Inter VRF Routing using Simple Static Routes
Imagine a situation like the following where you may need to perform a NAT operation over VRFs.
Domain Based NAT is where we mark interfaces with inside and outside domains.
Domainless NAT is where we simply enable NAT on the interfaces.
Here the example treats the e0/0 interface (VRF-1 side) as inside and the e0/1 interface (VRF-2 side) as outside.
If we use Domain Based NAT, the domains are configured as follows.
R2(config)#interface Ethernet0/0
R2(config-if)#ip nat inside
R2(config)#interface Ethernet0/1
R2(config-if)#ip nat outside
If we use Domainless NAT, NAT is enabled on the interfaces as follows.
R2(config)#interface Ethernet0/0
R2(config-if)#ip nat enable
R2(config)#interface Ethernet0/1
R2(config-if)#ip nat enable
Let's place a route from VRF-1 to VRF-2. For the sake of simplicity, let's use a default route.
R2(config)#ip route vrf VRF-1 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.1
Static NAT
Let's take a static NAT example first. Following is the required NAT command for Domain Based NAT.
R2(config)#ip nat inside source static 192.168.1.1 172.16.1.2 vrf VRF-1
This performs a one-to-one NAT that translates 192.168.1.1 to 172.16.1.2 and vice versa, and traffic from R1 to R3 is routed correctly. But pings from R3 to R1 will fail because VRF-2 does not have a route back to VRF-1. Once the following route is entered, traffic passes both ways with translation.
R2(config)#ip route vrf VRF-2 0.0.0.0 0.0.0.0 Ethernet0/0 192.168.1.1
Note that, with those two routes in place, NAT is not needed at all if you only want to route traffic between the VRFs without address translation.
If the scenario is Domainless, only the inside keyword is removed from the NAT line, as follows.
R2(config)#ip nat source static 192.168.1.1 172.16.1.2 vrf VRF-1
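To put the pieces above together, here is a complete R2 configuration for the Domain Based static NAT case. It is an added example, not the original post's configuration: it fills in what the post leaves out (the VRF definitions and the interface-to-VRF assignment) and assumes R2's own addresses, which the post never states: e0/0 is 192.168.1.2/24 in VRF-1 and e0/1 is 172.16.1.3/24 in VRF-2, leaving 172.16.1.2 free as the translated address for R1.

```cisco
! Added example, not the original post's configuration.
! Assumed addressing (the post only gives R1 = 192.168.1.1 and R3 = 172.16.1.1):
!   R2 e0/0 = 192.168.1.2/24 in VRF-1, R2 e0/1 = 172.16.1.3/24 in VRF-2
!   172.16.1.2 is kept free as the static NAT address for R1
!
ip vrf VRF-1
ip vrf VRF-2
!
interface Ethernet0/0
 ! assign the VRF before the address: "ip vrf forwarding" clears any existing IP address
 ip vrf forwarding VRF-1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip vrf forwarding VRF-2
 ip address 172.16.1.3 255.255.255.0
 ip nat outside
!
! One-to-one translation; "vrf VRF-1" tells NAT that 192.168.1.1 lives in VRF-1's table
ip nat inside source static 192.168.1.1 172.16.1.2 vrf VRF-1
!
! Route leaking in both directions (interface plus next hop, so each VRF can reach the other side)
ip route vrf VRF-1 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.1
ip route vrf VRF-2 0.0.0.0 0.0.0.0 Ethernet0/0 192.168.1.1
!
! Verification from R2 (exec mode), after pinging 172.16.1.1 from R1:
!   show ip route vrf VRF-1      -> default via 172.16.1.1, Ethernet0/1
!   show ip route vrf VRF-2      -> default via 192.168.1.1, Ethernet0/0
!   show ip nat translations     -> static entry 192.168.1.1 <-> 172.16.1.2
```

The order inside each interface block matters: `ip vrf forwarding` removes whatever IP address is already on the interface, so apply it first and then set the address. Also note that the VRF-2 default route hands every unknown destination in VRF-2 to the VRF-1 side; in a production design you would leak only the specific prefixes that need to cross, since a default route in each direction effectively merges the two VRFs for any destination neither one knows.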
Dynamic NAT
The following commands configure dynamic NAT in Domain Based NAT.
R2(config)#access-list 10 permit any
R2(config)#ip nat pool DYNAMIC 172.16.1.2 172.16.1.2 prefix-length 24
R2(config)#ip nat inside source list 10 pool DYNAMIC vrf VRF-1
The access list selects the traffic to be translated, and the NAT command is extended with the source VRF and bound to the specified pool to perform dynamic NAT.
If the scenario is Domainless, only the inside keyword is removed from the NAT line, as follows.
R2(config)#ip nat source list 10 pool DYNAMIC vrf VRF-1
Dynamic PAT
The following commands configure dynamic PAT in Domain Based NAT.
R2(config)#access-list 10 permit any
R2(config)#ip nat inside source list 10 interface Ethernet0/1 vrf VRF-1 overload
The access list selects the traffic to be translated, and the NAT command is extended with the source VRF and the overload keyword to perform PAT.
If the scenario is Domainless, only the inside keyword is removed from the NAT line, as follows.
R2(config)#ip nat source list 10 interface Ethernet0/1 vrf VRF-1 overload
Note:-
If the traffic is going from the global default VRF to a configured VRF and you are using Domain Based NAT, you will need to configure a route-map that sends the returning traffic to the global VRF and apply it to the configured VRF's interface. Otherwise the replies will not come back.
Let's configure a PAT for this.
R2(config)#access-list 10 permit any
R2(config)#ip nat inside source list 10 interface Ethernet0/1 overload
R2(config)#route-map BACK permit 10
R2(config-route-map)#match ip address 10
R2(config-route-map)#set global
R2(config)#interface Ethernet0/1
R2(config-if)#ip policy route-map BACK
If the source is in a configured VRF and the traffic goes to the global default VRF, a route-map is not needed. Note that the route-map is also not required in Domainless NAT. Following is the NAT configuration for Domainless NAT.
R2(config)#ip nat source list 10 interface ethernet 0/1 overload
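The global-to-VRF case from the note, shown as a complete Domain Based configuration. This is an added example, not the post's own config: e0/0 stays in the global table and e0/1 is in VRF-2, and the addressing is assumed as before (R2 e0/0 192.168.1.2/24, e0/1 172.16.1.3/24, R1 192.168.1.1 in global, R3 172.16.1.1 in VRF-2). It also splits the post's single permit-any list into two narrower ones, one selecting what gets translated and one selecting what the route-map sends back through the global table; that narrowing is my choice, not something the post does.

```cisco
! Added example, not the original post's configuration.
! Assumed: R2 e0/0 = 192.168.1.2/24 (global), R2 e0/1 = 172.16.1.3/24 (VRF-2);
!          R1 = 192.168.1.1 in global, R3 = 172.16.1.1 in VRF-2.
ip vrf VRF-2
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip vrf forwarding VRF-2
 ip address 172.16.1.3 255.255.255.0
 ip nat outside
!
! Global -> VRF-2: a global static route that points at the VRF-2 interface with a next hop
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.1
!
! Only the global inside subnet is translated (the post uses "permit any" here)
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Ethernet0/1 overload
!
! Only traffic from the VRF-2 side is policy-routed back via the global table;
! with "permit any" every packet entering e0/1 would be handed to the global table
access-list 20 permit 172.16.1.0 0.0.0.255
route-map BACK permit 10
 match ip address 20
 set global
!
interface Ethernet0/1
 ip policy route-map BACK
!
! Verification (exec): "show route-map BACK" shows the policy-routing match counter climbing
! as replies come back; "show ip nat translations" shows the overloaded entries.
```

The reason for separating the two lists is that the route-map is a policy-routing rule on e0/1, so whatever it matches is pulled out of VRF-2's normal forwarding. Matching `permit any` works for the lab but also re-routes any VRF-2 traffic that has nothing to do with the NAT flow, which is the kind of silent cross-VRF leak that is hard to spot later; matching only the addresses that actually need to return keeps the leak to what the design intends.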