For feedback and comments:
documentation.feedback@alcatel-lucent.com

Table of Contents Previous Next PDF

Network Address Translation Configuration Commands
Generic Commands
description
Syntax
 
description description-string
no description
Context
 
config>service>vprn>nat>outside>pool>address-range
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool>address-range
config>router>nat>outside>pool
config>router>nat>inside>subscriber-id
config>service>ipfix>export-policy
config>aaa>isa-radius-plcy>servers>server
config>service>upnp>upnp-policy
Description
 
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of the command removes the string from the configuration.
Default
 
none
Parameters
 
string
The description character string. Allowed values are any string composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
shutdown
Syntax
 
[no] shutdown
Context
 
config>srevice>vprn>nat>outside>pool>address-range
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool>address-range
config>router>nat>outside>pool
config>router>nat>inside>dual-stack-lite
config>router>nat>inside>nat64
config>router>nat>inside>redundancy>subscriber-identification
config>service>vprn>nat>inside>nat64
configure>router>nat>inside>deterministic>prefix
config>router>nat>inside>subscriber-id
config>router>nat>outside>pool>redundancy
config>service>ipfix>export-policy
Description
 
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
ISA Configuration Commands
nat-group
Syntax
 
nat-group nat-group-id [create]
no nat-group nat-group-id
Context
 
config>isa
Description
 
This command configures an ISA NAT group.
active-mda-limit
Syntax
 
active-mda-limit number
no active-mda-limit
Context
 
config>isa>nat-group
Description
 
This command configures the number of active ISAs in active-standby ISA redundancy model for NAT. The active ISAs are automatically selected by the system and any the remaining ISA beyond the number of active limit will automatically assume the standby role. An ISA in the standby mode is idle until the failure of an active ISA occurs. Standby ISA can accept traffic from exactly one failed active ISA. Multiple standby ISAs can be configured in the system to protect against multiple simultaneous failures.
Once the active ISA fails, the standby ISA will start forwarding traffic. NAT translations from the failed ISA will have to be re-initiated by the clients and consequently setup on the newly active ISA.
In order for this commands to take effect, the intra-chassis redundancy mode must be set to active-standby (config>isa>nat-group>redundancy active-stanby).
Default
 
none
Parameters
 
number
Specifies the active MDA limit.
Values
1 — 14
failed-mda-limit
Syntax
 
failed-mda-limit [1..2]
no failed-mda-limit
Context
 
config>isa>nat-group
Description
 
This command configures the maximum number of supported simultaneously failures
in active-active intra-chassis NAT redundancy model. Traffic from the failed ISAs is distributed over the remaining ISA in the system. Memory resources are reserved in every ISA to accommodate new mappings from the failed ISA. However, bandwidth is not reserved and each ISA operates at max speed in all conditions (with failure or without the failure).
NAT translations are no preserved across switchovers and consequently they will have to be re-initiated by the clients.
In order for this commands to take effect, the intra-chassis redundancy mode must be set to active-active (config>isa>nat-group>redundancy active-active).
Default
 
none
Parameters
 
number
Specifies the number of simultaneous ISA failures supported in active-active intra-chassis NAT redundancy model.
Values
1 — 2
mda
Syntax
 
[no] mda mda-id
Context
 
config>isa>nat-group
Description
 
This command configures an ISA NAT group MDA.
Parameters
 
mda-id
Specifies the MDA ID in the slot/mda format.
Values
slot: 1 — 10
mda: 1 — 2
radius-accounting-policy
Syntax
 
radius-accounting-policy nat-accounting-policy
no radius-accounting-policy
Context
 
config>isa>nat-group
Description
 
This command specifies the RADIUS accounting policy to use for each MDA in this ISA group.
The no form of the command removes the policy ID from the configuration.
Default
 
none
Parameters
 
nat-accounting-policy
Reference to the nat-accounting-policy which defines:
Source IP addresses that will be assigned to BB-ISA cards.
Parameters related to RADIUS server itself .
List of RADIUS attributes that will be included in accounting messages.
redundancy
Syntax
y
redundancy {active-active|active-standby}
no redundancy
Context
 
config>isa>nat-group
Description
 
This command configures intra-chassis redundancy mode for NAT.
Default
 
none
Parameters
 
active-active
Specifies the intra-chassis redundancy active-active mode of operation of this NAT ISA group.
active-standby
Specifies the intra-chassis redundancy active-standby mode of operation of this NAT ISA group.
session-limits
Syntax
 
session-limits
Context
 
config>isa>nat-group
config>service>nat
Description
 
This command configures the ISA NAT group session limits.
reserved
Syntax
 
reserved num-sessions
no reserved
Context
 
config>isa>nat-group>session-limits
config>service>nat
Description
 
This command configures the number of sessions per block that will be reserved for prioritized sessions.
Parameters
 
num-sessions
Specifies the number of sessions reserved for prioritized sessions.
Values
0 — 4194303
watermarks
Syntax
 
watermarks high percentage low percentage
no watermarks
Context
 
config>isa>nat-group>session-limits
config>service>nat
Description
 
This command configures the ISA NAT group watermarks.
high percentage
Specifies the high watermark of the number of sessions for each MDA in this NAT ISA group.
Values
1— 100
low percentage
Specifies the low watermark of the number of sessions for each MDA in this NAT ISA group.
Values
0— 99
 
NAT Configuration Commands
nat
Syntax
 
[no] nat
Context
 
config>service>vprn
config>router
Description
 
This command configures, creates or deletes a NAT instance.
deterministic-script
Syntax
 
deterministic-script
Context
 
config>service>nat
Description
 
This command configures the script generated for deterministic NAT.
location
Syntax
 
location remote-url
no location
Context
 
config>service>nat>>deterministic-script
Description
 
This command configures the remote location where the Python script will be exported. The Python script is then used offline to perform reverse query. If this command is configured, the Python script generation is triggered by any modification of the deterministic NAT configuration. The new script reflects the change in mappings caused by configuration change. However, the script must be manually exported to the outside location with the admin nat save-determinisitic-nat command. The script cannot be stored locally on the system.
The script allows two forms of queries:
Forward - input is NAT inside parameters, output is NAT outside parameters.
Backward – input is NAT outside parameters, output is NAT inside parameters.
Forward Query:
user@external-server:/home/ftp/pub/det-nat-script$ ./det-nat.py -f -s 10 -a 20.0.5.10
output:
subscriber has public ip address 85.0.0.1 from service 0 and is using ports [1324 - 1353]
 
Reverse Query:
user@external-server:/home/ftp/pub/det-nat-script$./det-nat.py -b -s 0 -a 85.0.0.1 -p 3020
 
output:
subscriber has private ip address 20.0.5.66 from service 10
Default
 
none
Parameters
 
remote-url
A remote location where the script is stored:
[{ftp://|tftp://}<login>:<pswd>@ <remote-locn>/][<file-path>]
Maximum length is 180 characters.
inside
Syntax
 
inside
Context
 
config>service>vprn>nat
config>router>nat
Description
 
This command enters the “inside” contex to configure the inside NAT instance.
outside
Syntax
 
outside
Context
 
config>service>vprn>nat
config>router>nat
Description
 
This command enters the “outside” context to configure the outside NAT instance.
downstream-ip-filter
Syntax
 
downstream-ip-filter filter-id
no downstream-ip-filter
Context
 
config>router>nat>outside
config>service>vprn>nat>outside
Description
 
This command specifies a filter to apply to the downstream traffic after routing in the the outside virtual router instance and before the NAT function; it is useful for traffic that bypasses the egress filters applied in the inside virtual router instance, such as DSLite traffic.
The no form of the command removes the filter from the configuration.
Parameters
 
filter-id
Specifies a filter up to 64 characters in length.
downstream-ipv6-filter
Syntax
 
downstream-ipv6-filter filter-id
no downstream-ipv6-filter
Context
 
config>router>nat>outside
config>service>vprn>nat>outside
Description
 
This command configures the ipv6-filter for downstream traffic. This filter is applied to downstream traffic after it leaves the outside virtual router instance but before the NAT function is applied. This is useful for shared v6 filters that apply to all v6 DSM hosts.
The no form of the command removes the filter from the configuration.
Default
 
no downstream-ipv6-filter
Parameters
 
filter-id
Specifies an IPv6 filter up to 64 characters in length.
mtu
Syntax
 
mtu [512..9000]
no mtu
Context
 
config>service>vprn>nat>outside
Description
 
This command configures the Maximum Transmission Unit ( MTU) for downstream traffic flowing through this router (as outside NAT router). The system fragments IP datagrams exceeding the MTU.
The no form of the command reverts to the default.
Default
 
0
Parameters
 
[512..9000]
Specifies the MTU for downstream traffic.
destination-prefix
Syntax
 
[no] destination-prefix ip-prefix/length
Context
 
config>service>vprn>nat>inside
config>router>nat>inside
Description
 
This command configures a destination prefix. An (internal) static route will be created for this prefix. All traffic that hits this route will be subject to NAT. The system will not allow a destination-prefix to be configured if the configured nat-policy refers to an IP pool that resides in the same service (as this would result in a routing loop).
Parameters
 
ip-prefix
Specifies the IP prefix; host bits must be zero (0).
Values
a.b.c.d
length
Specifies the prefix length.
Values
0 — 32
deterministic
Syntax
 
deterministic
Context
 
config>service>vprn>nat>inside
configure>router>nat>inside
Description
 
This command enables the context to configure deterministic NAT.
classic-lsn-max-subscriber-limit
Syntax
 
classic-lsn-max-subscriber-limit max
no classic-lsn-max-subscriber-limit
Context
 
config>service>vprn>nat>inside>deterministic
configure>router>nat>inside>deterministic
Description
 
This command affects ingress hashing of the subscribers for deterministic NAT. It will also affect hashing of the subscribers for non-deterministic NAT if the both types of NAT are configured simultaneously. The hashing will ensure that traffic load is distributed over multiple MS-ISAs in the system. For deterministic LSN44, (32 – n) bits of the source IP address will be considered for hashing, where 2^n= classic-lsn-max-subscriber-limit.
The scope of this command is the inside routing instance. This command must match the largest subscriber limit of all pools that are referenced by nat-policies configured within the corresponding inside routing instance.
This parameter must be configured before any prefix is configured and can be modified only if there are no prefixes configured under the deterministic NAT CLI hierarchy.
If non-deterministic NAT is not used simultaneously with deterministic NAT within a routing context, then hashing for non-deterministic NAT will be performed based on the subscriber.
Default
 
none
Parameters
 
max
The power of 2 (2^n) number that must match the largest subscriber limit number in a deterministic pool referenced from this inside routing instance. The range for this command is the same as the subscriber-limit command under the pool hierarchy.
dslite-max-subscriber-limit
Syntax
 
dslite-max-subscriber-limit max
no dslite-max-subscriber-limit
Context
 
config>service>vprn>nat>inside>dslite
configure>router>nat>inside>dslite
configure>router>nat>inside>deterministic
Description
 
This command sets the value for the number of high order bits of the source IPv6 address that will be considered as DS-Lite subscriber. The remaining bits of the source IPv6 address will be masked off, effectively aggregation all IPv6 source addresses under the configured prefix length into a single DS-Lite subscriber. Source IPv4 addresses/ports of the traffic carried within the DS-Lite subscriber will be translated into a single outside IPv4 address and the corresponding deterministic port-block (port-blocks can be extended).
The range of values for subscriber-prefix-length in non-deterministic DS-Lite is limited from 32 to 64 (a prefix will be considered as a DS-Lite subscriber) or it can be set to a value of 128 (the source IPv6 address is considered as a DS-Lite subscriber).
In cases where deterministic DS-Lite is enabled in a giver inside routing context, the range of values of the subscriber-prefix-length depends on the value of dslite-max-subscriber-limit parameter as follows:
subscriber-prefix-length – n = [32..64,128]
where n = log2(dslite-max-subscriber-limit)
[or in an alternate form: dslite-max-subscriber-limit = 2^n.]
In other words the largest prefix length for the deterministic DS-lite subscriber will be 32+n, where n = log2(dslite-max-subscriber-limit). The subscriber prefix length can extend up to 64 bits. Beyond 64 bits for the subscriber prefix length, there only one value is allowed: 128. In the case n must be 0, which means that the mapping between B4 elements (or IPv6 address) and the IPv4 outside addresses is in 1:1 ratio (no sharing of outside IPv4 addresses).
This parameter can be changed only when there are no deterministic prefixes configured in the same routing context.
Default
128
Parameters
 
max
In non-deterministic DS-Lite this value can be 32 — 64,128 , assuming that the deterministic DS-Lite is not concurrently enabled in the same inside routing context.
In case that deterministic DS-Lite is enabled, this value can be within the range [(32+n)..64,128] where n = log2(dslite-max-subscriber-limit). The value of 128 is allowed only when n=0 (each subscriber is mapped to a single outside IPv4 IP address).
prefix
Syntax
 
prefix ip-prefix/length subscriber-type nat-sub-type nat-policy nat-policy-name [create]
prefix p-prefix/length subscriber-type nat-sub-type
no prefix ip-prefix/length subscriber-type nat-sub-type
Context
 
config>service>vprn>nat>inside>deterministic
configure>router>nat>inside>deterministic
Description
 
This command is applicable only to deterministic NAT (LSN44 or DS-Lite). It configures prefixes on the inside and their association with outside deterministic pools via the nat-policy. Subscribers within the prefix will be deterministically mapped to outside IP addresses and corresponding port-ranges in the associated pool.
Multiple prefixes within an inside routing instance can be defined and they can reference different nat-policies (and therefore outside pools and routing instances). Moreover, prefixes from multiple routing instances can share the same deterministic pool.
Non-deterministic NAT can be used simultaneously with deterministic NAT within the s ame inside routing instance. However, they cannot share the same pool.
Prefixes can be added/removed under the condition that the associated deterministic pool is in a ‘no shutdown’ mode.
Removing a prefix or modifying the map statement under it requires that the prefix be in a ‘shutdown’ mode.
The subscribers under the prefix are mapped deterministically into the outside IPv4 addresses and port ranges. Note that the subscribers in LSN44 are the IPv4 addresses under the configured prefix, while in DS-Lite the subscribers are IPv6 source addresses that fall under the configured prefix OR IPv6 sub-prefixes whose length is determined by the DS-Lite subscriber-prefix-length command.
Default
 
no prefix
Parameters
 
ip-prefix/length
A prefix on the inside encompassing subscribers that will be deterministically mapped to an outside IP address and port block in the corresponding pool.
Values
<ip-prefix/ip-pref*> <ipv4-prefix>/<ipv4-prefix-length> |
<ipv6-prefix>/<ipv6-prefix-length>
<ipv4-prefix> a.b.c.d (host bits must be 0)
<ipv4-prefix-length> [0..32]
<ipv6-prefix> x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
<ipv6-prefix-length> : [0..128]
<nat-sub-type> : classic-lsn-sub|dslite-lsn-sub
<nat-policy-name> Reference to a nat-policy that points to an outside pool and outside routing instance up to 32 characters in length.
map
Syntax
 
map start inside-ip-address end inside-ip-address to outside-ip-address
no map start inside-ip-address end inside-ip-address
Context
 
config>service>vprn>nat>inside>deterministic>prefix
configure>router>nat>inside>deterministic>prefix
Description
 
