Inter-VRF-Lite routing (6/7)


Customer VRFs & Common service VRF + Dynamic NAT NVI

– R1 separates the customers' traffic and the common site traffic into different routing instances: “vhost4”, “vhost5” and “vhost7”.

– Both customers use overlapping address schemes and communicate ONLY with the common site, using Dynamic NAT NVI.

Picture 2-2-1: topology


R1 Configuration:

Interface configuration

Inter-VRF communication depends ONLY on the NAT NVI configuration and on static inter-VRF routes; no routing protocol is needed between the VRFs.

ip vrf vhost4
 rd 400:400
 route-target export 400:400
 route-target import 400:400
!
ip vrf vhost5
 rd 500:500
 route-target export 500:500
 route-target import 500:500
!
ip vrf vhost7
 rd 700:700
 route-target export 700:700
 route-target import 700:700

NVI translation: there are NO inside/outside NAT domains, NAT is simply enabled on each interface with “ip nat enable”

interface Serial1/0.104 point-to-point
 ip vrf forwarding vhost4
 ip address 155.1.0.14 255.255.255.0
 ip nat enable
!
interface Serial1/0.105 point-to-point
 ip vrf forwarding vhost5
 ip address 155.1.0.15 255.255.255.0
 ip nat enable
!
interface FastEthernet2/0
 ip vrf forwarding vhost7
 ip address 172.1.1.1 255.255.255.0
 ip nat enable

Routing:

With NAT NVI, routing is always performed before translation, so R1 needs to know where to route the traffic before any NAT rule is applied. (Picture 2-2-1a)

Picture 2-2-1a: order of operations with NAT NVI


Routes for the returning traffic to the customers' overlapping prefix 10.0.0.0/24, one per customer VRF:

ip route vrf vhost4 10.0.0.0 255.255.255.0 155.1.0.4
ip route vrf vhost5 10.0.0.0 255.255.255.0 155.1.0.5

Routes to the common service prefix (the translated address 20.0.0.7), pointing out of the vhost7 interface:

ip route vrf vhost4 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7
ip route vrf vhost5 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

The common VRF must also have a route to the “customer overlapping prefixes”, pointing towards each customer interface; the NAT entries then redirect the traffic to the corresponding VRF (the second route originally pointed to Serial1/0.104 with next hop 155.1.0.5, corrected here to Serial1/0.105):

ip route vrf vhost7 10.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5
ip route vrf vhost7 10.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

A single NAT pool turns the customers' overlapping prefixes into unique, separate addresses reachable from the common service resources (the “add-route” keyword installs the route for the pool addresses towards the NVI):

ip nat pool MyPOOL 155.1.0.100 155.1.0.128 prefix-length 24 add-route

Separate dynamic NAT NVI translation rules for the traffic entering each customer VRF:

Caveat: because NAT NVI has no concept of an inside/outside domain, we use “ip nat source…”, NOT “ip nat inside source…”

ip nat source list CustomerP pool MyPOOL vrf vhost4 overload
ip nat source list CustomerP pool MyPOOL vrf vhost5 overload

The common service host 172.1.1.7 is seen from the customer networks as 20.0.0.7, through a static NVI translation:

ip nat source static 172.1.1.7 20.0.0.7 vrf vhost7

Traffic that triggers the dynamic NAT NVI translation (the access list must carry the same name, CustomerP, that the “ip nat source list” commands reference):

ip access-list extended CustomerP
 permit ip 10.0.0.0 0.0.0.255 any
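To make the order of operations concrete, here is an added Python model of R1's behaviour as described above; it is not IOS code and not from the original post. It shows that the route lookup in the ingress VRF happens before translation, that the NVI translation table is keyed per VRF so the two overlapping 10.0.0.1 hosts get distinct pool entries, and that the reply is mapped back to the right customer VRF. The pool route via the NVI and the port allocation scheme are assumed simplifications.

```python
import ipaddress

# Constructed, simplified model of R1's NAT NVI setup from this page (not IOS).
VRF_ROUTES = {  # vrf -> [(prefix, where the next hop lives)]
    "vhost4": [("10.0.0.0/24", "vhost4"), ("20.0.0.7/32", "vhost7")],
    "vhost5": [("10.0.0.0/24", "vhost5"), ("20.0.0.7/32", "vhost7")],
    "vhost7": [("172.1.1.0/24", "vhost7"), ("155.1.0.0/24", "NVI")],  # add-route (assumed)
}
STATIC_NVI = {"20.0.0.7": "172.1.1.7"}            # ip nat source static 172.1.1.7 20.0.0.7 vrf vhost7
CUSTOMER_P = ipaddress.ip_network("10.0.0.0/24")  # access-list CustomerP
POOL_IP = "155.1.0.100"                            # first MyPOOL address; overload reuses it with new ports

class Nvi:
    def __init__(self):
        self.table = {}    # (src_vrf, src_ip, src_port) -> (pool_ip, pool_port)
        self.reverse = {}  # (pool_ip, pool_port) -> (src_vrf, src_ip, src_port)
        self.port = 1024   # assumed port allocation, not the IOS algorithm

    def route(self, vrf, dst):
        """Longest-prefix match inside one VRF; returns where the next hop lives, or None."""
        hits = [(ipaddress.ip_network(p), v) for p, v in VRF_ROUTES[vrf]
                if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def forward(self, vrf, src, sport, dst):
        """Customer -> common site: routing first, then source (pool) and destination (static) translation."""
        dst_vrf = self.route(vrf, dst)
        if dst_vrf is None:
            raise LookupError(f"no route to {dst} in {vrf}: NVI never translates an unroutable packet")
        key = (vrf, src, sport)
        if key not in self.table and ipaddress.ip_address(src) in CUSTOMER_P:
            self.table[key] = (POOL_IP, self.port)   # keyed per VRF: 10.0.0.1 in vhost4 != 10.0.0.1 in vhost5
            self.reverse[self.table[key]] = key
            self.port += 1
        new_src, new_sport = self.table.get(key, (src, sport))
        return dst_vrf, new_src, new_sport, STATIC_NVI.get(dst, dst)

    def reply(self, src, dst, dport):
        """Common site -> customer: the pool entry tells us which customer VRF owns the real 10.0.0.1."""
        if self.route("vhost7", dst) is None:
            raise LookupError(f"no route to {dst} in vhost7")
        vrf, real_dst, real_port = self.reverse[(dst, dport)]
        rev_static = {v: k for k, v in STATIC_NVI.items()}
        return vrf, rev_static.get(src, src), real_dst, real_port

def demo():
    nvi = Nvi()
    a = nvi.forward("vhost5", "10.0.0.1", 40000, "20.0.0.7")
    b = nvi.forward("vhost4", "10.0.0.1", 40000, "20.0.0.7")  # same address, other customer VRF
    back = nvi.reply("172.1.1.7", b[1], b[2])                  # reply to the vhost4 pool entry
    return a, b, back
```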

CustomerA (vhost5) to common site traffic testing

vhost#p vrf vhost5 20.0.0.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/70/172 ms
vhost#

Debugging on R1:

R1(config)#
*Mar 15 02:52:52.306: NAT: s=10.0.0.1, d=20.0.0.7->172.1.1.7 [185] s_vrf=> vhost5, d_vrf=> vhost7
*Mar 15 02:52:52.310: NAT-NVI: IP route found: s=10.0.0.1, d=172.1.1.7
*Mar 15 02:52:52.378: NAT: s=172.1.1.7->20.0.0.7, d=10.0.0.1 [185] s_vrf=> vhost7, d_vrf=> vhost5
*Mar 15 02:52:52.382: NAT-NVI: IP route found: s=20.0.0.7, d=10.0.0.1

Second customer (vhost4) to common site traffic testing

vhost#p vrf vhost4 20.0.0.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/89/204 ms
vhost#

Debugging on R1:

R1(config)#
*Mar 15 02:53:04.106: NAT: s=10.0.0.1, d=20.0.0.7->172.1.1.7 [190] s_vrf=> vhost4, d_vrf=> vhost7
*Mar 15 02:53:04.110: NAT-NVI: IP route found: s=10.0.0.1, d=172.1.1.7
*Mar 15 02:53:04.218: NAT: s=172.1.1.7->20.0.0.7, d=10.0.0.1 [190] s_vrf=> vhost7, d_vrf=> vhost4
*Mar 15 02:53:04.222: NAT-NVI: IP route found: s=20.0.0.7, d=10.0.0.1


Traceroute test

vhost#trace vrf vhost5 20.0.0.7
Type escape sequence to abort.
Tracing the route to 20.0.0.7
  1 10.0.0.5 56 msec 24 msec 4 msec
  2 155.1.0.15 52 msec 92 msec 24 msec
  3 20.0.0.7 104 msec * 148 msec
vhost#

vhost#trace vrf vhost4 20.0.0.7
Type escape sequence to abort.
Tracing the route to 20.0.0.7
  1 10.0.0.4 68 msec 20 msec 0 msec
  2 155.1.0.14 68 msec 16 msec 100 msec
  3 20.0.0.7 124 msec * 184 msec
vhost#

About ajnouri
If you wish to communicate securely outside the blog, here is my public (GPG) key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41CCDE1511DF0EB8
