CGN DHCP will not give out IP addresses
Hi
Why doesn't my A10 1040CFW give out IP addresses from my INSIDE pool (100.64.x.x)?
!ACOS(config-class list)#show run
!Current configuration: 671 bytes
!Configuration last updated at 15:35:23 IST Tue Apr 28 2020
!Configuration last saved at 15:35:25 IST Tue Apr 28 2020
!64-bit Advanced Core OS (ACOS) version 5.1.0, build 90 (Dec-21-2019,16:08)
!
class-list v4-sub-range-01 ipv4
0.0.0.0/0 lsn-lid 1
!
lldp enable rx tx
!
interface management
ip address 192.168.1.20 255.255.255.0
!
interface ethernet 1
enable
!
interface ethernet 2
enable
ip address 100.64.0.1 255.255.255.0
ip nat inside
!
interface ethernet 3
enable
!
interface ethernet 4
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
enable
!
interface ethernet 9
enable
!
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24
!
cgnv6 nat pool-group lan-pool-group-01
member lsn-pool-01
!
cgnv6 lsn-lid 1
name lsn-lid-01
source-nat-pool lsn-pool-01
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
snmp-server enable service
!
snmp-server location 192.168.1.8
!
snmp-server host 192.168.1.8 version v2c Dicktowel2020!
!
!
end
Comments
The A10 does not perform DHCP functions for the inside CGN devices. The NAT is only performed on traffic which traverses the device. You will need an additional server/device to perform the DHCP functions for the CGN users.
Aha, so the DHCP packets need to originate from a separate source, and then all the port mapping happens?
Correct - Typically the CGN user will receive an IP from some DHCP server, and then policy-based routing for CGN addresses will redirect traffic to the A10 as a routed hop. When the A10 receives the traffic, NAT is performed, and traffic is forwarded upstream. With that in mind, the LSN pool you define should contain routable public IPs.
I have not tested a "wildcard" class-list definition like you have there with 0.0.0.0/0. That may work, but if traffic isn't picked up by the lsn-lid, then I would advise defining the CGN address space you're serving in DHCP in the class list.
One other item I noted is that you do not have an Outside interface defined. Perhaps you redacted for the post, but you'll need one of those as well.
Really appreciate your answer; this is my first CGN equipment, so all help is welcome :)
version #2, please take a look:
!Current configuration: 686 bytes
!Configuration last updated at 10:27:36 IST Wed Apr 29 2020
!Configuration last saved at 10:13:39 IST Wed Apr 29 2020
!64-bit Advanced Core OS (ACOS) version 5.1.0, build 90 (Dec-21-2019,16:08)
!
class-list v4-sub-range-01 ipv4
100.64.0.0/24 lsn-lid 1
!
lldp enable rx tx
!
interface management
ip address 192.168.1.20 255.255.255.0
!
interface ethernet 1
name outside-to-wan
enable
ip address 10.0.0.0 255.255.255.254
ip nat outside
!
interface ethernet 2
name inside-to-customers
enable
ip address 100.64.0.1 255.255.255.0
ip nat inside
!
interface ethernet 3
enable
!
interface ethernet 4
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
enable
ip nat outside
!
interface ethernet 9
enable
!
!
ip route 0.0.0.0 /0 10.0.0.1
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24
!
cgnv6 nat pool public 93.17.86.2 netmask /32
!
cgnv6 nat pool-group lan-pool-group-01
member lsn-pool-01
!
cgnv6 lsn-lid 1
name lsn-lid-01
source-nat-pool lsn-pool-01
This is looking better, but it doesn't look like you have the "public" NAT pool bound to the lsn-lid.
You also may wish to review adding port-batching to your cgnv6 nat pool config. The A10 Transition Solutions Guide (TRSOL in the documentation PDFs) has a lot of good info on the rest of the CGN features.
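The two answers above boil down to a handful of config checks (an outside interface exists, the LSN pool holds routable addresses rather than 100.64.0.0/10, no wildcard class-list, every defined pool is bound to an lsn-lid). This added example, not from the thread or from A10, runs those checks over a constructed config in the shape of the poster's second version; the parsing of ACOS lines is a simplification written for this illustration.

```python
import ipaddress

# Constructed sample modelled on the thread's second config (not the poster's full dump).
SAMPLE_CONFIG = """\
class-list v4-sub-range-01 ipv4
 100.64.0.0/24 lsn-lid 1
!
interface ethernet 1
 ip nat outside
!
interface ethernet 2
 ip nat inside
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24
cgnv6 nat pool public 93.17.86.2 netmask /32
cgnv6 lsn-lid 1
 source-nat-pool lsn-pool-01
"""

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared CGN space, not routable upstream


def lint_cgn(config):
    """Return sorted findings for the CGN pitfalls raised in the thread."""
    pools, bound, roles, findings = {}, set(), set(), []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[:2] == ["ip", "nat"]:
            roles.add(t[2])                                  # "inside" or "outside"
        elif len(t) >= 5 and t[:3] == ["cgnv6", "nat", "pool"]:
            pools[t[3]] = ipaddress.ip_address(t[4])         # first address of the pool
        elif len(t) == 2 and t[0] == "source-nat-pool":
            bound.add(t[1])                                  # pool bound to an lsn-lid
        elif len(t) == 3 and t[1] == "lsn-lid" and t[0] != "cgnv6":
            # class-list entry: "PREFIX lsn-lid N"; a /0 catches everything
            if ipaddress.ip_network(t[0]).prefixlen == 0:
                findings.append("class-list uses wildcard 0.0.0.0/0; list the subscriber space served by DHCP instead")
    if "outside" not in roles:
        findings.append("no interface has 'ip nat outside'")
    for name in bound:
        if name in pools and pools[name] in SHARED:
            findings.append(f"lsn-lid source-nat-pool {name} draws from 100.64.0.0/10; the LSN pool must hold routable public IPs")
    for name in sorted(set(pools) - bound):
        findings.append(f"pool {name} is defined but not bound to any lsn-lid")
    return sorted(findings)


if __name__ == "__main__":
    for f in lint_cgn(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample it reports the inside-range LSN pool and the unbound "public" pool; binding the public pool to the lsn-lid and dropping the 100.64.x pool clears both.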
Hi again, some more questions :)
class-list v4-sub-range-01 ipv4
100.64.0.0/24 lsn-lid 1
!
vlan 21
untagged ethernet 2
tagged ethernet 8
!
interface ethernet 2
name inside-to-customers
enable
ip nat inside
!
interface ethernet 8
name outside-to-router
enable
ip nat outside
!
ip route 0.0.0.0 /0 193.17.86.1
!
ip-list ip-cgn-list-01
100.64.0.2 to 100.64.0.254
!
ip-list ip-public-list-01
193.17.86.2 to 193.17.86.10
!
cgnv6 nat pool lsn-pool-01 193.17.86.2 193.17.86.254 netmask /24
!
cgnv6 nat pool-group lan-pool-group-01
member lsn-pool-01
!
cgnv6 lsn-lid 1
name lsn-lid-01
source-nat-pool lsn-pool-01
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
snmp-server enable service
!
snmp-server location 192.168.1.8
!
snmp-server host 192.168.1.8 version v2c Dicktowel2020!
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
ACOS#
Hi again, I'm still having trouble getting the NAT to work. My NE40e and 1040 config:
Huawei NE40e config:
Acos config
For fixed-nat, you don't need "lsn-lid 1" or the "cgnv6 nat pool lsn-pool-01", so you may wish to remove those.
How do you plan to direct traffic to the A10? Is the A10 layer 2 adjacent to customer or a routed hop? If routed hop, you'll need a route for return traffic to client.
I don't see IP addresses on the A10 interfaces. If A10 is connected to untagged switchports, you can skip the "untag vlan" configuration and apply the IP addresses directly to the A10 interfaces.
I actually need "Port Address Translation" because I'm an ISP with a limited number of public IP addresses, so I was thinking about 30-100 customers behind every public IP.
I'm going to have the 1040 connected in/out next to the core router Huawei NE40e-M2K that is going to act as DHCP as well initially.
When you say routed hop, do you mean a private link-net between inside and outside ports to core and then ip routes?
I'm having a really hard time understanding the CGN equipment and the communication logic between A10 and core.
Is it LSN that would equal "Port Address Translation"? (see attached picture)