1 Configuration
- 1.1 Simple Example
  - 1.1.1 Required Configuration
  - 1.1.2 Optional Configuration
- 1.2 set resources group address-group <name>
- 1.3 set service nat pool <name>
- 1.4 set service nat cgnat policy <name>
- 1.5 set service cgnat session-timeout
- 1.6 Other configuration commands
2 Operational Commands
- 2.1 show cgnat summary
- 2.2 show cgnat error
- 2.3 show nat pool
- 2.4 show cgnat policy
- 2.5 show cgnat subscriber
- 2.6 show cgnat public
- 2.7 show cgnat session

Configuration

Simple Example

Required Configuration

Address-group to match subscriber (source) addresses

set resources group address-group AG_MATCH1
set resources group address-group AG_MATCH1 address 10.10.1.0/28
set resources group address-group AG_MATCH1 address-range 10.10.1.20 to 10.10.1.30
set resources group address-group AG_MATCH1 address 10.10.1.10

NAT Pool to specify Public Addresses and how they are Allocated

set service nat pool NAT_POOL1 entry RANGE1 ip-address range start 10.10.3.1
set service nat pool NAT_POOL1 entry RANGE1 ip-address range end 10.10.3.63
set service nat pool NAT_POOL1 entry RANGE2 ip-address prefix 10.10.3.64/28
set service nat pool NAT_POOL1 type CGNAT
set service nat pool NAT_POOL1 address-allocation round-robin
set service nat pool NAT_POOL1 address-pooling paired
set service nat pool NAT_POOL1 port dynamic-block-allocation block-size 128
set service nat pool NAT_POOL1 port dynamic-block-allocation max-blocks-per-subscriber 8
set service nat pool NAT_POOL1 port allocation sequential
set service nat pool NAT_POOL1 port range start 1024
set service nat pool NAT_POOL1 port range end 65535

CGNAT Policy pulls together the 'match' address-group and the NAT pool

set service nat cgnat policy POLICY1 match source address-group AG_MATCH1
set service nat cgnat policy POLICY1 priority 10
set service nat cgnat policy POLICY1 translation pool NAT_POOL1

Assign the CGNAT Policy to the interface which routes to the external network

set service nat cgnat interface dp0p1s2 policy POLICY1

Optional Configuration

Session Timeouts

set service nat cgnat session-timeout tcp partially-open 240
set service nat cgnat session-timeout udp partially-open 240
set service nat cgnat session-timeout other partially-open 20

set service nat cgnat session-timeout udp established 1800
set service nat cgnat session-timeout tcp established 1800
set service nat cgnat session-timeout other established 30

Per-port established-state timeouts are available per port

set service nat cgnat session-timeout tcp port 53 established 10

Logging

set service nat cgnat log event subscriber
set service nat cgnat log event session
set service nat cgnat log event resource-constraint
set service nat cgnat log event port-block-allocation

set service nat pool NAT_POOL1 select event port-block-allocation

set service nat cgnat policy POLICY1 select event session all-subscribers
set service nat cgnat policy POLICY1 select event session creation
set service nat cgnat policy POLICY1 select event session deletion
set service nat cgnat policy POLICY1 select event subscriber

Note that enabling session logging will switch CGNAT to record destination address and port in sub-sessions (2-tuple sessions in tables within 3-tuple sessions). This will affect performance.

set resources group address-group <name>

CGNAT uses an address-group to match inside subscriber source addresses.

Parameter	Format	Description	Details

Parameter	Format	Description	Details
address	<h:h:h:h:h:h:h:h/x>	IPv6 subnet to match	not applicable for CGNAT
	<h:h:h:h:h:h:h:h>	IPv6 address to match	not applicable for CGNAT
	<x.x.x.x/x>	IP subnet to match	The first and last addresses in the prefix will be matched. For example, 10.10.1.0/28 will match address range 10.10.1.0 to 10.10.1.15.
	<x.x.x.x>	IP address to match
address-range	<h:h:h:h:h:h:h:h> to <h:h:h:h:h:h:h:h>	IPv6 address	not applicable for CGNAT
	<x.x.x.x> to <x.x.x.x>	IPv4 address
description	<text>	Address-group description

set service nat pool <name>

A NAT pool is used to specify the public addresses that CGNAT will use to translate inside source addresses to.

