3.2.24. cg-nat¶
Note
requires a specific license: CG-NAT.
CG-NAT configuration.
vsr running config# vrf <vrf> cg-nat
enabled¶
Enable/disable CG-NAT in this VRF.
vsr running config# vrf <vrf> cg-nat
vsr running cg-nat# enabled true|false
- Default value
true
pool¶
Pools of IP addresses for the CG-NAT rules.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56}
|
Pool name. |
address (mandatory)¶
IPv4 addresses in the pool.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56}
vsr running pool <string>{1,56}# address ADDRESS
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
|
An IPv4 address range, in the form addr4-addr4. |
allocation-mode¶
Set the way to allocate IP resources.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode
dynamic-block¶
Blocks are allocated dynamically to any user.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-block
block-size (mandatory)¶
Number of ports that will be assigned to a given user.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-block
vsr running dynamic-block# block-size <1-65535>
deterministic-block¶
Blocks are allocated deterministically. It means the same block is always allocated to the same user.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode deterministic-block
block-size¶
Number of ports that will be assigned to a given user.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode deterministic-block
vsr running deterministic-block# block-size <1-65535>
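Because a deterministic block never changes owner, a public address and source port seen in an abuse report can be resolved to a subscriber by arithmetic rather than by searching allocation logs. The sketch below is an added example, not 6WIND code: it assumes a simple sequential layout (subscribers in address order, blocks filled per pool address, ports starting at 1024, every address of a prefix usable), which this page does not specify, and it borrows the 64512-port range from the page's port factor example.

```python
import ipaddress

PORT_BASE = 1024     # assumption: ports below 1024 are never handed out
PORT_RANGE = 64512   # ports 1024..65535, the range used in this page's factor example


def expand_pool(address):
    """Expand one pool ADDRESS (address, prefix, or addr4-addr4) to IPv4 addresses."""
    if "-" in address:
        lo, hi = (ipaddress.IPv4Address(a.strip()) for a in address.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {address}")
        return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    if "/" in address:
        # Assumption: every address of the prefix is usable for translation.
        return list(ipaddress.IPv4Network(address))
    return [ipaddress.IPv4Address(address)]


class DeterministicLayout:
    """Hypothetical sequential layout: subscriber index -> (pool address, port block)."""

    def __init__(self, user_prefix, pool_addresses, block_size):
        if not 1 <= block_size <= 65535:
            raise ValueError("block-size must be in 1-65535")
        self.users = ipaddress.IPv4Network(user_prefix)
        self.pool = [ip for a in pool_addresses for ip in expand_pool(a)]
        self.block_size = block_size
        self.blocks_per_ip = PORT_RANGE // block_size
        capacity = self.blocks_per_ip * len(self.pool)
        if self.users.num_addresses > capacity:
            raise ValueError(
                f"{self.users.num_addresses} subscribers need more than "
                f"{capacity} blocks; enlarge the pool or shrink block-size"
            )

    def forward(self, user_ip):
        """Return (public_ip, first_port, last_port) for a subscriber address."""
        user = ipaddress.IPv4Address(user_ip)
        if user not in self.users:
            raise ValueError(f"{user_ip} is outside {self.users}")
        index = int(user) - int(self.users.network_address)
        ip_index, block_index = divmod(index, self.blocks_per_ip)
        first = PORT_BASE + block_index * self.block_size
        return str(self.pool[ip_index]), first, first + self.block_size - 1

    def reverse(self, public_ip, port):
        """Resolve an observed (public_ip, port) to the subscriber, or None."""
        try:
            ip_index = self.pool.index(ipaddress.IPv4Address(public_ip))
        except ValueError:
            return None                      # address is not in this pool
        if port < PORT_BASE:
            return None
        block_index = (port - PORT_BASE) // self.block_size
        if block_index >= self.blocks_per_ip:
            return None                      # leftover ports past the last whole block
        index = ip_index * self.blocks_per_ip + block_index
        if index >= self.users.num_addresses:
            return None                      # block exists but has no owner
        return str(self.users.network_address + index)


if __name__ == "__main__":
    # Constructed sample: 256 subscribers behind six public addresses.
    layout = DeterministicLayout(
        "100.64.0.0/24", ["192.0.2.0/30", "198.51.100.10-198.51.100.11"], 1024
    )
    print(layout.forward("100.64.0.70"))
    print(layout.reverse("192.0.2.1", 9000))
```

With dynamic-block or dynamic-port allocation no such function exists, so attribution depends on retaining block or session logs.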
dynamic-port¶
Ports are allocated dynamically to any user.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port
port-algo¶
Port allocation algorithm for new mappings.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port
vsr running dynamic-port# port-algo PORT-ALGO
|
Description |
|---|---|
|
Select the first available port and preserve the parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port. |
|
Select the port randomly without parity preservation. |
|
Select the port randomly and preserve the parity. |
|
Select the first available port without parity preservation. |
port-overloading¶
Enable configuring port overloading.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port port-overloading
unique-destination¶
Overload a port only when the destination address is unique or destination address and port pair is unique.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port port-overloading
vsr running port-overloading# unique-destination UNIQUE-DESTINATION
|
Description |
|---|---|
|
Overload a port only when the destination address is unique. |
|
Overload a port when the destination address and port pair is unique. |
protocol¶
Enable port overloading for protocol TCP, UDP or both.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port port-overloading
vsr running port-overloading# protocol PROTOCOL
|
Description |
|---|---|
|
Transmission Control Protocol. |
|
User Datagram Protocol. |
|
Transmission Control Protocol and User Datagram Protocol. |
- Default value
both
factor¶
Select port factor multiplier. For example, with a port range of 64512 and a port factor of 2, the maximum port capacity will be 129024.
vsr running config# vrf <vrf> cg-nat pool <string>{1,56} allocation-mode dynamic-port port-overloading
vsr running port-overloading# factor FACTOR
|
Description |
|---|---|
|
Port factor of 2. |
|
Port factor of 4. |
|
Port factor of 8. |
|
Port factor of 16. |
|
Port factor of 32. |
|
Port factor of 64. |
|
Port factor of 128. |
rule¶
List of CG-NAT rules.
vsr running config# vrf <vrf> cg-nat rule <uint32>
|
Id and priority of the rule. Higher number means lower priority. |
deterministic-snat44¶
Deterministic source NAT44 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match source
ipv4-address (mandatory)¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match source
vsr running source# ipv4-address IPV4-ADDRESS
|
An IPv4 prefix: address and CIDR mask. |
ds-lite¶
Enable Dual Stack Lite. It uses IPv4-in-IPv6 tunneling, with the tunnel endpoints (softwire address) for the NAT mapping, allowing overlap of the IPv4 source address spaces. An ipip tunnel interface with the option ‘ds-lite-aftr’ enabled is necessary.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match ds-lite
softwire-address (mandatory)¶
Match on softwire address.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 match ds-lite
vsr running ds-lite# softwire-address SOFTWIRE-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# pool-name <leafref>
port-algo¶
Port allocation algorithm for new mappings.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# port-algo PORT-ALGO
|
Description |
|---|---|
|
Select the first available port and preserve the parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port. |
|
Select the port randomly without parity preservation. |
|
Select the port randomly and preserve the parity. |
|
Select the first available port without parity preservation. |
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
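The two endpoint-mapping and two endpoint-filtering behaviours described above decide which external hosts can reach a subscriber through an existing mapping, and the same options recur under the other rule types on this page. The following model is an added example, not 6WIND code; the mode labels are hypothetical names for the behaviours in the tables (not the CLI's enum values), ports are handed out sequentially for readability, and all addresses are constructed samples.

```python
# Hypothetical labels for the behaviours in the tables above.
MAP_SAME_DST = "same-destination"   # reuse a mapping only for the same external IP and port
MAP_ANY_DST = "any-destination"     # reuse a mapping for any external IP and port
FILTER_FULL_MATCH = "full-match"    # inbound must match IP/port src and dst of a mapping
FILTER_DST_ONLY = "dst-only"        # inbound only needs a mapped destination IP and port


class NatModel:
    """Minimal single-public-address NAT showing mapping reuse and inbound filtering."""

    def __init__(self, mapping, filtering, first_port=1024):
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = first_port
        self.by_key = {}       # mapping key -> public port
        self.owner = {}        # public port -> (internal ip, internal port)
        self.sessions = set()  # (public port, external ip, external port)

    def outbound(self, int_ip, int_port, ext_ip, ext_port):
        """Translate an outbound packet and return the public source port."""
        if self.mapping == MAP_ANY_DST:
            key = (int_ip, int_port)
        else:
            key = (int_ip, int_port, ext_ip, ext_port)
        port = self.by_key.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_key[key] = port
            self.owner[port] = (int_ip, int_port)
        self.sessions.add((port, ext_ip, ext_port))
        return port

    def inbound(self, ext_ip, ext_port, public_port):
        """Return the internal endpoint an inbound packet reaches, or None if filtered."""
        if public_port not in self.owner:
            return None
        if (self.filtering == FILTER_FULL_MATCH
                and (public_port, ext_ip, ext_port) not in self.sessions):
            return None
        return self.owner[public_port]


def exposure(mapping, filtering):
    """Run one constructed scenario and report who can reach the subscriber."""
    nat = NatModel(mapping, filtering)
    web = nat.outbound("100.64.0.5", 40000, "203.0.113.10", 443)
    dns = nat.outbound("100.64.0.5", 40000, "203.0.113.20", 53)
    return {
        "ports_used": len({web, dns}),
        "peer_reply": nat.inbound("203.0.113.10", 443, web) is not None,
        "other_peer_on_web_port": nat.inbound("203.0.113.20", 53, web) is not None,
        "unsolicited_host": nat.inbound("198.51.100.99", 4444, web) is not None,
    }


if __name__ == "__main__":
    for m in (MAP_SAME_DST, MAP_ANY_DST):
        for f in (FILTER_FULL_MATCH, FILTER_DST_ONLY):
            print(m, f, exposure(m, f))
```

Only the full-match filtering behaviour keeps a host the subscriber never contacted from reaching the mapped port; the any-destination mapping saves ports but does not by itself change that.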
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, steer reply traffic using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows it to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to
vsr running translate-to# conntrack-based-routing true|false
port-overloading¶
Enable configuring port overloading.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to port-overloading
unique-destination¶
Overload a port only when the destination address is unique or destination address and port pair is unique.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to port-overloading
vsr running port-overloading# unique-destination UNIQUE-DESTINATION
|
Description |
|---|---|
|
Overload a port only when the destination address is unique. |
|
Overload a port when the destination address and port pair is unique. |
protocol¶
Enable port overloading for protocol TCP, UDP or both.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to port-overloading
vsr running port-overloading# protocol PROTOCOL
|
Description |
|---|---|
|
Transmission Control Protocol. |
|
User Datagram Protocol. |
|
Transmission Control Protocol and User Datagram Protocol. |
- Default value
both
factor¶
Select port factor multiplier. For example, with a port range of 64512 and a port factor of 2, the maximum port capacity will be 129024.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat44 translate-to port-overloading
vsr running port-overloading# factor FACTOR
|
Description |
|---|---|
|
Port factor of 2. |
|
Port factor of 4. |
|
Port factor of 8. |
|
Port factor of 16. |
|
Port factor of 32. |
|
Port factor of 64. |
|
Port factor of 128. |
deterministic-snat64¶
Deterministic source NAT64 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 match
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 match source
ipv6-address (mandatory)¶
Match on source address. Minimum prefix length is /80.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 match source
vsr running source# ipv6-address IPV6-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# pool-name <leafref>
port-algo¶
Port allocation algorithm for new mappings.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# port-algo PORT-ALGO
|
Description |
|---|---|
|
Select the first available port and preserve the parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port. |
|
Select the port randomly without parity preservation. |
|
Select the port randomly and preserve the parity. |
|
Select the first available port without parity preservation. |
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, steer reply traffic using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows it to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# conntrack-based-routing true|false
destination-prefix¶
NAT64 destination prefix. Allowed prefix lengths are 32, 40, 48, 56, 64, and 96.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to
vsr running translate-to# destination-prefix DESTINATION-PREFIX
|
An IPv6 prefix: address and CIDR mask. |
port-overloading¶
Enable configuring port overloading.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to port-overloading
unique-destination¶
Overload a port only when the destination address is unique or destination address and port pair is unique.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to port-overloading
vsr running port-overloading# unique-destination UNIQUE-DESTINATION
|
Description |
|---|---|
|
Overload a port only when the destination address is unique. |
|
Overload a port when the destination address and port pair is unique. |
protocol¶
Enable port overloading for protocol TCP, UDP or both.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to port-overloading
vsr running port-overloading# protocol PROTOCOL
|
Description |
|---|---|
|
Transmission Control Protocol. |
|
User Datagram Protocol. |
|
Transmission Control Protocol and User Datagram Protocol. |
- Default value
both
factor¶
Select port factor multiplier. For example, with a port range of 64512 and a port factor of 2, the maximum port capacity will be 129024.
vsr running config# vrf <vrf> cg-nat rule <uint32> deterministic-snat64 translate-to port-overloading
vsr running port-overloading# factor FACTOR
|
Description |
|---|---|
|
Port factor of 2. |
|
Port factor of 4. |
|
Port factor of 8. |
|
Port factor of 16. |
|
Port factor of 32. |
|
Port factor of 64. |
|
Port factor of 128. |
dynamic-snat44¶
Dynamic source NAT44 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match
source-application¶
The source application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match
vsr running match# source-application SOURCE-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
destination-application¶
The destination application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match
vsr running match# destination-application DESTINATION-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source (deprecated)¶
Attention
source-address
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match source
ipv4-address (deprecated)¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match source
vsr running source# ipv4-address IPV4-ADDRESS
|
An IPv4 prefix: address and CIDR mask. |
source-address¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match source-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match source-address
vsr running source-address# ADDRESS
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match source-address
vsr running source-address# not NOT
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
destination-address¶
Match on destination address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match destination-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match destination-address
vsr running destination-address# ADDRESS
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match destination-address
vsr running destination-address# not NOT
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
protocol¶
Select protocol to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol
tcp¶
Match TCP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol tcp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol tcp
vsr running tcp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol tcp
vsr running tcp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
udp¶
Match UDP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol udp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol udp
vsr running udp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol udp
vsr running udp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
icmp¶
Match ICMP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol icmp
Match ICMP message type.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match protocol icmp
vsr running icmp# icmp-type [not] VALUE
The ICMP message type value to match.
VALUE
|
Description |
|---|---|
|
Any ICMP type. |
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Network unreachable. |
|
Host unreachable. |
|
Protocol unreachable. |
|
Port unreachable. |
|
Fragmentation needed. |
|
Source route failed. |
|
Network unknown. |
|
Host unknown. |
|
Network prohibited. |
|
Host prohibited. |
|
TOS network unreachable. |
|
TOS host unreachable. |
|
Communication prohibited. |
|
Host precedence violation. |
|
Precedence cutoff. |
|
Source quench. |
|
Redirect. |
|
Network redirect. |
|
Host redirect. |
|
TOS network redirect. |
|
TOS host redirect. |
|
Router advertisement. |
|
Router solicitation. |
|
TTL exceeded. |
|
Time to Live exceeded in Transit. |
|
Fragment Reassembly Time Exceeded. |
|
Parameter problem. |
|
Bad IP header. |
|
Missing a Required Option. |
|
Timestamp request. |
|
Timestamp reply. |
|
Information request reply. |
|
Information response reply. |
|
Address mask request. |
|
Address mask reply. |
|
No description. |
mark¶
Match only this mark.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match
vsr running match# mark [not] VALUE
VALUE (mandatory)¶
The mark value to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
ds-lite¶
Enable Dual Stack Lite. It uses IPv4-in-IPv6 tunneling, with the tunnel endpoints (softwire address) for the NAT mapping, allowing overlap of the IPv4 source address spaces. An ipip tunnel interface with the option ‘ds-lite-aftr’ enabled is necessary.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match ds-lite
softwire-address¶
Match on softwire address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 match ds-lite
vsr running ds-lite# softwire-address SOFTWIRE-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# pool-name <leafref>
max-blocks-per-user¶
Maximum number of port blocks assigned to a user.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# max-blocks-per-user <1-65535>
block-algo¶
Select the block allocation algorithm when the active block is full.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# block-algo BLOCK-ALGO
|
Description |
|---|---|
|
Allocate a new block to the user if max-blocks-per-user is not reached, reducing port predictability. |
|
Reuse an existing user block with an available port, reducing the number of blocks per user and the number of block event logs. |
active-block-timeout¶
unit: seconds
Interval during which the current block is used to allocate sessions. When set to 0, the current block is always used.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# active-block-timeout <uint16>
user-timeout¶
unit: seconds
Interval during which the current user remains active after all user flows have expired.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# user-timeout <1-65535>
port-algo¶
Port allocation algorithm for new mappings.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# port-algo PORT-ALGO
|
Description |
|---|---|
|
Select the first available port and preserve the parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port. |
|
Select the port randomly without parity preservation. |
|
Select the port randomly and preserve the parity. |
|
Select the first available port without parity preservation. |
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, steer reply traffic using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows it to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to
vsr running translate-to# conntrack-based-routing true|false
port-overloading¶
Enable configuring port overloading.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to port-overloading
unique-destination¶
Overload a port only when the destination address is unique or destination address and port pair is unique.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to port-overloading
vsr running port-overloading# unique-destination UNIQUE-DESTINATION
|
Description |
|---|---|
|
Overload a port only when the destination address is unique. |
|
Overload a port when the destination address and port pair is unique. |
protocol¶
Enable port overloading for protocol TCP, UDP or both.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to port-overloading
vsr running port-overloading# protocol PROTOCOL
|
Description |
|---|---|
|
Transmission Control Protocol. |
|
User Datagram Protocol. |
|
Transmission Control Protocol and User Datagram Protocol. |
- Default value
both
factor¶
Select port factor multiplier. For example, with a port range of 64512 and a port factor of 2, the maximum port capacity will be 129024.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat44 translate-to port-overloading
vsr running port-overloading# factor FACTOR
|
Description |
|---|---|
|
Port factor of 2. |
|
Port factor of 4. |
|
Port factor of 8. |
|
Port factor of 16. |
|
Port factor of 32. |
|
Port factor of 64. |
|
Port factor of 128. |
dynamic-port-snat44¶
Dynamic source NAT44 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match
source-application¶
The source application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match
vsr running match# source-application SOURCE-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
destination-application¶
The destination application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match
vsr running match# destination-application DESTINATION-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source (deprecated)¶
Attention
source-address
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match source
ipv4-address (deprecated)¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match source
vsr running source# ipv4-address IPV4-ADDRESS
|
An IPv4 prefix: address and CIDR mask. |
source-address¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match source-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match source-address
vsr running source-address# ADDRESS
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match source-address
vsr running source-address# not NOT
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
destination-address¶
Match on destination address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match destination-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match destination-address
vsr running destination-address# ADDRESS
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match destination-address
vsr running destination-address# not NOT
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 prefix: address and CIDR mask. |
protocol¶
Select protocol to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol
tcp¶
Match TCP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol tcp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol tcp
vsr running tcp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol tcp
vsr running tcp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
udp¶
Match UDP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol udp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol udp
vsr running udp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol udp
vsr running udp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
icmp¶
Match ICMP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol icmp
Match ICMP message type.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match protocol icmp
vsr running icmp# icmp-type [not] VALUE
The ICMP message type value to match.
VALUE
|
Description |
|---|---|
|
Any ICMP type. |
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Network unreachable. |
|
Host unreachable. |
|
Protocol unreachable. |
|
Port unreachable. |
|
Fragmentation needed. |
|
Source route failed. |
|
Network unknown. |
|
Host unknown. |
|
Network prohibited. |
|
Host prohibited. |
|
TOS network unreachable. |
|
TOS host unreachable. |
|
Communication prohibited. |
|
Host precedence violation. |
|
Precedence cutoff. |
|
Source quench. |
|
Redirect. |
|
Network redirect. |
|
Host redirect. |
|
TOS network redirect. |
|
TOS host redirect. |
|
Router advertisement. |
|
Router solicitation. |
|
TTL exceeded. |
|
Time to Live exceeded in Transit. |
|
Fragment Reassembly Time Exceeded. |
|
Parameter problem. |
|
Bad IP header. |
|
Missing a Required Option. |
|
Timestamp request. |
|
Timestamp reply. |
|
Information request reply. |
|
Information response reply. |
|
Address mask request. |
|
Address mask reply. |
|
No description. |
mark¶
Match only this mark.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match
vsr running match# mark [not] VALUE
VALUE (mandatory)¶
The mark value to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
ds-lite¶
Enable Dual Stack Lite. It uses IPv4-in-IPv6 tunneling, with the tunnel endpoints (softwire address) for the NAT mapping, allowing overlap of the IPv4 source address spaces. An ipip tunnel interface with the option ‘ds-lite-aftr’ enabled is necessary.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match ds-lite
softwire-address¶
Match on softwire address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 match ds-lite
vsr running ds-lite# softwire-address SOFTWIRE-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# pool-name <leafref>
user-timeout¶
unit: seconds
Interval during which the current user remains active after all user flows have expired.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# user-timeout <1-65535>
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows reply traffic to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat44 translate-to
vsr running translate-to# conntrack-based-routing true|false
dynamic-snat64¶
Dynamic source NAT64 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match
source-application¶
The source application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match
vsr running match# source-application SOURCE-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
destination-application¶
The destination application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match
vsr running match# destination-application DESTINATION-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source (deprecated)¶
Attention
source-address
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match source
ipv6-address (deprecated) (mandatory)¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match source
vsr running source# ipv6-address IPV6-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
source-address¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match source-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match source-address
vsr running source-address# ADDRESS
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match source-address
vsr running source-address# not NOT
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
destination-address¶
Match on destination address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match destination-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match destination-address
vsr running destination-address# ADDRESS
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match destination-address
vsr running destination-address# not NOT
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
protocol¶
Select protocol to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol
tcp¶
Match TCP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol tcp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol tcp
vsr running tcp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol tcp
vsr running tcp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
udp¶
Match UDP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol udp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol udp
vsr running udp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol udp
vsr running udp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
icmpv6¶
Match ICMPv6 protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol icmpv6
Match ICMPv6 message type.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match protocol icmpv6
vsr running icmpv6# icmp-type [not] VALUE
The ICMPv6 message type value to match.
VALUE
|
Description |
|---|---|
|
Any ICMPv6 type. |
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
|
No description. |
mark¶
Match only this mark.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match
vsr running match# mark [not] VALUE
VALUE (mandatory)¶
The mark value to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
ds-lite¶
Enable Dual Stack Lite. It uses IPv4-in-IPv6 tunneling, with the tunnel endpoints (softwire address) for the NAT mapping, allowing overlap of the IPv4 source address spaces. An ipip tunnel interface with the option ‘ds-lite-aftr’ enabled is necessary.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match ds-lite
softwire-address¶
Match on softwire address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 match ds-lite
vsr running ds-lite# softwire-address SOFTWIRE-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# pool-name <leafref>
max-blocks-per-user¶
Maximum number of port blocks assigned to a user.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# max-blocks-per-user <1-65535>
block-algo¶
Select the block allocation algorithm when the active block is full.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# block-algo BLOCK-ALGO
|
Description |
|---|---|
|
Allocate a new block to the user if max-blocks-per-user is not reached, reducing port predictability. |
|
Reuse an existing user block with an available port, reducing the number of blocks per user and the number of block event logs. |
active-block-timeout¶
unit: seconds
Interval during which the current block is used to allocate sessions. When set to 0, the current block is always used.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# active-block-timeout <uint16>
user-timeout¶
unit: seconds
Interval during which the current user remains active after all user flows have expired.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# user-timeout <1-65535>
port-algo¶
Port allocation algorithm for new mappings.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# port-algo PORT-ALGO
|
Description |
|---|---|
|
Select the first available port and preserve the parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port. |
|
Select the port randomly without parity preservation. |
|
Select the port randomly and preserve the parity. |
|
Select the first available port without parity preservation. |
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows reply traffic to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# conntrack-based-routing true|false
destination-prefix¶
NAT64 destination prefix. Allowed prefix lengths are 32, 40, 48, 56, 64, and 96.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to
vsr running translate-to# destination-prefix DESTINATION-PREFIX
|
An IPv6 prefix: address and CIDR mask. |
port-overloading¶
Enable configuring port overloading.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to port-overloading
unique-destination¶
Overload a port only when the destination address is unique or the destination address and port pair is unique.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to port-overloading
vsr running port-overloading# unique-destination UNIQUE-DESTINATION
|
Description |
|---|---|
|
Overload a port only when the destination address is unique. |
|
Overload a port when the destination address and port pair is unique. |
protocol¶
Enable port overloading for protocol TCP, UDP or both.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to port-overloading
vsr running port-overloading# protocol PROTOCOL
|
Description |
|---|---|
|
Transmission Control Protocol. |
|
User Datagram Protocol. |
|
Transmission Control Protocol and User Datagram Protocol. |
- Default value
both
factor¶
Select port factor multiplier. For example, with a port range of 64512 and a port factor of 2, the maximum port capacity will be 129024.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-snat64 translate-to port-overloading
vsr running port-overloading# factor FACTOR
|
Description |
|---|---|
|
Port factor of 2. |
|
Port factor of 4. |
|
Port factor of 8. |
|
Port factor of 16. |
|
Port factor of 32. |
|
Port factor of 64. |
|
Port factor of 128. |
dynamic-port-snat64¶
Dynamic source NAT64 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match
source-application¶
The source application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match
vsr running match# source-application SOURCE-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
destination-application¶
The destination application to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match
vsr running match# destination-application DESTINATION-APPLICATION
|
Description |
|---|---|
|
No description. |
|
No description. |
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source (deprecated)¶
Attention
source-address
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match source
ipv6-address (deprecated) (mandatory)¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match source
vsr running source# ipv6-address IPV6-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
source-address¶
Match on source address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match source-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match source-address
vsr running source-address# ADDRESS
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match source-address
vsr running source-address# not NOT
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
destination-address¶
Match on destination address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match destination-address
ADDRESS¶
The address, network, address-group or network-group to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match destination-address
vsr running destination-address# ADDRESS
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
|
No description. |
|
No description. |
not¶
Excluded address or network from the match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match destination-address
vsr running destination-address# not NOT
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
protocol¶
Select protocol to match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol
tcp¶
Match TCP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol tcp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol tcp
vsr running tcp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol tcp
vsr running tcp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
udp¶
Match UDP protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol udp
Source port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol udp
vsr running udp# source-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
Destination port match.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol udp
vsr running udp# destination-port VALUE
The ports or port ranges to match.
VALUE
|
A comma-separated list of ports or port ranges. Examples: ‘21,22,1024-2048’. |
icmpv6¶
Match ICMPv6 protocol.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol icmpv6
Match ICMPv6 message type.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match protocol icmpv6
vsr running icmpv6# icmp-type [not] VALUE
The ICMPv6 message type value to match.
VALUE
|
Description |
|---|---|
|
Any ICMPv6 type. |
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
|
No description. |
mark¶
Match only this mark.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match
vsr running match# mark [not] VALUE
VALUE (mandatory)¶
The mark value to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
ds-lite¶
Enable Dual Stack Lite. It uses IPv4-in-IPv6 tunneling, with the tunnel endpoints (softwire address) for the NAT mapping, allowing overlap of the IPv4 source address spaces. An ipip tunnel interface with the option ‘ds-lite-aftr’ enabled is necessary.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match ds-lite
softwire-address¶
Match on softwire address.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 match ds-lite
vsr running ds-lite# softwire-address SOFTWIRE-ADDRESS
|
An IPv6 prefix: address and CIDR mask. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
pool-name (mandatory)¶
Name of IP address pool used for translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# pool-name <leafref>
user-timeout¶
unit: seconds
Interval during which the current user remains active after all user flows have expired.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# user-timeout <1-65535>
max-conntracks-per-user¶
Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# max-conntracks-per-user <uint32>
endpoint-mapping¶
NAT endpoint mapping behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# endpoint-mapping ENDPOINT-MAPPING
|
Description |
|---|---|
|
Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port. |
|
Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port. |
endpoint-filtering¶
NAT endpoint filtering behavior.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# endpoint-filtering ENDPOINT-FILTERING
|
Description |
|---|---|
|
Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst). |
|
Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ). |
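The endpoint-mapping and endpoint-filtering behaviors described above, modeled as an added example (not vendor code) so the inbound exposure of each combination can be compared. The class, the flag names `map_per_destination` and `filter_full_match`, the sequential port allocation and all addresses are assumptions made for illustration; they are not CLI values.

```python
class NatModel:
    """Toy NAT table reproducing the mapping and filtering rules from the tables above."""

    def __init__(self, map_per_destination, filter_full_match, first_port=1024):
        # map_per_destination: reuse a mapping only towards the same external IP/port.
        # filter_full_match: inbound packets must come from a contacted external IP/port.
        self.map_per_destination = map_per_destination
        self.filter_full_match = filter_full_match
        self._next_port = first_port   # constructed allocator: sequential ports
        self._mappings = {}            # mapping key -> external port
        self._owners = {}              # external port -> internal endpoint
        self._peers = {}               # external port -> remote endpoints contacted

    def outbound(self, internal, remote):
        """Translate an outbound packet; return the external port it is mapped to."""
        key = (internal, remote) if self.map_per_destination else internal
        port = self._mappings.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._mappings[key] = port
            self._owners[port] = internal
            self._peers[port] = set()
        self._peers[port].add(remote)
        return port

    def inbound(self, remote, external_port):
        """Return the internal endpoint an inbound packet reaches, or None if filtered."""
        internal = self._owners.get(external_port)
        if internal is None:
            return None                      # no mapping on that port at all
        if self.filter_full_match and remote not in self._peers[external_port]:
            return None                      # source IP/port never contacted
        return internal


def exposure_report():
    """Run one constructed scenario against the four setting combinations."""
    host = ("10.0.0.5", 40000)               # internal endpoint (constructed)
    server_a = ("203.0.113.10", 443)         # contacted by the host
    server_b = ("203.0.113.20", 443)         # contacted by the host
    stranger = ("192.0.2.99", 5555)          # never contacted
    report = {}
    for per_dest in (False, True):
        for full_match in (False, True):
            nat = NatModel(per_dest, full_match)
            port_a = nat.outbound(host, server_a)
            port_b = nat.outbound(host, server_b)
            report[(per_dest, full_match)] = {
                "ports": len({port_a, port_b}),
                "reply_ok": nat.inbound(server_a, port_a) == host,
                "third_party_ok": nat.inbound(stranger, port_a) == host,
                "cross_peer_ok": nat.inbound(server_b, port_a) == host,
            }
    return report


if __name__ == "__main__":
    for combo, outcome in exposure_report().items():
        print(combo, outcome)
```

With destination-only filtering, any external host that learns a mapped port can reach the internal endpoint for as long as the mapping lives; full-match filtering limits inbound traffic to endpoints the host has already contacted.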
hairpinning¶
Enable communication between two hosts on the internal network, using their mapped endpoint.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# hairpinning true|false
address-pooling¶
CG-NAT Address Pooling mode.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# address-pooling ADDRESS-POOLING
|
Description |
|---|---|
|
In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE. |
|
In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows reply traffic to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# conntrack-based-routing true|false
destination-prefix¶
NAT64 destination prefix. Allowed prefix lengths are 32, 40, 48, 56, 64, and 96.
vsr running config# vrf <vrf> cg-nat rule <uint32> dynamic-port-snat64 translate-to
vsr running translate-to# destination-prefix DESTINATION-PREFIX
|
An IPv6 prefix: address and CIDR mask. |
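The destination-prefix option of dynamic-snat64 and dynamic-port-snat64 accepts the six prefix lengths that RFC 6052 defines for IPv4-embedded IPv6 addresses. The following added example (not vendor code) assumes the translator follows the RFC 6052 layout and shows where the IPv4 destination sits for each length, and how to recover it from a logged IPv6 destination. Function names and the sample addresses are constructed.

```python
import ipaddress

# Prefix lengths the page allows for destination-prefix (same set as RFC 6052).
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # byte holding bits 64..71, which RFC 6052 reserves as zero

# Constructed sample: IPv6 destinations as they could appear in flow logs.
SAMPLE_LOG_DESTINATIONS = ["64:ff9b::c000:221", "2001:db8::1"]


def _check_prefix(prefix):
    """Parse a NAT64 prefix and reject lengths or layouts that cannot be used."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # host bits must be zero
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{net.prefixlen} is not allowed")
    if net.network_address.packed[U_OCTET] != 0:
        raise ValueError("bits 64..71 of the prefix must be zero")
    return net


def _ipv4_positions(prefixlen):
    """Byte offsets of the four IPv4 octets: right after the prefix, skipping byte 8."""
    positions = []
    index = prefixlen // 8
    while len(positions) < 4:
        if index != U_OCTET:
            positions.append(index)
        index += 1
    return positions


def embed_ipv4(prefix, ipv4):
    """Build the IPv6 address a NAT64 client uses to reach an IPv4 host."""
    net = _check_prefix(prefix)
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for position, octet in zip(_ipv4_positions(net.prefixlen), octets):
        raw[position] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract_ipv4(prefix, ipv6):
    """Recover the IPv4 destination from an address inside the NAT64 prefix."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    raw = addr.packed
    if raw[U_OCTET] != 0:
        raise ValueError("bits 64..71 are not zero; not an RFC 6052 address")
    return ipaddress.IPv4Address(bytes(raw[p] for p in _ipv4_positions(net.prefixlen)))


def annotate_destinations(prefix, addresses):
    """Map logged IPv6 destinations to the IPv4 host behind them (None if not NAT64)."""
    result = {}
    for text in addresses:
        try:
            result[text] = str(extract_ipv4(prefix, text))
        except ValueError:
            result[text] = None
    return result


if __name__ == "__main__":
    for length_example in ("2001:db8::/32", "2001:db8:122:344::/64", "64:ff9b::/96"):
        print(length_example, "->", embed_ipv4(length_example, "192.0.2.33"))
    print(annotate_destinations("64:ff9b::/96", SAMPLE_LOG_DESTINATIONS))
```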
static-dnat44¶
Static destination NAT44 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match
inbound-interface (mandatory)¶
Interface to match on inbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match
vsr running match# inbound-interface INBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match source
ipv4-range¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match source
vsr running source# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
destination¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match destination
ipv4-range (mandatory)¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match destination
vsr running destination# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
protocol¶
Match on protocol and source port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol
tcp¶
Match TCP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol tcp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol tcp
vsr running tcp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol tcp
vsr running tcp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
udp¶
Match UDP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol udp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol udp
vsr running udp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 match protocol udp
vsr running udp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 translate-to
destination-port¶
Translate to a port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 translate-to
vsr running translate-to# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
ipv4-range (mandatory)¶
Translate to an address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 translate-to
vsr running translate-to# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using conntrack information about its origin (source interface, MAC address) instead of relying on standard route lookup and neighbor discovery mechanisms. This allows reply traffic to get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat44 translate-to
vsr running translate-to# conntrack-based-routing true|false
static-dnat46¶
Static destination NAT46 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match
inbound-interface (mandatory)¶
Interface to match on inbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match
vsr running match# inbound-interface INBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match source
ipv4-range¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match source
vsr running source# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
destination¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match destination
ipv4-range (mandatory)¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match destination
vsr running destination# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
protocol¶
Match on protocol and source port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol
tcp¶
Match TCP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol tcp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol tcp
vsr running tcp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol tcp
vsr running tcp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
udp¶
Match UDP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol udp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol udp
vsr running udp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 match protocol udp
vsr running udp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 translate-to
ipv6-range (mandatory)¶
Translate to an address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 translate-to
vsr running translate-to# ipv6-range IPV6-RANGE
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 address range, in the form addr6-addr6. |
destination-port¶
Translate to a port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 translate-to
vsr running translate-to# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
source-prefix¶
NAT46 source prefix. Allowed prefix lengths are 32, 40, 48, 56, 64, and 96.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 translate-to
vsr running translate-to# source-prefix SOURCE-PREFIX
|
An IPv6 prefix: address and CIDR mask. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using the conntrack information recorded about its origin (source interface, MAC address) instead of the standard route lookup and neighbor discovery mechanisms. This lets reply traffic get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> static-dnat46 translate-to
vsr running translate-to# conntrack-based-routing true|false
static-snat44¶
Static source NAT44 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match source
ipv4-range (mandatory)¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match source
vsr running source# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
destination¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match destination
ipv4-range¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match destination
vsr running destination# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
protocol¶
Match on protocol and source port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol
tcp¶
Match TCP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol tcp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol tcp
vsr running tcp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol tcp
vsr running tcp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
udp¶
Match UDP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol udp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol udp
vsr running udp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 match protocol udp
vsr running udp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 translate-to
source-port¶
Translate to a port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 translate-to
vsr running translate-to# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
ipv4-range (mandatory)¶
Translate to an address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 translate-to
vsr running translate-to# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using the conntrack information recorded about its origin (source interface, MAC address) instead of the standard route lookup and neighbor discovery mechanisms. This lets reply traffic get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat44 translate-to
vsr running translate-to# conntrack-based-routing true|false
static-snat64¶
Static source NAT64 translation.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64
match¶
Match parameters.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match
outbound-interface (mandatory)¶
Interface to match on outbound.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match
vsr running match# outbound-interface OUTBOUND-INTERFACE
|
An interface name. |
source¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match source
ipv6-range (mandatory)¶
Match on source address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match source
vsr running source# ipv6-range IPV6-RANGE
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 address range, in the form addr6-addr6. |
destination¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match destination
ipv6-range¶
Match on destination address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match destination
vsr running destination# ipv6-range IPV6-RANGE
|
Description |
|---|---|
|
An IPv6 address. |
|
An IPv6 address range, in the form addr6-addr6. |
protocol¶
Match on protocol and source port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol
tcp¶
Match TCP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol tcp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol tcp
vsr running tcp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol tcp
vsr running tcp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
udp¶
Match UDP protocol and source ports.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol udp
Match on a source port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol udp
vsr running udp# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
Match on a destination port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 match protocol udp
vsr running udp# destination-port DESTINATION-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
translate-to¶
Translate to.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 translate-to
ipv4-range (mandatory)¶
Translate to an address or address range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 translate-to
vsr running translate-to# ipv4-range IPV4-RANGE
|
Description |
|---|---|
|
An IPv4 address. |
|
An IPv4 address range, in the form addr4-addr4. |
conntrack-based-routing¶
Toggle conntrack-based routing. When enabled, reply traffic is steered using the conntrack information recorded about its origin (source interface, MAC address) instead of the standard route lookup and neighbor discovery mechanisms. This lets reply traffic get through even if the host is otherwise unreachable (e.g. due to a missing route).
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 translate-to
vsr running translate-to# conntrack-based-routing true|false
source-port¶
Translate to a port or port range.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 translate-to
vsr running translate-to# source-port SOURCE-PORT
|
Description |
|---|---|
|
No description. |
|
A port-range. Examples: ‘1024-2048’. |
destination-prefix¶
NAT64 destination prefix. Allowed prefix lengths are 32, 40, 48, 56, 64, and 96.
vsr running config# vrf <vrf> cg-nat rule <uint32> static-snat64 translate-to
vsr running translate-to# destination-prefix DESTINATION-PREFIX
|
An IPv6 prefix: address and CIDR mask. |
logging¶
CG-NAT log configuration.
vsr running config# vrf <vrf> cg-nat logging
enabled¶
Enable logging.
vsr running config# vrf <vrf> cg-nat logging
vsr running logging# enabled true|false
- Default value
true
local¶
Generate logs locally.
vsr running config# vrf <vrf> cg-nat logging
vsr running logging# local true|false
event¶
Events to log.
vsr running config# vrf <vrf> cg-nat logging
vsr running logging# event EVENT
|
Description |
|---|---|
|
Log conntrack allocation and destroy events. |
|
Log deterministic configuration events. |
|
Log port-block allocation and destroy events. |
ipfix¶
Configuration for IPFIX message logging. When multiple collector groups are configured, log messages will be duplicated to all collector groups.
vsr running config# vrf <vrf> cg-nat logging ipfix
events¶
Events to log in IPFIX format.
vsr running config# vrf <vrf> cg-nat logging ipfix
vsr running ipfix# events EVENTS
|
Description |
|---|---|
|
Log conntrack allocation and destroy events. |
|
Log port-block allocation and destroy events. |
collector-group¶
List of IPFIX collector groups that all receive duplicate logs.
vsr running config# vrf <vrf> cg-nat logging ipfix collector-group <leafref>
|
The name of the collector group defined in the global configuration. |
rsyslog¶
Configuration for rsyslog message logging. When multiple collector groups are configured, log messages will be duplicated to all collector groups.
vsr running config# vrf <vrf> cg-nat logging rsyslog
events¶
Events to log in rsyslog format.
vsr running config# vrf <vrf> cg-nat logging rsyslog
vsr running rsyslog# events EVENTS
|
Description |
|---|---|
|
Log conntrack allocation and destroy events. |
|
Log port-block allocation and destroy events. |
collector-group¶
List of rsyslog collector groups that all receive duplicate logs.
vsr running config# vrf <vrf> cg-nat logging rsyslog collector-group <leafref>
|
The name of the collector group defined in the global configuration. |