Cisco GRS Configuration Manual page 126

Frequently Asked Questions (FAQs)
A: In order to trace a subscriber, you should know the public source IP address (post NAT source address),
post NAT source port, protocol, and the time of usage. With these parameters, the steps to trace a subscriber
are as follows:
1 Search for the create event that has the matching public IP address, post NAT Source IP address
(postNATSourceIPv4Address) and protocol, egress VRF ID/Name and the time of the usage. Ensure that
the time of the create-event is the same or earlier than the time of usage reported. You may not find the
protocol entry or the exact post NAT source port in the logs if bulk allocation is enabled. In such cases,
find the create-event whose Post NAT Port Block Start and Post NAT Port Block End values include
the post NAT source port. The Pre NAT source IP address along with the corresponding ingress VRF
ID/Name will identify the subscriber.
2 The corresponding delete record may be found optionally to confirm that the subscriber was using the
specified public IP and port during the time of the reported usage.
Q: The Netflow records provide VRF IDs for ingress and egress VRFs. How will I know the VRF names?
A: The following are the two ways to find the VRF name from the VRF ID.
1 Use the command show rsi vrf-id <vrf-id> on the Router console to find VRF-ID to VRF-NAME
associations.
2 The CGv6 applications periodically send out option templates containing the VRF-ID to VRF-NAME
mapping. The Netflow collector software presents the information with VRF-Names rather than VRF IDs.
Q: Does the time format in Syslog or Netflow account for Day light saving?
A: The Syslog and Netflow formats report time corresponding to GMT/UTC. The Netflow header contains
the time in seconds that elapsed since EPOCH whereas the Syslog header contains time in human readable
formats. In both cases, the day light saving is not accounted. The Netflow/Syslog collectors have to make that
adjustments if needed.
Q: Since the Netflow and Syslog use UDP, how can we know if a packet containing translation record was
lost?
A: The Netflow header contains a field called Sequence Number. This number is indicates the count of the
packet coming from each Source ID. The Netflow collector traces the Seqence Number pertaining to each
unique Source ID. The sequence numbers should be increased by one for each packet sent out by the Source.
If the collector ever receives two successive packets with the same Source ID, but with a Sequence number
difference of more than 1, it indicate a packet loss. However, currently, no such mechanism exists for Syslog.
Q: What is the use of session-logging?
A: Session logging includes destination IP and port number as well. Though this information is not directly
useful in tracing the subscriber, in some cases, this information may be useful or may be mandated by the
legal authorities. There are cases where, legal authorities may not have the post NAT source 'port', however
may know the destination IP address (and optionally destination port, such as IP address and port of an e-mail
server). In the absence of post NAT source port information, a list of subscribers who used the specified public
IP during that time may have to be pruned further based on the destination IP and port information.
Q: How does the bulk port allocation reduce data volume of translation logs?
A: With bulk port allocation, subscribers are allocated a range of contiguous ports on a public IP. Quite often,
a subscriber will need more ports than just one. Especially AJAX based web pages and other web applications
simultaneously open several ports. In such cases, pre-allocated ports are used and only one log entry is made
that specifies the range of ports allocated to the user. Hence, bulk port allocation significantly reduces log
data volume and hence the demand on storage space needed for the translation logs.
Cisco IOS XR Carrier Grade NAT Configuration Guide for the Cisco CRS Router, Release 5.2.x
116
External Logging
OL-32659-01