Adtran – Multiple VRFs with Internet Access
I recently had to create a configuration that contained multiple VRFs that all NAT/PAT out the same ISP connection. There is also a managed circuit that connects back to the Managed Service Provider (MSP) for management. All dynamic routing configuration will need to be placed in the global routing table (default VRF). For this example, assume that the MSP is in the GRT.
To begin, we need to define our VRFs. For this example I will use the following:
ip vrf TENANT1 route-distinguisher 100:1
ip vrf TENANT2 route-distinguisher 100:2
ip vrf INTERNET route-distinguisher 100:100
We also need to enable the firewall for all of the VRFs that need Internet access:
ip firewall vrf TENANT1
ip firewall vrf TENANT2
ip firewall vrf INTERNET
Now we can configure our interfaces:
interface vlan 1
ip vrf forwarding TENANT1
description TENANT1 – LAN
ip address 172.25.0.1 255.255.255.0
interface vlan 2
ip vrf forwarding TENANT2
description TENANT2 – LAN
ip address 172.25.0.1 255.255.255.0
interface vlan 100
ip vrf forwarding INTERNET
description Cox Communications – INTERNET
ip address 66.1.1.2 255.255.255.248
We need to set a default route for the TENANT VRFs, which requires an egress interface or next-hop IP address. Because the traffic is staying on the same physical device, we must first configure a few loopback interfaces to act as that next hop.
interface loopback 1
ip vrf forwarding TENANT1
description TENANT1 – Internet Route
ip address 1.1.1.1 255.255.255.255
interface loopback 2
ip vrf forwarding TENANT2
description TENANT2 – Internet Route
ip address 1.1.1.1 255.255.255.255
Then add the routes. Notice that both TENANT VRFs route to 1.1.1.1, as that address is contained in both VRFs.
ip route vrf TENANT1 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf TENANT2 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf INTERNET 0.0.0.0 0.0.0.0 66.1.1.1
We can now configure an ACL to specify the source traffic to NAT overload (PAT). Again, both VRFs use the same IP space, so a single ACL matches traffic from either tenant.
ip access-list extended NAT
permit ip 172.25.0.0 0.0.0.255 any
Now configure a policy-class for each tenant that maps to the above ACL:
ip policy-class TENANT1_NAT_OUT
nat source list NAT interface vlan 100 overload
ip policy-class TENANT2_NAT_OUT
nat source list NAT interface vlan 100 overload
Next we need to add an "access-class" to the source interfaces. This maps each interface to its policy-class.
interface vlan 1
access-class TENANT1_NAT_OUT
interface vlan 2
access-class TENANT2_NAT_OUT
Clear the policy-sessions, then attempt to access the Internet from a device in VLAN 1 or 2. I'll add another section to this later that explains how to configure DHCP pools per VLAN.
SUMMARY (Please excuse the diagram... it was made in Dia and not Visio)
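As an added sanity check (example code written for this page, not from the original post or from Adtran), the following Python script parses a flat AOS config like the one above and flags the dependencies this design relies on: an access-class on an interface whose VRF has no "ip firewall vrf" line, an access-class that names a policy-class which is never defined, and the same subnet appearing twice inside one VRF (reuse across VRFs, as with the two tenants here, is intended and is not flagged). The sample config is constructed from the summary below, with two lines deliberately omitted so the checks have something to find.

```python
import ipaddress

# Constructed sample mirroring the post's summary config, with the firewall
# line for TENANT2 and the TENANT2_NAT_OUT policy-class deliberately left out.
SAMPLE = """\
ip firewall vrf TENANT1
ip vrf TENANT1 route-distinguisher 100:1
ip vrf TENANT2 route-distinguisher 100:2
interface vlan 1
 ip vrf forwarding TENANT1
 access-class TENANT1_NAT_OUT
 ip address 172.25.0.1 255.255.255.0
interface vlan 2
 ip vrf forwarding TENANT2
 access-class TENANT2_NAT_OUT
 ip address 172.25.0.1 255.255.255.0
ip route vrf TENANT1 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf TENANT2 0.0.0.0 0.0.0.0 1.1.1.1
ip policy-class TENANT1_NAT_OUT
 nat source list NAT interface vlan 100 overload
"""

def parse(text):
    """Collect firewall-enabled VRFs, defined policy-classes and per-interface settings."""
    fw, policies, ifaces, cur = set(), set(), {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["ip", "firewall", "vrf"]: fw.add(w[3])
        elif w[:2] == ["ip", "policy-class"]: policies.add(w[2])
        elif w[:1] == ["interface"]: cur = ifaces.setdefault(" ".join(w[1:]), {})
        elif cur is not None and w[:3] == ["ip", "vrf", "forwarding"]: cur["vrf"] = w[3]
        elif cur is not None and w[:1] == ["access-class"]: cur["pc"] = w[1]
        elif cur is not None and w[:2] == ["ip", "address"]:  # dotted-quad mask is accepted
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
    return fw, policies, ifaces

def findings(text):
    """Return the misconfigurations that would silently break the post's NAT design."""
    fw, policies, ifaces = parse(text)
    out, seen = [], {}
    for name, i in ifaces.items():
        vrf, pc, net = i.get("vrf"), i.get("pc"), i.get("net")
        if pc and vrf not in fw:       # policy-class does nothing unless the VRF firewall is on
            out.append(f"{name}: access-class {pc} but no 'ip firewall vrf {vrf}'")
        if pc and pc not in policies:  # access-class refers to a policy-class that is not defined
            out.append(f"{name}: policy-class {pc} is not defined")
        if net and (vrf, net) in seen: # same subnet in two VRFs is fine; twice in one VRF is not
            out.append(f"{name}: {net} already used in VRF {vrf} on {seen[vrf, net]}")
        if net: seen[vrf, net] = name
    return out
```

Running findings(SAMPLE) reports both problems on vlan 2; feed it the full summary config and it returns an empty list.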
ip firewall vrf TENANT1
ip firewall vrf TENANT2
ip firewall vrf INTERNET
ip vrf TENANT1 route-distinguisher 100:1
ip vrf TENANT2 route-distinguisher 100:2
ip vrf INTERNET route-distinguisher 100:100
interface vlan 1
ip vrf forwarding TENANT1
description TENANT1 – LAN
access-class TENANT1_NAT_OUT
ip address 172.25.0.1 255.255.255.0
interface vlan 2
ip vrf forwarding TENANT2
description TENANT2 – LAN
access-class TENANT2_NAT_OUT
ip address 172.25.0.1 255.255.255.0
interface vlan 100
ip vrf forwarding INTERNET
description Cox Communications – INTERNET
ip address 66.1.1.2 255.255.255.248
interface loopback 1
ip vrf forwarding TENANT1
description TENANT1 – Internet Route
ip address 1.1.1.1 255.255.255.255
interface loopback 2
ip vrf forwarding TENANT2
description TENANT2 – Internet Route
ip address 1.1.1.1 255.255.255.255
ip route vrf TENANT1 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf TENANT2 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf INTERNET 0.0.0.0 0.0.0.0 66.1.1.1
ip access-list extended NAT
permit ip 172.25.0.0 0.0.0.255 any
ip policy-class TENANT1_NAT_OUT
nat source list NAT interface vlan 100 overload
ip policy-class TENANT2_NAT_OUT
nat source list NAT interface vlan 100 overload