Network Address Translation Command Reference

This command is applicable to prefixes in deterministic NAT (LSN44 and DS-Lite). Its purpose is to split the number of subscribers within the configured prefix over available sequence of outside IP addresses.

There are several rules guiding the usage of the map statement:

To modify map statements, the corresponding prefix must be in a shutdown mode.

Map statements can be configured automatically by the system, as soon as the prefix is enabled (no shutdown state) or they can be configured manually by the operator while the prefix is disabled.

The following is an example of the map statement for the LSN44 case:

Since each outside IP address can accommodate only 128 hosts, the subscribers (IPv4 addresses in LSN44) from the 10.0.0.0/24 prefix will be split and mapped into two outside IP addresses

10.0.0.0 – 10.0.0.127 (10.0.0.0/25) - 128.251.0.1

10.0.0.128 – 10.0.0.255 (10.0.0.128/25) - 128.251.0.2

The first IP address range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP address range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.

For Deterministic DS-Lite, the example would be:

There are 256 DS-Lite subscribers within the 2001:DB8::/56 prefix. Each subscriber will be a /64 IPv6 prefix as dictated by the subscriber-prefix-length command.

Since each outside IP address can accommodate only 128 hosts, the subscribers from the 2001:DB8::/56 prefix will be split and mapped into two outside IP addresses

2001:DB8:: – 2001:DB8:0:7F:: (2001:DB8::/57) - 128.251.0.1

2001:DB8:0:80:: – 2001:DB8:0:FF::(2001:DB8:0:FF::/57) - 128.251.0.2

The first IP prefix range will be mapped to the ‘to’ address in the map statement => 128.251.0.1. The second IP prefix range will be mapped into the next consecutive IP address in the pool assuming that this IP address is free. In this case this consecutive address (128.251.0,2) would not be shown in the map statement.

This command enables the context to configure Dual Stack Lite parameters.

In order for the DS-Lite feature to work, the ingress traffic (the IPv6 traffic that has to go to the NAT) must come from an IOM-3. If an IOM-2 is used, the IPv6 packet with destination the NAT will be dropped and an ICMP packet will be sent back.

This command configures the IP address of the NAT redundancy peer in the realm of this virtual router instance.

This command sets the value for the number of high order bits of the source IPv6 address that will be considered as DS-Lite subscriber. The remaining bits of the source IPv6 address will be masked off, effectively aggregation all IPv6 source addresses under the configured prefix length into a single DS-Lite subscriber. Source IPv4 addresses/ports of the traffic carried within the DS-Lite subscriber will be translated into a single outside IPv4 address and the corresponding deterministic port-block (port-blocks can be extended).

The range of values for subscriber-prefix-length in non-deterministic DS-Lite is limited from 32 to 64 (a prefix will be considered as a DS-Lite subscriber) or it can be set to a value of 128 (the source IPv6 address is considered as a DS-Lite subscriber).

In cases where deterministic DS-Lite is enabled in a giver inside routing context, the range of values of the subscriber-prefix-length depends on the value of dslite-max-subscriber-limit parameter as follows:

subscriber-prefix-length – n = [32..64,128]

where n = log2(dslite-max-subscriber-limit)

[or in an alternate form: dslite-max-subscriber-limit = 2^n.]

In other words the largest prefix length for the deterministic DS-lite subscriber will be 32+n, where n = log2(dslite-max-subscriber-limit). The subscriber prefix length can extend up to 64 bits. Beyond 64 bits for the subscriber prefix length, there only one value is allowed: 128. In the case n must be 0, which means that the mapping between B4 elements (or IPv6 address) and the IPv4 outside addresses is in 1:1 ratio (no sharing of outside IPv4 addresses).

This parameter can be changed only when there are no deterministic prefixes configured in the same routing context.

The no form of the command reverts to the default.

This command configures downstream IPv6 fragmentation behavior in DS-lite and NAT64. IPv6 fragmentation is performed in the ISA. IPv4 fragmentation is not affected by this command. If desired, downstream IPv4 packet can be fragmented in the carrier IOM before the packet reaches ISA (and the NAT function). The IPv4 fragmentation in the downstream direction can be set by the config>router/vprn>nat>outside>mtu command

DS-Lite IPv6 Fragmentation in Downstream Direction (IPv4 to IPv6)

In case that the length of the received IPv4 packet is larger than the configured tunnel-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented (IPv4 is tunneled within IPv6). The maximum size of the of the fragmented IPv6 packet will be 48bytes larger than the configured tunnel-mtu value. This is due to the size of the tunneling IPv6 header: 40bytes basic IPv6 header + 8 bytes of extended fragmentation IPv6 header.

