9.5. Subscriber Groups

Subscriber groups define the general traffic processing rules for one or more subscriber subnets: which pool is used to translate the subscribers' connections, which access lists apply to them, and how much of the shared NAT resources a single subscriber may consume. Subscriber groups are linked to the subscriber subnets using NAT rules. This section describes how to create and configure subscriber groups.

9.5.1. Subscriber Group Creation

nat subscriber-group NAME

Create the NAME subscriber group and switch to its configuration mode.

All the settings described below are performed in the subscriber group configuration mode.

9.5.2. Assigning Pool

If no pool is assigned to the subscriber group, its traffic is forwarded without address translation. For NAT to start translating addresses, specify which pool's public addresses are to be used for the translation.

pool NAME [secondary NAME]

Assign the NAME pool to the subscriber group. The pool must be created and enabled in advance. A single pool can be assigned to several subscriber groups at the same time.

If the NAME pool is a NAT-type pool, you can use the secondary option to specify a backup pool that is used once all IP addresses of the primary pool are exhausted.

To unassign the pool, use the no pool command.

9.5.3. Assigning Access Lists

NAT access lists provide more precise control over how the subscriber group’s traffic is translated, for example:

  • translate the connections to some IP addresses or ports using a different pool,

  • do not translate connections to some IP addresses or ports at all,

  • prohibit traffic to some IP addresses or ports.

These are only some of the NAT access lists capabilities. A detailed description of all the features can be found in the Access Lists section.

<ip|ipv6> dp-access-list NAME <inside|outside>

After executing this command, the NAME access list of the specified type (ip or ipv6) is assigned to the subscriber group.

Access lists are evaluated only when a subscriber creates a new connection; assigning or changing an access list does not affect existing connections, so an already established flow keeps running until it ends on its own. With the inside option, the access list is checked for connections initiated by the subscriber (outbound). With the outside option, the access list is checked for connections initiated towards the subscriber from the outside (inbound).

9.5.4. Limits

To prevent a single subscriber from consuming too much of the shared resources, such as public ports or NAT sessions, and thereby degrading the service for every other subscriber that uses the same pool, set per-subscriber limits:

limits port-map-entries (1-536870911)

Set the maximum number of ports a single subscriber can use. Once the limit has been reached and a new port is required, NAT does not allocate any additional ports and drops the traffic of that connection. Existing ports are not affected.

limits port-block-entries (1-536870911)

Set the maximum number of public port blocks a single subscriber can use. Once the limit has been reached and a new port block is required, NAT does not allocate any additional port blocks and drops the traffic of that connection. Existing port blocks are not affected.

limits session-entries (1-536870911)

Set the maximum number of NAT sessions a single subscriber can use. Once the limit has been reached and a new connection is required, NAT does not create a new session and drops the traffic of that connection. Existing connections are not affected.

9.5.5. Show Commands

show <nat|nat64> subscribers [vrf NAME]

Display information on the connected subscribers: internal IP address, number of opened ports (port map entries) and number of sessions.

nfware# show nat subscriber
------------------------------------------------------------
Subscriber          Port Map Entries    Session Entries
------------------------------------------------------------
192.168.96.81        110                 110
192.168.225.203      120                 122
192.168.162.86       9                   9
192.168.254.197      55                  55
192.168.237.222      2                   2
192.168.55.176       37                  41
------------------------------------------------------------
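The per-subscriber counters above are what you compare against the limits from 9.5.4: a subscriber sitting at its port-map or session limit has its new connections dropped, and a subscriber rapidly approaching the limit is usually a scanning or infected host worth a look before it reaches it. The following is an added example and not NFWare code: it parses the text of the show output quoted above (embedded here as a constructed sample) and flags subscribers near or at the limits. The limit values handed to check_limits() are assumptions for the example; in practice they come from the subscriber group's configuration.

```python
"""Added example (not NFWare code): parse `show nat subscribers` output and
flag subscribers close to, or at, the per-subscriber limits from 9.5.4.

A subscriber at `limits port-map-entries` or `limits session-entries` has
its new connections dropped (counted as Port Map Failure Drops), so this is
the check to run before raising a limit or investigating an abusive host.
The limit values passed to check_limits() are assumed; read them from the
subscriber group's configuration in practice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the `show nat subscribers` output quoted on this page.
SAMPLE_OUTPUT = """\
nfware# show nat subscriber
------------------------------------------------------------
Subscriber          Port Map Entries    Session Entries
------------------------------------------------------------
192.168.96.81        110                 110
192.168.225.203      120                 122
192.168.162.86       9                   9
192.168.254.197      55                  55
192.168.237.222      2                   2
192.168.55.176       37                  41
------------------------------------------------------------
"""

# One data row: IPv4 address, port map entries, session entries.
# The prompt, header and separator lines do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class SubscriberUsage:
    address: str
    port_map_entries: int
    session_entries: int


def parse_show_nat_subscribers(text: str) -> list[SubscriberUsage]:
    """Extract one SubscriberUsage per data row of the show output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SubscriberUsage(m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def check_limits(rows, port_map_limit: int, session_limit: int,
                 warn_ratio: float = 0.8):
    """Return (address, limit name, used, limit, state) findings.

    state is "at-limit" when used >= limit (new ports/sessions are refused and
    that traffic is dropped) and "warning" when used >= warn_ratio * limit.
    Usage above the limit is possible: lowering a limit does not affect
    ports or sessions that already exist.
    """
    findings = []
    for r in rows:
        checks = (("port-map-entries", r.port_map_entries, port_map_limit),
                  ("session-entries", r.session_entries, session_limit))
        for name, used, limit in checks:
            if used >= limit:
                findings.append((r.address, name, used, limit, "at-limit"))
            elif used >= warn_ratio * limit:
                findings.append((r.address, name, used, limit, "warning"))
    return findings


if __name__ == "__main__":
    usage = parse_show_nat_subscribers(SAMPLE_OUTPUT)
    # Assumed group configuration: limits port-map-entries 128, limits session-entries 128
    for address, name, used, limit, state in check_limits(usage, 128, 128):
        print(f"{state:8} {address:16} {name} {used}/{limit}")
```

With the assumed limits of 128 ports and 128 sessions, the two busiest subscribers in the sample (192.168.96.81 and 192.168.225.203) are reported as warnings; the remaining four are well below the threshold. Feed the function the real limits of the group, and treat "at-limit" findings as the explanation for a rising Port Map Failure Drops counter on that subscriber.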
show nat64 subscribers X:X::X:X [{counters|vrf NAME}]
show nat subscribers A.B.C.D [{counters|vrf NAME}]

Display the current counters (values at this moment) and the overall counters (accumulated over the whole period of operation) for the specified subscriber.

Current Counters  Description
================  ===============================================================
Ports             The number of currently opened ports
Port Blocks       The number of currently allocated port blocks. A pool
                  configured in Port Block Allocation mode (see the Port Block
                  Allocation section) allocates blocks of ports rather than
                  single ports, for example to reduce the volume of logs
Sessions          The number of currently opened sessions
================  ===============================================================

Overall Counters        Description
======================  =========================================================
Ports opened            The total number of ports opened
Port Blocks allocated   The total number of port blocks allocated
Sessions created        The total number of sessions created
Port Map Failure Drops  The number of drops caused by a failure to create a port
                        mapping (see RFC 7659 for reference). This happens when:

                          • the limit on the number of ports/blocks per
                            subscriber is exceeded,

                          • there are no free ports (taking into account paired
                            limits and pool settings)
======================  =========================================================

show nat subscriber-group NAME <ip|ipv6> dp-access-list <inside|outside>

Display the access list assigned to the subscriber group for the inside or outside direction and the number of times each ACL rule has been matched. Rules that never accumulate hits are a quick way to spot an access list that was assigned in the wrong direction.