Carrier-Grade NAT Configuration
CGNAT Configuration
You must perform the following tasks to configure CG NAT.
-
Configure NAT Pool
-
Configure NAT Port Block Size
-
Configure NAT Profile
-
Configure NAT Rule
-
NAT Service Profile Configuration
-
Enable NAT Service Profile on Access Interface
-
Enable NAT on External Interface
-
Enable Logging for NAT
Configuration Syntax and Commands
The following sections describe the CGNAT configuration syntax and commands.
Configuring NAT Profile
A NAT profile defines how the NAT device has to perform the IPv4 address translation. NAT profile allows you to define an instance, IPv4 address pools, maximum number of translations, port block size and mapping a particular internal IPv4 address with a particular external IPv4 address for a deterministic address translation.
You can create NAT profile for an RBFS instance using the 'instance' option. Also, you can define the TCP or UDP traffic type for the profile.
A single NAT profile can be attached to subscribers across different instances. This means that regardless of which instance a subscriber belongs to, they can share the same NAT profile. For example, subscribers in different routing instances can be managed using the same NAT settings.
Subscribers within the same instance can be assigned different NAT profiles. Different groups of subscribers or services within the same instance can have tailored NAT configurations.
Syntax:
set forwarding-options address-translation profile <profile-name> <attribute> <value>
| Attribute | Description |
|---|---|
<profile-name> |
Specify the NAT profile name. |
deterministic [true] |
Specify deterministic as true to enable deterministic NAT for the profile. Deterministic NAT allows subscribers always to connect with a single public IP. |
instance |
Specify the RBFS instance. |
ip-protocol |
Specify the protocol: TCP or UDP. |
ip-protocol ageing-timeout <ageing-timeout> |
Specify the aging time value for the protocol. |
max-rules |
Specify the maximum number of rules for address translations for a public IPv4 address and for an interface. |
pool |
Specify the name of the public IP address pool. |
The following commands configure the NAT profile named nat_profile1. The nat profile nat_profile1 is configured on the instanced vrf1 with a pool attached nataddr_pool1. Maximum rules are configured as 100 rules and the aging period is configured as 600 seconds for TCP traffic and 300 seconds for UDP traffic.
set forwarding-options address-translation profile nat_profile1 set forwarding-options address-translation profile nat_profile1 instance vrf1 set forwarding-options address-translation profile nat_profile1 pool nataddr_pool1 set forwarding-options address-translation profile nat_profile1 max-rules 100 set forwarding-options address-translation profile nat_profile1 ip-protocol TCP ageing-timeout 600 set forwarding-options address-translation profile nat_profile1 ip-protocol UDP ageing-timeout 300 set forwarding-options address-translation profile nat_profile1 ip-protocol ALL ageing-timeout 300
Example Configuration:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options address-translation profile
{
"rtbrick-config:profile": [
{
"profile": "nat_profile1",
"instance": "vrf1",
"pool": "nataddr_pool1",
"max-rules": "100",
"ip-protocol": {
"TCP": {
"ageing-timeout": 600
},
"UDP": {
"ageing-timeout": 300
},
"ALL": {
"ageing-timeout": 300
}
}
}
]
}
NAT Pool Configuration
A NAT IP address pool includes a set of public IPv4 addresses that are used for network address translation. You can create multiple public IPv4 address pools and one pool includes a range of public IPv4 addresses. These pools allocate public IPv4 addresses to subscribers during address translation. While configuring a pool, you can define the group of public IPv4 addresses belonging to that pool by specifying the lowest and highest IP addresses.
The system allows you to create multiple pools and define the association among them. You can define the 'next-pool-name' that takes over when the current pool gets exhausted with the IPv4 addresses. When one pool gets exhausted, the next pool takes over and starts serving the IP addresses to subscribers when the address translation occurs.
In addition, you can define the port block allocation by specifying the port block size for that pool. So, each public IPv4 in the pool can be allocated a certain number of ports based on the port block size defined.
Syntax:
set forwarding-options address-translation pool <pool-name> <attribute> <value>
| Attribute | Description |
|---|---|
<pool-name> |
Specify the name of the address pool. |
ipv4-address |
Specify both the highest and lowest IPv4 addresses in the range of IPv4 addresses for the pool. |
ipv4-address high |
Specify the highest IPv4 address in the address pool. You must specify the highest IP address in the range of IP addresses. |
ipv4-address low |
Specify the lowest IPv4 address in the address pool. You must specify the lowest IP address in the range of IP addresses. |
next-pool-name |
Specify the name of the next address pool that is to be used when the current address pool is allocated completely. |
port-block-size |
The number of ports allocated in a block. The default value is 256. For information, about port block allocation, see the section "Port Block Allocation". |
Example Configuration:
The following commands configure nataddr_pool1 as the NAT pool and nataddr_pool2 as the next pool, and the port block size as defined 1024.
