06 - CGN Configuration


05 – CGN LSN NAT44(4)

What is CGNAT?
Carrier Grade NAT (CGN or CGNAT), also known as Large Scale NAT (LSN), is a
means to solve the problem of the limited number of IP addresses available
in the 32-bit IPv4 address space. It employs translation devices built into
the operator's network to translate private network addresses into public
IPv4 addresses. Thus, a small pool of public addresses can be shared between
several end sites, which greatly expands the capacity of the existing network.

One CGN usage scenario was labeled NAT444 because some customer connections
to Internet services on the public Internet passed through three different
IPv4 addressing domains: the consumer's private network, the provider's
private network, and the public internet.

www.l8group.net
A10 CGN Solutions to Extend IPv4 (NAT44/444)

Types of CGNAT configuration

Static: in the static configuration, the port range is fixed for each inside client.

Dynamic: in the dynamic configuration, the port range is distributed according to usage.

Which type of configuration is better?

It depends!!!!

Fixed-NAT: alternate configuration mechanism
Map inside addresses to a public address and L4 port range
- Deterministic allocation
- L4 ports pre-allocated
  - User quota
  - Less / no logging
  - Easier environment provisioning?

Trade-off: L4 port usage efficiency

Fixed-NAT Dynamic Pool
Optional hybrid Fixed/Dynamic
- Reserves a dynamic pool on each NAT address
- IP Address Pooling – Paired (APP) still applies
- Dynamic pool use triggers logging

Components of a Fixed-NAT configuration

ACOS CGNv6 Fixed-NAT configuration has two required elements:
- Fixed-NAT config with inside IP addresses and NAT addresses
- Inside/outside interfaces

Define a Fixed-NAT
Configure Fixed-NAT at the global configuration level (command on one line):
cgnv6 fixed-nat inside 100.64.0.2 100.64.15.254 netmask /20 nat 192.0.2.225 192.0.2.254 netmask /27 dynamic-pool-size 5000 vrid 1

- Inside (private) addresses: 100.64.0.2 to 100.64.15.254 (4093 users)
- Outside (NAT, public) addresses: 192.0.2.225 to 192.0.2.254 (30 addresses)
- Netmask used for routing advertisements
- Ports reserved per NAT address for the dynamic pool (optional, dynamic-pool-size): 5000
- VRID used for HA
- 434 ports allocated to each user

Fixed NAT math
It's advised to create CGNAT with sharing ratios of 1/16, 1/32 or 1/64 (one public IP shared by 16, 32 or 64 clients).
Let's understand the quantity of ports:
We know that a single IP has 65535 ports, but as good practice we should preserve ports 0-1023, which are reserved as service ports.

So: 65535 – 1024 = 64511 usable ports

Ports per client: considering the need to serve 2048 clients with 2 thousand ports each, how many public IPs will I need?

$\frac{64511}{32} \approx 2000$ ports per user

$\frac{2048}{32} = 64$ public IPs

$\frac{64511}{64} \approx 1000$ ports per user
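The ratio arithmetic on this slide and the 434-ports-per-user figure from the fixed-nat example earlier (4093 inside users, 30 NAT addresses, dynamic-pool-size 5000), worked through as an added Python example that is not part of the deck. The fixed-nat function assumes an allocation model (inside users spread evenly across the NAT addresses, each user pinned to one NAT address, the dynamic-pool ports taken off every NAT address first); that assumption reproduces the slide's 434.

```python
"""Fixed-NAT capacity arithmetic (added example, based on the slide's figures)."""
import ipaddress
import math

MAX_PORT = 65535        # the slide counts 65535 ports per public address
RESERVED_PORTS = 1024   # ports 0-1023 kept free as service ports

def usable_ports() -> int:
    """Ports per public address after reserving 0-1023: 65535 - 1024 = 64511."""
    return MAX_PORT - RESERVED_PORTS

def ratio_plan(clients: int, ratio: int) -> tuple:
    """Share each public IP among `ratio` clients (1/16, 1/32, 1/64 ...).
    Returns (public IPs needed, whole ports available per user)."""
    return math.ceil(clients / ratio), usable_ports() // ratio

def public_ips_for(clients: int, ports_per_user: int) -> int:
    """Public IPs needed so every client gets at least `ports_per_user` ports."""
    users_per_ip = usable_ports() // ports_per_user   # 2000 ports -> 32 users per IP
    return math.ceil(clients / users_per_ip)

def _range_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive start..end range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1

def fixed_nat_ports_per_user(inside_start: str, inside_end: str,
                             nat_start: str, nat_end: str,
                             dynamic_pool_size: int = 0) -> int:
    """Ports each inside user receives from a fixed-nat range.
    Assumed model (not taken from ACOS documentation): users are spread evenly
    over the NAT addresses, each pinned to one NAT address, and the
    dynamic-pool-size ports are removed from every NAT address first."""
    users_per_nat = math.ceil(_range_size(inside_start, inside_end)
                              / _range_size(nat_start, nat_end))
    return (usable_ports() - dynamic_pool_size) // users_per_nat

if __name__ == "__main__":
    print(ratio_plan(2048, 32))        # (64, 2015): about 2000 ports per user
    print(public_ips_for(2048, 2000))  # 64 public IPs
    print(ratio_plan(2048, 64))        # (32, 1007): about 1000 ports per user
    print(fixed_nat_ports_per_user("100.64.0.2", "100.64.15.254",
                                   "192.0.2.225", "192.0.2.254", 5000))  # 434
```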

Components of a NAT44(4) LSN configuration
Aka Dynamic-NAT

ACOS CGNv6 configuration has five required elements:
- NAT pool
- Limit ID (LID)
- Class list of IP addresses / subnets
- Source class-list binding
- Inside/outside interfaces

Define a NAT Pool
Configure NAT pools at the global configuration level:
cgnv6 nat pool NAT1 192.0.2.224 192.0.2.254 netmask /27 vrid 1

- Name of pool: NAT1
- Start address: 192.0.2.224
- End address (optional): 192.0.2.254
- Netmask used for routing advertisements
- VRID used for HA

Additional features (specific to cgnv6 nat pools):
cgnv6 nat pool NAT1 exclude-ip 192.0.2.230 [to 192.0.2.235]
cgnv6 nat pool NAT2 192.0.2.208 netmask /28

Define NAT Pool Group (Best Practice)
Configure NAT pool groups at the global configuration level:
cgnv6 nat pool-group NAT-Group
  member NAT1
  member NAT2
  member NAT3

Edit pool group members while the group is assigned to an LSN-LID:
- Remove member, edit member, re-add member
- Add a new member to add more NAT addresses

All members must share the same VRID group.

Configuring IP address selection algorithms

cgnv6 lsn ip-selection round-robin

The algorithm for IP address selection from the NAT pool is configurable on a global basis.

User Quotas
- Reserve resources for individuals to provide predictable behavior
- Restrict an individual's usage to preserve resources for everyone

Define LSN Limit IDs (LID) – the policy
LIDs define the policy, i.e., the rules.
Configure LSN-LIDs at the global configuration level:

cgnv6 lsn-lid 1
  source-nat-pool NAT-Group
  user-quota icmp 50
  user-quota udp 250
  user-quota tcp 250

cgnv6 lsn-lid 1023
  override drop

Understanding class lists
- Classifies/segments address space into groups
- Set of IP host or subnet addresses and their mapping to LSN LIDs
- 1 list -> 64,000 subnets and 8 million host IP addresses
- Each entry (row) defines a class
- Supports IPv4 or IPv6 addresses
- Define inline or as an external file
- Up to 255 class lists can be created
- Only 1 can be used for LSN: only 1 is bound to lsn inside source
- Matches on IP SRC addresses

Define and Bind LSN Class List
Create the class list at the global configuration level:
class-list CL_CGN1
  100.64.1.0/24 lsn-lid 1        (subnet class)
  100.64.254.123 lsn-lid 2       (host class)
  100.64.8.6/32 lsn-lid 3        (host class)
  0.0.0.0/0 lsn-lid 1023         (wildcard class)

Bind the class list to LSN at the global configuration level:

cgnv6 lsn inside source class-list CL_CGN1
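To see how the class list above selects a LID for an inside source address and what the LID policy then does with the flow, here is an added Python model (not ACOS code) that applies the CL_CGN1 entries together with the lsn-lid 1 and lsn-lid 1023 policies from the LID slide. It assumes the most specific (longest-prefix) class entry wins when entries overlap; that is a stated assumption, not something the deck says.

```python
"""Model of an LSN class list mapping inside source IPs to LSN-LIDs (added example)."""
import ipaddress

# Class list CL_CGN1 as configured on the slide: (prefix, lsn-lid)
CL_CGN1 = [
    ("100.64.1.0/24", 1),      # subnet class
    ("100.64.254.123", 2),     # host class
    ("100.64.8.6/32", 3),      # host class
    ("0.0.0.0/0", 1023),       # wildcard class
]

# LID policies from the LSN-LID slide: pool to translate from, per-protocol
# session quotas, and whether the LID overrides translation with a drop.
# LIDs 2 and 3 are referenced by the class list but not defined on the deck.
LIDS = {
    1: {"source_nat_pool": "NAT-Group",
        "user_quota": {"icmp": 50, "udp": 250, "tcp": 250}, "override": None},
    1023: {"source_nat_pool": None, "user_quota": {}, "override": "drop"},
}

def lookup_lid(class_list, src_ip: str) -> int:
    """Return the LID of the most specific class-list entry matching src_ip.
    Assumption: longest-prefix match decides between overlapping entries, so
    the 0.0.0.0/0 wildcard only catches addresses no other entry covers."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, lid in class_list:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, lid)
    if best is None:
        raise LookupError(f"{src_ip} matches no class-list entry")
    return best[1]

def decide(src_ip: str, proto: str, open_sessions: int) -> str:
    """Apply the matched LID's policy to a new flow from src_ip:
    drop, refuse because the per-user quota is already used up, or translate."""
    lid = lookup_lid(CL_CGN1, src_ip)
    policy = LIDS.get(lid)
    if policy is None:
        raise LookupError(f"lsn-lid {lid} is not configured")
    if policy["override"] == "drop":
        return f"lid {lid}: drop"
    quota = policy["user_quota"].get(proto)
    if quota is not None and open_sessions >= quota:
        return f"lid {lid}: {proto} user-quota {quota} exceeded"
    return f"lid {lid}: translate via {policy['source_nat_pool']}"
```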

Configure Inside and Outside LSN interfaces
- IP inside NAT interfaces: ingress for traffic to be NATed (client side)
- IP outside NAT interface: ingress for return traffic (everything else)
- More than 1 allowed

AX1(config)# interface eth 1
AX1(config-if:Ethernet:1)# ip nat inside

AX1(config)# interface ve 200
AX1(config-if:ve:200)# ip nat outside

Troubleshooting LSN
Confirm ip nat inside/outside:
show interfaces [ethernet 1 | ve 100]

Check config (esp. "lsn inside source", "lsn-lid", "nat pool-group"):
sh running-config cgnv6
or
sh running-config | sec cgnv6\|class

Check class lists:
sh class-list [CL_NAME]

Check NAT pools:
sh cgnv6 nat pool [statistics]

Troubleshooting LSN Sessions
Check sessions:
show session […]
show session filter <filter>

Clear sessions:
clear session [all | filter <filter>]

Check sessions for an internal (NATed) user:
sh cgnv6 lsn inside-user <user.inside.IP.addr>

Check sessions tied to an external NAT address:
sh cgnv6 lsn nat-address <NAT.pool.IP.addr>

Check user-quota related details:
sh cgnv6 lsn user-quota-sessions […]
