IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S (ASR 1000)
Disabling Flow Cache Entries in NAT and NAT64

The Disabling Flow Cache Entries in NAT and NAT64 feature allows you to disable flow cache entries for dynamic and static Network Address Translation (NAT) translations. Disabling flow cache entries for dynamic and static translations reduces memory usage and helps NAT translations scale.


Note: Disabling flow cache entries reduces performance, because the translation path performs multiple database searches to find the most specific translation to use.


This module describes the feature and explains how to configure it.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

  • You cannot disable flow cache entries in interface overload configuration because session entries are created even if flow entry creation is disabled.
  • Flow cache entries are created for application layer gateway (ALG) traffic because flow-specific information needs to be stored in the session entry for ALG traffic.

Information About Disabling Flow Cache Entries in NAT and NAT64

Disabling of Flow Cache Entries Overview

By default, Network Address Translation (NAT) creates a session (which is a 5-tuple entry) for every translation. A session is also called a flow cache entry. Flow cache entries create a NAT translation for every Internet Control Message Protocol (ICMP), TCP, and UDP flow and, hence, consume a lot of system memory.

Port Address Translation (PAT) or interface overload configurations must have flow cache entries enabled. However, dynamic and static NAT configurations can disable flow cache entries. Instead of creating sessions, dynamic and static NAT translations can translate a packet off the binding (or bindings if both inside and outside bindings are available). A binding or a half entry is an association between a local IP address and a global IP address.


Note: NAT, NAT64 (stateful and stateless), and carrier-grade NAT (CGN) translations support the disabling of flow cache entries.


When flow cache entries are enabled and a user has 100 sessions, one binding and 100 session entries are created. When flow cache entries are disabled, only a single binding is created for those sessions. Disabling flow cache entries for dynamic and static translations reduces memory usage and provides more scalability for your dynamic or static translations.


Note: Disabling flow cache entries reduces performance, because the translation path performs multiple database searches to find the most specific translation to use.

When a packet is received for translation, the following processing happens:
  • If your NAT configuration is PAT, the configuration to disable flow cache entries is ignored and the packet is processed normally.
  • If your configuration is not PAT, the following processing happens:
    • If the packet is an application layer gateway (ALG) packet, a session is created.
    • If the packet is a non-ALG packet, a temporary session is created and sent for translation. The packet is sent to Layer 3 or Layer 4 if your configuration is NAT, or to Layer 4 or Layer 7 if your configuration is NAT64 (stateful or stateless).
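The entry accounting and packet-processing rules above, modelled as an added example (not code from the Cisco guide): a binding is a local-to-global address association, a session is a 5-tuple flow cache entry, PAT ignores the disable setting, and ALG traffic always gets a session. The ALG port set, the outside address 203.0.113.5 and the search counts are constructed for illustration, not taken from the guide.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """A 5-tuple; with flow cache entries enabled each one gets a session."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed for this example: destination ports the model treats as ALG
# traffic. The guide says ALG packets always get a session; this port list
# is hypothetical and not taken from the guide.
ALG_PORTS = frozenset({21})

@dataclass
class NatTable:
    mode: str                         # "static", "dynamic" or "pat"
    create_flow_entries: bool = True  # state of 'ip nat create flow-entries'
    bindings: dict = field(default_factory=dict)   # local IP -> global IP
    sessions: dict = field(default_factory=dict)   # Flow -> global IP

    def translate(self, flow: Flow, global_ip: str) -> tuple:
        """Return (translated source address, number of table searches)."""
        # Search 1: the session (flow cache) table, the most specific entry.
        if flow in self.sessions:
            return self.sessions[flow], 1
        # Search 2: the binding (half entry) table; create it on first use.
        self.bindings.setdefault(flow.src, global_ip)
        mapped = self.bindings[flow.src]
        # PAT ignores the disable setting and ALG traffic always needs flow
        # state; otherwise the packet is translated off the binding alone.
        if self.mode == "pat" or self.create_flow_entries or flow.dport in ALG_PORTS:
            self.sessions[flow] = mapped
        return mapped, 2

    def entry_count(self) -> tuple:
        """(bindings, sessions) currently held by the NAT device."""
        return len(self.bindings), len(self.sessions)

def run_flows(mode: str, create_flow_entries: bool, n: int = 100) -> tuple:
    """One inside host opens n TCP connections; return (bindings, sessions)."""
    nat = NatTable(mode, create_flow_entries)
    for i in range(n):
        nat.translate(Flow("tcp", "192.168.34.10", 40000 + i, "203.0.113.5", 443),
                      "172.16.233.208")
    return nat.entry_count()

def repeat_packet_cost(create_flow_entries: bool) -> int:
    """Table searches needed for the second packet of the same flow."""
    nat = NatTable("dynamic", create_flow_entries)
    f = Flow("tcp", "192.168.34.10", 5000, "203.0.113.5", 443)
    nat.translate(f, "172.16.233.208")
    return nat.translate(f, "172.16.233.208")[1]
```

With flow entries disabled the 100-session case collapses to one binding and no sessions, but every packet pays the second lookup, which is the memory-versus-performance trade-off the notes describe.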

How to Disable Flow Cache Entries in NAT and NAT64

Disabling Flow Cache Entries in Dynamic NAT

Flow cache entries are enabled by default when Network Address Translation (NAT) is configured. To disable flow cache entries, use the no ip nat create flow-entries command. Perform this task to disable flow cache entries in the dynamic translation of inside source address.


Note: Port Address Translation (PAT) or interface overload configuration, which is a type of dynamic NAT, requires flow cache entries. You cannot disable flow cache entries for PAT configurations.


SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    4.    access-list access-list-number permit source source-wildcard

    5.    ip nat inside source list access-list-number pool name

    6.    no ip nat create flow-entries

    7.    interface type number

    8.    ip address ip-address mask

    9.    ip nat inside

    10.    exit

    11.    interface type number

    12.    ip address ip-address mask

    13.    ip nat outside

    14.    end


    DETAILED STEPS

    Command or Action | Purpose

    Step 1 enable

    Example:
    Device> enable

    Enables privileged EXEC mode.
    • Enter your password if prompted.

    Step 2 configure terminal

    Example:
    Device# configure terminal

    Enters global configuration mode.

    Step 3 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    Example:
    Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28

    Defines a pool of global addresses to be allocated as needed.

    Step 4 access-list access-list-number permit source source-wildcard

    Example:
    Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255

    Defines a standard access list that permits IP addresses that are to be translated.

    Step 5 ip nat inside source list access-list-number pool name

    Example:
    Device(config)# ip nat inside source list 1 pool net-208

    Establishes a dynamic source translation by specifying the pool and the access list specified in Steps 3 and 4, respectively.

    Step 6 no ip nat create flow-entries

    Example:
    Device(config)# no ip nat create flow-entries

    Disables the creation of flow cache entries.

    Step 7 interface type number

    Example:
    Device(config)# interface gigabitethernet 0/0/1

    Specifies an interface and enters interface configuration mode.

    Step 8 ip address ip-address mask

    Example:
    Device(config-if)# ip address 10.114.11.39 255.255.255.0

    Sets a primary IP address for the interface.

    Step 9 ip nat inside

    Example:
    Device(config-if)# ip nat inside

    Connects the interface to the inside network, which is subject to NAT.

    Step 10 exit

    Example:
    Device(config-if)# exit

    Exits interface configuration mode and returns to global configuration mode.

    Step 11 interface type number

    Example:
    Device(config)# interface gigabitethernet 0/1/1

    Specifies an interface and enters interface configuration mode.

    Step 12 ip address ip-address mask

    Example:
    Device(config-if)# ip address 172.16.232.182 255.255.255.240

    Sets a primary IP address for an interface.

    Step 13 ip nat outside

    Example:
    Device(config-if)# ip nat outside

    Connects an interface to the outside network.

    Step 14 end

    Example:
    Device(config-if)# end

    Exits interface configuration mode and returns to privileged EXEC mode.

    Disabling Flow Cache Entries in Static NAT64

    Flow cache entries are enabled by default in NAT. Perform the following task to disable flow entries in your stateful Network Address Translation 64 (NAT64) configuration.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ipv6 unicast-routing

      4.    interface type number

      5.    description string

      6.    ipv6 enable

      7.    ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

      8.    nat64 enable

      9.    exit

      10.    interface type number

      11.    description string

      12.    ip address ip-address mask

      13.    nat64 enable

      14.    exit

      15.    nat64 prefix stateful ipv6-prefix/length

      16.    nat64 v6v4 static ipv6-address ipv4-address

      17.    nat64 settings flow-entries disable

      18.    end


      DETAILED STEPS

      Command or Action | Purpose

      Step 1 enable

      Example:
      Device> enable

      Enables privileged EXEC mode.
      • Enter your password if prompted.

      Step 2 configure terminal

      Example:
      Device# configure terminal

      Enters global configuration mode.

      Step 3 ipv6 unicast-routing

      Example:
      Device(config)# ipv6 unicast-routing

      Enables the forwarding of IPv6 unicast datagrams.

      Step 4 interface type number

      Example:
      Device(config)# interface gigabitethernet 0/0/0

      Specifies an interface type and enters interface configuration mode.

      Step 5 description string

      Example:
      Device(config-if)# description interface facing ipv6

      Adds a description to an interface configuration.

      Step 6 ipv6 enable

      Example:
      Device(config-if)# ipv6 enable

      Enables IPv6 processing on an interface.

      Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

      Example:
      Device(config-if)# ipv6 address 2001:DB8:1::1/96

      Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

      Step 8 nat64 enable

      Example:
      Device(config-if)# nat64 enable

      Enables NAT64 translation on an IPv6 interface.

      Step 9 exit

      Example:
      Device(config-if)# exit

      Exits interface configuration mode and returns to global configuration mode.

      Step 10 interface type number

      Example:
      Device(config)# interface gigabitethernet 1/2/0

      Specifies an interface type and enters interface configuration mode.

      Step 11 description string

      Example:
      Device(config-if)# description interface facing ipv4

      Adds a description to an interface configuration.

      Step 12 ip address ip-address mask

      Example:
      Device(config-if)# ip address 209.165.201.1 255.255.255.0

      Configures an IPv4 address for an interface.

      Step 13 nat64 enable

      Example:
      Device(config-if)# nat64 enable

      Enables NAT64 translation on an IPv4 interface.

      Step 14 exit

      Example:
      Device(config-if)# exit

      Exits interface configuration mode and returns to global configuration mode.

      Step 15 nat64 prefix stateful ipv6-prefix/length

      Example:
      Device(config)# nat64 prefix stateful 2001:DB8:1::1/96

      Defines the stateful NAT64 prefix to be added to IPv4 hosts to translate the IPv4 address into an IPv6 address.
      • The stateful NAT64 prefix can be configured in global configuration mode or in interface mode.

      Step 16 nat64 v6v4 static ipv6-address ipv4-address

      Example:
      Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1

      Enables NAT64 IPv6-to-IPv4 static address mapping.

      Step 17 nat64 settings flow-entries disable

      Example:
      Device(config)# nat64 settings flow-entries disable

      Disables flow cache entries in the NAT64 configuration.

      Step 18 end

      Example:
      Device(config)# end

      Exits global configuration mode and returns to privileged EXEC mode.

      Disabling Flow Cache Entries in Static CGN

      Flow cache entries are enabled by default when Network Address Translation (NAT) is configured. Perform this task to disable flow cache entries in a static carrier-grade NAT (CGN) configuration.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ip nat settings mode cgn

        4.    ip nat inside source static local-ip global-ip

        5.    no ip nat create flow-entries

        6.    interface virtual-template number

        7.    ip nat inside

        8.    exit

        9.    interface type number

        10.    ip nat outside

        11.    end


        DETAILED STEPS

        Command or Action | Purpose

        Step 1 enable

        Example:
        Device> enable

        Enables privileged EXEC mode.
        • Enter your password if prompted.

        Step 2 configure terminal

        Example:
        Device# configure terminal

        Enters global configuration mode.

        Step 3 ip nat settings mode cgn

        Example:
        Device(config)# ip nat settings mode cgn

        Enables CGN operating mode.

        Step 4 ip nat inside source static local-ip global-ip

        Example:
        Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2

        Enables static CGN of the inside source address.

        Step 5 no ip nat create flow-entries

        Example:
        Device(config)# no ip nat create flow-entries

        Disables flow cache entries in static CGN mode.

        Step 6 interface virtual-template number

        Example:
        Device(config)# interface virtual-template 1

        Creates a virtual template interface that can be configured and applied dynamically when creating virtual access interfaces, and enters interface configuration mode.

        Step 7 ip nat inside

        Example:
        Device(config-if)# ip nat inside

        Connects the interface to the inside network, which is subject to NAT.

        Step 8 exit

        Example:
        Device(config-if)# exit

        Exits interface configuration mode and returns to global configuration mode.

        Step 9 interface type number

        Example:
        Device(config)# interface gigabitethernet 2/1/1

        Specifies an interface and enters interface configuration mode.

        Step 10 ip nat outside

        Example:
        Device(config-if)# ip nat outside

        Connects an interface to the outside network.

        Step 11 end

        Example:
        Device(config-if)# end

        Exits interface configuration mode and returns to privileged EXEC mode.

        Configuration Examples for Disabling Flow Cache Entries in NAT and NAT64

        Example: Disabling Flow Cache Entries in Dynamic NAT

        Device# configure terminal
        Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
        Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
        Device(config)# ip nat inside source list 1 pool net-208
        Device(config)# no ip nat create flow-entries
        Device(config)# interface gigabitethernet 0/0/1
        Device(config-if)# ip address 10.114.11.39 255.255.255.0
        Device(config-if)# ip nat inside
        Device(config-if)# exit
        Device(config)# interface gigabitethernet 0/1/1
        Device(config-if)# ip address 172.16.232.182 255.255.255.240
        Device(config-if)# ip nat outside
        Device(config-if)# end

        Example: Disabling Flow Cache Entries in Static NAT64

        The following example shows a static stateful Network Address Translation 64 (NAT64) configuration that disables the creation of flow cache entries:

        Device# configure terminal
        Device(config)# ipv6 unicast-routing
        Device(config)# interface gigabitethernet 0/0/0
        Device(config-if)# description interface facing ipv6
        Device(config-if)# ipv6 enable
        Device(config-if)# ipv6 address 2001:DB8:1::1/96 
        Device(config-if)# nat64 enable
        Device(config-if)# exit
        Device(config)# interface gigabitethernet 1/2/0
        Device(config-if)# description interface facing ipv4
        Device(config-if)# ip address 209.165.201.1 255.255.255.0
        Device(config-if)# nat64 enable
        Device(config-if)# exit
        Device(config)# nat64 prefix stateful 2001:DB8:1::1/96
        Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1
        Device(config)# nat64 settings flow-entries disable
        Device(config)# end

        Example: Disabling Flow Cache Entries in Static CGN

        The following example shows a stateful carrier-grade NAT (CGN) configuration that disables the creation of flow cache entries:

        Device# configure terminal
        Device(config)# ip nat settings mode cgn
        Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2
        Device(config)# no ip nat create flow-entries
        Device(config)# interface virtual-template 1
        Device(config-if)# ip nat inside
        Device(config-if)# exit
        Device(config)# interface gigabitethernet 2/1/1
        Device(config-if)# ip nat outside
        Device(config-if)# end

        Additional References for Disabling Flow Cache Entries in NAT and NAT64

        Related Documents

        Related Topic | Document Title
        Cisco IOS commands | Cisco IOS Master Command List, All Releases
        NAT commands | Cisco IOS IP Addressing Services Command Reference
        Carrier-grade NAT | “Carrier-Grade Network Address Translation” module in IP Addressing NAT Configuration Guide
        Stateful NAT64 | “Stateful Network Address Translation 64” module in IP Addressing NAT Configuration Guide
        Stateless NAT64 | “Stateless Network Address Translation 64” module in IP Addressing NAT Configuration Guide

        Technical Assistance

        Description | Link
        The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support

        Feature Information for Disabling Flow Cache Entries in NAT and NAT64

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for Disabling Flow Cache Entries in NAT and NAT64

        Feature Name | Releases | Feature Information
        Disabling Flow Cache Entries in NAT and NAT64 | Cisco IOS XE Release 3.10S | The Disabling of Flow Cache Entries in NAT and NAT64 feature allows you to disable flow entries for dynamic and static NAT translations. By default, flow entries are created for all Network Address Translation (NAT) translations. The following commands were introduced or modified: ip nat create flow-entries, nat64 settings flow-entries disable, and show ip nat translations.