Manual Chapter: IPFIX Templates for CGNAT Events

Overview: IPFIX logging templates

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.

IPFIX information elements for CGNAT events

Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single CGNAT event. These tables list all the IEs used in F5 CGNAT events, and differentiate IEs defined by IANA from IEs defined by F5 products.

IANA-Defined IPFIX information elements

Information Elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier, at http://www.iana.org/assignments/ipfix/ipfix.xml. The F5 CGNAT implementation uses a subset of these IEs to publish CGNAT events. This subset is summarized in the table below. Please refer to the IANA site for the official description of each field.

Information Element (IE)          Size (Bytes)   IANA ID
destinationIPv4Address            4              12
destinationTransportPort          2              11
egressVRFID                       4              235
flowDurationMilliseconds          4              161
flowStartMilliseconds             8              152
ingressVRFID                      4              234
natEvent                          1              230
natOriginatingAddressRealm        1              229
natPoolName                       Variable       284
observationTimeMilliseconds       8              323
postNAPTDestinationTransportPort  2              228
postNAPTSourceTransportPort       2              227
postNATDestinationIPv4Address     4              226
postNATDestinationIPv6Address     16             282
postNATSourceIPv4Address          4              225
protocolIdentifier                1              4
sourceIPv4Address                 4              8
sourceIPv6Address                 16             27
sourceTransportPort               2              7

Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

IPFIX enterprise information elements

Description

IPFIX provides specifications for enterprises to define their own Information Elements. F5 currently does not use any non-standard IEs for CGNAT Events.

Individual IPFIX templates for each event

These tables specify the IPFIX templates used by F5 to publish CGNAT Events.

Each template contains a natEvent information element (IE). This element is currently defined by IANA to contain the values 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, IANA may standardize additional values to distinguish between NAT44 and NAT64 events and to allow for additional types of NAT events. For example, the Internet Draft draft-ietf-behave-ipfix-nat-logging (http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging) proposes additional values for this IE for such events.

F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.

You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.

F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater to customer requirements such as the need to publish destination address information, or to specifically omit such information. Each variant has a distinct template.

The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:

  • 10 – Translation Failure
  • 11 – Session Quota Exceeded
  • 12 – Port Quota Exceeded

The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.

NAT44 session create – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv4Address                 4
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              1 (for Create event).

NAT44 session delete – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process finishes the session.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv4Address                 4
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.

NAT44 session create – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv4Address     4
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              1 (for Create event).

NAT44 session delete – inbound variant

Description

This event is generated when an inbound NAT44 session, received from the internet side and connected to a client on the subscriber side, is deleted.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv4Address     4
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.

NAT44 translation failed

Description

This event reports a NAT44 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natEvent                          1              10 for Translation Failed.
natPoolName                       Variable       This IE is omitted for NetFlow v9.
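The template above, decoded the way a collector would do it. This is an added example, not F5's code or tooling: the IE ids and sizes come from the IANA table in this chapter, the ordered IE lists from the NAT44 create (outbound) and translation-failed templates, and the natEvent values include the non-standard 10, 11 and 12 listed earlier; the variable-length natPoolName is read with the RFC 7011 length encoding that NetFlow v9 collectors lack, which is why the chapter omits it for them. The sample record bytes are constructed here, and only the Data Record body is decoded, not the IPFIX message or set headers.

```python
"""Template-driven decoder for IPFIX Data Record bodies carrying F5 CGNAT events.
Added example, not F5 code: IE ids/sizes, template contents and natEvent values
come from this chapter; the sample record bytes are constructed here."""
import ipaddress
import struct

# IANA element id -> (name, size in bytes; None = variable length, RFC 7011 s.7)
IE_REGISTRY = {
    323: ("observationTimeMilliseconds", 8), 234: ("ingressVRFID", 4),
    235: ("egressVRFID", 4),                8: ("sourceIPv4Address", 4),
    225: ("postNATSourceIPv4Address", 4),   4: ("protocolIdentifier", 1),
    7: ("sourceTransportPort", 2),          227: ("postNAPTSourceTransportPort", 2),
    12: ("destinationIPv4Address", 4),      11: ("destinationTransportPort", 2),
    229: ("natOriginatingAddressRealm", 1), 230: ("natEvent", 1),
    284: ("natPoolName", None),
}
# natEvent: IANA values 1-3 plus the non-standard values F5 uses (10-12).
NAT_EVENT = {1: "Create", 2: "Delete", 3: "Pool Exhausted", 10: "Translation Failure",
             11: "Session Quota Exceeded", 12: "Port Quota Exceeded"}
# Ordered IE ids, copied from two of the chapter's template tables.
TEMPLATES = {
    "nat44_create_outbound": [323, 234, 235, 8, 225, 4, 7, 227, 12, 11, 229, 230],
    "nat44_translation_failed": [323, 234, 8, 4, 7, 12, 11, 230, 284],
}

def _read_varlen(buf, pos):
    """Variable-length IE: 1-byte length, or 0xFF followed by a 2-byte length."""
    length = buf[pos]
    pos += 1
    if length == 255:
        length, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
    if pos + length > len(buf):
        raise ValueError("variable-length IE runs past end of record")
    return buf[pos:pos + length], pos + length

def decode_record(template_name, buf):
    """Decode one Data Record body; raises ValueError on truncation or trailing bytes."""
    fields, pos = {}, 0
    for ie_id in TEMPLATES[template_name]:
        name, size = IE_REGISTRY[ie_id]
        if size is None:
            raw, pos = _read_varlen(buf, pos)
            fields[name] = raw.decode("utf-8", "replace")
            continue
        raw = buf[pos:pos + size]
        if len(raw) != size:
            raise ValueError(f"record truncated inside {name}")
        pos += size
        if name.endswith("IPv4Address"):
            fields[name] = str(ipaddress.IPv4Address(raw))
        elif name.endswith("IPv6Address"):
            fields[name] = str(ipaddress.IPv6Address(raw))
        else:
            fields[name] = int.from_bytes(raw, "big")
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after record")
    fields["natEventName"] = NAT_EVENT.get(fields["natEvent"], "unknown")
    return fields

# Constructed NAT44 "translation failed" record: 26 fixed-size bytes, then the
# variable-length natPoolName (length octet 10 + "lsn_pool_1").
SAMPLE_RECORD = struct.pack(
    "!QI4sBH4sHB", 1700000000000, 0, ipaddress.IPv4Address("10.1.2.3").packed,
    6, 40000, bytes(4), 0, 10) + bytes([10]) + b"lsn_pool_1"
```

Calling decode_record("nat44_translation_failed", SAMPLE_RECORD) returns the obscured destination as 0.0.0.0 and natEventName "Translation Failure"; a record cut short inside the pool name raises ValueError instead of silently misaligning the next record.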

NAT44 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT44 translation.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv4Address                 4
natEvent                          1              11 for Session Quota Exceeded, 12 for Port Quota Exceeded.
natPoolName                       Variable       This IE is omitted for NetFlow v9.

NAT64 session create – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Note: The destinationIPv6Address is not reported, since the postNATDestinationIPv4Address value is derived algorithmically from the IPv6 representation in destinationIPv6Address, as specified in RFC 6146 and RFC 6502.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv6Address                 16
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
postNATDestinationIPv4Address     4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              1 (for Create event).

NAT64 session delete – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process finishes the outbound session.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv6Address                 16
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
postNATDestinationIPv4Address     4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.

NAT64 session create – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side.

Note: postNATSourceIPv6Address is not reported, since this value can be derived algorithmically by prefixing sourceIPv4Address with the well-known NAT64 prefix 64:ff9b::.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv6Address     16
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              1 (for Create event).

NAT64 session delete – inbound variant

Description

This event is generated when an inbound session, received from the internet side and connected to a NAT64 client on the subscriber side, is deleted.

Note: postNATSourceIPv6Address is not reported, since this value can be derived algorithmically by prefixing sourceIPv4Address with the well-known NAT64 prefix 64:ff9b::.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv6Address     16
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.
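The NAT64 notes above say the collector can reconstruct the omitted IPv6 fields itself: postNATSourceIPv6Address for the inbound templates, and destinationIPv6Address for the outbound ones whose postNATDestinationIPv4Address was logged. This added example (not F5 code) does that for a decoded record; it assumes the well-known prefix 64:ff9b::/96 the notes name, and the sample records are constructed.

```python
"""Reconstruct the NAT64 addresses that this chapter's NAT64 templates omit.
Added example, not F5 code. Assumes the well-known prefix 64:ff9b::/96 named in the
chapter; pass a different /96 prefix if the deployment uses a network-specific one."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def ipv4_to_nat64(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes place the IPv4 address in the low 32 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))

def nat64_to_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Extract the embedded IPv4 address; rejects addresses outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def complete_nat64_record(fields, prefix=WELL_KNOWN_PREFIX):
    """Add the derivable field to a decoded NAT64 record (IE name -> string value).

    Inbound templates log sourceIPv4Address but not postNATSourceIPv6Address;
    outbound templates log postNATDestinationIPv4Address but not destinationIPv6Address
    (left out when that IPv4 value is the obscured 0.0.0.0). Returns a new dict."""
    out = dict(fields)
    if "postNATDestinationIPv6Address" in out:            # inbound variant
        out["postNATSourceIPv6Address"] = str(ipv4_to_nat64(out["sourceIPv4Address"], prefix))
    elif "sourceIPv6Address" in out:                      # outbound variant
        v4 = out.get("postNATDestinationIPv4Address", "0.0.0.0")
        if v4 != "0.0.0.0":
            out["destinationIPv6Address"] = str(ipv4_to_nat64(v4, prefix))
    return out

# Constructed decoded records (all values made up for the example).
INBOUND_CREATE = {"sourceIPv4Address": "192.0.2.33", "destinationIPv4Address": "203.0.113.7",
                  "postNATDestinationIPv6Address": "2001:db8::1", "natEvent": 1}
OUTBOUND_CREATE = {"sourceIPv6Address": "2001:db8::1", "postNATSourceIPv4Address": "203.0.113.7",
                   "postNATDestinationIPv4Address": "192.0.2.33", "natEvent": 1}
```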

NAT64 translation failed

Description

This event reports a NAT64 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv6Address                 16
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natEvent                          1              10 for Translation Failed.
natPoolName                       Variable       This IE is omitted for NetFlow v9.

NAT64 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT64 translation.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv6Address                 16
natEvent                          1              11 for Session Quota Exceeded, 12 for Port Quota Exceeded.
natPoolName                       Variable       This IE is omitted for NetFlow v9.

DS-Lite session create – outbound variant

Description

This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.

Note: In this template, sourceIPv6Address carries different information than in the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv4Address                 4
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
sourceIPv6Address                 16             DS-Lite remote endpoint IPv6 address.
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              1 (for Create event).

DS-Lite session delete – outbound variant

Description

This event is generated when a DS-Lite client session is received from the subscriber side and the LSN process finishes with the outbound session.

Note: In this template, sourceIPv6Address carries different information than in the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
egressVRFID                       4              The "LSN" routing-domain ID.
sourceIPv4Address                 4
postNATSourceIPv4Address          4
protocolIdentifier                1
sourceTransportPort               2
postNAPTSourceTransportPort       2
sourceIPv6Address                 16             DS-Lite remote endpoint IPv6 address.
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natOriginatingAddressRealm        1              1 (private/internal realm, subscriber side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.

DS-Lite session create – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv6Address     16             DS-Lite remote endpoint IPv6 address.
postNATDestinationIPv4Address     4
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              1 (for Create event).

DS-Lite session delete – inbound variant

Description

This event is generated when an inbound session, received from the internet side and connected to a DS-Lite client on the subscriber side, is deleted; it marks the end of the inbound connection.

By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "LSN" routing-domain ID.
egressVRFID                       4              The "client" routing-domain ID.
sourceIPv4Address                 4
protocolIdentifier                1
sourceTransportPort               2
destinationIPv4Address            4
postNATDestinationIPv6Address     16
postNATDestinationIPv4Address     4
destinationTransportPort          2
postNAPTDestinationTransportPort  2
natOriginatingAddressRealm        1              2 (public/external realm, Internet side).
natEvent                          1              2 (for Delete event).
flowStartMilliseconds             8              Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          4              Duration in ms.

DS-Lite translation failed

Description

This event reports a DS-Lite Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv4Address                 4              IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP.
protocolIdentifier                1
sourceTransportPort               2
sourceIPv6Address                 16             IPv6 address for the remote endpoint of the DS-Lite tunnel.
destinationIPv4Address            4              0 (zero) if obscured.
destinationTransportPort          2              0 (zero) if obscured.
natEvent                          1              10 for Translation Failed.
natPoolName                       Variable       This IE is omitted for NetFlow v9.

DS-Lite quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT translation in a DS-Lite context.

Information Element (IE)          Size (Bytes)   Notes
observationTimeMilliseconds       8
ingressVRFID                      4              The "client" routing-domain ID.
sourceIPv4Address                 4
sourceIPv6Address                 16             DS-Lite remote endpoint IPv6 address.
natEvent                          1              11 for Session Quota Exceeded, 12 for Port Quota Exceeded.
natPoolName                       Variable       This IE is omitted for NetFlow v9.