CG-NAT on a standard x86-platform

April 18, 2017
CG-NAT Solution
CG-NAT on a standard x86-platform
CG-NAT can be implemented on a standard x86 platform, the main thing is to choose a software suite meeting requirements and performance.

Carriers use CG-NAT as they need it as much as billing. Due to the shortage of IPv4 addresses and slow-changing to IPv6, translation of local addresses to the public ones is the only way to connect new subscribers to the Internet. Choice of CG-NAT platform with necessary capacity and functions is one of the tasks of the highest priority. CG-NAT can be implemented on a standard x86 platform, the main thing is to choose a software suite meeting requirements and performance.

Specifics of CG-NAT

Carrier Grade NAT (CGN/CGNAT), aka Large Scale NAT (LSN), as against regular NAT, is designed for carriers due to its high performance, scalability and some additional functions:

  • quotes for users
  • limited session lifetime
  • Hairpinning – access inside network at external address not using Internet)
  • Full Cone NAT = EIM/EIF (Endpoint-Independent Mapping/Endpoint-Independent Filtering) ensures maximal compatibility of P2P clients located outside of NAT of different providers (games, IP-telephony, video conferences, torrents)
  • collection of analytics for lawful interception.


Hardware platforms CG—NAT

We do not cover here solutions embedded in server OS (Windows NAT, OpenBSD NAT, Linux iptables, and others), since they don’t have sufficient performance, scalability, and functional capabilities for carriers’ major networks and don’t support Full Cone NAT mode.

Carries can use on their networks several options of hardware solutions CG-NAT:

  1. Expansion modules for routers or separate hardware devices (Cisco, Juniper, F5 Networks, Huawei, A10, Ericsson).
  2. Software or virtualized solutions based on standard x86-servers (VAS Experts, Brain4Net, NFWare).

Each option has pros and cons. As we focus on the x86 solutions in this article, let’s consider them properly.

Cisco ASR Juniper MX

But firstly, some information on devices and modules.

Generally, usage of expansion modules for network hardware, or separate devices is quite a good option for major carriers with enough network hardware in their stock, that can perform CG-NAT.

For example, if your network has Cisco routers of ASR series (1000, 5000, 9000), you can easily add modules Carrier Grade Services Engine (CGSE) that have high performance up to 20 Gbit/sec and support:

  • NAT44 and NAT64 translation, 6rd, DS-lite, 4rd tunnelling
  • full compliance with RFC4787, RFC5382, RFC5508
  • CGv6 Bypass
  • Netflow9 protocolling
  • traffic control on the base of VRF
  • intra-chassis and inter-chassis backup.

But for these standard functions and high reliance, Cisco sets quite a high price (Cisco CRS-16/S-B with module CGSE – from 100 000 dollars) and supposes that you go on using its ecosystem in your network

The same situation is for multi-service modules MS-DPC by Juniper for MX routers. Bandwidth capacity up to 19 Gbit/sec and up 8.5 mln subscribers – good indicators, but the platform price (although lower than for Cisco) and necessity to purchase additional chassis and modules for backup make this solution impracticable for small carriers and providers.

F5 Viprion

Option with more advantages might be a solution implemented separately, like Viprion by F5 Networks.

Products of this company don’t impose specific requirements for the organization of the carrier’s network, it absolutely doesn’t matter, what the network is built on – whether it is Cisco, HP, Huawei, or anything else. They perform a certain task, i.e. to translate network addresses, and make it fast, safe, and for a quite reasonable price (F5 Networking Viprion Chassis CGNAT C2200 2-Slot Chassis AC Power with blade B2100 costs 40 000 dollars). The software of this equipment is designed for certain component parts of the hardware platform, which makes its combined operation stable enough. It’s like Mac or MacBook by Apple: component parts are standard, but since MacOS is optimized exactly for them — operation is perfect.

This option has disadvantages as well: a separate device for each network function means an additional space in the server room and more capital investments; price is lower than Cisco and Juniper, but is still high, especially for regional Internet providers; a large number of devices of different vendors means that control and interaction are more complex; the scalability of these solutions is possible, but is still too complex and expensive.

Let’s move to the program and virtualized solutions on x-86 platform.

First, virtualization – the trend of recent years is to get the most out of hardware by launching many different computational processes. Virtualization of servers has become popular many years ago, and recently, virtual networks have been gaining popularity, thus virtualizing the CG-NAT function wasn’t difficult for developers.


