
NAT on vlans???

NoodsNoods Member Posts: 168
Assume I have a router with an ethernet port connected to a switch. The switch has several vlans and the router has the appropriate configurations to match.

If I wanted to set up a form of NAT on the interface connected to the switch, would I configure it on the ethernet interface, or the sub interfaces?

Comments

    lordylordy Member Posts: 632 ■■■■□□□□□□
    Never done this, but I guess it would only make sense on the subinterfaces as the main interface is just a trunk.

    Regards,
    Lordy
    Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
    Goal for 2014: RHCA
    Goal for 2015: CCDP
    johnnynodoughjohnnynodough Member Posts: 634
    excellent question!

    I dunno. But I would like to find out as well.
    Go Hawks - 7 and 2

    2 games against San Fran coming up, oh yeah baby, why even play? just put them in the win category and call it good :p
    NoodsNoods Member Posts: 168
    I'm going to assume you can do it on either interface, with the advantage of being able to utilize NAT on a particular vlan. Is there any functional difference? I don't have the equipment or the time to test it. I'll post on the Cisco site and let you guys know.

    access01(config)#int ethernet 0.1
    access01(config-subif)#ip ?
    Interface IP configuration subcommands:
      access-group        Specify access control for packets
      accounting          Enable IP accounting on this interface
      address             Set the IP address of an interface
      authentication      authentication subcommands
      bandwidth-percent   Set EIGRP bandwidth limit
      bgp                 BGP interface commands
      broadcast-address   Set the broadcast address of an interface
      cef                 Cisco Express Fowarding interface commands
      cgmp                Enable/disable CGMP
      dhcp                Configure DHCP parameters for this interface
      directed-broadcast  Enable forwarding of directed broadcasts
      dvmrp               DVMRP interface commands
      flow                NetFlow related commands
      hello-interval      Configures IP-EIGRP hello interval
      helper-address      Specify a destination address for UDP broadcasts
      hold-time           Configures IP-EIGRP hold time
      idle-group          Specify interesting packets for idle-timer
      igmp                IGMP interface commands
      information-reply   Enable sending ICMP Information Reply messages
      irdp                ICMP Router Discovery Protocol
      load-sharing        Style of load sharing
      local-proxy-arp     Enable local-proxy ARP
      mask-reply          Enable sending ICMP Mask Reply messages
      mrm                 Configure IP Multicast Routing Monitor tester
      mroute-cache        Enable switching cache for incoming multicast packets
      mtu                 Set IP Maximum Transmission Unit
      multicast           IP multicast interface commands
      nat                 NAT interface commands
      next-hop-self       Configures IP-EIGRP next-hop-self
      nhrp                NHRP interface subcommands
      ospf                OSPF interface commands
      pim                 PIM interface commands
      policy              Enable policy routing
      proxy-arp           Enable proxy ARP
      rarp-server         Enable RARP server for static arp entries
      redirects           Enable sending ICMP Redirect messages
      rgmp                Enable/disable RGMP
      rip                 Router Information Protocol
      route-cache         Enable fast-switching cache for outgoing packets
      rsvp                RSVP Interface Commands
      sap                 Session Announcement Protocol interface commands
      security            DDN IP Security Option
      split-horizon       Perform split horizon
      summary-address     Perform address summarization
      tcp                 TCP header compression and other parameters
      unnumbered          Enable IP processing without an explicit address
      unreachables        Enable sending ICMP Unreachable messages
      urd                 Configure URL Rendezvousing
      verify              Enable per packet validation
      vrf                 VPN Routing/Forwarding parameters on the interface
      wccp                WCCP interface commands
    
    access01(config-subif)#
    
    DrakonblaydeDrakonblayde Member Posts: 542
    You know, that's actually a pretty damned good question. I can't see why it wouldn't work, I'll test it out later today if we get some free time (I've already got a lab setup to practice various BCMSN configs, so pretty easy to go router on a stick and toss in an ACL)
    = Marcus Drakonblayde
    ================
    CCNP-O-Meter:
    =[0%]==[25%]==[50%]==[75%]==[100%]
    ==[X]===[X]====[ ]=====[ ]====[ ]==
    =CCNA==BSCI==BCMSN==BCRAN==CIT=
    garv221garv221 Member Posts: 1,914
    It depends on your hardware... There are some pretty smart devices out there... I have a router moving packets from an ATM, then a smart 4000 series Blade switch handling static routes. That's done by VLANs & NAT Pools. Then each physical connection is trunked.
    keenonkeenon Member Posts: 1,922 ■■■■□□□□□□
    actually it can be done on the regular interface as well
    (config-if)#ip ?
    Interface IP configuration subcommands:
      access-group        Specify access control for packets
      accounting          Enable IP accounting on this interface
      address             Set the IP address of an interface
      authentication      authentication subcommands
      bandwidth-percent   Set EIGRP bandwidth limit
      bgp                 BGP interface commands
      broadcast-address   Set the broadcast address of an interface
      cef                 Cisco Express Fowarding interface commands
      cgmp                Enable/disable CGMP
      dhcp                Configure DHCP parameters for this interface
      directed-broadcast  Enable forwarding of directed broadcasts
      dvmrp               DVMRP interface commands
      hello-interval      Configures IP-EIGRP hello interval
      helper-address      Specify a destination address for UDP broadcasts
      hold-time           Configures IP-EIGRP hold time
      igmp                IGMP interface commands
      irdp                ICMP Router Discovery Protocol
      load-sharing        Style of load sharing
      mask-reply          Enable sending ICMP Mask Reply messages
      mobile              Mobile IP support
      mrm                 Configure IP Multicast Routing Monitor tester
      mroute-cache        Enable switching cache for incoming multicast packets
      mtu                 Set IP Maximum Transmission Unit
      multicast           IP multicast interface commands
      nat                 NAT interface commands
      nbar                Network-Based Application Recognition
      nhrp                NHRP interface subcommands
      ospf                OSPF interface commands
      pgm                 PGM Reliable Transport Protocol
      pim                 PIM interface commands
      policy              Enable policy routing
      probe               Enable HP Probe support
      proxy-arp           Enable proxy ARP
      rarp-server         Enable RARP server for static arp entries
      redirects           Enable sending ICMP Redirect messages
      rgmp                Enable/disable RGMP
      rip                 Router Information Protocol
      route-cache         Enable fast-switching cache for outgoing packets
      router              IP router interface commands
      rsvp                RSVP interface commands
      rtp                 RTP parameters
    Become the stainless steel sharp knife in a drawer full of rusty spoons
    tunerXtunerX Member Posts: 447 ■■■□□□□□□□
    You would configure nat on the interface that needs translation. It can pretty much be any interface that supports IP. If you can do the IP command then you should be able to also do the nat inside or nat outside commands.
    dissolveddissolved Inactive Imported Users Posts: 228
    I've done NAT with VLANs.
    Basically, you use NAT on the physical interface. You then do the access list for each network you want "natted."

    Take my network for example. It is double NAT. I had an internal host I wanted externally accessible (very bad security practice, but I had to practice NAT :D ).

    outside-public IP (68.x.x.x)
    gateway router
    e1-192.168.1.0 0.0.0.3
    |
    |
    outside-192.168.1.0 0.0.0.3
    fwall
    inside-192.168.2.0 0.0.0.3
    |
    |
    e0-192.168.2.0 0.0.0.3
    internal router (inter-vlan routing for vlan 1,2,3)
    e1-192.168.3.0
    |
    |
    8mb 2924xl (3 vlans)
    |
    |
    mail server (192.168.4.2)


    internal router Config:
    int e0/0
    ip nat outside

    int e1/0
    ip nat inside

    Then add your permit nat statements:
    access-list 1 permit 192.168.3.0 0.0.0.255 (vlan 1)
    access-list 1 permit 192.168.4.0 0.0.0.255 (vlan 2)
    access-list 1 permit 192.168.5.0 0.0.0.255 (vlan 3)

    I also have static PAT statements for tcp 25 traffic on my internal router so external traffic can reach it on the inside. It's not as hard as it seems. You just point to the router that knows about your VLANs. It will take care of the rest as long as the VLAN'd host can get out.

    Sorry for rambling
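To put the answers in this thread together in one place, here is a complete router-on-a-stick NAT overload configuration for a trunked interface with three VLAN subinterfaces. It is an added illustration, not any poster's actual config; the interface names, VLAN IDs, addresses and the server host in the static PAT line are constructed for the example.

```text
! Constructed example: router-on-a-stick with NAT overload per VLAN.
! Interface names, VLAN IDs and addresses are assumptions, not from the thread.
!
! Outside interface: the address inside hosts are hidden behind.
interface FastEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Trunk toward the switch. The physical interface carries no IP address once
! it has dot1Q subinterfaces, so "ip nat inside" goes on each subinterface.
interface FastEthernet0/1
 description Trunk to access switch
 no ip address
!
interface FastEthernet0/1.10
 description VLAN 10 - users
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.30
 description VLAN 30 - lab
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! The ACL, not the interface marking, decides which sources get translated.
! One permit per VLAN subnet; anything not listed is routed untranslated.
access-list 1 remark Inside sources eligible for translation
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
! Overload (PAT) every matched source behind the outside interface address.
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static PAT for a single service, as in the post above: only TCP/25 of one
! constructed inside host (192.168.20.25) is reachable from outside.
ip nat inside source static tcp 192.168.20.25 25 interface FastEthernet0/0 25
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check after applying this. First, `show ip nat translations` and `show ip nat statistics` confirm that flows from each VLAN are actually being translated; a VLAN whose subnet is missing from the ACL still leaves the outside interface, just with its private source address intact, so keep the ACL and the set of `ip nat inside` subinterfaces in step. Second, the static PAT line is an exposure decision: it admits unsolicited outside connections to one port of one inside host, so scope it to exactly the host and port that must be reachable and restrict it further with an inbound ACL on the outside interface if the sources are known.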