0% found this document useful (0 votes)

52 views226 pages

A10 - 4.1.4 GR1 P5 - Cli CGN

Uploaded by

Lin Ken

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

52 views226 pages

A10 - 4.1.4 GR1 P5 - Cli CGN

Uploaded by

Lin Ken

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 226

ACOS 4.1.

4-GR1-P5
Command Line Interface Reference for
CGN
for A10 Thunder® Series
23 September 2020
© 2020 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the
virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America
Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and
patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), pro-
vided later in this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All informa-
tion is provided "as-is." The product specifications and features described in this publication are based on the latest informa-
tion available; however, specifications are subject to change without notice, and certain features may not be available upon
initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ prod-
ucts and services are subject to A10 Networks’ standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper dis-
posal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Net-
works location, which can be found by visiting www.a10networks.com.
Table of Contents

OVERVIEW ....................................................................................................................... 11

CONFIG COMMANDS: LARGE SCALE NAT ...................................................................... 13

LSN Configuration Commands..................................................................................................13
class-list (for LSN) ........................................................................................................................15
cgnv6 enable-port-batch-v1 .....................................................................................................16
cgnv6 ecmp 4-tuple-hash .........................................................................................................16
cgnv6 logging ................................................................................................................................ 17
cgnv6 lsn alg ..................................................................................................................................18
cgnv6 lsn alg sip rtp-stun-timeout .........................................................................................19
cgnv6 lsn attempt-port-preservation .....................................................................................19
cgnv6 lsn endpoint-independent-filtering ............................................................................19
cgnv6 lsn endpoint-independent-mapping .........................................................................20
cgnv6 lsn enhanced-user-tracking ........................................................................................20
cgnv6 lsn hairpinning ..................................................................................................................21
cgnv6 lsn half-close-timeout ................................................................................................... 22
cgnv6 lsn health-check-gateway ........................................................................................... 22
cgnv6 lsn icmp ............................................................................................................................. 23
cgnv6 lsn inbound-refresh ....................................................................................................... 23
cgnv6 lsn inside source class-list ........................................................................................... 23
cgnv6 lsn ip-selection ................................................................................................................ 24
cgnv6 lsn logging default-template ....................................................................................... 25
cgnv6 lsn logging partition ....................................................................................................... 25
cgnv6 lsn logging pool ............................................................................................................... 26
cgnv6 lsn port-batching ............................................................................................................ 26
cgnv6 lsn port-batching tcp-time-wait-interval ................................................................ 27
cgnv6 lsn port-overloading ...................................................................................................... 27
cgnv6 lsn port-overloading allow-different-user ............................................................... 27
cgnv6 lsn port-overloading unique ........................................................................................28
cgnv6 lsn port-reservation .......................................................................................................28
cgnv6 lsn strictly-sticky-nat .................................................................................................... 29
cgnv6 lsn stun-timeout ............................................................................................................. 29
cgnv6 lsn syn-timeout ............................................................................................................... 29
cgnv6 lsn tcp mss-clamp ..........................................................................................................30
cgnv6 lsn tcp reset-on-error ....................................................................................................30
cgnv6 lsn-lid ..................................................................................................................................31
cgnv6 lsn-radius-profile ............................................................................................................ 33
cgnv6 lsn-rule-list .......................................................................................................................34
cgnv6 nat icmp always-source-nat-errors ...........................................................................41

3
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

cgnv6 nat icmp respond-to-ping .............................................................................................41

cgnv6 nat icmpv6 respond-to-ping ........................................................................................41
cgnv6 nat inside source static ..................................................................................................41
cgnv6 nat inside source static partition ................................................................................ 42
cgnv6 nat pool .............................................................................................................................. 42
cgnv6 nat pool-group ................................................................................................................44
cgnv6 nat range-list ...................................................................................................................45
cgnv6 nat exclude-port .............................................................................................................45
cgnv6 one-to-one mapping-timeout ....................................................................................46
cgnv6 one-to-one pool ..............................................................................................................46
cgnv6 one-to-one pool-group ................................................................................................. 47
cgnv6 port-list ..............................................................................................................................48
cgnv6 resource-usage ...............................................................................................................49
cgnv6 sctp rate-limit ..................................................................................................................49
cgnv6 template http-alg ...........................................................................................................50
cgnv6 translation ......................................................................................................................... 53
ip-list ...............................................................................................................................................54
netflow monitor ............................................................................................................................ 55
session-filter ................................................................................................................................. 57
LSN Show Commands................................................................................................................58
show cgnv6 lsn alg ...................................................................................................................... 59
show cgnv6 lsn full-cone-sessions ........................................................................................64
show cgnv6 lsn inside-user ...................................................................................................... 65
show cgnv6 lsn nat-address ....................................................................................................66
show cgnv6 lsn port-overloading config .............................................................................. 67
show cgnv6 lsn port-reservations ..........................................................................................68
show cgnv6 lsn statistics .......................................................................................................... 69
show cgnv6 lsn system-status ............................................................................................... 72
show cgnv6 lsn user-quota-sessions ................................................................................... 74
show cgnv6 lsn-lid ...................................................................................................................... 75
show cgnv6 lsn-rule-list ............................................................................................................ 75
show cgnv6 nat pool .................................................................................................................. 76
show cgnv6 nat pool-group ..................................................................................................... 79
show cgnv6 nat range-list ........................................................................................................80
show cgnv6 nat static-binding ................................................................................................80
show cgnv6 one-to-one mappings ........................................................................................80
show cgnv6 one-to-one pool ..................................................................................................82
show cgnv6 one-to-one pool-group .....................................................................................82
show cgnv6 one-to-one statistics .........................................................................................82
show cgnv6 resource-usage ....................................................................................................82
show cgnv6 template .................................................................................................................83

CONFIG COMMANDS: PORT CONTROL PROTOCOL ..........................................................85

Notes About the Current Release............................................................................................85
PCP Configuration Commands ................................................................................................85
cgnv6 pcp default-template ....................................................................................................86

4
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

cgnv6 template pcp ....................................................................................................................86

PCP Show Commands ...............................................................................................................88
show cgnv6 pcp statistics ........................................................................................................88

CONFIG COMMANDS: NAT64 / DNS64 ....................................................................... 91

DNS64 Configuration Commands ............................................................................................91
cgnv6 nat pool ...............................................................................................................................91
cgnv6 nat pool-group .................................................................................................................91
cgnv6 nat64 prefix ...................................................................................................................... 92
cgnv6 server ................................................................................................................................. 92
cgnv6 service-group ..................................................................................................................94
cgnv6 template dns .................................................................................................................... 95
cgnv6 dns64-virtualserver .....................................................................................................100
NAT64 Configuration Commands ......................................................................................... 102
cgnv6 ecmp 4-tuple-hash ...................................................................................................... 103
class-list (for NAT64) ................................................................................................................ 103
glid (for NAT64 override) .......................................................................................................... 104
cgnv6 nat pool (for NAT64) ..................................................................................................... 104
cgnv6 nat pool-group (for NAT64) ....................................................................................... 105
cgnv6 lsn-lid ............................................................................................................................... 105
cgnv6 nat64 alg ......................................................................................................................... 105
cgnv6 nat64 force-non-zero-ipv4-id .................................................................................. 107
cgnv6 nat64 fragmentation df-bit-transparency ............................................................ 107
cgnv6 nat64 fragmentation inbound ................................................................................... 108
cgnv6 nat64 fragmentation inbound df-set ...................................................................... 109
cgnv6 nat64 fragmentation outbound ................................................................................ 109
cgnv6 nat64 icmp ......................................................................................................................110
cgnv6 nat64 inside .....................................................................................................................110
cgnv6 nat64 prefix .....................................................................................................................110
cgnv6 nat64 tcp mss-clamp ...................................................................................................110
cgnv6 nat64 tcp reset-on-error ..............................................................................................111
cgnv6 nat64 user-quota-prefix-length ................................................................................111
cgnv6 template policy ............................................................................................................... 112
ip nat inside .................................................................................................................................. 114
ip nat-global reset-idle-tcp-conn .......................................................................................... 114
ip frag timeout ............................................................................................................................. 114
ip frag max-reassembly-sessions .......................................................................................... 114
DNS64 / NAT64 Show Commands.........................................................................................115
show cgnv6 dns64 statistics ................................................................................................... 115
show cgnv6 nat64 alg ............................................................................................................... 117
show cgnv6 nat64 conversion ................................................................................................118
show cgnv6 nat64 full-cone-sessions .................................................................................118
show cgnv6 nat64 inside-user ............................................................................................... 119
show cgnv6 nat64 nat-address ............................................................................................ 122
show cgnv6 nat64 prefixes .................................................................................................... 123

5
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

show cgnv6 nat64 statistics .................................................................................................. 123

show cgnv6 nat64 user-quota-sessions ............................................................................ 126

CONFIG COMMANDS: DS-LITE .................................................................................... 129

DS-Lite Configuration Commands ........................................................................................ 129
class-list (for DS-Lite) .............................................................................................................. 130
cgnv6 ds-lite alg ........................................................................................................................ 130
cgnv6 ds-lite fragmentation inbound ................................................................................... 131
cgnv6 ds-lite fragmentation outbound ............................................................................... 132
cgnv6 ds-lite icmp .................................................................................................................... 133
cgnv6 ds-lite inside source class-list .................................................................................. 133
cgnv6 ds-lite ip-checksum-error .......................................................................................... 133
cgnv6 ds-lite l4-checksum-error .......................................................................................... 134
cgnv6 ds-lite port-reservation ............................................................................................... 134
cgnv6 ds-lite tcp mss-clamp ................................................................................................. 135
cgnv6 ds-lite tcp reset-on-error ........................................................................................... 136
cgnv6 ds-lite user-quota-prefix-length ............................................................................. 136
DS-Lite Show Commands ....................................................................................................... 136
show cgnv6 ds-lite alg ..............................................................................................................137
show cgnv6 ds-lite full-cone-sessions ................................................................................137
show cgnv6 ds-lite inside-user ............................................................................................. 138
show cgnv6 ds-lite nat-address ........................................................................................... 140
show cgnv6 ds-lite port-reservations ................................................................................. 142
show cgnv6 ds-lite statistics ................................................................................................. 142
show cgnv6 ds-lite user-quota-sessions ........................................................................... 145

CONFIG COMMANDS: LIGHTWEIGHT 4OVER6 ............................................................... 147

Lightweight 4over6 Configuration Commands.................................................................. 147
class-list (for lw4o6) ................................................................................................................. 148
cgnv6 lw-4o6 ............................................................................................................................. 148
cgnv6 lw-4o6 binding-table ................................................................................................... 149
cgnv6 lw-4o6 binding-table-validate .................................................................................. 150
cgnv6 lw-4o6 fragmentation inbound ................................................................................. 150
cgnv6 lw-4o6 fragmentation outbound ............................................................................... 151
cgnv6 lw-4o6 hairpinning ........................................................................................................ 151
cgnv6 lw-4o6 health-check-gateway ................................................................................. 152
cgnv6 lw-4o6 icmp-inbound ................................................................................................. 152
cgnv6 lw-4o6 inside-src-access-list ................................................................................... 153
cgnv6 lw-4o6 nat-prefix-list .................................................................................................. 153
cgnv6 lw-4o6 no-forward-match ......................................................................................... 153
cgnv6 lw-4o6 no-reverse-match ......................................................................................... 154
cgnv6 lw-4o6 save-binding-table ........................................................................................ 154
cgnv6 lw-4o6 use-binding-table .......................................................................................... 155
Lightweight 4over6 Show Commands................................................................................. 155
show cgnv6 lw-4o6 binding-table ....................................................................................... 155

6
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

show cgnv6 lw-4o6 binding-table-validation-log files .................................................. 156

show cgnv6 lw-4o6 statistics ................................................................................................ 156

COMMAND LINE INTERFACE REFERENCE FOR CGN CONFIG COMMANDS: MAP .......... 159
MAP Configuration Commands.............................................................................................. 159
cgnv6 map encapsulation domain ........................................................................................ 160
cgnv6 map encapsulation fragmentation inbound ........................................................... 161
cgnv6 map encapsulation fragmentation outbound ....................................................... 162
cgnv6 map translation domain .............................................................................................. 163
cgnv6 map translation fragmentation inbound ................................................................ 165
cgnv6 map translation fragmentation inbound df-set .................................................... 165
cgnv6 map translation fragmentation outbound .............................................................. 166
map inside ................................................................................................................................... 166
map outside ................................................................................................................................ 166
MAP Show Commands............................................................................................................. 167
show cgnv6 map encapsulation statistics ..........................................................................167
show cgnv6 map encapsulation domain .............................................................................167
show cgnv6 map translation statistics .................................................................................167
show cgnv6 map translation domain ................................................................................... 168

DDOS MITIGATION ....................................................................................................... 169

DDoS Mitigation Configuration Commands ........................................................................ 169
acos-application-only .............................................................................................................. 169
cgnv6 ddos-protection ............................................................................................................ 170
cgnv6 ddos-protection disable-nat-ip-by-bgp zone ...................................................... 170
cgnv6 ddos-protection logging ............................................................................................. 170
cgnv6 ddos-protection max-hw-entries ............................................................................. 171
cgnv6 ddos-protection packets-per-second ..................................................................... 171
cgnv6 ddos-protection packets-per-second ip .................................................................173
cgnv6 lsn-lid conn-rate-limit ..................................................................................................173
ip anomaly-drop ..........................................................................................................................174
DDoS Mitigation Show Commands........................................................................................ 175
show cgnv6 ddos-protection disabled-ip-by-bgp ...........................................................176
show cgnv6 ddos-protection ip-entries ..............................................................................176
show cgnv6 ddos-protection l4-entries .............................................................................. 177
show cgnv6 ddos-protection statistics ................................................................................ 177
show ip anomaly-drop statistics ........................................................................................... 178
DDoS Mitigation Clear Commands .........................................................................................179
clear cgnv6 ddos-protection disabled-ip-by-bgp ........................................................... 180
clear cgnv6 ddos-protection ip-entries .............................................................................. 180
clear cgnv6 ddos-protection l4-entries .............................................................................. 180
clear cgnv6 ddos-protection statistics ................................................................................ 180

CONFIG COMMANDS: STATELESS NAT46 ....................................................................181

7
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

Stateless NAT46 Configuration Commands ........................................................................181

cgnv6 nat46-stateless fragmentation inbound ................................................................ 182
cgnv6 nat46-stateless fragmentation outbound ............................................................. 182
cgnv6 nat46-stateless fragmentation outbound df-set ................................................ 183
cgnv6 nat46-stateless partition-prefix ............................................................................... 183
cgnv6 nat46-stateless prefix ................................................................................................. 184
cgnv6 nat46-stateless static-dest-mapping .................................................................... 184
Stateless NAT46 Show Commands ...................................................................................... 185
show cgnv6 nat46-stateless statistics ............................................................................... 185

CONFIG COMMANDS: 6RD ............................................................................................ 189

6rd Configuration Commands................................................................................................ 189
cgnv6 sixrd domain ................................................................................................................... 189
cgnv6 sixrd fragmentation inbound ...................................................................................... 191
cgnv6 sixrd fragmentation outbound ................................................................................... 191
cgnv6 sixrd fragmentation outbound df-set ..................................................................... 192
6rd Show Commands ............................................................................................................... 192
show cgnv6 sixrd statistics ..................................................................................................... 193

CONFIG COMMANDS: NPTV6 COMMANDS ................................................................... 195

NPTv6 Configuration Commands.......................................................................................... 195
cgnv6 nptv6 domain ................................................................................................................. 195
cgnv6 nptv6 common send-icmpv6-on-error disable ................................................... 196
NPTv6 Show Commands ......................................................................................................... 196
show cgnv6 nptv6 ..................................................................................................................... 196

CONFIG COMMANDS: LOGGING TEMPLATE ................................................................... 199

Logging Template Configuration Commands..................................................................... 199
cgnv6 template logging ........................................................................................................... 199
cgnv6 server .............................................................................................................................. 209
cgnv6 service-group ................................................................................................................ 210
Logging Template Show Commands.....................................................................................211
show cgnv6 logging keywords .............................................................................................. 212
show cgnv6 logging source-address ................................................................................... 213
show cgnv6 logging statistics ................................................................................................ 213
show cgnv6 logging tcp-svr-status ..................................................................................... 213

CONFIG COMMANDS: FIXED-NATCOMMAND LINE INTERFACE REFERENCE FOR CGN . 215

Fixed-NAT Configuration Command .................................................................................... 215
cgnv6 ecmp 4-tuple-hash ...................................................................................................... 215
cgnv6 lsn alg ............................................................................................................................... 215
cgnv6 fixed-nat create-port-mapping-file ........................................................................ 216

8
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

cgnv6 fixed-nat port-mapping-files-count ....................................................................... 216

cgnv6 fixed-nat inside ............................................................................................................. 216
Fixed-NAT Show Commands.................................................................................................. 219
show cgnv6 fixed-nat alg ....................................................................................................... 219
show cgnv6 fixed-nat full-cone-sessions ........................................................................ 220
show cgnv6 fixed-nat inside-user ....................................................................................... 220
show cgnv6 fixed-nat nat-address ...................................................................................... 221
show cgnv6 fixed-nat port-mapping-files ......................................................................... 221
show cgnv6 fixed-nat statistics ............................................................................................ 221

9
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Contents

10
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

OVERVIEW

This reference lists the ACOS CLI commands that apply specifically to IPv6 Migration features.

NOTE: For information about system-level commands or about using the

CLI, see the main Command Line Interface Reference guide.

11
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e

12
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: LARGE SCALE NAT

The commands in this chapter configure Large Scale NAT (LSN).

• “LSN Configuration Commands” on page 13

• “LSN Show Commands” on page 58

LSN Configuration Commands

This section describes the LSN configuration commands.

• class-list (for LSN)

• cgnv6 enable-port-batch-v1

• cgnv6 ecmp 4-tuple-hash

• cgnv6 logging

• cgnv6 lsn alg

• cgnv6 lsn alg sip rtp-stun-timeout

• cgnv6 lsn attempt-port-preservation

• cgnv6 lsn endpoint-independent-filtering

• cgnv6 lsn endpoint-independent-mapping

• cgnv6 lsn hairpinning

• cgnv6 lsn half-close-timeout

• cgnv6 lsn health-check-gateway

• cgnv6 lsn icmp

• cgnv6 lsn inbound-refresh

• cgnv6 lsn inside source class-list

• cgnv6 lsn ip-selection

• cgnv6 lsn logging partition

• cgnv6 lsn logging default-template

13
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

• cgnv6 lsn logging pool

• cgnv6 lsn port-batching

• cgnv6 lsn port-batching tcp-time-wait-interval

• cgnv6 lsn port-overloading

• cgnv6 lsn port-overloading allow-different-user

• cgnv6 lsn port-overloading unique

• cgnv6 lsn port-reservation

• cgnv6 lsn strictly-sticky-nat

• cgnv6 lsn stun-timeout

• cgnv6 lsn syn-timeout

• cgnv6 lsn tcp mss-clamp

• cgnv6 lsn tcp reset-on-error

• cgnv6 lsn-lid

• cgnv6 lsn-radius-profile

• cgnv6 lsn-rule-list

• cgnv6 nat icmp always-source-nat-errors

• cgnv6 nat icmp respond-to-ping

• cgnv6 nat icmpv6 respond-to-ping

• cgnv6 nat inside source static

• cgnv6 nat pool

• cgnv6 nat pool-group

• cgnv6 nat range-list

• cgnv6 nat exclude-port

• cgnv6 one-to-one mapping-timeout

• cgnv6 one-to-one pool

• cgnv6 one-to-one pool-group

• cgnv6 port-list

• cgnv6 resource-usage

• cgnv6 sctp rate-limit

14
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

• cgnv6 template http-alg

• cgnv6 translation

• ip-list

• netflow monitor

• session-filter

class-list (for LSN)

Description Configure an IP class list for use with Large Scale NAT (LSN).

Syntax [no] class-list {list-name} [file | ipv4 [file] | ipv6 [file]]

Parameter Description
list-name Adds the list to the running-config.
file Saves the list to a file.
ipv4 | ipv6 Specifies the class-list type as IPv4 or IPv6.

This command changes the CLI to the configuration level for the
specified class list, where the following command is available.

NOTE: The other configuration commands at this level are not appli-
cable to LSN.

Command Description
[no] priv-addr/mask-length Specifies the internal clients. The priv-addr option specifies the
{glid num | internal host or subnet address. The /mask-length specifies the
lid num | network mask or mask length.
lsn-lid num |
lsn-radius-profile num}
• The glid num option specifies an global LSN LID to apply to
matching clients.
• The lid num option specifies a non-LSN LID to apply to match-
ing clients.
• The lsn-lid num option specifies an LSN LID to apply to match-
ing clients.
• The lsn-radius-profile num option specifies an LSN RADIUS
Profile Index to apply to matching clients.

Default None

Mode Configuration mode

15
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Usage Configure the LSN LIDs or Fixed-NAT LIDs before configuring the class
list entries.

As an alternative to configuring class entries on the ACOS device, you

can configure the class list using a text editor on another device, then
import the class list onto the ACOS device.
For more information about LSN, see the “Large Scale NAT” chapter in
the IPv4-to-IPv6 Transition Solutions Guide.

Example The following commands configure a class list to bind internal subnet
5.5.5.x/24 to LSN LID 5:

ACOS(config)# class-list list1

ACOS(config-class list)# 5.5.5.0 lsn-lid 5

cgnv6 enable-port-batch-v1
Description Enable Port Batching v1.

Syntax [no] cgnv6 enable-port-batch-v1

Default None

Mode Configuration mode

Usage If no pre-existing port-batch-v1 configurations are detected, use this

command to enable Port Batching v1 manually, prior to configuring
port-batching size, port-overloading, and NAT Pool configurations.

cgnv6 ecmp 4-tuple-hash

Description Enable ECMP route and link load balancing to support 4-tuple hashing
based on Source IP, Source Port, Destination IP, and Destination Port.

Syntax [no] cgnv6 ecmp 4-tuple-hash

Mode Configuration mode

Usage This feature is enhanced to support 4-tuple hashing for UDP/TCP/

ICMP for Static-NAT and LW-4o6 technologies, in addition to the pre-
viously supported UDP/TCP for DSLite, LSN, Fixed-NAT, NAT64, and
Gi/SGi-FW transparent sessions.

Example The following shows how to enable ECMP 4-tuple hashing:.

ACOS(config)# cgnv6 ecmp 4-tuple-hash

16
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 logging
Description Configure a severity level for NAT pool exhaustion log messages.

Syntax [no] cgnv6 logging {nat-quota-exceeded | nat-resource-exhausted}

level {critical | notice | warning}

Parameter Description
nat-quota-exceeded Configure the warning level of error messages that occur when the NAT
pool quota is exceeded. The following options are available”

• critical configures error messages to be flagged as critical.

• notice configures error messages to be flagged as notifications.
• warning configures error messages to be flagged as warnings.
nat-resource-exhausted Configure the warning level of error messages that occur when the NAT
pool resources are exhausted. The following options are available”

• critical configures error messages to be flagged as critical.

• notice configures error messages to be flagged as notifications.
• warning configures error messages to be flagged as warnings.

Default By default all resource exhaustion error messages are flagged as “Crit-
ical,” and all quota exceeded error messages are flagged as “Warning.”

Mode Configuration Mode

Usage Use these command to configure a severity level for NAT pool exhaus-
tion messages. The following log messages fall into each category:

Resource Exhausted:
• LOG_MSG_A10LB_LSN_NAT_PORT_UNAVAILABLE
• LOG_MSG_A10LB_LSN_NEW_USER_RESOURCE_UNAVAIL-
ABLE
• LOG_MSG_A10LB_LST_IP_ALL_PORT_EXHAUSTED
• LOG_MSG_A10LB_LSN_USER_QUOTa_CREATION_FAILED
• LOG_MSG_A10LB_LSN_FULLCONE_CREATE_FAILED
• LOG_MSG_A10LB_NAT_121_POOL_STAT_ADDR_EXHAUSTED
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAILABLE_EXCESS
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAIL-
ABLE_ONE_USER
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAILABLE_EX-
CESS_NO_IPLIST
Quota Exceeded:

• LOG_MSG_A10LB_LSN_NAT_PORT_UNAVAILABLE

17
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

• LOG_MSG_A10LB_LSN_NEW_USER_RESOURCE_UNAVAIL-
ABLE
• LOG_MSG_A10LB_LSN_IP_ALL_PORT_EXHAUSTED
• LOG_MSG_A10LB_LSN_USER_QUOTA_CREATION_FAILED
• LOG_MSG_A10LB_LSN_FULLCONE_CREATION_FAILED
• LOG_MSG_A10LB_NAT_121_POOL_STAT_ADDR_EXHAUSTED
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAILABLE_EXCESS
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAIL-
ABLE_ONE_USER
• LOG_MSG_A10LB_FIXED_NAT_PORT_UNAVAILABLE_EX-
CESS_NO_IPLIST
• LOG_MSG_A10LB_FIXED_NAT_QUOTA_EXCEEDED_EXCESS
• LOG_MSG_A10LB_FIXED_NAT_QUOTA_EXCEED-
ED_ONE_USER
• LOG_MSG_A10LB_FIXED_NAT_QUOTA_EXCEEDED_EX-
CESS_NO_IPLIST
All *_ONE_USER errors extend to _TWO_USER, _THREE_USER,
_FOUR_USER, etc.

cgnv6 lsn alg

Description Disable or re-enable Application Level Gateway (ALG) support for LSN
(NAT44) and Fixed NAT.

Syntax [no] cgnv6 lsn alg

{esp | ftp | h323 | mgcp | pptp | rtsp | sip | tftp}
{enable | disable}

Parameter Description
esp Enables or disables ALG support for Encapsulating Security Payload
(ESP).
ftp Enables or disables ALG support for File Transfer Protocol (FTP).
h323 Enables or disables ALG support H323 standard.
mgcp Enables or disables ALG support for Media Gateway Control Protocol
(MGCP).
pptp Enables or disables ALG support for Point-to-Point Tunneling Protocol
(PPTP).
rtsp Enables or disables ALG support for Real Time Streaming Protocol
(RTSP).
sip Enables or disables ALG support for Session Initiation Protocol (SIP).
tftp Enables or disables ALG support for Trivial File Transfer Protocol (TFTP).

Default ALG support for FTP is enabled by default. ALG support for the other
protocols is disabled by default.

18
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Mode Configuration mode

cgnv6 lsn alg sip rtp-stun-timeout

Description Change the RTP/RTCP Session Traversal Utilities for NAT (STUN) time-
out for full-cone sessions.

Syntax [no] cgnv6 lsn alg sip rtp-stun-timeout minutes

Replace minutes with the timeout duration (2-10 minutes)

Default 5

Mode Configuration mode

cgnv6 lsn attempt-port-preservation

Description Enable LSN port preservation. Port preservation attempts to use the
same source protocol port for a client’s public address (NAT address)
that is used in the client’s inside address.

Syntax [no] cgnv6 lsn attempt-port-preservation {disable | enable}

Default Enabled

Mode Configuration mode

Usage Even when port preservation is disabled, it is possible in rare cases for
the same protocol port to be used.

cgnv6 lsn endpoint-independent-filtering

Description Configure endpoint-independent filtering.

Syntax [no] cgnv6 lsn endpoint-independent-filtering

{tcp | udp}

Parameter Description
tcp | udp Specifies the Layer 4 protocol. If you want to apply the command to both TCP and
UDP, enter the command twice, specifying a different protocol each time. The follow-
ing options are available:

• port configures a single destination port or Port Range Start

• session-limit limits the number of EIF sessions that can be created per port.

Default Disabled

Mode Configuration mode

19
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Usage Ensure that both EIF and EIM are enabled for a destination port or a
port range. If EIF is enabled for a port where EIM is disabled or vice
versa, the EIM filtering will fail when packets are dropped.

NOTE: When IP stateful firewall is configured, EIF configuration should

only be done for the inside L4 ports. In these cases, the inside
L4 ports should be configured as the destination ports since
traffic is originating from outside.

cgnv6 lsn endpoint-independent-mapping

Description Configure endpoint-independent mapping for both ephemeral and
well-known ports.
Syntax [no] cgnv6 lsn endpoint-independent-mapping
{tcp | udp}

Parameter Description
tcp | udp Specifies the Layer 4 protocol. If you want to apply the command to both TCP and
UDP, enter the command twice, specifying a different protocol each time.

Default Disabled

Mode Configuration mode

cgnv6 lsn enhanced-user-tracking

Description Configures the enhanced user tracking for viewing the peak session
utilization, NAT port utilization, and aggregated upstream and down-
stream byte and packet count per subscriber for both LSN and NAT64.

The enhanced user tracking log must be configured at the partition

level.
Before configuring the enhanced user tracking log, the following logs
can be configured to include session byte count, LSN subscriber
information, and radius attributes in the enhanced-user-tracking log:
ACOS(config)# cgnv6 template logging template_name
ACOS(config-logging:template_name)# include-session-byte-count
ACOS(config-logging:template_name)# log user-data
ACOS(config-logging:template_name)# include-radius-attribute

20
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

user-data

Syntax [no] cgnv6 lsn enhanced-user-tracking

Default Disabled

Mode Configuration mode

Usage The information in the enhanced user tracking log can be used to
detect anomaly attack in the client’s network. The log information also
provides enhanced visibility for allocating user quota values for ses-
sions and ports. When there are new NAT IPs, the NAT port utilization
log helps to allocate the NAT IPs to the appropriate NAT pools for effi-
cient utilization.

cgnv6 lsn hairpinning

Description Configure filtering for hairpinning.

Syntax [no] cgnv6 lsn hairpinning

{filter-none | filter-self-ip | filter-self-ip-port}

Parameter Description
filter-none Allows for self-hairpinning for UDP packets only. This is the default behavior
for UDP packets.
filter-self-ip Drops packets that have the same inside client IP address for both the
source and destination.
filter-self-ip-port Drops packets that have the same inside client IP address and protocol port
number for both the source and destination. This option may be needed if
double NAT is used.
• filter-none - UDP
• filter-self-ip port - TCP

Mode Configuration mode

21
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

cgnv6 lsn half-close-timeout

Description Configure the TCP half-closed session timeout for LSN.

Syntax [no] cgnv6 lsn half-close-timeout seconds

Replace seconds with the timeout (2-3000 seconds).

Default No default timeout is set.

Mode Configuration mode

Usage The LSN TCP half-closed timeout is separate from the TCP idle-time-
out. To configure TCP idle timeout, see “cgnv6 lsn-rule-list” on
page 34.

cgnv6 lsn health-check-gateway

Description Configure enforcement of gateway health monitoring prior to redis-
tributing LSN NAT pool prefixes.

Syntax [no] cgnv6 lsn health-check-gateway ip-addr

Replace ip-addr with the IPv4 or IPv6 address for the gateway for
enforcement.

Default Disabled.

Mode Configuration mode

Usage If any of the specified gateways fail a health check, the ACOS device
will discontinue advertising LSN NAT pool prefixes during route redis-
tributions. This command needs to be entered again for each gateway.

22
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 lsn icmp

Description Send ICMP Destination Unreachable messages when there are no pro-
tocol ports available for NAT mappings, or when a a user quota is
exceeded.

Syntax [no] cgnv6 lsn icmp

{send-on-port-unavailable |
send-on-user-quota-exceeded}
{
admin-filtered |
disable |
host-unreachable
}

Parameter Description
send-on-port-unavailable Sends ICMP Destination Unreachable message when there are no
protocol ports available for NAT mappings.
send-on-user-quota- Sends ICMP Destination Unreachable message when a a user quota is
exceeded exceeded.
admin-filtered Sends code type 3, code 13, administratively filtered.
disable Disable ICMP Unreachable messages for the specified event.
host-unreachable Sends code type 3, code 1 for IPv4, and type 1 code 3 for IPv6.

Default The default for send-on-port-unavailable is disable. The default for

send-on-user-quota-exceeded is admin-filtered.

Mode Configuration mode

cgnv6 lsn inbound-refresh

Description Enable or disable the session aging time for NAT translation.

Syntax [no] cgnv6 lsn inbound-refresh {disable | enable}

Default Enabled.

Mode Configuration mode.

Usage This command disables or enables resetting of the age-out time for
NAT translation when inbound packets are received. This command
does not apply for outbound packets.

cgnv6 lsn inside source class-list

Description Bind an IP class list for use with LSN.

Syntax [no] cgnv6 lsn inside source class-list list-name

23
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Replace list-name with the name of the class list.

Default None

Mode Configuration mode

Usage The class list must already be configured. You can import the class list
or configure it on the ACOS device. For more information, see the
“Large Scale NAT” chapter in the IPv4-to-IPv6 Transition Solutions
Guide.

cgnv6 lsn ip-selection

Description Specify the method for LSN to use to select IP addresses within a pool.

Syntax [no] cgnv6 lsn ip-selection method

Replace method with one of the following:

• random – Selects addresses randomly, instead of using any of the
other methods.
• round-robin – Selects addresses sequentially.
• least-used-strict – Selects the address with the fewest NAT
ports of any type (TCP or UDP) used. This option is not applicable
to ICMP.
• least-udp-used-strict – Selects the address with the fewest UDP
NAT ports used.
• least-tcp-used-strict – Selects the address with the fewest TCP
NAT ports used.
• least-reserved-strict – Selects the address with the fewest TCP
or UDP NAT ports reserved.
• least-tcp-reserved-strict – Selects the address with the fewest
TCP NAT ports reserved.
• least-udp-reserved-strict – Selects the address with the fewest
UDP NAT ports reserved.
• least-users-strict – Selects the address with the fewest users.

Default random

Mode Configuration mode

Usage The IP address selection method applies only to the IP addresses

within individual pools. The method does not apply to selection of
pools within a pool group. LSN randomly selects a pool from within a
pool group, then uses the configured IP address selection method to
select an address from within the pool.

24
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 lsn logging default-template

Description Set a configured LSN traffic logging template as the default template
for all LSN pools.

Syntax [no] cgnv6 lsn logging default-template template-name

Replace template-name with the name of the LSN traffic logging

template to use as the default for all LSN pools.

Default Not set

Mode Configuration mode

Usage The NAT logging template you plan to use as the default must already
be configured.

You also can assign a NAT logging template to an individual pool. In

this case, the NAT logging template assigned to the pool is used
instead of the default NAT logging template. See “cgnv6 lsn logging
pool” on page 26.

Example The following commands configure a NAT logging template, then set it
as the default logging template for LSN:

ACOS(config)# cgnv6 server syslog1 192.168.1.100

ACOS(config-real server)# port 514 udp
ACOS(config-real server)# exit
ACOS(config)# cgnv6 service-group syslog udp
ACOS(config-cgnv6 svc group)# member syslog1:514
ACOS(config-cgnv6 svc group)# exit
ACOS(config)# cgnv6 template logging lsn_logging
ACOS(config-logging:lsn_logging)# log port-mappings creation
ACOS(config-logging:lsn_logging)# service-group syslog
ACOS(config-logging:lsn_logging)# exit
ACOS(config)# cgnv6 lsn logging default-template lsn_logging

cgnv6 lsn logging partition

Description Assigns a separate VRF/L3V instance for the CGN logging servers and
to enable system logs to be routed from different partitions.

Syntax [no] cgnv6 lsn logging partition

Parameter Description
shared Selects the shared partition.
Name Selects the partition name for logging.

25
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Default Not set.

Mode Configuration mode

NOTE: From a L3V partition, any other partition can also be referenced.
From a shared partition, only allowed L3V partition can be refer-
enced.

cgnv6 lsn logging pool

Description Assign a NAT logging template to an LSN pool.

Syntax [no] cgnv6 lsn logging pool pool-name template template-name

Parameter Description
pool-name Specifies the LSN pool.
template-name Specifies the NAT logging template.

Default Not set. If a NAT logging template has been set as the default NAT log-
ging template, that template is used.

Mode Configuration mode

Usage The NAT logging template you plan to use must already be configured.

cgnv6 lsn port-batching

Description Enable port batching. Port batching reduces logging by allocating a
set of multiple ports to the client at the same time, and generating
only a single log message for the batch of ports.

Syntax [no] cgnv6 lsn port-batching size

{1 | 8 | 16 | 32 | 64 | 128 | 256 | 512}

Specifies the number of ports to allocate in each batch.

Default Disabled

Mode Configuration mode

NOTE: New users must explicitly use the cgnv6 enable-port-batch-

v1command to enable Port Batching v1 manually, prior to configur-
ing this command.

26
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 lsn port-batching tcp-time-wait-interval

Description Configure the timeout interval before TCP NAT ports can be reused
after they have been released.

Syntax [no] cgnv6 lsn port-batching tcp-time-wait-interval num

Specifies the timeout of TCP ports in minutes. You can specify a value
between 0-10 minutes.

Default 2 minutes

Mode Configuration mode

Example The following example configures CGNv6 LSN port batching, with a
TCP timeout interval of 5 minutes before TCP ports in a batch can be
reused after they are released.

ACOS(config)# cgnv6 lsn port-batching tcp-time-wait-interval 5

cgnv6 lsn port-overloading

Description Enable or disable Port Overloading.

Syntax [no] cgnv6 lsn port-overloading

{tcp | udp}

Parameter Description
tcp | udp Enable or disable port overloading behavior for TCP or UDP traffic spe-
cifically.
port-num [to port-num] Enables port overloading for the specified protocol and port or port
range.

Default Port overloading is enabled for all ports, 1-65535.

Usage Configuration mode

cgnv6 lsn port-overloading allow-different-user

Description Allows an overloaded port to be used by more than one client.

Syntax [no] cgnv6 lsn port-overloading allow-different-user

Default By default, a port can be overloaded to create multiple mappings only

for the same client.

Mode Configuration mode

27
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

cgnv6 lsn port-overloading unique

Description Change the granularity for Port Overloading.

Syntax [no] cgnv6 lsn port-overloading unique

{destination-address |
destination-address-and-port}

Parameter Description
destination-address The granularity is based on destination IP address.
destination-address-and- The granularity is based on destination IP address and destination
port protocol port.

Default destination-address-and-port

Mode Configuration mode

cgnv6 lsn port-reservation

Description Configure static LSN mappings for a range of protocol ports for an
internal address.

Syntax [no] cgnv6 lsn port-reservation

inside priv-ipaddr start-priv-portnum end-priv-portnum
nat public-ipaddr start-public-portnum end-public-portnum

Parameter Description
priv-ipaddr Specifies the internal IP address.
start-priv-portnum Specifies the beginning (lowest-numbered) protocol port number in the
range of internal protocol port numbers.
end-priv-portnum Specifies the ending (highest-numbered) protocol port number in the
range of internal protocol port numbers.
public-ipaddr Specifies the public IP address to map to the internal IP address.
start-public-portnum Specifies the beginning public protocol port number in the range to map
to the internal protocol port numbers.
end-public-portnum Specifies the ending public protocol port number in the range to map to
the internal protocol port numbers.

Default None. If LSN is configured, LSN mappings are created and deleted
dynamically.

Mode Configuration mode

28
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 lsn strictly-sticky-nat

Description Configure to strictly adhere to the sticky NAT behaviour, regardless of
configuring destination IP addresses in the LSN rule-list.

