The number of deterministic mappings that a single outside IP address can sustain is determined by the configuration of the outside pool.
The port allocation per outside IP address is shown in Figure: Outside pool configuration.
The well-known ports are predetermined and are in the range 0-1023.
The upper limit of the port range for static port forwards (the wildcard range) is set by the existing port-forwarding-range command.
The range of ports allocated for deterministic mappings (DetP) is the number of subscribers per outside IP (subscriber-limit command) multiplied by the number of ports per deterministic block (deterministic>port-reservation command). In deterministic NAT, the number of subscribers per outside IP must be a power of 2 (2^n).
The remaining ports, from the end of the deterministic port range to the end of the total port range (65,535), are used for dynamic port allocation. The size of each dynamic port block is set by the existing port-reservation command.
The deterministic>port-reservation command enables the deterministic mode of operation for the pool.
Examples:
Three examples follow, with deterministic Large Scale NAT44, where the requirements are:
- 300, 500 or 700 ports (three separate examples) are in each deterministic port block.
- A subscriber (an inside IPv4 address in LSN44) can extend its deterministic ports by a minimum of one dynamic port block and by a maximum of four dynamic port blocks.
- Each dynamic port block contains 100 ports.
- Oversubscription of dynamic port blocks is 4:1. This means that, in the worst case, 1/4 of the inside IP addresses may be starved of dynamic port blocks.
- The wildcard (static) port range is 3000 ports.
In the first case, the ideal scenario is examined, where an arbitrary number of subscribers per outside IP address is allocated according to the requirements described above. Then the limitation that the number of subscribers must be a power of 2 is factored in.
Table: Contiguous number of subscribers

Well-known ports | Static port range | Number of ports in deterministic block | Number of deterministic blocks | Number of ports in dynamic block | Number of dynamic blocks | Number of inside IP addresses per outside IP address | Block limit per inside IP address | Wasted ports |
---|---|---|---|---|---|---|---|---|
0-1023 | 1024-4023 | 300 | 153 | 100 | 153 | 153 | 5 | 312 |
0-1023 | 1024-4023 | 500 | 102 | 100 | 102 | 102 | 5 | 312 |
0-1023 | 1024-4023 | 700 | 76 | 100 | 76 | 76 | 5 | 712 |
The example in Table: Contiguous number of subscribers shows how the port ranges would be carved out in the ideal scenario.
The other values are calculated according to the fixed requirements.
The port-block-limit includes the deterministic port block plus all dynamic port blocks.
Next, in Table: Preserving Det/Dyn port ratio with 2^n subscribers, a more realistic example is considered, with the number of subscribers equal to 2^n. The ratios between deterministic and dynamic ports per port block are preserved just as in the example above: 3/1, 5/1 and 7/1. In this case, the number of ports per port block is dictated by the number of subscribers per outside IP address.
Table: Preserving Det/Dyn port ratio with 2^n subscribers

Well-known ports | Static port range | Number of ports in deterministic block | Number of deterministic blocks | Number of ports in dynamic block | Number of dynamic blocks | Number of inside IP addresses per outside IP address | Block limit per inside IP address | Wasted ports |
---|---|---|---|---|---|---|---|---|
0-1023 | 1024-4023 | 180 | 256 | 60 | 256 | 256 | 5 | 72 |
0-1023 | 1024-4023 | 400 | 128 | 80 | 128 | 128 | 5 | 72 |
0-1023 | 1024-4023 | 840 | 64 | 120 | 64 | 64 | 5 | 72 |
The final example (Table: Fixed number of deterministic ports with 2^n subscribers) is similar to Table: Contiguous number of subscribers, with the difference that the number of ports in the deterministic block is kept fixed at the values of the original example (300, 500 and 700).
Table: Fixed number of deterministic ports with 2^n subscribers

Well-known ports | Static port range | Number of ports in deterministic block | Number of deterministic blocks | Number of ports in dynamic block | Number of dynamic blocks | Number of inside IP addresses per outside IP address | Block limit per inside IP address | Wasted ports |
---|---|---|---|---|---|---|---|---|
0-1023 | 1024-4023 | 300 | 128 | 180 | 128 | 128 | 5 | 72 |
0-1023 | 1024-4023 | 500 | 64 | 461 | 64 | 64 | 5 | 8 |
0-1023 | 1024-4023 | 700 | 64 | 261 | 64 | 64 | 5 | 8 |
The three examples from above should give us a perspective on the size of deterministic and dynamic port blocks in relation to the number of subscribers (2^n) per outside IP address. Operators should run a similar dimensioning exercise before they start configuring their deterministic NAT.
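The dimensioning rules above, carried through in code so the three tables can be regenerated for other block sizes or static ranges. This is an added worked example, not SR OS software or configuration: the function names (contiguous, ratio_preserving, fixed_det_block, ports_per_subscriber, pool_cli) are our own, the inputs are the figures used on this page (65,536 ports per outside IP, well-known ports 0-1023, a 3000-port static range ending at port 4023, block limit 5 with 4:1 dynamic oversubscription, so one dynamic block per subscriber), and the rounding of the subscriber count down to a power of two is the 2^n rule stated above.

```python
"""Deterministic NAT port dimensioning for one outside IP address.

Added worked example (not SR OS code): reproduces the three tables above.
Each outside IP has 65,536 ports; 0-1023 are well-known, the static
(wildcard) range ends at the port given to port-forwarding-range, and the
rest is split between one deterministic block per subscriber and dynamic
blocks. With block-limit 5 (1 deterministic + 4 dynamic) and 4:1 dynamic
oversubscription, the number of dynamic blocks equals the subscriber count.
"""
from dataclasses import dataclass

TOTAL_PORTS = 65536        # ports 0..65535 on a single outside IP


@dataclass(frozen=True)
class Dimensioning:
    det_block: int     # ports per deterministic block (deterministic>port-reservation)
    dyn_block: int     # ports per dynamic block (port-reservation ports)
    subscribers: int   # inside IPs per outside IP (subscriber-limit)
    dyn_blocks: int    # dynamic blocks carved from the remaining range
    wasted: int        # ports left unused at the top of the range


def available_ports(pf_range_end: int = 4023) -> int:
    """Ports above the static range; 4023 = 1024 well-known + 3000 static."""
    return TOTAL_PORTS - (pf_range_end + 1)


def largest_power_of_two_at_most(n: int) -> int:
    """subscriber-limit must be 2^n, so round a raw subscriber count down."""
    if n < 1:
        raise ValueError("need at least one subscriber")
    return 1 << (n.bit_length() - 1)


def contiguous(det_block: int, dyn_block: int, pf_range_end: int = 4023) -> Dimensioning:
    """Table 'Contiguous number of subscribers': ignore the 2^n rule and
    pack as many subscribers as fit, each owning one det and one dyn block."""
    avail = available_ports(pf_range_end)
    per_sub = det_block + dyn_block
    subs = avail // per_sub
    return Dimensioning(det_block, dyn_block, subs, subs, avail - subs * per_sub)


def ratio_preserving(subscribers: int, det_share: int, dyn_share: int,
                     pf_range_end: int = 4023) -> Dimensioning:
    """Table 'Preserving Det/Dyn port ratio with 2^n subscribers': fix the
    2^n subscriber count, give each an equal slice, split it det:dyn."""
    if subscribers < 1 or subscribers & (subscribers - 1):
        raise ValueError("subscriber-limit must be a power of two")
    avail = available_ports(pf_range_end)
    unit = (avail // subscribers) // (det_share + dyn_share)
    det_block, dyn_block = unit * det_share, unit * dyn_share
    wasted = avail - subscribers * (det_block + dyn_block)
    return Dimensioning(det_block, dyn_block, subscribers, subscribers, wasted)


def fixed_det_block(det_block: int, pf_range_end: int = 4023) -> Dimensioning:
    """Table 'Fixed number of deterministic ports with 2^n subscribers':
    keep the det block size, round subscribers down to 2^n, and give the
    whole remainder to dynamic blocks (one per subscriber)."""
    avail = available_ports(pf_range_end)
    subs = largest_power_of_two_at_most(avail // det_block)
    dyn_block = (avail - subs * det_block) // subs
    wasted = avail - subs * (det_block + dyn_block)
    return Dimensioning(det_block, dyn_block, subs, subs, wasted)


def ports_per_subscriber(d: Dimensioning, block_limit: int = 5) -> int:
    """Maximum ports one inside IP can hold: its det block plus up to
    block_limit-1 dynamic blocks (nat-policy block-limit)."""
    return d.det_block + (block_limit - 1) * d.dyn_block


def pool_cli(d: Dimensioning, pf_range_end: int = 4023) -> str:
    """Render the matching outside-pool commands in the style of the
    page's own listing (layout is ours, not a generated SR OS config)."""
    return (f"port-reservation ports {d.dyn_block}\n"
            f"deterministic\n    port-reservation {d.det_block}\n"
            f"subscriber-limit {d.subscribers}\n"
            f"port-forwarding-range {pf_range_end}")


if __name__ == "__main__":
    cases = ([contiguous(det, 100) for det in (300, 500, 700)]
             + [ratio_preserving(s, r, 1) for s, r in ((256, 3), (128, 5), (64, 7))]
             + [fixed_det_block(det) for det in (300, 500, 700)])
    for d in cases:
        print(d, "max ports/subscriber:", ports_per_subscriber(d))
    print(pool_cli(fixed_det_block(300)))
```

Running the script prints the nine rows of the three tables in order and, for the fixed-300-port case, the same pool parameters as the CLI listing that follows (180-port dynamic blocks, 128 subscribers, 1020 ports per subscriber with block-limit 5). Changing pf_range_end, the block sizes or the det:dyn ratio re-runs the dimensioning for another deployment.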
The CLI for the highlighted case in the Table: Contiguous number of subscribers is displayed:
```
configure
    service
        vprn
            nat
                outside
                    pool mypool
                        port-reservation ports 180
                        deterministic
                            port-reservation 300
                        subscriber-limit 128
                        port-forwarding-range 4023
```
Where:
- 128 subs * 300 ports = 38,400 deterministic port range
- 128 subs * 180 ports = 23,040 dynamic port range
- Det+dyn available ports = 65,536 - 4,024 = 61,512
- Det+dyn usable ports = 128*300 + 128*180 = 61,440 ports
- 72 ports per outside IP are wasted.
```
configure
    service
        nat
            nat-policy mypolicy
                block-limit 5    (1 deterministic port block + 4 dynamic port blocks)
```
This configuration allows 128 subscribers (inside IP addresses in LSN44) for each outside address (compression ratio is 128:1) with each subscriber being assigned up to 1020 ports (300 deterministic and 720 dynamic ports over 4 dynamic port blocks).
The outside IP addresses in the pool and their corresponding port ranges are organized as shown in Figure: Outside address ranges.
Assuming that the above graph depicts an outside deterministic pool, the number of subscribers that can be accommodated by this deterministic pool is represented by purple squares (number of IP addresses in an outside pool * subscriber-limit). The number of subscribers across all configured prefixes on the inside that are mapped to the same deterministic pool must be less than the outside pool can accommodate. In other words, an outside address pool in deterministic NAT cannot be oversubscribed.
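A pre-configuration check for the rule just stated, that a deterministic outside pool cannot be oversubscribed. This is an added example, not SR OS code: it counts the outside addresses in the pool's address-range entries, multiplies by subscriber-limit, and compares that capacity with the number of inside IP addresses across the prefixes mapped to the pool. The address values are constructed for illustration, and counting every address in an inside prefix (including the first and last) as a subscriber is our assumption.

```python
"""Deterministic pool capacity check (added example, not SR OS code).

Capacity of an outside deterministic pool = (outside IPs across all
address-range entries) * subscriber-limit. The inside prefixes mapped to
the pool must not add up to more subscribers than that.
"""
import ipaddress


def outside_addresses(address_ranges):
    """Count outside IPs in a list of inclusive (start-ip, end-ip) ranges,
    mirroring 'address-range <start-ip-address> <end-ip-address>'."""
    total = 0
    for start, end in address_ranges:
        a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if b < a:
            raise ValueError(f"address-range {start} {end} is reversed")
        total += int(b) - int(a) + 1
    return total


def inside_addresses(prefixes):
    """Every address in an inside prefix mapped to the pool is a subscriber
    (assumption: network and broadcast addresses count too)."""
    return sum(ipaddress.IPv4Network(p).num_addresses for p in prefixes)


def pool_capacity(address_ranges, subscriber_limit):
    """Purple squares in the figure: outside IPs * subscriber-limit."""
    return outside_addresses(address_ranges) * subscriber_limit


def check_pool(address_ranges, subscriber_limit, inside_prefixes):
    """Return (capacity, demand, ok); ok is False when the pool would be
    oversubscribed and the configuration should be rejected."""
    capacity = pool_capacity(address_ranges, subscriber_limit)
    demand = inside_addresses(inside_prefixes)
    return capacity, demand, demand <= capacity


if __name__ == "__main__":
    # Constructed sample: 16 outside IPs, subscriber-limit 128 -> 2048 subscribers.
    ranges = [("192.0.2.1", "192.0.2.16")]
    for prefixes in (["10.0.0.0/21"], ["10.0.0.0/21", "10.0.8.0/24"]):
        capacity, demand, ok = check_pool(ranges, 128, prefixes)
        print(f"{prefixes}: capacity={capacity} demand={demand} "
              f"{'ok' if ok else 'OVERSUBSCRIBED'}")
```

The first sample fills the pool exactly (2048 inside addresses against 2048 mappings); adding one more /24 pushes demand to 2304 and the check fails, which is the situation the text says the pool cannot absorb.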
The following is a CLI representation of a deterministic pool definition including the outside IP ranges:
```
pool "mypool" nat-group 1 type large-scale
    port-reservation {blocks <dynBlocks>} | {ports <ports>}
    deterministic
        port-reservation <ports>
    subscriber-limit <sub-limit>
    port-forwarding-range <pfRange>
    address-range <start-ip-address> <end-ip-address>
    address-range <start-ip-address> <end-ip-address>
```