Example for Configuring the NAT Function

This section provides an example for configuring the centralized NAT function to implement
multiple-to-multiple translations from internal addresses of enterprise users to external addresses
and allow only PCs on a specified network segment to access the Internet.

Applicable Products and Versions

● This configuration example applies to NE40E-M and NE20E-S routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 routers running V800R012C10 or later versions.

Networking Requirements
On the network shown in Figure 1-79, the device performs NAT so that PCs on the enterprise network can access the Internet. The device connects to the enterprise network through GE 0/1/0 and to the Internet through GE 0/1/1. The enterprise owns five public IP addresses, 1.1.1.101/32 to 1.1.1.105/32.
Figure 1-79 shows the interface IP addresses. The configuration must meet the following requirements:
● Only PCs on the network segment 192.168.10.0/24 can access the Internet.
● Multiple-to-multiple NAT translation is performed between internal and external IP addresses: the private hosts on the segment share the five-address public pool.
Figure 1-79 NAT networking

In this example, interface 1 and interface 2 stand for GE 0/1/0 and GE 0/1/1, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure a NAT traffic policy.

Data Preparation
To complete the configuration, you need the following data:
● service-location backup group index: 1
● service-instance-group service instance group name: group1
● NAT instance name: nat1; NAT instance index: 1
● NAT address pool name for NATA: address-group1; NAT address pool ID: 1; IP address segment: 1.1.1.101 to 1.1.1.105
● ACL number: 3001
● Number and IP address of the interface that applies the NAT traffic policy: GE 0/1/1, 11.2.3.4/24

Procedure

1. Configure basic NAT functions.

Create a NAT instance named nat1 and bind it to the service board.
<HUAWEI> system-view
[~HUAWEI] sysname NATA
[*HUAWEI] commit
[~NATA] service-location 1
[*NATA-service-location-1] location follow-forwarding-mode
[*NATA-service-location-1] commit
[~NATA-service-location-1] quit
[~NATA] service-instance-group group1
[*NATA-service-instance-group-group1] service-location 1
[*NATA-service-instance-group-group1] commit
[~NATA-service-instance-group-group1] quit
[~NATA] nat instance nat1 id 1
[*NATA-nat-instance-nat1] service-instance-group group1
[*NATA-nat-instance-nat1] commit
[~NATA-nat-instance-nat1] quit

Configure a NAT address pool with IP addresses ranging from 1.1.1.101 to 1.1.1.105.
[~NATA] nat instance nat1
[~NATA-nat-instance-nat1] nat address-group address-group1 group-id 1
[*NATA-nat-instance-nat1-nat-address-group-address-group1] section 1 1.1.1.101 1.1.1.105
[*NATA-nat-instance-nat1-nat-address-group-address-group1] commit
[~NATA-nat-instance-nat1-nat-address-group-address-group1] quit
[~NATA-nat-instance-nat1] quit
2. Configure an outbound NAT traffic policy.

Configure ACL 3001 with rule 1, which permits traffic sourced from 192.168.10.0/24. Only hosts matching this ACL are diverted to the NAT instance, so only this segment can access the Internet.
[~NATA] acl 3001
[*NATA-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NATA-acl4-advance-3001] commit
[~NATA-acl4-advance-3001] quit

Bind ACL 3001 to NAT instance nat1 in the view of GE 0/1/1, the Internet-facing interface, and assign the interface an IP address.
[~NATA] interface gigabitEthernet 0/1/1
[~NATA-GigabitEthernet0/1/1] ip address 11.2.3.4 24
[*NATA-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NATA-GigabitEthernet0/1/1] commit
[~NATA-GigabitEthernet0/1/1] quit

Assign an IP address to GE 0/1/0, the interface facing the enterprise network.
[~NATA] interface gigabitEthernet 0/1/0
[~NATA-GigabitEthernet0/1/0] ip address 192.168.10.1 24
[*NATA-GigabitEthernet0/1/0] commit
[~NATA-GigabitEthernet0/1/0] quit
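ACL 3001 selects NAT users by source address with a VRP wildcard mask, where a 0 bit must match and a 1 bit is ignored. The following Python model is an added example, not part of the Huawei documentation: it evaluates rule 1 of ACL 3001 against sample sources and contrasts it with a constructed misconfiguration in which a subnet mask (255.255.255.0) is typed where a wildcard is expected. The function names, the sample sources and the "no-match" outcome for unmatched traffic are the example's own.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP-style wildcard test: a 0 bit in the wildcard means the corresponding
    bit of addr must equal the bit in base; a 1 bit is 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Modelled on "acl 3001 / rule 1 permit ip source 192.168.10.0 0.0.0.255".
# Each rule: (rule id, action, source base, source wildcard).
ACL_3001 = [(1, "permit", "192.168.10.0", "0.0.0.255")]

# Constructed misconfiguration (not on the page): a subnet mask typed where VRP
# expects a wildcard. Only the last octet is compared, so the rule no longer
# describes 192.168.10.0/24 at all.
ACL_3001_MASK_TYPO = [(1, "permit", "192.168.10.0", "255.255.255.0")]

def acl_decision(rules, src: str) -> str:
    """First-match evaluation. A source matching no rule returns 'no-match';
    in the page's design such traffic is not diverted to the NAT instance."""
    for _rule_id, action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action
    return "no-match"

def nat_users(rules, sources):
    """Sources that the ACL would hand to the NAT instance."""
    return [s for s in sources if acl_decision(rules, s) == "permit"]

if __name__ == "__main__":
    # Constructed sample sources: two on the permitted segment, one on another
    # internal segment, one that merely ends in .0 on an unrelated network.
    sample = ["192.168.10.100", "192.168.10.1", "192.168.11.5", "10.9.8.0"]
    print("correct wildcard      :", nat_users(ACL_3001, sample))
    print("mask typed as wildcard:", nat_users(ACL_3001_MASK_TYPO, sample))
```

With the correct wildcard only the two 192.168.10.x hosts are selected; with the mask typo the intended hosts are silently excluded and an unrelated address ending in .0 is selected instead. When reviewing a configuration file, check that the zero bits of the wildcard sit where the network bits of the intended segment are.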

Verify the configuration.

# Display NAT user information on the service board in slot 9.
[~NATA] display nat user-information slot 9 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 1.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.10.100
User ID : -
VPN Instance : -
Address Group : address-group1
NoPAT Address Group : -
NAT Instance : nat1
Public IP : 1.1.1.102
NoPAT Public IP : -
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable : NULL
Aging Time(s) : -
Left Time(s) : -
Session Limit Discard Count : 0
-->Transmit Packets : 1046632
-->Transmit Bytes : 90409306
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
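The verbose user entry above is what an operator polls to confirm the translation is healthy: the public IP must come from address-group1, the forward (-->) and reverse (<--) drop counters should stay at zero, no sessions should be discarded at the per-user limit, and session usage should stay well below the limit. The following Python parser and audit is an added example, not part of the Huawei documentation. It reads that output format (the embedded sample is constructed from the values shown above), returns findings per CPE IP, and treats 80% of the session limit as a constructed high-water mark; the function names and finding texts are the example's own.

```python
import ipaddress
import re

# Constructed sample built from the values in the "display nat user-information
# slot 9 verbose" output shown above; label spacing follows that output.
SAMPLE_OUTPUT = """\
Slot: 9
Total number: 1.
---------------------------------------------------------------------------
User Type                              : NAT444
CPE IP                                 : 192.168.10.100
User ID                                : -
VPN Instance                           : -
Address Group                          : address-group1
NoPAT Address Group                    : -
NAT Instance                           : nat1
Public IP                              : 1.1.1.102
NoPAT Public IP                        : -
Total/TCP/UDP/ICMP Session Limit       : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current     : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit   : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current : 0/0/0/0
Nat ALG Enable                         : NULL
Aging Time(s)                          : -
Left Time(s)                           : -
Session Limit Discard Count            : 0
-->Transmit Packets                    : 1046632
-->Transmit Bytes                      : 90409306
-->Drop Packets                        : 0
<--Transmit Packets                    : 0
<--Transmit Bytes                      : 0
<--Drop Packets                        : 0
---------------------------------------------------------------------------
"""

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

def parse_user_entries(text: str) -> list:
    """Split the output into one dict per user; dashed lines delimit records."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("-----"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD.match(line)
        if m and m.group(1) not in ("Slot", "Total number"):
            current[m.group(1)] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries

def counters(field: str) -> dict:
    """'8192/10240/10240/512' -> {'total': 8192, 'tcp': 10240, 'udp': 10240, 'icmp': 512}."""
    return dict(zip(("total", "tcp", "udp", "icmp"), (int(x) for x in field.split("/"))))

def audit_user(entry: dict, pool: tuple, instance: str, high_water: float = 0.8) -> list:
    """Findings for one user record, checked against the configured pool
    (first, last) and NAT instance name; empty list means healthy."""
    findings = []
    lo, hi = (int(ipaddress.IPv4Address(p)) for p in pool)
    pub = int(ipaddress.IPv4Address(entry["Public IP"]))
    if not lo <= pub <= hi:
        findings.append(f"public IP {entry['Public IP']} is outside the pool {pool[0]}-{pool[1]}")
    if entry["NAT Instance"] != instance:
        findings.append(f"user is served by instance {entry['NAT Instance']}, expected {instance}")
    for arrow in ("-->", "<--"):
        if int(entry[arrow + "Drop Packets"]) > 0:
            findings.append(f"{arrow} dropped {entry[arrow + 'Drop Packets']} packets")
    if int(entry["Session Limit Discard Count"]) > 0:
        findings.append("new sessions were discarded at the per-user session limit")
    limit = counters(entry["Total/TCP/UDP/ICMP Session Limit"])
    cur = counters(entry["Total/TCP/UDP/ICMP Session Current"])
    if cur["total"] >= high_water * limit["total"]:
        findings.append(f"session usage {cur['total']}/{limit['total']}")
    return findings

def audit_output(text: str, pool: tuple, instance: str) -> dict:
    """CPE IP -> list of findings, for every user record in the output."""
    return {e["CPE IP"]: audit_user(e, pool, instance) for e in parse_user_entries(text)}

if __name__ == "__main__":
    print(audit_output(SAMPLE_OUTPUT, ("1.1.1.101", "1.1.1.105"), "nat1"))
```

The sample entry produces no findings: 1.1.1.102 lies in address-group1, both drop counters are zero and one session is in use out of 8192. Feed the same parser the output of a scheduled poll to catch a user that lands outside the pool or starts discarding sessions.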

Configuration Files

NATA configuration file
#
sysname NATA
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1
section 1 1.1.1.101 1.1.1.105
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 11.2.3.4 255.255.255.0
nat bind acl 3001 instance nat1
#

return

Example for Configuring Outbound NAT Traffic Diversion, Easy IP, and the Hairpin Function

This section provides an example for configuring NAT easy IP on an outbound interface together with the hairpin function. The combination allows internal hosts to access the Internet through outbound NAT and to reach an internal server, published in easy IP mode on the same device, by its public address.

Applicable Products and Versions

● This configuration example applies to NE40E-M and NE20E-S routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 routers running V800R012C10 or later versions.

Networking Requirements
In Figure 1-80, a host on a private network is connected to the Internet through a router on which NAT traffic diversion on an outbound interface is configured. The host uses a public IP address to access an internal server that is published in easy IP mode on the same NAT device. The router connects to the private network through GE 0/1/0 and to the Internet through GE 0/1/1. The public IP addresses 11.1.1.2/32 and 11.1.1.3/32 are available.
Figure 1-80 shows the interface IP addresses. The configuration requirements are as follows:
● The host 10.1.1.4 on the private network can access the Internet.
● The host 10.1.1.4 can access the internal server 10.1.1.254 by the server's public address, that is, the address of GE 0/1/1 used in easy IP mode, even though host and server are both on the private side of the same NAT device (hairpin).
Figure 1-80 Scenario in which NAT traffic diversion on an outbound interface, easy IP, and the hairpin function are configured

In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a NAT instance.
2. Configure an internal server in easy IP mode.
3. Bind the outbound interfaces to the NAT instance.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● NAT Device's NAT address pool name (address-group1), address pool number (1), and range of public IP addresses (11.1.1.2 and 11.1.1.3)
● ACL number (3001): rule 1 matches traffic that the private network host sends to the Internet; rule 2 matches TCP traffic sourced from the internal server, the server side of the hairpin flow
● Name and IP address of each interface to which a NAT traffic diversion policy is applied: GE 0/1/1 with 11.1.1.1/24 and GE 0/1/0 with 10.1.1.2/24

Procedure

1. Configure basic NAT functions.

Configure a NAT instance named nat1 and bind it to the service board.
[~NAT Device] service-location 1
[*NAT Device-service-location-1] location follow-forwarding-mode
[*NAT Device-service-location-1] commit
[~NAT Device-service-location-1] quit
[~NAT Device] service-instance-group group1
[*NAT Device-service-instance-group-group1] service-location 1
[*NAT Device-service-instance-group-group1] commit
[~NAT Device-service-instance-group-group1] quit
[~NAT Device] nat instance nat1 id 1
[*NAT Device-nat-instance-nat1] service-instance-group group1
[*NAT Device-nat-instance-nat1] commit
[~NAT Device-nat-instance-nat1] quit

Configure a NAT address pool containing the public IP addresses 11.1.1.2 and 11.1.1.3.
[~NAT Device] nat instance nat1
[~NAT Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.1.1.2 11.1.1.3
[*NAT Device-nat-instance-nat1] commit
[~NAT Device-nat-instance-nat1] quit


2. Configure an internal server in easy IP mode.

Assign an IP address to the public network interface; in easy IP mode this interface address is the one the internal server is published on.
[~NAT Device] interface gigabitEthernet 0/1/1
[~NAT Device-GigabitEthernet0/1/1] ip address 11.1.1.1 255.255.255.0
[*NAT Device-GigabitEthernet0/1/1] commit
[~NAT Device-GigabitEthernet0/1/1] quit

Publish the internal server 10.1.1.254, which listens on TCP port 80, on TCP port 80 of the GE 0/1/1 address. "global unnumbered interface" ties the mapping to the interface address instead of a fixed public IP, which is what easy IP means here; only TCP port 80 is exposed.
[~NAT Device] nat instance nat1
[~NAT Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet0/1/1 80 inside 10.1.1.254 80
[*NAT Device-nat-instance-nat1] commit
[~NAT Device-nat-instance-nat1] quit


3. Configure a NAT traffic diversion policy on an outbound interface.

Configure ACL 3001: rule 1 matches traffic that the private network host 10.1.1.4 sends, and rule 2 matches TCP traffic sourced from the internal server 10.1.1.254 so that the server side of the hairpin flow is also handled by the NAT instance.
[~NAT Device] acl 3001
[*NAT Device-acl4-advance-3001] rule 1 permit ip source 10.1.1.4 0.0.0.0
[*NAT Device-acl4-advance-3001] rule 2 permit tcp source 10.1.1.254 0.0.0.0
[*NAT Device-acl4-advance-3001] commit
[~NAT Device-acl4-advance-3001] quit

Bind the ACL to the NAT instance on the public network outbound interface.
[~NAT Device] interface gigabitEthernet 0/1/1
[~NAT Device-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NAT Device-GigabitEthernet0/1/1] commit
[~NAT Device-GigabitEthernet0/1/1] quit

Bind the same ACL to the NAT instance on the private network interface and assign the interface an IP address.
[~NAT Device] interface gigabitEthernet 0/1/0
[~NAT Device-GigabitEthernet0/1/0] ip address 10.1.1.2 255.255.255.0
[*NAT Device-GigabitEthernet0/1/0] nat bind acl 3001 instance nat1
[*NAT Device-GigabitEthernet0/1/0] commit
[~NAT Device-GigabitEthernet0/1/0] quit

Configuration File

#
sysname NAT Device
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
acl number 3001
rule 1 permit ip source 10.1.1.4 0.0.0.0
rule 2 permit tcp source 10.1.1.254 0.0.0.0
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 11.1.1.2 11.1.1.3
nat server protocol tcp global unnumbered interface GigabitEthernet0/1/1 80 inside 10.1.1.254 80
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 11.1.1.1 255.255.255.0
nat bind acl 3001 instance nat1
#
return
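In the hairpin flow above, the host 10.1.1.4 addresses the server by the public interface address 11.1.1.1 and the device must translate the destination (to 10.1.1.254) and the source (onto the address pool) of the same packet, and undo both on the server's reply. The following Python model is an added example, not the router's code: it walks one TCP exchange through a minimal NAT instance with the page's addresses and shows what breaks if only the destination is translated. The pool address choice (first pool address), the port allocator starting at 1024, the client port 40000 and the omission of ACL evaluation and session timers are the example's own simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatInstance:
    """Simplified model of one NAT instance: a public pool for source
    translation plus a static server map (the 'nat server' entry) for
    destination translation. Not the device's implementation."""

    def __init__(self, pool, server_map):
        self.pool = list(pool)               # e.g. ["11.1.1.2", "11.1.1.3"]
        self.server_map = dict(server_map)   # (proto, public ip, public port) -> (inside ip, inside port)
        self.sessions = {}                   # (proto, pool ip, pool port) -> original 4-tuple
        self._next_port = 1024               # PAT port allocator (model's own choice)

    def outbound(self, pkt: Packet) -> Packet:
        """A packet from the private side that the ACL diverted to this instance."""
        dst, dport = pkt.dst, pkt.dport
        # Destination NAT: the host addressed the server's public (interface)
        # address and port, so redirect it to the inside server.
        if (pkt.proto, pkt.dst, pkt.dport) in self.server_map:
            dst, dport = self.server_map[(pkt.proto, pkt.dst, pkt.dport)]
        # Source NAT onto the pool; the session records what to undo on the reply.
        pool_ip, pool_port = self.pool[0], self._next_port
        self._next_port += 1
        self.sessions[(pkt.proto, pool_ip, pool_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, pool_ip, pool_port, dst, dport)

    def reverse(self, pkt: Packet):
        """A reply addressed to a pool address: restore the host and the public
        destination the host originally used. None if no session exists."""
        orig = self.sessions.get((pkt.proto, pkt.dst, pkt.dport))
        if orig is None:
            return None
        host, host_port, public_dst, public_dport = orig
        return Packet(pkt.proto, public_dst, public_dport, host, host_port)

def reply_accepted_by_host(request: Packet, reply: Packet) -> bool:
    """A TCP endpoint only matches a reply whose source is the destination it
    connected to; this is what fails when only the destination is translated."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (request.dst, request.dport, request.src, request.sport)

def hairpin_exchange():
    """Host 10.1.1.4 opens TCP/80 to 11.1.1.1 (the GE 0/1/1 easy-IP address).
    Returns (packet the server sees, packet the host gets back)."""
    nat = NatInstance(pool=["11.1.1.2", "11.1.1.3"],
                      server_map={("tcp", "11.1.1.1", 80): ("10.1.1.254", 80)})
    request = Packet("tcp", "10.1.1.4", 40000, "11.1.1.1", 80)   # constructed client port
    to_server = nat.outbound(request)
    # The server answers the pool address it saw, not the host, so the reply
    # must pass back through the instance (ACL 3001 rule 2 matches this traffic).
    server_reply = Packet("tcp", to_server.dst, to_server.dport, to_server.src, to_server.sport)
    return to_server, nat.reverse(server_reply)

def hairpin_without_source_nat() -> bool:
    """Same request with only destination NAT: the server replies straight to
    10.1.1.4 from 10.1.1.254, an address the host never connected to."""
    request = Packet("tcp", "10.1.1.4", 40000, "11.1.1.1", 80)
    to_server = Packet("tcp", request.src, request.sport, "10.1.1.254", 80)
    direct_reply = Packet("tcp", to_server.dst, to_server.dport, to_server.src, to_server.sport)
    return reply_accepted_by_host(request, direct_reply)

if __name__ == "__main__":
    to_server, to_host = hairpin_exchange()
    print("server sees :", to_server)
    print("host receives:", to_host)
    print("accepted without source NAT:", hairpin_without_source_nat())
```

The server sees a connection from 11.1.1.2:1024 and answers it there; the instance then hands the host a reply from 11.1.1.1:80, the endpoint it connected to. Without the source translation the reply arrives from 10.1.1.254:80 and the host's TCP stack has no matching connection, which is why the server's traffic must also be matched (rule 2) and bound on the private interface.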

Example for Configuring the Internal Server Through 1:1 NAT (On-board Scenario)
This section provides an example for configuring an internal server through 1:1 NAT. By specifying an internal NAT server and configuring the mapping between the server's private IP address (and port) and its public IP address (and port), external hosts can reach the internal server.

Applicable Products and Versions

● This configuration example applies to NE40E-M and NE20E-S routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 routers running V800R012C10 or later versions.

Networking Requirements
On the network shown in Figure 1-81, the device performs the NAT function to help PCs within
the enterprise network access the Internet. The device uses the GE 0/1/0 interface to connect to
an internal network and the GE 0/1/1 interface to connect to the Internet.
The internal network address of the enterprise network is 192.168.0.0/16. The internal server
address is 192.168.10.10/24. Only PCs on the network segment of 192.168.10.0/24 can access
the Internet. External PCs can access the internal server. The enterprise has five valid IP
addresses ranging from 11.11.11.101/24 to 11.11.11.105/24. The internal server of the enterprise
has an independent public address 11.11.11.100. The internal server can be accessed from the
external network address 13.13.13.2 through 1:1 NAT.
Figure 1-81 Networking of the internal NAT server

The configurations in this example are mainly performed on NAT A and Device B.
In this example, interface 1, interface 2, and interface 3 stand for GE 0/1/0, GE 0/1/1, and GE
0/1/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic functions of NAT.
2. Configure a NAT traffic policy.
3. Configure an internal NAT server.

Data Preparation
To complete the configuration, you need the following data:
● service-location backup group index: 1
● service-instance-group service instance group name: group1
● NAT instance name: nat1; NAT instance index: 1
● NAT address pool name for NAT A: address-group1; NAT address pool ID: 1; IP
address segment: 11.11.11.101 to 11.11.11.105
● ACL number: 3001
● Traffic classifier name: classifier1
● Traffic behavior name: behavior1
● Traffic policy name: policy1
● Number and IP address of the interface that applies the NAT traffic policy: 0/1/0,
192.168.10.1/24
● Private IP address of the internal NAT server: 192.168.10.10; public IP address of the
internal NAT server: 11.11.11.100

Procedure

1. Configure basic functions of NAT.

Create a NAT instance named nat1 and bind it to the service board.
<HUAWEI> system-view
[~HUAWEI] sysname NATA
[*HUAWEI] commit
[~NATA] service-location 1
[*NATA-service-location-1] location follow-forwarding-mode
[*NATA-service-location-1] commit
[~NATA-service-location-1] quit
[~NATA] service-instance-group group1
[*NATA-service-instance-group-group1] service-location 1
[*NATA-service-instance-group-group1] commit
[~NATA-service-instance-group-group1] quit
[~NATA] nat instance nat1 id 1
[*NATA-nat-instance-nat1] service-instance-group group1
[*NATA-nat-instance-nat1] commit
[~NATA-nat-instance-nat1] quit

Configure a NAT address pool with IP addresses ranging from 11.11.11.101 to 11.11.11.105.
[~NATA] nat instance nat1
[~NATA-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
[*NATA-nat-instance-nat1] commit
[~NATA-nat-instance-nat1] quit
2. Configure a NAT traffic policy.

Configure ACL 3001 with rule 1, which permits source 192.168.10.0/24, so that only PCs on that segment are diverted to the NAT instance and can access the Internet.
[~NATA] acl 3001
[*NATA-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NATA-acl4-advance-3001] commit
[~NATA-acl4-advance-3001] quit
Configure a traffic classifier named classifier1 and define an ACL-based matching rule.
[~NATA] traffic classifier classifier1
[*NATA-classifier-classifier1] if-match acl 3001
[*NATA-classifier-classifier1] commit
[~NATA-classifier-classifier1] quit

Configure a traffic behavior named behavior1 and bind it to the NAT instance.
[~NATA] traffic behavior behavior1
[*NATA-behavior-behavior1] nat bind instance nat1
[*NATA-behavior-behavior1] commit
[~NATA-behavior-behavior1] quit

Define a NAT traffic policy named policy1 to associate the ACL rule with the traffic behavior.
[~NATA] traffic policy policy1
[*NATA-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[*NATA-trafficpolicy-policy1] commit
[~NATA-trafficpolicy-policy1] quit

Apply the NAT traffic policy inbound on GE 0/1/0, the interface facing the internal network, and assign the interface an IP address.
[~NATA] interface gigabitEthernet 0/1/0
[~NATA-GigabitEthernet0/1/0] ip address 192.168.10.1 24
[*NATA-GigabitEthernet0/1/0] traffic-policy policy1 inbound
[*NATA-GigabitEthernet0/1/0] commit
[~NATA-GigabitEthernet0/1/0] quit

Configure the IP address of GE 0/1/1.
[~NATA] interface gigabitEthernet 0/1/1
[~NATA-GigabitEthernet0/1/1] ip address 12.12.12.1 24
[*NATA-GigabitEthernet0/1/1] commit
[~NATA-GigabitEthernet0/1/1] quit

3. Map the internal server address 192.168.10.10 to the public address 11.11.11.100. No protocol or port is specified, so the mapping is at address level: it gives a 1:1 relationship between the public and private IP addresses, and every protocol and port of the server becomes reachable through the public address.
[~NATA] nat instance nat1
[~NATA-nat-instance-nat1] nat server global 11.11.11.100 inside 192.168.10.10
[*NATA-nat-instance-nat1] commit
[~NATA-nat-instance-nat1] quit

Verify the configuration.

# Run the display nat server-map command. The output shows the mapping between the public and private IP addresses of the NAT server in both directions.
<NATA> display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server:192.168.10.10[11.11.11.100]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.10.10

NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server reverse:ANY->11.11.11.100[192.168.10.10]
Tag:0x0, TTL:-, Left-Time:-

CPE IP:192.168.10.10

Configuration Files

NAT A configuration file
#
sysname NATA
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
nat server global 11.11.11.100 inside 192.168.10.10
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
traffic classifier classifier1 operator or
if-match acl 3001
#
traffic behavior behavior1
nat bind instance nat1
#
traffic policy policy1
classifier classifier1 behavior behavior1 precedence 1
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 192.168.10.1 255.255.255.0
traffic-policy policy1 inbound
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 12.12.12.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 12.12.12.0 0.0.0.255
#
return

Device B configuration file
#
sysname DeviceB
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 13.13.13.1 255.255.255.0
#
interface GigabitEthernet 0/1/2
undo shutdown
ip address 12.12.12.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 12.12.12.0 0.0.0.255
network 13.13.13.0 0.0.0.255
#
return
Example for Configuring Bidirectional NAT
This section provides an example for configuring bidirectional NAT on an enterprise network. Both the source and the destination addresses of traffic between two internal servers are translated, so that each server sees only the other's public address and neither server's private address is exposed. A networking diagram is provided to help you understand the configuration procedure.

Applicable Products and Versions

● This configuration example applies to NE40E-M and NE20E-S routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 routers running V800R012C10 or later versions.

Networking Requirements
On the network shown in Figure 1-82, the device translates private IP address of servers A and B
to public IP addresses before the servers communicate with the Internet. When server A
attempts to access server B, server A sends a packet with a private source IP address of
10.78.1.2 and the destination IP address of 11.11.11.1 (server B's public address). When server
B attempts to access server A, server B sends a packet with a private source IP address of
10.67.1.2 and the destination IP address of 11.11.11.2 (server A's public address).
Figure 1-82 Bidirectional NAT networking

In this example, interface 1 and interface 2 are GE 0/1/1 and GE 0/1/0, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a NAT instance and associate a service board with the NAT instance.
2. Configure a mapping between the NAT address pool, internal servers' private IP
addresses, and public addresses.
3. Configure an outbound NAT traffic distribution policy.
Data Preparation
To complete the configuration, you need the following data:
● service-location backup group index: 1
● service-instance-group service instance group name: group1
● NAT instance names and indexes: nata with index 1; natb with index 2
● NAT A's address pools: address-groupa (group ID 111, 11.1.1.1 to 11.1.1.10) and address-groupb (group ID 112, 11.1.1.11 to 11.1.1.20)
● Server public IP addresses: 11.11.11.2 for server A (private address 10.78.1.2) and 11.11.11.1 for server B (private address 10.67.1.2)
● ACL numbers: 2464 and 2465
● Names and IP addresses of the interfaces to which an outbound NAT traffic diversion policy applies: GE 0/1/1 with IP address 10.78.1.1/24 and GE 0/1/0 with IP address 10.67.1.1/24

Procedure

1. Create a NAT instance and associate a service board with the NAT instance.
<HUAWEI> system-view
[~HUAWEI] sysname NATA
[*HUAWEI] commit
[~NATA] service-location 1
[*NATA-service-location-1] location follow-forwarding-mode
[*NATA-service-location-1] commit
[~NATA-service-location-1] quit
[~NATA] service-instance-group group1
[*NATA-service-instance-group-group1] service-location 1
[*NATA-service-instance-group-group1] commit
[~NATA-service-instance-group-group1] quit
[~NATA] nat instance nata id 1
[*NATA-nat-instance-nata] service-instance-group group1
[*NATA-nat-instance-nata] commit
[~NATA-nat-instance-nata] quit
[~NATA] nat instance natb id 2
[*NATA-nat-instance-natb] service-instance-group group1
[*NATA-nat-instance-natb] commit
[~NATA-nat-instance-natb] quit

2. Configure a mapping between the NAT address pool, internal servers' private IP addresses, and public addresses. The nat server entries are restricted to UDP (protocol udp), so only UDP traffic reaches a server through its public address.
# In the view of the NAT instance nata, configure an address pool named address-groupa with IP addresses 11.1.1.1 to 11.1.1.10, and map server A's private IP address 10.78.1.2 to the public IP address 11.11.11.2.
[~NATA] nat instance nata
[~NATA-nat-instance-nata] nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10
[*NATA-nat-instance-nata] nat server protocol udp global 11.11.11.2 inside 10.78.1.2
[*NATA-nat-instance-nata] commit
[~NATA-nat-instance-nata] quit
# In the view of the NAT instance natb, configure an address pool named address-groupb with IP addresses 11.1.1.11 to 11.1.1.20, and map server B's private IP address 10.67.1.2 to the public IP address 11.11.11.1.
[~NATA] nat instance natb
[~NATA-nat-instance-natb] nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20
[*NATA-nat-instance-natb] nat server protocol udp global 11.11.11.1 inside 10.67.1.2
[*NATA-nat-instance-natb] commit
[~NATA-nat-instance-natb] quit
3. Configure an outbound NAT traffic policy.

# Configure ACL 2464 with rule 5, which permits source 10.78.1.0/24 (server A's segment), so that only hosts on that segment are translated by the instance it is bound with.
[~NATA] acl number 2464
[*NATA-acl4-basic-2464] rule 5 permit source 10.78.1.0 0.0.0.255
[*NATA-acl4-basic-2464] commit
[~NATA-acl4-basic-2464] quit
# Configure ACL 2465 with rule 5, which permits source 10.67.1.0/24 (server B's segment).
[~NATA] acl number 2465
[*NATA-acl4-basic-2465] rule 5 permit source 10.67.1.0 0.0.0.255
[*NATA-acl4-basic-2465] commit
[~NATA-acl4-basic-2465] quit

Apply the outbound NAT traffic diversion policy to GE 0/1/0 and GE 0/1/1.
# Bind ACL 2464 and the NAT instance nata to GE 0/1/0.
[~NATA] interface GigabitEthernet0/1/0
[~NATA-GigabitEthernet0/1/0] ip address 10.67.1.1 24
[*NATA-GigabitEthernet0/1/0] nat bind acl 2464 instance nata
[*NATA-GigabitEthernet0/1/0] commit
[~NATA-GigabitEthernet0/1/0] quit
# Bind ACL 2465 and the NAT instance natb to GE 0/1/1.
[~NATA] interface GigabitEthernet0/1/1
[~NATA-GigabitEthernet0/1/1] ip address 10.78.1.1 24
[*NATA-GigabitEthernet0/1/1] nat bind acl 2465 instance natb
[*NATA-GigabitEthernet0/1/1] commit
[~NATA-GigabitEthernet0/1/1] quit
Verify the configuration.
# View the NAT instance configuration.
[~NATA] display nat instance
nat instance nata id 1
service-instance-group group1
nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10
nat server protocol udp global 11.11.11.2 inside 10.78.1.2
nat instance natb id 2
service-instance-group group1
nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20
nat server protocol udp global 11.11.11.1 inside 10.67.1.2
# Run the display nat server-map command. The output shows the forward and reverse mappings between the public and private IP addresses of each NAT server.
[~NATA] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 4.
NAT Instance: nata
Protocol:UDP, VPN:--->-
Server:10.78.1.2[11.11.11.2]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.78.1.2
NAT Instance: nata
Protocol:UDP, VPN:--->-
Server reverse:ANY->11.11.11.2[10.78.1.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.78.1.2

NAT Instance: natb
Protocol:UDP, VPN:--->-
Server:10.67.1.2[11.11.11.1]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.67.1.2
NAT Instance: natb
Protocol:UDP, VPN:--->-
Server reverse:ANY->11.11.11.1[10.67.1.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.67.1.2
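The display nat server-map output, both here (Protocol:UDP) and in the 1:1 NAT example above (Protocol:ANY), is the place to audit what a device exposes through static server mappings. The following Python parser and audit is an added example, not part of the Huawei documentation: it reads the two entry forms shown on this page (Server: and Server reverse:), flags forward mappings whose protocol is ANY (every protocol and port of the inside host is reachable, which is the 1:1 example's intent but worth a deliberate review), forward entries with no reverse counterpart, and public addresses that collide with a dynamic address pool. The embedded sample is constructed from the values shown on this page; the function names and finding texts are the example's own.

```python
import ipaddress
import re

# Constructed sample combining the "display nat server-map" outputs shown in the
# 1:1 NAT example (Protocol:ANY) and in this bidirectional example (Protocol:UDP).
SAMPLE = """\
Slot: 9
Total number: 4.
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server:192.168.10.10[11.11.11.100]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.10.10

NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server reverse:ANY->11.11.11.100[192.168.10.10]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.10.10

NAT Instance: nata
Protocol:UDP, VPN:--->-
Server:10.78.1.2[11.11.11.2]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.78.1.2

NAT Instance: nata
Protocol:UDP, VPN:--->-
Server reverse:ANY->11.11.11.2[10.78.1.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:10.78.1.2
"""

FORWARD = re.compile(r"^Server:(\S+?)\[(\S+?)\]->")
REVERSE = re.compile(r"^Server reverse:\S+?->(\S+?)\[(\S+?)\]")

def parse_server_map(text: str) -> list:
    """One dict per entry: instance, protocol, direction, inside, public."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NAT Instance:"):
            cur = {"instance": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif line.startswith("Protocol:"):
            cur["protocol"] = line.split(",", 1)[0].split(":", 1)[1].strip()
        elif (m := FORWARD.match(line)):
            cur.update(direction="forward", inside=m.group(1), public=m.group(2))
        elif (m := REVERSE.match(line)):
            cur.update(direction="reverse", public=m.group(1), inside=m.group(2))
    return entries

def in_range(ip: str, first: str, last: str) -> bool:
    return int(ipaddress.IPv4Address(first)) <= int(ipaddress.IPv4Address(ip)) <= int(ipaddress.IPv4Address(last))

def audit_server_map(entries: list, dynamic_pools: dict) -> list:
    """Findings: forward mappings exposing every protocol and port, forward
    mappings without a matching reverse entry, and public addresses that
    fall inside a dynamic pool given as {name: (first, last)}."""
    findings = []
    reverse = {(e["instance"], e["public"], e["inside"]) for e in entries if e.get("direction") == "reverse"}
    for e in (e for e in entries if e.get("direction") == "forward"):
        tag = f"{e['instance']}: {e['inside']} -> {e['public']}"
        if e["protocol"] == "ANY":
            findings.append(f"{tag} exposes every protocol and port of the inside host")
        if (e["instance"], e["public"], e["inside"]) not in reverse:
            findings.append(f"{tag} has no reverse entry")
        for name, (first, last) in dynamic_pools.items():
            if in_range(e["public"], first, last):
                findings.append(f"{tag} overlaps dynamic pool {name}")
    return findings

if __name__ == "__main__":
    pools = {"address-group1": ("11.11.11.101", "11.11.11.105"),
             "address-groupa": ("11.1.1.1", "11.1.1.10")}
    for finding in audit_server_map(parse_server_map(SAMPLE), pools):
        print(finding)
```

On the sample the only finding is the address-level mapping of 192.168.10.10: the UDP-only mappings of the bidirectional example pass, and neither public address overlaps a dynamic pool. Where an exposed server needs only one service, prefer a protocol-and-port mapping as in the easy IP example (nat server protocol tcp ... 80).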

Configuration Files

NAT A configuration file

#
sysname NATA
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nata id 1
service-instance-group group1
nat address-group address-groupa group-id 111 11.1.1.1 11.1.1.10
nat server protocol udp global 11.11.11.2 inside 10.78.1.2
nat instance natb id 2
service-instance-group group1
nat address-group address-groupb group-id 112 11.1.1.11 11.1.1.20
nat server protocol udp global 11.11.11.1 inside 10.67.1.2
#
acl number 2464
rule 5 permit source 10.78.1.0 0.0.0.255
#
acl number 2465
rule 5 permit source 10.67.1.0 0.0.0.255
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.78.1.1 255.255.255.0
undo dcn
nat bind acl 2465 instance natb
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 10.67.1.1 255.255.255.0
undo dcn
nat bind acl 2464 instance nata
#

return

Example for Configuring Static NAT Source Tracing

This section provides an example for configuring static NAT source tracing in an enterprise: a fixed algorithm maps each private IP address to a public IP address and port block, so that several private hosts share one public address and the private source can be traced back from a public address and port, and only PCs on a specified network segment can access the Internet.

Applicable Products and Versions


This configuration applies to NE40E and ME60 routers running V800R010C00 or later.

Networking Requirements
On the network shown in Figure 1-83, the PCs in an enterprise use the CPE to perform NAT and are then connected to the BRAS. The BRAS is connected to the RADIUS server. The CR is connected to the NAT device in bypass mode for IPv4 network access. The NAT device is connected to the CR through GE 0/2/0. The enterprise has 100 public IP addresses ranging from 11.11.11.1/24 to 11.11.11.100/24.
The configuration requirement is as follows:
● Only PCs with addresses 10.0.0.1 to 10.0.0.255 on the 10.0.0.0/24 segment can access the Internet.
Figure 1-83 Static NAT source tracing

In this example, interface 1 is GE 0/2/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service-instance-group service instance group.
2. Configure a NAT instance named nat1 and bind it to the NAT service board.
3. Configure the static NAT source tracing algorithm mapping.
4. Bind the static NAT source tracing mapping to the NAT instance.
5. Configure a traffic classification rule and NAT behavior.

Data Preparation
To complete the configuration, you need the following data:
● Index of the service-location backup group: 1; name of the service-instance-group service instance group: group1; index of the NAT instance named nat1: 1
● Numbers of the private and public address pools for static NAT source tracing: inside-pool 1 and global-pool 1; static mapping ID: 10
● Interface that applies the NAT traffic policy: GE 0/2/0
● Private network address segment for static NAT source tracing: 10.0.0.1 to 10.0.0.255; public network address segment for static NAT source tracing: 11.11.11.1 to 11.11.11.100
● Port number range for the public address pool: 256 to 1023; port segment size: 256
● ACL number: 3001; traffic classifier name: c1; traffic behavior name: b1; traffic policy name: p1

Procedure

1. Configure a service-instance-group service instance group.
<HUAWEI> system-view
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 1 engine 0
[*HUAWEI-service-location-1] commit
[~HUAWEI-service-location-1] quit
[~HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-group1] service-location 1
[*HUAWEI-service-instance-group-group1] commit
[~HUAWEI-service-instance-group-group1] quit

2. Configure a NAT instance named nat1 and bind it to the CGN service board.
[~HUAWEI] nat instance nat1 id 1
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit

3. Configure a group of static NAT source tracing algorithm parameters: the private address pool contains 10.0.0.1 to 10.0.0.255, the public address pool contains 11.11.11.1 to 11.11.11.100, the port range is 256 to 1023, and the port segment size is 256. The port range therefore yields three 256-port blocks per public address, 300 blocks in total for the 255 private addresses.
[~HUAWEI] nat static-mapping
[*HUAWEI-nat-static-mapping] inside-pool 1
[*HUAWEI-nat-static-mapping-inside-pool-1] section 1 10.0.0.1 10.0.0.255
[*HUAWEI-nat-static-mapping-inside-pool-1] quit
[*HUAWEI-nat-static-mapping] global-pool 1
[*HUAWEI-nat-static-mapping-global-pool-1] section 1 11.11.11.1 11.11.11.100
[*HUAWEI-nat-static-mapping-global-pool-1] quit
[*HUAWEI-nat-static-mapping] static-mapping 10 inside-pool 1 global-pool 1 port-range 256 1023 port-size 256
[*HUAWEI-nat-static-mapping] commit
[~HUAWEI-nat-static-mapping] quit

4. Enable the static NAT source tracing algorithm on the NAT instance named nat1 and specify the algorithm ID as 10.
[~HUAWEI] nat instance nat1
[~HUAWEI-nat-instance-nat1] nat bind static-mapping 10
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
5. Configure a traffic classification rule and NAT behavior.
● Configure an ACL rule for traffic classification. Only PCs on the internal network segment 10.0.0.0/24 can access the Internet; traffic that does not match this ACL is not sent to the NAT instance.
[~HUAWEI] acl 3001
[*HUAWEI-acl4-advance-3001] rule 1 permit ip source 10.0.0.0 0.0.0.255
[*HUAWEI-acl4-advance-3001] commit
[~HUAWEI-acl4-advance-3001] quit
● Configure a traffic classifier and define an ACL-based matching rule.
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 3001
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit
● Configure a traffic behavior and bind the traffic behavior to the NAT instance named nat1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] nat bind instance nat1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit
● Define a NAT traffic policy to associate the classifier with the traffic behavior.
[~HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] commit
[~HUAWEI-trafficpolicy-p1] quit
● Apply the NAT traffic policy in the inbound direction of GE 0/2/0, the interface that receives traffic from the private network.
[~HUAWEI] interface gigabitEthernet 0/2/0
[~HUAWEI-GigabitEthernet0/2/0] traffic-policy p1 inbound
[*HUAWEI-GigabitEthernet0/2/0] commit
[~HUAWEI-GigabitEthernet0/2/0] quit

6. Verify the configuration.
# Display NAT user information on the device. The first private host, 10.0.0.1, has been assigned the first public address 11.11.11.1 and the first 256-port segment starting at port 256, which is what the static mapping predicts.
<HUAWEI> display nat user-information slot 1 engine 0 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 1 Engine: 0
Total number: 1.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 10.0.0.1
User ID : -
VPN Instance : -
Address Group : -
NoPAT Address Group : -
NAT Instance : nat1
Public IP : 11.11.11.1
NoPAT Public IP : -
Start Port : 256
Port Range : 256
Port Total : 256
Extend Port Alloc Times : 0
Extend Port Alloc Number : 0
First/Second/Third Extend Port Start : 0/0/0
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Total/TCP/UDP/ICMP Port Limit : 0/0/0/0
Total/TCP/UDP/ICMP Port Current : 1/0/1/0
Nat ALG Enable : NULL
Token/TB/TP : 0/0/0
Port Forwarding Flag : Non Port Forwarding
Port Forwarding Ports : 00000
Aging Time(s) : -
Left Time(s) : -
Port Limit Discard Count : 0
Session Limit Discard Count : 0
Fib Miss Discard Count : 0
-->Transmit Packets : 150156628
-->Transmit Bytes : 19699109016
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
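The verification output above can be checked against the mapping the four parameters define. The following Python model is an added example, not Huawei code and not an implementation of the device's internal algorithm; the class StaticMapping, the constant MAPPING and the methods forward and reverse are names chosen here. It assumes that consecutive private addresses fill the port segments of one public address before moving on to the next public address (the page does not state the assignment order), which is consistent with 10.0.0.1 being assigned 11.11.11.1 and the segment starting at port 256. It computes the forward mapping for a private host, the reverse lookup an operator needs for source tracing (which private host was behind a given public address and port), and the capacity check that the public pool covers every private address.

```python
"""Added example: model of a static NAT source-tracing (port-segment) mapping like the one
configured with 'nat static-mapping' above.  Not Huawei code.  The assignment order (fill all
segments of one public address before moving to the next) is an assumption; it matches the
displayed result for 10.0.0.1."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class StaticMapping:
    inside_start: str
    inside_end: str
    global_start: str
    global_end: str
    port_start: int
    port_end: int
    port_size: int

    def __post_init__(self) -> None:
        if self.blocks_per_public_ip() < 1:
            raise ValueError("port range is smaller than one port segment")
        if self.capacity() < self.inside_count():
            raise ValueError(f"public pool offers {self.capacity()} segments "
                             f"for {self.inside_count()} private hosts")

    def inside_count(self) -> int:
        return _ip(self.inside_end) - _ip(self.inside_start) + 1

    def global_count(self) -> int:
        return _ip(self.global_end) - _ip(self.global_start) + 1

    def blocks_per_public_ip(self) -> int:
        # whole segments only; a tail shorter than port_size is never assigned
        return (self.port_end - self.port_start + 1) // self.port_size

    def capacity(self) -> int:
        return self.global_count() * self.blocks_per_public_ip()

    def forward(self, private_ip: str) -> Optional[Tuple[str, int, int]]:
        """Public address, first port and segment size for a private host; None if outside the pool."""
        offset = _ip(private_ip) - _ip(self.inside_start)
        if not 0 <= offset < self.inside_count():
            return None
        per_ip = self.blocks_per_public_ip()
        public_ip = ipaddress.IPv4Address(_ip(self.global_start) + offset // per_ip)
        return str(public_ip), self.port_start + (offset % per_ip) * self.port_size, self.port_size

    def reverse(self, public_ip: str, port: int) -> Optional[str]:
        """Source tracing: the private host that owns this public address and port.  None means the
        port is outside the configured range, lies in the tail beyond the last whole segment, or
        belongs to a segment no private host has been assigned to."""
        if not self.port_start <= port <= self.port_end:
            return None
        ip_index = _ip(public_ip) - _ip(self.global_start)
        if not 0 <= ip_index < self.global_count():
            return None
        block = (port - self.port_start) // self.port_size
        if block >= self.blocks_per_public_ip():
            return None
        offset = ip_index * self.blocks_per_public_ip() + block
        if offset >= self.inside_count():
            return None
        return str(ipaddress.IPv4Address(_ip(self.inside_start) + offset))


# the parameters from the 'nat static-mapping' configuration on this page
MAPPING = StaticMapping("10.0.0.1", "10.0.0.255", "11.11.11.1", "11.11.11.100", 256, 1023, 256)

if __name__ == "__main__":
    print(f"{MAPPING.blocks_per_public_ip()} segments per public address, capacity {MAPPING.capacity()}")
    print("10.0.0.1 ->", MAPPING.forward("10.0.0.1"))      # 11.11.11.1, port 256, as in the display output
    print("11.11.11.2:300 <-", MAPPING.reverse("11.11.11.2", 300))
```

Because the mapping is deterministic, a source-tracing request needs only the configuration and the public address and port, not per-session logs; the reverse lookup returns None for ports that are never allocated, so a log entry citing such a port indicates traffic that did not come through this mapping.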

Configuration Files

NAT device configuration file

#
sysname HUAWEI
#
license
active nat session-table size 16 slot 1 engine 0
#
nat static-mapping
inside-pool 1
section 1 10.0.0.1 10.0.0.255
global-pool 1
section 1 11.11.11.1 11.11.11.100
static-mapping 10 inside-pool 1 global-pool 1 port-range 256 1023 port-size 256
#
service-location 1
location slot 1 engine 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat bind static-mapping 10
#
acl number 3001
rule 1 permit ip source 10.0.0.0 0.0.0.255
#
traffic classifier c1
if-match acl 3001
#
traffic behavior b1
nat bind instance nat1
#
traffic policy p1
classifier c1 behavior b1 precedence 1
#
interface GigabitEthernet 0/2/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
traffic-policy p1 inbound
#

return

Example for Configuring NAT in the Address Pool Mode

This section provides an example in which a NAT device translates private addresses to public addresses taken from a configured address pool so that PCs within an enterprise network can access the Internet.

Applicable Products and Versions


● This configuration example applies to NE05E and NE08E routers running
V300R003C10 or later versions.
● This configuration example applies to NE40E-M2, NE20E-S2, NE40E-M, NE20E-S
and NE40E-F routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14, NetEngine 8000 M6 and
NetEngine 8000 M1A routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 and NetEngine 8000 F
routers running V800R012C10 or later versions.

Networking Requirements
In Figure 1-84, NAT-Device performs the NAT function to help PCs within an enterprise network
access the Internet. NAT-Device uses GE 0/1/0 to connect to the enterprise network.
NAT-Device's GE 0/1/1 is connected to the Internet. The enterprise is assigned five public IP
addresses of 11.11.11.101/32 through 11.11.11.105/32. The peer device connected to
NAT-Device is assigned an IP address of 1.1.1.5.
Figure 1-84 shows IP addresses of interfaces. The configuration requirements are as follows:
● Only PCs on the network segment 192.168.10.0/24 can access the Internet.
● Multiple-to-multiple NAT translation is performed between private and public IP addresses.
Figure 1-84 Configuring NAT in the address pool mode
In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure a NAT distribution policy.
3. Apply the NAT distribution policy.
4. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● NAT-Device's NAT address pool name (address-group1), address pool number (1), a
range of public IP addresses (11.11.11.101 through 11.11.11.105)
● ACL number (3001)
● Name and IP address of each interface to which a NAT distribution policy is applied

Procedure
1. Configure basic NAT functions.
● Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] nat instance nat1 id 1 simple-configuration
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
● Configure a NAT address pool containing the public IP addresses 11.11.11.101 through 11.11.11.105.
[~NAT-Device] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
[*NAT-Device] commit
2. Configure a NAT distribution policy. Configure an ACL numbered 3001 with a rule numbered 1 that permits only hosts on the network segment 192.168.10.0/24; only traffic permitted by this ACL is handed to the NAT instance, so hosts outside the segment cannot reach the Internet through it.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
3. Apply the NAT distribution policy. Bind ACL 3001 and the NAT instance to the outbound interface GE 0/1/1.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] ip address 1.1.1.4 24
[*NAT-Device-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
4. Configure a default static route with the next hop address 1.1.1.5.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 1.1.1.5
[*NAT-Device] commit

5. Verify the configuration.
# Run the display nat user-information slot verbose command to view NAT user information. The host 192.168.10.100 has been assigned the public address 11.11.11.101 from address-group1.
[~NAT-Device] display nat user-information slot 9 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 1.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.10.100
User ID : -
VPN Instance : -
Address Group : address-group1
NAT Instance : nat1
Public IP : 11.11.11.101
NoPAT Public IP : -
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable : NULL
Aging Time(s) : -
Left Time(s) : -
Session Limit Discard Count : 0
-->Transmit Packets : 9753259
-->Transmit Bytes : 1111770864
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
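Operationally, the counters in this output are what tell you whether a private host is approaching the per-user session limits shown (Total/TCP/UDP/ICMP Session Limit) or is having packets discarded, which is both a capacity signal and an early sign of a host running a scanner or malware that opens many connections. The following Python script is an added example, not part of the page and not Huawei tooling. It parses the output format shown above; the SAMPLE text is constructed to match that format and adds a second, hypothetical user 192.168.10.37 that is near its session limit and has discards. The function names parse_user_information, audit_user and audit_report are chosen here.

```python
"""Added example: parse 'display nat user-information ... verbose' output and flag users near
their session limits or with discards.  Not Huawei tooling.  SAMPLE is constructed to match the
output format shown on this page, with a second (hypothetical) user added."""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.10.100
VPN Instance : -
Address Group : address-group1
NAT Instance : nat1
Public IP : 11.11.11.101
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Session Limit Discard Count : 0
-->Transmit Packets : 9753259
-->Drop Packets : 0
<--Transmit Packets : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.10.37
VPN Instance : -
Address Group : address-group1
NAT Instance : nat1
Public IP : 11.11.11.102
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 7900/7700/120/80
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Session Limit Discard Count : 412
-->Transmit Packets : 58120033
-->Drop Packets : 412
<--Transmit Packets : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
"""

_QUAD = ("Total", "TCP", "UDP", "ICMP")
Finding = Tuple[str, str]


def parse_user_information(text: str) -> List[Dict[str, str]]:
    """Split the output into per-user records on the dashed separator lines."""
    users: List[Dict[str, str]] = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        rec: Dict[str, str] = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                rec[key.strip()] = value.strip()
        if "CPE IP" in rec:          # the header chunk (Slot, Total number) has no CPE IP
            users.append(rec)
    return users


def _quad(value: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in value.split("/"))


def _count(value: str) -> int:
    return int(value) if value.isdigit() else 0   # '-' reads as 0


def audit_user(rec: Dict[str, str], session_warn: float = 0.8) -> List[Finding]:
    """Flag session utilisation at or above session_warn and any non-zero discard or drop counter."""
    findings: List[Finding] = []
    limits = _quad(rec["Total/TCP/UDP/ICMP Session Limit"])
    current = _quad(rec["Total/TCP/UDP/ICMP Session Current"])
    for name, lim, cur in zip(_QUAD, limits, current):
        if lim and cur / lim >= session_warn:
            findings.append(("SESSION_HIGH", f"{name} {cur}/{lim} ({cur * 100 // lim}%)"))
    for key, value in rec.items():
        if key.endswith("Discard Count") and _count(value) > 0:
            findings.append(("DISCARDS", f"{key}={value}"))
        elif key.endswith("Drop Packets") and _count(value) > 0:
            findings.append(("DROPS", f"{key}={value}"))
    return findings


def audit_report(text: str, session_warn: float = 0.8) -> Dict[str, List[Finding]]:
    """CPE IP -> findings, for every user in the output."""
    return {rec["CPE IP"]: audit_user(rec, session_warn) for rec in parse_user_information(text)}


if __name__ == "__main__":
    for cpe, findings in audit_report(SAMPLE).items():
        print(cpe, findings or "ok")
```

Feed the script the saved output of the display command; a user that repeatedly shows SESSION_HIGH together with a rising Session Limit Discard Count is the one to look at first, since the NAT device is already dropping its new flows.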

NAT-Device Configuration File

#
sysname NAT-Device
#
nat instance nat1 id 1 simple-configuration
#
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 1.1.1.4 255.255.255.0
nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.5
#

return

Example for Configuring Easy IP for NAT


This section provides an example for configuring easy IP for NAT to send traffic from an
enterprise network to an external carrier network.

Applicable Products and Versions


● This configuration example applies to NE05E and NE08E routers running
V300R003C10 or later versions.
● This configuration example applies to NE40E-M2, NE20E-S2, NE40E-M, NE20E-S
and NE40E-F routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14, NetEngine 8000 M6 and
NetEngine 8000 M1A routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 and NetEngine 8000 F
routers running V800R012C10 or later versions.

Networking Requirements
In Figure 1-85, traffic is to be sent from an enterprise network to an external carrier network.
NAT-Device translates a private IP address of an enterprise network user to the IP address of a
public network interface so that the user accesses the external carrier network.
NAT-Device uses GE 0/1/0 to connect to the enterprise network. NAT-Device uses GE 0/1/1 to
connect to the Internet. The enterprise is assigned only the public IP address of 1.1.1.4. The peer
device connected to NAT-Device is assigned an IP address of 1.1.1.5.
Figure 1-85 shows IP addresses of interfaces. The configuration requirements are as follows:
● Only PCs on the network segment 192.168.10.0/24 can access the Internet.
● NAT-Device uses only the IP address of its public network interface, not other public IP addresses.
Figure 1-85 Configuring easy IP for NAT

In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure a NAT distribution policy.
3. Apply the NAT distribution policy.
4. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● NAT-Device's NAT address pool name (address-group1) and sequence number (1)
● ACL number (3001)
● Name (GE 0/1/1) and IP address (1.1.1.4/24) of an interface to which a NAT
distribution policy is applied

Procedure
1. Configure basic NAT functions.
● Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] nat instance nat1 id 1 simple-configuration
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
● Assign an IP address to the outbound interface.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] ip address 1.1.1.4 24
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
● Configure an address pool that borrows the IP address of the outbound interface (easy IP), so that translation uses whatever address is configured on GE 0/1/1.
[~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
[*NAT-Device] commit
2. Configure a NAT distribution policy. Configure an ACL numbered 3001 with a rule numbered 1 that permits only hosts on the network segment 192.168.10.0/24; only traffic permitted by this ACL is handed to the NAT instance.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
3. Apply the NAT distribution policy. Bind ACL 3001 and the NAT instance to the outbound interface GE 0/1/1.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
4. Configure a default static route with the next hop address 1.1.1.5.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 1.1.1.5
[*NAT-Device] commit

5. Verify the configuration.
# Run the display nat user-information slot verbose command to view NAT user information. The host 192.168.10.100 is translated to 1.1.1.4, the address of GE 0/1/1.
[~NAT-Device] display nat user-information slot 9 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 1.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.10.100
User ID : -
VPN Instance : -
Address Group : address-group1
NAT Instance : nat1
Public IP : 1.1.1.4
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable : NULL
Aging Time(s) : -
Left Time(s) : -
Session Limit Discard Count : 0
-->Transmit Packets : 9753259
-->Transmit Bytes : 1111770864
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0
---------------------------------------------------------------------------

NAT-Device Configuration File

#
sysname NAT-Device
#
nat instance nat1 id 1 simple-configuration
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 1.1.1.4 255.255.255.0
nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.5
#

return

Example for Configuring Bidirectional NAT and an Internal Server

This section provides an example for configuring bidirectional NAT and an internal server, so that hosts on both the private and the public network access the internal server using its public IP address.

Applicable Products and Versions


● This configuration example applies to NE05E and NE08E routers running
V300R003C10 or later versions.
● This configuration example applies to NE40E-M2, NE20E-S2, NE40E-M, NE20E-S
and NE40E-F routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14, NetEngine 8000 M6 and
NetEngine 8000 M1A routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 and NetEngine 8000 F
routers running V800R012C10 or later versions.
Networking Requirements
In Figure 1-86, NAT-Device's GE 0/1/0 with an IP address of 192.168.1.1/24 is connected to a
private network. NAT-Device's GE 0/1/1 with an IP address of 11.11.11.1/8 is connected to the
Internet. The internal server has a private IP address of 192.168.1.2/24 and a public IP address
of 11.11.11.6. A private network host with an IP address of 192.168.1.3/24 attempts to access the
internal server. The peer device connected to NAT-Device is assigned an IP address of
11.11.11.2.
The private and public networks want to access the internal server using the public IP address of
11.11.11.6.
Figure 1-86 Configuring NAT and an internal server

In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure an internal server.
3. Configure a NAT distribution policy.
4. Apply the NAT distribution policy.
5. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● NAT-Device's NAT address pool name (address-group1), address pool number (1),
and IP address range in easy IP mode
● ACL numbers (3001 and 3002)
● Name (GE 0/1/0) and IP address (192.168.1.1/24) of an interface to which a NAT
distribution policy is applied; name (GE 0/1/1) and IP address (11.11.11.1/8) of another
interface to which a NAT distribution policy is applied

Procedure
1. Configure basic NAT functions.
■ Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] nat instance nat1 id 1 simple-configuration
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
■ Assign an IP address to the outbound interface.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] ip address 11.11.11.1 8
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
■ Configure a NAT address pool in easy IP mode.
[~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
[*NAT-Device] commit
2. Configure an internal server. Because no protocol or port is given, the mapping exposes every protocol and port of 192.168.1.2 at the public address 11.11.11.6.
[~NAT-Device] nat server global 11.11.11.6 inside 192.168.1.2
[*NAT-Device] commit
3. Configure a NAT distribution policy.
■ Configure ACL 3001 for GE 0/1/0, the private-side interface. Rule 1 matches traffic from private hosts on 192.168.1.0/24 to the internal server 192.168.1.2, and rule 2 matches the reverse direction, from the server to those hosts. Bound to GE 0/1/0, this ACL limits NAT on the private-side interface to the host-to-server exchange initiated inside the private network, which is what lets a private host reach the server through the public address 11.11.11.6.
■ Configure ACL 3002 for GE 0/1/1 with rule 2 permit ip. This rule matches all IP traffic, so everything leaving GE 0/1/1 is translated; if only some private hosts should reach the Internet, restrict the rule to their source addresses as in the earlier examples.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.2 0
[*NAT-Device-acl4-advance-3001] rule 2 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 2 permit ip
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit
4. Apply the NAT distribution policy.
■ Bind ACL 3001 to the view of GE 0/1/0.
■ Bind ACL 3002 to the view of GE 0/1/1.
[~NAT-Device] interface gigabitEthernet 0/1/0
[~NAT-Device-GigabitEthernet0/1/0] ip address 192.168.1.1 24
[*NAT-Device-GigabitEthernet0/1/0] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/0] commit
[~NAT-Device-GigabitEthernet0/1/0] quit
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] nat bind acl 3002 instance nat1
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
5. Configure a default static route with the next hop address 11.11.11.2.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
[*NAT-Device] commit

6. Verify the configuration.
# Run the display nat server-map command on the device. The output shows the mapping between the public and private IP addresses of the internal server in both directions, with Protocol:ANY because the mapping was configured without a protocol or port.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server:192.168.1.2[11.11.11.6]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.1.2
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server reverse:ANY->11.11.11.6[192.168.1.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.1.2
---------------------------------------------------------------------------

NAT-Device Configuration File

#
sysname NAT-Device
#
nat instance nat1 id 1 simple-configuration
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
#
nat server global 11.11.11.6 inside 192.168.1.2
#
acl number 3001
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.2 0
rule 2 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
#
acl number 3002
rule 2 permit ip
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 11.11.11.1 255.0.0.0
nat bind acl 3002 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#

return

Example for Configuring NAT and an Internal Web Server


This section provides an example for configuring NAT and an internal web server to provide web
services for internet or private network users.

Applicable Products and Versions


● This configuration example applies to NE05E and NE08E routers running
V300R003C10 or later versions.
● This configuration example applies to NE40E-M2, NE20E-S2, NE40E-M, NE20E-S
and NE40E-F routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14, NetEngine 8000 M6 and
NetEngine 8000 M1A routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 and NetEngine 8000 F
routers running V800R012C10 or later versions.

Networking Requirements
In Figure 1-87, the private IP address 192.168.0.100/24 and port 8080 are assigned to a web
server to provide web services. The public IP address of the web server is 11.1.1.3/24, and the
domain name is www.huawei.com. The outbound interface GE 0/1/1 of NAT-Device is
11.1.1.2/24, and the LAN-side gateway's IP address is 192.168.0.1. The enterprise has no other
public IP addresses. The IP address of the peer device on the carrier side is 11.1.1.1/24. The
enterprise attempts to use the private network web server to provide web services for Internet
users and to allow private network users to access the Internet. Private network users can also
access the private network web server through a DNS server on the Internet.
The configuration requirements are as follows:
● Only PCs on the network segment 192.168.0.0/24 can access the Internet. (The example writes this segment as 192.168.0.200/24; the ACL rule below uses the wildcard 0.0.0.255, which matches the whole /24.)
● NAT-Device uses only the public IP address of its public interface and the public IP address of the internal server. No other public IP addresses are used.
● Public network users access the internal web server at 192.168.0.100/24 using the public IP address 11.1.1.3/24 and the domain name www.huawei.com.
● Private network users access the internal web server at 192.168.0.100/24 using the public IP address 11.1.1.3/24 and the domain name www.huawei.com.
Figure 1-87 Configuring NAT and an internal server

In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure an internal server.
3. Configure DNS mapping.
4. Enable the NAT ALG function for the DNS protocol.
5. Configure a NAT distribution policy.
6. Apply the NAT distribution policy.
7. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● NAT-Device's NAT address pool name (address-group1), address pool number (1),
and IP address range in Easy IP mode
● ACL number (3001)
● Name (GE 0/1/1) and IP address (11.1.1.2/24) of an interface to which a NAT
distribution policy is applied

Procedure
1. Configure basic NAT functions.
● Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] nat instance nat1 id 1 simple-configuration
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
● Assign an IP address to the outbound interface.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] ip address 11.1.1.2 24
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
● Configure a NAT address pool in easy IP mode.
[~NAT-Device] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
[*NAT-Device] commit
2. Configure an internal server: map TCP port 80 (www) of the public address 11.1.1.3 to port 8080 of the private address 192.168.0.100. Only this protocol and port are exposed; no other port of 11.1.1.3 is forwarded to the server.
[~NAT-Device] nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080
[*NAT-Device] commit
3. Configure DNS mapping between the domain name www.huawei.com, the public IP address 11.1.1.3 and the private IP address 192.168.0.100, so that a private network user who resolves the name through a DNS server on the Internet is given the server's private address and reaches the server directly.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat dns-mapping domain www.huawei.com global-address 11.1.1.3 inside-address 192.168.0.100
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
4. Enable the NAT ALG function for the DNS protocol. The DNS mapping takes effect only when the DNS ALG inspects DNS replies and rewrites the public address in the answer.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg dns
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
5. Configure a NAT distribution policy. Configure ACL 3001 with rule 1 to allow only hosts on 192.168.0.0/24 to access the Internet. The rule is written with the source 192.168.0.200 and the wildcard 0.0.0.255; a wildcard of 0.0.0.255 ignores the last octet, so the rule matches the whole 192.168.0.0/24 segment, not the single host 192.168.0.200 (a single host would need the wildcard 0).
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.200 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
6. Apply the NAT distribution policy. Bind ACL 3001 and the NAT instance to the outbound interface GE 0/1/1.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
7. Configure a default static route with the next hop address 11.1.1.1.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
[*NAT-Device] commit

8. Verify the configuration.
# Run the display nat server-map command on the device. The output shows the mapping between the public address and port (11.1.1.3:80) and the private address and port (192.168.0.100:8080) of the web server in both directions, restricted to TCP.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server:192.168.0.100:8080[11.1.1.3:80]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.0.100
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server reverse:ANY->11.1.1.3:80[192.168.0.100:8080]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.0.100
---------------------------------------------------------------------------

NAT-Device Configuration File

#
sysname NAT-Device
#
nat instance nat1 id 1 simple-configuration
#
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/1/1
#
nat server protocol tcp global 11.1.1.3 www inside 192.168.0.100 8080
#
nat instance nat1
nat alg dns
nat dns-mapping domain www.huawei.com global-address 11.1.1.3 inside-address
192.168.0.100
#
acl number 3001
rule 1 permit ip source 192.168.0.200 0.0.0.255
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 11.1.1.2 255.255.255.0
nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
#

return
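The nat bind acl policies in the examples above decide which traffic is translated at all, so the wildcard semantics of the ACL rules matter: in the web server example, rule 1 permit ip source 192.168.0.200 0.0.0.255 matches every address in 192.168.0.0/24 rather than the single host 192.168.0.200 (that would need the wildcard 0), and in the bidirectional NAT example rule 2 permit ip in ACL 3002 matches everything leaving GE 0/1/1. The following Python checker is an added example for both of those passages, not Huawei code. It parses the rule syntax used on this page (permit or deny ip, optional source and destination with wildcard masks), returns the first matching rule for a source/destination pair the way a first-match ACL is evaluated, and counts how many hosts of a segment a rule set permits. The ACL texts are copied from the examples above; the test addresses are made up, and the function names parse_acl, acl_decision and permitted_hosts are chosen here.

```python
"""Added example: evaluate VRP-style 'rule N permit|deny ip [source A W] [destination B W]'
rules as a NAT distribution policy uses them (first match wins).  Not Huawei code."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

_RULE = re.compile(
    r"^\s*rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?\s*$"
)

# ACL texts copied from the examples on this page
ACL_WEB_3001 = "rule 1 permit ip source 192.168.0.200 0.0.0.255"
ACL_BIDIR_3001 = """\
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.2 0
rule 2 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255"""
ACL_BIDIR_3002 = "rule 2 permit ip"


def parse_acl(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse rule lines into dicts; lines that are not rules ('acl number 3001', '#') are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def _to_int(s: str) -> int:
    # VRP prints the wildcard 0.0.0.0 as a bare '0', as in 'destination 192.168.1.2 0'
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))


def _wildcard_match(addr: str, base: Optional[str], wildcard: Optional[str]) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'; no base means any."""
    if base is None or wildcard is None:
        return True
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_decision(rules: List[Dict[str, Optional[str]]], src: str, dst: str) -> Optional[Tuple[int, str]]:
    """(rule number, action) of the first matching rule, or None when no rule matches."""
    for r in rules:
        if _wildcard_match(src, r["src"], r["swc"]) and _wildcard_match(dst, r["dst"], r["dwc"]):
            return int(r["num"]), r["action"]
    return None


def permitted_hosts(rules: List[Dict[str, Optional[str]]], cidr: str, dst: str = "203.0.113.1") -> int:
    """Number of addresses in cidr that a permit rule would hand to NAT for traffic towards dst."""
    return sum(1 for host in ipaddress.IPv4Network(cidr)
               if (acl_decision(rules, str(host), dst) or (0, "deny"))[1] == "permit")


if __name__ == "__main__":
    web = parse_acl(ACL_WEB_3001)
    print("web ACL permits", permitted_hosts(web, "192.168.0.0/24"), "hosts of 192.168.0.0/24")
    print("single-host form permits",
          permitted_hosts(parse_acl("rule 1 permit ip source 192.168.0.200 0"), "192.168.0.0/24"))
    print("ACL 3002 on 10.9.9.9 ->", acl_decision(parse_acl(ACL_BIDIR_3002), "10.9.9.9", "203.0.113.1"))
```

Running the checker over an ACL before binding it with nat bind acl shows exactly which private hosts will be translated; a rule set that permits more hosts than intended, or a bare permit ip, is what turns a NAT policy into an open egress path for every device on the segment.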

Example for Configuring Static 1:1 NAT


This section provides an example for configuring static 1:1 NAT to translate the private IP
address to the public IP address within the Internet.

Applicable Products and Versions


● This configuration example applies to NE05E and NE08E routers running
V300R003C10 or later versions.
● This configuration example applies to NE40E-M2, NE20E-S2, NE40E-M, NE20E-S
and NE40E-F routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14, NetEngine 8000 M6 and
NetEngine 8000 M1A routers running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 and NetEngine 8000 F
routers running V800R012C10 or later versions.

Networking Requirements
In Figure 1-88, the outbound interface GE 0/1/1 of NAT-Device is 1.1.1.2/24, and the LAN-side
gateway's IP address is 192.168.0.1/24. The IP address of the peer carrier device is 1.1.1.1/24.
The private IP address of the host is 192.168.0.2/24 and is mapped to a fixed IP address of
1.1.1.3/24 for NAT processing. The private IP address needs to be translated to the public IP
address within the Internet to connect to the WAN.
Figure 1-88 Configuring static 1:1 NAT
In this example, interface 1 and interface 2 are GE 0/1/0 and GE 0/1/1, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure an internal server.
3. Configure a NAT distribution policy.
4. Apply the NAT distribution policy.
5. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance name (nat1) and index (1)
● ACL number (3001)
● Name (GE 0/1/1) and IP address (1.1.1.2/24) of an interface to which a NAT
distribution policy is applied
● Internal server's private IP address (192.168.0.2) and public IP address (1.1.1.3)

Procedure
1. Configure basic NAT functions.
● Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] nat instance nat1 id 1 simple-configuration
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
● Configure a NAT address pool containing the IP addresses 11.11.11.101 through 11.11.11.105.
[~NAT-Device] nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
[*NAT-Device] commit
2. Configure an internal server as a 1:1 static NAT mapping. Set the internal server's private IP address to 192.168.0.2 and its public IP address to 1.1.1.3. Because no protocol or port is specified, every port of 1.1.1.3 is forwarded to 192.168.0.2.
[~NAT-Device] nat server global 1.1.1.3 inside 192.168.0.2
[*NAT-Device] commit
3. Configure a NAT distribution policy. Configure ACL 3001 with rule 1 to allow only hosts on the network segment 192.168.0.0/24, the segment of the host 192.168.0.2, to access the Internet.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
4. Apply the NAT distribution policy. Bind ACL 3001 and the NAT instance to the outbound interface GE 0/1/1.
[~NAT-Device] interface gigabitEthernet 0/1/1
[~NAT-Device-GigabitEthernet0/1/1] ip address 1.1.1.2 24
[*NAT-Device-GigabitEthernet0/1/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/1] commit
[~NAT-Device-GigabitEthernet0/1/1] quit
5. Configure a default static route with the next hop address 1.1.1.1.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[*NAT-Device] commit

6. Verify the configuration.
# Run the display nat server-map command on the device. The output shows the 1:1 mapping between the public address 1.1.1.3 and the private address 192.168.0.2 in both directions.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server:192.168.0.2[1.1.1.3]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.0.2
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server reverse:ANY->1.1.1.3[192.168.0.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.0.2

NAT-Device Configuration File

#
sysname NAT-Device
#
nat instance nat1 id 1 simple-configuration
#
nat address-group address-group1 group-id 1 11.11.11.101 11.11.11.105
#
nat server global 1.1.1.3 inside 192.168.0.2
#
acl number 3001
rule 1 permit ip source 192.168.0.0 0.0.0.255
#
interface GigabitEthernet 0/1/1
undo shutdown
ip address 1.1.1.2 255.255.255.0
nat bind acl 3001 instance nat1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#

return

Example for Configuring Traffic Diversion Policies to Assign Different NAT Address Pools to Intranet Users to Access the Internet

This section provides an example for configuring traffic diversion policies to assign different NAT address pools to intranet users to access the Internet.

Applicable Products and Versions


● This configuration example applies to NE40E-M and NE20E-S routers running
V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 router running
V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 router running
V800R012C10 or later versions.

Networking Requirements
In Figure 1-89, private network users in areas A and B of an enterprise are connected to the
Internet. The public IP address of GE 0/1/0 on NAT-Device is 11.11.11.1/24, and the IP address
of the peer device on the carrier side is 11.11.11.2/24. Users in area A want private host IP
addresses (on the network segment 192.168.20.0/24) to be replaced with public IP addresses from
the address pool (11.11.11.100 through 11.11.11.200) in No-PAT mode before they access the
Internet. Because only a few public IP addresses are available in area B, users in area B want
private host IP addresses (on the network segment 10.0.0.0/24) to be replaced with public IP
addresses and public port numbers from the public address pool (11.11.11.80 through 11.11.11.83)
in PAT mode before they access the Internet.
Figure 1-89 shows IP addresses of interfaces. The configuration requirements are as follows:
● PCs on the private network segment of 192.168.20.0/24 can access the Internet.
● PCs on the private network segment of 10.0.0.0/24 can access the Internet.
Figure 1-89 Networking for configuring NAT for VPN users

In this example, interface 1, interface 2, and interface 3 stand for GE 0/1/0, GE 0/1/1, and GE
0/1/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a NAT instance and a No-PAT address pool for users in area A.
2. Configure a NAT instance and a PAT address pool for users in area B.
3. Configure a NAT diversion policy.
4. Apply the NAT diversion policy.
5. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● Area A's private network segment address (192.168.20.0/24)
● In area A, NAT instance name (nat1) and index (1), NAT address pool name
(address-group1), address pool number (1), and IP address range (11.11.11.100
through 11.11.11.200)
● Area B's private network segment address (10.0.0.0/24)
● In area B, NAT instance name (nat2) and index (2), NAT address pool name
(address-group2), address pool number (2), and IP address range (11.11.11.80
through 11.11.11.83)
● ACL numbers (3001 for area A and 3002 for area B)
● Name (GE 0/1/0) and IP address (11.11.11.1/24) of an interface to which a NAT
diversion policy is applied

Procedure

1. Configure a NAT instance and a No-PAT address pool for users in area A.
■ Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
■ Configure a NAT address pool and specify a range of public IP addresses 11.11.11.100 through
11.11.11.200 in the pool. Set the No-PAT mode for the address pool.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.100 11.11.11.200 no-pat
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
2. Configure a NAT instance and a PAT address pool for users in area B.
■ Create a NAT instance named nat2.
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
■ Configure a NAT address pool and specify a range of public IP addresses 11.11.11.80 through
11.11.11.83 in the pool. Set the PAT mode for the address pool.
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 11.11.11.80 11.11.11.83
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
3. Configure a NAT diversion policy.
■ In area A, configure an ACL numbered 3001, an ACL rule numbered 1,
and an ACL-based traffic classification rule so that only hosts on the
network segment 192.168.20.0/24 can access the Internet.
■ In area B, configure an ACL numbered 3002, an ACL rule numbered 2,
and an ACL-based traffic classification rule so that only hosts on the
network segment 10.0.0.0/24 can access the Internet.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.20.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 2 permit ip source 10.0.0.0 0.0.0.255
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit

4. Apply the NAT diversion policy. Apply the ACL-based traffic classification rule to the view of the
outbound interface named GE 0/1/0.
[~NAT-Device] interface GigabitEthernet 0/1/0
[~NAT-Device-GigabitEthernet0/1/0] ip address 11.11.11.1 24
[*NAT-Device-GigabitEthernet0/1/0] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/1/0] nat bind acl 3002 instance nat2
[*NAT-Device-GigabitEthernet0/1/0] commit

[~NAT-Device-GigabitEthernet0/1/0] quit

5. Configure a default route as a static route and set the next hop address of the default route to
11.11.11.2.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
[*NAT-Device] commit

6. Verify the configuration.

# Run the display nat user-information slot command to view NAT user information.
[~NAT-Device] display nat user-information slot 9 verbose
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 192.168.20.100
User ID : -
VPN Instance : -
Address Group : address-group1
NAT Instance : nat1
Public IP : -
NoPAT Public IP : 11.11.11.100
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 64511/0/64511/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable : NULL
Aging Time(s) : -
Left Time(s) : -
Session Limit Discard Count : 0
-->Transmit Packets : 9753259
-->Transmit Bytes : 1111770864
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0
---------------------------------------------------------------------------
---------------------------------------------------------------------------
User Type : NAT444
CPE IP : 10.0.0.1
User ID : -
VPN Instance : -
Address Group : address-group2
NAT Instance : nat2
Public IP : 11.11.11.80
NoPAT Public IP : -
Total/TCP/UDP/ICMP Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 1/0/1/0
Total/TCP/UDP/ICMP Rev Session Limit : 8192/10240/10240/512
Total/TCP/UDP/ICMP Rev Session Current: 0/0/0/0
Nat ALG Enable : NULL
Aging Time(s) : -
Left Time(s) : -
Session Limit Discard Count : 0
-->Transmit Packets : 9753259
-->Transmit Bytes : 1111770864
-->Drop Packets : 0
<--Transmit Packets : 0
<--Transmit Bytes : 0
<--Drop Packets : 0

---------------------------------------------------------------------------

NAT-Device Configuration File

#
sysname NAT-Device
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 11.11.11.100 11.11.11.200 no-pat
#
nat instance nat2 id 2
service-instance-group group1
nat address-group address-group2 group-id 2 11.11.11.80 11.11.11.83
#
acl number 3001
rule 1 permit ip source 192.168.20.0 0.0.0.255
#
acl number 3002
rule 2 permit ip source 10.0.0.0 0.0.0.255
#
interface GigabitEthernet 0/1/0
undo shutdown
ip address 11.11.11.1 255.255.255.0
nat bind acl 3001 instance nat1
nat bind acl 3002 instance nat2
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#

return
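The diversion and address-pool behaviour configured in this example (ACL wildcard matching, the ordered nat bind acl ... instance ... entries on GE 0/1/0, a No-PAT pool for area A and a PAT pool for area B) is modelled below in an added Python script; it is not Huawei code. The way a PAT public IP is picked for a host and the starting port number are assumptions of this model, not the device's actual allocation algorithm.

```python
# Added model of the NAT-Device diversion policy above; not Huawei code.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored
    (0.0.0.255 matches a /24), i.e. the inverse of a subnet mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class AddressPool:
    """One nat address-group: a contiguous public range, No-PAT or PAT."""
    name: str
    first: str
    last: str
    no_pat: bool = False
    port_base: int = 1024                          # assumed first PAT port
    bindings: dict = field(default_factory=dict)   # No-PAT: private IP -> public IP
    next_port: dict = field(default_factory=dict)  # PAT: public IP -> next free port

    def addresses(self) -> list:
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def translate(self, private_ip: str, private_port: int) -> Optional[tuple]:
        """Return (public_ip, public_port), or None when the pool is exhausted."""
        if self.no_pat:
            # 1:1 mode: a host keeps one public IP and its original port.
            if private_ip not in self.bindings:
                free = [a for a in self.addresses() if a not in self.bindings.values()]
                if not free:
                    return None   # 101 addresses for a /24: the 102nd host is refused
                self.bindings[private_ip] = free[0]
            return self.bindings[private_ip], private_port
        # PAT: a few public IPs shared by many hosts, told apart by port.
        # Choosing the IP by hashing the host address is an assumption of this model.
        addrs = self.addresses()
        pub = addrs[int(ipaddress.IPv4Address(private_ip)) % len(addrs)]
        port = self.next_port.get(pub, self.port_base)
        if port > 65535:
            return None
        self.next_port[pub] = port + 1
        return pub, port


@dataclass
class NatInstance:
    name: str
    pool: AddressPool


@dataclass
class DiversionPolicy:
    """The ordered `nat bind acl <acl> instance <inst>` entries on one interface."""
    acls: dict        # ACL number -> [(network, wildcard), ...] permit rules
    bindings: list    # [(ACL number, NatInstance)] in configuration order

    def divert(self, src_ip: str) -> Optional[NatInstance]:
        for acl_no, inst in self.bindings:
            if any(wildcard_match(src_ip, n, w) for n, w in self.acls[acl_no]):
                return inst
        return None   # no ACL permits the source: the packet is not sent to NAT


def build_example_policy() -> DiversionPolicy:
    """GE 0/1/0 as configured above: ACL 3001 -> nat1 (No-PAT), ACL 3002 -> nat2 (PAT)."""
    nat1 = NatInstance("nat1", AddressPool("address-group1", "11.11.11.100",
                                           "11.11.11.200", no_pat=True))
    nat2 = NatInstance("nat2", AddressPool("address-group2", "11.11.11.80", "11.11.11.83"))
    acls = {3001: [("192.168.20.0", "0.0.0.255")], 3002: [("10.0.0.0", "0.0.0.255")]}
    return DiversionPolicy(acls, [(3001, nat1), (3002, nat2)])


def translate_packet(policy: DiversionPolicy, src_ip: str, src_port: int) -> Optional[tuple]:
    """Classify, divert, allocate. Returns (instance, public_ip, public_port) or None."""
    inst = policy.divert(src_ip)
    if inst is None:
        return None
    mapped = inst.pool.translate(src_ip, src_port)
    return None if mapped is None else (inst.name, mapped[0], mapped[1])


if __name__ == "__main__":
    policy = build_example_policy()
    print(translate_packet(policy, "192.168.20.100", 40000))  # ('nat1', '11.11.11.100', 40000)
    print(translate_packet(policy, "10.0.0.1", 40000))        # ('nat2', '11.11.11.81', 1024)
    print(translate_packet(policy, "172.16.0.9", 40000))      # None: not diverted
```

Running it shows the practical difference between the two pools: the No-PAT range serves at most 101 hosts before new hosts are refused, while the four PAT addresses keep serving hosts by handing out ports.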

Example for Configuring NAT to Translate Both the Source and Destination IP Addresses

This section provides an example for configuring NAT to translate both the source and
destination IP addresses when Internet users access an internal server.

Applicable Products and Versions
● This configuration example applies to NE40E-M and NE20E-S routers running
V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 router running
V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 router running
V800R012C10 or later versions.

Networking Requirements
In Figure 1-90, NAT-Device functions as a gateway of an enterprise, and the FTP server is an
internal server on the enterprise network. Users on the Internet want to access the FTP server on
the private network. During the access process, public IP addresses are translated so that no
public network routes are imported to the private network. The peer device connected to
NAT-Device is assigned an IP address of 11.11.1.2.
Figure 1-90 shows IP addresses of interfaces. The configuration requirements are as follows:
● PCs on the Internet can access the FTP server inside the enterprise network.
● NAT-Device does not import public network routes.
Figure 1-90 Networking for configuring NAT to translate both the source and destination IP
addresses

In this example, interface 1 and interface 2 stand for GE 0/2/0 and GE 0/2/1, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic NAT functions.
2. Configure an internal server.
3. Enable the NAT ALG function for FTP.
4. Configure a NAT diversion policy.
5. Apply the NAT diversion policy.
6. Configure static routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance names (nat1 and nat2) and indexes (1 and 2)
● NAT instance named nat1: NAT address pool name (address-group1), address pool
number (1), a range of public IP addresses (11.11.11.10 through 11.11.11.15); NAT
instance named nat2: NAT address pool name (address-group2), address pool
number (2), a range of public IP addresses (11.11.11.16 through 11.11.11.20)
● ACL numbers (3001 and 3002)
● Name (GE 0/2/0) and IP address (192.168.1.1/24) of a private network interface to
which a NAT diversion policy is applied; name (GE 0/2/1) and IP address (11.11.11.1)
of a public network interface to which a NAT diversion policy is applied
● Internal server's advertised public IP address (11.11.11.10) and internal IP address
(192.168.1.2)

Procedure

1. Configure basic NAT functions.
■ Create a VSM HA backup group and a VSM HA service instance group and bind a NAT service
board to the VSM HA backup group.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
■ Create NAT instances named nat1 and nat2 and bind the VSM HA service instance group to the
NAT instances so that service traffic can be processed by the NAT service board.
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
■ Configure a NAT address pool in each NAT instance.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.10 11.11.11.15
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 11.11.11.16 11.11.11.20
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

2. Configure an internal server.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat server-mode enable
[*NAT-Device-nat-instance-nat1] nat server global 11.11.11.10 inside 192.168.1.2
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit

3. Enable NAT ALG for FTP to translate the application-layer IP addresses and port numbers of
traffic of the NAT instance named nat1.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg ftp
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit

4. Configure a NAT diversion policy.
■ Configure an ACL numbered 3001, an ACL rule numbered 1, and an ACL-based traffic
classification rule so that only hosts on the network segment 192.168.1.0/24 can access the
Internet.
■ Configure an ACL-based traffic classification rule with ACL number 3002 and ACL rule number
2 that matches any packet.

[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 2 permit ip source any
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit

5. Apply the NAT diversion policy.
■ Apply the traffic classification policy with ACL 3001 to the view of GE 0/2/1
on the public network side.
■ Apply the traffic classification policy with ACL 3002 to the view of GE 0/2/0
on the private network side.

[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.11.1 24
[*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 24
[*NAT-Device-GigabitEthernet0/2/0] nat bind acl 3002 instance nat2
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit

6. Configure a default route as a static route and set the next hop address of the default route to
11.11.11.2.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
[*NAT-Device] commit

7. Verify the configuration.

# Run the display nat server-map command on the device. The command output shows the
mapping between the public IP address and private IP address of the NAT server.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 2.
NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server:192.168.1.2[11.11.11.10]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.10.10
extendable:false

NAT Instance: nat1
Protocol:ANY, VPN:--->-
Server reverse:ANY->11.11.11.10[192.168.1.2]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:192.168.10.10
extendable:false

NAT-Device Configuration File

#
sysname NAT-Device
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat server-mode enable
nat address-group address-group1 group-id 1 11.11.11.10 11.11.11.15
nat server global 11.11.11.10 inside 192.168.1.2
nat alg ftp
#
nat instance nat2 id 2
service-instance-group group1
nat address-group address-group2 group-id 2 11.11.11.16 11.11.11.20
#
acl number 3001
rule 1 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3002
rule 2 permit ip source any
#
interface GigabitEthernet 0/2/1
undo shutdown
ip address 11.11.11.1 255.255.255.0
nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/2/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
nat bind acl 3002 instance nat2
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#

return

Example for Configuring Bidirectional NAT and Using Easy IP to Create an Internal Server

This section provides an example for configuring bidirectional NAT and using easy IP to create
an internal server so that traffic of public network users and the public network server can be
forwarded through NAT-Device.

Applicable Products and Versions

● This configuration example applies to NE40E-M and NE20E-S routers running
V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 router running
V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 router running
V800R012C10 or later versions.

Networking Requirements
In Figure 1-91, an enterprise deploys an FTP server on the Internet, and NAT-Device functions
as the gateway of the enterprise network. To secure traffic transmission, the enterprise requires
that traffic exchanged between public network users and the FTP server be forwarded by
NAT-Device and that public network users and the FTP server not learn each other's IP
addresses.
Figure 1-91 Networking for configuring bidirectional NAT and using easy IP to create an internal
server

In this example, interface 1 and interface 2 stand for GE 0/2/1 and GE 0/2/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic NAT functions.
2. Configure an internal server.
3. Enable the FTP ALG function.
4. Configure a NAT diversion policy.
5. Apply the NAT diversion policy.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance names (nat1 and nat2) and indexes (1 and 2)
● NAT-Device's address pool names (address-group1 and address-group2), address pool
numbers (1 and 2), and easy IP address ranges
● ACL number (3001)
● Names (GE 0/2/1 and GE 0/2/2) and IP addresses (1.1.1.1/24 and 2.1.1.1/24) of
interfaces that apply a NAT diversion policy

Procedure

1. Configure basic NAT functions.
● Create NAT instances named nat1 and nat2.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
● Assign IP addresses to interfaces.
[~NAT-Device] interface GigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 1.1.1.1 24
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface GigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] ip address 2.1.1.1 24
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
● Configure a NAT address pool in easy IP mode.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet0/2/1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 unnumbered interface GigabitEthernet0/2/2
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

2. Configure an internal server.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 ftp inside 2.1.1.2 ftp
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet0/2/2 ftp inside 1.1.1.2 ftp
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

3. Enable the FTP ALG function.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg ftp
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2
[~NAT-Device-nat-instance-nat2] nat alg ftp
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

4. Configure a NAT diversion policy. Configure an ACL numbered 3001, an ACL rule numbered 1,
and an ACL-based traffic classification rule to allow all hosts to access the Internet.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source any
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit

5. Apply the NAT diversion policy. Apply the ACL-based traffic classification rule to the views of
the outbound interfaces GE 0/2/1 and GE 0/2/2.
[~NAT-Device] interface GigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] nat bind acl 3001 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface GigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] nat bind acl 3001 instance nat2
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit

6. Verify the configuration.


# Run the display nat server-map command on the device. The command output shows the
mapping between the public IP address and private IP address of the NAT server.
[~NAT-Device] display nat server-map
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 4.
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server reverse:ANY->1.1.1.1:21[2.1.1.2:21]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:2.1.1.2
extendable:false
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server:2.1.1.2:21[1.1.1.1:21]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:2.1.1.2
extendable:false
NAT Instance: nat2
Protocol:TCP, VPN:--->-
Server reverse:ANY->2.1.1.1:21[1.1.1.2:21]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:1.1.1.2
extendable:false
NAT Instance: nat2
Protocol:TCP, VPN:--->-
Server:1.1.1.2:21[2.1.1.1:21]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:1.1.1.2
extendable:false

NAT-Device Configuration File

#
sysname NAT-Device
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet0/2/1
nat server protocol tcp global unnumbered interface GigabitEthernet0/2/1 ftp inside 2.1.1.2 ftp
nat alg ftp
#
nat instance nat2 id 2
service-instance-group group1
nat address-group address-group2 group-id 2 unnumbered interface GigabitEthernet0/2/2
nat server protocol tcp global unnumbered interface GigabitEthernet0/2/2 ftp inside 1.1.1.2 ftp
nat alg ftp
#
acl number 3001
rule 1 permit ip source any
#
interface GigabitEthernet 0/2/1
undo shutdown
ip address 1.1.1.1 24
nat bind acl 3001 instance nat1
#
interface GigabitEthernet 0/2/2
undo shutdown
ip address 2.1.1.1 24
nat bind acl 3001 instance nat2
#

return
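To check the server-map table by script rather than by eye, the following added Python checker (not Huawei code) parses the display nat server-map output of this example, embedded verbatim as its sample input, and confirms that every forward Server entry has its Server reverse twin, that each CPE IP is the inside host, and that the record count matches the device's own total. It reads the server-map outputs of the earlier examples the same way.

```python
# Added checker for `display nat server-map` output; not Huawei code.
import re
from dataclasses import dataclass

# Verification output of the bidirectional easy-IP example above, used as sample input.
SAMPLE_OUTPUT = """\
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 9
Total number: 4.
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server reverse:ANY->1.1.1.1:21[2.1.1.2:21]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:2.1.1.2
extendable:false
NAT Instance: nat1
Protocol:TCP, VPN:--->-
Server:2.1.1.2:21[1.1.1.1:21]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:2.1.1.2
extendable:false
NAT Instance: nat2
Protocol:TCP, VPN:--->-
Server reverse:ANY->2.1.1.1:21[1.1.1.2:21]
Tag:0x0, TTL:-, Left-Time:-
CPE IP:1.1.1.2
extendable:false
NAT Instance: nat2
Protocol:TCP, VPN:--->-
Server:1.1.1.2:21[2.1.1.1:21]->ANY
Tag:0x0, TTL:-, Left-Time:-
CPE IP:1.1.1.2
extendable:false
"""


@dataclass(frozen=True)
class ServerMap:
    instance: str
    protocol: str
    reverse: bool     # True for "Server reverse" (public -> private) entries
    public: str       # global address[:port]
    inside: str       # internal address[:port]
    cpe_ip: str


# "Server:<inside>[<public>]->ANY" and "Server reverse:ANY-><public>[<inside>]"
_FWD = re.compile(r"^Server:(\S+?)\[(\S+?)\]->ANY$")
_REV = re.compile(r"^Server reverse:ANY->(\S+?)\[(\S+?)\]$")


def parse_server_map(text: str) -> tuple:
    """Return (entries, total); total is the device's own 'Total number'.
    A record starts at 'NAT Instance:' and ends at the next one or at EOF."""
    entries, cur, total = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Total number:"):
            total = int(line.split(":", 1)[1].strip().rstrip("."))
        elif line.startswith("NAT Instance:"):
            if "public" in cur:
                entries.append(ServerMap(**cur))
            cur = {"instance": line.split(":", 1)[1].strip()}
        elif line.startswith("Protocol:"):
            cur["protocol"] = line.split(",", 1)[0].split(":", 1)[1].strip()
        elif (m := _FWD.match(line)):
            cur.update(reverse=False, inside=m.group(1), public=m.group(2))
        elif (m := _REV.match(line)):
            cur.update(reverse=True, public=m.group(1), inside=m.group(2))
        elif line.startswith("CPE IP:"):
            cur["cpe_ip"] = line.split(":", 1)[1].strip()
    if "public" in cur:
        entries.append(ServerMap(**cur))
    return entries, total


def check_server_map(entries: list, total: int = None) -> list:
    """Checks worth running after `nat server` is configured: each forward entry
    has a reverse twin with the same instance, protocol, public and inside values;
    the CPE IP is the inside host; the count matches the device total.
    Returns a list of problem strings (empty means consistent)."""
    def key(e):
        return (e.instance, e.protocol, e.public, e.inside)
    problems = []
    fwd = {key(e) for e in entries if not e.reverse}
    rev = {key(e) for e in entries if e.reverse}
    problems += [f"forward mapping without reverse entry: {k}" for k in sorted(fwd - rev)]
    problems += [f"reverse mapping without forward entry: {k}" for k in sorted(rev - fwd)]
    for e in entries:
        if e.cpe_ip != e.inside.split(":")[0]:
            problems.append(f"{e.instance}: CPE IP {e.cpe_ip} is not the inside host {e.inside}")
    if total is not None and total != len(entries):
        problems.append(f"device reports {total} entries, parsed {len(entries)}")
    return problems


if __name__ == "__main__":
    entries, total = parse_server_map(SAMPLE_OUTPUT)
    for e in entries:
        print(e)
    print("problems:", check_server_map(entries, total))   # problems: []
```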

Example for Configuring Outbound-Interface NAT Load Balancing on an Enterprise Network

This section provides an example for configuring dual outbound interfaces on NAT-Device so that
external network users access an internal server through different interfaces and internal user
traffic destined for the Internet is load-balanced.

Applicable Products and Versions
● This configuration example applies to NE40E-M and NE20E-S routers running
V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 router running
V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 router running
V800R012C10 or later versions.

Networking Requirements
In Figure 1-92, NAT-Device functions as an enterprise network gateway and is dual-homed to the
Internet through interfaces 2 and 3. NAT is configured to convert private IP addresses to public
IP addresses. The enterprise network wants to provide web and FTP server access services for
Internet users. The web server is assigned 192.168.4.1/16 and 192.168.5.1/16, and the FTP
server is assigned 192.168.2.1/16 and 192.168.3.1/16.
Figure 1-92 shows IP addresses of interfaces. The configuration requirements are as follows:
● External network users can access the web and FTP servers within the enterprise
network.
● Internal users and servers can access one another, without NAT conversion.
● The traffic sent from the enterprise network to the Internet is load-balanced based on
source IP addresses.
Figure 1-92 Networking for configuring outbound-interface NAT load balancing on an enterprise
network

Interfaces 1 through 3 in this example represent GE 0/2/0, GE 0/2/1, and GE 0/2/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure load balancing.
2. Configure basic NAT functions.
3. Configure internal servers.
4. Enable the NAT ALG function for the web and FTP protocols.
5. Configure a NAT traffic diversion policy.
6. Apply the NAT traffic diversion policy.
7. Configure default routes.

Data Preparation
To complete the configuration, you need the following data:
● NAT instance names (nat1 and nat2) and indexes (1 and 2)
● Address pool name (address-group1) and ID (1)
● Private IP addresses of FTP server and web server in NAT instance nat1 (192.168.2.1
and 192.168.4.1, respectively) and in NAT instance nat2 (192.168.3.1 and
192.168.5.1, respectively)
● IP addresses (192.168.0.1/16, 11.11.1.1/24, and 11.11.2.1/24) of GE 0/2/0, GE 0/2/1,
and GE 0/2/2
● ACL numbers (3000 through 3005)
● NAT traffic diversion policy applied to GE 0/2/0; ACL 3000 to NAT instance nat1 bound
to GE 0/2/1; ACL 3000 to NAT instance nat1 bound to GE 0/2/2

Procedure

1. Configure basic NAT functions.
● Enable the NAT device to load-balance received packets based on source IP addresses in all
slots.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] load-balance hash-key ip source-ip slot all
[*NAT-Device] commit

● Create NAT instances named nat1 and nat2.
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
● Assign IP addresses to interfaces.
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.0.1 16
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 11.11.1.1 24
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] ip address 11.11.2.1 24
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit

● Configure NAT address pools.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

2. Configure internal servers.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.2.1 ftp
[*NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 www inside 192.168.4.1 www
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.3.1 ftp
[*NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 www inside 192.168.5.1 www
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

3. Configure the NAT ALG function. Enable the NAT ALG function for FTP and DNS in each NAT
instance. Configure a DNS mapping entry that contains a domain name, a public IP address, and
a private IP address in each NAT instance for NAT processing that is performed after the DNS
server resolves the IP address of the internal server.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg ftp
[*NAT-Device-nat-instance-nat1] nat alg dns
[*NAT-Device-nat-instance-nat1] nat dns-mapping domain www.huawei.com global-address 11.11.1.1 inside-address 192.168.4.1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2
[~NAT-Device-nat-instance-nat2] nat alg ftp
[*NAT-Device-nat-instance-nat2] nat alg dns
[*NAT-Device-nat-instance-nat2] nat dns-mapping domain www.huawei.com global-address 11.11.2.1 inside-address 192.168.5.1
[*NAT-Device-nat-instance-nat2] commit

[~NAT-Device-nat-instance-nat2] quit

4. Configure the redirection function by specifying a redirected next-hop IP address for
private-to-public traffic in each NAT instance.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] redirect ip-nexthop 11.11.1.2 outbound
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2
[~NAT-Device-nat-instance-nat2] redirect ip-nexthop 11.11.2.2 outbound
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit

5. Configure a NAT traffic diversion policy.

Configure an ACL numbered 3000 to allow hosts on the enterprise network to access the
Internet.
[~NAT-Device] acl 3000
[*NAT-Device-acl4-advance-3000] rule 1 permit ip
[*NAT-Device-acl4-advance-3000] commit

● [~NAT-Device-acl4-advance-3000] quit
Configure an ACL numbered 3001 to allow hosts on the enterprise network to access one
another.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.0 0.0.255.255
[*NAT-Device-acl4-advance-3001] commit

● [~NAT-Device-acl4-advance-3001] quit

Configure an ACL numbered 3002 to allow the host at 192.168.2.1/32 on the enterprise network
to access the Internet.
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 1 permit ip source 192.168.2.1 0.0.0.0
[*NAT-Device-acl4-advance-3002] commit

● [~NAT-Device-acl4-advance-3002] quit

Configure an ACL numbered 3003 to allow the host at 192.168.3.1/32 on the enterprise network
to access the Internet.
[~NAT-Device] acl 3003
[*NAT-Device-acl4-advance-3003] rule 1 permit ip source 192.168.3.1 0.0.0.0
[*NAT-Device-acl4-advance-3003] commit

● [~NAT-Device-acl4-advance-3003] quit

Configure an ACL numbered 3004 to allow the host at 192.168.4.1/32 on the enterprise network
to access the Internet.
[~NAT-Device] acl 3004
[*NAT-Device-acl4-advance-3004] rule 1 permit ip source 192.168.4.1 0.0.0.0
[*NAT-Device-acl4-advance-3004] commit

● [~NAT-Device-acl4-advance-3004] quit

Configure an ACL numbered 3005 to allow the host at 192.168.5.1/32 on the enterprise network
to access the Internet.
[~NAT-Device] acl 3005
[*NAT-Device-acl4-advance-3005] rule 1 permit ip source 192.168.5.1 0.0.0.0
[*NAT-Device-acl4-advance-3005] commit

● [~NAT-Device-acl4-advance-3005] quit

● Configure traffic classifiers for data that needs to be redirected.
[~NAT-Device] traffic classifier redirectover1 operator or
[*NAT-Device-classifier-redirectover1] if-match acl 3001
[*NAT-Device-classifier-redirectover1] commit
[~NAT-Device-classifier-redirectover1] quit
[~NAT-Device] traffic classifier redirectover2 operator or
[*NAT-Device-classifier-redirectover2] if-match acl 3002
[*NAT-Device-classifier-redirectover2] commit
[~NAT-Device-classifier-redirectover2] quit
[~NAT-Device] traffic classifier redirectover3 operator or
[*NAT-Device-classifier-redirectover3] if-match acl 3003
[*NAT-Device-classifier-redirectover3] commit
[~NAT-Device-classifier-redirectover3] quit
[~NAT-Device] traffic classifier redirectover4 operator or
[*NAT-Device-classifier-redirectover4] if-match acl 3004
[*NAT-Device-classifier-redirectover4] commit
[~NAT-Device-classifier-redirectover4] quit
[~NAT-Device] traffic classifier redirectover5 operator or
[*NAT-Device-classifier-redirectover5] if-match acl 3005
[*NAT-Device-classifier-redirectover5] commit
[~NAT-Device-classifier-redirectover5] quit

● Configure traffic behaviors for data that needs to be redirected. Set the redirected next-hop IP address to 11.11.1.2 in a traffic behavior named redirectover2 and to 11.11.2.2 in a traffic behavior named redirectover3.
[~NAT-Device] traffic behavior redirectover1
[*NAT-Device-behavior-redirectover1] commit
[~NAT-Device-behavior-redirectover1] quit
[~NAT-Device] traffic behavior redirectover2
[*NAT-Device-behavior-redirectover2] redirect ip-nexthop 11.11.1.2
[*NAT-Device-behavior-redirectover2] commit
[~NAT-Device-behavior-redirectover2] quit
[~NAT-Device] traffic behavior redirectover3
[*NAT-Device-behavior-redirectover3] redirect ip-nexthop 11.11.2.2
[*NAT-Device-behavior-redirectover3] commit
[~NAT-Device-behavior-redirectover3] quit
● Bind the traffic classifiers with the traffic behaviors in a traffic policy.
■ Data flows exchanged by users on the network segment 192.168.0.0/16 within the enterprise network are assigned a priority value of 1 (higher) and are not processed by NAT.
■ Data flows with the source IP address 192.168.2.1/32 pass through outbound interface 2 and are assigned a priority value of 2.
■ Data flows with the source IP address 192.168.3.1/32 pass through outbound interface 3 and are assigned a priority value of 3.
■ Data flows with the source IP address 192.168.4.1/32 pass through outbound interface 2 and are assigned a priority value of 4.
■ Data flows with the source IP address 192.168.5.1/32 pass through outbound interface 3 and are assigned a priority value of 5.
[~NAT-Device] traffic policy redirect
[*NAT-Device-trafficpolicy-redirect] classifier redirectover1 behavior redirectover1 precedence 1
[*NAT-Device-trafficpolicy-redirect] classifier redirectover2 behavior redirectover2 precedence 2
[*NAT-Device-trafficpolicy-redirect] classifier redirectover3 behavior redirectover3 precedence 3
[*NAT-Device-trafficpolicy-redirect] classifier redirectover4 behavior redirectover2 precedence 4
[*NAT-Device-trafficpolicy-redirect] classifier redirectover5 behavior redirectover3 precedence 5
[*NAT-Device-trafficpolicy-redirect] commit
[~NAT-Device-trafficpolicy-redirect] quit

6. Apply the traffic classification policy to interfaces.
[~NAT-Device] interface gigabitEthernet 0/2/0
[*NAT-Device-GigabitEthernet0/2/0] traffic-policy redirect inbound
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
[~NAT-Device] interface gigabitEthernet 0/2/1
[*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3000 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/2
[*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3000 instance nat2
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
7. Configure default routes.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.1.2
[*NAT-Device] ip route-static 0.0.0.0 0.0.0.0 11.11.2.2
[*NAT-Device] commit

Configuration File

#
sysname NAT-Device
#
load-balance hash-key ip source-ip slot all
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.2.1 ftp
nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 www inside 192.168.4.1 www
nat alg ftp
nat alg dns
redirect ip-nexthop 11.11.1.2 outbound
nat dns-mapping domain www.huawei.com global-address 11.11.1.1 inside-address 192.168.4.1
#
nat instance nat2 id 2
service-instance-group group1
nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.3.1 ftp
nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 www inside 192.168.5.1 www
nat alg ftp
nat alg dns
redirect ip-nexthop 11.11.2.2 outbound
nat dns-mapping domain www.huawei.com global-address 11.11.2.1 inside-address 192.168.5.1
#
acl number 3000
rule 1 permit ip
#
acl number 3001
rule 1 permit ip source 192.168.0.0 0.0.255.255
#
acl number 3002
rule 1 permit ip source 192.168.2.1 0
#
acl number 3003
rule 1 permit ip source 192.168.3.1 0
#
acl number 3004
rule 1 permit ip source 192.168.4.1 0
#
acl number 3005
rule 1 permit ip source 192.168.5.1 0
#
traffic classifier redirectover1 operator or
if-match acl 3001
#
traffic classifier redirectover2 operator or
if-match acl 3002
#
traffic classifier redirectover3 operator or
if-match acl 3003
#
traffic classifier redirectover4 operator or
if-match acl 3004
#
traffic classifier redirectover5 operator or
if-match acl 3005
#
traffic behavior redirectover1
#
traffic behavior redirectover2
redirect ip-nexthop 11.11.1.2
#
traffic behavior redirectover3
redirect ip-nexthop 11.11.2.2
#
traffic policy redirect
classifier redirectover1 behavior redirectover1 precedence 1
classifier redirectover2 behavior redirectover2 precedence 2
classifier redirectover3 behavior redirectover3 precedence 3
classifier redirectover4 behavior redirectover2 precedence 4
classifier redirectover5 behavior redirectover3 precedence 5
#
interface GigabitEthernet 0/2/0
undo shutdown
ip address 192.168.0.1 255.255.0.0
traffic-policy redirect inbound
#
interface GigabitEthernet 0/2/1
undo shutdown
ip address 11.11.1.1 255.255.255.0
nat bind acl 3000 instance nat1
#
interface GigabitEthernet 0/2/2
undo shutdown
ip address 11.11.2.1 255.255.255.0
nat bind acl 3000 instance nat2
#
ip route-static 0.0.0.0 0.0.0.0 11.11.1.2
ip route-static 0.0.0.0 0.0.0.0 11.11.2.2
#
return

Example for Configuring IPoEoVLAN Access Together with NAT
This section provides an example for configuring IPoEoVLAN access together with NAT so that
home users can access the Internet through NAT processing.

Applicable Products and Versions
● This configuration example applies to NE40E-M and NE20E-S routers running V800R010C00 or later versions.
● This configuration example applies to NetEngine 8000 M14 router running V800R012C00 or later versions.
● This configuration example applies to NetEngine 8000 M8 router running V800R012C10 or later versions.

Networking Requirements
In Figure 1-93, home users access a BRAS using IPoE. The BRAS implements user
authentication, authorization, and accounting. It also provides the NAT service to convert
between the private and public IP addresses of home users, so that the home users can access
the Internet.
Home users of user group 1 can access the Internet.
Figure 1-93 Example for configuring IPoEoVLAN access together with NAT

In this example, interface 1 stands for Eth-Trunk2.1.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure NAT user information.
3. Configure a NAT diversion policy.
4. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
● Name of a NAT instance
● NAT address pool's number and start and end IP addresses
● User group name
● ACL and UCL numbers
● NAT traffic diversion policy information

Procedure
1. Create a NAT instance named nat1.
<HUAWEI> system-view
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location follow-forwarding-mode
[*HUAWEI-service-location-1] commit
[~HUAWEI-service-location-1] quit
[~HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-group1] service-location 1
[*HUAWEI-service-instance-group-group1] commit
[~HUAWEI-service-instance-group-group1] quit
[~HUAWEI] nat instance nat1 id 1
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
2. Configure a NAT address pool.
[~HUAWEI] nat instance nat1 id 1
[~HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1 11.1.1.1 mask 26
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
3. Configure NAT user information.
● Create a user group named group1.
[~HUAWEI] user-group group1
[*HUAWEI] commit
● Configure the BRAS service to enable users to go online.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 100.64.0.1 255.255.0.0
[*HUAWEI-ip-pool-pool1] section 0 100.64.0.2 100.64.255.254
[*HUAWEI-ip-pool-pool1] dns-server 192.168.8.2
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.8.9 1812
[*HUAWEI-radius-rd1] radius-server accounting 192.168.8.9 1813
[*HUAWEI-radius-rd1] radius-server type standard
[*HUAWEI-radius-rd1] radius-server shared-key-cipher huawei@123
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] user-group group1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
4. Configure a traffic classification rule, a NAT behavior, and a NAT traffic policy, and apply the policy.
● Configure UCLs for user traffic. A UCL number ranges from 6000 to 9999.
Configure an ACL-based traffic classification rule and set the ACL number to 6001 and the ACL rule number to 1.
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 1 permit ip source user-group group1
[*HUAWEI-acl-ucl-6001] commit
[~HUAWEI-acl-ucl-6001] quit
● Configure a traffic classifier.
[~HUAWEI] traffic classifier c1 operator or
[*HUAWEI-classifier-c1] if-match acl 6001
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit
● Configure a traffic behavior named b1 and bind the traffic behavior to the NAT instance named nat1.
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] nat bind instance nat1
[*HUAWEI-behavior-b1] commit
[~HUAWEI-behavior-b1] quit
● Configure a NAT diversion policy and associate the ACL rule with the traffic behavior.
[~HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] share-mode
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 precedence 1
[*HUAWEI-trafficpolicy-p1] commit
[~HUAWEI-trafficpolicy-p1] quit
● Apply the NAT diversion policy in the system view.
[~HUAWEI] traffic-policy p1 inbound
[*HUAWEI] commit

5. Configure a BAS interface.
[~HUAWEI] interface Eth-Trunk 2.1
[*HUAWEI-Eth-Trunk2.1] user-vlan 1 2
[*HUAWEI-Eth-Trunk2.1-1-2] quit
[*HUAWEI-Eth-Trunk2.1] bas
[*HUAWEI-Eth-Trunk2.1-bas] access-type layer2-subscriber default-domain authentication isp1
[*HUAWEI-Eth-Trunk2.1-bas] client-option82
[*HUAWEI-Eth-Trunk2.1-bas] option82-relay-mode include allvalue
[*HUAWEI-Eth-Trunk2.1-bas] authentication-method bind
[*HUAWEI-Eth-Trunk2.1-bas] quit
[*HUAWEI-Eth-Trunk2.1] commit
[~HUAWEI-Eth-Trunk2.1] quit

Configuration Files

BRAS configuration file
#
service-location 1
location follow-forwarding-mode
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 11.1.1.1 mask 26
#
radius-server group rd1
radius-server shared-key-cipher huawei@123
radius-server authentication 192.168.8.9 1812 weight 0
radius-server accounting 192.168.8.9 1813 weight 0
radius-server type standard
#
ip pool pool1 bas local
gateway 100.64.0.1 255.255.0.0
section 0 100.64.0.2 100.64.255.254
dns-server 192.168.8.2
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
user-group group1
#
user-group group1
#
acl number 6001
rule 1 permit ip source user-group group1
#
traffic classifier c1 operator or
if-match acl 6001
#
traffic behavior b1
nat bind instance nat1
#
traffic policy p1
share-mode
classifier c1 behavior b1 precedence 1
#
traffic-policy p1 inbound
#
interface Eth-Trunk2.1
user-vlan 1 2
#
bas
access-type layer2-subscriber default-domain authentication isp1
client-option82
option82-relay-mode include allvalue
authentication-method bind
#
#
return

Example for Configuring NAT Together with DAA
Network address translation (NAT) translates IP addresses between private and public networks
to enable multiple private network users to use only a small number of public IPv4 addresses for
accessing external networks. When a user accesses an external network, a NAT device
translates the user's private IPv4 address into a public IPv4 address and temporarily records the
mapping.
Destination Address Accounting (DAA) implements accounting, rate limit, and priority scheduling
based on destination addresses accessed by users.
NAT and DAA need to be configured together in the following scenarios: Private network users
access the network, and different tariff levels need to be defined for accounting and different rate
levels need to be defined for rate limiting based on destination addresses accessed by users.
This section provides an example for configuring NAT together with DAA.

Applicable Products and Versions
This feature applies to ME60 series, NE40E series, NE20E series, and NE8000 series routers running V800R021C10 and later versions.

Precautions
Table 1-40 Precautions for deploying NAT together with DAA

No. 1
Precaution: After DAA services are deployed for users in the web pre-authentication domain, these users cannot be switched to the web authentication domain.
Impact: If DAA services are deployed in the web pre-authentication domain, users cannot log in to the web authentication domain.
Workaround: Plan DAA services in the web authentication domain when both web and DAA services are deployed.

No. 2
Precaution: A DAA service policy cannot be delivered by the Common Open Policy Service (COPS).
Impact: A DAA service policy can be delivered only through domain binding, the RADIUS server, or the Diameter server.
Workaround: None

No. 4
Precaution: A DAA service can be generated only when a DAA service policy is bound to a domain or delivered using a RADIUS authentication response packet. A DAA service policy can be switched through the RADIUS server. After a user goes online, the DAA service policy cannot be delivered by the RADIUS server to generate a DAA service.
Impact: If a DAA service needs to be deployed, a DAA service policy must be bound to a domain or delivered using a RADIUS authentication response packet.
Workaround: Configure an empty DAA service policy in a domain.

No. 5
Precaution: DAA service policy switching restrictions:
● A DAA service policy in non-uniform accounting mode supports switching for existing services only. The level and number of services do not change before and after switching.
● Switching is not supported between a DAA service policy in non-uniform accounting mode and a DAA service policy in uniform accounting mode.
● The IP address types in service policies must be the same before and after switching. Otherwise, services cannot be switched.
● When a DAA service policy is switched, the accounting scheme in the DAA service policy cannot be switched.
Impact: Improper planning results in failed DAA service policy switching.
Workaround: Do not switch a DAA service policy in the scenarios that are not supported.

No. 6
Precaution: DAA quota delivery restrictions:
● If both duration and volume quotas are delivered for DAA services, only the duration quota takes effect.
● After DAA service quotas are exhausted in non-uniform accounting mode, service traffic cannot be forwarded. Services with quota exhaustion cannot be restored by delivering a service policy dynamically, and redirection is not supported.
Impact: After DAA service quotas are exhausted in non-uniform accounting mode, service traffic cannot be forwarded. Services cannot be restored by delivering a service policy or quota, and redirection fails.
Workaround:
● Configure duration and volume quotas delivered separately.
● Configure uniform accounting for DAA services.

No. 7
Precaution: DAA rate limit restrictions:
● When SQ rate limit is used for a DAA service, non-service traffic enters the BE queue. If the DAA service is planned for the BE queue, non-service traffic is controlled by the DAA service's rate limit and is included into the DAA service traffic.
● Service separation does not take effect when CAR is configured for DAA and SQ is configured for users.
● If QoS resources are insufficient during DAA service policy switching, resources are not switched, and services remain unchanged. Service resource insufficiency can be checked.
● If SQ rate limit is configured for DAA services and no rate limit is configured for a user, the user's rate is also limited.
Impact: Improper planning results in inaccurate rate limiting.
Workaround (one item per restriction above):
● Do not configure services in the BE queue when DAA uses SQ rate limit.
● None
● Do not switch a DAA service policy if QoS resources are insufficient.
● None

No. 8
Precaution: In simplified MAC address authentication scenarios, when DAA is deployed in a MAC domain, DAA takes effect immediately for users who go online from the MAC domain.
Impact: DAA services are deleted for users who return from the authentication domain to the MAC domain.
Workaround: None

Prerequisites
1. Special boards required in this scenario:
■ Boards that support user access must be deployed on the user side.
■ An eTM subcard is required for DAA service deployment.
■ VSUI-400 series NAT boards are required.
2. Required license items
Table 1-41 License items

License Name: BNG Function License
License Description: By default, a maximum of 32K users are supported per BNG. The license can be separately purchased to increase the number of users to 128K. PPPoE, IPoE, L2TP, DAA, and EDSG functions are included.
U: B
Involved Models: NE40E and NE8000-M series

License Name: Subscribers Quantity (1k Subscribers)
License Description: Number of online users.
U: B
Involved Models: NetEngine40E, NE8000-M series, ME60, and NE20E

License Name: PPPoE/IPoE Function License
License Description: Controls the PPPoE/IPoE function of the entire device.
U: B
Involved Models: NE40E, and CX600 outside China

License Name: PPPoE/IPoE Function License
License Description: Controls the PPPoE/IPoE function of the entire device.
U: B
Involved Models: NE20E

License Name: 2M NAT Session License
License Description: NAT session license for the VSUI-400 series. Each license permits 2M NAT sessions. To allocate license resources to the CPUs of service boards, run the active nat session-table size (license view) command.
U: B
Involved Models: NE40E, CX600, and ME60

License Name: CGN Service 1M NAT Session License
License Description: VSU series session resource license.
U: B
Involved Models: NE8000-M series

License Name: 16M NAT session license for VSU Series Units
License Description: NAT session license for the VSUI-400 series. Each license permits 16M NAT sessions. To allocate license resources to the CPUs of service boards, run the active nat session-table size (license view) command.
U: B
Involved Models: NE40E, CX600, and ME60

License Name: VSUI-400 Series 20Gbps Capacity RTU for CGN
License Description: The capacity of VSUI-400 series boards is 0 by default, and can be expanded up to 400 Gbit/s. To expand the capacity of a VSUI-400 series board, run the active nat bandwidth-enhance slot command in the license view.
U: B
Involved Models: NE40E, CX600, and ME60

DAA-Related RADIUS Attributes
Table 1-42 DAA-related RADIUS attributes

Attribute No.: 11
Attribute Name: Filter-Id
Attribute Type: String (defined as Text in the protocol)
Server Type: All
Usage: This attribute carries the user group name USER-GROUP NAME. If GROUPNAME contains @, only the character string before @ is used. If multiple filter-IDs are received, only the last filter-ID takes effect. Therefore, it is advised to contain one filter-ID each time.
Remarks: The length ranges from 1 to 32 bytes.

Attribute No.: 26-95
Attribute Name: HW-Policy-Name
Attribute Type: String
Server Type: All
Usage: The attribute indicates the name of the value-added service policy. Multiple HW-Policy-Name attributes can be encapsulated in a packet to deliver multiple value-added services. A packet can deliver up to 16 value-added services. (DAA does not support encapsulation of multiple value-added service policy names in one packet.)
Remarks: The length is 32 characters. In some versions, HW-Policy-Name is Policy-Name.

Attribute No.: 50
Attribute Name: Acct-Multi-Session-Id
Attribute Type: String
Server Type: All
Usage:
(1) If tunnel users are configured in the system, the attribute indicates the accounting ID of an L2TP tunnel user. The format of Acct-Multi-Session-Id is the same as that of Acct-Session-Id. For other scenarios, this attribute is not used.
(2) If RADIUS accounting is applied to a user's value-added services (BOD and DAA), accounting packets carry the user's Acct-Session-Id as the Multi-Session-Id.
(3) When Multi-Link Point-to-Point Protocol (MLPPP) is used, the Acct-Session-Id of the first user of the MP-group interface is used as the Multi-Session-Id.
Remarks: None

Attribute No.: 44
Attribute Name: Acct-Session-Id
Attribute Type: String
Server Type: All
Usage: The formats of Acct-Session-Id are as follows:
Version 1: host name (7 bits) + slot number (2 bits) + card number (1 bit) + port number (2 bits) + {VPI (4 bits) + VCI (5 bits), outer VLAN (4 bits) + inner VLAN (5 bits)} + CPUTICK (in hexadecimal format, 6 bits) + user connection index (6 bits)
Version 2: {VPI (4 bits), outer VLAN (4 bits)} + CPUTICK (in hexadecimal format, 6 bits) + user connection index (6 bits)
Version 3: CPUTICK (in hexadecimal format, the lower order 2 bits) + user connection index (6 bits)
Version 4: host name (7 bits) + serial number (2 bits) + user connection index (6 bits)
The format in the DSG service is: host name (7 bits) + slot number (2 bits) + card number (1 bit) + port number (2 bits) + SSG + service ID (5 bits) + CPUTICK (in hexadecimal format, 6 bits) + user connection index (6 bits)
Remarks: The length of Acct-Session-Id is as follows: the value contains 27 to 33 bytes for version 1 format due to the variable-length host name, 16 bytes for version 2 format, 8 bytes for version 3 format, and 15 bytes for version 4 format. The value contains 26 to 32 bytes for the DSG service due to the variable-length host name.
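As an added example (not code from the Huawei page), the following Python splits an Acct-Session-Id into the fields listed for versions 1 to 4 above, which is what a log pipeline needs in order to correlate a DAA accounting record with the access slot, port and connection index. It assumes that the field widths the table gives in "bits" are character counts (the per-version byte lengths in the Remarks column, 33 at most, 16, 8 and 15, only add up under that reading), and it leaves the DSG format aside because its length range overlaps version 1. The sample values are constructed for the example, not captured from a device.

```python
from typing import Dict, List, Optional, Tuple

# Field layouts taken from Table 1-42 (name, width in characters), first to last.
# Version 1 begins with a host name of 1 to 7 characters, so it is split from
# the end; versions 2 to 4 are fixed length. Assumption: the table's "bits"
# are characters (the documented total lengths only add up that way).
LAYOUTS: Dict[int, List[Tuple[str, int]]] = {
    1: [("slot", 2), ("card", 1), ("port", 2), ("vpi_or_outer_vlan", 4),
        ("vci_or_inner_vlan", 5), ("cputick", 6), ("conn_index", 6)],
    2: [("vpi_or_outer_vlan", 4), ("cputick", 6), ("conn_index", 6)],
    3: [("cputick", 2), ("conn_index", 6)],
    4: [("host_name", 7), ("serial", 2), ("conn_index", 6)],
}
# Fixed part of each layout: 1 -> 26 (plus host name), 2 -> 16, 3 -> 8, 4 -> 15
FIXED_LEN = {v: sum(w for _, w in lay) for v, lay in LAYOUTS.items()}
MAX_HOST_NAME = 7


def detect_version(value: str) -> Optional[int]:
    """Pick the format from the total length; None if no documented length fits."""
    n = len(value)
    for version in (2, 3, 4):
        if n == FIXED_LEN[version]:
            return version
    if FIXED_LEN[1] + 1 <= n <= FIXED_LEN[1] + MAX_HOST_NAME:   # 27 to 33 bytes
        return 1
    return None


def parse_acct_session_id(value: str) -> Optional[Dict[str, str]]:
    """Split value into named fields. Returns None for an unknown length or for a
    CPUTICK that is not hexadecimal (the table documents it as hex)."""
    version = detect_version(value)
    if version is None:
        return None
    fields: Dict[str, str] = {"version": str(version)}
    rest = value
    for name, width in reversed(LAYOUTS[version]):   # fixed fields sit at the end
        fields[name], rest = rest[-width:], rest[:-width]
    if version == 1:
        fields["host_name"] = rest        # whatever is left in front is the host name
    tick = fields.get("cputick")
    if tick is not None:
        try:
            int(tick, 16)
        except ValueError:
            return None
    return fields


if __name__ == "__main__":
    # Constructed sample values, one per version.
    for sample in ("BNG1010020010000201A2B3C000123",   # version 1, host name BNG1
                   "00011A2B3C000123",                 # version 2
                   "2C000123",                         # version 3
                   "BRAS00107000123"):                 # version 4
        print(sample, "->", parse_acct_session_id(sample))
```

Because the version is inferred from the length alone, the parser refuses lengths the table does not document rather than guessing; a record that does not parse is worth surfacing as a data-quality alert before it silently breaks session correlation.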

Networking Requirements
Assume that a user has two types of service traffic: enterprise internal service traffic and external
public network service traffic. Enterprise internal services match DAA, requiring separate rate
limit and no accounting. External services do not match DAA, requiring separate rate limit and
RADIUS accounting.

As shown in Figure 1-94, the networking requirements are as follows:

● The user sends a login request to the BRAS, which then sends an authentication
request to the AAA server. The AAA server then returns an authentication success
message to the BRAS.
● When the user goes online, the BRAS assigns a private IP address to the user and
performs NAT on the BRAS to translate the private IP address into a public IP
address.
● When the user accesses the network, ACL rules are used to match the destination
address of the user to determine whether the network accessed by the user is an
enterprise intranet or an external network. In this way, separate rate limiting is
performed.
● The BRAS sends an accounting start request packet for external services to the AAA
server.

Figure 1-94 Networking diagram for configuring NAT together with DAA

In this example, interface1 represents GE 0/1/1.

Table 1-43 Network planning data

Device: BRAS(NAT)
● IP address of the RADIUS authentication server: 172.16.45.220
● Gateway address: 10.0.0.1
● IP address of the web authentication server: 192.168.10.2
● IP address of the Portal server: 192.168.10.2
● DAA services that require acceleration: 192.168.200.0

Configuration Roadmap
1. Configure the NAT service.
● Configure NAT licenses and bind them to boards.
● Configure a NAT instance.
2. Configure web authentication.
● Configure basic information such as the RADIUS server, QoS, address pool, and pre-authentication and authentication domains.
● Configure a web pre-authentication domain, a web authentication domain, and the user group information of DAA users.
3. Configure the DAA service.
● Configure DAA traffic policies.
● Configure DAA service policies.
4. Configure policy binding.
Procedure
1. Configure the NAT service. When a private network user accesses an external network, the private IP address of the user can be translated into a public IP address.
# Configure NAT licenses and bind them to boards.
For the CX600 chassis-shaped device used outside China, NE40E, and ME60, the engine parameter must be specified when resource licenses are allocated and NAT service boards are bound.
When NAT is deployed on an NE20E, no license needs to be configured.
When NAT is deployed on an NE8000-M series device, only the resource license needs to be configured. The bandwidth license does not need to be configured.
[~HUAWEI] license
[*HUAWEI-license] active nat session-table size 6 slot 1 engine 0
[*HUAWEI-license] active nat session-table size 6 slot 2 engine 0
[*HUAWEI-license] active nat bandwidth-enhance 40 slot 1
[*HUAWEI-license] active nat bandwidth-enhance 40 slot 2
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 1 engine 0 backup slot 2 engine 0
[*HUAWEI-service-location-1] quit
[*HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-group1] service-location 1
[*HUAWEI-service-instance-group-group1] commit
[~HUAWEI-service-instance-group-group1] quit
# Configure a NAT instance.
[~HUAWEI] nat instance nat1
[*HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1
[*HUAWEI-nat-instance-nat1-nat-address-group-address-group1] section 1 11.11.11.0 mask 24
[*HUAWEI-nat-instance-nat1-nat-address-group-address-group1] quit
[*HUAWEI-nat-instance-nat1] port-range 1024
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] nat outbound any address-group address-group1
[*HUAWEI-nat-instance-nat1] nat alg all
[*HUAWEI-nat-instance-nat1] nat filter mode full-cone
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit

2. Configure web authentication.
# Configure RADIUS server information.
[~HUAWEI] radius-server group radius
[*HUAWEI-radius-radius] radius-server authentication 172.16.45.220 1812 weight 0
[*HUAWEI-radius-radius] radius-server accounting 172.16.45.220 1813 weight 0
[*HUAWEI-radius-radius] radius-server shared-key Huawei
[*HUAWEI-radius-radius] commit
[~HUAWEI-radius-radius] quit
# Configure QoS profiles. Generally, two or more QoS profiles need to be configured for basic user bandwidth and DAA service acceleration bandwidth, respectively.
[~HUAWEI] qos-profile qos-prof1
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 inbound
[*HUAWEI-qos-profile-qos-prof1] car cir 5000 outbound
[*HUAWEI-qos-profile-qos-prof1] quit
[*HUAWEI] qos-profile qos-prof2
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 inbound
[*HUAWEI-qos-profile-qos-prof2] car cir 10000 outbound
[*HUAWEI-qos-profile-qos-prof2] commit
[~HUAWEI-qos-profile-qos-prof2] quit
# Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.0.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 10.0.0.2 10.0.0.200
[*HUAWEI-ip-pool-pool1] excluded-ip-address 10.0.0.101
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
# Configure a user group. Assign different user groups based on user attributes to
control different access permissions and policies.
■ If a user is in the pre-authentication domain, the device assigns
user-group preweb to the user. This user group is used to control user
access permissions so that the user can access only the web server.
■ If a user is in the authentication domain, the user has gone online
successfully. The device then assigns user-group web to the user. This
user group grants the user access permissions. It diverts traffic for NAT
when the user accesses external network services.
■ After a DAA service policy is delivered to a user, the device assigns
user-group daa to the user. This user group increases the bandwidth for
the user to access specific resources.

[~HUAWEI] user-group preweb
[*HUAWEI] user-group web
[*HUAWEI] user-group daa
[*HUAWEI] commit
# Configure the web server.
[~HUAWEI] web-auth-server 192.168.10.2 port 50100 key cipher huawei
[*HUAWEI] commit
# Configure a pre-authentication domain. Users in the pre-authentication domain can access only
some specified servers and cannot access other resources. For this reason, non-authentication
and non-accounting are used.

The user groups in the pre-authentication domain, authentication domain, and the DAA service
policy must be bound to the same NAT instance.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme none
[*HUAWEI-aaa-authen-none] authentication-mode none
[*HUAWEI-aaa-authen-none] commit
[~HUAWEI-aaa-authen-none] quit
[~HUAWEI-aaa] accounting-scheme none
[*HUAWEI-aaa-accounting-none] accounting-mode none
[*HUAWEI-aaa-accounting-none] commit
[~HUAWEI-aaa-accounting-none] quit
[~HUAWEI-aaa] domain preweb
[*HUAWEI-aaa-domain-preweb] authentication-scheme none
[*HUAWEI-aaa-domain-preweb] accounting-scheme none
[*HUAWEI-aaa-domain-preweb] user-group preweb bind nat instance nat1
[*HUAWEI-aaa-domain-preweb] ip-pool pool1
[*HUAWEI-aaa-domain-preweb] web-server 192.168.10.2
[*HUAWEI-aaa-domain-preweb] web-server url http://192.168.10.2
[*HUAWEI-aaa-domain-preweb] commit
[~HUAWEI-aaa-domain-preweb] quit
[~HUAWEI-aaa] quit
# Configure an authentication domain. Users in the authentication domain are online users and
require RADIUS authentication and accounting.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme radius
[*HUAWEI-aaa-authen-radius] authentication-mode radius
[*HUAWEI-aaa-authen-radius] commit
[~HUAWEI-aaa-authen-radius] quit
[~HUAWEI-aaa] accounting-scheme radius
[*HUAWEI-aaa-accounting-radius] accounting-mode radius
[*HUAWEI-aaa-accounting-radius] commit
[~HUAWEI-aaa-accounting-radius] quit
[~HUAWEI-aaa] domain web
[*HUAWEI-aaa-domain-web] authentication-scheme radius
[*HUAWEI-aaa-domain-web] accounting-scheme radius
[*HUAWEI-aaa-domain-web] radius-server group radius
[*HUAWEI-aaa-domain-web] user-group web bind nat instance nat1
[*HUAWEI-aaa-domain-web] qos-profile qos-prof1 inbound
[*HUAWEI-aaa-domain-web] qos-profile qos-prof1 outbound
[*HUAWEI-aaa-domain-web] portal-server 192.168.10.2
[*HUAWEI-aaa-domain-web] portal-server url http://192.168.10.2/portal/admin
[*HUAWEI-aaa-domain-web] commit
[~HUAWEI-aaa-domain-web] quit
[~HUAWEI-aaa] quit
# Configure ACL rules. The user group is used to control the access permissions of users in the
pre-authentication domain.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source user-group preweb destination ip-address
127.0.0.1 0
[*HUAWEI-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0 destination
user-group preweb
[*HUAWEI-acl-ucl-6000] rule 20 permit ip source user-group preweb destination ip-address
192.168.10.2 0
[*HUAWEI-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.10.2 0 destination
user-group preweb
[*HUAWEI-acl-ucl-6000] commit
[~HUAWEI-acl-ucl-6000] quit
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 5 permit tcp source user-group preweb destination-port eq
www
[*HUAWEI-acl-ucl-6001] rule 10 permit tcp source user-group preweb destination-port eq
8080
[*HUAWEI-acl-ucl-6001] commit
[~HUAWEI-acl-ucl-6001] quit
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] rule 5 permit ip source ip-address any destination user-group
preweb
[*HUAWEI-acl-ucl-6002] rule 10 permit ip source user-group preweb destination ip-address
any
[*HUAWEI-acl-ucl-6002] commit
[~HUAWEI-acl-ucl-6002] quit
# Configure traffic classifiers.
[~HUAWEI] traffic classifier web-permit
[*HUAWEI-classifier-web-permit] if-match acl 6000
[*HUAWEI-classifier-web-permit] commit
[~HUAWEI-classifier-web-permit] quit
[~HUAWEI] traffic classifier web-redirect
[*HUAWEI-classifier-web-redirect] if-match acl 6001
[*HUAWEI-classifier-web-redirect] commit
[~HUAWEI-classifier-web-redirect] quit
[~HUAWEI] traffic classifier web-deny
[*HUAWEI-classifier-web-deny] if-match acl 6002
[*HUAWEI-classifier-web-deny] commit

[~HUAWEI-classifier-web-deny] quit

Configure the DAA service. The corresponding accounting and rate limiting are performed when a
user accesses a specific resource.
# Enable the DAA service.
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
# Configure DAA traffic policies.
[~HUAWEI] acl number 6010
[*HUAWEI-acl-ucl-6010] rule 5 permit ip source user-group web destination any
[*HUAWEI-acl-ucl-6010] rule 10 permit ip source any destination user-group web
[*HUAWEI-acl-ucl-6010] quit
[*HUAWEI] acl number 6011
[*HUAWEI-acl-ucl-6011] rule 5 permit ip source user-group daa destination ip-address
192.168.200.0 0.0.0.255
[*HUAWEI-acl-ucl-6011] rule 10 permit ip source ip-address 192.168.200.0 0.0.0.255
destination user-group daa
[*HUAWEI-acl-ucl-6011] commit
[~HUAWEI-acl-ucl-6011] quit
[~HUAWEI] acl number 6012
[*HUAWEI-acl-ucl-6012] rule 5 permit ip source user-group daa destination any
[*HUAWEI-acl-ucl-6012] rule 10 permit ip source any destination user-group daa
[*HUAWEI-acl-ucl-6012] commit
[~HUAWEI-acl-ucl-6012] quit
# Configure DAA traffic classifiers.
[~HUAWEI] traffic classifier daa_default
[*HUAWEI-classifier-daa_default] if-match acl 6010
[*HUAWEI-classifier-daa_default] quit
[*HUAWEI] traffic classifier daa_c1
[*HUAWEI-classifier-daa_c1] if-match acl 6011
[*HUAWEI-classifier-daa_c1] commit
[~HUAWEI-classifier-daa_c1] quit
[~HUAWEI] traffic classifier daa_c2
[*HUAWEI-classifier-daa_c2] if-match acl 6012
[*HUAWEI-classifier-daa_c2] commit
[~HUAWEI-classifier-daa_c2] quit
# Configure DAA service policies. A DAA service policy must be bound to a NAT instance.
Otherwise, NAT cannot be performed, and services are interrupted.

In NAT load balancing scenarios, to prevent uneven load balancing of NAT users, you are
advised not to bind a user group to a NAT instance in the default DAA service policy.
[~HUAWEI] value-added-service policy vp_daa_default daa
[*HUAWEI-vas-policy-vp_daa_default] user-group web bind nat instance nat1
[*HUAWEI-vas-policy-vp_daa_default] traffic-separate enable
[*HUAWEI-vas-policy-vp_daa_default] accounting-together enable
[*HUAWEI-vas-policy-vp_daa_default] quit
[*HUAWEI] value-added-service policy vp_daa daa
[*HUAWEI-vas-policy-vp_daa] user-group daa bind nat instance nat1
[*HUAWEI-vas-policy-vp_daa] traffic-separate enable
[*HUAWEI-vas-policy-vp_daa] tariff-level 5 qos-profile qos-prof2
[*HUAWEI-vas-policy-vp_daa] commit
[~HUAWEI-vas-policy-vp_daa] quit
# Bind DAA to the authentication domain. In this step, you can mark a user as a DAA user. DAA
policies can be dynamically delivered only after the user is marked as a DAA user. There are two
ways to mark a user as a DAA user: static configuration in the domain or dynamic delivery by the
RADIUS server. To facilitate maintenance, you are advised to choose static configuration unless
otherwise specified.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain web
[*HUAWEI-aaa-domain-web] value-added-service account-type radius radius
[*HUAWEI-aaa-domain-web] value-added-service policy vp_daa_default
[*HUAWEI-aaa-domain-web] commit
[~HUAWEI-aaa-domain-web] quit
[~HUAWEI-aaa] quit

Configure policy binding.
# Configure traffic behaviors for users in the web pre-authentication domain.
[~HUAWEI] traffic behavior web-deny
[*HUAWEI-behavior-web-deny] deny
[*HUAWEI-behavior-web-deny] commit
[~HUAWEI-behavior-web-deny] quit
[~HUAWEI] traffic behavior web-permit
[*HUAWEI-behavior-web-permit] nat bind instance nat1
[*HUAWEI-behavior-web-permit] commit
[~HUAWEI-behavior-web-permit] quit
[~HUAWEI] traffic behavior web-redirect
[*HUAWEI-behavior-web-redirect] http-redirect
[*HUAWEI-behavior-web-redirect] commit
[~HUAWEI-behavior-web-redirect] quit
# Configure a traffic policy for the web pre-authentication domain.
[~HUAWEI] traffic policy preweb
[*HUAWEI-policy-preweb] share-mode
[*HUAWEI-policy-preweb] classifier web-permit behavior web-permit
[*HUAWEI-policy-preweb] classifier web-redirect behavior web-redirect
[*HUAWEI-policy-preweb] classifier web-deny behavior web-deny
[*HUAWEI-policy-preweb] commit
[~HUAWEI-policy-preweb] quit
# Apply the traffic policy for the web pre-authentication domain.
[~HUAWEI] traffic-policy preweb inbound
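The walled-garden logic configured above (ACLs 6000, 6001 and 6002, their classifiers and behaviors, and traffic policy preweb) can be checked offline before it is applied. The following Python script is an added example, not part of the Huawei documentation: it re-expresses the three ACLs as match functions, evaluates traffic policy preweb in configuration order against constructed sample flows, and shows what changes if the deny classifier is listed first. The user-group membership of the sample subscribers, their private addresses and the external addresses are constructed here and are not taken from a device.

```python
"""Walled-garden policy check for the pre-authentication domain.

Added example, not part of the Huawei documentation.  The three match
functions mirror ACLs 6000, 6001 and 6002 and POLICY mirrors traffic policy
'preweb' from the procedure above; the user-group membership of each flow and
the sample flows themselves are constructed here, not read from a device."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTAL = ipaddress.ip_address("192.168.10.2")   # web-server / portal-server
LOOPBACK = ipaddress.ip_address("127.0.0.1")    # the BRAS itself (ACL 6000)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    src_group: Optional[str] = None  # user group of the sending subscriber, if any
    dst_group: Optional[str] = None  # user group of the receiving subscriber, if any


def acl_6000(f: Flow) -> bool:
    """Pre-auth users <-> the device and the portal server, both directions."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return ((f.src_group == "preweb" and dst in (LOOPBACK, PORTAL)) or
            (f.dst_group == "preweb" and src in (LOOPBACK, PORTAL)))


def acl_6001(f: Flow) -> bool:
    """HTTP from pre-auth users on 80 (www) or 8080: candidates for redirection."""
    return f.src_group == "preweb" and f.proto == "tcp" and f.dport in (80, 8080)


def acl_6002(f: Flow) -> bool:
    """Anything else to or from a pre-auth user."""
    return f.src_group == "preweb" or f.dst_group == "preweb"


# traffic policy preweb: classifier/behavior pairs in configuration order.
# The first matching classifier decides, so the order is the security boundary.
POLICY = [("web-permit", acl_6000, "nat bind instance nat1"),
          ("web-redirect", acl_6001, "http-redirect"),
          ("web-deny", acl_6002, "deny")]


def classify(f: Flow, policy=POLICY) -> str:
    for _name, matches, behavior in policy:
        if matches(f):
            return behavior
    return "unmatched"   # the policy does not apply; other forwarding rules decide


def audit(flows, policy=POLICY) -> dict:
    """Map each flow to the behavior it receives, for review before deployment."""
    return {f: classify(f, policy) for f in flows}


# Constructed sample flows: an unauthenticated subscriber 10.0.0.5 in group
# 'preweb' and an authenticated subscriber 10.0.0.6 in group 'web'.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.168.10.2", "tcp", 443, src_group="preweb"),  # portal login
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80, src_group="preweb"),   # HTTP elsewhere
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, src_group="preweb"),  # HTTPS elsewhere
    Flow("10.0.0.5", "203.0.113.53", "udp", 53, src_group="preweb"),   # DNS
    Flow("10.0.0.6", "203.0.113.10", "tcp", 443, src_group="web"),     # authenticated user
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {verdict}")
```

Running it shows that only traffic between a pre-auth user and the portal (or the BRAS itself) is translated by nat1, HTTP on 80 and 8080 is redirected, and everything else from a pre-auth user, including UDP/53, falls through to web-deny; whether the captive-portal redirect needs an additional permit rule for DNS in a given deployment is something to confirm against that output rather than assume. Reversing the classifier order makes web-deny swallow the portal flow, so the order of the classifier statements in traffic policy preweb is part of the access boundary, not cosmetic.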
# Configure DAA traffic policies for users in the web authentication domain.
[~HUAWEI] traffic behavior daa_default
[*HUAWEI-behavior-daa_default] nat bind instance nat1
[*HUAWEI-behavior-daa_default] traffic-statistic
[*HUAWEI-behavior-daa_default] quit
[*HUAWEI] traffic behavior daa_b1
[*HUAWEI-behavior-daa_b1] nat bind instance nat1
[*HUAWEI-behavior-daa_b1] tariff-level 5
[*HUAWEI-behavior-daa_b1] car
[*HUAWEI-behavior-daa_b1] traffic-statistic
[*HUAWEI-behavior-daa_b1] quit
[*HUAWEI] traffic behavior daa_b2
[*HUAWEI-behavior-daa_b2] nat bind instance nat1
[*HUAWEI-behavior-daa_b2] commit
[~HUAWEI-behavior-daa_b2] quit
# Bind a DAA user policy.
[~HUAWEI] traffic policy daa
[*HUAWEI-policy-daa] share-mode
[*HUAWEI-policy-daa] classifier daa_default behavior daa_default
[*HUAWEI-policy-daa] classifier daa_c1 behavior daa_b1
[*HUAWEI-policy-daa] classifier daa_c2 behavior daa_b2
[*HUAWEI-policy-daa] commit
[~HUAWEI-policy-daa] quit
# Apply DAA user traffic policies.
The traffic-policy inbound command in the system view does not take effect for DAA users. If a
user is marked as a DAA user, you can only perform this step to control the traffic diversion
policy.
[~HUAWEI] accounting-service-policy daa
[*HUAWEI] commit
# Configure the authentication interface.
[~HUAWEI] interface gigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] bas
[*HUAWEI-GigabitEthernet0/1/1-bas] access-type layer2-subscriber default-domain
pre-authentication preweb authentication web
[*HUAWEI-GigabitEthernet0/1/1-bas] authentication-method web ppp
[*HUAWEI-GigabitEthernet0/1/1-bas] commit
[~HUAWEI-GigabitEthernet0/1/1-bas] quit
[~HUAWEI-GigabitEthernet0/1/1] quit

Configuration Files
#
radius-server group radius
radius-server authentication 172.16.45.220 1812 weight 0
radius-server accounting 172.16.45.220 1813 weight 0
radius-server shared-key %^%#`E)v.Q@BHVzxxZ;ij{>&_M0!TGP7YRA@8a7mq<\/%^%#
#
service-location 1
location slot 1 engine 0 backup slot 2 engine 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
port-range 1024
service-instance-group group1
nat address-group address-group1 group-id 1
section 0 11.11.11.0 mask 24
nat outbound any address-group 1
nat alg all
nat filter mode full-cone
#
ip pool pool1 bas local
gateway 10.0.0.1 255.255.255.0
section 0 10.0.0.2 10.0.0.200
excluded-ip-address 10.0.0.101
#
web-auth-server 192.168.10.2 port 50100 key cipher huawei
#
value-added-service enable
#
qos-profile qos-prof1
car cir 5000 cbs 935000 green pass red discard inbound
car cir 5000 cbs 935000 green pass red discard outbound
qos-profile qos-prof2
car cir 10000 cbs 1870000 green pass red discard inbound
car cir 10000 cbs 1870000 green pass red discard outbound
#
user-group preweb
user-group web
user-group daa
#
aaa
authentication-scheme none
authentication-mode none
authentication-scheme radius
authentication-mode radius
#
accounting-scheme none
accounting-mode none
accounting-scheme radius
accounting-mode radius
#
domain preweb
authentication-scheme none
accounting-scheme none
ip-pool pool1
user-group preweb bind nat instance nat1
web-server 192.168.10.2
web-server url http://192.168.10.2
#
domain web
authentication-scheme radius
accounting-scheme radius
radius-server group radius
user-group web bind nat instance nat1
qos-profile qos-prof1 inbound
qos-profile qos-prof1 outbound
value-added-service account-type radius radius
value-added-service policy vp_daa_default
portal-server 192.168.10.2
portal-server url http://192.168.10.2/portal/admin
#
value-added-service policy vp_daa_default daa
user-group web bind nat instance nat1
accounting-together enable
traffic-separate enable
#
value-added-service policy vp_daa daa
user-group daa bind nat instance nat1
traffic-separate enable
tariff-level 5 qos-profile qos-prof2
#
acl number 6000
rule 5 permit ip source user-group preweb destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group preweb
rule 20 permit ip source user-group preweb destination ip-address 192.168.10.2 0
rule 25 permit ip source ip-address 192.168.10.2 0 destination user-group preweb
#
acl number 6001
rule 5 permit tcp source user-group preweb destination-port eq www
rule 10 permit tcp source user-group preweb destination-port eq 8080
#
acl number 6002
rule 5 permit ip source ip-address any destination user-group preweb
rule 10 permit ip source user-group preweb destination ip-address any
#
acl number 6010
rule 5 permit ip source user-group web destination any
rule 10 permit ip source any destination user-group web
#
acl number 6011
rule 5 permit ip source user-group daa destination ip-address 192.168.200.0 0.0.0.255
rule 10 permit ip source ip-address 192.168.200.0 0.0.0.255 destination user-group daa
#
acl number 6012
rule 5 permit ip source user-group daa destination any
rule 10 permit ip source any destination user-group daa
#
traffic classifier web-deny operator or
if-match acl 6002
traffic classifier web-permit operator or
if-match acl 6000
traffic classifier web-redirect operator or
if-match acl 6001
traffic classifier daa_default operator or
if-match acl 6010
traffic classifier daa_c1 operator or
if-match acl 6011
traffic classifier daa_c2 operator or
if-match acl 6012
#
traffic behavior web-deny
deny
traffic behavior web-permit
nat bind instance nat1
traffic behavior web-redirect
http-redirect
traffic behavior daa_default
nat bind instance nat1
traffic-statistic
traffic behavior daa_b1
nat bind instance nat1
tariff-level 5
car
traffic-statistic
traffic behavior daa_b2
nat bind instance nat1
#
traffic policy preweb
share-mode
classifier web-permit behavior web-permit
classifier web-redirect behavior web-redirect
classifier web-deny behavior web-deny
traffic policy daa
share-mode
classifier daa_default behavior daa_default
classifier daa_c1 behavior daa_b1
classifier daa_c2 behavior daa_b2
#
traffic-policy preweb inbound
#
accounting-service-policy daa
#
interface gigabitEthernet0/1/1
bas
#
access-type layer2-subscriber default-domain pre-authentication preweb authentication web
authentication-method web ppp
#
#

return
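The note at the top of this section requires the user groups in the pre-authentication domain, the authentication domain and the DAA service policy to be bound to the same NAT instance, and the configuration file above also has to keep ACL, classifier, behavior and policy names consistent across views (a classifier referenced by a policy but defined under another name silently leaves that traffic without NAT). The following Python script is an added example, not part of the Huawei documentation: it parses a configuration file in the layout shown above, resolves every reference to a NAT instance, user group, ACL, classifier, behavior, traffic policy or DAA policy against the corresponding definition, and reports bindings that point at different NAT instances. CONFIG is a constructed excerpt with deliberate mistakes; the regular expressions cover only the command forms used in it.

```python
"""Cross-reference lint for a Huawei-style NAT/BRAS configuration file.

Added example, not part of the Huawei documentation.  CONFIG is a constructed
excerpt modelled on the configuration file above, with deliberate mistakes of
the kind the note at the top of this section warns about.  The regular
expressions assume only the command forms used here."""
import re
from collections import defaultdict

# Objects declared at the top level (indent 0) that other lines refer to.
DEFINITIONS = {
    "nat instance": re.compile(r"^nat instance (\S+)"),
    "user-group": re.compile(r"^user-group (\S+)$"),
    "acl": re.compile(r"^acl number (\d+)"),
    "traffic classifier": re.compile(r"^traffic classifier (\S+)"),
    "traffic behavior": re.compile(r"^traffic behavior (\S+)"),
    "traffic policy": re.compile(r"^traffic policy (\S+)"),
    "value-added-service policy": re.compile(r"^value-added-service policy (\S+) daa"),
}
# Lines that refer to those objects, by kind (matched against stripped lines).
REFERENCES = [
    ("user-group", re.compile(r"^user-group (\S+) bind nat instance")),
    ("nat instance", re.compile(r"bind (?:nat )?instance (\S+)")),
    ("user-group", re.compile(r"(?:source|destination) user-group (\S+)")),
    ("acl", re.compile(r"^if-match acl (\d+)")),
    ("traffic classifier", re.compile(r"^classifier (\S+) behavior")),
    ("traffic behavior", re.compile(r"^classifier \S+ behavior (\S+)")),
    ("value-added-service policy", re.compile(r"^value-added-service policy (\S+)$")),
    ("traffic policy", re.compile(r"^(?:traffic-policy|accounting-service-policy) (\S+)")),
]


def parse(text):
    """Collect definitions, references (with the view they appear in) and NAT bindings."""
    defs, refs, bindings, stack = defaultdict(set), [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:      # leave deeper or sibling views
            stack.pop()
        scope = stack[-1][1] if stack else "system view"
        stack.append((indent, line))
        if indent == 0:
            for kind, pat in DEFINITIONS.items():
                m = pat.match(line)
                if m:
                    defs[kind].add(m.group(1))
        for kind, pat in REFERENCES:
            m = pat.search(line)
            if m:
                refs.append((kind, m.group(1), scope))
                if kind == "nat instance":
                    bindings.append((scope, m.group(1)))
    return defs, refs, bindings


def lint(text):
    """Return human-readable findings; an empty list means the file is consistent."""
    defs, refs, bindings = parse(text)
    findings = [f"{kind} '{name}' referenced in '{scope}' but never defined"
                for kind, name, scope in refs if name not in defs[kind]]
    if len({inst for _scope, inst in bindings}) > 1:
        findings.append("NAT bindings disagree: " +
                        ", ".join(f"{scope} -> {inst}" for scope, inst in bindings))
    return findings


# Constructed excerpt: vp_daa binds a NAT instance that does not exist, and the
# DAA policy refers to a classifier/behavior pair that was never created.
CONFIG = """\
#
nat instance nat1 id 1
 port-range 1024
#
user-group preweb
user-group web
user-group daa
#
aaa
 domain preweb
  user-group preweb bind nat instance nat1
 domain web
  user-group web bind nat instance nat1
  value-added-service policy vp_daa_default
#
value-added-service policy vp_daa_default daa
 user-group web bind nat instance nat1
#
value-added-service policy vp_daa daa
 user-group daa bind nat instance nat2
#
acl number 6011
 rule 5 permit ip source user-group daa destination ip-address 192.168.200.0 0.0.0.255
#
traffic classifier daa_c1 operator or
 if-match acl 6011
#
traffic behavior daa_b1
 nat bind instance nat1
#
traffic policy daa
 share-mode
 classifier daa_c1 behavior daa_b1
 classifier daa_c2 behavior daa_b2
#
accounting-service-policy daa
#
return
"""
FIXED = (CONFIG.replace("instance nat2", "instance nat1")
               .replace(" classifier daa_c2 behavior daa_b2\n", ""))

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print("FINDING:", finding)
    print("fixed file findings:", lint(FIXED))
</test>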

Typical Configuration of Centralized NAT Automatic Load Balancing in Inter-chassis 1:1 Cold
Backup Scenarios

Network address translation (NAT) translates between private and public IPv4 addresses. By
doing so, it enables multiple users on a private network to use only a small number of public IPv4
addresses for access to external networks. When a user accesses an external network, a NAT
device translates the user's private IPv4 address into a public IPv4 address and temporarily
records the mapping. In an inter-chassis cold backup scenario, you can configure centralized
NAT automatic load balancing on two CGN devices to improve their reliability.

Applicable Products and Versions


This feature applies to ME60 series, NE40E series, NE20E series, and NE8000 series routers
running V800R021C10 and later versions.

Precautions
Table 1-44 Precautions for centralized NAT automatic load balancing in inter-chassis 1:1 cold
backup scenarios

1. Precaution: In automatic load balancing scenarios, the same CPU cannot be specified multiple
   times in the service-instance group view.
   Impact: Specifying the same CPU multiple times will result in uneven load balancing.
   Workaround: Specify the same CPU once at most.

2. Precaution: A NAT instance supports a maximum of 16 CPUs for load balancing. This means you
   can configure a maximum of 16 service locations in the service-instance group view.
   Impact: Attempting to configure more than 16 service locations will result in a configuration
   error being displayed.
   Workaround: Configure the service locations based on how they are supported by devices.

3. Precaution: When configuring the nat-instance subnet length initial command, you are advised
   to reserve at least 50% of addresses in the global address pool after addresses are allocated
   for the first time.
   Impact: If a fault occurs and there are not enough reserved addresses, traffic cannot be
   forwarded.
   Workaround: Reserve at least 50% of addresses.

4. Precaution: By default, when the usage of a global address pool reaches 80%, an associated
   alarm is generated. In this case, you can apply for addresses from the global address pool
   only when the port usage of the instance reaches 100%.
   Impact: If the number of addresses configured in a global address pool is inappropriate, an
   alarm for the address usage is generated.
   Workaround: Plan the number of addresses in the global address pool appropriately.

5. Precaution: The resource licenses of all CPUs configured in the service-instance group view
   must be the same, as must the bandwidth licenses of the CPUs.
   Impact: If you do not do so, load balancing will be uneven.
   Workaround: Before running the service-instance-group command, check the resource and
   bandwidth licenses of each CPU.

6. Precaution: In dual-device backup scenarios, you need to specify the slave parameter in the
   nat ip-pool command on one device.
   Impact: If this parameter is not specified, some addresses may be allocated twice, causing
   traffic to enter an incorrect device.
   Workaround: Before configuring dual-device backup, manually select a device as the backup
   device for which the slave parameter is to be specified.

7. Precaution: After the load balancing solution is used, the addresses in the NAT address pool
   configured using the nat ip-pool command are dynamically allocated to CPUs. During off-peak
   hours, user services all use the first assigned public IP addresses, for example, the
   addresses from the initial address segment. Because one user can be assigned ports of only a
   specific public IP address, not ports of the other addresses, problems will occur as the
   number of services grows.
   Impact: For the public IP addresses that are assigned first, their port usage is high or their
   ports are exhausted. In contrast, the port usage of the addresses that are assigned later is
   low.
   Workaround: You are advised to run the port-range command to limit the number of ports for a
   single user or run the nat ip access-user limit command to limit the number of private
   network users using a single public IP address.


Prerequisites
1. VSUI-400 series NAT boards are installed.
2. License items listed in Table 1-45 are ready.

Table 1-45 Licenses required for centralized NAT automatic load balancing in inter-chassis 1:1
cold backup scenarios

License Name: 2M NAT Session License
License Description: NAT session license for the VSUI-400 series. Each license permits 2M NAT
sessions. To allocate license resources to the CPUs of service boards, run the active nat
session-table size (license view) command.
U: B
Involved Models: NE40E, CX600, and ME60

License Name: CGN Service 1M NAT Session License
License Description: VSU series session resource license.
U: B
Involved Models: NE8000-M series

License Name: 16M NAT Session License for VSU Series Units
License Description: NAT session license for the VSUI-400 series. Each license permits 16M NAT
sessions. To allocate license resources to the CPUs of service boards, run the active nat
session-table size (license view) command.
U: B
Involved Models: NE40E, CX600, and ME60

License Name: VSUI-400 Series 20 Gbps Capacity RTU for CGN
License Description: The capacity of VSUI-400 series boards is 0 by default, and can be expanded
up to 400 Gbit/s. To expand the capacity of a VSUI-400 series board, run the active nat
bandwidth-enhance slot command in the license view.
U: B
Involved Models: NE40E, CX600, and ME60


Networking Requirements
In the centralized deployment scenario shown in Figure 1-95, CGN1 and CGN2 are deployed
near the IGW at the metro network core as standalone devices. They need to be configured with
different public IP addresses and static default routes to be advertised to the user-side router. In
addition, BGP local preference values need to be configured on the user-side router to ensure
that the preference of the route advertised by CGN1 is higher than that advertised by CGN2.

Typically, if a CGN service board fails, BGP does not withdraw the default route advertised to a
downstream device. As a result, traffic is interrupted when it is forwarded to the CGN device over
the static default route. To address this problem, configure the function of associating NAT
inter-chassis cold backup with CGN boards. Specifically, by associating a serviceif interface with
an HA service status monitoring group, this function can promptly detect the running status of
CGN service boards and switch the traffic to the backup device if necessary.

Figure 1-95 Networking diagram for configuring centralized NAT automatic load balancing in an
inter-chassis 1:1 cold backup scenario

Interface 1 in this example represents GE2/0/0.


Configuration Roadmap

Before configuring CGN devices, ensure that BGP local-preference has been configured on the
user-side router and that the router preferentially selects the default route from one CGN device.

The two CGN devices must have the same configurations except for the preference parameter.

The configuration roadmap is as follows:
1. Configure basic NAT functions.
2. Configure association of NAT board faults with inter-chassis NAT cold backup.
3. Configure routing-related functions.
4. Configure interface-related functions.

Procedure
1. Configure basic NAT functions. The configuration of CGN2 is similar to that of CGN1. For
configuration details, see the configuration files.
# Configure NAT licenses and bind them to boards.
<HUAWEI> system-view
[~HUAWEI] sysname CGN1
[*HUAWEI] commit
[~CGN1] license
[*CGN1-license] active nat session-table size 16 slot 4 engine 0
[*CGN1-license] active nat session-table size 16 slot 5 engine 0
[*CGN1-license] active nat bandwidth-enhance slot 4 engine 0
[*CGN1-license] commit
[~CGN1-license] quit

When NAT is deployed on an NE20E, no license needs to be configured.


When NAT is deployed on an NE8000-M series device, only the resource license needs to be
configured. The bandwidth license does not need to be configured.
# Configure service locations and bind them to the boards.
[~CGN1] service-location 1
[*CGN1-service-location-1] location slot 4 engine 0
[*CGN1-service-location-1] quit
[*CGN1] service-location 2
[*CGN1-service-location-2] location slot 5 engine 0
[*CGN1-service-location-2] commit
[~CGN1-service-location-2] quit

For the CX600 chassis-shaped device used outside China, NE40E, and ME60, the engine
parameter must be specified when resource licenses are allocated and NAT service boards are
bound.
# Configure a service-instance group.
[~CGN1] service-instance-group nat1
[*CGN1-service-instance-group-nat1] service-location 1
[*CGN1-service-instance-group-nat1] service-location 2
[*CGN1-service-instance-group-nat1] commit
[~CGN1-service-instance-group-nat1] quit

Do not specify the same CPU multiple times in the service-instance group view. Otherwise, load
balancing is uneven.
# Configure a global address pool, set the mask length of the initial address segment, and set the
mask length of the extended address segment to be used after the initial address segment is
exhausted.
[~CGN1] nat ip-pool nat_pool1
[*CGN1-nat-nat-ip-pool-nat_pool1] section 0 11.11.11.0 mask 24
[*CGN1-nat-nat-ip-pool-nat_pool1] nat-instance subnet length initial 26 extend 28
[*CGN1-nat-nat-ip-pool-nat_pool1] commit
[~CGN1-nat-nat-ip-pool-nat_pool1] quit
# Configure a NAT instance and the ALG function to ensure that NAT is performed for packets
containing IP addresses and port numbers.
[~CGN1] nat instance nat1
[*CGN1-nat-instance-nat1] port-range 4096
[*CGN1-nat-instance-nat1] service-instance-group nat1
[*CGN1-nat-instance-nat1] nat address-group 1 group-id 1 bind-ip-pool nat_pool1
[*CGN1-nat-instance-nat1] nat outbound any address-group 1
[*CGN1-nat-instance-nat1] nat alg all
[*CGN1-nat-instance-nat1] nat filter mode full-cone
[*CGN1-nat-instance-nat1] nat statistics port-usage enable
[*CGN1-nat-instance-nat1] nat statistics session-usage enable
[*CGN1-nat-instance-nat1] nat statistics address-pool-usage enable
[*CGN1-nat-instance-nat1] commit
[~CGN1-nat-instance-nat1] quit
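Precautions 3, 4 and 7 in Table 1-44 and the address pool and port-range settings configured above describe arithmetic that is easy to get wrong by hand: how many subscribers one public address carries at a given port-range, whether the initial segment leaves enough of the pool in reserve, and how soon extension segments push the pool over the alarm threshold. The following Python script is an added example, not part of the Huawei documentation: it models a global address pool with an initial and an extension segment length, as in nat-instance subnet length initial 26 extend 28, and answers those three questions for the values used in this procedure. PORT_FLOOR (no ports below 1024 are handed to subscribers) is an assumption made here, and the allocator is a simplified model, not the device's own.

```python
"""Capacity and reserve arithmetic for a centralized NAT global address pool.

Added example, not part of the Huawei documentation.  It models 'nat ip-pool'
with 'nat-instance subnet length initial 26 extend 28' and the NAT instance's
'port-range 4096' from the procedure above; the 50% reserve and the 80% alarm
threshold come from the precautions table.  PORT_FLOOR is an assumption made
here (ports below 1024 are not handed to subscribers); nothing is read from a
device and the allocator is a simplified model."""
import ipaddress

PORT_FLOOR = 1024
USABLE_PORTS = 65536 - PORT_FLOOR          # 64512 ports per public IPv4 address


def users_per_address(port_range: int) -> int:
    """Subscribers one public address carries when each receives 'port-range' ports."""
    return USABLE_PORTS // port_range


class GlobalPool:
    """Hands the NAT instance an initial segment, then extension segments on demand."""

    def __init__(self, cidr: str, initial_len: int, extend_len: int):
        self.net = ipaddress.ip_network(cidr)
        self.initial_len, self.extend_len = initial_len, extend_len
        self.free = [self.net]            # unallocated blocks, in address order
        self.allocated = []               # segments handed to the instance

    def _take(self, prefix_len: int) -> ipaddress.IPv4Network:
        for i, block in enumerate(self.free):
            if block.prefixlen <= prefix_len:       # block is large enough to carve
                del self.free[i]
                pieces = list(block.subnets(new_prefix=prefix_len))
                self.free[i:i] = pieces[1:]          # keep the remainder free
                self.allocated.append(pieces[0])
                return pieces[0]
        raise RuntimeError("global address pool exhausted")

    def allocate(self) -> ipaddress.IPv4Network:
        """First call: the initial segment.  Later calls: one extension segment each."""
        return self._take(self.initial_len if not self.allocated else self.extend_len)

    def usage(self) -> float:
        return sum(s.num_addresses for s in self.allocated) / self.net.num_addresses


def initial_reserve_ok(cidr: str, initial_len: int, min_reserve: float = 0.5) -> bool:
    """Precaution 3: at least 50% of the pool must remain after the first allocation."""
    pool = GlobalPool(cidr, initial_len, initial_len)
    pool.allocate()
    return 1.0 - pool.usage() >= min_reserve


def extensions_until_alarm(cidr: str, initial_len: int, extend_len: int,
                           threshold: float = 0.8):
    """Precaution 4: extension segments that fit before usage crosses the alarm line."""
    pool = GlobalPool(cidr, initial_len, extend_len)
    pool.allocate()
    count = 0
    while pool.usage() < threshold:
        try:
            pool.allocate()
        except RuntimeError:          # pool ran dry before the threshold was reached
            break
        count += 1
    return count, pool.usage()


def initial_capacity(cidr: str, initial_len: int, port_range: int) -> int:
    """Subscribers served by the initial segment before any extension is needed."""
    pool = GlobalPool(cidr, initial_len, initial_len)
    return pool.allocate().num_addresses * users_per_address(port_range)


if __name__ == "__main__":
    print("users per address at port-range 4096:", users_per_address(4096))
    print("initial /26 of a /24 keeps a 50% reserve:", initial_reserve_ok("11.11.11.0/24", 26))
    print("extension segments before the 80% alarm:", extensions_until_alarm("11.11.11.0/24", 26, 28))
    print("subscribers on the initial segment:", initial_capacity("11.11.11.0/24", 26, 4096))
```

For the values in this procedure the /26 initial segment consumes a quarter of the /24, so the 50% reserve holds, and nine /28 extensions fit before the pool passes 80%. The port-range figure is the knob precaution 7 points at: at 4096 ports per user one public address carries only 15 subscribers, while the first example's port-range 1024 carries 63, so a larger per-user range exhausts the first-assigned addresses sooner.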
# Configure an ACL rule.
[~CGN1] acl number 3001
[*CGN1-acl-adv-3001] rule 5 permit ip source 10.0.0.0 0.0.255.255
[*CGN1-acl-adv-3001] commit
[~CGN1-acl-adv-3001] quit
# Configure a traffic policy.
[~CGN1] traffic classifier nat1
[*CGN1-classifier-nat1] if-match acl 3001
[*CGN1-classifier-nat1] commit
[~CGN1-classifier-nat1] quit
[~CGN1] traffic behavior nat1
[*CGN1-behavior-nat1] nat bind instance nat1
[*CGN1-behavior-nat1] commit
[~CGN1-behavior-nat1] quit
[~CGN1] traffic policy NAT
[*CGN1-policy-NAT] share-mode
[*CGN1-policy-NAT] classifier nat1 behavior nat1
[*CGN1-policy-NAT] commit
[~CGN1-policy-NAT] quit

2. Configure association of NAT board faults with inter-chassis NAT cold backup. The
configuration of CGN2 is similar to that of CGN1. For configuration details, see the
configuration files.
# Configure a VPN instance.
[~CGN1] ip vpn-instance inside_vrf
[*CGN1-vpn-instance-inside_vrf] ipv4-family
[*CGN1-vpn-instance-inside_vrf-af-ipv4] route-distinguisher 100:1
[*CGN1-vpn-instance-inside_vrf-af-ipv4] vpn-target 111:1 both
[*CGN1-vpn-instance-inside_vrf-af-ipv4] commit
[~CGN1-vpn-instance-inside_vrf-af-ipv4] quit
[~CGN1-vpn-instance-inside_vrf] quit
# Configure a monitor-location group.
[~CGN1] monitor-location-group cgn1
[*CGN1-monitor-location-group-cgn1] service-location 1
[*CGN1-monitor-location-group-cgn1] service-location 2
[*CGN1-monitor-location-group-cgn1] commit
[~CGN1-monitor-location-group-cgn1] quit
# Configure an interface named serviceif1 and bind it to the monitor-location group.
[~CGN1] interface serviceif1
[*CGN1-serviceif1] ip binding vpn-instance inside_vrf
[*CGN1-serviceif1] ip address 10.0.0.0 255.255.255.255
[*CGN1-serviceif1] track monitor-location-group cgn1
[*CGN1-serviceif1] commit

[~CGN1-serviceif1] quit

3. Configure routing-related functions. The configuration of CGN2 is similar to that of CGN1. For
configuration details, see the configuration files.
# Configure a static route on the device and set the outbound interface of the route to serviceif1.
[~CGN1] ip route-static vpn-instance inside_vrf 0.0.0.0 0.0.0.0 serviceif1
[*CGN1] commit
# Configure a route advertisement policy.
[~CGN1] bgp 65000
[*CGN1-bgp] peer 10.1.1.11 as-number 65000
[*CGN1-bgp] peer 10.1.1.11 connect-interface LoopBack0
[*CGN1-bgp] peer 10.1.1.12 as-number 65000
[*CGN1-bgp] peer 10.1.1.12 connect-interface LoopBack0
[*CGN1-bgp] ipv4-family unicast
[*CGN1-bgp-af-ipv4] undo synchronization
[*CGN1-bgp-af-ipv4] peer 10.1.1.12 enable
[*CGN1-bgp-af-ipv4] quit
[*CGN1-bgp] ipv4-family vpn-instance inside_vrf
[*CGN1-bgp-inside_vrf] peer 10.1.1.11 enable
[*CGN1-bgp-inside_vrf] peer 10.1.1.11 default-route-advertise
[*CGN1-bgp-inside_vrf] commit

[~CGN1-bgp-inside_vrf] quit
[~CGN1-bgp] quit

4. Configure interface-related functions. The configuration of CGN2 is similar to that of CGN1.
For configuration details, see the configuration files.
# Bind the traffic policy to the interface.
[~CGN1] interface gigabitEthernet 2/0/0
[~CGN1-GigabitEthernet2/0/0] ip binding vpn-instance inside_vrf
[*CGN1-GigabitEthernet2/0/0] traffic-policy NAT inbound
[*CGN1-GigabitEthernet2/0/0] commit
[~CGN1-GigabitEthernet2/0/0] quit

Configuration Files
The configurations on CGN1 and CGN2 are as follows. Items that are identical on both devices are
shown once; the two devices differ only in the system name, the global address pool (CGN2
carries the slave parameter and its own public segment), and the route distinguisher.

1. Set a system name.
CGN1:
#
sysname CGN1
CGN2:
#
sysname CGN2

2. Configure licenses (CGN1 and CGN2).
#
license
 active nat session-table size 16 slot 4 engine 0
 active nat session-table size 16 slot 5 engine 0
 active nat bandwidth-enhance slot 4 engine 0

3. Configure service locations (CGN1 and CGN2).
#
service-instance-group nat1
 service-location 1
 service-location 2

4. Configure a global address pool.
CGN1:
#
nat ip-pool nat_pool1
 section 0 100.0.0.0 mask 24
 nat-instance subnet length initial 26 extend 28
CGN2:
#
nat ip-pool nat_pool1 slave
 section 0 101.0.0.0 mask 24
 nat-instance subnet length initial 26 extend 28

5. Configure a NAT instance (CGN1 and CGN2).
#
nat instance nat1 id 1
 port-range 4096
 service-instance-group nat1
 nat address-group 1 group-id 1 bind-ip-pool nat_pool1
 nat outbound any address-group 1
 nat alg all
 nat filter mode full-cone
 nat statistics port-usage enable
 nat statistics session-usage enable
 nat statistics address-pool-usage enable

6. Configure an ACL rule (CGN1 and CGN2).
#
acl number 3001
 rule 5 permit ip source 10.0.0.0 0.0.255.255

7. Configure a traffic classifier (CGN1 and CGN2).
#
traffic classifier nat1
 if-match acl 3001

8. Configure a traffic behavior (CGN1 and CGN2).
#
traffic behavior nat1
 nat bind instance nat1

9. Configure a traffic policy (CGN1 and CGN2).
#
traffic policy NAT
 share-mode
 classifier nat1 behavior nat1

10. Configure a VPN instance.
CGN1:
#
ip vpn-instance inside_vrf
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 both
CGN2:
#
ip vpn-instance inside_vrf
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 both

11. Configure a monitor-location group (CGN1 and CGN2).
#
monitor-location-group cgn1
 service-location 1
 service-location 2

12. Configure a serviceif interface (CGN1 and CGN2).
#
interface serviceif1
 ip binding vpn-instance inside_vrf
 ip address 10.0.0.0 255.255.255.255
 track monitor-location-group cgn1

13. Configure a static default route (CGN1 and CGN2).
#
ip route-static vpn-instance inside_vrf 0.0.0.0 0.0.0.0 serviceif1

14. Configure route advertisement (CGN1 and CGN2).
#
bgp 65000
 peer 10.1.1.11 as-number 65000
 peer 10.1.1.11 connect-interface LoopBack0
 peer 10.1.1.12 as-number 65000
 peer 10.1.1.12 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.12 enable
 #
 ipv4-family vpn-instance inside_vrf
  peer 10.1.1.11 enable
  peer 10.1.1.11 default-route-advertise

15. Bind the traffic policy to the desired interface (CGN1 and CGN2).
#
interface GigabitEthernet 2/0/0
 ip binding vpn-instance inside_vrf
 traffic-policy NAT inbound
#


Typical Configuration of Centralized NAT Deployment Applied in Distributed NAT Mode

Network address translation (NAT) translates between private and public IPv4 addresses. By
doing so, it enables multiple users on a private network to use only a small number of public IPv4
addresses for access to external networks. When a user accesses an external network, a NAT
device translates the user's private IPv4 address into a public IPv4 address and temporarily
records the mapping.
Destination address accounting (DAA) implements accounting, rate limit, and priority scheduling
based on destination addresses accessed by users.
There are two NAT deployment modes: distributed NAT and centralized NAT.
● Distributed NAT: NAT is performed on a BRAS. A public IP address is assigned to a
user when the user goes online, and remains assigned to this user for the duration of
online activity.
● Centralized NAT: NAT is performed on boards installed on a CR or on a device
attached to a CR. NAT is triggered by traffic to assign a public IP address. User login
is not involved.
The mechanisms for triggering public IP address allocation in the two deployment modes are
different. To maximize the usage of public IP addresses, distributed NAT can be used for
high-end users and centralized NAT for common users.
This section provides an example for configuring centralized NAT deployment applied in
distributed NAT mode.

Applicable Products and Versions


This feature applies to ME60 series, NE40E series, and NE8000 series routers running
V800R021C10 and later versions.
Precautions
Table 1-46 Precautions for centralized NAT deployment applied in distributed NAT mode

1. Precaution: A DAA service policy cannot be delivered by the Common Open Policy Service
   (COPS).
   Impact: A DAA service policy can be delivered only through domain binding, the RADIUS
   server, or the Diameter server.
   Workaround: None.

2. Precaution: A DAA service can be generated only when a DAA service policy is bound to a
   domain or delivered using a RADIUS authentication response packet. A DAA service policy can
   be switched through the RADIUS server. After a user goes online, the DAA service policy
   cannot be delivered by the RADIUS server to generate a DAA service.
   Impact: If a DAA service needs to be deployed, a DAA service policy must be bound to a domain
   or delivered using a RADIUS authentication response packet.
   Workaround: Configure an empty DAA service policy in a domain.

3. Precaution: DAA rate limit restrictions:
   (1) When SQ rate limit is used for a DAA service, non-service traffic enters the BE queue. If
   the DAA service is planned for the BE queue, non-service traffic is controlled by the DAA
   service's rate limit and is included in the DAA service traffic.
   (2) Service separation does not take effect when CAR is configured for DAA and SQ is
   configured for users.
   (3) If QoS resources are insufficient during DAA service policy switching, resources are not
   switched, and services remain unchanged. Service resource insufficiency can be checked.
   (4) If SQ rate limit is configured for the DAA service and no rate limit is configured for a
   user, the user's rate is also limited.
   Impact: Improper planning results in inaccurate rate limiting.
   Workarounds:
   (1) Do not configure services in the BE queue when DAA uses SQ rate limit.
   (2) None.
   (3) Do not switch a DAA service policy if QoS resources are insufficient.
   (4) None.


Prerequisites
1. Special boards required in this scenario:
   ■ Boards that support user access must be deployed on the user side.
   ■ VSUI-400 series NAT boards are required.
2. Table 1-47 lists the license items required in this scenario.

Table 1-47

License Name: Subscribers Quantity (1k Subscribers)
License Description: Number of online users.
U: B
Involved Models: NetEngine40E, NE8000-M series, and ME60

License Name: PPPoE/IPoE Function License
License Description: Controls the PPPoE/IPoE function of the entire device.
U: B
Involved Models: NE40E, and CX600 used outside China

License Name: 2M NAT Session License
License Description: NAT session license for the VSUI-400 series. Each license permits 2M NAT
sessions. To allocate license resources to the CPUs of service boards, run the active nat
session-table size (license view) command.
U: B
Involved Models: NE40E and ME60

License Name: CGN Service 1M NAT Session License
License Description: VSU series session resource license.
U: B
Involved Models: NE8000-M series

License Name: 16M NAT Session License for VSU Series Units
License Description: NAT session license for the VSUI-400 series. Each license permits 16M NAT
sessions. To allocate license resources to the CPUs of service boards, run the active nat
session-table size (license view) command.
U: B
Involved Models: NE40E and ME60

License Name: VSUI-400 Series 20 Gbps Capacity RTU for CGN
License Description: The capacity of VSUI-400 series boards is 0 by default, and can be expanded
up to 400 Gbit/s. To expand the capacity of a VSUI-400 series board, run the active nat
bandwidth-enhance slot command in the license view.
U: B
Involved Models: NE40E and ME60


RADIUS Attributes
Table 1-48 RADIUS attributes

Attribute No.: 11
Attribute Name: Filter-Id
Attribute Type: String (defined as Text in the protocol)
Server Type: All
Usage: This attribute carries the user group name (USER-GROUP NAME). If the user group name contains @, only the character string before @ is used; @ and the characters after it are ignored. If multiple Filter-Ids are received, only the last one takes effect. Therefore, it is advised to carry only one Filter-Id each time.
Remarks: The length ranges from 1 to 32 bytes.

Attribute No.: 26-95
Attribute Name: HW-Policy-Name
Attribute Type: String
Server Type: All
Usage: The attribute indicates the name of the value-added service policy. Multiple HW-Policy-Name attributes can be encapsulated in a packet to deliver multiple value-added services. A packet can deliver up to 16 value-added services. (DAA does not support encapsulation of multiple value-added service policy names in one packet.)
Remarks: The length is 32 characters. In some versions, HW-Policy-Name is Policy-Name.
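The two attributes in Table 1-48 are what the BRAS acts on when it decides a user's group and DAA policy, so it is worth seeing exactly how they are decoded and which of the table's rules are enforced. The following is an added worked example, not code from the Huawei guide or from any RADIUS library: it parses the attribute section of a constructed Access-Accept, applies the Filter-Id rules (text after @ ignored, last Filter-Id wins, 1 to 32 bytes) and collects HW-Policy-Name values carried as Huawei vendor-specific sub-attribute 95. The Huawei enterprise number 2011 is the IANA-registered value; the sample attribute bytes and the user-group and policy names in them are constructed for this example.

```python
"""Decoder for the Filter-Id and HW-Policy-Name attributes of Table 1-48.

Added worked example, not code from the Huawei guide or a RADIUS library.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011          # IANA enterprise number for Huawei
HW_POLICY_NAME = 95              # the "26-95" attribute of Table 1-48
MAX_POLICIES_PER_PACKET = 16


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: type, length (including header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def huawei_vsa(sub_type: int, value: bytes) -> bytes:
    """Wrap a Huawei sub-attribute in a Vendor-Specific (26) attribute."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a type/length/value sequence, refusing malformed lengths."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        yield t, data[off + 2:off + length]
        off += length


def parse_authorization(attrs: bytes, daa: bool = False) -> Dict[str, object]:
    """Return the user group and value-added service policies a BRAS would apply."""
    user_group: Optional[str] = None
    policies: List[str] = []
    for t, v in iter_tlvs(attrs):
        if t == ATTR_FILTER_ID:
            if not 1 <= len(v) <= 32:
                raise ValueError("Filter-Id must be 1-32 bytes")
            name = v.decode("utf-8").split("@", 1)[0]   # "@" and what follows are ignored
            if not name:
                raise ValueError("Filter-Id has no user group name before '@'")
            user_group = name                            # the last Filter-Id received wins
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 4:
            if struct.unpack("!I", v[:4])[0] != HUAWEI_VENDOR_ID:
                continue                                 # another vendor's VSA, not ours
            for sub_type, sub_value in iter_tlvs(v[4:]):
                if sub_type == HW_POLICY_NAME:
                    if len(sub_value) > 32:
                        raise ValueError("HW-Policy-Name longer than 32 characters")
                    policies.append(sub_value.decode("utf-8"))
    if len(policies) > MAX_POLICIES_PER_PACKET:
        raise ValueError("more than 16 value-added services in one packet")
    if daa and len(policies) > 1:
        raise ValueError("DAA accepts only one policy name per packet")
    return {"user_group": user_group, "policies": policies}


# Constructed sample of what a RADIUS server could return for a high-end user.
# The second Filter-Id overrides the first, and "@isp.example" is dropped.
SAMPLE_ATTRS = b"".join([
    attr(ATTR_FILTER_ID, b"pppoe_nat"),
    attr(ATTR_FILTER_ID, b"12m_gold_user@isp.example"),
    huawei_vsa(HW_POLICY_NAME, b"12m_gold_user_daa"),
])

if __name__ == "__main__":
    print(parse_authorization(SAMPLE_ATTRS, daa=True))
```

Running the block prints the user group 12m_gold_user and the single policy 12m_gold_user_daa. The length checks in iter_tlvs matter in practice: a RADIUS attribute with a length byte below 2 or past the end of the packet must be rejected rather than looped over or read out of bounds.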

Networking Requirements
In the mobile Internet private line service, users can be classified into either high-end users or
common users. Carriers can preferentially forward traffic of high-end users and provide
differentiated acceleration services.

As shown in Figure 1-96, the networking requirements of centralized NAT deployment applied in
distributed NAT mode are as follows:

● Preferential forwarding for upstream traffic of high-end users on the intranet: High-end
user traffic is identified based on IP addresses. The packets are re-marked with DSCP
values, and the values are sent to the upstream MAN router. In this way, the
processing priority of the packets is adjusted, and the traffic is preferentially forwarded
on the intranet.
● Differentiated acceleration for intranet and extranet downstream traffic: The RADIUS
server and DAA are used to implement differentiated acceleration package policies.
The BRAS identifies intranet and extranet traffic based on the DSCP values of the
received IP packets. For example, if the DSCP value of the downstream traffic is 14,
the BRAS determines that the traffic is extranet traffic. Differentiated acceleration is
implemented for intranet downstream traffic without affecting the inter-network
downstream bandwidth.
● Because public IP addresses are scarce, NAT is required when high-end users and common
users coexist. In addition to DSCP marking and DAA differentiated acceleration for intranet
and extranet traffic, NAT must map private IP addresses to public IP addresses after users go
online. Common users and high-end users share the same service domain and NAT address
pool.

Figure 1-96 Networking diagram of centralized NAT deployment applied in distributed NAT mode

In this example, interface1, subinterface1.1, and subinterface1.2 represent GE 0/2/0, GE 0/2/0.1,
and GE 0/2/0.2, respectively.

Configuration Roadmap

1. Configure the NAT service.
   ● Configure NAT licenses and bind them to boards.
   ● Configure a NAT instance.
   ● Configure the NAT log function.
2. Configure basic information about the RADIUS server.
3. Configure QoS policies to preferentially forward traffic of high-end users on the
   intranet.
   ● Configure basic information about QoS and the address pool.
   ● Configure a user group for DAA users.
4. Configure the DAA service to implement differentiated acceleration for intranet and
   extranet downstream traffic.
   ● Configure DAA traffic policies.
   ● Configure DAA service policies.
5. Configure a NAT conversion policy to implement NAT.

Procedure
1. Configure the NAT service. When an intranet user accesses an external network, the private IP
address of the user can be translated into a public IP address.
# Configure NAT licenses and bind them to boards.
When NAT is deployed on an NE8000-M series device, you only need to run the active nat
session-table size command to configure the NAT session resource license. In this case, you
do not need to run the active nat bandwidth-enhance command to configure the bandwidth
license.
<HUAWEI> system-view
[~HUAWEI] license
[~HUAWEI-license] active nat session-table size 6 slot 1 engine 0
[*HUAWEI-license] active nat session-table size 6 slot 2 engine 0
[*HUAWEI-license] active nat bandwidth-enhance 40 slot 1
[*HUAWEI-license] active nat bandwidth-enhance 40 slot 2
[*HUAWEI-license] commit
[~HUAWEI-license] quit
# Configure a NAT instance.
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 1 engine 0 backup slot 2 engine 0
[*HUAWEI-service-location-1] quit
[*HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-group1] service-location 1
[*HUAWEI-service-instance-group-group1] commit
[~HUAWEI-service-instance-group-group1] quit
[~HUAWEI] nat instance nat1 id 1
[*HUAWEI-nat-instance-nat1] nat address-group address-group1 group-id 1
[*HUAWEI-nat-instance-nat1-nat-address-group-address-group1] section 1 11.11.11.0 mask 24
[*HUAWEI-nat-instance-nat1-nat-address-group-address-group1] quit
[*HUAWEI-nat-instance-nat1] port-range 256 extended-port-range 1024 extended-times 3
[*HUAWEI-nat-instance-nat1] service-instance-group group1
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
# Configure the NAT log function.
When intranet users access the external network through the NAT device, multiple users share
the same external IP address. As a result, a user accessing the external network cannot be
located from the public address alone. The log function traces and records the access of intranet
users to external networks in real time, enhancing network maintainability.
[~HUAWEI] nat instance nat1 id 1
[~HUAWEI-nat-instance-nat1] nat alg all
[*HUAWEI-nat-instance-nat1] nat filter mode full-cone
[*HUAWEI-nat-instance-nat1] nat log session enable
[*HUAWEI-nat-instance-nat1] nat log host 10.179.13.230 514 source 10.179.34.241 65532
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
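The port-range, extended-port-range and extended-times settings above decide how many public ports a private user gets, how many users one public address can hold, and, together with the NAT log, how a (public IP, port) pair from an abuse report is traced back to the private user. The following model is an added worked example, not code from the Huawei guide, and not the device's allocation algorithm: it applies "port-range 256 extended-port-range 1024 extended-times 3" to the address group 11.11.11.0/24. Assumptions not stated on the page: the usable port window is 1024 to 65535, the 254 host addresses of the /24 are used, blocks are carved first-fit, a user's extension blocks stay on the user's public address, the private addresses are constructed, and the log line format is constructed rather than the device's.

```python
"""Port-block allocation model for the NAT address group configured above.

Added worked example, not the device's own algorithm; see the assumptions
in the lead-in.
"""
import ipaddress
from typing import Dict, List, Optional

PORT_LOW = 1024    # assumption: first public port used for translation
PORT_HIGH = 65536  # exclusive upper bound


class Block:
    """One contiguous run of public ports owned by one private user."""

    def __init__(self, public_ip: str, start: int, size: int, user: str) -> None:
        self.public_ip, self.start, self.size, self.user = public_ip, start, size, user

    @property
    def end(self) -> int:  # exclusive
        return self.start + self.size


class PortBlockPool:
    def __init__(self, prefix: str, port_range: int = 256,
                 extended_port_range: int = 1024, extended_times: int = 3) -> None:
        self.addresses = [str(a) for a in ipaddress.ip_network(prefix).hosts()]
        self.port_range = port_range
        self.extended_port_range = extended_port_range
        self.extended_times = extended_times
        self.blocks: Dict[str, List[Block]] = {ip: [] for ip in self.addresses}
        self.users: Dict[str, List[Block]] = {}
        self.log: List[str] = []   # constructed format standing in for "nat log session"

    def _find_gap(self, ip: str, size: int) -> Optional[int]:
        """First-fit search for `size` free contiguous ports on one public IP."""
        cursor = PORT_LOW
        for b in self.blocks[ip]:          # kept sorted by start port
            if b.start - cursor >= size:
                return cursor
            cursor = max(cursor, b.end)
        return cursor if PORT_HIGH - cursor >= size else None

    def _carve(self, ip: str, size: int, user: str) -> Optional[Block]:
        start = self._find_gap(ip, size)
        if start is None:
            return None
        blk = Block(ip, start, size, user)
        self.blocks[ip].append(blk)
        self.blocks[ip].sort(key=lambda b: b.start)
        self.users.setdefault(user, []).append(blk)
        self.log.append(f"ALLOC user={user} public={ip} ports={start}-{blk.end - 1}")
        return blk

    def allocate(self, user: str) -> Optional[Block]:
        """Initial block for a new user, or an extension block for a known user."""
        owned = self.users.get(user, [])
        if owned:
            if len(owned) - 1 >= self.extended_times:   # extended-times exhausted
                self.log.append(f"DENY user={user} reason=extended-times-exhausted")
                return None
            # assumption: extension blocks stay on the user's public address
            return self._carve(owned[0].public_ip, self.extended_port_range, user)
        for ip in self.addresses:
            blk = self._carve(ip, self.port_range, user)
            if blk is not None:
                return blk
        self.log.append(f"DENY user={user} reason=pool-exhausted")
        return None

    def lookup(self, public_ip: str, port: int) -> Optional[str]:
        """Reverse mapping an operator needs when answering an abuse report."""
        for b in self.blocks.get(public_ip, []):
            if b.start <= port < b.end:
                return b.user
        return None

    def max_ports_per_user(self) -> int:
        return self.port_range + self.extended_times * self.extended_port_range

    def initial_user_capacity(self) -> int:
        """Users the pool holds if nobody extends beyond the first block."""
        return len(self.addresses) * ((PORT_HIGH - PORT_LOW) // self.port_range)


if __name__ == "__main__":
    pool = PortBlockPool("11.11.11.0/24")
    first = pool.allocate("172.16.0.10")      # constructed private address
    for _ in range(4):                        # three extensions succeed, the fourth is denied
        pool.allocate("172.16.0.10")
    print(first.public_ip, first.start, pool.lookup("11.11.11.1", 4000))
    print("\n".join(pool.log))
```

Under these assumptions a user can hold at most 256 + 3 x 1024 = 3328 ports, and the /24 holds 254 x 252 users if none of them extends; both numbers shrink quickly once extensions are common, which is the sizing question the port-range parameters answer. Whatever the real log format is, the operational point is the same: the syslog host configured with nat log host must retain enough history to answer a lookup by public address and port for the period abuse reports cover.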

2. Configure basic information about the RADIUS server.
# Configure the source interface of the RADIUS server as loopback 0.
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 1.1.1.1 32
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit
[~HUAWEI] radius-server source interface LoopBack 0
[*HUAWEI] commit
# Configure a RADIUS authorization server.
[~HUAWEI] radius-server authorization 172.16.45.220 shared-key itellin server-group ip-radius
[*HUAWEI] commit
# Configure a RADIUS server group.
Run the radius-server authentication and radius-server accounting commands to configure
the IP address, port number, VPN instance, and weight of the authentication server and
accounting server in a RADIUS server group.
Run the radius-server shared-key command to configure the shared key for the RADIUS
servers. The shared key on the device must be the same as that on the RADIUS servers.
Otherwise, the device cannot communicate with the RADIUS servers.
Run the radius-server class-as-car command to configure packets to carry the CAR value. By
default, a packet does not carry the CAR value.
[~HUAWEI] radius-server group ip-radius
[*HUAWEI-radius-ip-radius] radius-server authentication 172.16.45.220 1812
[*HUAWEI-radius-ip-radius] radius-server accounting 172.16.45.220 1813
[*HUAWEI-radius-ip-radius] radius-server shared-key itellin
[*HUAWEI-radius-ip-radius] radius-server class-as-car
[*HUAWEI-radius-ip-radius] radius-server traffic-unit kbyte
[*HUAWEI-radius-ip-radius] radius-server algorithm loading-share
[*HUAWEI-radius-ip-radius] radius-server retransmit 5 timeout 20
[*HUAWEI-radius-ip-radius] commit
[~HUAWEI-radius-ip-radius] quit
# Configure basic AAA authentication information.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth-gmcc-radius
[*HUAWEI-aaa-authen-auth-gmcc-radius] commit
[~HUAWEI-aaa-authen-auth-gmcc-radius] quit
[~HUAWEI-aaa] accounting-scheme acc-gmcc-radius
[*HUAWEI-aaa-accounting-acc-gmcc-radius] accounting interim interval 15
[*HUAWEI-aaa-accounting-acc-gmcc-radius] accounting start-fail online
[*HUAWEI-aaa-accounting-acc-gmcc-radius] commit
[~HUAWEI-aaa-accounting-acc-gmcc-radius] quit
[~HUAWEI-aaa]

3. Configure a QoS policy and configure the policy group to take effect in the upstream direction.
The QoS policy is used to preferentially forward the traffic of high-end users on the intranet.
A multi-field classification policy is configured based on the user group of high-end users. The
user group is determined from the Filter-Id attribute delivered by the RADIUS server. The
priority of the packets is then re-marked in the QoS profile, and the re-marked value is carried to
the upstream router, so that the traffic is preferentially forwarded on the intranet. This
configuration only needs to be performed for upstream (user-to-network) traffic.
# Configure an ACL rule to match packets from user group 12m_gold_user.
[~HUAWEI] user-group 12m_gold_user
[*HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] description for_daauser_gold_user-remark_qos
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source user-group 12m_gold_user
[*HUAWEI-acl-ucl-6000] commit
[~HUAWEI-acl-ucl-6000] quit
# Configure a traffic classifier, traffic behavior, and traffic policy, and re-mark the DSCP value.
[~HUAWEI] traffic classifier gold_user_qos
[*HUAWEI-classifier-gold_user_qos] if-match acl 6000
[*HUAWEI-classifier-gold_user_qos] quit
[*HUAWEI] traffic behavior gold_user_qos_af22
[*HUAWEI-behavior-gold_user_qos_af22] remark dscp af22
[*HUAWEI-behavior-gold_user_qos_af22] quit
[*HUAWEI] commit
[~HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier gold_user_qos behavior gold_user_qos_af22
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] commit
# Configure the policy group to take effect in the upstream (user-to-network) direction.
[~HUAWEI] traffic-policy p1 inbound
[*HUAWEI] commit

4. Configure the DAA service to implement differentiated acceleration for intranet and extranet
downstream traffic.
# Enable the DAA service.
[~HUAWEI] value-added-service enable
[*HUAWEI] commit
# Configure intranet and extranet traffic policies.
● Define ACL rule 6001 to control users' extranet traffic. Match the data flow whose destination
user group is 12m_gold_user and DSCP value is 14.
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] description for_12m_gold_user-to-outside
[*HUAWEI-acl-ucl-6001] rule 5 permit ip destination user-group 12m_gold_user dscp 14
[*HUAWEI-acl-ucl-6001] quit
[*HUAWEI] commit
● Configure a traffic classifier and a traffic behavior to set the tariff level, CAR, and statistics
collection functions of the traffic behavior.
Configure car in the traffic behavior to enable traffic policing for DAA. Then, configure
traffic-statistic to collect DAA service traffic statistics and provide the statistics to the accounting
system for accounting.
[~HUAWEI] traffic classifier 12m_gold_user_to_outside
[*HUAWEI-classifier-12m_gold_user_to_outside] if-match acl 6001
[*HUAWEI-classifier-12m_gold_user_to_outside] quit
[*HUAWEI] traffic behavior 12m_gold_user_to_outside
[*HUAWEI-behavior-12m_gold_user_to_outside] tariff-level 1
[*HUAWEI-behavior-12m_gold_user_to_outside] car
[*HUAWEI-behavior-12m_gold_user_to_outside] traffic-statistic
[*HUAWEI-behavior-12m_gold_user_to_outside] quit
[*HUAWEI] commit
● Define ACL rule 6002 to control users' intranet traffic. Match the data flow whose destination user
group is 12m_gold_user.
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] description for_12m_gold_user-to-intranet
[*HUAWEI-acl-ucl-6002] rule 5 permit ip destination user-group 12m_gold_user
[*HUAWEI-acl-ucl-6002] quit
[*HUAWEI] commit
● Configure a traffic classifier and a traffic behavior to set the tariff level, CAR, and statistics
collection functions of the traffic behavior.
[~HUAWEI] traffic classifier 12m_gold_user_to_intranet
[*HUAWEI-classifier-12m_gold_user_to_intranet] if-match acl 6002
[*HUAWEI-classifier-12m_gold_user_to_intranet] quit
[*HUAWEI] traffic behavior 12m_gold_user_to_intranet
[*HUAWEI-behavior-12m_gold_user_to_intranet] tariff-level 2
[*HUAWEI-behavior-12m_gold_user_to_intranet] car
[*HUAWEI-behavior-12m_gold_user_to_intranet] traffic-statistic
[*HUAWEI-behavior-12m_gold_user_to_intranet] quit
[*HUAWEI] commit
● Bind a DAA user policy.
[~HUAWEI] traffic policy daa
[*HUAWEI-trafficpolicy-daa] classifier 12m_gold_user_to_outside behavior 12m_gold_user_to_outside
[*HUAWEI-trafficpolicy-daa] classifier 12m_gold_user_to_intranet behavior 12m_gold_user_to_intranet
[*HUAWEI-trafficpolicy-daa] quit
[*HUAWEI] commit
● Apply the DAA user traffic policy.
[~HUAWEI] accounting-service-policy daa
[*HUAWEI] commit
# Configure QoS profiles. Generally, two or more QoS profiles need to be configured, for the basic
user bandwidth and for the DAA service acceleration bandwidth, respectively.
[~HUAWEI] qos-profile qos-prof1
[*HUAWEI-qos-profile-qos-prof1] car cir 12288 pir 12288 inbound
[*HUAWEI-qos-profile-qos-prof1] car cir 16384 pir 16384 outbound
[*HUAWEI-qos-profile-qos-prof1] quit
[*HUAWEI] qos-profile qos-prof2
[*HUAWEI-qos-profile-qos-prof2] car cir 12288 pir 12288 inbound
[*HUAWEI-qos-profile-qos-prof2] car cir 12288 pir 12288 outbound
[*HUAWEI-qos-profile-qos-prof2] commit
[~HUAWEI-qos-profile-qos-prof2] quit
# Configure DAA service policies. Associate the configured tariff levels with the QoS profiles.
[*HUAWEI] value-added-service policy 12m_gold_user_daa daa
[*HUAWEI-vas-policy-12m_gold_user_daa] accounting-scheme acc-gmcc-radius
[*HUAWEI-vas-policy-12m_gold_user_daa] user-group 12m_gold_user
[*HUAWEI-vas-policy-12m_gold_user_daa] accounting-together enable
[*HUAWEI-vas-policy-12m_gold_user_daa] tariff-level 1 qos-profile qos-prof1
[*HUAWEI-vas-policy-12m_gold_user_daa] tariff-level 2 qos-profile qos-prof2
[*HUAWEI-vas-policy-12m_gold_user_daa] commit
[~HUAWEI-vas-policy-12m_gold_user_daa] quit
# Bind DAA to a high-end user domain. In this step, you mark a user as a DAA user. DAA
policies can be dynamically delivered only after the user is marked as a DAA user. DAA user
marking can be statically configured in a domain or dynamically delivered by the RADIUS server.
[~HUAWEI-aaa] domain 12m_gold_user
[~HUAWEI-aaa-12m_gold_user] value-added-service account-type radius radius
[*HUAWEI-aaa-12m_gold_user] value-added-service policy 12m_gold_user_daa
[*HUAWEI-aaa-12m_gold_user] commit
[~HUAWEI-aaa-12m_gold_user] quit
[~HUAWEI-aaa] quit

5. Configure a NAT policy.
# Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 10.10.0.1 10.10.0.100
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] quit
[*HUAWEI] commit
# Configure the NAT function for common users.
● Configure a user group to match common users.
[~HUAWEI] user-group pppoe_nat
[*HUAWEI] commit
● Configure authentication and accounting schemes.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain user
[*HUAWEI-aaa-domain-user] authentication-scheme auth-gmcc-radius
[*HUAWEI-aaa-domain-user] accounting-scheme acc-gmcc-radius
[*HUAWEI-aaa-domain-user] radius-server group ip-radius
[*HUAWEI-aaa-domain-user] commit
[~HUAWEI-aaa-domain-user] ip-pool pool1
[*HUAWEI-aaa-domain-user] user-group pppoe_nat
[~HUAWEI-aaa-domain-user] accounting-service-policy inbound disable
[~HUAWEI-aaa-domain-user] qos rate-limit-mode car outbound
[~HUAWEI-aaa-domain-user] quit
[~HUAWEI-aaa] quit
● Configure a traffic classifier, a traffic behavior, and a NAT traffic diversion policy, and apply the
policy.
[~HUAWEI] acl 7000
[*HUAWEI-acl-ucl-7000] description For-NAT-Policy
[*HUAWEI-acl-ucl-7000] rule 5 permit ip source user-group pppoe_nat
[*HUAWEI-acl-ucl-7000] commit
[~HUAWEI-acl-ucl-7000] quit
[~HUAWEI] traffic classifier pppoe-nat operator or
[*HUAWEI-classifier-pppoe-nat] if-match acl 7000
[*HUAWEI-classifier-pppoe-nat] commit
[~HUAWEI-classifier-pppoe-nat] quit
[~HUAWEI] traffic behavior pppoe-nat
[*HUAWEI-behavior-pppoe-nat] nat bind instance nat1
[*HUAWEI-behavior-pppoe-nat] commit
[~HUAWEI-behavior-pppoe-nat] quit
[~HUAWEI] traffic policy p1
[~HUAWEI-trafficpolicy-global] classifier pppoe-nat behavior pppoe-nat
[*HUAWEI-trafficpolicy-global] commit
[~HUAWEI-trafficpolicy-global] quit
● Configure a NAT conversion policy to perform NAT for user traffic.
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] description For-PPPOE-NAT-CustomerIP
[*HUAWEI-acl4-basic-2000] rule 5 permit source 172.16.0.0 16
[*HUAWEI-acl4-basic-2000] commit
[~HUAWEI-acl4-basic-2000] quit
[~HUAWEI] nat instance nat1 id 1
[~HUAWEI-nat-instance-nat1] nat outbound 2000 address-group address-group1
[*HUAWEI-nat-instance-nat1] commit
[~HUAWEI-nat-instance-nat1] quit
# Configure the NAT function for high-end users.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain 12m_gold_user
[*HUAWEI-aaa-domain-12m_gold_user] authentication-scheme auth-gmcc-radius
[*HUAWEI-aaa-domain-12m_gold_user] accounting-scheme acc-gmcc-radius
[*HUAWEI-aaa-domain-12m_gold_user] radius-server group ip-radius
[*HUAWEI-aaa-domain-12m_gold_user] commit
[~HUAWEI-aaa-domain-12m_gold_user] ip-pool pool1
[*HUAWEI-aaa-domain-12m_gold_user] user-group 12m_gold_user bind nat instance nat1
[*HUAWEI-aaa-domain-12m_gold_user] accounting-service-policy inbound disable
[*HUAWEI-aaa-domain-12m_gold_user] qos rate-limit-mode car outbound
[*HUAWEI-aaa-domain-12m_gold_user] commit
[~HUAWEI-aaa-domain-12m_gold_user] quit
[~HUAWEI-aaa] quit
[~HUAWEI] traffic behavior gold_user_qos_af22
[~HUAWEI-behavior-gold_user_qos_af22] nat bind instance nat1
[*HUAWEI-behavior-gold_user_qos_af22] commit
[~HUAWEI-behavior-gold_user_qos_af22] quit
[~HUAWEI] traffic behavior 12m_gold_user_to_outside
[~HUAWEI-behavior-12m_gold_user_to_outside] nat bind instance nat1
[*HUAWEI-behavior-12m_gold_user_to_outside] commit
[~HUAWEI-behavior-12m_gold_user_to_outside] quit
[~HUAWEI] traffic behavior 12m_gold_user_to_intranet
[~HUAWEI-behavior-12m_gold_user_to_intranet] nat bind instance nat1
[*HUAWEI-behavior-12m_gold_user_to_intranet] commit
[~HUAWEI-behavior-12m_gold_user_to_intranet] quit
6. Configure a user-side sub-interface.
Run the interface interface-type interface-number.subinterface-number command to create a
sub-interface and enter the sub-interface view. Then run the commit command before
configuring the user-vlan command.
[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode auto
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit
[~HUAWEI] interface GigabitEthernet 0/2/0.1
[*HUAWEI-GigabitEthernet0/2/0.1] commit
[~HUAWEI-GigabitEthernet0/2/0.1] user-vlan 1
[~HUAWEI-GigabitEthernet0/2/0.1-vlan-1-1] quit
[~HUAWEI-GigabitEthernet0/2/0.1] pppoe-server bind Virtual-Template 1
[*HUAWEI-GigabitEthernet0/2/0.1] commit
[~HUAWEI-GigabitEthernet0/2/0.1] bas
[~HUAWEI-GigabitEthernet0/2/0.1-bas] access-type layer2-subscriber default-domain authentication user
[*HUAWEI-GigabitEthernet0/2/0.1-bas] authentication-method ppp
[*HUAWEI-GigabitEthernet0/2/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/2/0.1-bas] quit
[~HUAWEI-GigabitEthernet0/2/0.1] quit
[~HUAWEI] interface GigabitEthernet 0/2/0.2
[*HUAWEI-GigabitEthernet0/2/0.2] commit
[~HUAWEI-GigabitEthernet0/2/0.2] user-vlan 2
[~HUAWEI-GigabitEthernet0/2/0.2-vlan-2-2] quit
[~HUAWEI-GigabitEthernet0/2/0.2] pppoe-server bind Virtual-Template 1
[*HUAWEI-GigabitEthernet0/2/0.2] commit
[~HUAWEI-GigabitEthernet0/2/0.2] bas
[~HUAWEI-GigabitEthernet0/2/0.2-bas] access-type layer2-subscriber default-domain authentication 12m_gold_user
[*HUAWEI-GigabitEthernet0/2/0.2-bas] authentication-method ppp
[*HUAWEI-GigabitEthernet0/2/0.2-bas] commit
[~HUAWEI-GigabitEthernet0/2/0.2-bas] quit
[~HUAWEI-GigabitEthernet0/2/0.2] quit

Configuration Files
#
radius-server group ip-radius
radius-server shared-key-cipher %^%#`E)v.Q@BHVzxxZ;ij{>&_M0!TGP7YRA@8a7mq<\/%^%#
radius-server authentication 172.16.45.220 1812 weight 0
radius-server accounting 172.16.45.220 1813 weight 0
radius-server retransmit 5 timeout 20
radius-server class-as-car
radius-server traffic-unit kbyte
radius-server algorithm loading-share
#
radius-server authorization 221.179.9.19 shared-key-cipher
%^%#LwVJ>q<d1($K:\VbOw.76&vZ7/Eim"q[jZ#;&`K-%^%# server-group ip-radius
#
service-location 1
location slot 1 engine 0 backup slot 2 engine 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
port-range 256 extended-port-range 1024 extended-times 3
service-instance-group group1
nat address-group address-group1 group-id 1
section 1 11.11.11.0 mask 24
nat outbound 2000 address-group address-group1
nat log host 10.179.13.230 514 source 10.179.34.241 65532
nat alg all
nat filter mode full-cone
nat log session enable
#
ip pool pool1 bas local
gateway 172.16.0.1 255.255.0.0
section 0 172.16.0.2 172.16.255.254
dns-server 10.179.155.161 10.179.155.177
#
web-auth-server 192.168.10.2 port 50100 key cipher huawei
#
value-added-service enable
#
qos-profile qos-prof1
car cir 12288 pir 12288 cbs 2297856 pbs 2297856 green pass yellow pass red discard inbound
car cir 16384 pir 16384 cbs 3063808 pbs 3063808 green pass yellow pass red discard outbound
qos-profile qos-prof2
car cir 12288 pir 12288 cbs 2297856 pbs 2297856 green pass yellow pass red discard inbound
car cir 12288 pir 12288 cbs 2297856 pbs 2297856 green pass yellow pass red discard outbound
#
user-group 12m_gold_user
user-group pppoe_nat
#
aaa
authentication-scheme auth-gmcc-radius
#
accounting-scheme acc-gmcc-radius
accounting interim interval 15
accounting start-fail online
#
domain user
authentication-scheme auth-gmcc-radius
accounting-scheme acc-gmcc-radius
radius-server group ip-radius
ip-pool pool1
accounting-service-policy inbound disable
user-group pppoe_nat
qos rate-limit-mode car outbound
#
domain 12m_gold_user
authentication-scheme auth-gmcc-radius
accounting-scheme acc-gmcc-radius
radius-server group ip-radius
value-added-service account-type radius radius
value-added-service policy 12m_gold_user_daa
ip-pool pool1
user-group 12m_gold_user bind nat instance nat1
#
#
license
active nat session-table size 6 slot 1 engine 0
active nat session-table size 6 slot 2 engine 0
active nat bandwidth-enhance 40 slot 1
active nat bandwidth-enhance 40 slot 2
#
value-added-service policy 12m_gold_user_daa daa
accounting-scheme acc-gmcc-radius
user-group 12m_gold_user
accounting-together enable
tariff-level 1 qos-profile qos-prof2
tariff-level 2 qos-profile qos-prof1
#
acl number 2000
description For-PPPOE-NAT-CustomerIP
rule 5 permit source 172.16.0.0 0.0.255.255
#
acl number 6000
description for_daauser_gold_user-remark_qos
rule 5 permit ip source user-group 12m_gold_user
#
acl number 6001
description for_12m_gold_user-to-outside
rule 5 permit ip destination user-group 12m_gold_user dscp 14
#
acl number 6002
description for_12m_gold_user-to-intranet
rule 5 permit ip destination user-group 12m_gold_user
#
acl number 7000
description For-PPPOE-NAT-Policy
rule 5 permit ip source user-group pppoe_nat
#
traffic classifier gold_user_qos operator or
if-match acl 6000
#
traffic classifier pppoe-nat operator or
if-match acl 7000
#
traffic classifier 12m_gold_user_to_outside operator or
if-match acl 6001
#
traffic classifier 12m_gold_user_to_intranet operator or
if-match acl 6002
#
traffic behavior gold_user_qos_af22 operator or
remark dscp 20
nat bind instance nat1
#
traffic behavior 12m_gold_user_to_outside operator or
tariff-level 1
car
traffic-statistic
nat bind instance nat1
#
traffic behavior 12m_gold_user_to_intranet operator or
tariff-level 2
car
traffic-statistic
nat bind instance nat1
#
traffic behavior pppoe-nat operator or
nat bind instance nat1
#
traffic policy daa
share-mode
classifier 12m_gold_user_to_outside behavior 12m_gold_user_to_outside
classifier 12m_gold_user_to_intranet behavior 12m_gold_user_to_intranet
#
traffic policy p1
classifier gold_user_qos behavior gold_user_qos_af22
classifier pppoe-nat behavior pppoe-nat
#
traffic-policy p1 inbound
#
accounting-service-policy daa
#
interface Virtual-Template1
ppp authentication-mode auto
#
interface GigabitEthernet0/2/0.1
user-vlan 1
pppoe-server bind Virtual-Template 1
bas
access-type layer2-subscriber default-domain authentication user
authentication-method ppp
#
interface GigabitEthernet0/2/0.2
user-vlan 2
pppoe-server bind Virtual-Template 1
bas
access-type layer2-subscriber default-domain authentication 12m_gold_user
authentication-method ppp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
radius-server source interface LoopBack0
#

return
