Configuring NAT STUN
Prerequisites
The STUN feature is mainly used for NAT detection in an SD-WAN solution. In the SD-WAN solution, the NAT detection result of STUN needs to be transmitted through tunnels established in an SD-WAN EVPN. Therefore, before configuring NAT detection of STUN, you need to configure the TNP, site, and other information required for establishing tunnels using the SD-WAN EVPN. For details, see the preceding chapters.
Procedure
In an SD-WAN solution, the STUN function can be configured on devices using the CLI, or the network controller can deliver the STUN configuration to devices using NETCONF. To prevent configuration conflicts, you are advised to use the network controller to deliver the STUN configuration to devices.
Configuring the STUN Server Function
Context
In the SD-WAN solution, RRs are usually deployed as STUN servers, and CPEs, which function as gateways in branches, are deployed as STUN clients. To detect whether a NAT device is deployed between the RRs and CPEs, you need to enable the STUN server function on the RRs and configure the IP address and UDP port number on which the STUN server listens for STUN messages.
Procedure
- Run system-view
The system view is displayed.
- Run stun server enable
The STUN server function is enabled.
By default, the STUN server function is disabled.
- Run stun server listening-ip ip-address [ vpn-instance vpn-instance-name ]
The IP address on which the STUN server listens for STUN messages is configured.
By default, the STUN server listens on all IP addresses.
The IP address on which a STUN server listens must be a local IP address.
- Run stun server listening-port port-number
The UDP port number on which the STUN server listens for STUN messages is configured.
By default, the STUN server listens on UDP port 3478.
Configuring the STUN Client Function
Context
To detect whether a NAT device exists between the RR and CPEs in an SD-WAN solution, in addition to enabling the STUN server function on the RR, you need to enable the STUN client function on the CPEs and configure the destination port number that the STUN clients use to access the STUN server. The CPEs can function as STUN clients, send STUN binding request packets to the STUN server, and initiate the NAT detection process only after the STUN client function is enabled on them.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run stun client enable
The STUN client function is enabled on an interface.
By default, the STUN client function is disabled on an interface.
- Run stun client destination-port port-number
The destination port number for the STUN client to access the STUN server is configured.
By default, the destination port number for the STUN client to access the STUN server is 3478.
- Run quit
Return to the system view.
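The binding request exchange that the STUN client uses for NAT detection, shown as an added example (not code from this guide or from the device software). It assumes the standard RFC 5389 message format with an IPv4 XOR-MAPPED-ADDRESS attribute; the function names are hypothetical. The client rejects replies whose transaction ID does not match its request, then compares the address the server saw with its own local address.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value defined by RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txn_id=None):
    """Client side: return (packet, txn_id) for a Binding Request with no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id

def build_binding_success(txn_id, src_ip, src_port):
    """Server side: report the source address the request arrived from."""
    xport = src_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(src_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr

def parse_mapped_address(packet, txn_id):
    """Client side: validate the response and return (ip, port), else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", packet[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a Binding Success Response")
    if packet[8:20] != txn_id:
        raise ValueError("transaction ID mismatch")  # unsolicited or spoofed reply
    if mlen != len(packet) - 20:
        raise ValueError("length field does not match payload")
    off = 20
    while off + 4 <= len(packet):
        atype, alen = struct.unpack("!HH", packet[off:off + 4])
        value = packet[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == alen == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + alen + (-alen % 4)  # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def behind_nat(local, mapped):
    """A NAT device is on the path when the server saw a different IP or port."""
    return local != mapped
```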
Maintaining STUN Information
Context
To facilitate fault locating in routine maintenance, you can view statistics about STUN packets. If statistics about STUN packets in a specified period of time need to be collected for fault locating, you can clear the STUN packet statistics, wait for a while, and then view the statistics.
STUN packet statistics cannot be restored after being cleared. Therefore, exercise caution before clearing the statistics.