Introduction to the NAT match-in-vrf feature



1. Inside interface in VRF green1, outside interface in VRF green1. Test as follows:

Without match-in-vrf, the ip alias table contains no entry for that global address, so the router naturally cannot answer ARP for it.

ASR1013-2#sh run vrf green1
Building configuration...

Current configuration : 515 bytes
vrf definition green1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
interface GigabitEthernet0/0/0
 vrf forwarding green1
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
!
!
end

ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1             
ASR1013-2(config)#end
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2#show ip alias vrf green1
Address Type             IP Address      Port
Interface                90.1.0.1 
Interface                100.100.100.1 
ASR1013-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1             
ASR1013-2(config)# ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf  
ASR1013-2(config)#do show ip alias vrf green1
Address Type             IP Address      Port
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
ASR1013-2(config)#end
ASR1013-2#


2. Neither the inside interface nor the outside interface is in a VRF

The NAT rule is specified without any VRF information.

ASR1013-2#sh run inter gi 0/0/0
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet0/0/0
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
end

ASR1013-2#sh run inter gi 0/0/1
Building configuration...

Current configuration : 141 bytes
!
interface GigabitEthernet0/0/1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
end

ASR1013-2#sh run | in ip nat
 ip nat outside
 ip nat inside
ip nat inside source static 100.100.100.142 90.1.0.14
alias exec trans sh ip nat translations total
alias exec natfull sh ip nat translations filter entry-type full total
alias exec nathalf sh ip nat translations filter entry-type half all total
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2#


3. Inside interface in a VRF, outside interface in the global table.

This is the most common case: the router accepts several access methods, incoming traffic arrives from different VRFs, but all of it shares the same global address.

In this case the NAT rule can be written without vrf, with vrf, or with vrf + match-in-vrf.

ASR1013-2#sh run inter gi 0/0/0
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet0/0/0
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
end

ASR1013-2#sh run inter gi 0/0/1
Building configuration...

Current configuration : 164 bytes
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
end

ASR1013-2#sh run | in ip nat inside
 ip nat inside
ip nat inside source static 100.100.100.142 90.1.0.14
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)#do sh ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf 
ASR1013-2(config)#do sh ip alias
Address Type             IP Address      Port
Interface                10.74.9.121 
Interface                90.1.0.1 
Dynamic                  90.1.0.14 
Interface                100.100.100.1 
Interface                192.168.1.2 
ASR1013-2(config)#end
ASR1013-2#


4. Inside interface in the global table, outside interface in a VRF. This case is rather special and is generally no longer seen.


5. Inside interface in VRF A, outside interface in VRF B. This is in fact what VASI implements.


In a word, NAT differs somewhat from ordinary routing: the inside and outside interfaces can each be in the global table or in a VRF, giving four combinations. The match-in-vrf feature is mainly meant for the case where inside and outside are both in a VRF (case 1 above, where both sit in green1).
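The check the tests in cases 1 to 3 perform by eye (is the static rule's global address present in `show ip alias`, and if not, is match-in-vrf the missing piece?) can be scripted. The following is an added example, not code from the original post and not a Cisco tool: it parses a `show running-config` excerpt and a `show ip alias` listing in the formats shown above, records which VRF each NAT inside/outside interface belongs to, and for every `ip nat inside source static` rule reports whether the global address is present. When the address is missing and both NAT interfaces are in the rule's VRF without match-in-vrf, it suggests adding the keyword, which is exactly what case 1 demonstrates. The sample config and alias listing are constructed from case 1 after match-in-vrf was removed; the function and field names are the example's own.

```python
# Added example for this post (not the post's own code or a Cisco tool).
# Audits static NAT rules against `show ip alias`, applying what the post
# shows: with inside and outside both in the same VRF, the global address
# only appears in the alias table (and is ARP-answered) with match-in-vrf.
import re
from dataclasses import dataclass

@dataclass
class NatRule:
    local: str
    glob: str
    vrf: "str | None"       # None: the rule has no vrf keyword
    match_in_vrf: bool

@dataclass
class NatIface:
    name: str
    vrf: "str | None"       # None: the interface is in the global table
    role: str               # "inside" or "outside"

RULE_RE = re.compile(
    r"^ip nat inside source static (\S+) (\S+)(?: vrf (\S+))?( match-in-vrf)?\s*$")

def parse_running_config(text):
    """Collect NAT-enabled interfaces (with their VRF) and static NAT rules."""
    ifaces, rules = [], []
    name = vrf = role = None
    def flush():
        if name and role:
            ifaces.append(NatIface(name, vrf, role))
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            flush()
            name, vrf, role = m.group(1), None, None
            continue
        if name and line.startswith(" "):
            s = line.strip()
            if s.startswith("vrf forwarding "):
                vrf = s.split()[-1]
            elif s == "ip nat inside":
                role = "inside"
            elif s == "ip nat outside":
                role = "outside"
            continue
        flush()                       # any non-indented line closes the block
        name = None
        m = RULE_RE.match(line)
        if m:
            rules.append(NatRule(m.group(1), m.group(2), m.group(3), bool(m.group(4))))
    flush()
    return ifaces, rules

def parse_ip_alias(text):
    """Return every IP address listed by `show ip alias [vrf X]`."""
    addrs = set()
    for line in text.splitlines():
        m = re.match(r"^(Interface|Dynamic)\s+(\d+\.\d+\.\d+\.\d+)", line.strip())
        if m:
            addrs.add(m.group(2))
    return addrs

def check_rule(rule, ifaces, alias_addrs):
    inside_vrfs = {i.vrf for i in ifaces if i.role == "inside"}
    outside_vrfs = {i.vrf for i in ifaces if i.role == "outside"}
    if rule.glob in alias_addrs:
        return f"{rule.glob}: OK (present in ip alias)"
    same_vrf = rule.vrf is not None and rule.vrf in inside_vrfs and rule.vrf in outside_vrfs
    if same_vrf and not rule.match_in_vrf:
        return (f"{rule.glob}: MISSING; inside and outside are both in vrf "
                f"{rule.vrf} -> add match-in-vrf to the static rule")
    return f"{rule.glob}: MISSING; check the NAT interface roles and VRF placement"

def audit(config_text, alias_text):
    ifaces, rules = parse_running_config(config_text)
    alias_addrs = parse_ip_alias(alias_text)
    return [check_rule(r, ifaces, alias_addrs) for r in rules]

# Constructed sample: the post's case 1 after match-in-vrf was removed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 vrf forwarding green1
 ip nat outside
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip nat inside
!
ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
end
"""
SAMPLE_ALIAS = """\
Address Type             IP Address      Port
Interface                90.1.0.1
Interface                100.100.100.1
"""

if __name__ == "__main__":
    for verdict in audit(SAMPLE_CONFIG, SAMPLE_ALIAS):
        print(verdict)
```

Feed it the text of `show running-config` and of `show ip alias` (or `show ip alias vrf <name>`, the table case 1 checks). For case 2 and case 3 configurations the script only reports present or missing, since the post shows the global address appearing in the alias table with or without the vrf keyword there; the match-in-vrf suggestion is limited to the both-in-VRF placement the post actually tests.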



Reference:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-match-vrf.html




