9.12. Deterministic NAT
This mode of operation is implemented in accordance with RFC 7422 and eliminates the need for logging subscriber connections: the mapping between a subscriber and its external address and port block follows from the configuration alone and can be reconstructed at any time.
As in the Port Block Allocation mode, NAT allocates port blocks to subscribers in this mode. The difference is that the port blocks are allocated algorithmically when the configuration is applied, instead of being allocated randomly when they are needed. Therefore, you need to plan the correspondence between the subscriber addresses and the external port blocks in advance.
NAT supports the Sequential port block allocation mode:
- reserved ports 1-1023 are not used,
- the remaining ports (1024-65535) are divided into blocks according to the size specified in the pool configuration,
- the first block is assigned to the first subscriber, the second block is assigned to the second one, etc.
The network address and the broadcast address are also considered subscribers, so their own blocks are allocated to them.
Note
When using this mode, you do not have information about the destination addresses of subscriber connections. If you need to store the destination addresses, this mode of operation will not suit you.
Block Allocation
Let's say you have 14 subscribers in the network 100.64.0.0/28. Taking into account the network address and the broadcast address, you need 16 blocks.
In the pool, you have two external IP addresses, 203.0.113.1 - 203.0.113.2. Minus the reserved ones, 64512 ports are available on each IP address.
Since each external address has to serve 8 of the 16 blocks, you can allocate 8064 ports (64512 / 8) to each subscriber:
Inside Address | Outside Address & Port
---|---
100.64.0.0 | 203.0.113.1:1024-9087
100.64.0.1 | 203.0.113.1:9088-17151
100.64.0.2 | 203.0.113.1:17152-25215
100.64.0.3 | 203.0.113.1:25216-33279
100.64.0.4 | 203.0.113.1:33280-41343
100.64.0.5 | 203.0.113.1:41344-49407
100.64.0.6 | 203.0.113.1:49408-57471
100.64.0.7 | 203.0.113.1:57472-65535
100.64.0.8 | 203.0.113.2:1024-9087
100.64.0.9 | 203.0.113.2:9088-17151
100.64.0.10 | 203.0.113.2:17152-25215
100.64.0.11 | 203.0.113.2:25216-33279
100.64.0.12 | 203.0.113.2:33280-41343
100.64.0.13 | 203.0.113.2:41344-49407
100.64.0.14 | 203.0.113.2:49408-57471
100.64.0.15 | 203.0.113.2:57472-65535
Configuration
To configure the NAT according to the example above, do the following:
- Create a deterministic pool with a block size of 8064:
nat pool deterministic-pool range 203.0.113.1 203.0.113.2 type deterministic block-size 8064 enable
These commands are described in detail in the Pools section.
- Create a subscriber group and configure it to use this pool:
nat subscriber-group deterministic-group pool deterministic-pool
These commands are described in detail in the Subscriber Groups section.
- Create a NAT rule for the subnet 100.64.0.0/28:
nat rule subnet 100.64.0.0/28 subscriber-group deterministic-group
This command is described in detail in the Rules section.
Check
To check the resulting correspondence table, use the following command:
- show nat rule subnet A.B.C.D/M [vrf NAME]
- show nat64 rule subnet X:X::X:X/M [vrf NAME]
For example, for the above configuration the result would be:
nfware# show nat rule subnet 100.64.0.0/28
----------------------------------------
Subscriber Block
----------------------------------------
100.64.0.0 203.0.113.1:1024-9087
100.64.0.1 203.0.113.1:9088-17151
100.64.0.2 203.0.113.1:17152-25215
100.64.0.3 203.0.113.1:25216-33279
100.64.0.4 203.0.113.1:33280-41343
100.64.0.5 203.0.113.1:41344-49407
100.64.0.6 203.0.113.1:49408-57471
100.64.0.7 203.0.113.1:57472-65535
100.64.0.8 203.0.113.2:1024-9087
100.64.0.9 203.0.113.2:9088-17151
100.64.0.10 203.0.113.2:17152-25215
100.64.0.11 203.0.113.2:25216-33279
100.64.0.12 203.0.113.2:33280-41343
100.64.0.13 203.0.113.2:41344-49407
100.64.0.14 203.0.113.2:49408-57471
100.64.0.15 203.0.113.2:57472-65535
----------------------------------------