Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
903
Views
0
Helpful
4
Replies

Nexus 93180YC-EX NAT between VLANs

Tibor M
Level 1
Level 1

‎11-11-2021 08:03 AM - edited ‎11-11-2021 08:05 AM

Hi,

 

I'm trying to achieve totally simple thing - NAT between VLANs... I have one testing scenario where our QAs need to have all traffic from one VLAN NATed (hidden) as another VLAN IP, but I cannot do it on firewall as I need to keep 10gbps speed (and firewall is just 1gpbs).

 

So I have configured standard Dynamic NAT with overload and because HSRP which we normally use doesn't support dynamic NAT I have removed HSRP from both Vlan 133 and 135 and kept both routing only on one switch (it's lab, it's not a problem). See the pictures below. 

 

Problem is that only first 2 ICMP packets went through and rest is not returning to source host, but destination serve see NATed packed with Vlan IP address and returning ICMP back.

 

I can see also translations in "show ip nat translations"

 

any idea please?

 

Config

 

nexus_config.png

 

Source server pinging destination and 10.16.133.0/24 should be hidden as 10.16.135.1

source_server_ping.png

 

I can see translations

nexus_ip_nat.png

 

Destination see ICMP request coming in, replying, but this reply never come back through NAT

destination_server_reply.png

 

Thanks a lot

Labels:
0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎11-11-2021 08:50 AM

Hello,

 

as far as I recall, ICMP is 'throttled' by default on the Nexus 9K. 

 

--> Hardware programming is introduced for ICMP on Cisco Nexus 9300 platform switches.
Therefore, the ICMP entries consume the TCAM resources in the hardware.
Because ICMP is in the hardware, the maximum limit for NAT translation in Cisco Nexus platform Series switches is changed to 1024.
Maximum of 100 ICMP entries are allowed to make the best usage of the resources.

 

You might want to try and set/toggle the below values:

 

ip nat translation icmp-timeout 100
ip nat translation creation-delay 250

0 Helpful

Tibor M
Level 1
Level 1
In response to Georg Pauwen

‎11-11-2021 08:56 AM

Now it's even worst. I see just 1 reply on source server

 

I just need that it works as standard ISR router or ASA here

0 Helpful

Georg Pauwen
VIP
VIP
In response to Tibor M

‎11-11-2021 09:17 AM

Hello,

 

as stated, toggle and try different values. E.g.:

 

ip nat translation icmp-timeout 10
ip nat translation creation-delay 10

0 Helpful

Tibor M
Level 1
Level 1
In response to Georg Pauwen

‎11-11-2021 10:38 AM

unfortunately not, tried different values for both, it's same...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card