Understanding NAT Event Logging in Flow Monitoring Format on an MX Series Router or NFX250
Starting with Junos OS Release 14.2R2 and 15.1R1, you can configure MX Series routers with MS-MPCs and MS-MICs to log network address translation (NAT) events using the Junos Traffic Vision (previously known as Jflow) version 9 or IPFIX (version 10) template format. You can also configure MX Series routers with MX-SPC3 services cards with this capability starting from Junos OS Release 19.3R2.
The NAT event logger generates messages in flow monitoring format for various NAT events, such as the creation of a NAT entry, deletion of a NAT entry, and invalid NAT processing (such as NAT address pools or address values being exhausted for allocation). These events also support NAT64 translations (translation of IPv6 addresses to IPv4 addresses), binding information base (BIB) events, and more detailed error generation. The generated records or logs for NAT events in flow template format are sent from the MS-MIC, MS-MPC, or MX-SPC3 to the specified host or external device that functions as the NetFlow collector. This method of generating flow monitoring records for NAT events enables cohesive and streamlined analysis of NAT traffic and troubleshooting of NAT-related problems. You can enable the capability to send flow monitoring records for NAT operations to an external collector and, at the same time, the capability to use the system logging protocol (syslog) to generate session logging for different services.
The flow records and the templates are encapsulated in a UDP or IP packet and sent to the collector. TCP-based logging of monitoring records for NAT events is not supported. Carrier-grade NAT (CGN) devices are required to log the creation and deletion of translations and information about the resources they manage. Flow monitoring logs can be optionally configured in your network topology in addition to the system logging (syslog) capability, which causes logs to be saved from the PIC either to the /var/log directory of the Routing Engine (local) or to an external server (remote). Generally, flow collectors are part of a vast network infrastructure containing several third-party devices, which perform various correlations and mappings with logs of other databases. Therefore, collection of NAT-related flow monitoring records as logs or template records on the hosts or devices that function as collectors is useful from an overall and comprehensive perspective. You can enable logging of flow monitoring records for NAT events at the service-set level so that version 9 or IPFIX flow records are generated as logs when NAT is configured on the router.
The NetFlow collector receives flow records in version 9 or IPFIX format from one or more exporters. It processes the received export packets by parsing and saving the flow record details. Flow records can be optionally aggregated before being stored on the hard disk. The NetFlow collector is also referred to as the collector. The exporter monitors packets entering an observation point and creates flows from these packets. The information from these flows is exported in the form of flow records to the NetFlow Collector. An observation point is a location in the network where IP packets can be overseen and monitored; for example, one or a set of interfaces on a network device such as a router. Every observation point is associated with an observation domain, which is a cluster of observation points, and constitutes the largest aggregatable set of flow information at the network device with NetFlow services enabled.
A FlowSet is a generic term for a collection of Flow Records that have a similar pattern or format. In an export packet, one or more FlowSets follow the packet header. A Template FlowSet comprises one or more template records that have been grouped together in an export packet. An Options Template FlowSet contains one or more Options Template records that are combined together in an export packet. A Data FlowSet is one or more records, of the same type, that are grouped together in an export packet. Each record is either a flow data record or an options data record that has been previously specified by a Template Record or an Options Template Record. One of the essential elements in the NetFlow format is the Template FlowSet. Templates vastly enhance the flexibility of the Flow Record format because they allow the collector to process Flow Records without necessarily knowing the interpretation of all the data in the Flow Record.
You can configure the capability to transmit records or log messages in version 9 and IPFIX traffic flow formats generated for NAT events to an external, off-box high-speed NetFlow collector for easy and effective monitoring and diagnosis of the logs. By default, this functionality is disabled. With a high number of NAT events, this mechanism of exporting logs to an external log collector might cause scaling considerations such as loss of a few flow records.
To enable the mechanism to record logging messages in flow monitoring format for NAT events, include the jflow-log statement at the [edit services] hierarchy level. You can configure a collector, which is an external host to which the flow monitoring formatted logs are sent, or a group of collectors. A group of collectors is useful in scenarios in which you want to combine a set of collector devices and define common settings for logging NAT events for all the collectors in the cluster or group. To configure a collector and its parameters, such as the source IP address from which the records are sent and the destination address of the collector, include the collector collector-name statement and its substatements at the [edit services jflow-log] hierarchy level. To specify a collector group or a cluster, include the collector-group collector-group-name statement and its substatements at the [edit services jflow-log] hierarchy level.
You need to configure a template profile and associate it with the collector. The profile defines the characteristics of the flow monitoring record template, such as the version of flow monitoring (version 9 or IPFIX), the refresh rate, in either packets or seconds, and the type of service or application (NAT in this case) for which flow records must be sent to the collector. To specify a template profile, include the template-profile template-profile-name statement at the [edit services jflow-log] hierarchy level. To specify the maximum number of messages to be collected per second for NAT error events, include the message-rate-limit messages-per-second statement at the [edit interfaces ms-interface-name service-options jflow-log] hierarchy level.
Use of version 9 and IPFIX allows you to define a flow record template suitable for IPv4 traffic, IPv6 traffic, MPLS traffic, a combination of IPv4 and MPLS traffic, or peer AS billing traffic. Templates and the fields included in the template are transmitted to the collector periodically, and the collector need not be aware of the router configuration. You must define the template profile properties for a NAT service and associate the defined template profile with a service set to enable the flow monitoring log functionality for NAT events. To define the template profile characteristics for recording flow monitoring logs for NAT events, include the template-profile template-profile-name statement at the [edit services jflow-log] hierarchy level. To associate the template profile for recording flow monitoring logs for NAT events at the service-set level, which applies to all the services in the system, include the template-profile template-profile-name statement at the [edit services service-set service-set-name] hierarchy level.
To view statistical information on the logs generated in flow monitoring format for the interfaces and service sets configured on the system, use the show services service-sets statistics jflow-log command.
The following system log messages for various NAT events are logged using the system logging (syslog) capability:
JSERVICES_SESSION_OPEN
JSERVICES_SESSION_CLOSE
JSERVICES_NAT_OUTOF_ADDRESSES
JSERVICES_NAT_OUTOF_PORTS
JSERVICES_NAT_RULE_MATCH
JSERVICES_NAT_POOL_RELEASE
JSERVICES_NAT_PORT_BLOCK_ALLOC
JSERVICES_NAT_PORT_BLOCK_RELEASE
JSERVICES_NAT_PORT_BLOCK_ACTIVE
The following NAT events are logged using the flow monitoring log capability using version 9 and IPFIX flow templates:
NAT44 session create
NAT44 session delete
NAT addresses exhausted
NAT64 session create
NAT64 session delete
NAT44 BIB create
NAT44 BIB delete
NAT64 BIB create
NAT64 BIB delete
NAT ports exhausted
NAT quota exceeded
NAT Address binding create
NAT Address binding delete
NAT port block allocation
NAT port block release
NAT port block active
Table 1 describes the flow template format for NAT44 session creation and deletion events. The Information Element (IE) names and their IANA IDs are as defined in the IP Flow Information Export (IPFIX) Entities registry of the Internet Assigned Numbers Authority (IANA).
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv4Address | 32 | 8
postNATSourceIPv4Address | 32 | 225
protocolIdentifier | 8 | 4
sourceTransportPort | 16 | 7
postNAPTsourceTransportPort | 16 | 227
destinationIPv4Address | 32 | 12
postNATDestinationIPv4Address | 32 | 226
destinationTransportPort | 16 | 11
postNAPTdestinationTransportPort | 16 | 228
natOriginatingAddressRealm | 8 | 229
natEvent | 8 | 230
flowDurationMilliseconds | 32 | 161
initiatorPackets | 64 | 298
responderPackets | 64 | 299
flowDirection | 8 | 61
Table 2 describes the flow template format for NAT64 session creation and deletion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv6Address | 128 | 27
postNATSourceIPv6Address | 32 | 225
protocolIdentifier | 8 | 4
sourceTransportPort | 16 | 7
postNAPTsourceTransportPort | 16 | 227
destinationIPv6Address | 128 | 28
postNATDestinationIPv6Address | 32 | 226
destinationTransportPort | 16 | 11
postNAPTdestinationTransportPort | 16 | 228
natOriginatingAddressRealm | 8 | 229
natEvent | 8 | 230
flowDurationMilliseconds | 32 | 161
initiatorPackets | 64 | 298
responderPackets | 64 | 299
flowDirection | 8 | 61
Table 3 describes the flow template format for NAT44 binding information base (BIB) creation and deletion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv4Address | 32 | 8
postNATSourceIPv4Address | 32 | 225
protocolIdentifier | 8 | 4
sourceTransportPort | 16 | 7
postNAPTsourceTransportPort | 16 | 227
natEvent | 8 | 230
Table 4 describes the flow template format for NAT64 binding information base (BIB) creation and deletion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv6Address | 128 | 27
postNATSourceIPv6Address | 32 | 225
protocolIdentifier | 8 | 4
sourceTransportPort | 16 | 7
postNAPTsourceTransportPort | 16 | 227
natEvent | 8 | 230
Table 5 describes the flow template format for address exhaustion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
natPoolName | 512 | 284
Table 6 describes the flow template format for port exhaustion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
postNATSourceIPv4Address | 32 | 225
protocolIdentifier | 8 | 4
Table 7 describes the flow template format for NAT44 quota exceeded events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
sourceIPv4Address | 32 | 8
Table 8 describes the flow template format for NAT64 quota exceeded events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
sourceIPv6Address | 128 | 27
Table 9 describes the flow template format for NAT44 address binding creation and deletion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
sourceIPv4Address | 32 | 8
postNATSourceIPv4Address | 32 | 225
Table 10 describes the flow template format for NAT64 address binding creation and deletion events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
natEvent | 8 | 230
sourceIPv6Address | 128 | 27
postNATSourceIPv4Address | 32 | 225
Table 11 describes the flow template format for NAT44 port block allocation and deallocation events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv4Address | 32 | 8
postNATSourceIPv4Address | 32 | 225
portRangeStart | 16 | 361
portRangeEnd | 16 | 362
portRangeStepSize | 16 | 363
portRangeNumPorts | 16 | 364
observationTimeMilliseconds (time when the port block was allocated). Note: this IE is not included in flow templates when using the MX-SPC3 services card. | 64 | 323
natEvent | 8 | 230
Table 12 describes the flow template format for NAT64 port block allocation and deallocation events.
Information Element (IE) | Size (bits) | IANA ID
---|---|---
observationTimeMilliseconds | 64 | 323
sourceIPv6Address | 128 | 27
postNATSourceIPv4Address | 32 | 225
portRangeStart | 16 | 361
portRangeEnd | 16 | 362
portRangeStepSize | 16 | 363
portRangeNumPorts | 16 | 364
observationTimeMilliseconds (time when port block allocation (PBA) is configured). Note: this IE is not included in flow templates when using the MX-SPC3 services card. | 64 | 323
natEvent | 8 | 230
In all of the aforementioned templates, the natEvent field maps to one of the values listed in Table 13, depending on the type of event.
natEvent Value | natEvent Name
---|---
1 | NAT44 Session create
2 | NAT44 Session delete
3 | NAT Addresses exhausted
4 | NAT64 Session create
5 | NAT64 Session delete
6 | NAT44 BIB create
7 | NAT44 BIB delete
8 | NAT64 BIB create
9 | NAT64 BIB delete
10 | NAT ports exhausted
11 | NAT Quota exceeded
12 | NAT Address binding create
13 | NAT Address binding delete
14 | NAT port block allocation
15 | NAT port block release
16 | NAT port block active
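The template-driven decoding that the FlowSet description and Tables 1 to 13 imply can be exercised end to end on the collector side with the following Python decoder. This is an added example, not Juniper code and not part of this page: it builds two constructed IPFIX (version 10) export messages whose templates follow Table 1 (NAT44 session) and Table 5 (address exhaustion), with constructed addresses, ports and the pool name cgn-pool-1, decodes the Data Sets using the templates received earlier, and maps the natEvent value through Table 13. The template ids 256 and 257, the observation domain id, the timestamps and all helper names are assumptions of the example; the IE ids and field sizes are those of the tables above.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# natEvent code -> name, as listed in Table 13.
NAT_EVENT_NAMES = {
    1: "NAT44 Session create", 2: "NAT44 Session delete", 3: "NAT Addresses exhausted",
    4: "NAT64 Session create", 5: "NAT64 Session delete", 6: "NAT44 BIB create",
    7: "NAT44 BIB delete", 8: "NAT64 BIB create", 9: "NAT64 BIB delete",
    10: "NAT ports exhausted", 11: "NAT Quota exceeded", 12: "NAT Address binding create",
    13: "NAT Address binding delete", 14: "NAT port block allocation",
    15: "NAT port block release", 16: "NAT port block active",
}
# IANA Information Element ids used by the NAT templates in Tables 1 to 12.
IE_NAMES = {
    323: "observationTimeMilliseconds", 8: "sourceIPv4Address", 27: "sourceIPv6Address",
    12: "destinationIPv4Address", 28: "destinationIPv6Address",
    225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
    4: "protocolIdentifier", 7: "sourceTransportPort", 11: "destinationTransportPort",
    227: "postNAPTsourceTransportPort", 228: "postNAPTdestinationTransportPort",
    229: "natOriginatingAddressRealm", 230: "natEvent", 161: "flowDurationMilliseconds",
    298: "initiatorPackets", 299: "responderPackets", 61: "flowDirection",
    284: "natPoolName", 361: "portRangeStart", 362: "portRangeEnd",
    363: "portRangeStepSize", 364: "portRangeNumPorts",
}
IPV4_IES, IPV6_IES, STRING_IES = {8, 12, 225, 226}, {27, 28}, {284}


def decode_field(ie_id, raw):
    """Decode one field's bytes by IE id; all integers are big-endian (RFC 7011)."""
    if ie_id in IPV4_IES:
        return str(IPv4Address(raw))
    if ie_id in IPV6_IES:
        return str(IPv6Address(raw))
    if ie_id in STRING_IES:  # fixed-width, NUL-padded string such as natPoolName
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    value = int.from_bytes(raw, "big")
    return NAT_EVENT_NAMES.get(value, "unknown natEvent %d" % value) if ie_id == 230 else value


def parse_ipfix(message, templates):
    """Parse one IPFIX message into a list of record dicts. Templates are cached in
    `templates` keyed by (observation domain, template id) so Data Sets in later
    messages can be decoded; Data Sets whose template is still unknown are skipped."""
    if len(message) < 16:
        raise ValueError("shorter than an IPFIX header")
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", message[:16])
    if version != 10 or length > len(message):
        raise ValueError("not a well-formed IPFIX (version 10) message")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("malformed set length")
        body = message[offset + 4:offset + set_len]
        if set_id == 2:  # Template Set
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid < 256:  # trailing padding, not a template record
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    if ie & 0x8000:  # enterprise-specific IE: skip the enterprise number
                        pos += 4
                    fields.append((ie & 0x7FFF, flen))
                templates[(domain, tid)] = fields
        elif set_id >= 256:  # Data Set: the set id is the template id
            fields = templates.get((domain, set_id))
            if fields is not None:
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):  # leftover bytes are padding
                    rec = {}
                    for ie, flen in fields:
                        rec[IE_NAMES.get(ie, "ie%d" % ie)] = decode_field(ie, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += set_len
    return records


# Constructed export messages (assumed ids and values, not captured from a router).
def _set(set_id, payload):
    return struct.pack("!HH", set_id, 4 + len(payload)) + payload

def _template(tid, fields):
    return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", i, n) for i, n in fields)

def _message(domain, seq, *sets):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, seq, domain) + body

# Field lists follow Table 1 and Table 5; lengths are the table sizes in bits / 8.
NAT44_SESSION = [(323, 8), (8, 4), (225, 4), (4, 1), (7, 2), (227, 2), (12, 4), (226, 4),
                 (11, 2), (228, 2), (229, 1), (230, 1), (161, 4), (298, 8), (299, 8), (61, 1)]
POOL_EXHAUSTED = [(323, 8), (230, 1), (284, 64)]

def sample_messages():
    """First message: both templates plus one NAT44 session-create record.
    Second message: only an address-exhaustion record (relies on the cached template)."""
    session = struct.pack("!Q4s4sBHH4s4sHHBBIQQB", 1700000000123,
                          IPv4Address("10.0.0.5").packed, IPv4Address("203.0.113.7").packed,
                          6, 40000, 1025, IPv4Address("198.51.100.9").packed,
                          IPv4Address("198.51.100.9").packed, 443, 443, 1, 1, 0, 1, 0, 0)
    exhausted = struct.pack("!QB64s", 1700000000456, 3, b"cgn-pool-1")
    first = _message(1, 0, _set(2, _template(256, NAT44_SESSION) + _template(257, POOL_EXHAUSTED)),
                     _set(256, session))
    return [first, _message(1, 1, _set(257, exhausted))]

def pools_exhausted(records):
    """Collector-side check: NAT pools that reported address exhaustion."""
    return sorted({r["natPoolName"] for r in records
                   if r.get("natEvent") == "NAT Addresses exhausted" and "natPoolName" in r})

def demo():
    templates, records = {}, []
    for msg in sample_messages():
        records.extend(parse_ipfix(msg, templates))
    return records
```

Feeding the second message to a fresh template cache yields no records, which is the behaviour a collector shows when it starts between two template refreshes; the refresh-rate settings in the template profile bound how long that gap can last.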
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.