
  • LARGE SCALE NETWORK ADDRESS TRANSLATION

    HOW TO CONFIGURE LARGE SCALE NAT (LSN) ON A10 THUNDER/VTHUNDER CGN DEVICES

    DEPLOYMENT GUIDE

  • OVERVIEW

    In 2011, the Internet Assigned Numbers Authority (IANA) issued the last remaining /8 address blocks to the Regional Internet Registries, leaving the RIRs in control of assigning the remaining available IPv4 addresses. This posed a problem for Internet Service Providers (ISPs) that needed to continue obtaining unallocated IPv4 address space, forcing a plan of action both to preserve the remaining IPv4 address space and to provide a mechanism for IPv6 translation. Many technologies have emerged to solve this problem, including NAT444, DS-Lite and 6rd, all of which are based upon a common foundation of Carrier Grade Network Address Translation (CGNAT).

    The A10 Networks Thunder Series is a family of both hardware and software appliances ready to match any deployment needed. The Carrier Grade Networking gateways have been designed to extend the service life of IPv4 infrastructure and provide a seamless migration to IPv6 networks. A10 Thunder CGN also comes with integrated Distributed Denial of Service (DDoS) protection of IP address pools to effectively eliminate targeted attacks. Thunder CGN software and hardware features together ensure maximum uptime of network resources to process subscriber traffic.

    This guide provides a basis for understanding the A10 Thunder CGN implementation, and includes an overview of the solution, design, scaling considerations and overall system configuration with optional features including traffic logging.

    Note: Sometimes CGNAT is also called Large Scale NAT (LSN), and this is the term used in the IETF documents referenced in this document.

  • OVERVIEW

    CARRIER GRADE NAT

    DEPLOYMENT PREREQUISITES
      Access to A10 Thunder CGN
      Configure the Management Interface

    BASE CONFIGURATION
      Reference Topology

    INTERFACE CONFIGURATION

    NETWORK INTEGRATION
      Static Route Deployment
      Dynamic Routing

    VRRP-A CONFIGURATION

    CGNAT CONFIGURATION (DYNAMIC LSN)
      CGNAT Configuration Steps

    CONFIGURING FIXED-NAT (DETERMINISTIC NAT)
      Fixed-NAT Configuration Steps

    LOGGING CONFIGURATION
      Logging Configuration Steps

    ADVANCED CONFIGURATION OPTIONS
      Logging Configuration Steps
      Endpoint-Independent Mapping/Endpoint-Independent Filtering
      Static Mapping
      Override Actions for Class-List Matches
      NAT IP Address Selection
      Hairpinning
      User Quotas
      The Application Layer Gateway
      Protocol Port Overloading
      CGNAT Timeouts
      System Resource Allocation
      Advanced CGNAT Logging

    CRITICAL DDOS MITIGATION FEATURES
      IP Anomaly Filters
      Connection Rate Limiting