
Configuring Port Pre-allocation and Incremental Allocation

This section describes how to configure port pre-allocation and incremental allocation.

Port pre-allocation and incremental allocation mainly apply to NAT444 and NAT64 scenarios. Port pre-allocation assigns each CPE (user) a fixed block of ports, so that a user can be traced from a post-NAT address and port (source tracing based on CPE) and the FW logs one record per port block rather than one per session, which greatly reduces the number of service logs. Incremental allocation assigns additional port blocks to a user whose pre-allocated block has been exhausted.

Configuring Port Pre-allocation and Incremental Allocation

Configuring port pre-allocation and incremental allocation consists of two steps:

  1. In the NAT address pool view, specify parameters for port pre-allocation and incremental allocation.
  2. In the NAT policy view, reference the NAT address pool.

Procedure:

  1. Access the system view.

    system-view

  2. Optional: Enable port pre-allocation and incremental allocation in load-balancing hot standby networking.

    nat resource load-balance enable

    Run the nat resource load-balance enable command only when port pre-allocation and incremental allocation are used in load-balancing hot standby networking.

  3. Configure the NAT address pool and specify the IP address range for address translation and the NAT mode of the address pool. For details, see Key Points for Configuring Source NAT.
  4. In the address pool view, specify parameters for port pre-allocation and incremental allocation.

    port-block-size [ extended-times times-num ] [ port-range port1 port2 ]

    In interzone multiple-egress scenarios, the NAT policy used for port pre-allocation and incremental allocation must match only source IP addresses, not destination IP addresses. Otherwise, translation errors may occur.

    Traffic that matches the NAT policy for port pre-allocation and incremental allocation is not matched against any other NAT policy.

    The log sending interface must be an interface in the root system.

  5. Optional: Run the exclude-ip { ip-address1 [ to ip-address2 ] | ip-address1 mask { mask-value | mask-length } } command to exclude IP addresses from an address pool.

    A maximum of 100 address ranges can be excluded from an address pool, and a maximum of 4096 addresses can be excluded from an address range.

  6. Return to the system view.

    quit

  7. Configure the NAT policy and apply port pre-allocation and incremental allocation by referencing the NAT address pool in the policy. For details, see Key Points for Configuring Source NAT.

Configuring the Syslog Service

After configuring port pre-allocation and incremental allocation, configure the syslog service on the FW so that the log server can receive and parse the port pre-allocation and incremental allocation logs.

The FW sends logs to the log server only when a port block is allocated or recycled, not for every session. The log server parses the logs and obtains the following information, which is used in source tracing:
  • Pre-NAT source address
  • Post-NAT source address
  • Port range (port block) allocated to the user
  • Time stamp
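
The allocation mechanism described above (one pre-allocated block per user, extra blocks by incremental allocation, logs only when a block is allocated or recycled) and the source-tracing lookup the log server performs over those logs, as an added Python model. This is example code written for this page, not Huawei's implementation: the record layout (ts=, event=, pre=, post=, ports=), the addresses, the block size of 4 ports, the single extension and the 75% alarm threshold are all constructed for the example, and the names PortBlockPool, trace and demo are the example's own. The real FW emits the syslog formats selected by the commands in the following procedure, so a production parser must be written against that format, not these lines.

```python
"""NAT444 port pre-allocation / incremental allocation model plus source tracing.
Added illustration, not Huawei code: the record layout (ts= event= pre= post=
ports=) is constructed here; the FW emits the syslog formats chosen on this page."""
import re
from collections import namedtuple

Block = namedtuple("Block", "start end")  # end is inclusive

class PortBlockPool:
    """Ports of one post-NAT address handed out in fixed blocks: one pre-allocated
    block per user, then up to extended_times more (port-block-size parameters)."""

    def __init__(self, public_ip, block_size, extended_times, port1, port2, alarm_threshold=80):
        self.public_ip, self.extended_times = public_ip, extended_times
        self.alarm_threshold = alarm_threshold  # percent of blocks in use
        self.free_blocks = [Block(s, s + block_size - 1)
                            for s in range(port1, port2 - block_size + 2, block_size)]
        self.total_blocks, self.alarmed = len(self.free_blocks), False
        self.blocks = {}      # pre-NAT address -> blocks in allocation order
        self.used_ports = {}  # pre-NAT address -> ports with live sessions
        self.log = []         # constructed allocation/release/alarm records

    def _emit(self, event, private_ip, blk, ts):
        self.log.append(f"ts={ts} event={event} pre={private_ip} "
                        f"post={self.public_ip} ports={blk.start}-{blk.end}")

    def _assign_block(self, private_ip, ts):
        if not self.free_blocks:
            return None
        blk = self.free_blocks.pop(0)
        self.blocks.setdefault(private_ip, []).append(blk)
        self._emit("ASSIGN", private_ip, blk, ts)
        used = self.total_blocks - len(self.free_blocks)
        if not self.alarmed and 100 * used // self.total_blocks >= self.alarm_threshold:
            self.alarmed = True  # one alarm when block usage crosses the threshold
            self.log.append(f"ts={ts} event=ALARM post={self.public_ip} "
                            f"blocks_used={used}/{self.total_blocks}")
        return blk

    def new_session(self, private_ip, ts):
        """Translated port for a new session, or None once the user has
        exhausted its pre-allocated and extended blocks (used-up condition)."""
        used = self.used_ports.setdefault(private_ip, set())
        owned = self.blocks.setdefault(private_ip, [])
        if not owned and self._assign_block(private_ip, ts) is None:
            return None  # the address has no free block at all
        for blk in owned:
            for port in range(blk.start, blk.end + 1):
                if port not in used:
                    used.add(port)
                    return port
        if len(owned) - 1 < self.extended_times:  # incremental allocation
            blk = self._assign_block(private_ip, ts)
            if blk is not None:
                used.add(blk.start)
                return blk.start
        return None

    def release(self, private_ip, ts):
        """User goes offline: every block it holds is recycled and logged as FREE."""
        for blk in self.blocks.pop(private_ip, []):
            self._emit("FREE", private_ip, blk, ts)
            self.free_blocks.append(blk)
        self.used_ports.pop(private_ip, None)
        self.free_blocks.sort()  # lowest block is reused first

LINE = re.compile(r"ts=(\d+) event=(ASSIGN|FREE) pre=(\S+) post=(\S+) ports=(\d+)-(\d+)")

def trace(log, public_ip, port, ts):
    """Attribute (post-NAT address, port, time) to a pre-NAT address from block
    records alone: a block is its user's from ASSIGN time until (excluding) FREE time."""
    intervals = {}  # (pre, start, end) -> [[assign_ts, free_ts or None], ...]
    for line in log:
        m = LINE.match(line)
        if not m:
            continue  # ALARM (or keepalive-style) records carry no attribution
        t, event, pre, post, start, end = m.groups()
        if post != public_ip:
            continue
        key = (pre, int(start), int(end))
        if event == "ASSIGN":
            intervals.setdefault(key, []).append([int(t), None])
        else:  # FREE closes the open interval of that block for that user
            for iv in intervals.get(key, []):
                if iv[1] is None:
                    iv[1] = int(t)
    for (pre, start, end), ivs in intervals.items():
        if start <= port <= end:
            for assigned, freed in ivs:
                if assigned <= ts and (freed is None or ts < freed):
                    return pre
    return None

def demo():
    """Constructed scenario: 16 ports in blocks of 4, one extension, 75% alarm."""
    pool = PortBlockPool("203.0.113.10", block_size=4, extended_times=1,
                         port1=1024, port2=1039, alarm_threshold=75)
    alice_ports = [pool.new_session("10.0.0.1", 100 + i) for i in range(5)]
    bob_port = pool.new_session("10.0.0.2", 105)  # third block -> ALARM
    alice_extra = [pool.new_session("10.0.0.1", 106 + i) for i in range(4)]
    pool.release("10.0.0.1", 200)
    carol_port = pool.new_session("10.0.0.3", 201)  # gets Alice's old block
    return {"log": pool.log, "alice_ports": alice_ports, "bob_port": bob_port,
            "alice_extra": alice_extra, "carol_port": carol_port}
```

In the constructed run, the first user fills its pre-allocated block (ports 1024 to 1027), receives one extra block by incremental allocation (1028 to 1031) and then gets None because extended-times is exhausted; the third block allocated on the address raises the usage alarm. The lookup attributes port 1025 at time 102 to 10.0.0.1 and the same port at time 202 to 10.0.0.3, because the block was recycled in between, and returns None at time 200, after the free record and before the reassignment. That is the trade-off of block-level logging: a session is attributed only to the holder of its block at that instant, so both assigning and freeing logs must be collected and the timestamps must be trustworthy, which is why the timestamp and keepalive steps in the procedure matter for source tracing.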

Procedure:

  1. Access the system view.

    system-view

  2. Enable the sending of port block syslogs for allocation and/or release events.

    nat port-block { assigning | freeing } syslog enable

    • assigning: sends a log when a port block is allocated.
    • freeing: sends a log when a port block is released.

  3. Set the timestamp type of the port block syslog header.

    nat port-block syslog header default timestamp { utc | local }

  4. Enable the sending of keepalive logs for port blocks.

    nat port-block keepalive syslog enable

  5. Set the interval at which keepalive logs are sent.

    nat port-block keepalive syslog timer timer

  6. Set the descriptive syslog format for port block logs (cn selects the China Telecom format; unicom selects the China Unicom format).

    nat port-block syslog descriptive format [ cn | unicom ]

    If this command is not run, the default syslog format is France Telecom.

  7. Configure the syslog server that receives port block logs.

    nat port-block syslog host host-address [ host-port ] source source-name source-address source-port

    • host: specifies the address (and optionally the port) of the syslog server.
    • source: specifies the syslog source, that is, the name, address, and port used by the FW when sending the logs.

    In dual-system hot backup networking, this command is not synchronized to the standby device. You must configure it on both the active device and the standby device.

    The sending of syslogs needs to be configured only in the root system. After the configuration is complete, virtual systems send syslogs through the root system.

Configuring the Function of Sending Logs and Alarms When the Port Usage Reaches the Threshold

  1. Access the system view.

    system-view

  2. Configure the function of sending logs and alarms when the port usage reaches the threshold.

    nat port-block used-up alarm enable

  3. Set the alarm threshold for the port usage.

    nat port-block used-up alarm threshold

    When the usage of the ports allocated to users through port pre-allocation or incremental allocation reaches the threshold, the FW sends alarms and logs in syslog format to the log server.

    This function takes effect only when 3-tuple NAT or 3-tuple DS-Lite NAT is configured.

Configuring the Function of Sending Logs and Alarms When the Port Block Usage of an IP Address Reaches the Threshold

  1. Access the system view.

    system-view

  2. Configure the function of sending logs and alarms when the port block usage of an IP address reaches the threshold.

    nat port-block ip-used-up alarm enable

  3. Set an alarm threshold for the port block usage of an IP address.

    nat port-block ip-used-up alarm threshold

    When the port block usage of an IP address reaches the threshold, the FW sends alarms and logs in syslog format to the log server.

Configuring the Concurrent Port Pre-Allocation Mode

  1. Access the system view.

    system-view

  2. Configure the concurrent port pre-allocation mode.

    nat port-block syslog multi-host-mode

Copyright © Huawei Technologies Co., Ltd.