LSN: Large Scale NAT

Large Scale NAT (LSN) is also known as Carrier Grade NAT (CGN), and the deployment model shown here is NAT444. It is discussed in depth by Jeff Doyle. The name NAT444 stems from the fact that IPv4-to-IPv4 translation is applied twice, at the provider-facing customer edge and again at the customer-facing provider edge: once on the customer CPE and a second time on the provider's LSN router, so a packet crosses three IPv4 address realms on its way to the Internet.

The Service Provider assigns an address from a private IPv4 block (RFC 1918) to the customer-facing side of each LSN and to the outside interface of each CPE; the Internet-facing side of each LSN is assigned a public IPv4 address. Each customer uses a second, separate private IPv4 block to address the devices on its own LAN.

So when a device in the customer network wants to reach the Internet, the CPE first translates the source of the packet: the {inside private IPv4 address, port} tuple is mapped to {CPE outside private IPv4 address, port} (NAT with port translation, also called NAPT or PAT). The LSN then treats that already translated address as its own inside local address and maps the {CPE outside private IPv4 address, port} tuple to {LSN outside public IPv4 address, port}. Replies are untranslated in the reverse order, LSN first and then CPE, so both devices must hold state for every flow.

NOTE: Each LSN can serve multiple customers; only one customer is attached to each LSN here for simplicity.
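The double translation just described, as an added example that is not part of the original page: a small Python model of the two NAPT tables (CPE and LSN), the forward and reverse walk of one flow, two customers sharing one public address, and the port-exhaustion failure mode that a CGN hits when its pool runs dry. The device names, port pools and sample flows are assumptions for the example; the addresses follow the topology on this page.

```python
"""Model of the NAT444 double translation described above (added example,
not the page's own code).  Each NAPT device keeps a table keyed on
(protocol, inside local address, inside local port) and hands out a port
on its single outside address; device names, pools and flows are assumed.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field


class PortExhausted(Exception):
    """No free port left on the outside address: the CGN failure mode."""


@dataclass
class Napt:
    name: str
    outside_ip: str
    eligible: ipaddress.IPv4Network   # the 'interesting traffic' ACL
    ports: range                      # pool of outside ports
    table: dict = field(default_factory=dict)    # (proto, ip, port) -> outside port
    reverse: dict = field(default_factory=dict)  # (proto, outside port) -> (ip, port)

    def translate_out(self, proto, src_ip, src_port):
        """Outbound packet: rewrite (src_ip, src_port) to (outside_ip, port)."""
        if ipaddress.ip_address(src_ip) not in self.eligible:
            return src_ip, src_port          # not interesting traffic, untouched
        key = (proto, src_ip, src_port)
        if key not in self.table:
            # Keep the original port when it is free (as IOS does), else take the next free one.
            first = [src_port] if src_port in self.ports else []
            rest = (p for p in self.ports if p != src_port)
            for port in itertools.chain(first, rest):
                if (proto, port) not in self.reverse:
                    break
            else:
                raise PortExhausted(f"{self.name}: no free {proto} port on {self.outside_ip}")
            self.table[key] = port
            self.reverse[(proto, port)] = (src_ip, src_port)
        return self.outside_ip, self.table[key]

    def translate_in(self, proto, dst_ip, dst_port):
        """Inbound packet: undo the mapping; a tuple with no state is dropped (None)."""
        if dst_ip != self.outside_ip:
            return dst_ip, dst_port
        return self.reverse.get((proto, dst_port))


def nat444_out(cpe, lsn, proto, src_ip, src_port):
    """Packet leaving the customer LAN: CPE translation, then LSN translation."""
    hop_ip, hop_port = cpe.translate_out(proto, src_ip, src_port)
    return lsn.translate_out(proto, hop_ip, hop_port)


def nat444_in(cpe, lsn, proto, dst_ip, dst_port):
    """Reply from the Internet: LSN untranslates first, then the CPE."""
    hop = lsn.translate_in(proto, dst_ip, dst_port)
    return None if hop is None else cpe.translate_in(proto, *hop)


def new_pair(lsn_ports=range(1024, 65536), lsn_eligible="10.1.0.0/30"):
    """CPE1 and LSN1 as addressed on this page (pools are assumed)."""
    cpe1 = Napt("CPE1", "10.1.0.2", ipaddress.ip_network("192.168.1.0/24"), range(1024, 65536))
    lsn1 = Napt("LSN1", "123.10.1.2", ipaddress.ip_network(lsn_eligible), lsn_ports)
    return cpe1, lsn1


def walk_one_flow():
    """(tuple seen by the Internet host, where its reply lands, fate of an unsolicited packet)."""
    cpe1, lsn1 = new_pair()
    public = nat444_out(cpe1, lsn1, "tcp", "192.168.1.10", 40000)
    reply_to = nat444_in(cpe1, lsn1, "tcp", *public)
    unsolicited = nat444_in(cpe1, lsn1, "tcp", "123.10.1.2", 2222)   # no state -> None
    return public, reply_to, unsolicited


def shared_public_ip():
    """Two customers (CPE outside 10.1.0.2 and 10.1.0.6) both using source port 40000."""
    cpe_a, lsn1 = new_pair(lsn_eligible="10.1.0.0/24")
    cpe_b = Napt("CPE2", "10.1.0.6", ipaddress.ip_network("192.168.1.0/24"), range(1024, 65536))
    return [nat444_out(cpe, lsn1, "tcp", "192.168.1.1", 40000) for cpe in (cpe_a, cpe_b)]


def exhaust_lsn(n_flows, lsn_ports):
    """Open n_flows TCP flows through an LSN with a small pool; returns how many fit."""
    cpe1, lsn1 = new_pair(lsn_ports=lsn_ports)
    opened = 0
    try:
        for port in range(50000, 50000 + n_flows):
            nat444_out(cpe1, lsn1, "tcp", "192.168.1.10", port)
            opened += 1
    except PortExhausted:
        pass
    return opened


if __name__ == "__main__":
    print(walk_one_flow())
    print(shared_public_ip())
    print(exhaust_lsn(10, range(1024, 1027)))
```

Two things the model makes visible that the prose does not: both customers in shared_public_ip() keep the same RFC 1918 LAN addressing and the same source port, and the LSN still keeps their flows apart because its table is keyed on the CPE outside address; and once the LSN pool is exhausted a customer's new connections fail even though the CPE translated them fine, which is why real CGNs size and log per-subscriber port blocks.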

Network topology:

IP Address assignment and NAT44 on CPE routers:

Since both the customer LAN and the outside interface of the CPE use private IPv4 addresses, the two blocks must not overlap; otherwise the CPE cannot route between them correctly and the NAT ACL would match the wrong traffic.

Hence the CPE uses the 192.168.1.0/24 block to address devices within the customer network, and the Service Provider uses the 10.0.0.0/8 block to address the customers' outside interfaces. The interesting traffic to be translated at the CPE is traffic with a source address in 192.168.1.0/24. In production deployments RFC 6598 reserves 100.64.0.0/10 (Shared Address Space) for exactly this provider-side use, so that the provider block cannot collide with whichever RFC 1918 range a customer already uses.

CPE Configuration

CPE1 router:
interface Fastethernet 0/0
 description INSIDE Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial 0/0
 description OUTSIDE Interface
 ip address 10.1.0.2 255.255.255.252
 ip nat outside
!
ip access-list extended NAT_Eligible
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_Eligible interface Serial 0/0 overload
!
CPE2 router:
interface Fastethernet 0/0
 description INSIDE interface
 ip address 192.168.1.1 255.255.255.0    !! All CPEs can use same Private IPv4 block 192.168.1.0/24 within their network
 ip nat inside
!
interface Serial 0/0
 description OUTSIDE interface
 ip address 10.2.0.2 255.255.255.252
 ip nat outside
!
ip access-list extended NAT_Traffic
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_Traffic interface Serial 0/0 overload
!

IP Address assignment and NAT44 on LSN routers:

The customer-facing side of each LSN is assigned a private IPv4 address while the Internet-facing side is assigned a public IPv4 address. Since customer traffic has already been translated once, the source address of the packets arriving at the LSN is the outside IPv4 address of the CPE. So the interesting traffic for the LSN1 router is traffic sourced from the 10.1.0.0/30 network, and for the LSN2 router traffic sourced from the 10.2.0.0/30 network.

LSN Configuration

LSN1 router:
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial 0/0
 description Connected to CPE1
 ip address 10.1.0.1 255.255.255.252
 ip nat inside
!
interface Serial 0/1
 description Connected to Internet
 ip address 123.10.1.2 255.255.255.252
 ip nat outside
!
ip access-list extended CPE1_Traffic
 permit ip 10.1.0.0 0.0.0.3 any
!
ip nat inside source list CPE1_Traffic interface Serial 0/1 overload
!
LSN2 router:
interface Loopback 0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial 0/0
 description Connected to CPE2
 ip address 10.2.0.1 255.255.255.252
 ip nat inside
!
interface Serial 0/1
 description Connected to Internet
 ip address 123.20.1.2 255.255.255.252
 ip nat outside
!
ip access-list extended CPE2_Traffic
 permit ip 10.2.0.0 0.0.0.3 any
!
ip nat inside source list CPE2_Traffic interface Serial 0/1 overload
!

Routing on CPE and LSN routers:

Within the customer network, the devices point to the CPE router as their default gateway. There is an eBGP session between each CPE and its LSN, and the LSN advertises only a default route to the CPE. The CPE advertises nothing: the customer LAN is hidden behind the CPE's NAT and the CPE's outside /30 is directly connected to the LSN. Because the CPE is customer-controlled, the LSN side of that eBGP session should still reject anything the CPE might announce (an inbound deny-all prefix filter and a maximum-prefix limit); the configuration below carries no inbound policy toward the CPE.

OSPF runs within the SP public network to carry the loopbacks and core links. iBGP sessions run between the LSNs and the Internet router, sourced from the loopbacks.

CPE Routing

CPE1 router:
router bgp 65101
 neighbor 10.1.0.1 remote-as 100
!
CPE2 router:
router bgp 65102
 neighbor 10.2.0.1 remote-as 100
!

LSN Routing

LSN1 router:
router bgp 100
 neighbor 10.1.0.2 remote-as 65101
 neighbor 10.1.0.2 default-originate
 neighbor 10.1.0.2 route-map Default_Only out
 neighbor 3.3.3.3 remote-as 100               !iBGP with Internet router
 neighbor 3.3.3.3 update-source Loopback 0
 neighbor 2.2.2.2 remote-as 100               !iBGP with LSN2 router
 neighbor 2.2.2.2 update-source Loopback 0
 redistribute connected
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 123.10.1.0 0.0.0.3 area 0
!
access-list 10 permit 0.0.0.0 0.0.0.0
!
route-map Default_Only
 match ip address 10
!
LSN2 router:
router bgp 100
 neighbor 10.2.0.2 remote-as 65102
 neighbor 10.2.0.2 default-originate
 neighbor 10.2.0.2 route-map Default_Only out
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 neighbor 1.1.1.1 remote-as 100              !iBGP with LSN1 router
 neighbor 1.1.1.1 update-source Loopback 0
 redistribute connected
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 123.20.1.0 0.0.0.3 area 0
!
access-list 10 permit 0.0.0.0 0.0.0.0
!
route-map Default_Only
 match ip address 10
!

Verification:

If a ping is sent from the CPE1 router to 4.2.2.2 on the Internet, sourced from its inside interface address 192.168.1.1, the CPE router first translates the source IP address. ICMP has no port, so the identifier field (shown as 2 in the translation table below) is what the NAT entry tracks in place of a port.

NAT on CPE1

CPE1# debug ip nat
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [10]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [10]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [11]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [11]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [12]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [12]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [13]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [13]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [14]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [14]
CPE1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.0.2:2        192.168.1.1:2      4.2.2.2:2          4.2.2.2:2

The LSN1 router performs the second translation on this ICMP traffic. This time the source IP address of the packets is 10.1.0.2, the already translated outside address of CPE1, and LSN1 maps it to its own public address 123.10.1.2.

NAT on LSN1

LSN1# debug ip nat
00:45:49.635: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [0]
00:45:49.635: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [0]
00:45:49.931: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [1]
00:45:49.951: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [1]
00:45:50.055: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [2]
00:45:50.063: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [2]
00:45:50.123: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [3]
00:45:50.127: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [3]
00:45:50.159: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [4]
00:45:50.159: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [4]
LSN1# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.10.1.2:0      10.1.0.2:0         4.2.2.2:0          4.2.2.2:0
    create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 1, lc_entries: 0
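The two translation tables above are exactly what is needed to answer the question a CGN operator gets most often: which customer was behind public address:port X? The following Python is an added example, not code from the page; it parses `show ip nat translations` output in the layout shown above (including the `verbose` continuation lines, which are skipped) and walks the NAT444 chain backwards, LSN table first and then the CPE table. The table text is constructed for the example with a TCP flow added and consistent identifiers; it is not a real capture.

```python
"""Attribution through NAT444 from 'show ip nat translations' output
(added example, not the page's own code).  Under NAT444 the tuple a remote
host sees is the LSN's 'Inside global'; its 'Inside local' is the CPE's
outside address, which is in turn the CPE's 'Inside global'.  The tables
below are constructed for this example in the page's layout.
"""
import re
from collections import namedtuple

Xlate = namedtuple("Xlate", "proto inside_global inside_local outside_local outside_global")

# Dynamic entries only; the header and 'verbose' continuation lines never match.
ENTRY = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)

LSN1_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.10.1.2:2      10.1.0.2:2         4.2.2.2:2          4.2.2.2:2
    create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 1, lc_entries: 0
tcp  123.10.1.2:40000  10.1.0.2:40000     198.51.100.7:443   198.51.100.7:443
tcp  123.10.1.2:1024   10.1.0.6:40000     198.51.100.7:443   198.51.100.7:443
"""

CPE1_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.0.2:2        192.168.1.1:2      4.2.2.2:2          4.2.2.2:2
tcp  10.1.0.2:40000    192.168.1.10:40000 198.51.100.7:443   198.51.100.7:443
"""


def endpoint(text):
    """'10.1.0.2:40000' -> ('10.1.0.2', 40000); for ICMP the 'port' is the identifier."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_translations(text):
    """All dynamic entries of one device's table, in order."""
    return [Xlate(m.group(1), *(endpoint(g) for g in m.groups()[1:]))
            for m in ENTRY.finditer(text)]


def inside_local_for(table, proto, inside_global):
    """Walk one device's table backwards: inside global tuple -> inside local tuple."""
    for x in table:
        if x.proto == proto and x.inside_global == inside_global:
            return x.inside_local
    return None


def attribute(proto, public, lsn_table, cpe_tables):
    """cpe_tables maps a CPE outside address to that CPE's parsed table, if we hold it.

    Returns {'customer': CPE-side tuple, 'host': LAN-side tuple or None}, or None
    when the LSN holds no state for the reported tuple.
    """
    customer = inside_local_for(lsn_table, proto, public)
    if customer is None:
        return None
    cpe_table = cpe_tables.get(customer[0])
    host = None if cpe_table is None else inside_local_for(cpe_table, proto, customer)
    return {"customer": customer, "host": host}


def demo():
    """Three reports against the constructed tables: known host, known CPE only, no state."""
    lsn = parse_translations(LSN1_TABLE)
    cpes = {"10.1.0.2": parse_translations(CPE1_TABLE)}   # the provider rarely has these
    return (attribute("tcp", ("123.10.1.2", 40000), lsn, cpes),
            attribute("tcp", ("123.10.1.2", 1024), lsn, cpes),
            attribute("udp", ("123.10.1.2", 53), lsn, cpes))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two caveats follow from the `verbose` output above. The entry carries a timeout and a remaining lifetime, so a snapshot of the table only answers for the moment it was taken; once the entry ages out the same public port is handed to the next flow, possibly from another customer, and attribution after the fact needs NAT translation logging with timestamps rather than a later `show`. And the provider's own table stops at the CPE outside address (the second result above): identifying the host on the customer LAN needs the CPE's table, which the provider does not normally hold.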