CGN DHCP will not give out IP addresses

Product Discussions CGN - CGNAT & IPv6 Migration
1

Hi
why doesn’t my A10 1040CFW give out IP addresses from my INSIDE pool (100.64.x.x?)

!ACOS(config-class list)#show run
!Current configuration: 671 bytes    
!Configuration last updated at 15:35:23 IST Tue Apr 28 2020
!Configuration last saved at 15:35:25 IST Tue Apr 28 2020
!64-bit Advanced Core OS (ACOS) version 5.1.0, build 90 (Dec-21-2019,16:08)
!
class-list v4-sub-range-01 ipv4 
 0.0.0.0/0 lsn-lid 1 
!
lldp enable rx tx 
!
interface management 
 ip address 192.168.1.20 255.255.255.0 
!
interface ethernet 1 
 enable 
!
interface ethernet 2 
 enable 
 ip address 100.64.0.1 255.255.255.0 
 ip nat inside 
!
interface ethernet 3 
 enable 
!
interface ethernet 4 
!
interface ethernet 5 
!
interface ethernet 6 
!
interface ethernet 7 
!
interface ethernet 8 
 enable 
!
interface ethernet 9 
 enable 
!
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24 
!
cgnv6 nat pool-group lan-pool-group-01 
 member lsn-pool-01 
!
cgnv6 lsn-lid 1 
 name lsn-lid-01 
 source-nat-pool lsn-pool-01 
!
sflow setting local-collection 
!    
sflow collector ip 127.0.0.1 6343 
!
snmp-server enable service 
!
snmp-server location 192.168.1.8 
!
snmp-server host 192.168.1.8 version v2c Dicktowel2020! 
!
!
end

2

The A10 does not perform DHCP functions to the inside, CGN devices. The NAT is only performed on traffic which traverses the device. You will need an additional server/device to perform the DHCP functions for the CGN users.

3

aha, so the DHCP packet need to originate from separate source and the all the port mapping happens?

4

Correct - Typically the CGN User will receive an IP from some DHCP server, and then policy based routing for CGN addresses will redirect traffic to the A10 as a routed hop. When the A10 receives the traffic, NAT is performed, and traffic is forwarded upstream. That in mind, the lsn pool you define should contain routable public IP’s.
I have not tested a “wildcard” class-list definition like you have there with 0.0.0.0/0. That may work, but if traffic isn’t picked up by the lsn-lid, then I would advise defining the CGN address space you’re serving in DHCP in the class list.
One other item I noted is that you do not have an Outside interface defined. Perhaps you redacted for the post, but you’ll need one of those as well.

5

really appreciate your answer, my first CGN equipment so all help are welcomed :slight_smile:
version #2, please take a look:

!Current configuration: 686 bytes    
!Configuration last updated at 10:27:36 IST Wed Apr 29 2020
!Configuration last saved at 10:13:39 IST Wed Apr 29 2020
!64-bit Advanced Core OS (ACOS) version 5.1.0, build 90 (Dec-21-2019,16:08)
!
class-list v4-sub-range-01 ipv4 
 100.64.0.0/24 lsn-lid 1 
!
lldp enable rx tx 
!
interface management 
 ip address 192.168.1.20 255.255.255.0 
!
interface ethernet 1 
 name outside-to-wan 
 enable 
 ip address 10.0.0.0 255.255.255.254 
 ip nat outside 
!
interface ethernet 2 
 name inside-to-customers 
 enable 
 ip address 100.64.0.1 255.255.255.0 
 ip nat inside 
!
interface ethernet 3 
 enable 
!
interface ethernet 4 
!
interface ethernet 5 
!
interface ethernet 6 
!
interface ethernet 7 
!
interface ethernet 8 
 enable 
 ip nat outside 
!
interface ethernet 9 
 enable 
!
!
ip route 0.0.0.0 /0 10.0.0.1 
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24 
!
cgnv6 nat pool public 93.17.86.2 netmask /32 
!    
cgnv6 nat pool-group lan-pool-group-01 
 member lsn-pool-01 
!
cgnv6 lsn-lid 1 
 name lsn-lid-01 
 source-nat-pool lsn-pool-01

6

This is looking better, but it doesn’t look like you have the the “public” nat pool bound to the lsn-lid.
You also may wish to review adding port-batching to your cgnv6 nat pool config. the A10 Transition Solutions Guide (TRSOL in the documentation PDFs) has a lot of good info on the rest of the CGN features.

