For feedback, use the following:
ipd_online_feedback@alcatel-lucent.com
Table of Contents Previous Next Index PDF

Network Address Translation Configuration Commands
Generic Commands
description
Syntax 
description description-string
no description
Context 
config>srevice>vprn>nat>outside>pool>address-range
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool>address-range
config>router>nat>outside>pool
config>router>nat>inside>subscriber-id
config>service>ipfix>export-policy
Description 
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of the command removes the string from the configuration.
Default 
none
Parameters 
string
The description character string. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
shutdown
Syntax 
[no] shutdown
Context 
config>srevice>vprn>nat>outside>pool>address-range
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool>address-range
config>router>nat>outside>pool
config>router>nat>inside>dual-stack-lite
config>router>nat>inside>nat64
config>router>nat>inside>redundancy>subscriber-identification
config>service>vprn>nat>inside>nat64
config>router>nat>inside>subscriber-id
config>service>ipfix>export-policy
Description 
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
ISA Configuration Commands
nat-group
Syntax 
nat-group nat-group-id [create]
no nat-group nat-group-id
Context 
config>isa
Description 
This command configures an ISA NAT group.
active-mda-limit
Syntax 
active-mda-limit number
no active-mda-limit
Context 
config>isa>nat-group
Description 
This command configures the number of MDAs in this NAT ISA group that are intended for active use.
Parameters 
number
Specifies the active MDA limit.
mda
Syntax 
[no] mda mda-id
Context 
config>isa>nat-group
Description 
This command configures an ISA NAT group MDA.
Parameters 
mda-id
Specifies the MDA ID in the slot/mda format.
Values
slot: 1 — 10
mda: 1 — 2
radius-accounting-policy
Syntax 
radius-accounting-policy nat-accounting-policy
no radius-accounting-policy
Context 
config>isa>nat-group
Description 
This command specifies the RADIUS accounting policy to use for each MDA in this ISA group.
The no form of the command removes the policy ID from the configuration.
Default 
none
Parameters 
nat-accounting-policy
Reference to the nat-accounting-policy which defines:
Source IP addresses that will be assigned to BB-ISA cards.
Parameters related to RADIUS server itself .
List of RADIUS attributes that will be included in accounting messages.
session-limits
Syntax 
session-limits
Context 
config>isa>nat-group
Description 
This command configures the ISA NAT group session limits.
reserved
Syntax 
reserved num-sessions
no reserved
Context 
config>isa>nat-group>session-limits
Description 
This command configures the number of sessions per block that will be reserved for prioritized sessions.
Parameters 
num-sessions
Specifies the number of sessions reserved for prioritized sessions.
Values
0 — 4194303
watermarks
Syntax 
watermarks high percentage low percentage
no watermarks
Context 
config>isa>nat-group>session-limits
Description 
This command configures the ISA NAT group watermarks.
high percentage
Specifies the high watermark of the number of sessions for each MDA in this NAT ISA group.
Values
1— 100
low percentage
Specifies the low watermark of the number of sessions for each MDA in this NAT ISA group.
Values
0— 99
 
 
NAT Configuration Commands
nat
Syntax 
[no] nat
Context 
config>service>vprn
config>router
Description 
This command configures, creates or deletes a NAT instance.
deterministic-script
Syntax 
deterministic-script
Context 
config>service>nat
Description 
This command configures the script generated for deterministic NAT.
location
Syntax 
location remote-url
no location
Context 
config>service>nat>>deterministic-script
Description 
This command configures the remote location where the Python script will be exported. The Python script is then used offline to perform reverse query. If this command is configured, the Python script generation is triggered by any modification of the deterministic NAT configuration. The new script reflects the change in mappings caused by configuration change. However, the script must be manually exported to the outside location with the admin nat save-determinisitic-nat command. The script cannot be stored locally on the system.
The script allows two forms of queries:
Forward - input is NAT inside parameters, output is NAT outside parameters.
Backward – input is NAT outside parameters, output is NAT inside parameters.
Forward Query:
user@external-server:/home/ftp/pub/det-nat-script$ ./det-nat.py -f -s 10 -a 20.0.5.10
output:
subscriber has public ip address 85.0.0.1 from service 0 and is using ports [1324 - 1353]
 
Reverse Query:
user@external-server:/home/ftp/pub/det-nat-script$./det-nat.py -b -s 0 -a 85.0.0.1 -p 3020
 
output:
subscriber has private ip address 20.0.5.66 from service 10
Default 
none
Parameters 
remote-url
A remote location where the script is stored:
[{ftp://|tftp://}<login>:<pswd>@ <remote-locn>/][<file-path>]
Maximum length is 180 characters.
inside
Syntax 
inside
Context 
config>service>vprn>nat
config>router>nat
Description 
This command enters the “inside” contex to configure the inside NAT instance.
outside
Syntax 
outside
Context 
config>service>vprn>nat
config>router>nat
Description 
This command enters the “outside” context to configure the outside NAT instance.
mtu
Syntax 
mtu [512..9000]
no mtu
Context 
config>service>vprn>nat>outside
Description 
This command configures the Maximum Transmission Unit ( MTU) for downstream traffic flowing through this router (as outside NAT router). The system fragments IP datagrams exceeding the MTU.
The no form of the command reverts to the default.
Default 
0
Parameters 
[512..9000]
Specifies the MTU for downstream traffic.
destination-prefix
Syntax 
[no] destination-prefix ip-prefix/length
Context 
config>service>vprn>nat>inside
config>router>nat>inside
Description 
This command configures a destination prefix. An (internal) static route will be created for this prefix. All traffic that hits this route will be subject to NAT. The system will not allow a destination-prefix to be configured if the configured nat-policy refers to an IP pool that resides in the same service (as this would result in a routing loop).
Parameters 
ip-prefix
Specifies the IP prefix; host bits must be zero (0).
Values
a.b.c.d
length
Specifies the prefix length.
Values
0 — 32
deterministic
Syntax 
deterministic
Context 
config>service>vprn>nat>inside
Description 
This command enables the context to configure deterministic NAT.
classic-lsn-max-subscriber-limit
Syntax 
classic-lsn-max-subscriber-limit max
no classic-lsn-max-subscriber-limit
Context 
config>service>vprn>nat>inside>deterministic
configure>router>nat>inside>deterministic
Description 
This command affects ingress hashing of the subscribers for deterministic NAT. It will also affect hashing of the subscribers for non-deterministic NAT if the both types of NAT are configured simultaneously. The hashing will ensure that traffic load is distributed over multiple MS-ISAs in the system. For deterministic LSN44, (32 – n) bits of the source IP address will be considered for hashing, where 2^n= classic-lsn-max-subscriber-limit.
The scope of this command is the inside routing instance. This command must match the largest subscriber limit of all pools that are referenced by nat-policies configured within the corresponding inside routing instance.
This parameter must be configured before any prefix is configured and can be modified only if there are no prefixes configured under the deterministic NAT CLI hierarchy.
If non-deterministic NAT is not used simultaneously with deterministic NAT within a routing context, then hashing for non-deterministic NAT will be performed based on the subscriber.
Default 
none
Parameters 
max
The power of 2 (2^n) number that must match the largest subscriber limit number in a deterministic pool referenced from this inside routing instance. The range for this command is the same as the subscriber-limit command under the pool hierarchy.
dslite-max-subscriber-limit
Syntax 
dslite-max-subscriber-limit max
no dslite-max-subscriber-limit
Context 
config>service>vprn>nat>inside>dslite
configure>router>nat>inside>dslite
Description 
This command sets the value for the number of high order bits of the source IPv6 address that will be considered as DS-Lite subscriber. The remaining bits of the source IPv6 address will be masked off, effectively aggregation all IPv6 source addresses under the configured prefix length into a single DS-Lite subscriber. Source IPv4 addresses/ports of the traffic carried within the DS-Lite subscriber will be translated into a single outside IPv4 address and the corresponding deterministic port-block (port-blocks can be extended).
The range of values for subscriber-prefix-length in non-deterministic DS-Lite is limited from 32 to 64 (a prefix will be considered as a DS-Lite subscriber) or it can be set to a value of 128 (the source IPv6 address is considered as a DS-Lite subscriber).
In cases where deterministic DS-Lite is enabled in a giver inside routing context, the range of values of the subscriber-prefix-length depends on the value of dslite-max-subscriber-limit parameter as follows:
subscriber-prefix-length – n = [32..64,128]
where n = log2(dslite-max-subscriber-limit)
[or in an alternate form: dslite-max-subscriber-limit = 2^n.]
In other words the largest prefix length for the deterministic DS-lite subscriber will be 32+n, where n = log2(dslite-max-subscriber-limit). The subscriber prefix length can extend up to 64 bits. Beyond 64 bits for the subscriber prefix length, there only one value is allowed: 128. In the case n must be 0, which means that the mapping between B4 elements (or IPv6 address) and the IPv4 outside addresses is in 1:1 ratio (no sharing of outside IPv4 addresses).
This parameter can be changed only when there are no deterministic prefixes configured in the same routing context.
Default
128
Parameters 
max
In non-deterministic DS-Lite this value can be 32 — 64,128 , assuming that the deterministic DS-Lite is not concurrently enabled in the same inside routing context.
In case that deterministic DS-Lite is enabled, this value can be within the range [(32+n)..64,128] where n = log2(dslite-max-subscriber-limit). The value of 128 is allowed only when n=0 (each subscriber is mapped to a single outside IPv4 IP address).
 
prefix
Syntax 
prefix ip-prefix/length subscriber-type nat-sub-type nat-policy nat-policy-name [create]
prefix p-prefix/length subscriber-type nat-sub-type
no prefix ip-prefix/length subscriber-type nat-sub-type
Context 
config>service>vprn>nat>inside>deterministic
configure>router>nat>inside>deterministic
Description 
This command is applicable only to deterministic NAT (LSN44 or DS-Lite). It configures prefixes on the inside and their association with outside deterministic pools via the nat-policy. Subscribers within the prefix will be deterministically mapped to outside IP addresses and corresponding port-ranges in the associated pool.
Multiple prefixes within an inside routing instance can be defined and they can reference different nat-policies (and therefore outside pools and routing instances). Moreover, prefixes from multiple routing instances can share the same deterministic pool.
Non-deterministic NAT can be used simultaneously with deterministic NAT within the s ame inside routing instance. However, they cannot share the same pool.
Prefixes can be added/removed under the condition that the associated deterministic pool is in a ‘no shutdown’ mode.
Removing a prefix or modifying the map statement under it requires that the prefix be in a ‘shutdown’ mode.
The subscribers under the prefix are mapped deterministically into the outside IPv4 addresses and port ranges. Note that the subscribers in LSN44 are the IPv4 addresses under the configured prefix, while in DS-Lite the subscribers are IPv6 source addresses that fall under the configured prefix OR IPv6 sub-prefixes whose length is determined by the DS-Lite subscriber-prefix-length command.
Default 
no prefix
Parameters 
ip-prefix/length
A prefix on the inside encompassing subscribers that will be deterministically mapped to an outside IP address and port block in the corresponding pool.
Values
<ip-prefix/ip-pref*> <ipv4-prefix>/<ipv4-prefix-length> |
<ipv6-prefix>/<ipv6-prefix-length>
<ipv4-prefix> a.b.c.d (host bits must be 0)
<ipv4-prefix-length> [0..32]
<ipv6-prefix> x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
<ipv6-prefix-length> : [0..128]
<nat-sub-type> : classic-lsn-sub|dslite-lsn-sub
<nat-policy-name> Reference to a nat-policy that points to an outside pool and outside routing instance up to 32 characters in length.
 
