Have you looked at VASI configuration?
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html

David
--
http://dcp.dcptech.com
 

On 8/19/19, 8:58 AM, "cisco-nsp on behalf of Aaron Gould" 
<[email protected] on behalf of [email protected]> wrote:

    We have lots of Zyxels and manage all of them with their public address.  Why
    don't you just do that?
    
    -Aaron
    
    -----Original Message-----
    From: cisco-nsp [mailto:[email protected]] On Behalf Of Mike
    Sent: Sunday, August 18, 2019 3:14 PM
    To: [email protected]
    Subject: Re: [c-nsp] Inter-VRF with NAT
    
    
    > Hi Mike,
    >
    > I'm not sure I've understood your network topology to be honest. Are you
    > saying that you have Cisco devices with a single WAN link that doesn't support
    > logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs over
    > different VLANs, e.g. internet in global routing table over VLAN 10, management
    > VRF over VLAN 20 etc? And you basically want multiple VRFs between the CPE and
    > its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic
    > or need layer 2 connectivity to every CPE?
    
    My cpe devices are typically zyxel. On the wan interface of these
    devices, we usually have one service which is customer internet access
    (pppoe or dhcp), and then another service which is mapped at either a
    different vlan or a different vci/vpl, which is for management (and it's
    always dhcp). So, from the perspective of the device, it only has one
    routing table - the global table - and the 'default route' will normally
    be the internet service gateway.  A common short-sightedness in these is
    that they can't do policy routing, and they can't have a separate
    routing table where management network traffic uses a gateway different
    than the internet service gateway.
    
    The broadband aggregation router will have layer 2 to the subscriber.
    So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20
    would be management traffic. I would like to have vlan 20 in a separate
    vrf, and I would like to be able to assign it an ip address
    (172.16.1.1), and I want to hand out addresses to the cpe in the range
    of 172.16.1.x. But, because the CPE are braindead, I need to arrange
    things so management access to the cpe all appear to come from
    172.16.1.1. That way, the devices won't need to consult the routing
    table for a gateway and will instead simply arp for the 172.16.1.1 as
    it's on the same l3 network segment. This is the only way to deal with
    devices that don't know the correct gateway back. The only way I know
    how to accomplish this is with nat, unless there was some other socks
    type proxy on my asr1000 I don't know about.
    
    
    Mike-
    
    
    
    
    _______________________________________________
    cisco-nsp mailing list  [email protected]
    https://puck.nether.net/mailman/listinfo/cisco-nsp
    archive at http://puck.nether.net/pipermail/cisco-nsp/
    
    

