在Catalyst 9000交換機上配置並檢驗NAT
簡介
本檔案介紹如何在Catalyst 9000平台上設定和驗證網路位址翻譯(NAT)。
必要條件
需求
思科建議您瞭解以下主題:
- IP定址
- 存取控制清單
背景資訊
NAT最常見的情況是將專用IP網路空間轉換為全球唯一的Internet可路由地址。
執行NAT的裝置需要有一個內部網路上的介面(本地)和一個外部網路上的介面(全局)。
NAT裝置負責檢查源流量,以確定它是否需要根據NAT規則配置進行轉換。
如果需要轉換,裝置會將本地源IP地址轉換為全局唯一的IP地址,並在其NAT轉換表中跟蹤此地址。
當資料包以可路由地址返回時,裝置將檢查其NAT表,檢視是否有其他轉換正在進行。
如果是,路由器會將內部全局地址轉換回相應的內部本地地址並路由資料包。
採用元件
透過Cisco IOS® XE 16.12.1,NAT現在可在Network Advantage許可證上使用。在所有舊版本中,DNA Advantage許可證中均提供此功能。
| 平台 | 引入了NAT功能 |
| C9300 | Cisco IOS® XE版本16.10.1 |
| C9400 | Cisco IOS® XE版本17.1.1 |
| C9500 | Cisco IOS® XE版本16.5.1a |
| C9600 | Cisco IOS® XE版本16.11.1 |
本文檔基於採用Cisco IOS® XE 版本16.12.4的Catalyst 9300平台
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
技術
| 靜態Nat | 允許本地地址到全局地址的1對1對映。 |
| 動態NAT | 將本地地址對映到全局地址池。 |
| 過載NAT | 將本地地址對映到使用唯一L4埠的單個全局地址。 |
| 內部本地 | 分配給內部網路上主機的IP地址。 |
| 內部全局 | 這是內部主機對外部網路顯示的IP地址。您可以將此地址視為內部本地地址轉換的地址。 |
| 外部本機 | 外部主機顯示給內部網路的IP地址。 |
| 外部全局 | 分配給外部網路上主機的IP地址。在大多數情況下,外部本地地址和外部全局地址相同。 |
| FMAN-RP | Feature Manager RP。這是將程式設計資訊傳遞給FMAN-FP的Cisco IOS® XE 的控制平面。 |
| FMAN-FP | 功能管理器FP。FMAN-FP接收來自FMAN-RP的資訊並將其傳遞給FED。 |
| FED | 轉發引擎驅動程式。FMAN-FP使用FED將來自控制平面的資訊程式設計到統一接入資料平面(UADP)專用積體電路(ASIC)中。 |
網路圖表
設定
配置示例
將192.168.1.100(內部本地)轉換為172.16.10.10(內部全局)的靜態NAT配置:
NAT-Device#show run interface te1/0/1
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/1
no switchport
ip address 192.168.1.1 255.255.255.0
ip nat inside <-- NAT inside interface
end
NAT-Device#show run interface te1/0/2
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/2
no switchport
ip address 10.10.10.1 255.255.255.0
ip nat outside <-- NAT outside interface
end
ip nat inside source static 192.168.1.100 172.16.10.10 <-- static NAT rule
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.16.10.10:4 192.168.1.100:4 10.20.30.40:4 10.20.30.40:4 <-- active NAT translation
--- 172.16.10.10 192.168.1.100 --- --- <-- static NAT translation added as a result of the configuration
將192.168.1.0/24轉換為172.16.10.1 ― 172.16.10.30的動態NAT配置:
NAT-Device#show run interface te1/0/1
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/1
no switchport
ip address 192.168.1.1 255.255.255.0
ip nat inside <-- NAT inside interface
end
NAT-Device#show run interface te1/0/2
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/2
no switchport
ip address 10.10.10.1 255.255.255.0
ip nat outside <-- NAT outside interface
end
!
ip nat pool TAC-POOL 172.16.10.1 172.16.10.30 netmask 255.255.255.224 <-- NAT pool configuration
ip nat inside source list hosts pool TAC-POOL <-- NAT rule configuration
!
ip access-list standard hosts <-- ACL to match hosts to be translated
10 permit 192.168.1.0 0.0.0.255
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.16.10.10:6 192.168.1.100:6 10.20.30.40:6 10.20.30.40:6
--- 172.16.10.10 192.168.1.100 --- ---
動態NAT過載(PAT)配置,用於將192.168.1.0/24轉換為10.10.10.1(ip nat外部介面):
NAT-Device#show run interface te1/0/1
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/1
no switchport
ip address 192.168.1.1 255.255.255.0
ip nat inside <-- NAT inside interface
end
NAT-Device#show run interface te1/0/2
Building configuration...
Current configuration : 109 bytes
!
interface TenGigabitEthernet1/0/2
no switchport
ip address 10.10.10.1 255.255.255.0
ip nat outside <-- NAT outside interface
end
!
ip nat inside source list hosts interface TenGigabitEthernet1/0/2 overload <-- NAT configuration to use PAT
!
ip access-list standard hosts <-- ACL to match hosts for translation
10 permit 192.168.1.0 0.0.0.255
注意內部全局地址的埠每次轉換的增量為1:
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.10.10.1:1024 192.168.1.100:1 10.20.30.40:1 10.20.30.40:1024 <-- Notice layer 4 port increments
icmp 10.10.10.1:1025 192.168.1.100:2 10.20.30.40:2 10.20.30.40:1025 <-- Notice layer 4 port increments
icmp 10.10.10.1:1026 192.168.1.100:3 10.20.30.40:3 10.20.30.40:1026
icmp 10.10.10.1:1027 192.168.1.100:4 10.20.30.40:4 10.20.30.40:1027
icmp 10.10.10.1:1028 192.168.1.100:5 10.20.30.40:5 10.20.30.40:1028
icmp 10.10.10.1:1029 192.168.1.100:6 10.20.30.40:6 10.20.30.40:1029
icmp 10.10.10.1:1030 192.168.1.100:7 10.20.30.40:7 10.20.30.40:1030
icmp 10.10.10.1:1031 192.168.1.100:8 10.20.30.40:8 10.20.30.40:1031
10.10.10.1:1024 = inside global
192.168.1.100:1 = inside local
驗證靜態NAT
軟體驗證
如果沒有轉換的活動流,預計會看到一半的轉換包含靜態NAT。 當流程變為活動狀態時,將建立動態轉換
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.16.10.10:10 192.168.1.100:10 10.20.30.40:10 10.20.30.40:10 <-- dynamic translation
--- 172.16.10.10 192.168.1.100 --- --- <-- static configuration from NAT rule configuration
使用show ip nat translations verbose命令,您可以確定建立流的時間和剩餘轉換時間。
NAT-Device#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 172.16.10.10:10 192.168.1.100:10 10.20.30.40:10 10.20.30.40:10
create 00:00:13, use 00:00:13, left 00:00:46, <-- NAT timers
flags:
extended, use_count: 0, entry-id: 10, lc_entries: 0
--- 172.16.10.10 192.168.1.100 --- ---
create 00:09:47, use 00:00:13,
flags:
static, use_count: 1, entry-id: 9, lc_entries: 0
檢查NAT統計資料。當流量與NAT規則匹配並建立時,NAT命中計數器將會增加。
當流量與規則匹配但無法建立轉換時,NAT未命中計數器將會增加。
NAT-DEVICE#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended) <-- 1 static translation
Outside interfaces:
TenGigabitEthernet1/0/1 <-- NAT outside interface
Inside interfaces:
TenGigabitEthernet1/0/2 <-- NAT inside interface
Hits: 0 Misses: 0 <-- NAT hit and miss counters.
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list hosts interface TenGigabitEthernet1/0/1 refcount 0
要進行轉換,需要與NAT流的源和目標建立鄰接關係。記下鄰接關係ID。
NAT-Device#show ip route 10.20.30.40
Routing entry for 10.20.30.40/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.10.10.2
Route metric is 0, traffic share count is 1
NAT-Device#show platform software adjacency switch active f0
Adjacency id: 0x29(41) <-- adjacency ID
Interface: TenGigabitEthernet1/0/1, IF index: 52, Link Type: MCP_LINK_IP
Encap: 0:ca:e5:27:3f:e4:70:1f:53:0:b8:e4:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 192.168.1.100 <-- source adjacency
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 464, HW handle: (nil) (created)
Adjacency id: 0x24 (36) <-- adjacency ID
Interface: TenGigabitEthernet1/0/2, IF index: 53, Link Type: MCP_LINK_IP
Encap: 34:db:fd:ee:ce:e4:70:1f:53:0:b8:d6:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 10.10.10.2 <-- next hop to 10.20.30.40
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 452, HW handle: (nil) (created)
可以啟用NAT調試來驗證交換機是否接收流量以及是否建立NAT流
NAT-Device#debug ip nat detailed
IP NAT detailed debugging is on
NAT-Device#
*Mar 8 23:48:25.672: NAT: Entry assigned id 11 <-- receive traffic and flow created
*Mar 8 23:48:25.672: NAT: i: icmp (192.168.1.100, 11) -> (10.20.30.40, 11) [55]
*Mar 8 23:48:25.672: NAT: s=192.168.1.100->172.16.10.10, d=10.20.30.40 [55]NAT: dyn flow info download suppressed for flow 11 <-- source is translated
*Mar 8 23:48:25.673: NAT: o: icmp (10.20.30.40, 11) -> (172.16.10.10, 11) [55]
*Mar 8 23:48:25.674: NAT: s=10.20.30.40, d=172.16.10.10->192.168.1.100 [55]NAT: dyn flow info download suppressed for flow 11 <-- return source is translated
*Mar 8 23:48:25.675: NAT: i: icmp (192.168.1.100, 11) -> (10.20.30.40, 11) [56]
<snip>
當流程到期或被刪除時,您會在調試中看到DELETE操作:
*Mar 31 17:58:31.344: FMANRP-NAT: Received flow data, action: DELETE <-- action is delete
*Mar 31 17:58:31.344: id 2, flags 0x1, domain 0
src_local_addr 192.168.1.100, src_global_addr 172.16.10.10, dst_local_addr 10.20.30.40,
dst_global_addr 10.20.30.40, src_local_port 31783, src_global_port 31783,
dst_local_port 23, dst_global_port 23,
proto 6, table_id 0 inside_mapping_id 0,
outside_mapping_id 0, inside_mapping_type 0,
outside_mapping_type 0
硬體驗證
配置NAT規則後,裝置在NAT區域5下的TCAM中對此規則進行程式設計。確認已在TCAM中設定規則。
