Controlling Local Traffic Breakout; Nat In-Line Service Support - Cisco ASR 5000 Administration Manual

Enhanced wireless access gateway
▀ Product Overview

Controlling Local Traffic Breakout

D-eWAG enables Local Traffic Breakout (direct IP access) based on whether a Firewall-and-NAT policy is available for the
subscriber. If NAT is enabled for the subscriber, Local Traffic Breakout is enabled.

NAT In-line Service Support

NAT in-line service is required for Local Traffic Breakout support. Local Traffic Breakout is applied to subscriber
traffic based on its L3/L4 characteristics: source IP address, source port number, destination IP address, destination
port number, and protocol. One-to-one NAT is applied only to direct IP data, while the rest of the 3G data bypasses
NAT. This is configured with the help of target-based NAT support. If NAT is enabled, all subscriber IP traffic is
NATed, and the private IP check on the subscriber IP is bypassed.
If NAT is not enabled, all user data goes to the GGSN.
Important: For D-eWAG, irrespective of the NAT pool type, the NAT IP address is allocated only on demand—after the data requiring NAT comes in.
Enabling Firewall-and-NAT Policy
The Firewall-and-NAT policy can be enabled for a subscriber in one of the following ways:
- Subscriber Template
- RADIUS AVP
- ECS Rulebase
The Firewall-and-NAT policy can either be specified in the ECS rulebase, which can in turn be specified in the
Subscriber Template, or be specified directly in the Subscriber Template.
The Subscriber configuration has higher priority than the ECS rulebase configuration. Therefore, if Firewall-and-NAT
policies are configured both in the Subscriber Template and in the ECS rulebase, the policy specified in the
Subscriber Template is applied to the subscriber.
Target-based NAT Configuration
A NAT realm (the NAT IP pool from which a NAT IP address can be assigned to a subscriber) can be selected based on the
L3/L4 characteristics of the flows/connections coming from the subscriber.
This association is made with the help of the access-rule configuration in the rulebase. The administrator configures
the realm names along with the access rules in the Firewall-and-NAT policy. The matching criteria for these rules in
the rulebase can be based on L3/L4 parameters, so a realm is selected according to the L3/L4 parameters of
the flow (target-based NAT). When packets matching a given ruledef r1 are received, NAT is done using the NAT IP
address allocated to the subscriber from the realm configured for ruledef r1. In this way, the NAT realm and NAT IP
address used for a subscriber flow are decided at rule match.
If no NAT realm name is found in the ruledef matching the packet, or if the ruledef specifies that NAT be bypassed, NAT is not
applied to the subscriber flow, and the traffic is routed within the private network.
Thus, for NAT to be applied, a realm name must be configured in the matching ruledef. If NAT has to be bypassed, then
a NAT realm must not be configured in that ruledef.
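The decision logic described above (Subscriber Template policy overriding the ECS rulebase policy, realm selection by L3/L4 rule match, NAT bypass when the matching ruledef has no realm, and on-demand NAT IP allocation) modelled in a few lines of Python. This is an added illustration, not Cisco StarOS code; the ruledef shapes, realm names, first-match rule ordering and the documentation-range addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
# Constructed NAT realms (NAT IP pools); the addresses are documentation ranges, not real ones.
REALM_POOLS = {"REALM_WEB": iter(["203.0.113.10", "203.0.113.11"]),
               "REALM_VOIP": iter(["198.51.100.20"])}

@dataclass
class Ruledef:
    name: str
    dst_net: ipaddress.IPv4Network    # L3 match criterion
    dst_port: Optional[int] = None    # L4 match criterion (None = any port)
    protocol: Optional[str] = None    # "tcp"/"udp" (None = any protocol)
    realm: Optional[str] = None       # NAT realm; None means NAT is bypassed for this ruledef

    def matches(self, dst_ip, dst_port, protocol):
        return (ipaddress.ip_address(dst_ip) in self.dst_net
                and self.dst_port in (None, dst_port)
                and self.protocol in (None, protocol))

@dataclass
class Subscriber:
    template_policy: Optional[list] = None  # Firewall-and-NAT policy from the Subscriber Template
    rulebase_policy: Optional[list] = None  # Firewall-and-NAT policy from the ECS rulebase
    nat_ips: dict = field(default_factory=dict)  # realm -> NAT IP, allocated only on demand

def route_packet(sub, dst_ip, dst_port, protocol):
    """Return ("ggsn", None), ("private", None) or ("breakout", nat_ip)."""
    # Subscriber Template configuration has priority over the ECS rulebase configuration.
    policy = sub.template_policy if sub.template_policy is not None else sub.rulebase_policy
    if policy is None:                # NAT not enabled: no breakout, all user data goes to the GGSN
        return ("ggsn", None)
    for rule in policy:               # assumption: rules are evaluated in configured order
        if rule.matches(dst_ip, dst_port, protocol):
            if rule.realm is None:    # matching ruledef has no realm: NAT is bypassed
                return ("private", None)
            if rule.realm not in sub.nat_ips:   # NAT IP allocated when data needing it first arrives
                sub.nat_ips[rule.realm] = next(REALM_POOLS[rule.realm])
            return ("breakout", sub.nat_ips[rule.realm])
    return ("private", None)          # no ruledef matched: NAT not applied

def demo():
    web = Ruledef("r1", ipaddress.ip_network("192.0.2.0/24"), 443, "tcp", "REALM_WEB")
    internal = Ruledef("r2", ipaddress.ip_network("10.0.0.0/8"))            # no realm: bypass
    rb_only = Ruledef("r3", ipaddress.ip_network("192.0.2.0/24"), realm="REALM_VOIP")
    sub = Subscriber(template_policy=[web, internal], rulebase_policy=[rb_only])
    return [route_packet(sub, "192.0.2.7", 443, "tcp"),   # template realm wins: 203.0.113.10
            route_packet(sub, "192.0.2.8", 443, "tcp"),   # same subscriber NAT IP reused
            route_packet(sub, "10.1.2.3", 22, "tcp"),     # bypass: routed in private network
            route_packet(Subscriber(), "192.0.2.7", 443, "tcp")]  # no policy: GGSN
```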