Network Address Translation
This chapter provides an overview of Network Address Translation (NAT) functionality for BNG CUPS.
Residential NAT for BNG CUPS
For BNG CUPS, NAT responsibilities are divided between the BNG CPF and BNG UPF.
The role of the BNG CPF is to associate the subscriber session with NAT during the session authentication phase. This process consists mainly of allocating the outside IP address and port-block to the NAT subscriber session. These parameters are submitted to the BNG UPF through the PFCP association.
The BNG UPF performs NAT on the data traffic. On the BNG UPF, NAT runs on MS-ISA service adapters, including the Integrated Service Adapter (ISA), Virtual ISA (vISA), and Extended Service Adapter (ESA). For the inside IP addresses, the incoming data traffic is sprayed across ISAs. This traffic spraying is based on the subscriber context, which typically represents a residence. For the outside IP addresses, the NAT prefix that is received from the BNG CPF is segmented into smaller subnets and equally distributed across ISAs. This approach requires fair load distribution of traffic across service adapters in the upstream and downstream directions.
See the CMG BNG CUPS Control Plane Function Guide for more information about NAT terminology and an overview of Residential NAT that describes the division of NAT responsibilities between the BNG CPF and BNG UPF.
UP NAT policy template
A UP NAT policy template contains parameters that define NAT behavior for a group of subscribers within a NAT pool. This NAT behavior includes support for ALGs, setting limits for the number of NAT flows per subscriber, protocol timer definitions, flow-based logging, watermarks, and so on. The UP NAT policy configuration allows the NAT behavior to be customized for different groups of subscribers within the same NAT pool.
Although the UP NAT policy template is configured on the BNG UPF, its assignment to the NAT-enabled session is performed on the BNG CPF during the authentication phase, using a reference in the CP NAT profile configuration.
The roles of the CP NAT profile and UP NAT policy can be summarized as follows:
-
The CP NAT profile is configured on the BNG CPF and identifies NAT subscribers during the authentication phase. Parameters defined in the CP NAT profile affect the selection of the NAT pool within a specific outside routing context. This includes the allocation of the outside IP addresses, port-blocks, and NAT mode of operation (NAPT or 1:1). These resources are managed by the BNG CPF.
-
The UP NAT policy template is configured on the BNG UPF and is used to define NAT behavior for a group of subscribers within a NAT pool. This behavior is closer to the NAT translation in the forwarding plane (for example, ALGs and protocol timers).
Guidelines for configuring NAT subscribers in the sub-profile
Many NAT configuration parameters are defined in the UP NAT policy template (up-nat-policy) or the CP NAT profile (see UP NAT policy template). There are also some parameters that may be used for NAT configuration that require further granularity of definition, such as the UPNP policy that enables the dynamic port forward allocation. If a UPNP policy is used for NAT, it must be defined in the configure subscriber-management sub-profile context, as shown in the following example.
configure {
subscriber-management {
sub-profile name {
upnp-policy policy-name
}
}
}
Guidelines for configuring NAT groups
A NAT group represents a collection of ISAs that are used to process NAT traffic for subscribers. NAT traffic is distributed over multiple ISAs in a NAT group to achieve better performance and scale. BNG CUPS supports a single NAT group per BNG UPF, however, other NAT groups can be configured in the system outside CUPS.
A NAT group is a mandatory configuration. After the NAT group is defined, it must be referenced by a PFCP association. A NAT group is configured using commands in the configure isa nat-group context.
See Provisioning residential NAT for BNG CUPS for a configuration example.
Guidelines for configuring accounting and logging
Aggregated NAT logging based on port blocks is performed on the BNG CPF, and flow-based logging can be enabled on the BNG UPF. Because a number of logs are produced in flow logging, flow logs are exported directly from the ISA, bypassing the BNG CPF and the CPM on the BNG UPF. The BNG UPF supports flow logging in IPFIX format.
An IPFIX export policy must be configured in the configure service ipfix export-policy context, as shown in the following example.
configure {
service {
ipfix {
export-policy policy1
}
}
}
After the export policy is configured, it must be associated with a UP NAT policy, as shown in the following example.
configure {
service {
nat {
up-nat-policy natpolicy1 {
flow-log-policy {
ipfix exportpolicy1
}
}
}
}
}
Guidelines for configuring watermarks
The following watermarks are supported on the BNG UPF:
-
The session-level watermarks on the member ISA level monitor the NAT flow usage against the configured limit per member ISA. They are configured using the NAT group, as shown in the following example.
configure { isa { nat-group id { session-limits { watermarks { high number low number } } } } }
-
The session-level watermarks on the subscriber level monitor the NAT flows usage against the configured limit per subscriber. They are configured using the UP NAT policy, as shown in the following example.
configure { service { nat id { up-nat-policy name { session-limits { watermarks { high number low number } } } } } }
-
The port usage watermarks on the subscriber level are used to monitor port usage against the configured limit per subscriber. They are configured using the UP NAT policy, as shown in the following example.
configure { service { nat id { up-nat-policy name { port-limits { watermarks { high number low number } } } } } }
-
On the BNG CPF, a watermark threshold can be configured in either absolute value or percentages to monitor micronet usage within a NAT outside pool. See the CMG BNG CUPS Control Plane Function Guide for more information.
Guidelines for configuring intra-chassis redundancy
ISA redundancy on the BNG UPF level supports the following modes of operation:
-
N:M active/standby mode
M number of standby ISAs protect N number of active ISAs.
-
all active mode
This mode supports failure of up to two ISAs simultaneously. During an ISA failure, the configuration from the failed ISA is distributed over the remaining operational ISAs.
Both modes are stateless which means that NAT binding must be re-established after the switchover.
ISA redundancy is configured in the configure isa nat-group context and active/standby mode is enabled using the following commands.
configure {
isa {
nat-group id {
mda mda-id
redundancy {
active-mda-limit number
intra-chassis {
active-standby
}
}
}
}
}
These commands associate MDAs with the NAT group, set the mode of operation to active/standby, and configure the number of active ISAs in the NAT group. Any ISAs within the NAT group that are in excess of the configured number are automatically considered standby.
All active mode is enabled using the following commands.
configure {
isa {
nat-group id {
mda mda-id
redundancy {
active-mda-limit number
intra-chassis {
active-active {
failed-mda-limit number
}
}
}
}
}
Provisioning residential NAT for BNG CUPS
Review the residential NAT for BNG CUPS overview information; see Network Address Translation.
A UP NAT policy is required; it can be created (exist) for the UPF or it is sufficient to use the default parameters. See Guidelines for configuring NAT groups.
To configure residential NAT on BNG CUPS, perform the following minimum configuration steps:
- Configure the CPF as described in the CMG BNG CUPS Control Plane Function Guide.
-
Configure the UPF.