Controller Based WLANs

How can I source NAT all VLAN traffic without using access lists?

Product and Software: This article applies to ArubaOS 3.1 and later.

Traditionally ArubaOS has used access lists to NAT user traffic. ArubaOS 3.x includes another command that can be used to NAT all traffic of a VLAN. The "ip nat inside" command marks a VLAN as an inside VLAN, which indicates that traffic from this VLAN should be NATed when it crosses the VLAN boundary.

For example, there are three VLANs: VLANs A, B, and C. VLAN A has been configured as an "inside VLAN". When traffic from VLAN A exits the switch via VLAN B, the traffic is NATed with the VLAN B IP address. Similarly, if VLAN A traffic is routed out of the VLAN C interface, it is NATed with the VLAN C IP address.

Configuration Example

From CLI:

(wlsw2h) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(wlsw2h) (config) #interface vlan 20

(wlsw2h) (config-subif)#ip nat inside

From WebUI:

Navigate to Configuration > Network > IP > Edit VLAN and check the "Enable Source NAT for this VLAN" option.

[Screenshot: edit_VLAN.jpg]

Snippet from the Configuration File

interface vlan 20
ip address 172.16.20.254 255.255.255.0
ip nat inside

On the switch shown above, other IP interfaces are as follows:

(wlsw2h) #show ip interface brief

Interface   IP Address / IP Netmask          Admin   Protocol
vlan 1      unassigned / unassigned          up      down
vlan 200    172.30.45.200 / 255.255.255.0    up      up
vlan 20     172.16.20.254 / 255.255.255.0    up      up
vlan 30     192.168.30.254 / 255.255.255.0   up      up
loopback    172.16.20.1 / 255.255.255.255    up      up

Traffic from a host on VLAN 20 destined for a host on VLAN 200 will be source NATed with the VLAN 200 address, that is, 172.30.45.200.

This can be verified from the datapath session table.

Datapath session table for host 172.16.20.199 on VLAN 20 accessing host 172.30.45.49 on VLAN 200:

(wlsw2h) #show datapath session table 172.30.45.49

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.30.45.49    172.30.45.200   6    80    62240 0    0    0   1   tunnel 3    2    FN
172.30.45.49    172.30.45.200   6    80    62237 0    0    0   1   tunnel 3    2    FN
172.30.45.49    172.30.45.200   6    80    62236 0    0    0   1   tunnel 3    3    FN
172.30.45.49    172.30.45.200   6    80    62239 0    0    0   1   tunnel 3    2    FN
172.16.20.199   172.30.45.49    6    62236 80    0    0    0   0   tunnel 3    2    FSC
172.16.20.199   172.30.45.49    6    62237 80    0    0    0   0   tunnel 3    2    FSC
172.16.20.199   172.30.45.49    6    62239 80    0    0    0   0   tunnel 3    2    FSC
172.16.20.199   172.30.45.49    6    62240 80    0    0    0   0   tunnel 3    2    FSC

This example shows that traffic from 172.16.20.199 to 172.30.45.49 goes through a source NAT, indicated by the "S" flag. Host 172.30.45.49 receives the HTTP request with a source IP of 172.30.45.200, the address of the outgoing VLAN (VLAN 200), and replies to that same address. Traffic from host 172.30.45.49 to 172.30.45.200 goes through a destination NAT, indicated by the "N" flag, to complete the session.
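The verification above can be automated when checking that an inside VLAN is actually being translated. The following script is an added example, not part of the original article or of ArubaOS: it parses the "show datapath session table" rows (a constructed sample taken from the table above), pairs each S-flagged outbound flow with its N-flagged reply, and lists any flow sourced from the inside VLAN that carries no S flag, which would mean the VLAN was not marked "ip nat inside" or the flow left by a path that did not translate it. The function and variable names are this example's own.

```python
"""Parse ArubaOS 'show datapath session table' output and pair each source-NATed
outbound flow (flag S) with its destination-NATed return flow (flag N)."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample: header plus four of the rows shown in this article.
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.30.45.49 172.30.45.200 6 80 62240 0 0 0 1 tunnel 3 2 FN
172.30.45.49 172.30.45.200 6 80 62237 0 0 0 1 tunnel 3 2 FN
172.16.20.199 172.30.45.49 6 62237 80 0 0 0 0 tunnel 3 2 FSC
172.16.20.199 172.30.45.49 6 62240 80 0 0 0 0 tunnel 3 2 FSC
"""

Session = namedtuple("Session", "src dst proto sport dport flags")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_sessions(text):
    """Return a Session per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # 'Destination' is two tokens ("tunnel 3"), so a data row has 13 fields; flags are last.
        if len(f) < 13 or not _IPV4.match(f[0]):
            continue
        rows.append(Session(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), f[-1]))
    return rows

def nat_pairs(sessions, inside_host, outside_addr):
    """Match each S-flagged flow from inside_host with the N-flagged reply sent to
    outside_addr for the same peer and port; returns (pairs, unmatched_outbound)."""
    replies = {(s.src, s.dport): s for s in sessions
               if "N" in s.flags and s.dst == outside_addr}
    pairs, unmatched = [], []
    for o in (s for s in sessions if "S" in s.flags and s.src == inside_host):
        r = replies.get((o.dst, o.sport))
        (pairs if r else unmatched).append((o, r) if r else o)
    return pairs, unmatched

def unnatted_inside_flows(sessions, inside_net):
    """Flows sourced from the inside VLAN that carry no S flag: the VLAN is not marked
    'ip nat inside' or the flow left by a path that did not translate it."""
    net = ipaddress.ip_network(inside_net)
    return [s for s in sessions if ipaddress.ip_address(s.src) in net and "S" not in s.flags]

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    print(nat_pairs(sess, "172.16.20.199", "172.30.45.200"), unnatted_inside_flows(sess, "172.16.20.0/24"))
```

An empty unmatched list together with an empty un-NATed list confirms that every inside flow in the captured table was translated and its reply came back to the outgoing VLAN address.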

Version History
Revision #: 1 of 1
Last update: 07-06-2014 10:09 PM