Is it possible to use a VLAN, as opposed to an interface, as the outside NAT on a 6500?

psaunders
Level 1

Below is a copy of what I am trying to accomplish, but it does not seem to be working. It works fine if I only use one interface as the outside NAT, but I need to use a VLAN so I can have an outside VLAN and add ports to the VLAN as we add a few other network devices.

I am obviously missing something or doing something wrong.

vlan 200
 name Outside_Access_Vlan
!
! Outside NAT lives on the SVI (L3), not on the physical ports
interface Vlan200
 ip address 216.10.10.251 255.255.255.240
 ip nat outside
 no shutdown
!
interface Vlan10
 ip nat inside
interface Vlan90
 ip nat inside
interface Vlan92
 ip nat inside
interface Vlan96
 ip nat inside
interface Vlan112
 ip nat inside
!
ip routing
ip route 0.0.0.0 0.0.0.0 216.10.10.241
!
! The L2 access ports only need membership in vlan 200; "ip nat outside"
! is an L3 command and is not accepted under "switchport", so it is
! omitted here (the SVI carries it).
interface GigabitEthernet1/1
 description Outside_Access_Vlan_Sw1
 switchport
 switchport access vlan 200
!
interface GigabitEthernet1/2
 description Outside_Access_Vlan_Sw2
 switchport
 switchport access vlan 200
!
interface GigabitEthernet1/3
 description Outside_Access_Vlan_Sw3
 switchport
 switchport access vlan 200
!
interface GigabitEthernet1/4
 description Outside_Access_Vlan_ISP
 switchport
 switchport access vlan 200
!
! One ACL per inside subnet, each mapped to its own outside address
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.96.0 0.0.0.255 any
access-list 102 permit ip 10.10.112.0 0.0.0.255 any
access-list 103 permit ip 192.168.90.0 0.0.0.255 any
access-list 104 permit ip 192.168.92.0 0.0.0.255 any
!
ip nat pool IP101 216.10.10.246 216.10.10.246 netmask 255.255.255.240
ip nat pool IP102 216.10.10.247 216.10.10.247 netmask 255.255.255.240
ip nat pool IP103 216.10.10.248 216.10.10.248 netmask 255.255.255.240
ip nat pool IP104 216.10.10.249 216.10.10.249 netmask 255.255.255.240
!
ip nat inside source list 100 interface Vlan200 overload
ip nat inside source list 101 pool IP101 overload
ip nat inside source list 102 pool IP102 overload
ip nat inside source list 103 pool IP103 overload
ip nat inside source list 104 pool IP104 overload

19 Replies

When you moved to the SVI did you place g1/1 into vlan 200 ?

Jon

Jon,

Yes, I did place gi1/1 into vlan 200.

Here are the outputs you asked for. This is when it is not working as it should.

_RTR#
_RTR#sh run int vlan 200
Building configuration...

Current configuration : 84 bytes
!
interface Vlan200
 ip address 216.10.10.251 255.255.255.240
 ip nat outside
end

_RTR#sh int vlan 200
Vlan200 is up, line protocol is up
  Hardware is EtherSVI, address is 0023.33c6.0e40 (bia 0023.33c6.0e40)
  Internet address is 216.10.10.251/28
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:21:53, output 00:06:33, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     626 packets output, 40268 bytes, 0 underruns
     0 output errors, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
_RTR#

_RTR#sh run int gi1/1
Building configuration...

Current configuration : 76 bytes
!
interface GigabitEthernet1/1
 switchport
 switchport access vlan 200
end

_RTR#sh int gi1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001e.7a58.ad88 (bia 001e.7a58.ad88)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is SX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:42, output 00:00:50, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5000 bits/sec, 5 packets/sec
  5 minute output rate 5000 bits/sec, 6 packets/sec
     49503 packets input, 7089407 bytes, 0 no buffer
     Received 45153 broadcasts (15562 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     50113 packets output, 4965874 bytes, 0 underruns
     0 output errors, 0 collisions, 16 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
_RTR#

Something isn't right here.

You can see the interfaces have different mac addresses.

But from your arp outputs when it worked with the physical interface it is saying the mac address of 216.10.10.51 is for the SVI for vlan 200 which doesn't make sense.

I also noticed from your earlier output when you used the SVI you used a completely different address, i.e. 216.24.172.251, which could be a typo.

So to retest can you -

1) set it up for the SVI using 216.10.10.51

2) clear arp entries on next hop if there are any for that IP

3) check the arp table on the 6500 and clear any entries for the next hop IP

then try pinging and see what your arp table shows on the 6500.

Like I say none of your arp outputs show the physical interface mac address which I would expect to see when you are using a L3 port.

It may be that "ip nat outside" is not supported on an SVI in which case there may be a workaround but I can't see why it wouldn't be supported.

If the ping fails then can you remove the "ip nat outside" from the SVI for vlan 200 and try pinging again.

To me it looks like more of an arp/mac address issue than a NAT issue.

Jon
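The ARP/MAC check Jon describes above can be scripted against the CLI outputs. This is an added example, not from the thread: it parses the SVI's MAC and address out of "show interfaces", compares it with a constructed next-hop "show ip arp" table (the MACs reused from the thread's outputs, the table itself made up), and also confirms the NAT pool addresses sit inside the outside SVI's subnet.

```python
import re
import ipaddress

# Modelled on the thread's "sh int vlan 200" output (MAC and IP from the thread).
SHOW_INT_VLAN200 = """Vlan200 is up, line protocol is up
  Hardware is EtherSVI, address is 0023.33c6.0e40 (bia 0023.33c6.0e40)
  Internet address is 216.10.10.251/28
"""

# Constructed next-hop ARP table: the entry for .251 still holds the old
# physical port's MAC (001e.7a58.ad88 is gi1/1's MAC in the thread), i.e. stale.
NEXT_HOP_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  216.10.10.241           -   0011.2233.4455  ARPA   Vlan200
Internet  216.10.10.251          12   001e.7a58.ad88  ARPA   Vlan200
"""

# Pool addresses from the thread plus one constructed bad value for the check.
NAT_POOLS = {"IP101": "216.10.10.246", "IP102": "216.10.10.247",
             "IP103": "216.10.10.248", "IP104": "216.10.10.249",
             "BAD_EXAMPLE": "216.10.11.5"}

def svi_identity(show_int):
    """Return (ip_interface, mac) parsed from 'show interfaces' output."""
    mac = re.search(r"address is ([0-9a-f.]+)", show_int).group(1)
    ip = re.search(r"Internet address is (\S+)", show_int).group(1)
    return ipaddress.ip_interface(ip), mac

def parse_arp(show_arp):
    """Return {ip: (mac, age_minutes_or_None)} from 'show ip arp' output."""
    entries = {}
    for line in show_arp.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]+)\s+ARPA", line)
        if m:
            age = None if m.group(2) == "-" else int(m.group(2))
            entries[m.group(1)] = (m.group(3), age)
    return entries

def stale_entries(show_int, show_arp):
    """Neighbour ARP entries for the SVI's own IP whose MAC is not the SVI MAC.
    Each hit is (ip, mac_seen, mac_expected); the neighbour must clear it."""
    ip_if, mac = svi_identity(show_int)
    seen = parse_arp(show_arp).get(str(ip_if.ip))
    return [(str(ip_if.ip), seen[0], mac)] if seen and seen[0] != mac else []

def pools_outside_subnet(show_int, pools):
    """Names of NAT pools whose address is not in the outside SVI's subnet."""
    ip_if, _ = svi_identity(show_int)
    return [n for n, a in pools.items()
            if ipaddress.ip_address(a) not in ip_if.network]
```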

Can you also post -

"sh int g1/1" and "sh int vlan 200"

Jon

psaunders
Level 1

Thanks Jon, issue was a stale arp entry on the next hop.