H3C - Technical Support & Document - 40-NAT-Netstream-Policy Routing Command


Table of Contents

Chapter 1 NAT Configuration Commands
1.1 NAT Configuration Commands
1.1.1 display nat address-group
1.1.2 display nat aging-time
1.1.3 display nat all
1.1.4 display nat blacklist
1.1.5 display nat outbound
1.1.6 display nat server
1.1.7 display nat statistics
1.1.8 nat address-group
1.1.9 nat aging-time
1.1.10 nat blacklist start
1.1.11 nat blacklist mode
1.1.12 nat blacklist limit amount
1.1.13 nat blacklist limit rate
1.1.14 nat blacklist limit rate source
1.1.15 nat outbound
1.1.16 nat server
1.1.17 reset nat
1.1.18 nat ftp server
1.2 NAT Security Logging Configuration Commands
1.2.1 display ip userlog export
1.2.2 ip userlog nat slot
1.2.3 ip userlog nat active-time
1.2.4 ip userlog nat export host
1.2.5 ip userlog nat export source-ip
1.2.6 ip userlog nat export version
1.2.7 ip userlog nat mode flow-begin
Chapter 2 Netstream Configuration Commands
2.1 Netstream Configuration Commands
2.1.1 display ip netstream cache
2.1.2 display ip netstream export
2.1.3 enable
2.1.4 ip netstream aggregation
2.1.5 ip netstream export dscp
2.1.6 ip netstream export host
2.1.7 ip netstream export source
2.1.8 ip netstream export version
2.1.9 ip netstream inbound source
2.1.10 ip netstream outbound source
2.1.11 ip netstream template refresh
2.1.12 ip netstream template timeout
2.1.13 ip netstream timeout active
2.1.14 ip netstream timeout inactive
2.1.15 reset ip netstream statistics
Chapter 3 Policy Routing Configuration Commands
3.1 Policy Routing Configuration Commands
3.1.1 display qos-vlan traffic-redirect
3.1.2 traffic-redirect inbound ip-group
3.1.3 traffic-redirect outbound ip-group

 


Chapter 1  NAT Configuration Commands

 

Note:

Currently, the LS81VSNP boards installed in S7500 series switches support the NAT feature. In this manual, the LS81VSNP board is called LPU (line processing unit).

 

1.1  NAT Configuration Commands

1.1.1  display nat address-group

Syntax

display nat address-group

View

Any view

Parameter

None

Description

Use the display nat address-group command to display NAT address pool configuration.

Example

# Display NAT address pool configuration.

<H3C> display nat address-group

  NAT address-group information:

      0 : from   1.1.1.1   to   1.1.1.2

      1 : from   2.2.2.2   to   2.2.2.3  slot 3

1.1.2  display nat aging-time

Syntax

display nat aging-time

View

Any view

Parameter

None

Description

Use the display nat aging-time command to display the settings for NAT entry aging time.

Example

# Display the settings for NAT table entry aging time.

<H3C> display nat aging-time

NAT aging-time value information:

     alg ---- aging-time value is    120 (seconds)

     ftp ---- aging-time value is   7200 (seconds)

The slot 3 NP-timer configuration:

    Selection of NP-timer is : Fast-Timer

    Fast-Timer : 300 seconds

    Slow-Timer : 3600 seconds

Table 1-1 Description on the fields of the display nat aging-time command

Field | Description
NAT aging-time value information | NAT aging time information follows.
alg ---- aging-time value is 120 (seconds) | The aging time for ALG NAT entries is 120 seconds.
ftp ---- aging-time value is 7200 (seconds) | The aging time for FTP connections is 7200 seconds.
The slot 3 NP-timer configuration | The NP-timer settings on the board in slot 3 follow.
Selection of NP-timer is : Fast-Timer | The fast NP timer is selected.
Fast-Timer : 300 seconds | The fast timer is 300 seconds.
Slow-Timer : 3600 seconds | The slow timer is 3600 seconds.

 

1.1.3  display nat all

Syntax

display nat all

View

Any view

Parameter

None

Description

Use the display nat all command to display all information of the current NAT configurations, including NAT address pool, NAT ACL (ACL referenced by nat outbound command), internal server and aging time related configurations.

Example

# Display all information of the current NAT configurations.

<H3C> display nat all

NAT address-group information:

  1 : from         3.3.3.6   to         3.3.3.8  slot: 5

NAT outbound information:

  Vlan-interface3: acl(2000) --- NAT address-group(1) slot:  5

Server in private network information:

  Interface    GlobalAddr    GlobalPort   InsideAddr   InsidePort Pro   Slot

  Vlanif3      3.3.3.10      21(ftp)     192.168.1.10   21(ftp)  6(tcp)  5

NAT aging-time value information:

  alg ---- aging-time value is    120 (seconds)

  ftp ---- aging-time value is   7200 (seconds)

The slot 5 NP-timer configuration:

  Selection of NP-timer is : Fast-Timer

  Fast-Timer : 300 seconds

  Slow-Timer : 3600 seconds

1.1.4  display nat blacklist

Syntax

display nat blacklist { all | ip [ ip-address ] slot slot-number }

View

Any view

Parameter

all: Displays all blacklist configurations and status.

ip: Displays IP address-specific blacklist configurations and status.

ip-address: IP address whose blacklist configuration you want to query.

slot-number: Slot number of an LPU.

Description

Use the display nat blacklist command to display the configuration and status of the NAT blacklist.

• The display nat blacklist all command displays all blacklist configurations.

• The display nat blacklist ip [ ip-address ] slot slot-number command displays IP address-specific blacklist configurations and status.

Example

# Display all blacklist configurations.

<H3C> display nat blacklist all

Blacklist function global configuration:

  Blacklist function of the NO. 7 L3plus board is started.

  Connection amount control is enabled.

  Connection set-up rate control is enabled.

  Amount control limit: 500 sessions.

  Rate control limit: 250 session/s.

  Special rate control limit: 250 session/s.

  Global Committed Burst Size is 375

  Special IP Committed Burst Size is 375

  Global Extended Burst Size is 0

  Special IP Extended Burst Size is 0

Altogether 1 IP addresses have special configuration:

Control limit configuration of IP 1.1.1.1:

  Amount control limit: 100 sessions.

  Rate control limit uses global configuration.

# Display blacklist status on the LPU in slot 6.

<H3C> display nat blacklist ip slot 6

This query may last a long time, please wait for a moment...

 There are  6  ip address in blacklist.

     192.168.1.4      192.168.1.1      192.168.1.5      192.168.1.2

     192.168.1.6      192.168.1.3

1.1.5  display nat outbound

Syntax

display nat outbound

View

Any view

Parameter

None

Description

Use the display nat outbound command to display all ACL-NAT address pool associations.

Example

# Display all ACL-NAT address pool associations.

<H3C> display nat outbound

NAT outbound information:

  Vlan-interface2: acl(2001) --- NAT address-group(1) [no-pat] slot:3

  Vlan-interface2: acl(2002) --- NAT address-group(0) slot:3

  Vlan-interface3: acl(2001) --- NAT address-group(2) [no-pat] slot:3

  Vlan-interface3: acl(2002) --- interface slot:3

1.1.6  display nat server

Syntax

display nat server

View

Any view

Parameter

None

Description

Use the display nat server command to display information about all internal servers.

Example

# Display information about all internal servers.

<H3C> display nat server

Server in private network information:

 Interface    GlobalAddr  GlobalPort    InsideAddr    InsidePort   Pro   Slot

 Vlanif2        1.1.1.1   80(www)          4.4.4.4   80(www)  6(tcp)  3

 Vlanif2        2.2.2.2   53(dns)          3.3.3.3   53(dns) 17(udp)  3

 Vlanif3        2.2.2.3  69(tftp)          4.4.4.5  69(tftp) 17(udp)  3

1.1.7  display nat statistics

Syntax

display nat statistics slot slot-number

View

Any view

Parameter

slot-number: Slot number of an LPU.

Description

Use the display nat statistics command to display the current NAT statistics.

Example

# Display the current NAT statistics.

<H3C> display nat statistics slot 3

Current statistics information in slot 3:

  active PAT session table count in CPU: 0

  active PAT session table count in NP: 1

  active NO-PAT session table count: 0

  active SERVER session table count: 0

  the number of good packet in NP: 0

  the number of bad packet in NP: 0

1.1.8  nat address-group

Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameter

group-number: Address pool index, a number ranging from 0 to 319.

start-addr: Start IP address of the address pool.

end-addr: End IP address of the address pool.

Description

Use the nat address-group command to configure a NAT address pool.

Use the undo nat address-group command to delete a NAT address pool.

A NAT address pool is a set of consecutive public IP addresses. If start-addr and end-addr are the same, there is only one address in the pool.

 

Caution:

• A NAT address pool can contain at most 256 IP addresses.

• You cannot delete an address pool that has been associated with an ACL.

• An address pool can be used for NAPT (network address port translation) only when it contains no more than three addresses.

 

Example

# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat address-group 1 202.110.10.10 202.110.10.15

1.1.9  nat aging-time

Syntax

nat aging-time { alg time-value | np slow } slot slot-number

undo nat aging-time [ alg | np ] slot slot-number

View

System view

Parameter

alg: Sets the NAT connection aging time for CPU-processed ALG (application layer gateway) NAT mapping entries.

time-value: Aging time in seconds, ranging from 10 to 86,400. By default, it is 120.

np slow: Sets the NP (network processor) to use the slow aging timer (the aging time is 3,600 seconds). By default, the NP uses the fast aging timer (the aging time is 300 seconds).

slot-number: Slot number of an LPU.

Description

Use the nat aging-time command to set the NAT connection aging time for CPU processed ALG NAT mapping entries or the NAT connection aging time for NP processed NAT mapping entries. A NAT connection is terminated when its aging time expires.

Use the undo nat aging-time command to restore the default settings for NAT connection aging time. Executing this command will set the aging time for ALG entries to 120 seconds and enable the NP to use the fast aging timer.

Example

# Set the NAT connection aging time for ALG entries to 245 seconds for the LPU in slot 6.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat aging-time alg 245 slot 6

1.1.10  nat blacklist start

Syntax

nat blacklist start slot slot-number

undo nat blacklist start slot slot-number

View

System view

Parameter

slot slot-number: Specifies the slot number of an LPU.

Description

Use the nat blacklist start command to enable NAT blacklist for an LPU.

Use the undo nat blacklist start command to disable NAT blacklist for an LPU.

By default, the feature is disabled.

Example

# Enable NAT blacklist for the LPU in slot 3.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist start slot 3

1.1.11  nat blacklist mode

Syntax

nat blacklist mode { all | amount | rate }

undo nat blacklist mode { all | amount | rate }

View

System view

Parameter

all: Controls both the number of NAT connections and the connection setup rate.

amount: Controls the number of NAT connections.

rate: Controls the connection setup rate.

 

Note:

A connection here refers to an address mapping established during NAT, and the connection setup rate refers to the rate at which NAT connections are established.

 

Description

Use the nat blacklist mode command to set the control mode of the NAT blacklist feature, thus using the feature to control the number of NAT connections, the connection setup rate, or both.

Use the undo nat blacklist mode command to cancel the setting of NAT blacklist control mode.

 

Caution:

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Example

# Configure the NAT blacklist feature to control the number of NAT connections.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist mode amount

1.1.12  nat blacklist limit amount

Syntax

nat blacklist limit amount [ source user-ip ] amount-value

undo nat blacklist limit amount [ source user-ip ]

View

System view

Parameter

amount: Limits the number of NAT connections.

user-ip: IP address of a user.

amount-value: Control threshold for the number of NAT connections per user. This argument ranges from 20 to 20,000.

Description

Use the nat blacklist limit amount command to set the global or a specific control threshold for the number of NAT connections, so as to limit the number of NAT connections that can be established for each global user or a specific user.

Use the undo nat blacklist limit amount command to restore the default control threshold for the number of NAT connections.

The default control threshold for the number of NAT connections is 500.

• If you do not use the source keyword, the command applies to global users.

• If you use the source keyword, the command applies to the user with the specified IP address.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set a different threshold for each specified user to limit its number of NAT connections. With the nat blacklist limit rate source ip command, however, the thresholds you set for the connection setup rate apply to all specific users (the users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Example

# Set the global threshold to control the number of NAT connections per user.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit amount 600

# Set a specific threshold to control the number of NAT connections of the user with IP address 1.1.1.2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit amount source 1.1.1.2 800

1.1.13  nat blacklist limit rate

Syntax

nat blacklist limit rate [ source ip ] cir cir-value [ cbs cbs-value ebs ebs-value ]

undo nat blacklist limit rate [ source ip ]

View

System view

Parameter

source ip: Specifies that the control thresholds for connection setup rate are set for specific source IP addresses (IP addresses specified by the nat blacklist limit rate source user-ip command).

cir-value: CIR control threshold for the connection setup rate, that is, the long-term average rate on the port, in sessions per second. This argument ranges from 20 to 262,144. The default value is 250. (CIR: committed information rate.)

cbs-value: CBS control threshold for the connection setup rate, in sessions per second. This argument ranges from cir-value to 90 x cir-value and must be less than 4,294,960. The default value is 375. (CBS: committed burst size.)

ebs-value: EBS control threshold for the connection setup rate, in sessions per second. This argument ranges from 0 to 90 x cir-value and must be less than or equal to cbs-value. The default value is 0. (EBS: extended burst size.)

Description

Use the nat blacklist limit rate command to set the global or specific control thresholds for connection setup rate (number of connections established per second).

Use the undo nat blacklist limit rate command to restore the default control thresholds for connection setup rate.

Note that:

• If you do not use the source ip keyword, the command applies to all global users.

• If you use the source ip keyword, the command applies only to specific users (users specified by the nat blacklist limit rate source user-ip command with source IP addresses).

• If you do not use the nat blacklist limit rate command, the system adopts the default values for cir-value, cbs-value, and ebs-value. They are 250, 375, and 0 respectively.

• If you only configure cir-value by using the nat blacklist limit rate command, the value of cbs-value is cir-value x 1.5 and the value of ebs-value is 0.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set a different threshold for each specified user to limit its number of NAT connections. With the nat blacklist limit rate source ip command, however, the thresholds you set for the connection setup rate apply to all specific users (the users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Example

# Set the specific CIR, CBS and EBS control thresholds to 100, 500 and 40 respectively.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit rate source ip cir 100 cbs 500 ebs 40
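The cir/cbs/ebs rules of nat blacklist limit rate as a small Python model, added here as an example and not part of the H3C manual. The range checks and defaulting (250/375/0, and cbs = cir x 1.5 when only cir is given) follow the parameter descriptions in this section; the token-bucket simulation is an assumed single-rate model (a committed bucket of cbs sessions refilled at cir per second, with an ebs overflow bucket), since this page does not specify the switch's actual rate-control algorithm.

```python
"""Model the thresholds of `nat blacklist limit rate` (added example, not H3C code)."""
from typing import List, NamedTuple, Optional

# Ranges and defaults as stated in the parameter descriptions of this section.
CIR_MIN, CIR_MAX = 20, 262_144
CBS_ABS_LIMIT = 4_294_960                 # cbs must be less than this value
CIR_DEFAULT, CBS_DEFAULT, EBS_DEFAULT = 250, 375, 0


class RateLimit(NamedTuple):
    cir: int   # long-term average, new sessions per second
    cbs: int   # committed burst
    ebs: int   # extended burst


def resolve_rate_limit(cir: Optional[int] = None,
                       cbs: Optional[int] = None,
                       ebs: Optional[int] = None) -> RateLimit:
    """Apply the defaulting rules of the command and validate the result.

    - command not configured   -> 250 / 375 / 0
    - only cir given           -> cbs = cir x 1.5, ebs = 0
    - cir, cbs and ebs given   -> checked against the documented ranges
    """
    if cir is None:
        if cbs is not None or ebs is not None:
            raise ValueError("cbs and ebs can only be given together with cir")
        return RateLimit(CIR_DEFAULT, CBS_DEFAULT, EBS_DEFAULT)
    if not CIR_MIN <= cir <= CIR_MAX:
        raise ValueError(f"cir {cir} outside {CIR_MIN}..{CIR_MAX}")
    if cbs is None and ebs is None:
        return RateLimit(cir, int(cir * 1.5), 0)
    if cbs is None or ebs is None:
        raise ValueError("the syntax takes cbs and ebs as a pair")
    if not (cir <= cbs <= 90 * cir and cbs < CBS_ABS_LIMIT):
        raise ValueError(f"cbs {cbs} must be in {cir}..{90 * cir} and below {CBS_ABS_LIMIT}")
    if not (0 <= ebs <= 90 * cir and ebs <= cbs):
        raise ValueError(f"ebs {ebs} must be in 0..{min(90 * cir, cbs)}")
    return RateLimit(cir, cbs, ebs)


def sessions_over_limit(limit: RateLimit, new_sessions_per_second: List[int]) -> List[int]:
    """ASSUMED model: single-rate token bucket, one token per new NAT session.

    Returns, for each second, how many session set-ups exceeded both the
    committed (cbs) and extended (ebs) buckets, i.e. would count against the
    source under rate control.  Buckets start full; every second cir tokens
    are added to the committed bucket and any overflow tops up the extended one.
    """
    committed, extended = limit.cbs, limit.ebs
    excess = []
    for second, n in enumerate(new_sessions_per_second):
        if second > 0:
            committed += limit.cir
            if committed > limit.cbs:
                extended = min(limit.ebs, extended + committed - limit.cbs)
                committed = limit.cbs
        from_c = min(n, committed)          # served from the committed bucket
        committed -= from_c
        from_e = min(n - from_c, extended)  # then from the extended bucket
        extended -= from_e
        excess.append(n - from_c - from_e)  # the rest exceeds the thresholds
    return excess


if __name__ == "__main__":
    # The section's own example: cir 100 cbs 500 ebs 40.
    limit = resolve_rate_limit(100, 500, 40)
    # Constructed traffic: a 500-session burst, then 200 and 50 new sessions/s.
    print(limit, sessions_over_limit(limit, [500, 200, 50]))   # [0, 60, 0]
```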

1.1.14  nat blacklist limit rate source

Syntax

nat blacklist limit rate source user-ip

undo nat blacklist limit rate source user-ip

View

System view

Parameter

user-ip: IP address of a user.

Description

Use the nat blacklist limit rate source command to specify the IP address of a user so that the specific connection setup rate control thresholds apply to that user.

Use the undo nat blacklist limit rate source command to remove the configuration.

 

Caution:

• With the nat blacklist limit amount source user-ip command, you can set a different threshold for each specified user to limit its number of NAT connections. With the nat blacklist limit rate source ip command, however, the thresholds you set for the connection setup rate apply to all specific users (the users specified by the nat blacklist limit rate source user-ip command); you cannot set different rate thresholds for different specific users.

• Each command that is used to modify blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.

• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.

 

Example

# Specify to control user 2.2.2.2 with specific connection setup rate thresholds.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] nat blacklist limit rate source 2.2.2.2

1.1.15  nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number

undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number

View

VLAN interface view

Parameter

address-group: Specifies an address pool to be used for NAT. If you do not specify an address pool in the command, the IP address of the current interface will be used as the translated source IP address, that is, the Easy IP feature is enabled.

no-pat: Specifies to use one-to-one NAT, so that only the source IP addresses in packets are translated while the port numbers are not translated.

acl-number: Index of an ACL, in the range from 2000 to 3999.

group-number: Index of a NAT address pool, in the range from 0 to 319.

slot-number: Slot number of an LPU, to which the address pool will be bound. All NAT operations using the NAT rule will be carried out on this LPU.

Description

Use the nat outbound command to associate an ACL with a NAT address pool, and bind the address pool to an LPU, so as to translate the addresses matching the ACL to the addresses in the pool on the LPU.

Use the undo nat outbound command to remove the configuration.

If you use the nat outbound command to associate an ACL with an address pool, the NAT process will use the IP addresses in the pool to translate the source addresses of the packets that match the ACL. You can configure multiple NAT associations on a VLAN interface, which is normally connected to an ISP network and serves as the egress of the internal network.

If you execute the nat outbound command without the address-group keyword, the Easy IP feature is implemented, and the IP address of the interface is used to translate the source addresses that match the specified ACL.

When you execute the nat outbound command on a VLAN interface with an address pool specified, the address pool should be on the same network segment as the IP address of the VLAN interface. Otherwise, NAT may not operate normally. In this case, you can use one of the following two ways to solve the problem.

1) Configuring a static route: Configure a static route to the VLAN interface on an upstream router (a router on the upstream network of the NAT-enabled switch).

2) Using a routing protocol to advertise the routes of the IP addresses in the address pool: To do this, configure static routes for the IP addresses in the address pool on the NAT-enabled switch, with the outbound interface being NULL. Note that the configured static route segments should accommodate the combined segments of the IP addresses in the address pool.

 

Note:

• For the NAT function, basic ACLs (2000 to 2999) support only the source IP address as a filtering item, and advanced ACLs (3000 to 3999) support both the source IP address and the destination IP address as filtering items. Other ACL filtering items are not supported currently.

• After you configure the nat outbound command with an ACL, any modifications to the ACL (adding/deleting rules) will not take effect on the NAT configuration.

 

Example

Perform the following procedure to allow hosts on segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to 202.110.10.12. Suppose VLAN interface 2 is connected to an ISP network.

# Configure an ACL.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000

[H3C-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255

[H3C-acl-basic-2000] rule deny

[H3C-acl-basic-2000] quit

# Configure a NAT address pool.

[H3C] nat address-group 1 202.110.10.10 202.110.10.12

# Configure NAPT on the LPU in slot 3 with address pool 1.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] nat outbound 2000 address-group 1 slot 3

# Remove the NAPT configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 slot 3

# Configure one-to-one NAT on the LPU in slot 3 with address pool 1.

[H3C-Vlan-interface2] nat outbound 2000 address-group 1 no-pat slot 3

# Remove the one-to-one NAT configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 no-pat slot 3

# Configure the Easy IP feature, to directly use the IP address of VLAN interface 2 for address translation.

[H3C-Vlan-interface2] nat outbound 2000 slot 3

# Remove the Easy IP configuration.

[H3C-Vlan-interface2] undo nat outbound 2000 slot 3

1.1.16  nat server

Syntax

1) Configure an internal server

• Use the following command when TCP/UDP is used.

nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number

• Use the following command when protocols other than TCP/UDP are used.

nat server protocol pro-type global global-addr inside host-addr slot slot-number

2) Delete an internal server

• Use the following command when TCP/UDP is used.

undo nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number

• Use the following command when protocols other than TCP/UDP are used.

undo nat server protocol pro-type global global-addr inside host-addr slot slot-number

3) Configure a group of consecutive internal servers

nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number

4) Delete a group of consecutive internal servers

undo nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number

View

VLAN interface view

Parameter

pro-type: Protocol carried by the IP protocol, which can be specified by using a keyword such as tcp, udp, or icmp.

global-addr: Public IP address provided for access from external networks.

global-port: Public port number provided for access from external networks.

host-addr: Private IP address of an internal server.

host-port: Private port number provided by the server, in the range from 0 to 65535. At the position of this argument, you can also use a keyword to indicate a well-known port. For example, you can use www for WWW service port 80, and ftp for FTP service port 21. The keyword any has the same meaning as port number 0, which indicates that the internal server can provide any available service in the internal network; this is not supported currently.

 

Caution:

The global-port and host-port arguments are omitted when the protocol is neither TCP nor UDP, because such protocols do not use port numbers.

 

global-port1, global-port2: Specifies a range of consecutive port numbers, which correspond one-to-one to the private addresses in the specified internal host address range. global-port2 must be larger than global-port1.

host-addr1, host-addr2: Specifies a range of consecutive addresses, which correspond one-to-one to the port numbers in the above port number range. host-addr2 must be larger than host-addr1.

slot-number: Slot number of an LPU.

Description

Use the nat server command to define mapping table entries for internal servers. By using the address and port number specified by the global-addr and the global-port arguments for an internal server, external users can access the internal server with the address and port number specified by the host-addr and host-port arguments.

Use the undo nat server command to delete an internal server mapping entry.

You can use the nat server command to allow some internal servers to be accessed by external users. Some examples of such servers are WWW, FTP, Telnet, POP3, and DNS.

 

Caution:

• Up to 128 internal servers can be configured in one nat server command.

• Up to 768 nat server commands can be configured for one VLAN interface.

• Up to 4,096 internal servers can be configured for one VLAN interface.

• Up to 1,024 nat server commands and 4,096 internal servers can be configured in a system.

 

Note:

• The interface configured with this command is an egress of the internal network and should be directly connected to an ISP network.

• Currently, secondary address translations on a NAT connection are not supported.

• To use the NetMeeting software or enable an internal FTP server, you need to configure both the nat server and nat outbound commands. For details, refer to "1.1.15 nat outbound".

 

Example

# Specify the IP address of the internal WWW server to be 10.110.10.10, the IP address of the internal FTP server to be 10.110.10.11, and allow external hosts to access the WWW server and FTP server by http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Suppose that VLAN interface 2 is connected to an ISP network.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify an internal host 10.110.10.12 which can be successfully pinged by external hosts using the ping 202.110.10.11 command.

[H3C-Vlan-interface2] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2

# Delete the WWW server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

# Delete the FTP server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify an external address 202.110.10.10, map ports from 1001 to 1100 to the Telnet service of internal hosts from 10.110.10.1 to 10.110.10.100, thus allowing external access to 10.110.10.1 through 202.110.10.10:1001, access to 10.110.10.2 through 202.110.10.10:1002, and so on.

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 5
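The consecutive-servers form of nat server, and the limits the Caution above places on it, as a Python model added here as an example (not H3C code). It expands a port range such as 1001..1100 onto the matching host address range, enforces global-port2 > global-port1, host-addr2 > host-addr1, equal range lengths and the 128-servers-per-command limit, and flags a new rule whose public protocol/address/port tuple is already mapped to another internal host. The port keyword table is limited to the names this page uses, and the port-less form for protocols such as icmp is not modelled.

```python
"""Expand and check `nat server` mappings (added example, not H3C code)."""
import ipaddress
from typing import Iterable, List, NamedTuple, Union

# Only the well-known port keywords this page uses; the switch accepts more.
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "dns": 53, "tftp": 69, "www": 80}
MAX_SERVERS_PER_COMMAND = 128       # limit stated in the Caution of this section


class ServerEntry(NamedTuple):
    proto: str
    global_addr: str
    global_port: int
    inside_addr: str
    inside_port: int
    slot: int


def parse_port(value: Union[int, str]) -> int:
    """Accept a port number or one of the keywords (www, ftp, ...) and return the port."""
    if isinstance(value, str) and value in PORT_KEYWORDS:
        port = PORT_KEYWORDS[value]
    else:
        port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def single_server(proto: str, global_addr: str, global_port, host_addr: str,
                  host_port, slot: int) -> ServerEntry:
    """The TCP/UDP single-server form of the command."""
    return ServerEntry(proto, global_addr, parse_port(global_port),
                       str(ipaddress.IPv4Address(host_addr)), parse_port(host_port), slot)


def expand_server_range(proto: str, global_addr: str, global_port1, global_port2,
                        host_addr1: str, host_addr2: str, host_port, slot: int) -> List[ServerEntry]:
    """Expand the consecutive-servers form into one entry per internal host.

    global-port1 maps to host-addr1, global-port1 + 1 to the next host address,
    and so on; the port range and the address range must therefore be the same size.
    """
    p1, p2 = parse_port(global_port1), parse_port(global_port2)
    if p2 <= p1:
        raise ValueError("global-port2 must be larger than global-port1")
    a1, a2 = ipaddress.IPv4Address(host_addr1), ipaddress.IPv4Address(host_addr2)
    if a2 <= a1:
        raise ValueError("host-addr2 must be larger than host-addr1")
    count = p2 - p1 + 1
    if int(a2) - int(a1) + 1 != count:
        raise ValueError("port range and address range differ in length")
    if count > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"{count} servers exceed the {MAX_SERVERS_PER_COMMAND} allowed per command")
    hp = parse_port(host_port)
    return [ServerEntry(proto, global_addr, p1 + i, str(a1 + i), hp, slot) for i in range(count)]


def find_conflicts(existing: Iterable[ServerEntry], new: Iterable[ServerEntry]) -> List[ServerEntry]:
    """Return the new entries whose public (proto, addr, port) tuple is already mapped.

    Two internal hosts cannot share one public tuple, so a collision usually means
    an exposure was mistyped or is being duplicated; review it before committing.
    """
    taken = {(e.proto, e.global_addr, e.global_port) for e in existing}
    return [e for e in new if (e.proto, e.global_addr, e.global_port) in taken]


if __name__ == "__main__":
    # The section's example: ports 1001..1100 -> 10.110.10.1..10.110.10.100, telnet.
    telnet = expand_server_range("tcp", "202.110.10.10", 1001, 1100,
                                 "10.110.10.1", "10.110.10.100", "telnet", 5)
    print(len(telnet), telnet[0], telnet[-1])
```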

1.1.17  reset nat

Syntax

reset nat session slot slot-number

View

User view

Parameter

slot-number: Slot number of an LPU.

Description

Use the reset nat session command to clear the NAT mapping table from memory and from the NP (network processor).

Example

# Clear the NAT mapping table established by the LPU in slot 3.

<H3C> reset nat session slot 3

1.1.18  nat ftp server

Syntax

nat ftp server global global-addr global-port inside host-addr host-port slot slot-number

undo nat ftp server global global-addr global-port inside host-addr host-port slot slot-number

View

VLAN interface view

Parameter

global-addr: Public IP address of an internal FTP server.

global-port: Public port number of the internal FTP server. This argument ranges from 0 to 12287. For port 21, you can use the keyword ftp to replace this argument.

host-addr: Private IP address of the internal FTP server.

host-port: Private port number of the internal FTP server. This argument ranges from 0 to 65535. For port 21, you can use keyword ftp to replace this argument.

 

Caution:

Among ports 0 through 65535, well-known ports other than port 21 cannot be used as the private port of a non-standard internal FTP server. The CLI prompts you if you specify one of them in the commands listed below, and the CLI command help lists these well-known ports.

 

slot-number: Slot number of an LPU.

Description

Use the nat ftp server command to configure a non-standard internal FTP server.

Use the undo nat ftp server command to remove a non-standard internal FTP server configuration.

These two commands can be accompanied by other internal server-related commands, such as the nat server and undo nat server commands. In this case, bear in mind that:

• The nat server command can only be used to configure internal FTP servers that use private port 21.

• The undo nat server command can be used to remove internal FTP servers configured by the nat ftp server command.

• The undo nat ftp server command can be used to remove internal FTP servers configured by the nat server command.

Related command: nat server.

Example

# Configure a non-standard internal FTP server that uses 202.10.10.1 and 11225 as the public IP address and port number, and 1.1.1.3 and 1698 as the private IP address and port number.

<H3C> system-view

[H3C] interface vlan-interface 3

[H3C-Vlan-interface3] nat ftp server global 202.10.10.1 11225 inside 1.1.1.3 1698 slot 3

1.2  NAT Security Logging Configuration Commands

1.2.1  display ip userlog export

Syntax

display ip userlog export slot slot-number

View

Any view

Parameter

slot-number: Slot number of an LPU.

Description

Use the display ip userlog export command to display the configuration and statistics of NAT logging for the LPU in the specified slot.

Example

# Display the configuration of NAT logging on the LPU in slot 6.

<H3C> display ip userlog export slot 6

NAT:

  IP userlog export is not enabled

  Version 1 export is enabled

  Export logs to 0.0.0.0 (Port: 0)

  (DEFAULT)Export logs to 0.0.0.0 (Port: 0)

  Export using source address 0.0.0.0

  IP userlog flowbegin mode is not enabled

  IP userlog active time: 0 minutes

  0 logs exported in 0 udp datagrams

  0 logs in 0 udp datagrams failed to output

  0 entries buffered currently

1.2.2  ip userlog nat slot

Syntax

ip userlog nat slot slot-number acl acl-number

undo ip userlog nat slot slot-number

View

System view

Parameter

slot-number: Slot number of an LPU.

acl-number: Index of an ACL, in the range from 2000 to 3999.

Description

Use the ip userlog nat slot slot-number acl command to enable NAT logging on the LPU in the specified slot and to set the logging ACL, which defines which packets' information is logged.

Use the undo ip userlog nat slot command to disable NAT logging.

By default, NAT logging is disabled for any LPU.

Example

# Enable NAT logging on the LPU in slot 3, and use ACL 2000 as the logging ACL.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat slot 3 acl 2000

1.2.3  ip userlog nat active-time

Syntax

ip userlog nat active-time minutes

undo ip userlog nat active-time

View

System view

Parameter

minutes: Wait interval to log active NAT connections, in minutes. The NAT process will periodically log an active connection at this interval after the active time of the connection reaches this interval. This argument ranges from 10 to 120. The default value is 0, indicating the logging of active connections is disabled.

Description

Use the ip userlog nat active-time command to set the wait interval to log active NAT connections.

Use the undo ip userlog nat active-time command to disable the logging of active connections.

The NAT process normally logs a NAT connection only when the connection is deleted. For connections that stay active for a long time, you may want the NAT process to log them periodically at a fixed interval. This command does that by setting the corresponding timer on the SRPU.

Example

# Set the wait interval to log active NAT connections to 30 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat active-time 30

1.2.4  ip userlog nat export host

Syntax

ip userlog nat export [ slot slot-number ] host ip-address udp-port

undo ip userlog nat export [ slot slot-number ] host

View

System view

Parameter

ip-address: IP address of a log server, that is, the destination IP address for log packets. By default, it is 0.0.0.0, indicating that no log server is configured and log export is disabled.

udp-port: UDP port number of a log server, that is, the destination port number for log packets. It ranges from 0 to 65535 and is 0 by default.

slot-number: Slot number of an LPU. If you specify the slot-number argument, the configuration is only effective for the specified LPU; otherwise, the configuration is effective for all LPUs. The configuration with the slot-number argument specified takes precedence over the global configuration.

Description

Use the ip userlog nat export host command to set the address and port number of the global destination server for log packets.

Use the undo ip userlog nat export host command to restore the default settings for global destination server.

Use the ip userlog nat export slot slot-number host command to set the address and port number of a specific destination server for log packets on a specified LPU.

Use the undo ip userlog nat export slot slot-number host command to restore the settings of global destination server for log packets on a specified LPU.

Example

# Set the destination IP address and UDP port number of log packets on the LPU in slot 3 to 169.254.1.1 and 200 respectively.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export slot 3 host 169.254.1.1 200

1.2.5  ip userlog nat export source-ip

Syntax

ip userlog nat export source-ip src-address

undo ip userlog nat export source-ip

View

System view

Parameter

src-address: Source IP address for log packets. The default source IP address is 0.0.0.0, indicating that the VLAN interface IP address is used as the source IP address.

Description

Use the ip userlog nat export source-ip command to set the source IP address of log packets.

Use the undo ip userlog nat export source-ip command to restore the default source IP address setting.

By default, a log packet uses the IP address of the VLAN interface it is sent from as its source IP address.

Example

# Set the source IP address of log packets to 169.254.3.1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export source-ip 169.254.3.1

1.2.6  ip userlog nat export version

Syntax

ip userlog nat export version version-number

undo ip userlog nat export version

View

System view

Parameter

version-number: Version of log packets. It defaults to 1, which is currently the only supported value. The version field is reserved so that network management software can identify extended log packet formats in the future.

Description

Use the ip userlog nat export version command to set the version of log packets.

Use the undo ip userlog nat export version command to restore the default version of log packets.

Example

# Set the version of log packets to 1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat export version 1

1.2.7  ip userlog nat mode flow-begin

Syntax

ip userlog nat mode flow-begin

undo ip userlog nat mode flow-begin

View

System view

Parameter

None

Description

Use the ip userlog nat mode flow-begin command to have NAT logging performed whenever a NAT connection is established, in addition to when it is deleted.

Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.

NAT logging has the following two modes; use the commands above to select one.

l           Perform logging only when a NAT connection is deleted.

l           Perform logging whenever a NAT connection is established or deleted.

By default, the NAT logging is performed only when a NAT connection is deleted.

Example

# Configure to have NAT logging performed whenever a connection is established.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] ip userlog nat mode flow-begin
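The commands in 1.2.2 through 1.2.7 are each shown above in isolation. The following is an added configuration example, not taken from the H3C manual, that assembles them into one complete NAT logging setup for the LPU in slot 3, followed by verification and rollback. The ACL definition (acl number and rule permit source) is assumed from Comware basic ACL syntax, which this page does not document; the subnet 10.1.1.0/24, the collector 169.254.1.1, the source address 169.254.3.1 and UDP port 200 are constructed values.

```h3c
# Step 1: define the logging ACL. Only packets matching the ACL are logged,
# so scope it to the internal subnet of interest.
# (Assumed Comware basic ACL syntax; 10.1.1.0/24 is a constructed subnet.)
<H3C> system-view
[H3C] acl number 2000
[H3C-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
[H3C-acl-basic-2000] quit

# Step 2: point log export at the collector. The global host applies to
# every LPU; the per-slot host overrides it for slot 3 only. Export is
# plain UDP with no authentication or encryption, so keep the collector on
# a management network and filter the UDP port at its edge.
[H3C] ip userlog nat export host 169.254.1.1 200
[H3C] ip userlog nat export slot 3 host 169.254.1.1 200

# Step 3: fix the source address so the collector keys on one IP instead of
# whichever VLAN-interface address a packet happens to leave from.
[H3C] ip userlog nat export source-ip 169.254.3.1

# Step 4 (optional): log long-lived connections every 30 minutes instead of
# only at deletion, and log setup as well as teardown. Both increase log
# volume; flow-begin produces two records per connection instead of one.
[H3C] ip userlog nat active-time 30
[H3C] ip userlog nat mode flow-begin

# Step 5: enable logging on the LPU last, so the first exported records
# already carry the collector, source address and mode settings.
[H3C] ip userlog nat slot 3 acl 2000
[H3C] quit

# Verify: the export host, source address and mode should now be shown for
# slot 3, and the datagram counters should grow as NAT connections close.
<H3C> display ip userlog export slot 3

# Rollback, in reverse order of configuration.
<H3C> system-view
[H3C] undo ip userlog nat slot 3
[H3C] undo ip userlog nat mode flow-begin
[H3C] undo ip userlog nat active-time
[H3C] undo ip userlog nat export source-ip
[H3C] undo ip userlog nat export slot 3 host
[H3C] undo ip userlog nat export host
```

Enabling logging on the slot as the last step is a design choice, not a requirement stated by the manual: it avoids an initial burst of records that leave with the default 0.0.0.0 destination and source before the export settings are in place.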

 


Chapter 2  Netstream Configuration Commands

 

  Note:

Currently, the LS81VSNP boards installed in S7500 series switches support the Netstream feature. In this manual, the LS81VSNP board is called LPU.

 

2.1  Netstream Configuration Commands

2.1.1  display ip netstream cache

Syntax

display ip netstream cache slot slot-number

View

Any view

Parameter

slot-number: Slot number of an LPU.

Description

Use the display ip netstream cache command to display the Netstream configuration and status of the Netstream cache on the LPU in a specified slot.

Example

# Display information about the Netstream cache of the LPU in slot 3.

<H3C> display ip netstream cache slot 3

IP netstream cache information in slot 3

  Stream active timeout(minute)  : 15

  Stream inactive timeout(second): 60

  Active stream entry            : 50

  Stream entry been statistics    : 15

  Last statistics reset time     : none

 

 Protocol           Total  Packets   Stream   Packets Active(sec)   Idle(sec)