Command	Format	Details

Command	Format	Details
entry <range-name> ip-address range start	<x.x.x.x>	IPv4 Address
entry <range-name> ip-address range end	<x.x.x.x>	IPv4 Address
entry <range-name> ip-address prefix	<x.x.x.x/x>	IPv4 address and mask. First and last addresses are used provided they are not '.0' or '.255'. For example, 10.10.3.0/28 would give range 10.10.3.1-10.10.3.15.
entry <range-name> ip-address subnet	<x.x.x.x/x>	IPv4 subnet and mask. First and last addresses are never used. For example, 10.10.3.0/28 would give range 10.10.3.1-10.10.3.14.
type	CGNAT	Only option. Required for future compatibility.
address-allocation	round-robin	Addresses are allocated from the NAT pool in a round-robin fashion. Only option. Required for future compatibility.
address-pooling	paired	Internal IP addresses are paired with external IP addresses. An internal IP address will never use more than one external IP address at any given time. Only option. Required for future compatibility.
port dynamic-block-allocation block-size	<64..4096>	The number of ports in a block (multiple of 64 only).
port dynamic-block-allocation max-blocks-per-subscriber	<1..32>	Maximum number of port-blocks per subscriber
port allocation	random	Allocate ports randomly from within the current 'active' port-block.
	sequential	Allocate ports sequentially from within the current 'active' port-block.
port range start	<0..65535>	Start of port rang. It is recommended that this is set no lower than 1024.
range end	<0..65535>	End of port range.
blacklist address-group	<addr-grp-name>	The address-group identifying the pool addresses being blacklisted. Adding external IP addresses or prefixes to a blacklist address group will cause sessions creating using that external address to be cleared, and for that address to no longer be used to create new sessions. It is useful on a live system where the administrator wants to prevent an address in the NAT pool form being used for CGNAT mappings. This has an advantage over reconfiguring the NAT pool range to exclude that address in that reconfiguring the NAT pool range will cause all sessions using that NAT pool to be torn down.

set service nat cgnat policy <name>

A CGNAT policy ties together an address-group for matching inside source addresses with a NAT pool for specifying the set of external public addresses to use. A CGNAT policy is the thing that is attached to an interface,

Command	Format	Description

Command	Format	Description
match source address-group	<addr-grp-name>	Address group name
translation pool	<nat-pool-name>	NAT pool name
priority	<1..9999>	The priority of CGNAT policy. Multiple CGNAT policies on an interface are evaluated in order of priority, with the lowest numerical priority first.

set service cgnat session-timeout

Established-state timeout values may be configured per port (a destination port in outbound traffic).


other	partially-open	<10..240>	Non-TCP/UDP 'partially-open' timeout in seconds
	established	<30..1800>	Non-TCP/UDP 'established' timeout in seconds
udp	partially-open	<10..240>	UDP 'partially-open' timeout in seconds
	established	<30..1800>	UDP 'established' timeout in seconds
tcp	partially-open	<10..240>	TCP 'partially-open' timeout in seconds
	partially-closed	<10..240>	TCP 'partially-closed' timeout in seconds
	established	<30..14400>	TCP 'established' timeout in seconds

Other configuration commands

set service cgnat ...


cpu-affinity event session	<0..65535>	Number of the core to process session events on
disable-hairpinning		Disable hairpinning in CGNAT device
export event ...		Used to control logging
max-dest-per-session	<1..64>	Max number of destination records that can be associated with a session
max-sessions	<1..33554432>	System-wide maximum number of sessions
select warning event resource-constraint ...
snat-alg-bypass		Enable SNAT ALG traffic to bypass CGNAT

Operational Commands

show cgnat summary

The error and summary statistics will count every packet that matches either of the following two criteria:

outbound packet whose source address matches a CGNAT policy, or
inbound packet who's destination address is a CGNAT public address

