This section provides information to configure NAT using the command line interface.
The 7750 SR supports ISA redundancy to provide reliable NAT even when an MDA fails. The active-mda-limit command allows an operator to specify how many MDAs will be active in a given NAT group. Any MDAs configured above the active-mda-limit are spare MDAs; they take over the NAT function if one of the currently active MDAs fails.
A sample configuration is as follows:
Show commands are available to display the actual state of a nat-group and its corresponding MDAs:
A maximum of four nat-groups can be configured. This gives the operator the ability to differentiate between different traffic types. Normal traffic could be routed to nat-group one, where a limited number of MDAs without spare MDAs are available, while high priority traffic could make use of nat-group two, where several active MDAs and a spare MDA are configured. A maximum of six MDAs per nat-group can be configured.
A nat-group cannot become active (no shutdown) if the number of configured MDAs is lower than the active-mda-limit.
A given MDA can be configured in several nat-groups, but it can only be active in a single nat-group at any moment in time. Spare MDAs can be shared by several nat-groups, but a spare can only become active in one nat-group at a time. Changing the active-mda-limit, or adding or removing MDAs, can only be done when the nat-group is shut down.
Nat-groups that share spare MDAs must be configured with the same list of MDAs. It is possible to remove/add spare MDAs to a nat-group while the nat-group is admin enabled.
Through show commands, it is possible to display an overview of all the nat-groups and MDAs.
If an MDA fails, the spare (if available) will take over. All active sessions will be lost, but new incoming sessions will make use of the spare MDA.
In case of an MDA failure in a nat-group without any spare MDA, all traffic towards that MDA will be black-holed.
For L2-aware NAT, the operator has the possibility to clear all the subscribers on the affected MDA (clear nat isa), terminating all the subscriber leases. New incoming subscribers will make use of the MDAs that are still available in the nat-group.
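The redundancy rules in this section can be checked against a planned layout before it is configured. The following Python sketch is an added example, not Nokia code or SR OS CLI; the `NatGroup` model, the MDA identifiers, and the contention check (derived from the rule that an MDA is active in only one nat-group at a time) are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

MAX_NAT_GROUPS = 4      # maximum nat-groups stated on this page
MAX_MDAS_PER_GROUP = 6  # maximum MDAs per nat-group stated on this page

@dataclass
class NatGroup:  # hypothetical planning model, not an SR OS structure
    group_id: int
    mdas: tuple             # constructed MDA identifiers such as "1/1"
    active_mda_limit: int
    admin_up: bool = True   # True models "no shutdown"

def validate(groups):
    """Return (errors, warnings) for a planned list of NatGroup objects."""
    errors, warnings = [], []
    if len(groups) > MAX_NAT_GROUPS:
        errors.append(f"{len(groups)} nat-groups planned; maximum is {MAX_NAT_GROUPS}")
    for g in groups:
        n = len(set(g.mdas))
        if n > MAX_MDAS_PER_GROUP:
            errors.append(f"nat-group {g.group_id}: {n} MDAs; maximum is {MAX_MDAS_PER_GROUP}")
        if g.admin_up and n < g.active_mda_limit:
            errors.append(f"nat-group {g.group_id}: {n} MDAs is below active-mda-limit "
                          f"{g.active_mda_limit}; the group cannot go no shutdown")
        elif g.admin_up and n == g.active_mda_limit:
            warnings.append(f"nat-group {g.group_id}: no spare MDA; traffic towards "
                            "a failed MDA is black-holed")
    # An MDA is active in only one nat-group at a time, so any set of enabled
    # groups needs at least as many distinct MDAs as the sum of its limits.
    up = [g for g in groups if g.admin_up]
    for size in range(2, len(up) + 1):
        for combo in combinations(up, size):
            have = len(set().union(*(g.mdas for g in combo)))
            need = sum(g.active_mda_limit for g in combo)
            if have < need:
                ids = ", ".join(str(g.group_id) for g in combo)
                warnings.append(f"nat-groups {ids}: need {need} active MDAs, "
                                f"only {have} distinct MDAs configured")
    return errors, warnings

if __name__ == "__main__":
    plan = [NatGroup(1, ("1/1", "1/2"), 2),         # constructed: no spare
            NatGroup(2, ("2/1", "2/2", "3/1"), 2),  # constructed: one spare
            NatGroup(3, ("2/1", "2/2", "3/1"), 2)]  # same MDA list as group 2
    for kind, msgs in zip(("ERROR", "WARN"), validate(plan)):
        for m in msgs:
            print(kind, m)
```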
The following sections provide NAT Layer 2-Aware configurations.
The following sections provide Large Scale NAT configuration examples.
The following output displays example configurations.
VPRN service example:
Router NAT example:
Service NAT example:
This section provides information about the VSR-NAT functionality, including licensing requirements, statistics collection, and examples of show command output.
Appropriate licensing is required to enable the VSR-NAT functionality in the system. However, no further licensing enforcement is performed based on resource utilization, such as the consumed bandwidth or the number of NAT bindings.
The following NAT-related functionality is enabled through licensing:
You can use the CLI or MIB on VSR-NAT to get more information about the number of LSN bindings and LSN bandwidth.
Table 63 describes the licenses required to unlock the VSR-NAT functionality.
NAT License Title | Functionality Enabled | License Purchased |
LSN | LSN Pool | The following two scaling licenses are required: You must purchase both licenses to enable the LSN functionality. |
L2AWARE | L2Aware Pool | Purchase the L2-Aware license to enable the functionality. The LSN scaling license is not required. Note: The L2-Aware NAT functionality can only be used with the VBNG. |
UPnP | UPnP commands | Purchase the UPnP license to enable the functionality. Note: The UPnP functionality can only be used with the L2-Aware NAT. |
GEO REDUNDANCY | Geo-redundancy Pool | Purchase the Geo Redundancy license to enable the functionality. |
A NAT subscriber is an internal entity whose true identity is hidden outside the network. The NAT subscriber is represented by a binding that is a set of stateful mappings between the internal and external representations of the subscriber. From the licensing perspective, the terms “NAT bindings” and “NAT subscribers” can be used interchangeably.
VSR-NAT collects the number of LSN subscribers for licensing purposes; the L2-Aware NAT subscribers are excluded from this count. An LSN subscriber is defined as follows:
The number of LSN subscribers (LSN44, DS-Lite, and NAT64) in VSR-NAT is sampled every hour on the hour (for example, at 00:00 am, 01:00 am, 02:00 am, and so on). Each sample is a snapshot of the number of subscribers at the time that the statistics are collected.
The CLI can be used to view the following information:
For the list of CLI commands available for use, see VSR-NAT Show Command Examples.
The measurement of LSN bandwidth includes translated packets and octets in the upstream and downstream direction. Packets that are rejected for any reason and traffic carrying logging information are both excluded from the statistics.
LSN bandwidth statistics for VSR-NAT are collected every 10 minutes. The bandwidth is derived as a difference in octet count between the two consecutive collection intervals, divided by a 10 minute interval. There is no bandwidth differentiation per LSN type (LSN44, DS-Lite, and NAT64) or per direction. Aggregate bandwidth values per node are maintained in kb/s units. L2-Aware NAT and WLAN GW statistics are not included in the statistics collection.
The CLI can be used to view the following LSN bandwidth information:
For the list of CLI commands available for use, see section 7.24.4 VSR-NAT Show Command Examples.
The following CLI commands are available for use:
The following output shows examples of NAT statistics.
Weekly display example:
24-hour display example:
Peak display example:
Table 64 describes the NAT statistics output fields.
Label | Description |
Index | The entry number of the displayed value. A weekly display contains 7 entries, one for each of the last 7 days. A 24-hour display can contain up to 24 values for NAT subscribers (statistics are collected hourly) and 144 values for NAT bandwidth (statistics are collected every 10 minutes). |
Time | The timestamp of the statistics collection. The bandwidth is averaged in 10 minute intervals. Consequently, the bandwidth value at a specific time represents the average bandwidth for the last 10 minute period. |
Value | The value for the number of NAT subscribers at a specific time, or the average bandwidth in kb/s for the last 10 minute period. |
Average | In the weekly display, the average daily value for the number of NAT subscribers or the NAT bandwidth. |
Peak | In the weekly display, the daily peak value for the number of NAT subscribers or the NAT bandwidth. |
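The LSN bandwidth derivation described earlier (octet-count difference between consecutive collections divided by the 10 minute interval) and the Average and Peak fields of Table 64 can be reproduced offline from exported counters. The following Python code is an added example, not part of the Nokia documentation; it assumes that kb/s means 1000 bits per second, that the daily average is the mean of that day's 10-minute values, and that an interval with a decreasing counter or a missed collection is skipped. The counter values are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL_S = 600  # bandwidth statistics are collected every 10 minutes

def bandwidth_kbps(samples):
    """samples: [(datetime, cumulative translated octets)] in collection order.
    Returns [(datetime, kb/s)], each value stamped with the end of its interval."""
    out = []
    for (t0, o0), (t1, o1) in zip(samples, samples[1:]):
        if o1 < o0 or (t1 - t0).total_seconds() != INTERVAL_S:
            continue  # counter reset or missed collection (assumed handling)
        # Assumption: kb/s is 1000 bits per second; octets are converted to bits.
        out.append((t1, (o1 - o0) * 8 / INTERVAL_S / 1000))
    return out

def daily_summary(series):
    """Per-day average and peak, as in the weekly display fields of Table 64."""
    by_day = defaultdict(list)
    for t, v in series:
        by_day[t.date()].append(v)
    return {d: {"entries": len(v), "average": sum(v) / len(v), "peak": max(v)}
            for d, v in sorted(by_day.items())}

def constructed_samples():
    """Constructed counters: two days at 7.5 MB per interval, one busy interval."""
    start = datetime(2023, 12, 31, 23, 50)  # first interval ends at 00:00
    octets, samples = 0, [(start, 0)]
    for i in range(1, 289):                 # 288 intervals = 2 x 144
        octets += 75_000_000 if i == 100 else 7_500_000
        samples.append((start + timedelta(seconds=i * INTERVAL_S), octets))
    return samples

if __name__ == "__main__":
    for day, row in daily_summary(bandwidth_kbps(constructed_samples())).items():
        print(day, row)
```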
To meet flexible scaling requirements in common compute platforms, operators can use the CLI to select VSR-NAT scaling profiles that correspond to the amount of memory allocated in the VM.
The following scaling profiles have predefined upper scaling limits and are available for VSR-NAT and IPv6 FW:
The default scaling profile is profile1.
Scaling profiles are applied under the following CLI hierarchy:
A scaling profile can be changed only when the NAT group is in a shutdown state. After the scaling profile is changed and the NAT group is activated (no shutdown), the system tries to allocate necessary memory. If successful, the vISA transitions in-service; if unsuccessful (for example, if there is not enough memory in the system), the NAT group remains in the shutdown state.
Without sufficient resources to accommodate the required scaling profile, the vMDA where the vISA resides transitions into a failed state, followed by logs describing the failure:
NAT on ESA offers two scaling profiles, each of them adapted to the amount of memory allocated to the VM.
The default scaling profile is profile1.
Scaling profiles are configurable under the following CLI hierarchy:
A scaling profile can be changed using CLI only when all ESA-VMs in a NAT group are removed from the configuration.
For example, in the following case, transitioning from profile2 to profile1 is not possible until esa-vm 1/1 is removed from the CLI: