Applies To: BIG-IP LTM 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Using Deterministic Mode to Simplify Logging
About deterministic address translation mode
Deterministic address translation mode eliminates the need to log every address mapping while still allowing an internal client address to be identified from only an external address and port together with a destination address and port. This reverse mapping allows BIG-IP® CGNAT operators to respond to lawful requests to reveal the identity of the originator of a specific communication. A typical example is revealing the identity of file sharers or P2P network users accused of copyright theft.
Deterministic mode allows unique identification of an internal client address based on:
- External address and port (the address and port visible to the destination server)
- Destination address and port (the service accessed by the client)
- Time
Restrictions
Deterministic mode has these configuration restrictions:
- Only NAT44 can use deterministic mode.
- The CMP Hash setting of the subscriber-side (client) and Internet-side (server) VLANs must be set to either Source Address or Destination Address.
- The complete set of all internal client addresses that will ever communicate through the CGNAT must be entered at configuration time.
Note: This means that every virtual server that refers to an LSN pool in deterministic NAT mode must specify a source attribute with a value other than 0.0.0.0/0 or ::/0 (any/0, any6/0).
- Use only the most specific address prefixes covering all customer addresses.
- Members of two or more deterministic LSN pools must not overlap; in other words, every external address used for deterministic mapping must occur in only one LSN pool.
- Deterministic mode does not support IPFIX.
Simplified logging
As an alternative to per-connection logging, deterministic mode maps each internal address to an external address and port block algorithmically, so the mapping can be recomputed at any time rather than looked up in a connection log. This significantly reduces the logging burden while still associating a subscriber's inside IP address with an outside Internet address and port.
To decipher a mapping generated by an LSN pool in deterministic mode, use the DNAT utility, which runs from the system's tmsh command prompt.
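The following is an added, simplified model of the idea behind deterministic NAT44 and is not F5's DNAT algorithm or code; it assumes a constructed internal prefix, two external addresses and a fixed port range (all hypothetical values), gives every subscriber a static port block so a mapping can be computed forward and in reverse without a connection log, and includes a check for the non-overlapping-pool restriction listed above. Because the blocks are static, this model needs only the external address and port to reverse a mapping; time matters only when the configuration itself changes.

```python
from ipaddress import ip_address, ip_network
from math import ceil

# Constructed sample configuration (not a BIG-IP config): one internal
# subscriber prefix, two external (LSN pool) addresses, one port range.
INTERNAL = [ip_network("10.0.0.0/26")]               # 64 subscribers
EXTERNAL = [ip_address("203.0.113.10"), ip_address("203.0.113.11")]
PORT_LO, PORT_HI = 1024, 65535

class DeterministicNat:
    """Toy deterministic NAT44: subscriber i always gets the same external
    address and the same contiguous port block, so reversing a mapping is
    a calculation rather than a log lookup."""

    def __init__(self, internal, external, port_lo=PORT_LO, port_hi=PORT_HI):
        # The full subscriber set is fixed at configuration time (see the
        # restriction above); addresses are enumerated in prefix order.
        self.subs = [a for net in internal for a in net]
        self.ext = list(external)
        self.port_lo = port_lo
        ports_per_addr = port_hi - port_lo + 1
        self.subs_per_addr = ceil(len(self.subs) / len(self.ext))
        self.block = ports_per_addr // self.subs_per_addr  # ports per subscriber

    def forward(self, internal_ip):
        """Internal address -> (external address, first port, last port)."""
        i = self.subs.index(ip_address(internal_ip))
        addr = self.ext[i // self.subs_per_addr]
        lo = self.port_lo + (i % self.subs_per_addr) * self.block
        return str(addr), lo, lo + self.block - 1

    def reverse(self, external_ip, port):
        """External address + port -> internal address, computed, not logged."""
        slot = (port - self.port_lo) // self.block
        if port < self.port_lo or slot >= self.subs_per_addr:
            raise ValueError("port outside the deterministic range")
        i = self.ext.index(ip_address(external_ip)) * self.subs_per_addr + slot
        if i >= len(self.subs):
            raise ValueError("no subscriber assigned to this block")
        return str(self.subs[i])

def pools_overlap(*pools):
    """True if any external address occurs in more than one LSN pool,
    which the deterministic-mode restrictions above forbid."""
    seen = set()
    for pool in pools:
        for addr in pool:
            a = ip_address(addr)
            if a in seen:
                return True
            seen.add(a)
    return False
```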