[c-nsp] Inter-VRF with NAT

Andrey Kostin ankost at podolsk.ru
Mon Aug 19 08:47:04 EDT 2019


Does your CPE allow static routes in addition to the default route?
The situation you are describing is typical for all Juniper routers 
where the management ethernet port can't be isolated in a VRF and so has 
to use the GRT, although routing between this fxp interface and the normal 
ports isn't possible. The solution is to have a more specific route to the 
management network, usually private, so there is no harm to connectivity 
to the public address space.

Kind regards,
Andrey Kostin

Mike wrote 2019-08-18 16:13:
>> Hi Mike,
>> 
>> I'm not sure I've understood your network topology to be honest. Are 
>> you saying that you have Cisco devices with a single WAN link that 
>> doesn't support logical separation such as VLANs, e.g. ADSL [1], to run 
>> multiple VRFs over different VLANs, e.g. internet in the global routing 
>> table over VLAN 10, management VRF over VLAN 20 etc.? And you basically 
>> want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so 
>> that you don't have to NAT your management traffic or need layer 2 
>> connectivity to every CPE?
> 
> My CPE devices are typically Zyxel. On the WAN interface of these
> devices, we usually have one service which is customer internet access
> (PPPoE or DHCP), and then another service which is mapped at either a
> different VLAN or a different VCI/VPI, which is for management (and it's
> always DHCP). So, from the perspective of the device, it only has one
> routing table - the global table - and the 'default route' will normally
> be the internet service gateway. A common short-sightedness in these is
> that they can't do policy routing, and they can't have a separate
> routing table where management network traffic uses a gateway different
> than the internet service gateway.
> 
> The broadband aggregation router will have layer 2 to the subscriber.
> So, VLAN 10 would service PPPoE/DHCP to the internet, while VLAN 20
> would be management traffic. I would like to have VLAN 20 in a separate
> VRF, and I would like to be able to assign it an IP address
> (172.16.1.1), and I want to hand out addresses to the CPE in the range
> of 172.16.1.x. But, because the CPE are braindead, I need to arrange
> things so management access to the CPE all appears to come from
> 172.16.1.1. That way, the devices won't need to consult the routing
> table for a gateway and will instead simply ARP for 172.16.1.1, as
> it's on the same L3 network segment. This is the only way to deal with
> devices that don't know the correct gateway back. The only way I know
> how to accomplish this is with NAT, unless there is some other SOCKS
> type proxy on my ASR1000 I don't know about.
> 
> 
> Mike-
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
