Using VPF NAT with VRF and Overlapping Networks
VPF builds on Virtual Routing and Forwarding (VRF) features by adding new functionality to the dataplane which is unique to TNSR.
Note
Virtual Routing and Forwarding allows administrators to create multiple routing tables. Assigning these alternate routing tables to one or more interfaces effectively separates them into isolated virtual “routers” which can contain unique or overlapping network segments.
A virtual “router” of this sort can be referred to as a “VRF”, which includes the routing table component and the interfaces which utilize that table.
Normally, when using VRFs with TNSR, routes must exist between a VRF and the default VRF if hosts in that VRF require access to resources in the default VRF. Such routes allow traffic to “leak” between VRFs, and they are unworkable for a multi-tenant provider: when VRFs use overlapping address space, the default VRF cannot install an unambiguous return route to each tenant.
The advanced NAT features in VPF provide access to resources in the default VRF without those inter-VRF routes. Thus, when using VPF there are no limitations on the IPv4 address spaces used inside the VRFs, and there is no need for unique, non-overlapping subnets per tenant.
Note
Currently, services which are not aware of VRFs cannot be bound to interfaces in a VRF. Services which do not support VRFs include, but are not limited to, Kea DHCP Server and Unbound DNS Server.
Example Summary
The following example demonstrates a TNSR configuration for two customers with overlapping IPv4 address spaces, outbound dynamic NAT, and port forwards.
The customers in this example are CustomerA and CustomerB. These customers must be isolated from each other so that no services, traffic, or configuration from either customer can affect the other.
This example uses VRF to isolate the networks and VPF for NAT.
Create VRF Route Tables
First, create the VRF route tables and provide an egress route from each VRF to the upstream gateway at 198.51.100.1:
route table CustomerA
    id 100
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit
route table CustomerB
    id 200
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit
Note
If the default routing table uses dynamic routing and the VRFs need to follow those dynamic routes, use next-hop 10 via 0.0.0.0 next-hop-table default instead of statically defining the gateway.
When using the next-hop-table option, any network routable from the default table becomes reachable from the VRFs, but for outbound traffic only: there are no return routes into a VRF, so remote hosts cannot initiate inbound connections to hosts in the VRF. Filtering can be used to further restrict outbound traffic.
Note
If TNSR cannot resolve the upstream next-hop at startup, TNSR may fail to install the default route. In this situation, add the dataplane-only property to the default route in the VRF so that TNSR will still add the route to the dataplane at startup. See Managing Routes for details.
Configure Customer Interfaces
Next, add the customer VRF to each corresponding customer interface. Each customer interface uses the same IP address to provide a uniform customer experience. This IP address is the default gateway for hosts belonging to customers.
See also
This example uses VLAN subinterfaces, see VLAN Subinterfaces for more details.
interface LAN.100
    description CustomerA
    enable
    vrf CustomerA
    ip address 192.168.1.1/24
exit
interface LAN.200
    description CustomerB
    enable
    vrf CustomerB
    ip address 192.168.1.1/24
exit
Create VPF NAT Rules
Now, create VPF NAT rules. These rules allow outbound dynamic NAT from customer VRFs to the internet.
vpf nat ruleset WAN-nat
    rule 100
        description Customer VRFs
        from ipv4-prefix 192.168.1.0/24
        to ipv4-prefix 0.0.0.0/0
        dynamic
        algorithm ip-hash
        direction out
        nat-interface WAN
    exit
exit
vpf options
    interface WAN nat-ruleset WAN-nat
exit
vpf enable
Note
VPF NAT rules apply to all VRFs routed into the default VRF; the rule above matches on the source prefix alone and cannot distinguish one tenant's 192.168.1.0/24 from another's. Future releases of VPF will allow restricting the source VRF for outbound dynamic NAT, for example if a specific customer should use a different NAT IP address.
When VPF performs outbound NAT on traffic sourced from a VRF it tracks the VRF ID in the session data, allowing it to uniquely identify return traffic.
VPF Port Forwarding into a VRF
VPF also supports port forwarding into VRFs. Port forwarding into a VRF requires an additional parameter on NAT rules, dest-route-table. This example forwards port 80 on the WAN IP address(es) to a host belonging to CustomerA with address 192.168.1.10/32.
See also
Refer to Port Forwarding for general port forwarding examples.
vpf nat ruleset WAN-nat
    rule 101
        description Forward port 80 to CustomerA
        dest-route-table CustomerA
        to ifaddrs WAN
        to port 80
        nat-prefix 192.168.1.10/32
        nat port 80
        dynamic
        protocol tcp
        direction in
    exit
exit
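Two points above are easier to see in a small model than in prose: outbound sessions record the VRF ID, so return traffic for two tenants whose hosts share the same 192.168.1.x address is mapped back to the right VRF, and an inbound port forward needs dest-route-table to hand the translated packet to the tenant's route table. The following Python is an added example written for this page, not VPF or TNSR code. It models the session tracking the page describes; the VRF IDs 100 and 200, the host 192.168.1.10 and the 192.168.1.0/24 prefix come from the example above, while the WAN address 203.0.113.5, the peer addresses and the port allocation scheme are constructed for the demo.

```python
"""Illustrative model of VRF-aware NAT: outbound dynamic NAT keyed on VRF ID,
plus inbound port forwards that hand the packet to a tenant's route table.
Added example, not VPF or TNSR code; WAN and peer addresses are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

DEFAULT_VRF = 0  # stands in for TNSR's default route table


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    vrf: int = DEFAULT_VRF  # route table the packet is currently forwarded in


@dataclass(frozen=True)
class Session:
    vrf: int                  # VRF of the inside host; return traffic goes back here
    inside: Tuple[str, int]   # untranslated inside address and port
    outside: Tuple[str, int]  # address and port as seen on the WAN
    peer: Tuple[str, int]     # remote host
    proto: str


class VrfNat:
    """Stateful NAT on the WAN interface for all VRFs routed into the default VRF."""

    def __init__(self, wan_ip: str, from_prefix: str, first_port: int = 10000):
        self.wan_ip = wan_ip
        self.from_prefix = ip_network(from_prefix)  # the rule's 'from ipv4-prefix'
        self.next_port = first_port                 # constructed allocation scheme
        # Inside keys include the VRF ID, so two tenants with the same
        # 192.168.1.x host and port get separate sessions.
        self.by_inside: Dict[tuple, Session] = {}   # (vrf, src, sport, dst, dport, proto)
        self.by_outside: Dict[tuple, Session] = {}  # (nat_port, peer, peer_port, proto)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int, int]] = {}  # (proto, wan port) -> (host, port, vrf)

    def add_port_forward(self, proto: str, wan_port: int, host: str, host_port: int,
                         dest_route_table: int) -> None:
        self.forwards[(proto, wan_port)] = (host, host_port, dest_route_table)

    def _install(self, vrf, inside, outside, peer, proto) -> Session:
        sess = Session(vrf, inside, outside, peer, proto)
        self.by_inside[(vrf,) + inside + peer + (proto,)] = sess
        self.by_outside[(outside[1],) + peer + (proto,)] = sess
        return sess

    def outbound(self, pkt: Packet) -> Packet:
        """Rule 100: dynamic NAT for the inside prefix leaving via WAN, whatever its VRF."""
        if ip_address(pkt.src) not in self.from_prefix:
            return pkt  # not matched by the rule; forwarded untranslated
        key = (pkt.vrf, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        sess = self.by_inside.get(key)
        if sess is None:
            sess = self._install(pkt.vrf, (pkt.src, pkt.sport), (self.wan_ip, self.next_port),
                                 (pkt.dst, pkt.dport), pkt.proto)
            self.next_port += 1
        return replace(pkt, src=sess.outside[0], sport=sess.outside[1], vrf=DEFAULT_VRF)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return traffic is mapped back by session; new connections only via a forward."""
        if pkt.dst != self.wan_ip:
            return None
        sess = self.by_outside.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if sess is None:
            fwd = self.forwards.get((pkt.proto, pkt.dport))
            if fwd is None:
                return None  # no session and no forward: dropped
            host, host_port, vrf = fwd  # rule 101: dest-route-table selects the VRF
            sess = self._install(vrf, (host, host_port), (self.wan_ip, pkt.dport),
                                 (pkt.src, pkt.sport), pkt.proto)
        return replace(pkt, dst=sess.inside[0], dport=sess.inside[1], vrf=sess.vrf)

    def collisions_without_vrf(self) -> int:
        """Inside sessions that would become indistinguishable without the VRF ID in the key."""
        return len(self.by_inside) - len({k[1:] for k in self.by_inside})


def demo():
    nat = VrfNat("203.0.113.5", "192.168.1.0/24")
    nat.add_port_forward("tcp", 80, "192.168.1.10", 80, 100)  # CustomerA, id 100
    # Identical 5-tuples from CustomerA (100) and CustomerB (200): overlapping space.
    a = nat.outbound(Packet("192.168.1.10", 40000, "198.51.100.50", 443, vrf=100))
    b = nat.outbound(Packet("192.168.1.10", 40000, "198.51.100.50", 443, vrf=200))
    # Replies are told apart by the translated port and land in the right VRF.
    ra = nat.inbound(Packet("198.51.100.50", 443, a.src, a.sport))
    rb = nat.inbound(Packet("198.51.100.50", 443, b.src, b.sport))
    # A new inbound connection to WAN:80 is forwarded into CustomerA's table ...
    fwd = nat.inbound(Packet("192.0.2.77", 51515, "203.0.113.5", 80))
    # ... and the server's reply reuses that session, so it leaves as WAN:80.
    reply = nat.outbound(Packet("192.168.1.10", 80, "192.0.2.77", 51515, vrf=100))
    drop = nat.inbound(Packet("192.0.2.77", 51515, "203.0.113.5", 22))
    return a, b, ra, rb, fwd, reply, drop, nat.collisions_without_vrf()
```

The collisions_without_vrf count is the practical reason the VRF ID has to be part of the session state: with it removed, the two tenants' sessions collapse into one key and the second reply would be delivered to the wrong customer.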
Full Example Configuration Commands
host interface enp6s18
    enable
    ip dhcp-client enable
exit
dataplane dpdk dev 0000:06:13.0 network name WAN
dataplane dpdk dev 0000:06:14.0 network name LAN
route table CustomerA
    id 100
exit
route table CustomerB
    id 200
exit
vpf nat ruleset WAN-nat
    rule 100
        description Customer VRFs
        from ipv4-prefix 192.168.1.0/24
        to ipv4-prefix 0.0.0.0/0
        dynamic
        algorithm ip-hash
        direction out
        nat-interface WAN
    exit
exit
vpf options
    interface WAN nat-ruleset WAN-nat
exit
vpf enable
interface subif LAN 100
    exact-match
    outer-dot1q 100
exit
interface subif LAN 200
    exact-match
    outer-dot1q 200
exit
interface LAN
    enable
    rx-mode adaptive
exit
interface LAN.100
    description CustomerA
    enable
    vrf CustomerA
    ip address 192.168.1.1/24
exit
interface LAN.200
    description CustomerB
    enable
    vrf CustomerB
    ip address 192.168.1.1/24
exit
interface WAN
    enable
    rx-mode adaptive
    dhcp client ipv4 hostname vrf-docs
exit
route table CustomerA
    id 100
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit
route table CustomerB
    id 200
    route 0.0.0.0/0
        next-hop 10 via 198.51.100.1 WAN
    exit
exit