AFT commands
Non-default vSystems do not support some of the AFT commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
address
Use address to add an address range to an AFT address group.
Use undo address to remove an address range from an AFT address group.
Syntax
address start-address end-address
undo address start-address end-address
Default
No address ranges exist.
Views
AFT address group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.
Usage guidelines
An AFT address group is a set of address ranges. Dynamic AFT translates an IPv6 address to an IPv4 address in one of the address ranges.
Each address range can contain a maximum of 256 addresses.
Make sure the address ranges do not overlap.
Examples
# Add two address ranges to AFT address group 2.
<Sysname> system-view
[Sysname] aft address-group 2
[Sysname-aft-address-group-2] address 10.1.1.1 10.1.1.15
[Sysname-aft-address-group-2] address 10.1.1.20 10.1.1.30
Related commands
aft address-group
aft address-group
Use aft address-group to create an AFT address group and enter its view, or enter the view of an existing AFT address group.
Use undo aft address-group to delete an AFT address group.
Syntax
aft address-group group-id
undo aft address-group group-id
Default
No AFT address groups exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-id: Assigns an ID to the address group. The value range for this argument is 0 to 65535.
Usage guidelines
An AFT address group is a set of address ranges. Use the address command to add an address range.
The AFT address group is used in dynamic AFT. Dynamic AFT translates the source address of an IPv6 packet to an IPv4 address in the address group.
Examples
# Create AFT address group 1 and enter its view.
<Sysname> system-view
[Sysname] aft address-group 1
[Sysname-aft-address-group-1]
Related commands
address
aft v6tov4 source
display aft address-group
display aft configuration
aft alg
Use aft alg to enable AFT ALG for the specified or all supported protocols.
Use undo aft alg to disable AFT ALG for the specified or all supported protocols.
Syntax
aft alg { all | dns | ftp | h323 | http | icmp-error | rtsp | sip }
undo aft alg { all | dns | ftp | h323 | http | icmp-error | rtsp | sip }
Default
AFT ALG is enabled for DNS, FTP, H.323, HTTP, ICMP error messages, RTSP, and SIP.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
all: Enables AFT ALG for all supported protocols.
dns: Enables AFT ALG for DNS.
ftp: Enables AFT ALG for FTP.
h323: Enables AFT ALG for H.323.
http: Enables AFT ALG for HTTP.
icmp-error: Enables AFT ALG for ICMP error packets.
rtsp: Enables AFT ALG for RTSP.
sip: Enables AFT ALG for SIP.
Usage guidelines
AFT ALG translates address or port information in the application layer payloads.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires AFT ALG to translate the address and port information.
You can execute this command multiple times to enable AFT ALG for different protocols.
Examples
# Enable AFT ALG for FTP.
<Sysname> system-view
[Sysname] aft alg ftp
Related commands
display aft configuration
aft enable
Use aft enable to enable AFT on an interface.
Use undo aft enable to disable AFT on an interface.
Syntax
aft enable
undo aft enable
Default
AFT is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
You must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.
Examples
# Enable AFT on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] aft enable
Related commands
display aft configuration
aft log enable
Use aft log enable to enable AFT logging.
Use undo aft log enable to disable AFT logging.
Syntax
aft log enable
undo aft log enable
Default
AFT logging is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
For security auditing, you can enable AFT logging to record AFT session information. An AFT session is a session whose source and destination IP addresses are translated by AFT.
AFT can log the following events:
· An AFT port block is created.
· An AFT port block is deleted.
· An AFT session is established.
To log AFT session establishment events, you must also execute the aft log flow-begin command.
· An AFT session is removed.
To log AFT session removal events, you must also execute the aft log flow-end command.
The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable AFT logging.
<Sysname> system-view
[Sysname] aft log enable
Related commands
aft log flow-begin
aft log flow-end
display aft configuration
aft log flow-begin
Use aft log flow-begin to enable AFT session establishment logging.
Use undo aft log flow-begin to disable AFT session establishment logging.
Syntax
aft log flow-begin
undo aft log flow-begin
Default
AFT session establishment logging is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature enables the AFT module to generate a log entry for every AFT session establishment event.
AFT session establishment logging takes effect only after you enable AFT logging.
Examples
# Enable AFT session establishment logging.
<Sysname> system-view
[Sysname] aft log flow-begin
Related commands
aft log enable
aft log flow-end
display aft configuration
aft log flow-end
Use aft log flow-end to enable AFT session removal logging.
Use undo aft log flow-end to disable AFT session removal logging.
Syntax
aft log flow-end
undo aft log flow-end
Default
AFT session removal logging is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature enables the AFT module to generate a log entry for every AFT session removal event.
AFT session removal logging takes effect only after you enable AFT logging.
Examples
# Enable AFT session removal logging.
<Sysname> system-view
[Sysname] aft log flow-end
Related commands
aft log enable
aft log flow-begin
aft log port-block
Use aft log port-block to enable AFT port block logging.
Use undo aft log port-block to disable AFT port block logging.
Syntax
aft log port-block { alarm | assign | withdraw }
undo aft log port-block { alarm | assign | withdraw }
Default
AFT port block logging is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
alarm: Enables logging for port exhaustion in an AFT port block.
assign: Enables logging for AFT port block assignment.
withdraw: Enables logging for AFT port block withdrawal.
Usage guidelines
After you configure this command, AFT generates logs when an AFT port block is assigned or withdrawn, or when an AFT port block has assigned all of its ports.
AFT port block logging takes effect only after you execute the aft log enable command to enable AFT logging.
Examples
# Enable AFT port block logging.
<Sysname> system-view
[Sysname] aft log port-block assign
Related commands
aft log enable
aft log port-block usage threshold
Use aft log port-block usage threshold to set the AFT port block usage threshold.
Use undo aft log port-block usage threshold to restore the default.
Syntax
aft log port-block usage threshold threshold-value
undo aft log port-block usage threshold
Default
The AFT port block usage threshold is 90%.
Views
System view
Predefined user roles
network-admin
mdc-admin
vsys-admin
Parameters
threshold-value: Specifies the port block usage threshold in percentage. The value range is 40 to 100.
Usage guidelines
A log is generated when the AFT port block usage exceeds the threshold.
This command takes effect only after you use the aft log enable command to enable AFT logging.
Examples
# Set the AFT port block usage threshold to 60%.
<Sysname> system-view
[Sysname] aft log port-block usage threshold 60
Related commands
aft log enable
aft port-block synchronization enable
Use aft port-block synchronization enable to enable dynamic AFT port block mapping synchronization.
Use undo aft port-block synchronization enable to disable dynamic AFT port block mapping synchronization.
Syntax
aft port-block synchronization enable
undo aft port-block synchronization enable
Default
Dynamic AFT port block mapping synchronization is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command. After you execute this command in the default vSystem, the command takes effect in both the default vSystem and non-default vSystems.
Dynamic AFT port block mapping synchronization enables the master and the backup to synchronize dynamic port block mappings, which ensures smooth switchover without service interruption.
On a hot backup system, dynamic AFT port block mapping synchronization takes effect after you enable service entry hot backup by using the hot-backup enable command.
In an IRF network, dynamic AFT port block mapping synchronization takes effect after you enable session synchronization for stateful failover by using the session synchronization enable command.
Examples
# Enable dynamic AFT port block mapping synchronization.
<Sysname> system-view
[Sysname] aft port-block synchronization enable
Related commands
aft v6tov4 source
hot-backup enable (High Availability Command Reference)
session synchronization enable (Security Command Reference)
aft port-block-group
Use aft port-block-group to create an AFT port block group and enter its view, or enter the view of an existing AFT port block group.
Use undo aft port-block-group to delete an AFT port block group.
Syntax
aft port-block-group block-group-id
undo aft port-block-group block-group-id
Default
No AFT port block groups exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
block-group-id: Assigns an ID to the AFT port block group. The value range is 0 to 65535.
Usage guidelines
An AFT port block group can be used in a port block group-based IPv6-to-IPv4 source address static translation policy for IPv6-to-IPv4 source address translation.
An AFT port block group contains the following settings:
· Address ranges:
  ◦ IPv4 address ranges used for IPv6-to-IPv4 source address translation, specified by using the ip-address command.
  ◦ IPv6 prefix ranges used to match the IPv6 addresses to be translated, specified by using the ipv6-prefix command.
· Port range specified by using the port-range command. The port range will be divided into port blocks of the specified port block size. Each port block is paired with an IPv4 address to match an IPv6 prefix for IPv6-to-IPv4 source address translation.
· Port block size specified by using the block-size command.
Examples
# Create AFT port block group 1 and enter its view.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1]
Related commands
aft v6tov4 source
block-size
display aft configuration
ip-address
ipv6-prefix
port-range
aft port-load-balance enable
Use aft port-load-balance enable to enable AFT port halving.
Use undo aft port-load-balance enable to disable AFT port halving.
Syntax
aft port-load-balance enable slot slot-number
undo aft port-load-balance enable
Default
AFT port halving is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. This device will use the lower half of the port block.
Usage guidelines
Non-default vSystems do not support this command. After you execute this command in the default vSystem, the command takes effect in both the default vSystem and non-default vSystems.
AFT supports IRF hot backup in active/standby and dual-active mode. The AFT configuration for IRF hot backup depends on the deployment mode.
· In dual-active mode, if the two IRF member devices in an IRF fabric use the same AFT address group, the devices might map different IPv6 addresses and ports to the same IPv4 address and port. To avoid this situation, enable AFT port halving on the devices. After you enable AFT port halving, each port block will be equally divided between the two devices. The two devices will use different ports to translate packets from different IP addresses, avoiding port assignment conflicts.
· You do not need to enable AFT port halving on the IRF member devices in active/standby mode.
This command is exclusive with the aft remote-backup port-alloc command.
Examples
# Enable AFT port halving.
<Sysname> system-view
[Sysname] aft port-load-balance enable slot 1
Related commands
aft remote-backup port-alloc
aft prefix-general
Use aft prefix-general to configure a general prefix.
Use undo aft prefix-general to delete a general prefix.
Syntax
aft prefix-general prefix-general prefix-length
undo aft prefix-general prefix-general prefix-length
Default
No general prefixes exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
prefix-general: Specifies the general prefix.
prefix-length: Specifies the prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.
Usage guidelines
A general prefix is an IPv6 address prefix of 32, 40, 48, 56, 64, or 96 bits. A general prefix can be used for source and destination address translation between IPv4 and IPv6.
When a general prefix is used alone, it provides IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.
When a general prefix is used in the aft v4tov6 source or aft v4tov6 destination command, it provides IPv4-to-IPv6 source or destination address translation. If a source or destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the general prefix and the IPv4 address.
A general prefix cannot be on the same subnet as any interface on the device.
A general prefix must be different from a NAT64 prefix or an IVI prefix.
Examples
# Specify 2000:db8e:: as a general prefix and set its prefix length to 32.
<Sysname> system-view
[Sysname] aft prefix-general 2000:db8e:: 32
Related commands
aft v4tov6 destination
aft v4tov6 source
display aft configuration
aft prefix-ivi
Use aft prefix-ivi to configure an IVI prefix.
Use undo aft prefix-ivi to delete an IVI prefix.
Syntax
aft prefix-ivi prefix-ivi
undo aft prefix-ivi prefix-ivi
Default
No IVI prefixes exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
prefix-ivi: Specifies an IVI prefix.
Usage guidelines
An IVI prefix is an IPv6 address prefix whose length is fixed at 32 bits. An IVI prefix can be used for IPv6-to-IPv4 source address translation and IPv4-to-IPv6 destination address translation.
When an IVI prefix is used alone, it provides IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.
When an IVI prefix is used in the aft v4tov6 destination command, it provides IPv4-to-IPv6 destination address translation. If a destination IPv4 address matches the ACL, AFT constructs the IPv6 address by using the IVI prefix and the IPv4 address.
An IVI prefix must be different from a NAT64 prefix or a general prefix.
Examples
# Specify 3000:db8e:: as an IVI prefix.
<Sysname> system-view
[Sysname] aft prefix-ivi 3000:db8e::
Related commands
aft v4tov6 destination
display aft configuration
aft prefix-nat64
Use aft prefix-nat64 to configure a NAT64 prefix.
Use undo aft prefix-nat64 to delete a NAT64 prefix.
Syntax
aft prefix-nat64 prefix-nat64 prefix-length
undo aft prefix-nat64 prefix-nat64 prefix-length
Default
No NAT64 prefixes exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
prefix-nat64: Specifies a NAT64 prefix.
prefix-length: Specifies the NAT64 prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.
Usage guidelines
A NAT64 prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. The IPv6 hosts do not use a constructed IPv6 address as their real IP address. The length of a NAT64 prefix can be 32, 40, 48, 56, 64, or 96. A NAT64 prefix can be a network-specific prefix (NSP) or well-known prefix (WKP). An NSP is assigned by an organization and is usually a subnet from the organization's IPv6 prefix. The WKP for NAT64 is 64:ff9b::/96. If no NSP is configured, NAT64 uses the WKP to perform address translation.
When a NAT64 prefix is used alone, it provides IPv6-to-IPv4 destination address translation. If a destination IPv6 address matches the NAT64 prefix, AFT translates it to the embedded IPv4 address.
When a NAT64 prefix is used alone or in the aft v4tov6 source command, it also provides IPv4-to-IPv6 source address translation. AFT constructs the IPv6 address by using the NAT64 prefix and the source IPv4 address. If the NAT64 prefix is used in the aft v4tov6 source command, AFT only translates packets permitted by the ACL.
When you configure a 96-bit NAT64 prefix, make sure bits 64 through 71 are all 0.
A NAT64 prefix cannot be on the same subnet as any of the interfaces on the device.
A NAT64 prefix must be different from an IVI prefix or a general prefix.
Examples
# Specify 2000:db8e:: as a NAT64 prefix and set its prefix length to 32.
<Sysname> system-view
[Sysname] aft prefix-nat64 2000:db8e:: 32
Related commands
aft v4tov6 source
display aft configuration
aft remote-backup port-alloc
Use aft remote-backup port-alloc to specify AFT port ranges for the two devices in the hot backup system.
Use undo aft remote-backup port-alloc to restore the default.
Syntax
aft remote-backup port-alloc { primary | secondary }
undo aft remote-backup port-alloc
Default
The two devices in the hot backup system share AFT port resources.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
primary: Specifies the lower half of the port block.
secondary: Specifies the higher half of the port block.
Usage guidelines
Non-default vSystems do not support this command. After you execute this command in the default vSystem, the command takes effect in both the default vSystem and non-default vSystems.
In the hot backup system in dual-active mode, different IP+port combinations on the two devices might be translated to the same AFT IP+port resources due to the following reasons:
· The two devices in the hot backup system share AFT addresses.
· The same AFT port range is assigned to each device.
To avoid this situation, execute this command on the primary device to equally divide the port resources between the two devices. Executing the command on the primary device also causes the remaining half of the port block to be automatically assigned to the secondary device. For example, if you execute the aft remote-backup port-alloc secondary command on the primary device, the aft remote-backup port-alloc primary command is automatically executed on the secondary device. For more information about configuring the hot backup system, see RBM-based hot backup configuration in High Availability Configuration Guide.
You do not need to execute this command for the hot backup system in active/standby mode. No port conflict exists in active/standby mode because only one device processes AFT services.
This command is exclusive with the aft port-load-balance enable command.
Examples
# Specify the primary device in the hot backup system to use the lower half of the port block.
<Sysname> system-view
[Sysname] aft remote-backup port-alloc primary
Related commands
aft port-load-balance enable
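The aft port-block-group, aft port-load-balance enable, aft remote-backup port-alloc and aft log port-block usage threshold entries together describe one mechanism: a port range is cut into fixed-size blocks paired with IPv4 addresses, two dual-active devices take the lower and higher half of every block so they never hand out the same address and port, and a log fires when a block's usage exceeds the threshold. The following Python is an added model of that behaviour, not the device's implementation; pairing every address in the group with every block, and the lowest-free-port assignment order, are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PortBlock:
    """One port block paired with one IPv4 address (modelled after an AFT port block group)."""
    ipv4: str
    first_port: int
    last_port: int
    assigned: set = field(default_factory=set)

    @property
    def size(self):
        return self.last_port - self.first_port + 1

    def usage_percent(self):
        return 100.0 * len(self.assigned) / self.size

    def assign_port(self):
        """Hand out the lowest free port in this block, or None once the block is exhausted
        (the condition the alarm keyword of aft log port-block reports)."""
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.assigned:
                self.assigned.add(port)
                return port
        return None


def expand_ranges(ranges):
    """Expand (start, end) IPv4 ranges, applying the address command's rules: end not lower
    than start, at most 256 addresses per range."""
    out = []
    for start, end in ranges:
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if b < a:
            raise ValueError(f"end address {end} is lower than start address {start}")
        if b - a + 1 > 256:
            raise ValueError(f"range {start}-{end} exceeds 256 addresses")
        out.extend(str(ipaddress.IPv4Address(i)) for i in range(a, b + 1))
    return out


def build_port_blocks(ipv4_ranges, port_start, port_end, block_size, role=None):
    """Divide [port_start, port_end] into blocks of block_size for every address and return the
    blocks this device may use. role=None models shared ports (the default); "primary" keeps the
    lower half of every block and "secondary" the higher half, as port halving / port-alloc do."""
    if (port_end - port_start + 1) % block_size:
        raise ValueError("port range is not a whole number of blocks")
    if role is not None and block_size % 2:
        raise ValueError("block size must be even to halve a block")
    blocks = []
    for ip in expand_ranges(ipv4_ranges):
        for first in range(port_start, port_end + 1, block_size):
            last = first + block_size - 1
            if role == "primary":
                last = first + block_size // 2 - 1
            elif role == "secondary":
                first = first + block_size // 2
            blocks.append(PortBlock(ip, first, last))
    return blocks


def port_conflicts(blocks_a, blocks_b):
    """(ipv4, port) pairs that two devices could both map to: the conflict the guidelines warn about."""
    def pairs(blocks):
        return {(b.ipv4, p) for b in blocks for p in range(b.first_port, b.last_port + 1)}
    return pairs(blocks_a) & pairs(blocks_b)


def usage_alarm(block, threshold=90):
    """True once usage exceeds the threshold (default 90%, the command's default value)."""
    return block.usage_percent() > threshold


if __name__ == "__main__":
    # Constructed input: the two address ranges from the address command example.
    ranges = [("10.1.1.1", "10.1.1.15"), ("10.1.1.20", "10.1.1.30")]
    primary = build_port_blocks(ranges, 1024, 2047, 256, role="primary")
    secondary = build_port_blocks(ranges, 1024, 2047, 256, role="secondary")
    print(len(primary), "blocks per device,", len(port_conflicts(primary, secondary)), "conflicts")
```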
aft turn-off tos
Use aft turn-off tos to set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
Use undo aft turn-off tos to restore the default.
Syntax
aft turn-off tos
undo aft turn-off tos
Default
The ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
<Sysname> system-view
[Sysname] aft turn-off tos
aft turn-off traffic-class
Use aft turn-off traffic-class to set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.
Use undo aft turn-off traffic-class to restore the default.
Syntax
aft turn-off traffic-class
undo aft turn-off traffic-class
Default
The Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.
<Sysname> system-view
[Sysname] aft turn-off traffic-class
aft v4server
Use aft v4server to configure an AFT mapping for an IPv4 internal server.
Use undo aft v4server to delete an AFT mapping for an IPv4 internal server.
Syntax
aft v4server protocol protocol-type ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ] ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] [ vrrp virtual-router-id ]
undo aft v4server protocol { tcp | udp } ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]
Default
No AFT mapping for an IPv4 internal server is configured.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.
ipv6-destination-address: Specifies an IPv6 address.
ipv6-port-number: Specifies an IPv6 port number in the range of 0 to 65535.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv6 address belongs to the public network, do not specify this option.
ipv4-destination-address: Specifies an IPv4 address.
ipv4-port-number: Specifies an IPv4 port number in the range of 0 to 65535.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv4 address belongs to the public network, do not specify this option.
vrrp virtual-router-id: Binds the IPv4 server to a VRRP group on the IPv6 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.
Usage guidelines
Application scenarios
This command maps the IPv4 address and port number of an IPv4 server to an IPv6 address and port number. IPv6 hosts can use the IPv6 address and port number to access the services provided by the IPv4 server.
Recommended configuration
On a hot backup system, execute this command on the primary device to bind an AFT IPv4 server to a hot backup-associated VRRP group on the IPv6 network. If not, ARP might fail to resolve an IPv4-mapped IPv6 address into a correct MAC address.
Restrictions and guidelines
An IPv4 server can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the IPv4 server.
The AFT mappings for different IPv4 internal servers cannot be the same.
When an IPv4 server moves from a VPN to the public network or another VPN, and its IPv4 address and port number do not change, do not edit the public network or VPN information by repeating this command. To edit the public network or VPN information, first execute the undo aft v4server command to delete the AFT mapping for the IPv4 server, and then execute the aft v4server command.
Examples
# Map IPv4 address 2.2.2.123 and port number 1720 of an IPv4 internal server to IPv6 address 3001::5 and port number 1720 for TCP packets.
<Sysname> system-view
[Sysname] aft v4server protocol tcp 3001::5 1720 2.2.2.123 1720
aft v4tov6 destination
Use aft v4tov6 destination to configure an IPv4-to-IPv6 destination address translation policy.
Use undo aft v4tov6 destination to delete an IPv4-to-IPv6 destination address translation policy.
Syntax
aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }
undo aft v4tov6 destination acl { name ipv4-acl-name | number ipv4-acl-number }
Default
No IPv4-to-IPv6 destination address translation policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
acl: Identifies IPv4 packets for address translation. AFT translates destination addresses for IPv4 packets permitted by the ACL.
name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all.
number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.
prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate destination addresses for packets permitted by the ACL.
prefix-ivi prefix-ivi: Specifies an IVI prefix. AFT uses the IVI prefix to translate destination addresses for packets permitted by the ACL.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which translated IPv6 addresses belong. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv6 addresses belong to the public network, do not specify this option.
Usage guidelines
You must specify different ACLs for different IPv4-to-IPv6 destination address translation policies.
You can specify a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.
Examples
# Configure the device to use IVI prefix 3000:db8e:: to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft prefix-ivi 3000:db8e::
[Sysname] aft v4tov6 destination acl number 2000 prefix-ivi 3000:db8e::
# Configure the device to use general prefix 2000:db8e::/32 to translate IPv4 destination addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft v4tov6 destination acl number 2000 prefix-general 2000:db8e:: 32
Related commands
aft prefix-general
aft prefix-ivi
display aft configuration
aft v4tov6 source
Use aft v4tov6 source to configure an IPv4-to-IPv6 source address translation policy.
Use undo aft v4tov6 source to delete an IPv4-to-IPv6 source address translation policy.
Syntax
IPv4-to-IPv6 source address static mapping:
aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ] [ vrrp virtual-router-id ]
undo aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ]
IPv4-to-IPv6 source address translation policy using a NAT64 prefix or general prefix:
aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }
undo aft v4tov6 source acl { name ipv4-acl-name | number ipv4-acl-number }
Default
No IPv4-to-IPv6 source address translation policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4-address: Specifies an IPv4 address.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv4 address belongs to the public network, do not specify this option.
ipv6-address: Specifies an IPv6 address. The IPv6 address in a static mapping cannot be on the same subnet as any interface on the device.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv6 address belongs to the public network, do not specify this option.
acl: Identifies IPv4 packets for address translation. AFT translates source addresses for packets permitted by the ACL.
name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all.
number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.
prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate source IPv4 addresses for packets permitted by the ACL.
prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the NAT64 prefix to translate source IPv4 addresses for packets permitted by the ACL.
vrrp virtual-router-id: Binds the IPv4-to-IPv6 source address translation policy to a VRRP group on the IPv6 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.
Usage guidelines
On a hot backup system, execute this command on the primary device to bind an IPv4-to-IPv6 source address translation policy to a hot backup-associated VRRP group on the IPv6 network. If not, ARP might fail to resolve an IPv4-mapped IPv6 address into a correct MAC address.
An IPv4-to-IPv6 source address translation policy can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the policy.
The IPv4 or IPv6 addresses in different static mappings cannot be the same.
You must specify different ACLs for IPv4-to-IPv6 source address translation policies that use NAT64 prefixes or general prefixes.
You can specify a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.
Examples
# Map IPv4 source address 2.2.2.123 to IPv6 source address 3001::5.
<Sysname> system-view
[Sysname] aft v4tov6 source 2.2.2.123 3001::5
# Configure the device to use NAT64 prefix 2000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft prefix-nat64 2000:: 32
[Sysname] aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32
# Configure the device to use general prefix 3000::/32 to translate IPv4 source addresses to IPv6 addresses for IPv4 packets permitted by ACL 2000.
<Sysname> system-view
[Sysname] aft v4tov6 source acl number 2000 prefix-general 3000:: 32
Related commands
aft prefix-general
aft prefix-nat64
display aft configuration
aft v6server
Use aft v6server to configure an AFT mapping for an IPv6 internal server.
Use undo aft v6server to delete an AFT mapping for an IPv6 internal server.
Syntax
aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ] [ vrrp virtual-router-id ]
undo aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ]
Default
No AFT mapping for an IPv6 internal server is configured.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.
ipv4-destination-address: Specifies an IPv4 address.
ipv4-port-number: Specifies an IPv4 port number in the range of 0 to 65535.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv4 address belongs to the public network, do not specify this option.
ipv6-destination-address: Specifies an IPv6 address.
ipv6-port-number: Specifies an IPv6 port number in the range of 0 to 65535.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv6 address belongs to the public network, do not specify this option.
vrrp virtual-router-id: Binds the IPv6 server to a VRRP group on the IPv4 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.
Usage guidelines
Application scenarios
During the transition from IPv4 to IPv6, some services are migrated to IPv6 servers. This command maps the IPv6 address and port number of an IPv6 server to an IPv4 address and port number. IPv4 hosts can use the IPv4 address and port number to access the services provided by the IPv6 server.
Recommended configuration
On a hot backup system, execute this command on the primary device to bind an AFT IPv6 server to a hot backup-associated VRRP group on the IPv4 network. Otherwise, ARP might fail to resolve an IPv6-mapped IPv4 address into the correct MAC address.
Restrictions and guidelines
An IPv6 server can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the IPv6 server.
The AFT mappings for different IPv6 internal servers cannot be the same.
If an IPv6 server moves from a VPN to the public network or another VPN, and its IPv6 address and port number do not change, do not edit the public network or VPN information by repeating this command. To edit the public network or VPN information, first execute the undo aft v6server command to delete the AFT mapping for the IPv6 server, and then execute the aft v6server command.
Examples
# Map IPv6 address 3001::5 and port number 1720 of an IPv6 internal server to IPv4 address 2.2.2.123 and port number 1720 for TCP packets.
<Sysname> system-view
[Sysname] aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720
Related commands
display aft configuration
aft v6tov4 source
Use aft v6tov4 source to configure an IPv6-to-IPv4 source address translation policy.
Use undo aft v6tov4 source to delete an IPv6-to-IPv4 source address translation policy.
Syntax
IPv6-to-IPv4 source address static mapping:
aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ vrrp virtual-router-id ]
undo aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ]
IPv6-to-IPv4 source address translation policy:
aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize [ extended-block-number extended-block-number ] [ port-range start-port-number end-port-number ]] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]
undo aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] }
Default
No IPv6-to-IPv4 source address translation policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies an IPv6 address.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv6 address belongs to the public network, do not specify this option.
ipv4-address: Specifies an IPv4 address.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv4 address belongs to the public network, do not specify this option.
vrrp virtual-router-id: Binds the IPv6-to-IPv4 source address translation policy to a VRRP group on the IPv4 network. The virtual-router-id parameter represents the virtual router ID of the VRRP group, in the range of 1 to 255.
acl ipv6: Identifies IPv6 packets for address translation. AFT translates source addresses for IPv6 packets permitted by the ACL.
name ipv6-acl-name: Specifies an IPv6 ACL by its name. The ipv6-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all.
number ipv6-acl-number: Specifies an IPv6 ACL by its number in the range of 2000 to 3999.
prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The prefix-length argument represents a prefix length, which can be 32, 40, 48, 56, 64, or 96. AFT translates source IPv6 addresses for packets whose destination IPv6 addresses match the NAT64 prefix.
address-group group-id: Specifies an AFT address group by its ID in the range of 0 to 65535.
no-pat: Specifies the NO-PAT mode. If you do not specify the keyword, AFT uses the PAT mode.
port-block-size blocksize: Specifies the port block size in the range of 100 to 64512. If you do not specify the option, the port range will not be divided.
extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When an IPv6 address accesses the IPv4 network and all ports in its assigned port block are occupied, AFT extends port blocks for the IPv6 address one at a time. An IPv6 address can be assigned a maximum of extended-block-number extended port blocks.
port-range start-port-number end-port-number: Specifies the start port number and end port number of a port range for the IPv4 address. The value range for the start-port-number argument is 1024 to 65535, and the default value is 1024. The value range for the end-port-number argument is 1024 to 65535, and the default value is 65535. The end port number cannot be smaller than the start port number.
interface interface-type interface-number: Specifies an interface by its type and number. AFT translates source IPv6 addresses to the primary IPv4 address of the specified interface.
Usage guidelines
If you set a port block size, the port range (1024 to 65535 by default, or the range set by the port-range option) is divided into port blocks of that size. For example, if you set the port block size to 1000, the port range is divided into port blocks 1024 to 2023, 2024 to 3023, and so on. The port blocks are used for PAT.
The IPv4 or IPv6 addresses in different static mappings cannot be the same.
You must specify different ACLs, NAT64 prefixes, and AFT address groups for different IPv6-to-IPv4 source address translation policies.
You can specify a nonexistent NAT64 prefix in a policy, but the policy takes effect only after you configure the prefix.
On a hot backup system, execute this command on the primary device to bind an IPv6-to-IPv4 source address translation policy to a hot backup-associated VRRP group on the IPv4 network. Otherwise, ARP might fail to resolve an IPv6-mapped IPv4 address into the correct MAC address.
An IPv6-to-IPv4 source address translation policy can be bound to only one VRRP group. You can execute this command multiple times to change the bound VRRP group for the policy.
Examples
# Map source IPv6 address 3001::5 to source IPv4 address 2.2.2.123.
<Sysname> system-view
[Sysname] aft v6tov4 source 3001::5 2.2.2.123
# Configure the device to use AFT address group 0 to translate source addresses for IPv6 packets permitted by ACL 2000, dividing the port range into port blocks of 100 ports.
<Sysname> system-view
[Sysname] aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100
Related commands
display aft configuration
display aft port-block
aft v6tov4 source port-block-group
Use aft v6tov4 source port-block-group to configure a port block group-based IPv6-to-IPv4 source address static translation policy.
Use undo aft v6tov4 source port-block-group to delete a port block group-based IPv6-to-IPv4 source address static translation policy.
Syntax
aft v6tov4 source port-block-group group-id
undo aft v6tov4 source port-block-group group-id
Default
No port block group-based IPv6-to-IPv4 source address static translation policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-id: Specifies a port block group by its ID for the policy in the range of 0 to 65535.
Usage guidelines
After a policy is created, the device algorithmically maps each IPv6 prefix in the port block group to a unique IPv4 address and port block pair according to the port block group configuration. If not enough unique IPv4 address and port block pairs are available, the excess IPv6 prefixes are ignored, and IPv6 addresses matching those prefixes cannot be translated.
The total number of IPv6 prefixes that can be mapped equals the total number of unique IPv4 address and port block pairs in the policy, which is calculated as follows:
Total number of IPv6 prefixes that can be mapped = N × M, where:
· N is the total number of port blocks in the port block group, which is the result of dividing the port range by the port block size.
· M is the total number of IPv4 addresses in the policy available for IPv6-to-IPv4 source address translation.
For example, assume that a policy contains two IPv4 addresses (X1 and Y1) and n port blocks. The device takes the first n IPv6 prefixes in the port block group and maps them to IPv4 address X1 paired in turn with port blocks 1 through n, and then maps the next n prefixes to IPv4 address Y1 in the same way. The created static port block mappings are as follows:
· IPv6 prefix x1<-->IPv4 address X1 + Port block 1
· IPv6 prefix x2<-->IPv4 address X1 + Port block 2
· …
· IPv6 prefix xn<-->IPv4 address X1 + Port block n
· IPv6 prefix y1<-->IPv4 address Y1 + Port block 1
· IPv6 prefix y2<-->IPv4 address Y1 + Port block 2
· …
· IPv6 prefix yn<-->IPv4 address Y1 + Port block n.
For an IPv6-initiated session packet, AFT first identifies the matching static port block mapping entry based on the IPv6 prefix that the packet's source IPv6 address matches. Then, AFT translates the source IPv6 address of the packet into the IPv4 address and a TCP or UDP port number in the port block of the matching entry.
Examples
# Create AFT port block group 1. In the port block group, specify the IPv4 address range, IPv6 prefix range and prefix length, port block size, and port block range.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1] ip-address 10.1.1.1 10.1.1.15
[Sysname-aft-port-block-group-1] ipv6-prefix 100::100 100::a00 120
[Sysname-aft-port-block-group-1] block-size 1024
[Sysname-aft-port-block-group-1] port-range 1024 65535
[Sysname-aft-port-block-group-1] quit
# Create an IPv6-to-IPv4 source address static translation policy based on port block group 1.
[Sysname] aft v6tov4 source port-block-group 1
Related commands
aft port-block-group
aft v6tov4 source
display aft configuration
block-size
Use block-size to set the port block size for a port block group.
Use undo block-size to restore the default.
Syntax
block-size block-size-value
undo block-size
Default
The default port block size is 256.
Views
AFT port block group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
block-size-value: Specifies the number of ports per port block, in the range of 1 to 65535.
Usage guidelines
The port range in a port block group will be divided into port blocks of the specified port block size. AFT pairs each port block in the port range in turn with each IPv4 address and creates one-to-one mappings between the IPv4 address-port block pairs and IPv6 prefixes. Set an appropriate port block size for the port block group to meet the AFT translation requirements.
The number of ports in a port range cannot be smaller than the port block size.
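The N × M capacity rule and the X1/Y1 pairing order described under aft v6tov4 source port-block-group, the port block division that block-size performs (and that port-block-size performs for dynamic policies), and the failure mode where excess IPv6 prefixes go unmapped can be made concrete with the following Python model. This is an added example, not H3C code and not part of this command reference. Two details are assumptions: the device is assumed to discard a trailing partial block when the port range does not divide evenly (integer division for N), and prefixes are assumed to be assigned in the order they appear in the ipv6-prefix range. The inputs are the port block group 1 settings from the example above.

```python
import ipaddress

# Added example (not H3C code). Models a port block group-based
# IPv6-to-IPv4 static translation policy: IPv4 addresses paired with port
# blocks, IPv6 prefixes mapped onto those pairs, and source lookup.


def port_blocks(start_port, end_port, block_size):
    """Divide [start_port, end_port] into consecutive blocks of block_size ports.

    N = number of whole blocks that fit; a trailing partial block is dropped
    (assumption about how the device rounds). Also matches the port-block-size
    division for dynamic policies, e.g. 1024-2023, 2024-3023 for size 1000.
    """
    if block_size < 1 or end_port < start_port:
        raise ValueError("invalid port range or block size")
    blocks = []
    port = start_port
    while port + block_size - 1 <= end_port:
        blocks.append((port, port + block_size - 1))
        port += block_size
    return blocks


def ipv4_addresses(start, end):
    """Expand an inclusive IPv4 range (the ip-address command); M = len(result)."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address lower than start address")
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


def ipv6_prefixes(start, end, length):
    """Enumerate the /length prefixes from start to end (the ipv6-prefix command)."""
    step = 1 << (128 - length)
    first = int(ipaddress.IPv6Address(start)) & ~(step - 1)  # align to prefix boundary
    last = int(ipaddress.IPv6Address(end))
    return [str(ipaddress.IPv6Network((i, length))) for i in range(first, last + 1, step)]


def capacity(addrs, blocks):
    """Total mappable prefixes = N x M."""
    return len(addrs) * len(blocks)


def build_static_mappings(addrs, prefixes, blocks):
    """Create one-to-one prefix <-> (IPv4 address, port block) mappings.

    Pairs are generated as X1+block1 ... X1+blockN, then Y1+block1 ... Y1+blockN.
    Prefixes beyond N x M are returned as unmapped: hosts in them cannot be
    translated (the failure mode the usage guidelines warn about).
    """
    pairs = [(a, b) for a in addrs for b in blocks]
    mappings = dict(zip(prefixes, pairs))
    unmapped = prefixes[len(pairs):]
    return mappings, unmapped


def translate_source(src_ipv6, mappings):
    """Return (ipv4, (first_port, last_port)) for an IPv6-initiated packet's
    source address, or None if no mapped prefix contains it."""
    addr = ipaddress.IPv6Address(src_ipv6)
    for prefix, pair in mappings.items():
        if addr in ipaddress.IPv6Network(prefix):
            return pair
    return None


if __name__ == "__main__":
    # Constructed input: port block group 1 from the configuration example.
    addrs = ipv4_addresses("10.1.1.1", "10.1.1.15")          # M = 15
    blocks = port_blocks(1024, 65535, 1024)                  # N = 63
    prefixes = ipv6_prefixes("100::100", "100::a00", 120)    # 10 prefixes
    mappings, unmapped = build_static_mappings(addrs, prefixes, blocks)
    print(f"N*M = {capacity(addrs, blocks)}, mapped = {len(mappings)}, unmapped = {len(unmapped)}")
    for prefix, (ip4, block) in mappings.items():
        print(f"{prefix:<14} <--> {ip4} + ports {block[0]}-{block[1]}")
    print("100::a05 ->", translate_source("100::a05", mappings))
```

With these inputs the capacity is 63 × 15 = 945 pairs, so all ten /120 prefixes map to 10.1.1.1 with port blocks 1 through 10; a group whose prefix range exceeds N × M leaves the tail of the prefix range untranslatable, which is what to check before committing a block-size change.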
Examples
# Set the port block size to 1024 for port block group 1.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1] block-size 1024
Related commands
aft v6tov4 source
display aft configuration
port-range
display aft address-group
Use display aft address-group to display AFT address group information.
Syntax
display aft address-group [ group-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
group-id: Specifies an AFT address group ID in the range of 0 to 65535. If you do not specify this argument, the command displays information about all AFT address groups.
Examples
# Display information about all AFT address groups.
<Sysname> display aft address-group
There are 3 AFT address groups.
Group ID    VRID    Start address      End address
1                   202.110.10.10      202.110.10.15
2                   202.110.10.20      202.110.10.25
                    202.110.10.30      202.110.10.35
6                   ---                ---
# Display information about AFT address group 1.
<Sysname> display aft address-group 1
Group ID    VRID    Start address      End address
1                   202.110.10.10      202.110.10.15
Table 1 Command output
Field |
Description |
There are n AFT address groups |
Total number of existing AFT address groups. |
Group ID |
Address group ID. |
VRID |
Virtual router ID of a VRRP group. If no VRRP group is specified, this field displays three hyphens (---). |
Start address |
Start IP address of an address range. If you do not specify the start address, this field displays three hyphens (---). |
End address |
End IP address of an address range. If you do not specify the end address, this field displays three hyphens (---). |
display aft address-mapping
Use display aft address-mapping to display AFT address mappings.
Syntax
display aft address-mapping [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT mappings for all member devices.
Examples
# Display AFT mappings.
<Sysname> display aft address-mapping
Slot 1:
IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024
      Destination IP/port: 5000::1717:1714/1025
      VPN instance/VLAN ID/Inline ID: -/-/-
      Protocol: TCP(6)
IPv4: Source IP/port: 1.1.1.1/1031
      Destination IP/port: 23.23.23.20/1025
      VPN instance/VLAN ID/Inline ID: -/-/-
      Protocol: TCP(6)
Total address mappings found: 1
Table 2 Command output
Field |
Description |
IPv4 |
IPv4 address information. |
IPv6 |
IPv6 address information. |
Source IP/port |
Source IP address and port number. |
Destination IP/port |
Destination IP address and port number. |
VPN instance/VLAN ID/Inline ID |
The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · Inline ID—Inline to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field. |
Protocol |
Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
display aft configuration
Use display aft configuration to display AFT configuration.
Syntax
display aft configuration
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Usage guidelines
The display aft configuration command shows only settings that have been explicitly configured. The exception is the AFT ALG status, which is always displayed.
Examples
# Display AFT configuration.
<Sysname> display aft configuration
aft address-group 1
VRID: 1
address 202.110.10.10 202.110.10.15
address 101.1.1.100 101.1.1.200
aft remote-backup port-alloc primary
aft port-block-group 1
ip-address 20.1.1.20 20.1.1.30
ipv6-prefix 100::100 100::110 128
block-size 100
port-range 1024 2000
aft prefix-ivi 3000:DB8E::
aft prefix-general 2000:DB8E:: 32
aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100
extended-block-number 5 port-range 1024 65535
aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32
aft v4tov6 destination acl number 2000 prefix-ivi 3000:DB8E::
aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720
aft v4server protocol tcp 3001::5 1800 2.2.2.123 1800
aft turn-off tos
aft turn-off traffic-class
aft log enable
aft log flow-begin
aft log flow-end
aft log port-block assign
aft log port-block withdraw
aft log port-block alarm
interface GigabitEthernet1/0/1
aft enable
aft flow-redirect dynamic disable
AFT ALG:
DNS : Enabled
FTP : Enabled
HTTP : Enabled
ICMP-ERROR : Enabled
RTSP : Enabled
SIP : Enabled
H323 : Enabled
Table 3 Command output
Field |
Description |
aft address-group XX |
AFT address group ID. |
VRID |
Virtual router ID (VRRP group number). |
address |
Address ranges in the AFT address group. |
aft port-load-balance enable slot XX |
AFT port halving is enabled. The XX is in slot number format, which represents the member ID of an IRF member device. |
aft remote-backup port-alloc XX |
The XX indicates the AFT port ranges used by the primary and secondary devices in the hot backup system. · primary—The primary device uses the lower half of the port block, and the secondary device uses the higher half of the port block. · secondary—The primary device uses the higher half of the port block, and the secondary device uses the lower half of the port block. |
aft port-block-group XX |
AFT port block group identified by ID XX. An AFT port block group contains the following settings: · ip-address—IPv4 address ranges used for IPv6-to-IPv4 source address translation. · ipv6-prefix—IPv6 prefix ranges for IPv6-to-IPv4 source address translation. · block-size—Port block size of the port block group. · port-range—Port range of the port block group. |
aft prefix-nat64 X:X::X:X |
NAT64 prefix address. |
aft prefix-ivi X:X::X:X |
IVI prefix. |
aft prefix-general X:X::X:X |
General prefix. |
aft v6tov4 source XX |
IPv6-to-IPv4 source address translation policy. For more information, see the aft v6tov4 source command. |
aft v4tov6 source XX |
IPv4-to-IPv6 source address translation policy. For more information, see the aft v4tov6 source command. |
aft v4tov6 destination XX |
IPv4-to-IPv6 destination address translation policy. For more information, see the aft v4tov6 destination command. |
aft v6server |
AFT mapping for an IPv6 internal server. |
aft v4server |
AFT mapping for an IPv4 internal server. |
aft turn-off tos |
Value of the ToS field in IPv4 packets translated from IPv6 packets. |
aft turn-off traffic-class |
Value of the Traffic Class field in IPv6 packets translated from IPv4 packets. |
aft log enable |
AFT logging is enabled. |
aft log flow-begin |
AFT session establishment logging is enabled. |
aft log flow-end |
AFT session removal logging is enabled. |
aft log port-block assign |
AFT port block assignment logging is enabled. |
aft log port-block withdraw |
AFT port block withdrawal logging is enabled. |
aft log port-block alarm |
AFT port block exhaustion logging is enabled. |
interface XXX |
AFT-enabled interface. |
aft enable |
AFT is enabled. |
AFT ALG |
AFT ALG status: · Enabled. · Disabled. |
undo aft port-block synchronization enable |
Dynamic AFT port block mapping synchronization is disabled. |
display aft no-pat
Use display aft no-pat to display AFT NO-PAT entries.
Syntax
display aft no-pat [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT NO-PAT entries for all member devices.
Usage guidelines
An AFT NO-PAT entry records a mapping between an IPv4 address and an IPv6 address without ports.
Examples
# Display AFT NO-PAT entries.
<Sysname> display aft no-pat
Slot 1:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
IPv4 VPN : vpn2
IPv6 VPN : vpn1
IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
IPv4 VPN : vpn2
IPv6 VPN : vpn1
Total entries found: 2
Table 4 Command output
Field |
Description |
IPv6 address |
Original IPv6 address. |
IPv4 address |
Translated IPv4 address. |
IPv4 VPN |
VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. |
IPv6 VPN |
VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. |
Total entries found |
Total number of AFT NO-PAT entries. |
display aft port-block
Use display aft port-block to display AFT port block mappings.
Syntax
display aft port-block { dynamic | static } [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
dynamic: Specifies dynamic port block mappings.
static: Specifies static port block mappings.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT port block mappings for all member devices.
Examples
# Display dynamic AFT port block mappings on the specified slot.
<Sysname> display aft port-block dynamic slot 1
Slot 1:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
Port block : [1024 – 1123]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
Port block : [1024 – 1200]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
Port-block mapping state: Normal
Total entries found: 2
# Display static AFT port block mappings on slot 1.
<Sysname> display aft port-block static slot 1
Slot 1:
IPv6 Prefix: 3006::/16
IPv4 Address: 200.100.1.100
Port block : [1024 – 1123]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
IPv6 Prefix: 4016::/16
IPv4 Address: 202.120.12.110
Port block : [1024 – 1200]
IPv4 VPN : vpn2
IPv6 VPN : vpn1
Total entries found: 2
Table 5 Command output
Field |
Description |
IPv6 address |
IPv6 address to be translated. This field is available only in dynamic port block mappings. |
IPv6 Prefix |
IPv6 prefix to match the IPv6 addresses to be translated. This field is available only in static port block mappings. |
IPv4 Address |
Translated IPv4 address. |
Port block |
Port range for the translated IPv4 address. |
IPv4 VPN |
VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. |
IPv6 VPN |
VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. |
Port-block mapping state |
State of a dynamic port block. Options are: · Normal—Dual-device hot backup has not backed up the dynamic port block or the device works in standalone mode. · Backed up—Dual-device hot backup has backed up the dynamic port block. · Restored—Dual-device hot backup has restored the dynamic port block from the backup. |
Total entries found |
Total number of AFT port block mapping entries. |
display aft session
Use display aft session to display AFT sessions.
Syntax
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ipv4: Displays IPv4 AFT sessions.
source-ip source-ip-address: Specifies the source IPv4 address of the packets that initiate AFT sessions.
destination-ip destination-ip-address: Specifies the destination IPv4 address of the packets that initiate AFT sessions.
vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.
ipv6: Displays IPv6 AFT sessions.
source-ip source-ipv6-address: Specifies the source IPv6 address of the packets that initiate AFT sessions.
destination-ip destination-ipv6-address: Specifies the destination IPv6 address of the packets that initiate AFT sessions.
vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays AFT sessions for the public network.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT sessions for all member devices.
verbose: Displays detailed information about AFT sessions. If you do not specify this keyword, this command displays brief information about AFT sessions.
Usage guidelines
If you do not specify any parameters, this command displays all AFT sessions.
Examples
# Display detailed information about AFT sessions for the specified slot.
<Sysname> display aft session ipv4 slot 1 verbose
Slot 1:
Initiator:
Source IP/port: 10.1.1.1/217
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 20.1.1.1/217
Destination IP/port: 10.1.1.1/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: ICMP_REPLY
Application: ICMP
Rule ID: -/-/-
Rule name:
Start time: 2022-07-18 09:42:38 TTL: 28s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 6 Command output
Field |
Description |
Initiator |
Session information about the initiator. |
Source IP/port |
Source IP address and port number. |
Destination IP/port |
Destination IP address and port number. |
DS-Lite tunnel peer |
Address of the B4 end on the DS-Lite tunnel. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID |
The fields identify the following information: · VPN instance—MPLS L3VPN instance to which the session belongs. · VLAN ID—VLAN to which the session belongs for Layer 2 forwarding. · Inline ID—Inline to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for the related field. |
Protocol |
Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
Inbound interface |
Input interface. |
Responder |
Session information about the responder. |
Source security zone |
Security zone to which the input interface belongs. |
State |
AFT session state. |
Application |
Application layer protocol, such as FTP and DNS. This field displays unknown for the protocol types that are identified by non-well-known ports and are not user-defined. |
Rule ID |
ID of the security policy rule. |
Rule name |
Name of the security policy rule. |
Start time |
Time when the session starts. |
TTL |
Remaining lifetime of the session, in seconds. |
Initiator->Responder |
Number of packets and bytes from the initiator to the responder. |
Responder->Initiator |
Number of packets and bytes from the responder to the initiator. |
Total sessions found |
Total number of AFT sessions. |
Related commands
reset aft session
display aft statistics
Use display aft statistics to display AFT statistics.
Syntax
display aft statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT statistics for all member devices.
Usage guidelines
If you do not specify any parameters, this command displays all AFT statistics.
Examples
# Display all AFT statistics for the specified slot.
<Sysname> display aft statistics slot 1
Slot 1:
Total NO-PAT entries found: 0
Total port-block entries found: 0
Total IPv4 sessions: 0
Total IPv6 sessions: 0
Total not match AFT: 0
Dropped packets: 0
Configuration sequence changed: 0
Failed to transfer payload: 0
Failed to transfer packet header: 0
Packet examination failed before packet sending: 0
Failed to translate destination address: 0
The translated destination address is invalid: 0
Failed to translate source address: 0
Failed to transfer FSBUF to MBUF: 0
Session ext-info is null: 0
Peer session is null: 0
Failed to get translation information from session: 0
Failed to create session: 0
Failed to fragment the MBUF: 0
Failed to create fast forwarding table: 0
Failed to formalize session: 0
Other reasons: 0
Table 7 Command output
Field | Description |
---|---|
Total NO-PAT entries found | Total number of AFT NO-PAT entries. |
Total port-block entries found | Total number of AFT port block mappings. |
Total IPv4 sessions | Total number of AFT IPv4 sessions. |
Total IPv6 sessions | Total number of AFT IPv6 sessions. |
Total not match AFT | Total number of packets that fail to match AFT configuration. |
Dropped packets | Number of packets dropped by AFT. |
Configuration sequence changed | Number of packets dropped due to configuration sequence changes. |
Failed to transfer payload | Number of packets dropped due to ALG failures. |
Failed to transfer packet header | Number of packets dropped due to packet header transformation failures. |
Packet examination failed before packet sending | Number of packets dropped due to packet examination failures before packet sending. |
Failed to translate destination address | Number of packets dropped due to destination address translation failures. |
The translated destination address is invalid | Number of packets dropped because the translated destination address is invalid. |
Failed to translate source address | Number of packets dropped due to source address translation failures. |
Failed to transfer FSBUF to MBUF | Number of packets dropped due to FSBUF-to-MBUF transformation failures. |
Session ext-info is null | Number of packets dropped due to session extended information acquisition failures. |
Peer session is null | Number of packets dropped due to peer session lookup failures. |
Failed to get translation information from session | Number of packets dropped due to translation information acquisition failures from sessions. |
Failed to create session | Number of packets dropped due to session creation failures. |
Failed to fragment the MBUF | Number of packets dropped due to fragmentation failures. |
Failed to create fast forwarding table | Number of packets dropped due to fast forwarding table creation failures. |
Failed to formalize session | Number of packets dropped due to session formalization failures. |
Other reasons | Number of packets dropped due to other reasons. |
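A monitoring job that polls display aft statistics has to parse the output shown above and single out the per-reason drop counters, since the Dropped packets total alone does not say why AFT is discarding traffic. The following Python parser is an added example and is not part of the H3C documentation or product. The sample output is constructed from the field names above with a few counters raised; the assumption that Dropped packets equals the sum of the per-reason counters is not stated on the page and is only used to flag drops that no listed reason accounts for.

```python
import re

# Constructed sample in the format of "display aft statistics slot 1" shown on
# this page, with some counters raised so the drop analysis has something to report.
SAMPLE_OUTPUT = """Slot 1:
Total NO-PAT entries found: 12
Total port-block entries found: 40
Total IPv4 sessions: 310
Total IPv6 sessions: 295
Total not match AFT: 7
Dropped packets: 9
Configuration sequence changed: 0
Failed to transfer payload: 3
Failed to transfer packet header: 0
Packet examination failed before packet sending: 0
Failed to translate destination address: 0
The translated destination address is invalid: 0
Failed to translate source address: 6
Failed to transfer FSBUF to MBUF: 0
Session ext-info is null: 0
Peer session is null: 0
Failed to get translation information from session: 0
Failed to create session: 0
Failed to fragment the MBUF: 0
Failed to create fast forwarding table: 0
Failed to formalize session: 0
Other reasons: 0
"""

# Counters that describe table and session population, not drops.
NON_DROP_FIELDS = {
    "Total NO-PAT entries found",
    "Total port-block entries found",
    "Total IPv4 sessions",
    "Total IPv6 sessions",
    "Total not match AFT",
}

_SLOT = re.compile(r"^Slot\s+(?P<slot>\d+):\s*$")
_LINE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)\s*$")


def parse_aft_statistics(text):
    """Return {slot: {counter name: int}} parsed from display aft statistics output."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SLOT.match(line)
        if m:
            current = int(m.group("slot"))
            result[current] = {}
            continue
        m = _LINE.match(line)
        if m and current is not None:
            result[current][m.group("name").strip()] = int(m.group("value"))
    return result


def drop_reasons(counters):
    """Non-zero per-reason drop counters for one slot, largest first."""
    reasons = {k: v for k, v in counters.items()
               if k not in NON_DROP_FIELDS and k != "Dropped packets" and v > 0}
    return sorted(reasons.items(), key=lambda kv: -kv[1])


def unexplained_drops(counters):
    """Dropped packets not covered by any listed reason.

    Assumption (not stated on the page): 'Dropped packets' is the sum of the
    per-reason counters, so a positive remainder points at a reason missing from
    the output or at counters reset at different times.
    """
    explained = sum(v for _, v in drop_reasons(counters))
    return counters.get("Dropped packets", 0) - explained


def delta(before, after):
    """Counter increase between two snapshots of one slot; useful because
    reset aft statistics only clears the drop counters, so polling should
    compare snapshots rather than rely on a reset."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in after
            if after.get(k, 0) - before.get(k, 0) > 0}


if __name__ == "__main__":
    stats = parse_aft_statistics(SAMPLE_OUTPUT)
    for slot, counters in stats.items():
        print(f"slot {slot}: drops by reason {drop_reasons(counters)}, "
              f"unexplained {unexplained_drops(counters)}")
```

Run it against the output of display aft statistics (all slots at once, since the parser keys on the Slot lines) and alert on any reason that grows between polls rather than on the absolute value.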
Related commands
reset aft statistics
ip-address
Use ip-address to add an IPv4 address range to an AFT port block group.
Use undo ip-address to remove an IPv4 address range from an AFT port block group.
Syntax
ip-address start-address end-address [ vpn-instance vpn-name ]
undo ip-address start-address end-address [ vpn-instance vpn-name ]
Default
An AFT port block group does not contain IPv4 address ranges.
Views
AFT port block group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address range belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. If the IPv4 address range belongs to the public network, do not specify this option.
Usage guidelines
For IPv6-initiated session packets, a port block group-based IPv6-to-IPv4 source address translation policy translates the packets' source IPv6 addresses into IPv4 addresses in the address range of the port block group.
You can execute this command multiple times to add multiple IPv4 address ranges to a port block group. When you add address ranges to an AFT port block group, follow these guidelines:
· Each address range can contain a maximum of 256 addresses.
· The address ranges within the same port block group cannot overlap.
· Different port block groups can use overlapping address ranges but the overlapping address ranges must have non-overlapping port ranges.
Examples
# Add an IPv4 address range (10.1.1.1 to 10.1.1.15) to AFT port block group 1.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1] ip-address 10.1.1.1 10.1.1.15
Related commands
aft v6tov4 source
display aft configuration
ipv6-prefix
Use ipv6-prefix to add an IPv6 prefix range to an AFT port block group.
Use undo ipv6-prefix to remove an IPv6 prefix range from an AFT port block group.
Syntax
ipv6-prefix ipv6-start-prefix ipv6-end-prefix prefix-length [ vpn-instance vpn-name ]
undo ipv6-prefix ipv6-start-prefix ipv6-end-prefix prefix-length [ vpn-instance vpn-name ]
Default
An AFT port block group does not contain IPv6 prefix ranges.
Views
AFT port block group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-start-prefix: Specifies the start IPv6 prefix of the IPv6 prefix range.
ipv6-end-prefix: Specifies the end IPv6 prefix of the IPv6 prefix range.
prefix-length: Specifies the prefix length in the range of 1 to 128.
vpn-instance vpn-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 addresses belong. To have the configuration take effect, make sure the specified MPLS L3VPN instance already exists. The vpn-name argument is a case-sensitive string of 1 to 31 characters. If the IPv6 addresses belong to the public network, do not specify this option.
Usage guidelines
For IPv6-initiated session packets, a port block group-based IPv6-to-IPv4 source address translation policy translates the packets' source IPv6 addresses into IPv4 addresses in the address range of the port block group.
You can execute this command multiple times to add multiple IPv6 prefix ranges to a port block group. After an IPv6-to-IPv4 source address translation policy is created based on the port block group, the device maps each IPv6 prefix to a unique IPv4 address and port block pair according to the port block group configuration. If not enough unique IPv4 address and port block pairs are available, the excess IPv6 prefixes are ignored, and IPv6 addresses matching those prefixes cannot be translated.
The IPv6 prefix ranges within the same AFT port block group must meet the following requirements:
· IPv6 prefix ranges within the same VPN instance cannot overlap.
· IPv6 prefix ranges that belong to the public network cannot overlap.
The IPv6 prefix ranges in different AFT port block groups must meet the following requirements:
· IPv6 prefix ranges in the same VPN instance cannot overlap.
· IPv6 prefix ranges that belong to the public network can overlap.
Examples
# Add an IPv6 prefix range (240E:00D8:8200:0000::/64 to 240E:00D8:8200:0007::/64) to AFT port block group 1.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1] ipv6-prefix 240E:00D8:8200:0000:: 240E:00D8:8200:0007:: 64
Related commands
aft v6tov4 source
display aft configuration
port-range
Use port-range to specify the port range for an AFT port block group.
Use undo port-range to restore the default port range for an AFT port block group.
Syntax
port-range start-port-number end-port-number
undo port-range
Default
An AFT port block group uses port range 1 to 65535.
Views
AFT port block group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
start-port-number end-port-number: Specifies the start and end port numbers for the port range. The end port number cannot be lower than the start port number. As a best practice, set the start port number to 1024 or higher to avoid application protocol identification errors.
Usage guidelines
The port range in a port block group will be divided into port blocks of the specified port block size.
The number of ports in a port range cannot be smaller than the port block size.
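The guidelines for ip-address, ipv6-prefix and port-range above together decide how many IPv6 prefixes a port block group can actually serve: each IPv4 address combined with each port block gives one unique pair, and prefixes beyond that count are silently ignored. The following Python model is an added example, not part of the H3C documentation or product, that encodes the stated rules (256 addresses per range, no overlapping ranges within a group, port range not smaller than the block size, overlapping addresses across groups only with disjoint port ranges) and works out which prefixes of a range would be left untranslated. Assumptions: the block-size values used are illustrative because that command's value range is not on this page, prefixes are assigned to pairs in ascending order, and a partial trailing port block is not used; none of those three is documented here.

```python
import ipaddress

MAX_RANGE_ADDRESSES = 256  # per-range limit stated for the ip-address command


class PortBlockGroup:
    """Model of an AFT port block group: IPv4 ranges, port range, block size
    and IPv6 prefix ranges, with the validation rules from this page."""

    def __init__(self, group_id, block_size, port_range=(1, 65535)):
        start, end = port_range
        if end < start:
            raise ValueError("end port cannot be lower than start port")
        if end - start + 1 < block_size:
            raise ValueError("port range cannot be smaller than the port block size")
        self.group_id = group_id
        self.block_size = block_size        # assumed value; range not given on this page
        self.port_range = port_range
        self.ipv4_ranges = []               # (first, last) IPv4Address pairs
        self.ipv6_prefixes = []             # expanded IPv6Network objects

    def ip_address(self, start, end):
        """Counterpart of 'ip-address start end' in port block group view."""
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("end address cannot be lower than start address")
        if int(last) - int(first) + 1 > MAX_RANGE_ADDRESSES:
            raise ValueError("an address range may contain at most 256 addresses")
        if any(first <= l and f <= last for f, l in self.ipv4_ranges):
            raise ValueError("address ranges within one group cannot overlap")
        self.ipv4_ranges.append((first, last))

    def ipv6_prefix(self, start_prefix, end_prefix, length):
        """Counterpart of 'ipv6-prefix start end length'; expands the range
        into individual prefixes in ascending order."""
        start = ipaddress.IPv6Network(f"{start_prefix}/{length}")
        end = ipaddress.IPv6Network(f"{end_prefix}/{length}")
        if end.network_address < start.network_address:
            raise ValueError("end prefix cannot be lower than start prefix")
        step = 1 << (128 - length)
        new, cur = [], int(start.network_address)
        while cur <= int(end.network_address):
            new.append(ipaddress.IPv6Network((cur, length)))
            cur += step
        if any(n.overlaps(e) for n in new for e in self.ipv6_prefixes):
            raise ValueError("IPv6 prefix ranges within one group cannot overlap")
        self.ipv6_prefixes.extend(new)

    def port_blocks(self):
        """Whole blocks carved from the port range (trailing remainder assumed unused)."""
        start, end = self.port_range
        count = (end - start + 1) // self.block_size
        return [(start + i * self.block_size, start + (i + 1) * self.block_size - 1)
                for i in range(count)]

    def pairs(self):
        """Every unique (IPv4 address, port block) pair the group can hand out."""
        blocks = self.port_blocks()
        return [(str(ipaddress.IPv4Address(a)), blk)
                for f, l in self.ipv4_ranges
                for a in range(int(f), int(l) + 1)
                for blk in blocks]

    def plan(self):
        """Assign prefixes to pairs in order (assumed order, not documented) and
        return (mapped, ignored): prefixes past the pair count cannot be translated."""
        pairs = self.pairs()
        mapped = {str(p): pairs[i] for i, p in enumerate(self.ipv6_prefixes[:len(pairs)])}
        ignored = [str(p) for p in self.ipv6_prefixes[len(pairs):]]
        return mapped, ignored


def groups_conflict(g1, g2):
    """Two groups may share IPv4 addresses only if their port ranges do not overlap."""
    addr_overlap = any(f1 <= l2 and f2 <= l1
                       for f1, l1 in g1.ipv4_ranges for f2, l2 in g2.ipv4_ranges)
    (s1, e1), (s2, e2) = g1.port_range, g2.port_range
    return addr_overlap and s1 <= e2 and s2 <= e1


if __name__ == "__main__":
    g = PortBlockGroup(1, block_size=256, port_range=(1024, 65535))
    g.ip_address("10.1.1.1", "10.1.1.15")
    g.ipv6_prefix("240E:00D8:8200:0000::", "240E:00D8:8200:0007::", 64)
    mapped, ignored = g.plan()
    print(f"{len(g.pairs())} pairs, {len(mapped)} prefixes mapped, {len(ignored)} ignored")
```

With the page's own values (15 addresses, ports 1024 to 65535, an assumed block size of 256) the group has 15 × 252 = 3780 pairs, far more than the 8 prefixes in the example range; shrinking the address range or enlarging the block size is what pushes a prefix range over capacity, which plan() reports instead of letting it fail silently.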
Examples
# Specify port range 1024 to 65535 for AFT port block group 1.
<Sysname> system-view
[Sysname] aft port-block-group 1
[Sysname-aft-port-block-group-1] port-range 1024 65535
Related commands
aft port-block-group
aft v6tov4 source
block-size
display aft configuration
reset aft session
Use reset aft session to clear AFT sessions.
Syntax
reset aft session [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears AFT sessions for all member devices.
Usage guidelines
After you clear AFT sessions, the corresponding AFT NO-PAT entries and port block mappings are also cleared.
Examples
# Clear AFT sessions for the specified slot.
<Sysname> reset aft session slot 1
Related commands
display aft session
reset aft statistics
Use reset aft statistics to clear AFT statistics.
Syntax
reset aft statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears AFT statistics for all member devices.
Usage guidelines
The AFT statistics include the number of dropped packets, the number of NO-PAT entries, and the number of port block entries. This command resets only the dropped packet counters.
Examples
# Clear AFT statistics for the specified slot.
<Sysname> reset aft statistics slot 1
Related commands
display aft statistics
vrrp vrid
Use vrrp vrid to bind a VRRP group to an AFT address group or an AFT port block group.
Use undo vrrp vrid to restore the default.
Syntax
AFT address group view:
vrrp vrid virtual-router-id
undo vrrp vrid virtual-router-id
AFT port block group view:
vrrp vrid virtual-router-id
undo vrrp vrid
Default
An AFT address group or AFT port block group is not bound to any VRRP group.
Views
AFT address group view
AFT port block group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
virtual-router-id: Specifies a VRRP group by its virtual router ID in the range of 1 to 255.
Usage guidelines
On a hot backup system, the virtual IP address of the VRRP group might be on the same subnet as the public IP addresses in the AFT address group or port block group. In this case, both hot backup members might reply to ARP requests for the MAC addresses corresponding to these public IP addresses. As a result, the MAC addresses in ARP replies, and the ARP entries on the Layer 3 devices connected to the hot backup system, might be incorrect. To avoid this situation, execute this command to force the master device to use the virtual MAC address of the VRRP group in ARP replies. For more information about configuring the hot backup system, see RBM-based hot backup configuration in High Availability Configuration Guide.
For active/standby hot backup, execute this command on the primary device in the hot backup system.
For dual-active hot backup, select one of the following methods for VRRP group binding according to the AFT resource allocation between the two devices in the hot backup system:
· If the two devices share the same AFT address group, execute the vrrp vrid command on the primary device. To prevent different master devices from using the same IP-port mapping for different hosts, specify the PAT translation mode and execute the aft remote-backup port-alloc command on the primary device.
· If the two devices use different AFT address groups, user traffic with different source IPv6 addresses is identified by ACLs in AFT rules. To enable different master devices to translate the forward user traffic, specify different gateway addresses for different internal users. To direct the reverse traffic to different master devices, bind AFT address groups to different VRRP groups on the primary device.
As a best practice, do not use an AFT port block group for address translation in a dual-active hot backup system. If you use an AFT port block group for address translation, AFT service anomalies might occur when a device in the system is faulty.
If you execute the vrrp vrid command multiple times, the most recent configuration takes effect.
Examples
# Bind VRRP group 1 to AFT address group 2.
<Sysname> system-view
[Sysname] aft address-group 2
[Sysname-aft-address-group-2] vrrp vrid 1
Related commands
display aft address-group