Solved: Hosts can connect.

sendalot7 · ‎02-19-2016

Been struggling with "https://supportforums.cisco.com/discussion/11282626/nx-7000-configuring-default-gateway" and "https://supportforums.cisco.com/discussion/11691736/cisco-nexus-default-gateway" with no luck.

Nexus is a fairly new beast for me compared to Catalyst.

(1) What is the Nexus way of setting default-gateway? I want to forget all VRF/CEF and want it to act as a dumb L2 switch.

(2) Can hosts connected to the Nexus talk to outside successfully at least?

Thanks.

I have a section of topology where 2911 is acting as an internal NAT router. (We don't have enough private ip addresses to give to all our lab servers and networking equipment. So we have our own reserved addresses that aren't route-able across the corporate network).

2911 is using one private ip to NAT lab ip addresses

I have a section of topology where 2911 is acting as an internal NAT router. (We don't have enough private ip addresses to give to all our lab servers and networking equipment. So we have our own reserved addresses that aren't route-able across the corporate network).

2911 is using one private ip to NAT lab ip addresses

!
interface GigabitEthernet0/0
 ip address 192.16.25.94 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!

ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.16.25.1
!
access-list 1 permit any
!
!
!
control-plane
!

I have 16 Nexus switches but showing one as a sample here. (If I can get this going, rest should be easy).

vlan 1,100,102-103,200

vrf context management

interface Vlan1

interface Vlan100
  no shutdown
  ip address 10.0.0.22/24

interface Vlan200
  no shutdown
  ip address 10.1.0.22/24

interface Ethernet1/1
  switchport access vlan 200

interface Ethernet1/40
  switchport access vlan 100


interface Ethernet1/48
  switchport mode trunk

interface Ethernet1/49
  switchport access vlan 200

interface Ethernet1/50
  switchport access vlan 200

While Nexus can ping the default gw of each vlan, it can't ping outside of 2911 network.

PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=254 time=0.765 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=254 time=0.571 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=254 time=0.547 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=254 time=0.54 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=254 time=0.534 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.534/0.591/0.765 ms
2# ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1): 56 data bytes
64 bytes from 10.1.0.1: icmp_seq=0 ttl=254 time=0.785 ms
64 bytes from 10.1.0.1: icmp_seq=1 ttl=254 time=0.565 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=254 time=0.557 ms
64 bytes from 10.1.0.1: icmp_seq=3 ttl=254 time=0.532 ms
64 bytes from 10.1.0.1: icmp_seq=4 ttl=254 time=0.538 ms

--- 10.1.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.532/0.595/0.785 ms

2# ping 192.16.25.1
PING 192.16.25.1 (192.16.25.1): 56 data bytes
ping: sendto 192.16.25.1 64 chars, No route to host

Thanks again.

What am I missing to make NAT & Routing work? Also is this just the nexus management? Can hosts connected to Nexus talk to outside already?

2911 can ping anything by the way.

[Tried the methods from other psts]

C(config)# vrf context management
C(config-vrf)# ip route 0.0.0.0/0 10.1.0.1 (same result with 10.0.0.1)
C(config-vrf)# ping 192.16.25.94
PING 192.16.25.94 (192.16.25.94): 56 data bytes
ping: sendto 192.16.25.94 64 chars, No route to host
Request 0 timed out
ping: sendto 192.16.25.94 64 chars, No route to host

Jon Marshall · ‎02-19-2016

The wildcard, yes I did mean that :)

It may not make a difference but I have seen it not work many times with that.

For your Nexus switches can you pick one of the SVIs on the Nexus and shut the other down, then -

int vlan <x>
management

ip route 0.0.0.0/0 vlan <x> <router subinterface IP for vlan x>

don't put the default route in the management VRF.

I'm not sure whether technically this makes it L3 from a Nexus perspective but as long as the client's default gateways are the router subinterface IPs it shouldn't matter.

Like I say not used Nexus so it may not help but worth a try.

Jon

View solution in original post

Jon Marshall · ‎02-19-2016

Haven't used Nexus either.

My understanding is there is a dedicated interface for management ie.not an SVI which allows you to connect to the switch but you cannot then run ping etc. from the console.

You can also use an SVI for management which does allow you to ping etc. but not sure if it is supported on all platforms.

What are the Nexus models ?

Your 2911 configuration, are you saying it's not working ?

Jon

sendalot7 · ‎02-19-2016

Nexus are N9K with RJ-45 and some fiber ports.

My 2911 configuration is supposedly working as this is what I do all the time for inter-vlan router-on-stick with Catalyst switches.

I'm messing something up on Nexus though.

Jon Marshall · ‎02-19-2016

Can you just clarify.

Are you saying clients cannot get out to the rest of the network ?

Jon

sendalot7 · ‎02-19-2016

Correct, only the default gw of each VLAN can be reached.

Jon Marshall · ‎02-19-2016

The most obvious issue with the router configuration is the NAT acl.

NAT generally doesn't like "any" as the source IPs.

Try modifying "any" to "10.0.0.0 0.0.1.255".

I tend to use extended acls with any as the destination IPs which NAT is fine with but then you would need to update your NAT statement as well.

By the way are you happy with setting up the management port or do you want to try the SVI ?

Jon

sendalot7 · ‎02-19-2016

That's the NAT ACL I've used all the time. But I'll try you approach and thanks for the suggestion.

And you mean 0.1.255.255 as wildcard? Since 10.0 and 10.1

I want SVI without management.

For now, I literally want to forget all vPC, VRF, all the fancy NX-OS features and make them act like Catalyst switches.

Jon Marshall · ‎02-19-2016

The wildcard, yes I did mean that :)

It may not make a difference but I have seen it not work many times with that.

For your Nexus switches can you pick one of the SVIs on the Nexus and shut the other down, then -

int vlan <x>
management

ip route 0.0.0.0/0 vlan <x> <router subinterface IP for vlan x>

don't put the default route in the management VRF.

I'm not sure whether technically this makes it L3 from a Nexus perspective but as long as the client's default gateways are the router subinterface IPs it shouldn't matter.

Like I say not used Nexus so it may not help but worth a try.

Jon

sendalot7 · ‎02-19-2016

Hosts can connect.

So for now, I'll live with this until I study Nexus in-out.

Thanks for your effort.

Iulian Vaideanu · ‎02-19-2016

Clients connected to Nexus in vlans 100 and 200 (with IPs from 10.0.0 and 10.1.0) should be able to ping outside.

Nexus itself won't, if the "ip route 0.0.0.0/0" is configured under "vrf context management" (just put it in the global config).

sendalot7 · ‎02-19-2016

Can that be verified by pinging outside with gig 0/2.100 and 0/2.200 as source?

Thanks.

Iulian Vaideanu · ‎02-19-2016

Yes, if I remember correctly the NAT can be verified from the NAT router itself by using the "nat inside" interfaces as sources.

Nexus default-gateway