Page revision: en:dpi:opt_cgnat:cgnat_description:start, 2024/08/21 07:43, section [CG-NAT Benefits], edited by elena.krasnobryzh; the page was later removed by an external edit (Unknown date) from 127.0.0.1.
====== Description and use cases ======
Carrier Grade Network Address Translation allows you:
  - to share one public IPv4 address between several subscribers without degrading the quality of the Internet connection – you can assign up to 100 private IP addresses to one public IP address (the ideal ratio is 1:10);
  - to extend the use of the limited IPv4 address space and reduce the cost of buying IPv4 addresses by 90%;
  - to prepare the network for IPv6 addressing with Dual Stack v4-v6 (supporting both versions of the protocol simultaneously).

When using NAT, keep in mind that here NAT is a service provided by the DPI, which is not a router and operates in **transparent bridging mode**. Take this into account when designing and configuring your equipment.

===== Types =====
=== CG-NAT (NAT44) ===
Network address and port translation allows multiple subscribers to share a single public IPv4 address and extends the use of the limited IPv4 address space.

=== BiNAT (NAT 1:1) ===
One-to-one network address translation lets you offer a static public IP address service without changing the settings on the CPE: all ports of the private address are translated to a single public address.

===== Use cases =====
==== L3-Connected NAT ====

In the Bridge mode ([[en:

=== Implementation Example ===

The network has a router R1, which is a gateway for local subscribers with addresses 10.0.0.0/


On R1, our border is the gateway. In order to ensure the passage of traffic from the Internet to subscribers,
After that, traffic destined for the NAT pool is routed from the BR to R1 and is translated by the DPI on the way. Traffic to addresses that have no NAT translation is dropped on the DPI.

==== L2-Connected NAT ====
In [[en:

=== Implementation Example ===
In this scheme, the gateway for subscribers is the DPI. IP address 10.10.10.1 is configured on the DPI, IP address 10.10.10.2 is configured on the Border Router. Let us allocate subnet 100.0.0.0/


===== Implementation options =====
=== CG-NAT ===

This is the classic way of placing a CG-NAT device in the network, between the BNG and the router, to provide network address translation. The NAT log is exported via the IPFIX protocol (NetFlow v10) to a dedicated server or VM on which the QoE Stor database and GUI are installed. This solution allows efficient storage and searching of NAT logs.

=== CG-NAT + DPI ===

We offer to combine CG-NAT functionality with DPI on one device, not only to translate addresses but also to detect and classify traffic by protocol and direction, apply common channel policing, mark traffic, and work with statistics (Full NetFlow and Clickstream).

Additional subscriber information might be used by the sales, marketing and technical support departments.

=== CG-NAT + DPI + BNG ===

The best option is to combine CG-NAT, DPI and BNG functionality on a single device. This makes it possible to build a flexible and easily manageable core network – it significantly reduces the TCO (Total Cost of Ownership) through compactness,

In this scheme, in addition to network address translation and deep traffic analysis, IPoE/PPPoE subscriber authorization,

===== CG-NAT Benefits =====
=== Full Cone NAT (EIM+EIF) ===
The CG-NAT function uses Full Cone NAT (EIM+EIF), which lets any external host send packets to the subscriber through the external (mapped) TCP/UDP port from which the subscriber's traffic originated. This ensures maximum compatibility between P2P clients located behind the NATs of different providers (games, IP-telephony,

EIM (Endpoint-Independent Mapping) provides a stable external IP address and port (for a period of time) to which external hosts can connect.\\
EIF (Endpoint-Independent Filtering) controls which external hosts can connect to an internal host.

=== Hairpinning ===
Subscribers inside the NAT access each other's public addresses without translating and forwarding packets outside the device.

=== Limits on TCP and UDP connections for a subscriber ===
A limit on the number of TCP and UDP connections per subscriber is set individually for each IP address pool, which allows the operator to allocate address space economically between corporate and private clients. Connections that stay inactive are closed, freeing up ports.

=== Paired IP address pooling function ===
All connections of a subscriber from one private internal IP address are bound to one external address.

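As an added illustration (not the vendor's code), a small Python model of how the behaviours in the four sections above interact: Endpoint-Independent Mapping and Filtering, hairpinning, the per-subscriber connection limit and paired address pooling. The pool addresses, quota and port numbering are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CgNat:
    """Constructed model of the CG-NAT behaviours described above; not product code."""
    public_pool: list                      # external IPv4 addresses of the NAT pool
    max_conns_per_subscriber: int          # per-subscriber TCP/UDP connection limit
    port_base: int = 1024                  # first external port handed out per public IP
    # EIM table: (private_ip, private_port) -> (public_ip, public_port)
    mappings: dict = field(default_factory=dict)
    # Paired pooling: private_ip -> the single public IP all of its flows use
    paired: dict = field(default_factory=dict)

    def _public_ip_for(self, private_ip):
        if private_ip not in self.paired:
            self.paired[private_ip] = self.public_pool[len(self.paired) % len(self.public_pool)]
        return self.paired[private_ip]

    def outbound(self, private_ip, private_port, dst):
        """Translate an outbound flow. `dst` is deliberately ignored: under EIM the
        same internal endpoint always gets the same external endpoint, whatever it
        talks to. Returns None once the subscriber has used up its quota."""
        key = (private_ip, private_port)
        if key in self.mappings:
            return self.mappings[key]
        if sum(1 for ip, _ in self.mappings if ip == private_ip) >= self.max_conns_per_subscriber:
            return None
        pub_ip = self._public_ip_for(private_ip)
        used_on_ip = sum(1 for ip, _ in self.mappings.values() if ip == pub_ip)
        self.mappings[key] = (pub_ip, self.port_base + used_on_ip)
        return self.mappings[key]

    def inbound(self, src, public_ip, public_port):
        """Endpoint-Independent Filtering: any external `src` may reach an existing
        mapping; a packet to a public port with no mapping is dropped (None)."""
        for priv, pub in self.mappings.items():
            if pub == (public_ip, public_port):
                return priv
        return None

    def forward(self, private_ip, private_port, dst_ip, dst_port):
        """Hairpinning: a subscriber sending to another subscriber's public address
        is turned around inside the device instead of being sent upstream."""
        mapping = self.outbound(private_ip, private_port, (dst_ip, dst_port))
        if mapping is None:
            return ("dropped", None)
        if dst_ip in self.public_pool:
            return ("hairpin", self.inbound(mapping, dst_ip, dst_port))
        return ("upstream", mapping)
```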
=== Translation logging ===
Network translations are recorded in a text file or transmitted to an external collector via the IPFIX protocol (also known as NetFlow v10).

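An added example, not from the original page, of what translation logging is for on the defender's side: pairing create/delete records into mapping lifetimes and attributing a public IP:port at a given instant to the subscriber behind it. The log layout is a constructed assumption; the product's own file format and IPFIX field set are not given on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in a hypothetical text layout (timestamp, event, private
# endpoint, public endpoint, protocol). The real log format is an assumption here.
SAMPLE_LOG = """\
2024-08-21T07:40:00Z create 10.0.0.5:40000 -> 100.0.0.1:1024 proto=tcp
2024-08-21T07:41:30Z delete 10.0.0.5:40000 -> 100.0.0.1:1024 proto=tcp
2024-08-21T07:42:00Z create 10.0.0.6:50000 -> 100.0.0.1:1024 proto=tcp
2024-08-21T07:45:00Z create 10.0.0.7:51000 -> 100.0.0.2:2048 proto=udp
"""

@dataclass
class Translation:
    start: datetime
    end: Optional[datetime]        # None while the mapping is still open
    private: str
    public: str
    proto: str

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_nat_log(text):
    """Pair create/delete events into Translation records with a lifetime."""
    open_by_key, done = {}, []
    for line in text.splitlines():
        ts, event, private, _, public, proto = line.split()
        key = (private, public, proto)
        if event == "create":
            open_by_key[key] = Translation(_ts(ts), None, private, public, proto.split("=", 1)[1])
        elif event == "delete" and key in open_by_key:
            tr = open_by_key.pop(key)
            tr.end = _ts(ts)
            done.append(tr)
    return done + list(open_by_key.values())

def who_used(translations, public_endpoint, proto, when_iso):
    """Private endpoint(s) behind `public_endpoint` at the given instant.
    The timestamp matters: the same public port is reused by different
    subscribers over time, so an abuse report without a time cannot be attributed."""
    when = _ts(when_iso)
    return sorted(tr.private for tr in translations
                  if tr.public == public_endpoint and tr.proto == proto
                  and tr.start <= when and (tr.end is None or when < tr.end))
```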
=== Transparency for P2P and online gaming ===
Predictable NAT behavior is provided by the Full Cone and Hairpinning functions. User quotas ensure an even distribution of public IP ports between subscribers,

=== ALG support ===
It is important for operators to maintain connectivity for all application services and users while ensuring application integrity. ALG ensures that protocols — such as FTP, TFTP, RTSP, PPTP, SIP, ICMP, H.323, ESP, MGCP and DNS — remain operational. Many legacy NAT implementations do not provide this level of transparency.

=== VLAN and On-Stick support ===
In CG-NAT, VLAN support saves ports on the operator's equipment and increases NIC utilization. Downstream and upstream traffic can be distinguished not by NIC but by VLAN ID, which makes it possible to use the same network interface card for both directions. This option is especially effective when used together with LACP.

=== LACP ===
Link Aggregation Control Protocol allows you to combine several physical ports into a single logical channel and increase fault tolerance.

=== Availability ===
The reliability of the solution is ensured by the redundancy modes Active-Standby and Active-Active. In both variants, two devices are involved: if the first (active) one fails, traffic is switched to the second without loss, using routing protocols.