H3C S7500 Series Command Manual(Release 3100 Series)-(V1.04)

40-NAT-Netstream-Policy Routing Commands

Table of Contents

Chapter 1 NAT Configuration Commands

1.1 NAT Configuration Commands

1.1.1 display nat address-group

1.1.2 display nat aging-time

1.1.3 display nat all

1.1.4 display nat blacklist

1.1.5 display nat outbound

1.1.6 display nat server

1.1.7 display nat statistics

1.1.8 nat address-group

1.1.9 nat aging-time

1.1.10 nat blacklist start

1.1.11 nat blacklist mode

1.1.12 nat blacklist limit amount

1.1.13 nat blacklist limit rate

1.1.14 nat blacklist limit rate source

1.1.15 nat outbound

1.1.16 nat server

1.1.17 reset nat

1.1.18 nat ftp server

1.2 NAT Security Logging Configuration Commands

1.2.1 display ip userlog export

1.2.2 ip userlog nat slot

1.2.3 ip userlog nat active-time

1.2.4 ip userlog nat export host

1.2.5 ip userlog nat export source-ip

1.2.6 ip userlog nat export version

1.2.7 ip userlog nat mode flow-begin

Chapter 2 Netstream Configuration Commands

2.1 Netstream Configuration Commands

2.1.1 display ip netstream cache

2.1.2 display ip netstream export

2.1.3 enable

2.1.4 ip netstream aggregation

2.1.5 ip netstream export dscp

2.1.6 ip netstream export host

2.1.7 ip netstream export source

2.1.8 ip netstream export version

2.1.9 ip netstream inbound source

2.1.10 ip netstream outbound source

2.1.11 ip netstream template refresh

2.1.12 ip netstream template timeout

2.1.13 ip netstream timeout active

2.1.14 ip netstream timeout inactive

2.1.15 reset ip netstream statistics

Chapter 3 Policy Routing Configuration Commands

3.1 Policy Routing Configuration Commands

3.1.1 display qos-vlan traffic-redirect

3.1.2 traffic-redirect inbound ip-group

3.1.3 traffic-redirect outbound ip-group

 


Chapter 1  NAT Configuration Commands

 

Note:

Currently, the LS81VSNP boards installed in S7500 series switches support the NAT feature. In this manual, the LS81VSNP board is called LPU (line processing unit).

 

1.1  NAT Configuration Commands

1.1.1  display nat address-group

Syntax

display nat address-group

View

Any view

Parameters

None

Description

Use the display nat address-group command to display NAT address pool configuration.

Examples

# Display NAT address pool configuration.

<H3C> display nat address-group

  NAT address-group information:

      0 : from   1.1.1.1   to   1.1.1.2

      1 : from   2.2.2.2   to   2.2.2.3  slot 3

1.1.2  display nat aging-time

Syntax

display nat aging-time

View

Any view

Parameters

None

Description

Use the display nat aging-time command to display the settings for NAT entry aging time.

Examples

# Display the settings for NAT table entry aging time.

<H3C> display nat aging-time

NAT aging-time value information:

In slot 6 , alg ---- aging-time value is    120 (seconds)

In slot 6 , ftp ---- aging-time value is   7200 (seconds)

 

The slot 6 NP-Timer configuration:

  Selection of NP-Timer is : Fast-Timer

  Fast-Timer : 120 seconds

  Slow-Timer: 3600 seconds

Table 1-1 Description of the fields of the display nat aging-time command

Field | Description

NAT aging-time value information | NAT aging time information follows.

alg ---- aging-time value is 120 (seconds) | The aging time for ALG NAT entries is 120 seconds.

ftp ---- aging-time value is 7200 (seconds) | The aging time for FTP connections is 7200 seconds.

The slot 3 NP-timer configuration | The NP-timer settings on the board in slot 3 follow.

Selection of NP-timer is : Fast-Timer | The fast NP timer is selected.

Fast-Timer : 120 seconds | The fast timer is 120 seconds.

Slow-Timer : 3600 seconds | The slow timer is 3600 seconds.

 

1.1.3  display nat all

Syntax

display nat all

View

Any view

Parameters

None

Description

Use the display nat all command to display all information about the current NAT configuration, including the NAT address pools, the NAT ACLs (ACLs referenced by the nat outbound command), the internal servers and the aging time settings.

Examples

# Display all information of the current NAT configurations.

<H3C> display nat all

NAT address-group information:

  0   : from        10.1.1.1   to        10.1.1.3

NAT outbound information:

  No interfaces have been configured for NAT

Server in private network information:

  No internal servers have been configured

 The total nat server number is 0

NAT aging-time value information:

In slot 6 , alg ---- aging-time value is    120 (seconds)

In slot 6 , ftp ---- aging-time value is   7200 (seconds)

 

The slot 6 NP-Timer configuration:

  Selection of NP-Timer is : Fast-Timer

  Fast-Timer : 120 seconds

  Slow-Timer: 3600 seconds

1.1.4  display nat blacklist

Syntax

display nat blacklist { all | ip [ ip-address ] slot slot-number }

View

Any view

Parameters

all: Displays all blacklist configurations and status.

ip: Displays IP address-specific blacklist configurations and status.

ip-address: IP address whose blacklist configuration you want to query.

slot-number: Slot number of an LPU.

Description

Use the display nat blacklist command to display the configurations and status of NAT blacklist.

• The display nat blacklist all command displays all blacklist configurations.

• The display nat blacklist ip [ ip-address ] slot slot-number command displays IP address-specific blacklist configurations and status.

Examples

# Display all blacklist configurations.

<H3C> display nat blacklist all

Blacklist function global configuration:

  Blacklist function of the NO. 7 L3plus board is started.

  Connection amount control is enabled.

  Connection set-up rate control is enabled.

  Amount control limit: 500 sessions.

  Rate control limit: 250 session/s.

  Special rate control limit: 250 session/s.

  Global Committed Burst Size is 375

  Special IP Committed Burst Size is 375

  Global Extended Burst Size is 0

  Special IP Extended Burst Size is 0

Altogether 1 IP addresses have special configuration:

Control limit configuration of IP 1.1.1.1:

  Amount control limit: 100 sessions.

  Rate control limit uses global configuration.

# Display blacklist status on the LPU in slot 6.

<H3C> display nat blacklist ip slot 6

This query may last a long time, please wait for a moment...

 There are  6  ip address in blacklist.

     192.168.1.4      192.168.1.1      192.168.1.5      192.168.1.2

     192.168.1.6      192.168.1.3

1.1.5  display nat outbound

Syntax

display nat outbound

View

Any view

Parameters

None

Description

Use the display nat outbound command to display all ACL-NAT address pool associations.

Examples

# Display all ACL-NAT address pool associations.

<H3C> display nat outbound

NAT outbound information:

  Vlan-interface2: acl(2001) --- NAT address-group(1) [no-pat] slot:3

  Vlan-interface2: acl(2002) --- NAT address-group(0) slot:3

  Vlan-interface3: acl(2001) --- NAT address-group(2) [no-pat] slot:3

  Vlan-interface3: acl(2002) --- interface slot:3

1.1.6  display nat server

Syntax

display nat server

View

Any view

Parameters

None

Description

Use the display nat server command to display information about all internal servers.

Examples

# Display information about all internal servers.

<H3C> display nat server

Server in private network information:

  Interface  GlobalAddr     GlobalPort  InsideAddr     InsidePort  Pro     Slot

  Vlanif1    20.1.1.1         21(ftp)   10.1.1.1         21(ftp)   6(tcp)    6

 

 The total nat server number is 1

1.1.7  display nat statistics

Syntax

display nat statistics slot slot-number

View

Any view

Parameters

slot-number: Slot number of an LPU.

Description

Use the display nat statistics command to display the current NAT statistics.

Examples

# Display the current NAT statistics.

<H3C> display nat statistics slot 6

Current statistics information in slot 6:

  active inside user count: 0

  active PAT session table count: 0

  active NO-PAT session table count: 0

  active SERVER session table count: 0

  the number of processed packet: 0

1.1.8  nat address-group

Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameters

group-number: Address pool index, a number ranging from 0 to 319.

start-addr: Start IP address of the address pool.

end-addr: End IP address of the address pool.

Description

Use the nat address-group command to configure a NAT address pool.

Use the undo nat address-group command to delete a NAT address pool.

A NAT address pool is a set of consecutive public IP addresses. If start-addr and end-addr are the same, there is only one address in the pool.

 

Caution:

• A NAT address pool can contain at most 256 IP addresses.

• You cannot delete an address pool that has been associated with an ACL.

• An address pool can be used for NAPT (network address port translation) only when it contains no more than three addresses.

 

Examples

# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat address-group 1 202.110.10.10 202.110.10.15

1.1.9  nat aging-time

Syntax

nat aging-time { alg time-value | np slow } slot slot-number

undo nat aging-time [ alg | np ] slot slot-number

View

System view

Parameters

alg: Sets the NAT connection aging time for CPU-processed ALG (application layer gateway) NAT mapping entries.

time-value: Aging time in seconds, ranging from 10 to 86,400. By default, it is 120.

np slow: Sets the NP (network processor) to use the slow aging timer (the aging time is 3,600 seconds). By default, the NP uses the fast aging timer (the aging time is 120 seconds).

slot-number: Slot number of an LPU.

Description

Use the nat aging-time command to set the NAT connection aging time for CPU-processed ALG NAT mapping entries or for NP-processed NAT mapping entries. A NAT connection is terminated when its aging time expires.

Use the undo nat aging-time command to restore the default NAT connection aging time settings: the aging time for ALG entries is set back to 120 seconds and the NP uses the fast aging timer again.

Examples

# Set the NAT connection aging time for ALG entries to 245 seconds for the LPU in slot 6.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat aging-time alg 245 slot 6

1.1.10  nat blacklist start

Syntax

nat blacklist start slot slot-number

undo nat blacklist start slot slot-number

View

System view

Parameters

slot slot-number: Specifies the slot number of an LPU.

Description

Use the nat blacklist start command to enable NAT blacklist for an LPU.

Use the undo nat blacklist start command to disable NAT blacklist for an LPU.

By default, the feature is disabled.

Examples

# Enable NAT blacklist for the LPU in slot 3.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist start slot 3

1.1.11  nat blacklist mode

Syntax

nat blacklist mode { all | amount | rate }

undo nat blacklist mode { all | amount | rate }

View

System view

Parameters

all: Controls both the number of NAT connections and the connection setup rate.

amount: Controls the number of NAT connections.

rate: Controls the connection setup rate.

 

Note:

The connection here refers to an address mapping established during NAT, and the connection setup rate refers to the rate at which NAT connections are established.

 

Description

Use the nat blacklist mode command to set the control mode of the NAT blacklist feature, thus using the feature to control the number of NAT connections, the connection setup rate, or both.

Use the undo nat blacklist mode command to cancel the setting of NAT blacklist control mode.

 

Caution:

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Examples

# Configure the NAT blacklist feature to control the number of NAT connections.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist mode amount

1.1.12  nat blacklist limit amount

Syntax

nat blacklist limit amount [ source user-ip ] amount-value

undo nat blacklist limit amount [ source user-ip ]

View

System view

Parameters

amount: Limits the number of NAT connections.

user-ip: IP address of a user.

amount-value: Control threshold for the number of NAT connections per user. This argument ranges from 20 to 20,000.

Description

Use the nat blacklist limit amount command to set the global or a user-specific control threshold for the number of NAT connections, which limits how many NAT connections each global user or a specific user can establish.

Use the undo nat blacklist limit amount command to restore the default control threshold for the number of NAT connections.

The default control threshold for the number of NAT connections is 500.

• If you do not use the source keyword, the command applies to global users.

• If you use the source keyword, the command applies to the user with the specified IP address.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set different thresholds for the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the specific connection setup rate thresholds you set apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Examples

# Set the global threshold to control the number of NAT connections per user.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit amount 600

# Set a specific threshold to control the number of NAT connections of the user with IP address 1.1.1.2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit amount source 1.1.1.2 800

1.1.13  nat blacklist limit rate

Syntax

nat blacklist limit rate [ source ip ] cir cir-value [ cbs cbs-value ebs ebs-value ]

undo nat blacklist limit rate [ source ip ]

View

System view

Parameters

source ip: Specifies that the control thresholds for connection setup rate are set for specific source IP addresses (IP addresses specified by the nat blacklist limit rate source user-ip command).

cir-value: CIR control threshold for connection setup rate, the long-term average rate on the port, in sessions per second. This argument ranges from 20 to 262,144. The default value is 250. (CIR: committed information rate.)

cbs-value: CBS control threshold for connection setup rate, in sessions per second. This argument ranges from cir-value to 90 x cir-value and must be less than 4,294,960. The default value is 375. (CBS: committed burst size.)

ebs-value: EBS control threshold for connection setup rate, in sessions per second. This argument ranges from 0 to 90 x cir-value and must be less than or equal to cbs-value. The default value is 0. (EBS: extended burst size.)

Description

Use the nat blacklist limit rate command to set the global or specific control thresholds for connection setup rate (number of connections established per second).

Use the undo nat blacklist limit rate command to restore the default control thresholds for connection setup rate.

Note that:

• If you do not use the source ip keyword, the command applies to all global users.

• If you use the source ip keyword, the command applies only to specific users (users specified by the nat blacklist limit rate source user-ip command with source IP addresses).

• If you do not use the nat blacklist limit rate command, the system adopts the default values for cir-value, cbs-value, and ebs-value. They are 250, 375, and 0 respectively.

• If you configure only cir-value by using the nat blacklist limit rate command, the value of cbs-value is cir-value x 1.5 and the value of ebs-value is 0.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set different thresholds for the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the specific connection setup rate thresholds you set apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Examples

# Set the specific CIR, CBS and EBS control thresholds to 100, 500 and 40 respectively.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit rate source ip cir 100 cbs 500 ebs 40

1.1.14  nat blacklist limit rate source

Syntax

nat blacklist limit rate source user-ip

undo nat blacklist limit rate source user-ip

View

System view

Parameters

user-ip: IP address of a user.

Description

Use the nat blacklist limit rate source command to specify the IP address of a user so that the specific connection setup rate control thresholds apply to that user.

Use the undo nat blacklist limit rate source command to remove the configuration.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set different thresholds for the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the specific connection setup rate thresholds you set apply to all specific users (users specified by the nat blacklist limit rate source user-ip command); you cannot set different thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Examples

# Apply the specific connection setup rate thresholds to user 2.2.2.2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit rate source 2.2.2.2

1.1.15  nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number

undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number

View

VLAN interface view

Parameters

address-group: Specifies an address pool to be used for NAT. If you do not specify an address pool in the command, the IP address of the current interface will be used as the translated source IP address, that is, the Easy IP feature is enabled.

no-pat: Specifies to use one-to-one NAT, so that only the source IP addresses in packets are translated while the port numbers are not translated.

acl-number: Index of an ACL, in the range from 2000 to 3999.

group-number: Index of a NAT address pool, in the range from 0 to 319.

slot-number: Slot number of an LPU, to which the address pool will be bound. All NAT operations using the NAT rule will be carried out on this LPU.

Description

Use the nat outbound command to associate an ACL with a NAT address pool, and bind the address pool to an LPU, so as to translate the addresses matching the ACL to the addresses in the pool on the LPU.

Use the undo nat outbound command to remove the configuration.

If you use the nat outbound command to associate an ACL with an address pool, the NAT process will use the IP addresses in the pool to translate the source addresses of the packets that match the ACL. You can configure multiple NAT associations on a VLAN interface, which is normally connected to an ISP network and serves as the egress of the internal network.

If you execute the nat outbound command without the address-group keyword, the Easy IP feature is implemented, and the IP address of the interface is used to translate the source addresses that match the specified ACL.

When you execute the nat outbound command on a VLAN interface with an address pool specified, the address pool should be on the same network segment as the IP address of the VLAN interface. Otherwise, NAT may not operate normally. In this case, you can use one of the following two ways to solve the problem.

1) Configure a static route: configure a static route to the VLAN interface on an upstream router (a router on the upstream network of the NAT-enabled switch).

2) Use a routing protocol to advertise the routes of the IP addresses in the address pool. To do this, configure static routes for the IP addresses in the address pool on the NAT-enabled switch, with the outbound interface set to NULL. Note that the configured static route segments should cover the combined segments of the IP addresses in the address pool.

 

Note:

• For the NAT function, basic ACLs (2000 to 2999) support only the source IP address as the filtering item, while advanced ACLs (3000 to 3999) support both the source IP address and the destination IP address as filtering items. Other ACL filtering items are not supported currently.

• After you configure the nat outbound command with an ACL, modifications to the ACL (adding or deleting rules) do not take effect on the NAT configuration.

 

Examples

Perform the following procedure to allow hosts on segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to 202.110.10.12. Suppose VLAN-interface 2 is connected to an ISP network.

# Configure an ACL.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000

[H3C-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255

[H3C-acl-basic-2000] rule deny

[H3C-acl-basic-2000] quit

# Configure a NAT address pool.

[H3C] nat address-group 1 202.110.10.10 202.110.10.12

# Configure NAPT on the LPU in slot 3 with address pool 1.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] nat outbound 2000 address-group 1 slot 3

# Remove the NAPT configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 slot 3

# Configure one-to-one NAT on the LPU in slot 3 with address pool 1.

[H3C-Vlan-interface2] nat outbound 2000 address-group 1 no-pat slot 3

# Remove the one-to-one NAT configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 no-pat slot 3

# Configure the Easy IP feature, to directly use the IP address of VLAN-interface 2 for address translation.

[H3C-Vlan-interface2] nat outbound 2000 slot 3

# Remove the Easy IP configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 slot 3

1.1.16  nat server

Syntax

1) Configure an internal server

• Use the following command when TCP/UDP is used.

nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number

• Use the following command when protocols other than TCP/UDP are used.

nat server protocol pro-type global global-addr inside host-addr slot slot-number

2) Delete an internal server

• Use the following command when TCP/UDP is used.

undo nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number

• Use the following command when protocols other than TCP/UDP are used.

undo nat server protocol pro-type global global-addr inside host-addr slot slot-number

3) Configure a group of consecutive internal servers

nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number

4) Delete a group of consecutive internal servers

undo nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number

View

VLAN interface view

Parameters

pro-type: Protocol carried by the IP protocol, which can be specified by using a keyword such as tcp, udp, or icmp.

global-addr: Public IP address provided for access from external networks.

global-port: Public port number provided for access from external networks.

host-addr: Private IP address of an internal server.

host-port: Private port number provided by the server, in the range from 0 to 65535. At the position of this argument, you can also use a keyword to indicate a well-known port. For example, you can use www for the WWW service port 80 and ftp for the FTP service port 21. The keyword any has the same meaning as port number 0, which indicates that the internal server can provide any available service in the internal network; this is not supported currently.

 

Caution:

The global-port and host-port arguments are not needed if the protocol is neither TCP nor UDP and does not use port numbers.

 

global-port1, global-port2: Specify a range of consecutive port numbers that correspond one-to-one to the private addresses in the specified internal host address range. global-port2 must be larger than global-port1.

host-addr1, host-addr2: Specify a range of consecutive addresses that correspond one-to-one to the port numbers in the above port number range. host-addr2 must be larger than host-addr1.

slot-number: Slot number of an LPU.

Description

Use the nat server command to define mapping table entries for internal servers. By using the address and port number specified by the global-addr and the global-port arguments for an internal server, external users can access the internal server with the address and port number specified by the host-addr and host-port arguments.

Use the undo nat server command to delete an internal server mapping entry.

You can use the nat server command to allow some internal servers to be accessed by external users. Some examples of such servers are WWW, FTP, Telnet, POP3, and DNS.

 

Caution:

• Up to 128 internal servers can be configured in one nat server command.

• Up to 768 nat server commands can be configured for one VLAN interface.

• Up to 4,096 internal servers can be configured for one VLAN interface.

• Up to 1,024 nat server commands and 4,096 internal servers can be configured in a system.

 

Note:

• The interface configured with this command is an egress of the internal network and should be directly connected to an ISP network.

• Currently, secondary address translation on a NAT connection is not supported.

• To use the NetMeeting software or enable an internal FTP server, you need to configure both the nat server and nat outbound commands. For details, refer to "1.1.15 nat outbound".

 

Examples

# Specify the IP address of the internal WWW server to be 10.110.10.10, the IP address of the internal FTP server to be 10.110.10.11, and allow external hosts to access the WWW server and FTP server by http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Suppose that VLAN-interface 2 is connected to an ISP network.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify an internal host 10.110.10.12 which can be successfully pinged by external hosts using the ping 202.110.10.11 command.

[H3C-Vlan-interface2] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2

# Delete the WWW server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

# Delete the FTP server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify the external address 202.110.10.10 and map ports 1001 to 1100 to the Telnet service of internal hosts 10.110.10.1 to 10.110.10.100, allowing external access to 10.110.10.1 through 202.110.10.10:1001, to 10.110.10.2 through 202.110.10.10:1002, and so on.

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 5
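The following audit helper is an added example and not H3C code: it reads a constructed Comware-style snippet built from the nat address-group, nat outbound and nat server examples above, checks the limits the manual states for those commands (256 addresses per pool, NAPT only for pools of up to three addresses, pool on the VLAN interface's segment, 128 servers per nat server command) and expands the consecutive-server form into the explicit public port to inside host map. The interface address 202.110.10.1/24 and the telnet=23 keyword value are assumptions of the example.

```python
"""Added audit example (not H3C code) for the nat address-group, nat outbound
and nat server commands: checks the limits the manual states against a
constructed config and expands nat server ranges into the explicit port map."""
import ipaddress

MAX_POOL_ADDRS = 256        # 1.1.8: a pool holds at most 256 addresses
MAX_NAPT_POOL_ADDRS = 3     # 1.1.8: NAPT only for pools of up to 3 addresses
MAX_SERVERS_PER_CMD = 128   # 1.1.16: internal servers per nat server command

# www and ftp are keywords the manual lists; telnet=23 is well-known and assumed here.
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23}


def port(tok):
    """Turn a port token (number or keyword) into an integer."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_KEYWORDS:
        return PORT_KEYWORDS[tok]
    raise ValueError(f"unknown port keyword {tok!r}")


def pool_size(start, end):
    """Number of consecutive addresses from start to end inclusive."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def expand_server(tokens):
    """Expand one 'nat server protocol ...' command into explicit
    (global_addr, global_port, host_addr, host_port, proto) tuples; the range
    form maps global-port1..port2 one-to-one onto host-addr1..addr2."""
    proto = tokens[tokens.index("protocol") + 1]
    g, i, s = tokens.index("global"), tokens.index("inside"), tokens.index("slot")
    gf, hf = tokens[g + 1:i], tokens[i + 1:s]
    if len(gf) == 1:                     # port-less protocol such as icmp
        return [(gf[0], None, hf[0], None, proto)]
    if len(gf) == 2:                     # single TCP/UDP server
        return [(gf[0], port(gf[1]), hf[0], port(hf[1]), proto)]
    p1, p2 = port(gf[1]), port(gf[2])
    h1, h2 = ipaddress.ip_address(hf[0]), ipaddress.ip_address(hf[1])
    if p2 <= p1 or h2 <= h1 or p2 - p1 != int(h2) - int(h1):
        raise ValueError("range form needs port2 > port1, addr2 > addr1, equal lengths")
    return [(gf[0], p1 + k, str(h1 + k), port(hf[2]), proto) for k in range(p2 - p1 + 1)]


def audit(config_text):
    """Return (findings, exposure): findings are limit violations as strings,
    exposure maps each VLAN interface to its expanded nat server entries."""
    pools, findings, exposure = {}, [], {}
    ifname = ifnet = None
    for line in config_text.splitlines():
        t = line.split()
        if not t or t[0] == "#":
            continue
        if t[:2] == ["nat", "address-group"]:
            pools[t[2]] = (t[3], t[4])
            n = pool_size(t[3], t[4])
            if n > MAX_POOL_ADDRS:
                findings.append(f"address-group {t[2]}: {n} addresses exceed the limit of {MAX_POOL_ADDRS}")
        elif t[0] == "interface":
            ifname, ifnet = "".join(t[1:]), None   # "Vlan-interface 2" -> "Vlan-interface2"
        elif t[:2] == ["ip", "address"]:
            ifnet = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[:2] == ["nat", "outbound"] and "address-group" in t:   # Easy IP: nothing to check
            grp = t[t.index("address-group") + 1]
            start, end = pools[grp]
            n = pool_size(start, end)
            if "no-pat" not in t and n > MAX_NAPT_POOL_ADDRS:
                findings.append(f"{ifname}: address-group {grp} has {n} addresses, NAPT allows at most {MAX_NAPT_POOL_ADDRS}")
            if ifnet is not None and not (ipaddress.ip_address(start) in ifnet and ipaddress.ip_address(end) in ifnet):
                findings.append(f"{ifname}: address-group {grp} lies outside {ifnet}; a static route on the "
                                "upstream router or a NULL route advertised by a routing protocol is needed")
        elif t[:2] == ["nat", "server"]:
            entries = expand_server(t)
            if len(entries) > MAX_SERVERS_PER_CMD:
                findings.append(f"{ifname}: one nat server command defines {len(entries)} servers, limit {MAX_SERVERS_PER_CMD}")
            exposure.setdefault(ifname, []).extend(entries)
    return findings, exposure


# Constructed sample config; the addresses follow the manual's examples.
SAMPLE_CONFIG = """\
nat address-group 1 202.110.10.10 202.110.10.12
nat address-group 2 202.110.20.0 202.110.21.0
interface Vlan-interface 2
 ip address 202.110.10.1 255.255.255.0
 nat outbound 2000 address-group 1 slot 3
 nat outbound 2001 address-group 2 no-pat slot 3
 nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3
 nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2
 nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 5
"""

if __name__ == "__main__":
    found, exposed = audit(SAMPLE_CONFIG)
    print(*found, sep="\n")
    print({name: len(entries) for name, entries in exposed.items()})
```

On the sample, address pool 2 (257 addresses, off the interface's segment) produces two findings and the Telnet range expands to 100 separate public-port to inside-host entries, which is the list to review when deciding what is meant to be reachable from the ISP side.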

1.1.17  reset nat

Syntax

reset nat session slot slot-number

View

User view

Parameters

slot-number: Slot number of an LPU.

Description

Use the reset nat session command to clear the NAT mapping table from memory and from the NP (network processor).

Examples

# Clear the NAT mapping table established by the LPU in slot 3.

<H3C> reset nat session slot 3

1.1.18  nat ftp server

Syntax

nat ftp server global global-addr global-port inside host-addr host-port slot slot-number

undo nat ftp server global global-addr global-port inside host-addr host-port slot slot-number

View

VLAN interface view

Parameters

global-addr: Public IP address of an internal FTP server.

global-port: Public port number of the internal FTP server. This argument ranges from 0 to 12287. For port 21, you can use keyword ftp to replace this argument.

host-addr: Private IP address of the internal FTP server.

host-port: Private port number of the internal FTP server. This argument ranges from 0 to 65535. For port 21, you can use keyword ftp to replace this argument.

 

Caution:

Among the ports a non-standard internal FTP server can use on the private network (port 0 through port 65535), do not use well-known ports other than port 21 as the private port. The CLI prompts you if you specify one of them in the commands above; the well-known ports can be seen in the CLI command help.

 

slot-number: Slot number of an LPU.

Description

Use the nat ftp server command to configure a non-standard internal FTP server.

Use the undo nat ftp server command to remove a non-standard internal FTP server configuration.

These two commands can be accompanied by other internal server-related commands, such as the nat server and undo nat server commands. In this case, bear in mind that:

• The nat server command can only be used to configure internal FTP servers that use private port 21.

• The undo nat server command can be used to remove internal FTP servers configured by the nat ftp server command.

• The undo nat ftp server command can be used to remove internal FTP servers configured by the nat server command.

Related commands: nat server.

Examples

# Configure a non-standard internal FTP server that uses 202.10.10.1 and 11225 as the public IP address and port number, and 1.1.1.3 and 1698 as the private IP address and port number.

<H3C> system-view

[H3C] interface vlan-interface 3

[H3C-Vlan-interface3] nat ftp server global 202.10.10.1 11225 inside 1.1.1.3 1698 slot 3

1.2  NAT Security Logging Configuration Commands

1.2.1  display ip userlog export

Syntax

display ip userlog export slot slot-number

View

Any view

Parameters

slot-number: Slot number of an LPU.

Description

Use the display ip userlog export command to display the configuration and statistics of NAT logging.

Examples

# Display the configuration of NAT logging.

<H3C> display ip userlog export slot 6

NAT:

  IP userlog export is not enabled

  Version 1 export is enabled

  Export logs to 0.0.0.0 (Port: 0)

  (DEFAULT)Export logs to 0.0.0.0 (Port: 0)

  Export using source address 0.0.0.0

  IP userlog flowbegin mode is not enabled

  IP userlog active time: 0 minutes

  0 logs exported in 0 udp datagrams

  0 logs in 0 udp datagrams failed to output

  0 entries buffered currently

1.2.2  ip userlog nat slot

Syntax

ip userlog nat slot slot-number acl acl-number

undo ip userlog nat slot slot-number

View

System view

Parameters

slot-number: Slot number of an LPU.

acl-number: Index of an ACL, in the range from 2000 to 3999.

Description

Use the ip userlog nat slot slot-number acl command to enable NAT logging and to specify the NAT logging ACL, which defines the packets whose information will be logged.

Use the undo ip userlog nat slot command to disable NAT logging.

By default, NAT logging is disabled for any LPU.

Examples

# Enable NAT logging on the LPU in slot 3, and use ACL 2000 as the logging ACL.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat slot 3 acl 2000

1.2.3  ip userlog nat active-time

Syntax

ip userlog nat active-time minutes

undo ip userlog nat active-time

View

System view

Parameters

minutes: Wait interval to log active NAT connections, in minutes. The NAT process will periodically log an active connection at this interval after the active time of the connection reaches this interval. This argument ranges from 10 to 120. The default value is 0, indicating the logging of active connections is disabled.

Description

Use the ip userlog nat active-time command to set the wait interval to log active NAT connections.

Use the undo ip userlog nat active-time command to disable the logging of active connections.

By default, the NAT process writes a log record only when a NAT connection is deleted. For connections that stay active for a long time, you may also want the NAT process to log them periodically at a fixed interval. This command achieves that by setting the value of the corresponding timer on the SRPU.

Examples

# Set the wait interval to log active NAT connections to 30 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat active-time 30

1.2.4  ip userlog nat export host

Syntax

ip userlog nat export [ slot slot-number ] host ip-address udp-port

undo ip userlog nat export [ slot slot-number ] host

View

System view

Parameters

ip-address: IP address of a log server, that is, the destination IP address for log packets. By default, it is 0.0.0.0, indicating NAT logging is disabled.

udp-port: UDP port number of a log server, that is, the destination port number for log packets. It ranges from 0 to 65535 and is 0 by default.

slot-number: Slot number of an LPU. If you specify the slot-number argument, the configuration is only effective for the specified LPU; otherwise, the configuration is effective for all LPUs. The configuration with the slot-number argument specified takes precedence over the global configuration.

Description

Use the ip userlog nat export host command to set the address and port number of the global destination server for log packets.

Use the undo ip userlog nat export host command to restore the default settings for global destination server.

Use the ip userlog nat export slot slot-number host command to set the address and port number of a specific destination server for log packets on a specified LPU.

Use the undo ip userlog nat export slot slot-number host command to restore the settings of global destination server for log packets on a specified LPU.

Examples

# Set the destination IP address and UDP port number of log packets on the LPU in slot 3 to 169.254.1.1 and 200 respectively.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export slot 3 host 169.254.1.1 200

1.2.5  ip userlog nat export source-ip

Syntax

ip userlog nat export source-ip src-address

undo ip userlog nat export source-ip

View

System view

Parameters

src-address: Source IP address for log packets. The default source IP address is 0.0.0.0, indicating that the VLAN-interface IP address is used as the source IP address.

Description

Use the ip userlog nat export source-ip command to set the source IP address of log packets.

Use the undo ip userlog nat export source-ip command to restore the default source IP address setting.

By default, a log packet uses its VLAN interface IP address as its source IP address.

Examples

# Set the source IP address of log packets to 169.254.3.1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export source-ip 169.254.3.1

1.2.6  ip userlog nat export version

Syntax

ip userlog nat export version version-number

undo ip userlog nat export version

View

System view

Parameters

version-number: Version of log packets. It defaults to 1, and currently 1 is the only valid value; the version field is reserved so that network management software can identify extended log packet formats in the future.

Description

Use the ip userlog nat export version command to set the version of log packets.

Use the undo ip userlog nat export version command to restore the default version of log packets.

Examples

# Set the version of log packets to 1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export version 1

1.2.7  ip userlog nat mode flow-begin

Syntax

ip userlog nat mode flow-begin

undo ip userlog nat mode flow-begin

View

System view

Parameters

None

Description

Use the ip userlog nat mode flow-begin command to have NAT logging performed whenever a NAT connection is established.

Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.

NAT logging has the following two modes, and you can choose one by using the commands here.

•  Perform logging only when a NAT connection is deleted.

•  Perform logging whenever a NAT connection is established or deleted.

By default, the NAT logging is performed only when a NAT connection is deleted.

Examples

# Configure to have NAT logging performed whenever a connection is established.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat mode flow-begin
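To make the effect of the two logging modes and the active-time timer concrete, here is an added simulation (not H3C code) of the records a collector would receive for one NAT session. The record layout, the minute-based timestamps and the sample addresses are constructed for the example; the rule that an "active" record is written each time the session's active time reaches another multiple of the interval is an assumption drawn from the description of ip userlog nat active-time.

```python
"""Simulate the NAT log records the ip userlog nat settings would produce for
one connection. Added example, not H3C code; timestamps are whole minutes and
the record layout is a constructed placeholder."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NatConnection:
    inside: str    # private address:port, e.g. "10.0.0.5:1234" (constructed)
    public: str    # translated public address:port (constructed)
    start: int     # minute at which the NAT session was created
    end: int       # minute at which the NAT session was deleted


@dataclass
class NatLogConfig:
    flow_begin: bool = False   # ip userlog nat mode flow-begin
    active_time: int = 0       # ip userlog nat active-time (0 = disabled)

    def __post_init__(self) -> None:
        # The command accepts 10..120 minutes; 0 is the "disabled" default.
        if self.active_time != 0 and not 10 <= self.active_time <= 120:
            raise ValueError("active-time must be 0 or between 10 and 120 minutes")


def nat_log_events(conn: NatConnection, cfg: NatLogConfig) -> List[Tuple[int, str]]:
    """Return (minute, event) pairs in the order the NAT process would log them.

    Default mode logs only at deletion; flow-begin mode adds a record at
    creation; a non-zero active-time adds a record each time the session's
    active time reaches another multiple of the interval (assumption: no
    separate "active" record is written at the minute the session is deleted).
    """
    events: List[Tuple[int, str]] = []
    if cfg.flow_begin:
        events.append((conn.start, "begin"))
    if cfg.active_time:
        t = conn.start + cfg.active_time
        while t < conn.end:
            events.append((t, "active"))
            t += cfg.active_time
    events.append((conn.end, "end"))
    return events


def render(conn: NatConnection, events: List[Tuple[int, str]]) -> List[str]:
    """Constructed, human-readable record lines a log collector could ingest."""
    return [f"t={minute:>4}m NAT {event:<6} {conn.inside} -> {conn.public}"
            for minute, event in events]


if __name__ == "__main__":
    session = NatConnection("10.0.0.5:1234", "202.10.10.1:40000", start=0, end=100)
    cfg = NatLogConfig(flow_begin=True, active_time=30)
    for line in render(session, nat_log_events(session, cfg)):
        print(line)
```

With flow-begin enabled and active-time 30, a 100-minute session yields a "begin" record at minute 0, "active" records at minutes 30, 60 and 90, and an "end" record at minute 100; with the defaults it yields only the "end" record, which is why a collector that needs to see long-lived translations while they are still open has to rely on the active-time timer.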

 


Chapter 2  Netstream Configuration Commands

 

&  Note:

Currently, the LS81VSNP boards installed in S7500 series switches support the Netstream feature. In this manual, the LS81VSNP board is called LPU.

 

2.1  Netstream Configuration Commands

2.1.1  display ip netstream cache

Syntax

display ip netstream cache slot slot-number

View

Any view

Parameters

slot-number: Slot number of an LPU.

Description

Use the display ip netstream cache command to display the Netstream configuration and status of the Netstream cache on the LPU in a specified slot.

Examples

# Display information about the Netstream cache of the LPU in slot 3.

<H3C> display ip netstream cache slot 6

 IP netstream cache information in slot 6

  Stream active timeout(minute)  : 30

  Stream inactive timeout(second): 60

  Active stream entry            : 1

  Stream entry been counted      : 1

  Last statistics reset time     : none

 

 Protocol           Total  Packets   Stream   Packets

                  Streams     /Sec     /Sec   /stream

 ----------------------------------------------------

 Total                  0        0        0         0

Table 2-1 Description on the fields of the display ip netstream cache command

 Field                                    Description
 ------------------------------------------------------------------------------------------------
 Stream active timeout(minute)  : 30      The current active aging time is 30 minutes.
 Stream inactive timeout(second): 60      The current inactive aging time is 60 seconds.
 Active stream entry            : 1       The Netstream cache contains 1 active stream entry.
 Stream entry been counted      : 1       Netstream has output 1 stream entry.
 Last statistics reset time     : none    The statistics have never been cleared.
 Protocol  Total Streams  Packets/sec     Protocol type, total number of streams, packets per second,
 Stream/sec  Packets/stream                streams per second, and packets per stream.

 

2.1.2  display ip netstream export

Syntax

display ip netstream export slot slot-number

View

Any view

Parameters

slot-number: Slot number of an LPU.

Description

Use the display ip netstream export command to display information about Netstream export packets on the LPU in a specified slot.

Examples

# Display information about Netstream export packets of the LPU in slot 6.

<H3C> display ip netstream export slot 6

IP netstream export information in slot 6

  IP netstream is enabled in slot 0

 

 Version 9 export information

  Template refresh (packet)                  : 20

  Template timeout (minute)                  : 30

  Stream source address                      : 0

  Stream destination IP(UDP)                 : 2.1.1.1(0)

  Exported stream number                     : 0

  Exported UDP datagram number(failed number): 0(0)

 

 Version 9 AS aggregation information:

Stream destination IP(UDP):  10.10.0.11 (30000)

  Stream source address:     3.3.3.3

  Exported stream number:      16

  Exported UDP datagram number(failed number):  2(0)

Table 2-2 Description on the fields of the display ip netstream export command

 Field                                          Description
 ------------------------------------------------------------------------------------------------
 IP netstream export information in slot 6      Information about Netstream export packets on the LPU in slot 6 follows.
 IP netstream is enabled in slot : 0            Slot number of a board where Netstream is enabled.
 Version 9 export information:                  The following is information about version 9 Netstream export packets.
 Stream source address:                         Source IP address of Netstream export packets.
 Stream destination IP(UDP):                    Destination IP address and UDP port number of Netstream export packets.
 Exported stream number:                        Number of sent stream entries.
 Exported UDP datagram number(failed number):   Number of sent UDP packets (number of UDP packets that failed to be sent).
 Version 9 AS aggregation information:          The following is information about version 9 Netstream export packets when AS aggregation is enabled. This information is not displayed if AS aggregation is not enabled.

 

2.1.3  enable

Syntax

enable

undo enable

View

Netstream aggregation view

Parameters

None

Description

Use the enable command to enable the aggregation mode corresponding to the current aggregation view.

Use the undo enable command to disable the aggregation mode.

By default, no aggregation mode is enabled.

Related commands: ip netstream aggregation.

Examples

# Enable the AS aggregation mode of Netstream.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream aggregation as

[H3C-aggregation-as] enable

# Disable the AS aggregation mode of Netstream.

[H3C-aggregation-as] undo enable

2.1.4  ip netstream aggregation

Syntax

ip netstream aggregation { as | protocol-port | destination-prefix | prefix | source-prefix }

View

System view

Parameters

as: Specifies the view for AS (autonomous system) aggregation mode. In this mode, the Netstream streams are classified by: source and destination AS numbers, and outbound interface index.

protocol-port: Specifies the view for protocol-port aggregation mode. In this mode, the Netstream streams are classified by: protocol number, source and destination ports.

source-prefix: Specifies the view for source-prefix aggregation mode. In this mode, the Netstream streams are classified by: source AS number, source mask length and source prefix.

destination-prefix: Specifies the view for destination-prefix aggregation mode. In this mode, the Netstream streams are classified by: destination AS number, destination mask length, destination prefix, and outbound interface index.

prefix: Specifies the view for source- and destination-prefix aggregation mode. In this mode, the Netstream streams are classified by: source and destination AS numbers, source and destination mask lengths, source and destination prefixes, and outbound interface index.

Description

Use the ip netstream aggregation command to enter a Netstream aggregation view.

Under the aggregation view, you can enable/disable the aggregation function in the corresponding mode, and set the source IP address, the destination IP address and port number for Netstream export packets in version 9 format.

Related commands: enable, ip netstream export host, ip netstream export source.

Examples

# Enter Netstream AS aggregation view.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream aggregation as

[H3C-aggregation-as]
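The five aggregation modes differ only in the key fields by which stream entries are merged. The following added example (not H3C code) applies each mode's classification fields, as listed under Parameters above, to a handful of constructed flow records and reports the stream, packet and byte totals per aggregated key. The FlowRecord field names and the sample flows are assumptions made for this example; the key tuples follow the parameter descriptions.

```python
"""Group flow records by the key each ip netstream aggregation mode uses.
Added example, not H3C code: field names and sample flows are constructed,
and the keys follow the mode descriptions in the command reference."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    src_as: int
    dst_as: int
    src_mask: int      # source prefix length
    dst_mask: int      # destination prefix length
    out_ifindex: int   # outbound interface index
    packets: int
    octets: int


def prefix(ip: str, mask_len: int) -> str:
    """Network address of ip under a prefix length, e.g. 10.1.1.5/24 -> 10.1.1.0."""
    return str(ipaddress.ip_network(f"{ip}/{mask_len}", strict=False).network_address)


# One key function per aggregation mode, mirroring the classification fields
# of the as / protocol-port / source-prefix / destination-prefix / prefix views.
AGGREGATION_KEYS: Dict[str, Callable[[FlowRecord], tuple]] = {
    "as": lambda f: (f.src_as, f.dst_as, f.out_ifindex),
    "protocol-port": lambda f: (f.proto, f.src_port, f.dst_port),
    "source-prefix": lambda f: (f.src_as, f.src_mask, prefix(f.src_ip, f.src_mask)),
    "destination-prefix": lambda f: (f.dst_as, f.dst_mask,
                                     prefix(f.dst_ip, f.dst_mask), f.out_ifindex),
    "prefix": lambda f: (f.src_as, f.dst_as, f.src_mask, f.dst_mask,
                         prefix(f.src_ip, f.src_mask), prefix(f.dst_ip, f.dst_mask),
                         f.out_ifindex),
}


def aggregate(flows: List[FlowRecord], mode: str) -> Dict[tuple, Tuple[int, int, int]]:
    """Return {key: (streams, packets, octets)} for the requested aggregation mode."""
    key_of = AGGREGATION_KEYS[mode]   # KeyError for a mode the command does not offer
    totals: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        t = totals[key_of(f)]
        t[0] += 1
        t[1] += f.packets
        t[2] += f.octets
    return {k: (v[0], v[1], v[2]) for k, v in totals.items()}


# Constructed sample flows: two HTTPS sessions into one /24 and one DNS query elsewhere.
SAMPLE_FLOWS = [
    FlowRecord("10.1.1.5", "192.168.2.10", 6, 40000, 443, 65001, 65002, 24, 24, 3, 10, 5000),
    FlowRecord("10.1.1.9", "192.168.2.20", 6, 40001, 443, 65001, 65002, 24, 24, 3, 4, 800),
    FlowRecord("10.1.1.5", "172.16.0.7", 17, 53000, 53, 65001, 65003, 24, 16, 4, 2, 200),
]

if __name__ == "__main__":
    for mode in AGGREGATION_KEYS:
        print(mode, aggregate(SAMPLE_FLOWS, mode))
```

Running it shows why mode choice matters for what a collector can still see: source-prefix aggregation collapses all three flows into one entry (they share AS 65001 and 10.1.1.0/24), AS aggregation keeps two entries because the DNS flow leaves through a different interface towards a different AS, and protocol-port aggregation keeps all three because the source ports differ.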

2.1.5  ip netstream export dscp

Syntax

ip netstream export dscp dscp-value

undo ip netstream export dscp

View

System view

Parameters

dscp-value: Differentiated services code point (DSCP) value, ranging from 0 to 63, with 0 as the default value.

Description

Use the ip netstream export dscp command to configure the DSCP value of Netstream export packets. Netstream export packets will be classified by their DSCP values.

Use the undo ip netstream export dscp command to restore the default DSCP value.

Examples

# Set the DSCP value of Netstream export packets to 60.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream export dscp 60

2.1.6  ip netstream export host

Syntax

ip netstream export host ip-address udp-port

undo ip netstream export host

View

System view, Netstream aggregation view

Parameters

ip-address: IP address of the destination host for Netstream export packets, in dotted decimal notation.

udp-port: UDP port number of the destination host for Netstream export packets.

Description

Use the ip netstream export host command to configure the IP address and UDP port number of the destination host for Netstream export packets.

Use the undo ip netstream export host command to restore the default IP address and port number.

By default:

•  The destination IP address is 0.0.0.0 and the destination port number is 0 in system view.

•  The destination IP address and port number in aggregation view are those configured in system view.

You can configure different destination IP addresses and port numbers for different aggregation modes.

Related commands: ip netstream aggregation, ip netstream export source.

Examples

# Configure the destination IP address and UDP port number for Netstream export packets to 172.16.105.48 and 50000 respectively.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream export host 172.16.105.48 50000

2.1.7  ip netstream export source

Syntax

ip netstream export source ip-address

undo ip netstream export source

View

System view, Netstream aggregation view

Parameters

ip-address: IP address, in dotted decimal notation.

Description

Use the ip netstream export source command to configure the source IP address of Netstream export packets, which will be used as the source address of UDP packets.

Use the undo ip netstream export source command to restore the default setting.

By default, the source IP address is 0.0.0.0, which indicates that the IP address of the corresponding outbound interface is used as the source IP address.

You can configure different source IP addresses for different aggregation modes.

Related commands: ip netstream aggregation, ip netstream export host.

Examples

# Configure the source IP address of Netstream export packets to 3.3.3.3.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream export source 3.3.3.3

2.1.8  ip netstream export version

Syntax

ip netstream export version version-number [ origin-as | peer-as ]

undo ip netstream export version

View

System view

Parameters

version-number: Version number for Netstream export packets. Currently, you can configure version 5 or version 9.

origin-as: Use original AS numbers as the AS numbers for individual IP addresses.

peer-as: Use peer AS numbers as the AS numbers for individual IP addresses.

Description

Use the ip netstream export version command to configure the version and the AS option for Netstream export packets in non-aggregation mode.

Use the undo ip netstream export version command to restore the default configuration.

By default, version 5 is used and the AS option is peer-as.

Netstream can use three versions of Netstream export packets to send aged stream entries: version 5, version 8 and version 9. But currently, only version 5 and version 9 are configurable:

•  If version 5 is configured: the system sends normal stream entries through version 5 packets and sends aggregated stream entries through version 8 packets.

•  If version 9 is configured: the system sends all aged stream entries through version 9 packets.

Examples

# Configure to use version 5 Netstream export packets and use original AS numbers as the AS numbers for individual IP addresses.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream export version 5 origin-as
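On the collector side, version 5 export packets are fixed-layout binary records, so a small parser is enough to read what the switch sends. The following added example (not H3C code) decodes one such datagram and rejects malformed ones. It assumes that the version 5 layout is the NetFlow v5 wire format (24-byte big-endian header, 48-byte records, at most 30 records per datagram); the sample datagram is constructed in the block with build_v5() rather than captured from a switch, and the addresses and AS numbers in it are made up.

```python
"""Parse a version 5 Netstream export datagram on the collector side.
Added example, not H3C code. Assumption: the version 5 layout matches NetFlow
v5 (24-byte header, 48-byte records, big-endian); the sample datagram is
constructed with build_v5() rather than captured from a switch."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_V5_RECORDS = 30                                    # NetFlow v5 limit per datagram


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int   # lets the collector detect lost export datagrams
    engine_type: int
    engine_id: int
    sampling: int


@dataclass
class V5Record:
    src: str
    dst: str
    next_hop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int
    last_ms: int
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int
    tos: int
    src_as: int     # origin or peer AS, per ip netstream export version 5 [ origin-as | peer-as ]
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_v5(data: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Decode a datagram, validating version, record count and total length first."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = V5Header(*V5_HEADER.unpack_from(data, 0))
    if hdr.version != 5:
        raise ValueError(f"not a version 5 datagram (version={hdr.version})")
    if hdr.count > MAX_V5_RECORDS:
        raise ValueError(f"record count {hdr.count} exceeds v5 maximum")
    needed = V5_HEADER.size + hdr.count * V5_RECORD.size
    if len(data) < needed:
        raise ValueError(f"truncated datagram: {len(data)} < {needed} bytes")
    records = []
    for i in range(hdr.count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]), next_hop=socket.inet_ntoa(f[2]),
            in_if=f[3], out_if=f[4], packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            src_port=f[9], dst_port=f[10], tcp_flags=f[12], proto=f[13], tos=f[14],
            src_as=f[15], dst_as=f[16], src_mask=f[17], dst_mask=f[18]))   # f[11], f[19] are padding
    return hdr, records


def is_well_formed(data: bytes) -> bool:
    """True if parse_v5 accepts the datagram; used to drop garbage before ingestion."""
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False


def build_v5(records: List[V5Record], flow_sequence: int = 0) -> bytes:
    """Serialize records into a v5 datagram (used here only to construct test input)."""
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r.src), socket.inet_aton(r.dst), socket.inet_aton(r.next_hop),
        r.in_if, r.out_if, r.packets, r.octets, r.first_ms, r.last_ms,
        r.src_port, r.dst_port, 0, r.tcp_flags, r.proto, r.tos,
        r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0) for r in records)
    header = V5_HEADER.pack(5, len(records), 120000, 1700000000, 0, flow_sequence, 0, 0, 0)
    return header + body


# Constructed sample: one HTTPS stream and one DNS stream, sequence number 16.
SAMPLE = build_v5([
    V5Record("10.1.1.5", "192.168.2.10", "192.168.2.1", 3, 4, 10, 5000, 1000, 9000,
             40000, 443, 0x1b, 6, 0, 65001, 65002, 24, 24),
    V5Record("10.1.1.5", "172.16.0.7", "172.16.0.1", 3, 5, 2, 200, 2000, 2100,
             53000, 53, 0, 17, 0, 65001, 65003, 24, 16),
], flow_sequence=16)

if __name__ == "__main__":
    header, recs = parse_v5(SAMPLE)
    print(header)
    for r in recs:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto {r.proto} "
              f"AS {r.src_as}->{r.dst_as} {r.packets} pkts {r.octets} bytes")
```

Two things in the block matter operationally: the length check keeps a truncated or padded UDP datagram from being read past its end, and the flow_sequence field is what lets a collector notice that export datagrams were lost on the way, which the "failed number" counter in display ip netstream export only reports from the switch's side.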

2.1.9  ip netstream inbound source

Syntax

ip netstream inbound source srcslot-number to dstslot-number [ acl acl-number ]

undo ip netstream inbound source srcslot-number to dstslot-number

View

System view

Parameters

srcslot-number: Slot number of an interface board.

dstslot-number: Slot number of an LPU.

acl-number: Index of an ACL.

Description

Use the ip netstream inbound source command to mirror the inbound packets on an interface board to an LPU and enable Netstream, a packet statistics function.

Use the undo ip netstream inbound source command to stop the mirroring and disable Netstream.

If the acl keyword is used in the ip netstream inbound source command, only the streams on the interface board that match the ACL are mirrored to the LPU, which in turn collects packet statistics for them.

By default, Netstream is disabled.

 

&  Note:

With ACL rules, up to 100 streams can be mirrored for Netstream statistics collection in the system.

 

Examples

# Mirror the inbound packets on the board in slot 3 to the LPU in slot 6 and enable Netstream.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream inbound source 3 to 6

2.1.10  ip netstream outbound source

Syntax

ip netstream outbound source srcslot-number to dstslot-number

undo ip netstream outbound source srcslot-number to dstslot-number

View

System view

Parameters

srcslot-number: Slot number of an interface board.

dstslot-number: Slot number of an LPU.

Description

Use the ip netstream outbound source command to mirror the outbound packets on an interface board to an LPU and enable Netstream.

Use the undo ip netstream outbound source command to stop the mirroring and disable Netstream.

By default, Netstream is disabled.

Examples

# Mirror the outbound packets on the board in slot 3 to the LPU in slot 6 and enable Netstream.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream outbound source 3 to 6

2.1.11  ip netstream template refresh

Syntax

ip netstream template refresh packets

undo ip netstream template refresh

View

System view

Parameters

packets: Threshold for the number of Netstream export packets sent between two template transmissions, ranging from 1 to 600, in packets.

Description

Use the ip netstream template refresh command to configure a packet threshold for updating the template of version 9 Netstream packets. When the number of transmitted packets exceeds the configured threshold, the system sends the newest template to the NSC (Netstream collector).

Use the undo ip netstream template refresh command to restore the default packet threshold.

By default, the packet threshold is 20.

Examples

# Set the packet threshold for updating the template to 100.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream template refresh 100

2.1.12  ip netstream template timeout

Syntax

ip netstream template timeout minutes

undo ip netstream template timeout

View

System view

Parameters

minutes: Template aging time, ranging from 1 to 3,600, in minutes.

Description

Use the ip netstream template timeout command to configure a template aging time. When the time for transmitting Netstream packets exceeds the configured aging time, the system sends the newest template to the NSC and counts time again.

Use the undo ip netstream template timeout command to restore the default aging time.

By default, the template aging time is 30 minutes.

Examples

# Set the template aging time to 60 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream template timeout 60
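Version 9 records are only decodable by a collector that already holds the matching template, so the refresh threshold and the aging time together bound how long a collector that missed or restarted stays blind. The following added example (not H3C code) models the two rules from ip netstream template refresh and ip netstream template timeout as a single decision made per export packet. It assumes the template is sent with the first export packet, again once the configured number of packets has been sent since the last template, and whenever the aging time has elapsed since the last template; the exact boundary behaviour on the switch is not specified on this page.

```python
"""Decide when a version 9 exporter must resend its template, per the
ip netstream template refresh / timeout semantics. Added example, not H3C
code; assumes the template goes out with the first export packet, again
once `refresh_packets` packets have been sent since, and whenever
`timeout_minutes` has elapsed since the last template."""
from typing import List, Optional


class TemplateRefreshPolicy:
    def __init__(self, refresh_packets: int = 20, timeout_minutes: int = 30):
        # Defaults and ranges follow the two commands: 20 packets (1..600),
        # 30 minutes (1..3600).
        if not 1 <= refresh_packets <= 600:
            raise ValueError("refresh threshold must be 1..600 packets")
        if not 1 <= timeout_minutes <= 3600:
            raise ValueError("template timeout must be 1..3600 minutes")
        self.refresh_packets = refresh_packets
        self.timeout = timeout_minutes * 60          # seconds
        self.packets_since_template = 0
        self.last_template_at: Optional[float] = None

    def template_needed(self, now: float) -> bool:
        """Call once per export packet; True means prepend the template to it."""
        if self.last_template_at is None:
            due = True                                # collector has never seen it
        elif self.packets_since_template >= self.refresh_packets:
            due = True                                # packet threshold reached
        elif now - self.last_template_at >= self.timeout:
            due = True                                # template aged out
        else:
            due = False
        if due:
            self.last_template_at = now
            self.packets_since_template = 0
        self.packets_since_template += 1
        return due


def template_packets(total_packets: int, interval_s: float,
                     refresh_packets: int = 20, timeout_minutes: int = 30) -> List[int]:
    """1-based indices of the export packets that carry the template when one
    export packet is sent every interval_s seconds (constructed timeline)."""
    policy = TemplateRefreshPolicy(refresh_packets, timeout_minutes)
    return [i for i in range(1, total_packets + 1)
            if policy.template_needed((i - 1) * interval_s)]


if __name__ == "__main__":
    print("busy exporter, defaults:", template_packets(45, 1.0))
    print("idle exporter, one packet per 10 min, timeout 30:", template_packets(5, 600.0))
    print("idle exporter, one packet per 10 min, timeout 60:",
          template_packets(5, 600.0, timeout_minutes=60))
```

On a busy exporter the packet threshold dominates (template on packets 1, 21, 41, ...), while on a nearly idle one the aging time is what brings the template back; raising the timeout to 60 minutes as in the example above means the idle exporter in the third run never repeats its template within the 40-minute window shown.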

2.1.13  ip netstream timeout active

Syntax

ip netstream timeout active minutes

undo ip netstream timeout active

View

System view

Parameters

minutes: Active aging time for Netstream entries in minutes, in the range of 5 to 60.

Description

Use the ip netstream timeout active command to configure the active aging time for Netstream entries.

Use the undo ip netstream timeout active command to restore the default active aging time.

By default, the active aging time is 30 minutes.

A stream entry will be aged out when the active time of this stream (the time elapsed since the stream entry was created) exceeds the time limit you set here.

Related commands: ip netstream timeout inactive.

Examples

# Configure the active aging time for Netstream entries to 60 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream timeout active 60

2.1.14  ip netstream timeout inactive

Syntax

ip netstream timeout inactive seconds

undo ip netstream timeout inactive

View

System view

Parameters

seconds: Inactive aging time for Netstream entries in seconds, in the range of 60 to 600.

Description

Use the ip netstream timeout inactive command to configure the inactive aging time for Netstream entries.

Use the undo ip netstream timeout inactive command to restore the default inactive aging time.

By default, the inactive aging time for Netstream entries is 60 seconds.

A stream entry will be aged out when the inactive time of the stream (the time elapsed since the last packet of the stream passed the switch) exceeds the time limit you set here.

Related commands: ip netstream timeout active.

Examples

# Configure the inactive aging time for Netstream entries to 150 seconds.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip netstream timeout inactive 150
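The active and inactive timers decide when a stream entry leaves the cache and becomes an export record, which is also what determines how promptly a collector sees a long-lived or a finished stream. The following added example (not H3C code) models a cache with both timers and runs a constructed packet timeline through it: a short DNS exchange that goes quiet, and an HTTPS session that keeps sending for more than the active limit. Timestamps are seconds, the flow keys are made up, and the rule that an entry aged out by the active timer is recreated on the next packet is an assumption consistent with the descriptions above.

```python
"""Model a Netstream cache with the active and inactive aging timers from
ip netstream timeout active / inactive. Added example, not H3C code;
timestamps are seconds and the packet timeline is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowEntry:
    key: tuple         # e.g. (src, dst, proto, sport, dport)
    created: float     # time the entry was created
    last_seen: float   # time the last packet of the stream was seen
    packets: int = 0


class FlowCache:
    def __init__(self, active_minutes: int = 30, inactive_seconds: int = 60):
        # Ranges and defaults follow the two commands: 5..60 min, 60..600 s.
        if not 5 <= active_minutes <= 60:
            raise ValueError("active timeout must be 5..60 minutes")
        if not 60 <= inactive_seconds <= 600:
            raise ValueError("inactive timeout must be 60..600 seconds")
        self.active = active_minutes * 60
        self.inactive = inactive_seconds
        self.entries: Dict[tuple, FlowEntry] = {}
        self.exported: List[Tuple[FlowEntry, str]] = []   # aged-out entries and why

    def age(self, now: float) -> List[Tuple[FlowEntry, str]]:
        """Age out entries whose active or inactive time has reached its limit."""
        aged = []
        for key, e in list(self.entries.items()):
            if now - e.created >= self.active:
                reason = "active"      # long-lived stream: export, then start over
            elif now - e.last_seen >= self.inactive:
                reason = "inactive"    # stream went quiet
            else:
                continue
            aged.append((e, reason))
            del self.entries[key]
        self.exported.extend(aged)
        return aged

    def observe(self, key: tuple, now: float) -> None:
        """Account one packet; aging runs first so an expired entry is recreated."""
        self.age(now)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = FlowEntry(key, now, now, 1)
        else:
            e.last_seen = now
            e.packets += 1


SHORT = ("10.1.1.5", "172.16.0.7", 17, 53000, 53)          # constructed DNS flow
LONG_LIVED = ("10.1.1.9", "192.168.2.20", 6, 40001, 443)    # constructed HTTPS flow


def run_scenario() -> FlowCache:
    cache = FlowCache()                      # defaults: 30 minutes / 60 seconds
    for t in (0, 10, 20):                    # three DNS packets, then silence
        cache.observe(SHORT, t)
    for t in range(0, 1830, 30):             # one HTTPS packet every 30 s for over 30 min
        cache.observe(LONG_LIVED, t)
    cache.age(1830)
    return cache


if __name__ == "__main__":
    c = run_scenario()
    for entry, reason in c.exported:
        print(f"exported ({reason}): {entry.key} packets={entry.packets} "
              f"created={entry.created} last_seen={entry.last_seen}")
    print("still cached:", {k: v.packets for k, v in c.entries.items()})
```

The DNS entry is exported as soon as 60 seconds pass without a packet; the HTTPS entry is never quiet, so only the 30-minute active timer exports it, at which point the cache starts a fresh entry for the same key. Lowering the active timeout (the 5-minute minimum) shortens the reporting delay for long sessions at the cost of more export records; lengthening the inactive timeout (up to 600 s) avoids splitting bursty streams into several records.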

2.1.15  reset ip netstream statistics

Syntax

reset ip netstream statistics slot slot-number

View

User view

Parameters

slot-number: Slot number of an LPU.

Description

Use the reset ip netstream statistics command to clear the Netstream statistics and output statistics on a specified LPU and age out all the stream entries in the Netstream cache.

 

&  Note:

Executing the reset ip netstream statistics command will forcibly age out the current stream entries in the NP. This forcible aging procedure may take a long time and stops the creation of any new entry until all current entries are aged out.

 

Examples

# Clear the Netstream statistics and age all the stream entries in the Netstream cache on the LPU in slot 6.

<H3C> reset ip netstream statistics slot 6

 


Chapter 3  Policy Routing Configuration Commands

 

&  Note:

Currently, the LS81VSNP boards installed in S7500 series switches support the policy routing feature. In this manual, the LS81VSNP board is called LPU.

 

3.1  Policy Routing Configuration Commands

3.1.1  display qos-vlan traffic-redirect

Syntax

display qos-vlan [ vlan-id ] traffic-redirect

View

Any view

Parameters

vlan-id: ID of a VLAN interface, ranging from 1 to 4094.

Description

Use the display qos-vlan traffic-redirect command to display policy routing configuration.

Use the display qos-vlan vlan-id traffic-redirect command to display policy routing configuration on a specified VLAN interface.

Examples

# Display policy routing configuration on all VLAN interfaces.

<H3C> display qos-vlan traffic-redirect

Vlan 1 traffic-redirect

 Inbound:

   Matches: Acl 2001 rule 0  running

     Redirected to: next-hop 13.53.3.3 slot 5

Vlan 2 traffic-redirect

 Inbound:

   Matches: Acl 2000 rule 0  running

     Redirected to: next-hop 3.3.3.3 slot 6

# Display policy routing configuration on VLAN-interface 2.

<H3C> display qos-vlan 2 traffic-redirect

Vlan 2 traffic-redirect

 Inbound:

   Matches: Acl 2000 rule 0  running

     Redirected to: next-hop 3.3.3.3 slot 6

3.1.2  traffic-redirect inbound ip-group

Syntax

1) Redirect packets to a specified VLAN interface

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] interface vlan-interface interface-number [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number

undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]

2) Redirect packets to a specified IP address

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] next-hop ipaddr &1-3 [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number

undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameters

acl-number: ACL number, ranging from 2000 to 3999.

acl-name: ACL name, a string of 1 to 32 characters.

rule rule: Specifies a rule in the ACL. The rule argument represents the number of an ACL rule and ranges from 0 to 127. If rule rule is not provided, all rules in the specified ACL will be applied.

system-index index: Specifies a system index for the specified ACL rule. The two parameters are optional. The index argument ranges from 0 to 4,294,967,295. When an ACL rule is applied, the system automatically assigns a system index to the rule for lookup purposes. You can also specify a system index for an ACL rule manually when executing these commands, but doing so is generally not recommended.

interface vlan-interface interface-number: Specifies the VLAN interface to which packets are redirected. The interface-number argument is the index of a VLAN interface, which ranges from 2 to 4094.

dscp dscp: Specifies the differentiated services code point (DSCP) value. The dscp argument ranges from 0 to 63 and defaults to 0. Packets can be classified by their DSCP values.

precedence precedence: Specifies a precedence, which will be used to remark packets. The precedence argument ranges from 0 to 7 and defaults to 0.

tos tos: Specifies the value of type of service. The tos argument ranges from 0 to 15 and defaults to 0. Packets can be classified by their ToS values.

slot slot-number: Specifies the slot number of an LPU.

next-hop ipaddr &1-3: Specifies the IP address(es) to which packets are redirected. You can specify at most three IP addresses in one command line.

Description

Use the traffic-redirect inbound ip-group command to redirect inbound packets that match a specified ACL or ACL rule on an LPU.

Use the undo traffic-redirect inbound ip-group command to remove the inbound packet redirection configuration.

You can redirect packets to a specified VLAN interface or specified IP addresses.

If all specified IP addresses are unreachable, the packets will be forwarded depending on their destination IP addresses, but the action defined by the remark keyword (if any) will still be performed.

 

  Caution:

•  With ACL rules, up to 100 streams can be redirected in the system.

•  Up to 3,000 traffic-redirect inbound ip-group commands can be configured.

•  In total, up to 3,000 traffic-redirect inbound ip-group and traffic-redirect outbound ip-group commands can be configured.

 

Examples

# Configure to redirect the inbound packets that match ACL 2100 on LPU in slot 5 to 10.13.152.1 (the next hop).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 3

[H3C-vlan3] traffic-redirect inbound ip-group 2100 next-hop 10.13.152.1 slot 5

3.1.3  traffic-redirect outbound ip-group

Syntax

1) Redirect packets to a specified VLAN interface

traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] interface vlan-interface interface-number [ remark { dscp dscp | { precedence precedence | tos tos }*} ] slot slot-number

undo traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule ]

2) Redirect packets to a specified IP address

traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] next-hop ipaddr &1-3 [ remark { dscp dscp | { precedence precedence | tos tos } *} ] slot slot-number

undo traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameters

acl-number: ACL number, ranging from 2000 to 3999.

acl-name: ACL name, a string of 1 to 32 characters.

rule rule: Specifies a rule in the ACL. The rule argument represents the number of an ACL rule and ranges from 0 to 127. If rule rule is not provided, all rules in the specified ACL will be applied.

system-index index: Specifies a system index for the specified ACL rule. The two parameters are optional. The index argument ranges from 0 to 4,294,967,295. When an ACL rule is applied, the system automatically assigns a system index to the rule for lookup purposes. You can also specify a system index for an ACL rule manually when executing these commands, but doing so is generally not recommended.

interface vlan-interface interface-number: Specifies the VLAN interface to which packets are redirected. The interface-number argument is the index of a VLAN interface, which ranges from 2 to 4094.

dscp dscp: Specifies the differentiated services code point (DSCP) value. The dscp argument ranges from 0 to 63 and defaults to 0. Packets can be classified by their DSCP values.

precedence precedence: Specifies a precedence, which will be used to remark packets. The precedence argument ranges from 0 to 7 and defaults to 0.

tos tos: Specifies the value of type of service. The tos argument ranges from 0 to 15 and defaults to 0. Packets can be classified by their ToS values.

slot slot-number: Specifies the slot number of an LPU.

next-hop ipaddr &1-3: Specifies the IP address(es) to which packets are redirected. You can specify at most three IP addresses in one command line.

Description

Use the traffic-redirect outbound ip-group command to redirect outbound packets that match a specified ACL or ACL rule on an LPU.

Use the undo traffic-redirect outbound ip-group command to disable the outbound packet redirection configuration.

You can redirect packets to a specified VLAN interface or IP addresses.

If all specified IP addresses are unreachable, the packets will be forwarded depending on their destination IP addresses, but the action defined by the remark keyword (if any) will still be performed.

 

  Caution:

•  Up to 100 ACL rule-filtered streams can be redirected in the system.

•  Up to 3,000 traffic-redirect outbound ip-group commands can be configured.

•  In total, up to 3,000 traffic-redirect inbound ip-group and traffic-redirect outbound ip-group commands can be configured.

 

Examples

# Configure to redirect the outbound packets that match ACL 2100 on the LPU in slot 5 to 10.13.152.2 (the next hop).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 3

[H3C-vlan3] traffic-redirect outbound ip-group 2100 next-hop 10.13.152.2 slot 5

 
