Beginner

VRF-Lite and NAT

I have a question regarding VRF-Lite. One of our customers wishes to run a number of different VRFs on a Catalyst 9500 switch. On more than one of these routing interfaces NAT is required. They have purchased DNA Advantage licensing but are unable to get NAT to work on any but the default VRF. There are possible licensing issues which may be stopping this from happening, which I am following up on, but I'd like to know if anyone can answer whether such a configuration will succeed, or is there only one NAT table available?

 

Thanks

Al

omz Rising star

Re: VRF-Lite and NAT

"NAT is not supported on Cisco Nexus 9500 platform switches."

Notes for VRF aware NAT:

  • The VRF aware NAT feature is supported only on the Cisco Nexus 9300 platform switches.

  • The VRF aware NAT feature is not supported on the Cisco Nexus 9300-EX and 9300-FX platform switches.

    Note

    This is a NAT TCAM limitation for the Cisco Nexus 9300-EX and 9300-FX platform switches. NAT TCAM is not VRF aware. NAT does not work with overlapping IP addresses on Cisco Nexus 9300-EX and 9300-FX platform switches.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0110...

 

Enthusiast

Re: VRF-Lite and NAT

Could you give us some more information on what commands are working and not?

Beginner

Re: VRF-Lite and NAT

Hi,

 

Thanks for the replies to this query.

 

Rasmus - it was a general inquiry at this stage. The customer completed the configuration so I shall get that off them and post it later today.

 

omc79 - that was an answer I was half-expecting but dreading. The person who made up the original BoM chose the 9500 as the device that supported NAT so going back and telling the customer it doesn't puts me in an awkward position - such is life.

 

Al

Beginner

Re: VRF-Lite and NAT

Hi again,

omc79 - I have re-read your reply. This is not a Nexus 9500. This is a Catalyst 9500 switch. Specifically a Catalyst 9500 16-port 10G, 8-port 10G switch (C9500-24X-A).

 

Thanks

Al

Beginner

Re: VRF-Lite and NAT

OK - the customer has given me his configuration from which I have hopefully removed any identifying info:-

interface VlanXX3
 description
 vrf forwarding <VRF-Name>
 ip address X.X.33.1 255.255.255.0
 ip helper-address <dhcp server>
 ip nat inside
!
interface VlanXX1
 description
 vrf forwarding <VRF-Name>
 ip address X.X.126.1 255.255.255.240
 ip nat outside
!
ip nat pool CLIENT-SNAT X.X.126.1 X.X.126.1 prefix-length 28
ip nat inside source list CLIENTS pool CLIENT-SNAT overload
!
ip access-list extended CLIENTS
 permit ip X.X.33.0 0.0.0.255 X.X.126.0 0.0.1.255
 
If the VRF commands are removed from the two interfaces and a ping is run between X.X.33.10 and X.X.126.14 the following translation is seen in the nat translation table:-

sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp X.X.126.1:1024    X.X.33.10:1        X.X.126.14:1       X.X.126.14:1024

If the VRF commands are re-applied to these interfaces no translations are visible

HPG08-61991-RTR#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

I realise the prefix-length in the nat pool statement is incorrect but I don't think that is the source of the problem.

 

I've been through the configuration guide but it doesn't mention VRFs in the NAT section - in fact I've only seen one mention of VRFs in the VRRPv3 section.

 

Any pointers would be appreciated.

omz Rising star

Re: VRF-Lite and NAT

@ALAN MURRAY  my bad for not reading the post properly. You clearly mentioned Catalyst 9500.

I have been trying to find anything on Catalyst 9500 VRF NAT but unfortunately nothing. As you mentioned there is nothing in the configuration guides.
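
A configuration check for the situation described in this thread, as an added example that is not part of the thread or any poster's code: it flags interfaces that carry `ip nat inside`/`ip nat outside` inside a VRF when no `ip nat inside source` rule names that VRF. It assumes the `vrf <name>` keyword used on IOS/IOS-XE routers; the thread does not establish whether the Catalyst 9500 accepts it. The function name `audit_vrf_nat`, the VRF name `CUST-A` and the addresses are constructed.

```python
import re

# Constructed sample modelled on the sanitized configuration posted above;
# "CUST-A" and the 10.0.x.x addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
interface Vlan103
 vrf forwarding CUST-A
 ip address 10.0.33.1 255.255.255.0
 ip nat inside
!
interface Vlan101
 vrf forwarding CUST-A
 ip address 10.0.126.1 255.255.255.240
 ip nat outside
!
ip nat pool CLIENT-SNAT 10.0.126.1 10.0.126.1 prefix-length 28
ip nat inside source list CLIENTS pool CLIENT-SNAT overload
"""

def audit_vrf_nat(config):
    """Return {vrf: [interfaces]} for NAT interfaces whose VRF no NAT rule names.

    A VRF of None means the global routing table.
    """
    ifaces, rule_vrfs, current = {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {"vrf": None, "nat": False})
        elif not line.startswith(" "):
            current = None  # left the interface block
            if line.startswith("ip nat inside source "):
                # Assumption: IOS-style "vrf <name>" keyword binds the rule to a VRF.
                m = re.search(r" vrf (\S+)", line)
                rule_vrfs.add(m.group(1) if m else None)
        elif current is not None:
            if m := re.match(r" (?:ip )?vrf forwarding (\S+)", line):
                current["vrf"] = m.group(1)
            elif re.match(r" ip nat (inside|outside)\b", line):
                current["nat"] = True
    findings = {}
    for name, info in ifaces.items():
        if info["nat"] and info["vrf"] not in rule_vrfs:
            findings.setdefault(info["vrf"], []).append(name)
    return findings

if __name__ == "__main__":
    for vrf, names in audit_vrf_nat(SAMPLE_CONFIG).items():
        print(f"NAT interfaces {names} are in VRF {vrf!r} but no NAT rule names it")
```
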
