[c-nsp] routing between VRF and global

Jeff Bacon bacon at walleyesoftware.com
Tue Jul 20 15:15:37 EDT 2010


Unfortunately, I've realized I've missed something fairly fundamental: 

All of the tricks for leaking routes between GRT and VRF are just that,
route leaks. But to have the flow be subject to NAT, you need the packet
to come through an interface that you can put an "ip nat inside" on.

Which means the only real option is a "GRE internal hairpin". Except I
can't see how you would implement a tunnel with both endpoints on
the same device - and even if you could, is that the sort of
configuration you'd want other people to see? Because my devices are in
pairs, I could GRE from one to the other.... but at that point, why not
just use a physical hairpin, other than the cost of the physical ports?
  
(Using another device to do the NAT is impractical for a lot of reasons,
the two largest being:
- I don't have space or power in every co-lo I'm located in for Yet
Another Device - one of the points of the 6500s was to combine
everything I needed into a single pair of devices.
- it'd require a non-baby ASR to keep up with some of the traffic loads
due to microbursting, driving the cost through the roof.) 

At some point you have to give up and say "you just can't do it that
way". *sigh* 

-bacon
And yet still, we buy Cisco... 


> -----Original Message-----
> From: Orlov, Sergey [mailto:sorlov at amt.ru]
> Sent: Sunday, July 18, 2010 3:38 PM
> To: Jeff Bacon
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: routing between VRF and global
> 
> Hi Jeff,
> 
> Other possible tricks:
> 
> 1. BGP Support for IP Prefix Import from GRT into a VRF:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> 2. (may be useful depending on your particular problem) VRF source selection:
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/vrfselec.html
> 
> --
> 
> Regarding "internal hairpin" on GRE tunnel: you can run into MTU-related
> issues. And of course the internal forwarding path could be
> unsuspected in this case.
> 
> --
> Sergey


