Configuration Considerations, Traffic Permits and Fixups – Rockwell Automation 1783-BMxxx Stratix 5700 Ethernet Managed Switches User Manual


Rockwell Automation Publication 1783-UM004E-EN-P - June 2014

Chapter 3 Switch Software Features

Configuration Considerations

Consider these guidelines and limitations when configuring NAT:

• A switch can translate only IPv4 addresses.
• A switch can have a maximum of 128 NAT instances, 128 NAT-associated VLANs, and 128 translation entries. A subnet translation counts as only one translation entry, but includes translations for many devices.
• You can configure NAT on one or both uplink ports of the switch.

• Ports configured for NAT do not support the following across the NAT boundary due to embedded IP addresses that are not fixed up, encrypted IP addresses, or reliance on multicast traffic:
  – Traffic encryption and integrity checking protocols generally incompatible with NAT, including IPsec Transport mode (1756-EN2TSC module)
  – Applications that use dynamic session initiations, such as NetMeeting
  – File transfer protocol (FTP)
  – Microsoft Distributed Component Object Model (DCOM), which is used in Open Platform Communications (OPC)
  – Multicast traffic, including applications that use multicast, such as CIP Sync (IEEE1588) and CLX redundancy

Traffic Permits and Fixups

While a NAT-configured port can translate many types of traffic, only unicast and broadcast traffic are supported. You can choose to block or pass through the following traffic types that are not handled by NAT:

• Untranslated unicast traffic
• Multicast traffic
• IGMP traffic

By default, all of the above traffic types are blocked.

Some traffic types must be fixed up to work properly with NAT because their packets contain embedded IP addresses. The switch supports fixups for these traffic types:

• Address Resolution Protocol (ARP)
• Internet Control Message Protocol (ICMP)

By default, fixups are enabled for both ARP and ICMP.
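The following is a constructed model of the NAT boundary as this chapter describes it (added here as an illustration; it is not Rockwell code and does not reflect the switch's internal implementation). It encodes the 128-translation-entry limit, the three permit classes that are blocked by default, and the ARP/ICMP fixups, and shows what a translated packet looks like when a fixup is disabled. The Packet fields and the NatBoundary class are assumptions made for the model.

```python
"""Constructed model of the NAT boundary this section describes (not Rockwell
code): a translation table with the 128-entry limit, the three permit classes
that default to blocked, and ARP/ICMP fixups that rewrite the private address
a packet carries inside its payload."""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

MAX_TRANSLATION_ENTRIES = 128  # limit stated in the manual


@dataclass
class Packet:
    src: str                           # outer source IPv4 (sender address for ARP)
    dst: str                           # outer destination IPv4
    proto: str                         # "udp", "tcp", "icmp", "igmp" or "arp"
    embedded_ip: Optional[str] = None  # copy of an address inside the payload


@dataclass
class NatBoundary:
    table: Dict[str, str] = field(default_factory=dict)  # private -> public
    permit_untranslated_unicast: bool = False  # manual's default: blocked
    permit_multicast: bool = False
    permit_igmp: bool = False
    fixup_arp: bool = True                     # fixups are enabled by default
    fixup_icmp: bool = True

    def add_translation(self, private_ip: str, public_ip: str) -> None:
        if len(self.table) >= MAX_TRANSLATION_ENTRIES:
            raise ValueError("maximum of 128 translation entries reached")
        self.table[private_ip] = public_ip

    def outbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Classify one private->public packet: ('translate'|'pass'|'drop', pkt)."""
        if pkt.proto == "igmp":
            return ("pass" if self.permit_igmp else "drop"), pkt
        if IPv4Address(pkt.dst).is_multicast:
            return ("pass" if self.permit_multicast else "drop"), pkt
        public = self.table.get(pkt.src)
        if public is None:  # unicast/broadcast with no translation entry
            return ("pass" if self.permit_untranslated_unicast else "drop"), pkt
        out = replace(pkt, src=public)
        # Fixup: without it the translated packet still carries the private
        # address in its payload, so the public-side peer replies to the wrong host.
        fixup_on = (pkt.proto == "arp" and self.fixup_arp) or \
                   (pkt.proto == "icmp" and self.fixup_icmp)
        if fixup_on and pkt.embedded_ip == pkt.src:
            out.embedded_ip = public
        return "translate", out
```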

IMPORTANT

Some NAT configurations can result in greater-than-expected traffic loads on
both private and public subnets. Also, unintended traffic can be visible.

NAT is not a substitute for a firewall. Make sure your configuration is
performance qualified prior to use in a production environment.
