[c-nsp] Inter-VRF with NAT

David Prall dcp at dcptech.com
Mon Sep 2 19:38:48 EDT 2019


Have you looked at VASI configuration? https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html

David
--
http://dcp.dcptech.com
 

On 8/19/19, 8:58 AM, "cisco-nsp on behalf of Aaron Gould" <cisco-nsp-bounces at puck.nether.net on behalf of aaron1 at gvtc.com> wrote:

    We have lots of Zyxels and manage all of them with their public address. Why don't you just do that?
    
    -Aaron
    
    -----Original Message-----
    From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
    Sent: Sunday, August 18, 2019 3:14 PM
    To: cisco-nsp at puck.nether.net
    Subject: Re: [c-nsp] Inter-VRF with NAT
    
    
    > Hi Mike,
    >
    > I'm not sure I've understood your network topology to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs over different VLANs, e.g. internet in global routing table over VLAN 10, management VRF over VLAN 20 etc? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?
    
    My cpe devices are typically zyxel. On the wan interface of these
    devices, we usually have one service which is customer internet access
    (pppoe or dhcp), and then another service which is mapped at either a
    different vlan or a different vci/vpl, which is for management (and it's
    always dhcp). So, from the perspective of the device, it only has one
    routing table - the global table - and the 'default route' will normally
    be the internet service gateway.  A common short-sightedness in these is
    that they can't do policy routing, and they can't have a separate
    routing table where management network traffic uses a gateway different
    than the internet service gateway.
    
    The broadband aggregation router will have layer 2 to the subscriber.
    So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20
    would be management traffic. I would like to have vlan 20 in a separate
    vrf, and I would like to be able to assign it an ip address
    (172.16.1.1), and I want to hand out addresses to the cpe in the range
    of 172.16.1.x. But, because the CPE are braindead, I need to arrange
    things so management access to the cpe all appear to come from
    172.16.1.1. That way, the devices won't need to consult the routing
    table for a gateway and will instead simply arp for the 172.16.1.1 as
    it's on the same l3 network segment. This is the only way to deal with
    devices that don't know the correct gateway back. The only way I know
    how to accomplish this is with nat, unless there was some other socks
    type proxy on my asr1000 I don't know about.
    
    
    Mike-
    
    
    
    
    _______________________________________________
    cisco-nsp mailing list  cisco-nsp at puck.nether.net
    https://puck.nether.net/mailman/listinfo/cisco-nsp
    archive at http://puck.nether.net/pipermail/cisco-nsp/
    
    




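Added example, not part of any poster's message: a small model of the single-routing-table lookup described in the quoted text, showing why a reply to an off-link management source leaves via the internet default route while a reply to a source NATed to 172.16.1.1 stays on the management segment. The /24 mask, the interface names, the 198.51.100.0/24 internet addressing and the 10.20.30.40 management station are constructed assumptions.

```python
import ipaddress

# Constructed CPE routing table: one global table, default route via the
# internet service, plus a connected route on the management VLAN.
# Tuple layout: (prefix, outgoing interface, gateway or None if on-link).
CPE_ROUTES = [
    ("0.0.0.0/0", "wan-internet", "198.51.100.1"),
    ("198.51.100.0/24", "wan-internet", None),
    ("172.16.1.0/24", "wan-mgmt", None),  # /24 is assumed from "172.16.1.x"
]


def next_hop(routes, dst):
    """Longest-prefix match. Returns (interface, gateway).

    A gateway of None means the destination is on-link, so the device
    ARPs for it directly instead of forwarding to a router.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_path(mgmt_source):
    """Path the CPE picks for its reply to a packet from mgmt_source."""
    return next_hop(CPE_ROUTES, mgmt_source)


def reply_returns_on_mgmt(mgmt_source):
    """True when the reply goes straight back out the management VLAN."""
    iface, gateway = reply_path(mgmt_source)
    return iface == "wan-mgmt" and gateway is None


if __name__ == "__main__":
    for label, src in [("no NAT, real station address", "10.20.30.40"),
                       ("source NATed to VRF interface", "172.16.1.1")]:
        iface, gateway = reply_path(src)
        via = gateway or "on-link (ARP)"
        print(f"{label:32} src={src:13} reply -> {iface} via {via}")
```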