 is subnetted, 1 subnets
B        2.2.2.0 [20/0] via 10.0.0.3 (SPOKE_2), 00:13:52
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.0.0.4/31 is directly connected, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5, 00:32:07

HUB#sh ip route vrf SPOKE_2
Routing Table: SPOKE_2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
S        2.2.2.0 [1/0] via 10.0.0.3
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.2/31 is directly connected, FastEthernet0/1
L        10.0.0.2/32 is directly connected, FastEthernet0/1
B        10.0.0.4/31 is directly connected (SPOKE_3), 01:38:30, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5 (SPOKE_3), 00:32:14
B        10.55.0.0/24 [20/0] via 10.0.0.3, 00:39:36

HUB#sh ip route vrf SPOKE_1
Routing Table: SPOKE_1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.0/31 is directly connected, FastEthernet0/0
L        10.0.0.0/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31 is directly connected (SPOKE_3), 01:38:33, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5 (SPOKE_3), 00:32:17
B        10.55.0.0/24 [20/0] via 10.0.0.1, 00:46:03

SPOKE_1
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.0/31 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31 [20/0] via 10.0.0.0, 00:27:32
B        10.10.0.0/24 [20/0] via 10.0.0.0, 00:27:32
C        10.55.0.0/24 is directly connected, FastEthernet0/1
L        10.55.0.1/32 is directly connected, FastEthernet0/1

SPOKE_2
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.2/31 is directly connected, FastEthernet0/0
L        10.0.0.3/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31 [20/0] via 10.0.0.2, 00:28:31
B        10.10.0.0/24 [20/0] via 10.0.0.2, 00:28:31
C        10.55.0.0/24 is directly connected, FastEthernet0/1
L        10.55.0.1/32 is directly connected, FastEthernet0/1

SPOKE_3
R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.0.0.4, 00:38:00
      2.0.0.0/24 is subnetted, 1 subnets
B        2.2.2.0 [20/0] via 10.0.0.4, 00:37:40
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        10.0.0.4/31 is directly connected, FastEthernet0/0
L        10.0.0.5/32 is directly connected, FastEthernet0/0
C        10.10.0.0/24 is directly connected, FastEthernet0/1
L        10.10.0.1/32 is directly connected, FastEthernet0/1
05-08-2017 03:31 AM
Wow, that's complex :) a.alekseev
Will test it out.
I was also able to make it work yesterday; here is my full config.
! Spoke 1 VRF
ip vrf vpn-5fba7268
 rd 64512:1
 import map deny55
 route-target export 64512:0
 route-target import 64512:0
!
! Spoke 2 VRF
ip vrf vpn-c8017183
 rd 64512:13
 import map deny55
 route-target export 64512:0
 route-target import 64512:0
!
! Spoke 3 VRF
ip vrf vpn-d8bacb93
 rd 64512:3
 route-target export 64512:0
 route-target import 64512:0
!
ip vrf vpn0
 rd 64512:0
!
! Spoke 1
interface Tunnel1
 ip vrf forwarding vpn-5fba7268
 ip address 169.254.59.166 255.255.255.252
 ip nat inside
!
! Spoke 2
interface Tunnel13
 ip vrf forwarding vpn-c8017183
 ip address 169.254.22.70 255.255.255.252
 ip nat inside
!
! Spoke 3
interface Tunnel3
 ip vrf forwarding vpn-d8bacb93
 ip address 169.254.20.110 255.255.255.252
 ip nat outside
!
router bgp 64512
 bgp log-neighbor-changes
 !
 ! Spoke 3: advertise the two NAT pools toward the data center
 address-family ipv4 vrf vpn-d8bacb93
  network 1.1.1.0 mask 255.255.255.0
  network 2.2.2.0 mask 255.255.255.0
  neighbor 169.254.20.109 remote-as 9059
  neighbor 169.254.20.109 timers 10 30 30
  neighbor 169.254.20.109 activate
  neighbor 169.254.20.109 as-override
  neighbor 169.254.20.109 soft-reconfiguration inbound
 exit-address-family
 !
 ! Spoke 1
 address-family ipv4 vrf vpn-5fba7268
  neighbor 169.254.59.165 remote-as 7224
  neighbor 169.254.59.165 timers 10 30 30
  neighbor 169.254.59.165 activate
  neighbor 169.254.59.165 as-override
 exit-address-family
 !
 ! Spoke 2
 address-family ipv4 vrf vpn-c8017183
  neighbor 169.254.22.69 remote-as 9059
  neighbor 169.254.22.69 timers 10 30 30
  neighbor 169.254.22.69 activate
  neighbor 169.254.22.69 as-override
 exit-address-family
!
ip nat inside source static network 10.55.0.0 1.1.1.0 /24 vrf vpn-5fba7268
ip nat inside source static network 10.55.0.0 2.2.2.0 /24 vrf vpn-c8017183
ip route vrf vpn-d8bacb93 1.1.1.0 255.255.255.0 100.64.127.225 global
ip route vrf vpn-d8bacb93 2.2.2.0 255.255.255.0 100.64.127.225 global
!
! Import filter for the Spoke 1 and Spoke 2 VRFs: keep the overlapping
! 10.55.0.0/16 from being leaked in, import everything else unchanged.
access-list 55 permit 10.55.0.0 0.0.255.255
route-map deny55 deny 10
 match ip address 55
route-map deny55 permit 20
The only thing that was confusing for me was how, when traffic comes back from the remote end of Spoke 3 and enters the CSR, it decides whether it needs to go to Spoke 1 or Spoke 2. But it looks like it gets DNATed first and goes to the right Spoke1|Spoke2 VRF by itself (instead of checking the Spoke 3 VRF BGP table, which is learning the same subnet from both the Spoke 1 and Spoke 2 neighbors and always selecting one of them as best). Apparently on return traffic the CSR is not even looking at the VRF BGP route table.
Then on each Spoke 1/Spoke 2 VRF I had to block leaking of the overlapping subnet so that traffic goes out the Spoke 1 and Spoke 2 VPN tunnels, and it worked like a charm :)
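As an added illustration (not configuration or code from this thread), here is a Python model of the outside-to-inside order Cisco documents for NAT: the static NAT entry translates the destination and selects the spoke VRF first, and only afterwards does a policy route-map on the NAT-outside interface see the packet, which is why an ACL matching 1.1.1.0/24 never fires on the return path. The VRF names and the 10.55.0.0 / 1.1.1.0 / 2.2.2.0 prefixes come from the config above; the Packet model, helper names and sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    vrf: str   # VRF the packet is currently being forwarded in

# Model of the thread's two static NAT entries (constructed from the posted
# "ip nat inside source static network ... vrf" lines):
# outside-global prefix -> (inside-local prefix, spoke VRF owning it)
STATIC_NAT = [
    (ipaddress.ip_network("1.1.1.0/24"), ipaddress.ip_network("10.55.0.0/24"), "vpn-5fba7268"),
    (ipaddress.ip_network("2.2.2.0/24"), ipaddress.ip_network("10.55.0.0/24"), "vpn-c8017183"),
]

# ACL the OP applied through "ip policy route-map" on the NAT-outside tunnel
PBR_ACL_SPOKE1 = ipaddress.ip_network("1.1.1.0/24")

def nat_outside_to_inside(pkt: Packet) -> Packet:
    """Outside-to-inside step: rewrite the destination global -> local and
    hand the packet to the VRF that owns the matching static entry."""
    dst = ipaddress.ip_address(pkt.dst)
    for outside, inside, vrf in STATIC_NAT:
        if dst in outside:
            offset = int(dst) - int(outside.network_address)
            return Packet(pkt.src, str(inside.network_address + offset), vrf)
    return pkt   # no entry: untranslated, stays in the outside VRF

def pbr_matches(pkt: Packet, acl: ipaddress.IPv4Network) -> bool:
    """'permit ip any <acl>' evaluated against the packet as PBR sees it."""
    return ipaddress.ip_address(pkt.dst) in acl

def hub_return_path(src: str, dst: str) -> dict:
    """Reply from Spoke 3 entering the hub on the NAT-outside tunnel.
    Order follows Cisco's outside-to-inside sequence: NAT, then PBR/routing."""
    arriving = Packet(src, dst, "vpn-d8bacb93")          # Spoke 3 VRF
    after_nat = nat_outside_to_inside(arriving)
    return {
        "acl_pre_nat": pbr_matches(arriving, PBR_ACL_SPOKE1),    # what the OP expected
        "acl_post_nat": pbr_matches(after_nat, PBR_ACL_SPOKE1),  # what PBR actually sees
        "vrf": after_nat.vrf,    # chosen by the NAT entry, not by the BGP table
        "dst": after_nat.dst,
    }

if __name__ == "__main__":
    for target in ("1.1.1.25", "2.2.2.25", "10.99.1.1"):
        print(target, hub_return_path("10.60.1.10", target))
```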
05-08-2017 03:31 AM
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html
05-08-2017 03:42 AM
Thanks :) The NAT order makes sense now. Happy hour...
05-10-2017 04:26 AM
Hi a.alekseev ,
Need assistance :)
Working on a variation where Spoke 1 and Spoke 2 also need to communicate with each other.
Since NAT inside and outside can't be applied at the same time, I am trying NAT on a stick, but no luck so far.
Ping to 2.2.2.99 (Spoke 2 NAT IP) from 10.55.0.201 (Spoke 1) doesn't work.
Additional config done for the ping to work from Spoke 1 to Spoke 2:
ip access-list extended 100
 permit ip 10.55.0.0 0.0.0.255 2.2.2.0 0.0.0.255
!
route-map vpn-5fba7268-map permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
 ! (also tried "set interface Loopback1" and "set ip next-hop 1.1.1.1")
!
! VRF of Spoke 2 (ip vrf forwarding goes before ip address, otherwise IOS clears the address)
interface Loopback1
 ip vrf forwarding vpn-c8017183
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
! Spoke 1
interface Tunnel1
 ip vrf forwarding vpn-5fba7268
 ip address 169.254.59.166 255.255.255.252
 ip nat inside
 ip policy route-map vpn-5fba7268-map
But NAT is not triggering. Scratching my head.
Any pointers will be appreciated.
(I have also advertised the NAT ranges towards Spoke 1 and 2.)
05-11-2017 12:07 PM
!
interface Loopback100
 ip address 192.168.0.0 255.255.255.255
!
interface Loopback200
 ip address 192.168.0.1 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding vpn-5fba7268
 ip address 192.168.0.2 255.255.255.254
 ip nat outside
 tunnel source Loopback100
 tunnel destination 192.168.0.1
!
interface Tunnel200
 ip vrf forwarding vpn-c8017183
 ip address 192.168.0.3 255.255.255.254
 ip nat outside
 tunnel source Loopback200
 tunnel destination 192.168.0.0
!
05-12-2017 03:17 AM
Don't tell me... You are awesome, man. Do you write any blogs as well? If so, please share the link; I would love to follow your posts.
Also, how can I read more about the above approach? I tried to Google it but can't find exactly what you did above. I want to read the theory behind it.
05-06-2017 03:06 AM
Hello
It seems the PBR of this traffic isn't working accordingly. Can you post a simple topology diagram please? It would give the forum a better understanding, and maybe the config of the hub router too.
res
paul
05-08-2017 03:47 AM
Hi Paul,
This was the topology. Spoke 3 you can consider as the corporate data center, and the rest of the spokes as customers. Spoke 3 is hosting shared services for all of Spokes 1, 2, 3.
The problem was that all spokes had (possibly) overlapping subnets.
https://aws.amazon.com/blogs/aws/aws-solution-transit-vpc/
Looks like we are golden now :)
05-06-2017 01:53 AM
Do NAT on the spokes (R1, R2).
And think about redesigning your network.
05-06-2017 02:51 AM
Hi a.alekseev ,
Thank you for your kind response. Actually Spoke 1 and Spoke 2 are AWS VGW-based VPNs, which don't have NAT capability, so this is the limitation.