Brocade Communications Systems 5600 Reference Manual
Vrouter nat
Hide thumbs
Also See for 5600:
- Configuration manual (187 pages) ,
- Reference manual (124 pages) ,
- Quick start manual (48 pages)
Subscribe to Our Youtube Channel
Related Manuals for Brocade Communications Systems 5600
Summary of Contents for Brocade Communications Systems 5600
- Page 1 53-1003718-03 14 September 2015 Brocade 5600 vRouter Reference Guide Supporting Brocade 5600 vRouter 3.5R6...
- Page 2 United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
-
Page 3: Table Of Contents
The "source" filter................24 The "destination" filter................. 24 Address conversion: translation addresses............ 24 Source address translations..............25 Destination address translations............25 NAT Configuration Examples....................27 Source NAT (one-to-one)................27 Source NAT (many-to-one)................28 Source NAT (many-to-many)................29 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 4 <rule-number> protocol <protocol>......67 service nat source rule <rule-number> source <address>......68 service nat source rule <rule-number> translation <address>......69 show nat destination..................70 show nat source....................71 Related commands..................72 List of Acronyms........................73 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 5: Preface
Identifies command names, keywords, and command options. italic text Identifies a variable. value In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 6: Notes, Cautions, And Warnings
DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 7: Brocade Resources
OEM/Solution Provider for all of your product support needs. ® • OEM/Solution Providers are trained and certified by Brocade to support Brocade products. • Brocade provides backline support for issues that cannot be resolved by the OEM/Solution Provider. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 8: Document Feedback
• By sending your feedback to documentation@brocade.com. Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 9: About This Guide
About This Guide This guide describes how to configure NAT on the Brocade 5600 vRouter (referred to as a virtual router, vRouter, or router in the guide). Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 10 About This Guide Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 11: Nat Overview
Be aware that, although NAT can minimize the possibility that internal computers make unsafe connections to the external network, it provides no protection to a computer that, for one reason or Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 12: Benefits Of Nat
• NAT enhances security. IP addresses within a private (internal) network are hidden from the public (external) network. This hiding of addresses makes it more difficult for hackers to initiate an attack on an internal host. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 13: Types Of Nat
IP address of the outbound interface. The destination address of return packets is automatically translated back to the IP address of the source host. NOTE SNAT is performed after the routing decision is made. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 14: Destination Nat (Dnat)
Bidirectional NAT is typically used when internal hosts need to initiate sessions with external hosts and external hosts need to initiate sessions with internal hosts. The following figure shows an example of bidirectional NAT. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 15: Nat 6-4
This rewrite requires that the router modify the Ethernet and the IP headers. For more information about the IPv4 and IPv6 address formats, refer to RFC 6052 (section 2.2). Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 16: Packet Processing
• Address formats as specified in section 2.2 of RFC 6052. • Stateful connection tracking and validation (by way of the NPF session table). • Selective packet filtering of source and destination prefixes on the inbound interface of the IPv6 network. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 17: What Nat 6-4 Does Not Support
For example, if you are using DNAT, you should take care not to set up the system to route packets based on particular external addresses. This routing method would not have the expected result Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 18: Interaction Between Nat And Routing
Note that DNAT operates on the packets before the routing decision. This sequence means that routing decisions based on the destination address are made relative to the translated destination address—not the original destination address; refer to the following figure. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 19 On the other hand, routing decisions are made before SNAT. This sequence means that routing decisions based on the source address are made on the original source address—not the translated source address. NOTE SNAT routing decisions are based on original source address. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 20: Interaction Between Nat And Firewall
In this scenario, packets are destined for a process within the Brocade vRouter. When firewall rule sets are applied to locally bound packets on an interface, the firewall rules are applied before DNAT (that is, on the translated destination address); refer to the following figure. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 21 SNAT firewall rules are applied on original source address. FIGURE 15 Pass-through SNAT firewall decisions Scenario 2b: SNAT—Packets originating from the Brocade vRouter In this scenario, packets originate with a process in the Brocade vRouter. Firewall rule sets are not involved. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 22: Interaction Between Nat And Dns
