CCIE, the beginning!

July 27, 2009

IPv6 NAT-PT Transition

Filed under: IPv6, Uncategorized — cciethebeginning @ 6:09 pm

NAT-PT allows IPv6-only nodes to communicate with IPv4-only nodes and vice versa; it acts as a gateway between the IPv4 and IPv6 networks, so dual stack is needed ONLY on the NAT-PT device.

This transition method can be a good solution when IPv6 is the predominant connectivity type and there is still a need to reach specific IPv4 nodes that are on their way out.

Depending on your needs you can use NAT-PT in four different ways (similar to NAT for IPv4):

- Static NAT-PT.

- Dynamic NAT-PT.

- PAT overload.

- IPv4-mapped.

Also an example of NAT-PT with ALG (Application Layer Gateway) is provided.

 

In this lab, the IPv6 site communicates with specific IPv4 nodes of the IPv4 site (except for the IPv4-mapped case).

Figure 1 illustrates the lab topology used to test each of the NAT-PT methods listed above.

Figure 1: Topology

So if you have an internal IPv6-only network and you want to communicate with the outside world (IPv4-only), all internal hosts will see the outside world as IPv6, and the outside world will have no idea about what is happening inside (figures 2 and 3).

Both networks route their traffic to the Border router (NAT gateway) supporting dual-stack, where translation from IPv6 to IPv4 and IPv4 to IPv6 will be performed.

 

Figure 2: The network as seen from the IPv4 side.

Figure 3: The network as seen from the IPv6 side.

The key concept in translation is how the IPv6 site sees IPv4 nodes, and how the IPv4 site sees IPv6 nodes (figures 2 and 3).

 

 

STATIC NAT-PT

Table 1: v6v4 address translation

IPv6 node (IPv6 network)                          IPv4 address (IPv6 node as seen by the IPv4 network)
2001:a:b:c::1/64        ====> will be seen as     192.168.40.1
2001:a:b:c::2/64        ====> will be seen as     192.168.40.2
2001:a:b:c::3/64        ====> will be seen as     192.168.40.3

So any traffic originating from 2001:a:b:c:: will trigger v6v4 operations (figure 4).

The prefix 2001:a:b:c:: represents the IPv6 addressing scheme inside the IPv6 site.

 

Table 2: v4v6 address translation

IPv4 node                                         IPv6 address (IPv4 node as seen by the IPv6 network)
192.168.40.200          ====> will be seen as     2001::c0a8:28c8/96

c0a8:28c8 is the hexadecimal representation of the IPv4 address 192.168.40.200.

The prefix 2001::/96 is called the NAT-PT prefix: it is the IPv6 prefix reserved to represent the IPv4 nodes of the IPv4 site as seen from the IPv6 site. It can be part of the IPv6 site addressing scheme or a separate prefix allocated by the ISP for this purpose.

Any IPv4 node is represented inside the IPv6 site as <NAT-PT-prefix>::<IPv4-in-hex>.

So any traffic destined to an IPv6 address within <NAT-PT-prefix> will trigger v4v6 operations (figure 4).

As mentioned earlier, the IPv6 site communicates with specific IPv4 nodes of the IPv4 site (except for the IPv4-mapped case).

Figure 4: v6v4 & v4v6 operations


 

Static NAT-PT configuration:

!! This is the IPv6 side interface
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:A:B:C::4/64
 !! Enable IPv6 NAT-PT on this interface
 ipv6 nat
!
!! This is the IPv4 side interface
interface FastEthernet1/0
 ip address 192.168.40.199 255.255.255.0
 !! Enable IPv6 NAT-PT on this interface
 ipv6 nat
!
!! Any IPv6 packet with destination 2001::C0A8:28C8 has its destination translated to the IPv4 address 192.168.40.200
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
!! Any IPv6 packet with source address 2001:A:B:C::X (X = 1, 2, 3) has its source translated to 192.168.40.X respectively
ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1
ipv6 nat v6v4 source 2001:A:B:C::2 192.168.40.2
ipv6 nat v6v4 source 2001:A:B:C::3 192.168.40.3
!! The IPv6 prefix 2001::/96 represents IPv4 addresses in IPv6 format; packets destined to it are inspected by NAT-PT and dropped if no translation matches
ipv6 nat prefix 2001::/96

 

Connectivity check:

Routerv6_1#ping 2001::C0A8:28C8 repeat 3

 

Type escape sequence to abort.

Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:

!!!

Success rate is 100 percent (3/3), round-trip min/avg/max = 72/80/88 ms

Routerv6_1#

 

Routerv6_2#ping 2001::C0A8:28C8 repeat 3

 

Type escape sequence to abort.

Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:

!!!

Success rate is 100 percent (3/3), round-trip min/avg/max = 60/125/164 ms

Routerv6_2#

 

Routerv6_3#ping 2001::C0A8:28C8 repeat 3

 

Type escape sequence to abort.

Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:

!!!

Success rate is 100 percent (3/3), round-trip min/avg/max = 88/134/208 ms

Routerv6_3#

 

Traffic from each IPv6 host is translated according to the configured static NAT-PT entries:

NAT-PT#

*Mar 1 04:18:57.446: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:18:57.502: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

*Mar 1 04:18:57.554: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:18:57.634: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

*Mar 1 04:18:57.662: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:18:57.682: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

NAT-PT#

 

NAT-PT(config)#

*Mar 1 04:25:50.854: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:25:50.962: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

*Mar 1 04:25:51.022: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:25:51.038: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

*Mar 1 04:25:51.086: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:25:51.178: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

NAT-PT(config)# 

 

NAT-PT(config)#

*Mar 1 04:26:13.274: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:26:13.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

*Mar 1 04:26:13.398: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:26:13.470: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

*Mar 1 04:26:13.494: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:26:13.570: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

NAT-PT(config)# 

 

NAT-PT#sh ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.1             2001:A:B:C::1
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.1             2001:A:B:C::1
      ---                      ---

NAT-PT#

 

DYNAMIC NAT-PT

With dynamic translation, sources inside a specific IPv6 prefix are translated to addresses taken from a pool of IPv4 addresses, while the destination is still translated through the static v4v6 entry.

Table 3: v6v4 address translation

IPv6 nodes (IPv6 network)                                 IPv4 addresses (as seen by the IPv4 network)
Any 2001:a:b:c::/64 node     ====> will be represented by  192.168.40.1
(3 nodes in our case)                                      192.168.40.2
                                                           192.168.40.3

Any traffic originating from 2001:a:b:c::/64 will trigger v6v4 operations.

Because there are 3 IPv6 nodes and 3 IPv4 addresses in the pool, a one-to-one translation occurs.

Table 4: v4v6 address translation

IPv4 node                                         IPv6 address (IPv4 node as seen by the IPv6 network)
192.168.40.200          ====> will be seen as     2001::c0a8:28c8/96

 

Configuration:

interface FastEthernet0/0
 no ip address
 ipv6 address 2001:A:B:C::4/64
 ipv6 nat
!
interface FastEthernet1/0
 ip address 192.168.40.199 255.255.255.0
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool
ipv6 nat v6v4 pool ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24
ipv6 nat prefix 2001::/96
!
ipv6 access-list list_to-ipv4
 permit ipv6 2001:A:B:C::/64 any

 

Connectivity check:

NAT-PT(config)#do sh ipv6 nat trans
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.1             2001:A:B:C::1
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.1             2001:A:B:C::1
      ---                      ---

---   192.168.40.2             2001:A:B:C::2
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.2             2001:A:B:C::2
      ---                      ---

---   192.168.40.3             2001:A:B:C::3
      192.168.40.200           2001::C0A8:28C8

---   192.168.40.3             2001:A:B:C::3
      ---                      ---

NAT-PT(config)#

 

NAT-PT(config)#do sh ipv6 nat stat

Total active translations: 7 (-5 static, 12 dynamic; 0 extended)

NAT-PT interfaces:

FastEthernet0/0, FastEthernet1/0, NVI0

Hits: 0 Misses: 0

Expired translations: 0

NAT-PT(config)#

 

Debug:

NAT-PT(config)#

*Mar 1 04:44:15.454: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:15.586: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

*Mar 1 04:44:15.650: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:15.730: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

*Mar 1 04:44:15.794: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:15.810: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)

NAT-PT(config)#

NAT-PT(config)#

NAT-PT(config)#

*Mar 1 04:44:29.122: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:29.230: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

*Mar 1 04:44:29.262: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:29.326: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

*Mar 1 04:44:29.386: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:29.410: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)

NAT-PT(config)#

NAT-PT(config)#

NAT-PT(config)#

*Mar 1 04:44:42.434: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:42.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

*Mar 1 04:44:42.546: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:42.574: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

*Mar 1 04:44:42.622: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:44:42.678: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)

NAT-PT(config)#

 

PAT NAT-PT

Table 5: v6v4 address translation

IPv6 nodes (IPv6 network)                                 IPv4 address (as seen by the IPv4 network)
Any 2001:a:b:c::/64 node     ====> will be represented by  192.168.40.199
(3 nodes in our case)

Any traffic originating from 2001:a:b:c::/64 will trigger v6v4 operations and will be translated to the single IPv4 address of the outbound interface.

Table 6: v4v6 address translation

IPv4 node                                         IPv6 address (IPv4 node as seen by the IPv6 network)
192.168.40.200          ====> will be seen as     2001::c0a8:28c8/96

We are still communicating with the IPv4 node 192.168.40.200, represented by 2001::c0a8:28c8/96.
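To make the three v6v4 modes concrete, here is an added Python model (not from the original post, and not IOS code) of how the NAT-PT device picks the IPv4 source and destination for the lab's addresses: static entries, a dynamic pool that is exhausted when a fourth host shows up, and interface overload where hosts are told apart by port. The `NatPt` class and the port numbers it hands out are assumptions of the model.

```python
import ipaddress

# Lab values taken from the page's configuration (constructed model, not IOS code).
NATPT_PREFIX = ipaddress.IPv6Network("2001::/96")        # ipv6 nat prefix 2001::/96
IPV6_SITE = ipaddress.IPv6Network("2001:a:b:c::/64")    # permit ipv6 2001:A:B:C::/64 any
INTERFACE_V4 = ipaddress.IPv4Address("192.168.40.199")  # Fa1/0, used by "interface overload"


def embed_v4(v4):
    """<NAT-PT-prefix>::<IPv4-in-hex>: 192.168.40.200 -> 2001::c0a8:28c8."""
    return ipaddress.IPv6Address(int(NATPT_PREFIX.network_address)
                                 | int(ipaddress.IPv4Address(v4)))


class NatPt:
    """v6v4 source translation in the three modes the lab configures, plus the reverse path."""

    def __init__(self, mode, static_v6v4=None, pool=None):
        assert mode in ("static", "dynamic", "overload")
        self.mode = mode
        # ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8 (the only IPv4 node reachable)
        self.v4v6 = {ipaddress.IPv4Address("192.168.40.200"): embed_v4("192.168.40.200")}
        # static: ipv6 nat v6v4 source <v6> <v4>; dynamic: filled from the pool on demand
        self.v6v4 = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v)
                     for k, v in (static_v6v4 or {}).items()}
        self.pool = [ipaddress.IPv4Address(a) for a in (pool or [])]
        self.next_port = 7000           # assumption: IOS picks its own port numbers
        self.bindings = {}              # overload: (src6, port) -> (src4, port)

    def _source(self, src6, sport):
        """Pick the IPv4 source (and port) for src6, or (None, _) if the packet is dropped."""
        if self.mode == "static":
            return self.v6v4.get(src6), sport
        if src6 not in IPV6_SITE:       # not permitted by list_to-ipv4
            return None, sport
        if self.mode == "dynamic":
            if src6 not in self.v6v4:
                used = set(self.v6v4.values())
                free = [a for a in self.pool if a not in used]
                if not free:            # pool exhausted: no translation, packet dropped
                    return None, sport
                self.v6v4[src6] = free[0]
            return self.v6v4[src6], sport
        # overload: every host shares the interface address, told apart by port
        key = (src6, sport)
        if key not in self.bindings:
            self.bindings[key] = (INTERFACE_V4, self.next_port)
            self.next_port += 1
        return self.bindings[key]

    def v6_to_v4(self, src6, dst6, sport=0):
        """(src4, dst4, port) for an IPv6 packet, or None if NAT-PT does not translate it."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst6 not in NATPT_PREFIX:    # only the NAT-PT prefix triggers v6v4
            return None
        dst4 = next((v4 for v4, v6 in self.v4v6.items() if v6 == dst6), None)
        if dst4 is None:                # no v4v6 entry for that embedded IPv4 node
            return None
        src4, port = self._source(src6, sport)
        if src4 is None:
            return None
        return str(src4), str(dst4), port

    def v4_to_v6(self, src4, dst4, dport=0):
        """Reverse path: an IPv4 reply -> (src6, dst6) via the entries created above."""
        src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
        src6 = self.v4v6.get(src4)
        if self.mode == "overload":
            dst6 = next((k[0] for k, v in self.bindings.items() if v == (dst4, dport)), None)
        else:
            dst6 = next((v6 for v6, v4 in self.v6v4.items() if v4 == dst4), None)
        if src6 is None or dst6 is None:
            return None
        return str(src6), str(dst6)


if __name__ == "__main__":
    pat = NatPt("overload")
    for host in ("2001:a:b:c::1", "2001:a:b:c::2", "2001:a:b:c::3"):
        print(host, "->", pat.v6_to_v4(host, "2001::c0a8:28c8", sport=1024))
```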

By the way, IOS will not let you remove configured commands while their corresponding translations are still active, so you have to clear all translation entries before making any changes to the configuration.

 

NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool

NAT-PT(config)#$ ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24

%Pool ipv4_pool in use, cannot destroy

NAT-PT(config)#

*Mar 1 04:56:14.094: %Dynamic mapping in use, cannot remove

NAT-PT(config)#do clear ipv6 nat trans *

NAT-PT(config)#

NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool

NAT-PT(config)#no ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24

NAT-PT(config)#

 

Configuration:

interface FastEthernet0/0
 no ip address
 ipv6 address 2001:A:B:C::4/64
 ipv6 nat
!
interface FastEthernet1/0
 ip address 192.168.40.199 255.255.255.0
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
ipv6 nat v6v4 source list list_to-ipv4 interface overload
ipv6 nat prefix 2001::/96
!
ipv6 access-list list_to-ipv4
 permit ipv6 2001:A:B:C::/64 any

 

NAT-PT(config)#do sh ipv6 nat translation
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.40.200           2001::C0A8:28C8

icmp  192.168.40.199,7704      2001:A:B:C::1,7704
      192.168.40.200,7704      2001::C0A8:28C8,7704

icmp  192.168.40.199,7126      2001:A:B:C::2,7126
      192.168.40.200,7126      2001::C0A8:28C8,7126

icmp  192.168.40.199,9979      2001:A:B:C::3,9979
      192.168.40.200,9979      2001::C0A8:28C8,9979

NAT-PT(config)#

 

NAT-PT(config)#do sh ipv6 nat stat

Total active translations: 4 (-5 static, 9 dynamic; 3 extended)

NAT-PT interfaces:

FastEthernet0/0, FastEthernet1/0, NVI0

Hits: 0 Misses: 0

Expired translations: 0

NAT-PT(config)#

 

NAT-PT(config)#

*Mar 1 04:59:10.218: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:10.310: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 04:59:10.366: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:10.418: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 04:59:10.466: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:10.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

NAT-PT(config)#

NAT-PT(config)#

*Mar 1 04:59:20.674: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:20.766: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)

*Mar 1 04:59:20.826: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:20.882: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)

*Mar 1 04:59:20.918: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:20.950: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)

NAT-PT(config)#

NAT-PT(config)#

*Mar 1 04:59:24.266: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:24.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)

*Mar 1 04:59:24.402: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:24.450: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)

*Mar 1 04:59:24.482: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:59:24.526: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)

NAT-PT(config)#

 

DNS embedded data (ALG)

Let's keep the previously configured PAT and see how NAT-PT handles application layer data such as IP addresses embedded in DNS traffic.

We need a static translation to reach the specific IPv4 node (the DNS server).

Name lookup is enabled and the DNS server's IPv6 address is configured.

 

NAT-PT:

ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858
!
ip domain lookup
ip domain name nouri.com
ip name-server 2001::C0A8:2858

On clients:

ip domain lookup
ip domain name nouri.com
ip name-server 2001::C0A8:2858

 

The following shows successful connectivity with the DNS server:

Routerv6_1#ping 2001::C0A8:2858 repeat 1

 

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 2001::C0A8:2858, timeout is 2 seconds:

!

Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms

Routerv6_1#

 

NAT-PT(config)#

*Mar 1 05:37:46.478: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:37:46.586: IPv6 NAT: src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)

NAT-PT(config)#

 

Routerv6_1#ping Routerv4_1.nouri.com

Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]

 

Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]

 

Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/111/256 ms

Routerv6_1#

 

Debug:

The NAT device:

- receives a DNS request with IPv6 source (2001:A:B:C::1) and IPv6 destination (2001::C0A8:2858);
- translates the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199);
- translates the IPv6 dst (2001::C0A8:2858) -> IPv4 dst (192.168.40.104);
- sends the DNS request (AAAA) to the IPv4 DNS server with IPv4 src (192.168.40.199) and IPv4 dst (192.168.40.104);
- receives the DNS response with IPv4 src (192.168.40.104), IPv4 dst (192.168.40.199) and an embedded IPv4 answer (192.168.40.200);
- translates the embedded answer IPv4 (192.168.40.200) -> IPv6 (2001::C0A8:28C8);
- translates back the IPv4 src (192.168.40.104) -> IPv6 src (2001::C0A8:2858);
- translates back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1);
- sends the DNS response with IPv6 src (2001::C0A8:2858), IPv6 dst (2001:A:B:C::1) and the embedded AAAA answer (2001::C0A8:28C8).

The internal IPv6 node:

- sends a ping with IPv6 src (2001:A:B:C::1) and IPv6 dst (2001::C0A8:28C8).

The NAT device:

- translates the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199);
- translates the IPv6 dst (2001::C0A8:28C8) -> IPv4 dst (192.168.40.200);
- sends the ping with IPv4 src (192.168.40.199) and IPv4 dst (192.168.40.200);
- receives the ping reply with IPv4 src (192.168.40.200) and IPv4 dst (192.168.40.199);
- translates back the IPv4 src (192.168.40.200) -> IPv6 src (2001::C0A8:28C8);
- translates back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1);
- sends the ping reply with IPv6 src (2001::C0A8:28C8) and IPv6 dst (2001:A:B:C::1).
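As an added illustration (not part of the original post, and not IOS code), the following Python sketches what the DNS ALG does to the messages in the exchange above, following the RFC 2766 DNS-ALG behaviour: the AAAA question from the IPv6 side is forwarded to the IPv4 server as an A question, and each A answer is returned as an AAAA record carrying <NAT-PT-prefix>::<IPv4>. The DNS message is constructed here; the parser handles one question and ignores authority/additional sections, and the function names are my own.

```python
import struct
import ipaddress

NATPT_PREFIX = ipaddress.IPv6Network("2001::/96")   # ipv6 nat prefix 2001::/96
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def embed_v4(v4_bytes):
    """<NAT-PT-prefix>::<IPv4-in-hex>, e.g. 192.168.40.200 -> 2001::c0a8:28c8."""
    return ipaddress.IPv6Address(int(NATPT_PREFIX.network_address)
                                 | int.from_bytes(v4_bytes, "big"))


def encode_name(name):
    """Wire-format name, labels uncompressed."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name (compression pointers per RFC 1035 4.1.4 allowed); return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode())
        off += n


def build_message(txid, flags, question, answers):
    """Serialise one question (name, qtype) and answers [(name, rtype, ttl, rdata)]; NS/AR empty."""
    out = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    out += encode_name(question[0]) + struct.pack("!HH", question[1], CLASS_IN)
    for name, rtype, ttl, rdata in answers:
        out += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def parse_message(msg):
    """(txid, flags, (qname, qtype), answers) for a one-question message; NS/AR sections ignored."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("this ALG model handles exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, (qname, qtype), answers


def alg_query_v6_to_v4(msg):
    """IPv6 client -> IPv4 DNS server: the AAAA question is forwarded as an A question."""
    txid, flags, (qname, qtype), answers = parse_message(msg)
    if qtype == TYPE_AAAA:
        qtype = TYPE_A
    return build_message(txid, flags, (qname, qtype), answers)


def alg_response_v4_to_v6(msg):
    """IPv4 DNS server -> IPv6 client: A answers become AAAA answers under the NAT-PT prefix."""
    txid, flags, (qname, qtype), answers = parse_message(msg)
    if qtype == TYPE_A:
        qtype = TYPE_AAAA
    rewritten = []
    for name, rtype, ttl, rdata in answers:
        if rtype == TYPE_A and len(rdata) == 4:
            rtype, rdata = TYPE_AAAA, embed_v4(rdata).packed
        rewritten.append((name, rtype, ttl, rdata))
    return build_message(txid, flags, (qname, qtype), rewritten)


def answer_addresses(msg):
    """(name, rtype, address) for each A/AAAA answer, for inspection."""
    _, _, _, answers = parse_message(msg)
    return [(name, rtype, str(ipaddress.ip_address(rdata))) for name, rtype, _, rdata in answers]


# Constructed sample: Routerv6_1 asks for Routerv4_1.nouri.com, the IPv4 server answers 192.168.40.200
SAMPLE_QUERY = build_message(0x1234, 0x0100, ("Routerv4_1.nouri.com.", TYPE_AAAA), [])
SAMPLE_RESPONSE = build_message(0x1234, 0x8180, ("Routerv4_1.nouri.com.", TYPE_A),
                                [("Routerv4_1.nouri.com.", TYPE_A, 300,
                                  ipaddress.IPv4Address("192.168.40.200").packed)])

if __name__ == "__main__":
    print(parse_message(alg_query_v6_to_v4(SAMPLE_QUERY))[2])
    print(answer_addresses(alg_response_v4_to_v6(SAMPLE_RESPONSE)))
```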

 

NAT-PT(config)#

*Mar 1 05:46:33.854: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:46:33.994: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.166: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:46:34.230: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.246: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:46:34.278: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.322: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 05:46:34.346: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.442: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 05:46:34.650: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.726: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 05:46:34.758: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.774: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 05:46:34.802: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

*Mar 1 05:46:34.818: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 05:46:34.834: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)

NAT-PT(config)#

 

IPv4 MAPPED

So far, we have been dealing with specific IPv4 hosts inside IPv4 network, but what if we just want to make connections to any IPv4 hosts (ex: to Internet)?

In this case the mapping of destination addresses should be automatic; that is the role of IPv4-mapped:

interface FastEthernet0/0
 no ip address
 ipv6 address 2001:A:B:C::4/64
 ipv6 nat
!
interface FastEthernet1/0
 ip address 192.168.40.199 255.255.255.0
 ipv6 nat
!
! DNS still needs a static translation
ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858
! PAT translation is the appropriate configuration for this case
ipv6 nat v6v4 source list list_to-ipv4 interface FastEthernet1/0 overload
ipv6 nat prefix 2001::/96 v4-mapped WHAT_to_IPv4
!
ipv6 access-list list_to-ipv4
 permit ipv6 2001:A:B:C::/64 any
!
ipv6 access-list WHAT_to_IPv4
 permit ipv6 any 2001::/96

 

CONCLUSION

IPv6 NAT-PT, as with IPv4 NAT, represents a single point of failure in the network and cannot support end-to-end security.

Don't forget that the primary goal is to build native IPv6 connectivity, so as a transition mechanism it is recommended to use 6to4 tunneling, and NAT-PT ONLY as a last resort.

July 24, 2009

Automatic 6to4 Transition

Filed under: IPv6 — cciethebeginning @ 1:10 am

Unfortunately NOT all Internet Service Providers have fully switched to IPv6, and until a native IPv6 connection is provided to your IPv6 site(s) you will have to use a transition method such as automatic 6to4.

 

Automatic 6to4 is a point-to-multipoint tunneling method, where the tunnel destination is derived from the IPv4 address of the remote border router's interface facing the IPv4 network.

a- The border routers that delimit the 6to4 tunnel must support IPv4 and IPv6 and are not configured in pairs.

b- Automatic 6to4 can be used to connect two IPv6 networks as well as an IPv6 host to an IPv6 network.

c- The IPv6 tunnel link is treated as an NBMA link.

d- The IPv4 address embedded in the IPv6 address is used to find the other end of the tunnel.

e- Border routers create a tunnel on a per-packet basis to the other IPv6 border router.

Don't share the same tunnel source interface between different tunnels, because it is used to de-multiplex incoming packets to the right tunnel interface.

Each IPv6 site must have a globally unique IPv4 address.

 

The IPv6 address format used for this type of transition method is as follows:

2002      <ipv4 address in HEX>      <subnet_part>      Interface ID
16 bits   32 bits                    16 bits            64 bits

The subnet part can be used to number networks within the site:

2002:<ipv4 address in HEX>:<subnet_part>:<interface_ID>/64

 

The configuration commands are quite simple:

ipv6 unicast-routing
!
interface Tunnel <X>
 ipv6 address 2002:<ipv4 address in HEX>:<subnet>:<int_ID>/64
 tunnel source <src_int>
 tunnel mode ipv6ip 6to4
!
ipv6 route 0::0/0 Tunnel<X>

Before you start configuring, carefully plan your addressing scheme: all IPv6 addresses are derived from the IPv4 addresses assigned to the physical interface of each site facing the IPv4 network.

IPv6 addressing is done per site, NOT in pairs (between border routers).

Make sure you have successful connectivity between sites through the IPv4 network in place.

Because automatic 6to4 handles the tunnel interface as point-to-multipoint and all site IPv6 traffic should be transported over the IPv4 network, a static route to the tunnel interface is required.
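An added Python illustration (not from the original post) of the 6to4 address arithmetic described above, using the lab's addresses: building a site's /64 from the border router's IPv4 address and subnet part, deriving the per-packet tunnel destination from the IPv4 embedded in the destination address, and the receive-side consistency check (outer IPv4 source equals the IPv4 embedded in the inner 6to4 source) that a 6to4 router should apply before accepting a decapsulated packet. The function names are assumptions; the check as written assumes every peer is a 6to4 site, as in this lab (no 6to4 relays).

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # the 6to4 prefix


def site_prefix(ipv4, subnet):
    """2002:<IPv4 in hex>:<subnet>::/64, e.g. ("192.168.0.1", 2) -> 2002:c0a8:1:2::/64."""
    if not 0 <= subnet <= 0xFFFF:
        raise ValueError("the subnet part is 16 bits")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80) | (subnet << 64), 64))


def tunnel_destination(dst6):
    """IPv4 address the border router encapsulates toward for a 6to4 destination, else None."""
    dst6 = ipaddress.IPv6Address(dst6)
    if dst6 not in SIX_TO_FOUR:
        return None                       # not 6to4: would need a relay or a native route
    return ipaddress.IPv4Address((int(dst6) >> 80) & 0xFFFFFFFF)


def encapsulate(src6, dst6, tunnel_source):
    """Outer IPv4 header chosen per packet (what `debug tunnel` shows), or None if not 6to4."""
    dst4 = tunnel_destination(dst6)
    if dst4 is None:
        return None
    return {"outer": (str(ipaddress.IPv4Address(tunnel_source)), str(dst4)),
            "inner": (str(ipaddress.IPv6Address(src6)), str(ipaddress.IPv6Address(dst6)))}


def accept_decapsulated(outer_src4, inner_src6):
    """Receive-side check: the outer IPv4 source must equal the IPv4 embedded in the inner
    6to4 source. Assumes every peer is a 6to4 site (as in this lab, no 6to4 relays)."""
    inner_src6 = ipaddress.IPv6Address(inner_src6)
    if inner_src6 not in SIX_TO_FOUR:
        return False
    return tunnel_destination(inner_src6) == ipaddress.IPv4Address(outer_src4)


if __name__ == "__main__":
    # BNorth (192.168.0.3) forwarding a packet from Northv6 to Westv6, as in the Ethernet lab
    print(site_prefix("192.168.0.3", 2))
    print(encapsulate("2002:c0a8:3:2::2", "2002:c0a8:1:2::2", "192.168.0.3"))
```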

 

 

In this lab three types of media will be treated: Serial HDLC, Ethernet and Frame Relay.

 

  1. SERIAL:

Figure 1 depicts the topology used for serial connection:

Figure 1: Topology for serial connection


 

The IPv4 range 192.168.0.0/24 is used for the link between the East IPv6 site and the West IPv6 site:

  • BWest – serial1/0 ipv4 = 192.168.0.1 = c0a8:0001
  • BEast – serial1/0 ipv4 = 192.168.0.2 = c0a8:0002

 

Addressing scheme for the West IPv6 site:

The IPv6 address format used is as follows:

2002:  C0a8:0001:  0001:/48            Subnet used for the tunnel IPv6 address at BWest
2002:  C0a8:0001:  0001:     ::1/64    BWest tunnel IPv6 address
2002:  C0a8:0001:  0002:/48            Subnet used for the network inside the West site
2002:  C0a8:0001:  0002:     ::1       BWest Fa0/0 IPv6 address
2002:  C0a8:0001:  0002:     ::2       Westv6 Fa0/0 IPv6 address

Addressing scheme for the East IPv6 site:

The IPv6 address format used is as follows:

2002:  C0a8:0002:  0001:/48            Subnet used for the tunnel IPv6 address at BEast
2002:  C0a8:0002:  0001:     ::1/64    BEast tunnel IPv6 address
2002:  C0a8:0002:  0002:/48            Subnet used for the network inside the East site
2002:  C0a8:0002:  0002:     ::1       BEast Fa0/0 IPv6 address
2002:  C0a8:0002:  0002:     ::2       Eastv6 Fa1/0 IPv6 address

Do not forget to enable IPv6 unicast routing on ALL IPv6 routers; unlike with IPv6 routing protocols, IOS will not warn you if you are using IPv6 static routing with IPv6 routing disabled.

Make sure you have a static route for the whole 2002::/16 prefix pointing to the tunnel interface.

 

Configuration commands:

BEast:

ipv6 unicast-routing
!
interface Tunnel1
 ipv6 address 2002:C0A8:2:1::1/64
 tunnel source Serial1/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:2:2::1/64
!
interface Serial1/0
 ip address 192.168.0.2 255.255.255.0
!
ipv6 route 2002::/16 Tunnel1

Eastv6:

ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2001:B:B:B::B/64
 ipv6 address FE80:B:B:B::B link-local
!
interface FastEthernet1/0
 ipv6 address 2002:C0A8:2:2::2/64
!
ipv6 route ::/0 2002:C0A8:2:2::1

BWest:

ipv6 unicast-routing
!
interface Tunnel1
 ipv6 address 2002:C0A8:1:1::1/64
 tunnel source Serial1/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:1:2::1/64
!
interface Serial1/0
 ip address 192.168.0.1 255.255.255.0
!
ipv6 route 2002::/16 Tunnel1

Westv6:

ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:1:2::2/64
!
ipv6 route ::/0 2002:C0A8:1:1::1

Troubleshooting:

Eastv6:

Eastv6(config)#do ping 2002:c0a8:1:2::2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:2::2, timeout is 2 seconds:

!!!!!

Success rate is 40 percent (2/5), round-trip min/avg/max = 176/182/188 ms

Eastv6(config)# 

BEast:

BEast#sh int tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.0.2 (Serial1/0), destination UNKNOWN
  Tunnel protocol/transport IPv6 6to4
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
BEast#

Because 6to4 tunnelling is point-to-multipoint, the tunnel destination is not preconfigured and is shown as "UNKNOWN".

BEast(config)#do debug tunnel

Tunnel Interface debugging is on

*Mar 1 09:26:48.445: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0x0)

*Mar 1 09:26:48.445: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254)

*Mar 1 09:26:48.449: Tunnel1: decapsulated IPv6/IP packet

*Mar 1 09:26:48.449: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63)

*Mar 1 09:26:50.605: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0x0)

*Mar 1 09:26:50.605: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254)

*Mar 1 09:26:50.609: Tunnel1: decapsulated IPv6/IP packet

*Mar 1 09:26:50.609: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63)

*Mar 1 09:26:52.777: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.2 (len=120 ttl=254 tos=0x0)

*Mar 1 09:26:52.781: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.2 (len=120, ttl=254)

*Mar 1 09:26:52.781: Tunnel1: decapsulated IPv6/IP packet

*Mar 1 09:26:52.781: 2002:C0A8:1:2::2 -> 2002:C0A8:2:2::2 (len=60 ttl=63)

BEast(config)# 

 

  2. ETHERNET:

Another site (North) is added and all sites are connected through an Ethernet switch, as illustrated in Figure 2.

Figure2: Topology with Ethernet


The East and West site address schemes from the previous section are kept, and a new address scheme is designed for the North site.

The IPv4 range 192.168.0.0/24 is used for the Ethernet segment between the North, East and West IPv6 sites:

  • BNorth – serial1/0 ipv4 = 192.168.0.3 = c0a8:0003

Addressing scheme for the North IPv6 site:

The IPv6 address format used is as follows:

2002:  C0a8:0003:  0001:/48            Subnet used for the tunnel IPv6 address at BNorth
2002:  C0a8:0003:  0001:     ::1/64    BNorth tunnel IPv6 address
2002:  C0a8:0003:  0002:/48            Subnet used for the network inside the North site
2002:  C0a8:0003:  0002:     ::1       BNorth Fa0/0 IPv6 address
2002:  C0a8:0003:  0002:     ::2       Northv6 Fa0/0 IPv6 address

Configuration commands:

The configuration of the North site follows; practically nothing has changed, this time we are just dealing with Ethernet media.

BNorth:

ipv6 unicast-routing
!
interface Tunnel1
 ipv6 address 2002:C0A8:3:1::1/64
 tunnel source FastEthernet1/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:3:2::1/64
!
interface FastEthernet1/0
 ip address 192.168.0.3 255.255.255.0
!
ipv6 route 2002::/16 Tunnel1

Northv6:

ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:3:2::2/64
!
ipv6 route ::/0 2002:C0A8:3:2::1

BWest:

ipv6 unicast-routing
!
interface Tunnel1
 ipv6 address 2002:C0A8:1:1::1/64
 tunnel source FastEthernet1/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:1:2::1/64
!
interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
!
ipv6 route 2002::/16 Tunnel1

BEast:

ipv6 unicast-routing
!
interface Tunnel1
 ipv6 address 2002:C0A8:2:1::1/64
 tunnel source FastEthernet1/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ipv6 address 2002:C0A8:2:2::1/64
!
interface FastEthernet1/0
 ip address 192.168.0.2 255.255.255.0
!
ipv6 route 2002::/16 Tunnel1

Troubleshooting

Northv6:

Northv6(config)#do ping 2002:c0a8:1:2::2 repeat 1

 

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 2002:C0A8:1:2::2, timeout is 2 seconds:

!

Success rate is 100 percent (1/1), round-trip min/avg/max = 220/220/220 ms

Northv6(config)#do ping 2002:c0a8:2:2::2 repeat 1

 

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 2002:C0A8:2:2::2, timeout is 2 seconds:

!

Success rate is 100 percent (1/1), round-trip min/avg/max = 220/220/220 ms

Northv6(config)# 

BNorth:

BNorth(config)#do debug tunnel

Tunnel Interface debugging is on

BNorth(config)#

*Mar 1 01:01:13.351: Tunnel1: IPv6/IP to classify 192.168.0.1->192.168.0.3 (len=120 ttl=254 tos=0x0)

*Mar 1 01:01:13.355: Tunnel1: to decaps IPv6/IP packet 192.168.0.1->192.168.0.3 (len=120, ttl=254)

*Mar 1 01:01:13.359: Tunnel1: decapsulated IPv6/IP packet

*Mar 1 01:01:13.359: 2002:C0A8:1:2::2 -> 2002:C0A8:3:2::2 (len=60 ttl=63)

BNorth(config)#

*Mar 1 01:01:32.979: Tunnel1: IPv6/IP to classify 192.168.0.2->192.168.0.3 (len=120 ttl=254 tos=0x0)

*Mar 1 01:01:32.983: Tunnel1: to decaps IPv6/IP packet 192.168.0.2->192.168.0.3 (len=120, ttl=254)

*Mar 1 01:01:32.987: Tunnel1: decapsulated IPv6/IP packet

*Mar 1 01:01:32.987: 2002:C0A8:2:2::2 -> 2002:C0A8:3:2::2 (len=60 ttl=63)

BNorth(config)#

BNorth(config)# 

Note that automatic 6to4 determines the needed tunnel destination address for each packet and sends it accordingly.

To reach the Eastern isolated IPv6 network it uses the IP packet with addresses 192.168.0.3->192.168.0.2 that encapsulates IPv6 packet 2002:C0A8:3:2::2 -> 2002:C0A8:2:2::2.

To reach the Western isolated IPv6 network it uses the IP packet with addresses 192.168.0.3->192.168.0.1 that encapsulates IPv6 packet 2002:C0A8:3:2::2 -> 2002:C0A8:1:2::2; and what we see in the previous debug is return traffic.

The following trace command output illustrates the different path taken to reach each destination tunnel.

Northv6(config)#do trace 2002:c0a8:2:2::2

 

Type escape sequence to abort.

Tracing the route to 2002:C0A8:2:2::2

 

1 2002:C0A8:3:2::1 104 msec 32 msec 56 msec

2 2002:C0A8:2:1::1 232 msec 88 msec 120 msec

3 2002:C0A8:2:2::2 280 msec 168 msec 108 msec

Northv6(config)#

Northv6(config)#do trace 2002:c0a8:1:2::2

 

Type escape sequence to abort.

Tracing the route to 2002:C0A8:1:2::2

 

1 2002:C0A8:3:2::1 76 msec 24 msec 40 msec

2 2002:C0A8:1:1::1 200 msec 120 msec 64 msec

3 2002:C0A8:1:2::2 216 msec 152 msec 124 msec

Northv6(config)#

Northv6(config)# 
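To make the per-packet endpoint selection concrete, here is an added Python example (not code from the original post) that derives the 2002::/16 prefix from an IPv4 address, pulls the tunnel destination out of an inner IPv6 destination, and wraps or unwraps the packet in the protocol-41 IPv4 header that tunnel mode ipv6ip produces (the same encapsulation the manual ipv6ip tunnels later on this page use). The packet contents are constructed, and the decapsulation side adds the source-consistency check a receiving 6to4 router should apply.

```python
import ipaddress
import struct
from typing import Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")
IPPROTO_IPV6 = 41  # IPv6-in-IPv4 (RFC 4213); what "tunnel mode ipv6ip" puts on the wire


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The 2002:V4ADDR::/48 prefix a site derives from its IPv4 tunnel source (RFC 3056)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header (0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 58) -> bytes:
    """Constructed sample IPv6 packet: fixed header (no extension headers) plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate_6to4(inner: bytes, tunnel_src_v4: str) -> bytes:
    """What the 6to4 tunnel interface does per packet: read the inner IPv6 destination,
    pull the IPv4 endpoint out of it, and prepend an IPv4 header with protocol 41."""
    dst6 = ipaddress.IPv6Address(inner[24:40])
    dst4 = embedded_ipv4(str(dst6))
    if dst4 is None:
        raise ValueError("%s is not a 6to4 address: no tunnel endpoint to derive" % dst6)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 255, IPPROTO_IPV6,
                      0, ipaddress.IPv4Address(tunnel_src_v4).packed, dst4.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate_6to4(outer: bytes) -> bytes:
    """Reverse operation, with the checks a receiving 6to4 router should make before
    forwarding: valid IPv4 header, protocol 41, an IPv6 packet inside, and an inner
    6to4 source whose embedded IPv4 address matches the outer IPv4 source (the
    anti-spoofing check recommended by RFC 3964)."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    hdr = outer[:ihl]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    if hdr[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol %d is not IPv6-in-IPv4" % hdr[9])
    inner = outer[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    src4 = ipaddress.IPv4Address(hdr[12:16])
    src6 = ipaddress.IPv6Address(inner[8:24])
    emb = embedded_ipv4(str(src6))
    if emb is not None and emb != src4:
        raise ValueError("spoofed: inner source %s does not match outer %s" % (src6, src4))
    return inner


if __name__ == "__main__":
    # Constructed sample: Northv6 (2002:C0A8:3:2::2) pinging Eastv6 (2002:C0A8:2:2::2).
    # BNorth's tunnel source is 192.168.0.3; the destination 192.168.0.2 comes from the packet.
    inner = build_ipv6("2002:c0a8:3:2::2", "2002:c0a8:2:2::2", b"\x80\x00" + bytes(98))
    outer = encapsulate_6to4(inner, "192.168.0.3")
    print("outer %s -> %s, protocol %d" % (ipaddress.IPv4Address(outer[12:16]),
                                          ipaddress.IPv4Address(outer[16:20]), outer[9]))
    assert decapsulate_6to4(outer) == inner
```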

 

1. FR NBMA point-to-multipoint (figure 3):

The same applies here: apart from the FR point-to-multipoint connectivity, there is no change to the 6to4 configuration. First make sure that FR connectivity works, then set up the 6to4 transition method using the interface's IPv4 address as the tunnel source.

Figure3: Topology FR


FR configuration commands:

BNorth:

interface Serial1/0

no ip address

encapsulation frame-relay

serial restart-delay 0

!

interface Serial1/0.123 multipoint

ip address 192.168.0.3 255.255.255.0

frame-relay map ip 192.168.0.1 102 broadcast

frame-relay map ip 192.168.0.2 101 broadcast 

 

BNorth(config-if)#do sh frame map

Serial1/0.123 (up): ip 192.168.0.1 dlci 102(0x66,0x1860), static,

broadcast,

CISCO, status defined, active

Serial1/0.123 (up): ip 192.168.0.2 dlci 101(0x65,0x1850), static,

broadcast,

CISCO, status defined, active

BNorth(config-if)# 

BEast:

interface Serial1/0

no ip address

encapsulation frame-relay

no frame-relay inverse-arp

!

interface Serial1/0.123 multipoint

ip address 192.168.0.2 255.255.255.0

frame-relay map ip 192.168.0.1 203 broadcast

frame-relay map ip 192.168.0.3 110 broadcast 

 

BEast(config-subif)#do sh frame map

Serial1/0.123 (up): ip 192.168.0.1 dlci 203(0xCB,0x30B0), static,

broadcast,

CISCO, status defined, active

Serial1/0.123 (up): ip 192.168.0.3 dlci 110(0x6E,0x18E0), static,

broadcast,

CISCO, status defined, active

BEast(config-subif)# 

BWest:

interface Serial1/0

no ip address

encapsulation frame-relay

no frame-relay inverse-arp

!

interface Serial1/0.123 multipoint

ip address 192.168.0.1 255.255.255.0

frame-relay map ip 192.168.0.2 302 broadcast

frame-relay map ip 192.168.0.3 201 broadcast 

 

BWest(config-subif)#do sh frame map

Serial1/0.123 (up): ip 192.168.0.2 dlci 302(0x12E,0x48E0), static,

broadcast,

CISCO, status defined, active

Serial1/0.123 (up): ip 192.168.0.3 dlci 201(0xC9,0x3090), static,

broadcast,

CISCO, status defined, active

BWest(config-subif)# 

FR Connectivity Check:

BNorth(config-if)#do ping 192.168.0.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/58/96 ms

BNorth(config-if)#do ping 192.168.0.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/61/108 ms

BNorth(config-if)# 

Automatic 6to4 configuration:

BNorth:

ipv6 unicast-routing

!

!

interface Tunnel1

ipv6 address 2002:C0A8:3:1::1/64

tunnel source Serial1/0.123

tunnel mode ipv6ip 6to4

!

ipv6 route 2002::/16 Tunnel1 

 

BNorth(config)#do ping 2002:c0a8:2:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/70/112 ms

BNorth(config)#do ping 2002:c0a8:1:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/62/112 ms

BNorth(config)# 

BEast:

ipv6 unicast-routing

!

!

interface Tunnel1

ipv6 address 2002:C0A8:2:1::1/64

tunnel source Serial1/0.123

tunnel mode ipv6ip 6to4

!

ipv6 route 2002::/16 Tunnel1

 

BEast(config)# do ping 2002:c0a8:3:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/71/120 ms

BEast(config)# do ping 2002:c0a8:1:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:1:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/56/156 ms

BEast(config)# 

BWest:

ipv6 unicast-routing

!

!

interface Tunnel1

ipv6 address 2002:C0A8:1:1::1/64

tunnel source Serial1/0.123

tunnel mode ipv6ip 6to4

!

ipv6 route 2002::/16 Tunnel1

 

BWest(config-if)#do ping 2002:c0a8:3:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/76/132 ms

BWest(config-if)#do ping 2002:c0a8:2:1::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/62/156 ms

BWest(config-if)# 

Now the final check guys!

Ping and traceroute from Westv6 to Eastv6 and Northv6:

Westv6(config)#do ping 2002:c0a8:2:2::2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 88/182/428 ms

Westv6(config)#do ping 2002:c0a8:3:2::2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2002:C0A8:3:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/228 ms

Westv6(config)#do trace 2002:c0a8:2:2::2

 

Type escape sequence to abort.

Tracing the route to 2002:C0A8:2:2::2

 

1 2002:C0A8:1:2::1 64 msec 56 msec 32 msec

2 2002:C0A8:2:1::1 228 msec 64 msec 72 msec

3 2002:C0A8:2:2::2 152 msec 124 msec 56 msec

Westv6(config)#do trace 2002:c0a8:3:2::2

 

Type escape sequence to abort.

Tracing the route to 2002:C0A8:3:2::2

 

1 2002:C0A8:1:2::1 64 msec 56 msec 28 msec

2 2002:C0A8:3:1::1 136 msec 120 msec 32 msec

3 2002:C0A8:3:2::2 124 msec 72 msec 112 msec

Westv6(config)# 

Another opportunity to show you that mastering each technology separately will make your life easier when dealing with many technologies combined together.

July 3, 2008

Manual IPv6 GRE tunnel over IPv4

Filed under: Frame Relay, IPv6 — cciethebeginning @ 10:04 pm
Tags: ,

OVERVIEW

By definition, GRE is used to encapsulate IP and non-IP protocols into IPv4/IPv6. In the following lab we transport IPv6 over IPv4, so the outer packet has IPv4 source and destination addresses and the inner packet has IPv6 source and destination addresses (figure 1).

Figure 1: Packet encapsulation


Figure 2 depicts the lab topology: three isolated IPv6 sites, North, East and West, connected to each other over an IPv4 network through their respective border routers (which support both IPv4 and IPv6).

Each site establishes an FR point-to-point PVC to each of the other two, with IPv4 as the network layer.

Figure 2: Topology


This document is organized as follows:

- Planning the address scheme.

- IPv6 address configuration.

- IPv6 connectivity check.

- FR configuration.

- FR connectivity check.

- Manual IPv6 GRE tunnel:

  - Tunnel configuration.

  - Connectivity check.

PLANNING THE ADDRESS SCHEME

Table 1: Addressing scheme

2001:a:a:a::/64     Subnet used between BNorth and Northv6
2001:a:a:aa::/64    North site internal network
2001:b:b:b::/64     Subnet used between BWest and Westv6
2001:b:b:bb::/64    West site internal network
2001:c:c:c::/64     Subnet used between BEast and Eastv6
2001:c:c:cc::/64    East site internal network

Tunnel IPv6 addressing

2001:a:a:ab::/64    Tunnel between BNorth and BWest
2001:a:a:ac::/64    Tunnel between BNorth and BEast
2001:a:a:bc::/64    Tunnel between BWest and BEast

IPv4 NBMA addressing

192.168.13.0/24     NBMA subnet for the point-to-point PVC between BNorth and BWest
192.168.32.0/24     NBMA subnet for the point-to-point PVC between BEast and BWest
192.168.12.0/24     NBMA subnet for the point-to-point PVC between BNorth and BEast

IPv6 ADDRESS CONFIGURATION

North Site:

Northv6:

!! Do not forget to enable IPv6 routing

ipv6 unicast-routing

!

!! A loopback is used to simulate the internal network

interface Loopback0

ipv6 address 2001:A:A:AA::1/64

!

!! Interface that connects to the border router

interface FastEthernet0/0

ipv6 address 2001:A:A:A::2/64

!

!! A default route will point to the next-hop (Border Router)

ipv6 route ::/0 2001:A:A:A::1

BNorth:

ipv6 unicast-routing

!

interface FastEthernet0/0

ipv6 address 2001:A:A:A::1/64

!! This is a route to the internal network that points to the internal router

ipv6 route 2001:A:A:AA::/64 2001:A:A:A::2

East Site:

Eastv6:

ipv6 unicast-routing

!

interface Loopback0

ipv6 address 2001:C:C:CC::1/64

!

interface FastEthernet1/0

ipv6 address 2001:C:C:C::2/64

!

ipv6 route ::/0 2001:C:C:C::1

BEast:

ipv6 unicast-routing

!

interface FastEthernet0/0

ipv6 address 2001:C:C:C::1/64

!

ipv6 route 2001:C:C:CC::/64 2001:C:C:C::2

West Site:

Westv6:

ipv6 unicast-routing

!

interface Loopback0

ipv6 address 2001:B:B:BB::1/64

!

interface FastEthernet0/0

ipv6 address 2001:B:B:B::2/64

!

ipv6 route ::/0 2001:B:B:B::1

BWest:

ipv6 unicast-routing

!

interface FastEthernet0/0

ipv6 address 2001:B:B:B::1/64

!

ipv6 route 2001:B:B:BB::/64 2001:B:B:B::2

IPv6 connectivity

BNorth(config)#do ping 2001:a:a:aa::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:A:A:AA::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/92 ms

BNorth(config)#

BEast(config)#do ping 2001:c:c:cc::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:C:C:CC::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/88 ms

BEast(config)#

BWest(config)#do ping 2001:b:b:bb::1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:B:B:BB::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/96 ms

BWest(config)#

FR CONFIGURATION

The configuration for point-to-point FR is very simple: configure the IP address and the local DLCI. There is no need for either inverse ARP or static mapping, as there is only one DLCI at the other end of the PVC.

BNorth:

interface Serial1/0

no ip address

encapsulation frame-relay

no frame-relay inverse-arp

!

interface Serial1/0.101 point-to-point

ip address 192.168.12.1 255.255.255.0

frame-relay interface-dlci 101

!

interface Serial1/0.102 point-to-point

ip address 192.168.13.1 255.255.255.0

frame-relay interface-dlci 102

BEast:

interface Serial1/0

no ip address

encapsulation frame-relay

no frame-relay inverse-arp

!

interface Serial1/0.110 point-to-point

ip address 192.168.12.2 255.255.255.0

frame-relay interface-dlci 110

!

interface Serial1/0.203 point-to-point

ip address 192.168.32.1 255.255.255.0

frame-relay interface-dlci 203

BWest:

interface Serial1/0

no ip address

encapsulation frame-relay

no frame-relay inverse-arp

!

interface Serial1/0.201 point-to-point

ip address 192.168.13.2 255.255.255.0

frame-relay interface-dlci 201

!

interface Serial1/0.302 point-to-point

ip address 192.168.32.2 255.255.255.0

frame-relay interface-dlci 302

FR connectivity check

BWest#ping 192.168.13.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/80/108 ms

BWest#

BWest#ping 192.168.32.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/72/120 ms

BWest#

IPv6 GRE

It is a point-to-point tunnel, so the tunnel source and destination are preconfigured; the logical topology is illustrated in figure 3.

Figure3: Logical topology


Table2: Point-to-point GRE parameters on BNorth

Tunnelling parameters       BEast               BWest
Tunnel interface            Tunnel 12           Tunnel 13
Tunnel IP address & mask    2001:a:a:ac::1/64   2001:a:a:ab::1/64
Tunnel source interface     s0/0.101            s0/0.102
Tunnel destination          192.168.12.2        192.168.13.2
Tunnel mode                 ipv6ip              ipv6ip

BNorth:

interface Tunnel12

no ip address

ipv6 address 2001:A:A:AC::1/64

tunnel source Serial1/0.101

tunnel destination 192.168.12.2

tunnel mode ipv6ip

!

interface Tunnel13

no ip address

ipv6 address 2001:A:A:AB::1/64

tunnel source Serial1/0.102

tunnel destination 192.168.13.2

tunnel mode ipv6ip

!

!! Each border router is configured with static routes to the other sites' internal networks

ipv6 route 2001:B::/32 Tunnel13

ipv6 route 2001:C::/32 Tunnel12

BEast:

Table2: Point-to-point GRE parameters on BEast

Tunnelling parameters       BNorth              BWest
Tunnel interface            Tunnel 21           Tunnel 23
Tunnel IP address & mask    2001:a:a:ac::2/64   2001:a:a:bc::1/64
Tunnel source interface     s0/0.110            s0/0.203
Tunnel destination          192.168.12.1        192.168.32.1
Tunnel mode                 ipv6ip              ipv6ip

interface Tunnel21

no ip address

ipv6 address 2001:A:A:AC::2/64

tunnel source Serial1/0.110

tunnel destination 192.168.12.1

tunnel mode ipv6ip

!

interface Tunnel23

no ip address

ipv6 address 2001:A:A:BC::1/64

tunnel source Serial1/0.203

tunnel destination 192.168.32.2

tunnel mode ipv6ip

!

ipv6 route 2001:A::/32 Tunnel21

ipv6 route 2001:B::/32 Tunnel23

BWest:

Table2: Point-to-point GRE parameters on BWest

Tunnelling parameters       BEast               BNorth
Tunnel interface            Tunnel 32           Tunnel 31
Tunnel IP address & mask    2001:a:a:bc::2/64   2001:a:a:ab::2/64
Tunnel source interface     s0/0.302            s0/0.201
Tunnel destination          192.168.32.2        192.168.13.1
Tunnel mode                 ipv6ip              ipv6ip

interface Tunnel31

no ip address

ipv6 address 2001:A:A:AB::2/64

tunnel source Serial1/0.201

tunnel destination 192.168.13.1

tunnel mode ipv6ip

!

interface Tunnel32

no ip address

ipv6 address 2001:A:A:BC::2/64

tunnel source Serial1/0.302

tunnel destination 192.168.32.1

tunnel mode ipv6ip

!

ipv6 route 2001:A::/32 Tunnel31

ipv6 route 2001:C::/32 Tunnel32

CONNECTIVITY CHECK

For each destination site, IPv6 packets take the corresponding tunnel and are encapsulated into an IPv4 packet with that tunnel's source and destination.

Northv6#trace 2001:c:c:cc::1

Type escape sequence to abort.

Tracing the route to 2001:C:C:CC::1

1 2001:A:A:A::1 36 msec 32 msec 48 msec

2 2001:A:A:AC::2 132 msec 72 msec 100 msec

3 2001:C:C:CC::1 148 msec 196 msec 120 msec

Northv6#trace 2001:b:b:bb::1

Type escape sequence to abort.

Tracing the route to 2001:B:B:BB::1

1 2001:A:A:A::1 40 msec 36 msec 12 msec

2 2001:A:A:AB::2 136 msec 136 msec 44 msec

3 2001:B:B:BB::1 136 msec 68 msec 188 msec

Northv6#

DEBUGGING:

BNorth(config)#

*Mar 1 05:41:36.790: Tunnel13: IPv6/IP encapsulated 192.168.13.1->192.168.13.2 (linktype=79, len=120)

*Mar 1 05:41:36.914: Tunnel13: IPv6/IP to classify 192.168.13.2->192.168.13.1 (len=120 ttl=254 tos=0x0)

*Mar 1 05:41:36.918: Tunnel13: to decaps IPv6/IP packet 192.168.13.2->192.168.13.1 (len=120, ttl=254)

*Mar 1 05:41:36.922: Tunnel13: decapsulated IPv6/IP packet

*Mar 1 05:41:36.926: 2001:B:B:BB::1 -> 2001:A:A:A::2 (len=60 ttl=63)

BNorth(config)#

BNorth(config)#

BNorth(config)#

*Mar 1 05:42:03.730: Tunnel12: IPv6/IP encapsulated 192.168.12.1->192.168.12.2 (linktype=79, len=120)

*Mar 1 05:42:03.850: Tunnel12: IPv6/IP to classify 192.168.12.2->192.168.12.1 (len=120 ttl=254 tos=0x0)

*Mar 1 05:42:03.858: Tunnel12: to decaps IPv6/IP packet 192.168.12.2->192.168.12.1 (len=120, ttl=254)

*Mar 1 05:42:03.858: Tunnel12: decapsulated IPv6/IP packet

*Mar 1 05:42:03.862: 2001:C:C:CC::1 -> 2001:A:A:A::2 (len=60 ttl=63)

BNorth(config)#

BNorth(config)#

BNorth(config)#do un all

All possible debugging has been turned off

BNorth(config)#

June 30, 2008

Ipv6 ISATAP tunneling

Filed under: IPv6 — cciethebeginning @ 10:58 am
Tags: ,

OVERVIEW

In this lab the ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) tunneling method is examined. As opposed to a method like 6to4, ISATAP builds tunnels to transport IPv6 traffic over IPv4 within an IPv4 network, not between IPv6 networks.

ISATAP treats the IPv4 network as an NBMA link and determines the destination on a per-packet basis (point-to-multipoint).

There are two ISATAP node behaviours, client and server. A client requests an IPv6 address from the server to form a tunnel; a server, which can be either a router or a Windows Server 2003 host with IPv6 enabled, advertises IPv6 network information and allows IPv6 nodes to configure their applications as if they were connected to an Ethernet interface.

In this lab a Windows Server 2003 host is configured as an ISATAP client node and a Cisco router as the advertiser.

The method used to configure ISATAP on the node also applies to XP workstations.

The ISATAP address is formed as follows:

64-bit link-local or global unicast prefix + 0000:5EFE + <IPv4 of ISATAP link>

With 0000:5EFE as the ISATAP identifier.
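The address construction above, as an added Python example (not from the original post): it builds the ISATAP address from a /64 prefix and an IPv4 address, reproduces the router's and host's addresses shown further down this page, and extracts the IPv4 next hop an ISATAP router uses for each packet on its NBMA tunnel. The global_ipv4 flag (u bit set when the IPv4 address is globally unique, per RFC 5214) goes beyond what the page shows.

```python
import ipaddress
from typing import Optional

ISATAP_IID_HIGH = 0x00005EFE         # "0000:5EFE": upper 32 bits of the interface ID (page)
ISATAP_IID_HIGH_GLOBAL = 0x02005EFE  # u bit set: embedded IPv4 address is globally unique


def isatap_address(prefix: str, ipv4: str, global_ipv4: bool = False) -> ipaddress.IPv6Address:
    """prefix/64 + 0000:5EFE + IPv4 address (RFC 5214). `prefix` may be the fe80::/64
    link-local prefix or a global unicast /64 advertised by the ISATAP router."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix, got /%d" % net.prefixlen)
    high = ISATAP_IID_HIGH_GLOBAL if global_ipv4 else ISATAP_IID_HIGH
    iid = (high << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_link_local(ipv4: str) -> ipaddress.IPv6Address:
    """The fe80::5efe:<IPv4> address a host like the one on this page configures itself."""
    return isatap_address("fe80::/64", ipv4)


def isatap_next_hop(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 endpoint an ISATAP router sends to for this destination (the per-packet
    NBMA destination choice); None when the interface ID is not an ISATAP one."""
    a = int(ipaddress.IPv6Address(ipv6))
    if ((a >> 32) & 0xFFFFFFFF) not in (ISATAP_IID_HIGH, ISATAP_IID_HIGH_GLOBAL):
        return None
    return ipaddress.IPv4Address(a & 0xFFFFFFFF)


if __name__ == "__main__":
    # Values from the page: router 192.168.43.103 with prefix 2001:DB8:2:1::/64,
    # host 192.168.43.104 using its link-local ISATAP address.
    print(isatap_address("2001:db8:2:1::/64", "192.168.43.103"))  # 2001:db8:2:1:0:5efe:c0a8:2b67
    print(isatap_link_local("192.168.43.104"))                    # fe80::5efe:c0a8:2b68
    print(isatap_next_hop("fe80::5efe:c0a8:2b68"))                 # 192.168.43.104
```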

DEPLOYMENT

ISATAP router configuration:

Table1: ISATAP router configuration guide:

The router's Ethernet interface should be configured so that it can communicate over IPv4 with all nodes that will use ISATAP.

interface FastEthernet0/0
ip address 192.168.43.103 255.255.255.0

no sh

ISATAP-srv#
ISATAP-srv#sh ip int brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.43.103 YES manual up up

Tunnel0 unassigned YES unset up up

ISATAP-srv#ping 192.168.43.104

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.43.104, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/40 ms

ISATAP-srv#

The interface is up and IPv4 connectivity is verified; this allows the IPv6 nodes and the router to communicate and automatically configure their ISATAP information.

On the tunnel interface, IPv6 router advertisements are disabled by default and need to be re-enabled; ISATAP is also specified as the IPv6-over-IPv4 tunnel mode.

ipv6 unicast-routing
interface Tunnel0

ipv6 address 2001:DB8:2:1::/64 eui-64

no ipv6 nd suppress-ra

tunnel source FastEthernet0/0

tunnel mode ipv6ip isatap

no sh

The IPv6 information is correctly configured and verified:

ISATAP-srv#sh ipv6 int brief
FastEthernet0/0 [up/up]

 

Tunnel0 [up/up]

FE80::5EFE:C0A8:2B67

2001:DB8:2:1:0:5EFE:C0A8:2B67

ISATAP-srv#

ISATAP node configuration:

First of all, the IPv6 protocol must be enabled on Windows Server 2003 and XP; then, within "netsh", the ISATAP IPv6 mode must be specified.

As mentioned before, the following command applies to both XP and Server 2003:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>netsh interface ipv6 isatap set router \\192.168.43.103

Ok.

C:\>ipconfig /all
Windows IP Configuration

Host Name . . . . . . . . . . . . : mngmnt

Primary Dns Suffix . . . . . . . : nouri.com

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : nouri.com

Ethernet adapter loopback:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft Loopback Adapter

Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.43.104

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : fe80::4cff:fe4f:4f50%6

Default Gateway . . . . . . . . . : 192.168.43.103

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

fec0:0:0:ffff::2%1

fec0:0:0:ffff::3%1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : C0-A8-2B-68

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::5efe:192.168.43.104%2

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

fec0:0:0:ffff::2%1

fec0:0:0:ffff::3%1

NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>

The ISATAP router and the IPv6 node communicate successfully, as the node is reached through its dynamically configured address:

ISATAP-srv#ping ipv6 fe80::5efe:c0a8:2b68
Output Interface: tunnel 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::5EFE:C0A8:2B68, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/44 ms

ISATAP-srv#

Figure2: IPv6 traffic capture

ROUTER CONFIGURATION

Router ISATAP-srv configuration:

ISATAP-srv#sh run

ipv6 unicast-routing

interface Tunnel0

ipv6 address 2001:DB8:2:1::/64 eui-64

no ipv6 nd suppress-ra

tunnel source FastEthernet0/0

tunnel mode ipv6ip isatap
!
interface FastEthernet0/0
ip address 192.168.43.103 255.255.255.0

June 20, 2008

Ipv6 QoS

Filed under: IPv6, QoS — cciethebeginning @ 11:12 am
Tags: , , ,

If you already grasp QoS concepts for IPv4, IPv6 QoS is a piece of cake!

As with IPv4, IPv6 uses MQC to configure Diffserv (Differentiated services) QoS.

IPv6 QoS is very similar to IPv4 QoS except for some twists:

- IPv6 doesn't support NBAR (Network-Based Application Recognition), no doubt because it is based on IPv4 applications.

- cRTP (Compressed-RTP).

- No way to match directly RTP.

- CAR (Committed Access Rate) was already replaced by CB policing in IPv4, so there is no need to keep supporting it in IPv6.

- PQ/CQ replaced by MQC (Modular QoS CLI).

- IPv6 supports only named ACL.

- Layer 2 (802.1Q) commands work only with CEF-switched traffic, not with process-switched or router-originated traffic.

 

The following is the topology used to deploy IPv6 QoS; there is no IPv4 addressing scheme. The serial link between the two routers is the bottleneck of the network, where QoS is needed.

 

Figure1: Topology


 

 

Classification & Marking

The first and the most crucial step in deploying QoS is classification of traffic.

In this step you need to:

- identify various applications and protocols running on your network.

- understand the application behavior with respect to the available network resources.

- identify the mission-critical and non-critical applications.

- Categorize the applications and protocols in different classes of service accordingly.

 

The classification is based on packet native classifiers like:

- source/destination IPv6 addresses, IP protocol and source/destination ports.

- Precedence and dscp.

- Source/destination MAC.

- TCP/IP header parameters (packet length…).

- IPv6 specific classifiers (not currently used).

- IPv6 (traffic class) used in the same way as IPv4 (ToS).

 

IPv4 has a great tool, NBAR, which is very useful to recognize applications and provides statistics about bandwidth utilization; it can save a lot of work in determining which classifiers define the application we want QoS to handle. Unfortunately NBAR recognizes only IPv4 applications, so it cannot be used for IPv6.

You can use other tools such as NetFlow, if it is deployed in your network, as well as any traffic analyzer software for more granular inspection of the protocol you want to analyze. Then build IPv6 access control lists matching the relevant classifiers with the relevant values.

 

Table 1: Application classification and marking

ACL name  Permit/Deny  Protocol  Source IP      Src mask  Src port       Dest IP  Dst mask  Dst port
FTP       permit       tcp       2001:b:b:b::b  -         ftp (21)       any      -         -
          permit       tcp       2001:b:b:b::b  -         ftp-data (20)  any      -         -
UStream   permit       udp       any            -         -              any      -         1234

 

Table 1 summarizes the information about the applications that need QoS. These applications are used only to demonstrate how IPv6 traffic can be policed; each company deploys the applications that serve its business (front-end, back-end, middleware ...).

 

Table 2: Application classification and marking

Application        Bandwidth allocated  Flow direction       Traffic classifiers                                          Class         Markers
unicast streaming  700 kbps             From HostB to HostA  dest IPv6=2001:a:a:a::a, protocol=IPv6, dest port 1234       MatchUStream  dscp=ef
FTP download       30 kbps              From HostB to HostA  src port 21 (control), protocol=IPv6, src port 20 (data)     MatchFTP      dscp=af41
scavenger application: video streaming   150 kbps   From HostB to HostA   src port ...

 

Generally DSCP "ef" is reserved for VoIP applications, which require the most stringent QoS; in this lab we use DSCP just to check at the destination host (HostA) whether the classification works. The end-to-end model used to test IPv6 QoS is depicted in Figure 2.

 

Figure2: End-to-End QoS model

 


Congestion Management & avoidance

For the purpose of the lab, the unicast streaming application is given the highest priority and is assumed to have stringent bandwidth, latency, delay and jitter requirements; LLQ is the most appropriate queuing mechanism for such applications.

The FTP traffic is considered critical, with a minimum of 30 kbps of bandwidth guaranteed.

Any other traffic (class-default) is considered "scavenger" and gets no privilege when congestion is experienced on the link.

Each application is being allocated the needed bandwidth to perform correctly.

 

Table3: Classes and bandwidth allocation

Class  Bandwidth reserved  Queue  DSCP  Priority 
MatchUStream  700 kbps  LLQ  af41  High 
MatchFTP  30 kbps  CBWFQ  af21  Medium 
class-default no guarantee  WFQ  0  Low 

 

policy-map QoS_Policy

  class MatchUStream

   set dscp ef

   priority 700

  class MatchFTP

   set dscp af41 

   bandwidth 30

  class class-default

   fair-queue

   set dscp default

 

Figures 3 and 4 show a summary of general QoS mechanisms and queuing system types.

 

Figure3: Software and Hardware queuing systems


 

Figure4: QoS mechanisms


 

RouterB:

ipv6 access-list FTP

permit tcp host 2001:B:B:B::B eq ftp any

permit tcp host 2001:B:B:B::B eq ftp-data any

!

ipv6 access-list UStream

sequence 20 permit udp any any eq 1234

!

class-map match-all MatchFTP

  match protocol ipv6

  match access-group name FTP

class-map match-all MatchUStream

  match protocol ipv6

  match access-group name UStream

 

 

Monitoring:

RouterB(config-pmap-c)#do show policy-map int s1/0

Serial1/0

 

  Service-policy output: QoS_Policy

 

    Class-map: MatchUStream (match-all)

      23625 packets, 32602500 bytes

      30 second offered rate 538000 bps, drop rate 0 bps

      Match: protocol ipv6

      Match: access-group name UStream

      QoS Set

        dscp ef

          Packets marked 23624

      Queueing

        Strict Priority

        Output Queue: Conversation 264

        Bandwidth 700 (kbps) Burst 17500 (Bytes)

        (pkts matched/bytes matched) 1455/2007900

        (total drops/bytes drops) 1/1380

 

    Class-map: MatchFTP (match-all)

      5886 packets, 8192512 bytes

      30 second offered rate 135000 bps, drop rate 0 bps

      Match: protocol ipv6

      Match: access-group name FTP

      QoS Set

        dscp af41

          Packets marked 5929

      Queueing

        Output Queue: Conversation 265

        Bandwidth 30 (kbps) Max Threshold 64 (packets)

        (pkts matched/bytes matched) 3486/4784640

        (depth/total drops/no-buffer drops) 0/0/0

 

    Class-map: class-default (match-any)

      105 packets, 8292 bytes

      30 second offered rate 0 bps, drop rate 0 bps

      Match: any

      Queueing

        Flow Based Fair Queueing

        Maximum Number of Hashed Queues 256

        (total queued/total drops/no-buffer drops) 0/0/0

      QoS Set

        dscp default

          Packets marked 50

RouterB(config-pmap-c)# 

 

RouterB(config-pmap-c)#do sh int s1/0

Serial1/0 is up, line protocol is up

  Hardware is M4T

  MTU 1500 bytes, BW 1024 Kbit, DLY 20000 usec,

     reliability 255/255, txload 165/255, rxload 1/255

  Encapsulation HDLC, crc 16, loopback not set

  Keepalive set (10 sec)

  Restart-Delay is 0 secs

  Last input 00:00:07, output 00:00:00, output hang never

  Last clearing of “show interface” counters 00:08:49

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21

  Queueing strategy: weighted fair

  Output queue: 0/1000/64/1 (size/max total/threshold/drops)

     Conversations  0/3/256 (active/max active/max total)

     Reserved Conversations 1/1 (allocated/max allocated)

     Available Bandwidth 38 kilobits/sec

  30 second input rate 4000 bits/sec, 8 packets/sec

  30 second output rate 666000 bits/sec, 59 packets/sec

     4066 packets input, 261676 bytes, 0 no buffer

     Received 61 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     32082 packets output, 44217146 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

     0 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 

RouterB(config-pmap-c)# 

 

Shaping & Policing

Shaping and policing perform exactly as in IPv4.

Policing:

- Applied on inbound and outbound.

- Drops non conforming traffic.

- More efficient in terms of memory utilization.

- Drops packets more often, therefore more TCP retransmissions.

Shaping:

- Applied only on outbound.

- Queues excess traffic.

- Less efficient because of the additional queuing, but less dropping (only when congestion occurs).

- Causes variable delay (jitter) and increases buffer utilization, therefore more delay.

Figure 5 shows the token bucket mechanism used in shaping and policing.

 

Figure5: shaping and policing


Here is how the FTP traffic graph looks before any shaping or policing:

Figure6: FTP before shaping and policing


The following figure 7 shows the different behaviour under three configurations:

 

Figure7: FTP with shaping and traffic


The first part of the graph corresponds to FTP traffic with just a configured guaranteed bandwidth of 30 kbps.

 

policy-map QoS_Policy

  class MatchFTP

   bandwidth 30

 

In the second part of the graph, an upper limit of 100 kbps is set for the FTP class using policing. Note that this results in frequent TCP global synchronization. This is TCP's behaviour when congestion occurs somewhere on the path to the destination: as long as the congestion exists, the source keeps receiving signals to decrease its sending rate until it restarts sending from zero, and so on, hence the shape of the graph (repeated short bursts from the bottom to the maximum).

 

policy-map QoS_Policy

  class MatchFTP

   bandwidth 30

   police 100000

 

The third part of the graph represents the result of using shaping instead of policing, a more optimal use of the bandwidth resource. Instead of dropping the TCP traffic and causing global synchronization, the excess packets are queued for a certain amount of time and then sent, hence the higher average bandwidth used.

 

policy-map QoS_Policy

  class MatchFTP

   bandwidth 30

   shape average 100000

RouterB#sh policy-map int s1/0


    Class-map: MatchFTP (match-all)

      32045 packets, 47038153 bytes

      30 second offered rate 99000 bps, drop rate 0 bps

      Match: protocol ipv6

      Match: access-group name FTP

      QoS Set

        dscp af41

          Packets marked 32074

      Queueing

        Output Queue: Conversation 265

        Bandwidth 30 (kbps) Max Threshold 64 (packets)

        (pkts matched/bytes matched) 17595/26364666

        (depth/total drops/no-buffer drops) 0/0/0

      Traffic Shaping

           Target/Average   Byte   Sustain   Excess    Interval  Increment

             Rate           Limit  bits/int  bits/int  (ms)      (bytes)

           100000/100000    2000   8000      8000      80        1000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping

        Active Depth                         Delayed   Delayed   Active

        -      11        17134     25746208  17096     25689056  yes
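To make the difference between the second and the third configuration concrete, here is a small Python simulation (an added example, not part of the original post) of one token bucket used first as a policer and then as a shaper. It takes the bucket size (Byte Limit 2000), the increment (1000 bytes) and the interval (80 ms) from the show output above, and assumes a constructed stream of 500-byte packets; modelling the policer with the same bucket as the shaper is an assumption made for the comparison.

```python
"""Token-bucket policer vs. shaper (added example, not from the original post).
Parameters are read off the 'show policy-map interface' output above: Byte
Limit 2000 (bucket size), Increment 1000 bytes per 80 ms interval, i.e. a CIR
of 100000 bps.  The policer uses the same bucket as the shaper (assumption)."""
from collections import deque

BUCKET_BYTES = 2000      # bucket size: "Byte Limit" in the show output
INCREMENT_BYTES = 1000   # tokens per interval: "Increment" in the show output
TC_MS = 80               # interval: Bc / CIR = 8000 bits / 100000 bps = 80 ms
PKT_BYTES = 500          # constructed packet size (assumption)


def offered_stream(intervals, pkts_per_interval):
    """Constructed input: one list of packet sizes per 80 ms interval."""
    return [[PKT_BYTES] * pkts_per_interval for _ in range(intervals)]


def police(stream):
    """'police 100000' behaviour: a packet that does not fit in the bucket is
    dropped at once; nothing is queued, so TCP sees loss and backs off."""
    tokens, sent, dropped = BUCKET_BYTES, [], 0
    for interval in stream:
        tokens = min(BUCKET_BYTES, tokens + INCREMENT_BYTES)
        out = 0
        for size in interval:
            if size <= tokens:
                tokens, out = tokens - size, out + size
            else:
                dropped += 1                 # exceed action: drop
        sent.append(out)
    return {"sent_bytes": sent, "dropped": dropped, "queue_depth": 0}


def shape(stream):
    """'shape average 100000' behaviour: packets that do not fit wait in a
    FIFO and leave in later intervals.  Nothing is dropped, but queue depth
    (hence delay) grows for as long as the offered rate exceeds the CIR."""
    tokens, queue, sent, delayed = BUCKET_BYTES, deque(), [], 0
    for now, interval in enumerate(stream):
        tokens = min(BUCKET_BYTES, tokens + INCREMENT_BYTES)
        queue.extend((size, now) for size in interval)
        out = 0
        while queue and queue[0][0] <= tokens:
            size, arrived = queue.popleft()
            tokens, out = tokens - size, out + size
            if arrived < now:
                delayed += 1                 # like "Packets Delayed" above
        sent.append(out)
    return {"sent_bytes": sent, "dropped": 0,
            "queue_depth": len(queue), "delayed": delayed}


def avg_rate_bps(result):
    """Average output rate over the whole run, to compare with the CIR."""
    bits = 8 * sum(result["sent_bytes"])
    return bits * 1000 // (len(result["sent_bytes"]) * TC_MS)
```

Both mechanisms deliver the same bytes per interval (the CIR); the policer shows it as drops, the shaper as a growing queue, which is exactly what the second and third parts of the graph reflect.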

June 13, 2008

IPv6 EIGRP

Filed under: IPv6, Routing protocols — cciethebeginning @ 10:26 pm

IPv6 EIGRP and IPv4 EIGRP are very similar in concept, except for the following differences:

  • IPv6 EIGRP is configured on an interface basis (like OSPFv3 and RIPng) and networks are advertised by the interface command.
  • When configured on an interface, IPv6 EIGRP is initially placed in “shutdown” state.
  • As with OSPFv3, IPv6 EIGRP requires a router-id in IPv4 format.
  • Passive interfaces can only be configured in routing process mode.
  • It needs extra memory resources and is supported in IOS 12.4(6)T and later.
R1#sh ver | i Version

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)

BOOTLDR: 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)

6 slot VXR midplane, Version 2.1

R1#

  • No split horizon in IPv6 EIGRP because it is possible to have multiple prefixes per interface.
  • No concept of classful routing in IPv6 EIGRP, consequently no automatic summarization.

Figure 1 depicts the lab topology used for the IPv6 EIGRP deployment: R1, R2 and R3 are connected to each other through a Frame Relay cloud, and R2, R3 and R4 are connected to each other through a LAN.

Each router has its own set of local networks.

This lab covers the following topics related to the deployment of IPv6 EIGRP:

  • IPV6 addressing
  • Frame Relay configuration
  • IPv6 routing configuration
  • IPv6 route manipulation 

Figure1 IPv6 EIGRP topology:


I) DEPLOYMENT

  1. IPv6 addressing:

First, unicast IPv6 and link-local addresses are configured.

Link-local addresses are statically configured to make them easier to handle.

R1(config)#int s1/0

R1(config-if)#ipv6 address 2001:1:1:210::1/60

R1(config-if)#ipv6 address FE80::210:1 link-local

R1(config-if)#no sh

R2(config-if)#int s1/0

R2(config-if)#ipv6 address 2001:1:1:210::2/60

R2(config-if)#ipv6 address FE80::210:2 link-local

R2(config-if)#no sh

R2(config)#int fa 0/0

R2(config-if)#ipv6 address 2001:1:1:410::2/60

R2(config-if)#ipv6 address FE80::410:2 link-local

R2(config-if)#no sh

R3(config-if)#int s1/0

R3(config-if)#ipv6 address 2001:1:1:210::3/60

R3(config-if)#ipv6 address FE80::210:3 link-local

R3(config-if)#no sh

R3(config-if)#int fa 0/0

R3(config-if)#ipv6 address 2001:1:1:410::3/60

R3(config-if)#ipv6 address FE80::410:3 link-local

R3(config-if)#no sh

R4(config-if)#int fa 0/0

R4(config-if)#ipv6 address 2001:1:1:410::4/60

R4(config-if)#ipv6 address FE80::410:4 link-local

R4(config-if)#no sh

  2. FR configuration:

For each interface connected to the Frame Relay cloud, FR encapsulation is set, Inverse ARP is disabled and static mappings are configured to the next-hop unicast IPv6 address as well as to the next-hop link-local IPv6 address.

R1(config-if)#int s1/0

R1(config-if)#encapsulation frame-relay

R1(config-if)#frame-relay map ipv6 2001:1:1:210::2 102 broadcast

R1(config-if)#frame-relay map ipv6 FE80::210:2 102

R1(config-if)#frame-relay map ipv6 2001:1:1:210::3 103 broadcast

R1(config-if)#frame-relay map ipv6 FE80::210:3 103

R2(config)#int s1/0

R2(config-if)#encapsulation frame-relay

R2(config-if)#frame-relay map ipv6 2001:1:1:210::1 201 broadcast

R2(config-if)#frame-relay map ipv6 FE80::210:1 201

R2(config-if)#frame-relay map ipv6 2001:1:1:210::3 203 broadcast

R2(config-if)#frame-relay map ipv6 FE80::210:3 203

R3(config)#int s1/0

R3(config-if)#encapsulation frame-relay

R3(config-if)#frame-relay map ipv6 2001:1:1:210::1 301 broadcast

R3(config-if)#frame-relay map ipv6 FE80::210:1 301

R3(config-if)#frame-relay map ipv6 2001:1:1:210::2 302 broadcast

R3(config-if)#frame-relay map ipv6 FE80::210:2 302

Before continuing further, it is recommended to check connectivity:

Frame Relay cloud:

unicast:

R1#ping ipv6 2001:1:1:210::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:1:1:210::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/73/88 ms

R1#ping ipv6 2001:1:1:210::3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:1:1:210::3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/73/88 ms

R1#

Link-local:

R1#ping ipv6 FE80::210:2

Output Interface: Serial1/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::210:2, timeout is 2 seconds:

Packet sent with a source address of FE80::210:1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/60/80 ms

R1#

R1#ping ipv6 FE80::210:3

Output Interface: Serial1/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::210:3, timeout is 2 seconds:

Packet sent with a source address of FE80::210:1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/54/92 ms

R1#

Ethernet:

Unicast:

R2#ping ipv6 2001:1:1:410::3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:1:1:410::3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/79/116 ms

R2#ping ipv6 2001:1:1:410::4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:1:1:410::4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/96 ms

R2#

 Link-local:

R2#ping ipv6 FE80::410:3

Output Interface: FastEthernet0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::410:3, timeout is 2 seconds:

Packet sent with a source address of FE80::410:2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/76/92 ms

R2#ping ipv6 FE80::410:4

Output Interface: FastEthernet0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::410:4, timeout is 2 seconds:

Packet sent with a source address of FE80::410:2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/71/96 ms

R2#

  3. Routing configuration:

Now let's proceed with IPv6 EIGRP, in the following steps:

  • Enable IPv6 unicast routing globally.
  • Enable IPv6 on the FR interface.
  • Enable IPv6 EIGRP on a per-interface basis.
  • Manually set the IPv6 EIGRP router-id in IPv4 format.
  • "no shutdown" the EIGRP process.

R1(config)#ipv6 unicast-routing

R1(config)#int s1/0

R1(config-if)#ipv6 enable

R1(config-if)#ipv6 eigrp 10

R1(config-if)#exit

R1(config)#ipv6 router eigrp 10

R1(config-rtr)#router-id 1.1.1.1

R1(config-rtr)#no sh

 Verify the IPv6 EIGRP protocol:

R1(config)#do sh ipv6 protocols

IPv6 Routing Protocol is "connected"

IPv6 Routing Protocol is "static"

IPv6 Routing Protocol is "eigrp 10"

EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

EIGRP maximum hopcount 100

EIGRP maximum metric variance 1

Interfaces:


Serial1/0

Redistribution:

None

Maximum path: 16

Distance: internal 90 external 170

R1(config)#

Repeat the previous steps for R2 and R3 and make sure that the IPv6 EIGRP process IDs match.

R2(config)#ipv6 unicast-routing

R2(config)#int s1/0

R2(config-if)#ipv6 enable

R2(config-if)#ipv6 eigrp 10

R2(config-if)#exit

R2(config)#ipv6 router eigrp 10

R2(config-rtr)#router-id 2.2.2.2

R2(config-rtr)#no sh

R2(config-rtr)#int fa 0/0

R2(config-if)#ipv6 enable

R2(config-if)#ipv6 eigrp 10

R2(config-if)#exit

R2(config)#

R3(config)#ipv6 unicast-routing

R3(config-if)#int s1/0

R3(config-if)#ipv6 enable

R3(config-if)#ipv6 eigrp 10

R3(config-if)#exit

R3(config)#ipv6 router eigrp 10

R3(config-rtr)#router-id 3.3.3.3

R3(config-rtr)#no sh

R3(config-rtr)#int fa 0/0

R3(config-if)#ipv6 enable

R3(config-if)#ipv6 eigrp 10

R3(config-if)#exit

R3(config)#

R4(config)#ipv6 unicast-routing

R4(config-rtr)#int fa 0/0

R4(config-if)#ipv6 enable

R4(config-if)#ipv6 eigrp 10

R4(config-if)#exit

R4(config)#

Let's check the neighbor relationships and the IPv6 routing table, on R1 for example:

R1(config)#do sh ipv6 eigrp neigh

IPv6-EIGRP neighbors for process 10

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   Link-local address:     Se1/0             154 00:01:16   32   200  0  5
    FE80::210:3
0   Link-local address:     Se1/0             163 00:04:56   48   288  0  3
    FE80::210:2

R1(config)#do sh ipv6 eigrp interfaces

IPv6-EIGRP interfaces for process 10

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se1/0              2        0/0        40       0/15          175          0

R1(config)#

Note that, as in OSPFv3, IPv6 EIGRP uses link-local addresses to establish relationships with its neighbors.

R1(config)#do sh ipv6 route eigrp

IPv6 Routing Table - 35 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external

D   2001:1:1:410::/60 [90/2172416]
     via FE80::210:2, Serial1/0
     via FE80::210:3, Serial1/0

R1(config)#

R1 has learnt the LAN network 2001:1:1:410::/60 from both R2 and R3, and it is perfectly reachable:

R1(config)#do ping ipv6 2001:1:1:410::4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:1:1:410::4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 116/136/164 ms

R1(config)#

R1#traceroute ipv6 2001:1:1:410::4

Type escape sequence to abort.

Tracing the route to 2001:1:1:410::4

  1 2001:1:1:210::2 80 msec
    2001:1:1:210::3 120 msec
    2001:1:1:210::2 68 msec
  2 2001:1:1:410::4 144 msec 120 msec 144 msec

R1#

R1 load-balanced the ICMP packets between the two paths, through R2 and through R3.

  4. Route manipulation:

To practice IPv6 route summarization, loopback interfaces are created on each router to simulate local networks (figure 1), and IPv6 EIGRP is enabled on each of them.
The result is as follows:

R4:

R4# sh ipv6 route eigrp

IPv6 Routing Table - 22 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

       U - Per-user Static route

       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

       D - EIGRP, EX - EIGRP external

D 2001:1:1:110::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:120::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:130::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:140::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:150::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:160::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:170::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:180::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:190::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1A0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1B0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1C0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1D0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1E0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:1F0::/60 [90/2300416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

D 2001:1:1:210::/60 [90/2172416]

via FE80::410:3, FastEthernet0/0

via FE80::410:2, FastEthernet0/0

R4#

22 entries, with only the routes to the FR network and R1's fifteen local networks. Just imagine if we add R2 and R3 local networks, or even worse, a production network with hundreds of sites and thousands of routes!

Here is where summarization comes in, to lessen the complexity of handling routes individually.

As in IPv4 EIGRP, after the summarization command is configured the router drops its IPv6 EIGRP neighbor relationships and re-establishes them. This generates new input events and makes the neighbors rebuild their topology tables and run the DUAL algorithm locally again, using the new advertisements from the router on which summarization was configured.

The summarization command is applied on an interface basis, so make sure that it is executed on all EIGRP interfaces through which you want to spread the summary route.

R1:

R1(config-if)#int s1/0

R1(config-if)#ipv6 summary-address eigrp 10 2001:1:1:100::/56

*Jun 13 10:36:44.871: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:3 (Serial1/0) is down: summary configured

*Jun 13 10:36:44.927: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:2 (Serial1/0) is down: summary configured

R1(config-if)#

*Jun 13 10:37:01.919: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:3 (Serial1/0) is up: new adjacency

*Jun 13 10:37:02.019: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:2 (Serial1/0) is up: new adjacency

R1(config-if)#

 Now let’s take a look at R4 routing table:

R4# sh ipv6 route eigrp

IPv6 Routing Table - 10 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

       U - Per-user Static route

       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

       D - EIGRP, EX - EIGRP external

D 2001:1:1:100::/56 [90/2300416]

via FE80::410:2, FastEthernet0/0

via FE80::410:3, FastEthernet0/0

D 2001:1:1:210::/60 [90/2172416]

via FE80::410:2, FastEthernet0/0

via FE80::410:3, FastEthernet0/0

D 2001:1:1:300::/56 [90/156160]

via FE80::410:3, FastEthernet0/0

D 2001:1:1:600::/56 [90/156160]

via FE80::410:2, FastEthernet0/0

R4#

The routing table is reduced to 10 entries, with only the summary routes to the R1, R2 and R3 local networks.
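Before typing the summary-address command it is worth checking what the summary really covers. The following Python (an added example, not from the original post) computes the shortest prefix covering R1's fifteen loopback networks from the R4 table above, lists the address space inside the summary that no component backs, and checks that the lab's Frame Relay and LAN prefixes are not swallowed by it; the prefixes are the page's, the function names are mine.

```python
"""Sanity checks for an IPv6 EIGRP manual summary (added example, not from the
original post).  Components are R1's loopback networks as seen in R4's table
above; the Frame Relay and LAN prefixes are the ones the summary must not hide."""
from ipaddress import ip_network

# R1 local networks 2001:1:1:110::/60 ... 2001:1:1:1F0::/60 (from the page)
R1_LOCAL = [f"2001:1:1:1{x:X}0::/60" for x in range(1, 16)]
# Prefixes that live elsewhere in the lab (from the page)
OTHER_LAB = ["2001:1:1:210::/60", "2001:1:1:410::/60"]


def summary_for(prefixes):
    """Shortest single prefix covering every component: what the
    'ipv6 summary-address eigrp' command should be given."""
    nets = [ip_network(p) for p in prefixes]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return str(cover)


def unbacked_space(summary, prefixes):
    """Address space inside the summary that no component backs.  Traffic
    for it is attracted by the summary and ends at the summarizing router,
    which has no more specific route for it."""
    holes = [ip_network(summary)]
    for n in map(ip_network, prefixes):
        remaining = []
        for hole in holes:
            if n.subnet_of(hole):
                remaining.extend(hole.address_exclude(n))   # carve n out
            elif not hole.overlaps(n):
                remaining.append(hole)                      # untouched
        holes = remaining
    return [str(h) for h in sorted(holes)]


def hidden_prefixes(summary, others):
    """Prefixes from elsewhere that the summary would also cover.  Neighbours
    keep preferring their longer match, but if that route is lost their
    traffic is silently drawn to the summarizing router instead."""
    s = ip_network(summary)
    return [o for o in others if ip_network(o).subnet_of(s)]


def check_summary(prefixes, others):
    """Bundle the three checks for one candidate summary."""
    s = summary_for(prefixes)
    return {"summary": s, "unbacked": unbacked_space(s, prefixes),
            "hidden": hidden_prefixes(s, others)}
```

For the lab the result is the 2001:1:1:100::/56 seen on R4, with 2001:1:1:100::/60 as the only unbacked block and no other lab prefix hidden.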

II) CONCLUSION

As with the other IPv6 routing protocols, there is practically nothing new to learn if you grasp the concept of the IPv4 version of the protocol as well as IPv6 addressing.
