Inline CGNAT
Inline Carrier-Grade Network Address Translation (CGNAT) Overview
Inline Carrier-Grade Network Address Translation (CGNAT) integrates Network Address Port Translation (NAPT) directly into the Packet Forwarding Engine (PFE). This integration enables efficient address and port management through NAT44 (IPv4-to-IPv4) and NAT64 (IPv6-to-IPv4) translations. As a result, there is no need for external service cards in the BNG chassis or for an external SRX to perform the CGNAT function for BNG subscribers. Inline CGNAT is a licensed feature based on the number of subscriber activations.
Key functionalities include the allocation of fixed public IPv4 addresses and port blocks per subscriber, RADIUS accounting updates to report these allocations, and support for advertising public addresses within specific routing instances. Traffic handling is optimized by performing NAT translation after firewall filters and lawful interception for upstream traffic and before these services for downstream traffic.
Inline NAPT (Network Address Port Translation) operates on the subscriber Packet Forwarding Engine (PFE) itself, eliminating the need to route traffic to a separate service PFE for CGNAT (Carrier-Grade Network Address Translation) functions.
Inline CGNAT can be implemented on an individual subscriber basis using RADIUS. The feature includes updates to RADIUS accounting, enabling it to report the public IP and port blocks allocated to each subscriber. This integration ensures your subscriber management system remains in sync with NAT allocations, providing accurate and up-to-date information. Additionally, the feature supports advertising public addresses within specific routing instances, helping optimize routing and reduce latency.
Benefits of Inline CGNAT
- Enhances network performance by integrating NAPT directly into the Packet Forwarding Engine, eliminating the need for external service cards.
- Improves scalability through efficient management of IP addresses and port resources, supporting large-scale subscriber deployments.
- Facilitates straightforward configuration and monitoring with enhanced CLI commands, providing detailed insights into NAT pool allocations and usage.
- Simplifies routing and subscriber management by enabling the advertisement of public IP addresses within specific routing instances.
- Optimizes traffic handling by performing NAT translation in conjunction with firewall filters and lawful interception processes, ensuring seamless service delivery.
The feature supports the following functionalities:
- Supports stateless and port-block-allocation based CGNAT.
- Supports NAT44 for PPPoE and DHCP subscribers by allocating a public IPv4 address and port block upon subscriber login, and reclaiming them upon logout.
- Supports NAT64 for PPPoEv6 and DHCPv6 subscribers by allocating a public IPv4 address and port block upon subscriber login, and reclaiming them upon logout.
- Assigns one public IPv4 address and port block for both IPv4 and IPv6 subscribers from a NAT pool specified in the dynamic profile. Routing is configured to direct public address traffic to the subscriber's PFE.
- Reports the allocated IPv4 public address and port block to the RADIUS server as part of the accounting process for subscribers.
Configure Inline CGNAT
The Inline NAPT supports both NAT44 (IPv4-to-IPv4) and NAT64 (IPv6-to-IPv4) translations, ensuring your network can handle both legacy IPv4 and modern IPv6 traffic, facilitating a smooth transition and interoperability between the two protocols.
When configuring Inline CGNAT, define NAT pools that specify the range of public IP addresses and ports available for translation. Each subscriber is assigned a fixed public IPv4 address and a specific port block upon login, managed by the Packet Forwarding Engine. Verify these parameters using enhanced CLI commands such as show subscribers, which provides details on NAT pool allocations, and show network-access inline-napt pool, which lists the IP addresses in a specified NAT pool. These commands allow effective monitoring and management of NAT resources, so that potential shortages or misconfigurations can be addressed promptly.
Along with a license to configure Inline CGNAT, you also need additional subscriber management licenses. Before configuring Inline CGNAT, enable Unified-Services and the required license support on the device. To enable Unified-Services on the device, execute request system enable unified-services from the CLI and reboot the device.
To set up the PFE with optimum resources for NAPT scaling, configure the line card with the following command:
[edit chassis]
{
    fpc <slot> {
        napt;
    }
}
You can enable inline NAPT from RADIUS by sending VSA NAPT-NAT64-Enable with value 1 for a subscriber.
[edit dynamic-profiles name services]
{
    inline-napt {
        nat44 {
            disable "$junos-napt-nat64-enable";
        }
    }
}
You can disable inline NAPT from RADIUS by sending VSA NAPT-NAT64-Enable with value 0 for a subscriber.
If VSA NAPT-NAT44-Enable is not sent from RADIUS, the NAPT NAT64 functionality is enabled by default.
To implement Inline CGNAT effectively, configure the NAT pools and dynamic profiles:
[edit services]
{
    nat {
        source {
            pool POOL_NAME {
                address IP_RANGE;
                port {
                    range PORT_RANGE;
                    block-allocation {
                        block-size SIZE;
                    }
                }
                mapping-timeout TIMEOUT;
                routing-instance INSTANCE_NAME;
            }
        }
    }
}
For example:
[edit services]
{
    nat {
        source {
            pool BBE-NAT-POOL {
                address 192.168.0.1/32 to 192.168.0.2/32;
                port {
                    range 5001 to 65000;
                    block-allocation {
                        block-size 1000;
                    }
                }
                mapping-timeout 120;
                routing-instance CGN-VRF;
            }
        }
    }
}
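The port-block arithmetic implied by the BBE-NAT-POOL example above, as an added model (not Juniper code): two public addresses with ports 5001 to 65000 in blocks of 1000 give 60 blocks per address, one block is bound per subscriber at login and reclaimed at logout, and a login with no free block fails. Subscriber identifiers are constructed, and the lowest-free-block order is an assumption of this model, not a statement of how the PFE allocates.

```python
import ipaddress


class PortBlockPool:
    """Model of one port-block-allocation NAT pool: a fixed public IPv4
    address plus one port block per subscriber login."""

    def __init__(self, first, last, port_lo, port_hi, block_size):
        self.block_size = block_size
        self.port_lo = port_lo
        # Blocks per address: (65000 - 5001 + 1) // 1000 == 60 for the page's pool.
        self.blocks_per_addr = (port_hi - port_lo + 1) // block_size
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.addrs = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        # Free list of (address, block index); lowest block first (assumed order).
        self.free = [(a, i) for a in self.addrs for i in range(self.blocks_per_addr)]
        self.bindings = {}  # subscriber -> (public addr, first port, last port)

    def capacity(self):
        """Total number of subscribers the pool can hold at once."""
        return len(self.addrs) * self.blocks_per_addr

    def login(self, subscriber):
        """Bind one block at login; return None when the pool has no free block."""
        if subscriber in self.bindings:
            return self.bindings[subscriber]
        if not self.free:
            return None
        addr, idx = self.free.pop(0)
        first = self.port_lo + idx * self.block_size
        binding = (addr, first, first + self.block_size - 1)
        self.bindings[subscriber] = binding
        return binding

    def logout(self, subscriber):
        """Reclaim the block so a later login can reuse it."""
        addr, first, _ = self.bindings.pop(subscriber)
        self.free.insert(0, (addr, (first - self.port_lo) // self.block_size))

    def block_use(self, addr):
        """Mirror the 'Block use n/m' column of the inline-napt pool display."""
        used = sum(1 for a, *_ in self.bindings.values() if a == addr)
        return used, self.blocks_per_addr
```

A subscriber whose block is fully used cannot obtain more ports from this model, which is the condition the port-block-limit syslog message described later on this page reports.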
To map NAT pools to routing instances, use the following CLI command. This maps the defined NAT pool to the appropriate routing instance, enabling detailed and flexible network configurations.
[edit system]
{
    services {
        subscriber-management {
            inline-napt {
                routing-instance-pool-map {
                    routing-instance INSTANCE_NAME pool POOL_NAME;
                }
            }
        }
    }
}
For example:
[edit system]
{
    services {
        subscriber-management {
            inline-napt {
                routing-instance-pool-map {
                    routing-instance default pool BBE-NAT-POOL;
                    routing-instance sub-vrf1 pool BBE-NAT-POOL;
                    routing-instance sub-business pool BBE-NAT-POOL1;
                }
            }
        }
    }
}
By mapping NAT pools to specific routing instances, you can ensure that different network segments or subscriber groups have dedicated address translation setups, facilitating better management of NAT resources and improving overall network performance.
Monitor Inline CGNAT
Each subscriber is assigned a fixed public IPv4 address and a specific port block upon login, managed by the Packet Forwarding Engine.
You can view and monitor these parameters using enhanced CLI commands. The show subscribers command provides details on the NAT public addresses in use for subscribers and the CGNAT parameters specific to each subscriber. The show network-access inline-napt pool command lists the IP addresses in a specified NAT pool.
user@host> show subscribers detail
Type: NAT
IP Address: 192.168.0.1
Routing Instance: default
Radius Accounting ID: 4
Session ID: 4
Login Time: 2024-12-11 00:13:28 IST
IP Address Pool: BBE-CGNAT-POOL

Type: NAT
IP Address: 192.168.0.2
Routing Instance: VRF1
Radius Accounting ID: 10
Session ID: 10
Login Time: 2024-12-11 03:13:28 IST
IP Address Pool: BBE-CGNAT-POOL

Type: DHCP
IP Address: 10.0.0.1
IP Netmask: 10.255.0.0
Primary DNS Address: 192.0.2.0
Secondary DNS Address: 192.0.2.1
Primary WINS Address: 192.0.2.3
Secondary WINS Address: 192.0.2.4
Logical System: default
Routing Instance: default
Interface: demux0.3073741824
Interface type: Dynamic
Dynamic Profile Name: dhcp-demux-prof
MAC Address: 00:00:5e:00:53:98
State: Active
Radius Accounting ID: example :2304
Idle Timeout (seconds): 600
Login Time: 2024-12-11 14:43:52 PDT
DHCP Options: len 52
35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c 0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 37 05 01 06 0f 21 2c
Service Sessions: 2
NAT Pool: BBE-CGNAT-POOL
NAT Public IP Address: 192.168.0.1
NAT Port Block: 5001-6000
NAPT Block Allocation Time: 2024-12-11 14:43:52 PDT

Type: DHCP
IP Address: 10.0.0.2
IP Netmask: 10.255.0.0
Primary DNS Address: 192.0.2.0
Secondary DNS Address: 192.0.2.1
Primary WINS Address: 192.0.2.3
Secondary WINS Address: 192.0.2.4
Logical System: default
Routing Instance: default
Interface: demux0.3073741825
Interface type: Dynamic
Dynamic Profile Name: dhcp-demux-prof
MAC Address: 00:00:5e:00:53:98
State: Active
Radius Accounting ID: example :2304
Idle Timeout (seconds): 600
Login Time: 2024-12-11 14:43:52 PDT
DHCP Options: len 52
35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c 0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 37 05 01 06 0f 21 2c
Service Sessions: 2
NAT Pool: BBE-CGNAT-POOL
NAT Public IP Address: 192.168.0.2
NAT Port Block: 5001-6000
NAPT Block Allocation Time: 2024-12-11 14:50:25 PDT
To view the details of the IP addresses and the allocated port block size, execute the show network-access aaa statistics inline-napt pool <pool-name> and show system subscriber-management inline-napt pool <pool-name> commands.
user@host> show network-access aaa statistics inline-napt pool BBE-CGNAT-POOL
Pool name: BBE-CGNAT-POOL
Address total: 4
Addresses in use: 2
Address Usage (percent): 50
Out of Addresses: 0
user@host> show system subscriber-management inline-napt pool BBE-CGNAT-POOL
External address  Access PFE  Routing-Instance  Port block size  Block use
172.16.0.1        ge-0/0/0    default           1000             2/60
172.16.0.2        ge-0/0/0    VRF1              1000             1/60
When a subscriber has exhausted all the ports in the port block allocated to it, the following syslog message is generated.
PROCESSOR_IPV4_NAPT_BINDING_PORTBLOCK_LIMIT_EXCEEDED Napt Session port block limit exceeded. No free port available for IpAddr:10.1.1.1
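The monitoring outputs and the syslog message above, turned into operator alerts as an added example (not Juniper code): the pool statistics are parsed for exhaustion and high address usage, the per-address pool display is scanned for fully used port blocks, and the port-block-limit message is matched to recover the affected subscriber address. The sample text is constructed from the values on this page, with one Block use value changed to 60/60 so that the full-block case is exercised; the usage threshold is an assumed value.

```python
import re

# Constructed sample of 'show network-access aaa statistics inline-napt pool'.
POOL_STATS = """Pool name: BBE-CGNAT-POOL
Address total: 4
Addresses in use: 2
Address Usage (percent): 50
Out of Addresses: 0"""

# Constructed sample of 'show system subscriber-management inline-napt pool';
# the second row is altered to a fully allocated address.
BLOCK_USE = """External address  Access PFE  Routing-Instance  Port block size  Block use
172.16.0.1        ge-0/0/0    default           1000             2/60
172.16.0.2        ge-0/0/0    VRF1              1000             60/60"""

# The syslog message quoted on this page.
SYSLOG = ("PROCESSOR_IPV4_NAPT_BINDING_PORTBLOCK_LIMIT_EXCEEDED Napt Session port "
          "block limit exceeded. No free port available for IpAddr:10.1.1.1")


def pool_alerts(stats_text, usage_threshold=80):
    """Alert when logins have failed for lack of addresses or usage is high."""
    fields = dict(re.findall(r"^([^:\n]+):\s*(\S+)", stats_text, re.M))
    name, alerts = fields["Pool name"], []
    if int(fields["Out of Addresses"]) > 0:
        alerts.append(f"{name}: {fields['Out of Addresses']} out-of-address events")
    if int(fields["Address Usage (percent)"]) >= usage_threshold:
        alerts.append(f"{name}: usage {fields['Address Usage (percent)']}%")
    return alerts


def full_addresses(table_text):
    """Return (address, routing instance) rows whose port blocks are all bound."""
    full = []
    for row in table_text.splitlines()[1:]:
        addr, _pfe, vrf, _size, use = row.split()
        used, total = (int(n) for n in use.split("/"))
        if used >= total:
            full.append((addr, vrf))
    return full


def exhausted_subscriber(line):
    """Subscriber address from the port-block-limit message, or None."""
    m = re.search(r"NAPT_BINDING_PORTBLOCK_LIMIT_EXCEEDED.*IpAddr:(\S+)", line)
    return m.group(1) if m else None
```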