Configuring a NAT64 Traffic Distribution Policy

You can configure a NAT64 traffic distribution policy to distribute user traffic to NAT64 service boards for translation.

Context

A service board does not provide any interfaces. Therefore, an interface board must distribute user traffic to a service board for NAT64 treatment. You can configure a traffic distribution policy to distribute the packets matching the traffic distribution policy to the NAT64 service board.

Procedure

  1. Configure a traffic classification rule.
    1. Run system-view

      The system view is displayed.

    2. Run either of the following commands:

      • For a basic ACL numbered from 2000 to 2999, run the acl ipv6 { name basic-acl6-name basic | [ number ] basic-acl6-number } [ match-order { config | auto } ] command.

      • For an advanced ACL numbered from 3000 to 3999, run the acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ] command.

    3. Run either of the following commands to create an ACL rule:

      • For a basic ACL numbered from 2000 to 2999, run the rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name ] command.

      • For an advanced ACL numbered from 3000 to 3999:
        1. If TCP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established |{ ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ]

        2. If UDP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ]

        3. If ICMP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        4. If a protocol other than the preceding ones is used, run:

          rule [ rule-id ] [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

      A source IP address is usually configured in an ACL rule.

      To add multiple rules to an ACL, repeat substep 3 (creating an ACL rule).

    4. Run commit

      The configuration is committed.

    5. Run quit

      Return to the system view.

  2. Configure a traffic classifier.
    1. Run system-view

      The system view is displayed.

    2. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is configured, and the traffic classifier view is displayed.

    3. Run if-match ipv6 acl acl-number

      A matching rule for multi-field (MF) traffic classification based on an ACL is configured.

      To configure multiple matching rules based on ACLs, repeat substep 3 (the if-match command). Traffic matching the ACL rule must have destination addresses that carry the prefix defined in the NAT64 instance.

    4. Run commit

      The configuration is committed.

    5. Run quit

      Return to the system view.

  3. Configure a traffic behavior.
    1. Run system-view

      The system view is displayed.

    2. Run traffic behavior behavior-name

      A traffic behavior is configured, and the traffic behavior view is displayed.

    3. Run nat64 bind instance instance-name

      The traffic behavior is bound to a NAT64 instance.

    4. Run commit

      The configuration is committed.

    5. Run quit

      Return to the system view.

  4. Configure a traffic policy.
    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name

      A traffic policy is configured, and the traffic policy view is displayed.

    3. Run classifier classifier-name behavior behavior-name

      A traffic behavior is associated with the specified traffic classifier in the traffic policy.

    4. Run commit

      The configuration is committed.

    5. Run quit

      Return to the system view.

  5. Apply the traffic policy to an interface.

    • In centralized NAT64 scenarios, apply the traffic policy to Layer 3 interfaces for Layer 3 traffic sent by the network side.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run traffic-policy policy-name inbound [ link-layer | all-layer | mpls-layer ]

      A traffic policy is applied to an interface.

    4. Run commit

      The configuration is committed.

    • In centralized NAT64 scenarios, apply the traffic policy to Layer 2 VLANIF member interfaces for VLAN traffic sent by the network side.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run portswitch

      The Layer 3 interface is switched to a Layer 2 interface.

    4. Run traffic-policy policy-name inbound vlan { all | vlan-id1 [ to vlan-id2 ] } [ link-layer | all-layer | mpls-layer ]

      A traffic policy is applied to the Layer 2 interface.

    5. Run commit

      The configuration is committed.
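
The five steps above, run end to end for the Layer 3 case, as an added example that is not part of the original Huawei page. All values are constructed assumptions: ACL number 3000, the names c-nat64, b-nat64 and p-nat64, an existing NAT64 instance named nat64-1 that uses prefix 64:ff9b::/96, user prefix 2001:db8:100::/48, and interface GigabitEthernet0/1/0. Lines starting with # are annotations, not commands.

```text
# Step 1: advanced ACL that matches only the known user prefix when it
# sends to the NAT64 prefix (constructed addresses).
system-view
acl ipv6 number 3000
rule 5 permit ipv6 source 2001:db8:100:: 48 destination 64:ff9b:: 96
commit
quit

# Step 2: classifier that references the ACL.
traffic classifier c-nat64 operator or
if-match ipv6 acl 3000
commit
quit

# Step 3: behavior bound to the (assumed, pre-existing) NAT64 instance.
traffic behavior b-nat64
nat64 bind instance nat64-1
commit
quit

# Step 4: policy that pairs the classifier with the behavior.
traffic policy p-nat64
classifier c-nat64 behavior b-nat64
commit
quit

# Step 5: apply inbound on the Layer 3 interface that receives user traffic.
interface GigabitEthernet0/1/0
traffic-policy p-nat64 inbound
commit
```

Restricting the rule to the user source prefix and the NAT64 destination prefix, rather than using any, keeps unrelated traffic off the service board and limits translation to the address space that is meant to use it.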

Copyright © Huawei Technologies Co., Ltd.