輸出以十六進位制表示,因此需要轉換為IP地址。
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 3
========================================================
Printing entries for region NAT_2 (371) type 6 asic 3
========================================================
Printing entries for region NAT_3 (372) type 6 asic 3
========================================================
Printing entries for region NAT_4 (373) type 6 asic 3
========================================================
Printing entries for region NAT_5 (374) type 6 asic 3 <-- NAT Region 5
========================================================
TAQ-2 Index-128 (A:1,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 3300f000:00000000:00000000:00000000:00000000:00000000:00000000:ffffffff
Key1 21009000:00000000:00000000:00000000:00000000:00000000:00000000:c0a80164 <-- inside local IP address 192.168.1.100 in hex (c0a80164)
AD 10087000:00000073
TAQ-2 Index-129 (A:1,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0300f000:00000000:00000000:00000000:00000000:00000000:ffffffff:00000000
Key1 02009000:00000000:00000000:00000000:00000000:00000000:ac100a0a:00000000 <-- inside global IP address 172.16.10.10 in hex (ac100a0a)
AD 10087000:00000073
最後,當流量變為活動狀態時,可以透過驗證NAT區域1下的TCAM來確認硬體程式設計。
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 1 <-- NAT Region 1
========================================================
TAQ-2 Index-32 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:06005ac9:00000000:00000017:00000000:00000000:0a141e28:c0a80164
AD 10087000:000000b0
TAQ-2 Index-33 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:06000017:00000000:00005ac9:00000000:00000000:ac100a0a:0a141e28
AD 10087000:000000b1
Starting at Index-32 Key1 from right to left:
c0a80164 = 192.168.1.100 (Inside Local)
0a141e28 = 10.20.30.40 (Outside Global)
00000017 = 23 (TCP destination port)
06005ac9 = 06 for TCP and 5ac9 is 23241 which is source port from "show ip nat translations" of the inside host
Repeat the same for Index-33 which is the reverse translation:
0a141e28 = 10.20.30.40 (Outside Global)
ac100a0a = 172.16.10.10 (Inside Global)
00005ac9 = 23241 TCP Destination port
06000017 = 06 for TCP and 17 for TCP source port 23
檢驗動態NAT
軟體驗證
確認已配置要將內部IP地址轉換為的地址池。
此配置允許將192.168.1.0/24網路轉換為地址172.16.10.1到172.16.10.254
NAT-Device#show run | i ip nat
ip nat inside <-- ip nat inside on inside interface
ip nat outside <-- ip nat outside on outside interface
ip nat pool MYPOOL 172.16.10.1 172.16.10.254 netmask 255.255.255.0 <-- Pool of addresses to translate to
ip nat inside source list hosts pool MYPOOL <-- Enables hosts that match ACL "hosts" to be translated to MYPOOL addresses
NAT-Device#show ip access-list 10 <-- ACL to match hosts to be translated
Standard IP access list 10
10 permit 192.168.1.0, wildcard bits 0.0.0.255
NAT-Device#
請注意,使用動態NAT時,它不會建立任何僅包含配置的條目。需要在填充轉換表之前建立活動流。
NAT-Device#show ip nat translations
<...empty...>
檢查NAT統計資料。當流量與NAT規則匹配並建立時,NAT命中計數器將會增加。
當流量與規則匹配但無法建立轉換時,NAT未命中計數器將會增加。
NAT-DEVICE#show ip nat statistics
Total active translations: 3794 (1 static, 3793 dynamic; 3793 extended) <-- dynamic translations
Outside interfaces:
TenGigabitEthernet1/0/1 <-- NAT outside interface
Inside interfaces:
TenGigabitEthernet1/0/2 <-- NAT inside interface
Hits: 3793 Misses: 0 <-- 3793 hits
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings: <-- rule for dynamic mappings
-- Inside Source
[Id: 1] access-list hosts interface TenGigabitEthernet1/0/1 refcount 3793 <-- NAT rule displayed
確認存在與源和目標的鄰接關係
NAT-Device#show platform software adjacency switch active f0
Number of adjacency objects: 4
Adjacency id: 0x24(36) <-- adjacency ID
Interface: TenGigabitEthernet1/0/2, IF index: 53, Link Type: MCP_LINK_IP
Encap: 34:db:fd:ee:ce:e4:70:1f:53:0:b8:d6:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 10.10.10.2 <-- adjacency to destination
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 449, HW handle: (nil) (created)
Adjacency id: 0x25 (37) <-- adjacency ID
Interface: TenGigabitEthernet1/0/1, IF index: 52, Link Type: MCP_LINK_IP
Encap: 0:ca:e5:27:3f:e4:70:1f:53:0:b8:e4:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 192.168.1.100 <-- source adjacency
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 451, HW handle: (nil) (created)
在確認鄰接關係後,如果存在NAT問題,您可以開始進行與平台無關的NAT調試
NAT-Device#debug ip nat
IP NAT debugging is on
NAT-Device#debug ip nat detailed
IP NAT detailed debugging is on
NAT-Device#show logging
*May 13 01:00:41.136: NAT: Entry assigned id 6
*May 13 01:00:41.136: NAT: Entry assigned id 7
