Currently-allocated NAT resources (such as a public IP address and a port block for a NAT subscriber) can be periodically refreshed via Interim-Update (I-U) accounting messages. This functionality is enabled by the periodic RADIUS logging facility. Its primary purpose is to keep logging information preserved for long-lived sessions in environments where NAT logs are periodically and deliberately deleted from the service provider’s network. This is typically the case in countries where privacy laws limit how long information about a customer’s traffic can be retained in the service provider’s network.
Periodic RADIUS logging for NAT is enabled by the following command:
configure
    aaa
        isa-radius-policy <name> create
            [no] periodic-update interval <hours> [rate-limit <r>]
The configurable interval dictates the frequency of I-U messages that are generated for each currently allocated NAT resource (such as a public IP address and a port block).
By default, the I-U messages are sent in rapid succession for a subscriber without any intentional delay inserted by SR OS. For example, a NAT subscriber with 8 NAT policies, each configured with 40 port ranges, generates 320 consecutive I-U messages at the expiration of the configured interval. When the intervals of many NAT subscribers are synchronized, this creates a surge in I-U message generation, which can adversely affect logging; for example, the logging server can drop messages because it cannot process the high rate of incoming I-U messages.
To prevent this, the rate of I-U message generation can be controlled by the rate-limit CLI parameter.
The periodic logging is applicable to both modes of RADIUS logging in NAT:
1. Acct-Multi-Session-Id AVP is enabled
   In this case, accounting START/STOP messages are generated for each NAT resource (such as a public IP address and a port block) allocation/de-allocation. The Acct-Multi-Session-Id and Acct-Session-Id values in the periodic I-U messages for a currently allocated NAT resource are inherited from the acct START message for the same NAT resource.
2. Acct-Multi-Session-Id AVP is disabled
   In this case, the acct START is generated for the first allocated NAT resource for the subscriber (a public IP address and a port block) and the acct STOP message is generated when the last NAT resource for the subscriber is released. All of the in-between port block allocations for the same subscriber trigger I-U messages with the same acct-session-id as the one contained in the acct START message. To differentiate between the port-block allocations, releases and updates within the I-U messages for the same NAT subscriber, the Alc-Acct-Triggered-Reason AVP is included in every periodic I-U message. Sending the Alc-Acct-Triggered-Reason AVP is configuration dependent (enabled in the isa-radius-policy>acct-include-attributes context). The supported values for the Alc-Acct-Triggered-Reason AVP in I-U messages are:
   Alc-Acct-Triggered-Reason=Nat-FREE (19): generated when the port-block is released.
   Alc-Acct-Triggered-Reason=Nat-MAP (20): generated when the port-block is allocated.
   Alc-Acct-Triggered-Reason=Nat-UPDATE (21): generated during a periodically scheduled I-U update.
The log for each port-block periodic update is carried in a separate I-U message.
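As an added example (not SR OS code or output), the following script replays accounting records in the Acct-Multi-Session-Id-disabled mode described above, rebuilding the set of live port blocks from the START/STOP messages and the Alc-Acct-Triggered-Reason values, flagging blocks whose periodic refresh is overdue, and computing the unthrottled I-U burst size from the earlier paragraph. The "Port-Block" field, the record layout and the timestamps are constructed for illustration.

```python
"""Replay NAT RADIUS accounting records (Acct-Multi-Session-Id disabled mode),
rebuild live port blocks and flag blocks whose periodic I-U refresh is overdue.
Added example, not SR OS code; "Port-Block" and timestamps are constructed."""
from collections import defaultdict

NAT_FREE, NAT_MAP, NAT_UPDATE = 19, 20, 21  # Alc-Acct-Triggered-Reason values

def rec(status, sid, block, t, reason=None):
    """Build one accounting record as a dict (constructed layout)."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": sid,
            "Port-Block": block, "Time": t, "Alc-Acct-Triggered-Reason": reason}

def replay(records):
    """Return {acct_session_id: {port_block: time of last START/MAP/UPDATE}}."""
    live = defaultdict(dict)
    for r in records:
        sid, block, t = r["Acct-Session-Id"], r["Port-Block"], r["Time"]
        status = r["Acct-Status-Type"]
        if status == "Start":                     # first block for the subscriber
            live[sid][block] = t
        elif status == "Stop":                    # last block released
            live.pop(sid, None)
        elif status == "Interim-Update":
            if r["Alc-Acct-Triggered-Reason"] == NAT_FREE:
                live[sid].pop(block, None)
            else:                                 # NAT_MAP or NAT_UPDATE
                live[sid][block] = t
    return {sid: dict(b) for sid, b in live.items() if b}

def overdue(live, now, interval_s):
    """Live blocks not refreshed within one periodic-update interval."""
    return sorted((sid, b) for sid, blocks in live.items()
                  for b, t in blocks.items() if now - t > interval_s)

def iu_burst_size(nat_policies, port_ranges_per_policy):
    """I-U messages per subscriber per interval when no rate-limit is set."""
    return nat_policies * port_ranges_per_policy

A, B, C = "198.51.100.1:1024-1055", "198.51.100.1:1056-1087", "198.51.100.1:1120-1151"
SAMPLE = [                                   # constructed, one-hour interval
    rec("Start", "s1", A, 0),
    rec("Interim-Update", "s1", B, 100, NAT_MAP),
    rec("Interim-Update", "s1", A, 3600, NAT_UPDATE),
    rec("Interim-Update", "s1", B, 3600, NAT_UPDATE),
    rec("Interim-Update", "s1", B, 4000, NAT_FREE),
    rec("Interim-Update", "s1", C, 5000, NAT_MAP),
]

if __name__ == "__main__":
    state = replay(SAMPLE)
    print(overdue(state, now=7500, interval_s=3600))  # block A missed its update
    print(iu_burst_size(8, 40))                         # 320, matching the text
```

A block that stops appearing in periodic I-U messages while the subscriber still has an active session is a sign of a log gap, which is exactly what the periodic update exists to prevent.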