ExtremeXOS® v33.6.1 User Guide

Overview

In a typical enterprise network, multicast sources use private IP addresses (RFC 1918 ranges such as 10.0.0.0/8). When multicast streams need to reach receivers in a public or external network, the source IP address must be translated to a registered public address. IP Multicast NAT performs this translation transparently at the network edge.

IP Multicast NAT is an extension of the basic source NAT (SNAT) feature. The NAT router rewrites the source IP address in the IP header of each replicated copy of a multicast packet sent to each receiver. The multicast destination group address is never modified.

Translation is keyed on the source IP address only. A single SNAT rule therefore covers all multicast groups originated by a given source host — for example, a rule matching source 10.1.1.1 applies equally to streams sent to 225.1.1.1, 225.1.1.2, and any other group from that source.

Supported Platforms

IP Multicast NAT is supported on the following platforms beginning with EXOS 33.6.1:

X695

IP Multicast NAT is not supported on the X590, X690, X870, or X465, and is not supported on stacking configurations.

Limitations

Supported only for L3 IPv4 multicast traffic. L2 multicast and IPv6 multicast are not supported.
Only the source-nat rule type is supported. The napt and destination-napt rule types do not apply to multicast traffic.
Source IP address mask must be /32 (255.255.255.255) — one rule per source host.
Only one VLAN can be configured as the NAT egress VLAN.
Cannot be used concurrently with MACsec.
Not supported on stacking platforms.
Scalability is limited by available ACL hardware resources, as one ACL entry is installed per configured source.
Unicast NAT and Multicast NAT are controlled by independent global enable/disable commands and can be used simultaneously or independently.

How It Works

When a multicast packet arrives on an ingress VLAN and is replicated to multiple receivers on an egress VLAN, the NAT router applies the configured SNAT rule to each outbound copy. The source IP address in each copy is replaced with the configured public address before forwarding.

For example, given:

Source A (10.1.1.1) sending to multicast group 225.1.1.1
Source B (10.1.1.2) sending to multicast group 225.1.1.2
SNAT rule mapping 10.1.1.1 → 20.1.1.100 and 10.1.1.2 → 20.1.1.101

Each copy forwarded to any receiver will show source IP 20.1.1.100 (for Source A traffic) or 20.1.1.101 (for Source B traffic). The multicast group destination address (225.1.1.x) remains unchanged in all copies.

Configuration Steps

Use the following procedure to configure IP Multicast NAT:

Configure the ingress and egress VLANs for NAT participation:

configure ip nat add vlan <ingress_vlan> direction ingress
configure ip nat add vlan <egress_vlan> direction egress

Create a source-nat rule for each multicast source address to be translated:
```
create ip nat rule <rule_name> type source-nat
```

Configure the source IP address (must use /32 mask), source VR, translated address, and egress VLAN:

configure ip nat rule <rule_name> source <src_ip> 255.255.255.255 source-vr <vr_name> new-source <public_ip>
configure ip nat rule <rule_name> egress vlan <egress_vlan>

Enable the rule:
```
enable ip nat rule <rule_name>
```
Enable IP multicast NAT globally (and unicast NAT if also required):
```
enable ip nat multicast
enable ip nat unicast
```

Example Configuration

The following example configures multicast NAT for two private sources (10.1.1.1 and 10.1.1.2) that are mapped to public addresses (20.1.1.100 and 20.1.1.101) when traffic exits through out_vlan:

configure ip nat add vlan in_vlan direction ingress
configure ip nat add vlan out_vlan direction egress

create ip nat rule snat1 type source-nat
configure ip nat rule snat1 source 10.1.1.1 255.255.255.255 source-vr VR-Default new-source 20.1.1.100
configure ip nat rule snat1 egress vlan out_vlan
enable ip nat rule snat1

create ip nat rule snat2 type source-nat
configure ip nat rule snat2 source 10.1.1.2 255.255.255.255 source-vr VR-Default new-source 20.1.1.101
configure ip nat rule snat2 egress vlan out_vlan
enable ip nat rule snat2

enable ip nat multicast
enable ip nat unicast

Verification Commands

Verify global NAT and multicast NAT status:

show ip nat

Sample output showing both unicast and multicast NAT enabled:

Unicast NAT                         : Enabled
Multicast NAT                       : Enabled
Number of NAT VLANs                 : 2
Maximum number of NAT VLANs         : 4
Number of NAT rules                 : 2
Number of source NAT rules          : 2
Number of destination NAPT rules    : 0
Number of configured NAPT rules     : 0
Number of dynamic NAPT rules        : 0
Maximum number of NAT rules         : 1024
Aging time                          : 20 minutes

Display configured NAT rules and their state:

show ip nat rule

show ip nat rule detail

Display per-VLAN translation and discard counters:

show ip nat vlan counters

Related Commands


Command	Description
`enable ip nat multicast`	Globally enables IP multicast NAT.
`disable ip nat multicast`	Globally disables IP multicast NAT.
`enable ip nat [unicast]`	Globally enables IP unicast NAT (default when no keyword specified).
`create ip nat rule <name> type source-nat`	Creates a source NAT rule (the only rule type supported for multicast).
`configure ip nat rule <name> source <ip> <mask> source-vr <vr> new-source <ip>`	Configures the source address mapping for the rule. Mask must be 255.255.255.255 for multicast NAT.
`configure ip nat rule <name> egress vlan <vlan>`	Configures the egress VLAN for translated traffic.
`show ip nat`	Displays global NAT status including unicast and multicast NAT state.
`show ip nat rule {detail}`	Displays configured NAT rules and their parameters.
`show ip nat vlan counters`	Displays per-VLAN packet translation and discard counters.

IP Multicast NATNEW!