CoA and DNAT

Adding, removing or replacing DNAT parameters in LSN44 can be achieved through NAT policy manipulation in an IP filter for the ESM subscriber. The rules for NAT policy manipulation via CoA are given in Table: NAT policy changes via CoA. In L2-Aware NAT, CoA can be used to:

After the DNAT configuration is modified via CoA (enable or disable DNAT or change the default DNAT IP address), the existing flows affected by the change remain active for 5 more seconds while the new flows are created in accordance with the new configuration. After a 5 second timeout, the stale flows are cleared from the system.

The RADIUS attribute used to perform DNAT modifications is a composite attribute with the following format:

Alc-DNAT-Override (234) = "{<DNAT_state> | <DNAT-ip-addr>},[nat-policy]"

where:

DNAT-state = none | disable → mutually exclusive with the DNAT-ip-addr parameter.

DNAT-ip-addr = destination IPv4 address in dotted format (a.b.c.d); its presence implicitly enables DNAT → mutually exclusive with the DNAT-state parameter.

nat-policy = NAT policy name → optional parameter. If it is not present, the default NAT policy is assumed.

For example:

Alc-DNAT-Override=none → This negates any previous DNAT-related override in the default nat-policy. Consequently, the DNAT functionality is set as originally defined in the default nat-policy. If the 'none' value is received while DNAT is already enabled, a CoA ACK is sent back to the originator and nothing else changes.

Alc-DNAT-Override=none,nat-pol-1 → This re-enables DNAT functionality in the specific NAT policy named nat-pol-1.

Alc-DNAT-Override=none,10.1.1.1 → The DNAT-state and DNAT-ip-addr parameters are mutually exclusive within the same Alc-DNAT-Override attribute. Although a CoA ACK reply is returned to the RADIUS server, an error log message is generated in the SR OS indicating that the attempted override failed.

Alc-DNAT-Override=10.1.1.1 → This changes the default DNAT IP address to 10.1.1.1 in the default NAT policy. If DNAT was disabled before receiving this CoA, it is implicitly enabled.

Alc-DNAT-Override=10.1.1.1,nat-pol-1 → This changes the default DNAT IP address to 10.1.1.1 in the specific NAT policy named nat-pol-1. DNAT is implicitly enabled if it was disabled before receiving this CoA.

The combinations of sub-fields in the Alc-DNAT-Override RADIUS attribute and the corresponding actions are shown in Table: CoA and DNAT.

Table: CoA and DNAT

| DNAT-state | DNAT-ip-addr | NAT policy | DNAT action in L2-Aware NAT |
|---|---|---|---|
| none | - | - | Re-enable DNAT in the default NAT policy. If DNAT was enabled before receiving this CoA, no specific action is carried out by the SR OS other than sending the CoA ACK back to the CoA server. This negates any previous DNAT-related override in the default nat-policy; consequently, the DNAT functionality is set as originally defined in the default nat-policy. If the DNAT classifier is not present in the default nat-policy when this CoA is received, an error log message is raised. |
| none | - | nat-pol-name | Re-enable DNAT in the referenced NAT policy. This negates any previous DNAT-related override in the referenced nat-policy; consequently, the DNAT functionality is set as originally defined in the referenced nat-policy. If the DNAT classifier is not present in the referenced nat-policy when this CoA is received, a CoA ACK reply is returned to the RADIUS server and an error log message is generated in the SR OS indicating that the attempted override has failed. |
| none | a.b.c.d | - | The DNAT-state and DNAT-ip-addr parameters are mutually exclusive in the same Alc-DNAT-Override attribute. Although a CoA ACK reply is returned to the RADIUS server, an error log message is generated in the SR OS indicating that the attempted override has failed. |
| none | a.b.c.d | nat-pol-name | The DNAT-state and DNAT-ip-addr parameters are mutually exclusive in the same Alc-DNAT-Override attribute. Although a CoA ACK reply is returned to the RADIUS server, an error log message is generated in the SR OS indicating that the attempted override has failed. |
| disable | - | - | Disable DNAT in the default NAT policy. If the DNAT classifier is not present in the default nat-policy when this CoA is received, a CoA ACK reply is returned to the RADIUS server and an error log message is generated in the SR OS indicating that the attempted override has failed. |
| disable | - | nat-pol-name | Disable DNAT in the referenced NAT policy. If the DNAT classifier is not present in the referenced nat-policy when this CoA is received, a CoA ACK reply is returned to the RADIUS server and an error log message is generated in the SR OS indicating that the attempted override has failed. |
| disable | a.b.c.d | - | The DNAT-state and DNAT-ip-addr parameters are mutually exclusive in the same Alc-DNAT-Override attribute. Although a CoA ACK reply is returned to the RADIUS server, an error log message is generated in the SR OS indicating that the attempted override has failed. |
| disable | a.b.c.d | nat-pol-name | The DNAT-state and DNAT-ip-addr parameters are mutually exclusive in the same Alc-DNAT-Override attribute. Although a CoA ACK reply is returned to the RADIUS server, an error log message is generated in the SR OS indicating that the attempted override has failed. |
| - | a.b.c.d | - | The default destination IP address is changed in the default NAT policy. |
| - | a.b.c.d | nat-pol-name | The default destination IP address is changed in the referenced NAT policy. |
| - | - | - or nat-pol-name | A CoA NAK (error) is generated. Either the DNAT-state or the DNAT-ip-addr parameter must be present in the Alc-DNAT-Override attribute. |

If multiple Alc-DNAT-Override attributes with conflicting actions are received in the same CoA or Access-Accept, the action that occurred last takes precedence.

For example, if the following two Alc-DNAT-Override attributes are received in the same CoA, the last one takes effect and consequently DNAT is disabled in the default NAT policy:

Alc-DNAT-Override = "10.1.1.1"

Alc-DNAT-Override = "disable"
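The following Python model is an added example, not SR OS code or anything from the Nokia documentation: it parses Alc-DNAT-Override values according to the syntax above, classifies each sub-field combination the way Table: CoA and DNAT does (ACK, ACK with a failed-override error log, or NAK), and applies the last-one-wins rule for multiple attributes in one CoA. The attribute name, number and the sample values are from the page; the `DnatOverride` class, `parse_override`, `apply_overrides`, the `DEFAULT_POLICY` key, the optional `policies_with_dnat_classifier` set and the choice to treat a NAK as rejecting the whole CoA are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The attribute name, number and value syntax are taken from the page; the
# classes and functions below are an illustrative model written for this
# example, not SR OS code.
ATTR_NAME = "Alc-DNAT-Override"
ATTR_NUMBER = 234
STATES = ("none", "disable")
DEFAULT_POLICY = "<default>"   # placeholder key for "no nat-policy sub-field"


@dataclass(frozen=True)
class DnatOverride:
    state: Optional[str]    # "none" | "disable", mutually exclusive with ip
    ip: Optional[str]       # dotted IPv4 a.b.c.d, implicitly enables DNAT
    policy: Optional[str]   # nat-policy name; None selects the default policy
    outcome: str            # "ack", "ack-with-error-log" or "nak"
    action: str             # what the table says happens for this combination


def _classify(field: str) -> str:
    """Decide which sub-field a comma-separated token is."""
    if field in STATES:
        return "state"
    try:
        ipaddress.IPv4Address(field)
        return "ip"
    except ValueError:
        return "policy" if field else "empty"


def parse_override(value: str) -> DnatOverride:
    """Parse one value of the form "{<DNAT_state> | <DNAT-ip-addr>},[nat-policy]"."""
    raw = value.strip().strip('"')
    fields = [f.strip() for f in raw.split(",")] if raw else []
    if len(fields) > 2:
        raise ValueError(f"{ATTR_NAME} carries at most two sub-fields: {value!r}")
    state = ip = policy = None
    for field in fields:
        kind = _classify(field)
        if kind == "state" and state is None:
            state = field
        elif kind == "ip" and ip is None:
            ip = field
        elif kind == "policy" and policy is None:
            policy = field
        elif kind != "empty":
            raise ValueError(f"sub-field combination not described in the table: {value!r}")
    target = f"NAT policy '{policy}'" if policy else "the default NAT policy"
    if state and ip:
        # Table rows "none/disable + a.b.c.d": a CoA ACK is still returned, but
        # the override fails and an error log message is raised.
        outcome, action = "ack-with-error-log", "DNAT-state and DNAT-ip-addr are mutually exclusive"
    elif not state and not ip:
        # Last table row: neither sub-field present, with or without a policy name.
        outcome, action = "nak", "either DNAT-state or DNAT-ip-addr must be present"
    elif ip:
        outcome, action = "ack", f"set the default DNAT IP address to {ip} in {target} (DNAT implicitly enabled)"
    elif state == "none":
        outcome, action = "ack", f"remove any earlier DNAT override in {target} (DNAT as originally configured)"
    else:
        outcome, action = "ack", f"disable DNAT in {target}"
    return DnatOverride(state, ip, policy, outcome, action)


def apply_overrides(values, policies_with_dnat_classifier=None):
    """Apply every Alc-DNAT-Override value received in one CoA or Access-Accept.

    Returns (accepted, effective, logs). 'effective' maps a NAT policy key to the
    override that ends up in force; when several overrides hit the same policy
    the last one wins, as the page states. 'policies_with_dnat_classifier' is an
    assumed set of policy keys that contain a DNAT classifier: a state override
    against a policy outside it is ACKed but logged as a failed override.
    """
    effective, logs = {}, []
    for value in values:
        ovr = parse_override(value)
        key = ovr.policy or DEFAULT_POLICY
        if ovr.outcome == "nak":
            logs.append(f"CoA NAK: {ovr.action}")
            return False, {}, logs          # assumption: a NAK rejects the whole CoA
        if ovr.outcome == "ack-with-error-log":
            logs.append(f"error log: {ovr.action} ({value!r})")
            continue
        if (ovr.state is not None and policies_with_dnat_classifier is not None
                and key not in policies_with_dnat_classifier):
            logs.append(f"error log: no DNAT classifier in {key}; override {value!r} failed")
            continue
        effective[key] = ovr                # a later override replaces an earlier one
    return True, effective, logs


if __name__ == "__main__":
    # Constructed sample: the page's two-attribute example plus a policy-specific override.
    ok, eff, logs = apply_overrides(['"10.1.1.1"', '"disable"', '"10.1.1.1,nat-pol-1"'])
    print(ok, {k: v.action for k, v in eff.items()}, logs)
```

Running the sample reproduces the page's precedence rule: the address override for the default policy is replaced by the later "disable", while the override for nat-pol-1 stands on its own. The error-log outcomes are the ones a defender should watch for, since the RADIUS server only sees an ACK and cannot tell from the response alone that the override was dropped.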