Using VPF NAT with VRF and Overlapping Networks

VPF builds on Virtual Routing and Forwarding (VRF) features by adding new functionality to the dataplane which is unique to TNSR.

Note

Virtual Routing and Forwarding allows administrators to create multiple routing tables. Assigning these alternate routing tables to one or more interfaces effectively separates them into isolated virtual “routers” which can contain unique or overlapping network segments.

A virtual “router” of this sort can be referred to as a “VRF”, which includes the routing table component and the interfaces which utilize that table.

Normally when using VRFs with TNSR, routes must exist between VRFs if hosts require access to resources in the default VRF. This results in traffic being able to “leak” between the VRFs. This is problematic for a multi-tenancy provider where overlapping address spaces in the VRFs would prevent valid return routes.

The advanced NAT features in VPF can provide access to resources in the default VRF. Thus, when using VPF there are no limitations on IPv4 address spaces in the VRFs, and there is no need for unique subnets or non-overlapping address spaces.

Note

Currently, services which are not aware of VRFs cannot be bound to interfaces in a VRF. Services which do not support VRFs include, but are not limited to, Kea DHCP Server and Unbound DNS Server.

Example Summary

The following example demonstrates a TNSR configuration for two customers with overlapping IPv4 address spaces, outbound dynamic NAT, and port forwards.

The customers in this example are CustomerA and CustomerB. These customers must be isolated from each other so that no services, traffic, or configuration from either customer can affect the other.

This example uses VRF to isolate the networks and VPF for NAT.

Create VRF Route Tables

First, create the VRF route tables and provide an egress route from the VRF to the upstream gateway at 198.51.100.1:

route table CustomerA
    id 100
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit

route table CustomerB
    id 200
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit

Note

If the default routing table uses dynamic routing and the VRFs need to follow those dynamic routes, use next-hop 10 via 0.0.0.0 next-hop-table default instead of statically defining the gateway.

When using the next-hop-table option, any routable networks will be accessible from the VRFs for outbound traffic only; the lack of return routes to a VRF will prevent remote hosts from making inbound connections. Filtering can be used to further restrict outbound traffic.

Note

If TNSR cannot resolve the upstream next-hop at startup, TNSR may fail to install the default route. In this situation, add the dataplane-only property to the default route in the VRF so that TNSR will still add the route to the dataplane at startup. See Managing Routes for details.

Configure Customer Interfaces

Next, add the customer VRF to each corresponding customer interface. Each customer interface uses the same IP address to provide a uniform customer experience. This IP address is the default gateway for hosts belonging to customers.

See also

This example uses VLAN subinterfaces; see VLAN Subinterfaces for more details.

interface LAN.100
    description CustomerA
    enable
    vrf CustomerA
    ip address 192.168.1.1/24
exit

interface LAN.200
    description CustomerB
    enable
    vrf CustomerB
    ip address 192.168.1.1/24
exit

Create VPF NAT Rules

Now, create VPF NAT rules. These rules allow outbound dynamic NAT from customer VRFs to the internet.

vpf nat ruleset WAN-nat
    rule 100
        description Customer VRFs
        from ipv4-prefix 192.168.1.0/24
        to ipv4-prefix 0.0.0.0/0
        dynamic
        algorithm ip-hash
        direction out
        nat-interface WAN
    exit
exit

vpf options
    interface WAN nat-ruleset WAN-nat
exit
vpf enable

Note

VPF NAT rules apply to all VRFs routed into the default VRF. Future releases of VPF will allow restricting the source VRF for outbound dynamic NAT, for example if a specific customer should use a different NAT IP address.

When VPF performs outbound NAT on traffic sourced from a VRF it tracks the VRF ID in the session data, allowing it to uniquely identify return traffic.

VPF Port Forwarding into a VRF

VPF also supports port forwarding into VRFs. Port forwarding into a VRF requires an additional parameter on NAT rules, dest-route-table. This example forwards port 80 on the WAN IP address(es) to a host belonging to CustomerA with address 192.168.1.10/32.

See also

Refer to Port Forwarding for general port forwarding examples.

vpf nat ruleset WAN-nat
    rule 101
        description Forward port 80 to CustomerA
        dest-route-table CustomerA
        to ifaddrs WAN
        to port 80
        nat-prefix 192.168.1.10/32
        nat port 80
        dynamic
        protocol tcp
        direction in
    exit
exit
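To make concrete why the note above says VPF keeps the VRF ID in its session data, and how a dest-route-table port forward like rule 101 lands in the right VRF, here is an added Python model of a VRF-aware NAT table. It is illustration only, not TNSR or VPF code; the WAN address 198.51.100.10, the remote hosts and the sequential port allocator (in place of VPF's ip-hash algorithm) are constructed for the example, while the VRF ids 100 and 200 and the forwarded host 192.168.1.10 follow the page.

```python
from typing import Dict, Optional, Tuple

# Constructed values: the WAN address NAT translates to, and a port-forward
# table shaped like rule 101 (WAN port -> dest-route-table id, host, port).
WAN_IP = "198.51.100.10"
PORT_FORWARDS = {80: (100, "192.168.1.10", 80)}  # CustomerA has route table id 100


class VrfNat:
    """Toy VRF-aware NAT session table; a model, not VPF's implementation."""

    def __init__(self, wan_ip: str, port_forwards: Dict[int, Tuple[int, str, int]]):
        self.wan_ip = wan_ip
        self.port_forwards = port_forwards
        # Outbound sessions are keyed on the VRF id plus the flow tuple, so two
        # customers sharing 192.168.1.0/24 never collide in the table.
        self.sessions: Dict[Tuple[int, str, int, str, int], int] = {}
        # Reverse map for return traffic: (translated port, remote ip, remote port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[int, str, int]] = {}
        self.next_port = 40000  # simplified allocator standing in for ip-hash

    def outbound(self, vrf_id: int, src: str, sport: int, dst: str, dport: int):
        """Translate an outbound packet from a VRF; returns the packet as seen on WAN."""
        key = (vrf_id, src, sport, dst, dport)
        if key not in self.sessions:
            tport = self.next_port
            self.next_port += 1
            self.sessions[key] = tport
            self.reverse[(tport, dst, dport)] = (vrf_id, src, sport)
        return (self.wan_ip, self.sessions[key], dst, dport)

    def inbound(self, src: str, sport: int, dport: int) -> Optional[Tuple[int, str, int]]:
        """Map a packet arriving on WAN to (vrf_id, inside host, inside port)."""
        hit = self.reverse.get((dport, src, sport))
        if hit is not None:  # return traffic: the VRF id comes back from the session
            return hit
        return self.port_forwards.get(dport)  # otherwise a dest-route-table port forward


if __name__ == "__main__":
    nat = VrfNat(WAN_IP, PORT_FORWARDS)
    # Both customers use the same inside address and port toward the same server.
    print(nat.outbound(100, "192.168.1.10", 5000, "203.0.113.5", 443))
    print(nat.outbound(200, "192.168.1.10", 5000, "203.0.113.5", 443))
    print(nat.inbound("203.0.113.5", 443, 40001))   # back to VRF 200
    print(nat.inbound("192.0.2.7", 55555, 80))      # port forward into VRF 100
```

Without the VRF id in the session key, the two outbound flows above would be indistinguishable and return traffic could be delivered to the wrong customer.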

Full Example Configuration Commands

host interface enp6s18
    enable
    ip dhcp-client enable
exit

dataplane dpdk dev 0000:06:13.0 network name WAN
dataplane dpdk dev 0000:06:14.0 network name LAN

route table CustomerA
    id 100
exit

route table CustomerB
    id 200
exit

vpf nat ruleset WAN-nat
    rule 100
        description Customer VRFs
        from ipv4-prefix 192.168.1.0/24
        to ipv4-prefix 0.0.0.0/0
        dynamic
        algorithm ip-hash
        direction out
        nat-interface WAN
    exit
exit

vpf options
    interface WAN nat-ruleset WAN-nat
exit

vpf enable

interface subif LAN 100
    exact-match
    outer-dot1q 100
exit
interface subif LAN 200
    exact-match
    outer-dot1q 200
exit

interface LAN
    enable
    rx-mode adaptive
exit

interface LAN.100
    description CustomerA
    enable
    vrf CustomerA
    ip address 192.168.1.1/24
exit
interface LAN.200
    description CustomerB
    enable
    vrf CustomerB
    ip address 192.168.1.1/24
exit
interface WAN
    enable
    rx-mode adaptive
    dhcp client ipv4 hostname vrf-docs
exit

route table CustomerA
    id 100
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit

route table CustomerB
    id 200
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit