That would be a correct summarization. VLANxxx is for mobile traffic to be isolated from other VLANs, minus the possible DHCP, and reach out to ISP via VLAN or interface. Given the non-severity we can make the VLAN non HSRP. I have already disabled the standby. Currently it is just published to Core 1 9300 switch where the WLC is connected.

Hello
Then without HRSP redundancy this would make it a lot easier to accomplish and not so reliant on ios feature set.
As VRF lite is going to be used I would also suggest to try and use NVI NAT (domainless NAT - no inside/outside domains) however im not sure and not able to check at this time if the 9300 supports it

try the following
int x/x/
ip nat enable

ip nat enable is allowed it seems.

So apply the VRF configuration as shown above (is it correct to you? ) and add the nat enable to both interfaces for xxx, xxx? Should I shed the Vlanxxx and just configure the interface directly?

Using statement: ip nat inside source list 100 interface Vlanxxx overload? Still?

Sorry, my knowledge of VRF is increasing...

I may have jumped to conclusion. The command is available...but I noticed this...is this prohibitive of NVI?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-12/nat-xe-16-12-book/iadnat-applvlgw.html

NAT Segmentation with Layer 4 Forwarding

Restrictions

The NAT Segmentation with Layer 4 Forwarding feature does not work when:

• Firewalls are configured using the ip inspect name command. (Context-Based Access Control (CBAC) firewalls are not supported. Zone-based firewalls are supported.)

• H.323, SCCP, or TCP DNS messages are larger than 18 KB.

• Multiprotocol Label Switching (MPLS) is configured.

• NAT and the Cisco Unified CallManager are configured on the same device. In this case, a colocated solution in Call Manager Express is used.

• NAT Virtual Interface (NVI) is configured.

• Stateful Network Address Translation (SNAT) is enabled.

It does however show it supports VRF-Aware Dynamic NAT Mapping with HSRP: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-12/nat-xe-16-12-book/iadnat-dynamc-hsrp.html

Seems that I do not have the vrf option under the ip nat inside statement?

Hello

Outch! that make things a bit more difficult, is that the same for --

ip nat source list 10 interface  <wan svi > vrf mobile ?

Correct. Only options are "oer" and "overload".... we at least know that ip nat enable works...so maybe have to look at the NVI route.

I don't know if its a bug, I have another thread going for this. We know that with the network advantage lic - shows VRF supported.

Hello

If your switch doesn't support nat vrf then i would say we can use routed access-list to negate the inter-vlan routing to/from the mobile vlan and then utilize nat on the global route table.

Hello

example
vlan 10 = 10.1.10.0/24
vlan 20 = 10.1.20.0/24
vlan 126 = 10.74.126.0/24

no ip nat inside source list 10 interface  <wan svi > vrf mobile overload
no ip route vrf mobile 0.0.0.0 0.0.0.0 <wan svi > x.x.x.x global

ip access-list extended no-intervlan-routing
 remark negate inter-vlan routing to vlan 126
deny ip any 10.1.10.0 0.0.0.255 
deny ip any 10.1.20.0 0.0.0.255
permit ip any any

int vlan 126
no ip vrf forwarding mobile
ip nat inside
ip access-group no-intervlan-routing IN

access-list 10 permit 10.74.126.0 0.0.0.255
ip nat inside source list 10 interface <wan svi > overload

Ah thanks for this, I may try this as well. I am a stalwart and trying to resolve this another way. I found that the WLC 9800 controller allows VRF-lite and the commands I could not use on the 9300 switch, so I am setting up as you may have seen from the other post.

I can ping out to 8.8.8.8 from a command: ping vrf MOBBILE-SSID 8.8.8.8 with 100%, oddly when the core 1 has VLANxxx enabled. Perhaps it has to do with the trunked interface? But still not from the actual MOBILE clients on 10.74.x.x directly. A traceroute has them coming back through the core 1 and trying to get out to internet through MPLS oddly enough.

If I turn off Vlan xxx on the core completely to allow just the layer 2 VLAN xxx to be hosted by the WLC itself, I can still ping internal to VRF and out to the net through the vrf interface, but cannot reach DHCP or 8.8.8.8 with the mobile (static assignment is no better). So perhaps there is something configuration wise that needs to be changed or a routing statement to allow clients to get out...

Hello
Okay so you have relocated the L3 vlan 126 onto the wlc and put it in vrf now you wish to receive dhcp allocated from global route table?

Have your tried using a relay vrf (if supported)
int vlan 126
ip hepler-addressx.x.x. vrf xxxxx

I used ip helper-address vrf MOBILE-SSID 10.74.xx.x - still no DHCP. I did a shut interface on vlan xxx on the core, and when I do this I can no longer ping the DHCP server on 10.74.xx.x. There seems to a link or something for the vlanxxx, as it cannot segregate itself from the core...Now in testing if I add the vlan xx in the WLC using "ip vrf forwarding MOBILE-SSID" I can reach everything despite the VLAN 126 interface being shut on core 1...

we are using transparent VTP, so in theory the routing to core 1 should not be a concern?