I want to do something very similar to NAT VLans with same IP sub-nets
but it is dissimilar enough that I don't know how to apply it to my application.
I did find NAT Overlapping but it places individual PCs with the same IP connected to their own routers. If I applied that topology to my application, I would need a router for each pair (at least 6 routers) plus a switch on each router (at least 5 switches). Maybe it could be done with L3 switches but that is still too much hardware to be practical for my application. The "ip nat outside source list" may provide the answer but I need to study the documentation.
This is a test and development lab application where the requirement is to concurrently run multiple identical pairs of devices on the network. In my application, I have up to 10 pairs of devices. Each of the devices within a pair has a different IP address. Each pair has the same IP addresses as the next pair. All of the IP addresses fit within a /24 subnet.
From the LAN, I want to be able to address each device from the outside as if it has a unique IP address. All of the outside addresses must be within the same sub-net /24. There is no requirement for one pair of devices to communicate with any other pair of devices. Each device only needs to be visible from the LAN.
I purchased a Cisco router and L2 switch to configure as a router on a stick. In principle I want to setup VLans and NAT the outside IP addresses to the related inside device. From the outside, it would look like each individual device has a unique IP address. This is illustrated in the diagram. All my reading tells me that the router will object because the VLans would share the same sub-nets.
How can I achieve the requirement? Can I NAT the external IP addresses in the router table to the respective VLans? Is there a way of getting past the problem of VLans sharing a subnet?
Best Answer
NAT happens on a device that can perform NAT, e.g. a router (even layer-3 switches cannot NAT, except for something like the 65xx series). The outside and inside addressing is placed on different interfaces of the NAT device. You will need to either put in a router on each VLAN between the router and hosts, or it may be that your hosts can themselves NAT between a physical and virtual interface, but that is off-topic here (you could try to ask about that on Server Fault).
The bigger problem is the VLAN addressing. Your router will need each interface (VLAN) to be in a different network. You cannot configure the router with the same or overlapping networks on different interfaces. Also, you are trying to use base 10 address separation of VLAN addresses in an inherently binary number (IP address), and that doesn't work well. That means that the shortest prefix for each VLAN with addressing like you have is
/29, giving you eight (six usable) host addresses. A network of/28would be 16 (14 usable) host addresses, which is longer than the separation of 10 that you have, leading to overlapping networks on your VLANs.Using
/31addressing would work, and it can be configured on a Cisco router, but some host OSes, e.g. Windows, do not support it. It would look like this:172.30.21.100/31, which is172.30.21.100to172.30.21.101172.30.21.110/31, which is172.30.21.110to172.30.21.111172.30.21.120/31, which is172.30.21.120to172.30.21.121172.30.21.130/31, which is172.30.21.130to172.30.21.131Using
/30addressing has some problems with your chosen VLAN addresses:172.30.21.100/30, which is172.30.21.100to172.30.21.103, but172.30.21.100is the network address, unusable as a host address172.30.21.108/30, which is172.30.21.108to172.30.21.111, but172.30.21.111is the broadcast address, unusable as a host address172.30.21.120/30, which is172.30.21.120to172.30.21.123, but172.30.21.120is the network address, unusable as a host address172.30.21.128/30, which is172.30.21.128to172.30.21.131, but172.30.21.131is the network address, unusable as a host addressUsing
/29addressing has a couple of problems.172.30.21.100/29, which is172.30.21.96to172.30.21.103172.30.21.104/29, which is172.30.21.104to172.30.21.111, but172.30.21.111is the broadcast address, unusable as a host address172.30.21.120/29, which is172.30.21.120to172.30.21.127, but172.30.21.120is the network address, unusable as a host address172.30.21.128/29, which is172.30.21.128to172.30.21.135If you can adjust the VLAN addressing on your router to something else, and your hosts can NAT internally, then you could do this without placing NAT devices on the VLANs, otherwise you need to NAT on each VLAN, requiring a NAT device for each VLAN.