
New Member

Carrier-grade NAT (CGSE): Do I need VRF on inbound ServiceApp?

Hello team:

We are going to populate an Internet Cisco CRS router with a CGSE module in order to carry out NAT44.

According to the CGSE documentation (http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.2/cg_nat/configuration/guide/cgc42cgn.html) the inbound ServiceApp is associated with a VRF. Is this always necessary?

In other words: Can I just put an IPv4 address to my inbound and outbound ServiceApps, and avoid configuring a VRF on them? Then, I should add the proper "global" static routing sentences to route incoming packets to the corresponding ServiceApp interfaces.

Your kind answers will be greatly appreciated.

Best regards

Rogelio Alvez

Argentina

Accepted Solutions
Cisco Employee

Hola Rogelio,

In the case of NAT44, you definitely need an inside VRF.

On the outside, you could use the global, but for inside, you must use a VRF.

Simply because you need to associate it to a map-pool:

service cgn demo
 service-type nat44 nat1
  inside-vrf inside
   map address-pool 100.0.0.0/24

In other kinds of translation mechanisms like NAT64 or DS-Lite, it's not mandatory to use a VRF since you can rely on address-families to discriminate the inside world and outside world.

HTH,

cheers,

Nicolas.

New Member

Thank you very much Nicolas. Now I have a problem to solve, and I would appreciate your advice.

The interfaces (inbound and outbound) of my router are both global (public IP addresses on both sides). Do I need to move the inbound interface to the same VRF to which the inbound ServiceApp will belong?

Otherwise, I do not see an easy way to "leap" from a global space to a VRF one when NAT must be involved for the incoming packets.

If you have experienced such a scenario, I would appreciate your sending me a sample configuration.

Thank you very much in advance again.

Rogelio

Cisco Employee

Hi Rogelio,

Your inside addresses can be public too, even if it's not the common case (most people would like to use a private range to save the public addresses, being a scarce resource).

The serviceApp interfaces are "virtual tunnels" used by the router to communicate to and from the CGSE card.

For a NAT44 configuration, the inside serviceApp must be assigned to the same VRF as the inside physical interfaces or sub-interfaces. Check this config sample:

service cgn demo
 service-location preferred-active 0/1/CPU0
!
vrf inside
 address-family ipv4 unicast
!
vrf outside
 address-family ipv4 unicast
!
interface te0/0/0/0
 vrf inside
 ipv4 address 10.1.1.1/24
!
interface te0/1/0/0
 vrf outside
 ipv4 address 100.1.1.1/24
!
service cgn demo
 service-type nat44 nat1
  inside-vrf inside
   map address-pool 100.0.0.0/24
!
! Inside ServiceApp: placed in the VRF named by inside-vrf
interface ServiceApp1
 vrf inside
 ipv4 address 1.1.1.1 255.255.255.252
 service cgn demo service-type nat44
!
! Outside ServiceApp: placed in the outside VRF
interface ServiceApp2
 vrf outside
 ipv4 address 2.1.1.1 255.255.255.252
 service cgn demo service-type nat44
!
router static
 ! Inside traffic is sent to the CGSE through ServiceApp1
 vrf inside
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp1
 !
 ! Return traffic for the map pool is sent to the CGSE through ServiceApp2
 vrf outside
  address-family ipv4 unicast
   100.0.0.0/24 ServiceApp2

Again, the outside VRF isn't mandatory, you can skip these statements and use the global.

Hope it answers your question,

Cheers,

Nicolas.
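
The placement rules in the reply above (a ServiceApp interface in the VRF named by inside-vrf, and the map address-pool routed to a ServiceApp outside that VRF, either in an outside VRF or in the global table) can be checked offline against a saved configuration. This is an added example, not part of the original thread and not a Cisco tool; `audit_nat44`, the constructed sample and the assumption of running-config layout (indented sub-modes, global static routes listed before VRF blocks) are hypothetical.

```python
import re

# Constructed sample, modelled on the NAT44 configuration posted above.
SAMPLE = """\
service cgn demo
 service-type nat44 nat1
  inside-vrf inside
   map address-pool 100.0.0.0/24
interface ServiceApp1
 vrf inside
interface ServiceApp2
 vrf outside
router static
 vrf outside
  address-family ipv4 unicast
   100.0.0.0/24 ServiceApp2
"""

def audit_nat44(config):
    """Return findings for a running-config style CGN NAT44 configuration."""
    # inside: inside-vrf -> pool; sapp_vrf: ServiceApp -> VRF (None = global)
    inside, sapp_vrf, routes = {}, {}, []
    top, vrf, cur = "", None, None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():  # column-0 line: a new stanza resets context
            top, vrf, cur = line, None, None
            if top.startswith("interface ServiceApp"):
                sapp_vrf[top.split()[1]] = None
        elif m := re.fullmatch(r"vrf (\S+)", line):
            if top.startswith("interface ServiceApp"):
                sapp_vrf[top.split()[1]] = m[1]
            elif top == "router static":
                vrf = m[1]
        elif m := re.fullmatch(r"inside-vrf (\S+)", line):
            cur = m[1]
            inside.setdefault(cur, None)
        elif cur and (m := re.fullmatch(r"map address-pool (\S+)", line)):
            inside[cur] = m[1]
        elif top == "router static" and (m := re.fullmatch(r"(\S+) (ServiceApp\d+)", line)):
            routes.append((vrf, m[1], m[2]))  # (route VRF, prefix, next hop)
    findings = []
    for ivrf, pool in inside.items():
        if ivrf not in sapp_vrf.values():
            findings.append(f"no ServiceApp interface in inside-vrf '{ivrf}'")
        # The pool route must sit in the same table as a non-inside ServiceApp.
        if pool and not any(p == pool and v == sapp_vrf.get(s, ivrf) != ivrf
                            for v, p, s in routes):
            findings.append(f"pool {pool} not routed to an outside ServiceApp")
    return findings
```

Calling `audit_nat44(SAMPLE)` returns an empty list; a pool route that ends up under the inside VRF, or an inside ServiceApp left in the global table, each produce one finding.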

New Member

Hi Nicolas. Thanks a lot again for your kind answer.

For some reasons I have not mentioned before, I would prefer (moreover, need) to assign the inside AND the outside 10GE interfaces to the same VRF.

The point is that some incoming packets will need NAT (origin IP with private addressing) whereas other packets (already with public IP address in their origin IP field) will not need it.

So I am planning ACL-based forwarding on the input 10GE interfaces in order to redirect "private IP" packets to the internal ServiceApp and let the other (public IP) packets follow their path to the outside interfaces with traditional destination routing. This would be easy to accomplish if the input and output interfaces belong to the same VRF, since the router will be able to route "non NATable" packets with the same FIB.

Since the documentation in principle does not prevent me from doing it: Can I have the ServiceApps of your example both in the same VRF?

I promise this is going to be my last question!!

Thank you very much in advance again.

Best regards, Rogelio

Cisco Employee

Hi Rogelio,

Using the ABF to direct some part of your traffic to the NAT and some other to be directly routed (pass-thru) based on source addresses is indeed supported, but I'm not sure it can be done in one single VRF (for both inside and outside world).

I've never seen this nor configured such a setup myself (on the contrary, the ABF setups are usually using an extra dummy VRF).

I'm afraid you will have to test this solution first since it looks like a very particular requirement.

Let us know if it works.

Cheers,

N.

New Member

Hi Nicolas

We are facing a similar scenario: we are using a VRF for the inside traffic, and for the outside traffic we are using the global.

The traffic which needs NAT (with NAT44) is working fine. The issue that we are facing is with the traffic which doesn't need NAT: we are using ABF based on the source (public IP) to route the traffic from the VRF directly to the global, and to route the traffic from the global to the public IPs inside the VRF we are trying to use route-leaking. We don't know if that is possible with the CRS chassis and CGN.

We have done some tests but so far we could not make it work.

Thank you in advance for your help.

Kind regards.

Gustavo

New Member

Wouldn't it be easier if you put the outside interfaces in the same VRF to which the internal interfaces belong?

Then your packets that do not need NAT would be simply routed towards the interfaces on the same FIB and so you wouldn't need any leaking in any of the directions of the traffic.

Regards, Rogelio

Cisco Employee

One more comment: I realize that I may have created some confusion.

Only the serviceApp interface (inside) MUST be in the VRF Inside, but not necessarily the physical interfaces connecting your router to the network. You can use static routing in the global pointing to the ServiceApp in the VRF or you can use ABF to direct traffic to your serviceApp interface, but the interfaces of the router can be in the global.

New Member

Thank you very much Nicolas. I am sorry I have not answered you before.

Best regards, Rogelio