In case that fragmentation is not allowed while the IPv4 packet size is larger than configured tunnel-mtu size, the IPv4 packet will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to configured tunnel-mtu value.

NAT64 IPv6 Fragmentation in Downstream Direction (IPv4to IPv6)

In contrast to DS-lite, NAT64 transport is not based on tunneling. Instead, IP headers are translated between IPv4 and IPv6. Consequently, NAT64 fragmentation operates based on the ipv6-mtu, as opposed to tunnel-mtu in DS-lite which represents the size of the tunnel payload (IPv4 packet).

In case that the length of the translated IPv6 packet exceeds the size of the configured ipv6-mtu value while fragmentation is allowed, the resulting IPv6 packet will be fragmented. The maximum size of the of the fragmented IPv6 packet will be the configured ipv6-mtu value.

In case that fragmentation is not allowed while the translated IPv6 packet size is larger than configured ipv6-mtu size, the IPv4 packet (that is supposed to be translated into IPv6) will be dropped and an ICMPv4 Datagram Too Big message will be generated towards the source. The advertised mtu size in that ICMP message will be set to the ipv6-mtu value minus 28bytes. The 28bytes comes from the size of the IPv6 overhead of the translated packet (20bytes difference between the IP header sizes  40bytes in IPv6 vs 20bytes in IPv4; 8 bytes for extended IPv6 fragmentation header).

This command sets the size of the payload in IPv6 packet in downstream DS-lite direction. The payload is, in essence, the tunneled IPv4 packet.

This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.

This command configures the IP address and mask of the subnet.

The no form of the command removes the IP address and prefix length from the configuration.

This command enables the context to configure NAT64.

The no form of the command disables NAT64.

This command specifies if UDP datagrams with zero IPv4 checksum are dropped.

If this command is disabled, the system calculates the IPv6 checksum for each such datagram.

This command specifies if the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.

If this command is disabled, the system copies the IPv4 TOS into the IPv6 traffic class.

This command specifies if the system always inserts an IPv6 fragment header, to indicate that the sender allows fragmentation.

The no form of the command does not allow the system to insert an IPv6 fragment header.

This command enters the “l2-aware” context for configuration specific to Layer 2-aware NAT.

This command configures a Layer 2-aware NAT address. This address will act as a local address of the system. Hosts connected to the inside service will be able to ARP for this address. To verify connectivity, a host can also ping the address. This address is typically used as next hop of the default route of a Layer 2-aware host. The given mask defines a Layer 2-aware subnet. The (inside) IP address used by anLayer 2-aware host must match one of the subnets defined here or it will be rejected.

This command configures the NAT policy that will be used for large-scale NAT in this service.

The no form of the command removes the policy name from the configuration.

This command enables the context to configure NAT64 parameters.

The no form of the command disables NAT64.

This command enables the NAT64 node to drop received UDP datagrams with zero IPv4 checksum. By default, checksum is re-calculated for non-fragmented datagrams.

The no form of the command disabales the command.

This command specifies whether the IPv4 Type Of Service (TOS) is ignored and the IPv6 traffic class bits set to zero.

When disabled, the system copies the IPv4 TOS into the IPv6 traffic class.

The no form of the command recognizes the IPv4 Type Of Service (TOS).

This command specifies whether the NAT64 node will insert IPv6 fragment header to IPv6 packets for which the DF bit is not set in the corresponding IPv4 packet, and is not already a fragment.

The no form of the command disables the insertion.

This command sets the size of the IPv6 downstream packet in NAT64. This packet is translated from IPv4.

The no form of the command reverts to the default.

This command configures the IPv6 prefix used to derive the IPv6 address from the IPv4 address, and is same as the prefix used by DNS64 to generate AAAA record returned for IPv4 endpoint resolution. NAT64 node announces this prefix in routing to attract traffic from IPv6 hosts. If the prefix is not configured, then a well known prefix, 64:FF9B::/96, is used.

The no form of the command removes the prefix from the NAT64 configuration.

This command specifies the value of the IPv4 Type Of Service (TOS) field. When enabled, the NAT64 node ignores IPv6 traffic-class and sets IPv4 TOS to supplied tos-value in the translated IPv4 packet.

The no form of the command reverts to the default.

This command specifies the IPv6 address prefix length to be used for the NAT64 subscribers in this virtual router instance.

The no form of the command

This command enables the context to configure redundancy parameters.

This command is used in LSN44 multi-chassis redundancy in conjunction with filters. The configured peer address is an IPv4 address that is configured under an interface on the peering LSN44 node (active or standby). This IPv4 interface address is advertised via routing on the inside in order to attract traffic from the standby to the active LSN44 node.

