Carrier-Grade NAT Configuration

Configuration Hierarchy

CG NAT Configuration Hierarchy

CGNAT Configuration

You must perform the following tasks to configure CG NAT.

  1. Configure NAT Pool

  2. Configure NAT Port Block Size

  3. Configure NAT Profile

  4. Configure NAT Rule

  5. NAT Service Profile Configuration

  6. Enable NAT Service Profile on Access Interface

  7. Enable NAT on External Interface

  8. Enable Logging for NAT

Configuration Syntax and Commands

The following sections describe the CGNAT configuration syntax and commands.

Configuring NAT Profile

A NAT profile defines how the NAT device has to perform the IPv4 address translation. NAT profile allows you to define an instance, IPv4 address pools, maximum number of translations, port block size and mapping a particular internal IPv4 address with a particular external IPv4 address for a deterministic address translation.

You can create NAT profile for an RBFS instance using the 'instance' option. Also, you can define the TCP or UDP traffic type for the profile.

A single NAT profile can be attached to subscribers across different instances. This means that regardless of which instance a subscriber belongs to, they can share the same NAT profile. For example, subscribers in different routing instances can be managed using the same NAT settings.

Subscribers within the same instance can be assigned different NAT profiles. Different groups of subscribers or services within the same instance can have tailored NAT configurations.

Syntax:

set forwarding-options address-translation profile <profile-name> <attribute> <value>

Attribute Description

<profile-name>

Specify the NAT profile name.

deterministic [true]

Specify deterministic as true to enable deterministic NAT for the profile. Deterministic NAT allows subscribers always to connect with a single public IP.

instance

Specify the RBFS instance.

ip-protocol

Specify the protocol: TCP or UDP.

ip-protocol ageing-timeout <ageing-timeout>

Specify the aging time value for the protocol.

max-rules

Specify the maximum number of rules for address translations for a public IPv4 address and for an interface.

pool

Specify the name of the public IP address pool.

The following commands configure the NAT profile named nat_profile1. The nat profile nat_profile1 is configured on the instanced vrf1 with a pool attached nataddr_pool1. Maximum rules are configured as 100 rules and the aging period is configured as 600 seconds for TCP traffic and 300 seconds for UDP traffic.

set forwarding-options address-translation profile nat_profile1
set forwarding-options address-translation profile nat_profile1 instance vrf1
set forwarding-options address-translation profile nat_profile1 pool nataddr_pool1
set forwarding-options address-translation profile nat_profile1 max-rules 100
set forwarding-options address-translation profile nat_profile1 ip-protocol TCP ageing-timeout 600
set forwarding-options address-translation profile nat_profile1 ip-protocol UDP ageing-timeout 300
set forwarding-options address-translation profile nat_profile1 ip-protocol ALL ageing-timeout 300

Example Configuration:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options address-translation profile
{
  "rtbrick-config:profile": [
    {
      "profile": "nat_profile1",
      "instance": "vrf1",
      "pool": "nataddr_pool1",
      "max-rules": "100",
      "ip-protocol": {
        "TCP": {
          "ageing-timeout": 600
        },
        "UDP": {
          "ageing-timeout": 300
        },
        "ALL": {
          "ageing-timeout": 300
        }
      }
    }
  ]
}

NAT Pool Configuration

A NAT IP address pool includes a set of public IPv4 addresses that are used for network address translation. You can create multiple public IPv4 address pools and one pool includes a range of public IPv4 addresses. These pools allocate public IPv4 addresses to subscribers during address translation. While configuring a pool, you can define the group of public IPv4 addresses belonging to that pool by specifying the lowest and highest IP addresses.

The system allows you to create multiple pools and define the association among them. You can define the 'next-pool-name' that takes over when the current pool gets exhausted with the IPv4 addresses. When one pool gets exhausted, the next pool takes over and starts serving the IP addresses to subscribers when the address translation occurs.

In addition, you can define the port block allocation by specifying the port block size for that pool. So, each public IPv4 in the pool can be allocated a certain number of ports based on the port block size defined.

Syntax:

set forwarding-options address-translation pool <pool-name> <attribute> <value>

Attribute Description

<pool-name>

Specify the name of the address pool.

ipv4-address

Specify both the highest and lowest IPv4 addresses in the range of IPv4 addresses for the pool.

ipv4-address high

Specify the highest IPv4 address in the address pool. You must specify the highest IP address in the range of IP addresses.

ipv4-address low

Specify the lowest IPv4 address in the address pool. You must specify the lowest IP address in the range of IP addresses.

next-pool-name

Specify the name of the next address pool that is to be used when the current address pool is allocated completely.

port-block-size

The number of ports allocated in a block. The default value is 256. For information, about port block allocation, see the section "Port Block Allocation".

Example Configuration:

The following commands configure nataddr_pool1 as the NAT pool and nataddr_pool2 as the next pool, and the port block size as defined 1024.

It indicates NAT pool nataddr_pool1 contains a range of public IPv4 addresses from 100.100.100.1 to 100.100.100.5 with the port block size 1024. With the port block size 1024, the system can allocate 63 ports to subscribers who have the same IPv4 address.

