SOLUTION OVERVIEW

Improve Network Scalability with BIG-IP CGNAT

Get seamless and secure IP address strategy as part of a suite of consolidated functions.

Improve Network Scalability with BIG-IP CGNAT

Carrier-Grade Network Scalability

CGNAT provides network scalability by conserving IPv4 addresses and easing IPv6 migration. Bridging IPv4 and IPv6 helps to ensure that new and existing applications are easily addressable, even with surging connectivity needs from consumers and devices.

IPv4 address allotments have run out all around the world. With global IPv4 addresses at their limit, service providers need to make the shift to IPv6. F5 BIG-IP Carrier-Grade NAT (CGNAT) supports both IPv6 and IPv4 addresses without costly hardware upgrades.

CGNAT is widely deployed today as part of a security strategy. BIG-IP CGNAT is often combined with BIG-IP Advanced Firewall Manager (AFM), providing a high-performance network firewall that can also mask subscriber addresses. This combination enables outgoing subscriber security services to be monetized by the service provider. BIG-IP AFM provides a comprehensive platform for security by enabling CGNAT, distributed denial-of-service (DDoS) protection, access control lists (ACLs), and intrusion prevention systems (IPSs).

F5 consolidates these security controls alongside CGNAT in the N6/S/Gi-LAN or the data center. This results in simpler management and operation, reduced operational costs, and more opportunities to monetize functions and services. These solutions can be deployed as a high-performance hardware appliance, a virtual network function (VNF), a cloud-native network function (CNF), or in a hybrid mode.

Key Benefits of BIG-IP CGNAT

1. Scale your network by managing IPV4 address depletion and IPV6 migration with flexible deployment options

Service providers are challenged to manage IPv4 devices and content while transitioning to newer IPv6 devices and applications. Because IPv6 devices and content are not backwards compatible with IPv4, IPv6 migration strategies need to support the coexistence of both. BIG-IP CGNAT provides carrier-grade scalability with a high number of IP address translations, fast NAT translation setup rates, high throughput, and high-speed logging.

BIG-IP CGNAT allows you to continue to deliver IPv4 connectivity and handle a large number of concurrent sessions as you manage IPv4 address depletion and plan for a seamless migration to IPv6. Functionality includes large scale NAT, NAT 44 (NAPT, PAT, port block allocation [PBA]), NAT 444, NAT64/DNS64, 464xlat, port control protocol (PCP), address/port persistence, endpoint-independent mapping and filtering (EIM/EIF), hairpinning, PIM-DM, and several application-layer gateways, including FTP, SIP, RTSP, PPTP, FTPS, FTP over TLS, FTPS explicit, TFTP, IP Sec IKEv2, and ESP. One of the biggest benefits of CGNAT in a service provider network is the ability to effectively “reclaim” large blocks of publicly-routable IPv4 address space from the customer “edge” network and make it available for use in other parts of the network—or to grow the business beyond a network’s owned IPv4 allocations. When using port block allocation (PBA), it is possible to see as high as 35-to-1 return on a large-scale NAT (LSN) pool resource through the BIG-IP CGNAT system.

BIG-IP CGNAT has a deterministic NAT capability that maps specific private IP addresses to public IP addresses and reduces logging requirements. Adding BIG-IP Policy Enforcement Manager (PEM), means that carriers can have a better understanding of what subscribers are doing on the network and can tie CGNAT configurations to service plans with destination-aware policies.

2. Scale for the Internet of Things (IoT)

By 2025, according to GSMA, there will be 24.6 billion IoT connections, up from 12 billion in 2019. Supporting IoT requires massive scale. From connected cars, to smart homes, to smart meters, and more, BIG-IP CGNAT helps service providers efficiently scale to support the millions of IoT devices, each requiring a network address. BIG-IP CGNAT can scale to tens of millions of IP address translations, provide translation setup rates in the order of a million per second, and offer tens of gigabits of performance. High-speed logging (HSL) capabilities further improve performance. This means you can reduce costs as you can handle your migration needs with fewer servers in the network.

3. Carrier-grade security

CGNAT is widely deployed as an important part of the security strategy. When combined with BIG-IP AFM, BIG-IP CGNAT provides all the benefits of a high-performance firewall. These include identity/subscriber-aware network firewall with integrated ACLs, IPS, and DDoS protections. Additionally, the session aware capabilities provide mitigation capabilities against sophisticated layer 7 DoS attacks that would go undetected with a layer 4-only solution. Working together, BIG-IP AFM and BIG-IP CGNAT support the match of the firewall address list and the port list for the source and destination address, along with a protocol to select NAT policy.

Subscriber and endpoint awareness enables insight into network traffic for optimization and monetization and enables the application of subscriber class-based and custom security policies. For example, a specific policy could be provided for a series of specific IoT end devices. Subscriber awareness for BIG-IP AFM and BIG-IP CGNAT enables log enrichment with subscriber-ID for firewall and CGNAT (NAPT and PBA logs), subscriber discovery, and dynamic policy provisioning for firewalls.

