Network Address Translation
This chapter provides an overview of Network Address Translation (NAT) functionality for BNG CUPS.
Residential NAT for BNG CUPS
For BNG CUPS, NAT responsibilities are divided between the MAG-c and BNG-UP.
The role of the MAG-c is to associate the subscriber session with NAT during the session authentication phase. This process consists mainly of allocating the outside IP address and port-block to the NAT subscriber session. These parameters are submitted to the BNG-UP through the PFCP association.
The BNG-UP performs NAT on the data traffic. On the BNG-UP, NAT runs on ISAs, ESA-VMs or vISAs. For the inside IP addresses, the incoming data traffic is sprayed across ISAs or ESA-VMs. This traffic spraying is based on the subscriber context, which typically represents a residence. For the outside IP addresses, the NAT prefix that is received from the MAG-c is segmented into smaller subnets and equally distributed across ISAs. This approach requires fair load distribution of traffic across service adapters in the upstream and downstream directions.
See the MAG-c Control Plane Function Guide for more information about NAT terminology and an overview of Residential NAT that describes the division of NAT responsibilities between the MAG-c and BNG-UP.
UP NAT policy template
A UP NAT policy template contains parameters that define NAT behavior for a group of subscribers within a NAT pool. This includes configuring the maximum number of port-blocks per subscriber, the size of the extended port-blocks, support for ALGs, setting limits for the number of NAT flows per subscriber, protocol timer definitions, flow-based logging, watermarks, and so on. The UP NAT policy configuration allows the NAT behavior to be customized for different groups of subscribers within the same NAT pool.
Although the UP NAT policy template is configured on the BNG-UP, its assignment to the NAT-enabled session is performed on the MAG-c during the authentication phase, using a reference in the CP NAT profile configuration.
The roles of the CP NAT profile and UP NAT policy can be summarized as follows:
-
The CP NAT profile is configured on the MAG-c and identifies NAT subscribers during the authentication phase. Parameters defined in the CP NAT profile affect the selection of the NAT pool within a specific outside routing context. This includes the allocation of the outside IP addresses, port-blocks, NAT mode of operation (NAPT or 1:1), size of the initial port-block, the number of subscriber per outside IP address and port-forwarding parameters. These resources are managed by the MAG-c.
-
The UP NAT policy template is configured on the BNG-UP and is used to define NAT behavior for a group of subscribers within a NAT pool. This behavior is closer to the NAT translation in the forwarding plane (for example, ALGs and protocol timers).
Guidelines for configuring extended port blocks
In addition to configuring MAG-C for extended Port Blocks (PBs) (see MAG-c Control Plane Function Guide, Multiple Port Blocks Per Subscriber), it is necessary to configure the following two options in the UP NAT policy in BNG-UP:
- size of the extended PBs that a subscriber can allocate in a NAT pool
- total number of PBs (initial and extended) that a subscriber can allocate
Use the following commands to configure the maximum number of PBs per NAT subscriber and the maximum number of ports per extended PB:
configure service nat up-nat-policy block-limit
configure service nat up-nat-policy port-block-extension ports
[ex:/configure service nat]
A:admin@cses-V27# info
up-nat-policy "policy1" {
block-limit 10
port-block-extension {
ports 335
...
}
}
}
Guidelines for configuring NAT subscribers in the sub-profile
Many NAT configuration parameters are defined in the UP NAT policy template (up-nat-policy) or the CP NAT profile (see UP NAT policy template). There are also some parameters that may be used for NAT configuration that require further granularity of definition, such as the UPNP policy that enables the dynamic port forward allocation. If a UPNP policy is used for NAT, it must be defined in the configure subscriber-management sub-profile context, as shown in the following example.
configure {
subscriber-management {
sub-profile name {
upnp-policy policy-name
}
}
}
Guidelines for configuring NAT groups
A NAT group represents a collection of ISAs that are used to process NAT traffic for subscribers. NAT traffic is distributed over multiple ISAs in a NAT group to achieve better performance and scale. BNG CUPS supports a single NAT group per BNG-UP, however, other NAT groups can be configured in the system outside CUPS.
A NAT group is a mandatory configuration. After the NAT group is defined, it must be referenced by a PFCP association. A NAT group is configured using commands in the configure isa nat-group context.
