CGNAT for Broadband Networks

CGNAT network diagram showing private IPv4 subscribers translated through Bison Router CGNAT to the public IPv4 Internet

Overview

CGNAT is an integral part of the Bison Router BNG solution. The platform provides several CGNAT modules, including SNAT44, Deterministic SNAT44, 1:1 NAT, and NAT64. Together, they cover the key CGNAT features and operating modes required by modern ISPs.

SNAT44

SNAT44 is Bison Router's port-block-based IPv4 Source NAT module. It is the most flexible SNAT implementation in the platform, allowing operators to dynamically change both the internal subscriber address space and the outside translation address space of a NAT map. Translation addresses can also be temporarily excluded from service without stopping the CGNAT service.

Bison Router SNAT44 CGNAT supports:

  • SNAT44 and DNAT44 translation.
  • Endpoint Independent Mapping (EIM).
  • NAT translation session limit per host.
  • Subscriber CPS (connections-per-second) limiting to cap the number of new connections a subscriber can create per second.
  • Protection against DDoS attacks originating from inside the ISP network by limiting abusive NAT session creation.
  • Hairpinning, also known as NAT loopback.
  • NAT Event Logging (NEL) through IPFIX and NetFlow v9.
  • High availability for SNAT44 maps.
  • Performance up to 15 Mpps and 120 Gbit/s.
  • ALG support for PPTP, ICMP, and traceroute.
  • Support for major protocols and applications, including SIP, FTP, RTSP, IPsec and GRE-based VPNs, and gaming consoles.

Deterministic SNAT44

Bison Router Deterministic NAT implements the deterministic SNAT44 algorithm described in RFC 7422. It gives every internal subscriber a predictable outside address and port range, which simplifies log collection for law-enforcement requests.

Bison Router Deterministic SNAT44 CGNAT supports:

  • SNAT44 and DNAT44 translation.
  • Endpoint Independent Mapping (EIM).
  • NAT translation session limit per host.
  • Subscriber CPS (connections-per-second) limiting to cap the number of new connections a subscriber can create per second.
  • Protection against DDoS attacks originating from inside the ISP network by limiting abusive NAT session creation.
  • Deterministic outside address and port selection.
  • Hairpinning, also known as NAT loopback.
  • NAT Event Logging (NEL) through IPFIX and NetFlow v9 when needed.
  • Performance up to 15 Mpps and 120 Gbit/s.
  • ALG support for PPTP, ICMP, and traceroute.

Deterministic NAT Tradeoffs

Deterministic SNAT44 can provide better performance than other Bison Router NAT implementations, and the deterministic port selection process means operators do not normally need NEL for subscriber attribution.

It works best when the internal subscriber address space is densely populated. Sparse internal address spaces can lead to inefficient memory and outside address utilization.
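
The following is an added worked example, not Bison Router code and not a description of its internal algorithm. It implements a deterministic SNAT44 map in the style of RFC 7422 to show why subscriber attribution needs no per-session log (the outside address and port block are a pure function of the inside address, and the reverse lookup is plain arithmetic) and why a sparsely populated inside range wastes outside ports (every inside address owns a block whether or not a subscriber is online). The inside range 100.64.0.0/22, the outside pool 203.0.113.0/30, the port range 1024-65535 and the list of active subscribers are constructed sample values.

```python
import ipaddress


class DeterministicNat:
    """Deterministic SNAT44 in the style of RFC 7422 (illustration only).

    Every inside address is assigned one outside address and one fixed,
    contiguous port block. Nothing is stored per session: both directions
    of the mapping are computed arithmetically.
    """

    def __init__(self, inside_cidr, outside_cidr, port_min=1024, port_max=65535):
        self.inside = ipaddress.ip_network(inside_cidr)
        self.outside = ipaddress.ip_network(outside_cidr)
        self.port_min = port_min
        self.port_max = port_max
        # RFC 7422 "compression ratio": inside addresses sharing one outside address.
        ratio, rem = divmod(self.inside.num_addresses, self.outside.num_addresses)
        if rem or ratio == 0:
            raise ValueError("inside range must be a whole multiple of the outside pool")
        self.ratio = ratio
        # The usable port range of each outside address is split evenly into `ratio` blocks.
        self.block_size = (port_max - port_min + 1) // ratio
        if self.block_size == 0:
            raise ValueError("too many inside addresses per outside address")

    def inside_to_outside(self, inside_ip):
        """Return (outside_ip, first_port, last_port) reserved for an inside address."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{ip} is not in the map's inside range")
        offset = int(ip) - int(self.inside.network_address)
        out_index, block_index = divmod(offset, self.ratio)
        out_ip = self.outside.network_address + out_index
        first = self.port_min + block_index * self.block_size
        return str(out_ip), first, first + self.block_size - 1

    def outside_to_inside(self, outside_ip, port):
        """Reverse lookup: which inside address owned this outside address/port?

        This is the operation an abuse or law-enforcement request needs, and it
        requires no NAT event log because the mapping is deterministic.
        """
        ip = ipaddress.ip_address(outside_ip)
        if ip not in self.outside or not (self.port_min <= port <= self.port_max):
            raise ValueError("not a translated address/port")
        out_index = int(ip) - int(self.outside.network_address)
        block_index = (port - self.port_min) // self.block_size
        if block_index >= self.ratio:
            # Ports in the remainder tail (when the range is not evenly divisible)
            # are never handed out.
            raise ValueError("port lies in the unassigned tail of the range")
        inside_ip = self.inside.network_address + (out_index * self.ratio + block_index)
        return str(inside_ip)

    def utilization(self, active_inside_ips):
        """Fraction of pre-reserved port blocks that belong to an active subscriber.

        Blocks are reserved for every inside address up front, so a sparsely
        populated inside range strands most of the outside pool's ports.
        """
        active = {ipaddress.ip_address(a) for a in active_inside_ips}
        active = {a for a in active if a in self.inside}
        return len(active) / self.inside.num_addresses


def mapping_is_bijective(nat):
    """Check every inside address round-trips and no two share an outside port."""
    seen = set()
    for host in nat.inside:
        out_ip, first, last = nat.inside_to_outside(host)
        if (out_ip, first) in seen or nat.outside_to_inside(out_ip, last) != str(host):
            return False
        seen.add((out_ip, first))
    return True


if __name__ == "__main__":
    # Constructed sample map: 1024 inside addresses over 4 outside addresses.
    nat = DeterministicNat("100.64.0.0/22", "203.0.113.0/30")
    print(f"ratio={nat.ratio} block_size={nat.block_size}")
    print("100.64.1.1 ->", nat.inside_to_outside("100.64.1.1"))
    print("203.0.113.1:1300 <-", nat.outside_to_inside("203.0.113.1", 1300))
    # Constructed sparse population: only two of 1024 inside addresses are in use.
    print("utilization:", nat.utilization(["100.64.0.1", "100.64.3.9"]))
    print("bijective:", mapping_is_bijective(nat))
```

With these sample values each outside address serves 256 inside addresses and each subscriber owns 252 ports; the `utilization` figure shows the tradeoff described above, since two active subscribers in a /22 leave almost the entire outside pool's port space reserved but idle.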

NAT High Availability

Bison Router high-availability SNAT44 allows operators to build two-node CGNAT clusters. A single HA group runs in Master-Backup mode; by running multiple HA groups on the same two machines, operators can also build active-active deployments where each node is Master for one group and Backup for another.

High-availability mode is currently supported for SNAT44 maps.