Ipv6 NAT-PT Transition

NAT-PT method allow IPv6 ONLY nodes to communicate with IPv4 ONLY nodes or vice versa, a sort of gateway for IPv4/IPv6 networks, so dual stack is needed ONLY the NAT-PT device.

This Transition method can be a good solution when IPv6 will be the predominant connectivity type with a need to connect to specific IPv4 nodes in their way to die out.

Depending on your needs you can use NAT-PT in four different ways (similar to NAT for IPv4):

- Static NAT-PT.

- Dynamic NAT-PT.

- PAT overload.

- IPv4-mapped.

Also an example of NAT-PT with ALG (Application Layer Gateway) is provided.

 

In this lab, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mapped NAT-prefix)

 

Figure 1 illustrate the Lab topology used to test each of the previously mentioned NAT-PT methods.

 

Figure 1 Topology:

 

 

So if you have an internal IPv6-only network, and you want to communicate with the outside world (IPv4-ONLY), all hosts will see the outside world as IPv6; also the outside world will have no idea about what is happening inside (figure 2,3).

Both networks route their traffic to the Border router (NAT gateway) supporting dual-stack, where translation from IPv6 to IPv4 and IPv4 to IPv6 will be performed.

 

Figure 2: The network as seen from IPv4 side.

 

Figure 3: The network as seen from IPv6 side

 

 

The key concept in Translation is how the IPv6 site will see IPv4 nodes, and how IPv4 site will see IPv6 nodes (figure2 & 3)

 

 

STATIC NAT-PT

Table 1 :v6v4 Address translation

v6v4	IPv6 network IPv6	IPv6 nodes as seen by IPv4 network	IPv4
	2001:a:b:c::1/64	====> will be seen as	192.168.40.1
	2001:a:b:c::2/64	====> will be seen as	192.168.40.2
	2001:a:b:c::3/64	====> will be seen as	192.168.40.3

So any traffic originated from 2001:a:b:c::
will trigger v6v4 operations. (figure4)

The prefix 2001:a:b:c:: represent IPv6 address scheme inside IPv6 site.

 

Table 2 :v4v6 Address translation

v4v6	IPv4 node	IPv4 nodes as seen by IPv6 network	IPv6 network IPv6
	192.168.40.200	====> will be seen as	2001::c018:28c8/96

 

c018:28c8 Is the representation of IPv4 address in Hexadecimal.

The prefix 2001::/96

is called NAT-PT prefix and represent IPv6 address prefix reserved for IPv4 nodes from the IPv4 site as seen from the IPv6 site, it could be part of the IPv6 site address scheme or a different prefix allocated from the ISP for the subject in matter.

Any IPv4 node will be represented inside IPv6 site as <NAT-PT-prefix>::<IPv4-in-hex>

So any traffic destined to an IPv6 address with <NAT-PT-prefix> will trigger v4v6 operations. (figure4)

As mentioned earlier, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mapped NAT-prefix).

Figure 4: v6v4 & v4v6 operations

 

Static NAT-PT:

!! This is the IPv6 side interface interface FastEthernet0/0 no ip address ipv6 address 2001:A:B:C::4/64 !! Enable IPv6 NAT ipv6 nat ! !! This is the IPv4 side interface interface FastEthernet1/0 ip address 192.168.40.199 255.255.255.0 !! Enable IPv6 NAT ipv6 nat ! ! !! any IPv6 packet with destination 2001::c0a8:28c8 will be translated to an IPv4 destination !!192.168.40.200 ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8 !! any IPv6 packet with IPv6 source address 2001:a:b:c:X with X=1,2,3 will be translated to an IPv4 source address 192.168.40.X with X=1,2,3 respectively. ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1 ipv6 nat v6v4 source 2001:A:B:C::2 192.168.40.2 ipv6 nat v6v4 source 2001:A:B:C::3 192.168.40.3 !! IPv6 prefix 2001::/96 is allocated to represent IPv4 addresses in IPv6 format and will be inspected by NAT-PT otherwise dropped ipv6 nat prefix 2001::/96

 

connectivity check:

Routerv6_1#ping 2001::C0A8:28C8 repeat 3   Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 72/80/88 ms Routerv6_1#   Routerv6_2#ping 2001::C0A8:28C8 repeat 3   Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 60/125/164 ms Routerv6_2#   Routerv6_3#ping 2001::C0A8:28C8 repeat 3   Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 88/134/208 ms Routerv6_3#

 

Each traffic from each IPv6 host is translated according to the configured static NAT-PT

NAT-PT# *Mar 1 04:18:57.446: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:18:57.502: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) *Mar 1 04:18:57.554: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:18:57.634: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) *Mar 1 04:18:57.662: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:18:57.682: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) NAT-PT#

 

NAT-PT(config)# *Mar 1 04:25:50.854: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:25:50.962: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) *Mar 1 04:25:51.022: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:25:51.038: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) *Mar 1 04:25:51.086: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:25:51.178: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) NAT-PT(config)#

 

NAT-PT(config)# *Mar 1 04:26:13.274: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:26:13.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) *Mar 1 04:26:13.398: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:26:13.470: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) *Mar 1 04:26:13.494: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:26:13.570: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) NAT-PT(config)#

 

NAT-PT#sh ipv6 nat translations Prot IPv4 source IPv6 source IPv4 destination IPv6 destination — — — 192.168.40.200 2001::C0A8:28C8   — 192.168.40.1 2001:A:B:C::1 192.168.40.200 2001::C0A8:28C8   — 192.168.40.1 2001:A:B:C::1 — —   NAT-PT#

 

DYNAMIC NAT-PT

With Dynamic translation a specific IPv6 prefix will be translated to a pool of IPv4 address as the source address; and the destination is translated to the static v4v6 entry.

Table 3 :v6v4 Address translation

v6v4	IPv6 network IPv6	IPv6 nodes as seen by IPv4 network	IPv4
	Any 2001:a:b:c::/64 node (3 nodes in our case)	====> will be represented by	192.168.40.1
			192.168.40.2
			192.168.40.3

Any traffic originated from 2001:a:b:c::/64
will trigger v6v4 operations.

Because there is 3 IPv6 nodes and 3 IPv4 addresses a one-to-one translation will occur

Table 4 :v4v6 Address translation

v4v6	IPv4 node	IPv4 nodes as seen by IPv6 network	IPv6 network IPv6
	192.168.40.200	====> will be seen as	2001::c018:28c8/96

 

interface FastEthernet0/0 no ip address ipv6 address 2001:A:B:C::4/64 ipv6 nat ! interface FastEthernet1/0 ip address 192.168.40.199 255.255.255.0 ipv6 nat   ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8 ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool ipv6 nat v6v4 pool ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24 ipv6 nat prefix 2001::/96 ! ipv6 access-list list_to-ipv4 permit ipv6 2001:A:B:C::/64 any

 

Connectivity check:

NAT-PT(config)#do sh ipv6 nat trans Prot IPv4 source IPv6 source IPv4 destination IPv6 destination — — — 192.168.40.200 2001::C0A8:28C8   — 192.168.40.1 2001:A:B:C::1 192.168.40.200 2001::C0A8:28C8   — 192.168.40.1 2001:A:B:C::1 — —   — 192.168.40.2 2001:A:B:C::2 192.168.40.200 2001::C0A8:28C8   — 192.168.40.2 2001:A:B:C::2 — —   — 192.168.40.3 2001:A:B:C::3 192.168.40.200 2001::C0A8:28C8   — 192.168.40.3 2001:A:B:C::3 — —   NAT-PT(config)#

 

NAT-PT(config)#do sh ipv6 nat stat Total active translations: 7 (-5 static, 12 dynamic; 0 extended) NAT-PT interfaces: FastEthernet0/0, FastEthernet1/0, NVI0 Hits: 0 Misses: 0 Expired translations: 0 NAT-PT(config)#

 

debug:

NAT-PT(config)# *Mar 1 04:44:15.454: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:15.586: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) *Mar 1 04:44:15.650: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:15.730: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) *Mar 1 04:44:15.794: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:15.810: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1) NAT-PT(config)# NAT-PT(config)# NAT-PT(config)# *Mar 1 04:44:29.122: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:29.230: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) *Mar 1 04:44:29.262: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:29.326: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) *Mar 1 04:44:29.386: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:29.410: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2) NAT-PT(config)# NAT-PT(config)# NAT-PT(config)# *Mar 1 04:44:42.434: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:42.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) *Mar 1 04:44:42.546: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:42.574: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) *Mar 1 04:44:42.622: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:44:42.678: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3) NAT-PT(config)#

