[c-nsp] Inter-VRF with NAT

Mike mike-cisconsplist at tiedyenetworks.com
Sun Aug 18 16:13:59 EDT 2019


> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1], to run multiple VRFs over different VLANs, e.g. internet in the global routing table over VLAN 10, management VRF over VLAN 20 etc.? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?

My CPE devices are typically Zyxel. On the WAN interface of these
devices, we usually have one service which is customer internet access
(PPPoE or DHCP), and then another service which is mapped at either a
different VLAN or a different VCI/VPI, which is for management (and it's
always DHCP). So, from the perspective of the device, it only has one
routing table - the global table - and the 'default route' will normally
be the internet service gateway.  A common short-sightedness in these is
that they can't do policy routing, and they can't have a separate
routing table where management network traffic uses a gateway different
from the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber.
So, VLAN 10 would service PPPoE/DHCP to the internet, while VLAN 20
would be management traffic. I would like to have VLAN 20 in a separate
VRF, and I would like to be able to assign it an IP address
(172.16.1.1), and I want to hand out addresses to the CPE in the range
of 172.16.1.x. But, because the CPE are braindead, I need to arrange
things so management access to the CPE all appears to come from
172.16.1.1. That way, the devices won't need to consult the routing
table for a gateway and will instead simply ARP for 172.16.1.1 as
it's on the same L3 network segment. This is the only way to deal with
devices that don't know the correct gateway back. The only way I know
how to accomplish this is with NAT, unless there is some other SOCKS
type proxy on my ASR1000 I don't know about.


Mike-
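The arrangement Mike describes (management VLAN in its own VRF, the CPE addressed out of 172.16.1.0/24, and every management session source-translated to the VLAN's own address 172.16.1.1 so the CPE only ever ARPs on-link) can be expressed as an IOS-XE configuration. The fragment below is an added illustration, not configuration from the original thread or from any Cisco document. It assumes interface names, the VRF name MGMT, the ACL name, and a management station prefix of 10.10.0.0/24 that sits on an interface already inside VRF MGMT; that keeps the translation intra-VRF (the `match-in-vrf` form). If the management stations actually live in the global table or another VRF, the prefix has to be leaked into MGMT first or a different NAT form used, which is not shown here. Verify the NAT syntax against the IOS-XE release running on the ASR1000 before use.

```cisco
! Added example (assumed names and addresses), not from the original post.
! VRF that carries only the subscriber management VLAN and the NMS hosts.
vrf definition MGMT
 rd 65000:20
 address-family ipv4
 exit-address-family
!
! Management-station side (assumed 10.10.0.0/24), placed in VRF MGMT.
! This is the NAT "inside": sessions originate here.
interface GigabitEthernet0/0/1
 vrf forwarding MGMT
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! Subscriber-facing management VLAN 20 (assumed dot1Q subinterface).
! 172.16.1.1 is both the DHCP default gateway handed to the CPE and the
! address every management session is translated to, so the CPE never has
! to pick a gateway: it ARPs for 172.16.1.1 on its own segment.
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 vrf forwarding MGMT
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
!
! Addresses for the CPE management interface, served inside the VRF.
ip dhcp pool CPE-MGMT
 vrf MGMT
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
! Translate only NMS-to-CPE traffic; nothing else on the VRF is rewritten.
ip access-list extended NMS-TO-CPE
 permit ip 10.10.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! PAT all matching sessions to the VLAN 20 interface address (172.16.1.1),
! with both inside and outside in VRF MGMT (intra-VRF NAT).
ip nat inside source list NMS-TO-CPE interface GigabitEthernet0/0/0.20 vrf MGMT overload match-in-vrf
```

Two points worth checking on a box built this way: the subscriber VLAN is untrusted, so an inbound ACL on the VLAN 20 subinterface should limit CPE-originated traffic to DHCP and the return half of established management sessions rather than letting the CPE reach anything else in the VRF; and because the translation hides the real NMS addresses from the CPE, the NAT table (`show ip nat translations vrf MGMT`) becomes the only place that maps a CPE-side session back to the station that opened it, so keep it reachable from wherever you do incident triage.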
