9.6. Rules

NAT rules specify which subscriber group the subscribers from a given subnet belong to. Traffic from subscribers that no rule assigns to a subscriber group is dropped.

nat rule subnet A.B.C.D/M subscriber-group NAME [vrf NAME]
nat64 rule subnet X:X::X:X/M subscriber-group NAME [vrf NAME]

Add a standard NAT rule. After this command is executed, subscribers from the subnet given by the subnet A.B.C.D/M option are assigned to the subscriber group given by the subscriber-group NAME option. The vrf NAME option specifies the VRF in which the rule is created; without it, the rule is created in the default VRF.

nat rule subnet A.B.C.D/M passthrough [vrf NAME]
nat64 rule subnet X:X::X:X/M passthrough [vrf NAME]

Add a passthrough NAT rule. Traffic of subscribers that fall under this rule is processed without address translation, session creation, limit tracking, etc. If you need to pass subscriber traffic without translation but still monitor sessions and enforce limits, use a standard NAT rule with a subscriber group specified and don’t assign any public address pool to that group.

If a new rule’s subnet overlaps existing rules, the most specific rule is applied, just as in routing. For example, with rules for the subnets 100.64.0.0/24 and 100.64.0.128/25, the second rule is applied to the subscriber 100.64.0.129.

If a new rule’s subnet exactly matches that of an existing rule, the existing rule is replaced with the new one.
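The rule-selection semantics above (most specific subnet wins, an identical subnet replaces the existing rule, passthrough rules, and drop when nothing matches), modelled in Python as an added illustration; this is not the product’s own code, and the class and method names are assumptions.

```python
# Added example: models NAT rule selection as documented above.
# Class/method names and the data layout are assumptions, not the product's API.
import ipaddress

DROP = "drop"               # no rule matched: subscriber traffic is dropped
PASSTHROUGH = "passthrough"  # 'nat rule subnet ... passthrough'


class NatRuleTable:
    def __init__(self):
        # keyed by (vrf, network); value is a subscriber-group name or PASSTHROUGH
        self._rules = {}

    def add_rule(self, subnet, action, vrf="default"):
        """'nat rule subnet X subscriber-group NAME' or 'nat rule subnet X passthrough'."""
        net = ipaddress.ip_network(subnet, strict=True)
        # An exactly matching subnet replaces the existing rule instead of duplicating it.
        self._rules[(vrf, net)] = action

    def delete_rule(self, subnet, vrf="default"):
        self._rules.pop((vrf, ipaddress.ip_network(subnet, strict=True)), None)

    def rule_count(self):
        return len(self._rules)

    def lookup(self, subscriber_ip, vrf="default"):
        """Return the action for a subscriber: a group name, PASSTHROUGH, or DROP."""
        ip = ipaddress.ip_address(subscriber_ip)
        best = None
        for (rule_vrf, net), action in self._rules.items():
            # A rule in another VRF or of another address family never matches.
            if rule_vrf != vrf or net.version != ip.version or ip not in net:
                continue
            # Longest prefix (most specific subnet) wins, as with routing.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
        return best[1] if best is not None else DROP
```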

Creating and changing rules also affects existing subscribers: if at some point rule A is replaced by a new rule B, all existing subscriber sessions keep working according to rule A, while all new subscriber sessions are created according to rule B.

Deleting a rule affects only new connections established by subscribers from the subnet; the existing sessions of such subscribers continue to be processed. To also remove the current sessions, use the clear nat sessions int-ip A.B.C.D command.