VRF-Aware NAT PE Router Configuration with MPLS L3VPN
Table of Contents
- What is VRF-aware NAT with MPLS L3VPN?
- How to configure a VRF-aware NAT PE router?
- Download section
What is VRF-aware NAT with MPLS L3VPN?
VRF-aware NAT is an address translation mechanism that is bound to a specific VRF routing table. Two VRFs may carry overlapping IP address space, and VRF-aware NAT keeps a separate translation for each VRF, so the overlapping addresses are still distinguished. This is especially useful in an MPLS Layer 3 VPN architecture, where shared services have to be reachable from several VRF address spaces that belong to different customers.
The image shows an MPLS NAT PE router providing Internet access for two different VRFs that use the same IP address space. The NAT PE advertises a default route to both CE routers and translates the VRF source addresses to the single global outside address on interface Gi0/0. The following configuration, applied on the NAT PE router, highlights the important elements of VRF-aware NAT.
NAT-PE>enable
NAT-PE#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NAT-PE(config)#
NAT-PE(config)#ip route vrf Copper 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.3.2 global
NAT-PE(config)#ip route vrf Gold 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.3.2 global
NAT-PE(config)#
NAT-PE(config)#ip access-list standard ACL-INSIDE-ADDRESS
NAT-PE(config-std-nacl)#permit 192.168.1.0 0.0.0.255
NAT-PE(config-std-nacl)#exit
NAT-PE(config)#
NAT-PE(config)#ip nat inside source list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 vrf Copper overload
NAT-PE(config)#ip nat inside source list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 vrf Gold overload
NAT-PE(config)#
NAT-PE(config)#interface Gi0/0
NAT-PE(config-if)#ip nat outside
NAT-PE(config-if)#exit
NAT-PE(config)#
NAT-PE(config)#interface Gi0/1
NAT-PE(config-if)#ip nat inside
NAT-PE(config-if)#exit
NAT-PE(config)#exit
NAT-PE#
How to configure a VRF-aware NAT PE router?
In the following example scenario, two customers are connected to an MPLS Layer 3 VPN service provider using VRF Gold and VRF Copper. The two independent customer sites use overlapping IP addresses: both sites are configured with 192.168.1.0/24. Because the MPLS VPN routes are kept apart by Route Distinguisher and Route Target import/export rules, both sites can reach the Server on the Internet, which is a shared resource.
PE router R10 has VRF-aware Network Address Translation (NAT) configured and advertises a default route to each customer site's CE router. This means that Host1 and Host2 can both use the IP address 192.168.1.1 and still share the same outside IP address 10.0.3.1 configured on the NAT PE R10. The interfaces on the NAT PE R10 are not configured under a VRF, and the VRF static routes point to the IP address of R11 in the global RIB.
Configuration:
R10 (NAT PE)
R10#show run all | sec ^mpls ip__
mpls ip
R10#show run | sec ^mpls
mpls label range 1000 1099
mpls ldp router-id Loopback10 force
R10#show run int Lo10 | sec int
interface Loopback10
 ip address 10.10.10.10 255.255.255.255
R10#show run | sec ^vrf
vrf definition Copper
 rd 65010:2
 !
 address-family ipv4
  route-target export 65010:2
  route-target import 65010:2
 exit-address-family
vrf definition Gold
 rd 65010:1
 !
 address-family ipv4
  route-target export 65010:1
  route-target import 65010:1
 exit-address-family
R10#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Internet Access (Global RIB) **
 ip address 10.0.3.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
R10#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R9 **
 ip address 10.7.0.1 255.255.255.252
 ip router isis
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point
R10#show run | sec ^router
router isis
 net 49.0010.0000.0000.0010.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 10.10.10.10
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Copper
  network 0.0.0.0
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 0.0.0.0
 exit-address-family
R10#show run | sec ^ip route
ip route vrf Copper 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.3.2 global
ip route vrf Gold 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.3.2 global
R10#show run | sec ^ip nat
ip nat inside source list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 vrf Copper overload
ip nat inside source list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 vrf Gold overload
R10#show run | sec ^ip access
ip access-list standard ACL-INSIDE-ADDRESS
 permit 192.168.1.0 0.0.0.255
R11 (Internet Access)
R11#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Internet and Server **
 ip address 172.16.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
R11#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to MPLS PE R10 (Global RIB) **
 ip address 10.0.3.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
R5 (PE)
R5#show run all | sec ^mpls ip__
mpls ip
R5#show run | sec ^mpls
mpls label range 500 599
mpls ldp router-id Loopback10 force
R5#show run int Lo10 | sec int
interface Loopback10
 ip address 5.5.5.5 255.255.255.255
R5#show run | sec ^vrf
vrf definition Copper
 rd 65010:2
 !
 address-family ipv4
  route-target export 65010:2
  route-target import 65010:2
 exit-address-family
R5#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R6 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R5#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R6 in VRF Copper **
 encapsulation dot1Q 10
 vrf forwarding Copper
 ip address 10.0.2.1 255.255.255.252
R5#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R4 **
 ip address 10.3.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point
R5#show run | sec ^router
router isis
 net 49.0010.0000.0000.0005.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Copper
  network 10.0.2.0 mask 255.255.255.252
  neighbor 10.0.2.2 remote-as 65002
  neighbor 10.0.2.2 activate
 exit-address-family
R2 (PE)
R2#show run all | sec ^mpls ip__
mpls ip
R2#show run | sec ^mpls
mpls label range 200 299
mpls ldp router-id Loopback10 force
R2#show run int Lo10 | sec int
interface Loopback10
 ip address 2.2.2.2 255.255.255.255
R2#show run | sec ^vrf
vrf definition Gold
 rd 65010:1
 !
 address-family ipv4
  route-target export 65010:1
  route-target import 65010:1
 exit-address-family
R2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R1 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R2#show run int Gi0/0.10 | sec int
interface GigabitEthernet0/0.10
 description ** to CE R1 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.1.1 255.255.255.252
R2#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R3 **
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point
R2#show run | sec ^router
router isis
 net 49.0010.0000.0000.0002.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 bgp scan-time 5
 neighbor 8.8.8.8 remote-as 65010
 neighbor 8.8.8.8 update-source Loopback10
 !
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Gold
  network 10.0.1.0 mask 255.255.255.252
  neighbor 10.0.1.2 remote-as 65001
  neighbor 10.0.1.2 activate
 exit-address-family
R8 (BGP RR)
R8#show run int Lo10 | sec int
interface Loopback10
 ip address 8.8.8.8 255.255.255.255
R8#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to R7 **
 ip address 10.5.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R8#show run | sec ^router
router isis
 net 49.0010.0000.0000.0008.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
router bgp 65010
 bgp router-id 8.8.8.8
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65010
 neighbor 2.2.2.2 update-source Loopback10
 neighbor 5.5.5.5 remote-as 65010
 neighbor 5.5.5.5 update-source Loopback10
 neighbor 10.10.10.10 remote-as 65010
 neighbor 10.10.10.10 update-source Loopback10
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 route-reflector-client
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 route-reflector-client
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community extended
  neighbor 10.10.10.10 route-reflector-client
 exit-address-family
R1 (CE)
R1#show run | sec ^vrf
vrf definition Gold
 rd 1:1
 !
 address-family ipv4
 exit-address-family
R1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host1 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R1#show run int Gi0/0.1 | sec int
interface GigabitEthernet0/0.1
 description ** to Host1 in VRF Gold (VLAN 1) **
 encapsulation dot1Q 1 native
 vrf forwarding Gold
 ip address 192.168.1.2 255.255.255.0
R1#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to PE R2 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R1#show run int Gi0/1.10 | sec int
interface GigabitEthernet0/1.10
 description ** to PE R2 in VRF Gold **
 encapsulation dot1Q 10
 vrf forwarding Gold
 ip address 10.0.1.2 255.255.255.252
R1#show run | sec ^router
router bgp 65001
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Gold
  network 192.168.1.0
  neighbor 10.0.1.1 remote-as 65010
  neighbor 10.0.1.1 activate
 exit-address-family
R6 (CE)
R6#show run | sec ^vrf
vrf definition Copper
 rd 1:1
 !
 address-family ipv4
 exit-address-family
R6#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Host2 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R6#show run int Gi0/0.1 | sec int
interface GigabitEthernet0/0.1
 description ** to Host2 in VRF Copper (VLAN 1) **
 encapsulation dot1Q 1 native
 vrf forwarding Copper
 ip address 192.168.1.2 255.255.255.0
R6#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to PE R5 **
 no ip address
 duplex auto
 speed auto
 media-type rj45
R6#show run int Gi0/1.10 | sec int
interface GigabitEthernet0/1.10
 description ** to PE R5 in VRF Copper **
 encapsulation dot1Q 10
 vrf forwarding Copper
 ip address 10.0.2.2 255.255.255.252
R6#show run | sec ^router
router bgp 65002
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf Copper
  network 192.168.1.0
  neighbor 10.0.2.1 remote-as 65010
  neighbor 10.0.2.1 activate
 exit-address-family
R7
R7#show run all | sec ^mpls ip__
mpls ip
R7#show run | sec ^mpls
mpls label range 700 799
mpls ldp router-id Loopback10 force
R7#show run int Lo10 | sec int
interface Loopback10
 ip address 7.7.7.7 255.255.255.255
R7#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to RR R8 **
 ip address 10.5.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 isis circuit-type level-2-only
 isis network point-to-point
R7#show run int Gi0/1 | sec int
interface GigabitEthernet0/1
 description ** to R4 **
 ip address 10.4.0.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point
R7#show run int Gi0/2 | sec int
interface GigabitEthernet0/2
 description ** to R9 **
 ip address 10.6.0.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
 isis circuit-type level-2-only
 isis network point-to-point
R7#show run | sec ^router
router isis
 net 49.0010.0000.0000.0007.00
 is-type level-2-only
 advertise passive-only
 metric-style wide
 log-adjacency-changes
 passive-interface Loopback10
Host1
Host1#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R1 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
Host1#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Host2
Host2#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to CE R6 **
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
Host2#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server
Server#show run int Gi0/0 | sec int
interface GigabitEthernet0/0
 description ** to Internet and R11 **
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
Server#show run | sec ^ip route
ip route 0.0.0.0 0.0.0.0 172.16.0.2
Host1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 49/50/52 ms   « Host1 can reach the Server
Host1#trace 172.16.0.1 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 2 msec
  2 10.0.1.1 23 msec
  3 10.1.0.2 [MPLS: Labels 307/1001 Exp 0] 28 msec   « MPLS label stack
  4 10.2.0.2 [MPLS: Labels 408/1001 Exp 0] 26 msec
  5 10.4.0.2 [MPLS: Labels 708/1001 Exp 0] 27 msec
  6 10.6.0.2 [MPLS: Labels 907/1001 Exp 0] 29 msec
  7 10.7.0.1 [MPLS: Label 1001 Exp 0] 27 msec   « VPN Service Label assigned by PE R10
  8 10.0.3.2 52 msec
  9 172.16.0.1 51 msec
Host2#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/49 ms
Host2#trace 172.16.0.1 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 2 msec
  2 10.0.2.1 23 msec
  3 10.3.0.2 [MPLS: Labels 408/1000 Exp 0] 25 msec
  4 10.4.0.2 [MPLS: Labels 708/1000 Exp 0] 25 msec
  5 10.6.0.2 [MPLS: Labels 907/1000 Exp 0] 25 msec
  6 10.7.0.1 [MPLS: Label 1000 Exp 0] 25 msec
  7 10.0.3.2 48 msec
  8 172.16.0.1 50 msec
As the router outputs above show, both hosts can reach the Server through the MPLS network. This works because the NAT PE R10 performs address translation independently for each VRF. The following outputs from the PE R10 show these translations.
R10#show ip nat translations vrf Gold
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.0.3.1:8         192.168.1.1:8      172.16.0.1:8       172.16.0.1:8        « Source address 192.168.1.1 translated to source address 10.0.3.1
udp  10.0.3.1:49161     192.168.1.1:49161  172.16.0.1:33441   172.16.0.1:33441
udp  10.0.3.1:49162     192.168.1.1:49162  172.16.0.1:33442   172.16.0.1:33442
udp  10.0.3.1:49171     192.168.1.1:49171  172.16.0.1:33441   172.16.0.1:33441
udp  10.0.3.1:49172     192.168.1.1:49172  172.16.0.1:33442   172.16.0.1:33442
R10#show ip nat translations vrf Copper
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.0.3.1:6         192.168.1.1:6      172.16.0.1:6       172.16.0.1:6
udp  10.0.3.1:49160     192.168.1.1:49160  172.16.0.1:33440   172.16.0.1:33440
udp  10.0.3.1:1024      192.168.1.1:49161  172.16.0.1:33441   172.16.0.1:33441
udp  10.0.3.1:49169     192.168.1.1:49169  172.16.0.1:33440   172.16.0.1:33440
udp  10.0.3.1:49170     192.168.1.1:49170  172.16.0.1:33441   172.16.0.1:33441
R10#show ip nat statistics
Total active translations: 10 (0 static, 10 dynamic; 10 extended)
Peak translations: 10, occurred 00:00:20 ago
Outside interfaces:   « NAT interfaces are not configured in a VRF, they use the global RIB
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 96  Misses: 0
CEF Translated packets: 88, CEF Punted packets: 8
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 5] access-list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 refcount 5
[Id: 6] access-list ACL-INSIDE-ADDRESS interface GigabitEthernet0/0 refcount 5
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
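The Copper entry 10.0.3.1:1024 above deserves a second look: both VRFs send from 192.168.1.1:49161 to 172.16.0.1:33441, and because they share the one inside-global address 10.0.3.1 they also share its port space, so the second flow has to get a different global port. The Python below is an added model of that behaviour (not the page's or Cisco's code): forward state keyed by VRF, a shared reverse table that is the only thing mapping return traffic back to the right VRF, and a fallback-port rule (next free port from 1024) that is an assumption chosen to reproduce the 1024 entry, not a description of how IOS allocates ports.

```python
"""Constructed model of VRF-aware NAT overload on a NAT PE (not IOS code):
VRF Gold and VRF Copper both contain 192.168.1.1 and share the single
inside-global address 10.0.3.1, so they also share its port space."""
from dataclasses import dataclass, field

OUTSIDE_ADDR = "10.0.3.1"  # inside global address, i.e. the Gi0/0 address
FALLBACK_PORT = 1024       # assumption: first port tried on a collision


@dataclass(frozen=True)
class Flow:
    vrf: str           # VRF the packet arrived in on the inside interface
    proto: str         # "udp", "tcp" or "icmp"
    inside_local: str  # "addr:port" ("addr:id" for icmp)
    outside: str       # "addr:port" of the server


@dataclass
class VrfAwareNat:
    # forward: (vrf, proto, inside_local, outside) -> inside_global
    forward: dict = field(default_factory=dict)
    # reverse: (proto, inside_global, outside) -> (vrf, inside_local)
    reverse: dict = field(default_factory=dict)
    next_fallback: int = FALLBACK_PORT

    def _pick_global_port(self, proto: str, wanted: int, outside: str) -> int:
        # Keep the host's own source port while it is free on 10.0.3.1 (as the
        # Gold entries show); otherwise hand out the next free low port.
        if (proto, f"{OUTSIDE_ADDR}:{wanted}", outside) not in self.reverse:
            return wanted
        while (proto, f"{OUTSIDE_ADDR}:{self.next_fallback}", outside) in self.reverse:
            self.next_fallback += 1
        port, self.next_fallback = self.next_fallback, self.next_fallback + 1
        return port

    def translate_out(self, flow: Flow) -> str:
        """Inside -> outside: the inside-global addr:port used for this flow."""
        key = (flow.vrf, flow.proto, flow.inside_local, flow.outside)
        if key not in self.forward:
            wanted = int(flow.inside_local.rsplit(":", 1)[1])
            port = self._pick_global_port(flow.proto, wanted, flow.outside)
            self.forward[key] = f"{OUTSIDE_ADDR}:{port}"
            self.reverse[(flow.proto, self.forward[key], flow.outside)] = (
                flow.vrf, flow.inside_local)
        return self.forward[key]

    def translate_in(self, proto: str, dst: str, src: str):
        """Outside -> inside: (vrf, inside_local), or None without NAT state."""
        return self.reverse.get((proto, dst, src))


def demo() -> VrfAwareNat:
    # Constructed flows mirroring the Gold and Copper entries shown above.
    nat = VrfAwareNat()
    nat.translate_out(Flow("Gold", "udp", "192.168.1.1:49161", "172.16.0.1:33441"))
    nat.translate_out(Flow("Copper", "udp", "192.168.1.1:49160", "172.16.0.1:33440"))
    nat.translate_out(Flow("Copper", "udp", "192.168.1.1:49161", "172.16.0.1:33441"))
    return nat
```

A packet from the Server towards 10.0.3.1 for which translate_in returns None has no NAT state and cannot be steered into any VRF, which is why R11 only ever sees 10.0.3.1 and never 192.168.1.0/24.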
The Internet access router R11 has no knowledge of the network 192.168.1.0/24, which is only used inside the L3VPN MPLS service provider's domain. Because of the NAT translations on the PE R10, router R11 only receives traffic from the outside source IP address 10.0.3.1 assigned on PE R10. The output of a NetFlow monitor configured on R11, shown below, confirms the source and destination IP addresses.
R11#show flow monitor EXAMPLE-MONITOR cache format table | beg IPV4
IPV4 SRC ADDR IPV4 DST ADDR TCP DST PORT UDP DST PORT bytes pkts
=============== =============== ============ ============ ========== ==========
10.0.3.1 172.16.0.1 513 0 88 2
10.0.3.1 172.16.0.1 23 0 88 2
10.0.3.1 172.16.0.1 0 33441 56 2
10.0.3.1 172.16.0.1 0 33442 28 1
10.0.3.1 172.16.0.1 0 0 1000 10
10.0.3.1 172.16.0.1 0 33440 28 1