11-19-2023 07:28 AM
Hi all,
I have a home router from my ISP that is not configurable.
I am trying to connect the router to a Nexus N9K switch on port eth1/48 and allow internet access to the VLANs. I have run the configuration below.
# Enable the features used below (NX-OS requires these before the
# "interface vlan" and "ip nat" commands are accepted)
switch# configure terminal
switch(config)# feature interface-vlan
switch(config)# feature nat
# Configure VLANs
switch(config)# vlan 10
switch(config-vlan)# name VLAN10
switch(config-vlan)# exit
switch(config)# vlan 20
switch(config-vlan)# name VLAN20
switch(config-vlan)# exit
# Configure Interfaces (routed uplink toward the ISP router, one SVI per VLAN)
switch(config)# interface ethernet 1/48
switch(config-if)# no switchport
switch(config-if)# ip address 192.168.1.98/24
switch(config-if)# ip nat outside
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)# interface vlan 10
switch(config-if)# no shutdown
switch(config-if)# ip address 10.0.1.1/24
switch(config-if)# ip nat inside
switch(config-if)# exit
switch(config)# interface vlan 20
switch(config-if)# no shutdown
switch(config-if)# ip address 10.0.2.1/24
switch(config-if)# ip nat inside
switch(config-if)# exit
# IP routing is always on in NX-OS; there is no "ip routing" command
# Configure ACL for NAT (NX-OS IPv4 ACLs have no "extended" keyword;
# every subnet listed here must sit behind an interface marked "ip nat inside")
switch(config)# ip access-list NAT_ACL
switch(config-acl)# permit ip 10.0.1.0 0.0.0.255 any
switch(config-acl)# permit ip 10.0.2.0 0.0.0.255 any
switch(config-acl)# exit
# Enable dynamic PAT: inside sources matching NAT_ACL are translated to the
# address of ethernet 1/48 (the outside interface)
switch(config)# ip nat inside source list NAT_ACL interface ethernet 1/48 overload
# Configure Default Route toward the ISP router
switch(config)# ip route 0.0.0.0/0 192.168.1.1
switch(config)# end
# Save Configuration
switch# copy running-config startup-config
I am able to ping the internet from the switch but not from clients on nat outside. I am getting the error
"Nat tcam not carved". What am I doing wrong?
11-19-2023 08:22 AM
show ip interface brief
Can I see this?
11-19-2023 09:19 PM
Interface IP Address Interface Status
Vlan10 10.0.1.1 protocol-up/link-up/admin-up
Eth1/48 192.168.1.98 protocol-up/link-up/admin-up
11-19-2023 09:33 PM
That's OK.
Now it's time to configure NAT.
Run the command below:
hardware access-list tcam region nat <tcam-size>
If you get an error message that there is no free room, reduce the ACL region size to make room for NAT.
I think you need to reload the N9K for the TCAM carving to take effect.
11-19-2023 09:44 PM
Command not permitted as custom template(s) applied on module(s) 1. Please uncommit the template(s) to continue using the command
11-19-2023 09:51 PM - edited 11-19-2023 10:13 PM
Did you configure a TCAM template before this?
11-19-2023 11:21 PM
I have applied the L3 template, but I am not able to find a way to uncommit it.
11-20-2023 12:46 AM
Here are the NAT resources and, below, the switch configuration now, but I still have no internet access on VLAN 10.
ip domain-lookup
ip access-list NAT_ACL
10 permit ip 10.0.1.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
copp profile strict
snmp-server user admin network-admin auth md5 0xc340d402f79be327ee57064573451d04 priv 0xc340d402f79be327ee57064573451d04 localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO
ip route 0.0.0.0/0 192.168.1.1
vlan 1,10,20
ip nat inside source list NAT_ACL interface Ethernet1/48 overload
vrf context management
hardware access-list tcam region ing-racl 512
hardware access-list tcam region nat 1024
interface Vlan1
interface Vlan10
no shutdown
ip address 10.0.1.1/24
ip nat inside
interface Vlan20
no shutdown
ip address 10.0.2.1/24
interface Ethernet1/1
switchport
switchport access vlan 10
no shutdown
interface Ethernet1/2
interface Ethernet1/3
interface Ethernet1/4
interface Ethernet1/5
interface Ethernet1/6
interface Ethernet1/7
interface Ethernet1/8
interface Ethernet1/9
interface Ethernet1/10
interface Ethernet1/11
interface Ethernet1/12
interface Ethernet1/13
interface Ethernet1/14
interface Ethernet1/15
interface Ethernet1/16
interface Ethernet1/17
interface Ethernet1/18
interface Ethernet1/19
interface Ethernet1/20
interface Ethernet1/21
interface Ethernet1/22
interface Ethernet1/23
interface Ethernet1/24
interface Ethernet1/25
interface Ethernet1/26
interface Ethernet1/27
interface Ethernet1/28
interface Ethernet1/29
interface Ethernet1/30
interface Ethernet1/31
interface Ethernet1/32
interface Ethernet1/33
interface Ethernet1/34
interface Ethernet1/35
interface Ethernet1/36
interface Ethernet1/37
interface Ethernet1/38
interface Ethernet1/39
interface Ethernet1/40
interface Ethernet1/41
interface Ethernet1/42
interface Ethernet1/43
interface Ethernet1/44
interface Ethernet1/45
interface Ethernet1/46
interface Ethernet1/47
interface Ethernet1/48
ip address 192.168.1.98/24
ip nat outside
no shutdown
interface Ethernet1/49
interface Ethernet1/50
interface Ethernet1/51
interface Ethernet1/52
interface Ethernet1/53
interface Ethernet1/54
interface mgmt0
vrf member management
line console
line vty
boot nxos bootflash:/nxos.9.3.2.bin
11-20-2023 01:17 AM
Did you reload the N9K?
11-20-2023 01:26 AM
Yes, but there is still no internet on the clients.
11-20-2023 01:45 AM
Ping,
and then check
show ip nat translations
on the N9K to see if any new entry is added.
11-20-2023 01:55 AM
NAT translations are added, but ip nat statistics are showing drops and no connection on TCP.
switch(config)# show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.1.98:65346 10.0.1.2:0 8.8.8.8:0 8.8.8.8:0
udp 192.168.1.98:65492 10.0.1.2:58378 8.8.8.8:443 8.8.8.8:443
udp 192.168.1.98:64438 10.0.1.2:63242 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65133 10.0.1.2:63242 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64772 10.0.1.2:60722 8.8.8.8:443 8.8.8.8:443
udp 192.168.1.98:64769 10.0.1.2:56899 8.8.8.8:443 8.8.8.8:443
udp 192.168.1.98:64892 10.0.1.2:65351 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64820 10.0.1.2:65351 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64521 10.0.1.2:62798 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65405 10.0.1.2:62798 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:65243 10.0.1.2:65363 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65154 10.0.1.2:65363 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64951 10.0.1.2:59988 40.99.27.18:443 40.99.27.18:443
udp 192.168.1.98:65113 10.0.1.2:65364 1.1.1.1:53 1.1.1.1:53
udp 192.168.1.98:64561 10.0.1.2:55397 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65028 10.0.1.2:55397 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64964 10.0.1.2:49534 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64657 10.0.1.2:49534 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:65172 10.0.1.2:53636 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64729 10.0.1.2:53636 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64842 10.0.1.2:53643 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65064 10.0.1.2:64652 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:65310 10.0.1.2:64652 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64595 10.0.1.2:55698 192.168.12.5:161 192.168.12.5:161
udp 192.168.1.98:64417 10.0.1.2:55698 192.168.10.14:161 192.168.10.14:161
tcp 192.168.1.98:64971 10.0.1.2:64692 212.70.97.203:80 212.70.97.203:80
tcp 192.168.1.98:65247 10.0.1.2:64693 57.128.101.78:80 57.128.101.78:80
udp 192.168.1.98:65379 10.0.1.2:62134 40.99.27.18:443 40.99.27.18:443
tcp 192.168.1.98:65020 10.0.1.2:64694 51.178.65.231:443 51.178.65.231:443
tcp 192.168.1.98:64474 10.0.1.2:64695 52.123.137.150:443 52.123.137.150:443
tcp 192.168.1.98:65459 10.0.1.2:64696 20.198.119.84:443 20.198.119.84:443
tcp 192.168.1.98:65177 10.0.1.2:64697 23.33.72.191:443 23.33.72.191:443
tcp 192.168.1.98:64432 10.0.1.2:64698 162.19.171.173:443 162.19.171.173:443
tcp 192.168.1.98:64846 10.0.1.2:64699 20.197.103.14:443 20.197.103.14:443
tcp 192.168.1.98:65363 10.0.1.2:64700 15.197.213.252:443 15.197.213.252:443
tcp 192.168.1.98:64840 10.0.1.2:64701 20.190.9.86:443 20.190.9.86:443
tcp 192.168.1.98:64535 10.0.1.2:64702 52.112.120.8:443 52.112.120.8:443
udp 192.168.1.98:65292 10.0.1.2:52671 40.99.27.18:443 40.99.27.18:443
tcp 192.168.1.98:65273 10.0.1.2:64703 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:65151 10.0.1.2:52672 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:65354 10.0.1.2:64704 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64795 10.0.1.2:52673 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:64367 10.0.1.2:64705 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64969 10.0.1.2:52674 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:64466 10.0.1.2:64706 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64826 10.0.1.2:52675 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:65455 10.0.1.2:64707 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:65511 10.0.1.2:52676 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:65377 10.0.1.2:64708 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:65240 10.0.1.2:52677 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:65373 10.0.1.2:64709 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:65020 10.0.1.2:52678 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:64890 10.0.1.2:64710 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64500 10.0.1.2:52679 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:64869 10.0.1.2:64711 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64946 10.0.1.2:52680 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64437 10.0.1.2:59336 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64728 10.0.1.2:59336 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64787 10.0.1.2:59336 8.8.8.8:443 8.8.8.8:443
tcp 192.168.1.98:65436 10.0.1.2:64712 40.99.26.178:443 40.99.26.178:443
udp 192.168.1.98:64705 10.0.1.2:52681 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64752 10.0.1.2:52682 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:64374 10.0.1.2:64714 13.69.239.73:443 13.69.239.73:443
udp 192.168.1.98:64984 10.0.1.2:52683 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:64858 10.0.1.2:64715 20.190.177.19:443 20.190.177.19:443
udp 192.168.1.98:65026 10.0.1.2:52684 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:64988 10.0.1.2:64716 212.70.97.203:80 212.70.97.203:80
udp 192.168.1.98:64791 10.0.1.2:52685 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:64968 10.0.1.2:64717 151.101.142.133:443 151.101.142.133:443
udp 192.168.1.98:64396 10.0.1.2:52686 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:64341 10.0.1.2:64718 40.99.27.18:443 40.99.27.18:443
udp 192.168.1.98:64684 10.0.1.2:52687 8.8.8.8:53 8.8.8.8:53
tcp 192.168.1.98:65381 10.0.1.2:64719 3.219.6.82:443 3.219.6.82:443
udp 192.168.1.98:65400 10.0.1.2:52688 192.168.1.1:53 192.168.1.1:53
tcp 192.168.1.98:64465 10.0.1.2:64720 3.221.81.186:443 3.221.81.186:443
udp 192.168.1.98:65316 10.0.1.2:52689 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64415 10.0.1.2:52690 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64479 10.0.1.2:64482 192.168.1.1:53 192.168.1.1:53
udp 192.168.1.98:64629 10.0.1.2:64482 8.8.8.8:53 8.8.8.8:53
udp 192.168.1.98:64374 10.0.1.2:62192 40.99.27.18:443 40.99.27.18:443
IP NAT Statistics
====================================================
Stats Collected since: Mon Nov 20 09:28:42 2023
----------------------------------------------------
Total active translations: 80
No.Static: 0
No.Dyn: 79
No.ICMP: 1
----------------------------------------------------
Total expired Translations: 0
SYN timer expired: 0
FIN-RST timer expired: 0
Inactive timer expired: 0
----------------------------------------------------
Total Hits: 1213 Total Misses: 1944
In-Out Hits: 322 In-Out Misses: 1944
Out-In Hits: 891 Out-In Misses: 0
----------------------------------------------------
Total SW Translated Packets: 861
In-Out SW Translated: 402
Out-In SW Translated: 459
----------------------------------------------------
Total SW Dropped Packets: 2296
In-Out SW Dropped: 1864
Out-In SW Dropped: 432
Address alloc. failure drop: 0
Port alloc. failure drop: 0
Dyn. Translation max limit drop: 1864
ICMP max limit drop: 0
Allhost max limit drop: 0
----------------------------------------------------
Total TCP session established: 0
Total TCP session closed: 0
----------------------------------------------------
NAT Inside Interfaces: 1
Vlan10
NAT Outside Interfaces: 1
Ethernet1/48
----------------------------------------------------
Inside source list:
++++++++++++++++++++
Access list: NAT_ACL
RefCount: 80
Interface Overload: Ethernet1/48(UP) 192.168.1.98
Outside source list:
++++++++++++++++++++
----------------------------------------------------
====================================================
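To read a counter block like the one above systematically, here is an added example in Python (not code from this thread or from Cisco). It parses the `Name: value` pairs of `show ip nat statistics` in the format shown in this thread and returns the findings a practitioner looks for when dynamic NAT works for a minute and then stalls: a high hardware miss ratio, software-switched drops, whichever drop-reason counter is non-zero, and dynamic translations with no TCP session ever completing. The sample text is a constructed subset of the output above, and the 50% miss threshold is an assumption of the example.

```python
import re

# Constructed sample, a subset of the counters from the output above.
SAMPLE_STATS = """\
IP NAT Statistics
====================================================
Total active translations: 80
No.Static: 0
No.Dyn: 79
No.ICMP: 1
Total Hits: 1213 Total Misses: 1944
In-Out Hits: 322 In-Out Misses: 1944
Out-In Hits: 891 Out-In Misses: 0
Total SW Translated Packets: 861
Total SW Dropped Packets: 2296
In-Out SW Dropped: 1864
Out-In SW Dropped: 432
Address alloc. failure drop: 0
Port alloc. failure drop: 0
Dyn. Translation max limit drop: 1864
ICMP max limit drop: 0
Allhost max limit drop: 0
Total TCP session established: 0
Total TCP session closed: 0
"""

# One "Name: N" pair; a line may carry two (e.g. "Total Hits: ... Total Misses: ...").
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z .\-]*?):\s*(\d+)")

# Counters that stay at zero on a healthy box; a non-zero value names the drop reason.
DROP_REASONS = (
    "Address alloc. failure drop",
    "Port alloc. failure drop",
    "Dyn. Translation max limit drop",
    "ICMP max limit drop",
    "Allhost max limit drop",
)


def parse_nat_stats(text):
    """Return {counter_name: int} for every 'Name: N' pair in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def miss_ratio(counters):
    """Share of NAT lookups that missed the hardware table (0.0 when there was no traffic)."""
    hits = counters.get("Total Hits", 0)
    misses = counters.get("Total Misses", 0)
    return misses / (hits + misses) if hits + misses else 0.0


def triage(counters, miss_threshold=0.5):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    ratio = miss_ratio(counters)
    if ratio > miss_threshold:
        findings.append(("warn", f"{ratio:.0%} of NAT lookups missed the hardware table; "
                                 "packets are being handled in software"))
    sw_dropped = counters.get("Total SW Dropped Packets", 0)
    if sw_dropped:
        findings.append(("crit", f"{sw_dropped} software-switched packets dropped"))
    for name in DROP_REASONS:
        if counters.get(name, 0):
            findings.append(("crit", f"{name} = {counters[name]}"))
    if counters.get("No.Dyn", 0) and not counters.get("Total TCP session established", 0):
        findings.append(("warn", "dynamic translations exist but no TCP session ever completed"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_nat_stats(SAMPLE_STATS)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports four findings; the one that matters here is the non-zero "Dyn. Translation max limit drop" line, which says where the 1864 in-out software drops are being charged.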
11-20-2023 02:13 AM
Ohhh, N9K with NAT is not easy.
switch(config)# ip nat inside source list NAT_ACL interface <use any IP other than the IP of the interface connected to the router; the IP must be in the same subnet> overload
11-20-2023 03:57 AM
I did change the interface, with the same behavior. In the first minute the translation table is populated and the connection shows internet access, and after that it drops.
11-20-2023 05:29 AM
This class refers to software switch NAT flow traffic. When creating a new dynamic translation, the flow is software forwarded until the translation is programmed in hardware, and then it is policed by CoPP to limit the traffic punted to the supervisor while the entry is installed in hardware.
class-map copp-system-p-class-nat-flow (match-any)
match exception nat-flow
set cos 7
police cir 800 kbps , bc 64000 bytes
Drops on this class typically occur when a high rate of new dynamic translations and flows are installed in hardware. The impact relates to software switched packets that are discarded and not delivered to the end host, which can lead to loss and retransmissions. Once the entry is installed in hardware, no further traffic is punted to the supervisor.
-Verify guidelines and limitations of dynamic NAT on the relevant platform. There are known limitations that are documented on platforms, such as the 3548, in which the translation can take a few seconds. Refer to: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/93x/interfaces/configuration/guide/b-cisco-nexus-3500-nx-os-interfaces-configuration-guide-93x/b-cisco-nexus-3500-nx-os-interfaces-configuration-guide-93x_chapter_0110.html#id_359...
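To make the policer numbers in that class-map concrete, here is an added example (not Cisco code and not from this thread) that models `police cir 800 kbps, bc 64000 bytes` as a single-rate token bucket and replays a constructed stream of punted new-flow packets through it. Time is kept in integer milliseconds and tokens in bits so the arithmetic is exact. The real NX-OS policer runs per forwarding engine with its own timer granularity, which this model ignores; the point is the order of magnitude: roughly 100 KB/s sustained plus one 64 KB burst is all the supervisor path will accept for new NAT flows before this class starts dropping.

```python
CIR_KBPS = 800     # committed rate from copp-system-p-class-nat-flow
BC_BYTES = 64000   # committed burst from the same class-map


class SingleRatePolicer:
    """Token bucket: refills at cir kbps (= cir bits per millisecond), holds at most bc bytes."""

    def __init__(self, cir_kbps=CIR_KBPS, bc_bytes=BC_BYTES):
        self.bits_per_ms = cir_kbps            # 800 kbps == 800 bits every millisecond
        self.capacity_bits = bc_bytes * 8
        self.tokens_bits = self.capacity_bits  # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size_bytes):
        """Offer one packet at time t_ms; True if it conforms, False if policed (dropped)."""
        if t_ms < self.last_ms:
            raise ValueError("packets must be offered in time order")
        refill = (t_ms - self.last_ms) * self.bits_per_ms
        self.tokens_bits = min(self.capacity_bits, self.tokens_bits + refill)
        self.last_ms = t_ms
        need = size_bytes * 8
        if need <= self.tokens_bits:
            self.tokens_bits -= need
            return True
        return False


def replay(packets, cir_kbps=CIR_KBPS, bc_bytes=BC_BYTES):
    """Run (t_ms, size_bytes) packets through a fresh policer; return (conformed, dropped)."""
    policer = SingleRatePolicer(cir_kbps, bc_bytes)
    conformed = dropped = 0
    for t_ms, size in packets:
        if policer.offer(t_ms, size):
            conformed += 1
        else:
            dropped += 1
    return conformed, dropped


def steady_stream(count, size_bytes, interval_ms):
    """Constructed workload: `count` packets of size_bytes, one every interval_ms."""
    return [(i * interval_ms, size_bytes) for i in range(count)]


def sustained_pps(size_bytes, cir_kbps=CIR_KBPS):
    """Packets per second of this size the policer passes once the burst is spent."""
    return cir_kbps * 1000 / 8 / size_bytes


if __name__ == "__main__":
    # 100 full-size packets punted 1 ms apart: the first 45 ride on the 64 KB burst,
    # after that only about 1 in 15 conforms (800 bits/ms refill vs 12000 bits per packet).
    print(replay(steady_stream(100, 1500, 1)))   # (49, 51)
    print(round(sustained_pps(1500), 1))          # 66.7
```

Every packet the model drops is one that never reaches the end host, which is exactly the loss-and-retransmit symptom described above while a burst of new translations is still being installed in hardware.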