Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
2570
Views
5
Helpful
1
Replies
vdbergp11
Beginner
Beginner
‎07-30-2014 07:23 AM
‎07-30-2014 07:23 AM

NAT64 for reaching overlapping IPv4 IPs

I want to reach multiple VPNs that contain overlapping IPv4 addresses from a single device.

Network diagram:

Is this possible? What type of device might be needed? (ideal current candidates include a 650x switch (with Supervisor Engine 720), or a FWSM with a recent ASA version in a 650x switch)

This seems like a nice candidate for stateless NAT64 (probably combined with VRFs), but I can't find documentation for specifying multiple prefixes. (The "nat64 prefix stateless" command seem to only allow a single prefix) (Or is is possible to apply it within a VRF?)

So summary (based on diagram):

Translation device has 3 subinterfaces, one for each VPN (with unique IPs for now)

A unique /96 prefix is assigned to each VPN, so a IPv6 device that want to address the IPv4 device with IP 10.101.22.12 within VPN1, it adresses 2001:DB8:1:10.101.22.12. The device should then do NAT64 to map it to a source IP within the VPN range (Something like 198.51.100.5 for the example) (Multiple IPv6 servers should be supported)

Is this possible with Cisco equipment? Can it be done with NAT64 (or which other mechanism if not)? What type of equipment would be necessary for the NAT and how would the configuration look? (Translation device is R1 in the diagram)

This seems like a nice, clean efficient way to deal with providing common services to multiple VPNs that have overlapping IPs, but the configuration stll seems like it might be difficult, if at all possible currently...

Another note: I don't care about DNS64 currently, so that is optional.

Labels:
1 person had this problem
0 Helpful
1 REPLY 1
Marc Luethi
Beginner
Beginner
‎08-17-2015 10:19 PM
‎08-17-2015 10:19 PM

Hi!

I've been having the same ideas. After studying Tore Andersen's documents...

(older paper, based on stateless NAT64 with it's requirement for IPv4 translatable addresses):

https://ripe64.ripe.net/presentations/67-20120417-RIPE64-The_Case_for_IPv6_Only_Data_Centres.pdf

(newer paper, based on (not quite so-)stateful NAT64)

http://fud.no/talks/20150317-V6_World_Congress_2015-SIIT_DC_IPv4_Service_Continuity_for_IPv6_Data_Centres.pdf

 

... I gave it a go on an CSR1000V - both stateless and not-so-stateful approaches turned out to be working, but only traffic coming from one single "external IPv4 domain" was being mapped into one single IPv6 prefix.

That's one problem: you can only define a single NAT64 prefix into which the IPv4 domain gets NATted.

 

There's a second problem:

In the return packet/outbound packet, after NAT64 extracts the (overlapping) v4-destination-address-to-be from the IPv6 address, there will be ambiguity which route is the correct one - into VPN1, VPN2, VPN3, all of which have overlapping IPv4 address space?

I don't think that policy routing would help here, as PBR is done upon ingress and fixes the outbound interface.  IPv6 PBR would then still have to pass along the packet to the NAT64 engine while giving a hint about the intended choice of egress interface. I' not quite shure, but that seems a loooong shot to me.

In short: I think NAT64 currently can only be used once per routing instance. So either...

  • it's one IOS XE router per customer/overlapping IPv4 domain (CSR1000V might come in handy, here)
  • we get an IOS XE release that has VRF aware NAT64 capabilities (and while wer'e at that - som DNS Fixup Engine right along would be really cool!)

 

Cheers
Marc

 

 

 

 

 

 

Latest Contents
DR and the Type-2 LSA in OSPFv3 versus OSPFv2
Created by Meddane on 06-24-2022 04:35 PM
0
0
0
0
When moving from OSPFv2 to OSPFv3, there are many changes in the format of the LSAs Type, but the most known changes are: IP prefix informations are no longer carried in Type-1 LSA and Type-2 LSA, new LSAs Type 8 and 9 are added to carry these prefixes. L... view more
Preview of the Book OSPF CCIE The Ultimate Ccie Enterprise E...
Created by Meddane on 06-23-2022 08:45 PM
0
0
0
0
Read a preview of my book OSPF The ultimate for CCIE Enterprise and Infrastructure exam in Books Google Doc.   Read a preview of my book OSPF The ultimate for CCIE Enterprise and Infrastructure exam in Books Google Doc #CCIE #Cisco #exam #Enterprise ... view more
Series of 20 OSPF Questions With Concise Answers.
Created by Meddane on 06-21-2022 03:08 AM
0
5
0
5
  Question 1: What are the OSPF Loop Prevention Mechanisms   In single area, the routers have the Link State Database, having the same LSDB helps the routers to build a loop-free topology.   Now in a multiarea topology, the ABRs are respon... view more
Preparing a series of OSPF questions and answers
Created by Meddane on 06-19-2022 05:29 AM
2
5
2
5
Question 1: What are the OSPF Loop Prevention Mechanisms Question 2: Why area 0 is required? Question 3: what is the command to stop Type-7 LSA ? Question 4: How the NSSA ABR translator election occurs? Question 5: How to stop receiving specific subnets I... view more
Why an NSSA ABR does not inject a default route automaticall...
Created by Meddane on 06-18-2022 03:44 AM
0
0
0
0
If an NSSA ASBR originates a default route into the OSPF in order to reach an external domain, the default route is injected as a Type 7 NSSA External LSA.  If at the same time the NSSA ABR connecting that NSSA to Area 0 is generating a default route... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad