Showing posts with label NAT. Show all posts

Thursday, April 28, 2011

TCP Load Distribution using Rotary NAT

Network topology:

An organization has multiple servers that serve multiple hosts. Using Rotary NAT, a virtual server is established in the inside network which communicates with the real servers. Destination addresses that match an access-list (permitting the IP address of the virtual server) are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis. The NAT router performs the following steps when translating rotary addresses:
1. A host opens a TCP connection to virtual server 10.1.1.5.
2. The router receives the connection request and creates a translation, allocating the next real server IP address.
3. The router replaces the destination IP address with the selected real IP address and forwards the packet.
4. The server receives the packet and responds.
5. The router receives the reply and performs a NAT table lookup. It then translates the source address to the virtual server IP address and forwards the packet.
Configuration:
We define a pool of addresses containing the addresses of the real servers. This can be done using the global configuration command:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary

ip nat pool SERVER_LIST 10.1.1.10 10.1.1.11 prefix-length 24 type rotary


We define an access-list permitting the address of the virtual server 10.1.1.5. Non-TCP traffic is passed untranslated:
access-list 110 permit tcp any host 10.1.1.5

Then we establish dynamic inside destination translation, specifying the access-list defined above. This is done using the global configuration command:

ip nat inside destination list access-list-number pool name

ip nat inside destination list 110 pool SERVER_LIST

Lastly, we define the inside and outside interfaces for NAT:

interface fastethernet 0/0
ip nat inside
!
interface fastethernet 0/1
ip nat outside
!

Verification:

When multiple Telnet sessions (TCP, port 23) are established to the virtual server IP address 10.1.1.5, the NAT router allocates the IP addresses of the different internal servers in a round-robin fashion. The following output shows three different Telnet sessions opened to 10.1.1.5. The NAT router allocates the first session to 10.1.1.10, the second session to 10.1.1.11 and the third session back to 10.1.1.10.
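The round-robin allocation and the return-path lookup described above, modelled in Python as an added example (not code from the original post; the translation table is deliberately simplified to key on the client's source address and port, and the client address 192.168.1.10 is a constructed value):

```python
from itertools import cycle

# Values taken from the post: the virtual server and the two real servers in the rotary pool.
VIRTUAL_SERVER = "10.1.1.5"
ROTARY_POOL = ["10.1.1.10", "10.1.1.11"]

class RotaryNat:
    """Simplified model of 'ip nat inside destination list <acl> pool <name>' with a rotary pool.

    Translations are keyed on the client (source IP, source port) so every new TCP
    connection gets the next server while a retransmitted SYN keeps its server.
    """
    def __init__(self, virtual_ip, pool):
        self.virtual_ip = virtual_ip
        self._next_server = cycle(pool)   # round-robin allocation over the pool
        self.table = {}                   # (client ip, client port) -> real server ip

    def outside_to_inside(self, pkt):
        """Packet from a client towards the virtual server (enters the 'outside' interface)."""
        # access-list 110 permits only TCP to the virtual server; anything else passes untranslated
        if pkt["proto"] != "tcp" or pkt["dst"] != self.virtual_ip:
            return dict(pkt)
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:                 # new connection: allocate the next real server
            self.table[key] = next(self._next_server)
        return {**pkt, "dst": self.table[key]}

    def inside_to_outside(self, pkt):
        """Reply from a real server: NAT table lookup, then source rewritten to the virtual IP."""
        key = (pkt["dst"], pkt["dport"])
        if pkt["proto"] == "tcp" and self.table.get(key) == pkt["src"]:
            return {**pkt, "src": self.virtual_ip}
        return dict(pkt)                          # no translation entry: leave the packet alone

def open_telnet_sessions(nat, client_ip, count):
    """Open `count` Telnet sessions (TCP/23) from one client using distinct source ports.

    Returns the real server chosen for each session, after checking that the server's
    reply is mapped back to the virtual address on the way out.
    """
    chosen = []
    for i in range(count):
        syn = {"proto": "tcp", "src": client_ip, "sport": 40000 + i, "dst": nat.virtual_ip, "dport": 23}
        fwd = nat.outside_to_inside(syn)
        reply = {"proto": "tcp", "src": fwd["dst"], "sport": 23, "dst": syn["src"], "dport": syn["sport"]}
        if nat.inside_to_outside(reply)["src"] != nat.virtual_ip:
            raise RuntimeError("reply was not translated back to the virtual server")
        chosen.append(fwd["dst"])
    return chosen
```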


Load-balancing with 2 ISPs

Network topology:

All hosts with IP addresses in the range 192.168.1.1 - 192.168.1.126 (first half) will use ISP-1, while all hosts with IP addresses in the range 192.168.1.129 - 192.168.1.254 (second half) will use ISP-2. In case of failover, hosts will use the active ISP to access the Internet. NAT (NAT overload) is applied on the Edge routers to hide the inside network from the ISPs. The customer runs OSPF within its network. Both Edge routers have an eBGP session with their ISP. Both ISPs advertise only a default route to the customer.


Splitting Host-traffic at Internal router:

On the Internal router, host traffic is split based on the IP address of the host. Policy-based routing is applied on the LAN interface and the decision is made on the source IP address. If the host IP address falls in the first half, the Internal router forwards the traffic to the Edge-1 router; if it falls in the second half, the Internal router forwards the traffic to the Edge-2 router. The set ip next-hop verify-availability command is used with a tracking object to ensure the next-hop is available. If the tracking object fails, traffic is forwarded based on IP routing.

Policy-Based Routing (PBR):
IP SLA is used to verify the availability of the next-hops. The IP address 4.2.2.2 is a global IP address on the Internet. To make the Internal router check both next-hops, two IP SLA instances are created on the router. Local policy-based routing is used so that packets originated by the Internal router take the proper interface, i.e. IP SLA packets with source address 10.3.3.1 go through the Edge-1 router while IP SLA packets with source address 10.4.4.1 go through the Edge-2 router.
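The PBR decision, the verify-availability check against the tracking objects, and the local policy for the probe packets, modelled in Python as an added example (not the post's configuration). The host ranges and probe source addresses come from the post; the Edge routers' LAN-side addresses are not given on the page, so the model refers to the edges by name, and the failover step assumes the routing table either keeps or drops the Edge-1 default route:

```python
from ipaddress import ip_address, ip_network

# Host ranges from the post (first half -> Edge-1, second half -> Edge-2).
FIRST_HALF = ip_network("192.168.1.0/25")      # hosts 192.168.1.1 - .126
SECOND_HALF = ip_network("192.168.1.128/25")   # hosts 192.168.1.129 - .254
# Local PBR: router-originated IP SLA probes are steered by their source address.
PROBE_SOURCE = {"10.3.3.1": "Edge-1", "10.4.4.1": "Edge-2"}

class InternalRouter:
    """Models the Internal router's route-map on the LAN interface with
    'set ip next-hop verify-availability ... track N', plus 'ip local policy' for probes."""
    def __init__(self, rib_default):
        self.track = {"Edge-1": True, "Edge-2": True}   # tracking objects fed by the IP SLA probes
        self.rib_default = rib_default                  # edges currently holding a default route, best first

    def sla_result(self, edge, reachable):
        """An ICMP-echo probe to 4.2.2.2 via `edge` succeeded or failed: update its track state."""
        self.track[edge] = reachable

    def local_policy(self, src_ip):
        """Router-originated packets: probes leave via the edge matching their source address."""
        return PROBE_SOURCE.get(src_ip, "IP routing")

    def forward(self, src_ip):
        """LAN-ingress PBR decision for a host packet; returns the edge the packet leaves through."""
        src = ip_address(src_ip)
        preferred = "Edge-1" if src in FIRST_HALF else "Edge-2" if src in SECOND_HALF else None
        # verify-availability: the policy next-hop is used only while its tracking object is UP
        if preferred and self.track[preferred]:
            return preferred
        # otherwise the packet is routed normally, i.e. by the routing table's default route
        return self.rib_default[0] if self.rib_default else "dropped"

def failover_scenario(edge1_keeps_default):
    """Both tracks UP, then ISP-1 fails: the probe sourced from 10.3.3.1 fails and track 1 goes DOWN.
    Whether first-half traffic then leaves via Edge-1 or Edge-2 depends only on the routing table."""
    rib_default = ["Edge-1", "Edge-2"]
    r = InternalRouter(rib_default)
    before = (r.forward("192.168.1.3"), r.forward("192.168.1.129"))
    r.sla_result("Edge-1", False)
    if not edge1_keeps_default:          # assumption: Edge-1 stops originating the default route
        rib_default.remove("Edge-1")
    after = (r.forward("192.168.1.3"), r.forward("192.168.1.129"))
    return before, after
```

The second scenario shows why the fallback is only as good as the routing table: with track 1 DOWN but the default route still pointing at Edge-1, the packets keep going to Edge-1.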


NAT on Edge routers:
On Edge-1 & Edge-2 routers, NAT is applied. The interesting traffic includes 192.168.1.0/24 network, 10.3.3.0/24 (on Edge-1) and 10.4.4.0/24 (on Edge-2).

In action:

The following output shows that both tracking-objects are UP.

When a host (IP address 192.168.1.129) tries to reach the global IP address 4.2.2.2, the Internal router forwards the traffic to the Edge-2 router, whereas when a host (IP address 192.168.1.3) tries to reach the same global IP address 4.2.2.2, the Internal router forwards the traffic to the Edge-1 router. The following output on the Edge-2 and Edge-1 routers shows that NAT is applied to the source address (the host IP address).

Testing failover:
While the host 192.168.1.3 is continuously sending ping packets to 4.2.2.2, ISP-1 fails. The tracking object on the Internal router fails and packets are forwarded over to the Edge-1 router.


LSN: Large Scale NAT

Large Scale NAT was previously known by different terms such as NAT444 and Carrier Grade NAT (CGN). It is discussed in depth by Jeff Doyle. The name LSN stems from the fact that NAT is applied at the provider-facing customer edge and at the customer-facing provider edge. NAT is applied twice: once at the customer CPE and a second time at the provider router.


The Service Provider assigns an address out of a private IPv4 block (RFC 1918 addresses) to the customer side of each LSN. The provider-facing side of each LSN is assigned a public IPv4 address. Each customer uses another private IPv4 block to address the devices within its network.

So, if a device within the customer network wishes to access the Internet, the CPE first performs the translation on the source IP address. The {inside private IPv4 source address, port} pair is translated to an {outside private IPv4 address, port} pair (NAT with port translation) at the CPE. At the LSN device, that {inside private IPv4 address, port} pair is translated again to an {outside public IPv4 address, port} pair.

NOTE: Each LSN can support multiple Customers. Only one Customer is attached to each LSN here for simplicity.

Network topology:



IP Address assignment and NAT44 on CPE routers:
Since both the inside and outside interfaces of the CPE routers carry private IPv4 addresses, care should be taken that these address blocks do not overlap; otherwise, routing issues result.

Hence, the CPE uses the 192.168.1.0/24 block to address devices within the customer network, and the Service Provider uses the 10.0.0.0/8 block to assign addresses to the customers. The interesting traffic to be NATed is traffic with a source address in the 192.168.1.0/24 network.

IP Address assignment and NAT44 on LSN routers:


The customer-facing side of each LSN is assigned a private IPv4 address while the Internet-facing side is assigned a public IPv4 address. Since customer traffic has already been NATed once, the source address of the IP packet has been changed to the outside IPv4 address of the CPE device. So the interesting traffic for the LSN1 router has a source address in the 10.1.0.0/30 network, and the interesting traffic for the LSN2 router has a source address in the 10.2.0.0/30 network.
LSN Configuration

LSN1 router:

Routing on CPE and LSN routers:
Within the Customer network, the customer devices point towards Default Gateway i.e. the CPE router. There is an eBGP connection between CPE and LSN routers. The LSN routers advertise only default-route to the CPEs.

OSPF runs within the SP Public network. There are iBGP sessions between LSNs and the Internet router.



Verification:
If a ping is sent from within the CPE1 router to the IP address 4.2.2.2 on the Internet, the CPE router first performs NAT on the source IP address.
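The two NAT44 layers of NAT444 (CPE first, then LSN1) and the reverse lookups on the return path, modelled in Python as an added example rather than the post's router configuration. The customer block 192.168.1.0/24 and the LSN1 customer-facing network 10.1.0.0/30 come from the post; the CPE1 outside address 10.1.0.2, the LSN1 public address 203.0.113.1 (a documentation address) and the host flows are constructed assumptions, and the table is keyed on the inside (address, port) pair rather than the full 5-tuple a router would use:

```python
from ipaddress import ip_address, ip_network

class Nat44:
    """Simplified NAT44 overload (PAT) device: {inside src, port} -> {outside addr, port}.

    A real router keys translations on the full 5-tuple; this model keys on the inside
    (address, port) pair, which is enough to show the two translation layers of NAT444.
    """
    def __init__(self, name, inside_net, outside_ip):
        self.name = name
        self.inside_net = ip_network(inside_net)   # the 'interesting traffic' source network
        self.outside_ip = outside_ip
        self.table = {}                             # (inside ip, inside port) -> outside port

    def _free_port(self):
        used = set(self.table.values())
        port = 1024
        while port in used:
            port += 1
        return port

    def translate_out(self, pkt):
        """Inside -> outside: rewrite the source to our outside address and a unique port."""
        if ip_address(pkt["src"]) not in self.inside_net:
            return dict(pkt)                        # not interesting traffic: pass untranslated
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            # keep the host's own port while it is still free, otherwise allocate another one
            taken = pkt["sport"] in self.table.values()
            self.table[key] = self._free_port() if taken else pkt["sport"]
        return {**pkt, "src": self.outside_ip, "sport": self.table[key]}

    def translate_in(self, pkt):
        """Outside -> inside: map the destination port back to the inside (address, port)."""
        if pkt["dst"] != self.outside_ip:
            return dict(pkt)
        for (inside_ip, inside_port), outside_port in self.table.items():
            if outside_port == pkt["dport"]:
                return {**pkt, "dst": inside_ip, "dport": inside_port}
        raise LookupError(f"{self.name}: no translation for port {pkt['dport']}, packet dropped")

def to_internet(cpe, lsn, pkt):
    """Outbound path of NAT444: CPE NAT44 first, then the LSN NAT44. Returns both stages."""
    on_sp_network = cpe.translate_out(pkt)
    return on_sp_network, lsn.translate_out(on_sp_network)

def from_internet(cpe, lsn, pkt):
    """Return path: the LSN restores the CPE's outside tuple, then the CPE restores the host's."""
    return cpe.translate_in(lsn.translate_in(pkt))
```

Two hosts behind the same CPE using the same source port show why the CPE must allocate a fresh port for the second flow, and how the LSN only ever sees the CPE's single outside address.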