Configuring IP Router Parameters
42 7705 SAR OS Router Configuration Guide
For example, when applying NAT to a typical metrocell deployment, the cell site network is
divided into two separate segments, a private domain and a public domain. Private domain
network IP addressing needs to be hidden from the public domain. NAT makes all metrocells
accessible via a single IP address visible in the public domain. The IPSec tunnels generated
from metrocells are uniquely identified using IPSec NAT traversal (NAT-T).
Besides conserving available IPv4 addresses, NAT can also be used as a security feature to
hide the real IP addresses of hosts, securely providing private LAN users access to public
addresses.
NAT is supported on the following cards and platforms:
• on the 7705 SAR-8 (with CSMv2) and the 7705 SAR-18:
→ 8-port Gigabit Ethernet Adapter card
→ 2-port 10GigE (Ethernet) Adapter card
→ Packet Microwave Adapter card
→ 10-port 1GigE/1-port 10GigE X-Adapter card (7705 SAR-18 only)
• 7705 SAR-H
• 7705 SAR-Hc
• 7705 SAR-Wx
Session Creation
A NAT session is established by extracting session packets to the CSM to match them against
NAT rules. Packet extraction is based on zone configuration. If a packet is inbound to or
outbound from a zone, the packet is passed to the CSM and checked against NAT rules. If the
extracted packet matches a NAT policy and an accompanying NAT action, a NAT session is
created. NAT sessions created on the CSM are downloaded to the datapath and the
throughput of the session is constrained by the 7705 SAR datapath throughput.
A 6-tuple lookup (source IP, destination IP, source port, destination UDP or TCP port,
protocol, and source zone) is performed for a packet arriving on the ingress datapath. If there
is a match, the packet has NAT applied to it and is routed based on the datapath NAT session
table.
Once the active session is downloaded (established) any subsequent packet will match the
established session and a 6-tuple will not be extracted or checked against the NAT policy.
When the downloaded NAT session times out, or closes because of TCP connection
termination, the session is deleted from the datapath.
On the 7705 SAR-8 and 7705 SAR-18, NAT sessions survive a CSM redundancy switch.
To Next Page
Loading...