*May 13 01:00:41.136: NAT: i: tcp (192.168.1.100, 48308) -> (10.20.30.40, 23) [30067] <-- first packet ingress without NAT
*May 13 01:00:41.136: NAT: TCP Check for Limited ALG Support
*May 13 01:00:41.136: NAT: s=192.168.1.100->172.16.10.10, d=10.20.30.40 [30067]NAT: dyn flow info download suppressed for flow 7 <-- confirms source address translation
*May 13 01:00:41.136: NAT: attempting to setup alias for 172.16.10.10 (redundancy_name , idb NULL, flags 0x2), rg_id 0 tableid 0 use_tableid 0
*May 13 01:00:41.139: NAT: o: tcp (10.20.30.40, 23) -> (172.16.10.10, 48308) [40691] <-- return packet from destination to be translated
*May 13 01:00:41.139: NAT: TCP Check for Limited ALG Support
*May 13 01:00:41.139: NAT: s=10.20.30.40, d=172.16.10.10->192.168.1.100 [40691]NAT: dyn flow info download suppressed for flow 7 <-- return packet is translated
*May 13 01:00:41.140: NAT: i: tcp (192.168.1.100, 48308) -> (10.20.30.40, 23) [30068]
您還可以調試FMAN-RP NAT操作:
NAT-Device#debug platform software nat all
NAT platform all events debugging is on
Log Buffer (100000 bytes):
*May 13 01:04:16.098: FMANRP-NAT: Received flow data, action: ADD <-- first packet in flow so we ADD an entry
*May 13 01:04:16.098: id 9, flags 0x1, domain 0
src_local_addr 192.168.1.100, src_global_addr 172.16.10.10, dst_local_addr 10.20.30.40, <-- verify inside local/global and outside local/global
dst_global_addr 10.20.30.40, src_local_port 32529, src_global_port 32529,
dst_local_port 23, dst_global_port 23, <-- confirm ports, in this case they are for Telnet
proto 6, table_id 0 inside_mapping_id 1,
outside_mapping_id 0, inside_mapping_type 2,
outside_mapping_type 0
*May 13 01:04:16.098: FMANRP-NAT: Created TDL message for flow info:
ADD id 9
*May 13 01:04:16.098: FMANRP-NAT: Sent TDL message for flow data config:
ADD id 9
*May 13 01:04:16.098: FMANRP-NAT: Received flow data, action: MODIFY <-- subsequent packets are MODIFY
*May 13 01:04:16.098: id 9, flags 0x1, domain 0
src_local_addr 192.168.1.100, src_global_addr 172.16.10.10, dst_local_addr 10.20.30.40,
dst_global_addr 10.20.30.40, src_local_port 32529, src_global_port 32529,
dst_local_port 23, dst_global_port 23,
proto 6, table_id 0 inside_mapping_id 1,
outside_mapping_id 0, inside_mapping_type 2,
outside_mapping_type 0
*May 13 01:04:16.098: FMANRP-NAT: Created TDL message for flow info:
MODIFY id 9
*May 13 01:04:16.098: FMANRP-NAT: Sent TDL message for flow data config:
MODIFY id 9
如果規則因任何原因(例如到期或手動刪除)而被刪除,則會執行DELETE操作:
*May 13 01:05:20.276: FMANRP-NAT: Received flow data, action: DELETE <-- DELETE action
*May 13 01:05:20.276: id 9, flags 0x1, domain 0
src_local_addr 192.168.1.100, src_global_addr 172.16.10.10, dst_local_addr 10.20.30.40,
dst_global_addr 10.20.30.40, src_local_port 32529, src_global_port 32529,
dst_local_port 23, dst_global_port 23,
proto 6, table_id 0 inside_mapping_id 0,
outside_mapping_id 0, inside_mapping_type 0,
outside_mapping_type 0
硬體驗證
檢查是否已將匹配要轉換流量的NAT規則正確增加到NAT區域5下的硬體中:
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 1 <<<< empty due to no active flow
========================================================
Printing entries for region NAT_2 (371) type 6 asic 1
========================================================
Printing entries for region NAT_3 (372) type 6 asic 1
========================================================
Printing entries for region NAT_4 (373) type 6 asic 1
========================================================
Printing entries for region NAT_5 (374) type 6 asic 1
========================================================
TAQ-2 Index-128 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0300f000:00000000:00000000:00000000:00000000:00000000:fffffff8:00000000
Key1 02009000:00000000:00000000:00000000:00000000:00000000:ac100a00:00000000
AD 10087000:00000073
TAQ-2 Index-129 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 3300f000:00000000:00000000:00000000:00000000:00000000:00000000:ffffff00
Key1 21009000:00000000:00000000:00000000:00000000:00000000:00000000:c0a80100
AD 10087000:00000073
ffffff00 = 255.255.255.0 in hex
c0a80100 = 192.168.1.0 in hex which matches our network in the NAT ACL
最後,您需要確認活動轉換在NAT TCAM區域1中程式設計正確
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.16.10.10:54854 192.168.1.100:54854 10.20.30.40:23 10.20.30.40:23
--- 172.16.10.10 192.168.1.100 --- ---
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 1
========================================================
