VRF and NAT Question

ds6123
Level 1

Hello,

I need to NAT between a pair of VRFs.  I understand the simple examples in the documentation where you have customer X and customer Y (each on their own interface/sub-interface) and want them to share a 3rd interface such as an internet connection.  Using NAT with NVI, you'd put an "ip nat enable" statement on all 3 interfaces (each customer interface, plus the internet interface), and an "ip nat source list BLAH" statement for each customer.  Seems pretty simple.

What about when those customers aren't directly connected to that router?  What if they're part of a VRF that's on the "MP-BGP" side of the router?  I.e., we're no longer dealing with VRF-Lite.  Do I need an "ip nat enable" statement on all of the MPLS enabled interfaces that lead to the "MP-BGP cloud"?

Hope that makes sense.  Normally I'd lab this up to find the answer, but I have limited access to my lab environment and don't want to experiment on production gear. 

4 Replies

Peter Paluch
Cisco Employee

Hello,

You are probably talking about the NVI-style of configuration. Yes, in that case, you would indeed need to configure the MPLS-BGP cloud-facing interfaces to be configured with ip nat enable.

In this case, however, you may also be fine with the classic style of NAT configuration using the ip nat inside and ip nat outside constructs, plus the ip nat inside source list BLAH ... vrf VRF_NAME overload command to associate a NAT rule with a particular VRF instance. You need to do that also with your current NVI-style - to refer to a particular VRF!

Best regards,

Peter

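As an added example (not configuration from this thread), here is the classic-style, VRF-aware NAT that Peter describes, placed on the PE that holds the Internet uplink while the customer sits behind the MP-BGP cloud. The VRF name, interface names, addresses and ACL name are assumptions; only the command forms come from the discussion above.

```cisco
! Assumed customer VRF carried over MP-BGP (name and RD are placeholders)
ip vrf CUST_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
! Core-facing (MPLS / MP-BGP cloud) interface: this is the "inside" side,
! because customer packets arrive here after label disposition.
interface GigabitEthernet0/0
 description MPLS core (MP-BGP cloud)
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ip nat inside
!
! Internet uplink in the global table: the "outside" side.
interface GigabitEthernet0/1
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only the customer's private range is eligible for translation.
ip access-list extended CUST_A_NAT
 permit ip 192.168.10.0 0.0.0.255 any
!
! The "vrf CUST_A" keyword binds this rule to the VRF so that the
! translation entry remembers which VRF the inside host lives in and
! return traffic from the Internet is de-translated back into CUST_A.
ip nat inside source list CUST_A_NAT interface GigabitEthernet0/1 vrf CUST_A overload
!
! Verification (exec mode):
!   show ip nat translations vrf CUST_A
!   show ip nat statistics
```

The VRF still needs a route toward the Internet uplink (for example a default route leaked into CUST_A) for the inside-to-outside direction to be forwarded to GigabitEthernet0/1 at all; NAT only rewrites what routing delivers to it.
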
Vaibhava Varma
Level 4

Hi

I did test a kinda similar setup for providing Internet Access to MPLS VPN Customer using VRF aware NAT whereby the Customers were peering on one PE router and the Internet Peering was on another separate PE router under Internet VRF and MP-iBGP provided connectivity between the two PEs and in turn the CE and Internet.

I built a GRE Tunnel between the two PEs and made it part of Customer VRF and was able to provide reachability between Internet and CE using VRF Aware NAT on the Internet PE.

This did work but has a scalability issue of building (m x n) GRE Tunnels on the Internet PE if we need to serve n unique Customer Sites in m unique VRF.

Hope this provides some insight into your requirements. If you find it relevant to your requirement and need to look at the solution I can PM you the same.

Regards

Varma

ds6123
Level 1

Thanks everyone!

Once I added the "ip nat enable" command to the router, it promptly reloaded itself with a bus error.  The client was not impressed. 

While I'm researching the cause of the bus error, I put an old PIX 515E (no, not an ASA, but a PIX) we had on the shelf in place to do the natting.  This works so well, we might just keep it around. 

Hello,

Once I added the "ip nat enable" command to the router, it promptly reloaded itself with a bus error.  The client was not impressed.

Oops... What was the type of the router and the IOS version, anyway?

Regarding the bus error - it is a synonym for segmentation fault, which stands for the IOS process trying to access memory that does not belong to it - or an address that is not even present in the system. This is obviously caused by a software error or, in rare cases, lack of RAM. In any case, there is extremely little you can do about it, apart from upgrading your IOS and/or increasing the amount of RAM in your system.

Best regards,

Peter
