2. H3C
  3. S9500 Series

H3C S9500 Series Operating instructions

  • Hello! I am an AI chatbot trained to assist you with the H3C S9500 Series Operating instructions. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Table of Contents
i
Table of Contents
Chapter 1 NAT Configuration.......................................................................................................1-1
1.1 NAT Overview....................................................................................................................1-1
1.1.1 Introduction to NAT.................................................................................................1-1
1.1.2 NAT Functionalities.................................................................................................1-3
1.2 NAT Configuration Task List..............................................................................................1-6
1.3 Configuring Address Translation .......................................................................................1-7
1.3.1 Introduction to Address Translation ........................................................................ 1-7
1.3.2 Configuring Address Translation.............................................................................1-8
1.4 Configuring Internal Server..............................................................................................1-10
1.4.1 Introduction to Internal Server...............................................................................1-10
1.4.2 Configuring an Internal Server..............................................................................1-10
1.5 Configuring the Binding ...................................................................................................1-11
1.5.1 Introduction to Binding ..........................................................................................1-11
1.5.2 Configuration Procedure.......................................................................................1-11
1.6 Configuring NAT Log.......................................................................................................1-12
1.6.1 Introduction to NAT Log........................................................................................1-12
1.6.2 Enabling NAT Log Function..................................................................................1-12
1.6.3 Exporting NAT Logs..............................................................................................1-13
1.7 Configuring User Resource Limit.....................................................................................1-15
1.7.1 Introduction to User Resource Limit......................................................................1-15
1.7.2 Configuring User Resource Limit..........................................................................1-15
1.8 Configuring Connection-limit............................................................................................1-16
1.8.1 Introduction to Connection-limit.............................................................................1-16
1.8.2 Configuration Procedure.......................................................................................1-16
1.9 Displaying and Maintaining NAT......................................................................................1-18
1.10 NAT Configuration Example..........................................................................................1-19
1.10.1 NAT Configuration Example................................................................................1-19
1.10.2 Exporting NAT Logs to the Information Center...................................................1-21
1.10.3 Exporting NAT logs to Log Server.......................................................................1-24
1.11 Troubleshooting NAT.....................................................................................................1-25
1.11.1 Symptom 1: Abnormal Translation of IP Addresses...........................................1-25
1.11.2 Symptom 2: Internal Server Functions Abnormally............................................. 1-25
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-1
Chapter 1 NAT Configuration
When configuring NAT, go to these sections for information you are interested in:
z NAT Overview
z NAT Configuration Task List
z Configuring Address Translation
z Configuring Internal Server
z Configuring the Binding
z Configuring NAT Log
z Configuring User Resource Limit
z Configuring Connection-limit
z Displaying and Maintaining NAT
z NAT Configuration Example
z Troubleshooting NAT
Note:
The line processing unit (LPU) mentioned in this chapter is LSB1NATB0.
1.1 NAT Overview
1.1.1 Introduction to NAT
Network Address Translation (NAT for short) provides a way of translating the IP
address in an IP packet header to another IP address. In practice, NAT is primarily
designed for private network users to access public networks. This way of using a
smaller number of public IP addresses to represent a larger number of private IP
addresses can effectively alleviate the depletion of IP addresses.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-2
Note:
Private or internal IP addresses refer to IP addresses used in an internal network
whereas public or external IP addresses refer to the globally unique IP addresses used
on the Internet.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
z In Class A: 10.0.0.0 to 10.255.255.255;
z In Class B: 172.16.0.0 to 172.31.255.255;
z In Class C: 192.168.0.0 to 192.168.255.255;
The above three ranges of IP addresses are not assigned over the Internet. You can
use these IP addresses in enterprises freely without the need for applying them from
the ISPs or the registration center.
