Network address translation

This chapter provides an overview of Network Address Translation (NAT) functionality for BNG CUPS.

Residential NAT for BNG CUPS

For BNG CUPS, NAT responsibilities are divided between the CPF and UPF.

The role of the CPF is to associate the subscriber session with NAT during the session authentication phase. This process consists mainly of allocating the outside IP address and port-block to the NAT subscriber session. These parameters are submitted to the UPF through the PFCP association.

The UPF performs NAT on the data traffic. On the UPF, NAT runs on MS-ISA service adapters, including the Integrated Service Adapter (ISA), Virtual ISA (vISA), and Extended Service Adapter (ESA). For the inside IP addresses, the incoming data traffic is sprayed across ISAs. This traffic spraying is based on the subscriber context, which typically represents a residence. For the outside IP addresses, the NAT prefix that is received from the CPF is segmented into smaller subnets and equally distributed across ISAs. This approach requires fair load distribution of traffic across service adapters in the upstream and downstream directions.

Note: In this document, all types of service adapters are referred to as ISAs, except when it is necessary to identify a specific type. See the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide for more information about MS-ISA service adapters.

See the CMG BNG CUPS Control Plane Function Guide for more information about NAT terminology and an overview of Residential NAT that describes the division of NAT responsibilities between the CPF and UPF.

UP NAT policy template

A UP NAT policy template contains parameters that define NAT behavior for a group of subscribers within a NAT pool. This NAT behavior includes support for ALGs, setting limits for the number of NAT flows per subscriber, protocol timer definitions, flow-based logging, watermarks, and so on. The UP NAT policy configuration allows the NAT behavior to be customized for different groups of subscribers within the same NAT pool.

Although the UP NAT policy template is configured on the UPF, its assignment to the NAT-enabled session is performed on the CPF during the authentication phase, using a reference in the CP NAT profile configuration.

The roles of the CP NAT profile and UP NAT policy can be summarized as follows:

Guidelines for configuring NAT subscribers in the sub-profile

Many NAT configuration parameters are defined in the UP NAT policy template (up-nat-policy) or the CP NAT profile (see UP NAT policy template). Some parameters used for NAT configuration require finer granularity, such as the UPNP policy that enables dynamic port forward allocation. If a UPNP policy is used for NAT, it must be defined in the configure subscriber-management sub-profile context, as shown in the following example:

configure {
   subscriber-management {
       sub-profile name {
           upnp-policy policy-name
       }
   }
}

Guidelines for configuring NAT groups

A NAT group represents a collection of ISAs that are used to process NAT traffic for subscribers. NAT traffic is distributed over multiple ISAs in a NAT group to achieve better performance and scale. BNG CUPS supports a single NAT group per UPF; however, other NAT groups can be configured in the system outside CUPS.

A NAT group is a mandatory configuration. After the NAT group is defined, it must be referenced by a PFCP association. A NAT group is configured using commands in the configure isa nat-group context.

See Provisioning residential NAT for BNG CUPS for a configuration example.

Guidelines for configuring accounting and logging

Aggregated NAT logging based on port blocks is performed on the CPF, and flow-based logging can be enabled on the UPF. Because flow logging produces a large number of logs, flow logs are exported directly from the ISA, bypassing the CPF and the CPM on the UPF.
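The following Python is an added example, not part of the original guide and not Nokia code. It shows how port-block logs are used to attribute an observed outside IP address and port to a subscriber, and why the observation time matters when a port block is reused. The record layout, subscriber names, and addresses are constructed for illustration and are not the CPF's log format.

```python
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample port-block log records (not a vendor log format):
# subscriber, outside IP, first port, last port, allocated, released (None = still held).
RECORDS = [
    ("sub-0001", "203.0.113.10", 1024, 1535, "2024-05-01T08:00:00Z", "2024-05-01T12:30:00Z"),
    ("sub-0002", "203.0.113.10", 1536, 2047, "2024-05-01T09:15:00Z", None),
    ("sub-0003", "203.0.113.10", 1024, 1535, "2024-05-01T12:45:00Z", None),
    ("sub-0004", "203.0.113.11", 1024, 1535, "2024-05-01T07:00:00Z", None),
]

def _ts(text):
    """Parse an ISO 8601 UTC timestamp; None means the block is still allocated."""
    if text is None:
        return None
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def attribute(records, outside_ip, port, when):
    """Return the subscribers that held (outside_ip, port) at time `when`.

    Exactly one match is a usable attribution. Zero means the logs do not cover
    the observation; more than one means overlapping allocations, that is, a
    logging or clock problem to resolve before any subscriber is named.
    """
    ip, t = ip_address(outside_ip), _ts(when)
    hits = []
    for sub, rec_ip, lo, hi, start, end in records:
        if ip_address(rec_ip) != ip or not lo <= port <= hi:
            continue
        begin, finish = _ts(start), _ts(end)
        # Half-open interval [allocated, released): a released block no longer counts.
        if begin <= t and (finish is None or t < finish):
            hits.append(sub)
    return hits

if __name__ == "__main__":
    # Same outside IP and port, three different times, three different answers.
    print(attribute(RECORDS, "203.0.113.10", 1100, "2024-05-01T10:00:00Z"))
    print(attribute(RECORDS, "203.0.113.10", 1100, "2024-05-01T12:40:00Z"))
    print(attribute(RECORDS, "203.0.113.10", 1100, "2024-05-01T13:00:00Z"))
```
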

The UPF supports flow logging in IPFIX format. An IPFIX export policy must be configured in the configure service ipfix export-policy context, as shown in the following example:

configure {
    service {
        ipfix {
            export-policy name
        }
    }
}

After the export policy is configured, it must be associated with a UP NAT policy, as shown in the following example:

configure {
   service {
      nat {
         up-nat-policy name {
             flow-logging-policy {
                 ipfix ref: export-policy-name
             }
         }
      }
   }
}

Guidelines for configuring watermarks

The following watermarks are supported on the UPF:

Guidelines for configuring intra-chassis redundancy

ISA redundancy on the UPF level supports two modes of operation:

Both modes are stateless, which means that NAT binding must be re-established after the switchover.

ISA redundancy is configured in the configure isa nat-group context, and active/standby mode is enabled using the following commands:

configure {
    isa {
        nat-group id {
            mda mda-id
            redundancy {
                active-mda-limit number
                intra-chassis {
                    active-standby
                }
            }
        }
    }
}

These commands associate MDAs with the NAT group, set the mode of operation to active/standby, and configure the number of active ISAs in the NAT group. Any ISAs within the NAT group that are in excess of the configured number are automatically considered standby.

All active mode is enabled using the following commands:

configure {
    isa {
        nat-group id {
            mda mda-id
            redundancy {
                active-mda-limit number
                intra-chassis {
                    active-active {
                        failed-mda-limit number
                    }
                }
            }
        }
    }
}