- Table of Contents
- 
                        - 06-Layer 3—IP Services Command Reference
- 00-Preface
- 01-ARP commands
- 02-IP addressing commands
- 03-DHCP commands
- 04-DNS commands
- 05-NAT commands
- 06-NAT66 commands
- 07-IP forwarding basics commands
- 08-Fast forwarding commands
- 09-Multi-CPU packet distribution commands
- 10-Adjacency table commands
- 11-IP performance optimization commands
- 12-UDP helper commands
- 13-IPv6 basics commands
- 14-DHCPv6 commands
- 15-IPv6 fast forwarding commands
- 16-AFT commands
- 17-Tunneling commands
- 18-GRE commands
- 19-ADVPN commands
- 20-WAAS commands
- 21-Web caching commands
- 22-HTTP proxy commands
 
- Related Documents
- 
                        
| Title | Size | Download | 
|---|---|---|
| 16-AFT commands | 154.34 KB | 
Contents
AFT commands
address
Use address to add an address range to an AFT address group.
Use address to remove an address range from an AFT address group.
Syntax
address start-address end-address
undo address start-address end-address
Default
No address ranges exist.
Views
AFT address group view
Predefined user roles
network-admin
mdc-admin
Parameters
start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.
Usage guidelines
An AFT address group is a set of address ranges. Dynamic AFT translates an IPv6 address to an IPv4 address in one of the address ranges.
Each address range can contain a maximum of 256 addresses.
Make sure the address ranges do not overlap.
Examples
# Add two address ranges to AFT address group 2.
<Sysname> system-view
[Sysname] aft address-group 2
[Sysname-aft-address-group-2] address 10.1.1.1 10.1.1.15
[Sysname-aft-address-group-2] address 10.1.1.20 10.1.1.30
Related commands
aft address-group
aft address-group
Use aft address-group to create an AFT address group and enter its view, or enter the view of an existing AFT address group.
Use undo aft address-group to delete an AFT address group.
Syntax
aft address-group group-id
undo aft address-group group-id
Default
No AFT address groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-id: Assigns an ID to the address group. The value range for this argument is 0 to 65535.
Usage guidelines
An AFT address group is a set of address ranges. Use the address command to add an address range.
The AFT address group is used in dynamic AFT. Dynamic AFT translates the source address of an IPv6 packet to an IPv4 address in the address group.
Examples
# Create AFT address group 1 and enter its view.
<Sysname> system-view
[Sysname] aft address-group 1
[Sysname-aft-address-group-1]
Related commands
address
aft v6tov4 source
display aft address-group
display aft configuration
aft alg
Use aft alg to enable AFT ALG for the specified or all supported protocols.
Use undo aft alg to disable AFT ALG for the specified or all supported protocols.
Syntax
aft alg { all | dns | ftp | http | icmp-error }
undo aft alg { all | dns | ftp | http | icmp-error }
Default
AFT ALG is enabled for DNS, FTP, ICMP error messages, and HTTP.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
all: Enables AFT ALG for all supported protocols.
dns: Enables AFT ALG for DNS.
ftp: Enables AFT ALG for FTP.
http: Enables AFT ALG for HTTP.
icmp-error: Enables AFT ALG for ICMP error packets.
Usage guidelines
AFT ALG translates address or port information in the application layer payloads.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires AFT ALG to translate the address and port information.
You can execute this command multiple times to enable AFT ALG for different protocols.
Examples
# Enable AFT ALG for FTP.
<Sysname> system-view
[Sysname] aft alg ftp
Related commands
display aft configuration
aft enable
Use aft enable to enable AFT on an interface.
Use undo aft enable to disable AFT on an interface.
Syntax
aft enable
undo aft enable
Default
AFT is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
You must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.
Examples
# Enable AFT on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] aft enable
Related commands
display aft configuration
aft log enable
Use aft log enable to enable AFT logging.
Use undo aft log enable to disable AFT logging.
Syntax
aft log enable
undo aft log enable
Default
AFT logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
For security auditing, you can enable AFT logging to record AFT session information. An AFT session is a session whose source and destination IP addresses are translated by AFT.
AFT can log the following events:
· An AFT port block is created.
· An AFT port block is deleted.
· An AFT session is established.
To log AFT session establishment events, you must also execute the aft log flow-begin command.
· An AFT session is removed.
To log AFT session removal events, you must also execute the aft log flow-end command.
The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable AFT logging.
<Sysname> system-view
[Sysname] aft log enable
Related commands
aft log flow-begin
aft log flow-end
display aft configuration
aft log flow-begin
Use aft log flow-begin to enable AFT session establishment logging.
Use undo aft log flow-begin to disable AFT session establishment logging.
Syntax
aft log flow-begin
undo aft log flow-begin
Default
AFT session establishment logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This feature enables the AFT module to generate a log entry for every AFT session establishment event.
AFT session establishment logging takes effect only after you enable AFT logging.
Examples
# Enable AFT session establishment logging.
<Sysname> system-view
[Sysname] aft log flow-begin
Related commands
aft log enable
aft log flow-end
display aft configuration
aft log flow-end
Use aft log flow-end to enable AFT session removal logging.
Use undo aft log flow-end to disable AFT session removal logging.
Syntax
aft log flow-end
undo aft log flow-end
Default
AFT session removal logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This feature enables the AFT module to generate a log entry for every AFT session removal event.
AFT session removal logging takes effect only after you enable AFT logging.
Examples
# Enable AFT session removal logging.
<Sysname> system-view
[Sysname] aft log flow-end
Related commands
aft log enable
aft log flow-begin
aft prefix-general
Use aft prefix-general to configure a general prefix.
Use undo aft prefix-general to delete a general prefix.
Syntax
aft prefix-general prefix-general prefix-length
undo aft prefix-general prefix-general prefix-length
Default
No general prefixes exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
prefix-general: Specifies the general prefix.
prefix-length: Specifies the prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.
Usage guidelines
A general prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A general prefix can be used for source and destination address translation between IPv4 and IPv6.
When a general prefix is used alone, it provides IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.
When a general prefix is used in the aft v4tov6 source or aft v4tov6 destination command, it provides IPv4-to-IPv6 source or destination address translation. If a source or destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the general prefix and the IPv4 address.
A general prefix cannot be on the same subnet as any interface on the device.
A general prefix must be different from a NAT64 prefix or an IVI prefix.
Examples
# Specify 2000:db8e:: as a general prefix and set its prefix length to 32.
<Sysname> system-view
[Sysname] aft prefix-general 2000:db8e:: 32
Related commands
aft v4tov6 destination
aft v4tov6 source
display aft configuration
aft prefix-ivi
Use aft prefix-ivi to configure an IVI prefix.
Use undo aft prefix-ivi to delete an IVI prefix.
Syntax
aft prefix-ivi prefix-ivi
undo aft prefix-ivi prefix-ivi
Default
No IVI prefixes exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
prefix-ivi: Specifies an IVI prefix.
Usage guidelines
An IVI prefix is an IPv6 address prefix whose length is fixed at 32 bits. An IVI prefix can be used for IPv6-to-IPv4 source address translation and IPv4-to-IPv6 destination address translation.
When an IVI prefix is used alone, it provides IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.
When an IVI prefix is used in the aft v4tov6 destination command, it provides IPv4-to-IPv6 destination address translation. If a destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the IVI prefix and the IPv4 address.
An IVI prefix must be different from a NAT64 prefix or a general prefix.
Examples
# Specify 3000:db8e:: as an IVI prefix.
<Sysname> system-view
[Sysname] aft prefix-ivi 3000:db8e::
Related commands
aft v4tov6 destination
display aft configuration
aft prefix-nat64
Use aft prefix-nat64 to configure a NAT64 prefix.
Use undo aft prefix-nat64 to delete a NAT64 prefix.
Syntax
aft prefix-nat64 prefix-nat64 prefix-length
undo aft prefix-nat64 prefix-nat64 prefix-length
Default
No NAT64 prefixes exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
prefix-nat64: Specifies a NAT64 prefix.
prefix-length: Specifies the NAT64 prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.
