External allocation of L2-Aware NAT outside IP addresses

Certain residential deployments use multiple NAT outside IP addresses per routed physical residential gateway (RG), typically one per service. This feature provides similar support for multiple NAT outside IP addresses (up to four) per BRG (in other words, per subscriber) on vRGW. These addresses fall within locally defined NAT pools on vRGW, but are assigned and managed by an external backend system. Each NAT outside IP address typically corresponds to a service; for instance, an HSI service may be NATed to a different outside IP address than the voice service.

The NAT outside IP address and the corresponding NAT policy associated with the subscriber are provided by a VSA (Alc-Nat-Outside-IPs) in the RADIUS access-accept message or the CoA. Up to four instances of this VSA can be included in the RADIUS access-accept message or the CoA, which provides multiple NAT outside IP addresses for a BRG. The NAT pool referred to within the NAT policy must be configured for external assignment. The following checks apply to each VSA instance:
- If the NAT policy in the VSA refers to a NAT pool that is not configured for external assignment, the host setup fails.
- If the outside IP address in the VSA does not fall within the NAT pool referenced by the corresponding NAT policy, the outside IP address (and the mapping) is ignored.
- If the outside IP address falls within the NAT pool and is not already allocated, it is assigned to the L2-Aware subscriber.
The external system is responsible for ensuring the stickiness of the outside IP addresses for the subscriber, if needed; vRGW does not keep the address reserved for the subscriber once it is released.

The system internally chooses an ISA in the NAT group to anchor an L2-Aware subscriber, that is, the ISA on which the NAT flows for the subscriber are created, based on upstream data or static port forwards. If a NAT outside IP address does not fall within the address block owned by the NAT ISA that anchors the L2-Aware subscriber, the NAT outside IP address is added to the FDB as a /32 with the ISA as the next hop. Otherwise, downstream traffic to the NAT ISA for the L2-Aware subscriber follows the aggregate route corresponding to the address block owned by that NAT ISA.

The NAT outside IP address to use for a flow on the NAT ISA is selected by a destination IP address lookup in the nat-prefix-list specified in the sub-profile of the subscriber. The nat-prefix-list contains a list of IP prefix to NAT-policy mappings. The destination IP lookup in the nat-prefix-list yields the NAT policy to use, and the NAT outside IP address associated with that NAT policy is then used as the translated source IP. A destination that matches no prefix in the list is translated with the default nat-policy of the sub-profile.

config>service
    nat
        nat-policy "nat-policy-voice" create
            pool "voice-pool" router 401
        exit
        nat-prefix-list "nat-prefix-list-voice" application l2-aware-dest-to-policy create
            prefix 203.0.113.0/24 nat-policy "nat-policy-voice"
        exit
    exit
config>subscr-mgmt
    sub-profile "sub-prof-hsi-voice" create
        nat-policy "default-policy"
        nat-prefix-list "nat-prefix-list-voice"
    exit
config>service>vprn>nat>outside
    pool "voice-pool" nat-group 1 type l2-aware create
        port-reservation blocks 1
        external-assignment
    exit

To add a new NAT outside IP address for a subscriber by CoA, AAA must provide the updated set of NAT outside IP-to-nat-policy mappings. AAA also associates the correct sub-profile with the subscriber (the sub-profile containing the nat-prefix-list that maps a destination IP prefix to the NAT policy holding the new NAT outside IP address); that is, the sub-profile of the subscriber must be changed using CoA. The CoA must always contain all the NAT outside IP-to-nat-policy mappings associated with the subscriber, because it replaces the complete set rather than adding to it. Because an externally assigned outside IP address belongs to a single subscriber, the entire port range is available to that subscriber; configure port-reservation blocks 1 on a NAT pool that has external-assignment enabled.
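The rules above (VSA validation against the pool, the external-assignment requirement, the /32 FDB entry for an address outside the anchoring ISA's block, the cumulative CoA, and the nat-prefix-list lookup that picks the translated source address) are easier to reason about when modelled end to end. The following is an added illustration in Python, not SR OS code and not a description of how the ISA implements these checks internally. The pool blocks, ISA block, policy names and destination prefixes are constructed sample data; longest-prefix matching in the nat-prefix-list, releasing addresses absent from a CoA, and treating an already-allocated address as ignored are assumptions of this model where the page does not say.

```python
"""Model of externally assigned L2-Aware NAT outside addresses on vRGW.

Added illustration, not SR OS code: reproduces the documented rules on
constructed data so a practitioner can check expected behaviour offline.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_VSA_INSTANCES = 4  # up to four Alc-Nat-Outside-IPs instances per BRG


@dataclass
class NatPool:
    name: str
    block: ipaddress.IPv4Network            # address block owned by the pool
    external_assignment: bool
    allocated: set = field(default_factory=set)


@dataclass
class Subscriber:
    name: str
    isa_block: ipaddress.IPv4Network        # aggregate block owned by the anchoring ISA
    outside_ips: dict = field(default_factory=dict)    # nat-policy -> outside IP
    fdb_host_routes: set = field(default_factory=set)  # /32 entries pointing at the ISA


class HostSetupFailure(Exception):
    """A VSA named a NAT policy whose pool is not configured for external assignment."""


def apply_outside_ip_vsas(sub, vsas, policies, pools):
    """Apply the Alc-Nat-Outside-IPs instances of an Access-Accept or CoA.

    vsas: list of (outside_ip, nat_policy); policies: nat-policy -> pool name.
    The set is cumulative, so mappings absent from a CoA are released
    (model assumption; the page only requires the CoA to list all mappings).
    """
    if len(vsas) > MAX_VSA_INSTANCES:
        raise HostSetupFailure("more than four VSA instances")  # assumed behaviour
    for pol, ip in sub.outside_ips.items():
        pools[policies[pol]].allocated.discard(ip)
    sub.outside_ips.clear()
    sub.fdb_host_routes.clear()
    for ip_str, pol in vsas:
        pool = pools[policies[pol]]
        if not pool.external_assignment:
            raise HostSetupFailure(f"{pool.name} lacks external-assignment")
        ip = ipaddress.IPv4Address(ip_str)
        if ip not in pool.block or ip in pool.allocated:
            continue  # outside the referenced pool, or already taken: mapping ignored
        pool.allocated.add(ip)
        sub.outside_ips[pol] = ip
        if ip not in sub.isa_block:
            sub.fdb_host_routes.add(f"{ip}/32")  # not covered by the ISA aggregate route
    return sub


def select_outside_ip(sub, default_policy, prefix_list, dst_ip):
    """Choose the NAT policy, and so the translated source IP, for a flow to dst_ip.

    prefix_list: the sub-profile's nat-prefix-list as (prefix, nat-policy) pairs.
    Longest-prefix match is assumed; falls back to the sub-profile default policy.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    match = max((p for p in prefix_list if dst in p[0]),
                key=lambda p: p[0].prefixlen, default=None)
    policy = match[1] if match else default_policy
    return policy, sub.outside_ips.get(policy)


# Constructed sample topology (not taken from the page).
POLICIES = {"nat-policy-hsi": "hsi-pool", "nat-policy-voice": "voice-pool",
            "nat-policy-legacy": "legacy-pool"}
PREFIX_LIST = [(ipaddress.ip_network("203.0.113.0/24"), "nat-policy-voice")]


def make_pools():
    """Fresh pools for each run so allocations from one run do not leak into the next."""
    return {
        "hsi-pool": NatPool("hsi-pool", ipaddress.ip_network("198.51.100.224/28"), True),
        "voice-pool": NatPool("voice-pool", ipaddress.ip_network("198.51.100.240/28"), True),
        "legacy-pool": NatPool("legacy-pool", ipaddress.ip_network("192.0.2.0/24"), False),
    }


def demo():
    """Access-Accept with two valid mappings and one that falls outside its pool."""
    pools = make_pools()
    sub = Subscriber("sub-2-4-ext", pools["hsi-pool"].block)  # ISA owns the HSI block
    apply_outside_ip_vsas(sub, [("198.51.100.235", "nat-policy-hsi"),
                                ("198.51.100.245", "nat-policy-voice"),
                                ("203.0.113.9", "nat-policy-voice")],  # ignored
                          POLICIES, pools)
    voice = select_outside_ip(sub, "nat-policy-hsi", PREFIX_LIST, "203.0.113.50")
    hsi = select_outside_ip(sub, "nat-policy-hsi", PREFIX_LIST, "192.0.2.77")
    return sub, voice, hsi, pools


if __name__ == "__main__":
    s, v, h, _ = demo()
    print(s.outside_ips, s.fdb_host_routes, v, h)
```

Running demo() shows the voice address, which lies outside the anchoring ISA's block, picked up as a /32 host route while the HSI address is reachable through the aggregate, and shows the third VSA instance silently dropped because 203.0.113.9 is not in voice-pool.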

All associated NAT outside IP addresses and corresponding NAT policies can be displayed via the show service nat l2-aware-subscribers command.

A:Dut-A# show service nat l2-aware-subscribers  
===============================================================================
Layer-2-Aware NAT subscribers
=============================================================================== 
Subscriber                            : sub-2-4-ext
-------------------------------------------------------------------------------
ISA NAT group                         : 1
ISA NAT group member                  : 1
UPnP policy                           : (None)
Default NAT policy                    : nat-policy-hsi
Per-host port block size              : N/A
Firewall policy                       : (None)
 
Policy                                : nat-policy-hsi
Purpose                               : nat
Outside router                        : vprn100
Outside IP                            : 198.51.100.235
DNAT default IP address override      : (Not Specified)
DNAT disabled by override             : false
Ports                                 : 1024-5119
 
Policy                                : nat-policy-voice
Purpose                               : nat
Outside router                        : vprn100
Outside IP                            : 198.51.100.245
DNAT default IP address override      : (Not Specified)
DNAT disabled by override             : false
Ports                                 : 1024-5119
 
-------------------------------------------------------------------------------
No. of subscribers: 1

The show router nat pool command output shows the attribute that controls external assignment (External assignment : true).

show router 70 nat pool "vprn l2aw" 
===============================================================================
NAT Pool vprn l2aw
===============================================================================
Description                           : (Not Specified)
ISA NAT Group                         : 4
Pool type                             : l2Aware
Applications                          : (None)
Admin state                           : outOfService
Mode                                  : auto (napt)
Port forwarding dyn blocks reserved   : 0
Port forwarding range                 : 1 - 1023
Port reservation                      : 128 blocks
Block usage High Watermark (%)        : (Not Specified)
Block usage Low Watermark (%)         : (Not Specified)
Block usage (%)                       : < 1
External assignment                   : true
Last Mgmt Change                      : 05/17/2016 13:41:04
===============================================================================