4. Consolidation of functions for reduced operational costs and services monetization

Efficiency is the key to reducing cost and increasing margins. The F5 BIG-IP family enables key service provider functions to be efficiently consolidated onto a single, high-performance solution. For example, BIG-IP CGNAT can be strategically deployed with BIG-IP Local Traffic Manager (LTM), BIG-IP PEM, and BIG-IP DNS (DNS caching). BIG-IP PEM provides intelligent traffic steering capabilities that enable traffic inspection and steering to services based on subscriber profiles (for example, service tiers). It also offers a comprehensive set of traffic classification capabilities to ensure that you can accurately determine what subscribers are doing in the network, and, based on that information, offer differentiated service plans, ultimately leading to increased revenues and regulated network usage.

A virtualized, containerized, and consolidated N6 LAN solution from F5 helps you build a cost-effective model, improving time to market for new services and decreasing network complexity. F5’s CNFs and VNFs are a core component within an efficient, virtual N6 LAN, offering the widest available range of services on the N6 LAN.

5. Efficient logging, simplified compliance

BIG-IP CGNAT excels at high-performance logging, which is a regulatory compliance requirement for many service providers. Correlating IP addresses and usage to users (and vice versa) can be tedious, time-consuming, and expensive. BIG-IP CGNAT offers extensive and flexible logging capabilities that can store information such as private-to-public IP address translation, URL/URI destination addresses, port numbers, times of day, and other customized session details. CGNAT enables efficient and customizable logs, such as the ability to insert MSISDN/IMSI and destination URL/URI fields into the logs.

BIG-IP CGNAT supports Internet Protocol Flow Information Export (IPFIX), a more compressed NAT logging method than syslog, reducing the amount of data per log entry which, in turn, reduces costs. IPv6 packet extension headers can be examined and filtered. This increases visibility capabilities for IPv6 traffic for event investigations or audits. BIG-IP CGNAT also efficiently manages PBA sets to optimally manage exclusions and simplify workflows. Logs can also be augmented with subscriber information, such as MSISDN.

Recent innovations improve the performance of CGNAT with high-speed log generation of individual security events. They are independently controlled for firewall policy, DDoS, IP intelligence, port misuse, protocol inspection, traffic intelligence, and NAT and log destinations and publishers consistent with the BIG-IP high speed logging framework. The ability to customize firewall and NAT log fields reduces the cost to generate, transmit, parse, and store log messages, increasing performance by only logging necessary fields while maintaining subscriber information for firewall and NAT logs.

BIG-IP CGNAT can scale to support the generation of millions of logging records and export them to a system logging server. It can also provide load balancing and UDP. Flexible options support a wide range of log collectors which include log rate limiting, UDP and TCP transport, load balancing and replication options, and Syslog, IPFIX, Splunk, and ArcSight formats.

6. NFV- and container-ready

BIG-IP CGNAT can be deployed in high performance hardware, or in software as a VNF (BIG-IP Virtual Edition), as part of F5’s packaged NFV S/Gi-LAN, Gi Firewall, or CGNAT solution, or as a CNF. F5 can help your transition to cloud- and software-defined architectures with virtual application delivery platforms that provide an agile, flexible, and efficient way to deploy advanced application and security services. Deployment in software increases agility and achieves automation and orchestration in cloud architectures.

Using these solutions as part of the F5 NFV Packaged Solution for Gi Firewall, S/Gi LAN, or CGNAT simplifies purchasing, deployment, and management with the aid of the F5 VNF Manager. Packages are purchased on a 5, 10, or 50 Gbps basis, and you can leverage the “Use-Before-Buy” option as traffic volumes for the service increase. Click here to access the NFV Packaged Solutions overview and learn more about this option.

SmartNIC offload for BIG-IP VE: Boost CGNAT Performance and Lower TCO

When performing CGNAT, there are two primary functions that require significant compute power: executing the actual translation from one IP address to another and logging that translation—as required by the U.S. Communications Assistance for Law Enforcement Act (CALEA).  SmartNICs are the latest addition to the Network Interface Card (NIC) family and can provide a solution for virtual (VNF) CGNAT deployments.

Boasting onboard programmable components such as FPGAs, NPUs, or SoCs, SmartNICs can perform user-specified networking functions on behalf of the applications or servers they’re connected to, alleviating strain on CPU resources and significantly improving performance. By offloading CGNAT functionality from an F5 BIG-IP VE to an Intel FPGA PAC N3000 SmartNIC, the total system throughput can be improved by around 30%. More importantly, the BIG-IP VE’s CPU utilization can also be reduced by approximately 80%—helping to prevent the VE from becoming overloaded! See the BIG-IP VE for SmartNICs overview for more information. 

Conclusion

CGNAT has proven to be an indispensable tool for supporting transitions to IPv6 and continues to prove its worth in today’s network by helping to scale and secure networks. For service providers who want to optimize their network scalability for IPv6, IoT and 5G, BIG-IP CGNAT provides a seamless and secure IP address strategy as part of a suite of consolidated network functions.