NAT Changes in Release 14.0

This chapter identifies features and functionality added to, modified for, or deprecated from 14.0 NAT software releases.

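Topics covered in this chapter are:
  • NAT Feature Changes as of June 29, 2012
  • NAT Configuration Management Changes as of June 29, 2012
  • NAT Performance Management Changes as of June 29, 2012
  • NAT Security Management Changes as of June 29, 2012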

IMPORTANT:

Enhancements to Diameter, GTPP, and RADIUS in release 14.0 are located in the Accounting Management Changes chapter.

Enhancements to SNMP MIB in release 14.0 are located in the SNMP MIB Changes chapter.

Enhancements to Web Element Manager (WEM) in release 14.0 are located in the Web Element Manager Changes chapter.

NAT Feature Changes as of June 29, 2012

This section provides information on NAT feature changes in release 14.0.

IMPORTANT:

For more information regarding features in this section, refer to the NAT Administration Guide for this release.

New NAT Features

This section identifies new NAT features available in release 14.0.

IP Reassembly Timer

The new nat ip downlink reassembly-timeout command has been added in ACS Configuration Mode to configure the maximum duration of the IP reassembly timer.

Refer to the New NAT Configuration Commands section of this reference for more information.

Modified NAT Features

This section identifies NAT features modified in release 14.0. There are two kinds of modified features: enhancements and behavior changes. Enhancements are feature changes based on customer change requests. Behavior changes are feature changes that modify an existing behavior and may result from software error corrections (bug fixes).

Flow-checkpointing ICSR Support

This release supports the following in Firewall-and-NAT Policy:
  • Enable/Disable checkpointing of basic NAT related information
  • Enable/Disable checkpointing of SIP and H323 ALG related information
  • Enable/Disable ICSR recovery for basic NAT flows and SIP flows
  • Configure maximum basic flows that can be checkpointed

Refer to the nat check-point-info command in the New NAT Configuration Commands section of this reference for more information.

NAT64 Translation Changes

For NAT64, both network address translation and protocol translation are performed on the packets. Uplink IPv6 packets destined to hosts in the IPv4 network must be protocol translated to IPv4 packets and then forwarded. Downlink IPv4 packets destined to hosts in the IPv6 network must be protocol translated to IPv6 packets and then forwarded.

Previous Behavior: One-to-One NAT IP was used for NATing either IPv4 or IPv6 traffic but not both. No 1:1 NAT64 binding table was used. All downlink traffic received on 1:1 NAT64 IP was translated to client IPv6 addresses irrespective of the interface ID used for uplink.

New Behavior: One-to-One NAT IP allocated to a subscriber can be simultaneously used for NATing IPv4 traffic and IPv6 traffic. 1:1 NAT64 binding table is maintained to store the interface ID/prefix. The downlink traffic is translated based on the binding table.

NBR Support

NBRs can now support both IPv4 and IPv6 addresses in the case of an IPv4v6 subscriber. If the existing "ip subscriber-ip-address" attribute is used, an IPv4 address is generated for an IPv4 or IPv4v6 call, and an IPv6 address is generated for an IPv6-only call. New attributes, subscriber-ipv4-address and subscriber-ipv6-address, are added to hold the IPv4 and IPv6 addresses respectively. Refer to the attribute command in the Modified NAT Configuration Commands section of this reference for more information.

Updating Firewall-and-NAT Policy in Mid-session

The Firewall-and-NAT policy can be updated mid-session provided the policy was enabled during call setup. In this release, the Firewall-and-NAT policy can also be updated during a mid-session rulebase update through Gx and Gy. Mid-session rulebase update support from the RADIUS server and the CLI is already present.

Previous Behavior: Firewall-and-NAT policy was not updated during mid-session rulebase update via Gx and Gy.

New Behavior: The Firewall-and-NAT policy can be updated during a Gx/Gy mid-session rulebase update if the new rulebase has a Firewall-and-NAT policy configured and the old Firewall-and-NAT policy is configured through the old rulebase.

NAT Configuration Management Changes as of June 29, 2012

This section provides information on NAT configuration command changes in release 14.0.

IMPORTANT:

For more information regarding commands in this section, refer to the Command Line Interface Reference for this release.

New NAT Configuration Commands

This section identifies new NAT commands available in release 14.0.

nat check-point-info

This command enables or disables the checkpointing for basic NAT, H323 ALG and SIP ALG recovery. ICSR recovery can be enabled or disabled for basic NAT and SIP flows.

Firewall-and-NAT Policy Configuration Mode

[ default | no ] nat check-point-info { basic [ icsr-also | limit-flows limit ] | h323-alg | sip-alg [ icsr-also ] }

nat ip downlink reassembly-timeout

This command configures the maximum duration for which IP packet fragments are retained.

ACS Configuration Mode

[ default ] nat ip downlink reassembly-timeout timeout

Modified NAT Configuration Commands

This section identifies NAT commands modified in release 14.0.

attribute

This command specifies the order of fields in EDRs. The following new attributes are added to this command.

  • subscriber-ipv4-address: For NAT in-line service, this attribute generates the subscriber IPv4 address in the NBR.
  • subscriber-ipv6-address: For NAT in-line service, this attribute generates the subscriber IPv6 prefix in the NBR.

EDR Format Configuration Mode

attribute attribute { [ format { MM/DD/YY-HH:MM:SS | MM/DD/YYYY-HH:MM:SS | YYYY/MM/DD-HH:MM:SS | YYYYMMDDHHMMSS | seconds } ] [ localtime ] | [ { ip | tcp } { bytes | pkts } { downlink | uplink } ] priority priority }

no attribute attribute [ { ip | tcp } { bytes | pkts } { downlink | uplink } ] [ priority priority ]

Deprecated NAT Configuration Commands

This section identifies deprecated NAT commands that are no longer supported in release 14.0.

nat icsr-flow-recovery

This command enables or disables the NAT ICSR Flow checkpointing support for subscribers in a Firewall-and-NAT policy.

Firewall-and-NAT Policy Configuration Mode

[ default | no ] nat icsr-flow-recovery

NAT Performance Management Changes as of June 29, 2012

This section provides information on NAT performance management changes in release 14.0.

IMPORTANT:

For more information regarding bulk statistics in this section, refer to the Statistics and Counters Reference for this release.

For more information regarding commands in this section, refer to the Command Line Interface Reference for this release.

New NAT Bulk Statistics

This section identifies new NAT bulk statistics available in release 14.0.

The following bulk statistics are new in this release:

NAT-Realm Schema

  • nat-rlm-bind-updates
  • nat-rlm-bytes-txferred
  • nat-rlm-ip-flows

Modified NAT Bulk Statistics

This section identifies NAT bulk statistics modified in release 14.0.

None for this release.

Deprecated NAT Bulk Statistics

This section identifies deprecated NAT bulk statistics that are no longer supported in release 14.0.

The following bulk statistics are deprecated for this release:

NAT-Realm Schema

  • nat-bind-updates
  • nat-rlm-bytes-tx
  • nat-rlm-flows
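
A post-upgrade check for the deprecated nat icsr-flow-recovery command and the deprecated NAT-Realm bulk statistics listed above, as an added example that is not part of the original release notes or of the vendor's tooling. The sample configuration is constructed, and pairing each deprecated statistic with a new one by name is an assumption, since the page lists them separately.

```python
import re

# Deprecated statistic -> new statistic. Pairing by name is an assumption;
# the release notes list the new and deprecated names separately.
DEPRECATED_STATS = {
    "nat-bind-updates": "nat-rlm-bind-updates",
    "nat-rlm-bytes-tx": "nat-rlm-bytes-txferred",
    "nat-rlm-flows": "nat-rlm-ip-flows",
}
DEPRECATED_CMD = re.compile(r"^(?:(?:default|no)\s+)?nat\s+icsr-flow-recovery\b")
POLICY_CTX = re.compile(r"^fw-and-nat\s+policy\s+(\S+)")
# Whole-name match: "nat-rlm-bytes-tx" must not fire on "nat-rlm-bytes-txferred".
STAT_TOKEN = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, DEPRECATED_STATS)) + r")(?![\w-])")

# Constructed sample configuration (names and layout are illustrative).
SAMPLE = """\
active-charging service acs1
  fw-and-nat policy fwnat-a
    nat icsr-flow-recovery
  #exit
  fw-and-nat policy fwnat-b
    nat check-point-info basic icsr-also
  #exit
#exit
bulkstats mode
  nat-realm schema rlm1 format "%nat-rlm-bytes-tx%,%nat-rlm-bytes-txferred%,%nat-rlm-flows%"
#exit
"""

def audit_config(text):
    """Return (line_no, kind, item, hint) for each deprecated 14.0 NAT item."""
    findings, policy = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "#exit":
            policy = None  # left the current configuration mode
            continue
        m = POLICY_CTX.match(line)
        if m:
            policy = m.group(1)  # remember which policy the next lines belong to
            continue
        if DEPRECATED_CMD.match(line):
            findings.append((no, "command", "nat icsr-flow-recovery",
                             f"policy {policy}: review nat check-point-info"))
        for m in STAT_TOKEN.finditer(line):
            findings.append((no, "bulkstat", m.group(1), DEPRECATED_STATS[m.group(1)]))
    return findings

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```
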

New NAT Performance Commands

This section identifies new NAT performance commands available in release 14.0.

None for this release.

Modified NAT Performance Commands

This section identifies NAT performance commands modified in release 14.0.

show active-charging fw-and-nat policy name

This command displays Firewall-and-NAT Policy information.

Exec Mode

The following fields have been added to the output of this command:
  • Flow recovery status
    • Basic NAT flows
    • Recoverable basic NAT flows
    • SIP-ALG
  • ICSR Flow-recovery status
    • Basic NAT

The following field has been deprecated from the output of this command:
  • Non-ALG

show active-charging nat statistics

This command displays NAT realm statistics.

Exec Mode

show active-charging nat statistics instance instance_number

The following fields have been added to the output of this command:
  • Total IP Alloc Reqs
  • Total IP Dealloc Reqs
  • Total Port-Chunk Alloc Reqs
  • Total Port-Chunk Dealloc Reqs
  • Total IP Alloc failure
  • Total Port-Chunk Alloc failure
  • Total IP Alloc Bounce
  • Total IP Audit Req
  • Total IP Audit Failure
  • Total IP Alloc failure while recovery is in progress
  • Total Port-Chunk Alloc failure while recovery is in progress

show active-charging subsystem all

This command shows service and configuration counters for the ACS subsystem.

Exec Mode

The following fields have been added to the output of this command:
  • NAT flows processed
  • NAT44 flows processed
  • NAT44 N-1 flows processed
  • NAT44 1-1 flows processed
  • NAT64 flows processed
  • NAT64 N-1 flows processed
  • NAT64 1-1 flows processed
  • NAT44 bypass flows
  • NAT64 bypass flows

show active-charging subsystem facility acsmgr instance

This command shows service and configuration counters for the ACS subsystem.

Exec Mode

The following fields have been added to the output of this command:
  • NAT flows processed
  • NAT44 flows processed
  • NAT44 N-1 flows processed
  • NAT44 1-1 flows processed
  • NAT64 flows processed
  • NAT64 N-1 flows processed
  • NAT64 1-1 flows processed
  • NAT44 bypass flows
  • NAT64 bypass flows

Deprecated NAT Performance Commands

This section identifies deprecated NAT performance commands that are no longer supported in release 14.0.

None for this release.

NAT Security Management Changes as of June 29, 2012

This section provides information on NAT security management changes in release 14.0.

None in this release.