05-04-2022 06:57 AM - edited 10-19-2023 12:17 PM
Hi! So after trying to implement VLANs and ACLs on our 9300 Catalysts, it seems they may be limited or have issues with NAT.
We have our MOBILE SSID and it only needs to access DHCP. Otherwise it needs to get outside to the internet via VLANxxx on 207.xx.xxx.xx, subnet mask .248.... I was advised I could create a VRF for this case, but I have not done one yet and need help on an ideal config.
Essentially I need to:
A) Create a VRF for VLAN 1xx (internal) and VLAN 1xx (ISP) so they can inter-communicate.
B) Allow access to DHCP through a route leak.
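As an added example, not posted by the original poster or any reply in this thread, here is a starting-point IOS-XE configuration for the design in A) and B): one VRF holding both the mobile client SVI and the ISP SVI, PAT behind the ISP SVI address, and a static route leak so the VRF can reach a DHCP server that lives in the global routing table. Every value is an assumption: the VRF name MOBILE, VLAN 126 as the mobile VLAN on 10.74.0.0/24, VLAN 200 as the ISP hand-off on 203.0.113.0/29 with the ISP gateway at .1, and a DHCP server at 10.1.1.10 reached via 10.1.1.1 in the global table. Keyword order on the NAT statement and the exact behaviour of cross-VRF DHCP relay should be confirmed against the 9300's release and command reference before relying on it.

```ios
! Added example configuration; not from the original poster or any reply.
! Assumed (hypothetical) values: VRF MOBILE, VLAN 126 = mobile clients (10.74.0.0/24),
! VLAN 200 = ISP hand-off (203.0.113.0/29, ISP gateway .1),
! DHCP server 10.1.1.10 in the global table, reached via next hop 10.1.1.1.
!
! 1. The VRF that holds both the internal (mobile) VLAN and the ISP VLAN.
vrf definition MOBILE
 address-family ipv4
 exit-address-family
!
! 2. Mobile client SVI: in the VRF, NAT inside, DHCP relayed to a server in the global table.
interface Vlan126
 vrf forwarding MOBILE
 ip address 10.74.0.1 255.255.255.0
 ip helper-address global 10.1.1.10
 ip nat inside
!
! 3. ISP SVI: same VRF, NAT outside. /29 is the .248 mask mentioned in the post.
interface Vlan200
 vrf forwarding MOBILE
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! 4. Routing inside the VRF: default towards the ISP, plus a host route to the
!    DHCP server whose next hop is resolved in the global table (the route leak).
ip route vrf MOBILE 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf MOBILE 10.1.1.10 255.255.255.255 10.1.1.1 global
!
! 5. Return path: the global table must reach the mobile subnet through the VRF
!    interface so DHCP replies addressed to the relay (10.74.0.1) can come back.
ip route 10.74.0.0 255.255.255.0 Vlan126
!
! 6. Carry the VRF identity in option 82 so the relay can match replies to the VRF.
ip dhcp relay information option vpn
!
! 7. PAT: only the mobile subnet is translated, behind the ISP SVI address.
!    match-in-vrf is needed because inside and outside are both in MOBILE;
!    confirm the keyword order for your release with "?".
ip access-list standard MOBILE-NAT
 permit 10.74.0.0 0.0.0.255
ip nat inside source list MOBILE-NAT interface Vlan200 vrf MOBILE overload match-in-vrf
!
! Verification, run from the switch inside the VRF:
!   ping vrf MOBILE 203.0.113.1
!   ping vrf MOBILE 8.8.8.8 source Vlan126
!   show ip route vrf MOBILE
!   show ip nat translations vrf MOBILE
```

The second ping is the useful one: it tests the VRF default route and the ISP's return path to the public /29 without NAT. If that passes but a client behind Vlan126 still cannot reach 8.8.8.8, `show ip nat translations vrf MOBILE` will show whether the client's packet was translated at all; a translation with no reply points at the ISP not routing the public address back, not at the NAT statement.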
05-06-2022 08:34 AM - edited 10-19-2023 12:26 PM
Circling around to this, just to get it up to date: I tried the above config again on the core switch.
I can ping to the IP and GW of the ISP but again cannot get out to 8.8.8.8 ICMP.
lslswmi-mdf-core01#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 207.xx.xxx.x:1024 10.74.xxx.x:30840 xxx.xx.xxx.xx:30840 xxx.xx.xxx.xx:1024
05-06-2022 09:30 AM - edited 05-06-2022 09:31 AM
Hello
TBH, I am lost now as to where you are.
Are you using VRF or not, and is the L3 on the 9300 or not?
If you apply the RACL on the 9300 without VRF, then the configuration I recently supplied should work for NAT, DHCP and inter-VLAN isolation; however, if you have now relocated the L3 for VLAN 126 off the 9300 and onto a WLC, then VRF NAT should work and we can work on the DHCP allocation.
05-06-2022 09:59 AM - edited 10-19-2023 12:26 PM
For simplicity I went back to the 9300 switch. I figured uncomplicated NAT should work according to "Configure and Verify NAT on Catalyst 9000 Switches - Cisco" for dynamic NAT/PAT.
I did connect my laptop once again to verify I could get straight out. PASSED.
I put the internet on a directly connected L3 interface, no ACL at all.
05-07-2022 12:30 AM
Hello
Okay, let's leave the access-list off for now and focus on the routing.
Is VLAN 126 propagated at L2 to all other switches in your LAN and allowed to traverse all trunk interconnects?
As a test:
Can you ping an internet address directly from this switch? You should be able to, as it has a directly connected interface to the public WAN.
Remove HSRP from vlan 126 for the time being and test NAT from a client again.
05-09-2022 01:18 PM - edited 10-19-2023 12:27 PM
Yes, VLAN xxx is propagated (checked with show vlan). I can ping the internet directly from the L3 switch.
I removed HSRP again, and no change.