[c-nsp] Inter-VRF with NAT

James Bensley jwbensley+cisco-nsp at gmail.com
Sun Aug 18 15:32:10 EDT 2019



On 17 August 2019 20:47:28 CEST, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
>Hello,
>
>    I have a group of devices on my network (customer CPE - DSL modems
>mostly) which don't have the intelligence necessary to route their
>management traffic separately from the user internet traffic. This means
>that packets inbound to management will go outbound to the default
>gateway in the device's routing table instead of being routed back out
>the default gateway for the management interface.
>
>    I have solved this in the past by using a Linux server that had an
>interface on the global network, and another interface facing the
>customer management interfaces, with NAT rules so that packets destined
>TO addresses within the management network would have a source of the
>Linux server itself. This meant that traffic to the CPE management
>interface appeared to be from an IP that was local (on the same network)
>and thus did not require routing. For example, if the management network
>was 172.16.1.0/24 and the CPE had an IP of 172.16.1.100, packets from
>global destined to 172.16.1.100 would appear to the CPE to be coming
>from 172.16.1.1 (the Linux server). Unfortunately, for various network
>reasons, this doesn't scale (the Linux server has to have direct L2
>connectivity to each such network, which becomes unmanageable).
>
>    I have been trying to discern a more Cisco-centric way of
>accomplishing this end goal, and I need some help fleshing this out. My
>thoughts are that the router of course will have an L2 interface on the
>CPE management network, and this could be inside a separate VRF. If the
>VRF/management network was 172.16.1.0/24, I would want this same route
>also in my global table so I can address hosts on this network, with the
>switch to VRF/NAT on the inside. Is this possible, or am I just
>conceptualizing this wrong?
>
>Mike-

Hi Mike,

I'm not sure I've understood your network topology, to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1], to run multiple VRFs over different VLANs, e.g. internet in the global routing table over VLAN 10, management VRF over VLAN 20, etc.? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?

Cheers,
James.

[1] Multiple ATM virtual circuits are usually not an option.
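The Linux NAT gateway Mike describes in his message (one leg on the global network, one leg on each CPE management LAN, SNAT so the CPE sees an on-link source) can be written down as an iptables rule set. The script below is an added example for this thread, not code from either poster; the interface names eth0/eth1 and the NMS prefix 10.0.0.0/24 are assumptions, and the management LAN 172.16.1.0/24 with the gateway at 172.16.1.1 is taken from Mike's example. It emits the rules rather than applying them, so they can be reviewed (and tested) before being run as root with `--apply`.

```shell
#!/bin/sh
# Added example: Linux "NAT box with a leg on each CPE management LAN".
# Assumed (hypothetical) names: eth0 faces the global network, eth1 faces the
# CPE management LAN 172.16.1.0/24 on which this host is 172.16.1.1, and the
# management station(s) live in 10.0.0.0/24.
GLOBAL_IF="${GLOBAL_IF:-eth0}"
MGMT_IF="${MGMT_IF:-eth1}"
MGMT_NET="${MGMT_NET:-172.16.1.0/24}"
MGMT_IP="${MGMT_IP:-172.16.1.1}"
NMS_NET="${NMS_NET:-10.0.0.0/24}"   # constructed example prefix for the NMS

# Emit the rule set for one management LAN: $1 = LAN prefix, $2 = LAN-facing
# interface, $3 = this host's address on that LAN.
mgmt_nat_rules() {
    mgmt_net="$1"; mgmt_if="$2"; mgmt_ip="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Only the NMS may be forwarded toward the CPE management LAN, and CPEs may
# not initiate anything toward the global side (they have no route back anyway).
iptables -A FORWARD -i $GLOBAL_IF -o $mgmt_if -s $NMS_NET -d $mgmt_net -j ACCEPT
iptables -A FORWARD -i $mgmt_if -o $GLOBAL_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $mgmt_if -j DROP
iptables -A FORWARD -i $mgmt_if -j DROP
# Rewrite the source of everything leaving toward the CPE LAN to this host's
# on-link address, so the CPE answers a neighbour instead of routing via its
# WAN default. Conntrack reverses the translation on the reply, so no DNAT
# is needed for the return path.
iptables -t nat -A POSTROUTING -o $mgmt_if -d $mgmt_net -j SNAT --to-source $mgmt_ip
EOF
}

# Sanity check usable from a test: number of SNAT rules generated for a LAN.
count_snat_rules() {
    mgmt_nat_rules "$@" | grep -c -- '-j SNAT'
}

# Review by default; apply only when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    mgmt_nat_rules "$MGMT_NET" "$MGMT_IF" "$MGMT_IP" | sh
else
    mgmt_nat_rules "$MGMT_NET" "$MGMT_IF" "$MGMT_IP"
fi
```

The FORWARD rules are the part worth keeping even if the NAT moves onto a router: the CPE management side should only ever be reachable from the management station prefix, and the CPEs must not be able to originate traffic back through the box. Each additional management LAN needs another call to `mgmt_nat_rules` with its own interface and address, which is exactly the per-LAN layer 2 leg that Mike says stops scaling.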
