VLAN based NAT with ArubaOS

Community Manager

Back to the future with this Airheads Online article from July 2007.

With ArubaOS 3.x there is a new way to configure NAT. Instead of creating NAT firewall policies, you now have a second option of designating an entire VLAN as NAT'ed. Here is a sample config:

interface vlan 1
        ip address 66.1.131.5 255.255.255.0
interface vlan 2
        ip address 99.1.1.1 255.255.255.0
interface vlan 5
        ip address 192.168.1.1 255.255.255.0
        ip nat inside
ip default-gateway 66.1.131.1
ip route 100.0.0.0 255.0.0.0 99.1.1.2

Traffic going to the default gateway would be NAT'ed as 66.1.131.5, while traffic destined for 100.0.0.0/8 would be NAT'ed as 99.1.1.1. The controller does this by automagically determining the src-NAT address: it pulls the address from the egress VLAN. In other words, you only specify "ip nat inside" on the inside VLAN; the outside interface is then learned automatically from the route table.


To go into detail on each line of the config:

interface vlan 5
        ip address 192.168.1.1 255.255.255.0
        ip nat inside

This set you can think of as the client-side addresses. Because you have "ip nat inside" here, the controller source NATs the clients coming from this subnet.

interface vlan 1
        ip address 66.1.131.5 255.255.255.0
ip default-gateway 66.1.131.1

This set defines an IP address on VLAN 1 and a default route for the controller. Without any NAT, all traffic would by default leave the controller via VLAN 1 and be passed on towards 66.1.131.1. However, because you have "ip nat inside" on VLAN 5, all traffic from 192.168.1.0/24 that hits the default route will be source NAT'ed to the IP address of this VLAN, i.e. 66.1.131.5. In short, this set means that by default your inside subnet will be NAT'ed to the address of VLAN 1 and then routed to the default gateway.

interface vlan 2
        ip address 99.1.1.1 255.255.255.0
ip route 100.0.0.0 255.0.0.0 99.1.1.2

This set tells the controller that there is in fact another subnet in the network, and that to reach the 100/8 subnet you need to route via 99.1.1.2. So the 100/8 subnet is the only exception to the default route, and without NAT, traffic destined for 100/8 will be routed via 99.1.1.2. With NAT, since traffic from VLAN 5 is source NAT'ed to the address of the egress VLAN, those users will be NAT'ed to 99.1.1.1.

So when you put it all together, 192.168.1/24 users will be NAT'ed to 66.1.131.5 and routed via 66.1.131.1, unless the destination address is in the 100/8 subnet, in which case they will be NAT'ed to 99.1.1.1 and routed via 99.1.1.2.
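As an added example (not part of the original article, and not Aruba's own code), here is a small Python model of the decision just described. It parses the sample config into VLAN interfaces and a route table, does a longest-prefix route lookup for the destination, finds the egress VLAN as the one whose connected subnet contains the next hop, and rewrites the source address to that VLAN's address only when the ingress VLAN carries "ip nat inside". It goes slightly beyond the article in that it handles any number of VLANs and static routes, leaves traffic from VLANs without "ip nat inside" untranslated, and refuses to pick a NAT address when a route's next hop is not on any connected VLAN. The client and destination addresses in the usage section are constructed sample values.

```python
import ipaddress

# Constructed sample input: the ArubaOS-style config shown in the article.
SAMPLE_CONFIG = """\
interface vlan 1
        ip address 66.1.131.5 255.255.255.0
interface vlan 2
        ip address 99.1.1.1 255.255.255.0
interface vlan 5
        ip address 192.168.1.1 255.255.255.0
        ip nat inside
ip default-gateway 66.1.131.1
ip route 100.0.0.0 255.0.0.0 99.1.1.2
"""


def parse_config(text):
    """Parse the handful of statements used in the article.

    Returns (vlans, routes): vlans maps a VLAN id to
    {"iface": IPv4Interface, "nat_inside": bool}; routes is a list of
    (IPv4Network, next-hop IPv4Address). The default gateway is stored as a
    0.0.0.0/0 route so the lookup treats it like any other prefix.
    """
    vlans, routes, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["interface", "vlan"]:
            current = int(parts[2])
            vlans[current] = {"iface": None, "nat_inside": False}
        elif parts[:2] == ["ip", "address"] and current is not None:
            # "ip address A.B.C.D MASK" -> interface address with a dotted mask
            vlans[current]["iface"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts == ["ip", "nat", "inside"] and current is not None:
            vlans[current]["nat_inside"] = True
        elif parts[:2] == ["ip", "default-gateway"]:
            routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(parts[2])))
            current = None
        elif parts[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, ipaddress.ip_address(parts[4])))
            current = None
        else:
            raise ValueError(f"unsupported config line: {raw.strip()}")
    return vlans, routes


def connected_vlan(vlans, addr):
    """Return the id of the VLAN whose directly connected subnet contains addr, else None."""
    for vid, v in vlans.items():
        if v["iface"] is not None and addr in v["iface"].network:
            return vid
    return None


def lookup_route(routes, dst):
    """Longest-prefix match: the most specific route wins, the default route last."""
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(vlans, routes, src, dst):
    """Model the controller's decision for one packet.

    Returns (source address after NAT, next hop, egress VLAN id). The source is
    rewritten only when the ingress VLAN carries "ip nat inside"; the new source
    is the address of the egress VLAN, which is found from the route lookup.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    next_hop = lookup_route(routes, dst)
    if next_hop is None:
        raise LookupError(f"no route to {dst}")
    out_vid = connected_vlan(vlans, next_hop)
    if out_vid is None:
        # A next hop that is not on any VLAN subnet gives the controller no
        # address to NAT to, so flag the misconfiguration instead of guessing.
        raise LookupError(f"next hop {next_hop} is not on a connected VLAN")
    in_vid = connected_vlan(vlans, src)
    if in_vid is not None and vlans[in_vid]["nat_inside"]:
        return str(vlans[out_vid]["iface"].ip), str(next_hop), out_vid
    return str(src), str(next_hop), out_vid


if __name__ == "__main__":
    vlans, routes = parse_config(SAMPLE_CONFIG)
    # Constructed client and destination addresses, chosen to exercise both routes.
    for src, dst in [("192.168.1.50", "203.0.113.10"),   # default route -> VLAN 1
                     ("192.168.1.50", "100.20.30.40"),   # 100/8 route -> VLAN 2
                     ("99.1.1.7", "203.0.113.10")]:      # VLAN 2 has no "ip nat inside"
        nat_src, nh, vid = forward(vlans, routes, src, dst)
        print(f"{src} -> {dst}: sent from {nat_src} via {nh} on vlan {vid}")
```

The useful check this gives you is the third case: a host on VLAN 2 is routed out of VLAN 1 but keeps its own address, because only VLAN 5 was marked "ip nat inside". The LookupError branch is the model's answer to a route whose next hop is not reachable through any configured VLAN: there is no egress VLAN address to NAT to, so such a route should be treated as a configuration error rather than something the controller can resolve.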

This method is quite simple and powerful, but if you want more control over exactly how the controller performs NAT, then you cannot beat configuring NAT using ACLs with the PEF license, which gives you ultimate configurability and control over the traffic.

Last update: 02-06-2012 04:36 PM