Translation of Network Addresses – CG-NAT

The network address and port translation function of VAS EXPERTS DPI lets a carrier share one public IPv4 address among multiple subscribers, extends the useful life of the limited IPv4 address space, and simplifies the transition to IPv6 addressing. Because the DPI platform is designed for huge loads with deep traffic analysis, it can easily perform address translation (Carrier-Grade NAT) as well, and the customer also receives the full set of standard DPI tools.

  • Makes effective use of the limited IPv4 address space.
  • Complies with the industry standards defined in RFC 6888 and RFC 4787.
  • Ensures transparent operation of peer-to-peer protocols (torrents, games).
  • Allows limiting the number of TCP and UDP ports per subscriber (protection against DDoS).


Technical Solution

  • To implement the CG-NAT function, VAS EXPERTS DPI must be deployed “out-of-line”.
  • For fault tolerance, a standby platform is recommended.
  • The VAS EXPERTS DPI COMPLETE license is required to enable the CG-NAT function.
  • Performance of the address translation function depends on the chosen hardware platform and on the VAS EXPERTS DPI software license (VAS EXPERTS DPI 6, VAS EXPERTS DPI 20, VAS EXPERTS DPI 40 and higher).


Using the Paired IP address pooling function

All of a subscriber’s connections from one “gray” internal address are anchored to one external “white” IP address.

Using Hairpinning Technology

Subscribers inside NAT communicate with each other without translating addresses. Any machine on the local network outside of NAT can access another machine on the same network at the external address of the router.

Setting limits on TCP and UDP connections for subscribers

For each IP address pool, the number of TCP and UDP connections is limited for each subscriber individually, which lets the carrier safely allocate address space resources between corporate and private clients. Inactive connections are closed, releasing their ports.

Translation logging

Address translations are written to a text file or sent to an external collector via the IPFIX protocol (aka NetFlow v10).
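
As an added illustration (not VAS EXPERTS code), the model below combines paired IP address pooling, per-subscriber TCP/UDP limits and translation logging, and shows how the log attributes an external address and port back to a subscriber. The class and method names, round-robin pairing, first-free port selection and log tuple layout are assumptions, and the addresses are constructed samples.

```python
import ipaddress
from collections import defaultdict

class CgNatPool:
    """Toy model of one CG-NAT pool (constructed example, not vendor code)."""

    def __init__(self, external_ips, tcp_limit, udp_limit, first_port=1024):
        self.external_ips = [ipaddress.ip_address(a) for a in external_ips]
        self.limits = {"tcp": tcp_limit, "udp": udp_limit}
        self.first_port = first_port
        self.paired = {}               # internal IP -> its single external IP
        self.sessions = {}             # (proto, int_ip, int_port) -> (ext_ip, ext_port)
        self.used = defaultdict(set)   # (proto, ext_ip) -> external ports in use
        self.count = defaultdict(int)  # (proto, int_ip) -> active mappings
        self.log = []  # (time, event, proto, int_ip, int_port, ext_ip, ext_port)

    def translate(self, now, proto, int_ip, int_port):
        int_ip = ipaddress.ip_address(int_ip)
        key = (proto, int_ip, int_port)
        if key in self.sessions:       # an existing mapping is reused
            return self.sessions[key]
        if self.count[proto, int_ip] >= self.limits[proto]:
            return None                # per-subscriber limit reached
        if int_ip not in self.paired:  # paired pooling: chosen once (round-robin assumed)
            self.paired[int_ip] = self.external_ips[len(self.paired) % len(self.external_ips)]
        ext_ip = self.paired[int_ip]
        ports = self.used[proto, ext_ip]
        ext_port = next((p for p in range(self.first_port, 65536) if p not in ports), None)
        if ext_port is None:
            return None                # no free port left on the paired address
        ports.add(ext_port)
        self.count[proto, int_ip] += 1
        self.sessions[key] = (ext_ip, ext_port)
        self.log.append((now, "open", proto, int_ip, int_port, ext_ip, ext_port))
        return ext_ip, ext_port

    def release(self, now, proto, int_ip, int_port):
        key = (proto, ipaddress.ip_address(int_ip), int_port)
        ext_ip, ext_port = self.sessions.pop(key)
        self.used[proto, ext_ip].discard(ext_port)  # port returns to the pool
        self.count[proto, key[1]] -= 1
        self.log.append((now, "close", proto, key[1], int_port, ext_ip, ext_port))

    def who_had(self, when, proto, ext_ip, ext_port):
        """Replay the time-ordered log to find who held ext_ip:ext_port at `when`."""
        owner = None
        for t, event, p, int_ip, _, e_ip, e_port in self.log:
            if t <= when and (p, str(e_ip), e_port) == (proto, ext_ip, ext_port):
                owner = int_ip if event == "open" else None
        return None if owner is None else str(owner)
```

Because external ports are reused after release, attribution needs the timestamp as well as the external address and port, which is why the log records both open and close events.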