Hi

Thanks for the reply, show ip nat trans vrf Guests doesn't show any translations until I do a ping vrf Guests 8.8.8.8 source vlan 400. The switch is at a remote site so I left a Webex phone connected to Gi1/0/17 (on vlan 400) so it should be generating traffic trying to connect to Webex. The show ip dhcp binding shows the phone has got an address from the pool:

192.168.1.11 0168.2c7b.5db5.a6 May 22 2023 11:19 AM Automatic Active Vlan400

The Gi1/0/15 is definitely connected to the internet, the ping vrf Guests works. The show access-list does show hits but it only goes up when I ping from vlan 400. Using debug ip nat details doesn't trigger any output when I shut/no shut the interface with the ip phone connected, only when I ping from vlan 400. 

sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 31.121.32.130:1024 192.168.1.1:13 8.8.8.8:13 8.8.8.8:1024

sh ip access-list nat-list
Standard IP access list nat-list
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (62 matches)

sh ip route vrf Guests
Extended Host Mode is enabled

Routing Table: Guests
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected

Gateway of last resort is 31.121.32.129 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 31.121.32.129
31.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 31.121.32.128/29 is directly connected, GigabitEthernet1/0/15
L 31.121.32.130/32 is directly connected, GigabitEthernet1/0/15
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan400
L 192.168.1.1/32 is directly connected, Vlan400

Thanks again

icmp 31.121.32.130:1024 192.168.1.1:13 8.8.8.8:13 8.8.8.8:1024 <<- all is OK still why the Port of destination is also NATing ?

Thanks for this, I don't seam to have the Match-in-vrf command available on the switch so. I tried updating it to 17.11.01 but still can't see the command. So, to check if this was the issue, I moved the other routing config on the switch to it's own vrf and removed the Guests vrf from this config so it wasn't in a vrf at all. Unfortunately I had exactly the same behaviour. Pings from the vlan svi were NAT'd but not the traffic from the IP phone connected to the switch.

Thank you. I don't have the match-in-vrf available on the switch. I tried swapping the configs around so the other routing table was in vrf and this one wasn't and had the same issue.

Hi

Thank you, it does require a network-advantage license, we have already bought the upgrade and applied it to the switch:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage
None Subscription Smart License None

Thanks for the update <smile>