9.11. Port Block Allocation¶

This mode allows you to significantly reduce the number of logs about subscriber connections passing through NAT.

In standard mode NAT allocates a new external port for each new connection. In this case, either the fact of allocating a port or the fact of establishing a connection is logged, depending on the type of logging used.

In the Port Block Allocation mode, a whole block of external ports is immediately allocated to the subscriber, then only the ports from the allocated block are used for each new connection. When the subscriber closes all of its connections, the port block allocated to it is released. In this case, the events of allocating and releasing a block of ports are logged, which reduces the number of logs by the factor of hundreds. The log message format is described in detail in the Logging section.

The port blocks are protocol-independent. For example, if a port block 12032-12287 is allocated to the subscriber, then both of its TCP and UDP connections will use this block.

Note

When using this mode, the destination address is not logged. The logs contain only the private address of the subscriber, its public IP address, and a port block. If you need to store information about destination addresses, then this mode of operation will not suit you.

Configuration¶

For a minimal configuration, you need to perform the following steps.

Configure port-block type logging, for example, using the IPFIX protocol:
```
nat log server 0 type ipfix ip 192.168.1.200 port 4739
nat log type port-block enable
nat log enable
```
These commands are described in detail in the Logging section.
Create port-block-allocation type pool:
```
nat pool pba-pool
 range 203.0.113.1 203.0.113.5
 type port-block-allocation block-size 256
 enable
```
In this example, blocks of 256 ports are used. If the client needs more than 256 ports, additional blocks will be allocated to it. These commands are described in detail in the Pools section.
Create a subscriber group and configure it to use this pool:
```
nat subscriber-group pba-group
 pool pba-pool
 limits port-block-entries 3
```
In this example, a limit of 3 port blocks per subscriber is set. This means that with a block size of 256 ports, a maximum of 768 ports will be available to one subscriber. These commands are described in detail in the Subscriber Groups section.
Set the subscriber subnet that will use this group:
```
nat rule subnet 100.64.0.0/16 subscriber-group pba-group
```
This command is described in detail in the Rules section.

Interim NAT Logs¶

Interim NAT logs keep track of which port blocks are assigned to specific internal IP addresses by sending NAT log messages for the specified period. They are essential when you need to understand that a port block is still assigned to a user.

The configuration steps are simple:

interim log enable¶: Enable interim logs.

no interim log enable¶: Disable interim logs.

interim log period (1-44640)¶: Set the interval in minutes for sending messages.

no interim log period¶: Delete the interval.