Similarly to LSN, an L2-Aware NAT subscriber is assigned a single outside IP address per NAT pool, with one or more port blocks tied to the IP address. The outside IP address is shared by multiple subscribers, each with its own unique set of port blocks.
To ensure that a predetermined number of subscribers receive NAT service, each of them must be guaranteed an outside IP address and at least one port block on that IP address. For this reason, the port block space in a pool is divided into two partitions:
port block space reserved for new L2-Aware NAT subscribers
Each new subscriber is guaranteed to receive at least one port block, referred to as the initial port block. The key point is that a predetermined number of subscribers is guaranteed at least one port block. This number is the subscriber-limit multiplied by the number of outside addresses in the pool. If the overall number of subscribers in the network requiring NAT service is larger, the guaranteed port block space becomes oversubscribed.
port block space reserved for the extended port-blocks of existing NAT subscribers
This port partition is used by subscribers who exhaust the ports in their initial port block and need additional ports. Depending on availability and configuration, they are assigned additional (extended) port blocks.
Without this kind of port space partitioning, the outside IP addresses in the NAT pool could be monopolized by users with heavy port consumption, denying NAT service to the majority of users with lower port consumption.
This division of port space is controlled by limiting the number of subscribers per outside IP address and by configuring the size of the initial port block.
The following shows configuration information relevant to port-block allocation in L2-Aware NAT:
initial port block size for new subscribers
MD-CLI
configure service vprn <service-name> nat outside pool <name>
port-reservation {
ports <number>
}
Classic CLI
The pool must be of type l2-aware.
port-reservation blocks <num> can be set only if port-block-extension is not enabled.
configure service vprn <id> nat outside pool <name>
port-reservation blocks <num>
port-reservation ports <num>
the extended port block size for existing subscribers and the maximum number of subscribers per outside IP address. The sizes of the initial port block and the extended port block may differ.
MD-CLI
configure service vprn <service-name> nat outside pool <name>
l2-aware {
port-block-extension {
ports <number>
subscriber-limit <number>
}
}
Classic CLI
The pool must be of type l2-aware.
configure service vprn <id> nat outside pool <name>
port-block-extensions ports <num> subscriber-limit <num>
upper boundary for static port forwards
MD-CLI
[configure service vprn <service-name> nat outside pool <name>]
port-forwarding {
range-end <number>
}
Classic CLI
configure service vprn <id> nat outside pool <name>
port-forwarding-range <range-end>
Figure: Port space partitioning for an outside IP address shows the effects of the commands.
The maximum number of port blocks that can be allocated per subscriber is controlled by the following configuration in the NAT policy.
MD-CLI
[configure service nat nat-policy <name>]
block-limit <number>
Classic CLI
configure service nat nat-policy <name>
block-limit <number>
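The following model ties the two partitions described above to the configuration knobs listed in this section: port-reservation ports (initial block size), port-block-extension ports and subscriber-limit (extended block size and subscribers per outside IP), port-forwarding range-end (ports kept for static forwards) and block-limit (blocks per subscriber). It is an added illustration, not SR OS code; the exact port layout (static forwards lowest, then the initial partition, then the extended partition), the class and function names, and all port values and subscriber names are assumptions and constructed sample data. It shows why a heavy subscriber cannot consume the initial blocks that admit new subscribers, and how block-limit caps a subscriber's extended blocks.

```python
"""Model of L2-Aware NAT port-block partitioning on one outside IP address.

Added example, not Nokia SR OS code. The attribute names mirror the
configuration keywords on the page; the partition layout and sample
numbers are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PORT = 65535
Block = Tuple[int, int]  # inclusive (first_port, last_port)


def guaranteed_subscribers(subscriber_limit: int, outside_addresses: int) -> int:
    """Subscribers guaranteed an initial port block in a pool (from the text)."""
    return subscriber_limit * outside_addresses


@dataclass
class OutsideAddress:
    """Port space of a single outside IP address, split into two partitions.

    Assumed layout (not stated on the page): ports 1..range_end are kept for
    static port forwards, the initial-block partition follows, and the
    extended-block partition takes the remainder up to MAX_PORT.
    """
    initial_ports: int      # port-reservation ports
    extended_ports: int     # port-block-extension ports
    subscriber_limit: int   # port-block-extension subscriber-limit
    range_end: int          # port-forwarding range-end
    block_limit: int        # nat-policy block-limit (initial + extended blocks)
    blocks: Dict[str, List[Block]] = field(default_factory=dict)  # index 0 = initial block

    def __post_init__(self) -> None:
        first_dynamic = self.range_end + 1
        ext_start = first_dynamic + self.subscriber_limit * self.initial_ports
        if ext_start - 1 > MAX_PORT:
            raise ValueError("initial-block partition does not fit in the port range")
        # Partition 1: exactly subscriber_limit initial blocks, one per subscriber slot.
        self.initial_free: List[Block] = [
            (first_dynamic + i * self.initial_ports,
             first_dynamic + (i + 1) * self.initial_ports - 1)
            for i in range(self.subscriber_limit)
        ]
        # Partition 2: extended blocks carved from whatever port space remains.
        self.extended_free: List[Block] = [
            (s, s + self.extended_ports - 1)
            for s in range(ext_start, MAX_PORT - self.extended_ports + 2, self.extended_ports)
        ]

    def admit(self, sub: str) -> Optional[Block]:
        """New subscriber: succeeds while an initial block (a subscriber slot) is free."""
        if sub in self.blocks or not self.initial_free:
            return None
        blk = self.initial_free.pop(0)
        self.blocks[sub] = [blk]
        return blk

    def extend(self, sub: str) -> Optional[Block]:
        """Existing subscriber out of ports: gets an extended block within block-limit."""
        owned = self.blocks.get(sub)
        if owned is None or len(owned) >= self.block_limit or not self.extended_free:
            return None
        blk = self.extended_free.pop(0)
        owned.append(blk)
        return blk

    def release(self, sub: str) -> None:
        """Return a subscriber's blocks to the partitions they came from."""
        owned = self.blocks.pop(sub, [])
        if owned:
            self.initial_free.append(owned[0])
            self.extended_free.extend(owned[1:])


if __name__ == "__main__":
    # Constructed sample: 16 subscribers per outside IP, 64-port initial blocks,
    # 256-port extended blocks, ports 1..1023 reserved for static forwards.
    ip = OutsideAddress(initial_ports=64, extended_ports=256, subscriber_limit=16,
                        range_end=1023, block_limit=4)
    print("guaranteed in a 4-address pool:", guaranteed_subscribers(16, 4))
    print("heavy subscriber initial block:", ip.admit("heavy"))
    print("heavy subscriber extensions:", [ip.extend("heavy") for _ in range(4)])
    print("new subscribers admitted:", sum(ip.admit(f"sub{i}") is not None for i in range(1, 17)))
```

Running the module shows the heavy subscriber stopping at three extended blocks (block-limit 4 counts its initial block) while 15 further subscribers are still admitted; the 16th is refused only because subscriber-limit, not the heavy user, fills the last slot.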