This command is applicable to prefixes in deterministic NAT (LSN44 and DS-Lite). Its purpose is to split the number of subscribers within the configured prefix over available sequence of outside IP addresses.
There are several rules guiding the usage of the map statement:
If the number of subscribers1 per configured prefix is greater than the subscriber-limit per outside IP parameter (2^n), then the lowest n bits of the map start <inside-addr-start> must be set to 0.
If the number of subscribers per configured prefix is equal or less than the subscriber-limit per outside IP parameter (2^n), then only one map command for this prefix is allowed. In this case there is no restriction on the lower n bits of the map start <inside-ip-addres>. The range of the inside IP addresses in such map statement represents the prefix itself.
<outside-ip-address> in the map statements must be unique amongst all map statements referencing the same pool. In other words, two map statements cannot reference the same <outside-ip-address> in a pool.
To modify map statements, the corresponding prefix must be in a shutdown mode.
Map statements can be configured automatically by the system, as soon as the prefix is enabled (no shutdown state) or they can be configured manually by the operator while the prefix is disabled.
The following is an example of the map statement for the LSN44 case:
The subscriber-limit in the pool is 128
The pool has an address range 128.251.0.1 - 128.251.0.10
The prefix is 10.0.0.0/24
The map statement is configured as:
map start 10.0.0.0 end 10.0.0.255 to 128.251.0.1
Since each outside IP address can accommodate only 128 hosts, the subscribers (IPv4 addresses in LSN44) from the 10.0.0.0/24 prefix will be split and mapped into two outside IP addresses
10.0.0.0 – 10.0.0.127 (10.0.0.0/25) - 128.251.0.1
10.0.0.128 – 10.0.0.255 (10.0.0.128/25) - 128.251.0.2
The first IP address range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP address range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.
For Deterministic DS-Lite, the example would be:
Tthe subscriber-limit in the pool is 128
The pool has an address range 128.251.0.1 - 128.251.0.10
The prefix is 2001:DB8::/56
The subscriber-prefix-length = 64
The map statement is configured as:
map start 2001:BD8::/64 end 2001:BD8::FF:0:0:0:0/64 to 128.251.0.1
There are 256 DS-Lite subscribers within the 2001:DB8::/56 prefix. Each subscriber will be a /64 IPv6 prefix as dictated by the subscriber-prefix-length command.
Since each outside IP address can accommodate only 128 hosts, the subscribers from the 2001:DB8::/56 prefix will be split and mapped into two outside IP addresses
2001:DB8:: – 2001:DB8:0:7F:: (2001:DB8::/57) - 128.251.0.1
2001:DB8:0:80:: – 2001:DB8:0:FF::(2001:DB8:0:FF::/57) - 128.251.0.2
The first IP prefix range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP prefix range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.
Default
 
By default, the system will automatically divide the prefix and create the map statements when the prefix command is enabled (no shutdown). However, this automatic map provisioning can be overruled by manual configuration.
Parameters
 
inside-ip-start
Start IPv4/v6 address or IPv6 prefix on the inside.
inside-ip-end
End IPv4/v6 address or IPv6 prefix on the inside. The number of subscribers (range of inside IPv4 addresses in LSN44 or IPv6 addresses or prefixes in DS-Lite) in the map statement does not have to be a power of 2. Rather it has to be a multiple of a power of two  m * 2^n, where m is the number of consecutive outside IP addresses to which the subscribers are mapped and the 2^n is the subscriber-limit per outside IP.
outside-ip-start
The first outside IPv4 address in the pool to which the subscribers are mapped. In case that the number of subscribers in the map statement is larger than the subscriber-limit for the outside-ip address, the consecutive outside IP addresses will be used for additional mappings. Those additional (consecutive) outside IP addresses are not shown in the map statement (only the first address is shown in the map statement).
dual-stack-lite
Syntax
 
dual-stack-lite
Context
 
config>service>vprn>nat>inside
config>router>nat>inside
Description
 
This command enables the context to configure Dual Stack Lite parameters.
In order for the ds-lite feature to work, the ingress traffic (the IPv6 traffic that has to go to the NAT) must come from an IOM-3. If an IOM-2 is used, the IPv6 packet with destination the NAT will be dropped and an ICMP packet will be sent back.
address
Syntax
 
[no] address ipv6-address
Context
 
config>router>nat>inside>dual-stack-lite
config>service>vprn>nat>inside>dual-stack-lite
Description
 
This command configures the IP address of the NAT redundancy peer in the realm of this virtual router instance.
subscriber-prefix-length
Syntax
 
subscriber-prefix-length prefix-length
no subscriber-prefix-length
Context
 
config>router>nat>inside>dual-stack-lite
Description
 
This command sets the value for the number of high order bits of the source IPv6 address that will be considered as DS-Lite subscriber. The remaining bits of the source IPv6 address will be masked off, effectively aggregation all IPv6 source addresses under the configured prefix length into a single DS-Lite subscriber. Source IPv4 addresses/ports of the traffic carried within the DS-Lite subscriber will be translated into a single outside IPv4 address and the corresponding deterministic port-block (port-blocks can be extended).
The range of values for subscriber-prefix-length in non-deterministic DS-Lite is limited from 32 to 64 (a prefix will be considered as a DS-Lite subscriber) or it can be set to a value of 128 (the source IPv6 address is considered as a DS-Lite subscriber).
In cases where deterministic DS-Lite is enabled in a giver inside routing context, the range of values of the subscriber-prefix-length depends on the value of dslite-max-subscriber-limit parameter as follows:
subscriber-prefix-length – n = [32..64,128]
where n = log2(dslite-max-subscriber-limit)
[or in an alternate form: dslite-max-subscriber-limit = 2^n.]
In other words the largest prefix length for the deterministic DS-lite subscriber will be 32+n, where n = log2(dslite-max-subscriber-limit). The subscriber prefix length can extend up to 64 bits. Beyond 64 bits for the subscriber prefix length, there only one value is allowed: 128. In the case n must be 0, which means that the mapping between B4 elements (or IPv6 address) and the IPv4 outside addresses is in 1:1 ratio (no sharing of outside IPv4 addresses).
This parameter can be changed only when there are no deterministic prefixes configured in the same routing context.
The no form of the command reverts to the default.
Default
 
128
Parameters
 
prefix-length
In non-deterministic DS-Lite this value can be [32..64,128], assuming that the deterministic DS-Lite is not concurrently enabled in the same inside routing context. In case that deterministic DS-Lite is enabled, this value can be within the range [(32+n)..64,128] where n = log2(dslite-max-subscriber-limit). The value of 128 is allowed only when n=0 (each subscriber is mapped to a single outside IPv4 IP address).
Values
32 — 64
ip-fragmentation
Syntax
 
ip-fragmentation {disabled|fragment-ipv6|fragment-ipv6-unless-ipv4-df-set}
no ip-fragmentation
Context
 
configure>router>nat>inside>dslite>address
configure>router>nat>inside>>nat64
configure>service>vprn>nat>inside>nat64
configure>service>vprn>nat>inside>dslite>address
Description
 
This command configures downstream IPv6 fragmentation behavior in DS-lite and NAT64. IPv6 fragmentation is performed in the ISA. IPv4 fragmentation is not affected by this command. If desired, downstream IPv4 packet can be fragmented in the carrier IOM before the packet reaches ISA (and the NAT function). The IPv4 fragmentation in the downstream direction can be set by the configure>router/vprn>nat>outside>mtu command
DS-Lite IPv6 Fragmentation in Downstream Direction (IPv4 to IPv6)
In case that the length of the received IPv4 packet is larger than the configured tunnel-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented (IPv4 is tunneled within IPv6). The maximum size of the of the fragmented IPv6 packet will be 48bytes larger than the configured tunnel-mtu value. This is due to the size of the tunneling IPv6 header: 40bytes basic IPv6 header + 8 bytes of extended fragmentation IPv6 header.
In case that fragmentation is not allowed while the IPv4 packet size is larger than configured tunnel-mtu size, the IPv4 packet will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to configured tunnel-mtu value.
NAT64 IPv6 Fragmentation in Downstream Direction (IPv4to IPv6)
In contrast to DS-lite, NAT64 transport is not based on tunneling. Instead, IP headers are translated between IPv4 and IPv6. Consequently, NAT64 fragmentation operates based on the ipv6-mtu, as opposed to tunnel-mtu in DS-lite which represents the size of the tunnel payload (IPv4 packet).
In case that the length of the translated IPv6 packet exceeds the size of the configured ipv6-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented. The maximum size of the of the fragmented IPv6 packet will be the configured ipv6-mtu value.
In case that fragmentation is not allowed while the translated IPv6 packet size is larger than configured ipv6-mtu size, the IPv4 packet (that is supposed to be translated into IPv6) will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to the ipv6-mtu value minus 28bytes. The 28bytes comes from the size of the IPv6 overhead of the translated packet (20bytes difference between the IP header sizes  40bytes in IPv6 vs 20bytes in IPv4; 8 bytes for extended IPv6 fragmentation header).
Default
 
disabled
Parameters
 
disabled
IPv6 Fragmentation is disabled. In case that the packet size is larger
than what is set by the mtu value (tunnel-mtu or ipv6-mtu) , the IPv4 packet will be dropped and ICPMv4 Datagram Too Big messages will be sent back to the source.
fragment-ipv6
IPv6 fragmentation will be performed in all cases, regardless of the DF bit setting in the tunneled/translated IPv4 packet.
fragment-ipv6-unless-ipv4-df-set
IPv6 Fragmentation will be performed only in cases when DF bit in tunneled/translated IPv4 packet is cleared.
tunnel-mtu
Syntax
 
tunnel-mtu mtu-bytes
no tunnel-mtu
Context
 
config>router>nat>inside>dual-stack-lit>address
config>service>vprn>nat>inside>dual-stack-lite
Description
 
This command sets the size of the payload in IPv6 packet in downstream DS-lite direction. The payload is, in essence, the tunneled IPv4 packet.
l2-aware
Syntax
 
l2-aware
Context
 
config>router>nat>inside
Description
 
This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.
address
Syntax
 
[no] address ip-address/mask
Context
 
config>router>nat>inside
Description
 
This command configures the IP address and mask of the subnet.
The no form of the command removes the IP address and prefix length from the configuration.
Default
 
none
Parameters
 
ip-address/mask
Specifies the IP address and maskof the subnet.
Values
ip-address: a.b.c.d
mask: 16 — 32
nat64
Syntax
 
[no] nat64
Context
 
config>service>vprn>inside
Description
 
This command enables the context to configure NAT64.
The no form of the command disables NAT64.
drop-zero-ipv4-checksum
Syntax
 
[no] drop-zero-ipv4-checksum
Context
 
config>service>vprn>inside>nat64
Description
 
This command specifies if UDP datagrams with zero IPv4 checksum are dropped.
If this command is disabled, the system calculates the IPv6 checksum for each such datagram.
ignore-tos
Syntax
 
[no] ignore-tos
Context
 
config>service>vprn>inside>nat64
Description
 
This command specifies if the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.
If this command is disabled, the system copies the IPv4 TOS into the IPv6 traffic class.
Default
 
disabled
insert-ipv6-fragment-header
Syntax
 
[no] insert-ipv6-fragment-header
Context
 
config>service>vprn>inside>nat64
Description
 
This command specifies if the system always inserts an IPv6 fragment header, to indicate that the sender allows fragmentation.
The no form of the command does not allow the system to insert an IPv6 fragment header.
Default
 
disabled
l2-aware
Syntax
 
l2-aware
Context
 
config>services>vprn>nat>inside
Description
 
This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.
address
Syntax
 
[no] address ip-address/mask
Context
 
config>services>vprn>nat>inside>l2-aware
Description
 
This command configures a Layer 2-aware NAT address. This address will act as a local address of the system. Hosts connected to the inside service will be able to ARP for this address. To verify connectivity, a host can also ping the address. This address is typically used as next hop of the default route of a Layer 2-aware host. The given mask defines a Layer 2-aware subnet. The (inside) IP address used by anLayer 2-aware host must match one of the subnets defined here or it will be rejected.
Parameters
 
ip-address
Specifies the IP address in a.b.c.d format.
mask
Specifies the mask.
Values
16 — 32
nat-policy
Syntax
 
nat-policy nat-policy-name
no nat-policy
Context
 
config>services>vprn>nat>inside
config>router>nat>inside
Description
 
This command configures the NAT policy that will be used for large-scale NAT in this service.
The no form of the command removes the policy name from the configuration.
Parameters
 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat64
Syntax
 
|[no] nat64
Context
 
config>service>vprn>nat>inside
config>router>nat>inside
Description
 
This command enables the context to configure NAT64 parameters.
The no form of the command disables NAT64.
drop-zero-ipv4-checksum
Syntax
 
[no] drop-zero-ipv4-checksum
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command enables the NAT64 node to drop received UDP datagrams with zero IPv4 checksum. By default, checksum is re-calculated for non-fragmented datagrams.
The no form of the command disabales the command.
Default
 
disabled
ignore-tos
Syntax
 
[no] ignore-tos
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command specifies whether the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.
When disabled, the system copies the IPv4 TOS into the IPv6 traffic class.
The no form of the command recognizes the IPv4 Type Of Service (TOS).
Default
 
disabled
insert-ipv6-fragment-header
Syntax
 
[no] insert-ipv6-fragment-header
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command specifies whether the NAT64 node will insert IPv6 fragment header to IPv6 packets for which the DF bit is not set in the corresponding IPv4 packet, and is not already a fragment.
The no form of the command disables the insertion.
Default
 
disabled
ipv6-mtu
Syntax
 
ipv6-mtu [1280..9212]
no ipv6-mtu
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command sets the size of the IPv6 downstream packet in NAT64. This packet is translated from IPv4.
The no form of the command reverts to the default.
Default
 
11520
Parameters
 
[1280..9212]
Specifies the IPv6 MTU.
Values
1280 — 9212
prefix
Syntax
 
prefix ipv6-prefix/prefix-length
no prefix
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command configures the IPv6 prefix used to derive the IPv6 address from the IPv4 address, and is same as the prefix used by DNS64 to generate AAAA record returned for IPv4 endpoint resolution. NAT64 node announces this prefix in routing to attract traffic from IPv6 hosts. If the prefix is not configured, then a well known prefix, 64:FF9B::/96, is used.
The no form of the command removes the prefix from the NAT64 configuration.
Parameters
 
ipv6-prefix/prefix-length
Specifies the NAT64 destination prefix.
Values
ipv6-prefix: x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
prefix-length 32, 40, 48, 56, 64, 96
set-tos
Syntax
 
set-tos [0..255]
no set-tos
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command specifies the value of the IPv4 Type Of Service (TOS) field. When enabled, the NAT64 node ignores IPv6 traffic-class and sets IPv4 TOS to supplied tos-value in the translated IPv4 packet.
The no form of the command reverts to the default.
Default
 
0
Parameters
 
[0..255]
Sets the IPv4 TOS to a fixed value the IPv6 Traffic Class and set the IPv4 TOS to a fixed value and ignores the IPv6 traffic class.
subscriber-prefix-length
Syntax
 
subscriber-prefix-length prefix-length
no subscriber-prefix-length
Context
 
config>service>vprn>nat>inside>nat64
config>router>nat>inside>nat64
Description
 
This command specifies the IPv6 address prefix length to be used for the NAT64 subscribers in this virtual router instance.
The no form of the command
Default
 
