nat application note

Upload: bakh777196

Post on 06-Apr-2018


  • 8/3/2019 NAT Application Note

    Application Note

    High Performance Network Address Translation (NAT)


    Situation

    For many years, network architects and engineers have designed their networks using a public IPv4 address and their own private IPv4 addresses with Network Address Translation (NAT) for better security and simplification of IP address management. NAT involves the inspection and re-writing of portions of TCP or UDP packets passing through the device. These packets have checksums to make sure that data is not corrupted in transit, so if a source or destination address must be translated, a new checksum must be computed for every packet. (See Figure 1.)
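The per-packet rewrite described above, as an added example (not code from the A10 note or any A10 product): a source NAT/PAT rewrite that patches the IPv4 and TCP checksums incrementally per RFC 1624, with full-recomputation checks to confirm the result. It assumes a 20-byte IPv4 header with no options followed by TCP; the function names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words (len is even here). */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t s) {
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)p[i] << 8 | p[i + 1];
    return s;
}
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* Full recomputation; each returns 0 when the stored checksum is valid. */
uint16_t ip_verify(const uint8_t *pkt) { return (uint16_t)~fold(sum16(pkt, 20, 0)); }
uint16_t tcp_verify(const uint8_t *pkt, size_t tcp_len) {
    /* pseudo-header: src + dst address, protocol 6, TCP length */
    uint32_t s = sum16(pkt + 12, 8, 6 + (uint32_t)tcp_len);
    return (uint16_t)~fold(sum16(pkt + 20, tcp_len, s));
}
/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one word changing m -> m'. */
static void csum_adjust(uint8_t *ck, uint16_t old, uint16_t nw) {
    uint32_t s = (uint16_t)~(ck[0] << 8 | ck[1]);
    s += (uint16_t)~old;
    s += nw;
    uint16_t hc = (uint16_t)~fold(s);
    ck[0] = (uint8_t)(hc >> 8); ck[1] = (uint8_t)hc;
}
/* Source NAT/PAT on a 20-byte IPv4 header followed by TCP (assumed layout). */
void nat_snat(uint8_t *pkt, uint32_t new_ip, uint16_t new_port) {
    uint8_t *src = pkt + 12, *tcp = pkt + 20;
    uint16_t nw[2] = { (uint16_t)(new_ip >> 16), (uint16_t)new_ip };
    for (int i = 0; i < 2; i++) {
        uint16_t old = (uint16_t)(src[2 * i] << 8 | src[2 * i + 1]);
        csum_adjust(pkt + 10, old, nw[i]);  /* IPv4 header checksum */
        csum_adjust(tcp + 16, old, nw[i]);  /* TCP checksum covers the address too */
        src[2 * i] = (uint8_t)(nw[i] >> 8); src[2 * i + 1] = (uint8_t)nw[i];
    }
    csum_adjust(tcp + 16, (uint16_t)(tcp[0] << 8 | tcp[1]), new_port);
    tcp[0] = (uint8_t)(new_port >> 8); tcp[1] = (uint8_t)new_port;
}
/* Constructed sample: TCP SYN from 10.0.0.5:50000 to 198.51.100.20:80. */
void make_sample(uint8_t *pkt) {
    static const uint8_t t[40] = {
        0x45,0,0,40, 0x12,0x34,0x40,0, 64,6,0,0, 10,0,0,5, 198,51,100,20,
        0xc3,0x50,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };
    memcpy(pkt, t, 40);
    uint16_t c = ip_verify(pkt);  pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    c = tcp_verify(pkt, 20);      pkt[36] = (uint8_t)(c >> 8); pkt[37] = (uint8_t)c;
}
```

One translated address touches two checksums, because the TCP checksum covers a pseudo-header containing the source and destination addresses; a rewrite that patches only the IPv4 header produces segments the receiver drops.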

    Critical Business Issue

    Some commercial service providers have limited IPv4 public addresses available, making Network Address Translation (NAT) deployments a fact of life for over a decade. With the increasing number of devices accessing the Internet, it is not uncommon that thousands of people/devices are being served by one public IP address. An effective and high performance NAT operation will be required for these commercial service providers.

    NAT is a function that almost any router or firewall can perform. Unfortunately, the computational load that NAT places on the router or firewall often puts artificial limits on the amount of data that can be processed or the speeds at which these devices can operate. Because this is done at the logical edge of a company's network, any inbound or outbound network traffic must pass through this device. This means the most intensive computational work is performed where all of the traffic is aggregated and must pass from/to the private network at very high speeds.

    A problem can arise at high throughputs because simple NAT work can overwhelm the most commonly used devices on the market today. This means that network architects need to buy more firewalls or routers at high costs to have the computing power required for their network.

    Figure 1


    Customer Scenario

    A major cable company needs to provide Network Address Translation (NAT) and Port Address Translation (PAT) of TCP and UDP traffic at the edge of its network. The edge is rapidly approaching 2 GB user traffic with up to 10,000 private IPv4 addresses served by one public IPv4 address, and the current firewall device (Cisco PIX) is not capable of performing NAT/PAT at these speeds reliably.

    The cost of the infrastructure is increasing rapidly as higher capacity firewalls are needed to keep up with growth. As this network grows, the requirements for the junction between private/public networks are beginning to outstrip the ability of network devices to efficiently and cost-effectively perform this work.

    The cable company is looking to provide NAT/PAT services without affecting router and firewall performance, and they must do it at very high speeds with cost as a major consideration.

    In Figure 2 below, the Cisco Catalyst switches are operating at Layer 3. NAT is required for most (but not all) traffic between the internal and external networks. A pair of PIX firewalls is deployed for NAT between the pair of Catalyst switches. This topology requires an additional Cisco Catalyst switch because there is a requirement to selectively and transparently provide connectivity from some non-private (i.e. public) addressed clients within the internal network, which do not require NAT. The PIX firewalls will perform NAT on all connections that route through them, but the Cisco Catalyst will pass some traffic directly past the PIX so that NAT is not performed.

    As the traffic increases on the cable company's network, the amount of traffic being processed by the PIX firewalls is beginning to overwhelm their processing capabilities. Upgrading the PIX firewalls to 2 GB throughput is possible, but cost prohibitive.

    Figure 2


    Summary

    A10 Networks AX Series Advanced Traffic Manager Next-generation Server Load Balancer is capable of high-speed, efficient NAT/PAT operations at speeds required by the largest networks in the world. The AX Series employs A10's Advanced Core Operating System (ACOS) to combine the performance of multi-core CPUs with standard ASICs and specialized FPGAs for the best price/performance in today's market.

    Contact Information

    Corporate Headquarters

    A10 Networks, Inc.
    2309 Bering Drive
    San Jose, CA 95131
    USA

    Website

    http://www.a10networks.com

    A10 Sales

    N. America: +1-888-A10-6363
    International: +1-408-325-8616
    China: +86 10 8515-0698
    APAC: +886-2-2657-3198
