All topics - Topic: nat
w*****r
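Posts: 89
1
From thread: EmergingNetworking board - A Cisco question for the experts
damn it
In the end I solved it on the foundry load balancer side.
If it were nat to a single machine, that would be simple: just add an alias ip on the machine.
The problem is that I need to nat to a vip.
I called foundry and found a workaround.
Damn, how come cisco doesn't support such an easy, crappy little feature?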
w*****r
Posts: 89
2
From thread: EmergingNetworking board - A Cisco question for the experts
there are some more twists in the vip to prevent a wildcard vip,
for example, we don't just load balance port 80, hehe
anyways, I did similar things
made up two vips with same server pool
and nat each of them to a public ip.
only thing is even to do that, the load balancer prevents two vips
with same server farm bind to them at the same time.
have to play some tricks over there.
some cheap low level equipment was really easy, just make up
two rules with same static nat, or bind same real servers
b******e
Posts: 66
4
From thread: EmergingNetworking board - BGP question
For NAT, I was thinking that you NAT half of your address to one next hop, and
the other half to the other next hop and you don't advertise your /24 block
to SP at all.
p******h
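Posts: 1783
6
From thread: EmergingNetworking board - What are the hot issues in ipv4 addressing right now?
Doesn't SIP based VOIP also use STUN to traverse NAT?
By comparison, Skype's p2p just uses supernodes in place of a central server; is that the right way to understand it?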

z**r
Posts: 17771
7
From thread: EmergingNetworking board - What are the hot issues in ipv4 addressing right now?
Last time I wrote a NAT I; how about someone writes a NAT II?
a***n
Posts: 262
10
From thread: EmergingNetworking board - Looks like folks in North America still value the CCIE this much, sigh
6500 support ethernet PW? Maybe with some WAN ether card.
We tried EoMPLS with PFC3BXL, no WAN ether card. There is
a little subtlety though. You cannot have NAT and EoMPLS
together. Unfortunately, we do have NAT on one node we
want to bring up EoMPLS.

a***n
Posts: 262
11
From thread: EmergingNetworking board - Looks like folks in North America still value the CCIE this much, sigh
Hi Zher,
Here it is. The TAC engineer confirmed that this affects both cat6500/7600.
There should have been a bug for cat6500 too.
> So I believe I found the issue you are seeing with having NAT and MPLS
> on the same interface on a 6500. This is not a supported configuration
> on a sup720-3b/3bxl. Please see bug, CSCsx06875.
>
> This issue has been resolved with using PFC-3C hardware. So this is not
> a supported configuration. If we removed NAT from this interface
> everything should begin to w...
z**r
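Posts: 17771
12
From thread: EmergingNetworking board - VPC networking question
You're being blocked by your company's security policy; many companies have a NAC deployment like this. You need to
change the bridging mode to NAT mode, so that only the host gets an IP and the guest os goes out through NAT; then there's no problem.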

a***n
Posts: 262
13
From thread: EmergingNetworking board - Question about ASA5510 configuration
static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
Static NAT entry needed. I copied from FWSM should be the same with ASA.
show nat ?
a**********k
Posts: 1953
14
From thread: EmergingNetworking board - A question about network access logs
HTTP XFF header.

configuration can be common, i.e. in certain network design, backend servers
accept connections from front end load balancers and from other sources, to
ensure that return traffic hits load balancers instead of following
default gateway for traffic coming from load balancers, load balancers will
perform both source NAT and destination NAT, in the case back end servers
will have no visibility to the source.
m********d
Posts: 188
15
From thread: EmergingNetworking board - A question about network access logs

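The fundamental difference is that a loadbalancer terminates the tcp connection, while nat only translates addresses. In practice the difference is big:
a loadbalancer can do tcp multiplexing, tcp tuning, etc., and none of these
is easy to do with nat.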
a**********k
Posts: 1953
16
From thread: EmergingNetworking board - A question about network access logs
NAT devices only operate at L3/L4 layer, so it just
modifies client private source IP to a routable IP, but
will not touch HTTP layer.
HTTP XFF header is at L7, so it will only be used by
Proxy (or reverse proxy), which will record routable IP
after NAT. SLB is a type of proxy.

m*****g
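Posts: 776
17
From thread: EmergingNetworking board - I failed CCNA today...
I added router eigrp ** , network 192.168.***.***. The new router's f0/0 can ping the f0/0 of the
directly connected existing router, but it can't ping the ips of the existing router's s0/0 and s0/1.
It can't ping the other subnets connected to those either. Why? The existing router's internet connection uses a different ip.
The internet-facing one is 198.170.***.***. Do I really need to add NAT on the existing router too? I don't think this question is testing
NAT, because it says everything on the existing router is connected and working normally.
thanks!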
a***n
Posts: 262
18
From thread: EmergingNetworking board - F5 trick
Just participated in a design for F5 and exchange 2010.
exchange 2010 everything except public folder access
could be load balanced. Public folder still needs direct
communication between real servers and clients.
Unfortunately, F5 is administered by an application guy.
You can imagine how much network knowledge he has. Windows
people don't give a second thought to network design either.
They ended up selecting a SNAT+NAT architecture. Real servers
will have default gateway to router not F5. SNAT+NAT wil...
z**r
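Posts: 17771
19
From thread: EmergingNetworking board - Overpromises and under delivers
The thread keeps drifting further off topic; I think it started as a discussion of whether nxos and ios xe are close in theory. The
VM you're talking about limits itself to one scope, namely host virtualization, whereas I'm talking about network
virtualization; to me, VDC in nxos and SDR in XR are both VMs.
XE took a lot of things out of IOS and redid them, nat for example. Sure, the user still configures it in the IOS CLI,
but it actually has nothing to do with IOS NAT; it is completely independent of IOS and is called ASRNAT. To put it
bluntly, it actually seems to be just iptables. Traditional control plane things such as syslog were likewise taken out of
IOS and redone, but the user interface is still fairly close to IOS. There are many examples like this. That's why I
say it looks close to IOS, but in essence IOS XE and IOS are very different.
But I agree with what you said: from a modularization standpoint, xe is definitely not as thorough as nxos/xr, but it is still
more thorough than ION.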
w***s
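Posts: 321
20
From thread: EmergingNetworking board - Overpromises and under delivers
So we can turn the page on VM.
From a modularization standpoint, XE and ION are very close in both approach and result: both adopt an advanced Unix
kernel and keep a considerable part of the IOS code intact, so they can integrate directly from the corresponding IOS train; of
course the bugs and shortcomings are kept intact too.
As for the NAT example, if it is a PD implementation, it isn't really suitable for discussing XE and ION, because what is actually used on the 65
is the PD part: PFC NAT. If it is the PI part, it has indeed gone a bit further than ION, but that's only 50 steps versus
100 steps. ION lags behind because it is no longer being developed.
With further modularization, many loosely coupled parts will gradually be migrated out of IOS, but without a complete
rewrite it will still remain entangled with IOS.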
z**r
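Posts: 17771
21
From thread: EmergingNetworking board - IPv6 deployment
User experience? I don't quite see what you're trying to say. Isn't this something that gets built step by step? Can
a problem this small hold back the tide of history? As long as the last mile is made dual stack, what problem would there be with user experience?
Do you know how many of the providers' last mile offerings, such as u-verse and fios, will support ipv6 this year?
ipv4 address allocation is already finished, period. You can go buy on the black market; M$ bought ipv4 addresses from Nortel at 7 US dollars
apiece. The carriers certainly have quite a few, but the situation is definitely not that rosy; otherwise the ones shouting loudest now
wouldn't be the few that hold the most ipv4. Look around: which large ISP doesn't support ipv6 now? Yes, you
can use carrier grade nat devices to solve part of the problem, but the cost is too high, quite possibly more expensive than
going straight to ipv6, and it's still a temporary solution. nat inherently has scalability problems; used at large
scale, it can't be cheap.
Is there any problem with going all-ipv6 on mobile? If I remember correctly, tmobile is about to roll out an all-Ipv6 LTE pilot.
Let's see whether there are problems once that comes out. Facts speak louder than words, right?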

c****n
Posts: 21367
22
From thread: EmergingNetworking board - IPv6 deployment
all in all, if we want to sell v6 tech/device to ISPs (our users), we have
to be able to answer questions from ISPs' users.
1. SW might bring more headaches than HW during the transition period from
v4 to v6. if there's no killer app, it's ok. if the transition kills app,
it's no go... (how to ensure the SW compatibility?)
2. the address issue. not sure about the end users' reaction when ISP tells
them to replace v4 NAT / vLAN with global v6 addresses. how much effort /
cost need to be paid by ...
x*********n
Posts: 28013
23
From thread: EmergingNetworking board - TCP/IP: getting to the bottom of it
192.168.x.x
first of all, this is a private IP, how can you reach a private IP when you
are outside of the network?
For internet users to access the website, they are hitting the public IP
first, then NAT to private, firewall or router usually do the NAT job.
Most likely, check your firewall.
for internal visit, firewall rule is also possible if you and the server are
under the different area, server usually located at DMZ zone, you are user
zone.
To isolate the issue, connect your PC to switch, ...
n**********l
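Posts: 271
24
From thread: EmergingNetworking board - Problem accessing mitbbs with Chrome26
I took a look in wireshark.
mitbbs doesn't use cookies, doesn't reply to tcp keepalive, and doesn't send a reset either.
So chrome keeps trying to use the existing sockets and just keeps doing tcp retran...
Firefox seems to open a new socket every time, so it doesn't have this problem. Chrome opens a bunch of
sockets the first time it starts, then uses tcp keepalive, and only resets after a long time of receiving nothing...
I'm behind NAT; the NAT timer should be much longer than the tcp timer, right?
Why does this happen?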
I********x
Posts: 858
25
From thread: EmergingNetworking board - Just how common is Fragment Traffic?

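Among network devices, only layer-3 devices are able to fragment packets, but if you look at real-world use you'll find
that in the vast majority of cases fragmentation is already done in the operating system at the session endpoint. Capture the packets windows sends and you'll
see DF=1.
The backbone networks we build all support jumbo frame, even down to the access layer, so in practice network admins no longer need to
care whether packets get fragmented.
The only problem is firewalls: a firewall can't do deep inspection without reassembling packets, and that affects
performance.
Also, in practice we've run into IOS NAT apparently doing reassembly, virtual assemble (?), which lowers the NAT
device's performance.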
t****t
Posts: 6806
26
anyway, if you can get a shell to invoke iptables, here it is
iptables -t nat -I POSTROUTING -s blocked_internal_ip -j DROP
this will block all new connections from blocked_internal_ip to internet.
the existing connections (such as opened telnet, ssh) are not affected. to
restore, write
iptables -t nat -D POSTROUTING -s blocked_internal_ip -j DROP
depends on your router configuration, you could automate the process (each
time you start the router? every sunday? etc) in various ways.
m***b
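Posts: 265
27
Is the following solution feasible?
- Still run the vpn in a virtual machine. Two NICs, with the vpn using one. The other NIC is used to accept mstsc
connections from the host? How exactly is this done?
1 Run the vpn in a virtual machine. Two NICs, with sharing (NAT) turned on
2 On the host, a static route needs to be added: if the destination is a company IP, go through the VM's NAT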
c********l
Posts: 8138
28
From thread: Hardware board - A question about OpenVPN setup
Current network setup:
One router, IP address: 192.168.0.1
One Windows Server 2008 machine, IP address: 192.168.0.2
A VPN Server is now running on the Windows Server 2008 machine, subnet: 10.8.0.0/24
The OpenVPN documentation says:
Pushing the redirect-gateway option to clients will cause all IP network
traffic originating on client machines to pass through the OpenVPN server.
The server will need to be configured to deal with this traffic somehow,
such as by NATing it to the internet, or routing it through the server
site's HTTP proxy.
On Linux, you could use a command such as this to...
g***i
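Posts: 4272
29
From thread: Hardware board - A question about configuring a router
The modem at home has router functionality, and I also have my own linksys; all devices connect through the linksys.
But I don't want the linksys to do NAT a second time, so for now I've plugged the modem's cable into a LAN port on the linksys
and use it as a switch, so there is only one subnet at home.
What I'm wondering now is whether there's a way to have the router also be assigned an ip address while not doing NAT,
acting only as an ap?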
z****8
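Posts: 5023
30
From thread: Hardware board - IP V4 isn't going to die any time soon, right?
Nowadays a router costing 2000 RMB can handle NAT for 1000 machines..
With that kind of backbone router, where one unit can handle NAT for tens of thousands, who would still use IPv6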
r*****e
Posts: 52
31
how many IP does cox allow you? if only one, and your roommate is already
using it, you can't use it any more. get a nat box (or so called
cable/DSL router by linksys, netgear, etc) so you can share the ip with
your roommate.
if only one, and you don't want to buy a nat box since you only use it
when your roommate is not. then everytime before any one uses the cable
modem, reset it. another option is to change the MAC address of your nic
to the same as your roommate's (if your machine allow
i***h
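Posts: 12655
32
I just installed eMule.
Every time it runs, out of a whole bunch of servers it always connects to razorback2.com in Belgium.
I disconnect and then try to connect to edonkey2000.cn in China via right-click, but it doesn't work.
The log shows: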
2005-9-25 15:46:29: CountryFlag Disabled, failed to load in C:\Program Files\
eMule_ACAT\config\countryflag.dll
2005-9-25 15:46:35: Error adding UPnP NAT Support: (Server UDP Port) NAT
ROUTER/FIREWALL:4688 -> 192.168.2.73:4688 (Can not found a UPnP Router)
2005-9-25 15:46:35: 发现 0个已知的共享文件
2005-9-25 15:46:35: Creditfile已加载,0个客户已知
2005-9-25 15:46:37: 在server.met中找到77个服务器
2005-9-25 15:46:38: 发现 1个.part文件
2005-9
D*********s
Posts: 555
33
From thread: Internet board - Routing question

Without NAT, that would be a proxy then; I don't know whether BT supports proxies
g*********i
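Posts: 89
34
From thread: Internet board - A question about IP address configuration...
Thanks for the reply above, but I think I am in fact using bridge, not NAT, because I have no idea what NAT is,
hehe...
Could you help me see what other options there are?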
N**********d
Posts: 9292
35
From thread: Internet board - A router configuration question
On a cisco router,
ip nat inside source static tcp 192.168.1.99 80 12.173.91.21 80 extendable
needs to be changed to
ip nat inside source static tcp 192.168.1.100 80 12.173.91.21 80 extendable
How should this be done?
Thanks
z**r
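Posts: 17771
36
It came out today, right? It wasn't there yet when I looked yesterday...
In the change log,
NAT: on some Windows host, the guest didn’t receive a DHCP lease (bug #3655)
That's the bug I mentioned. I followed it earlier; the case owner provided a .DLL that was said to fix it,
but when I used that DLL, DNS still seemed to have problems. The main problem is that in a NAT environment it shouldn't
write the real DNS into /etc/resolv.conf. If the network doesn't change, that's fine, but once the network
changes, the original DNS is very likely unreachable. For example, you typically get the company's
DNS on the company network, and once you switch to your home network the company's DNS can't be reached.
I don't know whether 2.22 gives 10.0.2.3 as dns the way 2.14 did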
p**i
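Posts: 688
37
In your case, wouldn't setting the openwrt router up as a repeater be enough ('sta' client mode)?
Personally I think a nat router setup may be more straightforward. Take a look at the output of the commands below: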
iptables -t nat -nv -L POSTROUTING
ip route
ip rule
y***n
Posts: 100
38
The OpenWrt firmware image I installed may have some problems; at first there was no /etc/init.d/firewall file.
Here are the results of ip route, ip rule, and the nat table:
root@OpenWrt:/# ip route
192.168.69.0/24 dev wlan0 proto kernel scope link src 192.168.69.105
192.168.70.0/24 dev br-lan proto kernel scope link src 192.168.70.1
default via 192.168.69.1 dev wlan0
root@OpenWrt:/# ip rule
RTNETLINK answers: Operation not supported
Dump terminated
root@OpenWrt:/# iptables -t nat -nv -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 76 packets, 5919 bytes)
pkts bytes
m********o
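Posts: 129
39

Your routing table looks fine; it should be a nat problem.
This is enough to show that all packets coming from the PC go no further at the secondary router.
Run tcpdump to see whether the ping packets actually go out; if they don't,
check a few places: /etc/sysctl.conf should contain net.ipv4.ip_forward=1
Add this line to iptables:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Note: if the PC gets its ip from the secondary router via dhcp, use MASQUERADE in iptables;
if it is static, use SNAT..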
l*******G
Posts: 1191
40
I'm using dyndns as well, if your server is linux, you can install ddclient
on server to update ip with dyndns.org. However sometimes dyndns.org blocks
your free domain name by saying you could be abusing their system. But you
can always login at www.dyndns.org with your account and unblock.
If your server is windows, I suggest you use oray: http://www.oray.com/peanuthull/ which you can get a free yourdomain.gicp.net name and client software to install on your windows machine to update your ip d...
r****t
Posts: 10904
41
From thread: Linux board - help: iptables question
This should be a common problem, but I've never known what to do about it:
A acts as the gateway, eth0 internal, eth1 external.
B is a web server behind A.
I can do DNAT so the internet can reach B, but machines in the same subnet as B can't
reach B directly using A's IP. For various reasons I don't want to change the internal DNS. I'm currently using
iptables -t nat -A PREROUTING -s $INTERNAL_NET -i eth0 -d IP_A -j DNAT --to-dest IP_B
iptables -t nat -A POSTROUTING -s IP_B -o eth0 -d $INTERNAL_NET -j SNAT --to-source IP_A
It doesn't work. What should I do?
c******n
Posts: 4965
42
From thread: Linux board - how to do this iptables setup?
I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
the 22 port of my local box instead,
I tried the following but it doesn't work
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
any ideas?
Thanks a lot
c******n
Posts: 4965
43
From thread: Linux board - how to do this iptables setup?
i don't think so, PREROUTING is for incoming messages,
here the messages are generated by my local process ( ssh client )
I got it working in another post.
but here it is
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE

j*a
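Posts: 14423
44
From thread: Linux board - how to do this iptables setup?
Buddy, you'd better just write in Chinese.
You understood a bit of that tutorial, but you've mixed it up with ssh tunnel.
Here you only need NAT OUTPUT; you don't need NAT POSTROUTING.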

c******n
Posts: 4965
45
From thread: Linux board - how to do this iptables setup?
yes, I only care about my tests on the local box.
the script is used in the context of JMX, please see my previous JMX post.
what I don't understand is basically how kernel is able to properly route
the response packet. it's probably easier to use a plain NAT example.
let's say my box is in a private network ,
my_box 192.168.1.2
||
||
\ /
\/
gateway_box 192.168.1.1 , public_ip : 111.222.333.888
||
||
\ /
\/
yahoo.com 111.222.333.444
on a regular NAT case, my_box sends to yahoo.com, the packe...
G**Y
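Posts: 33224
46
From thread: Linux board - Is it realistic to do computation in a virtual machine?
Our tech support here
won't assign ips to virtual machines, so NAT is the only option, which is annoying. (Virtualbox's NAT implementation seems to have problems. Mounted
network drives often drop.)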
c******g
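Posts: 63
47
From thread: Linux board - Routing table disappearing in a VM
The VM runs Ubuntu 12.04, and VM Player's Network Adapter is set to NAT, i.e. share the
host's IP address. Sometimes when I take the laptop somewhere else and resume the suspended VM, it
shows "network not found". The routing table shown by route is completely empty. With ifconfig I found that even eth0 is
down; there is only lo. I think it may be because the host's network changed after moving to another place (for example from the office back home).
If I reboot the VM, there's no problem. But is there a simple way (such as reset,
reconfigure or the like) to restore NAT with the current Windows host directly from the command line?
I tried manually adding the routing table entries from when it was connected before; maybe I got something wrong, but anyway it doesn't work. It's also
possible that the DNS service is down too; anyway, when I ping www.google.com I get unknown host.
Asking the Linux network administration experts for help! Many thanks!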