
Application Note

High Performance Network Address Translation (NAT)

Situation

For many years, network architects and engineers have designed their networks using a public IPv4 address and their own private IPv4 addresses with Network Address Translation (NAT) for better security and simplification of IP address management. NAT involves the inspection and re-writing of portions of TCP or UDP packets passing through the device. These packets have checksums to make sure that data is not corrupted in transit, so if a source or destination address must be translated, a new checksum must be computed for every packet (see Figure 1).

Figure 1
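The per-packet work described above, as an added example that is not part of the application note: build a small IPv4/TCP packet, translate its source address and port the way a source NAT device would, and restore both the IPv4 header checksum and the TCP checksum, once by full recomputation and once by the incremental update of RFC 1624, which is how a high-throughput device avoids re-summing every byte of every packet. Addresses, ports and payload are constructed; the functions are illustrative, not any vendor's implementation.

```python
"""Source NAT on one IPv4/TCP packet with checksum repair (constructed example)."""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def verify(data: bytes) -> bool:
    # With a correct checksum field in place the whole buffer sums to 0xFFFF.
    return ones_complement_sum(data) == 0xFFFF


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP packet (no options, SYN flag) with valid checksums."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                         0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the segment.
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp_hdr) + len(payload))
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def parse(packet: bytes):
    """Return (src, dst, sport, dport, ip_checksum_ok, tcp_checksum_ok)."""
    ip_hdr = packet[:20]
    segment = packet[20:]
    src = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    sport, dport = struct.unpack("!HH", segment[:4])
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return src, dst, sport, dport, verify(ip_hdr), verify(pseudo + segment)


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied per changed 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def source_nat(packet: bytes, new_src: str, new_sport: int, incremental: bool = True) -> bytes:
    """Rewrite source IP and port, then fix both checksums.

    incremental=True touches only the changed words; incremental=False
    re-sums the IP header and the whole TCP segment, as a naive device would.
    """
    ip_hdr = bytearray(packet[:20])
    segment = bytearray(packet[20:])
    new_src_b = ipaddress.IPv4Address(new_src).packed
    old_words = list(struct.unpack("!HH", bytes(ip_hdr[12:16])))
    old_words.append(struct.unpack("!H", segment[:2])[0])
    new_words = list(struct.unpack("!HH", new_src_b)) + [new_sport]

    ip_hdr[12:16] = new_src_b
    segment[0:2] = struct.pack("!H", new_sport)
    if incremental:
        ip_csum = incremental_update(struct.unpack("!H", ip_hdr[10:12])[0],
                                     old_words[:2], new_words[:2])
        # The source address is in the TCP pseudo-header, so it changes the TCP sum too.
        tcp_csum = incremental_update(struct.unpack("!H", segment[16:18])[0],
                                      old_words, new_words)
    else:
        ip_hdr[10:12] = b"\x00\x00"
        ip_csum = checksum(bytes(ip_hdr))
        segment[16:18] = b"\x00\x00"
        pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, len(segment))
        tcp_csum = checksum(pseudo + bytes(segment))
    ip_hdr[10:12] = struct.pack("!H", ip_csum)
    segment[16:18] = struct.pack("!H", tcp_csum)
    return bytes(ip_hdr) + bytes(segment)


if __name__ == "__main__":
    pkt = build_tcp_packet("10.1.2.3", "203.0.113.10", 40000, 443, b"hello")
    out = source_nat(pkt, "198.51.100.1", 50001)
    print(parse(pkt))
    print(parse(out))
```

The full-recompute path costs time proportional to the packet length on every packet, which is the load the note attributes to NAT at the network edge; the incremental path is a handful of 16-bit additions regardless of payload size, and both paths yield identical checksum values for the same rewrite. `parse()` also serves as the receiver-side check: after translation both checksum fields must still verify, otherwise the destination host discards the packet.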

Critical Business Issue

Some commercial service providers have limited IPv4 public addresses available, making Network Address Translation (NAT) deployments a fact of life for over a decade. With the increasing number of devices accessing the Internet, it is not uncommon that thousands of people/devices are being served by one public IP address. An effective and high performance NAT operation will be required for these commercial service providers. NAT is a function that almost any router or firewall can perform. Unfortunately, the computational load that NAT places on the router or firewall often puts artificial limits on the amount of data that can be processed or the speeds at which these devices can operate. Because this is done at the logical edge of a company's network, any inbound or outbound network traffic must pass through this device. This means the most intensive computational work is performed where all of the traffic is aggregated and must pass from/to the private network at very high speeds. A problem can arise at high throughputs because simple NAT work can overwhelm the most commonly used devices on the market today. This means that network architects need to buy more firewalls or routers at high costs to have the computing power required for their network.

Customer Scenario

A major cable company needs to provide Network Address Translation (NAT) and Port Address Translation (PAT) of TCP and UDP traffic at the edge of its network. The edge is rapidly approaching 2 GB user traffic with up to 10,000 private IPv4 addresses served by one public IPv4 address, and the current firewall device (Cisco PIX) is not capable of performing NAT/PAT at these speeds reliably. The cost of the infrastructure is increasing rapidly as higher capacity firewalls are needed to keep up with growth. As this network grows, the requirements for the junction between private/public networks are beginning to outstrip the ability of network devices to efficiently and cost-effectively perform this work. The cable company is looking to provide NAT/PAT services without affecting router and firewall performance, and they must do it at very high speeds with cost as a major consideration. In Figure 2 below, the Cisco Catalyst switches are operating at Layer 3. NAT is required for most (but not all) traffic between the internal and external networks. A pair of PIX firewalls is deployed for NAT between the pair of Catalyst switches. This topology requires an additional Cisco Catalyst switch because there is a requirement to selectively and transparently provide connectivity from some non-private (i.e. public) addressed clients within the internal network, which do not require NAT. The PIX firewalls will perform NAT on all connections that route through them, but the Cisco Catalyst will pass some traffic directly past the PIX so that NAT is not performed. As the traffic increases on the cable company's network, the amount of traffic being processed by the PIX firewalls is beginning to overwhelm their processing capabilities. Upgrading the PIX firewalls to 2 GB throughput is possible, but cost prohibitive.

Figure 2

Solution

The AX Series Advanced Traffic Manager from A10 Networks is capable of performing all of these functions far more efficiently than a PIX firewall, and the new topology (see Figure 3) reduces complexity and cost. High performance NAT is one of the core functions of the AX Series. The AX Series uses its Advanced Core Operating System (ACOS) to harness the power of multi-CPU, multi-core processing, providing a high performance NAT system that handles tens of thousands of concurrent sessions. All of this technology is packed into the AX Series so that the problems of today's growing networks can be easily and cost effectively solved. In this topology, all Layer 3 traffic is passed through a redundant pair of AX 3200s where source NAT is selectively performed. The AX 3200s connect directly to the Cisco Catalyst switches via 10GB interfaces. In the previous topology, a path that avoided the PIX firewalls was needed in order to have some of the traffic bypass NAT. There is no need to have an additional network path in this configuration because the AX switches selectively perform NAT/PAT, so one layer of Cisco Catalyst switches is eliminated. The AX 3200s perform source NAT on connections where the source/destination address pair involves private address space, while the connections that do not need NAT are simply processed through.

Figure 3
The topology with an AX has some major advantages:

- AX can do intelligent NAT/PAT at very high speeds and low latency
- Less hardware, lower power consumption, less cooling
- Higher performance and throughput
- Lower cost
- Industry's best price/performance
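The selective source NAT/PAT decision and mapping that the solution section describes, as an added example that is not A10 ACOS code or anything from the application note: a flow is translated only when its source is in RFC 1918 private space and its destination is not, so the publicly addressed internal clients of the old topology pass through without needing a separate path, and many private (address, port) endpoints share one public address through a port table. The public address, the port range and the endpoints in the demo are constructed; the class and function names are this example's own.

```python
"""Selective source NAT/PAT table for one public IPv4 address (constructed example)."""
import ipaddress

# RFC 1918 private address space; only flows sourced from here are translated.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def needs_nat(src: str, dst: str) -> bool:
    """Translate only private -> public flows. Hosts that already carry public
    addresses, and private -> private traffic, are processed through untouched."""
    return is_private(src) and not is_private(dst)


class PatTable:
    """Maps many private (address, port) endpoints onto one public address,
    one public port per internal endpoint (endpoint-independent mapping)."""

    def __init__(self, public_ip: str, low_port: int = 1024, high_port: int = 65535):
        self.public_ip = public_ip
        # pop() takes from the end, so ports are handed out from low_port upward.
        self.free_ports = list(range(high_port, low_port - 1, -1))
        self.outbound = {}  # (src, sport, proto) -> public port
        self.inbound = {}   # (public port, proto) -> (src, sport)

    def translate(self, src: str, sport: int, dst: str, proto: str = "tcp"):
        """Return the (address, port) to write into the packet's source fields,
        or None when the public address has no free ports left."""
        if not needs_nat(src, dst):
            return (src, sport)          # pass-through, no rewrite
        key = (src, sport, proto)
        if key in self.outbound:
            return (self.public_ip, self.outbound[key])
        if not self.free_ports:
            return None                  # PAT port exhaustion
        pub_port = self.free_ports.pop()
        self.outbound[key] = pub_port
        self.inbound[(pub_port, proto)] = (src, sport)
        return (self.public_ip, pub_port)

    def reverse(self, pub_port: int, proto: str = "tcp"):
        """Map a reply arriving at (public_ip, pub_port) back to the internal endpoint."""
        return self.inbound.get((pub_port, proto))

    def release(self, src: str, sport: int, proto: str = "tcp") -> None:
        """Tear down a mapping when its session ends so the port can be reused."""
        pub_port = self.outbound.pop((src, sport, proto), None)
        if pub_port is not None:
            del self.inbound[(pub_port, proto)]
            self.free_ports.append(pub_port)

    def active_sessions(self) -> int:
        return len(self.outbound)


def max_sessions_per_host(table: PatTable, hosts: int) -> int:
    """Average number of concurrent translated sessions each private host can
    hold before the single public address runs out of ports."""
    return (len(table.free_ports) + table.active_sessions()) // hosts


if __name__ == "__main__":
    nat = PatTable("203.0.113.1")                                    # constructed public address
    print(nat.translate("10.0.5.7", 40000, "198.51.100.20"))         # translated
    print(nat.translate("198.51.100.50", 40000, "198.51.100.20"))    # public client, passes through
    print(nat.translate("10.0.5.7", 40001, "10.1.0.9"))              # private -> private, untouched
    print(nat.reverse(1024))                                         # reply lookup
    print("sessions per host with 10,000 hosts:", max_sessions_per_host(nat, 10_000))
```

The last line of the demo is the capacity check a practitioner wants before putting 10,000 private addresses behind one public address: one IPv4 address offers at most 64,512 ports in this range per transport protocol, so the average host can hold only a handful of concurrent translated sessions, and `translate()` returning None is the exhaustion condition a device must handle rather than silently dropping or reusing a live port. Session teardown via `release()` is what keeps the table from filling with stale mappings.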

Summary

A10 Networks' AX Series Advanced Traffic Manager Next-generation Server Load Balancer is capable of high-speed, efficient NAT/PAT operations at speeds required by the largest networks in the world. The AX Series employs A10's Advanced Core Operating System (ACOS) to combine the performance of multi-core CPUs with standard ASICs and specialized FPGAs for the best price/performance in today's market.

Contact Information
Corporate Headquarters: A10 Networks, Inc., 2309 Bering Drive, San Jose, CA 95131, USA
Website: http://www.a10networks.com

A10 Sales
N. America: +1-888-A10-6363 sales@a10networks.com

China: +86 10 8515-0698 china_sales@a10networks.com

International: +1-408-325-8616 sales@a10networks.com

APAC: +886-2-2657-3198 apac_sales@a10networks.com