TAQ-2 Index-32 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:0600d646:00000000:00000017:00000000:00000000:0a141e28:c0a80164
AD 10087000:000000b0
TAQ-2 Index-33 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:06000017:00000000:0000d646:00000000:00000000:ac100a0a:0a141e28
AD 10087000:000000b1
Printing entries for region NAT_2 (371) type 6 asic 1
========================================================
Printing entries for region NAT_3 (372) type 6 asic 1
========================================================
Printing entries for region NAT_4 (373) type 6 asic 1
========================================================
Printing entries for region NAT_5 (374) type 6 asic 1
========================================================
Starting at Index-32 Key 1 from right to left:
c0a80164 - 192.168.1.100 (inside local)
0a141e28 - 10.20.30.40 (outside local/global)
00000017 - TCP port 23
0600d646 - 6 for TCP protocol and 54854 for TCP source port
Starting at Index-33 Key 1 from right to left
0a141e28 - 10.20.30.40 destination address
ac100a0a - 172.16.10.10 (inside global source IP address)
0000d646 - TCP source port
06000017 - TCP protocol 6 and 23 for the TCP destination port
檢驗動態NAT過載(PAT)
軟體驗證
用於檢驗PAT的日誌進程與動態NAT相同。您只需要確認埠轉換是否正確,以及埠在硬體中的程式設計是否正確。
PAT透過附加到NAT規則的「overload」關鍵字實現。
NAT-Device#show run | i ip nat
ip nat inside <-- ip nat inside on NAT inside interface
ip nat outside <-- ip nat outside on NAT outside interface
ip nat pool MYPOOL 172.16.10.1 172.16.10.254 netmask 255.255.255.0 <-- Address pool to translate to
ip nat inside source list hosts pool MYPOOL overload <-- Links ACL hosts to address pool
確認存在與源和目標的鄰接關係
NAT-Device#show ip route 10.20.30.40
Routing entry for 10.20.30.40/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.10.10.2
Route metric is 0, traffic share count is 1
NAT-Device#show platform software adjacency switch active f0
Number of adjacency objects: 4
Adjacency id: 0x24 (36) <-- adjacency ID
Interface: TenGigabitEthernet1/0/2, IF index: 53, Link Type: MCP_LINK_IP
Encap: 34:db:fd:ee:ce:e4:70:1f:53:0:b8:d6:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 10.10.10.2 <-- adjacency to destination
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 449, HW handle: (nil) (created)
Adjacency id: 0x25 (37) <-- adjacency ID
Interface: TenGigabitEthernet1/0/1, IF index: 52, Link Type: MCP_LINK_IP
Encap: 0:ca:e5:27:3f:e4:70:1f:53:0:b8:e4:8:0
Encap Length: 14, Encap Type: MCP_ET_ARPA, MTU: 1500
Flags: no-l3-inject
Incomplete behavior type: None
Fixup: unknown
Fixup_Flags_2: unknown
Nexthop addr: 192.168.1.100 <-- source adjacency
IP FRR MCP_ADJ_IPFRR_NONE 0
aom id: 451, HW handle: (nil) (created)
確認在流處於活動狀態時已將轉換增加到轉換表中。請注意,使用PAT時,不會像使用動態NAT時那樣建立半條目。
跟蹤內部本地和內部全局地址的埠號。
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.16.10.10:1024 192.168.1.100:52448 10.20.30.40:23 10.20.30.40:23
檢查NAT統計資料。當流量與NAT規則匹配並建立時,NAT命中計數器將會增加。
當流量與規則匹配但無法建立轉換時,NAT未命中計數器將會增加。
NAT-DEVICE#show ip nat statistics
Total active translations: 3794 (1 static, 3793 dynamic; 3793 extended) <-- dynamic translations
Outside interfaces:
TenGigabitEthernet1/0/1 <-- NAT outside interface
Inside interfaces:
TenGigabitEthernet1/0/2 <-- NAT inside interface
Hits: 3793 Misses: 0 <-- 3793 hits
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings: <-- rule for dynamic mappings
-- Inside Source
[Id: 1] access-list hosts interface TenGigabitEthernet1/0/1 refcount 3793 <-- NAT rule displayed
與平台無關的NAT調試顯示發生了埠轉換:
NAT-Device#debug ip nat detailed
IP NAT detailed debugging is on
NAT-Device#debug ip nat
IP NAT debugging is on
NAT-device#show logging
Log Buffer (100000 bytes):
*May 18 23:52:20.296: NAT: address not stolen for 192.168.1.100, proto 6 port 52448
*May 18 23:52:20.296: NAT: Created portlist for proto tcp globaladdr 172.16.10.10
*May 18 23:52:20.296: NAT: Allocated Port for 192.168.1.100 -> 172.16.10.10: wanted 52448 got 1024<-- confirms PAT is used
*May 18 23:52:20.296: NAT: Entry assigned id 5
*May 18 23:52:20.296: NAT: i: tcp (192.168.1.100, 52448) -> (10.20.30.40, 23) [63338]
*May 18 23:52:20.296: NAT: TCP Check for Limited ALG Support
*May 18 23:52:20.296: NAT: TCP s=52448->1024, d=23 <-- confirms NAT overload with PAT
*May 18 23:52:20.296: NAT: s=192.168.1.100->172.16.10.10, d=10.20.30.40 [63338]NAT: dyn flow info download suppressed for flow 5 <-- shows inside translation
*May 18 23:52:20.297: NAT: attempting to setup alias for 172.16.10.10 (redundancy_name , idb NULL, flags 0x2), rg_id 0 tableid 0 use_tableid 0
*May 18 23:52:20.299: NAT: o: tcp (10.20.30.40, 23) -> (172.16.10.10, 1024) [55748]
