Forum Discussion

rafaelbn_176840's avatar
rafaelbn_176840
Icon for Altocumulus rankAltocumulus
Apr 09, 2019

BIG-IP CGNAT Module - General Questions

Hello Devs!

We're deploying a high performance VE running only the CGNAT module. Our client asked some tricky questions that I could not find the answer on the documentation. Could you guys have a try at them? We are running v14.1.0.

1- On the LSN pool, running on PBA mode, when you configure the member prefix IPs as a /24 for example, how does the BIG-IP chooses which IP to use under the prefix? Is it random? Is there some rule? For example:

ltm lsn-pool pool_CGNAT_GPON-4711 {
egress-interfaces {
    VLAN889_TRANSITO-OUT-GPON
}
egress-interfaces-enabled
members {
    200.200.200.0%4712/24
}
mode pba
port-block-allocation {
    block-idle-timeout 900
    block-size 512
    client-block-limit 2
}
route-advertisement enabled
}

In this example, which IP would the first client be translated to? 200.200.200.1? 200.200.200.5? What I saw so far is pretty much random, but I don't know if the subscriber internal IPs plays on some kind of hashing... Any thoughts?

2- What happens if a CGNAT subscriber stays connected and generating steady traffic regarding logs. When the subscriber hits the BIG-IP for the first time, BIG-IP allocates a block for it and logs a LSN-ALLOCATE event. If this same subscriber stays connected and with steady traffic flow (and my pool do not hame a lifetime configured), for many days, we would not see the LSN-RELEASE event log message. Our client wanted to know if there's some kind of update log message, that sends a message every X amount of time, to kind of reiterate that this specific subscriber still have that IP. This is necessary for auditing purposes.

Very tricky question, I know.

Thanks, Rafael

1 Reply

  • Opened a ticket with F5. The answers are:

     

    1- It's random. BIG-IP will use a random IP/Block that is not currently already in use.

     

    2- BIG-IP do not have any other message. When you get a block, a LSN-ALLOCATE is logged. When it's release you get an LSN-RELEASE. If the subscriber is always on, you're not going to see any other logs.