Syntax [no] cgnv6 lsn strictly-sticky-nat

Default None.

Mode Configuration mode.

Usage Use this command to strictly adhere to the sticky NAT behavior.
Regardless of configuring destination IP addresses in the LSN rule-list
configuration, ACOS uses the same mapping for all traffic between the
client and the NAT IP addresses once the mapping is dynamically
assigned.

cgnv6 lsn stun-timeout

Description Configure the LSN STUN timeout. The LSN STUN timeout specifies
how long a NAT mapping for a full-cone session is maintained after
the data session ends.

Syntax [no] cgnv6 lsn stun-timeout {tcp | udp}

port port-num [to port-num] minutes

Parameter Description
tcp | udp Specifies the Layer 4 protocol. If you omit this option, the com-
mand applies to both TCP and UDP.
port port-num [to port-num] Specifies an individual port or a custom port range.
minutes Specifies the timeout, 0-60 minutes.

Default 2, for all TCP and UDP ports (1-65535)

Mode Configuration mode

Usage If you do not use the ephemeral, well-known, or port option, the com-
mand applies to ports 1-65535.

cgnv6 lsn syn-timeout

Description Configure the SYN timeout for LSN.

Default [no] cgnv6 lsn syn-timeout seconds

Replace seconds with the timeout (2-30 seconds).

Default 4

29
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Mode Configuration mode

Usage The LSN SYN timeout is separate from the IP NAT translation timeout.

cgnv6 lsn tcp mss-clamp

Description Configure TCP maximum segment size (MSS) clamping. MSS clamping
checks the TCP MSS value in packets from IPv4 clients and, if neces-
sary, changes it before sending the NATted request to the server.

Syntax [no] cgnv6 lsn tcp mss-clamp {none | fixed n | subtract s [min
n]}

Parameter Description
none Does not change the MSS value.
fixed n Changes the MSS to the length you specify.
subtract s [min n] Reduces the MSS if it is longer than the specified number of bytes. This
option sets the MSS based on the following calculations:

• If MSS minus S is greater than N, subtract S from the MSS.

• If MSS minus S is less than or equal to N, set the MSS to N.

The subtract method of MSS clamping is used by default, with the following
values:

S = 40 bytes

N = 416 bytes

Using these values, the default MSS clamping calculations are as follows:

• If MSS minus 40 is greater than 416, subtract 40 from the MSS.

• If MSS minus 40 is less than or equal to 416, set the MSS to 416.

Default The none option is used by default. See above.

Mode Configuration mode

cgnv6 lsn tcp reset-on-error

Description Send TCP resets to LSN clients in response to invalid TCP packets
from the inside network.
Syntax [no] cgnv6 lsn tcp reset-on-error outbound disable

Default Enabled

Mode Configuration mode

30
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 lsn-lid
Description Configure a limit ID (LID) for LSN.

NOTE: Some LSN LID commands apply only to other features, and are
described in the chapters for those features.

Syntax [no] cgnv6 lsn-lid num

Replace num with the LSN LID number, 1-1023.

This command changes the CLI to the configuration level for the
specified LSN LID, where the following commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to LSN.

Command Description
[no] conn-rate-limit num The maximum number of connections a client can attempt to ini-
tiate per second. The value can range from 1-65535.
[no] ds-lite For Dual-stack Lite (DS-Lite), uses a class list to specify the
inside-src-permit-list list- hosts or subnets that are permitted to be NATted. Any IPv4
name addresses that do not match the class list are not NATted.
[no] extended-user-quota Configures a per-user extended quota for essential services. The
{tcp | udp} port option specifies the Layer 4 protocol port of the service, and
service-port portnum can be 1-65535. The sessions option specifies how many
sessions num extended sessions are allowed for the protocol port, and can be
1-255.
[no] lsn-rule-list Matches traffic based on destination IP address, traffic type, or
destination list-name protocol port, in addition to matching on the source IP addresses
in the class list that uses this LID.

If traffic matches both a source IP address in the class list and a

destination address, traffic type, or protocol port in the rule list,
the action specified in the rule list is applied to the traffic.

(To configure an LSN rule list, see “cgnv6 nat icmp always-
source-nat-errors” on page 41.)
[no] name string Assigns a name to the LID.

31
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Command Description
[no] override Overrides NAT for matching traffic, and performs the specified
{none | drop | pass-through} action instead:

• none – Applies source NAT if configured (default).

• drop – Drops the traffic.
• pass-through – Forwards the traffic without performing NAT.
[no] respond-to-user-mac Enables MAC-based nexthop routing. When MAC-based nexthop
routing is enabled, the ACOS device sends the reply to an inside
client’s request back through the same route hop on which the
request was received. The ACOS device identifies the route hop
based on its MAC address. The ACOS device sends the reply to
the MAC address, instead of using the route table to select the
next hop for the reply.
[no] source-nat-pool Binds an LSN NAT pool to the LID.
pool-name
[no] user-quota Configures the per-user mapping quota for the specified proto-
{tcp | udp | icmp | session} col. The quota-num option specifies the maximum number of
quota-num sessions allowed per client and can be 1-64000.
[reserve reserve-num]
The reserve option allows you to specify how many ports to
reserve on a NAT IP for each user, 0-64000. If unspecified, the
reserve value is the same as the user-quota value.
[no] user-quota-prefix-length Configures the NAT64 user quota prefix length <1-128>.
length-num

Default The LSN LID options have the following default values:
• ds-lite – not set
• extended-user-quota – not set
• lsn-access-list – not set
• name – not set
• override – not set
• respond-to-user-mac – disabled
• source-nat-pool – not set
• user-quota {tcp | udp | icmp} – Not set. By default, the reserve value
is the same as the user-quota value.
• user-quota sessions – not set
• user-quota-prefix-length – Uses the global NAT64 configured
value

Mode Configuration mode

Example The following commands configure an LSN LID. The LID is bound to
pool “LSN_POOL1”. Per-user quotas are configured for TCP, UDP, and
ICMP. For UDP, this class of users will reserve only 100 UDP ports

32
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

instead of 300. An extended quota of sessions per client is allocated

for TCP port 25 (SMTP).

ACOS(config)# cgnv6 lsn-lid 5

ACOS(config-lsn lid)# source-nat-pool LSN_POOL1
ACOS(config-lsn lid)# user-quota tcp 100
ACOS(config-lsn lid)# user-quota udp 300 reserve 100
ACOS(config-lsn lid)# user-quota icmp 10
ACOS(config-lsn lid)# extended-user-quota tcp service-port 25 sessions 3

Example The following commands configure an LSN LID in which MAC-based

nexthop routing is enabled:

ACOS(config)# cgnv6 lsn-lid 1

ACOS(config-lsn lid)# respond-to-user-mac
ACOS(config-lsn lid)# exit

Example The following commands configure a class list that maps inside clients
to the LSN LID:

ACOS(config)# class-list mac-reply-clients

ACOS(config-class list)# 192.168.0.0 /16 lsn-lid 1

cgnv6 lsn-radius-profile
Description Configure a RADIUS profile that assigns clients to LSN LIDs based on
the value of the custom attribute from the RADIUS server.

Syntax [no] cgnv6 lsn-radius-profile num

This command changes the CLI to the configuration level for the
specified RADIUS server profile, where the following command is
available.

33
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

NOTE: The other configuration commands at this level are not appli-
cable to LSN.

Parameter Description
radius Matches on the attribute values from the RADIUS server, and specifies
{default | the LSN LID to use for handling clients that have the matching attribute
attribute-type} value.
[exact-value string |
starts-with string]
The attribute-type can be one of the following:
lsn-lid num
• default – Matches on clients who do not have any of the following
custom attributes.
• msisdn – Matches on client MSIDSN.
• imei – Matches on client IMEI.
• imsi – Matches on client IMSI.
• custom1 – A10-CGN-Radius-Custom-1
• custom2 – A10-CGN-Radius-Custom-2
• custom3 – A10-CGN-Radius-Custom-3

To specify match criteria, use one of the following options:

• exact-value string – Matches only on an exact attribute value.

• starts-with string – Matches on only the beginning portion of an
attribute value.

The lsn-lid option specifies the LSN LID to use for handling clients that
have the matching attribute value.

Default Not set

Mode Configuration mode

cgnv6 lsn-rule-list
Description Configure an LSN rule list. You can add an LSN rule list to an LSN LID to
specify the actions to perform on matching traffic. This command
changes the CLI to the configuration level for the specified rule list.

NOTE: You also can use LSN rule lists for NAT64 and DS-Lite.

Syntax [no] cgnv6 lsn-rule-list list-name

Replace list-name with the name of the rule list.

34
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Command Description
[no] default Enters the configuration level for the default set of rules. The default set of
rules is used for traffic that does not exactly match an IP host or subnet
rule. (See below.)

• [no] dscp [any | dscp-value] action set-dscp

{inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• [no] icmp {action action | no-action}
• dnat ipv4-list list-name {action action | no-action}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] others {action action | no-action}
• dnat ipv4-list list-name {no action | no-action}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] tcp port {0 | portnum [to portnum]}
{action action | no-action}
• dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• template http-alg template-name

[no] default • [no] udp port {0 | portnum [to portnum]}

{action action | no-action}
• dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}

35
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Command Description
[no] Enters the configuration level for the set of rules to apply to the specified
domain-list-name domain list name.
string
• [no] dscp [any | dscp-value] action set-dscp
{inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• [no] icmp {action action | no-action}
• dnat ipv4-list list-name
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] others {action action | no-action}
• dnat ipv4-list list-name
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] tcp port {0 | portnum [to portnum]}
{action action | no-action}
• dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• template http-alg template-name

[no] • [no] udp port {0 | portnum [to portnum]}

domain-list-name {action action | no-action}
string • dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}

36
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Command Description
[no] Enters the configuration level for the set of rules to apply to the specified
domain-name string domain name.

• [no] dscp [any | dscp-value] action set-dscp

{inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• [no] icmp {action action | no-action}
• dnat ipv4-list list-name
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] others {action action | no-action}
• dnat ipv4-list list-name
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• [no] tcp port {0 | portnum [to portnum]}
{action action | no-action}
• dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
• template http-alg template-name

[no] • [no] udp port {0 | portnum [to portnum]}

domain-name string {action action | no-action}
• dnat ipv4-list list-name {no-snat | port-list num}
• drop
• one-to-one-snat pool pool-name
• pass-through
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]}
• snat pool {pool-name | pool-group-name}
[no] Enables matching domain name in the HTTP request.
http-match-domain-
name

37
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Command Description
[no] ip ipv4addr/ Enters the configuration level for the set of rules to apply to the specified
mask-length IP host address or subnet.

• [no] dscp [any | dscp-value] action set-dscp

The following commands are available at this level:

38
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

• [no] dscp [any | dscp-value] action set-dscp

{inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]} – Matches based
on the DSCP classification in traffic, and marks the DSCP value
before forwarding the traffic.
• [no] icmp {action action | no-action} – Specifies the action
for matching ICMP traffic.
• [no] others {action action | no-action} – Specifies the
action for matching traffic that is not ICMP, TCP, or UDP traffic.
• [no] tcp port {0 | portnum [to portnum]}
{action action | no-action} – Specifies the action for match-
ing TCP traffic.
• [no] udp port {0 | portnum [to portnum]}
{action action | no-action} – Specifies the action for match-
ing UDP traffic.

The action can be one of the following:

• dnat ipv4-list list-name {no-snat | port-list num} –
Applies destination NAT.
• drop – Drops the traffic.
• idle-timeout {num | fast}– Configures an idle-timeout or fast
aging for the traffic on the configured destination network or
host. If configuring a timeout, the value can be between 2-
129600 seconds.
• one-to-one-snat pool pool-name – Applies one-to-one source
NAT.
• pass-through – Forwards the traffic without performing NAT.
• set-dscp {inbound dscp-value [outbound dscp-value] |
outbound dscp-value [inbound dscp-value]} – Performs DSCP
marking.
• snat pool {pool-name | pool-group-name} – Performs NAT
using the specified pool or pool group. This option can be used
to redirect the traffic to use a different pool or pool group than
the one in the LID definition.
• template http-alg template-name – Processes traffic based on
the specified HTTP-ALG template. (See “cgnv6 template http-
alg” on page 50.)

NOTE: The pass-through option is not applicable to NAT64 or DS-Lite. For

these features, the option is ignored and the traffic is processed
based only on source IP address. (No rule list is applied.)

The no-action option excludes matching traffic from the actions in the rule
list, but still performs NAT for the traffic. (For more information, see the IPv4-
to-IPv6 Transition Solutions Guide.)

Mode None

39
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Mode Configuration mode

Usage After you configure the rule list, you can add it to an LSN LID. (See
“cgnv6 nat icmp always-source-nat-errors” on page 41.)

For NAT64, the traffic matching and action are applied to IPv4
addresses after conversion from IPv6 to IPv4.

For DS-Lite, the traffic matching and action are applied to inside IPv4
addresses after removing the IPv6 header.

If the matching traffic is for a current full-cone session or user-quota

session, and the session uses a different pool or pool group than the
one redirected to by the rule list, the rule list is not used.

The snat pool option applies only if the client does not have a NAT
session. If the client already has a NAT session, the sticky NAT feature
keeps the client on the same NAT address, regardless of the LSN rule-
list configuration. The option is not applicable to Fixed-NAT (Fixed-
NAT44, Fixed-NAT64 or Fixed-NAT for DS-Lite). For these features,
the option is ignored and the traffic is dropped. (For drop statistics, see
the "Fixed NAT Dest Rules List Source NAT Drop" counter in the output
of the show cgnv6 fixed-nat statistics command.
The one-to-one-snat option is not applicable to DS-Lite. For these
features, the option is ignored and the traffic is processed based only
on source IP address. (No rule list is applied.)

Default and Specific Rules

In an LSN rule list, you can configure the following types of rules:
• Rules for specific IP addresses or subnets
• Domain name
• Default rules

If traffic matches an IP-specific rule, that rule is used. Otherwise, the

default rules (if configured), are used to match.

If traffic does not have a match in IP-specific rules or the default rule
list, the traffic is processed based only on source IP address. (No rule
list is applied.)

40
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

cgnv6 nat icmp always-source-nat-errors

Description Enable NAT for ICMP messages from inside routers.

Syntax [no] cgnv6 nat icmp always-source-nat-errors

Default By default, the ACOS device does not translate the source IP
addresses of ICMP error messages sent by inside routers into NAT
addresses.

Mode Configuration mode

cgnv6 nat icmp respond-to-ping

Description Enable ping replies from NAT pool addresses.

Syntax [no] cgnv6 nat icmp respond-to-ping

Default By default, the ACOS device does not reply to ping requests that are
sent to NAT addresses (LSN NAT pool addresses). Instead, by default,
the ACOS device drops ping requests sent to LSN NAT pool addresses.

Mode Configuration mode

cgnv6 nat icmpv6 respond-to-ping

Description Enable ping replies from NAT pool addresses.

Syntax [no] cgnv6 nat icmpv6 respond-to-ping

Configuration mode

cgnv6 nat inside source static

Description Perform inside configuration for NAT.

Syntax [no] cgnv6 nat inside source static source-addr nat-addr [vrid
num]

Default None.

Mode Configuration mode

Example The following commands configures inside configuration for NAT:

41
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

ACOS(config)# cgnv6 nat inside source static 1.1.1.1 1.1.1.1 vrid

cgnv6 nat inside source static partition

Description Perform inside configuration for NAT for inside user partition.

Syntax [no] cgnv6 nat inside source static partition name ipaddr [vrid
num]

Default None.

Mode Configuration mode

Example The following commands configures inside configuration for NAT:

ACOS(config)# cgnv6 nat inside source static 1.1.1.1 partition

TEMP 1.1.1.1 vrid 1

cgnv6 nat pool

Description Configure a named set of IP addresses for use by Carrier Grade NAT
(CGN) or Large Scale NAT (LSN).
Syntax [no] cgnv6 nat pool pool-name
start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[max-users-per-ip num]
[port-batch-v2-size {64 | 128 | 256 | 512 | 1024 | 2048 | 4096}]
[shared {all | group | partition}]
[vrid vrid]

Syntax [no] cgnv6 nat pool pool-name

start-ipaddr
netmask {subnet-mask | /mask-length}
[max-users-per-ip num]
[port-batch-v2-size {64 | 128 | 256 | 512 | 1024 | 2048 | 4096}]
[shared {all | group | partition}]
[vrid vrid]

Syntax [no] cgnv6 nat pool pool-name exclude-ip

start-ipaddr [to end-ipaddr]

NOTE: Using the second form of the command shown above, you can
configure an address range in a CGN pool by entering a starting
address followed by the mask length. This allows use of
addresses that use non-zero values in the host portion.

Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.

42
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Parameter Description
netmask The netmask /mask-length option specifies the network mask. All
{subnet-mask | addresses within the resulting subnet are members of the pool, and can
/mask-length} be used by CGN for client mappings.
max-users-per-ip num Enables the pool to be used for Large Scale NAT (LSN).

The max-user-per-ip option specifies the maximum number of internal

addresses that can be mapped to a single public address at the same
time. You can specify 1-64512. By default, there is no limit.
port-batch-v2-size {64 Configure batched port allocation. The following options are available:
| 128 | 256 | 512 |
1024 | 2048 | 4096} • per-batch-port-usage-warning-threshold configures warning log
threshold for per batch port usage (default: disabled).
• simultaneous-batch-allocation allocates the same TCP and UDP
batches at once.
• tcp-time-wait-interval configures the number of minutes before
TCP NAT ports can be reused.
• usable-nat-ports configures usable NAT ports.

Under each of these options, the following are the sub-options:

• simultaneous-batch-allocation allocates same TCP and UDP

batches at once.
• tcp-time-wait-interval configures the minutes before TCP NAT
ports can be reused.
• usable-nat-ports configures usable NAT ports.
shared Allows L3V partitions running CGN to use this pool. The available options
are:

• all – Shares with all partitions.

• group – Shares with a partition group.
• partition – Shares with a single partition.
vrid vrid Adds the resource to a VRRP-A virtual router, identified by its virtual
router ID (VRID). The available options are:

• max-users-per-ip
• port-batch-v2-size
• shared
exclude-ip Excludes the specified IP address or address range from the pool.
start-ipaddr
[to end-ipaddr]

Default None.

Mode Configuration mode

43
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

cgnv6 nat pool-group

Description Configure a set of IP pools for use by NAT. Pool groups enable you to
use non-contiguous IP address ranges, by combining multiple IP
address pools.

Syntax [no] cgnv6 nat pool-group pool-group-name

[vrid vrid]

Parameter Description
pool-group-name Name of the pool group.
vrid vrid Adds the resource to a VRRP-A virtual router, identified by its virtual
router ID (VRID).

This command changes the CLI to the configuration level for the
specified pool group, where the following command is available.

(The other commands are common to all CLI configuration levels. See
the CLI Reference for SLB.)

Command Description
member pool-name Name of a configured IP address pool.

Default None.

Mode Configuration mode

Usage To use a non-contiguous range of addresses, configure a separate

pool for each contiguous portion of the range, then configure a pool
group that contains the pools.

The addresses within an individual pool still must be contiguous, but

you can have gaps between the ending address in one pool and the
starting address in another pool. You also can use pools that are in
different subnets.

If a pool group contains pools in different subnets, the ACOS device

selects the pool that matches the outbound subnet. For example, of
there are two routes to a given destination, in different subnets, and
the pool group has a pool for one of those subnets, the ACOS selects
the pool that is in the subnet for the outbound route.
The ACOS device selects the pool whose addresses are in the same
subnet as the next-hop interface used by the data route table to reach
the server.

Example The following commands create a pool group for LSN and add 25 pools
to the group:

44
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

ACOS(config)# cgnv6 nat pool-group group1

ACOS(config-pool-group)# member pool1
ACOS(config-pool-group)# member pool2
ACOS(config-pool-group)# member pool3
...
ACOS(config-pool-group)# member pool25

cgnv6 nat range-list

Description Configure an IP source NAT static range list.

Syntax [no] cgnv6 nat range-list list-name

start-ipaddr
netmask {subnet-mask | /mask-length}
start-ipaddr
netmask {subnet-mask | /mask-length}
count number

Default None.

Mode Configuration mode

Example The following command configures an IP source NAT static range list:

ACOS(config)# cgnv6 nat range-list r1 1.1.1.1 /24 2.2.2.2 /24 count 3

Partition is optional. The following command configures an inter-

partition scenario:
ACOS(config)# cgnv6 nat range-list asasd 11.1.1.1 /24 partition p1 12.2.2.2 /24 count 1

cgnv6 nat exclude-port

Description Excludes a specific or a range of ports from the LSN NAT pools in both
shared and L3v partitions.

Syntax [no] cgnv6 nat exclude-port tcp | udp

Command Description
tcp Configures the tcp port from which the specified
ports are excluded from the NAT pool.
udp Configures the udp port from which the specified
ports are excluded from the NAT pool.

45
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

This command changes the CLI to the configuration level for the
specified protocol, where the following command is available.

Command Description
port Configures a single port or a starting port range to be
excluded from the NAT pool.
to Port Range Configures an ending port range to be excluded from
the NAT pool.

Default tcp

Mode Configuration mode

Example The following commands exclude a specific port or a range of ports

from the LSN NAT pool:

ACOS(config)# cgnv6 nat exclude-port tcp

ACOS(config-exclude-tcp-port)# port 1080
ACOS(config-exclude-tcp-port)# port 1060 to 1063

cgnv6 one-to-one mapping-timeout

Description Configure a timeout value for the NAT one-to-one mapping.
Syntax [no] cgnv6 one-to-one mapping-timeout timeout-value

The timeout-value lets you specify how many minutes before the NAT
one-to-one mapping expires. The value ranges from 0 to 180 minutes.
Configuring 0 minutes means that the mapping times out immediately
when there is no active session using that mapping.

Default Timeout of 10 minutes.

Mode Configuration mode

cgnv6 one-to-one pool

Description Configure a named set of IP addresses for use by one-to-one NAT.

Syntax [no] cgnv6 one-to-one pool pool-name

start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[shared [group group-name | partition partition-name]]
[vrid vrid]

Syntax [no] cgnv6 one-to-one pool pool-name

start-ipaddr
netmask {subnet-mask | /mask-length}
[shared [group group-name | partition partition-name]]
[vrid vrid]

46
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

NOTE: Using the second form of the command shown above, you can
configure an address range in a CGN pool by entering a starting
address followed by the mask length. This allows use of addresses
that use non-zero values in the host portion

Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask The netmask /mask-length option specifies the network mask. All
{subnet-mask | addresses within the resulting subnet are members of the pool, and can
/mask-length} be used by CGN for client mappings.
shared Allows L3V partitions running CGN to use this pool.
vrid vrid Adds the resource to a VRRP-A virtual router, identified by its virtual router
ID (VRID).

Default None

Description Configuration mode

cgnv6 one-to-one pool-group

Description Configure a set of IP pools for use by NAT. Pool groups enable you to
use non-contiguous IP address ranges, by combining multiple IP
address pools.

Syntax [no] cgnv6 one-to-one pool-group pool-group-name

[vrid vrid]

Parameter Description
pool-group-name Name of the pool group.
vrid vrid Adds the resource to a VRRP-A virtual router, identified by its virtual
router ID (VRID).

This command changes the CLI to the configuration level for the
specified pool group, where the following command is available.

(The other commands are common to all CLI configuration levels. See
the CLI Reference for SLB.)

Command Description
member pool-name Name of a configured IP address pool.

Default None.

47
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Mode Configuration mode

Usage To use a non-contiguous range of addresses, configure a separate

pool for each contiguous portion of the range, then configure a pool
group that contains the pools.

The addresses within an individual pool still must be contiguous, but

you can have gaps between the ending address in one pool and the
starting address in another pool. You also can use pools that are in
different subnets.

If a pool group contains pools in different subnets, the ACOS device

The ACOS device selects the pool whose addresses are in the same
subnet as the next-hop interface used by the data route table to reach
the server.

Example The following commands create a pool group for LSN and add 25 pools
to the group:

ACOS(config)# cgnv6 one-to-one pool-group group1

ACOS(config-pool-group)# member pool1
ACOS(config-pool-group)# member pool2
ACOS(config-pool-group)# member pool3
...
ACOS(config-pool-group)# member pool25

cgnv6 port-list
Description Configure CGNV6 port list that contains the mapping between original
ports and translated ports.

Syntax [no] cgnv6 port-list name [original-port num to translated-port

num]

Parameter Description
original-port Original port to be translated.
translated-port Port after translation.

Default None.

Mode Configuration mode

Example The following commands create a port list:

48
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

ACOS(config)# cgnv6 port-list abc

ACOS(config-port-list)# original-port 80 to translated-port 8080

cgnv6 resource-usage
Description Configure CGNV6 resource usage.

Syntax [no] cgnv6 resource-usage {fixed-nat-inside-user-count | fixed-

nat-ip-addr-count | lsn-nat-addr-count |radius-table-size}

Parameter Description
fixed-nat-inside-user-count Total configurable CGNV6 Fixed NAT inside users.
fixed-nat-ip-addr-count Total configurable CGNV6 Fixed NAT addresses
lsn-nat-addr-count Total configurable CGNV6 NAT Pool addresses
radius-table-size Total configurable CGNV6 RADIUS Table entries
stateless-entries Helper size for CGN Stateless Technologies.

Default None.

Mode Configuration mode

cgnv6 sctp rate-limit

Description Configure a traffic rate-limit for SCTP sessions.

Syntax [no] cgnv6 sctp rate-limit {source | destination} ip-addr num

Parameter Description
source Configure a packet rate-limit per second based on an SCTP session source IP.
destination Configure a packet rate-limit per second based on an SCTP session destination IP.
ip-addr Specify the IP address of the source or the destination to rate-limit.
num Configure the packet rate-limit per second. The packets per second ran range from 1 -
2147483647.

Default None.

Mode Configuration mode.

Usage Use these commands to configure the number of SCTP packets

allowed per second, whether originating from the source or from the
destination address. If this command is not configured, then there is
no packet rate-limit for SCTP traffic.

NOTE: This command is available only on CFW platforms.

49
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

cgnv6 template http-alg

Description Configure a template for HTTP Application Level Gateway (ALG).

NOTE: The request-insert-msisdn option in HTTP-ALG templates no

longer requires a RADIUS service group to be specified.

Syntax [no] cgnv6 template http-alg template-name

Replace template-name with the name of the template, 1-63

characters, of the NAT HTTP-ALG template. This command changes
the CLI to the configuration level for the template, where the following
commands are available. (The other commands are common to all CLI
configuration levels. See the CLI Reference for SLB.)

50
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

51
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Command Description
[no] Enables insertion of the client IP address into the headers of client
request-insert-client-ip HTTP requests. You can specify the following options:
[options]
• header-name string – Header name to insert, instead of the
default.
• include-tunnel-ip – Includes the tunnel IP Address in the inserted
header. This option applies only to DS-Lite sessions and 6rd-NAT64
sessions.
• method {append | replace} [header-name string | include-
tunnel-ip header-name string] – Method to use for adding the
header:
• append – Adds a new header field to the end of all the request
headers, regardless of how many headers are already in the
request. For example, if append is configured and header name
field displays the default, “X-Forwarded-For,” the new “X-For-
warded-For” header will be added to the end of all the headers in
the HTTP request. If append is configured and header-name is “X-
Client-IP,” the new “X-Client-IP” will be added to the end of all the
headers in the HTTP request.
• replace – Substitutes the configured header. For example, if
replace is configured and header-name is default, “X-Forwarded-
For,” it will be replaced by the new “X-Forwarded-For” header in
the HTTP request. If replace is configured and header-name is
“X-Client-IP,” it will be replaced by the new “X-Client-IP” in the
HTTP request.

If the packet has more than one header field of the same name, all
of them will be replaced.
[no] Inserts the client’s mobile number in client requests.
request-insert-msisdn
[options] • header-name string – Header name to insert, instead of the
default. The following option is available:
• radius-sg group-name secret string shared-secret – Spec-
ifies the group of RADIUS accounting servers to use for obtaining
client mobile numbers.
• radius-sg group-name secret string shared-secret – Speci-
fies the group of RADIUS accounting servers to use for obtaining cli-
ent mobile numbers. The following parameters are available:
• group-name – Name of the service group that contains the client
RADIUS servers.
• string – Authentication string the ACOS device and the client
RADIUS servers use to authenticate RADIUS traffic from one
another.
• retry num – Maximum number of additional times to send the
request, if it times out. You can specify 0-3. The default is 2.
• retry-svr-num num – Number of additional servers that can be
tried, if the first server does not respond after all retries have
timed out. You can specify 0 or 1. The default is 0.
• timeout seconds – Maximum number of seconds ACOS waits for
the server to reply, before trying again, trying another server (if
applicable), or giving up. You can specify 1-3 seconds. The default
is 2.

52
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Default Not set. When you configure an HTTP-ALG template, the default
header for client IP addresses is X-Forwarded-For. The other parame-
ters do not have default settings.

Mode Configuration mode

Example The following commands configure the HTTP-ALG template for inser-
tion of client IP in HTTP requests:

ACOS(config)# cgnv6 template http-alg TEMP

ACOS(config-http-alg:TEMP)# request-insert-client-ip header-name TEMP include-tunnel-ip
method append

Example The following commands configure the HTTP-ALG template for inser-
tion of client mobile number in HTTP requests:

ACOS(config)# cgnv6 template http-alg CLIENT-MOBILE-INSERT

ACOS(config-http-alg)# request-insert-msisdn header-name TEMP radius-sg TEMP secret
encrypted TEMP retry 0 retry-svr-num 0 timeout 1

cgnv6 translation
Description Configure default idle-timeout values for services and protocol traffic
over LSN.

Syntax [no] cgnv6 translation

{
icmp-timeout {num | fast} |
service-timeout {tcp | udp} port num {num | fast} |
tcp-timeout num |
udp-timeout num
}

Parameter Description
icmp-timeout {num | fast} Configure an idle-timeout or fast aging for ICMP traffic
service-timeout {tcp | udp} Configure an idle-timeout or fast aging for specific services on a
port num {num | fast} port.
tcp-timeout num Configure an idle-timeout for TCP traffic.
udp-timeout num Configure an idle-timeout for UDP traffic.

Default The default for tcp-timeout and udp-timeout is 300 seconds.

Mode Configuration mode

53
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

ip-list
Description Configure a list of client addresses. IP lists can be used with features
such as Fixed-NAT and client mobile number logging.

Syntax [no] ip-list list-name

This command changes the CLI to the configuration level for the
specified IP list, where the following command is available.

Command Description
[no] start-ipv4-addr to end-ipv4-addr Range of IPv4 addresses. Enter the lowest address
number in the range first.
[no] start-ipv6-addr to end-ipv6-addr Range of IPv6 addresses. Enter the lowest address
number in the range first.

Default None

Mode Configuration mode

Usage See the IPv4-to-IPv6 Transition Solutions Guide.

Example The following commands configure an IP list. The IP list contains the IP
addresses of the RADIUS servers.

ACOS(config)# ip-list RADIUS_IP_LIST

ACOS(config-ip list)# 40.40.40.1 to 40.40.40.2
ACOS(config-ip list)# exit

Within an IP-list entry, you can specify prefixes in any of the following
ways:
• Range – Specify the starting prefix and ending prefix in the range.
Example: 4001::/32 to 4025::/32
• Count – Specify the starting prefix, and the total number of pre-
fixes for the entry. The count can be 1-2147483647. Example:
6001::/16 count 1000
• Single prefix – Example: 2001:DB8::/32

The following commands configure an IP list that contains some IPv6

prefix entries:
ACOS(config)# ip-list test
ACOS(config-ip list)# 6001::/16 count 1000
ACOS(config-ip list)# 4001::/32 to 4025::/32
ACOS(config-ip list)# 3001::1 to 3001::100

The first two commands configure prefix ranges. The last command
configures a unicast address range.

54
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

netflow monitor
Description Enable the ACOS device to act as a NetFlow exporter, for monitoring
traffic and exporting the data to one or more NetFlow collectors for
analysis.

Syntax [no] netflow monitor monitor-name

Replace monitor-name with the name of the NetFlow monitor.

This command changes the CLI to the configuration level for the
specified NetFlow monitor, where the following commands are
available.

Command Parameter
[no] destination Configure the destination where NetFlow records will be sent by
{service-group sg-name | entering a service group (if using multiple NetFlow collectors), or
ip-addr} an IP address for a specific host.
disable Disable this NetFlow monitor.
disable-log-by-destination Disable logging by destination protocol and port. The following
options are available:

• icmp – Disables logging for icmp traffic.

• ip – Disables logging by destination IPv4 entry.
• ip6 – Disables logging by destination IPv6 entry.
• others – Disable logging for other L4 protocols.
• tcp – Disable logging by destination TCP port.
• udp – Disable logging by destination UDP port.
[no] flow-timeout Timeout value interval at which flow records will be periodically
minutes exported for long-lived sessions. Flow records for short-lived
sessions (if any) are sent upon termination of the session.

After the specified amount of time has elapsed, the ACOS device
will send any flow records to the NetFlow collector, even if the
flow is still active. The flow timeout can be set to 0-1440 minutes.
The flow timeout default value is 10 minutes.

Setting the timeout value to 0 disables the flow timeout feature.

Regardless of how long-lived a flow might be, the ACOS device
waits until the flow has ended and the session is deleted before it
sends any flow records for it.
[no] protocol {v9 | v10} Configure which version of the NetFlow protocol to use, version 9
or version 10. The default is NetFlow version 9.

55
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Configuration Commands

Command Parameter
[no] record Configure the NetFlow record types to be exported. (See the
netflow-template-type “NetFlow v9 and v10 (IPFIX)” chapter in the System Configuration
[both | and Administration Guide.)
creation |
deletion]
The netflow-template-type refers to the NetFlow template that
defines the NetFlow records to export, and it includes the follow-
ing template types:

• dslite – DS-Lite Flow Record Template

• nat44 – NAT44 Flow Record Template
• nat64 – NAT64 Flow Record Template
• netflow-v5 – NetFlow V5 Flow Record Template
• netflow-v5-ext – Extended NetFlow V5 Flow Record Template,
supports ipv6
• port-batch-dslite – DS-Lite Port Batching Event Template
• port-batch-nat44 – NAT44 Port Batching Event Template
• port-batch-nat64 – NAT64 Port Batching Event Template
• port-batch-v2-dslite – DS-Lite NAT Port Batching v2 Event
Template
• port-batch-v2-nat44 – NAT44 NAT Port Batching v2 Event
Template
• port-batch-v2-nat64 – NAT64 NAT Port Batching v2 Event
Template
• port-mapping-dslite – DS-Lite Port Mapping Event Template
• port-mapping-nat44 – NAT44 Port Mapping Event Template
• port-mapping-nat64 – NAT64 Port Mapping Event Template
• sesn-event-dslite – DS-Lite Session Event Template
• sesn-event-nat44 – NAT44 Session Event Template
• sesn-event-nat64 – NAT64 Flow Record Template

The options for specifying both, creation, and deletion allow

you to determine which types of events will be exported:

• both – Export both creation and deletion events (default)

• creation – Export only creation events
• deletion – Export only deletion events

The both, creation, and deletion options are only available for
session event and port mapping event templates. They are not
available for flow record templates.

56
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Configuration Commands

Command Parameter
[no] resend-template {records Configure when to resend the NetFlow template. The trigger can
num | timeout seconds} be either the number of records, or the amount of time that has
passed.

• records – Specify a range from 0-1000000, with a default

of 1000 records. Note that specifying 0 means never resend
the template.
• timeout – Specify a range from 0-86400, with a default of
1800 records. Note that specifying 0 means never resend the
template.
[no] source-address Specify the IPv4 or IPv6 source address of the Netflow packet.
{ip string | ipv6 string}
• ip – Specify the source address in the ipv4-address format
of A.B.C.D.
• ipv6 – Specify the source address in the ipv6-address format
of A:B:C:D:E:F:G:H.
[no] source-ip-use-mgmt Use the management interface's IP address as the source IP for
exported NetFlow packets. Note that this command does not
change the ACOS port from which NetFlow traffic is exported.

Default Described above, where applicable.

Mode Configuration mode

Usage A NetFlow monitor consists of the following protocol parameters,

which can be used to configure the ACOS device to export data in
the format of NetFlow v9 or NetFlow v10 (IPFIX). The current
release supports NetFlow version 9 (RFC 3954), and NetFlow ver-
sion 10 (IPFIX) (RFC 5101).

You can configure up to 64 NetFlow monitors.

Predefined NetFlow Templates

The ACOS device includes some pre-defined NetFlow templates. For

information, see the “NetFlow v9 and v10 (IPFIX)” chapter in the
System Configuration and Administration Guide.

session-filter
Description Configure a session filter.

57
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Syntax session-filter filter-name set

{
dest-addr portnum |
dest-port portnum |
ipv6 |
sip |
source-addr portnum |
source-port portnum
}

Parameter Description
dest-addr portnum Matches on destination address.
dest-port portnum Matches on destination port.
ipv6 Matches specifically on IPv6 addresses.
sip Matches on SIP sessions.
source-addr portnum Matches on source address.
source-port portnum Matches on source port.

Default No session filters are configured by default.

Mode Configuration mode

Usage Session filters allows you to save session display options for use with
the clear session and show session commands. Configuring a session
filter allows you to specify a given set of options one time rather than
re-entering the options each time you use the clear session or show
session command.

Example The following example sets session filter criteria of a forward destina-
tion IP and forward destination port:

ACOS(config)# session-filter TEMP set dest-addr 1.1.1.1 dest-port

LSN Show Commands

This section describes the show commands for LSN.

• show cgnv6 lsn alg

• show cgnv6 lsn full-cone-sessions

• show cgnv6 lsn inside-user

• show cgnv6 lsn nat-address

• show cgnv6 lsn port-overloading config

• show cgnv6 lsn port-reservations

58
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

• show cgnv6 lsn statistics

• show cgnv6 lsn system-status

• show cgnv6 lsn user-quota-sessions

• show cgnv6 lsn-lid

• show cgnv6 lsn-rule-list

• show cgnv6 nat pool

• show cgnv6 nat pool-group

• show cgnv6 nat range-list

• show cgnv6 nat static-binding

• show cgnv6 one-to-one mappings

• show cgnv6 one-to-one pool

• show cgnv6 one-to-one pool-group

• show cgnv6 one-to-one statistics

• show cgnv6 resource-usage

• show cgnv6 template

show cgnv6 lsn alg

Description Show Application Level Gateway (ALG) information for LSN and
NAT64.

Syntax show cgnv6 lsn alg

{esp | ftp | h323 | mgcp | pptp | rtp-stun-timeout | rtsp | sip |

59
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

tftp}
{config | statistics [debug]}

Parameter Description
esp | Specifies the protocol:
ftp |
h323| • esp – IPsec Encapsulating Security Payload (ESP)
mgcp |
• ftp – File Transfer Protocol (FTP)
pptp |
rtp-stun-timeout | • h323 – H.323 standard is a legacy voice-over-IP (VoIP) protocol.
rtsp | • mgcp – Media Gateway Control Protocol (MGCP)
sip | • pptp – Point-to-Point Tunneling Protocol (PPTP) Generic Routing Encapsu-
tftp lation (GRE)
• rtp-stun-timeout – Show RTP/RTCP STUN timeout configuration.
• rtsp – Real Time Streaming Protocol (RTSP)
• sip – Session Initiation Protocol (SIP)
• tftp – Trivial File Transfer Protocol (TFTP)
config | Specifies the type of information to display:
statistics [debug]
• config – Indicates whether ALG support for the protocol is enabled.
• statistics [debug] – Displays statistics for the protocol. The debug
option displays additional statistics.

Mode All

Example The following commands show information for ESP ALG:

ACOS# show cgnv6 lsn alg esp statistics

LSN ESP ALG Statistics:
---------------------------
ESP Sessions Created 2

The following commands show information for FTP ALG:

ACOS# show cgnv6 lsn alg ftp config
LSN ALG for FTP is enabled on port 21.
ACOS# show cgnv6 lsn alg ftp statistics
LSN FTP ALG Statistics:
---------------------------
PORT Requests From Client 0
EPRT Requests From Client 2
LPRT Requests From Client 0
PASV Replies From Server 3
EPSV Replies From Server 0
LPSV Replies From Server 0

60
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

The following table describes the fields in the command’s output.

Field Description
PORT Requests From Cli- Number of FTP PORT requests received from clients.
ent
EPRT Requests From Cli- Number of FTP EPRT requests received from clients.
ent
LPRT Requests From Cli- Number of FTP LPRT requests received from clients.
ent
PASV Replies From Server Number of passive mode replies received from servers.
EPSV Replies From Server Number of EPSV replies received from servers.
LPSV Replies From Server Number of LPSV replies received from servers.

Example The following command shows statistics for PPTP ALG:

ACOS# show cgnv6 lsn alg pptp statistics

LSN PPTP ALG Statistics:
---------------------------
Calls Established 0
Mismatched PNS Call ID 0
GRE Sessions Created 0
GRE Sessions Freed 0
No Matching GRE Session 0
Call ID Mismatch on Call Request 0
Call ID Mismatch on Call Reply 0

The following table describes the command’s output.

Field Description
Calls Established Number of PPTP call sessions created.
Mismatched PNS Call ID Number of times PPTP call packets did not match the PNS call
ID.
GRE Sessions Created Number of PPTP GRE sessions created.
GRE Sessions Freed Number of PPTP GRE sessions freed.
No Matching GRE Session Number of times GRE packets did not match a GRE session.
Call ID Mismatch on Call Request Number of call IDs not matching call requests
Call ID Mismatch on Call Reply Number of call IDs not matching call replies.

Example The following command shows statistics for RTSP ALG:

ACOS# show cgnv6 lsn alg rtsp statistics

LSN RTSP ALG Statistics:
---------------------------

61
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Streams Created 0
Streams Freed 0
Stream Creation Failures 0
Stream Client Ports Allocated 0
Stream Client Ports Freed 0
Stream Client Port Allocation Failures 0
Server Replies With Unknown Client Ports 0
Data Session Created 0
Data Session Freed 0
Data Session Creation Failures 0

The following table describes the fields in the command’s output.

Field Description
Streams Created Number of RTSP stream sessions created.
Streams Freed Number of RTSP stream sessions freed.
Stream Creation Failures Number of times creation of an RTSP stream failed because
the ACOS device was out of memory for sessions.
Stream Client Ports Allocated Number of NAT ports allocated to client for creating streams.
Stream Client Ports Freed Number of NAT ports freed.
Stream Client Port Allocation Failures Number of times port allocation for a stream failed.
Server Replies With Unknown Client Number of server replies to SETUP that were addressed to an
Ports unknown client port.
Data Session Created Number of UDP data sessions created for streaming video.
Data Session Freed Number of UDP data sessions freed.
Data Session Creation Failures Number of times creation of a data session failed because the
ACOS device was out of memory for sessions.

Example The following command shows statistics for SIP ALG:

ACOS# show cgnv6 lsn alg sip statistics

LSN SIP ALG Statistics:
---------------------------
SIP Method REGISTER 544
SIP Method INVITE 0
SIP Method ACK 544
SIP Method CANCEL 0
SIP Method BYE 544
SIP Method OPTIONS 100
SIP Method PRACK 0
SIP Method SUBSCRIBE 8
SIP Method NOTIFY 10
SIP Method PUBLISH 0

62
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

SIP Method INFO 0

SIP Method REFER 0
SIP Method MESSAGE 0
SIP Method UPDATE 0
SIP Method UNKNOWN 0

The following table describes the fields in the command’s output.

Field Description
SIP Method REGIS- Number of SIP REGISTER messages received by the ACOS device.
TER
Note: This counter and all the following counters in the output apply to mes-
sages both from User Agent Servers (UASs) and User Agent Clients (UACs).
SIP Method INVITE Number of SIP INVITE messages received by the ACOS device.
SIP Method ACK Number of SIP ACK messages received by the ACOS device.
SIP Method CANCEL Number of SIP CANCEL messages received by the ACOS device.
SIP Method BYE Number of SIP BYE messages received by the ACOS device.
SIP Method OPTIONS Number of SIP OPTIONS messages received by the ACOS device.
SIP Method PRACK Number of SIP PRACK messages received by the ACOS device.
SIP Method SUB- Number of SIP SUBSCRIBE messages received by the ACOS device.
SCRIBE
SIP Method NOTIFY Number of SIP NOTIFY messages received by the ACOS device.
SIP Method PUBLISH Number of SIP PUBLISH messages received by the ACOS device.
SIP Method INFO Number of SIP INFO messages received by the ACOS device.
SIP Method REFER Number of SIP REFER messages received by the ACOS device.
SIP Method MES- Number of SIP MESSAGE messages received by the ACOS device.
SAGE
SIP Method UPDATE Number of SIP UPDATE messages received by the ACOS device.
SIP Method Number of SIP UNKNOWN messages received by the ACOS device.
UNKNOWN

Example The following command shows statistics for TFTP ALG:

ACOS# show cgnv6 lsn alg tftp statistics

LSN TFTP ALG Statistics:
---------------------------
TFTP Client Sessions Created 2

63
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

show cgnv6 lsn full-cone-sessions

Description Show currently active LSN full-cone sessions.

Syntax show cgnv6 lsn full-cone-sessions

[all-partitions]
[inside-user ipaddr]
[partition partition-name]
[pcp]
[pool pool-name]

Parameter Description
all-partitions | Displays full-cone sessions for all partitions or for a particular partition.
partition partition-name
inside-user ipaddr Displays full-cone sessions only for the specified user.
pcp Displays full-cone sessions created by PCP requests.
pool pool-name Displays only the full-cone sessions that use a public IP address from
the specified LSN NAT pool.

Mode All

Example The following command shows currently active LSN full-cone ses-
sions:

ACOS# show cgnv6 lsn full-cone-sessions

LSN Full-cone Sessions:
Prot Inside Address NAT Address Outbnd Inbnd Pool CPU
Age Flags
--------------------------------------------------------------------------------------
----
UDP 10.10.10.4:30251 19.19.19.104:30251 1 0 lsn_p1 4 -
-
Total Full-cone Sessions: 1

The following table describes the fields in the command’s output.

Field Description
Information for Individual Sessions:
Prot Protocol of the session.
Inside Address Private IP address of the client.
NAT Address Public IP address mapped to the client’s private IP address.
Outbnd Number of active outbound EIM sessions.
Inbnd Number of active inbound EIF sessions.
Pool LSN NAT pool from which the public IP address was assigned.
CPU ACOS CPU on which the session resides.

64
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

Field Description
Age Number of seconds the session has been in effect.
Flags Indicate that the full-cone session was created by traffic or
PCP.

show cgnv6 lsn inside-user

Description Show session information for a specific LSN inside client.

Syntax show cgnv6 lsn inside-user ipaddr

Replace ipaddr with the inside IP address of the user.

Mode All

Example The following command shows LSN session information for an LSN
user:

ACOS# show cgnv6 lsn inside-user 10.10.10.4

LSN User-Quota Sessions:
Inside Address NAT Address ICMP UDP TCP Session Pool LID
--------------------------------------------------------------------------------------
----
10.10.10.4 19.19.19.104 0 1 0 1 lsn_p1 1
Total User-Quota Sessions Shown: 1

LSN Full-cone Sessions:

Prot Inside Address NAT Address Outbnd Inbnd Pool CPU
Age Flags
--------------------------------------------------------------------------------------
----
UDP 10.10.10.4:30251 19.19.19.104:30251 1 0 lsn_p1 4 -
-
Total Full-cone Sessions: 1

LSN Data Sessions:

Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags Type
--------------------------------------------------------------------------------------
----
Udp 10.10.10.4:30251 19.19.19.1:82 19.19.19.1:82
19.19.19.104:30251 300 4 NSe0f0r0 LSN

The following table describes the fields in the command’s output.

Field Description
LSN User-Quota Ses- See “show cgnv6 lsn user-quota-sessions” on page 74.
sions

65
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Field Description
LSN Full-Cone Sessions See “show cgnv6 lsn full-cone-sessions” on page 64.
LSN Data Sessions Lists the following data session information for the user:

• Prot – Protocol of the session

• Inside Address – IPv4 address and protocol port of the client
• NAT Address – NAT address assigned to the client by CGN
• Outbnd – Number of active outbound EIM sessions.
• Inbnd – Number of active inbound EIF sessions.
• Pool – LSN pool name
• CPU Age – Number of seconds the session has been in effect
• Flags – Indicate that the full-cone session was created by traffic or PCP.

show cgnv6 lsn nat-address

Description Show LSN sessions filtered by NAT address.
Syntax show cgnv6 lsn nat-address nataddr [nat-port natport]

Parameter Description
nataddr Specifies the NAT IP address.
natport Specifies the NAT port.

Mode All

Example The following command shows LSN session information filtered by

NAT address for user 9.9.9.78

ACOS# show cgnv6 lsn nat-address 9.9.9.78

Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags Type
--------------------------------------------------------------------------------------
----
Udp 90.135.166.203:1966 9.9.9.173:10000 9.9.9.173:10000 9.9.9.78:36976 300 2
NFe0f0r0 LSN
Udp 130.69.85.151:1964 9.9.9.173:10000 9.9.9.173:10000 9.9.9.78:9379 300 5
NFe0f0r0 LSN
Total Sessions: 2

Example The following command shows LSN session information filtered by

NAT address user 9.9.9.78 and NAT port 9379

ACOS# show cgnv6 lsn nat-address 9.9.9.78 nat-port 9379

66
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

NFe0f0r0 LSN
Total Sessions: 1

The following table describes the fields in this command’s output.

Field Description
Prot Transport protocol.
Forward Source Client IP address when connecting to a VIP.

Notes:

• For DNS sessions, the client’s DNS transaction ID is shown instead of a protocol
port number.
• The output for connection-reuse sessions shows 0.0.0.0 for the forward source
and forward destination addresses.
• For source-IP persistent sessions, the value shown in the Forward Source col-
umn is a combination of the IP address and the port number. The first two bytes
of the displayed value are the third and fourth octets of the client IP address. The
last two bytes of the displayed value represent the client source port.
Forward Dest VIP to which the client is connected.
Reverse Source Real server’s IP address.

Note: If the ACOS device is functioning as a cache server (RAM caching), asterisks (
* ) in this field and the Reverse Dest field indicate that the ACOS device directly
served the requested content to the client from the ACOS RAM cache. In this case,
the session is actually between the client and the ACOS device rather than the real
server.
Reverse Dest IP address to which the real server responds.
Age Number of seconds since the session started.
Hash CPU ID.
Flags Processing path for the traffic:

• NF – Fast-path processing.
• NS – Slow-path processing.
Type Type of NAT traffic.

show cgnv6 lsn port-overloading config

Description Display the configured Port Overloading settings that are ready to be
deployed.

Syntax show cgnv6 lsn port-overloading config

Mode All

Example Here is an example of the output:

67
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

ACOS# show cgnv6 lsn port-overloading config

LSN Port-Overloading Configured:
cgnv6 lsn port-overloading tcp disable 1 to 79
cgnv6 lsn port-overloading tcp enable 80
cgnv6 lsn port-overloading tcp disable 81 to 65535
cgnv6 lsn port-overloading udp disable

LSN Port-Overloading Actual:

cgnv6 lsn port-overloading tcp disable 1 to 79
cgnv6 lsn port-overloading tcp enable 80
cgnv6 lsn port-overloading tcp disable 81 to 65535
cgnv6 lsn port-overloading udp disable

show cgnv6 lsn port-reservations

Description Show static LSN port reservations.

Syntax show cgnv6 lsn port-reservations

Mode All

Example The following command shows static LSN port reservations:

ACOS# show cgnv6 lsn port-reservations

LSN Port Reservations
Inside Address Start End NAT Address Start End
--------------------------------------------------------------------------------------
192.168.1.1 80 1024 203.0.113.1 80 1024
Total Static Port Reservations: 1

The following table describes the fields in this command’s output.

Field Description
Inside Address Inside client’s IP address.
Start Beginning protocol port number in the inside address’ range.
End Ending protocol port number in the inside address’ range.
NAT Address Public IP address assigned to the client by LSN.
Start Beginning protocol port number that is statically mapped to the inside address’ port
range.
End Ending protocol port number that is statically mapped to the inside address’ port
range.

68
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

show cgnv6 lsn statistics

Description Show LSN statistics.

Syntax show cgnv6 lsn statistics

Mode All

Example The following command shows LSN statistics:

ACOS# show cgnv6 lsn statistics

Traffic statistics for LSN:
---------------------------
Total TCP Ports Allocated 0
Total TCP Ports Freed 0
Total UDP Ports Allocated 0
Total UDP Ports Freed 0
Total ICMP Ports Allocated 0
Total ICMP Ports Freed 0
Data Session Created 0
Data Session Freed 0
User-Quota Created 0
User-Quota Freed 0
User-Quota Creation Failed 0
TCP NAT Port Unavailable 0
UDP NAT Port Unavailable 0
ICMP NAT Port Unavailable 0
New User NAT Resource Unavailable 0
TCP User-Quota Exceeded 0
UDP User-Quota Exceeded 0
ICMP User-Quota Exceeded 0
Extended User-Quota Matched 0
Extended User-Quota Exceeded 0
Data Session User-Quota Exceeded 0
Conn Rate User-Quota Exceeded 0
TCP Full-cone Session Created 0
TCP Full-cone Session Freed 0
UDP Full-cone Session Created 0
UDP Full-cone Session Freed 0
Full-cone Session Creation Failed 0
Hairpin Session Created 0
Self-Hairpinning Drop 0
Endpoint-Independent Mapping Matched 0
Endpoint-Independent Filtering Matched 0
Endpoint-Dependent Filtering Drop 0

69
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Endpoint-Independent Filtering Inbound Limit Exceeded 0

TCP Port Overloaded 0
UDP Port Overloaded 0
TCP Port Overloading Session Created 0
UDP Port Overloading Session Created 0
TCP Port Overloading Session Freed 0
UDP Port Overloading Session Freed 0
NAT Pool Unusable 0
HA NAT Pool Unusable 0
HA NAT Pool Batch Type Mismatch 0
No RADIUS Profile Match 0
User-Quota Marked Unusable 0
User-Quota Unusable Drop 0
NAT IP TCP Max Ports Allocated 0
NAT IP UDP Max Ports Allocated 0
No Class-List Match 0
LSN LID Drop 0
LSN LID Pass-through 0

The following table describes the fields in this command’s output.

Field Description
Total TCP Ports Allocated Total number of TCP ports allocated for user sessions.
Total TCP Ports Freed Total number of TCP ports freed for use by other sessions.
Total UDP Ports Allocated Total number of UDP ports allocated for user sessions.
Total UDP Ports Freed Total number of UDP ports freed for use by other sessions.
Total ICMP Ports Allocated Total number of ICMP ports allocated for user sessions.
Total ICMP Ports Freed Total number of ICMP ports freed for use by other sessions.
Data Session Created Total number of LSN data sessions created.
Data Session Freed Total number of LSN data sessions freed.
User-Quota Created Number of port mappings created for which the user quota had
available mappings.
User-Quota Freed Number of port mappings that were created for which the user
quota had available mappings, that were later freed.
User-Quota Creation Failed Number of times creation of a port mapping was unsuccessful
because the user quota had no free mappings.
TCP NAT Port Unavailable Number of times a TCP port for an LSN NAT session was unavail-
able.
UDP NAT Port Unavailable Number of times a UDP port for an LSN NAT session was unavail-
able.
ICMP NAT Port Unavailable Number of times an ICMP port for an LSN NAT session was
unavailable.

70
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

Field Description
New User NAT Resource Unavail- Number of times LSN resources (ICMP, TCP, or UDP) were not
able available for a new user.
TCP User-Quota Exceeded Number of times the TCP quota for a user was exceeded.
UDP User-Quota Exceeded Number of times the UDP quota for a user was exceeded.
ICMP User-Quota Exceeded Number of times the ICMP quota for a user was exceeded.
Extended User-Quota Matched Number of times the extended user quota was used to create a
mapping.
Extended User-Quota Exceeded Number of times a NAT port was unavailable to a client because
the client had exceeded the extended user quota.
Data Session User-Quota Number of times a client exceeded their data session quota.
Exceeded
Conn Rate User-Quota Exceeded Number of times connection rate quota for a user was exceeded.
TCP Full-cone Session Created Total number of LSN TCP full-cone sessions created.
TCP Full-cone Session Freed Total number of LSN TCP full-cone sessions freed.
UDP Full-cone Session Created Total number of LSN UDP full-cone sessions created.
UDP Full-cone Session Freed Total number of LSN UDP full-cone sessions freed.
Full-cone Session Creation Failed Number of times creation of a full-cone session failed.
Hairpin Session Created Total number of LSN hairpin sessions created.
Self-Hairpinning Drop Number of hairpin sessions dropped because the source and des-
tination client were the same.
Endpoint-Independent Mapping Number of times LSN reused the LSN mapping assigned to a client
Matched for subsequent traffic for that client. (This is the benefit provided
by Endpoint independent mapping.)
Endpoint-Independent Filtering Number of times traffic from any source to a given mapped client
Matched was forwarded to the internal client, regardless of the endpoint.
(This is the benefit provided by Endpoint independent filtering.)
Endpoint-Dependent Filtering Number of times traffic to a mapped client was dropped because
Drop endpoint-independent filtering was not enabled, and the traffic
was not from the endpoint mapped to the client.
Endpoint-Independent Number of times the maximum number of Endpoint-Independent
Filtering Inbound Limit Exceeded Filtering (EIF) sessions allowed for a NAT mapping was exceeded.
NAT Pool Mismatch Drop Number of times traffic was dropped because matching traffic for
a current full-cone session or user-quota session uses a different
pool or pool group than the one redirected to by the rule list.
TCP Port Overloaded Number of times a TCP port on a NAT address was assigned to a
new client while another client was still using the mapping.

71
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Field Description
TCP Port Overloading Session Number of times a session on an overloaded TCP port was cre-
Created ated.
UDP Port Overloading Session Number of times a session on an overloaded UDP port was cre-
Created ated.
TCP Port Overloading Session Number of times a session created on an overloaded TCP port was
Freed freed.
UDP Port Overloading Session Number of times a session created on an overloaded UDP port
Freed was freed.
NAT Pool Unusable Number of times traffic hit a disabled NAT IP.
HA NAT Pool Unusable Number of times traffic hit a disabled NAT IP in high availability
standby state.
No RADIUS Profile Match Number of times traffic did not match the RADIUS profile.
User-Quota Marked Unusable Number of times traffic hit the user quota.
User-Quota Unusable Drop Number of times traffic was dropped because the user quota had
been reached.
NAT IP TCP Max Ports Allocated Number of times a NAT IP’s all TCP ports have been
allocated.
NAT IP UDP Max Ports Allocated Number of times a NAT IP’s all UDP ports have been
allocated.
No Class-List Match Number of times traffic did not match the LSN class list.
LSN LID Drop Number of times traffic matched the drop action in the LSN LID,
and was dropped.
LSN LID Pass-through Number of times traffic matched the pass-through action in the
LSN LID, and was passed through without being NATted.

show cgnv6 lsn system-status

Description Show system-level information for LSN.
Syntax show cgnv6 lsn system-status

Mode All

Example The following command shows system-level information for LSN:

ACOS# show cgnv6 lsn system-status

CPU Usage:
----------
Control CPU : 18%
Data CPU 1 : 0%
Data CPU 2 : 0%
Data CPU 3 : 0%
Data CPU 4 : 0%

72
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

Data CPU 5 : 0%
Data CPU avg: 0%

Memory Status:
--------------
Total Memory(KB): 6123184
Used Memory(KB) : 4462824
Free Memory(KB) : 1660360
Memory Usage : 72.8%

Sessions Status:
----------------
LSN CPS : 0
Data Sessions Used: 0
Data Sessions Free: 16744443
SMP Sessions Used : 0
SMP Sessions Free : 16580608

NAT Port Usage:

---------------
TCP NAT Ports Used: 0
TCP NAT Ports Free: 1290240
UDP NAT Ports Used: 0
UDP NAT Ports Free: 1290240

RADIUS Table Usage:

-------------------
RADIUS Entries Used: 0
RADIUS Entries Free: 1500000

The following table describes the fields in the command’s output.

Field Description
CPU Usage Shows utilization for each CPU. The average utilization for all CPUs also is shown.
Memory Status Shows memory usage information.
Sessions Status Shows usage and availability for LSN traffic sessions.

Date sessions are traffic sessions.

SMP sessions are cross-CPU sessions.

NAT Port Usage Shows current utilization information for Layer 4 NAT ports.
RADIUS Table Shows current utilization information for RADIUS table usage.
Usage

73
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

show cgnv6 lsn user-quota-sessions

Description Show LSN user-quota session information.

Syntax show cgnv6 lsn user-quota-sessions

[all-partitions]
[inside-user ipaddr]
[partition partition-name]
[pool pool-name]
[top num {all | icmp | tcp | udp}]

Parameter Description
all-partitions | Displays session information for all partitions or for a particular parti-
partition partition-name tion.
inside-user ipaddr Displays session information only for the specified user IP address.
pool pool-name Displays session information only for the specified LSN NAT pool.
top num type Limits the display to the sessions with the highest counters for the
specified resource type. You can specify 1-100.

The resource type can be one of the following:

• all – Displays the sessions with the highest counters for all
resource types (ICMP, TCP, and UDP).
• icmp – Displays the sessions with the highest counters for ICMP.
• tcp – Displays the sessions with the highest counters for TCP.
• udp – Displays the sessions with the highest counters for UDP.

Mode All

Example The following command shows user-quota information:

ACOS# show cgnv6 lsn user-quota-sessions

LSN User-Quota Sessions:
Inside Address NAT Address ICMP UDP TCP Session Pool LID Flag
-----------------------------------------------------------------------------------
10.10.10.4 19.19.19.103 0 1 0 1 lsn_p1 1 U
Total User-Quota Sessions Shown: 1

Field Description
Inside Address Inside client’s IP address.
NAT Address Public IP address assigned to the client by LSN.
ICMP Number of ICMP ports from the quota that are in use.
UDP Number of UDP ports from the quota that are in use.
TCP Number of TCP ports from the quota that are in use.
Session Number of active sessions created by the client.

74
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

Field Description
Pool Name of the pool from which the public address for the session
was selected.
LID Limit ID (LID) in which the user quota is configured.
Flag Displays a “U” if the quota is unusable.

show cgnv6 lsn-lid

Description Show configuration information for CGN Limit IDs (LIDs).

Syntax show cgnv6 lsn-lid [num]

Mode All

show cgnv6 lsn-rule-list

Description Show information for LSN rule lists.
Syntax show cgnv6 lsn-rule-list list-name [statistics]

Parameter Description
list-name Displays information for the specified CGN rule list.
statistics Displays statistics. For each rule in the list, the number of times traffic matched the rule
(the number of “hits”) is listed.

Mode All

Example The following command shows some rule-list statistics:

ACOS# show cgn lsn-rule-list r1 statistics

cgnv6 lsn-rule-list r1
default
tcp port 80 action snat pool lsn_p1 hits 1
icmp action drop hits 4

75
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

show cgnv6 nat pool

Description Display the configured NAT pools.

Syntax show cgnv6 nat pool statistics [options] [pool-name]

Parameter Description
pool-name Displays statistics for the specified CGN pool.
statistics [options] Displays CGN pool statistics. The following filtering options are avail-
able:

pool-name – Name of a CGN pool.

brief – Displays fewer details.

misc – Displays miscellaneous per-IP information.

peaks – Displays peak statistics.

top num suboption – Limits the display to the pool IP addresses

with the highest counters for the specified statistics type. You can
specify 1-100. The statistics type can be one of the following:

• used – Displays the pool IP addresses with the highest total

resource usage.
• used-icmp – Displays the pool IP addresses with the highest ICMP
identifier usage.
• used-udp – Displays the pool IP addresses with the highest UDP
port usage.
• used-tcp – Displays the pool IP addresses with the highest TCP
port usage.
• reserved – Displays the pool IP addresses with the most total
reserved ports.
• reserved-udp – Displays the pool IP addresses with the most
reserved UDP ports.
• reserved-tcp – Displays the pool IP addresses with the most
reserved TCP ports.
• users – Displays the pool IP addresses with the most users.

Example The following command displays CGN NAT pool information:

ACOS# show cgnv6 nat pool

Total IP NAT Pools: 3
Pool Name Start Address End Address Mask Gateway Vrid
--------------------------------------------------------------------------------------
----
test-lsn-pool 100.101.1.1 100.101.1.12 /24 0.0.0.0 default

76
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

The following table describes the fields in the command’s output.

Field Description
Pool Name Name of the pool.
Start Address Starting address of the pool.
End Address Ending address of the pool.
Mask Network mask for the pool address range.
Gateway Default gateway to use for outbound client traffic mapped to an
address from this pool.
VRID VRRP-A VRID to which this pool is assigned, if applicable.

Example The following command shows LSN pool statistics:

ACOS# show cgnv6 nat pool statistics

LSN Address Pool Statistics:
----------------------------
lsn_p1 Address Users ICMP Freed Total UDP Freed Total Rsvd TCP Freed Total Rsvd
--------------------------------------------------------------------------------------
----
19.19.19.101 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.102 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.103 1 0 0 0 1 0 1
0 0 0 0 0
19.19.19.104 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.105 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.106 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.107 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.108 0 0 0 0 0 0 0
0 0 0 0 0
19.19.19.109 0 0 0 0 0 0 0
0 0 1 1 0
19.19.19.110 0 0 0 0 0 0 0
0 0 0 0 0

The following table describes the fields in this command’s output.

77
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

Field Description
Address NAT (global) IP address.
Users Number of inside IP addresses currently using the NAT IP address.
ICMP Number of ICMP identifiers currently in use.
Freed Total number of ICMP identifiers freed.
(ICMP)
Total (ICMP) Total number of ICMP identifiers allocated.

ICMP column + Freed column = Total column.

UDP Number of UDP ports currently in use.
Freed (UDP) Total number of UDP ports freed.
Total (UDP) Total number of UDP ports allocated.

UDP column + Freed column = Total column.

Rsvd (UDP) Total of all UDP reserve settings for each user that is currently using the NAT IP
address.

For example, if an LID has the setting “user-quota udp 100 reserve 50”, and there are
50 users using the LID d on the NAT IP address, the Rsvd value is 50*50 = 2500.
TCP Number of TCP ports currently in use.
Freed (TCP) Total number of TCP ports freed.
Total (TCP) Total number of TCP ports allocated.

TCP column + Freed column = Total column.

Rsvd (TCP) Total of all TCP reserve settings for each user that is currently using the NAT IP
address.

For example, if an LID has the setting “user-quota tcp 100 reserve 60”, and there are 10
users using the LID d on the NAT IP address, the Rsvd value is 10*60 = 600.

Example The following example shows use of the misc option:

ACOS# show cgnv6 nat pool statistics misc

LSN Address Pool Statistics:
----------------------------
lsn_p1 Address ICMP RTSP
---------------------------------------------------
19.19.19.101 0 0
19.19.19.102 0 0
19.19.19.103 0 0
19.19.19.104 0 0
19.19.19.105 0 0
19.19.19.106 0 0

78
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

19.19.19.107 0 0
19.19.19.108 0 0
19.19.19.109 0 0
19.19.19.110 0 0

Example The following example shows use of the brief option:

ACOS# show cgnv6 nat pool statistics brief

LSN Address Pool Statistics:
----------------------------
lsn_p1 Address Users UDP TCP
-------------------------------------------------------------
19.19.19.101 0 0 0
19.19.19.102 0 0 0
19.19.19.103 1 1 0
19.19.19.104 0 0 0
19.19.19.105 0 0 0
19.19.19.106 0 0 0
19.19.19.107 0 0 0
19.19.19.108 0 0 0
19.19.19.109 0 0 0
19.19.19.110 0 0 0

show cgnv6 nat pool-group

Description Display the configured NAT pool groups.

Syntax show cgnv6 nat pool-group group-name [statistics]

Example The following command shows the configuration of pool group “grp1”:

ACOS# show cgnv6 nat pool-group grp1

cgnv6 nat pool-group grp1
member test-lsn-pool

Parameter Description
statistics Displays NAT pool group statistics.

NOTE: To display the pool-group statistics for all pool groups, do not enter
any pool group name.

Example The following command shows the configuration of all pool groups.

ACOS# show cgnv6 nat pool-group [statistics]

Pool Group Name Total IP Used IP Free IP
--------------------------------------------------

79
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

grp2 120 0 120

grp1 145 0 To 145
--------------------------------------------------

show cgnv6 nat range-list

Description Display information on an IP source NAT static range list.

Syntax [no] show cgnv6 nat range-list list-name

Default None.

Mode All

Example The following command displays information on an IP source NAT

static range list:

ACOS# show cgnv6 nat range-list

Total Static NAT range lists: 1
Name Local Address/Mask Global Address/Mask Count VRID
----------------------------------------------------------------
abc 1.1.1.1/32 2.2.2.2/32 1 0

show cgnv6 nat static-binding

Description Display information on static bindings configured.

Syntax [no] show cgnv6 nat static-binding

Default None.

Mode All

show cgnv6 one-to-one mappings

Description Display information on NAT one-to-one mappings.

Syntax show cgnv6 one-to-one mappings

[all-partitions | partition partition-name]
[inside-address ipaddr]
[inside-address-ipv6 ipv6-addr]
[nat-address ipaddr]
[partition partition-name]
[pool pool-name [shared]]

80
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

Parameter Description
all-partitions | Displays mappings for all partitions or for a particular partition.
partition partition-name
inside-address ipaddr Displays information for a specific inside address.
inside-address-ipv6 ipv6-addr Displays information for a specific IPv6 inside address.
nat-address ipaddr Displays information for a specific NAT address.
partition partition-name Displays information for a specific partition.
pool pool-name Displays mappings for a specific NAT pool.

The shared option filters the output to include only pools that
are configured to be shared with L3V partitions. This option is
applicable when the command is entered from the shared parti-
tion, and displays mappings for pools that are configured in the
shared partition and that are enabled to be shared with L3V par-
titions.

Example The following command displays CGN one-one mappings:

ACOS(config)# show cgnv6 one-to-one mappings

Inside IPv4 Address Inside IPv6 Address NAT Address Sessions Age
Pool
--------------------------------------------------------------------------------------
----
- 2001:db8::2:10 6.6.6.6 9 - p5
Total One-to-One NAT Mappings: 1

The following table describes the fields in the command’s output.

Field Description
Inside IPv4 Address IPv4 inside address.
Inside IPv6 Address IPv6 inside address
NAT Address Public IP address assigned to the client by LSN.
Sessions Number of sessions using this mapping.
Age Age of this mapping.
Pool Name of the pool.

81
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

show cgnv6 one-to-one pool

Description Display information on NAT one-to-one pool.

Syntax show cgnv6 one-to-one pool [pool-name]

Parameter Description
pool [pool-name] Displays the name of the pool.
statistics Displays the one-to-one NAT pool usage.

show cgnv6 one-to-one pool-group

Description Display the information on NAT one-to-one pool group.
Syntax show cgnv6 one-to-one pool-group [pool-group-name]

show cgnv6 one-to-one statistics

Description Display information on NAT one-to-one statistics.
Syntax show cgnv6 one-to-one statistics

Example To display one-to-one statistics, enter the following commands:

ACOS# show cgnv6 one-to-one statistics

Total One-to-One Mapping Allocated: 23456
Total One-to-One Mapping Freed: 23000
One-to-One Mapping Allocation Failure: 100

show cgnv6 resource-usage

Description Display CGNv6 resource usage.

Syntax show cgnv6 resource-usage

Example The following is the sample output of this command:

AX5100(config)# show cgnv6 resource-usage

Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
lsn-nat-addr-count 2048 2048 512 10240
fixed-nat-ip-addr-count 128000 128000 2560 128000
fixed-nat-inside-user-count 4000000 4000000 80000 4000000
radius-table-size 6000000 6000000 3000000 6000000

82
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
LSN Show Commands

show cgnv6 template

Description Display CGN templates.

Syntax show cgnv6 templates {dns | http-alg | logging | pcp | policy}

[template-name]

Default Use one of the options shown to specify the type of template to dis-
play.

83
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
LSN Show Commands

84
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: PORT CONTROL PROTOCOL

The commands in this chapter configure Port Control Protocol (PCP).

• “Notes About the Current Release” on page 85

• “PCP Configuration Commands” on page 85

• “PCP Show Commands” on page 88

Notes About the Current Release

Observe the following notes about PCP implementation in this release:

• ACOS implements PCP fully compliant with RFC6887, and it supports port mapping alloca-
tions for the following CGN features: LSN (NAT44), Dual-Stack Lite (DS-Lite), NAT64, and
Fixed-NAT LSN/DS-Lite/NAT64.
• Below are some important PCP features ACOS supports. This list is not all-inclusive:

• PCP MAP Opcode

• PCP PEER Opcode
• PCP ANNOUNCE Opcode
• THIRD_PARTY option for PCP MAP/PEER
• PREFER_FAILURE option for PCP MAP
• FILTER option for PCP MAP
• Validating “nonce” in PCP MAP request

PCP Configuration Commands

This section describes the PCP configuration commands.

• cgnv6 pcp default-template

• cgnv6 template pcp

85
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
PCP Configuration Commands

cgnv6 pcp default-template

Description Specify the Port Control Protocol (PCP) template to use as the set of
default PCP settings.

Syntax [no] cgnv6 pcp default-template template-name

Replace template-name with the name of the PCP template. (To

configure a PCP template, see “cgnv6 template pcp” on page 86.)

Default PCP is disabled by default. To enable it, configure a PCP template,

then activate it on a global basis using the cgnv6 pcp default-template
command.

Mode Configuration mode

Usage When PCP is enabled, the ACOS device acts as a PCP server for Large
Scale NAT (LSN) clients (PCP clients). The ACOS device parses incom-
ing UDP packets arriving on the PCP port, extracts the relevant infor-
mation, and creates or refreshes the IPv4-IPv4 mapping as requested
by the PCP client. The ACOS device then sends a PCP response mes-
sage back to the PCP client. The mapping created for the client is an
implicit dynamic mapping.

cgnv6 template pcp

Configure a template to set Port Control Protocol (PCP) options.

Syntax [no] cgnv6 template pcp template-name

Replace template-name with the name of the template, 1-31

characters.

This command changes the CLI to the configuration level for the
template, where the following commands are available.

86
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
PCP Configuration Commands

(The other commands are common to all CLI configuration levels. See
the Command Line Interface Reference (for ADC).

Command Description
[no] allow-third-party-from-lan Enables support for the third-party option in MAP requests
received on the LAN. This option instructs the ACOS device to
use the address specified in the MAP request, instead of the
source address of the request packet, as the internal address
for the mapping. By default, this option is disabled.
[no] allow-third-party-from-wan Enables support for the third-party option in MAP requests
received on the WAN. This option instructs the ACOS device to
use the address specified in the MAP request, instead of the
source address of the request packet, as the internal address
for the mapping. By default, this option is disabled.
[no] check-client-nonce Enable validation of the PCP MAP NONCE. By default, this
option is disabled.
[no] disable-map-filter Disable the process to FILTER in PCP MAP. By default, this
option is enabled.
[no] disable-opcode option Enable or disable the process for MAP/PEER/ANNOUNCE
Opcodes. Available options are:

• announce
• map
• peer

All three options are enabled by default.

[no] mapping-lifetime Specifies the maximum lifetime of PCP mappings. Available
options are:

• maximum – You can specify 2 -1440 minutes. The default is

1440 minutes.
• minimum – You can specify 2 -1440 minutes. The default is 2
minutes.
[no] pcp-server-port portnum Specifies the UDP destination port for PCP, 1024-65535. The
default is 5351.
[no] send-unsolicited-announce Allows the ACOS device to send an unsolicited announce
{source-ip ipv4addr | packet when the ACOS device reboots or reloads, or following
source-ipv6 ipv6addr} VRRP-A failover. By default, the configuration is disabled.

Default PCP disabled by default. To enable it, use this command to configure a
PCP template, then use the cgnv6 pcp default-template command to
activate it (“cgnv6 pcp default-template” on page 86).

Mode Configuration mode

87
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
PCP Show Commands

Usage The current release supports PCP only for IPv4-IPv4 mappings for LSN
clients. PCP is not supported for IPv6 mappings or for other IPv6
migration features (NAT64, DS-Lite, and so on).

ACOS supports RFC 6887- compliant Port Control Protocol (draft 29).
For more information, see RFC 6887. Draft versions 12 and 13 are no
longer supported.

PCP Show Commands

This section describes the show commands for PCP.

• show cgnv6 pcp statistics

show cgnv6 pcp statistics

Description Show statistics for Port Control Protocol (PCP).
Syntax show cgnv6 pcp statistics

Mode All

Example The following command shows PCP statistics:

ACOS# show cgnv6 pcp statistics

PCP Statistics:
---------------
Packets Received 0
PCP MAP Request Processing Success (NAT44) 0
PCP MAP Request Processing Success (DS-Lite) 0
PCP MAP Request Processing Success (NAT64) 0
PCP PEER Request Processing Success (NAT44) 0
PCP PEER Request Processing Success (DS-Lite) 0
PCP PEER Request Processing Success (NAT64) 0
PCP ANNOUNCE Request Processing Success (NAT44) 0
PCP ANNOUNCE Request Processing Success (DS-Lite) 0
PCP ANNOUNCE Request Processing Success (NAT64) 0
Packet Not a PCP Request 0
Packet Too Short 0
Response No Route 0
Unsupported PCP version 0
PCP Request Not Authorized 0
PCP Request Malformed 0
Unsupported PCP Opcode 0
Unsupported PCP Option 0

88
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
PCP Show Commands

PCP Option Malformed 0

No System or NAT Resources 0
Unsupported Mapping Protocol 0
User Quota Exceeded 0
Cannot Provide Suggested Port When PREFER_FAILURE 0
PCP Client Address Mismatch 0
Excessive Remote Peers 0
Packet Dropped For Not Coming From NAT Inside 0
L3/L4 Process Error 0
Internal Error 0
Unsolicited Announce Sent 0
Unsolicited Announce Send Failure 0
HA Sync PCP Epoch Sent 0
HA Sync PCP Epoch Recv 0

The following table describes the fields in the command’s output.