128
Parameters
 
prefix-length
Specifies the subscriber identification for Large Scale NAT.
Values
32 — 64
redundancy
Syntax
 
redundancy
Context
 
config>router>nat>inside
config>service>vprn>nat>inside
Description
 
This command enables the context to configure redundancy parameters.
peer
Syntax
 
peer ipv4-address
no peer
Context
 
config>router>nat>inside>redundancy
config>service>vprn>nat>inside>redundancy
Description
 
This command is used in LSN44 multi-chassis redundancy in conjunction with filters. The configuredpeer address is an IPv4 address that is configured under an interface on the peering LSN44 node (active or standby). This IPv4 interface address is advertized via routing on the inside in order to attract traffic from the standby to the active LSN44 node.
If configured, the steering-route will be advertized only from the active LSN44 node. Consequently, upstream traffic for LSN44 will be attracted to the active LSN44 node. The nat action in the ipv4-filter on the active LSN44 node will forward traffic to the local MS-ISA where LSN44 function is performed. However, in that case that upstream traffic somehow arrives on the standby LSN44 node, the nat action in the IPv4-filter will forward traffic to the peer address (active LSN44 node).
The no form of the command removes the peer ipv4-address from the configuration.
Default
 
none
Parameters
 
ipv4-address
Specifies the IP address of the NAT redundancy peer.
Values
ipv4-address: a.b.c.d
peer6
Syntax
 
peer6 ipv6-address
no peer6
Context
 
config>router>nat>inside>redundancy
config>service>vprn>nat>inside>redundancy
Description
 
This command is used in NAT64 multi-chassis redundancy in conjunction with filters. The configured peer6 address is an IPv6 address configured under an interface on the peering NAT64 node (active or standby). This IPv6 interface address is advertized via routing on the inside in order to attract traffic from the standby to the active NAT64 node.
Under normal circumstances, the NAT64 prefix will be advertized only from the active NAT64 node. Consequently, upstream traffic for NAT64 will be attracted to the active NAT64 node. The nat action in the ipv6-filter on the active NAT64 node will forward traffic to the local MS-ISA where NAT64 function is performed. However, in that case that upstream traffic somehow arrives on the standby NAT64 node, the nat action in the IPv6-filter will forward traffic to the peer6 address (active NAT64 node).
The no form of the command removes the peer6 ip-address from the configuration.
Default
 
none
Parameters
 
ipv6-address
Specifies the IPv6 address of the NAT redundancy peer.
Values
ipv6-address: ipv6-address - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
steering-route
Syntax
 
steering-route ip-prefix/length
no steering-route
Context
 
config>router>nat>inside>redundancy
config>service>vprn>nat>inside>redundancy
Description
 
This command is optionally used in LSN44 multi-chassis redundancy when filters are used on the inside to send traffic destined for the LSN44 function to MS-ISA, where NAT is performed.
If configured, the steering-route is advertized only from the active LSN44 node: the purpose is to bring the LSN44 node activity awareness to downstream routers. In this fashion, downstream routers can make a more intelligent decision when forwarding traffic in the upstream direction. Based on the steering-route, traffic can be sent directly towards the active LSN44 node. This route avoids an extra forwarding hop which would ensue in the case without LSN44 activity awareness, where the upstream traffic can be forwarded to the standby LSN44 node and then to the active LSN44 node.
LSN44 node activity (active/stanby) is evaluated per isa-group based on monitoring routes advertized on the outside.
The no form of the command removes the ip-prefix/length from the configuration.
Default
 
none
Parameters
 
ip-prefix/length
Specifies the IP address and length of the steering route.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
subscriber-identification
Syntax
 
subscriber-identification
Context
 
config>router>nat>inside
Description
 
This command enables the context to configure subscriber identification for Large Scale NAT.
attribute
Syntax
 
attribute [vendor vendor-id] attribute-type attribute-type
no attribute
Context
 
config>router>nat>inside>subscriber-id
configure>service>vprn>nat>inside>subscriber-identification
Description
 
This command defines the attribute that will in addition to framed-ip-address (inside IP address) and service-id be used for correlating BNG subscriber with the NAT subscriber.
Only a single attribute at the time can be configured. The attribute will be extracted from the BNG accounting start and/or interim-update messages via Radius accounting proxy server. This attribute can be then optionally passed to the Large Scale NAT44 accounting server. User-name attribute (if included) in Large Scale NAT44 accounting messages will be automatically set to the subscriber-id string.
The attribute parameter can be changed at any given time and the change will be reflected automatically when the next interim-update message from the BNG host is received by Radius accounting proxy.
In case that the BNG accounting message in RADIUS accounting proxy does not contain this attribute, subscriber aware Large Scale NAT44 functionality for this particular subscriber will be disabled.
Default
 
attribute vendor "alu" attribute-type "alc-sub-string"
Parameters
 
vendor vendor-id
specifies the RADIUS vendor ID.
Values
standard, alu, 3gpp
Default
alu
attribute-type attribute-type
Specifies the RADIUS attribute to be used as subscriber. identifier
Values
alc-sub-string (alu) — Subscriber-id string (Alc-Subsc-ID-Str) is cached in Large Scale NAT44 application and used to correlate Large Scale NAT44 subscriber to BNG subscriber.
user-name (stnd) — User-Name standard Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.
class (stnd) — Class standard Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber. Class attribute is initially set and send by Radius server. As such it must be echoed by BNG in all accounting messages.
station-id (stnd) — Calling-Station-Id Radius attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.
imsi (3gpp) — International Mobile Subscriber Identification is used in WiFI Offload applications as a SIM card identifier.
imei (3gpp) — International Mobile Equipment Identification is used in WiFI Offload applications as a physical phone device identifier.
drop-unidentified-traffic
Syntax
 
[no] drop-unidentified-traffic
Context
 
config>router>nat>inside>subscriber-id
Description
 
When this command denies address translation to subscribers that have not been identified via accounting messages sent by BNG and received by Radius accounting proxy. This command has effect only in Subscriber Aware Application.
Default
 
no drop-unidentified-traffic
radius-proxy-server
Syntax
 
radius-proxy-server router router-instance name server-name
no radius-proxy-server
Context
 
config>router>nat>inside>subscriber-id
configure>service>vprn>nat>inside>subscriber-identification
Description
 
This command configures RADIUS proxy server parameters. This is a reference to a RADIUS accounting proxy server in Subscriber Aware Large Scale NAT44 application. RADIUS accounting proxy server will cache attributes related to a BNG subscriber as they are received in standard accounting messages (RFC 2866). Radius accounting proxy server can be configured in any routing instance within 7750 SR.
Default
 
none
Parameters
 
router router-instance
Specifies the routing instance in which the RADIUS accounting proxy is configured.
name server-name
Specifies the name reference to the RADIUS accounting proxy server that is instantiated in 7750 SR.
mtu
Syntax
 
mtu [512..9000]
no mtu
Context
 
config>router>nat>outside
Description
 
This command configures the MTU for downstream traffic flowing through this router (as outside NAT router). The system fragments IP datagrams exceeding the MTU.
Default
 
none
Parameters
 
[512..9000]
Specifies the MTU for downstream traffic.
pool
Syntax
 
pool nat-pool-name [nat-group nat-group-id type pool-type [applications applications] create]
no pool nat-pool-name
Context
 
config>service>vprn>nat>outside
config>router>nat>outside
Description
 
This command creates a NAT pool in the outside routing context. The nat pool defines the parameters that will be used for IP address and port translation within the pool.
Default
 
none
Parameters
 
nat-pool-name
Specifies the NAT pool name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
create
This parameter must be specified to create the instance.
pool-type
Species the pool type, either large-scale or L2-aware.
applications applications
This creation-time parameter configures the nat-pool for protocol agnostic operation. The IP addresses are translated in 1:1 fashion regardless of the protocol. No ports are translated for TCP or UDP traffic. Traffic through the pool can be initiated from inside or outside. When nat-pool is configured in agnostic mode, certain parameters in the pool are pre-set and cannot be changed:
mode one-to-one
no port-forward-range
no port-reservation
subscriber-limit 1
deterministic port-reservation 65536.
This pool is used to configure static 1:1 NAT, where the operator have the control of the mapping between the inside and outside IP addresses. The static IP address mapping is using CLI constructs used in deterministic NAT (prefix and map deterministic NAT commands in the inside routing context).
ALG for TCP/UDP are supported in protocol agnostic pool.
Values
agnostic
address-range
Syntax
 
address-range start-ip-address end-ip-address [create]
no address-range start-ip-address end-ip-address
Context
 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description
 
This command configures a NAT address range.
Parameters
 
start-ip-address
Specifies the beginning IP address in a.b.c.d form.
end-ip-address
Specifies the ending IP address in a.b.c.d. form.
create
This parameter must be specified to create the instance.
drain
Syntax
 
[no] drain
Context
 
config>service>vprn>nat>outside>pool>address-range
config>router>nat>outside>pool>address-range
Description
 
This command starts or stops draining this NAT address range. When an address-range is being drained, it will not be used to serve new hosts. Existing hosts, however, will still be able to use the address that was assigned to them even if it is being drained.An address-range can only be deleted if the parent pool is shut down or if the range itself is effectively drained (no hosts are using the addresses anymore).
mode
Syntax
 
mode {auto | napt | one-to-one}
no mode
Context
 
config>router>nat>outside>pool
Description
 
This command specifies the mode of operation of this NAT address pool.
The no form of the command reverts to the default.
Default
 
auto
Parameters
 
{auto | napt | one-to-one}
Specifies the mode of operation of this NAT pool.
port-forwarding-range
Syntax
 
port-forwarding-range range-end
no port-forwarding-range
Context
 
config>router>nat>outside>pool>address-range
Description
 
This command configures the end of the port range available for port forwarding. The start of the range is always equal to one.
Note that the number of ports that can be configured is half of the available block => 64512 : 2 = 32256
In combination with port-forwarding-range the formulas are:
"max port-reservation blocks" = 65535 - "port-forwarding-range"
"max port-reservation ports" = (65535 - "port-forwarding-range") / 2
with:
the default min value for "port-forwarding-range" = 1023
Also, the same applies for max port-forwarding-range if the port-reservation is already configured:
"max port-forwarding-range" = 65535 - "port-reservation blocks"
"max port-forwarding-range" = 65535 - ("port-reservation ports" * 2)
The no form of the command reverts to the default.
Default
 
1023
Parameters
 
range-end
Pecifies the end of the port range available for port forwarding.
Values
1023 — 65535
deterministic
Syntax
 
deterministic
Context
 
config>service>vprn>nat>outside>pool
Description
 
This command configures deterministic NAT for this pool
port-reservation
Syntax
 
port-reservation num-ports
no port-reservation
Context
 
config>service>vprn>nat>outside>pool>deterministic
Description
 
This command is applicable only to deterministic NAT. It configures the number of deterministic ports per subscriber (for example a subscriber is an inside IP address in LSN44 or IPv6 address or prefix in DS-lite). Once this command is enabled, the pool will transition into deterministic mode of operation. This means that the subscribers can use dynamic port-blocks in the pool only as a mean to expand the range of originally assigned deterministic ports. A pool with such property is referred to as deterministic pool. However, deterministic NAT and non-deterministic NAT cannot use the same pool simultaneously.
All subscribers in deterministic pool are pre-mapped during the configuration phase to outside IP addresses and deterministic port-blocks. Because of this, the deterministic pool cannot be oversubscribed with subscribers (first-come, first-served).
Once the deterministic pool becomes operational (no shutdown) a log is created. The same applies if the pool is disabled (shutdown). As a result of this ’one time’ logging, there will be no additional logging when a subscriber starts using ports from the pre-assigned deterministic port block. This drastically reduces the logging overhead. However, when a deterministic port block is expanded by a dynamic port block, a log will be created on any allocation/de-allocation of the dynamic port block. The logs are also created for static port forwards (including PCP).
The number of subscribers per outside IP address (subscriber-limit) multiplied by the number of deterministic ports per subscriber (port-reservation) will determine the port range of an outside IP address that will be dedicated to deterministic mappings. The number of subscribers per outside IP address in deterministic NAT must be power of 2 (2^n). Once the deterministic ports are allocated, the dynamic ports are carved out of the remaining port space of the same outside IP address according to the existing port-reservation command under the same hierarchy,
Parameters
 
num-ports
Specifies the number of ports in a deterministic port block that is allocated and dedicated to a single subscribers during the configuration phase.
Values
1 — 65535
port-reservation
Syntax
 
port-reservation blocks num-blocks
port-reservation ports num-ports
no port-reservation
Context
 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description
 
This command configures the size of the port-block that will be assigned to a host that is served by this pool. The number of ports configured here will be available to UDP, TCP and ICMP (as identifiers).
Parameters
 
blocks num-blocks
Specifies the number of port-blocks per IP address. Setting num-blocks to one (1) for large scale NAT will enable 1:1 NAT for IP addresses in this pool.
Values
1 — 65535
ports num-ports
Specifies the number of ports per block.
Values
1 — 32256
mode
Syntax
 
mode {auto|napt|one-to-one}
no mode
Context
 
config>service>vprn>nat>outside>pool
Description
 
This command configures the mode of operation of this NAT pool.
Parameters
 
napt
Specifies NAPT (Network Address Port Translation)
auto
The system selects the actual mode based upon other configuration parameters; the actual mode can be NAPT or 1:1 NAT (also known as 'Basic NAT').
oneToOne
Indicates 1:1 NAT (also known as 'Basic NAT')
port-forwarding-dyn-block-reservation
Syntax
 
[no] port-forwarding-dyn-block-reservation
Context
 
configure>service>vprn>nat>outside>pool
configure>service>router>nat>outside>pool
Description
 
This command will enable the reservation of the dynamic port blocks when the first port forward for the subscriber is created. The dynamic port bloc allocation is logged only if the block is being utilized (mapping are created). In other words, dynamic port block reservation due to the port forward creation but without any dynamic mapping, will not be logged.
The reserved port block will be released only when the last mapping in the block expires AND there is not port forward associated with the subscriber. The de-allocation log (syslog or Radius) will be generated when the dynamic port block is completely released.
Dynamic port block reservation can be enabled only if the configured maximum number of subscriber per outside IP address is less or equal then the maximum number of configured port blocks per outside IP address.
Default
 
port-forwarding-dyn-block-reservation
port-forwarding-range
Syntax
 
port-forwarding-range range-end
no port-forwarding-range
Context
 
config>service>vprn>nat>outside>pool
Description
 
This command specifies the end of the port range available for port forwarding. The start of the range is always equal to one.
Parameters
 
range-end
Specifies the port forwarding range end.
Values
1023 — 65535
redundancy
Syntax
 
redundancy
Context
 
config>router>nat>outside>pool
Description
 
This command enables the context to configure NAT pool redundancy parameters.
export
Syntax
 
export ip-prefix/length
no export
Context
 
config>router>nat>outside>pool>redundancy
Description
 
This command configures the route to export to the peer. While the export prefix is configured and the value of the object tmnxNatPlLsnRedActive is equal to true, the system exports this prefix in the realm of the virtual router instance associated with this pool; to the NAT redundancy peer, the presence of this prefix is an indication that the Large Scale NAT function in this virtual router instance is active; hence, the export prefix of this system is the monitor prefix of the peer.
The export prefix must be different from the monitor prefix.
Parameters
 
ip-prefix/length
Specifies the IP address and length of the prefix to be exported.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
follow
Syntax
 
follow router router-instance pool name
no follow
Context
 
configure>service>vprn>nat>outside>pool>redundancy
configure>router> nat>outside>pool>redundancy
Description
 