Figure 1-1 depicts a basic NAT operation:
Internet
IP packet 1
Source IP : 192.168.1.3
Destination IP : 10.1.1.2
IP packet 1
Source IP : 20.1.1.1
Destination IP : 10.1.1.2
192.168.1.1 20.1.1.1
IP packet 2
Source IP : 10.1.1.3
Destination IP : 20.1.1.1
IP packet 2
Source IP : 10.1.1.3
Destination IP :192.168.1.2
10.1.1.2
10.1.1.3
Server B
Host
Server A
192.168.1.2
192.168.1.3
Host
Figure 1-1 A basic NAT operation
z NAT gateway lies between the private network and the public network.
z The internal PC (with source IP address 192.168.1.3) sends an IP packet (IP
packet 1) to the external server (with source IP address 10.1.1.2) through the NAT
gateway.
z Upon receipt of the packet, the NAT gateway checks the packet header and
translates the original private address 192.168.1.3 to a globally unique IP address
20.1.1.1 for routing over the Internet. After that, the gateway forwards the packet
and records the mapping between the two addresses in its network address
translation table.
z The external server responds the internal PC with an IP packet (IP packet 2 with
original destination IP address 20.1.1.1) through the NAT gateway. Upon receipt
of the packet, the NAT gateway checks the packet header and looks in its network
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-3
address translation table for the mapping and replaces the original destination
address with the private address 192.168.1.3.
The above NAT operation is transparent to the terminals like the Host and the Server in
the above figure. The external server believes that the IP address of the internal PC is
20.1.1.1, and is unaware of the private address 192.168.1.3. As such, NAT hides the
private network from the external networks.
Despite the advantage of allowing internal hosts to access external resources and
providing privacy, NAT also has the following disadvantages:
z As NAT involves translation of IP addresses, the packet headers that carry these
addresses cannot be encrypted. This is also true to the application protocol
packets when the contained IP address or port number needs to be translated. For
example, you cannot encrypt an FTP connection, or its port command cannot
work correctly.
z Network debugging becomes more difficult. For example, when a host in a private
network tries to attack other networks, it is harder to pinpoint the attacking host as
the host IP address has been hidden.
z The influence of NAT on network performance is not obvious when the bandwidth
is lower than 1.5 Gbps. The bottleneck in this scenario lies in the transmission rate.
However, when the bandwidth is higher than 1.5 Gbps, NAT could affect the
switch performance to a certain extent.
1.1.2 NAT Functionalities
I. Many-to-many NAT and NAT control
As depicted in Figure 1-1, when an internal network user accesses an external network,
NAT uses an external or public IP address to replace the original internal IP address. In
Figure 1-1, this address is the outbound interface address (a public IP address) of the
NAT gateway. This means that all internal hosts use the same external IP address
when accessing external networks. In this scenario, only one host is allowed to access
external networks at a given time. Hence, it is referred to as “one-to-one NAT”.
Another form of NAT solves this problem by allowing the NAT gateway to have multiple
public IP addresses. When the first internal host accesses external networks, NAT
chooses a public IP address for it, records the mapping between the two addresses and
transfers data packets. When the second internal host accesses external networks, a
similar process happens, but this time another public IP address is used, and so are the
remaining internal hosts. In this way, multiple internal hosts can access the external
networks simultaneously. This type of NAT is called “many-to-many NAT”.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-4
Note:
The number of public IP addresses an NAT gateway has is far less than the number of
internal hosts, because not all internal hosts will access the external networks at the
same time. The number of necessary public IP addresses should be determined based
on the statistics on the number of the hosts that might access external networks during
peak time.
In practice, an enterprise may need to allow some internal hosts to access external
networks while prohibiting others. This can be achieved through the NAT control
mechanism. If a source IP address is among those addresses that have been denied
access to external networks, the NAT gateway will not translate this address.
The “many-to-many NAT” can be realized through definition of an address pool
whereas NAT control can be achieved through ACLs.
z Address pool: a set of consecutive public IP addresses intended for address
translation. The address pool should be configured according to the number of
legal IP addresses, the number of internal hosts, and the actual network
requirements. The NAT gateway will select an address from the address pool and
use it as the source public IP address during address translation.
z NAT control through ACLs: NAT is only applied to the packets that match the ACL
rules. This makes the use of NAT more flexible.
II. NAPT
Another form of NAT is network address port translation (NAPT for short). NAPT allows
multiple internal addresses to be mapped to the same external public IP address,
namely “multiple-to-one NAT”, or “address multiplexing”.
The destination addresses of the packets from different internal hosts are mapped to
the same external IP address but with different port numbers. In other words, NAPT
maps the combination of a private IP address and a port number to the combination of
a public IP address and a port number.
Figure 1-2 depicts an NAPT process.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-5
Figure 1-2 An NAPT process
As illustrated in the above figure, four data packets arrive at the NAT gateway. Packets
1 and 2 have the same internal address but different source port numbers. Packets 3
and 4 have different internal addresses but the same source port number. NAPT maps
the four data packets to the same external address but with different source port
numbers. Therefore, the packets can still be discriminated. When response packets
arrive, the NAT gateway can forward them to the corresponding hosts based on the
destination address and port numbers.
III. Internal server
NAT hides the internal network structure, including the identities of internal hosts.
However, in practice, external contacts to internal hosts are sometimes also necessary.
In this case, you need an internal server, such as a WWW server or an FTP server to
provide such services. With NAT, you can deploy an internal server easily and flexibly.
For instance, you can use 20.1.1.10 as the WWW server’s external address, 20.1.1.11
as the FTP server’s external address; or you can even use such address
20.1.1.12:8080 as the WWW server’s external address.
Currently, this feature is available on the device. When an external user accesses an
internal server, NAT translates the destination address in the request packet to the
private IP address of the internal server. When the internal server returns a packet, NAT
translates the source address (a private IP address) of the packet into a public IP
address.
IV. Easy IP
Easy IP allows the NAT gateway to use the public IP address of an interface as the
translated source address for NAT. Besides, the NAT gateway can use ACLs to define
the internal IP addresses for NAT.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-6
Easy IP applies to scenarios where there is only one public network interface address
or there are only a few internal host addresses.
V. Support for special protocols
Apart from the basic address translation function, NAT also provides a perfect
application layer gateway (ALG) mechanism that supports translation for some special
application protocols without requiring the NAT platform to be modified, featuring high
scalability. The IP addresses and/or port numbers contained in such protocol
messages need address translation. The special protocols supported by the S9500
series include: Internet control message protocol (ICMP), domain name system (DNS),
Internet locator service (ILS), and NetBIOS over TCP/IP (NBT).
VI. NAT multiple-instance
This feature allows users from different MPLS VPNs to access external networks
through the same outbound interface. It also allows them to have the same internal
network address. The process works as follows:
When an MPLS VPN user communicates with an external network, NAT replaces its
internal IP address and port number with the NAT gateway’s external IP address and
port number. It also records the relevant MPLS VPN information, such as the protocol
type and router distinguisher (RD for short). When the response packet arrives, the
NAT gateway then restores the external IP address and port number to the internal IP
address and port number. Additionally, the NAT gateway can identify the users who
access the external network. Besides NAT, NAPT also supports multiple-instance.
The multiple-instance feature can also apply to internal servers so that external users
can access an internal host of an MPLS VPN. For example, in MPLS VPN1, the host
that provides WWW service has an internal address 10.110.1.1. The host can use
202.110.10.20 as an external IP address so that the Internet users can access the
WWW service in MPLS VPN1 through this external address.
1.2 NAT Configuration Task List
Follow the following steps to configure NAT:
To do… Use the command… Remarks
Enter system view
system-view
Define an address pool
nat address-group
group-number start-address
end-address
Optional
Not necessary when the
switch has been
configured with Easy IP.
Configure address
translation
Refer to Configuring Address
Translation
.
Required
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-7
To do… Use the command… Remarks
Configure an internal
server
Refer to Configuring Internal
Server
.
Optional
Enable NAT
application layer
gateway
nat alg { all | dns | ftp | ils |
nbt }
Optional
Enabled by default
Currently, the NAT ALG
supports only standard
ports for DNS, FTP, ILS,
and NBT.
Configure the binding
Refer to
Configuring the
Binding
Required
Configure NAT log
Refer to
Configuring NAT
Log
Optional
Configure user
resource limit
Refer to Configuring User
Resource Limit
Optional
Only the NAPT with
application gateway
function disabled has user
resource limit.
Configure
connection-limit
Refer to Configuring
Connection-limit
Optional
Note:
The addresses in the address pool referenced by NAT must be different from the
interface address. Otherwise, the service can be implemented. To use the interface
address as the translation address, Easy IP must be used.