The Brocade vRouter allows you to configure SNAT and DNAT rules. To implement bidirectional NAT, you define a NAT rule for SNAT and one for DNAT. The following example shows how to define a SNAT rule, rule 10. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 23: Traffic Filters
The following example shows how to apply a SNAT rule, rule 10, to TCP protocol packets. Only TCP packets have address translation performed. Filtering packets by protocol vyatta@vyatta# set service nat source rule 10 protocol tcp Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 24: The "Source" Filter
30 destination address 12.34.56.78 Address conversion: translation addresses The translation address defines the address conversion that takes place. It specifies the information that is substituted into the packet for the original address. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 25: Source Address Translations
10.0.0.0 through 10.0.0.3 as the range of destination IP addresses for inbound packets that match its filter criteria. Substituting a range of destination IP addresses vyatta@vyatta# set service nat destination rule 50 translation address 10.0.0.0-10.0.0.3 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 26 Destination address translations Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 27: Nat Configuration Examples
• An internal news server, a Network News Time Protocol (NTTP) device, needs to connect to an external news server. • The external news server accepts connections only from known clients. • The internal news server does not receive connections from outside the local network. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 28: Source Nat (Many-To-One)
The following figure shows an example of SNAT in which many different “inside” addresses are dynamically translated to a single “outside” address. In this example, all hosts on the 10.0.0.0/24 subnet show the same source address externally. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 29: Source Nat (Many-To-Many)
For this reason, the mapping can provide more capacity for outbound translations. The following figure shows a large private address space (a /8 network prefix, here represented as three /16 subnets) mapped to a small range of external addresses. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 30: Source Nat (One-To-Many)
The scenario described in this section is less common. In this scenario, a single test-source device behind the NAT device appears externally to be multiple devices, as shown in the following figure. One application of this scenario might be to test an upstream load-balancing device. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 31: Masquerade Nat
Specifying masquerade as the translation address instructs the system to use the IP address currently assigned to the outbound interface as the translation address. Masquerade NAT rules typically consist of match conditions that contain the following characteristics: Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 32: Destination Nat (One-To-One)
10 Show the configuration. outbound-interface dp0p1p1 source { address 10.0.0.0/24 translation { address masquerade Destination NAT (one-to-one) Destination NAT (DNAT) is used when only inbound traffic is expected. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 33: Scenario 1: Packets Destined For An Internal Web Server
Scenario 2: Packets destined for an internal SSH server In this scenario, all traffic destined for the SSH port is passed through to a host containing an SSH server, as shown in the following figure. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 34: Destination Nat (One-To-Many)
Another application where DNAT might be used is a scenario in which there are multiple instances (each on a different port) of the server inside a private network. To configure NAT for this particular scenario, perform the following steps in configuration mode. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 35: Bidirectional Nat
Bidirectional NAT is simply a combination of source and destination NAT. A typical scenario might use SNAT on the outbound traffic of an entire private network and DNAT for specific internal services (for example, mail or web); refer to the following figure. FIGURE 24 Bidirectional NAT Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 36: Mapping Of Address Ranges
10.0.0.0/24 network to the 11.22.33.0/24 network, which maps 10.0.0.1 through 11.22.33.1, 10.0.0.2 through 11.22.33.2, and so on. The networks must be the same size, that is, they must have the same network mask, as shown in the following figure. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 37 10 inbound-interface dp0p1p1 vyatta@vyatta# set service nat destination rule Use 10.0.0.x as the destination address in 10 translation address 10.0.0.0/24 incoming packets. vyatta@vyatta# commit Commit the change. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 38: The "Exclude" Option
20 Use the primary IP address of the outbound translation address masquerade interface as the translation address. vyatta@vyatta# commit Commit the change. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 39: Source Nat And Vpn: Using The "Exclude" Option
You can do this by using an exclusion rule, as shown in the following figure. FIGURE 26 Source NAT and VPN To configure NAT in this way, perform the following steps in configuration mode. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 40: The Negation Operator
