IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S
Enabling NAT High-Speed Logging per VRF

The Enabling NAT High-Speed Logging Per VRF feature provides the ability to enable and disable Network Address Translation (NAT) high-speed logging (HSL) for individual virtual routing and forwarding (VRF) instances.

This module provides information about how to enable HSL for VRFs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Enabling NAT High-Speed Logging per VRF

High-Speed Logging for NAT

Network Address Translation (NAT) supports high-speed logging (HSL). When HSL is configured, NAT exports a log of the packets flowing through the routing device (records similar to NetFlow Version 9 records) to an external collector. Records are sent for each binding (the mapping between a local address and the global address it is translated to) and when sessions are created and destroyed. Session records contain the full 5-tuple (the source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements. NAT also sends an HSL message when a NAT pool runs out of addresses (pool exhaustion). Because pool exhaustion messages are rate limited, not every packet that hits the pool exhaustion condition triggers an HSL message.

The table below describes the templates for HSL bind and session create or destroy.

Table 1  Template for HSL Bind and Session Create or Destroy

Field                                      Format         ID    Value
-----------------------------------------  -------------  ----  ------------------------------------------
Source IP address                          IPv4 address   8     varies
Translated source IP address               IPv4 address   225   varies
Destination IP address                     IPv4 address   12    varies
Translated destination IP address          IPv4 address   226   varies
Original source port                       16-bit port    7     varies
Translated source port                     16-bit port    227   varies
Original destination port                  16-bit port    11    varies
Translated destination port                16-bit port    228   varies
Virtual routing and forwarding (VRF) ID    32-bit ID      234   varies
Protocol                                   8-bit value    4     varies
Event                                      8-bit value    230   0-Invalid, 1-Adds event, 2-Deletes event
Unix timestamp in milliseconds             64-bit value   323   varies (see Note)

Note: Whether the Unix timestamp field is present depends on your release version.

The table below describes the HSL pool exhaustion templates.

Table 2  Template for HSL Pool Exhaustion

Field          Format         ID    Values
-------------  -------------  ----  ---------------
NAT pool ID    32-bit value   283   varies
NAT event      8-bit value    230   3-Pool exhaust
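
The following decoder shows how a collector would consume the NetFlow Version 9 style export described above, using the field IDs from Table 1 (bind and session create or destroy) and Table 2 (pool exhaustion). It is an added illustration written for this page, not Cisco code. The v9 packet and FlowSet layout follows RFC 3954; the template IDs (256 and 257), the VRF ID, and every address, port and timestamp in the sample packet are constructed values, and the sample is built in the same script so the code runs offline.

```python
"""Decode NetFlow v9-style NAT HSL export packets using the field IDs from
Tables 1 and 2. Added illustration, not Cisco code. Template IDs 256/257 and
all addresses, ports and timestamps in the sample packet are constructed."""
import socket
import struct

# Field IDs from Table 1 (bind / session create or destroy) and Table 2 (pool exhaustion).
FIELD_NAMES = {
    8: "src_ip", 225: "xlate_src_ip", 12: "dst_ip", 226: "xlate_dst_ip",
    7: "src_port", 227: "xlate_src_port", 11: "dst_port", 228: "xlate_dst_port",
    234: "vrf_id", 4: "protocol", 230: "event", 323: "timestamp_ms",
    283: "nat_pool_id",
}
EVENT_NAMES = {0: "invalid", 1: "add", 2: "delete", 3: "pool-exhaust"}
IPV4_FIELDS = {8, 225, 12, 226}


def _decode_field(ftype, raw):
    """Turn the raw bytes of one field into a printable value."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    if ftype == 230:
        return EVENT_NAMES.get(value, "unknown(%d)" % value)
    return value


def decode_v9_packet(packet, templates=None):
    """Return the NAT records in one export packet as a list of dicts.

    `templates` maps template ID -> [(field_type, length), ...] and should be
    shared across calls: a v9 template may arrive in an earlier packet than the
    data that uses it, and data FlowSets with no known template are skipped.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, _unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length %d" % fs_len)
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: learn the field layout of each template ID
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template %d" % tid)
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # trailing padding is ignored
                rec = {"source_id": source_id, "template_id": fs_id}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = _decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        offset += fs_len
    return records


def to_log_line(rec):
    """Flatten a decoded record into one key=value line for a SIEM or syslog pipeline."""
    return " ".join("%s=%s" % (k, v) for k, v in rec.items())


def build_sample_packet():
    """Constructed sample export: one session-add record (template 256) and one
    pool-exhaustion record (template 257), with both templates in the same packet."""
    bind_fields = [(8, 4), (225, 4), (12, 4), (226, 4), (7, 2), (227, 2), (11, 2), (228, 2),
                   (234, 4), (4, 1), (230, 1), (323, 8)]
    pool_fields = [(283, 4), (230, 1)]
    tmpl = b""
    for tid, fields in ((256, bind_fields), (257, pool_fields)):
        tmpl += struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    bind = (socket.inet_aton("10.1.1.5") + socket.inet_aton("203.0.113.7")
            + socket.inet_aton("198.51.100.9") + socket.inet_aton("198.51.100.9")
            + struct.pack("!HHHHIBBQ", 51234, 1024, 443, 443, 18, 6, 1, 1700000000123))
    bind_fs = struct.pack("!HH", 256, 4 + len(bind)) + bind
    pool = struct.pack("!IB", 3, 3) + b"\x00" * 3  # 5-byte record padded to a 4-byte boundary
    pool_fs = struct.pack("!HH", 257, 4 + len(pool)) + pool
    header = struct.pack("!HHIIII", 9, 4, 123456, 1700000000, 1, 0)
    return header + template_fs + bind_fs + pool_fs


if __name__ == "__main__":
    # Offline demo on the constructed packet. To watch a real exporter, bind a UDP
    # socket on the collector port configured on the device (1020 in this module's
    # example) and pass each datagram to decode_v9_packet with one shared templates dict.
    for r in decode_v9_packet(build_sample_packet()):
        print(to_log_line(r))
```

Two points from the tables are visible in the decoder: the same event field (ID 230) carries both the session add/delete codes of Table 1 and the pool-exhaust code of Table 2, and a record is only decodable once its template has been received, so a collector must keep the template dictionary across packets rather than per packet.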

How to Configure Enabling NAT High-Speed Logging per VRF

Enabling High-Speed Logging of NAT Translations

You can enable or disable high-speed logging (HSL) of all Network Address Translation (NAT) translations or only translations for specific VPNs.

You must first use the ip nat log translations flow-export v9 udp destination command to enable HSL for all VPN and non-VPN translations. VPN translations are also known as Virtual Routing and Forwarding (VRF) translations.

After you enable HSL for all NAT translations, you can use the ip nat log translations flow-export v9 vrf-name command to enable or disable logging of translations for specific VPNs. Once you use this command, HSL is disabled for all VPNs except those for which the command explicitly enables it.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip nat log translations flow-export v9 udp destination addr port source interface interface-number

    4.    ip nat log translations flow-export v9 {vrf-name | global-on}

    5.    exit


DETAILED STEPS

Step 1  enable

    Example:
    Device> enable

    Enables privileged EXEC mode.

    • Enter your password if prompted.

Step 2  configure terminal

    Example:
    Device# configure terminal

    Enters global configuration mode.

Step 3  ip nat log translations flow-export v9 udp destination addr port source interface interface-number

    Example:
    Device(config)# ip nat log translations flow-export v9 udp destination 10.10.0.1 1020 source GigabitEthernet 0/0/0

    Enables the high-speed logging of all VPN and non-VPN translations.

Step 4  ip nat log translations flow-export v9 {vrf-name | global-on}

    Example:
    Device(config)# ip nat log translations flow-export v9 VPN-18

    Enables or disables the high-speed logging of specific NAT VPN translations.

Step 5  exit

    Example:
    Device(config)# exit

    (Optional) Exits global configuration mode and enters privileged EXEC mode.


Configuration Examples for Enabling NAT High-Speed Logging per VRF

Example: Enabling High-Speed Logging of NAT Translations

    Device# configure terminal
    Device(config)# ip nat log translations flow-export v9 udp destination 10.10.0.1 1020 source GigabitEthernet 0/0/0
    Device(config)# ip nat log translations flow-export v9 VPN-18
    Device(config)# exit

Additional References for Enabling NAT High-Speed Logging per VRF

Related Documents

Related Topic        Document Title
-------------------  ---------------------------------------------------
Cisco IOS commands   Cisco IOS Master Command List, All Releases
NAT commands         Cisco IOS IP Addressing Services Command Reference

Standards and RFCs

Standard/RFC         Title
-------------------  ---------------------------------------------------

Technical Assistance

Description                                                                  Link
---------------------------------------------------------------------------  --------------------------------------------------
The Cisco Support and Documentation website provides online resources to     http://www.cisco.com/cisco/web/support/index.html
download documentation, software, and tools. Use these resources to install
and configure the software and to troubleshoot and resolve technical issues
with Cisco products and technologies. Access to most tools on the Cisco
Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for Enabling NAT High-Speed Logging per VRF

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 3  Feature Information for Enabling NAT High-Speed Logging per VRF

Feature Name                               Releases                    Feature Information
-----------------------------------------  --------------------------  ------------------------------------------------------------------
Enabling NAT High-Speed Logging per VRF    Cisco IOS XE Release 3.1S   The Enabling NAT High-Speed Logging per VRF feature provides the
                                                                       ability to enable and disable Network Address Translation (NAT)
                                                                       high-speed logging (HSL) for virtual routing and forwarding (VRF)
                                                                       instances.

                                                                       The following commands were introduced or modified:
                                                                       ip nat log translations flow-export.