05-02-2017 01:11 PM - edited 03-05-2019 08:27 AM
I have one outside, public interface with a single IP. That interface is in VRF INTERNET. I have two internal VRFs for GUEST and CONTRACTOR internet access that I need segmented. This is all separate from the global routing table for corporate devices. My NAT overload is not working as I am not seeing any NAT translations and users have no internet. If I put the internet access VLANs in the same VRF as the outside interface, it works. Any ideas?
See config below.
vrf definition IWAN-INTERNET
!
address-family ipv4
exit-address-family
!
vrf definition GUEST
!
address-family ipv4
exit-address-family
!
vrf definition BYOD
!
address-family ipv4
exit-address-family
!
ip dhcp pool GUEST
vrf GUEST
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool BYOD
vrf BYOD
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
!
ip nat inside source list 100 interface GigabitEthernet0/0/2 vrf GUEST overload
!
ip nat inside source list 100 interface GigabitEthernet0/0/2 vrf BYOD overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
int gig 0/0/1.300
vrf forwarding BYOD
encapsulation dot1q 300
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
int gig 0/0/1.301
vrf forwarding GUEST
encapsulation dot1q 301
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
vrf forwarding IWAN-INTERNET
ip address <public ip>
ip nat outside
ip access-group IWAN-INTERNET-IN in
negotiation auto
ntp disable
ip virtual-reassembly
!
05-02-2017 01:24 PM
05-02-2017 01:55 PM
Thanks for the quick response. Following that guide, I now have:
vrf definition BYOD
rd 65000:300
route-target export 65000:300
route-target import 65000:2
!
address-family ipv4
exit-address-family
!
vrf definition GUEST
rd 65000:301
route-target export 65000:301
route-target import 65000:2
!
address-family ipv4
exit-address-family
!
vrf definition IWAN-INTERNET
rd 65000:2
route-target export 65000:2
route-target import 65000:300
route-target import 65000:301
!
address-family ipv4
exit-address-family
!
However, my routing tables don't show the shared routes:
RICRAN2115-4331#sh ip route vrf IWAN-INTERNET
Routing Table: IWAN-INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 98.174.xx.xxx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 98.174.81.193
98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 98.174.xx.xxx/27 is directly connected, GigabitEthernet0/0/2
L 98.174.xx.xxx/32 is directly connected, GigabitEthernet0/0/2
05-11-2017 12:23 PM
Hello.
Just FYI - inter-VRF NAT is not supported with legacy (ip nat inside/outside) configuration. And for inter-VRF communication/NAT you may need to use VASI.
PS: even though it may work and was part of the DIA design guide (Mar 2015), TAC would most probably decline support.
05-11-2017 01:13 PM
You must start BGP on the router
05-02-2017 01:54 PM
Can you add the statement below for vrf GUEST and test?
ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 <provider side ip>
HTH
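A quick sanity check for the kind of configuration in this thread, added here as an example and not code from the thread or from Cisco: it parses a constructed IOS-style snippet (the 198.51.100.1 next hop is a placeholder) and flags the two conditions discussed above, an inside VRF with no default route toward the outside interface, and an outside interface that lives in a different VRF than the NAT rule it serves.

```python
import re
# Constructed sample modelled on the thread's config (not the poster's full config); 198.51.100.1 is a placeholder
SAMPLE_CONFIG = """
ip nat inside source list 100 interface GigabitEthernet0/0/2 vrf GUEST overload
ip nat inside source list 100 interface GigabitEthernet0/0/2 vrf BYOD overload
interface GigabitEthernet0/0/1.300
 vrf forwarding BYOD
 ip nat inside
interface GigabitEthernet0/0/1.301
 vrf forwarding GUEST
 ip nat inside
interface GigabitEthernet0/0/2
 vrf forwarding IWAN-INTERNET
 ip nat outside
ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 198.51.100.1
"""
NAT_RE = re.compile(r"^ip nat inside source list \S+ interface (\S+) vrf (\S+) overload", re.M)
ROUTE_RE = re.compile(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0\b", re.M)

def parse_interfaces(config):
    # Map interface name -> {'vrf': name or None, 'nat': 'inside' | 'outside' | None}
    ifaces, cur = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":                      # start of an interface block
            cur = ifaces.setdefault(tok[1], {"vrf": None, "nat": None})
        elif line.startswith(" ") and cur is not None:  # indented sub-command
            if tok[:2] == ["vrf", "forwarding"]:
                cur["vrf"] = tok[2]
            elif tok[:2] == ["ip", "nat"]:
                cur["nat"] = tok[2]
        else:                                          # any other global line ends the block
            cur = None
    return ifaces

def check_vrf_nat(config):
    # One finding per condition that leaves a VRF-scoped overload rule with no translations
    ifaces = parse_interfaces(config)
    vrfs_with_default = set(ROUTE_RE.findall(config))
    findings = []
    for out_if, vrf in NAT_RE.findall(config):
        if not any(i["vrf"] == vrf and i["nat"] == "inside" for i in ifaces.values()):
            findings.append(f"{vrf}: no 'ip nat inside' interface belongs to this VRF")
        if vrf not in vrfs_with_default:
            findings.append(f"{vrf}: no default route, so traffic never reaches {out_if}")
        out_vrf = ifaces.get(out_if, {}).get("vrf")
        if out_vrf != vrf:                             # the inter-VRF case the thread warns about
            findings.append(f"{vrf}: outside interface {out_if} sits in VRF {out_vrf} (inter-VRF NAT)")
    return findings
```

Run against the sample it reports that BYOD still lacks a default route and that both rules cross a VRF boundary, which is exactly the combination the thread ends up discussing.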