VPF Tables¶
VPF tables are collections of networks which allow VPF Filter Rules and VPF NAT Rules to act on groups of networks in a single rule using a custom name, allowing for simpler and more descriptive rulesets. Tables also make it easy to update addresses and networks in one place rather than having to edit multiple rules.
Each table contains one or more prefix entries, which can be a single IP address or an entire subnet.
Table Management¶
To create a new table, run the vpf table <name> command in config mode,
which enters config-vpf-table mode.
The following commands are available inside config-vpf-table mode:
- description <text>:
Adds a optional description for the table, such as an explanation of its contents or purpose.
- prefix <ip-prefix>:
Defines an IP prefix to include in this table. Each prefix is composed of an IPv4 or IPv6 address and a CIDR mask/prefix length. For example,
10.0.0.0/8orff00::/8.To define a single host, use a
/32CIDR for IPv4 or a/128prefix length for IPv6.Warning
When defining a network, use an appropriate network boundary as the starting address. For example, to define a prefix for an IPv4 network including the address
10.1.2.1/24, the prefix must be defined using the network address of that subnet,10.1.2.0/24.Warning
A table cannot contain overlapping prefixes. Ensure each entry is distinct and has the correct prefix length.
Example¶
A table to cover private network IP addresses:
tnsr(config)# vpf table PrivateNets
tnsr(config-vpf-table)# description Private IPv4 Networks
tnsr(config-vpf-table)# prefix 10.0.0.0/8
tnsr(config-vpf-table)# prefix 172.16.0.0/12
tnsr(config-vpf-table)# prefix 192.168.0.0/16
tnsr(config-vpf-table)# exit
A table with multiple single IP addresses:
tnsr(config)# vpf table ExternalNAT
tnsr(config-vpf-table)# prefix 203.0.113.230/32
tnsr(config-vpf-table)# prefix 203.0.113.231/32
tnsr(config-vpf-table)# prefix 203.0.113.232/32
tnsr(config-vpf-table)# exit