L2-Aware NAT functionality is tightly coupled with ESM; therefore, the type of residential gateway (RG) supported in L2-Aware NAT depends on the anti-spoof setting of the ESM subscriber. In this context, the residential gateway types are:

- bridged: Subscriber hosts behind the residential gateway are individually set up in the BNG, and their IP and MAC addresses become known to the BNG during the host setup phase (DHCP/PPPoE).
- routed with NAT: Only the residential gateway is set up in the BNG; its IP and MAC address become known to the BNG during the setup phase. Subscriber hosts behind the residential gateway are not known to the BNG; they are hidden behind the residential gateway's NAT.
- routed without NAT: The residential gateway is set up in the BNG. Hosts behind the residential gateway are not set up in the BNG, so the BNG control plane is not aware of their IP and MAC addresses. To forward upstream data traffic from these routed hosts, anti-spoof in the BNG must be set to nh-mac. In the downstream direction, a framed route pointing to the residential gateway must be present in the BNG.
Note that DHCP relay on the residential gateway is assumed to be disabled. If it were enabled, the routed hosts could be set up in the BNG with the lease-populate [nbr-of-leases] l2-header [mac ieee-address] command under the group interface.
The anti-spoof settings in ESM that are relevant in this context are:

- mac-ip: Anti-spoof is based on both the MAC address and the source IP address of the host. This is the more stringent and secure anti-spoof type.
- nh-mac: Anti-spoof is based only on the MAC address of the host. It is used when there are IP hosts behind a routed RG without NAT. The IP addresses of these hosts are exposed in the data traffic received by the BNG, even though the hosts were never explicitly set up in the BNG (via DHCP/PPP). With nh-mac anti-spoof, upstream data traffic from IP addresses that are unknown at the control plane level passes through the BNG, because those hosts sit behind a known subscriber host, in this case a routed residential gateway without NAT.
In addition to the anti-spoof setting, one more CLI command is required in the BNG to select the required residential gateway type:

```
configure subscr-mgmt sub-prof nat-access-mode {auto | bridged}
```
The relationship between the anti-spoof setting in ESM, the nat-access-mode CLI flag and the compatible residential gateway model is shown in Table: Anti-spoof setting comparisons.
| Model no. | Home model | Anti-spoof | NAT access mode CLI flag | Supported in SR OS | Comments |
|---|---|---|---|---|---|
| 1 | Bridged RG | mac-ip | auto or bridged | Yes | All bridged subscriber hosts are eligible for L2-Aware NAT with the most stringent anti-spoof setting. If there is only one host behind the bridged RG, this model is equivalent to model 3. |
| 2 | Bridged RG | nh-mac | bridged | Yes | All bridged subscriber hosts are eligible for L2-Aware NAT. In this model, MAC addresses within the subscriber and SAP must be unique. Even though anti-spoof in ESM is set to nh-mac, the NAT function still checks the source IP address of upstream traffic and drops traffic from spoofed IP addresses (source IP addresses that do not belong to the bridged hosts as initially set up in ESM). |
| 3 | Routed RG with NAT | mac-ip | auto or bridged | Yes | Subscriber hosts behind the residential gateway are hidden behind the routed RG's NAT and are not visible to the BNG. |
| 4 | Routed RG with NAT | nh-mac | auto or bridged | Yes | Supported, but with weaker anti-spoofing than model 3, since only the source MAC address is checked. |
| 5 | Routed RG, no NAT | mac-ip | — | No | Not supported. The mac-ip anti-spoof in ESM blocks traffic from the hosts behind the RG whose source IP addresses are exposed, because those hosts are not set up in the BNG at the control plane level (no DHCP/PPPoE is sent from them). |
| 6 | Routed RG, no NAT | nh-mac | auto or bridged | Yes | Subscriber hosts with exposed source IP addresses pass the nh-mac anti-spoof check and are eligible for L2-Aware NAT. |
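The following is an added illustration, not SR OS code or anything from the original page: a small Python model of the upstream mac-ip and nh-mac anti-spoof checks, the additional L2-Aware NAT source-IP check for bridged hosts (model 2), and the downstream framed-route lookup needed for a routed RG without NAT. The data structures, function names, MAC and IP addresses are all constructed for this example; the nat-access-mode flag is not modeled. Replaying one representative upstream frame per row of the table shows why model 5 is the only combination that cannot forward traffic.

```python
"""Model of the ESM anti-spoof checks, the L2-Aware NAT source-IP check and the
downstream framed-route lookup described on this page.

Constructed illustration only, not SR OS code: every data structure, function
name and address below is an assumption made for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Subscriber:
    """State the BNG holds for one ESM subscriber.

    hosts: subscriber hosts set up on the control plane (DHCP/PPPoE), MAC -> IPs.
    framed_routes: downstream prefixes behind a routed RG -> MAC of that RG.
    """
    hosts: Dict[str, Set[str]] = field(default_factory=dict)
    framed_routes: Dict[str, str] = field(default_factory=dict)


def anti_spoof_ok(sub: Subscriber, src_mac: str, src_ip: str, mode: str) -> bool:
    """Upstream ESM anti-spoof check.

    mac-ip: the (MAC, IP) pair must belong to a host set up in the BNG.
    nh-mac: only the source MAC must belong to a known host; the IP is not checked.
    """
    if mode == "mac-ip":
        return src_ip in sub.hosts.get(src_mac, set())
    if mode == "nh-mac":
        return src_mac in sub.hosts
    raise ValueError(f"unknown anti-spoof mode: {mode}")


def nat_source_ok(sub: Subscriber, src_ip: str, rg_type: str) -> bool:
    """L2-Aware NAT source-IP check for bridged hosts (table model 2): even under
    nh-mac anti-spoof, traffic whose source IP is not one of the bridged hosts set
    up in ESM is dropped by NAT. Behind a routed RG the source IPs are either the
    RG's own (NAT) or exposed hosts unknown to ESM, so no such check applies."""
    if rg_type != "bridged":
        return True
    return any(src_ip in ips for ips in sub.hosts.values())


def upstream_forward(sub: Subscriber, src_mac: str, src_ip: str,
                     mode: str, rg_type: str) -> bool:
    """True when an upstream frame passes anti-spoof and the NAT source check."""
    return anti_spoof_ok(sub, src_mac, src_ip, mode) and nat_source_ok(sub, src_ip, rg_type)


def downstream_next_hop(sub: Subscriber, dst_ip: str) -> Optional[str]:
    """Downstream lookup: a known host IP resolves to that host's MAC; otherwise
    the longest-matching framed route gives the MAC of the RG to forward to.
    Returns None when neither a host nor a framed route covers dst_ip."""
    for mac, ips in sub.hosts.items():
        if dst_ip in ips:
            return mac
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, mac in sub.framed_routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, mac)
    return best[1] if best else None


# Constructed sample subscribers, one per RG type on this page.
BRIDGED = Subscriber(hosts={"00:aa:00:00:00:01": {"10.1.1.2"},
                            "00:aa:00:00:00:02": {"10.1.1.3"}})
ROUTED_NAT = Subscriber(hosts={"00:bb:00:00:00:01": {"10.1.2.2"}})
ROUTED_NO_NAT = Subscriber(hosts={"00:cc:00:00:00:01": {"10.1.3.2"}},
                           framed_routes={"192.168.1.0/24": "00:cc:00:00:00:01"})


def evaluate_models() -> Dict[int, bool]:
    """Replays the table's six models with one representative upstream frame each
    and returns whether that frame is forwarded toward L2-Aware NAT."""
    rg_mac = "00:cc:00:00:00:01"
    return {
        1: upstream_forward(BRIDGED, "00:aa:00:00:00:01", "10.1.1.2", "mac-ip", "bridged"),
        2: upstream_forward(BRIDGED, "00:aa:00:00:00:01", "10.1.1.2", "nh-mac", "bridged"),
        3: upstream_forward(ROUTED_NAT, "00:bb:00:00:00:01", "10.1.2.2", "mac-ip", "routed-nat"),
        4: upstream_forward(ROUTED_NAT, "00:bb:00:00:00:01", "10.1.2.2", "nh-mac", "routed-nat"),
        # Host 192.168.1.10 behind the RG never sent DHCP/PPPoE, so ESM does not know it.
        5: upstream_forward(ROUTED_NO_NAT, rg_mac, "192.168.1.10", "mac-ip", "routed-no-nat"),
        6: upstream_forward(ROUTED_NO_NAT, rg_mac, "192.168.1.10", "nh-mac", "routed-no-nat"),
    }


if __name__ == "__main__":
    for model, forwarded in evaluate_models().items():
        print(f"model {model}: {'forwarded' if forwarded else 'dropped'}")
    # Model 2 detail: a bridged host spoofing an unassigned IP passes nh-mac but NAT drops it.
    print("spoofed bridged IP under nh-mac:",
          upstream_forward(BRIDGED, "00:aa:00:00:00:01", "10.1.1.9", "nh-mac", "bridged"))
```

The two checks in `upstream_forward` are what separate model 2 from model 6: in both, nh-mac lets the frame through ESM, but only for a bridged RG does the model treat an unknown source IP as spoofed, because for a routed RG without NAT an unknown source IP is exactly the traffic the combination exists to carry. The downstream half shows the other prerequisite from the text: without a framed route, `downstream_next_hop` has nowhere to send a reply to 192.168.1.10.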