Configuring VLANs for NAT
Summit 200 Series Switch Installation and User Guide
137
When a VLAN is configured to be outside, it routes all traffic destined for inside VLANs. Because the routed traffic runs through the CPU, it cannot run at line-rate.
When a VLAN is configured to be none, all NAT functions are disabled and the VLAN operates normally.
NAT Modes
There are four different modes used to determine how the outside IP addresses and Layer 4 ports are assigned:
• Static mapping
• Dynamic mapping
• Port-mapping
• Auto-constraining
Static Mapping
When static mapping is used, each inside IP address uses a single outside IP address. The Layer 4 ports
are not changed, only the IP address is rewritten. Because this mode requires a 1-to-1 mapping of
internal to external addresses, it does not make efficient use of the external address space. But it is
useful when you have a small number of hosts that need to have their IP addresses rewritten without
conflicting with other hosts. Because this mode does not rely on Layer 4 ports, ICMP traffic is translated
and allowed to pass.
Dynamic Mapping
Dynamic mapping is similar to static mapping in that the Layer 4 ports are not rewritten during
translation. Dynamic mapping is different in that the number of inside hosts can be greater than the
number of outside hosts. The outside IP addresses are allocated on a first-come, first-served basis to the
inside IP addresses. When the last session for a specific inside IP address closes, that outside IP address
can be used by other hosts. Because this mode does not rely on Layer 4 ports, ICMP traffic is translated
and allowed to pass.
Port-mapping
Port-mapping gives you the most efficient use of the external address space. As each new connection is
initiated from the inside, the NAT device picks the next available source Layer 4 port on the first
available outside IP address. When all ports on a given IP address are in use, the NAT device uses ports
from the next outside IP address. Some systems reserve certain port ranges for specific types of traffic,
so it is possible to map specific source Layer 4 port ranges on the inside to specific outside source
ranges. However, this may cause a small performance penalty. In this case, you would need to make
several rules using the same inside and outside IP addresses, one for each Layer 4 port range. ICMP
traffic is not translated in this mode. You must add a dynamic NAT rule for the same IP address range
to allow for ICMP traffic.
Auto-constraining
The auto-constraining algorithm for port-mapping limits the number of outside Layer 4 ports a single
inside host can use simultaneously. The limitation is based on the ratio of inside to outside IP addresses.
The outside IP address and Layer 4 port space is evenly distributed to all possible inside hosts. This
guarantees that no single inside host can prevent other traffic from flowing through the NAT device.
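The four modes above each describe an allocation rule for outside IP addresses and Layer 4 ports. The following Python simulation is added here as an illustration and is not Extreme Networks' code; it models the static, dynamic, port-mapping and auto-constraining behaviour described in the four sections above. The address pools, the six-port range and the inside subnet are constructed values, and the class and function names are this example's own.

```python
"""Simulation of the four NAT assignment modes (static, dynamic, port-mapping,
auto-constraining).  Added example, not the switch's implementation; the pools,
port range and subnet below are constructed values."""
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

Translation = Tuple[str, int]          # (outside IP, outside Layer 4 port)

# Constructed, deliberately tiny port range so exhaustion is visible.
PORT_RANGE = range(1024, 1030)         # six usable outside ports per outside IP


class StaticNat:
    """Static mapping: fixed 1-to-1 inside->outside IP table, ports untouched."""

    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping

    def translate(self, proto: str, inside_ip: str, port: int) -> Optional[Translation]:
        outside = self.mapping.get(inside_ip)
        if outside is None:
            return None                    # host has no static entry
        return (outside, port)             # no port dependence, so ICMP passes too


class DynamicNat:
    """Dynamic mapping: outside IPs handed out first-come, first-served; an
    outside IP is released when the inside host's last session closes."""

    def __init__(self, outside_pool: List[str]):
        self.free = list(outside_pool)
        self.assigned: Dict[str, str] = {}           # inside IP -> outside IP
        self.sessions: Dict[str, set] = {}           # inside IP -> open sessions

    def open(self, proto: str, inside_ip: str, port: int) -> Optional[Translation]:
        if inside_ip not in self.assigned:
            if not self.free:
                return None                # more active inside hosts than outside IPs
            self.assigned[inside_ip] = self.free.pop(0)
            self.sessions[inside_ip] = set()
        self.sessions[inside_ip].add((proto, port))
        return (self.assigned[inside_ip], port)      # port is not rewritten

    def close(self, proto: str, inside_ip: str, port: int) -> None:
        self.sessions[inside_ip].discard((proto, port))
        if not self.sessions[inside_ip]:   # last session gone: free the outside IP
            self.free.append(self.assigned.pop(inside_ip))
            del self.sessions[inside_ip]


class PortMappingNat:
    """Port-mapping: each new connection takes the next free source port on the
    first outside IP with a free port.  An optional per-host limit turns this
    into the auto-constraining variant."""

    def __init__(self, outside_pool: List[str], ports=PORT_RANGE, per_host_limit=None):
        self.outside = list(outside_pool)
        self.ports = ports
        self.in_use: Dict[str, set] = {ip: set() for ip in self.outside}
        self.limit = per_host_limit
        self.per_host: Dict[str, int] = {}           # inside IP -> open sessions
        self.table: Dict[tuple, Translation] = {}    # session -> translation

    def open(self, proto: str, inside_ip: str, port: int) -> Optional[Translation]:
        if proto == "icmp":
            return None                    # no Layer 4 port: needs a dynamic rule
        if self.limit is not None and self.per_host.get(inside_ip, 0) >= self.limit:
            return None                    # auto-constraining cap for this host
        for out_ip in self.outside:        # move to the next IP only when one is full
            for out_port in self.ports:
                if out_port not in self.in_use[out_ip]:
                    self.in_use[out_ip].add(out_port)
                    self.per_host[inside_ip] = self.per_host.get(inside_ip, 0) + 1
                    self.table[(proto, inside_ip, port)] = (out_ip, out_port)
                    return (out_ip, out_port)
        return None                        # every port on every outside IP is busy

    def close(self, proto: str, inside_ip: str, port: int) -> None:
        out_ip, out_port = self.table.pop((proto, inside_ip, port))
        self.in_use[out_ip].discard(out_port)
        self.per_host[inside_ip] -= 1


def auto_constrained(inside_net: IPv4Network, outside_pool: List[str],
                     ports=PORT_RANGE) -> PortMappingNat:
    """Auto-constraining: divide the outside IP x port space evenly over every
    possible inside host so one host cannot starve the rest."""
    inside_hosts = len(list(inside_net.hosts()))
    limit = (len(outside_pool) * len(ports)) // inside_hosts
    return PortMappingNat(outside_pool, ports, per_host_limit=max(limit, 1))


def demo() -> Dict[str, object]:
    """Exercise each mode on constructed addresses and return the outcomes."""
    pool = ["203.0.113.1", "203.0.113.2"]            # constructed outside pool
    out: Dict[str, object] = {}
    out["static_icmp"] = StaticNat({"10.0.0.1": pool[0]}).translate("icmp", "10.0.0.1", 0)
    dyn = DynamicNat(pool)
    dyn.open("tcp", "10.0.0.1", 40000); dyn.open("tcp", "10.0.0.2", 40000)
    out["dyn_third_host"] = dyn.open("tcp", "10.0.0.3", 40000)   # pool exhausted
    dyn.close("tcp", "10.0.0.1", 40000)                          # frees an IP
    out["dyn_after_close"] = dyn.open("tcp", "10.0.0.3", 40000)
    pm = PortMappingNat(pool)
    out["pm_seventh"] = [pm.open("tcp", "10.0.0.1", 50000 + i) for i in range(7)][-1]
    out["pm_icmp"] = pm.open("icmp", "10.0.0.1", 0)
    ac = auto_constrained(IPv4Network("192.168.0.0/29"), pool)   # 6 hosts, 12 ports
    out["ac_limit"] = ac.limit
    out["ac_third"] = [ac.open("tcp", "192.168.0.1", 50000 + i) for i in range(3)][-1]
    out["ac_other_host"] = ac.open("tcp", "192.168.0.2", 50000)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The auto-constraining limit in the demo is 12 outside ports shared by 6 possible inside hosts, so each host is capped at 2 simultaneous sessions: the third connection from one host is refused while a second host still gets a translation, which is the guarantee the section describes.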