Configuring NAT VLANs with Same IP Subnets on Cisco

Tags: cisco, nat, vlan, vrf

I have a VMware environment in which VMs are running a simulation suite. The software used has hardcoded IP addresses, about 10-15 VMs, and we are running multiple instances of this software each in different distributed port groups. So SIM1 VM set has 192.168.1.0/24 in VLAN10 and SIM2 has 192.168.1.0/24 in VLAN20, etc…

This works fine, there is no need for SIM1 VMs to talk to SIM2 VMs and so on. A new requirement has popped up and I now need to be able to remotely monitor progress, manage, and share data from a physical set of machines. The management PCs will live in VLAN200 connected to a catalyst cisco switch.

I have 4x10gbe uplinks on the distributed switch. I was going to run those to some Cisco 10gbe router (I want to keep 10gbe connectivity to the VMs, not sure exactly which model would do this) and use VRF on subinterfaces for each VLAN, using that interface as the gateway and static NATing each virtual machine. So SIM1 machine1 has IP 192.168.1.2, which would NAT publicly to 10.0.10.2. The 4th octet would match the private VM IP and the 3rd octet would match the VLAN. So SIM2 machine1 (192.168.1.2) would NAT to 10.0.20.2. The management side could also be a subinterface on a different port and live in global or a shared VRF. To manage SIM2 machine1 I should be able to use 10.0.20.2, if shared routes between the VRFs and NAT were working.

I started trying to build something similar up in GNS3 and quickly got overwhelmed. So I want to make sure my design is sane, or find out whether there is another, saner way of dealing with the problem. Or any tips or pointers on how to accomplish this?

Thanks!

Edit: Added a diagram:

[Diagram: NAT Diagram]

The idea would be that SIM1-S1 would NAT to 10.0.10.2, SIM1-S2 would NAT to 10.0.10.3, etc… SIM2-S1 would NAT to 10.0.20.2, SIM2-S2 would NAT to 10.0.20.3, etc…

Best Answer

With a bit of VRF-lite and VRF-aware NAT and the help of the Cat-3850's routing capability, here are some config snippets that should work, or at least get you halfway there - all based on the diagram you showed.

A few caveats:

  • This example assumes that the Cat-3850 may act as L3 switch and that it can route at least between directly attached subnets/vlans.
  • Cisco IOS and IOS-XE have some slight differences w/regards to NAT, especially when it comes to NATting from one VRF to another, some licensing questions may arise. I don't think that this hurts us here, though.
  • This is freehandedly composed "pseudo code", it might not be fully copy&pasteable, but it should get you towards a solution.
  • Separation of SIM environments is not being enforced; one environment can "talk" to the NAT addresses of the other(s). If that is an issue, don't set the default route in each VRF (just a static route for the management system or its subnet), or use ZBFW on the ASR-1001.

Let's start with R1 and set up the interfaces

interface fastEthernet0/0
 desc * Vmware-dSwitch *
 no ip address

interface FastEthernet0/1
 desc * Cisco-3850 Port 1* 
 no ip address

Then, you'll have to repeat the following for each SIM or sub-environment. Note that the example uses the same VLAN tag on both sides of R1. They may be different, to match the VMware environment on one side and the LAN environment on the other side.

!
! Start of per VRF or per SIMn section
!
! replace VRF names, dot1q tags, interface names as appropriate

vrf definition VRF-SIM1
 address-family ipv4
 exit-address-family

interface fast0/0.10
 description * SIM1 inside subinterface *
 vrf forwarding VRF-SIM1
 encapsulation dot1q 10
 ip address 192.168.1.254 255.255.255.0
 ip nat inside

interface fast0/1.10
 description * SIM1 outside subinterface *
 vrf forwarding VRF-SIM1
 encapsulation dot1q 10
 ip address 10.0.10.1 255.255.255.0
! ip nat inside           <--- dear me! how could I copy&waste that one! (edited after comment)
 ip nat outside

ip nat inside source static 192.168.1.2 10.0.10.2 vrf VRF-SIM1
ip nat inside source static 192.168.1.3 10.0.10.3 vrf VRF-SIM1
ip nat inside source static 192.168.1.4 10.0.10.4 vrf VRF-SIM1

ip route vrf VRF-SIM1 0.0.0.0 0.0.0.0 fast0/1.10 10.0.10.254

!
! End of per VRF or per SIMn section
!

Please note: the NAT part might need some tweaking here, but since inside and outside interfaces are in the same VRF, I don't think there's any more config magic needed.

Then, on the Cat3850, you'll need a set of VLANs and SVIs (interface vlan) to match the "right" side of R1:

vlan 10 
 name SIM1-TRANSIT

vlan 20
 name SIM2-TRANSIT

vlan 30
 name SIM3-TRANSIT

int g1/0/1
 desc * R1 fast0/1 *
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk

interface vlan 10
 desc * transit subnet to SIM1 *  
 ip address 10.0.10.254 255.255.255.0

interface vlan 20
 desc * transit subnet to SIM2 *  
 ip address 10.0.20.254 255.255.255.0

interface vlan 30
 desc * transit subnet to SIM3 *  
 ip address 10.0.30.254 255.255.255.0
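As an added illustration (not part of the answer above), the script below generates the per-VRF R1 section for any number of SIMs using the question's 10.0.&lt;vlan&gt;.&lt;host&gt; translation scheme, refuses VLAN ids that cannot be encoded in the third octet or that would make two VRFs claim the same outside block, and implements the separation caveat by optionally replacing the default route with a route to the management subnet only. The management subnet 10.0.200.0/24 is an assumption; the question only names VLAN200.

```python
import ipaddress

# Constructed values: the management subnet is an assumption (the question names only
# VLAN200); the .254 gateways and fast0/x naming follow the answer's snippets.
MGMT_SUBNET = ipaddress.ip_network("10.0.200.0/24")
SIM_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # reused by every SIM

def outside_address(vlan, inside_ip):
    """10.0.<vlan>.<host>: third octet = VLAN id, fourth = inside host octet."""
    if not 1 <= vlan <= 255:
        raise ValueError(f"VLAN {vlan} does not fit the third octet")
    if ipaddress.ip_address(inside_ip) not in SIM_SUBNET:
        raise ValueError(f"{inside_ip} is not in {SIM_SUBNET}")
    return f"10.0.{vlan}.{inside_ip.rsplit('.', 1)[1]}"

def per_sim_section(sim, vlan, inside_hosts, isolate=False):
    """Per-VRF R1 block for one SIM; isolate=True swaps the default route for a
    management-subnet-only route so SIMs cannot reach each other's NAT addresses."""
    vrf = f"VRF-SIM{sim}"
    lines = [f"vrf definition {vrf}", " address-family ipv4", " exit-address-family",
             f"interface fast0/0.{vlan}", f" description * SIM{sim} inside subinterface *",
             f" vrf forwarding {vrf}", f" encapsulation dot1q {vlan}",
             " ip address 192.168.1.254 255.255.255.0", " ip nat inside",
             f"interface fast0/1.{vlan}", f" description * SIM{sim} outside subinterface *",
             f" vrf forwarding {vrf}", f" encapsulation dot1q {vlan}",
             f" ip address 10.0.{vlan}.1 255.255.255.0", " ip nat outside"]
    for ip in inside_hosts:
        lines.append(f"ip nat inside source static {ip} {outside_address(vlan, ip)} vrf {vrf}")
    dest = f"{MGMT_SUBNET.network_address} {MGMT_SUBNET.netmask}" if isolate else "0.0.0.0 0.0.0.0"
    lines.append(f"ip route vrf {vrf} {dest} fast0/1.{vlan} 10.0.{vlan}.254")
    return lines

def build_r1(sims, isolate=False):
    """sims: iterable of (sim_number, vlan, [inside ips]). A reused VLAN would make two
    VRFs claim the same 10.0.<vlan>.0/24 outside block, so it is rejected."""
    seen, out = {}, []
    for sim, vlan, hosts in sims:
        if vlan in seen:
            raise ValueError(f"VLAN {vlan} already used by SIM{seen[vlan]}")
        seen[vlan] = sim
        out.extend(per_sim_section(sim, vlan, hosts, isolate))
    return out

if __name__ == "__main__":
    print("\n".join(build_r1([(1, 10, ["192.168.1.2", "192.168.1.3"]),
                              (2, 20, ["192.168.1.2"])], isolate=True)))
```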