Dataplane NAT Modes

The dataplane supports several NAT modes. The active mode is configured via the dataplane nat mode <mode> command from config mode.

The following modes are available:

simple

Simple NAT mode. Holds less information for each session, but only works with outbound NAT and static mappings.

endpoint-dependent

Endpoint-dependent NAT mode. The default mode. Uses more information to track each session, which also enables additional features such as out-to-in-only and twice-nat.

deterministic

Deterministic NAT (CGN) mode. Used for large-scale deployments with a focus on performance at a cost of using much more memory.

After changing the NAT mode, the dataplane must be restarted with service dataplane restart.

Note

There must be at least one inside interface and one outside interface for NAT to function. See Network Address Translation and Outbound NAT for more details.

Simple NAT

Simple NAT is the most basic NAT mode. It tracks sessions in a hash table using four items:

  • Source IP address

  • Source port

  • Protocol

  • FIB table index

Simple NAT has a couple of basic options that may be adjusted using the dataplane nat mode-options simple <option> command:

out2in-dpo

Enables out-to-in DPO.

static-mapping-only

Static mapping only, disables dynamic translation of connections.

Endpoint-dependent NAT

Endpoint-dependent NAT mode is the default NAT mode on TNSR. It tracks more information about each connection than simple NAT. As the name suggests, the key difference is that it also tracks the destination of the connection:

  • Source IP address

  • Source port

  • Target IP address

  • Target port

  • Protocol

  • FIB table index

Some NAT features require this extra information, notably out-to-in-only and twice-nat.
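The difference between the two key sets can be seen by grouping the same traffic under each one. The following is an added illustration, a Python model that is not TNSR or VPP code; the Flow tuple, the function names and the sample flows are assumptions of this example, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict, namedtuple

# One observed inside-to-outside flow. Field names follow the key items
# listed on this page; the tuple itself is an assumption of this example.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto fib_index")

def simple_key(f):
    """Key items listed for simple NAT mode."""
    return (f.src_ip, f.src_port, f.proto, f.fib_index)

def endpoint_dependent_key(f):
    """Key items listed for endpoint-dependent NAT mode."""
    return (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto, f.fib_index)

def build_table(flows, key_fn):
    """Group flows by session key, the way a hash table lookup would."""
    table = defaultdict(list)
    for f in flows:
        table[key_fn(f)].append(f)
    return dict(table)

def shared_sessions(table):
    """Session keys onto which more than one distinct destination maps."""
    shared = {}
    for key, flows in table.items():
        targets = sorted({(f.dst_ip, f.dst_port) for f in flows})
        if len(targets) > 1:
            shared[key] = targets
    return shared

# Constructed sample flows (RFC 5737 documentation addresses).
FLOWS = [
    Flow("192.0.2.10", 40000, "198.51.100.5", 443, "tcp", 0),
    Flow("192.0.2.10", 40000, "203.0.113.9", 443, "tcp", 0),  # same source socket, other target
    Flow("192.0.2.10", 40001, "198.51.100.5", 443, "tcp", 0),  # new source port
    Flow("192.0.2.10", 40000, "198.51.100.5", 53, "udp", 0),   # other protocol
    Flow("192.0.2.10", 40000, "198.51.100.5", 443, "tcp", 1),  # other FIB table
]

if __name__ == "__main__":
    for name, fn in (("simple", simple_key),
                     ("endpoint-dependent", endpoint_dependent_key)):
        table = build_table(FLOWS, fn)
        print(f"{name}: {len(table)} sessions, "
              f"{len(shared_sessions(table))} shared across destinations")
```

In this model the simple key cannot tell the first two flows apart, while the endpoint-dependent key holds one entry per destination, which is the extra per-session information the mode description refers to.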

Deterministic NAT

Deterministic NAT mode, also known as Carrier-Grade NAT (CGN) mode, is geared for maximum performance at a large scale. This performance comes at a price, however, in that it consumes greater amounts of memory to achieve its goals.

For more information on Deterministic NAT, see Deterministic NAT.