On 4/28/20 4:53 PM, William Herrin wrote:
How small is small? Up to a certain size regular NAT with enough logging to trace back abusers will tend to work fine. if we're talking single-digit gbps, it may not be worth the effort to consider the wonderful world of CGNAT.
Depending on how many IPs you need to reclaim and what your target IP:subscriber ratio is, you may be able to eliminate the need for a lot of logging by assigning a range of TCP/UDP ports to a single inside IP so that the TCP/UDP port number implies a specific subscriber. You can't get rid of all the state tracking without also having the CPE know which ports to use (in which case you might as well use LW4o6 or MAP), but at least you can get it down to where you really only need to log (or block and dole out public IPs as needed) port-less protocols. -- Brandon Martin