[c-nsp] VRF-Aware NAT in ASR1k

Derick Winkworth dwinkworth at att.net
Sun Aug 8 01:25:47 EDT 2010


You do not have to use NVI.  We require the VASI functionality, so if we run 
out... then we will have to buy more ASRs.  


Each customer has their own VRF and there are between 1 and 4 VRFs they are all 
converging on.  It's all VRF lite for us, so the VASI interfaces are always 
outside NAT interfaces, and the customer-facing and services-facing interfaces 
are inside (providing us overload in both directions).

Not every customer talks to all 3 or 4 of the service area VRFs.  So it's up in 
the air as to how many customers will be supported with 500 pairs.  In your 
case, you have one service area: the mgmt VRF.  So you could support about 500 
customers potentially on one ASR using VASI.  


Also keep in mind that the NAT sessions themselves are not stored in main 
memory, but a much smaller high-speed memory area.  The 20G ESP supports 512k 
sessions globally, the 10G supports 256k and below that is 128k I believe...
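
A worked configuration for the layout Derick describes, added here as an illustration and not taken from the thread or from any poster's actual configuration: the customer-facing interface is the NAT inside, the customer-side VASI interface is the NAT outside, and the management VRF routes the translated range back through the pair. The VRF names MGMT and CUST-1 come from Matt's sketch; interface numbers, addresses, ACL and pool names are constructed. `match-in-vrf` is assumed to be required because both NAT interfaces sit in the customer VRF; exact syntax should be checked against the IOS-XE release in use.

```cisco
! Added illustrative example, not from the thread. Addresses, names and the
! ACL are constructed; verify the exact syntax against your IOS-XE release.
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
vrf definition CUST-1
 address-family ipv4
 exit-address-family
!
! Customer-facing interface: NAT inside (Derick's layout)
interface GigabitEthernet0/0/1
 vrf forwarding CUST-1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! VASI pair 1: vasiright1 lives in the customer VRF and is the NAT outside;
! vasileft1 is its other half in the management VRF
interface vasiright1
 vrf forwarding CUST-1
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface vasileft1
 vrf forwarding MGMT
 ip address 192.0.2.1 255.255.255.252
!
! Management-facing interface
interface GigabitEthernet0/0/2
 vrf forwarding MGMT
 ip address 172.16.0.1 255.255.255.0
!
! Only the customer hosts that management must reach are eligible for translation
ip access-list standard CUST1-MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
!
! Per-customer translated range reachable from MGMT (172.31.1.0/24 for CUST-1):
! a fixed 1:1 mapping for a host management must initiate to, and PAT for the rest.
! match-in-vrf (assumed) because inside and outside are both in CUST-1.
ip nat inside source static 10.1.1.10 172.31.1.10 vrf CUST-1 match-in-vrf
ip nat pool CUST1-MGMT 172.31.1.200 172.31.1.200 prefix-length 24
ip nat inside source list CUST1-MGMT-HOSTS pool CUST1-MGMT vrf CUST-1 match-in-vrf overload
!
! Routing across the pair: CUST-1 reaches the management network via vasiright1,
! MGMT reaches the translated customer range via vasileft1
ip route vrf CUST-1 172.16.0.0 255.255.0.0 vasiright1
ip route vrf MGMT 172.31.1.0 255.255.255.0 vasileft1
```

Each additional customer repeats the vasileftN/vasirightN block with its own VRF, translated /24 and ACL, which is why the pair count in the thread bounds the number of customers per chassis. Keeping the ACL to the hosts management actually needs, and the static mapping to the one host management must reach unsolicited, limits what the management VRF can see of the customer network and keeps NAT session usage against the ESP limits Derick quotes predictable.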
________________________________
From: Matthew Melbourne <matt at melbourne.org.uk>
To: Derick Winkworth <dwinkworth at att.net>; Neil Fenemor <Neil.Fenemor at fx.net.nz>
Cc: cisco-nsp at puck.nether.net
Sent: Sat, August 7, 2010 10:22:07 AM
Subject: RE: [c-nsp] VRF-Aware NAT in ASR1k

So, are you doing something like:

interface vasileft1
vrf forwarding MGMT
...
interface vasiright1
vrf forwarding CUST-1
...

interface vasileft2
vrf forwarding MGMT
...
interface vasiright2
vrf forwarding CUST-2
...

Do you have to perform NAT using NVI between VRFs? The limitation here may
be that ~500 pairs may not be enough.

The only other option I can see is to NAT the hosts within the Customer VRFs
into the global table and provide some upstream firewalling for external
connectivity?

Cheers,

Matt

________________________________________
From: Derick Winkworth [mailto:dwinkworth at att.net] 
Sent: 07 August 2010 15:53
To: Matthew Melbourne; Neil Fenemor
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF-Aware NAT in ASR1k

I believe the limit is 500 *pairs* of interfaces...

We are using the ASR too for this exact thing.

________________________________________
From: Matthew Melbourne <matt at melbourne.org.uk>
To: Neil Fenemor <Neil.Fenemor at fx.net.nz>
Cc: cisco-nsp at puck.nether.net
Sent: Sat, August 7, 2010 9:04:37 AM
Subject: Re: [c-nsp] VRF-Aware NAT in ASR1k

Yes, I saw VASI Enhancements Phase I in the latest ASR 3.1S release notes.
There is a limit of 500 VASI interfaces which may be an issue for multiple
customer VRFs. Basically, the requirement is to NAT hosts within hosted
customer private networks (VRFs) to another private range which makes them
available and routable from our management systems, and additionally
provides limited Internet access to update servers, etc.

-----Original Message-----
From: Neil Fenemor [mailto:Neil.Fenemor at fx.net.nz] 
Sent: 07 August 2010 02:55
To: Matthew Melbourne
Subject: Re: [c-nsp] VRF-Aware NAT in ASR1k

Hi Matthew, 

Have you looked at VASI at all? It's a reasonably recent addition to the
ASR1k codebase, but does some interesting things. 

Cheers,

neil

On 6/08/2010, at 8:52 PM, Matthew Melbourne wrote:

> Hi,
> 
> Is it possible to implement VRF-Aware NAT on the ASR1k, specifically
> NAT between two different VRFs? Ideally, I have a requirement to NAT
> between customers' VRFs and a management VRF and from customers' VRFs
> to the global table (for limited Internet access).
> 
> Cheers,
> 
> Matt
> 
> -- 
> Matthew Melbourne
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Neil Fenemor
Señor Network Engineer
FX Networks

(m) 021 978 078
(e) neil.fenemor at fx.net.nz
(w) http://www.fx.net.nz/
(p) 04 498 9565
(f) 04 498 9649

Level 3
FX Networks House
138 The Terrace
Wellington




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/