Inter-VRF-Lite routing (5/7)


Customer VRFs & Common service global RIB + Traditional NAT

– R1 separates Customer A and Customer B traffic into two routing instances, VRF “vhost5” and VRF “vhost4”, and keeps the common site in the global routing table.

– Both customers use overlapping address space (10.0.0.0/24) and reach the common site through traditional dynamic NAT (with overload).

– YOU CANNOT ROUTE between inside VRFs using traditional NAT: it only translates between an inside and an outside domain, never between two inside domains (picture 2-1-1a).

Picture 2-1-1: topology


Picture 2-1-1a: traffic flow with traditional NAT


R1 Configuration

Inter-VRF-lite communication here doesn’t depend on RT policy; the route-target statements below are only part of the VRF definition and play no role in the traffic flow.

! — VRFs

ip vrf vhost4

rd 400:400

route-target export 400:400

route-target import 400:400

!

ip vrf vhost5

rd 500:500

route-target export 500:500

route-target import 500:500

! — R1 Interfaces

interface Serial1/0

no ip address

encapsulation frame-relay

!

interface Serial1/0.104 point-to-point

ip vrf forwarding vhost4

ip address 155.1.0.14 255.255.255.0

ip nat inside

frame-relay interface-dlci 104

!

interface Serial1/0.105 point-to-point

ip vrf forwarding vhost5

ip address 155.1.0.15 255.255.255.0

ip nat inside

frame-relay interface-dlci 105

!

interface FastEthernet2/0

ip address 172.1.1.1 255.255.255.0

ip nat outside

Routing

vrf “vhost5”

Note:

The key concept with NAT is the order of operations (routing versus translation) when traffic arrives on a NAT interface.

Routing means prefix reachability, so if the virtual prefixes, outside-local (outside prefixes as seen from inside) and inside-global (inside prefixes as seen from outside), don’t belong to attached subnets ==> YOU NEED TO PROVIDE STATIC ROUTING so that the router knows where to forward the traffic.

Traffic arriving on the outside interface is translated first and routed afterwards, so the route lookup is done on the inside-local prefix 10.0.0.0/24. A static route to that prefix is needed because it is not directly connected (picture 2-2-1b):

ip route vrf vhost5 10.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

Picture 2-2-1b: order of operations with traditional NAT

Traffic arriving on the inside domain interface is routed first and translated afterwards, so the route lookup is done on the outside-local prefix 20.0.0.7, before it is rewritten. A static route to that prefix pointing at the outside interface is needed because it doesn’t belong to any attached subnet (picture 2-2-1b):

ip route vrf vhost5 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

vrf “vhost4”

The same two static routes are needed for vrf “vhost4”:

ip route vrf vhost4 10.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

ip route vrf vhost4 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

Global instance

The global instance needs to know that the outside-local prefix 20.0.0.7 is reachable through the outside interface:

ip route 20.0.0.7 255.255.255.255 FastEthernet2/0

But how does the global RIB tell the two customers apart when their prefixes overlap?

=> It doesn’t have to. The global instance needs no additional static routes to the overlapping customer prefix 10.0.0.0/24, because traffic arriving on the outside NAT domain is translated first and only then routed.

The dynamic NAT entry created for each customer is bound to its VRF (inside global 155.1.0.55 belongs to vhost5, 155.1.0.44 to vhost4), so the reverse translation hands the packet to the right VRF, where the static route to 10.0.0.0/24 takes over.
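The two order-of-operations notes above (inside: route then translate; outside: translate then route) and the question of how the global RIB copes with overlapping prefixes are easiest to see in a small model. The following is an added example, not code from the original post: a Python model of R1’s three RIBs, its inside/outside NAT rules and the forwarding order IOS applies, with the static routes from the configuration above. Interface names, prefixes, pools and the ACL are taken from the page; the `forward` function and its bookkeeping are assumptions made for the model, not IOS internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interfaces on R1 as configured above: name -> (routing table, NAT domain, connected prefix).
IFACES = {
    "Serial1/0.104":   ("vhost4", "inside",  "155.1.0.0/24"),
    "Serial1/0.105":   ("vhost5", "inside",  "155.1.0.0/24"),
    "FastEthernet2/0": ("global", "outside", "172.1.1.0/24"),
}

# RIBs: connected routes plus the static routes discussed above (prefix -> egress interface).
RIBS = {
    "vhost4": {"155.1.0.0/24": "Serial1/0.104", "10.0.0.0/24": "Serial1/0.104",
               "20.0.0.7/32": "FastEthernet2/0"},
    "vhost5": {"155.1.0.0/24": "Serial1/0.105", "10.0.0.0/24": "Serial1/0.105",
               "20.0.0.7/32": "FastEthernet2/0"},
    "global": {"172.1.1.0/24": "FastEthernet2/0", "20.0.0.7/32": "FastEthernet2/0"},
}

# NAT: one inside-source pool per VRF (POOL4 / POOL5), the outside static entry,
# and the single host that access-list CustomerP permits as destination.
INSIDE_POOLS = {"vhost4": "155.1.0.44", "vhost5": "155.1.0.55"}
OUTSIDE_STATIC = ("172.1.1.7", "20.0.0.7")   # (outside global, outside local)
NAT_TRIGGER = "20.0.0.7"


def lookup(rib, dst):
    """Longest-prefix match in one RIB; None when the destination is unreachable."""
    addr = ip_address(dst)
    hits = [ip_network(p) for p in rib if addr in ip_network(p)]
    return rib[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


@dataclass
class Result:
    ok: bool
    reason: str
    vrf: Optional[str] = None        # table the packet ends up in
    out_iface: Optional[str] = None
    src: Optional[str] = None        # addresses as they leave R1
    dst: Optional[str] = None


def forward(ribs, in_iface, src, dst, translations):
    """Apply the traditional-NAT order of operations to one packet.

    translations: dynamic table, inside global -> (inside local, VRF); a model
    of the entries shown by 'show ip nat translations'."""
    vrf, domain, _ = IFACES[in_iface]
    if domain == "inside":
        # Inside -> outside: ROUTE first, in the ingress VRF, on the untranslated destination.
        out = lookup(ribs[vrf], dst)
        if out is None:
            return Result(False, f"no route to {dst} in vrf {vrf}", vrf)
        if IFACES[out][1] != "outside":
            # Egress is another inside interface: traditional NAT never fires.
            return Result(True, "routed inside, not translated", vrf, out, src, dst)
        if dst != NAT_TRIGGER:
            return Result(True, "ACL CustomerP no match, sent untranslated", "global", out, src, dst)
        new_src = INSIDE_POOLS[vrf]                     # inside local -> inside global
        translations[new_src] = (src, vrf)              # entry remembers the VRF
        new_dst = OUTSIDE_STATIC[0] if dst == OUTSIDE_STATIC[1] else dst   # outside local -> global
        return Result(True, "routed then translated", "global", out, new_src, new_dst)

    # Outside -> inside: TRANSLATE first, then route in whatever table the entry names.
    new_src = OUTSIDE_STATIC[1] if src == OUTSIDE_STATIC[0] else src
    new_dst = dst
    if dst in translations:
        new_dst, vrf = translations[dst]                # inside global -> inside local + VRF
    out = lookup(ribs[vrf], new_dst)
    if out is None:
        return Result(False, f"translated to {new_dst} but no route in {vrf}", vrf)
    return Result(True, "translated then routed", vrf, out, new_src, new_dst)


def demo():
    """Echo request and reply for each customer, sharing one translation table."""
    t = {}
    req5 = forward(RIBS, "Serial1/0.105", "10.0.0.1", "20.0.0.7", t)
    rep5 = forward(RIBS, "FastEthernet2/0", "172.1.1.7", "155.1.0.55", t)
    req4 = forward(RIBS, "Serial1/0.104", "10.0.0.1", "20.0.0.7", t)
    rep4 = forward(RIBS, "FastEthernet2/0", "172.1.1.7", "155.1.0.44", t)
    return req5, rep5, req4, rep4


def without_route(vrf, prefix, in_iface, src, dst, translations):
    """Replay one packet with a single static route removed from a VRF."""
    ribs = {k: dict(v) for k, v in RIBS.items()}
    del ribs[vrf][prefix]
    return forward(ribs, in_iface, src, dst, translations)


if __name__ == "__main__":
    for r in demo():
        print(r)
    print(without_route("vhost5", "20.0.0.7/32", "Serial1/0.105", "10.0.0.1", "20.0.0.7", {}))
```

Running it shows both replies to the identical inside-local 10.0.0.1 landing in different VRFs purely because of the inside-global address they were sent to; deleting `20.0.0.7/32` from vhost5 drops the request before NAT ever runs, and deleting `10.0.0.0/24` drops the reply after it has been translated.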

NAT (Dynamic NAT + overload)

ip nat pool POOL4 155.1.0.44 155.1.0.44 prefix-length 24

ip nat pool POOL5 155.1.0.55 155.1.0.55 prefix-length 24

Traditional NAT relies on the concept of inside and outside domains, so to avoid confusing traditional NAT with NAT NVI commands, ask yourself:

Which domain is hidden (inside/outside)? ==> Inside

What prefix will trigger the translation? ==> Source

ip nat inside source list CustomerP pool POOL4 vrf vhost4 overload

ip nat inside source list CustomerP pool POOL5 vrf vhost5 overload

Outside translation is configured in the global routing instance (no vrf keyword), since the outside interface belongs to the global table:

Which domain is hidden (inside/outside)? ==> outside

What prefix will trigger the translation? ==> source

ip nat outside source static 172.1.1.7 20.0.0.7

!

ip access-list extended CustomerP

permit ip any host 20.0.0.7

ping test

vhost#p vrf vhost5 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/99/196 ms

vhost#

vhost#p vrf vhost4 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/102/196 ms

vhost#

Dynamic Translations on R1

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                20.0.0.7           172.1.1.7
icmp 155.1.0.55:7       10.0.0.1:7         20.0.0.7:7         172.1.1.7:7
icmp 155.1.0.44:6       10.0.0.1:6         20.0.0.7:6         172.1.1.7:6
R1#

NAT debug

R1(config)#

*Mar 14 05:32:41.211: %IPNAT-6-CREATED: icmp 10.0.0.1:4 155.1.0.55:4 20.0.0.7:4 172.1.1.7:4

*Mar 14 05:32:41.215: NAT: s=10.0.0.1->155.1.0.55, d=20.0.0.7 [20]

*Mar 14 05:32:41.219: NAT: s=155.1.0.55, d=20.0.0.7->172.1.1.7 [20]

*Mar 14 05:32:41.299: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.55 [20]

*Mar 14 05:32:41.303: NAT: s=20.0.0.7, d=155.1.0.55->10.0.0.1 [20]

R1(config)#

R1(config)#

*Mar 14 05:33:13.443: %IPNAT-6-CREATED: icmp 10.0.0.1:5 155.1.0.44:5 20.0.0.7:5 172.1.1.7:5

*Mar 14 05:33:13.447: NAT: s=10.0.0.1->155.1.0.44, d=20.0.0.7 [25]

*Mar 14 05:33:13.451: NAT: s=155.1.0.44, d=20.0.0.7->172.1.1.7 [25]

*Mar 14 05:33:13.547: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.44 [25]

*Mar 14 05:33:13.551: NAT: s=20.0.0.7, d=155.1.0.44->10.0.0.1 [25]

R1(config)#
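The debug output above is the only place where the four-step sequence (source translated, then destination, then the two reverse rewrites on the reply) is visible, and the `%IPNAT-6-CREATED` lines are the only place where the inside-global address ties a translation back to a customer. As an added example, not part of the original post, the following Python script parses such a log, groups the per-packet `NAT:` lines by IP ID, reconstructs each created entry and attributes it to a VRF through the pool addresses configured above. The sample log is constructed from the lines on this page plus one made-up entry using 155.1.0.99, an address that belongs to no configured pool, to show the check firing; the function names and the `UNKNOWN` label are assumptions.

```python
import re
from collections import defaultdict

# Pool address -> VRF, from the 'ip nat pool' and 'ip nat inside source ... vrf' lines above.
POOL_TO_VRF = {"155.1.0.44": "vhost4", "155.1.0.55": "vhost5"}

# Constructed sample: the page's two translations, plus one entry that matches no pool.
SAMPLE_LOG = """
*Mar 14 05:32:41.211: %IPNAT-6-CREATED: icmp 10.0.0.1:4 155.1.0.55:4 20.0.0.7:4 172.1.1.7:4
*Mar 14 05:32:41.215: NAT: s=10.0.0.1->155.1.0.55, d=20.0.0.7 [20]
*Mar 14 05:32:41.219: NAT: s=155.1.0.55, d=20.0.0.7->172.1.1.7 [20]
*Mar 14 05:32:41.299: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.55 [20]
*Mar 14 05:32:41.303: NAT: s=20.0.0.7, d=155.1.0.55->10.0.0.1 [20]
*Mar 14 05:33:13.443: %IPNAT-6-CREATED: icmp 10.0.0.1:5 155.1.0.44:5 20.0.0.7:5 172.1.1.7:5
*Mar 14 05:33:13.447: NAT: s=10.0.0.1->155.1.0.44, d=20.0.0.7 [25]
*Mar 14 05:33:13.451: NAT: s=155.1.0.44, d=20.0.0.7->172.1.1.7 [25]
*Mar 14 05:33:13.547: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.44 [25]
*Mar 14 05:33:13.551: NAT: s=20.0.0.7, d=155.1.0.44->10.0.0.1 [25]
*Mar 14 05:34:00.001: %IPNAT-6-CREATED: icmp 10.0.0.1:6 155.1.0.99:6 20.0.0.7:6 172.1.1.7:6
"""

CREATED_RE = re.compile(
    r"%IPNAT-6-CREATED: (?P<proto>\w+) "
    r"(?P<inside_local>[\d.]+):(?P<il_port>\d+) (?P<inside_global>[\d.]+):(?P<ig_port>\d+) "
    r"(?P<outside_local>[\d.]+):(?P<ol_port>\d+) (?P<outside_global>[\d.]+):(?P<og_port>\d+)")
STEP_RE = re.compile(
    r"NAT: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]")

# Order seen on the page for one echo request/reply: inside source rewritten, outside
# destination rewritten, then the mirror image on the reply.
EXPECTED_ORDER = ["src", "dst", "src", "dst"]


def parse_created(line):
    """Return the created translation as a dict with its VRF, or None for other lines."""
    m = CREATED_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["vrf"] = POOL_TO_VRF.get(entry["inside_global"], "UNKNOWN")
    return entry


def parse_steps(lines):
    """Group NAT: rewrite lines by IP ID as (field rewritten, src after, dst after)."""
    flows = defaultdict(list)
    for line in lines:
        m = STEP_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        tag = "src" if g["s2"] else "dst" if g["d2"] else "none"
        flows[g["id"]].append((tag, g["s2"] or g["s"], g["d2"] or g["d"]))
    return dict(flows)


def check_order(flow):
    """True when a flow shows the full request/reply rewrite sequence."""
    return [tag for tag, _, _ in flow] == EXPECTED_ORDER


def audit(log_text):
    """Attribute every created entry to a VRF and flag inside-global addresses outside the pools."""
    lines = log_text.strip().splitlines()
    entries = [e for e in map(parse_created, lines) if e]
    anomalies = [e["inside_global"] for e in entries if e["vrf"] == "UNKNOWN"]
    return {"entries": entries, "flows": parse_steps(lines), "anomalies": anomalies}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for e in report["entries"]:
        print(e["vrf"], e["inside_local"], "->", e["inside_global"], "to", e["outside_global"])
    for ip_id, flow in report["flows"].items():
        print("id", ip_id, "complete" if check_order(flow) else "incomplete", flow)
    print("unexpected inside-global addresses:", report["anomalies"])
```

Because both customers share 10.0.0.1 as inside-local address, only the inside-global column distinguishes them; an inside-global address that maps to no configured pool is worth investigating, since nothing in the translation table itself says which VRF it belongs to.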

traceroute test

vhost#trace vrf vhost5 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.5 44 msec 56 msec 4 msec

2 155.1.0.15 44 msec 12 msec 16 msec

3 20.0.0.7 136 msec * 140 msec

vhost#

vhost#trace vrf vhost4 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.4 64 msec 20 msec 8 msec

2 155.1.0.14 64 msec 16 msec 16 msec

3 20.0.0.7 92 msec * 176 msec

vhost#


About ajnouri
If you wish to communicate securely outside the blog, here is my public (GPG) key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41CCDE1511DF0EB8

3 Responses to Inter-VRF-Lite routing (5/7)

  1. Pingback: Inter-VRF-Lite routing « CCIE, the beginning!

  2. djagga says:

    I love your tutorials!
