4. Network address translation

This chapter provides an overview of Network Address Translation (NAT) functionality for BNG CUPS.

4.1. Residential NAT

For BNG CUPS, NAT responsibilities are divided between the CPF and UPF.

The role of the CPF is to associate the subscriber session with NAT during the session authentication phase. This process consists mainly of allocating the outside IP address and port-block to the NAT subscriber session. Those parameters are submitted to the UPF through the PFCP association.

The UPF performs NAT on the data traffic. On the UPF, NAT runs on MS-ISA service adapters, including the Integrated Service Adapter (ISA), Virtual ISA (vISA), and Extended Service Adapter (ESA). For the inside IP addresses, the incoming data traffic is sprayed across ISAs. This traffic spraying is based on the subscriber context, which typically represents a residence. For the outside IP addresses, the NAT prefix that is received from the CPF is segmented into smaller subnets and equally distributed across ISAs. This approach requires fair load distribution of traffic across service adapters in the upstream and downstream directions.

Note:

This chapter refers to all service adapter types as ISAs, except when it’s necessary to identify a specific type. For additional information about MS-ISA service adapters, refer to the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide.

For more information about NAT terminology and an overview of Residential NAT that outlines the division of NAT responsibilities between the CPF and UPF, refer to the CMG BNG CUPS Control Plane Function Guide.

4.2. UP NAT policy template

A UP NAT policy template contains parameters that define NAT behavior for a group of subscribers within a NAT pool. This NAT behavior includes support for ALGs, setting limits for the number of NAT flows per subscriber, protocol timer definitions, flow-based logging, watermarks, and so on. The UP NAT policy configuration allows the NAT behavior to be customized for different groups of subscribers within the same NAT pool.

Although the UP NAT policy template is configured on the UPF, its assignment to the NAT-enabled session is performed on the CPF during the authentication phase, using a reference in the CP NAT profile configuration.

The roles of the CP NAT profile and UP NAT policy can be summarized as follows:

  1. CP NAT profile
    The CP NAT profile is configured on the CPF and is used to identify NAT subscribers during the authentication phase. Parameters defined in the CP NAT profile affect the selection of the NAT pool within a given outside routing context. This includes the allocation of the outside IP addresses, port-blocks, and NAT mode of operation (NAPT or 1:1). These resources are managed by the CPF.
  2. UP NAT policy template
    The UP NAT policy template is configured on the UPF and is used to define NAT behavior for a group of subscribers within a NAT pool. This behavior is closer to the NAT translation in the forwarding plane (for example, ALGs and protocol timers).

4.3. Configuration guidelines

4.3.1. Configuring NAT subscriber in the sub-profile

Many NAT configuration parameters are defined in the UP NAT policy template (up-nat-policy) or the CP NAT profile (see UP NAT policy template). Some other parameters used for NAT require a more granular definition, such as the UPnP policy that enables dynamic port-forward allocation. If a UPnP policy is used for NAT, it must be defined in the configure subscriber-mgmt sub-profile context.

The following example shows the UPnP policy configured in the subscriber-mgmt sub-profile context.

configure {
   subscriber-mgmt {
      sub-profile name {
         upnp-policy policy-name
      }
   }
}

4.3.2. NAT group

A NAT group represents a collection of ISAs that are used to process NAT traffic for subscribers. NAT traffic is distributed over multiple ISAs in a NAT group to achieve better performance and scale. BNG CUPS supports a single NAT group per UPF; however, other NAT groups can be configured on the system outside of CUPS.

A NAT group is a mandatory configuration. After the NAT group is defined, it must be referenced by a PFCP association. A NAT group is configured using commands in the configure isa nat-group context. For a configuration example, see Intra-chassis redundancy, Minimum configuration steps.

4.3.3. Accounting and logging

Aggregated NAT logging based on port blocks is performed on the CPF, and flow-based logging can be enabled on the UPF. Because flow logging produces a large number of logs, flow logs are exported directly from the ISA, bypassing the CPF and the CPM on the UPF.

The UPF supports flow logging in IPFIX format. An IPFIX export policy must be configured in the configure service ipfix export-policy context, as shown in the following example:

configure {
   service {
      ipfix {
         export-policy name
      }
   }
}

After the export policy is configured, it must be associated with a UP NAT policy, as shown in the following example:

configure {
   service {
      nat {
         up-nat-policy name {
             flow-logging-policy {
                 ipfix ref: export-policy-name
             }
         }
      }
   }
}

4.3.4. Watermarks

The following watermarks are supported on the UPF:

  1. session-level watermarks on the member ISA level
    Session-level watermarks on the member ISA level monitor NAT flow usage against the configured limit per member ISA. They are configured using the NAT group, as shown in the following example:
    configure {
       isa {
          nat-group id {
             session-limits {
                 watermarks {
                     high number
                     low number
                 }
             }
          }
       }
    }
  2. session-level watermarks on the subscriber level
    Session-level watermarks on the subscriber level monitor NAT flow usage against the configured limit per subscriber. They are configured using the UP NAT policy, as shown in the following example:
    configure {
       service {
          nat {
             up-nat-policy name {
                session-limits {
                   watermarks {
                      high number
                      low number
                   }
                }
             }
          }
       }
    }
  3. port usage watermarks on the subscriber level
    Port usage watermarks on the subscriber level monitor port usage against the configured limit per subscriber. They are configured using the UP NAT policy, as shown in the following example:
    configure {
       service {
          nat {
             up-nat-policy name {
                port-limits {
                   watermarks {
                      high number
                      low number
                   }
                }
             }
          }
       }
    }
  4. watermark threshold on the CPF level
    On the CPF, a watermark threshold, expressed as either an absolute value or a percentage, can be configured to monitor micronet usage within a NAT outside pool. For more information, refer to the CMG BNG CUPS Control Plane Function Guide.
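As an added illustration that is not part of this guide, the following Python model shows how a high/low watermark pair behaves as hysteresis: an event is raised when usage crosses the high watermark and is cleared only after usage falls back to the low watermark, so usage hovering around a single threshold does not produce a stream of alarms. It assumes the watermarks are percentages of the configured limit; the subscriber name, the limit of 2000 and the usage samples are constructed.

```python
"""Hysteresis model of NAT session-limit / port-limit watermarks (added example).

Assumption: high and low are percentages (1..100) of the configured limit, and an
alarm raised at the high watermark is cleared only when usage reaches the low one.
"""
from dataclasses import dataclass, field


@dataclass
class Watermarks:
    limit: int   # configured limit, e.g. max NAT flows or ports per subscriber
    high: int    # high watermark, percent of limit (assumed semantics)
    low: int     # low watermark, percent of limit (assumed semantics)

    def __post_init__(self):
        if not (0 < self.low < self.high <= 100):
            raise ValueError("watermarks must satisfy 0 < low < high <= 100")


@dataclass
class WatermarkMonitor:
    wm: Watermarks
    raised: bool = False
    events: list = field(default_factory=list)

    def observe(self, subscriber, usage):
        """Feed one usage sample; return True while the high-watermark alarm is active."""
        pct = 100.0 * usage / self.wm.limit
        if not self.raised and pct >= self.wm.high:
            self.raised = True
            self.events.append((subscriber, "high-watermark-crossed", usage))
        elif self.raised and pct <= self.wm.low:
            self.raised = False
            self.events.append((subscriber, "low-watermark-cleared", usage))
        return self.raised


def run_sample():
    """Constructed sample: per-subscriber session limit 2000, watermarks high 90 / low 80."""
    mon = WatermarkMonitor(Watermarks(limit=2000, high=90, low=80))
    usage_samples = [1500, 1750, 1800, 1850, 1700, 1650, 1600, 1900]
    for usage in usage_samples:
        mon.observe("sub-1", usage)
    # Only three events: the samples at 85% and 82.5% sit between the watermarks
    # and neither clear nor re-raise the alarm.
    return mon.events


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```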

4.3.5. Intra-chassis redundancy

4.3.5.1. Configuration overview

ISA redundancy on the UPF level supports two modes of operation:

  1. N:M active/standby mode
    In this mode, M standby ISAs protect N active ISAs.
  2. All active mode
    This mode tolerates the simultaneous failure of up to two ISAs. When an ISA fails, the configuration of the failed ISA is redistributed over the remaining operational ISAs.

Both modes are stateless, which means that NAT bindings must be re-established after a switchover.

ISA redundancy is configured in the configure isa nat-group context.

Active/standby mode is enabled using the following commands:

configure {
   isa {
      nat-group id {
         mda mda-id
         redundancy {
            active-mda-limit number
            intra-chassis {
               active-standby
            }
         }
      }
   }
}

These commands associate MDAs with the NAT group, set the mode of operation to active/standby, and configure the number of active ISAs in the NAT group. Any ISAs within the NAT group that are in excess of the configured number are automatically considered standby.

All active mode is enabled using the following commands:

configure {
   isa {
      nat-group id {
         mda mda-id
         redundancy {
            active-mda-limit number
            intra-chassis {
               active-active {
                  failed-mda-limit number
               }
            }
         }
      }
   }
}

4.3.5.2. Minimum configuration steps

The following are the minimum configuration steps required to provision residential NAT on BNG CUPS.

  1. Configure the CPF as described in the CMG BNG CUPS Control Plane Function Guide.
  2. Configure the UPF NAT policy template.
    configure {
       service {
          nat {
             up-nat-policy "pol-1" {
             }
          }
       }
    }
    Note:

    The UP NAT policy must be created, but it is sufficient to use the default parameters.

  3. Configure the NAT group, including the ISA redundancy mode.
    configure {
       isa {
          nat-group 1 {
             mda 1/2
             mda 3/1
             mda 2/2
             redundancy {
                 active-mda-limit 2
                 intra-chassis {
                    active-standby
                 }
             }
          }
       }
    }
  4. Associate the NAT group created in Step 3 with the PFCP interface.
    configure {
       subscriber-mgmt {
          pfcp {
             association "profile-1" {
                nat {
                   nat-group 1
                }
             }
          }
       }
    }
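The following Python model is an added example, not code from this guide or from SR OS, covering both the redundancy modes described in Configuration overview and the NAT group of Step 3 above. Given the MDA list, active-mda-limit, intra-chassis mode and failed-mda-limit, it derives which MDAs are active or standby, how many ISA failures the group is provisioned to absorb, and which MDAs carry NAT after a failure. It assumes that the first active-mda-limit MDAs listed are the active ones and that in all-active mode every listed MDA is active; the MDA ids 1/2, 3/1 and 2/2 are taken from Step 3.

```python
"""Planning model for NAT-group ISA redundancy (added example, not SR OS code).
Assumptions: first active-mda-limit MDAs are active, extra MDAs are standby (N:M);
in all-active mode every listed MDA is active."""
from dataclasses import dataclass


@dataclass
class NatGroup:
    mdas: list                 # MDA ids in configuration order, e.g. "1/2"
    active_mda_limit: int      # active-mda-limit
    mode: str                  # "active-standby" or "active-active"
    failed_mda_limit: int = 0  # failed-mda-limit, all-active mode only

    def validate(self):
        if self.mode not in ("active-standby", "active-active"):
            raise ValueError("intra-chassis mode must be active-standby or active-active")
        if not 0 < self.active_mda_limit <= len(self.mdas):
            raise ValueError("active-mda-limit must be between 1 and the number of MDAs")
        if self.mode == "active-active" and not 0 <= self.failed_mda_limit <= 2:
            raise ValueError("all-active mode supports at most two simultaneous failures")

    def roles(self):
        """Map each MDA to 'active' or 'standby' (ISAs beyond the limit are standby)."""
        self.validate()
        if self.mode == "active-active":
            return {m: "active" for m in self.mdas}
        return {m: "active" if i < self.active_mda_limit else "standby"
                for i, m in enumerate(self.mdas)}

    def tolerated_failures(self):
        """Number of simultaneous ISA failures the group is provisioned to absorb."""
        self.validate()
        if self.mode == "active-standby":
            return len(self.mdas) - self.active_mda_limit   # the M standby ISAs
        return self.failed_mda_limit

    def survivors_after(self, failed):
        """MDAs carrying NAT after the given MDAs fail. Both modes are stateless, so
        every NAT binding on a failed ISA must be re-established by the subscribers."""
        if len(failed) > self.tolerated_failures():
            raise RuntimeError("more failures than the group is provisioned to survive")
        roles = self.roles()
        active = [m for m in self.mdas if roles[m] == "active" and m not in failed]
        if self.mode == "active-standby":
            # Standby ISAs step in for failed active ones, up to active-mda-limit.
            standby = [m for m in self.mdas if roles[m] == "standby" and m not in failed]
            active += standby[:self.active_mda_limit - len(active)]
        return active
```

With the Step 3 values (three MDAs, active-mda-limit 2, active-standby), the group tolerates one ISA failure and, if MDA 3/1 fails, NAT continues on 1/2 and 2/2 after the bindings are re-established.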