 
map
Syntax 
map start inside-ip-address end inside-ip-address to outside-ip-address
no map start inside-ip-address end inside-ip-address
Context 
config>service>vprn>nat>inside>deterministic
configure>router>nat>inside>deterministic>prefix
Description 
This command is applicable to prefixes in deterministic NAT (LSN44 and DS-Lite). Its purpose is to split the number of subscribers within the configured prefix over available sequence of outside IP addresses.
There are several rules guiding the usage of the map statement:
If the number of subscribers1 per configured prefix is greater than the subscriber-limit per outside IP parameter (2^n), then the lowest n bits of the map start <inside-addr-start> must be set to 0.
If the number of subscribers per configured prefix is equal or less than the subscriber-limit per outside IP parameter (2^n), then only one map command for this prefix is allowed. In this case there is no restriction on the lower n bits of the map start <inside-ip-addres>. The range of the inside IP addresses in such map statement represents the prefix itself.
<outside-ip-address> in the map statements must be unique amongst all map statements referencing the same pool. In other words, two map statements cannot reference the same <outside-ip-address> in a pool.
To modify map statements, the corresponding prefix must be in a shutdown mode.
Map statements can be configured automatically by the system, as soon as the prefix is enabled (no shutdown state) or they can be configured manually by the operator while the prefix is disabled.
The following is an example of the map statement for the LSN44 case:
The subscriber-limit in the pool is 128
The pool has an address range 128.251.0.1 - 128.251.0.10
The prefix is 10.0.0.0/24
The map statement is configured as:
map start 10.0.0.0 end 10.0.0.255 to 128.251.0.1
Since each outside IP address can accommodate only 128 hosts, the subscribers (IPv4 addresses in LSN44) from the 10.0.0.0/24 prefix will be split and mapped into two outside IP addresses
10.0.0.0 – 10.0.0.127 (10.0.0.0/25) - 128.251.0.1
10.0.0.128 – 10.0.0.255 (10.0.0.128/25) - 128.251.0.2
The first IP address range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP address range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.
For Deterministic DS-Lite, the example would be:
Tthe subscriber-limit in the pool is 128
The pool has an address range 128.251.0.1 - 128.251.0.10
The prefix is 2001:DB8::/56
The subscriber-prefix-length = 64
The map statement is configured as:
map start 2001:BD8::/64 end 2001:BD8::FF:0:0:0:0/64 to 128.251.0.1
There are 256 DS-Lite subscribers within the 2001:DB8::/56 prefix. Each subscriber will be a /64 IPv6 prefix as dictated by the subscriber-prefix-length command.
Since each outside IP address can accommodate only 128 hosts, the subscribers from the 2001:DB8::/56 prefix will be split and mapped into two outside IP addresses
2001:DB8:: – 2001:DB8:0:7F:: (2001:DB8::/57) - 128.251.0.1
2001:DB8:0:80:: – 2001:DB8:0:FF::(2001:DB8:0:FF::/57) - 128.251.0.2
The first IP prefix range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP prefix range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.
Default 
By default, the system will automatically divide the prefix and create the map statements when the prefix command is enabled (no shutdown). However, this automatic map provisioning can be overruled by manual configuration.
Parameters 
inside-ip-start
Start IPv4/v6 address or IPv6 prefix on the inside.
inside-ip-end
End IPv4/v6 address or IPv6 prefix on the inside. The number of subscribers (range of inside IPv4 addresses in LSN44 or IPv6 addresses or prefixes in DS-Lite) in the map statement does not have to be a power of 2. Rather it has to be a multiple of a power of two  m * 2^n, where m is the number of consecutive outside IP addresses to which the subscribers are mapped and the 2^n is the subscriber-limit per outside IP.
outside-ip-start
The first outside IPv4 address in the pool to which the subscribers are mapped. In case that the number of subscribers in the map statement is larger than the subscriber-limit for the outside-ip address, the consecutive outside IP addresses will be used for additional mappings. Those additional (consecutive) outside IP addresses are not shown in the map statement (only the first address is shown in the map statement).
dual-stack-lite
Syntax 
dual-stack-lite
Context 
config>service>vprn>nat>inside
config>router>nat>inside
Description 
This command enables the context to configure Dual Stack Lite parameters.
In order for the ds-lite feature to work, the ingress traffic (the IPv6 traffic that has to go to the NAT) must come from an IOM-3. If an IOM-2 is used, the IPv6 packet with destination the NAT will be dropped and an ICMP packet will be sent back.
address
Syntax 
[no] address ipv6-address
Context 
config>router>nat>inside>dual-stack-lite
config>service>vprn>nat>inside>dual-stack-lite
Description 
This command configures the IP address of the NAT redundancy peer in the realm of this virtual router instance.
subscriber-prefix-length
Syntax 
subscriber-prefix-length prefix-length
no subscriber-prefix-length
Context 
config>router>nat>inside>dual-stack-lite
Description 
This command sets the value for the number of high order bits of the source IPv6 address that will be considered as DS-Lite subscriber. The remaining bits of the source IPv6 address will be masked off, effectively aggregation all IPv6 source addresses under the configured prefix length into a single DS-Lite subscriber. Source IPv4 addresses/ports of the traffic carried within the DS-Lite subscriber will be translated into a single outside IPv4 address and the corresponding deterministic port-block (port-blocks can be extended).
The range of values for subscriber-prefix-length in non-deterministic DS-Lite is limited from 32 to 64 (a prefix will be considered as a DS-Lite subscriber) or it can be set to a value of 128 (the source IPv6 address is considered as a DS-Lite subscriber).
In cases where deterministic DS-Lite is enabled in a giver inside routing context, the range of values of the subscriber-prefix-length depends on the value of dslite-max-subscriber-limit parameter as follows:
subscriber-prefix-length – n = [32..64,128]
where n = log2(dslite-max-subscriber-limit)
[or in an alternate form: dslite-max-subscriber-limit = 2^n.]
In other words the largest prefix length for the deterministic DS-lite subscriber will be 32+n, where n = log2(dslite-max-subscriber-limit). The subscriber prefix length can extend up to 64 bits. Beyond 64 bits for the subscriber prefix length, there only one value is allowed: 128. In the case n must be 0, which means that the mapping between B4 elements (or IPv6 address) and the IPv4 outside addresses is in 1:1 ratio (no sharing of outside IPv4 addresses).
This parameter can be changed only when there are no deterministic prefixes configured in the same routing context.
The no form of the command reverts to the default.
Default 
128
Parameters 
prefix-length
In non-deterministic DS-Lite this value can be [32..64,128], assuming that the deterministic DS-Lite is not concurrently enabled in the same inside routing context. In case that deterministic DS-Lite is enabled, this value can be within the range [(32+n)..64,128] where n = log2(dslite-max-subscriber-limit). The value of 128 is allowed only when n=0 (each subscriber is mapped to a single outside IPv4 IP address).
Values
32 — 64
ip-fragmentation
Syntax 
ip-fragmentation {disabled|fragment-ipv6|fragment-ipv6-unless-ipv4-df-set}
no ip-fragmentation
Context 
configure>router>nat>inside>dslite>address
configure>router>nat>inside>>nat64
configure>service>vprn>nat>inside>nat64
configure>service>vprn>nat>inside>dslite>address
Description 
This command configures downstream IPv6 fragmentation behavior in DS-lite and NAT64. IPv6 fragmentation is performed in the ISA. IPv4 fragmentation is not affected by this command. If desired, downstream IPv4 packet can be fragmented in the carrier IOM before the packet reaches ISA (and the NAT function). The IPv4 fragmentation in the downstream direction can be set by the configure>router/vprn>nat>outside>mtu command
DS-Lite IPv6 Fragmentation in Downstream Direction (IPv4 to IPv6)
In case that the length of the received IPv4 packet is larger than the configured tunnel-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented (IPv4 is tunneled within IPv6). The maximum size of the of the fragmented IPv6 packet will be 48bytes larger than the configured tunnel-mtu value. This is due to the size of the tunneling IPv6 header: 40bytes basic IPv6 header + 8 bytes of extended fragmentation IPv6 header.
In case that fragmentation is not allowed while the IPv4 packet size is larger than configured tunnel-mtu size, the IPv4 packet will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to configured tunnel-mtu value.
NAT64 IPv6 Fragmentation in Downstream Direction (IPv4to IPv6)
In contrast to DS-lite, NAT64 transport is not based on tunneling. Instead, IP headers are translated between IPv4 and IPv6. Consequently, NAT64 fragmentation operates based on the ipv6-mtu, as opposed to tunnel-mtu in DS-lite which represents the size of the tunnel payload (IPv4 packet).
In case that the length of the translated IPv6 packet exceeds the size of the configured ipv6-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented. The maximum size of the of the fragmented IPv6 packet will be the configured ipv6-mtu value.
In case that fragmentation is not allowed while the translated IPv6 packet size is larger than configured ipv6-mtu size, the IPv4 packet (that is supposed to be translated into IPv6) will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to the ipv6-mtu value minus 28bytes. The 28bytes comes from the size of the IPv6 overhead of the translated packet (20bytes difference between the IP header sizes  40bytes in IPv6 vs 20bytes in IPv4; 8 bytes for extended IPv6 fragmentation header).
Default 
disabled
Parameters 
disabled
IPv6 Fragmentation is disabled. In case that the packet size is larger
than what is set by the mtu value (tunnel-mtu or ipv6-mtu) , the IPv4 packet will be dropped and ICPMv4 Datagram Too Big messages will be sent back to the source.
fragment-ipv6
IPv6 fragmentation will be performed in all cases, regardless of the DF bit setting in the tunneled/translated IPv4 packet.
fragment-ipv6-unless-ipv4-df-set
IPv6 Fragmentation will be performed only in cases when DF bit in tunneled/translated IPv4 packet is cleared.
tunnel-mtu
Syntax 
tunnel-mtu mtu-bytes
no tunnel-mtu
Context 
config>router>nat>inside>dual-stack-lit>address
config>service>vprn>nat>inside>dual-stack-lite
Description 
This command sets the size of the payload in IPv6 packet in downstream DS-lite direction. The payload is, in essence, the tunneled IPv4 packet.
l2-aware
Syntax 
l2-aware
Context 
config>router>nat>inside
Description 
This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.
address
Syntax 
[no] address ip-address/mask
Context 
config>router>nat>inside
Description 
This command configures the IP address and mask of the subnet.
The no form of the command removes the IP address and prefix length from the configuration.
Default 
none
Parameters 
ip-address/mask
Specifies the IP address and maskof the subnet.
Values
ip-address: a.b.c.d
mask: 16 — 32
nat64
Syntax 
[no] nat64
Context 
config>service>vprn>inside
Description 
This command enables the context to configure NAT64.
The no form of the command disables NAT64.
drop-zero-ipv4-checksum
Syntax 
[no] drop-zero-ipv4-checksum
Context 
config>service>vprn>inside>nat64
Description 
This command specifies if UDP datagrams with zero IPv4 checksum are dropped.
If this command is disabled, the system calculates the IPv6 checksum for each such datagram.
ignore-tos
Syntax 
[no] ignore-tos
Context 
config>service>vprn>inside>nat64
Description 
This command specifies if the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.
If this command is disabled, the system copies the IPv4 TOS into the IPv6 traffic class.
Default 
disabled
insert-ipv6-fragment-header
Syntax 
[no] insert-ipv6-fragment-header
Context 
config>service>vprn>inside>nat64
Description 
This command specifies if the system always inserts an IPv6 fragment header, to indicate that the sender allows fragmentation.
The no form of the command does not allow the system to insert an IPv6 fragment header.
Default 
disabled
l2-aware
Syntax 
l2-aware
Context 
config>services>vprn>nat>inside
Description 
This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.
address
Syntax 
[no] address ip-address/mask
Context 
config>services>vprn>nat>inside>l2-aware
Description 
This command configures a Layer 2-aware NAT address. This address will act as a local address of the system. Hosts connected to the inside service will be able to ARP for this address. To verify connectivity, a host can also ping the address. This address is typically used as next hop of the default route of a Layer 2-aware host. The given mask defines a Layer 2-aware subnet. The (inside) IP address used by anLayer 2-aware host must match one of the subnets defined here or it will be rejected.
Parameters 
ip-address
Specifies the IP address in a.b.c.d format.
mask
Specifies the mask.
Values
16 — 32
nat-policy
Syntax 
nat-policy nat-policy-name
no nat-policy
Context 
config>services>vprn>nat>inside
config>router>nat>inside
Description 
This command configures the NAT policy that will be used for large-scale NAT in this service.
The no form of the command removes the policy name from the configuration.
Parameters 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat64
Syntax 
|[no] nat64
Context 
config>service>vprn>nat>inside
config>router>nat>inside
Description 
This command enables the context to configure NAT64 parameters.
The no form of the command disables NAT64.
drop-zero-ipv4-checksum
Syntax 
[no] drop-zero-ipv4-checksum
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command enables the NAT64 node to drop received UDP datagrams with zero IPv4 checksum. By default, checksum is re-calculated for non-fragmented datagrams.
The no form of the command disabales the command.
Default 
disabled
ignore-tos
Syntax 
[no] ignore-tos
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command specifies whether the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.
When disabled, the system copies the IPv4 TOS into the IPv6 traffic class.
The no form of the command recognizes the IPv4 Type Of Service (TOS).
Default 
disabled
insert-ipv6-fragment-header
Syntax 
[no] insert-ipv6-fragment-header
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command specifies whether the NAT64 node will insert IPv6 fragment header to IPv6 packets for which the DF bit is not set in the corresponding IPv4 packet, and is not already a fragment.
The no form of the command disables the insertion.
Default 
disabled
ipv6-mtu
Syntax 
ipv6-mtu [1280..9212]
no ipv6-mtu
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command sets the size of the IPv6 downstream packet in NAT64. This packet is translated from IPv4.
The no form of the command reverts to the default.
Default 
11520
Parameters 
[1280..9212]
Specifies the IPv6 MTU.
Values
1280 — 9212
prefix
Syntax 
prefix ipv6-prefix/prefix-length
no prefix
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command configures the IPv6 prefix used to derive the IPv6 address from the IPv4 address, and is same as the prefix used by DNS64 to generate AAAA record returned for IPv4 endpoint resolution. NAT64 node announces this prefix in routing to attract traffic from IPv6 hosts. If the prefix is not configured, then a well known prefix, 64:FF9B::/96, is used.
The no form of the command removes the prefix from the NAT64 configuration.
Parameters 
ipv6-prefix/prefix-length
Specifies the NAT64 destination prefix.
Values
ipv6-prefix: x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
prefix-length 32, 40, 48, 56, 64, 96
set-tos
Syntax 
set-tos [0..255]
no set-tos
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command specifies the value of the IPv4 Type Of Service (TOS) field. When enabled, the NAT64 node ignores IPv6 traffic-class and sets IPv4 TOS to supplied tos-value in the translated IPv4 packet.
The no form of the command reverts to the default.
Default 
0
Parameters 
[0..255]
Sets the IPv4 TOS to a fixed value the IPv6 Traffic Class and set the IPv4 TOS to a fixed value and ignores the IPv6 traffic class.
subscriber-prefix-length
Syntax 
subscriber-prefix-length prefix-length
no subscriber-prefix-length
Context 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description 
This command specifies the IPv6 address prefix length to be used for the NAT64 subscribers in this virtual router instance.
The no form of the command
Default 
128
Parameters 
prefix-length
Specifies the subscriber identification for Large Scale NAT.
Values
32 — 64
redundancy
Syntax 
redundancy
Context 
config>router>nat>inside
config>service>vprn>nat>inside
Description 
This command enables the context to configure redundancy parameters.
peer
Syntax 
peer ip-address
no peer
Context 
config>router>nat>inside>redundancy
config>service>vprn>nat>inside>redundancy
Description 
This command configures the IP address of the NAT redundancy peer in the realm of this virtual router instance.
While the import prefix of the outside NAT router instance associated with this virtual router instance is present, this system redirects the traffic received for the NAT function in this virtual router instance to the NAT peer.
Default 
none
ip-address
Speciies the IP address of the NAT redundancy peer.
steering-route
Syntax 
steering-route ip-prefix/length
no steering-route
Context 
config>router>nat>inside>redundancy
config>service>vprn>nat>inside>redundancy
Description 
This command configures the IP address of the steering route.
The steering route is used in the realm of this virtual router instance as an indirect next-hop for all the traffic that must be routed to the Large Scale NAT function.
The no form of the command removes the ip-prefix/length from the configuration.
Parameters 
ip-prefix/length
Specifies the IP address and length of the steering route.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
subscriber-identification
Syntax 
subscriber-identification
Context 
config>router>nat>inside
Description 
This command enables the context to configure subscriber identification for Large Scale NAT.
attribute
Syntax 
attribute [vendor vendor-id] attribute-type attribute-type
no attribute
Context 
config>router>nat>inside>subscriber-id
configure>service>vprn>nat>inside>subscriber-identification
Description 
This command defines the attribute that will in addition to framed-ip-address (inside IP address) and service-id be used for correlating BNG subscriber with the NAT subscriber.
Only a single attribute at the time can be configured. The attribute will be extracted from the BNG accounting start and/or interim-update messages via Radius accounting proxy server. This attribute can be then optionally passed to the Large Scale NAT44 accounting server. User-name attribute (if included) in Large Scale NAT44 accounting messages will be automatically set to the subscriber-id string.
The attribute parameter can be changed at any given time and the change will be reflected automatically when the next interim-update message from the BNG host is received by Radius accounting proxy.
In case that the BNG accounting message in RADIUS accounting proxy does not contain this attribute, subscriber aware Large Scale NAT44 functionality for this particular subscriber will be disabled.
Default 
attribute vendor "alu" attribute-type "alc-sub-string"
Parameters 
vendor vendor-id
specifies the RADIUS vendor ID.
Values
standard, alu, 3gpp
Default
alu
attribute-type attribute-type
Specifies the RADIUS attribute to be used as subscriber. identifier
Values
alc-sub-string (alu) — Subscriber-id string (Alc-Subsc-ID-Str) is cached in Large Scale NAT44 application and used to correlate Large Scale NAT44 subscriber to BNG subscriber.
user-name (stnd) — User-Name standard Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.
class (stnd) — Class standard Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber. Class attribute is initially set and send by Radius server. As such it must be echoed by BNG in all accounting messages.
station-id (stnd) — Calling-Station-Id Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.
imsi (3gpp) — International Mobile Subscriber Identification is used in WiFI Offload applications as a SIM card identifier.
imei (3gpp) — International Mobile Equipment Identification is used in WiFI Offload applications as a physical phone device identifier.
drop-unidentified-traffic
Syntax 
[no] drop-unidentified-traffic
Context 
config>router>nat>inside>subscriber-id
Description 
When this command denies address translation to subscribers that have not been identified via accounting messages sent by BNG and received by Radius accounting proxy. This command has effect only in Subscriber Aware Application.
Default 
no drop-unidentified-traffic
radius-proxy-server
Syntax 
radius-proxy-server router router-instance name server-name
no radius-proxy-server
Context 
config>router>nat>inside>subscriber-id
configure>service>vprn>nat>inside>subscriber-identification
Description 
This command configures RADIUS proxy server parameters. This is a reference to a RADIUS accounting proxy server in Subscriber Aware Large Scale NAT44 application. RADIUS accounting proxy server will cache attributes related to a BNG subscriber as they are received in standard accounting messages (RFC 2866). Radius accounting proxy server can be configured in any routing instance within 7750 SR.
Default 
none
Parameters 
router router-instance
Specifies the routing instance in which the RADIUS accounting proxy is configured.
name server-name
Specifies the name reference to the RADIUS accounting proxy server that is instantiated in 7750 SR.
mtu
Syntax 
mtu [512..9000]
no mtu
Context 
config>router>nat>outside
Description 
This command configures the MTU for downstream traffic flowing through this router (as outside NAT router). The system fragments IP datagrams exceeding the MTU.
Default 
none
Parameters 
[512..9000]
Specifies the MTU for downstream traffic.
pool
Syntax 
pool nat-pool-name [nat-group nat-group-id type pool-type create]
no pool nat-pool-name
Context 
config>service>vprn>nat>outside
config>router>nat>outside
Description 
This command configures a NAT pool.
Parameters 
nat-pool-name
Specifies the NAT pool name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
create
This parameter must be specified to create the instance.
pool-type
Species the pool type, either large-scale or L2-aware.
address-range
Syntax 
address-range start-ip-address end-ip-address [create]
no address-range start-ip-address end-ip-address
Context 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description 
This command configures a NAT address range.
Parameters 
start-ip-address
Specifies the beginning IP address in a.b.c.d form.
end-ip-address
Specifies the ending IP address in a.b.c.d. form.
create
This parameter must be specified to create the instance.
drain
Syntax 
[no] drain
Context 
config>service>vprn>nat>outside>pool>address-range
config>router>nat>outside>pool>address-range
Description 
This command starts or stops draining this NAT address range. When an address-range is being drained, it will not be used to serve new hosts. Existing hosts, however, will still be able to use the address that was assigned to them even if it is being drained.An address-range can only be deleted if the parent pool is shut down or if the range itself is effectively drained (no hosts are using the addresses anymore).
mode
Syntax 
mode {auto | napt | one-to-one}
no mode
Context 
config>router>nat>outside>pool
Description 
This command specifies the mode of operation of this NAT address pool.
The no form of the command reverts to the default.
Default 
auto
Parameters 
{auto | napt | one-to-one}
Specifies the mode of operation of this NAT pool.
port-forwarding-range
Syntax 
port-forwarding-range range-end
no port-forwarding-range
Context 
config>router>nat>outside>pool>address-range
Description 
This command configures the end of the port range available for port forwarding. The start of the range is always equal to one.
Note that the number of ports that can be configured is half of the available block => 64512 : 2 = 32256
In combination with port-forwarding-range the formulas are:
"max port-reservation blocks" = 65535 - "port-forwarding-range"
"max port-reservation ports" = (65535 - "port-forwarding-range") / 2
with:
the default min value for "port-forwarding-range" = 1023
Also, the same applies for max port-forwarding-range if the port-reservation is already configured:
"max port-forwarding-range" = 65535 - "port-reservation blocks"
"max port-forwarding-range" = 65535 - ("port-reservation ports" * 2)
The no form of the command reverts to the default.
Default 
1023
Parameters 
range-end
Specifies the port forwarding range.
Values
1023 — 65535
deterministic
Syntax 
deterministic
Context 
config>service>vprn>nat>outside>pool
Description 
This command configures deterministic NAT for this pool
port-reservation
Syntax 
port-reservation num-ports
no port-reservation
Context 
config>service>vprn>nat>outside>pool>deterministic
Description 
This command is applicable only to deterministic NAT. It configures the number of deterministic ports per subscriber (for example a subscriber is an inside IP address in LSN44 or IPv6 address or prefix in DS-lite). Once this command is enabled, the pool will transition into deterministic mode of operation. This means that the subscribers can use dynamic port-blocks in the pool only as a mean to expand the range of originally assigned deterministic ports. A pool with such property is referred to as deterministic pool. However, deterministic NAT and non-deterministic NAT cannot use the same pool simultaneously.
All subscribers in deterministic pool are pre-mapped during the configuration phase to outside IP addresses and deterministic port-blocks. Because of this, the deterministic pool cannot be oversubscribed with subscribers (first-come, first-served).
Once the deterministic pool becomes operational (no shutdown) a log is created. The same applies if the pool is disabled (shutdown). As a result of this ’one time’ logging, there will be no additional logging when a subscriber starts using ports from the pre-assigned deterministic port block. This drastically reduces the logging overhead. However, when a deterministic port block is expanded by a dynamic port block, a log will be created on any allocation/de-allocation of the dynamic port block. The logs are also created for static port forwards (including PCP).
The number of subscribers per outside IP address (subscriber-limit) multiplied by the number of deterministic ports per subscriber (port-reservation) will determine the port range of an outside IP address that will be dedicated to deterministic mappings. The number of subscribers per outside IP address in deterministic NAT must be power of 2 (2^n). Once the deterministic ports are allocated, the dynamic ports are carved out of the remaining port space of the same outside IP address according to the existing port-reservation command under the same hierarchy,
Parameters 
num-ports
Specifies the number of ports in a deterministic port block that is allocated and dedicated to a single subscribers during the configuration phase.
Values
1 — 65535
port-reservation
Syntax 
port-reservation blocks num-blocks
port-reservation ports num-ports
no port-reservation
Context 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description 
This command configures the size of the port-block that will be assigned to a host that is served by this pool. The number of ports configured here will be available to UDP, TCP and ICMP (as identifiers).
Parameters 
blocks num-blocks
Specifies the number of port-blocks per IP address. Setting num-blocks to one (1) for large scale NAT will enable 1:1 NAT for IP addresses in this pool.
Values
1 — 65535
ports num-ports
Specifies the number of ports per block.
Values
1 — 32256
mode
Syntax 
mode {auto|napt|one-to-one}
no mode
Context 
config>service>vprn>nat>outside>pool
Description 
This command configures the mode of operation of this NAT pool.
Parameters 
napt
Specifies NAPT (Network Address Port Translation)
auto
The system selects the actual mode based upon other configuration parameters; the actual mode can be NAPT or 1:1 NAT (also known as 'Basic NAT').
oneToOne
Indicates 1:1 NAT (also known as 'Basic NAT')
port-forwarding-dyn-block-reservation
Syntax 
[no] port-forwarding-dyn-block-reservation
Context 
configure>service>vprn>nat>outside>pool
configure>service>router>nat>outside>pool
Description 
This command will enable the reservation of the dynamic port blocks when the first port forward for the subscriber is created. The dynamic port bloc allocation is logged only if the block is being utilized (mapping are created). In other words, dynamic port block reservation due to the port forward creation but without any dynamic mapping, will not be logged.
The reserved port block will be released only when the last mapping in the block expires AND there is not port forward associated with the subscriber. The de-allocation log (syslog or Radius) will be generated when the dynamic port block is completely released.
Dynamic port block reservation can be enabled only if the configured maximum number of subscriber per outside IP address is less or equal then the maximum number of configured port blocks per outside IP address.
Default 
port-forwarding-dyn-block-reservation
port-forwarding-range
Syntax 
port-forwarding-range range-end
no port-forwarding-range
Context 
config>service>vprn>nat>outside>pool
Description 
This command specifies the end of the port range available for port forwarding. The start of the range is always equal to one.
Parameters 
range-end
Specifies the port forwarding range end.
Values
1023 — 65535
redundancy
Syntax 
redundancy
Context 
config>router>nat>outside>pool
Description 
This command enables the context to configure NAT pool redundancy parameters.
export
Syntax 
export ip-prefix/length
no export
Context 
config>router>nat>outside>pool>redundancy
Description 
This command configures the route to export to the peer. While the export prefix is configured and the value of the object tmnxNatPlLsnRedActive is equal to true, the system exports this prefix in the realm of the virtual router instance associated with this pool; to the NAT redundancy peer, the presence of this prefix is an indication that the Large Scale NAT function in this virtual router instance is active; hence, the export prefix of this system is the monitor prefix of the peer.
The export prefix must be different from the monitor prefix.
Parameters 
ip-prefix/length
Specifies the IP address and length of the prefix to be exported.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
monitor
Syntax 
monitor ip-prefix/length
no monitor
Context 
config>router>nat>outside>pool>redundancy
Description 
This command configures the IP address of the prefix to be monitored.
While the monitor prefix is configured, the system monitors the presence of this prefix in the routing table of the virtual router instance associated with this pool; the presence of this prefix is an indication that the NAT redundancy peer is active; the monitor prefix of this system is the export prefix of the peer.
The monitor prefix must be different from the export prefix.
Parameters 
ip-prefix/length
Specifies the peer route to monitor.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
subscriber-limit
Syntax 
subscriber-limit [1..65535]
no subscriber-limit
Context 
config>service>vprn>nat>outside
config>nat>outside>pool
Description 
This command configures the maximum number of subscribers per outside IP address. In case multiple port blocks per subscriber are used, the block size is typically small; all blocks assigned to a given subscriber belong to the same IP address; the subscriber limit guarantees that any subscriber can get a mimimum number of ports.
Default 
65535
Parameters 
limit
Specify the maximum number of subscribers per IP address.
Values
1 — 65535
watermarks
Syntax 
watermarks high percentage-high low percentage-low
no watermarks
Context 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description 
This command configures the watermarks for this NAT pool.
Parameters 
high percentage-high
Specifies the high percentage.
Values
1 — 100
low percentage-low
Specifies the low percentage.
Values
0 — 99
upstream-ip-filter
Syntax 
upstream-ip-filter filter-id
no upstream-ip-filter
Context 
config>service>vprn>nat>outside
Description 
This command configures the ip-filter for upstream traffic. This filter is applied to the upstream traffic after the NAT function and before it enters the outside virtual router instance; it is useful for traffic that bypasses the ingress filters applied in the inside virtual router instance, such as DSLite traffic.
Default 
none
Parameters 
filter-id
Specifies the identifier of an IP filter.
NAT Service Configuration Commands
nat-policy
Syntax 
nat-policy nat-policy-name [create]
no nat-policy nat-policy-name
Context 
config>service>nat
Description 
This commmand configures a NAT policy.
Parameters 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
alg
Syntax 
alg
Context 
config>service>nat
Description 
This command enables the context to configure Application Level Gateway parameters of this policy.
ftp
Syntax 
[no] ftp
Context 
config>service>nat>alg
Description 
This command enables FTP ALG.
The no form of the command disables FTP ALG.
Default 
ftp
rtsp
Syntax 
[no] rtsp
Context 
config>service>nat>alg
Description 
This command enables RTSP ALG.
The no form of the command disables RTSP ALG.
Default 
no rtsp
sip
Syntax 
[no] sip
Context 
config>service>nat>alg
Description 
This command enables SIP ALG.
The no form of the command disables SIP ALG.
Default 
no sip
 
