H3C S9500 Series Operating instructions

The H3C S9500 Series, your newly purchased routing switch, offers a comprehensive suite of features to enhance your networking capabilities. With its advanced Layer 3 routing functionality, it excels in complex routing scenarios, ensuring efficient and reliable data transmission across your network. Additionally, the H3C S9500 Series provides robust security features, including access control lists (ACLs) and virtual private networks (VPNs), safeguarding your data and network resources from unauthorized access.

Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Table of Contents
i
Table of Contents
Chapter 1 NAT Configuration  1-1
  1.1 NAT Overview  1-1
    1.1.1 Introduction to NAT  1-1
    1.1.2 NAT Functionalities  1-3
  1.2 NAT Configuration Task List  1-6
  1.3 Configuring Address Translation  1-7
    1.3.1 Introduction to Address Translation  1-7
    1.3.2 Configuring Address Translation  1-8
  1.4 Configuring Internal Server  1-10
    1.4.1 Introduction to Internal Server  1-10
    1.4.2 Configuring an Internal Server  1-10
  1.5 Configuring the Binding  1-11
    1.5.1 Introduction to Binding  1-11
    1.5.2 Configuration Procedure  1-11
  1.6 Configuring NAT Log  1-12
    1.6.1 Introduction to NAT Log  1-12
    1.6.2 Enabling NAT Log Function  1-12
    1.6.3 Exporting NAT Logs  1-13
  1.7 Configuring User Resource Limit  1-15
    1.7.1 Introduction to User Resource Limit  1-15
    1.7.2 Configuring User Resource Limit  1-15
  1.8 Configuring Connection-limit  1-16
    1.8.1 Introduction to Connection-limit  1-16
    1.8.2 Configuration Procedure  1-16
  1.9 Displaying and Maintaining NAT  1-18
  1.10 NAT Configuration Example  1-19
    1.10.1 NAT Configuration Example  1-19
    1.10.2 Exporting NAT Logs to the Information Center  1-21
    1.10.3 Exporting NAT Logs to Log Server  1-24
  1.11 Troubleshooting NAT  1-25
    1.11.1 Symptom 1: Abnormal Translation of IP Addresses  1-25
    1.11.2 Symptom 2: Internal Server Functions Abnormally  1-25
Chapter 1 NAT Configuration
When configuring NAT, go to these sections for information you are interested in:
- NAT Overview
- NAT Configuration Task List
- Configuring Address Translation
- Configuring Internal Server
- Configuring the Binding
- Configuring NAT Log
- Configuring User Resource Limit
- Configuring Connection-limit
- Displaying and Maintaining NAT
- NAT Configuration Example
- Troubleshooting NAT
Note:
The line processing unit (LPU) mentioned in this chapter is LSB1NATB0.
1.1 NAT Overview
1.1.1 Introduction to NAT
Network Address Translation (NAT for short) provides a way of translating the IP
address in an IP packet header to another IP address. In practice, NAT is primarily
designed for private network users to access public networks. This way of using a
smaller number of public IP addresses to represent a larger number of private IP
addresses can effectively alleviate the depletion of IP addresses.
Note:
Private or internal IP addresses refer to IP addresses used in an internal network
whereas public or external IP addresses refer to the globally unique IP addresses used
on the Internet.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
- In Class A: 10.0.0.0 to 10.255.255.255;
- In Class B: 172.16.0.0 to 172.31.255.255;
- In Class C: 192.168.0.0 to 192.168.255.255.
The above three ranges of IP addresses are not assigned on the Internet. You can use these IP addresses freely inside an enterprise without applying for them from an ISP or the registration center.
Figure 1-1 depicts a basic NAT operation:
[Figure 1-1 (image not reproduced): two hosts (192.168.1.2 and 192.168.1.3) sit behind a NAT gateway whose private-side address is 192.168.1.1 and whose public-side address is 20.1.1.1; across the Internet are Server A (10.1.1.2) and Server B (10.1.1.3). IP packet 1 (source 192.168.1.3, destination 10.1.1.2) leaves the gateway with source 20.1.1.1; IP packet 2 (source 10.1.1.3, destination 20.1.1.1) is delivered inside with destination 192.168.1.2.]
Figure 1-1 A basic NAT operation
- The NAT gateway lies between the private network and the public network.
- The internal PC (with source IP address 192.168.1.3) sends an IP packet (IP packet 1) to the external server (with IP address 10.1.1.2) through the NAT gateway.
- Upon receipt of the packet, the NAT gateway checks the packet header and translates the original private address 192.168.1.3 to a globally unique IP address, 20.1.1.1, for routing over the Internet. After that, the gateway forwards the packet and records the mapping between the two addresses in its network address translation table.
- The external server responds to the internal PC with an IP packet (IP packet 2, with original destination IP address 20.1.1.1) through the NAT gateway. Upon receipt of the packet, the NAT gateway checks the packet header and looks in its network
address translation table for the mapping and replaces the original destination
address with the private address 192.168.1.3.
The above NAT operation is transparent to the terminals like the Host and the Server in
the above figure. The external server believes that the IP address of the internal PC is
20.1.1.1, and is unaware of the private address 192.168.1.3. As such, NAT hides the
private network from the external networks.
Despite the advantage of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
- As NAT involves translation of IP addresses, the packet headers that carry these addresses cannot be encrypted. This is also true of application protocol packets when the IP address or port number they contain needs to be translated. For example, you cannot encrypt an FTP connection; otherwise its PORT command cannot work correctly.
- Network debugging becomes more difficult. For example, when a host in a private network attacks other networks, it is harder to pinpoint the attacking host because its IP address has been hidden.
- The influence of NAT on network performance is not obvious when the bandwidth is lower than 1.5 Gbps; the bottleneck in this scenario lies in the transmission rate. However, when the bandwidth is higher than 1.5 Gbps, NAT could affect the switch performance to a certain extent.
1.1.2 NAT Functionalities
I. Many-to-many NAT and NAT control
As depicted in Figure 1-1, when an internal network user accesses an external network,
NAT uses an external or public IP address to replace the original internal IP address. In
Figure 1-1, this address is the outbound interface address (a public IP address) of the
NAT gateway. This means that all internal hosts use the same external IP address
when accessing external networks. In this scenario, only one host is allowed to access
external networks at a given time. Hence, it is referred to as “one-to-one NAT”.
Another form of NAT solves this problem by allowing the NAT gateway to have multiple public IP addresses. When the first internal host accesses external networks, NAT chooses a public IP address for it, records the mapping between the two addresses and transfers data packets. When the second internal host accesses external networks, a similar process happens, but this time another public IP address is used, and so on for the remaining internal hosts. In this way, multiple internal hosts can access the external networks simultaneously. This type of NAT is called “many-to-many NAT”.
Note:
The number of public IP addresses a NAT gateway has is far less than the number of internal hosts, because not all internal hosts will access the external networks at the same time. The number of public IP addresses needed should be determined from statistics on the number of hosts that might access external networks during peak time.
In practice, an enterprise may need to allow some internal hosts to access external
networks while prohibiting others. This can be achieved through the NAT control
mechanism. If a source IP address is among those addresses that have been denied
access to external networks, the NAT gateway will not translate this address.
“Many-to-many NAT” is realized through the definition of an address pool, whereas NAT control is achieved through ACLs.
- Address pool: a set of consecutive public IP addresses intended for address translation. The address pool should be configured according to the number of legal IP addresses, the number of internal hosts, and the actual network requirements. The NAT gateway selects an address from the address pool and uses it as the source public IP address during address translation.
- NAT control through ACLs: NAT is only applied to the packets that match the ACL rules. This makes the use of NAT more flexible.
II. NAPT
Another form of NAT is network address port translation (NAPT for short). NAPT allows
multiple internal addresses to be mapped to the same external public IP address,
namely “multiple-to-one NAT”, or “address multiplexing”.
The source addresses of the packets from different internal hosts are mapped to the same external IP address but with different port numbers. In other words, NAPT maps the combination of a private IP address and a port number to the combination of a public IP address and a port number.
Figure 1-2 depicts an NAPT process.
Figure 1-2 An NAPT process
As illustrated in the above figure, four data packets arrive at the NAT gateway. Packets 1 and 2 have the same internal address but different source port numbers. Packets 3 and 4 have different internal addresses but the same source port number. NAPT maps the four data packets to the same external address but with different source port numbers, so the packets can still be distinguished. When response packets arrive, the NAT gateway forwards them to the corresponding hosts based on the destination address and port number.
III. Internal server
NAT hides the internal network structure, including the identities of internal hosts.
However, in practice, external contacts to internal hosts are sometimes also necessary.
In this case, you need an internal server, such as a WWW server or an FTP server to
provide such services. With NAT, you can deploy an internal server easily and flexibly.
For instance, you can use 20.1.1.10 as the WWW server’s external address and 20.1.1.11 as the FTP server’s external address; you can even use an address-and-port combination such as 20.1.1.12:8080 as the WWW server’s external address.
Currently, this feature is available on the device. When an external user accesses an
internal server, NAT translates the destination address in the request packet to the
private IP address of the internal server. When the internal server returns a packet, NAT
translates the source address (a private IP address) of the packet into a public IP
address.
IV. Easy IP
Easy IP allows the NAT gateway to use the public IP address of an interface as the
translated source address for NAT. Besides, the NAT gateway can use ACLs to define
the internal IP addresses for NAT.
Easy IP applies to scenarios where there is only one public network interface address
or there are only a few internal host addresses.
V. Support for special protocols
Apart from the basic address translation function, NAT also provides an application layer gateway (ALG) mechanism that supports translation for some special application protocols without requiring the NAT platform to be modified, which gives it high scalability. The IP addresses and/or port numbers carried inside such protocol messages need address translation. The special protocols supported by the S9500 series include: Internet control message protocol (ICMP), domain name system (DNS), Internet locator service (ILS), and NetBIOS over TCP/IP (NBT).
VI. NAT multiple-instance
This feature allows users from different MPLS VPNs to access external networks
through the same outbound interface. It also allows them to have the same internal
network address. The process works as follows:
When an MPLS VPN user communicates with an external network, NAT replaces its internal IP address and port number with the NAT gateway’s external IP address and port number. It also records the relevant MPLS VPN information, such as the protocol type and route distinguisher (RD for short). When the response packet arrives, the NAT gateway restores the external IP address and port number to the internal IP address and port number. Additionally, the NAT gateway can identify the users who access the external network. Besides NAT, NAPT also supports multiple-instance.
The multiple-instance feature can also apply to internal servers so that external users
can access an internal host of an MPLS VPN. For example, in MPLS VPN1, the host
that provides WWW service has an internal address 10.110.1.1. The host can use
202.110.10.20 as an external IP address so that the Internet users can access the
WWW service in MPLS VPN1 through this external address.
1.2 NAT Configuration Task List
Follow these steps to configure NAT:

Enter system view
  Command: system-view

Define an address pool
  Command: nat address-group group-number start-address end-address
  Remarks: Optional. Not necessary when the switch has been configured with Easy IP.

Configure address translation
  Command: refer to Configuring Address Translation
  Remarks: Required
Configure an internal server
  Command: refer to Configuring Internal Server
  Remarks: Optional

Enable NAT application layer gateway
  Command: nat alg { all | dns | ftp | ils | nbt }
  Remarks: Optional. Enabled by default. Currently, the NAT ALG supports only standard ports for DNS, FTP, ILS, and NBT.

Configure the binding
  Command: refer to Configuring the Binding
  Remarks: Required

Configure NAT log
  Command: refer to Configuring NAT Log
  Remarks: Optional

Configure user resource limit
  Command: refer to Configuring User Resource Limit
  Remarks: Optional. Only NAPT with the application gateway function disabled has a user resource limit.

Configure connection-limit
  Command: refer to Configuring Connection-limit
  Remarks: Optional
Note:
The addresses in the address pool referenced by NAT must be different from the interface address; otherwise, the service cannot be implemented. To use the interface address as the translation address, Easy IP must be used.
1.3 Configuring Address Translation
1.3.1 Introduction to Address Translation
Address translation is implemented by associating an ACL with an address pool (or an
interface address in case of Easy IP). This association specifies what packets (defined
by ACLs) can use which address (one in the address pool, or the interface address
itself) to access the external network. When an internal host needs to send data
packets to an external network, the NAT gateway checks the first packet against the
ACL to see if it is permitted. If so, NAT chooses an address from the address pool (or
the interface address, depending on the association) to perform address translation.
This address mapping is recorded in an address translation table so that subsequent
packets can be translated directly according to this mapping entry.
For details about ACL, refer to ACL Configuration in QoS ACL Volume.
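The ACL-and-address-pool association described above, as an added Python model that is not H3C code and is not part of this manual: the ACL decides which packets are translated (NAT control), an address group supplies the public addresses, NO-PAT (many-to-many NAT) maps whole addresses while PAT (NAPT) maps address-plus-port, a VPN instance is kept with the mapping (multiple-instance), and each new mapping produces a record with the fields a flow-begin NAT log carries. The allocation order (pool order for NO-PAT, ports from 10000 upwards for PAT) is an assumption made for the example, not the device's documented behaviour.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed model of the address-translation behaviour this chapter describes.
# It is not H3C code; allocation order (pool order for NO-PAT, ports from 10000
# for PAT) is an assumption made for the example.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    vpn: Optional[str] = None   # MPLS VPN instance of the sender; None = public network

@dataclass(frozen=True)
class AclRule:
    source: str                 # source prefix, e.g. "192.168.1.0/24"
    permit: bool = True         # a deny rule keeps the address untranslated (NAT control)
    vpn: Optional[str] = None   # counterpart of "rule permit vpn-instance vpn1"

class NatGateway:
    """ACL + address group association, as set by
    'nat outbound acl-number address-group group-number [ no-pat ]'."""

    def __init__(self, acl: List[AclRule], start_address: str, end_address: str,
                 no_pat: bool = False):
        self.acl = acl
        first, last = int(ip_address(start_address)), int(ip_address(end_address))
        self.pool = [str(ip_address(i)) for i in range(first, last + 1)]
        self.no_pat = no_pat
        # Address translation table: inside key -> (public address, public port or None)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}
        self.reverse: Dict[Tuple[str, Optional[int]], Tuple] = {}
        self.next_port = 10000
        self.logs: List[dict] = []   # one flow-begin NAT log record per new mapping

    def _acl_permits(self, p: Packet) -> bool:
        # Only the source address and VPN instance of a rule take effect for NAT;
        # rules are checked in rule-number order and the first match wins.
        for rule in self.acl:
            if rule.vpn == p.vpn and ip_address(p.src) in ip_network(rule.source):
                return rule.permit
        return False   # no matching rule: the packet is not translated

    def _allocate(self) -> Optional[Tuple[str, Optional[int]]]:
        if self.no_pat:
            # Many-to-many NAT: every internal host needs its own public address.
            in_use = {pub for pub, _ in self.table.values()}
            free = [a for a in self.pool if a not in in_use]
            return (free[0], None) if free else None
        # NAPT: one public address multiplexed over distinct port numbers.
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.pool[0], port)

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Private -> public direction. Returns None when the packet must be dropped."""
        if not self._acl_permits(p):
            return p   # not selected by the ACL: forwarded with its private address
        key = (p.vpn, p.src, None if self.no_pat else p.sport)
        if key not in self.table:
            mapping = self._allocate()
            if mapping is None:
                return None   # address pool exhausted
            self.table[key] = mapping
            self.reverse[mapping] = key
            self.logs.append({"vpn": p.vpn, "src": p.src, "sport": p.sport,
                              "dst": p.dst, "dport": p.dport, "nat_src": mapping[0],
                              "nat_sport": p.sport if mapping[1] is None else mapping[1]})
        pub, pport = self.table[key]
        return replace(p, src=pub, sport=p.sport if pport is None else pport, vpn=None)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Public -> private direction: restore address, port and VPN instance."""
        for outside in ((p.dst, p.dport), (p.dst, None)):
            if outside in self.reverse:
                vpn, src, sport = self.reverse[outside]
                return replace(p, dst=src, dport=p.dport if sport is None else sport, vpn=vpn)
        return None   # no translation entry: dropped

def napt_demo():
    """The Figure 1-2 case: packets 1 and 2 share a host, packets 3 and 4 share a port."""
    gw = NatGateway([AclRule("192.168.1.0/24")], "20.1.1.1", "20.1.1.1")
    packets = [Packet("192.168.1.3", 1025, "10.1.1.2", 80),
               Packet("192.168.1.3", 1026, "10.1.1.2", 80),
               Packet("192.168.1.4", 1025, "10.1.1.2", 80),
               Packet("192.168.1.5", 1025, "10.1.1.2", 80)]
    return gw, [gw.outbound(p) for p in packets]

if __name__ == "__main__":
    gw, translated = napt_demo()
    for record, after in zip(gw.logs, translated):
        print(record["src"], record["sport"], "->", after.src, after.sport)
```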
The configuration for the different forms of address translation varies somewhat:
- Easy IP
This feature is implemented using the nat outbound acl-number command without the address-group keyword. During address translation, the NAT gateway directly uses an interface’s public IP address as the translated IP address, and uses ACLs to restrict the traffic.
- NAT (address pool with the VPN attribute)
If you specify the address-group keyword in the nat outbound acl-number command, you can configure the VPN attribute of an address pool, that is, the VPN that the address pool belongs to. Generally, such a VPN has no hosts and is only used for injecting NAT routes. You can configure the VPN attribute to advertise the NAT routes to other accessible VPNs, thus implementing interworking between VPNs in a NAT-enabled VPN networking application.
- Many-to-many NAT
You only need to associate an ACL with an address pool, without considering port numbers.
- NAPT
You need to associate an ACL with an address pool, and deal with both IP addresses and port numbers.
- NAT multiple-instance
You need to configure vpn instance vpn-instance-name in the rule of an ACL to specify the MPLS VPN users that need address translation, and add a static route to the public network into the routing table of the private network. NAT multiple-instance is supported on Easy IP, many-to-many NAT, and NAPT.
Caution:
For a multi-channel service (for example, FTP service, which uses a control channel
and a data channel), it is not recommended to modify NAT configurations during
service establishment. Otherwise, the service may fail because some sub-channels
that have not been established may use different rules for NAT.
1.3.2 Configuring Address Translation
I. Configuring Easy IP
Follow these steps to configure Easy IP:
Enter system view
  Command: system-view

Enter VLAN interface view
  Command: interface vlan-interface interface-number

Enable Easy IP by associating the ACL with the interface IP address
  Command: nat outbound acl-number
  Remarks: Required
II. Configuring many-to-many NAT
Follow these steps to configure many-to-many NAT:
Enter system view
  Command: system-view

Enter VLAN interface view
  Command: interface vlan-interface interface-number

Enable many-to-many NAT, and associate an ACL with an IP address pool to translate the IP address alone
  Command: nat outbound acl-number address-group group-number no-pat
  Remarks: Required
III. Configuring NAPT
Follow these steps to configure NAPT:
Enter system view
  Command: system-view

Enter VLAN interface view
  Command: interface vlan-interface interface-number

Enable NAPT and associate an ACL with an IP address pool to translate both the IP address and the port number
  Command: nat outbound acl-number address-group group-number
  Remarks: Required
Note:
- For the ACL referenced by NAT, only the source IP address, destination IP address, and VPN instance take effect.
- For NO-PAT translation, if multiple NAT rules are configured on a VLAN interface, the device determines the rule priority based on the ACL numbers bound with the NAT rules and always matches the NAT rule with the greater ACL number. The priorities of the rules within an ACL are based on the rule number: the smaller the rule number, the higher the priority.
- In PAT translation, ACLs are matched according to the "depth-first" order.
- After removing a NAT-enabled VLAN virtual interface or the association between an ACL and an address pool, you need to execute the reset nat session command to purge all NAT entries if you want the NATed public network address to be reassigned.
- When configuring the nat outbound acl-number command on an interface bound with a VPN, note that the VPN specified in the referenced ACL rule cannot be the same as the bound VPN. For example, if VLAN-interface 10 is bound with VPN 1 and ACL 2001 has a rule using VPN 1 (rule permit vpn-instance vpn1), you cannot configure the nat outbound 2001 command on VLAN-interface 10.
1.4 Configuring Internal Server
1.4.1 Introduction to Internal Server
To configure an internal server, you need to map an external IP address and port to the
internal server. This is done through the nat server command.
Internal server configurations include: external IP address, external port, internal server
IP address, internal server port, and internal server protocol type.
If an internal server belongs to an MPLS VPN instance, you should specify the
vpn-instance-name argument. With this argument not provided, the internal server is
considered belonging to a private network.
1.4.2 Configuring an Internal Server
Follow these steps to configure an internal server:

Enter system view
  Command: system-view

Enter VLAN interface view
  Command: interface Vlan-interface interface-number
Configure an internal server
  Command: nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-address [ global-port ] inside host-address [ host-port ]
  or: nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-address global-port1 global-port2 inside host-address1 host-address2 host-port
  Remarks: Use either command
1.5 Configuring the Binding
1.5.1 Introduction to Binding
Through the use of the L3+NAT board on a switch, the NAT services can be handled
centrally and more efficiently thanks to the quick handling capability of the hardware.
When a VLAN interface is configured with NAT, you can bind the VLAN interface with
the NAT virtual interface so that all the packets that pass through the VLAN interface
are redirected to the L3+NAT board for handling.
Before configuring the binding, you must configure the VLAN interface first.
1.5.2 Configuration Procedure
Follow these steps to configure the binding:
Enter system view
  Command: system-view

Enter NAT service interface view
  Command: interface nat interface-number

Configure the binding
  Command: nat binding interface interface-type interface-number
  Remarks: Required. Only VLAN interfaces can be bound. A NAT service interface can be bound with multiple NAT-enabled interfaces.
Caution:
- Once bound to the NAT virtual interface, a VLAN interface can no longer serve as the outbound interface of QoS redirection. This is because the packets that pass through the VLAN interface have already been redirected to the L3+NAT board, which renders the QoS redirection function ineffective.
- After removing a NAT-enabled VLAN virtual interface or the binding of a NAT-enabled VLAN interface with a NAT service interface, you need to execute the reset nat session command to purge all NAT entries if you want the NATed public network address to be reassigned.
1.6 Configuring NAT Log
1.6.1 Introduction to NAT Log
NAT log is a type of system information generated by the NAT gateway during IP address translation. A NAT log contains such information as the packet’s source IP address, source port number, destination IP address, destination port number, translated source IP address, translated source port number and other user operations. The log only traces operations of private network users accessing an external network, not those in the opposite direction.
As multiple private users share one public IP address when accessing an external network through a NAT gateway, it is hard to identify each of the users. The log function, however, can enhance network security (for auditing purposes) by keeping records of the private network users that access the external network.
1.6.2 Enabling NAT Log Function
Follow these steps to enable NAT log function:
Enter system view
  Command: system-view

Enable log function
  Command: nat log enable [ acl acl-number ]
  Remarks: Required. Disabled by default.

Generate a NAT log when establishing a NAT session
  Command: nat log flow-begin
  Remarks: Required. By default, no log is generated when establishing a NAT session.
Enable and set the interval for logging active flows
  Command: nat log flow-active minutes
  Remarks: Required. Disabled by default.
1.6.3 Exporting NAT Logs
NAT logs can be exported in two directions, either to the information center or to the
NAT log server.
In the former case, NAT logs are first converted into system logs and exported to the
local device’s information center. Depending on the configuration of the information
system, NAT logs are again exported to their final destination. At most 10 NAT logs can
be exported to the information center at one time.
In the latter case, NAT logs are encapsulated into UDP packets and sent to the log server, as shown in Figure 1-3. The UDP packets may come in several versions, each with a different packet format; only version 1 is used presently. A UDP packet is composed of a header and several NAT logs.
Figure 1-3 Export NAT logs
I. Exporting NAT logs to the information center
Follow these steps to export NAT logs to the information center:
Enter system view
  Command: system-view

Export NAT logs to the information center
  Command: userlog nat syslog
  Remarks: Required. NAT logs are exported to the NAT log server by default.
Note:
- Exporting NAT logs to the information center occupies storage space. This approach is recommended when the volume of NAT logs is small.
- NAT logs exported to the information center are prioritized as informational, meaning that they are ordinary information.
- For detailed information about data priority, refer to Information Center Configuration in System Volume.
II. Exporting NAT logs to log server
When exporting NAT logs to the log server in UDP packets, you can configure the following three parameters:
- IP address and UDP port number of the NAT log server. NAT logs cannot be exported successfully without configuring the information center export direction and specifying the log server address.
- Source IP address of NAT logs. This address allows the log server to identify the log source. It is recommended to use the loopback interface address as the source IP address of NAT logs.
- Version number of NAT logs. NAT logs may come in several versions, each with a different packet format. However, the device currently supports only version 1.
Follow these steps to configure a NAT log server:
Enter system view
  Command: system-view

Specify the IP address and UDP port number of the NAT log server
  Command: userlog nat export [ slot slot-number ] host ip-address udp-port
  Remarks: Required

Specify the source IP address of the UDP packet that carries NAT logs
  Command: userlog nat export source-ip ip-address
  Remarks: Optional. By default, the source IP address is the IP address of the interface through which the packet is sent.

Specify the version number of NAT logs
  Command: userlog nat export version version-number
  Remarks: Optional. Version 1 is used by default.
Note:
- The IP address of the NAT log server must be a valid unicast address.
- For the UDP port number of the log server, it is recommended to use a port number greater than 1024 to avoid conflicts with the system-defined port numbers.
1.7 Configuring User Resource Limit
1.7.1 Introduction to User Resource Limit
User resource limit is a function that defines the maximum number of ordinary users (non-VPN users in an internal network) or VPN users, as well as the maximum number of their connections, when accessing external networks. This helps distribute resources more reasonably.
This function only applies to NAPT with its application layer gateway function disabled.
1.7.2 Configuring User Resource Limit
Follow these steps to configure user resource limit:
Enter system view
  Command: system-view

Set limits for ordinary users or VPN users
  Command: nat limit { public | vpn-instance vpn-instance-name } user-amount user-limit connection-amount connection-limit
  Remarks: Optional. By default, the ordinary users occupy all the system resources.
Note:
- On a newly started system without any configuration, the system resources are completely occupied by ordinary users.
- Before a user resource limit is configured for public network users, resources for a VPN user are allocated from those of the public network users until the public network user resources are used up.
- After the administrator configures a limit on the resources for public network users, resources for a VPN user can be allocated only from the remaining resources until the remaining system resources are used up.
- The user resource configuration is performed on a single L3+NAT board, but takes effect on all L3+NAT boards if there are multiple L3+NAT boards.
1.8 Configuring Connection-limit
1.8.1 Introduction to Connection-limit
The connection-limit function allows you to limit user connections in three ways: by connection number, by connection rate, or by both. This avoids the situation where a single user establishes so many connections in a short time that other users are affected in using the network. This feature applies to VPN users as well.
- Limiting connection number means that when the number of connections initiated by a user reaches a certain upper limit, the user cannot establish new connections. The user must wait (for at least 5 minutes) until the connection number is lower than the upper limit in order to create new connections.
- Limiting connection rate means that a user's connection rate cannot exceed a predefined maximum value.
For the connection-limit function to take effect, you need to set a connection-limit policy, bind the policy to the NAT module, and enable the connection-limit function.
Caution:
- For parameters not configured in a connection-limit policy, the global configurations take effect.
- For user connections not covered by a connection-limit policy, the global configurations take effect.
1.8.2 Configuration Procedure
I. Configuring global connection-limit parameters
Follow these steps to configure global connection-limit parameters:
To do…  /  Use the command…  /  Remarks

Enter system view
    system-view

Enable connection-limit function
    connection-limit enable
    Required. Disabled by default.

Configure connection-limit action globally
    connection-limit default action [ permit | deny ]
    Optional. User connections are not counted and limited by default.
Configure connection number limits globally
    connection-limit default amount upper-limit max-amount
    Optional. 200 by default.

Set the maximum connection rate globally
    connection-limit default rate max-rate max-rate
    Optional. 100 by default.
II. Configuring connection-limit policy
Follow these steps to configure a connection-limit policy:
To do…  /  Use the command…  /  Remarks

Enter system view
    system-view

Create or edit a connection-limit policy and enter the connection-limit policy view
    connection-limit policy policy-number
    Required.

Configure the rules of connection-limit
    limit limit-id source user-ip [ vpn-instance vpn-instance-name ] { amount max-amount | rate } *
    Required.

Set connection-limit mode
    limit mode { all | amount | rate }
    Optional. By default, both the number and rate of user connections are limited.

Set the maximum connection rate in a policy
    limit rate max-rate
    Optional. By default, the global setting is used.
III. Binding a connection-limit policy to a NAT module
Follow these steps to bind a connection-limit policy to a NAT module:
To do…  /  Use the command…  /  Remarks

Enter system view
    system-view

Bind a connection-limit policy to the NAT module
    nat connection-limit-policy policy-number
    Required.
Caution:
- A NAT module limits user connections based on the policy bound to it. Each NAT module can be bound with one policy only.
- The global connection-limit configuration does not take effect until you bind the connection-limit policy to the NAT module.
- If multiple NAT modules exist in the system, the connection-limit policy applies to all of these NAT modules.
- A connection-limit policy does not take effect in NO-PAT translation.
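To make the fallback rules of the three tables and the cautions above concrete, here is an added Python model (not H3C code) of how the global settings, a policy's rules and the policy mode combine for one user. It assumes a rule matches on exact user IP and VPN instance, that a rule without amount and a policy without limit rate fall back to the global values, and it does not model the 5-minute wait or the default action.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class GlobalLimit:
    """Global settings: connection-limit enable / default amount / default rate."""
    enabled: bool = False     # connection-limit enable (disabled by default)
    upper_limit: int = 200    # connection-limit default amount upper-limit (200 by default)
    max_rate: int = 100       # connection-limit default rate max-rate (100 by default)

@dataclass
class Rule:
    """One 'limit limit-id source user-ip [vpn-instance name] { amount max-amount | rate } *' rule."""
    user_ip: str
    vpn_instance: Optional[str] = None
    amount: Optional[int] = None  # None: 'amount' not configured, so the global upper limit applies

@dataclass
class Policy:
    """A 'connection-limit policy' view, bound to NAT with 'nat connection-limit-policy'."""
    rules: List[Rule] = field(default_factory=list)
    mode: str = "all"               # limit mode { all | amount | rate }; 'all' by default
    max_rate: Optional[int] = None  # limit rate max-rate; None: the global setting is used

Limits = Tuple[Optional[int], Optional[int]]  # (number limit, rate limit); None = not limited

def effective_limits(g: GlobalLimit, policy: Optional[Policy],
                     user_ip: str, vpn: Optional[str] = None) -> Limits:
    """Resolve the limits that apply to one user, following the fallback rules of section 1.8."""
    if not g.enabled or policy is None:   # switch off, or no policy bound to the NAT module
        return (None, None)
    rule = next((r for r in policy.rules
                 if r.user_ip == user_ip and r.vpn_instance == vpn), None)
    if rule is None:                      # user not covered by the policy: global values apply
        return (g.upper_limit, g.max_rate)
    amount = rule.amount if rule.amount is not None else g.upper_limit
    rate = policy.max_rate if policy.max_rate is not None else g.max_rate
    if policy.mode == "amount":           # only the number of connections is limited
        rate = None
    elif policy.mode == "rate":           # only the connection rate is limited
        amount = None
    return (amount, rate)

def admit(g: GlobalLimit, policy: Optional[Policy], user_ip: str,
          current_count: int, current_rate: int, vpn: Optional[str] = None) -> bool:
    """True if one more connection from this user would stay within its effective limits."""
    amount, rate = effective_limits(g, policy, user_ip, vpn)
    return not ((amount is not None and current_count >= amount)
                or (rate is not None and current_rate >= rate))
```

The user addresses used in the test are constructed from the network in section 1.10; the model is a reading aid for checking a configuration, not the switch's own algorithm.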
1.9 Displaying and Maintaining NAT
To do…  /  Use the command…  /  Remarks

Display information about the NAT address pool
    display nat address-group
    Available in any view

Display configurations about all forms of NAT
    display nat all
    Available in any view

Display the connection-limit information
    display nat connection-limit { all | ip user-ip [ vpn-instance vpn-instance-name ] }
    Available in any view

Display the address translation configuration
    display nat outbound
    Available in any view

Display the internal server information
    display nat server
    Available in any view

Display the information about active connections
    display nat session slot slot-number protocol { tcp | udp } [ vpn-instance vpn-instance-name ] source { global global-address global-port | inside inside-address inside-port } destination dst-address destination-port
    Available in any view

Display NAT statistics
    display nat statistics slot slot-number
    Available in any view

Display information about the connection-limit policy
    display connection-limit policy { policy-number | all }
    Available in any view

Display NAT log information
    display nat log
    Available in any view
Display information about the resource allocation and utilization
    display nat limit { all | public | vpn-instance vpn-instance-name }
    Available in any view

Display NAT log configuration and statistics
    display userlog export slot slot-number
    Available in any view

Clear the records in the NAT log buffer
    reset userlog nat logbuffer slot slot-number
    Available in user view

Clear NAT log statistics
    reset userlog export slot slot-number
    Available in user view

Clear the address translation mapping table in the memory and release the memory dynamically allocated for storing the mapping table
    reset nat session slot slot-number
    Available in user view
Note:
Clearing the NAT log buffer implies loss of all NAT logs. In general, it is not recommended that you use this command.
1.10 NAT Configuration Example
1.10.1 NAT Configuration Example
I. Network requirements
As illustrated in Figure 1-4, a company accesses the Internet through VLAN 10 of the NAT-enabled device. The company provides two WWW servers, one FTP server, and one SMTP server for external users to access. The internal network address segment is 10.110.0.0/16. The internal address of the FTP server is 10.110.10.1, of WWW server 1 is 10.110.10.2, of WWW server 2 is 10.110.10.3, and of the SMTP server is 10.110.10.4. The company wants to provide a unified IP address to external users.
Specifically, the company has the following requirements:
- The internal users in subnet 10.110.10.0/24 can access the Internet, while users in other network segments cannot.
- External PCs can access an internal server.
- The company has 6 legal IP addresses ranging from 202.38.160.100/24 to 202.38.160.105/24. Address 202.38.160.100 is used as the one for external access, and port 8080 is used for WWW server 2.