Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4514
Views
0
Helpful
25
Replies

Carrier-grade NAT (CGSE): ¿do I need VRF on inbound ServiceApp?

Go to solution
rogelioalvez
Level 1
Level 1

‎06-07-2012 04:04 PM

Hello team:

We are going to populate an Internet Cisco CRS router with a CGSE module in order to carry out NAT44.

According to the CGSE documentation (http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.2/cg_nat/configuration/guide/cgc42cgn.html) the inbound ServiceApp is associated to a VRF. ¿Is this always necessary?

In other words: ¿ Can I just put an IPv4 address to my inbound and outbound ServiceApps, and avoid configuring a VRF on them? Then, I should add the proper "global" static routing sentences to route incoming packets to the corresponding ServiceApp interfaces.

Your kind answers will be greatly appreciated

Best regards

Rogelio Alvez

Argentina

Labels:
0 Helpful
25 Replies 25

Go to solution
Nicolas Fevrier
Cisco Employee
Cisco Employee
In response to Adiyudha Aji

‎10-08-2012 10:46 PM

Hi Adiyudha,

in a general manner, consider these interfaces as SVI or "tunnels" to connect your router to the service blade.

When loaded with a CGN image, the ServiceInfra interface is used for the management of the card. It's mandatory to have it configured to be able to boot properly the card.

The ServiceApp interfaces are used to send traffic (to be NATed or CGv6ed for instance) to and from your router.

It's necessary to configure an IP address on the serviceApp interface, we configure the router side of the tunnel. All other addresses in the range will be considered to be part of the service card side.

So if you define serviceApp1 10.1.1.1/30, 10.1.1.2 will be answered by the CGN card automatically.

These serviceApps must be part of different VRFs (vrf-lite generally) or at least one in the Global routing table and another in a VRF, to avoid routing loops ----> because you'll have to use static routes to send your i2o traffic into the CGN card and to attract back your o2i traffic to guarantee a symetrical path (important in the case of stateful translation).

So, let's take an example if you define a map pool of 20.1.1.0/24 where the external addresses will be allocated to your translations.

You define serviceApp1 in VRF "Inside" with 1.1.1.1/30.

You define serviceApp2 in VRF "Outside" with 1.1.1.5/30.

You need to configure a default route in the VRF Inside pointing to serviceApp1 (or 1.1.1.2), it will send the traffic to the CGN card to be NATed.

And you need to configure a static route 20.1.1.0/24 to serviceApp2 (or 1.1.1.6) to attract the traffic in the o2i direction.

As you said, the serviceApp addresses are only significant locally to the router and don't need to be advertised to the outside, so they can be RFC1918.

Hope it clarifies a bit (not easy without diagrams to describe such principles).

Cheers,

N.

i2o = input to output

o2i = output to intput

0 Helpful

Go to solution
Adiyudha Aji
Level 1
Level 1
In response to Nicolas Fevrier

‎10-12-2012 02:05 AM

Hi Nicholas,

Thank you so much for the very helpful explanation.

have a nice weekend

-adiyudha

0 Helpful

Go to solution
cisco_lad2004
Level 5
Level 5
In response to Adiyudha Aji

‎10-17-2012 02:28 AM

Hi,

I am not sure this thread is still open. But in anycase, here is my question:

I am using an ISM card/ASR9K. Although I would prefer to use a global outisde interface, it seems that is a requirement to have at least 2 pairs of ServiceApps and 3 of them must be in a vrf.

So I can create one "dummy' pair of serviceApp and place in respective vrfs. Then add a production pair, where inside is rightfully in a vrf but outside on global ?

TIA

/Samir

0 Helpful

Go to solution
Nicolas Fevrier
Cisco Employee
Cisco Employee
In response to cisco_lad2004

‎10-23-2012 08:54 AM

Hi Samir,

starting from IOS XR 4.2.3 you can use a single outside VRF.