Field Description
Packets Received Number of PCP request packets received by ACOS.
PCP MAP Request Processing Success Number of NAT44 PCP MAP requests received and pro-
(NAT44) cessed successfully by ACOS.
PCP MAP Request Processing Success Number of DS-Lite PCP MAP requests received and pro-
(DS-Lite) cessed successfully by ACOS.
PCP MAP Request Processing Success Number of NAT64 PCP MAP requests received and pro-
(NAT64) cessed successfully by ACOS.
PCP PEER Request Processing Success Number of NAT44 PCP PEER requests received and pro-
(NAT44) cessed successfully by ACOS.
PCP PEER Request Processing Success Number of DS-Lite PCP PEER requests received and pro-
(DS-Lite) cessed successfully by ACOS.
PCP PEER Request Processing Success Number of NAT64 PCP PEER requests received and pro-
(NAT64) cessed successfully by ACOS.
PCP ANNOUNCE Request Processing Number of NAT44 PCP ANNOUNCE requests received and
Success (NAT44) processed successfully by ACOS.
PCP ANNOUNCE Request Processing Number of DS-Lite PCP ANNOUNCE requests received and
Success (DS-Lite) processed successfully by ACOS.
PCP ANNOUNCE Request Processing Number of NAT64 PCP ANNOUNCE requests received and
Success (NAT64) processed successfully by ACOS.
Packet Not a PCP Request Number of packets which are not a PCP request (e.g. PCP
response).
Packet Too Short Number of packets which are too short to be a valid PCP
packet.
Response No Route Number of packets for which ACOS cannot find the route
on which to send back the PCP response.

89
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
PCP Show Commands

Field Description
Unsupported PCP version Number of packets using a PCP protocol version which
ACOS does not support.
PCP Request Not Authorized Number of PCP requests sent from an unauthorized client.
PCP Request Malformed Number of PCP requests which are malformed.
Unsupported PCP Opcode Number of PCP packets with an unsupported PCP Opcode
in the request.
Unsupported PCP Option Number of PCP packets with a mandatory PCP Opcode in
the request that is not supported by ACOS.
PCP Option Malformed Number of PCP packs with malformed PCP options in the
request.
No System or NAT Resources Number of PCP requests for which ACOS cannot allocate a
NAT port due to lack of available NAT ports or other system
resources.
Unsupported Mapping Protocol Number of packets for which the request port mapping is
for a protocol other than TCP/UDP.
User Quota Exceeded Number of packets for which ACOS cannot allocate a NAT
port due to an exceeded user quota for the client.
Cannot Provide Suggested Port When Number of packets for which ACOS cannot allocate the
PREFER_FAILURE suggested NAT port for PCP requests with a PREFER_-
FAILURE option.
PCP Client Address Mismatch Number of packets for which the client address in the PCP
payload is different from the source address of the PCP
packet.
Excessive Remote Peers Number of packets in which the PCP MAP request con-
tains too many filters for remote peers.
Packet Dropped For Not Coming From Number of PCP requests which are received from an ACOS
NAT Inside interface but are not permitted by the ACOS configuration
because they do not come from a NAT inside interface.
L3/L4 Process Error Number of PCP packets which contain an error in the L3/
L4 headers.
Internal Error Number of unexpected internal errors from ACOS.
Unsolicited Announce Sent Number of Unsolicited PCP Announce packets sent by
ACOS.
Unsolicited Announce Send Failure Number of times ACOS fails to send an Unsolicited PCP
Announce packets.
HA Sync PCP Epoch Sent For an HA Active box, the number of PCP epoch sync
messages sent to a Standby box
HA Sync PCP Epoch Recv For an HA Standby box, the number of PCP epoch sync
messages received from the Active box.

90
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: NAT64 / DNS64

The commands in this chapter configure global settings for NAT64 / DNS64.

• “DNS64 Configuration Commands” on page 91

• “NAT64 Configuration Commands” on page 102

• “DNS64 / NAT64 Show Commands” on page 115

DNS64 Configuration Commands

This section describes the DNS64 configuration commands.

• cgnv6 nat pool

• cgnv6 nat pool-group

• cgnv6 nat64 prefix

• cgnv6 server

• cgnv6 service-group

• cgnv6 template dns

• cgnv6 dns64-virtualserver

cgnv6 nat pool

Description Configure an IPv4 pool, for DNS64 to use while acting as a proxy for a
local IPv4 DNS server. For syntax information, see “cgnv6 nat pool” on
page 42.

cgnv6 nat pool-group

Description Configure a set of IP pools for use by NAT. Pool groups enable you to
use non-contiguous IP address ranges, by combining multiple IP
address pools. For syntax information, see “cgnv6 nat pool-group” on
page 44.

91
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 Configuration Commands

cgnv6 nat64 prefix

Description Configure the NAT64 prefix.

Syntax [no] cgnv6 nat64 prefix ipv6-addr/nn

[class-list list-name]
[vrid vrid]

Parameter Description
ipv6-addr/nn Specifies the prefix.
class-list list-name Specifies a class list of inside source parameters for the prefix.
vrid vrid Adds the resource to a VRRP-A virtual router, identified by its virtual
router ID (VRID).

Default The default is 64:ff9b::/96. No VRID is assigned by default.

Mode Configuration mode

cgnv6 server
Description Configure the local DNS server to be proxied.

Syntax [no] cgnv6 server server-name {ipaddr | ipv6-addr}

This command creates the server and changes the CLI to the
configuration level for the server, where the following commands are
available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] health-check Enables health monitoring of the server. The monitor-name specifies the
{monitor-name} name of a configured health monitor.

If you omit this command or you enter it without the monitor-name option,
the default Layer 3 (ICMP) health monitor is used.

92
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 Configuration Commands

Command Description
[no] health-check- Disables health monitoring of the server.
disable
[no] port port-num Specifies the TCP or UDP port on which the server listens for traffic.
{tcp | udp}
enable | disable

Enables or disables the port.

[no] health-check [monitor-name]

Enables health monitoring of the port. The monitor-name option speci-

fies the name of a configured health monitor.

If you omit the health-check command or you enter it without the mon-
itor-name option, the default UDP health monitor is used. (See “Usage”
below.)

[no] health-check-disable

Disables health monitoring of the port.

Default None

Mode Configuration mode

Usage The normal form of the cgnv6 server command creates a new real
server or edits an existing real server. The CLI changes to the configu-
ration level for the server. The “no” form of this command removes an
existing real server. The IP address of the server can be in either IPv4
or IPv6 format. ACOS devices support both address formats.

Default Health Monitoring

The following health monitors are enabled by default.

• ICMP – Server health check. Every 5 seconds, the ACOS device
sends an ICMP echo request (ping) addressed to the server’s IP
address. The server passes the health check if it sends an echo
reply to the ACOS device. If the server does not reply after the
fourth attempt (the first attempt followed by 3 retries), the ACOS
device sets the server state to DOWN.
• UDP – Protocol port health check. Every 5 seconds, the ACOS
device sends a packet with a valid UDP header and a garbage
payload to the UDP port. The port passes the health check if the
server either does not reply, or replies with any type of packet
except an ICMP Error message.

93
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 Configuration Commands

cgnv6 service-group
Description Configure a service group, which is a pool of one or more servers.

Syntax [no] cgnv6 service-group group-name {tcp | udp}

Replace group-name with the name of the group, 1-31 characters.

This command changes the CLI to the configuration level for the
specified service-group, where the following command is available:

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] health-check Enables health monitoring of the service group. The
[monitor-name] monitor-name specifies the name of a configured
health monitor.
[no] member {member-name} {portnum} Adds the external log server and port to the service
group.
[no] shared {group | partition} Configures the service group to share with either a
partition group or a single partition.
[no] traffic-replication-type [mir- Enables ACOS to duplicate the syslog messages and
ror-ip-repl] forward them to multiple collector servers.

The mirror-ip-repl option alters the packets header

and makes changes to the destination IP address and
destination port in the duplicated packets at Layer 4.
The log messages are then replicated or “mirrored” to
the collector servers that are specified within the ser-
vice group.

Default There are no service groups configured by default.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing
service group. The CLI changes to the configuration level for the ser-
vice group.

94
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 Configuration Commands

cgnv6 template dns

Description Configure a DNS template to enable DNS64 and set DNS64 options.

Syntax [no] cgnv6 template dns template-name

This command creates the template and changes the CLI to the
configuration level for the template, where the following DNS64-
related commands is available:

95
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 Configuration Commands

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] class-list Enables health monitoring of the service group. The monitor-
class-list lid num {conn-rate- name specifies the name of a configured health monitor.
limit | over-limit-action}
• conn-rate-limit configures the connection rate limit.
• dns configures DNS cache options. The following options
are available:
• cache-disable disables DNS cache.
• cache-enable enables DNS cache.
• ttl configures TTL for cache entry.
• weight configures weight for cache entry.
• over-limit-action configures the action when the con-
nection rate limit is exceeded. The following actions are
available:
• dns-cache-disable disables DNS cache when it
exceeds limit.
• dns-cache-enable enables DNS cache when it exceeds
limit.
• forward forwards the traffic even it exceeds limit.
• lockout Any new connection for certain time will not be
accepted.
• log logs a message.
[no] default-policy Specify the default action to take when a query does not
[nocache | cache] match any class-list entries.
[no] Disables the DNS template.
disable-dns-template
[no] dns-log-enable period Specify how often log messages are generated for DNS
period caching. (1-10000 minutes)

96
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 Configuration Commands

Command Description
[no] dns64 Enables or disables DNS64. This option is disabled by default.
The following options are available:

• answer-only-disable If you configure this command, the

IPv4 addresses in all sections of DNS replies are synthe-
sized to IPv6. Otherwise, the ACOS device synthesizes IPv6
address for only resource records in the ANSWER section
of DNS replies. When the dns64 option is enabled, this
sub-option is enabled.
• auth-data When the ACOS device receives an A-query-
response from the DNS server, this option sets the authen-
ticated-data bit in synthesized AAAA responses. The auth-
bit will be set only if DNS64 synthesis is performed in the
reply. Otherwise, the bit will not be changed. When the
dns64 option is enabled, this sub-option is disabled.
• cache Uses a cached A-query response to provide AAAA
query responses for the same hostname, without consult-
ing the DNS server. When the dns64 option is enabled, this
sub-option is disabled.

For example, assume that an A query has been cached for

hostname example.com. If the client sends a AAAA query
for example.com, the ACOS device does not consult the
DNS server. Instead, the ACOS device uses the cached
type A answer to synthesize a AAAA response, and sends
the synthesized response to the client.

• change-query When the ACOS device receives a AAAA

request from a client, this option forwards only an A
request on behalf of the client. This option saves time if the
DNS database only contains A records, because the ACOS
device does not need to wait for an error or empty
response, or for the response to time out. When the dns64
option is enabled, this sub-option is disabled.
• compress-disable Saves network costs by compressing
DNS packets. When the dns64 option is enabled, this sub-
option is enabled.
• deep-check-rr-disable [drop-cname-disable] Evalu-
ates the resource records in the ANSWER sections of DNS
replies individually. Sometimes the DNS server may send
only CNAMEs in the ANSWER section in response to a
AAAA query. This option drops such responses, consider-
ing them to be empty, and initiates an A query towards the
hostname. By default, this option is enabled. This option is
valid only when the deep-check-RR option is enabled.
When the dns64 option is enabled, this sub-option is
enabled.
• enable Enables DNS64.

97
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 Configuration Commands

Command Description
[no] dns64 • ignore-rcode3-disable Ignores any DNS response with
rcode 3 in response to a AAAA query. The ACOS device
treats the response as empty, and sends an A query to the
same hostname. This option is useful for circumventing
DNS servers that are configured incorrectly to return
rcode=3 when they do not have any AAAA records for the
hostname, even though the hostname exists. When the
dns64 option is enabled, this sub-option is enabled.
• max-qr-length num Forwards the response from the DNS
server to the client without any modification to the
response, if the question-record length is greater than the
specified length. The length can be 1-1023 bytes. When the
dns64 option is enabled, this value is set to 128 by default.
• parallel-query Sends both an IPv6 AAAA request and
an IPv4 A request in parallel (at the same time) on behalf of
the client. When this option is enabled, the ACOS device
performs DNS64 synthesis if necessary, and forwards the
first valid response received to the client. (Empty
responses and errors are invalid.)

If both responses are invalid, the ACOS device forwards the

last invalid response to the client.

When the dns64 option is enabled, this sub-option is dis-

abled.

Note: It is recommended to disable passive queries (pas-

sive-query disable) and the single-response option
enabled (no single response-disable) when using the par-
allel-query option.

• passive-query-disable Initiates an A query upon receiv-

ing an empty response or error for a AAAA query. When the
dns64 option is enabled, this sub-option is enabled.
• retry retry-num Specifies the maximum number of
times the ACOS device will retry an A query if a response is
not received from the DNS server. You can specify 0-15. If
you specify 0, retries are disabled. When the dns64 option
is enabled, this value is set to 3 by default.
• single-response-disable When the ACOS device is
operating in parallel-query mode, the ACOS device will
send two queries to the DNS server at the same time. Both
queries could come back with valid responses. When the
dns64 option is enabled, this sub-option is enabled.

When the single-response option is enabled, the first valid

response is forwarded to the client. If two invalid
responses are received, the last one is forwarded to the cli-
ent.

If you disable this option, the ACOS device will forward

both responses to the server, if both responses are valid.

• timeout seconds Specifies the maximum number of sec-

onds the ACOS device waits for a AAAA response before
sending an A query. You can specify 0-15 seconds. When
the dns64 option is enabled, this value is set to 1 by
default.
98
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 Configuration Commands

Command Description
[no] dns64 • trans-ptr [trans-ptr-query] Enables you to run PTR
queries for synthesized IPv6 addresses with the client. The
PTR queries are intercepted by DNS64 and converted into
PTR queries for their corresponding IPv4 addresses before
sending out.

When the response is received by the ACOS device, the

response is synthesized and sent back to the client as if it
were a response for the synthesized IPv6 address.

When the dns64 option is enabled, this sub-option is dis-

abled.

• ttl seconds Specifies the maximum TTL to use in syn-

thesized AAAA replies, in place of the TTL value in the orig-
inal IPv4 DNS reply.
• If the TTL value in the template is lower than the TTL
value in the IPv4 reply, the template’s TTL value is used
in the synthesized IPv6 reply.
• If the TTL value in the template is equal to or higher than
the TTL value in the IPv4 reply, the TTL value in the IPv4
reply is used in the synthesized IPv6 reply.

You can specify 1-1000000000 seconds.

When the dns64 option is enabled, this sub-option is not

set by default.
[no] malformed-query {drop | Specifies the action the ACOS device will take on malformed
forward queries.
service-group-name}
• drop - the malformed query will be dropped
• forward - the malformed query will be forwarded to a ser-
vice group.
[no] max-cache-size num Specify the maximum number of entries that can be cached
per VIP.

Note: The maximum configurable amount depends on the

amount of RAM installed on the ACOS device.

Default None.

Mode Configuration mode

99
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 Configuration Commands

cgnv6 dns64-virtualserver
Description Configure the virtual server for the DNS proxy, to which clients will
send DNS queries.

Syntax [no] cgnv6 dns64-virtualserver name {ipaddr | ipv6-addr}

This command creates the server and changes the CLI to the
configuration level for the virtual server, where the following
commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

100
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 Configuration Commands

Command Description
[no] port port-number dns-udp Specifies the UDP port number and the port type, dns-
udp.

This command changes the CLI to the configuration level

for the port, where the following commands are available:

• service-group group-name

Binds the virtual port to the service group.

• source-nat {auto | pool}

Binds the virtual port on an IP NAT pool or pool group.

See the example below. Use the auto option to config-
ure auto NAT for the vport. Use the pool option to
specify NAT pool or pool group.

• template dns template-name

Binds the virtual port to the DNS template containing

the DNS64 settings. (See “cgnv6 template dns” on
page 95.)

• template policy template-name

Binds the virtual port to a policy template, if applicable.

(See “cgnv6 template policy” on page 112.)

• enable enables the virtual port

• disable disables the virtual port.
[no] template policy template-name Binds a policy template to the virtual server, if applicable.
[no] vrid vrid Adds the virtual server to a VRRP-A group.
enable Enables the virtual server.
disable Disables the virtual server.

Default None

Mode DNS template configuration. See cgnv6 template dns for more infor-
mation.

Example This example shows how to use an IP NAT pool with DNS64:

ACOS(config)# ip nat pool rr1 10.10.10.1 10.10.10.10 netmask /24

ACOS(config)# cgnv6 dns64-virtualserver dns64 20.1.1.20
ACOS(config-cgnv6 dnsvserver)# port 53 dns-udp
ACOS(config-cgnv6 dnsvserver-vport)# source-nat pool rr1

101
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

NAT64 Configuration Commands

This section describes the NAT64 configuration commands.

• cgnv6 ecmp 4-tuple-hash

• class-list (for NAT64)

• glid (for NAT64 override)

• cgnv6 nat pool (for NAT64)

• cgnv6 nat pool-group (for NAT64)

• cgnv6 lsn-lid

• cgnv6 nat64 alg

• cgnv6 nat64 force-non-zero-ipv4-id

• cgnv6 nat64 fragmentation df-bit-transparency

• cgnv6 nat64 fragmentation inbound

• cgnv6 nat64 fragmentation inbound df-set

• cgnv6 nat64 fragmentation outbound

• cgnv6 nat64 icmp

• cgnv6 nat64 inside

• cgnv6 nat64 prefix

• cgnv6 nat64 tcp mss-clamp

• cgnv6 nat64 tcp reset-on-error

• cgnv6 nat64 user-quota-prefix-length

• cgnv6 template policy

• ip nat inside

• ip nat-global reset-idle-tcp-conn

• ip frag timeout

• ip frag max-reassembly-sessions

102
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

cgnv6 ecmp 4-tuple-hash

NOTE: For information on this command, see “cgnv6 ecmp 4-tuple-hash”

on page 16”

class-list (for NAT64)

Description Configure a class list that specifies IPv6 addresses or prefixes on
which to perform an override action. For matching entries, the override
action is applied instead of the configured NAT64 action.

Syntax [no] class-list {list-name | filename file}

Parameter Description
list-name Adds the list to the running-config.
filename file Saves the list to a standalone file on the ACOS device.

NOTE: A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the
specified class list, where the following command is available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] ipv6-addr/prefix Adds an entry to the class list.
{glid | lid | lsn-lid}
num • ipv6-addr/prefix – Specifies an IPv6 address or prefix on which
to perform an override action
• {glid | lid} num – Specifies a Global Limit ID (GLID) or a Limit ID
(LID) configured in a policy template. These options apply only to
NAT64 override.
• lsn-lid num – Specifies the LID that refers to the NAT pool (or
group of pools) containing the IPv4 address(es) to use for NATting
traffic from IPv6 clients to IPv4 servers.

Default None

Mode Configuration mode

Usage If you plan to use a GLID, see “glid (for NAT64 override)” on page 104. If
you plan to use a policy template instead, see “cgnv6 template policy”
on page 112.

103
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

glid (for NAT64 override)

Description Configure a GLID to specify a NAT64 override action.

NOTE: This command applies only for configuring NAT64 override

actions. To configure the LID for regular NAT64, see “cgnv6
lsn-lid” on page 105.

Syntax [no] glid num

Replace num with the GLID number, 1-1023.

This command changes the CLI to the configuration level for the
specified GLID, where the following command is available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] dns64 Specifies the override action:
{disable |
exclusive-answer | • disable – Does not perform DNS64 processing on the client’s DNS
prefix ipv6-addr/nn} request. The client’s request is forwarded to the DNS server, and the
reply is sent to client without modification.
• exclusive-answer – Drops AAAA replies that contain specific IPv6
addresses or prefixes. In this case, the ACOS device sends an A query on
behalf of the client, then uses DNS64 to add synthesized IPv6 addresses
in the reply before sending the reply to the client.
• prefix ipv6-addr/nn – Uses a different NAT64 prefix to synthesize
IPv6 addresses in the reply to the client. You can use this option to load
balance NAT64 service across multiple ACOS devices.

Default None

Mode Configuration mode

Mode

cgnv6 nat pool (for NAT64)

Description Configure a NAT pool containing the IPv4 address(es) to use for NAT-
ting traffic from IPv6 clients to IPv4 servers. For syntax information,
see “cgnv6 nat pool” on page 42.

104
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

cgnv6 nat pool-group (for NAT64)

cgnv6 lsn-lid
Description Configure a Limit ID (LID) for NAT64. This LID will refer to the NAT pool
(or group of pools) containing the IPv4 address(es) to use for NATting
traffic from IPv6 clients to IPv4 servers.

NOTE: This command is not applicable to GLIDs or LIDs used for con-
figuring NAT64 override actions. To configure a GLID or LID for
NAT64 override, see “glid (for NAT64 override)” on page 104 or
“cgnv6 template policy” on page 112.

Syntax [no] cgnv6 lsn-lid num

Replace num with the LID number, 1-31.

This command changes the CLI to the configuration level for the
specified LID, where the following command is available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

Command Description
[no] source-nat-pool pool-name Binds an IPv4 NAT pool to the LID.
[no] user-quota-prefix-length mask-length Assign a user quota to all users of a specific
IPv6 prefix.

Default None

Mode Configuration mode

cgnv6 nat64 alg

Description Enable or disable Application Level Gateway (ALG) support.

105
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

Syntax [no] cgnv6 nat64 alg {esp | ftp [options]| h323 | mgcp| pptp |
rtsp | sip | tftp}
{disable | enable}

Parameter Description
esp Enables or disables NAT64 ALG support for Encapsulating Security Payload
{enable |disable} (ESP).
ftp [options] Enables or disables NAT64 ALG support for File Transfer Protocol (FTP). The
options enable or disable command translation for compatibility with old
FTP servers.

NAT64 FTP ALG supports the following command translations:

• trans-eprt-to-port – EPRT (RFC 2428) to PORT

• trans-epsv-to-pasv – EPSV (RFC 2428) to PASV
• trans-lprt-to-port – LPRT (RFC 1639) to PORT
• trans-lpsv-to-pasv – LPSV (RFC 1639) to PASV
• xlat-no-trans-pasv – Skip PASV response. The Payload of the IP
address information will not be translated from IPv4 to IPv6
h323 Enables or disables NAT64 ALG support for H323 standard.
{enable | disable}
mgcp Enables or disables NAT64 ALG support for Media Gateway Control Protocol
{enable | disable} (MGCP).
pptp Enables or disables NAT64 ALG support for Point-to-Point Tunneling Proto-
{enable | disable} col (PPTP).
rtsp Enables or disables NAT64 ALG support for Real Time Streaming Protocol
{enable | disable} (RTSP).
sip Enables or disables NAT64 ALG support for Session Initiation Protocol (SIP).
{enable | disable}
tftp Enables or disables NAT64 ALG support for Trivial File Transfer Protocol
{enable | disable} (TFTP).

Default ALG support for FTP is enabled by default, and all the command trans-
lation options are enabled by default except for “xlat-no-trans-pasv”.
ALG support for ESP, H323, MGCP, PPTP, RTSP, SIP, and TFTP is dis-
abled by default.

Mode Configuration mode

106
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

cgnv6 nat64 force-non-zero-ipv4-id

Description Enable the Identification field in an IPv4 header to have a non-zero
number for non-fragmented IPv6 packets between 88 and 1280 bytes
in size.

Syntax cgnv6 nat64 force-non-zero-ipv4-id [all]

The all option enables the Identification field to have a non-zero

number for all packet sizes.

Default Disabled. If the IPv6 packet is not fragmented, the Identification field
in the IPv4 header will be 0 by default.

Mode Configuration mode

Usage In some cases, servers will drop packets with a “0” in the Identification
field of an IPv4 header when the IPv6 packet is not fragmented. This
command forces the IPv4 header to have a non-zero number in that
Identification field whenever the IPv6 packet is not fragmented. By
default, when enabled, non-zero identification numbers are only
applied to packets between 88 and 1280 bytes. Using the optional all
command at the end configures a non-zero value in the Identification
field of the IPv4 packet for all non-fragmented IPv6 packets, regard-
less of packet size.

cgnv6 nat64 fragmentation df-bit-transparency

Description Enable or disable insertion of headers that have the more-fragments
bit set to zero, and that have the fragmentation-offset set to zero.

Syntax [no] cgnv6 nat64 fragmentation df-bit-transparency enable

Default Insertion of headers that have the more-fragments bit set to zero and
the fragmentation-offset set to zero is disabled by default.

Mode Configuration mode

Usage This option applies to the IPv4-to-IPv6 traffic direction. When this
option is enabled, headers are inserted when the IPv4 Don’t Fragment
bit is not set.

107
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

cgnv6 nat64 fragmentation inbound

Description Configure fragmentation support for inbound packets.

Syntax [no] cgnv6 nat64 fragmentation inbound

{df-set | drop | ipv6}

Paramete
r Description
df-set Configures the behavior for inbound fragmented packets when Don’t Fragment (DF) bit is
set. The following options are available:

• drop drops silently

• ipv6 uses IPv6 fragmentation.
• send-icmp sends ICMP Type 3 Code 4. This is the default option.
drop Drops inbound fragmented packets.
ipv6 Uses IPv6 fragmentation support for inbound oversized packets.

Default The following options are enabled by default:

• ipv6
• df-set send-icmp

Mode Configuration mode

NOTE: If df-set is not configured, then the default is to use ipv6-frag-

mentation. If df-set is configured, the default is to send back an
icmp error.

108
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

cgnv6 nat64 fragmentation inbound df-set

Description Configure the behavior for inbound fragmented packets when Don’t
Fragment (DF) bit is set.

Syntax [no] cgnv6 nat64 fragmentation inbound df-set

{drop | ipv6| send-icmp [count num]}

Parameter Description
send-icmp Enables sending of ICMP unreachable messages for inbound fragmented packets, and
[count num] disallows overriding the Don’t Fragment bit.

You can configure the number of ICMP messages sent when DF is set. The default is 1.
drop Drops inbound fragmented packets.

The df-set option disallows override of the Don’t Fragment bit.

ipv6 Enables fragmentation support for inbound IPv6 packets.

The df-set option disallows override of the Don’t Fragment bit.

Default df-set send-icmp

Mode Configuration mode

cgnv6 nat64 fragmentation outbound

Description Configure fragmentation support for outbound packets.

Syntax [no] cgnv6 nat64 fragmentation outbound

{
drop |
ipv4 |
send-icmpv6
}

Parameter Description
drop Drops outbound fragmented packets.
ipv4 Allows fragmentation of outbound IPv4 packets.
send-icmpv6 Enables sending of ICMPv6 unreachable messages for outbound IPv6 fragmented
packets, and disallows overriding the Don’t Fragment bit.

Default ipv4

Mode Configuration mode

109
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

cgnv6 nat64 icmp

Description Send ICMP Destination Unreachable messages when there are no pro-
tocol ports available for NAT mappings, or when a a user quota is
exceeded.

Syntax [no] cgnv6 nat64 icmp

{send-on-port-unavailable | send-on-user-quota-exceeded}
{host-unreachable | admin-filtered | disable}

Parameter Description
send-on-port-unavailable Sends ICMP Destination Unreachable message when there are no
protocol ports available for NAT mappings.
send-on-user-quota-exceeded Sends ICMP Destination Unreachable message when a a user quota
is exceeded.
host-unreachable Sends code type 3, code 1 for IPv4, and type 1 code 3 for IPv6.
admin-filtered Sends code type 3, code 13, administratively filtered.
disable Disable ICMP Unreachable messages for the specified event.

Default The default for send-on-port-unavailable is disable. The default for

send-on-user-quota-exceeded is admin-filtered.

Mode Configuration mode

cgnv6 nat64 inside

Description Bind a class list to the NAT64 feature.

Syntax [no] cgnv6 nat64 inside source class-list list-name

Default None

Mode Configuration mode

Usage To configure the class list, see “class-list (for NAT64)” on page 103.

cgnv6 nat64 prefix

Description See “cgnv6 nat64 prefix” on page 92.

cgnv6 nat64 tcp mss-clamp

Description Configure TCP maximum segment size (MSS) clamping. MSS clamping
checks the TCP MSS value in IPv4 packets clients and, if necessary,
changes it before sending the NATted request to the server.

110
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

Syntax [no] cgnv6 nat64 tcp mss-clamp {fixed n | none | subtract s [min
n]}

Parameter Description
fixed n Changes the MSS to the length you specify.
none Does not change the MSS value.
subtract s Reduces the MSS if it is longer than the specified number of bytes. This option
[min n] sets the MSS based on the following calculations:

• If MSS minus S is greater than N, subtract S from the MSS.

• If MSS minus S is less than or equal to N, set the MSS to N.

The subtract method of MSS clamping is used by default, with the following
values:

S = 20 bytes
N = 476 bytes

Using these values, the default MSS clamping calculations are as follows:

• If MSS minus 20 is greater than 476, subtract 20 from the MSS.

• If MSS minus 20 is less than or equal to 476, set the MSS to 476.

Default The subtract option is used by default. See above.

Mode Configuration mode

cgnv6 nat64 tcp reset-on-error

Description Send TCP resets to clients in response to invalid TCP packets from the
inside network.

Syntax [no] cgnv6 nat64 tcp reset-on-error outbound disable

Default Enabled

Mode Configuration mode

cgnv6 nat64 user-quota-prefix-length

Description Assign a user quota to all users of a specific NAT64 prefix.

Syntax [no] cgnv6 nat64 user-quota-prefix-length mask-length

Parameter Description
mask-length Prefix length, 1-128.

111
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

Default 128

Mode Configuration mode

Usage You can apply a user quota prefix length on a global level or per LSN
LID basis. The user quota prefix length set for an LSN LID overrides the
global configuration value.

If the user quota prefix length is broader than the subnet to which the
LSN LID is bound, the user quota may not be enforced

For the command show cgnv6 nat64 user-quota-sessions, if a user

quota prefix length is configured, only the prefix quota is displayed. If
the prefix quota is not set, only the user quota session is displayed.

cgnv6 template policy

Description Configure a policy template, to override the configured NAT64 behav-
ior for specific IPv6 addresses or prefixes.

Syntax [no] cgnv6 template policy template-name

This command changes the CLI to the configuration level for the
specified class list, where the following commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to DNS64 / NAT64.

112
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NAT64 Configuration Commands

Command Description
[no] class-list list-name Specifies the class list. The following sub-commands are available:

• client-ip – Set the client IP address. By default, the source IP

address is used.
• client-ip l3-dest - Extract the client’s IP address from the
Layer 7 header, using the destination IP as the client’s IP
address.
• client-ip l7-header [L7-header-name] – Extract the cli-
ent’s IP address from the layer 7 header, using the name of the
Layer 7 header.
• lid num- Configure a LID within the class list. This command
changes the CLI to the configuration level for the LID, where the
following sub-command is available:
• conn-limit configures the connection limit.
• conn-rate-limit specifies the connection rate limit.
• dns64 {disable | prefix ipv6-addr/nn | exclusive-
answer} applies DNS64. This command specifies the override
action for IPv6 addresses that match the class list. The follow-
ing options are available:

disable – Does not perform DNS64 processing on the client’s

DNS request. The client’s request is forwarded to the DNS
server, and the reply is sent to client without modification.

prefix ipv6-addr/nn – Uses a different NAT64 prefix to syn-

thesize IPv6 addresses in the reply to the client. You can use
this option to load balance NAT64 service across multiple
ACOS devices.

exclusive-answer – Drops AAAA replies that contain specific

IPv6 addresses or prefixes. In this case, the ACOS device sends
an A query on behalf of the client, then uses DNS64 to add
synthesized IPv6 addresses in the reply before sending the
reply to the client.

• over-limit-action sets action when exceeds limit.

• request-limit sets the request limit.
• request-rate-limit sets the request rate limit.

Default None

Mode Configuration mode

113
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NAT64 Configuration Commands

ip nat inside
Description Enable IPv4 inside NAT on the interface connected to the IPv4 Inter-
net.

Syntax [no] ip nat inside source {class-list | list | static}

Default Disabled

Mode Interface configuration level

ip nat-global reset-idle-tcp-conn
Description Enable client and server TCP Resets for NATted TCP sessions that
become idle.

Syntax [no] ip nat-global reset-idle-tcp-conn

Default Disabled

Usage Configuration mode

ip frag timeout
Description Configure IP fragmentation parameters.

Syntax {ip | ipv6} frag timeout millisecond

Default 1000

Mode Configuration mode

ip frag max-reassembly-sessions
Description Configure the maximum number of pending reassembly sessions
allowed.

Syntax ip frag max-reassembly-sessions num

Default 100000

Mode Configuration mode

114
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

DNS64 / NAT64 Show Commands

This section describes the show commands for NAT64 / DNS64.

• show cgnv6 dns64 statistics

• show cgnv6 nat64 alg

• show cgnv6 nat64 conversion

• show cgnv6 nat64 full-cone-sessions

• show cgnv6 nat64 inside-user

• show cgnv6 nat64 nat-address

• show cgnv6 nat64 prefixes

• show cgnv6 nat64 statistics

• show cgnv6 nat64 user-quota-sessions

show cgnv6 dns64 statistics

Description Show statistics for DNS64.

Syntax show cgnv6 dns64 statistics

Mode Privileged EXEC and all configuration levels

Usage The following command shows DNS64 statistics:

ACOS# show cgnv6 dns64 statistics
DNS Service Type: dns64
Query Q-Parallel Q-Passive Q-Changed Q-Bad
Response Translated Cache Dropped R-Bad R-Error R-Empty
-----------------------------------------------------------------------------
0 0 0 0 0
0 0 0 0 0 0 0

The following table describes the fields in the command’s output.

115
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

Field Description
Query Number of queries received from clients.
Response Number of responses received from the DNS server.

Note: The ACOS can send multiple queries to the server for a single query from a client.
In this case, the Query counter will increment by only 1 for the client’s request, while the
Response counter will increment by 1 for each response to each individual query sent by
the ACOS device to the DNS server. For example, a single client query can result in an
increment of 1 for Query and an increment of 2 for Response.
Q-Parallel Number of parallel queries sent out by the ACOS device.
Translated Number of A responses translated by DNS64 into AAAA responses.
Q-Passive Number of times DNS64 sent an A query to the DNS server, because the server sent an
empty response or error in response to a AAAA query.
Cache Number of times a AAAA reply was sent from the DNS64 cache.
Q-Changed When the change-query option is enabled in the DNS template, this counter indicates
the number of AAAA queries converted into A queries by DNS64.
Dropped When the passive-query option is disabled in the DNS template, this counter indicates
the number of empty responses or errors received from the DNS server.
Q-Bad Number of bad (malformed) query packets received on the DNS virtual port.
R-Bad Number of bad (malformed) response packets sent to the DNS server.
R-Error Number of DNS server responses with errors.
R-Empty Number of empty responses from the DNS server.

116
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

show cgnv6 nat64 alg

Description Show Application Level Gateway (ALG) information for NAT64.

Syntax show cgnv6 nat64 alg {esp | ftp | h323 | mgcp | pptp | rtsp | sip
| tftp} config

Paramet
er Description
esp Shows whether NAT64 ALG support for Encapsulating Security Payload (ESP) is enabled.
ftp Shows whether NAT64 ALG support for File Transfer Protocol (TFTP) is enabled.
h323 Shows whether NAT64 ALG support for H.323 standard is enabled.
mgcp Shows whether NAT64 ALG support for Media Gateway Control Protocol (MGCP).
pptp Shows whether NAT64 ALG support for Point-to-Point Tunneling Protocol (PPTP) is
enabled.
rtsp Shows whether NAT64 ALG support for Real Time Streaming Protocol (RTSP) is enabled.
sip Shows whether NAT64 ALG support for Session Initiation Protocol (RTSP) is enabled.
tftp Shows whether NAT64 ALG support for Trivial File Transfer Protocol (TFTP) is enabled.

Mode All

Usage The following command shows the NAT64 ALG state for RTSP:
ACOS# show cgnv6 nat64 alg rtsp config
NAT64 RTSP ALG is disabled on TCP port 554

117
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

show cgnv6 nat64 conversion

Description Show the IPv4 version of an IPv6 address or the IPv6 version of an
IPv4 address.

Syntax show cgnv6 nat64 conversion

{ipv4-addr | ipv6-addr}
prefix NAT64-prefix

Parameter Description
ipv4-addr | ipv6-addr Specifies the IP address to convert.

• ipv4-addr – To display the IPv6 version of an IPv4 address, enter the

IPv4 address.
• ipv6-addr – To display the IPv4 version of an IPv6 address, enter the
IPv4 address.
prefix NAT64-prefix Specifies the NAT64 prefix to use for the conversion.

Mode All

Example The following command shows the IPv4 version of IPv6 address
64:ff9b::c0a8:10a, using the well-known NAT64 prefix (64:ff9b::/96):

ACOS# show cgnv6 nat64 conversion 64:ff9b::c0a8:10a prefix 64:ff9b::/96

Prefix: 64:ff9b::/96
IPv6: 64:ff9b::c0a8:10a
IPv4: 192.168.1.10

show cgnv6 nat64 full-cone-sessions

Description Show currently active NAT64 full-cone sessions.

Syntax show cgnv6 nat64 full-cone-sessions

[all-partitions]
[partition pool-name]
[pcp]
[pool pool-name]

Parameter Description
all-partitions Show full-cone sessions for all partitions
partition partition-name Only show sessions from a specific partition.
pcp Displays only the full-cone sessions that were created by a PCP
request.
pool pool-name [shared] Displays only the full-cone sessions that use a public IP address from
the specified NAT pool.

Mode All

The following table describes the fields in this command’s output.

118
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

Field Description
Information for Individual Sessions:
NAT Address Public IPv4 or IPv6 address mapped to the client’s private IPv6
address.
Conns Number of connections currently using the session.
Pool NAT pool from which the public IP address was assigned.
CPU ACOS CPU on which the session resides.
Age Number of seconds the session has been in effect.
Statistics (brief option)
NAT64 TCP Full-cone Session Cre- Number of TCP full-cone sessions created.
ated
NAT64 TCP Full-cone Session Number of TCP full-cone sessions freed.
Freed
NAT64 UDP Full-cone Session Cre- Number of UDP full-cone sessions created.
ated
NAT64 UDP Full-cone Session Number of UDP full-cone sessions freed.
Freed
NAT64 Full-cone Session Creation Number of times an attempt to create a NAT64 full-cone session
Failed failed.

show cgnv6 nat64 inside-user

Description Show session information for a specific NAT64 inside client.

Syntax show cgnv6 nat64 inside-user ipv6addr

Replace ipv6addr with the inside IPv6 address of the user.

Mode All

Example The following command shows session information for NAT64 user
2001:10::100:

ACOS# show cgnv6 nat64 inside-user 2001:10::100

NAT64 User-Quota Sessions:
Inside IPv6 NAT Address ICMP UDP TCP Pool LID Flag
----------------------------------------------------------------------
2001:10::100 172.7.7.30 0 2 2 lsn0 1 U
Total User-Quota Sessions Shown: 1

NAT64 Full Cone Sessions:

Prot Inside IPv6 NAT Address

119
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

Conns Pool CPU Age

--------------------------------------------------------------------------------------
----
UDP [2001:10::100]:26635 172.7.7.30:41995
1 lsn0 1 -
UDP [2001:10::100]:64284 172.7.7.30:48156
1 lsn0 4 -
TCP [2001:10::100]:32063 172.7.7.30:50239
1 lsn0 1 -
TCP [2001:10::100]:32062 172.7.7.30:25662
1 lsn0 2 -
Total Full Cone Sessions: 4

NAT64 Data Sessions:

Prot IP Type IP Address and Port Age Hash
Flags
--------------------------------------------------------------------------------------
----
Tcp Fwd Src [2001:10::100]:32063 0 1 NS
Fwd Dst [64:ff9b::ac07:764]:80
Rev Src 172.7.7.100:80
Rev Dst 172.7.7.30:50239
Udp Fwd Src [2001:10::100]:26635 300 1 NS
Fwd Dst [64:ff9b::ac07:764]:5300
Rev Src 172.7.7.100:5300
Rev Dst 172.7.7.30:41995
Tcp Fwd Src [2001:10::100]:32062 0 2 NS
Fwd Dst [64:ff9b::ac07:764]:80
Rev Src 172.7.7.100:80
Rev Dst 172.7.7.30:25662
Udp Fwd Src [2001:10::100]:64284 300 4 NS
Fwd Dst [64:ff9b::ac07:764]:5300
Rev Src 172.7.7.100:5300
Rev Dst 172.7.7.30:48156

120
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

The following table describes the fields in the command’s output.

Field Description
NAT64 User-Quota Ses- Lists the following user-quota session information for the user:
sions
• Inside IPv6 – IPv6 address of the client
• NAT Address – Client IPv4 NAT address from the LSN pool on the ACOS
device
• ICMP – Number of ICMP sessions from the quota that are in use
• UDP – Number of UDP sessions from the quota that are in use
• TCP – Number of TCP sessions from the quota that are in use
• Pool – LSN NAT pool from which the NAT address for the session was
selected
• LID – Limit ID (LID) in which the user quota is configured
NAT64 Full-Cone Sessions Lists the following information for the user’s full-cone session:

• Prot – Protocol of the session

• Inside IPv6 – IPv6 address and protocol port of the client
• NAT Address – Client IPv4 NAT address from the LSN pool on the ACOS
device
• Conns – Number of connections currently using the session
• Pool – LSN NAT pool from which the NAT address for the session was
selected
• CPU – ACOS CPU on which the session resides
• Age – Number of seconds the session has been in effect
NAT64 Data Sessions Lists the following data session information for the user:

• Prot – Protocol of the session

• IP Type – Role of the IP address in the session:
• Fwd Src – IPv6 address and protocol port of the client
• Fwd Dst – Synthetic IPv6 address and protocol port of the server
• Rev Src – IPv4 address and protocol port of the server
• Rev Dst – Client IPv4 NAT address from the LSN pool on the ACOS
device
• IP Address and Port – IP addresses and protocol ports of the session
• Age – Number of seconds the session has been in effect
• Hash – Hash value for the session
• Flags – This value is used by A10 Technical Support.

121
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

show cgnv6 nat64 nat-address

Description Show NAT64 sessions filtered by NAT address.

Syntax show cgnv6 nat64 nat-address nataddr [nat-port natport]

Parameter Description
nataddr Specifies the NAT IP address.
natport Specifies the NAT port.

Mode All

Example The following command shows NAT64 session information filtered by

NAT address for user 9.9.9.75

ACOS# show cgnv6 nat64 nat-address 9.9.9.75

Prot IP Type IP Address and Port
Age Hash Flags Type
----------------------------------------------------------------
----------------------------------
Udp Fwd Src [3201::172]:34080
240 1 NSe0f0r0 LSN
Fwd Dst [64:ff9b::909:9ad]:3000
Rev Src 9.9.9.173:3000
Rev Dst 9.9.9.75:62980
Udp Fwd Src [3201::172]:34861
240 2 NSe0f0r0 LSN
Fwd Dst [64:ff9b::909:9ad]:3000
Rev Src 9.9.9.173:3000
Rev Dst 9.9.9.75:62990
Udp Fwd Src [3201::172]:35377
240 3 NSe0f0r0 LSN
Fwd Dst [64:ff9b::909:9ad]:3000
Rev Src 9.9.9.173:3000
Rev Dst 9.9.9.75:62985
Total Sessions: 3

Example The following command shows NAT64 session information filtered by

NAT address user 9.9.9.75 and NAT port 62985.

ACOS# show cgnv6 nat64 nat-address 9.9.9.75 nat-port 62985

Prot IP Type IP Address and Port Age Hash Flags Type
----------------------------------------------------------------
---
Udp Fwd Src [3201::172]:35377
240 3 NSe0f0r0 LSN
Fwd Dst [64:ff9b::909:9ad]:3000
Rev Src 9.9.9.173:3000

122
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

Rev Dst 9.9.9.75:62985

Total Sessions: 1

The following table describes the fields in this sample output.

Field Description
Prot Layer 4 protocol of the session.
IP Type The type of IP address:

• Fwd Src - Forward Source

• Fwd Dst - Forward Dest
• Rev Src - Reverse Source
• Rev Dst - Reverse Dest
IP Address and IP address and port number for the corresponding IP Type
Port
Age Number of seconds since the session started.
Hash CPU ID.
Flags Processing path for the traffic:

• NF – Fast-path processing.
• NS – Slow-path processing.
Type Type of NAT traffic.

show cgnv6 nat64 prefixes

Description Show the IPv6 prefixes configured for NAT64.

Syntax show cgnv6 nat64 prefixes

Mode All

show cgnv6 nat64 statistics

Description Show statistics for NAT64.

Syntax show cgnv6 nat64 statistics

Mode All

The following table describes the fields in this command’s output.

123
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

Field Description
Total UDP Ports Freed Total number of UDP ports freed for use by other sessions.
Total ICMP Ports Allocated Total number of ICMP ports allocated for user sessions.
Total ICMP Ports Freed Total number of ICMP ports freed for use by other sessions.
Data Session Created Total number of data sessions created.
Data Session Freed Total number of data sessions freed.
User-Quota Created Number of port mappings created for which the user quota had
available mappings.
User-Quota Freed Number of port mappings that were created for which the user
quota had available mappings, that were later freed.
User-Quota Creation Failed Number of times creation of a port mapping was unsuccessful
because the user quota had no free mappings.
TCP NAT Port Unavailable Number of times a TCP port for an LSN NAT session was unavail-
able.
UDP NAT Port Unavailable Number of times a UDP port for an LSN NAT session was unavail-
able.
ICMP NAT Port Unavailable Number of times an ICMP port for an LSN NAT session was
unavailable.
New User NAT Resource Unavail- Number of times LSN resources (ICMP, TCP, or UDP) were not
able available for a new user.
TCP User-Quota Exceeded Number of times the TCP quota for a user was exceeded.
UDP User-Quota Exceeded Number of times the UDP quota for a user was exceeded.
ICMP User-Quota Exceeded Number of times the ICMP quota for a user was exceeded.
Extended User-Quota Matched Number of times the extended user quota was used to create a
mapping.
Extended User-Quota Exceeded Number of times a NAT port was unavailable to a client because
the client had exceeded the extended user quota.
Data Session User-Quota Number of times a client exceeded their data session quota.
Exceeded
Conn Rate User-Quota Exceeded Number of times connection rate quota for a user was exceeded.
TCP Full-cone Session Created Total number of LSN TCP full-cone sessions created.
TCP Full-cone Session Freed Total number of LSN TCP full-cone sessions freed.
UDP Full-cone Session Created Total number of LSN UDP full-cone sessions created.
UDP Full-cone Session Freed Total number of LSN UDP full-cone sessions freed.
Full-cone Session Creation Failed Number of times creation of a full-cone session failed.
Hairpin Session Created Total number of LSN hairpin sessions created.
Self-Hairpinning Drop Number of hairpin sessions dropped because the source and des-
tination client were the same.
Endpoint- Number of times LSN reused the LSN mapping assigned to a cli-
Independent Mapping Matched ent for subsequent traffic for that client. (This is the benefit pro-
vided by Endpoint independent mapping.)

124
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

Field Description
Endpoint-Independent Number of times traffic from any source to a given mapped client
Filtering Matched was forwarded to the internal client, regardless of the endpoint.
(This is the benefit provided by Endpoint independent filtering.)
Endpoint-Dependent Number of times traffic to a mapped client was dropped because
Filtering Drop endpoint-independent filtering was not enabled, and the traffic
was not from the endpoint mapped to the client.
Endpoint-Independent Number of times the maximum number of Endpoint-Independent
Filtering Inbound Limit Exceeded Filtering (EIF) sessions allowed for a NAT mapping was exceeded.
TCP Port Overloaded Number of times a TCP port on a NAT address was assigned to a
new client while another client was still using the mapping.

Note: This counter and the other Port Overloading counters apply
only if port overloading is configured.
UDP Port Overloaded Number of times a UDP port on a NAT address was assigned to a
new client while another client was still using the mapping.
TCP Port Overloading Session Cre- Number of times a session on an overloaded TCP port was cre-
ated ated.
UDP Port Overloading Session Number of times a session on an overloaded UDP port was cre-
Created ated.
TCP Port Overloading Session Number of times a session created on an overloaded TCP port
Freed was freed.
UDP Port Overloading Session Number of times a session created on an overloaded UDP port
Freed was freed.
NAT Pool Unusable Number of times traffic hit a disabled NAT IP.
HA NAT Pool Unusable Number of times traffic hit a disabled NAT IP in high availability
standby state.
HA NAT Pool Batch Type Mis- Number of times traffic hit a mismatch of NAT pool batch type.
match
No RADIUS Profile Match Number of times traffic did not match the RADIUS profile.
Layer 3 Forwarded Packets Number of packets forwarded at Layer 3 because the IPv6 desti-
nation address did not match the NAT64 prefix.
Source Address Prefix Match Drop Number of times incoming traffic matched the NAT64 prefix, but
was dropped because it matched the drop action in the LSN-LID.
LSN LID Drop Number of times traffic matched the drop action in the LSN LID,
and was dropped.
LSN LID Pass-through Number of times traffic matched the pass-through action in the
LSN LID, and was passed through without being NATted.
No Class-List Match Number of times traffic did not match the LSN class list.

125
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

show cgnv6 nat64 user-quota-sessions

Description Show NAT64 user-quota session information.

Syntax show cgnv6 nat64 user-quota-sessions

[all-partitions]
[partition partition-name]
[pool pool-name]
[prefix ipv6addr/prefix-length]
[top num {all | icmp | tcp | udp}]

Parameter Description
all-partitions Show users in all partitions.
partition partition-name Sow users in a specific partition.
pool pool-name Displays session information only for the specified NAT pool.
prefix ipv6addr/prefix-length Displays session information only for the specified IPv6
address(es).
top num type Limits the display to the sessions with the highest counters for
the specified resource type. You can specify 1-100.

The resource type can be one of the following:

• all – Displays the sessions with the highest counters for all
resource types (ICMP, TCP, and UDP).
• icmp – Displays the sessions with the highest counters for
ICMP.
• tcp – Displays the sessions with the highest counters for
TCP.
• udp – Displays the sessions with the highest counters for
UDP.

Mode All

The following table describes the fields in the command’s output.

Field Description
Information for Individual Sessions:
Inside IPv6 Inside IP address of the client.
Prefix NAT Address Public IP address assigned to the client.
ICMP Number of ICMP sessions from the quota that are in use.
UDP Number of UDP sessions from the quota that are in use.
TCP Number of TCP sessions from the quota that are in use.
Session Pool Name of the pool from which the public address for the session was
selected.
LID Limit ID (LID) in which the user quota is configured.
Statistics (brief option)

126
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DNS64 / NAT64 Show Commands

Field Description
NAT64 User-Quota Created Number of port mappings created for which the user quota had
available mappings.
NAT64 User-Quota Freed Number of port mappings that were created for which the user
quota had available mappings, that were later freed.
NAT64 User-Quota Creation Number of times creation of a port mapping was unsuccessful
Failed because the user quota had no free mappings.
NAT64 TCP User-Quota Number of times the TCP quota for a user was exceeded.
Exceeded
NAT64 UDP User-Quota Number of times the UDP quota for a user was exceeded.
Exceeded
NAT64 ICMP User-Quota Number of times the ICMP quota for a user was exceeded.
Exceeded
NAT64 Extended User-Quota Number of times the extended user quota was used to create a
Matched mapping.
NAT64 Extended User-Quota Number of times a NAT port was unavailable to a client because the
Exceeded client had exceeded the extended user quota.
NAT64 Data Session Number of times a client exceeded their data session quota.
User-Quota Exceeded

127
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DNS64 / NAT64 Show Commands

128
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: DS-LITE

The commands in this chapter configure global settings for Dual-Stack Lite (DS-Lite). DS-Lite
enables the ACOS device to act as an end-point for IPv4 traffic tunneled through an IPv6 link.

• “DS-Lite Configuration Commands” on page 129

• “DS-Lite Show Commands” on page 136

DS-Lite Configuration Commands

This section describes the DS-Lite configuration commands.

• class-list (for DS-Lite)

• cgnv6 ds-lite alg

• cgnv6 ds-lite fragmentation inbound

• cgnv6 ds-lite fragmentation outbound

• cgnv6 ds-lite icmp

• cgnv6 ds-lite inside source class-list

• cgnv6 ds-lite ip-checksum-error

• cgnv6 ds-lite l4-checksum-error

• cgnv6 ds-lite port-reservation

• cgnv6 ds-lite tcp mss-clamp

• cgnv6 ds-lite tcp reset-on-error

• cgnv6 ds-lite user-quota-prefix-length

129
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Configuration Commands

class-list (for DS-Lite)

Description Configure an IP class list for use with Dual-Stack Lite (DS-Lite).

Syntax [no] class-list {list-name | filename file}

Parameter Description
list-name Adds the list to the running-config.
filename file Saves the list to a file.

This command changes the CLI to the configuration level for the
specified class list, where the following commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to DS-Lite.

Command Description
[no] Adds an entry to the class list.
ipv6-addr/prefix-length
lsn-lid num • ipv6-addr/prefix-length – Specifies the range of client IPv6 addresses
on which to match. These are the IPv6 addresses of the customer DS-Lite
routers.
• lsn-lid num – Specifies the LID number.

Default None

Mode Configuration mode

Usage Configure the DS-Lite LIDs before configuring the class-list entries. To
configure an LID for DS-Lite, see “cgnv6 nat icmp always-source-nat-
errors” on page 41.

As an alternative to configuring class entries on the ACOS device, you

can configure the class list using a text editor on another device, then
import the class list onto the ACOS device.

For more information about DS-Lite, see the “Dual-Stack Lite” chapter
in the IPv4-to-IPv6 Transition Solutions Guide.

cgnv6 ds-lite alg

Description Configure Application Level Gateway (ALG) support for DS-Lite.

Syntax [no] cgnv6 ds-lite alg

{ftp | h323 | mgcp | pptp | rtsp | sip | tftp}
{enable | disable}

Specify the protocol for which to disable or enable ALG support:

130
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Configuration Commands

• ftp – File Transfer Protocol

• h323 – H.323 standard is a legacy voice-over-IP (VoIP) protocol.
• mgcp – Media Gateway Control Protocol (MGCP)
• pptp – Point-to-Point Tunnelling Protocol
• rtsp – Real Time Streaming Protocol
• sip – Session Initiation Protocol
• tftp – Trivial File Transfer Protocol

Default ALG support for FTP is enabled by default. ALG support for the other
protocols is disabled by default.

Mode Configuration mode

cgnv6 ds-lite fragmentation inbound

Description Configure fragmentation support for inbound packets.

Syntax [no] cgnv6 ds-lite fragmentation inbound

{
df-set send-icmp |
[df-set] drop |
[df-set] ipv4 |
[df-set] ipv6
}

Parameter Description
df-set send-icmp Enables sending of ICMP unreachable messages for inbound fragmented packets,
and disallows overriding the Don’t Fragment bit.
[df-set] drop Drops inbound fragmented packets.

The df-set option disallows override of the Don’t Fragment bit.

[df-set] ipv4 Enables fragmentation support for inbound IPv4 packets.

The df-set option disallows override of the Don’t Fragment bit.

[df-set] ipv6 Enables fragmentation support for inbound IPv6 packets.

The df-set option disallows override of the Don’t Fragment bit.

Default By default, fragmentation for IPv6 tunnel packets is enabled but frag-
mentation of IPv4 packets within the tunnel is disabled. Override of
the Don’t Fragment bit is enabled.

Mode Configuration mode

131
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Configuration Commands

cgnv6 ds-lite fragmentation outbound

Description Configure fragmentation support for outbound packets.

Syntax [no] cgnv6 ds-lite fragmentation outbound

{
df-set send-icmp |
[df-set] drop |
[df-set] ipv4 |
[df-set] send-icmpv6
}

Parameter Description
df-set Enables sending of ICMP unreachable messages for outbound IPv4 fragmented
send-icmp packets, and disallows overriding the Don’t Fragment bit.
[df-set] drop Drops outbound fragmented packets.

The df-set option disallows override of the Don’t Fragment bit.

[df-set] ipv4 Enables fragmentation support for outbound IPv4 packets.

The df-set option disallows override of the Don’t Fragment bit.

[df-set] Enables sending of ICMPv6 unreachable messages for outbound IPv6 frag-
send-icmpv6 mented packets, and disallows overriding the Don’t Fragment bit.

The df-set option disallows override of the Don’t Fragment bit.

Default By default, fragmentation for IPv6 tunnel packets is enabled but frag-
mentation of IPv4 packets within the tunnel is disabled. Override of
the Don’t Fragment bit is enabled.

Mode Configuration mode

132
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Configuration Commands

cgnv6 ds-lite icmp

Description Send ICMP Destination Unreachable messages when there are no pro-
tocol ports available for NAT mappings, or when a a user quota is
exceeded.

Syntax [no] cgnv6 ds-lite icmp

{send-on-port-unavailable | send-on-user-quota-exceeded}
{host-unreachable | admin-filtered | disable}

Parameter Description
send-on-port-unavailable Sends ICMP Destination Unreachable message when there are no
protocol ports available for NAT mappings.
send-on-user-quota-exceeded Sends ICMP Destination Unreachable message when a a user
quota is exceeded.
host-unreachable Sends code type 3, code 1 for IPv4, and type 1 code 3 for IPv6.
admin-filtered Sends code type 3, code 13, administratively filtered.
disable Disable ICMP Unreachable messages for the specified event.

Default The default for send-on-port-unavailable is disable. The default for

send-on-user-quota-exceeded is admin-filtered.

Mode Configuration mode

cgnv6 ds-lite inside source class-list

Description Bind a class list for use with DS-Lite.

Syntax [no] cgnv6 ds-lite inside source class-list list-name

Replace list-name with the name of the class list.

Default None

Mode Configuration mode

cgnv6 ds-lite ip-checksum-error

Description Configure handling of IP checksum errors in DS-Lite tunneled IP traf-
fic.

Syntax [no] cgnv6 ds-lite ip-checksum-error {fix | drop}

Parameter Description
fix Fixes the checksum and forwards the traffic.
drop Drops the traffic.

133
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Configuration Commands

Default drop

Mode Configuration mode

Usage IP checksum handling applies to IPv4 packets encapsulated within a

DS-Lite tunnel.

This command applies only to IP traffic that is encapsulated inside a

DS-Lite tunnel. The ACOS device always drops other IPv4 traffic that
has an invalid checksum.

cgnv6 ds-lite l4-checksum-error

Description Configure handling of Layer 4 checksum errors in DS-Lite tunneled IP
traffic.

Syntax [no] cgnv6 ds-lite l4-checksum-error {fix | drop | propagate}

Default propagate

Mode Configuration mode

Usage Layer 4 checksum handling applies to TCP, UDP, and ICMP packets
encapsulated within a DS-Lite tunnel.

This command applies only to IP traffic that is encapsulated inside a

DS-Lite tunnel. The ACOS device always drops other IPv4 traffic that
has an invalid checksum.

cgnv6 ds-lite port-reservation

Description Configure static mappings for a range of protocol ports for an IPv4
address

Syntax [no] cgnv6 ds-lite port-reservation inside

ipv6-tunnel-source ipv6-tunnel-destination
ipv4-inside-addr inside-start-port inside-end-port
nat nat-ipaddr nat-start-portnum nat-end-portnum

Parameter Description
ipv6-tunnel-source Inside client’s tunnel source IPv6 address.
ipv6-tunnel-destination Inside client’s tunnel destination IPv6 address.
ipv4-inside-addr Client IPv4 address.
inside-start-portnum Beginning Layer 4 protocol port number in the port range to be
mapped.
inside-end-port Ending Layer 4 protocol port number in the port range to be mapped.

134
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Configuration Commands

Parameter Description
nat nat-ipaddr Public IPv4 address to map to the client IPv4 address.
nat-start-portnum Beginning Layer 4 protocol port number to map to the inside port
range.
nat-end-portnum Ending Layer 4 protocol port number to map to the inside port range.

Default None

Mode Configuration mode

cgnv6 ds-lite tcp mss-clamp

Syntax [no] cgnv6 ds-lite tcp mss-clamp

{fixed n | none | subtract s [min n]}

Parameter Description
fixed n Changes the MSS to the length you specify.
none Does not change the MSS value.
subtract s Reduces the MSS if it is longer than the specified number of bytes. This option sets the
[min n] MSS based on the following calculations:

• If MSS minus S is greater than N, subtract S from the MSS.

• If MSS minus S is less than or equal to N, set the MSS to N.

The subtract method of MSS clamping is used by default, with the following values:

S = 40 bytes
N = 416 bytes

Using these values, the default MSS clamping calculations are as follows:

• If MSS minus 40 is greater than 416, subtract 40 from the MSS.

• If MSS minus 40 is less than or equal to 416, set the MSS to 416.

Default The subtract option is used by default. See above.

Mode Configuration mode

135
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

cgnv6 ds-lite tcp reset-on-error

Description Send TCP resets to DS-Lite clients in response to invalid TCP packets
from the inside network.

Syntax [no] cgnv6 ds-lite tcp reset-on-error outbound disable

Default Enabled

Mode Configuration mode

cgnv6 ds-lite user-quota-prefix-length

Description Assign a user quota to all users of a specific DS-Lite prefix.

Syntax [no] cgnv6 ds-lite user-quota-prefix-length num

Default 128

Mode Configuration mode

Usage You can apply a user quota prefix length on a global level or per LSN
LID basis. The user quota prefix length set for an LSN LID overrides the
global configuration value.

If the user quota prefix length is broader than the subnet to which the
LSN LID is bound, the user quota may not be enforced. For the
command show cgnv6 ds-lite user-quota-sessions, if a user quota
prefix length is configured, only the prefix quota is displayed. If the
prefix quota is not set, only the user quota session is displayed.

DS-Lite Show Commands

This section describes the show commands for DS-Lite.

• show cgnv6 ds-lite alg

• show cgnv6 ds-lite full-cone-sessions

• show cgnv6 ds-lite inside-user

• show cgnv6 ds-lite nat-address

• show cgnv6 ds-lite port-reservations

• show cgnv6 ds-lite statistics

• show cgnv6 ds-lite user-quota-sessions

136
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Show Commands

show cgnv6 ds-lite alg

Description Show the current Application Level Gateway (ALG) configuration for
DS-Lite.

Syntax show cgnv6 ds-lite alg {ftp | h323 | mgcp | pptp | rtsp | sip |
tftp} config

Mode All

show cgnv6 ds-lite full-cone-sessions

Description Shows currently active full-cone sessions.

Syntax show cgnv6 ds-lite full-cone-sessions [pcp | pool pool-name]

The pool-name option displays sessions only for the specified pool. If
you omit this option, sessions for all pools are shown.
The pcp options only displays full-cone sessions created by PCP
requests.

Mode All

The following table describes the fields in this command’s output.

Field Description
Information for Individual Sessions:
Protocol Layer 4 protocol of the session.
Inside IPv6 Client DS-Lite router’s IPv6 address.
Inside Address Client’s IPv4 address.
NAT Address Global IPv4 address assigned to the client by the ACOS device
for communicating with the IPv4 server.
Inbound Number of inbound connections.
Outbound Number of outbound connections.
Pool IP address pool from which the NAT address was assigned.
CPU ACOS CPU on which the session resides.
Age Number of seconds the session has been in effect.
Flags Value used by A10 Technical Support.
Statistics (brief option)
DS-Lite TCP Full-cone Session Cre- Number of TCP full-cone sessions created.
ated
DS-Lite TCP Full-cone Session Number of TCP full-cone sessions freed.
Freed

137
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

Field Description
DS-Lite UDP Full-cone Session Number of UDP full-cone sessions created.
Created
DS-Lite UDP Full-cone Session Number of UDP full-cone sessions freed.
Freed
DS-Lite Full-cone Number of times an attempt to create a DS-Lite full-cone ses-
Session Creation Failed sion failed.

show cgnv6 ds-lite inside-user

Description Show session information for a specific DS-Lite inside client.

Syntax show cgnv6 ds-lite inside-user ipv6addr

Replace ipv6addr with the inside IPv6 address of the user.

Mode All

Example The following command shows session information for DS-Lite user
2001:10::100:

ACOS# show cgnv6 ds-lite inside-user 2001:10::100

DS-Lite User-Quota Sessions:
Inside IPv6 NAT Address ICMP UDP TCP Pool LID Flag
-------------------------------------------------------------------------
2001:10::100 172.7.7.30 0 2 2 lsn0 1 U
Total User-Quota Sessions Shown: 1

DS-Lite Full Cone Sessions:

Prot Inside IPv6 Inside Address NAT Address Conns
Pool CPU Age
----------------------------------------------------------------------------------------------------
-------------------------------------
TCP 2001:10::100 10.10.10.100:26504 172.7.7.30:27656 0
lsn0 2 120
UDP 2001:10::100 10.10.10.100:48968 172.7.7.30:52232 1
lsn0 4 -
UDP 2001:10::100 10.10.10.100:51775 172.7.7.30:29759 1
lsn0 4 -
TCP 2001:10::100 10.10.10.100:26505 172.7.7.30:35849 1
lsn0 1 -
Total Full Cone Sessions: 4

DS-Lite Data Sessions:

Prot IP Type IP Address and Port Age Hash Flags
----------------------------------------------------------------------------------------------
Tcp Fwd Src [2001:10::100]10.10.10.100:26505 0 1 NS
Fwd Dst [2001:10::1]172.7.7.100:80
Rev Src 172.7.7.100:80
Rev Dst 172.7.7.30:35849

138
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Show Commands

Udp Fwd Src [2001:10::100]10.10.10.100:51775 300 4 NS

Fwd Dst [2001:10::1]172.7.7.100:5300
Rev Src 172.7.7.100:5300
Rev Dst 172.7.7.30:29759
Udp Fwd Src [2001:10::100]10.10.10.100:48968 300 4 NS
Fwd Dst [2001:10::1]172.7.7.100:5300
Rev Src 172.7.7.100:5300
Rev Dst 172.7.7.30:52232

The following table describes the fields in the command’s output.

Field Description
DS-Lite User-Quota Ses- Lists the following user-quota session information for the user:
sions
• Inside IPv6 – IPv6 address of the remote end of the tunnel
• NAT Address – Client IPv4 NAT address from the LSN pool on the ACOS
device
• ICMP – Number of ICMP sessions from the quota that are in use
• UDP – Number of UDP sessions from the quota that are in use
• TCP – Number of TCP sessions from the quota that are in use
• Pool – LSN NAT pool from which the NAT address for the session was
selected
• LID – Limit ID (LID) in which the user quota is configured

139
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

Field Description
DS-Lite Full-Cone Ses- Lists the following information for the user’s full-cone session:
sions
• Prot – Protocol of the session
• Inside IPv6 – IPv6 address of the remote end of the tunnel
• Inside Address – IPv4 address and protocol port of the client
• NAT Address – Client IPv4 NAT address from the LSN pool on the ACOS
device
• Conns – Number of connections currently using the session
• Pool – LSN NAT pool from which the NAT address for the session was
selected
• CPU – ACOS CPU on which the session resides
• Age – Number of seconds the session has been in effect
DS-Lite Data Sessions Lists the following data session information for the user:

• Prot – Protocol of the session

• IP Type – Role of the IP address in the session:
• Fwd Src – IPv6 address of the remote end of the tunnel, and IPv4
address and protocol port of the client
• Fwd Dst – IPv6 address of the tunnel interface on the ACOS device,
and IPv4 address and protocol port of the server
• Rev Src – IPv4 address and protocol port of the server
• Rev Dst – Client IPv4 NAT address from the LSN pool on the ACOS
device
• IP Address and Port – IP addresses and protocol ports of the session
• Age – Number of seconds the session has been in effect
• Hash – Hash value for the session
• Flags – This value is used by A10 Technical Support.

show cgnv6 ds-lite nat-address

Description Show DS-Lite sessions filtered by NAT address.

Syntax show cgnv6 ds-lite nat-address nataddr [nat-port natport]

Parameter Description
nataddr Specifies the NAT IP address.
natport Specifies the NAT port.

Mode All

Example The following command shows DS-Lite session information filtered by

NAT address for user 9.9.9.73.

ACOS# show cgnv6 ds-lite nat-address 9.9.9.73

Prot IP Type IP Address and Port Age Hash Flags Type

140
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Show Commands

--------------------------------------------------------------------------------------------------
Udp Fwd Src [3201::172]121.78.233.82:2468 300 4 NSe0f0r0 LSN
Fwd Dst [3201::200]9.9.9.173:10000
Rev Src 9.9.9.173:10000
Rev Dst 9.9.9.73:62178
Udp Fwd Src [3201::172]166.179.148.63:2469 300 5 NSe0f0r0 LSN
Fwd Dst [3201::200]9.9.9.173:10000
Rev Src 9.9.9.173:10000
Rev Dst 9.9.9.73:62183
Total Sessions: 2

Example The following command shows DS-Lite session information filtered by

NAT address for user 9.9.9.73 and NAT port 62183.

ACOS# show cgnv6 ds-lite nat-address 9.9.9.73 nat-port 62183

Prot IP Type IP Address and Port Age Hash Flags Type
--------------------------------------------------------------------------------------------------
Udp Fwd Src [3201::172]166.179.148.63:2469 180 5 NSe0f0r0 LSN
Fwd Dst [3201::200]9.9.9.173:10000
Rev Src 9.9.9.173:10000
Rev Dst 9.9.9.73:62183
Total Sessions: 1

The following table describes the fields in this command’s output.

Field Description
Prot Layer 4 protocol of the session.
IP Type The type of IP address:

• Fwd Src - Forward Source

• Fwd Dst - Forward Dest
• Rev Src - Reverse Source
• Rev Dst - Reverse Dest
IP Address and IP address and port number for the corresponding IP
Port Type
Age Number of seconds since the session started.
Hash CPU ID.
Flags Processing path for the traffic:

• NF – Fast-path processing.
• NS – Slow-path processing.
Type Type of NAT traffic.

141
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

show cgnv6 ds-lite port-reservations

Description Show Layer 4 port reservations.

Syntax show cgnv6 ds-lite port-reservations

Mode All

The following table describes the fields in this command’s output.

Field Description
Tunnel Src IPv6 Source IPv6 address of the tunnel on which the ACOS device receives the cli-
Address ent traffic.
Tunnel Dst IPv6 Destination IPv6 address of the tunnel on which the ACOS device receives the
Address client traffic.
Inside Address Client IPv4 address.
Inside Start Port Beginning Layer 4 protocol port number in the port range to be mapped.
Inside End Port Ending Layer 4 protocol port number in the port range to to be mapped.
NAT Address Public IPv4 address to map to the client IPv4 address.
NAT Start Port Beginning Layer 4 protocol port number to map to the inside port range.
NAT End Port Ending Layer 4 protocol port number to map to the inside port range.

show cgnv6 ds-lite statistics

Description Show global statistics related to DS-Lite.

Syntax show cgnv6 ds-lite statistics

Mode All

The following table describes the fields in this command’s output.

142
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Show Commands

Field Description
User-Quota Freed Number of port mappings that were created for which the user
quota had available mappings, that were later freed.
User-Quota Creation Failed Number of times creation of a port mapping was unsuccessful
because the user quota had no free mappings.
TCP NAT Port Unavailable Number of times a TCP port for an LSN NAT session was unavail-
able.
UDP NAT Port Unavailable Number of times a UDP port for an LSN NAT session was unavail-
able.
ICMP NAT Port Unavailable Number of times an ICMP port for an LSN NAT session was
unavailable.
New User NAT Resource Unavail- Number of times LSN resources (ICMP, TCP, or UDP) were not
able available for a new user.
TCP User-Quota Exceeded Number of times the TCP quota for a user was exceeded.
UDP User-Quota Exceeded Number of times the UDP quota for a user was exceeded.
ICMP User-Quota Exceeded Number of times the ICMP quota for a user was exceeded.
Extended User-Quota Matched Number of times the extended user quota was used to create a
mapping.
Extended User-Quota Exceeded Number of times a NAT port was unavailable to a client because
the client had exceeded the extended user quota.
Data Session User-Quota Number of times a client exceeded their data session quota.
Exceeded
TCP Full-cone Session Created Total number of LSN TCP full-cone sessions created.
TCP Full-cone Session Freed Total number of LSN TCP full-cone sessions freed.
UDP Full-cone Session Created Total number of LSN UDP full-cone sessions created.
UDP Full-cone Session Freed Total number of LSN UDP full-cone sessions freed.
Full-cone Session Creation Failed Number of times creation of a full-cone session failed.
Hairpin Session Created Total number of LSN hairpin sessions created.
Self-Hairpinning Drop Number of hairpin sessions dropped because the source and des-
tination client were the same.
Endpoint-Independent Mapping Number of times LSN reused the LSN mapping assigned to a client
Matched for subsequent traffic for that client. (This is the benefit provided
by Endpoint independent mapping.)
Endpoint-Independent Number of times traffic from any source to a given mapped client
Filtering Matched was forwarded to the internal client, regardless of the endpoint.
(This is the benefit provided by Endpoint independent filtering.)
Endpoint-Dependent Number of times traffic to a mapped client was dropped because
Filtering Drop endpoint-independent filtering was not enabled, and the traffic
was not from the endpoint mapped to the client.
Endpoint-Independent Number of times the maximum number of Endpoint-Independent
Filtering Inbound Limit Exceeded Filtering (EIF) sessions allowed for a NAT mapping was exceeded.

143
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

Field Description
NAT Pool Mismatch Drop Number of times traffic was dropped because matching traffic for
a current full-cone session or user-quota session uses a different
pool or pool group than the one redirected to by the rule list.
TCP Port Overloaded Number of times a TCP port on a NAT address was assigned to a
new client while another client was still using the mapping.

Note: This counter and the other Port Overloading counters apply
only if port overloading is configured.
UDP Port Overloaded Number of times a UDP port on a NAT address was assigned to a
new client while another client was still using the mapping.
TCP Port Overloading Session Number of times a session on an overloaded TCP port was cre-
Created ated.
UDP Port Overloading Session Number of times a session on an overloaded UDP port was cre-
Created ated.
TCP Port Overloading Session Number of times a session created on an overloaded TCP port was
Freed freed.
UDP Port Overloading Session Number of times
Freed
a session created on an overloaded UDP port was freed.
NAT Pool Unusable Number of times traffic hit a disabled NAT IP.
HA NAT Pool Unusable Number of times traffic hit a disabled NAT IP in high availability
standby state.
HA NAT Pool Batch Type Mis-
match
No RADIUS Profile Match Number of times traffic did not match the RADIUS profile.
Truncated Packet Number of tunneled packets that were truncated because they
were longer than the Maximum Transmission Unit (MTU) on the
ACOS interface where the packet was received.
LSN LID Drop Number of times traffic matched the drop action in the LSN LID,
and was dropped.
LSN LID Number of times traffic matched the pass-through action in the
Pass-through LSN LID, and was passed through without being NATted.
No Class-List Match Number of times traffic did not match the LSN class list.
Permit Class-List Drop Number of packets dropped because they did not match the class
list’s permit list.

144
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DS-Lite Show Commands

show cgnv6 ds-lite user-quota-sessions

Description Show currently active user quota sessions.

Syntax show cgnv6 ds-lite user-quota-sessions

[pool pool-name]
[top num {all | icmp | tcp | udp}]

Parameter Description
pool Shows currently active full-cone sessions only for the specified pool. If you omit this
pool-name option, sessions for all pools are shown.
top num type Limits the display to the sessions with the highest counters for the specified resource
type. You can specify 1-100.

The resource type can be one of the following:

• all – Displays the sessions with the highest counters for all resource types (ICMP,
TCP, and UDP).
• icmp – Displays the sessions with the highest counters for ICMP.
• tcp – Displays the sessions with the highest counters for TCP.
• udp – Displays the sessions with the highest counters for UDP.

Mode All

The following table describes the fields in this command’s output.

Field Description
DS-Lite User-Quota Created Number of port mappings created for which the user quota had
available mappings.
DS-Lite User-Quota Freed Number of port mappings that were created for which the user
quota had available mappings, that were later freed.
DS-Lite User-Quota Creation Number of times creation of a port mapping was unsuccessful
Failed because the user quota had no free mappings.
DS-Lite TCP User-Quota Number of times the TCP quota for a user was exceeded.
Exceeded
DS-Lite UDP User-Quota Number of times the UDP quota for a user was exceeded.
Exceeded
DS-Lite ICMP User-Quota Number of times the ICMP quota for a user was exceeded.
Exceeded
DS-Lite Extended User-Quota Number of times the extended user quota was used to create a
Matched mapping.
DS-Lite Extended User-Quota Number of times a NAT port was unavailable to a client because
Exceeded the client had exceeded the extended user quota.
DS-Lite Data Session User- Number of times a client exceeded their data session quota.
Quota Exceeded
Information for Individual Sessions:

145
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DS-Lite Show Commands

146
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: LIGHTWEIGHT 4OVER6

The commands in this chapter configure global settings for the Lightweight 4over6 version of
Dual-Stack Lite (DS-Lite).

Lightweight 4over6 enables the ACOS device to route traffic between an IPv4 client’s IPv6
Customer Premises Equipment (CPE) and IPv4 servers. The IPv4 client’s CPU performs NAT to
assign a public IPv6 address to the client, then encapsulates the client’s NATted IPv4 traffic in
an IPv6 tunnel that is terminated on the ACOS device.

• “Lightweight 4over6 Configuration Commands” on page 147

• “Lightweight 4over6 Show Commands” on page 155

Lightweight 4over6 Configuration Commands

This section describes the global configuration commands for Lightweight 4over6. Also see
“cgnv6 lw-4o6” on page 148.

• class-list (for lw4o6)

• cgnv6 lw-4o6

• cgnv6 lw-4o6 binding-table

• cgnv6 lw-4o6 binding-table-validate

• cgnv6 lw-4o6 fragmentation inbound

• cgnv6 lw-4o6 fragmentation outbound

• cgnv6 lw-4o6 hairpinning

• cgnv6 lw-4o6 health-check-gateway

• cgnv6 lw-4o6 icmp-inbound

• cgnv6 lw-4o6 inside-src-access-list

• cgnv6 lw-4o6 nat-prefix-list

• cgnv6 lw-4o6 no-forward-match

• cgnv6 lw-4o6 no-reverse-match

• cgnv6 lw-4o6 save-binding-table

147
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Configuration Commands

• cgnv6 lw-4o6 use-binding-table

NOTE: The cgnv6 lw-4o6 command can only be configured on the shared
partition.

class-list (for lw4o6)

Description Configure an IP class list for use with Lightweight 4over6.

