21 Mar

NetFlow Event Logger on ASR1k

ISPs are not yet ready to deploy IPv6 to end customers, and the lack of IPv4 address space forces them to use NAT in their networks. Unfortunately, more and more governments require logging of what users do and which IP addresses they connect to. NAT event logging to syslog has been available for quite a long time already, but with all the AJAX and P2P applications, logging, and especially querying the logged data, is inefficient. On ASR1k routers you can log NAT and firewall events using NetFlow v9.

The NAT event logger logs three types of events: add, remove and invalid. The first two appear when a translation (NAT entry) is created or deleted; the third appears when a translation cannot be created. With NetFlow event logging enabled, logs are sent to an off-box high-speed log collector. By default this functionality is disabled, so logs are sent to a buffer on the Route Processor; with a high number of NAT events this method is inefficient.

The structure of the flow template is fixed and cannot be changed:

templateId=259: id=259, fields=11
    field id=8 (ipv4 source address), offset=0, len=4
    field id=225 (natInsideGlobalAddress), offset=4, len=4
    field id=12 (ipv4 destination address), offset=8, len=4
    field id=226 (natOutsideGlobalAddress), offset=12, len=4
    field id=7 (transport source-port), offset=16, len=2
    field id=227 (postNAPTSourceTransportPort), offset=18, len=2
    field id=11 (transport destination-port), offset=20, len=2
    field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
    field id=234 (ingressVRFID), offset=24, len=4
    field id=4 (ip protocol), offset=28, len=1
    field id=230 (natEvent), offset=29, len=1
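Because the template is fixed, a collector (or an ad-hoc script for a lawful-request lookup) can decode the 30-byte data records directly from the offsets above. The following Python is an added example, not code from the post or from Cisco; the numeric natEvent codes (1 = add, 2 = delete) are assumed from the IPFIX registry, and the sample record is constructed, not captured from a router.

```python
import ipaddress
import struct

# Field layout of template 259 as printed above: (name, offset, length).
TEMPLATE_259 = [
    ("sourceIPv4Address", 0, 4), ("natInsideGlobalAddress", 4, 4),
    ("destinationIPv4Address", 8, 4), ("natOutsideGlobalAddress", 12, 4),
    ("sourceTransportPort", 16, 2), ("postNAPTSourceTransportPort", 18, 2),
    ("destinationTransportPort", 20, 2), ("postNAPTDestinationTransportPort", 22, 2),
    ("ingressVRFID", 24, 4), ("protocolIdentifier", 28, 1), ("natEvent", 29, 1),
]
RECORD_LEN = 30  # sum of the field lengths; every data record under this template is this size

# Assumption: natEvent codes follow the IPFIX registry (1 = create/add, 2 = delete);
# the page names the add/remove/invalid events but does not print their numeric values.
NAT_EVENT_NAMES = {1: "add", 2: "delete"}

def parse_record(data: bytes) -> dict:
    """Decode one fixed-size data record sent under template 259."""
    if len(data) < RECORD_LEN:
        raise ValueError(f"record too short: {len(data)} < {RECORD_LEN}")
    rec = {}
    for name, off, ln in TEMPLATE_259:
        raw = data[off:off + ln]
        # Address fields are 4-byte IPv4 addresses; everything else is big-endian unsigned.
        rec[name] = str(ipaddress.IPv4Address(raw)) if name.endswith("Address") else int.from_bytes(raw, "big")
    rec["natEventName"] = NAT_EVENT_NAMES.get(rec["natEvent"], "invalid/unknown")
    return rec

def parse_flowset(payload: bytes) -> list:
    """A data flowset carries records back to back; trailing padding bytes are ignored."""
    usable = len(payload) - len(payload) % RECORD_LEN
    return [parse_record(payload[i:i + RECORD_LEN]) for i in range(0, usable, RECORD_LEN)]

def find_subscriber(records: list, inside_global: str, post_port: int, proto: int = 6):
    """The lawful-request lookup: which inside address was given this public IP:port?"""
    for r in records:
        if (r["natEvent"] == 1 and r["natInsideGlobalAddress"] == inside_global
                and r["postNAPTSourceTransportPort"] == post_port and r["protocolIdentifier"] == proto):
            return r["sourceIPv4Address"]
    return None

# Constructed sample (not captured from a router): 10.1.2.3:51234 -> 198.51.100.7:443 over TCP,
# translated to 203.0.113.5:1025 in VRF 0, natEvent 1 (add).
SAMPLE_RECORD = struct.pack(
    ">4s4s4s4sHHHHIBB",
    ipaddress.IPv4Address("10.1.2.3").packed, ipaddress.IPv4Address("203.0.113.5").packed,
    ipaddress.IPv4Address("198.51.100.7").packed, ipaddress.IPv4Address("198.51.100.7").packed,
    51234, 1025, 443, 443, 0, 6, 1)
```

A real collector must first match the NetFlow v9 header and template flowset (ID 259) before handing the data flowset bytes to parse_flowset; that framing is not shown here.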

Enabling the NAT event logger is pretty easy and requires just one command, but it is good to tune the timers, such as how often the template is sent to the collector.

ip nat log translations flow-export v9 udp destination 5000

To enable the firewall event logger, the following configuration is required:

parameter-map type inspect global
 log flow-export v9 udp destination 5000
 log flow-export template timeout-rate 1

Cisco NetFlow Collector 6 can be used as a collector, but it does not recognize some fields from the template and has to be tuned manually per customer requirements. Also, because the NetFlow Event Logger can generate data flowsets every half second, you have to consider collector performance.

5 thoughts on “NetFlow Event Logger on ASR1k”

  1. Hi, if I use Gig0 (mgmt-intf) for mgmt and connectivity back to my netflow collector, is there a way to set the source as vrf mgmt-intf? Setting it as Gig0 does not seem to work? Thanks
  2. We are not getting any destination IP and destination port at the collector corresponding to the NAT translation; the source IP and NATed IP are there in the NetFlow packets. Are there any specific changes to be made for the same? We have used the same command as below for the translation: ip nat log translations flow-export v9 udp destination 5000
  3. When we changed from CGNAT to NAT overload, the destination IP and destination port started reflecting in the NAT flow exports. I guess Cisco does not support this feature with CGNAT.
