ltm lsn-pool

ltm lsn-pool(1) 	      BIG-IP TMSH Manual	       ltm lsn-pool(1)



NAME
       lsn-pool - Configures a Large-Scale Network Address Translation (or
       Carrier-Grade Network Address Translation) pool.

MODULE
       ltm

SYNTAX
   CREATE/MODIFY
	create lsn-pool [name]
	modify lsn-pool [name | all]
	  options:
	    app-service [[string] | none]
	    backup-members
	      [add | delete | replace-all-with] {
		[ip address/prefix length] ...
	    }
	    client-connection-limit [integer value]
	    description [string]
	    egress-interfaces
	      [add | delete | replace-all-with] {
		[interface name] ...
	    }
	    egress-interfaces-disabled
	    egress-interfaces-enabled
	    hairpin-mode [enabled | disabled]
	    icmp-echo [enabled | disabled]
	    inbound-connections [automatic | explicit | disabled]
	    log-publisher [log publisher name | none]
	    log-profile [log profile name | none]
	    members
	      [add | delete | replace-all-with] {
		[ip address/prefix length] ...
	    }
	    mode [deterministic | napt | pba]
	    persistence {
	      mode [none | address | address-port]
	      timeout [integer]
	    }
	    pcp {
	      profile [ name | none ]
	      selfip [ name | none]
	      dslite_tunnel [ name | none ]
	    }
	    port-block-allocation  {
	       block-idle-timeout [integer]
	       block-lifetime [integer]
	       block-size [integer]
	       client-block-limit [integer]
	       zombie-timeout [integer]
	    }
	    route-advertisement [enabled | disabled]
	    translation-port-range [integer low:integer high | integer]

	edit lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats lsn-pool
	reset-stats lsn-pool [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list lsn-pool
	list lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
	show running-config lsn-pool
	show running-config lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line

	show lsn-pool
	show lsn-pool [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    detail
	    field-fmt

   DELETE
	delete lsn-pool [name | all]

DESCRIPTION
       A large-scale NAT (LSN) pool is a set of networks and port numbers that
       the BIG-IP system uses as public-side addresses and ports. When you
       assign an LSN pool to a virtual server, the virtual server's clients
       have their private addresses (and/or ports) translated to a public
       address and/or port from the LSN pool. The public-side addresses and
       ports in the LSN pool are called translation addresses and ports.

EXAMPLES
       create lsn-pool my_lsn_pool1 mode napt persistence { mode address-port
       timeout 600 } members add { 10.10.10.0/24 10.10.20.0/24 }
       translation-port-range 4000:5000 client-connection-limit 100

       Creates the LSN pool my_lsn_pool1 whose translation addresses
       (members) are 10.10.10.0/24 and 10.10.20.0/24, with a translation port
       range of 4000-5000 and a client connection limit of 100 connections
       per client. The translated address and port are persisted for 600
       seconds. This LSN pool operates in NAPT mode (Network Address and
       Port Translation mode), which is the default mode if not specified.

       delete lsn-pool my_lsn_pool1

       Deletes the LSN pool named my_lsn_pool1.

OPTIONS
       app-service
	    Specifies the name of the application service to which this object
	    belongs. The default value is none.

	    Note: If the strict-updates option is enabled on the application
	    service that owns the object, you cannot modify or delete this
	    object. Only the application service can modify or delete this
	    object.

       backup-members
	    Specifies the translation IP addresses available in the backup
	    pool, which is used when a deterministic (DNAT) translation fails
	    and the pool falls back to NAPT mode. This is a collection of IP
	    prefixes with their prefix lengths.

       client-connection-limit
	    The maximum number of simultaneous translated connections a client
	    or subscriber is allowed to have.

       description
	    User defined description.

       egress-interfaces
	    The set of interfaces on which the source address translation is
	    allowed or disallowed.  If egress-interfaces-enabled is specified,
	    the source address translation is allowed only on the specified
	    set of interfaces. If egress-interfaces-disabled is specified,
	    source address translation is disabled on specified interfaces.

       egress-interfaces-disabled
	    Source address translation is not allowed on the interfaces
	    specified in the egress-interfaces set.

       egress-interfaces-enabled
	    Source address translation is allowed on the interfaces specified
	    in the egress-interfaces set.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       hairpin-mode
	    Enable or disable hairpinning for incoming connections.

	    When a client sends a packet to another client in the same private
	    network, hairpin mode sends the packet directly to the destination
	    client's private address; the BIG-IP system immediately translates
	    the packet's public-side destination address. Rather than going
	    out to the public network and coming back later for translation,
	    the packet takes a hairpin turn at the BIG-IP device.

       icmp-echo
	    Enable or disable ICMP echo on translated addresses.

       inbound-connections
	    Modifies the inbound-connection mode for incoming connections to
	    translation endpoints. A translation endpoint is the public-side
	    address and port (X':x') for a private-side address (X:x). You can
	    allow one of three algorithms for managing inbound connections:

	    Automatic
		 creates inbound mappings automatically from outbound traffic
		 and allows inbound connections. Consider an outbound mapping
		 from X:x to X':x'. If a connection comes from X:x through
		 X':x', the BIG-IP system automatically creates a reverse
		 mapping from X':x' back to X:x. A public-side station can
		 respond through the X':x' address. This allows the BIG-IP
		 system to provide Endpoint Independent Filtering (EIF) as
		 defined in section 5 of RFC 4787.

	    Explicit
		 only allows inbound connections for mappings that are
		 explicitly created by another party, such as iRules or a PCP
		 request. For example, if a PCP request creates a mapping of
		 X:x to X':x' and the client at X:x uses it, an external
		 caller can respond to the client through X':x'. However, if a
		 client at M:m automatically makes a NAT'ed connection through
		 M':m', the BIG-IP does not support an inbound connection from
		 M':m' back to M:m.

	    Disabled
		 disables inbound connections to translation end-points
		 (X':x'). If there is a mapping of X (a private-side IP
		 address) to X' (a public-side IP), connections can only go
		 out from X through X'. If a public-side recipient tries to
		 answer at the client's public-side X' address, the BIG-IP
		 system does not map X' back to X. The inbound connection
		 never happens.

		 Port Control Protocol (PCP) is not supported if you use this
		 setting.

       log-publisher
	    Specify the name of the log publisher which logs translation
	    events. See help sys log-config for more details on the logging
	    sub-system. Use the "sys log-config publisher" component to set up
	    a log publisher.

       log-profile
	    Specify the name of the LSN log profile which controls the logging
	    of translation events. See help ltm lsn-log-profile for more
	    details on the logging profile sub-system. Use the
	    "ltm lsn-log-profile" component to set up an LSN log profile.

       members
	    Specifies the set of translation IP addresses available in the
	    pool. This is a collection of IP prefixes with their prefix
	    lengths. All public-side addresses come from the subnets you enter
	    in this property.

       mode Specifies which kind of translation address mapping is performed
	    when an address is translated. Available options are NAPT,
	    Deterministic, and PBA.

	    NAPT (Network Address Port Translation) assigns translation
		 addresses and ports in round-robin fashion. The algorithm
		 first cycles through translation addresses and then through
		 translation ports.

	    Deterministic
		 (DNAT) is a reversible translation method. A given client
		 address and port always translates to a particular public
		 address and port from the LSN pool. This method has the
		 following restrictions:

		 it is only available for NAT44 translations,
		 it does not support connections through DS-Lite tunnels,
		 subscriber connections must be received over a VLAN with the
		 property cmp-hash set to "source ip",
		 the egress to the Internet must be over a VLAN with the
		 property cmp-hash set to "dest ip",
		 any virtual server ("ltm virtual") that uses this LSN pool
		 must have a source property set to an IP prefix containing
		 fewer than 2^31 addresses. For example, the source cannot be
		 0.0.0.0/0.

	    PBA  (Port Block Allocation) assigns 'blocks' of the translation
		 addresses and ports to individual clients. All client
		 connections are restricted to the allocated port blocks. Only
		 block allocations and deallocations are logged in order to
		 reduce the volume of logs. This method has the following
		 restrictions:

		 subscriber connections must be received over a VLAN with the
		 property cmp-hash set to "source ip",
		 the egress to the Internet must be over a VLAN with the
		 property cmp-hash set to "dest ip".

		 You can access your VLAN configurations through the "net
		 vlan" component. You can find the VLANs used by your virtual
		 server by showing or listing the "ltm virtual" component.

       name Specifies a unique name for the lsn-pool component. This option is
	    required for the commands create, delete, and modify.

       persistence
	    Configure the persistence settings for LSN translation entries.
	    Persistence is the preservation of a public-side IP address for a
	    client from session to session.

       persistence.mode
	    Configure the persistence mode for LSN translation entries. You
	    can enter address, address-port, or none.

	    address
		 causes the BIG-IP software to attempt to keep the IP address
		 persistent but not necessarily the port. If a client's
		 private IP address:port combination is X:x, its public-side
		 address may be X':a in one session, X':b in the next session,
		 X':c in a third session, and so on.

	    address-port
		 causes the BIG-IP software to attempt to keep the IP address
		 and port persistent. If a client's private IP address:port
		 combination is X:x, and its public-side address is X':x' in
		 the first session, it remains X':x' in all future sessions.

		 This is called "Endpoint Independent Mapping" in RFC 4787.

		 This is the only supported setting for PCP, which you
		 configure with the pcp property.

	    none prevents the BIG-IP software from attempting any IP address
		 or port persistence. An address:port combination of X:x is
		 never guaranteed to have the same public-side address or port
		 in two sessions.

       persistence.timeout
	    After the most-recent session where address:port X:x translated to
	    X':x' on the public side, a timer begins. If the timer expires
	    before X:x has another session, X' or x' may be used as the public
	    side of another address:port. Use this parameter to set the
	    timeout (in seconds) for address and port persistence.

       pcp  A Port Control Protocol (PCP) client can set (or at least learn)
	    its own translation (public-side) IP address and/or port. It can
	    also set the address and/or port of a third-party client. PCP is
	    defined in RFC 6887.

       pcp.profile
	    Specifies the PCP profile to use for this LSN pool. This PCP
	    profile defines the settings to use for communication with PCP
	    clients. Use the create ltm profile pcp command to create a new
	    PCP profile.

	    PCP requires a profile (defined with this property) and either a
	    pcp.selfip or a pcp.dslite tunnel where clients can send their PCP
	    requests.

	    If you remove this profile option, you must specifically remove
	    any pcp.selfip or pcp.dslite tunnel, too.

       pcp.selfip
	    Specifies the PCP Server self-IP address for this LSN pool. The
	    virtual server's clients send their PCP packets to this address.
	    Use the create net self command to create a self-IP address, then
	    use that address for this parameter.  Choose a self-IP address in
	    a VLAN that is reachable by the virtual server's clients.

       pcp.dslite
	    Specifies a DS-LITE tunnel for PCP packets. Whenever a client
	    sends a PCP packet through this tunnel, the BIG-IP device uses the
	    PCP profile you choose with the pcp.profile property.

	    A DS-LITE tunnel places each IPv4 packet into the payload of an
	    IPv6 packet.  The IPv6 packet carries the IPv4 packet between
	    customer equipment and the BIG-IP system, which then removes the
	    IPv4 packet, uses NAT to translate its IPv4 addresses, and sends
	    it to its destination.

	    You cannot use this property if the mode property is set to
	    Deterministic.

       port-block-allocation
	    Configures the port block settings for PBA mode.

       port-block-allocation.block-idle-timeout
	    Configures how long the block assignment is kept after the last
	    connection using the block is closed; when this time elapses, the
	    block assignment expires and the block is freed. The default value
	    is 3600 seconds.

       port-block-allocation.block-lifetime
	    Configures the timeout after which the block is no longer used for
	    new port allocations. The block becomes a zombie block. The
	    default is 0 which corresponds to an infinite timeout.

       port-block-allocation.block-size
	    Configures the number of ports in a block. The default value is
	    64.

       port-block-allocation.client-block-limit
	    Configures the number of blocks that can be assigned to a single
	    subscriber IP address. The default value is 1.

       port-block-allocation.zombie-timeout
	    Configures the timeout after which connections still using a
	    zombie block are killed. After the connections are killed, the
	    zombie block is freed after
	    port-block-allocation.block-idle-timeout. This parameter is unused
	    unless port-block-allocation.block-lifetime is set. The default
	    value is 0, which corresponds to an infinite timeout.
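       As an added example (not from the F5 manual or BIG-IP code), the
       following Python model sizes the pool from the EXAMPLES section
       (members 10.10.10.0/24 and 10.10.20.0/24, translation-port-range
       4000:5000) as if it ran in PBA mode with the default block-size and
       client-block-limit, and shows a subscriber being refused once it
       holds its block limit. The class name, the assumption that every
       address in a member prefix is usable, and the allocation order are
       assumptions made for the model.

```python
"""Capacity model for a BIG-IP LSN pool in PBA (Port Block Allocation) mode.
Hypothetical model written for this page, not F5 code: it enumerates the
port blocks a pool can hand out and enforces client-block-limit so a pool
can be sized before a subscriber surge exhausts it."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PbaPool:
    members: list                 # translation prefixes, as in the tmsh members option
    port_low: int                 # translation-port-range low end
    port_high: int                # translation-port-range high end (inclusive)
    block_size: int = 64          # port-block-allocation.block-size default
    client_block_limit: int = 1   # port-block-allocation.client-block-limit default
    _free: list = field(default_factory=list)
    _assigned: dict = field(default_factory=dict)   # subscriber -> [(addr, lo, hi)]

    def __post_init__(self):
        # Every address in each member prefix (assumption: including the first
        # and last address) contributes floor(ports / block_size) whole blocks;
        # ports left over at the top of the range cannot form a block.
        for prefix in self.members:
            for addr in ipaddress.ip_network(prefix):
                lo = self.port_low
                while lo + self.block_size - 1 <= self.port_high:
                    self._free.append((str(addr), lo, lo + self.block_size - 1))
                    lo += self.block_size

    def total_blocks(self):
        return len(self._free) + sum(len(b) for b in self._assigned.values())

    def max_subscribers(self):
        # Each subscriber may hold at most client-block-limit blocks at once.
        return self.total_blocks() // self.client_block_limit

    def allocate(self, subscriber):
        """Assign one more (addr, lo, hi) block to subscriber, or None if refused."""
        held = self._assigned.setdefault(subscriber, [])
        if len(held) >= self.client_block_limit or not self._free:
            return None   # limit reached or pool exhausted: new block is refused
        block = self._free.pop(0)   # assumption: lowest address and port first
        held.append(block)
        return block

    def release(self, subscriber):
        """Free every block held by a subscriber (block-idle-timeout elapsed)."""
        self._free.extend(self._assigned.pop(subscriber, []))
```

       With these settings each address yields 15 blocks of 64 ports (41
       ports of the range go unused), 7680 blocks in all, so a pool sized for
       NAPT serves far fewer subscribers once it is switched to PBA.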

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       route-advertisement
	    Specifies whether route advertisement is enabled or disabled for
	    translated IP addresses.

       translation-port-range
	    Specifies the range of port numbers available for use with
	    translation IP addresses.

SEE ALSO
       ltm profile pcp, ltm virtual, net self, net vlan, create, delete, edit,
       glob, list, ltm, modify, regex, reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights
       reserved.



BIG-IP				  2016-03-14		       ltm lsn-pool(1)