1.3 Configuring Address Translation
1.3.1 Introduction to Address Translation
Address translation is implemented by associating an ACL with an address pool (or an
interface address in case of Easy IP). This association specifies what packets (defined
by ACLs) can use which address (one in the address pool, or the interface address
itself) to access the external network. When an internal host needs to send data
packets to an external network, the NAT gateway checks the first packet against the
ACL to see if it is permitted. If so, NAT chooses an address from the address pool (or
the interface address, depending on the association) to perform address translation.
This address mapping is recorded in an address translation table so that subsequent
packets can be translated directly according to this mapping entry.
For details about ACL, refer to ACL Configuration in QoS ACL Volume.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-8
The configuration for different forms of address translation varies somewhat:
z Easy IP
This feature is implemented using the nat outbound acl-number command, without
the address-group keyword specified. When address translation, the NAT gateway
directly uses an interface’s public IP address as the translated IP address, and uses
ACLs to restrict the traffic.
z NAT (address pool with the VPN attribute)
If you specify the address-group keyword in the nat outbound acl-number command,
you can configure the VPN attribute of an address pool, that is, the VPN that the
address pool belongs to. Generally, such a VPN has no hosts and is only used for
injecting NAT routes. You can configure the VPN attributes to advertise the NAT routes
to other accessible VPNs, thus implementing interworking between VPNs in a
NAT-enabled VPN networking application.
z Many-to-many NAT
You only need to associate an ACL with an address pool, without considering port
numbers.
z NAPT
You need to associate an ACL with an address pool, and deal with both IP addresses
and port numbers.
z NAT multiple-instance
You need to configure vpn instance vpn-instance-name in the rule of an ACL to
specify the MPLS VPN users that need address translation and add a static route to the
public network into the routing table of the private network. NAT multiple-instance is
supported on Easy IP, Many-to-many NAT, and NAPT.
Caution:
For a multi-channel service (for example, FTP service, which uses a control channel
and a data channel), it is not recommended to modify NAT configurations during
service establishment. Otherwise, the service may fail because some sub-channels
that have not been established may use different rules for NAT.
1.3.2 Configuring Address Translation
I. Configuring Easy IP
Follow these steps to configure Easy IP:
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-9
To do… Use the command… Remarks
Enter system view
system-view
Enter VLAN interface view
interface vlan-interface
interface-number
Enable Easy IP by associating
the ACL with the interface IP
address
nat outbound acl-number
Required
II. Configuring many-to-many NAT
Follow these steps to configure many-to-many NAT:
To do… Use the command… Remarks
Enter system view
system-view
Enter VLAN interface view
interface vlan-interface
interface-number
Enable many-to-many NAT, and
associate an ACL with an IP
address pool to translate IP
address alone
nat outbound acl-number
address-group
group-number no-pat
Required
III. Configuring NAPT
Follow these steps to configure NAPT:
To do… Use the command… Remarks
Enter system view
system-view
Enter VLAN interface view
interface vlan-interface
interface-number
Enable NAPT and associate an
ACL with an IP address pool to
translate both IP address and
port number.
nat outbound acl-number
address-group
group-number
Required
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-10
Note:
z For the ACL referenced by NAT, only the source IP address, destination IP address,
and VPN instance take effect.
z For NO-PAT translation, if multiple NAT rules are configured on a VLAN interface,
the device will determine the rule priority based on the ACL numbers bound with the
NAT rules and always match the NAT rule with a greater ACL number. The priorities
of the rules of an ACL are based on rule number. The smaller the rule number, the
higher the priority.
z In PAT translation, ACLs are matched according to the "depth-first" order.
z After removing a NAT-enabled VLAN virtual interface or the association between an
ACL and an address pool, you need to execute the reset nat session command to
purge all NAT entries if you want the NATed public network address to be
reassigned.
z When configuring the nat outbound acl-number command on an interface bound
with a VPN, note that the specified VPN in the referenced ACL rule cannot be the
same as the bound VPN. For example, if VLAN-interface 10 is bound with VPN 1
and ACL 2001 has a rule using VPN 1 (rule permit vpn-instance vpn1), you
cannot configure the nat outbound 2001 command on VLAN-interface 10.