CGNAT Summary
  Sessions:                       
    Active sessions                                 2
      Sessions created                             ~2
      Sessions destroyed                           ~0
    Active sub-sessions                             4
      Sub-sessions created                         ~4
      Sub-sessions destroyed                       ~0
    Maximum table size                       33554432
    Table full                                     No
  Public address mapping table:   
    Used                                            2
  Subscriber address table:       
    Used                                            2
    Max                                         65536
  Out:                            
    Translated packets                            ~12
               bytes                             ~336
    Did not match CGNAT policy                      0
    Untranslatable packets                          0
    Hairpinned packets                              0
  In:                             
    Translated packets                             ~0
               bytes                               ~0
    Unknown source addr or port                    ~0
    Did not match CGNAT session                     0
    Did not match CGNAT pool                        0
  Session hash tables:            
    Created                                         1
    Destroyed                                       0
  PCP sessions created                              0
  PCP errors                                        0
  Memory allocation failures                        0
  Resource limitation failures                      0
  Thread contention errors                          0
  Packet buffer errors                              0

Counts marked with a tilde (~) are approximate. These are collated from each CGNAT policy every time the "show cgnat summary" command is run. The policy counts are only updated approximately every 20 secs from similar counts in the subscriber data structures.

Sessions

Sessions
Active sessions	Active sessions. An original global atomic counter. This is not simply 'sessions created less sessions destroyed'.
Sessions created	Sum of 'sessions created' counts on all CGNAT policies.
Sessions destroyed	Sum of 'sessions destroyed' counts on all CGNAT policies.
Active sub-sessions	Count of current sub-sessions. An original global atomic counter. This is not simply 'sub-sessions created less sub-sessions destroyed'.
Sub-sessions created	Sum of 'sub-sessions created' counts on all CGNAT policies.
Sub-sessions destroyed	Sum of 'sub-sessions destroyed' counts on all CGNAT policies.
Maximum table size	Configurable maximum session table size. (This value applies to sessions, not sessions plus sub-sessions)
Table full	Set when the 'active sessions' count exceeds 'Maximum table size'.
Public address mapping table
Used	Active public addresses in use by CGNAT. An original global atomic counter. There is no maximum value for this table. Its size is constrained by the number of addresses in the NAT pool used by CGNAT.
Subscriber address table
Used	Active CGNAT subscribers. An original global atomic counter.
Max	Maximum CGNAT subscribers allowed in the subscriber address table. Configurable. Default 64k.
Out
Translated packets	Count of outbound packets translated. Sum of 'Out packets' counts on all CGNAT policies.
Translated bytes	Total byte count of the outbound translated packets. (IP header and payload). Sum of 'Out bytes' counts on all CGNAT policies.
Did not match CGNAT policy	Subscriber address did not match any CGNAT policy on the outbound interface.
Untranslatable packets	Untranslatable packets. Sum of error counts 'Untranslatable IP protocol' and 'Untranslatable ICMP message'
Hairpinned packets	Count of hairpinned packets.
In
Translated packets	Count of inbound packets translated. Sum of 'In packets' counts on all CGNAT policies.
Translated bytes	Total byte count of the inbound translated packets. (IP header and payload). Sum of 'In bytes' counts on all CGNAT policies.
Unknown source addr or port	Sum of 'In, unknown source' counts on all CGNAT policies. Counts inbound packets whose dest address and port have matched a session, but whose source address and port have failed to match a sub-session. Only applies when sub-sessions are being recorded for this session.
Did not match CGNAT session	Destination address, port and protocol did not match a CGNAT session and the destination address does not match a CGNAT public address.
Did not match CGNAT pool	Destination address does not match a CGNAT public address.
Session Hash Tables
Created	A hash table may be created for each main session in order to store sub-sessions if: Destination addr and port are being recorded, and More than one destination address and port is seen for the same source address, port, and protocol. Creation and maintenance of these tables is an expensive operation. If many hash tables are being created and destroyed then performance may degrade somewhat. These counters are designed to provide some indication that this may be occurring. Typically multiple sub-sessions per main session will occur with peer-to-peer gaming.
Destroyed