*May 18 23:52:20.299: NAT: TCP Check for Limited ALG Support
*May 18 23:52:20.299: NAT: TCP s=23, d=1024->52448 <-- shows PAT on return traffic
*May 18 23:52:20.299: NAT: s=10.20.30.40, d=172.16.10.10->192.168.1.100 [55748]NAT: dyn flow info download suppressed for flow 5
NAT-Device#debug platform software nat all
NAT platform all events debugging is on
NAT-Device#
*May 18 23:52:20.301: FMANRP-NAT: Received flow data, action: ADD <-- first packet in flow ADD operation
*May 18 23:52:20.301: id 5, flags 0x5, domain 0
src_local_addr 192.168.1.100, src_global_addr 172.16.10.10, dst_local_addr 10.20.30.40, <-- source translation
dst_global_addr 10.20.30.40, src_local_port 52448, src_global_port 1024, <-- port translation
dst_local_port 23, dst_global_port 23,
proto 6, table_id 0 inside_mapping_id 1,
outside_mapping_id 0, inside_mapping_type 2,
outside_mapping_type 0
<snip>
硬體驗證
確認NAT規則已在NAT區域5下的硬體中正確安裝
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 1 <-- NAT_1 empty due to no active flow
========================================================
Printing entries for region NAT_2 (371) type 6 asic 1
========================================================
Printing entries for region NAT_3 (372) type 6 asic 1
========================================================
Printing entries for region NAT_4 (373) type 6 asic 1
========================================================
Printing entries for region NAT_5 (374) type 6 asic 1
========================================================
TAQ-2 Index-128 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0300f000:00000000:00000000:00000000:00000000:00000000:fffffffc:00000000
Key1 02009000:00000000:00000000:00000000:00000000:00000000:ac100a00:00000000
AD 10087000:00000073
TAQ-2 Index-129 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 3300f000:00000000:00000000:00000000:00000000:00000000:00000000:ffffff00
Key1 21009000:00000000:00000000:00000000:00000000:00000000:00000000:c0a80100
AD 10087000:00000073
ffffff00 = 255.255.255.0 in hex for our subnet mask in NAT ACL
c0a80100 = 192.168.1.0 in hex for our network address in NAT ACL
最後,當流量處於活動狀態時,您可以檢查NAT流量是否已程式設計到NAT_Region 1下的硬體TCAM中
NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.16.10.10:1024 192.168.1.100:20027 10.20.30.40:23 10.20.30.40:23
NAT-Device#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (370) type 6 asic 1 <-- NAT region 1
========================================================
TAQ-2 Index-32 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:06004e3b:00000000:00000017:00000000:00000000:0a141e28:c0a80164
AD 10087000:000000b0
TAQ-2 Index-33 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0000f000:ff00ffff:00000000:0000ffff:00000000:00000000:ffffffff:ffffffff
Key1 00009000:06000017:00000000:00000400:00000000:00000000:0a141e28:0a141e28
AD 10087000:000000b1
Starting at Index-32 Key1 from right to left:
c0a80164 - 192.168.1.100 (inside local source address)
0a141e28 - 10.20.30.40 (inside global address/outside local address)
00000017 - 23 (TCP destination port)
06004e3b - TCP source port 20027 (4e3b) and TCP protocol 6
Starting at Index-33 Key1 from right to left:
0a141e28 - 10.20.30.40 (outside global address/outside local address)
ac100a0a - 172.16.10.10 (inside global)
00000400 - TCP inside global source port 1024
06000017 - TCP protocol 6 and TCP source port 23
封包層級偵錯
流中與硬體中的NAT規則匹配的第一個資料包必須傳送到要處理的裝置CPU。要檢視與傳送路徑相關的調試輸出,您可以啟用指向調試級別的FED傳送路徑跟蹤以確保資料包被傳送。需要CPU資源的NAT流量進入傳輸流量CPU隊列。
檢查傳輸流量CPU隊列是否看到主動傳送的資料包。
NAT-DEVICE#show platform software fed switch active punt cpuq clear <-- clear statistics
NAT-DEVICE#show platform software fed switch active punt cpuq 18 <-- transit traffic queue
Punt CPU Q Statistics
===========================================
CPU Q Id : 18
CPU Q Name : CPU_Q_TRANSIT_TRAFFIC
Packets received from ASIC : 0 <-- no punt traffic for NAT
Send to IOSd total attempts : 0
Send to IOSd failed count : 0
RX suspend count : 0
RX unsuspend count : 0
RX unsuspend send count : 0
RX unsuspend send failed count : 0
RX consumed count : 0
RX dropped count : 0
RX non-active dropped count : 0
RX conversion failure dropped : 0
RX INTACK count : 0
RX packets dq'd after intack : 0
Active RxQ event : 0
RX spurious interrupt : 0
RX phy_idb fetch failed: 0
RX table_id fetch failed: 0
RX invalid punt cause: 0
Replenish Stats for all rxq:
-------------------------------------------
Number of replenish : 0
Number of replenish suspend : 0
Number of replenish un-suspend : 0
-------------------------------------------