block-limit
Syntax 
block-limit [1..40]
no block-limit
Context 
config>service>nat>alg
Description 
This command configures the maximum number of port blocks per subscriber.
The no form of the command reverts to the default.
Default 
1
filtering
Syntax 
filtering filtering-mode
no filtering
Context 
config>service>nat>nat-policy
Description 
This command configures the filtering of the NAT policy.
Parameters 
filtering-mode
Specifies the way that inbound traffic is filtered.
Values
address-and-port-dependent | endpoint-independent
ipfix-export-policy
Syntax 
ipfix-export-policy [32 chars max]
no ipfix-export-policy
Context 
config>service>nat>nat-policy
Description 
This command configures the IP flow information export protocol.
The no form of the command removes the
pool
Syntax 
pool nat-pool-name service-name service-name
pool nat-pool-name router router-instance
no pool
Context 
config>service>nat>nat-policy
Description 
This command configures the NAT pool of this policy.
Parameters 
nat-pool-name
Specifies the name of the NAT pool.
Values
32 chars max
router-instance
Specifies the router instance the pool belongs to, either by router name or service ID.
Values
router-name: “Base” | “management”
Default
Base
Values
1 — 2147483648
svc-name — a string up to 64 characters in length.
service-name
Specifies the name of the service.
Values
64 chars max
port-limits
Syntax 
port-limits
Context 
config>service>nat>nat-policy
Description 
This command configures the port limits of this policy.
forwarding
Syntax 
forwarding limit
no forwarding
Context 
config>service>nat>nat-policy>port-limits
Description 
This command configures the maximum number of port forwarding entries.
Parameters 
limit
Specifies the maximum number of port forwarding entries per subscriber.
Default
0
reserved
Syntax 
reserved num-ports
no reserved
Context 
config>service>nat>nat-policy>port-limits
Description 
This command configures the number of ports per block that will be reserved for prioritized sessions.
Parameters 
num-ports
Specifies the number of ports to reserve for prioritized sessions.
Values
1 — 65534
watermarks
Syntax 
watermarks high percentage-high low percentage-low
no watermarks
Context 
config>service>nat>nat-policy port-limits
Description 
This command configures the port usage watermarks for the NAT policy.
Parameters 
percentage-high
Specifies the high percentage.
Values
1 — 100
percentage-low
Specifies the low percentage.
Values
0 — 99
priority-sessions
Syntax 
[no] priority-sessions
Context 
config>service>nat>nat-policy
Description 
This command configures the prioritized sessions of this NAT policy.
fc
Syntax 
[no] fc fc-name
Context 
config>service>nat>nat-policy>priority-sessions
Description 
This command configures the forwarding classes that have their sessions prioritized.
Parameters 
fc-name
Specifies the forwarding class.
Values
be | l2 | af | l1 | h2 | ef | h1 | nc
max
Syntax 
max num-sessions
no max
Context 
config>service>nat>nat-policy>session-limits
Description 
This command configures the session limit of this policy. The session limit is the maximum number of sessions allowed for a subscriber associated with this policy
Parameters 
num-sessions
Specifies the session limit.
Values
1 — 65535
tcp-mss-adjust
Syntax 
tcp-mss-adjust segment-size
no tcp-mss-adjust
Context 
config>service>nat>nat-policy
Description 
This command configures the value to adjust the TCP Maximum Segment Size (MSS) option.
The no form of the command returns the segment size to the default.
Default 
0
Parameters 
segment-size
specifies the value to put into the TCP Maximum Segment Size (MSS) option if not already present, or if the present value is higher.
Values
0, 160 — 10240
timeouts
Syntax 
[no] timeouts
Context 
config>service>nat>nat-policy
Description 
This command configures session idle timeouts for this policy.
icmp-query
Syntax 
icmp-query [min minutes] [sec seconds]
no icmp-query
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the timeout applied to an ICMP query session.
Parameters 
min minutes
Specifies the timeout, in minutes, applied to an ICMP query session
Values
1 — 4
Default
1
sec seconds
Specifies the timeout, in seconds, applied to an ICMP query session
Values
1 — 59
sip
Syntax 
sip min minutes] [sec seconds]
no sip
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the SIP inactive media timeout.
Parameters 
min minutes
Specifies the SIP inactive media timeout, in minutes.
Values
1 — 4
Default
1
sec seconds
Specifies the SIP inactive media timeout, in seconds.
Values
1 — 59
subscriber-retention
Syntax 
subscriber-retention [hrs hours] [min minutes]
no subscriber-retention
Context 
config>service>nat>nat-policy>timeouts
Description 
This command specifies the subscriber retention timeout, the time a NAT subscriber and its associated IP address is kept after all hosts and associated port blocks have expired.
If a NAT subscriber host appears before the retention timeout has elapsed, it will be given the same outside IP address.
Parameters 
hrs hours
Configures the hours a subscribers’s IP address is kept after all hosts and port blocks have expired.
Values
1 — 24
min minutes
Configures the minutes a subscribers’s IP address is kept after all hosts and port blocks have expired.
Values
1 — 59
icmp-query
Syntax 
icmp-query [min minutes] [sec seconds]
no icmp
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the timeout applied to an ICMP query session.
Parameters 
minutes
Specifies the timeout in minutes.
Values
1 — 4
seconds
Specifies the timeout in seconds.
Values
1 — 59
tcp-established
Syntax 
tcp-established [hrs hours] [min minutes] [sec seconds]
no tcp-established
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the idle timeout applied to a TCP session in the established state.
Parameters 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-syn
Syntax 
tcp-syn [hrs hours] [min minutes] [sec seconds]
no tcp-syn
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the timeout applied to a TCP session in the SYN state.
Parameters 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-time-wait
Syntax 
tcp-time-wait [min minutes] [sec seconds]
no tcp-time-wait
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the timeout applied to a TCP session in a time-wait state.
Parameters 
minutes
Specifies the timeout minutes field.
Values
1 — 4
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-transitory
Syntax 
tcp-transitory [hrs hours] [min minutes] [sec seconds]
no tcp-transitory
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the idle timeout applied to a TCP session in a transitory state.
Parameters 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp
Syntax 
udp [hrs hours] [min minutes] [sec seconds]
no udp
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the UDP mapping timeout.
Parameters 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-dns
Syntax 
udp-dns [hrs hours] [min minutes] [sec seconds]
no udp-dns
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the timeout applied to a UDP session with destination port 53.
Parameters 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-initial
Syntax 
udp-initial [min minutes] [sec seconds]
no udp-initial
Context 
config>service>nat>nat-policy>timeouts
Description 
This command configures the UDP mapping timeout applied to new sessions.
Parameters 
minutes
Specifies the timeout minutes field.
Values
1 — 4
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-inbound-refresh
Syntax 
[no] udp-inbound-refresh
Context 
config>service>nat>nat-policy>timeouts
Description 
This command specifies the NAT inbound refresh behavior.
Default 
disabled
 
