1 .. _NAT44_Endpoint_Dependent:
5 NAT44-ED: NAT44 Endpoint Dependent
6 ==================================
11 NAT44-ED is the IPv4 endpoint dependent network address translation
12 plugin. The component implements an address and port-dependent mapping
13 and address and port-dependent filtering NAT as described in
14 `RFC4787 <https://tools.ietf.org/html/rfc4787>`__.
16 The outside address and port (X1’:x1’) is reused for internal hosts
17 (X:x) for different values of Y:y. A flow is matched by {source address,
18 destination address, protocol, transport source port, transport
19 destination port, fib index}. As long as all these are unique the
20 mapping is valid. While a single outside address in theory allows for
21 2^16 source ports \* 2^32 destination IP addresses \* 2^16 destination
22 ports = 2^64 sessions, this number is much smaller in practice. Few
23 destination ports are generally used (80, 443) and a fraction of the IP
24 address space is available. The limitation is 2^16 bindings per outside
25 IP address to a single destination address and port (Y:y).
27 The implementation is split, a control-plane / slow-path and a
28 data-plane / fast-path. Essentially acting as a flow router. The
29 data-plane does a 6-tuple flow lookup (SA, DA, P, SP, DP, FIB) and on a
30 match runs the per-flow packet handling instructions on the packet. On a
31 flow lookup miss, the packet is punted to the slow-path, where depending
32 on policy new sessions are created.
34 The support set of packet handling instructions is ever-increasing.
35 Currently, the implementation supports rewrite of SA, DA, SP, DP and TCP
36 MSS. The fast-path also does connection tracking and expiry of older
40 tuple\ ``(src address, src port, dst address, dst port, protocol and fib)``\ for
41 matching communication.
48 - also called PAT (Port Address Translation)
49 - supports port overloading
53 - types of Static NAT:
57 - exceptions to translations
63 1. address only mapping
65 - one to one translation without ports
69 - double-nat, translation of source and destination
73 - double nat, translation of source and destination, where
74 external host address is the same as local host address
76 4. out2in-only mapping
78 - session is created only from outside interface (out2in feature)
80 c) load balanced static mapping
82 - translates one frontend (``addr``:``port``) to multiple backends
87 a) inside interface (in2out feature) - local to external network
88 translation - feature is before ip4-lookup
89 b) outside interface (out2in feature) - external to local network
90 translation - feature is before ip4-lookup
91 c) inside & outside interface (classify feature) - local or external
92 network translation - correct type of translation is determined per
93 communication - feature is before ip4-lookup
94 d) output interface (output feature) - used for post routing translation
95 - feature is after ip4-lookup
99 a) interface address - automatically managed external address - first
100 address of VPP interface
101 b) pool address - range of external addresses
103 5) Logging and Accounting
108 6) Miscellaneous Features
110 a) inter-vrf translation control 1. basic
112 - nat44 plugin enable inside-vrf / outside-vrf
113 - inside/outside interface vrf’s
117 - vrf table routing feature
119 b) udp/tcp/icmp timeouts - configurable timeouts for these protocols
120 c) session limiting 1. basic (plugin enable [sessions ] 2. advanced
121 (per vrf table / global limiting)
122 d) mss-clamping - MSS (maximum segment size) is by default determined by
123 egress interface MTU (maximum transmission unit) size - used to lower
124 MSS value in VPN tunnel scenarios where additional headers can
125 enlarge the packet beyond MTU causing drops
126 e) hairpinning - hosts on the same lan segment communicating via
128 f) forwarding - if enabled translation only occurs if active session or
129 static configuration exist, rest of the traffic is passed without
135 Session table exists per thread and contains pool of sessions that can
136 be either expired or not expired. NAT44-ED plugin doesn’t use scavenging
137 for clearing expired sessions. Rather then using scavenging plugin uses
138 LRU doubly-linked list. LRU contains ordered list of sessions indices.
139 Head of the list contains last updated session. Each session holds
140 record of the LRU head (tcp transitory, tcp established, udp, icmp or
141 unknown lru head). Because of this plugin can reach maximum number of
142 sessions without requirement to clear old sessions. During session
143 creation if a maximum number of sessions was reached LRU head is
144 checked. Expired head record gets deleted and a new session gets
145 created. For better performance LRU head records exist. Each time a new
146 packet is received session index gets moved to the tail of LRU list.