Usage guidelines
A NAT64 prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A NAT64 prefix can be used for IPv4-to-IPv6 source address translation and IPv6-to-IPv4 destination address translation.
When a NAT64 prefix is used alone, it provides IPv6-to-IPv4 destination address translation. If a destination IPv6 address matches the NAT64 prefix, AFT translates it to the embedded IPv4 address.
When a NAT64 prefix is used alone or in the aft v4tov6 source command, it also provides IPv4-to-IPv6 source address translation. AFT constructs the IPv6 address by using the NAT64 prefix and the source IPv4 address. If the NAT64 prefix is used in the aft v4tov6 source command, AFT only translates packets permitted by the ACL.
A NAT64 prefix cannot be on the same subnet as any of the interfaces on the device.
A NAT64 prefix must be different from an IVI prefix or a general prefix.
Examples
# Specify 2000:db8e:: as a NAT64 prefix and set its prefix length to 32.
<Sysname> system-view
[Sysname] aft prefix-nat64 2000:db8e:: 32
Related commands
aft v4tov6 source
display aft configuration
aft turn-off tos
Use aft turn-off tos to set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
Use undo aft turn-off tos to restore the default.
Syntax
aft turn-off tos
undo aft turn-off tos
Default
The ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
<Sysname> system-view
[Sysname] aft turn-off tos
aft turn-off traffic-class
Use aft turn-off traffic-class to set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.
Use undo aft turn-off traffic-class to restore the default.
Syntax
aft turn-off traffic-class
undo aft turn-off traffic-class
Default
The Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.
<Sysname> system-view
[Sysname] aft turn-off traffic-class
aft v4tov6 destination
Use aft v4tov6 destination to configure an IPv4-to-IPv6 destination address translation policy.
Use undo aft v4tov6 destination to delete an IPv4-to-IPv6 destination address translation policy.
Syntax
aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }
undo aft v4tov6 destination acl { name ipv4-acl-name | number ipv4-acl-number }
Default
No IPv4-to-IPv6 destination address translation policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
acl: Identifies IPv4 packets for address translation. AFT translates destination addresses for IPv4 packets permitted by the ACL.
name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.
prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate destination addresses for packets permitted by the ACL.
prefix-ivi prefix-ivi: Specifies an IVI prefix. AFT uses the IVI prefix to translate destination addresses for packets permitted by the ACL.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which translated IPv6 addresses belong. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 addresses belong to the public network, do not specify this option.
Usage guidelines
You must specify different ACLs for different IPv4-to-IPv6 destination address translation policies.
You can specify a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.
Examples
# Configure the device to use IVI prefix 3000:db8e:: to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft prefix-ivi 3000:db8e::
[Sysname] aft v4tov6 destination acl number 2000 prefix-ivi 3000:db8e::
# Configure the device to use general prefix 2000:db8e::/32 to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft v4tov6 destination acl number 2000 prefix-general 2000:db8e:: 32
Related commands
aft prefix-general
aft prefix-ivi
display aft configuration
aft v4tov6 source
Use aft v4tov6 source to configure an IPv4-to-IPv6 source address translation policy.
Use undo aft v4tov6 source to delete an IPv4-to-IPv6 source address translation policy.
Syntax
IPv4-to-IPv6 source address static mapping:
aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ]
undo aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ]
IPv4-to-IPv6 source address translation policy using a NAT64 prefix or general prefix:
aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }
undo aft v4tov6 source acl { name ipv4-acl-name | number ipv4-acl-number }
Default
No IPv4-to-IPv6 source address translation policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.
ipv6-address: Specifies an IPv6 address. The IPv6 address in a static mapping cannot be on the same subnet as any interface on the device.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.
acl: Identifies IPv4 packets for address translation. AFT translates source addresses for packets permitted by the ACL.
name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.
prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate source IPv4 address for packets permitted by the ACL.
prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the NAT64 prefix to translate source IPv4 address for packets permitted by the ACL.
