Mapping Between Field Values for IPFIX Flow Templates and Logs Exported From an MX Series Router or NFX250

The IETF draft IPFIX Information Elements for logging NAT Events (draft-ietf-behave-ipfix-nat-logging-02) defines IPFIX Information Elements for logging various NAT events. The template format for flow monitoring logs generated for NAT events complies with the templates defined in this draft for logging the following events: NAT44/NAT64 session create/delete, binding information base (BIB) create/delete, address exhaustion, pool exhaustion, quota exceeded, address binding create/delete, and port block allocation and deallocation. The draft also has an extension for NAT64, and logging is supported for both NAT44 and NAT64 events. Apart from the templates defined in this draft, no new user-defined templates are created for logging NAT events.

The following table lists the extensions to the NAT events. The data record contains the corresponding natEvent value to identify the event that is being logged.

| Event Name | Values |
|---|---|
| NAT44 Session create | 1 |
| NAT44 Session delete | 2 |
| NAT Addresses exhausted | 3 |
| NAT64 Session create | 4 |
| NAT64 Session delete | 5 |
| NAT44 BIB create | 6 |
| NAT44 BIB delete | 7 |
| NAT64 BIB create | 8 |
| NAT64 BIB delete | 9 |
| NAT ports exhausted | 10 |
| Quota exceeded | 11 |
| Address binding create | 12 |
| Address binding delete | 13 |
| Port block allocation | 14 |
| Port block deallocation | 15 |

The following table describes the field IDs or values and the corresponding names for IPv6 addresses for IPFIX flows:

| Field ID | Name | Size (Bytes) | Description |
|---|---|---|---|
| 27 | sourceIPv6Address | 16 | IPv6 source address |
| 28 | destinationIPv6Address | 16 | IPv6 destination address |
| 281 | postNATSourceIPv6Address | 16 | Translated source IPv6 address |
| 282 | postNATDestinationIPv6Address | 16 | Translated destination IPv6 address |

The following table describes the field names and whether they are required or not for NAT64 session creation and deletion events:

| Field Name | Size (Bits) | Whether the Field Is Mandatory |
|---|---|---|
| timeStamp | 64 | Yes |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4Address | 128 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | Yes |
| sourceTransportPort | 16 | Yes |
| postNAPTsourceTransportPort | 16 | Yes |
| destinationIPv4Address | 128 | No |
| postNATDestinationIPv4Address | 32 | No |
| destinationTransportPort | 16 | No |
| postNAPTdestinationTransportPort | 16 | No |
| natOriginatingAddressRealm | 8 | No |
| initiatorOctets | 64 | No |
| responderOctets | 64 | No |
| flowEndReason | 8 | No |
| natEvent | 8 | Yes |

A NAT44 session creation template record can contain the following fields. The natEvent field contains a value of 1, which indicates a NAT44 session creation event. An example of such a template is as follows:

| Field Name | Size (Bits) | Value |
|---|---|---|
| timeStamp | 64 | 09:20:10:789 |
| sourceIPv4Address | 32 | 192.168.16.1 |
| postNATSourceIPv4Address | 32 | 192.0.2.100 |
| protocolIdentifier | 8 | TC |
| sourceTransportPort | 16 | 14800 |
| postNAPTsourceTransportPort | 16 | 1024 |
| destinationIPv4Address | 32 | 198.51.100.104 |
| postNATDestinationIPv4Address | 32 | 198.51.100.104 |
| destinationTransportPort | 16 | 80 |
| postNAPTdestinationTransportPort | 16 | 80 |
| natOriginatingAddressRealm | 8 | 0 |
| initiatorOctets | 64 | No |
| responderOctets | 64 | No |
| flowEndReason | 8 | No |
| natEvent | 8 | 1 |

A NAT44 session deletion template record can contain the following fields. The natEvent field contains a value of 2, which indicates a NAT44 session deletion event. An example of such a template is as follows:

| Field Name | Size (Bits) | Value |
|---|---|---|
| timeStamp | 64 | 09:20:10:789 |
| sourceIPv4Address | 32 | 192.168.16.1 |
| postNATSourceIPv4Address | 32 | 192.0.2.100 |
| protocolIdentifier | 8 | TC |
| sourceTransportPort | 16 | 14800 |
| postNAPTsourceTransportPort | 16 | 1024 |
| destinationIPv4Address | 32 | 198.51.100.104 |
| postNATDestinationIPv4Address | 32 | 198.51.100.104 |
| destinationTransportPort | 16 | 80 |
| postNAPTdestinationTransportPort | 16 | 80 |
| natOriginatingAddressRealm | 8 | 0 |
| natEvent | 8 | 2 |

To support all session termination reasons on NAT, the existing flowEndReason information element is extended. A new CLI command, session-end-reason, is introduced to configure flowEndReason to be a part of the J-Flow IPFIX template.

If the command is not configured or is configured as default, flowEndReason exports the default set information to fill in the data records. If the command is configured as custom, flowEndReason exports the custom set information to fill in the data records.

The following table lists the set of session termination values that can be exported:

Table 1: Session Termination Values

| Session Close Reason | Session Close Reason String | Scenarios/Remark | Custom Set Values | Default Set Values |
|---|---|---|---|---|
| NAT_SESSION_CREATION | idle Timeout | When any session times out | 0x01 | 0x01 |
| NAT_SESSION_CLOSE_TCP_CLIENT_RST | TCP CLIENT RST | Receives a TCP packet from the client with the RST flag set | 0x13 | 0xFF |
| NAT_SESSION_CLOSE_TCP_SERVER_RST | TCP SERVER RST | Receives a TCP packet from the server with the RST flag set | 0x23 | 0xFF |
| NAT_SESSION_CLOSE_TCP_FIN | TCP FIN | Receives a FIN packet | 0x03 | 0x03 |
| NAT_SESSION_CLOSE_ICMP_ERR | ICMP Error | Receiving an ICMP error packet in the fast path. ICMP-related error messages mentioned below | 0x10 | 0xFF |
| NAT_SESSION_CLOSE_NSRP | HA | Create a NAT session on the active router. Then switch to the backup router manually or by bringing down the PIC on the active router. Wait for the switchover and send traffic. Ensure the session is synchronized. Now close the session. | 0x20 | 0xFF |
| NAT_SESSION_CLOSE_POLICY_DELETE | policy delete | When you delete the policy rematch configuration with an active session | 0x50 | 0xFF |
| NAT_SESSION_CLOSE_POLICY_UPDATE | policy update | When you update the policy rematch configuration with an active session | 0x60 | 0xFF |
| NAT_SESSION_CLOSE_JSF_PLUGIN | application failure or action | It is a very rare scenario and would be difficult to simulate. Please don’t have a test case for this. | 0x70 | 0xFF |
| NAT_SESSION_CLOSE_IFP_ZONECHANGED_SSCAN | session interface zone changed | When a redundancy switchover happens on an AMS interface | 0x80 | 0xFF |
| NAT_SESSION_CLOSE_CLI | CLI | Force clear the session | 0x04 | 0x04 |
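
The following added example, which is not from the original page or from Juniper, decodes a NAT44 session record laid out as in the session create table above and maps natEvent and flowEndReason to the names in the tables, showing how the default set collapses most close reasons into 0xFF. The field order, the integer encoding of timeStamp, protocol number 6 for the page's "TC" value, and the names `decode_record` and `build_sample` are assumptions.

```python
import ipaddress
import struct

# (name, bits) in the order of the page's NAT44 session-create table.
# Assumption: a real collector takes order and lengths from the received template.
NAT44_FIELDS = [
    ("timeStamp", 64), ("sourceIPv4Address", 32),
    ("postNATSourceIPv4Address", 32), ("protocolIdentifier", 8),
    ("sourceTransportPort", 16), ("postNAPTsourceTransportPort", 16),
    ("destinationIPv4Address", 32), ("postNATDestinationIPv4Address", 32),
    ("destinationTransportPort", 16), ("postNAPTdestinationTransportPort", 16),
    ("natOriginatingAddressRealm", 8), ("initiatorOctets", 64),
    ("responderOctets", 64), ("flowEndReason", 8), ("natEvent", 8),
]
NAT_EVENTS = {1: "NAT44 Session create", 2: "NAT44 Session delete"}
# flowEndReason values from Table 1; the default set folds most reasons into 0xFF.
CUSTOM_SET = {0x01: "idle Timeout", 0x13: "TCP CLIENT RST", 0x23: "TCP SERVER RST",
              0x03: "TCP FIN", 0x10: "ICMP Error", 0x20: "HA", 0x50: "policy delete",
              0x60: "policy update", 0x70: "application failure or action",
              0x80: "session interface zone changed", 0x04: "CLI"}
DEFAULT_SET = {0x01: "idle Timeout", 0x03: "TCP FIN", 0x04: "CLI",
               0xFF: "other (only distinguished in the custom set)"}

def decode_record(data, custom_set=False):
    """Decode one fixed-length NAT44 session record into a dict."""
    need = sum(bits for _, bits in NAT44_FIELDS) // 8
    if len(data) != need:
        raise ValueError(f"expected {need} bytes, got {len(data)}")
    rec, off = {}, 0
    for name, bits in NAT44_FIELDS:
        size = bits // 8
        value = int.from_bytes(data[off:off + size], "big")  # network byte order
        is_addr = name.endswith("IPv4Address")
        rec[name] = str(ipaddress.IPv4Address(value)) if is_addr else value
        off += size
    rec["natEventName"] = NAT_EVENTS.get(rec["natEvent"], "unknown")
    reasons = CUSTOM_SET if custom_set else DEFAULT_SET
    rec["closeReason"] = reasons.get(rec["flowEndReason"], "unknown")
    return rec

def build_sample(reason):
    """Constructed session-delete record built from the page's example values."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    return struct.pack("!QIIBHHIIHHBQQBB", 1700000000789,  # timestamp is made up
                       ip("192.168.16.1"), ip("192.0.2.100"), 6,  # 6 = TCP, assumed
                       14800, 1024, ip("198.51.100.104"), ip("198.51.100.104"),
                       80, 80, 0, 0, 0, reason, 2)

if __name__ == "__main__":
    print(decode_record(build_sample(0x13), custom_set=True))
```

With the default set, a client reset, a policy change and an HA switchover all arrive as 0xFF, so the custom set is the one to configure when close reasons matter for investigation.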