IPFlow Information Export Protocol Commands
ipfix
Syntax 
ipfix
Context 
config>service
Description 
This command enables the context to configure IPFIX parameters.
ipfix-export-policy
Syntax 
ipfix-export-policy policy-name [create]
no ipfix-export-policy policy-name
Context 
config>service>ipfix
Description 
This command creates an IPFIX export policy with a set of transport parameters that will be used to transmit IPFIX records generated by an application within 7750 SR node to an external collector node. This policy name can be referenced from each application within 7750 SR that requires flow logging.
Default 
none
Parameters 
policy-name
Specifies the name of the policy that can be referenced within an application in 7750 SR node that requires flow logging.
collector
Syntax 
collector router router-instance ip ip-address [create]
no collector router router-instance ip ip-address
Context 
config>service>ipfix>export-policy
Description 
This command defines an external collector node that will collect IPFIX records sent by 7750 SR node. The IPFIX records will be streamed to the collector node using UDP transport. Traffic is originated from a random ephemeral UDP port to the destination port 4739. Up to two collector nodes can be defined for redundancy purposes.
UDP streams are stateless due to the significant volume of transactions. However they do contain 32bit sequence numbers such that packet loss can be identified.
Multiple IPFIX records are sent in a single UDP packet. UDP packet transmission is triggered when the packet size containing IPFIX records exceeds the configured MTU value or the internal timer which is set to 250ms, whichever occurs first.
Default 
none
Parameters 
router router-instance
Router instance from which the collector node is reachable.
Values
<router-name>|<service-id>
router-name: "Base"
service-id : 1 — 2147483647
ip ip-address
IPv4 address of the external collector node to which IPFIX records will be sent.
mtu
Syntax 
mtu [512..9212]
no mtu
Context 
config>service>ipfix>export-policy
Description 
This command sets the MTU size of the UDP packet containing IPFIX records destined for the collector node. Multiple records will be stuffed into a single IP packet until stuffing an additional data record would exceed MTU or the internal timer of 250ms expires.
Default 
1500
Parameters 
[512..9212]
Specifies the the Maximum Transmission Unit range.
source-address
Syntax 
source-address ip-address
no source-address
Context 
config>service>ipfix>export-policy
Description 
This command configures the source address from which UDP streams containing IPFIX flow records will be sourced.
Default 
none
Parameters 
ip-address
Source IPv4 address from which UDP streams are sent.
template-refresh-timeout
Syntax 
template-refresh-timeout [hrs hours] [min minutes] [sec seconds]
no template-refresh-timeout
Context 
config>service>ipfix>export-policy
Description 
This command configures the time interval in which Template Set messages are sent to the collector node. Template sets is an IPFIX message that defines fields for subsequent IPFIX messages but contains no data of its own. In other words, IPFIX data is NOT passed as set of TLVs, but instead data is encoded with a scheme defined through the Template Set message.
Default 
10 minutes
Parameters 
hrs hours
Specifies the time interval, in hours, after which IPFIX templates are resent to this collector.
Values
1 — 24
min minutes
Specifies the time interval, in minutes, after which IPFIX templates are resent to this collector.
Values
1 — 59
sec seconds
Specifies the time interval, in seconds, after which IPFIX templates are resent to this collector.
Values
1 — 59
 