PCP sessions created	Sessions created by the Port Control Protocol
PCP errors	Failures when trying to create a PCP session.
Memory allocation failures	Sum of all memory allocation failures. Use "show cgnat error" to see details.
Resource limitation failures	Sum of all resource limitation failures. Use "show cgnat error" to see details.
Thread contention errors	Sum of all thread contention errors. Use "show cgnat error" to see details.
Packet buffer errors	Sum of all packet buffer errors. Use "show cgnat error" to see details.

show cgnat error

$ show cgnat error
CGNAT Global Counts                                                  In          Out
  Unable to translate packet:
    Subscriber address did not match a CGNAT policy                   0            0
    Packet did not match a CGNAT session                              0            0
    Destination address did not match CGNAT pool                      0            0
    CGNAT bypassed by SNAT-ALG packets                                0            0
    Untranslatable IP protocol                                        0            0
    Untranslatable ICMP message                                       0            0
  Resource limitations:
    Subscriber port-block limit                                       0            0
    No free port-blocks on selected public address                    0            0
    No free public addresses in NAT pool                              0            0
    Subscriber table full                                             0            0
    Session table full                                                0            0
    Dest session table full                                           0            0
  Memory allocation failures:
    Failed to allocate session                                        0            0
    Failed to allocate destination session                            0            0
    Failed to allocate port block                                     0            0
    Failed to allocate public address                                 0            0
    Failed to allocate subscriber address                             0            0
  Thread contention errors:
    Lost race to insert session into table                            0            0
    Lost race to insert destination session into table                0            0
    Subscriber address destroyed while waiting for lock               0            0
  Packet buffer errors:
    IP header not available in message buffer                         0            0
    L4 header not available in message buffer                         0            0
    Prepare message buffer for header change failed                   0            0
  PCP errors:            .
    PCP invalid or missing argument                                   0            0
    PCP public address and port not available                         0            0
  Other:
    ICMP Echo Request for CGNAT public address                        0            0
    Unknown                                                           0            0

N/A = Means that count is not applicable in this direction
OK = Means that count is applicable in this direction

