Introduction
This article presents Dynamic Source NAT, as part of a series of articles about Source NAT on the Arista 7150S with practical examples. It assumes an understanding of NAT and Source NAT.
See the article Static Source NAT first; the present Dynamic Source NAT article builds on it.
The following topics are covered in this article:
- Dynamic Source NAT with Pool
- Dynamic Source NAT Overload
The following additional topics are covered in other articles:
- Static Source NAT
- Source NAT – Baseline
- Static Source NAT – Unicast and multicast with routed ports
- Static Source NAT – with SVI
- Static Source NAT + ACL Match
- Static Source NAT + PAT
- Static Twice NAT
- Static Twice NAT – With SVI
- Troubleshooting
- Tuning NAT
1) Dynamic Source NAT with pool
1.1) Differences with Static Source NAT
With Dynamic Source NAT, multiple unicast flows are translated to source addresses drawn from a pool (or, with overload, to a single interface address). Multicast traffic is not translated.
An ACL is required to select the traffic to translate. The ACL is a selector, not a filter: packets it does not match are forwarded untranslated, not dropped.
The match ACL for dynamic source NAT follows these rules:
- the ACL source address may be either specific or any
- the ACL destination address may be either specific or any
- the four valid combinations are therefore: specific-to-any, any-to-any, any-to-specific, and specific-to-specific
For reference, the rules from “Static Source NAT + ACL Match” are:
- for a static source NAT ACL match:
- the ACL source address must be any
- the ACL destination address must not be any; it must be specific
The two are contrasted here because the difference is a common source of configuration mistakes: an ACL written for one form of source NAT is not necessarily valid for the other.
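As an added example (not part of the original article, nor Arista code), the two rule sets above can be turned into a small pre-commit check for NAT match ACLs. It assumes entries of the form `<seq> permit ip <src> <dst>` where each address is `any`, `host A.B.C.D` or `A.B.C.D/len`; port and protocol qualifiers are out of scope. The ACL names and entries used at the bottom are the ones shown later on this page.

```python
"""Lint an EOS ACL for use as a source-NAT match ACL (added example).

Rules as stated in the article:
  static  : source must be 'any', destination must NOT be 'any'
  dynamic : source and destination may each be 'any' or specific
Assumption: entries look like '<seq> permit ip <src> <dst>' with
<src>/<dst> being 'any', 'host A.B.C.D' or 'A.B.C.D/len'.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

_ENTRY = re.compile(
    r"^\s*(?P<seq>\d+)\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+)\s*$"
)


def _parse_addr(token: str) -> Optional[ipaddress.IPv4Network]:
    """Return None for 'any', otherwise the network ('host X' becomes X/32)."""
    if token == "any":
        return None
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    return ipaddress.ip_network(token, strict=False)


def check_nat_acl(entry: str, nat_type: str) -> Tuple[bool, str]:
    """Validate one ACL entry for nat_type 'static' or 'dynamic'.

    Returns (ok, reason).
    """
    m = _ENTRY.match(entry)
    if not m:
        return False, f"unparsable NAT match entry: {entry!r}"
    src = _parse_addr(m.group("src"))
    dst = _parse_addr(m.group("dst"))
    if nat_type == "dynamic":
        # any/specific are both accepted in either field
        return True, "ok: valid for dynamic source NAT"
    if nat_type == "static":
        if src is not None:
            return False, "static source NAT: ACL source must be 'any'"
        if dst is None:
            return False, "static source NAT: ACL destination must be specific, not 'any'"
        return True, "ok: any -> specific destination"
    return False, f"unknown NAT type {nat_type!r}"


def lint_acl(entries: List[str], nat_type: str) -> List[str]:
    """Return the problems found; an empty list means the ACL is usable for nat_type."""
    problems = []
    for e in entries:
        ok, reason = check_nat_acl(e, nat_type)
        if not ok:
            problems.append(f"{e.strip()}: {reason}")
    return problems


if __name__ == "__main__":
    dyn = ["10 permit ip 10.0.0.0/24 any"]        # ACL-NAT-10 from this article
    stat = ["10 permit ip any host 200.0.0.10"]   # ACL-NAT-A-UNICAST from the static articles
    print(lint_acl(dyn, "dynamic"))               # no problems
    print(lint_acl(stat, "static"))               # no problems
    # the mistake the article warns about: a dynamic-style ACL reused for static NAT
    print(lint_acl(dyn, "static"))
```

Run it against the ACLs of a candidate configuration before applying `ip nat source static ... access-list` or `ip nat source dynamic access-list ...`; the check is purely syntactic and does not talk to the switch.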
1.2) Dynamic Source NAT example
In the diagram below, based on the common baseline already used in the static source NAT articles, dynamic source NAT is applied on egress (Ethernet6). Note that multicast traffic is not translated.
Baseline configuration (reminder)
Arista 7150S Baseline Layer3 configuration:
!
interface Ethernet5
   no switchport
   ip address 10.0.0.1/24
   ip pim sparse-mode
!
interface Ethernet6
   no switchport
   ip address 123.0.0.1/24
   ip ospf network point-to-point
   ip pim sparse-mode
!
ip routing
ip multicast-routing
!
monitor session CPU5 source Ethernet5
monitor session CPU5 destination Cpu
monitor session CPU6 source Ethernet6
monitor session CPU6 destination Cpu
!
NAT involves Layer3 interfaces: either physical routed ports (no switchport), or SVI (interface VLAN)
Dynamic Source NAT with pool configuration:
!
ip nat pool NAT-POOL-172 prefix-length 24 range 172.16.0.100 172.16.0.200
!
ip access-list ACL-NAT-10
   10 permit ip 10.0.0.0/24 any
!
interface Ethernet6
   ip nat source dynamic access-list ACL-NAT-10 pool NAT-POOL-172
!
Resulting translation
Before NAT (eth5 – ingress) :
7150S(config)#bash sudo tcpdump -nni mirror0
22:57:50.233623 […] 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 978
22:57:50.433911 […] 10.0.0.16.1234 > 200.0.0.10.80: UDP, length 978
22:57:50.635149 […] 10.0.0.17.2222 > 200.0.0.10.80: UDP, length 978
22:57:50.770964 […] 10.0.0.18.2222 > 200.0.0.10.80: UDP, length 978
22:57:50.970964 […] 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
After NAT (eth6 – egress) – Note that Multicast traffic is not translated:
7150S(config)#bash sudo tcpdump -nni mirror1
23:01:32.469936 […] 172.16.0.189.1234 > 200.0.0.10.80: UDP, length 978
23:01:32.668714 […] 172.16.0.133.1234 > 200.0.0.10.80: UDP, length 978
23:01:32.905784 […] 172.16.0.164.2222 > 200.0.0.10.80: UDP, length 978
23:01:32.968443 […] 172.16.0.140.2222 > 200.0.0.10.80: UDP, length 978
23:01:33.346984 […] 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
1.3) Configuration for Dynamic Source NAT – with pool
! device: 7150S (DCS-7150S-64-CL, EOS-4.14.3F)
!
ip pim rp-address 1.1.1.1
ip pim rp-candidate Loopback0 224.0.0.0/4
!
interface Ethernet5
   no switchport
   ip address 10.0.0.1/24
   ip pim sparse-mode
!
interface Ethernet6
   no switchport
   ip address 123.0.0.1/24
   ip nat source dynamic access-list ACL-NAT-10 pool NAT-POOL-172
   ip ospf network point-to-point
   ip pim sparse-mode
!
interface Loopback0
   ip address 1.1.1.1/32
!
ip access-list ACL-NAT-A-UNICAST
   10 permit ip any host 200.0.0.10
!
ip routing
!
ip multicast-routing
!
ip nat pool NAT-POOL-172 prefix-length 24 range 172.16.0.100 172.16.0.200
!
router ospf 1
   router-id 1.1.1.1
   network 1.1.1.1/32 area 0.0.0.0
   network 10.0.0.1/32 area 0.0.0.0
   network 123.0.0.1/32 area 0.0.0.0
!
Note: the NAT statement on Ethernet6 references ACL-NAT-10, defined in section 1.2 above (10 permit ip 10.0.0.0/24 any). ACL-NAT-A-UNICAST, left over from the static source NAT articles, is present in this configuration but is not referenced by any NAT statement and plays no role in the translations below.
1.4) Verification outputs for Dynamic Source NAT – with pool
7150S#show ip nat translation
Source IP        Destination IP   Translated IP       TGT  Type  Intf
----------------------------------------------------------------------------
10.0.0.18:2222   200.0.0.10:80    172.16.0.140:2222   SRC  DYN   Et6
10.0.0.16:1234   200.0.0.10:80    172.16.0.133:1234   SRC  DYN   Et6
10.0.0.17:2222   200.0.0.10:80    172.16.0.164:2222   SRC  DYN   Et6
10.0.0.15:1234   200.0.0.10:80    172.16.0.189:1234   SRC  DYN   Et6

7150S#show ip nat pool
Pool           StartIp        EndIp          Prefix
NAT-POOL-172   172.16.0.100   172.16.0.200   24

7150S#show platform fm6000 nat tcam
Acl  Rule  Source           Port  Destination       Port  Proto  Frag  Vlan  TId
----------------------------------------------------------------------------
0    7     10.0.0.15/32     1234  200.0.0.10/32     80    2      0     0     3
0    8     200.0.0.10/32    80    172.16.0.189/32   1234  2      0     0     0
0    9     10.0.0.16/32     1234  200.0.0.10/32     80    2      0     0     5
0    10    200.0.0.10/32    80    172.16.0.133/32   1234  2      0     0     0
0    11    10.0.0.17/32     2222  200.0.0.10/32     80    2      0     0     4
0    12    200.0.0.10/32    80    172.16.0.164/32   2222  2      0     0     0
0    13    10.0.0.18/32     2222  200.0.0.10/32     80    2      0     0     6
0    14    200.0.0.10/32    80    172.16.0.140/32   2222  2      0     0     0

7150S#bash sudo conntrack -L
conntrack v0.9.14 (conntrack-tools): 18 flow entries have been shown.
[…]
udp 17 17218671 src=10.0.0.15 dst=200.0.0.10 sport=1234 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=172.16.0.189 sport=80 dport=1234 packets=0 bytes=0 [ASSURED] mark=1024 use=1
udp 17 17218671 src=10.0.0.17 dst=200.0.0.10 sport=2222 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=172.16.0.164 sport=80 dport=2222 packets=0 bytes=0 [ASSURED] mark=1024 use=1
udp 17 17218671 src=10.0.0.18 dst=200.0.0.10 sport=2222 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=172.16.0.140 sport=80 dport=2222 packets=0 bytes=0 [ASSURED] mark=1024 use=1
udp 17 17218671 src=10.0.0.16 dst=200.0.0.10 sport=1234 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=172.16.0.133 sport=80 dport=1234 packets=0 bytes=0 [ASSURED] mark=1024 use=1
Note: in the conntrack output above, [UNREPLIED] is expected in this lab, where the test traffic is unidirectional UDP. In production, a bidirectional flow (TCP, or UDP with responses) should lose the [UNREPLIED] flag once the first reply is seen; an entry that stays [UNREPLIED] for a flow that should have replies indicates that the return traffic is not reaching the translator.
2) Dynamic Source NAT Overload (Many to one)
2.1 ) Overload Example
Multiple unicast flows can be translated to a single (many-to-one) source IP address: the address of the Layer 3 egress interface, here 123.0.0.1 on Ethernet6.
Before NAT (eth5) :
7150S(config)#bash sudo tcpdump -nni mirror0
22:57:50.233623 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 978
22:57:50.433911 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.16.1234 > 200.0.0.10.80: UDP, length 978
22:57:50.635149 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.17.2222 > 200.0.0.10.80: UDP, length 978
22:57:50.771853 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.18.2222 > 200.0.0.10.80: UDP, length 978
22:57:50.860964 00:ab:00:00:02:23 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
To highlight the overload behaviour, the flows are generated with repeated source ports (1234 and 2222 are each used by two hosts).
The translated source IP address is now the Ethernet6 interface address. Note the Layer 4 ports: a source port that is still free on the overload address is preserved; a source port already in use by another translation is replaced with a newly allocated one (here 1234 –> 1024 and 2222 –> 1025).
After NAT (eth6 – egress):
7150S(config)#bash sudo tcpdump -nni mirror1
22:59:46.372116 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 123.0.0.1.1234 > 200.0.0.10.80: UDP, length 978
22:59:46.572380 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 123.0.0.1.1024 > 200.0.0.10.80: UDP, length 978
22:59:46.709458 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 123.0.0.1.2222 > 200.0.0.10.80: UDP, length 978
22:59:46.873603 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 123.0.0.1.1025 > 200.0.0.10.80: UDP, length 978
22:59:46.946984 00:1c:73:86:00:69 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
Note: Multicast flows cannot get NATed this way. Dynamic Source NAT does not apply to Multicast traffic.
2.2) Configuration for Dynamic Source NAT Overload
! device: 7150S (DCS-7150S-64-CL, EOS-4.14.3F)
!
ip pim rp-address 1.1.1.1
ip pim rp-candidate Loopback0 224.0.0.0/4
!
interface Ethernet5
   no switchport
   ip address 10.0.0.1/24
   ip pim sparse-mode
!
interface Ethernet6
   no switchport
   ip address 123.0.0.1/24
   ip nat source dynamic access-list ACL-IP-ANY overload
   ip ospf network point-to-point
   ip pim sparse-mode
!
interface Loopback0
   ip address 1.1.1.1/32
!
ip access-list ACL-IP-ANY
   10 permit ip any any
!
ip routing
!
ip multicast-routing
!
router ospf 1
   router-id 1.1.1.1
   network 1.1.1.1/32 area 0.0.0.0
   network 10.0.0.1/32 area 0.0.0.0
   network 123.0.0.1/32 area 0.0.0.0
!
2.3) Verification output for Dynamic Source NAT Overload
7150S#show ip nat translation
Source IP        Destination IP   Translated IP     TGT  Type  Intf
-----------------------------------------------------------------------------
10.0.0.15:1234   200.0.0.10:80    123.0.0.1:1234    SRC  DYN   Et6
10.0.0.16:1234   200.0.0.10:80    123.0.0.1:1024    SRC  DYN   Et6
10.0.0.17:2222   200.0.0.10:80    123.0.0.1:1025    SRC  DYN   Et6
10.0.0.18:2222   200.0.0.10:80    123.0.0.1:2222    SRC  DYN   Et6
Verify whether the flow is unidirectional or bidirectional (replied to). In this test environment the traffic is UDP and unidirectional, so every entry is [UNREPLIED]; real TCP traffic should be bidirectional and show a non-zero reply packet count.
7150S#bash sudo conntrack -L
udp 17 17242221 src=10.0.0.15 dst=200.0.0.10 sport=1234 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=123.0.0.1 sport=80 dport=1234 packets=0 bytes=0 [ASSURED] mark=1025 use=1
udp 17 17242221 src=10.0.0.17 dst=200.0.0.10 sport=2222 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=123.0.0.1 sport=80 dport=1025 packets=0 bytes=0 [ASSURED] mark=1025 use=1
udp 17 17242221 src=10.0.0.16 dst=200.0.0.10 sport=1234 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=123.0.0.1 sport=80 dport=1024 packets=0 bytes=0 [ASSURED] mark=1025 use=1
udp 17 17242221 src=10.0.0.18 dst=200.0.0.10 sport=2222 dport=80 packets=1 bytes=1006 [UNREPLIED] src=200.0.0.10 dst=123.0.0.1 sport=80 dport=2222 packets=0 bytes=0 [ASSURED] mark=1025 use=1

7150S#show platform fm6000 nat tcam
Acl  Rule  Source           Port  Destination      Port  Proto  Frag  Vlan  TId
-----------------------------------------------------------------------------
0    0     10.0.0.18/32     2222  200.0.0.10/32    80    2      0     0     3
0    1     200.0.0.10/32    80    123.0.0.1/32     2222  2      0     0     0
0    2     10.0.0.15/32     1234  200.0.0.10/32    80    2      0     0     4
0    3     200.0.0.10/32    80    123.0.0.1/32     1234  2      0     0     0
0    4     10.0.0.17/32     2222  200.0.0.10/32    80    2      0     0     5
0    5     200.0.0.10/32    80    123.0.0.1/32     1024  2      0     0     0
0    6     10.0.0.16/32     1234  200.0.0.10/32    80    2      0     0     6
0    7     200.0.0.10/32    80    123.0.0.1/32     1025  2      0     0     0
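The [UNREPLIED] checks described in sections 1.4 and 2.3 are easy to automate. The following is an added example, not part of the article and not Arista tooling: it parses `conntrack -L` lines as printed on this page and reports the NATed flows that have never received a reply. The first sample line is the pool-NAT entry shown in section 1.4; the other three are constructed here to cover a replied TCP flow, an unreplied overload TCP flow, and a flow that was not translated at all.

```python
"""Report NATed conntrack flows that have never seen a reply (added example).

Assumption: each `conntrack -L` line carries two tuples of
  src= dst= sport= dport= packets= bytes=
(the original direction, then the reply direction); NAT is in effect when the
reply tuple's destination is not simply the original source.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_TUPLE = re.compile(
    r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)\s+packets=(\d+)\s+bytes=(\d+)"
)


@dataclass
class ConntrackFlow:
    proto: str
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    reply_dst: str        # where replies are addressed: the translated address
    reply_dport: int
    orig_packets: int
    reply_packets: int
    unreplied: bool
    assured: bool

    @property
    def translated(self) -> bool:
        """True when the reply tuple does not mirror the original (NAT applied)."""
        return (self.reply_dst, self.reply_dport) != (self.orig_src, self.orig_sport)


def parse_conntrack_line(line: str) -> Optional[ConntrackFlow]:
    """Parse one conntrack line; return None for headers and other non-flow lines."""
    tuples = _TUPLE.findall(line)
    if len(tuples) != 2:
        return None
    (osrc, odst, osport, odport, opk, _), (_, rdst, _, rdport, rpk, _) = tuples
    return ConntrackFlow(
        proto=line.split()[0],
        orig_src=osrc, orig_sport=int(osport), orig_dst=odst, orig_dport=int(odport),
        reply_dst=rdst, reply_dport=int(rdport),
        orig_packets=int(opk), reply_packets=int(rpk),
        unreplied="[UNREPLIED]" in line,
        assured="[ASSURED]" in line,
    )


def unreplied_nat_flows(lines: List[str]) -> List[str]:
    """Describe every translated flow whose reply direction has seen no packets."""
    out = []
    for line in lines:
        f = parse_conntrack_line(line)
        if f is None or not f.translated:
            continue   # not a flow line, or not NATed: nothing to verify here
        if f.unreplied or f.reply_packets == 0:
            out.append(f"{f.proto} {f.orig_src}:{f.orig_sport} -> {f.orig_dst}:{f.orig_dport} "
                       f"(translated to {f.reply_dst}:{f.reply_dport})")
    return out


# Constructed sample: line 1 is from this article, lines 2-4 are made up for the example
SAMPLE = [
    "udp      17 17218671 src=10.0.0.15 dst=200.0.0.10 sport=1234 dport=80 packets=1 bytes=1006 "
    "[UNREPLIED] src=200.0.0.10 dst=172.16.0.189 sport=80 dport=1234 packets=0 bytes=0 [ASSURED] mark=1024 use=1",
    "tcp      6 431999 ESTABLISHED src=10.0.0.20 dst=200.0.0.10 sport=40000 dport=80 packets=12 bytes=1800 "
    "src=200.0.0.10 dst=123.0.0.1 sport=80 dport=40000 packets=10 bytes=9000 [ASSURED] mark=1025 use=1",
    "tcp      6 118 SYN_SENT src=10.0.0.21 dst=200.0.0.10 sport=40001 dport=443 packets=3 bytes=180 "
    "[UNREPLIED] src=200.0.0.10 dst=123.0.0.1 sport=443 dport=1026 packets=0 bytes=0 mark=1025 use=1",
    "udp      17 29 src=10.0.0.1 dst=10.0.0.15 sport=53 dport=5353 packets=1 bytes=80 "
    "[UNREPLIED] src=10.0.0.15 dst=10.0.0.1 sport=5353 dport=53 packets=0 bytes=0 mark=0 use=1",
]

if __name__ == "__main__":
    for entry in unreplied_nat_flows(SAMPLE):
        print("no reply seen:", entry)
```

On the switch the input would come from `bash sudo conntrack -L`; in a lab with one-way UDP generators every translated flow is listed, which is the expected result. In production, a translated TCP flow that keeps appearing in this report is the one to chase: its replies are not coming back through the NAT interface.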
3) Dynamic Source NAT Overload + Specific ACL
3.1) Example
In the previous example, the ACL was a generic permit ip any any.
In this example a host-specific ACL is used to show how to NAT overload traffic selectively, and how the outputs differ.
Before NAT (eth5 – ingress):
7150S(config)#bash sudo tcpdump -nni mirror0
22:54:30.133623 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 978
22:54:30.333911 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.16.1234 > 200.0.0.10.80: UDP, length 978
22:54:30.535149 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.17.2222 > 200.0.0.10.80: UDP, length 978
22:54:30.671853 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype IPv4 (0x0800), length 1020: 10.0.0.18.2222 > 200.0.0.10.80: UDP, length 978
22:54:30.870964 00:ab:00:00:02:23 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
Only the traffic matched by the ACL (source 10.0.0.15 to destination 200.0.0.10) is translated (–> 123.0.0.1); the other flows are forwarded with their original source addresses.
Capture after NAT (eth6 – egress):
7150S(config)#bash sudo tcpdump -nni mirror1
22:55:32.809124 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 10.0.0.16.1234 > 200.0.0.10.80: UDP, length 978
22:55:33.236113 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 10.0.0.18.2222 > 200.0.0.10.80: UDP, length 978
22:55:33.247845 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 123.0.0.1.1234 > 200.0.0.10.80: UDP, length 978
22:55:33.248585 00:1c:73:86:00:69 > 00:1c:73:86:12:f9, ethertype IPv4 (0x0800), length 1020: 10.0.0.17.2222 > 200.0.0.10.80: UDP, length 978
22:55:33.596337 00:1c:73:86:00:69 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 1020: 10.0.0.15.1234 > 239.0.0.1.80: UDP, length 978
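To tie together the three behaviours shown in sections 1.2, 2.1 and 3.1 (pool allocation with the port preserved, overload with port remapping on collision, and ACL-based selection with multicast left alone), here is an added example: a small model of the per-flow decision, written for this article and not taken from it or from Arista. Two things are assumptions, not facts from the page: the pool is consumed in order (the real switch picked 172.16.0.189, .133, .164 and .140, not a sequence), and overload ports are claimed in arrival order (the switch's own order depends on when each translation was created, which is why 10.0.0.17 got 1025 above while this model gives it 2222). The flows are the five from the captures.

```python
"""Model of EOS dynamic source NAT decisions: pool vs. overload (added example).

Assumptions (not from the article): pool addresses are handed out in order,
and an overload port collision is resolved by taking the next free port
starting at 1024. Multicast destinations are never translated.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class AclEntry:
    src: Optional[str]   # None means 'any', otherwise a CIDR
    dst: Optional[str]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s = self.src is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        d = self.dst is None or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
        return s and d


@dataclass
class DynamicSourceNat:
    acl: List[AclEntry]
    mode: str                                   # 'pool' or 'overload'
    interface_ip: str = "123.0.0.1"             # Ethernet6 address used for overload
    pool: List[str] = field(default_factory=list)
    table: Dict[Flow, Tuple[str, int]] = field(default_factory=dict)
    _pool_idx: int = 0
    _ports_in_use: Set[int] = field(default_factory=set)

    def _pick_pool_ip(self) -> str:
        if self._pool_idx >= len(self.pool):
            raise RuntimeError("NAT pool exhausted")
        ip = self.pool[self._pool_idx]
        self._pool_idx += 1
        return ip

    def _pick_overload_port(self, wanted: int) -> int:
        # keep the original port if nobody else holds it on the overload address,
        # otherwise allocate the lowest free port from 1024 upward
        port = wanted if wanted not in self._ports_in_use else 1024
        while port in self._ports_in_use:
            port += 1
        self._ports_in_use.add(port)
        return port

    def translate(self, flow: Flow) -> Flow:
        src_ip, src_port, dst_ip, dst_port = flow
        if ipaddress.ip_address(dst_ip).is_multicast:
            return flow                          # multicast is forwarded untouched
        if not any(e.matches(src_ip, dst_ip) for e in self.acl):
            return flow                          # ACL selects; unmatched traffic is not dropped
        if flow not in self.table:               # one translation per flow, reused afterwards
            if self.mode == "pool":
                self.table[flow] = (self._pick_pool_ip(), src_port)
            elif self.mode == "overload":
                self.table[flow] = (self.interface_ip, self._pick_overload_port(src_port))
            else:
                raise ValueError(f"unknown mode {self.mode!r}")
        new_ip, new_port = self.table[flow]
        return (new_ip, new_port, dst_ip, dst_port)


# Constructed flows mirroring the captures in this article
FLOWS: List[Flow] = [
    ("10.0.0.15", 1234, "200.0.0.10", 80),
    ("10.0.0.16", 1234, "200.0.0.10", 80),   # same source port as 10.0.0.15
    ("10.0.0.17", 2222, "200.0.0.10", 80),
    ("10.0.0.18", 2222, "200.0.0.10", 80),   # same source port as 10.0.0.17
    ("10.0.0.15", 1234, "239.0.0.1", 80),    # multicast, never translated
]


def run(mode: str, acl: List[AclEntry]) -> List[Flow]:
    """Translate FLOWS through a fresh translator (pool NAT-POOL-172: 172.16.0.100-200)."""
    nat = DynamicSourceNat(acl=acl, mode=mode, pool=[f"172.16.0.{i}" for i in range(100, 201)])
    return [nat.translate(f) for f in FLOWS]


if __name__ == "__main__":
    print("pool     :", run("pool", [AclEntry("10.0.0.0/24", None)]))          # ACL-NAT-10
    print("overload :", run("overload", [AclEntry(None, None)]))               # ACL-IP-ANY
    print("selective:", run("overload", [AclEntry("10.0.0.15/32", "200.0.0.10/32")]))  # ACL-NAT-SRC15-DST200
```

The three calls at the bottom use the three ACLs of this article. The selective run is the one to compare with the capture just above: only 10.0.0.15 comes out as 123.0.0.1, and the remaining unicast flows plus the multicast flow keep their original source.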
3.2) Configuration for Dynamic Source NAT Overload + Specific ACL
! device: 7150S (DCS-7150S-64-CL, EOS-4.14.3F)
!
ip pim rp-address 1.1.1.1
ip pim rp-candidate Loopback0 224.0.0.0/4
!
interface Ethernet5
   no switchport
   ip address 10.0.0.1/24
   ip pim sparse-mode
!
interface Ethernet6
   no switchport
   ip address 123.0.0.1/24
   ip nat source dynamic access-list ACL-NAT-SRC15-DST200 overload
   ip ospf network point-to-point
   ip pim sparse-mode
!
interface Loopback0
   ip address 1.1.1.1/32
!
ip access-list ACL-NAT-SRC15-DST200
   10 permit ip host 10.0.0.15 host 200.0.0.10
!
ip routing
!
ip multicast-routing
!
router ospf 1
   router-id 1.1.1.1
   network 1.1.1.1/32 area 0.0.0.0
   network 10.0.0.1/32 area 0.0.0.0
   network 123.0.0.1/32 area 0.0.0.0
!
3.3) Verification outputs for Dynamic Source NAT Overload + specific ACL
7150S#show ip nat translation
Source IP        Destination IP   Translated IP     TGT  Type  Intf
-----------------------------------------------------------------------------
10.0.0.15:1234   200.0.0.10:80    123.0.0.1:1234    SRC  DYN   Et6

7150S#show platform fm6000 nat tcam
Acl  Rule  Source           Port  Destination      Port  Proto  Frag  Vlan  TId
-----------------------------------------------------------------------------
0    1     10.0.0.15/32     1234  200.0.0.10/32    80    2      0     0     4
0    2     200.0.0.10/32    80    123.0.0.1/32     1234  2      0     0     0
Alexis