Usage guidelines
The IPv4 or IPv6 addresses in different static mappings cannot be the same.
You must specify different ACLs for IPv4-to-IPv6 source address translation policies that use NAT64 prefixes or general prefixes.
You can specify a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.
Examples
# Map IPv4 source address 2.2.2.123 to IPv6 source address 3001::5.
<Sysname> system-view
[Sysname] aft v4tov6 source 2.2.2.123 3001::5
# Configure the device to use NAT64 prefix 2000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft prefix-nat64 2000:: 32
[Sysname] aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32
# Configure the device to use general prefix 3000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft v4tov6 source acl number 2000 prefix-general 3000:: 32
aft prefix-general
aft prefix-nat64
display aft configuration
aft v6server
Use aft v6server to configure an AFT mapping for an IPv6 internal server.
Use undo aft v6server to delete an AFT mapping for an IPv6 internal server.
Syntax
aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]
undo aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ]
Default
The IPv6 internal server does not have an AFT mapping.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.
ipv4-destination-address: Specifies an IPv4 address.
ipv4-port-number: Specifies an IPv4 port number in the range of 1 to 65535.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.
ipv6-destination-address: Specifies an IPv6 address.
ipv6-port-number: Specifies an IPv6 port number in the range of 1 to 65535.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.
Usage guidelines
The AFT mappings for different IPv6 internal servers cannot be the same.
Examples
# Map IPv6 address 3001::5 and port number 1720 of an IPv6 internal server to IPv4 address 2.2.2.123 and port number 1720 for TCP packets.
<Sysname> system-view
[Sysname] aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720
Related commands
display aft configuration
aft v6tov4 source
Use aft v6tov4 source to configure an IPv6-to-IPv4 source address translation policy.
Use undo aft v6tov4 source to delete an IPv6-to-IPv4 source address translation policy.
Syntax
IPv6-to-IPv4 source address static mapping:
aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ]
undo aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ]
IPv6-to-IPv4 source address translation policy:
aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize ] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]
undo aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] }
Default
No IPv6-to-IPv4 source address translation policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-address: Specifies an IPv6 address.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.
ipv4-address: Specifies an IPv4 address.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.
acl ipv6: Identifies IPv6 packets for address translation. AFT translates source addresses for IPv6 packets permitted by the ACL.
name ipv6-acl-name: Specifies an IPv6 ACL by its name. The ipv6-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
number ipv6-acl-number: Specifies an IPv6 ACL by its number in the range of 2000 to 3999.
prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The prefix-length argument represents a prefix length, which can be 32, 40, 48, 56, 64, or 96. AFT translates source IPv6 addresses for packets whose destination IPv6 addresses match the NAT64 prefix.
address-group group-id: Specifies an AFT address group by its ID in the range of 0 to 65535.
no-pat: Specifies the NO-PAT mode. If you do not specify the keyword, AFT uses the PAT mode.
port-block-size blocksize: Specifies the port block size in the range of 100 to 64512. If you do not specify the option, the port range will not be divided.
interface interface-type interface-number: Specifies an interface by its type and number. AFT translates source IPv6 addresses to the primary IPv4 address of the specified interface.
Usage guidelines
If you set a port block size, the port range (1024 to 65535) will be divided into port blocks by the port block size. For example, if you set the port block size to 1000, the port range is divided into port blocks 1024 to 2023, 2024 to 3023, and so on. The port blocks are used for PAT.
The IPv4 or IPv6 addresses in different static mappings cannot be the same.
You must specify different ACLs, NAT64 prefixes, and AFT address groups for different IPv6-to-IPv4 source address translation policies.
You can specify a nonexistent NAT64 prefix in a policy, but the policy takes effect only after you configure the prefix.
Examples
# Map source IPv6 address 3001::5 to source IPv4 address 2.2.2.123.
<Sysname> system-view
[Sysname] aft v6tov4 source 3001::5 2.2.2.123
# Configure the device to use AFT address group 0 to translate source addresses for IPv6 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100
Related commands
display aft configuration
display aft port-block
display aft address-group
Use display aft address-group to display AFT address group information.
