[c-nsp] VASI NAT with MPLS

Tim Durack tdurack at gmail.com
Tue Nov 1 16:12:13 EDT 2016 

Had a hard time finding good documentation for this, but this is what I did
in the lab for a NAT-PE:

*RTR-5#sh run | sec vasi*
interface vasileft1
 vrf forwarding V102
 ip address 169.254.0.0 255.255.255.254
 ip nat outside
 no keepalive
interface vasiright1
 vrf forwarding V101
 ip address 169.254.0.1 255.255.255.254
 no keepalive
end

ip route vrf V101 <PUBLIC> 255.255.255.255 vasiright1 169.254.0.0
ip route vrf V102 0.0.0.0 0.0.0.0 vasileft1 169.254.0.1

*RTR-5#sh run | sec ^ip nat*
ip nat pool POOL1 <PUBLIC> <PUBLIC> netmask 255.255.255.255
ip nat inside source list V102-NAT pool POOL1 vrf V102 match-in-vrf overload

*RTR-5#sh run int g0/0/1*
interface GigabitEthernet0/0/1
 description RTR-1(G2/47)
 mtu 9216
 ip unnumbered Loopback0
 no ip redirects
 ip nat inside
 ip ospf network point-to-point
 ip ospf ttl-security
 ip ospf 10 area 0
 negotiation auto
 ipv6 enable
 no ipv6 redirects
 mpls ip
 ospfv3 network point-to-point
 ospfv3 10 ipv6 area 0
end

*RTR-5#sh run int g0/0/2*
interface GigabitEthernet0/0/2
 description RTR-2(G2/47)
 mtu 9216
 ip unnumbered Loopback0
 no ip redirects
 ip nat inside
 ip ospf network point-to-point
 ip ospf ttl-security
 ip ospf 10 area 0
 negotiation auto
 ipv6 enable
 no ipv6 redirects
 mpls ip
 ospfv3 network point-to-point
 ospfv3 10 ipv6 area 0
end

Not entirely intuitive but this worked in the lab...

Tim:>

On Tue, Nov 1, 2016 at 3:53 PM Jason Lixfeld <jason at lixfeld.ca> wrote:

> Hi,
>
> I’m trying to find some documentation to help me understand if it’s
> possible to integrate VASI (IOS XE) NAT between two MPLS VPNs.  The
> examples that I have seen so far seem to imply that a physical interface on
> the left and right sides, each attached to separate VRFs are required, and
> my attempts to do this on MPLS interfaces on the left and right sides
> instead of VRF interfaces have so far been unsuccessful.  My hope is that I
> can use vasileft and vasiright to stitch together two VRFs, with vasileft
> being ip nat inside and vasiright being ip nat outside.
>
> Has anyone seen any docs for deployments along these lines in their
> travels whose links they might be able to share?
>
> Thanks in advance.
>
> Full disclosure - I am testing this in VIRL using CSR1000v nodes because
> the physical hardware for this deployment will be IOS-XE ASR1002 boxes.  I
> am assuming the CSR1000v will be an appropriate virtual substitute.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list