Carrier Grade NAT44 on IOS-XR Deployment Experience
- Solomon Turner
- 8 years ago
2 Carrier Grade NAT44 on IOS-XR Deployment Experience Nicolas Fevrier Rajendra Chayapathi Syed Hassan
3 Agenda: Introduction; NAT Principles and Mechanisms; Bulk-Port Allocation; Port limit; Static Port Forwarding; ALG; Logging; Hardware; Deployment feedback; Routing consideration and Best Practices; Redundancy
4 INTRODUCTION
5 Introduction Do you think CGN is evil? Yes, but it's a necessary one: IPv4 address exhaustion. End-to-end IPv6 traffic, are you ready? The same cards can be used for NAT44 but also for a smooth transition to IPv6. Let's jump directly into the deep end
6 Facts About IPv4 Shortage LIRs are allocating their last blocks. On 14 September 2012, the RIPE NCC started allocating from the last /8 of IPv4 addresses received from IANA. The IPv4 grey/black market is flourishing
7 Cisco's Strategy: 3 Pillars Cisco's strategy relies on three pillars. Preserve (Business Continuity): NAT44 / CGN, optimize the IPv4 resource and allow growth. Prepare (Encourage Adoption): offer IPv6 to the customers; 6rd transports IPv6 on top of an IPv4 infrastructure. Prosper (Interworking): DS-Lite and MAP-T/E transport the remaining IPv4 traffic on top of an IPv6 backbone; NAT64 translates to IPv4 at the border. Among IOS-XR products, the ISM and VSM (ASR9000) and CGSE and CGSE+ (CRS) cards are the tools used to build these three pillars.
8 Vocabulary i2o / o2i: inside to outside / outside to inside. NAT/NAPT: Network Address (and Port) Translation. CGx: carrier grade (CGN: Carrier Grade NAT). LSN: Large Scale NAT. ALG: Application Layer Gateway. GRT: Global Routing Table. SL/SF: Stateless/Stateful
9 Translation Protocols Illustrated: Stateful vs Stateless. Example: we have 16 public addresses. Stateless translation: 1 external IP : 1 internal IP, no multiplexing, no DB needed. Stateful translation: 1 external IP : n internal IPs, multiplexing, a DB to maintain
10 Stateless vs Stateful. Stateless: 1:1 translation; i2o and o2i initiated sessions are treated equally; allows asymmetrical traffic; better convergence time; potential inline implementation; no logging required; protocols: NAT64SL, 6rd, MAP-T. Stateful: 1:n translation (port multiplexing); needs translation DB maintenance; logging scalability can be an issue; needs static port forwarding or PCP to accept o2i initiated sessions; may need ALGs; in case of failover, sessions must be re-established on a new device; protocols: NAT44, NAT64SF, DS-Lite
11 NAT44 Introduction Preserve the investment: buy time to prepare the migration to IPv6. Not the solution, but it meets the vast majority of users' current needs. NAT vs NAPT. Defined since 2001 (RFC3022, RFC4787, RFC5382, RFC5508). Unicast TCP/UDP/ICMP. Stateful. Permits multiplexing: several internal hosts use the same external address, maximizing the IPv4 resource. ALGs
12 NAT44 Overview [diagram: IPv4 traffic with a source address crosses the IPv4 Backbone, is translated by the CGN to an outside address and exits to the IPv4 Internet] Stateful translation protocol from an IPv4 space to another IPv4 space; either IPv4 space may be public or private. Usually from private (RFC1918) to public, but not necessarily. Translation table or database (DB) maintained on the CGN card
13 NAT444 or Double NAT44 [diagram: CPE, IPv4 Backbone, CGN, IPv4 Internet; source address, outside address, translated address] Double-step stateful translation: at CPE level, between the home network and the ISP access network; at CGN level, between the ISP network and the public address network. From the CGN perspective, NAT44 = NAT444
14 NAT PRINCIPLES and MECHANISMS
15 NAT Mechanisms [diagram: Inside VRF, NAT Engine, Outside VRF] The web client sends source :2493, destination :80; after translation, source :8442, destination :80 reaches the web server. The translation table entry (:2493 to :8442) is logged to the collector as a Syslog or Netflow record. Return traffic (source :80, destination :8442) is translated back to source :80, destination :2493
16 NAT Principles: EIM/EIF vs EDM/EDF. EIM: End-point Independent Mapping; the destination address and port of i2o traffic are not tracked. If there are multiple destinations but the source address and port are the same, no other entry is created. Sometimes referred to as full cone NAT. [diagram: inside X:4828 to destinations A:80 and B:80, mapped to outside Y:1430 with destination *] EDM: End-point Dependent Mapping; the opposite of EIM, destination info is maintained in the DB
17 NAT Principles: EIM/EIF vs EDM/EDF. EIF: End-point Independent Filtering; once an entry is present in the table, the source address/port of o2i traffic is not verified; better scalability and wider application support. EDF: End-point Dependent Filtering; the opposite of EIF, the source address of o2i traffic is checked against the entry. Required in some situations: bill shock effect (with EIF, any outside host can push traffic at a subscriber's mapped port once it exists). [diagram: o2i packets from A:80, B:4234 and C:80 to Y:1430; inside X:4828 with destination *]
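The four behaviours above decide which unsolicited outside-to-inside packets a CGN lets through, which is the whole security point of EDF. The following is an added example, not code from the deck or from Cisco: a toy translation table that can be run with EIM or EDM mapping and EIF or EDF filtering. The inside host, the pool address and the outside peers are constructed.

```python
"""Endpoint-independent vs endpoint-dependent mapping and filtering.

Added example, not from the slide deck: a toy NAT table that can be run
with the RFC 4787 behaviours named above (EIM/EDM mapping, EIF/EDF
filtering) to see which outside-to-inside (o2i) packets are accepted.
Addresses, ports and the pool address are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


@dataclass
class ToyNat:
    mapping: str = "EIM"    # "EIM" or "EDM"
    filtering: str = "EIF"  # "EIF" or "EDF"
    pool_ip: str = "203.0.113.10"   # constructed outside address
    bindings: dict = field(default_factory=dict)  # key -> outside (ip, port)
    peers: dict = field(default_factory=dict)     # outside (ip, port) -> remote endpoints seen on i2o
    _next_port: int = 10000

    def _alloc(self):
        # Toy allocation: hand out sequential ports from one outside address.
        self._next_port += 1
        return (self.pool_ip, self._next_port)

    def i2o(self, pkt):
        """Inside->outside: create the binding if needed, return the translated packet."""
        # EIM keys the binding on the inside endpoint only; EDM also on the destination.
        key = pkt.src if self.mapping == "EIM" else (pkt.src, pkt.dst)
        if key not in self.bindings:
            self.bindings[key] = self._alloc()
        ext = self.bindings[key]
        self.peers.setdefault(ext, set()).add(pkt.dst)
        return Pkt(src=ext, dst=pkt.dst)

    def o2i(self, pkt):
        """Outside->inside: accept only with existing state, and under EDF only from a known peer."""
        if pkt.dst not in self.peers:
            return None  # no binding for this outside ip:port -> dropped
        if self.filtering == "EDF" and pkt.src not in self.peers[pkt.dst]:
            return None  # EDF: remote endpoint never contacted from inside -> dropped
        for key, ext in self.bindings.items():
            if ext == pkt.dst:
                inside = key if self.mapping == "EIM" else key[0]
                return Pkt(src=pkt.src, dst=inside)
        return None


def run_scenario(mapping, filtering):
    """Inside host X contacts A:80 and B:80, then an unsolicited C:80 packet arrives.

    Returns (number of bindings created, A and B saw the same outside port,
    unsolicited packet from C accepted).
    """
    nat = ToyNat(mapping=mapping, filtering=filtering)
    x = ("10.0.0.5", 4828)
    via_a = nat.i2o(Pkt(x, ("198.51.100.1", 80)))
    via_b = nat.i2o(Pkt(x, ("198.51.100.2", 80)))
    unsolicited = nat.o2i(Pkt(("198.51.100.3", 80), via_a.src))
    return len(nat.bindings), via_a.src == via_b.src, unsolicited is not None


if __name__ == "__main__":
    for m, f in (("EIM", "EIF"), ("EIM", "EDF"), ("EDM", "EDF")):
        print(m, f, run_scenario(m, f))
```

Running the three combinations shows the trade-off the slides describe: EIM/EIF keeps one entry for X and accepts the packet from C (the bill-shock case), EIM/EDF keeps the same single entry but drops C, and EDM/EDF needs one entry per destination and drops C as well.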
18 NAT Principles: Paired IP Address Assignment. The same external IP address mapping is used for all sessions associated with the same internal IP address (RFC4787). Port parity is preserved: each inside odd port is mapped to an outside odd port number and each inside even port to an outside even port number. [table: inside A:10302, A:11238, A:10985 map to outside X:2104, X:23342, X:48271; inside B:1045, B:1491, B:1228 map to outside Y:29301, Y:43017, Y:1024]
19 NAT Principles: Hair Pinning. Two endpoints on the inside of the NAT can communicate with each other using the external NAT IPv4 addresses and ports. [diagram: inside X:2104 and Y:11003, outside A:10302 and B:11237]
20 NAT Principles: Address Allocation. First flow per inside source address: the CGN picks an outside address that has at least 1/3 of its ports free. All subsequent flows from that inside source use the same outside address. [diagram: NAT with outside addresses IP1 to IP8, used and free ports]
21 NAT Principles: Address Allocation. If that outside address is completely exhausted, a random selection is made from the remaining addresses, repeated until an address is chosen or it is determined that none are available (which results in an ICMP error message). [diagram: NAT with IP1 to IP8, used and free ports; ICMP error when none is available]
22 NAT Principles: Port Allocation. Ports are randomly picked from the list of available (unused) ports associated with the chosen outside IP address. Each port is allocated once, regardless of which L4 protocol (UDP, TCP) is used in the flow. The CGN creates a translation binding (state) between inside source IP address + port and outside source IP address + port. [diagram: inside IPa:2104 mapped to outside IP1:10302]
23 NAT Principles: Port Allocation. If the randomly chosen port is already in use, the selection increments (around a ring) until an available port is found; if none is available, an ICMP error message is sent. If the inside source already has a number of flows equal to the configured per-user limit, the allocation is rejected and an ICMP message is returned. [diagram: port-limit=8; inside IPa:Pa to IPa:Ph mapped to IP1:P1 to IP1:P8; a ninth flow IPa:Pi gets an ICMP error]
24 Algorithm-based / Predefined NAT. Often referred to as Deterministic NAT, coming in future releases. The opposite approach to the random allocation mechanisms described before: it allows a predictable mapping of source addresses/ports between the inside and outside world. Based on an algorithm, each internal address is allocated an external address and port range. Predefined NAT is still stateful (translations are still stored in the DB). Main benefit: logging is no longer necessary (but will still be possible). Main flaw: sub-optimal address allocation; addresses and port ranges are allocated regardless of the presence or usage of the internal users. To meet the requirements of certain ALGs, it will be necessary to allocate contiguous ports. The SDNAT (stateless) draft has been discontinued
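Slides 20 to 23 describe a complete allocation procedure: address selection with the 1/3-free rule, pairing, random port with a ring walk, and the two ICMP-error outcomes. The following simulation is an added example (not Cisco's implementation) that puts the rules together so the interplay between pool size and port-limit can be tried out; the pool, the tiny port range and the limits are constructed parameters chosen to make exhaustion visible.

```python
"""Outside address and port allocation following the rules on the slides.

Added example, not Cisco code: simulates picking an outside address with at
least a third of its ports free for a new inside source, pairing that address
with the source for later flows, picking ports at random and walking a ring
when the chosen port is busy, and the two ICMP-error cases (pool exhausted,
per-user port limit reached). Pool, port range and limits are constructed.
"""
import random


class CgnAllocator:
    def __init__(self, pool, port_limit=100, port_range=(1024, 65535), seed=0):
        self.rng = random.Random(seed)       # seeded so the run is reproducible
        self.pool = list(pool)
        self.lo, self.hi = port_range
        self.nports = self.hi - self.lo + 1
        self.used = {ip: set() for ip in self.pool}  # outside ip -> ports in use
        self.user_addr = {}                          # inside ip -> paired outside ip
        self.user_ports = {}                         # inside ip -> ports held
        self.port_limit = port_limit

    def _free(self, ip):
        return self.nports - len(self.used[ip])

    def _pick_address(self):
        # Preferred: an address with at least 1/3 of its ports free.
        for ip in self.pool:
            if self._free(ip) * 3 >= self.nports:
                return ip
        # Otherwise a random pick among addresses that still have any port.
        candidates = [ip for ip in self.pool if self._free(ip) > 0]
        return self.rng.choice(candidates) if candidates else None

    def _pick_port(self, ip):
        # Random start, then walk the ring until a free port shows up.
        start = self.rng.randint(self.lo, self.hi)
        for i in range(self.nports):
            port = self.lo + (start - self.lo + i) % self.nports
            if port not in self.used[ip]:
                return port
        return None

    def allocate(self, inside_ip):
        """Return (outside_ip, outside_port), or an 'ICMP error: ...' string."""
        if self.user_ports.get(inside_ip, 0) >= self.port_limit:
            return "ICMP error: port-limit exceeded"
        ip = self.user_addr.get(inside_ip)
        if ip is None or self._free(ip) == 0:
            # First flow of this source, or its paired address is exhausted.
            ip = self._pick_address()
            if ip is None:
                return "ICMP error: pool exhausted"
            self.user_addr[inside_ip] = ip
        port = self._pick_port(ip)
        self.used[ip].add(port)
        self.user_ports[inside_ip] = self.user_ports.get(inside_ip, 0) + 1
        return (ip, port)

    def release(self, inside_ip, binding):
        """Return a port to the pool when the translation times out."""
        ip, port = binding
        self.used[ip].discard(port)
        self.user_ports[inside_ip] = max(0, self.user_ports.get(inside_ip, 0) - 1)


if __name__ == "__main__":
    cgn = CgnAllocator(["203.0.113.1", "203.0.113.2"], port_limit=4, port_range=(1024, 1031), seed=1)
    for _ in range(5):
        print("10.0.0.1 ->", cgn.allocate("10.0.0.1"))
```

With two outside addresses of eight ports each, four subscribers with a port-limit of 4 fill the pool exactly; the fifth subscriber gets the pool-exhausted error until a port is released, and a fifth flow from any one subscriber gets the port-limit error regardless of pool state.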
25 BULK PORT ALLOCATION
26 Bulk Port Allocation Aims at reducing the data generated by logging. Bulk port allocation behaviour: a subscriber creates the first connection; N contiguous ports are pre-allocated (e.g. 2064 to 2079 if N=16); a bulk-allocation message (NFv9 and/or syslog) is logged for the port range; additional connections (up to N) use one of the pre-allocated ports; a new block is allocated if the subscriber creates more than N concurrent connections; a bulk-delete message is logged when the subscriber terminates all sessions from the pre-allocated block. [diagram: NAT with outside IP1, logging record to the Syslog/Netflow collector]
27 Bulk Port Allocation When the bulk size is changed, all current dynamic translations are deleted. Ports below the dynamic start range (< 1024) are not allocated to bulks. The bulk size can take one of the following values: 16, 32, 64, 128, 256, 512, 1024, 2048, 4096 (8 as well in IOS XR 4.3.1), within port-limit / 4 <= bulk-port-alloc <= port-limit x 2. Recommendation: the closest value to half the port-limit. Orthogonal with Destination Based Logging: the two can NOT be configured together. Port range allocation is random; the ranges in the following examples were picked for the sake of simplicity only
28 BPA Illustrated Example, Bulk=16 [diagram: IPv4 traffic from the inside source address through the NAT/CGN to the IPv4 Internet, outside address taken from the pool]
29 BPA Illustrated Example, Bulk=16 [diagram: three packets from the inside host to destination port 80 on the IPv4 Internet]
30 BPA Illustrated Example, Bulk=16 [diagram: two further packets from the inside host to destination port 80]
31 BPA Illustrated Example, Bulk=16 The same rules for init and active timeout apply to bulk ports. BPA=16 can reduce the logging volume MUCH more than by a factor of 16
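The "much more than by 16" claim on the previous slide follows from the block being logged once per allocation and once per release, not per session. The following replay is an added example (not the deck's or Cisco's code) that counts records for a burst of sessions and for a subscriber that keeps one session open at all times; the session sequences are constructed, and blocks are handed out sequentially from 1024 for readability, whereas the slides say the range is picked at random.

```python
"""Log volume with per-session logging versus Bulk Port Allocation (BPA).

Added example, not from the deck: a subscriber's sessions are replayed through
a block allocator that hands out N contiguous ports per block (from the
dynamic range at or above 1024, blocks taken sequentially here for clarity,
whereas the slides say the range is picked at random) and logs one record
per block allocation and per block release. The session sequences are
constructed.
"""

DYN_START = 1024


class BpaSubscriber:
    def __init__(self, bulk):
        self.bulk = bulk
        self.blocks = {}        # block base port -> set of ports in use
        self.next_base = DYN_START
        self.log = []           # emitted records, in order
        self.sessions = {}      # session id -> outside port

    def open(self, sid):
        """Allocate a port for a new session, taking a new block only when all are full."""
        for base, in_use in self.blocks.items():
            if len(in_use) < self.bulk:
                break
        else:
            base = self.next_base
            self.next_base += self.bulk
            in_use = self.blocks[base] = set()
            self.log.append(("bulk-alloc", base, base + self.bulk - 1))
        port = next(p for p in range(base, base + self.bulk) if p not in in_use)
        in_use.add(port)
        self.sessions[sid] = port
        return port

    def close(self, sid):
        """Free the session's port; the block is released and logged only when empty."""
        port = self.sessions.pop(sid)
        base = DYN_START + ((port - DYN_START) // self.bulk) * self.bulk
        in_use = self.blocks[base]
        in_use.discard(port)
        if not in_use:
            del self.blocks[base]
            self.log.append(("bulk-delete", base, base + self.bulk - 1))


def per_session_records(events):
    """Without BPA, every session open and every close is one log record."""
    return len(events)


def bpa_records(events, bulk):
    """Replay (kind, session_id) events through BPA; return (record count, subscriber)."""
    sub = BpaSubscriber(bulk)
    for kind, sid in events:
        sub.open(sid) if kind == "open" else sub.close(sid)
    return len(sub.log), sub


# Constructed scenarios: a burst of 40 sessions opened then closed, and a
# subscriber whose session 0 never closes while 39 others come and go.
BURST = [("open", i) for i in range(40)] + [("close", i) for i in range(40)]
ALWAYS_ON = [("open", 0)] + [ev for i in range(1, 40) for ev in (("open", i), ("close", i))]

if __name__ == "__main__":
    print("burst:", per_session_records(BURST), "records per-session vs", bpa_records(BURST, 16)[0], "with BPA=16")
    n, sub = bpa_records(ALWAYS_ON, 16)
    print("always-on:", per_session_records(ALWAYS_ON), "vs", n, "; blocks still held:", len(sub.blocks))
```

The burst drops from 80 records to 6 (three allocations, three deletes). The always-on subscriber produces a single record and its block is never released, which is exactly the NAT444 situation the next slide describes.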
32 Bulk Port Allocation With NAT444, it's very likely that at least one device is connected behind the CPE at any given time. Consequently, the logging for the port allocation is generated once and the port block is never de-allocated, or de-allocated many weeks or months later. It's exactly what the protocol is supposed to do, but it creates some issues: a potential issue with the logging collector/correlator, and a security issue, since one CPE always uses the same port range, which narrows the search space for an attacker targeting that subscriber. Workaround: reduce the DHCP lease time to re-assign a different IP to the CPE every couple of weeks.
33 Bulk Port Allocation: Configuration The config parser enforces the selection respecting 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096 and port-limit / 4 <= bulk-port-alloc <= port-limit x 2. Recommendation: the closest value to half the port-limit.
service cgn POC-1
 service-type nat44 nat44-1
  inside-vrf Inside-1
   bulk-port-alloc size 256
34 PORT LIMIT
35 Per-user Port Limit For stateful translation protocols (NAT44, NAT64SF, DS-Lite), each user can be assigned a maximum number of ports. It prevents a single user from consuming all port resources. [diagram: port-limit=8; inside IPa:Pa to IPa:Ph mapped to outside IP1:P1 to IP1:P8; IPa:Pi is refused]
36 Per-user Port Limit The port-limit can be defined per protocol, but also per VRF, which allows different treatment for different types of customers. Finding the proper port-limit is a very tricky exercise: no simple rule of thumb; different for each type of customer (ADSL, Mobile, Cable, Enterprise); different for each theater (Asia, Europe, Russia, Americas). Scripts can be used to collect average and maximum port usage
37 Per-user Port Limit on CGSE Exceeding the port limit triggers a syslog message: [Portblockrunout ivrf ] where Portblockrunout is the event name signifying the port-limit hit event, 17 means it was hit by a UDP packet requesting the translation, the next field is the subscriber's private IP, ivrf is the name of the inside VRF and 2005 is the private port number. These messages are throttled: once the message has been reported for a subscriber, it is not repeated for that subscriber until its usage goes below 70% of the max limit and then goes up again and hits the port limit. Can be used to quickly identify users consuming a lot of ports
38 Configuring Port-Limit It's a safety net preventing one user from using all resources. For stateful translation protocols each user can be assigned a maximum number of ports. NAT44 and NAT64SF use the keyword portlimit. Every value between 1 and 65535 can be used; the default is 100. Defined per protocol or globally since
service cgn demo
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat44-1
  portlimit 512
  inside-vrf ivrf1
   portlimit 256
  inside-vrf ivrf2
  !
 !
39 STATIC PORT FORWARDING and PCP
40 Session Initiated From the Outside? [diagram: map pool /24, CGN between the inside and the IPv4 Internet; NAT DB with columns Inside, Outside, TCP state] With stateful translation mechanisms, traffic initiated from the outside is discarded: there is no entry in the NAT DB, so o2i packets are dropped. Static Port Forwarding or the Port Control Protocol is necessary
41 Static Port Forwarding [diagram: map pool /24, CGN, IPv4 Internet] Static port forwarding creates an entry in the NAT DB (translation type static, inside :80 mapped to outside :80).
service cgn demo
 service-type nat44 nat1
  inside-vrf insidevrf1
   protocol tcp static-forward inside address port entries max
42 Verifying Static-Port-Forwarding The external address is picked by the system, not by the user (based on a hash of the inside address).
RP/0/RP0/CPU0:R#sh cgn demo inside-translation protocol tcp inside-vrf Inside inside-address port s e
Inside-translation details
CGN instance : demo
Inside-VRF : Inside
Columns: Inside Address | Inside Source Port | Outside Address | Outside Source Port | Protocol | Translation Type | Inside to Outside Packets | Outside to Inside Packets
Entry: tcp, translation type static, 0 inside-to-outside packets, 0 outside-to-inside packets
RP/0/RP0/CPU0:R#
43 Port Control Protocol [diagram: PCP client on the private network, map pool /24, CGN with the PCP server, host on the public network] PCP allows applications to create mappings from an external IP address+proto+port to an internal IP address+proto+port. The PCP server is a software instance via which clients request and manage explicit mappings. The PCP client issues requests to a server; a PCP client can issue PCP requests on behalf of a third-party device. A PCP request is transported in a UDP (v4/v6) packet with destination port 5351. Supported on CGSE cards for NAT44, NAT64 and DS-Lite
44 Port Control Protocol [diagram: map pool /24, CGN, IPv4 Internet] 1: MAP request for TCP 80. 2: MAP response, result 0 SUCCESS; the NAT DB now holds an entry inside :80 to outside :80 of type pcp_explicit. 3: traffic flows through that entry. 4: FIN or RST ends the TCP session; the pcp_explicit entry stays in the DB
45 Port Control Protocol [diagram: PCP request/response, map pool /24, CGN, IPv4 Internet; an existing dynamic entry already uses outside :80] 1: MAP request for TCP 80. 2: MAP response, result 11 CANNOT_PROVIDE_EXTERNAL, available external port: 84. Other result codes could be: 1 UNSUPP_VERSION, 2 NOT_AUTHORIZED, 3 MALFORMED_REQUEST, 4 UNSUPP_OPCODE, 5 UNSUPP_OPTION, 6 MALFORMED_OPTION, 7 NETWORK_FAILURE, 8 NO_RESOURCES, 9 UNSUPP_PROTOCOL, 10 USER_EX_QUOTA, 11 CANNOT_PROVIDE_EXTERNAL, 12 ADDRESS_MISMATCH, 13 EXCESSIVE_REMOTE_PEERS
46 Port Control Protocol [diagram: map pool /24, CGN, IPv4 Internet] 1: PEER request for TCP 80. 2: PEER response, result 0 SUCCESS; the NAT DB holds an entry inside :80 to outside :80 of type pcp_implicit. 3: traffic flows through it. 4: FIN or RST. 5: the DB entry is removed
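The MAP exchanges on slides 44 and 45 are easier to reason about with the bytes in hand. The following is an added example, not from the deck: it builds the RFC 6887 MAP request a client behind the CGN sends to UDP 5351, builds the server's response (including the CANNOT_PROVIDE_EXTERNAL case with a different assigned port) and parses it, checking the nonce so a stray or spoofed response cannot be mistaken for the answer to our request. Addresses, ports and the nonce are constructed; the result-code names are the ones listed on slide 45.

```python
"""PCP (RFC 6887) MAP request and response, as an added example.

Not from the slides: builds the MAP request a client behind the CGN would
send to UDP 5351 and parses the server's response, mapping result codes to
the names listed on the slide. Addresses, nonce and ports are constructed.
"""
import ipaddress
import os
import struct

PCP_PORT = 5351
OP_MAP, OP_PEER = 1, 2
RESULT_CODES = {
    0: "SUCCESS", 1: "UNSUPP_VERSION", 2: "NOT_AUTHORIZED", 3: "MALFORMED_REQUEST",
    4: "UNSUPP_OPCODE", 5: "UNSUPP_OPTION", 6: "MALFORMED_OPTION", 7: "NETWORK_FAILURE",
    8: "NO_RESOURCES", 9: "UNSUPP_PROTOCOL", 10: "USER_EX_QUOTA",
    11: "CANNOT_PROVIDE_EXTERNAL", 12: "ADDRESS_MISMATCH", 13: "EXCESSIVE_REMOTE_PEERS",
}


def _ip16(addr):
    """PCP carries every address as 16 bytes; IPv4 goes as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    return ip.packed


def _ip_from16(raw):
    ip = ipaddress.IPv6Address(raw)
    return str(ip.ipv4_mapped or ip)


def build_map_request(client_ip, proto, internal_port, suggested_port=0,
                      suggested_ip="::", lifetime=3600, nonce=None):
    """Client side: 24-byte common header followed by the 36-byte MAP opcode body."""
    nonce = nonce or os.urandom(12)
    # version 2, R=0 | opcode, reserved, requested lifetime, client IP
    hdr = struct.pack("!BBHI", 2, OP_MAP, 0, lifetime) + _ip16(client_ip)
    # nonce(12) protocol(1) reserved(3) internal port(2) suggested external port(2) suggested IP(16)
    body = nonce + struct.pack("!B3xHH", proto, internal_port, suggested_port) + _ip16(suggested_ip)
    return hdr + body


def build_map_response(request, result, lifetime, ext_ip, ext_port, epoch=1):
    """Server side: echo the request's opcode, nonce, protocol and internal port."""
    opcode = request[1] & 0x7F
    nonce = request[24:36]
    proto, int_port = struct.unpack("!B3xH", request[36:42])
    # version, R=1 | opcode, reserved, result code, lifetime, epoch time, 12 reserved bytes
    hdr = struct.pack("!BBBBII12x", 2, 0x80 | opcode, 0, result, lifetime, epoch)
    body = nonce + struct.pack("!B3xHH", proto, int_port, ext_port) + _ip16(ext_ip)
    return hdr + body


def parse_map_response(data, sent_request):
    """Validate a response against the request we sent and decode it."""
    if len(data) < 60 or data[0] != 2 or not data[1] & 0x80:
        raise ValueError("not a PCP v2 response")
    result, lifetime, epoch = struct.unpack("!BII", data[3:12])
    if data[24:36] != sent_request[24:36]:
        raise ValueError("nonce mismatch: response is not for our request")
    proto, int_port, ext_port = struct.unpack("!B3xHH", data[36:44])
    return {
        "result": RESULT_CODES.get(result, f"UNKNOWN({result})"),
        "lifetime": lifetime, "epoch": epoch, "proto": proto,
        "internal_port": int_port, "external_port": ext_port,
        "external_ip": _ip_from16(data[44:60]),
    }


if __name__ == "__main__":
    req = build_map_request("10.1.1.5", 6, 80, suggested_port=80)
    ok = build_map_response(req, 0, 3600, "203.0.113.7", 80)
    busy = build_map_response(req, 11, 0, "203.0.113.7", 84)
    print(parse_map_response(ok, req))
    print(parse_map_response(busy, req))
```

A client that sends this request over UDP to the CGN's PCP server on port 5351 and gets the busy response is in the slide-45 situation: the external port it asked for is held by a dynamic entry, and the response carries the port the server can offer instead.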
47 APPLICATION LAYER GATEWAYS
48 Need for ALGs ALGs are features allowing upper-layer inspection to track a particular behaviour (port negotiation, ...) and make sure the protocol is unaffected by the translation. Cisco's position is to discourage the pursuit of ALGs: applications are regularly rewritten and keeping track of each change is challenging; NAT traversal is more generally handled at the application level. Supported ALGs in CGN cards: Active FTP (passive FTP doesn't need an ALG), RTSP (used for some streaming services), PPTP (for legacy VPN applications)
49 Active FTP ALG In active mode FTP, the client connects from a random unprivileged port (N > 1023) to the FTP server's command port 21; then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server; the server then connects back to the client's specified data port from its local data port, which is port 20. The ALG rewrites the network-layer address information found inside the application payload. Note: passive FTP mode does NOT need any ALG
50 RTSP ALG Real-Time Streaming Protocol is not a streaming protocol: it's a remote control protocol for streamers (which use RTP/RTCP or RDT), a text-based protocol based on methods (like requests) and transported on port 554. An RTSP session is not a connection per se, since it's not tied to a transport-level connection, even if transported by TCP. Our implementation considers the server to be located outside and the clients inside. RTSP is used by many streamers like QuickTime or RealNetworks (less and less used with the generalization of HTML5)
51 PPTP ALG Point-to-Point Tunneling Protocol is used by legacy VPN solutions; it encapsulates PPP packets in IP GRE. Translation of PPTP is challenging because we don't translate source ports but a peer Call ID field contained in the GRE header. PAC: PPTP Access Concentrator, on the public side (Outside). PNS: PPTP Network Server, on the private side (Inside). [diagram: PNS, NAT, IPv4 Internet, PAC; control connection on TCP 1723]
52 Configuring ALGs Three ALG types are currently supported for NAT44 (none for NAT64SF and only FTP for DS-Lite): ActiveFTP (not needed for passive FTP); RTSP (for Real Audio G2 and Windows Media Player), default port 554; PPTP (for legacy VPN systems).
service cgn demo
 service-type nat44 nat44-1
  alg ActiveFTP
  alg rtsp port
  alg pptpalg
 !
53 Verify ALG Activity When a translation database entry is allocated by an ALG, it appears like this:
RP/0/RP0/CPU0:R#sh cgn demo inside-translation protocol tcp inside-vrf Inside inside-address port s 1 e
Inside-translation details
CGN instance : demo
Inside-VRF : Inside
Columns: Inside Address | Inside Source Port | Outside Address | Outside Source Port | Protocol | Translation Type | Inside to Outside Packets | Outside to Inside Packets
Entries: tcp dynamic; tcp dynamic; tcp dynamic; tcp alg; tcp dynamic (5 packets in each direction on the last entry)
RP/0/RP0/CPU0:R#
54 LOGGING
55 Need for Logging Entries in the NAT table are of a temporary nature. Any stateful protocol (NAT44, NAT64SF, DS-Lite) requires logging. Directive 2006/24/EC (Data Retention) is EU law. Logging preserves the mapping information between an internal and an external address and port. CGSE and ISM cards support Netflow v9 and Syslog. [diagram: NAT, logging record, IPv4 Internet, Syslog/Netflow collector]
56 What CGN information needs to be stored by ISPs? Source IP address and port translation history, to be able to reliably identify the private IP translated to a public IP at one precise moment; further inspection of the RADIUS or DHCP database can then provide the identity of the subscriber (e.g. MAC address of the device or username). Format of the information (as long as the translation can be inverted based on the input parameters): ASCII format; compressed text/binary files or a relational database that contains the translation history details; or the outcome of an algorithmic mapping of private IP address to public IP address/port
57 Dynamic or Pre-defined NAT? No definitive and easy answer. The logging solutions: Dynamic NAT with per-session logging (w/syslog or w/netflow), Bulk Port Allocation logging (w/syslog or w/netflow) or Destination Based Logging (w/syslog or w/netflow); or Pre-defined NAT. Each choice optimizes a subset of the requirements at the expense of others
58 Destination-Based Logging DBL permits to specifically log the destination address and port. [diagram: internal host A, NAT, external hosts X1 to X4, logging record to the Syslog/Netflow collector]
Time | Inside IP/Port | Outside IP/Port | Destination IP/Port
T1 | A:Pa | IP1:P1 | X1:Pd1
T2 | A:Pb | IP1:P2 | X2:Pd2
T3 | A:Pc | IP1:P3 | X3:Pd3
T4 | A:Pd | IP1:P4 | X4:Pd4
59 Destination-Based Logging Why would you like to use DBL? Legal regulations in the country; many web servers do not log port information for each session (not respecting RFC6302, Logging Recommendations for Internet-Facing Servers); others: need for a data analytics solution, e.g. it offers very detailed info on user behaviour. Why should you avoid using DBL? Privacy considerations; country regulations; interpretation of the EU directive; conflicts with Bulk Port Allocation and Deterministic NAT; increased storage requirements (6 additional bytes in NFv9 to store A+P); draft-ietf-behave-lsn-requirements REQ-12: A CGN SHOULD NOT log destination addresses or ports unless required to do so for administrative reasons
60 Destination-Based Logging The CGN card generates template 271 for Add records and template 272 for Delete records.
service cgn POC-1
 service-type nat44 nat44-1
  inside-vrf Inside-1
   map address-pool /17
   external-logging netflow version 9
    server
     address port 5000
     session-logging
    !
61 Syslog or Netflow v9? Two options in CGN cards today: Syslog and Netflow v9. Netflow is preferred since it is lighter. Some customers select syslog: an existing collection infrastructure based on syslog guarantees multi-vendor interoperability.
Netflow v9: format binary, template based; transport UDP; sequence number yes (in header); scalability high (tested)
Syslog: format ASCII, RFC5424; transport UDP; sequence number no; scalability: needs BPA
IPFIX doesn't bring anything to the CGN logging, hence isn't considered. Both NFv9 and Syslog can be configured simultaneously in a CGN system
62 Syslog or Netflow v9? Keep in mind before selecting your collector: traditional use of NFv9 or syslog requires much lower data rates (< 50k fps); NAT is still a relatively new application using NF, hence there is no existing data analysis tool box available; NAT requires the records to be stored in a database; most NF collectors store only the analysis results in a DB, not the records themselves, and are therefore not suitable. Templates exist for NAT44, NAT64SF and DS-Lite, with or without Bulk-Allocation, and for Destination-based logging.
63 Syslog for CGN The message must comply with the RFC5424 format. Fields are separated by a space and non-applicable fields are -
<Priority> <Version> <Time stamp> <host name> - - <Application name (NAT44 or DSLITE)> - [Record 1][Record 2] ...
[EventName <L4> <Original Source IP> <Inside VRF Name> <Original Source IPv6> <Translated Source IP> <Original Port> <Translated First Source Port> <Translated Last Source Port>]
Example: NAT44 with Bulk-Port-Alloc
May 31 10:30: NAT44 - [UserbasedA INVRFA ]
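The retention requirement of slide 56 (which private address held a given public address and port at a given time) is answered by inverting exactly the records laid out above. The following parser is an added example, not Cisco's syslog format documentation or the deck's own tooling: it reads lines in the RFC 5424 layout given on the slide, splits the bracketed records into the listed fields, and looks up the owner of a public address:port at a point in time. The log lines are constructed; the event names UserbasedA (bulk add) and UserbasedD (bulk delete) are an assumption, only UserbasedA appearing on the slide.

```python
"""Parsing CGN syslog records in the RFC 5424 layout given on the slide.

Added example, not part of the deck: parses the structured-data records
([EventName L4 OrigSrcIP InsideVRF OrigSrcIPv6 TransSrcIP OrigPort
TransFirstPort TransLastPort]) and answers the data-retention question of
the logging section: which private address held a given public
address+port at a given time. The log lines are constructed; the event
names UserbasedA (bulk add) and UserbasedD (bulk delete) are assumed.
"""
import re
from datetime import datetime, timezone

SD_RE = re.compile(r"\[([^\]]*)\]")
# <PRI>VERSION TIMESTAMP HOSTNAME - - APPNAME - [records...]
HDR_RE = re.compile(r"^<(\d+)>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
FIELDS = ("event", "l4", "orig_src", "ivrf", "orig_src6", "xlat_src",
          "orig_port", "first_port", "last_port")

# Constructed sample: a TCP bulk for 10.1.1.5 and a UDP bulk for 10.1.1.9, then the
# TCP bulk is released and the same port range is handed to 10.1.1.22.
SAMPLE_LOG = """\
<134>1 2014-05-31T10:30:00.000Z cgn1 - - NAT44 - [UserbasedA 6 10.1.1.5 INVRFA - 203.0.113.7 - 2064 2079][UserbasedA 17 10.1.1.9 INVRFA - 203.0.113.7 - 4096 4111]
<134>1 2014-05-31T11:15:00.000Z cgn1 - - NAT44 - [UserbasedD 6 10.1.1.5 INVRFA - 203.0.113.7 - 2064 2079]
<134>1 2014-05-31T11:20:00.000Z cgn1 - - NAT44 - [UserbasedA 6 10.1.1.22 INVRFA - 203.0.113.7 - 2064 2079]
"""


def ts(stamp):
    """Parse the RFC 5424 UTC timestamp used in the sample log."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return one dict per bracketed record carried by a single syslog line."""
    m = HDR_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    _pri, _ver, stamp, host, _, _, app, _, sd_part = m.groups()
    when = ts(stamp)
    records = []
    for sd in SD_RE.findall(sd_part):
        toks = sd.split()
        if len(toks) != len(FIELDS):
            raise ValueError(f"record has {len(toks)} fields, expected {len(FIELDS)}: {sd!r}")
        rec = dict(zip(FIELDS, toks))
        rec.update(time=when, host=host, app=app,
                   first_port=int(rec["first_port"]), last_port=int(rec["last_port"]))
        records.append(rec)
    return records


def load(text):
    recs = []
    for line in text.splitlines():
        if line.strip():
            recs.extend(parse_line(line))
    return recs


def who_had(records, public_ip, public_port, l4, at):
    """(private IP, inside VRF) that owned public_ip:public_port for protocol l4 at time 'at'."""
    owner = None
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["time"] > at:
            break
        if rec["xlat_src"] != public_ip or rec["l4"] != str(l4):
            continue
        if not rec["first_port"] <= public_port <= rec["last_port"]:
            continue
        if rec["event"].endswith("A"):      # assumed: ...A = add
            owner = (rec["orig_src"], rec["ivrf"])
        elif rec["event"].endswith("D"):    # assumed: ...D = delete
            owner = None
    return owner


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print(who_had(recs, "203.0.113.7", 2070, 6, ts("2014-05-31T10:45:00.000Z")))
    print(who_had(recs, "203.0.113.7", 2070, 6, ts("2014-05-31T11:30:00.000Z")))
```

The lookup only works because every add has a matching delete with a timestamp; a block that is never released (the NAT444 case of slide 32) stays attributable to its first owner indefinitely, which is fine for retention but is also why the port range alone identifies the subscriber.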
64 Netflow v9 for CGN Netflow v9 supports flexible field definition; lightweight transport via UDP; NFv9 records are binary, based on templates containing IPFIX entities (. Supported since the first days of CGN. Different behaviour than Netflow on routers: it records the creation/deletion of NAT entries, doesn't count packets, doesn't sample packet headers, and is generated by the CGN card and not by the MSC in the CRS or the LC in the ASR9K
65 Netflow v9 templates for CGN A few examples
66 Netflow Packet Generation With the default path MTU = 1500B, one Netflow packet can hold around 50 creation records. Generation is handled at the CPU core level. An event (new translation or deletion of an existing one) triggers the creation of a NF packet, but it isn't sent directly: if other events happen on the same core, their records are added to the NFv9 packet. The packet is sent when the MTU size is reached or after one second
67 Configuring NFv9 Options NFv9 is supported for all stateful translation protocols. Only a single server can be defined per instance. Templates are regenerated and sent by default every 500 packets or 30 minutes.
service cgn ISM
 service-type nat44 nat44-1
  inside-vrf Inside-1
   external-logging netflow version 9
    server
     address port 123
     path-mtu 2000        ! can be configured from 100 to 2000
     refresh-rate 100     ! regenerate the NF record with template flowset every 100 logging packets
     timeout 10           ! regenerate the NF record with template flowset every 10 minutes
     session-logging      ! session logging enable flag
    !
68 HARDWARE
69 Service Cards on IOS XR Routers Carrier Grade Service Engine (CGSE) for all CRS routers; CGSE-PLUS for CRS-3 and CRS-X routers; Integrated Service Module (ISM) for ASR9000 routers; Virtualized Service Module (VSM) for ASR9000 routers with RSP440. Same form factor as any line card; no physical ports/interfaces (except CGSE+ and VSM, for future usage); multi-purpose cards that can be used for different applications; very similar to an Intel server, they run a Linux distribution; they use virtual interfaces to communicate with the rest of the system. The VSM introduces virtual machines and the service chaining capability
70 Carrier Grade Service Engine (CGSE) Supported with CRS-1 / CRS-3 / CRS-X fabric, 4-slot / 8-slot / 16-slot single/multi chassis, up to 12 cards in the 16-slot chassis. Multi-purpose service card: CGN, Arbor TMS. MontaVista Linux distribution, but configuration via IOS-XR. 20M translations, 1M sessions established per second, 20Gbps
71 Carrier Grade Service Engine (CGSE) [block diagram: GLIK FPGAs, PLA, midplane, ipse/epse, EgressQ/IngressQ, FabQs, fabric; the CGSE PLIM is paired with an MSC40 or FP40]
72 Load-Balancing Traffic inside CGSE Cores 64 cores are available on each CGSE card (2^6) and the LB decision is performed by the egress PSE ASIC (emetro). For i2o traffic, the least significant 6 bits of the source IP address are used; for o2i traffic, the least significant 6 bits of the destination IP address are used. It implies that we cannot assign a map pool prefix longer than /26 if every core of the system is to be used: with a /26, each core handles a single IP address from the map pool range (outside); with a /24, each core handles 4 IP addresses from the map pool range (outside)
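The /26 rule above generalizes to any pool prefix: with the low 6 bits selecting the core, a pool shorter than 64 addresses leaves cores idle for return traffic. The following check is an added example, not Cisco code: it applies the stated hashing rule to a candidate map pool and reports how many cores would never see o2i traffic. The pools are constructed.

```python
"""Core selection on the CGSE and the map-pool prefix length.

Added example, not from the deck: applies the rule stated above (64 cores,
i2o keyed on the low 6 bits of the source address, o2i on the low 6 bits of
the destination address) to count how many cores a map pool of a given
prefix length can keep busy for o2i traffic. Pools are constructed.
"""
import ipaddress

CORES = 64


def core_for_packet(src, dst, direction):
    """direction 'i2o' hashes the inside source, 'o2i' the outside (map pool) destination."""
    key = src if direction == "i2o" else dst
    return int(ipaddress.IPv4Address(key)) & (CORES - 1)


def o2i_core_load(map_pool):
    """Number of outside addresses each core serves for return traffic into the pool."""
    load = {}
    for ip in ipaddress.IPv4Network(map_pool):
        core = core_for_packet("0.0.0.0", str(ip), "o2i")
        load[core] = load.get(core, 0) + 1
    return load


def idle_cores(map_pool):
    """Cores that never see o2i traffic because no pool address hashes to them."""
    return CORES - len(o2i_core_load(map_pool))


if __name__ == "__main__":
    for pool in ("203.0.113.0/24", "203.0.113.0/26", "203.0.113.0/27", "203.0.113.0/28"):
        print(pool, "idle cores:", idle_cores(pool),
              "addresses per busy core:", sorted(set(o2i_core_load(pool).values())))
```

A /27 leaves half the cores without return traffic and a /28 three quarters of them, so a small map pool caps the usable capacity of the card well below the 64-core figure.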
73 Carrier Grade Service Engine PLUS (CGSE+) Supported with CRS-3 / CRS-X fabric, 8-slot / 16-slot single/multi chassis, up to 12 cards in the 16-slot chassis. Multi-purpose service card: CGN, Arbor TMS (future), DPI / Analytics (future). MontaVista Linux distribution, but configuration via IOS-XR. Currently supports NAT44 / 6rd. 80M translations, 1M+ sessions established per second, 70+ Gbps
74 Carrier Grade Service Engine PLUS (CGSE+) [block diagram: 2 x 16GB DDR, 2 x Netlogic NPU, Beluga PLA, midplane, ipse/epse, EgressQ/IngressQ, FabQs, fabric; the CGSE+ PLIM is paired with an MSC140 or FP140 in a CRS-3 or CRS-X chassis; not supported in a CRS-1 chassis]
75 Integrated Service Module (ISM) Supported with RSP2 and RSP and 9010 chassis (not in 9001 or 99xx). Multi-purpose service card: CGN, CDS-IS/TV (discontinued). RedHat Linux distribution, but configuration via IOS-XR. 20M translations, 1M sessions established per second, 14Gbps
76 ISM Architecture [block diagram: PPC, 2 x 24GB DRAM, Intel CPU, I/O Hub, bridges, Fabric ASIC, backplane; Application Domain and IOS-XR Domain]
77 Virtualized Service Module (VSM) Supported with RSP440 (and future RSPs), all 9x00 chassis except 9001. Multi-purpose service card: CGN, IPsec, Mobile GW, service chaining. KVM virtualized environment. Current CGN support: NAT44, 60M translations, 10M+ sessions established per second, 60Gbps
78 VSM Architecture [block diagram: 4 x SFP+ with Quad PHY, 4 x 32GB DDR3, 4 x Ivy Bridge CPUs with Crypto/DPI assist, Niantic 10GE controllers (48 ports 10GE), Typhoon NPUs, XAUI, PCIe, Fabric ASIC 0/1, backplane; Application Processor Module (APM) and Service Infra Module (SIM)]
79 Performance / Scalability
Card | Sessions | Establishment rate | Bandwidth (IMIX) | Physical interfaces
CGSE | 20M | 1M/s | 20Gbps | No
CGSE+ | 80M | 1M/s | 70Gbps | 2x10G (future)
ISM | 20M | 1M/s | 14Gbps | No
VSM | 60M (target: 80M+) | up to 13M/s | 60Gbps | 4x10G (future)
Platform | CGN card
CRS 4-slot | 3 x CGSE or CGSE+
CRS 8-slot | 6 x CGSE or CGSE+
CRS 16-slot | 12 x CGSE or CGSE+
CRS Multi-Chassis | supported since
ASR9001 | not supported
ASR9006 | 3 x ISM or VSM
ASR9010 | 6 x ISM or VSM
ASR9922 | VSM only
9k nV Satellite | VSM is compatible
9k nV Cluster | VSM support targeted for 5.2.0
80 DEPLOYMENT FEEDBACK
81 Deployment Tips CGSE(+) PLIMs are considered high-powered PLIMs: their power consumption is higher but, more importantly, they generate more heat than other PLIMs (heat naturally goes up). In a 16-slot chassis, their position must be thought through carefully. Some PLIMs are considered thermally sensitive and cannot be positioned above high-powered PLIMs: CRS-1 OC768 (C/L-band) DWDM PLIM, CRS-1 OC768 DPSK C/L-BAND STD CHAN PLIM. So the CGSE should ideally be positioned in the upper shelf. If necessary, it can be positioned in the lower shelf, but in that case it's important to make sure another high-powered PLIM is inserted above it in the upper shelf. [diagram: upper shelf, lower shelf]
82 Key Deployment Takeaways The vast majority of ISM and CGSE deployments are done for NAT44 and 6rd. Some new customers, or customers with internal IPv4 shortage issues, are now looking at DS-Lite (and MAP). MAP is interesting (stateless in the router, inline performance at 240G per card) but there are not many CPEs yet. DS-Lite is stateful (implies logging) but CPEs are very common. Many customers are testing NAT64, but some applications are not supported at all on IPv6 (e.g. Skype). Logging: both syslog and netflow are used, some customers use both simultaneously. Mobile users usually use far fewer ports (true for handhelds, not for dongles)
83 Monitoring Options Prime Performance Manager supports CGSE/ISM NAT44/NAT64 monitoring: active translations / creation rate, I2O and O2I forward rate, I2O drops for port limit exceeded, I2O drops for system limit reached, pool addresses totally free / used. Expect scripts can be used to collect counters from show commands. More scripts can be used to figure out the per-user port usage (very important to figure out the proper port-limit): first, get all outside IP addresses in use with sh cgn nat44 NAT statistics; then, for each IP address, run sh cgn nat44 NAT outside-translation proto $Prot outside-address $IP port start 1 end with $Prot: TCP/UDP/ICMP. Logs can be used to spot customers exceeding the limits
84 Scripts The script collects info on used ports per external address:
RP/0/RSP0/CPU0:R1#sh cgn nat44 nat44 pool-utilization inside-vrf IN address-r$
Public address pool utilization details
NAT44 instance : nat44
VRF : IN
Columns: Outside Address | Number of Free ports | Number of Used ports
85 Scripts
RP/0/RP0/CPU0:R1#sh cgn nat44 NAT-1 outside-translation protocol tcp outside-address port start 1 end
Columns: Inside Address | Inside Source Port | Outside Address | Outside Source Port | Protocol | Translation Type | Inside to Outside Packets | Outside to Inside Packets
Entries: 12 tcp dynamic translations (6 packets in each direction on the last one)
86 Scripts Processing flow: sort the entries; divide each outside port by the BPA size and round down to get the block ID; count. Per-user port usage: top X users, average, port-limit tweaking. For a given BPA: number of ports used per block ID, top X blocks, average usage, BPA tweaking
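The processing flow on slides 83 to 86 (collect the outside-translation output, sort, divide by the BPA size and round down, count per user and per block) is the input to the port-limit and BPA sizing of the next slide. The following is an added example, not the deck's Expect scripts: it parses the show output in the column order the slides display (inside address, outside address, protocol, inside port, outside port, translation type, i2o packets, o2i packets) and produces the per-user and per-block figures. The sample output is constructed, and the choice to count only dynamic and alg entries against bulk blocks (static and PCP entries are not bulk-allocated) is an assumption.

```python
"""Per-user and per-block port usage from 'show cgn ... outside-translation'.

Added example, not the deck's scripts. Assumes the column order shown on the
slides: inside address, outside address, protocol, inside port, outside port,
translation type, i2o packets, o2i packets. The sample output is constructed.
"""
from collections import Counter, defaultdict

SAMPLE = """\
Inside      Outside      Protocol Inside Outside Translation Inside  Outside
Address     Address               Source Source  Type        to      to
                                  Port   Port                Outside Inside
                                                             Packets Packets
10.0.0.5   203.0.113.1  tcp   4828  2064  dynamic 12 11
10.0.0.5   203.0.113.1  tcp   4829  2065  dynamic 3 3
10.0.0.5   203.0.113.1  udp   5000  2078  dynamic 8 8
10.0.0.9   203.0.113.1  tcp   1430  4100  dynamic 5 5
10.0.0.9   203.0.113.1  tcp   1431  4101  alg     2 2
10.0.0.22  203.0.113.1  tcp   2200  9000  static  0 0
"""

# Assumption: only these entry types come out of bulk-allocated blocks.
BULK_TYPES = ("dynamic", "alg")


def parse_translations(text):
    """Return one dict per translation row, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 8 and t[2] in ("tcp", "udp", "icmp"):
            rows.append({"inside": t[0], "outside": t[1], "proto": t[2],
                         "in_port": int(t[3]), "out_port": int(t[4]),
                         "type": t[5], "i2o": int(t[6]), "o2i": int(t[7])})
    return rows


def ports_per_user(rows):
    """Ports currently held by each inside address (the per-user usage figure)."""
    return Counter(r["inside"] for r in rows)


def top_users(rows, n=3):
    return ports_per_user(rows).most_common(n)


def average_ports(rows):
    users = ports_per_user(rows)
    return sum(users.values()) / len(users) if users else 0.0


def blocks_per_user(rows, bpa):
    """Bulk blocks held per user; block id = outside port // bpa (divide and round down)."""
    blocks = defaultdict(set)
    for r in rows:
        if r["type"] in BULK_TYPES:
            blocks[r["inside"]].add(r["out_port"] // bpa)
    return {u: len(b) for u, b in blocks.items()}


def block_usage(rows, bpa):
    """Ports in use per bulk block, keyed as 'outside_ip:first-last'."""
    used = Counter((r["outside"], r["out_port"] // bpa) for r in rows if r["type"] in BULK_TYPES)
    return {f"{ip}:{b * bpa}-{b * bpa + bpa - 1}": n for (ip, b), n in used.items()}


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("top users:", top_users(rows))
    print("average ports per user:", average_ports(rows))
    print("blocks per user (BPA=16):", blocks_per_user(rows, 16))
    print("block usage (BPA=16):", block_usage(rows, 16))
```

Run over the real output for every outside address in use, the per-user counter is what the port-limit is sized against and the block-usage counter shows whether the chosen BPA leaves most blocks nearly empty (too large) or forces users onto several blocks (too small).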
87 Sizing the Port-Limit and BPA No rule of thumb to define port-limit, BPA, timers. Example for a broadband ISP in LATAM (using a script): 18 ports on average per user, which cannot be used alone to determine the best port-limit; i2o 50kpps per card, o2i 70kpps per card; avg i2o packet size 200B, avg o2i packet size 1200B. [chart: percentage of users using less than X ports, starting at 99.8%]
88 Impact of CGN on Applications? Several customers have extensively and successfully tested the most popular applications, for example: TFTP, SSH, Telnet; IPsec VPN (Cisco client), SSL VPN (AnyConnect client); HTTP/HTTPS on popular sites (CNN, Facebook, YouTube, Google services, ...); WebMail (Java); Skype, Skype update, audio/video/file transfer/chat; MSN; BitTorrent; Netflix; video web sites like Crunchyroll.com, ign.com; iTunes store browsing, upgrade; Sony Media Go Store; Steam install and update; StarCraft 2, World of Warcraft, Minecraft, ...
89 Applications Impacted by CGN A vast majority of users only need their internet connection for web surfing, e-mails, Skype, mobile phone apps on WiFi and occasionally p2p downloads. These customers will never realize they are NATed. Per-complaint behaviour: when customers complain about their connection (latency, applications not working, mainly hardcore gamers who need to be a node for multiplayer games), the ISP moves them into a different VRF which is not NATed
90 Services Impacted by CGN Geo-localization services; IP tracking services (advertisement systems not based on cookies)
91 ROUTING CONSIDERATION AND BEST PRACTICES
92 Types of Routing Two types of routing should be differentiated Intra-chassis routing Packets candidate for translation or tunnel encapsulation/decapsulation, when received on the router, should be forwarded to and from the CGN card Static routes and Access-List Based Forwarding will be use Extra-chassis routing Packets should also be attracted by the CGN system able to handle them properly Dynamic routing protocols (BGP or IGP) will be used to advertise the prefix
93 CGN Routing
[Figure: IPv4 backbone -> Te0/0/0/0 -> ServiceApp1 (inside VRF) -> CGN card -> ServiceApp2 (outside VRF) -> Te0/1/0/0 -> IPv4 Internet. Intra-chassis: static routes or ABF towards the ServiceApp interfaces. Extra-chassis: IGP on the inside, IGP/BGP on the outside.]
94 Intra-Chassis Routing
Aimed at forwarding packets that are candidates for translation or tunnel encapsulation/decapsulation to and from the CGN card.
For i2o traffic, two methods are available:
Based on destination: static routes to the ServiceApp interface, placed in one of three ways: in the global table pointing to a ServiceApp in the global table; in the global table pointing to a ServiceApp in a named VRF; in a named VRF table pointing to the ServiceApp. The prefix of that static route should be advertised in the IGP and/or iBGP so that the rest of the network sends the traffic to this router.
Based on source or destination: Access-List Based Forwarding, applied in ingress on the interface; it can be VRF-aware or not.
For o2i traffic we usually rely on a static route for the map pool range pointing to the outside ServiceApp; the map pool range must be advertised in the external IGP or BGP.
95 Extra-Chassis Routing
It is necessary to attract traffic to the CGNAT device and to determine which traffic is actually a candidate for translation.
Asymmetrical traffic is not possible with stateful CGNAT: o2i traffic must come back through the same card that translated the i2o traffic, because only that card holds the translation entry.
That is why it is mandatory to advertise the map pool ranges to the external world, to guarantee symmetry.
[Figure: Access -> BNG -> CGN (NAT) -> Core -> Internet; a default route attracts the i2o traffic towards the CGN, the map pool (public IP) is advertised towards the Internet]
96 Extra-Chassis Routing
A few other examples:
[Figure 1: Core (private IP) -- default route --> NAT/CGN -- map pool --> Peering network (full table, aggregate) --> Internet]
[Figure 2: L3VPN VRF -- default route --> NAT/CGN -- map pool --> Internet (full table)]
97 NAT44 Static Route Configuration
Create one static route in each VRF (inside and outside):
All packets arriving in VRF inside are directed to the CGN card through the ServiceApp1 interface (default route).
All packets arriving in VRF outside and destined to the map pool range are directed to the ServiceApp2 interface.
RP/0/RSP0/CPU0:router(config)#
router static
 vrf inside
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp1
 !
 vrf outside
  address-family ipv4 unicast
   <map pool>/24 ServiceApp2
 !
[Figure: Te0/0/0/0 -> ServiceApp1 (inside VRF) -> CGN card (translate to <map pool>/24) -> ServiceApp2 (outside VRF) -> Te0/1/0/0. The map pool address itself is stripped from the source.]
98 NAT44 Static Route Configuration
In many situations the physical interfaces cannot be placed in an inside VRF and must stay in the global routing table.
A static default route in the global IPv4 table pointing to the ServiceApp in the inside VRF would work, but a global default route is not recommended: ALL traffic with no more specific route in the RIB would be attracted to the CGN card, and conversely, if the router holds a full BGP table, every destination has a more specific route and no packet at all would be routed to ServiceApp1.
RP/0/RSP0/CPU0:router(config)#
router static
 address-family ipv4 unicast
  0.0.0.0/0 vrf inside ServiceApp1
 !
[Figure: Te0/0/0/0 (global table) -> ServiceApp1 (inside VRF) -> CGN card (translate to <map pool>/24) -> ServiceApp2 (outside VRF) -> Te0/1/0/0]
99 NAT44 ABF Configuration
Routing based on an ACL lets the forwarding decision be made on the source address: public sources can bypass NAT while private sources are sent for NAT translation.
RP/0/RSP0/CPU0:router(config)#
ipv4 access-list ABF
 10 permit ipv4 <private prefix>/8 any nexthop1 vrf inside ipv4 <ServiceApp1 next-hop>
 permit ipv4 any any
!
interface ServiceApp1
 vrf inside
 ipv4 address <address>/30
 service cgn demo service-type nat44
!
interface TenGigE0/0/0/0
 ipv4 address <address>/24
 ipv4 access-group ABF ingress
!
interface ServiceApp2
 vrf outside
 ipv4 address <address>/30
 service cgn demo service-type nat44
!
interface TenGigE0/1/0/0
 ipv4 address <address>/24
!
[Figure: private /8 on Te0/0/0/0 -> ServiceApp1 (inside VRF) -> CGN card (translate to <map pool>/24) -> ServiceApp2 (outside VRF) -> Te0/1/0/0 -> public /8. Addresses are stripped from the source.]
100 NAT44 ABF Configuration: Return Traffic
When ABF is configured for the i2o traffic, no ABF is needed for the o2i traffic. The o2i traffic must, however, be routed to the correct inside (here the default) VRF when it comes out of the inside ServiceApp, and the map pool must be routed from the global table to the outside ServiceApp:
RP/0/RSP0/CPU0:router(config)#
router static
 vrf inside
  address-family ipv4 unicast
   <private prefix>/8 vrf default <next-hop in the GRT>
 !
RP/0/RSP0/CPU0:router(config)#
router static
 address-family ipv4 unicast
  <map pool>/24 vrf outside ServiceApp2
 !
[Figure: private /8 on Te0/0/0/0 (global table) -> ServiceApp1 (inside VRF) -> CGN card (translate to <map pool>/24) -> ServiceApp2 (outside VRF) -> Te0/1/0/0 -> public /8]
101 NAT44 ABF Limitations
What if the next-hop address in the GRT is not reachable (interface down, for example)? With the configuration of the previous slide (the inside VRF's /8 route pointing to a next-hop in the default VRF), even if another path is available to reach the /8 in the GRT, the returning traffic is lost.
102 NAT44 ABF Limitations
What if the next-hop router itself points back to the CGN router to reach the /8? With the same configuration, the traffic eventually finds its way to the /8, but via a suboptimal path (out to the next-hop router and back).
103 NAT44 ABF Limitations
ABF is performed before MPLS labels are stripped from packets; consequently, labelled packets are not matched by the ABF ACL. Example: the CGN-in-PE case, where traffic arrives from the P router with two labels (transport + VRF) or one label (VRF). Workaround: a fiber loop, so that the decapsulated IPv4 packets re-enter the router on an interface where ABF can match them.
[Figure: P -> Te0/6/0/2 -> PE with 0/0/CPU0 VRF Inside-1 (SA1, translate to /24) and 0/1/CPU0 VRF Inside-2 (SA3, translate to /24) -> CGN cards -> global table]
104 NAT44 ABF Limitations
Another example: the CSC (carrier supporting carrier) case with the CGN in the CE, where packets carry three labels (transport + VRF + CSC), two labels (VRF + CSC) or one label (CSC) depending on where they are seen.
[Figure: P -> PE -> Te0/6/0/2 -> CSC CE with 0/0/CPU0 VRF Inside-1 (SA1, translate to /24) and 0/1/CPU0 VRF Inside-2 (SA3, translate to /24) -> CGN cards -> global table]
105 REDUNDANCY
106 CGSE/ISM Redundancy
On both CRS/CGSE and ASR9000/ISM, 1:1 warm-standby redundancy is supported (not supported on CGSE+ today).
Warm standby: the translation state is not synchronized between the active and the standby card, so after a failover all connections have to be re-established.
Pros: simple to configure; a single map pool is used.
Cons: only 1:1; one card out of two is unused 99% of the time.
An alternative based on ABF is available.
Pros: more options, such as n:1 redundancy; converges very quickly.
Cons: the same map pool range cannot be re-used, so a second range has to be configured for the backup card.
107 1:1 Warm-Standby Redundancy Configuration
RP/0/RSP0/CPU0:CGN(config)#
service cgn demo
 service-location preferred-active 0/1/CPU0 preferred-standby 0/3/CPU0
!
RP/0/RP0/CPU0:CGN#show services redundancy
Service type   Name           Pref. Active        Pref. Standby
ServiceInfra   ServiceInfra1  0/1/CPU0 Active
ServiceInfra   ServiceInfra2  0/3/CPU0 Active
ServiceCgn     demo           0/3/CPU0 Standby    0/1/CPU0 Active
RP/0/RP0/CPU0:CGN#
108 CGSE/ISM Redundancy (three cards, one of them a backup)
service cgn mets-cgn
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat44-1
  inside-vrf Inside-1
   map address-pool <pool A>/24
!
service cgn mets-cgn-2
 service-location preferred-active 0/3/CPU0
 service-type nat44 nat44-2
  inside-vrf Inside-2
   map address-pool <pool B>/24
!
service cgn mets-cgn-backup
 service-location preferred-active 0/7/CPU0
 service-type nat44 nat44-backup
  inside-vrf ibackup
   map address-pool <pool C>/24
!
[Figure: Te0/6/0/<n> -> VRF Inside-1 (SA1), VRF Inside-2 (SA3), VRF ibackup (SA5) -> three CGN cards, each translating to its own /24 -> global table -> Te0/6/0/<n>. Pool addresses are stripped from the source.]
109 CGSE/ISM n:1 Redundancy
ipv4 access-list ABF
 10 permit ipv4 <subscriber range A>/24 any nexthop1 vrf Inside-1 ipv4 <SA1 next-hop> nexthop2 vrf ibackup ipv4 <SA5 next-hop>
 permit ipv4 <subscriber range B>/24 any nexthop1 vrf Inside-2 ipv4 <SA3 next-hop> nexthop2 vrf ibackup ipv4 <SA5 next-hop>
 permit ipv4 any any
!
router static
 address-family ipv4 unicast
  0.0.0.0/0 <next-hop> description Ixia-i2o-Default
  <pool A>/24 ServiceApp2 description Ixia-o2i-ABF
  <pool B>/24 ServiceApp4 description Ixia-o2i-ABF
  <pool C>/24 ServiceApp6 description Ixia-o2i-ABF
!
[Figure: packets sourced from subscriber range A -> nexthop1 = VRF Inside-1 / SA1 -> CGN card (translate to pool A) -> SA2, VRF Outside-1; packets sourced from range B -> VRF Inside-2 / SA3 -> CGN card (translate to pool B) -> SA4, VRF Outside-2; when the first next-hop is unreachable, nexthop2 = VRF ibackup / SA5 -> backup CGN card (translate to pool C) -> SA6, default. Addresses and ServiceApp next-hops are stripped from the source.]
111 CGSE/ISM n:1 Redundancy Limitations
Comparison of 1:1 warm-standby redundancy vs. N:1 ABF-based redundancy:
Convergence time: up to 7 s for 1:1 warm standby; under 1 s for N:1 ABF.
CAPEX: 1:1 needs a standby card for every active one; N:1 needs only a single backup card per router.
Impact on other resources (address map pools): 1:1 needs no map pool for the standby card (the active card's pool is re-used); N:1 needs a dedicated map pool for the backup card, since the same range cannot be re-used.
Preemption when the first card comes back online: 1:1, no preemption, the new active card stays active; N:1, the initial active card regains the active role (its next-hop becomes reachable again) and so causes a second impact.
Static port forwarding: 1:1, no problem, the standby re-populates the table with the static entry; N:1, since the backup card uses a different map pool, a new static entry (with a different public address) is created.
112 Extra-Chassis Redundancy
ipv4 access-list ABF-1
 10 permit ipv4 any any nexthop1 vrf Inside-1 ipv4 <SA1 next-hop> nexthop2 vrf Inside-2 ipv4 <SA3 next-hop> nexthop3 ipv4 <backup router address>
!
[Figure: router 1 with Te0/6/0/<n>, 0/0/CPU0 VRF Inside-1 (SA1) and 0/1/CPU0 VRF Inside-2 (SA3), each CGN card translating to its own /24 towards the global table; router 2 with Te0/0/0/<n>, 0/0/CPU0 VRF ibackup (SA5) translating to its own /24. nexthop3 points to the second router.]
If the routers are not directly connected, a GRE tunnel can be used to reach the backup router and avoid routing loops.
113 Logging Redundancy
CGN cards generate syslog and NetFlow v9 records over UDP: there is no way to apply backpressure if the collector cannot cope, and records lost in transit are lost for good.
Only one destination per record type and per inside VRF can be configured.
Workarounds exist at the collector level:
A virtual IP address shared by the collector nodes.
Port SPAN on the switch to which the collector is connected, to replicate the logging flow to a second server (the second server needs some tweaking to accept traffic not addressed to it).
Directed broadcast on the last router: for example, the last interface is a /30 and the logging traffic is sent to the broadcast address of that network, while only the enclosing /24 is advertised in the IGP, so every collector on that segment receives a copy.
RAID / DB redundancy is highly recommended at the server level.
114 CONCLUSION
115 Conclusion CGN offers tools to buy time for your IPv6 preparation The same line cards can also be used for IPv6 migration (NAT64, 6rd, DS-lite) For the vast majority of usages: it just works Deployment must be considered carefully for Routing Logging infrastructure for collection and storage Timers, BPA, Port-Limit,
118 BACKUP SLIDES UNDERSTANDING TIMERS
119 Stateful Protocols: Understanding the Stateful Translation
NAT44 (like NAT64 stateful and DS-Lite) performs a stateful translation: the packet's source address and port are rewritten and the details are stored in a translation database. A new packet from inside to outside creates a new entry in the table; no activity during a configurable period of time triggers the removal of that entry. Different timers are used for different packet types and different situations.
120 NAT44: TCP Establishment
[Diagram: inside host, source port 12345, to an Internet server on port 80; the CGN rewrites the source to an address from the map pool and port 1025. Addresses are stripped from the source.]
1. SYN (i2o): a translation entry is created, inside :12345 <-> outside :1025, TCP state Inactive.
2. SYN/ACK (o2i): matched against the entry and translated back; the state stays Inactive.
3. ACK (i2o): the state becomes Active.
From then on, as long as TCP traffic matching the entry is received in either direction within the active timer, the state is maintained as Active. This behaviour can be changed by configuration so that only i2o traffic refreshes the timers.
121 NAT44: End of TCP Session
1. An established session is in state Active.
2. A FIN or RST is seen: the state goes back to Inactive and the initial timer is armed (default TCP init: 120 s).
3. The closing ACK is translated like any other packet of the entry.
4. The initial timer expires and the entry is cleaned from the DB.
Note: the NAT engine does not check TCP sequence numbers.
122 NAT44: TCP Initial Timeout
1. SYN (i2o): entry created, state Inactive (default TCP init timer: 120 s).
2. No SYN/ACK comes back and no further i2o packet is seen.
3. The initial timer expires and the entry is cleaned from the DB.
Note: all timers are checked every 10 ms to clean up the timed-out entries.
123 NAT44: TCP Active Timeout
1. The session is Active, then no traffic matching the DB entry flows through the system in either direction.
2. The active timer (default TCP active: 1800 s) expires and the entry is cleaned from the DB.
Note: no FIN/RST is sent to either side (inside or outside); the translation entry is simply removed from the table.
124 NAT44: Security Behaviour
If an inside host sends a TCP data packet before a complete TCP handshake (no SYN was seen, so no entry exists), the packet is considered invalid and dropped without any ICMP being generated.
125 NAT44: Security Behaviour
1. SYN (i2o): entry created, state Inactive.
2. A TCP data packet arrives from the outside before the handshake is complete.
3. The packet is translated back and passed to the inside host (the entry exists), but the table state is not changed from Inactive to Active; it stays Inactive and remains subject to the initial timer.
126 NAT44: UDP Packets
1. First UDP packet (i2o): entry created, inside :12345 <-> outside :1025, UDP state Inactive.
2. UDP reply (o2i): the state becomes Active.
From then on, as long as UDP traffic matching the entry is received in either direction within the active timer, the state is maintained as Active.
127 NAT44: UDP Timeout, Case 1
Only i2o UDP traffic passes through the CGN, so the state stays Inactive. Once no more i2o UDP traffic is received, the initial timer (default UDP init: 30 s) expires and the entry is cleaned from the DB.
128 NAT44: UDP Timeout, Case 2
Both i2o and o2i UDP traffic were seen (state Active), then both stop flowing through the CGN. The active timer (default UDP active: 120 s) expires and the entry is cleaned from the DB.
129 NAT44: ICMP
There is no state in the ICMP translation, only a DB entry (NAT info) created by the first i2o ICMP packet. As long as ICMP traffic matching the entry is received in either direction within the timer, the entry is maintained in the DB.
130 NAT44: ICMP Timeout
Once no more ICMP traffic flows through the CGN in either direction, the ICMP timer (default: 60 s) expires and the entry is cleaned from the DB.
131 Fine Tuning Timers
For stateful translation protocols (NAT44, NAT64 stateful, DS-Lite), the NAT DB maintains timers for each entry.
service cgn demo
 service-type nat44 nat44-1
  protocol udp
   session initial timeout 10
   session active timeout 30
  protocol tcp
   session initial timeout 30
   session active timeout 120
  protocol icmp
   timeout 30
!
service cgn demo
 service-type nat64 stateful nat64-1
  protocol udp
   timeout 30
   v4-init-timeout 10
  protocol tcp
   session initial timeout 30
   session active timeout 120
  protocol icmp
   timeout 30
!
service cgn demo
 service-type ds-lite ds-lite1
  protocol udp
   session active timeout 30
   session init timeout 10
  protocol tcp
   session active timeout 120
   session init timeout 30
  protocol icmp
   timeout 30
!
Default timers: TCP initial 120 s, active 1800 s; UDP initial 30 s, active 120 s; ICMP 60 s.
132 Refresh Direction
By default, timers are refreshed when packets are translated in either direction (i2o or o2i). An external attacker could therefore send one packet to every DB entry (public address and port) at regular intervals and keep the entries alive indefinitely, eventually depleting the translation resources (ports, sessions) available to legitimate subscribers.
To change this default behaviour, the timer refresh can be restricted to Inside-to-Outside (i2o) packets only, so that an entry expires once the inside host stops using it, whatever the outside sends. This feature is not available for DS-Lite.
service cgn POC-1
 service-type nat44 nat44-1
  refresh-direction Outbound
 !
 service-type nat64 stateful nat64-1
  refresh-direction Outbound
 !
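The timer and refresh-direction behaviour of the slides above, as an added example written for this page (not Cisco code and not the card's implementation): a small Python model of the translation table that reproduces the TCP handshake states, the drop of data sent before a handshake, the silent expiry of entries, and the keep-alive attack that refresh-direction Outbound defeats. Addresses, ports and the probe interval are constructed; the assumption that a state change re-arms the timer, and that Outbound means only i2o packets refresh an existing entry, is mine and not the slides'.

```python
"""Toy model of the NAT44 translation-table timers described in the backup slides.

Added example, not Cisco code: it models only the behaviour the slides state and
uses constructed RFC 1918 / RFC 5737 addresses. Assumptions (not from the slides):
a state change re-arms the timer, and "refresh-direction Outbound" means that only
i2o packets re-arm an existing entry.
"""
from dataclasses import dataclass

# (initial, active) timeouts in seconds, the defaults quoted on the slides
DEFAULT_TIMERS = {"tcp": (120, 1800), "udp": (30, 120), "icmp": (60, 60)}


@dataclass
class Entry:
    proto: str
    inside: tuple            # (private address, port)
    outside: tuple           # (map-pool address, port)
    state: str = "inactive"
    expires_at: float = 0.0
    seen_o2i: bool = False


class Nat44Table:
    def __init__(self, timers=DEFAULT_TIMERS, refresh_direction="both"):
        self.timers = timers
        self.refresh_direction = refresh_direction  # "both" (default) or "outbound"
        self.entries = {}                           # (proto, inside) -> Entry
        self.next_port = 1024                       # assumed dynamic-port-range start
        self.pool_addr = "203.0.113.1"              # constructed map-pool address
        self.drops = {"no_handshake": 0, "no_entry": 0}

    def _arm(self, e, now):
        init, active = self.timers[e.proto]
        e.expires_at = now + (active if e.state == "active" else init)

    def expire(self, now):
        """Remove timed-out entries; no FIN/RST is sent to either side."""
        dead = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def i2o(self, proto, inside, now, flags=()):
        """Inside-to-outside packet; returns the translated (address, port) or None."""
        self.expire(now)
        e = self.entries.get((proto, inside))
        if e is None:
            if proto == "tcp" and "SYN" not in flags:
                self.drops["no_handshake"] += 1     # data before a handshake: silently dropped
                return None
            e = Entry(proto, inside, (self.pool_addr, self.next_port))
            self.next_port += 1
            self.entries[(proto, inside)] = e
            if proto == "icmp":
                e.state = "active"                  # ICMP has a single timer, no init/active split
        elif proto == "tcp" and e.state == "inactive" and e.seen_o2i and "ACK" in flags:
            e.state = "active"                      # third packet of the handshake
        self._arm(e, now)                           # i2o traffic always refreshes
        return e.outside

    def o2i(self, proto, outside, now, flags=()):
        """Outside-to-inside packet; returns the inside (address, port) or None."""
        self.expire(now)
        e = next((x for x in self.entries.values()
                  if x.proto == proto and x.outside == outside), None)
        if e is None:
            self.drops["no_entry"] += 1             # "No translation entry drops"
            return None
        e.seen_o2i = True
        if proto == "udp" and e.state == "inactive":
            e.state = "active"                      # a UDP reply completes the session
            self._arm(e, now)
        elif self.refresh_direction == "both":
            self._arm(e, now)                       # default: either direction refreshes
        return e.inside                             # TCP data before the ACK is still passed


def tcp_trace():
    """Handshake then silence: state after each step, reachability at t=1000 and t=5000, drops."""
    t = Nat44Table()
    host = ("10.1.2.3", 12345)
    states = [t.i2o("tcp", host, 0, flags=("PSH", "ACK"))]   # None: no SYN seen yet
    pub = t.i2o("tcp", host, 0, flags=("SYN",))
    states.append(t.entries[("tcp", host)].state)             # inactive
    t.o2i("tcp", pub, 1, flags=("SYN", "ACK"))
    states.append(t.entries[("tcp", host)].state)             # still inactive
    t.i2o("tcp", host, 2, flags=("ACK",))
    states.append(t.entries[("tcp", host)].state)             # active
    alive_1000 = t.o2i("tcp", pub, 1000) is not None          # inside the 1800 s active timer
    alive_5000 = t.o2i("tcp", pub, 5000) is not None          # 1800 s of silence: entry gone
    return states, alive_1000, alive_5000, t.drops


def attacker_keepalive(refresh_direction, probe_every=100, horizon=7200):
    """Inside host sends one UDP packet and gets one reply, then goes silent, while an
    outside host pokes the public port every probe_every seconds. True if the entry
    is still translated at `horizon`."""
    t = Nat44Table(refresh_direction=refresh_direction)
    pub = t.i2o("udp", ("10.1.2.3", 5060), 0)
    t.o2i("udp", pub, 1)
    now = 1
    while now + probe_every < horizon:
        now += probe_every
        t.o2i("udp", pub, now)
    return t.o2i("udp", pub, horizon) is not None


if __name__ == "__main__":
    print(tcp_trace())
    print("default refresh, attacker keeps the entry alive:", attacker_keepalive("both"))
    print("refresh-direction Outbound, entry expires:", attacker_keepalive("outbound"))
```

With the default refresh direction the outside probes alone keep the UDP entry alive for the whole two hours; with Outbound the entry disappears 120 s after the inside host's last packet, which is the resource-depletion case the slide describes.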
133 BACKUP SLIDES LOAD BALANCING
134 Load-balancing Traffic Between CGSEs
[Figure: CRS data path, SPA -> bridge -> PLA -> ingress PSE (IngressQ, FabQs) -> midplane/fabric -> egress PSE (EgressQ); not reproduced]
At the egress PSE level: hashing on the source address to load-balance traffic between the 64 cores of the card.
At the ingress PSE level: two static routes for one next-hop address, pointing to two ServiceApp interfaces (L3 or L4 load-balancing is used depending on the configuration). ABF is possible too and is the better option.
Note: load-balancing with static routes hashes per flow (L3: source/destination addresses, L4: the 5-tuple), so the sessions of a single internal address may land on different cards and hence on different external addresses; this breaks the "same external IP address for all sessions of the same internal IP address" behaviour (paired address pooling, RFC 4787). ACL-based forwarding, which selects the card from the source address, is recommended.
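An added illustration of the RFC 4787 note above (example code written for this page, not Cisco's load-balancing code): a deterministic stand-in hash applied to constructed flows shows that per-flow hashing (L3 or L4, as with ECMP static routes) spreads one subscriber's sessions across cards and therefore across map pools, while hashing on the source address only (as ABF or the egress PSE does) keeps every subscriber on one card.

```python
"""Why ECMP static routes break RFC 4787 "paired" address pooling while ABF or
source-address hashing keeps it. Added example, not Cisco code: the hash function
and the flows are constructed and are not the router's real load-balancing algorithm.
"""
import hashlib
from collections import defaultdict

# Two CGN cards behind two inside ServiceApp interfaces, each with its own map pool
# (pool addresses are constructed, RFC 5737).
CARDS = ["ServiceApp12 -> pool 203.0.113.0/24", "ServiceApp22 -> pool 198.51.100.0/24"]


def _bucket(key, n):
    """Deterministic stand-in for a hardware hash: SHA-256 of the key modulo n."""
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n


def pick_l3(flow, n):
    """Static-route load-balancing, L3 mode: hash on source and destination address."""
    src, _sport, dst, _dport, _proto = flow
    return _bucket(f"{src}|{dst}", n)


def pick_l4(flow, n):
    """Static-route load-balancing, L4 mode: hash on the full 5-tuple."""
    return _bucket("|".join(map(str, flow)), n)


def pick_source(flow, n):
    """ABF / egress PSE behaviour: hash on the source address only."""
    return _bucket(flow[0], n)


def cards_per_subscriber(flows, chooser, n=len(CARDS)):
    """Map each inside address to the sorted list of cards (hence map pools) its flows hit."""
    seen = defaultdict(set)
    for f in flows:
        seen[f[0]].add(chooser(f, n))
    return {src: sorted(cards) for src, cards in seen.items()}


def split_subscribers(flows, chooser, n=len(CARDS)):
    """Number of inside addresses whose sessions were spread over more than one card,
    i.e. whose external address is not paired (RFC 4787 'IP address pooling: Paired')."""
    return sum(1 for cards in cards_per_subscriber(flows, chooser, n).values() if len(cards) > 1)


# Constructed traffic: 20 subscribers, each with 30 TCP flows to 20 different destinations.
FLOWS = [(f"10.0.0.{h}", 40000 + i, f"192.0.2.{i % 20 + 1}", 443, "tcp")
         for h in range(1, 21) for i in range(30)]

if __name__ == "__main__":
    for name, chooser in (("L3 ECMP", pick_l3), ("L4 ECMP", pick_l4), ("source hash", pick_source)):
        print(f"{name:12s}: {split_subscribers(FLOWS, chooser)} of 20 subscribers split across cards")
```

Applications that tie a login or a session to the client's public address (the "services impacted" slide earlier) are the ones that notice when a subscriber's flows come out of two different map pools.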
135 Load-balancing with Static Routes (CGSE and CGSE+)
[Figure: CRS data path with a CGSE (Octeon cores, DDR 16GB) and a CGSE+ (NetLogic NPUs); not reproduced]
RP/0/RP0/CPU0:router(config)#
router static
 vrf inside
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp<n>
   0.0.0.0/0 ServiceApp<n>
   0.0.0.0/0 ServiceApp<n>
   0.0.0.0/0 ServiceApp<n>
   0.0.0.0/0 ServiceApp<n>
 !
 vrf outside
  address-family ipv4 unicast
   <pool A>/24 ServiceApp12
   <pool B>/16 ServiceApp22
 !
Several equal-cost default routes in the inside VRF spread the i2o traffic over the inside ServiceApp interfaces of the CGSE (translating to <pool A>/24) and of the CGSE+ (translating to <pool B>/16); in the outside VRF each map pool is routed to the corresponding outside ServiceApp. The ServiceApp numbers of the inside routes and the pool addresses are stripped from the source.
136 Load-balancing with ABF (CGSE and CGSE+)
[Figure: same data path as on the previous slide; not reproduced]
RP/0/RP0/CPU0:router(config)#
+ ACL definition here
+ ABF applied on the ingress interface here
!
vrf outside
 address-family ipv4 unicast
  <pool A>/24 ServiceApp12
  <pool B>/16 ServiceApp22
!
With ABF, the ingress ACL picks the inside ServiceApp (hence the card) from the source address; only the o2i static routes for the map pools remain.
137 Load-balancing Traffic inside ISM
Because of the number of cores, a range more specific than a /30 (4 public addresses) cannot be allocated.
Load-balancing is different on the ISM than on the CGSE:
First, it is performed by the ingress NPU (Trident or Typhoon on the ingress line card), where the lookup is performed and a VQI is assigned for the destination. Each VQI is linked to a particular Niantic port, hence to a particular dispatcher process on a CPU (2 CPUs, 2 dispatchers running on 2 different ports: 4 options).
Second, the dispatcher process determines which CGv6 application process should handle the packet: for i2o traffic the hash is performed on the 32 bits of the source address; for o2i traffic on the 32 bits of the destination address.
For DS-Lite, the hash is done on the B4 IPv6 address for i2o traffic and on the destination IPv4 address for o2i traffic.
138 BACKUP SLIDES NAT CONFIGURATION
139 Virtual Service Interfaces
They interconnect the CGSE/ISM card with the rest of the system. Configuration is only needed on the router/XR side; the addresses on the CGN/Linux side are created automatically.
ServiceInfra interface: for CGN card management; one per card, mandatory.
ServiceApp interfaces: to interconnect the GRT, a VRF or an address-family (inside and outside) with the CGN card.
To direct traffic into the CGN card, one or several of these options are needed: static routes, redistribution, ACL-based forwarding rules.
[Figure: physical interface/VLAN -> ServiceApp1 (VRF or address-family) -> CGN card (managed through ServiceInfra1) -> ServiceApp2 (VRF or address-family) -> physical interface/VLAN]
140 NAT44 Configuration
To avoid routing loops, VRFs are mandatory with NAT44: the inside VRF must be a non-default VRF; the outside VRF is optional (the default or a named VRF can be used).
RP/0/RSP0/CPU0:Router(config)#
vrf inside
 address-family ipv4 unicast
!
vrf outside
 address-family ipv4 unicast
!
interface te0/0/0/0
 vrf inside
 ipv4 address <address>/24
!
interface te0/1/0/0
 vrf outside
 ipv4 address <address>/24
!
interface ServiceApp1
 vrf inside
 ipv4 address <address/mask>
 service cgn demo service-type nat44
!
interface ServiceApp2
 vrf outside
 ipv4 address <address/mask>
 service cgn demo service-type nat44
!
[Figure: Te0/0/0/0 -> ServiceApp1 (inside VRF) -> CGN card -> ServiceApp2 (outside VRF) -> Te0/1/0/0. Addresses are stripped from the source.]
141 NAT44 Configuration
Create a NAT44 instance (nat1) and associate an outside pool (public IPv4 addresses) with a given inside VRF. A single NAT44 instance can be created per CGN card. Several mechanisms exist to push in2out traffic into ServiceApp1; a static route for the map pool range is necessary to send out2in traffic to the CGN card via ServiceApp2.
Mapping to the default VRF on the public side:
service cgn demo
 service-type nat44 nat1
  inside-vrf inside
   map address-pool <pool>/24
!
Mapping to the VRF outside on the public side:
service cgn demo
 service-type nat44 nat1
  inside-vrf inside
   map outside-vrf outside address-pool <pool>/24
!
[Figure: ServiceApp1 (inside VRF) -> CGN card (translate to <pool>/24) -> ServiceApp2 (outside VRF or default)]
142 NAT44 Configuration Tips
In the current XR release, two map pools cannot be configured under one inside VRF (coming in the near future); after a second "map address-pool" is entered, the configuration still shows a single pool:
RP/0/RP0/CPU0:Router(config-cgn-invrf)#show
Fri Jun 15 16:54 PDT
service cgn demo
 service-type nat44 nat44-1
  inside-vrf Inside-2
   map address-pool <pool>/24
!
RP/0/RP0/CPU0:Router(config-cgn-invrf)#map address-pool <pool>/24
RP/0/RP0/CPU0:Router(config-cgn-invrf)#show
Fri Jun 15 16:56 PDT
service cgn demo
 service-type nat44 nat44-1
  inside-vrf Inside-2
   map address-pool <pool>/24
!
RP/0/RP0/CPU0:Router(config-cgn-invrf)#
(pool addresses are stripped from the source)
143 NAT44 Configuration Tips
To overcome this limit, several inside VRFs can be configured:
RP/0/RP0/CPU0:Router(config-cgn-invrf)#show
Fri Jun 15 16:54 PDT
service cgn demo
 service-type nat44 nat44-1
  inside-vrf Inside-1
   map address-pool <pool A>/24
  !
  inside-vrf Inside-2
   map address-pool <pool B>/24
  !
RP/0/RP0/CPU0:Router(config-cgn-invrf)#
The challenge now lies in directing the traffic to both inside VRFs.
The total of all map pools cannot be larger than [number stripped from the source] addresses; it does not need to be a single /16 or contiguous ranges.
144 NAT44 Show Commands
RP/0/RP0/CPU0:Router#show cgn demo stat sum
Statistics summary of NAT44 instance: 'demo'
 Number of active translations:
 Number of sessions:
 Translations create rate: 0
 Translations delete rate: 0
 Inside to outside forward rate:
 Outside to inside forward rate: 0
 Inside to outside drops port limit exceeded: 0
 Inside to outside drops system limit reached: 0
 Inside to outside drops resorce depletion: 0
 No translation entry drops: 0
 PPTP active tunnels: 0
 PPTP active channels: 0
 PPTP ctrl message drops: 0
 Number of subscribers: 0
 Drops due to session db limit exceeded: 0
 Pool address totally free:
 Pool address used:
 External Address Ports Used
(the large counter values are stripped from the source)
What the counters mean (annotations of slides 144 and 145):
Number of active translations: translation entries allocated in the DB.
Number of sessions: additional flows inside these translations.
Translations create/delete rate: rate in sessions per second.
Inside to outside / Outside to inside forward rate: rate in packets per second.
Inside to outside drops port limit exceeded: packets dropped because the port-limit of an inside user is reached.
Inside to outside drops system limit reached: packets discarded because the limit of 20M sessions or 1M internal users is reached.
Inside to outside drops resorce depletion (sic): packets dropped because no public L4 port could be allocated.
No translation entry drops: out2in drops because there is no entry in the translation DB.
PPTP active tunnels / active channels / ctrl message drops: PPTP/GRE sessions and tunnels info.
Number of subscribers: private addresses having at least one active translation.
Drops due to session db limit exceeded: packets dropped after exceeding the 20M sessions.
Pool address totally free: addresses available in the pool.
Pool address used: addresses used in the pool.
External Address Ports Used: external addresses and ports allocated.
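As an added example (not Cisco code), a parser for the statistics summary above, turned into the few health checks a NOC or SOC would run against it: the sample output and the thresholds are constructed, and the counter names are the ones on the slide, including IOS-XR's "resorce" spelling.

```python
"""Parse the 'show cgn <instance> statistics summary' output annotated on the slides
and turn its counters into health findings. Added example, not Cisco code: the output
below is constructed to look like the slide's (including IOS-XR's "resorce" spelling)
and the thresholds are assumptions to tune per deployment.
"""
import re

SAMPLE_OUTPUT = """\
Statistics summary of NAT44 instance: 'demo'
  Number of active translations: 1532880
  Number of sessions: 4120331
  Translations create rate: 8120
  Translations delete rate: 8034
  Inside to outside forward rate: 412000
  Outside to inside forward rate: 398000
  Inside to outside drops port limit exceeded: 2311
  Inside to outside drops system limit reached: 0
  Inside to outside drops resorce depletion: 0
  No translation entry drops: 94812
  PPTP active tunnels: 0
  PPTP active channels: 0
  PPTP ctrl message drops: 0
  Number of subscribers: 23841
  Drops due to session db limit exceeded: 0
  Pool address totally free: 12
  Pool address used: 244
"""

COUNTER_RE = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(\d+)\s*$")
INSTANCE_RE = re.compile(r"instance:\s*'?([^'\s]+)'?")


def parse_stat_summary(text):
    """Return {'instance': name, '<counter name, lower-cased>': int, ...}."""
    stats = {"instance": None}
    for line in text.splitlines():
        if line.startswith("Statistics summary"):
            m = INSTANCE_RE.search(line)
            stats["instance"] = m.group(1) if m else None
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def pool_utilization(stats):
    """Fraction of map-pool addresses in use (used / (used + totally free))."""
    used = stats.get("pool address used", 0)
    free = stats.get("pool address totally free", 0)
    return used / (used + free) if used + free else 0.0


def health_findings(stats, pool_warn=0.90, port_limit_warn=1000):
    """List of (severity, message) derived from the counters the slides explain."""
    g = stats.get
    findings = []
    util = pool_utilization(stats)
    if util >= pool_warn:
        total = g("pool address used", 0) + g("pool address totally free", 0)
        findings.append(("warning", f"map pool {util:.1%} used ({g('pool address used', 0)} of {total} addresses)"))
    pl = g("inside to outside drops port limit exceeded", 0)
    if pl >= port_limit_warn:
        findings.append(("warning", f"{pl} i2o packets dropped by port-limit: some subscribers "
                         "exhausted their port quota (revisit port-limit/BPA sizing)"))
    for key, what in (("inside to outside drops system limit reached", "system session/user limit reached"),
                      ("inside to outside drops resorce depletion", "no public L4 port could be allocated"),
                      ("drops due to session db limit exceeded", "session DB limit exceeded")):
        if g(key, 0):
            findings.append(("critical", f"{g(key)} drops: {what}"))
    subs = g("number of subscribers", 0)
    if subs:
        findings.append(("info", f"{g('number of active translations', 0) / subs:.1f} "
                         "translations per active subscriber"))
    if g("no translation entry drops", 0):
        findings.append(("info", f"{g('no translation entry drops')} o2i packets had no translation "
                         "entry (unsolicited inbound traffic, scans, or an asymmetric return path)"))
    return findings


if __name__ == "__main__":
    for severity, message in health_findings(parse_stat_summary(SAMPLE_OUTPUT)):
        print(f"[{severity}] {message}")
```

Polling this output periodically and diffing the drop counters is the cheapest way to see port-limit pressure or an asymmetric return path before subscribers complain.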
146 NAT44 Show Commands: pool utilization statistics
RP/0/RP0/CPU0:Router#show cgn demo pool-utilization inside-vrf Inside address-range <start> <end>
Public address pool utilization details
CGN instance : demo
VRF : Inside
Columns: Outside Address | Number of Free ports | Number of Used ports
(the rows, one per outside address, are stripped from the source)
147 NAT44 Show Commands: translation statistics from an inside address perspective
RP/0/RP0/CPU0:router#sh cgn demo inside-translation protocol tcp inside-vrf Inside inside-address <address> port start 1 end <port>
Inside-translation details
CGN instance : demo
Inside-VRF : Inside
Columns: Outside Address | Protocol | Inside Source Port | Outside Source Port | Translation Type | Inside-to-Outside Packets | Outside-to-Inside Packets
(seven rows of "tcp ... dynamic" translations follow; addresses, ports and counters are stripped from the source)
148 NAT44 Show Commands: translation statistics from an outside address perspective
RP/0/RP0/CPU0:router#sh cgn demo outside-translation protocol tcp outside-vrf Outside outside-address <address> port start 1024 end <port>
Outside-translation details
CGN instance : demo
Outside-VRF : Outside
Columns: Inside Address | Protocol | Outside Destination Port | Inside Destination Port | Translation Type | Inside-to-Outside Packets | Outside-to-Inside Packets
(seven rows of "tcp ... dynamic" translations follow; addresses, ports and counters are stripped from the source)
149 BACKUP SLIDES CONFIGURATION AND TROUBLESHOOTING TIPS
150 Protecting the ServiceInfra Interface with an ACL
ServiceInfra interfaces are virtual tunnels between the router and the CGN card and are mandatory to boot and manage it. Even if the prefix used for this card is not supposed to be advertised outside of the router, it is recommended to configure a filter to protect it from a potential DoS attack: only the hosts that need to reach the card are permitted, everything else is dropped by the ACL's implicit deny.
RP/0/RP0/CPU0:router(config)#
ipv4 access-list ServiceInfraFilter
 100 permit ipv4 host <address> any
 101 permit ipv4 host <address> any
!
interface ServiceInfra1
 ipv4 address <address/mask>
 service-location 0/0/CPU0
 ipv4 access-group ServiceInfraFilter egress
!
151 Sending Logging Reports in a VRF
ServiceInfra interfaces are part of the global routing table and are the source interfaces for the syslog or NetFlow messages. If the collector is located in the inside VRF, the reports cannot reach it by default; ABF is used to overcome this limitation.
interface GigabitEthernet0/3/1/0
 vrf Inside
 ipv4 address <address/mask>
!
service cgn cgn1
 service-location preferred-active 0/0/CPU0 preferred-standby 0/2/CPU0
 service-type nat44 NAT44
  inside-vrf Inside
   map address-pool <pool>/20
   external-logging syslog
    server
     address <collector address> port 3000
     session-logging
!
152 Sending Logging Reports in a VRF
Define an ABF and apply it ingress on the ServiceInfra interface (the card's logging packets enter the router through it), then give the inside VRF a host route back to the collector:
ipv4 access-list acl1
 10 permit udp <ServiceInfra prefix>/24 host <collector address> nexthop1 vrf Inside
 20 permit ipv4 any any
!
interface ServiceInfra2
 ipv4 address <address/mask>
 service-location 0/2/CPU0
 ipv4 access-group acl1 ingress
!
router static
 vrf Inside
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp<n>
   <collector address>/32 GigabitEthernet0/3/1/0
!
153 Dynamic Port Range
For stateful translation protocols, dynamic translations start from a default port [value stripped from the source]. This starting value can be changed, from 1 up to [value stripped from the source]:
service cgn POC-1
 service-type nat44 nat44-1
  dynamic-port-range start 2000
!
154 ICMP Rate-Limiting
An ICMP rate-limiter can be defined for the CGN card (ISM, CGSE).
For CRS/CGSE: the value must be a multiple of 64 and less than [value stripped from the source]. For ASR9K/ISM: a multiple of 8 and less than 8184. It can be 0 (zero).
service cgn ISM
 protocol icmp
  rate-limit 8184
!
155 Using these Features Creatively
How to reduce the number of users per external address? A customer requested to limit the number of internal users allowed to use each external address of their map pool. Only for NAT44 (no dynamic-range configuration in DS-Lite).
Step 1: define the port-limit and the bulk-port-range to the same value, so that each user consumes exactly one block and the number of users per address is the number of blocks in the dynamic port range.
Ex: 4096 ports: rounddown[( )/4096] = 15 potential inside addresses for each external address
Ex: 2048 ports: rounddown[( )/2048] = 31
(the operands of the subtraction, the end and the start of the dynamic port range, are stripped from the source)
Step 2: if the number of users must be reduced below 15, set the dynamic-port-range start to a higher value, which shrinks the range available for blocks.
Ex: BPA/port-limit = 4096, dynamic-range start = 24575: rounddown[( )/4096] = 10
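Added example for the sizing slide (87) and the step 1 / step 2 arithmetic above; not Cisco code. It assumes the dynamic port range defaults to 1024-65535, which is the pair of values that reproduces the slide's 15, 31 and 10; the per-user port distribution is constructed, not the LATAM measurement.

```python
"""Port-limit / BPA sizing helpers. Added example, not Cisco code.

Assumptions: the dynamic port range defaults to 1024-65535 (which is what makes the
slide's arithmetic give 15, 31 and 10), BPA blocks are carved only out of the dynamic
range, and the per-user port counts below are constructed, not measured.
"""
import math

DYN_START, DYN_END = 1024, 65535


def coverage(ports_per_user, port_limit):
    """Share of users whose peak port usage fits under `port_limit`."""
    return sum(1 for p in ports_per_user if p <= port_limit) / len(ports_per_user)


def port_limit_for_coverage(ports_per_user, target=0.998):
    """Smallest port-limit under which at least `target` of the users fit: the tail of the
    distribution, not the average, is what sizes the port-limit."""
    ranked = sorted(ports_per_user)
    n = len(ranked)
    for i, pl in enumerate(ranked):
        if (i + 1) / n >= target:
            return pl
    return ranked[-1]


def users_per_external_address(bulk, dyn_start=DYN_START, dyn_end=DYN_END):
    """Slide formula: rounddown((dyn_end - dyn_start) / bulk), valid when port-limit == BPA
    block size so that every user owns exactly one block."""
    return (dyn_end - dyn_start) // bulk


def dynamic_range_start_for(max_users, bulk, dyn_end=DYN_END):
    """Lowest dynamic-port-range start that caps an external address at `max_users` users
    (the slide's step 2, solved instead of guessed)."""
    return dyn_end - (max_users + 1) * bulk + 1


def pool_addresses_needed(subscribers, bulk, dyn_start=DYN_START, dyn_end=DYN_END):
    """Map-pool size needed when every subscriber owns one block of `bulk` ports."""
    return math.ceil(subscribers / users_per_external_address(bulk, dyn_start, dyn_end))


# Constructed distribution: 9,900 light users (5-40 ports), 80 at 300, 18 at 1,500, 2 at 4,000.
SAMPLE_PORTS = [5 + i % 36 for i in range(9900)] + [300] * 80 + [1500] * 18 + [4000] * 2

if __name__ == "__main__":
    print("average ports/user:", sum(SAMPLE_PORTS) / len(SAMPLE_PORTS))
    print("port-limit covering 99.8% of users:", port_limit_for_coverage(SAMPLE_PORTS))
    for bulk in (4096, 2048):
        print(f"BPA = port-limit = {bulk}: {users_per_external_address(bulk)} users per public address")
    print("lowest range start for <= 10 users with 4096-port blocks:", dynamic_range_start_for(10, 4096))
    print("addresses needed for 3000 subscribers with 2048-port blocks:", pool_addresses_needed(3000, 2048))
```

The constructed population has an average of about 28 ports per user but needs a port-limit of 300 to cover 99.8% of users, which is the point of the sizing slide: only the tail of the distribution is useful for choosing the port-limit.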
156 Changing Logging DSCP Marking
It is not possible to change the DSCP marking of the syslog or NetFlow packets generated by the ISM or CGSE card. A re-marking can, however, be done at the egress interface level with the proper QoS policy (the class-map NF, not shown, matches the logging flows):
RP/0/RP1/CPU0:Yanks#sh run policy-map
Wed Sep 5 03:46 PDT
policy-map NF
 class NF
  set dscp cs5
 !
 class class-default
 !
 end-policy-map
!
RP/0/RP1/CPU0:Yanks#show policy-map interface gig 0/6/3/0.2
GigabitEthernet0/6/3/0.2 direction input: Service Policy not installed
GigabitEthernet0/6/3/0.2 output: NF
Class NF
 Classification statistics (packets/bytes) (rate - kbps)
  Matched : 37991/
  Transmitted : 37991/
  Total Dropped : 0/0 0
 Queueing statistics
  Queue ID : 23
  Taildropped(packets/bytes) : 0/0
Class class-default
 Classification statistics (packets/bytes) (rate - kbps)
  Matched : 0/0 0
  Transmitted : 0/0 0
  Total Dropped : 0/0 0
 Queueing statistics
  Queue ID : 23
  High watermark (bytes)/(ms) : 0/0
  Inst-queue-len (bytes)/(ms) : 0/0
  Avg-queue-len (bytes)/(ms) : 0/0
  Taildropped(packets/bytes) : 0/0
(byte counts and rates are partly stripped from the source)
157 Changing Logging DSCP Marking
[Figure: packet captures showing the syslog and the NetFlow v9 packets leaving the interface marked CS5]
158 Troubleshooting Tips
Make sure the traffic is indeed pushed to and from the CGN cards. show interface serviceapp * is always expressed from the router's perspective, so: Pkts Out = going into the CGN card; Pkts In = coming from the CGN card into the router.
RP/0/RSP0/CPU0:Nets#sh int serviceapp * accounting
ServiceApp1
 Protocol       Pkts In   Chars In   Pkts Out   Chars Out
 IPV4_UNICAST   (values stripped from the source)
ServiceApp2
 Protocol       Pkts In   Chars In   Pkts Out   Chars Out
 IPV4_UNICAST   (values stripped from the source)
RP/0/RSP0/CPU0:Nets#
As a sanity check, ServiceApp1 Pkts Out (i2o traffic entering the card) should roughly match ServiceApp2 Pkts In (the translated i2o traffic leaving it), and conversely for the return direction; a large mismatch points at drops inside the card, whose reasons appear in the statistics summary counters.
159 Troubleshooting Tips
show interface serviceapp * accounting rates can be used to get trends on the traffic going through the system.
160 Troubleshooting Tips
When using ABF, configure hardware-count on the ABF access-group in order to see ABF match statistics: the Hits counter should increase as ingress traffic is directed to the ServiceApp next-hop.
interface TenGigE0/0/5/0
 vrf LOOPBACK
 ipv4 address <address/mask>
 load-interval 30
 ipv4 access-group ABF ingress hardware-count
!
RP/0/RP0/CPU0:router#show access-lists ABF hardware ingress detail location 0/0/CPU0
ACL name: ABF
Sequence Number: 10
Grant: permit
Logging: OFF
Per ace icmp: ON
Next Hop Enable: ON
VRF Table Id: 4096
Next-hop: <address>
Default Next Hop: OFF
Hits: <count>
Statistics pointer: 0x7ff5f
Number of TCAM entries: 1
161 Troubleshooting Tips on ISM
Be extra careful with the Unix-level commands on the card; one is very useful, though: show_nat44_stats, which shows the per-core session and user counts with their utilization.
RP/0/RSP0/CPU0:BNG#run attach 0/5/cpu0
Sat Dec 22 06:33 UTC
attach: Starting session 1 to node 0/5/cpu0
# show_nat44_stats
CORE-ID  #SESSIONS(%UTIL)  #USERS(%UTIL)
0        (19.6%)           1877(1.43%)
1        (19.5%)           1870(1.43%)
2        (19.6%)           1878(1.43%)
3        (19.6%)           1875(1.43%)
4        0(0.0%)           0(0.00%)
5        0(0.0%)           0(0.00%)
6        0(0.0%)           0(0.00%)
7        0(0.0%)           0(0.00%)
Total Sessions: [stripped]   Total users: 7500
Main DB size is [stripped] and User DB size is [stripped]
# exit
RP/0/RSP0/CPU0:BNG#
(session counts for the busy cores are stripped from the source)
162 Troubleshooting Tips on CGSE # show_nat44_stats CORE ID #SESSIONS(UTIL) #USERS(UTIL) (11.2%) 5109(31.18%) (11.3%) 5085(31.04%) (12.4%) 5143(31.39%) (12.0%) 5121(31.26%) (12.3%) 5171(31.56%) (12.1%) 5154(31.46%) (12.1%) 5048(30.81%) (10.9%) 5124(31.27%) (12.0%) 5122(31.26%) (12.4%) 5091(31.07%) (11.5%) 5128(31.30%) (12.1%) 5108(31.18%) (12.5%) 5218(31.85%) (12.2%) 5147(31.41%) (11.5%) 5146(31.41%) (12.6%) 5148(31.42%) (12.8%) 5087(31.05%) (11.7%) 5068(30.93%) (11.2%) 5125(31.28%) (11.1%) 5136(31.35%) (12.3%) 5133(31.33%) (11.2%) 5159(31.49%) (12.3%) 5137(31.35%) (12.0%) 5164(31.52%) (12.5%) 5098(31.12%) (12.3%) 5092(31.08%) (12.7%) 5153(31.45%) (10.7%) 5127(31.29%) (11.4%) 5149(31.43%) (12.3%) 5116(31.23%) (11.9%) 5120(31.25%) (11.5%) 5081(31.01%) (12.0%) 5028(30.69%) (11.2%) 5077(30.99%) (11.3%) 5066(30.92%) (12.0%) 5083(31.02%) (12.1%) 5110(31.19%) (11.8%) 5116(31.23%) (12.4%) 5035(30.73%) (11.8%) 5063(30.90%) (11.2%) 5072(30.96%) (11.7%) 5068(30.93%) (11.2%) 5110(31.19%) (12.3%) 5084(31.03%) (10.8%) 5115(31.22%) (10.5%) 5078(30.99%) (11.7%) 5075(30.98%) (11.9%) 5068(30.93%) (11.2%) 5105(31.16%) (11.3%) 5080(31.01%) (11.4%) 5107(31.17%) (12.3%) 5110(31.19%) (11.3%) 5119(31.24%) (11.2%) 5136(31.35%) (11.6%) 5016(30.62%) (11.9%) 5115(31.22%) (12.0%) 5022(30.65%) (11.3%) 5026(30.68%) (11.5%) 5072(30.96%) (10.9%) 5064(30.91%) (12.1%) 5044(30.79%) (12.3%) 5083(31.02%) (11.3%) 5100(31.13%) (11.7%) 5073(30.96%)
163 Online Diagnostics

Optionally, configure online diagnostics on the CGSE card. With redundant cards, the active one being in 0/0/CPU0:

    RP/0/RP0/CPU0:CRS(config)#
    service-plim-ha location 0/0/CPU0 datapath-test
    service-plim-ha location 0/0/CPU0 core-to-core-test
    service-plim-ha location 0/0/CPU0 pci-test
    service-plim-ha location 0/0/CPU0 coredump-extraction
    service-plim-ha location 0/0/CPU0 linux-timeout 500
    service-plim-ha location 0/0/CPU0 msc-timeout 500
    !

A detected error triggers a reload of the PLIM, which is acceptable when a redundant card can take over. If the card is stand-alone (no redundancy), a reload would take the whole translation service down with it, so the automatic reset is disabled in admin configuration:

    RP/0/RP0/CPU0:CRS(admin-config)#
    hw-module reset auto disable location 0/0/CPU0
    !
164 Online Diagnostics

Optionally, configure online diagnostics on the ISM card:

    RP/0/RP0/CPU0:ASR9000(config)#
    service-cgv6-ha location 0/2/CPU0 puntpath-test
    service-cgv6-ha location 0/2/CPU0 datapath-test
    !
165 Performance / Scalability: Per-Blade Limits

(columns: CGSE | CGSE+ | ISM | VSM; a cell left empty was lost in the transcription of the slide)
NAT44 instances supported:    1 per card | 1 per card | 1 per card | 1 (at FCS)
DS-Lite instances supported:  64 per chassis | N/A | 64 per chassis | Future
6rd instances supported:      64 per chassis | 64 per chassis | ? | Future
NAT64 instances supported:    64 per chassis | N/A | ? | Future
Number of service infra:       |  |  |
Number of service app:        890 (2000 per system) | ? | 244 (per system) | 4096
IP pool supported:            /16 to /26 (max addresses) | /16 to /26 (max addresses), future: longer prefix | /16 to /30 (max addresses) | /16 to /30 (max addresses)
Max static port forwarding:   2K tested | 6K | 6K | 6K
Max number of NAT users:      1M | 1M (2M) | 1M | 4M
166 Comparing the CGN Platforms

(columns: CGSE | CGSE+ | ISM | VSM; a cell left empty was lost in the transcription of the slide)
Configuration CLIs:           Same | Same | Same | Same
Uses SVI:                     Yes | Yes | Yes | Yes
Network processor:            Yes (Metro) | Yes (Pogo) | No, handled by a dedicated process | Yes (Typhoon)
Packet distribution:          One level: NAT44 load-balancing on the egress Metro | One level: NAT44 load-balancing on the egress Pogo | Two levels: a) by the ingress LC using VQI, b) NAT44 load-balancing within the Dispatcher process |
Egress FIB lookup:            On iMetro | On iPogo | Within the CGv6 app | On
ServiceApp placement:         Anywhere | Anywhere | Associated with Niantic port/VQI | ? Associated with NP ports / Niantic ports
Number of CGv6 instances:     64 (4 Octeons) for the CGSE, matching the 64 cores of slide 162; the other two surviving cells, 8 (2 Westmeres) and 48 (in 2 logical groups), lost their column assignment in the transcription
Stateless protocols (in the CGN card): 6rd, NAT64SL | 6rd (NAT64SL future) | 6rd, MAP-T/E | Future: 6rd, MAP-T/E
Inline support:               No | No | Yes, for SL protocols | Future
167 BACKUP SLIDES PPTP ALG DETAILS
168 PPTP ALG: Outbound Call

Figure: PNS (inside) - PPTP NAT - IPv4 Internet - PAC, with the PPTP control connection (TCP 1723) running end to end. The PNS sends an Outgoing Call Request carrying its Inside Call-ID; the ALG rewrites it to an Outside Call-ID before the request reaches the PAC, and the PAC answers with an Outgoing Call Reply. The two tuples are mapped and an entry is created in the translation database.

The Call-ID has to be translated because PPTP carries the user data in GRE, which has no ports: the Call-ID in the GRE Key field is the only value the NAT can use to return a packet to the right inside host, so two inside hosts behind the same public address must never present the same Call-ID to the same PAC.
169 PPTP ALG: Inbound Call

Figure: same topology, control connection (TCP 1723) between PNS and PAC. The PAC sends an Incoming Call Request carrying an Outside Call-ID; the ALG maps it to an Inside Call-ID towards the PNS, and the PNS answers with an Incoming Call Reply. As for the outbound call, the two tuples are mapped and an entry is created in the translation database.
170 PPTP ALG: Disconnect

Figure: same topology, control connection (TCP 1723) between PNS and PAC. A Call Clear Request from the PNS side carries the Inside Call-ID; a Call Disconnect Notify from the PAC side carries the Outside Call-ID. Depending on the side initiating the disconnection, the Inside Call-ID or the Outside Call-ID tuple is marked for deletion from the translation database.
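Slides 168 to 170 describe the Call-ID mapping only through figures. The following Python model of that translation database is an added example, not code from the presentation or from the IOS-XR ALG; the addresses, the Call-IDs and the policy of keeping the client's own Call-ID whenever it is still free towards that PAC are assumptions made for the illustration. The PAC-side handling follows the PPTP message layout (the Outgoing Call Reply echoes the peer's Call-ID, enhanced-GRE data carries the peer's Call-ID in the Key field), and the two teardown paths are keyed on the inside or the outside tuple as slide 170 describes. The scenario in demo() is the case the ALG exists for: two inside hosts choose the same Call-ID towards the same PAC.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Model of the PPTP ALG Call-ID translation DB from slides 168-170. Everything
# below is constructed for this example; addresses and Call-IDs are made up.


@dataclass
class CallMapping:
    inside_ip: str
    inside_call_id: int            # Call-ID chosen by the inside PNS
    outside_call_id: int           # Call-ID the PAC sees; unique per PAC behind this NAT
    pac_ip: str
    pac_call_id: Optional[int] = None  # learned from the Outgoing Call Reply


class PptpAlg:
    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self._by_inside: Dict[Tuple[str, int], CallMapping] = {}
        self._by_outside: Dict[Tuple[str, int], CallMapping] = {}

    def _free_outside_call_id(self, pac_ip: str, wanted: int) -> int:
        # Assumed policy: keep the PNS's own Call-ID when no other inside host uses
        # it towards this PAC, else take the next free 16-bit value. Inbound GRE
        # has no ports, so (PAC, Call-ID) must be unique behind this outside IP.
        for offset in range(0x10000):
            cand = (wanted + offset) & 0xFFFF
            if (pac_ip, cand) not in self._by_outside:
                return cand
        raise RuntimeError(f"Call-ID space exhausted towards {pac_ip}")

    def outgoing_call_request(self, inside_ip: str, inside_call_id: int, pac_ip: str) -> int:
        """i2o Outgoing Call Request: map the two tuples, create the DB entry and
        return the Call-ID written into the forwarded control message."""
        key = (inside_ip, inside_call_id)
        if key in self._by_inside:                        # retransmission: reuse entry
            return self._by_inside[key].outside_call_id
        m = CallMapping(inside_ip, inside_call_id,
                        self._free_outside_call_id(pac_ip, inside_call_id), pac_ip)
        self._by_inside[key] = m
        self._by_outside[(pac_ip, m.outside_call_id)] = m
        return m.outside_call_id

    def outgoing_call_reply(self, pac_ip: str, pac_call_id: int,
                            peer_call_id: int) -> Optional[Tuple[str, int]]:
        """o2i Outgoing Call Reply: 'Peer's Call ID' echoes our outside value;
        rewrite it back to the inside Call-ID and learn the PAC's own Call-ID."""
        m = self._by_outside.get((pac_ip, peer_call_id))
        if m is None:
            return None                                   # no matching request: drop
        m.pac_call_id = pac_call_id
        return m.inside_ip, m.inside_call_id

    def gre_o2i(self, pac_ip: str, key: int) -> Optional[Tuple[str, int]]:
        """Inbound GRE data: Key holds the PNS Call-ID as the PAC knows it.
        Return (inside host, rewritten Key), or None to drop."""
        m = self._by_outside.get((pac_ip, key))
        if m is None or m.pac_call_id is None:            # call not established
            return None
        return m.inside_ip, m.inside_call_id

    def gre_i2o(self, inside_ip: str, pac_ip: str, key: int) -> bool:
        """Outbound GRE carries the PAC's Call-ID, so nothing is rewritten; pass
        it only if this inside host owns an established call with that ID."""
        return any(m.inside_ip == inside_ip and m.pac_ip == pac_ip and m.pac_call_id == key
                   for m in self._by_inside.values())

    def _remove(self, m: CallMapping) -> None:
        del self._by_inside[(m.inside_ip, m.inside_call_id)]
        del self._by_outside[(m.pac_ip, m.outside_call_id)]

    def call_clear_request(self, inside_ip: str, inside_call_id: int) -> Optional[int]:
        """i2o teardown: the inside tuple is deleted; return the translated Call-ID."""
        m = self._by_inside.get((inside_ip, inside_call_id))
        if m is None:
            return None
        self._remove(m)
        return m.outside_call_id

    def call_disconnect_notify(self, pac_ip: str,
                               outside_call_id: int) -> Optional[Tuple[str, int]]:
        """o2i teardown: the outside tuple is deleted; return the inside tuple."""
        m = self._by_outside.get((pac_ip, outside_call_id))
        if m is None:
            return None
        self._remove(m)
        return m.inside_ip, m.inside_call_id


def demo() -> Dict[str, object]:
    """Two inside hosts pick Call-ID 1 towards the same PAC."""
    alg = PptpAlg("198.51.100.10")
    out: Dict[str, object] = {}
    out["a_req"] = alg.outgoing_call_request("10.0.0.1", 1, "203.0.113.5")  # keeps 1
    out["b_req"] = alg.outgoing_call_request("10.0.0.2", 1, "203.0.113.5")  # rewritten to 2
    out["b_reply"] = alg.outgoing_call_reply("203.0.113.5", 4000, 2)        # ("10.0.0.2", 1)
    out["gre_b"] = alg.gre_o2i("203.0.113.5", 2)                            # ("10.0.0.2", 1)
    out["gre_a"] = alg.gre_o2i("203.0.113.5", 1)                            # None, no reply yet
    out["gre_spoof"] = alg.gre_i2o("10.0.0.1", "203.0.113.5", 4000)         # False, not A's call
    out["b_clear"] = alg.call_clear_request("10.0.0.2", 1)                  # 2
    out["gre_b_after"] = alg.gre_o2i("203.0.113.5", 2)                      # None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Host B's request leaves with Call-ID 2 while host A keeps 1, so the PAC's GRE packets keyed 1 and 2 are demultiplexed to the right inside host and the Key is rewritten on the way back; a GRE packet for a call that never saw its reply, or an outbound GRE packet carrying another host's PAC Call-ID, is dropped rather than forwarded.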