9.11. Port Block Allocation
This mode lets you significantly reduce the number of log records generated for subscriber connections passing through NAT.
In standard mode, NAT allocates a new external port for each new connection. Depending on the type of logging used, either the port allocation or the connection establishment is then logged, so every connection produces a record.
In Port Block Allocation mode, a whole block of external ports is allocated to the subscriber at once, and each new connection uses a port from that block. When the subscriber closes all of its connections, the port block allocated to it is released. Only the allocation and release of a block are logged, which reduces the number of log records by a factor of hundreds. The log message format is described in detail in the Logging section.
The port blocks are protocol-independent. For example, if the port block 12032-12287 is allocated to a subscriber, both its TCP and UDP connections use ports from this block.
When using this mode, the destination address is not logged. The logs contain only the private address of the subscriber, its public IP address, and the port block. A public address and port seen at a given time can therefore be attributed to a subscriber by matching it against the block allocation and release events, but the destination of the connection cannot be recovered. If you need to store information about destination addresses, this mode of operation will not suit you.
For a minimal configuration, you need to perform the following steps.
Enable port-block type logging, for example, using the IPFIX protocol:
    nat log server 0 type ipfix ip 192.168.1.200 port 4739
    nat log type port-block enable
    nat log enable
These commands are described in detail in the Logging section.
Create a NAT pool of the port-block-allocation type:
    nat pool pba-pool range 203.0.113.1 203.0.113.5 type port-block-allocation block-size 256 enable
In this example, blocks of 256 ports are used. If a subscriber needs more than 256 ports, additional blocks are allocated to it. These commands are described in detail in the Pools section.
Create a subscriber group and configure it to use this pool:
    nat subscriber-group pba-group pool pba-pool limits port-block-entries 3
In this example, a limit of 3 port blocks per subscriber is set. With a block size of 256 ports, this means a maximum of 3 x 256 = 768 ports is available to one subscriber. These commands are described in detail in the Subscriber Groups section.
Set the subscriber subnet that will use this group:
    nat rule subnet 100.64.0.0/16 subscriber-group pba-group
This command is described in detail in the Rules section.
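The following Python model shows how the settings above interact: blocks shared by TCP and UDP connections, the 3-block limit yielding 768 ports per subscriber, block-level allocation and release events instead of one event per connection, and attribution of a public address and port back to a subscriber from those events (without any destination address). It is an added example, not code from the product. The block size 256, the limit of 3 blocks, the pool addresses 203.0.113.x and the subscriber address 100.64.1.10 follow the configuration above; the usable external port range 1024-65535 and the event record format are assumptions and do not match the product's IPFIX log format.

```python
"""Constructed model of NAT Port Block Allocation (PBA): block-level events versus
per-connection events, the per-subscriber block limit, and attribution of a
public IP:port at a given time back to a subscriber. Not the product's code;
the event format below is invented and is not the product's IPFIX format."""
from dataclasses import dataclass, field
from typing import Optional

BLOCK_SIZE = 256                    # 'block-size 256' from the pool configuration
MAX_BLOCKS_PER_SUB = 3              # 'limits port-block-entries 3' from the subscriber group
PORT_LOW, PORT_HIGH = 1024, 65535   # assumed usable external port range (not stated on the page)


@dataclass
class Block:
    public_ip: str
    start: int                                  # first port of the block
    subscriber: str                             # private address of the subscriber
    alloc_time: int
    release_time: Optional[int] = None
    used: set = field(default_factory=set)      # external ports currently in use

    @property
    def end(self) -> int:
        return self.start + BLOCK_SIZE - 1


class PBANat:
    def __init__(self, pool_ips):
        # Carve every pool address into free blocks of BLOCK_SIZE ports.
        self.free = [(ip, p) for ip in pool_ips
                     for p in range(PORT_LOW, PORT_HIGH - BLOCK_SIZE + 2, BLOCK_SIZE)]
        self.active = {}            # subscriber -> list of blocks currently held
        self.history = []           # every block ever allocated, with alloc/release times
        self.log = []               # PBA-mode events (constructed format)
        self.per_conn_events = 0    # what standard mode would log: one event per connection

    def _allocate_block(self, sub, t):
        held = self.active.setdefault(sub, [])
        if len(held) >= MAX_BLOCKS_PER_SUB or not self.free:
            return None             # quota (3 blocks = 768 ports) or pool exhausted
        ip, start = self.free.pop(0)
        b = Block(ip, start, sub, alloc_time=t)
        held.append(b)
        self.history.append(b)
        # The event carries subscriber, public IP and block only: no destination address.
        self.log.append(f"t={t} ALLOC sub={sub} pub={ip} ports={b.start}-{b.end}")
        return b

    def open_conn(self, sub, proto, t):
        """Map a new TCP or UDP connection; blocks are shared by both protocols.
        Returns (public_ip, port) or None when the subscriber's port quota is exhausted."""
        for b in self.active.get(sub, []):
            for port in range(b.start, b.end + 1):
                if port not in b.used:
                    b.used.add(port)
                    self.per_conn_events += 1
                    return (b.public_ip, port)
        b = self._allocate_block(sub, t)
        if b is None:
            return None
        b.used.add(b.start)
        self.per_conn_events += 1
        return (b.public_ip, b.start)

    def close_conn(self, sub, public_ip, port, t):
        """Free the port; a block with no connections left is released and logged."""
        for b in self.active.get(sub, []):
            if b.public_ip == public_ip and b.start <= port <= b.end:
                b.used.discard(port)
                if not b.used:
                    b.release_time = t
                    self.active[sub].remove(b)
                    self.free.append((b.public_ip, b.start))
                    self.log.append(f"t={t} RELEASE sub={sub} pub={b.public_ip} ports={b.start}-{b.end}")
                return

    def attribute(self, public_ip, port, t):
        """Which subscriber held this public IP:port at time t, according to block events?
        This answers 'who'; the destination of the connection is not recoverable."""
        for b in self.history:
            if (b.public_ip == public_ip and b.start <= port <= b.end
                    and b.alloc_time <= t and (b.release_time is None or t < b.release_time)):
                return b.subscriber
        return None


def demo():
    nat = PBANat(["203.0.113.1", "203.0.113.2"])
    sub = "100.64.1.10"                            # a subscriber from 100.64.0.0/16
    # 768 connections alternating TCP/UDP fill exactly 3 blocks of 256 ports.
    mappings = [nat.open_conn(sub, "tcp" if i % 2 == 0 else "udp", t=i) for i in range(768)]
    overflow = nat.open_conn(sub, "tcp", t=768)   # 769th connection: quota exhausted
    owner = nat.attribute("203.0.113.1", 1024, t=500)
    for ip, port in mappings:
        nat.close_conn(sub, ip, port, t=1000)
    return {
        "first_two": mappings[:2],                # TCP and UDP drawn from the same block
        "blocks_used": len(nat.history),
        "overflow": overflow,
        "owner": owner,
        "after_release": nat.attribute("203.0.113.1", 1024, t=1001),
        "pba_events": len(nat.log),               # 3 ALLOC + 3 RELEASE
        "standard_events": nat.per_conn_events,   # one per connection in standard mode
    }


if __name__ == "__main__":
    print(demo())
```

Running the model, 768 connections produce 6 block events instead of 768 per-connection events, the 769th connection is refused by the 3-block limit, and a public IP and port can be attributed to the subscriber while the block is held but not after its release.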