The nat bind acl command binds a NAT instance to an ACL on a specified interface.
The undo nat bind acl command removes the binding between a NAT instance and an ACL on a specified interface.
By default, no NAT instance is bound to an ACL on an interface.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value |
---|---|---|
name acl-name | Specifies the name of an ACL. | The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces. |
mode | Specifies the packet forwarding mode. | - |
deny-forward | Transparently transmits traffic matching an ACL deny rule. If the mode deny-forward parameter is configured, traffic matching the ACL deny rule is transparently transmitted. | - |
instance instance-name | Specifies the name of a NAT instance. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
precedence precedence-index | Specifies a precedence index. The smaller the precedence value, the higher the precedence. | The value is an integer that ranges from 0 to 8191. |
acl acl-index | Specifies an ACL index. | The value is an integer. Basic ACLs are numbered from 2000 to 2999, and advanced ACLs are numbered from 3000 to 3999. |
100GE-Trunk member interface view, 100GE interface view, 10G LAN interface view, 10G WAN interface view, Eth-Trunk sub-interface view, Eth-Trunk member Layer 3 interface view, Eth-Trunk member interface view, Eth-Trunk interface view, Eth-Trunk interface view, GE-Trunk member Layer 3 interface view, GE-Trunk member interface view, Layer 3 GE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Serial-Trunk member interface view, VBDIF interface view, VLANIF interface view, XGE interface view
Usage Scenario
To bind a NAT instance to an ACL on a specified interface, run the nat bind acl command. The command helps direct traffic to a service board for NAT processing.
The device processes traffic matching an ACL deny rule as follows:
Prerequisites
ACL rules have been configured.
Precautions
In VS mode, this command is supported only by the admin VS.
```
<HUAWEI> system-view
[~HUAWEI] acl number 3000
[*HUAWEI-acl-adv-3000] rule 1 permit source 10.1.1.0 0.0.0.255
[*HUAWEI-acl-adv-3000] commit
[~HUAWEI-acl-adv-3000] quit
[~HUAWEI] nat instance cpe1 id 1
[~HUAWEI-nat-instance-cpe1] commit
[~HUAWEI-nat-instance-cpe1] quit
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] nat bind acl 3000 instance cpe1
```
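The following Python audit is an added example, not Huawei code: it checks each nat bind acl line in a saved configuration against the value ranges in the parameter table and the ACL prerequisite, and flags mode deny-forward bindings for review. Assumptions: the function name audit is hypothetical, options are read as keyword/value pairs after the ACL reference, the "acl name" definition form is assumed, and the check that the NAT instance exists is inferred from the example session rather than stated on the page.

```python
import shlex
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
acl number 3000
 rule 1 permit source 10.1.1.0 0.0.0.255
nat instance cpe1 id 1
interface GigabitEthernet0/1/1
 nat bind acl 3000 instance cpe1
interface GigabitEthernet0/1/2
 nat bind acl 3001 instance cpe2 precedence 9000 mode deny-forward
"""

def audit(config):
    """Return a list of (interface, problem) findings for nat bind acl lines."""
    lines = [l.strip() for l in config.splitlines()]
    # "acl number N" is the form shown on the page; "acl name X" is assumed.
    acls = {l.split()[2] for l in lines if l.startswith(("acl number ", "acl name "))}
    insts = {shlex.split(l)[2] for l in lines if l.startswith("nat instance ")}
    findings, iface = [], None
    for line in lines:
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        if not line.startswith("nat bind acl "):
            continue
        tok = shlex.split(line)[3:]              # shlex keeps "quoted names" whole
        named = tok[0] == "name" and len(tok) > 1
        acl, rest = (tok[1], tok[2:]) if named else (tok[0], tok[1:])
        opts = dict(zip(rest[::2], rest[1::2]))  # keyword/value pairs (assumed grammar)
        problems = []
        if named and len(acl) > 64:
            problems.append("ACL name longer than 64 characters")
        if not named and not (acl.isdecimal() and 2000 <= int(acl) <= 3999):
            problems.append(f"ACL index {acl} outside 2000-3999")
        if acl not in acls:
            problems.append(f"ACL {acl} is not defined (prerequisite)")
        inst = opts.get("instance", "")
        if not 1 <= len(inst) <= 31:
            problems.append("instance name missing or longer than 31 characters")
        elif inst not in insts:                  # assumed check, see lead-in
            problems.append(f"NAT instance {inst} is not defined")
        prec = opts.get("precedence")
        if prec is not None and not (prec.isdecimal() and int(prec) <= 8191):
            problems.append(f"precedence {prec} outside 0-8191")
        if opts.get("mode") == "deny-forward":
            problems.append("deny-forward: traffic matching ACL deny rules is transparently transmitted")
        findings += [(iface, p) for p in problems]
    return findings
if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```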