If configured, the steering-route will be advertised only from the active LSN44 node. Consequently, upstream traffic for LSN44 will be attracted to the active LSN44 node. The nat action in the ipv4-filter on the active LSN44 node will forward traffic to the local MS-ISA where LSN44 function is performed. However, in that case that upstream traffic somehow arrives on the standby LSN44 node, the nat action in the IPv4-filter will forward traffic to the peer address (active LSN44 node).

The no form of the command removes the peer ipv4-address from the configuration.

This command is used in NAT64 multi-chassis redundancy in conjunction with filters. The configured peer6 address is an IPv6 address configured under an interface on the peering NAT64 node (active or standby). This IPv6 interface address is advertised via routing on the inside in order to attract traffic from the standby to the active NAT64 node.

Under normal circumstances, the NAT64 prefix will be advertised only from the active NAT64 node. Consequently, upstream traffic for NAT64 will be attracted to the active NAT64 node. The nat action in the ipv6-filter on the active NAT64 node will forward traffic to the local MS-ISA where NAT64 function is performed. However, in that case that upstream traffic somehow arrives on the standby NAT64 node, the nat action in the IPv6-filter will forward traffic to the peer6 address (active NAT64 node).

The no form of the command removes the peer6 ip-address from the configuration.

This command is optionally used in LSN44 multi-chassis redundancy when filters are used on the inside to send traffic destined for the LSN44 function to MS-ISA, where NAT is performed.

If configured, the steering-route is advertised only from the active LSN44 node: the purpose is to bring the LSN44 node activity awareness to downstream routers. In this fashion, downstream routers can make a more intelligent decision when forwarding traffic in the upstream direction. Based on the steering-route, traffic can be sent directly towards the active LSN44 node. This route avoids an extra forwarding hop which would ensue in the case without LSN44 activity awareness, where the upstream traffic can be forwarded to the standby LSN44 node and then to the active LSN44 node.

LSN44 node activity (active/stanby) is evaluated per isa-group based on monitoring routes advertised on the outside.

The no form of the command removes the ip-prefix/length from the configuration.

This command enables the context to configure subscriber identification for Large Scale NAT.

This command defines the attribute that will in addition to framed-ip-address (inside IP address) and service-id be used for correlating BNG subscriber with the NAT subscriber.

Only a single attribute at the time can be configured. The attribute will be extracted from the BNG accounting start and/or interim-update messages via Radius accounting proxy server. This attribute can be then optionally passed to the Large Scale NAT44 accounting server. User-name attribute (if included) in Large Scale NAT44 accounting messages will be automatically set to the subscriber-id string.

The attribute parameter can be changed at any given time and the change will be reflected automatically when the next interim-update message from the BNG host is received by Radius accounting proxy.

In case that the BNG accounting message in RADIUS accounting proxy does not contain this attribute, subscriber aware Large Scale NAT44 functionality for this particular subscriber will be disabled.

When this command denies address translation to subscribers that have not been identified via accounting messages sent by BNG and received by Radius accounting proxy. This command has effect only in Subscriber Aware Application.

This command configures RADIUS proxy server parameters. This is a reference to a RADIUS accounting proxy server in Subscriber Aware Large Scale NAT44 application. RADIUS accounting proxy server will cache attributes related to a BNG subscriber as they are received in standard accounting messages (RFC 2866). Radius accounting proxy server can be configured in any routing instance within 7750 SR.

This command configures the MTU for downstream traffic flowing through this router (as outside NAT router). The system fragments IP datagrams exceeding the MTU.

This command creates a NAT pool in the outside routing context. The nat pool defines the parameters that will be used for IP address and port translation within the pool.

This command configures a NAT address range.

This command starts or stops draining this NAT address range. When an address-range is being drained, it will not be used to serve new hosts. Existing hosts, however, will still be able to use the address that was assigned to them even if it is being drained.An address-range can only be deleted if the parent pool is shut down or if the range itself is effectively drained (no hosts are using the addresses anymore).

This command specifies the mode of operation of this NAT address pool.

The no form of the command reverts to the default.

This command configures the end of the port range available for port forwarding. The start of the range is always equal to one.

The number of ports that can be configured is half of the available block => 64512 : 2 = 32256

In combination with port-forwarding-range the formulas are:

      "max port-reservation blocks" = 65535 - "port-forwarding-range"

      "max port-reservation ports" = (65535 - "port-forwarding-range") / 2

with:

the default min value for "port-forwarding-range" = 1023

Also, the same applies for max port-forwarding-range if the port-reservation is already configured:

      "max port-forwarding-range" = 65535 - "port-reservation blocks"

      "max port-forwarding-range" = 65535 - ("port-reservation ports" * 2)

The no form of the command reverts to the default.

