Skip to main content
Cisco Meraki

NAT Detection on MS Switches

Requirements

NAT detection is supported on the following platforms and firmware versions:

MS Switch Family MS Switch Model Minimum Firmware Required
  MS210 MS 14
MS200 Series MS225 MS 14
  MS250 MS 14
MS 300 Series MS355 MS 14
  MS410 MS 14
MS400 Series MS425 MS 14
  MS450 MS 14

Details

MS switches can alert an administrator if a device is detected that appears to be using Network Address Translation (NAT). NAT on the LAN may indicate the use of a rogue AP or router, but also may be used for legitimate purposes with technologies such as containers, or tracking prevention. 

NAT detection compares observed traffic patterns to various signatures that may indicate multiple separate hosts are communicating through a single IP address. For example, TCP timestamps that that indicate multiple clocks, or source ports that appear across multiple ranges could indicate more than one device is using a particular address.

Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT. 

It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken.

Configuration

To enable NAT detection on MS switches, log into the Meraki dashboard for a network that contains MS switches and navigate to Network-wide > Alerts. 

In the "Switch" section, click the check box for the "A client is detected sharing its IP address via NAT." option:

NAT alert.png

Select to be alerted ASAP, daily, or weekly, and optionally define additional alert recipients. Daily or weekly alerts may be appropriate if you find that a large amounts of alerts are generated frequently using the ASAP option. 

Alert Example

Alerts appear somewhat different between email or webhooks, but contain similar information in both cases. The alert will indicate the client IP address that might be being used by multiple hosts, the last time an indication of NAT was detected, a suspected number of real hosts sharing that IP address, and the number of switches detecting the behaviour:

NAT alert email.png

 

  • Was this article helpful?