9.5. Subscriber Groups
Subscriber groups configure general traffic processing rules for one or more subscriber subnets: which pool is used to translate their connections and how much of the shared resources a single subscriber may consume. Subscriber groups are linked to the subscriber subnets by NAT rules. This section describes how to create and configure subscriber groups.
Subscriber Group Creation
- nat subscriber-group NAME
  Create the NAME subscriber group and switch to its configuration mode.
All the settings described below are performed in the subscriber group configuration mode.
Assigning Pool
If no pool is assigned to the subscriber group, its traffic is processed without address translation. For NAT to start translating addresses, specify the pool whose public addresses will be used for translation.
- pool NAME [secondary NAME]
  Assign the NAME pool to the subscriber group. The pool must be created and enabled in advance. A single pool can be assigned to several subscriber groups at the same time. If the NAME pool is a NAT type pool, the secondary option specifies a backup pool that is used once all IP addresses of the primary pool are exhausted. To unassign the pool, use the no pool command.
Assigning Access Lists
NAT access lists provide more precise control over how the subscriber group's traffic is translated, for example:
  translate connections to certain IP addresses or ports using a different pool,
  do not translate connections to certain IP addresses or ports at all,
  prohibit traffic to certain IP addresses or ports.
These are only some of the NAT access list capabilities. A detailed description of all the features can be found in the Access Lists section.
- <ip|ipv6> dp-access-list NAME <inside|outside>
  Assign the NAME access list of the specified type (ip or ipv6) to the subscriber group. Access lists are checked only when a subscriber creates a new connection; linking or changing an access list does not affect existing connections. With the inside option, the access list is checked for outbound subscriber connections. With the outside option, the access list is checked for inbound subscriber connections.
Limits
To prevent any single subscriber from using too much of the common resources, such as public ports or NAT sessions, it is possible to set limitations:
- limits port-map-entries (1-536870911)
  Set the maximum number of ports that a single subscriber can use. If the limit has been reached and a new port is required, NAT does not allocate any additional ports and drops all traffic sent through that connection. Existing ports are not affected.
- limits port-block-entries (1-536870911)
  Set the maximum number of public port blocks that a single subscriber can use. If the limit has been reached and a new port block is required, NAT does not allocate any additional port blocks and drops all traffic sent through that connection. Existing port blocks are not affected.
- limits session-entries (1-536870911)
  Set the maximum number of NAT sessions that a single subscriber can use. If the limit has been reached and a new connection is required, NAT does not create any new sessions and drops all traffic sent through that connection. Existing connections are not affected.
Show Commands
- show <nat|nat64> subscribers [vrf NAME]
  Display information on connected subscribers: internal IP address, number of opened ports, and number of sessions.

  nfware# show nat subscriber
  ------------------------------------------------------------
  Subscriber            Port Map Entries      Session Entries
  ------------------------------------------------------------
  192.168.96.81         110                   110
  192.168.225.203       120                   122
  192.168.162.86        9                     9
  192.168.254.197       55                    55
  192.168.237.222       2                     2
  192.168.55.176        37                    41
  ------------------------------------------------------------
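One way to turn this output into an early warning before a subscriber reaches the per-subscriber limits configured above, as an added example that is not part of the original documentation: the sample output is the table shown above (re-aligned), and the limit values of 128 are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed input: the "show nat subscribers" output from the documentation, re-aligned.
SHOW_NAT_SUBSCRIBERS = """\
nfware# show nat subscriber
------------------------------------------------------------
Subscriber            Port Map Entries      Session Entries
------------------------------------------------------------
192.168.96.81         110                   110
192.168.225.203       120                   122
192.168.162.86        9                     9
192.168.254.197       55                    55
192.168.237.222       2                     2
192.168.55.176        37                    41
------------------------------------------------------------
"""

# A data row is an IPv4 address followed by two integer counters.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)$")


@dataclass
class SubscriberUsage:
    address: str
    port_map_entries: int
    session_entries: int


def parse_show_subscribers(text):
    """Return one record per data row; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(SubscriberUsage(m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def near_limit(rows, port_map_limit, session_limit, threshold=0.8):
    """List (address, limit name, used, limit) for each counter at or above threshold*limit.

    Once a limit is hit, new allocations are refused and that traffic is dropped,
    so alerting below the configured value gives time to react before drops start.
    """
    alerts = []
    for r in rows:
        if r.port_map_entries >= threshold * port_map_limit:
            alerts.append((r.address, "port-map-entries", r.port_map_entries, port_map_limit))
        if r.session_entries >= threshold * session_limit:
            alerts.append((r.address, "session-entries", r.session_entries, session_limit))
    return alerts
```

The limit values passed to near_limit should mirror the limits port-map-entries and limits session-entries values configured on the subscriber group.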
- show nat64 subscribers X:X::X:X [{counters|vrf NAME}]
- show nat subscribers A.B.C.D [{counters|vrf NAME}]
  Display the current counters (at this moment) and the overall counters (accumulated over the whole period of operation) for the specified subscriber.
  Current Counters:
    Ports: The number of opened ports.
    Port Blocks: The number of allocated port blocks. A pool can be configured in Port Block Allocation mode (see the Port Block Allocation section) to allocate blocks of ports rather than single ports, for example to reduce the amount of logging.
    Sessions: The number of opened sessions.

  Overall Counters:
    Ports opened: The number of opened ports.
    Port Blocks allocated: The number of allocated port blocks.
    Sessions created: The number of created sessions.
    Port Map Failure Drops: Drops caused by port mapping failures (see RFC 7659 for reference), namely when:
      the limit on the number of ports/blocks per subscriber is exceeded, or
      there are no free ports (taking into account paired limits and pool settings).
- show nat subscriber-group NAME <ip|ipv6> dp-access-list <inside|outside>
  Display the ACL configuration for the inside or outside network and the number of times each ACL rule has been matched.