Disabling Flow Cache Entries in NAT and NAT64

The Disabling Flow Cache Entries in NAT and NAT64 feature allows you to disable flow cache entries for dynamic and static Network Address Translation (NAT) translations. Disabling flow cache entries for dynamic and static translations saves memory usage and helps in the scaling of NAT translations.


Note

Disabling flow cache entries results in lower performance, because this functionality performs multiple database searches to find the most specific translation to use.


This module describes the feature and explains how to configure it.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

  • You cannot disable flow cache entries in interface overload configuration because session entries are created even if flow entry creation is disabled.

  • Flow cache entries are created for application layer gateway (ALG) traffic because flow-specific information needs to be stored in the session entry for ALG traffic.

Information About Disabling Flow Cache Entries in NAT and NAT64

Disabling of Flow Cache Entries Overview

By default, Network Address Translation (NAT) creates a session (which is a 5-tuple entry) for every translation. A session is also called a flow cache entry. Flow cache entries create a NAT translation for every Internet Control Message Protocol (ICMP), TCP, and UDP flow and, hence, consume a lot of system memory.

Port Address Translation (PAT) or interface overload configurations must have flow cache entries enabled. However, dynamic and static NAT configurations can disable flow cache entries. Instead of creating sessions, dynamic and static NAT translations can translate a packet off the binding (or bindings if both inside and outside bindings are available). A binding or a half entry is an association between a local IP address and a global IP address.


Note

NAT, NAT64 (stateful and stateless), and carrier-grade NAT (CGN) translations support the disabling of flow cache entries.


When flow cache entries are enabled and a user has 100 sessions, one bind and 100 sessions are created. When flow cache entries are disabled, only a single bind is created for those sessions. Disabling flow cache entries for dynamic and static translations therefore saves memory and lets your dynamic or static translations scale further.


Note

Disabling flow cache entries results in lower performance, because this functionality performs multiple database searches to find the most specific translation to use.

When a packet is received for translation, the following processing happens:

  • If your NAT configuration is PAT, the configuration to disable flow cache entries is ignored and the packet is processed normally.

  • If your configuration is not PAT, the following processing happens:
    • If the packet is an application layer gateway (ALG) packet, a session is created.

    • If the packet is a non-ALG packet, a temporary session is created and this session is sent for translation. The packet is sent to Layer 3 or Layer 4 if your configuration is NAT or to Layer 4 or Layer 7 if your configuration is NAT64 (stateful or stateless).
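As an added illustration of the rules above and of the PAT restriction (this script is not part of the original module or of Cisco IOS), the following Python code classifies a NAT configuration fragment, reports whether a flow-cache disable would actually take effect, and estimates the resulting table entries for one inside host. The config fragments are constructed from this page's examples (the PAT one adds an overload line for contrast), and the matching rules are assumptions made for the example.

```python
import re

# Constructed sample configs modelled on this page's examples (not captured
# from a device); the PAT one adds an 'overload' line for contrast.
DYNAMIC_NAT_CFG = """\
ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
access-list 1 permit 192.168.34.0 0.0.0.255
ip nat inside source list 1 pool net-208
no ip nat create flow-entries
"""
PAT_CFG = """\
ip nat inside source list 1 interface GigabitEthernet0/1/1 overload
no ip nat create flow-entries
"""
NAT64_CFG = """\
nat64 prefix stateful 2001:DB8:1::1/96
nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1
nat64 settings flow-entries disable
"""

def audit_flow_cache(config):
    """Classify the NAT mode and report whether a flow-cache disable takes effect.
    PAT/interface overload always creates sessions, so the disable is ignored;
    dynamic/static NAT honour 'no ip nat create flow-entries'; NAT64 has its own
    'nat64 settings flow-entries disable' command."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if any(re.match(r"ip nat inside source .*\boverload$", l) for l in lines):
        mode = "pat"
    elif any(l.startswith("nat64 ") for l in lines):
        mode = "nat64"
    elif any(re.match(r"ip nat inside source list \S+ pool \S+$", l) for l in lines):
        mode = "dynamic"
    elif any(l.startswith("ip nat inside source static ") for l in lines):
        mode = "static"
    else:
        mode = "none"
    if mode == "nat64":
        requested = "nat64 settings flow-entries disable" in lines
    else:
        requested = "no ip nat create flow-entries" in lines
    effective = requested and mode in ("dynamic", "static", "nat64")
    return {"mode": mode, "requested": requested, "effective": effective}

def table_entries(flows, flow_cache_enabled, alg_flows=0):
    """Entries one inside host needs: one binding plus, with the cache enabled,
    one session per flow; with it disabled only ALG flows still get sessions."""
    binds = 1 if flows else 0
    sessions = flows if flow_cache_enabled else alg_flows
    return binds + sessions
```

Running `audit_flow_cache` over the three fragments flags the PAT one as "requested but not effective", which is the case the restrictions section warns about.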

How to Disable Flow Cache Entries in NAT and NAT64

Disabling Flow Cache Entries in Dynamic NAT

Flow cache entries are enabled by default when Network Address Translation (NAT) is configured. To disable flow cache entries, use the no ip nat create flow-entries command. Perform this task to disable flow cache entries in the dynamic translation of inside source addresses.


Note

Port Address Translation (PAT) or interface overload configuration, which is a type of dynamic NAT, requires flow cache entries. You cannot disable flow cache entries for PAT configurations.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  4. access-list access-list-number permit source source-wildcard
  5. ip nat inside source list access-list-number pool name
  6. no ip nat create flow-entries
  7. interface type number
  8. ip address ip-address mask
  9. ip nat inside
  10. exit
  11. interface type number
  12. ip address ip-address mask
  13. ip nat outside
  14. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Example:

Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28

Defines a pool of global addresses to be allocated as needed.

Step 4

access-list access-list-number permit source source-wildcard

Example:

Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255

Defines a standard access list that permits IP addresses that are to be translated.

Step 5

ip nat inside source list access-list-number pool name

Example:

Device(config)# ip nat inside source list 1 pool net-208

Establishes a dynamic source translation that references the pool and the access list defined in Steps 3 and 4, respectively.

Step 6

no ip nat create flow-entries

Example:

Device(config)# no ip nat create flow-entries

Disables the creation of flow cache entries.

Step 7

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/1

Specifies an interface and enters interface configuration mode.

Step 8

ip address ip-address mask

Example:

Device(config-if)# ip address 10.114.11.39 255.255.255.0

Sets a primary IP address for the interface.

Step 9

ip nat inside

Example:

Device(config-if)# ip nat inside

Connects the interface to the inside network, which is subject to NAT.

Step 10

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 11

interface type number

Example:

Device(config)# interface gigabitethernet 0/1/1

Specifies an interface and enters interface configuration mode.

Step 12

ip address ip-address mask

Example:

Device(config-if)# ip address 172.16.232.182 255.255.255.240

Sets a primary IP address for an interface.

Step 13

ip nat outside

Example:

Device(config-if)# ip nat outside

Connects an interface to the outside network.

Step 14

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Disabling Flow Cache Entries in Static NAT64

Flow cache entries are enabled by default in NAT. Perform the following task to disable flow cache entries in your stateful Network Address Translation 64 (NAT64) configuration.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 unicast-routing
  4. interface type number
  5. description string
  6. ipv6 enable
  7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
  8. nat64 enable
  9. exit
  10. interface type number
  11. description string
  12. ip address ip-address mask
  13. nat64 enable
  14. exit
  15. nat64 prefix stateful ipv6-prefix/length
  16. nat64 v6v4 static ipv6-address ipv4-address
  17. nat64 settings flow-entries disable
  18. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 unicast-routing

Example:

Device(config)# ipv6 unicast-routing

Enables the forwarding of IPv6 unicast datagrams.

Step 4

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/0

Specifies an interface type and enters interface configuration mode.

Step 5

description string

Example:

Device(config-if)# description interface facing ipv6

Adds a description to an interface configuration.

Step 6

ipv6 enable

Example:

Device(config-if)# ipv6 enable

Enables IPv6 processing on an interface.

Step 7

ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

Example:

Device(config-if)# ipv6 address 2001:DB8:1::1/96

Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

Step 8

nat64 enable

Example:

Device(config-if)# nat64 enable

Enables NAT64 translation on an IPv6 interface.

Step 9

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 10

interface type number

Example:

Device(config)# interface gigabitethernet 1/2/0

Specifies an interface type and enters interface configuration mode.

Step 11

description string

Example:

Device(config-if)# description interface facing ipv4

Adds a description to an interface configuration.

Step 12

ip address ip-address mask

Example:

Device(config-if)# ip address 209.165.201.1 255.255.255.0

Configures an IPv4 address for an interface.

Step 13

nat64 enable

Example:

Device(config-if)# nat64 enable

Enables NAT64 translation on an IPv4 interface.

Step 14

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 15

nat64 prefix stateful ipv6-prefix/length

Example:

Device(config)# nat64 prefix stateful 2001:DB8:1::1/96

Defines the stateful NAT64 prefix to be added to IPv4 hosts to translate the IPv4 address into an IPv6 address.

  • The stateful NAT64 prefix can be configured in global configuration mode or in interface mode.

Step 16

nat64 v6v4 static ipv6-address ipv4-address

Example:

Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1

Enables NAT64 IPv6-to-IPv4 static address mapping.

Step 17

nat64 settings flow-entries disable

Example:

Device(config)# nat64 settings flow-entries disable

Disables flow cache entries in the NAT64 configuration.

Step 18

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Disabling Flow Cache Entries in Static CGN

Flow cache entries are enabled by default when Network Address Translation (NAT) is configured. Perform this task to disable flow cache entries in a static carrier-grade NAT (CGN) configuration.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat settings mode cgn
  4. ip nat inside source static local-ip global-ip
  5. no ip nat create flow-entries
  6. interface virtual-template number
  7. ip nat inside
  8. exit
  9. interface type number
  10. ip nat outside
  11. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ip nat settings mode cgn

Example:

Device(config)# ip nat settings mode cgn

Enables CGN operating mode.

Step 4

ip nat inside source static local-ip global-ip

Example:

Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2

Enables static CGN of the inside source address.

Step 5

no ip nat create flow-entries

Example:

Device(config)# no ip nat create flow-entries

Disables flow cache entries in static CGN mode.

Step 6

interface virtual-template number

Example:

Device(config)# interface virtual-template 1

Creates a virtual template interface, which can be configured and applied dynamically when virtual access interfaces are created, and enters interface configuration mode.

Step 7

ip nat inside

Example:

Device(config-if)# ip nat inside

Connects the interface to the inside network, which is subject to NAT.

Step 8

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 9

interface type number

Example:

Device(config)# interface gigabitethernet 2/1/1

Specifies an interface and enters interface configuration mode.

Step 10

ip nat outside

Example:

Device(config-if)# ip nat outside

Connects an interface to the outside network.

Step 11

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for Disabling Flow Cache Entries in NAT and NAT64

Example: Disabling Flow Cache Entries in Dynamic NAT

Device# configure terminal
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
Device(config)# ip nat inside source list 1 pool net-208
Device(config)# no ip nat create flow-entries
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/1/1
Device(config-if)# ip address 172.16.232.182 255.255.255.240
Device(config-if)# ip nat outside
Device(config-if)# end

Example: Disabling Flow Cache Entries in Static NAT64

The following example shows a static stateful Network Address Translation 64 (NAT64) configuration that disables the creation of flow cache entries:

Device# configure terminal
Device(config)# ipv6 unicast-routing
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# description interface facing ipv6
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Device(config-if)# nat64 enable
Device(config-if)# exit
Device(config)# interface gigabitethernet 1/2/0
Device(config-if)# description interface facing ipv4
Device(config-if)# ip address 209.165.201.1 255.255.255.0
Device(config-if)# nat64 enable
Device(config-if)# exit
Device(config)# nat64 prefix stateful 2001:DB8:1::1/96
Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1
Device(config)# nat64 settings flow-entries disable
Device(config)# end

Example: Disabling Flow Cache Entries in Static CGN

The following example shows a stateful carrier-grade NAT (CGN) configuration that disables the creation of flow cache entries:

Device# configure terminal
Device(config)# ip nat settings mode cgn
Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2
Device(config)# no ip nat create flow-entries
Device(config)# interface virtual-template 1
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 2/1/1
Device(config-if)# ip nat outside
Device(config-if)# end

Additional References for Disabling Flow Cache Entries in NAT and NAT64

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: NAT commands
Document Title: Cisco IOS IP Addressing Services Command Reference

Related Topic: Carrier-grade NAT
Document Title: "Carrier-Grade Network Address Translation" module in IP Addressing NAT Configuration Guide

Related Topic: Stateful NAT64
Document Title: "Stateful Network Address Translation 64" module in IP Addressing NAT Configuration Guide

Related Topic: Stateless NAT64
Document Title: "Stateless Network Address Translation 64" module in IP Addressing NAT Configuration Guide

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/support

Feature Information for Disabling Flow Cache Entries in NAT and NAT64

Table 1. Feature Information for Disabling Flow Cache Entries in NAT and NAT64

Feature Name: Disabling Flow Cache Entries in NAT and NAT64

Releases: Cisco IOS XE Release 3.10S

Feature Information: The Disabling of Flow Cache Entries in NAT and NAT64 feature allows you to disable flow entries for dynamic and static NAT translations. By default, flow entries are created for all Network Address Translation (NAT) translations.

The following commands were introduced or modified: ip nat create flow-entries, nat64 settings flow-entries disable, and show ip nat translations.