Configuring Deterministic NAT Allocation for DS-Lite
Deterministic NAT allocation for DS-Lite LSN deployments is a type of NAT resource allocation in which the Citrix ADC appliance pre-allocates, from the LSN NAT IP pool and on the basis of the configured port block size, one LSN NAT IP address and one block of ports to each subscriber (an IPv4 subscriber behind a B4 device).
Note: This feature is supported in release 11.0 build 64.x and later.
The appliance allocates NAT resources to these subscribers sequentially. It assigns the first block of ports on the first NAT IP address to the first subscriber IP address, the next block of ports to the next subscriber, and so on, until the ports remaining on that NAT IP address are fewer than one port block. At that point, the first port block on the next NAT IP address is assigned to the next subscriber, and so on.
The Citrix ADC appliance logs the NAT IP address and port block allocated to each subscriber at allocation time. Because the mapping is fixed, a subscriber is identified for any connection by its mapped NAT IP address and port block alone, so the appliance does not log the creation or deletion of individual LSN sessions. Retain the allocation log: it is the only record that maps a NAT IP address and port back to a subscriber.
A DS-Lite subscriber has exactly one deterministic port block. If every port in the block is in use, the Citrix ADC appliance drops any new connection from that subscriber.
Example: Deterministic DS-Lite
In this example, a deterministic DS-Lite configuration includes four subscribers with IP addresses 188.8.131.52, 184.108.40.206, 220.127.116.11, and 18.104.22.168. These IPv4 subscribers are behind a B4 device that has the IPv6 address 2001:DB8::3:4. In this configuration, the port block size is set to 20480 and the LSN NAT IP address pool contains the IP addresses in the range 203.0.113.41-203.0.113.42.
The Citrix ADC appliance sequentially pre-allocates, from the LSN NAT IP pool and on the basis of the configured port block size, an LSN NAT IP address and a block of ports to each subscriber. It assigns the first block of ports (1024-21503) on the first NAT IP address (203.0.113.41) to the first subscriber IP address (188.8.131.52). The next block of ports is assigned to the next subscriber, and so on, until the ports remaining on that NAT IP address are fewer than one port block (after three blocks of 20480 ports, only 62464-65535 remain on 203.0.113.41). At that point, the first port block on the next NAT IP address (203.0.113.42) is assigned to the next subscriber, and so on. The Citrix ADC appliance logs the NAT IP address and the block of ports allocated to each subscriber.
The Citrix ADC appliance does not log any LSN session created or deleted for these subscribers.
The following table lists the NAT IP address and blocks of ports allocated to each subscriber in this example:
| Subscriber IP address | Allocated NAT IP address | Allocated block of ports | IPv6 address of B4 |
|---|---|---|---|
| 188.8.131.52 | 203.0.113.41 | 1024 - 21503 | 2001:DB8::3:4 |
| 184.108.40.206 | 203.0.113.41 | 21504 - 41983 | 2001:DB8::3:4 |
| 220.127.116.11 | 203.0.113.41 | 41984 - 62463 | 2001:DB8::3:4 |
| 18.104.22.168 | 203.0.113.42 | 1024 - 21503 | 2001:DB8::3:4 |
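The allocation walk described above, and the reverse lookup that makes per-session logging unnecessary, as an added worked example (this is not Citrix code and not appliance output). It assumes port blocks start at 1024, as the table shows, and adds a fifth, hypothetical subscriber that reuses the IPv4 address 188.8.131.52 behind a second B4 (2001:db8::7:8) to show that the (B4, IPv4) pair, not the IPv4 address alone, identifies a subscriber:

```python
"""Deterministic DS-Lite port-block allocation and reverse lookup (added example)."""
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed inputs mirroring the page's example; not appliance output.
NAT_POOL = ["203.0.113.41", "203.0.113.42"]  # LSN NAT IP pool, in pool order
PORT_BLOCK_SIZE = 20480
FIRST_PORT = 1024   # assumption: blocks start above the well-known ports, as in the table
LAST_PORT = 65535

# A DS-Lite subscriber is the pair (B4 IPv6 address, subscriber IPv4 address):
# the same IPv4 address behind a different B4 is a different subscriber.
Subscriber = Tuple[str, str]
Allocation = Tuple[Subscriber, str, int, int]  # (subscriber, nat_ip, low_port, high_port)

SUBSCRIBERS: List[Subscriber] = [
    ("2001:db8::3:4", "188.8.131.52"),
    ("2001:db8::3:4", "184.108.40.206"),
    ("2001:db8::3:4", "220.127.116.11"),
    ("2001:db8::3:4", "18.104.22.168"),
    ("2001:db8::7:8", "188.8.131.52"),  # hypothetical extra subscriber behind a second B4
]


def allocate(subscribers: List[Subscriber], nat_pool: List[str], block_size: int,
             first_port: int = FIRST_PORT, last_port: int = LAST_PORT) -> List[Allocation]:
    """Pre-allocate one NAT IP and one port block per subscriber, in order.

    Blocks are handed out sequentially on the first NAT IP; when the ports left
    on that IP cannot hold a whole block, allocation moves to the next NAT IP.
    Raises ValueError when the pool cannot hold every subscriber.
    """
    if block_size < 1 or block_size > last_port - first_port + 1:
        raise ValueError("port block size does not fit in a single NAT IP")
    allocations: List[Allocation] = []
    seen: Set[Subscriber] = set()
    ip_index, low = 0, first_port
    for sub in subscribers:
        b4, ipv4 = sub
        ipaddress.IPv6Address(b4)       # must be a full host address (/128)
        ipaddress.IPv4Address(ipv4)     # must be a full host address (/32)
        if sub in seen:
            raise ValueError(f"duplicate subscriber {sub}")
        seen.add(sub)
        if low + block_size - 1 > last_port:        # remainder too small: next NAT IP
            ip_index, low = ip_index + 1, first_port
        if ip_index >= len(nat_pool):
            raise ValueError(f"NAT pool exhausted before subscriber {sub}")
        high = low + block_size - 1
        allocations.append((sub, nat_pool[ip_index], low, high))
        low = high + 1
    return allocations


def lookup(allocations: List[Allocation], nat_ip: str, port: int) -> Optional[Subscriber]:
    """Identify the subscriber behind a (NAT IP, port) seen on the Internet side.

    The pre-allocation record alone resolves a translated port to exactly one
    (B4, IPv4) pair, which is why no per-session log is kept.
    """
    for sub, ip, low, high in allocations:
        if ip == nat_ip and low <= port <= high:
            return sub
    return None


def admit_connection(allocation: Allocation, ports_in_use: Set[int]) -> Optional[int]:
    """Reserve a port for a new connection from the subscriber's single block.

    Returns the chosen port, or None when the whole block is busy, which is
    the case in which the appliance drops the new connection.
    """
    _, _, low, high = allocation
    for port in range(low, high + 1):
        if port not in ports_in_use:
            ports_in_use.add(port)
            return port
    return None


if __name__ == "__main__":
    table = allocate(SUBSCRIBERS, NAT_POOL, PORT_BLOCK_SIZE)
    for (b4, ipv4), nat_ip, low, high in table:
        print(f"{ipv4:16} via {b4:14} -> {nat_ip}:{low}-{high}")
    print("203.0.113.42:30000 belongs to", lookup(table, "203.0.113.42", 30000))
```

Running the script reproduces the four rows of the table, places the fifth subscriber in the second block of 203.0.113.42, and resolves 203.0.113.42:30000 to that subscriber even though its IPv4 address is shared with the first row.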
You need to configure deterministic NAT as part of the DS-Lite configuration. For instructions on configuring DS-Lite, see Configuring DS-Lite.
While configuring DS-Lite, make sure that you:
- Set the NAT Type parameter to Deterministic when adding the LSN pool and the LSN group.
- Set the port block size parameter when adding the LSN group if the default value is not acceptable.
Points to Consider before Configuring Deterministic DS-Lite
Consider the following points before configuring deterministic DS-Lite:
- The complete IPv4 address of each subscriber must be specified in a separate bind lsn client command, by setting the Network and Netmask parameters (set Netmask to 255.255.255.255). Likewise, the IPv6 address of the B4 device specified in the Network6 parameter must be a complete host address (/128 prefix). In other words, the Network and Network6 parameters accept only a /32 mask and a /128 prefix, respectively.
- The Citrix ADC appliance drops connections from subscribers that are not specified in any deterministic DS-Lite configuration but are behind B4 devices specified in a deterministic DS-lite configuration.
- The Citrix ADC appliance recognizes subscribers having the same IPv4 address as different subscribers if they are behind different B4 devices. A combination of subscriber IPv4 address and B4 device defines a unique subscriber in the LSN client entity of a DS-Lite configuration.
Sample Deterministic DS-Lite Configuration:
The following configuration uses the settings listed in section Example: Deterministic DS-Lite.
add lsn client LSN-DSLITE-CLIENT-10
Done
bind lsn client LSN-DSLITE-CLIENT-10 -network 188.8.131.52 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done
bind lsn client LSN-DSLITE-CLIENT-10 -network 184.108.40.206 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done
bind lsn client LSN-DSLITE-CLIENT-10 -network 220.127.116.11 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done
bind lsn client LSN-DSLITE-CLIENT-10 -network 18.104.22.168 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done
add lsn pool LSN-DSLITE-POOL-10 -nattype DETERMINISTIC
Done
bind lsn pool LSN-DSLITE-POOL-10 203.0.113.41-203.0.113.42
Done
add lsn ip6profile LSN-DSLITE-PROFILE-10 -type DS-Lite -network6 2001:DB8::5:6
Done
add lsn group LSN-DSLITE-GROUP-10 -clientname LSN-DSLITE-CLIENT-10 -nattype DETERMINISTIC -portblocksize 20480 -ip6profile LSN-DSLITE-PROFILE-10
Done
bind lsn group LSN-DSLITE-GROUP-10 -poolname LSN-DSLITE-POOL-10
Done