nat reverse-session-limit (NAT instance view)

Function

The nat reverse-session-limit command enables the limitation on the number of established network-to-user IP sessions.

The undo nat reverse-session-limit command disables the limitation on the number of established network-to-user IP sessions.

By default, the limitation on the number of established network-to-user IP sessions is enabled. The default maximum number of network-to-user IP sessions for each user, per protocol and for all three protocols together, is as follows:

  • TCP or UDP: 10240
  • ICMP: 512
  • Sum of TCP, UDP and ICMP: 8192. If a maximum number of NAT sessions for all protocols is set, that setting takes precedence over the setting for a specific protocol type.

This command is supported only on the NetEngine 8000 F1A.

Format

nat reverse-session-limit { enable | tcp session-number | udp session-number | icmp session-number | total session-number }

undo nat reverse-session-limit { enable | { tcp | udp | icmp | total } [ session-number ] }

Parameters

Parameter: enable
Description: Enables the limitation on the number of established network-to-user IP sessions.
Value: -

Parameter: tcp session-number
Description: Indicates the maximum number of TCP network-to-user IP sessions for each user.
Value: The value is an integer ranging from 1 to 65535.

Parameter: udp session-number
Description: Indicates the maximum number of UDP network-to-user IP sessions for each user.
Value: The value is an integer ranging from 1 to 65535.

Parameter: icmp session-number
Description: Indicates the maximum number of ICMP network-to-user IP sessions for each user.
Value: The value is an integer ranging from 1 to 65535.

Parameter: total session-number
Description: Indicates the maximum number of all network-to-user IP sessions for each user. If the total number of TCP, UDP, and ICMP network-to-user IP sessions for each user reaches the maximum number, NAT cannot be performed even if the number of TCP, UDP, or ICMP network-to-user IP sessions for each user has not reached the maximum number.
Value: The value is an integer ranging from 1 to 65535.

Views

NAT instance view

Default Level

2: Configuration level

Task Name and Operations

Task Name: nat
Operations: write

Usage Guidelines

Usage Scenario

Unauthorized users may deliberately exhaust a device's network-to-user session resources, leaving no NAT sessions available to authorized users. To prevent this problem, set a maximum number of network-to-user IP sessions per user.

Precautions

After the number of network-to-user IP sessions established for a specific user reaches the upper limit, no more sessions can be established for the user. After existing NAT sessions age and the number of established network-to-user IP sessions falls below the upper limit, new sessions can be established for the user.

To enable the limitation on the number of established network-to-user IP sessions, run the nat reverse-session-limit enable command. The configured maximum number of network-to-user IP sessions that can be established can take effect only after the nat reverse-session-limit enable command is run.
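The following is an added model of the behaviour described in these usage guidelines; it is not Huawei code and does not reflect the device's internal implementation. It shows the per-user, per-protocol caps, the total cap refusing a session even when the per-protocol counter is below its own limit, the limit having no effect while disabled, and capacity returning once sessions age out. Class and method names, the single aging timeout and the sample inside addresses are all invented for the example; only the default values and the 1 to 65535 range come from this page.

```python
from collections import Counter
from dataclasses import dataclass

# Defaults stated on this page: TCP/UDP 10240, ICMP 512, all protocols 8192.
DEFAULT_LIMITS = {"tcp": 10240, "udp": 10240, "icmp": 512, "total": 8192}
PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass
class Session:
    user: str        # inside host the network-to-user session was opened towards
    proto: str       # "tcp", "udp" or "icmp"
    created: float   # timestamp used for aging (constructed model of session aging)


class ReverseSessionLimiter:
    """Hypothetical per-user limiter for network-to-user (reverse) NAT sessions."""

    def __init__(self, enabled=True, limits=None, aging_timeout=60.0):
        self.enabled = enabled                 # nat reverse-session-limit enable
        self.limits = dict(DEFAULT_LIMITS)
        for proto, n in (limits or {}).items():
            self.set_limit(proto, n)
        self.aging_timeout = aging_timeout     # assumption: one timeout for all protocols
        self.sessions = []

    def set_limit(self, proto, session_number):
        """nat reverse-session-limit { tcp | udp | icmp | total } session-number"""
        if proto not in DEFAULT_LIMITS:
            raise ValueError(f"unknown protocol key {proto!r}")
        if not 1 <= session_number <= 65535:   # range given on this page
            raise ValueError("session-number must be an integer from 1 to 65535")
        self.limits[proto] = session_number

    def undo_limit(self, proto):
        """undo nat reverse-session-limit { tcp | udp | icmp | total }: back to the default"""
        self.limits[proto] = DEFAULT_LIMITS[proto]

    def counts(self, user):
        """Established sessions for one user, per protocol plus the total."""
        c = Counter(s.proto for s in self.sessions if s.user == user)
        c["total"] = sum(c[p] for p in PROTOCOLS)
        return c

    def age_out(self, now):
        """Drop sessions older than the aging timeout; return how many were removed."""
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if now - s.created < self.aging_timeout]
        return before - len(self.sessions)

    def try_create(self, user, proto, now):
        """Admit a new network-to-user session for `user`, or refuse it.

        Both the per-protocol cap and the total cap are checked, so a user at the
        total limit is refused even if the per-protocol counter is still below its
        own limit, which is what this page states for `total`.
        """
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        self.age_out(now)
        if self.enabled:
            c = self.counts(user)
            if c[proto] >= self.limits[proto] or c["total"] >= self.limits["total"]:
                return False
        self.sessions.append(Session(user, proto, now))
        return True


def demo():
    """Walk through the behaviours described in the usage guidelines."""
    lim = ReverseSessionLimiter(limits={"tcp": 3, "total": 4}, aging_timeout=10.0)
    host = "10.0.0.5"   # constructed inside address
    out = {}
    out["tcp_first_three"] = [lim.try_create(host, "tcp", now=0.0) for _ in range(3)]
    out["tcp_fourth"] = lim.try_create(host, "tcp", now=1.0)        # per-protocol cap hit
    out["udp_fourth_total"] = lim.try_create(host, "udp", now=1.0)  # fourth session, total cap is 4
    out["icmp_over_total"] = lim.try_create(host, "icmp", now=2.0)  # refused: total reached
    out["other_host"] = lim.try_create("10.0.0.6", "icmp", now=2.0) # limits are per user
    out["aged"] = lim.age_out(now=10.5)                             # only the three t=0 TCP sessions aged
    out["tcp_after_aging"] = lim.try_create(host, "tcp", now=10.5)  # capacity is available again
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `total` check is what makes the ICMP request above fail: the user has only four sessions, none of which are ICMP, yet the sum has reached the configured total. With `enabled=False` the same limiter admits every request, matching the note that configured maximums take effect only once the limitation is enabled.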

Example

# Set the maximum number of network-to-user TCP sessions that can be established to 20000 in a NAT instance named cpe1.
<HUAWEI> system-view
[~HUAWEI] nat instance cpe1 id 1
[*HUAWEI-nat-instance-cpe1] nat reverse-session-limit tcp 20000

# Enable the limitation on the number of established network-to-user IP sessions in a NAT instance named cpe1.
<HUAWEI> system-view
[~HUAWEI] nat instance cpe1 id 1
[*HUAWEI-nat-instance-cpe1] nat reverse-session-limit enable
Copyright © Huawei Technologies Co., Ltd.