1.4 Configuring Internal Server
1.4.1 Introduction to Internal Server
To configure an internal server, you need to map an external IP address and port to the
internal server. This is done through the nat server command.
Internal server configurations include: external IP address, external port, internal server
IP address, internal server port, and internal server protocol type.
If an internal server belongs to an MPLS VPN instance, you should specify the
vpn-instance-name argument. With this argument not provided, the internal server is
considered belonging to a private network.
1.4.2 Configuring an Internal Server
Follow the following steps to configure an internal server:
To do… Use the command… Remarks
Enter system view
system-view
Enter VLAN interface
view
interface Vlan-interface
interface-number
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-11
To do… Use the command… Remarks
nat server [ vpn-instance
vpn-instance-name ] protocol pro-type
global global-address [ global-port ]
inside host-address [ host-port ]
Configure an internal
server
nat server [ vpn-instance
vpn-instance-name ] protocol pro-type
global global-address global-port1
global-port2 inside host-address1
host-address2 host-port
Use either
command
1.5 Configuring the Binding
1.5.1 Introduction to Binding
Through the use of the L3+NAT board on a switch, the NAT services can be handled
centrally and more efficiently thanks to the quick handling capability of the hardware.
When a VLAN interface is configured with NAT, you can bind the VLAN interface with
the NAT virtual interface so that all the packets that pass through the VLAN interface
are redirected to the L3+NAT board for handling.
Before configuring the binding, you must configure the VLAN interface first.
1.5.2 Configuration Procedure
Follow these steps to configure the binding:
To do... Use the command… Remarks
Enter system view
system-view
Enter NAT service
interface view
interface nat
interface-number
Configure the
binding
nat binding interface
interface-type
interface-number
Required
Only VLAN interfaces can be
bound. A NAT service interface can
be bound with multiple
NAT-enabled interfaces.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-12
Caution:
z Once bound to the NAT virtual interface, a VLAN interface can no longer serve as
the outbound interface of QoS redirection. This is because the packets that pass
through the VLAN interface have been redirected to the L3+NAT board, causing the
QoS redirection function ineffective.
z After removing a NAT-enabled VLAN virtual interface or the binding of an
NAT-enabled VLAN interface with a NAT service interface, you need to execute the
reset nat session command to purge all NAT entries if you want the NATed public
network address to be reassigned.
1.6 Configuring NAT Log
1.6.1 Introduction to NAT Log
NAT log is a type of system information generated by the NAT gateway during the IP
address translation. NAT log contains such information as the packet’s source IP
address, source port address, destination IP address, destination port address,
translated source IP address, translated source port address and other user operations.
The log only traces operations of private network users in accessing an external
network, not those in the opposite direction.
As multiple private users share one public IP address when accessing an external
network through a NAT gateway, it is hard to identify each of the users. The log function,
however, can enhance network security (for supervising purpose) by keeping records
of the private network users that access the external network.
1.6.2 Enabling NAT Log Function
Follow these steps to enable NAT log function:
To do... Use the command… Remarks
Enter system view
system-view
Enable log function
nat log enable [ acl
acl-number ]
Required
Disabled by default
Generate NAT log when
establishing a NAT
session
nat log flow-begin
Required
By default, no log is
generated when
establishing NAT session.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-13
To do... Use the command… Remarks
Enable and set the
interval for logging active
flows
nat log flow-active
minutes
Required
Disabled by default
1.6.3 Exporting NAT Logs
NAT logs can be exported in two directions, either to the information center or to the
NAT log server.
In the former case, NAT logs are first converted into system logs and exported to the
local device’s information center. Depending on the configuration of the information
system, NAT logs are again exported to their final destination. At most 10 NAT logs can
be exported to the information center at one time.
In the latter case, NAT logs are encapsulated into UDP packets and sent to the log
server, as shown in
Figure 1-3. The UDP packets may come in several versions, each
with different packet formats. Only version 1 is used presently. A UDP packet is
composed of a header and several NAT logs.
