
While thinking how an ISP may configure its internal network, I was wondering if it was possible to delegate a router's masquerade to a switch.

Details:

Let's assume there is a 48 port Gbps switch that has 48 vlans. The router is connected to the uplink of this switch. Assuming vlan1 is sending data to vlan2. With a naive routing, the packets from vlan1 would go to the switch, uplink to the router, the router would masquerade with its public IP address and then realize that the destination is on vlan2 and send it back to the switch to send to vlan2.

Ideally, the router should be able to push down a route for just this TCP stream to the switch and let the switch handle the traffic locally. Does that exist? If it does, what is the name of that technology and maybe some names of proprietary technology name? What are the security concerns with this? Could it be done for UDP considering the stateless nature of UDP?

  • A layer-3 switch has a routing module built in. Most enterprise-grade switches are also layer-3 switches. It is a best practice to let the layer-3 switch handle the LAN routing, and use a router for the WAN routing. "_With a naive routing, the packets from vlan1 would go to the switch, uplink to the router, the router would masquerade with its public IP address and then realize that the destination is on vlan2 and send it back to the switch to send to vlan2._" That is not how it works. The traffic would never pass through the WAN interface, so it does not get translated. – Ron Maupin Sep 28 '19 at 18:38
  • Thanks for your answer @RonMaupin. I'm aware that it wouldn't go on the WAN but the advertised address to each vlan would be the public address of each other which in this case would be the same since they're behind the same router. From there, could the router recognize that two vlans are talking to each other and notify the switch under to handle that particular connection? – Pierre-Luc Bertrand Sep 28 '19 at 18:52
  • The source address only gets translated if the packets pass through the WAN interface, not the VLAN interfaces. You have inside (VLAN) interfaces and outside (WAN) interfaces, and the translation occurs as packets traverse from inside to outside. – Ron Maupin Sep 28 '19 at 19:31
  • I think you may be confusing NAT and routing. You can route without NAT, which should only be used where you need it (overlapping addressing or private to public translations). Routing internally doesn't require, nor should it use, NAT. – Ron Maupin Sep 28 '19 at 19:35
  • The intent is if two customers to this ISP are trying to connect to each other, they should not be presented as internal IPs but external hence the vlan for full isolation. This is where my understanding goes for the NAT. They would see each other as the public address rather than their internal address. Am I missing something in my assumptions here? – Pierre-Luc Bertrand Sep 28 '19 at 19:56
  • The ISP router is not doing NAT. The customers will use NAT if necessary. Many businesses have blocks of public addresses that do not require NAT. Also, switches do not NAT, so each customer has its own router. – Ron Maupin Sep 28 '19 at 20:00
  • Got it! Thanks. May I change the question slightly then? What if now the ISP had only one public IP address and was not offering a dedicated IP address per customer. In this scenario, the ISP router would do NAT and route for each vlan within right? One client would see the same public IP of the ISP router with respect to the other client and the router would basically take the full traffic between the two clients without sending it out on the WAN. Is there a way for the router to push temporarily that connection to the underlying switch without exposing the internal IPs of each vlan? – Pierre-Luc Bertrand Sep 28 '19 at 20:20

1 Answer


With a naive routing, the packets from vlan1 would go to the switch, uplink to the router, the router would masquerade with its public IP address and then realize that the destination is on vlan2 and send it back to the switch to send to vlan2.

That depends on how you set up the router. It should be able to route between private subnets without SNAT.

Remember that routing is a very basic feature and that NA(P)T was invented much later and is way more complicated. NAT may be an implied feature on consumer-grade devices but it is only used when necessary in business networks.

Ideally, the router should be able to push down a route for just this TCP stream to the switch and let the switch handle the traffic locally.

No. A "switch" is a layer-2 device that has no inkling of IP addresses and routes at all. Even a layer-3 switch can't do NAT, that's for L4+. The "push down a route" sounds like software-defined networking (SDN) which is something else altogether.

Usually, a L3 switch is used for LAN routing (private-to-private) because it's cheap and fast, and a router is used for WAN routing (private-to-public and reverse) because it can do a lot more and offers more control.

Could it be done for UDP considering the stateless nature of UDP?

Dynamic SNAT requires a stateful NAT device in any case. For UDP, the state needs to be guessed more or less à la "private IP S, UDP port x sent a datagram to public IP D, UDP port y, so I'll use a translation in the reverse direction for some time". UDP "connections" need to be aged out at all times while for TCP connections that's only a cleanup procedure.

– Zac67
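The two points the answer makes (SNAT is tied to the WAN egress interface, not to routing, and dynamic NAPT for UDP is a guessed, idle-timed mapping that must be aged out) can be seen in a small simulation. The model below is an added example written for this page, not code from the answerer or from any real router; the VLAN subnets, the WAN address 203.0.113.1, the remote host 198.51.100.9, the 30-second UDP idle timeout and the port pool starting at 40000 are all constructed values.

```python
"""Toy model of a router with inside (VLAN) and outside (WAN) interfaces and a
stateful NAPT table.  Constructed example: private-to-private traffic is routed
untranslated; only packets leaving via the WAN are SNATed, and UDP mappings are
aged out after an idle timeout while TCP mappings survive until cleanup."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ToyRouter:
    inside: dict                    # interface name -> directly connected IPv4Network
    wan_ip: str                     # single public address used for SNAT
    udp_timeout: float = 30.0       # seconds of idleness before a UDP mapping is aged out
    tcp_timeout: float = 432000.0   # established TCP mappings live far longer (cleanup only)
    # (proto, src, sport, dst, dport) -> (public port, last_seen)
    outbound: dict = field(default_factory=dict)
    # (proto, public port, remote ip, remote port) -> (private ip, private port)
    inbound: dict = field(default_factory=dict)
    next_port: int = 40000          # constructed port pool for translations

    def egress_interface(self, dst: str) -> str:
        """Plain routing decision: a directly connected VLAN, otherwise the WAN."""
        addr = ipaddress.ip_address(dst)
        for name, net in self.inside.items():
            if addr in net:
                return name
        return "wan"

    def expire(self, now: float) -> None:
        """Age out idle mappings; this is what keeps a UDP NAPT table bounded."""
        for key, (pport, seen) in list(self.outbound.items()):
            timeout = self.udp_timeout if key[0] == "udp" else self.tcp_timeout
            if now - seen > timeout:
                del self.outbound[key]
                self.inbound.pop((key[0], pport, key[3], key[4]), None)

    def forward_outbound(self, pkt: Packet, now: float):
        """Packet arriving on a VLAN interface.  Returns (egress interface, packet as sent)."""
        self.expire(now)
        out = self.egress_interface(pkt.dst)
        if out != "wan":
            return out, pkt                      # inter-VLAN: routed, never translated
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.outbound:
            pport = self.outbound[key][0]        # reuse the existing translation
        else:
            pport = self.next_port               # allocate a fresh public port
            self.next_port += 1
            self.inbound[(pkt.proto, pport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.outbound[key] = (pport, now)        # refresh last_seen
        return out, Packet(pkt.proto, self.wan_ip, pport, pkt.dst, pkt.dport)

    def forward_inbound(self, pkt: Packet, now: float):
        """Packet arriving on the WAN interface: reverse-translate if state exists, else drop."""
        self.expire(now)
        hit = self.inbound.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            return None, None                    # unsolicited: no mapping, dropped
        priv_ip, priv_port = hit
        self.outbound[(pkt.proto, priv_ip, priv_port, pkt.src, pkt.sport)] = (pkt.dport, now)
        inner = Packet(pkt.proto, pkt.src, pkt.sport, priv_ip, priv_port)
        return self.egress_interface(priv_ip), inner


def make_router() -> ToyRouter:
    """Constructed topology: two customer VLANs behind one public address."""
    return ToyRouter(
        inside={"vlan1": ipaddress.ip_network("10.0.1.0/24"),
                "vlan2": ipaddress.ip_network("10.0.2.0/24")},
        wan_ip="203.0.113.1",
    )


if __name__ == "__main__":
    r = make_router()
    print(r.forward_outbound(Packet("tcp", "10.0.1.5", 5000, "10.0.2.7", 80), 0))
    print(r.forward_outbound(Packet("udp", "10.0.1.5", 5000, "198.51.100.9", 53), 0))
    print(r.forward_inbound(Packet("udp", "198.51.100.9", 53, "203.0.113.1", 40000), 10))
    print(r.forward_inbound(Packet("udp", "198.51.100.9", 53, "203.0.113.1", 40000), 45))
```

Running the script shows the inter-VLAN packet leaving on vlan2 with its private source intact, the DNS query leaving the WAN rewritten to 203.0.113.1:40000, the reply at t=10 being mapped back to 10.0.1.5:5000, and the same reply at t=45 being dropped because the UDP mapping has been idle longer than 30 seconds. A TCP mapping created in the same way is still present at that point, which is the "cleanup only" behaviour the answer describes.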