[c-nsp] VASI NAT with MPLS

Nathan Ward cisco-nsp at daork.net
Tue Nov 1 16:25:06 EDT 2016


> On 2/11/2016, at 8:53 AM, Jason Lixfeld <jason at lixfeld.ca> wrote:
> 
> Hi,
> 
> I’m trying to find some documentation to help me understand if it’s possible to integrate VASI (IOS XE) NAT between two MPLS VPNs.  The examples that I have seen so far seem to imply that a physical interface on the left and right sides, each attached to separate VRFs are required, and my attempts to do this on MPLS interfaces on the left and right sides instead of VRF interfaces have so far been unsuccessful.  My hope is that I can use vasileft and vasiright to stitch together two VRFs, with vasileft being ip nat inside and vasiright being ip nat outside.
> 
> Has anyone seen any docs for deployments along these lines in their travels whose links they might be able to share?

I have this running in production. We have an ASR1002x with two physical MPLS interfaces, and no non-MPLS physical interfaces performing CGNAT for broadband customers.

The key is:
- set “ip nat inside” on your MPLS interfaces - the physicals
- set “ip nat outside” on the VASI end that is part of your “inside” VRF. i.e. if VL1 has “vrf forwarding InsideVrf” and VR1 has “vrf forwarding OutsideVrf” then stick “ip nat outside” on VL1.
- proceed as normal with NAT config

If you have multiple NAT routers, you may also wish to run BGP over the VASI to advertise a default or similar from your outside VRF to your inside, in order to get failover going.

Works pretty well, overall. We use this with packets coming in on LDP and RSVP. Have only tested outgoing packets on LDP though, but I’m sure RSVP would work just fine too.

There was a slide pack somewhere that had info on how this works. I can’t find it, but check this out:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html

Perhaps inverting what I’ve suggested is better for some reason and the physicals should have “ip nat outside” - though I’m not sure why.

--
Nathan Ward
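
The interface placement described in the message above, as an added IOS XE sketch that is not part of the original post and is not the poster's production configuration. Only the VRF names InsideVrf and OutsideVrf come from the message; the interface numbers, addresses, RD/RT values, ACL and pool names, the static routes and the exact form of the NAT statement are assumptions.

```cisco
! Constructed example. Every value below is a placeholder.
vrf definition InsideVrf
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
vrf definition OutsideVrf
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
 exit-address-family
!
! Core-facing MPLS physical (global table): "ip nat inside" goes here,
! because labelled InsideVrf traffic enters the box on this interface.
interface TenGigabitEthernet0/0/0
 ip address 192.0.2.0 255.255.255.254
 mpls ip
 ip nat inside
!
! VASI end that sits in the inside VRF: this is the NAT outside interface.
interface vasileft1
 vrf forwarding InsideVrf
 ip address 198.51.100.0 255.255.255.254
 ip nat outside
!
! Paired VASI end in the outside VRF: no NAT keyword on this side.
interface vasiright1
 vrf forwarding OutsideVrf
 ip address 198.51.100.1 255.255.255.254
!
! Assumed "normal" VRF-aware NAT: translate subscriber space seen in InsideVrf.
ip access-list standard CGN-SUBSCRIBERS
 permit 100.64.0.0 0.63.255.255
!
ip nat pool CGN-POOL 203.0.113.1 203.0.113.254 prefix-length 24
ip nat inside source list CGN-SUBSCRIBERS pool CGN-POOL vrf InsideVrf overload
!
! Static stitching across the VASI pair (assumption; the message suggests
! BGP over the VASI instead when several NAT routers need failover).
ip route vrf InsideVrf 0.0.0.0 0.0.0.0 vasileft1 198.51.100.1
ip route vrf OutsideVrf 203.0.113.0 255.255.255.0 vasiright1 198.51.100.0
```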