Syntax
display aft address-group [ group-id ]
View
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-id: Specifies an AFT address group ID in the range of 0 to 65535. If you do not specify this argument, the command displays information about all AFT address groups.
Examples
# Display information about all AFT address groups.
<Sysname> display aft address-group
There are 3 AFT address groups.
Group number Start address End address
1 202.110.10.10 202.110.10.15
2 202.110.10.20 202.110.10.25
202.110.10.30 202.110.10.35
6 --- ---
# Display information about AFT address group 1.
<Sysname> display aft address-group 1
Group number Start address End address
1 202.110.10.10 202.110.10.15
Table 1 Command output
| Field | Description | 
| There are n AFT address groups | Total number of existing AFT address groups. | 
| Group number | Address group ID. | 
| Start address | Start IP address of an address range. If you do not specify the start address, this field displays three hyphens (---). | 
| End address | End IP address of an address range. If you do not specify the end address, this field displays three hyphens (---). | 
display aft address-mapping
Use aft address-mapping to display AFT mappings.
Syntax
In standalone mode:
display aft address-mapping [ slot slot-number ]
In IRF mode:
display aft address-mapping [ chassis chassis-number slot slot-number ]
View
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT mappings for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT mappings for all cards. (In IRF mode.)
Examples
# (In standalone mode.) Display AFT mappings.
<Sysname> display aft address-mapping
Slot 1:
IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024
Destination IP/port: 5000::1717:1714/1025
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
IPv4: Source IP/port: 1.1.1.1/1031
Destination IP/port: 23.23.23.20/1025
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Total address mappings found: 1
Table 2 Command output
| Field | Description | 
| IPv4 | IPv4 address information. | 
| IPv6 | IPv6 address information. | 
| Source IP/port | Source IP address and port number. | 
| Destination IP/port | Destination IP address and port number. | 
| VPN instance/VLAN ID/Inline ID | The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · Inline ID—Inline to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field. | 
| Protocol | Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. | 
display aft configuration
Use display aft configuration to display AFT configuration.
Syntax
display aft configuration
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display AFT configuration.
<Sysname> display aft configuration
aft address-group 1
address 202.110.10.10 202.110.10.15
address 101.1.1.100 101.1.1.200
aft prefix-ivi 3000:DB8E::
aft prefix-general 2000:DB8E:: 32
aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100
aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32
aft v4tov6 destination acl number 2000 prefix-ivi 3000:DB8E::
aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720
aft turn-off tos
aft turn-off traffic-class
aft log enable
aft log flow-begin
aft log flow-end
interface GigabitEthernet1/0/1
aft enable
aft flow-redirect dynamic disable
AFT ALG:
DNS : Enabled
FTP : Enabled
HTTP : Enabled
ICMP-ERROR : Enabled
Table 3 Command output
| Field | Description | 
| aft address-group XX | AFT address group ID. | 
| address | Address ranges in the AFT address group. | 
| aft prefix-nat64 X:X::X:X | NAT64 prefix address. | 
| aft prefix-ivi X:X::X:X | IVI prefix. | 
| aft prefix-general X:X::X:X | General prefix. | 
| aft v6tov4 source XX | IPv6-to-IPv4 source address translation policy. For more information, see the aft v6tov4 source command. | 
| aft v4tov6 source XX | IPv4-to-IPv6 source address translation policy. For more information, see the aft v4tov6 source command. | 
| aft v4tov6 destination XX | IPv4-to-IPv6 destination address translation policy. For more information, see the aft v4tov6 destination command. | 
| aft v6server protocol | AFT mapping for the IPv6 internal server. | 
| aft turn-off tos | Value of the ToS field in IPv4 packets translated from IPv6 packets. | 
| aft turn-off traffic-class | Value of the Traffic Class field in IPv6 packets translated from IPv4 packets. | 
| aft log enable | AFT logging is enabled. | 
| aft log flow-begin | AFT session establishment logging is enabled. | 
| aft log flow-end | AFT session removal logging is enabled. | 
| interface XXX | AFT-enabled interface. | 
| aft enable | AFT is enabled. | 
| aft flow-redirect XX disable | OpenFlow entry generation based on AFT is disabled. For information about XX, see aft flow-redirect disable. | 
| AFT ALG | AFT ALG status: · Enabled. · Disabled. | 
display aft no-pat
Use display aft no-pat to display AFT NO-PAT entries.
