05-NAT Command Reference

AFT commands

Non-default vSystems do not support some of the AFT commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

address

Use address to add an address range to an AFT address group.

Use undo address to remove an address range from an AFT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

AFT address group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

An AFT address group is a set of address ranges. Dynamic AFT translates an IPv6 address to an IPv4 address in one of the address ranges.

Each address range can contain a maximum of 256 addresses.

Make sure the address ranges do not overlap.
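A configuration check for the three rules above (end address not lower than start, at most 256 addresses per range, no overlapping ranges), written as an added example that is not part of the H3C documentation; it parses the address lines of one AFT address group as they appear in the running configuration, using a constructed sample:

```python
import ipaddress
import re
from typing import List, Tuple

MAX_RANGE_SIZE = 256  # upper bound on addresses per range, from the usage guidelines

# Matches an address line as it appears inside an AFT address group in the configuration.
ADDRESS_LINE = re.compile(r"^\s*address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")

# Constructed sample: one AFT address group view with three deliberately bad ranges
# (an overlap, a 257-address range, and a reversed range).
SAMPLE_GROUP = """
aft address-group 2
 address 10.1.1.1 10.1.1.15
 address 10.1.1.20 10.1.1.30
 address 10.1.1.25 10.1.1.40
 address 10.1.2.0 10.1.3.0
 address 10.1.4.9 10.1.4.5
"""


def parse_address_lines(text: str) -> List[Tuple[int, int]]:
    """Extract (start, end) pairs, as integers, from the address lines of one group view."""
    ranges = []
    for line in text.splitlines():
        m = ADDRESS_LINE.match(line)
        if m:
            ranges.append((int(ipaddress.IPv4Address(m.group(1))),
                           int(ipaddress.IPv4Address(m.group(2)))))
    return ranges


def _fmt(start: int, end: int) -> str:
    return f"{ipaddress.IPv4Address(start)}-{ipaddress.IPv4Address(end)}"


def validate_ranges(ranges: List[Tuple[int, int]]) -> List[str]:
    """Return one message per violated rule; an empty list means the group is consistent."""
    problems = []
    for start, end in ranges:
        if end < start:
            problems.append(f"{_fmt(start, end)}: end address is lower than start address")
        elif end - start + 1 > MAX_RANGE_SIZE:
            problems.append(f"{_fmt(start, end)}: {end - start + 1} addresses "
                            f"exceeds the maximum of {MAX_RANGE_SIZE}")
    # Overlap check on the well-formed ranges, sorted by start address: any range whose
    # start is not past the previous range's end overlaps it.
    ordered = sorted(r for r in ranges if r[1] >= r[0])
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            problems.append(f"{_fmt(s1, e1)} overlaps {_fmt(s2, e2)}")
    return problems


if __name__ == "__main__":
    for problem in validate_ranges(parse_address_lines(SAMPLE_GROUP)):
        print(problem)
```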

Examples

# Add two address ranges to AFT address group 2.

<Sysname> system-view

[Sysname] aft address-group 2

[Sysname-aft-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-aft-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

aft address-group

aft address-group

Use aft address-group to create an AFT address group and enter its view, or enter the view of an existing AFT address group.

Use undo aft address-group to delete an AFT address group.

Syntax

aft address-group group-id

undo aft address-group group-id

Default

No AFT address groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

group-id: Assigns an ID to the address group. The value range for this argument is 0 to 65535.

Usage guidelines

An AFT address group is a set of address ranges. Use the address command to add an address range.

The AFT address group is used in dynamic AFT. Dynamic AFT translates the source address of an IPv6 packet to an IPv4 address in the address group.

Examples

# Create AFT address group 1 and enter its view.

<Sysname> system-view

[Sysname] aft address-group 1

[Sysname-aft-address-group-1]

Related commands

address

aft v6tov4 source

display aft address-group

display aft configuration

aft alg

Use aft alg to enable AFT ALG for the specified or all supported protocols.

Use undo aft alg to disable AFT ALG for the specified or all supported protocols.

Syntax

aft alg { all | dns | ftp | h323 | http | icmp-error | rtsp | sip }

undo aft alg { all | dns | ftp | h323 | http | icmp-error | rtsp | sip }

Default

AFT ALG is enabled for DNS, FTP, H.323, HTTP, ICMP error messages, RTSP, and SIP.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

all: Enables AFT ALG for all supported protocols.

dns: Enables AFT ALG for DNS.

ftp: Enables AFT ALG for FTP.

h323: Enables AFT ALG for H.323.

http: Enables AFT ALG for HTTP.

icmp-error: Enables AFT ALG for ICMP error packets.

rtsp: Enables AFT ALG for RTSP.

sip: Enables AFT ALG for SIP.

Usage guidelines

Non-default vSystems do not support this command.

AFT ALG translates address or port information in the application layer payloads.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires AFT ALG to translate the address and port information.

You can execute this command multiple times to enable AFT ALG for different protocols.

Examples

# Enable AFT ALG for FTP.

<Sysname> system-view

[Sysname] aft alg ftp

Related commands

display aft configuration

aft enable

Use aft enable to enable AFT on an interface.

Use undo aft enable to disable AFT on an interface.

Syntax

aft enable

undo aft enable

Default

AFT is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

You must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.

Examples

# Enable AFT on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] aft enable

Related commands

display aft configuration

aft flow-redirect disable

Use aft flow-redirect disable to disable AFT from generating OpenFlow entries.

Use undo aft flow-redirect disable to enable AFT to generate OpenFlow entries.

Syntax

aft flow-redirect { all | dynamic | prefix | static | v6server } disable

undo aft flow-redirect { all | dynamic | prefix | static | v6server } disable

Default

AFT does not generate OpenFlow entries based on prefix translation, but generates OpenFlow entries based on dynamic AFT, static AFT, and the AFT mappings for IPv6 internal servers.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Specifies dynamic AFT, prefix translation, static AFT, and AFT mappings for IPv6 internal servers.

dynamic: Specifies dynamic AFT.

prefix: Specifies prefix translation.

static: Specifies static AFT.

v6server: Specifies AFT mappings for IPv6 internal servers.

Usage guidelines

If you enable AFT to generate OpenFlow entries, the system will generate OpenFlow entries based on existing and new AFT configuration.

If you disable OpenFlow entry generation based on AFT, the system will not generate OpenFlow entries based on AFT configuration and will delete the existing AFT-based OpenFlow entries. The deletion of OpenFlow entries might cause traffic interruption.

If IPv6-to-IPv4 source address dynamic translation policy is configured, disable OpenFlow entry generation based on prefix translation and static AFT as a best practice. Otherwise, the translation policy might not take effect.

Examples

# Disable static AFT from generating OpenFlow entries.

<Sysname> system-view

[Sysname] aft flow-redirect static disable

aft log enable

Use aft log enable to enable AFT logging.

Use undo aft log enable to disable AFT logging.

Syntax

aft log enable

undo aft log enable

Default

AFT logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

For security auditing, you can enable AFT logging to record AFT session information. An AFT session is a session whose source and destination IP addresses are translated by AFT.

AFT can log the following events:

·     An AFT port block is created.

·     An AFT port block is deleted.

·     An AFT session is established.

To log AFT session establishment events, you must also execute the aft log flow-begin command.

·     An AFT session is removed.

To log AFT session removal events, you must also execute the aft log flow-end command.

The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable AFT logging.

<Sysname> system-view

[Sysname] aft log enable

Related commands

aft log flow-begin

aft log flow-end

display aft configuration

aft log flow-begin

Use aft log flow-begin to enable AFT session establishment logging.

Use undo aft log flow-begin to disable AFT session establishment logging.

Syntax

aft log flow-begin

undo aft log flow-begin

Default

AFT session establishment logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session establishment event.

AFT session establishment logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session establishment logging.

<Sysname> system-view

[Sysname] aft log flow-begin

Related commands

aft log enable

aft log flow-end

display aft configuration

aft log flow-end

Use aft log flow-end to enable AFT session removal logging.

Use undo aft log flow-end to disable AFT session removal logging.

Syntax

aft log flow-end

undo aft log flow-end

Default

AFT session removal logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session removal event.

AFT session removal logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session removal logging.

<Sysname> system-view

[Sysname] aft log flow-end

Related commands

aft log enable

aft log flow-begin

display aft configuration

aft log port-block

Use aft log port-block to enable AFT port block logging.

Use undo aft log port-block to disable AFT port block logging.

Syntax

aft log port-block { alarm | assign | withdraw }

undo aft log port-block { alarm | assign | withdraw }

Default

AFT port block logging is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

alarm: Enables logging for port exhaustion in an AFT port block.

assign: Enables logging for AFT port block assignment.

withdraw: Enables logging for AFT port block withdrawal.

Usage guidelines

After you configure this command, AFT generates logs when an AFT port block is assigned or withdrawn, or when an AFT port block has assigned all of its ports.

AFT port block logging takes effect only after you execute the aft log enable command to enable AFT logging.

Examples

# Enable AFT port block logging.

<Sysname> system-view

[Sysname] aft log port-block assign

Related commands

aft log enable

aft port-block synchronization enable

Use aft port-block synchronization enable to enable dynamic AFT port block mapping synchronization.

Use undo aft port-block synchronization enable to disable dynamic AFT port block mapping synchronization.

Syntax

aft port-block synchronization enable

undo aft port-block synchronization enable

Default

Dynamic AFT port block mapping synchronization is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Dynamic AFT port block mapping synchronization enables the master and the backup to synchronize dynamic port block mappings, which ensures smooth switchover without service interruption.

In an HA group network, dynamic AFT port block mapping synchronization takes effect after you enable service entry hot backup by using the hot-backup enable command.

In an IRF network, dynamic AFT port block mapping synchronization takes effect after you enable session synchronization for stateful failover by using the session synchronization enable command.

Examples

# Enable dynamic AFT port block mapping synchronization.

<Sysname> system-view

[Sysname] aft port-block synchronization enable

Related commands

aft v6tov4 source

hot-backup enable (High Availability Command Reference)

session synchronization enable (Security Command Reference)

aft port-block-group

Use aft port-block-group to create an AFT port block group and enter its view, or enter the view of an existing AFT port block group.

Use undo aft port-block-group to delete an AFT port block group.

Syntax

aft port-block-group block-group-id

undo aft port-block-group block-group-id

Default

No AFT port block groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

block-group-id: Assigns an ID to the AFT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

Non-default vSystems do not support this command.

An AFT port block group can be used in a port block group-based IPv6-to-IPv4 source address static translation policy for IPv6-to-IPv4 source address translation.

An AFT port block group contains the following settings:

·     Address ranges:

¡     IPv4 address ranges used for IPv6-to-IPv4 source address translation, specified by using the ip-address command.

¡     IPv6 prefix ranges used to match the IPv6 addresses to be translated, specified by using the ipv6-prefix command.

·     Port range specified by using the port-range command. The port range will be divided into port blocks of the specified port block size. Each port block is paired with an IPv4 address to match an IPv6 prefix for IPv6-to-IPv4 source address translation.

·     Port block size specified by using the block-size command.

Examples

# Create AFT port block group 1 and enter its view.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1]

Related commands

aft v6tov4 source

block-size

display aft configuration

ip-address

ipv6-prefix

port-range

aft port-load-balance enable

Use aft port-load-balance enable to enable AFT port halving.

Use undo aft port-load-balance enable to disable AFT port halving.

Syntax

In standalone mode:

aft port-load-balance enable slot slot-number

undo aft port-load-balance enable

In IRF mode:

aft port-load-balance enable chassis chassis-number

undo aft port-load-balance enable

The following compatibility matrix shows the support of hardware platforms for this command:

Hardware platform                      | Module type                               | Command compatibility
---------------------------------------|-------------------------------------------|----------------------
M9006, M9010, M9014                    | Blade 4 firewall module                   | No
                                       | Blade 5 firewall module                   | No
                                       | NAT module                                | No
M9010-GM                               | Encryption module                         | No
M9016-V                                | Blade 5 firewall module                   | No
M9008-S, M9012-S                       | Blade 4 firewall module                   | Yes
                                       | Intrusion prevention service (IPS) module | Yes
                                       | Video network gateway module              | Yes
M9008-S-6GW                            | IPv6 module                               | Yes
M9008-S-V                              | Blade 4 firewall module                   | Yes
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade 5 firewall module                   | No
M9000-X06, M9000-X10                   | Blade 6 firewall module                   | No

Default

AFT port halving is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

slot slot-number: Specifies a card by its slot number. This device will use the lower half of the port block. (In standalone mode.)

chassis chassis-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. This device will use the lower half of the port block. (In IRF mode.)

Usage guidelines

Non-default vSystems do not support this command.

AFT supports IRF hot backup in active/standby and dual-active mode. The AFT configuration for IRF hot backup depends on the deployment mode.

·     In dual-active mode, if the two IRF member devices in an IRF fabric use the same AFT address group, the devices might map different IPv6 addresses and ports to the same IPv4 address and port. To avoid this situation, enable AFT port halving on the devices. After you enable AFT port halving, each port block will be equally divided between the two devices. The two devices will use different ports to translate packets from different IP addresses, avoiding port assignment conflicts.

·     In active/standby mode, you do not need to enable AFT port halving on the IRF member devices.

This command is exclusive with the aft remote-backup port-alloc command.

Examples

# Enable AFT port halving.

<Sysname> system-view

[Sysname] aft port-load-balance enable slot 1

Related commands

aft remote-backup port-alloc

aft prefix-general

Use aft prefix-general to configure a general prefix.

Use undo aft prefix-general to delete a general prefix.

Syntax

aft prefix-general prefix-general prefix-length

undo aft prefix-general prefix-general prefix-length

Default

No general prefixes exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

prefix-general: Specifies the general prefix.

prefix-length: Specifies the prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

Non-default vSystems do not support this command.

A general prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A general prefix can be used for source and destination address translation between IPv4 and IPv6.

When a general prefix is used alone, it provides IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.

When a general prefix is used in the aft v4tov6 source or aft v4tov6 destination command, it provides IPv4-to-IPv6 source or destination address translation. If a source or destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the general prefix and the IPv4 address.

A general prefix cannot be on the same subnet as any interface on the device.

A general prefix must be different from a NAT64 prefix or an IVI prefix.

Examples

# Specify 2000:db8e:: as a general prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-general 2000:db8e:: 32

Related commands

aft v4tov6 destination

aft v4tov6 source

display aft configuration

aft prefix-ivi

Use aft prefix-ivi to configure an IVI prefix.

Use undo aft prefix-ivi to delete an IVI prefix.

Syntax

aft prefix-ivi prefix-ivi

undo aft prefix-ivi prefix-ivi

Default

No IVI prefixes exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

prefix-ivi: Specifies an IVI prefix.

Usage guidelines

Non-default vSystems do not support this command.

An IVI prefix is an IPv6 address prefix whose length is fixed at 32 bits. An IVI prefix can be used for IPv6-to-IPv4 source address translation and IPv4-to-IPv6 destination address translation.

When an IVI prefix is used alone, it provides IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.

When an IVI prefix is used in the aft v4tov6 destination command, it provides IPv4-to-IPv6 destination address translation. If a destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the IVI prefix and the IPv4 address.

An IVI prefix must be different from a NAT64 prefix or a general prefix.

Examples

# Specify 3000:db8e:: as an IVI prefix.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

Related commands

aft v4tov6 destination

display aft configuration

aft prefix-nat64

Use aft prefix-nat64 to configure a NAT64 prefix.

Use undo aft prefix-nat64 to delete a NAT64 prefix.

Syntax

aft prefix-nat64 prefix-nat64 prefix-length

undo aft prefix-nat64 prefix-nat64 prefix-length

Default

No NAT64 prefixes exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

prefix-nat64: Specifies a NAT64 prefix.

prefix-length: Specifies the NAT64 prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

A NAT64 prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A NAT64 prefix can be used for IPv4-to-IPv6 source address translation and IPv6-to-IPv4 destination address translation.

When a NAT64 prefix is used alone, it provides IPv6-to-IPv4 destination address translation. If a destination IPv6 address matches the NAT64 prefix, AFT translates it to the embedded IPv4 address.

When a NAT64 prefix is used alone or in the aft v4tov6 source command, it also provides IPv4-to-IPv6 source address translation. AFT constructs the IPv6 address by using the NAT64 prefix and the source IPv4 address. If the NAT64 prefix is used in the aft v4tov6 source command, AFT only translates packets permitted by the ACL.

A NAT64 prefix cannot be on the same subnet as any of the interfaces on the device.

A NAT64 prefix must be different from an IVI prefix or a general prefix.
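The address construction that the general prefix and NAT64 prefix sections describe, written out as an added example rather than code from this page or from H3C. It assumes the RFC 6052 layout (IPv4 bits follow the prefix, the octet at bits 64-71 is zero, remaining IPv4 bits continue at bit 72) for the lengths 32, 40, 48, 56, 64 and 96 that both commands accept, and adds the two configuration rules from the usage guidelines; the fixed 32-bit IVI format is not modelled.

```python
import ipaddress
from typing import List, Optional

# Prefix lengths accepted by aft prefix-nat64 and aft prefix-general.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _check_length(prefix_length: int) -> None:
    if prefix_length not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"prefix length {prefix_length} is not one of {ALLOWED_PREFIX_LENGTHS}")


def embed_ipv4(prefix: str, prefix_length: int, ipv4: str) -> str:
    """Return the IPv6 address built from an AFT prefix and an IPv4 address.

    Assumed RFC 6052 layout: the IPv4 bits follow the prefix, the "u" octet at
    bits 64-71 is always zero, IPv4 bits that do not fit before bit 64 continue
    at bit 72, and everything after the embedded address is zero.
    """
    _check_length(prefix_length)
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_length}", strict=False)
    v6 = int(net.network_address)      # prefix bits only, host part cleared
    v4 = int(ipaddress.IPv4Address(ipv4))
    if prefix_length == 96:
        v6 |= v4                       # whole IPv4 address sits in bits 96-127
    else:
        before_u = 64 - prefix_length  # IPv4 bits that fit between the prefix and bit 64
        after_u = 32 - before_u        # IPv4 bits that land at bit 72 onwards
        high = v4 >> after_u
        low = v4 & ((1 << after_u) - 1)
        v6 |= high << 64               # field ends at bit 64: shift by 128 - 64
        v6 |= low << (24 + before_u)   # field ends at bit 72 + after_u: shift by 128 - that
    return str(ipaddress.IPv6Address(v6))


def extract_ipv4(prefix: str, prefix_length: int, ipv6: str) -> Optional[str]:
    """Inverse of embed_ipv4: the embedded IPv4 address, or None when ipv6 does not match."""
    _check_length(prefix_length)
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_length}", strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None                    # AFT only translates addresses that match the prefix
    v6 = int(addr)
    if prefix_length == 96:
        return str(ipaddress.IPv4Address(v6 & 0xFFFFFFFF))
    before_u = 64 - prefix_length
    after_u = 32 - before_u
    high = (v6 >> 64) & ((1 << before_u) - 1)
    low = (v6 >> (24 + before_u)) & ((1 << after_u) - 1)
    return str(ipaddress.IPv4Address((high << after_u) | low))


def prefix_conflicts(prefix: str, prefix_length: int,
                     interface_prefixes: List[str], other_aft_prefixes: List[str]) -> List[str]:
    """Apply the two rules from the usage guidelines: the prefix must not be on the same
    subnet as any interface (interpreted here as any overlap with an interface prefix),
    and it must differ from the other configured AFT prefixes (NAT64, IVI, general)."""
    _check_length(prefix_length)
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_length}", strict=False)
    problems = []
    for iface in interface_prefixes:
        if net.overlaps(ipaddress.IPv6Network(iface, strict=False)):
            problems.append(f"{net} overlaps interface subnet {iface}")
    for other in other_aft_prefixes:
        if net == ipaddress.IPv6Network(other, strict=False):
            problems.append(f"{net} duplicates AFT prefix {other}")
    return problems


if __name__ == "__main__":
    # The page's own example prefix with the IPv4 server address used elsewhere in it.
    print(embed_ipv4("2000:db8e::", 32, "2.2.2.123"))
```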

Examples

# Specify 2000:db8e:: as a NAT64 prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:db8e:: 32

Related commands

aft v4tov6 source

display aft configuration

aft remote-backup port-alloc

Use aft remote-backup port-alloc to specify AFT port ranges for the two devices in the HA group.

Use undo aft remote-backup port-alloc to restore the default.

Syntax

aft remote-backup port-alloc { primary | secondary }

undo aft remote-backup port-alloc

Default

The two devices in the HA group share AFT port resources.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

primary: Specifies the lower half of the port block.

secondary: Specifies the higher half of the port block.

Usage guidelines

In the HA group in dual-active mode, different IP+port combinations on the two devices might be translated to the same AFT IP+port resources due to the following reasons:

·     The two devices in the HA group share AFT addresses.

·     The same AFT port range is assigned to each device.

To avoid this situation, execute this command on the primary device to divide the port resources equally between the two devices. Executing the command on the primary device also causes the remaining half of the port block to be assigned automatically to the secondary device. For example, if you execute the aft remote-backup port-alloc secondary command on the primary device, the aft remote-backup port-alloc primary command is automatically executed on the secondary device. For more information about configuring the HA group, see High Availability Configuration Guide.

You do not need to execute this command for the HA group in active/standby mode. No port conflict exists in active/standby mode because only one device processes AFT services.

This command is exclusive with the aft port-load-balance enable command.

Examples

# Specify the primary device in the HA group to use the lower half of the port block.

<Sysname> system-view

[Sysname] aft remote-backup port-alloc primary

Related commands

aft port-load-balance enable

aft turn-off tos

Use aft turn-off tos to set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

Use undo aft turn-off tos to restore the default.

Syntax

aft turn-off tos

undo aft turn-off tos

Default

The ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

<Sysname> system-view

[Sysname] aft turn-off tos

aft turn-off traffic-class

Use aft turn-off traffic-class to set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

Use undo aft turn-off traffic-class to restore the default.

Syntax

aft turn-off traffic-class

undo aft turn-off traffic-class

Default

The Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

<Sysname> system-view

[Sysname] aft turn-off traffic-class

aft v4server

Use aft v4server to configure an AFT mapping for an IPv4 internal server.

Use undo aft v4server to delete an AFT mapping for an IPv4 internal server.

Syntax

aft v4server protocol protocol-type ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ] ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] [ vrrp virtual-router-id ]

undo aft v4server protocol { tcp | udp } ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]

Default

No AFT mapping for an IPv4 internal server is configured.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.

ipv6-destination-address: Specifies an IPv6 address.

ipv6-port-number: Specifies an IPv6 port number in the range of 1 to 65535.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

ipv4-destination-address: Specifies an IPv4 address.

ipv4-port-number: Specifies an IPv4 port number in the range of 1 to 65535.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

vrrp virtual-router-id: Binds the IPv4 server to a VRRP group on the IPv6 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.

Usage guidelines

Non-default vSystems do not support this command.

This command maps the IPv4 address and port number of an IPv4 server to an IPv6 address and port number. IPv6 hosts can use the IPv6 address and port number to access the services provided by the IPv4 server.

In an HA hot backup network, execute this command on the primary device to bind an AFT IPv4 server to an HA-associated VRRP group on the IPv6 network. Otherwise, ARP might fail to resolve an IPv4-mapped IPv6 address into a correct MAC address.

An IPv4 server can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the IPv4 server.

The AFT mappings for different IPv4 internal servers cannot be the same.

Examples

# Map IPv4 address 2.2.2.123 and port number 1720 of an IPv4 internal server to IPv6 address 3001::5 and port number 1720 for TCP packets.

<Sysname> system-view

[Sysname] aft v4server protocol tcp 3001::5 1720 2.2.2.123 1720

aft v4tov6 destination

Use aft v4tov6 destination to configure an IPv4-to-IPv6 destination address translation policy.

Use undo aft v4tov6 destination to delete an IPv4-to-IPv6 destination address translation policy.

Syntax

aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 destination acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 destination address translation policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

acl: Identifies IPv4 packets for address translation. AFT translates destination addresses for IPv4 packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate destination addresses for packets permitted by the ACL.

prefix-ivi prefix-ivi: Specifies an IVI prefix. AFT uses the IVI prefix to translate destination addresses for packets permitted by the ACL.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which translated IPv6 addresses belong. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 addresses belong to the public network, do not specify this option.

Usage guidelines

Non-default vSystems do not support this command.

You must specify different ACLs for different IPv4-to-IPv6 destination address translation policies.

You can specify a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Configure the device to use IVI prefix 3000:db8e:: to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

[Sysname] aft v4tov6 destination acl number 2000 prefix-ivi 3000:db8e::

# Configure the device to use general prefix 2000:db8e::/32 to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 destination acl number 2000 prefix-general 2000:db8e:: 32

Related commands

aft prefix-general

aft prefix-ivi

display aft configuration

aft v4tov6 source

Use aft v4tov6 source to configure an IPv4-to-IPv6 source address translation policy.

Use undo aft v4tov6 source to delete an IPv4-to-IPv6 source address translation policy.

Syntax

IPv4-to-IPv6 source address static mapping:

aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ] [ vrrp virtual-router-id ]

undo aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

IPv4-to-IPv6 source address translation policy using a NAT64 prefix or general prefix:

aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 source acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

ipv6-address: Specifies an IPv6 address. The IPv6 address in a static mapping cannot be on the same subnet as any interface on the device.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

acl: Identifies IPv4 packets for address translation. AFT translates source addresses for packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate source IPv4 addresses for packets permitted by the ACL.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the NAT64 prefix to translate source IPv4 addresses for packets permitted by the ACL.

vrrp virtual-router-id: Binds the IPv4-to-IPv6 source address translation policy to a VRRP group on the IPv6 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.

Usage guidelines

Non-default vSystems do not support this command.

In an HA hot backup network, execute this command on the primary device to bind an IPv4-to-IPv6 source address translation policy to an HA-associated VRRP group on the IPv6 network. If not, ARP might fail to resolve an IPv4-mapped IPv6 address into a correct MAC address.

An IPv4-to-IPv6 source address translation policy can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the policy.

The IPv4 or IPv6 addresses in different static mappings cannot be the same.

You must specify different ACLs for IPv4-to-IPv6 source address translation policies that use NAT64 prefixes or general prefixes.

You can specify a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Map IPv4 source address 2.2.2.123 to IPv6 source address 3001::5.

<Sysname> system-view

[Sysname] aft v4tov6 source 2.2.2.123 3001::5

# Configure the device to use NAT64 prefix 2000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:: 32

[Sysname] aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32

# Configure the device to use general prefix 3000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 source acl number 2000 prefix-general 3000:: 32

Related commands

aft prefix-general

aft prefix-nat64

display aft configuration

aft v6server

Use aft v6server to configure an AFT mapping for an IPv6 internal server.

Use undo aft v6server to delete an AFT mapping for an IPv6 internal server.

Syntax

aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ] [ vrrp virtual-router-id ]

undo aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ]

Default

An IPv6 internal server does not have an AFT mapping.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.

ipv4-destination-address: Specifies an IPv4 address.

ipv4-port-number: Specifies an IPv4 port number in the range of 1 to 65535.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

ipv6-destination-address: Specifies an IPv6 address.

ipv6-port-number: Specifies an IPv6 port number in the range of 1 to 65535.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

vrrp virtual-router-id: Binds the IPv6 server to a VRRP group on the IPv4 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.

Usage guidelines

Non-default vSystems do not support this command.

This command maps the IPv6 address and port number of an IPv6 server to an IPv4 address and port number.

In an HA hot backup network, execute this command on the primary device to bind an AFT IPv6 server to an HA-associated VRRP group on the IPv4 network. If not, ARP might fail to resolve an IPv6-mapped IPv4 address into a correct MAC address.

An IPv6 server can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the IPv6 server.

The AFT mappings for different IPv6 internal servers cannot be the same.

Examples

# Map IPv6 address 3001::5 and port number 1720 of an IPv6 internal server to IPv4 address 2.2.2.123 and port number 1720 for TCP packets.

<Sysname> system-view

[Sysname] aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720

Related commands

display aft configuration

aft v6tov4 source

Use aft v6tov4 source to configure an IPv6-to-IPv4 source address translation policy.

Use undo aft v6tov4 source to delete an IPv6-to-IPv4 source address translation policy.

Syntax

IPv6-to-IPv4 source address static mapping:

aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ vrrp virtual-router-id ]

undo aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

IPv6-to-IPv4 source address translation policy:

aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize  [ extended-block-number extended-block-number ] [ port-range start-port-number end-port-number ]] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]

undo aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] }

Default

No IPv6-to-IPv4 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

ipv6-address: Specifies an IPv6 address.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

vrrp virtual-router-id: Binds the IPv6-to-IPv4 source address translation policy to a VRRP group on the IPv4 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.

acl ipv6: Identifies IPv6 packets for address translation. AFT translates source addresses for IPv6 packets permitted by the ACL.

name ipv6-acl-name: Specifies an IPv6 ACL by its name. The ipv6-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be the word all.

number ipv6-acl-number: Specifies an IPv6 ACL by its number in the range of 2000 to 3999.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The prefix-length argument represents a prefix length, which can be 32, 40, 48, 56, 64, or 96. AFT translates source IPv6 addresses for packets whose destination IPv6 addresses match the NAT64 prefix.

address-group group-id: Specifies an AFT address group by its ID in the range of 0 to 65535.

no-pat: Specifies the NO-PAT mode. If you do not specify the keyword, AFT uses the PAT mode.

port-block-size blocksize: Specifies the port block size in the range of 100 to 64512. If you do not specify the option, the port range will not be divided.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When an IPv6 address accesses the IPv4 network and all ports in its assigned port block are occupied, AFT assigns the IPv6 address additional port blocks one at a time. An IPv6 address can be assigned a maximum of extended-block-number extended port blocks.

port-range start-port-number end-port-number: Specifies the start port number and end port number of a port range for the IPv4 address. The value range for the start-port-number argument is 1024 to 65535, and the default value is 1024. The value range for the end-port-number argument is 1024 to 65535, and the default value is 65535. The end port number cannot be smaller than the start port number.

interface interface-type interface-number: Specifies an interface by its type and number. AFT translates source IPv6 addresses to the primary IPv4 address of the specified interface.

Usage guidelines

If you set a port block size, the port range (1024 to 65535) will be divided into port blocks by the port block size. For example, if you set the port block size to 1000, the port range is divided into port blocks 1024 to 2023, 2024 to 3023, and so on. The port blocks are used for PAT.

The IPv4 or IPv6 addresses in different static mappings cannot be the same.

You must specify different ACLs, NAT64 prefixes, and AFT address groups for different IPv6-to-IPv4 source address translation policies.

You can specify a nonexistent NAT64 prefix in a policy, but the policy takes effect only after you configure the prefix.

In an HA hot backup network, execute this command on the primary device to bind an IPv6-to-IPv4 source address translation policy to an HA-associated VRRP group on the IPv4 network. If not, ARP might fail to resolve an IPv6-mapped IPv4 address into a correct MAC address.

An IPv6-to-IPv4 source address translation policy can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the policy.

Examples

# Map source IPv6 address 3001::5 to source IPv4 address 2.2.2.123.

<Sysname> system-view

[Sysname] aft v6tov4 source 3001::5 2.2.2.123

# Configure the device to use AFT address group 0 to translate source addresses for IPv6 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100

Related commands

display aft configuration

display aft port-block

aft v6tov4 source port-block-group

Use aft v6tov4 source port-block-group to configure a port block group-based IPv6-to-IPv4 source address static translation policy.

Use undo aft v6tov4 source port-block-group to delete a port block group-based IPv6-to-IPv4 source address static translation policy.

Syntax

aft v6tov4 source port-block-group group-id

undo aft v6tov4 source port-block-group group-id

Default

No port block group-based IPv6-to-IPv4 source address static translation policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

group-id: Specifies a port block group by its ID for the policy. The value range for this argument is 0 to 65535.

Usage guidelines

Non-default vSystems do not support this command.

After a policy is created, the device algorithmically maps each IPv6 prefix to a unique IPv4 address and port block pair according to the policy's port block group configuration. If not enough unique IPv4 address and port block pairs are available, excessive IPv6 prefixes will be ignored and IPv6 addresses matching those IPv6 prefixes cannot be translated.

The total number of IPv6 prefixes that can be mapped equals the total number of unique IPv4 address and port block pairs in the policy, which is calculated as follows:

Total number of IPv6 prefixes that can be mapped = N × M, where:

·     N is the total number of port blocks in the port block group, which is the result of dividing the port range by the port block size.

·     M is the total number of IPv4 addresses in the policy available for IPv6-to-IPv4 source address translation.

For example, assume that a policy contains two IPv4 addresses (X1 and Y1) and n port blocks. The device takes the first n IPv6 prefixes in the port block group and maps them to IPv4 address X1 paired in turn with port blocks 1 through n, and then maps the next n prefixes to IPv4 address Y1 in the same way. The created static port block mappings are as follows:

·     IPv6 prefix x1<-->IPv4 address X1 + Port block 1

·     IPv6 prefix x2<-->IPv4 address X1 + Port block 2

·     ...

·     IPv6 prefix xn<-->IPv4 address X1 + Port block n

·     IPv6 prefix y1<-->IPv4 address Y1 + Port block 1

·     IPv6 prefix y2<-->IPv4 address Y1 + Port block 2

·     ...

·     IPv6 prefix yn<-->IPv4 address Y1 + Port block n

For an IPv6-initiated session packet, AFT first identifies the matching static port block mapping entry based on the IPv6 prefix that the packet's source IPv6 address matches. Then, AFT translates the source IPv6 address of the packet into the IPv4 address and a TCP or UDP port number in the port block of the matching entry.
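The following Python model of the static port block mapping described above (and of the port range division under aft v6tov4 source) is an added example, not H3C code. It reproduces the N × M capacity rule and the address-major pairing order from the guidelines, flags IPv6 prefixes that exceed the available pairs, and resolves a source IPv6 address to its IPv4 address and port block. How the device counts prefixes in an ipv6-prefix range and whether it discards a trailing partial port block are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortBlock:
    start: int  # first port in the block
    end: int    # last port in the block (inclusive)


@dataclass(frozen=True)
class StaticMapping:
    ipv6_prefix: ipaddress.IPv6Network
    ipv4_address: ipaddress.IPv4Address
    block: PortBlock


def split_port_range(start_port: int, end_port: int, block_size: int) -> List[PortBlock]:
    """Divide [start_port, end_port] into consecutive blocks of block_size ports.

    Assumption: a trailing remainder smaller than block_size forms no block.
    The range must hold at least one full block (the block-size guideline).
    """
    if not (1 <= start_port <= end_port <= 65535):
        raise ValueError("port range must satisfy 1 <= start <= end <= 65535")
    if block_size < 1 or end_port - start_port + 1 < block_size:
        raise ValueError("port range must hold at least one port block")
    blocks = []
    p = start_port
    while p + block_size - 1 <= end_port:
        blocks.append(PortBlock(p, p + block_size - 1))
        p += block_size
    return blocks


def ipv6_prefixes(first: str, last: str, prefix_length: int) -> List[ipaddress.IPv6Network]:
    """Enumerate the /prefix_length prefixes from the one containing `first`
    to the one containing `last` (assumed reading of the ipv6-prefix command)."""
    lo = ipaddress.IPv6Network((first, prefix_length), strict=False)
    hi = ipaddress.IPv6Network((last, prefix_length), strict=False)
    if hi.network_address < lo.network_address:
        raise ValueError("last prefix is lower than first prefix")
    step = 1 << (128 - prefix_length)
    prefixes = []
    n = lo.network_address
    while n <= hi.network_address:
        prefixes.append(ipaddress.IPv6Network((int(n), prefix_length)))
        n += step
    return prefixes


def build_static_mappings(ipv4_start: str, ipv4_end: str,
                          v6_first: str, v6_last: str, prefix_length: int,
                          block_size: int, port_start: int, port_end: int
                          ) -> Tuple[List[StaticMapping], List[ipaddress.IPv6Network]]:
    """Pair each IPv6 prefix with a unique (IPv4 address, port block) pair.

    Pairs are generated address-major: X1+block1, X1+block2, ..., X1+blockN,
    then Y1+block1, ... as in the usage guidelines. Capacity is N * M; prefixes
    beyond that are returned separately as ignored (they cannot be translated).
    """
    addrs = [ipaddress.IPv4Address(i)
             for i in range(int(ipaddress.IPv4Address(ipv4_start)),
                            int(ipaddress.IPv4Address(ipv4_end)) + 1)]
    blocks = split_port_range(port_start, port_end, block_size)   # N blocks
    prefixes = ipv6_prefixes(v6_first, v6_last, prefix_length)
    pairs = [(a, b) for a in addrs for b in blocks]                # M * N pairs
    mapped = [StaticMapping(p, a, b) for p, (a, b) in zip(prefixes, pairs)]
    ignored = prefixes[len(pairs):]
    return mapped, ignored


def translate_source(mappings: List[StaticMapping], src_ipv6: str
                     ) -> Optional[Tuple[ipaddress.IPv4Address, PortBlock]]:
    """Find the mapping whose prefix covers the packet's source IPv6 address.
    Returns None when no static entry exists, i.e. the address is untranslatable."""
    addr = ipaddress.IPv6Address(src_ipv6)
    for m in mappings:
        if addr in m.ipv6_prefix:
            return m.ipv4_address, m.block
    return None


if __name__ == "__main__":
    # Values from the port block group example on this page.
    mapped, ignored = build_static_mappings("10.1.1.1", "10.1.1.15",
                                            "100::100", "100::a00", 120,
                                            1024, 1024, 65535)
    print(f"{len(mapped)} prefixes mapped, {len(ignored)} ignored")
    for m in mapped[:3]:
        print(m.ipv6_prefix, "->", m.ipv4_address, f"[{m.block.start}-{m.block.end}]")
    print(translate_source(mapped, "100::a05"))
```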

Examples

# Create AFT port block group 1. In the port block group, specify the IPv4 address range, IPv6 prefix range and prefix length, port block size, and port block range.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1] address 10.1.1.1 10.1.1.15

[Sysname-aft-port-block-group-1] ipv6-prefix 100::100 100::a00 120

[Sysname-aft-port-block-group-1] block-size 1024

[Sysname-aft-port-block-group-1] port-range 1024 65535

[Sysname-aft-port-block-group-1] quit

# Create an IPv6-to-IPv4 source address static translation policy based on port block group 1.

[Sysname] aft v6tov4 source port-block-group 1

Related commands

aft port-block-group

aft v6tov4 source

display aft configuration

block-size

Use block-size to set the port block size for a port block group.

Use undo block-size to restore the default.

Syntax

block-size block-size-value

undo block-size

Default

The default port block size is 256.

Views

AFT port block group view

Predefined user roles

network-admin

context-admin

Parameters

block-size-value: Specifies the number of ports per port block, in the range of 1 to 65535.

Usage guidelines

Non-default vSystems do not support this command.

The port range in a port block group will be divided into port blocks of the specified port block size. AFT pairs each port block in the port range in turn with each IPv4 address and creates one-to-one mappings between the IPv4 address-port block pairs and IPv6 prefixes. Set an appropriate port block size for the port block group to meet the AFT translation requirements.

The number of ports in a port range cannot be smaller than the port block size.

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1] block-size 1024

Related commands

aft v6tov4 source

display aft configuration

port-range

display aft address-group

Use display aft address-group to display AFT address group information.

Syntax

display aft address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

group-id: Specifies an AFT address group ID in the range of 0 to 65535. If you do not specify this argument, the command displays information about all AFT address groups.

Examples

# Display information about all AFT address groups.

<Sysname> display aft address-group

There are 3 AFT address groups.

Group ID   VRID   Start address         End address

1                 202.110.10.10         202.110.10.15

2                 202.110.10.20         202.110.10.25

                  202.110.10.30         202.110.10.35

6                 ---                   ---

# Display information about AFT address group 1.

<Sysname> display aft address-group 1

Group ID   VRID   Start address         End address

1                 202.110.10.10         202.110.10.15

Table 1 Command output

Field

Description

There are n AFT address groups

Total number of existing AFT address groups.

Group ID

Address group ID.

VRID

Virtual router ID of a VRRP group. If no VRRP group is specified, this field displays three hyphens (---).

Start address

Start IP address of an address range. If you do not specify the start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify the end address, this field displays three hyphens (---).


display aft address-mapping

Use display aft address-mapping to display AFT mappings.

Syntax

In standalone mode:

display aft address-mapping [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display aft address-mapping [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT mappings for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT mappings for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display AFT mappings.

<Sysname> display aft address-mapping

Slot 1:

IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024

      Destination IP/port: 5000::1717:1714/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

IPv4: Source IP/port: 1.1.1.1/1031

      Destination IP/port: 23.23.23.20/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

 

Total address mappings found: 1

Table 2 Command output

Field

Description

IPv4

IPv4 address information.

IPv6

IPv6 address information.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

VPN instance/VLAN ID/Inline ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     Inline ID—Inline to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite.


display aft configuration

Use display aft configuration to display AFT configuration.

Syntax

display aft configuration

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Usage guidelines

Except for the AFT ALG configuration, this command displays only the AFT settings that you have explicitly configured.

Examples

# Display AFT configuration.

<Sysname> display aft configuration

aft address-group 1

VRID: 1

 address 202.110.10.10 202.110.10.15

 address 101.1.1.100 101.1.1.200

 

aft remote-backup port-alloc primary

 

aft port-block-group 1

  ip-address 20.1.1.20 20.1.1.30

  ipv6-prefix 100::100 100::110 128

  block-size 100

  port-range 1024 2000

 

aft prefix-ivi 3000:DB8E::

 

aft prefix-general 2000:DB8E:: 32

 

aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100 extended-block-number 5 port-range 1024 65535

 

aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32

 

aft v4tov6 destination acl number 2000 prefix-ivi 3000:DB8E::

 

aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720

 

aft v4server protocol tcp 3001::5 1800 2.2.2.123 1800

 

aft turn-off tos

 

aft turn-off traffic-class

 

aft log enable

 

aft log flow-begin

 

aft log flow-end

 

aft log port-block assign

 

aft log port-block withdraw

 

aft log port-block alarm

 

 

interface GigabitEthernet1/0/1

 aft enable

 

aft flow-redirect dynamic disable

 

AFT ALG:

  DNS        : Enabled

  FTP        : Enabled

  HTTP       : Enabled

  ICMP-ERROR : Enabled

  RTSP       : Enabled

  SIP        : Enabled

  H323       : Enabled

Table 3 Command output

Field

Description

aft address-group XX

AFT address group ID.

VRID

Virtual router ID (VRRP group number).

address

Address ranges in the AFT address group.

aft port-load-balance enable slot XX

AFT port halving is enabled.

In standalone mode:

XX is in slot slot-number format and represents the slot number of a card.

In IRF mode:

XX is in chassis chassis-number slot slot-number format and represents the member ID of an IRF member device and the slot number of a card on it.

aft remote-backup port-alloc XX

The XX indicates the AFT port ranges used by the primary and secondary devices in the HA group.

·     primary—The primary device uses the lower half of the port block, and the secondary device uses the higher half of the port block.

·     secondary—The primary device uses the higher half of the port block, and the secondary device uses the lower half of the port block.

aft port-block-group XX

AFT port block group identified by ID XX. An AFT port block group contains the following settings:

·     ip-address—IPv4 address ranges used for IPv6-to-IPv4 source address translation.

·     ipv6-prefix—IPv6 prefix ranges for IPv6-to-IPv4 source address translation.

·     block-size—Port block size of the port block group.

·     port-range—Port range of the port block group.

aft prefix-nat64 X:X::X:X

NAT64 prefix address.

aft prefix-ivi X:X::X:X

IVI prefix.

aft prefix-general X:X::X:X

General prefix.

aft v6tov4 source XX

IPv6-to-IPv4 source address translation policy. For more information, see the aft v6tov4 source command.

aft v4tov6 source XX

IPv4-to-IPv6 source address translation policy. For more information, see the aft v4tov6 source command.

aft v4tov6 destination XX

IPv4-to-IPv6 destination address translation policy. For more information, see the aft v4tov6 destination command.

aft v6server

AFT mapping for an IPv6 internal server.

aft v4server

AFT mapping for an IPv4 internal server.

aft turn-off tos

Value of the ToS field in IPv4 packets translated from IPv6 packets.

aft turn-off traffic-class

Value of the Traffic Class field in IPv6 packets translated from IPv4 packets.

aft log enable

AFT logging is enabled.

aft log flow-begin

AFT session establishment logging is enabled.

aft log flow-end

AFT session removal logging is enabled.

aft log port-block assign

AFT port block assignment logging is enabled.

aft log port-block withdraw

AFT port block withdrawal logging is enabled.

aft log port-block alarm

AFT port block exhaustion logging is enabled.

interface XXX

AFT-enabled interface.

aft enable

AFT is enabled.

aft flow-redirect XX disable

OpenFlow entry generation based on AFT is disabled.

For information about XX, see aft flow-redirect disable.

AFT ALG

AFT ALG status:

·     Enabled.

·     Disabled.

undo aft port-block synchronization enable

Dynamic AFT port block mapping synchronization is disabled.

display aft no-pat

Use display aft no-pat to display AFT NO-PAT entries.

Syntax

In standalone mode:

display aft no-pat [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display aft no-pat [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

An AFT NO-PAT entry records a mapping between an IPv4 address and an IPv6 address without ports.

Examples

# (In standalone mode.) Display AFT NO-PAT entries.

<Sysname> display aft no-pat

Slot 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 4 Command output

Field

Description

IPv6 address

Original IPv6 address.

IPv4 address

Translated IPv4 address.

IPv4 VPN

VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed.

IPv6 VPN

VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed.

Total entries found

Total number of AFT NO-PAT entries.


display aft port-block

Use display aft port-block to display AFT port block mappings.

Syntax

In standalone mode:

display aft port-block { dynamic | static } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display aft port-block { dynamic | static } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

dynamic: Specifies dynamic port block mappings.

static: Specifies static port block mappings.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT port block mappings for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT port block mappings for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display dynamic AFT port block mappings on the specified slot.

<Sysname> display aft port-block dynamic slot 1

Slot 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

Port-block mapping state: Normal

 

Total entries found: 2

# (In standalone mode.) Display static AFT port block mappings on slot 1.

<Sysname> display aft port-block static slot 1

Slot 1:

IPv6 Prefix:  3006::/16

IPv4 Address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 Prefix: 4016::/16

IPv4 Address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 5 Command output

Field

Description

IPv6 address

IPv6 address to be translated. This field is available only in dynamic port block mappings.

IPv6 Prefix

IPv6 prefix to match the IPv6 addresses to be translated. This field is available only in static port block mappings.

IPv4 Address

Translated IPv4 address.

Port block

Port range for the translated IPv4 address.

IPv4 VPN

VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed.

IPv6 VPN

VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed.

Port-block mapping state

State of a dynamic port block. Options are:

·     Normal—Dual-device hot backup has not backed up the dynamic port block or the device works in standalone mode.

·     Backed up—Dual-device hot backup has backed up the dynamic port block.

·     Restored—Dual-device hot backup has restored the dynamic port block from the backup.

Total entries found

Total number of AFT port block mapping entries.


display aft session

Use display aft session to display AFT sessions.

Syntax

In standalone mode:

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

ipv4: Displays IPv4 AFT sessions.

source-ip source-ip-address: Specifies the source IPv4 address of the packets that initiate AFT sessions.

destination-ip destination-ip-address: Specifies the destination IPv4 address of the packets that initiate AFT sessions.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.

ipv6: Displays IPv6 AFT sessions.

source-ip source-ipv6-address: Specifies the source IPv6 address of the packets that initiate AFT sessions.

destination-ip destination-ipv6-address: Specifies the destination IPv6 address of the packets that initiate AFT sessions.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT sessions for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about AFT sessions. If you do not specify this keyword, this command displays brief information about AFT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all AFT sessions.

Examples

# (In standalone mode.) Display detailed information about AFT sessions for the specified slot.

<Sysname> display aft session ipv4 slot 1 verbose

Slot 1:

Initiator:

  Source IP/port: 192.168.1.18/1877

  Destination IP/port: 102.128.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

Responder:

  Source IP/port: 102.128.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

App: SSH   State: TCP_SYN_SENT

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 6 Command output

Field

Description

Initiator

Session information about the initiator.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

VPN instance/VLAN ID/Inline ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     Inline ID—Inline to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

Responder

Session information about the responder.

App

Application layer protocol, such as FTP and DNS.

This field displays unknown for protocols that are identified by non-well-known ports and are not user-defined.

State

AFT session state.

Start time

Time when the session starts.

TTL

Remaining lifetime of the session, in seconds.

Initiator->Responder

Number of packets and bytes from the initiator to the responder.

Responder->Initiator

Number of packets and bytes from the responder to the initiator.

Total sessions found

Total number of AFT sessions.
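The verbose output above is what an analyst pulls from the device during an investigation. The following parser is an added example, not H3C code: it turns that output into records and flags half-open TCP sessions (TCP_SYN_SENT with no responder packets), which is what a SYN scan or a filtered destination looks like from the translator. SAMPLE is constructed from the page's own example output; the field names in the regular expressions are taken from that output.

```python
"""Parse the verbose output of display aft session into records and flag
half-open TCP sessions.  Added example, not H3C code; SAMPLE is constructed
from the output shown in the page."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = """\
Slot 1:
Initiator:
  Source IP/port: 192.168.1.18/1877
  Destination IP/port: 102.128.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source IP/port: 102.128.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
App: SSH   State: TCP_SYN_SENT
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Total sessions found: 1
"""


@dataclass
class Half:
    src: str
    sport: int
    dst: str
    dport: int
    vpn: str      # VPN instance column; '-' for the public network
    proto: str    # as printed, e.g. 'TCP(6)'
    iface: str


@dataclass
class Session:
    initiator: Half
    responder: Half
    app: str
    state: str
    ttl: int                # remaining lifetime, seconds
    i2r: Tuple[int, int]    # (packets, bytes) initiator -> responder
    r2i: Tuple[int, int]    # (packets, bytes) responder -> initiator


def _field(pattern: str, text: str) -> str:
    m = re.search(pattern, text, re.M)
    if m is None:
        raise ValueError("field not found: " + pattern)
    return m.group(1)


def _addr_port(s: str) -> Tuple[str, int]:
    addr, port = s.rsplit("/", 1)    # IPv6 literals contain no '/'
    return addr, int(port)


def _counters(label: str, text: str) -> Tuple[int, int]:
    m = re.search(r"^%s:\s+(\d+) packets\s+(\d+) bytes" % re.escape(label),
                  text, re.M)
    if m is None:
        raise ValueError("counters not found: " + label)
    return int(m.group(1)), int(m.group(2))


def parse_half(text: str) -> Half:
    src, sport = _addr_port(_field(r"^\s*Source IP/port: (\S+)", text))
    dst, dport = _addr_port(_field(r"^\s*Destination IP/port: (\S+)", text))
    vpn = _field(r"^\s*VPN instance/VLAN ID/Inline ID: ([^/\s]+)/", text)
    proto = _field(r"^\s*Protocol: (\S+)", text)
    iface = _field(r"^\s*Inbound interface: (\S+)", text)
    return Half(src, sport, dst, dport, vpn, proto, iface)


def parse_sessions(text: str) -> List[Session]:
    """Each session begins at an 'Initiator:' line; 'Responder:' splits the
    two halves, and the summary lines follow the responder half."""
    sessions = []
    for chunk in re.split(r"^Initiator:\s*$", text, flags=re.M)[1:]:
        init_txt, _, rest = chunk.partition("Responder:")
        sessions.append(Session(
            initiator=parse_half(init_txt),
            responder=parse_half(rest),
            app=_field(r"^App: (\S+)", rest),
            state=_field(r"^App: \S+\s+State: (\S+)", rest),
            ttl=int(_field(r"TTL: (\d+)s", rest)),
            i2r=_counters("Initiator->Responder", rest),
            r2i=_counters("Responder->Initiator", rest)))
    return sessions


def total_reported(text: str) -> int:
    return int(_field(r"^Total sessions found: (\d+)", text))


def half_open(sessions: List[Session]) -> List[Session]:
    """SYN forwarded through the translator and nothing back: a SYN scan,
    or a destination that is filtered or down."""
    return [s for s in sessions
            if s.state == "TCP_SYN_SENT" and s.r2i[0] == 0]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    assert len(found) == total_reported(SAMPLE)
    for s in half_open(found):
        print("half-open %s:%d -> %s:%d app=%s ttl=%ds"
              % (s.initiator.src, s.initiator.sport,
                 s.initiator.dst, s.initiator.dport, s.app, s.ttl))
```

Feed it the captured output of display aft session ipv4 verbose (or ipv6 verbose, which uses the same field layout) and compare the parsed count with the Total sessions found line to catch a truncated capture; a large number of half-open sessions from one initiator address is the signal worth alerting on.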

 

Related commands

reset aft session

display aft statistics

Use display aft statistics to display AFT statistics.

Syntax

In standalone mode:

display aft statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display aft statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command displays all AFT statistics.

Examples

# Display all AFT statistics.

<Sysname> display aft statistics

Total NO-PAT entries found: 0

Total port-block entries found: 0

Total IPv4 sessions: 0

Total IPv6 sessions: 0

Dropped packets: 3006

  Configuration sequence changed: 0

  Failed to transfer payload: 0

  Failed to transfer packet header: 0

  Packet examination failed before packet sending: 0

  Failed to translate destination address: 0

  The translated destination address is invalid: 0

  Failed to translate source address: 0

  Failed to transfer FSBUF to MBUF: 0

  Session ext-info is null: 0

  Peer session is null: 0

  Failed to get translation information from session: 0

  Failed to create session: 0

  Failed to fragment the MBUF: 0

  Failed to create fast forwarding table: 0

  Failed to formalize session: 0

  Other reasons: 0

Table 7 Command output

Field

Description

Total NO-PAT entries found

Total number of AFT NO-PAT entries.

Total port-block entries found

Total number of AFT port block mappings.

Total IPv4 sessions

Total number of AFT IPv4 sessions.

Total IPv6 sessions

Total number of AFT IPv6 sessions.

Dropped packets

Number of packets dropped by AFT.

Configuration sequence changed

Number of packets dropped due to configuration sequence changes.

Failed to transfer payload

Number of packets dropped due to ALG failures.

Failed to transfer packet header

Number of packets dropped due to packet header transformation failures.

Packet examination failed before packet sending

Number of packets dropped due to packet examination failures before packet sending.

Failed to translate destination address

Number of packets dropped due to destination address translation failures.

The translated destination address is invalid

Number of packets dropped due to the invalidity of the translated destination address.

Failed to translate source address

Number of packets dropped due to source address translation failures.

Failed to transfer FSBUF to MBUF

Number of packets dropped due to FSBUF-to-MBUF transformation failures.

Session ext-info is null

Number of packets dropped due to session extended information acquisition failures.

Peer session is null

Number of packets dropped due to peer session lookup failures.

Failed to get translation information from session

Number of packets dropped due to translation information acquisition failures from sessions.

Failed to create session

Number of packets dropped due to session creation failures.

Failed to fragment the MBUF

Number of packets dropped due to fragmentation failures.

Failed to create fast forwarding table

Number of packets dropped due to fast forwarding table creation failures.

Failed to formalize session

Number of packets dropped due to session formalization failures.

Other reasons

Number of packets dropped due to other reasons.
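The drop counters above are cumulative, and reset aft statistics zeroes only the dropped-packet counters, so the useful signal is the change between two snapshots rather than the absolute values. The script below is an added example, not H3C code: it parses two snapshots of display aft statistics, handles a counter that was reset in between, and ranks the drop reasons that grew. BEFORE is the page's sample output trimmed to a few reason lines; AFTER is a constructed later snapshot.

```python
"""Diff two snapshots of display aft statistics and rank the drop reasons
that grew.  Added example, not H3C code.  BEFORE is the page's sample output
trimmed to a few reason lines; AFTER is a constructed later snapshot."""
import re
from typing import Dict, List, Tuple

BEFORE = """\
Total NO-PAT entries found: 0
Total port-block entries found: 0
Total IPv4 sessions: 0
Total IPv6 sessions: 0
Dropped packets: 3006
  Configuration sequence changed: 0
  Failed to translate source address: 0
  Failed to create session: 0
  Failed to create fast forwarding table: 0
  Other reasons: 0
"""

AFTER = """\
Total NO-PAT entries found: 12
Total port-block entries found: 0
Total IPv4 sessions: 4100
Total IPv6 sessions: 4100
Dropped packets: 9206
  Configuration sequence changed: 0
  Failed to translate source address: 1400
  Failed to create session: 4800
  Failed to create fast forwarding table: 0
  Other reasons: 0
"""

LINE = re.compile(r"^(\s*)(.+?): (\d+)\s*$")


def parse_stats(text: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (totals, drop reasons); the reasons are the indented lines."""
    totals, reasons = {}, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        indent, name, value = m.groups()
        (reasons if indent else totals)[name] = int(value)
    return totals, reasons


def counter_delta(before: int, after: int) -> int:
    """A counter that went down was cleared by reset aft statistics in
    between; count everything accumulated since the reset."""
    return after if after < before else after - before


def dropped_delta(before_text: str, after_text: str) -> int:
    tb, _ = parse_stats(before_text)
    ta, _ = parse_stats(after_text)
    return counter_delta(tb["Dropped packets"], ta["Dropped packets"])


def drop_deltas(before_text: str, after_text: str) -> List[Tuple[str, int]]:
    """Drop reasons whose counter grew, largest increase first."""
    _, rb = parse_stats(before_text)
    _, ra = parse_stats(after_text)
    grown = [(name, counter_delta(rb.get(name, 0), v)) for name, v in ra.items()]
    return sorted((g for g in grown if g[1] > 0), key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    print("dropped since last snapshot:", dropped_delta(BEFORE, AFTER))
    for name, n in drop_deltas(BEFORE, AFTER):
        print("%6d  %s" % (n, name))
```

A growing "Failed to create session" count while the session totals are high points at session-table exhaustion, whether from legitimate load or from a client flooding the translator; a growing "Failed to translate source address" count usually means the address group or port block group is too small for the number of IPv6 clients.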

 

Related commands

reset aft statistics

ip-address

Use ip-address to add an IPv4 address range to an AFT port block group.

Use undo ip-address to remove an IPv4 address range from an AFT port block group.

Syntax

ip-address start-address end-address [ vpn-instance vpn-name ]

undo ip-address start-address end-address [ vpn-instance vpn-name ]

Default

An AFT port block group does not contain IPv4 address ranges.

Views

AFT port block group view

Predefined user roles

network-admin

context-admin

Parameters

start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.

vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address range belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. If the address range belongs to the public network, do not specify this option.

Usage guidelines

Non-default vSystems do not support this command.

For IPv6-initiated session packets, a port block group-based IPv6-to-IPv4 source address translation policy translates the packets' source IPv6 addresses into IPv4 addresses in the address range of the port block group.

You can execute this command multiple times to add multiple IPv4 address ranges to a port block group. When you add address ranges to an AFT port block group, follow these guidelines:

·     Each address range can contain a maximum of 256 addresses.

·     The address ranges within the same port block group cannot overlap.

·     Different port block groups can use overlapping address ranges, but the port ranges of those groups must not overlap.

Examples

# Add an IPv4 address range (10.1.1.1 to 10.1.1.15) to AFT port block group 1.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1] ip-address 10.1.1.1 10.1.1.15

Related commands

aft v6tov4 source

display aft configuration

ipv6-prefix

Use ipv6-prefix to add an IPv6 prefix range to an AFT port block group.

Use undo ipv6-prefix to remove an IPv6 prefix range from an AFT port block group.

Syntax

ipv6-prefix ipv6-start-prefix ipv6-end-prefix prefix-length [ vpn-instance vpn-name ]

undo ipv6-prefix ipv6-start-prefix ipv6-end-prefix prefix-length [ vpn-instance vpn-name ]

Default

An AFT port block group does not contain IPv6 prefix ranges.

Views

AFT port block group view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-start-prefix: Specifies the start IPv6 prefix of the IPv6 prefix range.

ipv6-end-prefix: Specifies the end IPv6 prefix of the IPv6 prefix range.

prefix-length: Specifies the prefix length in the range of 1 to 128.

vpn-instance vpn-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 addresses belong. The vpn-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 addresses belong to the public network, do not specify this option.

Usage guidelines

Non-default vSystems do not support this command.

For IPv6-initiated session packets, a port block group-based IPv6-to-IPv4 source address translation policy translates the packets' source IPv6 addresses into IPv4 addresses in the address range of the port block group.

You can execute this command multiple times to add multiple IPv6 prefix ranges to a port block group. After an IPv6-to-IPv4 source address translation policy is created based on the port block group, the device maps each IPv6 prefix to a unique IPv4 address and port block pair according to the port block group configuration. If not enough unique IPv4 address and port block pairs are available, the excess IPv6 prefixes are ignored, and IPv6 addresses matching those prefixes cannot be translated.

The IPv6 prefix ranges within the same AFT port block group must meet the following requirements:

·     IPv6 prefix ranges within the same VPN instance cannot overlap.

·     IPv6 prefix ranges that belong to the public network cannot overlap.

The IPv6 prefix ranges in different AFT port block groups must meet the following requirements:

·     IPv6 prefix ranges in the same VPN instance cannot overlap.

·     IPv6 prefix ranges that belong to the public network can overlap.

Examples

# Add an IPv6 prefix range (240E:00D8:8200:0000::/64 to 240E:00D8:8200:0007::/64) to AFT port block group 1.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1] ipv6-prefix 240E:00D8:8200:0000:: 240E:00D8:8200:0007:: 64

Related commands

aft v6tov4 source

display aft configuration

port-range

Use port-range to specify the port range for an AFT port block group.

Use undo port-range to restore the default port range for an AFT port block group.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

An AFT port block group uses port range 1 to 65535.

Views

AFT port block group view

Predefined user roles

network-admin

context-admin

Parameters

start-port-number end-port-number: Specifies the start and end port numbers for the port range. The end port number cannot be lower than the start port number. As a best practice, set the start port number to 1024 or higher to avoid application protocol identification errors.

Usage guidelines

Non-default vSystems do not support this command.

The port range in a port block group is divided into port blocks of the size set by the block-size command.

The number of ports in a port range cannot be smaller than the port block size.
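The ip-address, ipv6-prefix and port-range commands together decide how many IPv6 prefixes a port block group can actually serve: addresses multiplied by port blocks per address, against the prefixes listed. The following check is an added example, not H3C code. It uses the group built in the examples of these commands (10.1.1.1 to 10.1.1.15, the /64 prefix range 240E:00D8:8200:0000:: to 240E:00D8:8200:0007::, ports 1024 to 65535) and assumes a block size of 1024, which the block-size command sets and this page does not show; it also assumes that a trailing partial block is not used. The PortBlockGroup class and the function names are the example's own.

```python
"""Size an AFT port block group the way the device carves it and compare
the IPv4 address / port block pairs with the IPv6 prefixes to serve.
Added example, not H3C code; block_size=1024 and the unused trailing
partial block are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_ADDRS_PER_RANGE = 256          # limit stated for ip-address


@dataclass
class PortBlockGroup:               # example's own model of the CLI view
    group_id: int
    ip_ranges: List[Tuple[str, str]]              # ip-address start end
    prefix_ranges: List[Tuple[str, str, int]]     # ipv6-prefix start end len
    port_range: Tuple[int, int] = (1, 65535)      # port-range default
    block_size: int = 1024                        # assumed; set by block-size


def _ip_span(start: str, end: str) -> Tuple[int, int]:
    s, e = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if e < s:
        raise ValueError("end address %s is lower than start %s" % (end, start))
    if e - s + 1 > MAX_ADDRS_PER_RANGE:
        raise ValueError("range %s-%s exceeds %d addresses"
                         % (start, end, MAX_ADDRS_PER_RANGE))
    return s, e


def _overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def ip_ranges_overlap(ranges: List[Tuple[str, str]]) -> bool:
    spans = [_ip_span(s, e) for s, e in ranges]
    return any(_overlap(spans[i], spans[j])
               for i in range(len(spans)) for j in range(i + 1, len(spans)))


def prefix_count(start: str, end: str, length: int) -> int:
    """Number of /length prefixes from start to end inclusive."""
    if not 1 <= length <= 128:
        raise ValueError("prefix length must be 1 to 128")
    shift = 128 - length
    s = int(ipaddress.IPv6Address(start)) >> shift
    e = int(ipaddress.IPv6Address(end)) >> shift
    if e < s:
        raise ValueError("end prefix is lower than start prefix")
    return e - s + 1


def blocks_per_address(port_range: Tuple[int, int], block_size: int) -> int:
    lo, hi = port_range
    if hi < lo:
        raise ValueError("end port is lower than start port")
    n_ports = hi - lo + 1
    if n_ports < block_size:
        raise ValueError("port range has fewer ports than the block size")
    return n_ports // block_size      # assumption: partial trailing block unused


def capacity(g: PortBlockGroup) -> dict:
    """Pairs available versus prefixes listed; surplus prefixes are ignored
    by the device and their hosts cannot be translated."""
    if ip_ranges_overlap(g.ip_ranges):
        raise ValueError("address ranges in group %d overlap" % g.group_id)
    addrs = sum(e - s + 1 for s, e in (_ip_span(a, b) for a, b in g.ip_ranges))
    blocks = blocks_per_address(g.port_range, g.block_size)
    prefixes = sum(prefix_count(*p) for p in g.prefix_ranges)
    pairs = addrs * blocks
    return {"addresses": addrs, "blocks_per_address": blocks, "pairs": pairs,
            "prefixes": prefixes, "ignored_prefixes": max(0, prefixes - pairs)}


def groups_conflict(a: PortBlockGroup, b: PortBlockGroup) -> bool:
    """Two groups may share addresses only if their port ranges do not overlap."""
    share_addrs = any(_overlap(_ip_span(*x), _ip_span(*y))
                      for x in a.ip_ranges for y in b.ip_ranges)
    return share_addrs and _overlap(a.port_range, b.port_range)


if __name__ == "__main__":
    group1 = PortBlockGroup(
        1, [("10.1.1.1", "10.1.1.15")],
        [("240E:00D8:8200:0000::", "240E:00D8:8200:0007::", 64)],
        (1024, 65535), 1024)
    print(capacity(group1))
```

Run capacity() on every group before committing the configuration: an ignored_prefixes value above zero means some users silently lose IPv4 reachability, and a smaller block size raises the pair count at the cost of fewer concurrent ports per user.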

Examples

# Specify port range 1024 to 65535 for AFT port block group 1.

<Sysname> system-view

[Sysname] aft port-block-group 1

[Sysname-aft-port-block-group-1] port-range 1024 65535

Related commands

·     aft port-block-group

·     aft v6tov4 source

·     block-size

·     display aft configuration

reset aft session

Use reset aft session to clear AFT sessions.

Syntax

In standalone mode:

reset aft session [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset aft session [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT sessions for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT sessions for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

After you clear AFT sessions, the corresponding AFT NO-PAT entries and port block mappings are also cleared.

Examples

# Clear all AFT sessions.

<Sysname> reset aft session

Related commands

display aft session

reset aft statistics

Use reset aft statistics to clear AFT statistics.

Syntax

In standalone mode:

reset aft statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset aft statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The AFT statistics include the number of dropped packets, the number of NO-PAT entries, and the number of port block entries. This command only resets the counter for dropped packets.

Examples

# Clear all AFT statistics.

<Sysname> reset aft statistics

Related commands

display aft statistics

vrrp vrid

Use vrrp vrid to bind a VRRP group to an AFT address group.

Use undo vrrp vrid to restore the default.

Syntax

vrrp vrid virtual-router-id

undo vrrp vrid

Default

An AFT address group is not bound to any VRRP group.

Views

AFT address group view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255.

Usage guidelines

On an HA network, the virtual IP address of the VRRP group might be on the same subnet as the public IP addresses in the AFT address group. In this case, both HA group members might reply to ARP requests for the MAC addresses of these public IP addresses. As a result, the MAC addresses in ARP replies, and the ARP entries on the Layer 3 devices connected to the HA group, might be incorrect. To avoid this situation, execute this command to force the master device to use the virtual MAC address of the VRRP group in ARP replies. For more information about configuring the HA group, see High Availability Configuration Guide.

For active/standby HA, execute this command on the primary device in the HA group.

For dual-active HA, select one of the following methods for VRRP group binding according to the AFT resource allocation between the two devices in the HA group:

·     If the two devices share the same AFT address group, execute the vrrp vrid command on the primary device. To prevent different master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode and execute the aft remote-backup port-alloc command on the primary device.

·     If the two devices use different AFT address groups, user traffic with different source IPv6 addresses is identified by ACLs in AFT rules. To enable different master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different master devices, bind AFT address groups to different VRRP groups on the primary device.

If you execute the vrrp vrid command multiple times, the most recent configuration takes effect.

Examples

# Bind VRRP group 1 to AFT address group 2.

<Sysname> system-view

[Sysname] aft address-group 2

[Sysname-aft-address-group-2] vrrp vrid 1

Related commands

display aft address-group
