07 Apr

Carrier Grade NAT on ASR1000

IOS XE 3.6S was released recently, introducing Carrier Grade NAT (CGN) to the ASR 1000 platform. CGN translates IPv4 addresses into IPv6 addresses and vice versa and is one of the most critical features while the world is slowly moving to IPv6 addressing. It can also be used for NAT44 (IPv4 private to IPv4 public) translation. What distinguishes CGN from traditional NAT? CGN increases the number of NAT translations that can be supported, because destination information is not stored, and it works well with carrier services such as broadband access aggregation (e.g. PPPoE, DSL).

Carrier Grade NAT differs a little from traditional NAT. It does not support outside mappings, because it does not store the destination IP address. There are also a few other limitations on the ASR1000 platform: neither IP Sessions nor box-to-box redundancy is supported. Other features important for service providers, including Lawful Intercept, high-speed logging using NetFlow, VRF awareness and multihoming, are supported.
CGN is enabled globally: you can't have carrier grade and traditional NAT working together on the same box. The old NAT configuration has to be removed prior to enabling CGN. The feature is enabled using the command

ASR1000(config)# ip nat settings mode cgn

7 thoughts on “Carrier Grade NAT on ASR1000”

  1. This is what I had in mind! The only question is what if you combine an ASR1006 for BNG and enable CGN also? What will be the performance of the router in terms of the number of terminated subscribers and memory, of course! Although I believe that with the upgraded RSP/memory that all ASR1006 come with, at least 48k subscribers would be more than enough in the box for simultaneous CGN and PPP termination!

  2. Hi to all,
    we are just deploying a new ASR1004 with NAT44 / ip nat settings mode CGN. It seems that it's not working very well. Has anyone already deployed it? Any PPT / best practices document?
    Thanks a lot to all.

  3. Hi,
    this is summary config for the ASR1004:

    boot system flash bootflash:asr1000rp1-adventerprisek9.03.06.02.S.152-2.S2.bin

    ….
    ….
    interface TenGigabitEthernet0/0/0
    description *** Physical Links to ASBR ***
    no ip address
    load-interval 30
    carrier-delay msec 100
    !

    interface TenGigabitEthernet0/0/0.3650
    description *** UPLINK TO INET ***
    encapsulation dot1Q 3650
    ip address 172.16.11.202 255.255.255.252
    ip nat outside
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 xxxx
    ip ospf network point-to-point
    ip ospf bfd
    !
    interface TenGigabitEthernet0/0/0.3651
    description *** DOWNLINK TO MOBILE USERS ***
    encapsulation dot1Q 3651
    ip address 172.16.11.205 255.255.255.252
    ip nat inside
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 xxxx
    ip ospf network point-to-point
    ip ospf bfd
    !

    ip nat settings mode cgn
    no ip nat settings support mapping outside

    ip access-list extended POOL1_TEST
    permit icmp 10.24.0.0 0.0.255.255 any
    permit ip 10.24.0.0 0.0.255.255 any
    !

    ip nat pool POOL1_TEST 109.111.120.112 109.111.120.119 netmask 255.255.255.248
    ip nat inside source list POOL1_TEST pool POOL1_TEST overload

    Should I remove overload? Now testing with 2x end users, the public IP used is always the same/the first.
    With a normal laptop, NAT is working well, but with mobile tests it is not working well; maybe I should use more parameters like ip virtual-reassembly? ip tcp mss-adjust? ip mtu (less than 1500)?

    Making some ICMP from the laptop, it's working well, but I just don't understand how it works, as with CGN NAT the outside IP/port is not shown in the translations table. E.g.:

    ASR1004-1#show ip nat translations
    Pro Inside global Inside local Outside local Outside global
    icmp 109.111.120.112:1 10.24.143.254:40 --- ---

    Thanks in advance to all.
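The translation table quoted in the comment above has empty outside columns, which is what CGN mode produces because the destination is not stored; tracing a public IP and port back to a subscriber therefore rests on the inside global / inside local pair alone. The following is an added example, not part of the original post or its comments and not Cisco code: it parses output in that layout and performs the lookup. Only the icmp line comes from the page; the other sample lines and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the column layout shown on the page. Only the icmp
# line is from the page; the tcp/udp lines are invented for illustration.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 109.111.120.112:1 10.24.143.254:40 --- ---
tcp 109.111.120.112:1024 10.24.143.254:51512 --- ---
udp 109.111.120.112:1025 10.24.7.19:33000 — —
tcp 109.111.120.113:1024 10.24.7.19:44321 198.51.100.7:443 198.51.100.7:443
"""

class Xlate(NamedTuple):
    proto: str
    inside_global: tuple   # (public ip, port)
    inside_local: tuple    # (subscriber ip, port)
    has_outside: bool      # True means a destination was stored (not CGN style)

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
EMPTY = {"---", "—"}       # plain dashes, or the typographic dash seen on web pages

def _endpoint(token: str) -> Optional[tuple]:
    m = ENDPOINT.match(token)
    return (m.group(1), int(m.group(2))) if m else None

def parse_translations(text: str) -> list:
    """Parse dynamic entries; header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        glob, local = _endpoint(ig), _endpoint(il)
        if glob is None or local is None:
            continue
        stored_dst = not (ol in EMPTY and og in EMPTY)
        entries.append(Xlate(proto.lower(), glob, local, stored_dst))
    return entries

def attribute(entries: list, proto: str, public_ip: str, public_port: int):
    """Return the subscriber (ip, port) behind a public ip:port, or None."""
    hits = {e.inside_local for e in entries
            if e.proto == proto and e.inside_global == (public_ip, public_port)}
    if len(hits) > 1:
        raise LookupError("public ip:port maps to more than one subscriber")
    return next(iter(hits), None)

def entries_with_destination(entries: list) -> list:
    """Entries that carry outside addresses, which CGN mode does not record."""
    return [e for e in entries if e.has_outside]
```

Because the table is a point-in-time snapshot, attribution for a past event also needs the timestamped translation logs (the high-speed logging the article mentions) rather than this output alone.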
