接口基本配置：

DBGvpp# set interface state port7 up DBGvpp# set interface state port8 up DBGvpp# set interface ip address port7 50.1.1.1/24 DBGvpp# set interface ip address port8 192.168.1.203/24

網絡拓撲：

|-----------| |------------| |---------------| | 50.1.1.2 |---------| vpp |----------| 192.168.1.103 | |-----------| |------------| |---------------|Host-A port7 port8 Host-B

啟用NAT44配置：

DBGvpp# nat44 enable

SNAT配置一

配置接口的in/out

DBGvpp# set interface nat44 in port7 out port8 DBGvpp# nat44 add interface address port8 DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port7 inport8 out DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent

在主機50.1.1.2上ping主機192.168.1.103進行測試，在103上抓包，可看到源地址轉換為了192.168.1.203，即接口port8的地址。以下增加地址池：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 192.168.1.204tenant VRF independent 192.168.1.205tenant VRF independent NAT44 twice-nat pool addresses:

再次執行ping，在103上抓包，可看到源地址轉換成了192.168.1.205。如果將主機A的地址修改為50.1.1.25，其源地址將轉換為地址池中的192.168.1.204，參見以下會話列表，可見轉換地址是根據不同的內部地址（主機A地址）而改變的。

DBGvpp# show nat44 sessions NAT44 ED sessions: -------- thread 0 vpp_main: 42 sessions --------i2o 50.1.1.2 proto ICMP port 1 fib 0o2i 192.168.1.205 proto ICMP port 28717 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.205 daddr 192.168.1.103 icmp-id 28717 txfib 0o2i flow: match: saddr 192.168.1.103 sport 28717 daddr 192.168.1.205 dport 28717 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0index 31last heard 1175.08total pkts 6, total bytes 360dynamic translationi2o 50.1.1.25 proto ICMP port 1 fib 0o2i 192.168.1.204 proto ICMP port 49895 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.25 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.204 daddr 192.168.1.103 icmp-id 49895 txfib 0o2i flow: match: saddr 192.168.1.103 sport 49895 daddr 192.168.1.204 dport 49895 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.25 icmp-id 1 txfib 0index 8last heard 1323.26total pkts 6, total bytes 360dynamic translation

SNAT配置二

如果我們需要在上一節，port7->port8的SNAT基礎上，再實現port8->port7的SNAT.嘗試以下配置：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 del DBGvpp# DBGvpp# set interface nat44 in port8 out port7 DBGvpp# nat44 add interface address port7 DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 50.1.1.1tenant VRF independent NAT44 twice-nat pool addresses: DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port8 in outport7 in out

這時由主機B運行ping主機A，兩者是通的。在主機A上抓包，源地址192.168.1.103轉換為了50.1.1.1（port7接口地址），SNAT轉換正常。反過來主機A->ping->主機B，在主機B抓包，看到源地址50.1.1.2轉換成了50.1.1.1，按照SNAT應該是出接口IP：192.168.1.203。查看NAT會話，兩個方向應該是走了同一個會話。

DBGvpp# show nat44 sessionsi2o 50.1.1.2 proto ICMP port 1 fib 0o2i 50.1.1.1 proto ICMP port 3449 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 50.1.1.1 daddr 192.168.1.103 icmp-id 3449 txfib 0o2i flow: match: saddr 192.168.1.103 sport 3449 daddr 50.1.1.1 dport 3449 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0index 29last heard 8132.79total pkts 168, total bytes 10080dynamic translation

如下地址池中再增加一個地址，這時由主機A到主機B不通，在主機B上查看，源地址50.1.1.2轉換成了192.168.1.204，但是不知道什么原因，地址池地址192.168.1.204不在回應ARP請求，導致ping回復報文不能發送。

在增加192.168.1.204地址之前，兩者能通，在于主機A發送ping請求時，NAT選擇了地址50.1.1.1，而此地址與主機B的地址192.168.1.103不在同一網段，不發送請求50.1.1.1硬件地址的ARP。

DBGvpp# nat44 add address 192.168.1.204 DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 50.1.1.1tenant VRF independent 192.168.1.204tenant VRF independent NAT44 twice-nat pool addresses:

可見，NAT在地址池中選取地址有隨機性，地址的選擇沒有關聯出接口，另外，也沒有優先選擇與目的地址同網段的地址。兩邊同時做SNAT看起來是不行的。

SNAT配置三

如下開啟output-feature選項。

DBGvpp# set interface nat44 in port7 DBGvpp# set interface nat44 out port8 output-feature DBGvpp# nat44 add interface address port8 DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port7 inport8 output-feature in out DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent NAT44 twice-nat pool addresses:

在開啟output-feature選項之后，在位于ip4-output的節點nat-pre-in2out-output之中執行in2out地址轉換，其在ACL插件acl-plugin-out-ip4-fa之前運行，這里ACL的out策略需要根據變換之后的地址配置才能生效。

163 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {164 .arc_name = "ip4-output",165 .node_name = "nat-pre-in2out-output",166 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),167 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),168 };

對于未開啟output-feature的情況，NAT轉換都是在ip-unicast的node節點nat-pre-in2out和nat-pre-out2in中實現的。兩者都位于ACL插件acl-plugin-in-ip4-fa之后，可見acl規則執行之后才進行地址變換。

82 VNET_FEATURE_INIT (nat_pre_in2out, static) = {83 .arc_name = "ip4-unicast",84 .node_name = "nat-pre-in2out",85 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",86 "ip4-sv-reassembly-feature"),87 };88 VNET_FEATURE_INIT (nat_pre_out2in, static) = {89 .arc_name = "ip4-unicast",90 .node_name = "nat-pre-out2in",91 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",92 "ip4-dhcp-client-detect",93 "ip4-sv-reassembly-feature"),94 };

總結

以上是生活随笔為你收集整理的VPP源地址NAT的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。