18-NAT Command Reference


AFT commands

address

Use address to add an address range to an AFT address group.

Use undo address to remove an address range from an AFT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

AFT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

An AFT address group is a set of address ranges. Dynamic AFT translates an IPv6 address to an IPv4 address in one of the address ranges.

You can add multiple address ranges to an AFT address group by repeating this command. Make sure the address ranges do not overlap in the AFT address group.

All AFT address groups can contain a maximum of 4096 address ranges in total.

Examples

# Add two address ranges to AFT address group 2.

<Sysname> system-view

[Sysname] aft address-group 2

[Sysname-aft-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-aft-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

aft address-group

aft address-group

Use aft address-group to create an AFT address group and enter its view, or enter the view of an existing AFT address group.

Use undo aft address-group to delete an AFT address group.

Syntax

aft address-group group-id

undo aft address-group group-id

Default

No AFT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the address group. The value range for this argument is 0 to 65535.

Usage guidelines

An AFT address group is a set of address ranges. Use the address command to add an address range.

The AFT address group is used in dynamic AFT. Dynamic AFT translates the source address of an IPv6 packet to an IPv4 address in the address group.

Examples

# Create AFT address group 1 and enter its view.

<Sysname> system-view

[Sysname] aft address-group 1

[Sysname-aft-address-group-1]

Related commands

address

aft v6tov4 source

display aft address-group

display aft configuration

aft alg

Use aft alg to enable AFT ALG for the specified or all supported protocols.

Use undo aft alg to disable AFT ALG for the specified or all supported protocols.

Syntax

aft alg { all | dns | ftp | http | icmp-error }

undo aft alg { all | dns | ftp | http | icmp-error }

Default

AFT ALG is enabled for DNS, FTP, ICMP error messages, and HTTP.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables AFT ALG for all supported protocols.

dns: Enables AFT ALG for DNS.

ftp: Enables AFT ALG for FTP.

http: Enables AFT ALG for HTTP.

icmp-error: Enables AFT ALG for ICMP error packets.

Usage guidelines

AFT ALG translates address or port information in the application layer payload.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires AFT ALG to translate the address and port information.

You can execute this command multiple times to enable AFT ALG for different protocols.

Examples

# Enable AFT ALG for FTP.

<Sysname> system-view

[Sysname] aft alg ftp

Related commands

display aft configuration


aft enable

Use aft enable to enable AFT on an interface.

Use undo aft enable to disable AFT on an interface.

Syntax

aft enable

undo aft enable

Default

AFT is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

You must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.

Examples

# Enable AFT on GigabitEthernet 0/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/0/1

[Sysname-GigabitEthernet0/0/1] aft enable

Related commands

display aft configuration

aft log enable

Use aft log enable to enable AFT logging.

Use undo aft log enable to disable AFT logging.

Syntax

aft log enable

undo aft log enable

Default

AFT logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For security auditing, you can enable AFT logging to record AFT session information. An AFT session is a session whose source and destination IP addresses are translated by AFT.

AFT can log the following events:

·     An AFT port block is assigned.

To log AFT port block assignments, you must also execute the aft log port-block-assign command.

·     An AFT port block is withdrawn.

To log AFT port block withdrawals, you must also execute the aft log port-block-withdraw command.

·     An AFT port allocation fails.

To log AFT port allocation failures, you must also execute the aft log port-alloc-fail command.

·     An AFT session is established.

To log AFT session establishment events, you must also execute the aft log flow-begin command.

·     An AFT session is removed.

To log AFT session removal events, you must also execute the aft log flow-end command.

The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable AFT logging.

<Sysname> system-view

[Sysname] aft log enable

Related commands

aft log flow-begin

aft log flow-end

aft log port-alloc-fail

aft log port-block-assign

aft log port-block-withdraw

display aft configuration

aft log flow-begin

Use aft log flow-begin to enable AFT session establishment logging.

Use undo aft log flow-begin to disable AFT session establishment logging.

Syntax

aft log flow-begin

undo aft log flow-begin

Default

AFT session establishment logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session establishment event.

AFT session establishment logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session establishment logging.

<Sysname> system-view

[Sysname] aft log flow-begin

Related commands

aft log enable

aft log flow-end

display aft configuration

aft log flow-end

Use aft log flow-end to enable AFT session removal logging.

Use undo aft log flow-end to disable AFT session removal logging.

Syntax

aft log flow-end

undo aft log flow-end

Default

AFT session removal logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session removal event.

AFT session removal logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session removal logging.

<Sysname> system-view

[Sysname] aft log flow-end

Related commands

aft log enable

aft log flow-begin

display aft configuration

aft log port-alloc-fail

Use aft log port-alloc-fail to enable AFT port allocation failure logging.

Use undo aft log port-alloc-fail to disable AFT port allocation failure logging.

Syntax

aft log port-alloc-fail

undo aft log port-alloc-fail

Default

AFT port allocation failure logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables AFT to generate logs for dynamic AFT port allocation failures. A port allocation failure occurs when every port in the assigned port block is already occupied.

This command takes effect only after you execute the aft log enable command.

Examples

# Enable AFT port allocation failure logging.

<Sysname> system-view

[Sysname] aft log port-alloc-fail

Related commands

aft log enable

display aft configuration

aft log port-block-assign

Use aft log port-block-assign to enable AFT port block assignment logging.

Use undo aft log port-block-assign to disable AFT port block assignment logging.

Syntax

aft log port-block-assign

undo aft log port-block-assign

Default

AFT port block assignment logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables AFT to generate logs for AFT port block assignments.

This command takes effect only after you execute the aft log enable command.

Examples

# Enable AFT port block assignment logging.

<Sysname> system-view

[Sysname] aft log port-block-assign

Related commands

aft log enable

display aft configuration

aft log port-block-withdraw

Use aft log port-block-withdraw to enable AFT port block withdrawal logging.

Use undo aft log port-block-withdraw to disable AFT port block withdrawal logging.

Syntax

aft log port-block-withdraw

undo aft log port-block-withdraw

Default

AFT port block withdrawal logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables AFT to generate logs for AFT port block withdrawals.

This command takes effect only after you execute the aft log enable command.

Examples

# Enable AFT port block withdrawal logging.

<Sysname> system-view

[Sysname] aft log port-block-withdraw

Related commands

aft log enable

display aft configuration

aft port-block flow-trigger enable

Use aft port-block flow-trigger enable to enable flow-triggered port block assignment.

Use undo aft port-block flow-trigger enable to disable flow-triggered port block assignment.

Syntax

aft port-block flow-trigger enable

undo aft port-block flow-trigger enable

Default

Flow-triggered port block assignment is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For port block-based dynamic AFT, this feature allocates address and port block resources to IPv6 hosts. When an IPv6 host initiates a connection, the device allocates an IPv4 address and a port block for address translation. AFT translates the IPv6 address to the IPv4 address, and source ports to ports in the port block for subsequent connections from the IPv6 host until the ports in the port block are exhausted.

You cannot modify the enabling status of flow-triggered port block assignment if a user is online or AFT translation entries exist.

Examples

# Enable flow-triggered port block assignment.

<Sysname> system-view

[Sysname] aft port-block flow-trigger enable

aft prefix-general

Use aft prefix-general to configure a general prefix.

Use undo aft prefix-general to delete a general prefix.

Syntax

aft prefix-general prefix-general prefix-length

undo aft prefix-general prefix-general prefix-length

Default

No general prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-general: Specifies the general prefix.

prefix-length: Specifies the prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

A general prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A general prefix can be used for source and destination address translation between IPv4 and IPv6.

When a general prefix is used alone, it provides IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.

When a general prefix is used in the aft v4tov6 source or aft v4tov6 destination command, it provides IPv4-to-IPv6 source or destination address translation. If a source or destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the general prefix and the IPv4 address.

A general prefix cannot be on the same subnet as any interface on the device.

A general prefix must be different from a NAT64 prefix or an IVI prefix.

Examples

# Specify 2000:db8e:: as a general prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-general 2000:db8e:: 32

Related commands

aft v4tov6 destination

aft v4tov6 source

display aft configuration

aft prefix-ivi

Use aft prefix-ivi to configure an IVI prefix.

Use undo aft prefix-ivi to delete an IVI prefix.

Syntax

aft prefix-ivi prefix-ivi

undo aft prefix-ivi prefix-ivi

Default

No IVI prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-ivi: Specifies an IVI prefix.

Usage guidelines

An IVI prefix is an IPv6 address prefix whose length is fixed at 32 bits. An IVI prefix can be used for IPv6-to-IPv4 source address translation and IPv4-to-IPv6 destination address translation.

When an IVI prefix is used alone, it provides IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.

When an IVI prefix is used in the aft v4tov6 destination command, it provides IPv4-to-IPv6 destination address translation. If a destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the IVI prefix and the IPv4 address.

An IVI prefix must be different from a NAT64 prefix or a general prefix.

Examples

# Specify 3000:db8e:: as an IVI prefix.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

Related commands

aft v4tov6 destination

display aft configuration

aft prefix-nat64

Use aft prefix-nat64 to configure a NAT64 prefix.

Use undo aft prefix-nat64 to delete a NAT64 prefix.

Syntax

aft prefix-nat64 prefix-nat64 prefix-length

undo aft prefix-nat64 prefix-nat64 prefix-length

Default

No NAT64 prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-nat64: Specifies a NAT64 prefix.

prefix-length: Specifies the NAT64 prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

A NAT64 prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A NAT64 prefix can be used for IPv4-to-IPv6 source address translation and IPv6-to-IPv4 destination address translation.

When a NAT64 prefix is used alone, it provides IPv6-to-IPv4 destination address translation. If a destination IPv6 address matches the NAT64 prefix, AFT translates it to the embedded IPv4 address.

When a NAT64 prefix is used alone or in the aft v4tov6 source command, it also provides IPv4-to-IPv6 source address translation. AFT constructs the IPv6 address by using the NAT64 prefix and the source IPv4 address. If the NAT64 prefix is used in the aft v4tov6 source command, AFT only translates packets permitted by the ACL.

A NAT64 prefix cannot be on the same subnet as any of the interfaces on the device.

A NAT64 prefix must be different from an IVI prefix or a general prefix.

Examples

# Specify 2000:db8e:: as a NAT64 prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:db8e:: 32

Related commands

aft v4tov6 source

display aft configuration

aft turn-off tos

Use aft turn-off tos to set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

Use undo aft turn-off tos to restore the default.

Syntax

aft turn-off tos

undo aft turn-off tos

Default

The ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.

Views

System view

Predefined user roles

network-admin

Examples

# Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

<Sysname> system-view

[Sysname] aft turn-off tos

aft turn-off traffic-class

Use aft turn-off traffic-class to set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

Use undo aft turn-off traffic-class to restore the default.

Syntax

aft turn-off traffic-class

undo aft turn-off traffic-class

Default

The Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.

Views

System view

Predefined user roles

network-admin

Examples

# Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

<Sysname> system-view

[Sysname] aft turn-off traffic-class

aft v4tov6 destination

Use aft v4tov6 destination to configure an IPv4-to-IPv6 destination address translation policy.

Use undo aft v4tov6 destination to delete an IPv4-to-IPv6 destination address translation policy.

Syntax

aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 destination acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 destination address translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Identifies IPv4 packets for address translation. AFT translates destination addresses for IPv4 packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate destination addresses for packets permitted by the ACL.

prefix-ivi prefix-ivi: Specifies an IVI prefix. AFT uses the IVI prefix to translate destination addresses for packets permitted by the ACL.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which translated IPv6 addresses belong. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 addresses belong to the public network, do not specify this option.

Usage guidelines

You must specify different ACLs for different IPv4-to-IPv6 destination address translation policies.

You can specify a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Configure the device to use IVI prefix 3000:db8e:: to translate IPv4 destination addresses to IPv6 for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

[Sysname] aft v4tov6 destination acl number 2000 prefix-ivi 3000:db8e::

# Configure the device to use general prefix 2000:db8e::/32 to translate IPv4 destination addresses to IPv6 for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 destination acl number 2000 prefix-general 2000:db8e:: 32

Related commands

aft prefix-general

aft prefix-ivi

display aft configuration

aft v4tov6 source

Use aft v4tov6 source to configure an IPv4-to-IPv6 source address translation policy.

Use undo aft v4tov6 source to delete an IPv4-to-IPv6 source address translation policy.

Syntax

Static IPv4-to-IPv6 source address mapping:

aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

undo aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

IPv4-to-IPv6 source address translation policy using a NAT64 prefix or general prefix:

aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 source acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be on the same subnet as any interface on the device.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

acl: Identifies IPv4 packets for address translation. AFT translates source addresses for packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate source IPv4 addresses for packets permitted by the ACL.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the NAT64 prefix to translate source IPv4 addresses for packets permitted by the ACL.

Usage guidelines

The IPv4 address and the IPv6 address in each static mapping must both be unique across all static mappings.

You must specify different ACLs for IPv4-to-IPv6 source address translation policies that use NAT64 prefixes or general prefixes.

You can specify a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Map IPv4 source address 2.2.2.123 to IPv6 source address 3001::5.

<Sysname> system-view

[Sysname] aft v4tov6 source 2.2.2.123 3001::5

# Configure the device to use NAT64 prefix 2000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:: 32

[Sysname] aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32

# Configure the device to use general prefix 3000::/32 to translate IPv4 source addresses to IPv6 for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 source acl number 2000 prefix-general 3000:: 32

Related commands

aft prefix-general

aft prefix-nat64

display aft configuration

aft v6server

Use aft v6server to configure an AFT mapping for an IPv6 internal server.

Use undo aft v6server to delete an AFT mapping for an IPv6 internal server.

Syntax

aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]

undo aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ]

Default

The IPv6 internal server does not have an AFT mapping.

Views

System view

Predefined user roles

network-admin

Parameters

protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.

ipv4-destination-address: Specifies an IPv4 address.

ipv4-port-number: Specifies an IPv4 port number in the range of 1 to 65535.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

ipv6-destination-address: Specifies an IPv6 address.

ipv6-port-number: Specifies an IPv6 port number in the range of 1 to 65535.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

Usage guidelines

The AFT mappings for different IPv6 internal servers cannot be the same.

Examples

# Map IPv6 address 3001::5 and port number 1720 of an IPv6 internal server to IPv4 address 2.2.2.123 and port number 1720 for TCP packets.

<Sysname> system-view

[Sysname] aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720

Related commands

display aft configuration

aft v6tov4 source

Use aft v6tov4 source to configure an IPv6-to-IPv4 source address translation policy.

Use undo aft v6tov4 source to delete an IPv6-to-IPv4 source address translation policy.

Syntax

Static IPv6-to-IPv4 source address mapping:

aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

undo aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

Dynamic IPv6-to-IPv4 source address translation policy:

aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize ] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]

undo aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] }

Default

No IPv6-to-IPv4 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 address belongs to the public network, do not specify this option.

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the IPv4 address belongs to the public network, do not specify this option.

acl ipv6: Identifies IPv6 packets for address translation. AFT translates source addresses for IPv6 packets permitted by the ACL.

name ipv6-acl-name: Specifies an IPv6 ACL by its name. The ipv6-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

number ipv6-acl-number: Specifies an IPv6 ACL by its number in the range of 2000 to 3999.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT translates source IPv6 addresses for packets whose destination IPv6 addresses match the NAT64 prefix.

address-group group-id: Specifies an AFT address group by its ID in the range of 0 to 65535.

no-pat: Specifies the NO-PAT mode. If you do not specify the keyword, AFT uses the PAT mode.

port-block-size blocksize: Specifies the port block size in the range of 100 to 64512. If you do not specify the option, the port range will not be divided.

interface interface-type interface-number: Specifies an interface by its type and number. AFT translates source IPv6 addresses to the primary IPv4 address of the specified interface.

Usage guidelines

If you set a port block size, the port range (1024 to 65535) will be divided into port blocks by the port block size. For example, if you set the port block size to 1000, the port range is divided into port blocks 1024 to 2023, 2024 to 3023, and so on. The port blocks are used for PAT.

The IPv4 or IPv6 addresses in different static mappings cannot be the same.

You must specify different ACLs, NAT64 prefixes, and AFT address groups for different dynamic translation policies.

You can specify a nonexistent NAT64 prefix in a policy, but the policy takes effect only after you configure the prefix.
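The port block description above, the flow-triggered assignment described under aft port-block flow-trigger enable, and the five events listed under aft log enable fit together as one allocation life cycle. The following added example (not H3C code) models it: the 1024 to 65535 range is divided by port-block-size exactly as the page describes, a host's first flow triggers a block assignment, ports are handed out from that block until it is exhausted, and each step emits a log line named after the corresponding aft log event. The class and event names are the example's own; it also assumes that a block is withdrawn when the host's last session ends and that a short remainder at the top of the range is dropped, neither of which the page states.

```python
"""Model of port block-based dynamic AFT with flow-triggered assignment.

Added example, not H3C code. Block layout follows the page (1024-65535
divided by blocksize); event names, the withdraw-on-last-session rule and
dropping a short tail block are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PORT_MIN, PORT_MAX = 1024, 65535


def port_blocks(blocksize: int) -> List[Tuple[int, int]]:
    """Divide 1024-65535 into blocks (for 1000: 1024-2023, 2024-3023, ...)."""
    if not 100 <= blocksize <= 64512:
        raise ValueError("port-block-size must be 100 to 64512")
    return [(s, s + blocksize - 1)
            for s in range(PORT_MIN, PORT_MAX - blocksize + 2, blocksize)]


@dataclass
class _Host:
    v4: str
    lo: int
    hi: int
    used: Set[int] = field(default_factory=set)


class AftPortBlockTranslator:
    """One dynamic v6tov4 policy: address group + port-block-size (constructed)."""

    def __init__(self, pool: List[str], blocksize: int):
        # Every (IPv4 address, block) pair the address group can hand out.
        self.free_blocks = [(v4, lo, hi) for v4 in pool for lo, hi in port_blocks(blocksize)]
        self.hosts: Dict[str, _Host] = {}
        # Sessions keyed by IPv6 source only, for brevity; real PAT uses the 5-tuple.
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.log: List[str] = []   # what aft log enable would send to the information center

    def new_flow(self, v6: str, sport: int) -> Optional[Tuple[str, int]]:
        """Translate (v6, sport); the host's first flow triggers a block assignment."""
        host = self.hosts.get(v6)
        if host is None:
            if not self.free_blocks:
                self.log.append(f"PORT_ALLOC_FAIL host={v6} reason=no-free-block")
                return None
            v4, lo, hi = self.free_blocks.pop(0)
            host = self.hosts[v6] = _Host(v4, lo, hi)
            self.log.append(f"PORT_BLOCK_ASSIGN host={v6} ipv4={v4} ports={lo}-{hi}")
        free = next((p for p in range(host.lo, host.hi + 1) if p not in host.used), None)
        if free is None:   # every port in the assigned block is occupied
            self.log.append(f"PORT_ALLOC_FAIL host={v6} reason=block-exhausted")
            return None
        host.used.add(free)
        self.sessions[(v6, sport)] = (host.v4, free)
        self.log.append(f"FLOW_BEGIN {v6}:{sport} -> {host.v4}:{free}")
        return host.v4, free

    def end_flow(self, v6: str, sport: int) -> None:
        """Remove a session; withdraw the block once the host has no sessions left."""
        v4, port = self.sessions.pop((v6, sport))
        host = self.hosts[v6]
        host.used.discard(port)
        self.log.append(f"FLOW_END {v6}:{sport} -> {v4}:{port}")
        if not host.used:
            del self.hosts[v6]
            self.free_blocks.append((host.v4, host.lo, host.hi))
            self.log.append(f"PORT_BLOCK_WITHDRAW host={v6} ipv4={host.v4} ports={host.lo}-{host.hi}")
```

With aft log port-alloc-fail enabled, the block-exhausted case is the event worth alerting on: a single IPv6 host that repeatedly hits it is either misconfigured or opening far more connections than its block size was sized for.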

Examples

# Map source IPv6 address 3001::5 to source IPv4 address 2.2.2.123.

<Sysname> system-view

[Sysname] aft v6tov4 source 3001::5 2.2.2.123

# Configure the device to use AFT address group 0 to translate IPv6 source addresses to IPv4 addresses for IPv6 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100

Related commands

display aft configuration

display aft port-block

display aft address-group

Use display aft address-group to display AFT address group information.

Syntax

display aft address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies an AFT address group ID in the range of 0 to 65535. If you do not specify this argument, the command displays information about all AFT address groups.

Examples

# Display information about all AFT address groups.

<Sysname> display aft address-group

There are 3 AFT address groups.

Group ID           Start address         End address

1                  202.110.10.10         202.110.10.15

2                  202.110.10.20         202.110.10.25

                   202.110.10.30         202.110.10.35

6                  ---                   ---

# Display information about AFT address group 1.

<Sysname> display aft address-group 1

Group ID           Start address         End address

1                  202.110.10.10         202.110.10.15

Table 1 Command output

Field

Description

There are n AFT address groups

Total number of existing AFT address groups.

Group ID

Address group ID.

Start address

Start IP address of an address range. If you do not specify the start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify the end address, this field displays three hyphens (---).


display aft address-mapping

Use display aft address-mapping to display AFT mappings.

Syntax

display aft address-mapping [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT mappings for all cards.

Examples

# Display AFT mappings.

<Sysname> display aft address-mapping

Slot 1:

IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024

      Destination IP/port: 5000::1717:1714/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

IPv4: Source IP/port: 1.1.1.1/1031

      Destination IP/port: 23.23.23.20/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

 

Total address mapping found: 1

Table 2 Command output

Field

Description

IPv4

IPv4 address information.

IPv6

IPv6 address information.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

VPN instance/VLAN ID/Inline ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     Inline ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite.


display aft configuration

Use display aft configuration to display AFT configuration.

Syntax

display aft configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display AFT configuration.

<Sysname> display aft configuration

aft address-group 1

 address 202.110.10.10 202.110.10.15

 address 101.1.1.100 101.1.1.200

 

aft prefix-nat64 2000:: 32

 

aft prefix-ivi 3000:DB8E::

 

aft prefix-general 2000:DB8E:: 32

 

aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100

 

aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32

 

aft v4tov6 destination acl number 2000 prefix-ivi 3000:DB8E::

 

aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720

 

aft turn-off tos

 

aft turn-off traffic-class

 

aft log enable

aft log flow-begin

aft log flow-end

aft log port-block-assign

aft log port-block-withdraw

aft log port-alloc-fail

 

interface GigabitEthernet0/0/1

  aft enable

 

AFT ALG:

  DNS        : Enabled

  FTP        : Enabled

  HTTP       : Enabled

  ICMP-ERROR : Enabled

Table 3 Command output

Field

Description

aft address-group XX

AFT address group ID.

address

Address range of AFT address group.

aft prefix-nat64 X:X::X:X

NAT64 prefix.

aft prefix-ivi X:X::X:X

IVI prefix.

aft prefix-general X:X::X:X

General prefix.

aft v6tov4 source acl ipv6

Information about the IPv6-to-IPv4 source address translation policy:

·     number—Number of the IPv6 ACL.

·     name—Name of the IPv6 ACL.

·     address-group—ID of the AFT address group.

·     port-block-size—Port block size.

aft v4tov6 source acl

Information about the IPv4-to-IPv6 source address translation policy:

·     number—Number of the IPv4 ACL.

·     name—Name of the IPv4 ACL.

·     prefix-nat64—NAT64 prefix and its prefix length.

aft v4tov6 destination acl

Information about the IPv4-to-IPv6 destination address translation policy:

·     number—Number of the IPv4 ACL.

·     name—Name of the IPv4 ACL.

·     prefix-ivi—IVI prefix.

aft v6server protocol

An AFT mapping is configured for an IPv6 internal server.

aft turn-off tos

The ToS field is set to 0 for IPv4 packets translated from IPv6 packets.

aft turn-off traffic-class

The Traffic Class field is set to 0 for IPv6 packets translated from IPv4 packets.

aft log enable

AFT logging is enabled.

aft log flow-begin

AFT session establishment logging is enabled.

aft log flow-end

AFT session removal logging is enabled.

aft log port-block-assign

AFT port block assignment logging is enabled.

aft log port-block-withdraw

AFT port block withdrawal logging is enabled.

aft log port-alloc-fail

AFT port allocation failure logging is enabled.

aft v6tov4 source XX::XX

Source IPv6 address for address translation.

interface GigabitEthernet0/0/1

Interface on which AFT is enabled.

aft enable

AFT is enabled.

AFT ALG

AFT ALG status: Enabled or Disabled.

 

display aft no-pat

Use display aft no-pat to display AFT NO-PAT entries.

Syntax

display aft no-pat [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT NO-PAT entries for all cards.

Usage guidelines

An AFT NO-PAT entry records a mapping between an IPv4 address and an IPv6 address without ports.

Examples

# Display AFT NO-PAT entries.

<Sysname> display aft no-pat

Slot 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 4 Command output

Field

Description

IPv6 address

Original IPv6 address.

IPv4 address

Translated IPv4 address.

IPv4 VPN

VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed.

IPv6 VPN

VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed.

Total entries found

Total number of AFT NO-PAT entries.

 

display aft port-block

Use display aft port-block to display AFT port block mappings.

Syntax

display aft port-block [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT port block mappings for all cards.

Examples

# Display AFT port block mappings.

<Sysname> display aft port-block

Slot 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 5 Command output

Field

Description

IPv6 address

Original IPv6 address.

IPv4 address

Translated IPv4 address.

Port block

Port range for the translated IPv4 address.

IPv4 VPN

VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed.

IPv6 VPN

VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed.

Total entries found

Total number of AFT port block mapping entries.
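The NO-PAT and port block mappings shown above are what let an operator attribute a translated IPv4 address and port back to the IPv6 host that used it, for example when a log entry or an abuse report names only the translated address. The following is an added example, not code from the H3C documentation: a Python parser for the display aft no-pat and display aft port-block output formats above, with a lookup that resolves an IPv4 address and port (optionally within an IPv4 VPN instance) to the original IPv6 address; the sample output is constructed from the format above, not captured from a device.

```python
import ipaddress
import re

# Constructed sample in the display aft port-block format shown above
# (not a capture from a real device).
SAMPLE = """\
Slot 1:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
Port block  : [1024 – 1123]
IPv4 VPN    : vpn2
IPv6 VPN    : vpn1

IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
Port block  : [1024 – 1200]
IPv4 VPN    : vpn2
IPv6 VPN    : vpn1

Total entries found: 2
"""
RANGE_RE = re.compile(r"\[\s*(\d+)\s*[-\u2013]\s*(\d+)\s*\]")  # device prints an en dash

def parse_entries(text):
    """One dict per entry of display aft port-block or display aft no-pat output."""
    entries = []
    for line in text.splitlines():
        if ":" not in line or line.startswith(("Slot", "Total")):
            continue                      # header, blank line or trailer
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "IPv6 address":         # first line of every entry
            entries.append({"ipv6": ipaddress.IPv6Address(value)})  # 3006::0002 -> 3006::2
        elif key == "IPv4 address":
            entries[-1]["ipv4"] = ipaddress.IPv4Address(value)
        elif key == "Port block":
            lo, hi = RANGE_RE.match(value).groups()
            entries[-1]["ports"] = (int(lo), int(hi))
        elif key in ("IPv4 VPN", "IPv6 VPN"):
            entries[-1][key.replace(" ", "_").lower()] = value
    return entries

def resolve(entries, ipv4, port, ipv4_vpn=None):
    """Original IPv6 address behind (ipv4, port); a NO-PAT entry (no port block) covers all ports."""
    addr = ipaddress.IPv4Address(ipv4)
    for e in entries:
        lo, hi = e.get("ports", (0, 65535))
        if e["ipv4"] == addr and lo <= port <= hi and (
                ipv4_vpn is None or e.get("ipv4_vpn") == ipv4_vpn):
            return str(e["ipv6"])
    return None
```

Because a port block is allocated per IPv6 host, the port must fall inside the block; the same IPv4 address with a port outside every block resolves to nothing, which is the expected result rather than an error.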

 

display aft session

Use display aft session to display AFT sessions.

Syntax

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 AFT sessions.

source-ip source-ip-address: Specifies the source IPv4 address of the packets that initiate AFT sessions.

destination-ip destination-ip-address: Specifies the destination IPv4 address of the packets that initiate AFT sessions.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.

ipv6: Displays IPv6 AFT sessions.

source-ip source-ipv6-address: Specifies the source IPv6 address of the packets that initiate AFT sessions.

destination-ip destination-ipv6-address: Specifies the destination IPv6 address of the packets that initiate AFT sessions.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT sessions for all cards.

verbose: Displays detailed information about AFT sessions. If you do not specify this keyword, this command displays brief information about AFT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all AFT sessions.

Examples

# Display detailed information about AFT sessions for the specified slot.

<Sysname> display aft session ipv4 slot 0 verbose

Slot 1:

Initiator:

  Source IP/port: 192.168.1.18/1877

  Destination IP/port: 102.128.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/0/1

Responder:

  Source IP/port: 102.128.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/0/2

State: TCP_SYN_SENT

Application: SSH

Start time: 2020-02-13 19:12:36    TTL: 28s

Initiator->Responder:            1 packets         48 bytes

Responder->Initiator:            0 packets          0 bytes

Total sessions found: 1

Table 6 Command output

Field

Description

Initiator

Session information about the initiator.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/Inline ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     Inline ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

Responder

Session information about the responder.

Application

Application layer protocol, such as FTP and DNS.

This field displays unknown for the protocol types that are identified by non-well-known ports and are not user-defined.

State

AFT session state.

Start time

Time when the session starts.

TTL

Remaining lifetime of the session, in seconds.

Initiator->Responder

Number of packets and bytes from the initiator to the responder.

Responder->Initiator

Number of packets and bytes from the responder to the initiator.

Total sessions found

Total number of AFT sessions.
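The verbose session output above carries, per session, the initiator and responder addresses, the state, the remaining TTL and the packet and byte counters in each direction. The following is an added example, not code from the H3C documentation: a Python parser for that output, plus a check that lists sessions the responder never answered (the sample session above, in TCP_SYN_SENT with zero Responder->Initiator packets, is one). The sample text is constructed from the output format above, not captured from a device.

```python
import re
# Constructed sample in the display aft session ipv4 verbose format shown above
# (not a capture from a real device).
SAMPLE = """\
Slot 1:
Initiator:
  Source IP/port: 192.168.1.18/1877
  Destination IP/port: 102.128.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/0/1
Responder:
  Source IP/port: 102.128.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/0/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2020-02-13 19:12:36    TTL: 28s
Initiator->Responder:            1 packets         48 bytes
Responder->Initiator:            0 packets          0 bytes
Total sessions found: 1
"""
# One match per session: the initiator addresses, state, application, TTL and counters.
SESSION_RE = re.compile(
    r"^Initiator:\n\s*Source IP/port: (?P<src>\S+)/(?P<sport>\d+)\n"
    r"\s*Destination IP/port: (?P<dst>\S+)/(?P<dport>\d+)\n.*?"
    r"^State: (?P<state>\S+)\n^Application: (?P<app>\S+)\n.*?TTL: (?P<ttl>\d+)s\n"
    r"^Initiator->Responder:\s+(?P<fwd_pkts>\d+) packets\s+(?P<fwd_bytes>\d+) bytes\n"
    r"^Responder->Initiator:\s+(?P<rev_pkts>\d+) packets\s+(?P<rev_bytes>\d+) bytes",
    re.DOTALL | re.MULTILINE,
)

def parse_sessions(text):
    """One dict per session in the verbose output; numeric fields become ints."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        s = m.groupdict()
        for k in ("sport", "dport", "ttl", "fwd_pkts", "fwd_bytes", "rev_pkts", "rev_bytes"):
            s[k] = int(s[k])
        sessions.append(s)
    return sessions

def unanswered(sessions):
    """Sessions where the initiator sent traffic and the responder sent nothing back,
    such as the TCP_SYN_SENT session above; many of these from one source merit a look."""
    return [s for s in sessions if s["fwd_pkts"] > 0 and s["rev_pkts"] == 0]
```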

 

Related commands

reset aft session

display aft statistics

Use display aft statistics to display AFT statistics.

Syntax

display aft statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT statistics for all cards.

Usage guidelines

If you do not specify any parameters, this command displays all AFT statistics.

Examples

# Display all AFT statistics.

<Sysname> display aft statistics

Total NO-PAT entries found: 0

Total port-block entries found: 0

Total IPv4 sessions: 0

Total IPv6 sessions: 0

Table 7 Command output

Field

Description

Total NO-PAT entries found

Total number of AFT NO-PAT entries.

Total port-block entries found

Total number of AFT port block mappings.

Total IPv4 sessions

Total number of IPv4 sessions created by AFT.

Total IPv6 sessions

Total number of IPv6 sessions created by AFT.

 

reset aft session

Use reset aft session to delete AFT sessions.

Syntax

reset aft session [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes AFT sessions for all cards.

Usage guidelines

After you delete AFT sessions, the corresponding AFT NO-PAT entries and port block mappings are also deleted.

Examples

# Delete AFT sessions for the specified slot.

<Sysname> reset aft session slot 2

Related commands

display aft session