Unable to translate packet:	In	Out	Comment

Unable to translate packet:	In	Out	Comment
Subscriber address did not match a CGNAT policy	N/A	OK	Subscriber address did not match a CGNAT policy
Packet did not match a CGNAT session	OK	N/A	Inbound pkts that do not match a CGNAT session and whose dest addr does match a CGNAT policy. These are dropped.
Destination address did not match CGNAT pool	OK	N/A	Inbound pkts that do not match a CGNAT session and whose dest addr does not match a CGNAT policy. These are forwarded untranslated.
CGNAT bypassed by SNAT-ALG packets	N/A	OK	Pkt do not match a CGNAT session and does not match a CGNAT policy and SNAT is cfgd and pkt matches an ALG session or tuple. Pkt is forwarded unchanged.
Untranslatable IP protocol	OK	OK	Protocol is not one of the following: TCP, UDP, UDP-lite, DCCP or ICMP
Untranslatable ICMP message	OK	OK	ICMP type is not one of: echo-req, echo-reply, dest unreach, redirect, time-exceeded, or parameter-problem
Resource limitations:
Subscriber port-block limit	N/A	OK	CGNAT policy config contains the max number of port-blocks that anyone subscriber may use at any one time. Once this is reached, further mapping requests will fail, and this count will increment.
No free port-blocks on the selected public address	N/A	OK	Counts mapping failures that occur when a subscriber is within his port-block limit but there are no free port-blocks on the paired public address. This can occur when 1. the max port-blocks per subscriber and port-block size equate to more than 64512 ports, or 2. More than one subscriber is using the same public address, which will occur if there are totally unused public addresses.
No free public addresses in NAT pool	N/A	OK	All port-blocks on all public addresses are in use. This only affects new subscribers, i.e. subscribers that do not already have a paired public address.
Subscriber table full	N/A	OK	Affects new subscribers. The size of the subscriber hash table is configurable. Default is 64k.
Session table full	N/A	OK	Max number of main sessions (tuple is: source/subscriber addr, source port, and protocol aka 3-tuple session). The size of the session table is configurable. Default is 32m.
Dest session table full	N/A	OK	Max number of destination records, or sub-sessions, per main session. Configurable. Default is 64. The tuple is a destination address and port.
Memory allocation failures:			Note that there can be a delay between a chunk of memory no longer being visible in a show output and the memory for that chunk actually being freed. Background garbage collectors and RCU callbacks mean this delay can be in the order of tens of seconds.
Failed to allocate session	N/A	OK
Failed to allocate destination session	N/A	OK
Failed to allocate port block	N/A	OK
Failed to allocate public address	N/A	OK
Failed to allocate subscriber address	N/A	OK
Thread contention errors:
Lost race to insert session into table	N/A	OK	This occurs if two forwarding threads both try and create an identical session (src addr, src port, and protocol) at the same time. The first to be added to the session table 'wins' the race. The losing thread will drop the packet and release the mapping it had previously obtained.
Lost race to insert destination session into table	N/A	OK	This occurs if two forwarding threads both try and create an identical sub-session (dest addr, dest port) on the same main session at the same time. The first to be added to the sub-session table 'wins' the race. The losing thread will drop the packet.
Public address destroyed while waiting for lock	N/A	N/A	No longer applicable.
Subscriber address destroyed while waiting for lock	N/A	OK	This may occur if two forwarding threads try and create new mappings for the same subscriber while at the same time the subscriber table is being cleared. This is unlikely ever to occur.
Packet buffer errors:
IP header not available in message buffer	OK	OK	Pkt does not contain all of the IP header. (Note that the system reassembles IP fragments before CGNAT sees the pkt).
L4 header not available in message buffer	OK	OK	Pkt does not contain all of the layer 4 header (e.g. TCP, UDP etc.). This can also apply to pkts embedded within ICMP error messages. i.e. we will attempt to translate any such embedded pkts if there is enough of the pkt to allow us to do so.
Prepare message buffer for header change failed	OK	OK	It is possible for the system to receive a pkt into multiple pkt buffers. CGNAT will detect this and attempt to coalesce these such that the l3 and l4 headers are in the same pkt buffer. If this fails then the pkt is dropped. This typically happens when there are no pkt buffers in the buffer pool.
Cannot advance beyond end of message buffer	N/A	N/A	No longer applicable.
PCP errors:			In/Out direction is meaningless for PCP. We store any errors in the 'Out' counter for convenience.
PCP invalid or missing argument	N/A	OK
PCP public address and port not available	N/A	OK
Other:
ICMP Echo Request for CGNAT public address	OK	N/A	An ICMP echo request has been sent to a CGNAT public address, and no CGNAT session exists for that flow. Reply with an ICMP echo-reply and drop the request pkt. This is not actually an error. No translation takes place.
Unknown			Should never occur.

show nat pool

v@vm-rtr2-1:~$ show nat pool
NAT Pool POOL1
  Active                                          Yes
  Type                                          cgnat
  User count                                        1
    User addresses                                 29
  Addresses:                      
    Address pooling                            paired
    Address allocation                    round-robin
    Address count                                  79
    Contention ratio                           1:2.72
    Address Ranges:               
      RANGE2 (prefix)
        Range                 10.10.3.64 - 10.10.3.79
        Address count                              16
        Prefix:                         10.10.3.64/28
      RANGE1 (range)
        Range                  10.10.3.1 - 10.10.3.63
        Address count                              63
  Last Allocated Address:         
    TCP                                          none
    UDP                                    10.10.3.65
    Other                                        none
  Ports:                          
    Port allocation                        sequential
    Port range                             1024-65535
    Port count                                  64512
    Port-block size                               128
    Max port-blocks per user                        8
  Logging:                        
    Log port-block allocation                     Yes
    Log all                                        No
  Translation Mappings:           
    Active                                          2
    Total requests                                  2
      Ok                                            2
      Failed                                        0
  Port Block Allocation:          
    Active                                          2
    Total                                           2
    Total Freed                                     0
    Total Failures                                  0
    Failures exceeding max                          0

Active	Yes/No. A NAT pool may become inactive momentarily as it is reconfigured or deleted
Type	Always 'cgnat'
User count

DANOS

Carrier Grade NAT (CGNAT)