Source Network Address Translation (SNAT) – TechLibrary – Juniper Networks

Source Network Address Translation (SNAT)

 

Overview

Source Network Address Translation (source-nat or SNAT) allows
traffic from a private network to go out to the internet. Virtual
machines launched on a private network can get to the internet by
going through a gateway capable of performing SNAT. The gateway has
one arm on the public network and as part of SNAT, it replaces the
source IP of the originating packet with its own public side IP. As
part of SNAT, the source port is also updated so that multiple VMs
can reach the public network through a single gateway public IP.

The following diagram shows a virtual network with the private
subnet 10.1.1.0/24. The default route of the virtual network points
to the SNAT gateway. The gateway rewrites the source IP of packets from
10.1.1.0/24 to its public address 172.21.1.1 before forwarding them.
Because several VMs may pick the same source port, the gateway also
rewrites the source port, so that every NAT session stays unique and
return traffic can be mapped back to the right VM.

Figure 1: Virtual Network With a Private Subnet

SNAT on MX Series Routers Acting as Data Center Gateways

Starting in Contrail Networking Release 2011.L1, you can enable
SNAT on MX Series routers using MS-MPC line cards when the MX Series
router is functioning in the DC-Gateway fabric
role. See Contrail Networking Supported Hardware Platforms and Associated Roles And Node Profiles for a list of MX Series routers that support the DC-Gateway or any other fabric role.

When SNAT is enabled on the MX Series router, it can be used
to translate source IP addresses from physical interfaces on bare
metal servers and from virtual interfaces on virtual machines. SNAT
can only translate the IP addresses of source traffic leaving the
fabric; it cannot be used to translate IP addresses for traffic entering
the fabric.

For additional information on SNAT on MX Series routers, see Network Address Translation Overview.

How to Enable SNAT on an MX Series Router Using Contrail Command

To enable SNAT on an MX Series Router from Contrail Command:

  1. Ensure that an MX Series router with one or more MS-MPC line
    cards is part of your fabric and is assigned the DC-Gateway fabric role.

    See In Focus: How to Onboard a Fabric and Create an Overlay to
    set up a fabric.

    See Assign a Role to a Device to change the routing role of a device
    in a fabric.

  2. Click Infrastructure > Fabrics > fabric-name to navigate
    to the devices in your fabric. Mouse over the mx-router-name of the router configured as a DC gateway in your fabric that will
    perform SNAT. Click the ellipsis (…) button—located as the
    last option on the far right for the router—and select Edit.

    The Fabric Device page opens.

  3. From the Fabric Device page,
    open Netconf Settings.

    In the Junos Service Interface field,
    add the services interface name—for instance, ms-1/0/0—from the MX Series router.

  4. (BMS interfaces that require SNAT only) Create a Virtual
    Port Group (VPG) that maps VLANs to physical interfaces on bare metal
    servers (BMSs). See Configuring Virtual Port Groups.

    The VPG will be used later in the process to identify traffic
    that requires IP address translation using SNAT.

    This step is needed to identify source IP addresses on BMS hosts
    only. You can skip this step when you are using SNAT to translate
    source IP addresses from virtual machine interfaces.

  5. Create a public logical router for SNAT. See Create Logical Routers.

    The logical router is configured in the Overlay > Logical Routers > Edit
    Logical Router menu. From this menu, include the following
    configuration parameters:

    • connected networks field: add
      the virtual networks that were created to carry traffic.

      The traffic in these virtual networks will be translated using
      SNAT.

    • Public Logical Router checkbox:
      Select the checkbox.

      The SNAT POOL drop-down menu appears.
      Select snat_pool.

    • Extend to Physical Router field:
      add the MX Series router in the fabric where source-based IP address
      translation is performed.

  6. To monitor SNAT after completing the configuration, log
    in to the MX Series router and enter the following Junos commands:

    • show configuration services to verify the NAT pool, NAT rule,
      and service-set configuration that Contrail pushed to Junos.

    • show services nat pool to verify that translations are being
      allocated from the pool.

    • show log messages to monitor system messages.

    For additional information on using and monitoring NAT in Junos,
    see the Network Address Translation User Guide.

Neutron APIs for Routers

OpenStack supports SNAT gateway implementation through its Neutron
APIs for routers. The SNAT flag can be enabled or disabled on the
external gateway of the router. The default is True (enabled).

The Tungsten Fabric plugin supports the Neutron APIs for routers
and creates the relevant service-template and service-instance objects
in the API server. The service scheduler in Tungsten Fabric instantiates
the gateway on a randomly-selected virtual router. Tungsten Fabric
uses network namespace to support this feature.

Example Configuration: SNAT for Contrail

The SNAT feature is enabled on Tungsten Fabric through
Neutron API calls.

The following configuration example shows how to create a test
network and a public network, allowing the test network to reach the
public domain through the SNAT gateway.

  1. Create the public network and set the router external
    flag.

    neutron net-create public

    neutron subnet-create public 172.21.1.0/24

    neutron net-update public -- --router:external=True

  2. Create the test network.

    neutron net-create test

    neutron subnet-create --name test-subnet test 10.1.1.0/24

  3. Create the router with one interface in test.

    neutron router-create r1

    neutron router-interface-add r1 test-subnet

  4. Set the external gateway for the router.

    neutron router-gateway-set r1 public

Network Namespace

Setting the external gateway is the trigger for Tungsten Fabric
to create the Linux network namespace that performs SNAT on the selected
compute node.

Clearing the external gateway removes the namespace again:

neutron router-gateway-clear r1

SNAT and Security Groups

When a logical router is enabled to support SNAT, the default
security group is automatically applied to the left SNAT interface (the
interface in the private virtual network). As long as the interconnected
virtual machines also use the default security group, they can send and
receive traffic through the gateway without additional configuration.
When the virtual machines that use the gateway belong to a security group
other than the default one, additional configuration is required before
their traffic can pass.

If your virtual machine, or a virtual machine it talks to, is not in
the default security group, make one of the following changes to allow
the traffic:

  • update the default security group with rules that allow
    the VM traffic.

  • update the rules of the VM security group to allow traffic
    from the default security group.

  • apply the same security group to the VM and to the SNAT left
    interface.

For information on configuring security groups in environments
using Contrail Networking, see Using Security Groups with Virtual Machines Instances.

Using the Web UI to Configure Routers with SNAT

You can use the Contrail user interface to configure routers
for SNAT and to check the SNAT status of routers.

To enable SNAT for a router, go to Configure > Networking > Routers.
In the list of routers, select the router for which SNAT should be
enabled. Click the Edit cog to reveal the Edit Routers window. Click the
check box for SNAT to enable SNAT on the router.

The following shows a router for which SNAT has been Enabled.

Figure 2: Edit Router Window to Enable SNAT

When a router has been enabled for SNAT, the configuration
can be seen by selecting Configure > Networking > Routers. In the list
of routers, expand the router of interest. The status of SNAT is listed
among the features of that router. The following shows a router that
has been expanded in the list; its status shows that SNAT is Enabled.

Figure 3: Router Status for SNAT

You can view the real-time status of a router with SNAT by
viewing the instance console, as in the following.

Figure 4: Instance Details Window

Using the Web UI to Configure Distributed SNAT

Distributed SNAT lets virtual machines reach the IP fabric network
over the forwarding infrastructure that already connects the compute
nodes, without a central SNAT gateway instance. The vRouter on each
compute node performs port address translation on its virtual machines'
traffic, using the IP fabric address of the compute node as the public
address.

The following distributed SNAT use case is supported:

  • Virtual networks with distributed SNAT enabled can communicate
    with the IP fabric network. The session must be initiated from a virtual
    machine. Sessions initiated from the external network are not supported.

Distributed SNAT is supported only for TCP and UDP; you can
configure a separate port range for each of the two protocols.

A pool of ports is used for the translation. To define it,
go to Configure > Infrastructure > Global Config. The following shows
an example of a port range used for port address translation.

Figure 5: Edit Forwarding Options Window
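The following Python model is an added example, not Contrail or Tungsten Fabric code. It shows the session table that sits behind both the central SNAT gateway of the Overview (source IP and source port rewritten, replies mapped back) and distributed SNAT (per-protocol port ranges, TCP and UDP only, no externally initiated sessions). It reuses the addressing of Figure 1 (10.1.1.0/24 behind 172.21.1.1); the port ranges, the remote addresses, and all class and function names are made up for the illustration. For distributed SNAT, the same object would be created with the compute node's IP fabric address as public_ip.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The 5-tuple of one packet as the NAT function sees it."""
    proto: str      # "tcp" or "udp"; anything else is rejected
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortPoolExhausted(Exception):
    """No free public port is left in the configured range for this protocol."""


class SnatGateway:
    """NAPT44 model (hypothetical helper, not a Contrail API).

    Outbound flows from the private subnet get the public IP and a public
    port that is unique per protocol; replies are mapped back through the
    session table; anything inbound without a matching session is dropped.
    """

    def __init__(self, private_subnet: str, public_ip: str,
                 port_ranges: Dict[str, range]) -> None:
        self.private = ipaddress.ip_network(private_subnet)
        self.public_ip = public_ip
        # One free-port set per protocol, like the discrete TCP/UDP ranges
        # configured for distributed SNAT under Global Config.
        self.free: Dict[str, Set[int]] = {p: set(r) for p, r in port_ranges.items()}
        # Session table: private 5-tuple -> public port, plus a reverse index
        # (proto, public port, remote ip, remote port) -> private endpoint.
        self.sessions: Dict[Flow, int] = {}
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Flow) -> Flow:
        """Rewrite source IP and port of a packet leaving the private network."""
        if pkt.proto not in self.free:
            raise ValueError(f"SNAT handles TCP and UDP only, not {pkt.proto}")
        if ipaddress.ip_address(pkt.src_ip) not in self.private:
            raise ValueError(f"{pkt.src_ip} is not in {self.private}")
        public_port = self.sessions.get(pkt)
        if public_port is None:
            pool = self.free[pkt.proto]
            if not pool:
                raise PortPoolExhausted(pkt.proto)
            public_port = min(pool)  # lowest free port; deterministic for the example
            pool.remove(public_port)
            self.sessions[pkt] = public_port
            self.reverse[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Flow(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Flow) -> Optional[Flow]:
        """Map a reply back to the VM. Returns None (drop) when no session
        matches, which is the fate of any session initiated from outside."""
        if pkt.dst_ip != self.public_ip:
            return None
        endpoint = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if endpoint is None:
            return None
        private_ip, private_port = endpoint
        return Flow(pkt.proto, pkt.src_ip, pkt.src_port, private_ip, private_port)

    def close(self, pkt: Flow) -> None:
        """Tear down a session (TCP FIN or idle timeout) and release its port."""
        public_port = self.sessions.pop(pkt)
        del self.reverse[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)]
        self.free[pkt.proto].add(public_port)


def demo() -> Dict[str, object]:
    """Walk the scenarios from the text with constructed traffic; the
    deliberately tiny TCP range makes pool exhaustion observable."""
    gw = SnatGateway("10.1.1.0/24", "172.21.1.1",
                     {"tcp": range(10000, 10003), "udp": range(20000, 20010)})
    # Two VMs picked the same ephemeral source port for the same server:
    # only the rewritten source port keeps their sessions distinct.
    a_out = gw.translate_outbound(Flow("tcp", "10.1.1.10", 40000, "203.0.113.5", 443))
    b_out = gw.translate_outbound(Flow("tcp", "10.1.1.11", 40000, "203.0.113.5", 443))
    # The server's reply to VM A arrives at the public IP/port and is demuxed.
    a_reply = gw.translate_inbound(Flow("tcp", "203.0.113.5", 443, "172.21.1.1", a_out.src_port))
    # An unsolicited connection from outside finds no session and is dropped.
    unsolicited = gw.translate_inbound(Flow("tcp", "198.51.100.9", 1234, "172.21.1.1", 10002))
    results: Dict[str, object] = {"a_out": a_out, "b_out": b_out,
                                  "a_reply": a_reply, "unsolicited": unsolicited}
    try:
        gw.translate_outbound(Flow("icmp", "10.1.1.12", 0, "203.0.113.5", 0))
    except ValueError as exc:
        results["icmp_error"] = str(exc)
    # Third TCP session takes the last port; the fourth has nowhere to go.
    gw.translate_outbound(Flow("tcp", "10.1.1.12", 40000, "203.0.113.5", 80))
    try:
        gw.translate_outbound(Flow("tcp", "10.1.1.13", 40000, "203.0.113.5", 80))
        results["exhausted"] = False
    except PortPoolExhausted:
        results["exhausted"] = True
    # Closing A's session frees its port for the next VM.
    gw.close(Flow("tcp", "10.1.1.10", 40000, "203.0.113.5", 443))
    results["after_close"] = gw.translate_outbound(
        Flow("tcp", "10.1.1.13", 40000, "203.0.113.5", 80))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the model makes explicit: the reverse index is keyed on the remote endpoint as well as the public port, so a packet from a different host to a mapped port is dropped rather than forwarded to a VM; and the port range is the capacity limit of the gateway, so the range configured under Global Config must cover the number of concurrent TCP and UDP sessions the compute node's VMs are expected to hold.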

To use distributed SNAT, you must enable SNAT on the virtual
network. To do so, go to Configure > Networking > Networks. The
following shows a virtual network for which SNAT has been enabled
under Advanced Options.

Figure 6: Create Window