Meraki

Community

15.4 Beta No-Nat Mode

benny
Getting noticed
‎Mar 16 2018 12:38 AM
‎Mar 16 2018 12:38 AM

15.4 Beta No-Nat Mode

Hi All,

 

Has anyone successfully been able to get No-Nat mode working for a particular VLAN?

 

I have a branch MX64 sitting behind a single MPLS link. The WAN interface has a /30 provided by our MPLS provider. Our provider is routing a private /24 down to the MX and the private /24 is setup as a VLAN on the MX. 

 

I am unable to send any traffic directly to a host sitting on the private /24 and I have confirmed the private /24 is routed as I swapped the MX over with a traditional Cisco ISR which worked. 

 

It seems the default route for the VLAN is still showing the next hop as the MX's IP address. Shouldn't this be the providers address within the /30? 

 

Thanks,

Ben

0 Kudos
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 16 2018 12:39 AM
‎Mar 16 2018 12:39 AM

What you might want to do is move that MPLS circuit to a VLAN on the inside of the MX, and plug an Internet circuit into one of the WAN ports.

 

Then you get your NO-NAT implicitly, and local Internet break out.

 

 

ps. Either with or without NAT, the default route for internal machines should be pointing to the MX IP address, and not the MPLS providers IP address.

0 Kudos
In response to PhilipDAth
benny
Getting noticed
‎Mar 16 2018 12:50 AM
‎Mar 16 2018 12:50 AM

 

Hi Philip,

 

The site only has a single MPLS link. I'm trying to eliminate having a L3 switch or router sitting between our provider edge and our MX64. It seems 15.4 is getting close at providing that. 

 

Yep agree, hosts sitting on the VLAN have the MX as the default route. Its the network route within the MX that shouldn't be pointing to the MX's LAN IP. 

 

IE

I'm dealing with vlan 15 which is 10.97.160.0/24.  Our MPLS provider is routing this down the MX's /30 address. What I want is for this vlan 15 not to be nat'd through the MX's LAN / WAN address. 

 

Currently the MX has the route listed as

10.97.160.0/24 >next hop> 10.97.160.1

 

I would have thought to remove NAT it should be

10.97.160.0/24 >next hop> 172.16.1.2 (Provider Edge within the /30)

 

Isn't this the point of 15.4 Beta and No-Nat mode?

 

0 Kudos
In response to benny
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 16 2018 12:53 AM
‎Mar 16 2018 12:53 AM

That routing is correct.

Also note I think no-nat mode is a beta feature and you will need to open a case with support to get it enabled in the dashboard.
0 Kudos
In response to PhilipDAth
benny
Getting noticed
‎Mar 16 2018 12:55 AM
‎Mar 16 2018 12:55 AM

Yes, it is a beta feature that I'm testing and I do currently have a open case with support. 

 

I thought I'd drop a line in the community here to see if anyone else in my situation has been able to get No-Nat mode working.

 

Thanks for your help though! 

 

 

0 Kudos
In response to benny
Uberseehandel
Kind of a big deal
‎Mar 16 2018 6:22 AM
‎Mar 16 2018 6:22 AM

@benny

 

I'm very interested in what you are doing. I have had 15.4 installed and am waiting to check I can get something else to function before testing the NO-NAT option.

 

In the course of doing the research for getting the the other requirement configured on another gateway device, it has become apparent that I can selectively enable/disable NAT on a LAN port basis.

 

So, which is preferred

 

Scenario 1 - 

  

Let the MX do all its own NATting, and have the uplink to the BrandX device passed through
to the internet

Scenario 2 -

 

Activate NO-NAT on the MX and let the BrandX device do all the NATting

The network attached to the brand X device will be used to handle all the doubtful devices (IoT), Chromecast, smart monitors, Bonjour and the isolated guest WiFi.

 

The MX will handle the secure wired and wireless workstations and devices along with the VoIP system, when available. All servers are Cloud located. 

 

BrandX has its limitations but it does have an approach to handling this stuff and knows that multicast reflectors (Chromecast/Bonjour) do not play well with Multicast proxies. I've got most of it working with the only connections between the secure network and the insecure network being by HDMI.

 

Any thoughts on which will be the best approach?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
3ffdot
Here to help
‎Mar 19 2018 10:12 AM
‎Mar 19 2018 10:12 AM

@benny I just setup an MX84 behind an ASA and in front of a layer 3 switch.  I used the 15.4 firmware as well and from my experience the MX isn't quite a layer 3 device even with the new firmware.  For the MX to work and pass all traffic from WAN to LAN, you'll need to utilize static routes to the layer 3 device that all of your clients site behind.  So as an example you would have a 66.10.10.1/30 and that goes to your WAN with the gateway being the next hope router.  Then you have a 11.11.11.1/30 on the MX and that goes to your layer 3 switch.  The switch should have a default route of the MX address (11.11.11.1).  This way the WAN and LAN are separate and the MX is able to route traffic to the LAN by using the 11.11.11.x subnet.  As I said, the MX isn't quite a layer 3 device so it takes a bit of engineering to get it to work like you want.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.