Syntax
In standalone mode:
display aft no-pat [ slot slot-number ]
In IRF mode:
display aft no-pat [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (In IRF mode.)
Usage guidelines
An AFT NO-PAT entry records a mapping between an IPv4 address and an IPv6 address without ports.
Examples
# (In standalone mode.) Display AFT NO-PAT entries.
<Sysname> display aft no-pat
Slot 1:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
IPv4 VPN : vpn2
IPv6 VPN : vpn1
IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
IPv4 VPN : vpn2
IPv6 VPN : vpn1
Total entries found: 2
Table 4 Command output
| Field | Description | 
| IPv6 address | Original IPv6 address. | 
| IPv4 address | Translated IPv4 address. | 
| IPv4 VPN | VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. | 
| IPv6 VPN | VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. | 
| Total entries found | Total number of AFT NO-PAT entries. | 
display aft port-block
Use display aft port-block to display AFT port block mappings.
Syntax
In standalone mode:
display aft port-block [ slot slot-number ]
In IRF mode:
display aft port-block [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT port block mappings for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT port block mappings for all cards. (In IRF mode.)
Examples
# (In standalone mode.) Display AFT port block mappings.
<Sysname> display aft port-block
Slot 1:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
Port block : [1024 – 1123]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
Port block : [1024 – 1200]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
Total entries found: 2
Table 5 Command output
| Field | Description | 
| IPv6 address | Original IPv6 address. | 
| IPv4 address | Translated IPv4 address. | 
| Port block | Port range for the translated IPv4 address. | 
| IPv4 VPN | VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. | 
| IPv6 VPN | VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. | 
| Total entries found | Total number of AFT port block mapping entries. | 
display aft session
Use display aft session to display AFT sessions.
Syntax
In standalone mode:
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]
In IRF mode:
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ipv4: Displays IPv4 AFT sessions.
source-ip source-ip-address: Specifies the source IPv4 address of the packets that initiate AFT sessions.
destination-ip destination-ip-address: Specifies the destination IPv4 address of the packets that initiate AFT sessions.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.
ipv6: Displays IPv6 AFT sessions.
source-ip source-ipv6-address: Specifies the source IPv6 address of the packets that initiate AFT sessions.
destination-ip destination-ipv6-address: Specifies the destination IPv6 address of the packets that initiate AFT sessions.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT sessions for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT sessions for all cards. (In IRF mode.)
verbose: Display detailed information about AFT sessions. If you do not specify this keyword, this command displays brief information about AFT sessions.
Usage guidelines
If you do not specify any parameters, this command displays all AFT sessions.
Examples
# (In standalone mode.) Display detailed information about AFT sessions for the specified slot.
<Sysname> display aft session ipv4 slot 1 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 102.128.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Responder:
Source IP/port: 102.128.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
App: SSH State: TCP_SYN_SENT
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 6 Command output
| Field | Description | 
| Initiator | Session information about the initiator. | 
| Source IP/port | Source IP address and port number. | 
| Destination IP/port | Destination IP address and port number. | 
| VPN instance/VLAN ID/Inline ID | The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · Inline ID—Inline to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field. | 
| Protocol | Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. | 
| Inbound interface | Input interface. | 
| Responder | Session information about the responder. | 
| APP | Application layer protocol, such as FTP and DNS. This field displays unknown for the protocol types that are identified by non-well-known ports and are not user-defined. | 
| State | AFT session state. | 
| Start time | Time when the session starts. | 
| TTL | Remaining lifetime of the session, in seconds. | 
| Initiator->Responder | Number of packets and bytes from the initiator to the responder. | 
| Responder->Initiator | Number of packets and bytes from the responder to the initiator. | 
| Total sessions found | Total number of AFT sessions. | 
Related commands
reset aft session
display aft statistics
Use display aft statistics to display AFT statistics.