It doesn't remove the need for two pairs of serviceApp interfaces, but it reduces the number of necessary VRFs.

service cgn cgn1
service-location preferred-active 0/1/CPU0
service-type nat44 nat1
inside-vrf ivrf
    map outsideserviceapp serviceapp2 address-pool 150.10.0.0/24

That way you can "link" several inside-vrf to the global on the outside.

Cheers,

N.

0 Helpful

Go to solution
cisco_lad2004
Level 5
Level 5
In response to Nicolas Fevrier

‎10-23-2012 10:17 AM

Hi Nicolas,

This is awesome and will certainly simply the routing part.

with regards to the minum 2 pairs, can 2nd pair be a dormant or inactive one. i.e just configured to optomise ISM card use. Or does it have to be passing traffic ?

I guess my question is reflecting my lack of knowledge about the limitation and its reasons.

Many thanks

/Samir

0 Helpful

Go to solution
Nicolas Fevrier
Cisco Employee
Cisco Employee
In response to Nicolas Fevrier

‎10-23-2012 11:32 AM

Hi Samir,

the two pairs of ServiceApp interfaces should be configured to reach the full system capability.

You can NOT only configure both of them and simply use one.

It's necessary to use two static routes to spread traffic among them or to rely on ABF with carefully defined address ranges to balance traffic on each pair, based on the source addresses.

Cheers,

N.

0 Helpful

Go to solution
enrique.villa
Level 1
Level 1
In response to Nicolas Fevrier

‎01-15-2013 10:30 AM

Hello Nicolas,

We followed your advice on this thread to get a CGN up and running with a single vrf instance (IOS XR 4.2)

Everything seems to be ok but we are getting the following error:

asr#show cgn nat44 NAT444 statistics

Unable to obtain requested information Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'

asr#

We have configured the service infra interface and we have also reloaded the line card.

Plus, we don´t see this error in any guide. Could you please enlighten us?

Thank you in advance,

0 Helpful

Go to solution
Nicolas Fevrier
Cisco Employee
Cisco Employee
In response to enrique.villa

‎01-15-2013 10:34 AM

Hi Enrique,

I've seen this message usually when I mistyped the name of my NAT44 instance,

could you please share the "sh run service cgn *" config ?

Thanks,

N.

0 Helpful

Go to solution
cisco_lad2004
Level 5
Level 5
In response to enrique.villa

‎01-15-2013 10:43 AM

I have also seen similar issues, NAT stats would also hang.

Ensure you have added all recommnded SMUs.

HTH

Samir

0 Helpful

Go to solution
Adiyudha Aji
Level 1
Level 1
In response to cisco_lad2004

‎01-15-2013 03:26 PM

Hi Samir and enrique,

Just want to share, I also encountered this issue ('The instance has not yet been configured') back then, and possibly caused by typo of your nat44 instance.

Regarding the SMU, this is the active one installed on my box :

disk0:asr9k-px-4.2.1.CSCua76130-1.0.0

      disk0:asr9k-px-4.2.1.CSCua16764-1.0.0

      disk0:asr9k-px-4.2.1.CSCty83866-1.0.0

      disk0:asr9k-mini-px-4.2.1

      disk0:asr9k-services-p-px-4.2.1

      disk0:asr9k-mpls-px-4.2.1

      disk0:asr9k-px-4.2.1.CSCua14945-1.0.0

      disk0:asr9k-px-4.2.1.CSCub48041-1.0.0

      disk0:asr9k-px-4.2.1.CSCua09897-1.0.0

      disk0:asr9k-px-4.2.1.CSCua37747-1.0.0

      disk0:asr9k-px-4.2.1.CSCua28899-1.0.0

      disk0:asr9k-px-4.2.1.CSCub68512-1.0.0

      disk0:asr9k-px-4.2.1.CSCua12684-1.0.0

hth.

cheers,

Adiyudha

0 Helpful

Go to solution
Nicolas Fevrier
Cisco Employee
Cisco Employee
In response to Adiyudha Aji

‎01-16-2013 03:46 AM

Thread is continued here:

https://supportforums.cisco.com/message/3829382

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents