L2-Aware NAT destination-based multiple NAT policies

Multiple NAT policies for an L2-Aware subscriber can be selected based on the destination IP address of the packet. This allows the operator to assign different NAT pools and outside routing contexts based on the traffic destinations.

The mapping between the destination IP prefix and the NAT policy is defined in a nat-prefix-list. This nat-prefix-list is applied to the L2-Aware subscriber through a subscriber profile. After the subscriber traffic arrives at the MS-ISA where NAT is performed, an additional lookup based on the destination IP address of the packet is executed to select the specific NAT policy (and consequently the outside NAT pool). If the destination IP address lookup does not find a specific NAT policy, the default NAT policy referenced in the subscriber profile is selected.

CLI example:

#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        nat
            nat-policy "l2aw-nat-policy" create
                pool "l2aw-nat-pool" router 1
            exit
            nat-policy "another-l2aw-nat-policy" create
                pool "another-l2aw-nat-pool" router 2
            exit
            nat-policy "default-nat-policy" create
                pool "default-nat-pool" router Base
            exit
            nat-prefix-list "prefixlist1" application l2-aware-dest-to-policy create
                prefix 192.168.0.0/30 nat-policy "l2aw-nat-policy"
                prefix 192.168.0.64/30 nat-policy "l2aw-nat-policy"
                prefix 192.168.0.128/30 nat-policy "l2aw-nat-policy"
                prefix 192.168.1.0/30 nat-policy "another-l2aw-nat-policy"
                prefix 192.168.1.64/30 nat-policy "another-l2aw-nat-policy"
                prefix 192.168.1.128/30 nat-policy "another-l2aw-nat-policy"
            exit
        exit
    exit
#--------------------------------------------------
echo "Subscriber-mgmt Configuration"
#--------------------------------------------------
    subscriber-mgmt
        sub-profile "sub_profile" create
            nat-policy "default-nat-policy"
            nat-prefix-list "prefixlist1"
        exit
    exit

As displayed in the example, multiple IP prefixes can be mapped to the same NAT policy.

The NAT prefix list cannot reference the default NAT policy. The default NAT policy is the one that is referenced directly under the subscriber profile.
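
The destination lookup with its fallback to the default NAT policy, and the rule that the prefix list must not reference that default policy, can be checked offline against a saved configuration before it is applied. The Python below is an added example, not vendor code: the function names and the sample configuration are constructed for illustration, and it also flags prefix entries that name a NAT policy that was never created. It assumes the most specific matching prefix wins, which the text above does not state.

```python
import ipaddress
import re

# Constructed sample in the style of the CLI example; the last two prefixes are deliberate errors.
SAMPLE = '''
nat-policy "l2aw-nat-policy" create
nat-policy "another-l2aw-nat-policy" create
nat-policy "default-nat-policy" create
nat-prefix-list "prefixlist1" application l2-aware-dest-to-policy create
    prefix 192.168.0.0/30 nat-policy "l2aw-nat-policy"
    prefix 192.168.1.64/30 nat-policy "another-l2aw-nat-policy"
    prefix 192.168.2.0/30 nat-policy "l2aw-nat-pol"
    prefix 192.168.3.0/30 nat-policy "default-nat-policy"
sub-profile "sub_profile" create
    nat-policy "default-nat-policy"
    nat-prefix-list "prefixlist1"
'''

def parse(text):
    """Return (defined policy names, [(network, policy)], default policy)."""
    defined = set(re.findall(r'^\s*nat-policy "([^"]+)" create', text, re.M))
    entries = [(ipaddress.ip_network(p), n) for p, n in
               re.findall(r'^\s*prefix (\S+) nat-policy "([^"]+)"', text, re.M)]
    # The sub-profile reference is the only nat-policy line without "create".
    default = re.search(r'^\s*nat-policy "([^"]+)"\s*$', text, re.M).group(1)
    return defined, entries, default

def lint(text):
    """List configuration problems that would mis-steer subscriber traffic."""
    defined, entries, default = parse(text)
    problems = []
    for net, name in entries:
        if name == default:
            problems.append(f"{net}: prefix list references default policy {name!r}")
        elif name not in defined:
            problems.append(f"{net}: undefined nat-policy {name!r}")
    if default not in defined:
        problems.append(f"sub-profile default nat-policy {default!r} is undefined")
    return problems

def select_policy(text, dst):
    """Pick the NAT policy for a destination; fall back to the default policy."""
    _, entries, default = parse(text)
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for net, name in entries if addr in net]
    # Assumption: the most specific matching prefix wins.
    return max(hits)[1] if hits else default
```

Running lint() on a configuration export before commit catches a misspelled policy name, which would otherwise change which outside pool and routing context a destination's traffic uses.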