This command implicitly enables Pool Fate-Sharing Group (PFSG) which is required in case of multiple NAT policies per inside routing context. A NAT pool configured with this command will not advertize or monitor any route in order to change its (activity) state but instead it will directly follow the state of the lead pool in the PFSG. Once the lead pool changes its (activity) state, all the remaining pools following the lead pool will change their state accordingly.
Default
 
no follow
Parameters
 
router router-instance
Specifies the routing instance where the lead pool resides.
Values
<router-name>|<service-id>
router-name - "Base"
service-id - [1..2147483647]
pool name
The pool whose activity state is being shared up to 32 characters in length.
monitor
Syntax
 
monitor ip-prefix/length
no monitor
Context
 
config>router>nat>outside>pool>redundancy
Description
 
This command configures the IP address of the prefix to be monitored.
While the monitor prefix is configured, the system monitors the presence of this prefix in the routing table of the virtual router instance associated with this pool; the presence of this prefix is an indication that the NAT redundancy peer is active; the monitor prefix of this system is the export prefix of the peer.
The monitor prefix must be different from the export prefix.
Parameters
 
ip-prefix/length
Specifies the peer route to monitor.
Values
ip-prefix: a.b.c.d
ip-prefix-length: 0 — 32
subscriber-limit
Syntax
 
subscriber-limit [1..65535]
no subscriber-limit
Context
 
config>service>vprn>nat>outside
config>nat>outside>pool
Description
 
This command configures the maximum number of subscribers per outside IP address. In case multiple port blocks per subscriber are used, the block size is typically small; all blocks assigned to a given subscriber belong to the same IP address; the subscriber limit guarantees that any subscriber can get a mimimum number of ports.
Default
 
65535
Parameters
 
limit
Specify the maximum number of subscribers per IP address.
Values
1 — 65535
watermarks
Syntax
 
watermarks high percentage-high low percentage-low
no watermarks
Context
 
config>service>vprn>nat>outside>pool
config>router>nat>outside>pool
Description
 
This command configures the watermarks for this NAT pool.
Parameters
 
high percentage-high
Specifies the high percentage.
Values
1 — 100
low percentage-low
Specifies the low percentage.
Values
0 — 99
upstream-ip-filter
Syntax
 
upstream-ip-filter filter-id
no upstream-ip-filter
Context
 
config>service>vprn>nat>outside
config>router>nat>outside
Description
 
This command configures the ip-filter for upstream traffic. This filter is applied to the upstream traffic after the NAT function and before it enters the outside virtual router instance; it is useful for traffic that bypasses the ingress filters applied in the inside virtual router instance, such as DSLite traffic.
Default
 
none
Parameters
 
filter-id
Specifies the identifier of an IP filter.
upstream-ipv6-filter
Syntax
 
upstream-ipv6-filter filter-id
no upstream-ipv6-filter
Context
 
config>router>nat>outside
config>service>vprn>nat>outside
Description
 
This command configures the ipv6-filter for upstream traffic. This filter is applied to the upstream traffic after the NAT function and before it enters the outside virtual router instance. This is useful for shared v6 filters that apply to all v6 DSM hosts.
Default
 
no upstream-ipv6-filter
Parameters
 
filter-id
Specifies the identifier of an ipv6-filter.
NAT Service Configuration Commands
nat-policy
Syntax
 
nat-policy nat-policy-name [create]
no nat-policy nat-policy-name
Context
 
config>service>nat
Description
 
This commmand configures a NAT policy.
Parameters
 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
alg
Syntax
 
alg
Context
 
config>service>nat
Description
 
This command enables the context to configure Application Level Gateway parameters of this policy.
ftp
Syntax
 
[no] ftp
Context
 
config>service>nat>alg
Description
 
This command enables FTP ALG.
The no form of the command disables FTP ALG.
Default
 
ftp
pptp
Syntax
 
[no] pptp
Context
 
config>service>nat>alg
Description
 
This command enables PPTP application-level gateway (ALG).
The call-id is captured in the outgoing call management messages and along with the source IP address and the source TCP, is translated by NAT. Once the PPTP call is established, the call-id in the associated GRE packet in the incoming direction (from outside to inside) is correspondingly translated so that it matches the call-id mapping established during the call establishment phase. The call-ids used in the mappings are selected randomly and they try to honor parity (odds/even).
A PPTP session can be initiated only from the inside of NAT.
GRE traffic is allowed through NAT only if the corresponding mapping exists. This mapping is created during the call negotiation phase.
There can be seven calls (GRE tunnels) per control session.
Default
 
disabled
rtsp
Syntax
 
[no] rtsp
Context
 
config>service>nat>alg
Description
 
This command enables RTSP ALG.
The no form of the command disables RTSP ALG.
Default
 
no rtsp
sip
Syntax
 
[no] sip
Context
 
config>service>nat>alg
Description
 
This command enables SIP ALG.
The no form of the command disables SIP ALG.
Default
 
no sip
block-limit
Syntax
 
block-limit [1..40]
no block-limit
Context
 
config>service>nat>alg
Description
 
This command configures the maximum number of port blocks per subscriber.
The no form of the command reverts to the default.
Default
 
1
filtering
Syntax
 
filtering filtering-mode
no filtering
Context
 
config>service>nat>nat-policy
Description
 
This command configures the filtering of the NAT policy.
Parameters
 
filtering-mode
Specifies the way that inbound traffic is filtered.
Values
address-and-port-dependent | endpoint-independent
ipfix-export-policy
Syntax
 
ipfix-export-policy [32 chars max]
no ipfix-export-policy
Context
 
config>service>nat>nat-policy
Description
 
This command configures the IP flow information export protocol.
The no form of the command removes the
pool
Syntax
 
pool nat-pool-name service-name service-name
pool nat-pool-name router router-instance
no pool
Context
 
config>service>nat>nat-policy
Description
 
This command configures the NAT pool of this policy.
Parameters
 
nat-pool-name
Specifies the name of the NAT pool.
Values
32 chars max
router-instance
Specifies the router instance the pool belongs to, either by router name or service ID.
Values
router-name: “Base” | “management”
Default
Base
Values
1 — 2147483648
svc-name — a string up to 64 characters in length.
service-name
Specifies the name of the service.
Values
64 chars max
port-limits
Syntax
 
port-limits
Context
 
config>service>nat>nat-policy
Description
 
This command configures the port limits of this policy.
forwarding
Syntax
 
forwarding limit
no forwarding
Context
 
config>service>nat>nat-policy>port-limits
Description
 
This command configures the maximum number of port forwarding entries.
Parameters
 
limit
Specifies the maximum number of port forwarding entries per subscriber.
Default
0
reserved
Syntax
 
reserved num-ports
no reserved
Context
 
config>service>nat>nat-policy>port-limits
Description
 
This command configures the number of ports per block that will be reserved for prioritized sessions.
Parameters
 
num-ports
Specifies the number of ports to reserve for prioritized sessions.
Values
1 — 65534
watermarks
Syntax
 
watermarks high percentage-high low percentage-low
no watermarks
Context
 
config>service>nat>nat-policy port-limits
Description
 
This command configures the port usage watermarks for the NAT policy.
Parameters
 
percentage-high
Specifies the high percentage.
Values
1 — 100
percentage-low
Specifies the low percentage.
Values
0 — 99
priority-sessions
Syntax
 
[no] priority-sessions
Context
 
config>service>nat>nat-policy
Description
 
This command configures the prioritized sessions of this NAT policy.
fc
Syntax
 
[no] fc fc-name
Context
 
config>service>nat>nat-policy>priority-sessions
Description
 
This command configures the forwarding classes that have their sessions prioritized.
Parameters
 
fc-name
Specifies the forwarding class.
Values
be | l2 | af | l1 | h2 | ef | h1 | nc
max
Syntax
 
max num-sessions
no max
Context
 
config>service>nat>nat-policy>session-limits
Description
 
This command configures the session limit of this policy. The session limit is the maximum number of sessions allowed for a subscriber associated with this policy
Parameters
 
num-sessions
Specifies the session limit.
Values
1 — 65535
tcp-mss-adjust
Syntax
 
tcp-mss-adjust segment-size
no tcp-mss-adjust
Context
 
config>service>nat>nat-policy
Description
 
This command configures the value to adjust the TCP Maximum Segment Size (MSS) option.
The no form of the command returns the segment size to the default.
Default
 
0
Parameters
 
segment-size
specifies the value to put into the TCP Maximum Segment Size (MSS) option if not already present, or if the present value is higher.
Values
0, 160 — 10240
timeouts
Syntax
 
[no] timeouts
Context
 
config>service>nat>nat-policy
Description
 
This command configures session idle timeouts for this policy.
icmp-query
Syntax
 
icmp-query [min minutes] [sec seconds]
no icmp-query
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the timeout applied to an ICMP query session.
Parameters
 
min minutes
Specifies the timeout, in minutes, applied to an ICMP query session
Values
1 — 4
Default
1
sec seconds
Specifies the timeout, in seconds, applied to an ICMP query session
Values
1 — 59
sip
Syntax
 
sip min minutes] [sec seconds]
no sip
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the SIP inactive media timeout.
Parameters
 
min minutes
Specifies the SIP inactive media timeout, in minutes.
Values
1 — 4
Default
1
sec seconds
Specifies the SIP inactive media timeout, in seconds.
Values
1 — 59
subscriber-retention
Syntax
 
subscriber-retention [hrs hours] [min minutes]
no subscriber-retention
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command specifies the subscriber retention timeout, the time a NAT subscriber and its associated IP address is kept after all hosts and associated port blocks have expired.
If a NAT subscriber host appears before the retention timeout has elapsed, it will be given the same outside IP address.
Parameters
 
hrs hours
Configures the hours a subscribers’s IP address is kept after all hosts and port blocks have expired.
Values
1 — 24
min minutes
Configures the minutes a subscribers’s IP address is kept after all hosts and port blocks have expired.
Values
1 — 59
icmp-query
Syntax
 
icmp-query [min minutes] [sec seconds]
no icmp
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the timeout applied to an ICMP query session.
Parameters
 
minutes
Specifies the timeout in minutes.
Values
1 — 4
seconds
Specifies the timeout in seconds.
Values
1 — 59
tcp-established
Syntax
 
tcp-established [hrs hours] [min minutes] [sec seconds]
no tcp-established
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the idle timeout applied to a TCP session in the established state.
Parameters
 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-syn
Syntax
 
tcp-syn [hrs hours] [min minutes] [sec seconds]
no tcp-syn
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the timeout applied to a TCP session in the SYN state.
Parameters
 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-time-wait
Syntax
 
tcp-time-wait [min minutes] [sec seconds]
no tcp-time-wait
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the timeout applied to a TCP session in a time-wait state.
Parameters
 
minutes
Specifies the timeout minutes field.
Values
1 — 4
seconds
Specifies the timeout seconds field.
Values
1 — 59
tcp-transitory
Syntax
 
tcp-transitory [hrs hours] [min minutes] [sec seconds]
no tcp-transitory
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the idle timeout applied to a TCP session in a transitory state.
Parameters
 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp
Syntax
 
udp [hrs hours] [min minutes] [sec seconds]
no udp
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the UDP mapping timeout.
Parameters
 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-dns
Syntax
 
udp-dns [hrs hours] [min minutes] [sec seconds]
no udp-dns
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the timeout applied to a UDP session with destination port 53.
Parameters
 
hours
Specifies the timeout hours field.
Values
1 — 24
minutes
Specifies the timeout minutes field.
Values
1 — 59
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-initial
Syntax
 
udp-initial [min minutes] [sec seconds]
no udp-initial
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command configures the UDP mapping timeout applied to new sessions.
Parameters
 
minutes
Specifies the timeout minutes field.
Values
1 — 4
seconds
Specifies the timeout seconds field.
Values
1 — 59
udp-inbound-refresh
Syntax
 
[no] udp-inbound-refresh
Context
 
config>service>nat>nat-policy>timeouts
Description
 
This command specifies the NAT inbound refresh behavior.
Default
 
disabled
pcp-server-policy
Syntax
 
pcp-server-policy name [create]
no pcp-server-policy name
Context
 
config>service>nat
Description
 
This command configures a a PCP server policy name.
The no form of the command removes the name from the configuration.
Parameters
 
name
Specifies a PCP server policy name up to 32 characters in length.
lifetime
Syntax
 
lifetime minimum [60..86399] maximum [61..86400]
no lifetime
Context
 
config>service>nat>pcp-server-policy
Description
 
This command configures the lifetime of explicit mappings made by the PCP servers.
Parameters
 
minimum [60..86399]
Specifies the minimum lifetime of explicit mappings made by the PCP servers using this PCP policy, in seconds.
maximum [61..86400]
Specifies the maximum lifetime of explicit mappings made by the PCP servers using this PCP policym in seconds.
max-description-size
Syntax
 
max-description-size size
no max-description-size
Context
 
config>service>nat>pcp-server-policy
Description
 
This command specifies the maximum length of mapping descriptions made by the PCP servers using this PCP policy.
Default
 
64
Parameters
 
size
Specifies the maximum length of mapping descriptions made by the PCP servers.
Values
1 — 64
opcode
Syntax
 
[no] opcode
Context
 
config>service>nat>pcp-server-policy
Description
 
This command specifies the PCP opcodes supported by the PCP servers using this PCP policy.
 
announce
Syntax
 
[no] announce
Context
 
config>service>nat>pcp-server-policy>opcode
Description
 
This command enables/disables support for the announce opcode.
get
Syntax
 
[no] get
Context
 
config>service>nat>pcp-server-policy>opcode
Description
 
This command enables/disables support for the get opcode.
map
Syntax
 
[no] map
Context
 
config>service>nat>pcp-server-policy>opcode
Description
 
This command enables/disables support for the map opcode.
option
Syntax
 
[no] option
Context
 
config>service>nat>pcp-server-policy
Description
 
This command configures the PCP options supported by the PCP servers using this PCP policy..
description
Syntax
 
[no] description
Context
 
config>service>nat>pcp-server-policy>option
Description
 
This command enables/disables support for the description option.
next
Syntax
 
[no] next
Context
 
config>service>nat>pcp-server-policy>option
Description
 
This command enables/disables support for the next option
port-reservation
Syntax
 
[no] port-reservation
Context
 
config>service>nat>pcp-server-policy>option
Description
 
This command enables/disables support for the port-reservation option
prefer-failure
Syntax
 
[no] prefer-failure
Context
 
config>service>nat>pcp-server-policy>option
Description
 
This command enables/disables support for the prefer-failure option
third-party
Syntax
 
