[rbak-nsp] (CG)NAT traffic log.
Rafal
golem at mtm-info.pl
Tue Feb 16 04:55:33 EST 2016
Hello Piotr,
Enhanced NAT (CGNAT) connection logging is Ericsson proprietary.
CGNAT isn't efficient NAT, and I prefer you to stay with standard NAT.
With CGNAT you will quickly run out of microblocks (after like 1k-2k customers per card).
This is how CGNAT logging works:
Once a subscriber opens a session, he gets a port range (a range of microblocks is assigned).
Then a flow is generated which contains something like:
nat ip, public ip, start port, end port, time start/time end.
Because the subscriber will always be NAT'ed within this static port range, you don't need
to know the destination, because all connections opened will be within this range.
This saves disk space; however, with CGNAT SE OS assigns a full microblock, so you are
draining microblock resources very quickly. There is also a compatibility problem with some
applications like torrents with CGNAT. If you consider staying with CGNAT, you need to modify the nfcap sources and
compile it with mods.
Standard NAT assigns microblocks on demand, so you can connect more subscribers per card (3-5 times more).
subscriber default
 ....
 flow apply ip profile rflow-sub both

flow collector SubsLog
 ip-address xxxxxxxx context kolektor
 port 7001
 export-version v5
 transport-protocol udp
 ip profile rflow-sub

in global (tune to your needs)

flow ip profile rflow-sub
 aggregation-cache-size 1024
This way it logs src ip, dst ip, src port, dst port, time, etc.
I prefer using it with nfsen.
Rafal
Tuesday, February 16, 2016, 1:08:39 AM, you wrote:
I have to start using NAT on an SE100, but I have a problem with logging connections.
I have configuration like this:
(…)
nat logging-profile monitor
 transport-protocol udp
 export-version v9
 source 10.32.0.90 port 9000
 destination 10.32.0.10 context BGP port 9000

ip nat pool NATPOOL napt logging
 logging-profile monitor context BGP
 address X.X.X.97 to X.X.X.115

nat policy NAT_POLICY enhanced
! Default class
 drop
 icmp-notification
! Named classes
 access-group NAT-ACL
  class NAT1
   pool NATPOOL BGP
   admission-control tcp
   endpoint-independent filtering tcp
   endpoint-independent filtering udp
   inbound-refresh udp
   icmp-notification
(…)
I received packets on my server .10, but when I captured them (I used nfdump/nfcapd software) I'm not able to read the IP src, IP dst and other information. My output is similar to this:
Date flow start          Duration Proto  Src IP Addr:Port     Dst IP Addr:Port  Packets   Bytes Flows
2016-01-25 20:22:37.000     0.000 0             0.0.0.0:0 ->         0.0.0.0:0    2.4 M  131072     1
2016-01-25 20:22:37.000     0.000 0             0.0.0.0:0 ->         0.0.0.0:0    2.4 M   65536     1
Is it possible to configure some open source collector to catch all information from this flow?
--
Piotr Łyczba
--
Best regards,
Ozga Rafal mailto:golem at mtm-info.pl
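
The lookup that the port-range records described in the reply make possible, as an added example (not part of the original e-mail, and not Ericsson or nfdump code): given a public IP, source port and timestamp from an abuse report, find the subscriber whose block covered it. The record field names, the reading of "nat ip" as the subscriber's inside address, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

class BlockRecord(NamedTuple):
    nat_ip: str                  # assumed: subscriber's inside (pre-NAT) address
    public_ip: str
    start_port: int
    end_port: int                # inclusive
    t_start: datetime
    t_end: Optional[datetime]    # None = block still assigned

class BlockIndex:
    """Port-block records keyed by public IP, sorted by start port."""
    def __init__(self, records):
        self._by_ip = defaultdict(list)
        for r in records:
            self._by_ip[r.public_ip].append(r)
        for recs in self._by_ip.values():
            recs.sort(key=lambda r: r.start_port)

    def lookup(self, public_ip, port, when):
        """Return every nat_ip whose block covered public_ip:port at `when`.
        [] means a logging gap; more than one hit means overlapping records."""
        hits = []
        for r in self._by_ip.get(public_ip, []):
            if r.start_port > port:
                break            # sorted: no later block can contain the port
            active = r.t_start <= when and (r.t_end is None or when < r.t_end)
            if port <= r.end_port and active:
                hits.append(r.nat_ip)
        return hits

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (documentation address ranges, not real data).
SAMPLE = [
    BlockRecord("100.64.0.10", "203.0.113.97", 1024, 1535,
                ts("2016-02-16 10:00:00"), ts("2016-02-16 11:00:00")),
    BlockRecord("100.64.0.11", "203.0.113.97", 1536, 2047,
                ts("2016-02-16 10:05:00"), None),
    BlockRecord("100.64.0.12", "203.0.113.97", 1024, 1535,   # same block, reused later
                ts("2016-02-16 11:00:00"), ts("2016-02-16 12:00:00")),
]

if __name__ == "__main__":
    idx = BlockIndex(SAMPLE)
    print(idx.lookup("203.0.113.97", 1200, ts("2016-02-16 10:30:00")))
```

The timestamp matters as much as the port: the same block maps to different subscribers before and after it is released, so the collector and the reporting party need synchronized clocks.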