Syntax [no] class-list {list-name | filename file}

Parameter Description
list-name Adds the list to the running-config.
filename file Saves the list to a file.

Mode Configuration mode

Example Create a class-list of NAT IPv4 address prefixes to use for route redis-
tribution, and apply the class-list to Lightweight 4over6.

ACOS(config)# class-list lw-4o6-nat-prefixes

ACOS(config-class list)# 15.10.10.171 /32
ACOS(config-class list)# 12.10.10.0 /24

cgnv6 lw-4o6
Description Configures LW-4over6.

Syntax [no] cgnv6 lw-4o6 {binding-table | binding-table-validate | hair-

pinning | health-check-gateway | icmp-inbound | inside-src-
access-list | nat-prefix-list | no-forward-match | no-reverse-
match | save-binding-table | use-binding-table}

See the following sections for each command.

Default Not set

Mode Global configuration mode

148
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Lightweight 4over6 Configuration Commands

cgnv6 lw-4o6 binding-table

Description Configures a Lightweight 4over6 binding table directly on the ACOS
device

Syntax [no] cgnv6 lw-4o6 binding-table table-name

This command changes the CLI to the configuration level for the
specified class list, where the following command is available.

NOTE: This command can only be configured on the shared partition.

Command Description
[no] tunnel-address ipv6- Specifies the IPv6 address of the tunnel endpoint address. This
address command creates an individual binding-table entry and changes
the CLI to the configuration for that entry, where the following
command is available:

• [no] nat-address ipv4-address – Specifies the NAT IPv4

address for the given binding table entry. This command
changes the CLI to the configuration level for the NAT address
within that entry, where the following command is available:
• port num [to num] – Specifies the port range for the NAT
address in the binding table entry.

The tunnel-endpoint-address option is available to config-

ure LW-4o6 IPIP Tunnel Endpoint Address.

Using the “no” form of either the nat-address or tunnel-address

command removes all entries associated with that specific NAT
address or tunnel address respectively.

Default None

Mode Global configuration mode

Usage This command creates a Lightweight 4over6 binding table on the

ACOS device, as well as all related entries for the binding table. To acti-
vate the binding table, see “cgnv6 lw-4o6 use-binding-table” on
page 155.

Example The following commands configure a LW-4o6 binding table “lw”:

ACOS(config)# cgnv6 lw-4o6 binding-table lw

ACOS(config-lw-4o6)# tunnel-address 2007:1:1:1::2007
ACOS(config-lw-4o6-ipv6)# nat-address 70.1.1.77
ACOS(config-lw-4o6-ipv6-nat)# port 1 to 65535 tunnel-endpoint-address 2007:1:1:1::2

149
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Configuration Commands

cgnv6 lw-4o6 binding-table-validate

Description Checks and validates a Lw-4o6 binding-table for errors and log the
error location and type into a file. It also checks an imported binding
table and logs all the error entries into a file. If any error entries are
found, a warning message indicates that errors are present in the vali-
dated binding table.

Syntax cgnv6 lw-4o6 binding-table-validate table-name

Default None

Mode Global configuration mode

cgnv6 lw-4o6 fragmentation inbound

Description Configure fragmentation support for inbound packets.

Syntax [no] cgnv6 lw-4o6 fragmentation inbound

{df-set | drop | ipv4 | ipv6}

Parameter Description
df-set {drop | The df-set option handles the packet when df-bit is set in the IPv4 header.
ipv4 | ipv6 |
send-icmp} The send-icmp option sends an ICMP Type 3 Code 4 (Destination unreachable
- Fragmentation needed and DF set) to the source of the packet. This is the
default option.
drop Drops inbound packets that requires fragmentation.
ipv4 Enables fragmentation for IPv4 packets, of which fragments are then encapsu-
lated in IPv6.
ipv6 Enables fragmentation for IPv4-in-IPv6 packets (after encapsulating IPv4 in
IPv6). This is the default option. Fragmentation occurs on the outer header.

Default By default, for packets set with df-set, the default is send-icmp. For
packets not set with df-set, the default is ipv6.

Mode Configuration mode

150
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Lightweight 4over6 Configuration Commands

cgnv6 lw-4o6 fragmentation outbound

Description Configure fragmentation support for outbound packets.

Syntax [no] cgnv6 lw-4o6 fragmentation outbound

{df-set | drop | ipv4 | send-icmpv6}

Parameter Description
df-set {drop | The df-set option handles the packet when df-bit is set in the inner IPv4
ipv4 | send-icmp header.
| send-icmpv6}
The send-icmp option sends an ICMP Type 3 Code 4 (Destination unreachable
- Fragmentation needed) in the tunnel to the source of the packet. This is the
default option.

The send-icmpv6 option sends an ICMPv6 Type 2 Code 0 (Packet Too Big) to
the tunnel source.
drop Drops outbound packets that requires fragmentation.
ipv4 Enables fragmentation for IPv4 packets, after de-encapsulating the IPv4-in-
IPv6 packet.
send-icmpv6 Enables sending of ICMPv6 Type 2 Code 0 (Packet Too Big) to the tunnel
source.

Default By default, for packets set with df-set, the default is send-icmp. For
packets not set with df-set, the default is ipv4.

Mode Configuration mode

cgnv6 lw-4o6 hairpinning

Description Configure hairpinning for Lightweight 4over6 clients.

Syntax [no] cgnv6 lw-4o6 hairpinning

{
filter-all |
filter-none |
filter-self-ip |
filter-self-ip-port
}

Parameter Description
filter-all Drops all hairpinning traffic.
filter-none Allows hairpinning without any restrictions.

151
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Configuration Commands

Parameter Description
filter-self-ip Drops packets that have the same inside client IP address for both the
source and destination.
filter-self-ip-port Drops packets that have the same inside client IP address and protocol port
number for both the source and destination. This option may be needed if
double NAT is used.

Default filter-none

Mode Configuration mode

NOTE: This command can only be configured on the shared partition.

cgnv6 lw-4o6 health-check-gateway

Description Enforces gateway health monitoring for Lightweight 4over6. If any of
the specified gateways fail a health check, ACOS will drop Lightweight
4over6 traffic and discontinue route redistribution:

Syntax [no] cgnv6 lw-4o6 health-check-gateway ipaddr

Replace ip-addr with the IPv4 or IPv6 address of the gateway.

Example After you enable health monitoring for one or more gateways. ACOS
will periodically check each gateway and drop Lightweight 4over6
traffic if any of the gateways are marked as down.

ACOS(config)# cgnv6 lw-4o6 health-check-gateway 9.9.9.173

ACOS(config)# cgnv6 lw-4o6 health-check-gateway 3201::172

NOTE: This command can only be configured on the shared partition.

cgnv6 lw-4o6 icmp-inbound

Description Configure handling of inbound IPv4 ICMP traffic for Lightweight
4over6 traffic. This applies to IPv4 traffic from the Internet fro ses-
sions using Lightweight 4over6 bindings.

Syntax [no] cgnv6 lw-4o6 icmp-inbound {drop | handle}

Parameter Description
drop Drops inbound ICMP traffic.
handle Handles inbound ICMP traffic.

Default handle

152
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Lightweight 4over6 Configuration Commands

Mode Configuration mode

NOTE: This command can only be configured on the shared partition.

Usage The feature applies only to inbound IPv4 traffic that is received on the
Lightweight 4over6 inside NAT interface. (See “cgnv6 lw-4o6” on
page 148.)

cgnv6 lw-4o6 inside-src-access-list

Description Configure the Access List for Lightweight 4over6 inside clients.

Syntax [no] cgnv6 lw-4o6 inside-src-access-list acl-num

Default None

Mode Configuration mode

Usage The feature applies an ACL to Lightweight 4over6 traffic.

NOTE: The acl-num option specifies the ACL number for the ACL to be
applied to Lightweight 4over6 traffic.

cgnv6 lw-4o6 nat-prefix-list

Description Apply a class list to Lightweight 4over6 as the NAT Prefix List:

Syntax [no] cgnv6 lw-4o6 nat-prefix-list class-list-name

Example The following example applies a class-list named “v-4o6” as the NAT
Prefix List for Lightweight 4over6.

ACOS(config)# cgnv6 lw-4o6 nat-prefix-list v-4o6

NOTE: This command can only be configured on the shared partition.

cgnv6 lw-4o6 no-forward-match

Description Enable ICMPv6 Destination Unreachable messages (type 1, code 5)
from the ACOS device to the client CPE.

Syntax [no] cgnv6 lw-4o6 no-forward-match send-icmpv6

Default Disabled

Mode Configuration mode

153
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Configuration Commands

NOTE: This command can only be configured on the shared partition.

Usage The feature applies only to outbound traffic on the Lightweight 4over6
outside NAT interface. (See “cgnv6 lw-4o6” on page 148.)

When this feature is enabled, the behavior is as follows:

• IPv6 tunnel address does not match any binding table entries
• Source IPv4 address matches a binding table entry, but the proto-
col port number does not match that entry
• Source IPv4 address and protocol port number match a binding
table entry, but do not match the IPv6 tunnel address of that
entry

cgnv6 lw-4o6 no-reverse-match

Description Enable ICMP Destination Unreachable messages (type 3, code 1) from
the ACOS device to IPv4 servers.

Syntax [no] cgnv6 lw-4o6 no-reverse-match send-icmp

Default Disabled

Mode Configuration mode

NOTE: This command can only be configured on the shared partition.

Usage The feature applies only to inbound IPv4 traffic that is received on the
Lightweight 4over6 inside NAT interface. (See “cgnv6 lw-4o6” on
page 148.)

When this feature is enabled, the behavior is as follows:

• If an inbound IPv4 packet’s destination IPv4 address matches a

binding-table entry but not the entry’s protocol port(s), the ACOS
device sends an ICMP message to the IPv4 packet’s sender.
• If there is no binding-table match and the packet is not otherwise
filtered out (for example, by an ACL on the inbound interface), the
packet is forwarded at Layer 3.

cgnv6 lw-4o6 save-binding-table

Description Saves the LW-4over6 binding table

Syntax cgnv6 lw-4o6 save-binding-table

NOTE: This command can only be configured on the shared partition.

154
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Lightweight 4over6 Show Commands

Mode Configuration mode

cgnv6 lw-4o6 use-binding-table

Description Activate a Lightweight 4over6 binding table.

Syntax [no] cgnv6 lw-4o6 use-binding-table name

Replace name with the name of the binding table.

Default Disabled

Mode Configuration mode

NOTE: This command can only be configured on the shared partition.

Example Apply the Binding Table to Lightweight 4over6:

ACOS(config)# cgnv6 lw-4o6 use-binding-table bt1

Lightweight 4over6 Show Commands

This section describes the show commands for Lightweight 4over6.

• show cgnv6 lw-4o6 binding-table

• show cgnv6 lw-4o6 binding-table-validation-log files

• show cgnv6 lw-4o6 statistics

show cgnv6 lw-4o6 binding-table

Description Show binding-table information for Lightweight 4over6.

Syntax show cgnv6 lw-4o6 binding-table

[entries | files | statistics | tunnel-address ipv6addr [statis-
tics]]

Parameter Description
entries Lists binding table entries in the order that they are added either
manually or from a file.
files Lists the Lightweight 4over6 binding tables on the ACOS device, and
their status.

155
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Show Commands

Parameter Description
statistics Displays binding-table statistics.
tunnel-address ipv6addr Displays information for the specified Lightweight 4over6 tunnel
[statistics] address. If you use the statistics option, statistics are listed.

Mode All

show cgnv6 lw-4o6 binding-table-validation-log files

Description Show the validation log files resulting from the lw-4o6 binding-table-
validate command. The maximum number of log files that can be
present at any time is 100.

Syntax show cgnv6 lw-4o6 binding-table-validation-log files

Mode All

Using the CLI

• To view all the binding table log files, enter the following command:

ACOS(config)# show cgnv6 lw-4o6 binding-table-validation-log files

It can also be used with the standard output modifiers:

ACOS# show cgnv6 lw-4o6 binding-table-validation-log files | ?

begin Begin with the line that matches
include Include lines that match
exclude Exclude lines that match
section Filter a section of output

• To delete a binding table log file, enter the following command:

ACOS(config)# delete cgnv6 lw-4o6-binding-table-validation-log <file-name>

• To export a binding table log file, enter the following command:

ACOS(config)# export lw-4o6-binding-table-validation-log <file-name>

show cgnv6 lw-4o6 statistics

Description Show statistics for Lightweight 4over6.

Syntax show cgnv6 lw-4o6 statistics

Mode All

The following table describes the fields in this command’s output.

156
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Lightweight 4over6 Show Commands

Field Description
Total Entries Configured Total number of entries in the currently active binding table.
Self-Hairpinning Drops Number of packets dropped because both the source and destination
address information matched.

• Both the source and destination IP addresses are the same, and
match the IPv4 NAT address of any binding-table entry. For example:
source IP address 10.10.10.100:x to destination IP address
10.10.10.100:y.
• Both the source and destination IP addresses are the same and
match a binding-table entry, and the packet’s source and destination
protocol ports also match the protocol port(s) of the same bridging-
table entry. For example: source IP address 10.10.10.100:x to destina-
tion IP address 10.10.10.100:x.

Note: Packets dropped for these reasons also are counted in the All
Hairpinning Drops field (below).
All Hairpinning Drops Number of packets dropped because both the source and destination
IPv4 addresses matched entries in the binding table.

This counter is incremented in any of the following cases:

• The source IP address matches the IPv4 NAT address of any binding-
table entry.
• The destination IP address matches the IPv4 NAT address of any
binding-table entry.
• Any self-hairpinning drops occur. (See above.)
No-Forward-Match ICMPv6 Number of times an ICMPv6 Destination Unreachable message was
Sent sent to a client CPE, because traffic from the client partially matched a
binding-table entry but did not completely match any of the entries.

For example, this counter is incremented if the ACOS device receives a

packet whose IPv6 tunnel address does not match any binding-table
entries.

Note: This counter is incremented only if the feature is enabled. See

“cgnv6 lw-4o6 no-forward-match” on page 153.
No-Reverse-Match ICMP Number of times an IPv4 ICMP Destination Unreachable message was
Sent sent to an IPv4 server, because traffic from the server partially matched
a binding-table entry but did not completely match any of the entries.

Note: This counter is incremented only if the feature is enabled. See

“cgnv6 lw-4o6 no-reverse-match” on page 154.
Inbound ICMP Drops Number of inbound IPv4 ICMP packets that were dropped.

Note: This counter is incremented only if the feature is enabled. See

“cgnv6 lw-4o6 icmp-inbound” on page 152.

157
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Lightweight 4over6 Show Commands

Field Description
Forward Route Lookup Failed Number of times client-to-server traffic was dropped because no route
was available for forwarding it to the destination server.
Reverse Route Lookup Failed Number of times server-to-client traffic was dropped because no route
was available for forwarding it to the destination Lightweight 4over6
client.
LW-4over6 Interfaces not Number of packets dropped due to LW-4over6 interfaces not being
Configured Drops configured.
No Forward Binding Table Number of packets dropped because no matching forward binding
Entry Match Drops table entry was available.
No Reverse Binding Table Number of packets dropped because no matching reverse binding table
Entry Match Drops entry was available.

158
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

COMMAND LINE INTERFACE REFERENCE FOR CGN

CONFIG COMMANDS: MAP

The commands in this chapter configure the Mapping of Address and Port (MAP) technology.

MAP Configuration Commands

• cgnv6 map encapsulation domain

• cgnv6 map encapsulation fragmentation inbound

• cgnv6 map encapsulation fragmentation outbound

• cgnv6 map translation domain

• cgnv6 map translation fragmentation inbound

• cgnv6 map translation fragmentation inbound df-set

• cgnv6 map translation fragmentation outbound

• map inside

• map outside

159
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
MAP Configuration Commands

cgnv6 map encapsulation domain

Description This command is used to enter the configuration level for a MAP-E
domain on the ACOS device, whenever ACOS is used as a Border Relay
in a MAP-E network.

Syntax [no] cgnv6 map encapsulation domain domain-name

{basic-mapping-rule | description | format |
health-check-gateway | tunnel-endpoint-address}

Parameter Description
basic-mapping-rule Configure the IPv6 address or prefix, and allows
{prefix-rule rule-name | for MAP-E CPE to configure an IPv4 address
rule-ipv4-address-port-settings} based on the IPv6 prefix.

prefix-rule – Configure the IPv6 and IPv4 prefix

rule.

For each prefix rule, there is the option to config-

ure its own rule-ipv4-address-port-settings.
If no such option is configured under the prefix
rule, then the domain level rule-ipv4-address-
port-settings is applied.

rule-ipv4-address-port-settings:

prefix-addr – Each CE is assigned an IPv4 pre-

fix.

single-addr – Each CE is assigned an IPv4

address.

shared-addr – Each CE is assigned a shared IPv4

address.
description domain-name Create a description for the MAP-T domain
format {draft-03} Configure the draft format for packet construc-
tion. By default, the packet is constructed/vali-
dated based on RFC format. This option changes
the format to draft-03 format.

160
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
MAP Configuration Commands

Parameter Description
health-check-gateway {ipv4-addr | ipv6-addr | Configure a Health-check gateway for route with-
withdraw-route} drawn.

withdraw-route:

all-link-failure – Withdraw routes on health-

check failure of all IPv4 gateways or all IPv6 gate-
ways

any-link-failure – Withdraw routes on health-

check failure of any gateway (default)
tunnel-endpoint-address {ipv6-addr} Configure the tunnel-endpoint-address as the
destination address for traffic from the CPE. A
single TEP can be used by multiple MAP domains.

Mode Global configuration mode.

This command can be used to create a new MAP-E domain on the ACOS device, or it can be
used to enter the configuration level of an existing MAP-E domain in order to make changes to
the domain configuration.

cgnv6 map encapsulation fragmentation inbound

Description Configure fragmentation support for inbound packets sent to the CPE.

Syntax [no] cgnv6 map encapsulation fragmentation inbound

{df-set | drop | ipv4 | ipv6}

Parameter Description
df-set {drop | The df-set option handles packet when df-bit is set in the IPv4 header.
ipv4 | ipv6 |
send-icmp} The send-icmp option sends an ICMP Type 3 Code 4 (Destination
unreachable - Fragmentation needed and DF set) to the source of the
packet. This is the default option.
drop Drops inbound packets that requires fragmentation.
ipv4 Fragments the encapsulated IPv4 packet when sent to the CPE.
ipv6 Fragments the IPv6 tunnel packet when sent to the CPE. This is the default
option. Fragmentation occurs on the outer header.

Default For packets set with df-set, the default is send-icmp. In other words,
ICMP Type 3 Code 4 (Fragmentation Needed and DF Set) is sent. For
packets not set with df-set, the default is ipv6.

Mode Configuration mode

161
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
MAP Configuration Commands

cgnv6 map encapsulation fragmentation outbound

Description Configure fragmentation support for outbound packets sent to the
server.

Syntax [no] cgnv6 map encapsulation fragmentation outbound

{df-set | drop | ipv4 | send-icmpv6}

Parameter Description
df-set {drop | The df-set option handles the packet when df-bit is set in the inner IPv4
ipv4 | send-icmp header.
| send-icmpv6}
The send-icmp option sends an ICMP Type 3 Code 4 (Destination unreachable -
Fragmentation needed) in the tunnel to the tunnel source if the outbound
packet is to be fragmented. This is the default option.

The send-icmpv6 option sends an ICMPv6 Type 2 Code 0 (Packet Too Big) to
the tunnel source if the outbound packet is to be fragmented to be sent to the
server.
drop Drops outbound packets that requires fragmentation.
ipv4 Fragments the encapsulated IPv4 packet when sent to the server.
send-icmpv6 Enables sending of ICMPv6 Type 2 Code 0 (Packet Too Big) to the tunnel source
if the outbound packets is to be fragmented when sent to the server.

Default For packets set with df-set, the default is send-icmp. In other words,
ICMP Type 3 Code 4 (Fragmentation Needed and DF Set) is sent. For
packets not set with df-set, the default is ipv4.

Mode Configuration mode

162
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
MAP Configuration Commands

cgnv6 map translation domain

Description This command is used to enter the configuration level for a MAP-T
domain on the ACOS device, whenever ACOS is used as a Border Relay
in a MAP-T network.

Syntax [no] cgnv6 map translation domain domain-name

{basic-mapping-rule | default-mapping-rule | description |
health-check-gateway | mtu | tcp mss-clamp}

Parameter Description
basic-mapping-rule Configure the IPv6 address or prefix, and allows for
{prefix-rule rule-name | MAP-T CPE to configure an IPv4 address based on
rule-ipv4-address-port-settings} the IPv6 prefix.

• prefix-rule – Configure the IPv6 and IPv4 pre-

fix rule.
• rule-ipv4-address-port-settings:
• prefix-addr – Each CE is assigned an IPv4
prefix.
• single-addr – Each CE is assigned an IPv4
address.
• shared-addr – Each CE is assigned a shared
IPv4 address.
default-mapping-rule {rule-ipv6-prefix Configure the default mapping rule (DMR) to map
ipv6-prefix} IPv4 addresses to IPv6 addresses beyond the MAP-
T domain.
description domain-name Create a description for the MAP-T domain
health-check-gateway {ipv4-addr | ipv6- Configure a Health-check gateway for route with-
addr | withdraw-route} drawn.

• withdraw-route:
• all-link-failure – Withdraw routes on
health-check failure of all IPv4 gateways or all
IPv6 gateways
• any-link-failure – Withdraw routes on
health-check failure of any gateway (default)

163
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
MAP Configuration Commands

Parameter Description
mtu num Configure domain MTU value per domain to con-
figure the maximum size of each packet being
transmitted as determined by Transmission
Control Protocol (TCP).
tcp mss-clamp {fixed | none | subtract} Configure MSS to set the maximum size of a TCP
segment that can be processed in a single, un-
fragmented piece.

• fixed – ACOS changes the MSS to the length

you specify. A fixed MSS value must be less than
or equal to the domain MTU.
• none – ACOS does not change the MSS value.
• subtract – ACOS reduces the MSS if it is longer
than the specified number of bytes. This option
sets the MSS based on the following calculations:

Mode Global configuration mode.

Usage This command can be used to create a new MAP-T domain on the
ACOS device, or it can be used to enter the configuration level of an

164
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
MAP Configuration Commands

existing MAP-T domain in order to make changes to the domain con-

figuration.

cgnv6 map translation fragmentation inbound

Description Configures the action to be taken when inbound IPv4 packets are too
large.

Syntax [no] cgnv6 map translation fragmentation inbound {drop | ipv6}

Paramete
r Description
df-set MAP-T behavior if Don’t Fragment (DF) is set for oversize packets. By default, it is set to
send-icmp.
drop Silently drop the oversized packets. No warning or error message is sent.
ipv6 Use IPv6 fragmentation for oversized packets.

Default The default behavior is to fragment oversized packets.

Mode Global configuration mode.

Usage This command is used to configure what action should be taken when
an oversized, inbound IPv4 packet is received. The default behavior is
to fragment all packets.

cgnv6 map translation fragmentation inbound df-set

Description Configures the action to be taken when an inbound IPv4 packet is too
large and the DF flag is set.

Syntax [no] cgnv6 map translation fragmentation inbound df-set

{drop | ipv6 | send-icmp}

Paramete
r Description
drop Silently drop the oversized packets. No warning or error message is sent.
ipv6 Use IPv6 fragmentation for oversized packets, ignoring the DF flag.
send-icmp Send an ICMP error message saying that the packet is too large and needs to be frag-
mented, but the DF flag is set.

Default The default behavior is to send an ICMP error message when oversized
IPv4 packets with the DF-bit set are received.

Mode Global configuration mode.

Usage This command is used to configure what action should be taken when

165
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
MAP Configuration Commands

an oversized, inbound IPv4 packet is received and the DF flag is set.

cgnv6 map translation fragmentation outbound

Description Configures the action to be taken when an outbound IPv6 packet is
too large.

Syntax [no] cgnv6 map translation fragmentation outbound

{drop | ipv4 | send-icmpv6}

Parameter Description
drop Silently drop the oversized packets. No warning or error message
is sent.
ipv4 Use IPv4 fragmentation for oversized packets.
send-icmpv6 Send an ICMP error message saying that the packet is too large.

Default The default behavior is to fragment oversized packets.

Mode Global configuration mode.

Usage This command is used to configure what action should be taken when
an oversized, outbound IPv6 packet is received.

map inside
Description This command enables MAP on the inside interface connected to the
CEs and the private IPv6 network.
Syntax [no] map inside

Default Disabled.

Mode Interface configuration mode.

map outside
Description This command enables MAP on the outside interface connected to the
public IPv4 network.

Syntax [no] map outside

Default Disabled.

Mode Interface configuration mode.

166
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
MAP Show Commands

MAP Show Commands

• show cgnv6 map encapsulation statistics

• show cgnv6 map encapsulation domain

• show cgnv6 map encapsulation statistics

• show cgnv6 map translation domain

show cgnv6 map encapsulation statistics

Description This command displays MAP-E traffic statistics for all MAP-E domains,
or for a specified MAP-E domain.

Syntax show cgnv6 map encapsulation statistics [domain-name]

show cgnv6 map encapsulation domain

Description This command displays MAP-E domain configuration for all MAP-E
domains, or for a specified MAP-E domain.
Syntax show cgnv6 map encapsulation domain [domain-name]

Default N/A

Mode All

show cgnv6 map translation statistics

Description This command displays MAP-T traffic statistics for all MAP-T domains,
or for a specified MAP-T domain.

Syntax show cgnv6 map translation statistics [domain-name]

The show command output for all MAP-T traffic (no domain specified)
is as follows:
MAP-T Statistics for domain 1:
---------------------------------
Inbound IPv4 Packets Received 0
Inbound IPv4 Fragment Packets Received 0
Inbound IPv4 Destination Address Validation Failed 0
Inbound IPv4 Reverse Route Lookup Failed 0
Inbound IPv6 Destination Address Unreachable 0
Outbound IPv6 Packets Received 0
Outbound IPv6 Fragment Packets Received 0
Outbound IPv6 Source Address Validation Failed 0

167
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
MAP Show Commands

Outbound IPv6 Reverse Route Lookup Failed 0

Outbound IPv4 Destination Address Unreachable 0
Packet Exceeded MTU 0
ICMP Packet Too Big Sent 0
Interfaces not Configured Dropped 0
BMR Prefix Rule Configured 0

Default N/A

Mode All

show cgnv6 map translation domain

Description This command displays MAP-T domain configuration for all MAP-T
domains, or for a specified MAP-T domain.
Syntax show cgnv6 map translation domain [domain-name]

Default N/A

Mode All

168
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

DDOS MITIGATION

This chapter describes the commands for DDoS Mitigation.

• “DDoS Mitigation Configuration Commands” on page 169

• “DDoS Mitigation Show Commands” on page 175

• “DDoS Mitigation Clear Commands” on page 179

DDoS Mitigation Configuration Commands

This section describes the configuration commands for DDoS Mitigation:

• acos-application-only

• cgnv6 ddos-protection

• cgnv6 ddos-protection disable-nat-ip-by-bgp zone

• cgnv6 ddos-protection logging

• cgnv6 ddos-protection max-hw-entries

• cgnv6 ddos-protection packets-per-second

• cgnv6 lsn-lid conn-rate-limit

• ip anomaly-drop

acos-application-only
Description Direct BGP update messages to ACOS applications only.

Syntax [no] acos-application-only

Mode BGP neighbour level

Usage After configuring a neighboring BGP router, route updates from this
neighboring router is treated specially using the acos-application-

169
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Configuration Commands

only command. This configuration must be configured on the ACOS

device to disable or re-enable black-listed NAT IPs.

cgnv6 ddos-protection
Description Enable or disable DDoS Mitigation for CGN.

Syntax [no] cgnv6 ddos-protection {disable | enable}

Default Enabled.

Mode Configuration mode.

Usage DDoS protection for CGN allows for selective filtering to match traffic
based on destination IP addresses and destination IP port. Selective
filtering tracks the number of protocol packets received to these 2-
tuples. An excess of packets is registered as a DDoS attack. ACOS then
logs the IP and IP port match and drops further packets.

cgnv6 ddos-protection disable-nat-ip-by-bgp zone

Description Disable NAT IP based on BGP advertisement from upstream router.
Syntax [no] cgnv6 ddos-protection disable-nat-ip-by-bgp zone name

Mode Configuration mode.

Usage When an IP is black-listed, upon receiving a BGP route update, ACOS

device can disable a specific NAT IP fallen into the configured BGP
DDoS zone.

cgnv6 ddos-protection logging

Description Enable or disable logging statistics for DDoS Mitigation.

Syntax [no] cgnv6 ddos-protection logging {disable | enable}

Default Enabled.

Mode Configuration mode.

Usage When selective filtering identifies 2-tuples that are being flooded and
drop the packets, ACOS can log the number of packets over the
threshold that are dropped.

170
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DDoS Mitigation Configuration Commands

cgnv6 ddos-protection max-hw-entries

Description Configure a limit for Selective Filtering entries in the hardware.

Syntax [no] cgnv6 ddos-protection max-hw-entries number

Mode Configuration mode.

Usage On platforms that support Selective Filtering at the hardware level, a

lower limit for Selective Filtering entries can be configured in the hard-
ware.

cgnv6 ddos-protection packets-per-second

Description Configure the maximum number of packets allowed per protocol for
either an entire IP or any given combination of a destination IP and IP
port.

Syntax [no] cgnv6 ddos-protection packets-per-second

{include-existing-session | ip | other | tcp | udp}
num

Parameter Description
include-existing-session Count traffic associated with an existing session into the packets-per-
second. The default is disabled.
ip | other | tcp | udp Traffic type.

• ip - Configure packets-per-second threshold per IP. The default is

3000000.
• other - Configure packets-per-second threshold for other L4 proto-
cols. The default is 10000.
• tcp - Configure packets-per-second threshold per TCP port. The
default is 3000.
• udp - Configure packets-per-second threshold per UDP port. The
default is 3000.
num Maximum number of packets per second allowed. The maximum con-
figurable limit is 30000000 packets.

Default Selective filtering is enabled by default. The default value is 3000

packets for TCP or UDP protocol, exclusive, or 3000 packets per
source-IP. For all other protocols combined, the default value is 10000
packets.

Mode Configuration mode.

171
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Configuration Commands

tuples. An excess of packets is registered as a DDoS attack, and all

packets above the configured threshold are dropped.

Filtering is performed in two stages:

• Stage 1: If the IP entry is created, a L4 entry will not be created

since all ports of this IP are dropped. Conversely, if the L4 entry is
created, an IP entry will also be created if the packets-per-second
to a single NAT IP exceeds the configured DDoS protection pack-
ets-per-second IP threshold. In this scenario, the processing
moves to Stage 2.
• Stage 2: Processing depends on the Layer 4 protocol:
• TCP/UDP – If the "bad" packets-per-second to a single (NAT
IP:port) pair exceeds the configured threshold, then that pair
gets the selective filtering entry. For example, if UDP packets
that hit a NAT IP on port 5000 exceed the threshold, then only
UDP packets to port 5000 will be blocked. Other UDP packets
to that NAT IP will not be affected.
• Other Layer 4 protocols – If the "bad" packets-per-second to a
single (NAT IP: Layer 4 protocol) pair exceeds the configured
threshold, that pair gets an entry. For example, if GRE (ip proto-
col 47) packets to one NAT IP exceeds the threshold for Other
protocols, then only GRE packets to that NAT IP will be blocked.

172
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DDoS Mitigation Configuration Commands

cgnv6 ddos-protection packets-per-second ip

Description Configure packets-per-second threshold per IP (default 3000000).

Syntax [no] cgnv6 ddos-protection packets-per-second ip threshold action

{log | drop | redistribute-route route-map-name} expiration sec-
onds timer-multiply-max num

Parameter Description
action {log | drop | The following actions are available:
redistribute-route
route-map-name} expira- • log - Log the event only.
tion seconds timer-mul-
• drop - Log, and drop all packets (default).
tiply-max num
• redistribute-route - Log, drop, and notify upstream router to
reroute the packets.

If the configured action is to redirect the NAT IP Black List informa-

tion to an upstream router via BGP, then the route-map-
name specifies the route-map that should be used.

• expiration - specifies (in seconds) how long the NAT IP traffic must
be below the configured packets-per-second threshold before the
NAT IP is removed from the Black List.
• timer-multiply-max - specifies the maximum value of the timer
multiplier for attacks that lasts long. If, during the remove-wait
period, ACOS detects DDoS attack again, the black hole entry is re-
initiated and the black hole timer is extended by multiplying the
number of times the expiration time.
num Maximum number of packets per second allowed. The maximum con-
figurable limit is 30000000 packets.

cgnv6 lsn-lid conn-rate-limit

Description Within an LSN LID, you can enable connection rate limiting. This con-
figures a maximum number of connections a client can attempt to ini-
tiate per second.

Syntax [no] cgnv6 lsn-lid num

Replace num with the LSN LID number, 1-1023.

This command changes the CLI to the configuration level for the
specified LSN LID, where the following commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to LSN DDoS Mitigation.

173
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Configuration Commands

Command Description
[no] conn-rate-limit num The maximum number of connections a client can attempt to initiate
per second. The value can range from 1-65535.

Default The LSN LID has the following default value:

• conn-rate-limit – No limit

Mode CGNv6 LSN LID mode

Example The following commands enable connection rate limiting on an LSN

LID with the ID number 10. The connection rate is limited to 100 con-
nections per second. The LID can then be bound to any CGNv6 class-
list.

ACOS(config)# cgnv6 lsn-lid 10

ACOS(config-lsn-lid)# conn-rate-limit 100

NOTE: The default is to have no connection rate limit except for the max-
imum number of connections allowed, if configured elsewhere.
Any value from 1 to 65535 connections per second are allowed.

ip anomaly-drop
Description Enable filtering for IP packets that exhibit predictable, well-defined
anomalies. You can enable filtering for specific IP anomalies, or you
can enable filtering for the following types of IP anomalies:

Syntax [no] ip anomaly-drop packet-deformity layer-3

[no] ip anomaly-drop packet-deformity layer-4

[no] ip anomaly-drop security-attack layer-3

[no] ip anomaly-drop security-attack layer-4

Syntax [no] ip anomaly-drop

174
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DDoS Mitigation Show Commands

Command Description
bad-content num Drop TCP packets that contain an invalid request. The num option speci-
fies the maximum number of connections allowed per IP before it is con-
sidered a DDoS attack, and the specified mitigation action is taken.
drop-all Drop all packets with IP anomalies.
frag Drop all fragmented packets.
ip-option Drop packets that have IP options
land-attack Drop packets that have the same source and destination address.
out-of-sequence num Specify the threshold of how many out-of-sequence packets the ACOS
device will receive before it drops all out-of-sequence packets. The
threshold can range from 1-127 out-of-sequence packets.
packet-deformity Drop packets with deformities.
{layer-3 | layer-4}
• layer-3 - network layer anomaly.
• layer-4 - transport layer anomaly.
security-attack Drop packets causing security attack.
{layer-3 | layer-4}
• layer-3 - network layer anomaly.
• layer-4 - transport layer anomaly.
ping-of-death Drop oversized ICMP packets.
tcp-no-flag Drop TCP packets that have no flag.
tcp-syn-fin Drop TCP packets that have both SYN and FIN flags set.
tcp-syn-frag Drop fragmented TCP packets that have SYN flag set.
zero-window num Drops packets with TCP window size set to 0. The num option specifies
the maximum number of connections allowed per IP before it is consid-
ered a DDoS attack, and the specified mitigation action is taken.

Default All options are disabled by default.

Example The following commands enable filtering and dropping of each group
of IP anomalies:

ACOS(config)# ip anomaly-drop packet-deformity layer-3

ACOS(config)# ip anomaly-drop packet-deformity layer-4
ACOS(config)# ip anomaly-drop security-attack layer-3
ACOS(config)# ip anomaly-drop security-attack layer-4

DDoS Mitigation Show Commands

This section describes the show commands for DDoS Mitigation.

175
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Show Commands

• show cgnv6 ddos-protection disabled-ip-by-bgp

• show cgnv6 ddos-protection ip-entries

• show cgnv6 ddos-protection l4-entries

• show cgnv6 ddos-protection statistics

• show ip anomaly-drop statistics

show cgnv6 ddos-protection disabled-ip-by-bgp

Description This command displays the list of NAT IPs disabled on BGP advertise-
ment.

Syntax show cgnv6 ddos-protection disabled-ip-by-bgp

Example The following example displays sample output for the show cgnv6
ddos-protection disabled-ip-by-bgp command:

ACOS# show ddos-protection disabled-ip-by-bgp

IP Address NAT Pool Name
==================================
1.1.1.1 2
1.1.1.2 2

show cgnv6 ddos-protection ip-entries

Description This command displays abnormal IP entries from DDoS monitoring and
selective filtering.ip-en

Syntax show cgnv6 ddos-protection ip-entries [all]

Mode All

Example The following example displays sample output for the show cgnv6
ddos-protection ip-entries command:

ACOS(config)# show cgnv6 ddos-protection ip-entries

Address PPS Expiration
----------------------------------------------
15.15.15.15 5000 3600

The following example displays sample output for the show cgnv6
ddos-protection ip-entries all command:
ACOS(config)# show cgnv6 ddos-protection ip-entries all
(*) L4 PPS Threshold Exceeded

176
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DDoS Mitigation Show Commands

(**) L3 PPS Threshold Exceeded

Address PPS Expiration L4-Entries

-----------------------------------------------------------
15.15.15.15 0 - 0

NOTE: If you enter the all parameter, it lists all the NAT IPs and marks an
entry if it is a L4 entry or IP entry.

show cgnv6 ddos-protection l4-entries

Description This command displays abnormal L4 port entries from DDoS monitor-
ing and selective filtering.
Syntax show cgnv6 ddos-protection l4-entries
[address ipaddr | in-hardware | l4-proto protocol-num |
not-in-hardware | port port-num]

Example The following example displays sample output:

ACOS(config)# show cgnv6 ddos-protection l4-enaddretries

Address L4 Port PPS
----------------------------------
1.1.1.1 17 333 5000

Usage The following table describes the fields for the show command output:

Field Description
Address The destination IP address that traffic is matched to.
L4 The Layer 4 protocol type. In the above example, L4 17 indicates UDP traffic.
Port The specific destination IP port that traffic is matched to.
PPS The number of packets that match the IP address and the given port in the last
10 seconds.

show cgnv6 ddos-protection statistics

Description This command displays the logging statistics for CGN DDoS selective
filtering.