When the pool nataddr_pool1 has fully allocated its IPv4 addresses, the next pool named nataddr_pool2 will start allocating IPv4 addresses from its pool. The pool nataddr_pool2 includes a rage of IPv4 address from 100.100.101.1 to 100.100.101.150.

set forwarding-options address-translation pool nataddr_pool1
set forwarding-options address-translation pool nataddr_pool1 next-pool-name nataddr_pool2
set forwarding-options address-translation pool nataddr_pool1 port-block-size 1024
set forwarding-options address-translation pool nataddr_pool1 ipv4-address low 100.100.100.1
set forwarding-options address-translation pool nataddr_pool1 ipv4-address high 100.100.100.5
set forwarding-options address-translation pool nataddr_pool2 ipv4-address low 100.100.101.1
set forwarding-options address-translation pool nataddr_pool2 ipv4-address high 100.100.101.150

Example Configuration:

supervisor@rtbrick: cfg> show config forwarding-options address-translation pool
{
  "rtbrick-config:pool": [
    {
      "pool-name": "nataddr_pool1",
      "next-pool-name": "nataddr_pool2",
      "port-block-size": "1024",
      "ipv4-address": {
        "low": "100.100.100.1",
        "high": "100.100.100.5"
      }
    },
    {
      "pool-name": "nataddr_pool2",
      "port-block-size": "128",
      "ipv4-address": {
        "low": "100.100.101.1",
        "high": "100.100.101.150"
      }
    }
  ]
}

NAT Rule Configuration

You can define NAT rules only for static NAT. A NAT rule defines a match condition and a corresponding action. After you specify NAT rules, each packet is matched with each NAT rule. If a packet matches the condition specified in a rule, then the action corresponding to that match occurs. Match rules govern how the translation of private IPv4 addresses to public IPv4 addresses is performed.

With NAT rules, you can define how address translation is applied to traffic, and how to handle various protocols and data traffic, such as TCP and UDP, to ensure proper address translation and the mappings of private addresses to public addresses.

Rules also define how to handle inbound and outbound traffic, different protocols, and data traffic such as TCP and UDP for ensuring the proper address translation of traffic.

Syntax:

set forwarding-options address-translation rule <rule-name> <attribute> <value>

Attribute Description

<rule-name>

Specify the name of the rule.

ordinal <ordinal-value>

Specify the ordinal value. An ordinal value is a numerical representation that indicates its relative position or order.

ordinal <ordinal-value> instance

Specify the RBFS instance name.

ordinal <ordinal-value> ip-protocol [tcp/udp]

Specify the IP protocol, TCP or UDP.

ordinal <ordinal-value> local [ipv4-address/port]

Specify the private IPv4 address or port number that needs to be translated.

ordinal <ordinal-value> public [ipv4-address/port]

Specify the public IPv4 address. This public IP will be mapped with the private IP in the translation table.

Port Block Size Configuration

You can configure port block size for an IP address pool. Based on the block size set, the number of ports is allocated to per IPv4 address and per protocol (TCP or UDP).

Syntax:

set forwarding-options address-translation pool <pool-name> port-block-size <value>

Attribute Description

<pool-name>

Specify the name of the pool.

port-block-size

Specify the value. Supported values include 64, 128, 256, 512, 1024, and 2048.

The following commands configure the public IP pool nataddr_pool10 and port-block-size as 2048. The address pool contains a range of public IPv4 addresses from 100.100.102.51 to 100.100.102.100. With the port block size 2048, it can allocate 31 ports to each IP address in the pool.

set forwarding-options address-translation pool nataddr_pool10
set forwarding-options address-translation pool nataddr_pool10 port-block-size 2048
set forwarding-options address-translation pool nataddr_pool10 ipv4-address low 100.100.102.51
set forwarding-options address-translation pool nataddr_pool10 ipv4-address high 100.100.102.100

Example:

supervisor@rtbrick: cfg> show config forwarding-options address-translation pool nataddr_pool10
{
  "rtbrick-config:pool": [
    {
      "pool-name": "nataddr_pool10",
      "port-block-size": "2048",
      "ipv4-address": {
        "low": "100.100.102.51",
        "high": "100.100.102.100"
      }
    }
  ]
}

Configuring NAT Service Profile

You must create a NAT service profile and attach the service profile with the access interface for enabling CGNAT on the interface.

Syntax:

set access service-profile <profile-name> <attribute> <value>

Attribute Description

<profile-name>

Name of the service profile.

profile <profile>

Specify the profile name for the address translation.

Enable NAT Service Profile on the Access Interface

It is required to attach the NAT service profile to the access interface for enabling address translation on the interface.

Syntax:

set access interface [double-tagged | single-tagged | untagged] <interface-name> <outer-vlan-min> <outer-vlan-max> <inner-vlan-min> <inner-vlan-max> service-profile-name <service-profile-name>

Attribute Description

service-profile

Configure global service profile.

