NAT Deployment in Cloud Networks


2 NAT Deployment in Cloud Networks
Jason Yang, CCIE #10467, Technical Marketing Engineer

3 Session Goals
NAT is becoming the critical component of the Cloud Gateway; customers are thirsty for recommendations and best practices to design NAT with high scalability and high availability in hosted cloud networks. This session will share:
1. How VRF-Aware Network Address Translation (NAT) enables the Cloud Gateway architecture
2. Cloud Gateway high availability design
3. Performance, scalability and operation best practice*
* This section focuses on the ASR 1000 as the Cloud Gateway platform

4 Agenda
- Cloud Gateway Architecture enabled by VRF-Aware NAT
- Cloud Gateway HA Design
- Perf/Scale & Operation Best Practice
- Summary and Take Away

5 Cloud Gateway Architecture enabled by VRF-Aware NAT

6 Cloud Gateway Architecture
[Diagram: Apps on the MPLS VPN - PE - GW (Cloud Gateway, with AAA and Location) - Hosted Cloud Services, Internet, Partners]
- Multi-tenant: VRF-aware, VRF scale, private/overlapping addressing, access to common services
- Network Address Translation: inter-VRF communication, VRF-Aware Service Infrastructure (VASI)
- High Availability: dual-box design, stateless redundancy, NAT scale, stateful redundancy

7 VRF-Aware NAT & VASI
VRF NAT supports MPLS/VPN for:
- communication between remote hosts in different VPNs and Internet/common servers
- intra-VPN communication
VRF-Aware Service Infrastructure (VASI) provides traffic flows and routing exchange across different VRFs:
- VASI is implemented using virtual interface pairs (vasileftX, vasirightX), where each interface in the pair is associated with a different VRF instance
- Services such as NAT, ACL, policing, ZBFW, IPsec and PBR are applied on the VASI interfaces

8 Connectivity Model Summary
Model 1
- Cloud Gateway AS connectivity to the VPN network: GW and PE are in different BGP ASes; cloud services are managed outside the business VPN network; Inter-AS Option A (ebgp + back-to-back VRF); NAT inside interface on the GW
- (a) Connectivity to the cloud in global: NAT outside interface
- (b) Connectivity to the cloud in a VRF: requires VASI; NAT outside on VASIleft
- Routing over VASI: ibgp
Model 2
- Cloud Gateway AS connectivity to the VPN network: GW and PE are in different BGP ASes; cloud services are managed outside the business VPN network; Inter-AS Option B (ebgp + label); NAT inside interface on the GW
- (a) Connectivity to the cloud in global: NAT outside interface
- (b) Connectivity to the cloud in a VRF: requires VASI; NAT outside on VASIleft
- Routing over VASI: ibgp
Model 3
- Cloud Gateway AS connectivity to the VPN network: GW and PE are in the same BGP AS; cloud services are managed as part of the business VPN network; MP-iBGP; NAT inside interface on the GW
- (a) Connectivity to the cloud in global: N/A
- (b) Connectivity to the cloud in a VRF: requires VASI; NAT outside on VASIleft
- Routing over VASI: ebgp
AS: Autonomous System. One model is flagged on the slide as "the most common".

9 Connectivity Model 1a: HCS service in the global routing table
- Inter-AS Option A
- VRF/VLAN sub-interface as the VRF-aware NAT inside interface
- Global interface as the NAT outside interface
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG (AS65004) - PE (VRFR, VRFB, VRFG) - N x ebgp - GW (AS577; VRFR, VRFB, VRFG; "ip nat inside" on the VRF sub-interfaces, "ip nat outside" on the global interface) - HCS SR (global) - S_Network]
PE: Provider Edge Router; GW: Cloud Gateway Router; SR: Service Router

10 Connectivity Model 1b: HCS service in a VRF
- Inter-AS Option A
- VRF/VLAN sub-interface as the VRF-aware NAT inside interface
- VASI to facilitate inter-VRF communication
- VASIleft VRF interface as the NAT outside interface
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG (AS65004) - PE (VRFR, VRFB, VRFG) - N x ebgp - GW (AS577; VRFR, VRFB, VRFG; "ip nat inside" on the VRF sub-interfaces, "ip nat outside" on VASILeftx; VASIRightx in the Service VRF) - HCS SR - S_Network]

11 Connectivity Model 2a: HCS service in the global routing table
- Inter-AS Option B
- MPLS interface as the VRF-aware NAT inside interface
- Global interface as the NAT outside interface
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG - PE - 1 x ebgp over MPLS - GW (AS577, global; "ip nat inside" on the MPLS interface, "ip nat outside" on the global interface) - HCS SR - S_Network]

12 Connectivity Model 2b: HCS service in a VRF
- Inter-AS Option B
- MPLS interface as the VRF-aware NAT inside interface
- VASI to facilitate inter-VRF communication
- VASILeft VRF interface as the NAT outside interface
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG - PE - 1 x ebgp over MPLS - GW (AS577, Service VRF; "ip nat inside" on the MPLS interface, "ip nat outside" on VASILeftx; VASIRightx in the Service VRF) - HCS SR - S_Network]

13 Connectivity Model 3: HCS service in a VRF
- MP-iBGP
- MPLS interface as the VRF-aware NAT inside interface
- VASI to facilitate inter-VRF communication
- VASILeft VRF interface as the NAT outside interface
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG - PE (MPLS/VPN) - MP-iBGP (AS65004) - GW (MPLS; "ip nat inside" on the MPLS interface, "ip nat outside" on VASILeftx; VASIRightx) - MPLS - SR - S_Network]

14 Connectivity Model 1 Control Plane
- Inter-AS Option A is the most secure and the easiest to provision
- Inter-AS Option A may face a manageability challenge as the number of VRFs grows
- GW and SR can run static/IGP/BGP to exchange routes, though BGP scales and is seamless
- ibgp can run in the VASI pairs to exchange routes between VRFs
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG (AS65004) - PE (VRFR, VRFB, VRFG) - N x ebgp - GW (VRFR, VRFB, VRFG and Service VRF; ibgp over VASI) - ebgp - HCS SR (AS223) - S_Network. The Cloud Service Network is advertised to the customers; the NAT pool is advertised to the cloud.]

15 Connectivity Model 1 Data Plane
- The customer initiates the connection to the cloud
- The routing lookup is performed before the VRF-aware NAT translation
- VASI allows customer VRF traffic to flow to the Cloud Service VRF and vice versa
- For the return traffic, NAT is performed in the customer VRF first, then the routing lookup is made
[Diagram: customer networks (AS65004) - PE (VRFR, VRFB, VRFG) - N x ebgp - GW (AS577; VRFR, VRFB, VRFG, Service VRF; ibgp over VASI) - ebgp - HCS SR (AS223) - S_Network; (S)/(D) markers show the source and destination addresses at each hop]

16 Connectivity Model 1 Configuration
interface GigabitEthernet0/0/0.2
 description PE facing interface for VRFR
 encapsulation dot1q 2
 vrf forwarding VRFR
 ip address
 ip nat inside
interface vasileft1
 vrf forwarding VRFR
 ip address
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address
access-list 4 permit
ip nat pool pool-pc prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp 577
 address-family ipv4 vrf VRFS
  bgp router-id
  bgp log-neighbor-changes
  neighbor remote-as 223
  neighbor description PEERING to SR
  neighbor activate
  neighbor remote-as 577
  neighbor next-hop-self
  neighbor description PEERING to VASI VRFR interface
  neighbor activate
 address-family ipv4 vrf VRFR
  bgp router-id
  redistribute static
  neighbor remote-as 577
  neighbor description PEERING to VASI VRFS interface
  neighbor activate
  neighbor prefix-list VRF_Pool out
  neighbor remote-as
  neighbor description PEERING to PE
  neighbor activate
ip prefix-list VRF_Pool seq 5 permit /32
ip route vrf VRFR null0

17 Connectivity Model 2 Control Plane
- Inter-AS Option B: a single ebgp session exchanges VPN routes and labels
- Label spoofing could be a concern
- GW and SR can run static/IGP/BGP to exchange routes, though BGP scales and is seamless
- ibgp can run in the VASI pairs to exchange routes between VRFs
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG (AS65004) - PE (MPLS) - 1 x ebgp with labels (L, L6) - GW (Service VRF; ibgp over VASI) - ebgp - HCS SR (AS223) - S_Network. The Cloud Service Network is advertised to the customers; the NAT pool is advertised to the cloud.]

18 Connectivity Model 2 Data Plane
- The customer initiates the connection to the cloud
- VASI allows customer VRF traffic to flow to the Cloud Service VRF and vice versa
- Label disposition, followed by the routing lookup, then the VRF-aware NAT translation is performed
- For the return traffic, NAT is performed in the customer VRF first, then the routing lookup is made, then the label is imposed
[Diagram: customer networks (AS65004) - PE (MPLS) - 1 x ebgp - GW (AS577, Service VRF; ibgp over VASI) - ebgp - HCS SR (AS223) - S_Network; (S)/(D) markers and labels L, L6 show the addresses and label at each hop]

19 Connectivity Model 2 Configuration
interface GigabitEthernet0/0/0
 description PE facing interface
 ip address
 ip nat inside
 mpls bgp forwarding
interface vasileft1
 vrf forwarding VRFR
 ip address
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address
access-list 4 permit
ip nat pool pool-pc prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp 577
 neighbor remote-as
 neighbor description PEERING to PE
 address-family ipv4 vrf VRFS
  bgp router-id
  bgp log-neighbor-changes
  neighbor remote-as 223
  neighbor description PEERING to SR
  neighbor activate
  neighbor remote-as 577
  neighbor next-hop-self
  neighbor activate
  neighbor description PEERING to VASI VRFR interface
 address-family ipv4 vrf VRFR
  bgp router-id
  redistribute static
  neighbor remote-as 577
  neighbor description PEERING to VASI VRFS interface
  neighbor activate
  neighbor prefix-list VRF_Pool out
 address-family vpnv4
  neighbor activate
  neighbor send-community both
ip prefix-list VRF_Pool seq 5 permit /32
ip route vrf VRFR null0

20 Connectivity Model 2 Configuration (cont'd)
VASI becomes the VRF termination point in the GW, an ideal place to apply per-VRF security and QoS policy.
interface vasileft1
 vrf forwarding VRFR
 ip address
 ip access-group VASI-1-LEFT-IN in
 ip access-group VASI-1-LEFT-OUT out
 ip nat outside
 service-policy output Police_Cloud_ACCESS_VRFR_10meg*
interface vasiright1
 vrf forwarding VRFS
 ip address
 ip access-group VASI-1-RIGHT-IN in
 ip access-group VASI-1-RIGHT-OUT out
* Queuing policy is not supported on VASI, only policing and marking

21 Connectivity Model 3 Control Plane
- The cloud service is part of the business VPN network
- MP-iBGP full mesh with all other PEs/RR/SR to exchange VPN routes and labels
- ebgp can run in the VASI pairs to exchange routes between VRFs
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG - PE (MPLS/VPN) - MP-iBGP with labels (L, L3, L6) - GW (MPLS; ebgp over VASI) - MPLS - SR (label L1) - S_Network. The Cloud Service Network is advertised to the customers; the NAT pool is advertised to the cloud.]

22 Connectivity Model 3 Data Plane
- The customer initiates the connection to the cloud
- VASI allows customer VRF traffic to flow to the Cloud Service VRF and vice versa
- Label disposition, followed by the routing lookup, then the VRF-aware NAT translation is performed
- For the return traffic, NAT is performed in the customer VRF first, then the routing lookup is made, then the label is imposed
[Diagram: customer networks (AS65004) - PE (MPLS/VPN) - MP-iBGP - GW (MPLS; ebgp over VASI) - MPLS - SR - S_Network; (S)/(D) markers and labels L, L1, L3, L6 show the addresses and label at each hop]

23 Connectivity Model 3 Configuration
interface GigabitEthernet0/0/0
 description MPLS VPN facing interface
 ip address
 ip nat inside
 mpls ip
interface vasileft1
 vrf forwarding VRFR
 ip address
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address
 ip policy route-map PBR_FW
interface GigabitEthernet0/0/1
 description Service facing interface
 ip address
 mpls ip
route-map PBR_FW permit 10
 match ip address PBR_FW
 set ip next-hop recursive vrf FW_VRF
access-list 4 permit
ip nat pool pool-pc prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp
 neighbor remote-as
 neighbor description PEERING to RR
 neighbor update-source loopback0
 address-family ipv4 vrf VRFS
  redistribute connected
  neighbor remote-as
  neighbor local-as
  neighbor update-source vasiright1
  neighbor activate
 address-family ipv4 vrf VRFR
  redistribute static
  neighbor remote-as
  neighbor local-as
  neighbor update-source vasileft1
  neighbor activate
  neighbor prefix-list VRF_Pool out
  default-information originate
 address-family vpnv4
  neighbor activate
  neighbor send-community both
ip prefix-list VRF_Pool seq 5 permit /32
ip route vrf VRFR null0

24 Design of NAT Pool
Pool per VRF
1. Ease of maintenance
2. Ease of debugging
3. Add/remove customers without service disruption
ip nat pool customer1-nat-pool prefix-length 24
ip access-list extended customer1-acl
 deny ip <router-generated-ip>
 permit ip
ip nat inside source list customer1-acl pool customer1-nat-pool overload vrf customer1-vrf
ip nat pool customer2-nat-pool prefix-length 24
ip access-list extended customer2-acl
 deny ip <router-generated-ip>
 permit ip
ip nat inside source list customer2-acl pool customer2-nat-pool overload vrf customer2-vrf
Shared pool by all VRFs
1. Efficient use of addresses
2. Less configuration
3. Removing one customer causes interruption of all other customers' NAT
ip nat pool shared-nat-pool prefix-length 16
ip access-list extended shared-cust-acl
 deny ip <router-generated-ip>
 permit ip
ip nat inside source list shared-cust-acl pool shared-nat-pool overload vrf customer1-vrf
ip nat inside source list shared-cust-acl pool shared-nat-pool overload vrf customer2-vrf

25 What Mode of NAT to Run - NAT vs. CGN
- Session entry: traditional NAT keeps the full 5-tuple {protocol, source address, source port, destination address, destination port}; Carrier Grade NAT (CGN) keeps a 3-tuple {protocol, source address, source port}
- Default timeout: traditional NAT 24 hrs for TCP; CGN 15 mins for TCP
- Outside mapping rule (ip nat outside source): traditional NAT supported; CGN not supported
- EIM/EIF: traditional NAT not supported; CGN supported
- High Speed Logging (HSL): traditional NAT logs full tuples; CGN has no destination info in the logging record
- Bulk logging and Port Block Allocation: traditional NAT not supported; CGN supported
- Scalability: CGN supports double the sessions of traditional NAT
- License: traditional NAT requires no license; CGN requires a license

26 NAT vs. CGN: Session Entry
Traditional NAT (show ip nat translations, addresses omitted on the slide):
Pro Inside global Inside local Outside local Outside global
tcp : : : :23
CGN:
Pro Inside global Inside local Outside local Outside global
tcp : :

27 NAT vs. CGN: EIM/EIF
Endpoint-Independent Mapping (EIM) provides a stable, long-term binding where internal hosts may connect by utilizing the same NAT binding for multiple external hosts (as long as the internal port does not change).
Endpoint-Independent Filtering (EIF) is closely related to EIM, and controls which external servers may access a host using an established binding.
This is typical for peer-to-peer applications and some Internet messenger protocols.
CGN session entry: Pro Inside global Inside local Outside local Outside global / tcp : :
[Diagram: inside host X:x sends to Y1:y1 and to Y2:y2; outside the CGN both flows appear as X1:x1 -> Y1:y1 and X1:x1 -> Y2:y2 (SrcIP:Port, DstIP:Port on each side)]
EIM implies X1:x1 = X2:x2 for all Y:y (Y1:y1 and Y2:y2)
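The session-entry and EIM/EIF differences above, worked through in a small Python model. This is an added example, not Cisco code and not a model of IOS XE internals: the inside-global address 203.0.113.10, the inside host and the peers are constructed, and the "classic" table allocates a fresh global port per 5-tuple session because traditional NAT makes no EIM guarantee (a real box may happen to preserve the port, but nothing promises it).

```python
"""Session-table model for the NAT vs. CGN comparison: traditional NAT keys
each session on the full 5-tuple, CGN on the 3-tuple {protocol, source
address, source port}, which is what gives endpoint-independent mapping (EIM)
and, with endpoint-independent filtering (EIF), lets any external host reach
the binding. Added example; all addresses below are constructed."""

FIRST_PORT = 1024
GLOBAL_ADDRESS = "203.0.113.10"   # constructed inside-global (pool) address


class NatTable:
    def __init__(self, mode):
        if mode not in ("classic", "cgn"):
            raise ValueError(mode)
        self.mode = mode
        self.sessions = {}          # session key -> (global_ip, global_port)
        self.next_port = FIRST_PORT

    def _key(self, vrf, proto, src, sport, dst, dport):
        if self.mode == "cgn":
            return (vrf, proto, src, sport)              # 3-tuple: destination not stored
        return (vrf, proto, src, sport, dst, dport)      # full 5-tuple, per VRF

    def outbound(self, vrf, proto, src, sport, dst, dport):
        """Inside-to-outside packet: create the session if new, return the global endpoint."""
        key = self._key(vrf, proto, src, sport, dst, dport)
        if key not in self.sessions:
            # In CGN mode a second destination hits the same 3-tuple key and reuses
            # the binding (EIM); in classic mode it is a brand-new 5-tuple session.
            self.sessions[key] = (GLOBAL_ADDRESS, self.next_port)
            self.next_port += 1
        return self.sessions[key]

    def inbound_allowed(self, vrf, proto, ext, eport, gip, gport):
        """Outside-to-inside packet from ext:eport to the global endpoint gip:gport."""
        for key, glob in self.sessions.items():
            if key[0] != vrf or key[1] != proto or glob != (gip, gport):
                continue
            if self.mode == "cgn":
                return True                 # EIF: any external endpoint may use the binding
            if key[4:] == (ext, eport):
                return True                 # 5-tuple: only the peer recorded in the session
        return False


def compare(mode):
    """One inside host talks to two servers; then a third host tries to reach it unsolicited."""
    table = NatTable(mode)
    host = ("VRFR", "tcp", "10.1.1.5", 40000)            # constructed inside host
    g1 = table.outbound(*host, "198.51.100.1", 443)
    g2 = table.outbound(*host, "198.51.100.2", 443)
    return {
        "session_entries": len(table.sessions),
        "eim_binding_stable": g1 == g2,        # the slide's X1:x1 = X2:x2 for all Y:y
        "unsolicited_inbound_allowed": table.inbound_allowed(
            "VRFR", "tcp", "198.51.100.3", 5000, *g1),
    }


if __name__ == "__main__":
    for mode in ("classic", "cgn"):
        print(mode, compare(mode))
```

The two results show the trade-off the table states: CGN needs one entry where classic NAT needs two (the "double the sessions" scalability line), and the same 3-tuple binding that gives EIM also means an unsolicited external host can reach the mapped port once it exists, which is what EIF policy must govern.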

28 NAT vs. CGN: High Speed Logging (HSL)
A high-speed NAT device generates NAT transaction events (creation/deletion) at rates above 100k events/sec, which syslog cannot support. HSL lets the NAT datapath export the transaction records (NetFlow v9-like) directly to an external collector.
Field: Format
- Source IP address: IPv4 address
- Translated source IP address: IPv4 address
- Destination IP address: IPv4 address (info not available in CGN mode)
- Translated destination IP address: IPv4 address (info not available in CGN mode)
- Original source port: 16-bit port
- Translated source port: 16-bit port
- Original destination port: 16-bit port (info not available in CGN mode)
- Translated destination port: 16-bit port (info not available in CGN mode)
- VRF ID: 32-bit ID
- Protocol: 8-bit value
- Event: 0 = invalid, 1 = add event, 2 = delete event
- Unix timestamp in milliseconds: 64-bit value

29 NAT vs. CGN: Bulk Logging and Port Block Allocation (BPA)
Problem: high setup/teardown rates on NAT devices force customers to store terabits of data a day for NAT HSL. Customers want this volume of logging significantly reduced.
Solution: provide each end user with a block of ports, and log only when the block gets (dis)associated with a user.
For example, a BPA configuration with set size 8 and step size 4:
Set 0 = {1024, 1028, 1032, 1036, 1040, 1044, 1048, 1052}
Set 1 = {1025, 1029, 1033, 1037, 1041, 1045, 1049, 1053}
Set 2 = {1026, 1030, 1034, 1038, 1042, 1046, 1050, 1054}
Set 3 = {1027, 1031, 1035, 1039, 1043, 1047, 1051, 1055}
Field: Format
- Source IP address: IPv4 address
- Translated source IP address: IPv4 address
- VRF ID: 32-bit ID
- Protocol: 8-bit value
- Event: 0 = invalid, 1 = add event, 2 = delete event
- Unix timestamp in milliseconds: 64-bit value
- Port block start: 16-bit port
- Port block step size: 16-bit step size
- Number of ports in the block: 16-bit number
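The interleaved port sets and the "log only on block (dis)association" rule above, as an added Python example (not Cisco code). The log record is a plain dict carrying the field names the slide lists, not the NetFlow v9-style wire format; the translated address, VRF ID and timestamps are constructed. port_block generalises the slide's four sets to any block number: blocks 0 to 3 are Set 0 to Set 3, and block 4 starts at 1056 where Set 3 leaves off.

```python
"""Port Block Allocation model: the port space is cut into sets of `set_size`
ports spaced `step_size` apart, a subscriber is handed a whole set, and a
record is emitted only when a set is associated with a subscriber.
Added example; addresses, VRF IDs and timestamps are constructed."""


def port_block(block_no, set_size=8, step_size=4, base_port=1024):
    """Ports of block `block_no`; blocks 0..3 are the slide's Set 0..Set 3 for 8/4."""
    group, idx = divmod(block_no, step_size)
    start = base_port + group * set_size * step_size + idx
    return [start + step_size * i for i in range(set_size)]


class BlockAllocator:
    """Hands out port blocks per (VRF, inside address, protocol); logs block events only."""

    def __init__(self, translated_ip, set_size=8, step_size=4):
        self.translated_ip = translated_ip
        self.set_size, self.step_size = set_size, step_size
        self.next_block = 0
        self.blocks = {}      # (vrf_id, src_ip, proto) -> list of blocks owned
        self.used = {}        # block -> number of its ports handed out
        self.log = []         # BPA records, one per block association

    def _record(self, event, vrf_id, src_ip, proto, block, ts_ms):
        return {
            "Source IP address": src_ip,
            "Translated source IP address": self.translated_ip,
            "VRF ID": vrf_id,
            "Protocol": proto,
            "Event": event,                        # 1 = add event, 2 = delete event
            "Unix timestamp in milliseconds": ts_ms,
            "Port block start": block[0],
            "Port block step size": self.step_size,
            "Number of ports in the block": len(block),
        }

    def new_session(self, vrf_id, src_ip, proto, ts_ms):
        """Return a global port for a new session; log only if a new block was needed."""
        key = (vrf_id, src_ip, proto)
        for block in self.blocks.get(key, []):
            if self.used[block] < len(block):          # room left in an owned block
                port = block[self.used[block]]
                self.used[block] += 1
                return port
        block = tuple(port_block(self.next_block, self.set_size, self.step_size))
        self.next_block += 1
        self.blocks.setdefault(key, []).append(block)
        self.used[block] = 1
        self.log.append(self._record(1, vrf_id, src_ip, proto, block, ts_ms))
        return block[0]


def demo(sessions=10):
    """One subscriber opening `sessions` TCP sessions: ports used and records logged."""
    alloc = BlockAllocator("203.0.113.10")           # constructed translated address
    ports = [alloc.new_session(100, "10.1.1.5", 6, 1700000000000 + i)
             for i in range(sessions)]
    return ports, len(alloc.log), alloc.log


if __name__ == "__main__":
    ports, records, log = demo()
    print("ports:", ports)
    print("per-session HSL would log", len(ports), "add events; BPA logged", records)
    for record in log:
        print(record)
```

Ten sessions from one subscriber consume all of Set 0 and two ports of the next block, so BPA emits two add records where per-session HSL would emit ten; a matching event-2 record would be emitted when the last session in a block ends and the block is released.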

30 Cloud Gateway HA Design

31 High Availability Design
- Dual GWs; dual PEs; dual SRs
- Fast failure detection: BFD (sub-second); not all platforms support BFD
- Common failure detection: BGP (~tens of seconds)
- BGP determines the active path, symmetric routing and the convergence time
- The GWs are in (stateless) active/standby from the NAT perspective
[Diagram: customer networks C_NetworkR, C_NetworkB, C_NetworkG (AS65004) - PE1 and PE2 (VRFR) - N x ebgp/bfd - GW1 and GW2 (AS577; VRFR and Service VRF, ibgp over VASI) - ebgp/bfd - SR1 and SR2 (AS223, HCS) - S_Network]

32 Failover Scenario: GW1-SR1 BGP session down
PE1-GW1-SR1 is the active path; PE2-GW2-SR2 is the standby path.
When the GW1-SR1 BGP session goes down:
- GW1 withdraws S_Network from PE1
- PE2-GW2-SR2 becomes the best path, and GW2 begins to set up NAT translations
[Diagram: customer networks (AS65004) - PE1/PE2 (VRFR) - N x ebgp/bfd - GW1/GW2 (AS577, Service VRF) - ebgp/bfd - SR1/SR2 (AS223, HCS) - S_Network]

33 Failover Scenario: PE1-GW1 BGP session down
PE1-GW1-SR1 is the active path; PE2-GW2-SR2 is the standby path.
When the PE1-GW1 BGP session goes down, GW1 is still advertising the NAT_Pool to SR1, which causes SR1 to blackhole customer traffic towards GW1.
[Diagram: customer networks (AS65004) - PE1/PE2 (VRFR) - N x ebgp/bfd - GW1/GW2 (Service VRF) - ebgp/bfd - SR1/SR2 (AS223, HCS) - S_Network]

34 Failover Scenario: PE1-GW1 BGP session down (cont'd)
Solution: BGP VRF-aware conditional advertisement. The condition is that C_NetworkR exists in the BGP VRFR table on GW1; if it does, GW1 advertises the NAT_Pool towards VASIRight, otherwise it withdraws the NAT_Pool from VASIRight.
[Diagram: customer networks (AS65004) - PE1/PE2 (VRFR) - N x ebgp/bfd - GW1/GW2 (Service VRF) - ebgp/bfd - SR1/SR2 (AS223, HCS) - S_Network]

35 Failover Scenario: PE1-GW1 BGP session down (cont'd)
interface GigabitEthernet0/0/0.2
 description PE facing interface for VRFR
 encapsulation dot1q 2
 vrf forwarding VRFR
 ip address
 ip nat inside
 bfd interval 50 min_rx 50 multiplier 3
interface vasileft1
 vrf forwarding VRFR
 ip address
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address
access-list 4 permit
ip nat pool pool-pc prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
ip prefix-list VRF_Pool seq 5 permit /32
ip prefix-list p1-adv-1 seq 5 permit /32
ip prefix-list p1-exist-1 seq 5 permit /32
router bgp 577
 address-family ipv4 vrf VRFS
  bgp router-id
  bgp log-neighbor-changes
  neighbor remote-as 223
  neighbor description PEERING to SR
  neighbor activate
  neighbor remote-as 577
  neighbor next-hop-self
  neighbor description PEERING to VASI VRFR interface
  neighbor activate
 address-family ipv4 vrf VRFR
  bgp router-id
  redistribute static
  neighbor remote-as 577
  neighbor description PEERING to VASI VRFS interface
  neighbor activate
  neighbor advertise-map ADV-1 exist-map EXIST-1
  neighbor prefix-list VRF_Pool out
  neighbor remote-as
  neighbor description PEERING to PE
  neighbor activate
route-map ADV-1 permit 10
 match ip address prefix-list p1-adv-1
route-map EXIST-1 permit 10
 match ip address prefix-list p1-exist-1
ip route vrf VRFR null0

36 Intra-Chassis Redundancy - ASR 1000 built for Carrier-Grade HA
- Redundant ESP/RP on the ASR 1006 and ASR 1013
- Zero packet loss on RP fail-over
- < 50 ms loss for ESP fail-over
- Intra-chassis Stateful Switchover (SSO) support for NAT
- IOS XE also provides full support for network resiliency: NSR/GR for BGP, BFD, SSO support for ISSU
[Diagram: ASR 1000 chassis with SIPs (SPAs, SPA aggregation, IOCP), redundant ESPs (FECP, QFP with PPEs and BQS, crypto assist) and redundant RPs (CPU)]

37 Performance, Scalability & Operation Best Practice

38 ASR1000 Building Blocks
- Route Processor (RP): handles control plane traffic and manages the system (CPU, FECP, embedded GE switch, interconnect)
- Embedded Service Processor (ESP): handles forwarding plane traffic (FECP, QFP with PPEs and BQS, crypto assist, interconnect)
- SPA Interface Processor (SIP): houses SPAs and buffers packets in and out (SPA aggregation, IOCP, interconnect)
- Shared Port Adapters (SPAs) provide interface connectivity
- Centralized Forwarding Architecture: all traffic flows through the active ESP; the standby is synchronized with all flow state over a dedicated 10-Gbps link
- Distributed Control Architecture: all major system components have a powerful control processor dedicated to the control and management planes
[Diagram: chassis with three SIPs, two ESPs and two RPs connected over the midplane interconnect]

39 NAT <> ESP Resources Dependency
NAT items called out against the ESP block diagram:
- ACL/ACE, route-map
- NAT sessions
- NAT VFR re-assembly
- Memory for the FECP: QFP client/driver, statistics, ACL ACEs copy, NAT config objects
[Diagram: ESP with FECP (DDRAM, boot flash with OBFL, JTAG, reset/power control, temperature sensor, EEPROM, E-RP, PCI, E-CSR), TCAM, Resource DRAM, QFP complex (PPE 1..40, dispatcher, BQS), Packet Buffer DRAM, crypto (Nitrox-II CN2430) with SA table DRAM, SPA control/SPA bus, SPI mux and interconnect to the RPs and SIPs; links: GE 1Gbps, I2C, ESI 11.2Gbps, SPA-SPI 11.2Gbps, Hypertransport 10Gbps]

40 ASR1000 NAT Scalability (uni-dimensional)
- NAT sessions (classic): ASR 1001 250k; ASR 1002-X 2M; ESP5 250k; ESP10 1M; ESP20 2M; ESP40 2M; ESP100 4M; ESP200 4M
- NAT sessions (CGN): ASR 1001 500k; ASR 1002-X 4M; ESP5 500k; ESP10 1.75M; ESP20 4M; ESP40 4M; ESP100 12M; ESP200 12M
- NAT pools, VRFs for VRF-aware NAT, route-maps with NAT: values on the slide are 4k 4k 1k 1k 4k 4k 4k 4k (the column assignment is lost)

41 ASR1000 NAT Performance (uni-dimensional)
- NAT session setup rate: ASR 1001 50cps; ASR 1002-X 230cps (pat); ESP5 50kcps; ESP10 100kcps; ESP20 200kcps (dyn) / 139kcps (pat); ESP40 200kcps (dyn) / 95kcps (pat); ESP100 250kcps (pat); ESP200 300kcps (pat)
- NAT (classic) performance: ASR 1001 3Mpps; ASR 1002-X 10Mpps; ESP5 3Mpps; ESP10 6Mpps; ESP20 8Mpps; ESP40 9Mpps; ESP100 23Mpps; ESP200 45Mpps
- NAT (CGN) performance: ASR 1001 2.2Mpps; ASR 1002-X -; ESP5 2.2Mpps; ESP10 5Mpps; ESP20 7Mpps; ESP40 7Mpps; ESP100 18Mpps; ESP200 34Mpps
- NAT (classic) throughput: ASR 1001 5Gbps; ASR 1002-X 36Gbps; ESP5 5Gbps; ESP10 10Gbps; ESP20 20Gbps; ESP40 40Gbps; ESP100 100Gbps; ESP200 200Gbps

42 Application Layer Gateway (ALG)
The ASR 1000 supports comprehensive ALGs. With ALG traffic, an "any any" ACL is not supported: it could lead to undesired payload translations, causing unexpected application behavior.
ALG      VFR  vTCP  L4       VRF  HA
FTP      Yes  No    tcp      Yes  Yes
H323     No   Yes   tcp,udp  Yes  Yes
RTSP     Yes  Yes   tcp      Yes  Yes
SCCP     No   No    tcp      Yes  Yes
SIP      Yes  Yes   tcp,udp  Yes  Yes
TFTP     No   N/A   udp      Yes  Yes
NETBIOS  No   No    tcp,udp  Yes  Yes
RCMD     No   No    tcp      Yes  Yes
LDAP     No   No    tcp      Yes  Yes
DNS      Yes  Yes   tcp,udp  Yes  Yes
SUNRPC   Yes  No    tcp      Yes  Yes
MSRPC    Yes  No    tcp      Yes  Yes
PPTP     No         tcp      Yes  Yes

43 ASR 1000 HSL Supported Collectors: Isarflow, Lancope, ActionPacked

44 Key System Resources to Monitor
Resources: RP CPU, RP memory (IOS, Forwarding Manager), ESP memory (Forwarding Manager, QFP client/driver, datapath), FECP CPU, QFP, TCAM resource, DRAM packet memory, crypto assist, SIP
Commands and thresholds:
- show mem stat (RP memory)
- show proc cpu sort (RP CPU)
- show platform software status control-processor brief (RP/ESP CPU and memory) - 75%
- show platform hardware qfp active datapath util summary (QFP utilization) - 75%
- show platform hardware qfp active tcam resource-manager usage (TCAM) - 85%
- show platform hardware qfp active infra exmem statistics (QFP DRAM packet memory)

45 ASR 1000 Cloud Gateway Monitoring Guide (1)
- General best practice for an ASR 1000 in live deployment: RP/IOS/ESP CPU and memory utilization should not exceed 75% in steady state
- General best practice for an ASR 1000 in live deployment: QFP DRAM utilization should not exceed 85% in steady state

46 ASR 1000 Cloud Gateway Monitoring Guide (2)
For TCAM monitoring, keep an eye on the syslog:
%QFPTCAMRM-6-TCAM_RSRC_ERR: F0: QFP_sp: Allocation failed because of insufficient TCAM resources in the system
Recommendations
1. Test out TCAM utilization before making changes
2. There should always be unused TCAM entries equal to or greater than the size of the biggest ACL on the router
Be aware of the TCAM deny-jump issue

47 Set the Limit
Set NAT max-entries per system to no more than the platform scale:
ip nat translation max-entries <number of entries>
Be aware that:
1. NAT session scaling numbers are based on a few pools
2. PAT session scaling numbers are expected to drop as the number of overload pools rises
3. One data point we have: the ESP20 supports 500k sessions with 1200 overload pools vs. 2M sessions with a few pools
Set NAT max-entries per VRF to prevent a single customer from starving the entire system's translation limit:
ip nat translation max-entries vrf <vrf_name> <number of entries>
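The starvation the per-VRF limit guards against, as an added Python model (not Cisco code). The two limits stand in for the two commands above; the VRF names, the limits and the workload are constructed and far below real platform scale.

```python
"""Translation-limit model: with only a system-wide max-entries, one tenant
VRF can fill the whole table and starve the others; adding a per-VRF
max-entries caps that tenant while the rest keep getting entries.
Added example; limits, VRF names and workload are constructed."""


class TranslationLimits:
    def __init__(self, system_max, vrf_max=None):
        self.system_max = system_max          # ip nat translation max-entries <n>
        self.vrf_max = dict(vrf_max or {})    # ip nat translation max-entries vrf <vrf> <n>
        self.count = {}                       # current entries per VRF

    def admit(self, vrf):
        """Decide whether a new translation for `vrf` fits under both limits."""
        if sum(self.count.values()) >= self.system_max:
            return False                                  # table full for everyone
        if self.count.get(vrf, 0) >= self.vrf_max.get(vrf, self.system_max):
            return False                                  # this tenant hit its own cap
        self.count[vrf] = self.count.get(vrf, 0) + 1
        return True


def simulate(system_max, vrf_max, workload):
    """workload: (vrf, sessions requested) in arrival order; returns sessions granted per VRF."""
    limits = TranslationLimits(system_max, vrf_max)
    granted = {}
    for vrf, wanted in workload:
        granted[vrf] = granted.get(vrf, 0) + sum(limits.admit(vrf) for _ in range(wanted))
    return granted


# Constructed workload: customer1 is the noisy tenant and arrives first
WORKLOAD = [("customer1", 1500), ("customer2", 100)]

if __name__ == "__main__":
    print("system limit only :", simulate(1000, None, WORKLOAD))
    print("plus per-VRF limit:", simulate(1000, {"customer1": 600}, WORKLOAD))
```

With only the system-wide cap the first tenant takes all 1000 entries and the second gets none; a per-VRF cap on the noisy tenant leaves headroom for everyone else, which is the operational reason to set both.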

48 Features Interaction
This architecture is proven with the following features on the Cloud Gateway; do not enable more features unless they have been tested prior to deployment.
- VRF-aware NAT + VASI + MP-BGP
- On VASI: ACL, policing/marking MQC, PBR, ebgp or ibgp

49 Common Issues - TCAM Deny-Jump (1)
Problem description: in an ASR 1000 IPsec/FW/NAT deployment, the user may see the following message:
%CPP_FM-3-CPP_FM_TCAM_ERROR: F0: cpp_sp: TCAM limit exceeded
Error message explanation: this is a protection mechanism that prevents the system from crashing with a WATCH-DOG timeout error or a malloc failure.
Root cause analysis:
1. The classification engine in the TCAM can only represent permit entries.
2. The system converts the DENY entries into PERMIT ones using a cross product.
3. This recursive nature causes the required number of entries to explode.

50 Common Issues - TCAM Deny-Jump (2)
Workaround:
1. Before deploying the platform in production, apply the configuration in the lab
2. Modify the ACLs to use multiple specific permit statements, and try to reduce or eliminate the explicit use of deny statements
3. Use PBR to bypass NAT
Original NAT config:
ip nat inside source list NAT-ACL pool NAT-POOL overload
ip access-list extended NAT-ACL
 deny ip any
 permit ip any
VASI & PBR to bypass NAT:
ip nat inside source list NAT-ACL pool NAT-POOL overload
interface GigabitEthernet0/0/1
 description nat inside interface
 ip address
 ip nat inside
 ip policy route-map no-nat-rmap
interface vasileft1
 ip address
interface vasiright1
 ip address
ip access-list extended NAT-ACL
 permit ip any
ip access-list extended bypass-nat
 permit ip any
route-map no-nat-rmap permit 10
 match ip address bypass-nat
 set interface vasileft1
4. Static NAT
Original NAT config:
ip nat inside source list NAT-ACL pool NAT-POOL overload
ip access-list extended NAT-ACL
 deny ip host any
 permit ip any
Identity NAT:
ip nat inside source static no-alias
ip nat inside source list NAT-ACL pool NAT-POOL overload
ip access-list extended NAT-ACL
 permit ip any
Solutions:
1. IOS XE 3.10 introduced the SW classification engine to handle deny-jump-like classification
2. The system still uses the TCAM as long as it has room; when the TCAM does not fit, it switches to the SW classification engine

51 Common Issues - NAT ADDR ALLOC FAILURE (1)
Problem description: in an ASR 1000 PAT/overload configuration, the system gets the error message:
"%NAT-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted"
Debug information that should be gathered:
show platform hardware qfp active feature nat data pool
show platform hardware qfp active feature nat data port
show platform hardware qfp active feature nat data stat
show platform hardware qfp active feature nat data base
show ip nat translation | inc <global address of interest>
Common reasons for the failure:
1. The customer has a small pool which is being consumed by non-pattable binds.
2. A non-pattable bind shows in 'sh ip nat trans' as a single local address associated with a single global IP address.
3. It consumes an entire address in the pool.

52 Common Issues - NAT ADDR ALLOC FAILURE (2)
Solution 1
1. A non-pattable bind can be created by a packet with a non-pattable protocol.
2. The best way to prevent this is to tighten the ACL to exclude non-pattable protocols:
access-list 100 permit udp any
access-list 100 permit tcp any
access-list 100 permit icmp any
Solution 2
1. A non-pattable bind can be created by an ALG such as DNS, which has no ports in its L7 header and has requested a global NAT address.
2. Often customers do not need the DNS ALG, so the solution is to turn it off.
3. Below, the most common ALGs that produce non-pattable binds are turned off:
no ip nat service dns udp
no ip nat service dns tcp
no ip nat service netbios-ns tcp
no ip nat service netbios-ns udp
no ip nat service netbios-ssn
no ip nat service netbios-dgm
no ip nat service ldap
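The pool-exhaustion mechanism from the previous slide and the effect of Solution 1, as an added Python model (not Cisco code). The two-address pool, the packets and the set of protocols treated as pattable (tcp, udp and icmp, mirroring access-list 100 above) are constructed; whole-address consumption by a non-pattable bind is modelled as the slide describes it.

```python
"""Why a small overload (PAT) pool is exhausted by non-pattable binds, and how
restricting the NAT ACL to pattable protocols avoids it.
Added example; pool, packets and protocol sets are constructed."""

PATTABLE = {"tcp", "udp", "icmp"}                  # protocols that can share an address
ADDR_ALLOC_FAILURE = "%NAT-6-ADDR_ALLOC_FAILURE"   # message text from the slide


class OverloadPool:
    def __init__(self, addresses, first_port=1024, last_port=65535):
        self.free = list(addresses)     # addresses with no bind yet
        self.pat = {}                   # address -> next free port (PAT-shared address)
        self.exclusive = set()          # addresses consumed whole by a non-pattable bind
        self.first_port, self.last_port = first_port, last_port
        self.failures = []

    def allocate(self, proto, src):
        """Return (global_addr, global_port or None), or None on allocation failure."""
        if proto in PATTABLE:
            for addr, nxt in self.pat.items():      # prefer an address already in PAT use
                if nxt <= self.last_port:
                    self.pat[addr] = nxt + 1
                    return (addr, nxt)
            if self.free:
                addr = self.free.pop(0)
                self.pat[addr] = self.first_port + 1
                return (addr, self.first_port)
        elif self.free:                             # no L4 port: the bind takes a whole address
            addr = self.free.pop(0)
            self.exclusive.add(addr)
            return (addr, None)
        self.failures.append(
            f"{ADDR_ALLOC_FAILURE}: Address allocation failed for {proto} from {src}; "
            "pool may be exhausted")
        return None


def translate(packets, pool_addresses, acl=None):
    """Run (proto, src) packets through the pool; `acl` is the set of protocols eligible for NAT."""
    pool = OverloadPool(pool_addresses)
    translated = bypassed = 0
    for proto, src in packets:
        if acl is not None and proto not in acl:
            bypassed += 1                            # not matched by the NAT ACL: left untranslated
            continue
        if pool.allocate(proto, src) is not None:
            translated += 1
    return {"translated": translated, "bypassed": bypassed,
            "failures": len(pool.failures), "exclusive_addresses": len(pool.exclusive)}


# Constructed traffic: two GRE flows arrive before the TCP/UDP users, pool has two addresses
PACKETS = [("gre", "10.1.1.10"), ("gre", "10.1.1.11"), ("tcp", "10.1.1.12"), ("udp", "10.1.1.13")]
POOL = ["203.0.113.1", "203.0.113.2"]

if __name__ == "__main__":
    print("permit ip any  :", translate(PACKETS, POOL))
    print("tcp/udp/icmp only:", translate(PACKETS, POOL, acl=PATTABLE))
```

With a permit-everything ACL the two non-pattable flows each take a whole address and every later TCP/UDP session fails allocation; with the ACL limited to pattable protocols the GRE flows are simply not translated and the two-address pool serves every remaining session through port sharing.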

53 Summary and Take Away

54 NAT Deployment in Cloud Networks: Summary and Take Away
- Follow proven connectivity models
- Stateless failover with BGP/BFD
- High scale, high performance NAT on the ASR 1000
- Monitor key system resources proactively
[Diagram: Cloud Gateway keywords - 200Gbps, HA, BGP, VASI, NAT/CGN, Connectivity, HSL, ALG, 12M sessions]

55 Relevant Sessions at Cisco Live 2014
Breakout sessions:
- BRKSPG IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
- BRKARC-2019 Operating an ASR 1000
- BRKARC IOS XE Advanced Troubleshooting (NAT, VPN, FW packet forwarding)

56 Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

57 Continue Your Education
- Demos in the Cisco Campus (ASR1001-X live demo)
- Walk-in self-paced labs
- Table topics
- Meet the Engineer 1:1 meetings

58 Thank you.


More information

Multi-Protocol Label Switching (MPLS) Support

Multi-Protocol Label Switching (MPLS) Support This chapter describes the system's support for BGP/MPLS VPN and explains how it is d. The product administration guides provide examples and procedures for configuration of basic services on specific

More information

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since

More information

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) CVP CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This

More information

Implementing MPLS VPNs over IP Tunnels

Implementing MPLS VPNs over IP Tunnels The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Network (L3VPN) services, over an IP core network, using L2TPv3 multipoint tunneling instead of MPLS. This allows L2TPv3 tunnels

More information

Configuring Stateful Interchassis Redundancy

Configuring Stateful Interchassis Redundancy The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful

More information

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1 Advanced IPv6 Training Course Lab Manual v1.3 Page 1 Network Diagram AS66 AS99 10.X.0.1/30 2001:ffXX:0:01::a/127 E0/0 R 1 E1/0 172.X.255.1 2001:ffXX::1/128 172.16.0.X/24 2001:ff69::X/64 E0/1 10.X.0.5/30

More information

Introduction to External Connectivity

Introduction to External Connectivity Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.

More information

FlexVPN HA Dual Hub Configuration Example

FlexVPN HA Dual Hub Configuration Example FlexVPN HA Dual Hub Configuration Example Document ID: 118888 Contributed by Piotr Kupisiewicz, Wen Zhang, and Frederic Detienne, Cisco TAC Engineers. Apr 08, 2015 Contents Introduction Prerequisites Requirements

More information

Multihoming with BGP and NAT

Multihoming with BGP and NAT Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2

More information

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6 IP6FD v6 Fundamentals, Design, and Deployment v3.0 Cisco IOS IPv6 Cisco IOS IPv6 IPv6 IPv6 service provider IPv6 IP IPv6 IPv6 data link IPv6 Cisco IOS IPv6 IPv6 IPv6 DHCP DNS DHCP DNS IPv6 IPv4 IPv6 multicast

More information

Configuring Bridge Domain Interfaces

Configuring Bridge Domain Interfaces The Cisco ASR 1000 Series Aggregation Services Routers support the bridge domain interface (BDI) feature for packaging Layer 2 Ethernet segments into Layer 3 IP. Restrictions for Bridge Domain Interfaces,

More information

Deploying and Troubleshooting Network Address Translation

Deploying and Troubleshooting Network Address Translation Deploying and Troubleshooting Network Address Translation Session mihollow@cisco.com 2 Copyright Printed in USA. Agenda The WWW of NAT The Why, the What, and the Where Pitfalls and How to Avoid Tools for

More information

Configuring Multicast VPN Inter-AS Support

Configuring Multicast VPN Inter-AS Support Configuring Multicast VPN Inter-AS Support Last Updated: December 23, 2011 The Multicast VPN Inter-AS Support feature enables Multicast Distribution Trees (MDTs) used for Multicast VPNs (MVPNs) to span

More information

Stateful Network Address Translation 64

Stateful Network Address Translation 64 The feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful NAT64 translator algorithmically translates the IPv4 addresses of IPv4 hosts to

More information

Using the Management Ethernet Interface

Using the Management Ethernet Interface This chapter covers the following topics: Gigabit Ethernet Management Interface Overview, page 1 Gigabit Ethernet Port Numbering, page 1 IP Address Handling in ROMmon and the Management Ethernet Port,

More information

BGP MPLS VPNs. Introduction

BGP MPLS VPNs. Introduction This chapter describes services that are supported for Border Gateway Protocol (BGP) Multi-Protocol Label Switching (MPLS) Virtual Private Networks (VPNs). MPLS is a licensed Cisco feature that requires

More information

Exam Questions Demo Cisco. Exam Questions CCIE SP CCIE Service Provider Written Exam

Exam Questions Demo   Cisco. Exam Questions CCIE SP CCIE Service Provider Written Exam Cisco Exam Questions 400-201 CCIE SP CCIE Service Provider Written Exam Version:Demo 1. Which is one difference between H-VPLS and VPLS? A. VPLS is a point-to-point Layer-2 services and H-VPLS is a multipoint

More information

Configuring multicast VPN

Configuring multicast VPN Contents Configuring multicast VPN 1 Multicast VPN overview 1 Multicast VPN overview 1 MD-VPN overview 3 Protocols and standards 6 How MD-VPN works 6 Share-MDT establishment 6 Share-MDT-based delivery

More information

Configuring Network Address Translation

Configuring Network Address Translation Finding Feature Information, on page 1 Network Address Translation (NAT), on page 2 Benefits of Configuring NAT, on page 2 How NAT Works, on page 2 Uses of NAT, on page 3 NAT Inside and Outside Addresses,

More information

DMVPN for R&S CCIE Candidates

DMVPN for R&S CCIE Candidates DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since

More information

Table of Contents Chapter 1 MPLS L3VPN Configuration

Table of Contents Chapter 1 MPLS L3VPN Configuration Table of Contents Table of Contents... 1-1 1.1 MPLS L3VPN Overview... 1-1 1.1.1 MPLS L3VPN Model... 1-2 1.1.2 MPLS L3VPN Implementation... 1-5 1.1.3 Nested MPLS L3VPN Implementation... 1-7 1.1.4 Hierarchical

More information

CCIE R&S Techtorial MPLS

CCIE R&S Techtorial MPLS CCIE R&S Techtorial MPLS Ing. Tomáš Kelemen Partner Systems Engineer CCIE #24395 Ing. Peter Mesjar Systems Engineer CCIE #17428 2011 Cisco Systems, Inc. All rights reserved. 1 Agenda Introduction to MPLS

More information

This document is not restricted to specific software and hardware versions.

This document is not restricted to specific software and hardware versions. Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Configuration DN Bit Verify Troubleshoot Related Cisco Support Community Discussions Introduction

More information

Configuring MPLS L3VPN

Configuring MPLS L3VPN Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 Introduction to MPLS L3VPN 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 5 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information

More information

L3VPN Configuration. L3VPN Overview. Introduction to L3VPN

L3VPN Configuration. L3VPN Overview. Introduction to L3VPN Table of Contents L3VPN Configuration 1 L3VPN Overview 1 Introduction to L3VPN 1 L3VPN Concepts 2 L3VPN Networking Schemes 3 OSPF VPN Extension 6 L3VPN Configuration Task List 8 Configuring VPN Instances

More information

Feature Information for BGP Control Plane, page 1 BGP Control Plane Setup, page 1. Feature Information for BGP Control Plane

Feature Information for BGP Control Plane, page 1 BGP Control Plane Setup, page 1. Feature Information for BGP Control Plane Feature Information for, page 1 Setup, page 1 Feature Information for Table 1: Feature Information for Feature Releases Feature Information PoAP diagnostics 7.2(0)N1(1) Included a new section on POAP Diagnostics.

More information

Configuring NetFlow and NetFlow Data Export

Configuring NetFlow and NetFlow Data Export This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed independently on each internetworking

More information

Implementing MPLS Layer 3 VPNs

Implementing MPLS Layer 3 VPNs A Multiprotocol Label Switching (MPLS) Layer 3 Virtual Private Network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each customer site, one or

More information

CCIE R&S v5.0. Troubleshooting Lab. Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7

CCIE R&S v5.0. Troubleshooting Lab. Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7 Troubleshooting Lab Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7 Q2. R17 should have one default route which points to R12 via PPP as shown below R17# sh ip route S* 0.0.0.0/0

More information

Provisioning Overlay Networks

Provisioning Overlay Networks This chapter has the following sections: Using Cisco Virtual Topology System, page 1 Creating Overlays, page 2 Creating Network using VMware, page 4 Creating Subnetwork using VMware, page 4 Creating Routers

More information

Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions

Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions Introduction Much more bandwidth is available now than during the times of 300-bps modems, but the same business principles

More information

BIG-IP CGNAT: Implementations. Version 12.1

BIG-IP CGNAT: Implementations. Version 12.1 BIG-IP CGNAT: Implementations Version 12.1 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 7 Overview: The carrier-grade NAT (CGNAT) module... 7 About ALG Profiles...8 About CGNAT

More information

Contents. EVPN overview 1

Contents. EVPN overview 1 Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote

More information

Routing Configuration Guide, Cisco IOS XE Everest a (Catalyst 9300 Switches)

Routing Configuration Guide, Cisco IOS XE Everest a (Catalyst 9300 Switches) Routing Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches) First Published: 2017-06-20 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

Implementing NAT-PT for IPv6

Implementing NAT-PT for IPv6 Implementing NAT-PT for IPv6 Last Updated: August 1, 2012 Network Address Translation--Protocol Translation (NAT-PT) is an IPv6 to IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing

More information

Router 6000 R17 Training Programs. Catalog of Course Descriptions

Router 6000 R17 Training Programs. Catalog of Course Descriptions Router 6000 R7 Training Programs Catalog of Course Descriptions Catalog of Course Descriptions INTRODUCTION... 3 IP NETWORKING... 4 IP OVERVIEW & FUNDAMENTALS... 8 IP ROUTING OVERVIEW & FUNDAMENTALS...0

More information

Multiprotocol Label Switching

Multiprotocol Label Switching This module describes and how to configure it on Cisco switches. Restrictions for, page 1 Information about, page 1 How to Configure, page 3 Verifying Configuration, page 6 Restrictions for (MPLS) fragmentation

More information

MPLS VPN Explicit Null Label Support with BGP. BGP IPv4 Label Session

MPLS VPN Explicit Null Label Support with BGP. BGP IPv4 Label Session MPLS VPN Explicit Null Label Support with BGP IPv4 Label Session The MPLS VPN Explicit Null Label Support with BGP IPv4 Label Session feature provides a method to advertise explicit null in a Border Gateway

More information

Configuring IPv6 Provider Edge over MPLS (6PE)

Configuring IPv6 Provider Edge over MPLS (6PE) Finding Feature Information, page 1 Configuring 6PE, page 1 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature

More information

The Loopback Interface

The Loopback Interface 1 Overview The Loopback Interface ISP/IXP Workshops Requires IOS 11.1CC or 12.0 trains ISP software trains Covers router access, security, information gathering, configuration and scalability. 2 Motivation

More information

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP

More information

BGP mvpn BGP safi IPv4

BGP mvpn BGP safi IPv4 The BGP mvpn BGP safi 129 IPv4 feature provides the capability to support multicast routing in the service provider s core IPv4 network This feature is needed to support BGP-based MVPNs BGP MVPN provides

More information

Configuring Multiprotocol Label Switching (MPLS)

Configuring Multiprotocol Label Switching (MPLS) Configuring Multiprotocol Label Switching (MPLS) Multiprotocol Label Switching, page 1 Finding Feature Information, page 1 Information about Multiprotocol Label Switching, page 1 How to Configure Multiprotocol

More information

MPLS VPN. 5 ian 2010

MPLS VPN. 5 ian 2010 MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter includes the following sections: Network Address Translation Overview, on page 1 Information About Static NAT, on page 2 Dynamic NAT Overview, on page 3 Timeout Mechanisms, on page 3 NAT Inside

More information

Implementing Management Plane Protection

Implementing Management Plane Protection The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature

More information

IPv6 Bootcamp Course (5 Days)

IPv6 Bootcamp Course (5 Days) IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain

More information

Case Study A Service Provider s Road to IPv6

Case Study A Service Provider s Road to IPv6 Case Study A Service Provider s Road to IPv6 September 2010 Menog Amir Tabdili UnisonIP Consulting amir@unisonip.com The Scenario Residential Network L3 MPLS VPN Network Public Network The Scenario What

More information

Cisco CCIE Service Provider.

Cisco CCIE Service Provider. Cisco 400-201 CCIE Service Provider http://killexams.com/pass4sure/exam-detail/400-201 Question: 569 **Refer to the exhibit. After the BGP TCP negotiation between RouterA and RouterB, what will be the

More information

Route Leaking in MPLS/VPN Networks

Route Leaking in MPLS/VPN Networks Route Leaking in MPLS/VPN Networks Document ID: 47807 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Route Leaking from a Global Routing Table into a VRF and Route

More information

MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses

MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses The Multiprotocol Label Switching (MPLS) VPN Inter-AS with Autonomous System Boundary Routers (ASBRs) Exchanging VPN-IPv4 Addresses feature allows

More information

CCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s)

CCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s) Contents Section 1 Layer 2 Technologies... 2 1.1 Jameson s Datacenter: Access port... 2 1.2 Jameson s Datacenter: Trunk ports... 4 1.3 Jameson s Datacenter: Link bundling... 5 1.4 Jameson s Branch Offices...

More information

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way \ http://www.pass4test.com We offer free update service for one year Exam : 642-691 Title : CCIP BGP + MPLS Exam (BGP + MPLS) Vendors : Cisco Version

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

Cisco Evolved Programmable Network Implementation Guide for Large Network with End-to-End Segment Routing, Release 5.0

Cisco Evolved Programmable Network Implementation Guide for Large Network with End-to-End Segment Routing, Release 5.0 Cisco Evolved Programmable Network Implementation Guide for Large Network with End-to-End Segment Routing, Release 5.0 First Published: 2017-06-22 Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS

Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS CHAPTER 43 Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Cisco ME 3800X and ME 3600X

More information

Advanced CSR Lab with High Availability and Transit VPC

Advanced CSR Lab with High Availability and Transit VPC Advanced CSR Lab with High Availability and Transit VPC Fan Yang, Cisco, Engineer, Technical Marketing Nikolai Pitaev, Cisco, Engineer, Technical Marketing LTRVIR-3004 Agenda Slides (30 Min.): CSR 1000V

More information

Configuring High Availability

Configuring High Availability The Cisco High Availability (HA) technology enable network-wide protection by providing quick recovery from disruptions that may occur in any part of a network. A network's hardware and software work together

More information

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

Restrictions for Disabling Flow Cache Entries in NAT and NAT64 The feature allows you to disable flow cache entries for dynamic and static Network Address Translation (NAT) translations. Disabling flow cache entries for dynamic and static translations saves memory

More information

PREREQUISITES TARGET AUDIENCE. Length Days: 5

PREREQUISITES TARGET AUDIENCE. Length Days: 5 Cisco Implementing Cisco IP Routing v2.0 (ROUTE) ROUTE v2.0 includes major updates and follows an updated blueprint. However, note that this course does not cover all items listed on the blueprint. Some

More information

Implementing DCI VXLAN Layer 3 Gateway

Implementing DCI VXLAN Layer 3 Gateway This chapter module provides conceptual and configuration information for Data Center Interconnect (DCI) VXLAN Layer 3 Gateway on Cisco ASR 9000 Series Router. Release Modification Release 5.3.2 This feature

More information

VRF Aware Cisco IOS Firewall

VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF (Virtual Routing and Forwarding) interfaces when the firewall is configured on a service provider

More information

Implementing MPLS Forwarding

Implementing MPLS Forwarding All Multiprotocol Label Switching (MPLS) features require a core set of MPLS label management and forwarding services; the MPLS Forwarding Infrastructure (MFI) supplies these services. Feature History

More information

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

Configuring MPLS L3VPN

Configuring MPLS L3VPN Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 4 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information advertisement 8 Inter-AS VPN

More information

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4 TESTING & INTEGRATION GROUP TECHNICAL DOCUMENT DefensePro out of path with Cisco router INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4 CONFIGURATION... 4 TRAFFIC FLOW... 4 SOFTWARE AND

More information

BGP Support for Next-Hop Address Tracking

BGP Support for Next-Hop Address Tracking The feature is enabled by default when a supporting Cisco software image is installed. BGP next-hop address tracking is event driven. BGP prefixes are automatically tracked as peering sessions are established.

More information

Configuring MPLS and EoMPLS

Configuring MPLS and EoMPLS 37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates

More information

Flow-Based Redirect. Finding Feature Information

Flow-Based Redirect. Finding Feature Information The traffic from an IP session is redirected based on the destination address (for a simple IP session), and to a tunnel (for a mobile IP session). However, in some application scenarios, some of the traffic

More information

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE The feature provides a mechanism for tunneling Multiprotocol Label Switching (MPLS) packets over a non-mpls network. This feature utilizes MPLS over generic routing encapsulation (MPLSoGRE) to encapsulate

More information

Solution Guide. Infrastructure as a Service: EVPN and VXLAN. Modified: Copyright 2016, Juniper Networks, Inc.

Solution Guide. Infrastructure as a Service: EVPN and VXLAN. Modified: Copyright 2016, Juniper Networks, Inc. Solution Guide Infrastructure as a Service: EVPN and VXLAN Modified: 2016-10-16 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved.

More information

The Loopback Interface

The Loopback Interface 1 Overview The Loopback Interface Requires IOS 11.1CC, 12.0S or 12.0T ISP software trains ISP/IXP Workshops Covers router access, security, information gathering, configuration and scalability. ISP/IXP

More information

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation: IPv6 Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation: header format helps speed processing/forwarding header changes to facilitate QoS IPv6 datagram format:

More information

IPv6 Commands: n to re

IPv6 Commands: n to re IPv6 Commands: n to re nai (proxy mobile IPv6), page 3 neighbor override-capability-neg, page 4 neighbor send-label, page 6 neighbor translate-update, page 9 network (IPv6), page 12 nis address, page 14

More information

BIG-IP CGNAT: Implementations. Version 13.0

BIG-IP CGNAT: Implementations. Version 13.0 BIG-IP CGNAT: Implementations Version 13.0 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 9 Overview: The carrier-grade NAT (CGNAT) module... 9 About ALG Profiles...10 About CGNAT

More information

Match-in-VRF Support for NAT

Match-in-VRF Support for NAT The feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-vpn NAT, both the local and global

More information

This document describes how to perform datapath packet tracing for Cisco IOS -XE software via the Packet Trace feature.

This document describes how to perform datapath packet tracing for Cisco IOS -XE software via the Packet Trace feature. Contents Introduction Prerequisites Requirements Components Used Reference Topology Packet Tracing in Use Quick Start Guide Enable Platform Conditional Debugs Enable Packet Trace Egress Condition Limitation

More information

Flow-Based Redirect. Finding Feature Information

Flow-Based Redirect. Finding Feature Information The traffic from an IP session is redirected based on the destination address (for a simple IP session), and to a tunnel (for a mobile IP session). However, in some application scenarios, some of the traffic

More information

ipv6 mobile home-agent (global configuration)

ipv6 mobile home-agent (global configuration) ipv6 mobile home-agent (global configuration) ipv6 mobile home-agent (global configuration) To enter home agent configuration mode, use the ipv6 mobile home-agent command in global configuration mode.

More information

Operation Manual MCE H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Operation Manual MCE H3C S3610&S5510 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 MCE Overview... 1-1 1.1 MCE Overview... 1-1 1.1.1 Introduction to BGP/MPLS VPN... 1-1 1.1.2 BGP/MPLS VPN Concepts... 1-2 1.1.3 Introduction to MCE... 1-5 1.1.4

More information

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP MPLS VPN Carrier Supporting Carrier Using LDP and an IGP Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CSC) enables one MPLS VPN-based service provider

More information

Deploying MPLS L3VPN. Apricot Cisco and/or its affiliates. All rights reserved. Cisco Public

Deploying MPLS L3VPN. Apricot Cisco and/or its affiliates. All rights reserved. Cisco Public Deploying MPLS L3VPN 1 Abstract This session describes the implementation of IP Virtual Private Networks (IP VPNs) using MPLS. It is the most common Layer 3 VPN technology, as standardized by IETF RFC2547/4364,

More information

Implementing Traffic Filters for IPv6 Security

Implementing Traffic Filters for IPv6 Security Implementing Traffic Filters for IPv6 Security Last Updated: November 14, 2011 This module describes how to configure Cisco IOS XE IPv6 traffic filter and firewall features for your Cisco networking devices.

More information