pevaneyn
Cisco Employee

At the FOSDEM conference in 2014 we used an IPv6-only network for the main wireless access.

To configure this, we used the following upstream link:

interface GigabitEthernet0/0/0
  description ---------- Uplink to COLT ----------------
  ip address 213.246.232.54 255.255.255.252
  ...
  ipv6 address 2001:920:0:1::5F/127
  nat64 enable

And the IPv6-only network used:

interface GigabitEthernet0/0/3.1400
  description ----------- WiFi Internet client traffic  ----------------
  ipv6 address 2001:67C:1810:F051::1/64
  ipv6 enable
  nat64 enable

While the legacy dual-stack network had:

interface GigabitEthernet0/0/3.1402
  description ----------- WiFi FOSDEM-dualstack Internet client traffic  ----------------
  ip address 151.216.63.254 255.255.240.0
  ipv6 address 2001:67C:1810:F055::1/64
  ipv6 enable
  nat64 enable

To allow traffic to IPv4-only devices we use stateful NAT64 with:

ipv6 access-list nat64-acl
  sequence 20 permit ipv6 any 2001:67C:1810:F050::/96

nat64 prefix stateful 2001:67C:1810:F050::/96
nat64 v4 pool nat-pool 151.216.42.1 151.216.42.254
nat64 v6v4 list nat64-acl pool nat-pool overload

This will NAT the IPv6 clients behind the 151.216.42.0/24 network range. For names that only have an IPv4 address, the DNS server will lie to you and return an artificial IPv6 address inside the NAT64 prefix.

So while a normal DNS server like Google's 8.8.8.8 will give the IPv4 address only:

$ host ipv4.imset.org 2001:67c:1810:f050::808:808
Using domain server:
Name: 2001:67c:1810:f050::808:808
Address: 2001:67c:1810:f050::808:808#53
Aliases:

ipv4.imset.org has address 94.23.24.89

Our resolver lies and gives the NAT64 IPv6 address too:

$ host ipv4.imset.org 2001:67c:1810:f056::2
Using domain server:
Name: 2001:67c:1810:f056::2
Address: 2001:67c:1810:f056::2#53
Aliases:

ipv4.imset.org has address 94.23.24.89
ipv4.imset.org has IPv6 address 2001:67c:1810:f050::5e17:1859

Notice that to reach the IPv4 address 8.8.8.8 we had to lie and use 2001:67c:1810:f050::808:808, and that 94.23.24.89 (in hex 5E 17 18 59) became 2001:67c:1810:f050::5e17:1859.

Alternatively we could also have used 2001:67c:1810:f050::8.8.8.8 (depending on the support in the OS for this notation).
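
When correlating client logs or translation entries with IPv4 firewall or flow logs, the mapping above has to be reversed. The following is an added example, not part of the original post or the router configuration: it embeds and extracts the IPv4 address for the /96 prefix used on this page (function names are made up for illustration, and only the /96 layout is handled).

```python
import ipaddress

# Stateful NAT64 prefix from the router configuration on this page.
NAT64_PREFIX = ipaddress.IPv6Network("2001:67c:1810:f050::/96")


def _check(prefix):
    # Only the /96 layout is handled: the IPv4 address sits in the low 32 bits.
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Return the IPv6 address a client uses to reach `ipv4` through NAT64."""
    _check(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Return the real IPv4 peer, or None if `ipv6` is a native address."""
    _check(prefix)
    v6 = ipaddress.IPv6Address(ipv6)  # also accepts the ::8.8.8.8 notation
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def annotate(addresses, prefix=NAT64_PREFIX):
    """Pair every logged IPv6 address with its IPv4 peer (None if native)."""
    return [(addr, extract(addr, prefix)) for addr in addresses]


if __name__ == "__main__":
    for v4 in ("8.8.8.8", "94.23.24.89"):
        print(f"{v4:<15} -> {synthesize(v4)}")
    # Addresses as they appear in the host and translation output on this page.
    seen = [
        "2001:67c:1810:f050::ad24:c48",
        "2001:67c:1810:f050::8.8.8.8",
        "2001:67c:1810:f051:e984:cbe2:d169:8ded",
    ]
    for v6, v4 in annotate(seen):
        print(f"{v6:<40} -> {v4 or 'native IPv6, not translated'}")
```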

We can check that it works with:

asr1k#show nat64 mappings dynamic
Dynamic mappings configured: 1
Direction ID      ACL
   Pool                             Flags
   RG ID Mapping ID
v6v4      3       nat64-acl
   nat-pool                         0x00000001 (overload)
   0     0

asr1k#show nat64 pools
Pools configured: 1
Protocol HSL ID     Name
   Is Single Range
   Ranges
IPv4     3          nat-pool
   TRUE            (151.216.42.1 - 151.216.42.254)
   151.216.42.1 - 151.216.42.254

asr1k#show nat64 prefix stateful global
Global Stateful Prefix: is valid, 2001:67C:1810:F050::/96
IFs Using Global Prefix
   Gi0/0/0
   Gi0/0/3.1400
   Gi0/0/3.1402
   Gi0/0/3.1401

asr1k#show nat64 statistics mapping dynamic
NAT64 Statistics
Dynamic Mapping Statistics
   v6v4
      access-list nat64-acl pool nat-pool refcount 4196
         pool nat-pool:
            start 151.216.42.1 end 151.216.42.254
            total addresses 254, allocated 1 (0%)
            address exhaustion packet count 0

asr1k#show nat64 statistics global
NAT64 Statistics
Total active translations: 4062 (0 static, 4062 dynamic; 4062 extended)
Sessions found: 2632830
Sessions created: 10314
Expired translations: 6251
Global Stats:
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 1971206
      MAP-T: 0
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 671944
      MAP-T: 0

asr1k#show nat64 translations port 80 total
Total number of translations: 2008

To check connections for a certain IPv6 address use:

asr1k#show nat64 translations v6 original 2001:67c:1810:f051:e984:cbe2:d169:8ded verbose
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------
tcp    173.36.12.72:443      [2001:67c:1810:f050::ad24:c48]:443
       151.216.42.1:4801     [2001:67c:1810:f051:e984:cbe2:d169:8ded]:49407
         created: 01 Feb 2014 09:06:30, last-used:   01 Feb 2014 09:07:38,
           inactivity-time:     00:03:38
         flags: syn-in
         entry-id: 0x83a976e0, use-count: 1
...

Attached is a censored 'show run' of the router. Please note that we have ACLs on all interfaces, mainly to count traffic.
