Overview
This knowledge base (KB) article provides a high-level overview of Carrier-Grade NAT (CGNAT) and examines whether the CGNAT IP range can be used as a registered network in the Umbrella Dashboard.
What is CGNAT?
Carrier-Grade NAT (CGN or CGNAT), also known as Large-Scale NAT (LSN), is a type of NAT used by Internet Service Providers (ISPs) to extend the lifespan of IPv4 by allowing multiple customers to share a single public IP address. The standards and requirements for CGNAT are defined in RFC 6888.
In practice, ISPs assign addresses from the 100.64.0.0/10 range, the Shared Address Space defined in RFC 6598, to the WAN interfaces of customer routers. Like RFC 1918 private space, this range is not routable on the public Internet; it is used internally by the ISP for its NAT processing, so the customer router's WAN interface carries an address that is only meaningful inside the ISP's network.
Understanding CGNAT: Comparison with Traditional NAT
To better understand CGNAT, let’s compare it with traditional NAT:
1- Traditional NAT:
- In a traditional NAT setup, the WAN interface of the customer’s router is assigned a routable public IPv4 address.
- NAT translates private IP addresses (e.g., RFC 1918 ranges) to the public IP address, enabling multiple devices on the customer's private network to share a single public IP.
- Example:
- Customer A is assigned the public IP 50.40.20.1.
- Customer B is assigned the public IP 50.40.20.2.
- Both customers implement NAT locally on their routers.
2- CGNAT:
- In a CGNAT setup, the WAN interfaces of Customer A and Customer B are assigned IP addresses from the 100.64.0.0/10 range (CGNAT private address space).
- The ISP implements an additional layer of NAT (CGNAT) to translate traffic from the 100.64.x.x range into a shared public IPv4 address.
- Example:
- Customer A is assigned 100.64.1.1, and Customer B is assigned 100.64.1.2.
- Both customers’ traffic is NATed by the ISP's CGNAT device to a shared public IP.
- This approach lets the ISP conserve public IPv4 addresses by serving multiple customers from a single public IP.
CGNAT IPs should not be registered as either static or dynamic networks in the Umbrella Dashboard
Certain service providers, such as Starlink, assign CGNAT IP addresses to the WAN interfaces of their customers’ network devices.
- CGNAT IPs should not be registered as either static or dynamic networks in the Umbrella Dashboard because they are shared among multiple subscribers.
- Registering a CGNAT egress IP would falsely claim ownership of an IP that is used by other customers as well.
- Networks registered with CGNAT IPs will be subject to immediate de-registration.
- Repeated attempts to register CGNAT IPs violate Umbrella’s product terms and may result in further corrective actions.
Starlink does not provide static IPs, as stated in their own documentation.
Public IPs from Starlink cannot be registered either, as they are dynamic and may be part of the CGNAT range. Cisco Umbrella customers using Starlink should consider non-network identity deployment methods such as virtual appliances, roaming clients, or Umbrella-integrated network devices.
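As an added illustration of the registration rule above (this is example code, not part of the original KB article or any Umbrella tooling), the following Python pre-check classifies candidate egress addresses against RFC 6598 and RFC 1918 before they are submitted as network identities; the function names and sample addresses are my own.

```python
import ipaddress

# RFC 6598 Shared Address Space: the block ISPs hand out on CGNAT WAN interfaces.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges, translated by the customer's own router.
RFC1918_RANGES = [
    ipaddress.ip_network(net)
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_egress_ip(addr: str) -> str:
    """Return 'ipv6', 'cgnat', 'rfc1918', 'non-global' or 'public' for addr.

    The CGNAT block is tested explicitly: in Python's ipaddress module,
    100.64.0.0/10 reports neither is_private nor is_global, so relying on
    those flags alone would not identify it.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if ip in CGNAT_RANGE:
        return "cgnat"
    if any(ip in net for net in RFC1918_RANGES):
        return "rfc1918"
    if not ip.is_global:
        return "non-global"  # loopback, link-local, documentation ranges, etc.
    return "public"


def vet_network_registrations(candidates: list[str]) -> dict[str, list[str]]:
    """Split candidate egress IPs into those eligible for registration as a
    network identity and those to reject, each rejection carrying its reason."""
    result: dict[str, list[str]] = {"eligible": [], "rejected": []}
    for addr in candidates:
        kind = classify_egress_ip(addr)
        if kind == "public":
            result["eligible"].append(addr)
        elif kind == "cgnat":
            result["rejected"].append(
                f"{addr}: CGNAT shared address space (RFC 6598), shared with other subscribers")
        else:
            result["rejected"].append(
                f"{addr}: {kind} address, not a routable public IPv4 egress")
    return result


if __name__ == "__main__":
    # Constructed sample: the KB's two example customers plus boundary cases
    # at both ends of the 100.64.0.0/10 block.
    sample = ["50.40.20.1", "100.64.1.1", "100.127.255.255", "100.128.0.0", "192.168.1.1"]
    for line in vet_network_registrations(sample)["rejected"]:
        print("REJECT", line)
```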