151 IN2OUT (inside to outside translation) OUT2IN (outside to inside
154 NAT (network address translation) PAT (port address translation) MSS
155 (maximum segment size) MTU (maximum transmission unit) VRF (virtual
156 routing and forwarding)
160 Dynamic NAT (Minimal Required Configuration)
161 --------------------------------------------
169 +----------------------+
170 | GigabitEthernet0/8/0 |
171 +----------------------+
172 +----------------------+
173 | GigabitEthernet0/a/0 |
174 +----------------------+
184 nat44 plugin enable sessions 10000
186 2) configure NAT interfaces, two options:
188 a) add inside NAT interface on local VPP interface, add outside NAT
189 interface on external VPP interface
193 set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0
195 b) add output NAT interface on external VPP interface
199 set interface nat44 in GigabitEthernet0/a/0 output-feature
201 3) configure NAT address
203 a) add external address range
207 nat44 add address 10.0.1.1
209 b) add external VPP interface address
213 nat44 add interface address GigabitEthernet0/a/0
221 nat44 add identity mapping ``ip4-addr``\ \|external ``interface``
222 [``protocol`` ``port``] [vrf ``table-id``] [del]
227 nat44 add static mapping tcp|udp|icmp local ``addr``
228 [``port|icmp-echo-id``] external ``addr`` [``port|icmp-echo-id``]
229 [vrf ``table-id``] [twice-nat|self-twice-nat] [out2in-only] [exact
232 Load Balanced Static Mapping
233 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
235 nat44 add load-balancing back-end protocol tcp|udp external
236 ``addr``:``port`` local ``addr``:``port`` [vrf ``table-id``]
237 probability ``n`` [del]
241 nat44 add load-balancing static mapping protocol tcp|udp external
242 ``addr``:``port`` local ``addr``:``port`` [vrf ``table-id``]
243 probability ``n`` [twice-nat|self-twice-nat] [out2in-only] [affinity
244 ``timeout-seconds``] [del]
255 +----------------------+
256 | GigabitEthernet0/8/0 |
257 +----------------------+
261 set interface nat44 in GigabitEthernet0/8/0 [del]
263 NAT inside interface is used for translating local to external
264 communication. Translates Dynamic and Static NAT traffic. If no matching
265 session is found a new session is created for both Dynamic NAT and
266 Static NAT. Dynamic NAT sessions can get created only on inside
275 +----------------------+
276 | GigabitEthernet0/a/0 |
277 +----------------------+
281 set interface nat44 out GigabitEthernet0/a/0 [del]
283 NAT outside interface is used for translating external to local
284 communication. Translates Dynamic and Static NAT traffic. New session
285 gets created only if no matching session is found and matching Static
286 NAT configuration exists.
288 Inside & Outside Interface
289 ~~~~~~~~~~~~~~~~~~~~~~~~~~
294 +----------------------+
295 | GigabitEthernet0/8/0 |
296 +----------------------+
298 +----------------------+
299 | GigabitEthernet0/a/0 |
300 +----------------------+
304 set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/8/0
307 set interface nat44 in GigabitEthernet0/a/0 out GigabitEthernet0/a/0
310 If one VPP interface is configured both as inside and outside NAT
311 interface then classification feature is used. By default NAT inside
312 interface uses in2out feature and NAT outside uses out2in feature.
313 Classification feature determines if the communication should be passed
314 to in2out feature or to out2in feature. Traffic will get passed to
315 out2in feature if destination address is one of NAT addresses or a
316 static mapping in out2in direction flow matches this communication. By
317 default all traffic is passed to in2out feature.
324 +-------------+ +-------------+
325 | 10.0.2.0/24 | | 10.0.3.0/24 |
326 +-------------+ +-------------+
328 +----------------------+ +----------------------+
329 | GigabitEthernet0/7/0 | | GigabitEthernet0/8/0 |
330 +----------------------+ +----------------------+
332 +----------------------+
333 | GigabitEthernet0/a/0 |
334 +----------------------+
345 set interface nat44 in GigabitEthernet0/a/0 output-feature [del]
347 NAT output interface acts as both inside and outside interfaces. Inside
348 rules apply for all egress communication on VPP interface and outside
349 rules apply for all ingress communication. Compared to inside/outside
350 NAT configuration method non of the local interfaces require to be
351 configured as inside NAT interfaces. Translation only occurs after
352 routing decision has been made and just before leaving NAT output
353 interface. In above example all traffic destined for 10.0.1.0/24 from
354 10.0.2.0/24 or 10.0.3.0/24 will get translated. NAT output interface
355 acts as post-routing feature.
363 nat44 add interface address ``interface`` `twice-nat <#twice-nat>`__
366 NAT interface address is a standard external pool address that gets auto
367 added upon resolving first VPP interface address. Supports both standard
368 address and twice-nat address. Twice-nat address is used in conjunction
369 with static mapping twice-nat and self-twice-nat feature.
