>>> 1 . What is the "BOX" nat1 , just a plain VM ( virtual machine ) <<<
Just a plain Linux machine, 2.6.32 or later kernel, same OS as host[ABC], but with ip_forward=1 and with iptables entries for NAT:
iptables -t nat -A POSTROUTING -o bond0.1 -j MASQUERADE
iptables -A FORWARD -i bond0.1 -o bond0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i bond0.2 -o bond0.1 -j ACCEPT
# plus some filters to drop non-SNMP traffic
>>> 2. Why are your internal chassis network not just a plain BRIDGE , is there any reason for using a VLAN ? <<<
It is "plain bridge" with 802.1q VLAN. I have never configured NAT translation using bridged interfaces, always routed. Is this even possible?
>>> 3. Why do you not want the SNMP request with external source IP to leave the HOSTS on internal then loop around via nat1 back ? ( if it is going out externally anyway , why not just let it go the normal shortest/fastest way ) <<<
If I understand your question, Several advantages:
- To reduce the number of entries in SNMP ACL's in the "rest of the network". In this example, reducing ACL entries from 3 to 1.
- To allow insertion of additional SNMP managers without editing SNMP ACL's in the "rest of the network". In this example, adding two new managers host[DE] is transparent to the "rest of the network".
- To allow relocation of SNMP managers without updating SNMP ACL's in the "rest of the network". Example: failover of all SNMP managers (host[ABC]) from one city to another due to a disaster.
In the case of just three managers (host[ABC]) the advantages are not so great, but in the case of, say, 26 managers (host[A-Z]) the advantage becomes significant. In reality, the scale will be 5-20 managers per NAT, perhaps greater if the conntrack performance is acceptable.
��.n��������+%�������w��{.n����z���)���jg���������ݢj�����G��������j:+v���w�m������w�������h�����٥
