Dynamic vs Fixed CGNAT


This topic contains 1 reply, has 2 voices, and was last updated by ericn 9 months, 3 weeks ago.

#15022

    Trying to use dynamic CGNAT, with a class list under one subnet and lid id. Have 50+ client subnets and want them to automatically receive nats from that pool. But, I have to enter each client subnet individually (which defeats the purpose). What’s the resolution? Also, when is it appropriate to use fixed vs dynamic CGNAT? Or do you use both?


    Fixed NAT is a way of configuring CGNAT so that internal addresses are deterministically assigned to your public addresses. The table tells you: this internal address will always be one of these source ports on this public address.

    Most commonly, this is used so that rules can be applied on some upstream device: This public address with these source ports is allowed to that destination, but the same address with different source ports is not. Fixed NAT can also, depending on various factors, reduce the amount of logging.

    Dynamic NAT can be much more efficient in sharing the Public IPs for your internal users, so if public IPv4 addresses are at a premium, you may need to use Dynamic NAT to support your users.

    One way or another, you will need to tell ACOS what your internal, private, IP addresses are. For Fixed NAT, from what I’m hearing, you would probably need to use the ip-list feature, and for Dynamic NAT we use the class-list feature.

    In many networks, the internal address space can be summarized with a /16 netmask. As class lists, like routing tables, take the most specific match first, you may be able to reduce the class-list size by defining an aggregated network and then defining the exceptions.
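To make the two points in the reply concrete, here is an added Python model (it is not code from this thread, and not A10's ACOS or its CLI): a deterministic fixed-NAT layout that gives each inside address a fixed public address and port block, the inverse of that layout for attributing an observed public IP and source port back to an inside host without per-session logs, and a class-list style lookup that takes the most specific prefix first, so a /16 aggregate can be listed once and the exceptions listed as /24s. The inside range 10.0.0.0/24, the pool 203.0.113.0/30, the port range 1024 to 65535, the sequential assignment order and the LID numbers are all constructed assumptions.

```python
import ipaddress

# Constructed example inputs: a /24 of inside hosts sharing a pool of four public
# addresses (203.0.113.0/30 is documentation space). Not an ACOS configuration;
# the real product has its own parameters (ports per user, port-block options).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
OUTSIDE_POOL = ipaddress.ip_network("203.0.113.0/30")
PORT_START, PORT_END = 1024, 65535


def _layout(inside_net, outside_pool, port_start, port_end):
    """Derive how many inside hosts share one public address and the port-block size."""
    users_per_public = -(-inside_net.num_addresses // outside_pool.num_addresses)  # ceil
    usable_ports = port_end - port_start + 1
    block = usable_ports // users_per_public
    if block < 1:
        raise ValueError("pool too small: every inside host needs at least one port")
    return users_per_public, block


def fixed_nat_mapping(inside_ip, inside_net=INSIDE_NET, outside_pool=OUTSIDE_POOL,
                      port_start=PORT_START, port_end=PORT_END):
    """Fixed NAT: the n-th inside address always gets the same public address and port block.
    The returned (public_ip, low_port, high_port) is exactly what an upstream rule can key on."""
    ip = ipaddress.ip_address(inside_ip)
    if ip not in inside_net:
        raise ValueError(f"{ip} is not in the inside range {inside_net}")
    users_per_public, block = _layout(inside_net, outside_pool, port_start, port_end)
    index = int(ip) - int(inside_net.network_address)
    public_ip = outside_pool[index // users_per_public]
    low = port_start + (index % users_per_public) * block
    return str(public_ip), low, low + block - 1


def fixed_nat_reverse(public_ip, src_port, inside_net=INSIDE_NET, outside_pool=OUTSIDE_POOL,
                      port_start=PORT_START, port_end=PORT_END):
    """Invert the layout: attribute an observed (public IP, source port) to an inside host
    from the layout alone. This is why fixed NAT can get by with far fewer session logs."""
    pub = ipaddress.ip_address(public_ip)
    if pub not in outside_pool or not port_start <= src_port <= port_end:
        return None
    users_per_public, block = _layout(inside_net, outside_pool, port_start, port_end)
    slot = (src_port - port_start) // block
    if slot >= users_per_public:
        return None  # leftover ports above the last block belong to no subscriber
    index = (int(pub) - int(outside_pool.network_address)) * users_per_public + slot
    if index >= inside_net.num_addresses:
        return None
    return str(inside_net[index])


# Class-list style lookup, most specific prefix first, as the reply describes.
# Constructed: one aggregated /16 bound to LID 1 plus a /24 exception bound to LID 2.
CLASS_LIST = [
    ("10.0.0.0/16", 1),
    ("10.0.200.0/24", 2),
]


def class_list_lookup(ip, class_list=CLASS_LIST):
    """Return the LID of the longest matching prefix, or None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, lid in class_list:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, lid)
    return best[1] if best else None


if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.70"):
        print(host, "->", fixed_nat_mapping(host))
    print("203.0.113.1:7500 <-", fixed_nat_reverse("203.0.113.1", 7500))
    for host in ("10.0.5.9", "10.0.200.7", "192.168.1.1"):
        print(host, "-> LID", class_list_lookup(host))
```

With 256 inside hosts and 4 public addresses, 64 hosts share each public address and each gets a 1008-port block; 10.0.0.70 is therefore always 203.0.113.1 ports 7072 to 8079, and an abuse report naming 203.0.113.1:7500 resolves to that host from the layout alone. In the class-list lookup 10.0.5.9 falls under the /16 aggregate (LID 1) while 10.0.200.7 hits the more specific /24 exception (LID 2), so the 50 client subnets in the question only need individual entries where they differ from the aggregate.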