<outer-vlan-min>

Specify the minimum number of outer VLANs. Allowed range: 1 - 4094.

<outer-vlan-max>

Specify the maximum number of outer VLANs. Allowed range 1 - 4094.

<inner-vlan-min>

Specify the minimum number of inner VLANs. Allowed range: 1 - 4094.

<inner-vlan-max>

Specify the maximum number of inner VLANs. Allowed range 1 - 4094.

service-profile-name

Specify the name of the service profile.

The following commands attach service profile nat_service to the interface (double-tagged) ifp-0/0/17. The configuration shows the minimum number of outer VLANs as 1000, the maximum number of outer VLANs as 1007, the minimum number of inner VLANs as 84 and the maximum number of inner VLANs as 4084. The access type configured is IPoE, service profile is NAT service. AAA profile name is ipoe-aaa and the gateway IFL is lo-0/0/0/100.

IPoE subscriber with outer VLAN between 1000 and 1007, and inner VLAN between 84 and 4084 will be matched with this NAT service profile and a corresponding action will be taken. Anything outside these vlans will not have any action from this NAT service profile.

set access interface double-tagged ifp-0/0/17 1000 1007 84 4084
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 access-type IPoE
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 access-profile-name ipoe
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 service-profile-name nat_service
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 aaa-profile-name ipoe-aaa
set access interface double-tagged ifp-0/0/17 1000 1007 84 4084 gateway-ifl lo-0/0/0/100
{
  "rtbrick-config:interface": {
    "double-tagged": [
      {
        "interface-name": "ifp-0/0/17",
        "outer-vlan-min": 1000,
        "outer-vlan-max": 1007,
        "inner-vlan-min": 84,
        "inner-vlan-max": 4084,
        "access-type": "IPoE",
        "access-profile-name": "ipoe",
        "service-profile-name": "nat_service",
        "aaa-profile-name": "ipoe-aaa",
        "gateway-ifl": "lo-0/0/0/100"
      }
    ]
  }
}

The following commands configure a double-tagged interface ifp-0/0/6 and outer VLAN minimum value is 1000, maximum value as 1007, inner VLAN minimum value as 84 and maximum value as 4084. The access type configured is PPPoE, service profile is NAT service. AAA profile name is configured as ipoe-aaa.

It indicates PPPoE subscriber with outer VLAN between 1000 and 1007, and inner VLAN between 84 and 4084 will be matched with this NAT service profile and a corresponding action will be taken. Anything outside these vlans will not have any action from this NAT service profile.

set access interface double-tagged ifp-0/0/16 1000 1007 84 4084
set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 access-type PPPoE
set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 access-profile-name pppoe
set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 service-profile-name nat_service
set access interface double-tagged ifp-0/0/16 1000 1007 84 4084 aaa-profile-name ipoe-aaa

Example:

{
  "rtbrick-config:interface": {
    "double-tagged": [
      {
        "interface-name": "ifp-0/0/16",
        "outer-vlan-min": 1000,
        "outer-vlan-max": 1007,
        "inner-vlan-min": 84,
        "inner-vlan-max": 4084,
        "access-type": "PPPoE",
        "access-profile-name": "pppoe",
        "service-profile-name": "nat_service",
        "aaa-profile-name": "ipoe-aaa"
      },
    ]
  }
}

Enable NAT on External Interface

It is required to enable the NAT on the external (core-facing) interface.

Syntax:

set interface <interface-name> unit <unit-id> address-translation direction <public>

Attribute Description

<interface-name>

Name of the interface.

<unit-id>

Configure the number of sub-interfaces under the physical interface.

public

Specify 'public' for the external interface.

The following commands configure the external interface ifp-0/1/64 for IPv4 address translation. 'Unit' logical identifier for this physical interface. Direction 'public' shows the configuration on external interface for address translation.

set interface ifp-0/1/64 unit 100
set interface ifp-0/1/64 unit 100 address-translation
set interface ifp-0/1/64 unit 100 address-translation direction public
supervisor@rtbrick.net: cfg> show config interface ifp-0/1/64 unit 100
{
  "rtbrick-config:unit": [
    {
      "unit-id": 100,
      "address-translation": {
        "direction": "public"
      }
    }
  ]
}

Enable Logging for NAT

You can optionally enable logging for CGNAT operations.

All RBFS logs and related information is available in the RBFS Logging User Guide. For the list of RBFS logs, see Log Reference.

set log bd <name> <options>

Attribute Description

level

Specify the log level.

module

Specify the log module.

plugin-alias

Specify the plugin-alias URL. Plugin-alias is an external logging host server to which you can export logs. For example, Graylog.

The following commands configure logging for NAT module natd with a log level 'debug'.

set log bd natd
set log bd natd module nat
set log bd natd module nat level debug
supervisor@rtbrick.net: cfg> show config log bd natd
{
  "rtbrick-config:bd": [
    {
      "bd-name": "natd",
      "module": [
        {
          "module-name": "nat",
          "level": "debug"
        }
      ]
    }
  ]
}