9.15. Show and Clear Commands
Below you see a list of show and clear commands broken down into blocks. There is a description for each show command. Clear commands with the meaning obvious from the command itself are listed without a description.
- show <nat|nat64> counters [vrf NAME]
Display the information about the current system load (Counter, Current value, Limit, and Load as a percentage). If you have several NAT instances configured in different VRFs, you can view the counters in each VRF separately by specifying its NAME. The counters are:

| Counter | Description |
|---|---|
| Active Subscribers | Active internal IP addresses |
| Address Map Entries | Each entry has one unique internal IP address matching the unique external one |
| Port Map Entries | The internal IP:Port mappings to external IP:Port. Mappings are used in the NAT session creation process |
| Session Entries | A session is an internal data structure needed to implement the mapping from an internal IP:Port to an external IP:Port. The session contains the following information: int_ip:port, ext_ip:port, dst_ip:port, and the time it was last used |
| Pending Fragments | The IP fragments for all chains that are awaiting assembly |
- show <nat|nat64> counters [vrf NAME] overall
- clear <nat|nat64> counters [vrf NAME] overall
Display the information for all NAT|NAT64 counters. These counters are cumulative and do not show the current load of the system. Below are some counters and their brief description:

| Counter | Description |
|---|---|
| Inbound and Outbound Translations | A translation is each change of an IP, a port or an IP:Port |
| Inbound and Outbound Bytes | All traffic through NAT, not counting Ethernet and VLAN headers |
| Inbound and Outbound Fragment Translations | All IP fragments received from the internal network (outbound) or from the external one (inbound) |
| Inbound and Outbound Fragment Bytes | The same as above, but in bytes |
| Subscriber Creations, Address Map Creations, Port Map Creations and Session Creations | The same as the corresponding counters in the description of the show nat / show nat64 counters command, except that Creations means the quantity for the entire time of operation of the device |
| Hairpinning Sessions | See RFC 5128 and Hairpinning Behavior for reference |
| Filtering Policy Drops | The filtering mode did not allow a new session to be created |
| Hairpinning Loop Drops | See RFC 6146 Section 5.4 for reference |
| Hairpinning Drops | Hairpinning is disabled, but vCGNAT has received a packet that would create a hairpinning session |
| No Pool Drops | Packet drops that can happen while a pool is being deleted from the subscriber-group |
| No Portless Mapping Drops | A packet came from the internal network via the GRE, AH or ESP protocol, but there was no corresponding IP-IP mapping for it |
| ACL Drops | A packet dropped (denied) according to access list rules |
| Inbound Refresh Drops | A packet came from the external network that would require a new session to be created, but inbound refresh is disabled |
| Unsupported L4 Protocol Drops | A packet with an unsupported L4 protocol |
| No NAT Rule Drops | A packet came to the inside interface from the client network, but no NAT rule is set for it |
| No Mapping Drops | A packet from the external network arrived on a closed port (i.e. one with no open mapping) |
| No RSS Drops | RSS was not calculated by the network card/driver |
| Fragment Timeout Drops | Until the first fragment arrives, translation is impossible because the other fragments carry no port information. These fragments are stored in chains. A chain lives for a certain amount of time; if the first fragment does not arrive within that interval, the chain is removed. The default interval is 15 seconds |
| Fragment Duplicated Drops | A fragment duplicates a fragment that has already been processed |
| Fragment Overlap Drops | A fragment overlaps with another one that has already been processed |
| Fragment With Zero Size Drops | An IP fragment with 0 bytes of payload (no data). If the L4 payload size turns out to be 0 bytes after parsing the IP header, the packet is dropped, because this is a network attack |
| Fragment Control Queue Too Short Drops | An array is used to check that incoming fragments do not overlap with each other. If the array has no room left for the check, the packet is dropped |
| TCP No SYN Drops | TCP packets without the SYN flag for which no session was found |
| TCP NULL Flags Drops | TCP packets without any TCP flags |
| TCP SYN & FIN Drops | Packets with both the TCP SYN and FIN flags set |
| TCP XMAS Drops | TCP packets with the FIN, URG and PSH flags set at the same time. Such packets are illegal according to RFC 793 |
| TCP SYN Fragments Drops | TCP SYN packets that are IP fragments |
| TCP/UDP Port Zero Drops | TCP/UDP packets whose Source or Destination Port value is zero |
| ICMP Query ID Zero Drops | ICMP packets whose Query ID value is zero |
| ICMP Unsupported Proto Drops | An ICMP error with an unsupported L4 protocol inside |
| ICMP Unknown Type Drops | ICMP packets with unknown Type and Code fields |
| ICMP Error Drops | No matching NAT session for an ICMP error message |
| GRE Unknown Version Drops | GRE packets with an unknown protocol version. The Version field (bits 13-15) in the GRE header must be 0. See RFC 2784 for reference |
The limit drop counters record attempts to exceed a configured limit: the entry/packet/etc. is dropped and the counter is incremented by 1. The limits are:

| Limit Drop Counter | Description |
|---|---|
| Address Map Entry Limit Drops | IP-IP NAT mappings. It is a global limit and can be set via the command `nat limits address-mappings` |
| Session Entry Limit Drops | NAT sessions (here an entry includes the Internal, External and Remote IP:Port). It is a global limit and can be set via the command `nat limits sessions` |
| Subscriber Limit Drops | Internal IPs (subscribers) for NAT. It is a global limit and can be set via the command `nat limits active-subscribers` |
| Pending Fragments Limit Drops | Fragments currently being processed by the NAT. It is a global limit and can be set via the command `nat limits pending-fragments` |
| Address Map Failure Drops | See RFC 7659 Section 3.1.4 for reference. Incremented when there are no free IP addresses in the pool, or when the system has received a request to allocate an IP address which is already busy |
| Port Map Failure Drops | This counter includes the port limit drop counters listed in the next table |
| Subscriber Session Limit Drops | Sessions per subscriber. The limit is set via `limits session-entries` |
| Fragment Chain Limit Drops | The limit for the fragment chain is exceeded. The default value is 24 |

The Port Map Failure Drops counter is made up of the following port limit drop counters:

| Port Limit Drop Counter | Description |
|---|---|
| Port Map Entry Limit Drops | IP:Port - IP:Port NAT mappings. It is a global limit and can be set via the command `nat limits port-mappings` |
| Subscriber Port Map Limit Drops | The limit on the number of ports allocated to one user has been exceeded. The limit is set via `limits port-map-entries` in the subscriber-group section |
| Subscriber Port Block Limit Drops | The limit on the number of port blocks allocated to one user has been exceeded. The limit is set via `limits port-block-entries` in the subscriber-group section |
| No Free Port Drops | No free ports on one of the external IP addresses in one of the pools (see the output of `show nat pool POOL_NAME ip`) |
| No Free Block Drops | No free port blocks on one of the external IP addresses in one of the pools (see the Port Blocks column in the output of `show nat pool POOL_NAME ip`) |
- show <nat|nat64> counters [vrf NAME] protocols
- clear <nat|nat64> counters [vrf NAME] protocols
Display the counter information for each protocol, for example:

```
nfware# show nat counters protocols
---------------------------------------------------------------------
Counter                      ICMP      TCP      UDP      GRE      ESP
---------------------------------------------------------------------
Port Map Entries                0        0        0        0        0
Translations Outbound         385        0        0        0        0
Translations Inbound          385        0        0        0        0
Port Map Creations              1        0        0        0        0
Port Map Failure Drops          0        0        0        0        0
---------------------------------------------------------------------
```
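The per-protocol table above is what an operator polls when watching the NAT for trouble. The following script is an added example (it is not part of the vCGNAT documentation and not a vendor tool): it parses the `show nat counters protocols` table into a dictionary, computes the increase of every counter between two snapshots, and isolates the drop counters that grew, which is the event a monitoring check should alert on. Both snapshots are constructed; the "after" values are invented to show a delta, and the parser assumes only the layout shown in this section (a `Counter` header row followed by one integer column per protocol).

```python
# Constructed sample snapshots laid out like the `show nat counters protocols`
# table in this section; the "after" snapshot is invented to show a delta.
SNAPSHOT_BEFORE = """\
nfware# show nat counters protocols
---------------------------------------------------------------------
Counter                      ICMP      TCP      UDP      GRE      ESP
---------------------------------------------------------------------
Port Map Entries                0        0        0        0        0
Translations Outbound         385        0        0        0        0
Translations Inbound          385        0        0        0        0
Port Map Creations              1        0        0        0        0
Port Map Failure Drops          0        0        0        0        0
---------------------------------------------------------------------
"""

SNAPSHOT_AFTER = """\
nfware# show nat counters protocols
---------------------------------------------------------------------
Counter                      ICMP      TCP      UDP      GRE      ESP
---------------------------------------------------------------------
Port Map Entries                0       12        0        0        0
Translations Outbound         412      960        0        0        0
Translations Inbound          412      955        0        0        0
Port Map Creations              1       19        0        0        0
Port Map Failure Drops          0        7        0        0        0
---------------------------------------------------------------------
"""


def parse_protocol_counters(text):
    """Return {counter name: {protocol: value}} from the protocols table."""
    protocols = None
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or set(line.strip()) == {"-"}:
            continue                      # blank line or separator
        if tokens[0] == "Counter":
            protocols = tokens[1:]        # header: column names after "Counter"
            continue
        values = []
        while tokens and tokens[-1].isdigit():
            values.insert(0, int(tokens.pop()))   # trailing integers are the columns
        if not values or protocols is None:
            continue                      # prompt line or text before the header
        if len(values) != len(protocols):
            raise ValueError(f"column count mismatch in row: {line!r}")
        table[" ".join(tokens)] = dict(zip(protocols, values))
    return table


def counter_delta(before, after):
    """Per-protocol increase of every counter between two snapshots (zero deltas omitted)."""
    delta = {}
    for name, per_proto in after.items():
        for proto, value in per_proto.items():
            diff = value - before.get(name, {}).get(proto, 0)
            if diff:
                delta.setdefault(name, {})[proto] = diff
    return delta


def drop_increases(delta):
    """Only the drop counters that grew: these are what a monitoring check alerts on."""
    return {name: v for name, v in delta.items() if name.endswith("Drops")}


if __name__ == "__main__":
    d = counter_delta(parse_protocol_counters(SNAPSHOT_BEFORE),
                      parse_protocol_counters(SNAPSHOT_AFTER))
    for name, per_proto in drop_increases(d).items():
        print(name, per_proto)
```

Because the cumulative counters never reset except through the clear command, comparing two snapshots is the only way to see what happened in a given interval; a sudden rise in Port Map Failure Drops for one protocol points at port exhaustion or a per-subscriber limit being hit, and the per-protocol breakdown tells you which traffic class to investigate.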
- show <nat|nat64> sessions [FILTER]
- clear <nat|nat64> sessions [FILTER]
Display the whole translation table, with the capability to filter the output by the following fields: internal/external/remote IP addresses, protocols, ports, pool, or VRF.
| Filter | Keys |
|---|---|
| proto | icmp, tcp, udp, gre, esp. For tcp you can add one or several state keys: syn-received, established, fin-received, closing, transitory |
| int-ip | For NAT: an internal IP address A.B.C.D. For NAT64: an internal IP address X:X::X:X |
| int-port | An internal port from the range 1-65535 |
| ext-ip | An external IP address A.B.C.D |
| ext-port | An external port from the range 1-65535 |
| rem-ip | A remote IP address A.B.C.D |
| rem-port | A remote port from the range 1-65535 |
| pool | A pool NAME |
| vrf | A VRF NAME |

Full format of the commands:
- show nat64 sessions proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory|stateless}]|udp|gre|esp> [{int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- show nat sessions proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory|stateless}]|udp|gre|esp> [{int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- clear nat64 sessions proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory|stateless}]|udp|gre|esp> [{int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
- clear nat sessions proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory|stateless}]|udp|gre|esp> [{int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
Examples:
```
nfware# show nat sessions int-port 22
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
icmp       192.168.1.2:22         12.13.14.15:603        5.5.5.5:603
-------------------------------------------------------------------------------
nfware# show nat sessions proto udp int-ip 192.168.1.24 int-port 58448 rem-ip 6.6.6.6 pool TEST
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
udp        192.168.1.24:58448     12.13.14.20:5296       6.6.6.6:29375
-------------------------------------------------------------------------------
nfware# show nat sessions proto tcp transitory int-ip 192.168.1.25 rem-ip 6.6.6.6
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
tcp (t)    192.168.1.25:58448     12.13.14.18:5296       6.6.6.6:443
-------------------------------------------------------------------------------
```
- show <nat|nat64> sessions [vrf NAME] STRING...
- clear <nat|nat64> sessions [vrf NAME] STRING...
Display the detailed information about a session specified by its full session key. The key can be taken from the output of the show nat sessions command. For example:

```
nfware# show nat sessions icmp 192.168.3.4:5 203.0.113.34:119 172.20.1.2:119
Key: proto icmp int-ip 192.168.3.4 int-port 5 ext-ip 203.0.113.34 ext-port 119 rem-ip 172.20.1.2 rem-port 119
Direction: outbound
Time to live: 0h 0m 59s
```
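The session table and the per-session lookup above are the two commands an incident responder combines when tracing who behind the NAT talked to a given remote host. The following script is an added example (not part of the vCGNAT documentation and not a vendor tool): it parses `show nat sessions` table rows, counts sessions per internal IP (the quantity the Subscriber Session Limit caps), selects the sessions to a given remote IP, and builds the full key for the `show <nat|nat64> sessions STRING...` detail command. The sample is constructed from the outputs in this section plus one extra TCP row; the one assumption beyond the page is that the TCP state tag such as `(t)` is not part of the session key.

```python
import re
from collections import Counter

# Constructed sample: the three `show nat sessions` outputs from this section
# merged into one table, plus one extra (invented) TCP row for the same subscriber.
SAMPLE = """\
nfware# show nat sessions
-------------------------------------------------------------------------------
Protocol   Internal               External               Remote
-------------------------------------------------------------------------------
icmp       192.168.1.2:22         12.13.14.15:603        5.5.5.5:603
udp        192.168.1.24:58448     12.13.14.20:5296       6.6.6.6:29375
tcp (t)    192.168.1.25:58448     12.13.14.18:5296       6.6.6.6:443
tcp (t)    192.168.1.25:58449     12.13.14.18:5297       6.6.6.6:443
-------------------------------------------------------------------------------
"""

# One table row: protocol, optional TCP state tag, then three addr:port columns.
# The header row starts with an uppercase letter and the prompt contains '#',
# so neither matches.
ROW_RE = re.compile(
    r"^(?P<proto>[a-z0-9]+)"          # icmp, tcp, udp, gre, esp
    r"(?:\s+\((?P<state>[a-z])\))?"   # optional state tag such as (t)
    r"\s+(?P<internal>\S+:\d+)"
    r"\s+(?P<external>\S+:\d+)"
    r"\s+(?P<remote>\S+:\d+)\s*$"
)


def parse_sessions(text):
    """Return one dict per table row; header, separators and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def addr_of(endpoint):
    """Strip the port from 'addr:port' (works for IPv6 endpoints too: last colon)."""
    return endpoint.rsplit(":", 1)[0]


def session_key(row):
    """Full key for `show <nat|nat64> sessions STRING...`.
    Assumption (not stated on the page): the TCP state tag is not part of the key."""
    return f"{row['proto']} {row['internal']} {row['external']} {row['remote']}"


def sessions_per_subscriber(rows):
    """Sessions per internal IP, the quantity that `limits session-entries` caps."""
    return Counter(addr_of(row["internal"]) for row in rows)


def sessions_to_remote(rows, remote_ip):
    """All sessions whose remote endpoint is the given IP (who talked to that host)."""
    return [row for row in rows if addr_of(row["remote"]) == remote_ip]


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    for row in sessions_to_remote(rows, "6.6.6.6"):
        print(session_key(row))
    print(sessions_per_subscriber(rows).most_common(3))
```

Run against a real capture of the table, `sessions_to_remote` answers the usual abuse-report question (which internal address was behind external IP:Port X when it talked to Y), and `session_key` gives you the exact string to paste into the detail command to read the session's direction and remaining lifetime before it ages out.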
- show <nat|nat64> counters [vrf NAME] rate
Display the counter rates. If you have several NAT instances configured in different VRFs, you can view the counter rates in each VRF separately by specifying its NAME.
- show nat64 fragment [{src-ip X:X::X:X | dst-ip X:X::X:X | vrf NAME}]
- show nat fragment [{src-ip A.B.C.D | dst-ip A.B.C.D | vrf NAME}]
Display the IP packet fragmentation table for NAT|NAT64. You can specify filters such as source/destination IP addresses and VRF. vCGNAT collects IP packet fragments into a chain while it waits for the first fragment, or until the chain lifetime (15 seconds) expires.
- show <nat|nat64> mappings [FILTER]
Display the internal to external IP:Port mapping table for NAT|NAT64, with the capability to filter the output by the following fields: internal/external IP addresses, protocols, ports or VRF. The type of each mapping is also shown:

- d for a dynamic translation,
- s for a static one,
- pcp for a mapping that the subscriber requested itself via the PCP protocol.

A dynamic mapping is present in the table as long as at least one session is alive; the mapping is deleted as soon as the last session is closed. Static mappings do not age out. PCP mappings live for the requested time, but this is limited to 1 hour: you cannot open a port for more than 1 hour via the PCP protocol.
| Filter | Keys |
|---|---|
| proto | icmp, tcp, udp, gre, esp |
| int-ip | For NAT: an internal IP address A.B.C.D. For NAT64: an internal IP address X:X::X:X |
| int-port | An internal port from the range 1-65535 |
| rem-ip | A remote IP address A.B.C.D |
| rem-port | A remote port from the range 1-65535 |
| vrf | A VRF NAME |

Full format of the commands:
- show nat64 mappings [{proto <icmp|udp|tcp|gre>|int-ip X:X::X:X|int-port (1-65535)|rem-ip X:X::X:X|rem-port (1-65535)|vrf NAME}]
- show nat mappings [{proto <icmp|udp|tcp|gre>|int-ip A.B.C.D|int-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|vrf NAME}]
Examples:
```
nfware# show nat mappings
--------------------------------------------------------------
Type   Protocol   Internal               Remote
--------------------------------------------------------------
d      icmp       192.168.1.2:48386      12.13.14.16:17696
s      tcp        192.168.1.3:1016       12.13.14.17:79
pcp    udp        192.168.1.3:3718       12.13.14.18:39530
nfware# show nat mappings proto icmp int-ip 192.168.1.2 rem-ip 12.13.14.16
--------------------------------------------------------------
Type   Protocol   Internal               Remote
--------------------------------------------------------------
d      icmp       192.168.1.2:48386      12.13.14.16:17696
```
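Static and PCP mappings differ from dynamic ones in that they are not tied to a subscriber-initiated session (static mappings never age out, PCP ones live for up to an hour), so the set of non-dynamic mappings is effectively the list of ports reachable from the outside that a defender should review periodically. The following script is an added example (not part of the vCGNAT documentation and not a vendor tool): it parses the `show nat mappings` table, lists the mappings by type, and groups them per internal host. The sample is the first output in this section reproduced as constructed input; the column names are used exactly as the output labels them.

```python
import re
from collections import defaultdict

# Constructed sample laid out like the `show nat mappings` output in this section.
SAMPLE = """\
nfware# show nat mappings
--------------------------------------------------------------
Type   Protocol   Internal               Remote
--------------------------------------------------------------
d      icmp       192.168.1.2:48386      12.13.14.16:17696
s      tcp        192.168.1.3:1016       12.13.14.17:79
pcp    udp        192.168.1.3:3718       12.13.14.18:39530
"""

# One mapping row: type (d, s or pcp), protocol, then the Internal and Remote
# columns as addr:port. The header starts with "Type", so it does not match.
ROW_RE = re.compile(
    r"^(?P<type>d|s|pcp)\s+(?P<proto>[a-z]+)"
    r"\s+(?P<internal>\S+:\d+)\s+(?P<remote>\S+:\d+)\s*$"
)

TYPE_NAMES = {"d": "dynamic", "s": "static", "pcp": "pcp"}


def parse_mappings(text):
    """Return one dict per mapping row; header, separators and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def non_dynamic_mappings(rows):
    """Static and PCP mappings: open without a live subscriber-initiated session,
    so this is the inbound-reachable port list worth reviewing."""
    return [row for row in rows if row["type"] != "d"]


def mappings_by_subscriber(rows):
    """Group mappings per internal IP (the port-map-entries limit is per subscriber)."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["internal"].rsplit(":", 1)[0]].append(row)
    return dict(grouped)


def summarize(rows):
    """Human-readable audit lines, one per non-dynamic mapping."""
    return [
        f"{TYPE_NAMES[r['type']]:8} {r['proto']:5} {r['internal']} -> {r['remote']}"
        for r in non_dynamic_mappings(rows)
    ]


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    for line in summarize(rows):
        print(line)
    for host, entries in mappings_by_subscriber(rows).items():
        print(host, len(entries), "mapping(s)")
```

Comparing the output of `non_dynamic_mappings` between runs shows new static entries (configuration changes) and new PCP entries (ports a subscriber opened itself), which is the change a periodic review wants to see.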