ExtremXOS IP Network Address Translation (NAT)

Network Address Translation (NAT) maps IP addresses from one address domain (typically private IP address spaces) to an another address domain (typically public Internet IP address spaces) to provide transparent routing to end hosts. This translation is done transparently by having a NAT device translate the IP address and/or Layer 4 port of the packets.

ExtremeXOS 31.2 adds support for IP Network Address Translation (NAT).

Supported Platforms

ExtremeSwitching X465, X590, X690, X695, and X870 series switches.

Limitations

NAT is supported for IPv4 packets only. NAT is not supported for IPv6 packets.
NAT is not supported for IPv4 or IPv6 multicast packets.
Application Level Gateways (ALG) is not supported.
NAT translates IP address of an IPv4 unicast packet, and possibly TCP/UDP port in the TCP/UDP header. The contents of the payload are not modified. If IP address or L4 port are present in the payload of the packets, these fields are not modified. If the payload contents are to be modified, specific ALGs are required. Examples of protocols that require ALG, are File Transfer Protocol (FTP), Session Initiation Protocol (SIP), Real Time Streaming Protocol (RTSP), BitTorrent, Domain Name System (DNS), etc.
Network Address Port Translation (NAPT) does not work with fragmented IP packets, and these are dropped when NAT is enabled. This is because the fragmented IP packet does not contain a valid TCP/UDP header, unless it is the first fragment.
Twice-NAT (NAT where both source and destination IP addresses are translated) are not supported.
Twice-NAT is typically used to interconnect subnets in two incompatible address domains—both using private addresses. Each Twice-NAT rule requires twice the number of resources compared to a basic NAT rule.
MLAG support for NAT is not supported.
NAT is not supported on VXLAN tenant VLANs and MPLS service VLANs
NAT is not supported on MAC-based VLANs and Netlogin VLANs.
NAT is not supported on VPEX switches.

New CLI Commands

enable ip nat

disable ip nat

show ip nat

configure ip nat add {vlan} vlan_name direction [ingress | egress | both]

configure ip nat delete {vlan} vlan_name

show ip nat vlan {vlan_name}

show ip nat vlan counters {vlan_name}

clear ip nat counters vlan {vlan_name}

create ip nat rule rule_name type [ source-nat | napt | destination-napt]

delete ip nat rule rule_name

configure ip nat rule rule_name source [[[src_ip_addr src_mask | src_ipNetmask ] {{source-vr} src_vr_name} new-source new_src_ip_addr] | none]

configure ip nat rule rule_name destination [[dst_ip_addr new-destination new_dst_ip_addr {{vr} vr_name}] | none]

configure ip nat rule rule_name destination protocol [[[tcp | udp | protocol_num] port port_num new-port new_port_num] | none]

configure ip nat rule rule_name egress {vlan} vlan_name

enable ip nat rule rule_name

disable ip nat rule rule_name

configure ip nat rule rule_name name new_rule_name

show ip nat rule {detail}

configure ip nat rule rule_name monitor [on | off]

show ip nat rule {rule_name} statistics {no-refresh}

configure ip nat aging-time [minutes | none]