23-NAT Command Reference

H3C CR16000-F Routers Command Reference-R8630Pxx-6W100

Related documents: 01-NAT commands (PDF, 1.43 MB)

Contents

NAT commands
  Generic NAT commands
    address
    block-size
    display nat address-group
    display nat all
    display nat attack-defense reverse-blacklist
    display nat dns-map
    display nat eim
    display nat eim statistics
    display nat log
    display nat no-pat
    display nat outbound
    display nat outbound port-block-group
    display nat port-block
    display nat port-block-group
    display nat server
    display nat session
    display nat static
    display nat statistics
    display nat statistics hardware-session-resource
    display nat statistics packet
    display nat user-table
    extended-block multi-global-ip enable
    global-ip-pool
    local-ip-address
    lock address
    nat address-group
    nat address-group-usage enable
    nat address-group-usage threshold
    nat alg
    nat attack-defense
    nat attack-defense reverse-blacklist aging-time
    nat attack-defense reverse-blacklist detect-threshold
    nat attack-defense reverse-blacklist enable
    nat dns-map
    nat extended-port-block report-radius enable
    nat hardware aging-accelerate dns enable
    nat log bandwidth-usage threshold
    nat log enable
    nat log flow-active
    nat log flow-begin
    nat log flow-end
    nat log format user-mac
    nat log port-alloc-fail
    nat log port-block port-usage threshold
    nat log port-block usage enable
    nat log port-block usage threshold
    nat log port-block-alloc-fail
    nat log port-block-assign
    nat log port-block-withdraw
    nat mapping-behavior endpoint-independent { tcp | udp } *
    nat outbound
    nat outbound ds-lite-b4
    nat outbound port-block-group
    nat per-global-ip user-limit
    nat port-block flow-trigger enable
    nat static enable
    nat static outbound
    nat static outbound net-to-net
    nat user-agency alg
    port-block
    port-limit
    port-range
    port-single-alloc enable
    reset nat attack-defense reverse-blacklist
    reset nat eim
    reset nat session
    reset nat statistics hardware-session-resource
    reset nat statistics packet
    snmp-agent trap enable nat
  Global NAT commands
    bind dhcp-server-pool
    display nat instance
    display nat instance address-group
    display nat instance statistics
    display nat ip-pool
    ip-usage-threshold
    lock section
    nat abnormal-cu-connection auto-renew-lease
    nat address-group bind-ip-pool
    nat gratuitous-arp-reply enable
    nat instance
    nat ip-pool
    nat ip-pool release
    nat log ip-add-fail
    nat log ip-alloc-fail
    nat log ip-usage threshold
    nat mapping-behavior endpoint-independent
    nat port-block failover-service rebalance enable
    nat redirect-cgn drop-upon-mismatch
    nat server
    nat user-table change-global-ip
    reset nat instance statistics
    section
    service-instance-group
    subnet length
    up-backup
    user-table change-failover-group
  Interface-based NAT commands
    display nat address-group resource-usage
    display nat configuration global-address
    display nat server-group
    failover-group
    inside ip
    nat hairpin enable
    nat hardware ignore-flowredirect-method enable
    nat hardware-mode enable
    nat hardware-mode port-alloc
    nat hardware-mode server-limit
    nat hardware-mode user-limit
    nat outbound easy-ip failover-group
    nat port-block-group
    nat server
    nat server-group
    nat service
    nat static inbound
    nat static inbound net-to-net
  CGN availability commands
    bind vsrp-instance
    cu warm-load-balance-mode enable
    cu warm-standby-mode enable
    display nat mpls-tunnel
    display nat srv6-tunnel
    nat centralized-backup auto switchback disable
    nat centralized-backup enable
    nat centralized-backup switchback delay
    nat protect-tunnel inside-vpn
    nat vsrp-port

NAT commands

Generic NAT commands

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address. Each address range can contain a maximum of 65535 addresses.

Usage guidelines

Application scenarios

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

Restrictions and guidelines

When you execute this command in a NAT address group, follow these restrictions and guidelines:

·     You can add multiple address ranges to a NAT address group. Make sure the address ranges do not overlap in the NAT address group.

·     The device supports a maximum of 65536 address ranges in total for all NAT address groups.

·     Do not add addresses to a NAT address group that is bound to a global address pool. A NAT address group with manually assigned addresses cannot be bound to a global address pool.

·     The NAT address group does not support the address command if the group has been used by NAT instance-based load balancing. If the address group contains addresses that are added by using the address command, the group cannot be used by NAT instance-based load balancing. The NAT instance-based load balancing feature allows a NAT instance to be associated with a service instance group that is bound to multiple failover groups. NAT services are evenly distributed among these failover groups.

·     In a NAT instance, the NAT address group does not support the address command if the non-load-balancing mode or load balancing mode for CGN warm backup is configured in a vBRAS CP and UP separation (CUPS) scenario. If the address group contains addresses that are added by using the address command, you cannot configure the non-load-balancing mode or load balancing mode for CGN warm backup in a vBRAS CUPS scenario.

·     If the NAT address group has been used by a NAT rule, and the address range to be deleted is already used by online users or not locked, you cannot use the undo address command to delete the address range from the group.

If a public IP address range in a NAT address group overlaps with a public IP address range in a NAT port block group, the NAT device might allocate the same port block to different users. This causes traceability issues or session establishment failure. In this case, the system will prompt you to select whether to deploy the configuration. If you select to deploy the configuration, make sure the port ranges in dynamic port block mappings that reference the NAT address group do not overlap with the port ranges in the NAT port block group.

If a public address range overlaps with the address range in static port block mappings, make sure the port ranges in static port block mappings do not overlap with those in dynamic port block mappings. Otherwise, the device might assign the same IP address and port block to two different users, in which case NAT sessions might not be established for one of them.
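The rules above (end address not lower than the start address, at most 65535 addresses per range, no overlapping ranges within a group, and the warning about public ranges that also appear in a NAT port block group's global IP pool) can be checked offline before a change is deployed. The following Python script is an added example written for this page, not H3C code; the function names and the sample ranges are constructed, the port block group pool values are borrowed from the display nat all sample later on this page, and the script does not model the device-wide 65536-range limit or the online-user and lock checks that apply to undo address.

```python
"""Offline checks for NAT address group ranges (added example, not H3C code)."""
from ipaddress import IPv4Address

MAX_RANGE_SIZE = 65535  # maximum number of addresses in one address range


def to_ints(start: str, end: str) -> tuple[int, int]:
    """Convert a dotted-decimal start/end pair into integer bounds."""
    return int(IPv4Address(start)), int(IPv4Address(end))


def overlaps(a: tuple[int, int], b: tuple[int, int]) -> bool:
    """True if two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_address_group(ranges: list[tuple[str, str]]) -> list[str]:
    """Apply the address-command rules to one group.

    Returns the list of violations; an empty list means every range satisfies
    the rules stated for the command (ordering, size, no overlap in the group).
    """
    problems: list[str] = []
    parsed: list[tuple[int, int]] = []
    for start, end in ranges:
        s, e = to_ints(start, end)
        if e < s:
            problems.append(f"{start}-{end}: end address is lower than start address")
            continue
        if e - s + 1 > MAX_RANGE_SIZE:
            problems.append(f"{start}-{end}: more than {MAX_RANGE_SIZE} addresses")
            continue
        for ps, pe in parsed:
            if overlaps((s, e), (ps, pe)):
                problems.append(
                    f"{start}-{end} overlaps {IPv4Address(ps)}-{IPv4Address(pe)}"
                )
                break
        parsed.append((s, e))
    return problems


def address_count(ranges: list[tuple[str, str]]) -> int:
    """Total number of public addresses the group can hand out."""
    return sum(e - s + 1 for s, e in (to_ints(a, b) for a, b in ranges))


def port_block_pool_conflicts(
    group_ranges: list[tuple[str, str]], pool_ranges: list[tuple[str, str]]
) -> list[tuple[str, str]]:
    """Report address-group ranges that also appear in a port block group's global IP pool.

    The reference warns that such an overlap can let the device allocate the
    same port block to two users, so the port ranges of the two configurations
    must then be kept disjoint; this lists the pairs an operator has to review.
    """
    conflicts = []
    for gs, ge in group_ranges:
        for ps, pe in pool_ranges:
            if overlaps(to_ints(gs, ge), to_ints(ps, pe)):
                conflicts.append((f"{gs}-{ge}", f"{ps}-{pe}"))
    return conflicts


if __name__ == "__main__":
    # Constructed input mirroring the command example (nat address-group 2).
    group2 = [("10.1.1.1", "10.1.1.15"), ("10.1.1.20", "10.1.1.30")]
    print(check_address_group(group2))                 # []
    print(address_count(group2))                       # 26
    print(check_address_group(group2 + [("10.1.1.10", "10.1.1.25")]))
    # Constructed public range checked against a pool taken from the display nat all sample.
    print(port_block_pool_conflicts([("201.1.1.5", "201.1.1.8")], [("201.1.1.1", "201.1.1.10")]))
```

The checks are intentionally independent of the device: they can run in a change-review pipeline against the intended ranges, and a non-empty result is a reason to stop before the CLI prompts about the port block overlap.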

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

global-ip-pool

nat address-group

block-size

Use block-size to set the port block size.

Use undo block-size to restore the default.

Syntax

block-size block-size

undo block-size

Default

The port block size is 256.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

block-size: Specifies the number of ports for a port block. The value range for this argument is 1 to 65535.

Usage guidelines

Application scenarios

You must set the port block size when you use port block-based NAT.

Recommended configuration

Set an appropriate port block size based on the number of private IP addresses, the number of public IP addresses, and the port range in the port block group.

Restrictions and guidelines

The port block size cannot be larger than the number of ports in the port range.
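To turn the sizing recommendation and the port-range rule above into numbers, the following Python helper is an added example for this page, not H3C code. The function names are assumptions; the figures used at the bottom are taken from port block group 1 in the display nat all sample later on this page (port range 1024-65535, block size 256, three /24 private ranges, 15 public addresses).

```python
"""Port block sizing for port block-based NAT (added example, not H3C code).

Implements the rule that the block may not be larger than the port range and
turns the sizing recommendation into numbers: blocks per public IP, total
blocks, whether every private host can get one, and the largest block size
that still serves all private hosts.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class PortBlockPlan:
    ports_in_range: int        # usable ports per public IP
    block_size: int
    blocks_per_public_ip: int  # whole blocks carved from one public IP
    total_blocks: int          # blocks across all public IPs
    idle_ports_per_ip: int     # remainder ports that no block covers
    private_hosts: int
    fits: bool                 # every private host can get one block


def ports_in_range(start_port: int, end_port: int) -> int:
    """Number of ports in an inclusive port range such as 1024-65535."""
    if not 1 <= start_port <= end_port <= 65535:
        raise ValueError("port range must satisfy 1 <= start <= end <= 65535")
    return end_port - start_port + 1


def check_block_size(start_port: int, end_port: int, block_size: int) -> list[str]:
    """Return violations of the block-size rules; an empty list means accepted."""
    problems = []
    if not 1 <= block_size <= 65535:
        problems.append(f"block-size {block_size} is outside 1 to 65535")
    ports = ports_in_range(start_port, end_port)
    if block_size > ports:
        problems.append(f"block-size {block_size} exceeds the {ports} ports in the port range")
    return problems


def plan_port_blocks(start_port: int, end_port: int, block_size: int,
                     public_ips: int, private_hosts: int) -> PortBlockPlan:
    """Compute the capacity of a port block group for the given parameters."""
    problems = check_block_size(start_port, end_port, block_size)
    if problems:
        raise ValueError("; ".join(problems))
    ports = ports_in_range(start_port, end_port)
    per_ip = ports // block_size
    total = per_ip * public_ips
    return PortBlockPlan(ports, block_size, per_ip, total,
                         ports - per_ip * block_size, private_hosts,
                         total >= private_hosts)


def max_block_size(start_port: int, end_port: int,
                   public_ips: int, private_hosts: int) -> int:
    """Largest block size with which every private host still gets one block.

    Each public IP must yield ceil(private_hosts / public_ips) blocks, so the
    block size is the port count divided by that number (0 if impossible).
    """
    ports = ports_in_range(start_port, end_port)
    needed_per_ip = ceil(private_hosts / public_ips)
    return ports // needed_per_ip if needed_per_ip <= ports else 0


if __name__ == "__main__":
    # Figures from port block group 1 in the display nat all sample on this page:
    # port range 1024-65535, block size 256, three /24 private ranges (762 hosts),
    # 15 public addresses (201.1.1.1-201.1.1.10 and 201.1.1.21-201.1.1.25).
    plan = plan_port_blocks(1024, 65535, 256, public_ips=15, private_hosts=762)
    print(plan)
    print("largest block size that still fits:", max_block_size(1024, 65535, 15, 762))
    print(check_block_size(1024, 65535, 70000))
```

A larger block gives each user more concurrent sessions but fewer users per public address; the helper makes that trade-off explicit so the block size is chosen from the address counts rather than left at the default.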

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] block-size 1024

Related commands

nat port-block-group

display nat address-group

Use display nat address-group to display NAT address group configuration.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays the configuration for all NAT address groups.

Usage guidelines

Use this command to view the NAT address group configuration. The configuration varies by scenario.

·     In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, this command displays information about NAT address groups and child address groups generated from them. A user coming online triggers the following generation behaviors:

¡     The NAT instance generates NAT subinstances whose names start with Sub. The NAT subinstances inherit the configuration of the NAT instance.

¡     The dynamic global address pool bound to the nat-central pool on the CP generates child address pools whose names start with Sub. The child address pools inherit the configuration of the parent address pool.

¡     The NAT address group bound to the dynamic global address pool generates child address groups whose names start with Sub. The child address groups inherit the configuration of the parent address group.

The NAT subinstances process NAT services. The child address groups obtain address ranges from the child address pools and assign IP addresses after address translation to users.

·     In other scenarios, a user coming online does not trigger generation behaviors. This command displays only NAT address group configuration.

Examples

# Display configuration for all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 8 NAT address groups.

  Address group name/ID: group1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Failover group name: nat

    Address information:

      Start address         End address         Lock status

      202.110.10.10         202.110.10.15       Unlocked

    Config status: Active

 

  Address group name/ID: group2/2

    Port range: 1024-65535

    Failover group name: trans

    Address information:

      Start address         End address         Lock status

      202.110.10.20         202.110.10.25       Unlocked

      202.110.10.30         202.110.10.35       Unlocked

    Config status: Active

 

  Address group name/ID: group3/3

    Port range: 1024-65535

    Failover group name: nat

    Address information:

      Start address         End address         Lock status

      202.110.10.40         202.110.10.50       Unlocked

    Config status: Active

 

  Address group name/ID: group4/4

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Failover group name: nat

    Address information:

      Start address         End address         Lock status

      202.110.10.60         202.110.10.65       Unlocked

    Config status: Active

 

  Address group name/ID: group5/5

    Port range: 10001-65535

    Port block size: 6400

    Extended block number: 1

    Extended block size: 64

    Address information:

      Start address         End address         Lock status

      202.110.10.70         202.110.10.75       Unlocked

    Config status: Active

 

  Address group name/ID: group6

    Port range: 1024-65535

    Failover group name: nat

    Address information:

      Start address         End address         Lock status

      ---                   ---                 Unlocked

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist: address

 

  Address group name/ID: 7/7

    Port range: 10000-40000

    Nat per-global-ip user-limit: 1

    Port-single-alloc

    TCP port limit: 100

    UDP port limit: 100

    ICMP port limit: 200

    Port limit in total: 500

    Instance name/ID: nat7/7

    Address information:

      Start address         End address         Lock status

      ---                   ---                 Unlocked

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist: address

 

  Address group name/ID: 8/8

    Port range: 10000-40000

    Port block size: 1000

    Instance name/ID: nat8/8

    Totally 2 sub NAT address groups.

    Address group name/ID: Sub_196630_7/98561

      Instance name/ID: Sub_196630_nat7/129

      Address information:

        Start address         End address         Lock status

        202.110.10.70         202.110.10.75       Unlocked

    Config status: Active

 

    Address group name/ID: Sub_196631_7/98817

      Instance name/ID: Sub_196631_nat7/130

      Address information:

        Start address         End address         Lock status

        202.110.10.80         202.110.10.85       Unlocked

    Config status: Active

Table 1 Command output

Field

Description

Totally n NAT address groups

Total number of parent NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Port block size

Number of ports in a port block. This field is not displayed if the port block size is not set.

Extended block number

Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Extended block size

Number of ports in each extended port block. This field is not displayed if the extended port block size is not set.

Port-single-alloc

Port-by-port allocation method. This field is not displayed if this method is not set.

Extended-block multi-global-ip enable

Whether the device is allowed to use an extended port block from a public IP address other than the public IP address of the pre-allocated port block. This field is not displayed if this feature is disabled.

TCP port limit

Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.

UDP port limit

Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.

ICMP port limit

Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.

Port limit in total

Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.

Instance name/ID

Name and ID of the NAT instance bound to the NAT address group.

Totally n sub NAT address groups

Number of child address groups generated by the parent NAT address group.

Address group name/ID

Name and ID of the NAT address group.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---).

Config status

Status of the NAT address group configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Lock status

Whether the address range is locked:

·     Locked.

·     Unlocked.

If no address range exists, this field displays three hyphens (---).

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance

 

# Display configuration for NAT address group 1.

<Sysname> display nat address-group 1

  Address group name/ID: group1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Instance name/ID: nat1/1

    Address information:

      Start address         End address         Lock status

      202.110.10.10         202.110.10.15       Unlocked

    Config status: Active

Table 2 Command output

Field

Description

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Extended-block multi-global-ip enable

Whether the device is allowed to use an extended port block from a public IP address other than the public IP address of the pre-allocated port block. This field is not displayed if this feature is disabled.

Instance name/ID

Name and ID of the NAT instance.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

Config status

Status of the NAT address group configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Lock status

Whether the address range is locked:

·     Locked.

·     Unlocked.

If no address range exists, this field displays three hyphens (---).

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive. Possible reasons:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance
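To audit the groups shown by this command automatically, the following Python script is an added example for this page, not part of the H3C reference. It parses the display nat address-group text into records, lists the groups whose Config status is not Active together with the reasons the device prints, and lists locked address ranges. The sample output is constructed from the examples above with one range marked Locked; the function names are assumptions, and child (Sub) groups are parsed as separate records.

```python
"""Parse display nat address-group output (added example, not H3C code)."""
import re

# Constructed sample based on the command output shown above; one range is
# marked Locked so that the lock report has something to find.
SAMPLE_OUTPUT = """\
NAT address group information:
  Totally 3 NAT address groups.
  Address group name/ID: group1/1
    VPN instance: vpn1
    Port range: 1024-65535
    Failover group name: nat
    Address information:
      Start address         End address         Lock status
      202.110.10.10         202.110.10.15       Unlocked
    Config status: Active

  Address group name/ID: group2/2
    Port range: 1024-65535
    Address information:
      Start address         End address         Lock status
      202.110.10.20         202.110.10.25       Locked
      202.110.10.30         202.110.10.35       Unlocked
    Config status: Active

  Address group name/ID: group6
    Port range: 1024-65535
    Address information:
      Start address         End address         Lock status
      ---                   ---                 Unlocked
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist: address
"""

# An address row: start, end and a lock status; the column header does not match.
RANGE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(Locked|Unlocked|---)$")


def parse_address_groups(text: str) -> list[dict]:
    """Return one record per 'Address group name/ID' block in the output."""
    groups: list[dict] = []
    current = None
    in_reasons = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Address group name/ID:"):
            current = {"name": line.split(":", 1)[1].strip(), "fields": {},
                       "ranges": [], "status": None, "reasons": []}
            groups.append(current)
            in_reasons = False
            continue
        if current is None:
            continue  # banner lines before the first group
        if line.startswith("Reasons for inactive status:"):
            in_reasons = True
            continue
        if in_reasons:
            current["reasons"].append(line)
            continue
        row = RANGE_ROW.match(line)
        if row:
            start, end, lock = row.groups()
            if start != "---":  # '---' means the group has no address range
                current["ranges"].append({"start": start, "end": end, "lock": lock})
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Config status":
                current["status"] = value
            elif value:  # skip section labels such as 'Address information:'
                current["fields"][key] = value
    return groups


def inactive_groups(groups: list[dict]) -> list[tuple[str, list[str]]]:
    """Groups that are not Active, with the reasons the device printed."""
    return [(g["name"], g["reasons"]) for g in groups if g["status"] != "Active"]


def locked_ranges(groups: list[dict]) -> list[tuple[str, str, str]]:
    """(group, start, end) for every address range reported as Locked."""
    return [(g["name"], r["start"], r["end"])
            for g in groups for r in g["ranges"] if r["lock"] == "Locked"]


if __name__ == "__main__":
    parsed = parse_address_groups(SAMPLE_OUTPUT)
    print(inactive_groups(parsed))  # [('group6', ["The following items don't exist: address"])]
    print(locked_ranges(parsed))    # [('group2/2', '202.110.10.20', '202.110.10.25')]
```

Run against real output captured from the device, an Inactive group whose reason is a missing address or VPN instance is a configuration that silently translates nothing, which is worth alerting on from a monitoring job.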

 

Related commands

nat address-group

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (In standalone mode.) Display all NAT configuration information. (Interface-based NAT.)

<Sysname> display nat all

NAT hardware mode : Disabled

 

NAT address group information:

  Totally 6 NAT address groups.

  Address group name/ID: 1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Failover group name: nat

    Address information:

      Start address         End address         Lock status

      202.110.10.10         202.110.10.15       Unlocked

    Config status: Active

 

  Address group name/ID: 2/2

    Port range: 1024-65535

    Failover group name: group1

    Failover group name: trans

    Address information:

      Start address         End address         Lock status

      202.110.10.20         202.110.10.25       Unlocked

      202.110.10.30         202.110.10.35       Unlocked

    Config status: Active

 

  Address group name/ID: 3/3

    Port range: 1024-65535

    Failover group name: abc

    Address information:

      Start address         End address         Lock status

      202.110.10.40         202.110.10.50       Unlocked

    Config status: Active

 

  Address group name/ID: 4/4

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Failover group name: trans

    Address information:

      Start address         End address         Lock status

      202.110.10.60         202.110.10.65       Unlocked

    Config status: Active

 

  Address group name/ID: 5/5

    Port range: 10001-65535

    Port block size: 6400

    Extended block number: 1

    Extended block size: 64

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Address information:

      Start address         End address         Lock status

      202.110.10.70         202.110.10.75       Unlocked

    Config status: Active

 

  Address group name/ID: 6/6

    Port range: 1024-65535

    Address information:

      Start address         End address         Lock status

      ---                   ---                 ---

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist: address

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: Ten-GigabitEthernet3/1/1

    ACL: 2038         Address group: 2      Add route: Y

    NO-PAT: Y         Reversible: N

    VPN instance: vpn_nat

    Service card: Slot 2

    Config status: Active

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/1/2

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/2

    ACL: 2037         Address group: 1      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Config status: Active

 

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/1/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Failover group name: group1

    ACL           : 2000

    Service card  : Slot 2

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Service card  : Slot 2

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Service card  : Slot 2

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Service card  : Slot 2

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 – 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Failover group name: abc

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2001

    Reversible   : Y

    Failover group name: group1

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/1/4

    Service card : Slot 2

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/6

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.example.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : service.example.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

 

NAT logging:

  Log enable               : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Enabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(90%)

  Address-group-usage      : Enabled(Threshold: 90%)

  Bandwidth-usage          : Enabled(Threshold: 90%)

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: Ten-GigabitEthernet3/1/4

    Service card : Slot 2

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/6

    Service card : Slot 2

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent (TCP-5-Tuple)

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Disabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Disabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1024-65535

    Block size: 256

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Failover group name: group1

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1024-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: Ten-GigabitEthernet3/1/2

    Port-block-group: 2

    Config status   : Active

 

  Interface: Ten-GigabitEthernet3/1/2

    Port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

NAT Agency ALG:

  FTP        : Enabled

  ICMP-ERROR : Enabled

  SIP        : Disabled

 

NAT extended port block report to RADIUS: Disabled

 

NAT abnormal-cu-connection auto-renew-lease: Disabled

 

NAT hardware ignore-flowredirect-method : Disabled

 

NAT redirect-cgn drop-upon-mismatch: Disabled

 

NAT attack-defense reverse-blacklist : Disabled

 

NAT attack-defense reverse-blacklist detect-threshold ip-port-level : 10kpps

 

NAT attack-defense reverse-blacklist aging-time : 600s

 

NAT hardware aging-accelerate dns : Disabled

# Display all NAT configuration information. (Global NAT.)

<Sysname> display nat all

NAT hardware mode : Disabled

 

NAT address group information:

  Totally 1 NAT address groups.

  Address group name/ID: 1/1

    VPN instance: vpn1

    Port range: 1024-65535

    Address information:

      Start address         End address         Lock status

      202.110.10.10         202.110.10.15       Unlocked

    Config status: Active

 

NAT instance information:

  Totally 2 NAT instances.

  Instance name/ID/type: a/10/normal

    service-instance-group sgrp

    nat port-block flow-trigger enable

    nat outbound 3000 address-group 1

    nat outbound port-block-group 1

    undo nat gratuitous-arp-reply enable

    bind vsrp-instance 1

    nat protect-tunnel inside-vpn vpn1

    nat mapping-behavior endpoint-independent system-default

 

  Instance name/ID/type: inst1/20/normal

    service-instance-group 2

    cu warm-standby-mode enable

    bind vsrp-instance 1

    nat mapping-behavior endpoint-independent system-default

 

NAT logging:

  Log enable               : Disabled

  Log format user-mac      : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Disabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(Threshold: 90%)

  Address-group-usage      : Enabled(Threshold: 90%)

  Bandwidth-usage          : Enabled(Threshold: 90%)

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent (TCP-5-Tuple)

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Enabled

  ICMP-ERROR : Enabled

  ILS        : Enabled

  MGCP       : Enabled

  NBT        : Enabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Enabled

  SCCP       : Enabled

  SIP        : Enabled

  SQLNET     : Enabled

  TFTP       : Enabled

  XDMCP      : Enabled

 

Static NAT load balancing:     Disabled

 

NAT Agency ALG:

  FTP        : Enabled

  ICMP-ERROR : Enabled

  SIP        : Disabled

 

NAT extended port block report to RADIUS: Disabled

 

NAT abnormal-cu-connection auto-renew-lease: Disabled

 

NAT VSRP port: 60046

 

NAT hardware ignore-flowredirect-method : Disabled

 

NAT redirect-cgn drop-upon-mismatch: Disabled

 

NAT attack-defense reverse-blacklist : Disabled

 

NAT attack-defense reverse-blacklist detect-threshold ip-port-level : 10kpps

 

NAT attack-defense reverse-blacklist aging-time : 600s

 

NAT hardware aging-accelerate dns : Disabled

The output shows all NAT configuration information. Table 3 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 3 Command output

Field

Description

NAT hardware mode

Enabling status of hardware NAT:

·     Enabled.

·     Disabled.

NAT address group information

Information about the NAT address group. For the output description, see the display nat address-group command.

NAT instance information

Information about NAT instances. For the output description, see the display nat instance command.

NAT server group information

Information about the internal server group. For the output description, see the display nat server-group command.

NAT outbound information

Outbound dynamic NAT configuration. For the output description, see the display nat outbound command.

NAT internal server information

NAT Server configuration. For the output description, see the display nat server command.

Static NAT mappings

Static NAT mappings. For the output description, see the display nat static command.

NAT DNS mappings

NAT DNS mappings. For the output description, see the display nat dns-map command.

NAT logging

NAT logging configuration. For the output description, see the display nat log command.

NAT hairpinning

NAT hairpin configuration. If NAT hairpin is not configured, this field is not displayed.

Totally n interfaces enabled NAT hairpinning

Number of interfaces with NAT hairpin enabled.

Interface

NAT hairpin-enabled interface.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field is not displayed.

Config status

Status of the NAT hairpin configuration: Active.

NAT mapping behavior

Mapping behavior mode of PAT:

·     Connection-dependent.

·     Endpoint-Independent (TCP)—The mapping mode is endpoint-independent and only EIM entries for TCP connections are created.

·     Endpoint-Independent (TCP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for TCP connections are created.

·     Endpoint-Independent (UDP)—The mapping mode is endpoint-independent and only EIM entries for UDP connections are created.

·     Endpoint-Independent (UDP-5-Tuple)—The mapping mode is endpoint-independent, and 5-tuple session entries and EIM entries for UDP connections are created.

ACL

ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).

Config status

Status of the NAT mapping behavior configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status field displays Inactive.

NAT ALG

NAT ALG configuration for different protocols.

NAT port block group information

Configuration information about NAT port block groups. For the output description, see the display nat port-block-group command.

NAT outbound port block group information

Configuration information about static port block mapping. For the output description, see the display nat static command.

NAT extended port block report to RADIUS

Enabling status of reporting mappings between user private IP addresses and extended port blocks to the RADIUS server:

·     Enabled.

·     Disabled.

Static NAT load balancing

Enabling status of load sharing for static NAT on NAT service engines:

·     Enabled.

·     Disabled.

NAT Agency ALG

Enabling status of ALG for PPPoE agency user packets:

·     Enabled.

·     Disabled.

NAT VSRP port

The TCP port number for establishing the data channel through which NAT sessions are backed up.

NAT abnormal-cu-connection auto-renew-lease

Whether a UP is enabled to automatically renew the lease of the IP address requested from the CP when the CP-UP connection is abnormal.

·     Enabled.

·     Disabled.

NAT hardware ignore-flowredirect-method

Enabling status of NAT ignoring the traffic redirection method:

·     Enabled.

·     Disabled.

NAT attack-defense reverse-blacklist

Enabling status of the NAT denylist feature:

·     Enabled.

·     Disabled.

NAT attack-defense reverse-blacklist detect-threshold ip-port-level

Threshold for triggering NAT to generate denylist entries, in kpps.

NAT attack-defense reverse-blacklist aging-time

Aging time for NAT denylist entries, in seconds.

NAT hardware aging-accelerate dns

Enabling status of NAT accelerating the aging of session entries and EIM entries generated during DNS packet processing:

·     Enabled.

·     Disabled.

NAT redirect-cgn drop-upon-mismatch

Enabling status of dropping the packets that are redirected to the CGN card but do not match NAT configuration:

·     Enabled.

·     Disabled.

 

display nat attack-defense reverse-blacklist

Use display nat attack-defense reverse-blacklist to display NAT denylist entries.

Syntax

In standalone mode:

display nat attack-defense reverse-blacklist [ vpn-instance vpn-instance-name ] [ victim-ip ip-address ] [ victim-port port ] [ protocol { tcp | udp } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat attack-defense reverse-blacklist [ vpn-instance vpn-instance-name ] [ victim-ip ip-address ] [ victim-port port ] [ protocol { tcp | udp } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays NAT denylist entries for the public network.

victim-ip ip-address: Displays NAT denylist entries that have the specified IPv4 address.

victim-port port: Displays NAT denylist entries that have the specified port number. The value range for the port argument is 1 to 65535.

protocol: Displays NAT denylist entries that have the specified protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT denylist entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT denylist entries for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

With the NAT denylist feature enabled, the device monitors packets whose destination IP addresses belong to the UNR routes that NAT generates for source address translation configurations that are in effect.

If such packets are sent to the CPU for processing and their drop rate reaches the threshold set by using the nat attack-defense reverse-blacklist detect-threshold command, the device determines that they are attack packets. It generates a denylist entry for attack packets with the same destination IP address, port, and protocol type to block subsequent packets with the same characteristics.

To view the denylist entries generated by NAT, execute the display nat attack-defense reverse-blacklist command.

Examples

# (In standalone mode.) Display NAT denylist entries for the specified slot.

<Sysname> display nat attack-defense reverse-blacklist slot 1

Slot: 1

Current total reverse blacklist entries: 2(IP+Port)

 

 Victim information(IP,port): (129.3.0.143,1025)

 Attacker information(IP,port): (100.205.1.16,1026)

 Protocol: UDP, VPN: -

 Created at: 2025-04-30 17:41:28, Remaining aging time: 5993

 

 Victim information(IP,port): (129.3.0.143,1025)

 Attacker information(IP,port): (100.205.1.15,1026)

 Protocol: UDP, VPN: -

 Created at: 2025-04-30 17:41:28, Remaining aging time: 5993

Table 4 Command output

Field

Description

Victim information(IP,port)

Information about the attack target:

·     IP—Destination IP address in the attack packets, which is the attacked NAT address.

·     Port—Destination port number in the attack packets.

Attacker information(IP,port)

Attacker information:

·     IP—IP address of the attack source.

·     Port—Port number of the attack source.

This field is not displayed if address translation is in EIM mode.

Protocol

Protocol name.

VPN

VPN instance name. This field displays a hyphen (-) if the entry is on the public network.

Created at

Time when the denylist entry was created, in the YYYY-MM-DD hh:mm:ss format.

·     YYYY—Represents the year.

·     MM—Represents the month.

·     DD—Represents the day.

·     hh—Represents the hour.

·     mm—Represents the minute.

·     ss—Represents the second.

Remaining aging time

Remaining aging time of the NAT denylist entry, in the hh:mm:ss format.

·     hh—Represents the hour.

·     mm—Represents the minute.

·     ss—Represents the second.
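For monitoring, the output of display nat attack-defense reverse-blacklist is easier to act on as structured records. The following parser is an added example, not H3C code; it reads the output format shown above (sample constructed from that output), tolerates entries without an Attacker line (EIM mode) and accepts the remaining aging time either as a plain seconds count, as in the sample, or as hh:mm:ss, as the field description states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the display output shown in this section.
SAMPLE_OUTPUT = """Slot: 1
Current total reverse blacklist entries: 2(IP+Port)

 Victim information(IP,port): (129.3.0.143,1025)
 Attacker information(IP,port): (100.205.1.16,1026)
 Protocol: UDP, VPN: -
 Created at: 2025-04-30 17:41:28, Remaining aging time: 5993

 Victim information(IP,port): (129.3.0.143,1025)
 Attacker information(IP,port): (100.205.1.15,1026)
 Protocol: UDP, VPN: -
 Created at: 2025-04-30 17:41:28, Remaining aging time: 5993
"""

_SLOT = re.compile(r"^Slot:\s*(\d+)")
_TOTAL = re.compile(r"^Current total reverse blacklist entries:\s*(\d+)")
_VICTIM = re.compile(r"^Victim information\(IP,port\):\s*\(([^,]+),(\d+)\)")
_ATTACKER = re.compile(r"^Attacker information\(IP,port\):\s*\(([^,]+),(\d+)\)")
_PROTO = re.compile(r"^Protocol:\s*(\w+),\s*VPN:\s*(\S+)")
_CREATED = re.compile(r"^Created at:\s*(\S+ \S+),\s*Remaining aging time:\s*(\S+)")


@dataclass
class DenylistEntry:
    slot: int
    victim_ip: str
    victim_port: int
    protocol: str
    vpn: Optional[str]                  # None on the public network ("-")
    created_at: datetime
    remaining_s: int
    attacker_ip: Optional[str] = None   # absent when translation is in EIM mode
    attacker_port: Optional[int] = None


def parse_remaining(text: str) -> int:
    """Accept a plain seconds count (as in the sample) or hh:mm:ss."""
    if text.isdigit():
        return int(text)
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_reverse_blacklist(output: str) -> Tuple[List[DenylistEntry], Dict[int, int]]:
    """Return the parsed entries and the per-slot totals announced in the header."""
    entries: List[DenylistEntry] = []
    totals: Dict[int, int] = {}
    slot = -1
    cur: dict = {}
    for raw in output.splitlines():
        line = raw.strip()
        if m := _SLOT.match(line):
            slot = int(m.group(1))
        elif m := _TOTAL.match(line):
            totals[slot] = int(m.group(1))
        elif m := _VICTIM.match(line):
            cur = {"slot": slot, "victim_ip": m.group(1), "victim_port": int(m.group(2))}
        elif m := _ATTACKER.match(line):
            cur["attacker_ip"], cur["attacker_port"] = m.group(1), int(m.group(2))
        elif m := _PROTO.match(line):
            cur["protocol"] = m.group(1)
            cur["vpn"] = None if m.group(2) == "-" else m.group(2)
        elif m := _CREATED.match(line):
            cur["created_at"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            cur["remaining_s"] = parse_remaining(m.group(2))
            entries.append(DenylistEntry(**cur))   # the Created at line closes an entry
            cur = {}
    return entries, totals


def victims_under_attack(entries: List[DenylistEntry]) -> Counter:
    """Count denylist entries per (victim IP, port, protocol) to spot targeted NAT addresses."""
    return Counter((e.victim_ip, e.victim_port, e.protocol) for e in entries)


def totals_consistent(entries: List[DenylistEntry], totals: Dict[int, int]) -> bool:
    """Cross-check the parsed entry count against the header count for each slot."""
    seen = Counter(e.slot for e in entries)
    return all(seen.get(slot, 0) == n for slot, n in totals.items())
```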

 

Related commands

reset nat attack-defense reverse-blacklist

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.example.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : service.example.com

  Global IP    : 10.1.1.1

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Active

Table 5 Command output

Field

Description

NAT DNS mapping information

Information about the NAT DNS mappings.

Totally n NAT DNS mappings

Total number of NAT DNS mappings.

NAT DNS mapping information

Information about NAT DNS mappings.

Domain name

Domain name of the internal server.

Global IP

Public IP address of the internal server.

·     If Easy IP is configured, this field displays the IP address of the specified interface.

·     If you do not specify a public IP address, this field displays hyphens (---).

Global port

Public port number of the internal server.

Protocol

Protocol name and number of the internal server.

Config status

Status of the DNS mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status field displays Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

In standalone mode:

display nat eim [ slot slot-number [ cpu cpu-number ] ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ]

In IRF mode:

display nat eim [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

protocol: Specifies a protocol by its type.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip local-ip: Displays EIM entry information for a private IP address. The local-ip argument specifies a private IP address.

local-ip b4 ipv6-address: Displays EIM entry information for a B4 device IP address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-port local-port: Displays EIM entry information for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Displays EIM entry information for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Displays EIM entry information for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

local-vpn vpn-instance-name: Displays information about EIM entries that contain the specified MPLS L3VPN instance to which private users belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must be the VPN instance carried in the packets sent from the private users to the public network, which corresponds to Local VPN for address translation.

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry is a three-tuple (source IP address, source port number, and protocol type) entry, and it records the mapping between a private address/port and a public address/port.

The EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.

If you do not specify the local-ip, local-port, global-ip, global-port, or local-vpn keyword, this command displays information about all EIM entries for the ICMP, TCP, and UDP protocols.
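The difference between the Endpoint-Independent and Connection-dependent mapping modes described here, as an added toy model (not H3C's implementation): an EIM entry is keyed on the three-tuple (protocol, local IP, local port), so every connection from that source reuses one public endpoint and any external host can be translated back to it, which is exactly the exposure the reverse-blacklist feature watches; the connection-dependent table keys on the full connection and only accepts reverse traffic from a peer with an existing session. Addresses and ports are taken from the sample output above; the class and function names are assumptions.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class ToyPat:
    """PAT with either an endpoint-independent (EIM) or a connection-dependent
    mapping table. Constructed illustration of the two modes in this reference."""

    def __init__(self, global_ip: str, eim: bool, first_port: int = 2048):
        self.global_ip = global_ip
        self.eim = eim
        self.next_port = first_port
        # forward entries: EIM key is (proto, local endpoint); the
        # connection-dependent key also carries the remote endpoint
        self.fwd: Dict[tuple, Endpoint] = {}
        # reverse lookup: (proto, global IP, global port) -> local endpoint
        self.rev: Dict[Tuple[str, str, int], Endpoint] = {}
        # 5-tuple sessions are kept in both modes (the "5-Tuple" of TCP-5-Tuple)
        self.sessions: Set[tuple] = set()

    def _key(self, proto: str, local: Endpoint, remote: Endpoint) -> tuple:
        return (proto, local) if self.eim else (proto, local, remote)

    def outbound(self, proto: str, local: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate a packet from an internal host; returns the global endpoint used."""
        key = self._key(proto, local, remote)
        if key not in self.fwd:
            glob = (self.global_ip, self.next_port)
            self.next_port += 1
            self.fwd[key] = glob
            self.rev[(proto, glob[0], glob[1])] = local
        glob = self.fwd[key]
        self.sessions.add((proto, local, glob, remote))
        return glob

    def inbound(self, proto: str, remote: Endpoint, glob: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from outside; None means it is dropped."""
        local = self.rev.get((proto, glob[0], glob[1]))
        if local is None:
            return None
        if self.eim:
            # the EIM entry alone permits reverse translation, whoever sends
            return local
        # connection-dependent: only a peer with an existing session gets through
        return local if (proto, local, glob, remote) in self.sessions else None


def demo(eim: bool) -> Tuple[Endpoint, Endpoint, Optional[Endpoint]]:
    """Two connections from one source to two servers, then an unsolicited
    inbound packet from a third host aimed at the first mapping."""
    nat = ToyPat("200.100.1.100", eim=eim)
    host = ("192.168.100.100", 1024)
    g1 = nat.outbound("TCP", host, ("202.38.1.1", 21))
    g2 = nat.outbound("TCP", host, ("202.38.1.2", 21))
    unsolicited = nat.inbound("TCP", ("100.205.1.16", 4444), g1)
    return g1, g2, unsolicited
```

In EIM mode demo() returns the same global endpoint twice and translates the unsolicited packet; in connection-dependent mode the second server gets a new port and the unsolicited packet is dropped.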

Examples

# (In standalone mode.) Display information about all NAT EIM entries on the specified slot.

<Sysname> display nat eim slot 0

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Protocol: UDP(17)

Failover group name: -

 

Total entries found: 2

# (In standalone mode.) Display information about NAT EIM entries for TCP on the specified slot.

<Sysname> display nat eim slot 0 cpu 0 protocol tcp

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Total entries found: 1

# (In standalone mode.) Display information about NAT EIM entries for VPN instance vpn1 to which private users belong on the specified slot.

<Sysname> display nat eim local-vpn vpn1

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

Failover group name: -

 

Total entries found: 1

Table 6 Command output

Field

Description

CPU

Number of the CPU.

Local  IP/port

Private IP address and port number.

Global IP/port

Public IP address and port number after NAT.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

DS-Lite tunnel B4 address. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Protocol

Protocol name and number.

Failover group name

Failover group name. If no failover group is specified, this field displays a hyphen (-).

Total entries found

Total number of EIM entries.

 

Related commands

nat mapping-behavior

nat outbound

display nat eim statistics

Use display nat eim statistics to display NAT EIM entry statistics.

Syntax

In standalone mode:

display nat eim statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat eim statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry statistics on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entry statistics on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The NAT EIM entry statistics include the following information:

·     The number of EIM entries.

·     The creation rate of EIM entries for TCP.

·     The creation rate of EIM entries for UDP.

Examples

# (In standalone mode.) Display EIM entry statistics for the specified slot.

<Sysname> display nat eim statistics slot 2

EIM: Total EIM entries.

TCP: Total EIM entries for TCP.

UDP: Total EIM entries for UDP.

Rate: Creating rate of EIM entries.

TCP rate: Creating rate of EIM entries for TCP.

UDP rate: Creating rate of EIM entries for UDP.

Slot EIM       TCP       UDP       Rate          TCP rate      UDP rate

                                  (entries/s)   (entries/s)   (entries/s)

2    0         0         0         0             0             0

 

Table 7 Command output

Field

Description

Total EIM entries

Total number of EIM entries.

Total EIM entries for TCP

Total number of EIM entries for TCP.

Total EIM entries for UDP

Total number of EIM entries for UDP.

Creating rate of EIM entries

Creation rate of EIM entries.

Creating rate of EIM entries for TCP

Creation rate of EIM entries for TCP.

Creating rate of EIM entries for UDP

Creation rate of EIM entries for UDP.

 

Related commands

nat mapping-behavior

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration. (Interface-based NAT.)

<Sysname> display nat log

NAT logging:

  Log enable               : Disabled

  Log format user-mac      : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Disabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(Threshold: 90%)

  Address-group-usage      : Enabled(Threshold: 90%)

  Bandwidth-usage          : Enabled(Threshold: 90%)

# Display NAT logging configuration. (Global NAT.)

<Sysname> display nat log

NAT logging:

  Log enable               : Disabled

  Flow-begin               : Disabled

  Flow-end                 : Disabled

  Flow-active              : Disabled

  Port-block-assign        : Disabled

  Port-block-withdraw      : Disabled

  Port-alloc-fail          : Disabled

  Port-block-alloc-fail    : Disabled

  Port-usage               : Disabled

  Port-block-usage         : Enabled(Threshold: 90%)

  Address-group-usage      : Enabled(Threshold: 90%)

  Bandwidth-usage          : Enabled(Threshold: 90%)

 

  NAT ip-pool 1

    IP-usage               : Enabled(Threshold: 100%)

    IP-alloc-fail          : Enabled

Table 8 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

·     Enabled—NAT logging is enabled. If an ACL is specified for NAT logging, this field also displays the ACL number or name.

·     Disabled—NAT logging is disabled.

Log format user-mac

Whether system logs are configured to carry the MAC addresses of online users in a NAT+BRAS scenario.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Port-block-assign

Whether logging is enabled for NAT444 port block assignment.

Port-block-withdraw

Whether logging is enabled for NAT444 port block withdrawal.

Port-alloc-fail

Whether logging is enabled for NAT port allocation failures.

Port-block-alloc-fail

Whether logging is enabled for NAT port block assignment failures.

Port-usage

Whether logging is enabled for port usage in port blocks. If logging for port usage in port blocks is enabled, this field also displays the usage threshold in percentage.

Port-block-usage

Logging is enabled for port block usage. The Threshold field displays the port block usage threshold in percentage. The default threshold value is 90%.

Address-group-usage

Whether logging is enabled for resource usage in address groups. If logging for resource usage in address groups is enabled, this field also displays the usage threshold in percentage.

Bandwidth-usage

Logging is enabled for the CGN card bandwidth usage. The Threshold field displays the threshold for the CGN card bandwidth usage, in percentage. The default threshold value is 90%.

NAT ip-pool xx

Logging configuration of the global address pool.

IP-usage

Logging is enabled for the IP usage in the global address pool. The Threshold field displays the usage threshold in percentage. The default threshold value is 80%.

IP-alloc-fail

Whether logging is enabled for address allocation failures in the global address pool.

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

nat log ip-alloc-fail

nat log ip-usage threshold

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

In standalone mode:

display nat no-pat [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat no-pat [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NO-PAT entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

The NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Inbound and outbound NO-PAT address translations each create their own NO-PAT tables. These two types of tables are displayed separately.

Examples

# (In standalone mode.) Display information about NO-PAT entries for the specified slot.

<Sysname> display nat no-pat slot 0

Slot 0:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 9 Command output

Field

Description

Global  IP

Public IP address.

Local   IP

Private IP address.

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the public IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

Type

Type of the NO-PAT entry:

·     Inbound—A NO-PAT entry created during inbound dynamic NAT.

·     Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (In standalone mode.) Display information about outbound dynamic NAT. (Interface-based NAT.)

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Ten-GigabitEthernet3/1/1

    ACL: 2036         Address group: 1      Port-preserved: Y

    NO-PAT: N         Reversible: N

    Service card: Slot 5

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/2

    ACL: 2037         Address group: 2      Port-preserved: N

    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Service card: Slot 5

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/1

    DS-Lite B4 ACL: 2100         Address group: 0      Port-preserved: N

    NO-PAT: N         Reversible: N

    Service card: Slot 5

    Config status: Active

# Display information about outbound dynamic NAT. (Global NAT.)

<Sysname> display nat outbound

NAT outbound information:

  Totally 3 NAT outbound rules.

  nat instance: instance1

    ACL: 3001         Address group: 1      Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

 

  nat instance: instance2

    ACL: 3010         Address group: 10     Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

 

  nat instance: instance3

    ACL: 3011         Address group: 11     Port-preserved: N

    NO-PAT: N         Reversible: N

    Config status: Active

Table 10 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Totally n NAT outbound rules

Total number of outbound dynamic NAT rules.

Interface

Interface where the outbound dynamic NAT rule is configured.

nat instance

Name of the NAT instance where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

DS-Lite B4 ACL

Number or name of the IPv6 ACL used by DS-Lite port block mapping.

Address group

Address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).

Port-preserved

Whether to try to preserve the port numbers for PAT.

NO-PAT

Whether NO-PAT is used:

·     Y—NO-PAT is used.

·     N—PAT is used.

Reversible

Whether reverse address translation is allowed:

·     Y—Reverse address translation is allowed.

·     N—Reverse address translation is not allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the NAT address group does not belong to any VPN instance, the field is not displayed.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field is not displayed.

Config status

Status of the outbound dynamic NAT configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: global VPN, interface IP address, address group, and ACL.

·     NAT address conflicts.

 

Related commands

nat outbound

display nat outbound port-block-group

Use display nat outbound port-block-group to display information about NAT port block group application.

Syntax

display nat outbound port-block-group

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about NAT port block group application. (Interface-based NAT.)

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: Ten-GigabitEthernet3/1/2

    Port-block-group: 2

    Config status   : Active

 

  Interface: Ten-GigabitEthernet3/1/2

    Port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

# Display information about NAT port block group application. (Global NAT.)

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 1 outbound port block group items.

  nat instance: hello

    port-block-group: 10

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

Table 11 Command output

Field

Description

Interface

Interface to which a port block group is applied.

nat instance

Name of the NAT instance to which a port block group is applied.

Port-block-group

ID of the port block group.

Config status

Status of the port block group application:

·     Active—The application is taking effect.

·     Inactive—The application is not taking effect.

Reasons for inactive status

Reasons why the port block group application fails. This field is available when the Config status field displays Inactive.

 

Related commands

nat outbound port-block-group

display nat port-block

Use display nat port-block to display NAT port block mappings.

Syntax

In standalone mode:

display nat port-block { dynamic | static } [ { global-ip | local-ip } ipv4-source-address ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

display nat port-block dynamic ds-lite-b4 [ ipv6 ipv6-source-address ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

display nat port-block { dynamic | static } [ { global-ip | local-ip } ipv4-source-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

display nat port-block dynamic ds-lite-b4 [ ipv6 ipv6-source-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays dynamic port block mappings.

ds-lite-b4: Displays port block mappings for DS-Lite.

static: Displays static port block mappings.

global-ip ipv4-source-address: Specifies a source public IPv4 address.

local-ip ipv4-source-address: Specifies a source private IPv4 address. The ipv4-source-address argument specifies an internal server that initiates connections to the external network by its source address.

ipv6 ipv6-source-address: Specifies a source IPv6 address. The ipv6-source-address argument specifies a DS-Lite B4 element by its source IPv6 address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays port block mappings on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays port block mappings on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about NAT port block mappings. If you do not specify this keyword, this command displays brief information about NAT port block mappings.

Examples

# (In standalone mode.) Display static port block mappings for the specified slot.

<Sysname> display nat port-block static slot 1

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           100.100.100.113  202.202.100.101  513-768      0            ---

---           100.100.100.114  202.202.100.101  769-1024     0            ---

---           100.100.100.112  202.202.100.101  257-512      0            ---

---           100.100.100.111  202.202.100.101  1-256        0            ---

Total mappings found: 4

# (In standalone mode.) Display detailed information about static port block mappings for the specified slot.

<Sysname> display nat port-block static slot 1 verbose

Slot 1:

    Static port block entry

Local IP         : 200.1.24.219

Local vpn        : ---(0)

Global IP        : 202.2.1.8

Global vpn       : ---(0)

Port block       : 24774-26023

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

    Static port block entry

Local IP         : 200.1.40.231

Local vpn        : ---(0)

Global IP        : 0.0.0.0

Global vpn       : ---(0)

Port block       : ---

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

Total mappings found: 2

# (In standalone mode.) Display dynamic port block mappings.

<Sysname> display nat port-block dynamic slot 1

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections  Extend

---           101.1.1.12       192.168.135.201  10001-11024  1            ---

Total mappings found: 1

# (In standalone mode.) Display DS-Lite port block mappings.

<Sysname> display nat port-block dynamic ds-lite-b4 slot 1

Slot 1:

Local VPN    DS-Lite B4 addr      Global IP       Port block  Connections Extend

---          2000::2              192.168.135.201 10001-11024 1           ---

Total mappings found: 1

# (In standalone mode.) Display detailed information about dynamic port block mappings for the specified slot.

<Sysname> display nat port-block dynamic slot 1 verbose

Slot 1:

Dynamic port block entry

Local IP         : 200.1.24.219

Local vpn        : ---(0)

Global IP        : 202.2.1.8

Global vpn       : ---(0)

Port block       : 24774-26023

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

Dynamic port block entry

Local IP         : 200.1.40.231

Local vpn        : ---(0)

Global IP        : 202.2.1.10

Global vpn       : ---(0)

Port block       : 32274-33523

Connections      : 0

FailgroupID      : 16

PortLimit TCP    : N/A

PortLimit UDP    : N/A

PortLimit ICMP   : N/A

PortLimit total  : 100

PortUsed  TCP    : 0

PortUsed  UDP    : 0

PortUsed  ICMP   : 0

PortUsed  total  : 0

Extend port block: N

 

Total mappings found: 2

Table 12 Command output

Field

Description

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays hyphens (---).

Local IP

Private IP address.

DS-Lite B4 addr

IPv6 address of the DS-Lite B4 element.

Global IP

Public IP address. If no public address is allocated due to insufficient public network resources, this field displays 0.0.0.0.

Port block

Port block defined by a start port and an end port. If public network resources are insufficient, this field displays hyphens (---).

Connections

Number of connections to ports in the port block.

Extend

Ext indicates an extended port block. If the port block is not an extended port block, this field displays hyphens (---).

Total mappings found

Total number of port block mappings.

 

Table 13 Command output

Field

Description

Local IP

Private IP address.

Local vpn

MPLS L3VPN instance to which the private IP address belongs. If the private IP address does not belong to any VPN instance, this field displays ---(0).

Global IP

Global IP address. If no public address is allocated due to insufficient public network resources, this field displays 0.0.0.0.

Global vpn

MPLS L3VPN instance to which the global IP address belongs. If the global IP address does not belong to any VPN instance, this field displays ---(0).

Port block

Port block defined by a start port number and an end port number. If public network resources are insufficient, this field displays hyphens (---).

Connections

Number of connections to ports in the port block.

FailgroupID

ID of the failover group to which port block mappings belong.

PortLimit TCP

Maximum number of ports that can be assigned to TCP.

PortLimit UDP

Maximum number of ports that can be assigned to UDP.

PortLimit ICMP

Maximum number of ports that can be assigned to ICMP.

PortLimit total

Maximum number of ports that are available for assignment.

PortUsed  TCP

Number of ports assigned to TCP packets.

PortUsed  UDP

Number of ports assigned to UDP packets.

PortUsed  ICMP

Number of ports assigned to ICMP packets.

PortUsed  total

Total number of ports in use.

Extend port block

Whether the port block is an extended port block:

·     Y—The port block is an extended port block.

·     N—The port block is not an extended port block.

Total mappings found

Total number of port block mappings.
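The brief table above is what an operator works from when an abuse report or an external log names a public IP address and port and the private host behind the CGN has to be identified. The following is an added example, not part of the H3C documentation and not device code: it parses the brief output of display nat port-block into records, attributes a global IP/port pair to the private host whose block contains that port, reports hosts that received no public resources (Global IP 0.0.0.0, port block ---, as described in Table 12), and checks that no two hosts hold overlapping blocks on the same public address, which would make the attribution ambiguous. The sample text is constructed from the rows shown above plus one constructed row for the unallocated case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the brief table printed by "display nat port-block
# static" above, plus one constructed row (100.100.100.115) for the case in
# which no public resources were allocated (Global IP 0.0.0.0, port block ---).
SAMPLE_PORT_BLOCK_OUTPUT = """\
Slot 1:
Local VPN     Local IP         Global IP        Port block   Connections  Extend
---           100.100.100.113  202.202.100.101  513-768      0            ---
---           100.100.100.114  202.202.100.101  769-1024     0            ---
---           100.100.100.112  202.202.100.101  257-512      0            ---
---           100.100.100.111  202.202.100.101  1-256        0            ---
---           100.100.100.115  0.0.0.0          ---          0            ---
Total mappings found: 5
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row: VPN, local IP, global IP, "lo-hi" or "---", connections, Extend.
ROW_RE = re.compile(
    rf"^(?P<vpn>\S+)\s+(?P<local>{IPV4})\s+(?P<glob>{IPV4})\s+"
    r"(?P<block>\d+-\d+|---)\s+(?P<conn>\d+)\s+(?P<ext>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total mappings found:\s*(\d+)")


def parse_port_blocks(text: str) -> List[Dict]:
    """Parse the brief table; header, 'Slot n:' and total lines do not match ROW_RE."""
    rows: List[Dict] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        block = m.group("block")
        lo, hi = (None, None) if block == "---" else tuple(int(p) for p in block.split("-"))
        rows.append({
            "local_vpn": m.group("vpn"),
            "local_ip": m.group("local"),
            "global_ip": m.group("glob"),
            "lo": lo,
            "hi": hi,
            "connections": int(m.group("conn")),
            "extended": m.group("ext") == "Ext",   # Table 12: "Ext" marks an extended block
        })
    return rows


def reported_total(text: str) -> Optional[int]:
    """The device's own 'Total mappings found' count, to cross-check the parse."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def lookup_local(rows: List[Dict], global_ip: str, port: int, vpn: str = "---") -> Optional[str]:
    """Attribute a public IP/port seen externally to the private host holding that block."""
    for r in rows:
        if r["global_ip"] != global_ip or r["local_vpn"] != vpn or r["lo"] is None:
            continue
        if r["lo"] <= port <= r["hi"]:
            return r["local_ip"]
    return None


def find_overlaps(rows: List[Dict]) -> List[Tuple[str, str]]:
    """Pairs of private hosts whose blocks on the same public IP overlap.
    A non-empty result means (global IP, port) no longer identifies one host."""
    overlaps: List[Tuple[str, str]] = []
    allocated = [r for r in rows if r["lo"] is not None]
    for i, a in enumerate(allocated):
        for b in allocated[i + 1:]:
            if a["global_ip"] == b["global_ip"] and a["lo"] <= b["hi"] and b["lo"] <= a["hi"]:
                overlaps.append((a["local_ip"], b["local_ip"]))
    return overlaps


def unallocated_hosts(rows: List[Dict]) -> List[str]:
    """Private hosts that got no public resources (port block shown as ---)."""
    return [r["local_ip"] for r in rows if r["lo"] is None]


if __name__ == "__main__":
    rows = parse_port_blocks(SAMPLE_PORT_BLOCK_OUTPUT)
    print(len(rows), "rows parsed; device reports", reported_total(SAMPLE_PORT_BLOCK_OUTPUT))
    print("202.202.100.101:600 ->", lookup_local(rows, "202.202.100.101", 600))
    print("unallocated:", unallocated_hosts(rows), "overlaps:", find_overlaps(rows))
```

The lookup is keyed on the Local VPN column as well as the public address, because the same private address can appear in several VPN instances; comparing the parsed row count with the device's own total catches truncated or mangled captures before they are used for attribution.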

 

display nat port-block-group

Use display nat port-block-group to display information about NAT port block groups.

Syntax

display nat port-block-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT port block group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all NAT port block groups.

Examples

# Display information about all NAT port block groups.

<Sysname> display nat port-block-group

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1024-65535

    Block size: 256

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Failover group name: trans

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1024-65535

    Block size: 256

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

# Display information about NAT port block group 1.

<Sysname> display nat port-block-group 1

  Port block group 1:

    Port range: 1024-65535

    Block size: 256

    TCP port limit: 1000

    UDP port limit: 2000

    ICMP port limit: 3000

    Port limit in total: 6000

    Failover group name: nat

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

Table 14 Command output

Field

Description

Port block group

ID of the NAT port block group.

Port range

Port range for the public IP addresses.

Block size

Number of ports in a port block.

TCP port limit

Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.

UDP port limit

Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.

ICMP port limit

Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.

Port limit in total

Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.

Failover group name

Name of the failover group specified for the NAT port block group. This field is not displayed if no failover group is specified.

Local IP address information

Information about private IP addresses.

Global IP pool information

Information about public IP addresses.

Start address

Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---).

End address

End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---).

VPN instance

MPLS L3VPN instance to which the private IP address range belongs. If no VPN instance is specified for the private address range, this field displays hyphens (---).
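The fields in Table 14 together determine how many private hosts a port block group can actually serve: each public address yields (ports in range) / (block size) blocks, and a host that cannot get a block appears in display nat port-block with Global IP 0.0.0.0. The following is an added example, not part of the H3C documentation and not device code, that carries that arithmetic through for the two fully specified groups in the output above (values transcribed by hand as test data). It assumes one port block per host and no extended port blocks; where extended blocks are enabled a host can hold more than one block, so the real shortfall is larger than computed here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


@dataclass
class PortBlockGroup:
    group_id: int
    port_range: Tuple[int, int]           # "Port range" line
    block_size: int                       # "Block size" line
    local_ranges: List[Tuple[str, str]]   # "Local IP address information" rows
    global_ranges: List[Tuple[str, str]]  # "Global IP pool information" rows


# Transcribed from the "display nat port-block-group" output above
# (constructed test data, not read from a device).
GROUP1 = PortBlockGroup(
    1, (1024, 65535), 256,
    [("172.16.1.1", "172.16.1.254"), ("192.168.1.1", "192.168.1.254"),
     ("192.168.3.1", "192.168.3.254")],
    [("201.1.1.1", "201.1.1.10"), ("201.1.1.21", "201.1.1.25")],
)
GROUP2 = PortBlockGroup(
    2, (10001, 30000), 500,
    [("10.1.1.1", "10.1.10.255")],
    [("202.10.10.101", "202.10.10.120")],
)


def addresses_in(ranges: List[Tuple[str, str]]) -> int:
    """Number of addresses covered by a list of inclusive start/end ranges."""
    return sum(int(IPv4Address(end)) - int(IPv4Address(start)) + 1 for start, end in ranges)


def blocks_per_ip(port_range: Tuple[int, int], block_size: int) -> int:
    """Whole port blocks one public address can provide."""
    lo, hi = port_range
    if block_size <= 0 or hi < lo:
        raise ValueError("invalid port range or block size")
    return (hi - lo + 1) // block_size


def capacity(g: PortBlockGroup) -> Dict[str, int]:
    """Blocks available versus hosts to serve (assumes one block per host)."""
    per_ip = blocks_per_ip(g.port_range, g.block_size)
    lo, hi = g.port_range
    total_blocks = per_ip * addresses_in(g.global_ranges)
    hosts = addresses_in(g.local_ranges)
    return {
        "blocks_per_ip": per_ip,
        "unused_ports_per_ip": (hi - lo + 1) % g.block_size,  # ports too few to form a block
        "total_blocks": total_blocks,
        "local_hosts": hosts,
        "shortfall": max(0, hosts - total_blocks),  # hosts that would get 0.0.0.0 / ---
    }


if __name__ == "__main__":
    for g in (GROUP1, GROUP2):
        print(f"Port block group {g.group_id}: {capacity(g)}")
```

For group 1 the 15 public addresses give 252 blocks each, 3780 in total, against 762 private addresses, so every host can be served. Group 2 has 20 addresses at 40 blocks each, 800 in total, while its local range covers 2559 addresses; if more than 800 hosts are active at once the rest are shown with Global IP 0.0.0.0 and a port block of ---, which is the "insufficient public network resources" condition described in Table 12 and Table 13.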

 

Related commands

nat port-block-group

display nat server

Use display nat server to display NAT server mappings.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (In standalone mode.) Display NAT server mappings. (Interface-based NAT.)

<Sysname> display nat server

NAT internal server information:

  Totally 4 internal servers.

  Interface: Ten-GigabitEthernet3/1/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Failover group name: group1

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Service card  : Slot 5

    Config status : Active

 

  Interface: Ten-GigabitEthernet3/1/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn10

    Service card  : Slot 5

    Config status : Active

# Display NAT server mappings. (Global NAT.)

<Sysname> display nat server

NAT internal server information:

  Totally 4 internal servers.

NAT instance: a

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Config status : Active

 

NAT instance: b

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

NAT instance: c

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Config status : Active

 

NAT instance: d

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

Table 15 Command output

Field

Description

NAT internal server information

Information about NAT server mappings.

Totally n internal servers

Total number of NAT server mappings.

NAT instance

NAT instance where the NAT server mapping is configured.

Interface

Interface where the NAT server mapping is configured.

Protocol

Protocol number and name of the internal server.

Global IP/port

Public IP address and port number of the internal server.

·     Global IP—A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---).

·     port—A single port number or a port number range. If the specified protocol has no port numbers, the port field displays hyphens (---).

Local IP/port

For common NAT server mappings, this field displays the private IP address and port number of the server.

·     Local IP—A single IP address or an IP address range.

·     port—A single port number or a port number range. If the specified protocol has no port numbers, the port field displays hyphens (---).

For load sharing NAT server mappings, this field displays the internal server group ID, IP address, port number, and number of connections of each member.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field is not displayed.

Failover group name

Name of the failover group that is bound to the NAT server. This field is not displayed if no failover group is specified.

Config status

Status of the NAT server mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the NAT server mapping does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: local VPN, global VPN, interface IP address, server group, and ACL—The MPLS L3VPN instance to which the private IP addresses belong, MPLS L3VPN instance to which the public IP addresses belong, interface IP addresses, server group, or ACL does not exist or is not effective.

·     Server configuration conflicts—A NAT server configuration conflict has occurred.

·     NAT address conflicts—A NAT address conflict has occurred.

·     failover group—The specified failover group does not exist or is not a CGN-type failover group.

 

Related commands

nat server

display nat session

Use display nat session to display sessions that have been NATed.

Syntax

In standalone mode:

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number [ cpu cpu-number ] ] [ brief | verbose ]

In IRF mode:

display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. If you do not specify a VPN instance, this command displays NAT sessions that do not belong to any VPN instance.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Displays IPv4 unicast session entries for the specified protocol. If you do not specify a protocol, the command displays NAT session entries for all supported protocols. Supported IPv4 transport layer protocols include DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

brief: Displays brief information about NAT sessions.

verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all NAT sessions.

Examples

# (In standalone mode.) Display detailed information about NAT sessions for the specified slot.

<Sysname> display nat session slot 0 verbose

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/1

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/VLL ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Ten-GigabitEthernet3/1/2

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36

Role: Standby

Failover group ID: 1

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (In standalone mode.) Display brief information about NAT sessions for the specified slot.

<Sysname> display nat session slot 0 brief

Slot 0:

Protocol   Source IP/port      Destination IP/port    Global IP/port

TCP        10.2.1.58/2477      20.1.1.2/1025          30.2.4.9/226

Total sessions found: 1

Table 16 Command output

Field

Description

CPU

Number of the CPU.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

 

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/VLL ID

The fields identify the following information:

·     VPN instance—MPLS L3VPN instance to which the session belongs.

·     VLAN ID—VLAN to which the session belongs for Layer 2 forwarding.

·     VLL ID—INLINE to which the session belongs for Layer 2 forwarding.

If no VPN instance, VLAN ID, or VLL ID is specified, a hyphen (-) is displayed for the related field.

Protocol

Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER for the protocol types identified by non-well-known ports.

Role

Role in the failover group:

·     Master—Primary node.

·     Standby—Secondary node.

Failover group ID

ID of the failover group. When the primary node is processing services and sessions are established on the secondary node, this field displays a hyphen (-).

Start time

Time when the session starts.

TTL

Remaining NAT session lifetime in seconds.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of sessions.

Source IP/port

Source IP address and port number of the initiator.

Destination IP/port

Destination IP address and port number of the initiator.

Global IP/port

Public IP address and port number.
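In the verbose output the translation itself is only visible by reading the two halves together: the initiator's Source IP/port is the address before NAT, and the responder's Destination IP/port is what the initiator looks like after NAT. The following is an added example, not part of the H3C documentation and not device code, that parses the verbose display nat session output into one record per session, extracts that before/after pair, and flags half-open TCP sessions (SYN sent, nothing returned), which is a quick way to triage a SYN flood passing through the NAT. The sample text is constructed from the verbose output shown above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the verbose output shown above for
# "display nat session slot 0 verbose" (test data, not read from a device).
SAMPLE_SESSION_OUTPUT = """\
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Ten-GigabitEthernet3/1/1
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.10/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Ten-GigabitEthernet3/1/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36
Role: Standby
Failover group ID: 1
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Total sessions found: 1
"""

COUNTER_RE = re.compile(r"(\d+)\s+packets\s+(\d+)\s+bytes")
COUNTER_KEYS = ("Initiator->Responder", "Responder->Initiator")


def _split_kv(line: str) -> Tuple[str, str]:
    """Split 'Key: value' at the first colon and collapse padding in the key."""
    key, _, value = line.partition(":")
    return " ".join(key.split()), value.strip()


def parse_sessions(text: str) -> List[Dict]:
    """One dict per session: 'initiator' and 'responder' sub-dicts, 'counters',
    and the top-level fields (State, Application, Role, ...) by their names."""
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    side: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Slot ") or line.startswith("Total sessions"):
            continue
        if line == "Initiator:":
            current = {"initiator": {}, "responder": {}, "counters": {}}
            sessions.append(current)
            side = "initiator"
            continue
        if line == "Responder:":
            side = "responder"
            continue
        if current is None:
            continue
        key, value = _split_kv(line)
        if line.startswith("  ") and side:
            current[side][key] = value            # indented lines belong to a side
        elif key in COUNTER_KEYS:
            m = COUNTER_RE.search(value)
            current["counters"][key] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
        else:
            side = None                           # top-level field ends the side blocks
            current[key] = value
    return sessions


def translated_source(sess: Dict) -> Tuple[str, str]:
    """(initiator's address before NAT, initiator's address as the responder sees it)."""
    return sess["initiator"]["Source IP/port"], sess["responder"]["Destination IP/port"]


def is_half_open(sess: Dict) -> bool:
    """TCP session still in a SYN state with no packet back from the responder."""
    back_packets = sess["counters"].get("Responder->Initiator", (0, 0))[0]
    return sess.get("State", "").startswith("TCP_SYN") and back_packets == 0


def half_open_count(text: str) -> int:
    return sum(1 for s in parse_sessions(text) if is_half_open(s))


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSION_OUTPUT):
        before, after = translated_source(s)
        print(f"{before} -> {after}  state={s['State']}  half-open={is_half_open(s)}")
```

The half-open check is deliberately conservative: a session whose Role is Standby (as in the sample) is counted on the secondary node and may be legitimately incomplete there, so the Role field is worth including in any threshold you build on top of this count.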

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (In standalone mode.) Display static NAT mappings. (Interface-based NAT.)

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Config status: Active

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Ten-GigabitEthernet3/1/2

    Service card : Slot 5

    Config status: Active

 

  Interface: Ten-GigabitEthernet3/1/3

    Config status: Active

# Display static NAT mappings. (Global NAT.)

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Global IP    : 4.4.4.4

    Local IP     : 5.5.5.5

    Global VPN   : vpn4

    Local VPN    : vpn3

    ACL          : 2000

    Reversible   : Y

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN.

 

NAT instances enabled with static NAT:

  Totally 2 NAT instances enabled with static NAT.

  NAT instance: instance1

    Config status: Active

 

  NAT instance: instance2

    Config status: Active

Table 17 Command output

Field

Description

Static NAT mappings

Information about static NAT mappings.

Totally n inbound static NAT mappings

Total number of inbound static NAT mappings.

Totally n outbound static NAT mappings

Total number of outbound static NAT mappings.

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address range.

Global IP

Public IP address or address range.

Netmask

Network mask.

Local VPN

MPLS L3VPN instance to which the private IP addresses belong. If the private IP addresses do not belong to any VPN instance, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP addresses belong. If the public IP addresses do not belong to any VPN instance, this field is not displayed.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed.

Interfaces enabled with static NAT

Interfaces that are enabled with static NAT.

Totally n interfaces enabled with static NAT

Total number of interfaces enabled with static NAT.

Interface

Interface enabled with static NAT.

NAT instances enabled with static NAT

NAT instances with static NAT enabled.

Totally n NAT instances enabled with static NAT

Total number of NAT instances with static NAT enabled.

NAT instance

Name of the NAT instance.

Service card

Service card that processes NAT traffic. If no service card is specified on the interface, this field is not displayed.

Packet type ignore

Whether the NAT device checks the protocol packet type when TCP, ICMP, or SCTP packet exchanges trigger the creation of session entries.

·     If this field displays Y, the NAT device does not check the protocol packet type.

·     If this field is not displayed, the NAT device checks the protocol packet type.

Config status

Status of the static NAT mapping configuration:

·     Active—The configuration is taking effect.

·     Inactive—The configuration is not taking effect.

Reasons for inactive status

Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status field displays Inactive. The following are possible reasons that the system might display:

·     The following items don't exist or aren't effective: local VPN, global VPN, and ACL—The MPLS L3VPN instance to which the private IP addresses belong, MPLS L3VPN instance to which the public IP addresses belong, or ACL does not exist or is not effective.

·     NAT address conflicts—A NAT address conflict occurred.

·     failover group—The specified failover group does not exist or is not a CGN-type failover group.

 

Related commands

nat static

nat static net-to-net

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

In standalone mode:

display nat statistics [ summary ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat statistics [ summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT statistics on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 0:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

  Port block entries deployed by PPPoE gateway: 0

  Total PAT entries: 0

Table 18 Command output

Field

Description

Total session entries

Number of NAT session entries.

Total EIM entries

Number of EIM entries.

Total inbound NO-PAT entries

Number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Number of outbound NO-PAT entries.

Total static port block entries

Number of static port block mappings.

Total dynamic port block entries

Number of dynamic port block mappings that can be created (including those for both locked and unlocked IP addresses). It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64.

Active static port block entries

Number of static port block mappings that are in use.

Active dynamic port block entries

Number of dynamic port block mappings that have been created (including those for both locked and unlocked IP addresses). It equals the number of dynamically assigned port blocks.

Port block entries deployed by PPPoE gateway

Number of port block entries deployed by the PPPoE gateway.

Total PAT entries

Number of PAT entries.

 

# Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

0    100       1         10        15        0         0

Table 19 Command output

Field

Description

Sessions

Number of NAT session entries.

EIM

Number of EIM entries.

SPB

Number of static port block mappings.

DPB

Number of dynamic port block mappings that can be created (including those for both locked and unlocked IP addresses). It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

If the user-defined extended port block size is different from the pre-allocated port block size, the device calculates the number of dynamic port block mappings that can be created based on the port block size of 64.

ASPB

Number of static port block mappings in use.

ADPB

Number of dynamic port block mappings that have been created (including those for both locked and unlocked IP addresses). It equals the number of dynamically assigned port blocks.

 

display nat statistics hardware-session-resource

Use display nat statistics hardware-session-resource to display statistics about driver sessions on CGN cards.

Syntax

In standalone mode:

display nat statistics hardware-session-resource [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat statistics hardware-session-resource [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about driver sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about driver sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Driver sessions include 3-tuple and 5-tuple sessions. A packet is directly forwarded by the driver once it matches a driver session.

You can use this command to view the following information:

·     Maximum number of driver sessions that can be created on a CGN card.

·     Number of driver sessions created on a CGN card.

·     Peak number of driver sessions created on a CGN card. It is the maximum number of driver sessions created on the CGN card in one of the following periods:

¡     From startup of the CGN card to execution of the display nat statistics hardware-session-resource command.

¡     From execution of the reset nat statistics hardware-session-resource command to the next execution of the display nat statistics hardware-session-resource command.

Examples

# Display statistics about driver sessions on all CGN cards.

<Sysname> display nat statistics hardware-session-resource

slot 4:

  Maximum number of sessions: 40000000

  Used sessions: 32000000

  Current session usage: 80%

  Peak number of used sessions: 32000000

  Peak session usage: 80%

  Peak time: 2024-09-02 10:14:41

slot 5:

  Maximum number of sessions: 40000000

  Used sessions: 32000000

  Current session usage: 80%

  Peak number of used sessions: 32000000

  Peak session usage: 80%

  Peak time: 2024-09-02 10:14:41

 

Total:

  Maximum number of sessions: 80000000

  Used sessions: 64000000

  Current device session usage: 80%

Table 20 Command output

Field

Description

Maximum number of sessions

Maximum number of driver sessions that can be created on the CGN card.

Used sessions

Number of driver sessions created on the CGN card.

Peak number of used sessions

Peak number of driver sessions created on the CGN card.

Peak session usage

Peak session resource usage on the CGN card, which is the percentage of the peak number of created driver sessions to the maximum number of driver sessions that can be created.

Peak time

Time (UTC) at which the number of driver sessions on the CGN card reached its peak, in the YYYY-MM-DD hh:mm:ss format. This field displays 0000-00-00 00:00:00 in the following circumstances:

·     No traffic has been sent to the CGN card.

·     The CGN card does not have any sessions.

·     The reset nat statistics hardware-session-resource command has been executed.

If the system time zone is not UTC, the peak time is recalculated before it is displayed.

Current device session usage

Total driver session resource usage for all CGN cards.

 

Related commands

reset nat statistics hardware-session-resource

display nat statistics packet

Use display nat statistics packet to display statistics about packets processed by CGN cards.

Syntax

In standalone mode:

display nat statistics packet [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display nat statistics packet [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays packet statistics for NAT on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays packet statistics for NAT on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command displays real-time statistics about incoming and outgoing packets and bytes and their rates on CGN cards, helping you determine whether traffic is load shared between CGN cards.

Examples

# Display statistics about packets processed by CGN cards.

<Sysname> display nat statistics packet

slot 5:

  Input bandwidth  : 160000 Mbps, Used bandwidth : 64000 Mbps, usage: 40%

  Output bandwidth : 160000 Mbps, Used bandwidth : 64000 Mbps, usage: 40%

  Input : 100 packets, 10000 bytes

  Output: 100 packets, 10000 bytes

  Last 3 seconds input rate : 100 packets/sec, 10000 bytes/sec, 80000 bits/sec

  Last 3 seconds output rate: 100 packets/sec, 10000 bytes/sec, 80000 bits/sec

  Input peak bandwidth usage : 80%, peak time: 2022-08-10 10:14:41

  Output peak bandwidth usage: 80%, peak time: 2022-08-10 10:14:41

Total bandwidth usage:

  Input bandwidth  : 160000 Mbps, Used bandwidth : 64000 Mbps, usage: 40%

  Output bandwidth : 160000 Mbps, Used bandwidth : 64000 Mbps, usage: 40%

  Input : 100 packets, 10000 bytes

  Output: 100 packets, 10000 bytes

Table 21 Command output

Field

Description

Input bandwidth

Maximum inbound bandwidth supported by the CGN card in Mbps.

Output bandwidth

Maximum outbound bandwidth supported by the CGN card in Mbps.

Used bandwidth

Used bandwidth in Mbps.

usage

Bandwidth usage in percentage.

Input

Number of packets and bytes that the CGN card receives from the interface card. This field displays 0 for a non-CGN card.

Output

Number of packets and bytes that the CGN card sends to the interface card. This field displays 0 for a non-CGN card.

Last n seconds input rate

Input rates (in pps, Bps, and bps) for the last n seconds.

Last n seconds output rate

Output rates (in pps, Bps, and bps) for the last n seconds.

Input peak bandwidth usage

Peak inbound bandwidth usage of the CGN card. It is the highest bandwidth usage in one of the following periods:

·     From startup of the CGN card to the execution of the display nat statistics packet command.

·     From executing the reset nat statistics packet command to executing the display nat statistics packet command.

This field displays 0% if no traffic is sent to the CGN card or you execute the reset nat statistics packet command.

Output peak bandwidth usage

Peak outbound bandwidth usage of the CGN card. It is the highest bandwidth usage in one of the following periods:

·     From startup of the CGN card to the execution of the display nat statistics packet command.

·     From the execution of the reset nat statistics packet command to the execution of the display nat statistics packet command.

This field displays 0% if the CGN card does not send any packet or you execute the reset nat statistics packet command.

peak time

Time (UTC) at which the bandwidth usage of the CGN card reached its peak, in the YYYY-MM-DD hh:mm:ss format. This field displays 0000-00-00 00:00:00 in the following circumstances:

·     No traffic has been sent to the CGN card.

·     The CGN card has not sent any packets.

·     The reset nat statistics packet command has been executed.

If the system time zone is not UTC, the peak time is recalculated before it is displayed.

 

Related commands

reset nat statistics packet

display nat user-table

Use display nat user-table to display user table information for online users.

Syntax

In standalone mode:

display nat user-table [ global ipv4 start-address [ end-address ] | local { ipv4 ipv4-address | ipv6 ipv6-address } | user-id user-id | user-name user-name | nat-instance instance-name ] [ user-type { dynamic | static } ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

display nat user-table [ global ipv4 start-address [ end-address ] | local { ipv4 ipv4-address | ipv6 ipv6-address } | user-id user-id | user-name user-name | nat-instance instance-name ] [ user-type { dynamic | static } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

Parameters

global ipv4 start-address [ end-address ]: Specifies the public IPv4 addresses of users. The start-address argument specifies the start IPv4 address, and the end-address argument specifies the end IPv4 address. If you do not specify an end IPv4 address, this command displays user table information for online users that use the specified start IPv4 address.

local ipv4 ipv4-address: Specifies the private IPv4 address of a user.

local ipv6 ipv6-address: Specifies the private IPv6 address of a user.

user-id user-id: Specifies the user ID of a user, in the range of 1 to FFFFFFFF.

user-name user-name: Specifies the username of a user, a string of 1 to 253 characters.

nat-instance instance-name: Specifies a NAT instance by its name, a string of 1 to 31 characters.

user-type: Specifies a user type. If you do not specify a user type, this command displays user table information for all online users.

dynamic: Specifies the dynamic user type. Dynamic users are assigned public addresses by NAT, including NAT444 users and DS-Lite users.

static: Specifies the static user type. Static users are assigned static mappings by an external module (for example, PPPoE gateway), including PPPoEGW users and PPPoEA users.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays user table information for online users on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays user table information for online users on all member devices. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed user table information for online users. If you do not specify this keyword, this command displays brief user table information for online users.

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command is applicable to the NAT and BRAS unification scenario.

To view user table information for an online PPPoE or IPoE user by user ID or username:

1.     Execute the display access-user command to obtain the user ID and the username of the user.

2.     Specify the user ID or username in the display nat user-table command.

In a vBRAS CUPS scenario, you cannot view the user table information for online users if you execute the display nat user-table user-name user-name command on UPs.

Examples

# Display brief user table information for online users on the specified slot.

<Sysname> display nat user-table slot 1

Slot 1:

Total Users found: 2

UP User ID                                         : 0x382005a0

CP User ID                                         : 0x81bb7b25

Local IP                                           : 10.1.1.10

VPN instance name/index                            : ---/0

Address group                                      : 9

NAT instance                                       : 1

Global IP                                          : 200.1.0.1

Start port                                         : 1024

Block size                                         : 384

Port total                                         : 640

Number of extended port block allocated            : 5

Number of ports used in the extended port block    : 617

Extended port block info                           :

  200.1.0.0       (1024-1151)

  200.1.0.2       (1024-1151)

  200.1.0.3       (1024-1151)

  200.1.0.1       (1408-1535)

  200.1.0.1       (1536-1663)

Number of times to allocate extended port block    : 5

Number of times to withdrawn extended port block   : 0

Peak number of extended port block allocated       : 5

Peak time                                          : 2022-11-07 21:29:44

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/1001/0

Total/TCP/UDP/ICMP sessions                        : 1001/0/1001/0

 

UP User ID                                         : 0x38200443

CP User ID                                         : 0x81bb7b26

Local IP                                           : 1.1.5.90

VPN instance name/index                            : ---/0

Address group                                      : 10

NAT instance                                       : 1

Global IP                                          : 6.1.1.237

Start port                                         : 13003

Block size                                         : 1001

Port total                                         : 1001

Number of extended port block allocated            : 0

Number of ports used in the extended port block    : 0

Extended port block info                           : ---

Number of times to allocate extended port block    : 0

Number of times to withdrawn extended port block   : 0

Peak number of extended port block allocated       : 0

Peak time                                          : 0000-00-00 00:00:00

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/0/0

Total/TCP/UDP/ICMP sessions                        : 0/0/0/0

# Display detailed user table information for online users on the specified slot.

<Sysname> display nat user-table slot 3 verbose

Slot: 3

Total Users found: 2

User type                                          : NAT444

UP User ID                                         : 0x382016e8

CP User ID                                         : 0x81bb7b31

Local IP                                           : 1.1.1.11

VPN instance name/index                            : ---/0

Address group                                      : 9

NAT instance                                       : 9

Global IP                                          : 6.1.1.130

Start port                                         : 35025

Block size                                         : 1001

Port total                                         : 1001

Number of extended port block allocated            : 0

Number of ports used in the extended port block    : 0

Extended port block info                           : ---

Number of times to allocate extended port block    : 0

Number of times to withdrawn extended port block   : 0

Peak number of extended port block allocated       : 0

Peak time                                          : 0000-00-00 00:00:00

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/2/0

Port limit discard count                           : 0

Total/TCP/UDP/ICMP sessions                        : 2/0/2/0

Total/TCP/UDP/ICMP reverse sessions                : 0/0/0/0

 

User type                                          : NAT444

UP User ID                                         : 0x382016e7

CP User ID                                         : 0x81bb7b33

Local IP                                           : 1.1.1.10

VPN instance name/index                            : ---/0

Address group                                      : 9

NAT instance                                       : 9

Global IP                                          : 6.1.1.239

Start port                                         : 29019

Block size                                         : 1001

Port total                                         : 1001

Number of extended port block allocated            : 0

Number of ports used in the extended port block    : 0

Extended port block info                           : ---

Number of times to allocate extended port block    : 0

Number of times to withdrawn extended port block   : 0

Peak number of extended port block allocated       : 0

Peak time                                          : 0000-00-00 00:00:00

Total/TCP/UDP/ICMP port limit                      : ---/---/---/---

TCP/UDP/ICMP port current                          : 0/2/0

Port limit discard count                           : 0

Total/TCP/UDP/ICMP sessions                        : 2/0/2/0

Total/TCP/UDP/ICMP reverse sessions                : 0/0/0/0

Table 22 Command output

Field

Description

Total Users found

Total number of online users.

User type

User type:

·     NAT444.

·     DS-Lite.

·     PPPoEGW.

·     PPPoEA.

UP User ID

ID assigned by the BRAS to the local online user. This field displays the local online user ID assigned by the BRAS in a NAT and BRAS unification scenario. In scenarios without NAT and BRAS unification, this field displays hyphens (---).

CP User ID

Online user ID assigned by the CP in a vBRAS CUPS scenario. This field displays the online user ID assigned by the CP in a vBRAS CUPS and NAT and BRAS unification scenario. In other scenarios, this field displays hyphens (---).

Local IP

Private IP address of the user. This field is displayed only when the IP address of the online user in the unification scenario does not belong to any VPN instance.

When the user type is PPPoEGW, this field displays three hyphens (---).

Local IP segment/mask length

Private network segment and mask length of the user. This field is displayed only when the IP address of the online user in the unification scenario belongs to a VPN instance.

VPN instance name/index

Name and index of the VPN instance to which the user belongs. If the user does not belong to any VPN instance, this field displays ---/0.

When the user type is PPPoEGW, this field displays three hyphens (---).

Address group

ID of the NAT address group used by the user.

Port block group

ID of the static NAT port block group used by the user.

NAT instance

NAT instance used by the user.

If the user comes online through interface-based NAT configuration, no field value is displayed.

Global IP

Public IP address of the user.

Start port

Start port number pre-allocated to the user.

If the User type field displays PPPoEA, this field indicates the start port number of the available port range.

End port

End port number of the available port range. This field is displayed only when the User type field displays PPPoEA.

Block size

Port block size pre-allocated to the user.

Port total

Total number of ports allocated to the user, including:

·     Number of ports in the port block pre-allocated to the user.

·     Number of ports in all extended port blocks.

Number of extended port block allocated

Number of extended port blocks allocated to the user.

Number of ports used in the extended port block

Number of used ports in the extended port blocks.

Extended port block info

Public IP address and port range of each extended port block allocated to the user, listed in allocation order for up to the first five allocations. This field displays three hyphens (---) if no extended port block is allocated to the user.

Number of times to allocate extended port block

Number of extended port block allocations when the user is online.

Number of times to withdrawn extended port block

Number of extended port block withdrawals when the user is online.

Peak number of extended port block allocated

Historical maximum number of extended port blocks allocated to the user.

Peak time

Time when the historical maximum number of extended port blocks allocated to the user is reached. The value of this field is in the YYYY-MM-DD hh:mm:ss format.

·     YYYY—Year.

·     MM—Month.

·     DD—Day.

·     hh—Hour.

·     mm—Minute.

·     ss—Second.

This field displays 0000-00-00 00:00:00 if no extended port blocks are allocated to the user when the user is online.

Total/TCP/UDP/ICMP port limit

Maximum number of ports to be assigned to all protocols and maximum number of ports to be assigned to each protocol. They can be set by using the port-limit command.

TCP/UDP/ICMP port current

Number of ports used by TCP, UDP, and ICMP. The same port number can be assigned to different protocols in EIM mode.

Port limit discard count

Number of port block allocation failures after the NAT port usage exceeds the upper limit. If the upper limit is not exceeded, this field displays 0.

Total/TCP/UDP/ICMP sessions

Total number of new forward sessions, and the numbers of new forward sessions created by TCP, UDP, and ICMP, including 5-tuple sessions and EIM sessions.

Total/TCP/UDP/ICMP reverse sessions

Total number of new reverse sessions, and the numbers of new reverse sessions created by TCP, UDP, and ICMP, including 5-tuple sessions and EIM sessions.
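The user table is the point-in-time record that ties a public IP address and port back to the private address that held it, which is what an abuse complaint or incident lookup needs. The following script is an added example, not part of this reference or of H3C software: it parses the brief output format shown above, builds the pre-allocated block (Start port to Start port + Block size - 1 on Global IP) plus every line under Extended port block info for each user, answers "which private address owned public IP:port?" and flags any port block that two users claim at once (the traceability failure the port block group guidelines warn about). The sample text is constructed to match the format of the brief example and is not device output; the regular expressions and field selection are assumptions about that format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the brief output of "display nat user-table".
# It is not captured from a device; only the fields this script reads are kept.
SAMPLE = """\
Slot 1:
Total Users found: 2
UP User ID                                         : 0x382005a0
Local IP                                           : 10.1.1.10
VPN instance name/index                            : ---/0
Global IP                                          : 200.1.0.1
Start port                                         : 1024
Block size                                         : 384
Extended port block info                           :
  200.1.0.0       (1024-1151)
  200.1.0.2       (1024-1151)
  200.1.0.3       (1024-1151)
  200.1.0.1       (1408-1535)
  200.1.0.1       (1536-1663)
Total/TCP/UDP/ICMP sessions                        : 1001/0/1001/0

UP User ID                                         : 0x38200443
Local IP                                           : 1.1.5.90
VPN instance name/index                            : ---/0
Global IP                                          : 6.1.1.237
Start port                                         : 13003
Block size                                         : 1001
Extended port block info                           : ---
"""

KV_RE = re.compile(r"^(\S[^:]*?)\s*:\s*(.*)$")           # "Field   : value"
EXT_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+\((\d+)-(\d+)\)\s*$")  # "  ip (lo-hi)"

Block = Tuple[str, int, int, str]   # (global_ip, low_port, high_port, kind)


def parse_user_table(text: str) -> List[Dict]:
    """One dict per user with local_ip, vpn, global_ip and its port blocks.
    A record starts at 'UP User ID'; the pre-allocated block is derived from
    Global IP / Start port / Block size and extended blocks from the indented
    '(lo-hi)' lines that follow 'Extended port block info'."""
    users: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = EXT_RE.match(line)
        if m and cur is not None:
            cur["blocks"].append((m.group(1), int(m.group(2)), int(m.group(3)), "extended"))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "UP User ID":
            cur = {"blocks": [], "vpn": "---"}
            users.append(cur)
        elif cur is None:
            continue                      # header lines such as "Slot 1:"
        elif key == "Local IP":
            cur["local_ip"] = val
        elif key == "VPN instance name/index":
            cur["vpn"] = val.split("/")[0]
        elif key == "Global IP":
            cur["global_ip"] = val
        elif key == "Start port":
            cur["start_port"] = int(val)
        elif key == "Block size":
            cur["block_size"] = int(val)
    for u in users:
        if all(k in u for k in ("global_ip", "start_port", "block_size")):
            lo = u["start_port"]
            u["blocks"].insert(0, (u["global_ip"], lo, lo + u["block_size"] - 1, "pre-allocated"))
    return users


def find_user(users: List[Dict], global_ip: str, port: int) -> Optional[Tuple[str, str]]:
    """Map a public (IP, port) seen in an external log back to the private
    address holding it; returns (local_ip, block kind) or None if unowned."""
    for u in users:
        for gip, lo, hi, kind in u["blocks"]:
            if gip == global_ip and lo <= port <= hi:
                return u["local_ip"], kind
    return None


def port_block_collisions(users: List[Dict]) -> List[Tuple[str, str, str, int, int]]:
    """(local_a, local_b, global_ip, lo, hi) for every port range that two
    different users own at once; any hit means the public address is not
    attributable to a single user."""
    owned = [(gip, lo, hi, u["local_ip"]) for u in users for gip, lo, hi, _ in u["blocks"]]
    hits = []
    for i, (ga, la, ha, ua) in enumerate(owned):
        for gb, lb, hb, ub in owned[i + 1:]:
            if ga == gb and ua != ub and la <= hb and lb <= ha:
                hits.append((ua, ub, ga, max(la, lb), min(ha, hb)))
    return hits


if __name__ == "__main__":
    table = parse_user_table(SAMPLE)
    for query in (("200.1.0.1", 1450), ("200.1.0.0", 1100), ("6.1.1.237", 14003), ("200.1.0.1", 5000)):
        print(query, "->", find_user(table, *query))
    print("collisions:", port_block_collisions(table))
```

The table only answers for users that are online when the command runs; for a lookup at a past time, the port block assignment and withdrawal logs (nat log port-block-assign, nat log port-block-withdraw) are the authoritative record, and the timestamp in the complaint must be compared against those in the same time zone as the device's log output.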

 

Related commands

display access-user (UCM commands in BRAS Services Command Reference)

extended-block multi-global-ip enable

Use extended-block multi-global-ip enable to enable using the extended port block of a public IP address other than the public IP address of the pre-allocated port block.

Use undo extended-block multi-global-ip enable to disable using the extended port block of a public IP address other than the public IP address of the pre-allocated port block.

Syntax

extended-block multi-global-ip enable

undo extended-block multi-global-ip enable

Default

Using the extended port block of a public IP address other than the public IP address of the pre-allocated port block is disabled.

Views

NAT address group view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

When the pre-allocated port resources of the public IP address run out, if extended port blocks have been configured, the system will apply for extended port block resources for users. Before you enable this feature, a private IP address can only apply for the extended port block resources of one public IP address. If the port block resources of this public IP address run out, the system does not apply for extended port block resources for users, which affects user services. To resolve this issue, enable this feature. When the port block resources of the public IP address corresponding to the private IP address run out, the system applies for extended port block resources of other public IP addresses.

Restrictions and guidelines

To have this feature take effect, make sure the NAT address group has extended port blocks.

Enabling this feature might reduce the number of users that can come online. Enable this feature only when the actual situation requires it.

If the system has already applied for extended port block resources of a public IP address other than the public IP address of the pre-allocated port block, disabling this feature does not affect the allocated extended port block resources.

After you set the maximum number of VPN users sharing one single public address in port block-based NAT by using the nat per-global-ip user-limit command, do not execute the extended-block multi-global-ip enable command. If you execute the extended-block multi-global-ip enable command, the specified maximum number of VPN users sharing one single public address might be different from the actual number.

Examples

# Enable using the extended port block of a public IP address other than the public IP address of the pre-allocated port block.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] extended-block multi-global-ip enable

Related commands

nat address-group

nat per-global-ip user-limit

global-ip-pool

Use global-ip-pool to add a public IP address range to a NAT port block group.

Use undo global-ip-pool to remove a public IP address range from a NAT port block group.

Syntax

global-ip-pool start-address end-address

undo global-ip-pool start-address end-address

Default

No public IP address ranges exist.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified. A public IP address range can contain a maximum of 65535 addresses.

Usage guidelines

Application scenarios

The NAT device computes a static port block mapping before address translation. The mapping is between a private IP address and a public IP address with a port block.

When an internal user initiates a connection to the external network, the system performs the following operations:

·     Locates a static mapping based on the private IP address of the user and obtains the public IP address and the port block in the mapping.

·     Selects a public port number in the port block.

·     Translates the private IP address to the public IP address and assigns the selected public port number.

The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

Restrictions and guidelines

Every time you execute this command, an address range can contain a maximum of 256 public IP addresses. All public IP address ranges in one port block group cannot overlap.

For interface-based NAT, the NAT device allocates the same port block to different users in the following conditions, which breaks traceability of public addresses to users or causes session establishment failures:

·     Public IP address ranges in different NAT port block groups overlap.

In this case, the system will prompt you to select whether to deploy the configuration. If you select to deploy the configuration, make sure the port ranges in the NAT port block groups do not overlap.

·     A public IP address range in a NAT port block group overlaps with a public IP address range in a NAT address group.

In this case, the system will prompt you to select whether to deploy the configuration. If you select to deploy the configuration, make sure the port ranges in the NAT port block group do not overlap with the port ranges in dynamic port block mappings that reference the NAT address group.

When you use global NAT for address translation, public IP address ranges in different port block groups cannot overlap.

Examples

# Add a public IP address range to the port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10

Related commands

address

nat instance

nat port-block-group

local-ip-address

Use local-ip-address to add a private IP address range to a NAT port block group.

Use undo local-ip-address to remove a private IP address range from a NAT port block group.

Syntax

local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

undo local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

Default

No private IP address ranges exist in a NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address range belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address range does not belong to any VPN instance, do not specify this option.

Usage guidelines

Application scenarios

The NAT device computes a static port block mapping before address translation. The mapping is between a private IP address and a public IP address with a port block.

When an internal user initiates a connection to the external network, the system performs the following operations:

·     Locates a static mapping based on the private IP address of the user and obtains the public IP address and the port block in the mapping.

·     Selects a public port number in the port block.

·     Translates the private IP address to the public IP address and assigns the selected public port number.

Static port block assigns a unique port block to each private IP address.

Restrictions and guidelines

You can add multiple private IP address ranges to the same port block group.

·     The private IP address ranges in the same VPN instance cannot overlap.

·     The private IP address ranges that do not belong to any VPN instances cannot overlap.

When you add private IP address ranges to different port block groups with the same VPN instance, make sure the IP address ranges do not overlap.

In a NAT port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.
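The capacity rule above, as an added Python check that is not part of this command reference: it counts the private IPs in the local-ip-address ranges, the assignable port blocks in the global-ip-pool ranges, and flags overlapping private ranges. The port range and block size used in the sample configuration are assumed values, not documented defaults.

```python
import ipaddress
from itertools import combinations


def ip_count(start, end):
    """Addresses in an inclusive IPv4 range; the end address may not be lower than the start."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError(f"end address {end} is lower than start address {start}")
    return e - s + 1


def overlapping_ranges(ranges):
    """Pairs of (start, end) ranges sharing an address, which is not allowed in one VPN instance."""
    as_int = [(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(e)), (s, e))
              for s, e in ranges]
    return [(a[2], b[2]) for a, b in combinations(as_int, 2)
            if a[0] <= b[1] and b[0] <= a[1]]


def assignable_port_blocks(public_ranges, port_range, block_size):
    """Port blocks the group can hand out: per public IP, the number of ports in the
    port range divided by the block size (a partial trailing block is not assignable),
    multiplied by the number of public IPs in all global-ip-pool ranges."""
    first_port, last_port = port_range
    blocks_per_ip = (last_port - first_port + 1) // block_size
    public_ips = sum(ip_count(s, e) for s, e in public_ranges)
    return public_ips * blocks_per_ip


def check_port_block_group(public_ranges, private_ranges, port_range, block_size):
    """Report whether every private IP in the group can obtain a static port block."""
    clashes = overlapping_ranges(private_ranges)
    private_ips = sum(ip_count(s, e) for s, e in private_ranges)
    blocks = assignable_port_blocks(public_ranges, port_range, block_size)
    return {
        "private_ips": private_ips,
        "port_blocks": blocks,
        "overlapping_private_ranges": clashes,
        "ok": not clashes and private_ips <= blocks,
        "unserved_private_ips": max(0, private_ips - blocks),
    }


# Constructed configuration mirroring the command examples on this page:
# global-ip-pool 202.10.1.1 202.10.1.10 and local-ip-address 172.16.1.1 172.16.1.255.
# The port range (1024-65535) and block sizes below are assumed values for the
# group's port-range and block-size settings, not defaults from the documentation.
PUBLIC = [("202.10.1.1", "202.10.1.10")]
PRIVATE = [("172.16.1.1", "172.16.1.255")]

if __name__ == "__main__":
    for size in (256, 4096):
        r = check_port_block_group(PUBLIC, PRIVATE, (1024, 65535), size)
        print(f"block-size {size}: {r['private_ips']} private IPs, "
              f"{r['port_blocks']} port blocks, ok={r['ok']}")
```

With block size 256 the ten public IPs yield 2520 blocks for 255 private IPs; with block size 4096 only 150 blocks remain and 105 private IPs would never obtain one.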

Examples

# Add a private IP address range to port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255

Related commands

nat port-block-group

lock address

Use lock address to lock an address segment in a NAT address group.

Use undo lock address to unlock an address segment in a NAT address group.

Syntax

lock address [ start-address end-address ]

undo lock address [ start-address end-address ]

Default

No address segment is locked in a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of an address segment. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one IP address is locked.

Usage guidelines

Application scenarios

You might have the following requirements when you manage a NAT address group:

·     Reserve some address ranges in the NAT address group for maintenance. The addresses (excluding those already used by online users) are no longer used for address translation of new online users.

·     Due to service planning, you must update or delete all address ranges in the NAT address group.

This feature can meet the above requirements.

Operating mechanism

To lock all address ranges in an address group, execute this command without specifying any parameters. All addresses in the address group cannot be used for address translation.

To lock some address ranges in an address group, execute the lock address start-address end-address command. The locked addresses cannot be used for address translation. If the specified address segment includes some or all of the addresses in an address range within the address group, this command locks all addresses in that address range. For example, if an address group has address range 10.1.1.1 to 10.1.1.15, and you specify the address segment as 10.1.1.1 to 10.1.1.10, this command locks address range 10.1.1.1 to 10.1.1.15.

After you lock address ranges in a NAT address group, NAT processes the assigned and unassigned address resources as follows:

·     NAT does not actively reclaim the used address resources in the address ranges. NAT services that exist before this command is executed are not affected.

·     Unassigned address resources are no longer assigned to users. Locked addresses are excluded from resource usage calculation of the address group.

Recommended configuration

As a best practice, use different locking methods to meet different requirements.

·     To reserve some address ranges in a NAT address group for maintenance, execute the lock address start-address end-address command to lock them. Then, execute the nat user-table change-global-ip command to replace the public IP addresses to be locked, or force the users that use the addresses offline. After you confirm that no users are using the addresses, execute the undo address command to remove the address ranges from the address group.

·     To reserve all address ranges in a NAT address group for maintenance, execute the lock address command to lock them. Then, execute the nat user-table change-global-ip command to replace the public IP addresses to be locked, or force the users that use the addresses offline. After you confirm that no users are using the addresses, execute the undo address command to remove all address ranges from the address group.

After you execute the lock address command, the address usage of the address group is 0.

Restrictions and guidelines

You cannot lock address ranges in a NAT address group in one of the following conditions:

·     The NAT address group has been bound to a global address pool.

·     You have enabled hardware NAT by using the nat hardware-mode enable command.

·     Interface-based NAT is used for address translation.

To lock multiple address segments, repeat the lock address start-address end-address command.

If you execute the lock address start-address end-address command multiple times in the same address group, make sure the specified address segments do not overlap.

You can execute this command for up to five times in the same NAT address group.
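The locking semantics and restrictions above, as an added Python model that is not H3C code: a segment that touches any part of an address range locks that whole range, lock segments in one group may not overlap, at most five lock commands are accepted, and locked addresses drop out of the usage calculation. The usage formula over unlocked addresses only is this model's assumption.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


class NatAddressGroupLocks:
    """Constructed model of how lock address affects a NAT address group (not H3C code)."""

    MAX_LOCK_COMMANDS = 5  # documented limit per address group

    def __init__(self, address_ranges):
        # (start, end) pairs added with the address command, stored as integers
        self.ranges = [(_ip(s), _ip(e)) for s, e in address_ranges]
        self.segments = []   # segments given to "lock address start end"
        self.locked = set()  # indices of address ranges currently locked

    def lock_address(self, start=None, end=None):
        if start is None:    # "lock address" with no parameters locks every range
            self.locked = set(range(len(self.ranges)))
            return
        s, e = _ip(start), _ip(end)
        if e < s:
            raise ValueError("end address cannot be lower than start address")
        if len(self.segments) >= self.MAX_LOCK_COMMANDS:
            raise RuntimeError("lock address can be executed at most five times per group")
        if any(s <= le and ls <= e for ls, le in self.segments):
            raise ValueError("lock address segments in one group must not overlap")
        self.segments.append((s, e))
        # Any address range the segment touches, even partially, is locked as a whole.
        for i, (rs, re_) in enumerate(self.ranges):
            if s <= re_ and rs <= e:
                self.locked.add(i)

    def locked_ranges(self):
        return [(str(ipaddress.IPv4Address(rs)), str(ipaddress.IPv4Address(re_)))
                for i, (rs, re_) in enumerate(self.ranges) if i in self.locked]

    def in_unlocked_range(self, addr):
        """True if the address may still be handed to a new online user."""
        a = _ip(addr)
        return any(rs <= a <= re_ and i not in self.locked
                   for i, (rs, re_) in enumerate(self.ranges))

    def usage_percent(self, assigned):
        """Usage computed over unlocked addresses only (assumption): users already on
        locked addresses are not reclaimed but no longer count, so locking every range
        yields 0 as documented."""
        unlocked_total = sum(re_ - rs + 1 for i, (rs, re_) in enumerate(self.ranges)
                             if i not in self.locked)
        if unlocked_total == 0:
            return 0.0
        used = sum(1 for a in assigned if self.in_unlocked_range(a))
        return 100.0 * used / unlocked_total


if __name__ == "__main__":
    # The example from the text: range 10.1.1.1-10.1.1.15, lock 10.1.1.1-10.1.1.10.
    g = NatAddressGroupLocks([("10.1.1.1", "10.1.1.15"), ("10.1.2.1", "10.1.2.20")])
    g.lock_address("10.1.1.1", "10.1.1.10")
    print(g.locked_ranges())            # the whole 10.1.1.1-10.1.1.15 range is locked
    print(g.in_unlocked_range("10.1.1.12"), g.in_unlocked_range("10.1.2.5"))
```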

Examples

# Lock address segment 1.1.1.1 to 1.1.1.10 in NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] lock address 1.1.1.1 1.1.1.10

# Lock all address ranges in NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] lock address

Related commands

display nat address-group

display nat instance address-group

nat address-group bind-ip-pool

nat hardware-mode enable

user-table change-global-ip

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id [ vpn-instance vpn-instance-name ]

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create an address group for the public network, do not specify this option.

Usage guidelines

Application scenarios

A NAT address group can contain multiple address ranges. Dynamic NAT translates the source IP address of a packet to an IP address in the address group.

For interface-based NAT, you can only use the address command to add address ranges to an address group.

For global NAT, you can use one of the following methods to add address ranges to an address group:

·     Use the address command.

·     Use the nat address-group bind-ip-pool command to bind a NAT address group to a global address pool. The global address pool assigns address ranges to the NAT address group.

You can bind a NAT address group to a global address pool only if the following conditions are met:

¡     The NAT address group is created for the public network.

¡     Port block parameters are configured or the port-by-port allocation method is enabled for the NAT address group.

Recommended configuration

In scenarios where public address resources are limited and users in different VPNs must be assigned with the same public addresses, you can bind different address groups that contain overlapping address ranges to different VPN instances.

Route advertisement

After you specify an address group for address translation, NAT advertises host routes for all addresses in the address group to the public network or VPN instance.

·     If the address group is not bound to a VPN instance, the advertised host routes belong to the public network.

·     If the address group is bound to a VPN instance, the advertised host routes belong to the VPN instance.

Restrictions and guidelines

You can configure multiple address groups for the public network or a VPN instance. However, you must make sure they do not contain overlapping address ranges.

When you delete or edit a NAT address group, follow these restrictions and guidelines:

·     You cannot use the undo nat address-group command to delete a NAT address group in use.

·     You cannot repeat the nat address-group command to change the VPN instance bound to a NAT address group. To change the VPN instance, first execute the undo nat address-group command to delete the NAT address group. Then, execute the nat address-group command to re-create the NAT address group and bind it to a new VPN instance.

·     You can bind a NAT address group to a VPN instance when you perform either of the following tasks, but not both:

¡     Execute the nat address-group command to create the address group.

¡     Execute the nat inbound or nat outbound command to specify the address group for inbound or outbound dynamic NAT, respectively.

If the NAT address group has been bound to a VPN instance when you perform either of the tasks, you cannot specify a VPN instance for it.

Examples

# Create a NAT address group numbered 1.

<Sysname> system-view

[Sysname] nat address-group 1

Related commands

address

display nat address-group

display nat all

nat outbound

port-block

port-single-alloc

nat address-group-usage enable

Use nat address-group-usage enable to enable logging for resource usage in NAT address groups.

Use undo nat address-group-usage enable to disable logging for resource usage in NAT address groups.

Syntax

nat address-group-usage enable

undo nat address-group-usage enable

Default

Logging for resource usage in NAT address groups is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, logging for resource usage in NAT address groups is enabled. A log is generated when the resource usage in a NAT address group reaches or exceeds 90%. Disable this feature when the device outputs too many log messages or such logs are not of interest.

Examples

# Disable logging for resource usage in NAT address groups.

<Sysname> system-view

[Sysname] undo nat address-group-usage enable

Related commands

display nat all

display nat log

nat address-group-usage threshold

nat address-group-usage threshold

Use nat address-group-usage threshold to set the threshold for resource usage in NAT address groups.

Use undo nat address-group-usage threshold to restore the default.

Syntax

nat address-group-usage threshold threshold-value

undo nat address-group-usage threshold

Default

The threshold for resource usage in NAT address groups is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies a threshold in percentage. The value range is 40 to 100.

Usage guidelines

Operating mechanism

The device generates a log in the following scenarios:

·     The device reports a threshold violation event when the resource usage in a NAT address group reaches or exceeds the threshold.

·     The device reports a resource usage recovery event when the resource usage in a NAT address group drops below 87.5% of the threshold.

Restrictions and guidelines

This command takes effect only after you enable both NAT logging and logging for resource usage in NAT address groups.
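The violation and recovery events above form a hysteresis band (recovery is reported below 87.5% of the threshold, not just below the threshold). This added Python replay, not part of the command reference, shows which samples produce events; that only state changes generate events is this model's assumption.

```python
def usage_events(samples, threshold=90):
    """Replay (time, usage_percent) samples through the documented threshold logic.

    Model assumptions: a violation event fires when usage reaches or exceeds the
    threshold and a recovery event when usage drops below 87.5% of the threshold;
    the state only flips at those points, so a dip that stays at or above 87.5% of
    the threshold does not clear an active violation."""
    recover_below = threshold * 0.875
    in_violation = False
    events = []
    for t, usage in samples:
        if not in_violation and usage >= threshold:
            in_violation = True
            events.append((t, "threshold-violation", usage))
        elif in_violation and usage < recover_below:
            in_violation = False
            events.append((t, "usage-recovery", usage))
    return events


# Constructed usage samples for a group configured with
# "nat address-group-usage threshold 80" (recovery is therefore reported below 70%).
SAMPLES = [(0, 60), (1, 79), (2, 80), (3, 85), (4, 75), (5, 69), (6, 80)]

if __name__ == "__main__":
    for event in usage_events(SAMPLES, threshold=80):
        print(event)   # the 75% sample at t=4 does not recover; 69% at t=5 does
```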

Examples

# Set the threshold for resource usage in NAT address groups to 80%.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat address-group-usage enable

[Sysname] nat address-group-usage threshold 80

Related commands

nat log enable

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG is disabled for all supported protocols except for FTP, ICMP error packets, and RTSP.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H.323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

Operating mechanism

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.

Restrictions and guidelines

After you execute the nat alg h323 command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view or NAT instance view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view or NAT instance view, you cannot execute the nat alg h323 command.

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat mapping-behavior endpoint-independent { tcp | udp } *

nat attack-defense

Use nat attack-defense to limit the rate of sending protocol packets on a NAT service card to the CPU.

Use undo nat attack-defense to restore the default.

Syntax

In standalone mode:

nat attack-defense { alg | other | tcp | tcp-syn } rate rate-value slot slot-number [ cpu cpu-number ]

undo nat attack-defense { alg | other | tcp | tcp-syn } rate slot slot-number [ cpu cpu-number ]

nat attack-defense forward udp rate rate-value slot slot-number [ cpu cpu-number ]

undo nat attack-defense forward udp rate slot slot-number [ cpu cpu-number ]

nat attack-defense reverse udp { packet-rate packet-rate-value | rate rate-value } slot slot-number [ cpu cpu-number ]

undo nat attack-defense reverse udp { packet-rate | rate } slot slot-number [ cpu cpu-number ]

In IRF mode:

nat attack-defense { alg | other | tcp | tcp-syn } rate rate-value chassis chassis-number slot slot-number [ cpu cpu-number ]

undo nat attack-defense { alg | other | tcp | tcp-syn } rate chassis chassis-number slot slot-number [ cpu cpu-number ]

nat attack-defense forward udp rate rate-value chassis chassis-number slot slot-number [ cpu cpu-number ]

undo nat attack-defense forward udp rate chassis chassis-number slot slot-number [ cpu cpu-number ]

nat attack-defense reverse udp { packet-rate packet-rate-value | rate rate-value } chassis chassis-number slot slot-number [ cpu cpu-number ]

undo nat attack-defense reverse udp { packet-rate | rate } chassis chassis-number slot slot-number [ cpu cpu-number ]

Default

Limit the rate to 4000 Kpps for sending forward UDP packets to the CPU.

Limit the rate to 65 Mbps for sending reverse UDP packets to the CPU.

Limit the rate to 4000 Kpps for sending forward TCP SYN packets to the CPU.

Limit the rate to 64 Kpps for sending TCP packets (excluding the forward TCP SYN packets) to the CPU.

Limit the rate to 500 Kpps for sending packets after ALG resolution and processing to the CPU.

Limit the rate to 65 Mbps for sending other protocol packets to the CPU.

Views

System view

Predefined user roles

network-admin

Parameters

alg: Specifies protocol packets that are processed by NAT ALG.

other: Specifies packets of other protocols, including fragments and RawIP packets.

tcp: Specifies TCP packets except forward TCP SYN packets.

tcp-syn: Specifies forward TCP SYN packets.

forward: Specifies forward protocol packets that are sent by session initiators.

reverse: Specifies reverse protocol packets that are sent by session responders.

udp: Specifies UDP packets.

packet-rate packet-rate-value: Sets the rate limit of sending reverse UDP packets to the CPU, in Kpps. The value is an integer in the range of 1 to 4000.

rate rate-value: Sets the rate limit of sending protocol packets to the CPU. The value is an integer in the range of 1 to 4000. The rate unit and limited rate vary by protocol packet type:

·     Protocol packets specified by the other keyword and reverse UDP packet—The rate unit is Mbps and this option limits the flow rate of sending packets to the CPU.

·     TCP packets, forward TCP SYN packets, packets processed by NAT ALG, and forward UDP packets—The rate unit is Kpps and this option limits the packet rate of sending packets to the CPU.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Application scenarios

To protect system resources from running out due to processing a large number of protocol packets, you can adjust the rate of sending protocol packets on a NAT service card to the CPU as required.

Operating mechanism

When the rate of sending packets to the CPU for a protocol exceeds the limit, the NAT service card determines that an attack occurs. It enters attack detection state and drops subsequent packets of this protocol. This feature avoids CPU resource exhaustion caused by processing a large number of protocol packets, so that the system keeps operating correctly while it experiences such an attack.

Recommended configuration

When the session creation rate is high for a protocol, you can limit the rate of sending packets to the CPU for this protocol. To view the protocol-specific session creation rate, execute the display session statistics command.

As a best practice to limit the rate of sending reverse UDP packets to the CPU, perform one of the following tasks as required:

·     If the UDP packets are large in size but low in quantity, use the nat attack-defense reverse udp rate command.

·     If the UDP packets are small in size but high in quantity, use the nat attack-defense reverse udp packet-rate command. This command is typically used.

Restrictions and guidelines

The nat attack-defense reverse udp packet-rate and nat attack-defense reverse udp rate commands are mutually exclusive.

Examples

# Limit the rate to 20 Kpps for sending forward UDP packets to the CPU on the specified slot.

<Sysname> system-view

[Sysname] nat attack-defense forward udp rate 20 slot 2

# Limit the rate to 30 Mbps for sending reverse UDP packets to the CPU on the specified slot.

<Sysname> system-view

[Sysname] nat attack-defense reverse udp rate 30 slot 2

# Limit the rate to 40 Kpps for sending reverse UDP packets to the CPU on the specified slot.

<Sysname> system-view

[Sysname] nat attack-defense reverse udp packet-rate 40 slot 2

Related commands

display session statistics (Security Command Reference)

nat attack-defense reverse-blacklist aging-time

Use nat attack-defense reverse-blacklist aging-time to set the aging time for NAT denylist entries.

Use undo nat attack-defense reverse-blacklist aging-time to restore the default.

Syntax

nat attack-defense reverse-blacklist aging-time time

undo nat attack-defense reverse-blacklist aging-time

Default

The aging time for NAT denylist entries is 600 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time for NAT denylist entries, in the range of 10 to 86400 seconds.

Usage guidelines

Operating mechanism

When the NAT denylist feature is enabled, the device monitors packets whose destination IP addresses match the UNR routes that NAT generates for the source address translation configurations in effect.

If such packets are sent to the CPU for processing and their drop rate reaches the threshold set by using the nat attack-defense reverse-blacklist detect-threshold command, the device determines that they are attack packets. It generates a denylist entry for attack packets with the same destination IP address, port, and protocol type to block subsequent packets with the same characteristics.

By default, the aging time for NAT denylist entries is 600 seconds. After the aging time expires, NAT deletes the entries from the denylist. Then, it continues to monitor packets with destination IP addresses in the deleted entries.

Recommended configuration

As a best practice, if the denylist has a high risk of mistaken blocking, set a shorter aging time for the denylist entries. If attack traffic persists for a long time or has a large scale, set a longer aging time for the denylist entries.

Restrictions and guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the aging time for NAT denylist entries to 1000 seconds.

<Sysname> system-view

[Sysname] nat attack-defense reverse-blacklist aging-time 1000

Related commands

nat attack-defense reverse-blacklist enable

display nat attack-defense reverse-blacklist

nat attack-defense reverse-blacklist detect-threshold

Use nat attack-defense reverse-blacklist detect-threshold to set the threshold for triggering NAT to generate denylist entries.

Use undo nat attack-defense reverse-blacklist detect-threshold to restore the default.

Syntax

nat attack-defense reverse-blacklist detect-threshold ip-port-level ip-port-level-threshold-value

undo nat attack-defense reverse-blacklist detect-threshold ip-port-level

Default

The threshold for triggering NAT to generate denylist entries is 10 kpps.

Views

System view

Predefined user roles

network-admin

Parameters

ip-port-level ip-port-level-threshold-value: Specifies the threshold for triggering NAT to generate denylist entries, in kpps. The value range for the ip-port-level-threshold-value argument is 1 to 256.

Usage guidelines

When the NAT denylist feature is enabled, the device monitors packets whose destination IP addresses match the UNR routes that NAT generates for the source address translation configurations in effect.

If such packets are sent to the CPU for processing and their drop rate reaches the threshold set by using the nat attack-defense reverse-blacklist detect-threshold command, the device determines that they are attack packets. It generates a denylist entry for attack packets with the same destination IP address, port, and protocol type to block subsequent packets with the same characteristics.

The generated denylist entries vary by address translation mode:

·     In Endpoint-Independent Mapping (EIM) mode, the device creates three-tuple denylist entries based on the destination IP address, destination port, and protocol type of packets.

·     In Address and Port-Dependent Mapping (APDM) mode, the device creates five-tuple denylist entries based on the source IP address, source port, protocol type, destination IP address, and destination port of packets.

To view the denylist entries generated by NAT, execute the display nat attack-defense reverse-blacklist command.

Examples

# Set the threshold for triggering NAT to generate denylist entries to 50 kpps.

<Sysname> system-view

[Sysname] nat attack-defense reverse-blacklist detect-threshold ip-port-level 50

Related commands

display nat attack-defense reverse-blacklist

nat attack-defense reverse-blacklist detect-threshold

nat attack-defense reverse-blacklist enable

Use nat attack-defense reverse-blacklist enable to enable the NAT denylist feature.

Use undo nat attack-defense reverse-blacklist enable to disable the NAT denylist feature.

Syntax

nat attack-defense reverse-blacklist enable

undo nat attack-defense reverse-blacklist enable

Default

The NAT denylist feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

If you configure source address translation and do not configure destination address translation on the device, the device automatically generates UNR host routes for the source address translation configurations that take effect. The destination IP addresses of the routes are the public IP addresses in the source address translation configurations, and the output interface is interface Null 0.

When the device receives a packet from the public network in which the destination IP address matches that of a UNR route, it first finds the corresponding NAT session entry. If no corresponding NAT session entry is found (indicating that no internal user initiates a connection to the public network), the device sends the packet to the CPU and the CPU drops the packet.

A large number of such packets or an illegal traffic attack consumes vast CPU resources, which affects normal service operation. To resolve such an issue, enable this feature.

Operating mechanism

The NAT denylist feature blocks attack traffic targeting specific destination IP addresses, ports, and protocol types. It enhances network security by monitoring and intercepting abnormal traffic. When this feature is enabled, the device monitors packets with destination IP addresses matching those of UNR routes, and processes them as follows:

1.     Finds the corresponding NAT session entries. If the device finds the corresponding NAT session entries, it performs reverse address translation. If the device does not find the corresponding NAT session entries, it goes to step 2.

2.     Finds the destination address translation configurations that match the destination IP addresses. If the device finds matching configurations, it performs destination address translation. If the device does not find matching configurations, it goes to step 3.

3.     Searches for entries (including EIM and NO-PAT entries) that support destination IP address translation. If the device finds such entries, it performs reverse address translation. If the device does not find such entries, it sends the packets to the CPU. The CPU processes and drops the packets.

When the dropped packet rate reaches the specified threshold, the device determines that the packets are attack packets. It generates a denylist entry for attack packets with the same destination IP address, port, and protocol type to block subsequent packets with the same characteristics.
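The three-step lookup, the drop-rate trigger, the EIM three-tuple versus APDM five-tuple entry keys (described under nat attack-defense reverse-blacklist detect-threshold), and entry aging, as an added Python model that is not H3C code. The sliding 1-second rate window, the check of existing denylist entries before any lookup, and the exact expiry time are assumptions of this model.

```python
from collections import defaultdict, deque


class NatReverseDenylist:
    """Constructed model of the NAT denylist processing described above (not H3C code)."""

    def __init__(self, mode="eim", detect_threshold_kpps=10, aging_time=600):
        self.mode = mode                         # "eim" or "apdm"
        self.threshold_pps = detect_threshold_kpps * 1000
        self.aging_time = aging_time             # seconds, as for reverse-blacklist aging-time
        self.entries = {}                        # denylist key -> expiry time
        self.drops = defaultdict(deque)          # key -> CPU-drop timestamps in the window

    def key(self, pkt):
        if self.mode == "eim":                   # three-tuple entries
            return (pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        return (pkt["src_ip"], pkt["src_port"], pkt["proto"],
                pkt["dst_ip"], pkt["dst_port"])  # five-tuple entries in APDM mode

    def handle(self, pkt, now, sessions, dst_nat_ips, translatable):
        """Process one public-network packet whose destination matches a UNR route.

        sessions and translatable are sets of (dst_ip, dst_port, proto): existing NAT
        sessions and EIM/NO-PAT entries. dst_nat_ips holds public IPs that have
        destination address translation configured."""
        self._age(now)
        k = self.key(pkt)
        if k in self.entries:                    # assumption: denylist checked first
            return "denylist-drop"
        dst = (pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        if dst in sessions:                      # step 1: matching NAT session
            return "reverse-translation"
        if pkt["dst_ip"] in dst_nat_ips:         # step 2: destination NAT configuration
            return "destination-translation"
        if dst in translatable:                  # step 3: EIM / NO-PAT entries
            return "reverse-translation"
        # No match: the packet goes to the CPU and is dropped; measure the drop rate
        # over a sliding 1-second window (assumption) for this key.
        window = self.drops[k]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.threshold_pps:
            self.entries[k] = now + self.aging_time
            window.clear()
            return "cpu-drop+denylist-entry"
        return "cpu-drop"

    def _age(self, now):
        for k in [k for k, expiry in self.entries.items() if now >= expiry]:
            del self.entries[k]


def simulate():
    """Constructed burst: 1200 unsolicited TCP packets to a NAT public address within
    0.6 s against a 1 kpps threshold, a legitimate reverse packet for an existing
    session, and one more unsolicited packet after the entry has aged out."""
    dl = NatReverseDenylist(mode="eim", detect_threshold_kpps=1, aging_time=600)
    pkt = {"src_ip": "198.51.100.7", "src_port": 40000, "proto": "tcp",
           "dst_ip": "202.10.1.1", "dst_port": 443}
    sessions = {("202.10.1.1", 10240, "tcp")}  # only an outbound session on port 10240 exists
    actions = [dl.handle(pkt, i * 0.0005, sessions, set(), set()) for i in range(1200)]
    legit = dl.handle({**pkt, "dst_port": 10240}, 0.6, sessions, set(), set())
    after_aging = dl.handle(pkt, 0.6 + 600, sessions, set(), set())
    return actions, legit, after_aging


if __name__ == "__main__":
    actions, legit, after_aging = simulate()
    print({a: actions.count(a) for a in set(actions)}, legit, after_aging)
```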

Examples

# Enable the NAT denylist feature.

<Sysname> system-view

[Sysname] nat attack-defense reverse-blacklist enable

Related commands

display nat attack-defense reverse-blacklist

nat attack-defense reverse-blacklist aging-time

nat attack-defense reverse-blacklist detect-threshold

reset nat attack-defense reverse-blacklist

nat dns-map

Use nat dns-map to configure a NAT DNS mapping.

Use undo nat dns-map to remove a NAT DNS mapping.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No NAT DNS mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, example.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

Application scenarios

NAT DNS mapping must cooperate with the NAT Server feature.

Operating mechanism

NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address.

If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.
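The lookup problem above, as an added Python model that is not H3C code: two constructed internal servers share public IP 202.112.0.1, so a DNS reply carrying only that IP is ambiguous, while the DNS mapping from this page's example (www.example.com, TCP, 202.112.0.1, port 12345) selects the right nat server entry. The private addresses and the second server are constructed.

```python
# Constructed tables, not taken from a device: nat server mappings keyed by
# (public ip, public port, protocol) and NAT DNS mappings keyed by domain name.
NAT_SERVER = {
    ("202.112.0.1", 12345, "tcp"): ("192.168.1.10", 80),  # www.example.com
    ("202.112.0.1", 2121, "tcp"): ("192.168.1.20", 21),   # a second server, same public IP
}
DNS_MAP = {
    # nat dns-map domain www.example.com protocol tcp ip 202.112.0.1 port 12345
    "www.example.com": ("tcp", "202.112.0.1", 12345),
}


def dns_alg_rewrite(domain, answer_ip, nat_server=NAT_SERVER, dns_map=DNS_MAP):
    """Decide which private address DNS ALG writes into a DNS reply that an internal
    host receives for an internal server.

    Returns (private_ip, reason). Without a DNS mapping the ALG only has the public IP
    from the reply; when several nat server entries share that IP, the first match is
    taken and may be the wrong server. Domain names are matched case-insensitively."""
    mapping = dns_map.get(domain.lower())
    if mapping:
        proto, public_ip, public_port = mapping
        if public_ip != answer_ip:
            return None, "dns-map public IP does not match the DNS answer; reply unchanged"
        target = nat_server.get((public_ip, public_port, proto))
        if target is None:
            return None, "no nat server entry for the mapped public IP, port and protocol"
        return target[0], "resolved via nat dns-map (IP, port and protocol)"
    matches = [priv for (pub, _port, _proto), (priv, _p) in nat_server.items()
               if pub == answer_ip]
    if not matches:
        return None, "answer IP is not an internal server's public IP; reply unchanged"
    if len(matches) > 1:
        return matches[0], (f"matched by public IP only; {len(matches)} servers share "
                            f"{answer_ip}, so this choice may be wrong")
    return matches[0], "resolved by public IP only (single internal server)"


if __name__ == "__main__":
    print(dns_alg_rewrite("www.example.com", "202.112.0.1"))
    print(dns_alg_rewrite("ftp.example.com", "202.112.0.1"))   # no mapping: may be wrong
```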

Examples

# Configure a NAT DNS mapping to map the domain name www.example.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.example.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat extended-port-block report-radius enable

Use nat extended-port-block report-radius enable to enable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server.

Use undo nat extended-port-block report-radius enable to disable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server.

Syntax

nat extended-port-block report-radius enable

undo nat extended-port-block report-radius enable

Default

The device does not report mappings between user private IP addresses and extended port blocks to the RADIUS server.

Views

System view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

In scenarios with NAT and BRAS unification, after a RADIUS authenticated user obtains a private address, the device pre-allocates a public IP address and port block to the user, and reports the mapping to the RADIUS server. The RADIUS server stores the mapping for the online user. If an extended port block is later assigned to the user instead of the pre-allocated port block, the device, without this feature, does not update the mapping to the RADIUS server. In this case, user tracing might fail.

To solve the problem, you can use this feature to report the mapping between the user private IP address and the extended port block to the RADIUS server. This feature is helpful for user tracing in NAT and BRAS unification with extended port blocks configured.

Operating mechanism

After you enable this feature, if the connection initiated by a user to the public network uses an extended port block, the device reports the following information to the RADIUS server for user tracing:

·     Private address.

·     Corresponding public address.

·     Extended port block.

Restrictions and guidelines

Enable this feature in NAT instance view for global NAT, and enable this feature in system view for interface-based NAT.

You cannot enable or disable this feature when a PPPoE or IPoE user is online.

In system view, this command and the nat instance command are mutually exclusive. They cannot both be configured.

Examples

# Enable reporting mappings between user private IP addresses and extended port blocks to the RADIUS server.

<Sysname> system-view

[Sysname] nat extended-port-block report-radius enable

Related commands

nat instance

port-block block-size

nat hardware aging-accelerate dns enable

Use nat hardware aging-accelerate dns enable to enable NAT to accelerate the aging of session entries and EIM entries generated during DNS packet processing.

Use undo nat hardware aging-accelerate dns enable to disable NAT from accelerating the aging of session entries and EIM entries generated during DNS packet processing.

Syntax

nat hardware aging-accelerate dns enable

undo nat hardware aging-accelerate dns enable

Default

NAT does not accelerate the aging of session entries and EIM entries generated during DNS packet processing.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

In a scenario where a CGN card processes NAT services, a large number of DNS packets in user traffic might cause port resource exhaustion because hardware entries age out slowly. As a result, users cannot deploy new services. To alleviate or resolve such an issue, you can configure this feature.

Operating mechanism

When the NAT device performs address translation on DNS requests and replies, it generates NAT session entries. If you enable the EIM mode on the NAT device, it also generates EIM entries. By default, the session management module updates and ages NAT session entries, and EIM entries age out after all associated NAT session entries have aged out.

With this feature enabled, the NAT device accelerates the aging of session entries and EIM entries generated during DNS packet processing. This quickly releases port resources to prevent new service deployment failure due to port resource exhaustion.

Recommended configuration

As a best practice, enable this feature in a scenario where a CGN card processes NAT services.

Restrictions and guidelines

This command takes effect only on a device installed with a CGN card.

Examples

# Enable NAT to accelerate the aging of session entries and EIM entries generated during DNS packet processing.

<Sysname> system-view

[Sysname] nat hardware aging-accelerate dns enable

Related commands

display nat all

nat log bandwidth-usage threshold

Use nat log bandwidth-usage threshold to set the CGN card bandwidth usage threshold.

Use undo nat log bandwidth-usage threshold to restore the default.

Syntax

nat log bandwidth-usage threshold threshold-value

undo nat log bandwidth-usage threshold

Default

The CGN card bandwidth usage threshold is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies a threshold in percentage. The value range is 20 to 100.

Usage guidelines

The device generates a log in the following scenarios:

·     To report a threshold violation event when the bandwidth usage of the CGN card reaches or exceeds the threshold.

·     To report a threshold recovery event when the bandwidth usage of the CGN card drops below 87.5% of the threshold from a threshold crossing value.

This command takes effect only after you use the nat log enable command to enable NAT logging.
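The violation/recovery hysteresis described above, as an added example that is not H3C code: a constructed series of CGN card bandwidth-usage samples is replayed against the threshold of 80% from this command's example, so recovery is reported only below 70%. It assumes one violation log per crossing, which the page does not state.

```python
# Added example, not H3C code: the violation/recovery hysteresis of the
# bandwidth-usage threshold, replayed over constructed usage samples.
from typing import Iterable, List, Tuple

RECOVERY_FACTOR = 0.875  # recovery is reported below 87.5% of the threshold


def recovery_level(threshold: int) -> float:
    """Usage below which a recovery event is reported after a violation."""
    if not 20 <= threshold <= 100:
        raise ValueError("threshold must be 20 to 100 percent")
    return threshold * RECOVERY_FACTOR


def bandwidth_usage_events(samples: Iterable[Tuple[int, float]],
                           threshold: int = 90) -> List[Tuple[int, str, float]]:
    """Return (time, event, usage) for each log the device would generate.

    Assumption of this example: a violation is reported once when usage reaches
    or exceeds the threshold, and not again until usage has first dropped below
    the recovery level. Values between the two levels therefore log nothing."""
    level = recovery_level(threshold)
    crossed = False
    events: List[Tuple[int, str, float]] = []
    for t, usage in samples:
        if not crossed and usage >= threshold:
            crossed = True
            events.append((t, "threshold-violation", usage))
        elif crossed and usage < level:
            crossed = False
            events.append((t, "threshold-recovery", usage))
    return events


# Constructed samples (time, usage %) for the threshold of 80 set in the page's example.
# Note that 75 at t=3 does not recover: it is above 70 (87.5% of 80).
SAMPLES = [(0, 50), (1, 80), (2, 95), (3, 75), (4, 69), (5, 85), (6, 60)]

if __name__ == "__main__":
    for event in bandwidth_usage_events(SAMPLES, threshold=80):
        print(event)
```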

Examples

# Set the CGN card bandwidth usage threshold to 80%.

<Sysname> system-view

[Sysname] nat log bandwidth-usage threshold 80

Related commands

nat log enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

You must enable NAT logging before you enable the following features: NAT session logging (logging for active NAT flows, NAT flow establishment events, and NAT flow removal events), NAT444 user logging, NAT444 alarm logging, logging for port usage in port blocks, logging for NAT port block usage, and logging for resource usage in NAT address groups.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat address-group-usage threshold

nat log flow-active

nat log flow-begin

nat log flow-end

nat log format user-mac

nat log port-alloc-fail

nat log port-block port-usage threshold

nat log port-block usage enable

nat log port-block-alloc-fail

nat log port-block-assign

nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Application scenarios

Active NAT flows are long-lived NAT sessions or EIM entries that have not yet been deleted. To periodically record the connection state of active NAT flows, enable this feature.

Operating mechanism

The logging feature helps track active NAT flows by periodically logging the active NAT flows.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger active NAT flow logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger active NAT flow logs.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT flow (NAT session or EIM entry) establishment events.

Use undo nat log flow-begin to disable logging for NAT flow establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT flow establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger NAT flow establishment logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger NAT flow establishment logs.

Examples

# Enable logging for NAT flow establishment events.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT flow removal events.

Use undo nat log flow-end to disable logging for NAT flow removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT flow removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

If you specify an ACL when you execute the nat log enable command, only flows matching the permit rule might trigger NAT flow removal logs. If you do not specify any ACL when you execute the nat log enable command, all flows processed by NAT might trigger NAT flow removal logs.

Examples

# Enable logging for NAT flow removal events.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log format user-mac

Use nat log format user-mac to configure the system logs to carry the MAC addresses of online users in a NAT+BRAS scenario.

Use undo nat log format user-mac to restore the default.

Syntax

nat log format user-mac

undo nat log format user-mac

Default

The system logs do not carry the MAC addresses of online users in a NAT+BRAS scenario.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you configure this command, the system logs controlled by the following commands will carry the MAC addresses of online users in a NAT+BRAS scenario:

·     nat log port-block port-usage threshold

·     nat log port-alloc-fail

Examples

# Configure the system logs to carry the MAC addresses of online users in a NAT+BRAS scenario.

<Sysname> system-view

[Sysname] nat log format user-mac

Related commands

display nat log

nat log enable

nat log port-block port-usage threshold

nat log port-alloc-fail

nat log port-alloc-fail

Use nat log port-alloc-fail to enable logging for NAT port resource exhaustion.

Use undo nat log port-alloc-fail to disable logging for NAT port resource exhaustion.

Syntax

nat log port-alloc-fail

undo nat log port-alloc-fail

Default

Logging for NAT port resource exhaustion is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

After you configure the port-by-port allocation method or EIM mode and enable this feature, the device generates a log in the following scenarios:

·     If the port-limit command is not executed, the device generates a log when NAT port resources are exhausted or restored.

·     If the port-limit command is executed, the device generates a log when the NAT port resources assigned to a protocol are exhausted or restored.

Prerequisites

Before configuring this feature, you must configure the custom log output feature. For more information, see fast log output in Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

This command takes effect only after you enable NAT logging by using the nat log enable command.

Examples

# Enable logging for NAT port resource exhaustion.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-alloc-fail

Related commands

display nat all

display nat log

nat log enable

nat log port-block port-usage threshold

Use nat log port-block port-usage threshold to enable logging for port usage in port blocks and set the usage threshold.

Use undo nat log port-block port-usage threshold to disable logging for port usage in port blocks.

Syntax

nat log port-block port-usage threshold value

undo nat log port-block port-usage threshold

Default

Logging for port usage in port blocks is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies a threshold in percentage. The value range is 40 to 100.

Usage guidelines

This feature enables the device to generate a log when the port usage in a port block exceeds the threshold.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for port usage in port blocks and set the threshold to 90%.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-block port-usage threshold 90

Related commands

display nat all

display nat log

nat log enable

nat log port-block usage enable

Use nat log port-block usage enable to enable logging for NAT port block usage.

Use undo nat log port-block usage enable to disable logging for NAT port block usage.

Syntax

nat log port-block usage enable

undo nat log port-block usage enable

Default

Logging for NAT port block usage is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, logging for NAT port block usage is enabled. A log is generated when the NAT port block usage reaches or exceeds 90%. Disable this feature when the device outputs too many log messages or such logs are not of interest.

Examples

# Disable logging for NAT port block usage.

<Sysname> system-view

[Sysname] undo nat log port-block usage enable

Related commands

display nat all

display nat log

nat log port-block usage threshold

nat log port-block usage threshold

Use nat log port-block usage threshold to set the NAT port block usage threshold.

Use undo nat log port-block usage threshold to restore the default.

Syntax

nat log port-block usage threshold value

undo nat log port-block usage threshold

Default

The NAT port block usage threshold is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies a threshold in percentage. The value range is 40 to 100.

Usage guidelines

A log is generated when the NAT port block usage exceeds the threshold.

This command takes effect only after you use the nat log enable command to enable NAT logging and use the nat log port-block usage enable command to enable logging for NAT port block usage.

Examples

# Set the NAT port block usage threshold to 80%.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-block usage enable

[Sysname] nat log port-block usage threshold 80

Related commands

display nat all

display nat log

nat log enable

nat log port-block usage enable

nat log port-block-alloc-fail

Use nat log port-block-alloc-fail to enable logging for NAT port block resource exhaustion.

Use undo nat log port-block-alloc-fail to disable logging for NAT port block resource exhaustion.

Syntax

nat log port-block-alloc-fail

undo nat log port-block-alloc-fail

Default

Logging for NAT port block resource exhaustion is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to generate logs when the port block resources in dynamic port block mappings are exhausted.

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for NAT port block resource exhaustion.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-block-alloc-fail

Related commands

display nat all

display nat log

nat log enable

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

NAT444 user logs are used for user tracing. The NAT444 gateway generates a user log whenever it assigns or withdraws a port block. The log includes the private IP address, public IP address, and port block. You can use the public IP address and port numbers to locate the user's private IP address from the user logs.

Operating mechanism

The NAT444 gateway generates a port block assignment user log in the following conditions:

·     For static port block mapping, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

·     For dynamic port block mapping, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-block-assign

Related commands

display nat all

display nat log

nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

NAT444 user logs are used for user tracing. The NAT444 gateway generates a user log whenever it assigns or withdraws a port block. The log includes the private IP address, public IP address, and port block. You can use the public IP address and port numbers to locate the user's private IP address from the user logs.

Operating mechanism

The NAT444 gateway generates a port block withdrawal user log in the following conditions:

·     For static port block mapping, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

·     For dynamic port block mapping, the NAT444 gateway generates a user log when all the following conditions are met:

¡     The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

¡     The corresponding mapping entry is deleted.
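The user tracing that the port block assignment and withdrawal logs exist for (described here and under nat log port-block-assign), as an added example that is not H3C code: constructed assignment and withdrawal records are replayed to find which private IP held a given public IP and port at a given time, including a port obtained through an extended block. The record layout is a constructed simplification, not the device's log format.

```python
# Added example, not H3C code: tracing a public IP/port back to a private IP
# from NAT444 port block assignment and withdrawal user logs. The record layout
# "<ISO time> <assign|withdraw> <private IP> <public IP> <start>-<end>" is a
# constructed simplification, not the device's log format; events are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortBlockEvent:
    time: datetime
    action: str          # "assign" (initial or extended block) or "withdraw"
    private_ip: str
    public_ip: str
    port_start: int
    port_end: int


def parse_events(lines: List[str]) -> List[PortBlockEvent]:
    """Parse constructed records and return them in time order."""
    events = []
    for line in lines:
        time_s, action, private_ip, public_ip, block = line.split()
        if action not in ("assign", "withdraw"):
            raise ValueError(f"unknown action in record: {line!r}")
        start, end = (int(p) for p in block.split("-"))
        if start > end:
            raise ValueError(f"malformed port block in record: {line!r}")
        events.append(PortBlockEvent(datetime.fromisoformat(time_s), action,
                                     private_ip, public_ip, start, end))
    return sorted(events, key=lambda e: e.time)


def trace_user(events: List[PortBlockEvent], public_ip: str, public_port: int,
               at: str) -> Optional[str]:
    """Private IP that held public_ip:public_port at ISO time `at`, or None.

    Replays the logs up to `at`. A withdrawal log is written only after every
    block of the user (extended ones included) has been withdrawn, so one
    withdrawal record releases all blocks the user held on that public IP."""
    at_time = datetime.fromisoformat(at)
    active: Dict[Tuple[str, int, int], str] = {}   # (public_ip, start, end) -> private_ip
    for e in events:
        if e.time > at_time:
            break
        if e.action == "assign":
            active[(e.public_ip, e.port_start, e.port_end)] = e.private_ip
        else:
            held = [k for k, ip in active.items() if ip == e.private_ip and k[0] == e.public_ip]
            for key in held:
                del active[key]
    for (ip, start, end), private_ip in active.items():
        if ip == public_ip and start <= public_port <= end:
            return private_ip
    return None


# Constructed user log records: 10.1.1.5 gets an initial block, then an extended
# block, and is withdrawn at 11:00; its initial block is later reused by 10.1.1.7.
USER_LOGS = [
    "2024-05-01T10:00:00 assign 10.1.1.5 202.110.10.10 1024-1535",
    "2024-05-01T10:02:00 assign 10.1.1.6 202.110.10.10 1536-2047",
    "2024-05-01T10:05:00 assign 10.1.1.5 202.110.10.10 2048-2559",
    "2024-05-01T11:00:00 withdraw 10.1.1.5 202.110.10.10 1024-1535",
    "2024-05-01T11:30:00 assign 10.1.1.7 202.110.10.10 1024-1535",
]

if __name__ == "__main__":
    evs = parse_events(USER_LOGS)
    # port 2100 sits in the extended block: without that block being logged, this lookup would fail
    print(trace_user(evs, "202.110.10.10", 2100, "2024-05-01T10:30:00"))  # 10.1.1.5
    print(trace_user(evs, "202.110.10.10", 1100, "2024-05-01T11:45:00"))  # 10.1.1.7
```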

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log enable

[Sysname] nat log port-block-withdraw

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior endpoint-independent { tcp | udp } *

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping mode for PAT.

Use undo nat mapping-behavior endpoint-independent to restore the default.

Syntax

nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *

undo nat mapping-behavior endpoint-independent

Default

Connection-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

tcp: Creates EIM entries for TCP connections.

udp: Creates EIM entries for UDP connections.

tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword, only EIM entries are created.

udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword, only EIM entries are created.

Usage guidelines

PAT supports the following types of NAT mappings:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections even if the connections have the same source IP address and port number. It is more secure because it allows an external host to access an internal host only if the internal host has previously accessed that external host.
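The two mapping behaviours contrasted above, as an added example that is not H3C code: a small model that allocates public ports in each mode and shows which inbound packets each mode admits. The public IP and port allocation order are constructed.

```python
# Added example, not H3C code: a small model of the two PAT mapping behaviours
# described above, showing which inbound packets each one admits. The public
# IP and the port allocation order are constructed for the example.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class PatMapper:
    """mode="eim": Endpoint-Independent Mapping, one public (IP, port) per
    internal (IP, port, protocol), reachable from any external host.
    mode="cdm": Connection-Dependent Mapping, one public (IP, port) per
    connection, reachable only from the external endpoint that was contacted."""

    def __init__(self, mode: str, public_ip: str = "202.110.10.10") -> None:
        if mode not in ("eim", "cdm"):
            raise ValueError("mode must be 'eim' or 'cdm'")
        self.mode = mode
        self.public_ip = public_ip
        self.next_port = 1024
        # EIM entries: (internal endpoint, protocol) -> public endpoint
        self.eim: Dict[Tuple[Endpoint, str], Endpoint] = {}
        # per-connection mappings (CDM): (internal, external, protocol) -> public endpoint
        self.sessions: Dict[Tuple[Endpoint, Endpoint, str], Endpoint] = {}
        # reverse session entries: (public, external, protocol) -> internal endpoint
        self.reverse: Dict[Tuple[Endpoint, Endpoint, str], Endpoint] = {}

    def _allocate(self) -> Endpoint:
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.public_ip, port)

    def outbound(self, src: Endpoint, dst: Endpoint, proto: str) -> Endpoint:
        """Translate an internal->external packet; returns the public source endpoint."""
        if self.mode == "eim":
            key = (src, proto)
            if key not in self.eim:
                self.eim[key] = self._allocate()  # reused for every destination
            public = self.eim[key]
        else:
            conn = (src, dst, proto)
            if conn not in self.sessions:
                self.sessions[conn] = self._allocate()  # fresh port per connection
            public = self.sessions[conn]
        self.reverse[(public, dst, proto)] = src
        return public

    def inbound(self, ext: Endpoint, public: Endpoint, proto: str) -> Optional[Endpoint]:
        """Translate an external->internal packet; None means it is not admitted."""
        if self.mode == "eim":
            # any external host may send to the EIM entry's public endpoint
            for (src, p), pub in self.eim.items():
                if p == proto and pub == public:
                    return src
            return None
        # CDM: only the external endpoint this internal host previously contacted
        return self.reverse.get((public, ext, proto))


def scenario(mode: str) -> Tuple[bool, bool, bool]:
    """Internal host 10.0.0.2:5000 talks to two external DNS servers (constructed
    addresses); then an unrelated host and one contacted server send back.
    Returns (same public mapping for both flows, unrelated host admitted,
    contacted server admitted)."""
    nat = PatMapper(mode)
    internal = ("10.0.0.2", 5000)
    p1 = nat.outbound(internal, ("203.0.113.5", 53), "udp")
    p2 = nat.outbound(internal, ("203.0.113.6", 53), "udp")
    unrelated = nat.inbound(("198.51.100.9", 4444), p1, "udp")
    contacted = nat.inbound(("203.0.113.5", 53), p1, "udp")
    return (p1 == p2, unrelated == internal, contacted == internal)


if __name__ == "__main__":
    print("eim:", scenario("eim"))  # (True, True, True)
    print("cdm:", scenario("cdm"))  # (False, False, True)
```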

When you specify the EIM mode for PAT, follow these restrictions and guidelines:

·     For interface-based NAT, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view if any one of the following commands has been executed on the device:

¡     nat static outbound.

¡     nat static outbound net-to-net.

¡     nat alg h323.

·     For interface-based NAT, you cannot execute the nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } * command in system view if load sharing NAT server mappings have been configured on the device.

·     For global NAT, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view if any one of the following commands has been executed on the device:

¡     nat static outbound.

¡     nat static outbound net-to-net.

¡     nat alg h323.

After you execute the nat mapping-behavior endpoint-independent command, EIM entries and five-tuple session entries are always created for ICMP connections.

The existing and newly configured dynamic NO-PAT rules do not take effect if you specify the Endpoint-Independent Mapping mode for outbound dynamic PAT rules.

Examples

# Apply the Endpoint-Independent Mapping mode and create EIM entries for TCP packet address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent tcp

Related commands

display nat eim

display nat eim statistics

nat outbound

nat server (interface-based NAT)

nat static outbound

nat static outbound net-to-net

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

address-group group-id: Specifies an address group for NAT. The value range for the group-id argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address (Easy IP).

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group do not belong to any VPN instance, do not specify this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Enables reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network.

port-preserved: Tries to preserve the port number for PAT. This keyword does not take effect on dynamic port block mappings.

Usage guidelines

Application scenarios

For outbound dynamic NAT, address mappings between the private and public networks are dynamically generated during connection establishment. Use outbound dynamic NAT in scenarios where a large number of internal users need to access the external network.

Operating mechanism

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

The dynamic port block mapping does not support the NO-PAT mode.
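The ACL reverse matching described above, as an added example that is not H3C code: an inbound packet is reverse translated only if a NO-PAT entry exists for its public destination and the ACL permits it with the roles swapped. The ACL, NO-PAT entries and packets are constructed.

```python
# Added example, not H3C code: the ACL reverse matching that the reversible
# keyword applies to inbound packets, modelled with the ipaddress module. The
# ACL, the NO-PAT entries and the packets below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    """One ACL rule. None in a field means 'match any' (a basic ACL has only a source)."""
    permit: bool
    source: Optional[str] = None       # source network, e.g. "10.110.10.0/24"
    destination: Optional[str] = None  # destination network
    dest_port: Optional[int] = None    # destination port

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.source and ip_address(src_ip) not in ip_network(self.source):
            return False
        if self.destination and ip_address(dst_ip) not in ip_network(self.destination):
            return False
        return self.dest_port is None or self.dest_port == dst_port


def acl_permits(acl: List[AclRule], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First matching rule decides; a packet matching no rule is not permitted."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.permit
    return False


def reverse_translate(acl: List[AclRule], nopat: Dict[str, str], reversible: bool,
                      src_ip: str, src_port: int, dst_ip: str) -> Optional[str]:
    """Decide whether an inbound packet (external src -> public dst) is reverse
    translated. Returns the private destination IP, or None when the packet is
    not translated by this rule.

    ACL reverse matching evaluates the ACL with the roles swapped: the packet's
    source IP/port is compared with the ACL destination fields, and the
    destination translated through the NO-PAT entry is compared with the ACL
    source fields, i.e. the ACL is checked as for the original outbound flow."""
    if not reversible:
        return None                                   # keyword absent: no reverse translation
    private_ip = next((priv for priv, pub in nopat.items() if pub == dst_ip), None)
    if private_ip is None:
        return None                                   # no NO-PAT entry for this public address
    if not acl_permits(acl, src_ip=private_ip, dst_ip=src_ip, dst_port=src_port):
        return None                                   # fails ACL reverse matching
    return private_ip


# Constructed advanced ACL: internal 10.110.10.0/24 may reach 203.0.113.0/24, all else denied.
ACL_2001 = [
    AclRule(permit=True, source="10.110.10.0/24", destination="203.0.113.0/24"),
    AclRule(permit=False),
]
# Constructed NO-PAT entries created by earlier outbound traffic: private -> public.
NOPAT_ENTRIES = {"10.110.10.5": "202.110.10.10"}

if __name__ == "__main__":
    print(reverse_translate(ACL_2001, NOPAT_ENTRIES, True, "203.0.113.7", 443, "202.110.10.10"))  # 10.110.10.5
    print(reverse_translate(ACL_2001, NOPAT_ENTRIES, True, "198.51.100.4", 443, "202.110.10.10"))  # None
```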

Restrictions and guidelines

When you specify a NAT address group, follow these restrictions and guidelines:

·     An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·     You can bind a NAT address group to a VPN instance when you execute the nat address-group or nat outbound command, but not both. If you have bound a NAT address group to a VPN instance by using one command, you cannot bind it to a VPN instance when you execute the other command.

·     When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic port block mapping rule. Packets matching the ACL permit rule are processed by dynamic port block mapping.

If you specify the EIM mode for PAT by executing the nat mapping-behavior endpoint-independent command in system view, NO-PAT configurations do not take effect.

After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in a NAT instance, you cannot configure NO-PAT in that NAT instance. After you configure NO-PAT in a NAT instance, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in that NAT instance.

When you specify an ACL, follow these restrictions and guidelines:

·     After you enable hardware NAT, the ACL can only filter packets by IP address, port number, protocol type, and VPN.

·     An ACL can be used by only one outbound dynamic NAT rule on an interface or in a NAT instance.

·     If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface or in a NAT instance take precedence over those without ACLs. The device matches packets against ACLs based on either the ACL names or ACL numbers. ACL names take precedence over ACL numbers.

¡     ACL names—The device matches packets based on the alphabetical order of the ACL names.

¡     ACL numbers—A higher ACL number indicates higher priority.

·     For dynamic port block mappings, make sure the ACL rules in a newly added NAT rule do not overlap with ACL rules in existing NAT rules that already have matching traffic.

·     After you enable hardware NAT, only the IP addresses, ports, protocols, and VPNs in ACL rules can be matched.

When you add outbound dynamic NAT rules, follow these restrictions and guidelines:

·     An ACL uniquely identifies an outbound dynamic NAT rule. If an outbound dynamic NAT rule does not reference an ACL, it permits all packets to pass. You cannot edit an outbound dynamic NAT rule by repeating this command. For example, you cannot repeat this command to change the PAT mode to NO-PAT mode. To edit a rule, use the undo nat outbound command to delete the rule first, and then execute the nat outbound command.

·     You can repeat this command to configure multiple outbound dynamic NAT rules with different ACLs specified on an interface or in a NAT instance.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

When you execute this command in a NAT instance, follow these restrictions and guidelines:

·     The address-group keyword is required. If the specified NAT address group is bound to a global address pool, the outbound dynamic rule must use the PAT method.

·     If the specified NAT address group is used for NAT instance-based load balancing, you cannot use the address command to add addresses to the NAT address group.

·     Outbound dynamic rules in different NAT instances cannot use the same NAT address group.

The nat outbound command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface Ten-GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound 2001 address-group 1

[Sysname-Ten-GigabitEthernet3/1/1] quit

Or

# Configure an outbound NO-PAT rule on interface Ten-GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound 2001 address-group 1 no-pat

[Sysname-Ten-GigabitEthernet3/1/1] quit

Or

# Enable Easy IP to use the IP address of Ten-GigabitEthernet 3/1/1 as the translated address.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound 2001

[Sysname-Ten-GigabitEthernet3/1/1] quit

Or

# Configure an outbound NO-PAT rule on Ten-GigabitEthernet 3/1/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound 2001 address-group 1 no-pat reversible

# Configure an outbound PAT rule in NAT instance cgn1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat outbound 2001 address-group 1

[Sysname-nat-instance-cgn1] quit

Related commands

address

display nat eim

display nat outbound

nat instance

nat mapping-behavior

nat outbound ds-lite-b4

Use nat outbound ds-lite-b4 to configure DS-Lite B4 address translation.

Use undo nat outbound ds-lite-b4 to remove the DS-Lite B4 address translation configuration.

Syntax

nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group group-id

undo nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name }

Default

No DS-Lite B4 address translation configuration exists.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

ipv6-acl-number: Specifies the number of an IPv6 ACL to match the IPv6 addresses of B4 elements. The value range for the argument is 2000 to 3999.

name ipv6-acl-name: Specifies the name of an IPv6 ACL to match the IPv6 addresses of B4 elements. The ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

address-group group-id: Specifies an address group by its ID. The value range for this argument is 0 to 65535.

Usage guidelines

Application scenarios

DS-Lite B4 address translation applies to the scenario where a DS-Lite tunnel connects an IPv6 network to an IPv4 network. DS-Lite port block mapping is configured on the AFTR's interface connected to the external IPv4 network and performs dynamic port block mapping based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host.

Operating mechanism

DS-Lite B4 address translation dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

Restrictions and guidelines

The nat outbound ds-lite-b4 command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

After you enable hardware NAT by using the nat hardware-mode enable command, you cannot use the nat outbound ds-lite-b4 command on an interface.

When multiple DS-Lite port block mappings are configured on an interface or in a NAT instance, the device matches packets against ACLs based on either the ACL names or ACL numbers. ACL names take precedence over ACL numbers.

·     ACL names—The device matches packets based on the alphabetical order of the ACL names.

·     ACL numbers—A higher ACL number indicates higher priority.

Examples

# Configure IPv6 ACL 2100 to identify packets from subnet 2000::/64.

<Sysname> system-view

[Sysname] acl ipv6 basic 2100

[Sysname-acl-ipv6-basic-2100] rule permit source 2000::/64

[Sysname-acl-ipv6-basic-2100] quit

# Create address group 1 and add public addresses 202.110.10.10 through 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

# Set the port block size to 256.

[Sysname-address-group-1] port-block block-size 256

[Sysname-address-group-1] quit

# Configure DS-Lite port block mapping on Ten-GigabitEthernet 3/1/1 to use address group 1 to translate packets permitted by ACL 2100.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound ds-lite-b4 2100 address-group 1

Related commands

display nat outbound

nat hardware-mode enable

nat instance

nat outbound port-block-group

Use nat outbound port-block-group to apply a NAT port block group to outbound traffic.

Use undo nat outbound port-block-group to remove a NAT port block group application.

Syntax

nat outbound port-block-group group-id

undo nat outbound port-block-group group-id

Default

No NAT port block group is applied to outbound traffic.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Parameters

group-id: Specifies a NAT port block group by its ID. The value range for this argument is 0 to 65535.

Usage guidelines

Operating mechanism

If a NAT rule uses a NAT port block group, the system automatically computes the NAT444 mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.

You can apply multiple NAT port block groups to an interface or a NAT instance.

Restrictions and guidelines

Different NAT instances cannot use the same port block group.

The nat outbound port-block-group command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

Do not execute this command for NAT instance-based load balancing. If this command is executed in a NAT instance, the NAT instance does not support load balancing using failover groups.

In the NAT instance configured with CGN warm backup mode, you cannot apply a NAT port block group to outbound traffic. In warm backup mode, only dynamic port block assignment to online users in a unification scenario is supported.

Examples

# Apply NAT port block group 1 to the outbound direction of Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound port-block-group 1

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

display nat all

display nat outbound port-block-group

display nat port-block

nat instance

nat port-block-group

nat per-global-ip user-limit

Use nat per-global-ip user-limit to set the maximum number of VPN users that can share a single public address in PAT mode or port block-based NAT.

Use undo nat per-global-ip user-limit to restore the default.

Syntax

nat per-global-ip user-limit max-number

undo nat per-global-ip user-limit

Default

By default, the number of VPN users that can share a single public IP address is not limited.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of VPN users, in the range of 1 to 4096.

Usage guidelines

Application scenarios

In PAT mode or port block-based NAT, multiple VPN users can share a single public IP address. If the number of VPN users exceeds the upper limit, the device fails to assign ports to users: new users cannot access the external network, and existing online users cannot initiate new connections. To prevent too many VPN users from using a single public IP address, you can perform this task to distribute users evenly among public IP addresses.

Restrictions and guidelines

In port block-based NAT, this command limits only the number of port blocks pre-allocated to users. For example, if a NAT device has one public IP address and five port blocks, it can pre-allocate port blocks for five users by default. If you set the value for max-number to 2, the NAT device can pre-allocate port blocks to only two users.

After you execute this command in port block-based NAT, do not execute the extended-block multi-global-ip enable command. If you execute the extended-block multi-global-ip enable command, the configured maximum number of VPN users sharing a single public address might differ from the actual number.

The feature takes effect only on new online users and does not affect existing online users.

Examples

# Set the maximum number of VPN users that can share a single public IP address in PAT mode to 500.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] nat per-global-ip user-limit 500

Related commands

extended-block multi-global-ip enable

nat port-block flow-trigger enable

Use nat port-block flow-trigger enable to enable flow-triggered port block assignment.

Use undo nat port-block flow-trigger enable to disable flow-triggered port block assignment.

Syntax

nat port-block flow-trigger enable

undo nat port-block flow-trigger enable

Default

Flow-triggered port block assignment is disabled.

Views

System view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

The flow-triggered port block assignment feature is applicable to port block-based NAT. If unification is not configured between NAT and BRAS, you must enable this feature. If unification is configured, for users to come online successfully, do not enable this feature.

Restrictions and guidelines

The nat port-block flow-trigger enable command and the nat instance command are mutually exclusive. They cannot both be configured.

You cannot enable this feature in the NAT instance configured with CGN warm backup mode. In such a backup mode, only port block assignment to online users in a unification scenario is supported.

You cannot enable or disable flow-triggered port block assignment while users are online or global NAT entries exist.

Examples

# Enable flow-triggered port block assignment.

<Sysname> system-view

[Sysname] nat port-block flow-trigger enable

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

nat instance

 

nat static enable

Use nat static enable to enable static NAT on an interface or in a NAT instance.

Use undo nat static enable to disable static NAT on an interface or in a NAT instance.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface or in a NAT instance only after you enable static NAT on the interface or in the NAT instance.

The nat static enable command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

A NAT instance does not support this command if the NAT instance is configured with load balancing using failover groups.

In the NAT instance configured with CGN warm backup mode, you cannot enable static NAT.

After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in a NAT instance, you cannot execute the nat static enable command in that NAT instance. After you execute the nat static enable command in a NAT instance, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in that NAT instance.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat static enable

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT in NAT instance cgn1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat static enable

[Sysname-nat-instance-cgn1] quit

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

display nat all

display nat static

nat instance

nat static

nat static net-to-net

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ] [ packet-type-ignore ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP address. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For more information about failover groups, see High Availability Configuration Guide. For the configuration to take effect, specify a CGN-type failover group. To deploy configuration successfully, do not specify this option after you enable hardware NAT.

packet-type-ignore: Ignores the protocol packet type when the device creates session entries for TCP, ICMP, or SCTP. If you do not specify this keyword, the NAT device checks the protocol packet type and creates session entries for only protocol packets that pass the check. For example, the NAT device creates session entries for TCP packets only when the packet type is SYN or ACK.

Usage guidelines

Operating mechanism

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

Recommended configuration

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

When you configure a one-to-one outbound static NAT mapping for CGN, specify the failover group that has a CGN card as the primary node in the mapping. Otherwise, the translation of reverse packets fails.

When you configure a one-to-one outbound static NAT mapping for a NAT instance, specify a failover group for the mapping. Otherwise, the mapping does not take effect and the device cannot perform address translation.

In an asymmetric routing scenario, if a session contains different types of protocol packets that are forwarded by different NAT devices, protocol packets of some types might be discarded. As a result, session status cannot be updated through protocol packet exchanges, causing abnormal service traffic forwarding. To avoid such an issue, specify the packet-type-ignore keyword when you use this command.

Restrictions and guidelines

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP address.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

After you execute the nat static outbound command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view, you cannot execute the nat static outbound command.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001

Related commands

display nat all

display nat static

nat instance

nat mapping-behavior endpoint-independent { tcp | udp } *

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ failover-group group-name ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range that can contain a maximum of 256 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

acl: Specifies an ACL to define the destination IP addresses that internal hosts can access. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the external network to the public IP addresses. For the configuration to take effect, specify a CGN-type failover group. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For the configuration to take effect, specify a failover group of the default type. To deploy configuration successfully, do not specify this option after you enable hardware NAT. For more information about failover groups, see High Availability Configuration Guide.

Usage guidelines

Operating mechanism

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source address of a packet from the internal network matches the private address range, the source address is translated into a public address in the public address range. When the destination address of a packet from the external network matches the public address range, the destination address is translated into a private address in the private address range.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

Recommended configuration

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

When you configure a net-to-net outbound static NAT mapping for CGN, specify the failover group that has a CGN card as the primary node in the mapping. Otherwise, the translation of reverse packets fails.

When you configure a net-to-net outbound static NAT mapping for a NAT instance, specify a failover group for the mapping. Otherwise, the mapping does not take effect and the device cannot perform address translation.

Restrictions and guidelines

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, if the public address is 2.2.2.0 with mask 255.255.255.0 and the private start address is 1.1.1.100, the private end address cannot be greater than 1.1.1.255, the greatest IP address in subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the external network to the public IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated from the external network to the public IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

After you execute the nat static outbound net-to-net command, you cannot execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp | udp } * command in system view, you cannot execute the nat static outbound net-to-net command.
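The ACL reverse-matching rules (stated above for both nat static outbound and nat static outbound net-to-net) and the net-to-net end-address restriction are easier to follow when modeled in code. The following Python model is an added example, not H3C code. It assumes that net-to-net translation preserves the host bits of an address (the reference does not spell out the arithmetic; a one-to-one mapping is the /32 case of the same model), and every address, ACL rule and packet in it is a constructed sample value that mirrors the examples on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    """One permit rule of an advanced ACL. The page's 'rule permit ip destination
    3.3.3.0 0.0.0.255' is src=0.0.0.0/0, dst=3.3.3.0/24 (wildcard 0.0.0.255 = /24)."""
    src: IPv4Network
    dst: IPv4Network
    src_port: Optional[int] = None      # None matches any port
    dst_port: Optional[int] = None


def acl_permits(rules, src_ip, src_port, dst_ip, dst_port):
    """Forward match: packet source against rule source, destination against rule destination."""
    return any(IPv4Address(src_ip) in r.src and IPv4Address(dst_ip) in r.dst
               and r.src_port in (None, src_port) and r.dst_port in (None, dst_port)
               for r in rules)


class StaticOutbound:
    """Models 'nat static outbound net-to-net local-start local-end global net/len'.
    Assumption (not stated on the page): host bits are preserved, so 192.168.1.10 <->
    2.2.2.10 for a /24 public network; a one-to-one mapping is the /32 case."""

    def __init__(self, local_start, local_end, global_network):
        self.start, self.end = IPv4Address(local_start), IPv4Address(local_end)
        self.net = IPv4Network(global_network, strict=False)
        if self.end < self.start:
            raise ValueError("end address is lower than start address")
        if int(self.end) - int(self.start) >= 256:
            raise ValueError("private range may hold at most 256 addresses")
        # Page restriction: the end address cannot exceed the highest address of the subnet
        # formed by the start address and the public mask (1.1.1.100 with /24 -> 1.1.1.255).
        limit = IPv4Network((int(self.start), self.net.prefixlen), strict=False).broadcast_address
        if self.end > limit:
            raise ValueError(f"end address exceeds {limit}")
        self.host_mask = (1 << (32 - self.net.prefixlen)) - 1

    def to_global(self, local_ip):
        ip = IPv4Address(local_ip)
        if not self.start <= ip <= self.end:
            return None
        return IPv4Address(int(self.net.network_address) | (int(ip) & self.host_mask))

    def to_local(self, global_ip):
        ip = IPv4Address(global_ip)
        if ip not in self.net:
            return None
        local = IPv4Address((int(self.start) & ~self.host_mask) | (int(ip) & self.host_mask))
        return local if self.start <= local <= self.end else None


def outbound(mapping, rules, pkt):
    """Source translation of an outgoing packet: unconditional without an ACL, otherwise
    only for packets the ACL permits."""
    if rules and not acl_permits(rules, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
        return None
    return mapping.to_global(pkt.src_ip)


def inbound(mapping, rules, pkt, reversible):
    """Destination translation for a connection initiated from outside to the public IP."""
    local = mapping.to_local(pkt.dst_ip)
    if local is None or not rules:
        return local                    # no ACL: every incoming packet is translated
    if not reversible:
        return None                     # ACL without reversible: not translated
    # ACL reverse matching: packet source vs the ACL's destination fields, then the
    # translated destination vs the ACL's source fields.
    permitted = acl_permits(rules, src_ip=str(local), src_port=pkt.dst_port,
                            dst_ip=pkt.src_ip, dst_port=pkt.src_port)
    return local if permitted else None


# Constructed sample configuration mirroring the page's example: ACL 3001 permits
# destination 3.3.3.0/24; private 192.168.1.1-192.168.1.255 maps to public 2.2.2.0/24.
ACL_3001 = [AclRule(IPv4Network("0.0.0.0/0"), IPv4Network("3.3.3.0/24"))]
NET = StaticOutbound("192.168.1.1", "192.168.1.255", "2.2.2.0/24")

if __name__ == "__main__":
    print(outbound(NET, ACL_3001, Packet("192.168.1.10", 40000, "3.3.3.7", 80)))    # 2.2.2.10
    print(inbound(NET, ACL_3001, Packet("3.3.3.7", 80, "2.2.2.10", 40000), True))   # 192.168.1.10
    print(inbound(NET, ACL_3001, Packet("5.5.5.5", 80, "2.2.2.10", 40000), True))   # None
```

The inbound() function is the part worth reading twice: with an ACL but without reversible, a connection opened from the outside is never translated, and with reversible it is translated only when the swapped comparison (packet source against ACL destination, translated destination against ACL source) succeeds, which is exactly what keeps the ACL meaning "destinations internal hosts may reach" in both directions.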

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat instance

nat mapping-behavior endpoint-independent { tcp | udp } *

nat static enable

nat user-agency alg

Use nat user-agency alg to enable ALG for PPPoE agency user packets.

Use undo nat user-agency alg to disable ALG for PPPoE agency user packets.

Syntax

nat user-agency alg { all | ftp | icmp-error | sip }

undo nat user-agency alg { all | ftp | icmp-error | sip }

Default

For PPPoE agency users, ALG is enabled for FTP and ICMP error packets and disabled for SIP packets.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables ALG for all supported protocol packets.

ftp: Enables ALG for FTP packets.

icmp-error: Enables ALG for ICMP error packets.

sip: Enables ALG for SIP packets.

Usage guidelines

Application scenarios

In a PPPoE agency scenario, users might use some application layer protocols (such as FTP, SIP, and H.323). The IP address and port information carried in the application layer payloads might not be correctly processed during address translation, causing connection failure or application malfunction. To enhance the compatibility of NAT devices with specific application layer protocols, resolve potential issues during address translation, and ensure correct communication and connection when users use such applications, enable ALG.

Operating mechanism

After you enable ALG, users come online successfully through PPPoE. If the destination port and protocol type of packets received from or sent to the external network by an online PPPoE agency user match the ALG translation condition, the NAT device translates the address and port information in the application layer payloads. This makes sure specific application layer protocols can operate correctly and avoids connection or communication failure in a NAT scenario. For more information about PPPoE agency, see PPP configuration in BRAS Services Configuration Guide.

Restrictions and guidelines

ALG consumes ACL resources of the device. To view ACL resource usage, use the display qos-acl resource command. If ACL resources are insufficient, the nat user-agency alg command fails. Delete unnecessary ACL configuration and try again.

The nat user-agency alg command is only supported in standard mode.

Examples

# Enable ALG for SIP packets received or sent by PPPoE agency users.

<Sysname> system-view

[Sysname] nat user-agency alg sip

Related commands

display qos-acl resource (ACL and QoS Command Reference)

port-block

Use port-block to configure port block parameters for a NAT address group.

Use undo port-block to restore the default.

Syntax

port-block block-size block-size [ extended-block-number extended-block-number [ extended-block-size extended-block-size ] ]

undo port-block

Default

Port block parameters are not configured for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

block-size block-size: Specifies the port block size. The block-size argument has a maximum value of 65535. If the extended port block size is set, the value of the block-size argument must be an integral multiple of 64. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.

extended-block-size extended-block-size: Specifies the number of ports in an extended port block. The value of the extended-block-size argument must be an integral multiple of 64 in the range of 64 to 8192. If you do not specify this option, the extended port block size is the same as the block-size argument. In a NAT address group, the extended port block size cannot be larger than the number of ports in the port range.

Usage guidelines

Operating mechanism

The device pre-allocates a port block to an internal user when dynamic port block assignment is triggered in the following conditions:

·     In a NAT and BRAS unification scenario, the user passes authentication and comes online.

·     In a scenario without NAT and BRAS unification, the device translates the source IP address of the packet from the user when the user initiates the first connection to the external network.

When the pre-allocated port block of a user is used up, the system allocates an extended port block to the user if the extended port blocks are configured. The system withdraws the extended port block when the user releases all ports in the extended port block.

Restrictions and guidelines

For dynamic port block mappings, port block parameters are required in the NAT address group if the address group is used for outbound address translation.

You must configure port block parameters for a NAT address group in one of the following scenarios:

·     The NAT address group is used for dynamic port block mappings in outbound address translation.

·     The NAT address group is bound to a global address pool.

When you configure or modify port block parameters, follow these restrictions and guidelines:

·     If you use the port-by-port allocation method for the NAT address group, you cannot configure the port block parameters.

·     In NAT and BRAS unification scenarios, you cannot modify the port block parameters when online users exist.
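The allocation sequence described above (one pre-allocated block per user, then extended blocks handed out one at a time and withdrawn when emptied) and the per-public-IP user cap from nat per-global-ip user-limit fit together in the following Python model. It is an added example, not H3C code: the first-fit port allocator, the class and method names, and all addresses and port ranges are constructed for illustration, and the parameter checks in the constructor are taken from the restrictions stated on this page.

```python
from dataclasses import dataclass, field


class PublicIp:
    """One public address of the group: a first-fit free list of port intervals."""

    def __init__(self, ip, port_start, port_end):
        self.ip = ip
        self.free = [(port_start, port_end)]          # inclusive, kept sorted
        self.users = set()                            # private IPs holding blocks here

    def take(self, size):
        for i, (s, e) in enumerate(self.free):
            if e - s + 1 >= size:
                self.free[i:i + 1] = [] if e - s + 1 == size else [(s + size, e)]
                return (s, s + size - 1)
        return None

    def give_back(self, block):
        self.free.append(block)                       # intervals are not merged (model only)
        self.free.sort()


@dataclass
class User:
    pool: PublicIp
    blocks: list                                      # blocks[0] is the pre-allocated block
    in_use: set = field(default_factory=set)


class PortBlockGroup:
    def __init__(self, addresses, port_range, block_size,
                 extended_block_number=0, extended_block_size=None, user_limit=None):
        start, end = port_range
        ext = block_size if extended_block_size is None else extended_block_size
        # Parameter checks taken from the reference text.
        if extended_block_number and not 1 <= extended_block_number <= 5:
            raise ValueError("extended-block-number must be 1 to 5")
        if extended_block_size is not None and block_size % 64:
            raise ValueError("block-size must be a multiple of 64 when extended-block-size is set")
        if extended_block_number and (ext % 64 or not 64 <= ext <= 8192):
            raise ValueError("extended-block-size must be a multiple of 64 in 64..8192")
        if max(block_size, ext) > end - start + 1:
            raise ValueError("a block cannot be larger than the port range")
        if user_limit is not None and not 1 <= user_limit <= 4096:
            raise ValueError("user-limit must be 1 to 4096")
        self.block_size, self.ext_size, self.ext_number = block_size, ext, extended_block_number
        self.user_limit = user_limit
        self.pools = [PublicIp(a, start, end) for a in addresses]
        self.users = {}

    def user_online(self, private_ip):
        """Pre-allocate one block, triggered by login (unification) or by the first flow."""
        if private_ip in self.users:
            u = self.users[private_ip]
            return u.pool.ip, u.blocks[0]
        for pool in self.pools:
            if self.user_limit is not None and len(pool.users) >= self.user_limit:
                continue                              # this public IP already has its share of users
            block = pool.take(self.block_size)
            if block:
                pool.users.add(private_ip)
                self.users[private_ip] = User(pool, [block])
                return pool.ip, block
        return None                                   # port block allocation failure

    def allocate_port(self, private_ip):
        if private_ip not in self.users and self.user_online(private_ip) is None:
            return None
        u = self.users[private_ip]
        for s, e in u.blocks:
            for p in range(s, e + 1):
                if p not in u.in_use:
                    u.in_use.add(p)
                    return u.pool.ip, p
        # Every port in the user's blocks is occupied: extend one block at a time.
        if len(u.blocks) - 1 < self.ext_number:
            block = u.pool.take(self.ext_size)
            if block:
                u.blocks.append(block)
                u.in_use.add(block[0])
                return u.pool.ip, block[0]
        return None

    def release_port(self, private_ip, port):
        u = self.users[private_ip]
        u.in_use.discard(port)
        # An extended block is withdrawn once all of its ports are released.
        for s, e in list(u.blocks[1:]):
            if not any(s <= p <= e for p in u.in_use):
                u.blocks.remove((s, e))
                u.pool.give_back((s, e))


if __name__ == "__main__":
    # One public IP with room for five 256-port blocks (constructed values).
    g = PortBlockGroup(["202.110.10.10"], (1024, 2303), 256, user_limit=2)
    print(g.user_online("10.0.0.1"), g.user_online("10.0.0.2"), g.user_online("10.0.0.3"))
```

Sizing the port range so that it holds exactly five blocks reproduces the worked figures from nat per-global-ip user-limit: without a limit the group serves five users and refuses the sixth, while with user-limit 2 the third user is refused even though three blocks are still free. That refusal is the "port allocation failure" event the logging commands on this page report, so the model also shows why the limit has to be sized against the real number of subscribers per public address.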

Examples

# Set the port block size to 256 and the number of extended port blocks to 1 in NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

Related commands

nat address-group

port-single-alloc enable

port-limit

Use port-limit to set the maximum number of ports that can be assigned to a protocol.

Use undo port-limit to delete the configuration.

Syntax

port-limit { icmp | tcp | total | udp } number

undo port-limit { icmp | tcp | total | udp }

Default

No upper limit is set for a protocol.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

total: Sets the total number of ports that can be assigned for all protocols.

udp: Specifies the UDP protocol.

number: Specifies the maximum number of ports. The value range is 0 to 65535 when the icmp, tcp, or udp keyword is specified. The value range is 0 to 196605 when the total keyword is specified.

Usage guidelines

This command is applicable only to port block-based NAT or dynamic PAT.

Examples

# Allow NAT address group 1 to assign a maximum of 10 ports for TCP.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-limit tcp 10

# Allow NAT port block group 1 to assign a maximum of 10 ports for TCP.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-limit tcp 10

Related commands

nat address-group

nat port-block-group

port-single-alloc enable

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number. As a best practice, set the start port number to be equal to or larger than 1024 to avoid an application protocol identification error.

Usage guidelines

The port range must include all ports that public IP addresses use for address translation.

The number of ports in a port range cannot be smaller than the port block size.

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

# Specify the port range as 30001 to 65535 for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-range 30001 65535

Related commands

nat address-group

nat port-block-group

port-single-alloc enable

Use port-single-alloc enable to enable the port-by-port allocation method.

Use undo port-single-alloc enable to restore the default.

Syntax

port-single-alloc enable

undo port-single-alloc enable

Default

The port reuse allocation method is enabled.

Views

NAT address group view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

An EIM entry is uniquely identified by a three-tuple of source IP address, source port number, and protocol type. A session entry is uniquely identified by a five-tuple of source IP address, source port number, protocol type, destination IP address, and destination port number. Based on the EIM or session entries, you can use the following port allocation methods for PAT:

·     Port reuse—Different EIM entries or session entries can use the same port number of a public address as the source port number after address translation.

·     Port-by-port—Different EIM entries or session entries must use different port numbers of a public address. This allocation method is suitable for users that require few NAT services and few port numbers.

Restrictions and guidelines

After you configure a port allocation method for dynamic PAT, you cannot switch to the other method within one minute.

The port-single-alloc enable command and the port-block command are mutually exclusive.
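The two allocation methods, together with the port-limit and port-range settings described earlier in this chapter, modeled in Python as an added example (not H3C code). Assumptions not taken from the text: a single public IP, ports handed out lowest-first, and port-limit counting distinct public ports per protocol.

```python
"""PAT port allocation model for one NAT address group.

Added illustration, not H3C code. It follows the rules given for port-limit,
port-range and port-single-alloc enable: an EIM entry is keyed by the 3-tuple
(protocol, private IP, private port), a session entry by the 5-tuple, and a public
port is either shared by different EIM entries (port reuse, the default) or unique to
each EIM entry (port-by-port). Assumptions of this model: a single public IP, ports
handed out lowest-first, and port-limit counting distinct public ports per protocol.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int     # for ICMP this would be the query identifier
    dst_ip: str
    dst_port: int

    @property
    def eim_key(self):
        return (self.proto, self.src_ip, self.src_port)

    @property
    def session_key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class PatAllocator:
    def __init__(self, port_range=(1024, 65535), port_limit=None, port_by_port=False):
        start, end = port_range
        if end < start:                      # the same check port-range documents
            raise ValueError("end port cannot be smaller than start port")
        self.start, self.end = start, end
        self.port_limit: Dict[str, int] = dict(port_limit or {})   # "tcp", "udp", "icmp", "total"
        self.port_by_port = port_by_port
        self.eim: Dict[tuple, int] = {}                # 3-tuple -> public port
        self.sessions: Dict[tuple, int] = {}           # 5-tuple -> public port
        self.reverse: Dict[tuple, tuple] = {}          # (proto, public port, dst ip, dst port) -> 5-tuple
        self.assigned: Dict[str, Set[int]] = defaultdict(set)   # proto -> public ports in use

    def ports_in_use(self, proto: str) -> int:
        return len(self.assigned[proto])

    def translate(self, flow: Flow) -> Optional[int]:
        """Return the public port used for this flow, or None when allocation fails."""
        if flow.session_key in self.sessions:          # existing session: keep its mapping
            return self.sessions[flow.session_key]
        port = self.eim.get(flow.eim_key)              # EIM: same private endpoint, same public port
        if port is None:
            port = self._allocate(flow)
            if port is None:
                return None                            # would raise the port-alloc-fail notification
            self.eim[flow.eim_key] = port
        reverse_key = (flow.proto, port, flow.dst_ip, flow.dst_port)
        if reverse_key in self.reverse:
            # Another private endpoint already shares this public port toward the same
            # destination, so replies could not be told apart: refuse the session.
            return None
        self.sessions[flow.session_key] = port
        self.reverse[reverse_key] = flow.session_key
        return port

    def _allocate(self, flow: Flow) -> Optional[int]:
        in_use = self.assigned[flow.proto]
        proto_limit = self.port_limit.get(flow.proto)
        total_limit = self.port_limit.get("total")
        total_in_use = sum(len(ports) for ports in self.assigned.values())
        for port in range(self.start, self.end + 1):
            if self.port_by_port and port in in_use:
                continue    # port-by-port: every EIM entry gets a port of its own
            if not self.port_by_port and (flow.proto, port, flow.dst_ip, flow.dst_port) in self.reverse:
                continue    # port reuse: sharing is fine while the reverse 4-tuple stays unique
            if port not in in_use:                     # only a new port counts against the limits
                if proto_limit is not None and len(in_use) >= proto_limit:
                    return None
                if total_limit is not None and total_in_use >= total_limit:
                    return None
                in_use.add(port)
            return port
        return None                                     # port range exhausted


if __name__ == "__main__":
    # Constructed scenario: three private hosts, port-limit tcp 2, compared under both methods.
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for method in (False, True):
        nat = PatAllocator(port_limit={"tcp": 2}, port_by_port=method)
        result = [nat.translate(Flow("tcp", h, 5000, f"198.51.100.{i}", 443)) for i, h in enumerate(hosts)]
        print("port-by-port" if method else "port reuse  ", result)
```

With port reuse the three hosts share public port 1024; with port-by-port the third host is refused because port-limit tcp 2 is reached.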

Examples

# Enable the port-by-port allocation method for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-single-alloc enable

Related commands

port-block

reset nat attack-defense reverse-blacklist

Use reset nat attack-defense reverse-blacklist to clear NAT denylist entries.

Syntax

In standalone mode:

reset nat attack-defense reverse-blacklist [ vpn-instance vpn-instance-name ] [ victim-ip ip-address ] [ victim-port port ] [ protocol { tcp | udp } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat attack-defense reverse-blacklist [ vpn-instance vpn-instance-name ] [ victim-ip ip-address ] [ victim-port port ] [ protocol { tcp | udp } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command clears NAT denylist entries for the public network.

victim-ip ip-address: Clears NAT denylist entries that have the specified IPv4 address.

victim-port port: Clears NAT denylist entries that have the specified port number. The value range for the port argument is 1 to 65535.

protocol: Clears NAT denylist entries that have the specified protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT denylist entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears NAT denylist entries for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Clear NAT denylist entries for the specified slot.

<Sysname> reset nat attack-defense reverse-blacklist slot 1

Related commands

display nat attack-defense reverse-blacklist

reset nat eim

Use reset nat eim to delete NAT EIM entries.

Syntax

In standalone mode:

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ] [ slot slot-number ]

In IRF mode:

reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ local-vpn local-vpn-instance-name ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command deletes NAT EIM entries of all protocol types.

icmp: Specifies the ICMP protocol.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

local-ip b4 ipv6-address: Deletes the EIM entry for a B4 device IPv6 address. The ipv6-address argument specifies the IPv6 address of a B4 device.

local-ip local-ip: Deletes the EIM entry for a private IP address. The local-ip argument specifies a private IP address.

local-port local-port: Deletes the EIM entry for a private port. The local-port argument specifies a private port number in the range of 0 to 65535.

global-ip global-ip: Deletes the EIM entry for a public IP address. The global-ip argument specifies a public IP address.

global-port global-port: Deletes the EIM entry for a public port. The global-port argument specifies a public port number in the range of 0 to 65535.

local-vpn local-vpn-instance-name: Deletes EIM entries that contain the specified MPLS L3VPN instance to which private users belong. The local-vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must be the one carried in the packets sent from the private users to the public network, which corresponds to the Local VPN used for address translation.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes NAT EIM entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes NAT EIM entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

Usage guidelines

If you do not specify the local-ip, local-port, global-ip, local-vpn, or global-port keyword, this command deletes all EIM entries for ICMP, TCP, and UDP protocols.

Examples

# (In standalone mode.) Delete all NAT EIM entries for the specified slot.

<Sysname> reset nat eim slot 0

Related commands

display nat session

display nat eim statistics

nat mapping-behavior

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

In standalone mode:

reset nat session [ protocol { tcp | udp } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat session [ protocol { tcp | udp } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

protocol: Specifies a protocol by its type. If you do not specify this keyword, the command clears NAT sessions of all protocol types.

tcp: Specifies the TCP protocol.

udp: Specifies the UDP protocol.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears NAT sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Clear NAT sessions for the specified slot.

<Sysname> reset nat session slot 0

Related commands

display nat session

reset nat statistics hardware-session-resource

Use reset nat statistics hardware-session-resource to clear peak information about driver sessions on CGN cards.

Syntax

In standalone mode:

reset nat statistics hardware-session-resource [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat statistics hardware-session-resource [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears peak information about driver sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears peak information about driver sessions on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Clear peak information about driver sessions on a CGN card.

<Sysname> reset nat statistics hardware-session-resource slot 5

Related commands

display nat statistics hardware-session-resource

reset nat statistics packet

Use reset nat statistics packet to clear statistics about packets processed by CGN cards.

Syntax

In standalone mode:

reset nat statistics packet [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset nat statistics packet [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears packet statistics for NAT on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears packet statistics for NAT on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command clears input packets, input bytes, and their rates on CGN cards.

Examples

# Clear statistics about packets processed by CGN cards.

<Sysname> reset nat statistics packet slot 5

Related commands

display nat statistics packet

snmp-agent trap enable nat

Use snmp-agent trap enable nat to enable SNMP notifications for NAT.

Use undo snmp-agent trap enable nat to disable SNMP notifications for NAT.

Syntax

snmp-agent trap enable nat [ address-group-alloc-fail | address-group-usage | bandwidth-usage | ip-pool-add-fail | ip-pool-alloc-fail | ip-pool-usage | port-alloc-fail | port-usage ]

undo snmp-agent trap enable nat [ address-group-alloc-fail | address-group-usage | bandwidth-usage | ip-pool-add-fail | ip-pool-alloc-fail | ip-pool-usage | port-alloc-fail | port-usage ]

Default

SNMP notifications are enabled for NAT.

Views

System view

Predefined user roles

network-admin

Parameters

address-group-alloc-fail: Enables SNMP notifications for port block allocation failures in a NAT address group.

address-group-usage: Enables SNMP notifications for the resource usage in a NAT address group.

bandwidth-usage: Enables SNMP notifications for the CGN card bandwidth usage.

ip-pool-add-fail: Enables SNMP notifications for failing to add a subnet to a NAT address pool.

ip-pool-alloc-fail: Enables SNMP notifications for address allocation failures in a global address pool.

ip-pool-usage: Enables SNMP notifications for the address usage in a global address pool.

port-alloc-fail: Enables SNMP notifications for the port allocation failures in a NAT address group.

port-usage: Enables SNMP notifications for the port usage in a port block.

Usage guidelines

The device generates an SNMP notification in the following scenarios:

·     If SNMP notifications are enabled for port block allocation failures in a NAT address group:

¡     The device generates a notification when the port block resources in the address group are used up.

¡     The device reports a recovery event when the port block usage in the address group drops below 87.5%.

·     If SNMP notifications are enabled for the address group resource usage:

¡     The device reports a threshold violation event when the address group resource usage reaches or exceeds the threshold.

¡     The device reports a threshold recovery event when the address group resource usage, after having crossed the threshold, drops below 87.5% of the threshold.

To set the threshold for address group resource usage, execute the nat address-group-usage threshold command.

·     If SNMP notifications are enabled for the CGN card bandwidth usage:

¡     The device reports a threshold violation event when the bandwidth usage of the CGN card reaches or exceeds the threshold.

¡     The device reports a threshold recovery event when the bandwidth usage of the CGN card drops below the threshold.

To set the CGN card bandwidth usage threshold, execute the nat log bandwidth-usage threshold command.

·     If SNMP notifications are enabled for failing to add a subnet to a global address pool, the device generates a notification when the UP fails to add a subnet to the global address pool. The subnet is requested from the IP address pool on the CP.

·     If SNMP notifications are enabled for address allocation failures in a global address pool:

¡     The device generates a notification when the address resources in the global address pool are used up.

¡     The device reports a recovery event when the address usage in the global address pool drops to or below 87.5%.

·     If SNMP notifications are enabled for the address usage in a global address pool:

¡     The device reports a threshold violation event when the address usage in the global address pool reaches or exceeds the subnet acquisition threshold.

¡     The device reports a threshold recovery event when the address usage in a global address pool drops below the subnet acquisition threshold.

To set the subnet acquisition threshold, execute the ip-usage-threshold command.

·     If SNMP notifications are enabled for port allocation failures in a NAT address group:

¡     The device generates a notification when the public port resources are used up.

¡     The device reports a recovery event when the port usage in the address group drops below 87.5%.

·     If SNMP notifications are enabled for the port usage in a port block:

¡     The device reports a threshold violation event when the port usage in the port block reaches or exceeds the port block usage threshold.

¡     The device reports a threshold recovery event when the port usage in the port block, after having crossed the threshold, drops to or below 87.5% of the threshold.

To set the port block usage threshold, execute the nat log port-block port-usage threshold command.

For the notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

To enable or disable all SNMP notifications for NAT, do not specify any parameters.
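The violation and recovery rules above, written out in Python as an added example (not H3C code) so the effect of the 87.5% recovery point on alert flapping can be seen. The "used up" notifications are treated as a threshold of 100%, and recovery is simplified to strictly below the recovery point for every resource; all usage samples are constructed.

```python
"""Evaluator for the NAT SNMP notification rules described above.

Added illustration, not H3C code. A resource raises a threshold violation event when
usage reaches or exceeds its threshold and a threshold recovery event when usage falls
back below its recovery point: the threshold itself for CGN card bandwidth usage and
global address pool usage, or 87.5% of the threshold for address group resource usage
and port block port usage. The "used up" notifications (address-group-alloc-fail,
ip-pool-alloc-fail, port-alloc-fail) fit the same shape with a threshold of 100%.
Simplification: recovery is always strictly below the recovery point. All usage
samples are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

RECOVERY_FACTOR = 0.875   # the 87.5% factor quoted for the hysteresis-style notifications


@dataclass
class ThresholdMonitor:
    name: str
    threshold: float       # usage percentage, as set with the matching threshold command
    hysteresis: bool       # True: recover below 87.5% of threshold; False: recover below threshold
    violated: bool = False

    @property
    def recovery_point(self) -> float:
        return self.threshold * RECOVERY_FACTOR if self.hysteresis else self.threshold

    def feed(self, usage: float) -> Optional[str]:
        """Consume one usage sample and return the notification it triggers, if any."""
        if not self.violated and usage >= self.threshold:
            self.violated = True
            return f"{self.name}: threshold violation ({usage:g}% >= {self.threshold:g}%)"
        if self.violated and usage < self.recovery_point:
            self.violated = False
            return f"{self.name}: threshold recovery ({usage:g}% < {self.recovery_point:g}%)"
        return None


def run(monitor: ThresholdMonitor, samples: Sequence[float]) -> List[str]:
    """Feed a series of usage samples and collect the notifications that would be sent."""
    events = []
    for usage in samples:
        event = monitor.feed(usage)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    # Usage hovering around the threshold: plain recovery flaps, 87.5% recovery does not.
    flapping = [79, 80, 79, 80, 79]
    for rule in (False, True):
        mon = ThresholdMonitor("address-group-usage", threshold=80, hysteresis=rule)
        print(f"hysteresis={rule}:", *run(mon, flapping), sep="\n  ")
    # Port exhaustion: notification at 100%, recovery only once usage drops below 87.5%.
    print(*run(ThresholdMonitor("port-alloc-fail", 100, True), [100, 90, 87]), sep="\n")
```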

Examples

# Enable all SNMP notifications for NAT.

<Sysname> system-view

[Sysname] snmp-agent trap enable nat

Related commands

ip-usage-threshold

nat address-group-usage threshold

nat log bandwidth-usage threshold

nat log port-block port-usage threshold

Global NAT commands

bind dhcp-server-pool

Use bind dhcp-server-pool to bind a dynamic global address pool to an IP pool or IP pool group that is created on the DHCP server.

Use undo bind dhcp-server-pool to unbind a dynamic global address pool from an IP pool or IP pool group.

Syntax

bind dhcp-server-pool server-pool-name

undo bind dhcp-server-pool

Default

A dynamic global address pool is not bound to any IP pool.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

server-pool-name: Specifies the name of an IP pool or IP pool group that is created on the DHCP server (referred to as DHCP pool in this chapter), a case-insensitive string of 1 to 63 characters.

Usage guidelines

Operating mechanism

When a UP device needs NAT addresses for address translation, it sends a subnet request to the CP device. The CP device assigns a subnet, which is added to the dynamic global address pool on the UP device for address translation.

For more information about the DHCP server, see the DHCP server configuration in Layer 3—IP Services Configuration Guide.

Restrictions and guidelines

On a CUPS network, execute this command on each UP device.

When you configure the pool bindings on a UP, follow these restrictions and guidelines:

·     Do not bind a static global address pool to a DHCP pool or pool group.

·     For the up-backup command to be successfully executed on a UP backup network, execute this command before executing the bind dhcp-server-pool command.

·     As a best practice, bind dynamic global address pools on the master and backup UP devices to the same DHCP pool or pool group on a UP backup network.

·     The pool or pool group binding does not support modification. To modify a binding, first execute the undo bind dhcp-server-pool command to remove the binding, and then execute the bind dhcp-server-pool command to configure a new one.

·     You cannot remove pool or pool group bindings if online PPPoE or IPoE users exist.

·     For successful subnet acquisition, the specified IP pool must be a nat-central one that has been configured on the CP.

·     For successful subnet acquisition, the specified IP pool group must have at least one nat-central pool and it must have been configured on the CP.

Examples

# On the UP device, bind dynamic global address pool nat to DHCP pool pool1.

<sysname> system-view

[sysname] nat ip-pool nat dynamic

[sysname-nat-ip-pool-nat] bind dhcp-server-pool pool1

Related commands

ip-usage-threshold

section

subnet length

up-backup

display nat instance

Use display nat instance to display NAT instance information.

Syntax

display nat instance [ instance-name instance-name ] [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance-name instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays information about all NAT instances.

brief: Displays brief information about NAT instances.

verbose: Displays detailed information about NAT instances.

Usage guidelines

If you do not specify the brief or verbose keyword, this command displays only the configuration for NAT instances.

In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online triggers the following generation behaviors:

·     The NAT instance generates NAT subinstances whose names start with Sub. The NAT subinstances inherit the configuration of the NAT instance.

·     The dynamic global address pool bound to the nat-central pool on the CP generates child address pools whose names start with Sub. The child address pools inherit the configuration of the parent address pool.

·     The NAT address group bound to the dynamic global address pool generates child address groups whose names start with Sub. The child address groups inherit the configuration of the parent address group.

The NAT subinstances process NAT services. The child address groups obtain address ranges from the child address pools and assign IP addresses after address translation to users. This command displays information about the NAT address groups and child address groups.

In a non-vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online does not trigger generation behaviors. This command displays NAT instance information.

Examples

# Display the configuration for all NAT instances.

<Sysname> display nat instance

NAT instance information:

  Totally 2 NAT instance.

  Instance name/ID/type: instance1/10/normal

    service-instance-group sgrp

    nat port-block flow-trigger enable

    nat outbound 3000 address-group 1

    nat outbound port-block-group 1

    nat centralized-backup enable

    nat centralized-backup manual switch

    nat centralized-backup auto switchback disable

    nat address-group 1 bind-ip-pool pool1

    bind vsrp-instance 1

    nat protect-tunnel inside-vpn vpn1

    nat mapping-behavior endpoint-independent system-default

 

  Instance name/ID/type: instance2/11/normal

    service-instance-group group1

    cu warm-load-balance-mode enable

    bind vsrp-instance 1

    bind vsrp-instance 2

    nat protect-tunnel inside-vpn vpn1

    nat mapping-behavior endpoint-independent system-default

# Display the configuration for the specified NAT instance.

<Sysname> display nat instance instance-name instance1

  Instance name/ID/type: instance1/10/normal

    service-instance-group group1

    nat outbound 3000 address-group 1

    nat outbound port-block-group 1

    nat port-block flow-trigger enable

    nat centralized-backup enable

    nat centralized-backup manual switch

    nat centralized-backup auto switchback disable

    nat mapping-behavior endpoint-independent system-default

Table 23 Command output

Totally n NAT instances: Total number of NAT instances.

Instance xxx: Name of the NAT instance.

Instance name/ID/type: Name, ID, and type of the NAT instance. NAT instances include the following types:

·     normal—Normal NAT instance.

·     user-agency—PPPoE agency NAT instance.

service-instance-group group1: Service instance group associated with the NAT instance.

nat outbound 3000 address-group 1: Outbound dynamic NAT rule.

nat outbound port-block-group 1: Outbound static NAT port block mapping.

nat port-block flow-trigger enable: Flow-triggered port block assignment is enabled. This field is not displayed if flow-triggered port block assignment is disabled.

nat centralized-backup enable: Centralized backup is enabled for distributed CGN.

nat centralized-backup manual switch: Traffic on the distributed CGN device is manually switched to the centralized CGN device.

nat centralized-backup auto switchback disable: Automatic traffic switchback from the centralized CGN device to the distributed CGN device is disabled.

nat address-group xxx bind-ip-pool yyy: A NAT address group is bound to a global NAT address pool. xxx specifies a NAT address group by its name. yyy specifies a global NAT address pool by its name.

cu warm-standby-mode enable: The non-load-balancing mode for CGN warm backup is enabled. If you do not enable this backup mode, this field is not displayed.

cu warm-load-balance-mode enable: The load-balancing mode for CGN warm backup is enabled. If you do not enable this backup mode, this field is not displayed.

bind vsrp-instance xxx: A VSRP instance is bound to the NAT instance. xxx specifies a VSRP instance by its name.

nat protect-tunnel inside-vpn xxx: A VPN instance whose traffic can enter protection tunnels. xxx specifies a VPN instance by its name.

nat mapping-behavior endpoint-independent xxx: Mapping behavior mode for outbound dynamic PAT in the NAT instance:

·     nat mapping-behavior endpoint-independent system-default—The mapping mode is that set by executing the nat mapping-behavior endpoint-independent command in system view.

·     nat mapping-behavior endpoint-independent tcp—The mapping mode is EIM and only EIM entries for TCP connections are created.

·     nat mapping-behavior endpoint-independent tcp-5-tuple—The mapping mode is EIM and only 5-tuple session entries for TCP connections are created.

·     nat mapping-behavior endpoint-independent tcp tcp-5-tuple—The mapping mode is EIM, and EIM entries and 5-tuple session entries for TCP connections are created.

·     nat mapping-behavior endpoint-independent udp—The mapping mode is EIM and only EIM entries for UDP connections are created.

·     nat mapping-behavior endpoint-independent udp-5-tuple—The mapping mode is EIM and only 5-tuple session entries for UDP connections are created.

·     nat mapping-behavior endpoint-independent udp udp-5-tuple—The mapping mode is EIM, and EIM entries and 5-tuple session entries for UDP connections are created.

# Display brief information about all NAT instances.

<Sysname> display nat instance brief

NAT instance information:

  Totally 2 NAT instances.

  Instance name/ID/type: nat1/1/normal

    Backup mode: Centralized backup for distributed CGN

 

  Instance name/ID/type: nat2/2/normal

    Backup mode: 1:N Inter-device

    Totally 3 NAT subinstances.

    Instance name/ID/type: Sub_196630_nat5/129/normal

      Running role: Master

      UPID (Local/Peer): 1024/1025

      Virtual MAC of access interface: 0000-5e00-0102

 

    Instance name/ID/type: Sub_196631_nat5/130/normal

      Running role: Master

      UPID (Local/Peer): 1024/1026

      Virtual MAC of access interface: 0000-5e00-0103

 

    Instance name/ID/type: Sub_196627_nat5/131/normal

      Running role: Backup

      UPID (Local/Peer): 1024/1025

      Virtual MAC of access interface: 0000-5e00-0104

Table 24 Command output

Totally n NAT instances: Total number of NAT instances.

Instance name/ID/type: Name, ID, and type of the NAT instance. NAT instances include the following types:

·     normal—Normal NAT instance.

·     user-agency—PPPoE agency NAT instance.

Backup mode: Backup mode of the NAT instance:

·     Intra-device.

·     1:1 Inter-device.

·     N:1 Inter-device.

·     1:N Inter-device.

·     Centralized backup for distributed CGN.

·     -: Non-backup.

Running role: Role of the NAT instance that takes effect:

·     Init.

·     Master.

·     Backup.

·     Failed. This value is supported only in N:1 Inter-device mode.

Take over UPID: ID of the backup UP that takes over the master UP in N:1 Inter-device mode.

Totally n NAT subinstances: Number of NAT subinstances generated by the parent NAT instance.

UPID (Local/Peer): IDs of the local and peer UP management instances:

·     Local—Local UP management instance ID.

·     Peer—Peer UP management instance ID.

Virtual MAC of access interface: Virtual MAC address of the interface used for user access.

# Display detailed information about all NAT instances.

<Sysname> display nat instance verbose

NAT instance information:

  Totally 3 NAT instance.

  Instance name/ID/type: nat1/1/normal

    service-instance-group 1

    nat outbound 3001 address-group 2

    nat address-group 2 bind-ip-pool pool1

    cu warm-load-balance-mode enable

    bind vsrp-instance 12

    nat mapping-behavior endpoint-independent system-default

    Backup mode: 1:N Inter-device

    Running role: Master

 

  Instance name/ID/type: nat2/2/normal

    service-instance-group 2

    nat outbound 3002 address-group 2

    nat address-group 2 bind-ip-pool pool2

    cu warm-load-balance-mode enable

    bind vsrp-instance 12

    nat mapping-behavior endpoint-independent system-default

    Backup mode: 1:N Inter-device

    Totally 2 NAT subinstances.

    Instance name/ID/type: Sub_196630_nat2/129/normal

      service-instance-group 2

      nat outbound 3002 address-group Sub_196630_2

      nat address-group Sub_196630_2 bind-ip-pool Sub_196630_pool2

      cu warm-load-balance-mode enable

      bind vsrp-instance 12

      Running role: Master

      UPID (Local/Peer): 1024/1025

      Virtual MAC of access interface: 0000-5e00-0102

 

    Instance name/ID/type: Sub_196631_nat2/130/normal

      service-instance-group 2

      nat outbound 3002 address-group Sub_196631_2

      nat address-group Sub_196631_2 bind-ip-pool Sub_196631_pool2

      cu warm-load-balance-mode enable

      bind vsrp-instance 12

      nat mapping-behavior endpoint-independent system-default

      Running role: Master

      UPID (Local/Peer): 1024/1026

      Virtual MAC of access interface: 0000-5e00-0103

 

  Instance name/ID/type: nat3/3/normal

    service-instance-group 3

    nat outbound 3003 address-group 3

    nat address-group 3 bind-ip-pool pool3

    cu warm-load-balance-mode enable

    bind vsrp-instance 12

    nat mapping-behavior endpoint-independent system-default

    Running mode: 1:N Inter-device

    Totally 0 NAT subinstances.

Table 25 Command output

NAT instance information: Detailed information about the NAT instance. For the field descriptions, see Table 23 and Table 24.

Related commands

nat instance

display nat instance address-group

Use display nat instance address-group to display information about a NAT address group in a NAT instance.

Syntax

display nat instance instance-name instance-name address-group group-id [ failover-group group-name ] [ resource-usage ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance-name instance-name: Specifies a NAT instance name, a case-sensitive string of 1 to 31 characters.

group-id: Specifies a NAT address group by its ID. The value range for this argument is 0 to 65535.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about IP addresses of all failover groups.

resource-usage: Displays resource usage for each IP address. If you do not specify this keyword, the command displays summary information about the IP addresses and the overall address usage.

Usage guidelines

In a NAT instance, a NAT address group can be configured separately or bound to a global address pool.

·     When you bind an address group to a global address pool and associate one or more failover groups with the service instance group that is bound to the NAT instance, the global address pool assigns IP addresses to each failover group. You can execute this command to display information about the address group, global address pool, IP addresses assigned to each failover group, and address usage.

·     When you add addresses by using the address command, you can execute this command to display information about the address group and address usage.

In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online triggers the following generation behaviors:

·     The NAT instance generates NAT subinstances whose names start with Sub. The NAT subinstances inherit the configuration of the NAT instance.

·     The dynamic global address pool bound to the nat-central pool on the CP generates child address pools whose names start with Sub. The child address pools inherit the configuration of the parent address pool.

·     The NAT address group bound to the dynamic global address pool generates child address groups whose names start with Sub. The child address groups inherit the configuration of the parent address group.

The NAT subinstances process NAT services. The child address groups obtain address ranges from the child address pools and assign the translated IP addresses to users. This command displays information about both the NAT address groups and the child address groups.

In a non-vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online does not trigger generation behaviors. This command displays information about a NAT address group in a NAT instance.

Examples

# Display information about NAT address group 1 in NAT instance instance1.

<Sysname> display nat instance instance-name instance1 address-group 1

(E): Exclude locked IP  (I): Include locked IP

 

 Instance                          : instance1

 Address group name/ID             : 1/1

   VPN instance                    : vpn1

 IP pool name                      : 1

 Subnet length (Initial/Extended)  : 27/30

 Usage thresholds (High/Low)       : 80%/20%

 Total IP usage(E)                 : 1%

 Total port usage(E)               : 0%

 

 Address info:

  Subnet             Mask               Total               Lock status

  202.38.1.0         255.255.255.224    32                  Unlocked

 

 Failover-group: cgn1

   Total IP count  : 16(Locked: 0, Unlocked: 16)

   IP usage(E)     : 1%

   Port usage(E)   : 3%

   Address info:

    StartIP            Total    Initial    Lock status

    202.38.1.0         16       Y          Unlocked

 

 Failover-group: cgn2

   Total IP count  : 16(Locked: 0, Unlocked: 16)

   IP usage(E)     : 1%

   Port usage(E)   : 3%

   Address info:

    StartIP            Total    Initial    Lock status

    202.38.1.16        16       Y          Unlocked

Table 26 Command output

Field

Description

(E): Exclude locked IP

Exclude locked IP addresses during address usage calculation.

(I): Include locked IP

Include locked IP addresses during address usage calculation.

Instance

Name of the NAT instance.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

IP pool name

Name of the global address pool bound to the address group. If you add addresses by using the address command, this field is not displayed.

Subnet length (Initial/Extended)

Mask length for the initial and extended subnets.

·     Initial—Mask length for the initial subnet.

·     Extended—Mask length for the extended subnet.

If you add addresses by using the address command, this field is not displayed.

Usage thresholds (High/Low)

Thresholds of the global address pool:

·     High—Subnet acquisition threshold.

·     Low—Subnet release threshold.

If you add addresses by using the address command, this field is not displayed.

Totally n sub address groups

Number of child address groups generated by the parent NAT address group.

Total IP usage(E)

Unlocked IP address usage in the address group. This value reflects IP address usage only; for the resource usage of the address group, see the Total port usage field. If the address usage is greater than 0% but less than 1%, this field displays 1%. If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Total port usage(E)

Port usage of unlocked IP addresses in the address group. If the port usage is greater than 0% but less than 1%, this field displays 1%. If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Address info

Usage information about the address range that the NAT address group obtains:

·     Subnet—Start subnet in the address range.

·     Mask—Mask for the start subnet in the address range.

·     Total—Total number of IP addresses in the address range.

·     Lock status—Whether the address range is locked.

¡     Locked.

¡     Unlocked.

Failover-group

Name of the failover group associated with the service instance group that is bound to the NAT instance:

·     Total IP count—Total number of IP addresses in the address range that the failover group obtains.

·     IP usage—IP address usage. If the IP address usage is greater than 0% but less than 1%, this field displays 1%. If the IP address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     Port usage—Port usage. If the port usage is greater than 0% but less than 1%, this field displays 1%. If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     Address info—Usage information about the address range that the failover group obtains:

¡     StartIP—Start IP address in the address range.

¡     Total—Total number of IP addresses in the address range.

¡     Initial—Whether the address range is an initial subnet. When the address group is bound to the global address pool, Y indicates the initial subnet, and N indicates an extended subnet. This field displays three hyphens (---) if the address group is not bound to any global address pool.

¡     Lock status—Whether the address range is locked. Options include Locked and Unlocked.

 

# Display information about NAT address group 1 in NAT instance instance1 and the address usage.

<Sysname> display nat instance instance-name instance1 address-group 1 resource-usage

(E): Exclude locked IP  (I): Include locked IP

 

 Instance                          : instance1

 Address group name/ID             : 1/1

 IP pool name                      : nat-ip-pool1

 Total IP usage(E)                 : 75%

 Total port usage(E)               : 63%

 

 Failover-group : group1

   Total IP count      : 8(Locked: 0, Unlocked: 8)

   IP usage(E)         : 100%

   Port usage(E)       : 100%

    IP                              Port usage(E) Lock status

    150.1.1.0                       100%          Unlocked

    150.1.1.1                       100%          Unlocked

    150.1.1.2                       100%          Unlocked

    150.1.1.3                       100%          Unlocked

    150.1.1.4                       100%          Unlocked

    150.1.1.5                       100%          Unlocked

    150.1.1.6                       100%          Unlocked

    150.1.1.7                       100%          Unlocked

 

 Failover-group : group2

   Total IP count      : 8(Locked: 0, Unlocked: 8)

   IP usage(E)         : 12.5%

   Port usage(E)       : 25%

    IP                              Port usage(E) Lock status

    150.1.1.8                       50%           Unlocked

    150.1.1.9                       50%           Unlocked

    150.1.1.10                      50%           Unlocked

    150.1.1.11                      50%           Unlocked

    150.1.1.12                      0%            Unlocked

    150.1.1.13                      0%            Unlocked

    150.1.1.14                      0%            Unlocked

    150.1.1.15                      0%            Unlocked

Table 27 Command output

Field

Description

(E): Exclude locked IP

Exclude locked IP addresses during address usage calculation.

(I): Include locked IP

Include locked IP addresses during address usage calculation.

Instance

Name of the NAT instance.

Address group name/ID

Name and ID of the address group bound to the NAT instance.

IP pool name

Name of the global address pool.

Total IP usage(E)

Unlocked IP address usage in the address group. This value reflects IP address usage only; for the resource usage of the address group, see the Total port usage field. If the IP usage is greater than 0% but less than 1%, this field displays 1%. If the IP usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Total port usage(E)

Port usage of unlocked IP addresses in the address group. If the port usage is greater than 0% but less than 1%, this field displays 1%. If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Failover-group

Name of the failover group associated with the service instance group that is bound to the NAT instance.

Total IP count

Total number of IP addresses that the global address pool has assigned to the failover group.

IP usage(E)

Unlocked IP address usage in the failover group. If the IP address usage is greater than 0% but less than 1%, this field displays 1%. If the IP address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Port usage(E/I)

Port usage of unlocked IP addresses in the failover group or port usage of each IP address (including locked IP addresses). The usage is the ratio of the used ports to the total number of ports. If the port usage is greater than 0% but less than 1%, this field displays 1%. If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

IP

IP address that the global address pool assigns to the failover group.

Lock status

Whether the IP address is locked:

·     Locked.

·     Unlocked.

 

Related commands

ip-usage-threshold

nat ip-pool

subnet length

display nat instance statistics

Use display nat instance statistics to display statistics for address translation services processed by NAT instances on the UP.

Syntax

display nat instance [ instance-name instance-name ] statistics

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

instance-name instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a NAT instance, this command displays statistics for address translation services processed by all NAT instances.

Usage guidelines

In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online triggers the following generation behaviors:

·     The NAT instance generates NAT subinstances whose names start with Sub. The NAT subinstances inherit the configuration of the NAT instance.

·     The dynamic global address pool bound to the nat-central pool on the CP generates child address pools whose names start with Sub. The child address pools inherit the configuration of the parent address pool.

·     The NAT address group bound to the dynamic global address pool generates child address groups whose names start with Sub. The child address groups inherit the configuration of the parent address group.

The NAT subinstances process NAT services. The child address groups obtain address ranges from the child address pools and assign the translated IP addresses to users. This command displays statistics for both the NAT instances and the NAT subinstances.

In a non-vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online does not trigger generation behaviors. This command displays statistics for address translation services processed by NAT instances.

Examples

# Display statistics for address translation services processed by all NAT instances.

<Sysname> display nat instance statistics

NAT instance statistics:

 Totally 2 NAT instances.

  Instance name/ID: instance1/10

    Failover group name: nat1

      Session entries: 0

      EIM entries: 0

      User table entries: 0

      Total session setup entries: 0

      Total session teardown entries: 0

      Total EIM setup entries: 0

      Total EIM teardown entries: 0

    Failover group name: nat2

      Session entries: 0

      EIM entries: 0

      User table entries: 0

      Total session setup entries: 0

      Total session teardown entries: 0

      Total EIM setup entries: 0

      Total EIM teardown entries: 0

 

  Instance name/ID: instance2/11

    Totally 1 NAT subinstances.

    Instance name/ID: Sub_196630_instance2/129

    Failover group name: nat3

      Session entries: 0

      EIM entries: 0

      User table entries: 0

      Total session setup entries: 0

      Total session teardown entries: 0

      Total EIM setup entries: 0

      Total EIM teardown entries: 0

    Failover group name: nat4

      Session entries: 0

      EIM entries: 0

      User table entries: 0

      Total session setup entries: 0

      Total session teardown entries: 0

      Total EIM setup entries: 0

      Total EIM teardown entries: 0

Table 28 Command output

Field

Description

Instance name/ID

Name and ID of the NAT instance.

Totally n NAT subinstances

Number of NAT subinstances generated by the parent NAT instance.

Instance ID

ID of the NAT instance.

Failover group name

Name of the failover group.

Session entries

Number of session entries that are being used.

EIM entries

Number of EIM entries that are being used.

User table entries

Number of user tables.

Total session setup entries

Total number of session entries created by the failover group, including the number of session entries that are being used and the aging session entries.

Total session teardown entries

Total number of aging session entries for the failover group.

Total EIM setup entries

Total number of EIM entries created by the failover group.

Total EIM teardown entries

Total number of aging EIM entries for the failover group.

Total dynamically allocated addresses

Number of public IP addresses dynamically allocated by the address group based on the number of failover groups in the service instance group associated with the NAT instance.

 

Related commands

reset nat instance statistics

display nat ip-pool

Use display nat ip-pool to display the configuration and usage of global address pools.

Syntax

display nat ip-pool [ pool-name [ section section-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Specifies a global address pool by its name, a case-insensitive string of 1 to 31 characters. If the pool name contains spaces, you must use quotation marks (") to enclose the name, for example, "pool 1". If you do not specify a pool name, this command displays information about all global address pools.

section section-id: Specifies an address section by its ID, in the range of 0 to 4294967295. If you do not specify an address section ID, this command displays information about all address sections in the global address pool.

Usage guidelines

In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online triggers the following generation behaviors:

·     The NAT instance generates NAT subinstances whose names start with Sub. The NAT subinstances inherit the configuration of the NAT instance.

·     The dynamic global address pool bound to the nat-central pool on the CP generates child address pools whose names start with Sub. The child address pools inherit the configuration of the parent address pool.

·     The NAT address group bound to the dynamic global address pool generates child address groups whose names start with Sub. The child address groups inherit the configuration of the parent address group.

The NAT subinstances process NAT services. The child address groups obtain address ranges from the child address pools and assign the translated IP addresses to users. This command displays the configuration and usage of both the global parent address pools and the child address pools.

In a non-vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, a user coming online does not trigger generation behaviors. This command displays the configuration and usage of global address pools.

Examples

# Display the configuration and usage of all global address pools.

<Sysname> display nat ip-pool

NAT IP pool information:

  Totally 1 NAT ip pools.

  Pool name                       : pool

  Type of pool                    : Static

  Subnet length (Initial/Extended): 27/27

  Usage thresholds (High/Low)     : 80%/20%

  Total IP count                  : 65536

  Locked IP count                 : 0

  Available IP count              : 65536

  Usage(E)                        : 0%

 Section info:

  ID          Subnet            Mask              Total  Used     Lock status

  ---------------------------------------------------------------------------

  0           7.7.0.0           255.255.0.0       65536  0        Unlocked

Table 29 Command output

Field

Description

(E): Exclude locked IP

Exclude locked IP addresses during address usage calculation.

NAT IP pool information

Information about global address pools.

Totally n NAT IP pools

Total number of global parent address pools.

Pool name

Name of the global address pool.

Type of pool

Type of the global address pool:

·     Dynamic—Dynamic global address pool.

·     Static—Static global address pool.

UPID (Local/Peer)

UP management instance ID:

·     Local—Local UP management instance ID.

·     Peer—Peer UP management instance ID.

Subnet length (Initial/Extended)

Mask length for the initial and extended subnets.

·     Initial—Mask length for the initial subnet.

·     Extended—Mask length for the extended subnet.

Usage thresholds (High/Low)

Thresholds of the global address pool:

·     High—Subnet acquisition threshold.

·     Low—Subnet release threshold.

Instance name/ID

Name and ID of the NAT instance bound to the NAT address group.

Totally n sub IP pools

Number of child address pools generated by the global parent address pool.

Total IP count

Total number of IP addresses in the global address pool.

Locked IP count

Total number of locked IP addresses in the global address pool.

Available IP count

Total number of available IP addresses in the global address pool.

Usage(E)

Unlocked address usage of the global address pool. If the address usage is greater than 0% but less than 1%, this field displays 1%. If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

Section info

Information about address sections in the global address pool:

·     ID—Subnet ID.

·     Subnet—Subnet address.

·     Mask—Subnet mask.

·     Total—Total number of IP addresses in the address section.

·     Used—Number of used IP addresses in the address section.

·     Lock status—Whether the address section is locked.

¡     Locked.

¡     Unlocked.

 

# Display information about address section 0 in global address pool pool1.

<Sysname> display nat ip-pool pool1 section 0

 Section ID          : 0

 Subnet              : 150.1.1.0

 Mask                : 255.255.255.0

 Total IP count      : 256

 Locked IP count     : 0

 Available IP count  : 240

 

 Available IPs:

  StartIP           Total

  150.1.1.16        16

  150.1.1.32        32

  150.1.1.64        64

  150.1.1.128       128

 

 Used IPs:

  StartIP           UsedCount  InstanceID      InstanceName

                               AddressGroupID  AddressGroupName

  150.1.1.0         8          1               cgn1

                               1               1

  150.1.1.8         8          127             cgn2

                               10              10

Table 30 Command output

Field

Description

Section ID

ID of the address section in the global address pool.

Subnet

Subnet address.

Mask

Subnet mask.

Total IP count

Total number of IP addresses in the address section.

Locked IP count

Total number of locked IP addresses in the address section.

Available IP count

Total number of available IP addresses in the address section.

Available IPs

Information about the available IP addresses in the address section:

·     StartIP—Start IP address in the available addresses.

·     Total—Total number of available IP addresses.

Used IPs

Information about the used IP addresses in the address section:

·     StartIP—Start IP address in the used addresses.

·     UsedCount—Total number of used IP addresses in the address section.

·     InstanceID—ID of the NAT instance that uses this address section.

·     InstanceName—Name of the NAT instance that uses this address section.

·     AddressGroupID—ID of the NAT address group that uses this address section.

·     AddressGroupName—Name of the NAT address group that uses this address section. Available values include:

¡     Name of the child address group whose name starts with Sub. A child address group is generated by the parent NAT address group in load balancing mode for CGN warm backup.

¡     Value for the AddressGroupID field.

 

Related commands

ip-usage-threshold

nat ip-pool

subnet length

ip-usage-threshold

Use ip-usage-threshold to set the subnet acquisition and release thresholds in a global address pool.

Use undo ip-usage-threshold to restore the default.

Syntax

ip-usage-threshold upper-limit upper-value lower-limit lower-value

undo ip-usage-threshold

Default

The subnet acquisition threshold is 80%, and the subnet release threshold is 20%.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

upper-value: Specifies the subnet acquisition threshold, in percentage. The value range is 1 to 100.

lower-value: Specifies the subnet release threshold, in percentage. The value range is 0 to 99. The value for this argument must be lower than the value for the upper-value argument.

Usage guidelines

Operating mechanism

After a NAT address group is bound to a static global address pool, the NAT address group requests or releases subnets as follows:

·     When the IP usage of the NAT address group reaches or exceeds the subnet acquisition threshold, the NAT address group requests an extended subnet from the global address pool.

·     When the IP usage of the NAT address group drops below the subnet release threshold, the NAT address group releases free extended subnets to the global address pool.

After a NAT address group is bound to a dynamic global address pool, the NAT device periodically calculates the IP usage of the dynamic global address pool:

·     When the IP usage reaches or exceeds the subnet acquisition threshold, the UP requests a new subnet from the CP.

·     When the IP usage drops below the subnet release threshold, the UP notifies the CP to reclaim free extended subnets.

Recommended configuration

As a best practice, use the default threshold settings. If you need to modify the subnet acquisition and release thresholds, make sure the gap between the two thresholds is over 60%.

Examples

# In a static global address pool, set the subnet acquisition and release thresholds to 90% and 20%, respectively.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] ip-usage-threshold upper-limit 90 lower-limit 20

# In a dynamic global address pool, set the subnet acquisition and release thresholds to 90% and 20%, respectively.

<Sysname> system-view

[Sysname] nat ip-pool pool1 dynamic

[Sysname-nat-ip-pool-pool1] ip-usage-threshold upper-limit 90 lower-limit 20

Related commands

nat ip-pool

section

subnet length

lock section

Use lock section to lock an address segment in a global address pool.

Use undo lock section to unlock an address segment in a global address pool.

Syntax

lock section [ start-ip mask { mask-length | mask } ]

undo lock section [ start-ip mask { mask-length | mask } ]

Default

No address segment is locked in a global address pool.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

start-ip: Specifies the start IP address in the locked address segment, in dotted decimal notation.

mask mask-length: Specifies the mask length for the locked address segment, in the range of 16 to 32.

mask mask: Specifies the mask for the locked address segment, in dotted decimal notation.

Usage guidelines

Application scenarios

You might have the following requirements when you manage a global address pool:

·     Reserve some addresses in the global address pool for maintenance. The addresses (excluding those already used by online users) are no longer used for address translation of new online users.

·     Due to service planning, you must update or delete all address sections in the global address pool.

This feature can meet the above requirements.

Operating mechanism

To lock all address sections in a global address pool, execute this command without specifying any parameters. None of the addresses in the global address pool can then be used for address translation.

To lock some address sections in a global address pool, execute the lock section start-ip mask { mask-length | mask } command. The locked addresses cannot be used for address translation.

·     For a static global address pool, if the specified address segment includes all or some of the addresses in an address section in the address pool, this command locks all addresses in that address section. For example, if the static global address pool has address section 10.1.1.0/26, and you configure the start-ip and mask-length as 10.1.1.1 and 28, respectively, this command locks address section 10.1.1.0/26.

·     For a dynamic global address pool, if the specified address segment includes all or some of the addresses in a requested public address section, this command locks all addresses in that public address section. For example, if the requested public address section is 10.1.1.0/26, and you configure the start-ip and mask-length as 10.1.1.1 and 28, respectively, this command locks address section 10.1.1.0/26.

After you lock address sections in a global address pool, NAT processes the assigned and unassigned address resources as follows:

·     NAT does not actively reclaim the used address resources in the address sections. NAT services that exist before this command is executed are not affected.

·     Unassigned address resources are no longer assigned to users. Locked addresses are excluded from resource usage calculation of the global address pool.

·     For a dynamic global address pool, locked address sections are no longer automatically released to the DHCP server. To manually release the address sections, use the nat ip-pool release command.
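As an added example (not H3C code and not part of this reference), the following Python models a static global address pool and implements three rules described on this page: the ip-usage-threshold acquire/release decision from the previous section, the lock section overlap rule (a segment that touches any part of a section locks the whole section), and the Usage(E) rounding used by the display commands. The class and function names and the section data are constructed for illustration.

```python
"""Added example (not H3C code): a small model of a static global address pool
that implements the `lock section` overlap rule, the Usage(E) display rounding
and the ip-usage-threshold acquire/release decision. Section data is constructed."""
import ipaddress
import math
from dataclasses import dataclass


@dataclass
class Section:
    """One address section of a static global address pool (constructed)."""
    network: ipaddress.IPv4Network
    used: int = 0          # addresses currently held by online users
    locked: bool = False

    def __post_init__(self):
        if isinstance(self.network, str):
            self.network = ipaddress.ip_network(self.network)


def display_percent(used: int, total: int) -> str:
    """Render a usage value the way the display commands do: a usage above 0%
    but below 1% shows as 1%, anything else is rounded down to an integer."""
    if total == 0 or used == 0:
        return "0%"
    pct = used * 100 / total
    if pct < 1:
        return "1%"
    return f"{math.floor(pct)}%"


def validate_thresholds(upper: int, lower: int) -> None:
    """Parameter rules of ip-usage-threshold: upper-limit 1..100,
    lower-limit 0..99, and lower-limit strictly below upper-limit."""
    if not (1 <= upper <= 100 and 0 <= lower <= 99 and lower < upper):
        raise ValueError("lower-limit must be below upper-limit (1-100 / 0-99)")


def threshold_action(usage_pct: float, upper: int, lower: int,
                     free_extended_subnets: int) -> str:
    """Decision a NAT address group bound to a static pool takes on each check.
    Between the two thresholds nothing happens (hysteresis); a narrow band
    would make the group request and release extended subnets repeatedly,
    which is why the page recommends keeping them more than 60% apart."""
    if usage_pct >= upper:
        return "request-extended-subnet"
    if usage_pct < lower and free_extended_subnets > 0:
        return "release-free-extended-subnets"
    return "hold"


class GlobalPool:
    """Static global address pool: a list of sections plus its thresholds."""

    def __init__(self, sections, upper: int = 80, lower: int = 20):
        validate_thresholds(upper, lower)
        self.sections = list(sections)
        self.upper, self.lower = upper, lower

    def lock_section(self, start_ip=None, mask=None):
        """`lock section [ start-ip mask { mask-length | mask } ]`.
        Without arguments every section is locked. With a segment, any section
        that overlaps the segment is locked as a whole (so 10.1.1.1 mask 28
        locks all of section 10.1.1.0/26). Returns the sections now locked."""
        if start_ip is None:
            for s in self.sections:
                s.locked = True
            return [str(s.network) for s in self.sections]
        # `mask` may be a prefix length (28) or a dotted mask (255.255.255.240)
        seg = ipaddress.ip_network(f"{start_ip}/{mask}", strict=False)
        locked = []
        for s in self.sections:
            if s.network.overlaps(seg):
                s.locked = True
                locked.append(str(s.network))
        return locked

    def usage_excluding_locked(self) -> str:
        """Usage(E): locked sections drop out of both numerator and denominator.
        Addresses already in use inside a locked section stay with their users
        (NAT does not reclaim them) but no longer count toward pool usage."""
        unlocked = [s for s in self.sections if not s.locked]
        total = sum(s.network.num_addresses for s in unlocked)
        used = sum(s.used for s in unlocked)
        return display_percent(used, total)


if __name__ == "__main__":
    pool = GlobalPool([Section("10.1.1.0/26", used=16),
                       Section("10.1.2.0/24", used=8)])
    print(pool.usage_excluding_locked())        # 24 of 320 -> 7%
    print(pool.lock_section("10.1.1.1", 28))    # ['10.1.1.0/26']
    print(pool.usage_excluding_locked())        # 8 of 256 -> 3%
    print(threshold_action(85, 80, 20, 0))      # request-extended-subnet
```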

Recommended configuration

As a best practice, use different locking methods to meet different requirements.

·     To reserve some address sections in a global address pool for maintenance, execute the lock section start-ip mask { mask-length | mask } command to lock them. Then, execute the nat user-table change-global-ip command to replace the public IP addresses to be locked, or force the users that use the addresses offline. After you confirm that no users are using the addresses, execute the undo section command to remove the address sections from the static global address pool or execute the nat ip-pool release command to release the address sections for the dynamic global address pool.

·     To reserve all address sections in a global address pool for maintenance, execute the lock section command to lock them.

If online users are using addresses in the global address pool, execute the nat user-table change-global-ip command to replace the public IP addresses used by users, or force the users offline. After you confirm that no users are using the addresses, execute the undo section command to remove the address sections from the static global address pool or execute the nat ip-pool release command to release the address sections for the dynamic global address pool.

Restrictions and guidelines

To lock multiple address segments, repeat the lock section start-ip mask { mask-length | mask } command.

If you execute the lock section start-ip mask { mask-length | mask } command multiple times in the same global address pool, make sure the specified address segments do not overlap.

Examples

# Lock address segment 1.1.1.0/24 in global address pool pool1.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] lock section 1.1.1.0 mask 24

# Lock all address sections in global address pool pool2.

<Sysname> system-view

[Sysname] nat ip-pool pool2

[Sysname-nat-ip-pool-pool2] lock section

Related commands

display nat ip-pool

nat ip-pool

user-table change-global-ip

nat abnormal-cu-connection auto-renew-lease

Use nat abnormal-cu-connection auto-renew-lease to enable a UP to automatically renew the IP address lease when the CP-UP connection is abnormal.

Use undo nat abnormal-cu-connection auto-renew-lease to disable a UP from automatically renewing the IP address lease when the CP-UP connection is abnormal.

Syntax

nat abnormal-cu-connection auto-renew-lease

undo nat abnormal-cu-connection auto-renew-lease

Default

A UP does not automatically renew the lease of the IP addresses requested from the CP when the CP-UP connection is abnormal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

In the CUPS scenario, a UP periodically renews the IP addresses requested from the CP when the CP-UP connection is normal. If the CP-UP connection fails, the IP addresses are automatically released after the lease expires, and the lease is not renewed. As a result, the user entry and NAT session entry corresponding to the IP addresses are deleted, causing traffic interruption due to public resource changes. In addition, when the address usage in the global address pool on the UP is greater than or equal to the subnet acquisition threshold, the UP cannot request a new subnet from the CP. This might cause service disruption due to insufficient NAT address resources. To avoid such an issue, enable this feature on the UP.

Operating mechanism

If the CP-UP connection fails, the UP enabled with this feature performs the following tasks before the connection is restored:

·     The UP automatically renews the lease of the IP addresses requested from the CP.

·     If the address usage in the global address pool on the UP is less than the subnet release threshold, the global address pool reserves the address resources and does not release them.

After the CP-UP connection is restored, the UP performs the following tasks:

·     The default renewal mechanism of the global address pool on the UP is restored. The UP does not automatically renew the lease of the IP addresses requested from the CP when the CP-UP connection is abnormal.

·     If the address usage in the global address pool on the UP is less than the subnet release threshold, the global address pool releases addresses.

Restrictions and guidelines

This command takes effect only in the vBRAS CUPS scenario.

After you enable this feature on a UP, pay attention to the CP-UP connection status. As a best practice to prevent the CP from assigning a public IP address to different UPs, disable this feature if the connection remains abnormal for a long time and the CP operates correctly. If the CP assigns a public IP address to different UPs, address and route conflicts will occur and return traffic cannot reach the correct device.

Examples

# Enable a UP to automatically renew the IP address lease when the CP-UP connection is abnormal.

<Sysname> system-view

[Sysname] nat abnormal-cu-connection auto-renew-lease

nat address-group bind-ip-pool

Use nat address-group bind-ip-pool to bind a NAT address group to a global address pool.

Use undo nat address-group bind-ip-pool to unbind a NAT address group from a global address pool.

Syntax

nat address-group group-id bind-ip-pool pool-name

undo nat address-group group-id bind-ip-pool

Default

A NAT address group is not bound to any global address pool.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

group-id: Specifies a NAT address group by its ID. The value range for this argument is 0 to 65535.

pool-name: Specifies a global address pool by its name, a case-insensitive string of 1 to 31 characters. If the address pool name contains spaces, you must use quotation marks (") to enclose the pool name, for example, "pool 1". You must specify an existing global address pool.

Usage guidelines

Operating mechanism

The binding allows a global address pool to assign an initial subnet to the bound NAT address group.

For load sharing for global NAT, the initial subnet is assigned as follows:

·     In a NAT and BRAS unification scenario, the number of initial subnets to assign equals the number of failover groups in the service instance group that is associated with the NAT instance. This ensures that different failover groups use different initial subnets.

·     In a scenario without NAT and BRAS unification, only one initial subnet is assigned to the NAT address group. In this case, all failover groups in the associated service instance group share one initial subnet.

For global NAT without load sharing, one initial subnet is assigned to the NAT address group.

Restrictions and guidelines

You can bind NAT address groups to global address pools only when the following requirements are met:

·     The NAT address groups are not bound to any VPN instances.

·     The NAT address groups have port block parameters configured by using the port-block command or use the port-by-port allocation method configured by using the port-single-alloc command.

You cannot perform the following operations on a NAT address group that has been bound to a global address pool:

·     Use the address command to add addresses to the NAT address group.

·     Cancel bindings.

¡     Cancel the port block parameter settings of the NAT address group.

¡     Use the port reuse port allocation mode for the NAT address group.

·     Specify the address group in an outbound dynamic NO-PAT rule.

When you execute this command in a NAT instance, follow these restrictions and guidelines:

·     One NAT address group can be bound to only one global address pool. Different NAT address groups can be bound to the same global address pool.

·     When a NAT address group contains locked addresses, you cannot bind it to a global address pool.

·     You cannot cancel the binding when online users exist in the NAT instance.

·     You cannot cancel the binding if you have specified the address-group group-id option when executing the nat outbound command in NAT instance view.

·     You cannot configure the binding if the NAT instance is associated with the service instance group that is bound to an inter-system failover group. If you have configured a binding for the NAT instance, the service instance group associated with the NAT instance cannot be bound to an inter-system failover group. For more information about inter-system failover groups, see failover group configuration in High Availability Configuration Guide.

·     In the NAT instance configured with CGN warm backup mode, you cannot specify IDs for the dynamic global address pool to which the NAT address group has been bound. To execute the up-backup command in the NAT instance, do not bind the NAT address group to the global address pool.

On a NAT instance-based load balancing network, a global address pool cannot be bound to NAT address groups in different NAT instances.

Examples

# Bind NAT address group 1 to global address pool pool1.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat address-group 1 bind-ip-pool pool1

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

ip-usage-threshold

nat ip-pool

subnet length

up-backup

nat gratuitous-arp-reply enable

Use nat gratuitous-arp-reply enable to enable gratuitous ARP packet reply.

Use undo nat gratuitous-arp-reply enable to disable gratuitous ARP packet reply.

Syntax

nat gratuitous-arp-reply enable

undo nat gratuitous-arp-reply enable

Default

Gratuitous ARP packet reply is disabled.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

By default, the NAT device sends an ARP reply if it receives a gratuitous ARP packet from another device on the same network and the NAT address is the same as the IP address in the gratuitous ARP packet. After the device that sent the gratuitous ARP packet receives the ARP reply, it considers that an address conflict exists. It then displays a log message about the conflict, prompting the administrator to change the IP address.

To reduce the number of ARP reply packets, you can disable this feature if the NAT address will not conflict with IP addresses of any other devices on the same network.

Examples

# Disable gratuitous ARP packet reply for the NAT device.

<Sysname> system-view

[Sysname] nat instance inst id 1

[Sysname-nat-instance-inst] undo nat gratuitous-arp-reply enable

Related commands

display nat instance

nat instance

Use nat instance to create a NAT instance and enter its view, or enter the view of an existing NAT instance.

Use undo nat instance to delete the specified NAT instance.

Syntax

nat instance instance-name [ id id ] [ type user-agency ]

undo nat instance instance-name

Default

No NAT instances exist.

Views

System view

Predefined user roles

network-admin

Parameters

instance-name: Specifies a NAT instance name, a case-sensitive string of 1 to 31 characters. A NAT instance name cannot begin with "Sub". If the instance name contains spaces, use quotation marks to enclose the instance name (for example, "xxx xxx").

id id: Specifies a NAT instance ID in the range of 1 to 127. This option is a must for creating a NAT instance, and it is optional for entering the view of an existing NAT instance.

type user-agency: Specifies the PPPoE agency type. If you do not specify this parameter, the command creates a normal NAT instance. To enter the view of a PPPoE agency NAT instance, you must specify this parameter. To enter the view of a normal NAT instance, do not specify this parameter.

Usage guidelines

Application scenarios

According to the application scope of NAT rules, NAT supports the following application types:

·     Interface-based NAT—Uses NAT rules (such as static NAT rules and dynamic NAT rules) configured on a per interface basis to translate packets. It is applicable to a network with a fixed output interface.

·     Global NAT—Uses NAT rules configured on a per NAT instance basis to translate packets. The packets are redirected to the NAT instance by using a QoS policy. The service card in the service instance group associated with the NAT instance performs address translation. Global NAT is applicable to a network with unfixed output interfaces. You do not need to change the NAT configuration if the packet output interface changes.

On a PPPoE agency network, you can use a PPPoE agency NAT instance to enable a campus user to access an external network from different endpoints with the same account.

Restrictions and guidelines

A NAT instance takes effect when the following requirements are met:

·     The NAT instance is associated with a service instance group.

·     The service instance group is associated with a failover group and the primary node in the failover group can normally process services.

When you create or delete a NAT instance, follow these restrictions and guidelines:

·     The NAT instance name and ID must be unique. Different NAT instances cannot use the same NAT instance ID.

·     A maximum of 16 NAT instances can be created.

·     You cannot delete a NAT instance if the NAT instance contains an online user.

·     The nat instance command in system view cannot coexist with the following commands:

¡     failover-group (NAT address group view or NAT port block group view).

¡     nat centralized-backup enable (system view).

¡     nat extended-port-block report-radius enable (system view).

¡     nat hairpin enable (interface view).

¡     nat hardware ignore-flowredirect-method enable (system view).

¡     nat inbound (interface view).

¡     nat outbound (interface view).

¡     nat outbound ds-lite-b4 (interface view).

¡     nat outbound easy-ip failover-group (interface view).

¡     nat outbound port-block-group (interface view).

¡     nat port-block flow-trigger enable (interface view).

¡     nat server (interface view).

¡     nat service (interface view).

¡     nat static enable (interface view).

To change the type of a NAT instance, you must use the undo nat instance command to delete that NAT instance, and then execute the nat instance command to create a NAT instance of the new type.

A PPPoE agency NAT instance supports only the service-instance-group command.

For NAT to work correctly, associate the service instance group bound to a PPPoE agency NAT instance with only one failover group. To avoid packet loss, use interface cards that support hardware NAT as the primary node and secondary node in the associated failover group.

Examples

# Create a NAT instance named cgn1 with instance ID 1, and enter its view.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1]

# Create a PPPoE agency NAT instance named agency1 with instance ID 2, and enter its view.

<Sysname> system-view

[Sysname] nat instance agency1 id 2 type user-agency

[Sysname-nat-instance-agency1]

Related commands

display nat instance

failover-group

nat centralized-backup enable

nat extended-port-block report-radius enable

nat hairpin enable

nat hardware ignore-flowredirect-method enable

nat inbound

nat outbound

nat outbound ds-lite-b4

nat outbound easy-ip failover-group

nat outbound port-block-group

nat port-block flow-trigger enable

nat server

nat service

nat static enable

service-instance-group

nat ip-pool

Use nat ip-pool to create a global address pool and enter its view, or enter the view of an existing global address pool.

Use undo nat ip-pool to delete a global address pool and its configuration.

Syntax

nat ip-pool pool-name [ dynamic [ backup ] ]

undo nat ip-pool pool-name

Default

No global address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the name of a global address pool, a case-insensitive string of 1 to 31 characters. A global address pool name cannot begin with "Sub". If the address pool name contains spaces, you must use quotation marks (") to enclose the pool name, for example, "pool 1".

dynamic: Creates a dynamic global address pool. If you do not specify this keyword, you create a static global address pool.

backup: Creates a backup global address pool. This keyword is supported only on the backup UP device.

Usage guidelines

Application scenarios

A global address pool is a set of public IPv4 addresses. It facilitates unified management of NAT addresses on the device and resolves issues of uneven NAT resource allocation and resource waste. After you configure a global address pool, address resources are regulated uniformly through the global address pool. Address resource application and release are dynamically triggered by traffic or user demands.

Operating mechanism

A global address pool is a set of public IPv4 addresses. It can be one of the following types:

·     Static global address pool—Allows the NAT module to manage addresses in a centralized way on a single device. It operates as follows:

a.     After you bind a NAT address group to the pool, the pool assigns an initial subnet to this NAT address group.

b.     When an internal user initiates the first connection to the external network, the NAT device uses an IP address in the initial subnet for address translation.

c.     When the initial subnet usage reaches or exceeds the acquisition threshold, the device requests an extended subnet from the pool. If the initial subnet usage drops below the release threshold, the device releases free extended subnets to the pool.

·     Dynamic global address pool—Provides unified NAT address acquisition and management for all UP devices on the CUPS network. On each UP device, a dynamic global address pool is created and bound to a DHCP pool or pool group. After receiving a public address request from the UP device, the CP device requests address resources from the bound DHCP pool or pool group. The DHCP server manages the IP pool resources and allows resource sharing among multiple NAT devices.

Restrictions and guidelines

The backup global address pool takes effect on a backup UP device only when the backup UP device works as the master UP device.

You cannot delete a global address pool that is bound to a NAT address group.

You cannot modify the type of a global address pool directly. To modify the pool type, execute the undo nat ip-pool command to delete the pool, and then execute the nat ip-pool command to create a new one.

Examples

# Create a static global address pool named pool1 and enter its view.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1]

Related commands

bind dhcp-server-pool

ip-usage-threshold

nat instance

section

subnet length

nat ip-pool release

Use nat ip-pool release to release a public address segment requested by a dynamic global address pool from the DHCP server.

Syntax

nat ip-pool pool-name release start-ip mask { mask-length | mask }

Default

The UP notifies the CP of reclaiming idle address segments when the address usage of the dynamic global address pool is less than the release threshold.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the global address pool name, a case-sensitive string of 1 to 31 characters. The name cannot start with Sub. If the pool name contains spaces, you must use quotation marks (") to enclose the name, for example, "pool 1". The specified name must be the name of a dynamic global address pool.

start-ip: Specifies the start IP address of the address segment to be released, in dotted decimal notation.

mask mask-length: Specifies the mask length for the address segment to be released, in the range of 16 to 32.

mask mask: Specifies the mask for the address segment to be released, in dotted decimal notation.

Usage guidelines

Application scenarios

In the CUPS scenario, after you execute the bind dhcp-server-pool command on the UP to bind a dynamic global address pool to a DHCP pool, the UP requests a subnet from the CP before it performs address translation. To actively release subnet addresses obtained from the CP due to service planning, use this command.

Operating mechanism

If the address segment to be released partially overlaps with a subnet obtained by the global address pool, the system attempts to release all IP addresses in the subnet.

If online users are using the address segment to be released, it cannot be released. You can execute the lock section command to lock the address segment used by the users. Execute the nat user-table change-global-ip command to forcibly replace the public IP addresses used by the users or force the users offline. Then, release the address segment again.

Restrictions and guidelines

In a vBRAS CUPS scenario enabled with the load balancing mode for CGN warm backup, you can release address segments in child address pools by specifying the parent address pool name.

For this command to take effect in a UP backup network, execute it on the UP where the master NAT instance resides.

If a released address segment is not locked in the DHCP pool, the NAT module might obtain that address segment again, which is normal. To prevent the NAT module from requesting the released address segment, lock it in the DHCP pool.

Examples

# Release address segment 200.1.1.0/24 in dynamic global address pool pool1.

<Sysname> system-view

[Sysname] nat ip-pool pool1 release 200.1.1.0 mask 24

Related commands

display nat ip-pool

lock section

user-table change-global-ip

nat log ip-add-fail

Use nat log ip-add-fail to enable logging for failing to add an address to a global address pool.

Use undo nat log ip-add-fail to disable logging for failing to add an address to a global address pool.

Syntax

nat log ip-add-fail

undo nat log ip-add-fail

Default

Logging is disabled for failing to add an address to a global address pool.

Views

Global address pool view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

This feature enables the device to generate logs for failing to add an address to a global address pool.

Such conditions are as follows:

·     The IP addresses in the subnet requested from the CP by the dynamic global address pool on the UP overlap with the IP addresses in other global address pools.

·     The number of IP addresses in the global address pool on the UP has reached the limit.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for failing to add an address to global address pool pool1.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] nat log ip-add-fail

Related commands

display nat all

display nat log

ip-usage-threshold

nat log enable

nat log ip-alloc-fail

Use nat log ip-alloc-fail to enable logging for address allocation failures caused by address exhaustion in a global address pool.

Use undo nat log ip-alloc-fail to disable logging for address allocation failures caused by address exhaustion in a global address pool.

Syntax

nat log ip-alloc-fail

undo nat log ip-alloc-fail

Default

Logging is disabled for address allocation failures caused by address exhaustion in a global address pool.

Views

Global address pool view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

This feature enables the device to generate logs in one of the following conditions:

·     The device fails to allocate IP addresses because the global address pool has no assignable IP addresses.

·     The global address pool usage drops to 87.5%.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Enable logging for address allocation failures caused by address exhaustion in the global address pool.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] nat log ip-alloc-fail

Related commands

display nat all

display nat log

nat log enable

nat log ip-usage threshold

Use nat log ip-usage threshold to set the IP usage threshold for a global address pool.

Use undo nat log ip-usage threshold to restore the default.

Syntax

nat log ip-usage threshold value

undo nat log ip-usage threshold

Default

The IP usage threshold is 80% for global address pools.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

value: Specifies a threshold in the range of 60 to 100 in percentage.

Usage guidelines

Application scenarios

The device generates logs when the IP usage of the global address pool exceeds the threshold or drops below 87.5% of the threshold.

Restrictions and guidelines

This command takes effect only after you use the nat log enable command to enable NAT logging.

Examples

# Set the IP usage threshold to 70% for global address pool pool1.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] nat log ip-usage threshold 70

Related commands

display nat all

display nat log

nat log enable

nat mapping-behavior endpoint-independent

Use nat mapping-behavior endpoint-independent to specify the Endpoint-Independent Mapping or Connection-Dependent Mapping mode for PAT in a NAT instance.

Use undo nat mapping-behavior endpoint-independent to restore the default.

Syntax

nat mapping-behavior endpoint-independent { { tcp [ tcp-5-tuple ] | tcp-5-tuple } | { udp [ udp-5-tuple ] | udp-5-tuple } } *

undo nat mapping-behavior endpoint-independent

Default

Configuration of the nat mapping-behavior endpoint-independent command in system view applies.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

tcp: Creates EIM entries for TCP connections.

udp: Creates EIM entries for UDP connections.

tcp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for TCP connections. If you do not specify this keyword but specify the tcp keyword, only EIM entries are created. If you specify this keyword but do not specify the tcp keyword, only session entries are created.

udp-5-tuple: Creates five-tuple (source IP, source port, protocol, destination address, and destination port) session entries for UDP connections. If you do not specify this keyword but specify the udp keyword, only EIM entries are created. If you specify this keyword but do not specify the udp keyword, only session entries are created.

Usage guidelines

Application scenarios

By default, configuration of the nat mapping-behavior endpoint-independent command in system view applies. All NAT instances use the same mapping mode for PAT, which cannot meet the requirement of using different mapping modes for different traffic.

To resolve such an issue, you can create different NAT instances and configure different mapping modes as required in the NAT instances. Then, configure a QoS policy to redirect traffic to different NAT instances.

Operating mechanism

PAT supports the following types of NAT mappings:

·     Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destinations. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. This mode allows internal hosts behind different NAT gateways to access each other.

·     Connection-Dependent Mapping (CDM)—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.

To specify the Endpoint-Independent Mapping mode for PAT in a NAT instance, use the nat mapping-behavior endpoint-independent { { tcp [ tcp-5-tuple ] } | { udp [ udp-5-tuple ] } } * command.

To specify the Connection-Dependent Mapping mode for PAT in a NAT instance, use the nat mapping-behavior endpoint-independent { tcp-5-tuple | udp-5-tuple } * command.
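The following toy model is an added illustration, not H3C code: it shows why the two modes differ in who can reach an internal host. In EIM mode a private source IP and port maps to one public endpoint for every destination, so any external host that learns that endpoint is translated back; in CDM mode each connection gets its own mapping and an inbound packet is translated only if the internal host already contacted that exact external endpoint. The public address 203.0.113.10, the port counter starting at 1024 and all host addresses are constructed sample values, and the model keeps session entries in both modes.

```python
"""Toy model of PAT mapping behaviour: EIM versus CDM.

Added illustration, not H3C code. All addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                      # (ip, port)
MapKey = Tuple[str, str, int]                   # (proto, private ip, private port)
FiveTuple = Tuple[str, str, int, str, int]      # (proto, src ip, src port, dst ip, dst port)


@dataclass
class PatTable:
    mode: str                                   # "eim" or "cdm"
    public_ip: str = "203.0.113.10"             # constructed public address
    next_port: int = 1024                       # constructed port counter
    eim: Dict[MapKey, Endpoint] = field(default_factory=dict)          # EIM entries
    sessions: Dict[FiveTuple, Endpoint] = field(default_factory=dict)  # session entries

    def _alloc(self) -> Endpoint:
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        return public

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Endpoint:
        """Translate an internal-to-external packet and record the entries it creates."""
        key5 = (proto, src_ip, src_port, dst_ip, dst_port)
        if key5 in self.sessions:               # packet of an existing connection
            return self.sessions[key5]
        if self.mode == "eim":
            # Same private IP and port -> same public endpoint, whatever the destination.
            key = (proto, src_ip, src_port)
            if key not in self.eim:
                self.eim[key] = self._alloc()
            public = self.eim[key]
        else:
            # CDM: every connection gets its own mapping, even from the same source.
            public = self._alloc()
        self.sessions[key5] = public
        return public

    def inbound(self, proto: str, ext_ip: str, ext_port: int,
                pub_ip: str, pub_port: int) -> Optional[Endpoint]:
        """Return the private endpoint for an external-to-public packet, or None if dropped."""
        public = (pub_ip, pub_port)
        if self.mode == "eim":
            # Any external host may reach the mapped endpoint; the source is not checked.
            for (p, priv_ip, priv_port), mapped in self.eim.items():
                if p == proto and mapped == public:
                    return (priv_ip, priv_port)
            return None
        # CDM: only the external endpoint that the internal host already contacted matches.
        for (p, priv_ip, priv_port, dst_ip, dst_port), mapped in self.sessions.items():
            if p == proto and mapped == public and (dst_ip, dst_port) == (ext_ip, ext_port):
                return (priv_ip, priv_port)
        return None
```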

Restrictions and guidelines

You cannot execute this command in a NAT instance in the following conditions:

·     The nat alg h323 command has been executed in system view.

·     The nat static enable command has been executed in the NAT instance.

·     The NAT instance has NO-PAT configuration.

Changing the mapping mode in a NAT instance deletes all session entries and EIM entries in that NAT instance.

·     You can change the mapping mode in the NAT instance again only after all the session entries and EIM entries are deleted from that NAT instance.

·     Deleting session entries and EIM entries might cause traffic interruption. Use this command with caution.

Examples

# Specify the Endpoint-Independent Mapping mode for PAT and create only EIM entries for TCP connections.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat mapping-behavior endpoint-independent tcp

Related commands

display nat eim

display nat eim statistics

display nat instance

nat alg

nat outbound

nat static enable

nat port-block failover-service rebalance enable

Use nat port-block failover-service rebalance enable to enable reload balancing for port block-based NAT services after a service card failure and failure recovery in a NAT instance.

Use undo nat port-block failover-service rebalance enable to disable reload balancing for port block-based NAT services after a service card failure and failure recovery in a NAT instance.

Syntax

nat port-block failover-service rebalance enable

undo nat port-block failover-service rebalance enable

Default

Reload balancing is disabled for port block-based NAT services after a service card failure and failure recovery in a NAT instance.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

The service cards in a NAT instance can load balance NAT services as follows:

1.     Assign the service cards to failover groups, associate the failover groups with a service instance group, and then associate the service instance group with the NAT instance.

2.     The NAT device implements load balancing on the service cards in the failover groups based on a load balancing algorithm.

In a NAT and BRAS unification scenario, the NAT device allocates online users relatively evenly to each failover group in the load balancing group based on a load balancing algorithm for service load balancing. If a failover group fails, the NAT device migrates all users in the faulty failover group to the failover group with the fewest users. Once the faulty failover group recovers, only new online users are allocated to it. NAT services are not reload balanced in multiple failover groups.

The aforementioned mechanism causes the following issues:

·     After users are migrated to the failover group with the fewest users, the number of users in the target failover group might exceed the upper limit supported by the target failover group.

·     After a failover group fails and recovers, users are not evenly allocated to each failover group.

Use this feature to resolve such issues.

Operating mechanism

In a NAT and BRAS unification scenario, after you enable this feature in a NAT instance, the NAT device implements load balancing as follows:

·     If a failover group fails in the service instance group associated with the NAT instance, the NAT device performs the following tasks:

¡     Evenly allocates the public IP addresses of the failover group to the remaining normal failover groups based on a load balancing algorithm.

¡     Allocates users in the faulty failover group to the remaining normal failover groups as evenly as possible.

During the process, the NAT device makes sure the tracing information (public IP addresses and port numbers) of users in the faulty failover group remains unchanged.

·     After the faulty failover group recovers, the NAT device performs the following tasks:

¡     Evenly reallocates public IP addresses to each failover group based on a load balancing algorithm.

¡     Reallocates users to each failover group as evenly as possible and makes sure the tracing information (public IP addresses and port numbers) of users remains unchanged.

This process does not guarantee that all users migrated from the faulty failover group to other failover groups can be migrated back to the faulty failover group after it recovers.

Restrictions and guidelines

This command takes effect only in NAT and BRAS unification scenarios.

When online users exist, you can change the enabling status of this feature. However, reload balancing is implemented only after a failover group fails and recovers.

After you execute this command in NAT instance view, the service instance group associated with the NAT instance cannot be bound to a failover group used for inter-system service backup. For more information about failover groups used for inter-system service backup, see failover group configuration in High Availability Configuration Guide.

Examples

# In NAT instance cgn with ID 1, enable reload balancing for port block-based NAT services after a service card failure and failure recovery.

<Sysname> system-view

[Sysname] nat instance cgn id 1

[Sysname-nat-instance-cgn] nat port-block failover-service rebalance enable

Related commands

nat instance

nat redirect-cgn drop-upon-mismatch

Use nat redirect-cgn drop-upon-mismatch to drop the packets that are redirected to the CGN card but do not match NAT configuration.

Use undo nat redirect-cgn drop-upon-mismatch to restore the default.

Syntax

nat redirect-cgn drop-upon-mismatch

undo nat redirect-cgn drop-upon-mismatch

Default

The device transparently transmits the packets that are redirected to the CGN card but do not match NAT configuration to an interface card. Then, it performs a routing table lookup to forward the packets to the public network.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

By default, the device transparently transmits the packets that are redirected to the CGN card but do not match NAT configuration to an interface card. Then, it performs a routing table lookup to forward the packets to the public network. If the packets carry private addresses, use this command to drop such packets so that the untranslated private addresses are not exposed to the public network.

Restrictions and guidelines

Configuring this feature degrades the forwarding performance. As a best practice, do not configure this feature.

This command takes effect only on global NAT.

Examples

# Drop the packets that are redirected to the CGN card but do not match NAT configuration.

<Sysname> system-view

[Sysname] nat redirect-cgn drop-upon-mismatch

Related commands

display nat all

nat server

Use nat server to create a NAT server mapping (also called NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

A single public address with no public port:

nat server global global-address [ vpn-instance global-vpn-instance-name ] inside local-address [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server global global-address [ vpn-instance global-vpn-instance-name ]

A single public address with a single public port:

nat server protocol pro-type global { global-address | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server protocol pro-type global { global-address | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

NAT interface address as the public address with a single public port:

nat server protocol pro-type global interface interface-type interface-number global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port [ vpn-instance local-vpn-instance-name ] [ reversible ]

undo nat server protocol pro-type global interface interface-type interface-number global-port [ vpn-instance global-vpn-instance-name ]

Default

No NAT server mappings exist.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

inside: Specifies the internal information of the server.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The format requirement is the same as the requirement for the local-port argument.

local-address: Specifies the private IP address of an internal server.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address of the internal server belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

Usage guidelines

Application scenarios

When internal servers provide services (such as FTP and Web) for external networks, the NAT device allows external users to use specific NAT addresses and ports to access the internal servers. You can configure the NAT server mappings to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 31 Address-port mappings for NAT Server

External network                                   Internal network
One public address                                 One private address
One public address and one public port number      One private address and one private port number

 

Restrictions and guidelines

By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings.

When you configure Easy IP for NAT server mappings, follow these restrictions and guidelines:

·     As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

·     If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server that does not use Easy IP, the Easy IP configuration becomes invalid. The Easy IP configuration takes effect again after the conflicting address is changed to a non-conflicting one or the internal server configuration that does not use Easy IP is removed.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The public address of the internal server and the output interface must belong to the same VPN instance, and the internal server and the input interface must belong to the same VPN instance.

The NAT server mapping configuration fails or does not take effect in either of the following conditions:

·     Hardware resources are insufficient.

·     The combination of the protocol type, public address, and public port number is not unique among NAT server mappings in one NAT instance.

In NAT instance-based load balancing, a public address cannot be mapped to multiple private addresses in NAT server mappings. If a public address is mapped to multiple private addresses in NAT server mappings for the NAT instance, the NAT instance does not support load balancing using multiple failover groups.

In the NAT instance configured with CGN warm backup mode, you cannot create or delete a NAT server.
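To make the mapping rules above concrete, here is an added model (example code, not H3C's) of how NAT server mappings are looked up: the NatInstance class, its method names and the small port-name table are assumptions, while the rules it enforces (a unique protocol/public address/public port combination per instance, port mappings only for TCP and UDP, port 20 excluded, reverse translation only for reversible mappings) come from the text.

```python
"""Model of the NAT server mapping rules described for the nat server
command. Added example, not H3C code: NatInstance, its method names and
PORT_NAMES are assumptions; the enforced rules come from the reference."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PORT_NAMES = {"http": 80, "https": 443, "telnet": 23, "ftp": 21}  # assumed subset

def proto_number(p) -> int:
    """Protocol given as 1-255 or as icmp/tcp/udp."""
    n = PROTO_NUM.get(p.lower()) if isinstance(p, str) else p
    if not isinstance(n, int) or not 1 <= n <= 255:
        raise ValueError(f"bad protocol {p!r}")
    return n

def port_number(p) -> int:
    """Port given as 1-65535 (FTP port 20 excluded) or as a service name."""
    n = PORT_NAMES.get(p.lower()) if isinstance(p, str) else p
    if not isinstance(n, int) or not 1 <= n <= 65535 or n == 20:
        raise ValueError(f"bad port {p!r}")
    return n

@dataclass(frozen=True)
class ServerMapping:
    proto: Optional[int]          # None: address-only form, applies to any protocol
    global_address: str
    global_port: Optional[int]
    local_address: str
    local_port: Optional[int]
    reversible: bool

class NatInstance:
    def __init__(self, name: str):
        self.name = name
        self._rules: Dict[Tuple[Optional[int], str, Optional[int]], ServerMapping] = {}

    def nat_server(self, global_address, local_address, protocol=None,
                   global_port=None, local_port=None, reversible=False):
        proto = None if protocol is None else proto_number(protocol)
        if proto not in (6, 17) and (global_port is not None or local_port is not None):
            raise ValueError("port mapping is possible only for tcp or udp")
        gport = None if global_port is None else port_number(global_port)
        lport = None if local_port is None else port_number(local_port)
        key = (proto, global_address, gport)
        if key in self._rules:           # must be unique within one NAT instance
            raise ValueError(f"duplicate protocol/public address/port {key}")
        self._rules[key] = ServerMapping(proto, global_address, gport,
                                         local_address, lport, reversible)
        return self._rules[key]

    def inbound(self, protocol, dst_ip, dst_port=None):
        """External -> internal: the most specific mapping wins."""
        p = proto_number(protocol)
        for key in ((p, dst_ip, dst_port), (p, dst_ip, None), (None, dst_ip, None)):
            m = self._rules.get(key)
            if m is not None:
                return (m.local_address, dst_port if m.local_port is None else m.local_port)
        return None

    def outbound(self, protocol, src_ip, src_port=None):
        """Internal server -> external: translated only by reversible mappings."""
        p = proto_number(protocol)
        for m in self._rules.values():
            if not m.reversible or m.local_address != src_ip or m.proto not in (None, p):
                continue
            if m.local_port is not None and m.local_port != src_port:
                continue
            return (m.global_address, src_port if m.local_port is None else m.global_port)
        return None
```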

Examples

# Configure a NAT server mapping in NAT instance inst to allow external users to access the internal Web server at 10.110.10.10 through https://202.110.10.10:8080.

<Sysname> system-view

[Sysname] nat instance inst id 1

[Sysname-nat-instance-inst] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 https

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

display nat all

display nat server

nat server-group

nat user-table change-global-ip

Use nat user-table change-global-ip to replace a public IP address segment used by online users.

Syntax

nat user-table change-global-ip [ public | vpn-instance vpn-instance-name ] start-address { end-address | mask { mask-length | mask } }

Views

System view

Predefined user roles

network-admin

Parameters

public: Specifies online users on the public network.

vpn-instance vpn-instance-name: Specifies online users in the specified VPN instance. If you do not specify either the public keyword or the vpn-instance vpn-instance-name option, this command replaces the public IP address segment used by all online users.

start-address: Specifies the start IP address of the public IP address segment used by online users, in dotted decimal notation.

end-address: Specifies the end IP address of the public IP address segment used by online users, in dotted decimal notation.

mask mask-length: Specifies the mask length for the public IP address segment used by online users, in the range of 1 to 32.

mask mask: Specifies the mask for the public IP address range used by online users, in dotted decimal notation.

Usage guidelines

Application scenarios

You might have the following requirements when you manage a NAT address group or global address pool:

·     Reserve some addresses in the NAT address group or global address pool for maintenance. The addresses (excluding those already used by online users) are no longer used for address translation.

·     Due to service planning, you must update or delete all addresses in the NAT address group or global address pool.

This feature can meet the above requirements. If the locked addresses are being used by online users, use the nat user-table change-global-ip command to forcibly replace the addresses or force the users offline. Then, delete or release the addresses in the NAT address group or global address pool.

Restrictions and guidelines

After you execute the nat user-table change-global-ip command, you can use the display nat user-table command to view online user information. If the public IP address replacement fails, execute the nat user-table change-global-ip command again.

After you execute the nat user-table change-global-ip command, users are forced offline if the public IP address replacement fails because of insufficient public IP addresses.

For the nat user-table change-global-ip command to take effect in a UP backup network, execute it on the UP where the master NAT instance resides.

Examples

# Replace public IP address segment 200.1.1.0/24 used by online users.

<Sysname> system-view

[Sysname] nat user-table change-global-ip 200.1.1.0 mask 24

Related commands

display nat user-table

reset nat instance statistics

Use reset nat instance statistics to delete statistics for address translation services processed by NAT instances on the UP.

Syntax

reset nat instance [ instance-name instance-name ] statistics

Views

User view

Predefined user roles

network-admin

Parameters

instance-name instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a NAT instance, this command deletes statistics for address translation services processed by all NAT instances.

Usage guidelines

This command deletes the following statistics:

·     Total number of session entries created by the failover group, including the number of session entries that are being used and aging session entries.

·     Total number of aging session entries for the failover group.

·     Total number of EIM entries created by the failover group.

·     Total number of aging EIM entries for the failover group.

Examples

# Delete statistics for address translation services processed by all NAT instances.

<Sysname> reset nat instance statistics

Related commands

display nat instance statistics

section

Use section to configure an address section in a global address pool.

Use undo section to delete an address section from a global address pool.

Syntax

section section-id start-ip mask { mask-length | mask }

undo section section-id

Default

No address sections are configured in a global address pool.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

section-id: Specifies the ID of the address section, in the range of 0 to 255.

start-ip: Specifies the start IP address in the section, in dotted decimal notation.

mask mask-length: Specifies the mask length for the section, in the range of 16 to 32.

mask mask: Specifies the mask for the section, in dotted decimal notation.

Usage guidelines

A global address pool supports a maximum of 256 address sections.

Different global address pools cannot have overlapping IP addresses. Addresses in global address pools cannot overlap with addresses in NAT address groups, NAT port block groups, or NAT server mappings.

You cannot modify address section attributes directly by using the command. To modify a section, execute the undo section command to delete the section, and then execute the section command to configure a new one.

You cannot delete a section if addresses in this section have been assigned to a NAT instance and are being used by online users or are unlocked.

You cannot use this command to add address sections to dynamic global address pools.

Examples

# In global address pool pool1, specify the start IP address as 200.1.1.1 and set the mask length to 24 for section 0.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] section 0 200.1.1.1 mask 24

Related commands

ip-usage-threshold

nat ip-pool

subnet length

service-instance-group

Use service-instance-group to associate a service instance group with a NAT instance.

Use undo service-instance-group to disassociate a service instance group from a NAT instance.

Syntax

service-instance-group service-instance-group-name

undo service-instance-group

Default

A NAT instance does not have any associated service instance groups.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

service-instance-group-name: Specifies a service instance group name, a case-sensitive string of 1 to 31 characters. If the service instance group name contains spaces, use quotation marks to enclose the group name (for example, "xxx xxx"). You can specify a nonexistent service instance group, but the association takes effect after you create the service instance group by using the service-instance-group command. For more information about the service instance group, see service instance group configuration in High Availability Configuration Guide.

Usage guidelines

Application scenarios

The service card in the associated service instance group performs address translation for traffic that matches NAT rules in the NAT instance.

Restrictions and guidelines

When you execute this command, follow these restrictions and guidelines:

·     For a NAT instance to take effect, associate it with a CGN-type service instance group.

·     A NAT instance can be associated with only one service instance group. Different NAT instances cannot be associated with the same service instance group.

·     In the NAT and BRAS unification scenario, you can cancel the association between the NAT instance and the service instance group only after all users go offline. The association cannot be canceled if a user is online.

·     In other scenarios, you cannot cancel the association between the NAT instance and the service instance group when address translation entries of the NAT instance exist.

·     You cannot use a service instance group for both inter-system and intra-system service backup.

¡     If the backup channel is configured on a VSRP group, a service instance group associated with the NAT instance can only be used for inter-system service backup.

¡     If a service instance group associated with the NAT instance is bound to intra-system service backup groups, the backup channel cannot be configured on a VSRP instance.

·     In the NAT instance configured with CGN warm backup mode, the service instance group associated with the NAT instance must be bound to a failover group used for intra-system backup, or the NAT instance cannot associate with the service instance group.

The service instance group associated with a NAT instance can be bound to only one intra-system failover group in one of the following conditions:

·     The NAT instance is configured with static port block mappings or NO-PAT dynamic mappings.

·     Addresses in NAT address groups of the outbound address translation rules for the NAT instance are manually assigned by using the address command.

Examples

# Associate NAT instance cgn1 with service instance group group1.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] service-instance-group group1

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

nat instance

service-instance-group (High Availability Command Reference)

subnet length

Use subnet length to specify the initial or extended subnet mask.

Use undo subnet length to restore the default.

Syntax

subnet length initial { mask-length | mask } [ extend { mask-length | mask } ]

undo subnet length

Default

The initial or extended subnet mask length is 27, and the mask is 255.255.255.224.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

initial mask-length: Specifies an initial subnet mask length, in the range of 18 to 32.

initial mask: Specifies an initial subnet mask, in dotted decimal notation.

extend mask-length: Specifies an extended subnet mask length, in the range of 18 to 32.

extend mask: Specifies an extended subnet mask, in dotted decimal notation.

Usage guidelines

Operating mechanism

If a NAT address group is bound to a global address pool for NAT resource acquisition, the subnet allocation and release procedure is as follows:

·     The global address pool assigns public addresses to the NAT address group based on the initial subnet mask. If the pool has fewer address resources than those specified by the initial subnet mask, the device extends the initial subnet mask length for subnet allocation.

·     When the initial subnet usage of the NAT address group reaches or exceeds the subnet acquisition threshold, the NAT address group requests an extended subnet from the global address pool.

¡     If the pool has fewer address resources than the requested subnet, the device allocates a subnet by using a mask length longer than the extended mask length.

¡     If the pool has more address resources than the requested subnet, the device allocates a subnet based on the extended subnet mask.

¡     If the pool has no resources, the address allocation fails.

·     When the initial subnet usage of the NAT address group drops below the subnet release threshold, free extended subnets are released.
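The allocation and release procedure above, as an added simulation (example code, not H3C's): the GlobalAddressPool and NatAddressGroup classes, the assign()/withdraw() user operations and the 80%/20% acquisition and release thresholds are assumptions standing in for the device's internals and the ip-usage-threshold command; the initial/extended mask behaviour, the fallback to a longer mask when the pool has fewer resources, and the failure when it has none follow the text.

```python
"""Simulation of subnet allocation between a global address pool and a NAT
address group, after the subnet length usage guidelines. Added example, not
H3C code: class and method names and the threshold values are assumptions."""
import ipaddress
from typing import List, Optional, Set

IPv4Net = ipaddress.IPv4Network

class GlobalAddressPool:
    def __init__(self, initial_len: int = 27, extend_len: Optional[int] = None):
        self.initial_len, self.extend_len = initial_len, extend_len  # subnet length initial/extend
        self.free: List[IPv4Net] = []

    def section(self, start_ip: str, mask_len: int) -> None:
        """section section-id start-ip mask mask-length"""
        self.free.append(ipaddress.ip_network(f"{start_ip}/{mask_len}", strict=False))

    def allocate(self, mask_len: int) -> Optional[IPv4Net]:
        """Try the requested mask; with fewer resources than that, use a longer
        mask (a smaller subnet); with no resources at all, the allocation fails."""
        for plen in range(mask_len, 33):
            for i, blk in enumerate(self.free):
                if blk.prefixlen <= plen:
                    self.free.pop(i)
                    while blk.prefixlen < plen:            # split down to the wanted size
                        blk, rest = blk.subnets(prefixlen_diff=1)
                        self.free.append(rest)
                    return blk
        return None

    def release(self, blk: IPv4Net) -> None:
        self.free.append(blk)

class NatAddressGroup:
    """NAT address group bound to a pool; acquire_pct/release_pct stand in for
    the subnet acquisition and release thresholds (values assumed)."""
    def __init__(self, pool: GlobalAddressPool, acquire_pct: int = 80, release_pct: int = 20):
        self.pool, self.acquire_pct, self.release_pct = pool, acquire_pct, release_pct
        initial = pool.allocate(pool.initial_len)
        if initial is None:
            raise RuntimeError("address allocation failed: pool has no resources")
        self.initial: IPv4Net = initial
        self.extended: List[IPv4Net] = []
        self.used: Set[ipaddress.IPv4Address] = set()

    def initial_usage(self) -> float:
        used = sum(1 for a in self.used if a in self.initial)
        return 100.0 * used / self.initial.num_addresses

    def _has_free_extended(self) -> bool:
        return any(a not in self.used for blk in self.extended for a in blk)

    def _check_thresholds(self) -> None:
        usage = self.initial_usage()
        if (usage >= self.acquire_pct and self.pool.extend_len is not None
                and not self._has_free_extended()):
            ext = self.pool.allocate(self.pool.extend_len)   # None: pool exhausted
            if ext is not None:
                self.extended.append(ext)
        if usage < self.release_pct:
            for blk in list(self.extended):
                if not any(a in blk for a in self.used):    # only free extended subnets
                    self.extended.remove(blk)
                    self.pool.release(blk)

    def _free_address(self) -> Optional[ipaddress.IPv4Address]:
        for blk in [self.initial, *self.extended]:
            for a in blk:
                if a not in self.used:
                    return a
        return None

    def assign(self) -> Optional[ipaddress.IPv4Address]:
        """Hand a public address to a new user; None when the group is exhausted."""
        self._check_thresholds()
        a = self._free_address()
        if a is not None:
            self.used.add(a)
        return a

    def withdraw(self, a: ipaddress.IPv4Address) -> None:
        self.used.discard(a)
        self._check_thresholds()
```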

Restrictions and guidelines

You cannot assign an extended subnet to the NAT address group if the extend option is not specified for this command.

You cannot modify the initial or extended mask length (or mask) in a global address pool when a NAT address group is bound to the pool.

Examples

# In global address pool pool1, set the initial subnet mask length to 25, and the extended subnet mask length to 27.

<Sysname> system-view

[Sysname] nat ip-pool pool1

[Sysname-nat-ip-pool-pool1] subnet length initial 25 extend 27

Related commands

ip-usage-threshold

nat ip-pool

section

up-backup

Use up-backup to specify IDs of the local and peer dynamic global address pools.

Use undo up-backup to remove IDs of the local and peer dynamic global address pools.

Syntax

up-backup local-up-id up-id1 peer-up-id up-id2

undo up-backup

Default

The IDs of local and peer dynamic global address pools are not specified.

Views

Global address pool view

Predefined user roles

network-admin

Parameters

local-up-id up-id1: Specifies the local UP management instance ID as the local global address pool identification. The value range for the up-id1 argument is 1024 to 2047.

peer-up-id up-id2: Specifies the peer UP management instance ID as the peer global address pool identification. The value range for the up-id2 argument is 1024 to 2047.

Usage guidelines

Application scenarios

This command is applicable to the CP-UP separation scenario with UP hot backup configured. To back up NAT entries and address information, you must execute this command on both the master and backup UP devices. The following example describes the command configuration:

·     On the local UP device, execute the up-backup local-up-id 1024 peer-up-id 1025 command.

·     On the peer UP device, execute the up-backup local-up-id 1025 peer-up-id 1024 command.

Restrictions and guidelines

For this command to be successfully executed, execute this command before executing the bind dhcp-server-pool command.

In the NAT instance, the warm backup mode and other backup modes are mutually exclusive. In the global address pool view configured with CGN warm backup, you cannot specify IDs of dynamic global address pools.

This command does not support modifying IDs of local and peer dynamic global address pools. To modify them, execute the undo up-backup command to remove the existing identifiers, and then execute the up-backup command to specify new ones.

Examples

# Specify the ID of the local dynamic global address pool as 1024, and the ID of the peer dynamic global address pool as 1025.

<Sysname> system-view

[Sysname] nat ip-pool pool dynamic

[Sysname-nat-ip-pool-pool] up-backup local-up-id 1024 peer-up-id 1025

Related commands

bind dhcp-server-pool

cu warm-load-balance-mode enable

cu warm-standby-mode enable

user-table change-failover-group

Use user-table change-failover-group to manually switch the failover group that processes the specified NAT service in the user table.

Syntax

user-table { ipv4 ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] change-failover-group group-name

Default

The device specifies the failover group that processes NAT services automatically.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

ipv4 ipv4-address: Specifies an IPv4 address for the access user.

ipv6 ipv6-address: Specifies an IPv6 address for the access user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

group-name: Specifies a failover group name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

Application scenarios

In a NAT and BRAS unification scenario, the access device assigns a NAT instance to users for NAT services. When the service instance group associated with the NAT instance contains multiple failover groups, the failover groups load share NAT services. If a failover group cannot sense that the master node is faulty (for example, the register is faulty), the backup node does not switch to a master node and the NAT instance does not migrate users to other failover groups. As a result, the NAT instance does not perform address translation for the users and traffic forwarding is abnormal.

To resolve the issue, use this command to migrate the users to a failover group that operates correctly in the NAT instance for processing NAT services.

To view information about access users, execute the display access-user command. The information includes the IP addresses of users assigned by the access device and the VPN instances to which the users belong.

Restrictions and guidelines

When you execute the user-table change-failover-group command, follow these guidelines:

·     The NAT instance must be the same as that assigned to the users by the access device.

·     The failover group after switching must be in the service instance group associated with the NAT instance. It must have a node that can process services correctly and have enough resources.

Examples

# Manually switch the failover group that processes NAT services for the user whose IPv4 address is 1.1.1.1 to group2.

<Sysname> system-view

[Sysname] nat instance nat id 1

[Sysname-nat-instance-nat] user-table ipv4 1.1.1.1 change-failover-group group2

Interface-based NAT commands

display nat address-group resource-usage

Use display nat address-group resource-usage to display the NAT address group resource usage.

Syntax

display nat address-group [ group-id ] resource-usage [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 4294967295. If you do not specify this argument, the command displays the address usage of all NAT address groups.

verbose: Displays the overall resource usage of a NAT address group and the resource usage of each group member. If you do not specify this keyword, the command displays only the overall resource usage of the NAT address group.

Usage guidelines

The resource usage of a NAT address group includes the following information:

·     Address usage—Ratio of the number of used IP addresses to the total number of IP addresses. The used IP addresses are public IP addresses that have been assigned to users for address translation.

·     Port usage—Ratio of the number of assigned ports to the total number of ports. If you set the maximum number of VPN users sharing one single public address in PAT mode by using the nat per-global-ip user-limit command, the port usage might differ. This is normal and requires no action.

The system calculates the resource usage of a NAT address group only after a failover group is bound to the address group.

Examples

# Display the address resource usage of NAT address group 1.

<Sysname> display nat address-group 1 resource-usage

(E): Exclude locked IP  (I): Include locked IP

 

  Address group name/ID: group1/1

    VPN instance: vpn1

    Port range: 1024-10000

    Nat per-global-ip user-limit:4096

    Port-single-alloc

    Total IP addresses: 12(Locked: 0, Unlocked: 12)

    Used IP addresses: 12(Locked: 0, Unlocked: 12)

    IP usage(E): 100%

    Port usage(E): 12%

    Address information:

      Start address         End address         Lock status

      202.110.10.10         202.110.10.15       Unlocked

      202.110.10.20         202.110.10.25       Unlocked

    Config status: Active

Table 32 Command output

Field

Description

(E): Exclude locked IP

Exclude locked IP addresses during address usage calculation.

(I): Include locked IP

Include locked IP addresses during address usage calculation.

Totally n NAT address groups

Total number of NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Nat per-global-ip user-limit

Maximum number of VPN users sharing one single public address in PAT mode.

Port-single-alloc

Port-by-port allocation method. This field is not displayed if this method is not set.

Extended-block multi-global-ip enable

Whether the device can use an extended port block from a public IP address other than the public IP address of the pre-allocated port block. This field is not displayed if this feature is disabled.

Instance name/ID

Name and ID of the NAT instance bound to the NAT address group.

Total IP addresses

Total number of IP addresses that the NAT address group contains. This field displays 0 if no failover group is bound to the NAT address group.

·     Locked—Total number of locked IP addresses.

·     Unlocked—Total number of unlocked IP addresses.

Used IP addresses

Total number of IP addresses that the NAT address group has used. This field displays 0 if no failover group is bound to the NAT address group.

·     Locked—Total number of locked IP addresses.

·     Unlocked—Total number of unlocked IP addresses.

IP usage(E)

Unlocked address usage of the NAT address group. The value is displayed as follows:

·     If the address usage is greater than 0% but less than 1%, this field displays 1%.

·     If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

This field displays 0 if no failover group is bound to the NAT address group.

Port usage(E)

Port usage of unlocked IP addresses in the NAT address group. The value is displayed as follows:

·     If the port usage is greater than 0% but less than 1%, this field displays 1%.

·     If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

This field displays 0 if no failover group is bound to the NAT address group.

Address information

Information about the address ranges in the address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays three hyphens (---).

Lock status

Whether the address range is locked:

·     Locked.

·     Unlocked.

If no address range exists, this field displays three hyphens (---).

Config status

Status of the NAT address group:

·     Active—The NAT address group is taking effect.

·     Inactive—The NAT address group is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive.

The following are possible reasons that the system might display:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance

 

# Display the overall resource usage of all NAT address groups and the resource usage of each group member.

<Sysname> display nat address-group resource-usage verbose

(E): Exclude locked IP  (I): Include locked IP

 

NAT address group information:

  Totally 2 NAT address groups.

  Address group name/ID: group2/2

    Port range: 1024-1000

    Port block size: 100

    IP usage(E): 100%

    Port usage(E): 0%

    Port usage of group members:

      Start address         End address         Port usage(I)      Lock status

      202.110.10.10         202.110.10.15       50%                Unlocked

      202.110.10.20         202.110.10.25       50%                Unlocked

 

  Address group name/ID: group3/3

    Port range: 1024-65535

    TCP port limit: 100

    UDP port limit: 100

    ICMP port limit: 100

    Instance name/ID: nat1/1

    IP usage(E): 0%

    Port usage(E): 0%

    Port usage of group members:

      Start address         End address         Port usage(I)      Lock status

      10.1.1.1              10.1.1.10           0%                 Unlocked

Table 33 Command output

Field

Description

(E): Exclude locked IP

Exclude locked IP addresses during address usage calculation.

(I): Include locked IP

Include locked IP addresses during address usage calculation.

Totally n NAT address groups

Total number of NAT address groups.

Address group name/ID

Name and ID of the NAT address group.

VPN instance

Name of the VPN instance to which the NAT address group is bound. The command output does not display this field if you did not bind the NAT address group to a VPN instance when you executed the nat address-group command.

Port range

Port range for public IP addresses.

Port block size

Number of ports in a port block. This field is not displayed if the port block size is not set.

Extended block number

Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Extended block size

Number of ports in each extended port block. This field is not displayed if the extended port block size is not set.

Extended-block multi-global-ip enable

Whether the device can use an extended port block from a public IP address other than the public IP address of the pre-allocated port block. This field is not displayed if this feature is disabled.

TCP port limit

Maximum number of ports that can be assigned to the TCP protocol. This field is not displayed if the maximum number is not set.

UDP port limit

Maximum number of ports that can be assigned to the UDP protocol. This field is not displayed if the maximum number is not set.

ICMP port limit

Maximum number of ports that can be assigned to the ICMP protocol. This field is not displayed if the maximum number is not set.

Port limit in total

Maximum number of ports that can be assigned to the TCP, UDP, and ICMP protocols. This field is not displayed if the maximum number is not set.

Instance name/ID

Name and ID of the NAT instance.

IP usage(E)

Unlocked address usage of the NAT address group. The value is displayed as follows:

·     If the address usage is greater than 0% but less than 1%, this field displays 1%.

·     If the address usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     This field displays 0 if no failover group is bound to the NAT address group.

Port usage(E)

Port usage of unlocked IP addresses in the NAT address group. The value is displayed as follows:

·     If the port usage is greater than 0% but less than 1%, this field displays 1%.

·     If the port usage is greater than 1%, this field displays a value that is rounded down to the nearest integer.

·     This field displays 0 if no failover group is bound to the NAT address group.

Failover group name

Name of the failover group that is bound to the NAT address group. This field is not displayed if no failover group is specified.

Port usage of group members

Port usage of the address ranges in the address group. This field displays 0 if no failover group is bound to the NAT address group.

Start address

Start IP address of an address range. If you do not specify a start address, this field displays three hyphens (---).

End address

End IP address of an address range. If you do not specify an end address, this field displays three hyphens (---).

Lock status

Whether the address range is locked:

·     Locked.

·     Unlocked.

If no address range exists, this field displays three hyphens (---).

Config status

Status of the NAT address group:

·     Active—The NAT address group is taking effect.

·     Inactive—The NAT address group is not taking effect.

Reasons for inactive status

Reasons why the NAT address group configuration does not take effect. This field is available when the Config status field displays Inactive. Possible reasons:

·     The following items don't exist: address, and VPN instance

·     The following items don't exist: address

·     The following items don't exist: VPN instance


Related commands

nat address-group

display nat configuration global-address

Use display nat configuration global-address to display the public address information in NAT configuration.

Syntax

display nat configuration global-address [ vpn-instance vpn-instance-name ] [ ipv4 ipv4-address ] [ failover-group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about public addresses that are bound and not bound to VPN instances.

ipv4 ipv4-address: Specifies a public IPv4 address. If you do not specify a public IPv4 address, this command displays information about all public addresses in NAT configuration.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For more information about failover groups, see High Availability Command Reference.

Usage guidelines

Use this command to view the public address information in NAT configuration for only interface-based NAT that uses a CGN card to process NAT services.

Examples

# Display the public address information in NAT configuration.

<Sysname> display nat configuration global-address

Total number of configured global addresses: 4

  VPN instance       : --

  Start IP           : 2.2.2.2

  End IP             : 2.2.2.2

  Configuration type : Static

  Failover group name: cgn

  Association count  : 1

 

  VPN instance       : --

  Start IP           : 2.2.2.10

  End IP             : 2.2.2.200

  Configuration type : Static

  Failover group name: cgn

  Association count  : 1

 

  VPN instance       : --

  Start IP           : 11.1.1.1

  End IP             : 11.1.1.10

  Configuration type : Dynamic

  Failover group name: cgn

  Association count  : 1

 

  VPN instance       : --

  Start IP           : 202.10.1.1

  End IP             : 202.10.1.10

  Configuration type : Port-block-group

  Failover group name: cgn

  Association count  : 1

Table 34 Command output

Field

Description

Total number of configured global addresses

Total number of public address ranges in NAT configuration.

VPN instance

VPN instance to which the public address range belongs. This field displays two hyphens (--) if no VPN instance is specified.

Start IP

Start IP address of the public address range.

End IP

End IP address of the public address range.

Configuration type

Configuration type for the public address range.

·     Static—Static NAT configured by using the nat static outbound or nat static outbound net-to-net command.

·     Dynamic—Dynamic NAT configured by using the nat address-group or nat outbound command.

·     Port-block-group—Static port block mapping configured by using the nat port-block-group command.

·     Server—NAT server configured by using the nat server command.

·     Dynamic Easy IP—Dynamic NAT with Easy IP.

·     Server Easy IP—NAT server with Easy IP.

Failover group name

Name of the failover group to which the public address range belongs.

Association count

Number of times that the public address range is associated.


display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

# Display configuration about internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

Table 35 Command output

Field

Description

NAT server group information

Information about NAT server groups.

Totally n NAT server groups

Total number of NAT server groups.

Group Number

ID of the internal server group.

Inside IP

Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---).

Port

Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---).

Weight

Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---).


Related commands

nat server-group

failover-group

Use failover-group to specify a failover group for a NAT address group or a NAT port block group.

Use undo failover-group to restore the default.

Syntax

failover-group group-name

undo failover-group

Default

No failover group is specified for a NAT address group or NAT port block group.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. You can specify a nonexistent failover group for this command. The configuration takes effect only after you use the failover group command to create the failover group.

Usage guidelines

Application scenarios

If you use a failover group for dynamic NAT or port block-based address translation, make sure the failover group has a CGN card as the primary node.

Restrictions and guidelines

For a NAT port block group, or a configuration that uses a NAT address group, to translate matching traffic as expected, specify a failover group of the default type for that NAT port block group or NAT address group.

After you specify a failover group for a NAT address group or a NAT port block group, do not configure the nat service command to specify a traffic processing slot.

The failover group command in NAT address group view or NAT port block group view cannot coexist with the nat instance command in system view.

Examples

# Specify failover group nat-failover for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] failover-group nat-failover

# Specify failover group nat-failover for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] failover-group nat-failover

Related commands

failover group (High Availability Command Reference)

nat instance

nat service

user-group (AAA commands in BRAS Services Command Reference)

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

No members exist in an internal server group.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server. You can add a maximum of 16 members to an internal server group.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is enabled, and cannot be disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Restrictions and guidelines

The nat hairpin enable command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

After you enable hardware NAT by using the nat hardware-mode enable command, the device automatically enables NAT hairpin on all interfaces. You cannot enable or disable NAT hairpin on interfaces by using the nat hairpin enable or undo nat hairpin enable command, respectively. If NAT hairpin was enabled on interfaces before hardware NAT, the device automatically deletes the nat hairpin enable configuration once hardware NAT is enabled.

Examples

# Enable NAT hairpin on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat hairpin enable

Related commands

display nat all

nat hardware-mode enable

nat instance

nat hardware ignore-flowredirect-method enable

Use nat hardware ignore-flowredirect-method enable to enable NAT to ignore the traffic redirection method so that traffic can be forwarded through hardware.

Use undo nat hardware ignore-flowredirect-method enable to disable NAT from ignoring the traffic redirection method. Traffic might not be forwarded through hardware.

Syntax

nat hardware ignore-flowredirect-method enable

undo nat hardware ignore-flowredirect-method enable

Default

NAT considers the traffic redirection method, and address translation traffic might not be forwarded through hardware.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

When interface-based NAT uses a CGN card to provide address translation, reverse traffic cannot be forwarded through hardware when both of the following are configured:

·     NAT Server on the interface connected to the private network.

·     Outbound dynamic NAT (for example, by using the nat outbound command) on the interface connected to the public network.

This can slow down forwarding of reverse traffic. To resolve the issue, use this command.

Operating mechanism

For the CGN card to process traffic requiring address translation in the above application scenario, apply a QoS policy on the interfaces connected to the private and public networks, respectively.

·     The QoS policy applied to the interface connected to the private network is used to redirect the traffic requiring outbound source address translation to the CGN card.

·     The QoS policy applied to the interface connected to the public network is used to redirect traffic requiring destination address translation to the CGN card.

The storage location of the session entries generated by outbound source address translation (for example, location A) is different from that of the session entries generated by destination address translation (for example, location B). Whether traffic matches the QoS policy affects the location where the NAT device looks up the session entries for a match.

·     If traffic matches the QoS policy, the NAT device looks up the session entries at location A for a match.

·     If traffic does not match the QoS policy, the NAT device looks up the session entries at location B for a match.

If a matching session entry is found at the corresponding location, the device performs address translation and forwards the traffic through hardware. If no match is found at the corresponding location, the traffic cannot be forwarded through hardware.

When reverse traffic arrives at the interface connected to the public network on the NAT device, it matches the QoS policy applied on that interface, which triggers the NAT device to look up a matching session entry at location A. Because location A does not contain the session entries generated by destination address translation, the lookup fails and the traffic cannot be forwarded through hardware.

After you execute the nat hardware ignore-flowredirect-method enable command on the device, the device stores the session entries generated by destination address translation at location A. This enables reverse traffic to be forwarded through hardware.
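As an added illustration (not code from the H3C reference), the following Python model reproduces the two-location lookup described above: the session stores, the QoS-match flag and the sample 5-tuples are constructed, and the model only encodes what the usage guidelines state.

```python
# Added example: a simplified model of the session lookup described in the
# usage guidelines. It is not device code; location names, the QoS-match flag
# and the sample 5-tuples are constructed for illustration.
from dataclasses import dataclass, field
from typing import NamedTuple, Set


class FiveTuple(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class CgnSessionStore:
    """Two session locations on the CGN card.

    loc_a: entries generated by outbound source address translation.
    loc_b: entries generated by destination address translation (NAT Server).
    ignore_flowredirect: models 'nat hardware ignore-flowredirect-method enable'.
    """
    loc_a: Set[FiveTuple] = field(default_factory=set)
    loc_b: Set[FiveTuple] = field(default_factory=set)
    ignore_flowredirect: bool = False

    def add_source_translation_session(self, key: FiveTuple) -> None:
        # Outbound source translation entries always go to location A.
        self.loc_a.add(key)

    def add_destination_translation_session(self, key: FiveTuple) -> None:
        # Destination translation entries go to location B by default; once the
        # command is enabled the device stores them at location A instead.
        (self.loc_a if self.ignore_flowredirect else self.loc_b).add(key)

    def lookup(self, key: FiveTuple, matches_qos_policy: bool) -> str:
        # Matching the redirect QoS policy selects location A, otherwise B.
        # A hit means hardware forwarding; a miss means the packet leaves the
        # hardware path.
        store = self.loc_a if matches_qos_policy else self.loc_b
        return "hardware" if key in store else "software"


# Constructed sample keys (RFC 5737 documentation addresses).
OUTBOUND_KEY = FiveTuple("tcp", "10.1.1.20", 51000, "198.51.100.7", 443)
REVERSE_KEY = FiveTuple("tcp", "203.0.113.5", 40000, "192.0.2.10", 80)


def outbound_traffic_path(ignore_flowredirect: bool = False) -> str:
    """Private-to-public traffic: its session came from source translation and it
    matches the QoS policy on the private-side interface, so location A is searched."""
    store = CgnSessionStore(ignore_flowredirect=ignore_flowredirect)
    store.add_source_translation_session(OUTBOUND_KEY)
    return store.lookup(OUTBOUND_KEY, matches_qos_policy=True)


def reverse_traffic_path(ignore_flowredirect: bool) -> str:
    """The scenario from the usage guidelines: NAT Server on the private-side
    interface and outbound dynamic NAT on the public-side interface. Reverse
    traffic arriving on the public-side interface matches that interface's QoS
    policy, so location A is searched even though its session came from
    destination translation."""
    store = CgnSessionStore(ignore_flowredirect=ignore_flowredirect)
    store.add_destination_translation_session(REVERSE_KEY)
    return store.lookup(REVERSE_KEY, matches_qos_policy=True)


if __name__ == "__main__":
    print("outbound:", outbound_traffic_path())
    print("reverse, default:", reverse_traffic_path(False))
    print("reverse, ignore-flowredirect enabled:", reverse_traffic_path(True))
```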

Restrictions and guidelines

You cannot execute the nat hardware ignore-flowredirect-method enable command under the following conditions:

·     The nat instance command is executed.

·     The Endpoint-Independent Mapping mode is applied.

Executing the nat hardware ignore-flowredirect-method enable command halves the maximum number of NAT sessions that can be created on the CGN card. If the number cannot meet the actual service requirements, do not execute the command.

To avoid traffic forwarding failure on a DS-Lite network, do not execute the nat hardware ignore-flowredirect-method enable command on the NAT device.

Examples

# Enable NAT to ignore the traffic redirection method so that traffic can be forwarded through hardware.

<Sysname> system-view

[Sysname] nat hardware ignore-flowredirect-method enable

This command will delete all NAT session entries created when the traffic redirection method was not ignored. Continue? [Y/N]:y

Related commands

nat instance

nat hardware-mode enable

Use nat hardware-mode enable to enable hardware NAT.

Use undo nat hardware-mode enable to disable hardware NAT.

Syntax

nat hardware-mode enable

undo nat hardware-mode enable

Default

Hardware NAT is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

For software NAT, the CPU processes NAT services, so software NAT places high demands on CPU performance.

For hardware NAT, the hardware chip processes NAT services. Hardware NAT moves the CPU-intensive features to the hardware chip, so that the CPU can process other important tasks in a timely manner. Hardware NAT performance is not limited by CPU performance.

The device supports hardware NAT only when it is installed with the CSPEX-2304X-G, CSPEX-2314X-G, CSPEX-2314X-G1, or CSPEX-2314X-G2 card.

Recommended configuration

Hardware NAT is provided by the hardware chip of an interface card and is intended for scenarios with high NAT processing performance requirements. In the current software version, hardware NAT supports only a limited set of commands, and only interface-based NAT supports hardware NAT.

Enable hardware NAT on the device in scenarios that meet the following conditions:

·     The device is installed with an interface card that supports hardware NAT.

·     The commands supported by hardware NAT can meet service requirements.

·     The scenarios have high requirements for NAT processing performance.

As a best practice, do not enable hardware NAT in other scenarios.

Prerequisites

When you use the hardware chip of an interface card for processing NAT services, redirect traffic to the interface card as follows:

·     To redirect traffic from the public network to the private network, use the nat service command and specify the interface card.

·     To redirect traffic from the private network to the public network, configure a QoS policy to redirect traffic to the interface card specified in the nat service command.

Restrictions and guidelines

Hardware NAT supports the following commands:

·     nat address-group

·     address

·     nat alg

·     nat hairpin enable

·     nat instance type user-agency

·     nat log enable

·     nat log flow-begin

·     nat log flow-end

·     nat outbound

·     nat server

·     nat service

·     nat static enable

·     nat static inbound

·     nat static inbound net-to-net

·     nat static outbound

·     nat static outbound net-to-net

For information about support for the parameters in a command, see the corresponding command in this document.

After you enable hardware NAT and complete NAT settings, you can use the following commands to display and verify the configuration. To clear NAT sessions, execute the reset command in user view.

·     display nat address-group

·     display nat all

·     display nat log

·     display nat outbound

·     display nat server

·     display nat session

·     display nat static

·     display nat statistics

·     reset nat session

When you enable or disable hardware NAT, follow these restrictions and guidelines:

·     After you execute the nat hardware-mode enable command, the device automatically deletes configuration not supported by hardware NAT.

·     If you execute the nat hardware-mode enable command and then execute the undo nat hardware-mode enable command, the device does not restore the deleted configuration.

·     When you enable or disable hardware NAT, the device automatically deletes all the existing session entries and relation entries.

·     After you disable hardware NAT, wait for a minimum of 1 minute before you enable it again. If you fail to do so, the configuration does not take effect.

Examples

# Enable hardware NAT.

<Sysname> system-view

[Sysname] nat hardware-mode enable

Related commands

address

display nat address-group

display nat all

display nat log

display nat outbound

display nat server

display nat session

display nat static

display nat statistics

nat address-group

nat alg

nat hairpin enable

nat instance

nat log enable

nat log flow-begin

nat log flow-end

nat outbound

nat server

nat service

nat static enable

nat static inbound

nat static inbound net-to-net

nat static outbound

nat static outbound net-to-net

reset nat session

nat hardware-mode port-alloc

Use nat hardware-mode port-alloc to set the maximum number of attempts for hardware NAT to allocate ports in PAT mode.

Use undo nat hardware-mode port-alloc to restore the default.

Syntax

nat hardware-mode port-alloc number

undo nat hardware-mode port-alloc

Default

Hardware NAT attempts to allocate ports in PAT mode up to three times.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of attempts for hardware NAT to allocate ports. The value range is 3 to 255.

Usage guidelines

Application scenarios

When a device enabled with hardware NAT allocates ports, a post-NAT five-tuple conflict or a port collision causes the allocation to fail. In this case, the NAT device automatically attempts to allocate another available port to the private user. Use this command to set the maximum number of such attempts for hardware NAT.

Recommended configuration

More port collisions indicate greater network delay and processing workload, affecting network performance. As a best practice, use the default setting. To change the maximum number of attempts for hardware NAT to allocate ports, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of attempts to 10 for hardware NAT to allocate ports in PAT mode.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode port-alloc 10

Related commands

nat hardware-mode enable

nat hardware-mode server-limit

Use nat hardware-mode server-limit to set the maximum number of sessions that all public users can establish to access internal servers for hardware NAT.

Use undo nat hardware-mode server-limit to restore the default.

Syntax

nat hardware-mode server-limit number

undo nat hardware-mode server-limit

Default

All public users can establish up to 262144 sessions to access internal servers for hardware NAT.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of sessions that all public users can establish to access internal servers for hardware NAT. The value range is 1 to 1048575.

Usage guidelines

Application scenarios

Too many sessions established by public users to access internal servers consume a large number of device session resources. As a result, other users cannot establish new sessions. Use this command to set the maximum number of sessions that all public users can establish to access internal servers.

Recommended configuration

As a best practice, use the default setting. To change the maximum number of sessions that all public users can establish to access internal servers for hardware NAT, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of sessions that all public users can establish to access internal servers for hardware NAT to 30000.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode server-limit 30000

Related commands

nat hardware-mode enable

nat hardware-mode user-limit

Use nat hardware-mode user-limit to set the maximum number of sessions that can be established per user for hardware NAT.

Use undo nat hardware-mode user-limit to restore the default.

Syntax

nat hardware-mode user-limit number

undo nat hardware-mode user-limit

Default

A user can establish up to 1024 sessions for hardware NAT.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of sessions that can be established per user for hardware NAT, in the range of 1 to 65535.

Usage guidelines

Application scenarios

Too many sessions established by a single user consume a large number of device port resources and session resources. As a result, other users cannot establish new connections to access the external network. Use this command to set the maximum number of sessions that can be established per user.

Recommended configuration

As a best practice, use the default setting. To change the maximum number of sessions that can be established per user for hardware NAT, contact H3C Support to make sure the specified maximum number can meet service expectations.

Restrictions and guidelines

This command takes effect only after you enable hardware NAT by using the nat hardware-mode enable command.

Examples

# Set the maximum number of sessions that can be established per user for hardware NAT to 5000.

<Sysname> system-view

[Sysname] nat hardware-mode enable

[Sysname] nat hardware-mode user-limit 5000

Related commands

nat hardware-mode enable

nat outbound easy-ip failover-group

Use nat outbound easy-ip failover-group to specify a failover group for Easy IP.

Use undo nat outbound easy-ip failover-group to restore the default.

Syntax

nat outbound easy-ip failover-group group-name

undo nat outbound easy-ip failover-group

Default

No failover group is specified for Easy IP.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

Application scenarios

If you configured Easy IP for outbound NAT, configure this command to direct outbound flows that need address translation to the specified failover group.

Restrictions and guidelines

For the Easy IP dynamic address translation configuration to perform address translation on matching traffic as expected, specify a failover group of the default type for Easy IP.

This command is mutually exclusive with the nat service command.

The nat outbound easy-ip failover-group command in interface view and the nat instance command in system view are mutually exclusive. They cannot both be configured.

Examples

# Specify failover group nat-failover for Easy IP on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat outbound easy-ip failover-group nat-failover

Related commands

display nat outbound

nat instance

nat outbound

nat service

nat port-block-group

Use nat port-block-group to create a NAT port block group and enter its view, or enter the view of an existing NAT port block group.

Use undo nat port-block-group to delete a NAT port block group.

Syntax

nat port-block-group group-id

undo nat port-block-group group-id

Default

No NAT port block groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT port block group is configured to implement static port block mapping.

You must configure the following items for a NAT port block group:

·     A minimum of one private IP address range (see the local-ip-address command).

·     A minimum of one public IP address range (see the global-ip-address command).

·     A port range (see the port-range command).

·     A port block size (see the block-size command).

The system computes static port block mappings according to the port block group configuration, and creates entries for the mappings.
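As an added example (not the device's own algorithm, which this reference does not publish), the following Python assigns port blocks sequentially from the four items listed above and resolves a public address and port back to the private host; every range and size in it is constructed, with the public range borrowed from the display nat configuration global-address example.

```python
# Added example: a sequential static port block mapping computed from the four
# items a NAT port block group must contain. This is an illustration, not the
# device's algorithm; all ranges and sizes below are constructed.
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

IpRange = Tuple[str, str]          # (start, end), both inclusive
Mapping = Tuple[str, int, int]     # (public IP, first port, last port)


def expand_range(start: str, end: str) -> List[str]:
    """Expand an inclusive IPv4 range into a list of addresses."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"end address {end} precedes start address {start}")
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def compute_port_block_mappings(local_ranges: Sequence[IpRange],
                                global_ranges: Sequence[IpRange],
                                port_range: Tuple[int, int],
                                block_size: int) -> Dict[str, Mapping]:
    """Map each private address to (public IP, first port, last port).

    Private addresses are taken in order (local-ip-address), blocks of
    block_size ports are carved from port_range (port-range / block-size),
    and each public address (global-ip-pool) is filled before the next one.
    """
    start_port, end_port = port_range
    if not 1 <= start_port <= end_port <= 65535:
        raise ValueError("port range must lie within 1-65535")
    if block_size < 1:
        raise ValueError("block size must be positive")
    blocks_per_ip = (end_port - start_port + 1) // block_size
    if blocks_per_ip == 0:
        raise ValueError("port range is smaller than one block")

    private_ips = [ip for r in local_ranges for ip in expand_range(*r)]
    public_ips = [ip for r in global_ranges for ip in expand_range(*r)]
    capacity = blocks_per_ip * len(public_ips)
    if len(private_ips) > capacity:
        # A static mapping must cover every private host; refuse rather than
        # silently leave hosts without a block.
        raise ValueError(f"{len(private_ips)} hosts need blocks, only {capacity} available")

    mappings: Dict[str, Mapping] = {}
    for index, private_ip in enumerate(private_ips):
        public_ip = public_ips[index // blocks_per_ip]
        first = start_port + (index % blocks_per_ip) * block_size
        mappings[private_ip] = (public_ip, first, first + block_size - 1)
    return mappings


def resolve_private_host(mappings: Dict[str, Mapping],
                         public_ip: str, public_port: int) -> Optional[str]:
    """Attribute a public (IP, port) seen in a log back to the private host.
    Returns None if the tuple falls outside every assigned block."""
    for private_ip, (pub, first, last) in mappings.items():
        if pub == public_ip and first <= public_port <= last:
            return private_ip
    return None


# Constructed configuration: 100 private hosts, the public range from the
# display example earlier on this page, ports 1024-65535 in blocks of 256.
SAMPLE = compute_port_block_mappings(
    local_ranges=[("10.1.1.1", "10.1.1.100")],
    global_ranges=[("202.10.1.1", "202.10.1.10")],
    port_range=(1024, 65535),
    block_size=256,
)

if __name__ == "__main__":
    for host in ("10.1.1.1", "10.1.1.100"):
        print(host, "->", SAMPLE[host])
    print(resolve_private_host(SAMPLE, "202.10.1.1", 26400))
```

Because the mapping is static, the reverse lookup needs no per-session log to attribute a public tuple to a host, which is the operational point of port block allocation.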

Examples

# Create NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1]

Related commands

block-size

display nat all

display nat port-block-group

global-ip-pool

local-ip-address

nat outbound port-block-group

port-range

nat server

Use nat server to create a NAT server mapping (also called a NAT server rule). The mapping maps the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

Common NAT server mapping:

·     A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ failover-group group-name ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with no single public port:

nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT server mapping:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ failover-group group-name ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

ACL-based NAT server mapping:

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ failover-group group-name ]

undo nat server global { ipv4-acl-number | name ipv4-acl-name }

Default

No NAT server mappings exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global: Specifies the external network information that the server uses to provide services to the external network.

global-address: Specifies the public address of an internal server.

global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 10000 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address, which must be greater than the start address.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port: Specifies the public port number. The public port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

inside: Specifies the internal information of the server.

local-address: Specifies the private IP address of an internal server.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

local-port1 local-port2: Specifies a private port number range, which can include a maximum of 256 ports. The local-port1 argument specifies the start port, and the local-port2 argument specifies the end port that must be greater than the start port. The private port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses of NAT server mappings belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the internal server does not belong to any VPN instance, do not specify this option.

server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535. This option is not supported by hardware NAT.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping. This keyword is not supported by hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

failover-group group-name: Specifies a failover group by its name, a case-sensitive string of 1 to 63 characters. For the configuration to take effect, specify a failover group of the default type. For more information about failover groups, see High Availability Configuration Guide. To deploy configuration successfully, do not specify this option after you enable hardware NAT.

Usage guidelines

Application scenarios

You can configure the NAT server mapping to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

Operating mechanism

NAT server mappings are usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port.

The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 36 Address-port mappings for NAT Server

·     External: one public address. Internal: one private address.

·     External: one public address and one public port number. Internal: one private address and one private port number.

·     External: one public address and N consecutive public port numbers. Internal: one private address and one private port number; N consecutive private addresses and one private port number; or one private address and N consecutive private port numbers.

·     External: N consecutive public addresses. Internal: one private address, or N consecutive private addresses.

·     External: N consecutive public addresses and one public port number. Internal: one private address and one private port number; N consecutive private addresses and one private port number; or one private address and N consecutive private port numbers.

·     External: one public address and one public port number, one public address and N consecutive public port numbers, or N consecutive public addresses and one public port number. Internal: one internal server group (load sharing NAT Server).

·     External: public addresses matching an ACL. Internal: one private address, or one private address and one private port number.

 

Recommended configuration (internal servers using Easy IP)

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicting address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

Recommended configuration (load shared internal servers)

When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and one public port number are mapped to one internal server group.

Recommended configuration (VPN networks)

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Recommended configuration (NAT Server for CGN)

When you configure a NAT server mapping for CGN, specify the failover group that has a CGN card as the primary node in the mapping. This directs external-to-internal traffic to the failover group, which avoids address translation failure for the traffic.

To make sure NAT operates correctly, perform the following tasks for different internal servers that use the same public addresses and are specified with failover groups:

·     Bind the same failover group to the internal servers on the same interface.

·     Bind the same failover group to the internal servers on different interfaces.

Restrictions and guidelines

The number of the nat server commands that can be configured on an interface varies by device model. The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.

When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. To avoid incorrect operation of NAT and packet loss, do not specify the same IP address for the global-address argument and the local-address argument.

The nat server command in interface view and the nat instance command in system view are mutually exclusive. They cannot be both configured.

After you configure load sharing NAT server mappings, you cannot execute the nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } * command in system view. After you execute the nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } * command in system view, you cannot configure load sharing NAT server mappings.

For ACL-based NAT server mappings, the device matches packets against ACLs based on either the ACL names or ACL numbers. ACL names take precedence over ACL numbers.

·     ACL names—The device matches packets based on the alphabetical order of the ACL names.

·     ACL numbers—A higher ACL number indicates higher priority.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through https://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 https

[Sysname-Ten-GigabitEthernet3/1/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the VPN instance vrf10 through ftp://202.110.10.10.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/1/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN instance vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-Ten-GigabitEthernet3/1/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the VPN instance vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Configure ACL-based NAT Server to allow external users to access the internal server at 10.0.0.172 through the public addresses in subnet 192.168.0.0/24 (ACL 3000 matches packets destined for that subnet).

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat server global 3000 inside 10.0.0.172
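The range forms in Table 36, the count rule for local-address1 local-address2, and the per-interface uniqueness rule under "Restrictions and guidelines" can all be checked before a change is committed. The following Python script is an added example, not code from the H3C reference or from H3C software. It expands nat server lines written in the syntax shown above into single (protocol, public address, public port) to (private address, private port) mappings, applies the range limits and one-to-one rules the reference states, and reports public protocol/address/port triples that more than one line defines. It handles the general range forms of Table 36, not only the cases in the examples. SERVICE_PORTS is a constructed table, EXAMPLE_LINES repeats the reference's own examples as constructed input, and the function names are the example's own.

```python
"""Added example, not from the H3C reference or H3C software: expand `nat server`
lines into single (protocol, public address, public port) -> (private address,
private port) mappings, apply the range and count rules the reference states, and
report public protocol/address/port triples that more than one line defines."""
import ipaddress
import itertools
import re
from collections import Counter
from typing import List, Optional, Tuple

SERVICE_PORTS = {"ftp": 21, "telnet": 23, "http": 80, "https": 443}   # constructed table
MAX_PORT_RANGE = 256      # ports allowed in global-port1 global-port2
MAX_ADDR_RANGE = 10000    # addresses allowed in global-address1 global-address2
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
TRAILING = {"vpn-instance", "acl", "reversible", "failover-group", "server-group"}
Endpoint = Tuple[str, Optional[int]]        # (address, port); None means any port
Mapping = Tuple[str, Endpoint, Endpoint]    # (protocol, public, private)

def parse_port(token: str) -> int:
    """A port number, or one of the service names in SERVICE_PORTS."""
    if token.isdigit():
        if not 1 <= int(token) <= 65535:
            raise ValueError(f"port out of range: {token}")
        return int(token)
    if token not in SERVICE_PORTS:
        raise ValueError(f"unknown service name: {token}")
    return SERVICE_PORTS[token]

def expand_range(items: List[int], limit: int, what: str) -> List[int]:
    """[] or [start] is returned as is; [start, end] is expanded and checked."""
    if len(items) < 2:
        return items
    start, end = items
    if end <= start:
        raise ValueError(f"{what} range end must be greater than its start")
    if end - start + 1 > limit:
        raise ValueError(f"{what} range exceeds {limit} entries")
    return list(range(start, end + 1))

def split_side(tokens: List[str]) -> Tuple[List[str], List[int]]:
    """Split 'addr [addr2] [port [port2]]' into expanded address and port lists."""
    addrs = expand_range([int(ipaddress.IPv4Address(t)) for t in tokens if IP_RE.match(t)],
                         MAX_ADDR_RANGE, "address")
    ports = expand_range([parse_port(t) for t in tokens if not IP_RE.match(t)],
                         MAX_PORT_RANGE, "port")
    return [str(ipaddress.IPv4Address(a)) for a in addrs], ports

def expand(line: str) -> List[Mapping]:
    """Expand one `nat server protocol ... global ... inside ...` line."""
    toks = line.split()
    if toks[:3] != ["nat", "server", "protocol"] or "global" not in toks or "inside" not in toks:
        raise ValueError(f"unsupported line: {line}")
    proto, g, i = toks[3].lower(), toks.index("global"), toks.index("inside")
    gaddrs, gports = split_side(toks[g + 1:i])
    # Keywords such as vpn-instance end the inside part of the line.
    laddrs, lports = split_side(list(itertools.takewhile(lambda t: t not in TRAILING, toks[i + 1:])))
    if proto not in ("tcp", "udp", "6", "17") and (
            gports or lports or len(gaddrs) > 1 or len(laddrs) > 1):
        raise ValueError(f"protocol {proto} allows only one-to-one IP address mappings")
    public = [(a, p) for a in gaddrs for p in (gports or [None])]
    private = [(a, p) for a in laddrs for p in (lports or [None])]
    if len(private) == 1:
        private = private * len(public)   # N public ports or addresses -> one server
    elif len(private) != len(public):
        raise ValueError("private address count must equal public port count")
    out: List[Mapping] = []
    for (ga, gp), (la, lp) in zip(public, private):
        if ga == la:
            raise ValueError(f"global and local address must differ: {ga}")
        # The reference's FTP example (global 21, no local-port) shows an omitted local-port follows the global-port.
        out.append((proto, (ga, gp), (la, gp if lp is None else lp)))
    return out

def is_valid(line: str) -> bool:
    try:
        expand(line)
        return True
    except ValueError:
        return False

def conflicts(lines: List[str]) -> List[Tuple[str, str, Optional[int]]]:
    """Public (protocol, address, port) triples that more than one line defines."""
    count = Counter((p, ga, gp) for line in lines for p, (ga, gp), _ in expand(line))
    return sorted((k for k, n in count.items() if n > 1),
                  key=lambda k: (k[0], k[1], -1 if k[2] is None else k[2]))

def resolve(lines: List[str], proto: str, addr: str, port: int) -> Optional[Endpoint]:
    """Internal endpoint an external client reaches at proto/addr/port, if any."""
    hits = [prv for line in lines for p, (ga, gp), prv in expand(line)
            if p == proto and ga == addr and gp in (port, None)]
    return hits[0] if hits else None

# The reference's own examples for Ten-GigabitEthernet3/1/1, as constructed input.
EXAMPLE_LINES = [
    "nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 https",
    "nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10",
    "nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10",
    "nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10",
]
```

resolve answers the question a reviewer asks of a port-range mapping (which host does 202.110.10.10:1002 land on?), and conflicts is the check to run over every nat server line on one interface before committing, since the device rejects a second definition of the same protocol, public address and public port.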

Related commands

display nat all

display nat server

nat instance

nat mapping-behavior endpoint-independent { tcp | udp } *

nat server-group

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat service

Use nat service to specify a traffic processing slot for a NAT interface.

Use undo nat service to restore the default.

Syntax

In standalone mode:

nat service slot slot-number

undo nat service slot

In IRF mode:

nat service chassis chassis-number slot slot-number

undo nat service chassis

Default

No traffic processing slot is specified for a NAT interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. (In IRF mode.)

Usage guidelines

Application scenarios

You must specify a NAT-capable service card for a NAT interface. Otherwise, the NAT configuration on the interface does not take effect.

Recommended configuration

The NAT traffic on a NAT interface must all be processed on the same slot. The traffic processing slot can be any of the NAT-capable slots on the device. If the slot where the NAT interface resides is NAT-capable, specify this slot as the traffic processing slot as a best practice.

If multiple NAT interfaces use the same NAT address group or public IP address, you must specify the same traffic processing slot for the interfaces. If you specify different traffic processing slots for the interfaces, the NAT configuration might not take effect and the configuration might be removed during configuration restoration. Configuration restoration can be caused by device reboot or software update.

Restrictions and guidelines

To change the traffic processing slot for a NAT interface, execute the undo nat service command to remove the existing setting, and then execute the nat service command.

If you configure this command on an interface that performs outbound dynamic NAT, Easy IP, or port block-based NAT, do not specify a failover group for a NAT address group or NAT port block group in the NAT configuration.

The nat service command in interface view and the nat instance command in system view are mutually exclusive. They cannot be both configured.

Examples

# (In standalone mode.) Specify slot 5 to process NAT traffic.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] nat service slot 5

Related commands

failover-group

nat instance

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ packet-type-ignore ]

undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP address. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

packet-type-ignore: Ignores the protocol packet type when the device creates session entries for TCP, ICMP, or SCTP. If you do not specify this keyword, the NAT device checks the protocol packet type and creates session entries for only protocol packets that pass the check. For example, the NAT device creates session entries for TCP packets only when the packet type is SYN or ACK.

Usage guidelines

Application scenarios

For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT.

·     When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

·     When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip.

Recommended configuration

In an asymmetric routing scenario, if a session contains different types of protocol packets that are forwarded by different NAT devices, protocol packets of some types might be discarded. As a result, session status cannot be updated through protocol packet exchanges, causing abnormal service traffic forwarding. To avoid such an issue, specify the packet-type-ignore keyword when you use this command.

Restrictions and guidelines

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP address.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP address are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]

undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-start-address global-end-address: Specifies a public address range that can contain a maximum of 256 addresses. The global-end-address argument must not be lower than the global-start-address argument. If they are the same, only one public address is specified.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the internal hosts that can access the external network. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

ipv4-acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Enables reverse address translation for connections actively initiated from the internal network to the private IP addresses. To deploy configuration successfully, do not specify this keyword after you enable hardware NAT.

Usage guidelines

Application scenarios

For address translation from a public network to a private network, configure inbound net-to-net static NAT.

Operating mechanism

·     When the destination IP address of a packet from the private network matches the private address range, the destination IP address is translated into a public address in the public address range.

·     When the source IP address of a packet from the public network matches the public address range, the source IP address is translated into a private address in the private address range.

Restrictions and guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address is not translated for connections actively initiated from the internal network to the private IP addresses.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated from the internal network to the private IP addresses are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24
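To make the address arithmetic and the ACL rules concrete, the following Python model is an added example, not code from the H3C reference or from H3C software. It covers the public-end-address restriction and both translation directions described for nat static inbound net-to-net, together with the acl and reversible behaviour (including ACL reverse matching) that the reference describes identically for nat static inbound and for nat static inbound net-to-net. Two assumptions are the example's own: the host bits of an address are preserved when it is translated between the public range and the private network, which is what the end-address restriction implies; and the ACL is a constructed list of (source network, destination network) permit rules written for the incoming direction, not H3C ACL syntax, with ports left out.

```python
"""Added example, not from the H3C reference or H3C software: a model of
`nat static inbound net-to-net` and the `acl ... [reversible]` rules it shares
with `nat static inbound`.  Assumptions: host bits are kept when translating
between the public range and the private network; the ACL is a constructed
(source network, destination network) permit list for the incoming direction."""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
MAX_GLOBAL_RANGE = 256   # addresses allowed in global-start-address global-end-address


class InboundNetToNet:
    def __init__(self, global_start: str, global_end: str, local_network: str,
                 acl: Optional[List[Tuple[str, str]]] = None, reversible: bool = False):
        self.gstart, self.gend = IPv4(global_start), IPv4(global_end)
        self.local = Net(local_network)            # local-network with mask-length or mask
        if not 8 <= self.local.prefixlen <= 31:
            raise ValueError("mask length must be 8 to 31")
        if self.gend < self.gstart:
            raise ValueError("global end address must not be lower than the start address")
        if int(self.gend) - int(self.gstart) + 1 > MAX_GLOBAL_RANGE:
            raise ValueError(f"public range exceeds {MAX_GLOBAL_RANGE} addresses")
        # Subnet determined by the public start address and the private network mask.
        self.gnet = Net((int(self.gstart), self.local.prefixlen), strict=False)
        if self.gend > self.gnet.broadcast_address:
            raise ValueError(f"public end address cannot exceed {self.gnet.broadcast_address}")
        self.acl = [(Net(s), Net(d)) for s, d in (acl or [])]
        self.reversible = reversible

    def _host(self, addr: IPv4) -> int:
        return int(addr) & int(self.local.hostmask)

    def to_private(self, public: str) -> Optional[str]:
        """Public -> private, applied to the source of packets from the public network."""
        p = IPv4(public)
        if not self.gstart <= p <= self.gend:
            return None
        return str(IPv4(int(self.local.network_address) | self._host(p)))

    def to_public(self, private: str) -> Optional[str]:
        """Private -> public, applied to the destination of packets from the private network."""
        p = IPv4(private)
        if p not in self.local:
            return None
        g = IPv4(int(self.gnet.network_address) | self._host(p))
        return str(g) if self.gstart <= g <= self.gend else None

    def translate_inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet entering from the public network: translate its source address."""
        new_src = self.to_private(src)
        if new_src is None:
            return None
        if self.acl and not any(IPv4(src) in s and IPv4(dst) in d for s, d in self.acl):
            return None                            # not permitted by the ACL
        return new_src, dst

    def translate_outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Connection initiated from the private network to the private IP: translate destination."""
        new_dst = self.to_public(dst)
        if new_dst is None:
            return None
        if self.acl:
            if not self.reversible:
                return None                        # ACL without reversible: no reverse translation
            # ACL reverse matching: packet source against ACL destinations, then the
            # translated destination against ACL sources.
            if not any(IPv4(src) in d and IPv4(new_dst) in s for s, d in self.acl):
                return None
        return src, new_dst


def check_config(global_start: str, global_end: str, local_network: str) -> Optional[str]:
    """Reason the mapping would be rejected, or None when it is accepted."""
    try:
        InboundNetToNet(global_start, global_end, local_network)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # The reference's example: public 202.100.1.1-202.100.1.255 <-> private 192.168.1.0/24.
    nat = InboundNetToNet("202.100.1.1", "202.100.1.255", "192.168.1.0/24")
    print(nat.to_private("202.100.1.57"), nat.to_public("192.168.1.57"))
    # The reference's restriction example: start 1.1.1.100 with a /24 private mask caps the end at 1.1.1.255.
    print(check_config("1.1.1.100", "1.1.2.0", "2.2.2.0/24"))
```

check_config reproduces the reference's own rejection case (private 2.2.2.0/24, public start 1.1.1.100, end above 1.1.1.255), and the two translate_outbound branches show why reversible matters: with an ACL and no reversible keyword, a connection an internal host opens towards the private IP is never translated.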

Related commands

display nat all

display nat static

nat static enable

CGN availability commands

bind vsrp-instance

Use bind vsrp-instance to bind a NAT instance to a VSRP instance.

Use undo bind vsrp-instance to restore the default.

Syntax

bind vsrp-instance vsrp-instance-name

undo bind vsrp-instance [ vsrp-instance-name ]

Default

A NAT instance is not bound to any VSRP instance.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

vsrp-instance-name: Specifies a VSRP instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

This feature provides a NAT data backup channel for the following CGN backup networks:

·     Inter-device CGN hot backup.

·     Inter-device warm backup in load balancing mode.

·     Inter-device CGN warm backup in non-load-balancing mode.

Operating mechanism

VSRP establishes a TCP data backup channel for NAT services after a NAT instance is associated with a VSRP instance. The master device backs up the following data to the backup device through the channel:

·     Session entries created for online users in a NAT+BRAS scenario.

·     Subnets assigned to the NAT module by the DHCP server in a vBRAS CP and UP separation (CUPS) architecture.

·     VRF information in NAT session entries created when users from a VRF access external networks.

Restrictions and guidelines

When you bind a NAT instance to a VSRP instance, follow these restrictions and guidelines:

·     You can bind multiple NAT instances to one VSRP instance. Whether one NAT instance can be bound to more than one VSRP instance depends on the architecture:

¡     In a non-CUPS architecture, a NAT instance can be bound to only one VSRP instance.

¡     In a vBRAS CUPS architecture, one NAT instance can be bound to multiple VSRP instances if you configure non-load-balancing mode for CGN warm backup.

·     To change the bound VSRP instance for the NAT instance, execute the undo bind vsrp-instance command to remove the existing setting, and then execute the bind vsrp-instance command.

·     You cannot use a service instance group for both inter-system and intra-system service backup.

¡     If the backup channel is configured on a VSRP instance, a service instance group associated with the NAT instance can only be used for inter-system service backup.

¡     If a service instance group associated with the NAT instance is bound to intra-system service backup groups, the backup channel cannot be configured on a VSRP instance.

·     You can bind the NAT instance to a VSRP instance that does not exist. This command takes effect only when the VSRP instance is configured.

Before unbinding a NAT instance from a VSRP instance by executing the undo bind vsrp-instance command, you must clear user session entries on the master device by using the cut access-user command.

Examples

# Bind NAT instance inst to VSRP instance vsrp1.

<Sysname> system-view

[Sysname] nat instance inst id 1

[Sysname-nat-instance-inst] bind vsrp-instance vsrp1

Related commands

display nat instance

service-instance-group

vsrp instance (VSRP in High Availability Command Reference)

cu warm-load-balance-mode enable

Use cu warm-load-balance-mode enable to configure the load balancing mode for CGN warm backup in a vBRAS CUPS scenario.

Use undo cu warm-load-balance-mode enable to restore the default.

Syntax

cu warm-load-balance-mode enable

undo cu warm-load-balance-mode enable

Default

CGN backup is disabled in a vBRAS CUPS scenario.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

In a vBRAS CUPS scenario enabled with warm backup mode, traffic switches to backup UPs for address translation. The CGN warm backup works as follows:

·     Non-load-balancing scenario—Contains N master UPs and one backup UP. The master UPs load share NAT services and the backup UP provides backup services only for the master UP that fails first. After you configure the non-load-balancing mode for CGN warm backup on all UPs, a master UP backs up user table information to the backup UP, including address mappings. When the backup UP switches to a master UP, the public addresses might change.

·     Load balancing scenario—Contains N + 1 master UPs. Each master UP forms a backup relationship with each of the other N master UPs. The N + 1 master UPs load share NAT services. In a backup relationship, if the master UP fails, the backup UP takes over to process NAT services. After you configure the load balancing mode for CGN warm backup on all UPs, the master UP backs up address member information for NAT address groups to the backup UP. When the backup UP switches to a master UP, the public addresses do not change.

Restrictions and guidelines

In a vBRAS CUPS scenario configured with warm backup mode, make sure the specified UP backup mode and CGN backup mode allow users to come online.

Table 37 Combinations of UP backup modes and CGN backup modes

UP backup mode         CGN backup mode                           Users can come online
Cold standby           No backup relationship between UPs        Yes
Cold standby           Warm backup in load balancing mode        No
Cold standby           Warm backup in non-load-balancing mode    No
Cold standby           Inter-device hot backup                   No
Warm load balancing    No backup relationship between UPs        Yes
Warm load balancing    Warm backup in load balancing mode        Yes
Warm load balancing    Warm backup in non-load-balancing mode    No
Warm load balancing    Inter-device hot backup                   No
Warm standby           No backup relationship between UPs        Yes
Warm standby           Warm backup in load balancing mode        No
Warm standby           Warm backup in non-load-balancing mode    Yes
Warm standby           Inter-device hot backup                   Yes
Hot standby            No backup relationship between UPs        Yes
Hot standby            Warm backup in load balancing mode        No
Hot standby            Warm backup in non-load-balancing mode    No
Hot standby            Inter-device hot backup                   Yes

 

Prerequisites

You can configure the load balancing mode for CGN warm backup in a NAT instance only when the NAT instance name is 1 to 16 characters long.

In a NAT instance, the dynamic global address pool to which the NAT address group binds must meet the following requirements:

·     The dynamic global address pool must already exist.

·     The global address pool is not bound to any address group in another NAT instance.

·     You do not specify an ID of the global address pool.

·     The pool name must be 1 to 16 characters long.

Restrictions and guidelines

Use the following commands to configure NAT rules:

·     nat outbound

·     nat outbound ds-lite-b4

In the NAT instance configured with load balancing mode, follow these guidelines:

·     If a service instance group is associated with the NAT instance, you can associate the service instance group with multiple failover groups. The failover groups must be used for intra-system backup.

·     Do not specify the no-pat keyword when you configure an outbound dynamic NAT rule by using the nat outbound command.

·     An address translation rule can only use an existing address group. The address group must be configured with port block parameters by using the port-block command and must not contain addresses added by using the address command.

·     You can only bind an existing NAT address group to a global address pool when executing the nat address-group bind-ip-pool command. The address group must be configured with port block parameters by using the port-block command and must not contain addresses added by using the address command.

·     Do not execute the following commands when the load balancing mode is configured:

¡     nat centralized-backup enable

¡     nat outbound port-block-group

¡     nat port-block flow-trigger enable

¡     nat server

¡     nat static enable

When you change the backup mode from load balancing mode to another mode, follow these guidelines:

·     To change CGN warm backup mode to non-load-balancing mode, first disable the load balancing mode by executing the undo cu warm-load-balance-mode enable command, and then execute the cu warm-standby-mode enable command.

·     Do not change the backup mode if PPPoE or IPoE users are online.

·     Do not change the backup mode if the NAT instance is associated with multiple VSRP instances.

Examples

# Configure load balancing mode for CGN warm backup.

<Sysname> system-view

[Sysname] nat instance 1 id 1

[Sysname-nat-instance-1] cu warm-load-balance-mode enable

Related commands

nat centralized-backup enable

nat outbound port-block-group

nat port-block flow-trigger enable

nat server

nat static enable

cu warm-standby-mode enable

Use cu warm-standby-mode enable to configure the non-load-balancing mode for CGN warm backup in a vBRAS CUPS scenario.

Use undo cu warm-standby-mode enable to restore the default.

Syntax

cu warm-standby-mode enable

undo cu warm-standby-mode enable

Default

CGN backup is disabled in a vBRAS CUPS scenario.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

In a vBRAS CUPS scenario enabled with warm backup mode, traffic switches to backup UPs for address translation. The CGN warm backup works as follows:

·     Non-load-balancing scenario—Contains N master UPs and one backup UP. The master UPs load share NAT services and the backup UP provides backup services only for the master UP that fails first. After you configure the non-load-balancing mode for CGN warm backup on all UPs, a master UP backs up user table information to the backup UP, including address mappings. When the backup UP switches to a master UP, the public addresses might change.

·     Load balancing scenario—Contains N + 1 master UPs. Each master UP forms a backup relationship with each of the other N master UPs. The N + 1 master UPs load share NAT services. In a backup relationship, if the master UP fails, the backup UP takes over to process NAT services. After you configure the load balancing mode for CGN warm backup on all UPs, the master UP backs up address member information for NAT address groups to the backup UP. When the backup UP switches to a master UP, the public addresses do not change.

Restrictions and guidelines

In a vBRAS CUPS scenario enabled with warm backup mode, make sure the specified UP backup mode and CGN backup mode allow users to come online.

Table 38 Combinations of UP backup modes and CGN backup modes

UP backup mode        CGN backup mode                           Whether users can come online
Cold standby          No backup relationship between UPs
Cold standby          Warm backup in load balancing mode        ×
Cold standby          Warm backup in non-load-balancing mode    ×
Cold standby          Inter-device hot backup                   ×
Warm load balancing   No backup relationship between UPs
Warm load balancing   Warm backup in load balancing mode
Warm load balancing   Warm backup in non-load-balancing mode    ×
Warm load balancing   Inter-device hot backup                   ×
Warm standby          No backup relationship between UPs
Warm standby          Warm backup in load balancing mode        ×
Warm standby          Warm backup in non-load-balancing mode
Warm standby          Inter-device hot backup
Hot standby           No backup relationship between UPs
Hot standby           Warm backup in load balancing mode        ×
Hot standby           Warm backup in non-load-balancing mode    ×
Hot standby           Inter-device hot backup

Prerequisites

In a NAT instance, the dynamic global address pool to which the NAT address group binds must meet the following requirements:

·     The dynamic global address pool must already exist.

·     The global address pool is not bound to any address group in another NAT instance.

·     You do not specify an ID of the global address pool.

Restrictions and guidelines

Use the following commands to configure NAT rules:

·     nat outbound

·     nat outbound ds-lite-b4

In a NAT instance configured with non-load-balancing mode, follow these guidelines:

·     If a service instance group is associated with the NAT instance, you can associate the service instance group with only one failover group. The failover group must be used for intra-system backup.

·     Do not specify the no-pat keyword when you configure an outbound dynamic NAT rule by using the nat outbound command.

·     An address translation rule can only use an existing address group. The address group must be configured with port block parameters by using the port-block command and does not contain addresses added by using the address command.

·     You can only bind an existing NAT address group to a global address pool when executing the nat address-group bind-ip-pool command. The address group must be configured with port block parameters by using the port-block command and does not contain addresses added by using the address command.

·     You cannot execute the following commands:

¡     nat centralized-backup enable

¡     nat outbound port-block-group

¡     nat port-block flow-trigger enable

¡     nat server

¡     nat static enable

When you change the backup mode from non-load-balancing mode to another mode, follow these guidelines:

·     Do not change the backup mode if the NAT instance is associated with multiple VSRP instances.

·     To change CGN warm backup mode to load balancing mode, first disable the non-load-balancing mode by executing the undo cu warm-standby-mode enable command, and then execute the cu warm-load-balance-mode enable command.

·     Do not change the backup mode if PPPoE or IPoE users are online.
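As an added example, not part of the command reference, the following Python lint checks a NAT instance stanza against the restrictions listed for both the load balancing mode (cu warm-load-balance-mode enable) and the non-load-balancing mode (cu warm-standby-mode enable): the instance name length for load balancing mode, the no-pat keyword on nat outbound, and the commands that may not coexist with either mode. The stanzas are constructed samples.

```python
"""Lint a NAT instance stanza against the CGN warm backup restrictions above."""
import re
from dataclasses import dataclass, field
from typing import List

# Commands that may not be configured in a NAT instance using either warm backup mode.
FORBIDDEN_WITH_WARM_BACKUP = (
    "nat centralized-backup enable",
    "nat outbound port-block-group",
    "nat port-block flow-trigger enable",
    "nat server",
    "nat static enable",
)
LB_CMD = "cu warm-load-balance-mode enable"
NON_LB_CMD = "cu warm-standby-mode enable"
MAX_LB_INSTANCE_NAME = 16  # load balancing mode requires a 1 to 16 character instance name


@dataclass
class LintResult:
    instance: str
    mode: str                         # load-balancing, non-load-balancing, both or none
    findings: List[str] = field(default_factory=list)


def lint_nat_instance(stanza: str) -> LintResult:
    """Return the warm backup mode in use and every restriction the stanza violates."""
    lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
    head = re.match(r"nat instance (\S+) id \d+$", lines[0]) if lines else None
    if head is None:
        raise ValueError("stanza must start with 'nat instance <name> id <id>'")
    name, body = head.group(1), lines[1:]
    has_lb, has_nlb = LB_CMD in body, NON_LB_CMD in body
    mode = {(True, False): "load-balancing", (False, True): "non-load-balancing",
            (True, True): "both", (False, False): "none"}[(has_lb, has_nlb)]
    result = LintResult(name, mode)
    if mode == "none":
        return result  # the restrictions only apply once a warm backup mode is enabled
    if mode == "both":
        result.findings.append("both warm backup modes are present; undo one before enabling the other")
    if has_lb and len(name) > MAX_LB_INSTANCE_NAME:
        result.findings.append(f"instance name '{name}' is longer than {MAX_LB_INSTANCE_NAME} characters")
    for cmd in body:
        hit = next((f for f in FORBIDDEN_WITH_WARM_BACKUP
                    if cmd == f or cmd.startswith(f + " ")), None)
        if hit:
            result.findings.append(f"'{hit}' is not allowed with CGN warm backup")
        elif cmd.startswith("nat outbound ") and "no-pat" in cmd.split():
            result.findings.append("no-pat on 'nat outbound' is not allowed with CGN warm backup")
    return result


# Constructed sample stanzas (hypothetical, not taken from the command reference).
BAD_STANZA = """\
nat instance very-long-cgn-instance id 1
 cu warm-load-balance-mode enable
 nat outbound 3000 address-group 1 no-pat
 nat server protocol tcp global 203.0.113.10 80 inside 10.0.0.5 80
 nat static enable
"""
GOOD_STANZA = """\
nat instance cgn-a id 2
 cu warm-standby-mode enable
 nat outbound 3000 address-group 1
"""

if __name__ == "__main__":
    for stanza in (BAD_STANZA, GOOD_STANZA):
        res = lint_nat_instance(stanza)
        print(res.instance, res.mode, res.findings or "OK")
```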

Examples

# Configure non-load-balancing mode for CGN warm backup.

<Sysname> system-view

[Sysname] nat instance cgn-a id 1

[Sysname-nat-instance-cgn-a] cu warm-standby-mode enable

Related commands

cu warm-load-balance-mode enable

nat centralized-backup enable

nat outbound port-block-group

nat port-block flow-trigger enable

nat server

nat static enable

display nat mpls-tunnel

Use display nat mpls-tunnel to display MPLS protection tunnel information for NAT.

Syntax

display nat mpls-tunnel [ instance instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If the value for the instance-name argument includes spaces, enclose the value in quotation marks (" "). If you do not specify a NAT instance, this command displays MPLS protection tunnel information for all NAT instances.

Usage guidelines

In a scenario configured with inter-device CGN hot backup or CGN warm backup in non-load-balancing mode, you must bind a NAT instance to a VSRP instance. The MPLS or SRv6 protection tunnel created by using the VSRP instance performs the following tasks:

·     Backs up data of the NAT instance.

·     Carries traffic from the backup device to the master device for NAT service processing.

Use this command to view MPLS protection tunnel information for NAT.

Examples

# Display MPLS protection tunnel information for NAT.

<Sysname> display nat mpls-tunnel

MPLS tunnel info:

  NAT instance name/ID = instance1/100:

    Local VPN:

      VPN instance name/index: /0

      MPLS label             : 1279

 

    Local label count: 1

 

    Peer VPN:

      VPN instance name/index: /0

      NID                    : 2

      MPLS label             : 1407

      Vsrp-instance          : 1

 

    Peer label count: 1

 

  Total label statistics:

    Total local labels: 1

    Total peer labels : 1

Table 39 Command output

Field                     Description
MPLS tunnel info          MPLS protection tunnel information for NAT.
NAT instance name/ID      Name and ID of the NAT instance.
Local VPN                 Local MPLS label information.
Peer VPN                  Peer MPLS label information.
VPN instance name/index   Name or index of the VPN instance.
NID                       Index of the NHLFE entry.
MPLS label                Value of the MPLS label.
Vsrp-instance             Name of the VSRP instance to which the NAT instance binds.
Local label count         Number of local labels for the NAT instance.
Peer label count          Number of peer labels for the NAT instance.
Total label statistics    Label statistics for all NAT instances.
Total local labels        Number of local labels for all NAT instances.
Total peer labels         Number of peer labels for all NAT instances.

Related commands

bind vsrp-instance

protect lsp-tunnel for-all-instance (High Availability Command Reference)

display nat srv6-tunnel

Use display nat srv6-tunnel to display SRv6 protection tunnel information for NAT.

Syntax

display nat srv6-tunnel [ instance instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If the value for the instance-name argument includes spaces, enclose the value in quotation marks (" "). If you do not specify a NAT instance, this command displays SRv6 protection tunnel information for all NAT instances.

Usage guidelines

In a scenario configured with inter-device CGN hot backup or CGN warm backup in non-load-balancing mode, you must bind a NAT instance to a VSRP instance. The MPLS or SRv6 protection tunnel created by using the VSRP instance performs the following tasks:

·     Backs up data of the NAT instance.

·     Carries traffic from the backup device to the master device for NAT service processing.

Use this command to view SRv6 protection tunnel information for NAT.

Examples

# Display SRv6 protection tunnel information for NAT.

<Sysname> display nat srv6-tunnel

SRv6 tunnel info:

  NAT instance name/ID = instance1/1:

    Local VPN:

      VPN instance name/index: /0

      Locator name           : locator1

      End.DT4 SID            : 400::1:0:0

      End.DT6 SID            : 400::1:0:1

 

      VPN instance name/index: vpn1/1

      Locator name           : locator1

      End.DT4 SID            : 400::1:0:2

      End.DT6 SID            : 400::1:0:3

 

    Local SID count: 2

 

    Peer VPN:

      VPN instance name/index: /0

      Locator name           : locator2

      End.DT4 SID            : 100:1::100

      End.DT6 SID            : 100:1::101

 

      VPN instance name/index: vpn1/1

      Locator name           : locator2

      End.DT4 SID            : 100:1::102

      End.DT6 SID            : 100:1::103

 

    Peer SID count: 2

 

  Total SID statistics:

    Total local SIDs: 2

    Total peer SIDs : 2

Table 40 Command output

Field                     Description
SRv6 tunnel info          SRv6 protection tunnel information for NAT.
NAT instance name/ID      Name and ID of the NAT instance.
Local VPN                 Information about the local SRv6 protection tunnel.
Peer VPN                  Information about the peer SRv6 protection tunnel.
VPN instance name/index   Name or index of the VPN instance.
Locator name              Name of the locator.
End.DT4 SID               Value of the SID in End.DT4 type.
End.DT4 VNID              Value of the virtual next hop ID in End.DT4 type.
End.DT6 SID               Value of the SID in End.DT6 type.
End.DT6 VNID              Value of the virtual next hop ID in End.DT6 type.
Local SID count           Number of local SIDs for the NAT instance.
Peer SID count            Number of peer SIDs for the NAT instance.
Total SID statistics      SID statistics for all NAT instances.
Total local SIDs          Number of local SIDs for all NAT instances.
Total peer SIDs           Number of peer SIDs for all NAT instances.

Related commands

bind vsrp-instance

protect srv6-tunnel for-all-instance (High Availability Command Reference)

nat centralized-backup auto switchback disable

Use nat centralized-backup auto switchback disable to disable traffic auto switchback for centralized backup of distributed CGN.

Use undo nat centralized-backup auto switchback disable to restore the default.

Syntax

nat centralized-backup auto switchback disable

undo nat centralized-backup auto switchback disable

Default

Auto switchback is enabled for centralized backup of distributed CGN.

Views

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

In centralized backup for distributed CGN, the following methods are available to switch over the traffic to the centralized CGN device:

·     Automatic switchover—When a distributed CGN card fails, traffic is automatically switched to the centralized CGN device. To enable auto switchover, execute the nat centralized-backup enable command.

·     Manual switchover—Traffic is manually switched to the centralized CGN device after you execute the nat centralized-backup manual switch command.

Recommended configuration

Execute this command on a distributed CGN device if you want the centralized CGN device to perform address translation for the distributed CGN device all the time. In other cases, do not execute this command.

Restrictions and guidelines

This command is available only after you enable centralized backup for distributed CGN by using the nat centralized-backup enable command.

Examples

# In NAT instance cgn1, disable traffic auto switchback for centralized backup of distributed CGN.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat centralized-backup enable

[Sysname-nat-instance-cgn1] nat centralized-backup auto switchback disable

Related commands

nat centralized-backup enable

nat centralized-backup manual switch

nat centralized-backup enable

Use nat centralized-backup enable to enable centralized backup for distributed CGN.

Use undo nat centralized-backup enable to disable centralized backup for distributed CGN.

Syntax

nat centralized-backup enable

undo nat centralized-backup enable

Default

Centralized backup for distributed CGN is disabled.

Views

System view

NAT instance view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

With this feature enabled on a distributed CGN device, when the CGN card on the device fails, the QoS policy or policy-based routing for redirecting traffic to the centralized CGN device takes effect. When the faulty CGN card recovers, the QoS policy or PBR no longer takes effect and the traffic is again redirected to the distributed CGN device. Online users are not affected during the traffic switchover and switchback.

Restrictions and guidelines

The undo nat centralized-backup enable command is not available when one of the following commands is used:

·     nat centralized-backup manual switch.

·     nat centralized-backup auto switchback disable.

Creating a NAT instance and enabling this feature in system view are mutually exclusive; you cannot configure both.

In the NAT instance configured with CGN warm backup mode, you cannot enable centralized backup for distributed CGN.

Examples

# Enable centralized backup for distributed CGN.

<Sysname> system-view

[Sysname] nat centralized-backup enable

# Enable centralized backup for distributed CGN in NAT instance cgn with ID 1.

<Sysname> system-view

[Sysname] nat instance cgn id 1

[Sysname-nat-instance-cgn] nat centralized-backup enable

Related commands

cu warm-load-balance-mode enable

cu warm-standby-mode enable

nat centralized-backup manual switch

nat centralized-backup auto switchback disable

nat instance

nat centralized-backup switchback delay

Use nat centralized-backup switchback delay to set the auto switchback delay time for centralized backup of distributed CGN.

Use undo nat centralized-backup switchback delay to restore the default.

Syntax

nat centralized-backup switchback delay delay-time

undo nat centralized-backup switchback delay

Default

The auto switchback delay time for centralized backup of distributed CGN is 60 seconds.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the auto switchback delay time. The value range for this argument is 0 to 1800 seconds. For traffic to be switched back to the distributed CGN device immediately, set the value to 0.

Usage guidelines

Application scenarios

In centralized backup for distributed CGN, traffic is switched to the centralized CGN device when a distributed CGN card fails. When the distributed CGN card is restored, traffic is switched back to it. You can use this command to set the switchback delay time.

Recommended configuration

To set the switchback delay time, follow these guidelines:

·     As a best practice, use the default switchback delay time.

·     In a scenario enabled with centralized backup of distributed CGN and global NAT service load sharing, traffic might fail to be evenly allocated to the failover groups in the load sharing group at the beginning of the switchback and is reallocated afterwards. As a result, session entries and EIM entries for some users on a CGN card are deleted and re-created on another CGN card, which leads to traffic interruption. To make sure the traffic is evenly allocated, you can increase the switchback delay time.

Restrictions and guidelines

This command is available only after you enable centralized backup for distributed CGN by using the nat centralized-backup enable command.

Examples

# Set auto switchback delay time for centralized backup of distributed CGN to 80 seconds.

<Sysname> system-view

[Sysname] nat instance cgn1 id 1

[Sysname-nat-instance-cgn1] nat centralized-backup enable

[Sysname-nat-instance-cgn1] nat centralized-backup switchback delay 80

Related commands

nat centralized-backup enable

nat protect-tunnel inside-vpn

Use nat protect-tunnel inside-vpn to specify a VPN instance whose traffic can enter protection tunnels.

Use undo nat protect-tunnel inside-vpn to restore the default.

Syntax

nat protect-tunnel inside-vpn vpn-instance-name

undo nat protect-tunnel inside-vpn vpn-instance-name

Default

Traffic that belongs to VPN instances cannot enter protection tunnels.

Views

NAT instance view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the MPLS L3VPN instance whose traffic can enter protection tunnels. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

Users from VPN instances access external networks through the inter-device CGN card hot backup mechanism. When downstream traffic and upstream traffic take different paths, the system forwards the customer-side traffic to the backup device. The backup device cannot process NAT services and discards the traffic.

Operating mechanism

If you specify a VPN instance, the system forwards the VPN instance traffic from the backup device to the master device through protection tunnels for NAT service processing.

Restrictions and guidelines

For a VPN user, the specified VPN instance must be the VPN instance to which the user belongs.

Examples

# Specify VPN instance vpn1 whose traffic can enter protection tunnels.

<Sysname> system-view

[Sysname] nat instance inst id 1

[Sysname-nat-instance-inst] nat protect-tunnel inside-vpn vpn1

Related commands

display nat instance

nat vsrp-port

Use nat vsrp-port to specify the TCP port number for establishing NAT service backup data channels.

Use undo nat vsrp-port to restore the default.

Syntax

nat vsrp-port port-number

undo nat vsrp-port

Default

The default TCP port number is 60046.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a TCP port number in the range of 1 to 65535. The TCP port cannot be used by other services and cannot be a well-known port.

Usage guidelines

Application scenarios

In an inter-device backup scenario, the NAT module establishes a TCP data channel for NAT service associated with a VSRP instance on the VSRP group. The NAT service backup channel is initiated by the peer with the lower IP address to the peer with the higher IP address. You can use this command to change the TCP port number for establishing the data channel.

Restrictions and guidelines

To modify the TCP port number successfully, you must specify the same TCP port number on the master and backup devices. If the TCP port numbers are different, the TCP connection cannot be established.

Examples

# Specify TCP port 30000 for VSRP to establish data channels for NAT services.

<Sysname> system-view

[Sysname] nat vsrp-port 30000
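An added example, not from the command reference: a Python check that reads nat vsrp-port from the configurations of two VSRP peers, verifies that the port is identical on both and is neither out of range nor a well-known port, and derives the direction of the backup data channel from the peer addresses (the lower IP address initiates), which is the flow a filter between the peers must permit. The configurations and addresses are constructed samples.

```python
"""Check the TCP data channel settings for NAT service backup on a VSRP pair."""
import ipaddress
import re
from typing import Dict, List

DEFAULT_VSRP_PORT = 60046  # default nat vsrp-port value from the command reference
WELL_KNOWN_MAX = 1023      # well-known ports (0 to 1023) are not allowed for the channel


def vsrp_port_from_config(config: str) -> int:
    """Return the configured nat vsrp-port, or the default when the line is absent."""
    m = re.search(r"^[ \t]*nat vsrp-port (\d+)[ \t]*$", config, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_VSRP_PORT


def check_backup_channel(cfg_a: str, ip_a: str, cfg_b: str, ip_b: str) -> Dict[str, object]:
    """Validate the port on both peers and report the expected TCP flow."""
    port_a, port_b = vsrp_port_from_config(cfg_a), vsrp_port_from_config(cfg_b)
    problems: List[str] = []
    if port_a != port_b:
        problems.append(f"port mismatch: {ip_a} uses {port_a}, {ip_b} uses {port_b}")
    for ip, port in ((ip_a, port_a), (ip_b, port_b)):
        if not 1 <= port <= 65535:
            problems.append(f"{ip}: port {port} is outside 1 to 65535")
        elif port <= WELL_KNOWN_MAX:
            problems.append(f"{ip}: port {port} is a well-known port")
    # The channel is initiated by the peer with the lower IP address to the peer
    # with the higher IP address, so only that direction needs to be permitted.
    low, high = sorted((ip_a, ip_b), key=ipaddress.ip_address)
    return {
        "port": port_a,
        "initiator": low,
        "responder": high,
        "flow": f"tcp {low} -> {high}:{port_a}",
        "ok": not problems,
        "problems": problems,
    }


# Constructed sample configurations and addresses (hypothetical, not from the page).
UP_A_CFG = "sysname UP-A\n nat vsrp-port 30000\n"
UP_B_CFG = "sysname UP-B\n nat vsrp-port 30000\n"

if __name__ == "__main__":
    print(check_backup_channel(UP_A_CFG, "10.1.1.2", UP_B_CFG, "10.1.1.1"))
    # Peer without the command falls back to the default port and mismatches.
    print(check_backup_channel(UP_A_CFG, "10.1.1.2", "sysname UP-C\n", "10.1.1.1"))
```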
