Configuring a NAT Traffic Policy on an Inbound Interface

You can configure a NAT traffic policy on an inbound interface to perform NAT translation on user traffic.

Context

To perform NAT translation on user traffic on an inbound interface, configure a NAT traffic policy on the inbound interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure a traffic classification rule.
    1. Run either of the following commands to create an ACL and enter the ACL view:

      • For a basic ACL (numbered from 2000 to 2999), run the acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ] command.

      • For an advanced ACL (numbered from 3000 to 3999), run the acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ] command.

    2. Run either of the following commands to create an ACL rule:

      • For a basic ACL (numbered from 2000 to 2999), run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name ] *

      • For an advanced ACL (numbered from 3000 to 3999), run:
        1. If TCP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established |{ ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        2. If UDP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        3. If ICMP is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        4. If a protocol other than the preceding ones is used, run:

          rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

      ACL rules are matched against the source IP addresses of packets. To add rules to an ACL, repeat Step 2.b.

      The rules in an ACL are matched in depth-first order (when auto is configured) or in configuration order (when config is configured). By default, rules are matched in configuration order (config).

      When an ACL rule is associated with an instance, the address wildcard of the ACL rule must be a mask in consecutive mode (its 0s and 1s each form a single consecutive run, such as 255.255.255.0), not a mask in non-consecutive mode (0s and 1s interleaved, such as 255.0.255.0).

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  3. Configure a traffic classifier.
    1. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is configured, and the traffic classifier view is displayed.

    2. Run if-match acl acl-number

      A matching rule for multi-field (MA) traffic classification based on an ACL is configured.

      To add rules to an ACL, repeat this step.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  4. Configure a traffic behavior.
    1. Run traffic behavior behavior-name

      A traffic behavior is configured, and the traffic behavior view is displayed.

    2. Run nat bind instance instance-name

      A traffic behavior is bound to a NAT instance.

      The nat bind instance and redirect ip-nexthop commands are mutually exclusive.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  5. Configure a traffic policy.
    1. Run traffic policy policy-name

      A traffic policy is configured, and the traffic policy view is displayed.

    2. Run classifier classifier-name behavior behavior-name

      A traffic behavior is specified for a specified traffic classifier in the traffic policy.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  6. Apply the traffic policy to an interface.

    Apply the traffic policy to a user-side Layer 3 interface.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run traffic-policy policy-name inbound [ link-layer | all-layer | mpls-layer ]

      A traffic policy is applied to the interface.

    3. Run commit

      The configuration is committed.

    Apply the traffic policy to a user-side Layer 2 Ethernet interface that is added to a VLAN.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run portswitch

      The Layer 3 interface is switched to the Layer 2 mode.

    3. Run port link-type { access | dot1q-tunnel | hybrid | trunk }

      An interface attribute is set for the Layer 2 Ethernet interface.

      The default interface type is hybrid.

    4. Run either of the following commands to add an interface to a VLAN:

      • For an access or QinQ interface:

        1. Run the port default vlan vlan-id command to add the interface to the VLAN.

          To add interfaces to a VLAN in a batch, run the port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the VLAN view.

          interface-number2 must be greater than interface-number1. interface-number2 and interface-number1 must specify the same type of interface. Interfaces in the range defined by interface-number2 and interface-number1 must exist.

          In one port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command, the to keyword can be used a maximum of 10 times, defining up to 10 port ranges.

      • For a hybrid interface:

        1. Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the interface to the VLAN.

        2. (Optional) Run the port default vlan vlan-id command to specify a default VLAN for the trunk interface.

    5. Run traffic-policy policy-name inbound vlan { all | vlan-id1 [ to vlan-id2 ] } [ link-layer | all-layer | mpls-layer ]

      A traffic policy is applied to the Layer 2 interface.

    6. Run commit

      The configuration is committed.
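The complete command sequence of Steps 1 to 6, rendered by a small Python helper, as an added example that is not part of this Huawei documentation page. The helper also implements the consecutive-mode check from Step 2 (an ACL wildcard bound to a NAT instance must have its 1-bits in a single trailing run) and rejects a rule that would fail it. The classifier, behavior and policy names (c_nat, b_nat, p_nat), the NAT instance name nat1 (assumed to exist already), the interface GigabitEthernet0/1/0 and the subnet 10.1.1.0/24 are all constructed sample values; passing vlan_id switches the output from the Layer 3 path to the Layer 2 (VLAN) path of Step 6.

```python
import ipaddress
from typing import List, Optional


def wildcard_is_consecutive(wildcard: str) -> bool:
    """Return True when the ACL wildcard is in consecutive mode.

    A consecutive wildcard has all of its 1-bits in one trailing run
    (0.0.0.255, i.e. subnet mask 255.255.255.0). An interleaved wildcard
    such as 0.255.0.255 (mask 255.0.255.0) is non-consecutive and must
    not be used in a rule that is bound to a NAT instance.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    # For a trailing run of 1-bits, w + 1 is a power of two, so w & (w + 1) == 0.
    return (w & (w + 1)) == 0


def build_nat_policy_config(
    acl_number: int,
    source_network: str,
    source_wildcard: str,
    nat_instance: str,
    interface: str,
    vlan_id: Optional[int] = None,
    classifier: str = "c_nat",
    behavior: str = "b_nat",
    policy: str = "p_nat",
) -> List[str]:
    """Render the command sequence of Steps 1-6 as a list of CLI lines.

    The classifier/behavior/policy names and the NAT instance name are
    assumptions (hypothetical); the NAT instance itself must already exist.
    With vlan_id=None the policy is applied to a Layer 3 interface; with a
    VLAN ID the Layer 2 path (portswitch, access port, VLAN) is rendered.
    """
    if not 2000 <= acl_number <= 2999:
        raise ValueError("basic ACL numbers range from 2000 to 2999")
    if not wildcard_is_consecutive(source_wildcard):
        raise ValueError(f"wildcard {source_wildcard} is not in consecutive mode")

    lines = [
        "system-view",
        # Step 2: basic ACL with one source-address rule.
        f"acl number {acl_number}",
        f" rule 5 permit source {source_network} {source_wildcard}",
        " commit",
        " quit",
        # Step 3: classifier matching the ACL.
        f"traffic classifier {classifier} operator or",
        f" if-match acl {acl_number}",
        " commit",
        " quit",
        # Step 4: behavior bound to the NAT instance.
        f"traffic behavior {behavior}",
        f" nat bind instance {nat_instance}",
        " commit",
        " quit",
        # Step 5: policy tying the classifier to the behavior.
        f"traffic policy {policy}",
        f" classifier {classifier} behavior {behavior}",
        " commit",
        " quit",
        # Step 6: apply the policy inbound on the user-side interface.
        f"interface {interface}",
    ]
    if vlan_id is None:
        lines.append(f" traffic-policy {policy} inbound")
    else:
        lines += [
            " portswitch",
            " port link-type access",
            f" port default vlan {vlan_id}",
            f" traffic-policy {policy} inbound vlan {vlan_id}",
        ]
    lines.append(" commit")
    return lines


if __name__ == "__main__":
    # Constructed sample values: private subnet, placeholder instance and interface names.
    for line in build_nat_policy_config(
        2000, "10.1.1.0", "0.0.0.255", "nat1", "GigabitEthernet0/1/0"
    ):
        print(line)
```

Run the file to print the Layer 3 variant; call build_nat_policy_config with vlan_id=10 to see the Layer 2 variant. The wildcard check is done before any line is rendered so that a rule the NAT binding would reject never reaches the device.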

Copyright © Huawei Technologies Co., Ltd.