To configure a vEdge router to be an Internet exit point, you enable NAT within a VPN on the vEdge router, and then you configure a centralized data policy on a vSmart controller. This policy splits the traffic within the VPN so that some of it is directed towards remote sites within the VPN, and hence remains within the overlay network, and other traffic is directed to the Internet or other destinations outside the overlay network. It is also possible to configure a vEdge router to forward data traffic directly to the Internet, by specifying the destination IP prefix.
NAT Configuration Considerations
When configuring a vEdge router to act as a NAT device, keep the following considerations in mind:
- For a vEdge router that is acting as a vBond orchestrator, do not enable NAT operation on the interface that is tied to the vBond orchestrator's IP address. If you do so, the orchestrator is placed into a private address space behind the NAT. For the overlay network to function properly, the vBond orchestrator must be in a public address space. You can, however, enable NAT operation on the other vEdge router interfaces.
- When you enable NAT on a vEdge router, the router NATs all traffic that is sent out through VPN 0. That is, both data traffic and control traffic are NATed.
- The NAT operation on outgoing traffic is performed in the VPN 0, which is always only a transport VPN. The router's connection to the Internet is in VPN 0. Performing the NAT operation in VPN 0 avoids the IPsec tunnels that carry data traffic within the overlay network.
- If you configure NAT on multiple interfaces in VPN 0, ECMP is performed among the interfaces.
- When you use NAT—either by configuring it on an interface or by setting it as an action in a centralized data policy—no route lookup is performed. Instead, traffic is forwarded to one of the available NAT default gateways.
- The vEdge router NAT implementation uses end-point–independent NAT. If your network contains other NAT devices that interact with the vEdge router NAT, these devices must either perform end-point–independent NAT, or they must be configured with policy rules so that they do not change the port numbers for Viptela overlay network destinations.
- When a vEdge router has two or more NAT interfaces, and hence two or more DIA connections to the internet, by default, data traffic is forwarding on the NAT interfaces using ECMP. To direct data traffic to a specific DIA interface, configure a centralized data policy on the vSmart controller that sets two actions—nat and local-tloc color. In the local-tloc color action, specify the color of the TLOC that connects to the desired DIA connection.
Direct Traffic to Exit to the Internet Using Data Policy
To use a centralized data policy to direct traffic from a vEdge router directly to the Internet, you enable NAT functionality in the WAN VPN or VPNs, and then you create and apply a centralized data policy.
Enable NAT Functionality in the WAN VPN
The first step in setting up Internet exit on a vEdge router is to configure the router to act as a NAT device. You do this by enabling NAT functionality in VPNs that have interfaces that connect to a WAN transport network. By default, VPN 0 always connects to the WAN transport. Other VPNs in your network might also connect to WANs.
To configure a vEdge router to act as a NAT device:
- Enable NAT in the desired VPN:
vEdge(config)# vpn vpn-id interface interface-name nat
- By default, NAT mappings from the Viptela overlay network side of the NAT to the external side of the NAT remain active, and NAT mapping timers are refreshed regularly to keep the mapping operational. To also refresh NAT mappings of packets coming from the external side of the NAT into the overlay network, change the refresh behavior:
vEdge(config-nat)# refresh bi-directional
- NAT sessions time out after a period of non-use. By default, TCP sessions time out after 60 minutes, and UDP sessions time out after 20 minutes. To change these times:
vEdge(config-nat)# tcp-timeout minutes
vEdge(config-nat)# udp-timeout minutes
The times can be from 1 to 65535 minutes.
The following NAT session timers are fixed, and you cannot modify them:
• TCP session timeout if no SYN-ACK response is received—5 seconds
• TCP session timeout if three-way handshaking is not established—10 seconds
• TCP session timeout after receiving a FIN/RST packet—30 seconds
• ICMP timeout—6 seconds
• Other IP timeout—60 seconds
- By default, the vEdge router does not receive inbound ICMP error messages. However, NAT uses ICMP to relay error messages across a NAT. To have the router receive the NAT ICMP messages:
vEdge(config-nat)# no block-icmp-error
However, in case of a DDoS attack, you might want to return to the default, to again prevent the vEdge router from receiving inbound ICMP error messages.
Create a Data Policy to Direct Traffic to the Internet Exit
To direct data traffic from a vEdge router to an Internet exit point, you split the destination of the traffic within a VPN, sending some to remote sites in the VPN and directing the traffic that is destined to the Internet (or other destinations outside the overlay network) to exit directly from the local vEdge router to the external destination destination.
