What is the maximum number of CGNAT rules and pools that Versa FlexVNF supports?
For the low-end platforms (4 GB of memory and lower) the limit is 1K rules and pools; for the higher-end platforms it is 4K, and this can potentially be increased further.
What are the different NAT types and the use cases for each?
Basic NAT-44 is 1:1 mapped and requires an equal number of addresses in the rule and the pool. Dynamic NAT-44 is not 1:1 mapped and can have fewer IPs in the pool than in the rule.
With NAPT-44, at least as many private source IPs can be translated to a single public IP as there are ports defined for the NAPT source NAT pool. Additionally, if the connections go to diverse destination IPs, the same port can also be reused (8X). This reuse depends on the entropy of the destination IPs.
Here is a summary of NAT types supported:
• Basic NAT-44: Static 1:1 mapped source NAT that can also be used as an inverse destination translation rule. Can't do port translations.
• DNAT-44: Static 1:1 Dest NAT, can also translate ports.
• Dynamic NAT-44: Dynamic source NAT with IP only translation.
• NAPT-44: Dynamic Source IP and Port translations.
• MAP-E: IPv4 source IP/port translation along with tunneling in IPv6 IPIP MAP-E tunnels.
• Twice Basic NAT-44: Static 1:1 translation of source and destination IPv4 addresses concurrently. No port translation.
• Twice Dynamic NAT-44: Dynamic source IP translation and static Dest IP and port translation (1:1) concurrently.
• Twice Dynamic NAPT-44: Dynamic source IP and port translation, and static Dest IP and port translation (1:1) concurrently.
• NPTv6: Source IPv6 Network prefix translation.
• NAT64: Source and dest IPv6 address translation to IPv4 public addresses along with port translation.
• Static MAP-E: For tunneling an IPv4 LAN over an IPv6 access network to reach the IPv4 public network.
• Dynamic MAP-E (under development): Same as above, but with algorithmic translation of IPs.
What is the maximum number of ports that can be configured in an address pool?
The following port allocation schemes are defined under an address pool:
- automatic: Use all non-reserved ports (63K)
- range-based: Use only user-defined port range
What is the maximum number of CGNAT flows possible?
With one WAN IP (configured with napt-44 and the automatic port selection scheme), Versa FlexVNF can create up to 0.5M NAT flows. This number is based on real traffic towards the Internet. Versa FlexVNF achieves it by reusing a port when the destination is different: traffic is hashed into multiple buckets based on the destination IP, destination port, and protocol, and a port is chosen from the selected bucket. The default number of buckets (cgnat-scale-factor) is 8 and can be increased up to 32 (at the cost of more memory). A scale factor of 1 allows up to 63K flows, 2 allows 126K flows, and so on. Configure the CGNAT scale factor as follows:
system {
    service-options {
        cgnat-scale-factor 16;
    }
}
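As an added illustration, not Versa's own code or documentation, the following Python model shows the bucketed port-reuse scheme described above: flows are hashed on (destination IP, destination port, protocol) into cgnat-scale-factor buckets, each holding its own copy of the automatic port range, so a public port is reusable once per bucket while a low-entropy destination set collapses into a single bucket. The NaptPool class, the fill helper, the SHA-256 bucket hash, the 1024-65535 port range and the 203.0.113.x destinations are all assumptions constructed for this example.

```python
import hashlib

class NaptPool:
    """One NAPT-44 WAN IP whose port space is replicated across `scale_factor`
    buckets (cgnat-scale-factor). Illustrative model only, not Versa's code."""

    def __init__(self, ports=range(1024, 65536), scale_factor=8):
        # "automatic" scheme: ~63K non-reserved ports (1024-65535 is an assumption)
        self.ports = ports
        self.scale_factor = scale_factor      # number of buckets, 1..32
        # every bucket owns an independent free list of the same public ports
        self.free = [list(ports) for _ in range(scale_factor)]

    def bucket(self, dst_ip, dst_port, proto):
        """Bucket is derived from destination IP, port and protocol only."""
        h = hashlib.sha256(f"{dst_ip}|{dst_port}|{proto}".encode()).digest()
        return int.from_bytes(h[:4], "big") % self.scale_factor

    def allocate(self, dst_ip, dst_port, proto):
        """Return (bucket, public_port), or None if that bucket is exhausted.
        A port is handed out at most once per bucket, so flows to different
        destinations may share it (the port reuse described above)."""
        b = self.bucket(dst_ip, dst_port, proto)
        if not self.free[b]:
            return None
        return b, self.free[b].pop()

    @property
    def capacity(self):
        """Best-case flows per WAN IP: ports x cgnat-scale-factor."""
        return len(self.ports) * self.scale_factor

def fill(pool, destinations):
    """Allocate flows round-robin over `destinations` until a full pass
    yields nothing; return how many flows fit. The total only reaches
    pool.capacity when the destinations land in every bucket."""
    total = 0
    while True:
        got = sum(pool.allocate(*d) is not None for d in destinations)
        if got == 0:
            return total
        total += got

if __name__ == "__main__":
    small = range(1, 101)  # shrunk port range so the demo runs instantly
    diverse = [(f"203.0.113.{i}", 443, "tcp") for i in range(64)]  # constructed
    print("63K ports x 8 buckets =", NaptPool().capacity)            # 516096, ~0.5M
    print("64 destinations:", fill(NaptPool(small, 8), diverse))
    print("1 destination  :", fill(NaptPool(small, 8), diverse[:1]))  # 100: one bucket
```

Running it with the full port range and many destinations takes a few seconds in pure Python; the shrunk range is enough to see that capacity scales with the number of buckets the traffic actually reaches, not with the configured scale factor alone.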
When should precedence be configured under a rule?
Precedence should be configured in a NAT rule to break the tie between overlapping rules when one rule needs to match before the others. All rules have a default precedence value of "1". A rule with a higher precedence matches before the other rules. The following example demonstrates when to configure precedence: Rule2 matches first because it has a higher precedence, so packets from the 192.168.130.16/28 subnet are NATted using DIA_POOL.
root@gotham-cli(config)% show orgs org-services Customer1 cgnat rules
Rule1 {
    from {
        routing-instance riCustomer1;
        source-address [ 192.168.130.0/24 ];
    }
    then {
        translated {
            translation-type basic-nat-44;
            source-pool MPLS_POOL;
        }
    }
}
Rule2 {
    from {
        precedence 15;
        routing-instance riCustomer1;
        source-address [ 192.168.130.16/28 ];
    }
    then {
        translated {
            translation-type basic-nat-44;
            source-pool DIA_POOL;
        }
    }
}
How can I configure timeouts for NAT sessions?
By default, NAT sessions follow the global idle session timeouts, which are configured under the system/session container.
[edit]
root@gotham-cli(config)% show | compare
system {
    session {
        timeout-udp 30;
        timeout-tcp 240;
        timeout-icmp 10;
    }
}
NAT provides the option to override these values for sessions that use a particular pool: the ICMP, UDP, and TCP mapping timeouts configured on the pool take precedence over the global defaults.
root@gotham-cli(config)% show orgs org-services Customer1 cgnat pools | details
Customer1_SNAT_Pool {
    address [ 102.74.68.0/24 ];
    icmp-mapping-timeout 60;
    udp-mapping-timeout 60;
    tcp-mapping-timeout 360;
}