nat between vrf

Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.

I have an IP overlapping issue, so I'm trying to use NAT aware VRF.

The shared service is on a VRF also.

I use route-target import and export to import routes between VRFs. I've seen that NAT is working between a VRF and global routing, but not between different VRFs that are already able to communicate.

This is my configuration:

ip vrf proxy
 rd 500:500
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
!
ip vrf upa
 rd 300:300
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
!
ip vrf upa-tv
 rd 1000:1000
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description interfacccia outside per ip pubblico ipsec
 encapsulation dot1Q 500
 ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 320
 ip vrf forwarding upa-tv
 ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 description connessa a 6500
 ip address 80.x.x.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.2 remote-as 65000
 no auto-summary
 !
 address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf upa-tv
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf upa
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
 exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

As you can see, I export routes from vrf upa and upa-tv as RT 401:401 and import them into the proxy vrf, and in the same way I export routes from the proxy vrf as RT 501:501 and import them into upa and upa-tv.

Network 10.4.1.0/24 exists in both vrf upa and upa-tv. So I'd like to NAT one of them with another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from a VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT command:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip address 172.31.50.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy

I also tried with

ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

but it didn't work...

Any suggestions?

Any help will be appreciated.

Max

6 Replies

mounir.mohamed
Level 7

Dear,

As far as I know, you can NAT the VRF address by one pool or even static, but you must configure route leaking to get everything working.

Here is a route leaking example:

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Please rate helpful posts.

Best Regards,

Mounir Mohamed

As you can see in my configuration, route leaking is already configured (redistribute connected is always in place) for vrf upa and proxy, which are the VRFs involved in NAT. I can't redistribute/import network 10.4.1.0/24 into vrf proxy from vrf upa, because it overlaps with vrf upa-tv.

I'm not sure whether route leaking works between VRFs or not, but let me check and get back to you.

Hi,

AFAIK, since release 12.2(13)T, NAT configured with MPLS on the MPLS (PE) device includes the VRF Table Id as part of the NAT translation entry. The VRF Table Id allows NAT to differentiate between overlapped IP addresses, which are common with an MPLS VPN design. NAT performs translation as it normally does. Phase 1 does not support VRF to VRF in the same PE in this initial release.

VRF to VRF in the same PE is targeted for Release 12.3(6)T.

To solve your issue, please do check this "NAT Virtual Interface":

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041d91a.html

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Hi Mohammed, now all works well.

I understand my error: basically, when I tried to ping, I pinged a router on my own VRF, because I imported the network, so the packet didn't come across interfaces and NAT was not in place. Now I tried static host and network natting and dynamic natting, and all works well.

Here is a complete working configuration:

ip vrf proxy
 rd 500:500
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
!
ip vrf upa
 rd 300:300
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
!
ip vrf upa-tv
 rd 1000:1000
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description interfacccia outside per ip pubblico ipsec
 encapsulation dot1Q 500
 ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 300
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 310
 ip vrf forwarding proxy
 ip nat outside
 ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 320
 ip vrf forwarding upa-tv
 ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 description connessa a 6500
 ip address 80.x.x.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.2 remote-as 65000
 no auto-summary
 !
 address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf upa-tv
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf upa
  redistribute connected
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
 exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa

Many thanks for the help, now all works well and I understand the way to configure it.
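A consistency check over the inside/outside/route pattern of the working configuration above, added here as an example and not posted by any participant in the thread. The function names `parse_interfaces` and `audit` are hypothetical, the input is a trimmed copy of the posted configuration, and the rule that the `vrf` keyword on the static entry names the VRF of the `ip nat inside` interface is an assumption taken from that configuration; the check also reports an interface name configured twice, since IOS keeps a single configuration per interface name.

```python
import re

# Constructed input: trimmed copy of the working configuration in this thread.
CONFIG = """\
interface GigabitEthernet0/0.10
 ip vrf forwarding upa
 ip nat inside
!
interface GigabitEthernet0/0.20
 ip vrf forwarding proxy
 ip nat outside
!
interface GigabitEthernet0/0.10
 ip vrf forwarding upa-tv
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
"""

def parse_interfaces(cfg):
    """Return one dict per interface stanza, in order of appearance."""
    stanzas, cur = [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "vrf": "global", "nat": None}
            stanzas.append(cur)
        elif line == "!":
            cur = None
        elif cur and line.startswith("ip vrf forwarding "):
            cur["vrf"] = line.split()[-1]
        elif cur and line in ("ip nat inside", "ip nat outside"):
            cur["nat"] = line.split()[-1]
    return stanzas

def audit(cfg):
    """List deviations from the inside/outside/route pattern of the thread."""
    ifs, out = parse_interfaces(cfg), []
    names = [i["name"] for i in ifs]
    out += [f"duplicate stanza for {n}" for n in sorted(set(names)) if names.count(n) > 1]
    routes = re.findall(r"^ip route vrf (\S+) (\S+) ", cfg, re.M)
    for _l, glob, vrf in re.findall(r"^ip nat inside source static (\S+) (\S+) vrf (\S+)", cfg, re.M):
        if not any(i["vrf"] == vrf and i["nat"] == "inside" for i in ifs):
            out.append(f"no 'ip nat inside' interface in vrf {vrf}")
        outside = {i["vrf"] for i in ifs if i["nat"] == "outside"} - {vrf}
        if not outside:
            out.append(f"no 'ip nat outside' interface outside vrf {vrf}")
        if not any(v in outside and dst == glob for v, dst in routes):
            out.append(f"no route to {glob} in an outside vrf")
    return out
```

Run against this excerpt, `audit(CONFIG)` reports only the repeated `GigabitEthernet0/0.10` stanza; the same duplicate name appears in the full configuration above.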

Hi. Do we have docs here for inter-VRF NAT on a PE for 7200/7600?