LSN and L2-Aware NAT flow logging

LSN and L2-Aware NAT flow logging allows each BB-ISA card to export a record of the creation and deletion of each NAT flow to an external server. A NAT flow, or Fully Qualified Flow, is identified by the following parameters: inside IP, inside port, outside IP, outside port, foreign IP, foreign port, and protocol (UDP, TCP, or ICMP). A flow record as displayed on the node looks like this:

Owner               : LSN-Host@10.10.10.101
Router              : 1
Policy              : mnp
FlowType            : UDP
Inside IP Addr      : 10.10.10.101
Inside Port         : 20001
Outside IP Addr     : 192.168.20.28
Outside Port        : 2001
Foreign IP Addr     : 192.168.5.4
Foreign Port        : 20001
Dest IP Addr        : 192.168.5.4
Nat Group           : 1
Nat Group Member    : 1

The foreign IP address is the original IPv4 destination address of the packet as received by NAT on the inside. The destination IP address is the translated foreign IP address when destination NAT is active (destination NAT rewrites the destination IPv4 address of the packet).

Additional information, such as the inside or outside service ID and subscriber string, can be added to a flow record.

Flow logging can be deployed as an alternative to port-range logging or as a complement to it, providing a more granular log for offline reporting or compliance. Some operators have legal and compliance requirements for extremely detailed, per-flow logs that can be exported from the NAT node.

Because the rate at which new flows are set up is very high, logging to an internal facility (such as compact flash) is not supported, except in debugging mode, where the match criteria must be narrowed down to a single inside IP address and service.

Flow logging is enabled per NAT policy and is therefore initiated from each BB-ISA card. The flow records can be exported to an external collector in IPFIX format or syslog format, both of which use UDP as the transport protocol. Because of the high transaction volume, these UDP streams are stateless (no acknowledgement or retransmission); they do, however, carry sequence numbers so that the collector can detect lost records. The export packets egress the chassis in forwarding class NC (network control).
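A small collector-side check, added here as an example and not the product's own code: it parses the key/value record layout shown above, builds the fully qualified flow tuple, replays create/delete events to keep a table of open flows, and uses a per-record sequence number to report records that never arrived. The `Seq` and `Event` fields, the blank-line separation between records and the sample records themselves are assumptions constructed for this example; the real IPFIX and syslog encodings differ.

```python
import re
from typing import Dict, List, Tuple

# (inside_ip, inside_port, outside_ip, outside_port, foreign_ip, foreign_port, protocol)
FlowKey = Tuple[str, int, str, int, str, int, str]

# Constructed sample export: three records separated by blank lines.
# 'Seq' and 'Event' are assumed fields for this example. Sequence numbers
# 102 and 103 are deliberately absent to simulate two lost UDP datagrams.
SAMPLE_EXPORT = """\
Seq                 : 100
Event               : create
Owner               : LSN-Host@10.10.10.101
FlowType            : UDP
Inside IP Addr      : 10.10.10.101
Inside Port         : 20001
Outside IP Addr     : 192.168.20.28
Outside Port        : 2001
Foreign IP Addr     : 192.168.5.4
Foreign Port        : 20001
Dest IP Addr        : 192.168.5.4

Seq                 : 101
Event               : create
Owner               : LSN-Host@10.10.10.102
FlowType            : TCP
Inside IP Addr      : 10.10.10.102
Inside Port         : 40000
Outside IP Addr     : 192.168.20.28
Outside Port        : 2002
Foreign IP Addr     : 192.168.5.9
Foreign Port        : 443
Dest IP Addr        : 192.168.5.9

Seq                 : 104
Event               : delete
Owner               : LSN-Host@10.10.10.101
FlowType            : UDP
Inside IP Addr      : 10.10.10.101
Inside Port         : 20001
Outside IP Addr     : 192.168.20.28
Outside Port        : 2001
Foreign IP Addr     : 192.168.5.4
Foreign Port        : 20001
Dest IP Addr        : 192.168.5.4
"""

# Key is everything before the first colon; value keeps any later colons
# (so an IPv6 value would survive intact).
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the export into blank-line-separated records of 'Key : Value' lines."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


def fq_flow(rec: Dict[str, str]) -> FlowKey:
    """Build the fully qualified flow tuple from one record."""
    return (
        rec["Inside IP Addr"], int(rec["Inside Port"]),
        rec["Outside IP Addr"], int(rec["Outside Port"]),
        rec["Foreign IP Addr"], int(rec["Foreign Port"]),
        rec["FlowType"],
    )


def missing_sequences(records: List[Dict[str, str]]) -> List[int]:
    """Sequence numbers absent between consecutive records, i.e. lost datagrams."""
    seqs = [int(r["Seq"]) for r in records]
    missing: List[int] = []
    for prev, cur in zip(seqs, seqs[1:]):
        missing.extend(range(prev + 1, cur))
    return missing


def active_flows(records: List[Dict[str, str]]) -> Dict[FlowKey, str]:
    """Replay create/delete events; return the flows still open, keyed by tuple."""
    table: Dict[FlowKey, str] = {}
    for rec in records:
        key = fq_flow(rec)
        if rec["Event"] == "create":
            table[key] = rec["Owner"]
        elif rec["Event"] == "delete":
            table.pop(key, None)  # tolerate a delete whose create was lost
    return table


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    print("lost records:", missing_sequences(recs))
    for key, owner in active_flows(recs).items():
        print("open flow", key, "owner", owner)
```

A gap in the sequence numbers is the only evidence a collector gets that a record was lost, so a real collector should count gaps per exporter (per BB-ISA card) and alert when the loss rate rises, since a missing create or delete leaves the reconstructed flow table wrong for compliance lookups.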

IPFIX and syslog flow logging are configured through their respective export policies (ipfix-export-policy and syslog-export-policy). Each export policy supports two destinations (collectors). One ipfix-export-policy and one syslog-export-policy can be active simultaneously in any one NAT group.