One-to-one Layer 2 NAT (Network Address Translation) is a service that allows the assignment of a unique public IP address to an existing private IP address (end device). The assignment enables the end device to communicate on both the private and public subnets. This service is configured in a NAT-enabled device and is the public “alias” of the IP address that is physically programmed on the end device. This is typically represented by a table in the NAT device.

Layer 2 NAT uses a table to translate IPv4 addresses both public-to-private, and private-to-public at line rate. Layer 2 NAT is a hardware-based implementation that provides the same high level of (bump-on-the-wire) wire-speed performance. This implementation also supports multiple VLANs through the NAT boundary for enhanced network segmentation.

In the following example, Layer 2 NAT translates addresses between sensors on a 192.168.1.x network and a line controller on a 10.1.1.x network.

1. The 192.168.1.x network is the inside/internal IP address space and the 10.1.1.x network is the outside or external IP address space.

2. The sensor at 192.168.1.1 sends a ping request to the line controller by using an “inside” address, 192.168.1.100.

3. Before the packet leaves the internal network, Layer 2 NAT translates the source address (SA) to 10.1.1.1 and the destination address (DA) to 10.1.1.100.

4. The line controller sends a ping reply to 10.1.1.1.

5. When the packet is received on the internal network, Layer 2 NAT translates the source address to 192.168.1.100 and the destination address to 192.168.1.1.

For large numbers of nodes, you can quickly enable translations for all devices in a subnet. In the scenario shown in the following figure, addresses from Inside Network 1 can be translated to outside addresses in the 10.1.1.0/28 subnet, and addresses from Inside Network 2 can be translated to outside addresses in the 10.1.1.16/28 subnet. All addresses in each subnet can be translated with one command. The benefit of using subnet-based translations saves in Layer L2 NAT rules. The switch has limits on the number of Layer 2 NAT rules. A rule with a subnet allows for multiple end devices to be translated with a single rule.

The following figure shows a Cisco Catalyst IE9300 Rugged Series Switch at the aggregation layer forwarding Ethernet packets based on Layer 2 MAC Addresses. In this example, the router is the Layer 3 gateway for all subnets and VLANs.

The L2NAT instance definitions use the network command to define a translated row for multiple devices in the same subnet. In this the case, it’s a /28 subnet with last byte in the IP address starting with 16 and ending with 31. The gateway for the VLAN is the router with last byte of the IP address ending with .1. An outside host translation is provided for the router. The network command in the Layer 2NAT definition translates a subnet’s worth of host with a single command, saving on Layer 2 NAT translation records.

The Gi1/0/25 uplink interface has Layer 2NAT translation instances for vlan10 and vlan 11 subnets. Interfaces can support multiple Layer 2 NAT instance definitions.

The downstream Cisco Catalyst IE3300 Rugged Series Switches are examples of access layer switches which do not perform L2NAT and rely on the upstream aggregation layer switch to do it.

The following example shows the NAT configuration for the preceding diagram:

!
l2nat instance Subnet10-NAT
 instance-id 1
 permit all
 fixup all
 outside from host 10.10.10.1 to 192.168.0.1
 inside from network 192.168.0.0 to 10.10.10.16 mask 255.255.255.240
!
l2nat instance Subnet11-NAT
 instance-id 1
 permit all
 fixup all
 outside from host 10.10.11.1 to 192.168.0.1
 inside from network 192.168.0.0 to 10.10.11.16 mask 255.255.255.240
!
interface GigabitEthernet1/0/25
 switchport mode trunk
 l2nat Subnet10-NAT 10
 l2nat Subnet11-NAT 11
!
Interface vlan 1
  ip address 10.10.1.2
 

The following list provides guidelines and limitations for using Layer 2 NAT with Cisco Catalyst IE9300 Rugged Series Switches.

Note	For scale information, see the section NAT Performance and Scalability in this guide.

• Layer 2 NAT is supported for Cisco Catalyst IE9300 Rugged Series Switches in Cisco IOS XE Dublin 17.10.1 and later releases.

• Layer 2 NAT is supported for Cisco Catalyst IE9300 Rugged Series Switches on standalone or stacked switches.

• Layer 2 NAT is disabled by default; it becomes enabled when you configure it. See Configure Layer 2 NAT in this guide.

• Layer 2 NAT applies only to unicast traffic. Untranslated unicast traffic, multicast traffic, and IGMP traffic are permitted.

• Layer 2 NAT is supported only on the uplink ports (25-28) and available in both Network Essentials and Network Advantage licenses.

• Layer 2 NAT supports one-to-one mapping between external and internal IP addresses.