[no] third-party
Context
 
config>service>nat>pcp-server-policy>option
Description
 
This command enables/disables support for the third-party option
version
Syntax
 
version minimum [1..255] maximum [1..255]
no version
Context
 
config>service>nat>pcp-server-policy
Description
 
This command configures the accepted protocol version range.
Parameters
 
minimum [1..255]
specifies the minimum protocol version supported by the PCP servers using this PCP policy.
Default
1
maximum [1..255]
specifies the maximum protocol version supported by the PCP servers using this PCP policy.
Values
1
 
IPFlow Information Export Protocol Commands
ipfix
Syntax
 
ipfix
Context
 
config>service
Description
 
This command enables the context to configure IPFIX parameters.
ipfix-export-policy
Syntax
 
ipfix-export-policy policy-name [create]
no ipfix-export-policy policy-name
Context
 
config>service>ipfix
Description
 
This command creates an IPFIX export policy with a set of transport parameters that will be used to transmit IPFIX records generated by an application within 7750 SR node to an external collector node. This policy name can be referenced from each application within 7750 SR that requires flow logging.
Default
 
none
Parameters
 
policy-name
Specifies the name of the policy that can be referenced within an application in 7750 SR node that requires flow logging.
collector
Syntax
 
collector router router-instance ip ip-address [create]
no collector router router-instance ip ip-address
Context
 
config>service>ipfix>export-policy
Description
 
This command defines an external collector node that will collect IPFIX records sent by 7750 SR node. The IPFIX records will be streamed to the collector node using UDP transport. Traffic is originated from a random ephemeral UDP port to the destination port 4739. Up to two collector nodes can be defined for redundancy purposes.
UDP streams are stateless due to the significant volume of transactions. However they do contain 32bit sequence numbers such that packet loss can be identified.
Multiple IPFIX records are sent in a single UDP packet. UDP packet transmission is triggered when the packet size containing IPFIX records exceeds the configured MTU value or the internal timer which is set to 250ms, whichever occurs first.
Default
 
none
Parameters
 
router router-instance
Router instance from which the collector node is reachable.
Values
<router-name>|<service-id>
router-name: "Base"
service-id : 1 — 2147483647
ip ip-address
IPv4 address of the external collector node to which IPFIX records will be sent.
mtu
Syntax
 
mtu [512..9212]
no mtu
Context
 
config>service>ipfix>export-policy
Description
 
This command sets the MTU size of the UDP packet containing IPFIX records destined for the collector node. Multiple records will be stuffed into a single IP packet until stuffing an additional data record would exceed MTU or the internal timer of 250ms expires.
Default
 
1500
Parameters
 
[512..9212]
Specifies the the Maximum Transmission Unit range.
source-address
Syntax
 
source-address ip-address
no source-address
Context
 
config>service>ipfix>export-policy
Description
 
This command configures the source address from which UDP streams containing IPFIX flow records will be sourced.
Default
 
none
Parameters
 
ip-address
Source IPv4 address from which UDP streams are sent.
template-refresh-timeout
Syntax
 
template-refresh-timeout [hrs hours] [min minutes] [sec seconds]
no template-refresh-timeout
Context
 
config>service>ipfix>export-policy
Description
 
This command configures the time interval in which Template Set messages are sent to the collector node. Template sets is an IPFIX message that defines fields for subsequent IPFIX messages but contains no data of its own. In other words, IPFIX data is NOT passed as set of TLVs, but instead data is encoded with a scheme defined through the Template Set message.
Default
 
10 minutes
Parameters
 
hrs hours
Specifies the time interval, in hours, after which IPFIX templates are resent to this collector.
Values
1 — 24
min minutes
Specifies the time interval, in minutes, after which IPFIX templates are resent to this collector.
Values
1 — 59
sec seconds
Specifies the time interval, in seconds, after which IPFIX templates are resent to this collector.
Values
1 — 59
 
AAA Policy Commands
isa-radius-policy
Syntax
 
isa-radius-policy name [create]
no isa-radius-policy name
Context
 
config>aaa
Description
 
This command creates a policy template related to transport of accounting messages from the BB-ISA card to the accounting server. It also defines accounting attributes that will be included in accounting messages. The policy template will be instantiated once it is applied to the BB-ISA cards in the nat-group.
The no form of the command removes the policy name from the configuration.
Default
 
none
Parameters
 
name
Specifies the name of the ISA RADIUS policy that can be referenced by a NAT application.
acct-include-attributes
Syntax
 
[no] acct-include-attributes
Context
 
config>aaa>isa-radius-plcy
Description
 
This command configures attributes to be included in RADIUS accounting messages.
auth-include-attributes
Syntax
 
auth-include-attributes
Context
 
config>aaa>isa-radius-plcy
Description
 
This command configures attributes to be included in RADIUS authentication messages.
acct-delay-time
Syntax
 
[no] acct-delay-time
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
 
acct-trigger-reason
Syntax
 
[no] acct-trigger-reason
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
 
called-station-id
Syntax
 
[no] called-station-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command includes called station id attributes.
The no form of the command excludes called station id attributes.
calling-station-id
Syntax
 
[no] calling-station-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the inclusion of the calling-station-id attribute in RADIUS authentication requests and RADIUS accounting messages.
Default
 
no calling-station-id
circuit-id
Syntax
 
[no] circuit-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attribributes
Description
 
This command enables the generation of the agent-circuit-id for RADIUS.
dhcp-options
Syntax
 
[no] dhcp-options
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables insertion of RADIUS VSA containing all dhcp-options from dhcp-discover (or dhcp-request) message. The VSA contains all dhcp-options in a form of the string. If required (the total length of all dhcp-options exceeds 255B), multiple VSAs are included.
Default
 
no dhcp-options
dhcp-vendor-class-id
Syntax
 
[no] dhcp-vendor-class-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command includes the “[26-6527-36] Alc-DHCP-Vendor-Class-Id” attribute in RADIUS accounting messages. The content of the DHCP Vendor-Class-Identifier option (60) is mapped in this attribute.
Default
 
no dhcp-vendor-class-id
dhcp6-options
Syntax
 
[no] dhcp6-options
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
If a DHCPv6 stack is active for a UE, this attribute defines if options received in the last DHCPv6 message should be reflected.
Default
 
no alc-dhcp6-options
dhcp6-options
Syntax
 
[no] dhcp6-options
Context
 
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
If authentication was triggered by DHCPv6, this knob defines if options received in that DHCPv6 message should be reflected in the radius Access-Request.
Default
 
no alc-dhcp6-options
ipv6-address
Syntax
 
[no] ipv6-address
Context
 
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This attribute defines if the ipv6 address of the UE is present during authentication if the datatrigger packet is IPv6.
Default
 
no ipv6-address
ipv6-address
Syntax
 
[no] ipv6-address
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
If an active IA_NA lease exists, this attribute defines if the IA_NA address of the UE is present in accounting.
Default
 
no ipv6-address
include-radius-attribute
Syntax
 
[no] include-radius-attribute
Context
 
config>aaa>nat-accounting-policy
Description
 
This command enables the context to specify the RADIUS parameters that the system should include into RADIUS authentication-request messages.
frame-counters
Syntax
 
[no] frame-counters
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command includes the frame-counters attribute.
The no form of the command excludes frame-counters attribute.
framed-ip-addr
Syntax
 
[no] framed-ip-addr
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the inclusion of the framed-ip-addr attribute.
The no form of the command excludes called framed-ip-addr attributes.
framed-ip-netmask
Syntax
 
[no] framed-ip-netmask
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the framed-ip-netmask attribute.
The no form of the command disables the inclusion.
framed-ipv6-prefix
Syntax
 
[no] framed-ipv6-prefix
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
If an active SLAAC lease exists, this attribute defines if the SLAAC prefix of the UE is present in accounting..
Default
 
no framed-ipv6-prefix
hardware-timestamp
Syntax
 
[no] hardware-timestamp
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the hardware timestamp attributes.
The no form of the command excludes the hardware timestamp attributes.
inside-service-id
Syntax
 
[no] inside-service-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the NAT inside service ID attributes.
The no form of the command excludes NAT inside service ID attributes.
mac-address
Syntax
 
[no] mac-address
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the generation of the client MAC address RADIUS attribute.
multi-session-id
Syntax
 
[no] multi-session-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the multi-session-id attributes.
The no form of the command excludes the multi-session-id attributes.
nas-identifier
Syntax
 
[no] nas-identifier
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the inclusion of the NAS-Identifier attributes.
The no form of the command excludes NAS-Identifier attributes.
nas-ip-address-origin
Syntax
 
nas-ip-address-origin {isa-ip|system-ip}
no nas-ip-address-origin
Context
 
config>aaa>isa-radius-plcy
Description
 
This command specifies the RADIUS NAS-IP-Address attribute.
The no form of the command reverts to the default.
Default
 
systemip
Parameters
 
systemip
Specifies that the value of the object TIMETRA-VRTR-MIB::vRiaIpAddress.1.1.1 is used.
isaip
Specifies that a value in the range specified by tmnxRadIsaPlcySrvSrcAddrStart and tmnxRadIsaPlcySrvSrcAddrEnd is used that corresponds to the ISA card that transmits the Access-Request packet or the Accounting-Request packet.
nas-port-id
Syntax
 
[no] nas-port-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the generation of the nas-port-id RADIUS attribute. Optionally, the value of this attribute (the SAP-id) can be prefixed by a fixed string and suffixed by the circuit-id or the remote-id of the client connection. If a suffix is configured, but no corresponding data is available, the suffix used will be 0/0/0/0/0/0.
nas-port-type
Syntax
 
[no] nas-port-type
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This commmand enables the generation of the NAS-Port-Type RADIUS attribute
The no form of the command disables the generation.
nat-subscriber-string
Syntax
 
[no] nat-subscriber-string
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the NAT subscriber string attributes.
The no form of the command excludes NAT subscriber string attributes.
octet-counters
Syntax
 
[no] octet-counters
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the octet-counters attributes.
The no form of the command excludes octet-counters attributes.
outside-ip
Syntax
 
[no] outside-ip
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the outside IP attributes.
The no form of the command excludes outside IP attributes.
outside-service-id
Syntax
 
[no] outside-service-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the NAT outside service ID attributes.
The no form of the command excludes NAT outside service ID attributes.
port-range-block
Syntax
 
[no] port-range-block
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the NAT port range block attributes.
The no form of the command excludes NAT port range block attributes.
release-reason
Syntax
 
[no] release-reason
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the release reason attributes.
The no form of the command excludes release reason attributes.
remote-id
Syntax
 
[no] remote-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables the sending of remote ID option. The client DHCP Unique Identifier (DUID) is used as the remote ID.
The no form of the command disables the sending of remote ID option relay packet.
wifi-ssid-vlan
Syntax
 
[no] wifi-ssid-vlan
Context
 
config>aaa>isa-radius-plcy>auth-include-attributes
Description
 
This command enables including the per-SSID VLAN ID in Alc-Wlan-SSID-VLAN.
password
password password [hash|hash2]
no password
Context
 
config>aaa>isa-radius-plcy
Description
 
This command specifies the password that is used in the RADIUS access requests.It shall be specified as a string of up to 32 characters in length.
The no form of the command resets the password to its default of ALU and will be stored using hash/hash2 encryption.
Default
 
ALU
Parameters
 
password
Specifies a password string up to 32 characters in length.
hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
session-time
Syntax
 
[no] session-time
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of the session-time attributes.
The no form of the command excludes session-time attributes.
subscriber-data
Syntax
 
[no] subscriber-data
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of subscriber data attributes.
The no form of the command excludes subscriber data attributes.
subscriber-id
Syntax
 
[no] subscriber-id
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command specifies that subscriber ID attributes should be included into RADIUS accounting messages.
ue-creation-type
Syntax
 
[no] ue-creation-type
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables including the Alc-Wlan-Ue-Creation-Type.
user-name
Syntax
 
[no] user-name
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables the inclusion of user name attributes.
The no form of the command excludes user name attributes.
wifi-rssi
Syntax
 
[no] wifi-rssi
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables including the Alc-RSSI.
wifi-ssid-vlan
Syntax
 
[no] wifi-ssid-vlan
Context
 
config>aaa>isa-radius-plcy>acct-include-attributes
Description
 
This command enables including the per-SSID VLAN ID in the Alc-Wlan-SSID-VLAN.
acct-update-triggers
Syntax
 
acct-update-triggers
Context
 
config>aaa>isa-radius-plcy
Description
 
This command enables the context to enable or disable the sending of triggered interim-updates, with the exception of the following:
After an update interval change, an interim update is always sent to indicate the start of the new interval.
Mobility-triggered updates are configured in the (service vprn <svc-id>|router) wlan-gw mobility-triggered-acct context.
NAT port block allocation depends on the inclusion of NAT-related attributes (port-range, outside-service, outside-ip).
address-state
Syntax
 
[no] address-state
Context
 
config>aaa>isa-radius-plcy>acct-update-triggers
Description
 
If enabled, an interim-update will be sent for a DSM UE whenever a DHCP, SLAAC or DHCPv6 address gets allocated or freed.
Default
 
no address-state
radius-accounting-server
Syntax
 
radius-accounting-server
Context
 
config>aaa>nat-acct-plcy
Description
 
This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.
access-algorithm
Syntax
 
access-algorithm {direct | round-robin | hash-based}
no access-algorithm
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command configures the algorithm used to access the list of configured RADIUS servers.
Default
 
direct
Parameters
 
direct
Specifies that the first server will be used as primary server for all requests, the second as secondary and so on.
round-robin
Specifies that the first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.
hashed-based
Specifies that the selection is based on the hash-based procedures.
retry
Syntax
 
retry count
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command configures the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
Default
 
3
Parameters
 
count
Specifies the retry count.
Values
1 — 10
router
Syntax
 
router router-instance
router service-name service-name
no router
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.
The no form of the command reverts to the default value.
server
Syntax
 
server server-index [create]
no server server-index
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.
The no form of the command removes the server from the configuration.
Default
 
none
Parameters
 
server-index
The index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
Values
1 — 16 (a maximum of 5 accounting servers)
source-address-range
Syntax
 
source-address-range start-ip-address
no source-address
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command configures the source address of the RADIUS packet. The system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface in the 7750 SR OS Router Configuration Guide. Note that the system IP address must only be configured if the source-address is not specified. When the no source-address command is executed, the source address is determined at the moment the request is sent. This address is also used in the nas-ip-address attribute: over there it is set to the system IP address if no sourceaddress was given.
The no form of the command reverts to the default value.
Default
 
systemIP address
Parameters
 
ip-address
The IP prefix for the IP match criterion in dotted decimal notation.
Values
0.0.0.0 - 255.255.255.255
timeout
Syntax
 
timeout [sec seconds] [min minutes]
no timeout
Context
 
config>aaa>isa-radius-plcy>servers
Description
 
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
Default
 
5
Parameters
 
sec seconds
Specifies the wait for a response from a RADIUS server in seconds.
min minutes
Specifies the wait for a response from a RADIUS server in minutes.
accounting
Syntax
 
accounting [port udp-port]
no accounting
Context
 
config>aaa>isa-radius-plcy>servers>server
Description
 
This command configures accounting for this server.
port port
Specifies the UDP port number on which to contact the RADIUS server for authentication.
Values
1 — 65535
authentication
Syntax
 
authentication [port udp-port]
no authentication
Context
 
config>aaa>isa-radius-plcy>servers>server
Description
 
This command configures authentication for this server.
Parameters
 
port port
Specifies the UDP port number on which to contact the RADIUS server for authentication.
Values
1 — 65535
coa
Syntax
 
coa [port udp-port]
no coa
Context
 
config>aaa>isa-radius-plcy>servers>server
Description
 
This command configures Change of Authorization (CoA) messages.
ip-address
Syntax
 
ip-address ip-address
no ip-address
Context
 
config>aaa>isa-radius-plcy>servers>server
Description
 
Configures the The IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
secret
Syntax
 
secret secret-key | hash-key [hash|hash2]
no secret
Context
 
config>aaa>isa-radius-plcy>servers>server
Description
 
This command configures the secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.
hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
user-name-format
Syntax
 
user-name-format user-name-format [mac-format mac-format]
no user-name-format
Context
 
config>aaa>isa-radius-plcy
Description
 
This command defines the format of the user-name field in the session authentication request sent to the RADIUS server. For authentication of IPv6 triggers (ICMPv6, DHCPv6, IPv6 data-trigger) the user-name format will always fall back to mac only.
The no form of the command switches to the default format, mac.
Default
 
