
Hyperscale Firewall Guide

Displaying IP pool usage information

Use the following diagnose commands from a hyperscale firewall VDOM to display details about CGN IP pools including client IP addresses, PBA blocks, and public IP addresses currently in use.

diagnose firewall ippool {list {pba | nat-ip | user} | stats | get-priv | get-pub | get-pub6}

diagnose firewall ippool get-priv <public-ipv4> [<public-port>]

diagnose firewall ippool get-pub <private-ipv4>

diagnose firewall ippool get-pub6 <private-ipv6>

diagnose firewall ippool {list {pba | nat-ip | user} | stats}

stats lists the total number of CGN IP pools that have been allocated, and the number of currently active client IP addresses, NAT IP addresses, and PBA blocks.

pba lists the currently active source addresses of CGN clients and the PBA blocks assigned to them.

user lists the currently active source addresses of CGN clients and the number of PBA blocks assigned to them.

nat-ip lists the currently active public IP addresses and the number of PBA blocks and user sessions connected to each public IP.

get-priv <public-ipv4> [<public-port>] queries the private (client-side) information for a public IPv4 address and, optionally, a port number.

get-pub <private-ipv4> queries the public information for a private IPv4 address.

get-pub6 <private-ipv6> queries the public information for a private IPv6 address.

diagnose firewall ippool list

Use diagnose firewall ippool list with no options to display the names, configuration details and current usage information for all of the CGN and non-CGN IP pools in the current VDOM.

For CGN IP pools that have been added to hyperscale firewall policies, IP pool usage information consists of two parts:

  • Kernel firewall usage information (basically placeholder information that doesn't represent actual CGN IP pool usage).

  • NP7 hyperscale firewall policy engine (or PLE) usage information (actual CGN IP pool usage information).

If a CGN IP pool has not been added to a hyperscale firewall policy, then only the kernel firewall information is shown.

The following example includes a CGN IP pool named test-cgn-pba-1 that has been added to a hyperscale firewall policy. The first five lines of output contain configuration and kernel firewall usage information. The final four lines of output, beginning with grp=N/A, are NP7 hyperscale firewall policy engine (or PLE) usage information. These final four lines contain the correct usage information for the CGN IP pool.

The IP pool in the example named test-cgn-opba-1 has not been added to a hyperscale firewall policy and only contains configuration and kernel firewall usage information.

diagnose firewall ippool list
list ippool info:(vf=cgn-hw1)
ippool test-cgn-pba-1: id=1, block-sz=64, num-block=8, fixed-port=no, use=4
        ip-range=172.16.201.181-172.16.201.182 start-port=5117, num-pba-per-ip=944
        clients=1, inuse-NAT-IPs=1
        total-PBAs=1888, inuse-PBAs=1, expiring-PBAs=0, free-PBAs=99.95%
        allocate-PBA-times=1, reuse-PBA-times=0
        grp=N/A, start-port=8117, end-port=8629
        npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=2
        npu-total-PBAs=16, npu-inuse-PBAs=4/0, npu-free-PBAs=75.00%/100.00%
        npu-tcp-sess-count=256, npu-udp-sess-count=0
ippool test-cgn-opba-1: id=2, block-sz=256, num-block=8, fixed-port=no, use=2
        ip-range=172.16.201.183-172.16.201.184 start-port=5117, num-pba-per-ip=236
        clients=0, inuse-NAT-IPs=0
        total-PBAs=472, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
        allocate-PBA-times=0, reuse-PBA-times=0

The following example shows two CGN IP pools named cgn-pool1 and cgn-pool2 that have been added to a CGN IP pool group named cgn_pool_grp1. The information displayed for the IP pools in the group is the same as is displayed for individual IP pools, except that the grp field includes an IP pool group name.

Also, the usage information displayed for each IP pool in the group is the usage information for the entire IP pool group, not for that individual IP pool. As a result, every member of the group shows the same usage figures, and those figures should be read once per group rather than added up across the members.

F2K61F-TIGER-194-31 (global) # sudo cgn-hw1 diagnose firewall ippool list
list ippool info:(vf=cgn-hw1)
ippool cgn-pool1: id=1, block-sz=64, num-block=8, fixed-port=no, use=2
	ip-range=203.0.113.2-203.0.113.3 start-port=5117, num-pba-per-ip=944
	clients=0, inuse-NAT-IPs=0
	total-PBAs=1888, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
	allocate-PBA-times=10, reuse-PBA-times=0
	grp=cgn_pool_grp1, start-port=5117, end-port=65530
	npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=0
	npu-total-PBAs=0, npu-inuse-PBAs=16/0, npu-free-PBAs=0.00%/-nan%
	npu-tcp-sess-count=1024, npu-udp-sess-count=0
ippool cgn-pool2: id=2, block-sz=64, num-block=8, fixed-port=no, use=2
	ip-range=203.0.113.4-203.0.113.5 start-port=5117, num-pba-per-ip=944
	clients=0, inuse-NAT-IPs=0
	total-PBAs=1888, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
	allocate-PBA-times=0, reuse-PBA-times=0
	grp=cgn_pool_grp1, start-port=5117, end-port=65530
	npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=0
	npu-total-PBAs=0, npu-inuse-PBAs=16/0, npu-free-PBAs=0.00%/-nan%
	npu-tcp-sess-count=1024, npu-udp-sess-count=0
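When this output is collected programmatically (for capacity monitoring or for checking what a CGN pool is actually translating), the kernel lines and the NP7 PLE lines need to be kept apart, and pool-group members must not be summed. The following Python example is added here and is not Fortinet code or part of this guide: it parses the text of diagnose firewall ippool list into the two sections described above, treating the grp= line as the start of the NP7 section, reports utilization from the npu fields only, and counts each pool group once. The sample text is constructed to match the format shown above, and the field names are the ones that appear in that output.

```python
# Added example, not Fortinet code: split `diagnose firewall ippool list` output
# into kernel and NP7 (PLE) sections. Sample text is constructed from the guide's format.
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the output above (not a live capture).
SAMPLE_LIST = """\
list ippool info:(vf=cgn-hw1)
ippool test-cgn-pba-1: id=1, block-sz=64, num-block=8, fixed-port=no, use=4
        ip-range=172.16.201.181-172.16.201.182 start-port=5117, num-pba-per-ip=944
        clients=1, inuse-NAT-IPs=1
        total-PBAs=1888, inuse-PBAs=1, expiring-PBAs=0, free-PBAs=99.95%
        allocate-PBA-times=1, reuse-PBA-times=0
        grp=N/A, start-port=8117, end-port=8629
        npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=2
        npu-total-PBAs=16, npu-inuse-PBAs=4/0, npu-free-PBAs=75.00%/100.00%
        npu-tcp-sess-count=256, npu-udp-sess-count=0
ippool test-cgn-opba-1: id=2, block-sz=256, num-block=8, fixed-port=no, use=2
        ip-range=172.16.201.183-172.16.201.184 start-port=5117, num-pba-per-ip=236
        clients=0, inuse-NAT-IPs=0
        total-PBAs=472, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
        allocate-PBA-times=0, reuse-PBA-times=0
"""

# Constructed sample of two pools in one IP pool group (kernel lines trimmed).
SAMPLE_GROUP = """\
list ippool info:(vf=cgn-hw1)
ippool cgn-pool1: id=1, block-sz=64, num-block=8, fixed-port=no, use=2
        grp=cgn_pool_grp1, start-port=5117, end-port=65530
        npu-total-PBAs=0, npu-inuse-PBAs=16/0, npu-free-PBAs=0.00%/-nan%
ippool cgn-pool2: id=2, block-sz=64, num-block=8, fixed-port=no, use=2
        grp=cgn_pool_grp1, start-port=5117, end-port=65530
        npu-total-PBAs=0, npu-inuse-PBAs=16/0, npu-free-PBAs=0.00%/-nan%
"""

HDR_RE = re.compile(r"^ippool (\S+): (.*)$")
KV_RE = re.compile(r"([\w-]+)=([^\s,]+)")


@dataclass
class Pool:
    name: str
    kernel: dict = field(default_factory=dict)  # kernel firewall fields (placeholder for CGN pools)
    npu: dict = field(default_factory=dict)     # NP7 PLE fields; empty if not in a hyperscale policy

    @property
    def in_hyperscale_policy(self) -> bool:
        return bool(self.npu)

    @property
    def group(self):
        """IP pool group name from the grp field; None for grp=N/A or no NPU section."""
        g = self.npu.get("grp")
        return None if g in (None, "N/A") else g

    def npu_pba_utilization(self):
        """Fraction of NP7 PBAs in use (first figure of npu-inuse-PBAs); None without NPU data or total 0."""
        if not self.npu:
            return None
        total = int(self.npu["npu-total-PBAs"])
        if total == 0:  # pool-group members report 0 here (shown as -nan%)
            return None
        return int(self.npu["npu-inuse-PBAs"].split("/")[0]) / total


def parse_ippool_list(text):
    """Split the listing into Pool objects; the grp= line starts the NP7 section."""
    pools, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR_RE.match(line)
        if m:
            cur = Pool(m.group(1))
            pools.append(cur)
            section = cur.kernel
            section.update(KV_RE.findall(m.group(2)))
            continue
        if cur is None or not line:
            continue
        if line.startswith("grp="):
            section = cur.npu
        section.update(KV_RE.findall(line))
    return pools


def group_members(pools):
    """Map each IP pool group name to the names of the pools in it."""
    groups = {}
    for p in pools:
        if p.group:
            groups.setdefault(p.group, []).append(p.name)
    return groups


def npu_inuse_pbas(pools):
    """Total NP7 PBAs in use, counting each group once (members all show the group-wide figure)."""
    total, seen = 0, set()
    for p in pools:
        if not p.in_hyperscale_policy:
            continue
        key = p.group or p.name
        if key not in seen:
            seen.add(key)
            total += int(p.npu["npu-inuse-PBAs"].split("/")[0])
    return total
```

parse_ippool_list(SAMPLE_LIST) yields a pool with both sections and a pool with only kernel fields; npu_inuse_pbas returns 4 for the first sample and 16 (not 32) for the group sample, because both members carry the group's figure.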

diagnose firewall ippool list pba

This command lists the PBAs in the IP pools in the current VDOM. For each IP pool, the command lists one line per PBA showing the client IP, NAT IP, NAT port range, port block index (idx), and a kernel reference counter (use). The final line of the command output shows the number of PBAs allocated by NP7 processors for this VDOM.

diag firewall ippool list pba
user 10.1.100.200: 172.16.201.181 8117-8180, idx=0, use=1
user 10.1.100.200: 172.16.201.181 8181-8244, idx=1, use=1
user 10.1.100.200: 172.16.201.181 8245-8308, idx=2, use=1
user 10.1.100.200: 172.16.201.181 8309-8372, idx=3, use=1
Total pba in NP: 4

diagnose firewall ippool list nat-ip

This command lists the NAT IPs in use in the VDOM. For each NAT IP, the command shows the number of PBAs allocated for the NAT IP and the number of PBAs in use:

diag firewall ippool list nat-ip
NAT-IP 172.16.201.181: pba=8, use=4
Total nat-ip in NP: 1

diagnose firewall ippool list user

This command lists all of the user IP addresses allocated by NP7 processors for the current VDOM. For each user IP address, the command lists the number of PBAs assigned to the user IP and the number of PBAs being used. The final line of the command output shows the total number of user IPs in use for the current VDOM.

diagnose firewall ippool list user
User-IP 100.64.0.2: pba=1, use=1
User-IP 100.64.0.3: pba=1, use=1
User-IP 100.64.0.4: pba=1, use=1
User-IP 100.64.0.5: pba=1, use=1
User-IP 100.64.0.8: pba=1, use=1
User-IP 100.64.0.9: pba=1, use=1
…
User-IP 100.64.3.229: pba=1, use=1
User-IP 100.64.3.241: pba=1, use=1
User-IP 100.64.3.252: pba=1, use=1
User-IP 100.64.3.253: pba=1, use=1
Total user in NP: 218
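The pba, nat-ip and user listings are three views of the same NP7 state, so they can be checked against each other and against the pool's block-sz. The following Python example is added here and is not Fortinet code or part of this guide: it parses the three listings, verifies that every port block has the configured width and that no two blocks on one NAT IP overlap (two clients sharing a public IP and a port range would be a translation integrity problem worth investigating), and confirms that the per-NAT-IP and per-user use counts and the Total trailers agree with the number of pba lines. The sample lines are constructed to match the formats above, with the user listing written to be consistent with the pba listing.

```python
# Added example, not Fortinet code: cross-check `list pba`, `list nat-ip` and `list user` output.
import re
from collections import Counter, defaultdict

# Constructed sample output modelled on the listings above (made consistent with each other).
PBA_OUT = """\
user 10.1.100.200: 172.16.201.181 8117-8180, idx=0, use=1
user 10.1.100.200: 172.16.201.181 8181-8244, idx=1, use=1
user 10.1.100.200: 172.16.201.181 8245-8308, idx=2, use=1
user 10.1.100.200: 172.16.201.181 8309-8372, idx=3, use=1
Total pba in NP: 4
"""
NATIP_OUT = """\
NAT-IP 172.16.201.181: pba=8, use=4
Total nat-ip in NP: 1
"""
USER_OUT = """\
User-IP 10.1.100.200: pba=4, use=4
Total user in NP: 1
"""
# Constructed bad case: two clients holding overlapping port blocks on one NAT IP.
BAD_PBA_OUT = """\
user 10.1.100.200: 172.16.201.181 8117-8180, idx=0, use=1
user 10.1.100.201: 172.16.201.181 8150-8213, idx=0, use=1
Total pba in NP: 2
"""

PBA_RE = re.compile(r"^user (\S+): (\S+) (\d+)-(\d+), idx=(\d+), use=(\d+)$")
NATIP_RE = re.compile(r"^NAT-IP (\S+): pba=(\d+), use=(\d+)$")
USER_RE = re.compile(r"^User-IP (\S+): pba=(\d+), use=(\d+)$")
TOTAL_RE = re.compile(r"^Total \S+ in NP: (\d+)$")


def parse_pba(text):
    """Return ([block dicts], trailer total) from `list pba` output."""
    blocks, total = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = PBA_RE.match(line)
        if m:
            user, nat, lo, hi, idx, use = m.groups()
            blocks.append({"user": user, "nat_ip": nat, "lo": int(lo), "hi": int(hi),
                           "idx": int(idx), "use": int(use)})
        elif TOTAL_RE.match(line):
            total = int(TOTAL_RE.match(line).group(1))
    return blocks, total


def parse_counts(text, pattern):
    """Return ({ip: (pba, use)}, trailer total) from `list nat-ip` or `list user` output."""
    rows, total = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = pattern.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif TOTAL_RE.match(line):
            total = int(TOTAL_RE.match(line).group(1))
    return rows, total


def check_pba_blocks(blocks, block_sz):
    """Findings: a block whose width differs from block-sz, or two blocks on one NAT IP that overlap."""
    findings, by_nat = [], defaultdict(list)
    for b in blocks:
        width = b["hi"] - b["lo"] + 1
        if width != block_sz:
            findings.append(f"{b['nat_ip']} {b['lo']}-{b['hi']}: width {width} != block-sz {block_sz}")
        by_nat[b["nat_ip"]].append(b)
    for nat, lst in by_nat.items():
        lst.sort(key=lambda b: b["lo"])
        for a, c in zip(lst, lst[1:]):
            if c["lo"] <= a["hi"]:
                findings.append(f"{nat}: {a['lo']}-{a['hi']} ({a['user']}) overlaps "
                                f"{c['lo']}-{c['hi']} ({c['user']})")
    return findings


def cross_check(pba_text, natip_text, user_text):
    """Findings where the three listings disagree with each other or with their Total trailers."""
    blocks, pba_total = parse_pba(pba_text)
    natips, natip_total = parse_counts(natip_text, NATIP_RE)
    users, user_total = parse_counts(user_text, USER_RE)
    findings = []
    if pba_total != len(blocks):
        findings.append(f"Total pba in NP {pba_total} != {len(blocks)} pba lines")
    if natip_total != len(natips):
        findings.append(f"Total nat-ip in NP {natip_total} != {len(natips)} NAT-IP lines")
    if user_total != len(users):
        findings.append(f"Total user in NP {user_total} != {len(users)} User-IP lines")
    per_nat = Counter(b["nat_ip"] for b in blocks)
    for ip, (_pba, use) in natips.items():
        if per_nat.get(ip, 0) != use:
            findings.append(f"NAT-IP {ip}: use={use} but {per_nat.get(ip, 0)} pba lines")
    per_user = Counter(b["user"] for b in blocks)
    for ip, (_pba, use) in users.items():
        if per_user.get(ip, 0) != use:
            findings.append(f"User-IP {ip}: use={use} but {per_user.get(ip, 0)} pba lines")
    return findings
```

check_pba_blocks(parse_pba(PBA_OUT)[0], 64) returns no findings because each block spans exactly 64 ports and the blocks on 172.16.201.181 are contiguous without overlap; the same blocks checked against block_sz=256 produce four width findings, and BAD_PBA_OUT produces one overlap finding. cross_check returns an empty list for the consistent samples and one finding if, for example, the NAT-IP use count does not match the number of pba lines.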