374 nat44 add address ``ip4-range-start`` [- ``ip4-range-end``]
375 [tenant-vrf ``vrf-id``] `twice-nat <#twice-nat>`__ [del]
377 Statically configured address or range of addresses that supports both
378 standard and twice-nat address. Specifying vrf-id lets user assign
379 address/addresses to specific NAT inside interfaces that belong to the
385 nat set logging level ``level``
387 Configuration of logging level is used only for internal VPP logging.
389 nat ipfix logging [domain ``domain-id``] [src-port ``port``]
392 Both syslog and ipfix support connection tracking capabilities. Session
393 creation, session deletion, maximum sessions exceeded among other things
394 are logged by syslog and ipfix.
405 +-------------+ +-------------+
406 | 10.0.2.0/24 | | 10.0.3.0/24 |
407 +-------------+ +-------------+
409 NAT INSIDE IF NAT INSIDE IF
410 +----------------------+ +----------------------+
411 | GigabitEthernet0/7/0 | | GigabitEthernet0/8/0 |
412 +----------------------+ +----------------------+
413 NAT OUTSIDE IF NAT OUTSIDE IF
414 +----------------------+ +----------------------+
415 | GigabitEthernet0/a/0 | | GigabitEthernet0/b/0 |
416 +----------------------+ +----------------------+
419 +--------------------------+
421 +------------+------------+------------+
423 +----------+ +----------+ +----------+ +----------+
424 | 10.0.0.1 | | 10.0.0.2 | | 10.0.1.1 | | 10.0.1.2 |
425 +----------+ +----------+ +----------+ +----------+
426 VRF 0 POOL VRF 1 POOL VRF 0 POOL VRF 1 POOL
430 nat44 add address ``ip4-addr`` [tenant-vrf ``vrf-id``] [del]
432 nat44 plugin enable inside-vrf ``vrf-id`` outside-vrf ``vrf-id``
438 By design NAT supports passing communication between VRFs. Passing
439 communication between multiple different VRFs is also supported (GE0/7/0
440 -> GE0/b/0, GE0/8/0 -> GE0/a/0).
442 NAT pool address tenant-vrf configuration parameter is used to constrain
443 pool address to specific inside VRF. Example communication (in the above
444 diagram): 1) from GE0/7/0 -> GE0/b/0 would choose 10.0.1.1 pool address
445 2) from GE0/8/0 -> GE0/b/0 would choose 10.0.1.2 pool address
447 Plugin enable parameters inside-vrf and outside-vrf are used as follows:
449 Both ``inside-vrf`` and ``outside-vrf`` configuration parameters are
450 used in conjunction with Static NAT, inside-vrf is only used for Static
453 inside VRF: - used only in conjunction with static mappings - default
454 inside VRF parameter is used in in2out feature to lookup static mapping
455 if mapping can’t be found by inside interface VRF - used as default when
456 adding static mappings as in2out vrf
458 outside VRF: - used in conjunction with static mappings - secondary
459 option for looking up static mappings in in2out feature based on outside
460 VRF - used as default destination vrf in in2out feature during session
461 creation if non of outside interfaces can resolve destination IP address
463 Session creation default behavior (in2out only): - ingress interface fib
464 is used as inside fib - Outside fib is chosen based on ability to
465 resolve destination address in one of the outside interface networks. if
466 there is no such network that is able to resolve destination a default
467 outside fib (outside vrf index) is used.
469 Default behavior enables use of multiple outside and inside fibs with
470 some limitations. The limitation in the default behavior is that if each
471 interface belonging to different fib contains default gateway every time
472 first interface network fib gets used as outside fib index during
478 nat44 vrf table [add|del] ``vrf-id``
482 nat44 vrf route [add|del] table ``vrf-id`` ``vrf-id``
484 VRF tables change the default behavior of working with inter-vrf
485 communication. Adding empty VRF table disables passing communication
486 between VRFs. Adding additional routes to the table makes destination
487 VRF decision making algorithm do lookups into these tables. During
488 session creation destination VRF in in2out feature is resolved by
489 traversing VRF routes in the matching VRF table. If VRF route resolves
490 destination IPv4 address then this VRF gets used. If non VRF route can
491 resolve destination IPv4 address If VRF route can’t be found source VRF
492 will be used. Priority of VRF routes is based on order of configuration.
497 set nat timeout [udp ``sec`` \| tcp-established ``sec``
498 tcp-transitory ``sec`` \| icmp ``sec`` \| reset]
503 nat44 plugin enable sessions ``max-number``
505 Maximum number of sessions value is used on per-thread (per-worker)
508 set nat44 session limit ``limit`` [vrf ``table-id``]
510 Per-vrf session limiting makes it possible to split maximum number of
511 sessions between different VRFs.