By default, the MAC source address of the DHCP DISCOVER message is used in the user-name field.
Parameters
 
user-name-format
Specifies the user name format in RADIUS message.
mac-format
Specifies how a MAC address is represented when contacting a RADIUS server. This is only used while the value of is equal to the DHCP client vendor options and if the MAC address is used by default of the DHCP client vendor options.
Examples: ab: 00:0c:f1:99:85:b8 Alcatel-Lucent 7xxx style
XY- 00-0C-F1-99-85-B8 IEEE canonical style
mmmm. 0002.03aa.abff Cisco style
 
NAT Subscriber Management Commands
nat-policy
Syntax
 
nat-policy policy-name
no nat-policy
Context
 
config>subscriber-mgmt>sub-profile
Description
 
This command configures the NAT policy to be used for subscribers associated with this subscriber profile.
Parameters
 
policy-name
Specifies the policy name.
Values
32 chars max
save-deterministic-script
Syntax
 
save-deterministic-script
Context
 
admin>nat
Description
 
This command saves the script that calculates Deterministic NAT map entries.
Once the location for the Python deterministic NAT script is configured, the script is generated/updated every time deterministic NAT configuration is modified. However, the script must be manually exported to the remote location. This command triggers the export of the script to a remote location.
upnp
Syntax
 
upnp
Context
 
config>service
Description
 
This command enables the context to configure UPnP parameters
Default
 
upnp
upnp-policy
Syntax
 
upnp-policy policy-name [create]
no upnp-policy policy-name
Context
 
config>service>upnp
Description
 
This command creates a new upnp-policy or enters the configuration context of an existing upnp-policy .
The no form of the command removes the upnp-policy policy-name from the configuration.
Default
 
none
Parameters
 
policy-name
Specifies the name of the UPnP policy up to 32 characters in length.
upnp-policy
Syntax
 
upnp-policy policy-name
no upnp-policy
Context
 
config>subscr-mgmt>sub-prof
Description
 
This command enables UPnP IGD services for the subscriber. All ESM hosts of the subscriber could use the UPnP protocol to create port mapping. This featurse only support L2-Aware NAT host.
UPnP parameters are defined in the referenced upnp-policy configured in the configure>service>upnp context.
Default
 
no upnp-policy
Parameters
 
policy-name
Specifies the UPnP (Universal Plug 'n Play) policy associated with this subscriber profile up to 32 characters in length.
http-listening-port
Syntax
 
http-listening-port [1..65535]
no http-listening-port
Context
 
config>service>upnp>upnp-policy
Description
 
This command specifies the listening port of UPnP server.
The no form of the command reverts to the default.
Default
 
5000
Parameters
 
[1..65535]
Specifies the HTTP TCP port this UPnP IGD listens to.
mapping-limit
Syntax
 
mapping-limit [1..256]
no mapping-limit
Context
 
config>service>upnp>upnp-policy
Description
 
This command specifies the maximum number of UPnP mapping per subscriber.
The no form of the command reverts to the default.
Default
 
256
Parameters
 
[1..256]
Specifies the upper limit of the number of UPnP mappings per subscriber.
strict-mode
Syntax
 
[no] strict-mode
Context
 
config>service>upnp>upnp-policy
Description
 
This command enable UPnP strict mode. With strict-mode, system only allows changes to existing UPnP mapping if the request comes from same UPnP client.
Default
 
no strict-mode
 
NAT Show Commands
nat-accounting-policy
Syntax
 
nat-accounting-policy
nat-accounting-policy policy-name
nat-accounting-policy policy-name associations
nat-accounting-policy
Context
 
show>aaa
Description
 
This command displays NAT accounting policy information.
Parameters
 
policy-name
Specifies the NAT policy name.
Values
32 chars max
associations
Keyword that displays the router instances and/or subscriber profiles associated with the NAT policy.
Sample Output
A:SR12_PPPOE# show aaa nat-accounting-policy "my-acct-plcy" 
===============================================================================
NAT accounting policy "my-acct-plcy"
===============================================================================
Description                 : my accounting policy
-------------------------------------------------------------------------------
RADIUS accounting server settings
-------------------------------------------------------------------------------
Access algorithm            : direct
Retry                       : 3
Router                      : 101
Source address start        : 10.10.10.10
Source address end          : 10.10.10.20
Timeout (s)                 : 5
Last management change      : 01/28/2012 14:47:59
Include attributes          : framed-ip-addr nas-identifier nat-subscriber-
                              string user-name inside-service-id outside-
                              service-id outside-ip port-range-block hardware-
                              timestamp release-reason multi-session-id frame-
                              counters octet-counters session-time
===============================================================================
===============================================================================
Servers for "my-acct-plcy"
===============================================================================
Index Address         Port  
-------------------------------------------------------------------------------
1     17.0.0.5        1813  
2     17.0.0.1        1813  
===============================================================================
===============================================================================
Servers ISA group connection status for "my-acct-plcy"
===============================================================================
Index Group Member State                      Tx-rq      Rq-timeout Send-retry
-------------------------------------------------------------------------------
1     3     1      out-of-service             3          1          2
1     3     2      out-of-service             9          3          6
2     3     1      in-service                 1          0          0
2     3     2      out-of-service             6          2          4
===============================================================================
A:SR12_PPPOE#
 
 
A:SR12_PPPOE# show aaa nat-accounting-policy "my-acct-plcy" associations  
===============================================================================
NAT groups associated with "my-acct-plcy"
===============================================================================
Group
-------------------------------------------------------------------------------
1
3
-------------------------------------------------------------------------------
No. of groups: 2
===============================================================================
A:SR12_PPPOE#
 
nat-group
Syntax
 
nat-group
nat-group nat-group-id [associations]
nat-group nat-group-id statistics mda mda-id
nat-group nat-group-id member [1..255]
nat-group nat-group-id member [1..255] reassembly-statistics
nat-group nat-group-id member [1..255] statistics
nat-group [nat-group-id] members
Context
 
show>isa
Description
 
This command lists all used (active) member ISAs (or group members). Up to 16 group members can be displayed (16 is the supported number of LAG links). Members can share physical ISAs (MDAs) and the physical locality of the group members can be determined from the Mda column in the output.
The number of group members will be <=X and the actual number of displayed group members will depend on the configuration based calculation.
Parameters
 
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
statistics
Keyword; displays NAT group statistics.
member
Displays statistics information about the resources of a member of a NAT ISA group.
reassembly-statistics
Displays statistics information about IP datagram reassembly on NAT-capable ISA groups.
associations
Displays associations applicable to the specified NAT group.
Sample Output
show isa nat-group
===============================================================================
ISA NAT Group Summary
===============================================================================
Mda Group 1 Group 2 Group 3
-------------------------------------------------------------------------------
3/1 active - -
3/2 - active busy
4/1 - busy active
4/2 - standby standby
===============================================================================
 
 
show isa nat-group 1 members
===============================================================================
ISA Group 1 members
===============================================================================
Group Member  State   Mda  Addresses  Blocks   Se-% Hi Se-Prio  
-------------------------------------------------------------------------------
1     1       active  1/2  17         2088      < 1  N  0					
1     2       active  1/2  17         2088      < 1  N  0					
1     3       active  1/2  17         2088      < 1  N  0					
1     4       active  2/2  17         2088      < 1  N  0					
1     5       active  2/2  17         2088      < 1  N  0					
 
-------------------------------------------------------------------------------
No. of members: 5
===============================================================================
 
 
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group 1       
===============================================================================
ISA NAT Group 1
===============================================================================
Admin state                 : inService
Operational state           : inService
Active MDA limit            : 2
-------------------------------------------------------------------------------
NAT specific information for ISA group 1
-------------------------------------------------------------------------------
Reserved sessions           : 0
High Watermark (%)          : (Not Specified)
Low Watermark (%)           : (Not Specified)
Accounting policy           : my-acct-plcy
Last Mgmt Change            : 01/28/2012 14:47:59
-------------------------------------------------------------------------------
===============================================================================
ISA Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio
-------------------------------------------------------------------------------
1     1          active         3/1  3          3          < 1  N  0
1     2          active         3/2  4          4          < 1  N  0
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
 
 
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group   
===============================================================================
ISA NAT Group Summary
===============================================================================
Mda  Group 1            Group 2            Group 3            Group 4           
-------------------------------------------------------------------------------
2/1  -                  provisioned        -                  -                 
3/1  active             -                  up                 -                 
3/1  active             -                  up                 -                 
3/2  active             -                  up                 -                 
3/2  active             -                  up                 -                 
===============================================================================
A:SR12_PPPOE#
 
 
*A:SR12_PPPOE>config>isa>nat-group# show isa nat-group 1 
===============================================================================
ISA NAT Group 1
===============================================================================
Admin state                 : inService
Operational state           : inService
Active MDA limit            : 2
 
-------------------------------------------------------------------------------
NAT specific information for ISA group 1
-------------------------------------------------------------------------------
Reserved sessions           : 0
High Watermark (%)          : (Not Specified)
Low Watermark (%)           : (Not Specified)
Accounting policy           : my-acct-plcy
Last Mgmt Change            : 01/28/2012 14:47:59
-------------------------------------------------------------------------------
===============================================================================
ISA Group 1 members
===============================================================================
Group Member     State          Mda  Addresses  Blocks     Se-% Hi Se-Prio
-------------------------------------------------------------------------------
1     1          active         3/1  3          3          < 1  N  0
1     2          active         3/2  4          4          < 1  N  0
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
 
 
A:SR12_PPPOE# show isa nat-group 3 member 1 statistics 
===============================================================================
ISA NAT Group 3 Member 1
===============================================================================
no resource                                               : 0
pkt rx on wrong port                                      : 0
unsupported protocol                                      : 0
no host or host group                                     : 0
no ip or port                                             : 0
no matching flow                                          : 3
max flow exceeded                                         : 0
TCP no flow for RST                                       : 0
TCP no flow for FIN                                       : 0
TCP no flow                                               : 0
addr. dep. filtering                                      : 0
ICMP type unsupported                                     : 0
ICMP local unsupported                                    : 0
ICMP checksum error                                       : 0
ICMP embedded checksum error                              : 0
ICMP unsupported L4                                       : 0
ICMP too short                                            : 0
ICMP length error                                         : 0
Pkt not IPv4 or IPv6                                      : 0
Pkt rcv error                                             : 0
Pkt error                                                 : 0
IPv4 header checksum violation                            : 0
IPv4 header malformed                                     : 0
IPv4 malformed packet                                     : 0
IPv4 ttl zero                                             : 0
IPv4 opt /IPv6 ext headers                                : 0
IPv4 undefined error                                      : 0
IPv6 fragments unsupported                                : 0
TCP/UDP malformed                                         : 0
TCP/UDP checksum failure                                  : 0
TCP/UDP length error                                      : 0
Pkt send error                                            : 0
no buf to copy pkt                                        : 0
no policy                                                 : 0
locked by mgmt core                                       : 0
port range log failed                                     : 0
MTU exceeded                                              : 0
DS Lite unrecognized next hdr                             : 0
DS Lite unknown AFTR                                      : 0
too many fragments for IP packet                          : 0
too many fragmented packets                               : 0
too many fragment holes                                   : 0
too many frags buffered                                   : 0
fragment list expired                                     : 0
fragment rate too high                                    : 0
flow log failed                                           : 0
no multiple host or subscr. IPs allowed                   : 0
to local                                                  : 1
to local ignored                                          : 0
NAT64 disabled                                            : 0
NAT64 invalid src addr                                    : 0
NAT64 frag has zero checksum                              : 0
NAT64 v4 has zero checksum                                : 0
NAT64 ICMP frag unsupported                               : 0
CPM out of memory                                         : 0
new flow                                                  : 1
TCP closed                                                : 1
TCP expired                                               : 0
UDP expired                                               : 0
ICMP expired                                              : 0
ICMP local                                                : 0
found flow                                                : 34
ARPs ignored                                              : 4
Fragments RX L2A                                          : 0
Fragments RX LSN                                          : 0
Fragments RX DSL                                          : 0
Fragments RX OUT                                          : 0
Fragments TX L2A                                          : 0
Fragments TX LSN                                          : 0
Fragments TX DSL                                          : 0
Fragments TX NAT64                                        : 0
Fragments TX OUT                                          : 0
flow create logged                                        : 0
flow delete logged                                        : 0
flow log pkt tx                                           : 0
===============================================================================
A:SR12_PPPOE#
 
 
config>isa# show isa nat-group 1 member 1 statistics
===============================================================================
ISA NAT Group 1 Member 1
===============================================================================
no resource                                               : 0
     [eNatFlowNoResource]                     "no resource",\
         ->the default, all errors without more specific reason
 
     [eNatFlowWrongPort]                      "pkt rx on wrong port",\
         -> packet came in on wrong port on ISA
 
     [eNatFlowWrongProt]                      "unsupported protocol",\
         -> protocol  is not UDMP/TCP/ICMP
 
     [eNatFlowNoHostGrp]                      "no host or host group",\
         -> can not create new host group because out of resources, or 
current host group is not usable at the moment (because in a transient 
state)
 
     [eNatFlowNoIpOrPort]                     "no ip or port",\
          -> no Ip or port range available
 
     [eNatFlowNoMatchingFlow]                 "no matching flow",\
         -> no matching flow found
 
     [eNatFlowMaxExceeded]                    "max flow exceeded",\
          -> max flows for subscriber exceeded
 
     [eNatFlowTcpUnexpectedRst]               "TCP no flow for RST",\
     [eNatFlowTcpUnexpectedFin]               "TCP no flow for FIN",\
     [eNatFlowTcpUnexpected]                  "TCP no flow",\
         -> TCP state machine problem
 
     [eNatFlowAddressDependentFiltering]      "addr. dep. filtering",\
         -> pkt dropped because of addr. dependent filtering
 
     [eNatFlowUnsupportedICMP]                "ICMP type unsupported",\
         -> unsupported icmp type
 
     [eNatFlowUnsupportedLocalICMP]           "ICMP local unsupported",\
         -> packet to ip address on ISA is not an echo request
 
     [eNatFlowIcmpChecksumError]              "ICMP checksum error",\
         -> ICMP checksum error
 
