Centralized Deterministic CGNAT

By Ricardo Dominguez posted 08-03-2023 00:00

All you need to know about Centralized Deterministic NAT configuration, scale and performance on MX routers.

Introduction

The Internet Assigned Numbers Authority (IANA) allocated the last five /8 IPv4 address blocks on February 3, 2011.

RIPE NCC ran out of IPv4 addresses on November 25, 2019, when it allocated its final /22.

IPv6 adoption started more than 10 years ago, yet as of June 2023 only about 40% of Internet traffic, as seen by Google's IPv6 adoption statistics, runs over IPv6.

Google IPv6 Adoption Statistics

Worldwide IPv6 usage varies country by country: Uruguay, the USA, Mexico and Brazil lead IPv6 adoption in the Americas; France, Germany and Finland in Europe; India, Malaysia and Japan in Asia; while Africa shows little IPv6 adoption.

Google Per Country IPv6 Adoption

In July 2022, about 33% of the top 1000 websites were reachable over IPv6.

Top 1000 websites over IPv6

IPv4 still dominates Internet traffic and will keep doing so for a while. CGNAT is widely needed because public IPv4 addresses are exhausted and the number of connected devices has outgrown the IPv4 address space.

IPv4 NAT Alternatives

Several IPv4 NAT variants are in wide use: basic NAT, static source NAT, destination NAT and dynamic NAT.

NAT44 mainly involves three alternatives: dynamic NAT, NAT with Port Block Allocation (PBA) and deterministic NAT. They differ in logging volume, in how predictable the public mapping is (the security row below) and in how many subscribers fit on one public IP:

                            Dynamic NAT    NAT w/ PBA    Deterministic NAT
Logging                     High           Low           None
Security                    High           Medium        Medium
Subscribers per public IP   High           Low           Low


Dynamic NAT

Dynamic NAT maps M private IPv4 addresses to N public IPv4 addresses taken from a pool; typically M is much larger than N, so port translation (NAPT) is used. The public address and port used by a given flow are assigned dynamically.

This kind of NAT generates a high volume of logs: one log entry per translation of a private IP/port to a public IP/port, which requires high storage capacity on the logging servers. Its security is high because a subscriber's translation can land on any of the 64,512 ports (1024 to 65535) of any public IP in the pool, so the mapping is not predictable. The subscribers per public IP ratio is excellent, since all 64,512 ports of each public IP can be used and fewer public addresses are wasted.

NAT w/PBA

NAT with PBA is a variant of dynamic NAT that assigns a block of ports per private IPv4 address. This drastically reduces the number of log entries: a port block is allocated on the first translation for a private IP and only that allocation is logged; subsequent flows from the same private IP take ports from the same block. If a private IP needs more ports, another block is allocated and a new log entry is generated for that block.

With PBA the subscribers per public IP ratio can lead to some public IP waste. To minimize it, assign small port blocks per private IP and, where needed, add further blocks to the same private IP.

Deterministic NAT

Deterministic NAT works like PBA in that each private IP receives a block of ports, but no log entry is exported per block: the relation between a private IP and its public IP/port block is fixed by the pool configuration, so the Juniper MX router can compute and display it locally and a logging server is no longer needed. The same block-size design considerations as for PBA apply to limit public IP waste. Two caveats follow from the mapping being fixed by configuration: anyone who knows the pool and host ranges can map a public IP/port back to a subscriber, which is why the comparison table rates its security as medium rather than high; and answering an abuse report for a past date requires knowing which pool configuration was active at that time, since there are no per-session logs to consult.

CGNAT Configuration Blocks

CGNAT configuration is quite simple once each of its configuration parts is understood; I call these parts building blocks. The CGNAT processing relies on the Juniper MX SPC3 services card.

CGNAT Building Blocks

Service Set

It is the main CGNAT building block: it ties together the inside and outside multiservice interfaces and the NAT rule-set, and it is where translation takes place. Packets entering through the inside multiservice interface are translated according to the NAT rules referenced by this service-set.

With a next-hop style service, the inside multiservice interface faces the private addressing and the outside multiservice interface faces the public addressing.

Following is typical service-set configuration:

services {
    service-set PIC1_0 {
        stateful-firewall-rules ALLOW-ALL;
        nat-rule-sets CGNAT_IN_PIC1_0_SET;
        next-hop-service {
            inside-service-interface vms-1/0/0.1;
            outside-service-interface vms-1/0/0.2;
        }
    }
}

Firewall

A stateful firewall rule is required by the service-set; it can accept everything, as shown below, or enforce firewalling based on specific requirements.

services {
    policies {
        stateful-firewall-rule ALLOW-ALL {
            match-direction input;
            policy ACCEPT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Multiservice Interface

The multiservice interface has two legs, one toward the private network (inside) and one toward the public network (outside); the inside leg is the one that sends traffic to the SPC3 services card for translation. The interface name vms-<slot>/<pic>/0 follows the FPC slot in which the SPC3 is inserted: PIC 0 is SPC3 NPU0 and PIC 1 is SPC3 NPU1, and the port number is always 0.

A typical multiservice interface configuration is shown:

interfaces {
    vms-1/0/0 {
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}

CGNAT Routing Instance

The inside multiservice interface is placed in a routing-instance, either a VRF or a virtual-router (VR), which is used to send traffic to the corresponding multiservice interface in a next-hop style CGNAT design. A VR configuration is shown below:

routing-instances {
 PIC1_0 {
        instance-type virtual-router;
        interface vms-1/0/0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop vms-1/0/0.1;
            }
        }
    }
}

NAT Rule

The NAT rule matches the private source addressing (by address-book name) and optionally an application set, so that the ALGs are applied, and in its action references the source NAT pool to translate into.

A NAT rule is defined under a NAT rule-set, and a rule-set can hold multiple NAT rules. A NAT rule configuration:

services {
    nat {
        source {
            rule-set CGNAT_IN_PIC1_0_SET {
                rule CGNAT_IN_PIC1_0_RULE {
                    match {
                        source-address-name RANGE_1_0;
                        application APPS;
                    }
                    then {
                        source-nat {
                            pool {
                                PIC1_0;
                            }
                        }
                    }
                }
                match-direction input;
            }
        }
    }
}

Address Book

An address book contains address ranges; the private source addressing is defined under these ranges. An address book configuration is shown below:

services {
    address-book {
        global {
            address RANGE_1_0 {
                address-range 172.16.0.2/32 {
                    to {
                        172.16.47.177/32;
                    }
                }
            }
        }
    }
}

CGNAT ALGs

Application Layer Gateways (ALGs) allow applications that carry addresses or ports inside their payload to work through NAT. Junos includes a rich set of NAT ALGs such as FTP, DNS, H.323, ICMP, SIP, RTSP, PPTP, SNMP and TFTP. Most modern applications have evolved to work through IPv4 NAT on their own, at the application layer.

An example of ALGs configuration:

applications {
    application-set APPS {
        application appl-junos-sip;
        application appl-junos-syslog;
    }
    application appl-junos-sip {
        application-protocol sip;
        protocol udp;
        destination-port 5060;
        inactivity-timeout 3600;
        learn-sip-register;
        sip-call-hold-timeout 36000;
    }
    application appl-junos-syslog {
        protocol udp;
        destination-port 514;
        inactivity-timeout 30;
    }
}

NAT Pool

The NAT pool contains the public IPv4 addresses to which the private addressing is translated and the port range available per public address. When PBA or deterministic NAT is used it also carries the port block size and, for deterministic NAT, the private host range (referenced by its address-book name).

A pool with deterministic CGNAT is shown:

services {
    nat {
        source {
            pool PIC1_0 {
                address {
                    192.168.30.0/32 to 192.168.31.255/32;
                }
                port {
                    range {
                        2048;
                        to {
                            65535;
                        }
                    }
                    deterministic {
                        block-size 2048;
                        host address-name RANGE_1_0;
                        include-boundary-addresses;
                    }
                }
            }
        }
    }
}
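How the router derives a subscriber's public IP and port block from the pool above, as an added example (this is not Juniper code and not part of the original post). It reconstructs the mapping that the `show services nat source deterministic host-ip` lookups for pool PIC1_0 in the CPS section of this post exhibit: hosts are numbered sequentially from the first address of RANGE_1_0, the port range is cut into blocks of block-size ports, and all blocks of one public address are handed out before the next public address is used. That allocation order is an assumption checked against the two PIC1_0 lookups shown on this page, not a statement of Juniper's documented algorithm; include-boundary-addresses is taken to mean that 192.168.30.0 and 192.168.31.255 are usable pool addresses, which is what makes the total come out at 15872 blocks, and port-overloading-factor is taken as 1. The reverse function is what abuse handling needs instead of logs, and also what anyone holding the configuration can compute, which is the security trade-off of deterministic NAT.

```python
# Added example: reconstruct the deterministic NAT mapping of pool PIC1_0
# from its configuration.  Not Juniper code.  Assumptions (consistent with
# the two PIC1_0 lookups shown on this page): hosts are numbered
# sequentially from the first address of the host range, the port range is
# split into fixed-size blocks, all blocks of one public address are used
# before the next public address, and port-overloading-factor is 1.
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _blocks_per_ip(port_range, block_size):
    # e.g. (65535 - 2048 + 1) // 2048 = 31 blocks per public address
    return (port_range[1] - port_range[0] + 1) // block_size


def pool_capacity(host_range, pool_range, port_range, block_size):
    """Return (hosts in host_range, port blocks in the pool): the pair the
    router reports as 'Used/total port blocks'.  include-boundary-addresses
    is assumed, so the first and last pool addresses (x.0 and x.255) count."""
    hosts = _ip(host_range[1]) - _ip(host_range[0]) + 1
    addrs = _ip(pool_range[1]) - _ip(pool_range[0]) + 1
    return hosts, addrs * _blocks_per_ip(port_range, block_size)


def deterministic_mapping(host, host_range, pool_range, port_range, block_size):
    """Forward lookup: private host -> (public IP, (first port, last port)).
    Ranges are inclusive (first, last) strings, as in the Junos config."""
    h = _ip(host)
    if not _ip(host_range[0]) <= h <= _ip(host_range[1]):
        raise ValueError(f"{host} is outside the deterministic host range")
    hosts, blocks = pool_capacity(host_range, pool_range, port_range, block_size)
    if hosts > blocks:
        raise ValueError("host range has more hosts than the pool has blocks")
    per_ip = _blocks_per_ip(port_range, block_size)
    index = h - _ip(host_range[0])          # 0-based subscriber number
    public_ip = ipaddress.IPv4Address(_ip(pool_range[0]) + index // per_ip)
    first_port = port_range[0] + (index % per_ip) * block_size
    return str(public_ip), (first_port, first_port + block_size - 1)


def reverse_mapping(public_ip, port, host_range, pool_range, port_range, block_size):
    """Inverse lookup: public IP/port -> private host.  This is what abuse
    handling needs instead of logs, and what anyone holding the pool
    configuration can compute as well."""
    p = _ip(public_ip)
    if not _ip(pool_range[0]) <= p <= _ip(pool_range[1]):
        raise ValueError(f"{public_ip} is not in the NAT pool")
    if not port_range[0] <= port <= port_range[1]:
        raise ValueError(f"port {port} is outside the NAT port range")
    per_ip = _blocks_per_ip(port_range, block_size)
    index = (p - _ip(pool_range[0])) * per_ip + (port - port_range[0]) // block_size
    host = _ip(host_range[0]) + index
    if host > _ip(host_range[1]):
        raise ValueError("that port block is not assigned to any host")
    return str(ipaddress.IPv4Address(host))


# Pool PIC1_0 and address-book entry RANGE_1_0 as configured on this page.
PIC1_0 = dict(host_range=("172.16.0.2", "172.16.47.177"),
              pool_range=("192.168.30.0", "192.168.31.255"),
              port_range=(2048, 65535), block_size=2048)

if __name__ == "__main__":
    print(pool_capacity(**PIC1_0))                         # (12208, 15872)
    print(deterministic_mapping("172.16.13.13", **PIC1_0))  # 192.168.30.107, 47104-49151
    print(reverse_mapping("192.168.30.173", 27000, **PIC1_0))  # 172.16.21.1
```

The capacity function makes the sizing trade-off from the PBA and deterministic NAT sections concrete: a /23 pool (512 addresses times 31 blocks) serves at most 15872 subscribers at 2048 ports each, and halving block-size doubles the subscriber capacity at the cost of half the ports per subscriber. Ports 0 to 2047 of every pool address are never handed out because the port range starts at 2048.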

CGNAT Deterministic NAT44

One concern of service providers deploying a centralized CGNAT is having to modify routing in order to send private IPv4 traffic to the central CGNAT. An alternative is a dedicated CGNAT VRF across the MPLS network, through which the private IPv4 traffic of the different BNGs/PEs is sent dynamically to the centralized CGNAT PE.

A topology for this scenario is shown below; it is also the topology used for the CGNAT scalability testing.

A BNG or PE receives private IPv4 traffic on access interfaces assigned to the CGNAT VRF; in the test topology the MX480 plays that PE role. In its CGNAT VRF the PE receives a default route that points to the same VRF on the CGNAT PE, so traffic is routed from the remote PEs to the CGNAT PE across the MPLS network.

PTX10K1-36MR acts as a peering node emulating Internet peering and public addressing. To make the scenario more realistic, 15K OSPF and 15K LDP routes are injected into PTX10K1-36MR and advertised to both the CGNAT PE and the remote PE; 2M IPv4 routes (about twice the size of the Internet IPv4 table) and 500K IPv6 routes (about three times the IPv6 table) are injected as well.

Scalability Topology

MX960 acts as the CGNAT PE. It has 2 x MPC10E for access and uplink connections, including 400G uplink interfaces, and 7 x SPC3 line cards for the CGNAT function. See below:

jnpr@HERCULES-RE0> show chassis hardware | no-more 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN125E69xxxx      MX960
Midplane         REV 04   750-047849   ACRFxxxx          Enhanced MX960 Backplane
FPM Board        REV 03   710-014974   CAFXxxxx          Front Panel Display
PDM              Rev 01   740-063049   QCS1936xxxx       Power Distribution Module
PEM 0            Rev 11   740-027760   QCS1934xxxx       PS 4.1kW; 200-240V AC in
PEM 1            Rev 10   740-027760   QCS1717xxxx       PS 4.1kW; 200-240V AC in
PEM 2            Rev 11   740-027760   QCS1930xxxx       PS 4.1kW; 200-240V AC in
PEM 3            Rev 11   740-027760   QCS1934xxxx       PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 05   750-072925   CAMGxxxx          RE-S-2X00x6
Routing Engine 1 REV 05   750-072925   CALGxxxx          RE-S-2X00x6
CB 0             REV 29   750-070866   CAMAxxxx          Enhanced MX SCB 3
CB 1             REV 29   750-070866   CAMFxxxx          Enhanced MX SCB 3
CB 2             REV 29   750-070866   CAMFxxxx          Enhanced MX SCB 3
FPC 1            REV 31   750-073435   CANBxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 2            REV 32   750-073435   CAPBxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 3            REV 32   750-073435   CANGxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 4            REV 29   750-073435   CAMRxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 5            REV 48   750-078633   EAAAxxxx          MPC10E 3D MRATE-10xQSFPP
  CPU            REV 21   750-072571   EAAAxxxx          FMPC PMB
  PIC 0                   BUILTIN      BUILTIN           MRATE-5xQSFPP
    Xcvr 0       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 1       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 2       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 3       REV 01   740-061405   1ECQ155xxxx       QSFP-100G-SR4-T2
  PIC 1                   BUILTIN      BUILTIN           MRATE-5xQSFPP
    Xcvr 0       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 1       REV 01   740-061405   1ECQ155xxxx       QSFP-100G-SR4-T2
    Xcvr 2       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 3       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 4       REV 01   740-090165   2H2TSAA52xxxx     QSFP56-DD-400G-AOC-3M
FPC 7            REV 47   750-070395   CAMWxxxx          MPC10E 3D MRATE-15xQSFPP
  CPU            REV 19   750-072571   CAMXxxxx          FMPC PMB
  PIC 0                   BUILTIN      BUILTIN           MRATE-5xQSFPP
    Xcvr 0       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 1       REV 01   740-061405   1ECQ155xxxx       QSFP-100G-SR4-T2
    Xcvr 2       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
  PIC 1                   BUILTIN      BUILTIN           MRATE-5xQSFPP
    Xcvr 0       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 1       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 2       REV 01   740-061405   1ECQ153xxxx       QSFP-100G-SR4-T2
    Xcvr 3       REV 01   740-061405   1ECQ152xxxx       QSFP-100G-SR4-T2
    Xcvr 4       REV 01   740-090165   2H2TSAA52xxxx     QSFP56-DD-400G-AOC-3M
  PIC 2                   BUILTIN      BUILTIN           MRATE-5xQSFPP
FPC 8            REV 32   750-073435   CANGxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 9            REV 31   750-073435   CAMPxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
FPC 10           REV 32   750-073435   CANBxxxx          SPC3
  CPU                     BUILTIN      BUILTIN           SPC3 vCPP Broadwell
  PIC 0                   BUILTIN      BUILTIN           SPC3-PIC
  PIC 1                   BUILTIN      BUILTIN           SPC3-PIC
Fan Tray 0       REV 01   740-057995   ACDDxxxx          Enhanced Fan Tray
Fan Tray 1       REV 01   740-057995   ACDDxxxx          Enhanced Fan Tray

Deterministic CGNAT was chosen in order to minimize syslog entries toward an external logging system. The MX960 runs Junos 21.2R3.

The following diagram shows the MX960 CGNAT process.

MX960 receives the private IPv4 traffic over its MPLS interfaces into the CGNAT VRF (the same VRF as on the remote PEs); this VRF advertises a default route to the remote PEs so they can send traffic across the MPLS network to the CGNAT PE. An input firewall filter applied under forwarding-options of the CGNAT VRF steers the private IPv4 traffic to different VRs based on its source IPv4 subnet; each VR corresponds to one SPC3 NPU. The source subnets used in that filter must line up with the host ranges (address-book entries) of each NPU's deterministic pool, otherwise the traffic reaches an NPU whose NAT rule does not match it and is not translated.

Traffic arrives in the internal VR and is sent to the inside multiservice interface by the VR's static default route. That interface is bound to an SPC3 NPU, where the NAT rule performs the deterministic translation.

For the return direction, a static route for the public pool prefix pointing to the outside multiservice interface is installed in the routing table with a static preference of 1, and a policy-statement announces that prefix in BGP.

Traffic coming from the Internet matches this static route and is sent to the outside multiservice interface of the corresponding SPC3 NPU, where it is translated from public to private addressing and emerges in the VR of the inside multiservice interface. Another static route in each VR sends it back to the CGNAT VRF, from where it reaches its remote PE over the MPLS network.

Sessions Scalability

Each SPC3 NPU handles 24 million sessions, for a total of 336 million sessions on this MX960 (14 NPUs).

The show services sessions count command shows the number of sessions currently handled per services interface:

jnpr@HERCULES-RE0> show services sessions count 
Interface   Service set                        Valid      Invalid      Pending  Other state
vms-1/0/0   PIC1_0                          23151274            0            0            0
vms-1/1/0   PIC1_1                          23102769            0            0            0
vms-2/0/0   PIC2_0                          24017927            0            0            0
vms-2/1/0   PIC2_1                          23955501            0            0            0
vms-3/0/0   PIC3_0                          23796227            0            0            0
vms-3/1/0   PIC3_1                          23777050            0            0            0
vms-4/0/0   PIC4_0                          24000000            0            0            0
vms-4/1/0   PIC4_1                          24000000            0            0            0
vms-8/0/0   PIC8_0                          24000000            0            0            0
vms-8/1/0   PIC8_1                          24000000            0            0            0
vms-9/0/0   PIC9_0                          24000000            0            0            0
vms-9/1/0   PIC9_1                          24000000            0            0            0
vms-10/0/0  PIC10_0                         24000000            0            0            0
vms-10/1/0  PIC10_1                         24000000            0            0            0

To check the pre-NAT, post-NAT and non-NATed sessions of a given source, for example host 172.17.13.13 (the In line is the private side, the Out line the translated public side):

jnpr@HERCULES-RE0> show services sessions source-prefix 172.17.13.13 
Session ID: 98784248804, Service-set: PIC2_0, Policy name: ACCEPT/131089, State: Stand-alone, Timeout: 286, Valid
  In: 172.17.13.13/2329 --> 192.168.8.13/80;tcp, Conn Tag: 0x0, If: vms-2/0/0.1, Pkts: 7, Bytes: 523, 
  Out: 192.168.8.13/80 --> 192.168.34.107/48766;tcp, Conn Tag: 0x0, If: vms-2/0/0.2, Pkts: 54, Bytes: 78044, 
Session ID: 167503726581, Service-set: PIC2_0, Policy name: ACCEPT/131089, State: Stand-alone, Timeout: 114, Valid
  In: 172.17.13.13/2722 --> 192.168.8.115/80;tcp, Conn Tag: 0x0, If: vms-2/0/0.1, Pkts: 7, Bytes: 523, 
  Out: 192.168.8.115/80 --> 192.168.34.107/48148;tcp, Conn Tag: 0x0, If: vms-2/0/0.2, Pkts: 54, Bytes: 78044,

To verify the service set summary information (memory and CPU utilization) for all services interfaces:

jnpr@HERCULES-RE0> show services service-sets summary 
             Service sets                                                                           CPU
Interface    configured             Bytes used        Session bytes used     Policy bytes used      utilization
vms-1/0/0          1           6967242496 (44.19%) 18237778944 (83.61%)       7214816 ( 0.82%)        76.36 %
vms-1/1/0          1           6967260704 (44.19%) 15117384960 (69.31%)       7214816 ( 0.82%)        79.69 % 
vms-2/0/0          1           6967277056 (44.19%) 18372119808 (84.23%)       7214912 ( 0.82%)        83.27 %
vms-2/1/0          1           6967285040 (44.19%) 15039570432 (68.95%)       7214816 ( 0.82%)        78.60 % 
vms-3/0/0          1           6943506064 (44.09%) 18244572672 (83.65%)       7214800 ( 0.82%)        53.45 %
vms-3/1/0          1           6818853168 (44.12%) 15118995456 (69.32%)       7214800 ( 0.82%)        84.47 %
vms-4/0/0          1           6701310560 (42.94%) 18432000000 (84.51%)       7214816 ( 0.82%)        53.36 %
vms-4/1/0          1           6701327888 (42.94%) 18432000000 (84.51%)       7214816 ( 0.82%)        52.41 %
vms-8/0/0          1           6701305280 (42.94%) 18432000000 (84.51%)       7214912 ( 0.82%)        51.47 %
vms-8/1/0          1           6701292576 (42.94%) 18432000000 (84.51%)       7214800 ( 0.82%)        53.94 %
vms-9/0/0          1           6701298448 (42.94%) 18432000000 (84.51%)       7214768 ( 0.82%)        53.58 %
vms-9/1/0          1           6701310192 (42.94%) 18432000000 (84.51%)       7214688 ( 0.82%)        52.05 %
vms-10/0/0         1           6701338368 (42.94%) 18432000000 (84.51%)       7214800 ( 0.82%)        52.52 %
vms-10/1/0         1           6701311584 (42.94%) 18432000000 (84.51%)       7214816 ( 0.82%)        52.62 %

CPS Scalability

An SPC3 NPU creates about 350K sessions per second. The commands below show the sessions created per second on several SPC3 NPUs, followed by lookups of the deterministic NAT port block assigned to specific source hosts; the lookup is answered locally by the router, with no logging server involved:

jnpr@HERCULES-RE0> show services sessions analysis interface vms-1/0/0 | no-more 
  Interface:   vms-1/0/0
Session Analysis Statistics:
  Created sessions per Second             :349718       
jnpr@HERCULES-RE0> show services sessions analysis interface vms-1/1/0 | no-more 
  Interface:   vms-1/1/0
Session Analysis Statistics:
  Created sessions per Second             :350586       
jnpr@HERCULES-RE0> show services sessions analysis interface vms-2/0/0 | no-more 
  Interface:   vms-2/0/0
Session Analysis Statistics:
  Created sessions per Second             :354758       
jnpr@HERCULES-RE0> show services sessions analysis interface vms-2/1/0 | no-more 
  Interface:   vms-2/1/0
Session Analysis Statistics:
  Created sessions per Second             :350945       

jnpr@HERCULES-RE0> show services sessions analysis interface vms-10/0/0 | no-more 
  Interface:   vms-10/0/0
Session Analysis Statistics:
  Created sessions per Second             :349739       
jnpr@HERCULES-RE0> show services sessions analysis interface vms-10/1/0 | no-more 
  Interface:   vms-10/1/0
Session Analysis Statistics:      
  Created sessions per Second             :349661       
jnpr@HERCULES-RE0> show services nat source deterministic host-ip 172.16.13.13
Pool name: PIC1_0
Port-overloading-factor:     1     Port block size: 2048
Used/total port blocks: 12208/15872
Host_IP                       External_IP                         Port_Block              Ports_Used/
                                                                    Range                 Ports_Total
172.16.13.13                  192.168.30.107                     47104-49151                475/2048*1
jnpr@HERCULES-RE0> show services nat source deterministic host-ip 172.16.21.1 
Pool name: PIC1_0
Port-overloading-factor:     1     Port block size: 2048
Used/total port blocks: 12208/15872
Host_IP                       External_IP                         Port_Block              Ports_Used/
                                                                    Range                 Ports_Total
172.16.21.1                   192.168.30.173                     26624-28671               1137/2048*1
jnpr@HERCULES-RE0> show services nat source deterministic host-ip 172.22.64.100
Pool name: PIC10_1
Port-overloading-factor:     1     Port block size: 2048
Used/total port blocks: 12208/15872
Host_IP                       External_IP                         Port_Block              Ports_Used/
                                                                    Range                 Ports_Total
172.22.64.100                 192.168.56.3                       12288-14335               1500/2048*1
jnpr@HERCULES-RE0> show services nat source deterministic host-ip 172.22.100.1 
Pool name: PIC10_1
Port-overloading-factor:     1     Port block size: 2048
Used/total port blocks: 12208/15872
Host_IP                       External_IP                         Port_Block              Ports_Used/
                                                                    Range                 Ports_Total
172.22.100.1                  192.168.57.41                      18432-20479               1500/2048*1

Throughput Scalability

TCP and UDP traffic was sent through each SPC3 NPU, reaching about 43 Gbps per NPU, that is about 86 Gbps per SPC3. Note that slots 4 to 10 carry roughly 7.1 Mpps at the same bit rate as the 3.9 Mpps on slots 1 to 3, i.e. a smaller packet mix:

jnpr@HERCULES-RE0> show interfaces vms-1/0/0 | match rate 
  Input rate     : 43856358840 bps (3939511 pps)
  Output rate    : 43786116440 bps (3934187 pps)
jnpr@HERCULES-RE0> show interfaces vms-1/1/0 | match rate    
  Input rate     : 43727908616 bps (3903294 pps)
  Output rate    : 43772798392 bps (3910550 pps)
jnpr@HERCULES-RE0> show interfaces vms-2/0/0 | match rate    
  Input rate     : 43712820872 bps (3897532 pps)
  Output rate    : 43717330680 bps (3899817 pps)
jnpr@HERCULES-RE0> show interfaces vms-2/1/0 | match rate    
  Input rate     : 43786348896 bps (3905616 pps)
  Output rate    : 43779873432 bps (3905836 pps)
jnpr@HERCULES-RE0> show interfaces vms-3/0/0 | match rate    
  Input rate     : 43664313600 bps (3896582 pps)
  Output rate    : 43685011128 bps (3898347 pps)
jnpr@HERCULES-RE0> show interfaces vms-3/1/0 | match rate    
  Input rate     : 43746453608 bps (3906043 pps)
  Output rate    : 43803887088 bps (3910859 pps)
jnpr@HERCULES-RE0> show interfaces vms-4/0/0 | match rate    
  Input rate     : 42540707872 bps (7135832 pps)
  Output rate    : 42540774400 bps (7135836 pps)
jnpr@HERCULES-RE0> show interfaces vms-4/1/0 | match rate    
  Input rate     : 42538505160 bps (7136517 pps)
  Output rate    : 42538437240 bps (7136512 pps)
jnpr@HERCULES-RE0> show interfaces vms-8/0/0 | match rate    
  Input rate     : 42631235520 bps (7150655 pps)
  Output rate    : 42631231888 bps (7150653 pps)
jnpr@HERCULES-RE0> show interfaces vms-8/1/0 | match rate    
  Input rate     : 42637096432 bps (7152354 pps)
  Output rate    : 42637123304 bps (7152360 pps)
jnpr@HERCULES-RE0> show interfaces vms-9/0/0 | match rate    
  Input rate     : 42557953936 bps (7140223 pps)
  Output rate    : 42558116360 bps (7140251 pps)
jnpr@HERCULES-RE0> show interfaces vms-9/1/0 | match rate    
  Input rate     : 42546741608 bps (7136974 pps)
  Output rate    : 42546799144 bps (7136984 pps)
jnpr@HERCULES-RE0> show interfaces vms-10/0/0 | match rate   
  Input rate     : 42547510624 bps (7137326 pps)
  Output rate    : 42547487864 bps (7137318 pps)
jnpr@HERCULES-RE0> show interfaces vms-10/1/0 | match rate    
  Input rate     : 42566244520 bps (7139603 pps)
  Output rate    : 42566295184 bps (7139606 pps)

Conclusion

The Juniper MX960 with SPC3 can be deployed as a centralized CGNAT solution supporting the full range of NAT types. In the tests above each SPC3 handled 48 million sessions (24 million per NPU), about 700K new sessions per second and about 86 Gbps of throughput; an MX960 can hold up to 7 SPC3 cards alongside 400GbE interfaces.

Glossary

  • ALG: Application Layer Gateway

  • BNG: Broadband Network Gateway

  • CGNAT: Carrier Grade NAT

  • CPS: Connections (sessions) per Second

  • FW: Firewall

  • IANA: Internet Assigned Numbers Authority

  • IPv4: Internet Protocol version 4

  • IPv6: Internet Protocol version 6

  • MPLS: Multiprotocol Label Switching

  • NAPT: Network Address Port Translation

  • NAT: Network Address Translation

  • NAT44: Translates an IPv4 to another IPv4

  • PBA: Port Block Allocation

  • PE: Provider Edge

  • RIPE NCC: Réseaux IP Européens Network Coordination Centre

  • VR: Virtual Router

  • VRF: Virtual Routing and Forwarding

Acknowledgments

Thanks to Nicolas Fevrier for the opportunity and guidance to write this tech post. Thanks to Dirk van den Borne for encouraging me to create a tech post. Thanks also to Octavio Leonel, Mark Denny and Paul Lachapelle for the review and suggestions.

Comments

If you want to reach out for comments, feedback or questions, drop us a mail at:

Revision History

Version   Author(s)           Date          Comments
1         Ricardo Dominguez   August 2023   Initial Publication


#SolutionsandTechnology
#MXSeries