NAT steering through IP filters

Traffic steering to NAT through IP filters is more customizable than steering through routing with traffic identification because of the extensive matching criteria offered by IP filters (protocol, ports, prefix lists, and so on).

An IP filter carrying a NAT steering entry can be applied on ingress of a network interface, on all network ingress traffic of a VPRN, or in an SLA profile, as in the examples later in this section.

The filter entry used for NAT steering has the action nat, which redirects traffic matching the entry's criteria toward the ISAs or VM-ESAs. Filter entries are evaluated in ascending order of entry ID, and the first matching entry ends the filter evaluation; the relative order of accept, nat and drop entries therefore determines which traffic reaches NAT.

MD-CLI

[pr:/configure filter]     
    match-list {
        ip-prefix-list "nat-dest" {
            prefix 172.16.0.0/24 { }
        }
    }
    ip-filter "demo-filter" {
        default-action accept 
        entry 10 {
            match {
                protocol udp
                src-port {
                    eq 30000
                }
            }
            action {
                accept
            }
        }
        entry 20 {
            match {
                protocol udp
                dst-ip {
                    ip-prefix-list "nat-dest"
                }
                src-port {
                    range {
                        start 40000
                        end 50000
                    }
                }
            }
            action {
                nat {
                }
            }
        }
        entry 30 {
            match {
                protocol udp
            }
            action {
                drop
            }
        }
    }

In this scenario, any UDP traffic with source port 30000 matches entry 10, is accepted, and passes through the system bypassing NAT. UDP traffic with a source port in the range 40000 to 50000 and destined for network 172.16.0.0/24 matches entry 20 and is NAT'd. The remaining UDP traffic matches entry 30 and is dropped.

Non-UDP traffic matches none of the entries, so the default action accept applies: it passes through the filter and bypasses NAT.
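The first-match evaluation described above, as an added example that is not SR OS code and not from this page: a small Python model of demo-filter that holds the three entries as data, evaluates constructed sample packets in entry order, and also shows what happens when the catch-all UDP drop is renumbered ahead of the nat entry. The Packet, Entry and IpFilter types, the sample packets and the misordered variant are assumptions made for the illustration; the nat action is only a label here, since the model forwards nothing.

```python
"""Model of first-match IP filter evaluation for NAT steering (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the demo filter matches on."""
    proto: str       # "udp", "tcp", ...
    src_port: int
    dst_ip: str


@dataclass
class Entry:
    """One filter entry. Unset criteria are wildcards, as in the CLI."""
    entry_id: int
    action: str                                   # "accept", "nat" or "drop"
    protocol: Optional[str] = None
    src_port_eq: Optional[int] = None             # src-port eq N
    src_port_range: Optional[Tuple[int, int]] = None  # src-port range start/end
    dst_prefixes: Tuple[str, ...] = ()            # stands in for an ip-prefix-list

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.src_port_eq is not None and pkt.src_port != self.src_port_eq:
            return False
        if self.src_port_range is not None:
            lo, hi = self.src_port_range
            if not lo <= pkt.src_port <= hi:
                return False
        if self.dst_prefixes:
            dst = ip_address(pkt.dst_ip)
            if not any(dst in ip_network(p) for p in self.dst_prefixes):
                return False
        return True


@dataclass
class IpFilter:
    name: str
    default_action: str
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Walk entries in ascending entry-ID order; first match wins.

        Returns (action, entry_id); entry_id None means default-action applied.
        """
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if entry.matches(pkt):
                return entry.action, entry.entry_id
        return self.default_action, None


# The page's demo-filter expressed as data (prefix list "nat-dest" inlined).
NAT_DEST = ("172.16.0.0/24",)
DEMO_FILTER = IpFilter("demo-filter", "accept", [
    Entry(10, "accept", protocol="udp", src_port_eq=30000),
    Entry(20, "nat", protocol="udp", src_port_range=(40000, 50000),
          dst_prefixes=NAT_DEST),
    Entry(30, "drop", protocol="udp"),
])


def misordered_filter() -> IpFilter:
    """Hypothetical variant: the catch-all UDP drop renumbered ahead of nat.

    Every UDP packet now hits entry 15 first, so entry 20 can never match and
    no UDP traffic is steered to NAT.
    """
    return IpFilter("demo-filter-misordered", "accept", [
        Entry(10, "accept", protocol="udp", src_port_eq=30000),
        Entry(15, "drop", protocol="udp"),
        Entry(20, "nat", protocol="udp", src_port_range=(40000, 50000),
              dst_prefixes=NAT_DEST),
    ])


def steer(pkt: Packet, flt: IpFilter = DEMO_FILTER) -> Tuple[str, Optional[int]]:
    """Convenience wrapper: which action and entry handle this packet."""
    return flt.evaluate(pkt)


# Constructed sample traffic covering each branch of the filter.
SAMPLES = [
    Packet("udp", 30000, "172.16.0.7"),   # entry 10: accepted, bypasses NAT
    Packet("udp", 45000, "172.16.0.7"),   # entry 20: steered to NAT
    Packet("udp", 45000, "10.0.0.1"),     # dst not in nat-dest -> entry 30 drop
    Packet("udp", 53, "172.16.0.7"),      # src-port outside range -> entry 30 drop
    Packet("tcp", 45000, "172.16.0.7"),   # no UDP entry matches -> default accept
]

if __name__ == "__main__":
    for flt in (DEMO_FILTER, misordered_filter()):
        print(f"== {flt.name}")
        for pkt in SAMPLES:
            action, eid = steer(pkt, flt)
            print(f"{pkt.proto} sport={pkt.src_port} dst={pkt.dst_ip}: "
                  f"{action} (entry {eid if eid is not None else 'default'})")
```

The model deliberately has no knowledge of NAT policies or pools: it answers only the question the section raises, which entry a packet hits and therefore whether it is accepted past NAT, steered to NAT, or dropped. Comparing DEMO_FILTER with the misordered variant is a quick way to see why a catch-all drop must carry a higher entry ID than the nat entry.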

The following is an example of a filter applied to a network interface on ingress.

MD-CLI

[pr:/configure]
    router "Base" {
        interface "annex" {
            port 1/x1/2/c10/1:1
            ingress {
                filter {
                    ip "demo-filter"
                }
            }
            ipv4 {
                primary {
                    address 192.168.12.2
                    prefix-length 24
                }
            }
        }
    }

The following is an example of a filter applied to all network ingress traffic of a specific VPRN.

MD-CLI

[pr:/configure service]
    vprn "demo" {
        service-id 1
        customer "1"
        network {
            ingress {
                filter {
                    ip "demo-filter"
                }
            }
        }
    }

The following is an example of a filter applied on ingress in an SLA profile.

MD-CLI

[pr:/configure service]
    subscriber-mgmt {
        sla-profile "demo" {
            ingress {
                ip-filter "demo-filter"
            }
        }
    }