Subscriber Awareness - CGNAT

Carrier-Grade Network Address Translation (CGNAT) is a network technology used by service providers to manage the scarcity of IPv4 addresses by enabling multiple subscribers to share a single public IP address. It works by translating private IP addresses (used within the subscriber’s local network) into public IPs as traffic flows to and from the internet. CGNAT is critical for large-scale internet access, mobile networks, and ISPs, as it eliminates the need to assign a public IP address to every individual subscriber.

CGNAT stretches a limited pool of public IPs across many subscribers by reusing addresses and ports. To do this it maintains a NAT table that maps each session's private IP and port to the public IP and port it was allocated, and it records each translation (for example, IPs, ports, and Subscriber IDs) in logs used for auditing, monitoring, and troubleshooting. Because the same public IP and port are handed to different subscribers over time, a public address on its own never identifies a subscriber; only the translation log, with its timestamps, can.

Importance of Logging a Subscriber ID in the Translation Log

Logging Subscriber IDs in the syslog or HSL (high-speed logging) translation logs is essential for visibility, compliance, and troubleshooting. Subscriber IDs (for example, IMSI, MSISDN, or NAI) uniquely identify subscribers in a network. When included in syslog or HSL logs, Subscriber IDs enable service providers to:

  • Correlate Events with Subscribers:

    • Match NAT events (for example, translations and errors) to individual subscribers.

    • Simplify mapping between private/public IPs and Subscriber identities.

  • Simplify Troubleshooting:

    • Quickly identify the subscriber causing issues like high traffic, misuse, or NAT errors.

    • Accelerate resolution by directly pinpointing the problematic sessions.

  • Compliance and Accountability:

    • Satisfy regulatory requirements for tracking user activity.

    • Maintain complete visibility into subscriber-level activities for enhanced auditing.

Procedures

Follow the steps in the following sections to enable and verify the Subscriber ID Logging feature in CGNAT.

Subscriber Creation

Subscribers are created dynamically through RADIUS message integration. See Subscriber Creation for more information.

Apply Log Profile

To enable subscriber ID logging in CGNAT, you must configure a log profile. The log profile defines the parameters for logging CGNAT events.

  1. Copy the following example into the cgnat-log-profile.yaml file.

    apiVersion: k8s.f5net.com/v1
    kind: logProfile
    metadata:
      name: cgnat-log-profile
    spec:
      nat:
        enabled: true                 # Enable CGNAT logging
        logSubscriberID: true         # Include the Subscriber ID in each log record
        publisher: my-log-publisher   # Log publisher (destination) that receives the records
    
  2. Run the following command to apply the log profile.

    kubectl apply -f cgnat-log-profile.yaml -n <name_space>
    
  3. Verify that the CGNAT log profile is applied by checking the f5ingress logs.

    For more information on the CGNAT log profile, see the F5BigNatPolicy CRD page.

Apply Log Profile to a SecureContext

Associate the log profile and the RADIUS profile (which supplies the subscriber identity) with the SecureContext so that translation logs for sessions in that context carry the Subscriber ID.

  1. Copy the following example into the secure-context-cgnat.yaml file.

    apiVersion: k8s.f5net.com/v1
    kind: secureContext
    metadata:
      name: secure-context-cgnat
    spec:
      radiusProfile: my-radius-profile   # RADIUS profile that provides subscriber awareness
      logProfile: cgnat-log-profile      # Attach the log profile created in the previous section

  2. Apply the SecureContext CR.

    kubectl apply -f secure-context-cgnat.yaml -n <name_space>

  3. Verify that the SecureContext is applied by checking the f5ingress logs.

    For more information on the RADIUS SecureContext, see the F5BigContextSecure CRD page.

Verify Subscriber ID in Translation Log

Once the configuration is applied, verify that the Subscriber ID appears in the NAT syslog or HSL translation logs.

  1. Access logs.

    Monitor logs through the configured log destination (log publisher).

  2. Verify log fields.

    Ensure the following details appear in the log:

    Key                  Description
    Timestamp            Time of the event
    Event Type           LSN_ADD or LSN_DELETE (creation or deletion of a NAT translation)
    Subscriber ID        Identity of the subscriber that owns the translation (for example, IMSI, MSISDN, or NAI)
    Private IP           Subscriber's private IP address
    Public IP and Port   Public address and port allocated to the subscriber's outgoing traffic

    Sample output:

    timestamp=2023-10-04T14:30:00, event=LSN_ADD, private_ip=192.168.1.10, public_ip=203.0.113.15:50001, subscriber_id=+12345678901
    timestamp=2023-10-04T14:32:10, event=LSN_DELETE, private_ip=192.168.1.10, public_ip=203.0.113.15:50001, subscriber_id=+12345678901
  3. Troubleshoot missing or incomplete logs.

    If subscriber IDs are missing or logs are incomplete:

    • Check RADIUS Integration: Ensure the RADIUS accounting messages are being sent correctly and contain required attributes.

    • Log Profile Settings: Verify the logSubscriberID parameter in the log profile is enabled.

    • System Monitoring: Review the fw_lsn_log_stat statistics for counters such as log_attempts, log_failures, or subscriber_id_not_found, which show whether log records are being generated and whether the Subscriber ID lookup is failing.
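The verification and troubleshooting steps above boil down to one question a practitioner actually has to answer with these logs: which subscriber held a given public IP and port at a given time, and which records arrived without a Subscriber ID. The following is an added example, not code from the F5 product or its documentation. It parses LSN_ADD and LSN_DELETE lines in the key=value layout of the sample output above, keeps each translation time-bounded (because the same public IP and port are reassigned to another subscriber after the LSN_DELETE), answers that lookup, and collects records whose subscriber_id field is missing. The log lines embedded in SAMPLE_LOG are constructed for the example, and the field names and the +E.164-style MSISDN values are assumed to match the sample output.

```python
"""Correlate a public IP:port at time T back to the CGNAT subscriber (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log, modelled on the page's sample output. The third line reuses
# 203.0.113.15:50001 for a different subscriber after the first translation was deleted;
# the fourth line deliberately lacks subscriber_id to exercise the troubleshooting path.
SAMPLE_LOG = """\
timestamp=2023-10-04T14:30:00, event=LSN_ADD, private_ip=192.168.1.10, public_ip=203.0.113.15:50001, subscriber_id=+12345678901
timestamp=2023-10-04T14:32:10, event=LSN_DELETE, private_ip=192.168.1.10, public_ip=203.0.113.15:50001, subscriber_id=+12345678901
timestamp=2023-10-04T14:33:00, event=LSN_ADD, private_ip=192.168.1.25, public_ip=203.0.113.15:50001, subscriber_id=+19876543210
timestamp=2023-10-04T14:35:00, event=LSN_ADD, private_ip=192.168.1.40, public_ip=203.0.113.15:50002
"""


@dataclass
class Translation:
    subscriber_id: Optional[str]   # None when the log record carried no subscriber_id
    private_ip: str
    public_ip: str
    public_port: int
    start: datetime                # time of LSN_ADD
    end: Optional[datetime] = None # time of LSN_DELETE; None while still active


def parse_line(line: str) -> dict:
    """Split 'k=v, k=v, ...' into a dict, tolerating stray whitespace."""
    fields = {}
    for part in line.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def load_translations(log_text: str) -> tuple[list[Translation], list[dict]]:
    """Replay ADD/DELETE events into time-bounded translations.

    Returns (translations, records_missing_subscriber_id)."""
    active: dict[tuple[str, int], Translation] = {}
    closed: list[Translation] = []
    missing: list[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ts = datetime.fromisoformat(rec["timestamp"])
        pub_ip, _, pub_port = rec["public_ip"].rpartition(":")
        key = (pub_ip, int(pub_port))
        sub = rec.get("subscriber_id")
        if sub is None:
            missing.append(rec)          # feed this into the RADIUS / log-profile checks above
        if rec["event"] == "LSN_ADD":
            # An ADD for a key that is still open means its DELETE was lost: close it here
            # so the stale mapping cannot be attributed past this point.
            stale = active.pop(key, None)
            if stale is not None:
                stale.end = ts
                closed.append(stale)
            active[key] = Translation(sub, rec["private_ip"], pub_ip, int(pub_port), ts)
        elif rec["event"] == "LSN_DELETE":
            tr = active.pop(key, None)
            if tr is not None:
                tr.end = ts
                closed.append(tr)
    return closed + list(active.values()), missing


def lookup(translations: list[Translation], public_ip: str, public_port: int,
           at_iso: str) -> Optional[Translation]:
    """Return the translation that owned public_ip:public_port at the given ISO-8601 time."""
    at = datetime.fromisoformat(at_iso)
    for tr in translations:
        if (tr.public_ip == public_ip and tr.public_port == public_port
                and tr.start <= at and (tr.end is None or at < tr.end)):
            return tr
    return None


if __name__ == "__main__":
    trs, missing = load_translations(SAMPLE_LOG)
    hit = lookup(trs, "203.0.113.15", 50001, "2023-10-04T14:34:00")
    print("owner at 14:34:", hit.subscriber_id if hit else None)
    print("records without subscriber_id:", len(missing))
```

The lookup is deliberately closed on the LSN_DELETE timestamp: a query that falls in the gap between a delete and the next add returns nothing rather than the previous owner, which is the behaviour you want when answering an abuse complaint or a lawful request, where attributing traffic to the wrong subscriber is worse than returning no match.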