• Layer 2 NAT can be applied to uplink interfaces in access or trunk mode.

• Only IPv4 addresses for Layer 2 traffic can be translated.

• Supported subnet masks on inside network translation are /24, /25, /26, /27, /28, and /32 only.

• Outside translation rule supports only host translations.

• ARP does not work transparently across Layer 2 NAT; however, the switch changes the IP addresses embedded in the payload of IP packets for the protocols to work. Embedded IP addresses are not translated.

• Statistics for debugging include the following statistics: entries for each translation, translated total ingress and egress for each instance, and for each interface. Also included are ARP fixup stats and the number of translations entries allocated in hardware.

• Layer 2 NAT does not support one-to-many and many-to-one IP address mapping.

• Layer 2 NAT cannot save on public IP addresses because public-to-private is a 1:1 translation. It is not 1:N NAT.

• If you configure a translation for a Layer 2 NAT host, do not configure it as a DHCP client.

• The management interface is behind the Layer 2 NAT function. Therefore this interface should not be on the private network VLAN. If it is on the private network VLAN, assign an inside address and configure an inside translation.

• Because Layer 2 NAT is designed to separate outside and inside addresses, we recommend that you do not configure addresses of the same subnet as both outside and inside addresses.

• Cisco Catalyst IE9300 Rugged Series Switch uplinks that support NAT instance configurations are Gig1/0/25 to Gig1/0/28.

• Layer 2 NAT is only for Layer 2 traffic; do not use it for packets undergoing routing

• Layer 2 NAT does not translate packets destined for CPU and packets coming from CPU. Management traffic should be on a different VLAN from the private network VLAN.

Layer 2 NAT translation and forwarding are performed in the hardware at line rate. The number of Layer 2NAT rules that are supported depends on the number of hardware entries that can be supported in hardware.

Scale depends on the number of inside/outside combinations. The following list provides scale examples.

• An instance with only inside rules can have a total of 128 translation rules.

• Multiple instances with one inside rule can have a total of 128 such instances applied to 128 different VLANs.

• Multiple instances with one inside rule and one outside rule can have a maximum of 64 instances.

• A single instance with one outside rule can have a maximum of 100 inside rules. The number of inside rules that can be supported reduces with increase in the outside rules.

Note	We recommended that you use network translation rules to save on the number of rules.

In this example, A1 must communicate with a logic controller (LC) that is directly connected to the uplink port. A Layer 2 NAT instance is configured to provide an address for A1 on the outside network (10.1.1.1) and an address for the LC on the inside network (192.168.1.250).

Now this communication can occur:

1. A1 sends an ARP request: SA: 192.168.1.1DA: 192.168.1.250.

2. Cisco Switch A fixes up the ARP request:SA:10.1.1.1DA: 10.1.1.200.

3. LC receives the request and learns the MAC Address of 10.1.1.1.

4. LC sends a response:SA: 10.1.1.200DA: 10.1.1.1.

5. Cisco Switch A fixes up the ARP response:SA: 192.168.1.250DA: 192.168.1.1.

6. A1 learns the MAC address for 192.168.1.250, and communication starts.

Note	The management interface of the switch must be on a different VLAN from the inside network 192.168.1.x. See the section Basic Inside-to-Outside Communications: Configuration for the tasks to configure the example in this section.

In this scenario, two machine nodes are preconfigured with addresses in the 192.168.1.x space. Layer 2 NAT translates these addresses to unique addresses on separate subnets of the outside network. In addition, for machine-to-machine communications, the Node A machines need unique addresses on the Node B space and the Node B machines need unique addresses in the Node A space.

• Switch C needs an address in the 192.168.1.x space. When packets come into Node A or Node B, the 10.1.1.254 address of Switch C is translated to 192.168.1.254. When packets leave Node A or Node B, the 192.168.1.254 address of Switch C is translated to 10.1.1.254.

• Node A and Node B machines need unique addresses in the 10.1.1.x space. For quick configuration and ease of use, the 10.1.1.x space is divided into subnets: 10.1.1.0, 10.1.1.16, 10.1.1.32, and so on. Each subnet can then be used for a different node. In this example, 10.1.1.16 is used for Node A, and 10.1.1.32 is used for Node B.

• Node A and Node B machines need unique addresses to exchange data. The available addresses are divided into subnets. For convenience, the 10.1.1.16 subnet addresses for the Node A machines are translated to 192.168.1.16 subnet addresses on Node B. The10.1.1.32 subnet addresses for the Node B machines are translated to 192.168.1.32 addresses on Node A.

• Machines have unique addresses on each network: