ltm lsn-pool
ltm lsn-pool(1) BIG-IP TMSH Manual ltm lsn-pool(1)
NAME
lsn-pool - Configures a Large-Scale Network Address Translation (or Carrier-Grade Network Address Translation) pool.
MODULE
ltm
SYNTAX
CREATE/MODIFY
create lsn-pool [name]
modify lsn-pool [name | all]
options:
app-service [[string] | none]
backup-members
[add | delete | replace-all-with] {
[ip address/prefix length] ...
}
client-connection-limit [integer value]
description [string]
egress-interfaces
[add | delete | replace-all-with] {
[interface name] ...
}
egress-interfaces-disabled
egress-interfaces-enabled
hairpin-mode [enabled | disabled]
icmp-echo [enabled | disabled]
inbound-connections [automatic | explicit | disabled]
log-publisher [log publisher name | none]
log-profile [log profile name | none]
members
[add | delete | replace-all-with] {
[ip address/prefix length] ...
}
mode [deterministic | napt | pba]
persistence {
mode [none | address | address-port]
timeout [integer]
}
pcp {
profile [ name | none ]
selfip [ name | none ]
dslite_tunnel [ name | none ]
}
port-block-allocation {
block-idle-timeout [integer]
block-lifetime [integer]
block-size [integer]
client-block-limit [integer]
zombie-timeout [integer]
}
route-advertisement [enabled | disabled]
translation-port-range [integer low:integer high | integer]
edit lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats lsn-pool
reset-stats lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list lsn-pool
list lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
show running-config lsn-pool
show running-config lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
show lsn-pool
show lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
failure-cause
DELETE
delete lsn-pool [name | all]
DESCRIPTION
A large-scale NAT (LSN) pool is a set of networks and port numbers that the BIG-IP system uses as public-side addresses and
ports. When you assign an LSN pool to a virtual server, the virtual server's clients have their private addresses (and/or
ports) translated to a public address and/or port from the LSN pool. The public-side addresses and ports in the LSN pool
are called translation addresses and ports.
EXAMPLES
create lsn-pool my_lsn_pool1 mode napt persistence { mode address-port timeout 600 } members add { 10.10.10.0/24 10.10.20.0/24 } translation-port-range 4000:5000 client-connection-limit 100
Creates the LSN pool my_lsn_pool1 that contains the translation addresses in the range of (members) 10.10.10.0/24 and
10.10.20.0/24, translation port range 4000-5000, with a client connection limit of 100 connections per client. The
translated address and port are persisted for 600 seconds. This LSN pool operates in NAPT mode (Network Address and Port
Translation mode), which is the default mode if not specified.
delete lsn-pool my_lsn_pool1
Deletes the LSN pool named my_lsn_pool1.
OPTIONS
app-service
Specifies the name of the application service to which this object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot modify or
delete this object. Only the application service can modify or delete this object.
backup-members
Specifies the translation IP addresses available in the backup pool. The backup pool is used in deterministic (DNAT) translation mode: if a deterministic translation fails, the pool falls back to NAPT mode and draws its translation addresses from these backup members. This is a collection of IP prefixes with their prefix lengths.
client-connection-limit
The maximum number of simultaneous translated connections a client or subscriber is allowed to have.
description
User defined description.
egress-interfaces
The set of interfaces on which the source address translation is allowed or disallowed. If egress-interfaces-enabled is specified, the source address translation is allowed only on the specified set of interfaces. If egress-interfaces-disabled is specified, source address translation is disabled on the specified interfaces.
egress-interfaces-disabled
Source address translation is not allowed on the interfaces specified in the egress-interfaces set.
egress-interfaces-enabled
Source address translation is allowed on the interfaces specified in the egress-interfaces set.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
hairpin-mode
Enable or disable hairpinning for incoming connections.
When a client sends a packet to another client in the same private network, hairpin mode sends the packet directly to
the destination client's private address; the BIG-IP system immediately translates the packet's public-side
destination address. Rather than going out to the public network and coming back later for translation, the packet
takes a hairpin turn at the BIG-IP device.
icmp-echo
Enable or disable ICMP echo on translated addresses.
inbound-connections
Modifies the inbound-connection mode for incoming connections to translation endpoints. A translation endpoint is the
public-side address and port (X':x') for a private-side address (X:x). You can allow one of three algorithms for
managing inbound connections:
Automatic
creates inbound mappings automatically from outbound traffic and allows inbound connections. Consider an outbound
mapping from X:x to X':x'. If a connection comes from X:x through X':x', the BIG-IP system automatically creates
a reverse mapping from X':x' back to X:x. A public-side station can respond through the X':x' address. This
allows the BIG-IP system to provide Endpoint Independent Filtering (EIF) as defined in section 5 of RFC 4787.
Explicit
only allows inbound connections for mappings that are explicitly created by another party, such as iRules or a
PCP request. For example, if a PCP request creates a mapping of X:x to X':x' and the client at X:x uses it, an
external caller can respond to the client through X':x'. However, if a client at M:m automatically makes a NAT'ed
connection through M':m', the BIG-IP does not support an inbound connection from M':m' back to M:m.
Disabled
disables inbound connections to translation end-points (X':x'). If there is a mapping of X (a private-side IP
address) to X' (a public-side IP), connections can only go out from X through X'. If a public-side recipient
tries to answer at the client's public-side X' address, the BIG-IP system does not map X' back to X. The inbound
connection never happens.
Port Control Protocol (PCP) is not supported if you use this setting.
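The following is an added illustration of the three inbound-connections values, written for this page and not taken from F5 code. It keeps a toy mapping table (outbound mappings learned from traffic, and explicit mappings of the kind a PCP request or iRule would create) and answers, for each mode, which private endpoint an unsolicited inbound packet to a public X':x' reaches. The exposed_endpoints helper is the view a defender wants: how much of the subscriber side is reachable from the public network under a given setting. Addresses are constructed from documentation and CGNAT example ranges.

```python
"""Model of the inbound-connections setting (automatic / explicit / disabled).

Constructed illustration; the mapping tables here are not BIG-IP's internal
data structures and all addresses are documentation/CGNAT example ranges.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Endpoint = tuple[str, int]          # (ip, port)


@dataclass
class LsnMappings:
    # private X:x -> public X':x', learned from outbound traffic (every mode)
    outbound: dict[Endpoint, Endpoint] = field(default_factory=dict)
    # public X':x' -> private X:x, created explicitly (PCP request or iRule)
    explicit: dict[Endpoint, Endpoint] = field(default_factory=dict)

    def record_outbound(self, private: Endpoint, public: Endpoint) -> None:
        self.outbound[private] = public

    def add_explicit(self, private: Endpoint, public: Endpoint) -> None:
        self.explicit[public] = private
        self.outbound[private] = public   # the client may also use it outbound


def inbound_target(m: LsnMappings, mode: str, public: Endpoint) -> Endpoint | None:
    """Private endpoint that an unsolicited inbound packet to `public` reaches,
    or None when the pool drops it."""
    if mode not in ("automatic", "explicit", "disabled"):
        raise ValueError(f"unknown inbound-connections mode: {mode}")
    if mode == "disabled":
        # No reverse mapping of any kind; PCP is not supported in this mode either.
        return None
    if public in m.explicit:
        return m.explicit[public]
    if mode == "automatic":
        # Endpoint Independent Filtering (RFC 4787 section 5): a mapping learned
        # from outbound traffic is reachable from any public-side host.
        for private, pub in m.outbound.items():
            if pub == public:
                return private
    return None


def exposed_endpoints(m: LsnMappings, mode: str) -> set[Endpoint]:
    """Public endpoints that accept unsolicited inbound traffic under `mode`."""
    candidates = set(m.outbound.values()) | set(m.explicit)
    return {p for p in candidates if inbound_target(m, mode, p) is not None}


def demo() -> dict[str, set[Endpoint]]:
    """Constructed sample state: one ordinary outbound flow, one PCP-created mapping."""
    m = LsnMappings()
    m.record_outbound(("100.64.0.5", 40000), ("203.0.113.10", 4001))
    m.add_explicit(("100.64.0.6", 5060), ("203.0.113.10", 4002))
    return {mode: exposed_endpoints(m, mode)
            for mode in ("automatic", "explicit", "disabled")}


if __name__ == "__main__":
    for mode, exposed in demo().items():
        print(f"{mode:10s} -> {sorted(exposed)}")
```

Under automatic, both the learned and the explicit mapping accept inbound traffic; under explicit, only the PCP-created one; under disabled, neither.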
log-publisher
Specify the name of the log publisher which logs translation events. See help sys log-config for more details on the
logging sub-system. Use the "sys log-config publisher" component to set up a log publisher.
log-profile
Specify the name of the LSN log profile which controls the logging of translation events. See help ltm lsn-log-profile
for more details on the logging profile sub-system. Use the "ltm lsn-log-profile profile" component to set up a LSN
log profile.
members
Specifies the set of translation IP addresses available in the pool. This is a collection of IP prefixes with their
prefix lengths. All public-side addresses come from the subnets you enter in this property.
mode Specifies which kind of translation address mapping is performed when an address is translated. Available options are
NAPT, Deterministic, and PBA.
NAPT (Network Address Port Translation) assigns translation addresses and ports in round-robin fashion. The algorithm
first cycles through translation addresses and then through translation ports.
Deterministic
(DNAT) is a reversible translation method. A given client address and port always translates to a particular
public address and port from the LSN pool. This method has the following restrictions:
it is only available for NAT44 translations,
it does not support connections through DS-Lite tunnels,
subscriber connections must be received over a VLAN with the property, cmp-hash, set to "source ip,"
the egress to the Internet must be over a VLAN with the property, cmp-hash, set to "dest ip,"
any virtual server ("ltm virtual") that uses this LSN pool must have a source property set to an IP prefix
containing fewer than 2^31 addresses. For example, the source cannot be 0.0.0.0/0.
PBA (Port Block Allocation) assigns 'blocks' of the translation addresses and ports to individual clients. All client
connections are restricted to the allocated port blocks. Only block allocations and deallocations are logged in
order to reduce the volume of logs.
subscriber connections must be received over a VLAN with the property, cmp-hash, set to "source ip,"
the egress to the Internet must be over a VLAN with the property, cmp-hash, set to "dest ip,"
You can access your VLAN configurations through the "net vlan" component. You can find the VLANs used by your
virtual server by showing or listing the "ltm virtual" component.
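The following capacity calculation is an added example, not F5 code, that puts numbers on the three mode values for a given pool. It assumes every address in a member prefix is usable, that translation-port-range is inclusive, and that deterministic mode splits the pool's address:port space evenly across the virtual server's source prefix (an idealized model, not BIG-IP's exact DNAT algorithm). It uses the pool from EXAMPLES; the subscriber prefix 100.64.0.0/22 is constructed.

```python
"""Capacity planning for an LSN pool under NAPT, Deterministic and PBA modes.

Added illustration, not F5 code. Assumptions: every member address is usable,
translation-port-range is inclusive, and deterministic mode is modelled as an
even split of the pool across the subscriber prefix.
"""
import ipaddress


def parse_port_range(spec: str) -> tuple[int, int]:
    """Accept 'low:high' or a single port, as translation-port-range does."""
    lo, _, hi = spec.partition(":")
    low, high = int(lo), int(hi or lo)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad translation-port-range: {spec}")
    return low, high


def pool_addresses(members: list[str]) -> int:
    """Number of translation addresses across all member prefixes."""
    return sum(ipaddress.ip_network(m, strict=False).num_addresses for m in members)


def napt_capacity(members: list[str], port_range: str) -> int:
    """NAPT: each (address, port) pair is one translation, so this is the
    maximum number of simultaneous translated flows."""
    low, high = parse_port_range(port_range)
    return pool_addresses(members) * (high - low + 1)


def deterministic_ports_per_subscriber(members: list[str], port_range: str,
                                       source_prefix: str) -> int:
    """Deterministic (DNAT): a fixed, reversible share of ports per subscriber
    address. The source prefix must hold fewer than 2^31 addresses."""
    subscribers = ipaddress.ip_network(source_prefix, strict=False).num_addresses
    if subscribers >= 2 ** 31:
        raise ValueError("deterministic mode needs a source prefix "
                         "with fewer than 2^31 addresses")
    return napt_capacity(members, port_range) // subscribers


def pba_capacity(members: list[str], port_range: str,
                 block_size: int = 64, client_block_limit: int = 1) -> dict:
    """PBA: ports are handed out in fixed blocks; each subscriber may hold up
    to client_block_limit blocks. Ports that cannot fill a block are stranded."""
    low, high = parse_port_range(port_range)
    addrs = pool_addresses(members)
    blocks_per_addr, leftover = divmod(high - low + 1, block_size)
    total_blocks = addrs * blocks_per_addr
    return {
        "blocks": total_blocks,
        "max_subscribers": total_blocks // client_block_limit,
        "ports_per_subscriber": block_size * client_block_limit,
        "stranded_ports": leftover * addrs,
    }


if __name__ == "__main__":
    members = ["10.10.10.0/24", "10.10.20.0/24"]   # the pool from EXAMPLES
    print("NAPT simultaneous flows:", napt_capacity(members, "4000:5000"))
    print("DNAT ports per subscriber (100.64.0.0/22):",
          deterministic_ports_per_subscriber(members, "4000:5000", "100.64.0.0/22"))
    print("PBA:", pba_capacity(members, "4000:5000"))
```

For the EXAMPLES pool the port range 4000:5000 holds 1001 ports, which with the default block-size of 64 yields 15 blocks per address and leaves 41 ports per address stranded; choosing a range that is a multiple of the block size avoids that waste.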
name Specifies a unique name for the lsn-pool component. This option is required for the commands create, delete, and
modify.
persistence
Configure the persistence settings for LSN translation entries. Persistence is the preservation of a public-side IP
address for a client from session to session.
persistence.mode
Configure the persistence mode for LSN translation entries. You can enter address, address-port, or none.
address
causes the BIG-IP software to attempt to keep the IP address persistent but not necessarily the port. If a
client's private IP address:port combination is X:x, its public-side address may be X':a in one session, X':b in
the next session, X':c in a third session, and so on.
address-port
causes the BIG-IP software to attempt to keep the IP address and port persistent. If a client's private IP
address:port combination is X:x, and its public-side address is X':x' in the first session, it remains X':x' in
all future sessions.
This is called "Endpoint Independent Mapping" in RFC 4787.
This is the only supported setting for PCP, which you configure with the pcp property.
none prevents the BIG-IP software from attempting any IP address or port persistence. An address:port combination of
X:x is never guaranteed to have the same public-side address or port in two sessions.
persistence.timeout
After the most-recent session where address:port X:x translated to X':x' on the public side, a timer begins. If the
timer expires before X:x has another session, X' or x' may be used as the public side of another address:port. Use
this parameter to set the timeout (in seconds) for address and port persistence.
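The following is an added example, not F5 code, that models persistence.mode and persistence.timeout for one client across successive sessions. The allocator is a constructed simplification: it hands out fresh translations round-robin across public addresses and then ports, as the NAPT description above says, but it does not track port collisions or connection state. Public addresses and the client endpoint are constructed sample values.

```python
"""Model of persistence.mode (address / address-port / none) and persistence.timeout.

Added illustration, not F5 code: fresh translations are taken round-robin over
addresses then ports; in-use tracking of ports is deliberately not modelled.
"""
from __future__ import annotations

Endpoint = tuple[str, int]


class PersistentAllocator:
    def __init__(self, mode: str, timeout: int, public_ips: list[str],
                 port_low: int, port_high: int) -> None:
        if mode not in ("address", "address-port", "none"):
            raise ValueError(f"unknown persistence mode: {mode}")
        self.mode, self.timeout = mode, timeout
        self.ips = list(public_ips)
        self.ports = range(port_low, port_high + 1)
        self.ip_cursor = 0
        self.port_cursor = {ip: 0 for ip in self.ips}
        self.entries: dict[Endpoint, tuple[Endpoint, int]] = {}   # private -> (public, last seen)

    def _next_port(self, ip: str) -> int:
        port = self.ports[self.port_cursor[ip] % len(self.ports)]
        self.port_cursor[ip] += 1
        return port

    def _fresh(self) -> Endpoint:
        # NAPT order: cycle through addresses first, then ports
        ip = self.ips[self.ip_cursor % len(self.ips)]
        self.ip_cursor += 1
        return (ip, self._next_port(ip))

    def translate(self, private: Endpoint, now: int) -> Endpoint:
        """Public endpoint for a new session from `private` starting at time `now`."""
        entry = self.entries.get(private)
        # persistence applies only while the timer since the last session has not expired
        persisted = (entry is not None and self.mode != "none"
                     and now - entry[1] <= self.timeout)
        if persisted and self.mode == "address-port":
            public = entry[0]                                   # same X':x'
        elif persisted:                                         # "address"
            public = (entry[0][0], self._next_port(entry[0][0]))  # same X', new port
        else:
            public = self._fresh()                              # no guarantee at all
        self.entries[private] = (public, now)
        return public


def demo(mode: str) -> list[Endpoint]:
    """Three sessions from one client at t=0, t=100 and t=800 with a 600 s timeout."""
    alloc = PersistentAllocator(mode, 600, ["203.0.113.10", "203.0.113.11"], 4000, 5000)
    client = ("100.64.0.5", 40000)
    return [alloc.translate(client, t) for t in (0, 100, 800)]


if __name__ == "__main__":
    for mode in ("address-port", "address", "none"):
        print(f"{mode:13s} {demo(mode)}")
```

With address-port the client keeps 203.0.113.10:4000 for the second session; with address it keeps the address but moves to port 4001; with none the second session already lands on the other public address. In every mode the third session starts 700 s after the second, past the 600 s timeout, so the translation is allocated afresh.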
pcp A Port Control Protocol (PCP) client can set (or at least learn) its own translation (public-side) IP address and/or
port. It can also set the address and/or port of a third-party client. PCP is defined in RFC 6887.
pcp.profile
Specifies the PCP profile to use for this LSN pool. This PCP profile defines the settings to use for communication
with PCP clients. Use the create ltm profile pcp command to create a new PCP profile.
PCP requires a profile (defined with this property) and either a pcp.selfip or a pcp.dslite tunnel where clients can
send their PCP requests.
If you remove this profile option, you must specifically remove any pcp.selfip or pcp.dslite tunnel, too.
pcp.selfip
Specifies the PCP Server self-IP address for this LSN pool. The virtual server's clients send their PCP packets to
this address. Use the create net self command to create a self-IP address, then use that address for this parameter.
Choose a self-IP address in a VLAN that is reachable by the virtual server's clients.
pcp.dslite
Specifies a DS-LITE tunnel for PCP packets. Whenever a client sends a PCP packet through this tunnel, the BIG-IP
device uses the PCP profile you choose with the pcp.profile property.
A DS-LITE tunnel places each IPv4 packet into the payload of an IPv6 packet. The IPv6 packet carries the IPv4 packet
between customer equipment and the BIG-IP system, which then removes the IPv4 packet, uses NAT to translate its IPv4
addresses, and sends it to its destination.
You cannot use this property if the mode property is set to Deterministic.
port-block-allocation
Configures the port block settings for PBA mode.
port-block-allocation.block-idle-timeout
Configures how long the block assignment is kept after the last connection using the block is freed; when this
time elapses the assignment expires. The default value is 3600 seconds.
port-block-allocation.block-lifetime
Configures the timeout after which the block is no longer used for new port allocations. The block becomes a zombie
block. The default is 0 which corresponds to an infinite timeout.
port-block-allocation.block-size
Configures the number of ports in a block. The default value is 64.
port-block-allocation.client-block-limit
Configures the number of blocks that can be assigned to a single subscriber IP address. The default value is 1.
port-block-allocation.zombie-timeout
Configures the timeout after which connections using the zombie block are killed. After the connections are killed,
the zombie block is freed once port-block-allocation.block-idle-timeout elapses. This parameter is unused unless
port-block-allocation.block-lifetime is set. The default value is 0, which corresponds to an infinite timeout.
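The following is an added example, not F5 code, that turns the three port-block-allocation timers into a timeline for one block: when it stops taking new allocations (zombie), when its remaining connections are killed, and when the assignment is released. The timer semantics are those stated in the option descriptions above; times are seconds since allocation, and last_conn_end is a constructed input giving when the subscriber's last connection on the block would close on its own (None if it stays open). Knowing these windows matters when a logged block allocation has to be attributed to a subscriber at a given time.

```python
"""Timeline of one PBA port block under block-lifetime, zombie-timeout and
block-idle-timeout. Added illustration, not F5 code; t = 0 is the allocation.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PbaTimers:
    block_idle_timeout: int = 3600   # manual default
    block_lifetime: int = 0          # 0 = infinite
    zombie_timeout: int = 0          # 0 = infinite; unused unless block_lifetime is set


def block_timeline(timers: PbaTimers, last_conn_end: int | None = None) -> dict[str, int | None]:
    """Return the times (None = never under these inputs) at which the block
    becomes a zombie, has its connections killed, and is freed."""
    # block-lifetime: after it, no new allocations from this block (zombie)
    zombie_at = timers.block_lifetime or None
    # zombie-timeout: counted from the zombie transition, only if lifetime is set
    killed_at = None
    if zombie_at is not None and timers.zombie_timeout:
        killed_at = zombie_at + timers.zombie_timeout
        if last_conn_end is not None and last_conn_end <= killed_at:
            killed_at = None          # the last connection closed on its own first
    # the last connection is freed by closing on its own or by being killed
    last_freed = last_conn_end if last_conn_end is not None else killed_at
    freed_at = None if last_freed is None else last_freed + timers.block_idle_timeout
    if freed_at is not None and zombie_at is not None and freed_at <= zombie_at:
        zombie_at = None              # released before the lifetime ever ran out
    return {"zombie_at": zombie_at, "connections_killed_at": killed_at, "block_freed_at": freed_at}


def state_at(timeline: dict[str, int | None], t: int) -> str:
    """'active' (allocating), 'zombie' (no new allocations) or 'freed'."""
    if timeline["block_freed_at"] is not None and t >= timeline["block_freed_at"]:
        return "freed"
    if timeline["zombie_at"] is not None and t >= timeline["zombie_at"]:
        return "zombie"
    return "active"


if __name__ == "__main__":
    cases = [
        ("defaults, last connection closes at 1000 s", PbaTimers(), 1000),
        ("lifetime 7200, zombie 600, connection stays open", PbaTimers(3600, 7200, 600), None),
        ("lifetime 7200, zombie infinite, connection stays open", PbaTimers(3600, 7200, 0), None),
    ]
    for label, timers, end in cases:
        print(f"{label}: {block_timeline(timers, end)}")
```

With the defaults a block whose last connection closes at 1000 s is released at 4600 s and never becomes a zombie. With block-lifetime 7200 and zombie-timeout 600, an open connection is killed at 7800 s and the block is released at 11400 s; with zombie-timeout left at 0 the same block stays a zombie for as long as the connection lives.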
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
route-advertisement
Specifies whether route advertisement is enabled or disabled for translated IP addresses.
translation-port-range
Specifies the range of port numbers available for use with translation IP addresses.
failure-cause
Displays the failure-cause table for this lsn-pool. There are many different possible failure causes and only the
failures that occur will be displayed. This information can be useful for determining why a translation is failing.
SEE ALSO
ltm profile pcp, ltm virtual, net self, net vlan, create, delete, edit, glob, list, ltm, modify, regex, reset-stats, show,
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights reserved.
BIG-IP 2017-07-27 ltm lsn-pool(1)