DRAFT: BROCADE CONFIDENTIAL
53-1002444-02
June 2012

ServerIron ADX NAT64 Configuration Guide
Supporting Brocade ServerIron ADX version 12.4

© 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents

About This Document
    Audience ............................................................ ix
    Supported hardware and software ..................................... ix
    Document conventions ................................................ ix
        Text formatting ................................................. ix
        Command syntax conventions ......................................

Advanced stateful NAT64 configuration .................................... 11
    Configuring stateful NAT64 with route injection ..................... 11
    NAT64 sticky session configuration .................................. 15
    Enabling connection logging ......................................... 16
    Configuring HTTP client IP address insertion ........................ 16
    Configuring NAT64 packet fragmentation options ......................

NAT46 static mapping configuration ....................................... 45
    Basic NAT46 static mapping configuration ............................ 46
    Stateless NAT46 static mapping with route injection ................. 47
    Configuring NAT46 packet fragmentation .............................. 51
Stateless NAT46 dynamic mapping configuration ............................ 52
    Real-time NAT46 dynamic mapping configuration .......................

Displaying rule-based ACL entries ........................................ 78
    Displaying ACLs using the show access-list command .................. 78
    Displaying ACLs using the show ip access-lists command .............. 79
    Displaying ACLs using keywords ...................................... 79
    Displaying ACL bindings ............................................. 82
ACL logging ..............................................................

Chapter 7 Network Address Translation
    In this chapter .................................................... 109
    Configuring NAT .................................................... 110
        PAT ............................................................ 110
        Configuring static NAT ......................................... 111
        Configuring dynamic NAT ........................................
About This Document

Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

bold text      Identifies command names
               Identifies the names of user-manipulated GUI elements
               Identifies keywords
               Identifies text to enter at the GUI or CLI
italic text    Provides emphasis
               Identifies variables
               Identifies document titles
code text      Identifies CLI output

For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
Chapter 1 NAT64 and NAT46 Overview

In this chapter
• Overview of NAT64 and NAT46 ............................ 1
• NAT64 and NAT46 implementation details ................. 2

Overview of NAT64 and NAT46
The industry faces a challenging transition while it moves from its current IPv4-capable routers, switches, servers, and applications to IPv6-ready devices.

NAT64 and NAT46 implementation details
The stateless NAT64 gateway generates an IPv4 source address for the IPv6 host from the IPv4-IPv6 mapping table. The mapping table can be dynamically constructed using a DNS server or manually configured. The IPv4 destination address is obtained by stripping away the IPv6 prefix from the synthesized IPv6 destination address provided by the DNS64 server.

Requirements for stateless NAT46 configurations
The ServerIron ADX must be configured as a NAT46 gateway. The NAT46 gateway receives IPv4 packets whose destination IPv4 address is mapped to an internal IPv6 resource. It then translates the IPv4 address to an IPv6 address using the IPv4-IPv6 mapping table information. Return packets from the IPv6 resource are then mapped back to the client’s IPv4 address.

TABLE 1 ICMPv6 to ICMPv4 message translation (Continued)
ICMPv6 message type | ICMPv4 message type
Time Exceeded (Type 3) | Time Exceeded (Type 11); the code remains the same as in ICMPv6
Parameter Problem (Type 4), unrecognized Next Header type encountered (code 1) | Destination Unreachable (Type 3), destination protocol unreachable (code 2)
Parameter Problem (Type 4), any other parameter problem | Parameter problem: bad IP header (Type 12), pointe

TABLE 2 ICMPv4 to ICMPv6 message translation (Continued)
ICMPv4 message type | ICMPv6 message type
host precedence violation (code 14) | communication with destination administratively prohibited (code 1)
precedence cutoff in effect (code 15) | communication with destination administratively prohibited (code 1)
Time Exceeded (Type 11) | Time Exceeded (Type 3); the code remains the same as in ICMPv4
Destination Unreachable (Type 3) | destination pr

NOTE Because the ICMP checksum mechanism in IPv6 is different from the IPv4 checksum mechanism, ICMP fragmentation is currently not supported, and all fragmented ICMP packets received on either the IPv6 or IPv4 side are dropped. Counters keep track of the number of fragmented ICMP packets dropped.
NOTE When an IPv4 host sends multiple fragments with UDP checksum 0, the translation of those packets from IPv4 to IPv6 is not supported.
Chapter 2 Stateful NAT64 Configuration

In this chapter
• Stateful NAT64 overview ............................... 7
• Basic stateful NAT64 configuration .................... 9
• Advanced stateful NAT64 configuration ................. 11
• High availability for stateful NAT64 .................

Stateful NAT64 overview
The DNS64 server provides the IPv6 client with a synthesized IPv6 address which enables the IPv6 client to reach the IPv4 resource. The synthesized IPv6 address consists of the 96-bit NAT64 IPv6 prefix concatenated to the IPv4 destination address of the IPv4 resource and represents that IPv4 resource to the IPv6 network. The ServerIron ADX is configured as a stateful NAT64 gateway.

Basic stateful NAT64 configuration
5. The NAT64 gateway also dynamically selects an IPv4 address (192.0.2.1) from the IPv4 NAT address pool (192.0.2.1–192.0.2.10) and uses that address as the source address for the packet that is sent to the IPv4 resource. In a stateful configuration, the NAT64 gateway keeps track of all its connections.
6.

To specify an IPv6 prefix, enter a command such as the following:
ServerIron ADX(config)# nat64 ipv6-prefix 2001:db8:8000::/96
Syntax: [no] nat64 ipv6-prefix [inject-static-route ]
NOTE A maximum of eight NAT64 IPv6 prefixes can be configured.
The variable specifies the NAT64 IPv6 prefix that will be used by the ServerIron ADX when operating as a NAT64 gateway.

NOTE If the ServerIron ADX runs out of stateful NAT64 NAT pool ports or session entries, new connection requests are dropped silently.
NOTE You must reload the ServerIron ADX whenever the IPv4 NAT address pool configuration is changed.

Advanced stateful NAT64 configuration
An advanced stateful NAT64 configuration includes one or more optional features in addition to the basic configurations.

Figure 4 shows a typical IPv6-only client to IPv4 resource topology configured with router adjacency relationships on both the IPv4 and IPv6 sides of the ServerIron ADX. In this configuration, routes defined by the IPv6 prefix and IPv4 NAT address pool are advertised to the adjacent routers and distributed to the respective networks using the routing protocol configured.
FIGURE 4 NAT64 route injection

The inject-static-route option is used to advertise the subnet defined by the variable to the IPv6 network. In ServerIron ADX releases prior to 12.4.00, you must also identify either an Ethernet or VE interface and port number on the NAT64 gateway for static route injection. The specified interface must have an IPv6 address and be directly connected to an adjacent router.

NOTE If the ServerIron ADX runs out of stateful NAT64 NAT pool ports or session entries, new connection requests are dropped silently.
NOTE You must reload your ServerIron ADX when the IPv4 NAT address pool configuration is changed.

ServerIron ADX(config)# router ospf
ServerIron ADX(config-ospf-router)# redistribution static
ServerIron ADX(config-ospf-router)# area 0
ServerIron ADX(config-ospf-router)# exit
ServerIron ADX(config)# ipv6 router ospf
ServerIron ADX(config-ospf6-router)# redistribute static
ServerIron ADX(config-ospf6-router)# area 1
ServerIron ADX(config-ospf6-router)# exit
4. Assign the VE interfaces to OSPF or OSPFv6 areas defined previously.

Once this command is configured, the NAT64 gateway will automatically delete an existing sticky session for a NAT64 pool if a connection request arrives from the same IPv6 client and the NAT64 pool IP address in the associated sticky session has run out of available source ports.
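The stateful behaviour this chapter describes (a per-connection session table, dynamic selection of a pool address and source port for each new connection, silent drops when pool ports or session entries are exhausted, and the sticky-session reselection described in the paragraph above) can be modelled compactly. The following Python is an added example written for this guide page, not ServerIron code: the class StatefulNat64, its sticky_reselect flag, the dropped counter and the pool and port values used to exercise it are all constructed assumptions; the prefix 2001:db8:8000::/96 and the client and resource addresses are taken from the guide's own examples.

```python
import ipaddress


class StatefulNat64:
    """Toy model of a stateful NAT64 gateway (constructed example, not ServerIron code).

    prefix          the 96-bit NAT64 IPv6 prefix, e.g. "2001:db8:8000::/96"
    pool            list of IPv4 NAT pool addresses
    ports           (low, high) source-port range available on each pool address
    max_sessions    capacity of the session table
    sticky_reselect models the behaviour the guide describes for the sticky-session
                    command: when the client's sticky pool address has no free ports,
                    delete the sticky binding and select another pool address.
    """

    def __init__(self, prefix, pool, ports=(1024, 65535), max_sessions=1000, sticky_reselect=False):
        self.net = ipaddress.IPv6Network(prefix)
        if self.net.prefixlen != 96:
            raise ValueError("NAT64 prefix must be /96")
        self.free = {ip: set(range(ports[0], ports[1] + 1)) for ip in pool}
        self.max_sessions = max_sessions
        self.sticky_reselect = sticky_reselect
        self.sessions = {}   # (client6, cport, dst4, dport) -> (nat_ip, nat_port)
        self.reverse = {}    # (nat_ip, nat_port, dst4, dport) -> (client6, cport)
        self.sticky = {}     # client6 -> nat_ip
        self.dropped = 0     # connection requests dropped silently

    def _pick_pool_ip(self, client6):
        ip = self.sticky.get(client6)
        if ip is not None:
            if self.free[ip]:
                return ip
            if not self.sticky_reselect:
                return None            # sticky address exhausted, request is dropped
            del self.sticky[client6]   # sticky binding deleted, pick a fresh address
        for cand, ports in self.free.items():
            if ports:
                self.sticky[client6] = cand
                return cand
        return None                    # whole pool exhausted

    def translate_6to4(self, client6, cport, dst6, dport):
        """IPv6 -> IPv4 direction. Returns (nat_ip, nat_port, dst4, dport), or None when dropped."""
        dst = ipaddress.IPv6Address(dst6)
        if dst not in self.net:
            return None                # destination is not a synthesized NAT64 address
        dst4 = str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF))   # strip the 96-bit prefix
        key = (client6, cport, dst4, dport)
        if key in self.sessions:       # existing connection: reuse its binding
            nat_ip, nat_port = self.sessions[key]
            return nat_ip, nat_port, dst4, dport
        if len(self.sessions) >= self.max_sessions:
            self.dropped += 1          # out of session entries: silent drop
            return None
        nat_ip = self._pick_pool_ip(client6)
        if nat_ip is None:
            self.dropped += 1          # out of pool ports: silent drop
            return None
        nat_port = min(self.free[nat_ip])
        self.free[nat_ip].remove(nat_port)
        self.sessions[key] = (nat_ip, nat_port)
        self.reverse[(nat_ip, nat_port, dst4, dport)] = (client6, cport)
        return nat_ip, nat_port, dst4, dport

    def translate_4to6(self, src4, sport, nat_ip, nat_port):
        """IPv4 -> IPv6 direction. Returns (src6, sport, client6, cport), or None when no
        session exists (the guide's 'reverse no session drop' counter)."""
        session = self.reverse.get((nat_ip, nat_port, src4, sport))
        if session is None:
            return None
        client6, cport = session
        src6 = ipaddress.IPv6Address(int(self.net.network_address) | int(ipaddress.IPv4Address(src4)))
        return str(src6), sport, client6, cport
```

The reverse lookup keys on the full (pool address, pool port, IPv4 peer, peer port) tuple, so an IPv4 packet arriving for a pool port from a host other than the one the session was opened to is treated as having no session and is dropped rather than forwarded to the IPv6 client.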
Host: foo.com\r\n
…
Connection: Keep-Alive\r\n
X-Forwarded-For: 2001:db8::6401:101\r\n
\r\n
NOTE Client IP address insertion must be enabled for the port handling HTTP traffic. The ServerIron ADX will not automatically detect HTTP traffic on any port.
NOTE A client IP address will only be inserted for the first HTTP request in a TCP connection.

High availability for stateful NAT64
For more information about NAT64 fragmentation support, refer to “NAT64 fragmentation support” on page 5.
NOTE The ipv6-frag-full-4to6 command was introduced in ServerIron ADX release 12.4.00 and it replaces the frag-664-reverse-full-sized-pkt command from earlier releases.
If the IPv4 host sends out fragmented UDP packets with checksum 0, the translation of those packets from IPv4 to IPv6 is not supported.

Displaying NAT64 information
ServerIron ADX(config)# nat64 pool nat64-zone1 201.1.1.1 201.1.1.20 prefix-length 24 port-pool-range 2
NOTE Active-active NAT configurations use the server active-active-port ethernet vlan-id command to identify the port that connects the ServerIron ADX to its Active-Active partner. The port you specify must be in its own port-based VLAN. The configuration is mandatory on both HA boxes.

ServerIron ADX1/1 show session all 0
Session Info:
Flags - 0:UDP, 1:TCP, 2:IP, 3:INT, 4:INVD, H: sessInHash, N: sessInNextEntry
Index Src-IP         Dst-IP      S-port D-port Age Server Flags
===== ============== =========== ====== ====== === ====== ========
0     192.168.1.101  200.1.1.2   80     38912  60  n/a    NAT641 H
1     3003::10       0.0.0.

TABLE 4 Display fields for show nat translation
Field | Description
Pro | The Layer 4 protocol: TCP, UDP, or ICMP.
Client IP | The IPv6 client IP address.
NAT IP | The translated IP address from the NAT64 IPv4 pool.
Dest IP | The IP address of the internal IPv4 resource.

Displaying NAT64 statistics
You can use the show nat64 statistics command to display statistics for the NAT64 gateway.
UDP 6->4 = 0
UDP 4->6 = 0
Static pending or error in entry drop = 0
Stateful Statistics:
TCP 6->4 = 17
TCP 4->6 = 16
TCP reverse no session drop = 0
UDP 6->4 = 0
UDP 4->6 = 0
UDP reverse no session drop = 0
NAT64 NAT pool Statistics:
6->4: TCP: NAT port allocated = 3
6->4: TCP: NAT port not available = 0
NAT port freed = 3
NAT64 HA Statistics:
Message sync sent = 0
Message sync received = 0
Error during sending sync messages = 0
Error during re

TABLE 5 Display fields for show nat64 statistics (Continued)
Field | Description
Stateless IPv6 prefix prepended = | Stateless NAT46 IPv4->IPv6 packet conversions.
Stateful IPv6 prefix prepended = | Stateful NAT64 IPv4->IPv6 packet conversions.
6->4 initiate dynamic learning = | Stateless: Number of DNS dynamic learnings initiated to discover IPv4 address.

TABLE 5 Display fields for show nat64 statistics (Continued)
Field | Description
TCP 4->6 = | # stateless NAT64 TCP IPv4 packets converted to IPv6.
UDP 6->4 = | # stateless NAT64 UDP IPv6 packets converted to IPv4.
UDP 4->6 = | # stateless NAT64 UDP IPv4 packets converted to IPv6.
Static pending or error in entry drop = |
Stateful Statistics: |
TCP 6->4 = | The number of IPv6 TCP packets that have been translated to IPv4.

Displaying NAT64 resources
You can use the show nat64 resources command at the rconsole to display information about NAT64 resources on the ServerIron ADX. This command can be used for stateful NAT64, stateless NAT64, and stateless NAT46 configurations. This output is displayed as follows.

Clearing stateful NAT64 information
TABLE 6 Display fields for show nat64 resources (Continued)
Field | Description
Number of IPv6 prefixes: | Lists the total number of IPv6 prefixes on the system (max: 8)
Stateless IPv6 prefix: | Indicates whether the IPv6 Prefix is configured as stateless.
NAT64 Stateless: | Lists all NAT46 configuration.
IPv6 map hash table size: | IPv6 map hash table size.
Max mapping entries: | The max mapping entries allowed on the system.
Chapter 3 Stateless NAT64 Configuration

In this chapter
• Stateless NAT64 overview
• Stateless NAT64 static mapping configuration
• Stateless NAT64 dynamic mapping configuration
• High availability for NAT64

Stateless NAT64 overview
The DNS64 server provides the IPv6 client with a synthesized IPv6 address which enables the IPv6 client to reach the IPv4 resource. The synthesized IPv6 address consists of the NAT64 IPv6 prefix concatenated to the IPv4 destination address of the IPv4 resource and represents that IPv4 resource to the IPv6 network. The ServerIron ADX is configured as a stateless NAT64 gateway.

FIGURE 8 IPv4 client to DNS64 server communication
[Figure: DNS Server and IPv6 Client; labels recovered from the figure: www.brocadetest.com, 2001:db8:64::192.0.2.1]
3. The request packet is then sent to the NAT64 gateway using the IPv6 address obtained from the DNS64 server as the destination IP (DIP) address (2001:db8:64::192.0.2.1) and 2001:db8:80::80 as the source IP (SIP) address.
4.

Stateless NAT64 static mapping configuration
FIGURE 9 Stateless NAT64 translation
[Figure: DNS Server, IPv6 Client (2001:db8:80::80), NAT64 Gateway, IPv4 Server (192.0.2.1). Packet legs shown: Source IP = 2001:db8:80::80, Destination IP = 2001:db8:64::192.0.2.1; Source IP = 200.1.1.1, Destination IP = 192.0.2.1; Source IP = 2001:db8:64::192.0.2.1, Destination IP = 2001:db8:80::80; Source IP = 192.0.2.1, Destination IP = 200.1.1.]

• Stateless NAT64 packet fragmentation configuration: This topic describes the options available for handling packet fragmentation in a stateless NAT64 gateway.

Basic stateless NAT64 static mapping configuration
A basic NAT64 gateway configuration uses a statically defined mapping table to make IPv4 resources available to IPv6 clients. The mapping table defines a one-to-one relationship between an IPv4 address and an IPv6 address.

Stateless NAT64 static mapping with route injection
Route injection can be used to make the addresses assigned to IPv4 and IPv6 translations available as destinations in the routing tables of the respective IPv4 and IPv6 networks.

Tasks to configure a ServerIron ADX for advanced static mapping with route injection include the following:
• “Configuring static NAT64 IPv6 prefixes with route injection” on page 33
• “Configuring static NAT64 IPv4 prefixes with route injection” on page 33
• “Configuring NAT64 static mapping” on page 34

Configuring static NAT64 IPv6 prefixes with route injection
The NAT64 gateway uses a NAT64 IPv6 prefix to create a synthesized

The inject-static-route option injects the host route into the routing protocol. The host route is only injected if the static map command is issued or a dynamic mapping is found. Unlike when an IPv4 prefix route is injected, the IPv6 route injection configuration does not require that you specify an interface. Route injection for IPv6 uses the null0 route.

ServerIron ADX(config-vlan-1)# interface ve 7
ServerIron ADX(config-vlan-1)# exit
ServerIron ADX(config)# interface ve 7
ServerIron ADX(config-vif-7)# ipv6 address 2001:db8:80::80
ServerIron ADX(config-vif-7)# exit
2. OSPF and OSPFv6 are configured for static route redistribution. The IPv6 side is configured as OSPF Area 0 and the IPv4 side is configured as OSPF Area 1.

Stateless NAT64 dynamic mapping configuration
• If the ipv6 frag-full-4to6 command is configured, the packet will be split and no further actions will be performed.
• If the condition in step 1 is not met, and the DF bit is set at the server, the “fragmentation needed” ICMP error message will be sent.
• If the conditions in steps 1 and 2 are not met, the packet will be split.
The ipv6 frag-full-4to6 command is configured as shown in the following example.

Advanced configuration tasks include “Configuring NAT64 hold-off intervals for DNS discoveries” on page 38.

Configuring NAT64 IPv6 prefixes with real-time dynamic learning
The NAT64 gateway uses a NAT64 IPv6 prefix to create a synthesized IPv6 address to represent IPv4 resources to the IPv6 network.

Configuring NAT64 hold-off intervals for DNS discoveries
By default, a DNS discovery (or refresh) fails if three retries time out or if the DNS server returns an error. In this situation, the NAT64 gateway can still receive traffic intended for IPv4 resources. Use the nat64 dns-fail-holdoff command to direct the ServerIron ADX to wait a specified period of time (in seconds) before retrying a request to the DNS server.

Use the nat64 ipv4-prefix command to specify an IPv4 prefix with a subnet mask. Any IPv4 address within the defined subnet can then be assigned to an IPv6 host made available through the NAT64 gateway. To configure an IPv4 prefix for prefetched dynamic learning, enter a command such as the following using the prefetch option:
ServerIron ADX(config)# nat64 ipv4-prefix 200.1.1.

The variable is configured in seconds. Configurable values are from 10 through 3600 seconds. The default value is 180 seconds.

High availability for NAT64
The only high availability (HA) mode currently supported with the NAT64 feature is Active-Active HA.

Clearing NAT64 information
The all parameter displays all of the configured static NAT64 IPv6-IPv4 address mappings. Table 7 describes the fields returned by the show nat64 map command.
TABLE 7 Display fields for show nat64 map all command
Field | Description
IPv6 Address | IPv6 address (destination for incoming IPv6 packets).
IPv4 Address | IPv4 address (source of incoming IPv4 packets).

Debugging stateless NAT64 configurations
The variable specifies the IPv6 address for the IPv6-IPv4 mapping that you want to clear. The all parameter clears all of the configured stateless static NAT64 IPv6-IPv4 address mappings.
Clearing stateless NAT64 statistics
Use the clear nat64 statistics command to clear stateless NAT64 statistics on a ServerIron ADX.
Chapter 4 Stateless NAT46 Configuration

In this chapter
• Stateless NAT46 overview
• NAT46 static mapping configuration
• Stateless NAT46 dynamic mapping configuration
• High availability for NAT46

Stateless NAT46 overview
The ServerIron ADX is configured as a stateless NAT46 gateway. For an IPv4 host, the NAT46 gateway generates the IPv6 source address by concatenating the IPv6 prefix to the IPv4 source address. The IPv6 destination address is obtained from the IPv4-IPv6 mapping table using the IPv4 destination address. Two key components must be configured on the NAT46 gateway for it to enable communication between IPv4 clients and IPv6 resources.

NAT46 static mapping configuration
5. The IPv6 client replies using the synthesized IP address (2001:db8:64::192.0.2.1) as the DIP and its own IPv6 address (2001:db8:80::80) as the SIP.
6. The NAT46 gateway strips out the IPv6 portion of the DIP (that is, the IPv6 prefix) and uses the remaining IPv4 portion (192.0.2.1) as the destination address.
7.
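The address operations in steps 5 and 6 above, together with the stateless overview's rule that the IPv6 source is the prefix concatenated to the IPv4 source and the IPv6 destination comes from the mapping table, are shown below in working form. This Python is an added example written for this guide page, not ServerIron code: synthesize_ipv6 embeds an IPv4 address in a /96 prefix, extract_ipv4 strips the prefix back off (refusing addresses that are not inside the prefix), and StatelessNat46 is a constructed model of the NAT46 mapping table, capped at the 1024 entries the guide states and confined to the configured NAT46 IPv4 prefix. The prefix 2001:db8:8000::/96 and the mapping 100.1.1.100 to 2001:db8:8000::100 are the guide's own values; the IPv4 prefix 100.1.1.0/24 and all class and function names are assumptions.

```python
import ipaddress


def _prefix(prefix):
    """Parse and validate a NAT64/NAT46 IPv6 prefix; the guide uses 96-bit prefixes."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError(f"NAT64/NAT46 prefix must be /96, got /{net.prefixlen}")
    return net


def synthesize_ipv6(prefix, ipv4):
    """Concatenate the 96-bit prefix and the 32-bit IPv4 address (prefix::<ipv4>)."""
    net = _prefix(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix, ipv6):
    """Strip the prefix and return the embedded IPv4 address.
    Addresses outside the prefix carry no embedded IPv4 address and are rejected."""
    net = _prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not within {net}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class StatelessNat46:
    """Constructed model of a stateless NAT46 gateway's IPv4-IPv6 mapping table."""

    MAX_ENTRIES = 1024   # mapping-table limit stated in the guide

    def __init__(self, ipv6_prefix, ipv4_prefix):
        self.prefix = _prefix(ipv6_prefix)
        self.ipv4_prefix = ipaddress.IPv4Network(ipv4_prefix)   # NAT46 IPv4 prefix
        self.v4_to_v6 = {}   # IPv4 address representing the resource -> real IPv6 address
        self.v6_to_v4 = {}   # reverse direction, kept one-to-one

    def is_mappable(self, ipv4):
        """An IPv4 address may only be used if it lies within the NAT46 IPv4 prefix."""
        return ipaddress.IPv4Address(ipv4) in self.ipv4_prefix

    def add_map(self, ipv4, ipv6):
        """Equivalent of a static 'nat64 map' entry (manual population of the table)."""
        v4, v6 = ipaddress.IPv4Address(ipv4), ipaddress.IPv6Address(ipv6)
        if not self.is_mappable(ipv4):
            raise ValueError(f"{v4} is outside the NAT46 IPv4 prefix {self.ipv4_prefix}")
        if v4 not in self.v4_to_v6 and len(self.v4_to_v6) >= self.MAX_ENTRIES:
            raise ValueError("mapping table is full")
        if self.v6_to_v4.get(v6, v4) != v4:
            raise ValueError(f"{v6} is already mapped to {self.v6_to_v4[v6]}")
        self.v4_to_v6[v4] = v6
        self.v6_to_v4[v6] = v4

    def translate_4to6(self, src4, dst4):
        """IPv4 client -> IPv6 resource. Returns (src6, dst6), or None if dst4 is unmapped
        (the packet is dropped because the table has no entry for it)."""
        dst6 = self.v4_to_v6.get(ipaddress.IPv4Address(dst4))
        if dst6 is None:
            return None
        return str(synthesize_ipv6(str(self.prefix), src4)), str(dst6)

    def translate_6to4(self, src6, dst6):
        """IPv6 resource -> IPv4 client (steps 5 and 6). Returns (src4, dst4), or None if the
        IPv6 source is not a mapped resource or the destination is not a synthesized address."""
        src4 = self.v6_to_v4.get(ipaddress.IPv6Address(src6))
        if src4 is None:
            return None
        try:
            dst4 = extract_ipv4(str(self.prefix), dst6)
        except ValueError:
            return None
        return str(src4), str(dst4)
```

Python's ipaddress module accepts the mixed notation the guide uses (2001:db8:64::192.0.2.1) and prints the same address as 2001:db8:64::c000:201; both spellings denote one address, which is why the tests below compare against the hexadecimal form.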
Route injection can be used in advanced static mapping configurations to inject IPv4 and IPv6 addresses into the respective network routing tables. Route distribution is then performed using any one of the routing protocols supported by ServerIron ADX: OSPF, IS-IS, and BGP (IPv4 to IPv6).

NOTE A maximum of 1024 entries is supported in the mapping table. Entries can be defined manually using the nat64 map command or dynamically using real-time or prefetched dynamic mappings. For more information, refer to “Populating the NAT46 mapping table” on page 45.

NOTE For details about how to configure routing protocols on a ServerIron ADX, refer to the following chapters in the ServerIron ADX Switch and Router Guide: “Configuring OSPF”, “Configuring IPv6 Dynamic Routing”, “Configuring IS-IS (IPv4)”, “Configuring IPv6 IS-IS”, “Configuring BGP4 (IPv4)”, and “Configuring BGP4+”.

Configuring static NAT46 IPv4 prefixes with static route injection
The NAT46 IPv4 prefix provides a range of IPv4 addresses on the NAT46 gateway that can be used to represent IPv6 resources. It is created by defining an IPv4 prefix with a subnet mask. Any IPv4 address within the defined subnet can then be assigned to an IPv6 resource made available through the gateway.

Stateless NAT46 static route injection configuration example
Figure 16 shows a typical IPv4-only client to IPv6 resource topology configured with router adjacency relationships on both the IPv4 and IPv6 sides of the ServerIron ADX (NAT46 gateway).

If you are running a ServerIron ADX build prior to 12.4.00, you must specify an interface and port number.
ServerIron ADX(config)# nat64 ipv6-prefix 2001:db8:8000::0/96 inject-static-route stateless ve 7 stateless
5. An IPv4 address (100.1.1.100) within the subnet defined by the NAT46 IPv4 prefix is mapped to the IPv6 address (2001:db8:8000::100) specified in Step 1.
ServerIron ADX(config)# nat64 map 100.1.1.

Stateless NAT46 dynamic mapping configuration
The stateless NAT46 gateway uses a mapping table to translate the IPv4 destination address that the IPv4 network uses to identify the IPv6 resource into the actual IPv6 address of that resource. This mapping table can be configured manually (using static mapping) or generated dynamically (using real-time dynamic learning or prefetched dynamic learning).

The stateless operand is required for stateless NAT46 gateway configurations. Only one IPv6 prefix can be configured with this option.

Configuring NAT46 IPv4 prefixes with real-time dynamic learning
In a NAT46 configuration, the IPv4 prefix defines the range of IPv4 addresses that can be used to represent the IPv6 resources available to IPv4 clients. Use the nat64 ipv4-prefix command to specify an IPv4 prefix with a subnet mask.

The variable is configured in seconds. Configurable values are from 10 through 3600 seconds. The default value is 180 seconds.

Prefetched NAT46 dynamic mapping configuration
The NAT46 gateway can be configured to prefetch dynamic mappings, that is, to periodically send PTR queries to the DNS server to determine the IPv6 address translations for the IPv4 destination addresses specified.

High availability for NAT46
The variable specifies the NAT46 IPv4 prefix used by the ServerIron ADX when it operates as a NAT46 gateway. The prefetch option directs the ServerIron ADX to prefetch IPv4 to IPv6 mappings from DNS.
NOTE The nat64 dns-dynamic-learning command must be configured for the prefetch option to take effect. If dynamic learning is not configured, an error message is displayed.

Displaying NAT46 information
• Each ServerIron ADX is configured with a NAT46 IPv6 prefix, specifying the IPv6 address range, and a NAT46 IPv4 prefix, specifying the IPv4 address range.
• Because the NAT46 configuration does not use a port pool, the port pool range option is not configured.
• Because the NAT46 configuration is stateless, the inject-active-only option for HA configuration is not used.

Clearing NAT46 information
TABLE 9 Display fields for show nat64 map all command
Field | Description
IPv6 Address | IPv6 address (source of incoming IPv6 packets).
Type | CLI: Configured; DNS: Dynamically learned; DNS pending: Dynamic learning ongoing

Displaying in-progress dynamic NAT46 mappings
Use the show nat64 dns-in-flight command to display in-progress NAT46 DNS dynamic learning on stateless NAT46 gateways.

Debugging NAT46 configurations
The all parameter clears all of the configured stateless static NAT46 IPv4-IPv6 address mappings.
Clearing stateless NAT46 statistics
Use the clear nat64 statistics command to clear stateless NAT46 statistics on a ServerIron ADX.
Chapter 5 Access Control Lists

In this chapter
• In this chapter
• ACL entries and the Layer 4 CAM
• Configuring rule-based ACLs
• Modifying rule-based ACLs

How ServerIron ADX processes ACLs
For pass-through traffic, packets are processed in hardware. For Layer 4 through Layer 7 traffic, packets are forwarded to the barrel processors (BPs) and the BPs perform the ACL processing.

Beginning with release 12.3.01 and later
Beginning with release 12.3.01, IPv4 ACLs are processed as described in the following:
For deny actions: All deny packets are dropped in hardware.

Configuration guidelines for rule-based ACLs
Consider the following guidelines:
• Rule-based ACLs support only one ACL per port. The ACL can contain multiple entries (rules). For example, rule-based ACLs do not support ACLs 101 and 102 on port 1, but rule-based ACLs do support ACL 101 containing multiple entries.

• If the fragment’s source and destination addresses do not both exactly match an ACL entry, the device skips the ACL entry and compares the packet to the next ACL entry. This is true even if either the source or destination address (but not both) does exactly match an ACL entry.
• If the source and destination addresses do not exactly match any ACL entry on the applicable interface, the device drops the fragment.
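The two fragment rules above are easy to get wrong when writing or reviewing an ACL, because a non-initial fragment carries no Layer 4 header and so can never satisfy a port-qualified entry the way the first packet of the flow does. The following Python is an added example, not ServerIron code, that emulates the evaluation order described here. It assumes that "exactly match" means both the source and the destination address fall within the entry's address fields, that Layer 4 fields are ignored for fragments, and that no match means the fragment is dropped; the sample ACL entries and packets are constructed, reusing the 209.157.21.x and 209.157.22.x addresses that the extended-ACL example later in this chapter uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int]              # None for a non-initial fragment (no Layer 4 header)
    fragment: bool                    # True for a non-initial fragment


def _to_net(spec):
    """'any' stands for 0.0.0.0/0 as in the CLI; a bare host address becomes a /32."""
    return ipaddress.IPv4Network("0.0.0.0/0" if spec == "any" else spec)


def entry(action, proto, src, dst, dport=None):
    return AclEntry(action, proto, _to_net(src), _to_net(dst), dport)


def packet(proto, src, dst, dport=None, fragment=False):
    return Packet(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dport, fragment)


def _addresses_match(e, p):
    return p.src in e.src and p.dst in e.dst


def _matches(e, p):
    if p.fragment:
        # Non-initial fragment: only an exact match of BOTH addresses counts.
        # A match on just the source or just the destination skips the entry.
        return _addresses_match(e, p)
    # First packet of a flow: protocol and port qualifiers are applied as well.
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _addresses_match(e, p)


def evaluate(acl, p):
    """Walk the ACL in configured order; the first matching entry decides.
    If nothing matches, the packet (and in particular the fragment) is dropped."""
    for e in acl:
        if _matches(e, p):
            return e.action
    return "deny"


# Constructed sample ACL (no trailing 'permit ip any any', so the no-match path is visible).
SAMPLE_ACL = [
    entry("deny", "ip", "209.157.21.100", "209.157.22.1"),
    entry("permit", "tcp", "209.157.21.0/24", "209.157.22.1", dport=80),
    entry("permit", "udp", "209.157.21.50", "209.157.22.2", dport=53),
]
```

A practical consequence the emulation makes visible: a port-qualified permit entry such as the second one above also admits every non-initial fragment between the same addresses, whatever protocol or port the fragment belongs to, while a fragment whose addresses match no entry at all is dropped even though its first packet may have been permitted by a broader entry elsewhere.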
ACL entries and the Layer 4 CAM
You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on specific ports. You can apply only one ACL to a port's inbound traffic and only one ACL to a port's outbound traffic. The software applies the entries within an ACL in the order they appear in the ACL's configuration.
Displaying the number of Layer 4 CAM entries
To display the number of Layer 4 CAM entries used by each ACL, enter the show access-list all command.
ServerIronADX(config)# show access-list all
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.
NOTE
If you enter the ip access-group max-l4-cam command on more than one port managed by the same IPC or IGC, the CLI uses the value entered with the most recent command for all the ports on that IPC or IGC.
Configuring rule-based ACLs
When you configure rule-based ACLs, you can refer to the ACL by a numeric ID or by an alphanumeric name.
Syntax: [no] access-list deny | permit host |
Syntax: [no] access-list deny | permit any
Syntax: [no] ip access-group in | out
The parameter is the access list number and can be from 1 through 99. The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded). The parameter specifies the source IP address.
Configuring extended numbered ACLs
This section describes how to configure extended numbered ACLs.
The third entry denies IGRP traffic from the 209.157.21.x network to the host device named “rkwong”. The fourth entry denies all IP traffic from host 209.157.21.100 to host 209.157.22.1. The fifth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
Syntax: [no] access-list deny | permit | [ ] | [ | | ] [ ] [established] [precedence | ] [tos | ] [ip-pkt-len ]
Syntax: [no] access-list deny | permit host any any
Syntax: [no] ip ac
• If you do not specify a message type, the ACL applies to all types of ICMP messages. The parameter can be a value from 0 through 255.
The parameter specifies the TCP or UDP port number or well-known name. You can specify a well-known name for any application port whose number is less than 1024. For other application ports, you must enter the number. Enter “?” instead of a port to list the well-known names recognized by the CLI.
• : A number from 0 through 15 that is the sum of the numeric values of the options you want. The ToS field is a four-bit field following the Precedence field in the IP header. You can specify one or more of the following options; to select more than one, enter the decimal value equal to the sum of their numeric values.
Modifying rule-based ACLs
Notice that the command prompt changes after you enter the ACL type and name. The “std” in the command prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the command prompt is “ext”. The “nacl” indicates that you are configuring a named ACL.
Syntax: ip access-list extended | standard
The extended | standard parameter indicates the ACL type.
Reordering ACLs
When you use the CLI to configure any ACL, the software places the ACL entries in the order you enter them. For example, if you enter the following entries in the order shown below, the software always applies the entries to traffic in the same order.
ServerIronADX(config)# access-list 1 deny 209.157.22.0/24
ServerIronADX(config)# access-list 1 permit 209.157.22.
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.0.0.255 log
access-list 1 permit any
access-list 101 deny tcp any any eq http log
The software applies the entries in ACL 1 in the order shown and stops at the first match. Thus, if a packet is denied by one of the first three entries, it is not permitted by the fourth entry even if it matches that entry's comparison values.
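The ordering rule just described is easy to get wrong when an ACL grows. As an added example (not code from this guide or from Brocade), the following Python model reproduces that rule: entries are compared in the order entered, the first match decides, and a packet that matches nothing is dropped by the implicit deny. It also follows the fragment handling described under “How ServerIron ADX processes ACLs”, where a non-initial fragment, which carries no Layer 4 header, is judged on its source and destination addresses only. The ACL text for ACL 1 and ACL 101 is taken from the example above, and “access1” is written from the IPv6 example later in this guide (prefixes fec0:0:0:2::/64 and 2001:db8:100:1::/48) in the same access-list style; the packets, the short well-known-port table and the Entry/Packet helpers are assumptions made for the demonstration.

```python
"""Added example: ordered, first-match ACL evaluation as this guide describes it.

Illustrative code, not the ServerIron ADX implementation. Entries are applied
in the order entered, the first match wins, a packet that matches no entry is
dropped (implicit deny), and a non-initial IP fragment (no Layer 4 header) is
judged on its source and destination addresses only. Packets and the port
table are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PROTOCOLS = {"ip", "ipv6", "tcp", "udp", "icmp"}
WELL_KNOWN = {"http": 80, "https": 443, "ssh": 22, "telnet": 23, "dns": 53}  # assumed subset


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: Optional[str]      # None for a standard (source-address-only) ACL
    src: Optional[Net]        # None means "any"
    dst: Optional[Net]
    dport: Optional[int]      # from "eq <port>"; None matches any port
    log: bool
    text: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    first_fragment: bool = True   # False: non-initial fragment, no L4 header


def _take_addr(tokens: List[str]) -> Optional[Net]:
    """Consume 'any' | 'host A' | 'A/len' | 'A wildcard-mask' from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))          # /32 or /128
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False)
    # Dotted wildcard mask: 0 bits must match, 1 bits are ignored.
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)


def parse_entry(line: str) -> Entry:
    """Parse one permit/deny clause written in access-list syntax."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny in {line!r}")
    proto = tokens.pop(0) if tokens[0] in PROTOCOLS else None
    src = _take_addr(tokens)
    dst = _take_addr(tokens) if proto is not None else None   # standard ACL: any dst
    dport = None
    if tokens and tokens[0] == "eq":
        dport = int(tokens[1]) if tokens[1].isdigit() else WELL_KNOWN[tokens[1]]
        del tokens[:2]
    return Entry(action, proto, src, dst, dport, "log" in tokens, line)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """Apply the entries in order; return (action, matching entry or None)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.src is not None and src not in e.src:
            continue
        if e.dst is not None and dst not in e.dst:
            continue
        if not pkt.first_fragment:
            # No Layer 4 header to compare: both addresses matched, so this
            # entry's action decides the fragment.
            return e.action, e
        if e.proto not in (None, "ip", "ipv6", pkt.proto):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e
    return "deny", None   # implicit deny: no entry matched


# ACL 1 and ACL 101 from the reordering example; access1 from the IPv6 example.
ACL_1 = [parse_entry(s) for s in (
    "deny host 209.157.22.26 log", "deny 209.157.22.0 0.0.0.255 log", "permit any")]
ACL_101 = [parse_entry(s) for s in (
    "deny tcp any any eq http log", "permit ip any any")]
ACL_ACCESS1 = [parse_entry(s) for s in (
    "deny ipv6 fec0:0:0:2::/64 any", "deny ipv6 2001:db8:100:1::/48 any",
    "permit ipv6 any any")]

if __name__ == "__main__":
    for name, acl, pkt in (
        ("1", ACL_1, Packet("209.157.22.26", "198.99.4.69", "tcp", 443)),
        ("1", ACL_1, Packet("209.157.22.100", "198.99.4.69", "udp", 53)),
        ("101", ACL_101, Packet("10.1.1.5", "10.2.2.2", "tcp", 80)),
        ("101", ACL_101, Packet("10.1.1.5", "10.2.2.2", "tcp", 80, False)),
        ("access1", ACL_ACCESS1, Packet("2001:db8:100:7::9", "2001:db8::1")),
    ):
        action, hit = evaluate(acl, pkt)
        print(f"ACL {name}: {pkt.src} -> {action} ({hit.text if hit else 'implicit deny'})")
```

Two results are worth noting when you run it. The non-initial fragment sent through ACL 101 is denied by the `deny tcp any any eq http` entry even though no port can be compared, because both of its `any` addresses match; an L4 deny with narrower addresses would instead let fragments fall through to a later permit. And the packet from 2001:db8:100:7::9 is denied by the `2001:db8:100:1::/48` entry, because a /48 mask covers all of 2001:db8:100::/48, not only the 2001:db8:100:1:: subnet written in the entry.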
Syntax: [no] ip rebind-acl | | all
Adding, replacing, or deleting comments to rule-based ACLs
The remark subcommand enables you to include comments about entries in access control lists (ACLs). Comments make it easier for network administrators to scan and understand ACL entries.
Deleting comments applied to numbered ACLs
To delete a comment from a numbered ACL, enter the access-list remark command with the no operand, as in the following example.
ServerIronADX(config)# no access-list 99 remark Permit all users
In the example, the command deletes the comment “Permit all users” from the ACL.
Replacing comments applied to named ACLs
To replace the last comment entered for a named ACL, enter the remark command within the ACL configuration. The previous comment is overwritten. In the following example, the last comment entered for the named ACL called melon is replaced with the comment “Permit sales”.
Displaying rule-based ACL entries
ServerIronADX# show access-list 99
Standard IP access list 99
deny host 1.2.4.5
deny host 5.6.7.8
permit any
Syntax: show access-list | | all [bindings]
Access control lists can be identified by either an or an value. Numbered ACLs are always identified by a value. Named ACLs may be identified by either an or an value.
Displaying ACLs using numerical keywords
Using numerical keywords, you can view only those ACL entries that match a specified numerical value, which is useful for filtering ACL entries by the IP addresses they govern. For example, consider a numbered ACL (99) that includes multiple entries. Entering the show access-list command returns all of the entries.
Enter the begin parameter to start the display at the first line containing text that matches the keyword. For example, if you enter “begin 5”, the displayed information begins with the first line containing the number “5”.
Enter the exclude parameter to exclude any lines containing text that matches the keyword. For example, if you enter “exclude 5”, any line containing the number “5” is excluded from the display.
Enter the include parameter to display only those lines containing text that matches the keyword. For example, if you enter “include Permit”, any line containing the word “Permit” is included in the display.
Displaying ACL bindings
To view which ACLs (IPv4 and IPv6) are bound to which interfaces, enter the show access-list command with the bindings keyword, as shown in the following example.
ACL logging
Syslog message for changed ACL mode
If the device changes the ACL mode from rule-based to flow-based, it generates one of the following syslog notification messages:
• ACL insufficient L4 session resource, using flow-based ACL instead.
• ACL exceed max DMA L4 CAM resource, using flow-based ACL instead. Refer to “Specifying the maximum number of CAM entries” on page 64.
• ACL insufficient L4 CAM resource, using flow-based ACL instead.
In flow-based mode, packets without a session-table entry are sent to the CPU for comparison against the ACLs (see “Enabling strict TCP or UDP mode for flow-based ACLs”), so treat these messages as a capacity warning rather than as purely informational.
ServerIronADX(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
00d07h03m30s:warning:list 101 denied tcp 209.157.22.
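The denied-packet lines above are the audit trail an ACL leaves behind, and they are what an operator exports to a SIEM. As an added example (not from this guide or from Brocade), the following Python script parses that message format, totals denied events per ACL and source address, and separately flags the mode-change notifications listed under “Syslog message for changed ACL mode”. Only the first log line below is the guide's own; the rest are constructed in the same format, and the uptime and level prefix on the mode-change line is an assumption about how that notification appears in the buffer.

```python
"""Added example: parsing ACL deny messages from the ServerIron ADX log buffer.

Illustrative code, not part of the ServerIron ADX or of this guide. It
parses "list <acl> denied <proto> <src>(<port>)(<interface> <mac>) ->
<dst>(<port>), <n> event(s)" lines, totals denied events per (ACL, source),
and flags the three mode-change notifications the guide lists.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

ACL_HIT = re.compile(
    r"^(?P<uptime>\d+d\d+h\d+m\d+s):(?P<level>\w+):"
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>[^)]*)\)\((?P<intf>[^)]*)\) -> "
    r"(?P<dst>\S+?)\((?P<dport>[^)]*)\), (?P<events>\d+) event\(s\)$"
)

# Exact message texts the guide lists for a fall-back to flow-based ACLs.
MODE_CHANGE = (
    "ACL insufficient L4 session resource, using flow-based ACL instead.",
    "ACL exceed max DMA L4 CAM resource, using flow-based ACL instead.",
    "ACL insufficient L4 CAM resource, using flow-based ACL instead.",
)

# Constructed sample: line 1 is the guide's, the others follow its format.
SAMPLE_LOG = """\
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
21d07h03m30s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 12 event(s)
21d07h03m41s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.70(https), 3 event(s)
21d07h04m02s:warning:list 1 denied udp 209.157.22.26(5353)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.1(dns), 2 event(s)
21d07h04m10s:notification:ACL insufficient L4 CAM resource, using flow-based ACL instead.
"""


def uptime_seconds(stamp: str) -> int:
    """Convert the 'DDdHHhMMmSSs' uptime stamp to seconds since boot."""
    m = re.fullmatch(r"(\d+)d(\d+)h(\d+)m(\d+)s", stamp)
    d, h, mi, s = (int(x) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_hit(line: str) -> Optional[dict]:
    """Return the fields of one ACL hit message, or None for any other message."""
    m = ACL_HIT.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["events"] = int(rec["events"])
    rec["uptime_s"] = uptime_seconds(rec["uptime"])
    # "(Ethernet 4/18 0010.5a1f.77ed)" carries the ingress port and source MAC.
    rec["port"], rec["mac"] = rec.pop("intf").rsplit(" ", 1)
    return rec


def summarize(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, str], int], List[str]]:
    """Total denied events per (ACL, source) and collect mode-change alerts."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[str] = []
    for line in lines:
        rec = parse_hit(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["events"]
        elif any(line.rstrip().endswith(msg) for msg in MODE_CHANGE):
            # Filtering moved from hardware to the CPU: a capacity problem.
            alerts.append(line.strip())
    return dict(totals), alerts


if __name__ == "__main__":
    totals, alerts = summarize(SAMPLE_LOG.splitlines())
    for (acl, src), n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"ACL {acl}: {src} denied {n} time(s)")
    for a in alerts:
        print("MODE CHANGE:", a)
```

The event count is summed rather than the line count because, as the sample shows, one line can stand for many denied packets. Keying on (ACL, source) rather than on the full tuple makes a single source hammering several destinations surface as one total, which is what you want when looking for scanning behind a deny.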
• IGMP
• IGRP
• IP
• OSPF
• TCP
• UDP
• Protocol number, if an ACL is configured for a protocol not listed above
For TCP and UDP, a separate set of statistics is listed for each application port.
Clearing flow-based ACL statistics
To clear the ACL statistics, enter the following command at the Privileged EXEC level of the CLI.
Enabling ACL filtering of fragmented packets
This section includes the following topics:
• “Filtering fragmented packets for rule-based ACLs” on page 86
• “Throttling the fragment rate” on page 86
Filtering fragmented packets for rule-based ACLs
By default, when a rule-based ACL is applied to a port, the port uses the ACL to permit or deny the first fragment of a fragmented packet, but forwards subsequent fragments of the same
You can protect against fragment flooding by specifying the maximum number of fragments the device or an individual interface is allowed to send to the CPU in a one-second interval. If the device or an interface receives more than the specified number of fragments in a one-second interval, the device either drops or forwards subsequent fragments in hardware, depending on the action you specify.
• forward: Fragments are forwarded in hardware without filtering by the ACLs.
The parameter specifies the number of minutes the device enforces the drop or forward action after a threshold has been exceeded. You can specify from 1 to 30 minutes, for frag-rate-on-sys or frag-rate-on-interface.
Enabling strict TCP or UDP mode for flow-based ACLs
• If the session table does not contain a matching entry, the device sends the packet to the CPU, where the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for the packet's forwarding information and forwards the packet.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command.
ServerIronADX(config)# no ip strict-acl-tcp
NOTE
Enter the ip rebind-acl command at the global CONFIG level of the CLI to place the ip strict-acl-tcp or no ip strict-acl-tcp command into effect.
• The ACL packet counter feature provides an accurate count of packets matching individual ACL entries.
• The ACL flow counter feature provides an approximate count of flows matching individual ACL entries. This feature can be used for troubleshooting purposes to provide an indication of flow activity against an ACL.
ACLs and ICMP
The commands in this example deny (drop) ICMP echo request packets whose IP header Total Length field is 92 or 100. You can specify an IP packet length from 1 through 65535. Refer to “ICMP filtering with flow-based ACLs” on page 92 for additional information on using ICMP to filter packets.
Named ACLs
For example, to deny the administratively-prohibited message type in a named ACL, enter commands such as the following.
TABLE 12 ICMP message types and codes (Continued)
ICMP message type          Type  Code
host-precedence-violation  3     14
host-redirect              5     1
host-tos-redirect          5     3
host-tos-unreachable       3     12
host-unreachable           3     1
information-request        15    0
mask-reply                 18    0
mask-request               17    0
net-redirect               5     0
net-tos-redirect           5     2
net-tos-unreachable        3     11
net-unreachable            3     0
packet-too-big             3     4
parameter-problem          12    0
port-unreachable           3     3
precedence-cut
Using flow-based ACLs and NAT on the same interface
You can use ACLs and NAT on the same interface, as long as you follow these guidelines:
• You must use the ip strict-acl-tcp command when ACLs and NAT are configured on the same Layer 2 Switch. (Refer to the instructions below on how to use this command.)
• Do not enable NAT on an interface until you have applied ACLs (as described below) to the interface.
Troubleshooting rule-based ACLs
Use the following methods to troubleshoot a rule-based ACL:
• To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list all command. Refer to “Displaying the number of Layer 4 CAM entries” on page 64.
Chapter 6 IPv6 Access Control Lists
In this chapter
• In this chapter . . . . 97
• Configuring IPv6 ACLs . . . . 99
• Applying IPv6 ACLs to interfaces . . . . 105
• Displaying IPv6 ACLs . . . .
IPv6 ACL overview
• Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)
• Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)
The IPv6 protocol can be one of the following well-known names or any IPv6 protocol number from 0 through 255:
• IP Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
Configuring IPv6 ACLs
Beginning with ServerIron ADX 12.3.01
Beginning with release 12.3.01, IPv6 ACLs are processed as described for the following actions.
For deny actions: All deny packets are dropped in hardware.
For permit actions: For all permit traffic, packets are processed in hardware and then forwarded to the barrel processors (BPs). The BPs do not take any action on the ACLs.
The second condition denies all IPv6 traffic from host 2001:db8:2383:e0ac::2 to host 2001:db8:2383:e0aa:0::24. The third condition denies all UDP traffic. The fourth condition permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming IPv6 traffic on the ports to which you assigned the ACL.
The following commands apply the ACL called “rtr” to the incoming traffic on ports 2/1 and 2/2.
The deny statement denies ICMPv6 neighbor discovery neighbor advertisement messages.
IPv6 ACL syntax
When creating IPv6 ACLs, you must use the syntax that is appropriate to the protocol you are filtering. The following sections show the IPv6 ACL syntax for the ICMP, TCP, UDP, and other supported protocols.
Table 13 describes the syntax used to configure IPv6 ACLs.
TABLE 13 Syntax descriptions
ipv6 access-list: Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The name can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks.
permit: The ACL will permit (forward) packets that match a policy in the ACL.
TABLE 13 Syntax descriptions (Continued)
tcp: Indicates that you are filtering TCP packets.
udp: Indicates that you are filtering UDP packets.
tcp-udp-operator: Can be one of the following:
eq: The policy applies to the TCP or UDP port name or number you enter after eq.
Table 14 lists ICMPv6 message types that are not supported for IPv6 ACLs.
ServerIronADX(config)# interface ethernet 3/1
ServerIronADX(config-if-e100-3/1)# ipv6 traffic-filter access1 in
This example applies the IPv6 ACL access1 to incoming IPv6 packets on Ethernet interface 3/1. As a result, Ethernet interface 3/1 denies all incoming packets from the site-local prefix fec0:0:0:2::/64 and the global prefix 2001:db8:100:1::/48 and permits all other incoming packets. Note that a /48 prefix length masks off the fourth hextet, so this entry matches all of 2001:db8:100::/48, not only addresses under 2001:db8:100:1::. (Site-local addressing was deprecated by RFC 3879; the fec0::/10 prefix is kept here only as the guide's example.)
Syntax: show access-list bindings
Using an ACL to restrict SSH access
To configure an ACL that restricts SSH access to an IPv6 device, create the named ACL with the ACL statements, and then use the ssh access-group ipv6 command to restrict SSH access for IPv6.
Logging IPv6 ACLs
NOTE
Permit logging is not currently supported.
Chapter 7 Network Address Translation
In this chapter
• In this chapter
• Configuring NAT
• Forwarding packets without NAT translation
Configuring NAT
The following types of NAT are supported with ServerIron ADX:
• Static NAT: Maps a specific public IP address (Internet IP address) to a specific private address. Static translation ensures that ServerIron ADX always maps the same public address to a given private address. For example, you can map a specific host (IP address 10.1.1.1) in the private network to always use the same Internet address (150.1.1.
Configuring static NAT
Use the ip nat inside source static command to explicitly map a private address to a global address. Static NAT ensures that a specific host in the private network is always mapped to the global address you specify. For a sample static NAT configuration, see “Static NAT configuration example” on page 116. For example, to map the private address 10.10.10.69 to the global address 209.157.1.69, you may enter the following command.
Configuring an address pool
Use the ip nat pool command to configure the address pool. For an example, refer to “Dynamic NAT configuration example 1” on page 113.
Syntax: [no] ip nat pool netmask | prefix-length
The variable specifies the name assigned to the pool. It can be up to 255 characters long and can contain special characters and internal blanks.
Enabling IP NAT globally
The following command enables IP NAT globally.
ServerIronADX(config)# ip nat inside
Syntax: [no] ip nat inside
Enabling IP NAT per-interface
When enabled per-interface, IP NAT must be enabled exclusively “inside” or “outside” on a physical or virtual interface, as shown in the following example.
Figure 18 shows a dynamic NAT configuration on a ServerIron ADX running switch code. The ServerIron ADX is connected to the Internet through a router. The private network, also referred to as the inside network, consists of IP addresses in the range 10.10.1.2 through 10.10.1.254, with a 24-bit subnet mask. A pool of global addresses in the range of 209.157.1.2 through 209.157.1.
FIGURE 19 Dynamic NAT translating inside host addresses to a pool of global addresses
(Figure: a remote server on the Internet is reached through outside interface 1/1 of the ServerIron ADX (SI); inside interface 1/5 faces the inside IP addresses 20.20.0.0; the global IP address pool is 15.15.15.15 to 15.15.15.25.)
In the example shown in Figure 19, the ServerIron ADX is acting as a gateway between the private network and the Internet.
Static NAT configuration example
The following example describes how to configure a static NAT entry for inside-to-outside and outside-to-inside translation for the network shown in Figure 20.
FIGURE 20 Example of a static NAT configuration with ServerIron ADX
(Figure: a remote server on the Internet; global IP address 15.15.15.15; outside interface 1/1 and inside interface 1/5 of the ServerIron ADX (SI); local IP address 20.20.5.)
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-e1000-1/1)# ip address 30.30.0.1 255.255.0.0
ServerIronADX(config-if-e1000-1/1)# ip address 15.15.15.100 255.255.0.
FIGURE 21 Example of IP NAT with VIP overlap
(Figure: remote server 60.60.60.60 is reached through eth 1/1, 20.20.20.1/24, which also carries VIP 20.20.20.3; eth 1/2, 10.1.1.1/24, faces PCs 10.1.1.101 and 10.1.1.102 and real servers rs1 10.1.1.103 and rs2 10.1.1.104.)
In this example, any host on the inside network (10.1.1.0) that initiates a connection to the remote host is translated to the virtual server IP address (20.20.20.3).
Configuring the NAT translation aging timer
Use the ip nat translation command to alter the NAT translation aging timer.
Syntax: [no] ip nat disable-sticky
Deleting IP NAT sticky sessions
By default, when a dynamic IP NAT client initiates traffic, the ServerIron ADX selects a NAT pool IP and creates a sticky session, which associates the client's IP with that NAT pool IP. For all subsequent flows from the client, the same NAT pool IP is selected as long as the sticky session exists.
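The pool, the aging timer and the sticky session interact: a sticky client is confined to one pool IP, so that IP's port pool is the resource that runs out first. As an added example (not Brocade's code and not from this guide), the following Python model puts those three behaviours from this chapter together so the interaction can be seen on a deliberately tiny pool. The port range, the aging default, round-robin choice of a pool IP for a new client, and dropping a sticky session once its client has no live translations left are assumptions made for the demonstration; the head/tail port queue mirrors the h:/t: fields of show ip nat statistics, and the no-ports counter mirrors the “no ports avl” statistics.

```python
"""Added example: dynamic NAT/PAT with sticky pool-IP selection.

Illustrative code, not the ServerIron ADX implementation. The first flow
from an inside client picks a pool IP and creates a sticky session, later
flows reuse that IP while the session exists, each pool IP has its own port
pool, translations age out on a timer, and a flow fails when its pool IP has
no free port. Port range, aging default, round-robin selection and sticky
removal on idle are assumptions for the demonstration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]    # (protocol, inside local IP, inside port)


@dataclass
class Translation:
    inside_global: str
    global_port: int
    expires_at: float


@dataclass
class PoolIp:
    address: str
    free_ports: Deque[int]        # taken from the head ("h:"), refilled at the tail ("t:")


class DynamicNat:
    def __init__(self, pool: List[str], port_range=(1024, 65535),
                 aging: float = 120.0, sticky: bool = True):
        lo, hi = port_range
        self.pool = [PoolIp(ip, deque(range(lo, hi + 1))) for ip in pool]
        self.aging = aging            # seconds; assumed default
        self.sticky = sticky          # False models 'ip nat disable-sticky'
        self.sticky_map: Dict[str, PoolIp] = {}
        self.table: Dict[FlowKey, Translation] = {}
        self.no_ports_avl = 0         # cf. the 'no ports avl' counters
        self._rr = 0

    def _candidates(self, inside_ip: str) -> List[PoolIp]:
        if inside_ip in self.sticky_map:
            return [self.sticky_map[inside_ip]]     # bound to one pool IP
        start, self._rr = self._rr, (self._rr + 1) % len(self.pool)
        return self.pool[start:] + self.pool[:start]  # round-robin (assumed)

    def translate(self, proto: str, inside_ip: str, inside_port: int,
                  now: float) -> Optional[Tuple[str, int]]:
        """Return (inside global IP, port) for the flow, or None if no port is free."""
        self.expire(now)
        key = (proto, inside_ip, inside_port)
        hit = self.table.get(key)
        if hit:
            hit.expires_at = now + self.aging       # traffic refreshes the timer
            return hit.inside_global, hit.global_port
        for pip in self._candidates(inside_ip):
            if pip.free_ports:
                port = pip.free_ports.popleft()
                self.table[key] = Translation(pip.address, port, now + self.aging)
                if self.sticky:
                    self.sticky_map[inside_ip] = pip
                return pip.address, port
        # A sticky client is confined to one pool IP, so its flows fail once
        # that IP's ports are gone even if other pool IPs still have spare ones.
        self.no_ports_avl += 1
        return None

    def expire(self, now: float) -> None:
        """Age out idle translations and return their ports to the pool tail."""
        for key in [k for k, t in self.table.items() if t.expires_at <= now]:
            t = self.table.pop(key)
            pip = next(p for p in self.pool if p.address == t.inside_global)
            pip.free_ports.append(t.global_port)
        live = {k[1] for k in self.table}
        for ip in [ip for ip in self.sticky_map if ip not in live]:
            del self.sticky_map[ip]              # assumption: idle client loses stickiness

    def clear_sticky(self, inside_ip: str) -> None:
        """Operator action: delete one client's sticky session by hand."""
        self.sticky_map.pop(inside_ip, None)


if __name__ == "__main__":
    # Two pool IPs with two ports each, so exhaustion is visible immediately.
    nat = DynamicNat(["63.2.63.200", "63.2.63.201"], port_range=(1024, 1025), aging=60)
    for t, port in enumerate((40000, 40001, 40002)):
        print(f"10.1.1.100:{port} ->", nat.translate("tcp", "10.1.1.100", port, now=t))
    print("new client 10.1.1.101 ->", nat.translate("tcp", "10.1.1.101", 50000, now=3))
    print("no-ports-available events:", nat.no_ports_avl)
```

Running it shows the third flow from 10.1.1.100 failing while 63.2.63.201 still has both ports free, which is the sizing consequence of sticky sessions: the port-pool range per pool IP, not the total pool size, bounds a single client. Constructing the model with sticky=False spreads the same client's flows across both pool IPs, at the cost of the per-client address consistency that sticky sessions exist to provide.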
IP NAT redundancy
The ServerIron ADX supports static and dynamic IP NAT in redundant/HA environments using Hot-Standby mode with switch code, or Sym-Active (Active-Active) mode using VRRP-E with router code. Further information on VRRP-E can be found in the ServerIron ADX Switch and Router Guide under the section “Configuring VRRP and VRRP-E”.
FIGURE 22 Minimum required configuration for dynamic NAT in Hot-Standby setup
(Figure: remote server 60.60.60.60 behind the gateway; VE 63.2.63.244 (primary) and 10.1.1.1 (secondary); ServerIron ADX A 10.1.1.2 and ServerIron ADX B 10.1.1.3, each with ports 1/1, 1/12 and 1/2 and NAT pool IP 63.2.63.200; PCs 10.1.1.100 and 10.1.1.101 and servers 10.1.1.102 and 10.1.1.103.)
ServerIronADX(config)# access-list 10 permit 10.1.1.0 0.0.0.255
4. Configure a dynamic NAT pool on each ServerIron ADX, and assign device ownership to the NAT pool. In this example, ServerIron ADX A is assigned as the NAT pool owner, and therefore takes the higher priority value:
SI_A(config)# ip nat pool P1 63.2.63.200 63.2.63.200 prefix-len 24
SI_A(config)# ip nat pool P1 port-pool-range 2
SI_B(config)# ip nat pool P1 63.2.63.200 63.2.63.
FIGURE 23 Minimum required configuration for static NAT in Hot-Standby setup
(Figure: remote server 60.60.60.60 behind the gateway; VE 63.2.63.244 (primary) and 10.1.1.1 (secondary); ServerIron ADX A 10.1.1.2 and ServerIron ADX B 10.1.1.3, each with ports 1/1, 1/12 and 1/2; PCs 10.1.1.100 and 10.1.1.101 and servers 10.1.1.102 and 10.1.1.103.)
3. Configure the static NAT entries on each ServerIron ADX, and assign device ownership to the NAT entries. In this example, ServerIron ADX A is assigned as the NAT owner, and therefore takes the higher priority value:
SI_A(config)# ip nat inside source static 10.1.1.100 63.2.63.100
SI_A(config)# ip nat inside source static 10.1.1.101 63.2.63.
SI_A(config)# ip nat inside source static 10.1.1.102
SI_A(config)# ip nat inside source static 10.1.1.103
FIGURE 24 Minimum required configuration for dynamic NAT in Sym-Active setup
(Figure: remote server 60.60.60.60 behind gateway VE 10.10.20.1; ServerIron ADX A with outside 10.20.1.2 and inside 10.10.1.2, and ServerIron ADX B with outside 10.20.1.4 and inside 10.10.1.4, each with ports 1/1, 1/12 and 1/2; a switch connects PCs 10.10.1.100 and 10.10.1.101 and servers 10.10.1.102 and 10.10.1.103.)
ServerIronADX(config)# vlan 100
ServerIronADX(config-vlan-100)# untagged ethernet 1/1
ServerIronADX(config-vlan-100)# router-interface ve 1
ServerIronADX(config-vlan-100)# exit
ServerIronADX(config)# vlan 200
ServerIronADX(config-vlan-200)# untagged ethernet 1/2
ServerIronADX(config-vlan-200)# router-interface ve 2
ServerIronADX(config-vlan-200)# exit
ServerIronADX-A(config)# interface ve 1
ServerIronADX-A(config-ve-1)# ip address 10.10.20.2 255.255.255.
ServerIronADX-A(config)# interface ve 1
ServerIronADX-A(config-ve-1)# ip vrrp-extended vrid 1
ServerIronADX-A(config-ve-1-vrid-1)# backup priority 200 track-priority 10
ServerIronADX-A(config-ve-1-vrid-1)# ip-address 10.10.20.
Configuring static NAT redundancy in Sym-Active (Active-Active) mode
The Sym-Active (Active-Active) mode is available for IP NAT in router code, and it is configured in combination with VRRP-E. IP NAT is VIP group-aware and requires NAT port pools to be configured in the VIP group, which is then tied to the VRRP-E configuration. Follow these steps to enable the minimum required configuration for static NAT in Sym-Active mode, as shown in Figure 25.
The server router-ports command enables the ServerIron ADX to count the number of upstream (or downstream) router ports connected to the device.
3. Identify the inside and outside networks and assign them to different VLANs. VRRP-E requires the interface on which you configure a virtual router ID (VRID) to have an IP interface in the same subnet as the VRID address.
associates this state change with VRID 1 and causes VRRP-E to fail over the VRID to the other ServerIron ADX. The ServerIron ADX on which you configure the higher VRRP-E backup priority becomes the default master for the VRID, while the other ServerIron ADX becomes the backup. In this example, ServerIron ADX A is configured as the default master for the HA setup.
Note that each VIP group can have only one VRID associated with it. Also, each virtual IP address can belong to only one VIP group.
IP NAT session synchronization in HA configurations
IP NAT sessions created by the active ServerIron ADX in an HA configuration are synchronized to the standby ServerIron ADX. When failover occurs, the standby ServerIron ADX is able to use the IP NAT session information created by the active ServerIron ADX.
Displaying NAT information
(show ip nat statistics output: per-pool-address rows [0] through [5], each listing h:, t: and m: values; see Table 15 for the meaning of these fields.)
TABLE 15 Display fields for show ip nat statistics (Continued)
nat tcp rev no ports avl: The number of times a “port unreachable” message was generated because the ServerIron ADX could not get a port from the port pool for IP NAT of TCP reverse traffic.
nat tcp rev status zero: The number of times an error in NAT translation for TCP reverse traffic has occurred.
[x]: The variable x is the index of the IP address in the IP NAT pool. For example, [0] refers to the first IP address in the pool (10.1.1.10) and [1] to the second (10.1.1.11).
h: The value following “h:” is the head of the port pool for that IP address in the IP NAT pool.
TABLE 16 Display fields for show ip nat translation (Continued)
Inside local: The private address mapped to the Internet address listed in the Inside global field for inside NAT.
Outside global: The destination of the traffic. If PAT is enabled, the TCP or UDP port is also shown. NOTE: Currently, outside NAT is not supported.
Outside local: The destination of the traffic. If PAT is enabled, the TCP or UDP port is also shown.
ServerIronADX_Lower# show ip vrrp-e brief
Total number of VRRP-Extended routers defined: 2
Interface  VRID  CurPri  P  State   Master addr  Backup addr  VIP
v5         1     125     P  Master  Local        Unknown      5.1.1.9
v10        2     125     P  Master  Local        Unknown      10.1.1.9
Syntax: show ip vrrp-e brief
Clearing NAT entries from the table
Use the clear ip nat command to manually clear entries from the NAT table.