NAT Accounting Policy Commands
nat-accounting-policy
Syntax 
nat-accounting-policy policy-name [create]
no nat-accounting-policy policy-name
Context 
config>aaa
Description 
This command creates a policy template related to transport of accounting messages from the BB-ISA card to the accounting server. It also defines accounting attributes that will be included in accounting messages. The policy template will be instantiated once it is applied to the BB-ISA cards in the nat-group.
The no form of the command removes the policy name from the configuration.
Default 
none
Parameters 
policy-name
Specifies the name of the NAT accounting policy that can be referenced by a NAT application.
include-radius-attribute
Syntax 
[no] include-radius-attribute
Context 
config>aaa>nat-accounting-policy
Description 
This command enables the context to specify the RADIUS parameters that the system should include into RADIUS authentication-request messages.
called-station-i
Syntax 
[no] called-station-id
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command includes called station id attributes.
The no form of the command excludes called station id attributes.
frame-counters
Syntax 
[no] frame-counters
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command includes the frame-counters attribute.
The no form of the command excludes frame-counters attribute.
framed-ip-addr
Syntax 
[no] framed-ip-addr
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the framed-ip-addr attribute.
The no form of the command excludes called framed-ip-addr attributes.
hardware-timestamp
Syntax 
[no] hardware-timestamp
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the hardware timestamp attributes.
The no form of the command excludes the hardware timestamp attributes.
inside-service-id
Syntax 
[no] inside-service-id
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the NAT inside service ID attributes.
The no form of the command excludes NAT inside service ID attributes.
multi-session-id
Syntax 
[no] multi-session-id
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the multi-session-id attributes.
The no form of the command excludes the multi-session-id attributes.
 
 
nas-identifier
Syntax 
[no] nas-identifier
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the NAS-Identifier attributes.
The no form of the command excludes NAS-Identifier attributes.
nat-subscriber-string
Syntax 
[no] nat-subscriber-string
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the NAT subscriber string attributes.
The no form of the command excludes NAT subscriber string attributes.
octet-counters
Syntax 
[no] octet-counters
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the octet-counters attributes.
The no form of the command excludes octet-counters attributes.
outside-ip
Syntax 
[no] outside-ip
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the outside IP attributes.
The no form of the command excludes outside IP attributes.
outside-service-id
Syntax 
[no] outside-service-id
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the NAT outside service ID attributes.
The no form of the command excludes NAT outside service ID attributes.
port-range-block
Syntax 
[no] port-range-block
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the NAT port range block attributes.
The no form of the command excludes NAT port range block attributes.
release-reason
Syntax 
[no] release-reason
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the release reason attributes.
The no form of the command excludes release reason attributes.
session-time
Syntax 
[no] session-time
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of the session-time attributes.
The no form of the command excludes session-time attributes.
subscriber-data
Syntax 
[no] subscriber-data
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of subscriber data attributes.
The no form of the command excludes subscriber data attributes.
user-name
Syntax 
[no] user-name
Context 
config>aaa>nat-acct-plcy>include-radius-attribute
Description 
This command enables the inclusion of user name attributes.
The no form of the command excludes user name attributes.
radius-accounting-server
Syntax 
radius-accounting-server
Context 
config>aaa>nat-acct-plcy
Description 
This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.
access-algorithm
Syntax 
access-algorithm {direct | round-robin}
no access-algorithm
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command configures the algorithm used to access the list of configured RADIUS servers.
Default 
direct
Parameters 
direct
Specifies that the first server will be used as primary server for all requests, the second as secondary and so on.
round-robin
Specifies that the first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.
retry
Syntax 
retry count
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command configures the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
Default 
3
Parameters 
count
Specifies the retry count.
Values
1 — 10
router
Syntax 
router router-instance
router service-name service-name
no router
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
server
Syntax 
server server-index address ip-address secret key [hash | hash2] [port port] [create]
no server server-index
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.
The no form of the command removes the server from the configuration.
Default 
none
Parameters 
server-index
The index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
Values
1 — 16 (a maximum of 5 accounting servers)
address ip-address
The IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
secret key
Values
The secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.
secret-key — A string up to 20 characters in length.
hash-key — A string up to 33 characters in length.
hash2-key — A string up to 55 characters in length.
hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
port
Specifies the UDP port number on which to contact the RADIUS server for authentication.
Values
1 — 65535
source-address-range
Syntax 
source-address-range start-ip-address end-ip-address
no source-address
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface in the 7750 SR OS Router Configuration Guide. Note that the system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute: over there it is set to the system IP address if no sourceaddress was given.
The no form of the command reverts to the default value.
Default 
systemIP address
Parameters 
ip-address
The IP prefix for the IP match criterion in dotted decimal notation.
Values
0.0.0.0 - 255.255.255.255
timeout
Syntax 
timeout seconds
Context 
config>aaa>nat-acct-plcy>radius-acct-server
Description 
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
Default 
5
Parameters 
seconds
Specifies the time the router waits for a response from a RADIUS server.
 
NAT Subscriber Management Commands
nat-policy
Syntax 
nat-policy policy-name
no nat-policy
Context 
config>subscriber-mgmt>sub-profile
Description 
This command configures the NAT policy to be used for subscribers associated with this subscriber profile.
Parameters 
policy-name
Specifies the policy name.
Values
32 chars max
 
save-deterministic-script
Syntax 
save-deterministic-script
Context 
admin>nat
Description 
This command saves the script that calculates Deterministic NAT map entries.
Once the location for the Python deterministic NAT script is configured, the script is generated/updated every time deterministic NAT configuration is modified. However, the script must be manually exported to the remote location. This command triggers the export of the script to a remote location.
 
