Manual Chapter : Using Deterministic Mode to Simplify Logging

Applies To:


BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About deterministic address translation mode

Deterministic address translation mode eliminates the need to log every address mapping, while still allowing an internal client address to be identified using only the external address and port together with the destination address and port. Reverse mapping allows BIG-IP® CGNAT operators to respond to legal requests that require revealing the identity of the originator of a specific communication. A typical example is revealing the identity of file sharers or P2P network users accused of copyright theft.

Deterministic mode allows unique identification of an internal client address based on:

  • External address and port (the address and port visible to the destination server)
  • Destination address and port (the service accessed by the client)
  • Time

Restrictions

Deterministic mode has these configuration restrictions:

  • Only NAT44 can use deterministic mode.
  • The subscriber (client-side) and Internet (server-side) interfaces (VLANs) must have their CMP Hash setting set to either Source or Destination (Source on the subscriber-side VLAN, Destination on the Internet-side VLAN).
  • The complete set of all internal client addresses that will ever communicate through the CGNAT must be entered at configuration time.
    Note: This means that all virtual servers referring to an LSN pool through deterministic NAT mode must specify the source attribute with a value other than 0.0.0.0/0 or ::/0 (any/0, any6/0).
  • Use only the most specific address prefixes covering all customer addresses.
  • Members of two or more deterministic LSN pools must not overlap; in other words, every external address used for deterministic mapping must occur in only one LSN pool.
  • Deterministic mode does not support IPFIX.

Simplified logging

As an alternative to per-connection logging, deterministic mode maps internal addresses to external addresses algorithmically, so the mapping can be recalculated at any time without a log of each connection. Deterministic mode therefore significantly reduces the logging burden while still associating a subscriber's inside IP address with an outside Internet address and port.

To decipher the mappings generated by LSN pools using deterministic mode, you must use the DNAT utility, which can be run from the system's tmsh command prompt.
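As an added illustration of the algorithmic mapping described above (example code written for this chapter, not F5's DNAT utility and not the mapping algorithm the BIG-IP system actually uses), the following Python models a deterministic NAT44 pool. It enforces two of the restrictions listed earlier, that pool members must not overlap and that the complete set of internal addresses must be known at configuration time, then gives every internal address a fixed port block on one external address and reverses an external address and port back to the internal address without any per-connection record. The internal prefix 10.10.10.0/24 (the page's own overlap example), the external member 203.0.113.0/30 and the port range are constructed sample values, and the port-block layout is a hypothetical scheme chosen only to show the idea.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample configuration (hypothetical values, not an F5 algorithm):
INTERNAL_PREFIX = "10.10.10.0/24"        # complete set of subscriber addresses
EXTERNAL_MEMBERS = ["203.0.113.0/30"]    # deterministic LSN pool members
PORT_RANGE = (1024, 65535)               # translated ports handed to subscribers


def validate_members(members: List[str]) -> List[ipaddress.IPv4Network]:
    """Reject a member list whose prefixes overlap (e.g. 10.10.10.0/24 and /23)."""
    nets = [ipaddress.ip_network(m, strict=True) for m in members]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"pool members overlap: {a} and {b}")
    return nets


class DeterministicNat44:
    """Toy deterministic NAT44: each internal address owns one fixed port block on
    one external address, so the mapping is computable in both directions."""

    def __init__(self, internal_prefix: str, external_members: List[str],
                 port_range: Tuple[int, int] = PORT_RANGE) -> None:
        # Every internal address must be enumerated up front (page restriction).
        self.internal = list(ipaddress.ip_network(internal_prefix))
        self.external = [ip for net in validate_members(external_members) for ip in net]
        self.port_min, self.port_max = port_range
        ports_per_ext = self.port_max - self.port_min + 1
        # Share the whole external port space evenly among the internal addresses.
        self.block_size = (ports_per_ext * len(self.external)) // len(self.internal)
        if self.block_size < 1:
            raise ValueError("not enough external ports for the internal prefix")
        # Blocks never straddle two external addresses, so reverse lookup stays simple.
        self.blocks_per_ext = ports_per_ext // self.block_size
        if self.blocks_per_ext * len(self.external) < len(self.internal):
            raise ValueError("port blocks do not fit without straddling addresses")

    def forward(self, internal_ip: str) -> Tuple[str, int, int]:
        """Internal address -> (external address, first port, last port)."""
        idx = self.internal.index(ipaddress.ip_address(internal_ip))
        ext = self.external[idx // self.blocks_per_ext]
        start = self.port_min + (idx % self.blocks_per_ext) * self.block_size
        return str(ext), start, start + self.block_size - 1

    def reverse(self, external_ip: str, port: int) -> str:
        """(external address, port) -> internal address, or LookupError if unmapped."""
        ext_idx = self.external.index(ipaddress.ip_address(external_ip))
        if not self.port_min <= port <= self.port_max:
            raise LookupError(f"port {port} is outside the translated range")
        block = (port - self.port_min) // self.block_size
        if block >= self.blocks_per_ext:
            raise LookupError(f"port {port} falls in unused slack on {external_ip}")
        idx = ext_idx * self.blocks_per_ext + block
        if idx >= len(self.internal):
            raise LookupError(f"{external_ip}:{port} is not assigned to any subscriber")
        return str(self.internal[idx])


if __name__ == "__main__":
    nat = DeterministicNat44(INTERNAL_PREFIX, EXTERNAL_MEMBERS)
    print("block size:", nat.block_size, "ports per subscriber")
    print("10.10.10.65 ->", nat.forward("10.10.10.65"))
    print("203.0.113.1:2500 <-", nat.reverse("203.0.113.1", 2500))
```

Because every answer depends only on the pool configuration, the only events worth logging are configuration changes, each with a timestamp; that is the "Time" item in the identification list above, since a request naming an external address and port is answered against the configuration in force at that moment. This toy scheme uses only the external address and port; the page also lists the destination address and port, which the real DNAT utility consumes and this simplification leaves out.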

Task summary

Creating a deterministic LSN pool

The CGNAT module must be provisioned before you can configure LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. For the Mode setting, select Deterministic for the pool's translation.
    Note that deterministic mode does not support DS-lite tunneling or NAT64.
  5. In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. For deterministic mode, the Backup Member List must have at least one member, so type an address in the Address/Prefix Length field and click Add.
  7. Click Finished.
Your deterministic LSN pool is now ready, and you can continue to configure your CGNAT.

Creating a VLAN for NAT

VLANs represent a collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
  6. From the Configuration list, select Advanced.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  8. In the MTU field, retain the default number of bytes (1500).
  9. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe box.
  10. From the Auto Last Hop list, select a value.
  11. From the CMP Hash list, select Source if this VLAN is the subscriber side or Destination if this VLAN is the Internet side.
  12. To enable the DAG Round Robin setting, select the check box.
  13. Click Finished.
    The screen refreshes and displays the new VLAN in the list.
You now have one of two VLANs for your deterministic NAT. Repeat these steps to create a second VLAN to act as the destination if the first VLAN is the source or vice versa.

Creating a virtual server for an LSN pool

Virtual servers are matched based on source (client) addresses. Define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Servers screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Performance (Layer 4).
  5. For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  8. For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
  9. In the Resources area of the screen, for the iRules setting, select the name of the iRule that you want to assign and, using the Move button, move the name from the Available list to the Enabled list.
  10. Click Finished.
The custom CGNAT virtual server now appears in the CGNAT Virtual Servers list.