The service-exclude command excludes a service from a policy rule. Traffic with the excluded service will not match the policy.
The undo service-exclude command deletes the excluded service from a policy rule.
| Parameter | Description | Value |
|---|---|---|
| service-name &<1-6> | Specifies the name of a service or service group. | The specified service or service group must exist. You can add or delete a maximum of six services or service groups at a time. |
When a policy rule references services or service groups in its service condition, you can run the service-exclude command to carve a service or service group out of that condition. Traffic with the excluded service will not match the rule; it is therefore evaluated against the rules that follow, rather than being handled by this rule.
Application Scenarios
When configuring a policy, you can reference a service or service group as a matching condition in the policy to implement service-based NAT. For example, suppose two service groups exist: Service_group1 (referencing the DNS and FTP services) and Service_group2 (referencing the BGP, DNS, FTP, and H225 services). NAT must not be performed for traffic that belongs to Service_group1 but must be performed for traffic that belongs to Service_group2, and the NATed traffic must be permitted. Configuration method 1 in the following table assigns different actions to the two service groups in two separate rules. Because rules are matched in order, the no-nat rule for Service_group1 must precede the rule for Service_group2; this method adds rules and increases the policy maintenance workload. Alternatively, configuration method 2 uses the service-exclude command in a single rule. For the services in these groups it has the same effect as method 1 and needs no additional rule. Note the one behavioral difference: traffic excluded by service-exclude does not match this rule and so continues to be evaluated against any later rules in the policy, whereas in method 1 the explicit no-nat rule terminates matching for that traffic.
| Configuration Method | Command |
|---|---|
| Method 1 | `<sysname> system-view`<br>`[sysname] nat-policy`<br>`[sysname-policy-nat] rule name policy_1`<br>`[sysname-policy-nat-rule-policy_1] service Service_group1`<br>`[sysname-policy-nat-rule-policy_1] action no-nat`<br>`[sysname-policy-nat-rule-policy_1] quit`<br>`[sysname-policy-nat] rule name policy_2`<br>`[sysname-policy-nat-rule-policy_2] service Service_group2`<br>`[sysname-policy-nat-rule-policy_2] action source-nat address-group group1` |
| Method 2 | `<sysname> system-view`<br>`[sysname] nat-policy`<br>`[sysname-policy-nat] rule name policy_nat`<br>`[sysname-policy-nat-rule-policy_nat] service-exclude Service_group1`<br>`[sysname-policy-nat-rule-policy_nat] service Service_group2`<br>`[sysname-policy-nat-rule-policy_nat] action source-nat address-group group1` |
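The following Python model is an added example, not Huawei code or device output. It models how a rule's service and service-exclude conditions select traffic, using the two service groups from the scenario above, and checks that method 1 and method 2 yield the same action for every service. It assumes first-match evaluation of rules from top to bottom and that a flow matching no rule is left untranslated (represented here as the action string "no-nat"); the rule, group and action names are taken from the table, and the trailing catch-all rule "policy_any" used in the last check is hypothetical.

```python
"""Model of `service` / `service-exclude` matching in a NAT policy.

Added example, not Huawei code. Assumptions: rules are evaluated top-down and
the first match wins; a flow that matches no rule is not translated ("no-nat").
"""
from dataclasses import dataclass, field

# Service groups constructed to mirror the page's scenario.
SERVICE_GROUPS = {
    "Service_group1": {"dns", "ftp"},
    "Service_group2": {"bgp", "dns", "ftp", "h225"},
}


def expand(names, groups=SERVICE_GROUPS):
    """Resolve service and service-group names to a flat set of services."""
    out = set()
    for n in names:
        out |= groups.get(n, {n})
    return out


@dataclass
class Rule:
    name: str
    action: str
    service: list = field(default_factory=list)          # `service` condition
    service_exclude: list = field(default_factory=list)  # `service-exclude` condition

    def matches(self, svc):
        # An empty `service` condition matches any service; exclusions always apply.
        included = not self.service or svc in expand(self.service)
        return included and svc not in expand(self.service_exclude)


def evaluate(rules, svc):
    """Return (rule name, action) of the first matching rule, or (None, 'no-nat')."""
    for r in rules:
        if r.matches(svc):
            return r.name, r.action
    return None, "no-nat"


# Method 1: two rules, the no-nat rule first.
METHOD_1 = [
    Rule("policy_1", "no-nat", service=["Service_group1"]),
    Rule("policy_2", "source-nat address-group group1", service=["Service_group2"]),
]
# Method 2: one rule with service-exclude.
METHOD_2 = [
    Rule("policy_nat", "source-nat address-group group1",
         service=["Service_group2"], service_exclude=["Service_group1"]),
]
# Hypothetical later rule, used to show where the two methods diverge.
CATCH_ALL = Rule("policy_any", "source-nat address-group group2")


def compare(rules_a, rules_b, services=("bgp", "dns", "ftp", "h225", "ssh")):
    """Map each service to the action each rule set applies; True if identical."""
    a = {s: evaluate(rules_a, s)[1] for s in services}
    b = {s: evaluate(rules_b, s)[1] for s in services}
    return a == b, a, b


if __name__ == "__main__":
    same, a, b = compare(METHOD_1, METHOD_2)
    print("method 1 == method 2:", same)
    for s in a:
        print(f"  {s:5} method1={a[s]:32} method2={b[s]}")
    # Method 1 depends on rule order: with policy_2 first, dns/ftp get NATed.
    print("reversed method 1 == method 2:", compare(METHOD_1[::-1], METHOD_2)[0])
    # Excluded traffic falls through to later rules under method 2 only.
    print("dns with a trailing catch-all rule:",
          evaluate(METHOD_1 + [CATCH_ALL], "dns"),
          evaluate(METHOD_2 + [CATCH_ALL], "dns"))
```

The last check is the one to keep in mind when converting an existing two-rule policy to service-exclude: in method 1 DNS and FTP stop at policy_1, while in method 2 they do not match policy_nat at all and are handed to whatever rule follows.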