See Provisioning residential NAT for BNG CUPS for a configuration example.
Guidelines for configuring accounting and logging
Aggregated NAT logging based on port blocks is performed on the MAG-c, and flow-based logging can be enabled on the BNG-UP. Because a number of logs are produced in flow logging, flow logs are exported directly from the ISA, bypassing the MAG-c and the CPM on the BNG-UP. The BNG-UP supports flow logging in IPFIX format.
An IPFIX export policy must be configured in the configure service ipfix export-policy context, as shown in the following example.
configure {
service {
ipfix {
export-policy policy1
}
}
}
After the export policy is configured, it must be associated with a UP NAT policy, as shown in the following example.
configure {
service {
nat {
up-nat-policy natpolicy1 {
flow-log-policy {
ipfix exportpolicy1
}
}
}
}
}
Guidelines for configuring watermarks
The following watermarks are supported on the BNG-UP:
-
The session-level watermarks on the member ISA level monitor the NAT flow usage against the configured limit per member ISA. They are configured using the NAT group. Use the high and low command options in the following context to configure the watermarks.
configure isa nat-group session-limits watermarks
-
The session-level watermarks on the subscriber level monitor the NAT flows usage against the configured limit per subscriber. They are configured using the UP NAT policy. Use the high and low command options in the following context to configure the watermarks.
configure service nat up-nat-policy session-limits watermarks
-
The port usage watermarks on the subscriber level monitor port usage against the configured limit per subscriber. They are configured using the UP NAT policy. Use the high and low command options in the following context to configure the watermarks.
configure service nat up-nat-policy port-limits watermarks
- Extended Port Blocks (PBs) are monitored per outside IP address
and alerts are sent if subscribers (on that outside IP address) may soon be denied
additional service because they are running out of extended PBs. This is configured
per NAT UP policy. Note:
- You can map multiple CP NAT profiles with the same NAT UP policy to the same NAT pool. Alternatively, the same NAT UP policy can point to two different pools, using different CP NAT profiles. In other words, this is monitored for all subscribers that use all instances of the referenced NAT UP policy.
- For the system to generate these events, the NAT log event tmnxNatPlMemberExtBlockUsageHigh (ID 2045) must be enabled.
Use the high and low command options in the following context to configure the watermarks to monitor utilization of the PB space per outside IP in a NAT pool reserved for extended PBs.
configure service nat up-nat-policy port-block-extension watermarks
-
On the MAG-c, a watermark threshold can be configured in either absolute value or percentages to monitor micronet usage within a NAT outside pool. See the MAG-c Control Plane Function Guide for more information.
Guidelines for configuring intra-chassis redundancy
ISA redundancy on the BNG-UP level supports the following modes of operation:
-
N:M active/standby mode
M number of standby ISAs protect N number of active ISAs.
-
all active mode
This mode supports failure of up to two ISAs simultaneously. During an ISA failure, the configuration from the failed ISA is distributed over the remaining operational ISAs.
Both modes are stateless which means that NAT binding must be re-established after the switchover.
ISA redundancy is configured in the configure isa nat-group context and active/standby mode is enabled using the following commands.
configure {
isa {
nat-group id {
mda mda-id
redundancy {
active-mda-limit number
intra-chassis {
active-standby
}
}
}
}
}
These commands associate MDAs with the NAT group, set the mode of operation to active/standby, and configure the number of active ISAs in the NAT group. Any ISAs within the NAT group that are in excess of the configured number are automatically considered standby.
All active mode is enabled using the following commands.
configure {
isa {
nat-group id {
mda mda-id
redundancy {
active-mda-limit number
intra-chassis {
active-active {
failed-mda-limit number
}
}
}
}
}
Provisioning residential NAT for BNG CUPS
Review the residential NAT for BNG CUPS overview information; see Network Address Translation.
A UP NAT policy is required; it can be created (exist) for the BNG-UP or it is sufficient to use the default parameters. See Guidelines for configuring NAT groups.
To configure residential NAT on BNG CUPS, perform the following minimum configuration steps:
- Configure the MAG-c as described in the MAG-c Control Plane Function Guide.
-
Configure the BNG-UP.