9.4. Pools
In order for NAT to provide subscribers with access to the global network, it needs to specify a set of public IP addresses to which the private IP addresses of subscribers will be translated. To do this, you need to create at least one pool, and set at least one IP address range for it. This section describes how to do this, as well as additional features for configuring pools.
Pool Creation
- nat pool NAME
Create a NAME pool and switch to its configuration mode.
All the settings described below are performed in the pool configuration mode.
Adding IP addresses
To begin working with a pool, you need to add at least one range of public IP addresses to it.
- range A.B.C.D A.B.C.D
Two A.B.C.D parameters are used to set the range of IP addresses added to the pool. The first parameter is the first address in the range, the second parameter is the last address in the range. If you need to add only one IP address, use this address as both the first and second parameter, for example, range 203.0.113.1 203.0.113.1.
One pool can contain several ranges, both adjacent and not adjacent to each other by IP address. The number of ranges, as well as their size, is not limited, but the total number of IP addresses in one pool should not exceed 65536.
To delete a range, use the same command with the no prefix. You can delete previously added ranges partially. For example, if you created the range 203.0.113.1 203.0.113.5 range, but you no longer want to use the 203.0.113.2 and 203.0.113.3 addresses in it, you can delete them with no range 203.0.113.2 203.0.113.3. Subscriber sessions that use these addresses will be automatically deleted without any impact on subscribers who use other public IP addresses from this pool. The system will automatically split the pool range into two:
    nat pool default-pool
     range 203.0.113.1 203.0.113.1
     range 203.0.113.4 203.0.113.5
     enable
If you want to return it, type range 203.0.113.2 203.0.113.3 and the system will automatically merge these two pool ranges.
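As an added illustration of the split and merge behaviour described above (example code written for this page, not NFWare's implementation), the following Python model keeps a pool's ranges as sorted, non-overlapping intervals, splits a range when part of it is removed, merges adjacent ranges on re-add, and enforces the documented 65536-address limit. It assumes that adding a range overlapping an existing one is treated as a union; the documentation does not say how the device handles that case.

```python
# Added example for this page (not NFWare code): a model of NAT pool range
# handling with automatic split on partial removal and merge on re-add.
import ipaddress
from typing import List, Tuple

MAX_POOL_ADDRESSES = 65536  # documented per-pool limit


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


class NatPool:
    """Ranges are kept sorted, non-overlapping and merged, as the device does."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ranges: List[Tuple[int, int]] = []

    @staticmethod
    def _merge(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
        # Adjacent (end + 1 == next start) or overlapping ranges collapse into one.
        merged: List[Tuple[int, int]] = []
        for start, end in sorted(ranges):
            if merged and start <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        return merged

    def add_range(self, first: str, last: str) -> None:
        """'range A.B.C.D A.B.C.D': first == last adds a single address."""
        start, end = _to_int(first), _to_int(last)
        if start > end:
            raise ValueError("first address must not be greater than the last")
        candidate = self._merge(self.ranges + [(start, end)])
        total = sum(e - s + 1 for s, e in candidate)
        if total > MAX_POOL_ADDRESSES:
            raise ValueError(f"pool would hold {total} addresses, limit is {MAX_POOL_ADDRESSES}")
        self.ranges = candidate

    def remove_range(self, first: str, last: str) -> None:
        """'no range A.B.C.D A.B.C.D': a partial removal splits the affected range."""
        start, end = _to_int(first), _to_int(last)
        result: List[Tuple[int, int]] = []
        for s, e in self.ranges:
            if e < start or s > end:      # range untouched by the removal
                result.append((s, e))
                continue
            if s < start:                 # keep the head before the removed part
                result.append((s, start - 1))
            if e > end:                   # keep the tail after the removed part
                result.append((end + 1, e))
        self.ranges = result

    def address_count(self) -> int:
        return sum(e - s + 1 for s, e in self.ranges)

    def running_config(self) -> List[str]:
        """Render the pool the way the documentation's config excerpt shows it."""
        lines = [f"nat pool {self.name}"]
        lines += [f" range {_to_str(s)} {_to_str(e)}" for s, e in self.ranges]
        return lines


if __name__ == "__main__":
    pool = NatPool("default-pool")
    pool.add_range("203.0.113.1", "203.0.113.5")
    pool.remove_range("203.0.113.2", "203.0.113.3")   # split into two ranges
    print("\n".join(pool.running_config()))
    pool.add_range("203.0.113.2", "203.0.113.3")      # merged back into one
    print("\n".join(pool.running_config()))
```

Running the script reproduces the two-range configuration from the text after the partial removal and the single merged range after the addresses are returned; the limit check is what stops a pool from growing past 65536 addresses through repeated adds.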
Pool Type Configuration
There are four different types of pools:
- NAPT (default type)
Pools of this type translate both the IP addresses and ports, meaning a single public IP address can be used by many subscribers.
- NAT
Pools of this type translate only the IP addresses, meaning each subscriber is assigned a public IP address, and it can no longer be used by other subscribers. Ports are not translated in this mode.
- Port Block Allocation
This type is used to enable the Port Block Allocation mode, which allows you to reduce the number of messages sent to the logging server. This mode of operation is described in detail in the Port Block Allocation section.
- Deterministic
This type is used to enable the Deterministic NAT mode, which avoids the need to use a logging server. This mode of operation is described in detail in the Deterministic NAT section.
- type <nat|napt|port-block-allocation block-size (64-64512)|deterministic block-size (64-64512)>
Set the pool type. You can change the type only for disabled pools. Enabling and disabling pools is described in the Pool Enable section. For the port-block-allocation and deterministic types the size of the port blocks must be specified.
Address Allocation Modes
Two modes of public IP addresses allocation are supported:
- Paired (default mode)
In this mode, when a subscriber establishes a connection via NAT for the first time, it gets a port on a random public IP address from the pool allocated to this subscriber. This IP address is paired with the subscriber and is used for all its subsequent sessions. This mode can be useful when a subscriber is working with applications that use several connections at the same time and expect that all the connections will be made from a single IP address.
If all the ports of the IP address paired for the subscriber are exhausted, the subscriber won’t be able to establish any new connections, and all packets for such connections will be dropped. For example, this may occur, if one IP address gets paired with too many subscribers. In order to avoid this, you can configure the maximum number of subscribers a single public IP address can be paired with. This setting is described in the Limitations section.
- Arbitrary
In this mode, for each new subscriber connection a port on a random public IP address will be assigned from the pool allocated to this subscriber. A randomly selected address may or may not already have ports allocated to this subscriber.
- pooling (arbitrary|paired)
Set the address allocation mode. You can change the mode only for disabled pools. Enabling and disabling pools is described in the Pool Enable section.
Pool VRF
By default, after NAT translates the packet, this packet is forwarded in the same VRF in which NAT received it. To change the VRF in which the packet is forwarded, use the following command:
- vrf NAME
Configure the VRF in which packets are forwarded after being translated using this pool. Use the no version of this command to return to the default behavior.
Caution: If the interface configured with ip nat inside is in a VRF, the VRF must be specified in the pool even if it is the default VRF.
Pool Enable
- enable
This command enables the pool. After enabling the pool, it will not be possible to change its type and address allocation mode.
If you need to change any of the settings listed above, you need to disable the pool using the no enable command. Before disabling the pool, you need to make sure that:
- the pool is not used by any of the subscriber groups (no pool in the group configuration mode),
- the pool is not used in NAT access lists (no <ip|ipv6> dp-access-list ...),
- the pool is not used in static mappings (no nat static ...).
Otherwise, you will not be able to disable the pool.
Subscriber connections that use this pool will be automatically deleted when it is disabled.
Limitations
When using the paired IP address allocation mode, a situation may occur in which too many subscribers are paired with a single public IP address. This may quickly exhaust all the available ports on this address and make the subscribers unable to create new connections.
In order to avoid this, you can configure the maximum number of subscribers a single public IP address can be paired with.
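The following simulation is an added example, not NFWare code, written for this page to make the paired-mode failure mode (Address Allocation Modes) and the pairing limit (this section) concrete. It models two public IP addresses with a small constructed port count per address (50 instead of 65535) and a hypothetical max_paired_per_ip parameter standing in for the configurable limit. In paired mode a subscriber is bound to one address and is refused once that address has no free ports, even if the other address is idle; in arbitrary mode any address with free ports can be chosen.

```python
# Added example for this page (not NFWare code): a small simulation of the
# paired and arbitrary allocation modes and of a per-address pairing limit.
import random
from typing import Dict, List, Optional


class PoolSim:
    def __init__(self, public_ips: List[str], pooling: str, ports_per_ip: int,
                 max_paired_per_ip: Optional[int] = None, seed: int = 1) -> None:
        if pooling not in ("paired", "arbitrary"):
            raise ValueError("pooling must be 'paired' or 'arbitrary'")
        self.pooling = pooling
        self.ports_per_ip = ports_per_ip            # constructed, far below the real 65535
        self.max_paired_per_ip = max_paired_per_ip  # hypothetical stand-in for the limit
        self.used: Dict[str, int] = {ip: 0 for ip in public_ips}
        self.paired: Dict[str, str] = {}            # subscriber -> bound public IP
        self.pair_count: Dict[str, int] = {ip: 0 for ip in public_ips}
        self.rng = random.Random(seed)              # seeded so runs are repeatable
        self.drops = 0

    def _pick_ip(self, subscriber: str) -> Optional[str]:
        if self.pooling == "arbitrary":
            # Any address with a free port can serve the new session.
            free = [ip for ip, n in self.used.items() if n < self.ports_per_ip]
            return self.rng.choice(free) if free else None
        if subscriber in self.paired:
            # Paired mode: all later sessions stay on the address bound at first use.
            return self.paired[subscriber]
        candidates = list(self.used)
        if self.max_paired_per_ip is not None:
            candidates = [ip for ip in candidates
                          if self.pair_count[ip] < self.max_paired_per_ip]
        if not candidates:
            return None
        ip = self.rng.choice(candidates)
        self.paired[subscriber] = ip
        self.pair_count[ip] += 1
        return ip

    def new_session(self, subscriber: str) -> bool:
        ip = self._pick_ip(subscriber)
        if ip is None or self.used[ip] >= self.ports_per_ip:
            self.drops += 1                         # the packet for this session is dropped
            return False
        self.used[ip] += 1
        return True

    def free_ports(self) -> int:
        return sum(self.ports_per_ip - n for n in self.used.values())


def run(pooling: str, max_paired_per_ip: Optional[int] = None,
        subscribers: int = 4, sessions_each: int = 30, ports_per_ip: int = 50) -> PoolSim:
    """Four subscribers each open 30 sessions against two public addresses (100 ports)."""
    sim = PoolSim(["203.0.113.1", "203.0.113.2"], pooling, ports_per_ip, max_paired_per_ip)
    for _ in range(sessions_each):
        for i in range(subscribers):
            sim.new_session(f"10.0.0.{i + 1}")     # constructed private addresses
    return sim


if __name__ == "__main__":
    for label, sim in (("arbitrary", run("arbitrary")),
                       ("paired, no limit", run("paired")),
                       ("paired, 2 per IP", run("paired", max_paired_per_ip=2))):
        print(f"{label:18s} drops={sim.drops:3d} free ports={sim.free_ports()}")
```

With 120 session attempts against 100 ports, arbitrary mode drops exactly the 20 sessions that no address can hold. Paired mode without a limit can drop more while ports on the other address remain free, because three or four subscribers may be bound to the same address; capping pairings at two per address restores the balanced outcome.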
Resource Usage Thresholds
To automatically monitor pool state, you can configure the upper and lower resource usage thresholds. What exactly is considered a resource depends on the pool type.
- NAPT
For the pools of this type, ports available for allocation on public IP addresses are the resource.
- NAT
State monitoring is not provided for the pools of this type.
- Port Block Allocation
For the pools of this type, port blocks available for allocation on public IP addresses are the resource.
- Deterministic
For the pools of this type, port blocks available for allocation on public IP addresses are the resource.
To get notified when the usage thresholds are exceeded, you need to configure the SNMP traps.
- thresholds low (0-100)
Set a lower threshold as a percentage. If the amount of resources used is below the threshold, the system will generate natv2NotificationPoolUsageLow notifications in accordance with RFC 7659.
- thresholds high (0-100)
Set an upper threshold as a percentage. If the amount of resources used exceeds the threshold, the system will generate natv2NotificationPoolUsageHigh notifications in accordance with RFC 7659.
- thresholds notification-interval <1-3600>
Set the interval, in seconds, between notifications about exceeding the specified resource usage thresholds. By default, notifications are sent every 20 seconds.
Show Commands
- show nat pool
Display all created NAT pools with the ICMP, UDP, TCP, and GRE port usage table.
- show nat pool NAME
If you want to see a particular pool, specify its NAME. For example:
    nfware# show nat pool default-pool
    ----------------------------------
    Protocol    Used    Free        Load
    ----------------------------------
    ICMP        0       8322945     0%
    TCP         0       8322945     0%
    UDP         0       8322945     0%
    GRE         0       8322945     0%
where Free = Number_of_IP_addresses_from_NAT_pool x Number_of_available_ports_(65535).
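To show how the show nat pool output and the threshold settings in the Resource Usage Thresholds section fit together, here is an added example (not NFWare code) that parses the table above, inverts the Free formula to recover the pool's address count from the sample output, and evaluates usage against configured low and high thresholds with notification-interval rate limiting. The sample output is constructed from the table shown above; the rate-limit semantics (one notification per interval while the condition holds, immediate notification again after the condition clears and recurs) are this example's assumption, not a statement from the documentation.

```python
# Added example for this page (not NFWare code): parse the 'show nat pool NAME'
# table and evaluate pool usage against the documented threshold settings.
import re
from typing import Dict, List, Optional, Tuple

PORTS_PER_IP = 65535  # from the documented formula Free = addresses x 65535

# Constructed from the documentation's sample output.
SAMPLE_OUTPUT = """\
nfware# show nat pool default-pool
----------------------------------
Protocol    Used    Free        Load
----------------------------------
ICMP        0       8322945     0%
TCP         0       8322945     0%
UDP         0       8322945     0%
GRE         0       8322945     0%
"""

ROW = re.compile(r"^(ICMP|TCP|UDP|GRE)\s+(\d+)\s+(\d+)\s+(\d+)%$")


def parse_pool_usage(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Return {protocol: (used, free, load_percent)} for each table row."""
    usage: Dict[str, Tuple[int, int, int]] = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            proto, used, free, load = match.groups()
            usage[proto] = (int(used), int(free), int(load))
    return usage


def pool_address_count(used: int, free: int) -> int:
    """Invert Free = N x 65535 to recover the number of addresses in the pool."""
    total = used + free
    if total % PORTS_PER_IP:
        raise ValueError("used + free is not a multiple of 65535")
    return total // PORTS_PER_IP


def load_percent(used: int, free: int) -> int:
    total = used + free
    return 0 if total == 0 else used * 100 // total


class ThresholdMonitor:
    """Models 'thresholds low', 'thresholds high' and 'notification-interval'.

    Assumption of this example: while a threshold condition holds, a
    notification is repeated once per interval; after it clears, the next
    crossing notifies immediately.
    """

    def __init__(self, low: int, high: int, interval: int = 20) -> None:
        self.low, self.high, self.interval = low, high, interval
        self.last_sent: Dict[str, Optional[int]] = {"Low": None, "High": None}

    def evaluate(self, used: int, free: int, now: int) -> List[str]:
        pct = load_percent(used, free)
        conditions = {"Low": pct < self.low, "High": pct > self.high}
        events: List[str] = []
        for name, active in conditions.items():
            if not active:
                self.last_sent[name] = None      # condition cleared
                continue
            last = self.last_sent[name]
            if last is None or now - last >= self.interval:
                events.append(f"natv2NotificationPoolUsage{name}")
                self.last_sent[name] = now
        return events


if __name__ == "__main__":
    usage = parse_pool_usage(SAMPLE_OUTPUT)
    used, free, _ = usage["TCP"]
    print("addresses in pool:", pool_address_count(used, free))
    monitor = ThresholdMonitor(low=10, high=80)
    for t, (u, f) in enumerate([(90, 10), (90, 10), (0, 100)]):
        print(t * 20, monitor.evaluate(u, f, now=t * 20))
```

On the sample output the Free column of 8322945 corresponds to 127 addresses in default-pool (127 x 65535). The monitor is useful for reasoning about what an SNMP receiver should expect: with the default 20-second interval, a pool that stays above the high threshold produces one natv2NotificationPoolUsageHigh every 20 seconds rather than one per poll.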
- show nat pool NAME counters
- clear nat pool NAME counters
Display the Port Map Entries, Creations and Failure Drops counters. Entries is the current value, and Creations is the all-time value.
- show nat pool NAME ip
Display, for all IP addresses in the specified pool, how many ports for ICMP, UDP, TCP, and GRE are in use by each IP address, as a percentage.
- show nat pool NAME ip A.B.C.D
You can also specify the IP address and then see how many ports for each protocol are used, free and loaded (as a percentage).
- show nat pool NAME paired
Display which internal IP address is bound to the external one.