11-10-2014 06:37 AM - edited 03-05-2019 12:08 AM
So, I am trying to set up NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE.
This simple setup involves a layer 3 port (1/0/46) to our gateway and a Vlan for NAT.
My hosts on my NAT Vlan (Vlan 2) do not seem able to ping anything other than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):
Switch#ping 8.8.8.8 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
Switch#
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]
....
Running Config:
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
!
no aaa new-model
switch 1 provision ws-c3650-48ps
!
ip routing
!
ip dhcp excluded-address 192.168.122.1
!
ip dhcp pool Pool14
 import all
 network 192.168.122.0 255.255.255.0
 dns-server 165.211.29.1
 default-router 192.168.122.1
 domain-name my.domain
crypto pki trustpoint TP-self-signed-1875358754
.....
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
interface GigabitEthernet1/0/46
 description conf GW
 no switchport
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
!
interface GigabitEthernet1/0/47
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 165.211.28.193
!
access-list 61 permit 192.168.122.0 0.0.0.255
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end
I also tried using a Vlan (+nat outside) instead of the Layer 3 port (1/0/46), with the same results.
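A consistency check over the posted configuration, written as an added example (not from this thread or from Cisco): it parses the NAT-relevant lines and verifies the prerequisites the replies below ask about (inside/outside marking, the overload interface, the ACL covering the inside subnet, ip routing and a default route). The sample config is a constructed excerpt of the running-config above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the running-config posted above.
SAMPLE_CONFIG = """\
ip routing
interface GigabitEthernet1/0/46
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip route 0.0.0.0 0.0.0.0 165.211.28.193
access-list 61 permit 192.168.122.0 0.0.0.255
"""

def parse_config(text):
    # Returns per-interface {nat, net}, ACL permit networks by number, and global lines.
    ifaces, acls, glob, cur = {}, {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"nat": None, "net": None})
        elif line.startswith(" ") and cur is not None:
            m = re.match(r"\s*ip address (\S+) (\S+)", line)
            if m:
                cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif line.strip() in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[-1]
        else:
            cur = None
            m = re.match(r"access-list (\d+) permit (\S+) (\S+)", line)
            if m:  # standard ACL: invert the wildcard mask to get the netmask
                mask = ipaddress.ip_address(~int(ipaddress.ip_address(m[3])) & 0xFFFFFFFF)
                acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{mask}", strict=False))
            else:
                glob.append(line)
    return ifaces, acls, glob

def check_nat(text):
    # Returns a list of findings; an empty list means every prerequisite holds.
    ifaces, acls, glob = parse_config(text)
    inside = [i["net"] for i in ifaces.values() if i["nat"] == "inside" and i["net"]]
    checks = [("ip routing is not enabled", "ip routing" in glob),
              ("no default route", any(l.startswith("ip route 0.0.0.0 0.0.0.0") for l in glob)),
              ("no interface marked ip nat inside", bool(inside))]
    for m in filter(None, (re.match(r"ip nat inside source list (\d+) interface (\S+)", l) for l in glob)):
        checks.append((f"{m[2]} is not marked ip nat outside", ifaces.get(m[2], {}).get("nat") == "outside"))
        for net in inside:  # every inside subnet must be matched by the translation ACL
            checks.append((f"access-list {m[1]} does not cover {net}", any(net.subnet_of(a) for a in acls.get(m[1], []))))
    return [msg for msg, ok in checks if not ok]
```

For the posted config the check returns no findings, which is consistent with the replies that the configuration itself is fine and the limitation lies elsewhere.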
11-10-2014 07:13 AM
Can you post results of the following:
#show ip route - On the switch
tracert -d 8.8.8.8 - On a host
11-10-2014 07:20 AM
Switch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 165.211.28.193 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 165.211.28.193
192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.122.0/24 is directly connected, Vlan2
L 192.168.122.1/32 is directly connected, Vlan2
165.211.28.0/24 is variably subnetted, 2 subnets, 2 masks
C 165.211.28.192/26 is directly connected, GigabitEthernet1/0/46
L 165.211.28.194/32 is directly connected, GigabitEthernet1/0/46
--------------
traceroute -n 8.8.8.8 (I am on a mac)
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.122.1 2.546 ms 3.291 ms 2.104 ms
2 * * *
3 * * *
4 *
12-19-2014 02:09 PM
Did you get this fixed? I'm having the exact same problem..
Thanks!
12-19-2014 03:46 PM
edited
12-22-2014 12:23 AM
I didn't manage to fix this. After digging into the documentation I found no sign of NAT support on the 3560 switch. I ended up using a router.
12-27-2014 09:55 PM
NAT is not supported on any Catalyst switches except some very high end switches (and even then, the NAT support on those is limited).
If it works at all it will be processed switched (not in hardware) which will result in high CPU under any sort of load. TAC will insist you remove it as these devices were not designed to do this function.
You really need a router to do NAT. It's not a function of switching and has never been supported on these platforms, even if the CLI commands appear to exist.
11-10-2014 07:31 AM
Hello kmerentitis
Your configuration looks correct. I have tested the same topology and it's working. You have to check the IP address and default gateway on the host connected in vlan 2.
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
11-10-2014 07:37 AM
Thank you both for your help.
The IP configuration should be correct, as it was retrieved from the DHCP server running on the switch.
Here is the IP configuration from my (DHCP) client:
ip addr: 192.168.122.2
subnet mask: 255.255.255.0
router: 192.168.122.1
11-10-2014 12:44 PM
11-11-2014 12:22 AM
Hello Paul,
1) Yes, the public addressing is correct. Our gateway is 165.211.28.193/26 and my public address is set up as 165.211.28.194/26.
2) IP routing is enabled on the switch, as you can see in my configuration.
3) Switch#sh sdm prefer
Showing SDM Template Info
This is the Advanced (low scale) template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 4096
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7680
Security Access Control Entries: 1536
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 256
Wireless Output Microflow policer ACEs: 256
Flow SPAN ACEs: 512
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.