CGN: Carrier-grade NAT


Every network engineer with some experience knows RFC 1918 address space off the top of their head, so there is no need to explain that almost every office, home user and some datacenter networks are using IPs from this RFC. So far, so good. But what if you have a large network with more than 10 physical locations and need to hook things together? This is where CGN comes in handy.

If you have multiple offices or locations and one of the NAT-performing routers has the same subnet on the inside as on the outside (the outside being the main office network here), no routing will be possible for this network. Especially when dealing with a lot of branch offices (and more IT personnel) it becomes more difficult to know exactly which RFC 1918 ranges are in use, and where. For example, I have worked for a large enterprise where somebody in Spain wanted to maintain control over the local network (idiot). He just figured it would be handy to configure 10.0.0.0/8 as the local network, and everything worked until he had to open a VPN tunnel to the main office in Amsterdam. As the main office network equipment was using 10.0.10.0/24, things started to fall apart.

This is where RFC 6598 comes in handy. This RFC reserves an IPv4 prefix that can be used for internal addressing, separate from the RFC 1918 addresses. Result: no overlap, yet no use of publicly routable addresses. The chosen prefix is 100.64.0.0/10.
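The overlap problem above is easy to catch mechanically before a VPN tunnel is built. The following Python script is an added example, not part of the original post: it checks a set of per-site prefixes for overlap (using the Spain 10.0.0.0/8 versus Amsterdam 10.0.10.0/24 clash from the post as constructed input), verifies that 100.64.0.0/10 does not overlap any RFC 1918 range, and then carves unique per-site /24s out of the RFC 6598 block. The site names and the /24 site size are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges and the RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def find_conflicts(allocations):
    """Return (site_a, site_b) pairs whose prefixes overlap.

    allocations: dict mapping a site name to a prefix string.
    Overlap in either direction (one prefix containing the other,
    or identical prefixes) counts as a conflict, because both would
    break routing between the sites.
    """
    nets = {site: ipaddress.ip_network(p, strict=False) for site, p in allocations.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def in_shared_space(prefix):
    """True if the prefix lies entirely inside 100.64.0.0/10."""
    return ipaddress.ip_network(prefix, strict=False).subnet_of(RFC6598)


def overlaps_rfc1918(prefix):
    """True if the prefix overlaps any RFC 1918 range."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.overlaps(r) for r in RFC1918)


def site_capacity(site_prefixlen=24):
    """Number of per-site subnets of the given length that fit in the /10."""
    return 2 ** (site_prefixlen - RFC6598.prefixlen)


def allocate_sites(sites, site_prefixlen=24):
    """Hand each site a unique subnet carved from 100.64.0.0/10, in order."""
    subnets = RFC6598.subnets(new_prefix=site_prefixlen)
    return {site: str(next(subnets)) for site in sites}


if __name__ == "__main__":
    # Constructed example: the branch-office clash described in the post
    legacy = {"Amsterdam": "10.0.10.0/24", "Spain": "10.0.0.0/8"}
    print("conflicts in legacy plan:", find_conflicts(legacy))

    # Re-plan the same sites (plus one more) from the RFC 6598 block
    plan = allocate_sites(["Amsterdam", "Spain", "Berlin"])
    print("new plan:", plan)
    print("conflicts in new plan:", find_conflicts(plan))
    print("/24 sites available in 100.64.0.0/10:", site_capacity(24))
```

Note that RFC 6598 reserves this block specifically for carrier-grade NAT between an ISP and its subscribers, so an enterprise reusing it internally should still confirm that no upstream WAN link is itself numbered from 100.64.0.0/10; the overlap check above can be run against those WAN prefixes as well.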


It’s good to know that, for networking purposes, there is a complete /10 range that can be used (obviously isolated from anything else). CGN has drawbacks such as complexity and administration. But in a large enterprise CGN would definitely be the way to go.

Here you can find some great test results!