Upgrade from UBOOT to 559 & MANS FPGA to 0.41014 71
Cisco IOS XR Carrier Grade NAT Configuration Guide for the Cisco CRS Router, Release 5.2.x
Contents
Configuring Dual Stack Lite Instance 77
Configuring PCP Server for NAT44 Instance 81
Configuring PCP Server for DS-Lite Instance 82
Configuration Examples for Implementing the Carrier Grade NAT 84
Configuring a Different Inside VRF Map to a Different Outside VRF: Example 84
Configuring a Different Inside VRF Map to a Same Outside VRF: Example 85
Configuring ACL for an Infrastructure Service Virtual Interface: Example 86
NAT44 Configuration: Example 86
NAT64 Stateless Configuration: Example 88
Predefined NAT Configuration: Example 89
DS Lite Configuration: Example 90
IPv6 ServiceApp and Static Route Configuration 90
IPv4 ServiceApp and Static Route Configuration 90
DS Lite Configuration 90
Bulk Port Allocation and Syslog Configuration: Example 91
PPTP ALG Configuration: Example 91
NAT44 Instance 91
DBL Configuration: Example 91
NAT44 Instance 91
DS-Lite Instance 91
PCP Server Configuration: Example 91
NAT44 Instance 91
DS-Lite Instance 92
Services Redundancy Configuration (Active/Standby): Example 92
Configuration of Multiple Address Pools: Example 92
Configuration of Port Limit per VRF: Example 92
Configuration of Same Public Address Pool across Different NAT Instances: Example 93
High Availability on Data Path SVI: Example 93
CHAPTER 3
External Logging 95
Bulk Port Allocation 95
Restrictions for Bulk Port Allocation 95
Session logging 96
Syslog Logging 96
Restrictions for Syslog 96
Syslog Message Format 96
Header 97
Structured Data 98
MSG 98
Netflow v9 Support 100
NetFlow Record Format 100
Frequently Asked Questions (FAQs) 115
Preface
The Preface contains these sections:
• Changes to This Document, page ix
• Obtaining Documentation and Submitting a Service Request, page ix
Changes to This Document
This table lists the technical changes made to this document since it was first released.
Table 1: Changes to This Document
Revision      Date        Change Summary
OL-32659-01   July 2014   Initial release of this document.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service
request, and gathering additional information, see What's New in Cisco Product Documentation, at: http://
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical
documentation, as an RSS feed that delivers content directly to your desktop using a reader application. The
RSS feeds are a free service.
CHAPTER 1
New and Changed Carrier Grade NAT Feature Information
This table summarizes the new and changed information for the Cisco IOS XR Carrier Grade NAT
Configuration Guide for the Cisco CRS Router, and tells you where the features are documented.
• New and Changed Carrier Grade NAT Features, page 1
New and Changed Carrier Grade NAT Features
Feature: CGSE-PLUS 1:1 Redundancy
  Description: This feature was introduced.
  Introduced/Changed in Release: Release 5.2.0
  Where Documented: Implementing Carrier Grade NAT on Cisco IOS XR Software chapter: 1:1 Redundancy, on page 18
Feature: CGSE-PLUS Back-to-Back Deployment
  Description: This feature was introduced.
  Introduced/Changed in Release: Release 5.2.0
  Where Documented: Implementing Carrier Grade NAT on Cisco IOS XR Software chapter: Back-to-Back Deployment, on page 18
Feature: CGSE-PLUS Intelligent Port Management
  Description: This feature was introduced.
  Introduced/Changed in Release: Release 5.2.0
  Where Documented: Implementing Carrier Grade NAT on Cisco IOS XR Software chapter: Intelligent Port Management, on page 18
Feature: CGSE-PLUS High Availability on the Data Path Service Virtual Interface (SVI)
  Description: This feature was introduced.
  Introduced/Changed in Release: Release 5.2.0
  Where Documented: Implementing Carrier Grade NAT on Cisco IOS XR Software chapter: High Availability on the Data Path Service Virtual Interface (SVI), on page 20
Feature: CGSE-PLUS Throughput Measurement
  Description: This feature was introduced.
  Introduced/Changed in Release: Release 5.2.0
  Where Documented: Implementing Carrier Grade NAT on Cisco IOS XR Software chapter: Throughput Measurement, on page 19
CHAPTER 2
Implementing Carrier Grade NAT on Cisco IOS XR Software
This chapter provides an overview of the implementation of Carrier Grade NAT on Cisco IOS XR Software.
• Configuration Examples for Implementing the Carrier Grade NAT, page 84
Carrier Grade NAT Overview and Benefits
To implement the Carrier Grade NAT, you should understand the following concepts:
Carrier Grade NAT Overview
Carrier Grade Network Address Translation (CGN) is a large-scale NAT that is capable of providing private
IPv4 to public IPv4 address translation in the order of millions of translations to support a large number of
subscribers, and at least 10 Gbps full-duplex bandwidth throughput.
CGN is a workable solution to the IPv4 address depletion problem, and offers a way for service provider
subscribers and content providers to implement a seamless transition to IPv6. CGN employs network address
and port translation (NAPT) methods to aggregate many private IP addresses into fewer public IPv4 addresses.
For example, a single public IPv4 address with a pool of 32 K port numbers supports 320 individual private
IP subscribers, assuming each subscriber requires 100 ports (each TCP connection, for example, consumes one
port number). Because ports are the shared resource, a per-subscriber port limit is what keeps one subscriber
from exhausting the pool for the others.
A CGN requires IPv6 to assist with the transition from IPv4 to IPv6.
Benefits of Carrier Grade NAT
CGN offers these benefits:
• Enables service providers to execute orderly transitions to IPv6 through mixed IPv4 and IPv6 networks.
• Provides address family translation, so translation is not limited to a single address family.
• Delivers a comprehensive solution suite for IP address management and IPv6 transition.
IPv4 Address Shortage
A fixed-size resource such as the 32-bit public IPv4 address space runs out. The IPv4 address shortage
therefore presents a significant challenge to all service providers who depend on large blocks of public or
private IPv4 addresses for provisioning and managing their customers.
Service providers cannot easily allocate sufficient public IPv4 address space to support new customers that
need to access the public IPv4 Internet.
NAT and NAPT Overview
A Network Address Translation (NAT) box is positioned between a private IP network, addressed with non-global
private addresses, and a public IP network, addressed with public IP addresses. A NAT maps one or many private
(or internal) IP addresses into one public IP address by employing both network address and port translation
(NAPT) techniques. The mappings, otherwise referred to as bindings, are typically created when a private IPv4
host located behind the NAT initiates a connection (for example, a TCP SYN) with a public IPv4 host. The NAT
intercepts the packet to perform these functions:
• Rewrites the private IP host source address and port values with its own IP source address and port values.
• Stores the private-to-public binding information in a table and sends the packet. When the public IP host
returns a packet, it is addressed to the NAT. The stored binding information is used to replace the IP
destination address and port values with the private IP host address and port values.
Traditionally, NAT boxes are deployed in the residential home gateway (HGW) to translate the multiple private
IP addresses configured on devices inside the home to the single public IP address that the service provider
configures and provisions on the HGW. In enterprise scenarios, you can use the NAT functions combined with
a firewall to offer security protection for corporate resources and allow for provider-independent IPv4
addresses. NATs have made it easier for private IP home networks to flourish independently from service
provider IP address provisioning. Enterprises can permanently employ private IP addressing for intranet
connectivity while relying on a few NAT boxes and public IPv4 addresses for external public Internet
connectivity. NAT boxes in conjunction with classic methods such as Classless Inter-Domain Routing (CIDR)
have slowed public IPv4 address consumption.
Network Address and Port Mapping
After a first mapping is established between an internal address and port and an external address and port,
the NAT can reuse that mapping for new sessions to other external endpoints. These mapping behaviors are
defined in RFC 4787:
• Endpoint-independent mapping—Reuses the port mapping for subsequent packets that are sent from
the same internal IP address and port to any external IP address and port.
• Address-dependent mapping—Reuses the port mapping for subsequent packets that are sent from the
same internal IP address and port to the same external IP address, regardless of the external port.
Note: CGN on ISM implements endpoint-independent mapping.
Translation Filtering
RFC 4787 also defines the filtering behaviors that a NAT applies to inbound packets, that is, which packets
originating from external endpoints are allowed through an existing mapping:
• Endpoint-independent filtering—Filters out only packets that are not destined to the internal address
and port, regardless of the external source IP address and port. Any external host that learns the public
address and port can reach the internal endpoint.
• Address-dependent filtering—Filters out packets that are not destined to the internal address and port.
In addition, the NAT filters out packets from an external IP address unless the internal endpoint has
previously sent packets to that external IP address (on any port).
• Address and port-dependent filtering—Filters out packets that are not destined to the internal address
and port. In addition, the NAT filters out packets from an external IP address and port unless the internal
endpoint has previously sent packets to that exact external IP address and port.
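The mapping and filtering behaviors above are easiest to see side by side. The following Python program is an added example, not Cisco code or part of this guide: a minimal NAPT table that uses endpoint-independent mapping for outbound packets and a selectable filtering mode for inbound packets, driven by the same sequence of packets in each mode. The public and subscriber addresses, the port range and the per-subscriber port limit are assumptions chosen for the example.

```python
# Added example (not Cisco code): a minimal NAPT table implementing the RFC 4787
# mapping and filtering behaviours. Addresses, port range and the per-subscriber
# port limit are assumptions for the example.
from dataclasses import dataclass, field


@dataclass
class Binding:
    ext_ip: str
    ext_port: int
    peers: set = field(default_factory=set)  # (dst_ip, dst_port) contacted through this binding


class Napt:
    FILTERS = ("endpoint-independent", "address-dependent", "address-and-port-dependent")

    def __init__(self, public_ip, filtering="endpoint-independent",
                 port_range=(1024, 65535), port_limit=100):
        if filtering not in self.FILTERS:
            raise ValueError(f"unknown filtering mode {filtering!r}")
        self.public_ip = public_ip
        self.filtering = filtering
        self.port_limit = port_limit            # ports one subscriber may hold (assumed policy)
        self.free_ports = list(range(port_range[1], port_range[0] - 1, -1))  # pop() gives lowest first
        self.bindings = {}                      # (int_ip, int_port) -> Binding
        self.reverse = {}                       # (ext_ip, ext_port) -> (int_ip, int_port)

    def ports_in_use(self, int_ip):
        return sum(1 for ip, _ in self.bindings if ip == int_ip)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Translate an internally initiated packet; returns (ext_ip, ext_port)."""
        key = (int_ip, int_port)
        b = self.bindings.get(key)
        if b is None:
            # Endpoint-independent mapping: one binding per (int_ip, int_port)
            # whatever the destination, so it is allocated only on first use.
            if self.ports_in_use(int_ip) >= self.port_limit:
                raise RuntimeError(f"port limit reached for {int_ip}")
            if not self.free_ports:
                raise RuntimeError("public port pool exhausted")
            b = Binding(self.public_ip, self.free_ports.pop())
            self.bindings[key] = b
            self.reverse[(b.ext_ip, b.ext_port)] = key
        b.peers.add((dst_ip, dst_port))         # remembered for the filtering decision
        return b.ext_ip, b.ext_port

    def inbound(self, src_ip, src_port, ext_ip, ext_port):
        """Apply translation filtering to a packet from the public side.
        Returns the internal (ip, port) to deliver to, or None if the packet is dropped."""
        key = self.reverse.get((ext_ip, ext_port))
        if key is None:
            return None                         # no binding at all: always dropped
        b = self.bindings[key]
        if self.filtering == "endpoint-independent":
            allowed = True
        elif self.filtering == "address-dependent":
            allowed = any(ip == src_ip for ip, _ in b.peers)
        else:
            allowed = (src_ip, src_port) in b.peers
        return key if allowed else None


def demo(filtering):
    """Run the same packets through one filtering mode; returns the four inbound results."""
    nat = Napt("203.0.113.10", filtering=filtering)
    ext = nat.outbound("10.0.0.5", 40000, "198.51.100.1", 80)
    assert nat.outbound("10.0.0.5", 40000, "198.51.100.2", 443) == ext  # mapping reused
    return (
        nat.inbound("198.51.100.1", 80, *ext),        # address and port already contacted
        nat.inbound("198.51.100.1", 8080, *ext),      # known address, different port
        nat.inbound("192.0.2.9", 80, *ext),           # address never contacted
        nat.inbound("198.51.100.1", 80, ext[0], 1),   # public port with no binding
    )


if __name__ == "__main__":
    for mode in Napt.FILTERS:
        print(mode, demo(mode))
```

The first result is delivered in every mode; the third (an address the subscriber never talked to) is delivered only under endpoint-independent filtering, which is why that mode is the most permissive toward unsolicited inbound traffic and the most friendly to peer-to-peer applications. The port-limit check is what stops a single subscriber from consuming the whole public port pool.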
Prerequisites for Implementing the Carrier Grade NAT
The following prerequisites are required to implement Carrier Grade NAT:
• You must be running Cisco IOS XR software Release 3.9.1 or later.
• You must have installed the CGN service package, that is, the pie hfr-services-p.pie-x.x.x or
hfr-services-px.pie-x.x.x (where x.x.x specifies the release number of Cisco IOS XR software).
Note: The CGN service package was named hfr-cgn-p.pie or hfr-cgn-px.pie for releases prior to Cisco IOS XR
Software Release 4.2.0. It is referred to as hfr-services-p.pie or hfr-services-px.pie in Cisco IOS XR Software
Release 4.2.0 and later.
• You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command.
Note: If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
• In case of intra-chassis redundancy, enable CGSE data and control path monitoring in configuration mode,
where R/S/CPU0 is the CGSE location:
service-plim-ha location R/S/CPU0 datapath-test
service-plim-ha location R/S/CPU0 core-to-core-test
service-plim-ha location R/S/CPU0 pci-test
service-plim-ha location R/S/CPU0 coredump-extraction
Note: All of these error conditions result in a card reload that triggers switchover to the standby CGSE.
Revertive switchover (disabled by default) and forced switchover are also available and can be used if
required. Contact Cisco Technical Support with show tech-support cgn information.
• In case of a standalone CGSE (without intra-chassis redundancy), enable the same CGSE data and control path
monitoring in configuration mode, where R/S/CPU0 is the CGSE location, and disable auto reload:
(admin-config) hw-module reset auto disable location R/S/CPU0
Note: In this case all of the error conditions result in a syslog message rather than a reload. On observation
of heartbeat failures or any HA test failure messages, contact Cisco Technical Support with show tech-support
cgn information.
CGSE PLIM
A Carrier-Grade Services Engine (CGSE) is a physical line interface module (PLIM) for the Cisco CRS-1
Router. When the CGSE is attached to a single CRS modular service card (forwarding engine), it provides
the hardware system running applications such as NAT44, XLAT, Stateful NAT64 and DS-Lite. An individual
application module consumes one CRS linecard slot. Multiple modules can be placed inside a single CRS
chassis to add capacity, scale, and redundancy.
There can be only one ServiceInfra SVI per CGSE Slot. This is used for the Management Plane and is required
to bring up CGSE. This is of local significance within the chassis.
ServiceApp SVI is used to forward the data traffic to the CGSE applications. You can scale up to 256
ServiceApp interfaces for each CGSE. These interfaces can be advertised in IGP/EGP.
CGSE Multi-Chassis Support
The CGSE line card is supported in a multi-chassis configuration. 16 CGSE line cards are supported on each
Cisco CRS Router chassis. A maximum of 32 CGN instances are supported.
For CGN applications, such as NAT44, NAT64, XLAT, DS-Lite and 6RD, a maximum of 20 million sessions
are supported by each CGSE line card.
CGSE Plus PLIM
CGSE Plus is a multi-service PLIM for the Cisco CRS-3 Router. The module has a maximum packet processing
speed of 40 Gbps full-duplex with a reduced boot time and latency. It also supports services redundancy and
QoS for service applications.
Note: The actual throughput of the application depends on the software logic and the CPU cycles consumed by
the software.
CGSE Plus is brought up in two modes:
• CGN mode — The Cisco IOS XR and Linux software are tuned to host CGN applications such as NAT44
and 6RD.
• SESH mode — The Cisco IOS XR and Linux software are tuned to host future applications such as
Arbor DDoS services.
For more information on CGSE Plus PLIM, see Cisco CRS Carrier Grade Services Engine Physical Layer
Interface Module Installation Note.
Information About Carrier Grade NAT
These sections provide the information about implementation of NAT using ICMP and TCP:
Implementing NAT with ICMP
This section explains how Network Address Translation (NAT) devices work in conjunction with the Internet
Control Message Protocol (ICMP). NAT implementations vary in how they handle different kinds of traffic.
ICMP Query Session Timeout
RFC 5508 specifies ICMP Query Session timeouts. A NAT maintains a mapping timeout for the ICMP queries that
traverse it. The ICMP Query Session timeout is the period during which a mapping stays active without packets
traversing the NAT. The timeout can be set as either the Maximum Round Trip Time (Maximum RTT) or the Maximum
Segment Lifetime (MSL); for the purpose of constraining the maximum RTT, the MSL is considered a guideline for
setting packet lifetime.
If the ICMP NAT session timeout is set to a very large duration (for example, 240 seconds), it ties up precious
NAT resources such as query mappings and NAT sessions for the whole duration. If the timeout is set very low,
NAT resources are freed prematurely and applications fail to complete gracefully. The ICMP Query Session
timeout therefore needs to balance the two extremes; a 60-second timeout is that balance.
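To put numbers on this trade-off, the following Python program is an added example (not Cisco code or part of this guide): an ICMP query mapping table with an idle timeout, replayed over a constructed trace of 1000 subscribers that each send an echo request every 300 seconds, plus one host whose reply arrives 90 seconds after its request. The trace, the subscriber count and the timings are assumptions; the code returns the peak number of mappings held at once and the number of replies dropped because their mapping had already been freed.

```python
# Added example (not Cisco code): ICMP query mappings with an idle timeout,
# replayed over a constructed trace to show the resource-versus-loss trade-off.
class IcmpQueryTable:
    """NAT mapping table for ICMP queries, keyed by (internal IP, ICMP identifier)."""

    def __init__(self, timeout):
        self.timeout = timeout            # idle timeout in seconds
        self.active = {}                  # (int_ip, icmp_id) -> time of last packet
        self.peak = 0                     # most mappings held at the same time
        self.dropped_replies = 0          # replies that found no mapping (freed too early)

    def _expire(self, now):
        self.active = {k: t for k, t in self.active.items() if now - t < self.timeout}

    def query(self, now, int_ip, icmp_id):
        self._expire(now)
        self.active[(int_ip, icmp_id)] = now          # create or refresh the mapping
        self.peak = max(self.peak, len(self.active))

    def reply(self, now, int_ip, icmp_id):
        self._expire(now)
        if (int_ip, icmp_id) not in self.active:
            self.dropped_replies += 1                 # premature free: nowhere to deliver
            return False
        self.active[(int_ip, icmp_id)] = now
        return True


def build_trace(subscribers=1000, interval=300, cycles=3, slow_reply_delay=90):
    """Constructed traffic, not a capture: each subscriber sends one echo request per
    `interval` seconds (answered 1 s later), with start times spread evenly; one extra
    host gets its reply only after `slow_reply_delay` seconds."""
    events = []
    for s in range(subscribers):
        ip, ident = f"10.0.{s // 256}.{s % 256}", 0x1000 + s
        start = (s * interval) // subscribers
        for k in range(cycles):
            t = start + k * interval
            events.append((t, "query", ip, ident))
            events.append((t + 1, "reply", ip, ident))
    events.append((0, "query", "10.9.9.9", 0x9999))
    events.append((slow_reply_delay, "reply", "10.9.9.9", 0x9999))
    return sorted(events)          # at equal times "query" sorts before "reply"


def run(trace, timeout):
    """Replay `trace` through a table with the given timeout.
    Returns (peak concurrent mappings, replies dropped)."""
    table = IcmpQueryTable(timeout)
    for t, kind, ip, ident in trace:
        if kind == "query":
            table.query(t, ip, ident)
        else:
            table.reply(t, ip, ident)
    return table.peak, table.dropped_replies


if __name__ == "__main__":
    trace = build_trace()
    for timeout in (1, 60, 240):
        print(f"timeout {timeout:3d}s: peak mappings, dropped replies = {run(trace, timeout)}")
```

Running it with timeouts of 1, 60 and 240 seconds shows the shape of the argument: at 1 s every reply is dropped, at 60 s only the late reply is lost and roughly 200 mappings are held, and at 240 s nothing is lost but about four times as many mappings sit in the table for the same traffic.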
Implementing NAT with TCP
This section explains the various NAT behaviors that are applicable to TCP connection initiation. The detailed
NAT with TCP functionality is defined in RFC 5382.
Address and Port Mapping Behavior
A NAT translates the packets of each TCP connection using a mapping. A mapping is dynamically allocated for
connections initiated from the internal side, and potentially reused for certain connections later.
Internally Initiated Connections
An internal endpoint initiates a TCP connection through a NAT by sending a SYN packet. The external IP address
and port used for translation for that connection are defined in the mapping.
Generally, for client-server applications where an internal client initiates the connection to an external
server, the mapping is used to translate the outbound SYN, the resulting inbound SYN-ACK response, the
subsequent outbound ACK, and the other packets of the connection. This 3-way handshake is the usual method
of connection initiation.
Externally Initiated Connections
The NAT allocates the mapping for the first connection initiated by an internal endpoint. In some situations,
the NAT policy may allow that mapping to be reused for a connection initiated from the external side to the
internal endpoint; whether such an inbound SYN is accepted is governed by the translation filtering behavior.
Implementing NAT 44 over ISM
These sections provide information about the implementation of NAT44 over ISM.
The following figure illustrates the implementation of NAT44 over ISM. The components of this illustration are
as follows:
• Private IPv4 subscribers: denotes a private network.
• Interface/VLAN: denotes a designated interface or VLAN that is associated with the VRF.
• Inside VRF: denotes the VRF that handles packets coming from the subscriber network. It is known as the
inside VRF because it forwards packets from the private network.
• App SVI: denotes an application interface that forwards the data packet to and from the ISM. The data packet
may be sent from another line card through the backplane. Because the ISM card does not have a physical
interface, the App SVI acts as the logical entry into it.
The inside VRF is bound to an App SVI. Two App SVIs are required: one for the inside VRF and the other for the
outside VRF. Each App SVI pair is associated with a unique inside VRF and a unique public IP address pool. The
VRF contains a static route that forwards packets to App SVI1.
• Outside VRF: denotes the VRF that handles packets going out to the public network. It is known as the outside
VRF because it forwards packets from the public network.
• Public IPv4: denotes a public network.
The following figure illustrates the path of the data packet from a private network to a public network in a
NAT implementation.
The packet goes through the following steps when it travels from the private network to the public network:
1. In the network shown in this figure, the packet travels from host A (IP address 10.222.5.55) in the private
network to host B (IP address 5.5.5.2) in the public network. The private address has to be mapped to the
public address by NAT44, which is implemented in the ISM.
2. The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 0. When using
NAT44, it is mandatory that the packet enters through a VRF.
3. Once the packet reaches the designated interface or VLAN on the ASR9K, it is forwarded to the inside VRF
either through static routing or ACL-based forwarding (ABF). When the inside VRF determines that the packet
needs address translation, it is forwarded to the App SVI that is bound to the VRF.
4. The packet is forwarded by App SVI1 through a default static route (ivrf1). The source address and port are
translated because of the CGN configuration applied on the ISM.
5. The ISM applies NAT44 to the packet and creates a translation entry. The CGN determines the destination
address from the FIB lookup and pushes the packet to the egress port.
6. The packet is then forwarded to the egress port on the interface through App SVI2. An inside VRF is mapped
to an outside VRF, and the outside VRF is associated with this interface. The packet is forwarded by App SVI2
through the default static route (ovrf1). Then the packet is sent to the public network.
7. Packets that do not need address translation bypass the App SVI and are forwarded to the destination through
a different static route and a different egress port.
The following figure illustrates the path of the packet coming from the public network to the private network.
The packet goes through the following steps when it travels from the public network to the private network:
1. In the network shown in this figure, the packet travels from host B (IP address 5.5.5.2) in the public
network to host A (IP address 10.222.5.55) in the private network. The public address has to be mapped back to
the private address by NAT44, which is implemented in the ISM.
2. The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 0.
3. Once the packet reaches the designated interface or VLAN on the ASR9K, it is forwarded to the outside VRF
either through static routing or ACL-based forwarding (ABF).
4. The packet is forwarded by App SVI2 through a default static route. The destination address and port are
mapped to the translated address.
5. The ISM applies NAT44 to the packet, using the translation entry created by the outbound packet. The CGN
determines the destination address from the FIB lookup and pushes the packet to the egress port.
6. The packet is then forwarded to the egress port on the interface through App SVI1. Then the packet is sent
to the private network through the inside VRF.
7. Packets that do not need address translation bypass the App SVI and are forwarded to the destination through
a different static route and a different egress port.
Implementing NAT 64 over ISM
This section explains how NAT64 is implemented over ISM. The figure illustrates the implementation of
NAT64 over ISM. The components of this implementation are as follows:
• Private IPv6 subscribers: denotes a private network.
• Interface/VLAN: denotes a designated interface or VLAN that is associated with the VRF.
• Inside VRF: denotes the VRF that handles packets coming from the subscriber network. It is known as the
inside VRF because it forwards packets from the private network.
• App SVI: denotes an application interface that forwards the data packet to and from the ISM. The data packet
may be sent from another line card through the backplane. Because the ISM card does not have a physical
interface, the App SVI acts as the logical entry into it.
The inside VRF is bound to an App SVI. Two App SVIs are required: one for the inside VRF and the other for the
outside VRF. Each App SVI pair is associated with a unique inside VRF and a unique public IP address pool. The
VRF contains a static route that forwards packets to App SVI1.
• Outside VRF: denotes the VRF that handles packets going out to the public network. It is known as the outside
VRF because it forwards packets from the public network.
• Public IPv4: denotes a public network.
The following figure illustrates the path of the data packet from a private network to a public network in a
NAT64 implementation.
The packet goes through the following steps when it travels from the private network to the public network:
1. In the network shown in this figure, the packet travels from host A (IPv6 address 3001:DB8:E0E:E03::/40)
in the private network to host B (IP address 11.11.11.2) in the public network. The private IPv6 address has
to be mapped to a public IPv4 address by NAT64, which is implemented in the ISM.
2. The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 3.
3. Once the packet reaches the designated interface or VLAN on the ASR9K, it is forwarded to the inside VRF
either through static routing or ACL-based forwarding (ABF). This routing decision determines which packets
need address translation; those packets are forwarded to the App SVI that is bound to the VRF.
4. The packet is forwarded by App SVI1 through a default static route. The source address and port are
translated because of the CGN configuration applied on the ISM.
5. The ISM applies NAT64 to the packet and creates a translation entry. The CGN determines the destination
address from the FIB lookup and pushes the packet to the egress port.
6. The packet is then forwarded to the egress port on the interface through App SVI2. The packet is forwarded
by App SVI2 through the default static route. Then the packet is sent to the public network.
7. Packets that do not need address translation bypass the App SVI and are forwarded to the destination through
a different static route and a different egress port.
The following figure illustrates the path of the packet coming from the public network to the private network.
The packet goes through the following steps when it travels from the public network to the private network:
1. In the network shown in this figure, the packet travels from host B (IP address 11.11.11.2) in the public
network to host A (IPv6 address 3001:DB8:E0E:E03::) in the private network. The public IPv4 address has to be
mapped to the private IPv6 address by NAT64, which is implemented in the ISM.
2. The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 3.
3. Once the packet reaches the designated interface or VLAN on the ASR9K, it is forwarded to the outside VRF
either through static routing or ACL-based forwarding (ABF). Based on this routing decision, the packet is
forwarded to the App SVI that is bound to the VRF.
4. The packet is forwarded by App SVI2 through a default static route. The destination address and port are
mapped to the translated address.
5. The ISM applies NAT64 to the packet. The CGN determines the destination address from the FIB lookup and
pushes the packet to the egress port.
6. The packet is then forwarded to the egress port on the interface through App SVI1. Then the packet is sent
to the private network through the inside VRF.
7. Packets that do not need address translation bypass the App SVI and are forwarded to the destination through
a different static route and a different egress port.
Double NAT 444
The Double NAT 444 solution offers the fastest and simplest way to address the IPv4 depletion problem without
requiring an upgrade to IPv6 anywhere in the network. Service providers can continue offering new IPv4
customers access to the public IPv4 Internet by using private IPv4 address blocks. If the service provider is
large enough, however, it needs overlapping RFC 1918 address space, which forces the service provider to
partition its network management systems and creates complexity with access control lists (ACLs).
Double NAT 444 uses both the edge NAT and the CGN to hold the translation state for each session. For example,
both NATs must hold 100 entries in their respective translation tables if the hosts in a subscriber's residence
have 100 connections to hosts on the Internet. There is no easy way for a private IPv4 host to communicate
with the CGN to learn its public IP address and port information or to configure a static incoming port
forwarding; the Port Control Protocol (PCP) server described later in this guide addresses this.
Address Family Translation
Translation between IPv6-only and IPv4-only hosts is referred to as address family translation (AFT). AFT
translates the IP address from one address family into another address family. For example, IPv6 to IPv4
translation is called NAT64, and IPv4 to IPv6 translation is called NAT46.
Cisco Carrier NAT Applications
These applications are deployed on the CGSE line card.
IPv4/IPv6 Stateless Translator
IPv4/IPv6 Stateless Translator (XLAT), which runs on the CRS Carrier Grade Services Engine (CGSE),
enables an IPv4-only endpoint that is situated in an IPv4-only network, to communicate with an IPv6-only
end-point that is situated in an IPv6-only network. This like-to-unlike address family connectivity paradigm
provides backwards compatibility between IPv6 and IPv4.
A Stateless XLAT (SL-XLAT) does not create or maintain any per-session or per-flow data structures. It is
an algorithmic operation performed on the IP packet headers that results in the translation of an IPv4 packet
to an IPv6 packet, and vice-versa. SL-XLAT requires Cisco IOS XR Software Release 3.9.3 or 4.0.1 or 4.1.0
or later.
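The guide does not spell out the algorithm a stateless translator applies to addresses. As an added example (not Cisco code or the CGSE implementation), the Python below implements the IPv4-embedded IPv6 address format of RFC 6052, which is the scheme stateless IPv4/IPv6 translators use: an IPv4 address is placed inside an IPv6 prefix of length /32, /40, /48, /56, /64 or /96, keeping bits 64 to 71 zero, and is recovered again on the way back without any per-flow state. The 64:ff9b::/96 default and the 2001:db8 prefixes are the RFC's documentation values, not addresses from this guide.

```python
# Added example (not Cisco code): RFC 6052 IPv4-embedded IPv6 addresses, the
# address step of a stateless IPv4/IPv6 translator. Prefixes are assumptions.
import ipaddress

VALID_PLENS = (32, 40, 48, 56, 64, 96)


def _layout(plen):
    """Byte offsets where the IPv4 octets go: `start` octets before byte 8 (the
    reserved 'u' octet, bits 64..71, must stay zero) and the rest from byte 9."""
    start = plen // 8
    head = min(4, 8 - start)           # octets that fit before the u octet
    return start, head


def embed(ipv4, prefix="64:ff9b::/96"):
    """Synthesize the IPv6 address that represents `ipv4` under `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PLENS:
        raise ValueError(f"unsupported prefix length /{net.prefixlen}")
    v4 = ipaddress.IPv4Address(ipv4).packed
    out = bytearray(net.network_address.packed)
    if net.prefixlen == 96:
        out[12:16] = v4                # simplest case: IPv4 address is the low 32 bits
    else:
        start, head = _layout(net.prefixlen)
        out[start:start + head] = v4[:head]
        out[9:9 + 4 - head] = v4[head:]
    return str(ipaddress.IPv6Address(bytes(out)))


def extract(ipv6, prefix="64:ff9b::/96"):
    """Recover the IPv4 address from an IPv4-embedded IPv6 address, or None when
    the address is not inside `prefix` (so the packet cannot be translated)."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net or net.prefixlen not in VALID_PLENS:
        return None
    b = addr.packed
    if net.prefixlen == 96:
        v4 = b[12:16]
    else:
        start, head = _layout(net.prefixlen)
        v4 = b[start:start + head] + b[9:9 + 4 - head]
    return str(ipaddress.IPv4Address(v4))


if __name__ == "__main__":
    for pfx in ("64:ff9b::/96", "2001:db8::/32", "2001:db8:100::/40", "2001:db8:122:344::/64"):
        v6 = embed("192.0.2.33", pfx)
        print(f"{pfx:24} {v6:36} -> {extract(v6, pfx)}")
```

Because the mapping is purely algorithmic, a translator configured with a prefix can be made to translate packets for any IPv4 destination that an IPv6 host cares to embed, which is why the reachable prefix is usually constrained by routing or ACLs rather than by the translator itself.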
IPv6 Rapid Deployment
IPv6 Rapid Deployment (6RD) is a mechanism that allows service providers to provide a unicast IPv6 service
to customers over their IPv4 network.
Stateful NAT64
The Stateful NAT64 (Network Address Translation 64) feature provides a translation mechanism that translates
IPv6 packets into IPv4 packets and vice versa. NAT64 allows IPv6-only clients to contact IPv4 servers using
unicast UDP, TCP, or ICMP. A public IPv4 address can be shared by several IPv6-only clients. NAT64 supports
communication between:
• IPv6 Network and Public IPv4 Internet
• Public IPv6 Internet and IPv4 Network
NAT64 is implemented on the Cisco CRS router CGSE platform. The CGSE (Carrier Grade Services Engine) has
four Octeon processors and supports 20 Gbps full-duplex traffic. It runs a Linux operating system, and traffic
into the CGSE is forwarded using ServiceApp interfaces. SVIs (Service Virtual Interfaces) are configured to
enable traffic to flow in and out of the CGSE.
Each NAT64 instance configured is associated with two ServiceApps:
• One ServiceApp carries traffic from the IPv6 side.
• The other ServiceApp carries traffic from the IPv4 side of the NAT64.
NAT64 instance parameters are configured using the CGN CLI. The NAT64 application in the Octeons updates
its NAT64 instance and ServiceApp databases, which are used to perform the translation between IPv6 and
IPv4 and vice versa.
Active CGN instance configuration is replicated in the standby CGN instance through the XR control plane.
Translations that are established on the Active CGN instance are not exported to the Standby CGN instance,
so failure of the Active CGN affects service until translations are re-established through normal packet
flow. Service interruption is moderate for the given fault detection time and translation learning rate, in
the order of seconds or tens of seconds for a large translation database.
Dual Stack Lite
The Dual Stack Lite (DS-Lite) feature enables legacy IPv4 hosts and servers to communicate over both IPv4
and IPv6 networks. IPv4 hosts may also need to access the IPv4 Internet over an IPv6 access network. These
IPv4 hosts have private addresses, which need network address translation (NAT) before they reach the IPv4
Internet. The Dual Stack Lite application has these components:
• Basic Bridging BroadBand Element (B4): This is a Customer Premises Equipment (CPE) router that is attached
to the end hosts. The IPv4 packets entering the B4 are encapsulated using an IPv6 tunnel and sent to the
Address Family Transition Router (AFTR).
• Address Family Transition Router (AFTR): This is the router that terminates the tunnel from the B4. It
decapsulates the tunneled IPv4 packet, translates the network address and routes the packet to the IPv4 network.
In the reverse direction, IPv4 packets coming from the internet are reverse network address translated and the
resultant IPv4 packets are sent to the B4 using an IPv6 tunnel.
The Dual Stack Lite feature helps in these functions:
1. Tunnelling IPv4 packets from CE devices over IPv6 tunnels to the CGSE blade.
2. Decapsulating the IPv4 packet and sending the decapsulated content to the IPv4 internet after completing
network address translation.
3. In the reverse direction, completing reverse network address translation and then tunnelling the packets over
IPv6 tunnels to the CPE device.
IPv6 traffic from the CPE device is natively forwarded.
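As an added example (not from the Cisco guide and not the CGSE's code), the B4 and AFTR halves of steps 1 and 2 at packet level in Python: the B4 wraps an IPv4 datagram in an IPv6 header with Next Header 4 (IPv4-in-IPv6, RFC 2473), and the AFTR validates and strips that header and derives the key its NAT binding must use. The IPv4 and IPv6 addresses and the UDP payload are constructed sample values.

```python
import struct
import ipaddress

IPPROTO_IPV4 = 4    # IPv6 Next Header value for IPv4-in-IPv6 (RFC 2473)
IPPROTO_UDP = 17

def _checksum(data: bytes) -> int:
    """Internet checksum; yields 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed sample IPv4/UDP datagram (UDP checksum 0 is legal over IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + udp

def b4_encapsulate(b4_v6, aftr_v6, inner):
    """B4 (CPE) side: the whole IPv4 packet becomes the payload of an IPv6
    header addressed to the AFTR, with Next Header = 4."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(inner), IPPROTO_IPV4, 64,
                      ipaddress.IPv6Address(b4_v6).packed,
                      ipaddress.IPv6Address(aftr_v6).packed)
    return hdr + inner

def aftr_decapsulate(packet):
    """AFTR side: validate and strip the tunnel header. Returns the NAT
    binding key (B4 IPv6 address, inner private IPv4 source, source port)
    and the inner packet. The B4 address is part of the key because private
    IPv4 ranges overlap between subscribers behind different B4s."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", packet[4:7])
    if nh != IPPROTO_IPV4:
        raise ValueError("not an IPv4-in-IPv6 tunnel packet")
    inner = packet[40:40 + plen]
    ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if len(inner) < 20 or inner[0] >> 4 != 4 or _checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header is invalid")
    src = str(ipaddress.IPv4Address(inner[12:16]))
    sport = struct.unpack("!H", inner[ihl:ihl + 2])[0] if inner[9] in (6, 17) else None
    b4 = str(ipaddress.IPv6Address(packet[8:24]))
    return (b4, src, sport), inner
```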
Port Control Protocol
Port Control Protocol (PCP) allows an IPv6 or IPv4 host to control how incoming IPv6 or IPv4 packets are
translated and forwarded by a network address translator.
PCP version 1 as documented in http://tools.ietf.org/html/draft-ietf-pcp-base-19 is supported.
It also allows packets to be received from the Internet to a host and allows a host to reduce keepalive traffic
of connections to a server.
Policy Functions
Application Level Gateway
The Application Level Gateway (ALG) deals with the applications that are embedded in the IP address payload.
Active File Transfer Protocol (FTP), Point-to-Point Tunneling Protocol (PPTP), and Real Time Streaming
Protocol (RTSP) are supported.
FTP-ALG
CGN supports both passive and active FTP. FTP clients are supported with inside (private) address and servers
with outside (public) addresses. Passive FTP is provided by the basic NAT function. Active FTP is used with
the ALG.
RTSP-ALG
CGN supports the Real Time Streaming Protocol (RTSP), an application-level protocol for control over the
delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled,
on-demand delivery of real-time data, such as audio and video. Sources of data can include both live data
feeds and stored clips.
PPTP-ALG
PPTP is a network protocol that enables secure transfer of data from a remote client to a private enterprise
server by creating a Virtual Private Network (VPN). It is used to provide IP security at the network layer.
PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
PPTP-ALG is a CGN solution that allows traffic from all clients through a single PPTP tunnel.
A PPTP tunnel is instantiated on the TCP port. This TCP connection is then used to initiate and manage a
second GRE tunnel to the same peer.
PPTP uses an access controller and network server to establish a connection.
PPTP Access Controller (PAC)
A device attached to one or more PSTN or ISDN lines capable of PPP operation and handling the PPTP
protocol. It terminates the PPTP tunnel and provides VPN connectivity to a remote client.
PPTP Network Server (PNS)
A device which provides the interface between the Point-to-Point Protocol (encapsulated in the PPTP protocol)
and a LAN or WAN. The PNS uses the PPTP protocol to support tunneling between a PPTP PAC and the
PNS. It requests VPN connectivity using a PPTP tunnel.
Control Connection
A control connection is established between a PAC and a PNS over TCP.
Tunnel
A tunnel carries GRE encapsulated PPP datagrams between a PAC and a PNS.
Note
Active FTP, PPTP ALG, and RTSP ALG are supported on NAT44 applications. Active FTP and RTSP
ALG are supported on DS-Lite applications.
TCP Maximum Segment Size Adjustment
When a host initiates a TCP session with a server, the host negotiates the IP segment size by using the maximum
segment size (MSS) option. The value of the MSS option is determined by the maximum transmission unit
(MTU) that is configured on the host.
Static Port Forwarding
Static port forwarding helps in associating a private IP address and port with a statically allocated public IP
and port. After you have configured static port forwarding, this association remains intact and does not get
removed due to timeouts until the CGSE is rebooted. In case of redundant CGSE cards, it remains intact until
both of the CGSEs are reloaded together or the router is reloaded. There are remote chances that after a reboot,
this association might change. This feature helps in cases where server applications running on the private
network need to be reachable from the public internet.
1:1 Redundancy
CGSE and CGSE Plus support 1:1 redundancy. Two CGSE or CGSE Plus cards can be placed in the
active-standby configuration. The card that comes up first gets into the active mode first. If the first card that
is in the active mode fails, the second card that is in the standby mode becomes active and processes the traffic.
When the failure occurs, the switchover occurs within a second. This redundancy model is in the warm standby
mode as the second card is already booted and preconfigured. Once it becomes active, it only has to re-establish
the sessions.
Note
The 1:1 redundancy feature does not support the mixing of CGSE and CGSE Plus cards. So ensure that
you use either two CGSE cards or two CGSE Plus cards.
You can check the status of the redundancy of the CGSE or CGSE Plus cards by using the show services redundancy command.
The failover and failback operations can be forced by using the service redundancy command.
Back-to-Back Deployment
The CGSE and CGSE-PLUS cards can be used in a back-to-back CRS chassis configuration. In this configuration,
the active card and the standby card are in different chassis, thereby supporting inter-chassis redundancy. The
performance of the cards on different chassis is the same as it would be if they were co-located in the same
chassis.
Note
The two CGSE or CGSE-PLUS cards that are used in redundancy configuration can be in the same chassis
or different chassis.
Intelligent Port Management
Intelligent Port Management is an efficient and flexible way of managing the public ports. This management
process consists of the following features:
• Configuration of multiple public address pools
• Reduction of the minimum size of bulk allocation
• Configuration of port limit per VRF
• Configuration of same public pool across different NAT instances
Configuration of Multiple Public Address Pools
From this release onwards, you can create multiple pools of address for each inside VRF. This configuration
currently supports 8 address pools that do not overlap with each other.
Note
Ensure that you do not add more than 8 address pools as it might result in verification errors, thereby
leading to the rejection of the configuration.
Some of the considerations regarding the configuration of multiple public address pools are as follows:
• The outside VRF and outside ServiceApp remain the same for different pools of addresses for a given
inside VRF.
Note
If the outside VRF and the outside ServiceApp are changed, then there are chances that
a subscriber packet is routed onto different outside VRFs and different ServiceApps at
various times. Hence if you try to configure different address pools with different outside
VRF and different ServiceApps, the configuration is rejected.
• The maximum size of the public address pool is 65536 addresses per CGN instance.
• The minimum size of the public address pool is 64 addresses.
• When a particular address pool is deleted, the associated translations are also deleted.
Reduction of the Minimum Size of Bulk Allocation
The minimum size of bulk allocation has been reduced to 8. This size can be specified by using the
bulk-port-alloc size command.
Configuration of Port Limit per VRF
For NAT44, you can configure different port limits for different inside-VRF instances. The port limit specified
per VRF overrides the port limit value specified globally. But if the port limit per VRF is not specified, then
the global port limit is applied. This configuration is supported for CGSE as well as CGSE-PLUS.
If the port limit is reduced, the CGSE or CGSE-PLUS card does not terminate any existing translation. But no new
translations are created until the usage by the subscribers for that VRF falls below the port limit.
Configuration of Same Public Address Pool across Different NAT instances
A public address pool can be reused by different instances of NAT. But the address pool can be reused only
by different CGN instances on different service cards. The syslog gives details on the CGN instances and the
address pool that is being reused.
Two or more different instances of CGN can act as active-standby in an N:1 redundancy. In such configurations,
two CGSE cards can be in active mode with different address pools. A third CGSE card can act as a common
standby for both of them. In this case, it is convenient if the third CGSE card is allowed to reuse the address
pools used on the other two CGSE cards.
Throughput Measurement
The service card, like CGSE, has smaller throughput compared to the other cards in the platform. Therefore
it drops packets at the service application interface if the traffic diverted to it is more than it can handle. Hence
it becomes very important to measure the throughput for a service card. From this release onwards, the
throughput of the CGSE card for the last 1 second and the last 5 minutes can be seen by using the show cgn
utilization throughput command.
Considerations
Some of the considerations of the throughput measurement feature are as follows:
• The traffic processed by CGSE is measured in terms of bits per second and packets per second for the
last 1 second as well as the last 5 minutes.
• The throughput measurement is done on the traffic coming into CGSE, either from the Inside-to-Outside
direction or from the Outside-to-Inside direction.
High Availability on the Data Path Service Virtual Interface (SVI)
The CGSE already supports high availability tests to detect failures within specific CPU cores (the
service-plim-ha core-to-core test) so that an alert is generated if one or more CPU cores of a CGSE card should
fail. If configured, the CGSE card goes for a reload and traffic is diverted to standby (or other active cards
depending on the configuration) upon detecting any core failures. The CGSE already supports a similar test to
confirm the integrity of the packet path by sending test packets via the ServiceInfra interface (the service-plim-ha
data-path test). The card can be configured to reload upon failure of this test as well.
However, until now, there was no test mechanism to confirm the integrity of the path via ServiceApp interfaces
(which bring in and send out subscriber traffic). With this release, a test mechanism has been added for
ServiceApp interfaces configured for 6RD application (for both V4 and V6 ServiceApps). The test can be
enabled via configuration. The test packets are generated from CGSE and made to traverse through the fabric
and come back in to CGSE via ServiceApp interfaces. Should there be a failure in receiving the packets, a
syslog message is generated to alert the administrator. Optionally, the ServiceApp interfaces can be configured
to be shut down upon detecting failure of this test. Shutting down the failed ServiceApp interfaces is useful
in case of active-active configuration where traffic is automatically diverted to other CGSE blades and hence
traffic loss can be prevented without manual intervention.
After the high availability feature is configured, the CGSE can detect the conditions where the data path SVI
(ServiceApp interface) is not able to forward traffic. If such a condition is detected, then the following actions
are taken:
• A syslog message is logged by default.
• The SVI can be shut down. But you need to ensure that the packets are diverted to the SVIs of the other
available CGSEs.
Considerations
Some of the considerations regarding the high availability on the data path SVIs are as follows:
• In the current release, the high availability configuration is supported only for V4 and V6 ServiceApps
of the 6rd application.
• In case of a failure, the syslog message is generated irrespective of the shutdown of the SVI instance.