Posted on April 21, 2015 7:12 pm | Asked by Cemal | 4252 views
RESOLVED

Hi All,

I am trying to perform dynamic source NAT (overload) on one Arista 7150s device and Destination NAT on another Arista 7150s device.

Topology is:

Juniper MX960 -vlan3002-> Arista1 -vlan701-> Arista2 (vlan100)

I am just trying to see if I can SSH from the Juniper device with a Source NAT performed on Arista1 to a Destination NAT performed on Arista2 which is just another vlan interface.

Below is the configuration I currently have for each device:

Juniper:

 set interfaces xe-0/1/0 unit 3002 family inet address 192.168.254.1/30
 set routing-options static route 10.1.1.1/32 next-hop 192.168.254.2
 set routing-options static route 10.1.1.2/32 next-hop 192.168.254.2
 set routing-options static route 192.168.10.1/32 next-hop 192.168.254.2
 set routing-options static route 192.168.12.1/32 next-hop 192.168.254.2
 set routing-options static route 192.168.12.2/32 next-hop 192.168.254.2
 set routing-options static route 10.210.0.42/32 next-hop 192.168.254.2

Arista1:

interface Vlan3002
 ip address 192.168.254.2/30
interface Vlan701
 ip address 10.91.0.1/30
 ip nat source dynamic access-list NAT-ACL2 pool pool2
IP Access List NAT-ACL2
 10 permit ip host 192.168.11.1 host 192.168.12.1
 20 permit ip host 192.168.11.1 host 192.168.12.2
 30 permit ip host 192.168.11.1 host 10.1.1.2
 40 permit ip host 192.168.9.5 host 10.1.1.2
 50 permit ip host 192.168.254.1 any
 #show ip nat pool pool2
 Pool StartIp EndIp Prefix
 pool2 192.168.10.2 192.168.10.2 32

Arista2:

interface Vlan701
 ip address 10.91.0.2/30
interface Vlan100
 ip address 192.168.100.2/24
 ip nat destination static 192.168.12.1 access-list Static-NAT 192.168.100.2
 #show ip access-lists Static-NAT
 IP Access List Static-NAT
 10 permit ip 192.168.10.0/24 any
 20 permit ip 192.168.11.0/24 any
 30 permit ip 192.168.254.0/24 any

My understanding is that Source NAT is done on egress and Destination NAT is done on ingress.

Any input would be appreciated!

Posted by Alexis Dacquay
Answered on April 21, 2015 8:57 pm

Hello Cemal,

Nice explanation. Have you checked the output of the various "show" commands to understand what was active and what was not?

Firstly, I would like to provide pointers to deep-dive articles/threads on NAT, just in case you missed them:

https://eos.arista.com/7150s-nat-practical-guide-source-nat-static/

https://eos.arista.com/7150s-nat-practical-guide-source-nat-dynamic/

Past question on NAT overload, with troubleshooting tips:

https://eos.arista.com/forum/nat-overload/

Also, are you trying to achieve Source + Destination NAT translation on the same flow?

Have you considered Twice-NAT? (https://eos.arista.com/forum/twice-nat-for-multicast/)

With the topology you provided below, could you confirm this is a unidirectional unicast flow (per the ACLs)?

"Juniper MX960 -vlan3002-> Arista1 -vlan701-> Arista2 (vlan100)"

"I am trying to perform dynamic source NAT (overload)"

You are not using the overload feature; instead you use a pool. Would you like to overload the Layer 3 VLAN 701 interface instead, on the Arista1 switch?

Must you use "192.168.10.2" as the many-to-one translation (overload), while keeping it different from the Layer 3 VLAN 701 interface? Make sure Arista1 knows how to reach 192.168.10.2; it is not on Vlan701 after all, so without additional routing it won't hold a route for it.

"My understanding is that Source NAT is done on Egress and Destination NAT is done on Ingress"

You are correct, but given the flow direction, you seem to apply Destination NAT on Arista2's egress (VLAN 100) instead of ingress (should it not be VLAN 701?).

Make sure to follow the mirroring-to-CPU tips, to analyze traffic step by step.

Suggested commands to run:

show ip nat translation […]

show ip nat pool

sh ip route

sh arp

Regards,

Alexis

Posted by Cemal
Answered on April 21, 2015 9:35 pm

Hey Alexis,

Thanks for replying back.

I did try some of the show commands but with no luck; I'll re-run them and post the output here when I am back at my laptop.

When performing source NAT only, I can see the SSH connection attempts, and they connect to the real IP fine on Arista2.

When I use the destination NAT on Arista2, I can't see the source NAT translations occurring in the NAT translation table on Arista1, but if I do a tcpdump on vlan701 on Arista2 I see that the source has been NAT'd correctly. This leads me to think my destination NAT configuration is wrong, so until that part works correctly I won't see the source NAT flow on Arista1 in the 'show ip nat translation' table.

Indeed, originally I wanted to perform twice NAT on a single device, which was when I reached out to support and they included you on the email chain, but twice NAT is only one-to-one NAT going by the documentation you provided, so I can't have the source as many-to-one NAT (to a pool) and the destination as static.

Thanks,

Cemal

Posted by Cemal
Answered on April 22, 2015 4:01 pm

Hi Alexis,

With a TCPDump I see the below:

Arista1:

#tcpdump interface vlan701 filter icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan701, link-type EN10MB (Ethernet), capture size 65535 bytes
17:25:07.574754 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.12.1: ICMP echo request, id 13944, seq 1280, length 64
17:25:07.574862 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1280, length 64
17:25:08.575524 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.12.1: ICMP echo request, id 13944, seq 1281, length 64
17:25:08.575643 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1281, length 64
PGTLLN01#tcpdump interface vlan3002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan3002, link-type EN10MB (Ethernet), capture size 65535 bytes
17:29:59.799597 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1572, length 64
17:30:00.800378 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1573, length 64
17:30:01.801115 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1574, length 64
17:30:02.801914 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1575, length 64
17:30:03.802688 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1576, length 64
17:30:04.803442 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1577, length 64

Arista2:

#tcpdump interface vlan 701 filter icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan701, link-type EN10MB (Ethernet), capture size 65535 bytes
16:01:14.586971 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.100.2: ICMP echo request, id 13944, seq 1345, length 64
16:01:14.587058 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1345, length 64
16:01:15.587896 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.100.2: ICMP echo request, id 13944, seq 1346, length 64
16:01:15.587941 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1346, length 64

Juniper:

> monitor traffic interface xe-0/1/0.3002 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on xe-0/1/0.3002, capture size 96 bytes
16:54:53.238288 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1379, length 64
16:54:54.239067 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1380, length 64
16:54:55.239834 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1381, length 64
16:54:56.240607 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1382, length 64
16:54:57.241374 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1383, length 64
16:54:58.242141 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1384, length 64
16:54:59.242909 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1385, length 64

I noticed that my D-NAT config was wrong: it was placed on vlan100, which would make it egress, so I moved it to vlan701 on Arista2.

In summary, Source NAT is on vlan701 (egress) on Arista1 and Destination NAT is on Arista2 vlan701 (ingress).

On Arista1 you only see ICMP echo requests but no ICMP echo replies.
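
A small checker for the captures in this post, added here as an example; it is not a tool from the thread or from Arista. It pairs ICMP echo requests with replies by (id, seq) at one capture point and reports the two symptoms visible above: a reply whose source is not the address the request was sent to (the reverse translation never happened on the way back), and requests that get no reply at that capture point. The regex is written for the tcpdump and Juniper 'monitor traffic' line shapes shown above and ignores anything else; the sample input is copied from the Arista1 captures in this post.

```python
"""
Return-path checker for ICMP echo traffic in tcpdump-style captures.
Added example for this page; not from the thread and not an Arista tool.
"""
import re

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# Timestamp, then anything (MAC addresses, 'truncated-ip' notes), then "src > dst: ICMP echo ..."
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s.*?(?P<src>{IP}) > (?P<dst>{IP}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Return one dict per ICMP echo line (ts, src, dst, kind, id, seq); other lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def check_return_path(lines):
    """Pair requests and replies seen at one capture point.

    asymmetric: the reply's (src, dst) is not the mirror of the request's (src, dst),
                i.e. the return path did not undo the translation
    unanswered: (id, seq) of requests for which no reply appears in this capture
    """
    requests, replies = {}, {}
    for p in parse_icmp(lines):
        (requests if p["kind"] == "request" else replies)[(p["id"], p["seq"])] = p
    asymmetric = []
    for key, req in requests.items():
        rep = replies.get(key)
        if rep and (rep["src"] != req["dst"] or rep["dst"] != req["src"]):
            asymmetric.append({"id_seq": key,
                               "request": (req["src"], req["dst"]),
                               "reply": (rep["src"], rep["dst"])})
    unanswered = sorted(k for k in requests if k not in replies)
    return {"asymmetric": asymmetric, "unanswered": unanswered}


# Sample input copied from the Arista1 captures in the post above.
ARISTA1_VLAN701 = """\
17:25:07.574754 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.12.1: ICMP echo request, id 13944, seq 1280, length 64
17:25:07.574862 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1280, length 64
17:25:08.575524 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.12.1: ICMP echo request, id 13944, seq 1281, length 64
17:25:08.575643 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1281, length 64
""".splitlines()

ARISTA1_VLAN3002 = """\
17:29:59.799597 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1572, length 64
17:30:00.800378 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1573, length 64
""".splitlines()

# The Juniper 'monitor traffic' line shape (truncated frame, no MAC addresses) parses as well.
JUNIPER_XE = """\
16:54:53.238288 Out IP truncated-ip - 34 bytes missing! 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1379, length 64
""".splitlines()


def vlan701_findings():
    return check_return_path(ARISTA1_VLAN701)


def vlan3002_findings():
    return check_return_path(ARISTA1_VLAN3002)


if __name__ == "__main__":
    print("Arista1 vlan701 :", vlan701_findings())
    print("Arista1 vlan3002:", vlan3002_findings())
```

On the vlan701 capture every request is answered but each reply is flagged asymmetric (sent to 192.168.12.1, answered from 192.168.100.2); on the vlan3002 capture nothing is flagged asymmetric, but every request is unanswered, which is the same fault seen one hop further back.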

Posted by Alexis Dacquay
Answered on April 22, 2015 8:32 pm

Cemal,

You are correct, Twice NAT is only static. I think what you are trying to achieve makes sense, but let's have a further look into a few points:

Have you tested your Arista1 Source NAT alone, without Arista2 Destination NAT, just to progress step by step and validate everything going on with Arista1 first. Once you have bidirectional NATed traffic through the 1st switch.

Is that what you have done when you mentioned "when performing source NAT only the ssh connection attempts I can see and they connect to the real ip fine on Arista2"?

You could then test the Destination NAT alone on the 2nd switch, before having both at the same time, just to troubleshoot.

What and where is the source of the traffic, and what is the destination for your test traffic? Is it Juniper to Arista2? Is it always the same test traffic throughout, or does it vary across the captures?

Now that the Destination static NAT is correctly on ingress, what do the configured commands look like?

You cannot have VLAN IP 192.168.100.2 and also translate the destination into 192.168.100.2. Or are you trying to send SSH/ping traffic to the switch Arista2 itself?

Could you comment your tcpdump captures to highlight what you are demonstrating? I think I get it, but it would be for 100% clarity.

I am not clear, as, if done on Arista switches, you would only capture control-plane traffic. Check the first link I mentioned, and run monitor sessions to the CPU to capture dataplane traffic. (https://eos.arista.com/7150s-nat-practical-guide-source-nat-static/)

When you write "On Arista1 you only see ICMP echo requests but no ICMP echo replies.", did you mean for VLAN3002 only? Because your capture for VLAN701 on Arista1 shows replies.

What about basic routing:

- Can the responding host (Arista2?) reach 192.168.10.2 by routing? It seems Arista1 receives traffic correctly on VLAN 701, but we don't have the whole picture.

If you want to attach your full configs + suggested outputs to this post (or send them to me by email), it could help give better visibility (and maybe I could recreate your topology). Please also detail the topology, and what the source/destination hosts are. Or send me all this directly by email; I could build a lab with that.

Sorry if I have more questions than answers, I am just trying to understand the details.

Regards,

Alexis

Answered on April 22, 2015 10:01 pm

Hi all,

I have configured the same configuration on my switches. I am able to establish ssh connection from Juniper to host connected to Arista2.

Here is my topology:
=================

Instead of Juniper switch, I have used Arista switch. Destination Host is also Arista switch.

Arista-Source [192.168.254.1] ----- [192.168.254.2] Arista1 [10.91.0.1] ---- [10.91.0.2] Arista2 [192.168.100.2] --- [192.168.100.1] Arista-Destination.

1. I have established an SSH connection from Arista-Source with Source IP 192.168.254.1 and Destination IP 10.91.0.2. It will log in to the Arista-Destination switch [192.168.100.1]. On the Arista1 switch, the source IP address will be changed.

2. Dynamic Source NAT is configured on interface VLAN 701 of the Arista1 switch. The source IP address will be changed to the new VIP 192.168.10.2. Source NAT is applied in the egress direction. On the Arista2 switch, the destination IP address will be changed.

3. Destination NAT is configured on interface VLAN 701 of the Arista2 switch. The destination IP address will be changed to the new VIP 192.168.100.1, which belongs to Arista-Destination. Destination NAT is applied in the ingress direction, before the routing decision. I have also seen that Destination NAT is configured incorrectly on Arista2:

interface Vlan701
ip address 10.91.0.2/30
ip nat destination static 192.168.12.1 access-list Static-NAT 192.168.100.2   ---> Incorrect
ip nat destination static 10.91.0.2 access-list Static-NAT <Arista-Destination> [192.168.100.1]

4. I have enabled routing to reach the following destinations.

Arista-Source -> to reach the destination 10.91.0.1 via Arista1 [192.168.254.2]
Arista2 -> to reach the destination 192.168.10.2 via Arista1 [10.91.0.1]
Arista-Destination -> to reach the destination 192.168.10.2 via Arista2 [192.168.100.2]

Arista1 switch :
==============

co573-spine1.15:03:51#sh ip nat translation dynamic
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.254.1:41586    10.91.0.2:22       192.168.10.2:41586    SRC  DYN   vlan701

Arista2 switch:
============
co571-spine2.15:20:08#sh ip nat translation
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.10.0/24        10.91.0.2:0        192.168.100.1:0       DST  STAT  vlan701
192.168.254.0/24       10.91.0.2:0        192.168.100.1:0       DST  STAT  vlan701
192.168.11.0/24        10.91.0.2:0        192.168.100.1:0       DST  STAT  vlan701

Please let me know if you have any questions on the same.

-Mani

Hi Mani, are you able to draw this if possible? Apologies, I am struggling to understand your setup. I'll add a drawing of the current setup I have to this, which may help. Thanks, Cemal
(Cemal at April 23, 2015 2:12 pm)
Posted by Cemal
Answered on April 23, 2015 2:13 pm

Hopefully this makes more sense.

Answered on April 23, 2015 9:29 pm

Hi Cemal,

Thanks for sending us the topology.

We do not support NAT if the NAT destination is the CPU [i.e. you are using the NAT destination as the loopback port]. Can you change the setup in such a way that the host is directly attached to the Destination NAT box?

Juniper ----- Arista1 ----- Arista2 ---- Destination Box [IP address is 10.1.1.2]
Arista1 configuration:
====================

interface Vlan701
ip address 10.91.0.1/30
ip nat source dynamic access-list nat-acl2 pool pool2

ip route 192.168.12.1/32 10.91.0.2

co573-spine1.14:22:41#sh ip access-lists nat-acl2
IP Access List nat-acl2
10 permit ip host 192.168.11.1 host 192.168.12.1
20 permit ip host 192.168.254.1 any

co573-spine1.14:23:01#sh ip nat pool
Pool StartIp EndIp Prefix
pool2 192.168.10.2 192.168.10.2 32
Arista2 Configuration:
=======================

interface Vlan701
ip address 10.91.0.2/30
ip nat destination static 192.168.12.1 access-list static-nat 10.1.1.2

interface Ethernet45   -----> Interface attached to Destination Box
no switchport
ip address 10.1.1.1/30

co571-spine2.14:50:56#sh ip access-lists static-nat
IP Access List static-nat
10 permit ip 192.168.10.0/24 any
20 permit ip 192.168.11.0/24 any
30 permit ip 192.168.254.0/24 any

ip route 192.168.10.2/32 10.91.0.1
Destination box configuration:
========================

interface Ethernet45
no switchport
ip address 10.1.1.2/30

ip route 192.168.10.2/32 10.1.1.1
========Output ======

Juniper box :
===========
ssh 192.168.12.1 [ Source IP address as 192.168.254.1]

Arista1 box :
============
co573-spine1.14:23:30#sh ip nat translation dynamic
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.254.1:35128    192.168.12.1:22    192.168.10.2:35128    SRC  DYN   Vl701

Arista2 box :
=============
co571-spine2.14:45:20#sh ip nat translation
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.10.0/24        192.168.12.1:0     10.1.1.2:0            DST  STAT  Vl701
192.168.254.0/24       192.168.12.1:0     10.1.1.2:0            DST  STAT  Vl701
192.168.11.0/24        192.168.12.1:0     10.1.1.2:0            DST  STAT  Vl701

-Mani

Hey Mani,

Thank you for confirming I can’t destination NAT to the CPU of the Arista2 device.
When first performing destination NAT to a loopback, this was what I was thinking, so I switched to a vlan interface on the switch (local IP). Obviously this would not work either, and I would need to perform the destination NAT on the far side of the vlan, which was what I was planning to do today; your feedback concurred with my theory also.

Thank you so much for the assistance with this.

-Cemal

(Cemal at April 24, 2015 11:19 am)
Posted by Neha Goyal
Answered on April 23, 2015 10:33 pm

Hi Cemal,

I read through your question and I believe SSH will not be successful in this scenario. The reason is that the destination 192.168.100.2 is local to Arista box 2, on which you have static destination NAT. Static NAT does not work on packets sourced from the CPU.

In your case, ICMP packets in the forward direction reach the destination 192.168.100.2 by getting source NAT on Arista box 1 and destination NAT on Arista box 2.

arista box 1:

PGTLLN01#tcpdump interface vlan3002

17:29:59.799597 b0:c6:9a:e6:10:52 (oui Unknown) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.254.1 > 192.168.12.1: ICMP echo request, id 13944, seq 1572, length 64

#tcpdump interface vlan 701 filter icmp

17:25:07.574754 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.12.1: ICMP echo request, id 13944, seq 1280, length 64

arista box 2:

#tcpdump interface vlan 701 filter icmp

16:01:14.586971 00:1c:73:2b:02:9a (oui Arista Networks) > 00:1c:73:2b:03:b8 (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.100.2: ICMP echo request, id 13944, seq 1345, length 64

The ICMP packets in the reverse direction are generated from Arista box 2, which has destination static NAT. The packets are sourced from the CPU because 192.168.100.2 is a local IP, and hence NAT on packets in the reverse direction does not work. The packet is received on Arista box 1 with source 192.168.100.2 instead of 192.168.12.1, which does not match the source NAT rules on this box, and hence it is dropped.

arista box2:

#tcpdump interface vlan 701 filter icmp

16:01:14.587058 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1345, length 64

arista box 1:

#tcpdump interface vlan 701 filter icmp

17:25:07.574862 00:1c:73:2b:03:b8 (oui Arista Networks) > 00:1c:73:2b:02:9a (oui Arista Networks), ethertype IPv4 (0x0800), length 98: 192.168.100.2 > 192.168.10.2: ICMP echo reply, id 13944, seq 1280, length 64

I hope this helps.

Thanks,

Neha

Hey Neha,

Thanks for confirming that I cannot perform destination NAT to the CPU of the same device.

-Cemal

(Cemal at April 24, 2015 11:20 am)
Posted by Cemal
Answered on April 24, 2015 11:27 am

Hi Alexis, Mani, Neha,

Thank you so much for all the patience and help you have provided me for this topic.

I have attached what my current setup is with configurations also.

I can confirm that Source NAT via Arista1 with Destination NAT via Arista2 is now functioning successfully:

Arista1:

#show ip nat translation
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.11.200:64018   192.168.12.1:22    192.168.10.2:64018    SRC  DYN   Vl701
192.168.254.1:50696    192.168.12.1:22    192.168.10.2:50696    SRC  DYN   Vl701

Arista2:

#show ip nat translation
Source IP              Destination IP     Translated IP         TGT  Type  Intf
--------------------------------------------------------------------------------
192.168.10.0/24        192.168.12.1:0     192.168.253.1:0       DST  STAT  Vl701
192.168.254.0/24       192.168.12.1:0     192.168.253.1:0       DST  STAT  Vl701
192.168.11.0/24        192.168.12.1:0     192.168.253.1:0       DST  STAT  Vl701

-Cemal
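
A model of the two-hop NAT path in this thread, added here as an example; it is not Arista EOS code and does not reproduce the 7150S dataplane. It walks one SSH SYN from the Juniper (192.168.254.1) through Arista1's dynamic source NAT (overload to 192.168.10.2 on egress of VLAN 701, with a translation table used to reverse-translate replies) and Arista2's static destination NAT (VIP 192.168.12.1 on ingress of VLAN 701, scoped by the source-prefix ACL from the configs above), then brings the reply back. Two behaviours are taken as assumptions from Neha's and Alexis's answers: a reply the switch generates from its own CPU (because the translated destination is one of its interface IPs) does not go through the NAT tables, and a reply with no route back to the pool IP never leaves. The addresses are the ones from the thread; the classes, their methods and the port numbers are this example's own.

```python
"""
Two-hop NAT path model (added example for this page; not EOS code).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def in_any(addr: str, nets) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in nets)


class SourceNatBox:
    """Arista1 model: 'ip nat source dynamic access-list ... pool ...' with a one-address pool."""

    def __init__(self, acl, pool_ip):
        self.acl = acl          # (source host, destination net or "any") permits, like NAT-ACL2
        self.pool_ip = pool_ip  # every permitted flow is overloaded onto this address
        self.table = {}         # (proto, translated src, sport, dst, dport) -> original src

    def egress(self, p: Pkt) -> Pkt:
        permitted = any(p.src == s and (d == "any" or in_any(p.dst, [d])) for s, d in self.acl)
        if not permitted:
            return p            # not matched by the NAT ACL: routed untouched
        self.table[(p.proto, self.pool_ip, p.sport, p.dst, p.dport)] = p.src
        return replace(p, src=self.pool_ip)

    def ingress_reply(self, p: Pkt) -> Optional[Pkt]:
        # Reverse translation only happens when the reply mirrors the translated 5-tuple exactly.
        orig = self.table.get((p.proto, p.dst, p.dport, p.src, p.sport))
        return None if orig is None else replace(p, dst=orig)


class DestinationNatBox:
    """Arista2 model: 'ip nat destination static <vip> access-list <acl> <real>' on ingress."""

    def __init__(self, vip, real_ip, acl_prefixes, local_ips, routes):
        self.vip, self.real_ip = vip, real_ip
        self.acl_prefixes = acl_prefixes  # source prefixes permitted by the static-nat ACL
        self.local_ips = set(local_ips)   # the switch's own interface addresses
        self.routes = routes              # prefixes reachable from Arista2 and the host behind it

    def ingress(self, p: Pkt) -> Pkt:
        if p.dst == self.vip and in_any(p.src, self.acl_prefixes):
            return replace(p, dst=self.real_ip)
        return p

    def reply_to(self, p: Pkt) -> Optional[Pkt]:
        """Reply from whatever owns p.dst: the switch itself (CPU) or the attached host."""
        reply = Pkt(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport, proto=p.proto)
        if not in_any(reply.dst, self.routes):
            return None         # assumption: no route back to the pool IP, reply never leaves
        if reply.src in self.local_ips:
            return reply        # assumption: CPU-generated reply bypasses NAT, keeps local source
        # Host reply leaving via VLAN 701: the static translation puts the VIP back as source.
        return replace(reply, src=self.vip) if reply.src == self.real_ip else reply


def run_ssh(real_ip: str, arista2_local, arista2_routes) -> Optional[Pkt]:
    """Juniper (192.168.254.1) opens SSH to VIP 192.168.12.1; returns the reply as the Juniper sees it."""
    a1 = SourceNatBox(acl=[("192.168.11.1", "192.168.12.1/32"), ("192.168.254.1", "any")],
                      pool_ip="192.168.10.2")
    a2 = DestinationNatBox(vip="192.168.12.1", real_ip=real_ip,
                           acl_prefixes=["192.168.10.0/24", "192.168.11.0/24", "192.168.254.0/24"],
                           local_ips=arista2_local, routes=arista2_routes)
    syn = Pkt(src="192.168.254.1", dst="192.168.12.1", sport=50696, dport=22)
    on_wire = a1.egress(syn)         # 192.168.10.2 -> 192.168.12.1 on VLAN 701
    delivered = a2.ingress(on_wire)  # 192.168.10.2 -> real_ip
    reply = a2.reply_to(delivered)
    return None if reply is None else a1.ingress_reply(reply)


ARISTA2_LOCAL = ["10.91.0.2", "192.168.100.2"]


def broken_setup() -> Optional[Pkt]:
    # Original config: the VIP is translated to Arista2's own Vlan100 address.
    return run_ssh("192.168.100.2", ARISTA2_LOCAL, ["192.168.10.2/32"])


def working_setup() -> Optional[Pkt]:
    # Final config: the VIP is translated to a host beyond Arista2 (192.168.253.1 in the
    # last post), and Arista2 and that host have a route to the pool IP.
    return run_ssh("192.168.253.1", ARISTA2_LOCAL, ["192.168.10.2/32"])


def missing_route_setup() -> Optional[Pkt]:
    # Correct DNAT target, but nothing behind Arista2 knows how to reach 192.168.10.2.
    return run_ssh("192.168.253.1", ARISTA2_LOCAL, [])


if __name__ == "__main__":
    for name, fn in [("broken", broken_setup), ("working", working_setup), ("no route", missing_route_setup)]:
        print(f"{name:>9}: {fn()}")
```

In the broken case the reply comes back from 192.168.100.2 rather than 192.168.12.1, so Arista1 finds no translation for it and drops it, which is exactly the reply/request mismatch seen in the vlan701 captures; in the working case the reply reaches the Juniper as 192.168.12.1 -> 192.168.254.1. The "no route" case is the other silent failure Alexis asked about: with a correct DNAT target but no route to the pool address, the reply never makes it onto VLAN 701 at all.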
