
(There was a previous question that resolved the VLAN issue.)

I have a section of topology where a 2911 is acting as an internal NAT router. (We don't have enough private IP addresses to give to all our lab servers and networking equipment. So we have our own reserved addresses that aren't routable across the corporate network).

The 2911 is using one private IP address to NAT the lab IP addresses:

!
interface GigabitEthernet0/0
 ip address 192.16.25.94 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.16.25.1
!
access-list 1 permit any
!
!
!
control-plane
!

I have 16 Nexus switches, but I'm showing one as a sample here. (If I can get this one going, the rest should be easy.)

vlan 1,100,102-103,200
vrf context management
interface Vlan1
interface Vlan100
  no shutdown
  ip address 10.0.0.22/24
interface Vlan200
  no shutdown
  ip address 10.1.0.22/24
interface Ethernet1/1
  switchport access vlan 200
interface Ethernet1/40
  switchport access vlan 100
interface Ethernet1/48
  switchport mode trunk
interface Ethernet1/49
  switchport access vlan 200
interface Ethernet1/50
  switchport access vlan 200

While a Nexus can ping the default GW of each VLAN, it can't ping anything outside of the 2911 network.

PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=254 time=0.765 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=254 time=0.571 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=254 time=0.547 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=254 time=0.54 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=254 time=0.534 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.534/0.591/0.765 ms

2# ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1): 56 data bytes
64 bytes from 10.1.0.1: icmp_seq=0 ttl=254 time=0.785 ms
64 bytes from 10.1.0.1: icmp_seq=1 ttl=254 time=0.565 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=254 time=0.557 ms
64 bytes from 10.1.0.1: icmp_seq=3 ttl=254 time=0.532 ms
64 bytes from 10.1.0.1: icmp_seq=4 ttl=254 time=0.538 ms

--- 10.1.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.532/0.595/0.785 ms

2# ping 192.16.25.1
PING 192.16.25.1 (192.16.25.1): 56 data bytes
ping: sendto 192.16.25.1 64 chars, No route to host

What am I missing to make NAT and routing work? Also, is this just the Nexus management plane? Can hosts connected to the Nexus already talk to the outside?

The 2911 can ping anything, by the way.

[Update]

C(config)# vrf context management
C(config-vrf)# ip route 0.0.0.0/0 10.1.0.1
(same result with 10.0.0.1)
C(config-vrf)# ping 192.16.25.94
PING 192.16.25.94 (192.16.25.94): 56 data bytes
ping: sendto 192.16.25.94 64 chars, No route to host
Request 0 timed out
ping: sendto 192.16.25.94 64 chars, No route to host

  • You should create a loopback for a test. Assign an address to it, set it up as an inside interface, and ping using it as a source. Commented Feb 19, 2016 at 0:10
  • You mean on the 2911? I can ping anything using gig 0/2.100 or 0/2.200 as a source. Is that what you mean? Commented Feb 19, 2016 at 0:13
  • OK. I was just wanting to test to make sure that the NAT is functioning, and that works. What is the Nexus configuration for the default gateway? Commented Feb 19, 2016 at 0:14
  • That, sir, is the question of the hour. Nexus doesn't seem to have "ip default-gateway" like Catalyst, and I'm reading up on VRF management without luck. For now, I need the Nexus to act dumb and just be simple like a Catalyst. No L3/VRF/CEF or vPC. Commented Feb 19, 2016 at 0:26
  • It was pretty easy to find: supportforums.cisco.com/discussion/11282626/… Commented Feb 19, 2016 at 0:32

2 Answers


C(config)# vrf context management

C(config-vrf)# ip route 0.0.0.0/0 10.1.0.1

The issue appears to be that you've configured the default route in the management VRF, but you're pinging from outside of the management VRF. Therefore, your pings are failing.

If you want to set up a default route for VLANs 100 and 200, you'll need to configure the default route in the main routing table, e.g.:

C(config)# ip route 0.0.0.0/0 10.1.0.1

Note how I did not specify the management VRF before issuing the above command.


https://supportforums.cisco.com/discussion/12918911/nexus-default-gateway

NAT generally doesn't like "any" as the source IP addresses.

Try modifying any to 10.0.0.0 0.0.1.255.

I tend to use extended ACLs with any as the destination IP addresses, which NAT is fine with, but then you would need to update your NAT statement as well.

By the way, are you happy with setting up the management port or do you want to try the SVI? It may not make a difference but I have seen it not work many times with that.

For your Nexus switches, can you pick one of the SVIs on the Nexus and shut the other down? Then:

int vlan <x>
 management
ip route 0.0.0.0/0 vlan <x> <router subinterface IP for vlan x>

Don't put the default route in the management VRF.

I'm not sure whether technically this makes it L3 from a Nexus perspective, but as long as the client's default gateways are the router subinterface IP addresses, it shouldn't matter.

Like I say, I have not used Nexus, so it may not help, but it's worth a try.
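Added example (my own code, not from the question or either answer): a small Python audit of the 2911 configuration posted in the question. It lists the subnets behind the "ip nat inside" interfaces, proposes one ACL entry per inside subnet when the NAT source list is a bare "permit any", and includes a wildcard-mask coverage check so a proposed entry can be verified against each inside subnet before it goes on the router. The config string is constructed from the question's own config; the function names are mine.

```python
import ipaddress
import re
# Constructed sample: the NAT-relevant lines of the 2911 config posted in the question.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/2.100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2.200
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit any
"""

def inside_subnets(config):
    """Subnets of every interface marked 'ip nat inside', in config order."""
    subnets, net = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            net = None  # a new interface block; forget the previous address
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        if line.strip() == "ip nat inside" and net is not None:
            subnets.append(net)
    return subnets

def nat_source_acl(config):
    """(ACL name, its entries) for the 'ip nat inside source list' statement."""
    acl = re.search(r"^ip nat inside source list (\S+)", config, re.M).group(1)
    return acl, re.findall(rf"^access-list {acl} (.+)$", config, re.M)

def narrowed_acl(config):
    """If the NAT source list is only 'permit any', propose one entry per inside subnet."""
    acl, entries = nat_source_acl(config)
    if entries != ["permit any"]:
        return []  # already scoped to specific sources; nothing to propose
    return [f"access-list {acl} permit {n.network_address} {n.hostmask}"
            for n in inside_subnets(config)]

def wildcard_covers(network, wildcard, subnet):
    """True if every address in subnet matches the IOS 'network wildcard' entry."""
    must_match = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are ignored
    sub = ipaddress.ip_network(subnet)
    host_bits = ~int(sub.netmask) & 0xFFFFFFFF
    if must_match & host_bits:
        return False  # the entry pins a bit that varies within the subnet
    return (int(sub.network_address) & must_match) == (int(ipaddress.ip_address(network)) & must_match)
```

Run wildcard_covers against every subnet returned by inside_subnets for each proposed entry; any subnet no entry covers will not be translated.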