CGNAT license - need clarification

smailmilak
Level 4

Hello people,

a big project is on the way and I have to be 100% sure that we buy the right licenses for ASR9006 with ISM module for CGNAT.

The ASR will be used as a BRAS/BNG for a large amount of subscribers (PPPoE and IPoE for IPv4 and IPv6)

I see three licenses:

A9K-CGN-LIC-5M

           CGN License Unit for 5 Million translations

A9K-DSLT-LIC-5M

           DS-Lite License Unit for 5 Million translations

A9K-NAT64-LIC-5M

           NAT64 License Unit for 5 Million translations

I have checked the data sheet, and I want to double/triple check what licenses have to be acquired.

Customer wants to use Stateful NAT44 and NAT64, probably DS-Lite, too.

The first license (CGN) is for NAT44, second is for DS-Lite and third for NAT64 and I have to buy all these?

It's for 10M translations, which means 2xlicense per service.

I am asking because every license is really really expensive and a big part of budget goes for only the licenses.

I can remember that I did some testing on ISM card 7 months ago, where I have configured stateful NAT64 and it was working with A9K-CGN-LIC license.

p.s. Meanwhile I tried to add two licenses for CGN and NAT64 each, and I got this message:

Minimum 1 and maximum 3 quantity can be selected for category Carrier Grade V6 (CGV6) when A9K-NAT64-LIC-5M license is selected.

Please adjust selections in CGNAT

Why can't I add 10M translations (two licenses) for each service? Probably because the maximum number of translations is 20M for IPv4 and 15M for IPv6. If we combine this then the capacity is exceeded.

Am I right?

5 Replies

jungerma
Cisco Employee

Hi,

if your customer wants to deploy all 3 scenarios (NAT44, DS-Lite and NAT64) in parallel, they need all 3 licenses.

It can be configured as multiple "service-type" instances under the same "service cgn" instance on the ISM.

You are right that CCW allows max. three 5M licenses if NAT64 is added (because NAT64 needs more memory, we can't guarantee 20M sessions if some of them are NAT64), but if you need >5M NAT44 sessions, you can buy an additional NAT44 license as a spare.

You are right that buying all in advance would be pretty expensive. Did you consider buying NAT64 (or even DS-Lite) licenses later, when your customer is sure that such services are deployable?

While deploying NAT44 CGN is easy (it works with existing CPEs and the new CGN44-enabled service can be launched quickly), keep in mind that DS-Lite or NAT64 require making the access network IPv6-enabled (or IPv6-only) first. And then, to deploy DS-Lite, your customer needs to qualify new CPEs first before launching the new CGN44-enabled service. And for commercially viable NAT64, they need to qualify new CLAT Android phones or similar, make the GGSN and database systems ready for v6-only contexts, etc., it's a long way to a new v6-only service/tariff that would potentially utilize the 5M sessions license.

Also, CGN requires VRFs to be utilized, so you will need at least the IVRF license (up to 8 VRFs) for each linecard that has a VRF configured on its interface (typically the user-facing card). In combination with BNG, the user-facing card that terminates BNG sessions must be -SE, and also the RSP440-SE is needed.

To support inline Stateless CGN (MAP-T, MAP-E & 6RD), linecards also need a CGv6 license (e.g. MOD80 -TR/-SE needs A9K-M80-V6-INLN). For this, the ISM is still needed in the chassis, but the traffic doesn't pass through it anymore, so no additional session licenses are required.

hth

josef

Thank you Josef.

I still wonder why stateful NAT64 was working with non-NAT64 license, we had only CGN license. Is this because I did not have multiple service-type licenses, like you mentioned in your post?

Customer will probably use only NAT44, because NAT64 is breaking a lot of applications as far as I know.

Customer acquired new IPv6 modems and they will probably use dual-stack, and IPv4 will be NATed...not sure yet.

A part of network is already IPv6 enabled, and we will continue to enable it on all network devices.

VRF license will be bought, and also SE line cards which will be used for subscribers and connectivity to core network.

TR line cards will not be bought because they are only good for network facing side, and I think SE can be used for both.

The licenses may not be enforced yet in the current XR release, so it is possible to use it unlicensed for non-commercial things like testing and playing around. Of course any commercial deployment or pilot requires all licenses to be installed, so as not to violate the support contract.

NAT64 itself is not breaking applications (TCP, UDP, ICMP), the problem is that many apps can't work in a v6-only environment. The OS itself is usually OK (DHCPv6 and DNSv6 are supported on the majority of PCs and smartphones, including Android, iOS, Symbian...). However, some applications simply can't work without IPv4 - they can't open an IPv6 socket, don't handle v6 data structs properly, use IPv4 literals instead of DNS names in URLs, etc. For example Skype, MSN, VPN clients, etc. A good solution is RFC 6877 (464XLAT), code is available for Android. It uses the CLAT function to present the usual IPv4 API to apps, but then internally translates the packets to IPv6 using NAT46. The rest of the network works normally as v6-only with NAT64/DNS64 for v4 Internet access.
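
The address mapping behind the DNS64 and CLAT behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco code. It assumes the RFC 6052 well-known prefix 64:ff9b::/96, which the thread does not name; the function names and the sample DNS record are hypothetical and constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: RFC 6052 well-known prefix; a real deployment may use its own.
WKP = ipaddress.ip_network("64:ff9b::/96")

def synthesize(v4, prefix=WKP):
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052, section 2.2)."""
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows only /32 /40 /48 /56 /64 /96")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:          # bits 64-71 are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def dns64_answer(url, a_records, prefix=WKP):
    """AAAA a DNS64 resolver would hand a v6-only client, or None."""
    host = urlsplit(url).hostname
    try:
        ipaddress.IPv4Address(host)
        return None           # IPv4 literal: no DNS query, nothing to synthesize
    except ValueError:
        pass
    v4 = a_records.get(host)
    return synthesize(v4, prefix) if v4 else None

def clat_destination(url, prefix=WKP):
    """IPv6 destination a CLAT (stateless NAT46) writes for an IPv4 literal."""
    return synthesize(urlsplit(url).hostname, prefix)

# Constructed sample data (documentation ranges), not taken from the thread.
A_RECORDS = {"www.example.net": "192.0.2.33"}

if __name__ == "__main__":
    for url in ("http://www.example.net/", "http://192.0.2.33/"):
        print(url, "DNS64:", dns64_answer(url, A_RECORDS))
    print("CLAT:", clat_destination("http://192.0.2.33/"))
```

The hostname URL gets a synthesized AAAA from DNS64, while the literal URL gets none and is only reachable once a CLAT maps it into the same prefix.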

Very good explanation. Thank you very much. I will also take a look into inline NAT on Typhoon line cards, I hope that there are some good data sheets or webinars about that.
