[j-nsp] NAT per VRF in M7i issue

cros_m at tsm.es cros_m at tsm.es
Wed May 4 06:11:42 EDT 2005


Hello

I work in a company in which nearly all the MPLS network is composed of
Cisco routers, but we recently started to deploy Juniper routers (M7i with
ASM).
We need to implement NAT per VRF, and in IOS it is quite easy. We are finding
more problems on the JunOS side.  I've been reading the JunOS documentation
about NAT and nearly all the examples seem to do it between VRF and the
global routing table. There is also an example about NAT between VRFs, but
our scenario is not covered at all.  I'll try to summarize the most
significant facts:

[REQ1]  We need to make Static NAT in the PE-CE interface of a VRF.
The NAT is done for traffic originated and terminated in the CE.  Reading
the docs, it seems we need to create 2 nat-rules, one matching the INPUT
direction and the other the OUTPUT direction.

[REQ2] NAT pools associated to the VRF overlap with prefixes in Global
routing table.
This may impose a restriction for the option of using "Interface service",
because NAT pools appear in inet.0

[REQ3] There is an eBGP session with the CE router which announces the
default route (0.0.0.0).
I tried putting "inside-service-interface" and "outside-service-interface"
of "Next-hop service" inside the VRF instance. The problem is that if I
follow the examples, the static route to the "sp" interface competes against
the eBGP default route.

   set routing-instances <vrf_name> routing-options static route 0.0.0.0/0 next-hop sp-1/2/0.I

[REQ4] A very small percentage of the CE traffic needs NAT to be applied,
so redirecting all the traffic to the ASP/ASM could create a bottleneck in
this device. Maybe a Firewall Filter could be an option, but I don't know
if it is compatible with NAT services.

I would like to ask if anyone with a similar topology or requirements was
able to solve it without passing through the Global routing table.

Thanks

             Miguel






