NAT66 commands
display nat66 all
Use display nat66 all to display all NAT66 configurations.
Syntax
display nat66 all
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display all NAT66 configurations.
<Sysname> display nat66 all
NAT66 source information:
Totally 1 source rules.
Interface(outbound): GigabitEthernet1/0/1
Original prefix/prefix-length: 11::/64
Original VPN-instance: vpn1
Translated prefix/prefix-length: 22::/64 PAT
Translated VPN-instance: vpn1
NAT66 destination information:
Totally 1 destination rules.
Interface(inbound): GigabitEthernet1/0/2
Original prefix/prefix-length: FD01:203:405::/48 Protocol TCP 6000
Translated prefix/prefix-length: 1::/48 4000
Table 1 Command output
Field | Description |
---|---|
NAT66 source information | Configuration information about NAT66 source address translation. |
NAT66 destination information | Configuration information about NAT66 destination address translation. |
Totally n source rules | Total number of source address translation rules. |
Totally n destination rules | Total number of destination address translation rules. |
Interface(outbound) | Interface configured with NAT66 source address translation rules. |
Interface(inbound) | Interface configured with NAT66 destination address translation rules. |
Original prefix/prefix-length: xxx Protocol yyy zzz | Prefix and prefix length before NAT66 translation: · xxx—Prefix and prefix length before NAT66 translation. · Protocol—Transport layer protocol. Options for yyy include IPv6-ICMP, UDP, and TCP. If you have not specified a transport layer protocol, this field is not displayed. · zzz—External port number used by an internal server to provide services. If you have not specified an external port number, no port number is displayed. |
Original VPN instance | VPN instance to which the prefix before NAT66 translation belongs. If the prefix before NAT66 translation belongs to the public network, this field is not displayed. |
Translated prefix/prefix-length: xxx yyy PAT | Prefix and prefix length after NAT66 translation: · xxx—Prefix and prefix length after NAT66 translation. · yyy—Port number of an internal server in the internal network. If you have not specified the port number, no port number is displayed. · PAT—Uses PAT for address translation. If you have not specified PAT, it is not displayed. |
Translated VPN instance | VPN instance to which the prefix after NAT66 translation belongs. If the prefix after NAT66 translation belongs to the public network, this field is not displayed. |
Related commands
nat66 prefix destination
nat66 prefix source
display nat66 session
Use display nat66 session to display NAT66 sessions.
Syntax
display nat66 session [ [ responder ] { source-ip source-ip-start [ source-ip-end ] | destination-ip destination-ip-start [ destination-ip-end ] | source-port source-port | destination-port destination-port | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | interface { interface-name | interface-type interface-number } } * [ vpn-instance vpn-instance-name ] [ slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
context-operator
vsys-admin
vsys-operator
Parameters
responder: Displays NAT66 sessions by responder. If you do not specify this keyword, this command displays NAT66 sessions by initiator.
source-ip source-ip-start [ source-ip-end ]: Displays NAT66 sessions for the specified source IPv6 address or source IPv6 address range. To specify only one source IPv6 address, specify only the source-ip-start argument. To specify a source IPv6 address range, specify both the source-ip-start and source-ip-end arguments. The source-ip-start and source-ip-end arguments specify the start and end source IPv6 addresses of the source IPv6 address range, respectively. The specified IPv6 address must be the source IPv6 address of the packet that triggers the session establishment.
destination-ip destination-ip-start [ destination-ip-end ]: Displays NAT66 sessions for the specified destination IPv6 address or destination IPv6 address range. To specify only one destination IPv6 address, specify only the destination-ip-start argument. To specify a destination IPv6 address range, specify both the destination-ip-start and destination-ip-end arguments. The destination-ip-start and destination-ip-end arguments specify the start and end destination IPv6 addresses of the destination IPv6 address range, respectively. The specified IP address must be the destination IPv6 address of the packet that triggers the session establishment.
source-port source-port: Specifies a source port by its number. The value range for the source-port argument is 0 to 65535.
destination-port destination-port: Specifies a destination port by its number. The value range for the destination-port argument is 0 to 65535.
protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. Names invalid and other are not allowed.
interface interface-type interface-number: Specifies an interface by its type and number.
state: Specifies a NAT66 session state. Table 2 describes the available NAT66 session states.
Field | Description |
---|---|
dccp-closereq | A request was sent to close the DCCP connection. |
dccp-closing | The DCCP protocol is closing the connection. |
dccp-open | The DCCP connection is fully open. |
dccp-partopen | The DCCP connection is half open. |
dccp-request | A request was sent to initiate a DCCP connection. |
dccp-respond | A DCCP-Response packet was sent. |
dccp-timewait | The DCCP protocol is in waiting state. |
icmpv6-reply | An ICMPv6 echo reply was sent. |
icmpv6-request | A request was sent to initiate an ICMPv6 connection. |
rawip-open | The RawIP connection is open. |
rawip-ready | The RawIP connection is ready. |
sctp-closed | The SCTP connection is closed. |
sctp-cookie-echoed | The SCTP connection is not fully established. |
sctp-cookie-wait | The SCTP connection is in waiting state. |
sctp-established | The SCTP connection was established. |
sctp-shutdown-ack-sent | A shutdown ACK chunk was sent. |
sctp-shutdown-recd | An SCTP shutdown chunk was received. |
sctp-shutdown-sent | An SCTP shutdown chunk was sent. |
tcp-close | The TCP connection is closed. |
tcp-close-wait | The TCP connection is waiting to be closed. |
tcp-est | The TCP connection was established. |
tcp-fin-wait | A FIN packet was sent to close the connection. |
tcp-last-ack | The TCP connection is in the last acknowledgement state. |
tcp-syn-recv | The server received a SYN packet from the client and sent an ACK packet. |
tcp-syn-sent | The client sent a SYN packet to initiate a connection and is waiting for the server's response. |
tcp-syn-sent2 | The TCP connection is in the second connection request state. |
tcp-time-wait | The session termination initiator received a FIN packet and returned an ACK packet. |
udp-open | The UDP connection is open. |
udp-ready | The UDP connection is ready. |
udplite-open | The UDP-Lite connection is open. |
udplite-ready | The UDP-Lite connection is ready. |
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT66 sessions on the public network.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT66 sessions for all member devices.
verbose: Displays detailed information about NAT66 sessions. If you do not specify this keyword, the command displays brief information about NAT66 sessions.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all NAT66 sessions.
Examples
# Display brief information about NAT66 sessions for the specified slot.
<Sysname> display nat66 session slot 1
Slot 1:
Initiator:
Source IP/port: FD01:203:405::1/4048
Destination IP/port: 2001:DB8:1::100/21
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Total sessions found: 1
# Display detailed information about NAT66 sessions for the specified slot.
<Sysname> display nat66 session slot 1 verbose
Slot 1:
Initiator:
Source IP/port: FD01:203:405::1/4048
Destination IP/port: 2001:DB8:1::100/21
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Trust
Responder:
Source IP/port: 2001:DB8:1::100/21
Destination IP/port: 1:0:0:309::1/4048
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
State: TCP_ESTABLISHED
Application: FTP
Rule ID: -/-/-
Rule name:
Start time: 2018-12-10 09:19:28 TTL: 3585s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 3 Command output
Field | Description |
---|---|
Initiator | Session information about the initiator. |
Responder | Session information about the responder. |
Source IP/port | Source IPv6 address and port number. |
Destination IP/port | Destination IPv6 address and port number. |
VPN instance/VLAN ID/Inline ID | This field is not supported in the current software version. · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—ID of the VLAN to which the session belongs for Layer 2 forwarding. · Inline ID—ID of the INLINE to which the session belongs for Layer 2 forwarding. If no settings are specified, this field displays slash-separated hyphens (-/-/-). |
Protocol | Transport layer protocol type: DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number after the protocol is the protocol number. |
Inbound interface | Input interface. |
Source security zone | Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-). |
State | NAT66 session state. |
Application | Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports. |
Rule ID | ID of the security policy rule. |
Rule name | Name of the security policy rule. |
Start time | Time when the session starts. |
TTL | Remaining lifetime of the NAT66 session, in seconds. |
Initiator->Responder | Number of packets and packet bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and packet bytes from the responder to the initiator. |
Total sessions found | Total number of sessions. |
Related commands
reset nat66 session
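In the verbose sample above, the initiator source FD01:203:405::1 appears on the responder side as 1:0:0:309::1. The following added example (not part of the original document or of the vendor's software) reproduces that pair with the checksum-neutral prefix mapping of RFC 6296, which is useful when attributing a translated address in a session record back to an internal host. It assumes the device follows that algorithm and that the mapping in effect is FD01:203:405::/48 to 1::/48; the function names are hypothetical.

```python
import ipaddress


def _fold(total):
    """Ones' complement 16-bit addition: fold carries back into the low word."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _word_sum(addr):
    """Ones' complement sum of the eight 16-bit words of an IPv6 address."""
    packed = addr.packed
    return _fold(sum(int.from_bytes(packed[i:i + 2], "big")
                     for i in range(0, 16, 2)))


def translate(address, original_prefix, translated_prefix):
    """Map address from original_prefix into translated_prefix (RFC 6296 style)."""
    addr = ipaddress.IPv6Address(address)
    orig = ipaddress.IPv6Network(original_prefix)
    new = ipaddress.IPv6Network(translated_prefix)
    if orig.prefixlen != new.prefixlen:
        raise ValueError("prefix length before and after NAT66 must be the same")
    if orig.prefixlen > 48:
        raise ValueError("this example only covers prefixes of /48 or shorter")
    if addr not in orig:
        raise ValueError(f"{addr} is not inside {orig}")
    # adjustment = sum(original prefix) - sum(translated prefix),
    # computed in ones' complement arithmetic.
    adjustment = _fold(_word_sum(orig.network_address)
                       + (~_word_sum(new.network_address) & 0xFFFF))
    # Swap the prefix bits and keep everything below the prefix unchanged.
    value = (int(addr) & int(orig.hostmask)) | int(new.network_address)
    # For /48 or shorter, the adjustment is added to bits 48..63 (fourth word).
    shift = 64
    word = _fold(((value >> shift) & 0xFFFF) + adjustment)
    if word == 0xFFFF:          # 0xFFFF and 0x0000 are both zero; use 0x0000
        word = 0
    value = (value & ~(0xFFFF << shift)) | (word << shift)
    return ipaddress.IPv6Address(value)


def session_is_consistent(initiator_src, responder_dst,
                          original_prefix, translated_prefix):
    """True if the responder-side address is the mapping of the initiator source."""
    expected = translate(initiator_src, original_prefix, translated_prefix)
    return expected == ipaddress.IPv6Address(responder_dst)


if __name__ == "__main__":
    # Addresses taken from the sample session output above.
    print(translate("FD01:203:405::1", "FD01:203:405::/48", "1::/48"))
```

Swapping the two prefix arguments maps a translated address back to the internal one.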
display nat66 statistics
Use display nat66 statistics to display NAT66 statistics.
Syntax
display nat66 statistics [ summary ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
context-operator
vsys-admin
vsys-operator
Parameters
summary: Displays NAT66 statistics summary. If you do not specify this keyword, the command displays detailed NAT66 statistics.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT66 statistics for all member devices.
Examples
# Display detailed NAT66 statistics.
<Sysname> display nat66 statistics
Slot 1:
Total session entries: 100
Total outbound NO-PAT entries: 100
Table 4 Command output
Field | Description |
---|---|
Total session entries | Number of NAT66 session entries. |
Total outbound NO-PAT entries | Number of outbound NAT66 NO-PAT session entries. |
# Display NAT66 statistics summary.
<Sysname> display nat66 statistics summary
Slot Sessions
1 100
Table 5 Command output
Field | Description |
---|---|
Sessions | Number of NAT66 session entries. |
nat66 prefix destination
Use nat66 prefix destination to configure an IPv6 prefix mapping for IPv6 destination address translation.
Use undo nat66 prefix destination to remove an IPv6 prefix mapping for IPv6 destination address translation.
Syntax
nat66 prefix destination [ protocol pro-type ] original-ipv6-prefix prefix-length [ global-port ] [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix prefix-length [ local-port ] [ vpn-instance translated-vpn-instance-name ]
undo nat66 prefix destination [ protocol pro-type ] original-ipv6-prefix prefix-length [ global-port ] [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix prefix-length [ local-port ] [ vpn-instance translated-vpn-instance-name ]
Default
No IPv6 prefix mappings are configured for IPv6 destination address translation.
Views
Interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
protocol pro-type: Specifies a protocol type. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:
· A number in the range of 1 to 255. The values 50 (ESP) and 51 (AH) are not supported.
· A protocol name of ipv6-icmp, tcp, or udp.
original-ipv6-prefix: Specifies the original IPv6 prefix. For IPv6 destination address translation, specify the external prefix.
global-port: Specifies a public port number for the internal server, in the range of 1 to 65535. If you do not specify this argument, the translation will be performed no matter what the destination port number is. You can specify this argument only when the protocol type is TCP or UDP.
vpn-instance original-vpn-instance-name: Specifies the MPLS L3VPN instance to which the original IPv6 prefix belongs. The original-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the original IPv6 prefix belongs to the public network, do not specify this option.
translated-ipv6-prefix: Specifies the translated IPv6 prefix. For IPv6 destination address translation, specify the internal prefix.
prefix-length: Specifies a prefix length, in the range of 1 to 128.
local-port: Specifies a private port number for the internal server, in the range of 1 to 65535. If you do not specify this argument, the value for this argument is the same as the value of the global-port argument. If you do not specify the global-port and local-port arguments, the port number is not translated. You can specify this argument only when the protocol type is TCP or UDP.
vpn-instance translated-vpn-instance-name: Specifies the MPLS L3VPN instance to which the translated IPv6 prefix belongs. The translated-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the translated IPv6 prefix belongs to the public network, do not specify this option.
Usage guidelines
To allow external users to access internal servers (such as Web or FTP server), configure IPv6 destination prefix mappings on the interface connected to the external network.
When you configure IPv6 destination prefix mappings, follow these restrictions and guidelines:
· The prefix length before and after NAT66 must be the same.
· On one interface on the public network or in the same VPN instance, the mapping between an external prefix and an internal prefix must be unique.
· On different interfaces on the public network or in the same VPN instance, one external prefix cannot be mapped to different internal prefixes.
· The translated IPv6 prefix cannot be the same as the prefix of the public IPv6 address of the NAT66 device or the prefix of the IPv6 address of an external host.
· The command does not support modifying an existing IPv6 prefix mapping. To modify it, first execute the undo nat66 prefix destination command to remove the mapping, and then configure the new one.
This feature cannot perform translation on AH or ESP packets.
Examples
# On GigabitEthernet 1/0/1, configure an IPv6 destination prefix mapping to translate IPv6 prefix 2001::/64 to IPv6 prefix 2101::/64.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat66 prefix destination 2001:: 64 2101:: 64
# On GigabitEthernet 1/0/1, configure an IPv6 destination prefix mapping to translate IPv6 prefix 2001::/64 and port 64 to IPv6 prefix 2101::/64 and port 200 for packets destined for the internal FTP server.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat66 prefix destination 2001:: 64 protocol tcp 100 2101:: 64 200
Related commands
display nat66 all
nat66 prefix source
Use nat66 prefix source to configure an IPv6 prefix mapping for IPv6 source address translation.
Use undo nat66 prefix source to remove an IPv6 prefix mapping for IPv6 source address translation.
Syntax
nat66 prefix source original-ipv6-prefix prefix-length [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix prefix-length [ vpn-instance translated-vpn-instance-name ] [ pat ]
undo nat66 prefix source original-ipv6-prefix prefix-length [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix prefix-length [ vpn-instance translated-vpn-instance-name ] [ pat ]
Default
No IPv6 prefix mappings are configured for IPv6 source address translation.
Views
Interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
original-ipv6-prefix: Specifies the original IPv6 prefix. For IPv6 source address translation, specify the internal prefix.
vpn-instance original-vpn-instance-name: Specifies the MPLS L3VPN instance to which the original IPv6 prefix belongs. The original-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the original IPv6 prefix belongs to the public network, do not specify this option.
translated-ipv6-prefix: Specifies the translated IPv6 prefix. For IPv6 source address translation, specify the external prefix.
prefix-length: Specifies a prefix length, in the range of 1 to 128.
pat: Uses the PAT mode for address translation. In this mode, port information is translated. If you do not specify this keyword, the device does not translate port information.
vpn-instance translated-vpn-instance-name: Specifies the MPLS L3VPN instance to which the translated IPv6 prefix belongs. The translated-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the translated IPv6 prefix belongs to the public network, do not specify this option.
Usage guidelines
NAT66 source address translation is applicable to the following scenarios:
· Single internal and external network—The NAT66 device is connected to an internal network and an external network. Hosts in the internal network use locally routed IPv6 prefixes. When an internal host sends packets to access the external network, the NAT66 device translates the source IPv6 address prefix in the packets to a global unicast address prefix.
· Redundancy and load sharing—Multiple NAT66 devices are deployed between two IPv6 networks and they use ECMPs for load sharing. To allow any NAT66 device to process IPv6 traffic among different sites, configure the same source prefix mappings on these NAT66 devices.
· Multihoming—In a multihomed network, NAT66 devices are connected to an internal network and multiple external networks. One internal prefix is mapped to different external prefixes on the NAT66 devices, so that one internal address can be translated to multiple external addresses.
When you configure source prefix mappings, follow these restrictions and guidelines:
· Source prefix mappings are typically configured on the interface connected to the external network.
· The prefix length before and after NAT66 in a mapping must be the same if this mapping does not support port translation.
· On one interface on the public network or in the same VPN instance, the mapping between an internal prefix and an external prefix must be unique.
· On different interfaces on the public network or in the same VPN instance, different internal prefixes cannot be mapped to the same external prefix.
· The translated IPv6 prefix cannot be the same as the prefix of the public IPv6 address of the NAT66 device or the prefix of the destination public IPv6 address.
· The command does not support modifying an existing prefix mapping. To modify it, first execute the undo nat66 prefix source command to remove the mapping, and then configure the new one.
This feature cannot perform translation on AH or ESP packets.
Examples
# On GigabitEthernet 1/0/1, configure an IPv6 source prefix mapping to translate IPv6 prefix FD9C:58ED:7D73:2::/64 to 2101::/64.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat66 prefix source fd9C:58ed:7d73:2:: 64 2101:: 64
# On GigabitEthernet 1/0/1, configure an IPv6 source prefix mapping in PAT mode to translate IPv6 prefix FD9C:58ED:7D73:2::/64 to 2101::/64.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] nat66 prefix source fd9C:58ed:7d73:2:: 64 2101:: 64 pat
Related commands
display nat66 all
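The prefix restrictions listed under nat66 prefix destination and nat66 prefix source can be checked before a change is pushed to the device. The following is an added example, not part of the original document: it takes a hypothetical Mapping record per configured command, assumes all mappings are on the public network, reads "must be unique" on one interface as one-to-one, and uses constructed sample data.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Hypothetical record: one per "nat66 prefix source|destination" command.
Mapping = namedtuple("Mapping", "interface kind original translated pat",
                     defaults=(False,))


def lint(mappings):
    """Return a list of (rule, kind, prefix) findings for a set of mappings."""
    findings = []
    forward = defaultdict(set)   # (kind, interface, original)   -> translated
    reverse = defaultdict(set)   # (kind, interface, translated) -> original
    external = defaultdict(set)  # (kind, external) -> (interface, internal)
    for m in mappings:
        orig = ipaddress.IPv6Network(m.original)
        new = ipaddress.IPv6Network(m.translated)
        # Lengths must match, except for source mappings that use PAT.
        if orig.prefixlen != new.prefixlen and not (m.kind == "source" and m.pat):
            findings.append(("prefix-length-mismatch", m.kind, str(orig)))
        forward[(m.kind, m.interface, orig)].add(new)
        reverse[(m.kind, m.interface, new)].add(orig)
        # The external side is the original prefix for destination
        # translation and the translated prefix for source translation.
        ext, internal = (orig, new) if m.kind == "destination" else (new, orig)
        external[(m.kind, ext)].add((m.interface, internal))
    # Same interface: a prefix may appear in only one mapping per direction.
    for table in (forward, reverse):
        for (kind, _iface, prefix), others in table.items():
            if len(others) > 1:
                findings.append(("not-unique-on-interface", kind, str(prefix)))
    # Different interfaces: one external prefix, one internal prefix.
    for (kind, ext), pairs in external.items():
        interfaces = {iface for iface, _ in pairs}
        internals = {prefix for _, prefix in pairs}
        if len(interfaces) > 1 and len(internals) > 1:
            findings.append(("external-prefix-reused-across-interfaces",
                             kind, str(ext)))
    return findings


# Constructed sample configuration (not taken from a real device).
CONSTRUCTED = [
    Mapping("GE1/0/1", "destination", "2001::/64", "2101::/64"),
    Mapping("GE1/0/2", "destination", "2001::/64", "2102::/64"),
    Mapping("GE1/0/1", "source", "fd9c:58ed:7d73:2::/64", "2101::/96", pat=True),
    Mapping("GE1/0/1", "source", "fd9c:58ed:7d73::/48", "2201::/64"),
    Mapping("GE1/0/3", "source", "fd00:1::/64", "2301::/64"),
    Mapping("GE1/0/4", "source", "fd00:2::/64", "2301::/64"),
]

if __name__ == "__main__":
    for finding in lint(CONSTRUCTED):
        print(finding)
```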
reset nat66 session
Use reset nat66 session to delete NAT66 sessions.
Syntax
reset nat66 session [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command deletes NAT66 sessions for all member devices.
Examples
# Delete NAT66 sessions for the specified slot.
<Sysname> reset nat66 session slot 1
Related commands
display nat66 session