NAT on vlans???
Noods
Member Posts: 168
in CCNA & CCENT
Assume I have a router with an ethernet port connected to a switch. The switch has several vlans and the router has the appropriate configurations to match.
If I wanted to set up a form of NAT on the interface connected to the switch, would I configure it on the ethernet interface, or the sub interfaces?
Comments
-
lordy Member Posts: 632 ■■■■□□□□□□
Never done this, but I guess it would only make sense on the subinterfaces as the main interface is just a trunk.
Regards,
Lordy
Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
Goal for 2014: RHCA
Goal for 2015: CCDP
-
johnnynodough Member Posts: 634
excellent question!
I dunno. But I would like to find out as well.
Go Hawks - 7 and 2
2 games against San Fran coming up, oh yeah baby, why even play? just put them in the win category and call it good
-
Noods Member Posts: 168
I'm going to assume you can do it on either interface, with the advantage of being able to utilize NAT on a particular vlan. Is there any functional difference? I don't have the equipment or the time to test it. I'll post on the Cisco site and let you guys know.
access01(config)#int ethernet 0.1
access01(config-subif)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
bgp BGP interface commands
broadcast-address Set the broadcast address of an interface
cef Cisco Express Fowarding interface commands
cgmp Enable/disable CGMP
dhcp Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
flow NetFlow related commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
idle-group Specify interesting packets for idle-timer
igmp IGMP interface commands
information-reply Enable sending ICMP Information Reply messages
irdp ICMP Router Discovery Protocol
load-sharing Style of load sharing
local-proxy-arp Enable local-proxy ARP
mask-reply Enable sending ICMP Mask Reply messages
mrm Configure IP Multicast Routing Monitor tester
mroute-cache Enable switching cache for incoming multicast packets
mtu Set IP Maximum Transmission Unit
multicast IP multicast interface commands
nat NAT interface commands
next-hop-self Configures IP-EIGRP next-hop-self
nhrp NHRP interface subcommands
ospf OSPF interface commands
pim PIM interface commands
policy Enable policy routing
proxy-arp Enable proxy ARP
rarp-server Enable RARP server for static arp entries
redirects Enable sending ICMP Redirect messages
rgmp Enable/disable RGMP
rip Router Information Protocol
route-cache Enable fast-switching cache for outgoing packets
rsvp RSVP Interface Commands
sap Session Announcement Protocol interface commands
security DDN IP Security Option
split-horizon Perform split horizon
summary-address Perform address summarization
tcp TCP header compression and other parameters
unnumbered Enable IP processing without an explicit address
unreachables Enable sending ICMP Unreachable messages
urd Configure URL Rendezvousing
verify Enable per packet validation
vrf VPN Routing/Forwarding parameters on the interface
wccp WCCP interface commands
access01(config-subif)#
-
Drakonblayde Member Posts: 542
You know, that's actually a pretty damned good question. I can't see why it wouldn't work, I'll test it out later today if we get some free time (I've already got a lab setup to practice various BCMSN configs, so pretty easy to go router on a stick and toss in an ACL)
= Marcus Drakonblayde
================
CCNP-O-Meter:
=[0%]==[25%]==[50%]==[75%]==[100%]
==[X]===[X]====[ ]=====[ ]====[ ]==
=CCNA==BSCI==BCMSN==BCRAN==CIT=
-
garv221 Member Posts: 1,914
It depends on your hardware... There are some pretty smart devices out there... I have a router moving packets from an ATM, then a smart 4000 series Blade switch handling static routes. That's done by VLANs & NAT Pools. Then each physical connection is trunked.
-
keenon Member Posts: 1,922 ■■■■□□□□□□
actually it can be done on the regular interface as well
(config-if)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
bgp BGP interface commands
broadcast-address Set the broadcast address of an interface
cef Cisco Express Fowarding interface commands
cgmp Enable/disable CGMP
dhcp Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
igmp IGMP interface commands
irdp ICMP Router Discovery Protocol
load-sharing Style of load sharing
mask-reply Enable sending ICMP Mask Reply messages
mobile Mobile IP support
mrm Configure IP Multicast Routing Monitor tester
mroute-cache Enable switching cache for incoming multicast packets
mtu Set IP Maximum Transmission Unit
multicast IP multicast interface commands
nat NAT interface commands
nbar Network-Based Application Recognition
nhrp NHRP interface subcommands
ospf OSPF interface commands
pgm PGM Reliable Transport Protocol
pim PIM interface commands
policy Enable policy routing
probe Enable HP Probe support
proxy-arp Enable proxy ARP
rarp-server Enable RARP server for static arp entries
redirects Enable sending ICMP Redirect messages
rgmp Enable/disable RGMP
rip Router Information Protocol
route-cache Enable fast-switching cache for outgoing packets
router IP router interface commands
rsvp RSVP interface commands
rtp RTP parameters
Become the stainless steel sharp knife in a drawer full of rusty spoons
-
tunerX Member Posts: 447 ■■■□□□□□□□
You would configure nat on the interface that needs translation. It can pretty much be any interface that supports IP. If you can do the IP command then you should be able to also do the nat inside or nat outside commands.
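An added example, not part of any post in this thread: a router-on-a-stick sketch showing NAT enabled per subinterface, so that only selected VLANs are translated. The interface names, VLAN IDs and all addresses are assumptions made up for the illustration.

```cisco
! Constructed example: names, VLAN IDs and addresses are assumptions.
! The trunk's physical interface carries no IP address and no NAT role.
interface FastEthernet0/0
 no ip address
!
! VLAN 10: translated when leaving through the outside interface
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! VLAN 20: translated as well
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
! VLAN 30: routed between VLANs but never translated,
! because it has no "ip nat inside" and is absent from the ACL
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
! Upstream link
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only the networks that should be translated are permitted
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
!
! PAT: translate ACL 1 sources to the outside interface address
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Verify from exec mode:
!   show ip nat translations
!   show ip nat statistics
```

Keeping the inside role and the ACL entry per VLAN makes it explicit which segments can reach the outside through translation; `show ip nat statistics` lists the interfaces currently marked inside and outside.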
-
dissolved Inactive Imported Users Posts: 228
I've done NAT with VLANs.
Basically, you use NAT on the physical interface. You then do the access list for each network you want "natted."
Take my network for example. It is double NAT. I had an internal host I wanted externally accessible (very bad security practice, but I had to practice NAT).
outside-public IP (68.x.x.x)
gateway router
e1-192.168.1.0 0.0.0.3
|
|
outside-192.168.1.0 0.0.0.3
fwall
inside-192.168.2.0 0.0.0.3
|
|
e0-192.168.2.0 0.0.0.3
internal router (inter-vlan routing for vlan 1,2,3)
e1-192.168.3.0
|
|
8mb 2924xl (3 vlans)
|
|
mail server (192.168.4.2)
internal router Config:
int e0/0
ip nat outside
int e1/0
ip nat inside
Then add your permit nat statements:
access-list 1 permit 192.168.3.0 0.0.0.255 (vlan 1)
access-list 1 permit 192.168.4.0 0.0.0.255 (vlan 2)
access-list 1 permit 192.168.5.0 0.0.0.255 (vlan 3)
I also have static PAT statements for tcp 25 traffic on my internal router so external traffic can reach it on the inside. It's not as hard as it seems. You just point to the router that knows about your VLANs. It will take care of the rest as long as the VLAN'd host can get out.
Sorry for rambling