(exclamation mark [!]). The following example shows how to provide the same functionality as in the previous example but use the negation operator instead of the exclude option. NOTE You can use the negation operator with IP addresses but not with port addresses. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 41 192.168.0.0/24 translation { address masquerade This combination of rules does not exclude the 192.168.50.0/24 and 172.16.50.0/24 networks. As previously explained, these NAT rules are evaluated sequentially; when a packet arrives, it is tested Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 42: Address And Port Groups
Commit the changes. vyatta@vyatta# show service nat source rule 200 Show the NAT outbound-interface dp0s224 configuration. protocol tcp source { address foo port bar translation { address 20.20.10.0/24 port http Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 43: Configuring Nat 6-4
1 For rule 1, specify the inbound interface. inbound-interface dp0p3p1 vyatta@R1# set service nat ipv6-to-ipv4 rule 1 For rule 1, specify the routing prefix for source prefix 2001:db8::/32 source addresses. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 44 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, TW - TIME WAIT, CL - CLOSE, LI - LISTEN CONNID Source Destination Protocol TIMEOUTIntf Parent 198.18.4.200:46468 198.18.5.200:22 tcp [6] TW 237 dp0p4p10 198.18.4.200 198.18.5.200 icmp [1] dp0p4p10 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
-
Page 45: Nat Commands
<rule-number> protocol <protocol>..........67 ● service nat source rule <rule-number> source <address>..........68 ● service nat source rule <rule-number> translation <address>........69 ● show nat destination....................... 70 ● show nat source......................71 ● Related commands......................72 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 46: Clear Nat
Clears counters for active NAT rules. Syntax clear nat Command Default Counters for all NAT rules. Modes Operational mode Usage Guidelines Use this command to clear counters for active NAT rules. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 47: Service Nat
Use the set form of this command to enable, create, or modify the NAT configuration. Use the delete form of this command to remove NAT configuration and disable NAT on the system. Use the show form of this command to view NAT configuration. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 48: Service Nat Destination Rule
Use the set form of this command to define a NAT rule number. Use the delete form of this command to remove a NAT rule number. Use the show form of this command to view a NAT rule number. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 49: Service Nat Destination Rule
Use the set form of this command to provide a description of a rule. Use the delete form of this command to remove the description of a rule. Use the show form of this command to view the description of a rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Description -
Page 50: Service Nat Destination Rule
Use the set form of this command to specify a destination address and port to match a NAT rule (destination filter). Use the delete form of this command to remove a destination filter. Use the show form of this command to view a destination filter. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Destination -
Page 51: Service Nat Destination Rule
Use the set form of this command to disable a NAT rule. Use the delete form of this command to return a rule to its enabled state. Use the show form of this command to view a rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Disable -
Page 52: Service Nat Destination Rule
Use the set form of this command to specify that packets matching this rule are excluded from NAT. Use the delete form of this command to remove an exclusion rule. Use the show form of this command to view an exclusion rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Exclude -
Page 53: Service Nat Destination Rule
Use the set for of this command to specify the data plane interface on which inbound traffic has DNAT rules applied. Use the delete form of this command to remove an inbound interface. Use the show form of this command to view an inbound interface. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Inbound-Interface -
Page 54: Service Nat Destination Rule
Use the delete form of this command to restore the default NAT logging, that is, the logging of NAT destination entries is not generated. Use the show form of this command to view the state of NAT logging. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Log -
Page 55: Service Nat Destination Rule
Use the delete form of this command to remove a protocol from a NAT destination rule. Use the show form of this command to view a protocol for a NAT destination rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Protocol -
Page 56: Service Nat Destination Rule
Use the set form of this command to specify a source address and port to match in a NAT rule (source filter). Use the delete form of this command to remove a source filter. Use the show form of this command to view a source filter. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Source -
Page 57: Service Nat Destination Rule
Use the delete form of this command to remove a translated address, port, or both from a NAT rule. Use the show form of this command to view a translated address, port, or both of a NAT rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Translation -
Page 58: Service Nat Ipv6-To-Ipv4 Rule
Use the set form of this command to specify the NAT IPv6-to-IPv4 rule to apply to the IPv6 prefix for the destination. Use the delete form of this command to delete the NAT IPv6-to-IPv4 rule. Use the show form of this command to display the configured NAT IPv6-to-IPv4 rules. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Destination Prefix -
Page 59: Service Nat Ipv6-To-Ipv4 Rule
