Carrier Grade NAT NetFlow is supported by our NetFlow solution because it’s just NAT. This post will explain a few concepts in and around Carrier Grade NAT (CGN) as well as how it impacts the NetFlow exports. If however, you are looking for a post on Carrier Grade NAT Reporting with Bulk Port Allocation. That is in my other post.
Carrier Grade NAT or Large Scale NAT
Carrier-Grade NAT (CGN) is used by service providers to assign private RFC 1918 IPv4 addresses to their customers rather than public, globally unique IPv4 addresses. Traditional NAT or Customer Premise Equipment (CPE NAT) is used at customer networks where they connect to a service provider. NAT is used to translate between private internal IPv4 addresses and one or a few public addresses assigned by the provider. CGN appears within the service provider network where it translates between private and public IPv4 addresses. The private side of CGN faces the provider’s customers.
You might be asking yourself “What is the real difference between traditional (i.e. CPE) NAT and CGN?” The answer is scale. Carrier grade is really sort of misleading which is why there is an effort underway to reference it as Large Scale NAT (LSN). Other than scale, there really is no difference between these NAT implementations.
It is possible that a customer’s router would CPE-NAT from an IPv4 address (e.g. 10.1.1.1) to another IPv4 address (e.g. 172.16.1.1) and then the ISP would LSN 172.16.1.1 to a third IPv4 address (220.127.116.11). This scenario is sometimes referred to as NAT444 . It’s an attractive configuration because existing CPE NATs can be used with no modifications. NATs do not care whether their outside IPv4 addresses are public or private. As a result, from the CPE NAT’s perspective nothing is different. Service providers deploying this architecture do not have to impose special equipment requirements on their customers or require customers to change out existing equipment. Any old NAT will do.
There are also variations of NAT444 that incorporate IPv6 such as NAT64 and NAT464. The goal of this post however is to make reference to Carrier Grade NAT NetFlow support. Before I dive into this, I want to finish up by sharing that carrier-grade NAT has been proposed as an approach for mitigating IPv4 address exhaustion. However, critics of carrier-grade NAT (LSN) argue the following aspects:
- Like any form of NAT, it breaks the end-to-end principle.
- It has significant security, scalability and reliability problems, by virtue of being stateful.
- It makes record keeping for law-enforcement operations more difficult, except if the translation of the addresses is logged.
- It makes it impossible to host services.
- It does not solve the IPv4 address exhaustion problem when a routable IP address is needed, such as in web hosting.
Regardless of how the above shakes out, we currently have Carrier Grade NAT NetFlow support. Similar to the NAT reporting we provide for firewalls, CGN NetFlow support is provided in a similar fashion. To get started, the Cisco router must be running IOS XR software Release 3.9.1 or above.
Configuring Carrier Grade NAT NetFlow
The following steps can be used to configure Carrier Grade NAT NetFlow in Cisco IOS XR Software
- service cgn instance-name
- service-type nat44 nat1
- inside-vrf vrf-name
- external-logging netflowv9
- Options (see descriptions below):
7a) address address port number
7b) path-mtu value
7c) refresh-rate value
7e) timeout value
- end or commit
7a: Configures the IPv4 address and port number 45 to log Netflow entries for the NAT table.
7b: Configures the path MTU with the value of 2900 for the netflowv9-based external-logging facility.
7c: Configures the refresh rate value of 50 to log Netflow-based external logging information for an inside VRF.
7d: Configures the session logging for a NAT44 or DS-Lite instance.
7e: Configures the timeout value of 50 for Netflow logging of NAT table entries for an inside VRF.
NetFlow Vs. Syslog
For those customers thinking about using syslog over NetFlow for logging these Carrier Grade NAT details, keep in mind what it says in the Cisco documentation “In Cisco IOS XR Software Release 4.2.1 and later, the DS Lite and NAT44 features support Syslog as an alternative to Netflow. Syslog uses ASCII format and hence can be read by users. However, the log data volume is higher in Syslog than Netflow.” NetFlow and now IPFIX are the future. Vendors converting NetFlow to syslog are providing a kludge approach that won’t work if the company needs to scale the data collection.
Carrier Grade NAT Reporting
Reach out to our team if you are looking for a Carrier Grade NAT reporting or high speed logging solution. A single scalable NetFlow collector can consume over 100K flows per second.