Introduction
This document describes how port block-based distribution operates in Dynamic PAT for a Firewall Cluster in version 7.0 and later.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Network Address Translation (NAT) on Cisco Secure Firewall
Components Used
The information in this document is based on these software and hardware versions:
- Firepower Management Center 7.3.0
- Firepower Threat Defense 7.2.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Network Diagram
Logical Topology
Interface Configuration
- Configure the Inside interface as a member of the Inside Zone.
For example, configure an interface with IP address 192.168.10.254 and name it Inside. This Inside interface is the gateway for the internal network 192.168.10.0/24.
- Configure the Outside interface as a member of the Outside Zone.
For example, configure an interface with IP address 10.10.10.254 and name it Outside. This Outside interface faces the external networks.
Network Object Configuration
Even though cluster PAT can work with the egress interface address, or even a single IP, to map all traffic, the best practice is to use an IP pool with at least as many IPs as there are FTD units in the cluster.
For example, the network objects used for the real and mapped IP addresses are Inside-Network and Mapped-IPGroup respectively.
Inside-Network represents the internal network 192.168.10.0/24.
Mapped-IPGroup (made of Mapped-IP-1 10.10.10.100 and Mapped-IP-2 10.10.10.101) is used to map all internal traffic toward the Outside-Zone.
Dynamic PAT Configuration
- Configure a Dynamic NAT rule for outbound traffic. This NAT rule maps the internal network subnet to the external NAT pool.
For example, Inside-Zone to Outside-Zone traffic from Inside-Network is translated to the Mapped-IPGroup pool.
Final Configuration
Final Lab Setup.
Verify
Use this section to confirm that your configuration works properly.
Verify IP Interface and NAT Configuration
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel1 Inside 192.168.10.254 255.255.255.0 manual
Port-channel2 Outside 10.10.10.254 255.255.255.0 manual
> show running-config nat
!
object network Inside-Network
nat (Inside,Outside) dynamic pat-pool Mapped_IPGroup
Verify Port Block Allocation
After Firepower 7.0, the improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes and proactively reclaims unused ports. This is how the port allocation works:
For example, in a cluster group made of two units (N=2) with the default cluster member limit of 16, port allocation is defined for N+1 members, in this case 3. This leaves some ports reserved for the next unit until the maximum cluster limit is reached.
Additionally, it is a best practice to configure the cluster-member-limit to match the number of units planned for the cluster deployment.
For example, in a cluster group made of two units (N=2) with a cluster member limit of 2, port allocation is distributed evenly across all cluster units, and no ports are left in reserve.
Verify Port Block Reclamation
- Whenever a new node joins or leaves a cluster, unused ports and excess port blocks from all units must be released to the control unit.
- If the port blocks are already being used, the least-used ones are marked for reclamation.
- New connections are not allowed on reclaimed port blocks. They are released to the control unit when the last port is cleared.
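The allocation behaviour described under Verify Port Block Allocation (N+1 shares by default, capped by cluster-member-limit) and the reclamation rules listed above can be followed step by step in a small model. The simulation below is an added example, not Cisco code: it assumes 512-port blocks (the block size visible in the show nat pool cluster output on this page), a PAT port range of 1024-65535 for one mapped address, and that the control unit splits the blocks into min(N+1, cluster-member-limit) equal shares. The exact arithmetic FTD uses is an assumption; only the N+1 / member-limit behaviour and the reclamation rules come from the document.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK_SIZE = 512            # 512-port blocks, as in the 'show nat pool cluster' output
PORT_RANGE = (1024, 65535)  # assumed high-port PAT range for one mapped address


@dataclass
class Block:
    start: int
    end: int
    owner: Optional[str] = None   # None: held in reserve by the control unit
    in_use: int = 0               # ports currently bound to connections
    reclaiming: bool = False      # marked for reclamation: no new connections


class ClusterPatPool:
    """Port blocks of one PAT address, shared by the units of a cluster (model)."""

    def __init__(self, cluster_member_limit: int):
        self.limit = cluster_member_limit
        self.units: list = []
        first, last = PORT_RANGE
        self.blocks = [Block(p, min(p + BLOCK_SIZE - 1, last))
                       for p in range(first, last + 1, BLOCK_SIZE)]

    def owned(self, unit):
        return [b for b in self.blocks if b.owner == unit]

    def reserved(self):
        return [b for b in self.blocks if b.owner is None]

    def blocks_per_unit(self):
        # N+1 shares by default, capped by cluster-member-limit (assumed split)
        shares = min(len(self.units) + 1, self.limit)
        return len(self.blocks) // shares

    def join(self, unit):
        self.units.append(unit)
        self._rebalance()

    def leave(self, unit):
        self.units.remove(unit)
        for b in self.owned(unit):   # everything the node held goes back to the control unit
            b.owner, b.in_use, b.reclaiming = None, 0, False
        self._rebalance()

    def _rebalance(self):
        target = self.blocks_per_unit()
        # Step 1: units above target give blocks back. Unused blocks are released at
        # once; blocks still carrying connections are marked for reclamation, least-used first.
        for unit in self.units:
            active = [b for b in self.owned(unit) if not b.reclaiming]
            excess = max(len(active) - target, 0)
            for b in sorted(active, key=lambda b: b.in_use)[:excess]:
                if b.in_use == 0:
                    b.owner = None
                else:
                    b.reclaiming = True
        # Step 2: units below target take blocks from the reserve.
        for unit in self.units:
            active = [b for b in self.owned(unit) if not b.reclaiming]
            for b in self.reserved()[:max(target - len(active), 0)]:
                b.owner = unit

    def new_connection(self, unit):
        """Bind a port for a new connection on 'unit'; reclaimed blocks are never used."""
        for b in self.owned(unit):
            if not b.reclaiming and b.in_use < BLOCK_SIZE:
                b.in_use += 1
                return b
        return None

    def clear_port(self, block):
        """A connection ended; a block under reclamation is released once it is empty."""
        block.in_use -= 1
        if block.reclaiming and block.in_use == 0:
            block.owner, block.reclaiming = None, False
            self._rebalance()


if __name__ == "__main__":
    for limit in (16, 2):
        pool = ClusterPatPool(limit)
        pool.join("unit-1-1")
        pool.join("unit-2-1")
        print(f"limit {limit}: unit-1-1={len(pool.owned('unit-1-1'))} blocks,"
              f" unit-2-1={len(pool.owned('unit-2-1'))}, reserved={len(pool.reserved())}")
```

With the default limit of 16 and two units, each unit receives a third of the blocks and the remaining third stays in reserve for the next node; with the limit set to 2, the same two units split everything and nothing is reserved. Joining a third unit to the default-limit cluster releases unused excess blocks immediately and marks the least-used busy blocks for reclamation, which are only handed back once their last port is cleared.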
Troubleshooting Commands
This section provides information you can use to troubleshoot your configuration.
- Check the configured cluster-member-limit value:
> show cluster info
Cluster FTD-Cluster: On
Interface mode: spanned
Cluster Member Limit : 2
[...]
> show running-config cluster
cluster group FTD-Cluster
key *****
local-unit unit-2-1
cluster-interface Port-channel48 ip 172.16.2.1 255.255.0.0
cluster-member-limit 2
[...]
- Display a summary of the port block distribution among the units in the cluster:
> show nat pool cluster summary
- Display the current assignment of port blocks per PAT address to the owner and backup units:
> show nat pool cluster
IP Outside:Mapped_IPGroup 10.10.10.100
[1024-1535], owner unit-1-1, backup unit-2-1
[1536-2047], owner unit-1-1, backup unit-2-1
[2048-2559], owner unit-1-1, backup unit-2-1
[2560-3071], owner unit-1-1, backup unit-2-1
[...]
IP Outside:Mapped_IPGroup 10.10.10.101
[1024-1535], owner unit-1-1, backup unit-2-1
[1536-2047], owner unit-1-1, backup unit-2-1
[2048-2559], owner unit-1-1, backup unit-2-1
[2560-3071], owner unit-1-1, backup unit-2-1
[...]
- Display information related to the distribution and usage of port blocks:
> show nat pool detail
TCP PAT pool Outside, address 10.10.10.100
range 17408-17919, allocated 2 *
range 27648-28159, allocated 2
TCP PAT pool Outside, address 10.10.10.101
range 17408-17919, allocated 1 *
range 27648-28159, allocated 2
[...]
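When a cluster has many units and PAT addresses, the show nat pool cluster output above becomes long, and an uneven distribution (one unit owning every block of an address, or an owner that is also its own backup) is easy to miss by eye. The parser below is an added example, not part of this document or of any Cisco tool: it reads that output format, counts blocks and ports per owner and backup for each mapped IP, and lists anything worth a closer look. The sample output is constructed from the excerpt on this page, with two blocks reassigned to unit-2-1 so that the summary shows both an even and an uneven address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the 'show nat pool cluster' excerpt on this page.
SAMPLE_OUTPUT = """\
IP Outside:Mapped_IPGroup 10.10.10.100
[1024-1535], owner unit-1-1, backup unit-2-1
[1536-2047], owner unit-1-1, backup unit-2-1
[2048-2559], owner unit-2-1, backup unit-1-1
[2560-3071], owner unit-2-1, backup unit-1-1
[...]
IP Outside:Mapped_IPGroup 10.10.10.101
[1024-1535], owner unit-1-1, backup unit-2-1
[1536-2047], owner unit-1-1, backup unit-2-1
[2048-2559], owner unit-1-1, backup unit-2-1
[2560-3071], owner unit-1-1, backup unit-2-1
[...]
"""

ADDR_RE = re.compile(r"^IP\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
BLOCK_RE = re.compile(r"^\[(\d+)-(\d+)\],\s*owner\s+(\S+),\s*backup\s+(\S+)\s*$")


def parse_nat_pool_cluster(text):
    """Return {mapped_ip: [(start, end, owner, backup), ...]}; '[...]' lines are skipped."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            current = m.group(2)
            continue
        m = BLOCK_RE.match(line)
        if m and current:
            start, end, owner, backup = m.groups()
            blocks[current].append((int(start), int(end), owner, backup))
    return dict(blocks)


def summarize(parsed, expected_units=None):
    """Per mapped IP: block/port counts per owner and backup, plus points to check."""
    report = {}
    for ip, blks in parsed.items():
        owners = Counter(owner for _, _, owner, _ in blks)
        backups = Counter(backup for _, _, _, backup in blks)
        issues = []
        if any(owner == backup for _, _, owner, backup in blks):
            issues.append("owner and backup are the same unit")
        ordered = sorted(blks)
        if any(ordered[i][0] <= ordered[i - 1][1] for i in range(1, len(ordered))):
            issues.append("overlapping block ranges")
        if expected_units:
            # a unit that owns nothing for an address carries none of its PAT load
            missing = sorted(set(expected_units) - set(owners))
            if missing:
                issues.append("no blocks owned by " + ", ".join(missing))
        report[ip] = {
            "blocks": len(blks),
            "ports": sum(end - start + 1 for start, end, _, _ in blks),
            "owners": dict(owners),
            "backups": dict(backups),
            "issues": issues,
        }
    return report


if __name__ == "__main__":
    parsed = parse_nat_pool_cluster(SAMPLE_OUTPUT)
    for ip, entry in summarize(parsed, expected_units=["unit-1-1", "unit-2-1"]).items():
        print(ip, entry)
```

Feed the function the saved output of show nat pool cluster and pass the unit names from show cluster info as expected_units; an address whose blocks all sit on one unit, while the excerpt is only a truncated view, is the kind of entry to compare against show nat pool cluster summary before concluding that the distribution is uneven.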
Related Information