Nat-policy change for L2-Aware NAT is supported through a sub-profile change triggered in CoA. However, change of sub-profile alone through CoA does not trigger generation of a new RADIUS accounting message and therefore NAT events related to NAT policy changes are not promptly logged. For this reason, each CoA initiating the sub-profile change in a NAT environment must do one of the following:
Change the sla-profile.
Include the Alc-Trigger-Acct-Interim VSA in the CoA messages.
Note that the sla-profile has to be changed and not just refreshed. In other words, replacing the existing sla-profile with the same one does not trigger a new accounting message.
Both of these events trigger an accounting update at the time CoA is processed. This keeps NAT logging current. The information about NAT resources for logging purposes is conveyed in the following RADIUS attributes:
Alc-Nat-Port-Range-Freed VSA → NAT resources released because of CoA.
Alc-Nat-Port-Range VSA → NAT resources in use. These can be the existing NAT resources which were not affected by CoA or they can be new NAT resource allocated because of CoA.
NAT logging behavior because of CoA depends on the deployed accounting mode of operation. This is described in Table: NAT-policy change and CoA in L2Aware NAT. The interim-update keyword must be configured for host/session accounting for Interim-Update messages to be triggered:
configure
subscriber-mgmt
radius-accounting-policy <name>
session-accounting interim-update
configure
subscriber-mgmt
radius-accounting-policy <name>
host-accounting interim-update
Table Legend:
AATR (Alc-Acct-Triggered-Reason) VSA — This VSA is optionally carried in Interim-Update messages that are triggered by CoA.
ATAI (Alc-Trigger-Acct-Interim) VSA — this VSA can be carried in CoA to trigger Interim-Update message. The string carried in this VSA is reflected in the triggered Interim-Update message.
I-U (Interim-Update Message)
| Host or session accounting | Queue-instance accounting | Comments | |
|---|---|---|---|
|
CoA Sub-prof change + ATAI VSA |
Single I-U with:
|
Single I-U with:
|
Single I-U message is triggered by CoA. |
|
CoA Sub-profile change + Sla-profile change |
First I-U:
Second I-U:
|
Acct Stop:
Acct Start:
|
Two accounting messages are triggered in succession. |
|
CoA Sub-profile change |
— |
— |
No accounting messages are triggered by CoA. The next regular I-U messages contain:
|
|
CoA Sub-profile change+ Sla-profile-change + ATAI VSA |
First I-U:
Second I-U:
|
Acct Stop:
Acct Start:
|
Two accounting messages are triggered in succession. |
For example, the second CoA row describes the outcome triggered by CoA carrying new sub and sla profiles. In host/session accounting mode this creates two Interim-Update messages. The first Interim-Messages carries information about:
the released NAT resources at the time when CoA is activated
existing NAT resources that are not affected by CoA
new NAT resources allocated at the time when CoA is activated
The second Interim-Update message carries information about the NAT resources that are in use (existing and new) when CoA is activated.
From this, the operator can infer which NAT resources are released by CoA and which NAT resources continue to be in use when CoA is activated.