7

HI Again, some more questions :slight_smile:

class-list v4-sub-range-01 ipv4 
 100.64.0.0/24 lsn-lid 1 
!
vlan 21 
 untagged ethernet 2
 tagged ethernet 8
!
interface ethernet 2 
 name inside-to-customers 
 enable 
 ip nat inside 
!
interface ethernet 8 
 name outside-to-router 
 enable 
 ip nat outside !
!
ip route 0.0.0.0 /0 193.17.86.1 
!
ip-list ip-cgn-list-01 
 100.64.0.2 to 100.64.0.254 
!
ip-list ip-public-list-01 
 193.17.86.2 to 193.17.86.10 
!
cgnv6 nat pool lsn-pool-01 193.17.86.2 193.17.86.254 netmask /24 
!
cgnv6 nat pool-group lan-pool-group-01 
 member lsn-pool-01 
!
cgnv6 lsn-lid 1 
 name lsn-lid-01 
 source-nat-pool lsn-pool-01 
!
sflow setting local-collection 
!
sflow collector ip 127.0.0.1 6343 
!
snmp-server enable service 
!
snmp-server location 192.168.1.8 
!
snmp-server host 192.168.1.8 version v2c Dicktowel2020! 
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
ACOS#

8

Hi again, I’m still having trouble getting the NAT to work, my NE40e and 1040 config:

Huawei NE40e config:

#
interface Vlanif4
 description public-net
 ipv6 enable
 ip address 193.17.176.1 255.255.254.0
 ipv6 address 2A0F:9D80::/48 eui-64
 ipv6 address auto link-local
 ipv6 nd ra prefix 2A0F:9D80::/48 1000 1000
 undo ipv6 nd ra halt
#
interface GigabitEthernet0/3/2
 portswitch
 description public-net
 undo shutdown
 port link-type access
 port default vlan 4
 undo dcn
#
interface GigabitEthernet0/3/3
 portswitch
 description CGN-inside
 undo shutdown
 port link-type access
 port default vlan 5
 undo dcn
#
interface GigabitEthernet0/3/30
 portswitch
 description CGN-inside-testport
 undo shutdown
 port link-type access
 port default vlan 5

undo dcn

Acos config

class-list v4-sub-range-01 ipv4 
 100.64.0.0/24 lsn-lid 1 
!
vlan 4 
 untagged ethernet 8
!
vlan 5 
 untagged ethernet 9
!
lldp enable rx tx 
!
interface management 
 ip address 192.168.1.20 255.255.255.0 
!
interface ethernet 8 
 name outside-to-wan 
 enable 
 ip nat outside 
!
interface ethernet 9 
 name inside-to-customers 
 enable 
 ip nat inside 
!
!
ip route 0.0.0.0 /0 193.17.176.1 
!
ip-list cgn-list-01 
 100.64.0.10 to 100.64.0.200 
!
ip-list public-v4-01 
 193.17.176.10 to 193.17.176.200 
!
cgnv6 template logging log-template 
 include-destination 
 include-inside-user-mac 
!
!
cgnv6 nat pool lsn-pool-01 100.64.0.2 100.64.0.254 netmask /24 
!
cgnv6 lsn logging default-template log-template 
cgnv6 lsn logging pool ipv4-pool-01 template log-template 
!
cgnv6 nat icmp always-source-nat-errors 
cgnv6 nat icmp respond-to-ping 
!
cgnv6 nat icmpv6 respond-to-ping 
!
cgnv6 nat pool-group lan-pool-group-01 
 member lsn-pool-01 
!
cgnv6 lsn-lid 1 
 name lsn-lid-01 
 source-nat-pool lsn-pool-01 
!

cgnv6 fixed-nat inside ip-list cgn-list-01 nat ip-list public-v4-01 method use-all-nat-ips

end
9

For fixed-nat, you don’t need “lsn-lid 1” or the “cgnv6 nat pool lsn-pool-01”, so you may wish to remove those.
How do you plan to direct traffic to the A10? Is the A10 layer 2 adjacent to customer or a routed hop? If routed hop, you’ll need a route for return traffic to client.
I don’t see IP addresses on the A10 interfaces. If A10 is connected to untagged switchports, you can skip the “untag vlan” configuration and apply the IP addresses directly to the A10 interfaces.

10

I actually need “Port Address Translation” because I’m an ISP with limited amount of public IP addresses so I was thinking about 30-100 customers behind every public IP.
I’m going to have the 1040 connected in/out next to the core router Huawei NE40e-M2K that is going to act as DHCP as well initially.
When you say routed hop, do you mean a private link-net between inside and outside ports to core and then ip routes?
I’m having a really hard time understanding the CGN equipment and the communication logic between A10 and core.
Is it LSN that would equal “Port Address Translation”? (see attached picture)

image.png
image.png186×558 28.7 KB