IOS Router NAT with ECMP Inside interfaces

NeverOutofTune · ‎04-24-2015

Is it possible to have NAT on multiple inside interfaces and one outside interface with the inside interfaces participating in ECMP via EIGRP? My concern is would this be asymmetrical routing, that is, the traffic would go out one interface and return via another interface. Would this affect NAT?

hostname RTR1

interface GigabitEthernet0/0
ip address 3.3.3.3 255.255.255.0
ip nat outside

interface GigabitEthernet0/1
ip address 10.1.1.21 255.255.255.0
ip nat inside

interface GigabitEthernet0/2
ip address 10.2.2.21 255.255.255.0
ip nat inside

router eigrp 1
network 10.0.0.0

ip nat inside source list aclNAT interface GigabitEthernet0/1 overload

ip access-list extended aclNAT
permit ip 10.0.0.0 0.255.255.255 object-group RemoteSites

!----------

hostname L3SW1

interface GigabitEthernet0/1
switchport mode access

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 2

interface Vlan1
ip address 10.1.1.1 255.255.255.0

interface Vlan2
ip address 10.2.2.1 255.255.255.0

router eigrp 1
network 10.0.0.0

Reza Sharifi · ‎04-24-2015

There should not be any asymmetric routing. For example; if a packet is sourced from vlan 1, this vlan only exist on interface g0/1 on the switch and g0/1 on the router. So the return traffic would come back using the same interface. If the source is vlan 2 than it would use g0/2 on both the switch and router

HTH

NeverOutofTune · ‎04-24-2015

Thanks for the quick response Reza. I left out an important item. The source will be in Vlan 3. It will have two equal cost paths to/from the Internet either Vlan 1 or Vlan 2. I will update the diagram.

Reza Sharifi · ‎04-24-2015

Hi,

If you add a 3rd vlan (vlan 3) you still need to add a physical link between the switch and the router and add vlan 3 to that interface just like vlan 1 and 2. The problem with this type of design is every time you add a new vlan, you also need to add a physical interface between the switch and the router and eventually the router will run out of interfaces. A better design would be to keep the switch as layer 2 and have one physical link (trunked) between the switch and the router and add all the interface to that trunk. As you add more vlans all you have to do is to add them to the trunk. Does this make sense?

HTH

NeverOutofTune · ‎04-24-2015

Since my aclNAT is broad (10.0.0.0/8), I should be able to add Vlan3 and other Vlans as long as they are within the aclNAT source range. Thus, if Vlan3 is 10.3.3.1 and the laptop is 10.3.3.2 and I have the RTR1 advertising the default route (not shown but assumed), I should be good.

Having one physical link to the router does not meet my design criteria as I need to dual home the router to two physical switches in a 3750 stack for high availability.

Reza Sharifi · ‎04-24-2015

Having one physical link to the router does not meet my design criteria as I need to dual home the router two physical switches in a 3750 stack for high availability.

Depending on the router you can create a Portchannel with multiple physical links in it.

So, you will have one link from each switch in the stack connected to the router.

Most newer routers are capable of Portchannels.

HTH