Mapping Between Field Values for IPFIX Flow Templates and Logs Exported From an MX Series Router or NFX250
An IETF draft defining IPFIX Information Elements for logging NAT events is available as IPFIX Information Elements for logging NAT Events (draft-ietf-behave-ipfix-nat-logging-02). The flow monitoring template format for logs generated for NAT events complies with the templates defined in this draft for logging NAT44/NAT64 session create/delete, binding information base (BIB) create/delete, address exhaustion, port exhaustion, quota exceeded, address binding create/delete, and port block allocation and deallocation events. The draft also has an extension for NAT64. Support is implemented for logging events for both NAT44 and NAT64. Apart from the templates defined in this draft, no new user-defined templates are created for logging NAT events.
The following table lists the NAT event types. The data record contains the corresponding natEvent value to identify the event that is being logged.
| Event Name | Value |
|---|---|
| NAT44 Session create | 1 |
| NAT44 Session delete | 2 |
| NAT Addresses exhausted | 3 |
| NAT64 Session create | 4 |
| NAT64 Session delete | 5 |
| NAT44 BIB create | 6 |
| NAT44 BIB delete | 7 |
| NAT64 BIB create | 8 |
| NAT64 BIB delete | 9 |
| NAT ports exhausted | 10 |
| Quota exceeded | 11 |
| Address binding create | 12 |
| Address binding delete | 13 |
| Port block allocation | 14 |
| Port block deallocation | 15 |
The following table describes the field IDs and the corresponding names and sizes of the IPv6 address fields used in IPFIX flows:

| Field ID | Name | Size (Bytes) | Description |
|---|---|---|---|
| 27 | sourceIPv6Address | 16 | IPv6 source address |
| 28 | destinationIPv6Address | 16 | IPv6 destination address |
| 281 | postNATSourceIPv6Address | 16 | Translated source IPv6 address |
| 282 | postNATDestinationIPv6Address | 16 | Translated destination IPv6 address |
The following table describes the field names and whether each field is mandatory for NAT64 session creation and deletion events:

| Field Name | Size (Bits) | Mandatory |
|---|---|---|
| timeStamp | 64 | Yes |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4Address | 128 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | Yes |
| sourceTransportPort | 16 | Yes |
| postNAPTsourceTransportPort | 16 | Yes |
| destinationIPv4Address | 128 | No |
| postNATDestinationIPv4Address | 32 | No |
| destinationTransportPort | 16 | No |
| postNAPTdestinationTransportPort | 16 | No |
| natOriginatingAddressRealm | 8 | No |
| initiatorOctets | 64 | No |
| responderOctets | 64 | No |
| flowEndReason | 8 | No |
| natEvent | 8 | Yes |
A NAT44 session creation template record can contain the following fields. The natEvent field contains a value of 1, which indicates a NAT44 session creation event. An example of such a template is as follows:

| Field Name | Size (Bits) | Value |
|---|---|---|
| timeStamp | 64 | 09:20:10:789 |
| sourceIPv4Address | 32 | 192.168.16.1 |
| postNATSourceIPv4Address | 32 | 192.0.2.100 |
| protocolIdentifier | 8 | TC |
| sourceTransportPort | 16 | 14800 |
| postNAPTsourceTransportPort | 16 | 1024 |
| destinationIPv4Address | 32 | 198.51.100.104 |
| postNATDestinationIPv4Address | 32 | 198.51.100.104 |
| destinationTransportPort | 16 | 80 |
| postNAPTdestinationTransportPort | 16 | 80 |
| natOriginatingAddressRealm | 8 | 0 |
| initiatorOctets | 64 | No |
| responderOctets | 64 | No |
| flowEndReason | 8 | No |
| natEvent | 8 | 1 |
A NAT44 session deletion template record can contain the following fields. The natEvent field contains a value of 2, which indicates a NAT44 session deletion event. An example of such a template is as follows:

| Field Name | Size (Bits) | Value |
|---|---|---|
| timeStamp | 64 | 09:20:10:789 |
| sourceIPv4Address | 32 | 192.168.16.1 |
| postNATSourceIPv4Address | 32 | 192.0.2.100 |
| protocolIdentifier | 8 | TC |
| sourceTransportPort | 16 | 14800 |
| postNAPTsourceTransportPort | 16 | 1024 |
| destinationIPv4Address | 32 | 198.51.100.104 |
| postNATDestinationIPv4Address | 32 | 198.51.100.104 |
| destinationTransportPort | 16 | 80 |
| postNAPTdestinationTransportPort | 16 | 80 |
| natOriginatingAddressRealm | 8 | 0 |
| natEvent | 8 | 2 |
To support all session termination reasons on NAT, the existing flowEndReason information element is extended. A new CLI command, session-end-reason, is introduced to configure flowEndReason as part of the J-Flow IPFIX template. If the CLI command is not configured, or is configured as default, flowEndReason exports the default set of values in the data records. If the CLI command is configured as custom, flowEndReason exports the custom set of values in the data records.

The following table lists the set of session termination values that can be exported:
| Session Close Reason | Session Close Reason String | Scenario/Remark | Custom Set Value | Default Set Value |
|---|---|---|---|---|
| NAT_SESSION_CREATION | idle Timeout | When any session times out | 0x01 | 0x01 |
| NAT_SESSION_CLOSE_TCP_CLIENT_RST | TCP CLIENT RST | A TCP packet with the RST flag set is received from the client | 0x13 | 0xFF |
| NAT_SESSION_CLOSE_TCP_SERVER_RST | TCP SERVER RST | A TCP packet with the RST flag set is received from the server | 0x23 | 0xFF |
| NAT_SESSION_CLOSE_TCP_FIN | TCP FIN | A FIN packet is received | 0x03 | 0x03 |
| NAT_SESSION_CLOSE_ICMP_ERR | ICMP Error | An ICMP error packet is received in the fast path (the ICMP-related error messages mentioned below) | 0x10 | 0xFF |
| NAT_SESSION_CLOSE_NSRP | HA | Create a NAT session on the active router. Switch to the backup router, either manually or by bringing down the PIC on the active router. Wait for the switchover and send traffic. Ensure the session is synchronized, then close the session. | 0x20 | 0xFF |
| NAT_SESSION_CLOSE_POLICY_DELETE | policy delete | When you delete the policy rematch configuration while a session is active | 0x50 | 0xFF |
| NAT_SESSION_CLOSE_POLICY_UPDATE | policy update | When you update the policy rematch configuration while a session is active | 0x60 | 0xFF |
| NAT_SESSION_CLOSE_JSF_PLUGIN | application failure or action | A very rare scenario that is difficult to simulate; do not create a test case for it | 0x70 | 0xFF |
| NAT_SESSION_CLOSE_IFP_ZONECHANGED_SSCAN | session interface zone changed | When a redundancy switchover occurs on an AMS interface | 0x80 | 0xFF |
| NAT_SESSION_CLOSE_CLI | CLI | The session is force-cleared | 0x04 | 0x04 |
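As an added example (not part of this documentation and not Juniper's own code), the following Python encodes and decodes a NAT44 session create/delete data record using the fields of the NAT44 session template above, and maps the natEvent and flowEndReason codes to their names from the tables on this page, honouring the difference between the default and custom session-end-reason sets. It assumes a constructed big-endian layout that follows the field order of the NAT44 session template (octet counters omitted) with flowEndReason as an optional trailing byte; a real collector takes the layout from the IPFIX template record it receives.

```python
import struct
from ipaddress import IPv4Address

# natEvent values from the event table on this page
NAT_EVENTS = {1: "NAT44 Session create", 2: "NAT44 Session delete", 3: "NAT Addresses exhausted",
              4: "NAT64 Session create", 5: "NAT64 Session delete", 6: "NAT44 BIB create",
              7: "NAT44 BIB delete", 8: "NAT64 BIB create", 9: "NAT64 BIB delete",
              10: "NAT ports exhausted", 11: "Quota exceeded", 12: "Address binding create",
              13: "Address binding delete", 14: "Port block allocation", 15: "Port block deallocation"}
# flowEndReason code -> reason string for the session-end-reason custom set
FLOW_END_CUSTOM = {0x01: "idle Timeout", 0x13: "TCP CLIENT RST", 0x23: "TCP SERVER RST",
                   0x03: "TCP FIN", 0x10: "ICMP Error", 0x20: "HA", 0x50: "policy delete",
                   0x60: "policy update", 0x70: "application failure or action",
                   0x80: "session interface zone changed", 0x04: "CLI"}
# the default set only distinguishes idle timeout, TCP FIN and CLI; every other reason is 0xFF
FLOW_END_DEFAULT = {0x01: "idle Timeout", 0x03: "TCP FIN", 0x04: "CLI", 0xFF: "other"}

# Assumed big-endian layout: the NAT44 session template fields in the order shown above
# (octet counters omitted), with flowEndReason as an optional trailing byte.
_FMT = ">QIIBHHIIHHBB"
FIELDS = ("timeStamp", "sourceIPv4Address", "postNATSourceIPv4Address", "protocolIdentifier",
          "sourceTransportPort", "postNAPTsourceTransportPort", "destinationIPv4Address",
          "postNATDestinationIPv4Address", "destinationTransportPort",
          "postNAPTdestinationTransportPort", "natOriginatingAddressRealm", "natEvent")
ADDR_FIELDS = {f for f in FIELDS if f.endswith("IPv4Address")}

def encode_nat44_record(values, flow_end_reason=None):
    # pack a field-name dict (addresses as dotted quads) into a data record
    raw = [int(IPv4Address(values[f])) if f in ADDR_FIELDS else values[f] for f in FIELDS]
    data = struct.pack(_FMT, *raw)
    return data + bytes([flow_end_reason]) if flow_end_reason is not None else data

def decode_nat44_record(data, end_reason_set="default"):
    # unpack a record and translate the natEvent / flowEndReason codes to their names
    base = struct.calcsize(_FMT)
    rec = dict(zip(FIELDS, struct.unpack(_FMT, data[:base])))
    for f in ADDR_FIELDS:
        rec[f] = str(IPv4Address(rec[f]))
    rec["natEventName"] = NAT_EVENTS.get(rec["natEvent"], "unknown")
    if len(data) > base:  # flowEndReason is exported only when session-end-reason is configured
        table = FLOW_END_CUSTOM if end_reason_set == "custom" else FLOW_END_DEFAULT
        rec["flowEndReason"] = data[base]
        rec["flowEndReasonName"] = table.get(data[base], "unknown")
    return rec

# Constructed sample: the NAT44 session example above, with a made-up epoch-millisecond timestamp
SAMPLE = {"timeStamp": 1700000000789, "sourceIPv4Address": "192.168.16.1",
          "postNATSourceIPv4Address": "192.0.2.100", "protocolIdentifier": 6,
          "sourceTransportPort": 14800, "postNAPTsourceTransportPort": 1024,
          "destinationIPv4Address": "198.51.100.104", "postNATDestinationIPv4Address": "198.51.100.104",
          "destinationTransportPort": 80, "postNAPTdestinationTransportPort": 80, "natOriginatingAddressRealm": 0, "natEvent": 1}
```

Decoding a deletion record with an unexpected code (for example 0x13 while the collector assumes the default set) yields "unknown", which is a useful signal that the router's session-end-reason setting and the collector's mapping disagree.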