Syntax show cgnv6 ddos-protection statistics

Mode All

Example The following is a sample output:

177
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Show Commands

AX5100(config)# show cgnv6 ddos-protection statistics

L3 Entry Added 0
L3 Entry Deleted 0
L3 Entry Added to BGP 0
L3 Entry Removed From BGP 0
L3 Entry Added to HW 0
L3 Entry Removed From HW 0
Too Many L3 entries 0
L3 Entry Match Drop 0
HW L3 Entry Match Drop 0
L4 Entry Added 0
L4 Entry Deleted 0
L4 Entry Added to HW 0
L4 Entry Removed From HW 0
HW out of L4 Entries 0
L4 Entry Match Drop 0
HW L4 Entry Match Drop 0

show ip anomaly-drop statistics

Description Display IP anomaly drop filtering statistics

Syntax show ip anomaly-drop statistics

Mode All

Example The following command displays sample output for IP anomaly drop
statistics:

ACOS(config)# show ip anomaly-drop statistics

IP Anomaly Drop Statistics
--------------------------
Land Attack Drop 0
Empty Fragment Drop 0
Micro Fragment Drop 0
IPv4 Options Drop 0
IP Fragment Drop 0
Bad IP Header Len Drop 0
Bad IP Flags Drop 0
Bad IP TTL Drop 0
No IP Payload drop 0
Oversize IP Payload Drop 0
Bad IP Payload Len Drop 0
Bad IP Fragment Offset Drop 0
Bad IP Checksum Drop 0

178
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
DDoS Mitigation Clear Commands

ICMP Ping of Death Drop 0

TCP Bad Urgent Offset Drop 0
TCP Short Header Drop 0
TCP Bad IP Length Drop 0
TCP Null Flags Drop 0
TCP Null Scan Drop 0
TCP Syn and Fin Drop 0
TCP XMAS Flags Drop 0
TCP XMAS Scan Drop 0
TCP Syn Fragment Drop 0
TCP Fragmented Header Drop 0
TCP Bad Checksum Drop 0
UDP Short Header Drop 0
UDP Bad Length Drop 0
UDP Kerberos Fragment Drop 0
UDP Port Loopback Drop 0
UDP Bad Checksum Drop 0
Runt IP Header Drop 0
Runt TCP/UDP Header Drop 0
IP-over-IP Tunnel Mismatch Drop 0
TCP Option Error Drop 0
IP-over-IP Tunnel Error Drop 0
VXLAN Tunnel Error Drop 0
GRE Tunnel Error Drop 0
GRE PPTP Error Drop 0

NOTE: The counter for an anomaly increments only if filtering and

dropping for that anomaly type is enabled.

DDoS Mitigation Clear Commands

This section describes the clear commands for DDoS Mitigation.

• clear cgnv6 ddos-protection disabled-ip-by-bgp

• clear cgnv6 ddos-protection ip-entries

• clear cgnv6 ddos-protection l4-entries

• clear cgnv6 ddos-protection statistics

179
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
DDoS Mitigation Clear Commands

clear cgnv6 ddos-protection disabled-ip-by-bgp

Description Clear the currently disabled NAT IP on BGP advertisement.

Syntax clear cgnv6 ddos-protection disabled-ip-by-bgp {all | ip-address

ip-addr}

Mode Configuration mode

clear cgnv6 ddos-protection ip-entries

Description Clear DDoS IP entries.

Syntax clear cgnv6 ddos-protection ip-entries {all | ip-address ip-addr

| nat-pool name}

Mode Configuration mode

clear cgnv6 ddos-protection l4-entries

Description Clear DDoS L4 entries.

Syntax clear cgnv6 ddos-protection l4-entries {address ipaddr | all |

l4-proto protocol-num | nat-pool name | port port-num}

Mode Configuration mode

clear cgnv6 ddos-protection statistics

Description Clear DDoS statistics.

Syntax clear cgnv6 ddos-protection statistics

Mode Configuration mode

180
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: STATELESS NAT46

The commands in this chapter configure stateless NAT46. Stateless NAT46 enables IPv4 clients
to reach IPv6 servers, without the need to maintain per-connection information on the ACOS
device.

• “Stateless NAT46 Configuration Commands” on page 181

• “Stateless NAT46 Show Commands” on page 185

Stateless NAT46 Configuration Commands

This section describes the configuration commands for stateless NAT46.

• cgnv6 nat46-stateless fragmentation inbound

• cgnv6 nat46-stateless fragmentation outbound

• cgnv6 nat46-stateless fragmentation outbound df-set

• cgnv6 nat46-stateless partition-prefix

• cgnv6 nat46-stateless prefix

• cgnv6 nat46-stateless static-dest-mapping

181
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Stateless NAT46 Configuration Commands

cgnv6 nat46-stateless fragmentation inbound

Description Change fragmentation support for inbound IPv6-to-IPv4 traffic.

Syntax [no] cgnv6 nat46-stateless fragmentation inbound

{ipv4 | drop | send-icmpv6}

Parameter Description
drop IPv4 fragmentation is not allowed. Oversize packets are dropped. No ICMPv6 error
message is sent.
ipv4 IPv4 fragmentation is allowed.
send-icmpv6 IPv4 fragmentation is not allowed. Oversize packets are dropped, and an ICMPv6 error
message is sent.

Default ipv4

Mode Configuration mode

cgnv6 nat46-stateless fragmentation outbound

Description Change fragmentation support for outbound IPv4-to-IPv6 traffic.

Syntax [no] cgnv6 nat46-stateless fragmentation outbound {df-set | drop

| ipv6}

Paramet
er Description
df-set Stateless NAT46 behavior if Don't Fragment (DF) bit is set for oversize packets. The
default is send-icmp.
drop IPv6 fragmentation is not allowed. Oversize packets are dropped. No ICMP error message
is sent.
ipv6 IPv6 fragmentation is allowed.

Default ipv6

Mode Configuration mode

182
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Stateless NAT46 Configuration Commands

cgnv6 nat46-stateless fragmentation outbound df-set

Description Change fragmentation support for IPv4 packets that have the Don’t
Fragment bit set.

Syntax [no] cgnv6 nat46-stateless fragmentation outbound df-set

{ipv6 | drop | send-icmp}

Parameter Description
ipv6 IPv6 fragmentation is allowed.
drop IPv6 fragmentation is not allowed. Oversize packets are dropped. No ICMP error mes-
sage is sent.
send-icmp IPv6 fragmentation is not allowed. Oversize packets are dropped, and an ICMP error
message is sent.

Default send-icmp

Mode Configuration mode

cgnv6 nat46-stateless partition-prefix

Description Configure NAT46 prefix for L3V inter-partition NAT46 traffic.

Syntax [no] cgnv6 nat46-stateless partition-prefix partition-name ipv6-

prefix [vrid vrid-num]

Default None

Mode Configuration mode

Use this command to define a prefix that handles inter-partition NAT46 traffic going to L3V
partitions. If a VRID is configured for a prefix, then only VRID-active ACOS devices will advertise
this prefix.

183
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Stateless NAT46 Configuration Commands

cgnv6 nat46-stateless prefix

Description Configure a IPv6 prefix for stateless NAT46.

Syntax [no] cgnv6 nat46-stateless prefix ipv6-prefix vrid vrid-num

Replace ipv6-prefix with the 96-bit prefix used as the higher-order

bits of the client’s IPv6 address and the vrid-num with the VRID
configured for this prefix used for route advertisement.

Default None

Mode Configuration mode

Usage Stateless NAT46 translates an IPv4 client’s address into an IPv6

address by combining the stateless NAT46 prefix configured on the
ACOS device with the client’s IPv4 address:
stateless_NAT46_prefix:client_IPv4_address

The stateless NAT46 prefix must be 96 bits long. This leaves 32 bits for
the client’s IPv4 address.

cgnv6 nat46-stateless static-dest-mapping

Description Configure static IPv4-IPv6 mappings for the IPv6 servers.

Syntax [no] cgnv6 nat46-stateless static-dest-mapping ipv4addr ipv6addr

[count num]
[shared | to-shared]
[vrid vrid]

Parameter Description
ipv4addr IPv4 server address to which IPv4 clients will send requests.
ipv6addr Server’s IPv6 address. Specify the lowest address in the range.
count num Specifies how many mappings to create. The IPv4 and IPv6 addresses of each map-
ping are incremented by 1 over the previous mapping.
shared This option is only available at the shared partition to share/expose this mapping with
other partitions. This configuration shares/exposes the v4-address to all partitions.
All traffic sent to this v4-address is initially handled as NAT46 traffic. If NAT46 fails,
the traffic will then be handled as normal traffic.
to-shared This option is only available at L3V partitions to send NAT-ed traffic through the
shared partition. This mapping is used for inter-partition traffic. Any matching IPv4
traffic is translated to IPv6 traffic using the prefix defined in the shared partition (the
partition-prefix configuration) and forward though the shared partition.
vrid vrid Assigns the mappings to a VRRP-A VRID.

Default None

184
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Stateless NAT46 Show Commands

Mode Configuration mode

Usage Depending on the size of the system resources, the following lists the
number of mappings supported:
• If the system memory is smaller than 16GB, then 1024 individ-
ual mappings are supported per partition.
• If the system memory is greater then 16GB, then 8K (8* 1024)
mappings are supported per partition.

Specify only the first mapping in the range, and how many mappings
to create. The ACOS device then automatically creates additional
mappings, up to the quantity specified.
The IPv4 and IPv6 addresses for each additional mapping are
incremented by 1 over the previous mapping. For example, suppose
you specify the following mapping, and a quantity of 10:
• 20.0.0.1 -> 2001::1

The ACOS device creates the following mappings:

• 20.0.0.1 -> 2001::1
• 20.0.0.2 -> 2001::2
• 20.0.0.3 -> 2001::3
• 20.0.0.4 -> 2001::4
• 20.0.0.5 -> 2001::5
• 20.0.0.6 -> 2001::6
• 20.0.0.7 -> 2001::7
• 20.0.0.8 -> 2001::8
• 20.0.0.9 -> 2001::9
• 20.0.0.10 -> 2001::a

Stateless NAT46 Show Commands

This section describes the show commands for stateless NAT46.

• show cgnv6 nat46-stateless statistics

show cgnv6 nat46-stateless statistics

Description Show stateless NAT46 statistics.

Syntax show cgnv6 nat46-stateless statistics

Mode All

Example The following command displays statistics for stateless NAT46:

185
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Stateless NAT46 Show Commands

ACOS(config)# show cgnv6 nat46-stateless statistics

Stateless NAT46 Statistics:
---------------------------
Outbound IPv4 packets received 10
Outbound IPv4 packets dropped 0
Outbound IPv4 fragment packets received 0
Outbound IPv6 destination unreachable 0
Outbound IPv6 packets fragmented 0
Inbound IPv6 packets received 101
Inbound IPv6 packets dropped 0
Inbound IPv6 fragment packets received 0
Inbound IPv4 destination unreachable 0
Inbound IPv4 packets fragmented 0
Packet too big 0
Fragment process error 0
ICMPv6 to ICMP 1
ICMPv6 to ICMP error 0
ICMP to ICMPv6 0
ICMP to ICMPv6 error 0
HA is standby 0
Other errors 0

The following table describes the fields in the command output.

Field Description
Outbound IPv4 packets received Number of client IPv4 packets received by the ACOS device.
Outbound IPv4 packets dropped Number of client IPv4 packets dropped by the ACOS device.
Outbound IPv4 fragment packets Number of IPv4 packet fragments received from clients by
received the ACOS device.
Outbound IPv6 destination unreach- Number of times the IPv6 destination was unreachable.
able
Outbound IPv6 packets fragmented Number of outbound IPv6 packets fragmented.
Inbound IPv6 packets received Number of inbound IPv6 packets received.
Inbound IPv6 packets dropped Number of inbound IPv6 packets dropped.
Inbound IPv6 fragment packets Number of inbound fragmented IPv6 packets received.
received
Inbound IPv4 destination unreachable Number of times the destination for inbound IPv4 traffic was
unreachable.
Inbound IPv4 packets fragmented Number of inbound IPv4 packets fragmented.
Packet too big Number of oversize packets received.
Fragment processing errors Number of fragment processing errors.
ICMPv6 to ICMP Number of ICMPv6-to-ICMP translations.
ICMPv6 to ICMP errors Number of ICMPv6-to-ICMP errors.

186
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Stateless NAT46 Show Commands

Field Description
ICMP to ICMPv6 Number of ICMP-to-ICMPv6 translations.
ICMP to ICMPv6 errors Number of ICMP-to-ICMPv6 errors.
HA is standby Number of times the HA group the stateless NAT46 map-
pings are in was in the Standby state on this ACOS device.
Other errors Number of errors other than those counted above.

187
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Stateless NAT46 Show Commands

188
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: 6RD

The commands in this chapter configure IPv6 rapid deployment (6rd). 6rd enables IPv6 clients
to communicate with IPv6 servers over a service provider’s IPv4 network.

• “6rd Configuration Commands” on page 189

• “6rd Show Commands” on page 192

6rd Configuration Commands

This section describes the 6rd configuration commands.

• cgnv6 sixrd domain

• cgnv6 sixrd fragmentation inbound

• cgnv6 sixrd fragmentation outbound

• cgnv6 sixrd fragmentation outbound df-set

cgnv6 sixrd domain

Description Configure 6rd domain settings.

Syntax [no] cgnv6 sixrd domain domain-name

Replace domain-name with the string to describe the 6rd domain (1-63
characters).

This command changes the CLI to the configuration level for the
specified 6rd domain, where the following commands are available.

NOTE: The other configuration commands at this level are not appli-
cable to 6rd.

189
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
6rd Configuration Commands

Command Description
[no] br-ipv4-address ipv4addr Specifies the 6rd IPv4 address of the ACOS device, and the
ipv6-prefix ipv6addr/prefix-length IPv6 prefix for the 6rd domain.

The IPv4 address must be one of the following:

• An IP interface that is already configured on the ACOS

device, on a data interface or as a floating IP address.
The interface must be connected to the 6rd domain’s cli-
ents.
• A floating-IP interface that is already configured on the
ACOS device. In this case, the High Availability (HA) state
is applicable. Packets are forwarded only on the active
ACOS device in the HA pair.

NOTE: The current release does not support use of an any-

cast address for 6rd.
[no] ce-ipv4-network ipv4addr Specifies the client IPv4 network, and the portion of the cli-
{subnet-mask | /mask-length} ent’s 6rd customer edge (CE) router IPv4 address that is
common to all of the 6rd domain’s clients. For example, if
your deployment uses 10.0.0.0/8 for all CE router IPv4
addresses in the 6rd domain, specify the following:

ce-ipv4-network 10.0.0.0 /8
[no] mtu bytes Specifies the maximum transmission unit (MTU) for the
IPv6 tunnel. You can specify 1280-1480 bytes.

The default MTU is 1480 bytes.

Default There are no 6rd domains configured by default. When you create one,
it has the default settings as described in the table above.

Mode Configuration mode

Example For the ACOS BR address, you can use either an IP address configured
on an ACOS interface or a High Availability (HA) floating-IP address. If
you use an IP address configured on an ACOS interface, the 6rd
domain is not synchronized to the standby ACOS device as part of HA
configuration synchronization.

The br-ipv4-address command does not also configure the IPv4

interface or floating-IP address itself. The command simply indicates
the configured IPv4 address that is connected to 6rd clients.

190
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
6rd Configuration Commands

cgnv6 sixrd fragmentation inbound

Description Configure fragmentation support for oversize inbound IPv6 packets.
These are packets from IPv6 servers to 6rd clients.

Syntax [no] cgnv6 sixrd fragmentation inbound

{drop | ipv4 |ipv6 | send-icmpv6}

Parameter Description
drop Drops oversize packets without sending an ICMPv6 error message back to the server.
Fragmentation is not performed.
ipv4 The IPv6 packet is treated as an IPv4 payload, and the IPv4 packet is then fragmented.
The client’s 6rd CE router defragments the IPv4 packet, extracts the IPv6 payload, and
sends it to the IPv6 client.
ipv6 The IPv6 packet is fragmented first, and the fragments are then placed into separate
IPv4 packets. The IPv4 packets are not fragmented. The fragmented IPv6 packet is
defragmented by the IPv6 client.
send-icmpv6 Drops oversize packets and sends an ICMPv6 error message back to the server. Frag-
mentation is not performed.

Default send-icmpv6

Mode Configuration mode

Usage For packets larger than 1500 bytes, the ipv4 option does not work. In
this case, the ipv6 option is recommended instead.

cgnv6 sixrd fragmentation outbound

Description Configure fragmentation support for oversize outbound IPv6 packets.
These are packets from the ACOS device, forwarded on behalf of 6rd
clients to IPv6 servers.

Syntax [no] cgnv6 sixrd fragmentation outbound

{df-set | drop | ipv6 | send-icmp | send-icmpv6}

NOTE: For information about the df-set option, see “cgnv6 sixrd frag-
mentation outbound df-set” on page 192.

191
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
6rd Show Commands

Parameter Description
df-set 6rd behavior if Don’t Fragment (DF) bit is set for oversize packets. The default is
send-icmp.
drop Drops oversize packets without sending an ICMPv6 error message to the client.
Fragmentation is not performed.
ipv6 Fragments oversize IPv6 packets.
send-icmp Drops oversize packets and sends an IPv4 ICMP error message to the client’s 6rd
CE router. Fragmentation is not performed.
send-icmpv6 Drops oversize packets and sends a tunneled ICMPv6 error message to the client.
Fragmentation is not performed.

Default ipv6

Mode Configuration mode

cgnv6 sixrd fragmentation outbound df-set

Description Configure the ACOS response to oversize outbound IPv6 packets that
have the Don’t Fragment bit set.

Syntax [no] cgnv6 sixrd fragmentation outbound df-set

{drop | ipv6 | send-icmp | send-icmpv6}

Parameter Description
drop Drops oversize packets without sending a tunneled ICMPv6 error message to the client.
ipv6 Fragments oversize IPv6 packets anyway and forwards the fragments.
send-icmp Drops oversize packets and sends an IPv4 ICMP error message to the client’s 6rd CE
router.
send-icmpv6 Drops oversize packets and sends a tunneled ICMPv6 error message to the client.

Default send-icmp

Mode Configuration mode

6rd Show Commands

This section describes the show commands for 6rd.

• show cgnv6 sixrd statistics

192
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
6rd Show Commands

show cgnv6 sixrd statistics

Description Show 6rd statistics.

Syntax show cgnv6 sixrd statistics [domain-name]

Mode All

Example The following command displays statistics for the 6rd domain “6rd1”:

ACOS(config 6rd)# show cgnv6 sixrd statistics 6rd1

6rd Statistics for domain 6rd1:
----------------------------
Outbound TCP packets received 65
Outbound UDP packets received 13
Outbound ICMP packets received 10
Outbound other packets received 0
Outbound packets dropped 0
Outbound IPv6 destination unreachable 1
Outbound Fragmented IPv6 0
Inbound TCP packets received 66
Inbound UDP packets received 12
Inbound ICMP packets received 10
Inbound other packets received 0
Inbound packets dropped 0
Inbound IPv4 destination unreachable 0
Inbound Fragmented IPv4 0
Inbound Fragmented IPv6 in tunnel 0
Unknown 6rd delegated prefix 0
Packet too big 0
Not local IP 0
Fragment processing errors 0
Other errors 0

The following table describes the fields in this command’s output.

Field Description
Outbound TCP packets received Number of client-to-server TCP packets received from clients.
Outbound UDP packets received Number of client-to-server UDP packets received from clients.
Outbound ICMP packets received Number of client-to-server ICMP packets received from clients.
Outbound other packets received Number of fragmented client-to-server packets received from cli-
ents.
Outbound packets dropped Number of client-to-server packets dropped by the ACOS device
because they were larger than the MTU of the outgoing interface.

193
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
6rd Show Commands

Field Description
Outbound IPv6 destination Number of client-to-server packets that could not be delivered
unreachable because the IPv6 server was unreachable.
Outbound Fragmented IPv6 Number of client-to-server IPv6 packets that were fragmented by
the ACOS device because they were larger than the MTU on the
outgoing interface.
Inbound TCP packets received Number of server-to-client TCP packets received from clients.
Inbound UDP packets received Number of server-to-client UDP packets received from clients.
Inbound ICMP packets received Number of server-to-client ICMP packets received from clients.
Inbound other packets received Number of fragmented server-to-client packets received from cli-
ents.
Inbound packets dropped Number of server-to-client packets dropped by the ACOS device
because they were larger than the MTU of the outgoing interface.
Inbound IPv4 destination Number of server-to-client packets that could not reach the desti-
unreachable nation of the IPv4 tunnel.
Inbound Fragmented IPv4 Number server-to-client packets fragmented into multiple IPv4
packets.
Inbound Fragmented IPv6 in Number server-to-client packets fragmented into multiple IPv6
tunnel packets before being sent in the IPv4 tunnel.
Unknown 6rd delegated prefix Number of packets received that had an unknown 6rd delegated
prefix.
Packet too big Number of packets received by the ACOS device from clients or
servers that were larger than the MTU of the ACOS interface. This
includes the following types of packets:

• Inbound IPv6 packets from servers

• Outbound IPv6 packets from 6rd clients
Not local IP Number of times an inbound IPv6 packet matched a 6rd domain
configuration, but the BR IPv4 address was a floating-IP address
and its HA group on this ACOS device was in the standby state, so
the IP address could not be used.
Fragment processing errors Number of times the ACOS device could not process fragmented
IPv4/IPv6 packets. For example, this counter is incremented if the
fragment offset is not correct, or insufficient data is received, and
so on.
Other errors Number of other types of errors not covered by any of the counters
above.

194
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: NPTV6 COMMANDS

This chapter describes the commands for NPTv6.

• “NPTv6 Configuration Commands” on page 195

• “NPTv6 Show Commands” on page 196

NPTv6 Configuration Commands

This section describes the configuration commands for NPTv6

• cgnv6 nptv6 domain

• cgnv6 nptv6 common send-icmpv6-on-error disable

cgnv6 nptv6 domain

Description Configures NPTv6 translation to manage network traffic.
Syntax [no] cgnv6 nptv6 domain name

This command brings you to the NPTv6 domain configuration level,

where the following commands are available.

[no] inside-prefix ipv6addr [outside-prefix ipv6addr]

[no] outside-prefix ipv6addr

Parameter Description
inside-prefix ipv6addr This command specifies the inside-prefix for an NPTv6 domain.
outside-prefix ipv6addr This command specifies the outside-prefix for an NPTv6 domain.

Default N/A.

Mode Configuration mode.

Usage NPTv6 translation translates the routing prefix, subnet, and interface
identifier (IID) of IPv6 traffic when the traffic between networks.
NPTv6 translation can be configured between an internal network and

195
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NPTv6 Show Commands

one or multiple external networks, as well as between two private net-

works.

cgnv6 nptv6 common send-icmpv6-on-error disable

Description Disable error notifications on NPTv6 translation failure.

Syntax cgnv6 nptv6 common send-icmpv6-on-error disable

Default Not set.

Mode Configuration mode.

Usage When an NPTv6 prefix translation fails, an ICMPv6 error message is

sent. Use this command to disable error messages.

NPTv6 Show Commands

This section describes the show commands for NPTv6.

• show cgnv6 nptv6

show cgnv6 nptv6

Description Display the NPTv6 domains, or display statistics for NPTv6 domains.

Syntax show cgnv6 nptv6 {domain | statistics} [domain-name]

Mode All

Example The following example displays sample output:

ACOS(config)# show cgnv6 nptv6 statistics

NPTV6 Statistics for domain TEMP:

--------------------------------
Outbound Packets 0
Inbound Packets 0
Haripin Packets 0
Address Not Valid For Translation 0
Inbound Packets No Map 0
Packets Destination Unreachable 0

NPTV6 Statistics for domain domain1:

--------------------------------

196
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
NPTv6 Show Commands

Outbound Packets 0
Inbound Packets 0
Haripin Packets 0
Address Not Valid For Translation 0
Inbound Packets No Map 0
Packets Destination Unreachable 0

Usage The following table describes the fields for the show command output:

Field Description
domain [domain-name] Display all NPTv6 domains or a specific domain.
statistics [domain-name] Display NPTv6 statistics for all domains or for a specific
domain.

197
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
NPTv6 Show Commands

198
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: LOGGING TEMPLATE

This chapter describes the commands for configuring logging templates. Logging templates are
applicable to IPv6 migration features.

• “Logging Template Configuration Commands” on page 199

• “Logging Template Show Commands” on page 211

Logging Template Configuration Commands

This section describes the configuration commands for CGN logging templates.

• cgnv6 template logging

• cgnv6 server

• cgnv6 service-group

cgnv6 template logging

Description Configure a template for external logging of LSN / DS-Lite traffic
events.

Syntax [no] cgnv6 template logging template-name

This command changes the CLI to the configuration level for the
specified NAT logging template, where the following command is
available.

(The other commands are common to all CLI configuration levels. See
the CLI Reference for SLB.)

Command Description
[no] Disables batching of multiple log messages in the same
batched-logging-disable external logging packet. When this option is enabled, only a
single log message is placed in each packet.

199
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

Command Description
[no] custom options Configures custom LSN log strings.

• custom header use-syslog-header – Adds a syslog

header to each message. (Disabled by default. By default,
no header is included.)
• custom message type string – Customizes a logging
string.

The type can be one of the following:

• fixed-nat-allocated
• fixed-nat-freed
• fixed-nat-interim-update
• http-request-got – Message strings for HTTP request
logs. The message-string must be in the following for-
mat:
“MSG-ID [STRUCTURED-DATA] MSG”
• port-allocated
• port-batch-allocated
• port-batch-freed
• port-batch-v2-allocated
• port-batch-v2-freed
• port-batch-v2-interim-update
• port-freed
• session-created
• session-deleted
• custom time-stamp-format– Customizes the time stamp
format to use in the message strings.
[no] disable-log-by-destination Disables logging by specific protocol and destination port/
range of ports. The following options are available:

• icmp—Disables logging for ICMP traffic.

• ip—Disables logging by destination IP entry.
• ip6—Disables logging by destination IPv6 entry.
• others—Disables logging for other L4 protocols.
• tcp—Disables logging by destination TCP port.
• udp—Disables logging by destination UDP port.
[no] Specifies the logging facility to use. For a list of available
facility facility-name facilities, enter the following command: facility ?

200
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Configuration Commands

Command Description
[no] format option Reduces the size of external traffic logs. You can enable one
of the following data reduction options:

• binary – Uses a unique A10 Binary Logging format to rep-

resent the log messages.
• compact – Uses ASCII text format. It reduces the log size
by using operational codes (“opcodes”) for event and pro-
tocol names, and by using hexadecimal representation for
IPv4 addresses and port numbers.
• custom – Uses an arbitrary custom logging format.
• default – Uses ASCII text format for external log mes-
sages, with IP addresses and port numbers represented in
decimal format. Likewise, the event and protocol names
are spelled out.
• rfc5424 – Uses the format defined in RFC 5424, The Sys-
log Protocol.
• cef – Uses the Common Event Format for logging.

For more information about these logging formats, see the

“NAT Logging” chapter of the IPv4-to-IPv6 Transition Solu-
tions Guide.

Note: RADIUS logging is only available in ASCII format.

[no] include-destination Includes the destination IP addresses and protocol ports in
NAT port mapping logs.
[no] include-http option Includes additional HTTP information in the log messages.

• cookie [max-length num] – Includes cookie information.

• file-extension – Includes HTTP file extension.
• l4-session-info – Includes TCP session information.
• method – Includes the HTTP method; for example: GET or
POST.
• referer [max-length num] – Includes the information in
the Referer header.
• request-number – Includes the HTTP request number.
• user-agent [max-length num] – Includes the informa-
tion in the User-Agent header.
• header1 [max-length num], header2 [max-length num],
header3 [max-length num]– Includes up to 3 additional
headers.

The max-length option specifies the maximum number of

characters to include for each header. You can specify 100-
1000. the default is 100.
[no] include-inside-user-mac Inserts client MAC addresses into traffic logs.
[no] include-partition-name Includes the ADP partition names in logs.

201
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

Command Description
[no] Includes the client mobile number in Carrier Grade NAT (CGN)
include-radius-attribute traffic logs. The ACOS device obtains the client mobile num-
{framed-ipv6-prefix {prefix- ber by sending a RADIUS Accounting request to an external
length}| imei | imsi | msisdn | RADIUS server for the specified attribute. The attribute can
custom1 | custom2 |
be one of the following:
custom3 | no-quote}
• framed-ipv6-prefix – Include RADIUS attributes for the pre-
fix. You must specify the prefix-length designated for the
prefix.
• imei – International Mobile Equipment Identity
• imsi – International Mobile Subscriber Identity
• insert-if-not-existing – Configure what string is to be
inserted for custom RADIUS attributes.
• msisdn – Mobile Station International ISDN Number
• custom1, custom2, custom3 – Additional attributes not
covered by other options
• no-quote – No quotation marks for RADIUS attributes in
logs.

With the exception of no-quote and framed-ipv6-prefix,

under each of this attribute, the following options are avail-
able:

• The http-requests option includes the mobile number

in HTTP request logs.
• The port-mappings option inserts the mobile number
into port-mapping logs, Fixed-NAT user port logs (if
enabled), and Port Batching logs (if enabled).
• The sessions option includes the mobile number in ses-
sion logs.
• The user-data option enables the subscriber informa-
tion to be included in the enhanced user tracking logs.
[no] Includes the byte-count in session deletion logs.
include-session-byte-count

202
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Configuration Commands

Command Description
[no] log option Enables logging for specific options.

• fixed-nat
{
http-requests {host | url} |
port-mappings {both | creation} | sessions |
user-ports [periodic days start-time hh:mm]}

Enables logging for Fixed-NAT.

• http-requests {host | url}

Enables logging of information from HTTP requests.

Note: The maximum length of the log http-requests

host option is 255.

• port-mappings {both | creation}

Logs Fixed-NAT port mappings. Use both to log both

creation and deletion of NAT mappings; use creation to
log creation of MAT mappings only.

• sessions [merged-style]

Logs Fixed-NAT session creation and deletion. The

merged-style option merges creation and deletion of
session logs to one.

• user-ports [periodic days start-time hh:mm]

Includes the port numbers assigned to clients. The

periodic option specifies the Interval between log gen-
eration for Fixed-NAT port allocations. You can specify
1-30 days. The start-time option specifies the time at
which to generate the first user activity log. This is the
local system time on the ACOS device.

• http-requests {host | url}

Enables logging of information from HTTP requests.

• host logs the hostname requested by the client.

• url logs the URL requested by the client.
• port-mappings {creation | disable}

Enables logging of LSN port mapping events. The cre-

ation option logs Fixed-NAT session creation only. If you
omit this option, session deletion also is logged.

• creation

Logs mapping creation only.

• disable
203
Disables logging for port mapping.

• port-overloading
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

Command Description
• user-data

Enables the enhanced user tracking logs to be sent out to

external syslog servers.
[no] log-receiver radius secret Enables use of RADIUS for external logging.
{secret-string | encrypted}
• secret-string – The password required by the RADIUS
server for authentication requests.
• encrypted – The A10 reserved encrypted keyword. Do
NOT use this option manually.

NOTE: The “no” form of the command returns the logging

method to its default, Syslog.
[no] resolution Specifies the precision of the timestamps in log messages.

• seconds – Log message timestamps are precise to within

one whole second.
• 10-milliseconds – Log message timestamps are precise
to within 1/100 second (10 milliseconds).
[no] rfc-custom header Use the following timestamp format:
use-alternate-timestamp
YYYY MMM DD HH:MM:SS

Enabling this option disables use of timestamps formatted in

compliance with RFC 5424, The Syslog Protocol.

204
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Configuration Commands

Command Description
[no] rfc-custom message Customizes log message strings for external logging.
feature type string
The feature can be one of the following:

• http-request-got – Message strings for HTTP request

logs. The message-string must be in the following format:
“MSG-ID [STRUCTURED-DATA] MSG”
• lsn – Message strings for CGN traffic.
• nat64 – Message strings for NAT64 traffic.
• ds-lite – Message strings for DS-Lite traffic.
• sixrd-nat64 – Message strings for 6rd-NAT64 traffic.

The type can be one of the following:

fixed-nat-allocated – Fixed-NAT allocated

•
fixed-nat-freed – Fixed-NAT freed
•
port-allocated – Port allocated
•
port-batch-allocated – Port Batch allocated
•
port-batch-freed – Port Batch freed
•
port-batch-v2-allocated – Port Batch v2 allocated
•
port-batch-v2-freed – Port Batch v2 freed
•
port-freed – Port freed
•
• session-created – Message strings for session creation.
• session-deleted – Message strings for session deletion.

NOTE: The fixed-nat-allocated and fixed-nat-freed

message types apply only to feature types lsn and nat64.

The string specifies the fields and text to use in the mes-
sage strings. (For string syntax information, see the “RFC
5424 Header Support For External Logging” section in the
IPv4-to-IPv6 Transition Solutions Guide.)

205
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

Command Description
[no] rule http-requests option Configures rules for HTTP request logging. You can set the
following options:

• dest-port portnum [include-byte-count] – Destina-

tion TCP port for which to log client requests. For example,
to log client requests to port 80, enter the following com-
mand: r ule http-requests dest-port 80.

The include-byte-count option also adds the byte count

to the log messages.

• disable-sequence-check – Disables HTTP packet sequence

check and don’t drop out packets. HTTP sequence check is
enabled by default. This HTTP sequence check is required for
HTTP logging. If disabled, out-of-order HTTP requests will not be
logged.
• include-all-headers – Includes all configured headers
even when they are absent in the HTTP request.
• log-every-http-request – Logs every HTTP request in a
client session. Without this option, only the first request in
the session is logged.
• max-url-len max-number-of-characters – Maximum
number of characters logged for each URL string. You can
specify 100-1000 characters.

NOTE: Some limitations may apply. See “Usage” below.

[no] rule port-mappings [interim- Specifies the interim update interval in minutes, within the
update minutes] range of 15-120 minutes.
[no] service-group Specifies the service group for the external log servers.
group-name
[no] severity Specifies the severity level to assign to LSN traffic logs gen-
severity-level erated using this template. You can enter the name or the
number of a severity level.

• 0 | emergency
• 1 | alert
• 2 | critical
• 3 | error
• 4 | warning
• 5 | notice
• 6 | informational
• 7 | debug
[no] source-address Specifies the source IPv4 or IPv6 address to use as the
{ip ipv4addr | source of log packets.
ipv6 ipv6addr}

206
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Configuration Commands

Command Description
[no] source-port Specifies the source protocol port the ACOS device uses to
{portnum | any} send out log messages to the external log servers.

NOTE: This does not conflict with the real server port, which
is the destination port of the logging packet.

If the any option is configured, the ACOS device randomly

selects a source-port for each logging packet.

The source-port command is only applicable to syslog over

UDP, and does not apply to TCP traffic. With syslog over TCP
traffic, the source port is determined by the ACOS device
through Smart NAT.

Default There is no NAT logging template by default. When you configure one,
the template options have the following default values:
• batched-logging-disable – disabled. Log messages are batched.
Each external logging packet can contain more than one log mes-
sage.
• custom – not set
• facility – local0
• format – default
• include-destination – disabled
• include-http – not set
• include-inside-user-mac – not set
• include-partition-name – not set
• include-radius-attribute – not set
• log fixed-nat – all options disabled
• log fixed-nat-user-ports – disabled
• log http-requests – disabled
• log port-mappings – Both creation and deletion of mappings are
logged.
• log port-overloading – disabled
• log sessions – disabled
• log-receiver – not set
• resolution – seconds
• rfc-custom – The default message formats are used, if RFC 5424
format is enabled. (See the IPv4-to-IPv6 Transition Solutions
Guide.)
• rule – Rules for HTTP request logging have the following defaults:
• dest-port – not set
• log-every-http-request – disabled; only the first request of
the session is logged
• max-url-len – 100

207
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

• service-group – not set

• severity – 7 (debugging)
• source-address – IP address of the Ethernet data interface out
which the log packet is sent.
• source-port – 514 (for UDP only)

Mode Configuration mode

Usage The template does not take effect until you set it as the default LSN /
DS-Lite logging template or assign it to individual LSN / DS-Lite pools.
• To set the template as the default LSN / DS-Lite logging template,
see “cgnv6 lsn logging default-template” on page 25.
• To assign the template to an LSN / DS-Lite pool, see “cgnv6 lsn
logging pool” on page 26.

Maximum URL Length for HTTP Request Logging

The maximum number of URL characters that can be logged depends

on the log format settings, as listed in the table below

Logging Option Maximum URL Characters Logged

Default data format (ASCII)
Compact data format 1000
RFC 5424 format
Binary data format 253
Logging to RADIUS 247

Additional characters are truncated from the right side of the URL
string.

Example The following commands configure external logging for LSN / DS-Lite
traffic events, using the same template for all LSN / DS-Lite pools:

ACOS(config)# cgnv6 server syslog1 192.168.1.100

ACOS(config-real server)# port 514 udp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# cgnv6 service-group syslog udp
ACOS(config-cgnv6 svc group)# member syslog1 514
ACOS(config-cgnv6 svc group)# exit
ACOS(config)# cgnv6 template logging lsn_logging
ACOS(config-logging:lsn_logging)# log port-mappings creation
ACOS(config-logging:lsn_logging)# service-group syslog
ACOS(config-logging:lsn_logging)# exit
ACOS(config)# cgnv6 lsn logging default-template lsn_logging

208
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Configuration Commands

cgnv6 server
Description Configure a server for external logging.

Syntax [no] cgnv6 server server-name ipaddr

Parameter Description
server-name Server name, 1-31 characters.
ipaddr IP address of the server in either IPv4 or IPv6 format. The address is required only if you
are creating a new server.

This command changes the CLI to the configuration level for the
specified service-group, where the following command is available:

Command Description
disable Disables the server.
enable Enables the server.
[no] health-check Enables health monitoring of the server. The monitor-name specifies the
[monitor-name] name of a configured health monitor.

If you omit this command or you enter it without the monitor-name option,
the default Layer 3 (ICMP) health monitor is used.
[no] health-check- Disables health monitoring of the server.
disable
[no] health-check- Specifies the specific port to follow for health status.
follow-port portnum
{tcp | udp}

[no] port port-num Specifies the TCP or UDP port on which the server listens for log traffic.
{tcp | udp}
disable | enable

Disables or re-enables the port.

[no] health-check [monitor-name]

Enables health monitoring of the port. The monitor-name option specifies

the name of a configured health monitor.

If you omit the health-check command or you enter it without the moni-
tor-name option, the default UDP health monitor is used. (See “Usage”
below.)

[no] health-check-disable

Disables health monitoring of the port.

209
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Configuration Commands

Default There is no default logging server configuration. For health monitoring

defaults, see below.

Mode Configuration mode

Usage The normal form of the cgnv6 server command creates a new or edits
an existing real server. The CLI changes to the configuration level for
the server.

The “no” form of this command removes an existing real server.

The IP address of the server can be in either IPv4 or IPv6 format. ACOS
supports both address formats.

Default Health Monitoring

The following health monitors are enabled by default.

