How Do I Configure Port Quota/Session Quota for CGNAT on NetScaler


Article ID: CTX205819


Description

This article describes how to configure Port Quota/Session Quota for CGNAT on NetScaler.

Use Case

ISP vendor XYZ wants to limit the number of NAT ports/sessions per subscriber to ensure fair distribution of resources among users.

Quick recap of CGNAT Deterministic NAT & Port/Session Quotas

Large-scale network address translation (LSN), also known as carrier-grade NAT (CGNAT), is a technology that several telecom companies and internet service providers are deploying to deal with IPv4 address exhaustion and to extend the lifespan of IPv4 addresses until the world slowly moves to IPv6. LSN allows a single IPv4 address to be shared by multiple private-network subscribers, so a large number of users can connect using a limited number of IPv4 addresses.


In a CGNAT configuration, an admin who wants to ensure that each subscriber gets a fair share of the shared resources can configure User Quotas. User Quotas restrict the number of concurrent NAT sessions per subscriber. Quotas can be configured in two ways: Port Quotas and Session Quotas.

Port quota

The CGNAT ports used per subscriber at a given time can be limited for a particular protocol using a port quota. For example, using this quota, a subscriber can be limited to a maximum of 500 TCP NAT ports.

When the CGNAT mappings for a subscriber exceed the set limit, the subscriber is denied allocation of additional NAT ports for that particular protocol.

Session quota

There may be scenarios in which the number of concurrent sessions for a subscriber is higher than its port usage. Using a session quota, you can limit the number of concurrent sessions per subscriber for a particular protocol.

When the number of concurrent CGNAT sessions for a subscriber exceeds the set limit, the subscriber is not allowed to open additional sessions for that particular protocol.

Small example explaining the difference between port count and session count:

Consider a CGNAT configuration with Address Dependent Mapping. In such a configuration, one private-network IP/port is mapped to the same NAT IP/port as long as the destination address is the same, irrespective of the destination port. So there may be 'n' sessions from the internal private network to the internet while the port usage is only one.

Support for Quotas in NetScaler

NetScaler administrators configure Port Quota and Session Quota by defining them in a transport profile. The transport profile is then bound to a CGNAT (LSN) group, and the quotas defined in the transport profile apply to any client that is bound to that LSN group.

Instructions

Steps for configuring port quota and session quota on NS

Step 1: Create an LSN client and assign a range of subscriber IP addresses to it.

add lsn client <client-name>
bind lsn client <client-name> -network <IPaddress> -netmask <netmask>


In the GUI,
go to System >> Large Scale NAT >> Clients
and add a new client with the corresponding network and netmask.


Step 2: Create an LSN pool with NAT type set to deterministic and assign a range of public IP addresses to it.

add lsn pool <pool-name>
bind lsn pool <pool-name> <NATIP>


In the GUI,
go to System >> Large Scale NAT >> Pools
and add a new pool with the NAT IP addresses.


Step 3: Create an LSN group and add LSN client(s) to it.

add lsn group <group-name> -clientname <client-name>


In the GUI,
go to System >> Large Scale NAT >> LSN Group
and add a new LSN group with the corresponding client name.


Step 4: Bind the LSN group to the LSN pool(s).

bind lsn group <group-name> -poolname <pool-name>


In the GUI,
go to System >> Large Scale NAT >> LSN Group, select the LSN group, and click Pools.


Step 5: Create a transport profile with port quota and session quota.

add lsn transportprofile <transportprofilename> <transportprotocol> [-sessiontimeout <secs>] [-finrsttimeout <secs>]  [-stuntimeout <positive_integer>] [-synidletimeout <positive_integer>] [-portquota <positive_integer>] [-sessionquota <positive_integer>] [-groupSessionLimit <positive_integer>] [-portpreserveparity ( ENABLED | DISABLED )] [-portpreserverange ( ENABLED | DISABLED )] [-syncheck ( ENABLED | DISABLED )]


In the GUI,
go to System >> Large Scale NAT >> Profiles >> Transport tab and add a transport profile with the session quota and/or port quota.

Step 6: Bind the transport profile to the LSN group.

In the GUI,
go to System >> Large Scale NAT >> LSN Group, select the LSN group for editing, click Transport Profiles, and bind the transport profile created in Step 5.
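The six steps above as one end-to-end NetScaler CLI sequence for the ISP XYZ use case. This is an added example, not part of the article: all object names and addresses are constructed sample values, and the -nattype/-portblocksize options on the pool and group and the -transportprofilename option on bind lsn group (Step 6 has no CLI line in the article) are taken from the NetScaler CLI reference rather than from this article.

```nscli
# Step 1: LSN client covering the subscriber (inside) network
# 10.100.0.0/16 is a constructed sample range
add lsn client XYZ-SUBSCRIBERS
bind lsn client XYZ-SUBSCRIBERS -network 10.100.0.0 -netmask 255.255.0.0

# Step 2: deterministic LSN pool of public NAT IPs
# 203.0.113.x is documentation address space used here as a placeholder
add lsn pool XYZ-NATPOOL -nattype DETERMINISTIC
bind lsn pool XYZ-NATPOOL 203.0.113.10
bind lsn pool XYZ-NATPOOL 203.0.113.11

# Step 3: LSN group for the client; deterministic NAT assigns each
# subscriber a fixed block of NAT ports (block size 512 here)
add lsn group XYZ-GROUP -clientname XYZ-SUBSCRIBERS -nattype DETERMINISTIC -portblocksize 512

# Step 4: attach the pool to the group
bind lsn group XYZ-GROUP -poolname XYZ-NATPOOL

# Step 5: one transport profile per protocol carrying the quotas
# TCP: at most 500 NAT ports (the article's own example figure) and
# 1000 concurrent sessions per subscriber; UDP gets a smaller allowance
add lsn transportprofile XYZ-TCP-QUOTA TCP -portquota 500 -sessionquota 1000
add lsn transportprofile XYZ-UDP-QUOTA UDP -portquota 250 -sessionquota 500

# Step 6: bind both profiles to the group so the quotas apply to
# every subscriber of XYZ-SUBSCRIBERS
bind lsn group XYZ-GROUP -transportprofilename XYZ-TCP-QUOTA
bind lsn group XYZ-GROUP -transportprofilename XYZ-UDP-QUOTA

# Verify the bindings, then inspect live NAT sessions to confirm that a
# subscriber's port and session counts stay within the configured quotas
show lsn group XYZ-GROUP
show lsn transportprofile XYZ-TCP-QUOTA
show lsn session
save ns config
```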


Additional Information

Refer to the "NetScaler: How Do I?" page for more easy-to-implement articles on commonly used NetScaler features.