Usage Scenario
To secure networks from virus, configure the port filter function on a NAT64 service board to prevent an unwanted port from being translated to a filtered port and resulting in a packet forwarding failure.
On a centralized NAT64 network, a carrier deploys the port filter function on two network interfaces of a core router (CR) to filter out packets on destination port 1434 (Worm.NetKiller2003). When a packet from the public network side reaches the private network side, the CR checks the packet's destination port. If the port is within the filtered port range, the CR discards the packet.
The port filter function may cause the CR to discard returned packets. A NAT64 service board translates a private source port into a filtered port used to forward packets from a private network to a public network. After packets are returned from the public network to the private network, the CR finds that the packets' destination port is within a range of filtered ports and unexpectedly discards the packets, which interrupts user services.
To prevent such an error, configure the port filter function on a NAT64 service board so that the board can filter out the ports that the CR is configured to filter out. The NAT64 service board is prevented from translating the source port into a filtered port. This prevents returned user packets from being discarded by the CR.
Configuration Impact
If the exclude-port command is run more than once, all configurations take effect. After the exclude-port command is run, the filtered ports in the NAT64 instance view are displayed in ascending order, and consecutive ports are displayed after combination. For example, the exclude-port 1 2 3 4 5 command is combined into exclude-port 1 to 5.
Precautions
- You can configure a maximum of 10 parameters in the view of each NAT64 instance. A maximum of 512 ports can be filtered.
- The exclude-port command cannot be run if a filter port list to be configured and a filter port list to be deleted overlap.
- Running the exclude-port command causes an established flow table to be reestablished.
- If the port range allocated to a user contains filtered ports, the user cannot get online through these ports. If most ports in the port range allocated to a user are filtered out, the user's most traffic fails to be forwarded. If a user has gone online and traffic already exists, this issue also occurs when the exclude-port command is run.
- The CR is enabled to filter out private network packets with a specified source port (for example, port 1434). After a NAT64 device translates the source port into another port (for example, port 1024) that is out of the range of filtered ports, the CR properly forwards the packets that should have been filtered out. To prevent such an error, perform the port filter function on a device before the NAT64 device receives them.