 
NAT Show Commands
nat-accounting-policy
Syntax 
nat-accounting-policy
nat-accounting-policy policy-name
nat-accounting-policy policy-name associations
nat-accounting-policy
Context 
show>aaa
Description 
This command displays NAT accounting policy information.
Parameters 
policy-name
Specifies the NAT policy name.
Values
32 chars max
associations
Keyword that displays the router instances and/or subscriber profiles associated with the NAT policy.
Sample Output
A:SR12_PPPOE# show aaa nat-accounting-policy "my-acct-plcy" 
===============================================================================
NAT accounting policy "my-acct-plcy"
===============================================================================
Description                 : my accounting policy
-------------------------------------------------------------------------------
RADIUS accounting server settings
-------------------------------------------------------------------------------
Access algorithm            : direct
Retry                       : 3
Router                      : 101
Source address start        : 10.10.10.10
Source address end          : 10.10.10.20
Timeout (s)                 : 5
Last management change      : 01/28/2012 14:47:59
Include attributes          : framed-ip-addr nas-identifier nat-subscriber-
                              string user-name inside-service-id outside-
                              service-id outside-ip port-range-block hardware-
                              timestamp release-reason multi-session-id frame-
                              counters octet-counters session-time
===============================================================================
===============================================================================
Servers for "my-acct-plcy"
===============================================================================
Index Address         Port  
-------------------------------------------------------------------------------
1     17.0.0.5        1813  
2     17.0.0.1        1813  
===============================================================================
===============================================================================
Servers ISA group connection status for "my-acct-plcy"
===============================================================================
Index Group Member State                      Tx-rq      Rq-timeout Send-retry
-------------------------------------------------------------------------------
1     3     1      out-of-service             3          1          2
1     3     2      out-of-service             9          3          6
2     3     1      in-service                 1          0          0
2     3     2      out-of-service             6          2          4
===============================================================================
A:SR12_PPPOE#
 
 
A:SR12_PPPOE# show aaa nat-accounting-policy "my-acct-plcy" associations  
===============================================================================
NAT groups associated with "my-acct-plcy"
===============================================================================
Group
-------------------------------------------------------------------------------
1
3
-------------------------------------------------------------------------------
No. of groups: 2
===============================================================================
A:SR12_PPPOE#
 
nat-group
Syntax 
nat-group
nat-group nat-group-id [associations]
nat-group nat-group-id member [1..255] [statistics]
nat-group [nat-group-id] members
Context 
show>isa
Description 
This command displays ISA NAT group information.
Parameters 
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
statistics
Keyword; displays NAT group statistics.
Sample Output
show isa nat-group
===============================================================================
ISA NAT Group Summary
===============================================================================
Mda Group 1 Group 2 Group 3
-------------------------------------------------------------------------------
3/1 active - -
3/2 - active busy
4/1 - busy active
4/2 - standby standby
===============================================================================
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group 1       
===============================================================================
ISA NAT Group 1
===============================================================================
Admin state                 : inService
Operational state           : inService
Active MDA limit            : 2
 
-------------------------------------------------------------------------------
NAT specific information for ISA group 1
-------------------------------------------------------------------------------
Reserved sessions           : 0
High Watermark (%)          : (Not Specified)
Low Watermark (%)           : (Not Specified)
Accounting policy           : my-acct-plcy
Last Mgmt Change            : 01/28/2012 14:47:59
-------------------------------------------------------------------------------
===============================================================================
ISA Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio
-------------------------------------------------------------------------------
1     1          active         3/1  3          3          < 1  N  0
1     2          active         3/2  4          4          < 1  N  0
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
 
 
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group   
===============================================================================
ISA NAT Group Summary
===============================================================================
Mda  Group 1            Group 2            Group 3            Group 4           
-------------------------------------------------------------------------------
2/1  -                  provisioned        -                  -                 
3/1  active             -                  up                 -                 
3/1  active             -                  up                 -                 
3/2  active             -                  up                 -                 
3/2  active             -                  up                 -                 
===============================================================================
A:SR12_PPPOE#
 
 
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group 1 
===============================================================================
ISA NAT Group 1
===============================================================================
Admin state                 : inService
Operational state           : inService
Active MDA limit            : 2
 
-------------------------------------------------------------------------------
NAT specific information for ISA group 1
-------------------------------------------------------------------------------
Reserved sessions           : 0
High Watermark (%)          : (Not Specified)
Low Watermark (%)           : (Not Specified)
Accounting policy           : my-acct-plcy
Last Mgmt Change            : 01/28/2012 14:47:59
-------------------------------------------------------------------------------
===============================================================================
ISA Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio
-------------------------------------------------------------------------------
1     1          active         3/1  3          3          < 1  N  0
1     2          active         3/2  4          4          < 1  N  0
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
 
 
A:SR12_PPPOE# show isa nat-group 3 member 1 statistics 
===============================================================================
ISA NAT Group 3 Member 1
===============================================================================
no resource                                               : 0
pkt rx on wrong port                                      : 0
unsupported protocol                                      : 0
no host or host group                                     : 0
no ip or port                                             : 0
no matching flow                                          : 3
max flow exceeded                                         : 0
TCP no flow for RST                                       : 0
TCP no flow for FIN                                       : 0
TCP no flow                                               : 0
addr. dep. filtering                                      : 0
ICMP type unsupported                                     : 0
ICMP local unsupported                                    : 0
ICMP checksum error                                       : 0
ICMP embedded checksum error                              : 0
ICMP unsupported L4                                       : 0
ICMP too short                                            : 0
ICMP length error                                         : 0
Pkt not IPv4 or IPv6                                      : 0
Pkt rcv error                                             : 0
Pkt error                                                 : 0
IPv4 header checksum violation                            : 0
IPv4 header malformed                                     : 0
IPv4 malformed packet                                     : 0
IPv4 ttl zero                                             : 0
IPv4 opt /IPv6 ext headers                                : 0
IPv4 undefined error                                      : 0
IPv6 fragments unsupported                                : 0
TCP/UDP malformed                                         : 0
TCP/UDP checksum failure                                  : 0
TCP/UDP length error                                      : 0
Pkt send error                                            : 0
no buf to copy pkt                                        : 0
no policy                                                 : 0
locked by mgmt core                                       : 0
port range log failed                                     : 0
MTU exceeded                                              : 0
DS Lite unrecognized next hdr                             : 0
DS Lite unknown AFTR                                      : 0
too many fragments for IP packet                          : 0
too many fragmented packets                               : 0
too many fragment holes                                   : 0
too many frags buffered                                   : 0
fragment list expired                                     : 0
fragment rate too high                                    : 0
flow log failed                                           : 0
no multiple host or subscr. IPs allowed                   : 0
to local                                                  : 1
to local ignored                                          : 0
NAT64 disabled                                            : 0
NAT64 invalid src addr                                    : 0
NAT64 frag has zero checksum                              : 0
NAT64 v4 has zero checksum                                : 0
NAT64 ICMP frag unsupported                               : 0
CPM out of memory                                         : 0
new flow                                                  : 1
TCP closed                                                : 1
TCP expired                                               : 0
UDP expired                                               : 0
ICMP expired                                              : 0
ICMP local                                                : 0
found flow                                                : 34
ARPs ignored                                              : 4
Fragments RX L2A                                          : 0
Fragments RX LSN                                          : 0
Fragments RX DSL                                          : 0
Fragments RX OUT                                          : 0
Fragments TX L2A                                          : 0
Fragments TX LSN                                          : 0
Fragments TX DSL                                          : 0
Fragments TX NAT64                                        : 0
Fragments TX OUT                                          : 0
flow create logged                                        : 0
flow delete logged                                        : 0
flow log pkt tx                                           : 0
===============================================================================
A:SR12_PPPOE#
 
config>isa# show isa nat-group 1 member 1 statistics
===============================================================================
ISA NAT Group 1 Member 1
===============================================================================
no resource                                               : 0
     [eNatFlowNoResource]                     "no resource",\
         ->the default, all errors without more specific reason
 
     [eNatFlowWrongPort]                      "pkt rx on wrong port",\
         -> packet came in on wrong port on ISA
 
     [eNatFlowWrongProt]                      "unsupported protocol",\
         -> protocol  is not UDMP/TCP/ICMP
 
     [eNatFlowNoHostGrp]                      "no host or host group",\
         -> can not create new host group because out of resources, or 
current host group is not usable at the moment (because in a transient 
state)
 
     [eNatFlowNoIpOrPort]                     "no ip or port",\
          -> no Ip or port range available
 
     [eNatFlowNoMatchingFlow]                 "no matching flow",\
         -> no matching flow found
 
     [eNatFlowMaxExceeded]                    "max flow exceeded",\
          -> max flows for subscriber exceeded
 
     [eNatFlowTcpUnexpectedRst]               "TCP no flow for RST",\
     [eNatFlowTcpUnexpectedFin]               "TCP no flow for FIN",\
     [eNatFlowTcpUnexpected]                  "TCP no flow",\
         -> TCP state machine problem
 
     [eNatFlowAddressDependentFiltering]      "addr. dep. filtering",\
         -> pkt dropped because of addr. dependent filtering
 
     [eNatFlowUnsupportedICMP]                "ICMP type unsupported",\
         -> unsupported icmp type
 
     [eNatFlowUnsupportedLocalICMP]           "ICMP local unsupported",\
         -> packet to ip address on ISA is not an echo request
 
     [eNatFlowIcmpChecksumError]              "ICMP checksum error",\
         -> ICMP checksum error
 
     [eNatFlowIcmpEmbeddedPktChecksumError]   "ICMP embedded checksum 
error",\
         -> checksum error on embedded IP header
 
     [eNatFlowIcmpEmbeddedPktUnsupportedL4]   "ICMP unsupported L4",\
         -> embedded IP packet is not UDP/TCP
 
     [eNatFlowIcmpTooShort]                   "ICMP too short",\
         -> packet too short to include the ICMP header
 
     [eNatFlowIcmpLengthError]                "ICMP length error",\
         -> packet too short to include the embedded header
 
     [eNatFlowPacketErrorNotIp]               "Pkt not IPv4 or IPv6",\
     [eNatFlowPacketErrorRecv]                "Pkt rcv error",\
     [eNatFlowPacketError]                    "Pkt error",\
     [eNatFlowPacketErrorIpv4HdrChk]          "IPv4 header checksum 
violation",\
     [eNatFlowPacketErrorIpv4HdrMal]          "IPv4 header malformed",\
     [eNatFlowPacketErrorIpv4PktMal]          "IPv4 malformed packet",\
     [eNatFlowPacketErrorIpv4TtlZero]         "IPv4 ttl zero",\
     [eNatFlowPacketErrorIpv4Optv6Ext]        "IPv4 opt /IPv6 ext headers",\
     [eNatFlowPacketErrorIpv4Bad]             "IPv4 undefined error", \
     [eNatFlowPacketErrorIpv6Frag]            "IPv6 fragments unsupported",\
     [eNatFlowPacketErrorTcpUdpMal]           "TCP/UDP malformed",\
     [eNatFlowPacketErrorTcpUdpChk]           "TCP/UDP checksum failure",\
     [eNatFlowPacketErrorTcpUdpLen]           "TCP/UDP length error",\
         -> malformed incoming packet
 
     [eNatFlowPacketSendError]                "Pkt send error",\
         -> failed to tx the packet
 
     [eNatFlowPacketNoCpyBuf]                 "no buf to copy pkt",\
         -> failed to copy the packet to another buffer needed for 
correct processing
 
     [eNatFlowLockedByMgmtCore]               "locked by mgmt core",\
         -> resources temp. locked by the mgmt core
 
     [eNatFlowPRLogFailed]                    "port range log failed",\
         -> port range log failed
 
     [eNatFlowMtuExceeded]                    "MTU exceeded",\
         -> outgoing packet too big for DS-Lite tunnel or nat64 mtu
 
     [eNatFlowDslUnrecNextHdr]                "DS Lite unrecognized next 
hdr",\
         ->ipv6 pkt has wrong next header
 
     [eNatFlowDslUnknownAFTR]                 "DS Lite unknown AFTR",\
         -> AFTR address is unrecognised
 
     [eNatFlowTooManyFragsForIpPkt]           "too many fragments for IP 
packet",\
     [eNatFlowTooManyFragmentedPkts]          "too many fragmented 
packets",\
     [eNatFlowTooManyFragHoles]               "too many fragment holes",\
     [eNatFlowFragListExpire]                 "fragment list expired",\
     [eNatFlowTooManyFragBufs]                "too many frags buffered",\
     [eNatFlowFragRateTooHigh]                "fragment rate too high",\
         -> various fragment problems
 
     [eNatFlowNoPolicy]                       "no policy",\
         ->vrf not mapped to a policy
 
     [eNatFlowLogFailed]                      "flow log failed",\
         -> flow logging can not follow the setup rate
 
     [eNatFlowMultiHostOrSubscrIp]            "no multiple host or 
subscr. IPs allowed",\
         ->multiple hosts or subscribers on the inside in use without 
port translation
 
     [eNatFlowToLocalError]                   "to local ignored",\
        -> radius authentication failure (?)
 
