DRAFT: BROCADE CONFIDENTIAL 53-1002288-02 August 2011 ServerIron ADX NAT64 Configuration Guide Supporting Brocade ServerIron ADX version 12.3.
© 2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents

About This Document
    Audience                                         vii
    Supported hardware and software                  vii
    Document conventions                             vii
        Text formatting                              vii
        Notes, cautions, and danger notices
    Route injection NAT64                                                     13
        NAT64 route injection example                                         14
    HTTP client IP address insertion                                          15
        Enabling HTTP client IP address insertion                             16
    Configuring packet fragmentation with IPv6-only client to IPv4 resource
Chapter 4  Access Control List
    How ServerIron processes ACLs                                             41
        Prior to release 12.3.01                                              41
        Beginning with release 12.3.01 and later                              41
        Rule-based ACLs                                                       42
        How fragmented packets are processed                                  42
        Default ACL action
    Displaying ACL bindings                                                   78
    Troubleshooting rule-based ACLs                                           78

Chapter 5  IPv6 Access Control Lists
    ACL overview                                                              81
        Configuration Notes                                                   82
        Processing of IPv6 ACLs
About This Document

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols, where applicable to your network: IP, RIP, OSPF, BGP, IS-IS, IGMP, PIM, DVMRP, and VRRP.
bold text    Identifies command names, the names of user-manipulated GUI elements, keywords, and text to enter at the GUI or CLI
italic text  Provides emphasis, and identifies variables and document titles
code text    Identifies CLI output

For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.
Corporation            Referenced trademarks and products
Microsoft Corporation  Windows NT, Windows 2000
The Open Group         Linux

Related publications

The following Brocade documents supplement the information in this guide:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.
Chapter 1  NAT64 Overview

When the Internet Assigned Numbers Authority (IANA) standardized IPv4 in 1981, no one could have foreseen that its seemingly plentiful pool of 4 billion addresses would become depleted. According to Internet World Stats, Internet usage grew by 444.8 percent between 2000 and 2010.
Topology B: Similarly, the Brocade ServerIron ADX enables organizations to offer new IPv6-based services to their existing IPv4 clients.
Disadvantages of NAT64

• Because addresses are translated between IPv4 and IPv6, the originating client IP address is lost to the resource unless it is captured by some other means, such as the client IP insertion available on the ServerIron ADX.
NAT46 gateway

The NAT46 gateway receives IPv4 packets whose destination IPv4 address is mapped to an internal IPv6 resource. It translates that IPv4 destination address to the IPv6 address used by the resource. Return packets from the IPv6 resource are mapped back to the client's IPv4 address. NAT46 is stateless, meaning that the NAT46 gateway does not keep track of the connections between the IPv4 client and the IPv6 resource; each packet is translated independently using the mapping table.
TABLE 2  ICMPv4 to ICMPv6 message translation

ICMPv4 message                          ICMPv6 message
Destination Unreachable (Type 3)        Destination Unreachable (Type 1)
  net unreachable (code 0)                no route (code 0)
  host unreachable (code 1)               no route (code 0)
  protocol unreachable (code 2)           Parameter Problem (Type 4), unrecognized next header (code 1)
  port unreachable (code 3)               port unreachable (code 4)
  fragmentation needed (code 4)           Packet Too Big (Type 2), code 0
  route fai
• populates the fragment ID, offset, and flags of the IPv4 header

For the IPv4 to IPv6 direction, the ADX:
• extracts the fragmentation information stored in the IPv4 header
• creates and populates the IPv6 fragment header

NOTE
Because the ICMP checksum mechanism in IPv6 differs from that in IPv4 (the ICMPv6 checksum also covers a pseudo-header), ICMP fragmentation is currently not supported, and all fragmented ICMP packets received on either IPv6 or IPv4 are dropped.
• NAT pool IP
• NAT port

A user can recreate the IPv6 destination address by concatenating the NAT64 prefix and the IPv4 destination address. Currently a Syslog message is sent each time a flow session pair is created; there is no buffering or batching in the current release. Beginning with release 12.3.01a, connection creation is logged. The ServerIron ADX does not currently log connection teardown, so a NAT pool address and port can be reused by a later session without any corresponding close record in the log.
TABLE 3  Display fields for NAT64 connection logging

Field        Displays
USER.INFO    Informational message
Time stamp   The date and time the message was logged
NAT64-EST    NAT64 session creation event
proto        The protocol (UDP or TCP)
sip          The client IPv6 address
sp           The client port
prefix       The NAT64 prefix in the destination address
dip          The IPv4 address embedded in the destination IPv6 address
dp           The destination port
Chapter 2  IPv6-only client to IPv4 resource

Overview

A NAT64 gateway enables IPv6-only clients and IPv4 resources to communicate with each other through address and packet translation. The translation is performed on the NAT64 gateway using stateful sessions. This mode requires the following components:
• NAT64 Prefix: the NAT64 prefix converts the IPv4 address of the IPv4-only resource into an IPv6 address that the IPv6 client can send a request to.
The DNS64 server (not supplied by Brocade) is configured to respond to a query from the IPv6 client with an IPv6 address formed from the NAT64 prefix and the IPv4 address of the IPv4-only server. In the example shown in Figure 3, the IPv6 client queries the DNS64 server for the address of "www.brocadetest.com", and the DNS64 server responds with the IPv6 address "2001:db8::100.1.1.1".
Configuring NAT64 for IPv6-only client to IPv4 resource

Basic configuration of NAT64 for an IPv6-only client to an IPv4-only resource consists of the following:
• Configure a NAT64 IPv6 prefix (required)
• Configure an IPv4 NAT address pool (required)
• Enable the ServerIron ADX to delete sticky sessions (optional)
• Enable connection logging (optional)
Other configuration options are described later in the chapter.
The variable specifies the IPv4 address at the end of the NAT64 pool range; it should be the highest-numbered IPv4 address in the range. The prefix length option uses the CIDR prefix value specified by the variable to identify the portion of the IPv4 address that is common to all addresses in the pool. For example, you can use "24" for the length of the CIDR prefix.
IPv6-only client to IPv4 resource sample configuration

The following example provides the commands required on a ServerIron ADX to enable the basic IPv6-only client to IPv4 resource configuration shown in Figure 5.

FIGURE 5  NAT64 stateful example: DNS64 server; IPv6-only client (IPv6 address 2001:db8:ccc::1); ServerIron ADX with NAT64 (IPv6 on the client side, IPv6 + IPv4 on the server side; NAT64 prefix); IPv4-only server (IPv4 address 100.1.1.)
For resources that are mapped to the subnet defined by the IPv6 prefix, the nat64 ipv6-prefix command has an option to identify an interface on the ServerIron ADX (Ethernet or VE). The interface specified must have an IPv6 address and should be the interface that is directly connected to the adjacent router.
FIGURE 7  NAT64 route injection example: IPv6-only client in OSPF Area 1; upstream IPv6 router; ServerIron ADX with NAT64 (port 1, port 2, port 3) in OSPF Area 0; downstream IPv4 router; IPv4-only server. NAT64 prefix 2001:db8:8000::0/96; NAT64 IPv4 address pool 192.0.2.1 - 192.0.2.
After insertion, the HTTP request will be:

    GET /abc/index.html HTTP/1.0\r\n
    Host: foo.com\r\n
    ...
    Connection: Keep-Alive\r\n
    X-Forwarded-For: 2001:db8::6401:101\r\n
    \r\n

Because any client can send an X-Forwarded-For header of its own, servers behind the ADX should trust only the value the ADX inserts, and should not accept this header on connections that did not arrive through the ADX.

No automatic detection of HTTP traffic

Client IP address insertion must be enabled for the port running HTTP traffic. The ServerIron ADX does not automatically detect HTTP traffic on any port.
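The insertion shown above only helps if the backend reads the header correctly. The following is an added example, not Brocade code and not part of this guide: a backend-side routine that recovers the client address from a request forwarded by the ADX. It assumes (not stated on the page) that the backend's TCP peer is an address from the ADX NAT64 IPv4 pool, that the value the ADX inserts is the last X-Forwarded-For entry in the request, and that 192.0.2.0/24 and both sample requests are constructed values.

```python
"""Recover the client address from a request forwarded by the ADX with
HTTP client IP address insertion enabled.

Added example, not Brocade code.  Assumptions (not from the page): the
backend sees the ADX's NAT pool address as its TCP peer, and the value the
ADX inserts is the last X-Forwarded-For entry in the request, as with any
proxy that appends to that header.  Both sample requests are constructed.
"""
import ipaddress

# Constructed: addresses the backend treats as trusted proxies, i.e. the
# NAT64 IPv4 pool from which the ADX sources translated connections.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

# The request shown in the text, after insertion.
CLEAN_REQUEST = ("GET /abc/index.html HTTP/1.0\r\n"
                 "Host: foo.com\r\n"
                 "Connection: Keep-Alive\r\n"
                 "X-Forwarded-For: 2001:db8::6401:101\r\n"
                 "\r\n")
# Same request, but the client pre-supplied a forged header before it
# reached the ADX; the ADX's own value still comes last.
SPOOFED_REQUEST = ("GET /abc/index.html HTTP/1.0\r\n"
                   "Host: foo.com\r\n"
                   "X-Forwarded-For: 10.0.0.1, 203.0.113.9\r\n"
                   "X-Forwarded-For: 2001:db8::6401:101\r\n"
                   "\r\n")

def parse_request(raw: str):
    """Split an HTTP/1.x request head into (request_line, [(name, value), ...]).
    Header order and duplicates are kept: X-Forwarded-For may repeat."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return head[0], headers

def forwarded_chain(headers) -> list:
    """Every X-Forwarded-For value, in wire order, as one list of hops."""
    chain = []
    for name, value in headers:
        if name == "x-forwarded-for":
            chain.extend(v.strip() for v in value.split(",") if v.strip())
    return chain

def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)

def client_address(raw: str, peer: str) -> str:
    """Address the backend should attribute the request to.

    Only a request that arrived from a trusted proxy may carry a usable
    header at all.  The chain is walked from the right, the end the trusted
    proxy wrote, skipping further trusted proxies; the first untrusted hop
    is the client.  Everything left of it was supplied by that client and
    is ignored, and a malformed hop falls back to the TCP peer.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not is_trusted(peer_ip):
        return str(peer_ip)
    for hop in reversed(forwarded_chain(parse_request(raw)[1])):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_ip)
        if not is_trusted(ip):
            return str(ip)
    return str(peer_ip)
```

Walking the chain from the right is what makes a client-supplied X-Forwarded-For harmless: whatever the client put in front of the ADX's value is never consulted. If client IP insertion is not enabled on the port, no header is present and the function falls back to the NAT pool address, which is all the IPv4 server can otherwise see.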
Regular packets: IP total length greater than 1480 bytes
Fragmented packets: IP total length greater than 1480 + 8 bytes

If a packet exceeds these limits, one of the following actions is taken:
1. If the frag-664-reverse-full-sized-pkt command is configured, the packet is split and no further action is taken.
2.
Forwarding can become asymmetric when there are failovers. For example, using the topology shown in Figure 8, the following could occur:
1. The link from the downstream router to ADX-1 goes down.
2. ADX-1 receives a request from the upstream router, which is forwarded to the downstream router via ADX-2.
3. The downstream router then forwards the response to the upstream router via ADX-2.
4.
Displaying session information

You can use the show session all command at the rconsole to display sessions on the ServerIron ADX, including NAT64 sessions. NAT64 sessions are indicated by a unique session type in the output, as shown in the following example.
TABLE 5  Display fields for show nat translation

Field       Displays
Pro         The Layer 4 protocol: TCP, UDP, or ICMP
Client IP   The IPv6 client address
NAT IP      The translated address from the NAT64 IPv4 pool
Dest IP     The address of the internal IPv4 resource

Displaying NAT64 statistics

You can use the show nat64 statistics command at the rconsole to display statistics for the NAT64 gateway.
      UDP 6->4 = 0
      UDP 4->6 = 0
      Static pending or error in entry drop = 0
    Stateful Statistics:
      TCP 6->4 = 17
      TCP 4->6 = 16
      TCP reverse no session drop = 0
      UDP 6->4 = 0
      UDP 4->6 = 0
      UDP reverse no session drop = 0
    NAT64 NAT pool Statistics:
      6->4: TCP: NAT port allocated = 3
      6->4: TCP: NAT port not available = 0
      6->4: TCP: NAT port freed = 3
    NAT64 HA Statistics:
      Message sync sent = 0
      Message sync received = 0
      Error during sending sync messages = 0
      Error during rec
TABLE 6  Display fields for show nat64 statistics (Continued)

Field                                        Displays
4->6 initiate dynamic learning =             Stateless: the number of DNS dynamic learnings initiated to discover an IPv6 address.
6->4 cannot initiate learning table full =   The number of DNS learnings not initiated for IPv4 address discovery because the table was full.
TABLE 6  Display fields for show nat64 statistics (Continued)

Field                            Displays
Stateful Statistics:
TCP 6->4 =                       The number of IPv6 TCP packets that have been translated to IPv4.
TCP 4->6 =                       The number of IPv4 TCP packets that have been translated to IPv6.
TCP reverse no session drop =    The number of TCP packets dropped because no reverse session was present.
    ServerIron ADX# rconsole 1 1
    ServerIron ADX1/1# show nat64 resources
    ********************* NAT64 Gateway RESOURCES *********************
    NAT64 only feature enabled: Yes
    NAT64 Stateless enabled: No
    NAT64 Stateful enabled: Yes
    NAT64 IPv6 prefixes:
    ------------------
    IPv6 Prefix: 4003::
    Number of IPv6 prefixes: 1
    Stateless IPv6 prefix: Not Configured
    NAT64 Stateless:
    ------------------
    IPv6 map hash table size: 1024
    Max mapping entries: 1024
    Number of
TABLE 7  Display fields for show ip nat statistics (Continued)

Field                                 Displays
Number of free map entries:           The number of free map entries.
NAT64 IPv4 NAT Pools:                 Lists all NAT64 pool configuration.
Number of NAT pools configured:       The number of NAT pools configured on the system.
Number of NAT pool IPs configured:    The number of NAT pool IP addresses configured on the system. The maximum is 192.
NAT64 Connection logging

A ServerIron ADX provides NAT64 connection logging so that administrators can audit the NAT64 connections created on the device. You can configure the ServerIron ADX to send a message to an external Syslog server each time NAT64 creates session table entries for NAT64 traffic. The forward flow for NAT64 is from the IPv6 client to the NAT64 IPv6 prefix::ipv4 destination address.
Enabling NAT64 connection logging

You can enable NAT64 connection logging using the following commands.

    adx-nat64# conf t
    adx-nat64(config)# nat64 connection-log
    adx-nat64(config)#

Syntax: [no] nat64 connection-log

Because one message is sent per session with no batching, a burst of new sessions produces a matching burst of Syslog traffic; send it to a collector you control on a management network.

Example of NAT64 connection logging

The following example shows Syslog output for NAT64 connection logging.

    USER.INFO Jul 13 02:44:47 192.168.13.1 NAT64-EST proto=UDP sip=2013::20c:29ff:fe06:4473 sp=53947 prefix=3013:: dip=192.168.130.
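The connection-log fields listed in Chapter 1 and the Syslog record above are what an investigator has to work with when an IPv4 server reports abuse from a NAT pool address. The following added example (mine, not Brocade code) parses NAT64-EST records, rebuilds the prefix::ipv4 destination the client actually used, and answers the reverse question. The records are constructed to follow the field layout given in the text; the names nip and np for the NAT pool IP and NAT port fields are an assumption, because the page does not show them.

```python
"""Parse NAT64-EST syslog records from the ADX and rebuild the IPv6
destination the client used (NAT64 prefix + embedded IPv4 address).

Added example, not Brocade code.  The records below are constructed to follow
the field layout given in the text (proto, sip, sp, prefix, dip, dp, then the
NAT pool IP and NAT port); the names 'nip' and 'np' for the last two fields
are an assumption, since the page does not show them.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records; the third is deliberately truncated, as a
# syslog line can be.
SAMPLE_LOG = """\
USER.INFO Jul 13 02:44:47 192.168.13.1 NAT64-EST proto=UDP sip=2013::20c:29ff:fe06:4473 sp=53947 prefix=3013:: dip=192.168.130.50 dp=53 nip=192.168.13.200 np=40001
USER.INFO Jul 13 02:44:48 192.168.13.1 NAT64-EST proto=TCP sip=2013::20c:29ff:fe06:4473 sp=41002 prefix=3013:: dip=192.168.130.50 dp=80 nip=192.168.13.200 np=40002
USER.INFO Jul 13 02:44:49 192.168.13.1 NAT64-EST proto=TCP sip=2013::1 sp=1 prefix=3013:: dip=192.168.130.
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Nat64Session:
    proto: str
    client: str        # sip: the IPv6 client
    client_port: int
    dest_v6: str       # prefix::ipv4, the address the client actually sent to
    dest_v4: str       # dip: the IPv4 resource reached
    dest_port: int
    nat_ip: str        # NAT pool address the IPv4 resource saw as its peer
    nat_port: int

def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesise a /96 NAT64 address: prefix in the top 96 bits, IPv4 in the low 32."""
    net = ipaddress.IPv6Network(f"{prefix}/96", strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def extract_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """Inverse of embed_ipv4; None if the address is native IPv6 (outside the prefix)."""
    net = ipaddress.IPv6Network(f"{prefix}/96", strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)) if addr in net else None

def parse_line(line: str) -> Optional[Nat64Session]:
    if "NAT64-EST" not in line:
        return None
    f = dict(FIELD_RE.findall(line.split("NAT64-EST", 1)[1]))
    try:
        return Nat64Session(
            proto=f["proto"],
            client=str(ipaddress.IPv6Address(f["sip"])),
            client_port=int(f["sp"]),
            dest_v6=embed_ipv4(f["prefix"], f["dip"]),
            dest_v4=str(ipaddress.IPv4Address(f["dip"])),
            dest_port=int(f["dp"]),
            nat_ip=str(ipaddress.IPv4Address(f["nip"])),
            nat_port=int(f["np"]),
        )
    except (KeyError, ValueError):
        return None      # truncated or malformed record: drop it rather than guess

def parse_log(text: str) -> List[Nat64Session]:
    return [s for s in map(parse_line, text.splitlines()) if s is not None]

def attribute(sessions, nat_ip: str, nat_port: int, proto: str) -> Optional[str]:
    """The audit question connection logging exists for: which IPv6 client was
    behind the NAT pool address/port that appears in the IPv4 server's logs?"""
    for s in sessions:
        if (s.nat_ip, s.nat_port, s.proto) == (nat_ip, nat_port, proto):
            return s.client
    return None
```

Because connection teardown is not logged, a NAT pool address and port will be reused over time; in a real investigation, constrain attribute() to the time window of the server-side event as well, and keep the synthesised dest_v6 so the client's view of the destination can be matched against DNS64 answers.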
Chapter 3  IPv4-only client to IPv6 resource

Overview

A NAT46 gateway enables IPv4-only clients and IPv6 resources to communicate with each other through address and packet translation. The translation is performed in stateless mode on a NAT46 gateway using a mapping table. The mapping table matches IPv4 request packets that the client sends to the gateway to the IPv6 destination address of the IPv6 resource.
• DNS Dynamic Learning: if a packet arrives at the NAT46 gateway with an IPv4 destination address within the range defined by the NAT64 IPv4 prefix, and the mapping table contains no entry for that IPv4 address, the gateway sends a PTR query to the DNS64 server to obtain the hostname of the resource being reached. Because any IPv4 packet to an unmapped address in the prefix triggers a query and the mapping table is finite, watch the "cannot initiate learning table full" counter in show nat64 statistics, and consider the prefetch and dns-fail-holdoff options described later in this chapter.
FIGURE 10  IPv6 client to DNS server communication: the IPv4 client queries the DNS64 server for www.brocadetest.com and receives 100.1.1.1.

The request packet is then sent with the IPv4 source address of the client (192.0.2.1) to the destination IPv4 address obtained for "brocadetest.com" (100.1.1.1) from the DNS64 server. The packet destined for "brocadetest.
In this example, the IPv4 address (100.1.1.1) is extracted from the concatenated IPv6 address and used as the source address of the packet forwarded to the IPv4 client. That address is mapped to the client's IPv4 address (192.0.2.1) in the mapping table, which is used as the destination IPv4 address.
Syntax: [no] nat64 ipv6-prefix [inject-static-route {ve | ethernet}] stateless

The variable specifies the NAT64 IPv6 prefix that the ServerIron ADX uses when operating as a NAT46 gateway. The inject-static-route option advertises the subnet defined by the variable on the IPv6 network.
IPv4-only client to IPv6 resource sample configuration

The example in Figure 12 is a NAT46 configuration that uses the DNS Dynamic Learning method to populate its translation map.

FIGURE 12  NAT64 stateless example: DNS64 server (IPv4 address 192.168.13.50); IPv4-only client (IPv4 address 192.0.2.1); ServerIron ADX with NAT46 (IPv4 on the client side, IPv6 + IPv4 on the server side); IPv6-only server (IPv6 address 2001:dba:fff.)
Changing the DNS back-off interval

To change the back-off interval for DNS discovery (during which the ServerIron ADX does not re-query the DNS server for a mapping that recently failed), use the following command.

    ServerIron ADX(config)# nat64 dns-fail-holdoff 300

Pre-fetching IP mappings from the DNS server

To pre-fetch all of the available mappings for the IPv4 subnet defined by the IPv4 prefix, use the prefetch option as shown.
Figure 13 shows a typical IPv4-only client to IPv6 resource topology configured with router adjacencies on both the IPv4 and IPv6 sides of the ServerIron ADX. In this configuration, the routes defined by the IPv4 prefix and the IPv6 prefix are advertised to the adjacent routers and distributed to the respective networks by the configured routing protocol.
For a description of NAT64 route injection see "Route injection NAT46" on page 35.

FIGURE 14  NAT64 route injection example: IPv4-only client; upstream IPv4 router in OSPF Area 1; ServerIron ADX with NAT64 (port 1, port 2, port 3); downstream IPv6 router in OSPF Area 0; IPv6-only server. NAT64 IPv6 prefix 2001:db8:8000::0/96; NAT64 IPv4 prefix 100.1.1.
If a packet exceeds these limits, one of the following actions is taken:
1. If the frag-664-reverse-full-sized-pkt command is configured, the packet is split and no further action is taken.
2. If the condition in step 1 is not met and the DF bit is set by the server, a "fragmentation needed" ICMP error message is sent.
3. If neither condition is met, the packet is split.
    1.1.1.3                               DNS pending
    *******************************

Syntax: show nat64 map { | | all }

The first variable specifies the IPv4 address of the IPv4-IPv6 mapping that you want to display. The second variable specifies the IPv6 address of the IPv4-IPv6 mapping that you want to display. The all parameter displays all configured stateless static NAT64 IPv4-IPv6 address mappings.
Clearing IPv6-IPv4 mappings learned through DNS

You can use the clear nat64 dns-dynamic-mapping command to clear IPv6-IPv4 mappings learned through DNS on a ServerIron ADX. The command is issued as follows.

    ServerIron ADX# clear nat64 dns-dynamic-mapping 1.1.1.1

Syntax: clear nat64 dns-dynamic-mapping { | | all }

The first variable specifies the IPv4 address of the IPv4-IPv6 mapping that you want to clear.
Chapter 4  Access Control List

How ServerIron processes ACLs

This chapter describes the Access Control List (ACL) feature. ACLs allow you to filter traffic based on the information in the IP packet header. Depending on the Brocade device, the device may also support Layer 2 ACLs, which filter traffic based on Layer 2 MAC header fields. You can use IP ACLs to provide input to other features such as distribution lists and rate limiting.
Backwards compatibility option: you can use the ip flow-based-acl-enable command to provide backwards compatibility for IPv4 ACL processing. When this command is configured, packets for Layer 4 - 7 traffic are processed in hardware and then forwarded to the BPs, where the BPs also process the ACLs. The command is configured as shown in the following.
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as a non-fragmented packet, because it contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies it according to the first matching entry.
Types of IP ACLs

Rule-based ACLs can be configured as standard or extended ACLs. A standard ACL permits or denies packets based on source IP address. An extended ACL permits or denies packets based on source and destination IP address and also on IP protocol information. Standard or extended ACLs can be numbered or named. Standard numbered ACLs have an ID of 1 - 99. Extended numbered ACLs are numbered 100 - 199.
3. Execute the write memory command to save the running configuration to the startup-config, then reload the ServerIron ADX.

The actual number of ACLs you can configure and store in the startup-config file depends on the amount of memory available on the device for storing the startup-config. Storing 4096 ACLs in the startup-config file requires at least 250K bytes, which is larger than the space available on a device's flash memory module.
Make sure you specify a maximum that is equal to or greater than the largest number of entries required by any ACL applied to the ports managed by the same IPC or IGC. For example, if port 1 will have an ACL that requires 250 entries, make sure 250 is the lowest number of entries you specify for any port on IPC 1 (the IPC that manages ports 1 - 24).
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard ACLs. There is no limit to the number of entries an ACL can contain other than the system-wide limit. For the number of ACL entries supported on a device, refer to "ACL IDs and entries" on page 44. To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.
significant bits) and changes the non-significant portion of the IP address to zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255 and then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
• User Datagram Protocol (UDP)

For TCP and UDP, you can also specify a comparison operator and a port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IP address to the website's IP address. To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 209.157.22.
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 lt telnet neq 5
    ServerIronADX(config)# access-list 103 deny udp any range 5 6 209.157.22.0/24 range 7 8
The first address parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any. The mask parameter specifies the portion of the source IP host address to match against. The mask is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the corresponding bits of the packet's source address must match the address bits exactly; ones mean those bits are ignored.
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable

The operator parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
• flash or 3: the ACL matches packets that have the flash precedence. If you specify the option number instead of the name, specify 3.
• flash-override or 4: the ACL matches packets that have the flash override precedence. If you specify the option number instead of the name, specify 4.
• immediate or 2: the ACL matches packets that have the immediate precedence.
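The following added example (mine, not Brocade code, and not a description of the ServerIron's hardware path) models the matching rules of this section as a small Python reference: wildcard-mask and CIDR normalisation as it appears in the startup-config, standard and extended entries written in the page's own access-list syntax, the port operators, first-match evaluation with the implicit deny at the end, and the per-interface "ip access-group frag deny" behaviour described later in this chapter. The sample ACLs and packets are constructed; treating several operators after one address (as in "lt telnet neq 5") as conditions that must all hold is an assumption.

```python
"""Reference model of the rule-based IP ACL matching described in this chapter.

Added example, not Brocade code.  Standard ACLs match on source address only;
extended ACLs on protocol, source, destination and optional port operators
(eq, neq, lt, gt, range).  Entries are tested in order, the first match wins,
and an ACL that matches nothing denies.  Masks are wildcard masks (0 = bit must
match) or CIDR prefixes, normalised as the startup-config shows them.
Assumption: several operators after one address ('lt telnet neq 5') must all hold.
Packets are constructed dicts; nothing here touches hardware or the CAM.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

WELL_KNOWN = {"ftp": 21, "telnet": 23, "http": 80}   # port names used on the page
PORT_OPS = ("eq", "neq", "lt", "gt", "range")
_port = lambda s: WELL_KNOWN.get(s) or int(s)

def to_network(addr: str, wildcard: Optional[str] = None) -> ipaddress.IPv4Network:
    """'any', 'a.b.c.d/len' or 'a.b.c.d w.x.y.z' -> network with host bits zeroed."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if wildcard is None:
        return ipaddress.IPv4Network(addr, strict=False)   # 209.157.22.26/24 -> 209.157.22.0/24
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wc.bit_length()
    if wc != (1 << (32 - prefixlen)) - 1:   # only contiguous low-order ones map to a prefix
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)

@dataclass
class PortMatch:
    op: str
    lo: int
    hi: int = 0
    def matches(self, port: Optional[int]) -> bool:
        if port is None:                    # no Layer 4 header, e.g. a non-initial fragment
            return False
        return {"eq": port == self.lo, "neq": port != self.lo, "lt": port < self.lo,
                "gt": port > self.lo, "range": self.lo <= port <= self.hi}[self.op]

@dataclass
class Entry:
    action: str                                  # permit | deny
    src: ipaddress.IPv4Network
    proto: Optional[str] = None                  # None: standard ACL (source only)
    dst: Optional[ipaddress.IPv4Network] = None
    sport: list = field(default_factory=list)    # PortMatch conditions, source port
    dport: list = field(default_factory=list)    # PortMatch conditions, destination port
    def l3_match(self, pkt: dict) -> bool:
        if ipaddress.IPv4Address(pkt["src"]) not in self.src:
            return False
        if self.proto is None:
            return True
        return ((self.proto == "ip" or pkt["proto"] == self.proto)
                and ipaddress.IPv4Address(pkt["dst"]) in self.dst)
    def matches(self, pkt: dict) -> bool:
        return (self.l3_match(pkt)
                and all(p.matches(pkt.get("sport")) for p in self.sport)
                and all(p.matches(pkt.get("dport")) for p in self.dport))

def _take_addr(tok: list) -> ipaddress.IPv4Network:
    t = tok.pop(0)
    if t == "any":
        return to_network("any")
    if t == "host":
        return to_network(tok.pop(0) + "/32")
    return to_network(t) if "/" in t else to_network(t, tok.pop(0))   # addr + wildcard

def _take_ports(tok: list) -> list:
    ports = []
    while tok and tok[0] in PORT_OPS:
        op, lo = tok.pop(0), _port(tok.pop(0))
        ports.append(PortMatch(op, lo, _port(tok.pop(0)) if op == "range" else 0))
    return ports

def parse_entry(text: str) -> Entry:
    """Parse what follows 'access-list <num>', e.g. 'deny tcp 209.157.21.0/24 209.157.22.0/24 lt telnet neq 5'."""
    tok = text.split()
    action = tok.pop(0)
    if tok[0] not in ("tcp", "udp", "icmp", "ip"):
        return Entry(action, _take_addr(tok))                       # standard ACL
    proto = tok.pop(0)
    src, sport = _take_addr(tok), _take_ports(tok)
    dst, dport = _take_addr(tok), _take_ports(tok)
    return Entry(action, src, proto, dst, sport, dport)

def evaluate(acl: list, pkt: dict, frag_deny: bool = False) -> str:
    """First match wins; no match is an implicit deny.  frag_deny models 'ip access-group
    frag deny': a fragment whose addresses fall in an entry with Layer 4 information is
    dropped even if that entry permits."""
    is_fragment = pkt.get("fragment_offset", 0) != 0 or pkt.get("more_fragments", False)
    for e in acl:
        if frag_deny and is_fragment and (e.sport or e.dport) and e.l3_match(pkt):
            return "deny"
        if e.matches(pkt):
            return e.action
    return "deny"

# Constructed sample ACLs, written in the page's own entry syntax.
ACL_1 = [parse_entry(s) for s in (
    "deny host 209.157.22.26", "deny 209.157.22.0 0.0.0.255", "permit any")]
ACL_103 = [parse_entry(s) for s in (
    "deny tcp 209.157.21.0/24 209.157.22.0/24 lt telnet neq 5",
    "deny udp any range 5 6 209.157.22.0/24 range 7 8",
    "permit tcp 209.157.21.0 0.0.0.255 host 209.157.22.26 eq http",
    "permit ip any any")]
```

The fragment case is the one worth running: without frag_deny, a non-initial fragment cannot satisfy any port clause and falls through to "permit ip any any", which is exactly the gap the per-interface fragment drop described later in this chapter closes.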
Configuring standard or extended named ACLs

To configure a named IP ACL, use the following CLI method. The commands for configuring named ACL entries differ from those for numbered ACL entries: the command to configure a numbered ACL is access-list, and the command to configure a named ACL is ip access-list.
    access-list 1 deny host 209.157.22.26
    access-list 1 deny 209.157.22.0 0.0.0.255
    access-list 1 permit any
    access-list 101 deny tcp any any eq http

The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in "Configuring standard numbered ACLs" on page 46.
    ServerIronADX(config)# show ip access-list standard melon 3
    Standard IP access-list melon
    deny host 5.6.7.8
    deny 192.168.12.3
    permit any

Syntax: show ip access-list | []

Enter the ACL name for the name parameter or the ACL's number for the number parameter. Determine the line at which you want the displayed information to begin and enter that number for the line parameter.
Syntax: show access-list | begin | exclude | include

Enter the ACL number for the number parameter. Use the | operator to introduce a keyword. Enter the begin parameter to start the display at the first line containing text that matches the keyword. For example, if you enter begin Total, the displayed information begins with the line containing the word "Total".
Syntax: show ip access-list | begin | exclude | include

Enter the ACL's number for the number parameter. Use the | operator to introduce a keyword. Enter the begin parameter to start the display at the first line containing text that matches the keyword. For example, if you enter begin Total, the displayed information begins with the line containing the word "Total".
You can use the CLI to reorder entries within an ACL by individually removing the ACL entries and then re-adding them. To use this method, enter no followed by the command for an ACL entry, and repeat this for each entry in the ACL you want to edit. After removing all the entries from the ACL, re-add them in the desired order. This method works well for small ACLs such as the example above, but it is impractical for ACLs containing many entries.
    copy tftp running-config

NOTE
This command fails if the file contains any commands other than access-list and end (at the end only). These are the only commands that are valid in a file you load using the copy tftp running-config command. TFTP provides no authentication or integrity protection, so the TFTP server, and the path between it and the ADX, should be confined to a trusted management network.

7. To save the changes to the device's startup-config file, enter the following command at the Privileged EXEC level of the CLI.
    ServerIronADX(config)# show access-list 99
    Standard IP access-list 99
    deny host 1.2.4.5
    Permit all users
    permit host 5.6.7.8
    permit any

Syntax: access-list insert | replace remark

Simply entering access-list remark adds a remark to the next ACL entry you create. The insert parameter indicates the entry to which the comment is to be added.
Syntax: deny | permit

The standard | extended parameter indicates the ACL type. The name parameter is the ACL name; you can specify a string of up to 256 alphanumeric characters, and you can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1"). The number parameter allows you to specify an ACL number if you prefer.
The standard | extended parameter indicates the ACL type. The name parameter is the ACL name; you can specify a string of up to 256 alphanumeric characters, and you can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1"). The number parameter allows you to specify an ACL number if you prefer. You can specify a number from 1 - 99 for standard ACLs or 100 - 199 for extended ACLs.
Applying ACLs to interfaces

The configuration examples in "Configuring numbered and named ACLs" on page 46 show that you apply ACLs to interfaces using the ip access-group command. This section presents additional information about applying ACLs to interfaces.

Reapplying modified ACLs

If you make an ACL configuration change, you must reapply the ACLs to their interfaces to put the change into effect.
ACL logging

You may want the software to log ACL entries to the syslog. This section describes how logging is processed by rule-based ACLs.

Rule-based ACLs do not support the log option in hardware: even when rule-based ACLs are enabled, traffic that matches an ACL entry carrying the log option is sent to the CPU for processing. Depending on how many entries have the log option and how often packets match those entries, ACL performance can be affected. Because a remote sender can deliberately generate traffic that matches a logged entry, use the log option sparingly on interfaces exposed to untrusted networks and cap the logging rate with max-acl-log-num.
NOTE
The software requires that an ACL has already been applied to the interface. When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches the ACL is not forwarded.

Displaying ACL log entries

The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap.
You can also configure the maximum number of ACL-related log entries that can be added to the system log over a one-minute period. For example, to limit the device to 100 ACL-related syslog entries per minute:

ServerIronADX(config)# max-acl-log-num 100

Syntax: [no] max-acl-log-num

You can specify a number between 0 – 4096. The default is 256. Specifying 0 disables all ACL logging.
Dropping all fragments that exactly match a flow-based ACL

On an individual interface basis, you can configure an IronCore device to automatically drop a fragment whose source and destination IP addresses exactly match an ACL entry that has Layer 4 information, even if that ACL entry’s action is permit. To do so, enter the following command at the configuration level for an interface.
Syntax: [no] ip access-group frag inspect | deny

The inspect | deny parameter specifies whether you want fragments to be sent to the CPU or dropped:
• inspect – This option sends all fragments to the CPU.
• deny – This option begins dropping all fragments received by the port as soon as you enter the command.
The parameter specifies the maximum number of fragments the device or an individual interface can receive and send to the CPU in a one-second interval.
• frag-rate-on-system – Sets the threshold for the entire device. The device can send to the CPU only the number of fragments you specify per second, regardless of which interfaces the fragments come in on.
Syntax: [no] hw-drop-acl-denied-packet

Enabling strict TCP or UDP mode for flow-based ACLs

By default, when you use ACLs to filter TCP or UDP traffic, the Brocade device does not compare all TCP or UDP packets against the ACLs. For TCP and UDP, the device first compares the source and destination information in a TCP control packet or a UDP packet against entries in the session table.
NOTE
Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs before creating a session entry for forwarding the traffic.

NOTE
If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
Syntax: [no] ip strict-acl-udp

This command configures the device to compare all UDP packets against the configured ACLs before forwarding them. To disable the strict ACL mode and return to the default ACL behavior, enter the following command.
ServerIronADX# show access-list 100
Extended IP access list 100 (Total flows: 432, Total packets: 42000)
permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900)
deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100)
permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000)

Syntax: show access-list | | all

To clear the flow counters for ACL 100.
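The per-entry flow and packet counters in the show access-list output above are the raw material for ACL monitoring. As an added example (not code from the guide or from Brocade), the following Python parses that output into structured records, checks that the entry counters add up to the totals in the header line, and computes the share of packets that hit deny entries; the sample text is constructed from the page's own output, and the regular expressions assume the exact layout shown there.

```python
import re
from dataclasses import dataclass
# Constructed sample: the "show access-list 100" output quoted above.
SAMPLE_OUTPUT = """\
Extended IP access list 100 (Total flows: 432, Total packets: 42000)
permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900)
deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100)
permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000)
"""

# The page prints both "access list" and "access-list", so accept either separator.
HEADER_RE = re.compile(r"^(Standard|Extended) IP access[- ]list (\d+) "
                       r"\(Total flows: (\d+), Total packets: (\d+)\)$")
ENTRY_RE = re.compile(r"^(permit|deny) (\S+) (.+?) \(Flows: (\d+), Packets: (\d+)\)$")

@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    protocol: str  # tcp, udp, ip, ...
    match: str     # source/destination text exactly as the CLI prints it
    flows: int
    packets: int

@dataclass
class AclCounters:
    kind: str      # "Standard" or "Extended"
    number: int
    total_flows: int
    total_packets: int
    entries: list

def parse_show_access_list(text):
    """Parse one ACL block of 'show access-list' output into structured counters."""
    header, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            header = m
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        entries.append(AclEntry(m[1], m[2], m[3], int(m[4]), int(m[5])))
    if header is None:
        raise ValueError("no access-list header line found")
    return AclCounters(header[1], int(header[2]), int(header[3]), int(header[4]), entries)

def totals_consistent(acl):
    """True when the per-entry counters add up to the totals in the header line."""
    return (sum(e.flows for e in acl.entries) == acl.total_flows
            and sum(e.packets for e in acl.entries) == acl.total_packets)

def denied_packet_ratio(acl):
    """Share of counted packets that hit deny entries; a simple figure to trend over time."""
    if acl.total_packets == 0:
        return 0.0
    return sum(e.packets for e in acl.entries if e.action == "deny") / acl.total_packets
```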
• Also, to create ACL policies that filter ICMP message types, you can either enter the description of the message type or enter its type and code IDs. Furthermore, ICMP message type filtering is now available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.

Numbered ACLs

For example, to deny the echo message type in a numbered ACL, enter commands such as the following.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. You can either enter the name of the message type or enter the type number and code number of the message. Refer to Table 12 for valid values.

NOTE
“X” in the Type-Number or Code-Number column in Table 12 means the device filters any traffic of that ICMP message type.
TABLE 12 ICMP message types and codes (Continued)

ICMP message type      Type  Code
protocol-unreachable   3     2
reassembly-timeout     11    1
redirect               5     x
router-advertisement   9     0
router-solicitation    10    0
source-host-isolated   3     8
source-quench          4     0
source-route-failed    3     5
time-exceeded          11    x
timestamp-reply        14    0
timestamp-request      13    0
ttl-exceeded           11    0
unreachable            3     x

NOTE: This includes all
ServerIronADX(config)# ip strict-acl-tcp
ServerIronADX(config)# access-list 1 permit 10.10.200.0 0.0.0.255
ServerIronADX(config)# access-list 2 deny 209.157.2.184

The following commands configure global NAT parameters.

ServerIronADX(config)# ip nat inside source list 1 pool outadds overload
ServerIronADX(config)# ip nat pool outadds 204.168.2.1 204.168.2.254 netmask 255.255.255.
• To view the types of packets being received on an interface, enable ACL statistics using the enable-acl-counter command, reapply the ACLs by entering the ip rebind-acl all command, then display the statistics by entering the show ip acl-traffic command.
• To determine whether an ACL entry is correctly matching packets, add the log option to the ACL entry, then reapply the ACL.
Chapter 5 IPv6 Access Control Lists

ACL overview

ServerIron ADX supports IPv6 Access Control Lists (ACLs) in software. You can configure up to 100 IPv6 ACLs. By default, IPv6 ACLs are processed in hardware and all IPv6 ACL rules are stored in TCAM. An IPv6 ACL is composed of one or more conditional statements that pose an action (permit or deny) if a packet matches a specified source or destination prefix. There can be up to 1024 IPv6 ACL statements per device.
• User Datagram Protocol (UDP)

NOTE
TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.
All deny packets are dropped in hardware.

For permit actions: For all traffic, packets are processed in hardware and then forwarded to the BPs. The BPs do not take any action on the ACLs.

Backwards compatibility option: You can use the ipv6 flow-based-acl-enable command to provide backwards compatibility for IPv6 ACL processing. If this command is configured, packets are processed in hardware and then forwarded to the BPs where the BPs also process the ACLs.
The following commands apply the ACL "netw" to the incoming traffic on port 1/2 and to the incoming traffic on port 4/3.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL. The permit entry permits packets that are not denied by the deny entries.

Every IPv6 ACL has the following implicit condition as its last match condition:
deny ipv6 any any – Denies IPv6 traffic.
• ipv6-operator routing when any protocol is specified.
For IPv6 and Supported Protocols Other than ICMP, TCP, or UDP

Syntax: [no] ipv6 access-list
Syntax: permit | deny | any | host | any | host [ipv6-operator []] [log]

For ICMP

Syntax: [no] ipv6 access-list
Syntax: permit | deny icmp | any | host
TABLE 13 Syntax Descriptions

Arguments...  Description...
protocol      The type of IPv6 packet you are filtering. You can specify a well-known name for some protocols whose number is less than 255. For other protocols, you must enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the CLI.
Arguments...  Description...
/             The / parameter specifies a destination prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
• echo-request
• header
• hop-limit
• mld-query
• mld-reduction
• mld-report
• nd-na
• nd-ns
• next-header
• no-admin
• no-route
• packet-too-big
• parameter-option
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• sequence
• time-exceeded
• unreachable

NOTE
If you do not specify a message type, the ACL applies to all types ICMP mess
Displaying ACLs

To display the ACLs configured on a device, enter the show ipv6 access-list command.
Using an ACL to Restrict SSH Access

ServerIronADX(config)# ipv6 access-list test2
ServerIronADX(config-ipv6-access-list test2)# deny ipv6 host 2000:1::1 any log
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:1::0/32 any
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:2::0/32 any
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 host 2000:3::1 any
ServerIronADX(config-ipv6-access-list test2)# exit
ServerIronADX(config)# ssh access-gro
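The ACL test2 above only works as intended because the host deny sits before the /32 permit that covers the same address, and because the implicit deny ipv6 any any (see the ACL overview) catches every source the permits do not list. As an added example (not code from the guide or from Brocade), the following Python models that first-match evaluation on the test2 rules, copied from the page, and adds a shadowing check that flags a rule no packet can ever reach; it handles only ipv6 (any-protocol) rules, and the misordered variant is my own construction.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ipv6Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv6Network   # ::/0 for "any", a /128 for "host"
    dst: ipaddress.IPv6Network
    log: bool

ANY = ipaddress.IPv6Network("::/0")

def _take_addr(tokens):
    """Consume one address spec ('any', 'host <addr>' or '<prefix>/<len>'); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]

def parse_ipv6_acl(lines):
    """Parse 'permit|deny ipv6 <src> <dst> [log]' rules; other protocols are out of scope here."""
    rules = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ipv6":
            raise ValueError(f"unsupported rule: {line!r}")
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        rules.append(Ipv6Rule(tokens[0], src, dst, "log" in rest))
    return rules

def evaluate(rules, src_addr, dst_addr):
    """First match wins. Returns (action, logged, rule_index); index len(rules) is the implicit deny."""
    s, d = ipaddress.IPv6Address(src_addr), ipaddress.IPv6Address(dst_addr)
    for i, r in enumerate(rules):
        if s in r.src and d in r.dst:
            return r.action, r.log, i
    return "deny", False, len(rules)   # implicit "deny ipv6 any any"

def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule covers all their traffic."""
    out = []
    for i, r in enumerate(rules):
        if any(r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) for e in rules[:i]):
            out.append(i)
    return out

# Constructed from the ACL "test2" shown above, in the order the guide enters it.
TEST2_LINES = [
    "deny ipv6 host 2000:1::1 any log",
    "permit ipv6 2000:1::0/32 any",
    "permit ipv6 2000:2::0/32 any",
    "permit ipv6 host 2000:3::1 any",
]
TEST2 = parse_ipv6_acl(TEST2_LINES)
# Same rules with the host deny moved below the /32 permit that covers it (constructed).
MISORDERED = parse_ipv6_acl([TEST2_LINES[1], TEST2_LINES[0]] + TEST2_LINES[2:])
```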
Chapter 6 Network Address Translation

Introduction

Network Address Translation (NAT) translates one IP address into another. For example, it translates an internal private IP address (nonregistered) into an external unique IP address (registered) used on the Internet.

FIGURE 15 Mapping an internal address to an external address
• Dynamic NAT — Maps private addresses to Internet addresses. The Internet addresses come from a pool of addresses that you configure. For example, you can dynamically translate the global pool 150.1.1.10 - 19 to private pool 10.1.1.1 - 254. In Figure 16, the pool is the range of addresses from 209.157.1.2/24 – 209.157.1.254/24.
Configuring an address pool

Use the ip nat pool command to configure the address pool. For an example, refer to “Dynamic NAT configuration example 1” on page 96.

Syntax: [no] ip nat pool netmask | prefix-length | port-pool-range

The parameter specifies the name assigned to the pool. It can be up to 255 characters long and can contain special characters and internal blanks.
Dynamic NAT configuration example 1

This section describes the Dynamic NAT configuration shown in Figure 16.

FIGURE 16 Minimum required commands

ip address 10.10.1.2 255.255.255.0
ip default-gateway 10.10.1.1
ip nat inside
ip nat inside source list 10 pool out_pool
ip nat pool out_pool 63.236.63.200 63.236.63.
On Router (R) code, enable NAT on interfaces (both ip nat inside and ip nat outside should be enabled). The interfaces can also be physical interfaces (not necessarily virtual interfaces).

ServerIronADX(config-ve-2)# ip nat inside
ServerIronADX(config-ve-3)# ip nat outside

3. Configure a numbered ACL and permit the IP addresses on the inside. Then define the global address pool and enable dynamic NAT.

ServerIronADX(config)# access-list 101 permit ip 10.10.1.
ServerIronADX(config)# interface ethernet 1/5
ServerIronADX(config-if-e1000-1/5)# ip address 20.20.50.1 255.255.0.0
ServerIronADX(config-if-e1000-1/5)# ip nat inside
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-e1000-1/1)# ip address 30.30.0.1 255.255.0.0
ServerIronADX(config-if-e1000-1/1)# ip nat outside

The following command creates a pool of IP NAT addresses from 15.15.15.15 to 15.15.15.25 named p1.
PAT

ServerIronADX(config)# interface ethernet 1/5
ServerIronADX(config-if-e1000-1/5)# ip address 20.20.50.1 255.255.0.0
ServerIronADX(config-if-e1000-1/5)# ip nat inside
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-e1000-1/1)# ip address 30.30.0.1 255.255.0.0
ServerIronADX(config-if-e1000-1/1)# ip nat outside

The following command configures the ServerIron ADX to translate IP packets with a local IP address of 20.20.5.6 to the global IP address 15.15.15.
Forwarding packets without NAT translation

When ServerIron ADX receives a non-SYN packet for a TCP flow from an internal NAT client and no session is found, by default ServerIron drops that packet. Optionally, you can forward such packets without NAT translation by entering the following command.
The syn-timeout keyword indicates the timeout for NAT TCP flows after a SYN.

The tcp-timeout keyword indicates dynamic entries that use PAT based on TCP port numbers. The default is 120 seconds. This timer applies only to TCP sessions that do not end “gracefully”, with a TCP FIN or TCP RST.

The udp-timeout keyword indicates dynamic entries that use PAT based on UDP port numbers. The default is 120 seconds.
• TCS — An ip policy must be defined. Without it, caching will not work.

Enabling IP NAT

When a ServerIron ADX is configured with Switch code, NAT is enabled globally, but when it is configured with Router code, it is enabled per interface.

NOTE
ServerIron ADX does not support IP NAT inside and outside on the same physical interface.

Enabling IP NAT globally

The following command enables IP NAT globally.
The port-pool-range parameter supports redundancy for IP NAT pool addresses. This parameter is similar to the priority value for static NAT, except it also determines the range of source ports allocated by the NAT IP (which prevents source port collision). In ServerIron ADX, the ip nat pool port-pool-range command is mandatory for running router code in HA setups.
Displaying NAT statistics

To display NAT statistics, enter commands such as the following.
Syntax: show ip nat statistics

TABLE 14 Display fields for show ip nat statistics

This field...                    Displays...
send nat unreachable (tcp fwd)   Indicates the number of times that a “port unreachable” message was generated for NAT TCP forward traffic.
nat tcp no ports avl             Indicates the number of times that a “port unreachable” message was generated because the ServerIron could not get a port from the port pool for a NAT IP for TCP forward traffic.
TABLE 14 Display fields for show ip nat statistics (Continued)

This field...                    Displays...
nat udp rev ip status zero       Indicates the number of times that an error in NAT translation for UDP reverse traffic has occurred.
nat udp rev usr index null       Indicates the number of times that a “port unreachable” message was generated because the ServerIron could not create a user session for UDP reverse traffic.
TABLE 15 Display fields for show ip nat translation

This field...  Displays...
Pro            When PAT is enabled, this field indicates the protocol NAT is using to uniquely identify the host. NAT can map the same IP address to multiple hosts and use the protocol port to distinguish among the hosts. This field can have one of the following values:
               • tcp – In addition to this IP address, NAT is associating a TCP port with the host on the private network.
ServerIronADX# show ip nat redundancy (on standby)
NAT Pool Start IP: 10.1.1.150 Mac address: 020c.db01.0196 State: Standby Priority: Low Standby Idle count: 0 Threshold: 20
NAT Pool Start IP: 10.1.1.91 Mac address: 020c.db01.015b State: Standby Priority: Low Standby Idle count: 0 Threshold: 20
NAT Pool Start IP: 10.1.1.92 Mac address: 020c.db01.015c State: Standby Priority: Low Standby Idle count: 0 Threshold: 20
NAT Pool Start IP: 10.1.