Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Supported Platforms

CGN Implementation: Best Practices

The following topics present the best practices for carrier-grade NAT implementation on MS-DPCs using the Layer 3 services package:

Use APP and Round-Robin Address-Allocation

Scenario:

  • Address-pooling paired (APP) allows a private IP address to be mapped to the same public IP address from a NAT pool for all its sessions. The binding between private IP and public IP is triggered by the first packet seen from such private host.
  • By default, an MS-DPC or MS-PIC allocates ports from a NAT pool in a sequential fashion from each consecutive IP address available in the pool.
  • Sequential allocation, together with APP, can result in mapping multiple private hosts to the same public IP address, resulting in fast port exhaustion for the interested public IP address while other ports are still available from the remaining of NAT pool.

Best Practice: Configure round-robin address allocation for the NAT pool used by traffic served with APP. Round-robin allocation allocates ports from different IP addresses.

The following snippet provides an example of round-robin address allocation.

user@router# show services nat pool natpool-1 
address-range low 9.9.9.1 high 9.9.9.10;
port {
    automatic;
}
address-allocation round-robin;  
mapping-timeout 120;

Do Not Use EIM with SIP

Scenario:

  • Session Initiation Protocol (SIP) traffic requires an Application Level Gateway (ALG) to allow SIP servers and clients on the public side of the CGNAT to communicate with the SIP hosts on the private side.
  • The SIP ALG opens the pinholes in the CGNAT router to permit the forwarding of outbound traffic based on any supported SIP feature.
  • Endpoint-independent mapping (EIM) is not needed by SIP to function, nor by the SIP ALG to create the flows for forwarding the SIP traffic

Best Practice: Do not configure EIM together with the SIP ALG; doing so adds processing overhead with no benefit.

user@router# show services nat rule natrule-1
match-direction input;
term 1 {
    from {
	applications junos-sip;
    }
    then {
        translated {
            source-pool natpool-3;
            translation-type {
                napt-44;
            }
            address-pooling paired;

Do Not Use EIM with HTTP, DNS, or When Not Needed

Scenario:

  • Most Internet traffic uses HTTP, and there is no browser on any OS that reuses the same source port for sending traffic to different destinations. EIM provides no benefit for HTTP traffic.
  • Because none of the junos-algs require EIM to work, avoid using EIM with the ALGs.
  • EIM allocates memory for each mapping; this is in addition to the memory used for flow allocation. This reduces the maximum number of flows that can be established through the services PIC, and causes processing overhead for the creation and deletion of flows and mappings.
  • Don’t enable EIM for applications that are defined ALGs or are known not to use Session Traversal Utilities for NAT(STUN) servers to discover the presence of a NAT router.
  • Enable EIM for applications that do reuse the source ports and rely on a CGNAT device to maintain the same address:port mapping for all traffic sent to different destinations, such as on-line gaming applications like Xbox and PS3, or applications that use unilateral self-address fixing methods (UNSAF). see (IETF RFC 3424 IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation).

Define PBA Blocks Based on User Profiles

Scenario:

  • When a user connects to a website that requires the establishment of a significant number of sockets for a single HTML page, a corresponding number of new ports must be allocated. Port blocks should be large enough to prevent continual allocation of new blocks.
  • If the number of concurrent sessions exceeds the number of ports available in the active port block, the other allocated port-blocks will be scanned for available ports to use or a new block will be allocated from the free block pool.
  • The process of continually scanning the allocated port-blocks and/or allocating additional blocks from the free block pool could result in experienced latency for setting up new sessions and delay loading of web pages.
  • Having a user continuously allocating or de-allocating from different PBA blocks impacts performance.

Best Practice: Define PBA blocks with a size that is a power of 2 or 4 related to the average number of sessions a user is expected to have active. For example, if a user is expected to have an average of approximately 200 to 250 sessions active, configuring the PBA block size to 512 or 1024 will provide a liberal allocation.

user@router# show services nat pool natpool-1 
address-range low 9.9.9.1 high 9.9.9.10;
            port {
                automatic;
               secure-port-block-allocation {
                   block-size 1024; 
                   max-blocks-per-user 8; /* Max 2048, default 8 */
                   active-block-timeout 300; 
               }
            }
            mapping-timeout 300;

Do Not Change the PBA Configuration on Running Systems

Scenario:

  • PBA settings in NAT pools are mapped to memory at the time of the Service PIC boot up and cannot be changed while processing traffic.
  • Do not change the following settings:
    • Update any NAT pool PBA configuration.
    • Change a PBA NAT pool to a non-PBA NAT pool.
    • Change a non-PBA NAT pool to a PBA NAT pool.

    Any of these changes result in the logging of the following message:

    PBA_CATASTROPIC_CHANGE: The recent PBA configuration changes will reflect in the Service-PIC only after deactivate and activate of the service-set again

Best Practice: When changing PBA configurations, restart the services PIC if possible. Minimally, you must deactivate and reactivate the affected service set.

Do Not Allocate Excessively Large NAT Pools

Scenario:

  • The maximum number of flows supported by the MS-DPC and each PIC on an MS-DPC is 8 million.
  • Assuming that the 8 million flow maximum consists of 4 million sessions (1 reverse flow for each forward flow), these sessions would require a maximum of 4 million ports that are available from 64 IP addresses within the 1024 to 65,535 ports range (64K ports per IP address).
  • Do not configure ports to support more than 8 million flows; they will never be needed.
  • This scenario assumes that APP, EIM, and EIF are not enabled. When they are enabled, the total number of flows is lower, which means that you should configure the number of IP addresses in the NAT pool based on the maximum supported flows.

Best Practice: Do not configure NAT pools with more than 64 addresses (that is, a /26 network) and round-robin configured and 64K ports from each address.

