Currently, the LS81VSNP boards installed in S7500 series switches support the NAT feature. In this manual, the LS81VSNP board is called LPU (line processing unit).
1.1.1 display nat address-group
Syntax
display nat address-group
View
Any view
Parameter
None
Description
Use the display nat address-group command to display NAT address pool configuration.
Example
# Display NAT address pool configuration.
<H3C> display nat address-group
NAT address-group information:
0 : from 1.1.1.1 to 1.1.1.2
1 : from 2.2.2.2 to 2.2.2.3 slot 3
1.1.2 display nat aging-time
Syntax
display nat aging-time
View
Any view
Parameter
None
Description
Use the display nat aging-time command to display the settings for NAT entry aging time.
Example
# Display the settings for NAT table entry aging time.
<H3C> display nat aging-time
NAT aging-time value information:
alg ---- aging-time value is 120 (seconds)
ftp ---- aging-time value is 7200 (seconds)
The slot 3 NP-timer configuration:
Selection of NP-timer is : Fast-Timer
Fast-Timer : 300 seconds
Slow-Timer : 3600 seconds
Table 1-1 Description on the fields of the display nat aging-time command
| Field | Description |
| NAT aging-time value information | NAT aging time information follows. |
| alg ---- aging-time value is 120 (seconds) | The aging time for ALG NAT entries is 120 seconds. |
| ftp ---- aging-time value is 7200 (seconds) | The aging time for FTP connections is 7200 seconds. |
| The slot 3 NP-timer configuration | The NP-timer settings on the board in slot 3 follow. |
| Selection of NP-timer is : Fast-Timer | The fast NP timer is selected. |
| Fast-Timer : 300 seconds | The fast timer is 300 seconds. |
| Slow-Timer : 3600 seconds | The slow timer is 3600 seconds. |
1.1.3 display nat all
Syntax
display nat all
View
Any view
Parameter
None
Description
Use the display nat all command to display all information about the current NAT configuration, including the NAT address pools, NAT ACLs (ACLs referenced by the nat outbound command), internal servers and aging time settings.
Example
# Display all information about the current NAT configuration.
<H3C> display nat all
NAT address-group information:
1 : from 3.3.3.6 to 3.3.3.8 slot: 5
NAT outbound information:
Vlan-interface3: acl(2000) --- NAT address-group(1) slot: 5
Server in private network information:
Interface  GlobalAddr  GlobalPort  InsideAddr    InsidePort  Pro     Slot
Vlanif3    3.3.3.10    21(ftp)     192.168.1.10  21(ftp)     6(tcp)  5
NAT aging-time value information:
alg ---- aging-time value is 120 (seconds)
ftp ---- aging-time value is 7200 (seconds)
The slot 5 NP-timer configuration:
Selection of NP-timer is : Fast-Timer
Fast-Timer : 300 seconds
Slow-Timer : 3600 seconds
1.1.4 display nat blacklist
Syntax
display nat blacklist { all | ip [ ip-address ] slot slot-number }
View
Any view
Parameter
all: Displays all blacklist configurations and status.
ip: Displays IP address-specific blacklist configurations and status.
ip-address: IP address whose blacklist configuration you want to query.
slot-number: Slot number of an LPU.
Description
Use the display nat blacklist command to display the configuration and status of the NAT blacklist feature.
• The display nat blacklist all command displays all blacklist configurations.
• The display nat blacklist ip [ ip-address ] slot slot-number command displays IP address-specific blacklist configurations and status.
Example
# Display all blacklist configurations.
<H3C> display nat blacklist all
Blacklist function global configuration:
Blacklist function of the NO. 7 L3plus board is started.
Connection amount control is enabled.
Connection set-up rate control is enabled.
Amount control limit: 500 sessions.
Rate control limit: 250 session/s.
Special rate control limit: 250 session/s.
Global Committed Burst Size is 375
Special IP Committed Burst Size is 375
Global Extended Burst Size is 0
Special IP Extended Burst Size is 0
Altogether 1 IP addresses have special configuration:
Control limit configuration of IP 1.1.1.1:
Amount control limit: 100 sessions.
Rate control limit uses global configuration.
# Display blacklist status on the LPU in slot 6.
<H3C> display nat blacklist ip slot 6
This query may last a long time, please wait for a moment...
There are 6 ip address in blacklist.
192.168.1.4 192.168.1.1 192.168.1.5
192.168.1.2 192.168.1.6 192.168.1.3
1.1.5 display nat outbound
Syntax
display nat outbound
View
Any view
Parameter
None
Description
Use the display nat outbound command to display all ACL-NAT address pool associations.
Example
# Display all ACL-NAT address pool associations.
<H3C> display nat outbound
NAT outbound information:
Vlan-interface2: acl(2001) --- NAT address-group(1) [no-pat] slot:3
Vlan-interface2: acl(2002) --- NAT address-group(0) slot:3
Vlan-interface3: acl(2001) --- NAT address-group(2) [no-pat] slot:3
Vlan-interface3: acl(2002) --- interface slot:3
1.1.6 display nat server
Syntax
display nat server
View
Any view
Parameter
None
Description
Use the display nat server command to display information about all internal servers.
Example
# Display information about all internal servers.
<H3C> display nat server
Server in private network information:
Interface  GlobalAddr  GlobalPort  InsideAddr  InsidePort  Pro      Slot
Vlanif2    1.1.1.1     80(www)     4.4.4.4     80(www)     6(tcp)   3
Vlanif2    2.2.2.2     53(dns)     3.3.3.3     53(dns)     17(udp)  3
Vlanif3    2.2.2.3     69(tftp)    4.4.4.5     69(tftp)    17(udp)  3
1.1.7 display nat statistics
Syntax
display nat statistics slot slot-number
View
Any view
Parameter
slot-number: Slot number of an LPU.
Description
Use the display nat statistics command to display the current NAT statistics.
Example
# Display the current NAT statistics.
<H3C> display nat statistics slot 3
Current statistics information in slot 3:
active PAT session table count in CPU: 0
active PAT session table count in NP: 1
active NO-PAT session table count: 0
active SERVER session table count: 0
the number of good packet in NP: 0
the number of bad packet in NP: 0
1.1.8 nat address-group
Syntax
nat address-group group-number start-addr end-addr
undo nat address-group group-number
View
System view
Parameter
group-number: Address pool index, a number ranging from 0 to 319.
start-addr: Start IP address of the address pool.
end-addr: End IP address of the address pool.
Description
Use the nat address-group command to configure a NAT address pool.
Use the undo nat address-group command to delete a NAT address pool.
A NAT address pool is a set of consecutive public IP addresses. If start-addr and end-addr are the same, the pool contains only one address.
Caution:
• A NAT address pool can contain at most 256 IP addresses.
• You cannot delete an address pool that has been associated with an ACL.
• An address pool can be used for NAPT (network address port translation) only when it contains no more than three addresses.
Example
# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat address-group 1 202.110.10.10 202.110.10.15
1.1.9 nat aging-time
Syntax
nat aging-time { alg time-value | np slow } slot slot-number
undo nat aging-time [ alg | np ] slot slot-number
View
System view
Parameter
alg: Sets the NAT connection aging time for ALG (application layer gateway) NAT mapping entries processed by the CPU.
time-value: Aging time in seconds, ranging from 10 to 86,400. By default, it is 120.
np slow: Sets the NP (network processor) to use the slow aging timer (the aging time is 3,600 seconds). By default, the NP uses the fast aging timer (the aging time is 300 seconds).
slot-number: Slot number of an LPU.
Description
Use the nat aging-time command to set the NAT connection aging time for ALG NAT mapping entries processed by the CPU, or the NAT connection aging time for NAT mapping entries processed by the NP. A NAT connection is terminated when its aging time expires.
Use the undo nat aging-time command to restore the default settings for the NAT connection aging time. Executing this command sets the aging time for ALG entries to 120 seconds and makes the NP use the fast aging timer.
Example
# Set the NAT connection aging time for ALG entries to 245 seconds for the LPU in slot 6.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat aging-time alg 245 slot 6
1.1.10 nat blacklist start
Syntax
nat blacklist start slot slot-number
undo nat blacklist start slot slot-number
View
System view
Parameter
slot slot-number: Specifies the slot number of an LPU.
Description
Use the nat blacklist start command to enable the NAT blacklist feature for an LPU.
Use the undo nat blacklist start command to disable the NAT blacklist feature for an LPU.
By default, the feature is disabled.
Example
# Enable the NAT blacklist feature for the LPU in slot 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist start slot 3
1.1.11 nat blacklist mode
Syntax
nat blacklist mode { all | amount | rate }
undo nat blacklist mode { all | amount | rate }
View
System view
Parameter
all: Controls both the number of NAT connections and the connection setup rate.
amount: Controls the number of NAT connections.
rate: Controls the connection setup rate.
A connection here refers to an address mapping established during NAT, and the connection setup rate is the rate at which NAT connections are established.
Description
Use the nat blacklist mode command to set the control mode of the NAT blacklist feature, that is, whether the feature controls the number of NAT connections, the connection setup rate, or both.
Use the undo nat blacklist mode command to cancel the NAT blacklist control mode setting.
Caution:
• Each command that modifies blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.
• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Configure the NAT blacklist feature to control the number of NAT connections.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist mode amount
1.1.12 nat blacklist limit amount
Syntax
nat blacklist limit amount [ source user-ip ] amount-value
undo nat blacklist limit amount [ source user-ip ]
View
System view
Parameter
amount: Limits the number of NAT connections.
user-ip: IP address of a user.
amount-value: Control threshold for the number of NAT connections per user. This argument ranges from 20 to 20,000.
Description
Use the nat blacklist limit amount command to set the global or a user-specific control threshold for the number of NAT connections, so as to limit the number of NAT connections that can be established for every user or for one specific user.
Use the undo nat blacklist limit amount command to restore the default control threshold for the number of NAT connections.
The default control threshold for the number of NAT connections is 500.
• If you do not use the source keyword, the command applies to all users globally.
• If you use the source keyword, the command applies to the user with the specified IP address.
Caution:
• With the nat blacklist limit amount source user-ip command, you can set different thresholds to limit the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the thresholds you set to limit the connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command), and you cannot set different thresholds for different specific users.
• Each command that modifies blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.
• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Set the global threshold to control the number of NAT connections per user.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit amount 600
# Set a specific threshold to control the number of NAT connections of the user with IP address 1.1.1.2.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit amount source 1.1.1.2 800
1.1.13 nat blacklist limit rate
Syntax
nat blacklist limit rate [ source ip ] cir cir-value [ cbs cbs-value ebs ebs-value ]
undo nat blacklist limit rate [ source ip ]
View
System view
Parameter
source ip: Specifies that the control thresholds for the connection setup rate are set for specific source IP addresses (the IP addresses specified by the nat blacklist limit rate source user-ip command).
cir-value: CIR control threshold for the connection setup rate, that is, the long-term average rate on the port, in sessions per second. This argument ranges from 20 to 262,144. The default value is 250. (CIR: committed information rate.)
cbs-value: CBS control threshold for the connection setup rate, in sessions per second. This argument ranges from cir-value to 90 x cir-value and must be less than 4,294,960. The default value is 375. (CBS: committed burst size.)
ebs-value: EBS control threshold for the connection setup rate, in sessions per second. This argument ranges from 0 to 90 x cir-value and must be less than or equal to cbs-value. The default value is 0. (EBS: extended burst size.)
Description
Use the nat blacklist limit rate command to set the global or specific control thresholds for the connection setup rate (the number of connections established per second).
Use the undo nat blacklist limit rate command to restore the default control thresholds for the connection setup rate.
Note that:
• If you do not use the source ip keyword, the command applies to all users globally.
• If you use the source ip keyword, the command applies only to specific users (users specified by the nat blacklist limit rate source user-ip command with their source IP addresses).
• If you do not use the nat blacklist limit rate command, the system adopts the default values for cir-value, cbs-value, and ebs-value, which are 250, 375, and 0 respectively.
• If you configure only cir-value with the nat blacklist limit rate command, cbs-value becomes cir-value x 1.5 and ebs-value becomes 0.
Caution:
• With the nat blacklist limit amount source user-ip command, you can set different thresholds to limit the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the thresholds you set to limit the connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command), and you cannot set different thresholds for different specific users.
• Each command that modifies blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.
• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Set the specific CIR, CBS and EBS control thresholds to 100, 500 and 40 respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit rate source ip cir 100 cbs 500 ebs 40
1.1.14 nat blacklist limit rate source
Syntax
nat blacklist limit rate source user-ip
undo nat blacklist limit rate source user-ip
View
System view
Parameter
user-ip: IP address of a user.
Description
Use the nat blacklist limit rate source command to specify the IP address of a user, so that the specific connection setup rate control thresholds apply to that user.
Use the undo nat blacklist limit rate source command to remove the configuration.
Caution:
• With the nat blacklist limit amount source user-ip command, you can set different thresholds to limit the NAT connection quantities of different specified users. With the nat blacklist limit rate source ip command, however, the thresholds you set to limit the connection setup rate apply to all specific users (users specified by the nat blacklist limit rate source user-ip command), and you cannot set different thresholds for different specific users.
• Each command that modifies blacklist-related configuration and is not source IP address-specific must be coupled with the reset nat session command.
• Although each blacklist-enabled LPU in the switch independently maintains its own blacklist information, blacklist-related configuration commands executed on the switch apply to all LPUs.
Example
# Specify that user 2.2.2.2 is controlled with the specific connection setup rate thresholds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] nat blacklist limit rate source 2.2.2.2
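The threshold rules spread over the nat blacklist limit amount, nat blacklist limit rate and nat blacklist limit rate source commands (ranges, defaults, the cbs = 1.5 x cir rule, and which thresholds a given user ends up with) are easy to get wrong when planning a configuration; the following added example, which is not H3C code, encodes those rules and resolves the effective limits per user, using the manual's own example values. The token bucket at the end is a standard model assumed here only to illustrate what cir and cbs mean; the switch's actual algorithm is not described in the manual.

```python
"""Resolve and validate NAT blacklist thresholds according to the rules this
manual gives for nat blacklist limit amount, nat blacklist limit rate and
nat blacklist limit rate source.

Added example, not H3C code. It encodes: the per-user connection limit
(20..20,000, default 500, global or per source IP); the rate thresholds
(cir 20..262,144, default 250; cbs in [cir, 90*cir] and below 4,294,960,
default 375, or 1.5*cir when only cir is given; ebs in [0, 90*cir] and not
above cbs, default 0); that 'source ip' rate thresholds are shared by every
user registered with nat blacklist limit rate source user-ip; and that a
change that is not source-specific must be followed by reset nat session.
The token bucket at the end is an assumed model used only to illustrate
cir and cbs.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

AMOUNT_RANGE = (20, 20_000)
CIR_RANGE = (20, 262_144)
CBS_HARD_MAX = 4_294_960
DEFAULT_AMOUNT, DEFAULT_CIR, DEFAULT_CBS, DEFAULT_EBS = 500, 250, 375, 0


@dataclass(frozen=True)
class RateLimit:
    cir: int   # sessions per second, long-term average
    cbs: int   # committed burst
    ebs: int   # extended burst


def make_rate_limit(cir: Optional[int] = None, cbs: Optional[int] = None,
                    ebs: Optional[int] = None) -> RateLimit:
    """Apply the manual's defaulting rules, then range-check the result."""
    if cir is None:
        if cbs is not None or ebs is not None:
            raise ValueError("cbs and ebs cannot be given without cir")
        return RateLimit(DEFAULT_CIR, DEFAULT_CBS, DEFAULT_EBS)
    if not CIR_RANGE[0] <= cir <= CIR_RANGE[1]:
        raise ValueError(f"cir {cir} outside {CIR_RANGE}")
    if cbs is None and ebs is None:          # only cir given
        cbs, ebs = int(cir * 1.5), 0
    elif cbs is None or ebs is None:         # syntax: cbs and ebs come together
        raise ValueError("cbs and ebs must be given together")
    if not (cir <= cbs <= 90 * cir and cbs < CBS_HARD_MAX):
        raise ValueError(f"cbs {cbs} must lie in [cir, 90*cir] and below {CBS_HARD_MAX}")
    if not (0 <= ebs <= 90 * cir and ebs <= cbs):
        raise ValueError(f"ebs {ebs} must lie in [0, 90*cir] and not exceed cbs")
    return RateLimit(cir, cbs, ebs)


@dataclass
class BlacklistConfig:
    """Thresholds as they apply on every blacklist-enabled LPU."""
    global_amount: int = DEFAULT_AMOUNT
    global_rate: RateLimit = field(default_factory=make_rate_limit)
    special_rate: RateLimit = field(default_factory=make_rate_limit)
    amount_by_ip: dict[str, int] = field(default_factory=dict)
    special_ips: set[str] = field(default_factory=set)   # limit rate source user-ip

    def limit_amount(self, value: int, source: Optional[str] = None) -> bool:
        """Set the global or a per-user connection limit. Returns True when
        the change is not source-specific and so needs reset nat session."""
        if not AMOUNT_RANGE[0] <= value <= AMOUNT_RANGE[1]:
            raise ValueError(f"amount {value} outside {AMOUNT_RANGE}")
        if source is None:
            self.global_amount = value
            return True
        self.amount_by_ip[source] = value
        return False

    def limit_rate(self, limit: RateLimit, source_ip: bool = False) -> bool:
        """Set the global or the shared 'source ip' rate thresholds."""
        if source_ip:
            self.special_rate = limit
        else:
            self.global_rate = limit
        return not source_ip

    def effective(self, ip: str) -> tuple[int, RateLimit]:
        """Connection limit and rate thresholds that apply to one user."""
        amount = self.amount_by_ip.get(ip, self.global_amount)
        rate = self.special_rate if ip in self.special_ips else self.global_rate
        return amount, rate


def admitted_per_second(limit: RateLimit, attempts: list[int]) -> list[int]:
    """Token bucket (assumed model, ebs ignored): cir tokens are added each
    second up to a depth of cbs; each new session consumes one token."""
    tokens, admitted = limit.cbs, []
    for n in attempts:
        ok = min(n, tokens)
        admitted.append(ok)
        tokens = min(limit.cbs, tokens - ok + limit.cir)
    return admitted
```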
1.1.15 nat outbound
Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number
undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slot-number
View
VLAN interface view
Parameter
address-group: Specifies an address pool to be used for NAT. If you do not specify an address pool in the command, the IP address of the current interface is used as the translated source IP address, that is, the Easy IP feature is enabled.
no-pat: Specifies one-to-one NAT, so that only the source IP addresses in packets are translated while the port numbers are not translated.
acl-number: Index of an ACL, in the range from 2000 to 3999.
group-number: Index of a NAT address pool, in the range from 0 to 319.
slot-number: Slot number of the LPU to which the address pool is bound. All NAT operations using this NAT rule are carried out on this LPU.
Description
Use the nat outbound command to associate an ACL with a NAT address pool and bind the address pool to an LPU, so that the addresses matching the ACL are translated to the addresses in the pool on that LPU.
Use the undo nat outbound command to remove the configuration.
If you use the nat outbound command to associate an ACL with an address pool, the NAT process uses the IP addresses in the pool to translate the source addresses of the packets that match the ACL. You can configure multiple NAT associations on a VLAN interface, which is normally connected to an ISP network and serves as the egress of the internal network.
If you execute the nat outbound command without the address-group keyword, the Easy IP feature is implemented, and the IP address of the interface is used to translate the source addresses that match the specified ACL.
When you execute the nat outbound command on a VLAN interface with an address pool specified, the address pool should be on the same network segment as the IP address of the VLAN interface. Otherwise, NAT may not operate normally. In this case, you can use one of the following two ways to solve the problem:
1) Configure a static route: configure a static route to the VLAN interface on an upstream router (a router on the upstream network of the NAT-enabled switch).
2) Use a routing protocol to advertise the routes of the IP addresses in the address pool. To do this, configure static routes for the IP addresses in the address pool on the NAT-enabled switch, with the outbound interface being NULL. Note that the configured static route segments should accommodate the combined segments of the IP addresses in the address pool.
• For NAT, basic ACLs (2000 to 2999) support only the source IP address as the filtering item, and advanced ACLs (3000 to 3999) support both the source IP address and the destination IP address as filtering items. Other ACL filtering items are not supported currently.
• After you configure the nat outbound command with an ACL, modifications to the ACL (adding/deleting rules) do not affect the NAT configuration.
Example
Perform the following procedure to allow hosts on segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to 202.110.10.12. Suppose VLAN interface 2 is connected to an ISP network.
# Configure an ACL.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule permit source 10.110.10.0 0.0.0.255
[H3C-acl-basic-2000] rule deny
[H3C-acl-basic-2000] quit
# Configure a NAT address pool.
[H3C] nat address-group 1 202.110.10.10 202.110.10.12
# Configure NAPT on the LPU in slot 3 with address pool 1.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat outbound 2000 address-group 1 slot 3
# Remove the NAPT configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 slot 3
# Configure one-to-one NAT on the LPU in slot 3 with address pool 1.
[H3C-Vlan-interface2] nat outbound 2000 address-group 1 no-pat slot 3
# Remove the one-to-one NAT configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 address-group 1 no-pat slot 3
# Configure the Easy IP feature, to directly use the IP address of VLAN interface 2 for address translation.
[H3C-Vlan-interface2] nat outbound 2000 slot 3
# Remove the Easy IP configuration.
[H3C-Vlan-interface2] undo nat outbound 2000 slot 3
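The procedure above (ACL, address pool, nat outbound) interacts with several limits stated in this section and in nat address-group: the ACL number range, the 256-address pool limit, the three-address limit for NAPT, and the requirement that the pool sit in the VLAN interface's network segment. The following added example, a hypothetical planner that is not H3C code, checks a planned association against those rules and emits the corresponding CLI lines; the interface address 202.110.10.1/24 used in it is an assumption, since the manual gives none.

```python
"""Check a planned ACL / address pool / nat outbound association against the
constraints this manual states, and emit the CLI lines for it.

Added example, not H3C code; the planner is a hypothetical helper. Rules
encoded from this manual: ACL numbers 2000..3999; pool index 0..319 with at
most 256 consecutive addresses; NAPT only with a pool of at most three
addresses (one-to-one NAT with no-pat has no such limit); Easy IP when no
pool is given; and a warning when pool addresses lie outside the VLAN
interface's network segment, which then needs a static route upstream or
advertised NULL routes. The interface address in __main__ is an assumption.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

POOL_MAX_ADDRESSES = 256
NAPT_MAX_ADDRESSES = 3


@dataclass(frozen=True)
class AddressPool:
    index: int
    start: str
    end: str

    def addresses(self) -> list[ipaddress.IPv4Address]:
        a, b = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        if b < a:
            raise ValueError("end-addr precedes start-addr")
        return [ipaddress.IPv4Address(x) for x in range(int(a), int(b) + 1)]


def validate_pool(pool: AddressPool) -> int:
    """Return the pool size after checking the index and size limits."""
    if not 0 <= pool.index <= 319:
        raise ValueError("group-number must be 0..319")
    n = len(pool.addresses())
    if n > POOL_MAX_ADDRESSES:
        raise ValueError(f"pool holds {n} addresses, limit is {POOL_MAX_ADDRESSES}")
    return n


def plan_nat_outbound(vlan: int, if_addr: str, acl: int, inside_net: str,
                      pool: Optional[AddressPool], no_pat: bool, slot: int) -> dict:
    """Return {'mode', 'warnings', 'commands'} for the association."""
    if not 2000 <= acl <= 3999:
        raise ValueError("acl-number must be 2000..3999")
    net = ipaddress.IPv4Network(inside_net)
    # Basic ACL matching the internal segment, as in the manual's example.
    commands = [f"acl number {acl}",
                f"rule permit source {net.network_address} {net.hostmask}",
                "rule deny", "quit"]
    warnings: list[str] = []
    if pool is None:
        mode = "easy-ip"           # the interface address is used for translation
        outbound = f"nat outbound {acl} slot {slot}"
    else:
        n = validate_pool(pool)
        if no_pat:
            mode = "no-pat"        # one-to-one, ports untouched
        elif n > NAPT_MAX_ADDRESSES:
            raise ValueError(f"NAPT needs a pool of at most {NAPT_MAX_ADDRESSES} "
                             "addresses; shrink the pool or use no-pat")
        else:
            mode = "napt"
        iface = ipaddress.IPv4Interface(if_addr)
        outside = [str(a) for a in pool.addresses() if a not in iface.network]
        if outside:
            warnings.append(f"{len(outside)} pool address(es) outside {iface.network}: "
                            "add a static route on the upstream router or advertise "
                            "NULL routes covering the pool")
        commands.append(f"nat address-group {pool.index} {pool.start} {pool.end}")
        outbound = (f"nat outbound {acl} address-group {pool.index}"
                    + (" no-pat" if no_pat else "") + f" slot {slot}")
    commands += [f"interface Vlan-interface {vlan}", outbound]
    return {"mode": mode, "warnings": warnings, "commands": commands}


if __name__ == "__main__":
    # Interface address 202.110.10.1/24 is assumed; the manual does not give one.
    plan = plan_nat_outbound(2, "202.110.10.1/24", 2000, "10.110.10.0/24",
                             AddressPool(1, "202.110.10.10", "202.110.10.12"), False, 3)
    print("\n".join(plan["commands"]))
```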
1.1.16 nat server
Syntax
1) Configure an internal server
• Use the following command when TCP/UDP is used.
nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number
• Use the following command when protocols other than TCP/UDP are used.
nat server protocol pro-type global global-addr inside host-addr slot slot-number
2) Delete an internal server
• Use the following command when TCP/UDP is used.
undo nat server protocol pro-type global global-addr global-port inside host-addr host-port slot slot-number
• Use the following command when protocols other than TCP/UDP are used.
undo nat server protocol pro-type global global-addr inside host-addr slot slot-number
3) Configure a group of consecutive internal servers
nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number
4) Delete a group of consecutive internal servers
undo nat server protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port slot slot-number
View
VLAN interface view
Parameter
pro-type: Protocol carried by IP, specified by a keyword such as tcp, udp, or icmp.
global-addr: Public IP address provided for access from external networks.
global-port: Public port number provided for access from external networks.
host-addr: Private IP address of an internal server.
host-port: Private port number provided by the server, in the range from 0 to 65535. At the position of this argument, you can also use a keyword to indicate a well-known port; for example, www for WWW service port 80 and ftp for FTP service port 21. The keyword any has the same meaning as port number 0 and indicates that the internal server can provide any available service in the internal network, but this is not supported currently.
Caution: The global-port and host-port arguments are not needed if a protocol other than TCP and UDP is used, because such a protocol does not use port numbers.
global-port1, global-port2: Specify a range of consecutive port numbers, which correspond one-to-one to the private addresses in the specified internal host address range. global-port2 must be larger than global-port1.
host-addr1, host-addr2: Specify a range of consecutive addresses, which correspond one-to-one to the port numbers in the above port number range. host-addr2 must be larger than host-addr1.
slot-number: Slot number of an LPU.
Description
Use the nat server command to define mapping table entries for internal servers. Through the address and port number specified by the global-addr and global-port arguments for an internal server, external users can access the internal server at the address and port number specified by the host-addr and host-port arguments.
Use the undo nat server command to delete an internal server mapping entry.
You can use the nat server command to allow some internal servers to be accessed by external users. Examples of such servers are WWW, FTP, Telnet, POP3, and DNS servers.
Caution:
• Up to 128 internal servers can be configured in one nat server command.
• Up to 768 nat server commands can be configured for one VLAN interface.
• Up to 4,096 internal servers can be configured for one VLAN interface.
• Up to 1,024 nat server commands and 4,096 internal servers can be configured in a system.
• The interface configured with this command is an egress of the internal network and should be directly connected to an ISP network.
• Currently, secondary address translation on a NAT connection is not supported.
• To use the NetMeeting software or enable an internal FTP server, you need to configure both the nat server and nat outbound commands. For details, refer to 1.1.15 “nat outbound”.
Example
# Specify the IP address of the internal WWW server to be 10.110.10.10 and the IP address of the internal FTP server to be 10.110.10.11, and allow external hosts to access the WWW server and the FTP server through http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Suppose that VLAN interface 2 is connected to an ISP network.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3
# Specify an internal host 10.110.10.12 that external hosts can successfully ping with the ping 202.110.10.11 command.
[H3C-Vlan-interface2] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2
# Delete the WWW server.
[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3
# Delete the FTP server.
[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3
# Specify an external address 202.110.10.10 and map ports from 1001 to 1100 to the Telnet service of internal hosts from 10.110.10.1 to 10.110.10.100, thus allowing external access to 10.110.10.1 through 202.110.10.10:1001, to 10.110.10.2 through 202.110.10.10:1002, and so on.
[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 5
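A consecutive-server nat server command such as the last one above silently creates one mapping per port, so it is worth expanding before it is committed; the following added example, which is not H3C code, expands the manual's 1001..1100 to 10.110.10.1..10.110.10.100 Telnet example into its individual mappings and checks the per-command and per-interface limits this section states. Taking "one-to-one" to require equal-sized port and address ranges, and flagging two commands that publish the same public address, port and protocol, are assumptions beyond the manual's text.

```python
"""Expand a nat server command for a group of consecutive internal servers
into the individual mappings it creates and check the manual's limits.

Added example, not H3C code. Rules encoded from this manual: global-port2
larger than global-port1, host-addr2 larger than host-addr1, ports mapped
one-to-one onto addresses (taken here to mean both ranges must be the same
size, an assumption), at most 128 internal servers per nat server command,
and at most 768 commands and 4,096 servers per VLAN interface. The keyword
table holds only the well-known port names this manual mentions. Reporting
two commands that publish the same public address, port and protocol is an
added sanity check, not something the manual describes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Union

MAX_SERVERS_PER_COMMAND = 128
MAX_COMMANDS_PER_INTERFACE = 768
MAX_SERVERS_PER_INTERFACE = 4096
WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "dns": 53, "tftp": 69}


@dataclass(frozen=True)
class ServerMapping:
    proto: str
    global_addr: str
    global_port: int
    host_addr: str
    host_port: int
    slot: int


def port_number(port: Union[int, str]) -> int:
    """Accept a port number or one of the well-known port keywords."""
    if isinstance(port, int):
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        return port
    try:
        return WELL_KNOWN_PORTS[port]
    except KeyError:
        raise ValueError(f"unknown port keyword {port!r}") from None


def expand_server_range(proto: str, global_addr: str, global_port1: int,
                        global_port2: int, host_addr1: str, host_addr2: str,
                        host_port: Union[int, str], slot: int) -> list[ServerMapping]:
    """Mappings created by one 'nat server protocol ... global-addr global-port1
    global-port2 inside host-addr1 host-addr2 host-port slot slot-number'."""
    if global_port2 <= global_port1:
        raise ValueError("global-port2 must be larger than global-port1")
    a1, a2 = ipaddress.IPv4Address(host_addr1), ipaddress.IPv4Address(host_addr2)
    if a2 <= a1:
        raise ValueError("host-addr2 must be larger than host-addr1")
    ports = range(global_port1, global_port2 + 1)
    hosts = [ipaddress.IPv4Address(i) for i in range(int(a1), int(a2) + 1)]
    if len(ports) != len(hosts):
        raise ValueError("port range and address range must have the same size")
    if len(hosts) > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"{len(hosts)} servers in one command, "
                         f"limit is {MAX_SERVERS_PER_COMMAND}")
    hp = port_number(host_port)
    return [ServerMapping(proto, global_addr, p, str(h), hp, slot)
            for p, h in zip(ports, hosts)]


def check_interface(commands: list[list[ServerMapping]]) -> list[str]:
    """Problems with the set of nat server commands on one VLAN interface."""
    problems: list[str] = []
    if len(commands) > MAX_COMMANDS_PER_INTERFACE:
        problems.append(f"{len(commands)} commands exceed {MAX_COMMANDS_PER_INTERFACE}")
    total = sum(len(c) for c in commands)
    if total > MAX_SERVERS_PER_INTERFACE:
        problems.append(f"{total} servers exceed {MAX_SERVERS_PER_INTERFACE}")
    seen: dict[tuple[str, str, int], str] = {}
    for cmd in commands:
        for m in cmd:
            key = (m.proto, m.global_addr, m.global_port)
            if key in seen and seen[key] != m.host_addr:
                problems.append(f"{m.proto}/{m.global_addr}:{m.global_port} maps to "
                                f"both {seen[key]} and {m.host_addr}")
            seen.setdefault(key, m.host_addr)
    return problems
```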
1.1.17 reset nat session
Syntax
reset nat session slot slot-number
View
User view
Parameter
slot-number: Slot number of an LPU.
Description
Use the reset nat session command to clear the NAT mapping table from memory and from the NP (network processor).
Example
# Clear the NAT mapping table established by the LPU in slot 3.
<H3C> reset nat session slot 3
1.1.18 nat ftp server
Syntax
nat ftp server global global-addr global-port inside host-addr host-port slot slot-number
undo nat ftp server global global-addr global-port inside host-addr host-port slot slot-number
View
VLAN interface view
Parameter
global-addr: Public IP address of an internal FTP server.
global-port: Public port number of the internal FTP server. This argument ranges from 0 to 12287. For port 21, you can use the keyword ftp in place of this argument.
host-addr: Private IP address of the internal FTP server.
host-port: Private port number of the internal FTP server. This argument ranges from 0 to 65535. For port 21, you can use the keyword ftp in place of this argument.
Caution: Among ports 0 through 65535, well-known ports other than port 21 cannot be used as the private port of a non-standard internal FTP server; the CLI prompts you if you specify one of them in the commands listed here. (You can see those well-known ports on the CLI through command help.)
slot-number: Slot number of an LPU.
Description
Use the nat ftp server command to configure a non-standard internal FTP server.
Use the undo nat ftp server command to remove a non-standard internal FTP server configuration.
These two commands can be used together with other internal server-related commands, such as the nat server and undo nat server commands. In this case, bear in mind that:
• The nat server command can only be used to configure internal FTP servers that use private port 21.
• The undo nat server command can be used to remove internal FTP servers configured by the nat ftp server command.
• The undo nat ftp server command can be used to remove internal FTP servers configured by the nat server command.
Related command: nat server.
Example
# Configure a non-standard internal FTP server that uses 202.10.10.1 and 11225 as the public IP address and port number, and 1.1.1.3 and 1698 as the private IP address and port number.
<H3C> system-view
[H3C] interface vlan-interface 3
[H3C-Vlan-interface3] nat ftp server global 202.10.10.1 11225 inside 1.1.1.3 1698 slot 3
1.1.19 display ip userlog export
Syntax
display ip userlog export slot slot-number
View
Any view
Parameter
slot-number: Slot number of an LPU.
Description
Use the display ip userlog export command to display the configuration and statistics of NAT logging.
Example
# Display the configuration of NAT logging.
<H3C> display ip userlog export slot 6
NAT:
IP userlog export is not enabled
Version 1 export is enabled
Export logs to 0.0.0.0 (Port: 0)
(DEFAULT)Export logs to 0.0.0.0 (Port: 0)
Export using source address 0.0.0.0
IP userlog flowbegin mode is not enabled
IP userlog active time: 0 minutes
0 logs exported in 0 udp datagrams
0 logs in 0 udp datagrams failed to output
0 entries buffered currently
1.1.20 ip userlog nat
Syntax
ip userlog nat slot slot-number acl acl-number
undo ip userlog nat slot slot-number
View
System view
Parameter
slot-number: Slot number of an LPU.
acl-number: Index of an ACL, in the range from 2000 to 3999.
Description
Use the ip userlog nat slot slot-number acl command to enable NAT logging and configure the NAT logging ACL, which defines which packets' information is logged.
Use the undo ip userlog nat slot command to disable NAT logging.
By default, NAT logging is disabled for every LPU.
Example
# Enable NAT logging on the LPU in slot 3, and use ACL 2000 as the logging ACL.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat slot 3 acl 2000
1.1.21 ip userlog nat active-time
Syntax
ip userlog nat active-time minutes
undo ip userlog nat active-time
View
System view
Parameter
minutes: Wait interval for logging active NAT connections, in minutes. Once a connection has been active for this interval, the NAT process logs it periodically at this interval. This argument ranges from 10 to 120. The default value is 0, indicating that the logging of active connections is disabled.
Description
Use the ip userlog nat active-time command to set the wait interval for logging active NAT connections.
Use the undo ip userlog nat active-time command to disable the logging of active connections.
The NAT process logs a NAT connection when the connection is deleted. It may also be necessary to have the NAT process regularly log, at a specific interval, connections that stay active for a long time. You can use this command to achieve this by setting the corresponding timer on the SRPU.
Example
# Set the wait interval for logging active NAT connections to 30 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat active-time 30
Syntax
ip userlog nat export [ slot slot-number ] host ip-address udp-port
undo ip userlog nat export [ slot slot-number ] host
View
System view
Parameter
ip-address:
IP address of a log server, that is, the destination IP address for log
packets. By default, it is 0.0.0.0, indicating NAT logging is disabled.
udp-port:
UDP port number of a log server, that is, the destination port number for log
packets. It ranges from 0 to 65535 and is 0 by default.
slot-number:
Slot number of an LPU. If you specify the slot-number argument, the
configuration is only effective for the specified LPU; otherwise, the
configuration is effective for all LPUs. The configuration with the slot-number
argument specified takes precedence over the global configuration.
Description
Use the ip userlog nat export host command
to set the address and port number of the global destination server for log
packets.
Use the undo ip userlog nat export host command
to restore the default settings for global destination server.
Use the ip userlog nat export slot slot-number
host command to set the address and port number of a specific destination
server for log packets on a specified LPU.
Use the undo ip userlog nat export slot slot-number
host command to restore the settings of global destination server for log
packets on a specified LPU.
Example
# Set the destination IP address and UDP port number of log packets on the LPU in slot 3 to 169.254.1.1 and 200 respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export slot 3 host 169.254.1.1 200
Syntax
ip userlog nat export source-ip src-address
undo ip userlog nat export source-ip
View
System view
Parameter
src-address: Source IP address for log packets. The default source IP address is 0.0.0.0, indicating that the VLAN interface IP address is used as the source IP address.
Description
Use the ip userlog nat export source-ip command
to set the source IP address of log packets.
Use the undo ip userlog nat export
source-ip command to restore the default source IP address setting.
By default, a log packet uses its VLAN
interface IP address as its source IP address.
Example
# Set the source IP address of log packets to 169.254.3.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export source-ip 169.254.3.1
Syntax
ip userlog nat export version version-number
undo ip userlog nat export version
View
System view
Parameter
version-number: Version of log packets. It defaults to 1 and currently can only be 1; the field is reserved so that network management software can identify extended log packets in the future.
Description
Use the ip userlog nat export version command
to set the version of log packets.
Use the undo ip userlog nat export
version command to restore the default version of log packets.
Example
# Set the version of log packets to 1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat export version 1
Syntax
ip userlog nat mode flow-begin
undo ip userlog nat mode flow-begin
View
System view
Parameter
None
Description
Use the ip userlog nat mode flow-begin command to have NAT logging performed whenever a NAT connection is established.
Use the undo ip userlog nat mode
flow-begin command to restore the default logging mode.
NAT logging has the following two modes, and you can choose one by using the commands here.
• Perform logging only when a NAT connection is deleted.
• Perform logging whenever a NAT connection is established or deleted.
By default, NAT logging is performed only when a NAT connection is deleted.
Example
# Configure to have NAT logging performed whenever a connection is established.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip userlog nat mode flow-begin
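The two logging modes and the active-time timer described above decide when a NAT connection produces a log record. The following model, added here as an example and not H3C code, replays a constructed connection scenario to show which records the default mode, flow-begin mode and a 30-minute active-time setting produce; it models only the logging points, not the userlog packet format.

```python
"""Model of when the NAT process emits a log record (ip userlog nat commands).

Constructed example: not H3C code, and it does not reproduce the userlog
packet format, only the points at which a record is produced.
"""
from dataclasses import dataclass, field

FLOW_END = "flow-end"      # default: log only when a connection is deleted
FLOW_BEGIN = "flow-begin"  # ip userlog nat mode flow-begin: log on creation too


def is_valid_active_time(minutes):
    """ip userlog nat active-time accepts 10-120 minutes; 0 means disabled."""
    return minutes == 0 or 10 <= minutes <= 120


@dataclass
class NatLogger:
    mode: str = FLOW_END
    active_time: int = 0       # minutes; 0 disables logging of active connections
    logs: list = field(default_factory=list)
    # connection id -> [created_at, last_active_log_at], in minutes
    _conns: dict = field(default_factory=dict)

    def set_active_time(self, minutes):
        if not is_valid_active_time(minutes):
            raise ValueError("active-time must be 0 (disabled) or 10-120 minutes")
        self.active_time = minutes

    def connection_created(self, conn, now):
        self._conns[conn] = [now, now]
        if self.mode == FLOW_BEGIN:
            self.logs.append((now, "begin", conn))

    def connection_deleted(self, conn, now):
        self._conns.pop(conn)
        self.logs.append((now, "end", conn))   # logged in both modes

    def timer_tick(self, now):
        """One pass of the active-time timer (kept on the SRPU).

        A connection is logged once its active time reaches the interval and
        then again every interval for as long as it stays active.
        """
        if self.active_time == 0:
            return
        for conn, state in self._conns.items():
            created, last_logged = state
            if now - created >= self.active_time and now - last_logged >= self.active_time:
                self.logs.append((now, "active", conn))
                state[1] = now


# Constructed scenario, times in minutes: A lives 25 minutes, B lives 65 minutes.
SCENARIO = [(0, "create", "A"), (5, "create", "B"), (25, "delete", "A"), (70, "delete", "B")]


def run_scenario(mode=FLOW_END, active_time=0, events=SCENARIO):
    """Replay the scenario with a one-minute timer and return the log records."""
    logger = NatLogger(mode=mode)
    logger.set_active_time(active_time)
    for minute in range(0, max(t for t, _, _ in events) + 1):
        for t, action, conn in events:
            if t == minute:
                if action == "create":
                    logger.connection_created(conn, minute)
                else:
                    logger.connection_deleted(conn, minute)
        logger.timer_tick(minute)
    return logger.logs


if __name__ == "__main__":
    for rec in run_scenario(FLOW_BEGIN, 30):
        print("t=%3d %-6s %s" % rec)
```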
Chapter 2 Netstream Configuration Commands
Currently, the LS81VSNP boards installed in S7500 series switches support the Netstream feature. In this manual, the LS81VSNP board is called LPU.
Syntax
display ip netstream cache slot slot-number
View
Any view
Parameter
slot-number: Slot number of an LPU.
Description
Use the display ip netstream cache
command to display the Netstream configuration and status of the Netstream
cache on the LPU in a specified slot.
Example
# Display information about the Netstream cache of the LPU in slot 3.
<H3C> display ip netstream cache slot 3
IP netstream cache information in slot 3
Stream active timeout(minute) : 15
Stream inactive timeout(second): 60
Active stream entry : 50
Stream entry been statistics : 15
Last statistics reset time : none
Protocol    Total    Packets  Stream  Packets  Active(sec)  Idle(sec)
            Streams  /sec     /sec    /stream  /stream      /stream
IP-other    13       0        0       1        10           33038
UDP-other   2        0        0       1        10           214748
Total       15       0        0       1        10           28633
Table 2-1 Description on the fields of the display ip netstream cache command
| Field | Description |
| Stream active timeout(minute) : 15 | The current active aging time is 15 minutes. |
| Stream inactive timeout(second): 60 | The current inactive aging time is 60 seconds. |
| Active stream entry : 50 | The Netstream cache contains 50 active stream entries. |
| Stream entry been statistics : 15 | Netstream has output 15 stream entries. |
| Last statistics reset time : none | The statistics have never been cleared. |
| Protocol, Total Streams, Packets/sec, Stream/sec, Packets/stream, Active(sec)/stream, Idle(sec)/stream | Protocol type, total number of streams, packets per second, streams per second, average number of packets per stream, average active time per stream, and average inactive time per stream. |
Syntax
display ip netstream export slot slot-number
View
Any view
Parameter
slot-number: Slot number of an LPU.
Description
Use the display ip netstream export command
to display information about Netstream export packets on the LPU in a specified
slot.
Example
# Display information about Netstream export packets of the LPU in slot 6.
<H3C> display ip netstream export slot 6
IP netstream export information in slot 6
IP netstream is enabled in slot : 3
Version 9 export information:
Stream destination IP(UDP): 10.10.0.10 (30000)
Stream source address: 3.3.3.3
Exported stream number: 16
Exported UDP datagram number(failed number): 16(0)
Version 9 AS aggregation information:
Stream destination IP(UDP): 10.10.0.11 (30000)
Stream source address: 3.3.3.3
Exported stream number: 16
Exported UDP datagram number(failed number): 2(0)
Table 2-2 Description on the fields of the display ip netstream export command
| Field | Description |
| IP netstream export information in slot 6 | Information about Netstream export packets on the LPU in slot 6 follows. |
| IP netstream is enabled in slot : 3 | Slot number of a board where Netstream is enabled. |
| Version 9 export information: | Information about version 9 Netstream export packets follows. |
| Stream destination IP(UDP): | Destination IP address and UDP port number of Netstream export packets. |
| Not destination address for exported packet. | This information is displayed if you do not configure the destination IP address for Netstream export packets. |
| Stream source address: | Source IP address of Netstream export packets. |
| Exported stream number: | Number of sent stream entries. |
| Exported UDP datagram number(failed number): | Number of sent UDP packets (number of UDP packets that failed in sending). |
| Version 9 AS aggregation information: | Information about version 9 Netstream export packets when AS aggregation is enabled follows. This information is not displayed if AS aggregation is not enabled. |
Syntax
enable
undo enable
View
Netstream aggregation view
Parameter
None
Description
Use the enable command to enable the
aggregation mode corresponding to current aggregation view.
Use the undo enable command to
disable the aggregation mode.
By default, no aggregation mode is enabled.
Related command: ip netstream
aggregation.
Example
# Enable the AS aggregation mode of Netstream.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream aggregation as
[H3C-aggregation-as] enable
# Disable the AS aggregation mode of Netstream.
[H3C-aggregation-as] undo enable
Syntax
ip netstream aggregation { as | protocol-port | destination-prefix | prefix | source-prefix }
View
System view
Parameter
as: Specifies the view for AS (autonomous system) aggregation mode. In this mode, the Netstream streams are classified by source and destination AS numbers and outbound interface index.
protocol-port: Specifies the view for protocol-port aggregation mode. In this mode, the Netstream streams are classified by protocol number and source and destination ports.
source-prefix: Specifies the view for source-prefix aggregation mode. In this mode, the Netstream streams are classified by source AS number, source mask length and source prefix.
destination-prefix: Specifies the view for destination-prefix aggregation mode. In this mode, the Netstream streams are classified by destination AS number, destination mask length, destination prefix, and outbound interface index.
prefix: Specifies the view for source- and destination-prefix aggregation mode. In this mode, the Netstream streams are classified by source and destination AS numbers, source and destination mask lengths, source and destination prefixes, and outbound interface index.
Description
Use the ip netstream aggregation
command to enter a Netstream aggregation view.
Under the aggregation view, you can
enable/disable the aggregation function in the corresponding mode, and set the
source IP address, the destination IP address and port number for Netstream
export packets in version 9 format.
Related commands: enable, ip
netstream export host, and ip netstream export source.
Example
# Enter Netstream AS aggregation view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream aggregation as
[H3C-aggregation-as]
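The parameter descriptions above define, for each aggregation mode, the fields that identify one aggregated entry. The following example, added here and not H3C code, applies those five keys to a constructed set of stream records so that the effect of each mode on the exported table can be compared; the AS numbers and mask lengths are carried on each record as stand-ins for the route lookup a real exporter performs.

```python
"""Aggregation keys of the five Netstream aggregation modes, applied to sample flows.

Constructed example; not H3C code. The per-mode key fields follow the
parameter descriptions of ip netstream aggregation.
"""
from collections import defaultdict
from ipaddress import IPv4Network

# mode -> fields that identify one aggregated entry
AGGREGATION_KEYS = {
    "as": ("src_as", "dst_as", "out_ifindex"),
    "protocol-port": ("protocol", "src_port", "dst_port"),
    "source-prefix": ("src_as", "src_mask", "src_prefix"),
    "destination-prefix": ("dst_as", "dst_mask", "dst_prefix", "out_ifindex"),
    "prefix": ("src_as", "dst_as", "src_mask", "dst_mask",
               "src_prefix", "dst_prefix", "out_ifindex"),
}


def flow(src_ip, src_mask, src_as, dst_ip, dst_mask, dst_as,
         protocol, src_port, dst_port, out_ifindex, packets, octets):
    """Build one non-aggregated stream record; prefixes are derived from ip/mask."""
    return {
        "src_as": src_as, "dst_as": dst_as,
        "src_mask": src_mask, "dst_mask": dst_mask,
        "src_prefix": str(IPv4Network((src_ip, src_mask), strict=False).network_address),
        "dst_prefix": str(IPv4Network((dst_ip, dst_mask), strict=False).network_address),
        "protocol": protocol, "src_port": src_port, "dst_port": dst_port,
        "out_ifindex": out_ifindex, "packets": packets, "octets": octets,
    }


# Constructed sample: three flows from 10.1.1.0/24 to one web server, one DNS flow.
SAMPLE_FLOWS = [
    flow("10.1.1.5", 24, 65001, "192.0.2.10", 24, 65002, 6, 40000, 80, 3, 12, 9000),
    flow("10.1.1.9", 24, 65001, "192.0.2.10", 24, 65002, 6, 40000, 80, 3, 8, 6400),
    flow("10.1.1.5", 24, 65001, "192.0.2.10", 24, 65002, 6, 40001, 443, 3, 20, 15000),
    flow("10.2.2.7", 16, 65001, "198.51.100.5", 24, 65003, 17, 5353, 53, 4, 2, 200),
]


def aggregate(flows, mode):
    """Collapse stream records into aggregated entries for the given mode.

    Returns {key_tuple: {"flows": n, "packets": p, "octets": o}}.
    """
    try:
        fields = AGGREGATION_KEYS[mode]
    except KeyError:
        raise ValueError("unknown aggregation mode: %s" % mode)
    table = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for rec in flows:
        entry = table[tuple(rec[f] for f in fields)]
        entry["flows"] += 1
        entry["packets"] += rec["packets"]
        entry["octets"] += rec["octets"]
    return dict(table)


if __name__ == "__main__":
    for mode in AGGREGATION_KEYS:
        print(mode)
        for key, counters in aggregate(SAMPLE_FLOWS, mode).items():
            print("  ", key, counters)
```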
Syntax
ip netstream export dscp dscp-value
undo ip netstream export dscp
View
System view
Parameter
dscp-value: Differentiated services code point (DSCP) value, ranging from 0 to 63, with 0 as the default value.
Description
Use the ip netstream export dscp
command to configure the DSCP value of Netstream export packets. Netstream
export packets will be classified by their DSCP values.
Use the undo ip netstream export dscp
command to restore the default DSCP value.
Example
# Set the DSCP value of Netstream export packets to 60.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream export dscp 60
Syntax
ip netstream export host ip-address udp-port
undo ip netstream export host
View
System view or Netstream aggregation view
Parameter
ip-address: IP address of the destination host for Netstream export packets, in dotted decimal notation.
udp-port: UDP port number of the destination host for Netstream export packets.
Description
Use the ip netstream export host command
to configure the IP address and UDP port number of the destination host for
Netstream export packets.
Use the undo ip netstream export host
command to restore the default IP address and port number.
By default:
• The destination IP address is 0.0.0.0 and the destination port number is 0 in system view.
• The destination IP address and port number in aggregation view are those configured in system view.
You can configure different destination IP addresses and port numbers for different aggregation modes.
Related commands: ip netstream aggregation and ip netstream export source.
Example
# Configure the destination IP address and UDP port number for Netstream export packets to 172.16.105.48 and 50000 respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream export host 172.16.105.48 50000
Syntax
ip netstream export source ip-address
undo ip netstream export source
View
System view or Netstream aggregation view
Parameter
ip-address: IP address, in dotted decimal notation.
Description
Use the ip netstream export source
command to configure the source IP address of Netstream export packets, which
will be used as the source address of UDP packets.
Use the undo ip netstream export source command
to restore the default setting.
By default, the source IP address is
0.0.0.0, which indicates that the IP address of the corresponding outbound
interface is used as the source IP address.
You can configure different source IP
addresses for different aggregation modes.
Related commands: ip netstream
aggregation and ip netstream export host.
Example
# Configure the source IP address of Netstream export packets to 3.3.3.3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream export source 3.3.3.3
Syntax
ip netstream export version version-number [ origin-as | peer-as ]
undo ip netstream export version
View
System view
Parameter
version-number: Version number for Netstream export packets. Currently, you can configure version 5 or version 9.
origin-as: Use original AS numbers as the AS numbers for individual IP addresses.
peer-as: Use peer AS numbers as the AS numbers for individual IP addresses.
Description
Use the ip netstream export version command
to configure the version and the AS option for Netstream export packets in
non-aggregation mode.
Use the undo ip netstream export version
command to restore the default configuration.
By default, version 5 is used and the AS
option is peer-as.
Netstream can use three versions of Netstream export packets to send aged stream entries: version 5, version 8 and version 9. Currently, only version 5 and version 9 are configurable:
• If version 5 is configured, the system sends normal stream entries through version 5 packets and aggregated stream entries through version 8 packets.
• If version 9 is configured, the system sends all aged stream entries through version 9 packets.
Example
# Configure to use version 5 Netstream export packets and use original AS numbers as the AS numbers for individual IP addresses.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream export version 5 origin-as
Syntax
ip netstream inbound source srcslot-number to dstslot-number [ acl acl-number ]
undo ip netstream inbound source srcslot-number to dstslot-number
View
System view
Parameter
srcslot-number: Slot number of an interface board.
dstslot-number: Slot number of an LPU.
acl-number: Index of an ACL.
Description
Use the ip netstream inbound source command to mirror the inbound packets on an interface board to an LPU and enable Netstream, a packet statistics function.
Use the undo ip netstream inbound source command to stop the mirroring and disable Netstream.
If the acl keyword is used in the ip netstream inbound source command, the streams on the interface board that match the ACL are mirrored onto the LPU, which in turn collects packet statistics on them.
By default, Netstream is disabled.
With ACL rules, up to 100 streams can be mirrored for Netstream statistics collection in the system.
Example
# Mirror the inbound packets on the board in slot 3 to the LPU in slot 6 and enable Netstream.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream inbound source 3 to 6
Syntax
ip netstream outbound source srcslot-number to dstslot-number
undo ip netstream outbound source srcslot-number to dstslot-number
View
System view
Parameter
srcslot-number: Slot number of an interface board.
dstslot-number: Slot number of an LPU.
Description
Use the ip netstream outbound
source command to mirror the outbound packets on an interface board to an
LPU and enable Netstream.
Use the undo ip netstream outbound source command to stop the mirroring and disable Netstream.
By default, Netstream is disabled.
Example
# Mirror the outbound packets on the board in slot 3 to the LPU in slot 6 and enable Netstream.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream outbound source 3 to 6
Syntax
ip netstream template refresh packets
undo ip netstream template refresh
View
System view
Parameter
packets: Threshold for the number of Netstream packets, ranging from 1 to 600, in packets.
Description
Use the ip netstream template refresh
command to configure a packet threshold for updating the template of version 9
Netstream packets. When the number of transmitted packets exceeds the
configured threshold, the system sends the newest template to the NSC
(Netstream collector).
Use the undo ip netstream template
refresh command to restore the default packet threshold.
By default, the packet threshold is 20.
Example
# Set the packet threshold for updating the template to 100.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream template refresh 100
Syntax
ip netstream template timeout minutes
undo ip netstream template timeout
View
System view
Parameter
minutes: Template aging time, ranging from 1 to 3,600, in minutes.
Description
Use the ip netstream template timeout
command to configure a template aging time. When the time for transmitting
Netstream packets exceeds the configured aging time, the system sends the
newest template to the NSC and counts time again.
Use the undo ip netstream template
timeout command to restore the default aging time.
By default, the template aging time is 30
minutes.
Example
# Set the template aging time to 60 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream template timeout 60
Syntax
ip netstream timeout active minutes
undo ip netstream timeout active
View
System view
Parameter
minutes: Active aging time for Netstream entries in minutes, in the range of 5 to 60.
Description
Use the ip netstream timeout active command
to configure the active aging time for Netstream entries.
Use the undo ip netstream timeout active
command to restore the default active aging time.
By default, the active aging time is 30
minutes.
A stream entry will be aged out when the
active time of this stream (the time elapsed since the stream entry was
created) exceeds the time limit you set here.
Related command: ip netstream timeout
inactive.
Example
# Configure the active aging time for Netstream entries to 60 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream timeout active 60
Syntax
ip netstream timeout inactive seconds
undo ip netstream timeout inactive
View
System view
Parameter
seconds: Inactive aging time for Netstream entries in seconds, in the range of 60 to 600.
Description
Use the ip netstream timeout inactive command
to configure the inactive aging time for Netstream entries.
Use the undo ip netstream timeout
inactive command to restore the default inactive aging time.
By default, the inactive aging time for
Netstream entries is 60 seconds.
A stream entry will be aged out when the
inactive time of the stream (the time elapsed since the last packet of the
stream passed the switch) exceeds the time limit you set here.
Related command: ip netstream timeout
active.
Example
# Configure the inactive aging time for Netstream entries to 150 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] ip netstream timeout inactive 150
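The active and inactive aging rules of the two timeout commands above (and the forced aging performed by reset ip netstream statistics, described further below) decide when a cache entry leaves the cache and becomes an aged stream entry for export. The following model, added here as an example and not H3C code, runs constructed traffic through a cache with a 5-minute active timeout and a 60-second inactive timeout; entries are keyed by a label here, where a real cache keys them on the stream's addresses, ports and protocol.

```python
"""Active and inactive aging of Netstream cache entries.

Constructed model of the behaviour described for ip netstream timeout active,
ip netstream timeout inactive and reset ip netstream statistics; not H3C code.
"""
from dataclasses import dataclass


@dataclass
class CacheConfig:
    active_minutes: int = 30     # ip netstream timeout active (5-60, default 30)
    inactive_seconds: int = 60   # ip netstream timeout inactive (60-600, default 60)

    def __post_init__(self):
        if not 5 <= self.active_minutes <= 60:
            raise ValueError("active timeout must be 5-60 minutes")
        if not 60 <= self.inactive_seconds <= 600:
            raise ValueError("inactive timeout must be 60-600 seconds")


@dataclass
class StreamEntry:
    created: int      # seconds: when the entry was created
    last_seen: int    # seconds: when the last packet of the stream passed
    packets: int = 0


class NetstreamCache:
    def __init__(self, config):
        self.config = config
        self.entries = {}
        self.exported = []      # (key, reason, packets) handed to the export process

    def observe(self, key, now):
        """Account one packet; the first packet of a stream creates its entry."""
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = StreamEntry(created=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1

    def age(self, now):
        """Age out entries whose active or inactive time exceeds its limit."""
        for key, entry in list(self.entries.items()):
            if now - entry.created > self.config.active_minutes * 60:
                reason = "active"        # time since creation exceeded the active limit
            elif now - entry.last_seen > self.config.inactive_seconds:
                reason = "inactive"      # time since the last packet exceeded the idle limit
            else:
                continue
            del self.entries[key]
            self.exported.append((key, reason, entry.packets))

    def reset(self):
        """reset ip netstream statistics: forcibly age out every current entry."""
        for key, entry in self.entries.items():
            self.exported.append((key, "reset", entry.packets))
        self.entries.clear()


def run_scenario():
    """Constructed traffic: X sends a packet every 10 s for 400 s, Y sends three packets."""
    cache = NetstreamCache(CacheConfig(active_minutes=5, inactive_seconds=60))
    packets = {t: ["X"] for t in range(0, 401, 10)}
    for t in (0, 20, 40):
        packets[t].append("Y")
    for now in range(0, 501, 10):         # the aging pass runs every 10 s
        for key in packets.get(now, []):
            cache.observe(key, now)
        cache.age(now)
    return cache.exported


def reset_scenario():
    """One young entry (not yet due for aging) is forced out by a reset."""
    cache = NetstreamCache(CacheConfig())
    cache.observe("Z", 0)
    cache.observe("Z", 30)
    cache.age(60)                          # 60 s active, 30 s idle: stays cached
    remaining = len(cache.entries)
    cache.reset()
    return remaining, len(cache.entries), cache.exported


if __name__ == "__main__":
    for key, reason, count in run_scenario():
        print("%s aged out (%s), %d packets" % (key, reason, count))
```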
Syntax
reset ip netstream statistics slot slot-number
View
User view
Parameter
slot-number: Slot number of an LPU.
Description
Use the reset ip netstream statistics command
to clear the Netstream statistics and output statistics on a specified LPU and
age out all the stream entries in the Netstream cache.
Executing the reset
ip netstream statistics command will forcibly age out the current stream
entries in the NP. This forcible aging procedure may take a long time and stops
the creation of any new entry until all current entries are aged out.
Example
# Clear the Netstream statistics and age all the stream entries in the Netstream cache on the LPU in slot 6.
<H3C> reset ip netstream statistics slot 6
Currently, the LS81VSNP boards installed in S7500 series switches support the policy routing feature. In this manual, the LS81VSNP board is called LPU.
Syntax
display qos-vlan [ vlan-id ] traffic-redirect
View
Any view
Parameters
vlan-id: ID of a VLAN interface, ranging from 1 to 4094.
Description
Use the display qos-vlan
traffic-redirect command to display policy routing configuration.
Use the display qos-vlan vlan-id
traffic-redirect command to display policy routing configuration on a specified
VLAN interface.
Example
# Display policy routing configuration on all VLAN interfaces.
<H3C> display qos-vlan traffic-redirect
Vlan 1 traffic-redirect
Inbound:
Matches: Acl 2001 rule 0 running
Redirected to: next-hop 13.53.3.3 slot 5
Vlan 2 traffic-redirect
Inbound:
Matches: Acl 2000 rule 0 running
Redirected to: next-hop 3.3.3.3 slot 6
# Display policy routing configuration on VLAN-interface 2.
<H3C> display qos-vlan 2 traffic-redirect
Vlan 2 traffic-redirect
Inbound:
Matches: Acl 2000 rule 0 running
Redirected to: next-hop 3.3.3.3 slot 6
Syntax
1) Redirect packets to a specified VLAN interface
traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] interface vlan-interface interface-number [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number
undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]
2) Redirect packets to a specified IP address
traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] next-hop ipaddr &1-3 [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number
undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]
View
VLAN view
Parameters
acl-number: ACL number, ranging from 2000 to 3999.
acl-name: ACL name, a string of 1 to 32 characters.
rule rule: Specifies a rule in the ACL. The rule argument represents the number of an ACL rule and ranges from 0 to 127. If rule rule is not provided, all rules in the specified ACL will be applied.
system-index index: Specifies a system index for the specified ACL rule. The two parameters are optional. The index argument ranges from 0 to 4,294,967,295. When an ACL rule is applied, the system automatically assigns a system index to the rule for search purposes, but you can also specify a system index manually when executing these commands. Generally, this is not recommended.
interface vlan-interface interface-number: Specifies the VLAN interface to which packets are redirected. The interface-number argument is the index of a VLAN interface, which ranges from 2 to 4094.
dscp dscp: Specifies the differentiated services code point value. The dscp argument ranges from 0 to 63 and defaults to 0. Packets can be classified by their DSCP values.
precedence precedence: Specifies a precedence, which will be used to remark packets. The precedence argument ranges from 0 to 7 and defaults to 0.
tos tos: Specifies the type of service value. The tos argument ranges from 0 to 15 and defaults to 0. Packets can be classified by their ToS values.
slot slot-number: Specifies the slot number of an LPU.
next-hop ipaddr &1-3: Specifies the IP address(es) to which packets are redirected. You can specify at most three IP addresses in one command line.
Description
Use the traffic-redirect inbound
ip-group command to redirect inbound packets that match a specified ACL or
ACL rule on an LPU.
Use the undo traffic-redirect inbound
ip-group command to remove the inbound packet redirection configuration.
You can redirect packets to a specified VLAN interface or to specified IP addresses.
If all specified IP addresses are unreachable, the packets will be forwarded according to their destination IP addresses, but the action defined by the remark keyword (if any) will still be performed.
Caution:
• With ACL rules, up to 100 streams can be redirected in the system.
• Up to 3,000 traffic-redirect inbound ip-group commands can be configured.
• In total, up to 3,000 traffic-redirect inbound ip-group and traffic-redirect outbound ip-group commands can be configured.
Example
# Configure to redirect the inbound packets that match ACL 2100 on the LPU in slot 5 to 10.13.152.1 (the next hop).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 3
[H3C-vlan3] traffic-redirect inbound ip-group 2100 next-hop 10.13.152.1 slot 5
Syntax
1) Redirect packets to a specified VLAN interface
traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] interface vlan-interface interface-number [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number
undo traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule ]
2) Redirect packets to a specified IP address
traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] next-hop ipaddr &1-3 [ remark { dscp dscp | { precedence precedence | tos tos }* } ] slot slot-number
undo traffic-redirect outbound ip-group { acl-number | acl-name } [ rule rule ]
View
VLAN view
Parameter
acl-number: ACL number, ranging from 2000 to 3999.
acl-name: ACL name, a string of 1 to 32 characters.
rule rule: Specifies a rule in the ACL. The rule argument represents the number of an ACL rule and ranges from 0 to 127. If rule rule is not provided, all rules in the specified ACL will be applied.
system-index index: Specifies a system index for the specified ACL rule. The two parameters are optional. The index argument ranges from 0 to 4,294,967,295. When an ACL rule is applied, the system automatically assigns a system index to the rule for search purposes, but you can also specify a system index manually when executing these commands. Generally, this is not recommended.
interface vlan-interface interface-number: Specifies the VLAN interface to which packets are redirected. The interface-number argument is the index of a VLAN interface, which ranges from 2 to 4094.
dscp dscp: Specifies the differentiated services code point value. The dscp argument ranges from 0 to 63 and defaults to 0. Packets can be classified by their DSCP values.
precedence precedence: Specifies a precedence, which will be used to remark packets. The precedence argument ranges from 0 to 7 and defaults to 0.
tos tos: Specifies the type of service value. The tos argument ranges from 0 to 15 and defaults to 0. Packets can be classified by their ToS values.
slot slot-number: Specifies the slot number of an LPU.
next-hop ipaddr &1-3: Specifies the IP address(es) to which packets are redirected. You can specify at most three IP addresses in one command line.
Description
Use the traffic-redirect outbound
ip-group command to redirect outbound packets that match a specified ACL or
ACL rule on an LPU.
Use the undo traffic-redirect outbound
ip-group command to disable the outbound packet redirection configuration.
You can redirect packets to a specified VLAN interface or to specified IP addresses.
If all specified IP addresses are unreachable, the packets will be forwarded according to their destination IP addresses, but the action defined by the remark keyword (if any) will still be performed.
Caution:
• Up to 100 ACL rule-filtered streams can be redirected in the system.
• Up to 3,000 traffic-redirect outbound ip-group commands can be configured.
• In total, up to 3,000 traffic-redirect inbound ip-group and traffic-redirect outbound ip-group commands can be configured.
Example
# Configure to redirect the outbound packets that match ACL 2100 on the LPU in slot 5 to 10.13.152.2 (the next hop).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 3
[H3C-vlan3] traffic-redirect outbound ip-group 2100 next-hop 10.13.152.2 slot 5