Inter-VRF-Lite routing


This post lays out the overall approach to inter-VRF routing with VRF-Lite across several deployment schemes, combining:

Network translation & address scheme

– Overlapping / non-overlapping customer prefixes

– Traditional NAT / NAT NVI

Deployment models:

– Customer VRFs and common site global routing instance

– Customer VRFs and a common site VRF

Access policy:

– Customers communicate ONLY with common site

– Customer-to-customer communications

Syllabus:

I) Non-overlapping customer prefixes

1) Customer VRFs and a global routing instance (customer-to-common site ONLY)

2) Customer VRFs and a common site VRF

2a) Customer-to-common service ONLY communication

2b) Customer-to-customer communication through the HUB site

2c) Direct any-to-any communication

II) Overlapping customer prefixes

1) Customer VRFs and a global routing instance with traditional NAT

2) Customer VRFs and a common site VRF with NAT NVI

All individual labs are mainly based on the below topology:

Picture0: General topology

– Routers “vhost5” & R5 belong to CustomerA

– Routers “vhost4” & R4 belong to CustomerB

– Access router R1 deploys one VRF per customer (locally significant VRF-Lite, without MPLS or MP-BGP)

– Router “vhost7” gateway to common services in a site accessible by both customers

Note:

End-hosts “vhost4”, “vhost5” and “vhost7” are deployed virtually inside a single physical router using VRF-Lite (locally significant, independent from the VRF-Lite deployed on R1).

For more detailed information about this technique, refer to the post “VRF-Lite as an alternative to VPC”.

Inter-VRF-Lite routing (1/7)


Customer VRFs & Global routing instance

– R1 separates customer traffic into VRFs “vhost4” and “vhost5”, and keeps common site traffic in the global routing instance.

– Customers (40.0.0.0/24 and 50.0.0.0/24) communicate ONLY with the common site.

Picture 1-1: topology

Inter-VRF communication relies on static routes whose outgoing interface belongs to another routing instance (with the global keyword when the next hop lives in the global table). No MP-BGP is involved, so the route-target statements below have no routing effect; the RD merely identifies the VRF. Customer isolation is nothing more than the absence of such a route: the customer VRFs below never receive a route to each other's prefix.

ip vrf vhost4

rd 400:400

route-target export 400:400

route-target import 400:400

!

ip vrf vhost5

rd 500:500

route-target export 500:500

route-target import 500:500

R1 configuration

interface Serial1/0.104 point-to-point


ip vrf forwarding vhost4

description VRF vhost4 sub-interface

ip address 155.1.0.14 255.255.255.0

frame-relay interface-dlci 104

!

interface Serial1/0.105 point-to-point

description VRF vhost5 sub-interface


ip vrf forwarding vhost5

ip address 155.1.0.15 255.255.255.0

frame-relay interface-dlci 105

!

interface FastEthernet2/0

description Interface belonging to global routing instance

ip address 172.1.1.1 255.255.255.0

Static inter-VRF routes (leaking the customer prefixes into the global RIB). Serial1/0.104 and Serial1/0.105 are point-to-point, so an interface-only static route is sufficient:

ip route 40.0.0.0 255.255.255.0 Serial1/0.104

ip route 50.0.0.0 255.255.255.0 Serial1/0.105

VRF vhost5

ip route vrf vhost5 50.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

Static inter-VRF route (leaking the common site host into the VRF RIB). The global keyword makes IOS resolve the next hop in the global table, and only a /32 for R7 is leaked, so the customer VRF holds no route toward the other customer:

ip route vrf vhost5 172.1.1.7 255.255.255.255 FastEthernet2/0 172.1.1.7 global

VRF vhost4

ip route vrf vhost4 40.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

Static inter-VRF route (leaking the common site host into the VRF RIB, again a /32 with the global keyword):

ip route vrf vhost4 172.1.1.7 255.255.255.255 FastEthernet2/0 172.1.1.7 global

Global routing table

R1#sh ip route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets

C 1.1.1.1 is directly connected, Loopback1

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 is directly connected, Serial1/0.105

172.1.0.0/24 is subnetted, 1 subnets

C 172.1.1.0 is directly connected, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 is directly connected, Serial1/0.104

R1#

VRF vhost4 RIB

R1#sh ip route vrf vhost4

Routing Table: vhost4

Gateway of last resort is not set

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.104

172.1.0.0/32 is subnetted, 1 subnets

S 172.1.1.7 [1/0] via 172.1.1.7, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4, Serial1/0.104

R1#

VRF vhost5 RIB

R1#sh ip route vrf vhost5

Routing Table: vhost5

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5, Serial1/0.105

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.105

172.1.0.0/32 is subnetted, 1 subnets

S 172.1.1.7 [1/0] via 172.1.1.7, FastEthernet2/0

R1#

Testing From Customer A

vhost#trace vrf vhost5 172.1.1.7

Type escape sequence to abort.

Tracing the route to 172.1.1.7

1 50.0.0.5 88 msec 16 msec 4 msec

2 155.1.0.15 56 msec 52 msec 20 msec

3 172.1.1.7 68 msec * 124 msec

vhost#

Testing From Customer B

vhost#trace vrf vhost4 172.1.1.7

Type escape sequence to abort.

Tracing the route to 172.1.1.7

1 40.0.0.4 68 msec 20 msec 48 msec

2 155.1.0.14 52 msec 28 msec 16 msec

3 172.1.1.7 60 msec * 132 msec

vhost#

Testing from Common site

vhost#trace vrf vhost7 50.0.0.1

Type escape sequence to abort.

Tracing the route to 50.0.0.1

1 172.1.1.1 80 msec 44 msec 4 msec

2 155.1.0.5 96 msec 36 msec 16 msec

3 50.0.0.1 40 msec * 108 msec

vhost#trace vrf vhost7 40.0.0.1

Type escape sequence to abort.

Tracing the route to 40.0.0.1

1 172.1.1.1 92 msec 64 msec 4 msec

2 155.1.0.4 96 msec 48 msec 12 msec

3 40.0.0.1 64 msec * 96 msec

vhost#


Inter-VRF-Lite routing (2/7)


Customer-to-Customer communication through HUB site

– R1 separates customer traffic into VRFs “vhost4” and “vhost5”.

– VRF “57” carries traffic from CustomerA toward the common site R7.

– VRF “47” carries traffic from CustomerB toward the common site R7.

– VRF “45” carries traffic from the common site toward both customers.

– Customers communicate with each other ONLY through the common site R7. R1 holds no route between the two customer VRFs, so R7 becomes the policy enforcement point: what it forwards (or filters on its per-customer sub-interfaces) defines what the customers can exchange.

To avoid confusion, R7 is a separate physical router here (unlike “vhost4” and “vhost5”, which are virtual).

Picture: 1-2


R1 Configuration

interface Serial1/0.104 point-to-point

ip vrf forwarding vhost4

ip address 155.1.0.14 255.255.255.0

frame-relay interface-dlci 104

!

interface Serial1/0.105 point-to-point

ip vrf forwarding vhost5

ip address 155.1.0.15 255.255.255.0

frame-relay interface-dlci 105

R1-R7 communication uses one dot1Q sub-interface per VRF, so R7 can tell from the VLAN which customer a packet came from:

interface FastEthernet2/0.45

encapsulation dot1Q 45

ip vrf forwarding 45

ip address 172.1.45.1 255.255.255.0

!

interface FastEthernet2/0.47

encapsulation dot1Q 47

ip vrf forwarding 47

ip address 172.1.47.1 255.255.255.0

!

interface FastEthernet2/0.57

encapsulation dot1Q 57

ip vrf forwarding 57

ip address 172.1.57.1 255.255.255.0

Inter-VRF communication relies on static routes whose outgoing interface belongs to another VRF; the routes below leave each customer VRF through the sub-interface of its dedicated hub-facing VRF, and VRF “45” back into the customer sub-interfaces.

VRF “vhost4”

ip route vrf vhost4 0.0.0.0 0.0.0.0 FastEthernet2/0.47 172.1.47.7

ip route vrf vhost4 40.0.0.0 255.255.255.0 155.1.0.4

VRF “vhost5”

ip route vrf vhost5 0.0.0.0 0.0.0.0 FastEthernet2/0.57 172.1.57.7

ip route vrf vhost5 50.0.0.0 255.255.255.0 155.1.0.5

VRF “47” receives traffic from VRF “vhost4” and forwards it to the HUB site:

ip route vrf 47 0.0.0.0 0.0.0.0 172.1.47.7

VRF “57” receives traffic from VRF “vhost5” and forwards it to the HUB site:

ip route vrf 57 0.0.0.0 0.0.0.0 172.1.57.7

For any traffic coming from the HUB site, customer prefixes 40.0.0.0/24 and 50.0.0.0/24 are reachable respectively through VRF “vhost4” and VRF “vhost5” outbound interfaces.

ip route vrf 45 40.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

ip route vrf 45 50.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

VRF routing tables on R1

R1#sh ip route vrf vhost4

Routing Table: vhost4

Gateway of last resort is 172.1.47.7 to network 0.0.0.0

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.104

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4

S* 0.0.0.0/0 [1/0] via 172.1.47.7, FastEthernet2/0.47

R1#

R1#sh ip route vrf 47

Routing Table: 47

Gateway of last resort is not set

172.1.0.0/24 is subnetted, 1 subnets

C 172.1.47.0 is directly connected, FastEthernet2/0.47

S 0.0.0.0/0 [1/0] via 172.1.47.7

R1#

Traffic coming from CustomerB is forwarded out of the VRF “47” sub-interface toward R7.

R1#sh ip route vrf vhost5

Routing Table: vhost5

Gateway of last resort is 172.1.57.7 to network 0.0.0.0

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.105

S* 0.0.0.0/0 [1/0] via 172.1.57.7, FastEthernet2/0.57

R1#

R1#sh ip route vrf 57

Routing Table: 57

Gateway of last resort is not set

172.1.0.0/24 is subnetted, 1 subnets

C 172.1.57.0 is directly connected, FastEthernet2/0.57

S 0.0.0.0/0 [1/0] via 172.1.57.7

R1#

Traffic coming from CustomerA is forwarded out of the VRF “57” sub-interface toward R7.

R1#sh ip route vrf 45

Routing Table: 45

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5, Serial1/0.105

172.1.0.0/24 is subnetted, 1 subnets

C 172.1.45.0 is directly connected, FastEthernet2/0.45

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4, Serial1/0.104

R1#

Traffic coming from HUB site R7 is forwarded to the appropriate VRF according to the destination

R7 (HUB site) Configuration

interface FastEthernet1/0.45


encapsulation dot1Q 45

ip address 172.1.45.7 255.255.255.0

!

interface FastEthernet1/0.47


encapsulation dot1Q 47

ip address 172.1.47.7 255.255.255.0

!

interface FastEthernet1/0.57


encapsulation dot1Q 57

ip address 172.1.57.7 255.255.255.0

Traffic from VRFs “vhost4” and “vhost5” on R1 converges on R7 and is sent back to R1 into VRF “45”:

ip route 40.0.0.0 255.255.255.0 172.1.45.1

ip route 50.0.0.0 255.255.255.0 172.1.45.1

R7#sh ip route

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 172.1.45.1

172.1.0.0/24 is subnetted, 3 subnets

C 172.1.45.0 is directly connected, FastEthernet1/0.45

C 172.1.47.0 is directly connected, FastEthernet1/0.47

C 172.1.57.0 is directly connected, FastEthernet1/0.57

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 172.1.45.1

R7#


CustomerB to CustomerA

vhost#trace vrf vhost4 50.0.0.1

Type escape sequence to abort.

Tracing the route to 50.0.0.1

1 40.0.0.4 56 msec 44 msec 4 msec

2 155.1.0.14 52 msec 24 msec 12 msec

3 172.1.47.7 48 msec 20 msec 24 msec

4 172.1.45.1 28 msec 92 msec 36 msec

5 155.1.0.5 76 msec 40 msec 40 msec

6 50.0.0.1 56 msec * 208 msec

vhost#

CustomerA to CustomerB

vhost#trace vrf vhost5 40.0.0.1

Type escape sequence to abort.

Tracing the route to 40.0.0.1

1 50.0.0.5 84 msec 60 msec 8 msec

2 155.1.0.15 52 msec 12 msec 20 msec

3 172.1.57.7 76 msec 32 msec 28 msec

4 172.1.45.1 20 msec 24 msec 28 msec

5 155.1.0.4 88 msec 80 msec 52 msec

6 40.0.0.1 72 msec * 140 msec

vhost#

Picture 1-2a illustrates how customer traffic switches from one VRF to another through router R7.

Picture 1-2a: traffic flow



Inter-VRF-Lite routing (3/7)


Customer-to-common service ONLY communication

– R1 separates customer and common site traffic into VRFs “vhost4”, “vhost5” and “vhost7”.

– Customers communicate ONLY with the common site.

Picture: 1-3


R1 configuration:

ip vrf vhost4

rd 400:400

route-target export 400:400

route-target import 400:400

ip vrf vhost5

rd 500:500

route-target export 500:500

route-target import 500:500

ip vrf vhost7

rd 700:700

route-target export 700:700

route-target import 700:700

Routing between VRFs

Inter-VRF communication relies on static routes whose outgoing interface belongs to another VRF. Only the common site prefix is leaked into each customer VRF and only the customer prefixes into “vhost7”, so there is no route between the two customer VRFs. Isolation here is a property of the routing tables, not of a filter: a default route in a customer VRF pointing at FastEthernet2/0 would let R7 hairpin the traffic back through “vhost7” to the other customer.

R1(config)#ip route vrf vhost4 172.1.1.0 255.255.255.0 fa2/0 172.1.1.7

R1(config)#ip route vrf vhost5 172.1.1.0 255.255.255.0 fa2/0 172.1.1.7

R1(config)#ip route vrf vhost7 50.0.0.0 255.255.255.0 s1/0.105 155.1.0.5

R1(config)#ip route vrf vhost7 40.0.0.0 255.255.255.0 s1/0.104 155.1.0.4

VRF vhost4 RIB

R1(config)#do sh ip route vrf vhost4

Gateway of last resort is not set

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.104

172.1.0.0/24 is subnetted, 1 subnets

S 172.1.1.0 [1/0] via 172.1.1.7, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4

R1(config)#

VRF vhost5 RIB

R1(config)#do sh ip route vrf vhost5

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.105

172.1.0.0/24 is subnetted, 1 subnets

S 172.1.1.0 [1/0] via 172.1.1.7, FastEthernet2/0

R1(config)#

VRF vhost7 RIB

R1(config)#do sh ip route vrf vhost7

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5, Serial1/0.105

172.1.0.0/24 is subnetted, 1 subnets

C 172.1.1.0 is directly connected, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4, Serial1/0.104

R1(config)#

Traceroute testing

As illustrated by picture 1-3a, customers can communicate ONLY with the common site. Pings to the other customer fail with ICMP host unreachable (!H) sent by R1's own sub-interface address (155.1.0.15 or 155.1.0.14): the packet enters the customer VRF, finds no route to the other customer's prefix and is dropped there.

Picture 1-3a: Customer-to-HUB only communication


CustomerB to Common site

vhost#trace vrf vhost4 172.1.1.7

Type escape sequence to abort.

Tracing the route to 172.1.1.7

1 40.0.0.4 52 msec 52 msec 0 msec

2 155.1.0.14 52 msec 40 msec 12 msec

3 172.1.1.7 32 msec * 100 msec

vhost#

CustomerA to Common site

vhost#trace vrf vhost5 172.1.1.7

Type escape sequence to abort.

Tracing the route to 172.1.1.7

1 50.0.0.5 72 msec 48 msec 4 msec

2 155.1.0.15 60 msec 20 msec 16 msec

3 172.1.1.7 32 msec * 116 msec

vhost#

CustomerA to CustomerB

vhost#p vrf vhost5 40.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 40.0.0.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

vhost#

vhost#trace vrf vhost5 40.0.0.1

Type escape sequence to abort.

Tracing the route to 40.0.0.1

1 50.0.0.5 80 msec 60 msec 4 msec

2 155.1.0.15 44 msec 24 msec 16 msec

3 155.1.0.15 !H * !H

vhost#

CustomerB to CustomerA

vhost#p vrf vhost4 50.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.0.0.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

vhost#trace vrf vhost4 50.0.0.1

Type escape sequence to abort.

Tracing the route to 50.0.0.1

1 40.0.0.4 76 msec 12 msec 4 msec

2 155.1.0.14 56 msec 48 msec 52 msec

3 155.1.0.14 !H * !H

vhost#


Inter-VRF-Lite routing (4/7)


Direct any-to-any communication

– R1 separates customer and common site traffic into VRFs “vhost4”, “vhost5” and “vhost7” (picture 1-3).

– All VRFs can communicate with each other.

R1 Configuration

It is enough to add, in each customer VRF, a static route to the other customer's prefix pointing at that customer's sub-interface and next hop to obtain any-to-any connectivity. The outgoing interface is what performs the VRF crossing: both customer sub-interfaces use 155.1.0.0/24, so a next-hop-only route such as 50.0.0.0/24 via 155.1.0.5 in “vhost4” would resolve through vhost4's own connected 155.1.0.0/24 and send the packets down DLCI 104 toward CustomerB's router instead.

VRF “vhost4”

ip route vrf vhost4 40.0.0.0 255.255.255.0 155.1.0.4

ip route vrf vhost4 50.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

ip route vrf vhost4 172.1.1.0 255.255.255.0 FastEthernet2/0 172.1.1.7

VRF “vhost5”

ip route vrf vhost5 40.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

ip route vrf vhost5 50.0.0.0 255.255.255.0 155.1.0.5

ip route vrf vhost5 172.1.1.0 255.255.255.0 FastEthernet2/0 172.1.1.7

VRF “vhost7”

ip route vrf vhost7 40.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

ip route vrf vhost7 50.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

VERIFICATION

VRF “vhost4” Routing table:

R1(config)#do sh ip route vrf vhost4

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5, Serial1/0.105

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.104

172.1.0.0/24 is subnetted, 1 subnets

S 172.1.1.0 [1/0] via 172.1.1.7, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4

R1(config)#

VRF “vhost5” Routing table:

R1(config)#do sh ip route vrf vhost5

Gateway of last resort is not set

50.0.0.0/24 is subnetted, 1 subnets

S 50.0.0.0 [1/0] via 155.1.0.5

155.1.0.0/24 is subnetted, 1 subnets

C 155.1.0.0 is directly connected, Serial1/0.105

172.1.0.0/24 is subnetted, 1 subnets

S 172.1.1.0 [1/0] via 172.1.1.7, FastEthernet2/0

40.0.0.0/24 is subnetted, 1 subnets

S 40.0.0.0 [1/0] via 155.1.0.4, Serial1/0.104

R1(config)#

As illustrated by picture 1-4, customers can now communicate directly with each other as well as with the common site; the traffic crosses from one VRF to the other on R1 without transiting R7.

Picture 1-4: direct any-to-any communication


CustomerB to CustomerA

vhost#trace vrf vhost4 50.0.0.5

Type escape sequence to abort.

Tracing the route to 50.0.0.5

1 40.0.0.4 88 msec 64 msec 4 msec

2 155.1.0.14 52 msec 24 msec 12 msec

3 155.1.0.5 56 msec * 120 msec

vhost#

CustomerA to CustomerB

vhost#trace vrf vhost5 40.0.0.4

Type escape sequence to abort.

Tracing the route to 40.0.0.4

1 50.0.0.5 56 msec 40 msec 8 msec

2 155.1.0.15 48 msec 16 msec 16 msec

3 155.1.0.4 84 msec * 120 msec

vhost#


Inter-VRF-Lite routing (5/7)


Customer VRFs & Common service global RIB + Traditional NAT

– R1 keeps CustomerA and CustomerB traffic in VRFs “vhost5” and “vhost4”, and common site traffic in the global instance.

– Both customers use the same address space (10.0.0.0/24) and reach the common site through traditional dynamic NAT, each customer translated to its own inside-global address.

– Traditional NAT only translates between its inside and outside domains; with both customers on the inside it CANNOT route between the two customer VRFs (picture 2-1-1a).

Picture 2-1-1: topology


Picture 2-1-1a: traffic flow with traditional NAT


R1 Configuration

Inter-VRF-Lite communication does not depend on route-target policy; without MP-BGP the RT statements have no effect.

! — VRFs

ip vrf vhost4

rd 400:400

route-target export 400:400

route-target import 400:400

!

ip vrf vhost5

rd 500:500

route-target export 500:500

route-target import 500:500

! — R1 Interfaces

interface Serial1/0

no ip address

encapsulation frame-relay

!

interface Serial1/0.104 point-to-point

ip vrf forwarding vhost4

ip address 155.1.0.14 255.255.255.0

ip nat inside

frame-relay interface-dlci 104

!

interface Serial1/0.105 point-to-point

ip vrf forwarding vhost5

ip address 155.1.0.15 255.255.255.0

ip nat inside

frame-relay interface-dlci 105

!

interface FastEthernet2/0

ip address 172.1.1.1 255.255.255.0

ip nat outside

Routing

vrf “vhost5”

Note:

The key concept with traditional NAT is the order of operations (routing vs. translation) on each NAT domain interface.

Routing means prefix reachability. If the virtual prefixes, the outside-local address (the outside host as seen from inside, here 20.0.0.7) and the inside-global addresses (the customers as seen from outside, here 155.1.0.44 and 155.1.0.55), are not on attached subnets, static routes must tell the router where to forward them.

Traffic arriving on the outside interface is translated first and then routed in the VRF recorded in the translation entry, so each customer VRF needs a route to the inside-local prefix 10.0.0.0/24, which is not directly connected (picture 2-2-1b):

ip route vrf vhost5 10.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

Picture 2-2-1b: order of operations with traditional NAT

Traffic arriving on an inside interface is routed first, hence the customer VRF also needs a host route to the outside-local address 20.0.0.7 pointing at the outside interface, since it belongs to no attached subnet (picture 2-2-1b):

ip route vrf vhost5 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

vrf “vhost4”

The same configuration as for VRF “vhost5”:

ip route vrf vhost4 10.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

ip route vrf vhost4 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

Global instance

The global instance needs to know that the outside-local address 20.0.0.7 is reachable through the outside interface:

ip route 20.0.0.7 255.255.255.255 FastEthernet2/0

But how does the global RIB tell the customers apart when their prefixes overlap?

=> It does not need to. The global instance needs no route to the overlapping 10.0.0.0/24: traffic entering the outside NAT domain is translated before it is routed, and the dynamic NAT entry (inside-global address plus port, created with the VRF named in the “ip nat inside source … vrf” statement) steers each packet into the right customer VRF.

The consequence is that only customer-initiated flows work: a packet from the common site with no matching entry is not translated, finds no route to 155.1.0.0/24 in the global table, and is dropped.

NAT (dynamic NAT with overload). Each customer gets its own single-address pool, so the common site sees CustomerB as 155.1.0.44 and CustomerA as 155.1.0.55, and the two overlapping 10.0.0.1 hosts stay distinguishable in server-side logs:

ip nat pool POOL4 155.1.0.44 155.1.0.44 prefix-length 24

ip nat pool POOL5 155.1.0.55 155.1.0.55 prefix-length 24

Traditional NAT relies on the concept of inside and outside domains, so, to avoid confusing traditional NAT with NAT NVI commands, ask yourself:

Which domain is hidden (inside/outside)? ==> Inside

What prefix will trigger the translation? ==> Source

ip nat inside source list CustomerP pool POOL4 vrf vhost4 overload

ip nat inside source list CustomerP pool POOL5 vrf vhost5 overload

The outside translation is configured in the global routing instance:

Which domain is hidden (inside/outside)? ==> outside

What prefix will trigger the translation? ==> source

ip nat outside source static 172.1.1.7 20.0.0.7

!

ip access-list extended CustomerP

permit ip any host 20.0.0.7

Only customer traffic destined to 20.0.0.7 matches CustomerP and is translated; any other destination has neither a translation nor a route out of the customer VRF.

Ping test

vhost#p vrf vhost5 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/99/196 ms

vhost#

vhost#p vrf vhost4 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/102/196 ms

vhost#

Dynamic translations on R1 (the two 10.0.0.1 entries map to different inside-global addresses; “show ip nat translations vrf vhost4” narrows the view to one customer):

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

— — — 20.0.0.7 172.1.1.7

icmp 155.1.0.55:7 10.0.0.1:7 20.0.0.7:7 172.1.1.7:7

icmp 155.1.0.44:6 10.0.0.1:6 20.0.0.7:6 172.1.1.7:6

R1#

NAT debug

R1(config)#

*Mar 14 05:32:41.211: %IPNAT-6-CREATED: icmp 10.0.0.1:4 155.1.0.55:4 20.0.0.7:4 172.1.1.7:4

*Mar 14 05:32:41.215: NAT: s=10.0.0.1->155.1.0.55, d=20.0.0.7 [20]

*Mar 14 05:32:41.219: NAT: s=155.1.0.55, d=20.0.0.7->172.1.1.7 [20]

*Mar 14 05:32:41.299: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.55 [20]

*Mar 14 05:32:41.303: NAT: s=20.0.0.7, d=155.1.0.55->10.0.0.1 [20]

R1(config)#

R1(config)#

*Mar 14 05:33:13.443: %IPNAT-6-CREATED: icmp 10.0.0.1:5 155.1.0.44:5 20.0.0.7:5 172.1.1.7:5

*Mar 14 05:33:13.447: NAT: s=10.0.0.1->155.1.0.44, d=20.0.0.7 [25]

*Mar 14 05:33:13.451: NAT: s=155.1.0.44, d=20.0.0.7->172.1.1.7 [25]

*Mar 14 05:33:13.547: NAT: s=172.1.1.7->20.0.0.7, d=155.1.0.44 [25]

*Mar 14 05:33:13.551: NAT: s=20.0.0.7, d=155.1.0.44->10.0.0.1 [25]

R1(config)#

traceroute test

vhost#trace vrf vhost5 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.5 44 msec 56 msec 4 msec

2 155.1.0.15 44 msec 12 msec 16 msec

3 20.0.0.7 136 msec * 140 msec

vhost#

vhost#trace vrf vhost4 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.4 64 msec 20 msec 8 msec

2 155.1.0.14 64 msec 16 msec 16 msec

3 20.0.0.7 92 msec * 176 msec

vhost#


Inter-VRF-Lite routing (6/7)


Customer VRFs & Common service VRF + Dynamic NAT NVI

– R1 separates customer and common site traffic into VRFs “vhost4”, “vhost5” and “vhost7”.

– Both customers use the same address space (10.0.0.0/24) and communicate ONLY with the common site, through dynamic NAT NVI.

Picture 2-2-1: topology


R1 Configuration:

Interface configuration

Inter-VRF communication depends ONLY on the NAT NVI configuration and static inter-VRF routing; route targets play no role here.

ip vrf vhost4

rd 400:400

route-target export 400:400

route-target import 400:400

!

ip vrf vhost5

rd 500:500

route-target export 500:500

route-target import 500:500

!

ip vrf vhost7

rd 700:700

route-target export 700:700

route-target import 700:700

NVI translation: no NAT domains, the interfaces are simply NAT-enabled

interface Serial1/0.104 point-to-point

ip vrf forwarding vhost4

ip address 155.1.0.14 255.255.255.0


ip nat enable

!

interface Serial1/0.105 point-to-point

ip vrf forwarding vhost5

ip address 155.1.0.15 255.255.255.0


ip nat enable

!

interface FastEthernet2/0

ip vrf forwarding vhost7

ip address 172.1.1.1 255.255.255.0


ip nat enable

Routing:

With NAT NVI, routing is always performed before translation, so R1 must already know where to forward the untranslated packet (picture 2-2-1a).

Picture 2-2-1a: order of operations with NAT NVI


Return routes toward the overlapping customer prefix 10.0.0.0/24, one in each customer VRF:

ip route vrf vhost4 10.0.0.0 255.255.255.0 155.1.0.4

ip route vrf vhost5 10.0.0.0 255.255.255.0 155.1.0.5

A route to the common service address in each customer VRF:

ip route vrf vhost4 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

ip route vrf vhost5 20.0.0.7 255.255.255.255 FastEthernet2/0 172.1.1.7

The common VRF must have a route to the overlapping customer prefix pointing at each customer's outbound interface; the NAT NVI entry, which records the source VRF (s_vrf in the debug output below), is what steers return traffic back into the right VRF:

ip route vrf vhost7 10.0.0.0 255.255.255.0 Serial1/0.105 155.1.0.5

ip route vrf vhost7 10.0.0.0 255.255.255.0 Serial1/0.104 155.1.0.4

Caveat: these are two equal static routes to the same prefix. A packet that the common site originates toward 10.0.0.x, for which no translation exists yet, matches both and can be delivered to either customer; only customer-initiated flows are unambiguous.

A single pool translates the overlapping customer prefixes into unique addresses reachable from the common service resources. Unlike part 5/7, both customers now share the same inside-global range, so the common site can no longer tell them apart by source address; only R1's translation table knows which VRF a flow belongs to.

ip nat pool MyPOOL 155.1.0.100 155.1.0.128 prefix-length 24 add-route

Separate dynamic NAT NVI rules for traffic entering each VRF; both reference the access list TCustomer defined below.

Caveat: because NAT NVI has no inside/outside domains, the command is “ip nat source …” and NOT “ip nat inside source …”.

ip nat source list TCustomer pool MyPOOL vrf vhost4 overload

ip nat source list TCustomer pool MyPOOL vrf vhost5 overload

The common service address is seen from the customer networks as 20.0.0.7:

ip nat source static 172.1.1.7 20.0.0.7 vrf vhost7

Traffic that triggers dynamic NAT NVI:

ip access-list extended TCustomer

permit ip 10.0.0.0 0.0.0.255 any
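To check the two orders of operations side by side, the model below replays the post's addressing (10.0.0.1 in both “vhost4” and “vhost5”, the common server 172.1.1.7 seen by customers as 20.0.0.7) through a small simulator of R1. It is an added example for parts 5/7 and 6/7, not IOS code and not the lab itself; the port numbers, the port allocator and the “unsolicited” flow from the common site are constructed for the example, and “common” stands for the global table in traditional mode and for VRF “vhost7” in NVI mode.

```python
"""Replay of R1's NAT order of operations with overlapping customer prefixes
(parts 5/7 and 6/7). Added example: not IOS code and not the lab itself."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    vrf: str    # VRF the packet is currently handled in
    src: str
    dst: str
    port: int   # L4 port / ICMP id, the key used by overload (constructed values)


OUTSIDE = "FastEthernet2/0"
# prefix -> egress interfaces, per VRF, as configured in the post. "common"
# stands for the global table (5/7) or VRF vhost7 (6/7); in 6/7 it holds two
# equal static routes to the overlapping 10.0.0.0/24, one per customer.
RIB = {
    "vhost4": {"10.0.0.0/24": ["Serial1/0.104"], "20.0.0.7/32": [OUTSIDE]},
    "vhost5": {"10.0.0.0/24": ["Serial1/0.105"], "20.0.0.7/32": [OUTSIDE]},
    "common": {"172.1.1.0/24": [OUTSIDE],
               "10.0.0.0/24": ["Serial1/0.104", "Serial1/0.105"]},
}
STATIC = {"20.0.0.7": "172.1.1.7"}      # common server: customer-facing -> real address
PER_VRF_POOL = {"vhost4": "155.1.0.44", "vhost5": "155.1.0.55"}   # 5/7 POOL4 / POOL5
SHARED_POOL = "155.1.0.100"                                        # 6/7 MyPOOL, first address


def lookup(vrf, dst):
    """Longest-prefix match in one VRF; returns the list of egress interfaces."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, ifs)
            for p, ifs in RIB[vrf].items() if ip in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else []


class Nat:
    def __init__(self, mode):
        self.mode = mode        # "traditional" (ip nat inside/outside) or "nvi" (ip nat enable)
        self.table = {}         # (global address, port) -> (vrf, local address)
        self.next_port = 1024   # constructed allocator for overload port collisions

    def from_customer(self, pkt):
        """Customer -> common site. Both modes route in the customer VRF first,
        so the /32 leak to 20.0.0.7 must exist or the packet is dropped (!H)."""
        if lookup(pkt.vrf, pkt.dst) != [OUTSIDE]:
            return None
        glob = PER_VRF_POOL[pkt.vrf] if self.mode == "traditional" else SHARED_POOL
        port = pkt.port
        while self.table.get((glob, port), (pkt.vrf, pkt.src)) != (pkt.vrf, pkt.src):
            port, self.next_port = self.next_port, self.next_port + 1   # overload: free port
        self.table[(glob, port)] = (pkt.vrf, pkt.src)   # entry remembers the source VRF
        return Pkt("common", glob, STATIC.get(pkt.dst, pkt.dst), port)

    def from_common(self, pkt):
        """Common site -> customer. Returns (egress interfaces, delivered packet)."""
        hit = self.table.get((pkt.dst, pkt.port))
        if hit is None and self.mode == "traditional":
            return [], None      # outside interface translates first; no entry, no global route
        if hit is None:
            return lookup("common", pkt.dst), pkt   # NVI routes first: unsolicited 10.0.0.x is ambiguous
        vrf, local = hit         # s_vrf / d_vrf in the NVI debug on the page
        return lookup(vrf, local), Pkt(vrf, "20.0.0.7", local, pkt.port)


if __name__ == "__main__":
    for mode in ("traditional", "nvi"):
        nat = Nat(mode)
        for vrf in ("vhost4", "vhost5"):
            out = nat.from_customer(Pkt(vrf, "10.0.0.1", "20.0.0.7", 7))
            print(mode, vrf, "->", out, "back via", nat.from_common(Pkt("common", "172.1.1.7", out.src, out.port))[0])
        print(mode, "unsolicited to 10.0.0.1 ->", nat.from_common(Pkt("common", "172.1.1.7", "10.0.0.1", 9))[0])
```

In traditional mode the two 10.0.0.1 hosts come out as 155.1.0.44 and 155.1.0.55, and a packet from the common site without a matching entry yields no egress interface at all. In NVI mode both customers share 155.1.0.100 and are told apart only by the overloaded port the entry recorded, and an unsolicited packet to 10.0.0.1 returns both customer sub-interfaces, which is exactly the ambiguity created by the two equal static routes in vhost7.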

CustomerA to common site traffic testing

vhost#p vrf vhost5 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/70/172 ms

vhost#

Debugging on R1:

R1(config)#

*Mar 15 02:52:52.306: NAT: s=10.0.0.1, d=20.0.0.7->172.1.1.7 [185] s_vrf=> vhost5, d_vrf=> vhost7

*Mar 15 02:52:52.310: NAT-NVI: IP route found: s=10.0.0.1, d=172.1.1.7

*Mar 15 02:52:52.378: NAT: s=172.1.1.7->20.0.0.7, d=10.0.0.1 [185] s_vrf=> vhost7, d_vrf=> vhost5

*Mar 15 02:52:52.382: NAT-NVI: IP route found: s=20.0.0.7, d=10.0.0.1

CustomerB to common site traffic testing

vhost#p vrf vhost4 20.0.0.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.7, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/89/204 ms

vhost#

Debugging on R1:

R1(config)#

*Mar 15 02:53:04.106: NAT: s=10.0.0.1, d=20.0.0.7->172.1.1.7 [190] s_vrf=> vhost4, d_vrf=> vhost7

*Mar 15 02:53:04.110: NAT-NVI: IP route found: s=10.0.0.1, d=172.1.1.7

*Mar 15 02:53:04.218: NAT: s=172.1.1.7->20.0.0.7, d=10.0.0.1 [190] s_vrf=> vhost7, d_vrf=> vhost4

*Mar 15 02:53:04.222: NAT-NVI: IP route found: s=20.0.0.7, d=10.0.0.1


traceroute test

vhost#trace vrf vhost5 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.5 56 msec 24 msec 4 msec

2 155.1.0.15 52 msec 92 msec 24 msec

3 20.0.0.7 104 msec * 148 msec

vhost#

vhost#trace vrf vhost4 20.0.0.7

Type escape sequence to abort.

Tracing the route to 20.0.0.7

1 10.0.0.4 68 msec 20 msec 0 msec

2 155.1.0.14 68 msec 16 msec 100 msec

3 20.0.0.7 124 msec * 184 msec

vhost#
