SAT translation can be used with broadcast packets if appropriate. With SAT translation the
destination address would always be the broadcast address.
• NAT
NAT translation cannot be used with broadcast packets in transparent mode. The packets will
be dropped and a log message will be generated when they encounter the NAT IP
rule/policy.
NAT can be used with broadcast packets in non-transparent mode routing. This might be
appropriate in some unusual networking scenarios.
Transparent Mode Broadcast Forwarding is Always Stateless
It is important to note that broadcast packets are always forwarded statelessly by NetDefendOS
when in transparent mode. In other words, even if an IP rule with an action of Allow permits
transparent mode broadcast packets to flow, they will be forwarded as though the rule had an
action of FwdFast.
The reason for enforcing stateless forwarding is that packets may need to be duplicated and
transmitted on multiple interfaces. For normal, non-transparent routes where broadcast packets
are not duplicated, a normal Allow rule or policy could be used and the traffic will be treated
statefully. A stateful rule/policy has the advantage of using fewer hardware resources to process
broadcast packets when many are coming from the same source.
Only Triggering an IP Rule/Policy on Broadcast Packets
When creating an IP rule or IP policy which triggers only on broadcast packets, the Destination
Network property should be set to be the broadcast IP address. However, the Source Network
should be the network to which the broadcast address belongs. For example, a broadcast packet
for the IPv4 network 10.0.0.0/8 will have the address 10.255.255.255 (the highest IP address in
the network). So in an IP rule or IP policy targeting these packets, the Source Network property
should be set to 10.0.0.0/8 and the Destination Network property should be set to 10.255.255.255.
Log Messages for Broadcast Packets
Log messages are only generated for broadcast packets that trigger an IP rule or IP policy when
in transparent mode (using switch routes). There are only two messages that can be generated:
• allow_broadcast
This log message is generated each time a broadcast packet triggers an IP rule or IP Policy
with an action of Allow in transparent mode. It indicates that the packet has been forwarded
statelessly as though the rule had an action of FwdFast (or the policy was a Stateless Policy).
A typical log message of this type will look similar to the following:
prio=Notice id=06000016 rev=1 event=allow_broadcast
action=stateless_fwd rule=a recvif=If3 srcip=192.168.100.25
destip=192.168.100.255 ipproto=UDP ipdatalen=58 srcport=137
destport=137 udptotlen=58
It should be noted that this event message will be generated for every interface that the
broadcast packet is sent on. For example, if interfaces if1, if2 and if3 are all defined as being
on the same network using transparent mode, a broadcast packet for the network could
trigger a rule/policy twice, generating two log messages. This is because the broadcast
packet would arrive on one interface and would need transmitting on the other two.
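The following is an added example, not part of the NetDefendOS documentation. It parses allow_broadcast messages, checks each against the Source Network / Destination Network pairing described above, and corrects for the per-interface duplication when counting packets per source. The function names, the one-message-per-line layout, the 192.168.100.0/24 network and the three-interface count are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the manual's allow_broadcast message joined onto one line.
PAGE_MSG = ("prio=Notice id=06000016 rev=1 event=allow_broadcast "
            "action=stateless_fwd rule=a recvif=If3 srcip=192.168.100.25 "
            "destip=192.168.100.255 ipproto=UDP ipdatalen=58 srcport=137 "
            "destport=137 udptotlen=58")
OTHER_SRC = PAGE_MSG.replace("srcip=192.168.100.25", "srcip=192.168.100.40")
# Constructed log: with three transparent interfaces each packet is logged twice.
# The last entry uses a placeholder event name to stand for unrelated messages.
SAMPLE_LOG = [PAGE_MSG, PAGE_MSG, OTHER_SRC, OTHER_SRC,
              PAGE_MSG.replace("allow_broadcast", "placeholder_event")]


def parse_fields(line):
    """Split one key=value log line into a dict of strings."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def matches_broadcast_rule(fields, source_net):
    """Source inside the network, destination equal to its broadcast address."""
    net = ipaddress.ip_network(source_net)
    return (ipaddress.ip_address(fields["srcip"]) in net
            and ipaddress.ip_address(fields["destip"]) == net.broadcast_address)


def estimate_packets(lines, source_net, transparent_ifaces):
    """Estimate original broadcast packets per source IP from log volume."""
    copies = transparent_ifaces - 1  # one message per interface transmitted on
    if copies < 1:
        raise ValueError("need at least two transparent interfaces")
    events = Counter()
    for line in lines:
        fields = parse_fields(line)
        if fields.get("event") != "allow_broadcast":
            continue
        if matches_broadcast_rule(fields, source_net):
            events[fields["srcip"]] += 1
    # Round up so a lost log message never hides a packet.
    return {src: -(-n // copies) for src, n in events.items()}


if __name__ == "__main__":
    print(estimate_packets(SAMPLE_LOG, "192.168.100.0/24", 3))
```

Dividing by the number of transmitting interfaces keeps a per-source broadcast-rate threshold from firing early simply because more interfaces share the transparent network.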
Chapter 4: Routing