CGNAT

CGNAT on IOS-XE

CGNAT is also called “large-scale” NAT. It is essentially just NAT with some extra features to be able to support running NAT for large numbers of customers, do RADIUS accounting for bandwidth usage, and do logging for lawful-intercept purposes. CGNAT allows multiple customers to share the same public address(es). Where regular NAT is NAT44, CGNAT is typically NAT444.

To use CGNAT with IOS-XE, you use the following command:

ip nat settings mode cgnat

This mode does not allow outside-to-inside mappings. Any that were previously configured will be automatically disabled. This is because when running in CGNAT mode, the destination information is not retained in the stateful translation table. This increases the scalability of the number of NAT translations that can be supported, because only source IP/port information needs to be retained.

On R2, I’ve completed the "NAT44 within an INET VRF" lab, and added this setting. Now R2 does not track the outside addresses:

This is also called EIM (endpoint independent mapping), because the endpoint (destination) does not matter and is not tracked.

Since we are not tracking the destination, the same source IP/port is always translated to one outside IP/port, no matter what the destination is. For return traffic, the router does EIF (endpoint independent filtering) because the source address of the return traffic doesn’t matter.

This type of NAT is sometimes called “full cone NAT” because all traffic with the same internal IP/port is mapped to the same external IP/port. Any external host can send a packet to the internal host by sending traffic to that external IP/port.

This feature allows for VRF-aware NAT, as well as multihoming (multiple outside interfaces).

By default, the destination IP and port are not logged when using CGNAT. However, you can enable this using:

ip nat settings log-destination

These can be exported to a netflow collector:

ip nat log translations flow-export v9 udp destination 172.27.61.85 20000

CGNAT on IOS-XR

The pool used for external IPs is defined as follows:

service cgn NAME
 service-type nat44 NAME
  inside-vrf NAME
   ! if outside is in default table
   map address-pool 100.0.0.0/24
   
   ! if outside is in a vrf
   map outside-vrf NAME address-pool 100.0.0.0/24 

Bulk port allocation is a way to further reduce logs. Each source IP is given a block of ports that will be used for its sessions, so only a single log entry is needed for the entire block rather than one per translation.

service cgn NAME
 service-type nat44 NAME
  inside-vrf NAME
   bulk-port-alloc size <size, ex. 32, 64, 256>

A per-source IP port limit can also be used to prevent one CPE from using all resources. The default (back in 2014) is 100.

service cgn NAME
 service-location preferred-active 0/1/CPU0
  service-type nat44 NAME
   portlimit 512

You can also configure static port forwarding. The external address is automatically picked by the system. Traffic on port 80 to that external address will be translated to 10.1.1.1:80.

service cgn NAME
 service-type nat44 NAME
  inside-vrf NAME
   protocol tcp
    static-forward inside address 10.1.1.1 port 80

Logging to syslog or netflow v9 is supported. You might need to enable destination-based logging based on legal regulations, because some web servers do not log the source port, and without the destination a shared external address cannot be tied back to a single subscriber. Netflow is preferred because it is lighter.

service cgn NAME
 service-type nat44 NAME
  inside-vrf NAME
   external-logging netflow ver 9
    server
     address 1.2.3.4 port 123
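To tie the pieces above together (EIM/EIF, bulk port allocation, the per-source port limit, and the log lookup that destination-based logging supports), here is a small added simulation of a CGNAT44 translation table. It is illustrative code written for this note, not Cisco code; the block size and port limit values are assumed, and the inside/external addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class CgnatEim:
    """Toy CGNAT44 table with endpoint-independent mapping (EIM), bulk port
    allocation and a per-subscriber port limit. Constructed for illustration."""
    external_ip: str
    block_size: int = 64      # bulk-port-alloc size (assumed value)
    port_limit: int = 512     # portlimit per inside IP (assumed value)
    next_start: int = 1024    # first external port handed out
    mappings: dict = field(default_factory=dict)  # (in_ip, in_port) -> ext_port
    blocks: dict = field(default_factory=dict)    # in_ip -> [[block_start, used], ...]
    log: list = field(default_factory=list)       # one record per allocated block

    def _alloc_port(self, in_ip):
        subs = self.blocks.setdefault(in_ip, [])
        for blk in subs:                      # reuse a block with free ports
            if blk[1] < self.block_size:
                blk[1] += 1
                return blk[0] + blk[1] - 1
        # A new block is needed: enforce the per-subscriber port limit first.
        if (len(subs) + 1) * self.block_size > self.port_limit:
            return None
        start = self.next_start
        self.next_start += self.block_size
        subs.append([start, 1])
        # Bulk allocation: a single log record covers the whole block.
        self.log.append((in_ip, self.external_ip, start, start + self.block_size - 1))
        return start

    def translate(self, in_ip, in_port, dst_ip, dst_port):
        """External (ip, port) for an outbound flow. The destination is ignored (EIM)."""
        key = (in_ip, in_port)
        if key not in self.mappings:
            port = self._alloc_port(in_ip)
            if port is None:
                return None               # port limit exhausted for this subscriber
            self.mappings[key] = port
        return self.external_ip, self.mappings[key]

    def inbound_allowed(self, ext_port):
        """EIF: any external host may reach an external port that has a mapping."""
        return ext_port in self.mappings.values()

    def subscriber_for(self, ext_ip, ext_port):
        """Lookup from the block log: which inside IP held this external port?"""
        for in_ip, ip, lo, hi in self.log:
            if ip == ext_ip and lo <= ext_port <= hi:
                return in_ip
        return None
```

Because the log stores only port blocks, a lookup returns the subscriber but not which flow within the block; that is why the text notes destination logging may still be required.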

Further Reading

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-10/nat-xe-16-10-book/iadnat-cgn.html

https://docplayer.net/60685759-Carrier-grade-nat44-on-ios-xr-deployment-experience.html
