[c-nsp] routing between VRF and global

Jeff Bacon bacon at walleyesoftware.com
Wed Jul 28 09:58:56 EDT 2010


Conceptually, yes, true.

Unfortunately, you can't do this on a 6500 (or presumably a 7600).

I had a nice chat with the appropriate group in TAC (in RTP, NC, US) on
the topic. Short summary:

"mpls ip" and "ip nat [inside|outside]" should never be applied to the
same interface. This is a fundamental limitation of the PFC hardware -
MPLS and NAT require different switching paths through the PFC, and They
Just Can't Make The Two Work Together Reliably (apparently not for a
lack of trying).

Similarly, MPLS and PBR also don't play nicely together, supposedly.


It's vaguely documented deep in the release notes somewhere as an
obscure reference - I found it but can't remember where exactly. The
feature certainly doesn't exist within the 12.2SX config manual. (All
part of the fun of Cisco IOS on 6500/7600 vs "real routers" - here's a
feature, but does it actually exist?)

(It begs the question - if you shouldn't be doing it, why does IOS let
you configure it in the first place? I suppose the answer is "because it
kinda works sometimes", and my situation is not part of those
sometimes.)

This would tend to limit one's options.

I would be interested in hearing counterexamples.

-bacon

From: Christopher Gatlin [mailto:gatlin007 at gmail.com] 
Sent: Tuesday, July 20, 2010 4:28 PM
To: Jeff Bacon
Cc: Orlov, Sergey; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] routing between VRF and global


You can NAT from an interface with VRF membership to an interface in the
global table.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatvpn.html

Chris

On Tue, Jul 20, 2010 at 2:15 PM, Jeff Bacon <bacon at walleyesoftware.com>
wrote:

Unfortunately, I've realized I've missed something fairly fundamental:

All of the tricks for leaking routes between GRT and VRF are just that,
route leaks. But to have the flow be subject to NAT, you need the packet
to come through an interface that you can put an "ip nat inside" on.

Which means the only real option is a "GRE internal hairpin". Except I
can't see how you would implement a tunnel with both endpoints on
the same device - and even if you could, is that the sort of
configuration you'd want other people to see? Because my devices are in
pairs, I could GRE from one to the other.... but at that point, why not
just use a physical hairpin, other than the cost of the physical ports?

(Using another device to do the NAT is impractical for a lot of reasons,
the two largest being:
- I don't have space or power in every co-lo I'm located in for Yet
Another Device - one of the points of the 6500s was to combine
everything I needed into a single pair of devices.
- it'd require a non-baby ASR to keep up with some of the traffic loads
due to microbursting, driving the cost through the roof.)

At some point you have to give up and say "you just can't do it that
way". *sigh*

-bacon
And yet still, we buy Cisco...
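As an added example (not from this thread, Cisco, or the TAC conversation above), a small Python check that walks an IOS-style running-config and flags any interface stanza carrying both "mpls ip" and "ip nat inside/outside", plus the MPLS + PBR combination the post also mentions. The config text is constructed for the example; interface names and VRF name are made up.

```python
import re

# Constructed sample of an IOS-style running-config, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 mpls ip
 ip nat outside
!
interface GigabitEthernet1/2
 ip vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet1/3
 mpls ip
 ip policy route-map PBR-TEST
!
"""
# Per the thread, the 6500/7600 PFC cannot combine MPLS with NAT (or PBR) on one interface.
MPLS_RE = re.compile(r"^\s*mpls ip\b")
NAT_RE = re.compile(r"^\s*ip nat (inside|outside)\b")
PBR_RE = re.compile(r"^\s*ip policy route-map\b")

def parse_interfaces(config: str) -> dict:
    """Group indented lines under the 'interface <name>' stanza that owns them."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None  # '!' or a top-level command closes the stanza
    return interfaces

def find_conflicts(config: str) -> dict:
    """Return {interface: [conflicting feature pairs]} for every offending stanza."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        has_mpls = any(MPLS_RE.match(l) for l in lines)
        has_nat = any(NAT_RE.match(l) for l in lines)
        has_pbr = any(PBR_RE.match(l) for l in lines)
        problems = []
        if has_mpls and has_nat:
            problems.append("mpls ip + ip nat")
        if has_mpls and has_pbr:
            problems.append("mpls ip + ip policy route-map")
        if problems:
            findings[name] = problems
    return findings
```

Run it against "show running-config" output before pushing a change; an interface that only has NAT or only has MPLS (like GigabitEthernet1/2 above) is not reported.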