exclude-port (NAT instance view)

Function

The exclude-port command enables a device to filter out packets with a specified port number or a specified range of port numbers.

The undo exclude-port command disables a device from filtering out packets with a specified port number or a specified range of port numbers.

By default, no port or port range is filtered.

This command is supported only on the NetEngine 8000 F1A.

Format

exclude-port { port [ to port ] } &<1-10>

undo exclude-port { port [ to port ] } &<1-10>

undo exclude-port all

Parameters

Parameter | Description | Value
port | Specifies a single port number, or the start port number of a port range. The start port number must be less than the end port number. | The value is an integer ranging from 1 to 65535.
to port | Specifies the end port number of a port range. The start port number must be less than the end port number. | The value is an integer ranging from 1 to 65535.
all | Deletes all filtered port numbers. | -

Views

NAT instance view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
nat | write

Usage Guidelines

Usage Scenario

To maintain network security and prevent virus intrusion, deploy the port filtering function for NAT services. The function prevents a filtered port from being selected as the translated port after NAT.

Configuration Impact

If the exclude-port command is run more than once, all of the configured port lists take effect. After the exclude-port command is run, the filtered ports in the NAT instance view are displayed in ascending order, and consecutive ports are combined into a single range. For example, the exclude-port 1 2 3 4 5 command is displayed as exclude-port 1 to 5.

Precautions

  • The exclude-port command can be run with a maximum of 10 parameters.
  • Before running the exclude-port command, note the following points:
    • Ports used by a port-level NAT server cannot be filtered. If a public network port has been filtered, the filtered port cannot be used for a port-level NAT server.
    • When configuring or deleting filtered ports, the exclude-port command cannot be run if the specified port list overlaps an existing filtered port list.
  • After the exclude-port command is run in a NAT instance, flow tables that use the specified filtered ports are aged rapidly. After the flow tables age, new traffic cannot be assigned these ports.
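As an added illustration, not Huawei's code, the following Python model reproduces the rules from Configuration Impact and Precautions: it parses the exclude-port argument list, enforces the 1 to 65535 range, the start-less-than-end rule and the 10-parameter limit, rejects a list that overlaps ports already filtered, and renders the merged ascending form the NAT instance view displays. Function names and the (start, end) tuple representation are this example's own assumptions.

```python
PORT_MIN, PORT_MAX = 1, 65535
MAX_PARAMS = 10  # exclude-port accepts at most 10 port / port-range parameters per run


def parse_exclude_port(args: str) -> list[tuple[int, int]]:
    """Parse 'exclude-port { port [ to port ] } &<1-10>' arguments into (start, end) tuples."""
    tokens, ranges, i = args.split(), [], 0
    while i < len(tokens):
        start = end = int(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by an end port")
            end, i = int(tokens[i + 1]), i + 2
            if start >= end:  # the start port number must be less than the end port number
                raise ValueError(f"start port {start} is not less than end port {end}")
        if not (PORT_MIN <= start <= PORT_MAX and PORT_MIN <= end <= PORT_MAX):
            raise ValueError(f"port outside {PORT_MIN}-{PORT_MAX}: {start} to {end}")
        ranges.append((start, end))
    if len(ranges) > MAX_PARAMS:
        raise ValueError(f"at most {MAX_PARAMS} parameters allowed, got {len(ranges)}")
    return ranges

def has_overlap(ranges: list[tuple[int, int]]) -> bool:
    """True if two filtered port lists share a port (the command is rejected in that case)."""
    s = sorted(ranges)
    return any(s[k][1] >= s[k + 1][0] for k in range(len(s) - 1))

def merge_ranges(ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Display form: ascending order with consecutive ports combined into one range."""
    merged: list[tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def apply_exclude_port(existing: list[tuple[int, int]], args: str) -> list[tuple[int, int]]:
    """Model one run of exclude-port against the ports already filtered in the NAT instance."""
    new = parse_exclude_port(args)
    if has_overlap(existing + new):
        raise ValueError("port list overlaps an existing filtered port list")
    return merge_ranges(existing + new)

def format_exclude_port(ranges: list[tuple[int, int]]) -> str:
    """Render the list as the NAT instance view displays it, e.g. 'exclude-port 1 to 10'."""
    return "exclude-port " + " ".join(str(s) if s == e else f"{s} to {e}" for s, e in ranges)
```

Running apply_exclude_port([], "1 2 3 4 to 10") and formatting the result yields exclude-port 1 to 10, matching the combined display described above.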

Example

# Enable a device to filter ports 1 to 10 in the NAT instance view.
<HUAWEI> system-view
[~HUAWEI] nat instance cpe1 id 1
[*HUAWEI-nat-instance-cpe1] exclude-port 1 2 3 4 to 10
Warning: Excluded ports cannot be used by sessions, and the total number of available ports in a NAT pool will decrease. Continue? [Y/N]: Y
Copyright © Huawei Technologies Co., Ltd.