Re: NAT in PE

From: Narbik Kocharians <narbikk_at_gmail.com>
Date: Sun, 20 Nov 2011 21:22:08 -0800

Sorry for a long post, and please excuse the typos.

I think this is what you are looking for, and I hope it helps.

*Lab Setup:*

R1 (A CE router) is in SITE-1, and R5 (Another CE router) is configured in
SITE-2

R1 (CE) and R3 (PE) are connected via their S0/1 interfaces.

R3 (PE) and R2 (P) are connected via their F0/0 interface.

R2 (P) and R4 (The other PE) are connected via their F0/1 interface.

R4 (PE) and R5 (The other CE) are connected via their S0/1 interface.

*IP addressing:*

R1 (CE) and R5 (The other CE) have the following Loopback interfaces:

*Lo1 - 10.1.1.1/32 -> Server-1*

*Lo2 - 10.1.1.2/32 -> Host-2*

*Lo3 - 10.1.1.3/32 -> Host-3*

*Lo4 - 10.1.1.4/32 -> Host-4*

*Lo5 - 10.1.1.5/32 -> Host-5*

*The connection between the routers:*

*(R1) S0/1 - 100.1.13.1/24 -------------- 100.1.13.3/24 ---- S0/1 (R3)*

*(R3) F0/0 - 100.1.23.2/24 -------------- 100.1.23.3/24 ---- F0/0 (R2)*

*(R2) F0/1 - 100.1.24.2/24 -------------- 100.1.24.4/24 ---- F0/1 (R4)*

*(R4) S0/1 - 100.1.45.4/24 -------------- 100.1.45.5/24 ---- S0/1 (R5)*

*IP Address of the loopback interfaces:*

*R2's Loopback 0 = 2.2.2.2/32*

*R3's Loopback 0 = 3.3.3.3/32*

*R4's Loopback 0 = 4.4.4.4/32*

*Task 1*

Configure OSPF on the core routers (R2, R3 and R4); you should run OSPF
area 0 on the F0/0 interfaces of R2 and R3, the F0/1 interfaces of R2 and
R4, and the Loopback 0 interfaces of R2, R3 and R4. The CE routers, R1 and
R5 should be configured with a static default route pointing to their next
hop router.


*To configure the CE routers:*

*On R1*

R1(config)#*IP route 0.0.0.0 0.0.0.0 100.1.13.3*

*On R5*

R5(config)#*IP route 0.0.0.0 0.0.0.0 100.1.45.4*


*To configure the core routers:*

*On R2*

R2(config)#*Router ospf 1*

R2(config-router)#*Netw 2.2.2.2 0.0.0.0 area 0*

R2(config-router)#*Netw 100.1.23.2 0.0.0.0 area 0*

R2(config-router)#*Netw 100.1.24.2 0.0.0.0 area 0*


*On R3*

R3(config)#*Router ospf 1*

R3(config-router)#*Netw 100.1.23.3 0.0.0.0 area 0*

R3(config-router)#*Netw 3.3.3.3 0.0.0.0 area 0*

*On R4*

R4(config)#*Router ospf 1*

R4(config-router)#*Netw 4.4.4.4 0.0.0.0 area 0*

R4(config-router)#*Netw 100.1.24.4 0.0.0.0 area 0*

*To verify the configuration:*

*On R2*

R2#*Show ip ospf neighbor*

*Neighbor ID Pri State Dead Time Address Interface*

4.4.4.4 1 FULL/BDR 00:00:33 100.1.24.4 FastEthernet0/1

3.3.3.3 1 FULL/BDR 00:00:33 100.1.23.3 FastEthernet0/0

R2#*Show ip route ospf | Inc O*

O 3.3.3.3 [110/2] via 100.1.23.3, 00:10:53, FastEthernet0/0

O 4.4.4.4 [110/2] via 100.1.24.4, 00:10:35, FastEthernet0/1

*Task 2*


Configure LDP between the core routers. These routers should use their
Loopback0 interface as their LDP router-id.

*On R2, R3 and R4*

Rx(config)#*Mpls label protocol ldp*

Rx(config)#*Mpls ldp router-id Lo0*

*On R3*

R3(config)#*Int F0/0*

R3(config-if)#*MPLS IP*

*On R2*

R2(config)#*Int F0/0*

R2(config-if)#*MPLS IP*

R2(config-if)#*Int F0/1*

R2(config-if)#*MPLS IP*

*On R4*

R4(config)#*Int F0/1*

R4(config-if)#*MPLS IP*

*To Verify the configuration:*

*On R2*

R2#*Show mpls ldp neighbor*

    *Peer LDP Ident: 4.4.4.4:0*; Local LDP Ident 2.2.2.2:0

        TCP connection: 4.4.4.4.60890 - 2.2.2.2.646

        State: Oper; Msgs sent/rcvd: 9/10; Downstream

        Up time: 00:01:05

        LDP discovery sources:

          FastEthernet0/1, Src IP addr: 100.1.24.4

        Addresses bound to peer LDP Ident:

          100.1.24.4 100.1.45.4 4.4.4.4

    *Peer LDP Ident: 3.3.3.3:0*; Local LDP Ident 2.2.2.2:0

        TCP connection: 3.3.3.3.18225 - 2.2.2.2.646

        State: Oper; Msgs sent/rcvd: 9/10; Downstream

        Up time: 00:01:00

        LDP discovery sources:

          FastEthernet0/0, Src IP addr: 100.1.23.3

        Addresses bound to peer LDP Ident:

          100.1.23.3 100.1.13.3 3.3.3.3

*On R3*

R3#*Show mpls forwarding-table*

*Local Outgoing Prefix Bytes tag Outgoing Next Hop*

*tag tag or VC or Tunnel Id switched interface*

16 Pop tag 2.2.2.2/32 0 Fa0/0 100.1.23.2

17 Pop tag 100.1.24.0/24 0 Fa0/0 100.1.23.2

18 17 4.4.4.4/32 0 Fa0/0 100.1.23.2

*Task 3*


Configure MP-BGP between R3 and R4 as they represent the Provider Edge
routers in this topology in AS 100. The ONLY BGP peering relationship
should be VPNV4. These two neighbors should use their Lo0 interfaces for
their peering.

*On R3*

R3(config)#*Router bgp 100*

R3(config-router)#*Neighbor 4.4.4.4 remote-as 100*

R3(config-router)#*Neighbor 4.4.4.4 update-source Lo0*

R3(config-router)#*Address-family VPNV4 Unicast*

R3(config-router-af)#*Neighbor 4.4.4.4 Act*

R3(config-router-af)#*Neighbor 4.4.4.4 Send-community Ext*

*On R4*

R4(config)#*Router bgp 100*

R4(config-router)#*Neighbor 3.3.3.3 remote-as 100*

R4(config-router)#*Neighbor 3.3.3.3 update-source Lo0*

R4(config-router)#*Address-family VPNV4 Unicast*

R4(config-router-af)#*Neighbor 3.3.3.3 Act*

R4(config-router-af)#*Neighbor 3.3.3.3 Send-community Ext*

*To verify the configuration:*

*On R3*

R3#*Show ip bgp vpnv4 all Summary | B Neigh*

*Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd*

4.4.4.4 4 100 8 8 1 0 0 00:02:02 0

*Task 4*


Configure the following VRFs, RDs and route-targets on the PE routers:

*Router*   *VRF Name*   *RD*    *Route-Target*               *Interface*
R3         aaa          1:10    Route-target Both 151:100    S0/1
R4         bbb          2:20    Route-target Both 151:100    S0/1

*On R3*

R3(config)#*IP VRF aaa*

R3(config-vrf)#*RD 1:10*

R3(config-vrf)#*Route-target Both 151:100*

R3(config)#*Int S0/1*

R3(config-if)#*IP VRF Forwarding aaa*

R3(config-if)#*IP address 100.1.13.3 255.255.255.0*

*On R4*

R4(config)#*IP VRF bbb*

R4(config-vrf)#*RD 2:20*

R4(config-vrf)#*Route-target Both 151:100*

R4(config)#*Int S0/1*

R4(config-if)#*IP VRF Forwarding bbb*

R4(config-if)#*IP address 100.1.45.4 255.255.255.0*

*To verify the configuration:*

*On R3*

R3#*Show ip vrf detail*

*VRF aaa; default RD 1:10*; default VPNID <not set>

  *Interfaces:*

    *Se0/1*

  Connected addresses are not in global routing table

  *Export VPN route-target communities*

    *RT:151:100*

  *Import VPN route-target communities*

    *RT:151:100*

  No import route-map

  No export route-map

  VRF label distribution protocol: not configured

  VRF label allocation mode: per-prefix

*On R4*

R4#*Show ip vrf detail*

*VRF bbb; default RD 2:20*; default VPNID <not set>

  *Interfaces:*

    *Se0/1*

  Connected addresses are not in global routing table

  *Export VPN route-target communities*

    *RT:151:100*

  *Import VPN route-target communities*

    *RT:151:100*

  No import route-map

  No export route-map

  VRF label distribution protocol: not configured

  VRF label allocation mode: per-prefix

*Task 5*


Configure the routers such that the hosts in Site-1 can access the server-1
in Site 2 and vice versa. You should configure the CE routers (R1 and R5).
Use the following translation chart:

*Router*   *Inside Local*         *Inside Global*
R1         10.1.1.1               1.1.1.1
           10.1.1.2 - 10.1.1.5    1.1.1.2 - 1.1.1.5
R5         10.1.1.1               5.5.5.1
           10.1.1.2 - 10.1.1.5    5.5.5.2 - 5.5.5.5

*A static route for network 1.1.1.0/24 is configured and redistributed
into the vrf aaa on R3.*

*This is done to provide reachability to the hosts connected to R5.*

*On R3*

R3(config)#*IP Route vrf aaa 1.1.1.0 255.255.255.0 100.1.13.1*

R3(config)#*Router bgp 100*

R3(config-router)#*Address-family IPv4 vrf aaa*

R3(config-router-af)#*Redistribute Static*

R3(config-router-af)#*Redistribute connected*

*The same is configured on R4:*

*On R4*

R4(config)#*IP Route vrf bbb 5.5.5.0 255.255.255.0 100.1.45.5*

R4(config)#*Router bgp 100*

R4(config-router)#*Address-family IPv4 vrf bbb*

R4(config-router-af)#*Redistribute Static*

R4(config-router-af)#*Redistribute Connected*

*To verify the configuration:*

*On R4*

R4#*Show ip route vrf bbb | b Gate*

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets

*B 1.1.1.0 [200/0] via 3.3.3.3, 00:02:17*

     100.0.0.0/24 is subnetted, 2 subnets

C 100.1.45.0 is directly connected, Serial0/1

B 100.1.13.0 [200/0] via 3.3.3.3, 00:02:17

     5.0.0.0/24 is subnetted, 1 subnets

S 5.5.5.0 [1/0] via 100.1.45.5

*On R3*

R3#*Show ip route vrf aaa | b Gate*

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets

S 1.1.1.0 [1/0] via 100.1.13.1

     100.0.0.0/24 is subnetted, 2 subnets

B 100.1.45.0 [200/0] via 4.4.4.4, 00:02:06

C 100.1.13.0 is directly connected, Serial0/1

     5.0.0.0/24 is subnetted, 1 subnets

*B 5.5.5.0 [200/0] via 4.4.4.4, 00:02:06*

*On R1*

*The NAT Inside and Outside interfaces are defined:*

R1(config)#*Int range Lo0 - 4*

R1(config-if)#*IP NAT Inside*

R1(config)#*Int S0/1*

R1(config-if)#*IP NAT Outside*

*The following command translates the inside source IP address of 10.1.1.1
to 1.1.1.1 IP address:*

R1(config)#*IP NAT inside source static 10.1.1.1 1.1.1.1*

*An access-list is configured to identify the communication between inside
sources with destination IP addresses:*

R1(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255*

*The following configures a NAT pool that the inside hosts can use:*

R1(config)#*IP Nat pool TST 1.1.1.2 1.1.1.5 Prefix-length 24 type match-host*

*The last step is to configure the inside sources identified in ACL 100
to use the NAT pool called TST:*

R1(config)#*IP NAT inside source list 100 pool TST*

*On R5*

R5(config)#*Int range Lo0 - 4*

R5(config-if)#*IP NAT Inside*

R5(config)#*Int S0/1*

R5(config-if)#*IP NAT Outside*

R5(config)#*IP NAT inside source static 10.1.1.1 5.5.5.1*

R5(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255*

R5(config)#*IP Nat pool TST 5.5.5.2 5.5.5.5 Prefix-length 24 type match-host*

R5(config)#*IP NAT inside source list 100 pool TST*

*To verify the configuration:*

*On R1*

R1#*Ping 5.5.5.1 source Lo0*

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

*!!!!!*

*Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/60 ms*

R1#*Show ip nat translations*

*Pro Inside global Inside local Outside local Outside global*

icmp 1.1.1.1:2 10.1.1.1:2 5.5.5.1:2 5.5.5.1:2

--- 1.1.1.1 10.1.1.1 --- ---

R1#*Ping 5.5.5.1 Source Lo4*

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.2

*!!!!!*

*Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms*

R1#*Sh ip nat translation*

*Pro Inside global Inside local Outside local Outside global*

icmp 1.1.1.1:7 10.1.1.1:7 5.5.5.1:7 5.5.5.1:7

--- 1.1.1.1 10.1.1.1 --- ---

icmp 1.1.1.5:8 10.1.1.5:8 5.5.5.5:8 5.5.5.5:8

--- 1.1.1.5 10.1.1.5 --- ---

*Task 6*

Remove the configuration from the previous step and configure the PE
routers to accomplish the same task.

*On R1*

R1(config)#*Int range Lo0 - 4*

R1(config-if-range)#*NO IP NAT Inside*

R1(config)#*Int S0/1*

R1(config-if)#*NO IP NAT Outside*

R1(config)#*No Access-list 100*

R1(config)#*NO ip nat inside source static 10.1.1.1 1.1.1.1*

R1(config)#*NO ip nat inside source list 100 pool TST*

R1(config)#*NO ip nat pool TST 1.1.1.2 1.1.1.5 prefix-length 24*

*On R5*

R5(config)#*Int range Lo0 - 4*

R5(config-if-range)#*NO IP NAT Inside*

R5(config)#*Int S0/1*

R5(config-if)#*NO IP NAT Outside*

R5(config)#*NO access-list 100*

R5(config)#*NO ip nat inside source static 10.1.1.1 5.5.5.1*

R5(config)#*NO ip nat inside source list 100 pool TST*

R5(config)#*NO ip nat pool TST 5.5.5.2 5.5.5.5 prefix-length 24*

*NOTE: The configuration on the PE is identical to the configuration that
was performed on the CEs with one difference; on the PEs the VRF MUST be
referenced.*

*On R3*

*The inside and outside interfaces are defined; the interface facing the CE
MUST be defined as inside, and the interface facing the core must be defined
as outside.*

R3(config)#*Int S0/1*

R3(config-if)#*IP NAT Inside*

R3(config)#*Int F0/0*

R3(config-if)#*IP NAT Outside*

*A Static NAT is configured to translate any traffic with a source IP
address of 10.1.1.1 to 1.1.1.1 IP address IN VRF aaa:*

R3(config)#*IP NAT inside source static 10.1.1.1 1.1.1.1 vrf aaa*

*An access-list is configured to identify the communication between inside
sources with destination IP addresses:*

R3(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255*

*A NAT pool called TST is configured:*

R3(config)#*IP NAT Pool TST 1.1.1.2 1.1.1.5 Prefix-length 24 Type match-host*

*The last step is to configure the inside sources identified in ACL 100
to use the NAT pool called TST for VRF aaa:*

R3(config)#*IP NAT inside source list 100 pool TST vrf aaa*

*On R4*

R4(config)#*Int S0/1*

R4(config-if)#*IP NAT Inside*

R4(config)#*Int F0/1*

R4(config-if)#*IP NAT Outside*

R4(config)#*IP NAT inside source static 10.1.1.1 5.5.5.1 vrf bbb*

R4(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255*

R4(config)#*IP NAT Pool TST 5.5.5.2 5.5.5.5 prefix-length 24 type match-host*

R4(config)#*IP NAT Inside source list 100 pool TST vrf bbb*

*To verify the configuration:*

*On R3*

R3#*Show ip nat translations vrf aaa*

*Pro Inside global Inside local Outside local Outside global*

--- 1.1.1.1 10.1.1.1 --- ---

*To test the configuration:*

*On R1*

R1#*Ping 5.5.5.1 Source Lo0*

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

*!!!!!*

*Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms*

*On R3*

R3#*Show ip nat translation vrf aaa*

*Pro Inside global Inside local Outside local Outside global*

icmp 1.1.1.1:0 10.1.1.1:0 5.5.5.1:0 5.5.5.1:0

--- 1.1.1.1 10.1.1.1 --- ---

R1#*Ping 5.5.5.1 Source Lo4*

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.2

*!!!!!*

*Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms*

*On R3*

R3#*Show ip nat translation vrf aaa*

*Pro Inside global Inside local Outside local Outside global*

icmp 1.1.1.1:2 10.1.1.1:2 10.1.1.2:2 10.1.1.2:2

--- 1.1.1.1 10.1.1.1 --- ---

*icmp 1.1.1.5:1 10.1.1.5:1 5.5.5.5:1 5.5.5.5:1*

*--- 1.1.1.5 10.1.1.5 --- ---*

Have fun.


On Sun, Nov 20, 2011 at 6:06 PM, Bernard Steven <buny.steven_at_gmail.com> wrote:

> Guys,
> Is there a way to do a nat between a vrf interface and traffic coming from
> an LDP enabled interface towards the core?
> I am trying to NAT in a PE. One interface is towards a CE and the other
> interface is towards the P router.
>
> The device does not support NVI, also vrf aware nat does not seem to help.
>
> My problem is it does not make sense to put an ip nat inside / outside
> statement in the interface towards the PE.
> Any thoughts?
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

--
*Narbik Kocharians
*CCSI#30832, CCIE# 12410 (R&S, SP, Security)
*www.MicronicsTraining.com* <http://www.micronicstraining.com/>
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training & Remote Racks available
Received on Sun Nov 20 2011 - 21:22:08 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
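
Added example (not part of the original post, and not Cisco code): a small Python model of the "type match-host" pool configured on R3 for VRF aaa, plus a check that parses "show ip nat translations vrf aaa" rows and flags entries that disagree with the post's translation chart. The out-of-pool behaviour and the last two sample rows are assumptions constructed for illustration.

```python
import ipaddress

# Translation policy for VRF aaa on R3, taken from the post's chart.
STATIC = {"10.1.1.1": "1.1.1.1"}
POOL = ("1.1.1.2", "1.1.1.5", 24)  # ip nat pool TST ... type match-host

def match_host(inside_local, pool=POOL):
    """Model of `type match-host`: network bits come from the pool and the
    host bits are kept. Returns None when the result falls outside the pool
    range (assumption: such a host gets no translation)."""
    start, end, plen = pool
    net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
    host_bits = int(ipaddress.ip_address(inside_local)) & int(net.hostmask)
    cand = ipaddress.ip_address(int(net.network_address) | host_bits)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return str(cand) if lo <= cand <= hi else None

def expected_global(inside_local):
    """Static entry wins; otherwise fall back to the match-host pool."""
    return STATIC.get(inside_local) or match_host(inside_local)

def audit(show_output):
    """Parse translation rows and return (inside_local, seen_global,
    expected_global) for every row that disagrees with the policy."""
    bad = []
    for line in show_output.splitlines():
        cols = line.split()
        if len(cols) != 5:          # header and blank lines are skipped
            continue
        seen = cols[1].split(":")[0]    # Inside global, port/ID stripped
        local = cols[2].split(":")[0]   # Inside local, port/ID stripped
        want = expected_global(local)
        if seen != want:
            bad.append((local, seen, want))
    return bad

# Rows 1-2 are as shown in the post; rows 3-4 are constructed: a pool entry
# that did not keep the host number, and a host outside the pool range.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 1.1.1.5:1 10.1.1.5:1 5.5.5.5:1 5.5.5.5:1
--- 1.1.1.1 10.1.1.1 --- ---
icmp 1.1.1.2:4 10.1.1.4:4 5.5.5.1:4 5.5.5.1:4
icmp 1.1.1.3:9 10.1.1.9:9 5.5.5.1:9 5.5.5.1:9
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A row flagged here means the pool is handing out addresses in arrival order rather than by host number, which is what happens when "type match-host" is left off the pool definition.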