At the FOSDEM conference in 2014 we used an IPv6-only network for the main wireless access.
The upstream link was configured as follows:
interface GigabitEthernet0/0/0
 description ---------- Uplink to COLT ----------------
 ip address 213.246.232.54 255.255.255.252
 ...
 ipv6 address 2001:920:0:1::5F/127
 nat64 enable
The IPv6-only network used:
interface GigabitEthernet0/0/3.1400
 description ----------- WiFi Internet client traffic ----------------
 ipv6 address 2001:67C:1810:F051::1/64
 ipv6 enable
 nat64 enable
While the legacy dualstack network had:
interface GigabitEthernet0/0/3.1402
 description ----------- WiFi FOSDEM-dualstack Internet client traffic ----------------
 ip address 151.216.63.254 255.255.240.0
 ipv6 address 2001:67C:1810:F055::1/64
 ipv6 enable
 nat64 enable
To allow traffic to IPv4-only devices we use stateful NAT64 with:
ipv6 access-list nat64-acl
 sequence 20 permit ipv6 any 2001:67C:1810:F050::/96
nat64 prefix stateful 2001:67C:1810:F050::/96
nat64 v4 pool nat-pool 151.216.42.1 151.216.42.254
nat64 v6v4 list nat64-acl pool nat-pool overload
This NATs the IPv6 clients behind the 151.216.42.0/24 network range. The DNS server will lie to you and return an artificial IPv6 address.
So while a normal DNS server like Google's 8.8.8.8 will give only the IPv4 address:
$ host ipv4.imset.org 2001:67c:1810:f050::808:808
Using domain server:
Name: 2001:67c:1810:f050::808:808
Address: 2001:67c:1810:f050::808:808#53
Aliases:
ipv4.imset.org has address 94.23.24.89
Our resolver lies and gives the NAT64 IPv6 address too:
$ host ipv4.imset.org 2001:67c:1810:f056::2
Using domain server:
Name: 2001:67c:1810:f056::2
Address: 2001:67c:1810:f056::2#53
Aliases:
ipv4.imset.org has address 94.23.24.89
ipv4.imset.org has IPv6 address 2001:67c:1810:f050::5e17:1859
Notice that to reach the IPv4 address 8.8.8.8 we had to lie and use 2001:67c:1810:f050::808:808, and that 94.23.24.89 (5E 17 18 59 in hex) became 2001:67c:1810:f050::5e17:1859.
Alternatively we could also have used 2001:67c:1810:f050::8.8.8.8 (depending on the support in the OS for this notation).
We can check that it works with:
asr1k#show nat64 mappings dynamic
Dynamic mappings configured: 1
Direction ID ACL
Pool Flags
RG ID Mapping ID
v6v4 3 nat64-acl
nat-pool 0x00000001 (overload)
0 0
asr1k#show nat64 pools
Pools configured: 1
Protocol HSL ID Name
Is Single Range
Ranges
IPv4 3 nat-pool
TRUE (151.216.42.1 - 151.216.42.254)
151.216.42.1 - 151.216.42.254
asr1k#show nat64 prefix stateful global
Global Stateful Prefix: is valid, 2001:67C:1810:F050::/96
IFs Using Global Prefix
Gi0/0/0
Gi0/0/3.1400
Gi0/0/3.1402
Gi0/0/3.1401
asr1k#show nat64 statistics mapping dynamic
NAT64 Statistics
Dynamic Mapping Statistics
v6v4
access-list nat64-acl pool nat-pool refcount 4196
pool nat-pool:
start 151.216.42.1 end 151.216.42.254
total addresses 254, allocated 1 (0%)
address exhaustion packet count 0
asr1k#show nat64 statistics global
NAT64 Statistics
Total active translations: 4062 (0 static, 4062 dynamic; 4062 extended)
Sessions found: 2632830
Sessions created: 10314
Expired translations: 6251
Global Stats:
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 1971206
MAP-T: 0
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 671944
MAP-T: 0
asr1k#show nat64 translations port 80 total
Total number of translations: 2008
To check the connections for a particular IPv6 address, use:
asr1k#show nat64 translations v6 original 2001:67c:1810:f051:e984:cbe2:d169:8ded verbose
Proto Original IPv4 Translated IPv4
Translated IPv6 Original IPv6
----------------------------------------------------------------------------
tcp 173.36.12.72:443 [2001:67c:1810:f050::ad24:c48]:443
151.216.42.1:4801 [2001:67c:1810:f051:e984:cbe2:d169:8ded]:49407
created: 01 Feb 2014 09:06:30, last-used: 01 Feb 2014 09:07:38,
inactivity-time: 00:03:38
flags: syn-in
entry-id: 0x83a976e0, use-count: 1
...
Attached is a censored 'show run' of the router. Please note that we have ACLs on all interfaces, mainly to count traffic.