This command configures deterministic NAT for this pool

This command is applicable only to deterministic NAT. It configures the number of deterministic ports per subscriber (for example a subscriber is an inside IP address in LSN44 or IPv6 address or prefix in DS-lite). Once this command is enabled, the pool will transition into deterministic mode of operation. This means that the subscribers can use dynamic port-blocks in the pool only as a mean to expand the range of originally assigned deterministic ports. A pool with such property is referred to as deterministic pool. However, deterministic NAT and non-deterministic NAT cannot use the same pool simultaneously.

All subscribers in deterministic pool are pre-mapped during the configuration phase to outside IP addresses and deterministic port-blocks. Because of this, the deterministic pool cannot be oversubscribed with subscribers (first-come, first-served).

Once the deterministic pool becomes operational (no shutdown) a log is created. The same applies if the pool is disabled (shutdown). As a result of this ’one time’ logging, there will be no additional logging when a subscriber starts using ports from the pre-assigned deterministic port block. This drastically reduces the logging overhead. However, when a deterministic port block is expanded by a dynamic port block, a log will be created on any allocation/de-allocation of the dynamic port block. The logs are also created for static port forwards (including PCP).

The number of subscribers per outside IP address (subscriber-limit) multiplied by the number of deterministic ports per subscriber (port-reservation) will determine the port range of an outside IP address that will be dedicated to deterministic mappings. The number of subscribers per outside IP address in deterministic NAT must be power of 2 (2^n). Once the deterministic ports are allocated, the dynamic ports are carved out of the remaining port space of the same outside IP address according to the existing port-reservation command under the same hierarchy,

This command configures the size of the port-block that will be assigned to a host that is served by this pool. The number of ports configured here will be available to UDP, TCP and ICMP (as identifiers).

This command configures the mode of operation of this NAT pool.

This command will enable the reservation of the dynamic port blocks when the first port forward for the subscriber is created. The dynamic port bloc allocation is logged only if the block is being utilized (mapping are created). In other words, dynamic port block reservation due to the port forward creation but without any dynamic mapping, will not be logged.

The reserved port block will be released only when the last mapping in the block expires AND there is not port forward associated with the subscriber. The de-allocation log (syslog or Radius) will be generated when the dynamic port block is completely released.

Dynamic port block reservation can be enabled only if the configured maximum number of subscriber per outside IP address is less or equal then the maximum number of configured port blocks per outside IP address.

This command specifies the end of the port range available for port forwarding. The start of the range is always equal to one.

This command enables the context to configure NAT pool redundancy parameters.

This command configures the route to export to the peer. While the export prefix is configured and the value of the object tmnxNatPlLsnRedActive is equal to true, the system exports this prefix in the realm of the virtual router instance associated with this pool; to the NAT redundancy peer, the presence of this prefix is an indication that the Large Scale NAT function in this virtual router instance is active; hence, the export prefix of this system is the monitor prefix of the peer.

The export prefix must be different from the monitor prefix.

This command implicitly enables Pool Fate-Sharing Group (PFSG) which is required in case of multiple NAT policies per inside routing context. A NAT pool configured with this command will not advertize or monitor any route in order to change its (activity) state but instead it will directly follow the state of the lead pool in the PFSG. Once the lead pool changes its (activity) state, all the remaining pools following the lead pool will change their state accordingly.

This command configures the IP address of the prefix to be monitored.

While the monitor prefix is configured, the system monitors the presence of this prefix in the routing table of the virtual router instance associated with this pool; the presence of this prefix is an indication that the NAT redundancy peer is active; the monitor prefix of this system is the export prefix of the peer.

The monitor prefix must be different from the export prefix.

This command configures the maximum number of subscribers per outside IP address. In case multiple port blocks per subscriber are used, the block size is typically small; all blocks assigned to a given subscriber belong to the same IP address; the subscriber limit guarantees that any subscriber can get a mimimum number of ports.

This command configures the watermarks for this NAT pool.

This command configures the ip-filter for upstream traffic. This filter is applied to the upstream traffic after the NAT function and before it enters the outside virtual router instance; it is useful for traffic that bypasses the ingress filters applied in the inside virtual router instance, such as DSLite traffic.

This command configures the ipv6-filter for upstream traffic. This filter is applied to the upstream traffic after the NAT function and before it enters the outside virtual router instance. This is useful for shared v6 filters that apply to all v6 DSM hosts.

This command associates the MSS adjust group consisting of multiple ISAs with the routing context in which the application requiring TCP MSS adjust resides.