NAT-DEVICE#show platform software fed switch active punt cpuq 18 <-- after new translation
Punt CPU Q Statistics
===========================================
CPU Q Id : 18
CPU Q Name : CPU_Q_TRANSIT_TRAFFIC
Packets received from ASIC : 5 <-- confirms the UADP ASIC punts to CPU to create translation
Send to IOSd total attempts : 5
Send to IOSd failed count : 0
RX suspend count : 0
RX unsuspend count : 0
RX unsuspend send count : 0
RX unsuspend send failed count : 0
RX consumed count : 0
RX dropped count : 0
RX non-active dropped count : 0
RX conversion failure dropped : 0
RX INTACK count : 5
RX packets dq'd after intack : 0
Active RxQ event : 5
RX spurious interrupt : 0
RX phy_idb fetch failed: 0
RX table_id fetch failed: 0
RX invalid punt cause: 0
Replenish Stats for all rxq:
-------------------------------------------
Number of replenish : 18
Number of replenish suspend : 0
Number of replenish un-suspend : 0
-------------------------------------------
NAT規模故障排除
當前對NAT TCAM條目最大數量的硬體支援,如下表所示:
| 平台 | TCAM條目的最大數量 |
| Catalyst 9300 | 5000 |
| Catalyst 9400 | 14000 |
| Catalyst 9500 | 14000 |
| Catalyst 9500高效能 | 15500 |
| Catalyst 9600 | 15500 |
如果懷疑存在擴展問題,您可以確認要根據平台限制進行檢查的TCP/UDP NAT轉換總數。
NAT-Device#show ip nat translations | count tcp
Number of lines which match regexp = 621 <-- current number of TCP translations
NAT-Device#show ip nat translations | count udp
Number of lines which match regexp = 4894 <-- current number of UDP translations
如果您已耗盡NAT TCAM空間,則交換機硬體中的NAT模組將無法處理這些轉換。在此場景中,需要進行NAT轉換的流量被傳送至要處理的裝置CPU。
這可能會導致延遲,並且可以透過在負責NAT傳送流量的控制平面監察器隊列中遞增的丟棄來確認。NAT流量進入的CPU隊列是「中轉流量」。
NAT-Device#show platform hardware fed switch active qos queue stats internal cpu policer
CPU Queue Statistics
============================================================================================
(default) (set) Queue Queue
QId PlcIdx Queue Name Enabled Rate Rate Drop(Bytes) Drop(Frames)
--------------------------------------------------------------------------------------------
<snip>
14 13 Sw forwarding Yes 1000 1000 0 0
15 8 Topology Control Yes 13000 16000 0 0
16 12 Proto Snooping Yes 2000 2000 0 0
17 6 DHCP Snooping Yes 500 500 0 0
18 13 Transit Traffic Yes 1000 1000 34387271 399507 <-- drops for NAT traffic headed towards the CPU
19 10 RPF Failed Yes 250 250 0 0
20 15 MCAST END STATION Yes 2000 2000 0 0
<snip>
確認17.x代碼中可用的NAT TCAM空間。此輸出來自9300,該NAT模板已啟用,因此空間最大化。
NAT-DEVICE#show platform hardware fed switch active fwd-asic resource tcam utilization
Codes: EM - Exact_Match, I - Input, O - Output, IO - Input & Output, NA - Not Applicable
CAM Utilization for ASIC [0]
Table Subtype Dir Max Used %Used V4 V6 MPLS Other
------------------------------------------------------------------------------------------------------
Mac Address Table EM I 32768 22 0.07% 0 0 0 22
Mac Address Table TCAM I 1024 21 2.05% 0 0 0 21
L3 Multicast EM I 8192 0 0.00% 0 0 0 0
L3 Multicast TCAM I 512 9 1.76% 3 6 0 0
L2 Multicast EM I 8192 0 0.00% 0 0 0 0
L2 Multicast TCAM I 512 11 2.15% 3 8 0 0
IP Route Table EM I 24576 16 0.07% 15 0 1 0
IP Route Table TCAM I 8192 25 0.31% 12 10 2 1
QOS ACL TCAM IO 1024 85 8.30% 28 38 0 19
Security ACL TCAM IO 5120 148 2.89% 27 76 0 45
Netflow ACL TCAM I 256 6 2.34% 2 2 0 2
PBR ACL TCAM I 5120 24 0.47% 18 6 0 0 <-- NAT usage in PBR TCAM
Netflow ACL TCAM O 768 6 0.78% 2 2 0 2
Flow SPAN ACL TCAM IO 1024 13 1.27% 3 6 0 4
Control Plane TCAM I 512 281 54.88% 130 106 0 45
Tunnel Termination TCAM I 512 18 3.52% 8 10 0 0
Lisp Inst Mapping TCAM I 512 1 0.20% 0 0 0 1
Security Association TCAM I 256 4 1.56% 2 2 0 0
Security Association TCAM O 256 5 1.95% 0 0 0 5
CTS Cell Matrix/VPN
Label EM O 8192 0 0.00% 0 0 0 0
CTS Cell Matrix/VPN
Label TCAM O 512 1 0.20% 0 0 0 1
Client Table EM I 4096 0 0.00% 0 0 0 0
Client Table TCAM I 256 0 0.00% 0 0 0 0
Input Group LE TCAM I 1024 0 0.00% 0 0 0 0
Output Group LE TCAM O 1024 0 0.00% 0 0 0 0
Macsec SPD TCAM I 256 2 0.78% 0 0 0 2
確認16.x代碼中可用的NAT TCAM空間。此輸出來自帶有SDM Access模板的9300,因此NAT TCAM條目的可用空間沒有最大化。
NAT-DEVICE#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC [0]
Table Max Values Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses 32768/1024 20/21
L3 Multicast entries 8192/512 0/9
L2 Multicast entries 8192/512 0/11
Directly or indirectly connected routes 24576/8192 5/23
QoS Access Control Entries 5120 85
Security Access Control Entries 5120 145
Ingress Netflow ACEs 256 8
Policy Based Routing ACEs 1024 24 <-- NAT usage in PRB TCAM
Egress Netflow ACEs 768 8
Flow SPAN ACEs 1024 13
Control Plane Entries 512 255
Tunnels 512 17
