05-15-2007 03:06 AM
Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.
The shared service is on a VRF also.
I use route-target import and export to import routes between VRFs. I've seen NAT is working between a VRF and global routing, but not between different VRFs that are already able to communicate.
This is my configuration:
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
!
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
!
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat enable
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
!
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
!
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
!
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
As you can see, I export routes from vrf upa and upa-tv as RT 401:401 and import them into the proxy vrf, and in the same way I export routes from the proxy vrf as RT 501:501 and import them into upa and upa-tv.
Network 10.4.1.0/24 exists in both vrf upa and upa-tv. So I'd like to NAT one of them with another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from a VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT command:
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
ip nat outside
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
I also tried with
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
but it didn't work...
Any suggestions?
Any help will be appreciated.
Max
05-15-2007 06:28 PM
Dear,
As far as I know, you can NAT the VRF address by one pool or even static, but you must configure route leaking to get everything working.
Here is a route leaking example:
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
Please rate helpful posts.
Best Regards,
Mounir Mohamed
05-16-2007 12:06 AM
As you can see in my configuration, route leaking is already configured (redistribute connected is always in place) for vrf upa and proxy, which are the VRFs involved in NAT. I can't redistribute/import network 10.4.1.0/24 into vrf proxy from vrf upa, because this overlaps with vrf upa-tv.
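The overlap described in the posts above (10.4.1.0/24 present in both upa and upa-tv, while proxy imports RT 401:401 from both) can be checked mechanically before leaking routes into a shared VRF. This is an added example, not part of any post in this thread; `parse` and `leaked_overlaps` are hypothetical helper names, and it assumes every connected or static prefix in a VRF is a candidate for export.

```python
from ipaddress import ip_network
from itertools import combinations

# Condensed from the configuration posted in this thread (RTs, VRF interfaces, static route).
CONFIG = """\
ip vrf proxy
 route-target export 501:501
 route-target import 401:401
ip vrf upa
 route-target export 401:401
 route-target import 501:501
ip vrf upa-tv
 route-target export 401:401
 route-target import 501:501
interface GigabitEthernet0/0.10
 ip vrf forwarding upa
 ip address 172.31.47.254 255.255.255.0
interface GigabitEthernet0/0.10
 ip vrf forwarding upa-tv
 ip address 10.4.1.254 255.255.255.0
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
"""

def parse(config):
    """Return per-VRF route-targets and per-VRF connected/static prefixes."""
    rts, nets, vrf = {}, {}, None
    for w in map(str.split, config.splitlines()):
        if w[:2] == ["ip", "vrf"] and len(w) == 3:       # VRF definition
            vrf = w[2]
        elif w[:1] == ["interface"]:                     # global table until bound to a VRF
            vrf = None
        elif w[:3] == ["ip", "vrf", "forwarding"]:
            vrf = w[3]
        elif w[:1] == ["route-target"]:                  # "export" or "import" only
            rts.setdefault(vrf, {"export": set(), "import": set()})[w[1]].add(w[2])
        elif w[:2] == ["ip", "address"] and vrf:         # connected prefix in a VRF
            nets.setdefault(vrf, set()).add(ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif w[:3] == ["ip", "route", "vrf"]:            # static prefix in a VRF
            nets.setdefault(w[3], set()).add(ip_network(f"{w[4]}/{w[5]}"))
    return rts, nets

def leaked_overlaps(rts, nets):
    """List (importing VRF, source A, source B, prefix) where two sources overlap."""
    def sources(dst):
        return sorted(s for s in rts if s != dst and rts[s]["export"] & rts[dst]["import"])
    return [(dst, a, b, str(x)) for dst in rts for a, b in combinations(sources(dst), 2)
            for x in nets.get(a, ()) for y in nets.get(b, ()) if x.overlaps(y)]

print(leaked_overlaps(*parse(CONFIG)))
```

The single finding names proxy as the VRF that would receive 10.4.1.0/24 from two different sources, which is the collision the static NAT to 169.254.99.12 is meant to avoid. The parser does not handle `route-target both`.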
05-16-2007 12:14 AM
I'm not sure whether route leaking works between VRFs or not, but let me check and get back to you.
05-16-2007 12:31 AM
Hi,
AFAIK, since release 12.2(13)T, NAT configured with MPLS on the MPLS (PE) device includes the VRF Table Id as part of the NAT translation entry. The VRF Table Id allows NAT to differentiate between overlapped IP addresses, which are common with an MPLS VPN design. NAT performs translation as it normally does. Phase 1 does not support VRF to VRF in the same PE in this initial release.
VRF to VRF in the same PE is targeted for Release 12.3(6)T.
To solve your issue, please do check this "NAT Virtual Interface":
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041d91a.html
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
05-23-2007 12:00 AM
Hi Mohammed, now all works well.
I understand my error: basically, when I tried to ping, I pinged a router on my
own VRF, because I imported the network, so the packet didn't come across
interfaces and NAT was not in place. Now I tried static host and network
natting and dynamic natting and all works well.
Here is a complete working configuration:
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
!
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
!
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
!
mpls label protocol ldp
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip nat outside
ip address 172.31.50.1 255.255.255.0
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
!
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
!
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
!
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
!
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
!
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
!
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
Many thanks for the help, now all works well and I understand the way to
configure it.
11-02-2011 06:37 PM
Hi. Do we have docs here for inter-VRF NAT on a PE for 7200/7600?