06-Layer 3 - IP Services Command Reference

05-NAT Commands

 

 

NOTE:

The switch supports two operation modes: standalone (default) and IRF. For more information about IRF mode, see IRF Configuration Guide.

 

connection-limit default action

Syntax

connection-limit default action { deny | permit }

undo connection-limit default action [ permit ]

View

Connection limit policy view

Default level

2: System level

Parameters

deny: Disables the connection limit function.

permit: Enables the connection limit function.

Description

Use the connection-limit default action command to specify the default connection limit action, for user connections not specified in the connection limit policy.

Use the undo connection-limit default action command to restore the default.

By default, connection limit is not enabled.

Examples

# Configure the default connection limit action as permit.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] connection-limit default action permit

connection-limit default amount

Syntax

connection-limit default amount upper-limit max-amount lower-limit min-amount

undo connection-limit default amount [ upper-limit max-amount lower-limit min-amount ]

View

Connection limit policy view

Default level

2: System level

Parameters

upper-limit max-amount: Specifies the upper connection limit, in the range of 1 to 4294967295.

lower-limit min-amount: Specifies the lower connection limit, in the range of 1 to 4294967294. min-amount must be less than max-amount.

Description

Use the connection-limit default amount command to set default connection limit parameters.

Use the undo connection-limit default amount command to restore the default.

By default, the upper connection limit is 512, and lower connection limit is 256.

Examples

# Set the default upper connection limit to 200 and the lower connection limit to 50.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] connection-limit default amount upper-limit 200 lower-limit 50
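The following Python script is an added example, not H3C code and not part of this reference. It validates upper-limit and lower-limit values against the ranges given above and then replays a sequence of connection open/close events against them. The hysteresis it models (new connections refused once the count reaches the upper limit, accepted again once the count has fallen to the lower limit, tracked as the limit-flag that display connection-limit statistics shows) is an assumption about how the two thresholds interact; the reference only states the ranges, the defaults, and that min-amount must be less than max-amount.

```python
"""Model of the connection-limit default amount thresholds (added example, not H3C code)."""
from dataclasses import dataclass

UPPER_MAX = 4294967295   # upper-limit max-amount: 1 to 4294967295 (from the reference)
LOWER_MAX = 4294967294   # lower-limit min-amount: 1 to 4294967294 (from the reference)
DEFAULT_UPPER = 512      # default upper connection limit (from the reference)
DEFAULT_LOWER = 256      # default lower connection limit (from the reference)


def validate_default_amount(max_amount: int, min_amount: int) -> None:
    """Reject values the CLI documentation says are invalid."""
    if not 1 <= max_amount <= UPPER_MAX:
        raise ValueError(f"upper-limit {max_amount} outside 1..{UPPER_MAX}")
    if not 1 <= min_amount <= LOWER_MAX:
        raise ValueError(f"lower-limit {min_amount} outside 1..{LOWER_MAX}")
    if min_amount >= max_amount:
        raise ValueError("lower-limit min-amount must be less than upper-limit max-amount")


@dataclass
class LimitState:
    """Per-policy counters as reported by display connection-limit statistics."""
    upper: int = DEFAULT_UPPER
    lower: int = DEFAULT_LOWER
    amount: int = 0        # current number of connections
    limit_flag: int = 0    # 0 = new connections allowed, 1 = not allowed

    def __post_init__(self) -> None:
        validate_default_amount(self.upper, self.lower)

    def open_connection(self) -> bool:
        """Try to create a connection; return True if it was accepted."""
        if self.limit_flag == 1:
            return False
        self.amount += 1
        # Assumption: reaching the upper limit sets limit-flag to 1.
        if self.amount >= self.upper:
            self.limit_flag = 1
        return True

    def close_connection(self) -> None:
        """Tear down one connection and clear the flag once the lower limit is reached."""
        if self.amount > 0:
            self.amount -= 1
        # Assumption: the flag clears only when the count falls to the lower limit.
        if self.limit_flag == 1 and self.amount <= self.lower:
            self.limit_flag = 0


def simulate(upper: int, lower: int, events):
    """Replay 'open'/'close' events; return (accepted, rejected, final state)."""
    state = LimitState(upper=upper, lower=lower)
    accepted = rejected = 0
    for event in events:
        if event == "open":
            if state.open_connection():
                accepted += 1
            else:
                rejected += 1
        elif event == "close":
            state.close_connection()
        else:
            raise ValueError(f"unknown event {event!r}")
    return accepted, rejected, state


if __name__ == "__main__":
    # Constructed sequence: a burst past the limit, then a drain back under it.
    acc, rej, final = simulate(200, 50, ["open"] * 205 + ["close"] * 150 + ["open"])
    print(f"accepted={acc} rejected={rej} amount={final.amount} limit-flag={final.limit_flag}")
```

The gap between the two thresholds is what prevents the switch from flapping between deny and permit on every connection once a source sits right at the limit; a lower limit close to the upper limit shortens that quiet period.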

connection-limit policy

Syntax

connection-limit policy policy-number

undo connection-limit policy { policy-number | all }

View

System view

Default level

2: System level

Parameters

policy-number: Connection limit policy number, in the range of 0 to 19.

all: Specifies all connection limit policies.

Description

Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view.

Use the undo connection-limit policy command to delete a specified or all connection limit policies.

Note the following:

·  A connection limit policy contains a set of limit rules that are defined to limit specified connections. By default, the policy adopts the default connection limit parameters.

·  When creating a connection limit policy, you need to assign it a number that uniquely identifies that policy. Policies are matched by number in descending order.

·  If a connection limit policy is bound to a NAT module, you cannot modify existing limit rules in the policy, but you can add or remove limit rules.

·  If a connection limit policy is applied in system view, you cannot modify, add, or remove existing limit rules in the policy.

Examples

# Create a connection limit policy numbered 1 and enter its view.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1]

display connection-limit policy

Syntax

display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-number: Number of a connection limit policy.

all: Displays all connection limit policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit policy command to display a specific or all connection-limit policies.

Examples

# Display all connection limit policies configured.

<Sysname> display connection-limit policy all

 There is 1 policy:

  Connection-limit policy 1, refcount 0 ,3 limits

  limit 1 acl 2000 per-source amount 1111 10

  limit 2 acl 2001 per-destination amount 300 20

  limit 3 acl 2002 per-service amount 400 50

# Display all connection limit policies configured.

<Sysname> display connection-limit policy all

 There are 2 policies:

Connection-limit policy 0, refcount 1, 2 limits

  limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared

  limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared

 

 Connection-limit policy 1, refcount 0, 1 limit

  limit 4500 source 2.2.0.0 16 amount dns 200

Table 1 Output description

Field                    Description
Connection-limit policy  Number of the connection limit policy
refcount 1, 2 limits     Number of times that a policy is referenced, and number of rules included in a policy.
limit                    Number of rules in the policy. For more information, see the limit command in connection limit policy view.

 

display connection-limit statistics

Syntax

display connection-limit statistics [ source src-address { mask-length | mask } ] [ destination dst-address { mask-length | mask } ] [ destination-port { eq | gt | lt | neq | range } port-number ] [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

source src-address: Displays the connection limit statistics for the specified source address.

destination dst-address: Displays the connection limit statistics for the specified destination address.

mask-length: Mask length, in the range of 1 to 32.

mask: Network mask.

destination-port: Displays connection limit statistics based on the destination port number.

{ eq | gt | lt | neq | range }: Specifies the port(s) in different ways through different keywords.

·  eq: Equal to the specified port number.

·  gt: Greater than the specified port number.

·  lt: Less than the specified port number.

·  neq: Not equal to the specified port number.

·  range: Specifies a port range.

port-number: Port number, in the range of 0 to 65,535. When the range keyword is specified, you need to specify a start-port and an end-port. The start-port must not be greater than the end-port.

vpn-instance vpn-instance-name: Specifies the MPLS VPN to which a user belongs. vpn-instance-name is a case-sensitive character string of 1 to 19 characters. Without this option, the connection statistics of users on the public network are displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit statistics command to display connection limit statistics.

Examples

# Display connection limit statistics.

<Sysname> display connection-limit statistics

      source-ip       dest-ip         dest-port       vpn-instance

      192.168.0.210   ---             ---             ---

--------------------------------------------------------------------------

 NAT       amount         upper-limit    lower-limit    limit-flag

           2              200            100            0

 

Table 2 Output description

Field         Description
source-ip     Source IP address. “---” indicates no such information is available.
dest-ip       Destination IP address. “---” indicates no such information is available.
dest-port     Destination port number. “---” indicates no such information is available.
vpn-instance  Name of the MPLS VPN instance that a connection belongs to. “---” indicates that the connection does not belong to any MPLS VPN instance.
amount        Number of connections allowed to establish
upper-limit   Upper limit of connections
lower-limit   Lower limit of connections
limit-flag    Whether new connections are allowed: 0 means yes, 1 means no

 

display connection-limit statistics vpn-instance

Syntax

display connection-limit statistics [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS VPN that a user belongs to. vpn-instance-name is a case-sensitive string of 1 to 19 characters. Without this option, the connection limit statistics of all VPN instances and of the public network are displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display connection-limit statistics vpn-instance command to display connection limit statistics of the specified VPN.

Examples

# Display connection limit statistics of VPN 1.

<Sysname> display connection-limit statistics vpn-instance vpn1

VPN-instance                       Amount

vpn1                               500

Table 3 Output description

Field         Description
VPN-instance  MPLS VPN instance name. Public indicates a public network user.
Amount        Connection limit statistics

 

display nat address-group

Syntax

display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

group-number: NAT address group number, in the range of 0 to 31. If this argument is not provided, the information of all NAT address pools is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat address-group command to display the NAT address pool information.

Related commands: nat address-group.

Examples

# Display the NAT address pool information.

<Sysname> display nat address-group

NAT address-group information:

  There are currently 2 nat address-group(s)

  1     : from         202.110.10.10     to 202.110.10.15

  2     : from         202.110.10.20     to 202.110.10.25

# Display the information of NAT address group 1.

<Sysname> display nat address-group 1

NAT address-group information:

  1     : from 202.110.10.10     to 202.110.10.15

Table 4 Output description

Field                                       Description
NAT address-group information               NAT address pool information
There are currently 2 nat address-group(s)  There are currently two NAT address groups.
1 : from 202.110.10.10 to 202.110.10.15     The range of IP addresses in address pool 1 is from 202.110.10.10 to 202.110.10.15

 

display nat aging-time

Syntax

display nat aging-time [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat aging-time command to display the NAT aging time settings for various protocols.

Related commands: nat aging-time.

Examples

# Display the NAT aging time settings for various protocols.

<Sysname> display nat aging-time

 

NAT aging-time value information:

       tcp ---- aging-time value is  86400 (seconds)

       udp ---- aging-time value is    300 (seconds)

      icmp ---- aging-time value is     60 (seconds)

      pptp ---- aging-time value is  86400 (seconds)

       dns ---- aging-time value is     60 (seconds)

   tcp-fin ---- aging-time value is     60 (seconds)

   tcp-syn ---- aging-time value is     60 (seconds)

  ftp-ctrl ---- aging-time value is   7200 (seconds)

  ftp-data ---- aging-time value is    300 (seconds)

    no-pat ---- aging-time value is    240 (seconds)

Table 5 Output description

Field                             Description
NAT aging-time value information  NAT aging time settings for various protocols
tcp                               NAT aging time for TCP
udp                               NAT aging time for UDP
icmp                              NAT aging time for ICMP
pptp                              NAT aging time for PPTP
dns                               NAT aging time for DNS
tcp-fin                           NAT aging time for TCP FIN and RST connections
tcp-syn                           NAT aging time for TCP SYN connections
ftp-ctrl                          NAT aging time for the FTP control link
ftp-data                          NAT aging time for the FTP data link
no-pat                            NAT aging time in NO-PAT mode

 

display nat all

Syntax

display nat all [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat all command to display all NAT configuration information.

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address-group information:

  There are currently 1 nat address-group(s)

  1     : from 202.110.10.10     to 202.110.10.15

 

NAT bound information:

  There are currently 1 nat bound rule(s)

  Interface: vlan-interface20

    Direction: outbound  ACL: 2009  Address-group: 1    NO-PAT: N

 

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface: vlan-interface11, Protocol: 6(tcp)

    Global:         5.5.5.5 : 80(www)

    Local :       192.1.1.1 : 80(www)

 

NAT static information:

  There are currently 1 NAT static configuration(s)

  single static:

    Local-IP        : 1.1.1.1

    Global-IP       : 2.2.2.2

    Local-VPN       : ---

 

NAT static enabled information:

  Interface                                      Direction

  vlan-interface14                                    out-static

 

 

NAT aging-time value information:

       tcp ---- aging-time value is  86400 (seconds)

       udp ---- aging-time value is    300 (seconds)

      icmp ---- aging-time value is     60 (seconds)

      pptp ---- aging-time value is  86400 (seconds)

       dns ---- aging-time value is     60 (seconds)

   tcp-fin ---- aging-time value is     60 (seconds)

   tcp-syn ---- aging-time value is     60 (seconds)

  ftp-ctrl ---- aging-time value is   7200 (seconds)

  ftp-data ---- aging-time value is    300 (seconds)

NAT log information:

  log enable  :  enable

  flow-begin  :  enable

  flow-active :  40(minutes)

# Display all NAT configuration information.

<Sysname> display nat all

NAT address-group information:

  There are currently 2 nat address-group(s)

  1     : from 202.110.10.10     to 202.110.10.15

  2     : from 202.110.10.20     to 202.110.10.25

 

NAT bound information:

  There are currently 1 nat bound rule(s)

  Interface: Vlan-interface15

    Direction: outbound  ACL: 2036  Address-group: ---  NO-PAT: N

    VPN-instance: ---

    Out-interface: ---

    Next-hop: ---

 

NAT server in private network information:

  There are currently 1 internal server(s)

  Interface: Vlan-interface10, Protocol: 6(tcp)

    Global:        50.1.1.1 : 23(telnet)

    Local :   192.168.10.15 : 23(telnet)

 

NAT static information:

  NAT static information:

  There are currently 1 NAT static configuration(s)

  single static:

    Local-IP        : 20.0.0.100

    Global-IP       : 10.0.0.100

    Local-VPN       :

 

NAT static enabled information:

  Interface                                      Direction

  Vlan-interface12                                out-static

Table 6 Output description

Field                                       Description
NAT address-group information               NAT address pool information
There are currently 1 nat address-group(s)  For descriptions of the specific fields, see the display nat address-group command.
NAT bound information:                      Configuration information about internal address-to-external address translation. For descriptions of the specific fields, see the display nat bound command.
NAT server in private network information   Internal server information. For descriptions of the specific fields, see the display nat server command.
NAT static information                      Information about static NAT. For descriptions of the specific fields, see the display nat static command.
NAT static enabled information              Information about static NAT entries and interface(s) with static NAT enabled. For descriptions of the specific fields, see the display nat static command.
NAT aging-time value information            NAT aging time information. For descriptions of the specific fields, see the display nat aging-time command.
NAT log information                         NAT logging configuration information. For descriptions of the specific fields, see the display nat log command.

 

display nat bound

Syntax

display nat bound [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat bound command to display the NAT configuration information.

Related commands: nat outbound.

Examples

# Display the NAT configuration information.

<Sysname> display nat bound

NAT bound information:

  There are currently 2 nat bound rule(s)

  Interface:Vlan-interface10

    Direction: outbound  ACL: 2000  Address-group: 319  NO-PAT: Y

    VPN-instance: vpn1

    Out-interface: ---

    Next-hop: 100.100.100.1

 

  Interface:Vlan-interface20

    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: N

    VPN-instance: ---

    Out-interface: ---

    Next-hop: ---

Table 7 Output description

Field                   Description
NAT bound information:  Configured NAT address translation information
Interface               The interface associated with a NAT address pool.
Direction               Address translation direction: inbound or outbound.
ACL                     ACL number
Address-group           Address group number. The field is displayed as null in Easy IP mode.
NO-PAT                  Whether NO-PAT mode is supported
VPN-instance            VPN instance name of the private network where the NAT address pool belongs. The field is displayed as “---” if it is not configured.
Out-interface           The specified outbound interface. The field is displayed as “---” if it is not configured.
Next-hop                The specified next hop address. The field is displayed as “---” if it is not configured.

 
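The Python script below is an added example, not H3C code or part of this reference. It parses the display nat address-group output shown earlier and the display nat bound output shown above into records, then cross-checks them: a rule whose Address-group is “---” is reported as Easy IP (per Table 7), and a rule that references a group number absent from the address pool list is reported as a dangling reference. Treating a dangling reference as a finding is this example's assumption; the reference does not say how the switch behaves in that case. The sample text is copied from the two command examples on this page.

```python
"""Parse and cross-check display nat address-group / display nat bound output (added example)."""
import re

# Sample output copied from the display nat address-group example on this page.
ADDRESS_GROUP_OUTPUT = """\
NAT address-group information:
  There are currently 2 nat address-group(s)
  1     : from         202.110.10.10     to 202.110.10.15
  2     : from         202.110.10.20     to 202.110.10.25
"""

# Sample output copied from the display nat bound example on this page.
BOUND_OUTPUT = """\
NAT bound information:
  There are currently 2 nat bound rule(s)
  Interface:Vlan-interface10
    Direction: outbound  ACL: 2000  Address-group: 319  NO-PAT: Y
    VPN-instance: vpn1
    Out-interface: ---
    Next-hop: 100.100.100.1

  Interface:Vlan-interface20
    Direction: outbound  ACL: 2001  Address-group: ---  NO-PAT: N
    VPN-instance: ---
    Out-interface: ---
    Next-hop: ---
"""

POOL_RE = re.compile(r"^\s*(\d+)\s*:\s*from\s+(\S+)\s+to\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^\s*Interface:\s*(\S+)\s*$")      # tolerates "Interface:X" and "Interface: X"
RULE_RE = re.compile(r"Direction:\s*(\S+)\s+ACL:\s*(\d+)\s+Address-group:\s*(\S+)\s+NO-PAT:\s*([YN])")
KV_RE = re.compile(r"^\s*(VPN-instance|Out-interface|Next-hop):\s*(\S*)\s*$")
COUNT_RE = re.compile(r"There are currently (\d+) nat bound rule")


def _opt(value: str):
    """Map the CLI's '---' (not configured) to None."""
    return None if value in ("---", "") else value


def parse_address_groups(text: str) -> dict:
    """Return {group_number: (start_ip, end_ip)} from display nat address-group output."""
    pools = {}
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[int(m.group(1))] = (m.group(2), m.group(3))
    return pools


def parse_nat_bound(text: str) -> list:
    """Return one dict per NAT bound rule from display nat bound output."""
    rules, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"interface": m.group(1)}
            rules.append(current)
            continue
        m = RULE_RE.search(line)
        if m and current is not None:
            group = m.group(3)
            current.update(direction=m.group(1), acl=int(m.group(2)),
                           address_group=None if group == "---" else int(group),
                           no_pat=(m.group(4) == "Y"))
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower().replace("-", "_")] = _opt(m.group(2))
    return rules


def audit_nat_bound(bound_text: str, pools: dict):
    """Return (rules, findings); each finding is (interface, message)."""
    rules = parse_nat_bound(bound_text)
    findings = []
    m = COUNT_RE.search(bound_text)
    if m and int(m.group(1)) != len(rules):
        findings.append(("*", f"declared {m.group(1)} rules but parsed {len(rules)}"))
    for rule in rules:
        group = rule.get("address_group")
        if group is None:
            findings.append((rule["interface"], "easy-ip: translates to the interface address, no pool"))
        elif group not in pools:
            findings.append((rule["interface"], f"references undefined address-group {group}"))
    return rules, findings


if __name__ == "__main__":
    _, found = audit_nat_bound(BOUND_OUTPUT, parse_address_groups(ADDRESS_GROUP_OUTPUT))
    for iface, msg in found:
        print(f"{iface}: {msg}")
```

Run against the page's own sample output, the audit reports the Vlan-interface10 rule as referencing address-group 319, which does not appear in the pool list, and the Vlan-interface20 rule as Easy IP.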

display nat connection-limit

Syntax

display nat connection-limit [ source src-address { mask-length | mask } ] [ destination dst-address { mask-length | mask } ] [ destination-port { eq | gt | lt | neq | range } port-number ] [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

source src-address: Displays the connection limit statistics of a specified source address.

destination dst-address: Displays the connection limit statistics of a specified destination address.

mask: Network mask.

mask-length: The length of net mask, in the range of 1 to 32.

destination-port: Displays connection limit statistics based on the destination port number.

{ eq | gt | lt | neq | range }: Specifies the port(s) in different ways through different keywords.

·  eq: Equal to the specified port number.

·  gt: Greater than the specified port number.

·  lt: Less than the specified port number.

·  neq: Not equal to the specified port number.

·  range: Specifies a port range.

port-number: Port number, in the range of 0 to 65,535. When the range keyword is specified, you need to specify a start-port and an end-port. The start-port must not be greater than the end-port.

vpn-instance vpn-instance-name: Specifies the MPLS VPN that a user belongs to. The vpn-instance-name argument is a string of 1 to 31 characters. Without this option, the connection statistics of users on the public network are displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat connection-limit command to display NAT connection limit statistics.

Examples

# Display NAT connection limit statistics.

<Sysname> display nat connection-limit

      source-ip       dest-ip         dest-port       vpn-instance

      192.168.0.210   ---             ---             ---

--------------------------------------------------------------------------

 NAT       amount         upper-limit    lower-limit    limit-flag

           2              50             20             0

Table 8 Output description

Field         Description
source-ip     Source IP address of the connection. “---” indicates that the value is not available.
dest-ip       Destination IP address of the connection. “---” indicates that the value is not available.
dest-port     Destination port of the connection. “---” indicates that the value is not available.
vpn-instance  MPLS VPN instance that a connection belongs to. “---” indicates that the connection does not belong to any MPLS VPN instance.
NAT           Indicates that the connection is created through NAT
amount        Number of active connections
upper-limit   Upper limit of connections
lower-limit   Lower limit of connections
limit-flag    Whether new connections are allowed to establish: 0 means yes, 1 means no

 
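The Python script below is an added example, not H3C code or part of this reference. It parses the two-row-per-entry output shared by display connection-limit statistics and display nat connection-limit (a key row of source-ip/dest-ip/dest-port/vpn-instance followed by a NAT counter row) and picks out entries whose limit-flag is 1 or whose amount is approaching upper-limit, which is the check an operator polling the switch would want. The first entry is copied from the page's example; the second is constructed to show an entry that has hit its limit.

```python
"""Parser for display connection-limit statistics / display nat connection-limit output (added example)."""

# First entry copied from the page's example; second entry constructed for illustration.
SAMPLE_OUTPUT = """\
      source-ip       dest-ip         dest-port       vpn-instance
      192.168.0.210   ---             ---             ---
--------------------------------------------------------------------------
 NAT       amount         upper-limit    lower-limit    limit-flag
           2              50             20             0
      source-ip       dest-ip         dest-port       vpn-instance
      10.0.5.7        ---             ---             vpn1
--------------------------------------------------------------------------
 NAT       amount         upper-limit    lower-limit    limit-flag
           200            200            100            1
"""

KEY_HEADER = ["source-ip", "dest-ip", "dest-port", "vpn-instance"]
NAT_HEADER = ["NAT", "amount", "upper-limit", "lower-limit", "limit-flag"]


def _opt(value: str):
    """Map the CLI's '---' (not available) to None."""
    return None if value == "---" else value


def parse_connection_limit_statistics(text: str) -> list:
    """Return one dict per entry, combining the key row and the NAT counter row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries, entry, i = [], None, 0
    while i < len(lines):
        tokens = lines[i].split()
        if tokens == KEY_HEADER:
            if i + 1 >= len(lines):
                raise ValueError("key header without a value row")
            values = lines[i + 1].split()
            if len(values) != 4:
                raise ValueError(f"unexpected key row: {lines[i + 1]!r}")
            port = _opt(values[2])
            entry = {
                "source_ip": _opt(values[0]),
                "dest_ip": _opt(values[1]),
                "dest_port": None if port is None else int(port),
                "vpn_instance": _opt(values[3]),
            }
            i += 2
        elif tokens == NAT_HEADER:
            if entry is None or i + 1 >= len(lines):
                raise ValueError("NAT counter row without a preceding key row")
            values = lines[i + 1].split()
            if values and values[0] == "NAT":      # tolerate the label on the value row
                values = values[1:]
            if len(values) != 4:
                raise ValueError(f"unexpected counter row: {lines[i + 1]!r}")
            entry.update(amount=int(values[0]), upper_limit=int(values[1]),
                         lower_limit=int(values[2]), limit_flag=int(values[3]))
            entries.append(entry)
            entry = None
            i += 2
        else:
            i += 1                                  # separator line
    return entries


def blocked_entries(entries: list) -> list:
    """Entries for which the switch is currently refusing new connections."""
    return [e for e in entries if e["limit_flag"] == 1]


def near_limit(entries: list, ratio: float = 0.8) -> list:
    """Entries whose connection count has reached the given fraction of upper-limit."""
    return [e for e in entries if e["amount"] >= ratio * e["upper_limit"]]


if __name__ == "__main__":
    parsed = parse_connection_limit_statistics(SAMPLE_OUTPUT)
    for e in blocked_entries(parsed):
        print(f"limit reached: {e['source_ip']} vpn={e['vpn_instance']} amount={e['amount']}")
```

A source that stays at limit-flag 1 across several polls is worth correlating with the ACL that matched it, since a host opening connections at that rate is either misconfigured or worth a closer look.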

display nat dns-map

Syntax

display nat dns-map [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat dns-map command to display NAT DNS mapping configuration information.

Related commands: nat dns-map.

Examples

# Display NAT DNS mapping configuration information.

<Sysname> display nat dns-map

NAT DNS mapping information:

  There are currently 2 NAT DNS mapping(s)

  Domain-name: www.server.com

  Global-IP  : 202.113.16.117

  Global-port: 80(www)

  Protocol   : 6(tcp)

 

  Domain-name: ftp.server.com

  Global-IP  : 202.113.16.100

  Global-port: 21(ftp)

  Protocol   : 6(tcp)

Table 9 Output description

Field                                 Description
NAT DNS mapping information           NAT DNS mapping information
There are currently 2 DNS mapping(s)  There are two DNS mapping entries
Domain-name                           Domain name of the internal server
Global-IP                             Public IP address of the internal server
Global-port                           Public port number of the internal server
Protocol                              Protocol type of the internal server

 

display nat log

Syntax

display nat log [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat log command to view the NAT logging configuration information.

Related commands: nat log enable, nat log flow-active, and nat log flow-begin.

Examples

# View the NAT logging configuration information.

<Sysname> display nat log

NAT log information:

  log enable  :  enable acl 2000

  flow-begin  :  enable

  flow-active :  10(minutes)

Table 10 Output description

Field                           Description
NAT log information:            NAT logging configuration information
log enable  :  enable acl 2000  Logging data flows matching ACL 2000
flow-begin  :  enable           Logging newly established sessions
flow-active :  10(minutes)      Interval for logging active flows (10 minutes)

 

display nat server

Syntax

display nat server [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat server command to display information about internal servers.

Related commands: nat server.

Examples

# Display information about internal servers.

<Sysname> display nat server

NAT server in private network information:

  There are currently 2 internal server(s)

  Interface: Vlan-interface10, Protocol: 6(tcp)

    Global: 100.100.120.120 : 21(ftp)

    Local : 192.168.100.100 : 21(ftp)

 

  Interface: Vlan-interface11, Protocol: 6(tcp)

    Global: 100.100.100.121 : 80(www)

    Local : 192.168.100.101 : 80(www)            vpn2

Table 11 Output description

Field                                      Description
NAT server in private network information  Information about internal servers
Interface                                  Internal server interface
Protocol                                   Protocol type
Global                                     Public IP address and port number of a server, and the name of the VPN that the public address belongs to.
Local                                      Private IP address and port number of a server, and the name of the VPN that the private IP address belongs to.

 

display nat session

Syntax

Standalone mode:

display nat session [ vpn-instance vpn-instance-name ] slot slot-number [ source { global global-address | inside inside-address } ] [ destination dst-address ] [ | { begin | exclude | include } regular-expression ]

IRF mode:

display nat session [ vpn-instance vpn-instance-name ] chassis chassis-number slot slot-number [ source { global global-address | inside inside-address } ] [ destination dst-address ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

vpn-instance vpn-instance-name: Displays NAT entries for the specified MPLS L3VPN. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Without this option, NAT entries of the public network are displayed.

slot slot-number: Specifies a card by its slot number. Use this option when your switch is operating in standalone (the default) mode (only supported on the main control board).

chassis chassis-number slot slot-number: Specifies a card on an IRF member switch. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

source global global-address: Displays NAT entries for the specified external source IP address.

source inside inside-address: Displays NAT entries for the specified internal source IP address.

destination dst-address: Displays NAT entries for the specified destination IP address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat session command to display dynamic NAT entries.

Examples

# Display dynamic NAT entries.

<Sysname> display nat session slot 2

There are currently 1 NAT session:

 

Protocol      GlobalAddr  Port      InsideAddr  Port        DestAddr  Port

     TCP   162.105.26.51 12288      200.0.0.28   512  162.105.26.246   512

     status:11      TTL:00:00:10   Left:00:00:02   VPN:vpn1

Table 12 Output description

Field             Description
Protocol          Protocol type
GlobalAddr  Port  External IP address and port number after translation
InsideAddr  Port  Internal IP address and port number before translation
DestAddr  Port    Destination IP address and port number
VPN               Name of the MPLS L3VPN instance to which NAT entries belong
status            Status of NAT entries
TTL               Lifetime of NAT entries, in the format hh:mm:ss
Left              Remaining lifetime of NAT entries, in the format hh:mm:ss

 

display nat static

Syntax

display nat static [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display nat static command to display static NAT entries and interface(s) with static NAT enabled.

Related commands: nat static and nat outbound static.

Examples

# Display static NAT entries and interface(s) with static NAT enabled.

<Sysname> display nat static

NAT static information:

  There are currently 1 NAT static configuration(s)

  single static:

    Local-IP        : 20.0.0.100

    Global-IP       : 10.0.0.100

    Local-VPN       : ---

 

NAT static enabled information:

  Interface                                      Direction

  Vlan-interface10                               out-static

Table 13 Output description

Field                           Description
NAT static information          Configuration information of static NAT
single static                   One-to-one static NAT
Local-IP                        Private IP address
Global-IP                       Public IP address
Local-VPN                       VPN that the private IP address belongs to
NAT static enabled information  Information about static NAT enabled on the interface(s)
Interface                       Interface on which static NAT is configured
Direction                       Direction of packets to be translated

 

display userlog export

Syntax

Standalone mode:

display userlog export slot slot-number [ | { begin | exclude | include } regular-expression ]

IRF mode:

display userlog export chassis chassis-number slot slot-number [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

slot-number: Specifies a card by its slot number. Use this argument when your switch is operating in standalone (the default) mode (only supported on the main control board).

chassis chassis-number slot slot-number: Specifies a card on an IRF member switch. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display userlog export command to view the configuration and statistics of logs output to the log server.

This command can display all types of logs output to the log server; this document describes only NAT logs.

Related commands: reset userlog nat export.

Examples

# Display the configuration and statistics of the NAT logs for the card in Slot 2.

<Sysname> display userlog export slot 2

nat:

   Export Version 1 logs to log server : enabled

   Source address of exported logs   : 5.5.5.6

   Address of log server             : 1.1.1.2 (port: 2000)

   Total Logs/UDP packets exported   : 137/85

   VPN-instance                      : test

   Logs in buffer                    : 0

# Display the configuration and statistics of the NAT logs for the card in Slot 1.

<Sysname> display userlog export slot 1

nat:

   No userlog export is enabled 

Table 14 Output description

Field                                Description
nat                                  NAT log information
Export Version 1 logs to log server  NAT logs of version 1 are exported to the log server.
Export logs to (port:)               IP address and port number of the log server
Source address of exported logs      Source address of exported NAT logs. (If no source IP address is configured, this field is not displayed.)
Address of log server                Log server address, including the IP address and port number.
Total Logs/UDP packets exported      Total number of logs sent and total number of UDP packets carrying NAT logs. (One UDP packet can carry multiple NAT log records.)
VPN-instance                         VPN where the log server resides
Logs in buffer                       Total number of flow or NAT logs buffered
No userlog export is enabled         NAT logging is not enabled; or it is enabled but logs are not exported to the information center; or export to the log server is enabled but the IP address and UDP port number of the log server are not configured.

 

limit acl

Syntax

limit limit-id acl acl-number [ { per-destination | per-service | per-source } * amount max-amount min-amount ]

undo limit limit-id [ { per-destination | per-service | per-source } * amount max-amount min-amount ]

View

Connection limit policy view

Default level

2: System level

Parameters

limit-id: Number for a rule in the connection limit policy, in the range of 0 to 255.

acl-number: Number of an ACL, in the range of 2000 to 3999. User connections matching this ACL are to be limited.

per-destination: Limits connections by destination address.

per-service: Limits connections by service type.

per-source: Limits connections by source address.

amount: Limits the number of connections.

max-amount: Upper limit of connections, in the range of 1 to 4294967295.

min-amount: Lower limit of connections, in the range of 1 to 4294967294. min-amount must be less than max-amount.

Description

Use the limit acl command to configure an ACL based connection limit rule.

Use the undo limit command to remove a connection limit rule.

Note the following:

·           If no limit type is specified, the command limits connections by source address using the default connection limit parameters (upper and lower limits) configured with the connection-limit default amount command.

·           If you specify multiple limit types in one limit rule, they work together to limit and count user connections. For example, with both per-destination and per-service limit types specified, the limit rule limits and counts the user connections of the specified service that are destined to the specified destination IP address.

Related commands: connection-limit policy and display connection-limit policy.

Examples

# Configure a limit rule for connection limit policy 1 to limit connections initiated from 192.168.0.0/24 by destination address, setting the upper and lower connection limits to 200 and 100 respectively. Suppose that users 192.168.0.1 and 192.168.0.100 access the same public network server. If the number of connections from the two users to the server reaches 200, no new connections can be established until the connection number goes below 100.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.255

[Sysname-acl-basic-2001] quit

[Sysname] connection-limit policy 1

[Sysname-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 200 100
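An added model (not from the reference) of how the per-destination rule with amount 200 100 behaves over the life of the connections in the example above: connections from ACL-matching sources are counted per destination, new connections are refused once the count reaches the upper limit, and are accepted again only after the count falls below the lower limit. Sources outside the ACL are permitted, which assumes a permit default action; the server address 203.0.113.10 is constructed.

```python
import ipaddress
from collections import defaultdict


class PerDestinationConnectionLimiter:
    """Model of a 'limit <id> acl <n> per-destination amount <max> <min>' rule.

    Connections whose source matches the ACL are counted per destination
    address. When a destination's count reaches max_amount, new connections
    to it are refused until the count has dropped below min_amount.
    Sources that do not match the ACL are permitted, which corresponds to a
    'connection-limit default action permit' policy (an assumption here).
    """

    def __init__(self, acl_networks, max_amount, min_amount):
        if not 1 <= min_amount < max_amount:
            raise ValueError("min-amount must be less than max-amount")
        self.networks = [ipaddress.ip_network(n) for n in acl_networks]
        self.max_amount = max_amount
        self.min_amount = min_amount
        self.active = defaultdict(int)   # destination -> current connection count
        self.throttled = set()           # destinations currently refusing connections

    def _matches_acl(self, source):
        src = ipaddress.ip_address(source)
        return any(src in net for net in self.networks)

    def open_connection(self, source, destination):
        """Return True if the connection may be established."""
        if not self._matches_acl(source):
            return True
        if destination in self.throttled:
            return False
        if self.active[destination] >= self.max_amount:
            self.throttled.add(destination)
            return False
        self.active[destination] += 1
        return True

    def close_connection(self, source, destination):
        """Account for a connection that has ended."""
        if not self._matches_acl(source) or self.active[destination] == 0:
            return
        self.active[destination] -= 1
        if destination in self.throttled and self.active[destination] < self.min_amount:
            self.throttled.discard(destination)


def simulate_limit_rule():
    """Replay the example: two hosts in 192.168.0.0/24 share one server;
    the upper limit is 200 and the lower limit is 100."""
    limiter = PerDestinationConnectionLimiter(["192.168.0.0/24"], 200, 100)
    server = "203.0.113.10"   # constructed public server address
    users = ["192.168.0.1", "192.168.0.100"]
    # 200 connections, alternating between the two users, are all accepted.
    accepted = sum(limiter.open_connection(users[i % 2], server) for i in range(200))
    # The 201st is refused, even from a third host in the same ACL range.
    refused_at_limit = not limiter.open_connection("192.168.0.50", server)
    # A host outside the ACL is not subject to the rule.
    outside_acl = limiter.open_connection("10.0.0.5", server)
    # Closing 100 connections leaves 100 active: not yet below the lower limit.
    for i in range(100):
        limiter.close_connection(users[i % 2], server)
    still_refused = not limiter.open_connection(users[0], server)
    # One more close brings the count to 99 and reopens the destination.
    limiter.close_connection(users[0], server)
    reopened = limiter.open_connection(users[0], server)
    return {
        "accepted": accepted,
        "refused_at_limit": refused_at_limit,
        "outside_acl": outside_acl,
        "still_refused": still_refused,
        "reopened": reopened,
        "active_after": limiter.active[server],
    }
```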

nat address-group

Syntax

nat address-group group-number [ start-address end-address ]

undo nat address-group group-number [ start-address end-address ]

View

System view

Default level

2: System level

Parameters

group-number: Index of the address pool, in the range of 0 to 31.

start-address: Start IP address of the address pool.

end-address: End IP address of the address pool. The end-address must be greater than or equal to the start-address. An address pool can contain four IP addresses at most.

Description

Use the nat address-group command to configure an address pool for NAT. When the start and end IP addresses are specified, this command specifies an address pool. Without the start and end IP addresses specified, the command places you into the address group view.

Use the undo nat address-group command to remove an address pool or address group.

An address pool consists of a set of consecutive IP addresses. When an internal packet is to be forwarded to the external network, an address is selected from the pool to replace the original source address. If the start-address and end-address parameters have the same value, there is only one IP address in the address pool.

Note the following:

·           You cannot remove an address pool that has been associated with an ACL.

·           An address pool is not needed in the case of Easy IP where the interface’s public IP address is used as the translated IP address.

Related commands: display nat address-group.

 

 

NOTE:

·       The length of an address pool (the number of addresses in the pool) is 4.

·       Address pools cannot overlap each other.

 

Examples

# Configure an address pool numbered 1 that contains addresses 202.110.10.10 to 202.110.10.15.

<Sysname> system-view

[Sysname] nat address-group 1 202.110.10.10 202.110.10.15

nat aging-time

Syntax

nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } seconds

undo nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } [ seconds ]

View

System view

Default level

2: System level

Parameters

dns: Specifies the NAT aging time for DNS.

ftp-ctrl: Specifies the NAT aging time for FTP control link.

ftp-data: Specifies the NAT aging time for FTP data link.

icmp: Specifies the NAT aging time for ICMP.

no-pat: Specifies the NAT aging time in No-PAT mode.

pptp: Specifies the NAT aging time for PPTP.

tcp: Specifies the NAT aging time for TCP.

tcp-fin: Specifies the NAT aging time for TCP FIN or RST connection.

tcp-syn: Specifies the NAT aging time for TCP SYN connection.

udp: Specifies the NAT aging time for UDP.

seconds: NAT aging time, in the range of 10 to 86400 seconds.

Description

Use the nat aging-time command to set NAT aging time.

Use the undo nat aging-time command to restore the default.

The default NAT aging times of various protocols are as follows:

·           10 seconds for DNS

·           300 seconds for FTP control link

·           300 seconds for FTP data link

·           10 seconds for ICMP

·           240 seconds in NO-PAT mode

·           300 seconds for PPTP

·           300 seconds for TCP

·           10 seconds for TCP FIN and RST connections

·           10 seconds for TCP SYN connections

·           240 seconds for UDP

A NAT entry is not permanent. You can use this command to configure NAT aging time for TCP, UDP, ICMP, and other protocols. If a NAT entry is not used within the configured time, it will be aged out. For example, when a user with IP address 10.110.10.10 and port number 2000 establishes an external TCP connection, NAT assigns an IP address and a port number for the user. If, within a preconfigured aging time, the TCP connection is not used, the system will remove it.

In NO-PAT mode, if the private network is big and the users frequently go online and offline, you can set a smaller aging time to speed up the release of addresses.

Related commands: display nat aging-time.

Examples

# Set the NAT aging time for TCP to 240 seconds.

<Sysname> system-view

[Sysname] nat aging-time tcp 240

nat alg

Syntax

nat alg { all | dns | ftp | h323 | ils | nbt | sip }

undo nat alg { all | dns | ftp | h323 | ils | nbt | sip }

View

System view

Default level

2: System level

Parameters

all: Supports all special protocols.

dns: Supports DNS.

ftp: Supports FTP.

h323: Supports H.323.

ils: Supports ILS.

nbt: Supports NBT.

sip: Supports SIP.

Description

Use the nat alg command to enable NAT application layer gateway for one or more protocols.

Use the undo nat alg command to disable NAT application layer gateway.

By default, NAT application layer gateway is enabled.

Examples

# Enable NAT application layer gateway for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

nat connection-limit-policy

Syntax

nat connection-limit-policy policy-number

undo nat connection-limit-policy policy-number

View

System view

Default level

2: System level

Parameters

policy-number: Number of the connection limit policy, in the range of 0 to 19.

Description

Use the nat connection-limit-policy command to bind a connection limit policy with the NAT module.

Use the undo nat connection-limit-policy command to remove the binding.

If you want to modify a connection limit policy that has been bound to NAT, you need to remove the binding with the undo nat connection-limit-policy command first.

Examples

# Bind connection limit policy 1 with the NAT module.

<Sysname> system-view

[Sysname] nat connection-limit-policy 1

# Remove the binding between connection limit policy 1 and the NAT module.

<Sysname> system-view

[Sysname] undo nat connection-limit-policy 1

nat dns-map

Syntax

nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

undo nat dns-map domain domain-name

View

System view

Default level

2: System level

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a string of no more than 255 case-insensitive characters, consisting of labels separated by dots (.). Each label has no more than 63 characters, must begin and end with a letter or digit, and can contain dashes (-).

protocol pro-type: Specifies the protocol type used by the internal server, tcp or udp.

ip global-ip: Specifies the public IP address used by the internal server to provide services to the external network.

port global-port: Specifies the port number used by the internal server to provide services to the external network. The global-port argument is in the range of 1 to 65535.

Description

Use the nat dns-map command to map the domain name to the public network information of an internal server.

Use the undo nat dns-map command to remove a DNS mapping.

The switch supports up to 16 DNS mappings.

Related commands: display nat dns-map.

Examples

# A company provides Web service to external users. The domain name of the internal server is www.server.com, and the public IP address is 202.112.0.1. Configure a DNS mapping, so that internal users can access the Web server using its domain name.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port www

nat link-down reset-session enable

Syntax

nat link-down reset-session enable

undo nat link-down reset-session enable

View

System view

Default level

2: System level

Parameters

None

Description

Use the nat link-down reset-session enable command to enable aging out NAT entries upon master link failure.

Use the undo nat link-down reset-session enable command to restore the default.

By default, this feature is disabled.

Examples

# Enable aging out NAT entries upon master link failure.

<Sysname> system-view

[Sysname] nat link-down reset-session enable

nat log enable

Syntax

nat log enable [ acl acl-number ]

undo nat log enable

View

System view

Default level

2: System level

Parameters

acl acl-number: Specifies an ACL by its number, which is in the range of 2000 to 3999. If no ACL is specified, the command enables NAT logging for all data flows.

Description

Use the nat log enable command to enable NAT logging.

Use the undo nat log enable command to disable NAT logging.

By default, the NAT logging function is disabled.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable acl 2001

nat log flow-active

Syntax

nat log flow-active minutes

undo nat log flow-active

View

System view

Default level

2: System level

Parameters

minutes: Interval for logging active NAT sessions, in the range of 10 to 120 minutes.

Description

Use the nat log flow-active command to enable logging for active NAT sessions and set the logging interval.

Use the undo nat log flow-active command to disable this function.

By default, this function is disabled.

This function helps track active flows by logging them regularly. Without this function, logs are generated only when a session is established or deleted and no logs are available for tracking a session that lasts for a long period of time.

Examples

# Enable logging for active NAT sessions and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

nat log flow-begin

Syntax

nat log flow-begin

undo nat log flow-begin

View

System view

Default level

2: System level

Parameters

None

Description

Use the nat log flow-begin command to enable logging of NAT session establishment events.

Use the undo nat log flow-begin command to restore the default.

By default, no log is generated when a session is established.

Examples

# Enable logging of NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ]

undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

View

Interface view

Default level

2: System level

Parameters

acl-number: ACL number, in the range of 2000 to 3999.

address-group group-number: Specifies an existing address pool for NAT by its index. The group-number argument ranges from 0 to 31.

no-pat: Indicates that only many-to-many NAT (address translation without port translation) is implemented. If this keyword is not configured, many-to-one NAT is implemented using the TCP/UDP port information.

Description

Use the nat outbound command to associate an ACL with an address pool. Packets matching the associated ACL will be serviced by NAT. If no address pool is specified, the IP address of the interface will be used for NAT, which means Easy IP is enabled.

Use the undo nat outbound command to remove the address association on the outbound interface.

Note the following:

·           You can configure multiple associations or use the undo command to remove an association on an interface that serves as the egress of an internal network to external networks.

·           When an ACL rule is not operative, no new NAT session entry depending on the rule can be created. However, existing connections are still available for communication.

·           If a packet matches the specified next hop, the packet will be translated using an IP address in the address pool; if not, the packet will not be translated.

·           You can bind an ACL to only one address pool on an interface; an address pool can be bound to multiple ACLs.

 

 

NOTE:

For some devices, the ACL rules referenced by the same interface cannot conflict. The source IP address, destination IP address and VPN instance information in any two ACL rules cannot be the same. For basic ACLs (numbered from 2000 to 2999), if the source IP address and VPN instance information in any two ACL rules are the same, a conflict occurs.

 

Examples

# Enable NAT for hosts in the 10.110.10.0/24 segment, using addresses 202.110.10.10 to 202.110.10.12 as the external IP addresses. Assume that VLAN-interface 200 is connected to the external network.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-basic-2001] rule deny

[Sysname-acl-basic-2001] quit

# Configure a NAT address pool.

[Sysname] nat address-group 1 202.110.10.10 202.110.10.12

# To use TCP/UDP port information in translation, do the following:

[Sysname] interface vlan-interface 200

[Sysname-Vlan-interface200] nat outbound 2001 address-group 1

# To ignore the TCP/UDP port information in translation, do the following:

<Sysname> system-view

[Sysname] interface Vlan-interface 200

[Sysname-Vlan-interface200] nat outbound 2001 address-group 1 no-pat

# To use the IP address of VLAN-interface 200 for NAT, do the following:

<Sysname> system-view

[Sysname] interface vlan-interface 200

[Sysname-Vlan-interface200] nat outbound 2001

nat outbound static

Syntax

nat outbound static

undo nat outbound static

View

Interface view

Default level

2: System level

Parameters

None

Description

Use the nat outbound static command to enable static NAT on an interface, making the configured static NAT mappings take effect.

Use the undo nat outbound static command to disable static NAT on the interface.

Related commands: display nat static.

Examples

# Configure a one-to-one NAT mapping and enable static NAT on VLAN-interface 200.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

[Sysname] interface Vlan-interface 200

[Sysname-Vlan-interface200] nat outbound static

nat server

Syntax

nat server protocol pro-type global { global-address | interface interface-type interface-number | current-interface } [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ]

undo nat server protocol pro-type global { global-address | interface interface-type interface-number | current-interface } [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ]

nat server protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ]

undo nat server protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ]

View

Interface view

Default level

2: System level

Parameters

protocol pro-type: Specifies a protocol type. pro-type supports TCP, UDP, and ICMP. If ICMP is specified, do not specify any port number for the internal server.

global-address: Public IP address for the internal server.

interface: Specifies the address of the interface as the public IP address of the internal server.

interface-type interface-number: Specifies the interface type and interface number. The specified interface must be a loopback interface that already exists.

current-interface: Specifies the IP address of the current interface as the public address of the internal server.

global-port1, global-port2: Specifies a range of ports that have a one-to-one correspondence with the IP addresses of the internal hosts. global-port2 must be greater than global-port1.

local-address1, local-address2: Defines a consecutive range of addresses that have a one-to-one correspondence with the range of ports. local-address2 must be greater than local-address1, and the number of addresses must match the number of specified ports.

local-port: Port number provided by the internal server, in the range of 0 to 65535 (excluding the FTP port number 20).

·           You can use the service names to represent those well-known port numbers. For example, you can use www to represent port number 80, and ftp to represent port number 21.

·           You can use the keyword any to represent port number 0, which means all types of services are supported. This has the same effect as a static translation between the global-address and local-address.

global-port: Global port number for the internal server, in the range of 0 to 65535.

local-address: Internal IP address of the internal server.

vpn-instance local-name: Specifies the MPLS VPN to which the internal server belongs. local-name specifies the VPN instance name, a case-sensitive string of 1 to 31 characters. Without this parameter, the internal server is a common internal server that does not belong to any MPLS VPN.

Description

Use the nat server command to define an internal server.

Using the address and port defined by the global-address and global-port parameters, external users can access the internal server with an IP address of local-address and a port of local-port.

Use the undo nat server command to remove the configuration.

Note the following:

·           If one of the two arguments global-port and local-port is set to any, the other must also be set to any or remain undefined.

·           Using this command, you can configure internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) to provide services for external users. An internal server can reside on a private network or an MPLS VPN.

·           Up to 256 internal server configuration commands can be configured on an interface. The number of internal servers that each command can define equals the difference between global-port2 and global-port1. Up to 4096 internal servers can be configured on an interface. The system allows up to 1024 internal server configuration commands.

·           In general, this command is configured on an interface that serves as the egress of an internal network and connects to the external networks.

·           The switch supports using an interface address as the public IP address of an internal server, which is Easy IP.

·           If you specify the internal server to use the IP address of the current interface as its public IP address, other internal servers must not use that IP address as their public IP address.

Related commands: display nat server.

 

 

NOTE:

If pro-type is not TCP (protocol identifier 6) or UDP (protocol identifier 17), you can configure one-to-one NAT between an internal IP address and an external IP address only, but cannot specify port numbers.

 

Examples

# Allow external users to access the internal Web server 10.110.10.10 on the LAN through http://202.110.10.10:8080, and the internal FTP server 10.110.10.11 in MPLS VPN vrf10 through ftp://202.110.10.10/. VLAN-interface 10 is connected to the external network.

<Sysname> system-view

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

[Sysname-Vlan-interface10] quit

[Sysname] ip vpn-instance vrf10

[Sysname-vpn-instance] route-distinguisher 100:001

[Sysname-vpn-instance] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance] quit

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

# Allow external hosts to ping the host with an IP address of 10.110.10.12 in VPN vrf10 by using the command ping 202.110.10.11.

<Sysname> system-view

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

# Allow external hosts to access the Telnet services of internal servers 10.110.10.1 to 10.110.10.100 in MPLS VPN vrf10 through the public address of 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can telnet to 202.110.10.10:1001 to access 10.110.10.1, telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

<Sysname> system-view

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Remove the Web server.

<Sysname> system-view

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Remove the FTP server from VPN vrf10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] undo nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 ftp vpn-instance vrf10
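The port-range form of nat server maps each global port to one internal address. The Python below, an added example rather than the switch's own logic, expands such a command into explicit mappings while enforcing the constraints stated for its arguments (global-port2 greater than global-port1, local-address2 greater than local-address1, equal counts), and checks a set of commands on one interface against the 256-command and 4096-server limits given in the notes. The find_global_port_conflicts helper and the numeric port 23 standing for telnet are additions of this example.

```python
import ipaddress

# Per-interface limits stated in the nat server notes.
MAX_COMMANDS_PER_INTERFACE = 256
MAX_SERVERS_PER_INTERFACE = 4096


def expand_nat_server_range(global_address, global_port1, global_port2,
                            local_address1, local_address2, local_port):
    """Expand a range-form nat server command into explicit
    (global address, global port) -> (local address, local port) mappings.

    Enforces the constraints given for the arguments: global-port2 must be
    greater than global-port1, local-address2 must be greater than
    local-address1, and the two ranges must contain the same number of entries.
    """
    if global_port2 <= global_port1:
        raise ValueError("global-port2 must be greater than global-port1")
    first = ipaddress.IPv4Address(local_address1)
    last = ipaddress.IPv4Address(local_address2)
    if last <= first:
        raise ValueError("local-address2 must be greater than local-address1")
    port_count = global_port2 - global_port1 + 1
    address_count = int(last) - int(first) + 1
    if port_count != address_count:
        raise ValueError(f"{port_count} ports but {address_count} addresses")
    # Port global-port1 + k is served by local-address1 + k.
    return {
        (global_address, global_port1 + offset): (str(first + offset), local_port)
        for offset in range(port_count)
    }


def interface_capacity_check(commands):
    """Check the expanded mappings of all nat server commands on one interface
    against the per-interface limits. Returns (within_limits, server_count)."""
    servers = sum(len(mapping) for mapping in commands)
    within = (len(commands) <= MAX_COMMANDS_PER_INTERFACE
              and servers <= MAX_SERVERS_PER_INTERFACE)
    return within, servers


def find_global_port_conflicts(commands):
    """Return (global address, port) pairs claimed by more than one command:
    two internal servers cannot share one public address and port."""
    seen, conflicts = set(), set()
    for mapping in commands:
        for key in mapping:
            if key in seen:
                conflicts.add(key)
            seen.add(key)
    return sorted(conflicts)
```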

nat static

Syntax

nat static local-ip [ vpn-instance local-name ] global-ip

undo nat static local-ip [ vpn-instance local-name ] global-ip

View

System view

Default level

2: System level

Parameters

local-ip: Internal IP address.

vpn-instance local-name: Name of the VPN to which the internal IP address belongs. local-name specifies the MPLS L3VPN, a case-sensitive character string of 1 to 31 characters.

global-ip: External IP address.

Description

Use the nat static command to configure a one-to-one static NAT mapping.

Use the undo nat static command to remove a one-to-one static NAT mapping.

If no VPN is specified, the internal IP address is a common private network address.

Related commands: display nat static.

Examples

# In system view, configure static NAT mapping between internal IP address 192.168.1.1 and external IP address 2.2.2.2.

<Sysname> system-view

[Sysname] nat static 192.168.1.1 2.2.2.2

nat static net-to-net

Syntax

nat static net-to-net local-start-address local-end-address global global-network { netmask-length | netmask }

undo nat static net-to-net local-start-address local-end-address global global-network { netmask-length | netmask }

View

System view

Default level

2: System level

Parameters

local-start-address local-end-address: Private network address range, which contains at most 255 IP addresses.

local-network: Private network address.

global-network: Public network address.

netmask-length: Length of the network mask.

netmask: Network mask.

Description

Use the nat static net-to-net command to configure a net-to-net static NAT mapping.

Use the undo nat static net-to-net command to remove a net-to-net static NAT mapping.

Note the following:

The IP addresses of the private network must be on the same network segment according to the mask length of the public network address.

Related commands: display nat static.

Examples

# Configure a bidirectional static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static net-to-net 192.168.1.0 2.2.2.0 24
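As an added example (not the switch's implementation), this Python validates a nat static net-to-net configuration against the constraints stated above (at most 255 private addresses, all in one network segment under the public network's mask, given as a prefix length or in dotted form) and builds the private-to-public address table. It assumes that only the network part of each address is replaced and the host part is preserved, which is the usual meaning of a net-to-net mapping.

```python
import ipaddress


def _prefix_length(mask):
    """Accept the mask as a prefix length (24) or in dotted form ("255.255.255.0")."""
    if isinstance(mask, int):
        return mask
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def build_net_to_net_mapping(local_start, local_end, global_network, mask):
    """Validate a 'nat static net-to-net' configuration and return the
    private -> public address table it defines.

    Constraints checked, as stated for the command: at most 255 private
    addresses, all of them in one network segment according to the public
    network's mask. The host part of each address is preserved and only the
    network part is replaced (an assumption of this model).
    """
    start = ipaddress.IPv4Address(local_start)
    end = ipaddress.IPv4Address(local_end)
    if end < start:
        raise ValueError("local-end-address precedes local-start-address")
    if int(end) - int(start) + 1 > 255:
        raise ValueError("private range may contain at most 255 addresses")
    prefix_len = _prefix_length(mask)
    host_mask = (1 << (32 - prefix_len)) - 1
    net_mask = 0xFFFFFFFF ^ host_mask
    if (int(start) & net_mask) != (int(end) & net_mask):
        raise ValueError("private range spans more than one network segment")
    public_base = int(ipaddress.IPv4Address(global_network)) & net_mask
    return {
        str(ipaddress.IPv4Address(private)):
            str(ipaddress.IPv4Address(public_base | (private & host_mask)))
        for private in range(int(start), int(end) + 1)
    }
```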

reset nat session

Syntax

Standalone mode:

reset nat session slot slot-number

IRF mode:

reset nat session chassis chassis-number slot slot-number

View

User view

Default level

2: System level

Parameters

slot slot-number: Clears the address translation table on the card. The argument slot-number specifies a card by its slot number. Use this argument when your switch is operating in standalone (the default) mode (only supported on the main control board).

chassis chassis-number slot slot-number: Clears the address translation table on the specified card of the specified member device. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode (only supported on the main control board).

Description

Use the reset nat session command to clear the address translation table and release the memory dynamically assigned for storing the table.

Examples

# Clear the address translation table of the card in slot 0.

<Sysname> reset nat session slot 0

reset userlog nat export

Syntax

Standalone mode:

reset userlog nat export slot slot-number

IRF mode:

reset userlog nat export chassis chassis-number slot slot-number

View

User view

Default level

2: System level

Parameters

slot slot-number: Clears NAT log statistics on the specified card. The argument slot-number specifies a card by its slot number. Use this argument when your switch is operating in standalone (the default) mode.

chassis chassis-number slot slot-number: Clears NAT log statistics on the specified card of the specified member device. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

Description

Use the reset userlog nat export command to clear NAT log statistics.

Once the NAT log function is enabled, the system collects NAT log statistics periodically.

Related commands: display userlog export.

Examples

# Clear the NAT log information of the card in slot 0.

<Sysname> reset userlog nat export slot 0

reset userlog nat logbuffer

Syntax

Standalone mode:

reset userlog nat logbuffer slot slot-number

IRF mode:

reset userlog nat logbuffer chassis chassis-number slot slot-number

View

User view

Default level

2: System level

Parameters

slot slot-number: Specifies a card by its slot number. Use this argument when your switch is operating in standalone mode (only supported on the main control board).

chassis chassis-number slot slot-number: Specifies a card on an IRF member switch. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

Description

Use the reset userlog nat logbuffer command to clear the NAT log buffer.

NOTE:

Clear the NAT log buffer only when necessary.

Examples

# Clear the NAT log buffer of the card in slot 0.

<Sysname> reset userlog nat logbuffer slot 0

userlog nat export host

Syntax

Standalone mode:

userlog nat export slot slot-number host { ipv4-address | ipv6 ipv6-address } udp-port

undo userlog nat export slot slot-number host { ipv4-address | ipv6 ipv6-address }

IRF mode:

userlog nat export chassis chassis-number slot slot-number host { ipv4-address | ipv6 ipv6-address } udp-port

undo userlog nat export chassis chassis-number slot slot-number host { ipv4-address | ipv6 ipv6-address }

View

System view

Default level

2: System level

Parameters

slot slot-number: Specifies a card by its slot number. Use this option when your switch is operating in standalone mode (only supported on the main control board).

chassis chassis-number slot slot-number: Specifies a card on an IRF member switch. The chassis-number argument represents the ID of the IRF member switch, and the slot-number argument represents the number of the slot that holds the card. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

ipv4-address: IPv4 address of the NAT log server. It must be a valid unicast IPv4 address and cannot be a loopback address.

ipv6 ipv6-address: IPv6 address of the NAT log server. It must be a valid unicast IPv6 address.

udp-port: UDP port number of the NAT log server, in the range of 0 to 65535.

Description

Use the userlog nat export host command to specify the IP address and UDP port number of the NAT log server that receives NAT logs.

Use the undo userlog nat export host command to restore the default.

By default, no NAT log server IP address or UDP port number is configured.

In standalone mode, each interface card can be configured with a separate NAT log server for load sharing. The packets exported from these interface cards are numbered independently.

In IRF mode, each interface card of a member switch can be configured with a separate NAT log server for load sharing. The packets exported from these interface cards are numbered independently (sequence numbers in the packet headers).

Note the following:

· You must specify the NAT log server to successfully export NAT logs in UDP packets.

· H3C recommends using a UDP port number greater than 1024 to avoid conflicting with common UDP port numbers.

· Each interface card can be configured with a separate NAT log server for load sharing. The packets exported from these interface cards are numbered independently (sequence numbers in the packet headers). If you do not specify the slot slot-number combination, this command applies to all interface cards with no NAT log server IP address or UDP port number configured.

Related commands: userlog nat export source-ip.

Examples

# Export the NAT logs of interface card 0 to NAT log server with IP address 169.254.1.1 and port number 2000.

<Sysname> system-view

[Sysname] userlog nat export slot 0 host 169.254.1.1 2000
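The following Python helper is an added example, not part of the H3C reference or firmware: it builds the userlog nat export host command for standalone or IRF mode and enforces the parameter constraints stated above (unicast, non-loopback IPv4; unicast IPv6; udp-port 0 to 65535) before the line reaches a switch. The function names are assumptions made for this illustration.

```python
import ipaddress
from typing import Optional

# Assumed helper names; the rules encoded here come from the parameter
# descriptions of "userlog nat export host" in this reference.
RECOMMENDED_MIN_PORT = 1025  # H3C recommends a port number greater than 1024

_IPV4_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def _host_fragment(host: str) -> str:
    """Return "ipv4-address" or "ipv6 ipv6-address" as the CLI expects,
    raising ValueError when the address violates the documented rules."""
    addr = ipaddress.ip_address(host)  # ValueError on malformed input
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{host} is not a unicast address")
    if addr.version == 4:
        if addr.is_loopback:
            raise ValueError(f"{host} is a loopback address")
        if addr == _IPV4_BROADCAST:
            raise ValueError(f"{host} is the broadcast address")
        return str(addr)
    return f"ipv6 {addr}"


def host_is_valid(host: str) -> bool:
    """True if the NAT log server address is acceptable for this command."""
    try:
        _host_fragment(host)
        return True
    except ValueError:
        return False


def port_is_recommended(udp_port: int) -> bool:
    """True if udp-port follows the H3C recommendation (greater than 1024)."""
    return udp_port >= RECOMMENDED_MIN_PORT


def nat_log_export_host_cmd(slot: int, host: str, udp_port: int,
                            chassis: Optional[int] = None) -> str:
    """Build the system-view command line; chassis=None means standalone mode."""
    if not 0 <= udp_port <= 65535:
        raise ValueError(f"udp-port {udp_port} is outside 0-65535")
    location = f"slot {slot}" if chassis is None else f"chassis {chassis} slot {slot}"
    return f"userlog nat export {location} host {_host_fragment(host)} {udp_port}"
```

Use port_is_recommended to flag, rather than reject, a server port at or below 1024, since the reference treats that as a recommendation and not a hard limit.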

userlog nat export source-ip

Syntax

userlog nat export source-ip ip-address

undo userlog nat export source-ip

View

System view

Default level

2: System level

Parameters

ip-address: Source IP address for the UDP packets.

Description

Use the userlog nat export source-ip command to configure the source IP address for the UDP packets that carry NAT logs.

Use the undo userlog nat export source-ip command to restore the default.

By default, the source IP address of the UDP packets that carry NAT logs is the IP address of the interface that sends the UDP packets.

Related commands: userlog nat export host.

Examples

# Use 169.254.1.2 as the source IP address of the UDP packets that carry NAT logs.

<Sysname> system-view

[Sysname] userlog nat export source-ip 169.254.1.2

userlog nat export version

Syntax

userlog nat export version version-number

undo userlog nat export version

View

System view

Default level

2: System level

Parameters

version-number: Version number for the NAT log packets. The system supports only version 1.

Description

Use the userlog nat export version command to set the version number of the NAT log packets.

Use the undo userlog nat export version command to restore the default.

By default, the version number of NAT log packets is 1.

Examples

# Set the version number of NAT log packets to 1.

<Sysname> system-view

[Sysname] userlog nat export version 1

userlog nat syslog

Syntax

userlog nat syslog

undo userlog nat syslog

View

System view

Default level

2: System level

Parameters

None

Description

Use the userlog nat syslog command to configure the switch to export NAT logs to the information center.

Use the undo userlog nat syslog command to restore the default.

By default, NAT logs are exported to the NAT log server.

NAT logs may consume a large volume of memory. H3C does not recommend exporting large amounts of NAT logs to the information center.

Examples

# Export NAT logs to the information center.

<Sysname> system-view

[Sysname] userlog nat syslog