Figure 1-3 Export NAT logs
I. Exporting NAT logs to the information center
Follow these steps to export NAT logs to the information center:
To do... Use the command… Remarks
Enter system view
system-view
Export NAT logs to the
information center
userlog nat syslog
Required
NAT logs are exported to
the NAT log server by
default.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-14
Note:
z Exporting NAT logs to the information center occupies storage space. This
approach is recommended when the volume of NAT logs is small.
z NAT logs exporting to the information center are prioritized as informational,
meaning that they are ordinary information.
z For detailed information about data priority, refer to Information Center
Configuration in System Volume.
II. Exporting NAT logs to log server
When exporting NAT logs to the log server in UDP packets, you can configure the
following three parameters:
z IP address and UDP port number of the NAT log server. NAT logs cannot be
exported successfully without configuring the information center export direction
and specifying the log server address.
z Source IP address of NAT logs. This address allows the log server to identify the
log source. You are recommended to use the loopback interface address as the
source IP address of NAT logs.
z Version number of NAT logs. NAT logs may come in several versions, each with
different packet formats. However, the device supports only version 1 currently.
Follow these steps to configure a NAT log server:
To do... Use the command… Remarks
Enter system view
system-view
Specify the IP address
and UDP port number of
the NAT log server
userlog nat export [ slot
slot-number ] host
ip-address udp-port
Required
Specify the source IP
address of the UDP
packet that carries NAT
logs
userlog nat export
source-ip ip-address
Optional
By default, the source IP
address is the interface IP
address through which
the packet is sent.
Specify the version
number of NAT logs
userlog nat export
version version-number
Optional
Version 1 is used by
default
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-15
Note:
z The IP address of the NAT log server must be a valid unicast address.
z As for the UDP port number of the log server, you are recommended to use a port
number greater than 1024 to avoid conflicts with the system-defined port numbers.
1.7 Configuring User Resource Limit
1.7.1 Introduction to User Resource Limit
User resource limit is a function that defines the maximum number of ordinary users
(non-VPN users in an internal network) or VPN users as well as their connections in
accessing external network(s). This can help distributing resources more reasonably.
This function only applies to NAPT with its application layer gateway function not
enabled.
1.7.2 Configuring User Resource Limit
Follow these steps to configure user resource limit:
To do… Use the command… Remarks
Enter system view system-view
Set limits for ordinary
users or VPN users.
nat limit { public |
vpn-instance
vpn-instance-name }
user-amount user-limit
connection-amount
connection-limit
Optional
By default, the ordinary
users occupy all the
system resources.
Note:
z On a newly started system without any configuration, the system resources are
completely occupied by ordinary users.
z Before a user resource limit is configured for public network users, resources are
allocated from those for public network users to a VPN user until the public network
user resources are used up.
z After the administrator configures a limit on the resources for public network users,
resources can be allocated only from the remaining resources to a VPN user until
the remaining system resources are used up.
z The user resource configuration is performed on a single L3+NAT board, but takes
effect to all L3+NAT boards if there are multiple L3+NAT boards.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-16
1.8 Configuring Connection-limit
1.8.1 Introduction to Connection-limit
The connection-limit function allows you to limit user connections in three ways:
connection number, connection rate or both. This can avoid the situation where a single
user establishes too many connections in a short time as to affect other users in using
the network. This feature applies to VPN users as well.
z Limiting connection number means that when the number of connections initiated
by a user reaches a certain upper limit, the user cannot establish new connections.
The user must wait (for at least 5 minutes) till the connection number is lower than
the upper limit in order to create new connections.
z Limiting connection rate means that a user connection rate cannot exceed a
predefined maximum value.
For the connection-limit function to take effect, you need to set a connection-limit policy,
bind the policy with the NAT module, and meanwhile activate the connection-limit
switch.
Caution:
z For parameters not configured in a connection-limit policy, the global configurations
take effect.
z For user connections not covered in a connection-limit policy, the global
configurations take effect.
1.8.2 Configuration Procedure
I. Configuring global connection-limit parameters
Follow these steps to configure global connection-limit parameters
To do... Use the command… Remarks
Enter system view
system-view
Enable connection-limit
function
connection-limit enable
Required
Disabled by default
Configure connection-limit
action globally
connection-limit default
action [ permit | deny ]
Optional
User connections are not
counted and limited by
default.
