Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into fewer public IPv4 addresses.
This module provides an overview of CGN and describes how to configure CGN.
Restrictions for Carrier Grade Network Address Translation
- Asymmetric routing with box-to-box (B2B) redundancy is not supported in Carrier Grade Network Address Translation (CGN) mode.
- B2B redundancy is not supported on broadband with CGN; B2B is supported on standalone CGN.
- Broadband is not supported with traditional NAT.
- CGN does not support IP sessions.
- NAT outside mappings are disabled automatically when CGN operating mode is configured using the ip nat settings mode cgn command.
- CGN does not support integration with Cisco Performance Routing (PfR). Commands with the oer keyword are not supported. For example, the ip nat inside source route-map pool overload oer and the ip nat inside source list pool overload oer commands are not supported.
- The match-in-vrf keyword for intra-VPN NAT is not supported with CGN.
- If you specify a destination port to configure a timeout in CGN mode, the destination port is ignored and the local port is used for the timeout.
- The ip nat settings log-destination command is not supported in a Box-to-Box High-Availability setup.
Information About Carrier Grade Network Address Translation
Carrier Grade NAT Overview
Network Address Translation (NAT) is positioned between a private and public IP network and uses nonglobal, private IP addresses and a public IP address for translation. NAT dynamically maps one or more private IP addresses into one or more public (globally routable) IP addresses that use Network Address and Port Translation (NAPT) techniques. Traditionally, NAT boxes are deployed in residential home gateways (HGWs) to translate multiple private IP addresses that are configured on multiple devices inside the home to a single public IP address that is configured and provisioned on the HGW by the service provider. Service providers deploy NAT in such a way that multiple subscribers can share a single global IP address. The service provider NAT scales to several millions of NAT translations, making it a Carrier Grade NAT (CGN).
In CGN, packets that traverse from inside the network to outside require only the source address port translation; destination address port translation is not required. CGN can be standalone like traditional NAT or you can use it along with broadband access aggregation. CGN coexists with Intelligent Services Gateway (ISG) features such as Layer 4 Redirect and subscriber services such as traffic classes.
You can configure CGN by using the ip nat settings mode cgn command. Use the ip nat settings mode default command to change back to the default (traditional) NAT operating mode. In CGN mode, you cannot configure any NAT outside mappings. Mode changes on an active NAT device are not allowed, and before you change from the default NAT mode to CGN mode, all existing outside mappings must be removed. Use the no ip nat settings support mapping outside command to remove all outside mappings and to prevent any new outside mappings from being configured. You can also remove outside mappings by using the no form of the commands used to configure NAT outside. If specific ports are configured with TCP or UDP timeout values, remove the ip nat translation port protocol port timeout configuration completely and then reconfigure the timeout values for these protocols using the same command; alternatively, reload the device. Note that if you specify a destination port to configure a timeout in CGN mode, the destination port is ignored and the local port is used for the timeout.
CGN increases the scalability of the number of NAT translations that can be supported because destination information is not stored.
CGN supports the following:
- All application-level gateways (ALGs) that are supported by traditional NAT. For more information about supported ALGs, see the Using Application-Level Gateways with NAT module of the IP Addressing: NAT Configuration Guide.
- Endpoint-independent mapping and endpoint-independent filtering.
- Hairpinning by using VRF-Aware Software Infrastructure (VASI) and policy-based routing (PBR). Hairpinning occurs when two subscribers are behind the same NAT device but can see each other only by using the global IP address.
- Interbox and intrabox redundancy.
- Lawful intercept.
- Logging of NAT high-speed logging (HSL) records. For more information about HSL, see the section “High-Speed Logging for NAT” in the Maintaining and Monitoring NAT module of the IP Addressing: NAT Configuration Guide.
- Multihoming, which is the ability to support multiple outside interfaces to provide connectivity through redundant or standby exit points. Depending on the configured routing topology, any exit interface that is marked as an outside interface can use a translation that was created previously.
- TCP timeout value of 2 hours and 4 minutes.
- VPN routing and forwarding (VRF)-aware NAT.
- CGN can scale to a higher number of translations on the ESP200 by using the ip nat settings scale bind command.
Carrier Grade NAT Support for Broadband Access Aggregation
You can configure Carrier Grade Network Address Translation (CGN) as an independent feature or use CGN along with broadband access aggregation.
Broadband access aggregation enables connections between multiple technologies such as cable, digital subscriber line (DSL), Ethernet, ISDN, and wireless devices that are connected to corporate VPNs, third-party applications, and the Internet.
PPP over Ethernet (PPPoE) connects hosts on a network over a simple bridging device to a remote aggregation concentrator. PPPoE is the predominant access protocol in broadband networks worldwide.
For PPPoE to work with CGN, either the virtual templates or the RADIUS server must provide the Network Address Translation (NAT) inside configuration. The NAT inside configuration can be downloaded as part of the RADIUS authentication, or alternatively you can configure the ip nat inside command on the virtual template, which is cloned into a virtual access interface that inherits the ip nat inside configuration. For the RADIUS server to provide the NAT inside configuration, configure the aaa policy interface-config allow-subinterface global command, or configure the Cisco attribute-value pair (AV pair) lcp:allow-subinterface=yes and then include lcp:interface-config=ip nat inside in the RADIUS profile on a per-subscriber basis.
You can terminate a PPPoE session either in the global routing table or at a VRF instance.
CGN supports dual-stack (IPv4 and IPv6) PPP sessions. However, only IPv4 traffic is subject to NAT. The IPv6 traffic is not translated; it is routed as per the IPv6 routing configuration.
How to Configure Carrier Grade Network Address Translation
Based on your network configuration, you can configure static, dynamic, or dynamic PAT Carrier Grade NAT.
Note: You must use at least one of the configurations described in the following tasks for Carrier Grade NAT to work.
Configuring Static Carrier Grade NAT
Static address translation (static NAT) allows one-to-one mapping between local and global addresses. Use the ip nat inside source static command to enable static NAT of the inside source address.
SUMMARY STEPS
- enable
- configure terminal
- ip nat settings mode cgn
- ip nat inside source static local-ip global-ip
- interface gigabitethernet card/spaslot/port.subinterface-number
- ip nat inside
- exit
- interface type number
- ip nat outside
- end
- show ip nat translations [verbose]
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal | Enters global configuration mode. |
3 | ip nat settings mode cgn | Enables CGN operating mode. |
4 | ip nat inside source static local-ip global-ip | Enables static Carrier Grade NAT of the inside source address. |
5 | interface gigabitethernet card/spaslot/port.subinterface-number | Configures an interface and enters interface configuration mode. |
6 | ip nat inside | Indicates that the interface is connected to the inside network (the network that is subject to NAT translation). |
7 | exit | Exits interface configuration mode and enters global configuration mode. |
8 | interface type number | Configures an interface and enters interface configuration mode. |
9 | ip nat outside | Indicates that the interface is connected to the outside network. |
10 | end | Exits interface configuration mode and enters privileged EXEC mode. |
11 | show ip nat translations [verbose] | Displays active NAT translations. |
Example
The following is sample output from the show ip nat translations command:
```
Device# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.5.5.1:1025      192.0.2.1:4000     ---                ---
udp 10.5.5.1:1024      192.0.2.3:4000     ---                ---
udp 10.5.5.1:1026      192.0.2.2:4000     ---                ---
Total number of translations: 3
```
The following is sample output from the show ip nat translations verbose command:
```
Device# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
udp 10.5.5.1:1025      192.0.2.1:4000     ---                ---
  create: 02/15/12 11:38:01, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
udp 10.5.5.1:1024      192.0.2.3:4000     ---                ---
  create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
udp 10.5.5.1:1026      192.0.2.2:4000     ---                ---
  create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
Total number of translations: 3
```
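An added example (not from the guide) that parses the verbose output above into records and audits it for two things an operator cares about in CGN mode: that every outside column is "---" (no destination was stored, as the mode promises) and how many inside hosts sit behind each public address. The sample text is the guide's own output re-embedded as constructed input; parse_translations, audit and the record field names are this script's own.

```python
"""Parse `show ip nat translations [verbose]` into records and audit them.
Added example, not Cisco code.  The embedded sample is the guide's output,
re-typed here as constructed input; the field names are this script's own."""

import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_VERBOSE = """\
Device# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
udp 10.5.5.1:1025      192.0.2.1:4000     ---                ---
  create: 02/15/12 11:38:01, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
udp 10.5.5.1:1024      192.0.2.3:4000     ---                ---
  create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
udp 10.5.5.1:1026      192.0.2.2:4000     ---                ---
  create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00
  Map-Id(In): 1
  Mac-Address: 0000.0000.0000    Input-IDB: TenGigabitEthernet1/1/0
  entry-id: 0x0, use_count:1
Total number of translations: 3
"""

# One translation line: protocol followed by the four address:port columns.
ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# The first indented detail line of a verbose entry.
DETAIL_RE = re.compile(r"create: ([^,]+), use: ([^,]+), timeout: (\S+)")

Endpoint = Tuple[Optional[str], Optional[int]]


def split_endpoint(text: str) -> Endpoint:
    """'10.5.5.1:1025' -> ('10.5.5.1', 1025); '---' -> (None, None)."""
    if text == "---":
        return None, None
    ip, _, port = text.rpartition(":")
    return ip, int(port)


def parse_translations(output: str) -> List[Dict]:
    records: List[Dict] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            proto, ig, il, ol, og = m.groups()
            records.append({
                "proto": proto,
                "inside_global": split_endpoint(ig),
                "inside_local": split_endpoint(il),
                "outside_local": split_endpoint(ol),
                "outside_global": split_endpoint(og),
            })
            continue
        d = DETAIL_RE.search(line)
        if d and records:  # attach verbose timing to the entry just parsed
            records[-1].update(create=d[1], last_use=d[2], timeout=d[3])
    return records


def audit(records: List[Dict]) -> Dict:
    """CGN mode stores no destination, so both outside columns must be empty;
    also count inside hosts per public address (the fan-in that attribution
    has to undo) and check that no public (proto, ip, port) tuple is claimed
    twice, which would make a log-based lookup ambiguous."""
    no_destination = all(
        r["outside_local"] == (None, None) and r["outside_global"] == (None, None)
        for r in records)
    hosts_per_global_ip = defaultdict(set)
    for r in records:
        hosts_per_global_ip[r["inside_global"][0]].add(r["inside_local"][0])
    seen, collisions = set(), 0
    for r in records:
        key = (r["proto"], r["inside_global"])
        collisions += key in seen
        seen.add(key)
    return {
        "count": len(records),
        "endpoint_independent": no_destination,
        "hosts_per_global_ip": {ip: len(h) for ip, h in hosts_per_global_ip.items()},
        "global_tuple_collisions": collisions,
    }


if __name__ == "__main__":
    print(audit(parse_translations(SAMPLE_VERBOSE)))
```

The same parser accepts the non-verbose output, since the detail lines are simply absent; the create and last_use fields then stay unset.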
Configuring Dynamic Carrier Grade NAT
Dynamic address translation (dynamic NAT) maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.
SUMMARY STEPS
- enable
- configure terminal
- ip nat settings mode cgn
- access-list standard-access-list-number permit source wildcard
- access-list standard-access-list-number permit source wildcard
- route-map map-tag
- match ip address [access-list-number]
- match ip next-hop [access-list-number]
- exit
- ip nat pool name start-ip end-ip prefix-length prefix-length
- ip nat inside source route-map name pool name
- interface gigabitethernet card/spaslot/port.subinterface-number
- ip nat inside
- exit
- interface type number
- ip nat outside
- end
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal | Enters global configuration mode. |
3 | ip nat settings mode cgn | Enables CGN operating mode. |
4 | access-list standard-access-list-number permit source wildcard | Defines a standard access list that permits the inside source addresses to be translated (matched by match ip address in Step 7). |
5 | access-list standard-access-list-number permit source wildcard | Defines a standard access list that permits the next-hop addresses (matched by match ip next-hop in Step 8). |
6 | route-map map-tag | Defines conditions for redistributing routes from one routing protocol into another or enables policy routing, and enters route-map configuration mode. |
7 | match ip address [access-list-number] | Distributes any routes that have a destination network number address that is permitted by a standard access list, an extended access list, or a prefix list, or performs policy routing on packets. |
8 | match ip next-hop [access-list-number] | Redistributes any routes that have a next-hop router address passed by one of the specified access lists. |
9 | exit | Exits route-map configuration mode and enters global configuration mode. |
10 | ip nat pool name start-ip end-ip prefix-length prefix-length | Defines a pool of IP addresses for NAT. |
11 | ip nat inside source route-map name pool name | Enables dynamic NAT of the inside source address. |
12 | interface gigabitethernet card/spaslot/port.subinterface-number | Configures an interface and enters interface configuration mode. |
13 | ip nat inside | Indicates that the interface is connected to the inside network (the network that is subject to NAT translation). |
14 | exit | Exits interface configuration mode and enters global configuration mode. |
15 | interface type number | Configures an interface and enters interface configuration mode. |
16 | ip nat outside | Indicates that the interface is connected to the outside network. |
17 | end | Exits interface configuration mode and enters privileged EXEC mode. |
Configuring Dynamic Port Address Carrier Grade NAT
Port Address Translation (PAT) or overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one mapping) by using different ports. PAT enables thousands of users to connect to the Internet by using only one real global IP address.
SUMMARY STEPS
- enable
- configure terminal
- ip nat settings mode cgn
- ip nat inside source list number pool name [overload]
- ip nat pool name start-ip end-ip netmask netmask
- access-list standard-access-list-number permit source wildcard
- interface gigabitethernet card/spaslot/port.subinterface-number
- ip nat inside
- exit
- interface type number
- ip nat outside
- end
- show ip nat statistics
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
1 | enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal | Enters global configuration mode. |
3 | ip nat settings mode cgn | Enables CGN operating mode. |
4 | ip nat inside source list number pool name [overload] | Enables dynamic translation of the inside source addresses permitted by the access list, using addresses from the pool. The overload keyword enables PAT, so that many inside addresses share one global address. |
5 | ip nat pool name start-ip end-ip netmask netmask | Defines a pool of IP addresses for NAT. |
6 | access-list standard-access-list-number permit source wildcard | Defines a standard access list and specifies a host. |
7 | interface gigabitethernet card/spaslot/port.subinterface-number | Configures an interface and enters interface configuration mode. |
8 | ip nat inside | Indicates that the interface is connected to the inside network (the network that is subject to NAT translation). |
9 | exit | Exits interface configuration mode and enters global configuration mode. |
10 | interface type number | Configures an interface and enters interface configuration mode. |
11 | ip nat outside | Indicates that the interface is connected to the outside network. |
12 | end | Exits interface configuration mode and enters privileged EXEC mode. |
13 | show ip nat statistics | Displays NAT statistics. |
Example
The following is sample output from the show ip nat statistics command:
```
Device# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  TenGigabitEthernet2/0/0, TenGigabitEthernet2/1/0, TenGigabitEthernet2/2/0
  TenGigabitEthernet2/3/0
Inside interfaces:
  TenGigabitEthernet1/0/0, TenGigabitEthernet1/1/0, TenGigabitEthernet1/2/0
  TenGigabitEthernet1/3/0
Hits: 59230465  Misses: 3
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 102 pool mypool refcount 3
 pool mypool: netmask 255.255.255.0
        start 10.5.5.1 end 10.5.5.5
        type generic, total addresses 5, allocated 1 (20%), misses 0
nat-limit statistics:
 max entry: max allowed 2147483647, used 3, missed 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
```
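Pool exhaustion and allocation failures are the conditions in this output that become an availability incident for every subscriber behind the CGN, so they are worth pulling out of the counters automatically. The following added script (not Cisco code) parses the statistics and reports findings; the sample is the output above re-embedded as constructed input, and the parsed field names and the 80% warning threshold are this script's assumptions.

```python
"""Parse `show ip nat statistics` for the counters that indicate a CGN under
stress (pool exhaustion, allocation failures, limit hits) and turn them into
findings for a monitoring check.  Added example, not Cisco code: the sample
output is the guide's own, re-embedded here as constructed input; the field
names and the 80% warning threshold are this script's assumptions."""

import re
from typing import Dict, List

SAMPLE_STATS = """\
Device# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  TenGigabitEthernet2/0/0, TenGigabitEthernet2/1/0, TenGigabitEthernet2/2/0
  TenGigabitEthernet2/3/0
Inside interfaces:
  TenGigabitEthernet1/0/0, TenGigabitEthernet1/1/0, TenGigabitEthernet1/2/0
  TenGigabitEthernet1/3/0
Hits: 59230465  Misses: 3
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 102 pool mypool refcount 3
 pool mypool: netmask 255.255.255.0
        start 10.5.5.1 end 10.5.5.5
        type generic, total addresses 5, allocated 1 (20%), misses 0
nat-limit statistics:
 max entry: max allowed 2147483647, used 3, missed 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
"""

# A pool block spans three lines; \s+ crosses the line breaks.
POOL_RE = re.compile(
    r"pool (\S+): netmask (\S+)\s+start (\S+) end (\S+)\s+type (\S+), "
    r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)")

# Counter label as printed -> key in the parsed dict.
COUNTERS = {
    "Pool stats drop": "pool_drop",
    "Mapping stats drop": "mapping_drop",
    "Port block alloc fail": "port_block_fail",
    "IP alias add fail": "ip_alias_fail",
    "Limit entry add fail": "limit_entry_fail",
}


def parse_nat_statistics(output: str) -> Dict:
    stats: Dict = {"pools": []}
    m = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", output)
    if m:
        stats.update(total=int(m[1]), static=int(m[2]), dynamic=int(m[3]), extended=int(m[4]))
    m = re.search(r"Hits: (\d+)\s+Misses: (\d+)", output)
    if m:  # a miss is a packet with no existing translation, not an error
        stats.update(hits=int(m[1]), misses=int(m[2]))
    for p in POOL_RE.finditer(output):
        stats["pools"].append({
            "name": p[1], "netmask": p[2], "start": p[3], "end": p[4], "type": p[5],
            "total": int(p[6]), "allocated": int(p[7]), "allocated_pct": int(p[8]),
            "misses": int(p[9]),
        })
    m = re.search(r"max entry: max allowed (\d+), used (\d+), missed (\d+)", output)
    if m:
        stats.update(limit_max=int(m[1]), limit_used=int(m[2]), limit_missed=int(m[3]))
    for label, key in COUNTERS.items():
        m = re.search(re.escape(label) + r": (\d+)", output)
        if m:
            stats[key] = int(m[1])
    return stats


def findings(stats: Dict, pool_warn_pct: int = 80) -> List[str]:
    """Raw counters -> conditions an operator should act on: a pool near
    exhaustion starves new subscribers of translations, and any non-zero
    drop/fail counter means sessions are already being refused."""
    out: List[str] = []
    for p in stats["pools"]:
        if p["allocated_pct"] >= pool_warn_pct:
            out.append(f"pool {p['name']}: {p['allocated']}/{p['total']} addresses allocated ({p['allocated_pct']}%)")
        if p["misses"]:
            out.append(f"pool {p['name']}: {p['misses']} allocation misses")
    if stats.get("limit_missed"):
        out.append(f"translation limit reached {stats['limit_missed']} times (max {stats['limit_max']})")
    for key in COUNTERS.values():
        if stats.get(key, 0):
            out.append(f"{key} = {stats[key]}")
    return out


if __name__ == "__main__":
    print(findings(parse_nat_statistics(SAMPLE_STATS)) or ["no findings"])
```

Because these are cumulative counters, a real check should compare successive samples and alert on the delta rather than on the absolute value of an old failure.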
Logging Destination IP Address and Port Details in Carrier Grade NAT (CGN) Mode
In the Carrier Grade NAT (CGN) mode, the destination IP address and port details are not logged when High Speed Logging (HSL) records are generated. You can still log the destination IP address and destination port details using the classic NAT mode, but that does not support Endpoint-independent filtering (EIF).
Once the ip nat settings log-destination command is configured in the Carrier Grade NAT (CGN) mode, the destination IP address and destination port details are included in the add and delete HSL records.
To include the destination IP address and destination port in the HSL messages in Carrier Grade NAT (CGN) mode, configure the ip nat settings log-destination command, as shown in the following example.
Example
```
Device# show run | in log
ip nat settings log-destination
ip nat log translations flow-export v9 udp ipv6-destination 2001::2 30000 source GigabitEthernet0/0/3
ip nat log translations flow-export v9 udp destination 172.27.61.85 20000
```
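The practical consequence of this logging choice is which questions the exported HSL stream can answer later. The following added Python example (not Cisco code, and not the real NetFlow v9 record layout) replays constructed add/delete records with and without destination fields: attributing a public (address, port) at a given time works either way because the source-side tuple is always logged, but once a public port is reused after a delete, the delete record and a precise timestamp become essential, and "which subscribers reached destination X" is answerable only when log-destination has added the destination fields. The record field names, timestamps and addresses are constructed.

```python
"""Attribution lookups over NAT high-speed-logging (HSL) add/delete records.
Added example, not Cisco code.  The record schema is a constructed, simplified
stand-in for the exported NetFlow v9 records (field names are this script's
own), built to show why the delete record and a precise timestamp matter once
a public port is reused, and what becomes answerable only when
`ip nat settings log-destination` adds destination fields."""

from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed HSL stream in CGN mode without log-destination: no destination fields.
HSL_NO_DST: List[Dict] = [
    {"event": "add",    "ts": 1000, "proto": "udp", "in_local": ("192.0.2.1", 4000), "in_global": ("10.5.5.1", 1025)},
    {"event": "add",    "ts": 1010, "proto": "udp", "in_local": ("192.0.2.3", 4000), "in_global": ("10.5.5.1", 1024)},
    {"event": "delete", "ts": 1300, "proto": "udp", "in_local": ("192.0.2.1", 4000), "in_global": ("10.5.5.1", 1025)},
    # Public port 1025 is handed to a different subscriber after the delete.
    {"event": "add",    "ts": 1400, "proto": "udp", "in_local": ("192.0.2.7", 5000), "in_global": ("10.5.5.1", 1025)},
]

# The same stream with log-destination enabled: records also carry the destination.
HSL_WITH_DST: List[Dict] = [
    dict(r, out_global=dst) for r, dst in zip(HSL_NO_DST, [
        ("198.51.100.5", 443), ("198.51.100.9", 53), ("198.51.100.5", 443), ("198.51.100.5", 443)])
]


def active_mappings(records: List[Dict], at_ts: int) -> Dict[Tuple[str, Endpoint], Dict]:
    """Replay add/delete records in time order; return the mappings open at at_ts."""
    open_: Dict[Tuple[str, Endpoint], Dict] = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"] > at_ts:
            break
        key = (r["proto"], r["in_global"])
        if r["event"] == "add":
            open_[key] = r
        elif r["event"] == "delete":
            open_.pop(key, None)
    return open_


def attribute(records: List[Dict], public: Endpoint, proto: str, at_ts: int) -> Optional[Endpoint]:
    """Which inside host held public (ip, port) at at_ts?  Works with or without
    destination logging, because the source-side tuple is always recorded."""
    r = active_mappings(records, at_ts).get((proto, public))
    return r["in_local"] if r else None


def subscribers_reaching(records: List[Dict], dst: Endpoint,
                         start_ts: int, end_ts: int) -> Optional[Set[str]]:
    """Inside hosts whose add records name dst within [start_ts, end_ts].
    Returns None when the stream carries no destination fields (CGN mode
    without log-destination): the question cannot be answered from these logs."""
    if not any("out_global" in r for r in records):
        return None
    return {r["in_local"][0] for r in records
            if r["event"] == "add" and r.get("out_global") == dst
            and start_ts <= r["ts"] <= end_ts}


if __name__ == "__main__":
    print(attribute(HSL_NO_DST, ("10.5.5.1", 1025), "udp", 1200))
    print(attribute(HSL_NO_DST, ("10.5.5.1", 1025), "udp", 1450))
    print(subscribers_reaching(HSL_WITH_DST, ("198.51.100.5", 443), 900, 1500))
```

The timestamps in real records come from the NAT device's clock, so an attribution is only as trustworthy as that device's time synchronization; the port-reuse case above shows how a clock skew of a few minutes can point at the wrong subscriber.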
Configuration Examples for Carrier Grade Network Address Translation
Example: Configuring Static Carrier Grade NAT
```
Device# configure terminal
Device(config)# ip nat settings mode cgn
Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2
Device(config)# interface gigabitethernet 0/0/6
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip nat outside
Device(config-if)# end
```
Example: Configuring Dynamic Carrier Grade NAT
```
Device# configure terminal
Device(config)# ip nat settings mode cgn
Device(config)# access-list 1 permit 10.1.1.0 0.0.0.255
Device(config)# access-list 2 permit 10.5.5.0 0.0.0.255
Device(config)# route-map nat-route-map
Device(config-route-map)# match ip address 1
Device(config-route-map)# match ip next-hop 2
Device(config-route-map)# exit
Device(config)# ip nat pool nat-pool 10.1.1.1 10.1.254.254 prefix-length 16
Device(config)# ip nat inside source route-map nat-route-map pool nat-pool
Device(config)# interface gigabitethernet 0/0/5
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# ip nat outside
Device(config-if)# end
```
Example: Configuring Dynamic Port Address Carrier Grade NAT
```
Device# configure terminal
Device(config)# ip nat settings mode cgn
Device(config)# ip nat inside source list 1 pool nat-pool overload
Device(config)# ip nat pool nat-pool 10.1.1.1 10.1.254.254 netmask 255.255.0.0
Device(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Device(config)# interface gigabitethernet 0/0/4
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/3
Device(config-if)# ip nat outside
Device(config-if)# end
```
Additional References for Carrier Grade Network Address Translation
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | Master Command List, All Releases |
NAT commands | IP Addressing Command Reference |
NAT ALGs | “Using Application-Level Gateways with NAT” |
HSL messages | “Monitoring and Maintaining NAT” |
Standards and RFCs
Standard/RFC | Title |
---|---|
RFC 4787 | Network Address Translation (NAT) Behavioral Requirements for Unicast UDP |
RFC 5582 | Location-to-URL Mapping Architecture and Framework |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support |
Feature Information for Carrier Grade Network Address Translation
Feature Name | Releases | Feature Information | ||
---|---|---|---|---|
Carrier Grade Network Address Translation | Cisco IOS XE Release 3.6S | Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into fewer public IPv4 addresses. The following commands were introduced or modified: ip nat settings mode and ip nat settings support mapping outside. |