Posted on August 10, 2014 5:55 pm
 |  Asked by Amy
 |  8897 views
RESOLVED

Hi all,

I want to set up dynamic NAT and map it to the IP address of my SVI (many to one). Any tips? I have tried a few config variations, but the following appears to be what I need. What am I missing?

I am running 4.12.7.1 on a 7150s

Thanks in advance!

interface Vlan4
ip address my.public.ip/31
ip nat source dynamic access-list nat-out overload
IP Access List nat-out
10 permit ip 50.112.0.0/17 any #This is the destination network.

I have tried the same config w/ an ACL that specifies source and destination, but that did not work for me either:

IP Access List nat1
10 permit ip 10.200.250.0/24 50.112.0.0/17
Posted by Victor
Answered on September 13, 2014 6:11 pm

Amy,

Were you able to get this working?

Posted by Alexis Dacquay
Answered on September 24, 2014 9:53 pm

Hi Amy,

First of all, let's consider that your SVI 4 (interface vlan 4) is your "outside" NAT interface. This is the correct place for applying Source NAT, since:

  • NAT should be applied on a Layer3 interface (routed port or SVI)
  • Source NAT is applied by the switch when egressing the Layer3 interface

Now consider your traffic profile… You mentioned that "10 permit ip 50.112.0.0/17 any #This is the destination network".

Sorry but your statement is not clear… What is the source of your traffic, 50.112.0.0/17? In the aforementioned ACL statement you are using 50.112.0.0/17 as source address (it probably is just a typo; the format is permit <source> <dest>).

Note: Source NAT uses ACLs to filter packets based on destination IP address.

In your second ACL statement, you have src-ip = 10.200.250.0/24, and dst-ip = 50.112.0.0/17

I understand it as "50.112.0.0/17" being the remote outside destination IP address, while "10.200.250.0/24" is the internal private-only address that you want to NAT to your public IP. Is that correct?

There are several aspects you must be careful about; some might sound obvious…

  • Routing: can your 7150 route to 50.112.0.0/17 and 10.200.250.0/24?
    • Can the remote subnet 50.112.0.0/17 route back to your SVI public IP?
  • ARP resolution: ensure the next-hop has got a resolved MAC-IP binding. Without this, NAT would fail to operate. If you were trying in a test / lab environment, place some static entry, or use equipment that you are sure answers ARP requests (e.g. another switch).

How to troubleshoot NAT?

Generating test Traffic

If the application traffic is not controlled by you, it might be difficult to generate traffic at will to troubleshoot. You can then use ethxmit on another Arista switch connected to the 7150. Use the help for more details (ethxmit --help). Example:
Arista# bash sudo ethxmit --ip-dst=50.112.0.1 --ip-src=10.0.0.1 -D 00:1c:73:1e:e5:ee -n 5 --udp-dport=69 --udp-sport=1 et21

Mirroring to CPU

To prove what is happening, you might have a Network Packet Broker (tap/mirroring sessions to analyzer/probes). For convenience, the 7150S has on-board capture ability: not just control-plane traffic like any other Arista switch, but you can also configure mirroring to the CPU. Here is a suggestion of mirroring configuration, allowing you to monitor the inside port and the outside port independently.
! inside port
monitor session 1 source Ethernet1
monitor session 1 destination Cpu
!
! outside port (e.g. the one with VLAN4 - access or trunk)
monitor session 49 source Ethernet49
monitor session 49 destination Cpu
!
Once you have configured the session, simply trigger a capture with tcpdump, either from bash or directly from the EOS CLI (recent EOS versions). From EOS:

7150s#tcpdump monitor 1

From Bash: a) gather the kernel mirror port with "show monitor session"
7150s#show monitor session
Session 1
------------------------
Source Ports:
Both: Et1
Destination Ports:
Cpu : active mirror3
Session 49
------------------------
Source Ports:
Both: Et49
Destination Ports:
Cpu : active mirror2
b) in bash, run TCP dump on the relevant kernel interface
7150s# bash tcpdump -ni mirror3

Output example:
tcpdump: WARNING: mirror3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mirror3, link-type EN10MB (Ethernet), capture size 65535 bytes
21:44:35.263110 00:1c:73:1e:e5:ee > 00:1c:73:1a:c8:3a, ethertype IPv4 (0x0800), length 60: 122.0.0.2.tcpmux > 50.112.0.1.tftp: 18 RRQ "^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q" [|tftp]
21:44:35.263121 00:1c:73:1e:e5:ee > 00:1c:73:1a:c8:3a, ethertype IPv4 (0x0800), length 60: 122.0.0.2.tcpmux > 50.112.0.1.tftp: 18 RRQ "^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q" [|tftp]
21:44:35.263124 00:1c:73:1e:e5:ee > 00:1c:73:1a:c8:3a, ethertype IPv4 (0x0800), length 60: 122.0.0.2.tcpmux > 50.112.0.1.tftp: 18 RRQ "^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q" [|tftp]
With packet capture and traffic generation, verify your routing and next-hop resolution at Layer 3 and Layer 2 (ARP and MAC tables).

Configuration

I have tested your topology (albeit with a different EOS version), and it works fine:
!
interface Vlan4
 ip address 122.0.0.2/24
 ip nat source dynamic access-list ACL-NAT-SRC-OUT overload
!
ip access-list ACL-NAT-SRC-OUT
 10 permit ip 10.0.0.0/24 50.112.0.0/17
!

I am also not able to get basic source NAT working.

Is there something I am missing or doing wrong?
arista-7050# show ver
 Arista DCS-7050QX-32-R
 Hardware version: 02.11
 Serial number: JPE14230323
 System MAC address: 001c.7355.b25d
 Software image version: 4.14.0F
 Architecture: i386
 Internal build version: 4.14.0F-1939846.4140F.1
 Internal build ID: a7e43cc9-c9ab-4ad4-9740-eff01d4fdd8b
 Uptime: 6 days, 5 hours and 22 minutes
 Total memory: 3992712 kB
 Free memory: 1693664 kB
Packets are from eth3/1 to eth3/2, source 11.0.0.9 to 12.0.0.9. I want to change source 11.0.0.9 to 20.0.0.9.
interface Ethernet3/1
 switchport access vlan 2
 !
interface Ethernet3/2
 switchport access vlan 3
interface Vlan2
 ip address 11.0.0.1/8
ip nat source static 11.0.0.9 20.0.0.9
 !
interface Vlan3
 ip address 12.0.0.1/8

arp 12.0.0.9 00:1c:11:11:11:11 arpa
Just to show traffic is fine, I removed ARP and traffic is shown in tcpdump:
arista-7050(config)# no arp 12.0.0.9 00:1c:11:11:11:11 arpa
[admin@arista-7050 ~]$ tcpdump -ni vlan2
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on vlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
 01:09:27.388706 00:10:94:00:00:02 > 00:1c:73:55:b2:5d, ethertype IPv4 (0x0800), length 124: 11.0.0.9.sieve-filter > 12.0.0.9.hbci: UDP, length 82
 01:09:27.398707 00:10:94:00:00:02 > 00:1c:73:55:b2:5d, ethertype IPv4 (0x0800), length 124: 11.0.0.9.sieve-filter > 12.0.0.9.hbci: UDP, length 82
 01:09:27.408708 00:10:94:00:00:02 > 00:1c:73:55:b2:5d, ethertype IPv4 (0x0800), length 124: 11.0.0.9.sieve-filter > 12.0.0.9.hbci: UDP, length 82
arista-7050# show ip nat access-list
arista-7050# show ip nat translation
Source IP     Destination IP    Translated IP    TGT    Type    Intf
---------------------------------------------------------------------
11.0.0.9:0    -                 20.0.0.9:0       SRC    STAT    Vl2
arista-7050# show ip nat translation detail
Source IP     Destination IP    Translated IP    TGT    Type    Intf    Proto    Packets    Packets Reply
----------------------------------------------------------------------------------------------------------
11.0.0.9:0    -                 20.0.0.9:0       SRC    STAT    Vl2     -        0          0
arista-7050# show ip nat counters
 Description Value
 Number of Conntrack new connection events 0
 Number of Conntrack update connection events 0
 Number of Conntrack delete connection events 0
 Conntrack update connection errors 0
 Conntrack delete connection errors 0
 Conntrack table sync requests 13
 Conntrack table sync request errors 0
 Conntrack table sync already in progress count 0
 Kernel iptables write errors 0
 Netlink recv errors 0
 Netlink ENOBUFS errors 0
 Number of Netlink truncated messages 0
 Number of Netlink sequence number mismatches 0
 Number of Netlink sequence number out of range errors 0
 Number of Netlink bad message length errors 0
 Number of Netlink no space in message errors 0
 Number of Netlink unexpected dump done messages 0
 Number of Netlink TCP connections ignored in dump 0
(naveen salem at October 22, 2014 1:06 am)

Hi Naveen,
Your question relates to Static one-to-one source NAT, not NAT overload.
Note that source NAT is applied on the egress interface. It is mentioned in the manual, but it may not be obvious.
In your configuration example below, you seem to apply the source NAT on the source interface (ingress):
!
interface Vlan2
ip address 11.0.0.1/8
ip nat source static 11.0.0.9 20.0.0.9 <-- this cannot work for source NAT
!
If your egress L3 interface is VLAN3, then the following should work:
!
interface Vlan3
ip address 12.0.0.1/8
ip nat source static 11.0.0.9 20.0.0.9 <-- your NAT statement is now on the egress L3 interface
!
!
Regards,
Alexis

(Alexis Dacquay at October 28, 2014 5:24 pm)
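As an added illustration (not code from the thread or from Arista EOS), the following Python checker models the two mistakes discussed in Alexis's answer and in this reply: a NAT ACL entry reads permit ip <source> <destination>, so Amy's first ACL has the fields swapped, and source NAT only takes effect on the egress L3 interface, so Naveen's static statement on the ingress SVI cannot match. The config text, the flows, and the longest-connected-prefix egress lookup are constructed assumptions for the example; no switch is consulted.

```python
import ipaddress
import re

# Constructed EOS-style config (not a verbatim copy of the thread) combining Naveen's
# misplaced static NAT (on ingress Vlan2) with Amy's two NAT ACLs from the question.
CONFIG = """
interface Vlan2
 ip address 11.0.0.1/8
 ip nat source static 11.0.0.9 20.0.0.9
interface Vlan3
 ip address 12.0.0.1/8
ip access-list nat-out
 10 permit ip 50.112.0.0/17 any
ip access-list nat1
 10 permit ip 10.200.250.0/24 50.112.0.0/17
"""

def parse_config(text):
    """Return (interfaces, acls): SVIs with subnet and NAT lines, ACLs as (src, dst) permits."""
    intfs, acls, cur, acl = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            cur, acl = intfs.setdefault(m.group(1), {"net": None, "nat": []}), None
        elif m := re.match(r"ip access-list (\S+)", line):
            acl, cur = acls.setdefault(m.group(1), []), None
        elif cur is not None and line.startswith("ip address "):
            cur["net"] = ipaddress.ip_interface(line.split()[2]).network
        elif cur is not None and line.startswith("ip nat source "):
            cur["nat"].append(line)
        elif acl is not None and (m := re.match(r"\d+ permit ip (\S+) (\S+)", line)):
            acl.append(tuple(ipaddress.ip_network("0.0.0.0/0" if f == "any" else f) for f in m.groups()))
    return intfs, acls

def acl_matches(acls, name, src, dst):
    """ACL entries are 'permit ip <source> <destination>': does the flow hit any entry?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in acls[name])

def egress_interface(intfs, dst):
    """Longest connected-prefix match: the L3 interface a packet towards dst leaves on."""
    d = ipaddress.ip_address(dst)
    hits = [(i["net"].prefixlen, n) for n, i in intfs.items() if i["net"] and d in i["net"]]
    return max(hits)[1] if hits else None

def nat_placement(intfs, dst):
    """Source NAT only acts on the egress interface: report where it is vs where it must be."""
    egress = egress_interface(intfs, dst)
    nat_on = sorted(n for n, i in intfs.items() if i["nat"])
    return {"egress": egress, "nat_on": nat_on, "ok": egress in nat_on}
```

For Amy's flow 10.200.250.x to 50.112.0.x, acl_matches returns False for nat-out and True for nat1; for Naveen's flow to 12.0.0.9, nat_placement reports egress Vlan3 with NAT configured only on Vlan2.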
