LSN: Large Scale NAT
Large scale NAT was previously known by other terms such as NAT444 and Carrier Grade NAT (CGN); it is discussed in depth by Jeff Doyle. The name LSN stems from the fact that NAT is applied at the provider-facing customer edge and at the customer-facing provider edge. In other words, NAT is applied twice: once at the customer CPE and a second time at the provider router.
The Service Provider assigns an address out of a Private IPv4 block (RFC 1918 addresses) to the customer side of each LSN. The provider-facing side of each LSN is assigned a Public IPv4 address. Each customer uses another Private IPv4 block to address the devices within its own network.
So, if a device within the customer network wishes to reach the Internet, the CPE first translates the source IP address: the {inside Private IPv4 source address, port} pair is mapped to an {outside Private IPv4 address, port} pair at the CPE (NAT with port translation, also called PAT). At the LSN device, that {inside Private IPv4 address, port} pair is translated a second time, to an {outside Public IPv4 address, port} pair.
NOTE: Each LSN can support multiple Customers. Only one Customer is attached to each LSN here for simplicity.
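The two translation stages described above, modelled in Python as an added example (not code from the original post). It uses the article's addresses (192.168.1.1 behind CPE1, 10.1.0.2 as CPE1's outside address, 123.10.1.2 as LSN1's public address, 4.2.2.2 as the destination); the port pool starting at 1024 is constructed, not how IOS allocates ports. The last entry of the returned dict shows the practical consequence for abuse handling: the LSN's table alone resolves a public ip:port only to a CPE, never to the end host.

```python
import ipaddress

class Nat44:
    """One PAT ('overload') hop: rewrites the source ip:port of packets whose
    source lies in `eligible` (the role of the NAT_Eligible / CPE1_Traffic ACL)."""
    def __init__(self, name, eligible, outside_ip, first_port=1024):
        self.name, self.outside_ip = name, outside_ip
        self.eligible = ipaddress.ip_network(eligible)
        self.next_port = first_port          # constructed port pool start
        self.table = {}                      # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if ipaddress.ip_address(src) not in self.eligible:
            return pkt                       # not interesting traffic: untouched
        for port, inside in self.table.items():
            if inside == (src, sport):       # reuse an existing mapping
                return (self.outside_ip, port, dst, dport)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, sport)
        return (self.outside_ip, port, dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        if dst != self.outside_ip or dport not in self.table:
            return None                      # no translation entry: packet dropped
        in_ip, in_port = self.table[dport]
        return (src, sport, in_ip, in_port)

def nat444_round_trip(host_pkt):
    """Host -> CPE1 -> LSN1 -> Internet, then the reply back through both
    tables. Returns the packet as seen at each stage (tuples are
    (src, sport, dst, dport))."""
    cpe1 = Nat44("CPE1", "192.168.1.0/24", "10.1.0.2")
    lsn1 = Nat44("LSN1", "10.1.0.0/30", "123.10.1.2")
    after_cpe = cpe1.outbound(host_pkt)
    after_lsn = lsn1.outbound(after_cpe)
    # The Internet host replies: addresses and ports swap.
    reply = (after_lsn[2], after_lsn[3], after_lsn[0], after_lsn[1])
    at_cpe = lsn1.inbound(reply)
    at_host = cpe1.inbound(at_cpe)
    return {"cpe": after_cpe, "lsn": after_lsn,
            "reply_at_cpe": at_cpe, "reply_at_host": at_host,
            # What the LSN operator can attribute a public ip:port to:
            "lsn_attribution": lsn1.table[after_lsn[1]]}
```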
Network topology:
IP Address assignment and NAT44 on CPE routers:
Since both the inside and outside interfaces of the CPE routers carry Private IPv4 addresses, care must be taken that these address blocks do not overlap; otherwise routing issues result.
Hence, the CPE uses the 192.168.1.0/24 block to address devices within the customer network, and the Service Provider uses the 10.0.0.0/8 block to assign addresses to the Customers. The interesting traffic to be NATed is traffic with a source address in the 192.168.1.0/24 network.
CPE Configuration
CPE1 router:
interface Fastethernet 0/0
description INSIDE Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial 0/0
description OUTSIDE Interface
ip address 10.1.0.2 255.255.255.252
ip nat outside
!
ip access-list extended NAT_Eligible
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_Eligible interface Serial 0/0 overload
!
CPE2 router:
interface Fastethernet 0/0
description INSIDE interface
! All CPEs can use the same Private IPv4 block 192.168.1.0/24 within their network
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial 0/0
description OUTSIDE interface
ip address 10.2.0.2 255.255.255.252
ip nat outside
!
ip access-list extended NAT_Traffic
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_Traffic interface Serial 0/0 overload
!
IP Address assignment and NAT44 on LSN routers:
The customer-facing side of LSN is assigned a Private IPv4 address while the Internet-facing side is assigned a Public IPv4 address. Since Customer traffic is already NAT-ed once, the source address of the IP packet would have changed to the outside IPv4 address of the CPE device. So interesting traffic for LSN1 router will have source address from 10.1.0.0/30 network and interesting traffic for LSN2 router will have source address from 10.2.0.0/30 network.
LSN Configuration
LSN1 router:
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface Serial 0/0
description Connected to CPE1
ip address 10.1.0.1 255.255.255.252
ip nat inside
!
interface Serial 0/1
description Connected to Internet
ip address 123.10.1.2 255.255.255.252
ip nat outside
!
ip access-list extended CPE1_Traffic
permit ip 10.1.0.0 0.0.0.3 any
!
ip nat inside source list CPE1_Traffic interface Serial 0/1 overload
!
LSN2 router:
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
!
interface Serial 0/0
description Connected to CPE2
ip address 10.2.0.1 255.255.255.252
ip nat inside
!
interface Serial 0/1
description Connected to Internet
ip address 123.20.1.2 255.255.255.252
ip nat outside
!
ip access-list extended CPE2_Traffic
permit ip 10.2.0.0 0.0.0.3 any
!
ip nat inside source list CPE2_Traffic interface Serial 0/1 overload
!
Routing on CPE and LSN routers:
Within the Customer network, the customer devices point to their Default Gateway, i.e. the CPE router. There is an eBGP session between each CPE and its LSN router. The LSN routers advertise only a default route to the CPEs.
OSPF runs within the SP Public network. There are iBGP sessions between the LSNs and the Internet router.
CPE Routing
CPE1 router:
router bgp 65101
neighbor 10.1.0.1 remote-as 100
!
CPE2 router:
router bgp 65102
neighbor 10.2.0.1 remote-as 100
!
LSN Routing
LSN1 router:
router bgp 100
neighbor 10.1.0.2 remote-as 65101
neighbor 10.1.0.2 default-originate
neighbor 10.1.0.2 route-map Default_Only out
! iBGP with Internet router
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
! iBGP with LSN2 router
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
redistribute connected
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 123.10.1.0 0.0.0.3 area 0
!
access-list 10 permit 0.0.0.0 0.0.0.0
!
route-map Default_Only
match ip address 10
!
LSN2 router:
router bgp 100
neighbor 10.2.0.2 remote-as 65102
neighbor 10.2.0.2 default-originate
neighbor 10.2.0.2 route-map Default_Only out
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
! iBGP with LSN1 router
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
redistribute connected
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 123.20.1.0 0.0.0.3 area 0
!
access-list 10 permit 0.0.0.0 0.0.0.0
!
route-map Default_Only
match ip address 10
!
Verification:
If a ping is sent from within the CPE1 router to the Internet address 4.2.2.2, the CPE router first performs NAT on the source IP address.
NAT on CPE1
CPE1# debug ip nat
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [10]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [10]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [11]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [11]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [12]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [12]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [13]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [13]
NAT: s=192.168.1.1->10.1.0.2, d=4.2.2.2 [14]
NAT*: s=4.2.2.2, d=10.1.0.2->192.168.1.1 [14]
CPE1# show ip nat translations
Pro   Inside global   Inside local     Outside local   Outside global
icmp  10.1.0.2:2      192.168.1.1:2    4.2.2.2:2       4.2.2.2:2
The LSN1 router performs a second NAT on this ICMP traffic. This time the source IP address of these IP packets is the already NATed CPE1 outside address, 10.1.0.2.
NAT on LSN1
LSN1# debug ip nat
00:45:49.635: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [0]
00:45:49.635: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [0]
00:45:49.931: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [1]
00:45:49.951: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [1]
00:45:50.055: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [2]
00:45:50.063: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [2]
00:45:50.123: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [3]
00:45:50.127: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [3]
00:45:50.159: NAT*: s=10.1.0.2->123.10.1.2, d=4.2.2.2 [4]
00:45:50.159: NAT*: s=4.2.2.2, d=123.10.1.2->10.1.0.2 [4]
LSN1# show ip nat translations verbose
Pro   Inside global   Inside local   Outside local   Outside global
icmp  123.10.1.2:0    10.1.0.2:0     4.2.2.2:0       4.2.2.2:0
create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 1, lc_entries: 0