Network Address Translation Catalyst Switch Support Matrix

Available Languages

Updated:April 5, 2006
Document ID:29283

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

Network Address Translation (NAT) operates on a routing device that connects two networks together. One of these networks (which is designated as "inside") has private addresses that require conversion into legal addresses before packets are forwarded onto the other network (which is designated as "outside"). The translation operates in conjunction with routing so that you can simply enable NAT on a gateway router when you need translation. The table in the NAT Feature Support on Catalyst Switches section of this document summarizes the support of the NAT feature in Cisco Catalyst switches.

Refer to Network Address Translation (NAT) Technology Support for additional information on how to implement the NAT feature. The page provides sample configurations and troubleshoot tips.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

NAT Feature Support on Catalyst Switches

This table provides information about NAT feature support in Catalyst switches:

Catalyst Platform Minimum Software Release
Catalyst 6500/6000—CatOS1 with Cisco IOS® Software on MSFC2/MSFC2/MSFC3 All versions
Catalyst 6000—CatOS (MSM3) No support
Catalyst 6500/6000—Cisco IOS system software All versions
Catalyst 5500/5000 (RSM) 4 Cisco IOS Software Releases 11.2(P),11.3(T), 12.0, 12.0T, 12.1, 12.1T
Catalyst 5500/5000 (RSFC5) Cisco IOS Software Release 12.1
Catalyst 4500/4000—CatOS (WS-X4232-L3) No support/no plans
Catalyst 4500/4000—Cisco IOS Software (Supervisor Engine II+/III/IV/V) No support currently6
Catalyst 3750 No support
Catalyst 3560 No support
Catalyst 3550 No support
Catalyst 2970 Not applicable (no support for IP routing7)
Catalyst 2950/2955 Not applicable (no support for IP routing7)
Catalyst 2940 Not applicable (no support for IP routing7)
Catalyst 2900XL/3500XL Not applicable (no support for IP routing)
Catalyst 2948G-L3/4908G-L3 No support/no plans
Catalyst 1900 Not applicable (no support for IP routing)
Catalyst 8500 No support/no plans

  • 1 CatOS = Catalyst OS.

  • 2 MSFC = Multilayer Switch Feature Card.

  • 3 MSM = Multilayer Switch Module.

  • 4 RSM = Remote Switch Module.

  • 5 RSFC = Router Switch Feature Card.

  • 6 Catalyst 4500/4000 series switches with Supervisor Engine III/IV support the Access Gateway Module (AGM) in Cisco IOS Software Release 12.1(13)EW or later. You need Cisco IOS Software Release 12.2.13T or later on the AGM module. NAT has support in the software switching path on the AGM module.

  • 7Catalyst 2940, 2970, 2950/2955 does not support IP Routing and the NAT feature. For more information, refer to the Cisco Feature Navigator Tool (registered customers only) .

Additional Notes for the Catalyst 6500/6000

  1. Software performs the NAT function on the Catalyst 6500/6000 with a Supervisor Engine 1/2 and MSFC/MSFC2. There is no support in the hardware path.

  2. When you use the NAT router feature on a Catalyst 6500 with Supervisor Engine 1/2 and MSFC/MSFC2, packets that traverse the NAT outside interface can (in certain configurations) undergo software routing instead of Layer 3 (L3) switching. The software routing can occur regardless of whether the packets require translation. For packets that traverse the NAT outside interface, the redirection to MSFC for software routing should occur for only those packets that require NAT. Cisco IOS Software only translates traffic that traverses from NAT inside interfaces to NAT outside interfaces. Create the access control list (ACL) for use with NAT to be more specific. Have the ACL limit the software-handled packets to only those packets that require NAT translation. For example, if you use a general ACL, such as permit ip any any, to specify the traffic that requires NAT, all traffic inbound or outbound on the NAT outside interface is software routed. Traffic that does not originate in the NAT inside interfaces or have the NAT inside interfaces as a destination is also software routed. If you use a more specific ACL, such as permit ip 192.168.1.0 0.0.0.255 any, only the NAT outside traffic that matches the ACL is software routed.

  3. The NAT function is performed in hardware for unicast packets on a Catalyst 6500 with Supervisor Engine 720 and MSFC3 when you run Cisco IOS Software Release 12.2(14)SX or later.

Caveats in the NAT Feature on the Catalyst 6500/6000 MSFC/MSFC2

This table lists some of the caveats that relate to the NAT feature on the Catalyst 6500/6000 MSFC/MSFC2:

Description Version with Resolution
If you configure a port with a VACL1 access map that has an action clause that contains the capture keyword, the port does not send any traffic to the MSFC to process in software. This configuration prevents the NAT feature operation. Refer to Cisco bug IDs CSCdu61309 popup_icon.gif (registered customers only) and CSCdx37625 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1.13(E)
When you configure approximately 500 static NAT entries and issue the mls aclmerge algorithm odm command, a reload can occur if you issue the ip nat outside command for an active interface. Refer to Cisco bug ID CSCdx74455 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1(12c)E1
With 7,000 NAT entries and 3,000 pps2 of NAT traffic, MSFC CPU utilization is 100 percent. Refer to Cisco bug ID CSCdx40232 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1(12c)E1
NAT pool subranges do not work. Refer to Cisco bug ID CSCdt21533 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1 (11b)E3
A sequence problem results when there are NAT ACL configurations and static NAT entries in the startup configuration at bootup. The problem results in the program of incorrect entries into the TCAM3. Refer to Cisco bug ID CSCdx35689 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1(11b)E3
With the configuration of the NAT outside-source static translation, packets are forwarded without translation. Refer to Cisco bug ID CSCdv12429 popup_icon.gif (registered customers only) for more information. Cisco IOS Software Release 12.1(8a)E4

1 VACL = VLAN ACL.

2 pps = packets per second.

3 TCAM = ternary content addressable memory.

Related Information

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products