516 nat mss-clamping ``mss-value``\ \|disable
521 nat44 forwarding enable|disable
523 Additional Configuration Commands
524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
526 | set nat frame-queue-nelts ``number``
527 | set nat workers ``workers-list``
528 | nat44 del session in|out ``addr``:``port`` tcp|udp|icmp [vrf
529 ``id``] [external-host ``addr``:``port``]
541 show nat mss-clamping
542 show nat44 interfaces
543 show nat44 vrf tables
544 show nat44 hash tables
545 nat44 show static mappings
546 show nat44 interface address
548 Configuration Examples
549 ----------------------
554 Twice NAT lets you translate both the source and destination address in
555 a single rule. Currently, twice NAT44 is supported only for local
556 network service session initiated from outside network. Twice NAT static
557 mappings can only get initiated (create sessions) from outside network.
564 +--------------------------+
565 | 10.0.0.2/24 (local host) |
566 +--------------------------+
568 +---------------------------------+
569 | 10.0.0.1/24 (eth0) (nat inside) |
570 | 20.0.0.1/24 (eth1) (nat outside)|
571 +---------------------------------+
573 +---------------------------+
574 | 20.0.0.2/24 (remote host) |
575 +---------------------------+
577 In this example traffic will be initiated from remote host. Remote host
578 will be accessing local host via twice-nat mapping.
580 Translation will occur as follows:
581 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
583 outside to inside translation:
586 | src address: 20.0.0.2 -> 192.168.160.101
587 | dst address: 20.0.0.1 -> 10.0.0.2
589 inside to outside translation:
592 | src address: 10.0.0.2 -> 20.0.0.1
593 | dst address: 192.168.160.101 -> 20.0.0.2
598 Enable nat44-ed plugin:
603 nat44 plugin enable sessions 1000
605 Configure inside interface:
610 set int state eth0 up
611 set int ip address eth0 10.0.0.1/24
612 set int nat44 in eth0
614 Configure outside interface:
619 set int state eth1 up
620 set int ip address eth1 20.0.0.1/24
621 set int nat44 out eth1
623 Configure nat address pools:
628 nat44 add address 20.0.0.1
629 nat44 add address 192.168.160.101 twice-nat
631 - alternatively we could use ``nat44 add interface address eth1``
632 - both pools are required
633 - pool ``20.0.0.1`` is used for out2in incoming traffic
634 - special twice-nat pool ``192.168.160.101`` is used for secondary
637 Finally, add twice-nat mapping:
640 nat44 add static mapping tcp local 10.0.0.2 5201 external 20.0.0.1
646 Self twice NAT works similar to twice NAT with few exceptions. Self
647 twice NAT is a feature that lets client and service running on the same
648 host to communicate via NAT device. This means that external address is
649 the same address as local address. Self twice NAT static mappings can
650 only get initiated (create sessions) from outside network.
652 .. _topology-self-twice-nat:
659 +--------------------------+
660 | 10.0.0.2/24 (local host) |
661 +--------------------------+
663 +-------------------------------------------+
664 | 10.0.0.1/24 (eth0) (nat inside & outside) |
665 +-------------------------------------------+
667 In this example traffic will be initiated from local host. Local host
668 will be accessing itself via self-twice-nat mapping.
670 .. _translation-will-occur-as-follows-1:
672 Translation will occur as follows:
673 ''''''''''''''''''''''''''''''''''
675 .. _outside-to-inside-translation-1:
677 outside to inside translation:
680 | src address: 10.0.0.2 -> 192.168.160.101
681 | dst address: 10.0.0.1 -> 10.0.0.2
683 .. _inside-to-outside-translation-1:
685 inside to outside translation:
688 | src address: 10.0.0.2 -> 10.0.0.1
689 | dst address: 192.168.160.101 -> 10.0.0.2
696 .. _enable-nat44-ed-plugin-1:
698 Enable nat44-ed plugin:
703 nat44 plugin enable sessions 1000
705 Configure NAT interface:
710 set int state eth0 up
711 set int ip address eth0 10.0.0.1/24
712 set int nat44 in eth0
713 set int nat44 out eth0
715 .. _configure-nat-address-pools-1:
717 Configure nat address pools:
722 nat44 add address 10.0.0.1
723 nat44 add address 192.168.160.101 twice-nat
725 Finally, add self-twice-nat mapping:
728 nat44 add static mapping tcp local 10.0.0.2 5201 external 10.0.0.1