VRF-aware NAT

Two PE routers in AS 100 (PE1, loopback 1.1.1.1, and PE2, loopback 2.2.2.2) form an MPLS core over 192.168.1.0/30 with OSPF and LDP. PE1 terminates two customer sites in separate VRFs: CUST1 on 10.1.1.0/30 (Serial0/0) and CUST2 on 10.3.3.0/30 (Serial0/1). PE2 holds a third VRF, Common_Gateway, whose Serial0/0 (10.2.2.1) connects to a shared gateway router at 10.2.2.2. Both customer VRFs reach that gateway through NAT on PE2: the MPLS-facing interface is the NAT inside interface, the Common_Gateway interface is the NAT outside interface, and each ip nat inside source statement is bound to one VRF with the vrf keyword, so the customers' sources are translated into the shared pool 172.16.1.1 to 172.16.3.255 per VRF even if their address spaces were to overlap.

PE1 router:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
ip vrf CUST1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf CUST2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
interface Serial0/0
 ip vrf forwarding CUST1
 ip address 10.1.1.1 255.255.255.252
!
interface Serial0/1
 ip vrf forwarding CUST2
 ip address 10.3.3.1 255.255.255.252
!
router rip
 version 2
 !
 address-family ipv4 vrf CUST2
  redistribute bgp 100 metric 5
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute bgp 100 metric 5
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST2
  redistribute rip metric 5
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute rip metric 5
  no synchronization
 exit-address-family
!

PE2 router:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
ip vrf CUST1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf CUST2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf Common_Gateway
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 ip nat inside
 ip ospf 1 area 0
 mpls ip
!
interface Serial0/0
 ip vrf forwarding Common_Gateway
 ip address 10.2.2.1 255.255.255.252
 ip nat outside
!
ip route vrf Common_Gateway 172.16.0.0 255.255.252.0 Null0
!
router rip
 version 2
 !
 address-family ipv4 vrf Common_Gateway
  redistribute static
  network 10.2.2.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 100
 no synchronization
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Common_Gateway
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute static
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUST2
  redistribute static
  no synchronization
 exit-address-family
!
ip route vrf CUST1 10.2.2.0 255.255.255.252 Serial0/0 10.2.2.2
ip route vrf CUST2 10.2.2.0 255.255.255.252 Serial0/0 10.2.2.2
!
ip nat pool Common 172.16.1.1 172.16.3.255 netmask 255.255.252.0
!
ip nat inside source route-map ALLOW_PREFIX pool Common vrf CUST1
ip nat inside source route-map ALLOW_CUST2 pool Common vrf CUST2
!
access-list 1 permit 10.1.1.0 0.0.0.3
access-list 2 permit 10.3.3.0 0.0.0.3
!
route-map ALLOW_PREFIX permit 10
 match ip address 1
!
route-map ALLOW_CUST2 permit 10
 match ip address 2
!

The 10.2.2.0/30 prefix is installed in the CUST1 and CUST2 VRFs on PE2 by the static routes that point out Serial0/0, an interface that belongs to the Common_Gateway VRF, and redistribute static in the per-VRF BGP address families carries it to PE1 as VPNv4 routes under both route distinguishers:

PE1# show ip bgp vpnv4 all
BGP table version is 18, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUST1)
*> 10.1.1.0/30      0.0.0.0                  0         32768 ?
*>i10.2.2.0/30      2.2.2.2                  0    100      0 ?
Route Distinguisher: 2:2 (default for vrf CUST2)
*>i10.2.2.0/30      2.2.2.2                  0    100      0 ?
*> 10.3.3.0/30      0.0.0.0                  0         32768 ?

The NAT pool is reachable from the Common_Gateway router through 10.2.2.1 on PE2: the static route for 172.16.0.0/22 to Null0 in the Common_Gateway VRF is redistributed into RIP, which gives the gateway a return route for translated sources. The customer routers, in turn, learn 10.2.2.0/30 through RIP from PE1.

Common_Gateway# show ip route | begin Gateway
Gateway of last resort is not set

     172.16.0.0/22 is subnetted, 1 subnets
R       172.16.0.0 [120/1] via 10.2.2.1, 00:00:17, Serial0/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.2.2.0 is directly connected, Serial0/0

CUST1# show ip route | begin Gateway
Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
R       10.2.2.0 [120/5] via 10.1.1.1, 00:00:22, Serial0/0
C       10.1.1.0 is directly connected, Serial0/0

CUST2# show ip route | begin Gateway
Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.3.3.0 is directly connected, Serial0/0
R       10.2.2.0 [120/5] via 10.3.3.1, 00:00:09, Serial0/0

When Telnet sessions (destination port 23) are opened from the CUST1 and CUST2 routers to the Common_Gateway router (10.2.2.2), NAT translations are created on PE2. The inside global address is the address taken from pool Common, the inside local is the real source address in the customer VRF, and the outside local and outside global addresses are both the destination 10.2.2.2, since only the inside source is translated. Because neither ip nat inside source statement uses the overload keyword, each inside host consumes one pool address and the source port is carried through unchanged. Both VRFs draw from the same pool, and this output does not show which VRF an entry belongs to; show ip nat translations vrf CUST1 restricts the listing to a single VRF.

PE2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.1.1:61855   10.1.1.2:61855     10.2.2.2:23        10.2.2.2:23
tcp 172.16.1.2:40030   10.3.3.2:40030     10.2.2.2:23        10.2.2.2:23
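As an added example (not part of the original lab and not a Cisco tool), the following Python script parses the show ip nat translations text above and audits each entry against the NAT policy on PE2: the inside local must fall inside the per-VRF ACL range, the inside global must come from pool Common, and, because the pool is not overloaded, the source port must be unchanged. It also confirms that the Null0 pool route redistributed into RIP covers every pool address, and flags any pool address handed to more than one inside host. The policy constants are copied from the configuration above; the malformed translation line used in the test is constructed.

```python
"""Audit VRF-aware NAT translations on PE2 against the intended policy.

Added example for this lab; the policy constants below are copied from the
PE2 configuration and the translation text from `show ip nat translations`.
"""
import ipaddress
import re
from dataclasses import dataclass

# Policy taken from the PE2 configuration (assumed unchanged).
POOL_START = ipaddress.ip_address("172.16.1.1")      # ip nat pool Common ...
POOL_END = ipaddress.ip_address("172.16.3.255")
POOL_ROUTE = ipaddress.ip_network("172.16.0.0/22")   # ip route vrf Common_Gateway ... Null0
VRF_ACLS = {                                         # route-map -> access-list per VRF
    "CUST1": ipaddress.ip_network("10.1.1.0/30"),    # access-list 1
    "CUST2": ipaddress.ip_network("10.3.3.0/30"),    # access-list 2
}

# Output copied from `PE2# show ip nat translations` above.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.1.1:61855   10.1.1.2:61855     10.2.2.2:23        10.2.2.2:23
tcp 172.16.1.2:40030   10.3.3.2:40030     10.2.2.2:23        10.2.2.2:23
"""

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class Translation:
    proto: str
    inside_global: ipaddress.IPv4Address
    inside_global_port: int
    inside_local: ipaddress.IPv4Address
    inside_local_port: int
    outside: ipaddress.IPv4Address
    outside_port: int


def _endpoint(text):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    m = _ENDPOINT.match(text)
    if not m:
        raise ValueError(f"malformed endpoint {text!r}")
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def parse_translations(text):
    """Parse the table body; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        ig_a, ig_p = _endpoint(ig)
        il_a, il_p = _endpoint(il)
        ol_a, ol_p = _endpoint(ol)
        og_a, og_p = _endpoint(og)
        # Only inside source NAT is configured, so outside local == outside global.
        if (ol_a, ol_p) != (og_a, og_p):
            raise ValueError(f"unexpected outside translation on line {line!r}")
        rows.append(Translation(proto, ig_a, ig_p, il_a, il_p, og_a, og_p))
    return rows


def vrf_for(inside_local):
    """Which per-VRF ACL (and therefore which VRF) an inside local address matches."""
    for vrf, net in VRF_ACLS.items():
        if inside_local in net:
            return vrf
    return None


def check_translation(t):
    """Return the policy violations for one entry (empty list means it is as intended)."""
    problems = []
    if vrf_for(t.inside_local) is None:
        problems.append(f"{t.inside_local} matches no per-VRF ACL and should not be translated")
    if not POOL_START <= t.inside_global <= POOL_END:
        problems.append(f"{t.inside_global} is not an address from pool Common")
    # Neither 'ip nat inside source' statement uses 'overload', so ports pass through unchanged.
    if t.inside_global_port != t.inside_local_port:
        problems.append("source port rewritten although the pool is not overloaded")
    return problems


def check_pool_route():
    """The Null0 route redistributed into RIP must cover every pool address."""
    return POOL_START in POOL_ROUTE and POOL_END in POOL_ROUTE


def pool_collisions(rows):
    """Inside global addresses handed to more than one inside host; with a
    one-to-one (non-overloaded) pool this should never happen."""
    seen = {}
    for t in rows:
        seen.setdefault(t.inside_global, set()).add(t.inside_local)
    return {ig: locs for ig, locs in seen.items() if len(locs) > 1}


def audit(text):
    """Map 'inside_local->inside_global' to (VRF, violations) for every entry."""
    return {
        f"{t.inside_local}->{t.inside_global}": (vrf_for(t.inside_local), check_translation(t))
        for t in parse_translations(text)
    }


if __name__ == "__main__":
    print("pool route covers pool:", check_pool_route())
    for key, (vrf, problems) in audit(SAMPLE_OUTPUT).items():
        print(key, vrf, problems or "OK")
```

The VRF attribution here is inferred from the ACL ranges because the plain show ip nat translations output carries no VRF column; on a platform whose output includes one, the parser's field handling would need to be adapted.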