ASR9K BNG + CGNAT

Kijush Maharjan · ‎03-12-2017

I have been testing BNG + CGNAT in same box. Both works fine together. But there is a situation where my requirement is different.

I will have a bunch of Public IPs that will be used by subscribers initially. It should not go via VSM card. And then I will have lots of Private IPs, that will be nat to some different Public IP block. This private IP or nat should go only to VSM card.

When i push both public IP pool and Private pool to iVRF, it works find. But I only want to push Private pools to the iVRF and rest in default.

while pushing all the pools to iVRF has no issues. Is there any way to achieve this? Else i need to go with the current working scenario.

smailmilak · ‎03-12-2017

Hi Kijush,

are you talking about PPPoE or IPoE/ipsubscribers?

If you want to do Policy-based routing than check ABF https://supportforums.cisco.com/document/145271/abf-acl-based-forwarding-asr9k

With ABF you can match a private IP subnet and set next-hop "VSM"

If you need to put the subscribers in separate VRF's you can use radius for that.

Cisco-AVPair = "ip:vrf-id=VRFNAME" (this is the AVP that we are using for PPPoE).

I think that it's "subscriber:vrf-id=ipoe" for IPoE.

If you need further assistance with that please reply and we will try to help you as much we can.

Kijush Maharjan · ‎03-19-2017

Hi smailmilak,

ABF have been a way out for me as per my requirement. I have configured static route in ACL to route the Public block to the next-hop and it's working fine.

In one or other way, i had to use vrf. Can't I workout these things in default vrf? I am with PPPoE rather IPoE here.

smailmilak · ‎03-20-2017

Hi,

I am not sure if have understood your query. You want to use ABF or static route in vrf default?

Please explain a little bit more.

r.maharjan · ‎03-20-2017

Hi Smail,

Cisco recommends to put dynamic subscriber interface in the same vrf as of CGNAT to get solution.

As per Kijush it seems, if we use ABF to match private ip and set next-hop as VSM, it is fine but in return path, at CGN vrf we can't use ABF to point out next-hop since subscribers interface is dynamic (L2-Subscribers) in default vrf.

If there is any other way to leak out routes between default vrf and cgn vrf, please let us know. In juniper there is a way to leak out routes from one table to another vrf table like (set routing-options x.x.x.x/x next-table inet.0 or using rib). Do you know anyway you can point out route statically without pointing next-hops? (like ip route x.x.x.x/x vrf default) or can tunneling help to communicate between default vrf to some vrf on same box?

In diagram, green is for public ip block and blue/red is for private. Returning path from cgn vrf to default vrf is not achievable. If you have any ideas let me know.

Regards,

RaaZ

smailmilak · ‎03-20-2017

We have ISM, not VSM and we did it by using different ServiceApp intf for each vrf.

VRF-A

Serviceapp1 is in VRF-A and this is the inside interface

Serviceapp2 is in VRF default (routing table with public IP's).

NATed subscriber will enter Serviceapp1 and leave with public IP on Serviceapp2. Return traffic will be Serviceapp1 ---> Serviceapp1.

Same procedure for VRF-B. Just use Serviceapp3 and 4.

Can you do this on VSM?