ISG and NAT Combination on the Cisco ASR 1000 Series Routers
The Intelligent Services Gateway (ISG) and Network Address Translation (NAT) Combination feature aims
to deploy both traditional ISG and NAT functionalities on a single Cisco ASR 1000 Series Aggregation
Services Router. This document describes the integration of ISG Internet Protocol over Ethernet (IPoE)
sessions and IPv4 NAT.
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
1
Information About ISG and NAT Combination on the Cisco ASR 1000 Series Routers
When NAT is combined with the ISG on the same device, the following deployment models are available:
• The ISG access interface configured as a NAT inside interface
• The ISG uplink interface configured as a NAT outside interface
Call Flow for ISG and NAT Combination on the Cisco ASR 1000 Series Routers
The following figure shows the call flow for ISG and NAT combination on a Cisco ASR 1000 Series
Aggregation Services Router.
Figure 2: Call Flow for ISG and NAT Combination on a Cisco ASR 1000 Series Router
The following procedure describes the possible packet flow for traffic coming from a client device:
1. A packet with source address 10.0.0.1 and TCP port 32000 is received on the ISG access interface, which is also the NAT inside interface.
2. The ISG classification is performed first. If an IP session exists for the client 10.0.0.1, all the ISG features are applied to the packet, as required.
3. If the packet is forwarded to a NAT outside interface and is classified by the applicable NAT Access Control List (ACL), the NAT function is performed on the packet and a NAT translation for the flow is created in the Cisco QuantumFlow Processor (QFP); for example, the source address and port are translated from 10.0.0.1:32000 to 2.2.2.2:4000.
The following procedure describes the possible packet flow for traffic returning to a client device:
1. The packet is received on the ISG uplink interface, which is also the NAT outside interface. The destination address:port is 2.2.2.2:4000 (as shown in Figure 2: Call Flow for ISG and NAT Combination on a Cisco ASR 1000 Series Router).
2. NAT is checked first. If the packet matches an active NAT translation in the QFP, the destination address:port is translated; for example, 2.2.2.2:4000 is translated to 10.0.0.1:32000.
3. The IP forwarding table lookup is performed. Because 10.0.0.1 maps to an IPoE session, all the relevant ISG features can now be applied to the packet.
NAT Overloading and Port Parity
We recommend that you configure CGN using the ip nat setting mode cgn command to achieve the maximum
scalability in terms of the total number of translations. CGN does not show the outside entries (destination IP
addresses or port entries) in the NAT table. CGN reduces the amount of QFP DRAM required to store NAT
translations, and enables the platform to scale to a higher number of translations.
Protocol   Inside Global IP    Inside Local IP    Outside Local IP   Outside Global IP
           address:port        address:port       address:port       address:port
TCP        2.2.2.2:4000        10.0.0.1:32000     —                  —
Depending on the available QFP DRAM, a higher number of sessions or translations can be achieved, as
shown in the following example:
NAT Interface Overloading with VRF
There is a concept of port parity (even/odd) in NAT and NAT64. If a source port is in the range 0 to 1023, it is translated to a port between 512 and 1023. If the source port is greater than 1023, it is translated to a port from 1024 onwards.
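A small Python model of the two forwarding paths from the call flow above, together with the port-parity rule just described and the per-host translation limit recommended later under Best Practices. This is an added example, not Cisco's code or the QFP implementation; the session set, the ACL as a plain set of client IPs, the parity-preserving port allocator and the per_host_max field are assumptions, so the global port it picks differs from the 4000 shown in Figure 2.

```python
from dataclasses import dataclass, field

@dataclass
class IsgNat:
    # Constructed model of one ASR 1000 with ISG on the access interface and NAT inside/outside.
    isg_sessions: set          # client IPs that currently have an IPoE session
    nat_acl: set               # client IPs the NAT ACL classifies for translation (assumption)
    inside_global: str         # inside global address, e.g. a loopback
    per_host_max: int = 100    # analogue of "ip nat translation max-entries all-host"
    out_table: dict = field(default_factory=dict)  # (inside ip, port) -> global port
    in_table: dict = field(default_factory=dict)   # global port -> (inside ip, port)

    def _alloc_port(self, src_port):
        # Port parity: 0..1023 translates into 512..1023, above 1023 into 1024 onwards,
        # and the even/odd parity of the source port is preserved (assumed allocator).
        lo, hi = (512, 1023) if src_port <= 1023 else (1024, 65535)
        cand = lo if lo % 2 == src_port % 2 else lo + 1
        while cand <= hi:
            if cand not in self.in_table:
                return cand
            cand += 2
        raise RuntimeError("global port range exhausted")

    def outbound(self, src_ip, src_port):
        """Packet from a client on the ISG access / NAT inside interface."""
        # Steps 1-2: ISG classification runs first; without an IP session no ISG features apply.
        if src_ip not in self.isg_sessions:
            return ("no-session", src_ip, src_port)
        # Step 3: NAT only for flows the NAT ACL classifies; others are forwarded untranslated.
        if src_ip not in self.nat_acl:
            return ("forwarded", src_ip, src_port)
        key = (src_ip, src_port)
        if key not in self.out_table:
            if sum(1 for ip, _ in self.out_table if ip == src_ip) >= self.per_host_max:
                return ("per-host-limit", src_ip, src_port)  # one host cannot fill the table
            gport = self._alloc_port(src_port)
            self.out_table[key] = gport
            self.in_table[gport] = key
        return ("translated", self.inside_global, self.out_table[key])

    def inbound(self, dst_ip, dst_port):
        """Packet arriving on the ISG uplink / NAT outside interface."""
        # Steps 1-2: NAT is checked first; only an active translation is rewritten.
        if dst_ip != self.inside_global or dst_port not in self.in_table:
            return ("no-translation", dst_ip, dst_port)
        inside_ip, inside_port = self.in_table[dst_port]
        # Step 3: after the forwarding lookup the inside address maps to an IPoE session.
        state = "isg-session" if inside_ip in self.isg_sessions else "no-session"
        return (state, inside_ip, inside_port)
```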
interface GigabitEthernet0/0/5.200
description ISG Access interface for WIFI SSID PROVIDERWIFI_01
encapsulation dot1Q 200
vrf forwarding PROVIDER_WIFI_01
ip nat inside # NAT inside interface config
ip address 10.232.0.3 255.248.0.0
service-policy type control default ISP_DEFAULT_RULES
service-policy type control ISP_RULES
ip subscriber l2-connected
initiator unclassified mac-address
arp ignore local
interface GigabitEthernet0/0/0
description Outside Interface
vrf forwarding PROVIDER_WIFI_01
ip address 192.168.66.20 255.255.255.240
ip nat outside #NAT outside interface
negotiation auto
end
interface Loopback100
description PROVIDER_WIFI_NAT source
vrf forwarding PROVIDER_WIFI_01
ip address 107.14.25.215 255.255.255.255
Note: From the client IP range 10.232.0.0/16, the service provider performs NAT only on DNS query traffic (ACL PROVIDER_WIFI_NAT_ACL), and the IP address of Loopback100 is used as the inside global address.
Best Practices for Configuring the ISG and NAT on the Cisco ASR 1000 Series Routers
The following are the recommended best practices to configure the ISG and NAT on the Cisco ASR 1000
Series Aggregation Services Routers:
• Restriction on the total QFP DRAM usage
At 97 percent DRAM utilization, depletion messages are displayed in the syslog as a warning message
to make the operator aware of low QFP DRAM availability. We recommend that you configure QFP
DRAM CAC in the system to avoid any unexpected behavior. The Call Admission Control (CAC)
functionality ensures that new subscriber sessions cannot be established when QFP DRAM utilization
exceeds the configured threshold.
The following configuration example sets the QFP DRAM threshold to 95 percent:
platform subscriber cac mem qfp 95
• Set the maximum limit for total number of NAT translations:
◦ ESP40: ip nat translation max-entries 1000000
◦ ESP100: ip nat translation max-entries 4000000
• The ip nat translation max-entries all-host command can be used in scenarios where the Cisco ASR 1000 Series Router, acting as ISG, performs NAT on all or most of the subscriber traffic. This helps the operator prevent a single host from occupying the entire translation table, while allowing a reasonable upper limit for each host.
• The maximum number of translations per host can be configured using either of these ways:
◦ Configuring the same number of maximum translation entries for all the subscribers using the following command:
ip nat translation max-entries all-host <maximum number of NAT entries for each host>
◦ Configuring the maximum translation entries for a given subscriber using the following command:
ip nat translation max-entries host ip-address [per-host NAT entry limit]
• Ensure that you keep the translations timeout low, around 2 minutes for TCP, and 1 minute for UDP
translations:
◦ ip nat translation timeout 120
◦ ip nat translation tcp-timeout 120
◦ ip nat translation udp-timeout 60
Configuration Examples for the ISG and NAT Combination on the Cisco ASR 1000 Series Routers
Example: Configuring Class Maps to Include Subscriber Traffic
Example: Configuring ISG Control Policy for Full and Lite Sessions
policy-map type control ISG_NAT_CONTROL_DEFAULT
class type control ISP_TAL_MATCH event session-start
10 default-exit
!
class type control always event session-start
10 service-policy type service name NO_SERVICE
!
!
policy-map type control ISG_NAT_CONTROL
class type control ISP_TAL_USER event session-start
20 service-policy type service name INTERNET_SERVICE
30 service-policy type service name POSTPAID_SERVICE
40 authorize aaa list ISG_PROXY_LIST_INVALID password lab1 identifier mac-address
50 service-policy type service name L4REDIRECT_SERVICE
90 default-apply
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
!
class type control always event account-logon
10 authenticate aaa list WEB_LOGON
20 service-policy type service unapply name L4REDIRECT_SERVICE
30 service-policy type service name INTERNET_SERVICE
40 service-policy type service name POSTPAID_SERVICE
!
!
interface GigabitEthernet0/0/1
ip address 99.0.7.11 255.255.0.0
negotiation auto
!
interface GigabitEthernet0/0/2
description To N2X connection 802/3
ip address 191.0.0.1 255.0.0.0
ip nat inside # NAT inside interface
negotiation auto
service-policy type control default ISG_NAT_CONTROL_DEFAULT
service-policy type control ISG_NAT_CONTROL
ip subscriber l2-connected
initiator unclassified mac-address
!
interface GigabitEthernet0/0/3
description To N2X connection 802/2
ip address 192.0.0.1 255.0.0.0
ip nat inside # NAT inside interface
negotiation auto
service-policy type control default ISG_NAT_CONTROL_DEFAULT
service-policy type control ISG_NAT_CONTROL
ip subscriber l2-connected
initiator unclassified mac-address
!
!
interface GigabitEthernet0/3/0
description To N2X connection 201/1
ip address 193.0.0.1 255.0.0.0
ip nat inside # NAT inside interface
negotiation auto
service-policy type control default ISG_NAT_CONTROL_DEFAULT
service-policy type control ISG_NAT_CONTROL
ip subscriber l2-connected
initiator unclassified mac-address
!
interface GigabitEthernet0/3/4
description To N2X connection 803/3
ip address 194.0.0.1 255.0.0.0
ip nat outside #NAT outside interface
negotiation auto
!
Example: Configuring Network Address Translation
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 5.28.8.15 255.255.0.0
negotiation auto
!
ip default-gateway 5.28.0.1
!
Additional References
Related Documents
Related Topic                               Document Title
Carrier Grade Network Address Translation   IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S (ASR 1000)
MIBs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/public/support/tac/home.shtml
Feature Information for ISG and NAT Combination on the Cisco ASR 1000 Series Routers
Table 3: Feature Information for ISG and NAT Combination on the Cisco ASR 1000 Series Routers