CGNAT
Last updated
CGNAT (carrier-grade NAT) is also called “large-scale” NAT. It is essentially just NAT with some extra features to support running NAT for large numbers of customers: RADIUS accounting for bandwidth usage and translation logging for lawful-intercept purposes. CGNAT allows multiple customers to share the same public address(es), which is why the translation logs matter: a public address plus a timestamp no longer identifies one subscriber; the port is needed as well. Where regular NAT is NAT44, CGNAT is typically NAT444: the customer's CPE does one layer of NAT44 from the home network into the provider's internal address space (commonly 100.64.0.0/10), and the carrier's CGNAT device does a second layer from that space into public addresses.
To use CGNAT with IOS-XE, you use the following command:
This mode does not allow outside-to-inside mappings; any that were previously configured are automatically disabled. The reason is that in CGN mode the destination information is not retained in the stateful translation table: only the source IP/port of each session is stored, which increases the number of translations the box can hold.
On R2, I’ve completed the "NAT44 within an INET VRF" lab and added this setting. Now R2 does not track the outside addresses:
This is also called EIM (endpoint-independent mapping): the endpoint (destination) does not matter and is not tracked.
Since the destination is not tracked, the same inside IP/port is always translated to the same outside IP/port, no matter what the destination is. For return traffic the router does EIF (endpoint-independent filtering): a packet arriving for a mapped outside IP/port is accepted whatever its source address, because there is no stored destination to check it against.
This combination is sometimes called “full cone NAT” (the older RFC 3489 term for EIM plus EIF as defined in RFC 4787): all traffic from the same internal IP/port is mapped to the same external IP/port, and any external host can send a packet to the internal host by sending traffic to that external IP/port. That is convenient for peer-to-peer applications, but it also means an inside host is reachable by anyone who learns or guesses its outside IP/port, on every port it currently holds a mapping for, for as long as that mapping lives.
This feature allows for VRF-aware NAT, as well as multihoming (multiple outside interfaces).
By default, the destination IP and port are not logged when using CGNAT. However, you can enable this using:
These can be exported to a netflow collector:
The pool used for external IPs is defined as follows:
Bulk port allocation (BPA) is a way to further reduce logging volume. Instead of one outside port per session, each inside source IP is handed a block of consecutive outside ports, and its sessions draw ports from that block. Only a single log entry for the whole block is needed, rather than one per session. The trade-off is granularity: the logs still tie an outside IP/port back to the subscriber, but not to an individual session or destination.
A per-source-IP port limit can also be configured so that one CPE cannot consume all the ports of a shared outside address. The default (back in 2014) was 100.
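To make the behaviour described above concrete, here is a small Python model of a CGN-mode translation table. It is an added example, not IOS-XE code or output: mappings are keyed on inside IP/port only (EIM), inbound packets to a mapped outside IP/port are accepted from any source (EIF), outside ports are allocated either one per session or in blocks (bulk port allocation) with the corresponding difference in log volume, and each inside IP is capped at a configurable number of ports. The addresses, port ranges, block size, paired-address choice and log line formats are all constructed for illustration.

```python
"""Toy model of CGN-mode NAT444 translation semantics: EIM, EIF, bulk port
allocation (BPA) and a per-source port limit. Constructed illustration, not
IOS-XE code; all addresses, ports and log formats are made up."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class PortBlock:
    outside_ip: str
    first: int
    last: int
    used: int = 0            # ports handed out from this block so far

    def has_free(self) -> bool:
        return self.first + self.used <= self.last

    def take(self) -> int:
        port = self.first + self.used
        self.used += 1
        return port


class CgnatTable:
    def __init__(self, pool, block_size=0, port_limit=100, low=1024, high=65535,
                 log_destination=False):
        self.pool = cycle(pool)              # outside addresses, round-robin per CPE
        self.block_size = block_size         # 0 = one port per session, one log per session
        self.port_limit = port_limit         # max outside ports one inside IP may hold
        self.log_destination = log_destination
        self.next_free = {ip: low for ip in pool}
        self.high = high
        self.paired = {}                     # inside IP -> its outside IP (paired pooling)
        self.blocks = {}                     # inside IP -> [PortBlock]
        self.mappings = {}                   # (in_ip, in_port) -> (out_ip, out_port); no destination
        self.reverse = {}                    # (out_ip, out_port) -> (in_ip, in_port)
        self.logs = []

    def _ports_in_use(self, in_ip):
        return sum(1 for ip, _ in self.mappings if ip == in_ip)

    def _allocate_port(self, in_ip):
        if in_ip not in self.paired:
            self.paired[in_ip] = next(self.pool)
        out_ip = self.paired[in_ip]
        size = self.block_size or 1
        blocks = self.blocks.setdefault(in_ip, [])
        block = next((b for b in blocks if b.has_free()), None)
        if block is None:
            first = self.next_free[out_ip]
            if first + size - 1 > self.high:
                raise RuntimeError(f"no outside ports left on {out_ip}")
            self.next_free[out_ip] = first + size
            block = PortBlock(out_ip, first, first + size - 1)
            blocks.append(block)
            if self.block_size:
                # BPA: one record for the whole block, not one per session.
                self.logs.append(f"block {in_ip} -> {out_ip}:{block.first}-{block.last}")
        return out_ip, block.take()

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        """Inside -> outside. Returns (out_ip, out_port), or None when the CPE is
        at its port limit. The destination is not part of the mapping key (EIM)."""
        key = (in_ip, in_port)
        if key not in self.mappings:
            if self._ports_in_use(in_ip) >= self.port_limit:
                return None
            out = self._allocate_port(in_ip)
            self.mappings[key] = out
            self.reverse[out] = key
            if not self.block_size:
                rec = f"session {in_ip}:{in_port} -> {out[0]}:{out[1]}"
                if self.log_destination:     # destination logging, off by default
                    rec += f" dst {dst_ip}:{dst_port}"
                self.logs.append(rec)
        return self.mappings[key]

    def inbound(self, out_ip, out_port, remote_ip, remote_port):
        """Outside -> inside. EIF: any remote host reaches an existing mapping;
        remote_ip/remote_port are never consulted. No mapping means drop (None)."""
        return self.reverse.get((out_ip, out_port))


def demo():
    """Same constructed traffic through a per-session table and a BPA table."""
    pool = ["203.0.113.1", "203.0.113.2"]
    classic = CgnatTable(pool)
    bulk = CgnatTable(pool, block_size=64)
    flows = [("10.1.1.10", 40000, "198.51.100.5", 443),
             ("10.1.1.10", 40000, "198.51.100.9", 80),   # same source, new destination
             ("10.1.1.10", 40001, "198.51.100.5", 443),
             ("10.1.1.20", 50000, "198.51.100.5", 443)]
    for table in (classic, bulk):
        for flow in flows:
            table.outbound(*flow)
    return classic, bulk


if __name__ == "__main__":
    classic, bulk = demo()
    print(len(classic.logs), "session records vs", len(bulk.logs), "block records")
    # An unsolicited host reaches the mapping because filtering is endpoint independent.
    print(classic.inbound("203.0.113.1", 1024, "192.0.2.77", 1234))
```

Running it shows three session records for the per-session table against two block records for the BPA table (one per CPE), the same outside IP/port for 10.1.1.10:40000 regardless of destination, and an inbound packet from an arbitrary third-party address landing on the inside host. Set `port_limit=2` and the third mapping for one CPE is refused while another CPE still gets ports, which is the per-source limit protecting the shared address.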
You can also configure static port forwarding. The external address is automatically picked by the system. Traffic on port 80 to that external address will be translated to 10.1.1.1:80.
Logging to syslog or NetFlow v9 is supported. You might need to enable destination-based logging depending on legal requirements: if the remote web server logged only the client's source IP and not the source port, the translation log alone cannot single out one subscriber among the many sharing that public address, whereas a record that also carries the destination can. NetFlow is preferred because it is lighter: the binary records are far more compact than one syslog text line per translation.