[c-nsp] Inter-VRF with NAT

Aaron Gould aaron1 at gvtc.com
Mon Aug 19 08:58:22 EDT 2019


We have lots of zyxel's and manage all them with their public address.  Why don't you just do that? 

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Sunday, August 18, 2019 3:14 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Inter-VRF with NAT


> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs over different VLANs, e.g. internet in global routing table over VLAN 10, management VRF over VLAN 20 etc? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?

My cpe devices are typically zyxel. On the wan interface of these
devices, we usually have one service which is customer internet access
(pppoe or dhcp), and then another service which is mapped at either a
different vlan or a different vci/vpi, which is for management (and it's
always dhcp). So, from the perspective of the device, it only has one
routing table - the global table - and the 'default route' will normally
be the internet service gateway.  A common short-sightedness in these is
that they can't do policy routing, and they can't have a separate
routing table where management network traffic uses a gateway different
than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber.
So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20
would be management traffic. I would like to have vlan 20 in a separate
vrf, and I would like to be able to assign it an ip address
(172.16.1.1), and I want to hand out addresses to the cpe in the range
of 172.16.1.x. But, because the CPE are braindead, I need to arrange
things so management access to the cpe all appear to come from
172.16.1.1. That way, the devices won't need to consult the routing
table for a gateway and will instead simply arp for the 172.16.1.1 as
it's on the same l3 network segment. This is the only way to deal with
devices that don't know the correct gateway back. The only way I know
how to accomplish this is with nat, unless there was some other socks
type proxy on my asr1000 I don't know about.


Mike-
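One way to build what Mike describes (management VLAN 20 in its own VRF, every management session translated so the CPE sees it coming from 172.16.1.1), as an added example that is not part of the thread or anyone's posted configuration. It assumes an IOS-XE aggregation router with both the management servers and the CPE VLAN placed in a VRF named MGMT; the interface names, the VRF name/RD and the 10.200.0.0/24 server subnet are made up, and the true inter-VRF case (servers left in the global table) needs further NAT configuration that this example does not cover.

```cisco
! Added example, not from the thread. Constructed names: VRF MGMT,
! GigabitEthernet0/0/1 (management servers, 10.200.0.0/24) and
! GigabitEthernet0/0/0.20 (VLAN 20 towards the CPE). 172.16.1.0/24 and
! VLAN 20 are the values from Mike's post.
!
vrf definition MGMT
 rd 65000:20
 address-family ipv4
 exit-address-family
!
! Management-server side: NAT "inside", i.e. the sources that get translated
interface GigabitEthernet0/0/1
 vrf forwarding MGMT
 ip address 10.200.0.1 255.255.255.0
 ip nat inside
!
! CPE side: the CPEs only ever see 172.16.1.1, so this is NAT "outside"
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 vrf forwarding MGMT
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
!
! Only the management-server subnet is eligible for translation; anything
! else sourced towards the CPE VLAN is simply not translated and should be
! filtered on the interfaces as well, so the CPEs stay reachable from the
! NMS hosts only.
ip access-list standard NMS-SOURCES
 permit 10.200.0.0 0.0.0.255
!
! PAT every management session to the VLAN 20 interface address and keep
! both sides of the translation inside VRF MGMT (match-in-vrf). The CPE
! replies to 172.16.1.1, which is on its own subnet, so it ARPs for it and
! never needs a correct gateway entry.
ip nat inside source list NMS-SOURCES interface GigabitEthernet0/0/0.20 vrf MGMT match-in-vrf overload
!
! Hand out 172.16.1.x to the CPE from the router itself, keeping .1 out of
! the pool. The default-router value only matters for the CPE's own
! outbound traffic; management reachability no longer depends on it.
ip dhcp excluded-address vrf MGMT 172.16.1.1
ip dhcp pool CPE-MGMT
 vrf MGMT
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
! Verify the translations from a session out of 10.200.0.0/24 to a CPE:
! show ip nat translations vrf MGMT
```

Because every session is overloaded onto 172.16.1.1, the CPE's own logs cannot distinguish which management host connected, so keep the per-operator audit trail on the NMS side (or a jump host) rather than on the CPE.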




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/