It indicates NAT pool nataddr_pool1 contains a range of public IPv4 addresses from 100.100.100.1 to 100.100.100.5 with the port block size 1024. With the port block size 1024, the system can allocate 63 ports to subscribers who have the same IPv4 address.
When the pool nataddr_pool1 has fully allocated its IPv4 addresses, the next pool named nataddr_pool2 will start allocating IPv4 addresses from its pool. The pool nataddr_pool2 includes a rage of IPv4 address from 100.100.101.1 to 100.100.101.150.
set forwarding-options address-translation pool nataddr_pool1 set forwarding-options address-translation pool nataddr_pool1 next-pool-name nataddr_pool2 set forwarding-options address-translation pool nataddr_pool1 port-block-size 1024 set forwarding-options address-translation pool nataddr_pool1 ipv4-address low 100.100.100.1 set forwarding-options address-translation pool nataddr_pool1 ipv4-address high 100.100.100.5 set forwarding-options address-translation pool nataddr_pool2 ipv4-address low 100.100.101.1 set forwarding-options address-translation pool nataddr_pool2 ipv4-address high 100.100.101.150
Example Configuration:
supervisor@rtbrick: cfg> show config forwarding-options address-translation pool
{
"rtbrick-config:pool": [
{
"pool-name": "nataddr_pool1",
"next-pool-name": "nataddr_pool2",
"port-block-size": "1024",
"ipv4-address": {
"low": "100.100.100.1",
"high": "100.100.100.5"
}
},
{
"pool-name": "nataddr_pool2",
"port-block-size": "128",
"ipv4-address": {
"low": "100.100.101.1",
"high": "100.100.101.150"
}
}
]
}
NAT Rule Configuration
You can define NAT rules only for static NAT. A NAT rule defines a match condition and a corresponding action. After you specify NAT rules, each packet is matched with each NAT rule. If a packet matches the condition specified in a rule, then the action corresponding to that match occurs. Match rules govern how the translation of private IPv4 addresses to public IPv4 addresses is performed.
With NAT rules, you can define how address translation is applied to traffic, and how to handle various protocols and data traffic, such as TCP and UDP, to ensure proper address translation and the mappings of private addresses to public addresses.
Rules also define how to handle inbound and outbound traffic, different protocols, and data traffic such as TCP and UDP for ensuring the proper address translation of traffic.
Syntax:
set forwarding-options address-translation rule <rule-name> <attribute> <value>
| Attribute | Description |
|---|---|
<rule-name> |
Specify the name of the rule. |
ordinal <ordinal-value> |
Specify the ordinal value. An ordinal value is a numerical representation that indicates its relative position or order. |
ordinal <ordinal-value> instance |
Specify the RBFS instance name. |
ordinal <ordinal-value> ip-protocol [tcp/udp] |
Specify the IP protocol, TCP or UDP. |
ordinal <ordinal-value> local [ipv4-address/port] |
Specify the private IPv4 address or port number that needs to be translated. |
ordinal <ordinal-value> public [ipv4-address/port] |
Specify the public IPv4 address. This public IP will be mapped with the private IP in the translation table. |
Port Block Size Configuration
You can configure port block size for an IP address pool. Based on the block size set, the number of ports is allocated to per IPv4 address and per protocol (TCP or UDP).
Syntax:
set forwarding-options address-translation pool <pool-name> port-block-size <value>
| Attribute | Description |
|---|---|
<pool-name> |
Specify the name of the pool. |
port-block-size |
Specify the value. Supported values include 64, 128, 256, 512, 1024, and 2048. |
The following commands configure the public IP pool nataddr_pool10 and port-block-size as 2048. The address pool contains a range of public IPv4 addresses from 100.100.102.51 to 100.100.102.100. With the port block size 2048, it can allocate 31 ports to each IP address in the pool.
set forwarding-options address-translation pool nataddr_pool10 set forwarding-options address-translation pool nataddr_pool10 port-block-size 2048 set forwarding-options address-translation pool nataddr_pool10 ipv4-address low 100.100.102.51 set forwarding-options address-translation pool nataddr_pool10 ipv4-address high 100.100.102.100
Example:
supervisor@rtbrick: cfg> show config forwarding-options address-translation pool nataddr_pool10
{
"rtbrick-config:pool": [
{
"pool-name": "nataddr_pool10",
"port-block-size": "2048",
"ipv4-address": {
"low": "100.100.102.51",
"high": "100.100.102.100"
}
}
]
}
Configuring NAT Service Profile
You must create a NAT service profile and attach the service profile with the access interface for enabling CGNAT on the interface.
Syntax:
set access service-profile <profile-name> <attribute> <value>
| Attribute | Description |
|---|---|
<profile-name> |
Name of the service profile. |
profile <profile> |
Specify the profile name for the address translation. |
Enable NAT Service Profile on the Access Interface
It is required to attach the NAT service profile to the access interface for enabling address translation on the interface.
