9.15. Show and Clear Commands
Below is a list of show and clear commands broken down into blocks. There is a description for each show command. Clear commands whose meaning is obvious from the command itself are listed without a description.
- show <nat|nat64> counters [vrf NAME]
Display the information about the current system load (Counter, Current value, Limit, and Load as a percentage). If you have several NAT instances configured in different VRFs, you can view the counters of each VRF separately by specifying its NAME. The counters are:

| Counter | Description |
|---|---|
| Active Subscribers | Active internal IP addresses |
| Address Map Entries | Each entry maps one unique internal IP address to one unique external IP address |
| Port Map Entries | The internal IP:Port to external IP:Port mappings. Mappings are used when NAT sessions are created |
| Session Entries | A session is an internal data structure needed to implement the mapping from an internal IP:Port to an external IP:Port. The session contains int_ip:port, ext_ip:port, dst_ip:port and the time it was last used |
| Pending Fragments | The IP fragments of all chains that are awaiting reassembly |
- show <nat|nat64> counters [vrf NAME] overall
- clear <nat|nat64> counters [vrf NAME] overall
Display the information for all NAT|NAT64 counters. These counters are accumulative and do not show the current load of the system. Below are some counters with a brief description:

| Counter | Description |
|---|---|
| Inbound and Outbound Translations | A translation is each change of an IP address, a port, or an IP:Port pair |
| Inbound and Outbound Bytes | All traffic through NAT, not counting Ethernet and VLAN headers |
| Inbound and Outbound Fragment Translations | All IP fragments received from the internal network (outbound) or from the external one (inbound) |
| Inbound and Outbound Fragment Bytes | The same as above, but in bytes |
| Subscriber Creations, Address Map Creations, Port Map Creations and Session Creations | The same as in the description of the `show <nat\|nat64> counters` command, except that Creations means the quantity for the entire time of operation of the device |
| Hairpinning Sessions | See RFC 5128 and Hairpinning Behavior for reference |
| Filtering Policy Drops | The filtering mode did not allow a new session to be created |
| Hairpinning Loop Drops | See RFC 6146 Section 5.4 for reference |
| Hairpinning Drops | Hairpinning is disabled, but vCGNAT has received a packet that would create a Hairpinning Session |
| No Pool Drops | Packet drops that can happen while a pool is being deleted from the subscriber-group |
| No Portless Mapping Drops | A packet came from the internal network via the GRE, AH or ESP protocol, but there was no corresponding IP-IP mapping for it |
| ACL Drops | A packet dropped (denied) according to access list rules |
| Inbound Refresh Drops | A packet came from the external network that would require a new session to be created, but inbound refresh is disabled |
| Unsupported L4 Protocol Drops | A packet with an unsupported L4 protocol |
| No NAT Rule Drops | A packet came to the inside interface from the client network for which no NAT rule is set |
| No Mapping Drops | A packet came from the external network to a closed port (i.e. one with no open mapping) |
| No RSS Drops | RSS was not calculated by the network card/driver |
| Fragment Timeout Drops | Until the first fragment arrives, translation is not possible because the other fragments carry no port information. Those fragments are stored in chains, and a chain lives for a limited time. If the first fragment does not arrive within that interval, the chain is removed. The default interval is 15 seconds |
| Fragment Duplicated Drops | A fragment duplicates a fragment that has already been processed |
| Fragment Overlap Drops | A fragment overlaps with another one that has already been processed |
| Fragment With Zero Size Drops | An IP fragment with a 0-byte payload (no data). If the L4 payload size turns out to be 0 bytes after parsing the IP header, the packet is dropped, because this is a sign of a network attack |
| Fragment Control Queue Too Short Drops | An array is used to check that incoming fragments do not overlap with each other. If the array is not large enough to perform the check, the packet is dropped |
| TCP No SYN Drops | TCP packets without the SYN flag for which no session was found |
| TCP NULL Flags Drops | TCP packets without any TCP flags set |
| TCP SYN & FIN Drops | Packets with both the TCP SYN and FIN flags set |
| TCP XMAS Drops | TCP packets with the FIN, URG and PSH flags set at the same time. Such packets are illegal according to RFC 793 |
| TCP SYN Fragments Drops | TCP SYN packets that are IP fragments |
| TCP/UDP Port Zero Drops | TCP/UDP packets whose Source or Destination Port value is zero |
| ICMP Query ID Zero Drops | ICMP packets whose Query ID value is zero |
| ICMP Unsupported Proto Drops | An ICMP error with an unsupported L4 protocol inside |
| ICMP Unknown Type Drops | ICMP packets with unknown Type and Code fields |
| ICMP Error Drops | No matching NAT session for the ICMP error message |
| GRE Unknown Version Drops | GRE packets with an unknown protocol version. The Version field (bits 13-15) in the GRE header must be 0. See RFC 2784 for reference |
Limit drop counters mean that there was an attempt to exceed the specified limit. In that case the entry/packet/etc. is dropped and the counter is incremented by 1. The limits are:

| Limit Drop Counters | Description |
|---|---|
| Address Map Entry Limit Drops | IP-IP NAT mappings. It is a global limit and can be set via the command `nat limits address-mappings` |
| Session Entry Limit Drops | NAT sessions (here an entry includes the Internal, External and Remote IP:Port). It is a global limit and can be set via the command `nat limits sessions` |
| Subscriber Limit Drops | Internal IP addresses (subscribers) for NAT. It is a global limit and can be set via the command `nat limits active-subscribers` |
| Pending Fragments Limit Drops | Fragments currently being processed by the NAT. It is a global limit and can be set via the command `nat limits pending-fragments` |
| Address Map Failure Drops | See RFC 7659 Section 3.1.4 for reference: there are no free IP addresses in the pool, or the system has received a request to allocate an IP address that is already busy |
| Port Map Failure Drops | This counter includes the counters connected to Port Limit Drops, listed in the next table |
| Fragment Chain Limit Drops | The limit for a fragment chain is exceeded. The default value is 24 |

Port Map Failure Drops includes the following counters:

| Counter | Description |
|---|---|
| Port Map Entry Limit Drops | IP:Port - IP:Port NAT mappings. It is a global limit and can be set via the command `nat limits port-mappings` |
| Subscriber Port Map Limit Drops | The limit on the number of ports allocated to one user has been exceeded. The limit is set via `limits port-map-entries` in the subscriber-group section |
| Subscriber Port Block Limit Drops | The limit on the number of port blocks allocated to one user has been exceeded. The limit is set via `limits port-block-entries` in the subscriber-group section |
| No Free Port Drops | No free ports on one of the external IP addresses in one of the pools (see the output of `show nat pool POOL_NAME ip`) |
| No Free Block Drops | No free port blocks on one of the external IP addresses in one of the pools (see the `Port Blocks` column in the output of `show nat pool POOL_NAME ip`) |
| Subscriber Session Limit Drops | Sessions per subscriber. The limit is set via `limits session-entries` |
- show <nat|nat64> counters [vrf NAME] protocols
- clear <nat|nat64> counters [vrf NAME] protocols
Display the counter information for each protocol, for example:

```text
nfware# show nat counters protocols
---------------------------------------------------------------------------------------------------------
Counter                    ICMP      TCP       UDP       GRE       ESP
---------------------------------------------------------------------------------------------------------
Port Map Entries           0         0         0         0         0
Translations Outbound      385       0         0         0         0
Translations Inbound       385       0         0         0         0
Port Map Creations         1         0         0         0         0
Port Map Failure Drops     0         0         0         0         0
---------------------------------------------------------------------------------------------------------
```
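As an added example (not part of the vCGNAT documentation), the following Python parses output in the layout of the per-protocol counter table above and, because the counters are accumulative, reports only the drop counters that grew between two samples. The sample output is constructed; its nonzero Port Map Failure Drops value is made up to exercise the check.

```python
# Constructed sample in the layout of `show nat counters protocols`; the
# nonzero "Port Map Failure Drops" value is made up to exercise drop_deltas().
SAMPLE = """\
nfware# show nat counters protocols
-----------------------------------------------------
Counter                    ICMP   TCP   UDP   GRE   ESP
-----------------------------------------------------
Port Map Entries              0     0     0     0     0
Translations Outbound       385     0     0     0     0
Translations Inbound        385     0     0     0     0
Port Map Creations            1     0     0     0     0
Port Map Failure Drops        0     7     0     0     0
-----------------------------------------------------
"""


def parse_counter_table(text):
    """Return {counter: {column: int}} from a whitespace-aligned counter table.

    Counter names contain spaces, so each row is split from the right: the last
    len(columns) fields are the values, everything before them is the name.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    # Keep header and data rows only: drop blank lines, the prompt and dash rules
    lines = [ln for ln in lines
             if ln and not ln.startswith("nfware#") and set(ln) != {"-"}]
    columns = lines[0].split()[1:]   # header "Counter ICMP TCP UDP GRE ESP"
    table = {}
    for ln in lines[1:]:
        fields = ln.split()
        name, values = fields[:-len(columns)], fields[-len(columns):]
        if not name or not all(v.isdigit() for v in values):
            raise ValueError(f"unexpected row: {ln!r}")
        table[" ".join(name)] = dict(zip(columns, map(int, values)))
    return table


def drop_deltas(previous, current):
    """Drop counters are accumulative, so compare two samples and return
    (counter, protocol, increase) for every drop counter that grew."""
    def prev(name, proto):
        return previous.get(name, {}).get(proto, 0)
    return [(name, proto, v - prev(name, proto))
            for name, row in current.items() if name.endswith("Drops")
            for proto, v in row.items() if v - prev(name, proto) > 0]
```

Feed it two consecutive captures of the command to get the increase per polling interval; a first call with an empty previous sample lists every nonzero drop counter.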
- show <nat|nat64> sessions [FILTER]
- clear <nat|nat64> sessions [FILTER]
Display the whole translation table, with the capability to filter the output by the following fields: internal/external/remote IP addresses, protocols, ports, pool, or VRF.

| Filter | Keys |
|---|---|
| proto | icmp; tcp, optionally followed by one or several state keys: syn-received, established, fin-received, closing, transitory; udp; gre; esp |
| int-ip | Internal IP address: A.B.C.D for NAT, X:X::X:X for NAT64 |
| int-port | Internal port from the range 1-65535 |
| ext-ip | External IP address, A.B.C.D |
| ext-port | External port from the range 1-65535 |
| rem-ip | Remote IP address, A.B.C.D |
| rem-port | Remote port from the range 1-65535 |
| pool | Pool NAME |
| vrf | VRF NAME |
Full format of the commands:
- show nat64 sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- show nat sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- clear nat64 sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- clear nat sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
Examples:

```text
nfware# show nat sessions int-port 22
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
icmp       192.168.1.2:22         12.13.14.15:603        5.5.5.5:603
-------------------------------------------------------------------------------
nfware# show nat sessions proto udp int-ip 192.168.1.24 int-port 58448 rem-ip 6.6.6.6 pool TEST
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
udp        192.168.1.24:58448     12.13.14.20:5296       6.6.6.6:29375
-------------------------------------------------------------------------------
nfware# show nat sessions proto tcp transitory int-ip 192.168.1.25 rem-ip 6.6.6.6
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
tcp (t)    192.168.1.25:58448     12.13.14.18:5296       6.6.6.6:443
-------------------------------------------------------------------------------
```
- show <nat|nat64> sessions [vrf NAME] STRING...
- clear <nat|nat64> sessions [vrf NAME] STRING...
Display the detailed information about the session specified by its full session key. The key can be taken from the output of the `show nat sessions` command. For example:

```text
nfware# show nat sessions icmp 192.168.3.4:5 203.0.113.34:119 172.20.1.2:119
Key: proto icmp int-ip 192.168.3.4 int-port 5 ext-ip 203.0.113.34 ext-port 119 rem-ip 172.20.1.2 rem-port 119
Direction: outbound
Time to live: 0h 0m 59s
```
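As an added example rather than part of the original documentation, this Python parses rows of the `show nat sessions` table into records, rebuilds the full session key accepted by `show <nat|nat64> sessions STRING...`, and parses the detailed Key/Direction/Time to live output. Both samples are constructed in the layouts shown above.

```python
import re

# Constructed sample in the layout of the `show nat sessions` table; "(t)" is
# the transitory TCP state marker shown in the examples above.
SESSIONS = """\
nfware# show nat sessions proto tcp
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
tcp (t)    192.168.1.25:58448     12.13.14.18:5296       6.6.6.6:443
icmp       192.168.1.2:22         12.13.14.15:603        5.5.5.5:603
-------------------------------------------------------------------------------
"""

# Constructed sample in the layout of `show nat sessions STRING...`
DETAIL = """\
Key: proto icmp int-ip 192.168.3.4 int-port 5 ext-ip 203.0.113.34 ext-port 119 rem-ip 172.20.1.2 rem-port 119
Direction: outbound
Time to live: 0h 0m 59s
"""

# protocol, optional "(x)" state marker, then internal/external/remote IP:Port
ROW = re.compile(r"^(\w+)(?:\s+\((\w)\))?\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_sessions(text):
    """Return one dict per table row; the optional state marker becomes 'state'."""
    rows = []
    for ln in text.splitlines():
        m = ROW.match(ln.strip())
        if not m or m.group(1) == "Protocol":   # skip prompt, rules, header
            continue
        proto, state, internal, external, remote = m.groups()
        rows.append({"proto": proto, "state": state, "internal": internal,
                     "external": external, "remote": remote})
    return rows


def session_key(row):
    """Full key accepted by `show|clear <nat|nat64> sessions STRING...`."""
    return f"{row['proto']} {row['internal']} {row['external']} {row['remote']}"


def parse_detail(text):
    """Parse the Key/Direction/Time to live lines; TTL is returned in seconds."""
    info = {}
    for ln in text.splitlines():
        field, _, value = ln.partition(":")
        info[field.strip()] = value.strip()
    key = info["Key"].split()                      # alternating name/value tokens
    info["key"] = dict(zip(key[0::2], key[1::2]))
    h, m, s = (int(x) for x in re.findall(r"(\d+)[hms]", info["Time to live"]))
    info["ttl_seconds"] = h * 3600 + m * 60 + s
    return info
```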
- show <nat|nat64> counters [vrf NAME] rate
Display the counter rates. If you have several NAT instances configured in different VRFs, you can view the counter rates of each VRF separately by specifying its NAME.
- show nat64 fragment [{src-ip X:X::X:X | dst-ip X:X::X:X | vrf NAME}]
- show nat fragment [{src-ip A.B.C.D | dst-ip A.B.C.D | vrf NAME}]
Display the IP packet fragmentation table for NAT|NAT64. You can specify filters such as source/destination IP addresses and VRF. vCGNAT collects IP packet fragments into a chain while it waits for the first fragment, until the chain lifetime expires (15 seconds).
- show <nat|nat64> mappings [FILTER]
Display the internal to external IP:Port mapping table for NAT|NAT64, with the capability to filter the output by the following fields: internal/external IP addresses, protocols, ports or VRF. The type of each mapping is also shown:
- d for a dynamic translation,
- s for a static one,
- pcp for a mapping that the subscriber asked NAT to open itself via the PCP protocol.
For a dynamic mapping, the entry stays in the table as long as at least one session is alive; the mapping is deleted as soon as the last session is closed. Static mappings do not age out. PCP mappings live for the requested time, but that time is limited to 1 hour: you cannot open a port for more than 1 hour via the PCP protocol.

| Filter | Keys |
|---|---|
| proto | icmp, tcp, udp, gre, esp |
| int-ip | Internal IP address: A.B.C.D for NAT, X:X::X:X for NAT64 |
| int-port | Internal port from the range 1-65535 |
| rem-ip | Remote IP address, A.B.C.D |
| rem-port | Remote port from the range 1-65535 |
| vrf | VRF NAME |
Full format of the commands:
- show nat64 mappings [{proto <icmp|udp|tcp|gre>|int-ip X:X::X:X|int-port (1-65535)|rem-ip X:X::X:X|rem-port (1-65535)|vrf NAME}]
- show nat mappings [{proto <icmp|udp|tcp|gre>|int-ip A.B.C.D|int-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|vrf NAME}]
Examples:

```text
nfware# show nat mappings
--------------------------------------------------------------
Type   Protocol   Internal              Remote
--------------------------------------------------------------
d      icmp       192.168.1.2:48386     12.13.14.16:17696
s      tcp        192.168.1.3:1016      12.13.14.17:79
pcp    udp        192.168.1.3:3718      12.13.14.18:39530
nfware# show nat mappings proto icmp int-ip 192.168.1.2 rem-ip 12.13.14.16
--------------------------------------------------------------
Type   Protocol   Internal              Remote
--------------------------------------------------------------
d      icmp       192.168.1.2:48386     12.13.14.16:17696
```