Configure the System Log for PBA Only When Needed

Scenario:

  • Session logging can negatively affect performance depending on the frequency of creation and deletion of flows.
  • PBA is meant to reduce the need for logging.
  • Deterministic NAT is designed to eliminate the need for logging.
  • All system log messages created by the services PIC constitutes traffic that will be sent to the Packet Forwarding Engine. competing with user traffic to reach the external destination.
  • Use logging to the system log at the service-set level rather than at the services PIC interface level when possible.
  • Do not enable logging for redundant information. When using PBA, you don’t need to configure logs per session because knowing the PBA block and the block size enables you to derive the ports allocated to each user. In this case, a log that reports all sessions created by that user with ports belonging to a block is redundant. If you have configured deterministic NAT (DetNat) a log is completely unnecessary because all information on port allocation can be deduced mathematically.
  • Rate-limit the number of logs generated from an sp- interface. When not set, the default limits apply: 10K for the local host system log server (RE) and 200K for the external system log server.
    user@router# show interfaces sp-1/1/0 services-options 
    system log {
    host 1.2.3.4 {
        services info;
    }
    message-rate-limit 1000;
}
  • Always system log to an external server to avoid loading the Routing Engine and specify system log class to restrict logging.
    • If you do not specify system log class, all log messages are allowed (subject to priority check and rate limiting).
    • When you specify system log class, only messages meeting the class criteria are retained.
    • Use the show services service-sets statistics system log detail command to check what is being dropped by unconfigured classes.
      user@router# show services service-set S-SET-1 system log 
      host 1.2.3.4 {
        services info;
    class {
        session-logs open close;
        packet-logs;
        stateful-firewall-logs;
        alg-logs;
        nat-logs;
        ids-logs;

Best Practice: System log generation can be rule-based or event-based.

  • Use rule- based system logging with care; it generates a log for every packet that enters the rule term, since rule-based logging is not subject to class or priority filtering.
  • System log messages can be dropped only as a result of message rate limiting. Make sure you have set a realistic rate-limit that is unlikely to be exceeded.
  • Use rule-based logging only for discarded traffic (a relatively small percentage of the traffic) or for troubleshooting. Since rule-based logging applies to all traffic that enters the PIC and creates a flow, logging can be excessive, resulting in reaching the configured induce rate limit with a consequent loss of needed logs.
    cli# show services stateful-firewall
    rule rule-sfw-accept {
    match-direction input-output;
    term term-sfw-accept {
        then {
            accept;
            system log;
        }
    }
}
rule rule-sfw-reject {
    match-direction input-output;
    term term-sfw-reject {
        then {
            reject;
            system log;
        }
    }
}
 

    All rule match logs are enabled by their respective rules:

    • ASP_COS_RULE_MATCH (class-of-service rules)
    • ASP_COS_RULE_MATCH (class-of-service rules)
    • ASP_IDS_RULE_MATCH (ids rules)
    • ASP_NAT_RULE_MATCH (nat rule)
    • ASP_SFW_RULE_ACCEPT (stateful firewall rules)
    • ASP_SFW_RULE_DISCARD
    • ASP_SFW_RULE_REJECT

Use Redundant Service PIC (RSP) Interfaces for Failover

  • The usage of Redundant Service PIC (RSP) interfaces, allows the active services PIC to perform an immediated switchover to the secondary services PIC in case of major issues that require a services PIC reboot.
  • This results in a minimal service impact for user traffic.
  • There are two modes for redunancy: warm-standby (default) and hot-standby. Hot-standby provides 1:1 redundancy, while warm-standby provides 1:N redundancy. With both modes , there is no impact on the UDP forwarding.
  • When the secondary services PIC is shared among multiple RSPs, only warm-standby is possible and the impact to traffic is limited to the time to load the appropriate configuration on the secondary PIC.
    user@router# show interfaces rsp0 
    redundancy-options {
    primary sp-0/1/0;
    secondary sp-1/1/0;
    hot-standby;
}

Contain the Effects of Missing IP Fragments

Scenario:

  • IP fragments are buffered as they arrive to facilitate the integrity check of the completely reassembled packet before being serviced by the services PIC.
  • Missing fragments cause received fragments to be held until the internal buffer is full and are flushed out. This causes CPU usage overhead and reduced traffic forwarding.

Best Practice: Configure the fragment-limit, the maximum number of fragments for a packet, and reassembly-timeout, the maximum wait for a missing fragment, after which all other fragments for the same packet are flushed out.

user@router# show interfaces sp-0/0/0
services-options {
    open-timeout 5;
    close-timeout 5;
    inactivity-timeout 30;
    tcp-tickles 4;
    fragment-limit 10;    
    reassembly-timeout 3; 
    cgn-pic;
}

Do Not Use Configurations Prone to Routing Loops

Scenario:

  • Sudden and persistent high CPU usage is most likely an indication of packet looping between the Packet Forwarding Engine and the services PIC. Depending on whether the configuration uses interface-style or next-hop-style service sets, different network flaps can lead to routing loops.

Ensure that only the intended traffic is allowed to reach the services PIC and is serviced based on service set rule.

  • Configure a firewall filter that accepts only the traffic meant to go to the services PIC on the output direction of the sp- interface. That is, accept only traffic identified in the NAT rule from option as received from the source-address that identifies the customer private network; discard and log all the rest.
  • Allow only intended traffic to be serviced by the service set by configuring the stateful-firewall rules and NAT rules to translate only the traffic from the customer private source address ranges and intended applications. Although this does not prevent unintended traffic from being processed by the services PIC, it prevents the creation of flows, objects, and states that are not consistent with the expected traffic and are likely to be problematic.

Published: 2013-08-14

Supported Platforms

Published: 2013-08-14

Previous Page Next Page