Which NAT takes prescedence, one on the VLAN or the user role?

Aruba Employee
Aruba Employee
Question We can have source natting enabled on the Aruba in two ways.
1. Nat on the vlan
2. Nat in the user role.
which one of these will take precedence i both are configured.
Environment Aruba controller with multiple Vlan configured.


We can have NAT enabled in two ways on Aruba controller:

1. On the Vlan

# config t
# int vlan 3
# ip nat inside

2. On a user role

# ip nat pool internal

# ip access-list session natted-acl
# any any any src-nat pool internal

# user-role natted-role
# access-list natted-acl

Our test setup is as given below:

Vlan 1 =====> /24
Vlan 2 =====> /24
Vlan 3 =====> /24

A user in Vlan 3 is pinging a server in vlan 1

It is falling in user role natted-role. Now, since it is falling in that role, it should be natted by ACL natted-acl to

However, since is it inside the Vlan 2, it should be natted to as per IP nat Inside.

Here we see that the user-role takes precedence. Thus the packet will go out of the contoroller with source IP

Version history
Revision #:
1 of 1
Last update:
‎07-08-2014 12:10 PM
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: