Chapter 17: Access Control List Configuration Guide

266 SmartSwitch Router User Reference Manual

See “Limiting Traffic Rate” on page 291 for more information on using the rate-limit command.

Using Profile ACLs with Dynamic NAT

Network Address Translation (NAT) allows you to map an IP address used within one network to a different IP address used within another network. NAT is often used to map addresses used in a private, local intranet to one or more addresses used in the public, global Internet.

The SSR supports two kinds of NAT: static NAT and dynamic NAT. With dynamic NAT, an IP address within a range of local IP addresses is mapped to an IP address within a range of global IP addresses. For example, you can configure IP addresses on network 10.1.1.0/24 to use an IP address in the range of IP addresses in network 192.50.20.0/24. You can use a Profile ACL to define the ranges of local IP addresses.

The following command creates a Profile ACL called local. The local profile specifies as its selection criteria the range of IP addresses in network 10.1.1.0/24.

    ssr(config)# acl local permit ip 10.1.1.0/24

Note: When a Profile ACL is defined for dynamic NAT, only the source IP address field in the acl statement is evaluated. All other fields in the acl statement are ignored.

Once you have defined a Profile ACL, you can then use the nat create dynamic command to bind the range of IP addresses defined in the local profile to a range in network 192.50.20.0/24.

    ssr(config)# nat create dynamic local-acl-pool local global-pool 192.50.20.10/24

See “Network Address Translation Configuration Guide” on page 223 for more information on using dynamic NAT.

Using Profile ACLs with the Port Mirroring Facility

Port mirroring refers to the SSR’s ability to copy traffic on one or more ports to a “mirror” port, where an external analyzer or probe can be attached. In addition to mirroring traffic on one or more ports, the SSR can mirror traffic that matches selection criteria defined in a Profile ACL.

For example, you can mirror all IGMP traffic on the SSR. You use a Profile ACL to define the selection criteria (in this example, all IGMP traffic). Then you use a port mirroring command to copy packets that match the selection criteria to a specified mirror port. The following commands illustrate this example.
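Returning to the note in the dynamic NAT section (only the source IP address field of a Profile ACL is evaluated): the Python model below is an added illustration, not SSR code or part of the manual, showing that a profile written narrowly still causes every packet from the source range to be translated. The class names, the sample packets and the first-free allocation order are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class ProfileAcl:                 # hypothetical model of one "acl <name> permit ..." line
    proto: str                    # "ip" means any protocol
    src: str                      # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    dport: Optional[int] = None   # None means any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def full_match(acl: ProfileAcl, pkt: Packet) -> bool:
    """What an administrator might expect: every field is compared."""
    return (acl.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ip_network(acl.src)
            and ip_address(pkt.dst) in ip_network(acl.dst)
            and acl.dport in (None, pkt.dport))

def nat_profile_match(acl: ProfileAcl, pkt: Packet) -> bool:
    """What the note describes for dynamic NAT: source address only."""
    return ip_address(pkt.src) in ip_network(acl.src)

class DynamicNat:
    def __init__(self, acl: ProfileAcl, global_pool: str):
        self.acl = acl
        # strict=False reads 192.50.20.10/24 as network 192.50.20.0/24
        self.free = list(ip_network(global_pool, strict=False).hosts())
        self.bindings = {}

    def translate(self, pkt: Packet) -> Optional[str]:
        """Return the global source address, or None if not translated."""
        if not nat_profile_match(self.acl, pkt):
            return None
        if pkt.src not in self.bindings:
            if not self.free:
                return None       # pool exhausted (assumed behaviour)
            self.bindings[pkt.src] = str(self.free.pop(0))  # assumed order
        return self.bindings[pkt.src]

# Constructed sample data: a profile that looks like "web traffic only".
ACL = ProfileAcl("tcp", "10.1.1.0/24", dport=80)
WEB = Packet("tcp", "10.1.1.5", "198.51.100.7", 80)
SSH = Packet("tcp", "10.1.1.5", "198.51.100.7", 22)
OUTSIDE = Packet("tcp", "10.2.0.9", "198.51.100.7", 80)
```

When reviewing a dynamic NAT configuration, read the bound profile as its source prefix alone and treat any protocol or port qualifiers in it as having no effect on what is translated.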