Configuring NAT

This section provides information to configure NAT using the command line interface.

Topics in this section include:

ISA Redundancy

The 7750 SR supports ISA redundancy so that NAT keeps working when an MDA fails. The active-mda-limit command specifies how many MDAs are active in a given nat-group. Any MDAs configured above the active-mda-limit are spare MDAs; a spare takes over the NAT function if one of the active MDAs fails.

A sample configuration is as follows:

configure
    isa
        nat-group 1 create
            active-mda-limit 1
            mda 1/2
            mda 2/2
            no shutdown
        exit
    exit
exit

Show commands are available to display the actual state of a nat-group and its corresponding MDAs:

show isa nat-group 1          
===============================================================================
ISA NAT Group 1
===============================================================================
Admin state       : inService           Operational state : inService
Active MDA limit  : 1                   Reserved sessions : 0
High Watermark (%): (Not Specified)     Low Watermark (%) : (Not Specified)
Last Mgmt Change  : 01/11/2010 15:05:36 
===============================================================================
===============================================================================
ISA NAT Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio     
-------------------------------------------------------------------------------
1     1          active         1/2  0          0          0    N  0           
-------------------------------------------------------------------------------
No. of members: 1
===============================================================================

A maximum of four nat-groups can be configured. This gives the operator the ability to differentiate between traffic types: normal traffic could be routed to nat-group 1, with a limited number of MDAs and no spare, while high-priority traffic could use nat-group 2, with several active MDAs and a spare MDA. A maximum of six MDAs per nat-group can be configured.

A nat-group cannot become active (no shutdown) if the number of configured MDAs is lower than the active-mda-limit.

A given MDA can be configured in several nat-groups, but it can only be active in a single nat-group at any moment in time. Spare MDAs can be shared by several nat-groups, but a spare can only become active in one nat-group at a time. Changing the active-mda-limit, or adding or removing MDAs, can only be done when the nat-group is shut down, with the exception for spare MDAs noted below.

Nat-groups that share spare MDAs must be configured with the same list of MDAs. It is possible, however, to add or remove spare MDAs while the nat-group is administratively enabled.

configure
    isa
        nat-group 1 create
            active-mda-limit 1
            mda 1/2
            mda 2/2
            mda 3/1
            no shutdown
        exit
        nat-group 2 create
            active-mda-limit 1
            mda 1/2
            mda 2/2
            mda 3/1
            no shutdown
        exit
    exit
exit
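The nat-group rules above can be checked offline before a definition like the one just shown is pasted into the CLI. The following Python script is an added example, not Nokia code and not something that talks to the router: it encodes the rules stated in this section (maximum of four nat-groups, six MDAs per group, active-mda-limit not above the number of configured MDAs, identical MDA lists for groups that share MDAs, and an MDA active in only one group) and runs them over a constructed nat-group table. The NatGroup record, the finding text and the "no spare" warning are this example's own choices.

```python
"""Pre-commit sanity check for 7750 SR ISA nat-group definitions.

Added example; this is not Nokia code and it does not talk to the router.
It encodes the nat-group rules stated in this section and runs them over a
constructed nat-group table, so a definition the router would refuse (or
one that silently leaves a group without a spare) is caught before it is
pasted into the CLI.  The NatGroup record and the finding text are
assumptions of this example, not SR OS objects.
"""
from dataclasses import dataclass
from itertools import combinations

MAX_NAT_GROUPS = 4       # "A maximum of four nat-groups can be configured."
MAX_MDAS_PER_GROUP = 6   # "A maximum of six MDAs per nat-group can be configured."


@dataclass(frozen=True)
class NatGroup:
    gid: int
    active_mda_limit: int
    mdas: tuple            # MDA ids as "slot/mda" strings, e.g. "1/2"
    admin_up: bool = True  # True for 'no shutdown'


def check_nat_groups(groups):
    """Return a list of findings; 'error:' entries would be refused by the
    router or break the one-active-group rule, 'warning:' entries are
    operational risks the router accepts."""
    findings = []
    if len(groups) > MAX_NAT_GROUPS:
        findings.append(f"error: {len(groups)} nat-groups, maximum is {MAX_NAT_GROUPS}")

    for g in groups:
        if len(g.mdas) > MAX_MDAS_PER_GROUP:
            findings.append(f"error: nat-group {g.gid} lists {len(g.mdas)} MDAs, "
                            f"maximum is {MAX_MDAS_PER_GROUP}")
        if len(set(g.mdas)) != len(g.mdas):
            findings.append(f"error: nat-group {g.gid} lists an MDA more than once")
        # "A nat-group cannot become active (no shutdown) if the number of
        # configured MDAs is lower than the active-mda-limit."
        if g.admin_up and len(g.mdas) < g.active_mda_limit:
            findings.append(f"error: nat-group {g.gid} has active-mda-limit "
                            f"{g.active_mda_limit} but only {len(g.mdas)} MDA(s); "
                            "'no shutdown' will be refused")
        # Accepted by the router, but an MDA failure in a group without a
        # spare black-holes all traffic towards the failed MDA.
        elif len(g.mdas) == g.active_mda_limit:
            findings.append(f"warning: nat-group {g.gid} has no spare MDA")

    # "Nat-groups that share spare MDAs must be configured with the same
    # list of MDAs."  A shared MDA can be active in only one group, so it is
    # a spare in the other: any overlap at all requires identical MDA lists.
    for a, b in combinations(groups, 2):
        shared = set(a.mdas) & set(b.mdas)
        if shared and set(a.mdas) != set(b.mdas):
            findings.append(f"error: nat-groups {a.gid} and {b.gid} share "
                            f"{sorted(shared)} but do not list the same MDAs")

    # Derived from "an MDA can only be active in a single nat-group": groups
    # on one identical MDA list cannot all reach their active-mda-limit if
    # the limits add up to more than the list holds.
    by_list = {}
    for g in groups:
        by_list.setdefault(frozenset(g.mdas), []).append(g)
    for mdas, members in by_list.items():
        need = sum(g.active_mda_limit for g in members if g.admin_up)
        if len(members) > 1 and need > len(mdas):
            gids = sorted(g.gid for g in members)
            findings.append(f"error: nat-groups {gids} need {need} active MDAs "
                            f"from a shared list of {len(mdas)}")
    return findings


# Constructed sample: the two groups from the configuration above, plus two
# deliberately broken ones.
SAMPLE = (
    NatGroup(1, 1, ("1/2", "2/2", "3/1")),
    NatGroup(2, 1, ("1/2", "2/2", "3/1")),
    NatGroup(3, 2, ("4/1",)),          # limit above the configured MDAs
    NatGroup(4, 1, ("1/2", "5/1")),    # overlaps groups 1 and 2 with a different list
)

if __name__ == "__main__":
    for line in check_nat_groups(SAMPLE) or ["ok"]:
        print(line)
```

Run against the sample, the script reports that nat-group 3 cannot be brought into service and that nat-group 4 overlaps groups 1 and 2 without listing the same MDAs; the two groups taken from the configuration above pass. The "no spare" warning is the check an operator most often wants: a group such as the Large Scale NAT example later on this page (active-mda-limit 2 with exactly two MDAs) is accepted by the router but black-holes its traffic on the first MDA failure.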

Through show commands, it is possible to display an overview of all the nat-groups and MDAs.

show isa nat-group
===============================================================================
ISA NAT Group Summary
===============================================================================
Mda  Group 1            Group 2
-------------------------------------------------------------------------------
1/2  active             busy
2/2  busy               active
3/1  standby            standby
===============================================================================

If an MDA fails, the spare (if available) will take over. All active sessions will be lost, but new incoming sessions will make use of the spare MDA.

In case of an MDA failure in a nat-group without any spare MDA, all traffic towards that MDA will be black-holed.

For L2-aware NAT, the operator has the possibility to clear all the subscribers on the affected MDA (clear nat isa), terminating all the subscriber leases. New incoming subscribers will make use of the MDAs that are still available in the nat-group.

NAT Layer 2-Aware Configurations

The following sections provide NAT Layer 2-Aware configurations.

#--------------------------------------------------
echo "Card Configuration"
#--------------------------------------------------
    card 1
        card-type iom3-xp
        mda 1
            mda-type m60-10/100eth-tx
        exit
        mda 2
            mda-type isa-bb
        exit
    exit
    card 2
        card-type iom3-xp
        mda 1
            mda-type m60-10/100eth-tx
        exit
        mda 2
            mda-type isa-bb
        exit
    exit
 
#--------------------------------------------------
echo "ISA Configuration"
#--------------------------------------------------
    isa
        nat-group 1 create
            description "1 active + 1 spare"
            active-mda-limit 1
            mda 1/2
            mda 2/2
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router 
        ...
#--------------------------------------------------
echo "NAT (Network Side) Configuration"
#--------------------------------------------------
        nat
            outside
                pool "pool1" nat-group 1 type l2-aware create 
                    address-range 81.81.0.0 81.81.0.200 create
                    exit
                    no shutdown
                exit
            exit
        exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 create
            description "Default customer"
        exit
        ...
        vprn 100 customer 1 create
            ...
            nat
                outside
                    pool "pool2" nat-group 1 type l2-aware create 
                        address-range 82.0.0.0 82.0.0.200 create
                        exit
                        no shutdown
                    exit
                exit
            exit
        exit
 
        vprn 101 customer 1 create
            ...
            nat
                inside
                    l2-aware
                        # Hosts in this service with IP addresses in these ranges
                        # will be subject to l2-aware NAT.
                        address 10.0.0.1/29
                        address 10.1.0.1/29
                    exit
                exit
            exit
        exit
        ...
        nat
            nat-policy "l2-aware-nat-policy1" create 
                pool "pool1" router Base
            exit
            nat-policy "l2-aware-nat-policy2" create 
                pool "pool2" router 100
            exit
        exit
        ...
    exit
#--------------------------------------------------
echo "Subscriber-mgmt Configuration"
#--------------------------------------------------
    subscriber-mgmt
        # Subscribers using these sub-profiles will be subject to l2-aware NAT.
        # The configured nat-policies will determine which IP pool will be used.
        sub-profile "l2-aware-profile1" create
            nat-policy "l2-aware-nat-policy1"
        exit
        sub-profile "l2-aware-profile2" create
            nat-policy "l2-aware-nat-policy2"
        exit
        ...
    exit 

Large Scale NAT Configuration

The following sections provide Large Scale NAT configuration examples.

configure
#--------------------------------------------------
echo "Card Configuration"
#--------------------------------------------------
    card 3
        card-type iom3-xp
        mda 1
            mda-type isa-bb
        exit
        mda 2
            mda-type isa-bb
        exit
    exit
#--------------------------------------------------
echo "ISA Configuration"
#--------------------------------------------------
    isa
        nat-group 1 create
            active-mda-limit 2
            mda 3/1
            mda 3/2
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Filter Configuration"
#--------------------------------------------------
    filter 
        ip-filter 123 create
            entry 10 create
                match 
                    src-ip 13.0.0.1/8
                exit 
                action nat
            exit 
        exit 
    exit 
#--------------------------------------------------
echo "NAT (Declarations) Configuration"
#--------------------------------------------------
    service
        nat
            nat-policy "ls-outPolicy" create 
            exit
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 create
            description "Default customer"
        exit
        vprn 500 customer 1 create
            interface "ip-113.0.0.1" create
            exit
            nat
                outside
                    pool "nat1-pool" nat-group 1 type large-scale create 
                        port-reservation ports 200 
                        address-range 81.81.0.0 81.81.6.0 create
                        exit
                        no shutdown
                    exit
                exit
            exit
        exit
        vprn 550 customer 1 create
            interface "ip-13.0.0.1" create
            exit
        exit
        nat
            nat-policy "ls-outPolicy" create 
                pool "nat1-pool" router 500
                timeouts
                    udp hrs 5 
                    udp-initial min 4 
                exit
            exit
        exit
        vprn 500 customer 1 create
            router-id 10.21.1.2
            route-distinguisher 500:10
            vrf-target export target:500:1 import target:500:1
            interface "ip-113.0.0.1" create
                address 113.0.0.1/24
                static-arp 113.0.0.5 14:99:01:01:00:01
                sap 1/1/1:200 create
                exit
            exit
            no shutdown
        exit
        vprn 550 customer 1 create
            router-id 10.21.1.2
            route-distinguisher 550:10
            vrf-target export target:550:1 import target:550:1
            interface "ip-13.0.0.1" create
                address 13.0.0.1/8
                sap 1/2/1:900 create
                    ingress
                        filter ip 123
                    exit
                exit
            exit
            nat
                inside
                    nat-policy "ls-outPolicy"
                exit
            exit
            no shutdown
        exit
    exit
exit all

NAT Configuration Examples

The following output displays example configurations.

VPRN service example:

configure service vprn 100 nat
                inside
                    nat-policy "priv-nat-policy"
                    destination-prefix 0.0.0.0/0
                    dual-stack-lite
                        subscriber-prefix-length 128
                        address 2001:470:1F00:FFFF::190
                            tunnel-mtu 1500
                        exit
                        no shutdown
                    exit
                    redundancy
                        no peer
                        no steering-route
                    exit
                    subscriber-identification
                        shutdown
                        no attribute
                        no description
                        no radius-proxy-server
                    exit
                    l2-aware
                    exit
                exit
                outside
                    no mtu
                exit

Router NAT example:

configure router nat
            outside
                no mtu
                pool "privpool" nat-group 3 type large-scale create 
                    no description
                    port-reservation blocks 128 
                    port-forwarding-range 1023
                    redundancy
                        no export
                        no monitor
                    exit
                    subscriber-limit 65535
                    no watermarks
                    mode auto
                    address-range 13.0.0.5 13.0.0.6 create
                        no description
                        no drain
                    exit
                    no shutdown
                exit
                pool "pubpool" nat-group 1 type large-scale create 
                    no description
                    port-reservation blocks 1 
                    port-forwarding-range 1023
                    redundancy
                        no export
                        no monitor
                    exit
                    subscriber-limit 65535
                    no watermarks
                    mode auto
                    address-range 138.203.8.241 138.203.8.247 create
                        no description
                        no drain
                    exit
                    no shutdown
                exit
            exit

Service NAT example:

configure service nat
            nat-policy "priv-nat-policy" create
                alg
                    ftp
                    rtsp
                    sip
                exit
                block-limit 4
                no destination-nat
                no description
                filtering endpoint-independent
                pool "privpool" router Base
                no ipfix-export-policy
                port-limits
                    forwarding 64
                    no reserved
                    no watermarks
                exit
                priority-sessions
                exit
                session-limits
                    max 65535
                    no reserved
                    no watermarks
                exit
                timeouts
                    icmp-query min 1 
                    sip min 2 
                    no subscriber-retention
                    tcp-established hrs 2 min 4 
                    tcp-syn sec 15 
                    no tcp-time-wait
                    tcp-transitory min 4 
                    udp min 5 
                    udp-initial sec 15 
                    udp-dns sec 15 
                exit
                no tcp-mss-adjust
                no udp-inbound-refresh
            exit
            nat-policy "pub-nat-policy" create
                alg
                    ftp
                    no rtsp
                    no sip
                exit
                block-limit 1
                no destination-nat
                no description
                filtering endpoint-independent
                pool "pubpool" router Base
                no ipfix-export-policy
                port-limits
                    no forwarding
                    no reserved
                    no watermarks
                exit
                priority-sessions
                exit
                session-limits
                    max 65535
                    no reserved
                    no watermarks
                exit
                timeouts
                    icmp-query min 1 
                    sip min 2 
                    no subscriber-retention
                    tcp-established hrs 2 min 4 
                    tcp-syn sec 15 
                    no tcp-time-wait
                    tcp-transitory min 4 
                    udp min 5 
                    udp-initial sec 15 
                    udp-dns sec 15 
                exit
                no tcp-mss-adjust
                no udp-inbound-refresh
            exit

Configuring VSR-NAT

This section provides information about the VSR-NAT functionality, including licensing requirements, statistics collection, and examples of show command output.

Topics in this section include:

VSR-NAT Licensing

Appropriate licensing is required to enable the VSR-NAT functionality in the system. However, no further licensing enforcement is performed based on resource utilization, such as the consumed bandwidth or the number of NAT bindings.

The following NAT-related functionality is enabled through licensing:

  1. LSN (LSN44, DS-Lite, and NAT64)
  2. L2-Aware NAT
  3. UPnP
  4. Geo-redundancy

You can use the CLI or MIB on VSR-NAT to get more information about the number of LSN bindings and LSN bandwidth.

Table 42 describes the licenses required to unlock the VSR-NAT functionality.

Table 42:  NAT Licenses Required to Unlock NAT Functionality

NAT License Title: LSN
Functionality Enabled: LSN Pool
  1. configure router nat outside pool name type large-scale
  2. configure service nat outside pool name type large-scale
License Purchased: The following two scaling licenses are required:
  1. license for the number of LSN bindings
  2. license for consumed bandwidth
  You must purchase both licenses to enable the LSN functionality.

NAT License Title: L2AWARE
Functionality Enabled: L2Aware Pool
  1. configure router nat outside pool name type l2-aware
  2. configure service nat outside pool name type l2-aware
License Purchased: Purchase the L2-Aware license to enable the functionality. The LSN scaling license is not required.
  Note: The L2-Aware NAT functionality can only be used with the VBNG.

NAT License Title: UPnP
Functionality Enabled: UPnP commands
  1. configure subscriber-mgmt sub-profile sub-prof-name upnp-policy upnp-pol-name
License Purchased: Purchase the UPnP license to enable the functionality.
  Note: The UPnP functionality can only be used with the L2-Aware NAT.

NAT License Title: GEO REDUNDANCY
Functionality Enabled: Geo-redundancy Pool
  1. configure router nat outside pool redundancy
  2. configure service nat outside pool redundancy
License Purchased: Purchase the Geo Redundancy license to enable the functionality.

Statistics Collection For LSN Bindings

A NAT subscriber is an internal entity whose true identity is hidden outside the network. The NAT subscriber is represented by a binding that is a set of stateful mappings between the internal and external representations of the subscriber. From the licensing perspective, the terms “NAT bindings” and “NAT subscribers” can be used interchangeably.

VSR-NAT collects the number of LSN subscribers for licensing purposes; the L2-Aware NAT subscribers are excluded from this count. An LSN subscriber is defined as follows:

  1. Large Scale NAT44 (or CGN): the subscriber is an internal IPv4 address.
  2. DS-Lite: the subscriber is identified by the CPE IPv6 address (B4 element) or an IPv6 prefix. The selection of the address or prefix as the representation of a DS-Lite subscriber is configuration-dependent.
  3. NAT64: the subscriber is an IPv6 address.

The number of LSN subscribers (LSN44, DS-Lite, and NAT64) in VSR-NAT is sampled every hour on the hour (at 00:00, 01:00, 02:00, and so on). Each sample is a snapshot of the number of subscribers at the time the statistics are collected.

The CLI can be used to view the following information:

  1. 24 samples (one per hour) in the current day
  2. Maximum value for each of the last 7 days
  3. Average value for each of the last 7 days
  4. Maximum value since the system booted

For the list of CLI commands available for use, see section 7.24.5 VSR-NAT Show Command Examples.

Statistics Collection For LSN Bandwidth

The measurement of LSN bandwidth includes translated packets and octets in the upstream and downstream direction. Packets that are rejected for any reason and traffic carrying logging information are both excluded from the statistics.

LSN bandwidth statistics for VSR-NAT are collected every 10 minutes. The bandwidth is derived as the difference in octet count between two consecutive collections, divided by the 10 minute interval. There is no bandwidth differentiation per LSN type (LSN44, DS-Lite, and NAT64) or per direction. Aggregate bandwidth values per node are maintained in kbps. L2-Aware NAT and WLAN GW statistics are not included in the statistics collection.

The CLI can be used to view the following LSN bandwidth information:

  1. 144 bandwidth values for the current day (bandwidth statistics are collected every 10 minutes)
  2. Maximum bandwidth value for each of the last 7 days
  3. Average bandwidth value for each of the last 7 days
  4. Maximum bandwidth value since the system booted

For the list of CLI commands available for use, see section 7.24.5 VSR-NAT Show Command Examples.

Statistics Collection and HA

The LSN bandwidth and subscriber statistics are synchronized between DP-VMs where DP-VM redundancy is deployed.

VSR-NAT Show Command Examples

The following CLI commands are available for use:

  1. show system license-statistics 24-hours application nat
  2. show system license-statistics week application nat
  3. show system license-statistics peak application nat

The following output shows examples of NAT statistics.

Weekly display example:

*A:Dut-A# show system license-statistics week application nat
=====================================================================
week license statistics for nat
=====================================================================
index       time                average              peak
---------------------------------------------------------------------
LSN subscribers
1           2016/02/01 00:00:00 370                  456
2           2016/01/31 00:00:00 375                  512
3           2016/01/30 00:00:00 374                  510
4           2016/01/29 00:00:00 373                  478
5           2016/01/28 00:00:00 360                  450
6           2016/01/27 00:00:00 370                  496
7           2016/01/26 00:00:00 373                  503
LSN bandwidth
1           2016/02/01 00:00:00 12472623             12472623
2           2016/01/31 00:00:00 12472623             12472623
3           2016/01/30 00:00:00 12472623             12472623
4           2016/01/29 00:00:00 12472623             12472623
5           2016/01/28 00:00:00 12472623             12472623
6           2016/01/27 00:00:00 12472623             12472623
7           2016/01/26 00:00:00 12472623             12472623
---------------------------------------------------------------------
No. of license statistics entries: 14
=====================================================================

24-hour display example:

*A:Dut-A# show system license-statistics 24-hours application nat 
========================================================================
24 hours license statistics for nat
========================================================================
index       time                value                
------------------------------------------------------------------------
LSN subscribers
1           2016/06/29 19:00:00 512                  
2           2016/06/29 20:00:00 512                  
LSN bandwidth
1           2016/06/29 18:10:00 0                    
2           2016/06/29 18:20:00 0                    
3           2016/06/29 18:30:00 0                    
4           2016/06/29 18:40:00 2996286              
5           2016/06/29 18:50:00 12472524             
6           2016/06/29 19:00:00 12472424             
7           2016/06/29 19:10:00 12471020             
8           2016/06/29 19:20:00 12471980             
9           2016/06/29 19:30:00 12471566             
10          2016/06/29 19:40:00 12471881             
11          2016/06/29 19:50:00 12472116             
12          2016/06/29 20:00:00 12472623             
------------------------------------------------------------------------
No. of license statistics entries: 14
========================================================================

Peak display example:

*A:Dut-A# show system license-statistics peak application nat     
========================================================================
peak license statistics for nat
========================================================================
                                      time                peak
------------------------------------------------------------------------
LSN subscribers                       2016/06/29 19:00:00 512
LSN bandwidth                         2016/06/29 20:00:00 12472623
------------------------------------------------------------------------
No. of license statistics entries: 2
========================================================================
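The three displays are different views of the same samples: the weekly average and peak, and the peak display, are derived from the hourly subscriber samples and the 10 minute bandwidth samples that the 24-hour display lists. The following Python script is an added example, not Nokia code: it parses a constructed copy of the 24-hour output shown above, refuses a capture whose row count disagrees with the footer, recomputes the per-day average and peak that the weekly and peak displays report, and restates the bandwidth derivation given in the text (octet difference between two consecutive 10 minute collections, kept in kbps). The integer average is an assumption of this example; the weekly output above only shows whole numbers.

```python
"""Parse 'show system license-statistics 24-hours application nat' output
and derive the per-day figures the weekly and peak displays report.

Added example, not Nokia code.  SAMPLE_24H is a constructed copy of the
24-hour display shown on this page; the row layout and the 'LSN ...'
section names are taken from that output and nothing else is assumed
about the format.
"""
import re
from datetime import datetime

SAMPLE_24H = """\
========================================================================
24 hours license statistics for nat
========================================================================
index       time                value
------------------------------------------------------------------------
LSN subscribers
1           2016/06/29 19:00:00 512
2           2016/06/29 20:00:00 512
LSN bandwidth
1           2016/06/29 18:10:00 0
2           2016/06/29 18:20:00 0
3           2016/06/29 18:30:00 0
4           2016/06/29 18:40:00 2996286
5           2016/06/29 18:50:00 12472524
6           2016/06/29 19:00:00 12472424
7           2016/06/29 19:10:00 12471020
8           2016/06/29 19:20:00 12471980
9           2016/06/29 19:30:00 12471566
10          2016/06/29 19:40:00 12471881
11          2016/06/29 19:50:00 12472116
12          2016/06/29 20:00:00 12472623
------------------------------------------------------------------------
No. of license statistics entries: 14
========================================================================
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s*$")
FOOTER = re.compile(r"No\. of license statistics entries:\s*(\d+)")


def parse_24h(text):
    """Return {section: [(timestamp, value), ...]} for each 'LSN ...' section."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("LSN "):
            current = line.strip()
            sections[current] = []
            continue
        m = ROW.match(line)
        if m and current is not None:
            ts = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S")
            sections[current].append((ts, int(m.group(3))))
    return sections


def declared_count(text):
    """Entry count printed in the display footer, or None if it is missing."""
    m = FOOTER.search(text)
    return int(m.group(1)) if m else None


def parse_checked(text):
    """Parse, and refuse output whose row count disagrees with its footer:
    that is how a truncated or garbled capture shows up."""
    sections = parse_24h(text)
    declared = declared_count(text)
    parsed = sum(len(rows) for rows in sections.values())
    if declared is not None and declared != parsed:
        raise ValueError(f"footer says {declared} entries, parsed {parsed}")
    return sections


def daily_summary(sections):
    """(average, peak) per section, as the weekly display reports them.
    Integer average is this example's assumption (the weekly display shows
    whole numbers only)."""
    return {name: (sum(v for _, v in rows) // len(rows), max(v for _, v in rows))
            for name, rows in sections.items() if rows}


def peak(rows):
    """Timestamp and value of the highest sample (first one on a tie),
    which is what the peak display shows."""
    return max(rows, key=lambda r: r[1])


def bandwidth_kbps(prev_octets, cur_octets, interval_s=600):
    """Average bandwidth over one collection interval in kbps: the octet
    difference between two consecutive collections divided by the interval."""
    return (cur_octets - prev_octets) * 8 / interval_s / 1000


if __name__ == "__main__":
    data = parse_checked(SAMPLE_24H)
    for name, (avg, pk) in daily_summary(data).items():
        print(f"{name}: average {avg} peak {pk} at {peak(data[name])[0]:%H:%M}")
```

On the sample, the recomputed peaks (512 subscribers at 19:00, 12472623 kbps at 20:00) match the peak display above, and the three zero bandwidth samples before 18:40 show why a day's average can sit well below its peak. The footer check matters when these displays are collected by a script for licence-utilisation reporting: a capture cut off by a pager or a lost session otherwise yields a plausible but wrong daily average.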

Table 43 describes the NAT statistics output fields.

Table 43:  NAT Statistics Output Fields

Index: The entry number of the displayed value. A weekly display contains 7 entries, one for each of the last 7 days. A 24-hour display can contain up to 24 values for NAT subscribers (statistics are collected hourly) and up to 144 values for NAT bandwidth (statistics are collected every 10 minutes).

Time: The timestamp of the statistics collection. The bandwidth is averaged over 10 minute intervals, so the bandwidth value at a specific time represents the average bandwidth for the preceding 10 minute period.

Value: The number of NAT subscribers at a specific time, or the average bandwidth in kbps for the preceding 10 minute period.

Average: In the weekly display, the average daily value for the number of NAT subscribers or the NAT bandwidth.

Peak: In the weekly display, the daily peak value for the number of NAT subscribers or the NAT bandwidth.