[c-nsp] Cisco ASR 1000 and Hairpinning issue

Pshem Kowalczyk pshem.k at gmail.com
Mon May 6 18:47:43 EDT 2013


Hi,

In these circumstances I suggest you use the vasi interfaces and run
BGP across them with NAT (one end in customer vrf, the other in
internet). Then use import/export from the customer vrf to access all
other resources (unnated). If some addresses are reachable through
both VRFs you can tweak BGP to make sure only the right ones get
selected.

kind regards
Pshem
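The layout Pshem describes, written out as an added IOS XE configuration sketch (constructed for this thread, not from either poster): each customer VRF reaches the shared INTERNET VRF over its own VASI pair, NAT is completed inside the customer VRF before the packet crosses, so a client in CUST_A can hairpin to CUST_B's statically NATed public address without NAT-on-a-stick. Assumed names and addresses: VRFs CUST_A/CUST_B/INTERNET, 203.0.113.0/24 as the public pool, GigabitEthernet0/0/0 as the upstream; static routes stand in for the BGP session Pshem suggests running across the VASI pair.

```text
! Constructed example, not the poster's own config: two customer VRFs
! sharing one INTERNET VRF, each joined to it by its own VASI pair.
vrf definition CUST_A
 address-family ipv4
vrf definition CUST_B
 address-family ipv4
vrf definition INTERNET
 address-family ipv4
!
! Customer-facing interfaces are NAT inside, in the customer VRF.
interface GigabitEthernet0/0/1
 vrf forwarding CUST_A
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0/2
 vrf forwarding CUST_B
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
! The vasileft side stays in the customer VRF and is NAT outside, so
! translation finishes before the packet crosses into INTERNET.
interface vasileft1
 vrf forwarding CUST_A
 ip address 10.255.1.1 255.255.255.252
 ip nat outside
interface vasiright1
 vrf forwarding INTERNET
 ip address 10.255.1.2 255.255.255.252
interface vasileft2
 vrf forwarding CUST_B
 ip address 10.255.2.1 255.255.255.252
 ip nat outside
interface vasiright2
 vrf forwarding INTERNET
 ip address 10.255.2.2 255.255.255.252
!
! CUST_A shares one public address (overload); CUST_B has a 1:1 static.
! match-in-vrf: inside and outside interfaces are both in the customer VRF.
ip access-list standard CUST_A_INSIDE
 permit 10.1.0.0 0.0.0.255
ip nat pool CUST_A_POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
ip nat inside source list CUST_A_INSIDE pool CUST_A_POOL vrf CUST_A match-in-vrf overload
ip nat inside source static 10.2.0.50 203.0.113.50 vrf CUST_B match-in-vrf
!
! Static routes stand in for the BGP session over each VASI pair.
ip route vrf CUST_A 0.0.0.0 0.0.0.0 vasileft1 10.255.1.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 vasileft2 10.255.2.2
ip route vrf INTERNET 203.0.113.1 255.255.255.255 vasiright1 10.255.1.1
ip route vrf INTERNET 203.0.113.50 255.255.255.255 vasiright2 10.255.2.1
ip route vrf INTERNET 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 <UPSTREAM-NEXT-HOP>
```

A CUST_A host sending to 203.0.113.50 is source-translated on vasileft1, routed by INTERNET to vasiright2, and destination-translated to 10.2.0.50 on entering CUST_B through vasileft2; the return path reverses the same two translations, so the public address works identically whether the client is on the internet or in another customer VRF.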


On 7 May 2013 02:12, Lionel THAI <lionel.thai at gmail.com> wrote:
> Dear all,
>
> I would like to get your feedback on an issue we have been facing on our
> ASR. We have been using our ASR to provide our clients with a dedicated
> VRF. Each VRF is granted internet access via and VRF Internet shared where
> we do some sort of segmentation for bandwidth. We use VRF lite with a BGP
> routing protocol between VRF client and VRF Internet. It was not really
> necessary to use BGP but our integrator told us that it could be useful at
> some point.
>
> We have a pool of public IPs that we allocate to our clients, so basically,
> a client could access the internet via a shared public IP address or we can
> allocate a specific public IP if needed. To achieve that, we use NAT rules
> with overload for shared access or some static NAT rules. Each VRF client
> is an IP NAT inside and the VRF Internet is IP NAT outside basically
>
> Now, the problem we have is when a client is trying to reach a resource in
> another VRF that is NATed on a public IP. If we import / export the VRF, no
> problem, we can access the resource using the private IP address range.
> Now, if on the ASR, we set a NAT static from one public IP to a private IP
> in the VRF, then if our client is trying to access this public IP, it is
> not working (although with the private IP is). The public IP is not
> assigned to an interface, so it is not existing except via the static NAT
> rule.
>
> The initial design was proposed by our integrator but they have not been
> able to solve this issue.
> After some googling, we found the traditional solution such as NAT on
> stick, but I think it is not really a clean solution. I looked into the
> VASI interface as well, but I am not sure if this is the right solution.
> The NVI solution was working fine on IOS 15, but is not implemented on IOS
> XR.
>
> Any thoughts or ideas on this would be really appreciated.
>
> Thanks in advance,
>
> Lionel