• ICMP – Server health check. Every 5 seconds, the ACOS device

sends an ICMP echo request (ping) addressed to the server’s IP
address. The server passes the health check if it sends an echo
reply to the ACOS device. If the server does not reply after the
fourth attempt (the first attempt followed by 3 retries), the ACOS
device sets the server state to DOWN.
• TCP – Every 5 seconds, the ACOS device sends a connection
request (TCP SYN) to the specified TCP port on the server. The
port passes the health check if it replies to the ACOS device by
sending a TCP SYN ACK. If the port does not reply after the fourth
attempt, the ACOS device sets the port state to DOWN.
• UDP – Protocol port health check. Every 5 seconds, the ACOS
device sends a packet with a valid UDP header and a garbage
payload to the UDP port. The port passes the health check if the
server either does not reply, or replies with any type of packet
except an ICMP Error message.

cgnv6 service-group
Description Configure a service group, which is a pool of one or more servers.

Syntax [no] cgnv6 service-group group-name {tcp | udp}

Replace group-name with the name of the group, 1-31 characters.

This command changes the CLI to the configuration level for the
specified service-group, where the following command is available:

210
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Show Commands

NOTE: The other configuration commands at this level are not appli-
cable to logging.

Command Description
[no] health-check Enables health monitoring of the service group. The monitor-name
[monitor-name] specifies the name of a configured health monitor.
[no] member Adds the external log server and port to the service group.
server-name portnum

Default There are no service groups configured by default.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing
service group. The CLI changes to the configuration level for the ser-
vice group.

Logging Template Show Commands

This section lists the show commands related to logging template configuration.

• show cgnv6 logging keywords

• show cgnv6 logging source-address

• show cgnv6 logging statistics

• show cgnv6 logging tcp-svr-status

211
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Show Commands

show cgnv6 logging keywords

Description Show valid keywords for RFC 5424 custom messages.

Syntax show cgnv6 logging keywords feature event

Parameter Description
feature Specifies the feature, which can be one of the following:

• ds-lite – Message strings for DS-Lite traffic.

• http-request-got – Message strings for HTTP request logs.
• lsn – Message strings for CGN traffic.
• nat64 – Message strings for NAT64 traffic.
• session-created – Message strings for session creation.
• session-deleted – Message strings for session deletion.
• sixrd-nat64 – Message strings for 6rd-NAT64 traffic.
event Specifies the event type, which can be one of the following (depending on the fea-
ture):

• fixed-nat-allocated
• fixed-nat-freed
• fixed-nat-interim-update
• port-allocated
• port-batch-allocated
• port-batch-freed
• port-batch-v2-allocated
• port-batch-v2-freed
• port-batch-v2-interim-update
• port-freed

Mode All

212
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Logging Template Show Commands

show cgnv6 logging source-address

Description Display all source-address logging statistics about the state of the
source address port allocation.

Syntax show cgnv6 logging source-address

Default N/A

Mode All

Usage You can also specify source-address logging statistics for a specific
template.

show cgnv6 logging statistics

Description Show statistics for external logging.
Syntax show cgnv6 logging statistics

Mode All

show cgnv6 logging tcp-svr-status

Description Displays status information for the TCP connections to logging serv-
ers.

Syntax show cgnv6 logging tcp-svr-status template template-name

Replace template-name with the name of the active logging template.

(This is the template set as the default CGN logging template.)

Mode All

Example The following command displays the status of the ACOS device’s TCP
connections to syslog servers:

ACOS# show cgnv6 logging tcp-svr-status template cgn-log-tmplt

Server No. of TCP connections Status
--------------------------------------------------------
LogSrv1 15/15 OK
LogSrv2 13/15 Retrying
LogSrv3 15/15 OK
LogSrv4 15/15 OK

The following table describes the fields in the command output.

213
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Logging Template Show Commands

Field Description
Server Name of the syslog server.
No. of TCP connec- Status of the TCP connections to the server. The status is shown as follows:
tions
Established-Connections / Data-CPUs

To optimize performance, the ACOS device establishes a separate TCP session

from each data CPU to each syslog server.

The Established-Connections value is the number of connections that currently

are established. The Data-CPUs value is the number of data CPUs on the ACOS
device. This number varies depending on the ACOS model.
Status Connection status:

• OK – All ACOS TCP connections to the syslog server are functioning normally.
• Retrying – Some connections are not up, and the ACOS device is sending
SYNs to try to establish the missing connections.

214
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN

CONFIG COMMANDS: FIXED-NATCOMMAND LINE

INTERFACE REFERENCE FOR CGN

This chapter describes the commands for Fixed-NAT.

• “Fixed-NAT Configuration Command” on page 215

• “Fixed-NAT Show Commands” on page 219

NOTE: For Fixed-NAT, use of a NAT64 prefix with mapping to a class list is
not supported.

Fixed-NAT Configuration Command

This section describes the configuration command for Fixed-NAT.

• cgnv6 ecmp 4-tuple-hash

• cgnv6 lsn alg

• cgnv6 fixed-nat create-port-mapping-file

• cgnv6 fixed-nat port-mapping-files-count

• cgnv6 fixed-nat inside

cgnv6 ecmp 4-tuple-hash

For information on this command, see “cgnv6 ecmp 4-tuple-hash” on page 16

cgnv6 lsn alg

For information in configuring ALG support for Fixed-NAT, see “cgnv6 lsn alg” on page 18.

215
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Fixed-NAT Configuration Command

cgnv6 fixed-nat create-port-mapping-file

Description Creates a port mapping file.

Syntax [no] cgnv6 fixed-nat create-port-mapping-file

Default Not set

Mode Configuration mode

Example The following is an example of the command

ACOS(config)# cgnv6 fixed-nat create-port-mapping-file

cgnv6 fixed-nat port-mapping-files-count

Description Configures the number of old port-mapping files to retain.

Syntax [no] cgnv6 fixed-nat port-mapping-files-count

Default Not set

Mode Configuration mode

Example The following is an example of the command

ACOS(config)# cgnv6 fixed-nat create-port-mapping-files-count 1

cgnv6 fixed-nat inside

Description Configures Fixed NAT inside users using IPv4 or IPv6 inside user
address.
Syntax [no] cgnv6 fixed-nat inside
ip-list list-name nat ip-list list-name {dest-rule-list |
dynamic-pool-size | method | offset | ports-per-user | respond-
to-user-mac | session-quota | usable-nat-ports | vrid}

This scenario configures Fixed NAT inside users with an IP-list.

The following is an example of this configuration:

ACOS(config)# cgnv6 fixed-nat inside ip-list TEMP nat ip-list
TEMP dest-rule-list TEMP dynamic-pool-size 0 method use-all-nat-
ips offset random ports-per-user 1 respond-to-user-mac session-
quota 1 usable-nat-ports 1024 1024 vrid 1

Syntax [no] cgnv6 fixed-nat inside

{ipv4-start-inside-addr ipv4-end-inside-addr netmask /nn nat
start-nat-addr end-nat-addr netmask /nn {dest-rule-list |

216
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Fixed-NAT Configuration Command

dynamic-pool-size | method | offset | ports-per-user | respond-

to-user-mac | session-quota | usable-nat-ports | vrid}

This scenario configures FIXED NAT inside users with NAT start and
end addresses.

The following is an example of this configuration:

ACOS(config)# cgnv6 fixed-nat inside 1.1.1.1 1.1.1.1 netmask /24
nat 1.1.1.1 1.1.1.1 netmask /24 dest-rule-list TEMP dynamic-pool-
size 0 method use-all-nat-ips offset random ports-per-user 1
respond-to-user-mac session-quota 1 usable-nat-ports 1024 1024
vrid 1

Syntax [no] cgnv6 fixed-nat inside

{ipv4-start-inside-addr ipv4-end-inside-addr netmask /nn parti-
tion partition-name nat ip-list list-name {dest-rule-list |
dynamic-pool-size | method | offset | ports-per-user | respond-
to-user-mac | session-quota | usable-nat-ports | vrid}

This scenario configures FIXED NAT inside users with an IP-list within
an inside user partition.

The following is an example of this configuration:

ACOS(config)# cgnv6 fixed-nat inside 1.1.1.1 1.1.1.1 netmask /24
partition TEMP nat ip-list TEMP dynamic-pool-size 0 dest-rule-
list TEMP method use-all-nat-ips offset random ports-per-user 1
respond-to-user-mac session-quota 1 usable-nat-ports 1024 1024
vrid 1

Syntax [no] cgnv6 fixed-nat inside

{ipv4-start-inside-addr ipv4-end-inside-addr netmask /nn parti-
tion partition-name nat start-nat-addr end-nat-addr netmask /nn
{dest-rule-list | dynamic-pool-size | method | offset | ports-
per-user | respond-to-user-mac | session-quota | usable-nat-ports
| vrid}

This scenario configures FIXED NAT inside users with NAT start and
end addresses within an inside user partition.

The following is an example of this configuration:

ACOS(config)# cgnv6 fixed-nat inside 1.1.1.1 1.1.1.1 netmask /24
partition TEMP nat 1.1.1.1 1.1.1.1 netmask /24 dynamic-pool-size
0 dest-rule-list TEMP method use-all-nat-ips offset random ports-
per-user 1 respond-to-user-mac session-quota 1 usable-nat-ports
1024 1024 vrid 1

217
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Fixed-NAT Configuration Command

Parameter Description
inside options IP address range(s) of inside clients.

To specify a single range:

• start-inside-ipaddr – Beginning (lowest-numbered) inside client

address.
• end-inside-ipaddr – Ending (highest-numbered) inside client
address.
• netmask – Network mask, in the applicable format:
• IPv4 – /mask-length or ipaddr
• IPv6 – mask-length
nat options To specify a single range:

• start-nat-ipaddr – Beginning (lowest-numbered) NAT address.

(For syntax information, see starting-inside-address above.)
• end-nat-ipaddr – Ending (highest-numbered) NAT address. (For
syntax information, see starting-inside-address above.)

To specify multiple ranges:

• ip-list list-name – Name of a configured IP list. (See the CLI Ref-

erence for SLB.)
partition options Configures settings for inside user partition.
dest-rule-list name Binds destination-based rule-list.
dynamic-pool-size num Number of protocol ports on each NAT address to set aside for use by
clients who run out of their reserved ports.
method Method for IP allocation.
{use-all-nat-ips |
use-least-nat-ips} • use-all-nat-ips—Inside client IP addresses can be allocated with
the intent to use all of the available NAT IP addresses. This new algo-
rithm ensures that all NAT IP addresses are used, with little room for
any unused NAT IP addresses.
• use-least-nat-ips—Inside client IP addresses can be allocated to
NAT addresses with the goal of minimizing the use of available pub-
lic NAT IP Addresses. This is the current behavior. This configuration
method may result in some unused NAT IP addresses.
offset Allocation offset. (See the IPv6 Migration Logging Guide.)
{random | offset-value}
ports-per-user num Number of protocol ports to allocate to each new client. You can spec-
ify 1-64512.
respond-to-user-mac Enables MAC-based nexthop routing for Fixed-NAT. The next route
hop is based on the MAC address of the inside client’s request. The
ACOS device uses the MAC address, instead of the route table, to
select the next hop for the reply. Replies that are sent to the client use
the same route hop on which the request was received.

218
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Fixed-NAT Show Commands

Parameter Description
session-quota quota-num Maximum number of sessions that can be created for a given client.
You can specify 1-2147483647.
usable-nat-ports Range of protocol ports that can be allocated to clients. You can spec-
starting-port ify 1024-65535.
ending-port
vrid vrid Adds the Fixed-NAT addresses to a VRRP-A VRID for redundancy.

Default Not set

Mode Configuration mode

Fixed-NAT Show Commands

This section describes the show commands for Fixed-NAT:

• show cgnv6 fixed-nat alg

• show cgnv6 fixed-nat full-cone-sessions

• show cgnv6 fixed-nat inside-user

• show cgnv6 fixed-nat nat-address

• show cgnv6 fixed-nat port-mapping-files

• show cgnv6 fixed-nat statistics

show cgnv6 fixed-nat alg

Description Show Application Level Gateway (ALG) statistics for Fixed-NAT.
Syntax show cgnv6 fixed-nat alg
{esp | ftp | h323 | mgcp | pptp | rtsp | sip | tftp}
statistics

Specify one of the protocols to see statistics for that protocol:

Parameter Description
esp Encapsulating Security Payload (ESP)
ftp File Transfer Protocol (FTP).
h323 H.323 standard.
mgcp Media Gateway Control Protocol
pptp Point-to-Point Tunneling Protocol (PPTP) Generic Routing Encapsula-
tion (GRE)

219
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Fixed-NAT Show Commands

Parameter Description
rtsp Real Time Streaming Protocol (RTSP)
sip Session Initiation Protocol (SIP)
tftp Trivial File Transfer Protocol (TFTP)

Mode All

Example For examples, see “show cgnv6 lsn alg” on page 59.

show cgnv6 fixed-nat full-cone-sessions

Description Show Fixed-NAT full-cone sessions.

Syntax show cgnv6 fixed-nat full-cone-sessions

[ds-lite [nat-address ipaddr] |
nat-address ipaddr |
nat44 [nat-address ipaddr] |
nat64 [nat-address ipaddr] ]
[all-partitions | partition name]
[pcp]

Parameter Description
ds-lite [nat-address ipaddr] Displays DS-Lite full-cone sessions.
nat-address ipaddr Displays full-cone sessions for the specified NAT address.
nat44 [nat-address ipaddr] Displays NAT44 full-cone sessions.
nat64 [nat-address ipaddr] Displays NAT64 full-cone sessions.
all-partitions Displays full-cone sessions for all partitions.
partition name Displays full-cone sessions for only the specified partition.
pcp Displays only those full-cone sessions created by PCP request.

Mode All

show cgnv6 fixed-nat inside-user

Description Show Fixed-NAT information for a specific inside client.

Syntax show cgnv6 fixed-nat inside-user {ipv4addr | ipv6addr}

[partition name]
{port-mapping | quota-used}

Parameter Description
partition name Name of the inside user partition.
port-mapping Displays Fixed-NAT port mappings for a specific NAT address.
quota-used Lists the number of sessions the client currently has active, and the number of
TCP, UDP, and ICMP ports in use by the client.

220
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Fixed-NAT Show Commands

Mode All

show cgnv6 fixed-nat nat-address

Description Display Fixed-NAT address information.

Syntax show cgnv6 fixed-nat nat-address ipv4addr

{portnum | port-mapping}

Parameter Description
portnum Displays the inside user mapping for NAT address and NAT port number
(1024-65535).
port-mapping Displays Fixed-NAT port mappings for a specific NAT address.

Mode All

show cgnv6 fixed-nat port-mapping-files

Description Display all created files currently on the file system.

Syntax show cgnv6 fixed-nat port-mapping-files {all | archive}

Parameter Description
all List all the port mapping files of all configuration
archive List all the port mapping files that are deleted.

Mode All

Example This show a sample output:

ACOS(config)# show cgnv6 fixed-nat port-mapping-files

Fixed Nat Port Mapping Files
------------------------------------------------------
fixed_nat_150.150.150.150
Total: 1

show cgnv6 fixed-nat statistics

Description Show statistics for Fixed-NAT.

Syntax show cgnv6 fixed-nat statistics

Mode All

221
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Fixed-NAT Show Commands

The following table describes the fields in this command’s output.

Field Description
Total NAT Addresses in-use Total number of NAT pool addresses in use.
Total TCP Ports Allocated Total number of TCP ports allocated for user sessions.
Total TCP Ports Freed Total number of TCP ports freed for use by other sessions.
Total UDP Ports Allocated Total number of UDP ports allocated for user sessions.
Total UDP Ports Freed Total number of UDP ports freed for use by other sessions.
Total ICMP Ports Allocated Total number of ICMP ports allocated for user sessions.
Total ICMP Ports Freed Total number of ICMP ports freed for use by other sessions.
NAT44 Data Sessions Created Total number of NAT44 Fixed-NAT data sessions created.
NAT44 Data Sessions Freed Total number of NAT44 Fixed-NAT data sessions freed.
NAT64 Data Sessions Created Total number of NAT64 Fixed-NAT data sessions created.
NAT64 Data Sessions Freed Total number of NAT64 Fixed-NAT data sessions freed.
DS-Lite Data Sessions Created Total number of DS-Lite Fixed-NAT data sessions created.
DS-Lite Data Sessions Freed Total number of DS-Lite Fixed-NAT data sessions freed.
TCP NAT Port Unavailable Number of times a TCP port for an LSN NAT session was unavailable.
UDP NAT Port Unavailable Number of times a UDP port for an LSN NAT session was unavail-
able.
ICMP NAT Port Unavailable Number of times an ICMP port for an LSN NAT session was unavail-
able.
Sessions User Quota Exceeded Number of times a client exceeded their data session quota.
NAT44 TCP Full-Cone Created Total number of NAT44 TCP full-cone sessions created.
NAT44 TCP Full-Cone Freed Total number of NAT44 TCP full-cone sessions freed.
NAT44 UDP Full-Cone Created Total number of NAT44 UDP full-cone sessions created.
NAT44 UDP Full-Cone Freed Total number of NAT44 UDP full-cone sessions freed.
NAT44 UDP ALG Full-Cone Cre- Total number of NAT44 UDP full-cone sessions created that used
ated ALG support.
NAT44 UDP ALG Full-Cone Freed Total number of NAT44 UDP full-cone sessions freed that used ALG
support.
NAT64 TCP Full-Cone Created Total number of NAT64 TCP full-cone sessions created.
NAT64 TCP Full-Cone Freed Total number of NAT64 TCP full-cone sessions freed.
NAT64 UDP Full-Cone Created Total number of NAT64 UDP full-cone sessions created.
NAT64 UDP Full-Cone Freed Total number of NAT64 UDP full-cone sessions freed.
NAT64 UDP ALG Full-Cone Cre- Total number of NAT64 UDP full-cone sessions created that used
ated ALG support.
NAT64 UDP ALG Full-Cone Freed Total number of NAT64 UDP full-cone sessions freed that used ALG
support.
DS-Lite TCP Full-Cone Created Total number of DS-Lite UDP full-cone sessions created that used
ALG support.

222
Feedback ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN
Fixed-NAT Show Commands

Field Description
DS-Lite TCP Full-Cone Freed Total number of DS-Lite UDP full-cone sessions freed that used ALG
support.
DS-Lite UDP Full-Cone Created Total number of DS-Lite TCP full-cone sessions created.
DS-Lite UDP Full-Cone Freed Total number of DS-Lite TCP full-cone sessions freed.
DS-Lite UDP ALG Full-Cone Cre- Total number of DS-Lite UDP full-cone sessions created.
ated
DS-Lite UDP ALG Full-Cone Total number of DS-Lite UDP full-cone sessions freed.
Freed
Full-Cone Session Creation Failed Total number of NAT64 UDP full-cone sessions created that used
ALG support.
NAT44 Endpoint-Independent Total number of NAT64 UDP full-cone sessions freed that used ALG
Mapping Matched support.
NAT64 Endpoint-Independent Number of times the NAT64 mapping assigned to a client was
Mapping Matched reused for subsequent traffic for that client.
DS-Lite Endpoint-Independent Number of times the DS-Lite mapping assigned to a client was
Mapping Matched reused for subsequent traffic for that client.
NAT44 Number of times traffic from any source to a given NAT44 mapped
Endpoint- client was forwarded to the internal client, regardless of the end-
Independent point. (This is the benefit provided by Endpoint independent filter-
Filtering Matched ing.)
NAT64 Endpoint-Independent Number of times traffic from any source to a given NAT64 mapped
Filtering Matched client was forwarded to the internal client, regardless of the end-
point.
DS-Lite Endpoint-Independent Number of times traffic from any source to a given DS-Lite mapped
Filtering Matched client was forwarded to the internal client, regardless of the end-
point.
NAT44Endpoint-Dependent Fil- Number of times traffic to a NAT44 mapped client was dropped
tering Drop because endpoint-independent filtering was not enabled, and the
traffic was not from the endpoint mapped to the client.
NAT64Endpoint-Dependent Fil- Number of times traffic to a NAT64 mapped client was dropped
tering Drop because endpoint-independent filtering was not enabled, and the
traffic was not from the endpoint mapped to the client.
DS-Lite Endpoint-Dependent Fil- Number of times traffic to a DS-Lite mapped client was dropped
tering Drop because endpoint-independent filtering was not enabled, and the
traffic was not from the endpoint mapped to the client.
NAT44 Endpoint-Independent Number of times the limit for EIF sessions on a NAT44 mapping was
Filtering Inbound Limit Exceeded exceeded.
NAT64 Endpoint-Independent Number of times the limit for EIF sessions on a NAT64 mapping was
Filtering Inbound Limit Exceeded exceeded.
DS-Lite Endpoint-Independent Number of times the limit for EIF sessions on a DS-Lite mapping was
Filtering Inbound Limit Exceeded exceeded.
NAT44 Hairpin Session Created Total number of NAT44 hairpin sessions created.
NAT64 Hairpin Session Created Total number of NAT64 hairpin sessions created.

223
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN FeedbackF
Fee
e
Fixed-NAT Show Commands

Field Description
DS-Lite Hairpin Session Created Total number of DS-Lite hairpin sessions created.
Fixed NAT LID Standby Drop Number of packets dropped because the Fixed-NAT LID is in an HA
group, and this ACOS device was the Standby for that HA group.
Self-Hairpinning Drop Number of times traffic was dropped because the inside source and
destination addresses were the same.
Fixed NAT IPv6 in IPv4 Packet Number of Packets dropped because it is a ipv6 packet encapsu-
Drop lated in IPv4 packet. Fixed NAT does not support 6rd / IPv6 in IPv4
packets.
Fixed NAT Dest Rule List Drop Number of Packets dropped because the Drop was configured in
Destination Rule List.
Fixed NAT Dest Rule List Pass- Number of Packets passed through because the Pass-Through was
Through configured in Destination Rule List.
Fixed NAT IPv4 User Marked Number of Fixed NAT IPv4 users set to unusable state.
Unusable
Fixed NAT IPv6 User Marked Number of Fixed NAT IPv6 users set to unusable state.
Unusable
Fixed NAT User Unusable Drop Number of Packets dropped because the user is in unusable state.
Fixed NAT Dest Rules List Source Number of Packets dropped because LSN Source NAT was config-
NAT Drop ured in Fixed-NAT Dest Rule List.
Fixed NAT Config not Found Packets dropped due to configuration is not found. This can occur
when the configuration is being removed.
Fixed NAT IPD disabled Fixed-NAT IP black-listed due to cgnv6 ddos-protection. Number of
times traffic hits this Fixed NAT IP once it is black-listed.

224
ACOS 4.1.4-GR1-P5 Command Line Interface Reference for CGN for A10 Thunder Series
Contents

225

A10 4.1.1-P11 Cli-Cgn
No ratings yet
A10 4.1.1-P11 Cli-Cgn
224 pages
A10 5.1.0 Cli-Cgn
No ratings yet
A10 5.1.0 Cli-Cgn
224 pages
A10 4.1.1-P8 Cli-Slb PDF
No ratings yet
A10 4.1.1-P8 Cli-Slb PDF
500 pages
A10 5.0.1 Sag
No ratings yet
A10 5.0.1 Sag
418 pages
A10 4.1.1-P11 DCFW
100% (1)
A10 4.1.1-P11 DCFW
142 pages
Acos 4.1.4-Gr1-P5 Traffic Logging Guide For Ipv6 Migration: For A10 Thunder Series 18 August 2020
No ratings yet
Acos 4.1.4-Gr1-P5 Traffic Logging Guide For Ipv6 Migration: For A10 Thunder Series 18 August 2020
202 pages
A10 5.1.0 Cli-Slb
50% (2)
A10 5.1.0 Cli-Slb
586 pages
ACOS 4.1.1-P11 System Configuration and Administration Guide
No ratings yet
ACOS 4.1.1-P11 System Configuration and Administration Guide
206 pages
Acos 5.1.0 Ipv4-To-Ipv6 Transition Solutions Guide: For A10 Thunder Series 2 December 2019
No ratings yet
Acos 5.1.0 Ipv4-To-Ipv6 Transition Solutions Guide: For A10 Thunder Series 2 December 2019
354 pages
ACOS 4.1.1-P11 Network Configuration Guide: For A10 Thunder Series and AX™ Series 29 May 2019
No ratings yet
ACOS 4.1.1-P11 Network Configuration Guide: For A10 Thunder Series and AX™ Series 29 May 2019
378 pages
A10 4.1.0-P2 CLI Jun17 2016
No ratings yet
A10 4.1.0-P2 CLI Jun17 2016
394 pages
A10 4.1.0-P3 CLI-ADC Jun24 2016
No ratings yet
A10 4.1.0-P3 CLI-ADC Jun24 2016
454 pages
A10 5.1.0-P3 Apfw
No ratings yet
A10 5.1.0-P3 Apfw
56 pages
A10 Command Reference
No ratings yet
A10 Command Reference
394 pages
ACOS 5.1.0-P3 Configuring Application Delivery Partitions: For A10 Thunder Series 24 April 2020
No ratings yet
ACOS 5.1.0-P3 Configuring Application Delivery Partitions: For A10 Thunder Series 24 April 2020
94 pages
A10 Configuring Application Delivery Partitions
No ratings yet
A10 Configuring Application Delivery Partitions
46 pages
A10 Thunder Vlan Bridging + VRRP
No ratings yet
A10 Thunder Vlan Bridging + VRRP
328 pages
A10 4.1.4-P1 Net PDF
No ratings yet
A10 4.1.4-P1 Net PDF
358 pages
ACOS 5.0.0-P1 Scaleout Configuration Guide: For A10 Thunder Series 20 November 2019
No ratings yet
ACOS 5.0.0-P1 Scaleout Configuration Guide: For A10 Thunder Series 20 November 2019
98 pages
DDoS Mitigation ADC
No ratings yet
DDoS Mitigation ADC
110 pages
ACOS 5.1.0 Configuring Application Firewall: For A10 Thunder Series 29 November 2019
No ratings yet
ACOS 5.1.0 Configuring Application Firewall: For A10 Thunder Series 29 November 2019
56 pages
ACOS 4.1.4-GR1-P5 Configuring Application Firewall: For A10 Thunder Series and AX™ Series 24 August 2020
No ratings yet
ACOS 4.1.4-GR1-P5 Configuring Application Firewall: For A10 Thunder Series and AX™ Series 24 August 2020
56 pages
A10 5.1.0 Aflex
100% (1)
A10 5.1.0 Aflex
458 pages
ACOS 4.1.4-GR1-P1 Command Line Reference: For A10 Thunder Series 9 April 2019
No ratings yet
ACOS 4.1.4-GR1-P1 Command Line Reference: For A10 Thunder Series 9 April 2019
510 pages
ACOS 4.1.4-GR1-P5 Configuring Application Delivery Partitions
No ratings yet
ACOS 4.1.4-GR1-P5 Configuring Application Delivery Partitions
100 pages
A10 Networks WAF Guide
100% (2)
A10 Networks WAF Guide
176 pages
ACOS 4.1.1-P11 Command Line Interface Reference: For A10 Thunder Series and AX™ Series 30 May 2019
No ratings yet
ACOS 4.1.1-P11 Command Line Interface Reference: For A10 Thunder Series and AX™ Series 30 May 2019
466 pages
A10 4.1.4-GR1-P5 Avcs
No ratings yet
A10 4.1.4-GR1-P5 Avcs
74 pages
ACOS 4.1.1-P11 Application Delivery and Server Load Balancing Guide
No ratings yet
ACOS 4.1.1-P11 Application Delivery and Server Load Balancing Guide
742 pages
ACOS 4.1.2-P4 Configuring Application Delivery Partitions: For A10 Thunder Series and AX™ Series 12 April 2018
No ratings yet
ACOS 4.1.2-P4 Configuring Application Delivery Partitions: For A10 Thunder Series and AX™ Series 12 April 2018
64 pages
A10 5.1.0 Adp
No ratings yet
A10 5.1.0 Adp
94 pages
A10 4.1.1-P1 SLB Nov29 2016
No ratings yet
A10 4.1.1-P1 SLB Nov29 2016
736 pages
A10 5.1.0-P3 Avcs
No ratings yet
A10 5.1.0-P3 Avcs
80 pages
A10 4.1.4-GR1-P5 Aflex
No ratings yet
A10 4.1.4-GR1-P5 Aflex
438 pages
A10 Thunder Series and AX Series: ACOS 2.7.2-P7-SP3 22 December 2015
No ratings yet
A10 Thunder Series and AX Series: ACOS 2.7.2-P7-SP3 22 December 2015
360 pages
ACOS 5.0.0-P1 System Configuration and Administration Guide: For A10 Thunder Series 11 October 2019
No ratings yet
ACOS 5.0.0-P1 System Configuration and Administration Guide: For A10 Thunder Series 11 October 2019
320 pages
A10 Thunder WAFGuide-2014 04 30
No ratings yet
A10 Thunder WAFGuide-2014 04 30
136 pages
A10 Thunder Series and AX Series: Application Delivery and Server Load Balancing Guide
No ratings yet
A10 Thunder Series and AX Series: Application Delivery and Server Load Balancing Guide
684 pages
System Configuration and Administration Guide
No ratings yet
System Configuration and Administration Guide
576 pages
Application Delivery Controller
No ratings yet
Application Delivery Controller
834 pages
A10 Thunder AX 271-P2 CLI Ref-2013.08.05
No ratings yet
A10 Thunder AX 271-P2 CLI Ref-2013.08.05
1,084 pages
A10 5.0.1 Mas
No ratings yet
A10 5.0.1 Mas
88 pages
A10 Thunder AX 271-P2 Admin-2013.07.22
No ratings yet
A10 Thunder AX 271-P2 Admin-2013.07.22
602 pages
A10 5.1.0 Avcs
No ratings yet
A10 5.1.0 Avcs
80 pages
A10 LB
No ratings yet
A10 LB
246 pages
271-GR1 Rel 004
No ratings yet
271-GR1 Rel 004
236 pages
Web Application Firewall
No ratings yet
Web Application Firewall
194 pages
A10 Thunder AX 272P4 RelNote-2015 02 12
No ratings yet
A10 Thunder AX 272P4 RelNote-2015 02 12
242 pages
A10 Thunder AX 271-P2 GUI Ref-2013.08.05
No ratings yet
A10 Thunder AX 271-P2 GUI Ref-2013.08.05
494 pages
A10 4.1.1-P6 SLB Nov09 2017
No ratings yet
A10 4.1.1-P6 SLB Nov09 2017
706 pages
A10 Bare Metal Lib3.3
No ratings yet
A10 Bare Metal Lib3.3
38 pages
A10 TH3040 Lib6.4
No ratings yet
A10 TH3040 Lib6.4
40 pages
A10 Thunder AX 271-P2 AAM DDoS-2013.08.05
No ratings yet
A10 Thunder AX 271-P2 AAM DDoS-2013.08.05
222 pages
A10 Control Admin Guide: March, 2025
No ratings yet
A10 Control Admin Guide: March, 2025
2,099 pages
ACOS 5.1.0 Web Application Firewall Guide: For A10 Thunder Series 13 December 2019
No ratings yet
ACOS 5.1.0 Web Application Firewall Guide: For A10 Thunder Series 13 December 2019
186 pages
A10 Thunder AX 271-P2 RelNote-2013.08.05
No ratings yet
A10 Thunder AX 271-P2 RelNote-2013.08.05
484 pages
CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide (Nazmul Rajib) (Z-Library)
100% (3)
CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide (Nazmul Rajib) (Z-Library)
684 pages
CCNP and CCIE Enterprise Core & CCNP Advanced Routing Portable Command Guide All ENCOR (350-401) and ENARSI (300-410) PDF
100% (9)
CCNP and CCIE Enterprise Core & CCNP Advanced Routing Portable Command Guide All ENCOR (350-401) and ENARSI (300-410) PDF
950 pages
Cisco CCNA Lab Guide
90% (10)
Cisco CCNA Lab Guide
356 pages
Cisco Software Defined Access Networking PDF
100% (6)
Cisco Software Defined Access Networking PDF
687 pages
CiscoPress CCNP Enterprise Advanced Routing ENARSI 300 410 Official
100% (4)
CiscoPress CCNP Enterprise Advanced Routing ENARSI 300 410 Official
1,157 pages
Cisco CCNA Command Guide 3 in 1 - Beginner - Stuart Nicholas
100% (6)
Cisco CCNA Command Guide 3 in 1 - Beginner - Stuart Nicholas
378 pages
CCNA 200-301 Practice Exam Questions 2020
100% (8)
CCNA 200-301 Practice Exam Questions 2020
350 pages
CCIE Security v6 Technology Lab Guide
100% (2)
CCIE Security v6 Technology Lab Guide
561 pages
Cisco ACI Zero To Hero
100% (3)
Cisco ACI Zero To Hero
625 pages
MPLS L3VPN Networks
100% (2)
MPLS L3VPN Networks
82 pages
Cisco Certified DevNet Associate DEVASC 200 901 Official Cert Guide
No ratings yet
Cisco Certified DevNet Associate DEVASC 200 901 Official Cert Guide
678 pages
CCNA 200-301 Study Notes v1.3
80% (10)
CCNA 200-301 Study Notes v1.3
152 pages
Cisco Software Defined Access Book
100% (3)
Cisco Software Defined Access Book
349 pages
Chatterjee A. Deploying Juniper Data Centers With EVPN VXLAN 2024
100% (3)
Chatterjee A. Deploying Juniper Data Centers With EVPN VXLAN 2024
689 pages
300 620 CCNP Data Center Aci
100% (1)
300 620 CCNP Data Center Aci
1,348 pages
Service Provider Network Design and Architecture Perspective Book
No ratings yet
Service Provider Network Design and Architecture Perspective Book
307 pages
CiscoPress Cisco Data Center Fundamentals
100% (4)
CiscoPress Cisco Data Center Fundamentals
736 pages
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide
100% (4)
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide
1,175 pages
Lacoste R. CCNP Enterprise Advanced Routing ENARSI 300-410... Cert Guide 2ed 2023
No ratings yet
Lacoste R. CCNP Enterprise Advanced Routing ENARSI 300-410... Cert Guide 2ed 2023
2,990 pages
Full Notes CCIE Enterprise CCNP Encor
100% (8)
Full Notes CCIE Enterprise CCNP Encor
462 pages
Troubleshooting IP Routing Protocols
100% (1)
Troubleshooting IP Routing Protocols
913 pages
CCIE Enterprsie Course Material
100% (2)
CCIE Enterprsie Course Material
1,413 pages
TCP/IP
100% (15)
TCP/IP
286 pages
Cisco - FTD - Configuration and Troubleshooting Best Practices - Technet24
100% (1)
Cisco - FTD - Configuration and Troubleshooting Best Practices - Technet24
983 pages
CCIE Data Center Lab Guide
100% (1)
CCIE Data Center Lab Guide
40 pages
CCNPandCCIEEnterpriseCoreENCOR350 401ExamCram
100% (3)
CCNPandCCIEEnterpriseCoreENCOR350 401ExamCram
798 pages
CCNP Enterprise Advanced Routing ENARSI 300-410
85% (27)
CCNP Enterprise Advanced Routing ENARSI 300-410
1,100 pages
Zsiga Z Cisco Certified Design Expert CCDE 400 007 Official Cert Guide 2023
100% (2)
Zsiga Z Cisco Certified Design Expert CCDE 400 007 Official Cert Guide 2023
1,115 pages
CCIE Service Provider Fundamentals Workbook.v1.2
100% (6)
CCIE Service Provider Fundamentals Workbook.v1.2
211 pages
Vxlan Evpn
No ratings yet
Vxlan Evpn
170 pages
FMOS Installation and Configuration Guide
No ratings yet
FMOS Installation and Configuration Guide
171 pages
Getting Started Guide
No ratings yet
Getting Started Guide
102 pages
FireMon 9.8 Release Notes Summary
No ratings yet
FireMon 9.8 Release Notes Summary
17 pages
Firemon
No ratings yet
Firemon
48 pages
Firemon
100% (1)
Firemon
97 pages
FreeBSD 中文手册
No ratings yet
FreeBSD 中文手册
233 pages
MAD Mini Project Format 2022 PDF
No ratings yet
MAD Mini Project Format 2022 PDF
12 pages
Notice of Violation of IEEE Publication Principles "Evaluating Machine Learning Algorithms For Fake News Detection"
No ratings yet
Notice of Violation of IEEE Publication Principles "Evaluating Machine Learning Algorithms For Fake News Detection"
7 pages
SET-331. Micro Controller Based Refrigeration Control System
No ratings yet
SET-331. Micro Controller Based Refrigeration Control System
4 pages
React JS
No ratings yet
React JS
4 pages
Learning How To Use Pygame
No ratings yet
Learning How To Use Pygame
14 pages
Supplement111 112
No ratings yet
Supplement111 112
31 pages
Chapter 6 Enterprise Resource Planning
No ratings yet
Chapter 6 Enterprise Resource Planning
4 pages
Lesson 6. Zooming & Panning
No ratings yet
Lesson 6. Zooming & Panning
3 pages
Audio Headroom Essentials
No ratings yet
Audio Headroom Essentials
9 pages
Questions Bank With Answer Key
No ratings yet
Questions Bank With Answer Key
7 pages
Ix Messaging TM Client Applications Guide
No ratings yet
Ix Messaging TM Client Applications Guide
215 pages
Iot Gas Monitoring
No ratings yet
Iot Gas Monitoring
59 pages
Adaptive Health Management Information Systems: Concepts, Cases, & Practical Applications: Concepts, Cases, & Practical Applications
100% (26)
Adaptive Health Management Information Systems: Concepts, Cases, & Practical Applications: Concepts, Cases, & Practical Applications
23 pages
A Scoping Review of Computational Thinking Assessments in Higher Education
No ratings yet
A Scoping Review of Computational Thinking Assessments in Higher Education
46 pages
Slide 7 - Cost Estimation Static and Cocomo Basic
No ratings yet
Slide 7 - Cost Estimation Static and Cocomo Basic
22 pages
RFID Safety for School Transport
No ratings yet
RFID Safety for School Transport
1 page
NLUA Journal of IPR Vol1 Issue1
No ratings yet
NLUA Journal of IPR Vol1 Issue1
205 pages
A Modeling of A Dynamically Reconfigurable Processor Using SystemC
No ratings yet
A Modeling of A Dynamically Reconfigurable Processor Using SystemC
6 pages
Thermal Receipt Printer Manual
No ratings yet
Thermal Receipt Printer Manual
12 pages
Excel Project 2 Instructions
No ratings yet
Excel Project 2 Instructions
4 pages
AES and DES Performance Comparison
No ratings yet
AES and DES Performance Comparison
9 pages
LLMNR Attack
No ratings yet
LLMNR Attack
4 pages
Victim Announcement English
No ratings yet
Victim Announcement English
4 pages
DROID: A Large-Scale In-The-Wild Robot Manipulation Dataset
No ratings yet
DROID: A Large-Scale In-The-Wild Robot Manipulation Dataset
21 pages
CV Trajkovic Jelena
No ratings yet
CV Trajkovic Jelena
2 pages
IT Manager - Job Desc
No ratings yet
IT Manager - Job Desc
2 pages
Introducing The .NET-0 AFramework 4.0
No ratings yet
Introducing The .NET-0 AFramework 4.0
25 pages
Numerical Differentiation
No ratings yet
Numerical Differentiation
12 pages
Queuing Models and System Performance
No ratings yet
Queuing Models and System Performance
48 pages
Netbackup For Sybase
No ratings yet
Netbackup For Sybase
68 pages