
Thursday, May 9, 2019

HPE Comware MSR router source/destination VRF-aware NAT


In the following post I will show how to configure VRF-aware source and destination NAT on the HPE MSR router series.

I'm going to use the following topology:



Now let's define the goals. Say we have an internal LAN (192.168.22.0/24) that needs to reach some services/servers on a remote network (192.168.12.0/24), but, for some reason, we cannot install the remote network in the routing table of our LAN. All of this, of course, must be VRF-aware.

So here I'm using a virtual IP address, 2.2.2.2/32, which represents the remote server IP address (192.168.12.1 – SW12), so all clients on the LAN (192.168.22.1 – SW22) will be pointed to 2.2.2.2.

IP Address         NAT Translation    NAT Direction
2.2.2.2/32         192.168.12.1       Inbound
192.168.22.0/24    10.20.0.2          Outbound

So whenever a client on the internal LAN (192.168.22.0/24) sends a packet to 2.2.2.2, its source IP address is translated to 10.20.0.2 (the RTR2 WAN interface) and the destination is translated to 192.168.12.1 (SW12).

And again, all of the configuration is done from a VRF-aware perspective.

RTR2 Basic Configuration:

 sysname RTR2
#
ip vpn-instance V20
 route-distinguisher 1:20
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 vlan-type dot1q vid 20
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
#
ip route-static vpn-instance V20 0.0.0.0 0 GigabitEthernet0/0.20 10.20.0.1

Here we will need to use inbound NAT in order to translate the destination IP address and outbound NAT in order to translate the source IP address.

Configure basic ACL for outbound NAT:

acl basic 2000
 rule 0 permit vpn-instance V20 source 192.168.22.0 0.0.0.255

Configure advanced ACL for inbound NAT:

acl advanced 3000
 rule 10 permit icmp vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0
 rule 15 permit ip vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0

Note that an advanced ACL requires the protocol to be specified in each rule.

Next configure NAT address group:

nat address-group 1
 address 10.20.0.2 10.20.0.2

A NAT address group is a single IP address or a range of addresses that we use as the NAT translation result (source or destination).

On interface GigabitEthernet0/0.20 (RTR2 WAN interface) we will configure the outbound NAT, where internal LAN IP address (192.168.22.0/24) will be translated to 10.20.0.2:

interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 nat outbound 2000 address-group 1 vpn-instance V20
 vlan-type dot1q vid 20

On interface GigabitEthernet0/2 (RTR2 LAN interface) we will configure the inbound NAT, where the virtual IP address (2.2.2.2) is translated to the real remote IP address (192.168.12.1):

interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
 nat server global 3000 inside 192.168.12.1 vpn-instance V20

Each packet with a source IP address in 192.168.22.0/24 that is destined to 2.2.2.2 (see the ACL 3000 configuration) has its destination translated to 192.168.12.1.

The last step is to configure a static route for the virtual IP address (2.2.2.2):

ip route-static vpn-instance V20 2.2.2.2 32 GigabitEthernet0/0.20 10.20.0.1

Sending a ping from SW22 to SW12 gives the following result:


This is a packet capture on RTR1 – interface GigabitEthernet0/0
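To make the per-hop addresses explicit, here is an added Python model of the two translations RTR2 applies (destination rewrite by `nat server` on Gi0/2, source rewrite by `nat outbound` on Gi0/0.20) and of the reply path. It is example code written for this post, not Comware's implementation; the addresses come from the configuration above, the `Packet` and `Rtr2Nat` names are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses taken from the post; the model itself is assumed, not Comware's code.
LAN = ip_network("192.168.22.0/24")        # source of ACL 2000 and ACL 3000
VIRTUAL_IP = ip_address("2.2.2.2")         # destination of ACL 3000 (nat server global)
REAL_SERVER = ip_address("192.168.12.1")   # nat server ... inside (SW12)
WAN_IP = ip_address("10.20.0.2")           # nat address-group 1 (RTR2 WAN)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


def acl3000_matches(pkt):
    """rules 10/15: icmp or ip from 192.168.22.0/24 to host 2.2.2.2."""
    return ip_address(pkt.src) in LAN and ip_address(pkt.dst) == VIRTUAL_IP


def acl2000_matches(pkt):
    """rule 0: anything sourced from 192.168.22.0/24."""
    return ip_address(pkt.src) in LAN


class Rtr2Nat:
    """Both translations RTR2 applies, plus a session table for replies.
    Sessions are keyed by addresses only; real NAT also keys on ports/ICMP ids."""

    def __init__(self):
        self.sessions = {}  # (wan src, wan dst) -> (lan src, lan dst)

    def lan_to_wan(self, pkt):
        out = pkt
        if acl3000_matches(out):              # nat server on Gi0/2: rewrite destination
            out = replace(out, dst=str(REAL_SERVER))
        if acl2000_matches(out):              # nat outbound on Gi0/0.20: rewrite source
            out = replace(out, src=str(WAN_IP))
        if out != pkt:
            self.sessions[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def wan_to_lan(self, pkt):
        """Reply path: a reply carries the WAN-side addresses swapped."""
        key = (pkt.dst, pkt.src)
        if key not in self.sessions:
            return None                        # no session: nothing to untranslate
        lan_src, lan_dst = self.sessions[key]
        return Packet(src=lan_dst, dst=lan_src, proto=pkt.proto)
```

A packet from 192.168.22.0/24 to any other destination only gets the source rewrite, and a packet from outside that range to 2.2.2.2 matches neither ACL and is left untouched.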



Wednesday, October 17, 2018

HPE Comware packet capture


How to activate and use built-in packet capture on HPE Comware switches

In every firmware upgrade archive you will probably find a feature image package:


After upgrading to the required image version, log in to the switch and run the following command:

install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1

You should see the following output:

<HPE-5130-EI>install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1
Verifying the file flash:/5130ei-cmw710-packet-capture-r3208p10.bin on slot 1.....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:

flash:/5130ei-cmw710-packet-capture-r3208p10.bin
  Running Version             New Version        
  None                        Release 3208P10   

  Slot                        Upgrade Way       
  1                           Service Upgrade   
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait..................Done.

Then run install commit:

<HPE-5130-EI>install commit
This operation will take several minutes, please wait........................Done.

Check that the feature package is activated:

<HPE-5130-EI>show install active
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin

Then reboot the switch:

<HPE-5130-EI>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y

After the switch reloads, you can start using the built-in packet capture:

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52 ?
  autostop               Specify the autostop criteria for packet capture
  brief                  Brief information
  capture-filter         Specify a filter rule for packet capture
  capture-ring-buffer    Specify the criteria for saving captured frames to a
                         new capture file
  display-filter         Specify a filter rule for displaying captured frames
  limit-captured-frames  Specify the maximum number of captured frames
  limit-frame-size       Specify the maximum size of a frame to be captured
  raw                    Display the packet data in hexadecimal format
  verbose                Detailed information
  write                  Specify the directory for saving captured frames
  <cr>                  

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52
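Because the feature package has to match the boot/system image release, a quick check of the `show install active` output is worth scripting before the reboot. The following Python is an added example (not from the original post or from HPE): it parses a constructed copy of the output shown above and reports a missing packet-capture package or a release mismatch; the filename pattern is assumed from the names on this page.

```python
import re

# Constructed sample in the shape of the 'show install active' output above.
SAMPLE = """\
<HPE-5130-EI>show install active
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin
"""

SLOT_RE = re.compile(r"Active packages on slot (\d+):")
# Assumed filename layout: <model>-cmw710-<kind>-<release>.bin, as on this page.
PKG_RE = re.compile(r"flash:/(?P<model>\w+)-cmw710-(?P<kind>[\w-]+?)-(?P<rel>r\d+p\d+)\.bin$")


def parse_active(output):
    """Return {slot: {package kind: (model, release)}} from 'show install active'."""
    slots, slot = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            slots[slot] = {}
            continue
        m = PKG_RE.match(line)
        if m and slot is not None:
            slots[slot][m["kind"]] = (m["model"], m["rel"])
    return slots


def check_feature(slots, feature="packet-capture"):
    """List problems: feature package missing, or its release differing from boot/system."""
    problems = []
    for slot, pkgs in slots.items():
        if feature not in pkgs:
            problems.append(f"slot {slot}: {feature} package is not active")
            continue
        base = {pkgs[k][1] for k in ("boot", "system") if k in pkgs}
        if len(base) != 1 or pkgs[feature][1] not in base:
            problems.append(f"slot {slot}: {feature} release {pkgs[feature][1]} "
                            f"does not match boot/system {sorted(base)}")
    return problems
```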



Monday, August 22, 2016

HPE FlexFabric IRF with Fortigate HA - OSPF and VPN-instances


HPE Comware 7 switches, in IRF mode, connected to a Fortigate 600D in HA active/passive mode.

The links between the devices are crossed so that a single device failure or an HA failover does not break connectivity.

In my first attempt I assumed that, since the HPE switches use IRF, I should handle them as a single device while connecting them to the Fortigate HA, so I connected all 4 ports from the switches in one bridge-aggregation group. This configuration led to partial packet loss, since all 4 ports in the link-aggregation group were up and running (the Fortigate ports are all up even though it's an HA configuration).

Configuring the Fortigate with 2 ports (port17 and port18) in aggregation mode carrying all VLAN sub-interfaces, while the HPE switches were configured with 2 bridge-aggregation interfaces, one for each switch, solved the problem.

Next there was the VPN-instance (VRF lite in Cisco terms) issue. On the switches I configured 5 VPN-instances and one OSPF process per VPN-instance between the Fortigate and the switches. The Fortigate advertised a default route (under Router->Dynamic->Advanced) in always mode. On the switches I didn't manage to see the default route in any VPN-instance. The problem was solved after issuing the command vpn-instance-capability simple under the VPN-instance sub-command.


This is the network topology:

HPE FlexFabric switch configuration (relevant parts):

ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ip vpn-instance TEST4
 route-distinguisher 1:40
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
irf domain 1 
 irf mac-address persistent timer
 irf auto-update enable
 irf link-delay 200
 irf member 1 priority 32
 irf member 2 priority 31
 irf member 1 description IRF_UNIT1
 irf member 2 description IRF_UNIT2
 irf mode normal
#
 irf-port global load-sharing mode destination-ip source-ip
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
ospf 40 router-id 1.1.1.40 vpn-instance TEST4
 vpn-instance-capability simple
 area 0.0.0.40
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 vpn-instance-capability simple
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#