Order of configuration steps in deterministic DS-Lite

Configure deterministic DS-Lite in the following order:

1. Configure DS-Lite subscriber-prefix-length.
2. Configure dslite-max-subscriber-limit.
3. Configure deterministic prefix (using a NAT policy).
4. Optionally configure map statements under the prefix.
5. Configure DS-Lite AFTR endpoints.
6. Enable (no shutdown) DS-Lite node.

Modifying the dslite-max-subscriber-limit requires that all nat-policies be removed from the inside routing context.

To migrate a non-deterministic DS-Lite configuration to a deterministic DS-Lite configuration, the non-deterministic DS-Lite configuration must be first removed from the system. The following steps should be followed:

1. Shutdown DS-Lite node.
2. Remove DS-Lite AFTR endpoints.
3. Remove global NAT policy.
4. Configure/modify DS-Lite subscriber-prefix-length.
5. Configure dslite-max-subscriber-limit.
6. Reconfigure global NAT policy.
7. Configure deterministic prefix.
8. Optionally configure one or more manual map statements under the prefix.
9. Reconfigure DS-Lite AFTR endpoints.
10. Enable (no shutdown) DS-Lite node.
11. Configuration Restrictions in Deterministic NAT.

• NAT pool

  • To modify nat pool parameters, the nat pool must be in a shutdown state.

  • Shutting down the nat pool by configuration (shutdown command) is not allowed in case that any NAT policy referencing this pool is active. In other words, all configured prefixes referencing the pool via the NAT policy must be deleted system-wide before the pool can be shut down. when the pool is enabled again, all prefixes referencing this pool (with the NAT policy) have to be recreated. For a large number of prefixes, this can be performed with an offline configuration file executed using the exec command.

• NAT policy

  • All NAT policies (deterministic and non-deterministic) in the same inside routing-instance must point to the same nat-group.

  • A NAT policy (be it a global or in a deterministic prefix) must be configured before one can configure an AFTR endpoint.

• NAT group

  The active-mda-limit in a nat-group cannot be modified as long as a deterministic prefix using that NAT group exists in the configuration (even if that prefix is shutdown). In other words, all deterministic prefixes referencing (with the NAT policy) any pool in that nat-group, must be removed.

• deterministic mappings (prefix and map statements)

  • Non-deterministic policy must be removed before adding deterministic mappings.

  • Modifying, adding or deleting prefix and map statements in deterministic DS-Lite requires that the corresponding nat pool is enabled (in no-shutdown state).

  • Removing an existing prefix statement requires that the prefix node is in a shutdown state.

  config>service>vprn>nat>inside>deterministic# info 
  ----------------------------------------------
              classic-lsn-max-subscriber-limit 128
  prefix 10.0.5.0/24 subscriber-type classic-lsn-sub nat-policy "det" 
                  map start 10.0.5.0 end 10.0.5.127 to 192.168.0.7
                   map start 10.0.5.128 end 10.0.5.255 to 192.168.0.2
             shutdown
  
  config>service>vprn>nat>inside>deterministic# info 
  ----------------------------------------------
              dslite-max-subscriber-limit 128
    prefix 2001:db8:0:1/64 subscriber-type dslite-lsn-sub nat-policy "det" 
  map start 2001:db8::/64 end 2001:db8::FF:0:0:0:0/64 to 10.0.0.5  
   shutdown
  
  config>service>vprn>nat>inside>ds-lite#
                 subscriber-prefix-length 64
                 no shutdown
  

  Similarly, the map statements can be added or removed only if the prefix node is in a shutdown state.

  There are a few rules governing the configuration of the map statement:

  • If the number of subscribers per configured prefix is greater than the subscriber-limit per outside IP parameter (2^n), then the lowest n bits of the map start <inside-ip-address> must be set to 0.

  • If the number of subscribers per configured prefix is equal or less than the subscriber-limit per outside IP parameter (2^n), then only one map command for this prefix is allowed. In this case there is no restriction on the lower n bits of the map start <inside-ip-address>. The range of the inside IP addresses in such map statement represents the prefix itself.

  The outside-ip-address in the map statements must be unique amongst all map statements referencing the same pool. In other words, two map statements cannot reference the same <outside-ip-address> in a pool.

• configuration parameters

  • The subscriber-limit in deterministic nat pool must be a power of 2.

  • The NAT inside classic-lsn-max-subscriber-limit must be power of 2 and at least as large as the largest subscriber-limit in any deterministic nat pool referenced by this routing instance. To change this parameter, all nat-policies in that inside routing instance must be removed.

  • The NAT inside ds-lite-max-subscriber-limit must be power of 2 and at least as large as the largest subscriber-limit in any deterministic nat pool referenced by this routing instance. To change this parameter, all nat-policies in that inside routing instance must be removed.

  • In DS-Lite, the [subscriber-prefix-length - log2(dslite-max-subscriber-limit)] value must fall within [32 to 64, 128].

  • In DS-Lite, the subscriber-prefix-length can be only modified if the DS-Lite CLI node is in the shutdown state and there are no deterministic DS-Lite prefixes configured.

• miscellaneous

  • Deterministic NAT is not supported in combination with 1:1 NAT. Therefore the nat pool cannot be in mode 1:1 when used as deterministic pool. Even if each subscriber is mapped to its own unique outside IP (sub-limit=1, det-port-reservation ports (65535-1023), NAPT (port translation) function is still performed.

  • Wildcard port forwards (including PCP) map to the wildcard port ranges and not the deterministic port range. Consequently logs are generated for static port forwards using PCP.