Modifying an active NAT prefix list or NAT classifier via CLI

CLI – Modifying prefix in the NAT prefix list

Existing flows are always checked whether they comply with the NAT prefix list that is currently applied in the subscriber profile for the subscriber. If the flows do not comply with the current NAT prefix list, they are cleared after 5 seconds.

The new flows immediately start using the updated settings.

Changing the prefix in the NAT prefix list internally re-subnets the outside IP address space.

A NAT prefix list is used with multiple NAT policies in L2-Aware NAT and for downstream Internal subnet in DNAT-only scenario for LSN.

The prefix can be modified (added, removed, remapped) at any time in the NAT prefix list, while the NAT policy must be first shut down via CLI.

CLI – Modifying or replacing the NAT classifier

Existing flows are always checked whether they comply with the NAT classifier that is currently applied in the active NAT policy for the subscriber. If the flows do not comply with the current NAT classifier, they are cleared after 5 seconds.

The new flows immediately start using the updated settings.

Changing the NAT classifier have the same effect as in L2-Aware NAT; all existing flows using the NAT classifier are checked whether they comply with this classifier or not.

The NAT classifier is used for DNAT.

NAT classifier is referenced in the NAT policy.

CLI - Removing or adding NAT policy in NAT prefix list

Blocked

Not applicable

CLI - Removing or adding NAT policy in the subscriber profile

Blocked

Not applicable

CLI - Removing, adding or replacing NAT prefix list under the rtr/nat/inside/DNAT-only

Not applicable

This action triggers internally re-subnet the source address space according to the new NAT prefix list. However, the current flows in the MS ISA are not affected by this change. In other words, they are not removed if the associated prefix is removed from the prefix list.