nat64 reverse-session-limit

Function

The nat64 reverse-session-limit command sets the maximum number of reverse (IPv4-to-IPv6) sessions for a specific IP protocol or for all three IP protocols combined.

The undo nat64 reverse-session-limit command restores the default maximum numbers.

By default, the maximum number of reverse IP sessions for each user, for a specific protocol or for all three protocols, is as follows:

  • TCP or UDP: 10240
  • ICMP: 512
  • Total of TCP, UDP, and ICMP: 8192

If the total parameter is set, it takes precedence over the per-protocol limits.

This command is supported only on the NetEngine 8000 F1A.

Format

nat64 reverse-session-limit { tcp limit-number | udp limit-number | icmp limit-number | total limit-number }

undo nat64 reverse-session-limit { { tcp | udp | icmp | total } [ limit-number ] }

Parameters

tcp limit-number
  • Description: Indicates the maximum number of TCP reverse IP sessions for each user.
  • Value: The value is an integer ranging from 50 to 65535.

udp limit-number
  • Description: Indicates the maximum number of UDP reverse IP sessions for each user.
  • Value: The value is an integer ranging from 50 to 65535.

icmp limit-number
  • Description: Indicates the maximum number of ICMP reverse IP sessions for each user.
  • Value: The value is an integer ranging from 50 to 65535.

total limit-number
  • Description: Indicates the maximum number of all reverse IP sessions for each user. If the total number of TCP, UDP, and ICMP reverse IP sessions for each user reaches the upper limit, NAT cannot be performed even if the number of TCP, UDP, or ICMP reverse IP sessions for each user has not reached the maximum number.
  • Value: The value is an integer ranging from 50 to 65535.

Views

NAT64 instance view

Default Level

2: Configuration level

Task Name and Operations

  • Task name: nat
  • Operations: write

Usage Guidelines

Usage Scenario

Reverse sessions are sessions initiated from IPv4-side devices to IPv6-side devices. Unauthorized users may consume a large number of reverse session resources to attack devices, which can leave no NAT64 sessions available to authorized users. To prevent this problem, run the nat64 reverse-session-limit command to limit the number of sessions that can be used.

Prerequisites

The device has been enabled to monitor the number of reverse IP sessions in a specified NAT64 instance.

Configuration Impact

When the number of reverse NAT64 sessions of a user reaches the specified upper limit, no more sessions can be established. New NAT64 sessions can be established only after the number of reverse NAT64 sessions falls below the threshold.

Example

# Set the maximum number of reverse TCP sessions that can be established to 2000 in a NAT64 instance named cpe1.
<HUAWEI> system-view
[~HUAWEI] nat64 instance cpe1 id 1
[*HUAWEI-nat64-instance-cpe1] nat64 reverse-session-limit tcp 2000
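
The following Python model is an added example, not Huawei code or device output. It sketches the per-user admission behaviour described under Parameters and Configuration Impact, using the default values from the Function section; the class and function names, the use of a source address string as the user key, and the order of the two checks are assumptions.

```python
from collections import Counter

LIMIT_RANGE = range(50, 65536)   # valid limit-number values stated on this page
DEFAULTS = {"tcp": 10240, "udp": 10240, "icmp": 512, "total": 8192}


class ReverseSessionLimiter:
    """Hypothetical model of per-user reverse (IPv4-to-IPv6) session admission."""

    def __init__(self, **limits):
        for name, value in limits.items():
            if name not in DEFAULTS:
                raise ValueError(f"unknown limit: {name}")
            if value not in LIMIT_RANGE:
                raise ValueError(f"{name} limit {value} is outside 50-65535")
        self.limits = {**DEFAULTS, **limits}
        self.sessions = {}       # user key -> Counter of live sessions per protocol

    def open(self, user, proto):
        """Return (admitted, reason); the session is counted only when admitted."""
        live = self.sessions.setdefault(user, Counter())
        # Assumed order: the total limit is checked first because it takes precedence.
        if sum(live.values()) >= self.limits["total"]:
            return False, "total"
        if live[proto] >= self.limits[proto]:
            return False, proto
        live[proto] += 1
        return True, None

    def close(self, user, proto):
        """Release one session so the user falls back below the limit."""
        live = self.sessions.get(user, Counter())
        if live[proto] > 0:
            live[proto] -= 1


def simulate(limiter, user, proto, attempts):
    """Try to open `attempts` sessions; return (admitted count, first refusal reason)."""
    admitted, first_reason = 0, None
    for _ in range(attempts):
        ok, reason = limiter.open(user, proto)
        admitted += ok
        if not ok and first_reason is None:
            first_reason = reason
    return admitted, first_reason
```

With the page's defaults, a single user opening only TCP sessions is stopped by the total limit (8192) before the TCP limit (10240) is reached, which is worth keeping in mind when raising a per-protocol value without adjusting total.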
Copyright © Huawei Technologies Co., Ltd.