     [eNatFlow64Disabled]                     "NAT64 disabled",\
         -> nat64 was disabled
 
     [eNatFlow64InvalidSource]                "NAT64 invalid src addr",\
         -> source address matches pref64
 
     [eNatFlow64FragZeroChecksum]             "NAT64 frag has zero 
checksum",\
         -> v4 UDP frag has zero checksum
 
     [eNatFlow64ZeroChecksum]                 "NAT64 v4 has zero checksum",\
         -> v4 UDP has zero checksum, and policy configured to drop
 
     [eNatFlow64FragIcmp]                     "NAT64 ICMP frag unsupported"\
         ->v4 fragmented ICMP
l2-aware-hosts
Syntax 
l2-aware-hosts [outside-router router-instance] [outside-ip outside-ip-address] [inside-ip-prefix ip-prefix/mask]
Context 
show>service>nat
Description 
This command displays layer-2 aware NAT hosts.
Parameters 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip-address
Specifies the outside IP address.
Values
a.b.c.d
sub-ident
Specifies the identifier.
Values
32 chars max
Sample Output
show service nat l2-aware-hosts
===============================================================================
Layer-2-Aware NAT hosts
===============================================================================
Inside IP Out-Router Outside IP Subscriber
-------------------------------------------------------------------------------
13.0.0.100 Base 81.81.0.0 Sub001
13.0.0.102 Base 81.81.0.0 Sub001
13.0.0.101 Base 81.81.0.203 Sub002
13.0.0.103 Base 81.81.0.0 Sub003
-------------------------------------------------------------------------------
No. of hosts: 4
===============================================================================
l2-aware-subscribers
Syntax 
l2-aware-subscribers [nat-policy nat-policy-name] [nat-group nat-group-id] [member [1..255]] [outside-router router-instance] [outside-ip outside-ip-address]
l2-aware-subscribers subscriber sub-ident
Context 
show>service>nat
Description 
This command displays layer-2 aware NAT subscribers.
Parameters 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip-address
Specifies the outside IP address.
Values
a.b.c.d
sub-ident
Specifies the identifier.
Values
32 chars max
Sample Output
show service nat l2-aware-subscribers
===============================================================================
Layer-2-Aware NAT subscribers
===============================================================================
Subscriber Policy Group/Member
Outside IP Router Ports
-------------------------------------------------------------------------------
Sub001 outPolicy 1/1
81.81.0.0 Base 32-33
Sub002 outPolicy2 1/1
81.81.0.203 Base 32-41
Sub003 outPolicy 1/1
81.81.0.0 Base 34-35
-------------------------------------------------------------------------------
No. of subscribers: 3
===============================================================================
 
 
show service nat l2-aware-subscribers subscriber “Sub881”
===============================================================================
Layer-2-Aware NAT subscriber Sub001
===============================================================================
Policy : outPolicy
ISA NAT group : 1
ISA NAT group member : 1
Outside router : Base
Outside IP : 81.81.0.0
ICMP Port usage (%) : < 1
ICMP Port usage high : false
UDP Port usage (%) : < 1
UDP Port usage high : false
TCP Port usage (%) : < 1
TCP Port usage high : false
Session usage (%) : < 1
Session usage high : false
Number of sessions : 0
Number of reserved sessions : 0
Ports : 32-33
===============================================================================
nat-policy
Syntax 
nat-policy nat-policy-name associations
nat-policy nat-policy-name
nat-policy nat-policy-name statistics
nat-policy
Context 
show>service>nat
Description 
This command displays NAT policy information.
Parameters 
nat-policy-name
Specifies the NAT Policy name.
Values
32 chars max
associations
Keyword; displays the router instances and/or subscriber profiles associated with the NAT policy.
statistics
Keyword; displays statistics of the specified NAT policy.
Sample Output
show service nat nat-policy
===============================================================================
NAT policies
===============================================================================
Policy Description
-------------------------------------------------------------------------------
outPolicy
outPolicy2
outPolicy3
-------------------------------------------------------------------------------
No. of NAT policies: 3
===============================================================================
 
 
*A:SR12_PPPOE>show>router>nat#  show service nat nat-policy "priv-nat-policy" 
===============================================================================
NAT Policy priv-nat-policy
===============================================================================
Pool                                  : privpool
Router                                : Base
Filtering                             : endpointIndependent
Block limit                           : 4
Reserved ports                        : 0
Port usage High Watermark (%)         : (Not Specified)
Port usage Low Watermark (%)          : (Not Specified)
Port forwarding limit                 : 64
Session limit                         : 65535
Reserved sessions                     : 0
Session usage High Watermark (%)      : (Not Specified)
Session usage Low Watermark (%)       : (Not Specified)
ALG enabled                           : ftp rtsp sip 
Prioritized forwarding classes        : (Not Specified)
Timeout TCP established (s)           : 7440
Timeout TCP transitory (s)            : 240
Timeout TCP SYN (s)                   : 15
Timeout TCP TIME-WAIT (s)             : 0
Timeout UDP mapping (s)               : 300
Timeout UDP initial (s)               : 15
Timeout UDP DNS (s)                   : 15
Timeout ICMP Query (s)                : 60
Timeout SIP Inactive Media (s)        : 120
Subscriber retention (s)              : 0
UDP inbound refresh                   : false
TCP MSS Adjust                        : (Not Specified)
Destination-NAT IP                    : (Not Specified)
IPFIX export policy                   : (Not Specified)
Last Mgmt Change                      : 01/28/2012 14:47:59
===============================================================================
*A:SR12_PPPOE>show>router>nat# 
 
 
show service nat nat-policy “outPolicy2” associations
===============================================================================
NAT Policy outPolicy2 Subscriber Profile Associations
===============================================================================
sub_prof_B_3
-------------------------------------------------------------------------------
No. of subscriber profiles: 1
===============================================================================
 
show service nat nat-policy “outPolicy2” statistics
===============================================================================
NAT Policy outPolicy2 Statistics
===============================================================================
mda 3/1
-------------------------------------------------------------------------------
hostsActive 	: 1
hostsPeak 	: 1
sessionsTcpCreated 	: 0
sessionsTcpDestroyed 	: 0
sessionsUdpCreated 	: 0
sessionsUdpDestroyed 	: 0
sessionsIcmpQueryCreated 	: 0
sessionsIcmpQueryDestroyed 	: 0
===============================================================================
 
pcp-server-policy
Syntax 
pcp-server-policy
pcp-server-policy name
Context 
show>router>nat
Description 
This command displays PCP server policy information.
port-forwarding-entries
Syntax 
port-forwarding-entries
Context 
show>router>nat
Description 
This command displays port forwarding entries.
Sample Output
*A:SR12_PPPOE#  show service nat port-forwarding-entries 
===============================================================================
NAT port forwarding entries
===============================================================================
Subscriber
iRtr       iAddress                                prot iPort type              
oRtr       oAddress                          persist-id oPort expiry            
 
===============================================================================
100        1.2.3.4                                 tcp  666   classic-lsn-sub
Base       13.0.0.6                          N/A        666   N/A               
 
100        1.2.3.4                                 udp  666   classic-lsn-sub
Base       13.0.0.6                          N/A        666   N/A               
 
-------------------------------------------------------------------------------
No. of entries: 2
===============================================================================
*A:SR12_PPPOE# 
 
dual-stack-lite-subscribers
Syntax 
dual-stack-lite-subscribers subscriber dslite-sub-id
dual-stack-lite-subscribers [nat-policy nat-policy-name] [nat-group nat-group-id] [member [1..255]] [outside-router router-instance] [outside-ip outside-ip-address] [inside-ip-prefix ipv6-prefix]
Context 
show>router>nat
Description 
This command displays Dual Stack Lite subscriber information.
Parameters 
subscriber dslite-sub-id
Specifies the identification of LSN subscribers of a particular virtual router instance.
Values
dslite-sub-id: ipv6-address - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
nat-policy nat-policy-name
Specifies the NAT policy name up to 32 characters in length.
nat-group nat-group-id
Specifies the NAT group ID.
Values
1 — 4
member [1..255]
Identifies the member ID of a NAT ISA group.
outside-router router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip outside-ip-address
Specifies the outside IP address.
inside-ip-prefix ipv6-prefix
Specifies the inside IP address.
Sample Output
*A:SR12_PPPOE# show router 100 nat dual-stack-lite-subscribers 
===============================================================================
Large-Scale NAT subscribers
===============================================================================
Subscriber                       Policy                           Group/Member
  Outside IP                              Router                  Ports
-------------------------------------------------------------------------------
2001:470:1F00:FFFF::189
                                 priv-nat-policy                  3/2
  13.0.0.5                                Base                    504           
-------------------------------------------------------------------------------
No. of subscribers: 1
===============================================================================
*A:SR12_PPPOE#
l2-aware-blocks
Syntax 
l2-aware-blocks [outside-ip-prefix ip-prefix/length] [outside-port [1..65535]] [pool pool-name]
Context 
show>router>nat
Description 
This command displays Layer 2 aware NAT blocks.
Parameters 
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router nat l2-aware-blocks
===============================================================================
Layer-2-Aware NAT blocks for Base
===============================================================================
81.81.0.0 [32..33]
Pool 	: MyPool
Policy 	: outPolicy
Started 	: 2010/02/04 16:24:55
Subscriber ID 	: Sub001
81.81.0.0 [34..35]
Pool 	: MyPool
Policy 	: outPolicy
Started 	: 2010/02/04 16:25:24
Subscriber ID 	: Sub003
81.81.0.203 [32..41]
Pool 	: MyPool2
Policy 	: outPolicy2
Started	: 2010/02/04 16:25:21
Subscriber ID 	: Sub002
-------------------------------------------------------------------------------
Number of blocks: 3
===============================================================================
lsn-blocks
Syntax 
lsn-blocks [inside-router router-instance] [inside-ip ip-address] [outside-ip-prefix ip-prefix/length] [outside-port [1..65535]] [pool pool-name]
Context 
show>router>nat
Description 
This command displays large scale NAT blocks.
Parameters 
router-instance
Specifies the router instance name and service ID.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
ip-address
Specifies the IP address in a.b.c.d format.
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
*A:SR12_PPPOE>show>router>nat# show router Base nat lsn-blocks 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
13.0.0.5 [1024..1527]
Pool                                  : privpool
Policy                                : priv-nat-policy
Started                               : 2012/01/28 19:10:17
Inside router                         : vprn100
Inside IP address                     : 2001:470:1F00:FFFF::189
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
A:SR12_PPPOE#
lsn-hosts
Syntax 
lsn-hosts host ip-address
lsn-hosts [outside-router router-instance] [outside-ip ip-address] [inside-ip-prefix ip-prefix/mask]
Context 
show>router
Description 
This command displays large scale NAT hosts.
Parameters 
router-instance
Specifies the router instance name and service ID.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
ip-address
Specifies the IP address in a.b.c.d format.
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router 588 nat lsn-hosts
===============================================================================
Large-Scale NAT hosts for router 550
===============================================================================
Inside IP Out-Router Outside IP
-------------------------------------------------------------------------------
13.0.0.5 500 81.81.0.0
13.0.0.6 500 81.81.3.1
13.0.0.7 500 81.81.0.0
13.0.0.8 500 81.81.0.0
13.0.0.9 500 81.81.3.1
13.0.0.10 500 81.81.0.0
-------------------------------------------------------------------------------
No. of hosts: 6
===============================================================================
 
