Why are services unavailable after N:1 VLAN-MAPPING is configured for a port


The reverse (backward) traffic of N:1 VLAN mapping does not support broadcast, unknown unicast, or reserved multicast. Therefore, the device on the N side must ping the peer device first; the peer device cannot be the first to ping a downstream device on the N side. This has a huge impact on services, so do not use this function on a live network.

Other related questions:
Why resources are insufficient after N:1 VLAN mapping is configured
In V100R003 and later versions, the reverse traffic of N:1 VLAN mapping is matched against the mapped VLAN and the source MAC address of the original packets. The system delivers ACL rules that replace the VLAN ID of the original packets, which consumes a large number of ACL resources.

IPSec is unavailable when both IPSec and NAT are configured on an interface of the AR
If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect because the device performs NAT before IPSec. Use either of the following methods:
- In the ACL referenced by NAT, deny the traffic whose destination IP address is the destination IP address in the ACL referenced by IPSec. The device then does not perform NAT on the data flow protected by IPSec.
- Ensure that the ACL rule referenced by IPSec matches the NAT-translated IP address.
Note: After the deny rule is defined, you are advised to run the reset session all or reset nat session all command to re-establish the flow table so that no incorrect NAT entries remain. If services are transmitted in only one direction, check whether a NAT policy is applied on the device. If so, perform the operations described above.
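The first method above, written out as an added configuration example (it is not part of the original page or Huawei's documentation). The addresses 192.168.1.0/24 (local site), 192.168.2.0/24 (remote IPSec site), the interface GigabitEthernet0/0/1 and the IPSec policy name policy1 are constructed assumptions; the IPSec policy itself (IKE peer, proposal, and so on) is assumed to exist already.

```text
# ACL 3001 is referenced by NAT: traffic to the remote IPSec site is denied (not translated),
# everything else from the local site is permitted (translated). Addresses are constructed.
[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001] rule 10 permit ip source 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3001] quit
# ACL 3002 is referenced by the IPSec policy: its destination matches the deny rule in ACL 3001.
[Huawei] acl number 3002
[Huawei-acl-adv-3002] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3002] quit
# Apply NAT and the (assumed, pre-existing) IPSec policy policy1 on the same outbound interface.
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] nat outbound 3001
[Huawei-GigabitEthernet0/0/1] ipsec policy policy1
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] return
# Clear stale NAT sessions so that flows created before the deny rule are rebuilt.
<Huawei> reset session all
```

The check after applying this is that the ACL referenced by IPSec (3002) and the deny rule in the NAT ACL (3001) describe the same source/destination pair; if they drift apart, part of the protected flow is translated first and the IPSec policy no longer matches it.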

PPTP VPN service is unavailable after NAT is configured on an AR
No matter whether the PPTP server is on the public or private network, a NAT-enabled AR cannot translate the Data field that contains IP addresses or port numbers. To resolve this problem, enable the NAT ALG function.
For example, enable the NAT ALG function for PPTP as follows:
<Huawei> system-view  
[Huawei] nat alg pptp enable
NAT ALG for PPTP applies in either of the following scenarios: the PPTP client is on the private network, or the PPTP server is on the private network.
When the PPTP client is on the private network and the PPTP server is on the public network, the Client-Call-ID field is translated.
When the PPTP server is on the private network and the PPTP client is on the public network, the Server-Call-ID field is translated.

FTP server cannot be accessed after NAT is configured on an AR
No matter whether intranet users access the FTP server on the public network or the IP address of the FTP server on the private network is mapped to a public IP address by a NAT server, the NAT ALG function for FTP needs to be enabled.
For example, enable the NAT ALG function for FTP as follows:
<Huawei> system-view  
[Huawei] nat alg ftp enable
Reason:
NAT and NAPT can translate only IP addresses in the IP packet header and the port numbers in the TCP/UDP header. For some special protocols such as FTP, IP addresses or port numbers may be contained in the Data field of the protocol packets. Therefore, NAT cannot translate the IP addresses or port numbers. A good way to solve the NAT issue for these special protocols is to use the application level gateway (ALG) function.
As a special translation agent for application protocols, the ALG interacts with the NAT-enabled device to establish states. It uses NAT state information to change the specific data in the Data field of IP datagram and complete other necessary work, so that application protocols can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because the IP address is carried in the Data field. The host on the external network then uses the private address carried in the IP packet and finds that the FTP server is unreachable.
After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT device. Otherwise, the application protocol cannot work normally.
If the FTP server on the intranet listens on a non-standard port and port mapping is configured for it, enabling NAT ALG for FTP alone is not enough: the FTP service works only after the mapping between that port and FTP is also configured.
The reason is that, after NAT ALG is enabled for FTP, FTP packets can traverse the NAT device only if the device recognizes them as FTP. Because the server uses port 27 instead of the standard FTP port, the device does not know that packets on port 27 are FTP packets, does not send them to the ALG, and the FTP service is affected.
To solve this problem, configure the mapping between the port and FTP:
[Huawei] acl 2005
[Huawei-acl-basic-2005] rule permit
[Huawei-acl-basic-2005] quit
[Huawei] port-mapping ftp port 27 acl 2005
