08-14-2013 05:35 AM
Hello people,
a big project is on the way and I have to be 100% sure that we buy the right licenses for ASR9006 with ISM module for CGNAT.
The ASR will be used as a BRAS/BNG for a large amount of subscribers (PPPoE and IPoE for IPv4 and IPv6).
I see three licenses:
A9K-CGN-LIC-5M: CGN License Unit for 5 Million translations
A9K-DSLT-LIC-5M: DS-Lite License Unit for 5 Million translations
A9K-NAT64-LIC-5M: NAT64 License Unit for 5 Million translations
I have checked the data sheet, and I want to double/triple check what licenses have to be acquired.
Customer wants to use Stateful NAT44 and NAT64, probably DS-Lite, too.
The first license (CGN) is for NAT44, the second is for DS-Lite and the third is for NAT64, and I have to buy all of these?
It's for 10M translations, which means 2xlicense per service.
I am asking because every license is really really expensive and a big part of budget goes for only the licenses.
I can remember that I did some testing on an ISM card 7 months ago, where I configured stateful NAT64 and it was working with the A9K-CGN-LIC license.
p.s. Meanwhile I tried to add two licenses for CGN and NAT64 each, and I got this message:
Minimum 1 and maximum 3 quantity can be selected for category Carrier Grade V6 (CGV6) when A9K-NAT64-LIC-5M license is selected.
Please adjust selections in CGNAT
Why can't I add 10M translations (two licenses) for each service? Probably because the maximum number of translations is 20M for IPv4 and 15M for IPv6. If we combine these, then the capacity is exceeded.
Am I right?
08-16-2013 01:37 AM
Hi,
if your customer wants to deploy all 3 scenarios (NAT44, DS-Lite and NAT64) in parallel, they need all 3 licenses.
It can be configured as multiple "service-type" instances under the same "service cgn" instance on the ISM.
You are right that CCW allows max. three 5M licenses if NAT64 is added (because NAT64 needs more memory, we can't guarantee 20M sessions if some of them are NAT64), but if you need >5M NAT44 sessions, you can buy an additional NAT44 license as a spare.
You are right that buying all in advance would be pretty expensive. Did you consider buying NAT64 (or even DS-Lite) licenses later, when your customer is sure that such services are deployable?
While deploying NAT44 CGN is easy (it works with existing CPE's and the new CGN44-enabled service can be launched quickly), keep in mind that DS-Lite or NAT64 require making the access network IPv6-enabled (or IPv6-only) first. And then, to deploy DS-Lite, your customer needs to qualify new CPE's first before launching the new CGN44-enabled service. And for commercially viable NAT64, they need to qualify new CLAT Android phones or similar, make the GGSN and database systems ready for v6-only contexts, etc. It's a long way to a new v6-only service/tariff that would potentially utilize the 5M sessions license.
Also, CGN requires VRF's to be utilized, so you will need at least the IVRF license (up to 8 VRF's) for each linecard that has a VRF configured on its interface (typically the user-facing card). In combination with BNG, the user-facing card that terminates BNG sessions must be -SE, and also the RSP440-SE is needed.
To support inline Stateless CGN (MAP-T, MAP-E & 6RD), linecards also need a CGv6 license (e.g. MOD80 -TR/-SE needs A9K-M80-V6-INLN). For this, the ISM is still needed in the chassis, but the traffic doesn't pass through it anymore, so no additional session licenses are required.
hth
josef
08-16-2013 02:05 AM
Thank you Josef.
I still wonder why stateful NAT64 was working with a non-NAT64 license; we had only the CGN license. Is this because I did not have multiple service-type licenses, like you mentioned in your post?
Customer will probably use only NAT44, because NAT64 is breaking a lot of applications as far as I know.
Customer acquired new IPv6 modems and they will probably use dual-stack, and IPv4 will be NATed...not sure yet.
A part of network is already IPv6 enabled, and we will continue to enable it on all network devices.
VRF license will be bought, and also SE line cards which will be used for subscribers and connectivity to core network.
TR line cards will not be bought because they are only good for network facing side, and I think SE can be used for both.
08-19-2013 12:58 AM
The licenses may not be enforced yet in the current XR release, so it is possible to use it unlicensed for non-commercial things like testing and playing around. Of course any commercial deployment or pilot requires having all licenses installed, so as not to violate the support contract.
NAT64 itself is not breaking applications (TCP, UDP, ICMP); the problem is that many apps can't work in a v6-only environment. The OS itself is usually ok (DHCPv6 and DNSv6 are supported on the majority of PC's and smartphones, including Android, iOS, Symbian...). However, some applications simply can't work without IPv4 - they can't open an IPv6 socket, don't handle v6 data structs properly, use IPv4 literals instead of DNS names in URL's, etc. For example Skype, MSN, VPN clients, etc. A good solution is RFC 6877 (464XLAT); code is available for Android. It uses the CLAT function to present the usual IPv4 API to apps, but then internally translates the packets to IPv6 using NAT46. The rest of the network works normally as v6-only with NAT64/DNS64 for v4 Internet access.
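The IPv4-literal failure and the 464XLAT fix described in the post above, as an added Python example that is not part of the original thread. The RFC 6052 well-known prefix 64:ff9b::/96, the hostnames and the addresses are constructed assumptions, and the model is simplified to the address-mapping step only.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# RFC 6052 well-known NAT64 prefix (assumption: the thread names no prefix).
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize(ipv4: str, prefix=WKP) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix (done by DNS64 and by the CLAT)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def extract(ipv6: str, prefix=WKP) -> Optional[ipaddress.IPv4Address]:
    """Reverse step on the NAT64: recover the IPv4 destination, if any."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None  # native IPv6 traffic, not for the translator
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def v6_only_destination(url: str, a_records: dict, clat: bool = False):
    """IPv6 destination used for `url` on a v6-only access network.

    a_records stands in for the DNS A records that DNS64 would look up.
    Returns None when the app has no way to reach the target.
    """
    host = urlsplit(url).hostname
    try:
        literal = ipaddress.IPv4Address(host)
    except ValueError:
        literal = None
    if literal is not None:
        # IPv4 literal: no DNS query happens, so DNS64 cannot synthesize
        # an AAAA record. Only a CLAT (NAT46 on the host) can map it.
        return synthesize(str(literal)) if clat else None
    v4 = a_records.get(host)
    return synthesize(v4) if v4 else None

# Constructed sample data (documentation address ranges).
SAMPLE_DNS = {"www.example.net": "203.0.113.10"}

if __name__ == "__main__":
    for url in ("http://www.example.net/", "http://198.51.100.7/api"):
        for clat in (False, True):
            print(url, "clat" if clat else "dns64-only",
                  v6_only_destination(url, SAMPLE_DNS, clat))
```
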
08-19-2013 01:47 AM
Very good explanation. Thank you very much. I will also take a look into inline NAT on Typhoon line cards; I hope that there are some good data sheets or webinars about that.
08-19-2013 02:26 AM
Yes, there are good resources for inline MAP-E and MAP-T, for example:
http://www.ciscoknowledgenetwork.com/files/300_11-06-2012-NGN-IPv4-Exhaust-IPv6-Strategy.pdf