Thursday, 11 September 2008

How the NAT mechanism is organized in Cisco network devices.

Why is network address translation needed? There are many reasons, but the main one is the shortage of IPv4 address space. At the current pace of network growth, free IPv4 addresses will run out within 2-4 years. As a temporary measure, it has been proposed to start allocating addresses from the reserved class E block (the 240.0.0.0/4 network, which contains 268 million addresses whose first octet is 240 through 255); this would extend the life of IPv4 by roughly one more year. Meanwhile, we are all eagerly learning IPv6 and the dynamic routing protocols that go with it.

That is why network address translation is an integral part of any corporate network that has a connection to the global Internet.

Does NAT occur before or after routing?

The order in which NAT processes a packet depends on its direction: from the inside network to the outside network, or from the outside network to the inside network. Inside-to-outside translation occurs after routing, and outside-to-inside translation occurs before routing. In practice this means that for an outside-to-inside packet the destination is first translated to its inside-local address and the router then needs a route to that inside address, while for an inside-to-outside packet the routing decision is made on the untranslated packet and the source address is rewritten only on the way out.

How does PAT work?

PAT works with either one IP address or multiple addresses.

PAT with one IP address:

  1. NAT/PAT inspects traffic and matches it to a translation rule.
  2. The rule matches a PAT configuration. If PAT recognizes the traffic type, and that traffic type uses a set of specific ports or negotiates the ports it will use, PAT sets those ports aside and does not allocate them as unique identifiers.
  3. If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks the availability of the originated source port (433, for example).
    Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the port groups are: 1−511, 512−1023, 1024−65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.
  4. If the requested source port is available, PAT assigns that source port, and the session continues.
  5. If the requested source port is not available, NAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
  6. If a port is available, it is assigned, and the session continues.
  7. If no ports are available, the packet is dropped.


PAT with multiple IP addresses:

Note: The first seven conditions are the same as with a single IP address. If no ports are available in the relevant group on the first IP address, NAT flips to the next IP address in the pool and tries to allocate the original source port requested.

  1. If the requested source port is available, NAT assigns the source port and the session continues.
  2. If the requested source port is not available, NAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
  3. If a port is available, it is assigned and the session continues.
  4. If no ports are available, the packet is dropped, unless another IP address is available in the pool.
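The single-address and multiple-address procedures above are the same allocation loop with one extra outer step, so the following added example models both at once. It is not Cisco code and not part of the original post: the class and function names (PatPool, allocate, port_group) are hypothetical, the group boundaries are the ones from the note above, the assumption that ICMP groups share the TCP/UDP upper bounds is mine, and the 512 sessions from TCP port 433 and the documentation-range addresses are constructed sample input.

```python
"""Model of the Cisco PAT port-allocation steps described above.

Added example (not Cisco's code, not the original post's). It simulates:
original source port first, then a search from the start of the port
group that port belongs to, then roll-over to the next pool address,
then drop. Names here (PatPool, allocate, port_group) are hypothetical.
"""

# Port groups from the note above: TCP/UDP start at 1, ICMP starts at 0.
TCP_UDP_GROUPS = ((1, 511), (512, 1023), (1024, 65535))
ICMP_GROUPS = ((0, 511), (512, 1023), (1024, 65535))  # upper bounds assumed


def port_group(proto, port):
    """Return the (low, high) group that contains `port` for `proto`."""
    groups = ICMP_GROUPS if proto == "icmp" else TCP_UDP_GROUPS
    for low, high in groups:
        if low <= port <= high:
            return low, high
    raise ValueError(f"{proto} port {port} is outside every PAT group")


class PatPool:
    """One overload pool: an ordered list of global addresses plus the
    (address, proto, port) tuples already handed out to sessions."""

    def __init__(self, addresses, reserved_ports=()):
        self.addresses = list(addresses)
        # Step 2: ports that recognized application types use or negotiate
        # are set aside and never allocated as unique identifiers.
        self.reserved = frozenset(reserved_ports)
        self.in_use = set()

    def _free(self, addr, proto, port):
        return port not in self.reserved and (addr, proto, port) not in self.in_use

    def _take(self, addr, proto, port):
        self.in_use.add((addr, proto, port))
        return addr, port

    def allocate(self, proto, src_port):
        """Translate one new session. Returns (global_addr, global_port),
        or None when the packet would be dropped."""
        low, high = port_group(proto, src_port)
        for addr in self.addresses:  # a single address is a one-entry pool
            # Steps 3-4: keep the originated source port if it is free.
            if self._free(addr, proto, src_port):
                return self._take(addr, proto, src_port)
            # Steps 5-6: otherwise walk the relevant group from its start.
            for port in range(low, high + 1):
                if self._free(addr, proto, port):
                    return self._take(addr, proto, port)
            # Group exhausted on this address: flip to the next pool
            # address and retry the original source port there.
        return None  # Step 7: nothing left anywhere in the pool, drop


def demo():
    """Push 512 sessions that all originate from TCP port 433 through a
    one-address pool and a two-address pool (constructed sample input)."""
    single = PatPool(["203.0.113.1"])
    single_results = [single.allocate("tcp", 433) for _ in range(512)]
    double = PatPool(["203.0.113.1", "203.0.113.2"])
    double_results = [double.allocate("tcp", 433) for _ in range(512)]
    return single_results, double_results


if __name__ == "__main__":
    single, double = demo()
    print("single address:", single[0], single[1], single[510], single[511])
    print("two addresses :", double[511])
```

Because port 433 sits in the 1−511 group, the first session keeps 433, the second gets 1, and the group is exhausted after 511 sessions; with a single address the 512th session is dropped, while with two addresses it rolls over to 203.0.113.2 with its original port 433. Ports are tracked per protocol, so a TCP and a UDP session may both hold 433 on the same global address.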
