[c-nsp] NAT through VRF imported routes
Jeff Bacon
bacon at walleyesoftware.com
Fri Feb 25 09:36:30 EST 2011
OK, write this off as another weird thing I want to do and yes I should
be using an ASR and/or multiple layers of hardware but I have a lot of
reasons for not wanting to do either so instead I'm using a
cat6500/vs720, SXI5.
-------------
ip access-list extended NAT-ACL
 permit tcp 10.200.0.0 0.0.255.255 75.98.69.0 0.0.0.255 range 10000 11000
!
ip vrf A
 rd 1:1
 route-target import 1:1
 route-target import 2:2
 route-target export 1:1
!
ip vrf B
 rd 2:2
 route-target import 1:1
 route-target export 2:2
 route-target import 2:2
!
int g1/1
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
int g2/2
 ip vrf forwarding B
 ip address 20.2.2.2 255.255.255.0
 ip nat inside
!
ip nat pool POOL 3.3.3.3 3.3.3.9 prefix-length 24
ip nat inside source list NAT-ACL pool POOL overload

(insert bunch of stuff here using BGP such that the net effect is
 ip route vrf A 75.98.69.0 255.255.255.0 GigabitEthernet1/1
 ip route vrf B 10.200.0.0 255.255.0.0 GigabitEthernet2/2
e.g. importing the routes into the other VRFs)
-------------
Will this actually work, or will it blow up spectacularly in my face?
Something tells me that it'd work on an ASR but not on a cat6500 because
it requires a mind-bending twist that the EARL isn't able to process.
(Though netflow entries don't exist on a per-VRF basis, do they? And NAT
is handled via netflow...)
-bacon