Hi Amir,

If I understand your use case correctly, you have 2 inside and 2 outside interfaces. The 2 outside interfaces belong to two different ISPs. You want communication entering inside interface one to go through, let's say, outside interface one, and vice versa for the other two.

inside 1 <-> outside 1
inside 2 <-> outside 2

So from here there are multiple possibilities on how to approach the problem. It really comes down to whether you need the network from inside 1 to reach the network behind inside 2, or the network from inside 1 to reach the network behind outside 2, and vice versa.

Solution a)

1. Create 2 vrfs
2. Put inside 1 and outside 1 to vrf 1
3. Put inside 2 and outside 2 to vrf 2
4. Configure NAT
   4.1 enable nat
   4.2 configure 2 nat addresses for each outside interface:
       `nat44 add interface address ...`
   4.3 configure outside and inside nat44 interfaces:
       `set interface nat44 in <inside 1> out <outside 1>`
       `set interface nat44 in <inside 2> out <outside 2>`

- This should work out of the box. You have its own default gateway for each vrf. NAT will pick up this fact and pass traffic through the vrf we are in.

Solution nat vrf tables b)

Basically, creating a vrf table for a specific inside vrf (this could be the default one, for example) restricts NAT's ability to pass packets between vrfs. If solution a) doesn't work you can create a nat vrf table for vrf 1 and vrf 2. If you create a table without adding entries into it, NAT inter VRF passing of packets gets disabled. So you basically restrict all NAT traffic inside one vrf. Now if you need to reach some resources between vrfs you can start adding entries to the table; the output vrf gets decided based on the first table in the list resolving the route.

So let's say:

nat vrf table for vrf1
  first entry vrf1
  second entry vrf2

internet traffic - reaching public space ip
  inside 1 (vrf1) -> goes through (vrf1) because obviously vrf1 can resolve the ip

private space traffic trying to reach the ISP's private addresses (let's say a scenario where there is another router up the line - behind our outside interface) reachable only through vrf2 outside 2 interface
  inside 1 (vrf1) -> goes through (vrf2) because vrf1 wasn't able to resolve the ip and vrf2 was.

The possibilities can get more and more complicated down the line. You can for example configure the interface to be both inside and outside and make NAT pass traffic using the above logic between inside ones in different vrfs and so on.

Best regards,
Filip Varga

On Thu, 22 Sep 2022 at 11:43, Amir Hossein <1377amirhossein1...@gmail.com> wrote:

> Hi Filip,
> thanks for suggestion,
> so I can have a vrf(rx) use nat ip pool from another tenant vrf?
> I'm a little confused about using nat vrf routes, can you give me an
> example?
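
The lookup order described in the reply above, as an added Python model (not VPP code and not part of the original thread). The VRF names, prefixes and function names are constructed for illustration, and a VRF that has no NAT VRF table at all is deliberately left unmodelled.

```python
import ipaddress

# Constructed per-VRF routing tables (documentation and private prefixes only).
FIBS = {
    "vrf1": ["198.51.100.0/24", "192.168.1.0/24"],
    "vrf2": ["203.0.113.0/24", "10.20.0.0/16", "192.168.2.0/24"],
}


def resolves(vrf, dst, fibs=FIBS):
    """True if any route in the VRF's table covers the destination."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in fibs.get(vrf, []))


def output_vrf(inside_vrf, dst, nat_vrf_tables, fibs=FIBS):
    """Return the VRF a translated packet leaves through, or None.

    nat_vrf_tables maps an inside VRF to its ordered list of entries.
    An empty list models "table created, no entries": traffic is pinned
    to the inside VRF and never crosses into another one.
    """
    if inside_vrf not in nat_vrf_tables:
        # Behaviour without a table is not described precisely enough
        # in the thread to model, so refuse rather than guess.
        raise ValueError(f"no NAT VRF table modelled for {inside_vrf}")
    candidates = nat_vrf_tables[inside_vrf] or [inside_vrf]
    for vrf in candidates:  # first entry that resolves the route wins
        if resolves(vrf, dst, fibs):
            return vrf
    return None  # nothing resolves: the packet has no way out


# Tables from the reply: vrf1 may fall through to vrf2, vrf2 is isolated.
TABLES = {"vrf1": ["vrf1", "vrf2"], "vrf2": []}

# Consequence of "first resolving entry wins" in this model: a default
# route in the first entry resolves everything, so vrf2 is never consulted.
FIBS_WITH_DEFAULT = dict(FIBS, vrf1=["0.0.0.0/0"])

if __name__ == "__main__":
    for src, dst in [("vrf1", "198.51.100.7"), ("vrf1", "10.20.3.4"),
                     ("vrf2", "198.51.100.7")]:
        print(src, dst, "->", output_vrf(src, dst, TABLES))
```

When reviewing tenant isolation, the entries in each table are the list of VRFs that tenant's translated traffic can leave through, so every entry beyond the inside VRF itself is a cross-VRF path to account for.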