 

PAT NAT-PT

Table 5 :v6v4 Address translation

v6v4	IPv6 network IPv6	IPv6 nodes as seen by IPv4 network	IPv4
	Any 2001:a:b:c::/64 node (3 nodes in our case)	====> will be represented by	192.168.40.199

Any traffic originated from 2001:a:b:c::/64
will trigger v6v4 operations. and will be translated to the unique IPv4 outbound interface

Table 6 :v4v6 Address translation

v4v6	IPv4 node	IPv4 nodes as seen by IPv6 network	IPv6 network IPv6
	192.168.40.200	====> will be seen as	2001::c018:28c8/96

We’re still communicating to IPv4 node 192.168.40.200 represented by 2001::c018:28c8/96

By the way, IOS will not allow you to disable configured commands if their corresponding translations are still active, so you have to clear all translation entries before making any changes in the configuration.

 

NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool NAT-PT(config)#$ ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24 %Pool ipv4_pool in use, cannot destroy NAT-PT(config)# *Mar 1 04:56:14.094: %Dynamic mapping in use, cannot remove NAT-PT(config)#do clear ipv6 nat trans * NAT-PT(config)# NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool NAT-PT(config)#no ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24 NAT-PT(config)#

 

interface FastEthernet0/0 no ip address ipv6 address 2001:A:B:C::4/64 ipv6 nat ! interface FastEthernet1/0 ip address 192.168.40.199 255.255.255.0 ipv6 nat   ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8 ipv6 nat v6v4 source list list_to-ipv4 interface overload ipv6 nat prefix 2001::/96 ! ipv6 access-list list_to-ipv4 permit ipv6 2001:A:B:C::/64 any

 

NAT-PT(config)#do sh ipv6 nat translation Prot IPv4 source IPv6 source IPv4 destination IPv6 destination — — — 192.168.40.200 2001::C0A8:28C8   icmp 192.168.40.199,7704 2001:A:B:C::1,7704 192.168.40.200,7704 2001::C0A8:28C8,7704   icmp 192.168.40.199,7126 2001:A:B:C::2,7126 192.168.40.200,7126 2001::C0A8:28C8,7126   icmp 192.168.40.199,9979 2001:A:B:C::3,9979 192.168.40.200,9979 2001::C0A8:28C8,9979   NAT-PT(config)#

 

NAT-PT(config)#do sh ipv6 nat stat Total active translations: 4 (-5 static, 9 dynamic; 3 extended) NAT-PT interfaces: FastEthernet0/0, FastEthernet1/0, NVI0 Hits: 0 Misses: 0 Expired translations: 0 NAT-PT(config)#

 

NAT-PT(config)# *Mar 1 04:59:10.218: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:10.310: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 04:59:10.366: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:10.418: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 04:59:10.466: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:10.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) NAT-PT(config)# NAT-PT(config)# *Mar 1 04:59:20.674: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:20.766: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2) *Mar 1 04:59:20.826: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:20.882: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2) *Mar 1 04:59:20.918: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:20.950: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2) NAT-PT(config)# NAT-PT(config)# *Mar 1 04:59:24.266: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:24.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3) *Mar 1 04:59:24.402: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:24.450: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3) *Mar 1 04:59:24.482: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 04:59:24.526: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3) NAT-PT(config)#

 

DNS embedded data (ALG)

Let’s keep previously configured PAT and see how NAT-PT handle application layer data like IPv6 addresses embedded in the DNS traffic.

We a need static translation to access the specific IPv4 node (DNS server).

Name lookup is enabled and DNS IPv6 address configured.

 

NAT-PT:

ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858 ! ip domain lookup ip domain name nouri.com ip name-server 2001::C0A8:2858

 

On Clients:

ip domain lookup ip domain name nouri.com ip name-server 2001::C0A8:2858

 

The following shows successful connectivity with the DNS server:

Routerv6_1#ping 2001::C0A8:2858 repeat 1   Type escape sequence to abort. Sending 1, 100-byte ICMP Echos to 2001::C0A8:2858, timeout is 2 seconds: ! Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms Routerv6_1#

 

NAT-PT(config)# *Mar 1 05:37:46.478: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104) *Mar 1 05:37:46.586: IPv6 NAT: src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1) NAT-PT(config)#

 

Routerv6_1#ping Routerv4_1.nouri.com Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]   Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]   Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/111/256 ms Routerv6_1#

 

Debug:

The NAT device:

receive a DNS request packet with IPv6 source (2001:A:B:C::1) and IPv6 destination (2001::C0A8:2858).

translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)

translate the IPv6 dst (2001::C0A8:2858) -> IPv4 dst (192.168.40.104)

send DNS request AAA to IPv4 DNS server with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.104)

 

receive DNS response with IPv4 src (192.168.40.104) + IPv4 dst. (192.168.40.199) + embedded response to AAA IPv4 (192.168.40.200)

translate embedded response IPv4 (192.168.40.200) -> IPv6 (2001::C0A8:28C8)

translate back the IPv4 src (192.168.40.104)-> IPv6 src (2001::C0A8:2858)

translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)

send DNS response with IPv6 src (2001::C0A8:2858) + IPv6 dst. (2001:A:B:C::1) + embedded response to AAA IPv6 (2001::C0A8:28C8)

 

Internal IPv6 node:

send ping with IPv6 src (2001:A:B:C::1) + IPv6 dst (2001::C0A8:28C8)

 

The NAT device:

translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)

translate the IPv6 dst (2001::C0A8:28C8) -> IPv4 dst (192.168.40.200)

send ping with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.200)

 

receive ping reply with IPv4 src (192.168.40.200) + IPv4 dst. (192.168.40.199)

translate back the IPv4 src (192.168.40.200) -> IPv6 src (2001::C0A8:28C8)

translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)

 

send ping reply with IPv6 src (2001::C0A8:28C8) + IPv6 dst. (2001:A:B:C::1)

 

NAT-PT(config)# *Mar 1 05:46:33.854: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104) *Mar 1 05:46:33.994: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.166: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104) *Mar 1 05:46:34.230: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.246: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104) *Mar 1 05:46:34.278: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.322: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 05:46:34.346: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.442: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 05:46:34.650: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.726: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 05:46:34.758: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.774: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 05:46:34.802: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) *Mar 1 05:46:34.818: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200) *Mar 1 05:46:34.834: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1) NAT-PT(config)#

 

IPv4 MAPPED

So far, we have been dealing with specific IPv4 hosts inside IPv4 network, but what if we just want to make connections to any IPv4 hosts (ex: to Internet)?

In this case the mapping of destination addresses should be automatic, that is the role of IPv4 mapped:

interface FastEthernet0/0 no ip address ipv6 address 2001:A:B:C::4/64 ipv6 nat ! interface FastEthernet1/0 ip address 192.168.40.199 255.255.255.0 ipv6 nat ! ! DNS still need Translation ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858 ! PAT Translation is the appropriate configuration for this case ipv6 nat v6v4 source list list_to-ipv4 interface FastEthernet1/0 overload ipv6 nat prefix 2001::/96 v4-mapped WHAT_to_IPv4 ! ! ! ipv6 access-list list_to-ipv4 permit ipv6 2001:A:B:C::/64 any ! ipv6 access-list WHAT_to_IPv4 permit ipv6 any 2001::/96

 

CONCLUSION

IPv6 NAT-PT as with IPv4 NAT represent a single point of failure in the network and cannot support end-to-end security.

Don’t forget that the primary goal is to build a native IPv6 connectivity, so as transition mechanisms it is recommended to use 6to4 tunneling and ONLY as a last resort NAT-PT

Automatic 6to4 Transition

Unfortunately NOT all Internet Service Providers have switched fully to IPv6 and until a native IPv6 connection is provided to your IPv6 site(s) you will have to use some transition methods like automatic 6to4.

 

Automatic 6to4 is a point-to-multipoint tunneling method, where the tunnel destination is determined from the border router IPv4 address facing the IPv4 network.

a- The border routers that delimit the 6to4 tunnel must support IPv4 and IPv6 and are not configured in pair.

b- Automatic 6to4 can be used to connect two IPv6 networks as well an IPv6 host to an IPv6 network.

c- IPv6 network is treated as NBMA link.

d- The IPv4 embedded in IPv6 is used to find the other end of the tunnel.

e- Border routers create a tunnel on a per packet basis to other IPv6 Border router.

 

Don’t share the same tunnel source interface between different tunnels, because it is used for de-multiplex incoming packet to tunnel interface.

Each IPv6 site must have a globally unique IPv4.

 

The IPv6 address format used for this type of transition method is as follow:

2002	<ipv4 address in HEX>	<subnet_part>	Interface ID
16 bits	32 bits	16 bits	64 bits
		The subnet part can be used to number networks within the site

2002:<ipv4 address in HEX>:<subnet_part>:<interface_ID>/64

 

The configuration commands are quite simple:

ipv6 unicast-routing ! interface Tunnel <X> ipv6 address 2002:<ipv4 address in HEX>:<subnet>:<int_ID>/64 tunnel source <src_int> tunnel mode ipv6ip 6to4 ! ipv6 route 0::0/0 Tunnel<X>

 

Before start configuring, carefully plan your addressing scheme, all ipv6 addresses are based on the IPv4 addresses assigned to physical interfaces of each site facing the IPv4 network.

IPv6 Addresses is done per-site, NOT in pair (between border routers).

Make sure you have successful connectivity between sites through IPv4 network in place.

Because automatic 6to4 handles tunnel interface as point-to-multipoint and all site traffic (IPv6) should be transported over IPv4 network, a static route to the tunnel interface is required.

 

 

In this lab three types of media will be treated : Serial HDLC, Ethernet and Frame Relay.

 

1. SERIAL:
   

Figure 1 depicts the topology used for serial connection:

Figure 1: Topology for serial connection

 

The ipv4 address of 192.168.0.0/24 is used for the link between East IPv6 site and West IPv6 site:

• BWest – serial1/0 ipv4 = 192.168.0.1 = c0a8:0001
  
• Best – serial1/0 ipv4 = 192.168.0.2 = c0a8:0002
  

 

Addressing scheme for West IPv6 site:

The IPv6 address format used is as follow:

2002:	C0a8:0001:	0001:/48		Subnet used for tunnel ipv6 address at BWest
2002:	C0a8:0001:	0001:	::1/64	BWest tunnel ipv6 address.
2002:	C0a8:0001:	0002:/48		Subnet used for network inside West site.
2002:	C0a8:0001:	0002:	::1	BWest Fa0/0 ipv6 address.
2002:	C0a8:0001:	0002:	::2	Westv6 Fa0/0 ipv6 address.

Addressing scheme for Est IPv6 site:

The IPv6 address format used is as follow:

2002:	C0a8:0002:	0001:/48		Subnet used for tunnel ipv6 address at BEst
2002:	C0a8:0002:	0001:	::1/64	BEst tunnel ipv6 address.
2002:	C0a8:0002:	0002:/48		Subnet used for network inside Est site.
2002:	C0a8:0002:	0002:	::1	BEst Fa0/0 ipv6 address.
2002:	C0a8:0002:	0002:	::2	Estv6 Fa1/0 ipv6 address.

Do not forget to enable ipv6 unicast routing on All IPv6 routers, not like IPv6 routing protocols, the IOS will not warn you if you are using ipv6 static routing with ipv6 routing disabled.

Make sure you have a static route to all 2002::/16 prefix routes pointed to the tunnel interface.

 

Configuration commands:

BEast:

ipv6 unicast-routing ! ! ! interface Tunnel1 ipv6 address 2002:C0A8:2:1::1/64 tunnel source Serial1/0 tunnel mode ipv6ip 6to4 ! interface FastEthernet0/0 ipv6 address 2002:C0A8:2:2::1/64 ! interface Serial1/0 ip address 192.168.0.2 255.255.255.0 ! ! ipv6 route 2002::/16 Tunnel1

Estv6:

ipv6 unicast-routing ! interface FastEthernet0/0 ipv6 address 2001:B:B:B::B/64 ipv6 address FE80:B:B:B::B link-local ! interface FastEthernet1/0 ipv6 address 2002:C0A8:2:2::2/64 ! ipv6 route ::/0 2002:C0A8:2:2::1

BWest:

ipv6 unicast-routing ! ! interface Tunnel1 ipv6 address 2002:C0A8:1:1::1/64 tunnel source Serial1/0 tunnel mode ipv6ip 6to4 ! interface FastEthernet0/0 ipv6 address 2002:C0A8:1:2::1/64 ! interface Serial1/0 ip address 192.168.0.1 255.255.255.0 ! ! ipv6 route 2002::/16 Tunnel1

Westv6

ipv6 unicast-routing ! interface FastEthernet0/0 ipv6 address 2002:C0A8:1:2::2/64 ! ipv6 route ::/0 2002:C0A8:1:1::1

Troubleshooting:

East6:

Eastv6(config)#do ping 2002:c0a8:1:2::2   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:2::2, timeout is 2 seconds: !!!!! Success rate is 40 percent (2/5), round-trip min/avg/max = 176/182/188 ms Eastv6(config)#

BEast:

BEast#sh int tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 192.168.0.2 (Serial1/0), destination UNKNOWN Tunnel protocol/transport IPv6 6to4   Fast tunneling enabled Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) … BEast#

Because 6to4 tunnelling is point-to-multipoint, the tunnel destination is not preconfigured “UNKNOWN”.

BEast(config)#do debug tunnel Tunnel Interface debugging is on *Mar 1 09:26:48.445: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0×0) *Mar 1 09:26:48.445: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254) *Mar 1 09:26:48.449: Tunnel1: decapsulated IPv6/IP packet *Mar 1 09:26:48.449: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63) *Mar 1 09:26:50.605: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0×0) *Mar 1 09:26:50.605: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254) *Mar 1 09:26:50.609: Tunnel1: decapsulated IPv6/IP packet *Mar 1 09:26:50.609: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63) *Mar 1 09:26:52.777: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0×0) *Mar 1 09:26:52.781: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254) *Mar 1 09:26:52.781: Tunnel1: decapsulated IPv6/IP packet *Mar 1 09:26:52.781: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63) BEast(config)#

 

1. ETHERNET:
   

Another site (North) is added and all sites are connected through an Ethernet switch like illustrated in Figure2.

Figure2: Topology with Ethernet

The previous East and West site address schemas are kept and a new address scheme is designed for North site:

The ipv4 address of 192.168.0.0/24 is used for Ethernet between North, East, and West IPv6 sites:

• BNorth – serial1/0 ipv4 = 192.168.0.3 = c0a8:0003
  

Addressing scheme for North IPv6 site:

The IPv6 address format used is as follow:

2002:	C0a8:0003:	0001:/48		Subnet used for tunnel ipv6 address at BNorth
2002:	C0a8:0003:	0001:	::1/64	BNorth tunnel ipv6 address.
2002:	C0a8:0003:	0002:/48		Subnet used for network inside North site.
2002:	C0a8:0003:	0002:	::1	BNorth Fa0/0 ipv6 address.
2002:	C0a8:0003:	0002:	::2	Northv6 Fa0/0 ipv6 address.

Configuration commands:

As follow the configuration of the North site, practically nothing changed, this time we are just dealing with Ethernet media.

BNorth:

ipv6 unicast-routing ! interface Tunnel1 ipv6 address 2002:C0A8:3:1::1/64 tunnel source FastEthernet1/0 tunnel mode ipv6ip 6to4 ! interface FastEthernet0/0 ipv6 address 2002:C0A8:3:2::1/64 ! interface FastEthernet1/0 ip address 192.168.0.3 255.255.255.0 ! ! ipv6 route 2002::/16 Tunnel1

Northv6:

ipv6 unicast-routing ! interface FastEthernet0/0 ipv6 address 2002:C0A8:3:2::2/64 ! ! ipv6 route ::/0 2002:C0A8:3:2::1

BWest:

ipv6 unicast-routing ! interface Tunnel1 ipv6 address 2002:C0A8:1:1::1/64 tunnel source FastEthernet1/0 tunnel mode ipv6ip 6to4 ! interface FastEthernet0/0 ipv6 address 2002:C0A8:1:2::1/64 ! interface FastEthernet1/0 ip address 192.168.0.1 255.255.255.0 ! ipv6 route 2002::/16 Tunnel1

BEst:

ipv6 unicast-routing ! interface Tunnel1 ipv6 address 2002:C0A8:2:1::1/64 tunnel source FastEthernet1/0 tunnel mode ipv6ip 6to4 ! interface FastEthernet0/0 ipv6 address 2002:C0A8:2:2::1/64 ! interface FastEthernet1/0 ip address 192.168.0.2 255.255.255.0 ! ipv6 route 2002::/16 Tunnel1

Troubleshooting

Northv6:

Northv6(config)#do ping 2002:c0a8:1:2::2 repeat 1   Type escape sequence to abort. Sending 1, 100-byte ICMP Echos to 2002:C0A8:1:2::2, timeout is 2 seconds: ! Success rate is 100 percent (1/1), round-trip min/avg/max = 220/220/220 ms Northv6(config)#do ping 2002:c0a8:2:2::2 repeat 1   Type escape sequence to abort. Sending 1, 100-byte ICMP Echos to 2002:C0A8:2:2::2, timeout is 2 seconds: ! Success rate is 100 percent (1/1), round-trip min/avg/max = 220/220/220 ms Northv6(config)#

BNorth:

BNorth(config)#do debug tunnel Tunnel Interface debugging is on BNorth(config)# *Mar 1 01:01:13.351: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.3 (len=120 ttl=254 tos=0×0) *Mar 1 01:01:13.355: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.3 (len=120, ttl=254) *Mar 1 01:01:13.359: Tunnel1: decapsulated IPv6/IP packet *Mar 1 01:01:13.359: 2002:C0A8:1:2::2 -> 2002:C0A8:3:2::2 (len=60 ttl=63) BNorth(config)# *Mar 1 01:01:32.979: Tunnel1: IPv6/IP to classify 192.168.0.2->192.168.0.3 (len=120 ttl=254 tos=0×0) *Mar 1 01:01:32.983: Tunnel1: to decaps IPv6/IP packet 192.168.0.2->192.168.0.3 (len=120, ttl=254) *Mar 1 01:01:32.987: Tunnel1: decapsulated IPv6/IP packet *Mar 1 01:01:32.987: 2002:C0A8:2:2::2 -> 2002:C0A8:3:2::2 (len=60 ttl=63) BNorth(config)# BNorth(config)#

Note that automatic 6to4 determine each time the needed tunnel destination address and send each packet accordingly.

To reach the Eastern isolated IPv6 network it uses the IP packet with addresses 192.168.0.3->192.168.0.2 that encapsulates IPv6 packet 2002:C0A8:3:2::2 -> 2002:C0A8:2:2::2.

To reach the Western isolated IPv6 network it uses the IP packet with addresses 192.168.0.3->192.168.0.1 that encapsulates IPv6 packet 2002:C0A8:3:2::2 -> 2002:C0A8:1:2::2; and what we see in the previous debug is return traffic.

The following trace command output illustrates the different path taken each time to reach different destination tunnel.

Northv6(config)#do trace 2002:c0a8:2:2::2   Type escape sequence to abort. Tracing the route to 2002:C0A8:2:2::2   1 2002:C0A8:3:2::1 104 msec 32 msec 56 msec 2 2002:C0A8:2:1::1 232 msec 88 msec 120 msec 3 2002:C0A8:2:2::2 280 msec 168 msec 108 msec Northv6(config)# Northv6(config)#do trace 2002:c0a8:1:2::2   Type escape sequence to abort. Tracing the route to 2002:C0A8:1:2::2   1 2002:C0A8:3:2::1 76 msec 24 msec 40 msec 2 2002:C0A8:1:1::1 200 msec 120 msec 64 msec 3 2002:C0A8:1:2::2 216 msec 152 msec 124 msec Northv6(config)# Northv6(config)#

 

1. FR NBMA point-to-multipoint(figure3):
   

The same thing here, except for the FR Connectivity with point-multipoint there is no change to 6to4 configuration, first make sure that FR connectivity is successful and then you can set the 6to4 transition method using the interface ipv4.

Figure3: Topology FR

FR configuration commands:

BNorth:

interface Serial1/0 no ip address encapsulation frame-relay serial restart-delay 0 ! interface Serial1/0.123 multipoint ip address 192.168.0.3 255.255.255.0 frame-relay map ip 192.168.0.1 102 broadcast frame-relay map ip 192.168.0.2 101 broadcast

 

BNorth(config-if)#do sh frame map Serial1/0.123 (up): ip 192.168.0.1 dlci 102(0×66,0×1860), static, broadcast, CISCO, status defined, active Serial1/0.123 (up): ip 192.168.0.2 dlci 101(0×65,0×1850), static, broadcast, CISCO, status defined, active BNorth(config-if)#

BEast:

interface Serial1/0 no ip address encapsulation frame-relay no frame-relay inverse-arp ! interface Serial1/0.123 multipoint ip address 192.168.0.2 255.255.255.0 frame-relay map ip 192.168.0.1 203 broadcast frame-relay map ip 192.168.0.3 110 broadcast

 

BEast(config-subif)#do sh frame map Serial1/0.123 (up): ip 192.168.0.1 dlci 203(0xCB,0×30B0), static, broadcast, CISCO, status defined, active Serial1/0.123 (up): ip 192.168.0.3 dlci 110(0×6E,0×18E0), static, broadcast, CISCO, status defined, active BEast(config-subif)#

BWest:

interface Serial1/0 no ip address encapsulation frame-relay no frame-relay inverse-arp ! interface Serial1/0.123 multipoint ip address 192.168.0.1 255.255.255.0 frame-relay map ip 192.168.0.2 302 broadcast frame-relay map ip 192.168.0.3 201 broadcast

 

BWest(config-subif)#do sh frame map Serial1/0.123 (up): ip 192.168.0.2 dlci 302(0×12E,0×48E0), static, broadcast, CISCO, status defined, active Serial1/0.123 (up): ip 192.168.0.3 dlci 201(0xC9,0×3090), static, broadcast, CISCO, status defined, active BWest(config-subif)#

FR Connectivity Check:

BNorth(config-if)#do ping 192.168.0.2   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/58/96 ms BNorth(config-if)#do ping 192.168.0.1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/61/108 ms BNorth(config-if)#

Automatic 6to4 configuration:

BNorth:

ipv6 unicast-routing ! ! interface Tunnel1 ipv6 address 2002:C0A8:3:1::1/64 tunnel source Serial1/0.123 tunnel mode ipv6ip 6to4 ! ipv6 route 2002::/16 Tunnel1

 

BNorth(config)#do ping 2002:c0a8:2:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/70/112 ms BNorth(config)#do ping 2002:c0a8:1:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/62/112 ms BNorth(config)#

BEast:

ipv6 unicast-routing ! ! interface Tunnel1 ipv6 address 2002:C0A8:2:1::1/64 tunnel source Serial1/0.123 tunnel mode ipv6ip 6to4 ! ipv6 route 2002::/16 Tunnel1

 

BEast(config)# do ping 2002:c0a8:3:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/71/120 ms BEast(config)# do ping 2002:c0a8:1:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/56/156 ms BEast(config)#

BWest:

ipv6 unicast-routing ! ! interface Tunnel1 ipv6 address 2002:C0A8:1:1::1/64 tunnel source Serial1/0.123 tunnel mode ipv6ip 6to4 ! ipv6 route 2002::/16 Tunnel1

 

BWest(config-if)#do ping 2002:c0a8:3:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/76/132 ms BWest(config-if)#do ping 2002:c0a8:2:1::1   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/62/156 ms BWest(config-if)#

Now the final check guys!

Ping and trace route from Westv6 and to Eastv6 and Northv6:

Westv6(config)#do ping 2002:c0a8:2:2::2   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:2::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 88/182/428 ms Westv6(config)#do ping 2002:c0a8:3:2::2   Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:2::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/228 ms Westv6(config)#do trace 2002:c0a8:2:2::2   Type escape sequence to abort. Tracing the route to 2002:C0A8:2:2::2   1 2002:C0A8:1:2::1 64 msec 56 msec 32 msec 2 2002:C0A8:2:1::1 228 msec 64 msec 72 msec 3 2002:C0A8:2:2::2 152 msec 124 msec 56 msec Westv6(config)#do trace 2002:c0a8:3:2::2   Type escape sequence to abort. Tracing the route to 2002:C0A8:3:2::2   1 2002:C0A8:1:2::1 64 msec 56 msec 28 msec 2 2002:C0A8:3:1::1 136 msec 120 msec 32 msec 3 2002:C0A8:3:2::2 124 msec 72 msec 112 msec Westv6(config)#

Another opportunity to show you that mastering each technology separately will make your life easier when dealing with many technologies combined together.