nanog mailing list archives

Re: NAT on a Trident/Qumran(/or other?) equipped whitebox?


From: Paul Zugnoni <paulzugnoni () gmail com>
Date: Wed, 10 Oct 2018 22:04:25 -0700

The key to answering the question of NAT support on a Broadcom switch
forwarding chip, is... another question: What /flavour of NAT/ you're
looking for. Generally Trident (1,2,3), Tomahawk (1,2) and I believe Jericho
all support varying degrees of swapping parts of an IP or Eth header for
other parts - i.e. TTL of 249 in, TTL of 248 out, MPLS tag 500 in, MPLS tag
513 out. And, to your benefit, SRC IP of 10.1.1.1 in, SRC IP of 10.2.2.2
out. That can be handled at line rate (yes 10G); how many of those rules
depends on the chip.

So that's perfectly fine for static NAT. The problem is that static NAT (i.e. 1:1)
isn't what I suspect most of us are looking for. PAT, or "nat overload" -
i.e. your internal 10.x or 192.168.x networks to the internet using one or
a few public IPv4s - requires stateful tracking, which is not what any of
those chips do. So you're dependent on what route engine and software are in
use to supply stateful NAT / PAT, and the requirement being higher there
generally means you'll need a firewall or router (which, btw, might
actually be using one of the aforementioned Broadcom switch chips for the
forwarding plane!). To achieve line rate for stateful NAT / PAT there's
more than the switch chip and software in the equation, and that can be the
limiting factor to achieving "line rate" for a set of 10G ports.

PZ

On Wed, Oct 10, 2018 at 12:20 PM Wes Felter <wmf () felter org> wrote:

On 10/9/18 10:35 AM, Jason Lixfeld wrote:
Has anyone played around with this?  Curious if the BCM (or whatever
other chip) can do this, and if not, if any of the box vendors have tried
to find a way to get these things to do a bunch of NAT - say some flavour
of NAT, line-rate @ 10G.  If so, anyone know of a NOS that has support for
it?  OcNOS, Cumulus Linux, PicOS and Switch Light OS seem to have none, but
not sure if there are others out there.

For 10G I would use software NAT like a firewall or CGN virtual
appliance. Switch ASICs generally don't support NAT well; Tofino and
maybe Jericho II can probably do it but at high cost and as you
discovered the market isn't trying very hard to provide "routing" or
"firewalling" functionality on "switching" ASICs.
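The distinction Paul draws above (static 1:1 NAT is a stateless header rewrite that fits a rule table on a switch ASIC, while PAT / NAT overload needs a per-flow binding table that the chip does not keep) can be made concrete with a small simulation. The following is an added illustration, not code from the thread or from any of the NOS or chip vendors named; all addresses, ports and packets are constructed sample values, and the port-allocation scheme is a deliberately simple stand-in for what a real firewall or CGN does.

```python
"""
Added illustration (not from the NANOG thread): stateless static NAT as a
fixed rule table versus stateful PAT that must remember each outbound flow
so return traffic can be mapped back. All values are constructed samples.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# --- Static (1:1) NAT: a fixed rule table, no state ---------------------
# "match src_ip X -> rewrite to Y" outbound, and the mirror rule inbound.
# This is the same kind of header-field swap as the TTL/MPLS examples in
# the mail: each packet is handled on its own, nothing depends on history.
STATIC_OUT: Dict[str, str] = {"10.1.1.1": "203.0.113.10", "10.1.1.2": "203.0.113.11"}
STATIC_IN: Dict[str, str] = {v: k for k, v in STATIC_OUT.items()}


def static_nat_outbound(pkt: Packet) -> Optional[Packet]:
    """Rewrite the source address by table lookup; None if no rule matches."""
    public = STATIC_OUT.get(pkt.src_ip)
    return replace(pkt, src_ip=public) if public else None


def static_nat_inbound(pkt: Packet) -> Optional[Packet]:
    """Reverse rewrite on the destination address, again by pure lookup."""
    private = STATIC_IN.get(pkt.dst_ip)
    return replace(pkt, dst_ip=private) if private else None


# --- PAT / NAT overload: many inside hosts share one public IP ----------
class PatTable:
    """Stateful port-address translation. Return traffic can only be mapped
    back because a binding was created when the flow first went out."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port  # simplistic sequential allocator
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.out_bindings: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, dst_ip, dst_port) -> (private_ip, private_port)
        self.in_bindings: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_bindings.get(key)
        if port is None:
            # New flow: allocate a public port and record both directions.
            port = self.next_port
            self.next_port += 1
            self.out_bindings[key] = port
            self.in_bindings[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Unsolicited inbound traffic has no binding and is dropped; this
        # per-flow state is exactly what a stateless rule table cannot hold.
        binding = self.in_bindings.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if binding is None:
            return None
        private_ip, private_port = binding
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

    def state_entries(self) -> int:
        return len(self.out_bindings)


def demo() -> Tuple[int, Optional[Packet], Optional[Packet]]:
    """Two inside hosts, same source port, same destination: static NAT would
    need two public IPs; PAT needs one IP plus one binding per flow."""
    pat = PatTable("203.0.113.1")
    host_a = Packet("10.1.1.1", 51000, "198.51.100.5", 443)
    host_b = Packet("10.1.1.2", 51000, "198.51.100.5", 443)
    a_out = pat.outbound(host_a)
    pat.outbound(host_b)
    # The server answers host A at (public_ip, translated port).
    reply_a = Packet("198.51.100.5", 443, "203.0.113.1", a_out.src_port)
    # A packet to a port that was never bound has nowhere to go.
    unsolicited = Packet("198.51.100.5", 443, "203.0.113.1", 60000)
    return pat.state_entries(), pat.inbound(reply_a), pat.inbound(unsolicited)


if __name__ == "__main__":
    print(demo())
```

The static functions are pure lookups, which is why they map onto an ASIC rewrite rule; the PAT class grows a binding per flow and has to consult that table for every returning packet, which is the work that ends up on the route engine, firewall or CGN software Paul and Wes describe.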