show router 558 nat lsn-hosts host 13.8.8.5
===============================================================================
Large-Scale NAT host details
===============================================================================
Policy : ls-outPolicy
ISA NAT group : 1
ISA NAT group member : 1
Outside router : vprn500
Outside IP : 81.81.0.0
ICMP Port usage (%) : < 1
ICMP Port usage high : false
UDP Port usage (%) : 2
UDP Port usage high : false
TCP Port usage (%) : < 1
TCP Port usage high : false
Session usage (%) : < 1
Session usage high : false
Number of sessions : 5
Number of reserved sessions : 0
Ports : 1432-1631
===============================================================================
pool
Syntax 
pool pool-name
pool
Context 
show>router>nat
Description 
This command displays NAT pool information.
Parameters 
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router nat pool
===============================================================================
NAT pools
===============================================================================
Pool NAT-group Type Admin-state
-------------------------------------------------------------------------------
MyPool 1 l2Aware inService
MyPool2 1 l2Aware inService
-------------------------------------------------------------------------------
No. of pools: 2
===============================================================================
 
 
*A:SR12_PPPOE>show>router>nat# show router "Base" nat pool "privpool" 
===============================================================================
NAT Pool privpool
===============================================================================
ISA NAT Group                         : 3
Pool type                             : largeScale
Admin state                           : inService
Mode                                  : auto (napt)
Port forwarding range                 : 1 - 1023
Port reservation                      : 128 blocks
Block usage High Watermark (%)        : (Not Specified)
Block usage Low Watermark (%)         : (Not Specified)
Subscriber limit per IP address       : 65535
Active                                : true
Last Mgmt Change                      : 01/28/2012 14:47:59
===============================================================================
NAT address ranges of pool privpool
===============================================================================
Range                                                          Drain Num-blk
-------------------------------------------------------------------------------
13.0.0.5 - 13.0.0.6                                                  1
-------------------------------------------------------------------------------
No. of ranges: 1
===============================================================================
NAT members of pool privpool ISA NAT group 3
===============================================================================
Member                                                        Block-Usage-% Hi
-------------------------------------------------------------------------------
1                                                             < 1           N
2                                                             < 1           N
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
summary
Syntax 
summary
Context 
show>router>nat
Description 
This command displays the NAT information summary.
Sample Output
*A:SR12_PPPOE>show>router>nat# show router Base nat summary 
===============================================================================
NAT pools
===============================================================================
Pool                             NAT-group  Type       Admin-state
-------------------------------------------------------------------------------
privpool                         3          largeScale inService
pubpool                          1          largeScale inService
-------------------------------------------------------------------------------
No. of pools: 2
===============================================================================
A:SR12_PPPOE#
 
NAT Tools Commands
nat-group
Syntax 
nat-group nat-group-id member [1..255] l2-aware-subscribers
nat-group nat-group-id member [1..255] statistics
Context 
clear>nat>isa
Description 
This command clears ISA nat-group commands related statistics or removes all the subscribers that are associated with a specific nat-group member
Parameters 
nat-group-id
Specifies the NAT group ID to clear.
Values
1 — 4
statistics
Specifies to clear the NAT group ID’s statistics.
l2-aware-subscribers
Specifies to clear the NAT group ID’s l2-aware subscribers.
 
NAT Tools Commands
nat
Syntax 
nat
Context 
tools>dump
tools>perform
Description 
This command enables the dump or perform tools for NAT.
isa
Syntax 
isa
Context 
tools>dump>nat
Description 
This command enables the dump tools for NAT ISA.
resources
Syntax 
resources mda mda-id
Context 
tools>dump>nat>isa
Description 
This command enables dump ISA resources for an MDA.
Sample Output
AR12_PPPOE# tools dump nat isa resources mda 3/1       
 
Resource Usage for Slot #3 Mda #1:
 
                                | Total        | Allocated    | Free
 -------------------------------+--------------+--------------+--------------
                          Flows |      6291456 |            0 |      6291456
                       Policies |          256 |            2 |          254
                    Port-ranges |      1310720 |          128 |      1310592
                          Ports |  12884901888 |            0 |  12884901888
                   IP-addresses |        65536 |            1 |        65535
              Large-scale hosts |       524288 |            0 |       524288
           L2-aware subscribers |        65536 |            0 |        65536
                 L2-aware hosts |        65536 |            0 |        65536
                 Delayed ICMP's |          200 |            0 |          200
                    ALG session |      1572864 |            0 |      1572864
                     LI entries |         8191 |            0 |         8191
        Upstream fragment lists |        16384 |            0 |        16384
      Downstream fragment lists |        16384 |            0 |        16384
        Upstream fragment holes |       131072 |            0 |       131072
      Downstream fragment holes |       131072 |            0 |       131072
         Upstream fragment bufs |        13824 |            0 |        13824
       Downstream fragment bufs |        13824 |            0 |        13824
           flow log dest. set 0 |            2 |            0 |            2
         flow log packets set 0 |           50 |            0 |           50
           flow log dest. set 1 |            2 |            0 |            2
         flow log packets set 1 |           50 |            0 |           50
           flow log dest. set 2 |            1 |            0 |            1
         flow log packets set 2 |           50 |            0 |           50
 
A:SR12_PPPOE#
sessions
Syntax 
sessions [nat-group nat-group-id] [mda mda-id] [protocol {icmp|tcp|udp}] [inside-ip ip-address] [inside-router router-instance] [inside-port port-number] [outside-ip ip-address] [outside-port port-number] [foreign-ip ip-address] [foreign-port port-number]
Context 
tools>dump>nat
Description 
This command dumps ISA sessions.
Sample Output
*A:SR12_PPPOE# tools dump nat sessions 
===============================================================================
Matched 2 sessions on Slot #3 MDA #1
===============================================================================
Owner               : LSN-Host@1.2.3.4
Router              : 100
FlowType            : UDP PortFwd       
Inside IP Addr      : 1.2.3.4           Inside Port         : 666              
Outside IP Addr     : 13.0.0.6          Outside Port        : 666              
Foreign IP Addr     : *                 Foreign Port        : *
Dest IP Addr        : *                 Dest Port           : *
-------------------------------------------------------------------------------
Owner               : LSN-Host@1.2.3.4
Router              : 100
FlowType            : TCP PortFwd       
Inside IP Addr      : 1.2.3.4           Inside Port         : 666              
Outside IP Addr     : 13.0.0.6          Outside Port        : 666              
Foreign IP Addr     : *                 Foreign Port        : *
Dest IP Addr        : *                 Dest Port           : *
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
Matched 1 session on Slot #3 MDA #2
===============================================================================
Owner               : LSN-Host@2001:470:1F00:FFFF::189
Router              : 100
FlowType            : TCP               Timeout (sec)       : 6769             
Inside IP Addr      : 138.203.16.218    Inside Port         : 41555            
Outside IP Addr     : 13.0.0.5          Outside Port        : 1529             
Foreign IP Addr     : 15.0.0.1          Foreign Port        : 22               
Dest IP Addr        : 15.0.0.1          Dest Port           : 22               
-------------------------------------------------------------------------------
===============================================================================
*A:SR12_PPPOE#
port-forwarding-action
Syntax 
port-forwarding-action
l2-aware
Syntax 
l2-aware create subscriber sub-ident-string ip ip-address protocol {tcp|udp} [port port] lifetime lifetime [outside-ip ip-address] [outside-port port]
l2-aware delete subscriber sub-ident-string ip ip-address protocol {tcp|udp} port port
l2-aware modify subscriber sub-ident-string ip ip-address protocol {tcp|udp} port port lifetime lifetime
Context 
tools>perform>nat>port-forwarding-action
Description 
This command Layer-2-Aware NAT port forwarding action
lsn
Syntax 
­lsn create router router-instance [b4 ipv6-address] [aftr ipv6-address] ip ip-address protocol {tcp|udp} [port port] lifetime lifetime [outside-ip ipv4-address] [outside-port port]
­lsn delete router router-instance [b4 ipv6-address] ip ip-address protocol {tcp|udp} port port
­lsn modify router router-instance [b4 ipv6-address] ip ip-address protocol {tcp|udp} port port lifetime lifetime
Context 
tools>perform>nat>port-forwarding-action
Description 
This command enables large-scale NAT port forwarding actions.
Sample Output
*A:SR12_PPPOE# tools perform nat port-forwarding-action  lsn create router 100 
ip 1.2.3.4 protocol tcp lifetime infinite outside-port 666 
*A:SR12_PPPOE# tools perform nat port-forwarding-action  lsn create router 100 
ip 1.2.3.4 protocol udp lifetime infinite outside-port 666 
*A:SR12_PPPOE# configure system persistence nat-port-forwarding location cf3: 
*A:SR12_PPPOE# tools dump persistence nat-port-forwarding 
----------------------------------------
Persistence Info
----------------------------------------
Client                : nat-fwds
File Info :
 Filename             : cf3:\nat_fwds.002
 File State           : CLOSED (Not enough space on disk)
Subsystem Info :
 Nbr Of Registrations : 524288
 Registrations In Use : 2
 Subsystem State      : NOK
*A:SR12_PPPOE#  
 
show+service+nat
|   |   |   +---l2-aware-hosts
|   |   |   +---l2-aware-subscribers
|   |   |   +---lsn-subscribers
|   |   |   +---nat-policy
|   |   |   +---pcp-server-policy
|   |   |   +---port-forwarding-entries
|   |   |   |   +---classic-lsn-sub
|   |   |   |   +---dslite-lsn-sub
|   |   |   |   +---l2-aware-sub
|   |   |   |   +---nat64-lsn-sub
 
NAT Filter Commands
action
Syntax 
action nat
no action
Context 
config>filter>ip-filter>entry
Description 
This command specifies packets matching the entry criteria will be subject to large-scale NAT.
 
 
 
 
 
1
Subscriber in LSN44 is equals to an inside IPv4 address, while in DS-Lite, the subscriber can be an IPv6 address or IPv6 prefix. If the subscriber-prefix-length command is set to 128, then the subscriber in DS-Lite is an IPv6 address. Otherwise it will be an IPv6 prefix with length in the range [32..64] as set by the subscriber-prefix-length command.