     [eNatFlowIcmpEmbeddedPktChecksumError]   "ICMP embedded checksum 
error",\
         -> checksum error on embedded IP header
 
     [eNatFlowIcmpEmbeddedPktUnsupportedL4]   "ICMP unsupported L4",\
         -> embedded IP packet is not UDP/TCP
 
     [eNatFlowIcmpTooShort]                   "ICMP too short",\
         -> packet too short to include the ICMP header
 
     [eNatFlowIcmpLengthError]                "ICMP length error",\
         -> packet too short to include the embedded header
 
     [eNatFlowPacketErrorNotIp]               "Pkt not IPv4 or IPv6",\
     [eNatFlowPacketErrorRecv]                "Pkt rcv error",\
     [eNatFlowPacketError]                    "Pkt error",\
     [eNatFlowPacketErrorIpv4HdrChk]          "IPv4 header checksum 
violation",\
     [eNatFlowPacketErrorIpv4HdrMal]          "IPv4 header malformed",\
     [eNatFlowPacketErrorIpv4PktMal]          "IPv4 malformed packet",\
     [eNatFlowPacketErrorIpv4TtlZero]         "IPv4 ttl zero",\
     [eNatFlowPacketErrorIpv4Optv6Ext]        "IPv4 opt /IPv6 ext headers",\
     [eNatFlowPacketErrorIpv4Bad]             "IPv4 undefined error", \
     [eNatFlowPacketErrorIpv6Frag]            "IPv6 fragments unsupported",\
     [eNatFlowPacketErrorTcpUdpMal]           "TCP/UDP malformed",\
     [eNatFlowPacketErrorTcpUdpChk]           "TCP/UDP checksum failure",\
     [eNatFlowPacketErrorTcpUdpLen]           "TCP/UDP length error",\
         -> malformed incoming packet
 
     [eNatFlowPacketSendError]                "Pkt send error",\
         -> failed to tx the packet
 
     [eNatFlowPacketNoCpyBuf]                 "no buf to copy pkt",\
         -> failed to copy the packet to another buffer needed for 
correct processing
 
     [eNatFlowLockedByMgmtCore]               "locked by mgmt core",\
         -> resources temp. locked by the mgmt core
 
     [eNatFlowPRLogFailed]                    "port range log failed",\
         -> port range log failed
 
     [eNatFlowMtuExceeded]                    "MTU exceeded",\
         -> outgoing packet too big for DS-Lite tunnel or nat64 mtu
 
     [eNatFlowDslUnrecNextHdr]                "DS Lite unrecognized next 
hdr",\
         ->ipv6 pkt has wrong next header
 
     [eNatFlowDslUnknownAFTR]                 "DS Lite unknown AFTR",\
         -> AFTR address is unrecognised
 
     [eNatFlowTooManyFragsForIpPkt]           "too many fragments for IP 
packet",\
     [eNatFlowTooManyFragmentedPkts]          "too many fragmented 
packets",\
     [eNatFlowTooManyFragHoles]               "too many fragment holes",\
     [eNatFlowFragListExpire]                 "fragment list expired",\
     [eNatFlowTooManyFragBufs]                "too many frags buffered",\
     [eNatFlowFragRateTooHigh]                "fragment rate too high",\
         -> various fragment problems
 
     [eNatFlowNoPolicy]                       "no policy",\
         ->vrf not mapped to a policy
 
     [eNatFlowLogFailed]                      "flow log failed",\
         -> flow logging can not follow the setup rate
 
     [eNatFlowMultiHostOrSubscrIp]            "no multiple host or 
subscr. IPs allowed",\
         ->multiple hosts or subscribers on the inside in use without 
port translation
 
     [eNatFlowToLocalError]                   "to local ignored",\
        -> radius authentication failure (?)
 
     [eNatFlow64Disabled]                     "NAT64 disabled",\
         -> nat64 was disabled
 
     [eNatFlow64InvalidSource]                "NAT64 invalid src addr",\
         -> source address matches pref64
 
     [eNatFlow64FragZeroChecksum]             "NAT64 frag has zero 
checksum",\
         -> v4 UDP frag has zero checksum
 
     [eNatFlow64ZeroChecksum]                 "NAT64 v4 has zero checksum",\
         -> v4 UDP has zero checksum, and policy configured to drop
 
     [eNatFlow64FragIcmp]                     "NAT64 ICMP frag unsupported"\
         ->v4 fragmented ICMP
 
l2-aware-hosts
Syntax
 
l2-aware-hosts [outside-router router-instance] [outside-ip outside-ip-address] [inside-ip-prefix ip-prefix/mask]
Context
 
show>service>nat
Description
 
This command displays layer-2 aware NAT hosts.
Parameters
 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip-address
Specifies the outside IP address.
Values
a.b.c.d
sub-ident
Specifies the identifier.
Values
32 chars max
Sample Output
show service nat l2-aware-hosts
===============================================================================
Layer-2-Aware NAT hosts
===============================================================================
Inside IP Out-Router Outside IP Subscriber
-------------------------------------------------------------------------------
13.0.0.100 Base 81.81.0.0 Sub001
13.0.0.102 Base 81.81.0.0 Sub001
13.0.0.101 Base 81.81.0.203 Sub002
13.0.0.103 Base 81.81.0.0 Sub003
-------------------------------------------------------------------------------
No. of hosts: 4
===============================================================================
l2-aware-subscribers
Syntax
 
l2-aware-subscribers [nat-policy nat-policy-name] [nat-group nat-group-id] [member [1..255]] [outside-router router-instance] [outside-ip outside-ip-address]
l2-aware-subscribers subscriber sub-ident
Context
 
show>service>nat
Description
 
This command displays layer-2 aware NAT subscribers.
Parameters
 
nat-policy-name
Specifies the NAT policy name.
Values
32 chars max
nat-group-id
Specifies the NAT group ID.
Values
1 — 4
router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip-address
Specifies the outside IP address.
Values
a.b.c.d
sub-ident
Specifies the identifier.
Values
32 chars max
Sample Output
show service nat l2-aware-subscribers
===============================================================================
Layer-2-Aware NAT subscribers
===============================================================================
Subscriber Policy Group/Member
Outside IP Router Ports
-------------------------------------------------------------------------------
Sub001 outPolicy 1/1
81.81.0.0 Base 32-33
Sub002 outPolicy2 1/1
81.81.0.203 Base 32-41
Sub003 outPolicy 1/1
81.81.0.0 Base 34-35
-------------------------------------------------------------------------------
No. of subscribers: 3
===============================================================================
 
 
show service nat l2-aware-subscribers subscriber “Sub881”
===============================================================================
Layer-2-Aware NAT subscriber Sub001
===============================================================================
Policy : outPolicy
ISA NAT group : 1
ISA NAT group member : 1
Outside router : Base
Outside IP : 81.81.0.0
ICMP Port usage (%) : < 1
ICMP Port usage high : false
UDP Port usage (%) : < 1
UDP Port usage high : false
TCP Port usage (%) : < 1
TCP Port usage high : false
Session usage (%) : < 1
Session usage high : false
Number of sessions : 0
Number of reserved sessions : 0
Ports : 32-33
===============================================================================
nat-policy
Syntax
 
nat-policy nat-policy-name associations
nat-policy nat-policy-name
nat-policy nat-policy-name statistics
nat-policy
Context
 
show>service>nat
Description
 
This command displays NAT policy information.
Parameters
 
nat-policy-name
Specifies the NAT Policy name.
Values
32 chars max
associations
Keyword; displays the router instances and/or subscriber profiles associated with the NAT policy.
statistics
Keyword; displays statistics of the specified NAT policy.
Sample Output
show service nat nat-policy
===============================================================================
NAT policies
===============================================================================
Policy Description
-------------------------------------------------------------------------------
outPolicy
outPolicy2
outPolicy3
-------------------------------------------------------------------------------
No. of NAT policies: 3
===============================================================================
 
 
*A:SR12_PPPOE>show>router>nat#  show service nat nat-policy "priv-nat-policy" 
===============================================================================
NAT Policy priv-nat-policy
===============================================================================
Pool                                  : privpool
Router                                : Base
Filtering                             : endpointIndependent
Block limit                           : 4
Reserved ports                        : 0
Port usage High Watermark (%)         : (Not Specified)
Port usage Low Watermark (%)          : (Not Specified)
Port forwarding limit                 : 64
Session limit                         : 65535
Reserved sessions                     : 0
Session usage High Watermark (%)      : (Not Specified)
Session usage Low Watermark (%)       : (Not Specified)
ALG enabled                           : ftp rtsp sip 
Prioritized forwarding classes        : (Not Specified)
Timeout TCP established (s)           : 7440
Timeout TCP transitory (s)            : 240
Timeout TCP SYN (s)                   : 15
Timeout TCP TIME-WAIT (s)             : 0
Timeout UDP mapping (s)               : 300
Timeout UDP initial (s)               : 15
Timeout UDP DNS (s)                   : 15
Timeout ICMP Query (s)                : 60
Timeout SIP Inactive Media (s)        : 120
Subscriber retention (s)              : 0
UDP inbound refresh                   : false
TCP MSS Adjust                        : (Not Specified)
Destination-NAT IP                    : (Not Specified)
IPFIX export policy                   : (Not Specified)
Last Mgmt Change                      : 01/28/2012 14:47:59
===============================================================================
*A:SR12_PPPOE>show>router>nat# 
 
 
show service nat nat-policy “outPolicy2” associations
===============================================================================
NAT Policy outPolicy2 Subscriber Profile Associations
===============================================================================
sub_prof_B_3
-------------------------------------------------------------------------------
No. of subscriber profiles: 1
===============================================================================
 
show service nat nat-policy “outPolicy2” statistics
===============================================================================
NAT Policy outPolicy2 Statistics
===============================================================================
mda 3/1
-------------------------------------------------------------------------------
hostsActive 	: 1
hostsPeak 	: 1
sessionsTcpCreated 	: 0
sessionsTcpDestroyed 	: 0
sessionsUdpCreated 	: 0
sessionsUdpDestroyed 	: 0
sessionsIcmpQueryCreated 	: 0
sessionsIcmpQueryDestroyed 	: 0
===============================================================================
 
pcp-server-policy
Syntax
 
pcp-server-policy
pcp-server-policy name
Context
 
show>router>nat
Description
 
This command displays PCP server policy information.
port-forwarding-entries
Syntax
 
port-forwarding-entries
Context
 
show>router>nat
Description
 
This command displays port forwarding entries.
Sample Output
*A:SR12_PPPOE#  show service nat port-forwarding-entries 
===============================================================================
NAT port forwarding entries
===============================================================================
Subscriber
iRtr       iAddress                                prot iPort type              
oRtr       oAddress                          persist-id oPort expiry            
 
===============================================================================
100        1.2.3.4                                 tcp  666   classic-lsn-sub
Base       13.0.0.6                          N/A        666   N/A               
 
100        1.2.3.4                                 udp  666   classic-lsn-sub
Base       13.0.0.6                          N/A        666   N/A               
 
-------------------------------------------------------------------------------
No. of entries: 2
===============================================================================
*A:SR12_PPPOE# 
 
dual-stack-lite-subscribers
Syntax
 
dual-stack-lite-subscribers subscriber dslite-sub-id
dual-stack-lite-subscribers [nat-policy nat-policy-name] [nat-group nat-group-id] [member [1..255]] [outside-router router-instance] [outside-ip outside-ip-address] [inside-ip-prefix ipv6-prefix]
Context
 
show>router>nat
Description
 
This command displays Dual Stack Lite subscriber information.
Parameters
 
subscriber dslite-sub-id
Specifies the identification of LSN subscribers of a particular virtual router instance.
Values
dslite-sub-id: ipv6-address - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
nat-policy nat-policy-name
Specifies the NAT policy name up to 32 characters in length.
nat-group nat-group-id
Specifies the NAT group ID.
Values
1 — 4
member [1..255]
Identifies the member ID of a NAT ISA group.
outside-router router-instance
Specifies the router instance.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
outside-ip outside-ip-address
Specifies the outside IP address.
inside-ip-prefix ipv6-prefix
Specifies the inside IP address.
Sample Output
*A:SR12_PPPOE# show router 100 nat dual-stack-lite-subscribers 
===============================================================================
Large-Scale NAT subscribers
===============================================================================
Subscriber                       Policy                           Group/Member
  Outside IP                              Router                  Ports
-------------------------------------------------------------------------------
2001:470:1F00:FFFF::189
                                 priv-nat-policy                  3/2
  13.0.0.5                                Base                    504           
-------------------------------------------------------------------------------
No. of subscribers: 1
===============================================================================
*A:SR12_PPPOE#
l2-aware-blocks
Syntax
 
l2-aware-blocks [outside-ip-prefix ip-prefix/length] [outside-port [1..65535]] [pool pool-name]
Context
 
show>router>nat
Description
 
This command displays Layer 2 aware NAT blocks.
Parameters
 
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router nat l2-aware-blocks
===============================================================================
Layer-2-Aware NAT blocks for Base
===============================================================================
81.81.0.0 [32..33]
Pool 	: MyPool
Policy 	: outPolicy
Started 	: 2010/02/04 16:24:55
Subscriber ID 	: Sub001
81.81.0.0 [34..35]
Pool 	: MyPool
Policy 	: outPolicy
Started 	: 2010/02/04 16:25:24
Subscriber ID 	: Sub003
81.81.0.203 [32..41]
Pool 	: MyPool2
Policy 	: outPolicy2
Started	: 2010/02/04 16:25:21
Subscriber ID 	: Sub002
-------------------------------------------------------------------------------
Number of blocks: 3
===============================================================================
lsn-blocks
Syntax
 
lsn-blocks [inside-router router-instance] [inside-ip ip-address] [outside-ip-prefix ip-prefix/length] [outside-port [1..65535]] [pool pool-name]
Context
 
show>router>nat
Description
 
This command displays large scale NAT blocks.
Parameters
 
router-instance
Specifies the router instance name and service ID.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
ip-address
Specifies the IP address in a.b.c.d format.
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
*A:SR12_PPPOE>show>router>nat# show router Base nat lsn-blocks 
===============================================================================
Large-Scale NAT blocks for Base
===============================================================================
13.0.0.5 [1024..1527]
Pool                                  : privpool
Policy                                : priv-nat-policy
Started                               : 2012/01/28 19:10:17
Inside router                         : vprn100
Inside IP address                     : 2001:470:1F00:FFFF::189
-------------------------------------------------------------------------------
Number of blocks: 1
===============================================================================
A:SR12_PPPOE#
lsn-hosts
Syntax
 
lsn-hosts host ip-address
lsn-hosts [outside-router router-instance] [outside-ip ip-address] [inside-ip-prefix ip-prefix/mask]
Context
 
show>router
Description
 
This command displays large scale NAT hosts.
Parameters
 
router-instance
Specifies the router instance name and service ID.
Values
router-name: Base , management
service-id: 1 — 2147483647
svc-name: A string up to 64 characters in length.
ip-address
Specifies the IP address in a.b.c.d format.
ip-prefix
Specifies the IP prefix.
Values
a.b.c.d (host bits must be 0)
length
Specifies the IP prefix length.
Values
1 — 32
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router 588 nat lsn-hosts
===============================================================================
Large-Scale NAT hosts for router 550
===============================================================================
Inside IP Out-Router Outside IP
-------------------------------------------------------------------------------
13.0.0.5 500 81.81.0.0
13.0.0.6 500 81.81.3.1
13.0.0.7 500 81.81.0.0
13.0.0.8 500 81.81.0.0
13.0.0.9 500 81.81.3.1
13.0.0.10 500 81.81.0.0
-------------------------------------------------------------------------------
No. of hosts: 6
===============================================================================
 
show router 558 nat lsn-hosts host 13.8.8.5
===============================================================================
Large-Scale NAT host details
===============================================================================
Policy : ls-outPolicy
ISA NAT group : 1
ISA NAT group member : 1
Outside router : vprn500
Outside IP : 81.81.0.0
ICMP Port usage (%) : < 1
ICMP Port usage high : false
UDP Port usage (%) : 2
UDP Port usage high : false
TCP Port usage (%) : < 1
TCP Port usage high : false
Session usage (%) : < 1
Session usage high : false
Number of sessions : 5
Number of reserved sessions : 0
Ports : 1432-1631
===============================================================================
pool
Syntax
 
pool pool-name
pool
Context
 
show>router>nat
Description
 
This command displays NAT pool information.
Parameters
 
pool-name
Specifies the pool name.
Values
32 chars max
Sample Output
show router nat pool
===============================================================================
NAT pools
===============================================================================
Pool NAT-group Type Admin-state
-------------------------------------------------------------------------------
MyPool 1 l2Aware inService
MyPool2 1 l2Aware inService
-------------------------------------------------------------------------------
No. of pools: 2
===============================================================================
 
