NE40E V800R010C00 Feature Description - NAT and IPv6 Transition 01

NAT Resource Protection

Port Number Limiting

To prevent connection failures caused by a single user consuming a large number of port resources, a maximum number of NAT ports that the sessions of a single IP address can use can be set. This protects the port resources of the NAT address pool. With this function, a NAT device counts the number of address pool ports used by a single IP address.

If the total number of TCP, UDP, and ICMP ports that the same source or destination IP address uses exceeds the specified threshold, the IP address cannot be used to initiate new connections.

After the total number of TCP, UDP, and ICMP ports used by the IP address reaches or falls below the specified threshold, the IP address can be used again to initiate connections over TCP, UDP, or ICMP ports.

Session Limiting

NAT is a stateful address translation technique, and session tables are core NAT resources. If denial of service (DoS) attacks, such as SYN flood attacks, are initiated, all NAT session table resources may be used up. Session entries then cannot be established for ordinary users, and their access fails. With this function, a NAT device counts the number of TCP, UDP, and ICMP sessions established using a single IP address.

  • If the number of sessions initiated using a source IP address or destined for a destination IP address reaches a specified threshold, the IP address cannot be used to initiate new connections.
  • After the total number of TCP, UDP, and ICMP sessions used by the IP address falls below the configured threshold, the IP address can be used again to initiate TCP, UDP, and ICMP connections.

Session Table Aging

The aging time for application-specific NAT session entries in a NAT table can be set on a NAT device. After the aging time elapses, the NAT device automatically ages the entries and releases session resources. The NAT device can be configured to forcibly age all session tables or a specific type of session tables.
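
The following added example (not Huawei code and not a device configuration) models in Python how session limiting and session table aging interact: one source IP is capped, other users keep working, and the capped source recovers once its idle entries age out. The class name, the limit of 100 sessions, the aging times, and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict


class NatSessionTable:
    """Toy model of per-source-IP session limiting with session aging."""

    def __init__(self, per_ip_limit, aging_time):
        self.per_ip_limit = per_ip_limit   # max concurrent sessions per source IP
        self.aging_time = aging_time       # protocol -> idle seconds before aging
        self.sessions = {}                 # (proto, src, sport, dst, dport) -> last seen
        self.count = defaultdict(int)      # source IP -> live session count

    def age(self, now):
        """Release entries idle for at least their protocol's aging time."""
        expired = [k for k, seen in self.sessions.items()
                   if now - seen >= self.aging_time[k[0]]]
        for key in expired:
            del self.sessions[key]
            self.count[key[1]] -= 1
        return len(expired)

    def open(self, proto, src, sport, dst, dport, now):
        """Return True if the packet is forwarded, False if a new session is refused."""
        self.age(now)
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:           # existing session: refresh its timer
            self.sessions[key] = now
            return True
        if self.count[src] >= self.per_ip_limit:
            return False                   # source is at its threshold
        self.sessions[key] = now
        self.count[src] += 1
        return True


def simulate():
    """Constructed traffic: one host floods SYNs while another user connects."""
    table = NatSessionTable(per_ip_limit=100, aging_time={"tcp": 30, "udp": 10})
    flooder, user, server = "10.0.0.66", "10.0.0.7", "198.51.100.10"
    # 5000 SYNs at t=0, each from a new source port, so each needs a new entry
    accepted = sum(table.open("tcp", flooder, 1024 + i, server, 80, now=0)
                   for i in range(5000))
    user_ok = table.open("tcp", user, 40000, server, 443, now=1)
    refused = table.open("tcp", flooder, 9000, server, 80, now=29)    # still at limit
    recovered = table.open("tcp", flooder, 9001, server, 80, now=30)  # entries aged out
    return accepted, user_ok, refused, recovered, len(table.sessions)
```

Without the per-IP limit, all 5000 entries would land in the shared table; with it, the flood is held to 100 entries and those are released when the aging time elapses.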

User-specific Flow Construction Speed Limiting

A NAT device uses a multi-core structure and allows the flow construction and forwarding processes to share CPU resources. The NAT device dynamically learns the sizes of flows and limits the speed and resources used to construct flows.

If the number of user sessions reaches a specified upper limit, constructing flows degrades the performance of other services. To minimize the impact, the speed at which the NAT device constructs flows can be set. Alternatively, the committed access rate (CAR) function can be configured to limit the speeds at which the NAT device constructs flows for all users, so that user services are transmitted properly.

Updated: 2018-07-04

Document ID: EDOC1100027155
