Deterministic Large Scale NAT44

This chapter provides information about deterministic large scale NAT44 configurations.

Applicability

The information and configuration in this chapter was initially based on SR OS Release 11.0.R3, and is updated to SR OS Release 14.0.R4.

Overview

Deterministic Network Address Translation (NAT) is a mode of operation where mappings between the NAT subscriber and the outside IP address and port range are allocated at the time of configuration.

In deterministic NAT for Large Scale NAT IPv4-to-IPv4 (LSN44) subscribers, each LSN44 subscriber is permanently mapped to an outside IP address and a dedicated (deterministic) port-block based on a specific algorithm.

Logging is not needed in this case because the reverse mapping can be obtained using the reverse of the preceding algorithm.

A deterministic LSN44 subscriber can have only one deterministic port-block, which can optionally be extended by one or more dynamic port-blocks when all ports in the deterministic port-block are exhausted.

If an LSN44 subscriber has been assigned both deterministic and dynamic port-blocks, logging of the dynamic port-block allocation and de-allocation is required.

A scalable logging solution for dynamic port-blocks is achievable using RADIUS or IPFIX.

Logging for dynamic port-blocks is out of the scope of this chapter.

Figure 1. Deterministic NAT Mapping

Algorithm

The deterministic NAT algorithm makes a predictable mapping between the (inside IP, routing instance) and the (outside IP, routing instance, deterministic port block).

The algorithm is revertive, meaning that a given (outside IP, routing instance, deterministic port block) derives a given (inside IP, routing instance).

The algorithm is loosely based on draft-donley-behave-deterministic-cgn-00.txt, which allows for the dynamic expansion of the port-blocks once the ports in the original deterministic port-block are exhausted.

Figure 2. Deterministic NAT Algorithm

Deterministic mapping

Any inside prefix in any routing instance can be mapped to any pool in any routing instance.

In deterministic NAT, prefixes from multiple routing instances can be mapped to the same outside pool, and prefixes from a single inside routing instance can be selectively mapped to different outside pools.

Figure 3. Deterministic Mapping: Inside -> Outside Routing Instances

Mapping rules

A deterministic LSN44 subscriber is mapped to only one deterministic block which can further be extended to multiple dynamic blocks if ports within the deterministic block are exhausted.

The subscriber-limit is the number of subscribers that can be deterministically mapped to one outside IP address (that is, the compression ratio) and must be a power of 2.

The total number of deterministic ports (DetP) per outside IP address is determined by this subscriber-limit and the number of deterministic ports per subscriber.

The remaining ports (DynP) beyond the deterministic port range, up to 65535, are dedicated to dynamic use when a deterministic block is exhausted.

Every host using an inside prefix is guaranteed one dedicated block in the deterministic port ranges.

If the inside prefix length is m < 32-n, where 2^n=subscriber-limit, then the prefix must be broken into pieces so that all hosts (subscriber-limit) in each piece map exactly to one outside IP address.

For example, if there is an inside prefix 192.168.0.0/23, with m=23 and a maximum number of 256 hosts, and the subscriber-limit set to 256, then n=8. This results in 23 < 24 (32-8), so this inside prefix has to be broken into 2 pieces; in other words, this inside prefix fits into 2 outside IP addresses, each with 256 port-blocks.

If the prefix length is m ≥ 32-n, where 2^n=subscriber-limit, then all hosts from the configured prefix are mapped to the same outside IP address.

For example, if there is an inside prefix 192.168.1.0/25, with m=25 and a maximum number of 128 hosts, and the subscriber-limit set to 256, then n=8. This results in 25 > 24 (32-8), so the 128 hosts fit in one outside IP address because 256 port-blocks are available; in other words, this inside prefix fits into one outside IP address where 128 of the 256 available port-blocks are used, and the rest (256-128) are wasted.

Overbooking of the outside address pool is not supported in deterministic NAT.

Figure 4. Deterministic mapping: outside IP port-blocks/ranges
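As an added example (not from this chapter or from the SR OS product code), the following Python models the mapping rules above: splitting an inside prefix into pieces, the per-outside-IP port budget (DetP and DynP), the forward mapping, and the reverse mapping that lets an operator attribute an (outside IP, port) pair to an inside address without a log record. It assumes that the deterministic block of the host with index i within a piece starts at port-forwarding-range + 1 + i * det-num-ports and that pieces take consecutive outside IP addresses from the map start; both agree with the show output later in this chapter (10.0.0.0 -> 192.168.0.1 [4024..4323], 10.0.0.255 -> 192.168.0.2 [42124..42423]) but are not stated here as the vendor's algorithm. The outside address 198.51.100.1 used for the /25 case is constructed.

```python
# Added example, not part of the SR OS documentation: a model of the
# deterministic LSN44 mapping rules (prefix splitting, port budget, forward and
# reverse mapping). Assumption: a host's deterministic block starts at
# port-forwarding-range + 1 + host_index * det_ports, and pieces take consecutive
# outside IPs from the map start; this matches the show output in the chapter.
import ipaddress


def split_prefix(inside_prefix, subscriber_limit):
    """Split an inside prefix into pieces of at most subscriber_limit hosts.

    With 2^n = subscriber-limit and prefix length m: if m < 32-n the prefix is
    broken into /(32-n) pieces, one outside IP each; if m >= 32-n the whole
    prefix maps to a single outside IP (and unused port-blocks are wasted).
    """
    if subscriber_limit <= 0 or subscriber_limit & (subscriber_limit - 1):
        raise ValueError("subscriber-limit must be a power of 2")
    net = ipaddress.IPv4Network(inside_prefix)
    n = subscriber_limit.bit_length() - 1
    piece_len = 32 - n
    if net.prefixlen >= piece_len:
        return [net]
    return list(net.subnets(new_prefix=piece_len))


def port_budget(subscriber_limit, det_ports, pfr, dyn_ports):
    """Per outside IP: deterministic range (DetP) above the static
    port-forwarding range, and what is left for dynamic blocks (DynP)."""
    det_last = pfr + subscriber_limit * det_ports
    if det_last > 65535:
        raise ValueError("subscriber-limit * det_ports does not fit above the port-forwarding-range")
    dyn_total = 65535 - det_last
    return {
        "det_range": (pfr + 1, det_last),
        "DetP": subscriber_limit * det_ports,
        "DynP": dyn_total,
        "dynamic_blocks": dyn_total // dyn_ports,
    }


def deterministic_map(inside_prefix, subscriber_limit, det_ports, pfr, outside_start):
    """Forward mapping: inside IP -> (outside IP, first port, last port)."""
    if pfr + subscriber_limit * det_ports > 65535:
        raise ValueError("deterministic range exceeds port 65535")
    table = {}
    first_out = ipaddress.IPv4Address(outside_start)
    for piece_idx, piece in enumerate(split_prefix(inside_prefix, subscriber_limit)):
        outside_ip = str(first_out + piece_idx)
        # Iterating a network yields every address, network and broadcast
        # included; the chapter maps 10.0.0.0 and 10.0.0.255 as hosts too.
        for host_idx, host in enumerate(piece):
            lo = pfr + 1 + host_idx * det_ports
            table[str(host)] = (outside_ip, lo, lo + det_ports - 1)
    return table


def reverse_map(outside_ip, port, inside_prefix, subscriber_limit, det_ports, pfr, outside_start):
    """Reverse mapping without a log: (outside IP, port) -> inside IP.

    Returns None when the port is outside the deterministic range (static
    port-forwarding range, a dynamic block, or an unused block of a short
    piece); for a dynamic block a log record is the only way to attribute it.
    """
    pieces = split_prefix(inside_prefix, subscriber_limit)
    piece_idx = int(ipaddress.IPv4Address(outside_ip)) - int(ipaddress.IPv4Address(outside_start))
    if not 0 <= piece_idx < len(pieces) or port <= pfr:
        return None
    host_idx = (port - pfr - 1) // det_ports
    if host_idx >= subscriber_limit or host_idx >= pieces[piece_idx].num_addresses:
        return None
    return str(pieces[piece_idx][host_idx])


if __name__ == "__main__":
    # Case 1 values: subscriber-limit 128, det port-reservation 300, pfr 4023.
    table = deterministic_map("10.0.0.0/24", 128, 300, 4023, "192.168.0.1")
    print(table["10.0.0.0"], table["10.0.0.255"])
    print(reverse_map("192.168.0.2", 42200, "10.0.0.0/24", 128, 300, 4023, "192.168.0.1"))
    print(port_budget(128, 300, 4023, 180))
```

Run as a script it prints the first and last host mapping of 10.0.0.0/24, the reverse lookup of port 42200 on 192.168.0.2 (which lands on 10.0.0.255), and the port budget of nat-pool-1; a reverse lookup of a port above the deterministic range returns None, which is exactly the case where the dynamic-block log record is needed.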

Configuration

Figure 5. Example topology

Configuration prerequisites

Card and MDA configuration.

configure
    card 2
        card-type iom3-xp
        mda 1
            mda-type isa-bb
            no shutdown
        exit
        mda 2
            mda-type isa-bb
            no shutdown
        exit
        no shutdown
    exit
exit
Note:

Private address ranges are used in outside pools within this chapter but normally public address ranges would be used.

Create the NAT group, and add the MS-ISAs created above to the NAT group; up to 10 MS-ISAs of type isa-bb can be configured under the NAT group.

configure
    isa
        nat-group 1 create
            mda 2/1
            mda 2/2
            active-mda-limit 1
            no shutdown
        exit
    exit
exit

Configuration commands

A NAT outside pool is configured using the following command:

configure {router | service vprn <service-id>}
  nat
    outside
      pool <nat-pool-name> [nat-group <nat-group-id> type <pool-type> create]
        port-reservation {blocks <num-blocks> | ports <num-ports>}
        port-forwarding-range <range-end>
        subscriber-limit <subscriber-limit>
        deterministic
          port-reservation <det-num-ports>
        exit
        address-range <start-ip-address> <end-ip-address> create
        exit
      exit
    exit
  exit

where:

nat-pool-name — Specifies the name of the NAT pool, up to 32 characters.

nat-group-id — Specifies the NAT group ID. The values are 1 to 4.

pool-type — Specifies the pool type (large-scale).

num-blocks — Specifies the number of dynamic port-blocks per outside IP address. The values are 1 to 64512.

num-ports — Specifies the number of ports per dynamic block. The values are 1 to 32256.

range-end — Specifies the upper limit of the port range available for static port forwarding. The values are 1023 to 65535.

subscriber-limit — Specifies the maximum number of subscribers per outside IP address. For deterministic NAT it must be a power of 2 (2^n): [1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768]. For non-deterministic NAT the values are 1..65535 (default: 65535).

det-num-ports — Specifies the number of ports in a deterministic port block that is allocated and dedicated to a single subscriber at configuration time. The values are 1..65535.

start-ip-address — Specifies the first outside IP address in the a.b.c.d format.

end-ip-address — Specifies the last outside IP address in the a.b.c.d format.

Note:
  • When the subscriber limit equals 1, each subscriber is mapped to a single outside IP address, though the NAPT (port translation) function is still performed.

  • 1:1 NAT mode in combination with deterministic NAT is not supported.

A NAT policy is configured using the following command:

configure service nat 
 nat-policy <nat-policy-name> [create]
    block-limit <[1..40]>
    pool <nat-pool-name> {router <router-instance> | service-name <service-name>} 
 exit

where:

nat-policy-name — Specifies the NAT policy name, up to 32 characters.

block-limit — The maximum number of deterministic plus dynamic port blocks that can be assigned to a single inside IP address. In other words, the maximum number of dynamic port blocks that can be assigned to an inside IP address once the deterministic port block is exhausted equals (block-limit - 1).

nat-pool-name — Specifies the NAT pool name, up to 32 characters.

router-instance — Specifies the router instance the pool belongs to, either by router name or service ID: <router-name> | <service-id>, where the router name is Base and the service-id is in the range [1..2147483647].

service-name — Specifies the name of the service up to 64 characters max.

A NAT inside prefix is configured using the following command:

configure [router| service vprn <service-id>]
    nat 
        inside
            classic-lsn-max-subscriber-limit <max>
            deterministic
                prefix <ip-prefix/length> subscriber-type <nat-sub-type> 
                nat-policy <nat-policy-name> create
                    map start <lsn-sub-address> end <lsn-sub-address> to <outside-ip-address>
                    no shutdown
                exit
            exit
        exit
    exit

where:

max — The power of 2 (2^n) number that must match the largest subscriber-limit in any deterministic pool referenced from this inside routing instance. The range for this command is the same as for the subscriber-limit command under the pool hierarchy. The values are 1, 2, 4, 8, ..., 32768.

ip-prefix/length — A prefix on the inside encompassing subscribers that will be deterministically mapped to an outside IP address and port block in the corresponding pool. The format is <ipv4-prefix>/<ipv4-prefix-length> | <ipv6-prefix>/<ipv6-prefix-length>, where:

  • ipv4-prefix — a.b.c.d (host bits must be 0)

  • ipv4-prefix-length — [0..32]

  • ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, with x in [0..FFFF]H and d in [0..255]D

  • ipv6-prefix-length — [0..128]

nat-sub-type — Specifies the subscriber type: classic-lsn-sub.

nat-policy-name — Specifies a NAT policy name up to 32 characters in length.

The following rules apply to the classic-lsn-max-subscriber-limit:

  • Should be greater than or equal to the largest subscriber-limit of all pools referenced by the NAT policies within the corresponding inside routing instance.

  • Must be configured before any inside prefix configuration.

  • Must be 2^n and affects the ingress hashing of deterministic subscribers and also non-deterministic subscribers in case both are configured under the same inside router instance.

Three cases are now configured to demonstrate the use of deterministic and dynamic port-blocks:

  • Case 1: Mapping multiple prefixes from the same VRF (VPRN 15001) into the same outside pool, routing instance "Base".

  • Case 2: Mapping multiple prefixes from the same VRF (VPRN 15001) into different outside pools, routing instance VPRN 15002.

  • Case 3: Mapping overlapping prefixes from different VRFs (VPRN 15001 and VPRN 15002) into the same outside pool, routing instance "Base".

In each case all of the traffic is NATed.

Case 1

Configured with:

  • Mapping multiple prefixes of the same VRF into the same outside pool.

  • NAT all traffic.

Figure 6. Case 1

The NAT outside pool is configured as follows:

configure
    router
        nat
            outside
                pool "nat-pool-1" nat-group 1 type large-scale create
                    port-reservation ports 180
                    port-forwarding-range 4023
                    subscriber-limit 128
                    deterministic
                        port-reservation 300
                    exit
                    address-range 192.168.0.1 192.168.0.100 create
                    exit
                    no shutdown
                exit
            exit
        exit
    exit
exit

The NAT policy is configured as follows:

configure 
    service
        nat
            nat-policy "nat-policy-1" create
                block-limit 4
                pool "nat-pool-1" router Base
            exit
        exit
    exit
exit

The NAT inside prefixes are configured as follows:

configure 
    service 
        vprn 15001 customer 1 create
            nat
                inside
                    destination-prefix 0.0.0.0/0
                    classic-lsn-max-subscriber-limit 256
                    deterministic
                        prefix 10.0.0.0/24 subscriber-type classic-lsn-sub 
                        nat-policy "nat-policy-1" create
                            map start 10.0.0.0 end 10.0.0.255 to 192.168.0.1
                            no shutdown
                        exit
                        prefix 10.10.4.0/22 subscriber-type classic-lsn-sub 
                        nat-policy "nat-policy-1" create
                            map start 10.10.4.0 end 10.10.7.255 to 192.168.0.3
                            no shutdown
                        exit
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

The map statements are created automatically when the prefix is created and set to no shutdown.

Show commands

The subscriber-limit is set to 128 for the 10.0.0.0/24 prefix, so it is broken into two smaller /25 prefixes. Each of these smaller prefixes is mapped to a specific outside IP address.

To show the first Large Scale NAT (LSN) subscriber of the first /25 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-router 15001 inside-ip 10.0.0.0
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.0.0.0]
NAT policy                  : nat-policy-1
Subscriber ID               : 276824064
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.0.0.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.0.1
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last subscriber mapping to the same 192.168.0.1 outside IP address has inside address 10.0.0.127.

To show the first LSN subscriber of the second /25 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-router 15001 inside-ip 10.0.0.128
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.0.0.128]
NAT policy                  : nat-policy-1
Subscriber ID               : 276824192
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.0.0.128/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.0.2
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last subscriber mapping to the same 192.168.0.2 outside IP address has inside address 10.0.0.255.

To show the base router LSN blocks corresponding to the first inside IP address within the 10.0.0.0/24 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.0
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.1 [4024..4323]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.0
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the base router LSN blocks corresponding to the last inside IP address within the 10.0.0.0/24 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.255
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.2 [42124..42423]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.255
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

The subscriber-limit is 128 for the 10.10.4.0/22 prefix, so it is broken into eight /25 prefixes. Each of these smaller prefixes is mapped to a specific outside IP address.

To show the first LSN subscriber of the first /25 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.10.4.0
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.10.4.0]
NAT policy                  : nat-policy-1
Subscriber ID               : 276824320
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.10.4.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.0.3
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last subscriber mapping to the same 192.168.0.3 outside IP address has inside address 10.10.4.127.

To show the first LSN subscriber of the last /25 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.10.7.128
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.10.7.128]
NAT policy                  : nat-policy-1
Subscriber ID               : 276825216
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.10.7.128/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.0.10
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

To show the base router LSN blocks corresponding to the first inside IP address within the 10.10.4.0/22 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.10.4.0
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.3 [4024..4323]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.10.4.0
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the base router LSN blocks corresponding to the last inside IP address within the 10.10.4.0/22 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.10.7.255
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.10 [42124..42423]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.10.7.255
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

Mapping results

According to this configuration, each inside IP address has one deterministic block of 300 ports and can have up to three dynamic blocks (block-limit = 4) each of 180 ports, allowing a maximum of 300+3*180 = 840 flows.

Figure 7. Case 1 results

Sending flows

For the inside IP 10.0.0.1, several UDP flows are sent and both the deterministic and dynamic block mappings are verified.

Figure 8. Case 1 flows

When sending 300 UDP flows or fewer, all flows are mapped to the single deterministic block, because a deterministic block holds 300 ports. No logging occurs, because only the deterministic block is used and no dynamic block is allocated.

To show LSN blocks on the outside routing instance Base and the outside ports allocated for the inside IP 10.0.0.1, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.1

===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.1 [4324..4623]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1

-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

When the number of flows is increased such that 301 < number of flows < 480:

  • In addition to the deterministic block (300 ports), there will be an extension by 1 dynamic block of 180 ports (port-reservation=180).

  • Logging occurs for the dynamic port-block.

To show the base router LSN blocks and the outside ports allocated to the inside IP address 10.0.0.1, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.1
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.1 [4324..4623]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44044..44223]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:40:41
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
-------------------------------------------------------------------------------
Number of blocks: 2
===============================================================================
*A:PE1#

Logging is verified using Log 99 (provided event-control is set to generate NAT events), which shows the mapping details of the new dynamic block as follows:

2 2016/10/28 12:40:41.51 UTC MINOR: NAT #2012 Base NAT
"{12} Map  192.168.0.1 [44044-44223] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:40:41"

When the number of flows is increased such that 481 < number of flows < 660:

  • In addition to the deterministic block (300 ports), there will be an extension by 2 dynamic blocks of 180 ports each.

  • Logging occurs for the dynamic port-blocks.

To show LSN blocks on the outside routing instance Base and the outside ports allocated for the inside IP 10.0.0.1, the following command is used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.1
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.1 [4324..4623]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44044..44223]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:40:41
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44224..44403]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:41:52
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
-------------------------------------------------------------------------------
Number of blocks: 3
===============================================================================
*A:PE1#

Logging is verified using Log 99 (provided event-control is set to generate NAT events), which shows the mapping details of the new dynamic block as follows:

3 2016/10/28 12:41:52.66 UTC MINOR: NAT #2012 Base NAT
"{13} Map  192.168.0.1 [44224-44403] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:41:52"

When the number of flows is increased such that 661 < number of flows < 840:

  • In addition to the deterministic block (300 ports), there will be an extension by 3 dynamic blocks of 180 ports each.

  • Logging occurs for the dynamic port-blocks.

To show LSN blocks on the outside routing instance "Base" and the outside ports allocated for the inside IP 10.0.0.1, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.0.0.1
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.0.1 [4324..4623]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/27 11:18:59
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44044..44223]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:40:41
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44224..44403]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:41:52
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
192.168.0.1 [44404..44583]
Pool                                  : nat-pool-1
Policy                                : nat-policy-1
Started                               : 2016/10/28 12:43:46
Inside router                         : vprn15001
Inside IP address                     : 10.0.0.1
 
-------------------------------------------------------------------------------
Number of blocks: 4
===============================================================================
*A:PE1#

Logging is verified using Log 99 (provided event-control is set to generate NAT events), which shows the mapping details of the new dynamic block as follows:

4 2016/10/28 12:43:46.71 UTC MINOR: NAT #2012 Base NAT
"{14} Map  192.168.0.1 [44404-44583] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:43:46"

When the number of flows is increased beyond 840 (number of flows > 840):

  • No further extension by dynamic blocks is allowed (block-limit = 4).

  • Any flows beyond 840 are dropped and the relevant NAT statistics are incremented.
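As an added example (not from this chapter or from the SR OS product code), the following Python reproduces the block accounting of the Case 1 flow tests (a deterministic block of 300 ports, dynamic blocks of 180 ports, block-limit 4) and audits NAT Map events in the Log 99 format shown above, reporting per inside IP how many dynamic blocks have been allocated and whether the subscriber has reached its block-limit, which is the point at which further flows are dropped. The regular expression is written for the exact line layout shown on this page (an assumption); only allocation ("Map") records appear in this chapter, so de-allocation records are not parsed. The sample log lines are copied from the Log 99 excerpts above.

```python
# Added example, not part of the SR OS documentation: block accounting for the
# Case 1 flow tests and an audit of NAT Map events in the Log 99 format shown
# in this chapter. The regex is an assumption about that exact line layout.
import re

DET_PORTS = 300     # deterministic port-reservation of nat-pool-1
DYN_PORTS = 180     # port-reservation ports (dynamic block size) of nat-pool-1
BLOCK_LIMIT = 4     # block-limit of nat-policy-1


def blocks_for_flows(flows, det_ports=DET_PORTS, dyn_ports=DYN_PORTS, block_limit=BLOCK_LIMIT):
    """Return (blocks in use, flows dropped) for one inside IP sending `flows`
    concurrent flows. At most block_limit - 1 dynamic blocks may be added."""
    if flows <= det_ports:
        return 1, 0
    dyn_needed = -(-(flows - det_ports) // dyn_ports)      # ceiling division
    max_dyn = block_limit - 1
    if dyn_needed <= max_dyn:
        return 1 + dyn_needed, 0
    capacity = det_ports + max_dyn * dyn_ports            # 840 for Case 1
    return block_limit, flows - capacity


# One Map event line as logged in Log 99 (allocation records only).
MAP_RE = re.compile(
    r'"\{(?P<seq>\d+)\} Map\s+(?P<out_ip>\d+\.\d+\.\d+\.\d+) '
    r'\[(?P<lo>\d+)-(?P<hi>\d+)\] MDA (?P<mda>\S+) -- (?P<sub_id>\d+) '
    r'(?P<sub_type>\S+) %\d+ (?P<in_router>\S+) (?P<in_ip>\d+\.\d+\.\d+\.\d+) '
    r'at (?P<ts>[^"]+)"'
)

# Copied from the Log 99 excerpts in this chapter.
SAMPLE_LOG = """\
2 2016/10/28 12:40:41.51 UTC MINOR: NAT #2012 Base NAT
"{12} Map  192.168.0.1 [44044-44223] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:40:41"
3 2016/10/28 12:41:52.66 UTC MINOR: NAT #2012 Base NAT
"{13} Map  192.168.0.1 [44224-44403] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:41:52"
4 2016/10/28 12:43:46.71 UTC MINOR: NAT #2012 Base NAT
"{14} Map  192.168.0.1 [44404-44583] MDA 2/1 -- 276824065 classic-lsn-sub %1 vprn15001 10.0.0.1 at 2016/10/28 12:43:46"
"""


def parse_map_events(log_text):
    """Extract the fields of every Map event line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = MAP_RE.search(line)
        if m:
            ev = m.groupdict()
            for k in ("seq", "lo", "hi", "sub_id"):
                ev[k] = int(ev[k])
            events.append(ev)
    return events


def audit_subscribers(log_text, block_limit=BLOCK_LIMIT, dyn_ports=DYN_PORTS):
    """Per (inside router, inside IP): dynamic blocks seen and audit flags.

    The deterministic block is never logged, so blocks in use = 1 + logged
    dynamic blocks. A subscriber at the block-limit has exhausted its ports and
    further flows are dropped; a block whose size differs from the configured
    dynamic port-reservation points at another pool or a parsing problem.
    """
    per_sub = {}
    for ev in parse_map_events(log_text):
        per_sub.setdefault((ev["in_router"], ev["in_ip"]), []).append((ev["out_ip"], ev["lo"], ev["hi"]))
    report = {}
    for key, blocks in per_sub.items():
        flags = []
        if 1 + len(blocks) >= block_limit:
            flags.append("at-block-limit")
        if any(hi - lo + 1 != dyn_ports for _, lo, hi in blocks):
            flags.append("unexpected-block-size")
        report[key] = {"dynamic_blocks": len(blocks), "outside_ip": blocks[0][0], "flags": flags}
    return report


if __name__ == "__main__":
    for n in (300, 301, 480, 481, 840, 841):
        print(n, blocks_for_flows(n))
    print(audit_subscribers(SAMPLE_LOG))
```

With the three Map events from this chapter the audit reports 3 dynamic blocks for vprn15001/10.0.0.1 and flags it as at the block-limit, which is consistent with the "Number of blocks: 4" show output and with flows beyond 840 being dropped; fed with a live Log 99 export the same function identifies subscribers that have run out of ports before their traffic is silently dropped.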

To verify NAT statistics, first check the NAT group/member and MS-ISA associated with the outside IP 192.168.0.1/32:

*A:PE1# show router route-table 192.168.0.1/32
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.168.0.1/32                                Remote  NAT       01d01h26m  0
       NAT outside to mda 2/1                                       0
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================
*A:PE1#

To check which group/member this MS-ISA belongs to, the following command can be used:

*A:PE1# show isa nat-group 1 members
 
===============================================================================
ISA Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio
-------------------------------------------------------------------------------
1     1          active         2/1  175        23648      < 1  N  0
-------------------------------------------------------------------------------
No. of members: 1
===============================================================================
*A:PE1#

To verify relevant statistics for this NAT group/member, the following command can be used:

*A:PE1# show isa nat-group 1 member 1 statistics | match flow
no matching flow                                        : 56818
max flow exceeded                                       : 0
TCP no flow for RST                                     : 0
TCP no flow for FIN                                     : 0
TCP no flow                                             : 128094
flow log failed                                         : 0
new flow                                                : 1470768
found flow                                              : 39661850
flow create logged                                      : 0
flow delete logged                                      : 0
flow log pkt tx                                         : 0
flow create failed, key ambiguous                       : 0
flow create failed, conflicting policies                : 0
*A:PE1#

Case 2

Configured with:

  • Mapping multiple prefixes from the same VRF into different outside pools.

  • NAT all traffic.

Figure 9. Case 2

The NAT outside pools are configured as follows:

configure
    service
        vprn 15002 customer 1 create
            nat
                outside
                    pool "nat-pool-2" nat-group 1 type large-scale create 
                        port-reservation ports 80
                        subscriber-limit 256
                        deterministic
                            port-reservation 180
                        exit
                        address-range 192.168.2.1 192.168.2.200 create
                        exit
                        no shutdown
                    exit
                    pool "nat-pool-3" nat-group 1 type large-scale create 
                        port-reservation ports 120
                        port-forwarding-range 4023
                        subscriber-limit 64
                        deterministic
                            port-reservation 840
                        exit
                        address-range 192.168.3.1 192.168.3.200 create
                        exit
                        no shutdown
                    exit
                exit
            exit
        exit
    exit
exit

The NAT policies are configured as follows:

configure
    service
        nat
            nat-policy "nat-policy-2" create
                block-limit 4
                pool "nat-pool-2" router 15002
            exit
            nat-policy "nat-policy-3" create
                block-limit 2
                pool "nat-pool-3" router 15002
            exit
        exit
    exit
exit

The NAT inside prefix is configured as follows:

configure 
    service 
        vprn 15001 customer 1 create
            nat
                inside
                    destination-prefix 0.0.0.0/0
                    classic-lsn-max-subscriber-limit 256
                    deterministic
                        prefix 10.1.0.0/23 subscriber-type classic-lsn-sub nat-policy "nat-policy-2" create
                            map start 10.1.0.0 end 10.1.1.255 to 192.168.2.1
                            no shutdown
                        exit
                        prefix 10.2.0.0/22 subscriber-type classic-lsn-sub nat-policy "nat-policy-3" create
                            map start 10.2.0.0 end 10.2.3.255 to 192.168.3.1
                            no shutdown
                        exit
                    exit
                exit
            exit
        exit
    exit
exit

Show commands

The subscriber-limit corresponding to the 10.1.0.0/23 prefix is 256, so the 10.1.0.0/23 prefix is broken into two /24 prefixes. Each of these smaller prefixes is mapped to a specific outside IP address.

To show the first LSN subscriber of the first /24 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.1.0.0
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.1.0.0]
NAT policy                  : nat-policy-2
Subscriber ID               : 276829472
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.1.0.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : 15002
Outside IP address          : 192.168.2.1
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last subscriber mapping to the same 192.168.2.1 outside IP address has inside address 10.1.0.255.

To show the first LSN subscriber of the second /24 prefix for inside routing instance 15001, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.1.1.0
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.1.1.0]
NAT policy                  : nat-policy-2
Subscriber ID               : 276829728
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.1.1.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : 15002
Outside IP address          : 192.168.2.2
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last subscriber mapping to the same 192.168.2.2 outside IP address has inside address 10.1.1.255.

To show the VPRN-15002 LSN blocks corresponding to the first inside IP address within 10.1.0.0/23 prefix, the following command can be used:

*A:PE1# show router 15002 nat lsn-blocks inside-ip 10.1.0.0
 
===============================================================================
Large-Scale NAT blocks for vprn15002
===============================================================================
192.168.2.1 [1024..1203]
Pool                                  : nat-pool-2
Policy                                : nat-policy-2
Started                               : 2016/10/28 12:53:23
Inside router                         : vprn15001
Inside IP address                     : 10.1.0.0
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the VPRN-15002 LSN blocks corresponding to the last inside IP address within 10.1.0.0/23 prefix, the following command can be used:

*A:PE1# show router 15002 nat lsn-blocks inside-ip 10.1.1.255
 
===============================================================================
Large-Scale NAT blocks for vprn15002
===============================================================================
192.168.2.2 [46924..47103]
Pool                                  : nat-pool-2
Policy                                : nat-policy-2
Started                               : 2016/10/28 12:53:23
Inside router                         : vprn15001
Inside IP address                     : 10.1.1.255
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

The subscriber-limit corresponding to the 10.2.0.0/22 prefix is 64, so the 10.2.0.0/22 prefix is broken into sixteen /26 prefixes. Each of these /26 prefixes is mapped to a specific outside IP address.

To show the first LSN subscriber for the inside routing instance 15001 for the first /26 prefix, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.2.0.0
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.2.0.0]
NAT policy                  : nat-policy-3
Subscriber ID               : 276829984
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.2.0.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : 15002
Outside IP address          : 192.168.3.1
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last inside address mapping to the 192.168.3.1 outside address is 10.2.0.63.

To show the first LSN subscriber for the inside routing instance 15001 for the last /26 prefix, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.2.3.192
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.2.3.192]
NAT policy                  : nat-policy-3
Subscriber ID               : 276830944
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.2.3.192/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : 15002
Outside IP address          : 192.168.3.16
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last inside address mapping to the 192.168.3.16 outside address is 10.2.3.255.

To show the VPRN-15002 LSN blocks corresponding to the first inside IP address within the 10.2.0.0/22 prefix, the following command can be used:

*A:PE1# show router 15002 nat lsn-blocks inside-ip 10.2.0.0
 
===============================================================================
Large-Scale NAT blocks for vprn15002
===============================================================================
192.168.3.1 [4024..4863]
Pool                                  : nat-pool-3
Policy                                : nat-policy-3
Started                               : 2016/10/28 12:53:23
Inside router                         : vprn15001
Inside IP address                     : 10.2.0.0
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the VPRN-15002 LSN blocks corresponding to the last inside IP within 10.2.0.0/22 prefix, the following command can be used:

*A:PE1# show router 15002 nat lsn-blocks inside-ip 10.2.3.255
 
===============================================================================
Large-Scale NAT blocks for vprn15002
===============================================================================
192.168.3.16 [56944..57783]
Pool                                  : nat-pool-3
Policy                                : nat-policy-3
Started                               : 2016/10/28 12:53:23
Inside router                         : vprn15001
Inside IP address                     : 10.2.3.255
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

Mapping results

According to this configuration, for the 10.1.0.0/23 prefix, each inside IP address has one deterministic block of 180 ports and can have up to three dynamic blocks (block-limit =4) each of 80 ports, allowing for a maximum of 180+3*80 = 420 flows.

Figure 10. Case 2: Prefix 10.1.0.0/23 results

According to this configuration, for the 10.2.0.0/22 prefix, each inside IP address has one deterministic block of 840 ports, and can have up to one dynamic block (block-limit =2) of 120 ports, allowing for a maximum of 840+120 = 960 flows.

Figure 11. Case 2: Prefix 10.2.0.0/22 results

Case 3

Configured with:

  • Mapping overlapping prefixes from different VRFs into the same outside pool.

  • NAT all traffic.

Figure 12. Case 3

The NAT outside pool is configured as follows:

configure
    router "Base"
        nat
            outside
                pool "nat-pool-4" nat-group 1 type large-scale create 
                    port-reservation ports 461
                    port-forwarding-range 4023
                    subscriber-limit 64
                    deterministic
                        port-reservation 500
                    exit
                    address-range 192.168.4.1 192.168.4.100 create
                    exit
                    no shutdown
                exit
            exit
        exit
    exit
exit

The NAT policy is configured as follows:

configure
    service
        nat
            nat-policy "nat-policy-4" create
                block-limit 4
                pool "nat-pool-4" router Base
            exit
        exit
    exit
exit

The NAT inside prefix is configured as follows:

configure 
    service 
        vprn 15001 customer 1 create
            nat
                inside
                    destination-prefix 0.0.0.0/0
                    classic-lsn-max-subscriber-limit 256
                    deterministic
                        prefix 10.5.0.0/20 subscriber-type classic-lsn-sub nat-policy "nat-policy-4" create
                            map start 10.5.0.0 end 10.5.15.255 to 192.168.4.1
                            no shutdown
                        exit
                    exit
                exit
            exit
        exit
    exit
exit
 
configure 
    service 
        vprn 15002 customer 1 create
            nat
                inside
                    destination-prefix 0.0.0.0/0
                    classic-lsn-max-subscriber-limit 128
                    deterministic
                        prefix 10.5.0.0/27 subscriber-type classic-lsn-sub nat-policy "nat-policy-4" create
                            map start 10.5.0.0 end 10.5.0.31 to 192.168.4.65
                            no shutdown
                        exit
                    exit
                exit
            exit
        exit
    exit
exit

Show commands

For the 10.5.0.0/20 prefix on VPRN 15001, the subscriber-limit is 64. The 10.5.0.0/20 prefix is broken into 64 smaller /26 prefixes, each of which is mapped to a specific outside IP address.

To show the first LSN subscriber for the inside routing instance 15001 of the first /26 prefix, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.5.0.0 inside-router 15001
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.5.0.0]
NAT policy                  : nat-policy-4
Subscriber ID               : 276825344
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.5.0.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.4.1
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last inside address mapping to the 192.168.4.1 outside address is 10.5.0.63.

To show the first Large Scale NAT (LSN) subscriber for the inside routing instance 15001 of the last /26 prefix, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.5.15.192 inside-router 15001
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.5.15.192]
NAT policy                  : nat-policy-4
Subscriber ID               : 276829376
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15001
Inside IP address prefix    : 10.5.15.192/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.4.64
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

The last inside address mapping to the 192.168.4.64 outside address is 10.5.15.255.

To show the base router LSN blocks corresponding to the first inside IP address within the 10.5.0.0/20 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.5.0.0 inside-router 15001
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.4.1 [4024..4523]
Pool                                  : nat-pool-4
Policy                                : nat-policy-4
Started                               : 2016/10/27 13:11:38
Inside router                         : vprn15001
Inside IP address                     : 10.5.0.0
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the base router LSN blocks corresponding to the last inside IP address within the 10.5.0.0/20 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.5.15.255 inside-router 15001
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.4.64 [35524..36023]
Pool                                  : nat-pool-4
Policy                                : nat-policy-4
Started                               : 2016/10/27 13:11:38
Inside router                         : vprn15001
Inside IP address                     : 10.5.15.255
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

For the 10.5.0.0/27 prefix in VPRN 15002, the subscriber-limit is 64. The 10.5.0.0/27 prefix is mapped to one outside IP address.

To show the first LSN subscriber for the inside routing instance 15002 of the 10.5.0.0/27 prefix, the following command can be used:

*A:PE1# show service nat lsn-subscribers inside-ip 10.5.0.0 inside-router 15002
 
===============================================================================
NAT LSN subscribers
===============================================================================
Subscriber                  : [LSN-Host@10.5.0.0]
NAT policy                  : nat-policy-4
Subscriber ID               : 276829440
-------------------------------------------------------------------------------
Type                        : classic-lsn-sub
Inside router               : 15002
Inside IP address prefix    : 10.5.0.0/32
ISA NAT group               : 1
ISA NAT group member        : 1
Outside router              : "Base"
Outside IP address          : 192.168.4.65
 
-------------------------------------------------------------------------------
No. of LSN subscriber instances: 1
===============================================================================
*A:PE1#

To show the LSN blocks corresponding to the first inside IP address within the 10.5.0.0/27 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.5.0.0 inside-router 15002

===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.4.65 [4024..4523]
Pool                                  : nat-pool-4
Policy                                : nat-policy-4
Started                               : 2016/10/27 13:12:02
Inside router                         : vprn15002
Inside IP address                     : 10.5.0.0

-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

To show the LSN blocks for the last inside IP address within the 10.5.0.0/27 prefix, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.5.0.31 inside-router 15002
 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.4.65 [19524..20023]
Pool                                  : nat-pool-4
Policy                                : nat-policy-4
Started                               : 2016/10/27 13:12:02
Inside router                         : vprn15002
Inside IP address                     : 10.5.0.31
 
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

Mapping results

According to this configuration, each inside IP address within VPRN 15001 has one deterministic block of 500 ports and can have up to three dynamic blocks (block-limit =4) of 461 ports each, allowing a maximum of 500+3*461 = 1883 flows.

According to this configuration, each inside IP address within VPRN 15002 has one deterministic block of 500 ports and can have up to three dynamic blocks (block-limit =4) of 461 ports each, allowing a maximum of 500+3*461 = 1883 flows.

For VPRN 15002, since the number of LSN subscribers (32) is less than the number of deterministic blocks (64), 32 deterministic blocks are wasted, specifically 32*500 = 16,000 ports, which is undesirable from a capacity-planning perspective.

Figure 13. Case 3 results

Inverse mapping

In deterministic LSN44, the inside IP addresses are mapped to outside IP addresses and corresponding port blocks based on a deterministic algorithm. The inverse mapping that reveals the subscriber identity behind the NAT is based on the reversal of this algorithm.

Inverse mappings can be done either online or offline:

  • Online — Locally on the 7x50 node, via CLI (MIB)

  • Offline — Externally, via a Python script. The purpose of such an offline approach is to provide fast queries without accessing the 7x50.

Figure 14. Inverse mapping approach

Online approach

A tools command is available that shows the reverse mapping (outside to inside) for deterministic NAT, so that logging is not needed:

tools dump nat deterministic-mapping outside-ip <ipv4-address> router <router-instance> outside-port <[1..65535]>

 <ipv4-address>       : a.b.c.d 
 <router-instance>    : <router-name>|<service-id>
                        router-name    - "Base"
                        service-id     - [1..2147483647]

Using Case 3 as an example, to obtain (inside IP, inside routing instance), the inverse mapping for a specific (outside IP, outside routing instance, outside port) is done as follows:

*A:PE1# tools dump nat deterministic-mapping outside-ip 192.168.4.1 router "Base" outside-port 4024
classic-lsn-sub inside router 15001 ip 10.5.0.0 -- outside router Base ip 192.168.4.1 port 4024 at Fri Oct 28 13:04:22 UTC 2016
*A:PE1#
*A:PE1# tools dump nat deterministic-mapping outside-ip 192.168.4.65 router "Base" outside-port 4024
classic-lsn-sub inside router 15002 ip 10.5.0.0 -- outside router Base ip 192.168.4.65 port 4024 at Fri Oct 28 13:04:45 UTC 2016
*A:PE1#

Offline approach

The purpose of such an offline approach is to provide fast queries without the need to directly query the 7x50.

This is achieved by generating and exporting a Python script for reverse querying. This is a manual operation that needs to be repeated every time the deterministic NAT configuration changes.

The script is exported (manually) to the external system.

To configure the remote location for the Python script, the following command is used:

configure service nat deterministic-script location <remote-url>

remote-url — A remote location where the script is stored:

[{ftp://|tftp://}<login>:<pswd>@ <remote-locn>/][<file-path>]

Maximum length is 180 characters.

Once the script location is specified, the script can be exported to that location using the following command:

admin nat save-deterministic-script

Using the following command, the status of the script can be checked, including whether it is necessary to re-save (export) the script:

*A:PE1# show service nat deterministic-script
 
===============================================================================
Deterministic NAT script data
===============================================================================
Location                    : ftp://*:*@123.123.123.123/pub/python/detnat.py
Save needed                 : no
Last save result            : success
Last save time              : 2016/10/28 13:05:41
===============================================================================
*A:PE1#

The external system must have the Python scripting language installed with the following modules: getopt, math, os, socket, and sys.

The Python script can then be run on the external server; the parameters are as follows:

[user@123.123.123.123 ~]$ ./detnat.py
Error: need exactly one of --forward or --backward arguments
 
Usage: detnat.py DIRECTION PARAMETERS
Perform forward or backard NAPT according to the configured deterministic rules.
 
DIRECTION:
  -f, --forward             Translate from inside to outside address/port
  -b, --backward            Translate from outside to inside address/port
 
PARAMETERS:
  -a, --address=IP-ADDRESS  The address to translate. IPv6 addresses can be
                            specified in shorthand or full notation.
  -p, --port=PORT           The outside port in case of backward translation.
  -s, --service=SERVICE-ID  The service where the IP-ADDRESS originates from.
                            This is the inside service in case of forward
                            translation and the outside service in case of
                            backward translation.
                            To specify the base router, this option must be
                            omitted.
 
  -h, --help                Show this help message
[user@123.123.123.123 ~]$

where detnat.py is the name of the Python script previously exported.

As an example of a forward query:

[user@123.123.123.123 ~]$ ./detnat.py -f -s 15001 -a 10.0.0.1
classic-lsn-sub has public ip address 192.168.0.1 from base router and is using ports [4324 - 4623]
[user@123.123.123.123 ~]$

As an example of a reverse query:

[user@123.123.123.123 ~]$ ./detnat.py -b -s 0 -a 192.168.0.1 -p 4325
classic-lsn-sub has private ip address 10.0.0.1 from service 15001
[user@123.123.123.123 ~]$
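The following Python is an added example, not the detnat.py that the 7x50 exports: it reconstructs the forward and inverse deterministic mapping from the show outputs in Case 2 and Case 3 and the mapping results above, and recomputes the per-subscriber flow limits and the wasted ports of Case 3. The block arithmetic is an inferred assumption, and a port that lies outside every deterministic block is reported as unresolvable, since dynamic blocks need port-block logging as stated earlier.

```python
# Added example, not the detnat.py that the 7x50 exports: deterministic LSN44 forward and
# reverse mapping reconstructed from the show outputs in this chapter. The arithmetic is an
# assumption: a prefix is cut into chunks of <subscriber-limit> hosts, each chunk takes the
# next outside IP after the 'map ... to' address, and the host offset within the chunk
# selects a block of <deterministic port-reservation> ports starting at
# port-forwarding-range + 1 (1023 + 1 = 1024 when the range is not configured, as in pool-2).
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from math import ceil
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Pool:
    name: str
    outside_router: str        # "Base" or a service-id, as in 'pool ... router <instance>'
    first_ip: IPv4Address      # address-range start
    last_ip: IPv4Address       # address-range end
    subscriber_limit: int      # inside hosts sharing one outside IP
    det_ports: int             # deterministic port-reservation
    dyn_ports: int             # port-reservation ports (dynamic extension blocks)
    pfr: int = 1023            # port-forwarding-range; deterministic blocks start at pfr + 1


@dataclass(frozen=True)
class DetPrefix:
    inside_router: int
    prefix: IPv4Network
    map_to: IPv4Address        # 'map start <first> end <last> to <outside-ip>'
    pool: Pool
    block_limit: int           # nat-policy block-limit (deterministic + dynamic blocks)


def forward(rule: DetPrefix, inside_ip: str) -> Tuple[str, int, int]:
    """Inside IP -> (outside IP, first port, last port) of its deterministic block."""
    ip = IPv4Address(inside_ip)
    if ip not in rule.prefix:
        raise ValueError(f"{ip} is not covered by {rule.prefix}")
    ip_index, host_index = divmod(int(ip) - int(rule.prefix.network_address),
                                  rule.pool.subscriber_limit)
    outside_ip = rule.map_to + ip_index
    if not rule.pool.first_ip <= outside_ip <= rule.pool.last_ip:
        raise ValueError(f"{rule.prefix} needs more outside IPs than {rule.pool.name} has")
    first_port = rule.pool.pfr + 1 + host_index * rule.pool.det_ports
    last_port = first_port + rule.pool.det_ports - 1
    if last_port > 65535:
        raise ValueError(f"{rule.pool.name}: subscriber-limit * port-reservation exceeds 65535")
    return str(outside_ip), first_port, last_port


def backward(rules: Iterable[DetPrefix], outside_router: str, outside_ip: str,
             port: int) -> Optional[Tuple[int, str]]:
    """(outside router, outside IP, port) -> (inside router, inside IP), or None.

    None means the port lies in no deterministic block: it is either unused (a wasted
    block, see Case 3) or part of a dynamic block, which only port-block logs can resolve.
    """
    out = IPv4Address(outside_ip)
    for rule in rules:
        pool = rule.pool
        if pool.outside_router != outside_router or not pool.first_ip <= out <= pool.last_ip:
            continue
        if port <= pool.pfr:
            continue
        host_index = (port - pool.pfr - 1) // pool.det_ports
        ip_index = int(out) - int(rule.map_to)
        if host_index >= pool.subscriber_limit or ip_index < 0:
            continue
        inside_ip = rule.prefix.network_address + (ip_index * pool.subscriber_limit + host_index)
        if inside_ip in rule.prefix:   # overlapping inside prefixes (Case 3) are told apart here
            return rule.inside_router, str(inside_ip)
    return None


def max_flows(rule: DetPrefix) -> int:
    """Ports one subscriber can use: its deterministic block plus block-limit - 1 dynamic blocks."""
    return rule.pool.det_ports + (rule.block_limit - 1) * rule.pool.dyn_ports


def wasted_ports(rule: DetPrefix) -> int:
    """Deterministic ports reserved for hosts the prefix does not contain (Case 3, VPRN 15002)."""
    hosts = rule.prefix.num_addresses
    reserved = ceil(hosts / rule.pool.subscriber_limit) * rule.pool.subscriber_limit
    return (reserved - hosts) * rule.pool.det_ports


# Constructed from the Case 2, Case 3 and offline-script configurations in this chapter.
POOL2 = Pool("nat-pool-2", "15002", IPv4Address("192.168.2.1"), IPv4Address("192.168.2.200"), 256, 180, 80)
POOL3 = Pool("nat-pool-3", "15002", IPv4Address("192.168.3.1"), IPv4Address("192.168.3.200"), 64, 840, 120, 4023)
POOL4 = Pool("nat-pool-4", "Base", IPv4Address("192.168.4.1"), IPv4Address("192.168.4.100"), 64, 500, 461, 4023)
POOL1 = Pool("nat-pool-1", "Base", IPv4Address("192.168.0.1"), IPv4Address("192.168.0.100"), 128, 300, 180, 4023)
RULES: List[DetPrefix] = [
    DetPrefix(15001, IPv4Network("10.1.0.0/23"), IPv4Address("192.168.2.1"), POOL2, 4),
    DetPrefix(15001, IPv4Network("10.2.0.0/22"), IPv4Address("192.168.3.1"), POOL3, 2),
    DetPrefix(15001, IPv4Network("10.5.0.0/20"), IPv4Address("192.168.4.1"), POOL4, 4),
    DetPrefix(15002, IPv4Network("10.5.0.0/27"), IPv4Address("192.168.4.65"), POOL4, 4),
    DetPrefix(15001, IPv4Network("10.0.0.0/24"), IPv4Address("192.168.0.1"), POOL1, 4),
]

if __name__ == "__main__":
    for rule, ip in ((RULES[0], "10.1.1.255"), (RULES[3], "10.5.0.31"), (RULES[4], "10.0.0.1")):
        out, lo, hi = forward(rule, ip)
        print(f"{rule.inside_router} {ip} -> {rule.pool.outside_router} {out} [{lo}..{hi}]")
    print(backward(RULES, "Base", "192.168.4.65", 4024))    # (15002, '10.5.0.0'), as in the tools dump
    print(backward(RULES, "Base", "192.168.4.65", 20024))   # None: one of the 32 wasted blocks
    print(max_flows(RULES[0]), wasted_ports(RULES[3]))       # 420 16000
```

Every value the script computes can be checked against the lsn-blocks and tools dump outputs shown above; a mismatch after a configuration change is the same signal as "Save needed: yes" for the exported script.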

Simultaneous support of deterministic and non-deterministic NAT

Deterministic NAT can be used simultaneously with non-deterministic NAT within the same inside routing instance. However, they cannot share the same pool.

An outside pool can only be deterministic (although expandable by dynamic port-blocks) or non-deterministic at any given time (a non-deterministic pool is a pool that contains dynamic port-blocks only).

The following shows a configuration using deterministic NAT simultaneously with non-deterministic NAT.

The NAT outside pools are configured as follows:

configure
    router
        nat
            outside
                pool "nat-pool-1" nat-group 1 type large-scale create
                    port-reservation ports 180
                    port-forwarding-range 4023
                    subscriber-limit 128
                    deterministic
                        port-reservation 300
                    exit
                    address-range 192.168.0.1 192.168.0.100 create
                    exit
                    no shutdown
                exit
                pool "nat-pool-Non-Deterministic" nat-group 1 type large-scale create
                    address-range 192.168.7.1 192.168.7.100 create
                    exit
                    no shutdown
                exit
            exit
        exit
    exit
exit

The NAT policies are configured as follows:

configure
    service
        nat
            nat-policy "nat-policy-1" create
                block-limit 4
                pool "nat-pool-1" router Base
            exit
            nat-policy "nat-policy-Non-Deterministic" create
                pool "nat-pool-Non-Deterministic" router Base
            exit
        exit
    exit
exit

The NAT inside prefixes are configured as follows:

configure
    service 
        vprn 15001 customer 1 create
            nat
                inside
                    destination-prefix 0.0.0.0/0
                    classic-lsn-max-subscriber-limit 256
                    deterministic
                        prefix 10.0.0.0/24 subscriber-type classic-lsn-sub nat-policy "nat-policy-1" create
                            map start 10.0.0.0 end 10.0.0.255 to 192.168.0.1
                            no shutdown
                        exit
                    exit
                    nat-policy "nat-policy-Non-Deterministic"
                exit
            exit
            no shutdown
        exit
    exit
exit

In this example, the inside IP prefixes that do not match any of the deterministic prefixes will be NATed using a non-deterministic pool.

Figure 15. Sending flows: deterministic + non-deterministic NAT

To check which NAT pool/NAT policy is used for NATing the inside IP 10.7.0.1, the following command can be used:

*A:PE1# show router nat lsn-blocks inside-ip 10.7.0.1

===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
192.168.7.100 [1024..1527]
Pool                                  : nat-pool-Non-Deterministic
Policy                                : nat-policy-Non-Deterministic
Started                               : 2016/10/28 13:24:56
Inside router                         : vprn15001
Inside IP address                     : 10.7.0.1

-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
*A:PE1#

Conclusion

This example provides the commands required for configuring deterministic LSN44 NAT. Both deterministic and non-deterministic NAT are supported, and they can operate simultaneously.

Inverse query can be done online or offline to retrieve the NAT mappings. Logging is not needed as long as there are no dynamic blocks assigned to LSN44 subscribers.