Understanding CGN - Carrier Grade NAT

Carrier-Grade NAT (CGN) is also known as LSN (Large Scale NAT), and in my opinion it should be called LSN, since there is nothing carrier-grade about it. It is just NAT. With CGN, service providers do NAT44 on the CPE from a private address to another private address (the well-known /10 prefix allocated by IANA for this purpose) and another NAT44 in the service provider network. That's why you hear CGN, LSN, Double NAT, or NAT444; all of them refer to the same thing.

But CGN does not enable IPv6. CGN is a way to work around the IPv4 depletion problem, and a very problematic one. Companies are also buying IPv4 public addresses on the address transfer market. The average cost per IPv4 address is currently around $8-10, and this is likely to increase over time. It would also be wise to expect a much bigger DFZ (default-free zone) routing table by then, because of de-aggregation.

With CGN, IPv4 private addresses are shared among many customers, and traffic from those shared addresses is NATed twice: once on the CPE and once at the CGN node.

Difference between Customer NAT (Residential NAT) and SP NAT (CGN, LSN)

With Residential NAT, a single public IPv4 address represents one household. With SP NAT (CGN, LSN), a single public IPv4 address is shared across multiple households.

With Residential NAT, the 16-bit port space (roughly 65000 TCP and UDP ports) belongs to a single household, but with SP NAT the 16-bit port space of each IP address is shared among multiple households.

CGN can be deployed either inline or offline. Inline deployment is more common in enterprise and residential networks, as all network traffic passes through the NAT box.

Offline CGN removes the NAT from the primary data path and uses source routing mechanisms to steer traffic to the NAT boxes. Offline CGN is the more common deployment model in SP networks.

Carrier-Grade NAT - CGN Advantages

  • It is well-known NAT, performed twice (customer side and SP side); there is no IPv6 learning curve
  • CPE (customer NAT) doesn't need to change
  • CPE doesn’t need to support IPv6

Carrier-Grade NAT - CGN Disadvantages

  • CGN is an IP address sharing solution: many users share the same public IP address, and that brings problems
  • Some applications break; applications that work through a single layer of NAT may not work through two layers of NAT
  • Sharing addresses makes operations/troubleshooting harder
  • How many ports should be assigned to each user? This question is called Port Spray
  • Many websites open 80-100 TCP connections (newspapers), and some apps open hundreds of sessions (Google Maps, etc.)
  • Intense logging is needed for lawful intercept
  • Traceability of users behind Carrier-Grade NAT (CGN) becomes difficult
  • CGN in forwarding path (Inline deployment) becomes a single point of failure
  • Offline CGN deployment requires source routing which creates unnecessary complexity
  • The CGN public IP address gets blacklisted because of address sharing (not every user is innocent)
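As an added example (not part of the original article), the following Python model ties together the port-sharing, Port Spray and traceability points above: one public address carved into fixed per-subscriber port blocks, the second NAT44 stage picking a free port from the subscriber's block (and failing when the subscriber has opened more sessions than the block holds), and an abuse-report lookup that maps a public port back to the subscriber by block arithmetic. The public address, block size and class names are assumptions; 100.64.0.0/10 is the IANA shared address space the article refers to.

```python
from ipaddress import ip_address, ip_network

# Constructed values: RFC 6598 shared space on the CPE side of the CGN, a
# documentation-range public address on the Internet side, fixed port blocks.
SHARED_SPACE = ip_network("100.64.0.0/10")
PORT_FLOOR, PORT_CEIL = 1024, 65535   # well-known ports are never handed out
BLOCK_SIZE = 1024                     # assumption: one fixed block per subscriber


class CGN:
    """Toy NAT444 second stage: one public address, per-subscriber port blocks."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.blocks = {}    # subscriber shared-space addr -> (lo, hi) port range
        self.sessions = {}  # (subscriber, cpe_port) -> public port

    def capacity(self) -> int:
        # Subscribers one public address can carry at this block size (63 here)
        return (PORT_CEIL - PORT_FLOOR + 1) // BLOCK_SIZE

    def allocate_block(self, subscriber_ip: str) -> tuple:
        if ip_address(subscriber_ip) not in SHARED_SPACE:
            raise ValueError("inside address must be in the shared /10")
        if subscriber_ip not in self.blocks:
            idx = len(self.blocks)
            if idx >= self.capacity():
                raise RuntimeError("public address exhausted")
            lo = PORT_FLOOR + idx * BLOCK_SIZE
            self.blocks[subscriber_ip] = (lo, lo + BLOCK_SIZE - 1)
        return self.blocks[subscriber_ip]

    def translate(self, subscriber_ip: str, cpe_port: int):
        """Map (shared addr, CPE port) to (public addr, port); None when the block is full."""
        key = (subscriber_ip, cpe_port)
        if key in self.sessions:
            return self.public_ip, self.sessions[key]
        lo, hi = self.allocate_block(subscriber_ip)
        in_use = {p for (s, _), p in self.sessions.items() if s == subscriber_ip}
        free = next((p for p in range(lo, hi + 1) if p not in in_use), None)
        if free is not None:
            self.sessions[key] = free
            return self.public_ip, free
        return None   # this subscriber opened more sessions than its block holds

    def trace(self, public_ip: str, port: int):
        """Abuse-report lookup: which subscriber held this public port? No session log needed."""
        if public_ip != self.public_ip or port < PORT_FLOOR:
            return None
        idx = (port - PORT_FLOOR) // BLOCK_SIZE
        return next((s for s, (lo, _) in self.blocks.items()
                     if (lo - PORT_FLOOR) // BLOCK_SIZE == idx), None)
```

With fixed blocks, the operator only has to log block assignments rather than every session, which is the trade-off between logging volume and per-subscriber port count that the Port Spray question is about.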
Created by Orhan Ergun

Orhan Ergun, CCIE/CCDE Trainer, Author of Many Networking Books, Network Design Advisor, and Cisco Champion 2019/2020/2021

He created OrhanErgun.Net 10 years ago and has been serving the IT industry with his renowned and awarded training.

He wrote many books, mostly on network design, contributed to many IETF RFCs, gave public talks at many forums, and mentored thousands of students.

Today, with his carefully selected instructors, OrhanErgun.Net is providing IT courses to tens of thousands of IT engineers. 