Syntax
In standalone mode:
display aft statistics [ slot slot-number ]
In IRF mode:
display aft statistics [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT statistics for all cards. (In IRF mode.)
Usage guidelines
If you do not specify any parameters, this command displays all AFT statistics.
Examples
# Display all AFT statistics.
<Sysname> display aft statistics
Total NO-PAT entries found: 0
Total port-block entries found: 0
Total IPv4 sessions: 0
Total IPv6 sessions: 0
Dropped packets: 3006
Configuration sequence changed: 0
Failed to transfer payload: 0
Failed to transfer packet header: 0
Packet examination failed before packet sending: 0
Failed to translate destination address: 0
The translated destination address is invalid: 0
Failed to translate source address: 0
Failed to transfer FSBUF to MBUF: 0
Session ext-info is null: 0
Peer session is null: 0
Failed to get translation information from session: 0
Failed to create session: 0
Failed to fragment the MBUF: 0
Failed to create fast forwarding table: 0
Failed to formalize session: 0
Other reasons: 0
Table 7 Command output
| Field | Description | 
| Total NO-PAT entries found | Total number of AFT NO-PAT entries. | 
| Total port-block entries found | Total number of AFT port block mappings. | 
| Total IPv4 sessions | Total number of AFT IPv4 sessions. | 
| Total IPv6 sessions | Total number of AFT IPv6 sessions. | 
| Dropped packets | Number of packets dropped by AFT. | 
| Configuration sequence changed | Number of packets dropped due to configuration sequence changes. | 
| Failed to transfer payload | Number of packets dropped due to ALG failures. | 
| Failed to transfer packet header | Number of packets dropped due to packet header transformation failures. | 
| Packet examination failed before packet sending | Number of packets dropped due to packet examination failures before packet sending. | 
| Failed to translate destination address | Number of packets dropped due to destination address translation failures. | 
| The translated destination address is invalid | Number of packets dropped due to the invalidity of the translated destination address. | 
| Failed to translate source address | Number of packets dropped due to source address translation failures. | 
| Failed to transfer FSBUF to MBUF | Number of packets dropped due to FSBUF-to-MBUF transformation failures. | 
| Session ext-info is null | Number of packets dropped due to session extended information acquisition failures. | 
| Peer session is null | Number of packets dropped due to peer session lookup failures. | 
| Failed to get translation information from session | Number of packets dropped due to translation information acquisition failures from sessions. | 
| Failed to create session | Number of packets dropped due to session creation failures. | 
| Failed to fragment the MBUF | Number of packets dropped due to fragmentation failures. | 
| Failed to create fast forwarding table | Number of packets dropped due to fast forwarding table creation failures. | 
| Failed to formalize session | Number of packets dropped due to session formalization failures. | 
| Other reasons | Number of packets dropped due to other reasons. | 
Related commands
reset aft statistics
reset aft session
Use reset aft session to clear AFT sessions.
Syntax
In standalone mode:
reset aft session [ slot slot-number ]
In IRF mode:
reset aft session [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT sessions for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT sessions for all cards. (In IRF mode.)
Usage guidelines
After you clear AFT sessions, the corresponding AFT NO-PAT entries and port block mappings are also cleared.
Examples
# Clear all AFT sessions.
<Sysname> reset aft session
Related commands
display aft session
reset aft statistics
Use reset aft statistics to clear AFT statistics.
Syntax
In standalone mode:
reset aft statistics [ slot slot-number ]
In IRF mode:
reset aft statistics [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT statistics for all cards. (In IRF mode.)
Usage guidelines
The AFT statistics include the number of dropped packets, the number of NO-PAT entries, and the number of port block entries. This command only resets the counter for dropped packets.
Examples
# Clear all AFT statistics.
<Sysname> reset aft statistics
Related commands
display aft statistics
 Login
Login
