VRF-Lite and NAT

ALAN MURRAY · ‎09-04-2018

I have a question regarding VRF-Lite. One of our customers wishes to run a number of different VRFs on a Catalyst 9500 switch. On more than one of these routing interfaces NAT is required. They have purchased DNA Advantage licensing but are unable to get NAT to work on any but the default VRF. There are possible licensing issues which may be stopping this from happening which I am following up on but I'd like to know if anyone can answer whether such a configuration will succeed or is there only one NAT table available?

Thanks

Al

omz · ‎09-05-2018

"NAT is not supported on Cisco Nexus 9500 platform switches."

Notes for VRF aware NAT:

The VRF aware NAT feature is supported only on the Cisco Nexus 9300 platform switches.

The VRF aware NAT feature is not supported on the Cisco Nexus 9300-EX and 9300-FX platform switches.

Note

This is a NAT TCAM limitation for the Cisco Nexus 9300-EX and 9300-FX platform switches. NAT TCAM is not VRF aware. NAT does not work with overlapping IP addresses on Cisco Nexus 9300-EX and 9300-FX platform switches.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0110...

rasmus.elmholt · ‎09-05-2018

Could you give us some more information on what commands are working and not?

ALAN MURRAY · ‎09-05-2018

Hi,

Thanks for the replies to this query.

Rasmus - it was general inquiry this stage. The customer completed the configuration so I shall get that off them and post it later today.

omc79 - hat was an answer i was half-expecting but dreading. The person who made up the original BoM chose the 9500 as the device that supported NAT so going back and telling the customer it doesn't puts me in an awkward position - such is life.

Al

ALAN MURRAY · ‎09-05-2018

Hi again,

omc79 - I have re-read your reply. This is not a Nexus 9500. This is a Catalyst 9500 switch. Specifically a Catalyst 9500 16-port 10G, 8-port 10G switch (C9500-24X-A).

Thanks

Al

ALAN MURRAY · ‎09-05-2018

OK - the customer has given me his configuration from which I have hopefully removed any identifying info:-

interface VlanXX3
description
vrf forwarding <VRF-Name>
ip address X.X.33.1 255.255.255.0
ip helper-address <dhcp server>
ip nat inside
!
interface VlanXX1
description
vrf forwarding <VRF-Name>
ip address X.X.126.1 255.255.255.240
ip nat outside
!
ip nat pool CLIENT-SNAT X.X.126.1 X.X.126.1 prefix-length 28
ip nat inside source list CLIENTS pool CLIENT-SNAT overload
!
ip access-list extended CLIENTS
permit ip X.X.33.0 0.0.0.255 X.X.126.0 0.0.1.255

If the VRF commands are removed from the two interfaces and a ping is run between X.X.33.10 and X.X.126.14 the following translations is seen in the nat translation table:-

sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp X.X.126.1:1024    X.X.33.10:1        X.X.126.14:1       X.X.126.14:1024

If the VRF commands are re-applied to these interface no translations are visible

HPG08-61991-RTR#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

I realise the prefix-length in the nat pool statement is incorrect but I don't think that is the source of the problem.

I've been through the configuration guide but it doesn't mention VRFs in the NAT section - in fact I've only seen one mention of VRFs in the VRRPv3 section.

Any pointers would be appreciated.

omz · ‎09-06-2018

@ALAN MURRAY my bad for not reading the post properly. You clearly mentioned Catalyst 9500.

I have been trying to find anything on Catalyst 9500 VRF NAT but unfortunately nothing. As you mentioned there nothing in the configuration guides.