12-07-2024 01:35 AM - edited 12-07-2024 01:36 AM
Hello,
Please consider the below topology, in which I have 1 core switch which has 2 SVIs, VLAN 10 (192.168.10.1) and VLAN 20 (192.168.20.1), and 2 access switches (IE3300) which are acting as layer 2 devices. AS1 has 2 PCs connected and AS2 also has the same. All the switches form a ring and REP has been used as the ring protocol. Everything is working fine.
PC 1: 10.0.0.1, PC 2: 10.0.0.2, PC 3: 10.0.0.1, PC 4: 10.0.0.2. The IPs are duplicated. That is fine. I have introduced L2NAT in both switches; for switch 1 I am translating all the PC IPs to the VLAN 10 series and for switch 2 I am translating them to the VLAN 20 series for all the PCs in switch 2. That is also fine. I am confused about the permit all command: if I execute permit all, will there be any issue? Because I am facing an issue: if I execute the permit all command, PC1 and PC2, which are on the same switch, drop frequently.
12-07-2024 03:02 AM - edited 12-07-2024 03:05 AM
Your setup looks similar to figure 2 here.
Make sure your config is as per the example shown.
12-07-2024 03:38 AM
Hello
It's unclear why you are dropping packets at this time when you enable permit all in the L2NAT instance.
The permit all in the L2NAT instance acts just like an access-list does, so without it there is an implicit deny for packets that do not match. However, allowing all traffic in an L2NAT access-mode design can potentially cause broadcast traffic to the other hosts sharing the same VLAN on your other IE switches, which could be negated if you changed to a routed access design.
I see in your diagram above you have the IE switches interconnected. What happens if you break that REP ring between those IE switches and then enable permit all on the L2NAT instances?
12-07-2024 05:04 AM - edited 12-07-2024 05:11 AM
Hello, thanks for your brief info.
You mentioned that there will be broadcast traffic, so I believe it will be on the same VLAN, not broadcast from VLAN 10 to VLAN 20.
I did not try breaking the ring as it is a production network. L2NAT has been applied on both Gig interfaces.
Also, one thing I want to understand: I have a router connected above the core switches and the core switches can learn routes from the router. Let's say 172.16.10.10 is learned from a static route. So I am doing the translation like:
Inside from host 10.0.0.1 to 192.168.10.101
Outside from host 172.16.10.10 to 10.0.0.10.
The inside PC can reach 10.0.0.10 as well, and the router can also ping 192.168.10.101, but only after applying permit all once; then removing permit all keeps on working, but at the same time the local PC gets RTO.
NOTE: Customer cannot put a gateway on the end device due to legacy device.
12-07-2024 11:03 AM
The outside host should see your inside hosts as 192.168.x.x hosts.
The inside hosts should see your outside host as 10.0.0.10.
@Himanshu_Dwivedi wrote:
NOTE: Customer cannot put a gateway on the end device due to legacy device.
So you must be using proxy-arp to gain external connectivity, as such your fixup is set to ALL, correct?
Can you share the config of the core and an IE switch please, if applicable?
12-08-2024 01:04 AM
My topology looks something like this, and below is the basic config.
l2nat instance VLAN10
fixup : arp, icmp
outside from host 172.16.10.10 to 10.0.0.100
inside from host 10.0.0.10 to 192.168.10.10
outside from host 192.168.10.1 to 10.0.0.101
interface GigabitEthernet1/1
switchport mode trunk
l2nat VLAN10 10
rep segment 1
!
interface GigabitEthernet1/2
switchport mode trunk
l2nat VLAN10 10
rep segment 1
!
This is the Packet Tracer scenario, in which it is working fine, as Packet Tracer does not have the permit all functionality. But in my scenario there are multiple switches in a ring, which have different L2NAT instances running on both the uplink and downlink ports; that is why I am running permit all.
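The VLAN10 instance above, together with the "acts like an access-list / implicit deny" behaviour described in the earlier reply, as a small Python model added here (this is not code from the thread or from Cisco; the class and function names are hypothetical, and the rule that an untranslated frame is dropped unless permit all is set follows that reply rather than a vendor document). It shows what each side of the translation sees for the posted inside/outside mappings, and why a local 10.0.0.x frame that reaches the trunk is dropped without permit all but forwarded untranslated with it, which is exactly the traffic that can then reach the duplicate-addressed hosts on the other IE switches in the ring:

```python
# Added example: toy model of a Cisco L2NAT instance (hypothetical names,
# not Cisco's implementation). Packets are (source IP, destination IP).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Packet = Tuple[str, str]


@dataclass
class L2NatInstance:
    """One 'l2nat instance <name>' with its host translations."""
    name: str
    permit_all: bool = False
    # "inside from host A to B": private address -> translated address
    inside: Dict[str, str] = field(default_factory=dict)
    # "outside from host X to Y": real outside address -> alias the inside hosts see
    outside: Dict[str, str] = field(default_factory=dict)

    def inside_from_host(self, private: str, translated: str) -> None:
        self.inside[private] = translated

    def outside_from_host(self, real: str, alias: str) -> None:
        self.outside[real] = alias

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Frame leaving the inside (PC side) toward the uplink trunk.

        Returns the rewritten (src, dst); an untranslated packet unchanged
        when permit all is set; None when the implicit deny drops it."""
        src, dst = pkt
        alias_to_real = {alias: real for real, alias in self.outside.items()}
        new_src = self.inside.get(src)
        new_dst = alias_to_real.get(dst)
        if new_src is None and new_dst is None:
            return pkt if self.permit_all else None
        return (new_src or src, new_dst or dst)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Frame arriving from the outside (uplink) toward the inside hosts."""
        src, dst = pkt
        translated_to_private = {t: p for p, t in self.inside.items()}
        new_src = self.outside.get(src)
        new_dst = translated_to_private.get(dst)
        if new_src is None and new_dst is None:
            return pkt if self.permit_all else None
        return (new_src or src, new_dst or dst)


def build_vlan10_instance(permit_all: bool = False) -> L2NatInstance:
    """The VLAN10 instance with the three translations posted in the thread."""
    inst = L2NatInstance("VLAN10", permit_all=permit_all)
    inst.outside_from_host("172.16.10.10", "10.0.0.100")   # router-side host
    inst.inside_from_host("10.0.0.10", "192.168.10.10")     # local PC
    inst.outside_from_host("192.168.10.1", "10.0.0.101")   # core SVI as seen inside
    return inst


if __name__ == "__main__":
    for permit in (False, True):
        inst = build_vlan10_instance(permit)
        print(f"permit all = {permit}")
        print("  PC -> outside host :", inst.egress(("10.0.0.10", "10.0.0.100")))
        print("  PC -> core SVI     :", inst.egress(("10.0.0.10", "10.0.0.101")))
        print("  outside -> PC      :", inst.ingress(("172.16.10.10", "192.168.10.10")))
        print("  PC1 -> PC2 (local) :", inst.egress(("10.0.0.1", "10.0.0.2")))
```

Running it prints the translated pairs for the mapped hosts in both directions, and for the unmapped PC1 to PC2 pair it prints None without permit all and the untouched private addresses with it; in the ring those untouched frames are the ones the other IE switches, which carry hosts with the same 10.0.0.x addresses, will also receive.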
12-07-2024 09:36 AM
I think this is your third post about L2NAT on the IE3300. As I remember, I shared a YouTube link about L2NAT.
Can you double check it?
Thanks
MHM
12-08-2024 12:53 AM
Thanks for sharing the YouTube link. I went through the full video but unfortunately there is no information in it which I require now.
12-08-2024 03:13 AM
Hello
FYI - permit all IS recommended on the L2NAT instance.
As for PC1/2 that are in the same VLAN, it could be due to BUM traffic at L2 and the fact your hosts don't have any D/G.
You don't mention how large a ring topology you have; however, if the requirement is to have a resilient IE topology between the core and the other IE switches and to run L2NAT at each IE switch, then I would look into running L3 on each IE switch and let them perform both functions (routing and L2NAT): a routed-access design.
With dynamic routing such as EIGRP between the core and the IE switches you will not require any REP; each IE will L2NAT its own VLAN without any outside local or gateway 1-2-1 mapping, and you'll have a fully resilient connection between each IE switch host and externally.
12-08-2024 03:26 AM - edited 12-08-2024 03:30 AM
FYI, I have 9 switches forming a ring with the REP protocol, and as it is a ring the L2NAT instance has been called on both the uplink and downlink interfaces.
If I understand correctly, you mean to perform the routing at the IE end instead of the core layer. How will the ring be formed in this case? Also, as I mentioned, I cannot add a gateway to the machines.
12-09-2024 02:44 AM
Hello @Himanshu_Dwivedi
TBH, thinking about it a bit more, I'm not so sure the routed access mode would be a viable option. The problem is the ring topology: you would have peering issues that would need to be negated, plus the L2NAT instance can only be applied to L2 interfaces anyway.
12-09-2024 06:31 PM
I have found an L2NAT video in which they are configuring L2NAT in a ring, in which permit all is suggested, but the ring is in access mode, as all the switches' uplinks and downlinks are on access ports. In my case it is trunk; hopefully it should work.
12-10-2024 12:21 AM
Hello
If that is applicable to your own topology then try it; I would say it is much better than having trunks interconnecting.