Mailing List Archive

Inter-VRF with NAT
Hello,

    I have a group of devices on my network (customer cpe - dsl modems
mostly) which don't have the intelligence necessary to route their
management traffic separate from the user internet traffic. This means
that packets inbound to management, will go outbound to the default
gateway in the device's routing table instead of being routed back out
the default gateway for the management interface.

    I have solved this in the past by using a linux server that had an
interface on the global network, and another interface facing the
customer management interfaces, with NAT rules so that packets destined
TO addresses within the management network would have a source of the
linux server itself. This meant that traffic to the cpe management
interface appeared to be from an ip that was local (on the same network)
and thus did not require routing. For example, if the management network
was 172.16.1.0/24 and the cpe had an ip of 172.1.1.100, packets from
global destined to 172.16.1.100 would appear to the cpe to be coming
from 172.16.1.1 (the linux server). Unfortunately, for various network
reasons, this doesn't scale (the linux server has to have direct l2
connectivity to each such network, which becomes unmanageable).

    I have been trying to discern a more cisco-centric way of
accomplishing this end goal, and I need some help fleshing this out. My
thoughts are that the router of course will have an l2 interface on the
cpe management network, and this could be inside a separate vrf. If the
vrf/management network was 172.16.1.0/24, I would want this same route
also in my global table so I can address hosts on this network, with the
switch to vrf/nat on the inside. Is this possible, or am I just
conceptualizing this wrong?



Mike-

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Inter-VRF with NAT [ In reply to ]
On 17 August 2019 20:47:28 CEST, Mike <mike-cisconsplist@tiedyenetworks.com> wrote:

Hi Mike,

I'm not sure I've understood your network topology to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs over different VLANs, e.g. internet in global routing table over VLAN 10, management VRF over VLAN 20 etc? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?

Cheers,
James.

[1] Multiple ATM virtual circuits are usually not an option.
Re: Inter-VRF with NAT [ In reply to ]

My cpe devices are typically zyxel. On the wan interface of these
devices, we usually have one service which is customer internet access
(pppoe or dhcp), and then another service which is mapped at either a
different vlan or a different vci/vpl, which is for management (and it's
always dhcp). So, from the perspective of the device, it only has one
routing table - the global table - and the 'default route' will normally
be the internet service gateway.  A common short-sightedness in these is
that they can't do policy routing, and they can't have a separate
routing table where management network traffic uses a gateway different
than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber.
So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20
would be management traffic. I would like to have vlan 20 in a separate
vrf, and I would like to be able to assign it an ip address
(172.16.1.1), and I want to hand out addresses to the cpe in the range
of 172.16.1.x. But, because the CPE are braindead, I need to arrange
things so management access to the cpe all appear to come from
172.16.1.1. That way, the devices won't need to consult the routing
table for a gateway and will instead simply arp for the 172.16.1.1 as
it's on the same l3 network segment. This is the only way to deal with
devices that don't know the correct gateway back. The only way I know
how to accomplish this is with nat, unless there was some other socks
type proxy on my asr1000 I don't know about.


Mike-




Re: Inter-VRF with NAT [ In reply to ]
Does your CPE allow static routes in addition to the default route?
The situation you are describing is typical for all Juniper routers
where management ethernet port can't be isolated in VRF so has to use
GRT, although routing between this fxp interface and normal ports isn't
possible. The solution is to have more specific route to the management
network, usually private, so no harm for connectivity to the public
address space.

Kind regards,
Andrey Kostin

Mike wrote 2019-08-18 16:13:

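Added example, not from any poster in this thread: a small Python model of the forwarding decision on a single-table CPE as Mike describes it, showing why the reply to an off-link management source goes out the internet default, how his source NAT to 172.16.1.1 on the aggregation router avoids that, and how Andrey's more-specific static route would too. Only the 172.16.1.x addresses come from the thread; the other addresses, ports and function names are constructed.

```python
import ipaddress

# Constructed topology: only the 172.16.1.x addresses come from the thread.
INTERNET_GW = "203.0.113.1"  # default gateway the CPE gets from its internet service
MGMT_GW = "172.16.1.1"       # aggregation router's address in the management VRF
NOC_HOST = "10.20.30.40"     # management station reachable only via the global table
# The CPE's single routing table: default via the internet service, mgmt LAN on-link.
CPE_ROUTES = [("0.0.0.0/0", INTERNET_GW), ("172.16.1.0/24", None)]

def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or None when dst is on-link."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def reply_egress(routes, src_ip):
    """Where the CPE sends its reply to a management packet that arrived from src_ip."""
    gw = next_hop(routes, src_ip)
    return "on-link" if gw is None else gw

class SourceNat:
    """Minimal PAT table on the router's VRF interface (what the Linux box did with an
    iptables SNAT rule): rewrite the source inbound, restore it on the CPE's reply."""
    def __init__(self, nat_addr):
        self.nat_addr, self.table, self.next_port = nat_addr, {}, 40000

    def inbound(self, src, sport, dst, dport):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(dst, dport, port)] = (src, sport)  # keyed by the expected reply tuple
        return self.nat_addr, port, dst, dport

    def outbound(self, src, sport, dst, dport):
        if dst != self.nat_addr or (src, sport, dport) not in self.table:
            raise KeyError("reply without a translation entry")
        return (src, sport) + self.table[(src, sport, dport)]

def without_nat():
    """Mike's problem: the NOC source is off-link, so the reply leaks out the default."""
    return reply_egress(CPE_ROUTES, NOC_HOST)

def with_snat():
    """Mike's fix: the router sources the packet from 172.16.1.1; the reply is just an ARP."""
    nat = SourceNat(MGMT_GW)
    src, sport, dst, dport = nat.inbound(NOC_HOST, 51234, "172.16.1.100", 22)
    return reply_egress(CPE_ROUTES, src), nat.outbound(dst, dport, src, sport)

def with_static_route():
    """Andrey's alternative: a more specific route for the private management space."""
    return reply_egress(CPE_ROUTES + [("10.0.0.0/8", MGMT_GW)], NOC_HOST)
```

The static-route variant only helps if the CPE accepts extra routes and the management stations all sit in the prefix it points at; the NAT variant works with any source but hides the real station address from the CPE's logs.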
Re: Inter-VRF with NAT [ In reply to ]
We have lots of Zyxels and manage all of them with their public address. Why don't you just do that?

-Aaron

Re: Inter-VRF with NAT [ In reply to ]
Have you looked at VASI configuration? https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html

David
--
http://dcp.dcptech.com


On 8/19/19, 8:58 AM, "cisco-nsp on behalf of Aaron Gould" <cisco-nsp-bounces@puck.nether.net on behalf of aaron1@gvtc.com> wrote:

Re: Inter-VRF with NAT [ In reply to ]
On Tue, 3 Sep 2019 at 00:39, David Prall <dcp@dcptech.com> wrote:

I'm happy to be wrong here, but I thought the VASI stuff had been killed off?

Cheers,
James.
Re: Inter-VRF with NAT [ In reply to ]
Supported in IOS-XE. VASI on the GSR has been long gone. IOS-XR had it at one point as well.

David
--
http://dcp.dcptech.com


On 9/3/19, 4:32 AM, "James Bensley" <jwbensley+cisco-nsp@gmail.com> wrote:
