Manual Chapter : Using PBA Mode to Reduce CGNAT Logging

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Using PBA Mode to Reduce CGNAT Logging

Overview: Using PBA mode to reduce CGNAT logging

Port block allocation (PBA) mode is a translation mode option that reduces CGNAT logging, by logging only the allocation and release of each block of ports. When a subscriber first establishes a network connection, the BIG-IP® system reserves a block of ports on a single IP address for that subscriber. The system releases the block when no more connections are using it. This reduces the logging overhead because the CGNAT logs only the allocation and release of each block of ports.

About PBA address translation mode

Port Block Allocation (PBA) mode provides you with the ability to log only the allocation and release of port blocks for a subscriber, instead of separately logging each network address translation (NAT) session as a separate translation event, as with network address and port translation (NAPT), thus reducing the number of log entries while maintaining legal mapping and reverse mapping requirements.

Restrictions

Configuration restrictions for PBA mode include these constraints.

  • PBA mode is compatible only with SP-DAG. If a VLAN is used that is not compatible with SP-DAG, then NAPT mode becomes active and an error is logged.
  • You can configure overlapping LSN prefixes only between pools of the same type, to ensure correct reverse mapping from a translation address and port to a subscriber.
  • The system allocates one primary port block for each subscriber, with the allocation of an additional overflow port block, as necessary.
  • The Client Connection Limit value constrains the number of subscriber connections, preventing any one subscriber from using an excessive number of connections.
  • PBA mode is available with NAT44, NAT64, and DS-Lite.

Behavior Characteristics

PBA mode manages connections by means of the following characteristics.

  • A zombie port block, which is a port block that has reached the Block Lifetime limit but cannot be released due to active connections, is released when all active connections become inactive, or when the Zombie Timeout value is reached.
  • Port allocation within an active port block occurs until all available ports become allocated, or until the Block Lifetime limit is exceeded.
  • The Block Idle Timeout value specifies the period between when the last connection using a port block is freed and when the port block can be reused.

Reduced Logging

When you use PBA mode, a log entry is sent when a block of ports is allocated for a subscriber, and again when a block of ports is released. Log entries include the range of ports (that is, the port block) from the start port through the end port. Several logging destinations are available for PBA mode, including Syslog, Splunk, and IPFIX.

About configuring PBA mode with route domains

Port block allocation (PBA) mode can be used with route domains to configure multiple subscriber networks in separate route domains. You can also partition subscriber networks and the Internet by using route domains.

A route domain that is used for the translation entry is not the subscriber route domain. The subscriber route domain is, instead, applied to the egress interface.

In the following configuration, multiple subscribers can connect to servers in Internet route domain 0. The BIG-IP® system allocates, to each subscriber, available port blocks from Internet route domain 0 that include unique addresses and ports.

Multiple subscriber networks connecting to Internet servers in Internet Route Domain     0

Multiple subscriber networks connecting to Internet servers in Internet Route Domain 0

In the next configuration, multiple subscribers can connect to servers in respective Internet route domains. The BIG-IP system allocates available port blocks from the respective Internet route domain to the corresponding subscriber. Allocated port blocks can differ only by route domain, and use identical address and port ranges; consequently, for this configuration, a service provider must provide a means to distinguish the connections of different route domains, as necessary.

Multiple subscriber networks connecting to Internet servers in separate Internet route     domains

Multiple subscriber networks connecting to Internet servers in separate Internet route domains

PBA log examples

Following are some examples of the elements that comprise a typical Port Block Allocation (PBA) mode log entry.

NAT44 HSL example

PBA log messages include several elements of interest. The following examples show typical log messages, and the table describes common information types.

Jul 23 09:33:42 www.siterequest.com "LSN_PB_ALLOCATED""10.10.10.1""5.5.5.9: 5555-6666"
Jul 23 09:33:42 www.siterequest.com "LSN_PB_RELEASED""10.10.10.1""5.5.5.9: 5555-6666"
Jul 23 09:33:42 www.siterequest.com "LSN_PB_ALLOCATED""10.10.10.1%55""5.5.5.9%22: 5555-6666"
Jul 23 09:33:42 www.siterequest.com "LSN_PB_RELEASED""10.10.10.1%55""5.5.5.9%22: 5555-6666"
Jul 23 10:46:31 www.siterequest.com "LSN_PB_ALLOCATED""2701: :200""5.5.5.9:5555-6666"
Jul 23 10:46:31 www.siterequest.com "LSN_PB_RELEASED""2701: :200""5.5.5.9:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_ALLOCATED""2701: :200%11""5.5.5.9%22:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_RELEASED""2701: :200%11""5.5.5.9%22:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_ALLOCATED""2701: :200""5.5.5.9:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_RELEASED""2701: :200"5.5.5.9:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_ALLOCATED""2701: :200%33""5.5.5.9%22:5555-6666"
Jul 23 09:36:33 www.siterequest.com "LSN_PB_RELEASED""2701: :200%33""5.5.5.9%22:5555-6666"
Jul 23 10:56:13 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_client="10.10.10.1",lsn_pb="5.5.5.9: 5555-6666"
Jul 23 10:56:13 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_client="10.10.10.1",lsn_pb="5.5.5.9: 5555-6666"
Jul 23 10:56:13 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_client="10.10.10.1%55",lsn_pb="5.5.5.9%22: 5555-6666"
Jul 23 10:56:13 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_client="10.10.10.1%55",lsn_pb="5.5.5.9%22: 5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_dslite_client="2701: :200",lsn_pb="5.5.5.9:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_dslite_client="2701: :200",lsn_pb="5.5.5.9:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_dslite_client="2701: :200%11",lsn_pb="5.5.5.9%22:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_dslite_client="2701: :200%11",lsn_pb="5.5.5.9%22:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_client="2701: :200",lsn_pb="5.5.5.9:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_client="2701: :200",lsn_pb="5.5.5.9:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_ALLOCATED",lsn_client="2701: :200%33",lsn_pb="5.5.5.9%22:5555-6666"
Jul 23 10:57:08 www.siterequest.com lsn_event="LSN_PB_RELEASED",lsn_client="2701: :200%33",lsn_pb="5.5.5.9%22:5555-6666"
Information Type Example Value Description
Timestamp Jul 23 10:57:08 Specifies the time and date that the system logged the event message.
Domain name www.siterequest.com Specifies the domain name of the client.
LSN event lsn_event="LSN_PB_ALLOCATED"; lsn_event="LSN_PB_RELEASED" Specifies the allocation or release of the port block.
Client address 10.10.10.1; 10.10.10.1%55; 2701: :200; 2701: :200%33; lsn_client="10.10.10.1"; lsn_client="10.10.10.1%55"; lsn_dslite_client="2701: :200"; lsn_dslite_client="2701: :200%11" Specifies the address of the client.
Port block address 5.5.5.9; 5.5.5.9%22 Specifies the address of the port block.
Port range start 5555 Specifies the start of the port range.
Port range end 6666 Specifies the end of the port range.

Task summary

Creating a PBA LSN pool

  • The CGNAT module must be provisioned before LSN pools can be configured.
  • Before associating a LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP® system.
You configure Large Scale NAT (LSN) pools for the CGNAT module to use in allowing efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Description field, type a description.
  5. For the Mode setting, select PBA for the pool's translation.
    Note that PBA mode for DS-lite is same as for NAT44, except that all clients behind the DS-Lite tunnel are managed as one subscriber. Port block limits are in accordance with each DS-lite tunnel.
  6. For the Port Block Allocation setting, specify your preferred PBA configuration.
    1. In the Block Size field, type the number of ports designated for a block.
    2. In the Block Lifetime field, type the number of seconds before a port block times out.
      Note: If you type a timeout other than 0, you can also specify a Zombie Timeout. A Block Lifetime value that is less than the Persistence Timeout value minimizes the number of zombie port blocks. The default value of 0 specifies no lifetime limit and indefinite use of the port block.
    3. In the Block Idle Timeout field, enter the timeout (in seconds) for after the port block becomes idle.
      Note: Typically, you want to use a Block Idle Timeout value less than the Persistence Timeout value, to minimize the number of zombie port blocks.
    4. In the Client Block Limit field, type the number of blocks that can be assigned to a single subscriber IP address.
    5. In the Zombie Timeout field, type the number of seconds before port block times out.
      A zombie port block is a timed out port block with one or more active connections. The default value of 0 specifies no timeout and an indefinite zombie state for the port block, as long as connections remain active. A value other than 0 specifies a timeout expiration, upon which existing connections are terminated, and the port block is released and returned to the pool.
  7. In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
  8. Click Finished.
Your PBA LSN pool is now ready, and you can continue to configure your CGNAT.

Creating a VLAN for NAT

VLANs represent a collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
  6. From the Configuration list, select Advanced.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  8. In the MTU field, retain the default number of bytes (1500).
  9. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe box.
  10. From the Auto Last Hop list, select a value.
  11. From the CMP Hash list, select Source if this VLAN is the subscriber side or Destination if this VLAN is the Internet side.
  12. To enable the DAG Round Robin setting, select the check box.
  13. Click Finished.
    The screen refreshes, and displays the new VLAN from the list.
You now have one of two VLANs for your deterministic NAT. Repeat these steps to create a second VLAN to act as the destination if the first VLAN is the source or vice versa.

Creating a virtual server for an LSN pool

Virtual servers are matched based on source (client) addresses. Define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Servers screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Performance (Layer 4).
  5. For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  8. For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
  9. In the Resources area of the screen, for the iRules setting, select the name of the iRule that you want to assign and using the Move button, move the name from the Available list to the Enabled list.
  10. Click Finished.
The custom CGNAT virtual server now appears in the CGNAT Virtual Servers list.