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-17
To do... Use the command… Remarks
Configure connection
number limits globally
connection-limit default
amount upper-limit
max-amount
Optional
200 by default
Set the maximum
connection rate globally
connection-limit default
rate max-rate max-rate
Optional
100 by default
II. Configuring connection-limit policy
Follow these steps to configure a connection-limit policy:
To do... Use the command… Remarks
Enter system view
system-view
Create or edit a
connection-limit policy
and enter the
connection-limit policy
view
connection-limit policy
policy-number
Required
Configure the rules of
connection-limit
limit limit-id source
user-ip [ vpn-instance
vpn-instance-name ]
{ amount max-amount |
rate } *
Required
Set connection-limit mode
limit mode { all | amount
| rate }
Optional
By default, both the
number and rate of user
connections are limited.
Set the maximum
connection rate in a policy
limit rate max-rate
Optional
By default, the global
setting is used.
III. Binding a connection-limit policy to a NAT module
Follow these steps to bind a connection-limit policy to a NAT module
To do... Use the command… Remarks
Enter system view
system-view
Bind a connection-limit
policy to the NAT module
nat
connection-limit-policy
policy-number
Required
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-18
Caution:
z A NAT module limits user connections based on the policy bound to it. Each NAT
module can be bound with one policy only.
z The global connection-limit configuration does not take effect until you bind the
connection-limit policy with the NAT module.
z If multiple NAT modules exist in the system, the connection limit policy applies to all
these NAT modules.
z A connection limit policy does not take effect in NO-PAT translation.
1.9 Displaying and Maintaining NAT
To do… Use the command… Remarks
Display information about
the NAT address pool
display nat
address-group
Available in any view
Display configurations
about all forms of NAT
display nat all
Available in any view
Display the
connection-limit
information
display nat
connection-limit { all | ip
user-ip [ vpn-instance
vpn-instance-name ] }
Available in any view
Display the address
translation configuration
display nat outbound
Available in any view
Display the internal server
information
display nat server
Available in any view
Display the information
about active connections
display nat session slot
slot-number protocol
{ tcp | udp }
[ vpn-instance
vpn-instance-name ]
source { global
global-address global-port
| inside inside-address
inside-port } destination
dst-address
destination-port
Available in any view
Display NAT statistics
display nat statistics
slot slot-number
Available in any view
Display information about
the connection-limit policy
display connection-limit
policy { policy-number |
all }
Available in any view
Display NAT log
information
display nat log
Available in any view
Operation Manual – L3+NAT
H3C S9500 Series Routing Switches Chapter 1 NAT Configuration
1-19
To do… Use the command… Remarks
Display information about
the resource allocation
and utilization
display nat limit { all |
public | vpn-instance
vpn-instance--name }
Available in any view
Display NAT log
configuration and
statistics
display userlog export
slot slot-number
Available in any view
Clears the records in the
NAT log buffer
reset userlog nat
logbuffer slot
slot-number
Available in user view
Clears NAT log statistics
reset userlog export
slot slot-number
Available in user view
Clears the address
translation mapping table
in the memory and
release the memory
dynamically allocated for
storing the mapping table
reset nat session slot
slot-number
Available in user view
Note:
Clearing the NAT log buffer implies loss of all NAT logs. In general, you are not
recommended to use this command.
1.10 NAT Configuration Example
1.10.1 NAT Configuration Example
I. Network requirements
As illustrated in Figure 1-4, a company accesses the Internet through VLAN 10 of the
NAT-enabled device. The company provides two WWW servers, one FTP server, and
one SMTP server for external users to access. The internal network address segment
is 10.110.0.0/16. The internal address for the FTP server is 10.110.10.1, for the WWW
server 1 is 10.110.10.2, for the WWW server 2 is 10.110.10.3, and for the SMTP server
10.110.10.4. The company wants to provide a unified IP address to external users.
Specifically, the company has the following requirements:
z The internal users in subnet 10.110.10.0/24 can access the Internet, while users in
other network segments cannot.
z External PCs can access an internal server.
z The company has 6 legal IP addresses ranging from 202.38.160.100/24 to
202.38.160.105/24. Address 202.38.160.100 is used as the one for external
access and port 8080 is used for WWW server 2.
/