To split the traffic, configure a centralized data policy on a vSmart controller:
- Configure the source prefix of the data traffic:
vSmart(config)# policy data-policy policy-name
vSmart(data-policy)# vpn-list list-name
vSmart (vpn-list)# sequence number
vSmart(sequence)# match source-ip ip-prefix
- Configure the destination of the data traffic, either by IP prefix or by port number:
vSmart(sequence)# match destination-ip ip-prefix
vSmart(sequence)# match destination-port port-number
- Direct matching data traffic to the NAT functionality. You can optionally configure a packet counter.
vSmart(sequence)# action accept
vSmart(accept)# count counter-name
vSmart(accept)# nat use-vpn 0
- Configure additional sequences, as needed, for other source prefixes and destination prefixes or ports, and for other VPNs.
- Change the default data policy accept default action from reject to accept. With this configuration, all non-matching data traffic is forwarded to service-side VPNs at remote sites instead of being dropped.
vSmart(vpn-list)# default-action accept
- Apply the data policy to particular sites in the overlay network:
vSmart(config)# apply-policy site-list list-name data-policy policy-name
Direct Traffic to Exit to the Internet Based Only on IP Prefix
You can direct data traffic to a local internet exit based only on the destination IP prefix. To configure this, in the service VPN, forward traffic that is destined towards an internet location to VPN 0, which is the WAN transport VPN:
vEdge(config)# vpn vpn-id vEdge(config-vpn)# ip route prefix vpn 0
In the vpn command, specify the VPN ID of the service-side VPN from which you are sending the traffic. In the ip route command, prefix is the IPv4 prefix of the remote destination.The vpn 0 option configures the software to perform the route lookup in VPN 0 rather than in the service-side VPN, because the service-side VPN cannot resolve the route.
For the traffic redirection to work, in VPN 0, you must enable NAT on the interface associated with the configured prefix:
vEdge(config)# vpn 0 interface interface-name nat
Here, the interface is the one to use to reach the destination prefix.
The following snippet illustrates the two parts of the configuration:
vEdge# show running-config vpn 1 vpn 1 ... ip route 10.1.17.15/32 vpn 0 ! vEdge# show running-config vpn 0 vpn 0 ... interface ge0/1 ... nat ! no shutdown ! !
To verify that the redirection is working properly, look at the output of the show ip routes command:
vEdge# show ip routes Codes Proto-sub-type: IA -> ospf-inter-area, E1 -> ospf-external1, E2 -> ospf-external2, N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2, e -> bgp-external, i -> bgp-internal Codes Status flags: F -> fib, S -> selected, I -> inactive, B -> blackhole, R -> recursive PROTOCOL NEXTHOP NEXTHOP NEXTHOP VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS ---------------------------------------------------------------------------------------------------------------------------------- 0 0.0.0.0/0 static - ge0/0 10.1.15.13 - - - - F,S 0 10.0.20.0/24 connected - ge0/3 - - - - - F,S 0 10.0.100.0/24 connected - ge0/7 - - - - - F,S 0 10.1.15.0/24 connected - ge0/0 - - - - - F,S 0 10.1.17.0/24 connected - ge0/1 - - - - - F,S 0 220.127.116.11/24 connected - ge0/6 - - - - - F,S 0 172.16.255.15/32 connected - system - - - - - F,S 1 10.1.17.15/32 nat - ge0/1 - 0 - - - F,S 1 10.20.24.0/24 ospf - ge0/4 - - - - - - 1 10.20.24.0/24 connected - ge0/4 - - - - - F,S 1 10.20.25.0/24 omp - - - - 172.16.255.16 lte ipsec F,S 1 18.104.22.168/24 connected - ge0/5 - - - - - F,S 1 22.214.171.124/24 omp - - - - 172.16.255.16 lte ipsec F,S 1 126.96.36.199/24 omp - - - - 172.16.255.16 lte ipsec F,S 512 10.0.1.0/24 connected - eth0 - - - - - F,S
In VPN 1, the prefix 10.1.17.15/32 is associated with the protocol "nat", which reflects the configuration of the ip route command in VPN 1. For this prefix, the next-hop interface is ge0/1, and the next-hop VPN is VPN 0. This prefix is installed into the route table only if the resolving next hop is over an interface on which NAT is enabled.
The prefix that you configure in the ip route represents a route in the specified VPN (the VPN whose ID you enter in the first command above). To direct traffic to that prefix, you can redistribute it into BGP or OSPF:
vEdge(config-vpn)# bgp address-family address-family redistribute nat vEdge(config-vpn)# ospf redistribute nat