Lisp Instance Mapping Entries 2048 3
Input Security Associations 256 4
SGT_DGT 8192/512 0/1
CLIENT_LE 4096/256 0/0
INPUT_GROUP_LE 1024 0
OUTPUT_GROUP_LE 1024 0
Macsec SPD 256 2
透過將SDM模板更改為首選NAT,可以增加NAT TCAM的可用硬體空間。這會分配硬體支援,以支援TCAM條目的最大數量。
NAT-Device#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAT-Device(config)#sdm prefer nat
如果將SDM轉換前後與NAT模板進行比較,您可以確認可用TCAM空間已交換為QoS訪問控制條目和基於策略的路由(PBR) ACE。
PBR TCAM是對NAT進行程式設計的地方。
NAT-Device#show sdm prefer
Showing SDM Template Info
This is the Access template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 1024
L2 Multicast entries: 8192
Overflow L2 Multicast entries: 512
L3 Multicast entries: 8192
Overflow L3 Multicast entries: 512
Directly connected routes: 24576
Indirect routes: 8192
Security Access Control Entries: 5120
QoS Access Control Entries: 5120
Policy Based Routing ACEs: 1024 <-- NAT
<...snip...>
NAT-Device#show sdm prefer
Showing SDM Template Info
This is the NAT template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 1024
L2 Multicast entries: 8192
Overflow L2 Multicast entries: 512
L3 Multicast entries: 8192
Overflow L3 Multicast entries: 512
Directly connected routes: 24576
Indirect routes: 8192
Security Access Control Entries: 5120
QoS Access Control Entries: 1024
Policy Based Routing ACEs: 5120 <-- NAT
<snip>
僅位址翻譯(AOT)
AOT是一種機制,當NAT要求僅轉換IP地址欄位而不是流的第4層埠時可以使用。如果這符合要求,則AOT可以大大增加硬體中要轉換和轉發的資料流的數量。
- 當大多數NAT流都發往單個或少量目標時,AOT最有效。
- AOT預設停用。啟用後,需要清除當前的NAT轉換。
這意味著允許AOT的唯一可能的NAT配置是:
#ip nat inside source static <source> <destination>
#ip nat inside source list <list> pool <pool name>
您可以使用以下命令啟用AOT:
NAT-Device(config)#no ip nat create flow-entries
確認AOT NAT規則程式設計正確。此輸出來自靜態NAT轉換。
NAT-DEVICE#show running-config | include ip nat
ip nat outside
ip nat inside
no ip nat create flow-entries <-- AOT enabled
ip nat inside source static 10.10.10.100 172.16.10.10 <-- static NAT enabled
NAT-DEVICE#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (376) type 6 asic 1
========================================================
Printing entries for region NAT_2 (377) type 6 asic 1
========================================================
Printing entries for region NAT_3 (378) type 6 asic 1
========================================================
Printing entries for region NAT_4 (379) type 6 asic 1
========================================================
Printing entries for region NAT_5 (380) type 6 asic 1
========================================================
TAQ-1 Index-864 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 3300f000:00000000:00000000:00000000:00000000:00000000:00000000:ffffffff
Key1 21009000:00000000:00000000:00000000:00000000:00000000:00000000:0a0a0a64
AD 10087000:00000073
TAQ-1 Index-865 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0300f000:00000000:00000000:00000000:00000000:00000000:ffffffff:00000000
Key1 02009000:00000000:00000000:00000000:00000000:00000000:ac100a0a:00000000
AD 10087000:00000073
0a0a0a64 = 10.10.10.100 (inside local)
ac100a0a = 172.16.10.10 (inside global)
透過確認當流量變為活動狀態時,僅對源和目標IP地址進行程式設計,驗證TCAM中的AOT條目。
NAT-DEVICE#show platform hardware fed switch active fwd-asic resource tcam table pbr record 0 format 0 | begin NAT_1
Printing entries for region NAT_1 (376) type 6 asic 1
========================================================
Printing entries for region NAT_2 (377) type 6 asic 1
========================================================
TAQ-1 Index-224 (A:0,C:1) Valid StartF-1 StartA-1 SkipF-0 SkipA-0
Mask1 0000f000:00000000:00000000:00000000:00000000:00000000:ffffffff:ffffffff
Key1 00009000:00000000:00000000:00000000:00000000:00000000:c0a80164:0a0a0a64 <-- no L4 ports, only source and destination IP is programmed
AD 10087000:000000b2
TAQ-1 Index-225 (A:0,C:1) Valid StartF-0 StartA-0 SkipF-0 SkipA-0
Mask1 0000f000:00000000:00000000:00000000:00000000:00000000:ffffffff:00000000
Key1 00009000:00000000:00000000:00000000:00000000:00000000:ac100a0a:00000000
AD 10087000:000000b3
0a0a0a64 = 10.10.10.100 in hex (inside local IP address)
c0a80164 = 192.168.1.100 in hex (outside local/outside global)
ac100a0a = 172.16.10.10 (inside global)
相關資訊
- Catalyst 9300 17.3.x NAT配置指南
- Catalyst 9400 17.3.x NAT配置指南
- Catalyst 9500 17.3.x NAT配置指南
- Catalyst 9600 17.3.x NAT配置指南
- 技術支援與文件 - Cisco Systems
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
5.0 |
10-May-2024 |
刪除了已公開的Cisco內部資訊標題 |
4.0 |
11-May-2023 |
重新認證 |
3.0 |
08-Oct-2021 |
1.1版:
將空白間距和更改的IP編址和訪問控制清單從數字清單編輯為專案符號清單。 |
2.0 |
29-Sep-2021 |
格式變更較輕,沒有新內容。 |
1.0 |
29-Sep-2021 |
初始版本 |
意見