Use the set form of this command to specify the service IPv6-to-IPv4 rule to apply to the inbound interface. Use the delete form of this command to delete the service IPv6-to-IPv4 rule. Use the show form of this command to display the configured IPv6-to-IPv4 rules. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Inbound-Interface -
Page 60: Service Nat Ipv6-To-Ipv4 Rule
Use the set form of this command to specify the service IPv6-to-IPv4 rule to apply to the source prefix for the destination. Use the delete form of this command to delete the service IPv6-to-IPv4 rule. Use the show form of this command to display the configured IPv6-to-IPv4 rules. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Source Prefix -
Page 61: Service Nat Source Rule
Use the set form of this command to provide a description of a rule. Use the delete form of this command to remove the description of a rule. Use the show form of this command to view the description of a rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Description -
Page 62: Service Nat Source Rule
Use the delete form of this command to remove a destination filter for a NAT source rule. Use the show form of this command to view a destination filter for a NAT source rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Destination -
Page 63: Service Nat Source Rule
Use the set form of this command to disable a NAT rule. Use the delete form of this command to return a rule to its enabled state. Use the show form of this command to view a rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Disable -
Page 64: Service Nat Source Rule
Use the set form of this command to specify that packets matching this rule are excluded from NAT. Use the delete form of this command to remove an exclusion rule. Use the show form of this command to view an exclusion rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Exclude -
Page 65: Service Nat Source Rule
Use the delete form of this command to restore the default NAT logging, that is, the logging of NAT source entries is not generated. Use the show form of this command to view the state of NAT logging. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Log -
Page 66: Service Nat Source Rule
Use the set form of this command to specify the data plane interface on which outbound traffic has SNAT rules applied. Use the delete form of this command to remove an outbound interface. Use the show form of this command to view an outbound interface. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Outbound-Interface -
Page 67: Service Nat Source Rule
Use the delete form of this command to remove a protocol from a NAT source rule. Use the show form of this command to view a protocol for a NAT source rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Protocol -
Page 68: Service Nat Source Rule
Use the set form of this command to specify a source address and port to match in a NAT source rule (source filter). Use the delete form of this command to remove a source filter. Use the show form of this command to view a source filter. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Source -
Page 69: Service Nat Source Rule
Use the delete form of this command to remove a translated address, port, or both from a NAT rule. Use the show form of this command to view a translated address, port, or both of a NAT rule. Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...Translation -
Page 70: Show Nat Destination
SNAT cannot. In SNAT, if the translation space is exhausted, the remaining packets are dropped. The following example shows how to display destination NAT translation information. vyatta@vyatta:~$ show nat destination translations Pre-NAT Post-NAT Prot Timeout 172.16.139.100:80 10.0.0.102:80 Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 71: Show Nat Source
The following example shows how to display source NAT translation information. vyatta@vyatta:~$ show nat source translations Pre-NAT Post-NAT Prot Timeout 10.0.0.101:56803 172.16.139.100:56803 86375 10.0.0.102:48635 172.16.139.100:48635 10.0.0.102:56279 172.16.139.100:56279 10.0.0.102:56432 172.16.139.100:56432 10.0.0.102 172.16.139.100 icmp Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 72: Related Commands
Defines a group of IP addresses that are referenced in firewall rules. (Refer to Basic Routing Reference Guide) resources group port‐group <group‐name> Defines a group of ports that are referenced in firewall rules. (Refer to Basic Routing Reference Guide) Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... -
Page 73: List Of Acronyms
Domain Name System DSCP Differentiated Services Code Point Digital Subscriber Line eBGP external BGP Amazon Elastic Block Storage Amazon Elastic Compute Cloud Exterior Gateway Protocol ECMP equal-cost multipath Encapsulating Security Payload Brocade 5600 vRouter NAT Reference Guide 53-1003718-03... - Page 74 Link Layer Discovery Protocol medium access control mGRE multipoint GRE Management Information Base Multicast Listener Discovery MLPPP multilink PPP MRRU maximum received reconstructed unit maximum transmission unit Network Address Translation NBMA Non-Broadcast Multi-Access Neighbor Discovery Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
- Page 75 Reverse Path Forwarding Rivest, Shamir, and Adleman receive Amazon Simple Storage Service SLAAC Stateless Address Auto-Configuration SNMP Simple Network Management Protocol SMTP Simple Mail Transfer Protocol SONET Synchronous Optical Network Shortest Path Tree Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
- Page 76 User Datagram Protocol virtual hard disk virtual interface VLAN virtual LAN Amazon virtual private cloud virtual private network VRRP Virtual Router Redundancy Protocol wide area network wireless access point Wired Protected Access Brocade 5600 vRouter NAT Reference Guide 53-1003718-03...
Need help?
Do you have a question about the 5600 and is the answer not in the manual?
Questions and answers