 
*A:SR12_PPPOE>show>router>nat# show router "Base" nat pool "privpool" 
===============================================================================
NAT Pool privpool
===============================================================================
ISA NAT Group                         : 3
Pool type                             : largeScale
Admin state                           : inService
Mode                                  : auto (napt)
Port forwarding range                 : 1 - 1023
Port reservation                      : 128 blocks
Block usage High Watermark (%)        : (Not Specified)
Block usage Low Watermark (%)         : (Not Specified)
Subscriber limit per IP address       : 65535
Active                                : true
Last Mgmt Change                      : 01/28/2012 14:47:59
===============================================================================
NAT address ranges of pool privpool
===============================================================================
Range                                                          Drain Num-blk
-------------------------------------------------------------------------------
13.0.0.5 - 13.0.0.6                                                  1
-------------------------------------------------------------------------------
No. of ranges: 1
===============================================================================
NAT members of pool privpool ISA NAT group 3
===============================================================================
Member                                                        Block-Usage-% Hi
-------------------------------------------------------------------------------
1                                                             < 1           N
2                                                             < 1           N
-------------------------------------------------------------------------------
No. of members: 2
===============================================================================
A:SR12_PPPOE#
summary
Syntax
 
summary
Context
 
show>router>nat
Description
 
This command displays the NAT information summary.
Sample Output
*A:SR12_PPPOE>show>router>nat# show router Base nat summary 
===============================================================================
NAT pools
===============================================================================
Pool                             NAT-group  Type       Admin-state
-------------------------------------------------------------------------------
privpool                         3          largeScale inService
pubpool                          1          largeScale inService
-------------------------------------------------------------------------------
No. of pools: 2
===============================================================================
A:SR12_PPPOE#
upnp
Syntax
 
upnp
Context
 
show>service
Description
 
This command enables the context to display UPnP policy parameters.
upnp-policy
Syntax
 
upnp-policy policy-name
upnp-policy policy-name statistics
upnp-policy
Context
 
show>service>upnp
Description
 
This commands displays upnp-policy related information.
Without any parameters the system outputs a list of configured UPnP policies.
Parameters
 
policy-name
The system displays the configuration of the specified policy.
statistics
The system displays statistics for the specified policy.
Sample OUTPUT
show service upnp upnp-policy 
===============================================================================
UPnP policies
===============================================================================
Policy                           Description
-------------------------------------------------------------------------------
test                             
-------------------------------------------------------------------------------
No. of UPnP policies: 1
===============================================================================
 
show service upnp upnp-policy "test" 
===============================================================================
UPnP Policy test
===============================================================================
Description                 : (Not Specified)
Mapping limit               : 256
Strict mode                 : false
HTTP listening port         : 5000
Last Mgmt Change            : 01/26/2015 19:23:41
-------------------------------------------------------------------------------
Active mappings             : 2
Mapped subscribers          : 1
Associated subscribers      : 1
===============================================================================
 
 
show service upnp upnp-policy "test" statistics 
===============================================================================
UPnP Policy test Statistics
===============================================================================
rx SSDP M-SEARCH                                        : 109
rx HTTP GET device description                          : 0
rx HTTP GET service description                         : 109
rx UPnP AddPortMapping                                  : 6
rx UPnP ClearPortMapping                                : 0
rx UPnP DeletePortMapping                               : 1
rx UPnP ForceTermination                                : 0
rx UPnP GetConnectionTypeInfo                           : 0
rx UPnP GetExternalAddress                              : 6
rx UPnP GetGenericPortMappingEntry                      : 43
rx UPnP GetNATRSIPStatus                                : 8
rx UPnP GetSpecificPortMappingEntry                     : 1
rx UPnP GetStatusInfo                                   : 49
rx UPnP RequestConnection                               : 0
rx UPnP SetConnectionType                               : 0
rx UPnP unsupported optional action                     : 6
rx UPnP invalid request                                 : 0
tx SSDP M-SEARCH                                        : 109
tx TCP reset                                            : 0
tx HTTP OK                                              : 109
tx UPnP OK                                              : 101
tx UPnP error                                           : 19
drop no memory                                          : 0
portmapping created                                     : 4
portmapping updated                                     : 1
portmapping failed: conflict with other host            : 0
portmapping failed: conflict with pinhole               : 0
portmapping failed: hit limits                          : 0
portmapping failed: other reason                        : 0
===============================================================================
 
 
 
 
NAT Clear Commands
upnp-mappings
Syntax
 
upnp-mappings subscriber sub-ident-string protocol {tcp|udp} outside-port port-number
upnp-mappings subscriber sub-ident-string
Context
 
clear>nat
Description
 
This command remove UPnP mappings for the specified subscriber. If protocol and outside-port are not specified, then all UPnP mappings of subscriber will be removed.
Parameters
 
subscriber sub-ident-string
clears mappings for the specified subscriber.
protocol {tcp|udp}
Clears the mappings for the specified protocol.
outside-port port-number
Clears mappings for the specified outside-port.
upnp-policy-statistics
Syntax
 
upnp-policy-statistics policy-name
Context
 
clear>nat
Description
 
This command clears UPnP policy statistics.
Parameters
 
policy-name
Clears UPnP policy statistics for the specified policy.
nat-group
Syntax
 
nat-group nat-group-id member [1..255] l2-aware-subscribers
nat-group nat-group-id member [1..255] statistics
Context
 
clear>nat>isa
Description
 
This command clears ISA nat-group commands related statistics or removes all the subscribers that are associated with a specific nat-group member
Parameters
 
nat-group-id
Specifies the NAT group ID to clear.
Values
1 — 4
statistics
Specifies to clear the NAT group ID’s statistics.
l2-aware-subscribers
Specifies to clear the NAT group ID’s l2-aware subscribers.
 
NAT Tools Commands
nat
Syntax
 
nat
Context
 
tools>dump
tools>perform
Description
 
This command enables the dump or perform tools for NAT.
isa
Syntax
 
isa
Context
 
tools>dump>nat
Description
 
This command enables the dump tools for NAT ISA.
resources
Syntax
 
resources mda mda-id
Context
 
tools>dump>nat>isa
Description
 
This command enables dump ISA resources for an MDA.
Sample Output
AR12_PPPOE# tools dump nat isa resources mda 3/1       
 
Resource Usage for Slot #3 Mda #1:
 
                                | Total        | Allocated    | Free
 -------------------------------+--------------+--------------+--------------
                          Flows |      6291456 |            0 |      6291456
                       Policies |          256 |            2 |          254
                    Port-ranges |      1310720 |          128 |      1310592
                          Ports |  12884901888 |            0 |  12884901888
                   IP-addresses |        65536 |            1 |        65535
              Large-scale hosts |       524288 |            0 |       524288
           L2-aware subscribers |        65536 |            0 |        65536
                 L2-aware hosts |        65536 |            0 |        65536
                 Delayed ICMP's |          200 |            0 |          200
                    ALG session |      1572864 |            0 |      1572864
                     LI entries |         8191 |            0 |         8191
        Upstream fragment lists |        16384 |            0 |        16384
      Downstream fragment lists |        16384 |            0 |        16384
        Upstream fragment holes |       131072 |            0 |       131072
      Downstream fragment holes |       131072 |            0 |       131072
         Upstream fragment bufs |        13824 |            0 |        13824
       Downstream fragment bufs |        13824 |            0 |        13824
           flow log dest. set 0 |            2 |            0 |            2
         flow log packets set 0 |           50 |            0 |           50
           flow log dest. set 1 |            2 |            0 |            2
         flow log packets set 1 |           50 |            0 |           50
           flow log dest. set 2 |            1 |            0 |            1
         flow log packets set 2 |           50 |            0 |           50
 
A:SR12_PPPOE#
sessions
Syntax
 
sessions [nat-group nat-group-id] [mda mda-id] [protocol {icmp|tcp|udp}] [inside-ip ip-address] [inside-router router-instance] [inside-port port-number] [outside-ip ipv4-address] [outside-port port-number] [foreign-ip ipv4-address] [foreign-port port-number] [dslite-address ipv6-address] [destination-ip ipv4-address] [destination-port port-number] [wlan-gw-ue ieee-address] [upnp]
Context
 
tools>dump>nat
Description
 
This command dumps ISA sessions.
Sample Output
*A:SR12_PPPOE# tools dump nat sessions 
===============================================================================
Matched 2 sessions on Slot #3 MDA #1
===============================================================================
Owner               : LSN-Host@1.2.3.4
Router              : 100
FlowType            : UDP PortFwd       
Inside IP Addr      : 1.2.3.4           Inside Port         : 666              
Outside IP Addr     : 13.0.0.6          Outside Port        : 666              
Foreign IP Addr     : *                 Foreign Port        : *
Dest IP Addr        : *                 Dest Port           : *
-------------------------------------------------------------------------------
Owner               : LSN-Host@1.2.3.4
Router              : 100
FlowType            : TCP PortFwd       
Inside IP Addr      : 1.2.3.4           Inside Port         : 666              
Outside IP Addr     : 13.0.0.6          Outside Port        : 666              
Foreign IP Addr     : *                 Foreign Port        : *
Dest IP Addr        : *                 Dest Port           : *
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
Matched 1 session on Slot #3 MDA #2
===============================================================================
Owner               : LSN-Host@2001:470:1F00:FFFF::189
Router              : 100
FlowType            : TCP               Timeout (sec)       : 6769             
Inside IP Addr      : 138.203.16.218    Inside Port         : 41555            
Outside IP Addr     : 13.0.0.5          Outside Port        : 1529             
Foreign IP Addr     : 15.0.0.1          Foreign Port        : 22               
Dest IP Addr        : 15.0.0.1          Dest Port           : 22               
-------------------------------------------------------------------------------
===============================================================================
*A:SR12_PPPOE#
histogram
Syntax
 
histogram router router-instance pool pool-name bucket-size [1..65536] num-buckets [2..50]
Context
 
tools>dump>nat
Description
 
This command displays a NAT pool port usage histogram
Parameters
 
router router-instance
 
pool pool-name
Specifies the identification of the NAT pool.
bucket-size [1..65536]
Specifies the unit of the X-axis of the histogram; a value of ten, for example, would return in a histogram with results for [0-9], [10-19], [20-29], ... ports.
num-buckets [2..50]
Specifies the size of the histogram; a value of five, for example, would result in five results: [0-9], [10-19], [20-29], [30-39], [40-infinite].
 
port-forwarding-action
Syntax
 
port-forwarding-action
Context
 
tools>dump>nat
Description
 
This command displays NAT port forwarding actions.
l2-aware
Syntax
 
l2-aware create subscriber sub-ident-string ip ip-address protocol {tcp|udp} [port port] lifetime lifetime [outside-ip ip-address] [outside-port port]
l2-aware delete subscriber sub-ident-string ip ip-address protocol {tcp|udp} port port
l2-aware modify subscriber sub-ident-string ip ip-address protocol {tcp|udp} port port lifetime lifetime
Context
 
tools>perform>nat>port-forwarding-action
Description
 
This command Layer-2-Aware NAT port forwarding action.
lsn
Syntax
 
lsn create router router-instance [b4 ipv6-address] [aftr ipv6-address] ip ip-address protocol {tcp|udp} [port port] lifetime lifetime [outside-ip ipv4-address] [outside-port port]
lsn delete router router-instance [b4 ipv6-address] ip ip-address protocol {tcp|udp} port port
lsn modify router router-instance [b4 ipv6-address] ip ip-address protocol {tcp|udp} port port lifetime lifetime
Context
 
tools>perform>nat>port-forwarding-action
Description
 
This command enables large-scale NAT port forwarding actions.
Sample Output
*A:SR12_PPPOE# tools perform nat port-forwarding-action  lsn create router 100 
ip 1.2.3.4 protocol tcp lifetime infinite outside-port 666 
*A:SR12_PPPOE# tools perform nat port-forwarding-action  lsn create router 100 
ip 1.2.3.4 protocol udp lifetime infinite outside-port 666 
*A:SR12_PPPOE# configure system persistence nat-port-forwarding location cf3: 
*A:SR12_PPPOE# tools dump persistence nat-port-forwarding 
----------------------------------------
Persistence Info
----------------------------------------
Client                : nat-fwds
File Info :
 Filename             : cf3:\nat_fwds.002
 File State           : CLOSED (Not enough space on disk)
Subsystem Info :
 Nbr Of Registrations : 524288
 Registrations In Use : 2
 Subsystem State      : NOK
*A:SR12_PPPOE#  
 
show+service+nat
|   |   |   +---l2-aware-hosts
|   |   |   +---l2-aware-subscribers
|   |   |   +---lsn-subscribers
|   |   |   +---nat-policy
|   |   |   +---pcp-server-policy
|   |   |   +---port-forwarding-entries
|   |   |   |   +---classic-lsn-sub
|   |   |   |   +---dslite-lsn-sub
|   |   |   |   +---l2-aware-sub
|   |   |   |   +---nat64-lsn-sub
 
NAT Filter Commands
action
Syntax
 
action nat [nat-policy-name nat-policy-name]
no action
Context
 
config>filter>ip-filter>entry
Description
 
This command specifies packets matching the entry criteria will be subject to large-scale NAT.
Default
 
no action nat
Parameters
 
nat
Specifies that traffic matching the specified criteria will be diverted to NAT.
policy-name nat-policy-name
Specifies the NAT policy to be used.
 
 
1
Subscriber in LSN44 is equals to an inside IPv4 address, while in DS-Lite, the subscriber can be an IPv6 address or IPv6 prefix. If the subscriber-prefix-length command is set to 128, then the subscriber in DS-Lite is an IPv6 address. Otherwise it will be an IPv6 prefix with length in the range [32..64] as set by the subscriber-prefix-length command.