nat between vrf

Unanswered Question
May 15th, 2007

Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.

I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.

The shared service is also in a VRF.

I use route-target import and export to import routes between VRFs. I've seen NAT working between a VRF and global routing, but not between different VRFs that are already able to communicate.

This is my configuration:

ip vrf proxy
 rd 500:500
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
!
ip vrf upa
 rd 300:300
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
!
ip vrf upa-tv
 rd 1000:1000
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description interfacccia outside per ip pubblico ipsec
 encapsulation dot1Q 500
 ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 320
 ip vrf forwarding upa-tv
 ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 description connessa a 6500
 ip address 80.x.x.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.2 remote-as 65000
 no auto-summary
 !
 address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf upa-tv
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf upa
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
 exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

As you can see, I export routes from VRF upa and upa-tv as RT 401:401 and import them into the proxy VRF, and in the same way I export routes from the proxy VRF as RT 501:501 and import them into upa and upa-tv.

Network 10.4.1.0/24 exists in both VRF upa and upa-tv. So I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from a VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT commands:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip address 172.31.50.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy

I also tried with

ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

but it didn't work...

Any suggestions?

Any help will be appreciated.

Max

Massimiliano Tognon Wed, 05/16/2007 - 00:06

As you can see in my configuration, route leaking is already configured (redistribute connected is always in place) for VRF upa and proxy, which are the VRFs involved in NAT. I can't redistribute/import network 10.4.1.0/24 into VRF proxy from VRF upa, because it overlaps with VRF upa-tv.

mounir.mohamed Wed, 05/16/2007 - 00:14

I'm not sure whether route leaking works between VRFs or not, but let me check and get back to you.

mohammedmahmoud Wed, 05/16/2007 - 00:31

Hi,

AFAIK, since release 12.2(13)T, NAT configured with MPLS on the MPLS (PE) device includes the VRF Table ID as part of the NAT translation entry. The VRF Table ID allows NAT to differentiate between overlapped IP addresses, which are common with an MPLS VPN design. NAT performs translation as it normally does. Phase 1 does not support VRF to VRF in the same PE in this initial release.

VRF to VRF in the same PE is targeted for Release 12.3(6)T.

To solve your issue, please check this, "NAT Virtual Interface":

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041d91a.html

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Massimiliano Tognon Wed, 05/23/2007 - 00:00

Hi Mohammed, now all works well.

I understand my error: basically, when I tried to ping, I pinged a router in my own VRF, because I imported the network, so the packet didn't cross the interfaces and NAT was not in place. Now I have tried static host and network NAT and dynamic NAT, and all works well.

Here is a complete working configuration:

ip vrf proxy
 rd 500:500
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
!
ip vrf upa
 rd 300:300
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
!
ip vrf upa-tv
 rd 1000:1000
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description interfacccia outside per ip pubblico ipsec
 encapsulation dot1Q 500
 ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip nat outside
 ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 320
 ip vrf forwarding upa-tv
 ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 description connessa a 6500
 ip address 80.x.x.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.2 remote-as 65000
 no auto-summary
 !
 address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf upa-tv
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf upa
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
 exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

Many thanks for the help; now all works well and I understand the way to configure it.
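An added example, not part of the thread and not Cisco code: a simplified Python model of the two points made in the posts above, that the static NAT entry is matched on VRF plus address, and that a packet which never crosses from a NAT inside interface to a NAT outside interface is left untranslated. The sample config is trimmed from the working configuration; the subinterface name GigabitEthernet0/0.30 and the `ip nat inside` line on upa-tv are assumptions made for the demonstration.

```python
import re

# Constructed sample, trimmed from the working configuration in the thread.
# Assumed for the demo: the name GigabitEthernet0/0.30 and "ip nat inside" on upa-tv.
CONFIG = """\
interface GigabitEthernet0/0.10
 ip vrf forwarding upa
 ip nat inside
!
interface GigabitEthernet0/0.20
 ip vrf forwarding proxy
 ip nat outside
!
interface GigabitEthernet0/0.30
 ip vrf forwarding upa-tv
 ip nat inside
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
"""

def parse(config):
    """Return ({interface: {vrf, nat}}, {(vrf, inside_local): inside_global})."""
    ifaces, rules, cur = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"vrf": None, "nat": None})
        elif m := re.match(r" ip vrf forwarding (\S+)", line):
            cur["vrf"] = m[1]
        elif m := re.match(r" ip nat (inside|outside)$", line):
            cur["nat"] = m[1]
        elif m := re.match(r"ip nat inside source static (\S+) (\S+) vrf (\S+)", line):
            rules[(m[3], m[1])] = m[2]
    return ifaces, rules

def translate_source(config, in_if, out_if, src):
    """Source address after NAT for a packet entering in_if and leaving out_if."""
    ifaces, rules = parse(config)
    crosses = ifaces[in_if]["nat"] == "inside" and ifaces[out_if]["nat"] == "outside"
    if not crosses:
        return src  # never passes inside -> outside, so no translation happens
    # The lookup key includes the ingress VRF, not just the address.
    return rules.get((ifaces[in_if]["vrf"], src), src)
```

Calling `translate_source` with the upa and proxy subinterfaces returns the translated address for 10.4.1.12, while the same source address arriving from upa-tv, or a packet that stays inside upa, comes back unchanged.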

ar Wed, 11/02/2011 - 18:37

Hi. Do we have docs here for inter-VRF NAT on a PE for 7200/7600?