Virtualized CG-NAT is built on the basis of the SDN/NFV concept – centralized network control and virtualization of network functions. Sometimes, this solution is also called vCGNAT. Its main advantages are:

  • Usage of standard x86-servers as the virtualization platform. It is cheap and all-purpose, there are many price-mix producers on the market, maintenance of such servers is an easy job as well.
  • Resources consumption pattern Pay-as-you-Grow, that ensures more flexibility through virtualization of all components of the solution’s architecture.
  • Easy scalability – at any time and as fast as possible the system performance can be increased.
  • Integration with other SDN solutions and centralized control, if you decide to transit other network functions on a virtual platform.

But things can’t be all that good. In spite of all advantages, the implementation of such solutions is quite complex and requires specific qualifications. First of all, the development of NFV/SDN technologies and their introduction on the carriers’ networks require large investments in the infrastructure of data centers. As some research estimate, up to 2018 NFV/SDN development cost will be distributed as follows:

  • 4% – NFVI equipment with $1,4
  • 23% – NFV and MANO software with $6,8
  • 4% – SDN HW equipment with $1,3
  • 5% – SDN software with $1,5
  • 64% – datacentres and IT-systems equipment with $19,0.

NFV is quite a young technology, so there might be difficulties with standardization and compatibility. Many companies use it only as a training area not trusting it to maintain operating services. Also, there are some complexities in the reasoning of the decision to choose virtual network systems, because not so many real cases can be mentioned as examples. An unknown platform means a risk for business.

technical solution CGN

So, we come to the most universal and simple decision – CG—NAT on a multifunctional platform of traffic control and analysis system DPI. Why on this particular platform?

DPI software is quite a complex development, and highly skilled programmers with great experience can write it. That’s why this version of the CG-NAT software part is reliable, optimized, and effective. Russian DPI developers use standard x-86 servers, including VAS Experts for its Stingray Service Gateway. Moreover, you can choose and purchase equipment or use the one you already have, the main thing is that equipment meets all necessary specifications (CPU, RW memory, network cards with Bypass) and has adequate performance. We have mentioned above all advantages of the standard x86-platform.

Beside compliance with industry standards defined in RFC 6888, RFC 4787, such solution CG–NAT has all advantages of separate devices of well-known producers:

  • Full Cone NAT (EIM/EIF)
  • use of Paired IP address pooling function
  • usage of Hairpinning technology
  • setting limits on TCP and UDP-connections for subscribers
  • translation logging (IPFIX protocol) and data export to LESS-3.

Carrier or Internet provider gets CG-NAT in Complete version without additional charge. Today, many carriers and Internet providers install DPI systems on their networks. The reason is the necessity to filter URLs by lists of government, the opportunity to control traffic pliantly optimizing available Bandwidth, and analyze network in real-time. To that end, to purchase DPI and get high-performance CG-NAT, in addition, looks very challenging. Concerning competitive platforms, only Procera offers CG-NAT as a part of the DPI platform, but this solution is licensed and expensive.

Such a system is modernized easily, and performance is increased by purchasing licenses, no additional hardware modules. If one takes into account that Stingray Service Gateway is customized to your network by the producer itself, and the CG-NAT function is activated by one configuration command, then the process of integration and launch is reduced to a minimum. Since Stingray is software, then testing its operation is simple: just to request a distribution package from the developer, install it on a compatible server, and only then make a decision.

It must be mentioned that such a CG-NAT option has disadvantages: chosen independently hardware can affect functional efficiency of the whole system, CG-NAT is a function, when it fails, the network stops operating, which means that backup is needed and this is an additional Stingray device.

Regardless of all these disadvantages, usage of CG-NAT embedded in Stingray Service Gateway on the base of standard x86-platform is a simple and efficient solution for translation of network addresses and ports, that allows carriers to provide one public IPv4 address to more than one subscriber.

To get more detailed information on the advantages of Stingray Service Gateway and how to use it effectively on carriers networks, as well as on migration from other platforms, please, contact experts of VAS Experts – developer and providers of Stingray platform analysis system.

We use cookies to optimize site functionality and give you the best possible experience. To learn more about the cookies we use, please visit our Cookies Policy. By clicking ‘Okay’, you agree to our use of cookies. Learn more.