VPP source address NAT
2022-08-08 09:01:00 【redwingz】
Basic interface configuration:
DBGvpp# set interface state port7 up
DBGvpp# set interface state port8 up
DBGvpp# set interface ip address port7 50.1.1.1/24
DBGvpp# set interface ip address port8 192.168.1.203/24
Network topology:
|-----------|         |------------|          |---------------|
| 50.1.1.2  |---------|    vpp     |----------| 192.168.1.103 |
|-----------|         |------------|          |---------------|
   Host-A       port7                 port8        Host-B
Enable NAT44:
DBGvpp# nat44 enable
SNAT configuration 1
Configure the in/out roles of the interfaces:
DBGvpp# set interface nat44 in port7 out port8
DBGvpp# nat44 add interface address port8
DBGvpp#
DBGvpp# show nat44 interfaces
NAT44 interfaces:
port7 in
port8 out
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
tenant VRF independent
Ping host 192.168.1.103 from host 50.1.1.2 to test, and capture packets on 103: the source address is translated to 192.168.1.203, i.e. the address of interface port8. Next, add an address pool:
DBGvpp# nat44 add address 192.168.1.204-192.168.1.205
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
tenant VRF independent
192.168.1.204
tenant VRF independent
192.168.1.205
tenant VRF independent
NAT44 twice-nat pool addresses:
Run ping again and capture on 103: the source address is now translated to 192.168.1.205. If host A's address is changed to 50.1.1.25, its source address is translated to 192.168.1.204 from the address pool. See the session list below; the translated address changes with the internal address (host A's address).
DBGvpp# show nat44 sessions
NAT44 ED sessions:
-------- thread 0 vpp_main: 42 sessions --------
i2o 50.1.1.2 proto ICMP port 1 fib 0
o2i 192.168.1.205 proto ICMP port 28717 fib 0
external host 192.168.1.103:1
i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.205 daddr 192.168.1.103 icmp-id 28717 txfib 0
o2i flow: match: saddr 192.168.1.103 sport 28717 daddr 192.168.1.205 dport 28717 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0
index 31
last heard 1175.08
total pkts 6, total bytes 360
dynamic translation
i2o 50.1.1.25 proto ICMP port 1 fib 0
o2i 192.168.1.204 proto ICMP port 49895 fib 0
external host 192.168.1.103:1
i2o flow: match: saddr 50.1.1.25 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.204 daddr 192.168.1.103 icmp-id 49895 txfib 0
o2i flow: match: saddr 192.168.1.103 sport 49895 daddr 192.168.1.204 dport 49895 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.25 icmp-id 1 txfib 0
index 8
last heard 1323.26
total pkts 6, total bytes 360
dynamic translation
SNAT configuration 2
If, on top of the port7->port8 SNAT from the previous section, we also need SNAT for port8->port7, try the following configuration:
DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 del
DBGvpp#
DBGvpp# set interface nat44 in port8 out port7
DBGvpp# nat44 add interface address port7
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
tenant VRF independent
50.1.1.1
tenant VRF independent
NAT44 twice-nat pool addresses:
DBGvpp#
DBGvpp# show nat44 interfaces
NAT44 interfaces:
port8 in out
port7 in out
Now run ping from host B to host A: the two can communicate. Capturing on host A, the source address 192.168.1.103 was translated to 50.1.1.1 (the port7 interface address), so SNAT works normally in this direction. Back to host A pinging host B: capturing on host B, the source address 50.1.1.2 was translated to 50.1.1.1, whereas according to SNAT it should be the outgoing interface IP 192.168.1.203. Looking at the NAT sessions, both directions use the same session.
DBGvpp# show nat44 sessions
i2o 50.1.1.2 proto ICMP port 1 fib 0
o2i 50.1.1.1 proto ICMP port 3449 fib 0
external host 192.168.1.103:1
i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 50.1.1.1 daddr 192.168.1.103 icmp-id 3449 txfib 0
o2i flow: match: saddr 192.168.1.103 sport 3449 daddr 50.1.1.1 dport 3449 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0
index 29
last heard 8132.79
total pkts 168, total bytes 10080
dynamic translation
Add another address to the address pool as shown below. Now host A cannot reach host B: looking on host B, the source address 50.1.1.2 was translated to 192.168.1.204, but for an unknown reason the pool address 192.168.1.204 does not respond to ARP requests, so the ping reply cannot be sent.
Before address 192.168.1.204 was added, the two could communicate: when host A sent a ping request, NAT selected address 50.1.1.1, and since that address is not on the same subnet as host B's address 192.168.1.103, host B sends no ARP request for the hardware address of 50.1.1.1.
DBGvpp# nat44 add address 192.168.1.204
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
tenant VRF independent
50.1.1.1
tenant VRF independent
192.168.1.204
tenant VRF independent
NAT44 twice-nat pool addresses:
It can be seen that the selection of an address from the NAT address pool is random: the choice is not associated with the outgoing interface, nor is there any preference for an address on the same subnet as the destination address. Doing SNAT on both sides at the same time does not appear to work.
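The session dumps in configurations 1 and 2 above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that parses the "i2o flow" lines of `show nat44 sessions` (format as shown on this page), decides the egress interface from the destination address, and flags rewrites whose translated source is not in the pool or not on the egress interface's subnet. The interface map and pool set are constructed from this page's topology; the function names are hypothetical.

```python
import re
from ipaddress import ip_address, ip_interface

# Matches one 'i2o flow' line of `show nat44 sessions` as printed on this page.
FLOW_RE = re.compile(
    r"i2o flow: match: saddr (?P<saddr>\S+) sport (?P<sport>\d+) "
    r"daddr (?P<daddr>\S+) dport (?P<dport>\d+) proto (?P<proto>\S+) "
    r".*?rewrite: saddr (?P<nat_saddr>\S+) daddr (?P<nat_daddr>\S+)"
)

def parse_i2o_flows(text):
    """Return one dict per 'i2o flow' line in the session dump."""
    return [m.groupdict() for m in FLOW_RE.finditer(text)]

def egress_interface(daddr, interfaces):
    """Name of the interface whose connected subnet contains daddr (None if none)."""
    dst = ip_address(daddr)
    for name, cidr in interfaces.items():
        if dst in ip_interface(cidr).network:
            return name
    return None

def audit_sessions(text, interfaces, pool):
    """Return (inside_saddr, nat_saddr, egress, reason) for each suspicious rewrite."""
    findings = []
    for flow in parse_i2o_flows(text):
        nat_src = ip_address(flow["nat_saddr"])
        egress = egress_interface(flow["daddr"], interfaces)
        if flow["nat_saddr"] not in pool:
            findings.append((flow["saddr"], flow["nat_saddr"], egress, "not in pool"))
        elif egress and nat_src not in ip_interface(interfaces[egress]).network:
            # Pool address picked without regard to the egress interface (configuration 2 symptom).
            findings.append((flow["saddr"], flow["nat_saddr"], egress, "off egress subnet"))
    return findings

# Constructed sample: this page's topology plus the 'i2o flow' lines of the two dumps.
INTERFACES = {"port7": "50.1.1.1/24", "port8": "192.168.1.203/24"}
POOL = {"192.168.1.203", "192.168.1.204", "192.168.1.205", "50.1.1.1"}
CONFIG1_DUMP = (
    "i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 "
    "rewrite: saddr 192.168.1.205 daddr 192.168.1.103 icmp-id 28717 txfib 0\n"
)
CONFIG2_DUMP = (
    "i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 "
    "rewrite: saddr 50.1.1.1 daddr 192.168.1.103 icmp-id 3449 txfib 0\n"
)

if __name__ == "__main__":
    for finding in audit_sessions(CONFIG2_DUMP, INTERFACES, POOL):
        print("suspicious i2o rewrite:", finding)
```

The configuration 1 dump produces no findings, while the configuration 2 dump reports 50.1.1.2 being rewritten to 50.1.1.1 although the packet leaves via port8.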
SNAT configuration 3
Enable the output-feature option as follows.
DBGvpp# set interface nat44 in port7
DBGvpp# set interface nat44 out port8 output-feature
DBGvpp# nat44 add interface address port8
DBGvpp#
DBGvpp# show nat44 interfaces
NAT44 interfaces:
port7 in
port8 output-feature in out
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
tenant VRF independent
NAT44 twice-nat pool addresses:
After enabling the output-feature option, in2out address translation is performed in the node nat-pre-in2out-output on the ip4-output arc, which runs before the ACL plugin's acl-plugin-out-ip4-fa. Here the ACL out policy must therefore be written against the translated address in order to take effect.
    /* VPP NAT plugin: feature registration for the output-feature in2out path */
    VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
      .arc_name = "ip4-output",
      .node_name = "nat-pre-in2out-output",
      .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
      .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
    };
Without output-feature, NAT translation is implemented in the ip4-unicast nodes nat-pre-in2out and nat-pre-out2in. Both sit after the ACL plugin's acl-plugin-in-ip4-fa, so address translation is performed after the acl rules have been evaluated.
    /* VPP NAT plugin: feature registrations for the ip4-unicast in2out/out2in paths */
    VNET_FEATURE_INIT (nat_pre_in2out, static) = {
      .arc_name = "ip4-unicast",
      .node_name = "nat-pre-in2out",
      .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
                                   "ip4-sv-reassembly-feature"),
    };
    VNET_FEATURE_INIT (nat_pre_out2in, static) = {
      .arc_name = "ip4-unicast",
      .node_name = "nat-pre-out2in",
      .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
                                   "ip4-dhcp-client-detect",
                                   "ip4-sv-reassembly-feature"),
    };