Both port partitions, initial and extended, are served on a first-come-first-served basis. The initial port partition guarantees at least one port block for each of the preconfigured number of subscribers per outside IP address (configure router nat outside pool port-block-extension ports num-ports subscriber-limit number command). If there are more subscribers in the network than the preconfigured number of NAT subscribers, then this space becomes oversubscribed.
Extended port partitioning, however, does not guarantee that each existing NAT subscriber receives additional port blocks. Each subscriber can allocate additional free port blocks only if they are available, up to the maximum combined limit (initial and extended) set in the NAT policy (configure service nat nat-policy block-limit command).
For optimized NAT pool management and correct capacity planning, understanding the following parameters in the operator’s network is essential:
IP address compression ratio (the number of subscribers who share one outside IP address)
subscriber oversubscription ratio (the number of NAT subscribers who are active simultaneously)
statistical port usage for subscribers (the percentage of subscribers who are heavy, medium, and light port users)
port block sizes
Based on the previous parameters, an average port block per subscriber can be determined and the following parameters in NAT can be set:
the subscriber limit per outside IP address configured in the NAT pool
the size of the initial and extended port blocks configured in the NAT pool
the maximum number of port blocks per subscriber configured in NAT policy
the outside IP address range configured in the NAT pool
The following guidelines, with an example, can serve as an initial configuration for operators who are unsure of their subscribers' current port usage patterns.
An operator has 10,000 subscribers that require NAT, but only 8,000 of them are active simultaneously. This means that the operator can allow oversubscription of outside (NAT) IP addresses.
Average port usage:
60% of the subscribers are light port users with less than 1,000 ports.
30% of the subscribers are medium port users with less than 2000 ports.
10% of the subscribers are heavy port users with less than 4000 ports.
These assumptions lead to the following calculations:
8,000 active subscribers x (0.6 x 1,000 + 0.3 x 2,000 + 0.1 x 4,000) = 12,800,000 total ports.
Assume that one outside IP address can accommodate ~50,000 ports (64K ports less the static port forwards and well-known ports). Then 12,800,000 / 50,000 = 256, so the pool needs 256 outside IP addresses (a /24).
The compression ratio is 8,000 divided by 256, which is ~32 (32 subscribers share one outside IP address); therefore the subscriber limit is 32.
Based on this calculation, a reasonable size for the initial port block is 1,000 ports and for the extended port block 335 ports.
The maximum number of port blocks per subscriber is set to 10 to accommodate heavy users with 4,000 ports (1,000 + 9 x 335 = 4,015).
Setting the subscriber limit in a pool to 32, the initial and extended port block sizes to 1000 and 335 respectively, the maximum number of port blocks per subscriber to 10, and configuring a /24 address range in a pool would produce the needed results. This assumes that the subscribers are properly load-balanced over ISAs or ESAs. The following is an example configuration.
[configure service vprn "demo vprn" nat outside pool "demo pool"]
    port-reservation {
        ports 1000
    }
    l2-aware {
        port-block-extension {
            ports 335
            subscriber-limit 32
        }
    }
    port-forwarding {
        range-end 15000
    }

[configure service nat nat-policy "demo-policy"]
    block-limit 10
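The sizing walkthrough above carried through in code, added here as an example (not Nokia SR OS code or CLI): given the active-subscriber count, the light/medium/heavy profile and the assumed ~50,000 usable ports per outside IP, it derives the pool size, subscriber limit and block limit, and also reports how many extended blocks per outside IP remain once the guaranteed initial partition is carved out. The prefix length assumes the outside IP count rounds up to a power of two; all inputs are the page's own figures, embedded as constructed sample data.

```python
"""Worked NAT pool sizing for port-block-extension capacity planning.
Added example, not Nokia SR OS code: the 8,000 active subscribers, the
60/30/10 light/medium/heavy profile and ~50,000 usable ports per outside
IP are the page's figures, embedded here as constructed sample input."""
import math
from dataclasses import dataclass


@dataclass
class NatPlan:
    total_ports: int                 # ports demanded by all active subscribers
    outside_ips: int                 # outside IPs needed to carry that demand
    prefix_len: int                  # smallest IPv4 prefix holding outside_ips
    subscriber_limit: int            # subscribers per outside IP (compression ratio)
    block_limit: int                 # initial + extended blocks per subscriber
    initial_partition: int           # ports per IP reserved for initial blocks
    extended_blocks_per_ip: int      # extended blocks left per IP after that
    expected_extended_demand: float  # extended blocks the profile needs per IP


def extended_blocks_needed(ports, initial_block, extended_block):
    """Extended blocks a subscriber using `ports` ports needs beyond the initial block."""
    return max(0, math.ceil((ports - initial_block) / extended_block))


def plan_pool(active_subs, usage, usable_ports_per_ip, initial_block, extended_block):
    """usage: list of (share_of_subscribers, max_ports) per user class.
    Derives the pool and nat-policy parameters the walkthrough sets by hand."""
    avg_ports = sum(share * ports for share, ports in usage)
    total_ports = round(active_subs * avg_ports)
    outside_ips = max(1, math.ceil(total_ports / usable_ports_per_ip))
    prefix_len = 32 - math.ceil(math.log2(outside_ips))
    subscriber_limit = math.ceil(active_subs / outside_ips)
    heaviest = max(ports for _, ports in usage)
    block_limit = 1 + extended_blocks_needed(heaviest, initial_block, extended_block)
    # The initial partition is guaranteed per subscriber; the rest of the IP's
    # usable ports is the shared, first-come-first-served extended partition.
    initial_partition = subscriber_limit * initial_block
    extended_blocks_per_ip = (usable_ports_per_ip - initial_partition) // extended_block
    expected_extended_demand = subscriber_limit * sum(
        share * extended_blocks_needed(ports, initial_block, extended_block)
        for share, ports in usage)
    return NatPlan(total_ports, outside_ips, prefix_len, subscriber_limit, block_limit,
                   initial_partition, extended_blocks_per_ip, expected_extended_demand)


# Constructed input taken from the page's walkthrough.
DEMO_USAGE = [(0.6, 1000), (0.3, 2000), (0.1, 4000)]

if __name__ == "__main__":
    print(plan_pool(8000, DEMO_USAGE, 50_000, initial_block=1000, extended_block=335))
```

With the page's numbers the extended partition of each outside IP holds 53 blocks of 335 ports, while the stated profile on average calls for about 58 per 32 subscribers, which is exactly the first-come-first-served oversubscription the text describes for extended blocks.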