I need to NAT between a pair of VRFs. I understand the simple examples in the documentation where you have customer X and customer Y (each on their own interface/sub-interface) and want them to share a 3rd interface such as an internet connection. Using NAT with NVI, you'd put an "ip nat enable" statement on all 3 interfaces (each customer interface, plus the internet interface), and an "ip nat source list BLAH" statement for each customer. Seems pretty simple.
What about when those customers aren't directly connected to that router? What if they're part of a VRF that's on the "MP-BGP" side of the router? I.e., we're no longer dealing with VRF-LITE. Do I need an "ip nat enable" statement on all of the MPLS enabled interfaces that lead to the "MP-BGP cloud"?
Hope that makes sense. Normally I'd lab this up to find the answer, but I have limited access to my lab environment and don't want to experiment on production gear.
You are probably talking about the NVI-style of configuration. Yes, in that case, you would indeed need to configure the MPLS-BGP cloud-facing interfaces to be configured with ip nat enable.
In this case, however, you may also be fine with the classic style of NAT configuration using the ip nat inside and ip nat outside constructs, plus the ip nat inside source list BLAH ... vrf VRF_NAME overload command to associate a NAT rule with a particular VRF instance. You need to do that also with your current NVI-style - to refer to a particular VRF!
I did test a kinda similar setup for providing Internet Access to MPLS VPN Customer using VRF aware NAT whereby the Customers were peering on one PE router and the Internet Peering was on another separate PE router under Internet VRF and MP-iBGP provided connectivity between the two PEs and in turn the CE and Internet.
I built a GRE Tunnel between the two PEs and made it part of Customer VRF and was able to provide reachability between Internet and CE using VRF Aware NAT on the Internet PE.
This did work but has a scalability issue of building (m x n) GRE Tunnels on the Internet PE if we need to serve n unique Customer Sites in m unique VRF.
Hope this provides some insight into your requirements. If you find it relevant to your requirement and need to look at the solution I can PM you the same.
Once I added the "ip nat enable" command to the router, it promptly reloaded itself with a bus error. The client was not impressed.
Oops... What was the type of the router and the IOS version, anyway?
Regarding the bus error - it is a synonym for segmentation fault, which stands for the IOS process trying to access memory that does not belong to it - or an address that is not even present in the system. This is obviously caused by a software error or, in rare cases, lack of RAM. In any case, there is extremely little you can do about it, apart from upgrading your IOS and/or increasing the amount of RAM in your system.