Rockwell Automation 1783-BMxxx Stratix 5700 Ethernet Managed Switches User Manual
Page 106

Rockwell Automation Publication 1783-UM004E-EN-P - June 2014
Chapter 3 Switch Software Features
Configuration Considerations
Consider these guidelines and limitations when configuring NAT:
• A switch can translate only IPv4 addresses.
• A switch can have a maximum of 128 NAT instances, 128 NAT-associated
VLANs, and 128 translation entries. A subnet translation counts as only
one translation entry, but includes translations for many devices.
• You can configure NAT on one or both uplink ports of the switch.
Ports configured for NAT do not support the following across the NAT
boundary, because the traffic embeds IP addresses that the switch does not
fix up, carries encrypted IP addresses, or relies on multicast:
• Traffic encryption and integrity checking protocols generally incompatible
with NAT, including IPsec Transport mode (1756-EN2TSC module)
• Applications that use dynamic session initiations, such as NetMeeting
• File transfer protocol (FTP)
• Microsoft Distributed Component Object Model (DCOM), which is
used in Open Platform Communications (OPC)
• Multicast traffic, including applications that use multicast, such as
CIP Sync (IEEE1588) and CLX redundancy
Traffic Permits and Fixups
A NAT-configured port translates only unicast and broadcast traffic.
You can choose to block or pass through the following traffic types, which
NAT does not translate:
• Untranslated unicast traffic
• Multicast traffic
• IGMP traffic
By default, all of the above traffic types are blocked.
Some traffic types must be fixed up to work properly with NAT because their
packets contain embedded IP addresses. The switch supports fixups for these
traffic types:
• Address Resolution Protocol (ARP)
• Internet Control Message Protocol (ICMP)
By default, fixups are enabled for both ARP and ICMP.
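The mechanics behind the permits and fixups described above, as an added Python model that is not the switch's firmware or any Rockwell code: a translation table capped at 128 entries in which a subnet costs a single entry, the three permit classes blocked by default, and ARP and ICMP fixups that rewrite the IP addresses carried inside those packets' payloads (the ARP sender/target protocol addresses, and the original IP header that ICMP error messages quote). Frame layouts are standard Ethernet, ARP, IPv4 and ICMP; the addresses, MACs and frames are constructed for the demo, and the permit and fixup names used here are this model's own, not the switch CLI keywords.

```python
# Constructed model of the Layer 2 NAT permits and fixups described above; not the switch's code.
import ipaddress
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ICMP_ERRORS = {3, 5, 11, 12}  # ICMP types that quote the offending IP header in their payload
MAX_ENTRIES = 128             # translation-entry limit stated in the manual
def ip_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the data's own checksum field is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_checksum(b, start, length, at):  # recompute b[at:at+2] over b[start:start+length]
    b[at:at + 2] = b"\x00\x00"
    b[at:at + 2] = struct.pack("!H", ip_checksum(bytes(b[start:start + length])))

def ip(s): return ipaddress.ip_address(s).packed  # dotted quad -> 4 network-order bytes

class L2Nat:
    def __init__(self, permit=(), fixup=("arp", "icmp")):
        # Defaults follow the manual: unmatched/multicast/igmp blocked, arp and icmp fixups on.
        self.entries, self.permit, self.fixup = [], set(permit), set(fixup)

    def add(self, private, public):
        """Add a host ('a.b.c.d') or subnet ('a.b.c.0/24') translation; each costs one entry."""
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("translation table full")
        self.entries.append((ipaddress.ip_network(private), ipaddress.ip_network(public)))

    def _map(self, addr, outbound):
        """private->public when outbound, public->private when inbound; None if unmatched."""
        a = ipaddress.ip_address(addr)
        for priv, pub in self.entries:
            src_net, dst_net = (priv, pub) if outbound else (pub, priv)
            if a in src_net:
                return (dst_net.network_address + (int(a) - int(src_net.network_address))).packed
        return None

    def process(self, frame, outbound):
        """Translate one Ethernet frame crossing the NAT boundary; None means dropped."""
        b, ethertype = bytearray(frame), struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_ARP and "arp" in self.fixup:
            # ARP keeps IP addresses in its payload (SPA at 28, TPA at 38); rewriting them is the fixup.
            field = slice(28, 32) if outbound else slice(38, 42)
            new = self._map(bytes(b[field]), outbound)
            if new is not None:
                b[field] = new
        elif ethertype == ETH_IPV4:
            ihl, proto = (b[14] & 0x0F) * 4, b[23]
            if proto == 2:                                          # IGMP permit
                return frame if "igmp" in self.permit else None
            if ipaddress.ip_address(bytes(b[30:34])).is_multicast:  # multicast permit
                return frame if "multicast" in self.permit else None
            field = slice(26, 30) if outbound else slice(30, 34)    # src outbound, dst inbound
            new = self._map(bytes(b[field]), outbound)
            if new is None:                                         # untranslated unicast permit
                return frame if "unmatched" in self.permit else None
            b[field] = new
            set_checksum(b, 14, ihl, 24)
            if proto == 1 and "icmp" in self.fixup:
                self._icmp_fixup(b, 14 + ihl, outbound)
        return bytes(b)

    def _icmp_fixup(self, b, start, outbound):
        if b[start] not in ICMP_ERRORS:
            return  # echo request/reply carry no embedded addresses
        inner = start + 8  # quoted header mirrors the outer one: fix its dst outbound, its src inbound
        field = slice(inner + 16, inner + 20) if outbound else slice(inner + 12, inner + 16)
        new = self._map(bytes(b[field]), outbound)
        if new is not None:
            b[field] = new
            set_checksum(b, inner, (b[inner] & 0x0F) * 4, inner + 10)
        set_checksum(b, start, len(b) - start, start + 2)

def ipv4(src, dst, proto, payload):  # minimal IPv4 datagram builder for the constructed frames
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def demo():
    nat = L2Nat()
    nat.add("192.168.1.10", "10.0.0.10")      # host translation: one entry
    nat.add("192.168.2.0/24", "10.0.2.0/24")  # subnet translation: also one entry
    eth = lambda et, p: b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", et) + p
    r = {"entries_used": len(nat.entries)}
    # Outbound ARP request from the private host: its sender protocol address gets fixed up.
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, b"\x02" * 6, ip("192.168.1.10"), b"\x00" * 6, ip("10.0.0.1"))
    r["arp_spa"] = str(ipaddress.ip_address(nat.process(eth(ETH_ARP, arp), True)[28:32]))
    # ICMP time-exceeded from a subnet host quoting the datagram it received: outer src and quoted dst change.
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + ipv4("10.0.0.1", "192.168.2.7", 17, b"\x00" * 8)
    out = nat.process(eth(ETH_IPV4, ipv4("192.168.2.7", "10.0.0.1", 1, icmp)), True)
    r["icmp_outer_src"] = str(ipaddress.ip_address(out[26:30]))
    r["icmp_quoted_dst"] = str(ipaddress.ip_address(out[58:62]))  # 14 eth + 20 ip + 8 icmp + 16
    r["checksums_valid"] = ip_checksum(out[14:34]) == 0 and ip_checksum(out[34:]) == 0
    r["unmatched_dropped"] = nat.process(eth(ETH_IPV4, ipv4("192.168.9.9", "10.0.0.1", 17, b"")), True) is None
    r["multicast_dropped"] = nat.process(eth(ETH_IPV4, ipv4("192.168.1.10", "239.1.1.1", 17, b"")), True) is None
    return r
```

`demo()` runs four constructed frames through a NAT with the default permits and fixups and returns what happened to each. The ICMP case is the one that bites in practice: an echo reply carries no embedded address, so only the error messages (unreachable, redirect, time exceeded, parameter problem) need the fixup, and the quoted header has to be translated in the direction opposite to the outer header, with both checksums recomputed. Anything not covered by a translation entry or a fixup is dropped, which is the safe default the manual describes.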
IMPORTANT
Some NAT configurations can result in greater-than-expected traffic loads on
both private and public subnets, and traffic that you did not intend to cross
the NAT boundary can become visible on the other subnet. In particular,
permitting untranslated unicast, multicast, or IGMP traffic passes it between
the private and public subnets without any address translation, so leave those
permits blocked unless an application requires them. NAT is not a substitute
for a firewall. Make sure your configuration is performance qualified before
use in a production environment.