Hi. I have an MPLS cloud on which I want to provide basic Internet connectivity for customers in the cloud. This will not be for VPN services, simply HTTP, FTP etc. (possibly some inbound NAT for web servers). I have a 7200VXR for the job. My plan is to set this up as an effective PE in the cloud and use the 'NAT VRF AWARE' features to NAT networks in each VRF to a single public IP (currently this is 1 per VRF from a large pool). I can't see a reason for this not working, but I wanted to get advice on this. I am also unsure as to how the public-facing interface will be seen by the customer VRF, since it will not be statically labeled with any VRF.
Any thoughts on this?
Thanks in advance.
You can provide Internet access as specified by you through a "shared central VRF" and also without a VRF but with a "global VRF default".
In the latter case, your default per VRF would be pointing to a global public IP interface, for which the next hop would be your 7200 PE.
Your end VRFs won't see any label as they will only see a default route, which in turn will point to this new 7200 PE. There will be a label available from the IGP for its next hop, based on which the traffic will be switched till this NAT-aware PE.
And yes this will work.
Great. So my last question is: do I need to assign the public interface to a VRF, i.e. 'vrf global', if I do not use the global VRF default?
If you want to create a shared Internet VRF service then you will create an Internet VRF and include the public IP in it.
If you are not creating a specific Internet VRF then you don't assign the global interface to any VRF, but have every VRF have a global VRF default pointing to the 7200 PE where this global interface is.
Once the traffic arrives here in search of the default next hop, then it's only a matter of assigning inside and outside interfaces and doing a VRF-aware NAT onto the global interface or to a pre-defined pool.
Hi Swaroop, I'm trying to follow your advice regarding the global default. I have 2 VRFs I'll be using, called CUST1 and CUST2. Traffic will come into the e2/0.1 sub-interface and should then be NATed to 126.96.36.199 (global interface, not VRF). If I use static translations inside, they work fine. Dynamic translations, however, do not seem to work. I have really tried to follow Cisco's documentation, but I'm not having much luck. Do you notice anything incorrect with the following?
```
! Interface headers inferred from the post above (e2/0.1 inside, FastEthernet0/0 outside);
! the original paste omitted them
interface Ethernet2/0.1
 description "CUST1 Interface"
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address 172.16.1.10 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0
 description "OUTSIDE INT"
 ip address 188.8.131.52 255.255.255.0
 ip nat outside
!
! Dynamic VRF-aware PAT from CUST1 onto the pool, matched by standard ACL 1
ip nat pool CUST1_POOL 184.108.40.206 220.127.116.11 netmask 255.255.255.0
ip nat inside source list 1 pool CUST1_POOL vrf CUST1 overload
access-list 1 permit 172.16.0.0 0.0.255.255 log
! Per-VRF default into the global table via the outside interface
ip route vrf CUST1 0.0.0.0 0.0.0.0 FastEthernet0/0 18.104.22.168 global
```
Any help you can give me would be very appreciated.
Hi Dan, your config is correct. No problems.
Although it may sound weird, try using an extended ACL for the source list and it will work.
Thanks Swaroop. That did work with an extended ACL!
Do I need any further routes added to get the NATed addresses back to the CUST1 VRF?
When I ping I do see the NATed address on the next hop now, but I still don't see a reply. Again, I do not have this problem with a static translation.
Thanks once again for all your help.
Disregard the above, it was simply an ARP issue.
With your help I now have both inside dynamic and inside static working. The only thing I now need is outside static. I tried using
ip nat outside source static
This, however, did not work. Do I need to add anything to get outside static to work? I am trying to use this to hit an internal web server and have made sure the ACL on the outside interface allows this.
Have a look at this document and see if you have been missing anything by chance.
It covers both dynamic and static examples you have been trying to configure. Hope it will be helpful.
Before you start, you may want to unconfigure the previous NAT-related configs and start fresh; this should help as it would be a clean start.
I'm implementing a similar VRF-aware NAT solution, however I need to bill Internet traffic per customer (per VRF). The PE performing the VRF-aware NAT does not have any interfaces in each customer VRF, other than loopbacks.
For various reasons I need to pull SNMP interface byte counters to bill customers, so I need to be able to query an interface per customer.
Does anyone have any suggestions on how to bill per VRF?
Does the PE run VPNv4 then?
I would perform this function on a separate box and use 802.1q sub-interfaces assigned to a VRF for the inside NAT interfaces.
Yes, the PE is running VPNv4 services (Cisco 7600); it is a full MPLS PE.
The separate box with dot1q sub-interfaces is the solution I was trying to avoid due to extra hardware costs and provisioning pain. However, this may well be the only solution here.
I guess I need to identify a cost-effective VRF-aware NAT box.
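Pulling together the design discussed above (global-table outside interface, per-VRF global default, VRF-aware NAT with an extended ACL as the source list, an inside static entry for a customer web server) and the separate-box-with-dot1q-sub-interfaces suggestion for per-customer billing, here is an added example configuration that is not from anyone in this thread. All addresses, VLAN ids, RDs and the CE next hop are assumptions made up for the example.

```cisco
! Added example, not config from this thread: a standalone VRF-aware NAT box
! with one dot1q sub-interface per customer VRF (so each customer has its own
! ifIndex for SNMP byte counters), extended ACLs as the NAT source lists, and
! a static inside mapping for a customer web server. Addresses, VLAN ids,
! RDs and the CE next hop are made up (RFC 5737 / RFC 1918 ranges).
ip vrf CUST1
 rd 65000:1
ip vrf CUST2
 rd 65000:2
!
interface FastEthernet0/0
 description OUTSIDE INT (global table, no VRF)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1.10
 description CUST1 inside - poll IF-MIB ifHCInOctets/ifHCOutOctets here
 encapsulation dot1Q 10
 ip vrf forwarding CUST1
 ip address 172.16.1.10 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1.20
 description CUST2 inside - separate ifIndex, separate counters
 encapsulation dot1Q 20
 ip vrf forwarding CUST2
 ip address 172.16.2.10 255.255.255.252
 ip nat inside
! Customer LAN behind the CUST1 CE at .9 (assumed), where the web server lives
ip route vrf CUST1 172.16.1.0 255.255.255.0 172.16.1.9
! Extended ACLs: the standard "access-list 1" form did not match in the thread
ip access-list extended CUST1_NAT
 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended CUST2_NAT
 permit ip 172.16.2.0 0.0.0.255 any
! One public address per VRF, in the outside subnet so the box answers ARP for it
ip nat pool CUST1_POOL 203.0.113.11 203.0.113.11 netmask 255.255.255.0
ip nat pool CUST2_POOL 203.0.113.12 203.0.113.12 netmask 255.255.255.0
ip nat inside source list CUST1_NAT pool CUST1_POOL vrf CUST1 overload
ip nat inside source list CUST2_NAT pool CUST2_POOL vrf CUST2 overload
! Inbound web server in CUST1 on its own public address: an inside static
! entry with the vrf keyword, rather than "ip nat outside source static"
ip nat inside source static tcp 172.16.1.100 80 203.0.113.13 80 vrf CUST1
! Per-VRF default into the global table via the outside interface
ip route vrf CUST1 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1 global
ip route vrf CUST2 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1 global
```

Because every translation entry carries its VRF, return traffic for both the pool addresses and the static mapping is placed back into the right VRF by NAT; the per-customer sub-interface is what gives the billing system a distinct ifIndex to poll.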