Syntax:
set access interface [double-tagged | single-tagged | untagged] <interface-name> <outer-vlan-min> <outer-vlan-max> <inner-vlan-min> <inner-vlan-max> service-profile-name <service-profile-name>
| Attribute | Description |
|---|---|
service-profile |
Configure global service profile. |
<outer-vlan-min> |
Specify the minimum number of outer VLANs. Allowed range: 1 - 4094. |
<outer-vlan-max> |
Specify the maximum number of outer VLANs. Allowed range 1 - 4094. |
<inner-vlan-min> |
Specify the minimum number of inner VLANs. Allowed range: 1 - 4094. |
<inner-vlan-max> |
Specify the maximum number of inner VLANs. Allowed range 1 - 4094. |
service-profile-name |
Specify the name of the service profile. |
The following commands attach service profile nat_service to the interface (double-tagged) ifp-0/0/17. The configuration shows the minimum number of outer VLANs as 1000, the maximum number of outer VLANs as 1007, the minimum number of inner VLANs as 84 and the maximum number of inner VLANs as 4084. The access type configured is IPoE, service profile is NAT service. AAA profile name is ipoe-aaa and the gateway IFL is lo-0/0/0/100.
IPoE subscriber with outer VLAN between 1000 and 1007, and inner VLAN between 84 and 4084 will be matched with this NAT service profile and a corresponding action will be taken. Anything outside these vlans will not have any action from this NAT service profile.
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 access-type IPoE set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 access-profile-name ipoe set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 service-profile-name nat_service set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 aaa-profile-name ipoe-aaa set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 gateway-ifl lo-0/0/0/100
{
"rtbrick-config:interface": {
"double-tagged": [
{
"interface-name": "ifp-0/0/17",
"outer-vlan-min": 1000,
"outer-vlan-max": 1007,
"inner-vlan-min": 84,
"inner-vlan-max": 4084,
"access-type": "IPoE",
"access-profile-name": "ipoe",
"service-profile-name": "nat_service",
"aaa-profile-name": "ipoe-aaa",
"gateway-ifl": "lo-0/0/0/100"
}
]
}
}
The following commands configure a double-tagged interface ifp-0/0/6 and outer VLAN minimum value is 1000, maximum value as 1007, inner VLAN minimum value as 84 and maximum value as 4084. The access type configured is PPPoE, service profile is NAT service. AAA profile name is configured as ipoe-aaa.
It indicates PPPoE subscriber with outer VLAN between 1000 and 1007, and inner VLAN between 84 and 4084 will be matched with this NAT service profile and a corresponding action will be taken. Anything outside these vlans will not have any action from this NAT service profile.
set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 access-type PPPoE set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 access-profile-name pppoe set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 service-profile-name nat_service set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 aaa-profile-name ipoe-aaa
Example:
{
"rtbrick-config:interface": {
"double-tagged": [
{
"interface-name": "ifp-0/0/16",
"outer-vlan-min": 1000,
"outer-vlan-max": 1007,
"inner-vlan-min": 84,
"inner-vlan-max": 4084,
"access-type": "PPPoE",
"access-profile-name": "pppoe",
"service-profile-name": "nat_service",
"aaa-profile-name": "ipoe-aaa"
},
]
}
}
Enable NAT on External Interface
It is required to enable the NAT on the external (core-facing) interface.
Syntax:
set interface <interface-name> unit <unit-id> address-translation direction <public>
| Attribute | Description |
|---|---|
<interface-name> |
Name of the interface. |
<unit-id> |
Configure the number of sub-interfaces under the physical interface. |
public |
Specify 'public' for the external interface. |
The following commands configure the external interface ifp-0/1/64 for IPv4 address translation. 'Unit' logical identifier for this physical interface. Direction 'public' shows the configuration on external interface for address translation.
set interface ifp-0/1/64 unit 100 set interface ifp-0/1/64 unit 100 address-translation set interface ifp-0/1/64 unit 100 address-translation direction public
supervisor@rtbrick.net: cfg> show config interface ifp-0/1/64 unit 100
{
"rtbrick-config:unit": [
{
"unit-id": 100,
"address-translation": {
"direction": "public"
}
}
]
}
Enable Logging for NAT
You can optionally enable logging for CGNAT operations.
| All RBFS logs and related information is available in the RBFS Logging User Guide. For the list of RBFS logs, see Log Reference. |
set log bd <name> <options>
| Attribute | Description |
|---|---|
level |
Specify the log level. |
module |
Specify the log module. |
plugin-alias |
Specify the plugin-alias URL. Plugin-alias is an external logging host server to which you can export logs. For example, Graylog. |
The following commands configure logging for NAT module natd with a log level 'debug'.
set log bd natd set log bd natd module nat set log bd natd module nat level debug
supervisor@rtbrick.net: cfg> show config log bd natd
{
"rtbrick-config:bd": [
{
"bd-name": "natd",
"module": [
{
"module-name": "nat",
"level": "debug"
}
]
}
]
}