Carrier Grade NAT

Tony Wicks tony at
Tue Jul 29 21:28:53 UTC 2014

OK, as someone with experience running CGNAT to fixed broadband customers in
general, here are a few answers to common questions. This is based on the
setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).

1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay
USD $10+ per IP then CGNAT is the only option.
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
thing, perhaps one day, but certainly not today (I really hate clueless
people who shout to the hills that IPv6 is the "solution" for today's
internet access)
3. 99.99% of customers don't notice they are transiting CGNAT, it just
4. You need to log NAT translations for LI purposes. (IP source/destination,
Port source/destination, time) Surprisingly this does not produce that big a
database burden. However as Cisco's Netflow NAT logging is utterly useless
you need to use syslog and this ramps up the ASR CPU a bit.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
6. 10,000 customers= approximately  200,000 active translations and 1-2
/24's to be comfortable
7. CGNAT protects your customers from all sorts of nasty's like small DDOS
attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
9. In New Zealand we are not a state of the USA so spammed DCMA emails can
be redirected to /dev/null. If a rights holder wishes to have a potential
violation investigated (translation logs) they need to pay a $25 fee, so in
general they don't bother. Police need a search warrant so they generally
only ask for user info when they actually can justify it, so it's not a big
10. It is not uncommon for people who run some game servers and websites
(like banks) to be completely clueless/confused about cgnat and randomly
block IP's as large numbers of users connect from  single IP. This is not a
big issue in practice.



More information about the NANOG mailing list