The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Bulk Logging and Port Block Allocation feature allocates a block of ports for translation instead of allocating individual ports. This feature is supported only in carrier-grade Network Address Translation (CGN) mode.
This module provides information about the feature and how to configure it.
Enable the carrier-grade Network Address Translation (CGN) mode before enabling the Bulk Logging and Port Block Allocation feature.
Enable paired-address pooling for this feature to work.
The Bulk Logging and Port Block Allocation feature is not supported on interface overload configurations because Network Address Translation (NAT) does not own the port space, the device owns it. You can configure an interface-overload mapping with this feature; however, no messages will be logged for the configuration.
Destination information is not logged.
Application layer gateways (ALGs) that require consecutive port pairings only work when bulk-port allocation is configured with a step size of one. For more information on step size, see “Bulk Logging and Port Block Allocation Overview.”
ALG ports can be used for bulk-port allocation; however, this can cause degraded performance in sessions associated with these ports. If your configuration does not need ALGs, we recommend that you disable ALGs using the CLI.
Syslog is not supported.
Low ports, ports below 1024, are not supported; any application that requires a low port does not work with this feature.
Bulk-port allocation pools must not overlap with static NAT mappings (particularly static mappings with ports) for this feature to work.
The ip nat service full-range command is not supported.
The Bulk Logging and Port Block Allocation feature allocates ports to users in blocks, instead of allocating individual ports. When a session is started from inside the network, instead of allocating a single global IP address and a global port, multiple global ports of a single global IP address are allocated for Network Address Translation (NAT) of traffic. Based on the volume of translations, additional blocks of ports can be allocated.
To allocate port sets, you can use either the consecutive port-set method or the scattered port-set method. In the consecutive port-set method, a user is allocated a set of ports with consecutive port numbers. It is easy to determine the port numbers in the consecutive method and this as a result, can be a security threat.
The Bulk Logging and Port Block Allocation feature uses the scattered port-set method, which allows you to define a start port number, a step value, and the number of ports to allocate. For example, if the starting port number is 4000, the step value is four, and the number of ports is 512, then the step value of four is added to 4000 to get the second port number. Four is added again to 4004 to get the third port number and this process repeats until you have 512 ports in the port set. This method of port-set allocation provides better security.
Some application layer gateways (ALGs) require two consecutive global ports to operate correctly. These ALGs are supported with this feature only when a step value of one is configured, which allocates a consecutive port set.
You must enable NAT paired-address pooling support for this feature to work. This feature also supports Point-to-Point Tunneling Protocol (PPTP).
 Note |
This feature is supported only in carrier-grade NAT (CGN) mode; therefore only source information is logged when this feature is configured. Destination information is not logged. For more information about CGN, see the “Carrier-Grade Network Address Translation" module in IP Addressing: NAT Configuration Guide. |
Port size is configurable and determines the number of ports allocated in each port set. However, ports below 1024, also known as low ports, will not work when bulk logging and port-block allocation is configured.
The first port that is allocated is always the first port in the set. Initially, ports are likely to be allocated in a linear method; however, as sessions are released and ports are freed, the allocation is semi-random. A port set is freed when the last session referencing it is freed.
A few port sets are reserved for users using a specific global IP address. Therefore, when allocated ports are used up, a session can use a reserved port set. If all reserved port sets are used, the session is dropped.
|
Paired-Address Pooling Limit |
Default Bulk-Port Allocation Port Size |
Maximum Port Step Size |
|---|---|---|
|
120 |
512 ports |
8 |
|
30 |
2048 ports |
2 |
|
60 |
1024 ports |
4 |
|
250 |
256 ports |
4 |
|
500 |
128 ports |
8 |
|
1000 |
64 ports |
16 |
The Bulk Logging and Port Block Allocation feature reduces the volume of Network Address Translation (NAT) high-speed logging (HSL). The reduction is accomplished by dynamically allocating a block of global ports instead of a single global port.
Messages are usually logged when a session is created and destroyed. In bulk port allocation, messages are logged when a port set is allocated or freed.
|
Field |
Format |
ID |
Value |
|---|---|---|---|
|
Source IP address |
IPv4 address |
8 |
Varies |
|
Translated source address |
IPv4 address |
225 |
Varies |
|
VRF1 ID |
32-bit ID |
234 |
Varies |
|
Protocol |
8-bit value |
4 |
Varies |
|
Event |
8-bit value |
230 |
|
|
UNIX timestamp in milliseconds |
64-bit value |
323 |
Varies |
|
Port block start |
16-bit port |
361 |
Varies |
|
Port block step size |
16-bit step size |
363 |
Varies |
|
Number of ports in the block |
16-bit number |
364 |
Varies |
Enable carrier-grade Network Address Translation (CGN) mode.
Enable NAT paired-address pooling.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
interface type number Example: |
Specifies an interface and enters interface configuration mode. |
| Step 4 |
ip nat inside Example: |
Connects the interface to the inside network, which is subject to Network Address Translation (NAT). |
| Step 5 |
exit Example: |
Exits interface configuration mode and returns to global configuration mode. |
| Step 6 |
interface type number Example: |
Specifies an interface and enters interface configuration mode. |
| Step 7 |
ip nat outside Example: |
Connects the interface to the outside network. |
| Step 8 |
exit Example: |
Exits interface configuration mode and returns to global configuration mode. |
| Step 9 |
ip nat settings mode cgn Example: |
Enables CGN mode. |
| Step 10 |
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} Example: |
Defines a pool of global addresses to be allocated as needed. |
| Step 11 |
access-list access-list-number permit source [source-wildcard] Example: |
Defines a standard access list that permits addresses that are to be translated. |
| Step 12 |
ip nat inside source list access-list-number pool name Example: |
Establishes dynamic NAT by specifying the access list and the IP address pool defined in Step 10 and Step 11. |
| Step 13 |
ip nat settings pap bpa set-size 512 step-size 8 Example: |
Configures bulk-port allocation. |
| Step 14 |
ip nat log translations flow-export v9 udp destination addr port Example: |
Enables the high-speed logging (HSL) of all NAT translations. |
| Step 15 |
end Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
| Step 16 |
show ip nat translations Example: |
Displays active NAT translations. |
In the following example, dynamic carrier-grade NAT (CGN) and paired-address pooling is configured for bulk-port allocation.
Device# configure terminal
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 1/0/1
Device(config-if)# ip nat outside
Device(config-if)# exit
Device(config)# ip nat settings mode cgn
Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.132 prefix-length 24
Device(config)# access-list 1 permit source 192.168.34.0 0.0.0.255
Device(config)# ip nat inside source list 1 pool net-208
Device(config)# ip nat settings pap bpa set-size 512 step-size 8
Device(config)# ip nat log translations flow-export v9 udp destination 10.1.1.1 2055
Device(config)# end| Step 1 |
show ip nat bpa Example:Displays Network Address Translation (NAT) bulk logging and port-block allocation settings. The following is sample output from the show ip nat bpa command: |
| Step 2 |
show ip nat pool namepool-name Example:Displays NAT pool and port statistics. The following is sample output from the show ip nat pool name pool1 command: The following is sample output from the show ip nat pool name pool3 command: |
| Related Topic | Document Title |
|---|---|
|
Cisco IOS Commands |
|
|
NAT commands |
|
|
Carrier-grade NAT |
“Carrier-Grade Network Address Translation” module in the IP Addressing NAT Configuration Guide |
|
Paired-address pooling support |
“Paired-Address Pooling Support in NAT” module in the IP Addressing NAT Configuration Guide |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feedback