
Application of Firewalls in the CGN Solution


Introduction

The shortage of public IPv4 addresses entails the transition from IPv4 to IPv6, and the CGN solution enables smooth transition from IPv4 to IPv6.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00 and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

As a new network architecture, the IPv6 network still needs to be improved and optimized even though the IPv6 protocol shares much with the IPv4 protocol. The transition from the IPv4 network to the IPv6 network is undertaken step by step. The transition plan must fully consider the conditions of the live network, make full use of the existing network infrastructure, protect existing network investments to the maximum extent, and ensure the smooth transition of user services and support for new services. The dual-stack technology, tunneling technology, and network address translation (NAT) technology are well-recognized ways to resolve the network interconnection and Internet resource access issues that arise during the transition from the IPv4 network to the IPv6 network. The NAT44(4), DS-Lite, and NAT64 schemes of the NAT technology and the 6RD scheme of the tunneling technology are widely applied by the industry as recognized transition schemes.

NAT44(4)

NAT44 can be understood as the traditional IPv4 NAT function. NAT44 is mainly used to translate private IPv4 addresses into public IPv4 addresses. The public network address assignment authority reserves the following address ranges for private networks:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

Addresses on the preceding network segments are not allocated to Internet users. They are used only on private networks and never appear on the Internet, so hosts assigned private network addresses cannot directly access the Internet. With the NAT function, private network addresses are translated into public network addresses so that hosts on the private network can access the Internet. The NAT device allocates a temporary, valid public IP address to a host when the host accesses the Internet. In this manner, hosts can access the Internet without each holding a public IP address, and public IP address resources are used more efficiently.

As shown in Figure 1-1, to further save IP address resources, carriers deploy two-level NAT (NAT444) on the egress gateway at the user side and the egress gateway at the carrier side. That is, the NAT444 is deployed on the customer premise equipment (CPE) and carrier grade NAT (CGN).

Figure 1-1 Schematic diagram of NAT444

The NAT function deployed on the CPE translates the user's private network addresses into the carrier's private network addresses. Then, the NAT function deployed on the CGN translates the carrier's private network addresses into public network addresses. With two-level NAT on the CPE and CGN, the NAT444 technology involves three types of addresses: the user's private network addresses, the carrier's private network addresses, and public network addresses. The user's private network addresses do not conflict with the carrier's private network addresses. Therefore, private network segments are used effectively and the shortage of private network addresses is avoided.

Dual Stack

The dual stack technology is the basis for the transition from IPv4 to IPv6; all the other transition technologies build on it. When nodes on the network support both the IPv4 and IPv6 protocols, a source node selects the protocol stack according to the destination node, and network devices process and forward each packet using the stack that matches the packet's protocol type. Dual stack can be implemented on a single network device or across a dual-stack network. On a dual-stack network, all devices must support both the IPv4 and IPv6 protocol stacks, and the interfaces that connect to the dual-stack network must be configured with both IPv4 and IPv6 addresses. Figure 1-2 shows the schematic diagram of the dual stack.

Figure 1-2 Schematic diagram of the dual stack

The advantages of the dual stack technology used in the transition from the IPv4 network to the IPv6 network are as follows:

  1. On the dual-stack network, IPv6 and IPv4 service data is forwarded on respective forwarding planes. Logically, two forwarding planes are considered as two networks to facilitate network deployment. The dual stack technology supports smooth transition to the IPv6 network.
  2. The dual-stack network does not involve interconnection and access between IPv6 services and IPv4 services. Therefore, the implementation is simple.
  3. The dual-stack network is easy to maintain and manage.

6RD Tunneling

The 6RD tunneling technology builds on the existing IPv4 network and helps users deploy the IPv6 access service rapidly. It is an improvement of the original 6to4 solution. The difference between the two is that a 6to4 address uses the well-known 2002::/16 prefix, whereas the 6RD prefix is taken from the carrier's own IPv6 address space.

To allow IPv6 users to send packets over the carrier's IPv4 network and access IPv6 services and resources, the 6RD solution automatically establishes and removes tunnels between Customer Edges (CEs), or between a CE and the gateway, so that IPv6 packets traverse the IPv4 network. Tunnels are established automatically on the basis of the predefined 6RD prefix.

A 6RD address consists of the 6RD prefix (an IPv6 prefix allocated by the carrier, with a prefix length between 0 and 32), the IPv4 address, the subnet ID (allocated by the carrier), and the interface identifier. Figure 1-3 shows the 6RD address format.

Figure 1-3 6RD address format

The 6RD delegated prefix contains the 6RD prefix and all or part of the IPv4 address, and is calculated from them. The number of IPv4 address bits in the 6RD delegated prefix is determined by the IPv4 prefix length configured for the 6RD tunnel.

Figure 1-4 shows the 6RD tunneling.

Figure 1-4 Schematic diagram of the 6RD tunneling

  1. The carrier allocates a 6RD prefix, an IPv4 address, and the IPv4 address of the CGN (6RD Border Relay) to the user's CPE. The CPE generates its own 6RD delegated prefix and then delivers it to the IPv6 terminal.
  2. Upon receiving a packet from the IPv6 terminal, the CPE encapsulates the IPv6 packet in the IPv4 tunnel and sends it to the CGN. The outer source address of the tunnel packet is the CPE IPv4 address and the outer destination address is the CGN IPv4 address.
  3. The CGN decapsulates the received IPv4 tunnel packet and then forwards the IPv6 packet.
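The two calculations behind these steps, the delegated prefix that an endpoint derives from the 6RD prefix, the IPv4 prefix length and its own tunnel source address, and the outer IPv4 destination that a tunnel endpoint picks for an outgoing IPv6 packet, can be checked with a few lines of Python. The following is an added example written for this page, not code from the document or from Huawei; it uses only the standard library `ipaddress` module and the document's own planning values (6RD prefix 22::/32, IPv4 prefix length 8, CPE tunnel source 10.1.1.1, CGN / 6RD BR 10.1.2.1). The function names are this example's own.

```python
import ipaddress

# Constructed inputs taken from the document's data planning (Figure 1-8):
# 6RD prefix 22::/32, IPv4 prefix length 8, CPE tunnel source 10.1.1.1, CGN / 6RD BR 10.1.2.1.


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_prefix_len: int,
                           source_ipv4: str) -> ipaddress.IPv6Network:
    """6RD delegated prefix = 6RD prefix + the low (32 - ipv4_prefix_len) bits of the tunnel source.

    The high ipv4_prefix_len bits of the IPv4 address are common to every endpoint of the
    6RD domain, so they are omitted; a larger IPv4 prefix length yields a shorter delegated prefix.
    """
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_prefix_len
    delegated_len = net.prefixlen + embedded_bits
    if delegated_len > 64:
        raise ValueError("a delegated prefix longer than /64 leaves no room for subnet ID and interface ID")
    low_bits = int(ipaddress.IPv4Address(source_ipv4)) & ((1 << embedded_bits) - 1)
    # Place the embedded bits directly after the 6RD prefix; host bits stay zero.
    value = int(net.network_address) | (low_bits << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


def sixrd_tunnel_destination(sixrd_prefix: str, ipv4_prefix_len: int, source_ipv4: str,
                             dst_ipv6: str, border_relay_ipv4: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination chosen for an IPv6 packet entering the tunnel ("destination auto").

    For a destination inside the 6RD domain the remote endpoint's IPv4 address is recovered
    from the IPv6 destination (embedded bits plus the domain's common high bits, taken from
    our own source address). Any other destination is sent to the 6RD Border Relay.
    """
    net = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in net:
        return ipaddress.IPv4Address(border_relay_ipv4)
    embedded_bits = 32 - ipv4_prefix_len
    shift = 128 - net.prefixlen - embedded_bits
    embedded = (int(dst) >> shift) & ((1 << embedded_bits) - 1)
    common_high = int(ipaddress.IPv4Address(source_ipv4)) & (0xFFFFFFFF ^ ((1 << embedded_bits) - 1))
    return ipaddress.IPv4Address(common_high | embedded)


if __name__ == "__main__":
    print(sixrd_delegated_prefix("22::/32", 8, "10.1.1.1"))  # CPE Tunnel1 -> 22:0:101:100::/56
    print(sixrd_delegated_prefix("22::/32", 8, "10.1.2.1"))  # CGN Tunnel1 -> 22:0:102:100::/56
    # CPE sending to an address in the CGN's delegated prefix: outer destination is the CGN itself.
    print(sixrd_tunnel_destination("22::/32", 8, "10.1.1.1", "22:0:102:100::1", "10.1.2.1"))
    # CPE sending to the IPv6 Internet (outside the 6RD domain): outer destination is the BR.
    print(sixrd_tunnel_destination("22::/32", 8, "10.1.1.1", "3000::2", "10.1.2.1"))
```

The two prefixes printed first are exactly the values the document's Table 1-2 assigns to the CPE and CGN Tunnel1 interfaces, which is a quick way to validate a planned IPv4 prefix length before configuring it. Note that with IPv4 prefix length 8 every endpoint in the domain is assumed to share the first octet (10.x.x.x here); an endpoint whose source address differs in that octet would be reconstructed wrongly, which is why the prefix length must match the carrier's MAN addressing.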

NAT64

The NAT64 technology is mainly applied in the scenario where a single stack host on the IPv6 network accesses resources on the IPv4 network. As shown in Figure 1-5, the CGN device is deployed between the IPv6 network and the IPv4 network to bidirectionally translate addresses of the IPv6 and IPv4 networks. The DNS64 devices that support the resolution of IPv4 and IPv6 domain names must be deployed on the network.

NOTE:

The DNS64 device provides a mapping between domain names and IPv6 addresses, generates IPv6 addresses by combining the NAT64 prefixes configured on the CGN device and the IPv4 addresses on the IPv4 server, and generates corresponding AAAA records.

Figure 1-5 Schematic diagram of NAT64

The NAT64 is classified into static NAT64 and dynamic NAT64.

  • Static NAT64

    The static NAT64 maps IPv6 addresses to IPv4 addresses on the CGN statically. When an IPv4 host interworks with an IPv6 host, the CGN translates addresses based on the mapping information. Either host can initiate a connection to the other.

  • Dynamic NAT64

    The dynamic NAT64 uses the dynamic address mapping and upper-layer protocol mapping methods to translate a large number of IPv6 addresses with a few IPv4 addresses. The dynamic NAT64 allows only IPv6 users to access the IPv4 network.

    Figure 1-5 shows the process for a host on the IPv6 network accessing a server on the IPv4 network through a domain name.

    1. The IPv6 host obtains the IPv6 address mapped to the domain name of the IPv4 server. The IPv6 address contains an IPv6 prefix and the IPv4 address of the server. The host uses this IPv6 address as the destination address when requesting the access to the IPv4 server.
    2. If the CGN receives an IPv6 packet containing a NAT64 prefix (predefined on the CGN), the CGN performs NAT64 translation on the IPv6 packet.
    3. The CGN uses the address translation algorithm to extract the IPv4 address from the IPv6 packet. The IPv6 packet is then translated into an IPv4 packet according to the interzone dynamic NAT64 mapping, using the IPv4 addresses in the NAT address pool as the source IP addresses of the resulting IPv4 packets. A session table is generated in this process.
    4. The CGN sends the resulting IPv4 packet to the server.
    5. The CGN receives the response packet from the IPv4 server, translates the IPv4 packet into an IPv6 packet according to the session table, and sends the resulting IPv6 packet to the host.

DS-Lite

The dual stack technology is an effective technology for the transition from the IPv4 network to the IPv6 network. It requires, however, that both the IPv4 and IPv6 networks be maintained. In the middle and late phases of the transition, some carriers want to deploy an IPv6 MAN to simplify network management and maintenance, and certain emerging carriers want to deploy an IPv6 MAN directly to provide large-scale IPv6 services alongside a few IPv4 services. In this scenario, certain IPv4 nodes need to traverse the IPv6 network to reach the IPv4 network. The DS-Lite technology was developed as an IPv6 transition technology to fulfill this requirement.

The DS-Lite system consists of dual-stack hosts and an IPv6 network. As shown in Figure 1-6, only the CPE and CGN on the DS-Lite network support dual stack. The other network nodes support only the IPv6 protocol.

Figure 1-6 Schematic diagram of DS-Lite

The CGN must support IPv4 over IPv6 tunneling and the NAT44 function. CPE users obtain IPv6 addresses and private IPv4 addresses. IPv6 packets pass through the CPE directly to the IPv6 Internet, whereas IPv4 packets are carried to the CGN over the IPv4 over IPv6 tunnel and decapsulated on the CGN; after the private IPv4 addresses are translated into public network addresses, the packets are forwarded to the IPv4 Internet. The process by which a packet travels from the private IPv4 network to the IPv4 Internet over the IPv6 network is as follows:

  1. The carrier provides only IPv6 service access. An IPv6 prefix is allocated to the CPE, and the CPE allocates private IPv4 addresses to internal network users.
  2. When a private IPv4 user accesses the IPv4 Internet, an IPv4 packet is sent to the CPE. The CPE encapsulates the packet and sends it to the CGN over the IPv4 over IPv6 tunnel.
  3. After decapsulating the packet, the CGN translates the IPv4 packet using NAT44. After translating the private IPv4 address into an IPv4 Internet address, the CGN sends the packet to the IPv4 network.

Scenarios for Transition Schemes

In actual situations, carriers comprehensively consider various factors such as network, user, service, and upgrade cost when selecting transition schemes. Multiple transition technologies can be used together to plan a proper network transition solution.

The transition solutions and technical methods vary with IPv4 address quantity, network status, development scale of IPv4 and IPv6 users, and service provisioning status. The network transition technologies are mainly applied in the following scenarios:

  • Scenario 1:

    The carrier's network is mainly the IPv4 network and the IPv4 public addresses are not exhausted. The IPv4 traffic still dominates the service traffic. Service applications are not migrated to the IPv6 network in a large scale. The carrier requires the development of a few IPv6 users for commercial network trials. In this scenario, the transition scheme targets the service interconnection for IPv6 services traversing the IPv4 network. The 6RD and NAT444 technologies are applicable to this scenario.

  • Scenario 2:

    The carrier's network is a dual-stack network. It mainly serves IPv4 users, together with certain IPv6 users and services. Most service applications have not been migrated to the IPv6 network, and IPv4 traffic still dominates the service traffic. The carrier requires interaction between IPv6 and IPv4 services and migration to the IPv6 network because of insufficient IPv4 addresses. The transition scheme targets IPv6 service interaction, IPv4 service interaction, and interaction between IPv6 and IPv4 services. The dual stack, NAT444, and NAT64 technologies are applicable to this scenario.

  • Scenario 3:

    The backbone MAN of the carrier is the IPv6 network or dual-stack network on which the IPv6 traffic dominates the service traffic. The networks and services mainly use the IPv6 protocol. The network also serves certain IPv4 users and provides IPv4 services. The carrier requires the service interaction between IPv4 users and access of the IPv4 users to the IPv6 network. In this scenario, the transition scheme targets the service interconnection for IPv4 services traversing the IPv6 network and access to the IPv6 network resources. The NAT64 and DS-Lite technologies are applicable to this scenario.

Scheme 1: 6RD+NAT444

Typical Networking

Networking

Carrier A's live network is an IPv4 network whose public addresses are not exhausted. To save IPv4 public addresses, carrier A assigns private IPv4 addresses on the internal MAN. To meet growing service requirements, carrier A needs to develop a few IPv6 users on the live network for trial commercial purposes.

The carrier uses the solution shown in Figure 1-7 to meet the preceding requirements. The solution is as follows:

  1. To save IPv4 public addresses, private addresses are allocated to IPv4 users. The CPE and CGN are configured with the two-level NAT function so that users on the IPv4 private network can access the IPv4 Internet.
  2. For newly developed IPv6/IPv4 dual-stack users, IPv4 traffic is carried over the IPv4 network and IPv6 traffic is transmitted to the CGN over the 6RD tunnel.
    NOTE:

    The 6RD tunnel is established between the CPE and the CGN.

  3. Currently, carrier A needs to develop only a few IPv6 users for the trial commercial network. Therefore, in network interface planning, only the CPE and CGN need to be upgraded to dual stack for tunnel establishment. The devices on the internal MAN do not need to be upgraded, which saves network reconstruction cost. Because IPv6 service traffic is low and no interaction between IPv4 and IPv6 services is needed, the network configuration can be kept simple.

Figure 1-7 NAT444+6RD networking diagram

CPE: customer premises equipment

CGN: carrier grade NAT

BRAS: broadband remote access server


  • The CPE is used to connect terminal users and allocate addresses to the users.
    • The CPE allocates private IPv4 addresses to IPv4 users.
    • The CPE allocates IPv6 addresses to IPv6 users. The IPv6 address prefix indicates the 6RD delegated prefix calculated by the CPE.

      In addition, the CPE translates addresses for the private IPv4 users and establishes 6RD tunnels with the CGN.

  • As an egress gateway on the MAN, the CGN translates addresses for private IPv4 users to access the IPv4 Internet and provides 6RD tunnels for IPv6 users to access the IPv6 Internet.
  • As a device at the convergence layer, the BRAS allocates IPv4 addresses for the CPEs to connect to the MAN.

Application of the FW in the Networking

The FW serves as the CPE and the CGN in the scenario and provides the following functions:

  • Providing the NAT function

    To save public IP addresses, the carrier uses private addresses internally. Therefore, it is necessary to configure address translation on the CPE and the CGN to enable access to the IPv4 Internet using private addresses through two translations.

  • Providing the tunneling function

    A 6RD tunnel is established between the CGN and the CPE so that IPv6 users can access the IPv6 Internet over the IPv4 network.

  • Providing routing tunnels

    The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore, they must support both the IPv4 and IPv6 protocols.

Service Planning

Requirements Analysis

Table 1-1 Scheme Implementation Analysis

  • Scheme: The 6RD tunneling technology is used to access IPv6 services.

    Advantage: Compared with other IPv6 over IPv4 tunneling technologies, 6RD tunneling has the following advantages:

    • 6RD is an improvement of the 6to4 tunneling technology and inherits all of its advantages, for example, point-to-multipoint connection and automatic discovery of the remote end of a tunnel.
    • Unlike 6to4, 6RD uses the carrier's own IPv6 prefix rather than the well-known 2002::/16 prefix. Different carriers can therefore deploy 6RD tunnels with different prefixes, which facilitates network planning.

    Implementation: Implement the following configurations on the CGN and CPE:

    • CGN
      • Create a tunnel interface.
      • Set the tunnel encapsulation mode to 6RD.
      • Specify the source address or source interface of the 6RD tunnel.
      • Set the 6RD prefix and prefix length.
      • Set the IPv4 prefix length for the 6RD tunnel.
      • Configure the IPv6 address for the tunnel interface using the calculated delegated prefix.
    • CPE

      Different from the CGN, the CPE must also be configured with the 6RD BR IPv4 address. In this case, that IPv4 address is the private IPv4 address used by the CGN to connect to the internal MAN.

  • Scheme: Two-level NAT (NAT444) is used to enable private IPv4 users to access the IPv4 Internet.

    Advantage: The NAT444 function resolves the IPv4 address shortage without upgrading the live network to IPv6. The IPv4-based NAT technology is mature and widely applied on IPv4 networks, so the two-level NAT444 scheme is a feasible transition scheme.

    Implementation: Deploy two-level NAT on the CPE and the CGN.

    • Set the NAT mode of the CPE to Easy IP, that is, the source IP address in a packet is replaced with the address of the outbound interface.
    • The CGN translates addresses using NAPT, which requires a public address pool. On the CGN, a port block is pre-allocated to each CPE to facilitate user tracing.
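To make the user-tracing benefit of port pre-allocation concrete, the following added Python model (written for this page; it is not Huawei code and does not claim to be how the firewall implements NAPT internally) gives each carrier-private source address a fixed block of public ports from the pool planned in this scheme (1.1.2.1 to 1.1.2.5, block size 256) and shows that a public address and port can be traced back to a subscriber from the block table alone. The port range 1024 to 65535, the allocation order, and the class and method names are assumptions of the example.

```python
import ipaddress
from collections import deque
from typing import Deque, Dict, Optional, Tuple

Block = Tuple[str, int]  # (public IPv4 address, first port of the block)


class PortBlockCgn:
    """NAPT with one pre-allocated port block per carrier-private source address (constructed model).

    Pool 1.1.2.1-1.1.2.5 and block size 256 follow the document's data planning; the port
    range and allocation order are this example's assumptions.
    """

    def __init__(self, pool_start: str, pool_end: str, block_size: int = 256,
                 port_min: int = 1024, port_max: int = 65535) -> None:
        self.block_size = block_size
        first_ip = int(ipaddress.IPv4Address(pool_start))
        last_ip = int(ipaddress.IPv4Address(pool_end))
        # Every (public IP, first port) block that fits completely inside the port range.
        self.free_blocks: Deque[Block] = deque()
        for ip in range(first_ip, last_ip + 1):
            for first_port in range(port_min, port_max - block_size + 2, block_size):
                self.free_blocks.append((str(ipaddress.IPv4Address(ip)), first_port))
        self.blocks: Dict[str, Block] = {}       # carrier-private IP -> its block
        self.used_ports: Dict[str, int] = {}     # ports consumed inside that block
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (pub ip, pub port) -> (priv ip, priv port)

    def allocate(self, private_ip: str) -> Block:
        """Hand the subscriber a block on first use; later sessions reuse the same block."""
        if private_ip not in self.blocks:
            if not self.free_blocks:
                raise RuntimeError("public address pool exhausted")
            self.blocks[private_ip] = self.free_blocks.popleft()
            self.used_ports[private_ip] = 0
        return self.blocks[private_ip]

    def translate(self, private_ip: str, private_port: int) -> Tuple[str, int]:
        """Source-NAT one new session; public ports come only from the subscriber's own block."""
        public_ip, first_port = self.allocate(private_ip)
        used = self.used_ports[private_ip]
        if used >= self.block_size:
            # Never borrow ports from another subscriber's block: that would break traceability.
            raise RuntimeError(f"{private_ip} has exhausted its port block")
        public_port = first_port + used
        self.used_ports[private_ip] = used + 1
        self.sessions[(public_ip, public_port)] = (private_ip, private_port)
        return public_ip, public_port

    def trace(self, public_ip: str, public_port: int) -> Optional[str]:
        """Map a public address and port back to the subscriber using only the block table,
        not per-session state. This is what makes user tracing cheap with pre-allocation."""
        for private_ip, (ip, first_port) in self.blocks.items():
            if ip == public_ip and first_port <= public_port < first_port + self.block_size:
                return private_ip
        return None

    def blocks_available(self) -> int:
        return len(self.free_blocks)


if __name__ == "__main__":
    cgn = PortBlockCgn("1.1.2.1", "1.1.2.5", block_size=256)
    print(cgn.translate("10.1.1.1", 50000))   # ('1.1.2.1', 1024): first block of the pool
    print(cgn.translate("10.1.1.1", 50001))   # ('1.1.2.1', 1025): same block, next port
    print(cgn.translate("10.1.1.7", 40000))   # ('1.1.2.1', 1280): next block, another CPE
    print(cgn.trace("1.1.2.1", 1300))         # 10.1.1.7, found without any session record
```

With a pool of five addresses and 256-port blocks the model has 1260 blocks, so at most 1260 CPEs can be online at once and each CPE is limited to 256 concurrent sessions; the operational trade-off of port pre-allocation is exactly this ceiling versus a log that only needs to record block assignments (with their start and end times) rather than every session.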

Data Planning

Figure 1-8 shows the networking diagram with data to facilitate configurations and understanding.

Figure 1-8 NAT444+6RD networking diagram with data

Table 1-2 describes the general network data planning.

Table 1-2 Data planning

  • CPE
    • GE1/0/0 (Trust zone)

      IP address: IPv4 private address 192.168.0.1/24

      Description: GE1/0/0 (Trust zone) is used to connect to the private IPv4 user.

    • GE1/0/1 (Trust zone)

      IP address: The prefix is taken from the calculated 6RD delegated prefix. In this case, the 6RD delegated prefix is 22:0:101:100::/56 and the address of the GE1/0/1 interface is set to 22:0:101:101::1/64.

      Description: IPv6 users on the CPE belong to the same 6RD domain.

    • GE1/0/2 (Untrust zone)

      IP address: Private IPv4 address of the carrier 10.1.1.1/24

      Description: GE1/0/2 (Untrust zone) is used to connect to the MAN of the carrier. Assume that the next hop address toward the MAN is 10.1.1.2.

    • Tunnel1 interface (Untrust zone)

      6RD prefix: 22::/32

      IPv4 prefix length: 8

      NOTE:

      The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length.

      IPv6 address: calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:101:100::/56 and the address of the Tunnel1 interface is set to 22:0:101:100::1/56.

      6RD BR IPv4 address: 10.1.2.1/24

      Description: The Tunnel1 interface (Untrust zone) is used to create a 6RD tunnel with the CGN.

    • Address pool

      IP address: The address of the GE1/0/2 interface is used as the translated address.

      Description: The address pool translates the private IPv4 addresses of the users into the private IPv4 address of the carrier.

  • CGN
    • GE1/0/0 (Untrust zone)

      IP address: IPv4 Internet address 1.1.1.1/24

      Description: GE1/0/0 (Untrust zone) is used to connect to the IPv4 Internet. Assume that the next hop address is 1.1.1.2/24.

    • GE1/0/1 (Untrust zone)

      IP address: IPv6 address 3000::1/64

      Description: GE1/0/1 (Untrust zone) is used to connect to the IPv6 Internet.

    • GE1/0/2 (Trust zone)

      IP address: IPv4 private address 10.1.2.1/24

      Description: GE1/0/2 (Trust zone) is used to connect to the MAN of the carrier. Assume that the next hop address toward the MAN is 10.1.2.2.

    • Tunnel1 interface (Trust zone)

      6RD prefix: 22::/32

      IPv4 prefix length: 8

      NOTE:

      The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length.

      IPv6 address: calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:102:100::/56 and the address of the Tunnel1 interface is set to 22:0:102:100::1/56.

      Description: The Tunnel1 interface (Trust zone) is used to create a 6RD tunnel with the CPE.

    • Address pool

      Addresses in the address pool: 1.1.2.1 to 1.1.2.5

      Size of the pre-allocated port block: 256 ports

      Description: The address pool translates the private IPv4 addresses of the carrier into public IPv4 addresses.

  • PC1

    IPv4 private address: 192.168.0.2/24

  • PC2

    IPv6 address: 22:0:101:100::2/64. The address prefix is the 6RD delegated prefix calculated by the CPE.

  • PC3

    IPv6 address: 3000::2/64

  • FTP server

    IPv4 Internet address: 1.1.3.1/32

Table 1-3 shows the IPv4 route planning.

Table 1-3 IPv4 route planning

  • CPE
    • Static IPv4 route: destination 10.1.2.0/24, next hop 10.1.1.2. Route connecting the CPE to the MAN interface of the CGN.
  • CGN
    • Static IPv4 route: destination 10.1.1.0/24, next hop 10.1.2.2. Route connecting the CGN to the MAN interface of the CPE.
    • Static IPv4 route: destination 1.1.3.1/32, next hop 1.1.1.2. Route connecting the CGN to the server on the IPv4 Internet.

Table 1-4 shows the IPv6 route planning.

Table 1-4 IPv6 route planning

  • CPE
    • Static IPv6 route: destination 22::/32, outbound interface Tunnel1. Route from the CPE to the 6RD tunnel interface of the CGN.
    • Static IPv6 route: destination 3000::/64, next hop 22:0:102:100::1. Route connecting the CPE to the IPv6 network interface of the CGN.
  • CGN
    • Static IPv6 route: destination 22::/32, outbound interface Tunnel1. Route connecting the CGN to the 6RD tunnel interface and 6RD domain of the CPE.

Precautions

When the Eudemon8000E-X serves as the CGN, if port pre-allocation is configured, the hash-based CPU selection mode must be source address hash.

Configuration Flow

Table 1-5 shows the configuration flow of the solution.

Table 1-5 Configuration flow

  • CPE
    1. Configure the uplink and downlink interface data. (Mandatory)

       Configure the data based on the actual interface and IP address planning.

    2. Configure the NAT function. (Mandatory)

       Set the NAT mode for the interface to NAPT (Easy IP). The private IPv4 addresses of the users are translated into the private IPv4 address of the carrier.

    3. Configure the 6RD tunnel. (Mandatory)

       The 6RD tunnel that connects to the CGN is created to carry traffic between IPv6 users.

      3.1 Specify the encapsulation type of the tunnel. (Mandatory)

          The encapsulation type of the tunnel is ipv6-ipv4 6rd.

      3.2 Specify the source address or source interface of the tunnel. (Mandatory)

          • You can specify the IPv4 address of the interface connected to the IPv4 network as the source address of the 6RD tunnel, or directly specify that interface as the source interface.
          • Either a physical interface or a logical interface such as a loopback interface can be the source interface of the tunnel.

      3.3 Set the 6RD prefix and prefix length. (Mandatory)

          This is the IPv6 address prefix used by the carrier; it forms part of the 6RD delegated prefix.

      3.4 Set the IPv4 prefix length for the 6RD tunnel. (Mandatory)

          The IPv4 prefix length is the number of high-order bits dropped from the source IPv4 address of the tunnel; the remaining bits are appended to the 6RD prefix to form the 6RD delegated prefix.

      3.5 Specify the 6RD BR IPv4 address. (Mandatory)

          Different from the CGN, the CPE requires the 6RD BR IPv4 address, that is, the private IPv4 address (10.1.2.1/24) that connects the CGN to the internal MAN.

      3.6 Configure the interface address of the 6RD tunnel. (Mandatory)

          The interface address of the 6RD tunnel is configured based on the 6RD delegated prefix, which consists of the 6RD prefix and all or part of the IPv4 address.

    4. Configure routes. (Mandatory)

       Routes include the IPv4 service route and the IPv6 service route. Configure them based on the route planning in Service Planning.

  • CGN
    1. Configure the uplink and downlink interface data. (Mandatory)

       Configure the data based on the actual interface and IP address planning.

    2. Configure the NAT function. (Mandatory)

       The NAT function translates the private IPv4 addresses of the carrier into public IPv4 addresses.

      2.1 Configure the NAT address pool. (Mandatory)

          The NAT address pool is a set of consecutive IP addresses. When a packet from the private network reaches the public network through NAT, an address in the NAT address pool is selected as the translated IP address.

          Set the pre-allocated port block size in the address pool so that NAT port resources are pre-allocated to each CPE.

      2.2 Configure the NAT policy. (Mandatory)

          Specify the security interzone in which the NAT policy takes effect and the NAT address pool referenced by the NAT policy.

    3. Configure the 6RD tunnel. (Mandatory)

       The 6RD tunnel that connects to the CPE is created to carry traffic between IPv6 users.

      3.1 Specify the encapsulation type of the tunnel. (Mandatory)

          The encapsulation type of the tunnel is ipv6-ipv4 6rd.

      3.2 Specify the source address or source interface of the tunnel. (Mandatory)

          • You can specify the IPv4 address of the interface connected to the IPv4 network as the source address of the 6RD tunnel, or directly specify that interface as the source interface.
          • Either a physical interface or a logical interface such as a loopback interface can be the source interface of the tunnel.

      3.3 Set the 6RD prefix and prefix length. (Mandatory)

          This is the IPv6 address prefix used by the carrier; it forms part of the 6RD delegated prefix.

      3.4 Set the IPv4 prefix length for the 6RD tunnel. (Mandatory)

          The IPv4 prefix length is the number of high-order bits dropped from the source IPv4 address of the tunnel; the remaining bits are appended to the 6RD prefix to form the 6RD delegated prefix.

      3.5 Configure the interface address of the 6RD tunnel. (Mandatory)

          The interface address of the 6RD tunnel is configured based on the 6RD delegated prefix, which consists of the 6RD prefix and all or part of the IPv4 address.

    4. Configure routes. (Mandatory)

       Routes include the IPv4 service route and the IPv6 service route. Configure them based on the route planning in Service Planning.

Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.
      <CPE> system-view  
      [CPE] ipv6
    2. Set an interface address and add the interface to the Trust zone.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0  
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0  
      [CPE-GigabitEthernet1/0/0] quit  
      [CPE] firewall zone trust  
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0  
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2  
      [CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0  
      [CPE-GigabitEthernet1/0/2] quit  
      [CPE] firewall zone untrust  
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2  
      [CPE-zone-untrust] quit
    3. Configure a security policy.
      [CPE] security-policy 
      [CPE-policy-security] rule name policy1 
      [CPE-policy-security-policy1] source-zone trust untrust 
      [CPE-policy-security-policy1] destination-zone trust untrust 
      [CPE-policy-security-policy1] action permit 
      [CPE-policy-security-policy1] quit 
      [CPE-policy-security] rule name policy2 
      [CPE-policy-security-policy2] source-zone local untrust 
      [CPE-policy-security-policy2] destination-zone local untrust 
      [CPE-policy-security-policy2] action permit 
      [CPE-policy-security-policy2] quit 
      [CPE-policy-security] quit
    4. Configure the NAT function to translate the private IPv4 addresses of the users into the private IPv4 addresses of the carrier.
      [CPE] nat-policy 
      [CPE-policy-nat] rule name policy_nat_1 
      [CPE-policy-nat-rule-policy_nat_1] source-zone trust 
      [CPE-policy-nat-rule-policy_nat_1] destination-zone untrust 
      [CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24 
      [CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip 
      [CPE-policy-nat-rule-policy_nat_1] quit 
      [CPE-policy-nat] quit

      # Configure NAT ALG for the Trust-Untrust interzone to ensure the proper running of the FTP service.

      NOTE:

      Enable the ASPF functions for the corresponding services. This section uses the FTP protocol as an example.

      [CPE] firewall interzone trust untrust  
      [CPE-interzone-trust-untrust] detect ftp  
      [CPE-interzone-trust-untrust] quit
    5. Configure the 6RD tunnel.

      # Configure the interface Tunnel1 of the 6RD tunnel.

      [CPE] interface Tunnel 1  
      [CPE-Tunnel1] tunnel-protocol ipv6-ipv4 6rd  
      [CPE-Tunnel1] ipv6 enable  
      [CPE-Tunnel1] source 10.1.1.1  
      [CPE-Tunnel1] ipv6-prefix 22::/32  
      [CPE-Tunnel1] ipv4-prefix length 8  
      [CPE-Tunnel1] border-relay address 10.1.2.1 
      [CPE-Tunnel1] quit
      NOTE:

      After the 6RD prefix and IPv4 prefix length are configured, the CPE automatically calculates the 6RD delegated prefix. When you run the display interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can configure the IPv6 address for the Tunnel interface based on this 6RD delegated prefix.

      # View the calculated 6RD delegated prefix.

      [CPE] display interface Tunnel 1 
      Tunnel1 current state : UP                                                       
      Line protocol current state : UP                                               
      Description: Tunnel1 Interface                           
      Route Port,The Maximum Transmit Unit is 1500                                     
      Internet protocol processing : disabled                                          
      Encapsulation is TUNNEL, loopback not set                                        
      Tunnel source 10.1.1.1(GigabitEthernet1/0/2), destination auto                   
      Tunnel protocol/transport IPV6 over IPv4(6rd)                                    
      ipv6 prefix 22::/32                                                              
      ipv4 prefix length 8                                                             
      6RD Operational, Delegated Prefix is 22:0:101:100::/56

      # Configure the IPv6 address for the Tunnel1 interface based on the 6RD delegated prefix.

      [CPE] interface Tunnel 1  
      [CPE-Tunnel1] ipv6 address 22:0:101:100::1 56  
      [CPE-Tunnel1] quit

      # Add the Tunnel1 interface to the Untrust zone.

      [CPE] firewall zone untrust  
      [CPE-zone-untrust] add interface Tunnel 1  
      [CPE-zone-untrust] quit

      # Configure the IPv6 address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1  
      [CPE-GigabitEthernet1/0/1] ipv6 address 22:0:101:101::1 64  
      [CPE-GigabitEthernet1/0/1] quit  
      [CPE] firewall zone trust  
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1  
      [CPE-zone-trust] quit
    6. Configure routes.

      # Configure the static IPv4 route from the CPE to the MAN-side network of the CGN. Assume that the next hop address of the CPE to the MAN is 10.1.1.2.

      [CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2

      # Configure the route from the CPE to the 6RD tunnel interface of the CGN.

      [CPE] ipv6 route-static 22:: 32 Tunnel 1

      # Configure the static IPv6 route from the CPE to the IPv6 network. Set the next hop address to the IPv6 address of the Tunnel interface of the CGN.

      [CPE] ipv6 route-static 3000:: 64 22:0:102:100::1
  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.
      <CGN> system-view  
      [CGN] ipv6
    2. Configure interface addresses and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0  
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0  
      [CGN-GigabitEthernet1/0/0] quit  
      [CGN] firewall zone untrust  
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0  
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2  
      [CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0  
      [CGN-GigabitEthernet1/0/2] quit  
      [CGN] firewall zone trust  
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2  
      [CGN-zone-trust] quit

      # Configure the IPv6 address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1  
      [CGN-GigabitEthernet1/0/1] ipv6 enable  
      [CGN-GigabitEthernet1/0/1] ipv6 address 3000::1 64  
      [CGN-GigabitEthernet1/0/1] quit  
      [CGN] firewall zone untrust  
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1  
      [CGN-zone-untrust] quit

      # Configure a security policy.

      [CGN] security-policy 
      [CGN-policy-security] rule name policy1 
      [CGN-policy-security-policy1] source-zone trust untrust 
      [CGN-policy-security-policy1] destination-zone trust untrust 
      [CGN-policy-security-policy1] action permit 
      [CGN-policy-security-policy1] quit 
      [CGN-policy-security] rule name policy2 
      [CGN-policy-security-policy2] source-zone local trust 
      [CGN-policy-security-policy2] destination-zone local trust 
      [CGN-policy-security-policy2] action permit 
      [CGN-policy-security-policy2] quit 
      [CGN-policy-security] quit
    3. Configure the NAT function to translate the private IP addresses of the carrier to the public IPv4 addresses.

      # Configure the NAT address pool. Set the size of the pre-allocated port block to 256.

      [CGN] nat address-group addressgroup1 
      [CGN-address-group-addressgroup1] mode pat 
      [CGN-address-group-addressgroup1] route enable 
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5 
      [CGN-address-group-addressgroup1] port-block-size 256 
      [CGN-address-group-addressgroup1] quit

      # Configure a NAT policy.

      [CGN] nat-policy 
      [CGN-policy-nat] rule name policy_nat_1 
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust 
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust 
      [CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24 
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1 
      [CGN-policy-nat-rule-policy_nat_1] quit 
      [CGN-policy-nat] quit

      # Configure NAT ALG for the Trust-Untrust interzone to ensure the proper running of the FTP service.

      NOTE:

      Enable the ASPF functions for the corresponding services. This section uses the FTP protocol as an example.

      [CGN] firewall interzone trust untrust 
      [CGN-interzone-trust-untrust] detect ftp 
      [CGN-interzone-trust-untrust] quit
    4. Configure the 6RD tunnel.

      # Configure the interface Tunnel1 of the 6RD tunnel.

      [CGN] interface Tunnel 1 
      [CGN-Tunnel1] tunnel-protocol ipv6-ipv4 6rd 
      [CGN-Tunnel1] ipv6 enable 
      [CGN-Tunnel1] source 10.1.2.1 
      [CGN-Tunnel1] ipv6-prefix 22::/32 
      [CGN-Tunnel1] ipv4-prefix length 8 
      [CGN-Tunnel1] quit
      NOTE:

      After the 6RD prefix and IPv4 prefix length are configured, the CGN automatically calculates the 6RD delegated prefix. When you run the display interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can configure the IPv6 address for the Tunnel interface based on this 6RD delegated prefix.

      # View the calculated 6RD delegated prefix.

      [CGN] display interface Tunnel 1 
      Tunnel1 current state : UP                                                       
      Line protocol current state : UP                                               
      Description: Tunnel1 Interface                           
      Route Port,The Maximum Transmit Unit is 1500                                     
      Internet protocol processing : disabled                                          
      Encapsulation is TUNNEL, loopback not set                                        
      Tunnel source 10.1.2.1(GigabitEthernet1/0/2), destination auto                   
      Tunnel protocol/transport IPV6 over IPv4(6rd)                                    
      ipv6 prefix 22::/32                                                              
      ipv4 prefix length 8                                                             
      6RD Operational, Delegated Prefix is 22:0:102:100::/56

      # Configure the IPv6 address for the Tunnel1 interface based on the 6RD delegated prefix.

      [CGN] interface Tunnel 1 
      [CGN-Tunnel1] ipv6 address 22:0:102:100::1 56  
      [CGN-Tunnel1] quit

      # Add the Tunnel1 interface to the Trust zone (the zone the CGN configuration script places it in, which also matches security policy policy2 between the Local and Trust zones).

      [CGN] firewall zone trust  
      [CGN-zone-trust] add interface Tunnel 1  
      [CGN-zone-trust] quit
    5. Configure routes.

      # Configure the static IPv4 route to the network of the MAN-side interface of the CPE. Assume that the next hop address of the CGN to the MAN is 10.1.2.2.

      [CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2

      # Configure the static IPv4 route to the FTP Server on the Internet. Assume that the next hop address of the CGN to the WAN is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

      # Configure the route to the 6RD tunnel interface and 6RD domain of the CPE.

      [CGN] ipv6 route-static 22:: 32 Tunnel 1
  • Configure the FTP Server.

    In normal situations, the ISP is responsible for configuring the FTP servers. This topic describes only the key points of FTP Server configuration.

    • Set the IP address of the FTP Server to 1.1.3.1/32.
    • The route to the addresses in the address pool of the CGN must be configured for the FTP Server.
  • Configure PC1, PC2, and PC3.

    You must specify a gateway for each PC. How PC addresses and routes are configured depends on the operating system of the PC and is not described here.
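The 6RD delegated prefixes printed by display interface Tunnel 1 in the CPE and CGN tunnel steps above (22:0:101:100::/56 and 22:0:102:100::/56) follow directly from the 6RD prefix, the IPv4 prefix length and the tunnel source address. The following Python script is an added example, not Huawei's code or output: it re-derives those prefixes, reproduces the automatic tunnel destination selection that the display shows as "destination auto" (direct to a CE inside the 6RD domain, otherwise to the border relay), and implements the decapsulation-side source check from RFC 5969 section 9 that a 6RD endpoint should apply before accepting a tunnelled packet. All addresses come from the page; the function names are the example's own.

```python
"""6RD address arithmetic (RFC 5969) for the CPE/CGN tunnel in this example.

Added illustration: it re-derives the values the devices print; it is not the
devices' own implementation.
"""
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


def delegated_prefix(sixrd_prefix: str, ipv4_prefix_len: int, source_ipv4: str) -> ipaddress.IPv6Network:
    """6RD delegated prefix = 6RD prefix + the low (32 - ipv4_prefix_len) bits of the tunnel source.

    With "ipv4-prefix length 8" the common 10.0.0.0/8 part is dropped and the remaining
    24 bits (0x010101 for 10.1.1.1) are placed right after 22::/32, giving a /56.
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    suffix_bits = 32 - ipv4_prefix_len
    suffix = int(IPv4(source_ipv4)) & ((1 << suffix_bits) - 1)
    new_len = net6.prefixlen + suffix_bits
    addr = int(net6.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


def tunnel_destination(sixrd_prefix: str, ipv4_prefix_len: int, source_ipv4: str,
                       dst_ipv6: str, border_relay: Optional[str] = None) -> Optional[IPv4]:
    """IPv4 endpoint used for an IPv6 destination ("destination auto" in the display).

    Inside the 6RD domain the IPv4 address is read back out of the IPv6 destination;
    everything else is sent to the border relay (10.1.2.1, the CGN, for the CPE).
    A border relay itself has no "border-relay address", so it returns None for
    destinations outside the domain (they leave natively, not through the tunnel).
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    dst = IPv6(dst_ipv6)
    if dst not in net6:
        return IPv4(border_relay) if border_relay else None
    suffix_bits = 32 - ipv4_prefix_len
    shift = 128 - net6.prefixlen - suffix_bits
    suffix = (int(dst) >> shift) & ((1 << suffix_bits) - 1)
    common = int(IPv4(source_ipv4)) & ~((1 << suffix_bits) - 1) & 0xFFFFFFFF
    return IPv4(common | suffix)


def decapsulation_source_ok(sixrd_prefix: str, ipv4_prefix_len: int, source_ipv4: str,
                            outer_src_ipv4: str, inner_src_ipv6: str,
                            border_relay: Optional[str] = None) -> bool:
    """RFC 5969 section 9 check applied before a tunnelled packet is accepted.

    The outer IPv4 source must be the address embedded in the inner IPv6 source; an
    inner source outside the 6RD prefix is acceptable only when it arrives from the
    border relay. Anything else is a spoofed encapsulation and is dropped.
    """
    expected = tunnel_destination(sixrd_prefix, ipv4_prefix_len, source_ipv4,
                                  inner_src_ipv6, border_relay)
    return expected is not None and expected == IPv4(outer_src_ipv4)


if __name__ == "__main__":
    print(delegated_prefix("22::/32", 8, "10.1.1.1"))   # CPE: 22:0:101:100::/56
    print(delegated_prefix("22::/32", 8, "10.1.2.1"))   # CGN: 22:0:102:100::/56
    print(tunnel_destination("22::/32", 8, "10.1.1.1", "3000::1", "10.1.2.1"))  # CPE sends to the BR
```

The source check is the part worth keeping in mind operationally: the CPE's static route ipv6 route-static 3000:: 64 22:0:102:100::1 sends all non-6RD traffic through the CGN, so on the CPE the only acceptable outer source for an inner address outside 22::/32 is the CGN's tunnel source 10.1.2.1.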

Verification

  • Verify the IPv4 services.
    1. After the configuration is complete, access the FTP Server on the Internet using PC1 on the private IPv4 network.
      C:\Documents and Settings\Administrator>ftp 1.1.3.1 
      Connected to 1.1.3.1. 
      220 FTP service ready. 
      User (1.1.3.1:(none)): admin 
      331 Password required for admin. 
      Password: 
      230 User logged in. 
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the address translation.
      [CPE] display firewall session table verbose 
       Current Total Sessions : 2                                                      
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122  
        Zone: untrust --> trust  TTL: 00:00:10 Left: 00:00:03 
        Interface: GigabitEthernet1/0/2  NextHop: 10.1.1.2  MAC: 0018-8239-1e5c     
        <--packets:20 bytes:1168   -->packets:26 bytes:1150                            
        192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21  PolicyName:policy_sec_1   
                                                                                       
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159             
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07                          
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4  
        <--packets:3 bytes:124   -->packets:5 bytes:370                                
        1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1 

      The entries 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and 1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] show that the user's private IPv4 address 192.168.0.2 is translated into the carrier's private IPv4 address 10.1.1.1. The two sessions indicate that both the FTP control channel and the data channel are established.

    3. Run the display firewall session table verbose command on the CGN to check the address translation.
      [CGN] display firewall session table verbose 
       Current total sessions: 2                                                       
       ftp VPN: public --> public  ID: a38f36333beb0f5654453374                   
       Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56             
       Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2                              
       <--packets: 15 bytes: 676 -->packets: 17 bytes: 764                                
       10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21  PolicyName:policy_nat_1  
                                                                                       
       ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0                   
       Zone: untrust --> trust Slot: 6 CPU: 0 TTL: 00:00:10 Left: 00:00:07             
       Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2                               
       <--packets: 3 bytes: 124 -->packets: 5 bytes: 370                               
       1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1      

      The entries 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] show that the carrier's private IPv4 address 10.1.1.1 is translated into the public IPv4 address 1.1.2.4 (an address in the address pool). The two sessions indicate that both the FTP control channel and the data channel are established.

    4. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in any view of the CGN to check the details about the CPE user at 10.1.1.1.
      [CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2 
       This operation will take a few minutes. Press 'Ctrl+C' to break ... 
       UserTbl item(s) on slot 6 cpu 2                                     
       -------------------------------------------------------------------- 
       Scene: NAT444  DstZone: untrust CPEIP: 10.1.1.1                  
       TTL: 40   LeftTime: 34 Increase Count: 0  VPN: public                 
       PoolID: addressgroup1  SectionID: 1  PublicIP: 1.1.2.4  StartPort: 2048  PortNumber: 256  PortTotal: 256  Used Port Number: 1              

      As shown in the preceding command output, the source addresses of service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4. The port range is from 2048 to 2303, containing 256 ports.

  • Verify the IPv6 services.
    1. After the 6RD tunnel is configured, ping the interface address of the 6RD tunnel of the CGN from the CPE.
      <CPE> ping ipv6 22:0:102:100::1 
        PING 22:0:102:100::1 : 56  data bytes, press CTRL_C to break                   
          Reply from 22:0:102:100::1                                                   
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                               
          Reply from 22:0:102:100::1                                                   
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                              
          Reply from 22:0:102:100::1                                                   
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                               
          Reply from 22:0:102:100::1                                                   
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                               
          Reply from 22:0:102:100::1                                                   
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                               
                                                                                       
        --- 22:0:102:100::1 ping statistics ---                                        
          5 packet(s) transmitted                                                      
          5 packet(s) received                                                         
          0.00% packet loss                                                            
          round-trip min/avg/max = 40/66/100 ms

      If the ping is successful, the 6RD tunnel configuration is correct. Run the display ipv6 interface tunnel command in any view on the CGN to view the IPv6 status and configurations of the Tunnel1 interface.

      [CGN] display ipv6 interface tunnel 1 
      Tunnel1 current state : UP 
      IPv6 protocol current state : UP 
      IPv6 is enabled, link-local address is FE80::101:101 
        Global unicast address(es): 
          22:0:102:100::1, subnet is 22:0:102:100::/64 
        Joined group address(es): 
          FF02::1:FF00:1 
          FF02::1:FF01:101 
          FF02::2 
        MTU is 1500 bytes 
        ND reachable time is 30000 milliseconds 
        ND retransmit interval is 1000 milliseconds 
        ND stale time is 1200 seconds 
    2. Ping the interface address of the CGN that connects to the IPv6 network from the CPE, that is, the address of the GigabitEthernet 1/0/1 interface.
      <CPE> ping ipv6 3000::1 
        PING 3000::1 : 56  data bytes, press CTRL_C to break                   
          Reply from 3000::1                                                   
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                       
          Reply from 3000::1                                                   
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                      
          Reply from 3000::1                                                   
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                       
          Reply from 3000::1                                                   
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                       
          Reply from 3000::1                                                   
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                       
                                                                               
        --- 3000::1 ping statistics ---                                        
          5 packet(s) transmitted                                              
          5 packet(s) received                                                 
          0.00% packet loss                                                    
          round-trip min/avg/max = 40/66/100 ms

      If the ping is successful, the IPv6 route between the CPE and the CGN works properly.

    3. On PC2, ping PC3.
      C:\> ping6 3000::2 
      from 22:0:101:100::1 with 32 bytes of data: 
      Reply from 3000::2: time<1ms 
      Reply from 3000::2: time<1ms 
      Reply from 3000::2: time<1ms 
      Reply from 3000::2: time<1ms 
      Ping statistics for 3000::2: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      If the ping is successful, the configurations of devices on the entire network are correct.
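The two session dumps in the IPv4 verification steps are read by eye above. The following Python script is an added example, not Huawei's code: it parses those same output lines, embedded here as sample input, and reconstructs the NAT444 translation chain 192.168.0.2 -> 10.1.1.1 -> 1.1.2.4 from the bracketed (translated) addresses, and reports whether an ftp-data session exists, which is the evidence that the detect ftp ALG opened the data channel. The field layout it assumes is exactly what the two dumps show; other software versions may print sessions differently.

```python
"""Parse 'display firewall session table verbose' output and follow a NAT444 chain.

Added illustration using the two dumps from the verification steps as sample input.
"""
import re
from typing import Dict, List, Optional

# Sample input: the CPE and CGN session tables as printed on the page.
CPE_SESSIONS = """\
 Current Total Sessions : 2
  ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122
  Zone: untrust --> trust  TTL: 00:00:10 Left: 00:00:03
  Interface: GigabitEthernet1/0/2  NextHop: 10.1.1.2  MAC: 0018-8239-1e5c
  <--packets:20 bytes:1168   -->packets:26 bytes:1150
  192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21  PolicyName:policy_sec_1

  ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4
  <--packets:3 bytes:124   -->packets:5 bytes:370
  1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1
"""

CGN_SESSIONS = """\
 Current total sessions: 2
 ftp VPN: public --> public  ID: a38f36333beb0f5654453374
 Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
 Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2
 <--packets: 15 bytes: 676 -->packets: 17 bytes: 764
 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21  PolicyName:policy_nat_1

 ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0
 Zone: untrust --> trust Slot: 6 CPU: 0 TTL: 00:00:10 Left: 00:00:07
 Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2
 <--packets: 3 bytes: 124 -->packets: 5 bytes: 370
 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1
"""

# First line of every session: "<protocol> VPN:..." (with or without a space after VPN:).
PROTO_RE = re.compile(r"^\s*(\S+)\s+VPN:")
# An endpoint is ip:port, optionally followed by [ip:port], the translated form.
END = r"([\d.]+):(\d+)(?:\[([\d.]+):(\d+)\])?"
FLOW_RE = re.compile(END + r"\s*(?:\+->|-->)\s*" + END + r"\s+PolicyName:(\S+)")


def parse_sessions(text: str) -> List[Dict]:
    """Return one dict per session with its protocol, policy and the NAT mapping it carries."""
    sessions, proto = [], None
    for line in text.splitlines():
        pm = PROTO_RE.match(line)
        if pm:
            proto = pm.group(1)
            continue
        fm = FLOW_RE.search(line)
        if not fm:
            continue
        sa, sp, tsa, tsp, da, dp, tda, tdp, policy = fm.groups()
        if tsa:    # brackets after the source: an outbound flow whose source was translated
            orig, mapped = (sa, int(sp)), (tsa, int(tsp))
        elif tda:  # brackets after the destination: an inbound flow, real inside host in brackets
            orig, mapped = (tda, int(tdp)), (da, int(dp))
        else:      # no translation on this session
            orig = mapped = None
        sessions.append({"proto": proto, "policy": policy,
                         "src": (sa, int(sp)), "dst": (da, int(dp)),
                         "orig": orig, "mapped": mapped})
    return sessions


def translation_chain(origin_ip: str, *tables: str) -> List[str]:
    """Follow an inside address through the session tables of successive NAT devices."""
    chain = [origin_ip]
    for table in tables:
        hop: Optional[str] = next((s["mapped"][0] for s in parse_sessions(table)
                                   if s["orig"] and s["orig"][0] == chain[-1]), None)
        if hop is None:
            break
        chain.append(hop)
    return chain


def ftp_data_channel_open(table: str) -> bool:
    """True when the ALG has created a session for the FTP data connection."""
    return any(s["proto"] == "ftp-data" for s in parse_sessions(table))


if __name__ == "__main__":
    print(" -> ".join(translation_chain("192.168.0.2", CPE_SESSIONS, CGN_SESSIONS)))
    print("ftp-data on CPE:", ftp_data_channel_open(CPE_SESSIONS),
          "on CGN:", ftp_data_channel_open(CGN_SESSIONS))
```

A chain that stops short of the public address points at the device whose NAT policy did not match the flow, which is usually a source-address or zone mismatch in the nat-policy rule on that device.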

Configuration Scripts

  • The CPE configuration script is as follows:
    #                                                                           
     sysname CPE                                                                     
    #                                                                                
     ipv6                                                                            
    #                                                                                
    acl number 2000                                                                  
     rule 5 permit source 192.168.0.0 0.0.0.255                                      
    #                                                                                
    interface GigabitEthernet1/0/0                                                   
     ip address 192.168.0.1 255.255.255.0                                            
    #                                                                                
    interface GigabitEthernet1/0/1                                                   
     ipv6 enable                                                                     
     ipv6 address 22:0:101:101::1/64                                                 
    #                                                                                
    interface GigabitEthernet1/0/2                                                   
     ip address 10.1.1.1 255.255.255.0                                               
    #                                                                                
    interface Tunnel1                                                                
     ipv6 enable                                                                     
     ipv6 address 22:0:101:100::1/56                                                 
     tunnel-protocol ipv6-ipv4 6rd                                                   
     source 10.1.1.1                                                                 
     ipv6-prefix 22::/32                                                             
     ipv4-prefix length 8                                                            
     border-relay address 10.1.2.1                                                   
    #                                                                                
    firewall zone local                                                              
     set priority 100                                                                
    #                                                                                
    firewall zone trust                                                              
     set priority 85                                                                 
     add interface GigabitEthernet1/0/0                                              
     add interface GigabitEthernet1/0/1                                              
    #                                                                                
    firewall zone untrust                                                            
     set priority 5                                                                  
     add interface GigabitEthernet1/0/2                                              
     add interface Tunnel1                                                           
    #                                                                                
    firewall zone dmz                                                                
     set priority 50                                                                 
    #                                                                                
    firewall interzone trust untrust                                                 
     detect ftp                                                                      
    #                                                                                
     ipv6 route-static 22:: 32 Tunnel 1                                              
     ipv6 route-static 3000:: 64 22:0:102:100::1                                     
    #                                                                                
    security-policy                                                                  
     rule name policy1                                                               
      source-zone trust                                                              
      source-zone untrust                                                            
      destination-zone trust                                                         
      destination-zone untrust                                                       
      action permit                                                                  
     rule name policy2                                                               
      source-zone local                                                              
      source-zone untrust                                                            
      destination-zone local                                                         
      destination-zone untrust                                                       
      action permit                                                                  
    #                                                                                 
    nat-policy                                                                       
      rule name policy_nat_1                                                         
        source-zone trust                                                            
        destination-zone untrust                                                     
        source-address 192.168.0.0 24                                                
        action source-nat easy-ip                                                           
    #                                                                                
    return                                                                          
  • The CGN configuration script is as follows:
    #                                                                           
     sysname CGN                    
    #                                                                                
     ipv6                                                                            
    #                                                                                
    firewall hash-mode source-only                                                   
    #                                                                                
    interface GigabitEthernet1/0/0                                                   
     undo shutdown                                                                   
     ip address 1.1.1.1 255.255.255.0                                              
    #                                                                                
    interface GigabitEthernet1/0/1                                                   
     undo shutdown                                                                   
     ipv6 enable                                                                     
     ipv6 address 3000::1/64                                                         
    #                                                                                
    interface GigabitEthernet1/0/2                                                   
     undo shutdown                                                                   
     ip address 10.1.2.1 255.255.255.0                                               
    #                                                                                
    interface Tunnel1                                                                
     ipv6 enable                                                                     
     ipv6 address 22:0:102:100::1/56                                                 
     tunnel-protocol ipv6-ipv4 6rd                                                   
     source 10.1.2.1                                                                 
     ipv6-prefix 22::/32                                                             
     ipv4-prefix length 8                                                            
    #                                                                                
    firewall zone local                                                              
     set priority 100                                                                
    #                                                                                
    firewall zone trust                                                              
     set priority 85                                                                 
     add interface GigabitEthernet1/0/2                                              
     add interface Tunnel1                                                           
    #                                                                                
    firewall zone untrust                                                            
     set priority 5                                                                  
     add interface GigabitEthernet1/0/0                                              
     add interface GigabitEthernet1/0/1                                              
    #                                                                                
    firewall zone dmz                                                                
     set priority 50   
    #                                                                                 
     nat address-group addressgroup1                                                  
     mode pat                                                                         
     port-block-size 256                                                              
     route enable                                                                     
     section 1 1.1.2.1 1.1.2.5                                                   
    #                                                                                
    security-policy                                                                  
     rule name policy1                                                               
      source-zone trust                                                              
      source-zone untrust                                                            
      destination-zone trust                                                         
      destination-zone untrust                                                       
      action permit                                                                  
     rule name policy2                                                               
      source-zone local                                                              
      source-zone trust                                                            
      destination-zone local                                                         
      destination-zone trust                                                       
      action permit                                                                  
    #                                                                                
    nat-policy                                                                       
      rule name policy_nat_1                                                         
        source-zone trust                                                            
        destination-zone untrust                                                     
        source-address 10.1.1.0 24                                                   
        action source-nat address-group addressgroup1                                       
    #                                                                                
    firewall interzone trust untrust                                                 
     detect ftp                                                                      
    #                                                                                
     ipv6 route-static 22:: 32 Tunnel 1                                              
    #                                                                                
    return                                                                          
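The nat address-group with port-block-size 256 in the CGN script, together with the display cpe-user output (PublicIP 1.1.2.4, StartPort 2048, 256 ports), describes the port-block PAT that keeps NAT444 traceable: the carrier records one block per CPE instead of one log line per session. The following Python model is an added example, not Huawei's allocator. It assumes that blocks are cut from a per-address port range starting at 2048 (the StartPort the page shows) and that a CPE receives one block at first and more on demand (the "Increase Count" field); it hands blocks out in address order, whereas the real device chose 1.1.2.4 for 10.1.1.1. It answers the question an abuse report poses: which CPE held a given public address and port.

```python
"""Port-block PAT pool model for a CGN address group.

Added illustration, not the device's allocator: shows why block allocation is
enough to attribute a public ip:port to a subscriber.
"""
import ipaddress
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

Block = Tuple[str, int]  # (public IPv4 address, first port of the block)


class PortBlockPool:
    def __init__(self, first_ip: str, last_ip: str, block_size: int = 256,
                 first_port: int = 2048, last_port: int = 65535) -> None:
        # Assumption: every pool address offers ports first_port..last_port, cut into fixed blocks.
        self.block_size = block_size
        self.free: Deque[Block] = deque()
        first, last = int(ipaddress.IPv4Address(first_ip)), int(ipaddress.IPv4Address(last_ip))
        for ip_int in range(first, last + 1):
            ip = str(ipaddress.IPv4Address(ip_int))
            for start in range(first_port, last_port - block_size + 2, block_size):
                self.free.append((ip, start))
        self.leases: Dict[str, List[Block]] = {}   # CPE (inside) address -> blocks it holds
        self.records: List[dict] = []              # the allocation log the carrier must retain

    def _log(self, cpe_ip: str, block: Block, event: str) -> None:
        self.records.append({"cpe": cpe_ip, "public_ip": block[0], "start_port": block[1],
                             "end_port": block[1] + self.block_size - 1, "event": event})

    def allocate(self, cpe_ip: str, extend: bool = False) -> Block:
        """Give a CPE its first block, or one more when extend=True (a port-block increase)."""
        if cpe_ip in self.leases and not extend:
            return self.leases[cpe_ip][0]
        if not self.free:
            raise RuntimeError("address group exhausted")
        block = self.free.popleft()
        self.leases.setdefault(cpe_ip, []).append(block)
        self._log(cpe_ip, block, "allocate")
        return block

    def release(self, cpe_ip: str) -> None:
        """Return all blocks of a CPE when its user entry ages out (TTL expired)."""
        for block in self.leases.pop(cpe_ip, []):
            self.free.append(block)   # appended at the tail, so it is not re-issued at once
            self._log(cpe_ip, block, "release")

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Which CPE currently owns this public address and port (the abuse-report lookup)."""
        for cpe_ip, blocks in self.leases.items():
            for ip, start in blocks:
                if ip == public_ip and start <= port < start + self.block_size:
                    return cpe_ip
        return None

    def capacity(self) -> int:
        """Number of blocks in the group, i.e. how many CPEs it serves with one block each."""
        return len(self.free) + sum(len(b) for b in self.leases.values())


if __name__ == "__main__":
    pool = PortBlockPool("1.1.2.1", "1.1.2.5")          # section 1 1.1.2.1 1.1.2.5
    print("blocks:", pool.capacity())                   # 5 addresses x 248 blocks
    print("10.1.1.1 ->", pool.allocate("10.1.1.1"))     # ('1.1.2.1', 2048)
    print("owner of 1.1.2.1:2300 ->", pool.trace("1.1.2.1", 2300))
```

Two points the model makes visible: the group size bounds the number of concurrent CPEs (five addresses at 256 ports per block is 1240 first blocks), and a released block goes to the tail of the free list so that a public ip:port is not reassigned to a new subscriber seconds after the old one dropped it, which would make a log lookup with a slightly skewed timestamp attribute traffic to the wrong user.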

Scheme 2: Dual Stack+NAT444+NAT64

Typical Networking

Networking

After a period of operation and development, the IPv6 user base and service scale have grown considerably. Public IPv4 addresses are insufficient, most services have not yet migrated to IPv6, and IPv4 traffic still dominates. The MAN of carrier A is upgraded from an IPv4 network to a dual-stack network. To let IPv4 users access the IPv4 Internet, IPv6 users access the IPv6 Internet, and IPv6 users access the IPv4 Internet, carrier A uses the solution shown in Figure 1-9.

  1. For the IPv4 services, a two-level NAT (NAT444) is configured on the CPE and the CGN; it translates the private IPv4 addresses into public IPv4 addresses.
  2. The MAN of carrier A is upgraded to the dual-stack network. Therefore, the IPv6 users can directly access the IPv6 Internet using the IPv6 routes.
  3. If the IPv6 users need to access the IPv4 Internet, the NAT64 function is configured on the CGN so that the IPv6 addresses are translated into IPv4 public addresses.
Figure 1-9 Dual stack+NAT444+NAT64

CPE: customer premises equipment

CGN: carrier grade NAT

BRAS: broadband remote access server


  • The CPE connects terminal users and allocates addresses to them.
    • The CPE allocates private IPv4 addresses to IPv4 users.
    • The CPE allocates IPv6 addresses to IPv6 users.

      The CPE translates addresses for users on the IPv4 private network.

  • As the egress gateway of the MAN, the CGN translates addresses for IPv4 users accessing the IPv4 Internet, forwards the traffic of IPv6 users to the IPv6 Internet, and translates IPv6 addresses into IPv4 addresses for IPv6 users accessing the IPv4 Internet. In this scenario, the device performs only the CGN function.
  • As a convergence-layer device, the BRAS allocates IPv4 or IPv6 addresses to the CPEs that connect to the MAN.

Application of the FW in the Networking

The FW acts as both the CPE and the CGN in this scenario and provides the following functions:

  • Providing the NAT function

    To save public IP addresses, the carrier uses private addresses internally. Address translation must therefore be configured on both the CPE and the CGN, so that a private user address reaches the IPv4 Internet through two successive translations.

  • Providing routing

    The CGN is the egress gateway of the MAN, and all IPv4 and IPv6 traffic passes through it. It must therefore provide routes for both IPv4 and IPv6 traffic.

  • Providing NAT from IPv6 addresses to IPv4 addresses

    The CPE and the CGN forward both IPv4 and IPv6 traffic, so both must support the IPv4 and IPv6 protocols (dual stack). In addition, the CGN translates IPv6 addresses into IPv4 addresses (NAT64) so that IPv6 users can reach the IPv4 Internet.

Service Planning

Requirements Analysis

Table 1-6 Scheme implementation analysis

Scheme: The dual stack technology is used.

Advantage: Dual stack is the basis for the transition from IPv4 to IPv6; all the other transition technologies build on it. Its advantages in the transition are as follows:

  • On a dual-stack network, IPv6 and IPv4 service data is forwarded on separate forwarding planes. Logically, the two planes are two networks, which simplifies deployment and allows a smooth transition to IPv6.
  • A dual-stack network does not require interworking between IPv6 services and IPv4 services, so the implementation is simple.
  • A dual-stack network is easy to maintain and manage.

Implementation: The dual stack configuration on the CGN and the CPE is simple:

  • Enable the IPv4 function on the IPv4 service interfaces. IPv4 is enabled by default.
  • Enable the IPv6 function in the system view, and then enable IPv6 on the IPv6 service interfaces.

Scheme: Two-level NAT (NAT444) is used to enable private IPv4 users to access the IPv4 Internet.

Advantage: On the live network, IPv4 traffic still dominates and public IPv4 addresses are scarce, so NAT444 resolves the IPv4 address shortage. IPv4 NAT is mature and widely deployed, which makes two-level NAT444 a feasible transition scheme.

Implementation: Deploy two-level NAT on the CPE and the CGN.

  • Set the NAT mode of the CPE to Easy IP, that is, replace the source IP address of a packet with the address of the outbound interface.
  • The CGN translates addresses using NAPT, which requires a public address pool. On the CGN, a block of ports is pre-allocated to each CPE, which simplifies user tracing.

Scheme: Dynamic NAT64 is used to implement communication between IPv6 and IPv4 users.

Advantage: Dynamic NAT64 uses dynamic address mapping and upper-layer port mapping to translate a large number of IPv6 addresses with a few IPv4 addresses. It saves public IPv4 addresses and is suitable for large-scale deployment.

Implementation: Configure the NAT64 function on the CGN.

  • Configure the NAT64 prefix.
  • Configure the address pool for the IPv4 Internet.
  • Configure the NAT64 policy.

Data planning

Figure 1-10 shows the networking diagram with data to facilitate configurations and understanding.

Figure 1-10 Dual stack+NAT444+NAT64 networking diagram with data

NAT64 is generally deployed together with DNS64. The DNS64 synthesizes AAAA records for IPv4-only domain names by embedding the A-record address in the NAT64 prefix, so the prefix and prefix length configured on the DNS64 must be the same as those on the NAT64 device. Figure 1-11 shows the NAT64 networking diagram.

Figure 1-11 NAT64 networking diagram

After the MAN is upgraded to dual stack, two logical networks exist, IPv4 and IPv6. For the IPv4 network, the routing plan remains unchanged: static routes are used between the CPE and the CGN. For the IPv6 network, OSPFv3 is used, as shown in Figure 1-12.

Figure 1-12 OSPFv3 protocol planning on the IPv6 network

Table 1-7 describes the general network data planning.

Table 1-7 Data planning

CPE

  • GE1/0/0 (Trust zone): IPv4 private address 192.168.0.1/24. Connects to the private IPv4 user.
  • GE1/0/1 (Trust zone): IPv6 address 2000::1/64. Connects to the IPv6 user.
  • GE1/0/2 (Untrust zone): carrier private IPv4 address 10.1.1.1/24. Connects to the IPv4 MAN (the MAN is dual stack). Assume that the next hop to the IPv4 MAN is 10.1.1.2.
  • GE1/0/3 (Untrust zone): IPv6 address 3000::1/64. Connects to the IPv6 MAN.
  • Address pool: the address of GE1/0/2 is used as the translated address (Easy IP). It translates the IPv4 addresses of the user's private network into the IPv4 address of the carrier's private network.

CGN

  • GE1/0/0 (Untrust zone): IPv4 Internet address 1.1.1.1/24. Connects to the IPv4 Internet. Assume that the next hop is 1.1.1.2.
  • GE1/0/1 (Untrust zone): IPv6 address 5000::1/64. Connects to the IPv6 Internet.
  • GE1/0/2 (Trust zone): carrier private IPv4 address 10.1.2.1/24. Connects to the IPv4 MAN. Assume that the next hop to the IPv4 MAN is 10.1.2.2.
  • GE1/0/3 (Trust zone): IPv6 address 4000::1/64. Connects to the IPv6 MAN.
  • Address pool 1: 1.1.2.1 to 1.1.2.5. Translates the IPv4 addresses of the carrier's private network into public IPv4 addresses (NAT444).
  • Address pool 2: 1.1.2.11 to 1.1.2.15. Translates IPv6 addresses into public IPv4 addresses (NAT64).
  • NAT64 prefix: 6000::/96. The CGN decides whether to perform NAT64 on an IPv6 packet by checking whether the destination address carries the NAT64 prefix.

DNS64

  • NAT64 prefix: 6000::/96. It must be the same as the prefix configured on the CGN.
  • Domain name www.example.com resolves to 6000::0101:301. This address is calculated from the NAT64 prefix and the IPv4 Internet address of the server (1.1.3.1): the four IPv4 octets 01.01.03.01 occupy the low 32 bits after the /96 prefix.

PC1: IPv4 private address 192.168.0.2/24

PC2: IPv6 address 2000::2/64

PC3: IPv6 address 5000::2/64

Server: IPv4 Internet address 1.1.3.1/32
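
The address arithmetic behind the DNS64 entry in Table 1-7, as an added example that is not part of the Huawei document or the device software: synthesize() embeds an IPv4 address in a NAT64 prefix the way a DNS64 does when it fabricates an AAAA record, and extract() recovers it the way the CGN does when it translates a destination address. The /96 case reproduces 6000::/96 + 1.1.3.1 = 6000::0101:301; the helpers also cover the other prefix lengths RFC 6052 allows (32, 40, 48, 56, 64), which this document does not use. needs_nat64() is the "does the destination carry the NAT64 prefix" decision from Table 1-7, and dns64_entry_is_consistent() is a check that the DNS64 and CGN configuration agree.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses: the arithmetic shared by DNS64 and NAT64.

Added example, not from the Huawei document. synthesize() is what a DNS64
does to an A record; extract() is what the CGN does to the destination of an
IPv6 packet that carries the NAT64 prefix.
"""
import ipaddress

# Prefix lengths permitted by RFC 6052 section 2.2.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # bits 64..71 are reserved and must be zero for prefixes shorter than /96


def _prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %s" % (VALID_PREFIX_LENGTHS,))
    return net


def _ipv4_octet_positions(prefixlen: int):
    """Byte offsets that hold the four IPv4 octets, skipping the reserved u octet."""
    start = prefixlen // 8
    return [i for i in range(start, start + 5) if i != U_OCTET][:4]


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed ipv4 in prefix (DNS64 AAAA synthesis)."""
    net = _prefix(prefix)
    body = bytearray(net.network_address.packed)  # prefix bits set, the rest zero
    for pos, octet in zip(_ipv4_octet_positions(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        body[pos] = octet
    return ipaddress.IPv6Address(bytes(body))


def extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address (CGN destination translation)."""
    net = _prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s does not carry the NAT64 prefix %s" % (ipv6, prefix))
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _ipv4_octet_positions(net.prefixlen)))


def needs_nat64(prefix: str, dst_ipv6: str) -> bool:
    """The CGN's decision from Table 1-7: translate only if the destination carries the prefix."""
    return ipaddress.IPv6Address(dst_ipv6) in _prefix(prefix)


def dns64_entry_is_consistent(cgn_prefix: str, dns64_prefix: str,
                              published: str, server_ipv4: str) -> bool:
    """True only if DNS64 and CGN share a prefix and the published AAAA decodes to the server."""
    if ipaddress.IPv6Network(cgn_prefix) != ipaddress.IPv6Network(dns64_prefix):
        return False
    try:
        return extract(cgn_prefix, published) == ipaddress.IPv4Address(server_ipv4)
    except ValueError:
        return False
```

Running extract() on the address published by the DNS64, against the prefix configured on the CGN, is a quick consistency check for this scheme: if the decoded IPv4 address is not the server's, either the DNS64 entry or one of the two prefixes is wrong, and IPv6 clients will be translated toward a different IPv4 host than the one they resolved.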

Table 1-8 shows the IPv4 route planning.

Table 1-8 IPv4 route planning

CPE

  • Static IPv4 route to 10.1.2.0/24, next hop 10.1.1.2: connects the CPE to the IPv4 MAN interface of the CGN.

CGN

  • Static IPv4 route to 10.1.1.0/24, next hop 10.1.2.2: connects the CGN to the IPv4 MAN interface of the CPE.
  • Static IPv4 route to 1.1.3.1/32, next hop 1.1.1.2: connects the CGN to the server on the IPv4 Internet.

Table 1-9 shows the IPv6 route planning.

Table 1-9 IPv6 route planning

CPE

  • OSPFv3, advertising 2000::/64 in Area 1: route to the IPv6 user interface of the CPE.
  • OSPFv3, advertising 3000::/64 in Area 0: route connecting the CPE to the IPv6 MAN.

CGN

  • OSPFv3, advertising 4000::/64 in Area 0: route connecting the CGN to the IPv6 MAN.
  • OSPFv3, advertising 5000::/64 in Area 2: route connecting the CGN to the IPv6 Internet.

Precautions

When the CGN is the Eudemon8000E-X, if triplet DS-Lite NAT is configured, the hash-based CPU selection mode must be source address hash.

Configuration Flow

Table 1-10 shows the configuration flow of the solution.

Table 1-10 Configuration flow

CPE

  1. Configure the uplink and downlink interface data. (Mandatory) Configure the data based on the actual interface and IP address planning.
  2. Configure the NAT function. (Mandatory) Configure Easy IP; the IPv4 addresses of the user's private network are translated into the carrier's private IPv4 address.
  3. Configure routes. (Mandatory) The routes configured on the CPE include:
    • Static IPv4 route: forwards IPv4 service packets
    • OSPFv3 on the interface connecting to the IPv6 network: forwards IPv6 service packets

CGN

  1. Configure the uplink and downlink interface data. (Mandatory) Configure the data based on the actual interface and IP address planning.
  2. Configure the NAT function. (Mandatory) NAT translates the IPv4 addresses of the carrier's private network into public IPv4 addresses.
    2.1 Configure the NAT address pool. (Mandatory) The NAT address pool is a range of consecutive IP addresses. When a packet from the private network reaches the public network through NAT, an address in the pool is selected as the translated address. Set the port block size in the address pool so that a block of ports is pre-allocated to each CPE.
    2.2 Configure the NAT policy. (Mandatory) Specify the security zones in which the NAT policy takes effect and the NAT address pool that the policy references.
  3. Configure routes. (Mandatory) The routes configured include:
    • Static routes to the CPE and to the IPv4 Internet: forward IPv4 service packets
    • OSPFv3 on the interface connecting to the IPv6 network: forwards IPv6 service packets
  4. Configure the NAT64 function. (Mandatory) NAT64 enables IPv6 users to access the IPv4 network.
    4.1 Configure the NAT address pool. (Mandatory) The addresses in this pool are used as the IPv4 source addresses after NAT64 translation.
    4.2 Configure the NAT64 prefix and advertise it on the IPv6 network. (Mandatory) The CGN performs NAT64 translation on an IPv6 packet only if the destination address carries the NAT64 prefix.
    4.3 Configure the NAT64 policy. (Mandatory) Configure NAT64 dynamic mapping in the NAT policy and set the NAT type to NAT64. When translating, the CGN selects one IPv4 address randomly from the address pool referenced by the NAT64 policy as the source address of the translated packet.
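
The port-block pre-allocation of step 2.1, as an added example that is not the device's implementation: it models the CGN address pool of Table 1-7 (1.1.2.1 to 1.1.2.5, port-block-size 256), computes how many CPEs the pool can serve, hands each CPE a deterministic (public address, port block), and maps a public IP:port from an abuse report back to exactly one CPE without a per-session log. The first usable port (2048, matching the StartPort shown in the verification output) and the first-free allocation order are assumptions of this model, not documented vendor behaviour.

```python
"""NAT444 port-block pre-allocation and reverse lookup for user tracing.

Added example, not from the Huawei document. Pool 1.1.2.1-1.1.2.5 with
port-block-size 256 comes from Table 1-7; the first usable port (2048) and
the allocation order are assumptions of this model.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Block = Tuple[ipaddress.IPv4Address, int]  # (public address, first port of the block)


class PortBlockPool:
    def __init__(self, first_ip: str, last_ip: str, block_size: int, first_port: int = 2048):
        usable = 65536 - first_port
        if block_size <= 0 or usable % block_size:
            raise ValueError("port-block-size must divide the usable port range")
        self.block_size = block_size
        self.first_port = first_port
        lo, hi = int(ipaddress.IPv4Address(first_ip)), int(ipaddress.IPv4Address(last_ip))
        self.addresses = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        self.blocks_per_address = usable // block_size
        # Free blocks in allocation order: every block of the first address, then the next (assumption).
        self._free = [(a, first_port + k * block_size)
                      for a in self.addresses for k in range(self.blocks_per_address)]
        self._by_cpe: Dict[ipaddress.IPv4Address, Block] = {}
        self._by_block: Dict[Block, ipaddress.IPv4Address] = {}

    def capacity(self) -> int:
        """Maximum number of CPEs that can hold a block at the same time."""
        return len(self.addresses) * self.blocks_per_address

    def allocate(self, cpe_ip: str) -> Block:
        """Hand the CPE its block; idempotent while the CPE keeps its block."""
        cpe = ipaddress.IPv4Address(cpe_ip)
        if cpe in self._by_cpe:
            return self._by_cpe[cpe]
        if not self._free:
            raise RuntimeError("address pool exhausted: no free port block")
        block = self._free.pop(0)
        self._by_cpe[cpe] = block
        self._by_block[block] = cpe
        return block

    def release(self, cpe_ip: str) -> None:
        """Return a CPE's block to the free list (e.g. when its last session ages out)."""
        block = self._by_cpe.pop(ipaddress.IPv4Address(cpe_ip), None)
        if block is not None:
            del self._by_block[block]
            self._free.append(block)

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Map a public IP:port back to the owning CPE in O(1); None if not allocated."""
        if not self.first_port <= port <= 65535:
            return None
        start = self.first_port + ((port - self.first_port) // self.block_size) * self.block_size
        cpe = self._by_block.get((ipaddress.IPv4Address(public_ip), start))
        return None if cpe is None else str(cpe)


def demo() -> dict:
    """Walk the Table 1-7 pool and return the facts a planner would check."""
    pool = PortBlockPool("1.1.2.1", "1.1.2.5", 256)
    first = pool.allocate("10.1.1.1")
    # Constructed: fill the remaining blocks of 1.1.2.1 so the next CPE spills to 1.1.2.2.
    base = int(ipaddress.IPv4Address("10.1.1.1"))
    for i in range(1, pool.blocks_per_address):
        pool.allocate(str(ipaddress.IPv4Address(base + i)))
    spill = pool.allocate("10.1.3.1")
    return {
        "capacity": pool.capacity(),
        "blocks_per_address": pool.blocks_per_address,
        "first_block": (str(first[0]), first[1], first[1] + pool.block_size - 1),
        "spill_block": (str(spill[0]), spill[1]),
        "trace_hit": pool.trace("1.1.2.1", 2054),
        "trace_neighbour": pool.trace("1.1.2.1", 2304),
        "trace_unallocated": pool.trace("1.1.2.5", 60000),
        "trace_below_range": pool.trace("1.1.2.1", 80),
    }
```

With these parameters each public address carries 248 blocks, so five addresses serve at most 1240 CPEs, and each CPE is limited to 256 concurrent translated flows; a larger block size gives each CPE more sessions but fewer CPEs per address. The trace lookup is the operational reason for pre-allocation: it resolves a public IP:port to the CPE, and only to the CPE, so the CPE's own NAT log is still needed to reach the end host behind it.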

Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.
      <CPE> system-view  
      [CPE] ipv6
    2. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0 
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0 
      [CPE-GigabitEthernet1/0/0] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0 
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1 
      [CPE-GigabitEthernet1/0/1] ipv6 enable 
      [CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64 
      [CPE-GigabitEthernet1/0/1] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1 
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2 
      [CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0 
      [CPE-GigabitEthernet1/0/2] quit 
      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2 
      [CPE-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/3 interface.

      [CPE] interface GigabitEthernet 1/0/3 
      [CPE-GigabitEthernet1/0/3] ipv6 enable 
      [CPE-GigabitEthernet1/0/3] ipv6 address 3000::1 64 
      [CPE-GigabitEthernet1/0/3] quit 
      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/3 
      [CPE-zone-untrust] quit
    3. Configure a security policy.
      [CPE] security-policy 
      [CPE-policy-security] rule name policy_sec_1 
      [CPE-policy-security-rule-policy_sec_1] source-zone trust 
      [CPE-policy-security-rule-policy_sec_1] destination-zone untrust 
      [CPE-policy-security-rule-policy_sec_1] source-address 192.168.0.0 24 
      [CPE-policy-security-rule-policy_sec_1] action permit 
      [CPE-policy-security-rule-policy_sec_1] quit 
      [CPE-policy-security] rule name policy_sec_2 
      [CPE-policy-security-rule-policy_sec_2] source-zone trust 
      [CPE-policy-security-rule-policy_sec_2] destination-zone untrust 
      [CPE-policy-security-rule-policy_sec_2] source-address 2000::2 64 
      [CPE-policy-security-rule-policy_sec_2] action permit 
      [CPE-policy-security-rule-policy_sec_2] quit 
      [CPE-policy-security] rule name policy_sec_3 
      [CPE-policy-security-rule-policy_sec_3] source-zone untrust 
      [CPE-policy-security-rule-policy_sec_3] destination-zone local 
      [CPE-policy-security-rule-policy_sec_3] action permit 
      [CPE-policy-security-rule-policy_sec_3] quit 
      [CPE-policy-security] quit
    4. Configure a NAT policy.
      [CPE] nat-policy 
      [CPE-policy-nat] rule name policy_nat_1 
      [CPE-policy-nat-rule-policy_nat_1] source-zone trust 
      [CPE-policy-nat-rule-policy_nat_1] destination-zone untrust 
      [CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24 
      [CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip 
      [CPE-policy-nat-rule-policy_nat_1] quit 
      [CPE-policy-nat] quit

      # Configure the NAT ALG between the Trust zone and the Untrust zone so that the FTP data channel, whose address and port are carried inside the FTP control connection, can traverse NAT.

      [CPE] firewall interzone trust untrust 
      [CPE-interzone-trust-untrust] detect ftp 
      [CPE-interzone-trust-untrust] quit
    5. Configure the OSPFv3 protocol for routing the IPv6 services.
      [CPE] ospfv3 
      [CPE-ospfv3-1] router-id 1.1.1.1 
      [CPE-ospfv3-1] quit 
      [CPE] interface GigabitEthernet1/0/3 
      [CPE-GigabitEthernet1/0/3] ospfv3 1 area 0 
      [CPE-GigabitEthernet1/0/3] quit 
      [CPE] interface GigabitEthernet1/0/1 
      [CPE-GigabitEthernet1/0/1] ospfv3 1 area 1 
      [CPE-GigabitEthernet1/0/1] quit
    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the CGN. Assume that the next hop address from the CPE to the IPv4 MAN is 10.1.1.2.

      [CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.
      <CGN> system-view 
      [CGN] ipv6
    2. Set the hash mode to source-address hashing, so that all flows from the same source address are dispatched to the same CPU.
      [CGN] firewall hash-mode source-only
    3. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0 
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0 
      [CGN-GigabitEthernet1/0/0] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0 
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1 
      [CGN-GigabitEthernet1/0/1] ipv6 enable 
      [CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64 
      [CGN-GigabitEthernet1/0/1] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1 
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2 
      [CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0 
      [CGN-GigabitEthernet1/0/2] quit 
      [CGN] firewall zone trust 
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2 
      [CGN-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/3 interface.

      [CGN] interface GigabitEthernet 1/0/3 
      [CGN-GigabitEthernet1/0/3] ipv6 enable 
      [CGN-GigabitEthernet1/0/3] ipv6 address 4000::1 64 
      [CGN-GigabitEthernet1/0/3] quit 
      [CGN] firewall zone trust 
      [CGN-zone-trust] add interface GigabitEthernet 1/0/3 
      [CGN-zone-trust] quit
    4. Configure a security policy.
      [CGN] security-policy 
      [CGN-policy-security] rule name policy1 
      [CGN-policy-security-policy1] source-zone trust untrust 
      [CGN-policy-security-policy1] destination-zone trust untrust 
      [CGN-policy-security-policy1] action permit 
      [CGN-policy-security-policy1] quit 
      [CGN-policy-security] rule name policy2 
      [CGN-policy-security-policy2] source-zone untrust 
      [CGN-policy-security-policy2] destination-zone local 
      [CGN-policy-security-policy2] action permit 
      [CGN-policy-security-policy2] quit 
      [CGN-policy-security] quit

      NOTE:

      policy1 permits all traffic in both directions between the Trust and Untrust zones to keep the example short. The FW is stateful: return packets of a session opened from the Trust zone are matched against the session table and do not need an Untrust-to-Trust permit rule, so in a production deployment restrict the Untrust-to-Trust direction to the traffic that must be initiated from the Internet.
    5. Configure the NAT function to translate the private IP addresses of the carrier to the public IPv4 addresses.

      # Configure the NAT address pool.

      [CGN] nat address-group addressgroup1 
      [CGN-address-group-addressgroup1] mode pat 
      [CGN-address-group-addressgroup1] route enable 
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5 
      [CGN-address-group-addressgroup1] port-block-size 256 
      [CGN-address-group-addressgroup1] quit

      # Configure a NAT policy.

      [CGN] nat-policy 
      [CGN-policy-nat] rule name policy_nat_1 
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust 
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust 
      [CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24 
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1 
      [CGN-policy-nat-rule-policy_nat_1] quit 
      [CGN-policy-nat] quit

      # Configure the NAT ALG (ASPF) between the Trust zone and the Untrust zone so that the FTP data channel negotiated inside the control connection can traverse NAT.

      NOTE:

      Enable the ASPF function for each service that needs it. This section uses FTP as an example.

      [CGN] firewall interzone trust untrust 
      [CGN-interzone-trust-untrust] detect ftp 
      [CGN-interzone-trust-untrust] quit
    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the CPE. Assume that the next hop address from the CGN to the IPv4 MAN is 10.1.2.2.

      [CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2

      Configure the static IPv4 route to the FTP server on the Internet. Assume that the next hop address of the CGN to the Internet is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
    7. Configure the OSPFv3 protocol for routing the IPv6 services.
      [CGN] ospfv3 
      [CGN-ospfv3-1] router-id 2.2.2.2 
      [CGN-ospfv3-1] quit 
      [CGN] interface GigabitEthernet1/0/3 
      [CGN-GigabitEthernet1/0/3] ospfv3 1 area 0 
      [CGN-GigabitEthernet1/0/3] quit 
      [CGN] interface GigabitEthernet1/0/1 
      [CGN-GigabitEthernet1/0/1] ospfv3 1 area 2 
      [CGN-GigabitEthernet1/0/1] quit
    8. Configure the NAT64 function.

      # Configure IPv4 NAT address pool 2 and set the address range to 1.1.2.11 to 1.1.2.15. Use the addresses in the NAT address pool as the IPv4 addresses after the NAT64 processing.

      [CGN] nat address-group addressgroup2 
      [CGN-address-group-addressgroup2] mode pat 
      [CGN-address-group-addressgroup2] route enable 
      [CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15 
      [CGN-address-group-addressgroup2] quit

      # Set the NAT64 prefix to 6000::/96.

      [CGN] nat64 prefix 6000:: 96

      # Configure a NAT64 policy.

      [CGN] nat-policy 
      [CGN-policy-nat] rule name policy_nat64 
      [CGN-policy-nat-rule-policy_nat64] nat-type nat64 
      [CGN-policy-nat-rule-policy_nat64] source-zone trust 
      [CGN-policy-nat-rule-policy_nat64] destination-zone untrust 
      [CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64 
      [CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2 
      [CGN-policy-nat-rule-policy_nat64] quit 
      [CGN-policy-nat] quit

      # Configure the blackhole route to advertise the NAT64 prefix.

      [CGN] ipv6 route-static 6000:: 96 NULL 0

      # Introduce the blackhole route with the NAT64 prefix to the OSPFv3 protocol.

      [CGN] ospfv3 
      [CGN-ospfv3-1] import-route static 
      [CGN-ospfv3-1] quit
  • Configure the DNS64 device.

    Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as that configured on the CGN.

    Set the routes between the DNS64 to the PC and server to ensure reachability.

    On the DNS64 device, set the IPv6 address that corresponds to domain name www.example.com to 6000::0101:301, that is, the NAT64 prefix 6000::/96 followed by the server's IPv4 address 1.1.3.1.

  • Configure the server.

    In normal situations, the ISP is responsible for configuring the server. This topic describes only the key points of server configuration.

    • Set the IP address of the FTP server to 1.1.3.1/32.
    • The route to the addresses in the address pool of the CGN must be configured for the FTP Server.
    • The server provides both FTP and HTTP services.
  • Configure PC1, PC2, and PC3.

    You must specify a gateway for each PC. (The configuration of PC addresses and routes varies with the operating system of the PC and is not described here.)

Verification

  • Verify the IPv4 services.
    1. After the configuration is complete, PC1 on the private IPv4 network can be used to access the FTP service provided by the server on the Internet.
      C:\Documents and Settings\Administrator>ftp 1.1.3.1 
      Connected to 1.1.3.1. 
      220 FTP service ready. 
      User (1.1.3.1:(none)): admin 
      331 Password required for admin. 
      Password: 
      230 User logged in. 
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the address translation.
      [CPE] display firewall session table verbose 
       Current Total Sessions : 2                                                      
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122                  
        Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59                          
        Interface: GigabitEthernet1/0/2  NextHop: 10.1.1.2  MAC: 0018-8239-1e5c     
        <--packets:20 bytes:1168   -->packets:26 bytes:1150                            
        192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21  PolicyName:policy_sec_1      
                                                                                       
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159             
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07                          
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4  
        <--packets:3 bytes:124   -->packets:5 bytes:370                                
        1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1     

      The entries 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and 1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] show that user private IPv4 address 192.168.0.2 is translated to the carrier's private IPv4 address 10.1.1.1 (Easy IP, the address of GE1/0/2). The two sessions are the FTP control channel and the data channel, both established.

    3. Run the display firewall session table verbose command on the CGN to check the address translation.
      [CGN] display firewall session table verbose 
       Current total sessions: 2                                                       
       ftp VPN: public --> public  ID: a38f36333beb0f5654453374                 
       Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56             
       Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2                              
       <--packets: 0 bytes: 0 -->packets: 17 bytes: 764                                
       10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21   PolicyName:policy_nat_1  
                                                                                       
       ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0                  
       Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07             
       Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2                               
       <--packets: 3 bytes: 124 -->packets: 5 bytes: 370                               
       1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1      

      The entries 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] show that carrier private IPv4 address 10.1.1.1 is translated to public IPv4 address 1.1.2.4, an address from address pool 1. The two sessions are the FTP control channel and the data channel, both established.

    4. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in any view of the CGN to check the details about the CPE user at 10.1.1.1.
      [CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2 
       This operation will take a few minutes. Press 'Ctrl+C' to break ... 
       UserTbl item(s) on slot 6 cpu 2                                     
       -------------------------------------------------------------------- 
       Scene: NAT444  DstZone: untrust CPEIP: 10.1.1.1                  
       TTL: 40   LeftTime: 34 Increase Count: 0  VPN: public                 
       PoolID: addressgroup1  SectionID: 1  PublicIP: 1.1.2.4  StartPort: 2048  PortNumber: 256  PortTotal: 256  Used Port Number: 1

      As shown in the preceding command output, the source addresses of service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4. The port range is from 2048 to 2303, containing 256 ports.

  • Verify the IPv6 services.
    1. Ping the interface address of the CGN that connects to the IPv6 network from the CPE, that is, the address of the GigabitEthernet 1/0/3 interface.
      <CPE> ping ipv6 4000::1 
        PING 4000::1 : 56  data bytes, press CTRL_C to break                   
          Reply from 4000::1                                                   
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                      
          Reply from 4000::1                                                   
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                       
                                                                               
        --- 4000::1 ping statistics ---                                        
          5 packet(s) transmitted                                              
          5 packet(s) received                                                 
          0.00% packet loss                                                    
          round-trip min/avg/max = 40/66/100 ms

      The CGN responds, so the IPv6 routes between the CPE and the CGN are in place. On the CPE and the CGN, run the display ospfv3 routing command to view the OSPFv3 routing tables.

      [CPE] display ospfv3 routing 
      OSPFv3 Process (1)                                                               
         Destination                                            Metric                 
           Next-hop                                                                    
           2000::/64                                            1                      
           directly connected, GigabitEthernet1/0/1                                    
           3000::/64                                            1                      
           directly connected, GigabitEthernet1/0/3                                    
        IA 4000::/64                                           2                  
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3                         
        IA 5000::/64                                           3                      
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3                        

      The OSPFv3 routing table shows that the CPE has learned from the CGN the inter-area routes to the IPv6 MAN segment of the CGN (4000::/64) and to the IPv6 Internet (5000::/64).

      [CGN] display ospfv3 routing 
      OSPFv3 Process (1)                                                               
         Destination                                                 Metric            
           Next-hop                                                                    
        IA 2000::/64                                                     3         
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3                          
        IA 3000::/64                                                     2         
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3                          
           4000::/64                                                     1             
            directly connected, GigabitEthernet1/0/3                                   
           5000::/64                                                     1             
            directly connected, GigabitEthernet1/0/1                                  

      The OSPFv3 routing table shows that the CGN has learned from the CPE the inter-area routes to the IPv6 MAN segment of the CPE (3000::/64) and to the IPv6 users (2000::/64).

    2. On PC2, ping PC3.
      C:\> ping6 5000::2 
      from 2000::2 with 32 bytes of data: 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Ping statistics for 5000::2: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      PC3 is successfully pinged and the configurations of IPv6 routes on the entire network are correct.

  • Enable an IPv6 user to access the IPv4 Internet.
    1. Ping domain name www.example.com on PC2.
      Pinging 6000::0101:301 with 32 bytes of data: 
       
      Reply from 6000::0101:301: time=23ms 
      Reply from 6000::0101:301: time=6ms 
      Reply from 6000::0101:301: time=12ms 
      Reply from 6000::0101:301: time=33ms 
       
      Ping statistics for 6000::0101:301: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 6ms, Maximum = 33ms, Average = 18ms

      The server's IPv4 address, reached from the PC through its NAT64-mapped IPv6 address 6000::0101:301, is successfully pinged.

    2. In any view of the CGN, run the display firewall ipv6 session table command to check the NAT64 session table.
      <CGN> display firewall ipv6 session table
       Slot: 6 CPU: 1
      NAT64: icmp6 VPN: public --> public  2000::2.44152[1.1.2.14:10296] --> 6000::0101:301.2048[1.1.3.1:2048]

      According to the NAT64 session table, you can learn the translation mapping between IPv6 addresses and IPv4 addresses.

Configuration Scripts

  • The CPE configuration script is as follows:
    #
     sysname CPE
    #
     ipv6
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.0.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     ipv6 enable
     ipv6 address 2000::1/64
     ospfv3 1 area 0.0.0.1
    #
    interface GigabitEthernet1/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     ipv6 enable
     ipv6 address 3000::1/64
     ospfv3 1 area 0.0.0.0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/0
     add interface GigabitEthernet1/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet1/0/2
     add interface GigabitEthernet1/0/3
    #
    firewall zone dmz
     set priority 50
    #
    firewall interzone trust untrust
     detect ftp
    #
    ospfv3 1
     router-id 1.1.1.1
     area 0.0.0.0
     area 0.0.0.1
    #
     ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        source-address 192.168.0.0 24
        action permit
      rule name policy_sec_2
        source-zone trust
        destination-zone untrust
        source-address 2000::2 64
        action permit
      rule name policy_sec_3
        source-zone untrust
        destination-zone local
        action permit
    #
    nat-policy
      rule name policy_nat_1
        source-zone trust
        destination-zone untrust
        source-address 192.168.0.0 24
        action source-nat easy-ip
    #
    return
  • The CGN configuration script is as follows:
    #
     sysname CGN
    #
     ipv6
    #
    firewall hash-mode source-only
    #
     nat64 prefix 6000:: 96
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ipv6 enable
     ipv6 address 5000::1/64
     ospfv3 1 area 0.0.0.2
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     undo shutdown
     ipv6 enable
     ipv6 address 4000::1/64
     ospfv3 1 area 0.0.0.0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/2
     add interface GigabitEthernet1/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet1/0/0
     add interface GigabitEthernet1/0/1
    #
    firewall zone dmz
     set priority 50
    #
    security-policy
     rule name policy1
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      action permit
     rule name policy2
      source-zone untrust
      destination-zone local
      action permit
    #
    nat address-group addressgroup1
     mode pat
     port-block-size 256
     route enable
     section 1 1.1.2.1 1.1.2.5
    nat address-group addressgroup2
     nat-type nat64
     mode pat
     route enable
     section 1 1.1.2.11 1.1.2.15
    #
    nat-policy
      rule name policy_nat_1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 24
        action source-nat address-group addressgroup1
      rule name policy_nat64
        source-zone trust
        destination-zone untrust
        source-address 2000:: 64
        action source-nat address-group addressgroup2
    #
    firewall interzone trust untrust
     detect ftp
    #
    ospfv3 1
     router-id 2.2.2.2
     import-route static
    #
     ipv6 route-static 6000:: 96 NULL0
    #
    return

Scheme 3: DS-Lite+NAT64

Typical Networking

Networking

After the IPv4 and IPv6 services on carrier A's network are developed for a period, the IPv4 public addresses are exhausted. Services are gradually migrated to the IPv6 network. The IPv6 traffic dominates the service traffic. The carrier's MAN is completely upgraded to the IPv6 network. To meet the network development requirements, carrier A uses the DS-Lite+NAT64 solution, as shown in Figure 1-13.

  • IPv6 users can directly access the IPv6 Internet because the IPv6 routes are reachable end to end.
  • IPv4 users require the DS-Lite function because their access to the IPv4 Internet must traverse the IPv6 MAN. The DS-Lite function is configured as follows:
    1. Configure a DS-Lite tunnel between the CPE and the CGN.
    2. Configure the DS-Lite NAT policy on the CGN.
  • If IPv6 users need to access the IPv4 Internet, the NAT64 function is configured on the CGN so that their IPv6 addresses are translated into IPv4 public addresses.
Figure 1-13 DS-Lite+NAT64

CPE: Customer Premises Equipment

CGN: Carrier Grade NAT

BRAS: Broadband Remote Access Server


  • The CPE is used to connect terminal users and allocate addresses to the users.
    • The CPE allocates private IPv4 addresses to IPv4 users.
    • The CPE allocates private IPv6 addresses to IPv6 users.

      The DS-Lite tunnel must be established between the CPE and the CGN.

  • As the egress gateway of the MAN, the CGN terminates the DS-Lite tunnels through which IPv4 users reach the IPv4 Internet and translates their private IPv4 addresses into IPv4 Internet addresses; it also provides the routing path for IPv6 users to reach the IPv4 network and translates their IPv6 addresses into IPv4 addresses.
  • As a device at the convergence layer, the BRAS allocates IPv6 addresses for the CPEs to connect to the MAN.

Application of the FW in the Networking

In this scenario, the FW acts as both the CPE and the CGN and provides the following functions:

  • Providing the DS-Lite function

    To enable private IPv4 users to access the IPv4 Internet using the IPv6 MAN of a carrier, it is necessary to configure the DS-Lite tunnel on the CPE and the CGN. It is also necessary to configure the DS-Lite NAT policy on the CGN.

  • Providing routing tunnels

    The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore, they must support both the IPv4 and IPv6 protocol stacks.

  • Providing NAT from IPv6 addresses to IPv4 addresses

    To enable the IPv6 users to access the IPv4 network, configure NAT64 on the CGN.

Service Planning

Requirements Analysis

Table 1-11 Scheme implementation analysis

  • Scheme: The DS-Lite technology helps private IPv4 users access the IPv4 Internet over the IPv6 network.

    Advantage: DS-Lite, also called lightweight 4over6, consists of dual-stack hosts and an IPv6 network. On DS-Lite networks, only the CPEs and CGNs need to be dual-stack; all other intermediate network nodes need to support only IPv6. Therefore, all configuration and maintenance operations are performed on the CPEs and CGNs.

    Implementation: The DS-Lite function is configured as follows:
      • CPE
        • Configure the tunnel interfaces.
        • Set the encapsulation mode of the tunnel to IPv4 over IPv6.
        • Specify the source address or source interface of the tunnel.
        • Set the destination address of the tunnel.
        • Configure the IPv4 address for the tunnel interface.
      • CGN
        • Configure the tunnel interfaces.
        • Set the encapsulation mode of the tunnel to DS-Lite.
        • Specify the source address or source interface of the tunnel.
        • Configure the IPv4 address for the tunnel interface.
        • Configure the address pool.
        • Configure the DS-Lite NAT policy.

  • Scheme: The dynamic NAT64 function is used to implement communication between IPv4 and IPv6 users.

    Advantage: Dynamic NAT64 uses dynamic address mapping and upper-layer protocol mapping to translate a large number of IPv6 addresses using only a few IPv4 addresses. It saves IPv4 public addresses and is applicable to large-scale deployment.

    Implementation: Configure the NAT64 function on the CGN.
      • Configure the NAT64 prefix.
      • Configure the address pool for the IPv4 Internet.
      • Configure the NAT64 policy.
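For the DS-Lite row of Table 1-11, the following added Python example (not Huawei's code and not the product's forwarding logic) simulates the CPE's IPv4-over-IPv6 encapsulation and the CGN's decapsulation plus DS-Lite NAT; the session key structure and the pool allocation order are illustrative assumptions, while the addresses come from the data plan of this scheme.

```python
"""DS-Lite forwarding between CPE and CGN, simulated end to end.

Added example, not Huawei documentation or product code. The CPE side (B4 in
RFC 6333 terms) wraps a private IPv4 packet in an IPv6 header with next
header 4 and sends it to the CGN tunnel endpoint; the CGN side (AFTR)
decapsulates it and applies DS-Lite NAT. The session is keyed on the
tunnel's IPv6 source address as well as the private IPv4 source and port,
because every CPE behind the MAN may reuse the same private range
(192.168.0.0/24 in the data plan). Headers are minimal and checksums are
not computed.
"""
import ipaddress
import struct

IPPROTO_IPV4 = 4    # IPv6 next-header value for an encapsulated IPv4 packet
IPPROTO_UDP = 17


def build_private_packet(src, dst, sport, dport) -> bytes:
    """Minimal IPv4/UDP packet from a private host (checksum fields zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def b4_encapsulate(ipv4_packet: bytes, tunnel_src, tunnel_dst) -> bytes:
    """CPE: IPv4 over IPv6 encapsulation towards the CGN tunnel endpoint."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_packet),
                      IPPROTO_IPV4, 64,
                      ipaddress.IPv6Address(tunnel_src).packed,
                      ipaddress.IPv6Address(tunnel_dst).packed)
    return hdr + ipv4_packet


class Aftr:
    """CGN: DS-Lite tunnel endpoint plus NAT from one address pool."""

    def __init__(self, tunnel_addr, pool_first, pool_last, first_port=10000):
        self.tunnel_addr = ipaddress.IPv6Address(tunnel_addr)
        lo = int(ipaddress.IPv4Address(pool_first))
        hi = int(ipaddress.IPv4Address(pool_last))
        self.pool = [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]
        self.first_port = first_port
        # (B4 IPv6 address, private IPv4, private port) -> (public IPv4, public port)
        self.sessions = {}

    def receive(self, packet: bytes):
        """Decapsulate one tunnelled packet; return (session key, NAT mapping)."""
        ver_tc_fl, plen, nh, _hl, src6, dst6 = struct.unpack("!IHBB16s16s", packet[:40])
        if ver_tc_fl >> 28 != 6 or nh != IPPROTO_IPV4:
            raise ValueError("not an IPv4-over-IPv6 packet")
        if ipaddress.IPv6Address(dst6) != self.tunnel_addr:
            raise ValueError("not addressed to this DS-Lite tunnel endpoint")
        inner = packet[40:40 + plen]
        ihl = (inner[0] & 0x0F) * 4
        src4 = ipaddress.IPv4Address(inner[12:16])
        sport = struct.unpack("!H", inner[ihl:ihl + 2])[0]
        # The B4 address disambiguates identical private addresses from
        # different CPEs; without it two customers would collide.
        key = (ipaddress.IPv6Address(src6), src4, sport)
        if key not in self.sessions:
            # Illustrative allocation (assumption): the page does not describe
            # the CGN's real address and port selection.
            n = len(self.sessions)
            self.sessions[key] = (self.pool[n % len(self.pool)], self.first_port + n)
        return key, self.sessions[key]
```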

Data Planning

Figure 1-14 shows the networking diagram with data to facilitate configurations and understanding.

Figure 1-14 DS-Lite+NAT64 networking diagram with data

Generally, the NAT64 is deployed with the DNS64. The DNS64 performs domain name translation. The prefix and length configured for the DNS64 are the same as those of the NAT64 device. Figure 1-15 shows the NAT64 networking diagram.

Figure 1-15 NAT64 networking diagram

After the MAN is upgraded to the IPv6 network, the OSPFv3 protocol is still used to plan IPv6 routing. Figure 1-16 shows the protocol planning.

Figure 1-16 OSPFv3 protocol planning on the IPv6 network

Table 1-12 describes the general network data planning.

Table 1-12 Data planning

  • CPE
    • GE1/0/0 (Trust zone)
      IPv4 private address: 192.168.0.1/24
      GE1/0/0 (Trust zone) is used to connect to the private IPv4 user.
    • GE1/0/1 (Trust zone)
      IPv6 address: 2000::1/64
      GE1/0/1 (Trust zone) is used to connect to the IPv6 user.
    • GE1/0/2 (Untrust zone)
      IPv6 address: 3000::1/64
      GE1/0/2 (Untrust zone) is used to connect to the MAN.
    • Tunnel1 interface (Untrust zone)
      Source address: 3000::1/64
      Destination address: 4000::1/64
      IPv4 address of the tunnel interface: 10.1.1.1/24
      The Tunnel1 interface (Untrust zone) is used to create an IPv4 over IPv6 tunnel with the CGN.
  • CGN
    • GE1/0/0 (Untrust zone)
      IPv4 Internet address: 1.1.1.1/24
      GE1/0/0 (Untrust zone) is used to connect to the IPv4 Internet. Assume that the next hop address is 1.1.1.2/24.
    • GE1/0/1 (Untrust zone)
      IPv6 address: 5000::1/64
      GE1/0/1 (Untrust zone) is used to connect to the IPv6 Internet.
    • GE1/0/2 (Trust zone)
      IPv6 address: 4000::1/64
      GE1/0/2 (Trust zone) is used to connect to the MAN.
    • Tunnel1 interface (Trust zone)
      Source address: 4000::1/64
      IPv4 address of the tunnel interface: 10.1.1.2/24
      The Tunnel1 interface (Trust zone) is used to create a DS-Lite tunnel with the CPE.
    • Address pool
      Addresses in address pool 1: 1.1.2.1 to 1.1.2.5
      Addresses in address pool 2: 1.1.2.11 to 1.1.2.15
      Address pool 1 provides the IPv4 public addresses into which private IPv4 addresses are translated by the DS-Lite NAT policy.
      Address pool 2 provides the IPv4 public addresses into which IPv6 addresses are translated by NAT64.
    • NAT64 prefix
      6000::/96
      The CGN determines whether to perform NAT64 on an IPv6 packet by checking whether the packet's destination address carries the NAT64 prefix.
  • DNS64
    • NAT64 prefix
      6000::/96
      The NAT64 prefix configured on the DNS64 must be the same as that configured on the CGN.
    • Domain name: www.example.com
      Address that corresponds to the domain name: 6000::0101:301
      The address that corresponds to the domain name is calculated from the NAT64 prefix and the IPv4 Internet address of the server (1.1.3.1) on the IPv4 Internet.
  • PC1
    IPv4 private address: 192.168.0.2/24
  • PC2
    IPv6 address: 2000::2/64
  • PC3
    IPv6 address: 5000::2/64
  • Server
    IPv4 Internet address: 1.1.3.1/32

Table 1-13 shows the IPv4 route planning.

Table 1-13 IPv4 route planning

Item   Routing Protocol     Target Network Segment   Next Hop Address and Interface   Description
CPE    Default IPv4 route   0.0.0.0/0                Tunnel 1                         Route connecting the CPE to the DS-Lite tunnel of the CGN
CGN    Static IPv4 route    1.1.3.1/32               1.1.1.2                          Route connecting the CGN to the server on the IPv4 Internet

Table 1-14 shows the IPv6 route planning.

Table 1-14 IPv6 route planning

Item   Routing Protocol   Advertising Network Segment   Area     Description
CPE    OSPFv3             2000::/64                     Area 1   Route connecting the CPE to the IPv6 user interface
CPE    OSPFv3             3000::/64                     Area 0   Route connecting the CPE to the MAN
CGN    OSPFv3             4000::/64                     Area 0   Route connecting the CGN to the MAN
CGN    OSPFv3             5000::/64                     Area 2   Route connecting the CGN to the IPv6 Internet

Precautions

When the CGN is an Eudemon8000E-X and the triplet DS-Lite NAT function is required, the hash-based board selection mode must be source address hashing (firewall hash-mode source-only).

Configuration Flow

Table 1-15 shows the configuration flow of the solution.

Table 1-15 Configuration flow

  • CPE
    1. Configure the uplink and downlink interface data. (Mandatory)
      You can set the parameters based on the actual interface and IP address planning.
    2. Configure an IPv4 over IPv6 tunnel. (Mandatory)
      The IPv4 over IPv6 tunnel is used by the IPv4 user to reach the CGN across the IPv6 MAN.
      2.1 Specify the encapsulation type of the tunnel. (Mandatory)
        The encapsulation type of the tunnel is ipv4-ipv6.
      2.2 Specify the source address or source interface of the tunnel. (Mandatory)
        • You can specify the IPv6 address of the interface connected to the IPv6 network as the source address of the IPv4 over IPv6 tunnel, or directly specify that interface as the source interface.
        • Either a physical interface or a logical interface such as a loopback interface can be specified as the source interface of the tunnel.
      2.3 Set the destination address of the tunnel. (Mandatory)
        The destination address of the tunnel is the address of the interface (4000::1/64) that connects the CGN to the MAN.
      2.4 Configure the IPv4 address for the tunnel interface. (Mandatory)
    3. Configure routes. (Mandatory)
      The routes configured on the CPE include:
      • DS-Lite tunnel route: forwards IPv4 service packets
      • OSPFv3 on the interface connected to the IPv6 network: forwards IPv6 service packets
  • CGN
    1. Configure the uplink and downlink interface data. (Mandatory)
      You can set the parameters based on the actual interface and IP address planning.
    2. Configure the DS-Lite function. (Mandatory)
      DS-Lite enables private IPv4 users to traverse the IPv6 network and access the IPv4 Internet.
      2.1 Configure the DS-Lite tunnel interfaces. (Mandatory)
        The IPv4 over IPv6 tunnel is used by the IPv4 user to reach the CGN across the IPv6 MAN.
      2.2 Specify the encapsulation type of the tunnel. (Mandatory)
        The encapsulation type of the tunnel is ipv4-ipv6 ds-lite.
      2.3 Specify the source address or source interface of the tunnel. (Mandatory)
        • You can specify the IPv6 address of the interface connected to the IPv6 network as the source address of the IPv4 over IPv6 tunnel, or directly specify that interface as the source interface.
        • Either a physical interface or a logical interface such as a loopback interface can be specified as the source interface of the tunnel.
      2.4 Configure the IPv4 address of the tunnel interface. (Mandatory)
      2.5 Configure the NAT address pool. (Mandatory)
        The addresses in the NAT address pool are used as the IPv4 addresses after DS-Lite NAT translation.
      2.6 Configure the DS-Lite NAT policy. (Mandatory)
        DS-Lite NAT covers the DS-Lite NAT policy and the DS-Lite NAT server. Configure the DS-Lite NAT policy based on actual network conditions.
    3. Configure routes. (Mandatory)
      The routes configured on the CGN include:
      • Static routes to the CPE and the IPv4 Internet: forward IPv4 service packets
      • OSPFv3 on the interface connected to the IPv6 network: forwards IPv6 service packets
    4. Configure the NAT64 function. (Mandatory)
      The NAT64 function enables IPv6 users to access the IPv4 network.
      4.1 Configure the NAT address pool. (Mandatory)
        The addresses in the NAT address pool are used as the IPv4 addresses after NAT64 translation.
      4.2 Configure the NAT64 prefix and advertise it on the IPv6 network. (Mandatory)
        Whether the CGN performs NAT64 translation on an IPv6 packet depends on whether the packet's destination address carries the NAT64 prefix.
      4.4 Configure the NAT64 policy. (Mandatory)
        Configure NAT64 dynamic mapping in the NAT policy and set the NAT type to NAT64. When performing NAT64 translation, the CGN randomly selects one IPv4 address from the NAT address pool referenced by the NAT64 policy as the source address of the translated packet.

Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.
      <CPE> system-view  
      [CPE] ipv6
    2. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0 
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0 
      [CPE-GigabitEthernet1/0/0] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0 
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1 
      [CPE-GigabitEthernet1/0/1] ipv6 enable 
      [CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64 
      [CPE-GigabitEthernet1/0/1] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1 
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2 
      [CPE-GigabitEthernet1/0/2] ipv6 enable 
      [CPE-GigabitEthernet1/0/2] ipv6 address 3000::1 64 
      [CPE-GigabitEthernet1/0/2] quit 
      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2 
      [CPE-zone-untrust] quit
    3. Configure an IPv4 over IPv6 tunnel.

      # Configure the interface Tunnel1 of the IPv4 over IPv6 tunnel.

      [CPE] interface Tunnel 1 
      [CPE-Tunnel1] tunnel-protocol ipv4-ipv6 
      [CPE-Tunnel1] source 3000::1 
      [CPE-Tunnel1] destination 4000::1 
      [CPE-Tunnel1] ip address 10.1.1.1 255.255.255.0 
      [CPE-Tunnel1] quit

      # Add the Tunnel1 to the Untrust zone.

      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface tunnel 1 
      [CPE-zone-untrust] quit
    4. Configure the security policy.
      [CPE] security-policy 
      [CPE-policy-security] rule name policy1 
      [CPE-policy-security-policy1] source-zone trust untrust 
      [CPE-policy-security-policy1] destination-zone trust untrust 
      [CPE-policy-security-policy1] action permit 
      [CPE-policy-security-policy1] quit 
      [CPE-policy-security] rule name policy2 
      [CPE-policy-security-policy2] source-zone local untrust 
      [CPE-policy-security-policy2] destination-zone local untrust 
      [CPE-policy-security-policy2] action permit 
      [CPE-policy-security-policy2] quit 
      [CPE-policy-security] quit
    5. Configure OSPFv3 for routing the IPv6 services.
      [CPE] ospfv3 1 
      [CPE-ospfv3-1] router-id 1.1.1.1 
      [CPE-ospfv3-1] quit 
      [CPE] interface GigabitEthernet1/0/2 
      [CPE-GigabitEthernet1/0/2] ospfv3 1 area 0 
      [CPE-GigabitEthernet1/0/2] quit 
      [CPE] interface GigabitEthernet1/0/1 
      [CPE-GigabitEthernet1/0/1] ospfv3 1 area 1 
      [CPE-GigabitEthernet1/0/1] quit
    6. Configure the default IPv4 route for the tunnel.
      [CPE] ip route-static 0.0.0.0 0.0.0.0 tunnel 1
  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.
      <CGN> system-view  
      [CGN] ipv6
    2. Set the board-selection hash mode to hash on the source address only.
      [CGN] firewall hash-mode source-only
    3. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0 
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0 
      [CGN-GigabitEthernet1/0/0] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0 
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1 
      [CGN-GigabitEthernet1/0/1] ipv6 enable 
      [CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64 
      [CGN-GigabitEthernet1/0/1] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1 
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2 
      [CGN-GigabitEthernet1/0/2] ipv6 enable 
      [CGN-GigabitEthernet1/0/2] ipv6 address 4000::1 64 
      [CGN-GigabitEthernet1/0/2] quit 
      [CGN] firewall zone trust 
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2 
      [CGN-zone-trust] quit
    4. Configure a security policy.
      [CGN] security-policy 
      [CGN-policy-security] rule name policy1 
      [CGN-policy-security-policy1] source-zone trust untrust 
      [CGN-policy-security-policy1] destination-zone trust untrust 
      [CGN-policy-security-policy1] action permit 
      [CGN-policy-security-policy1] quit 
      [CGN-policy-security] rule name policy2 
      [CGN-policy-security-policy2] source-zone local trust 
      [CGN-policy-security-policy2] destination-zone local trust 
      [CGN-policy-security-policy2] action permit 
      [CGN-policy-security-policy2] quit 
      [CGN-policy-security] quit
    5. Configure the DS-Lite function.

      # Configure the Tunnel1 interface for the DS-Lite tunnel.

      [CGN] interface Tunnel 1 
      [CGN-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite 
      [CGN-Tunnel1] source 4000::1 
      [CGN-Tunnel1] ip address 10.1.1.2 255.255.255.0 
      [CGN-Tunnel1] quit

      # Add Tunnel1 to the Trust zone.

      [CGN] firewall zone trust 
      [CGN-zone-trust] add interface tunnel 1 
      [CGN-zone-trust] quit

      # Configure the NAT address pool.

      [CGN] nat address-group addressgroup1 
      [CGN-address-group-addressgroup1] route enable 
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5 
      [CGN-address-group-addressgroup1] quit

      # Configure the DS-Lite NAT policy.

      [CGN] nat-policy 
      [CGN-policy-nat] rule name policy_nat_1 
      [CGN-policy-nat-rule-policy_nat_1] nat-type ds-lite 
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust 
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust 
      [CGN-policy-nat-rule-policy_nat_1] source-address 3000::1 64 
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1 
      [CGN-policy-nat-rule-policy_nat_1] quit 
      [CGN-policy-nat] quit

      # Configure the NAT ALG between the Trust zone and the Untrust zone so that the server can provide FTP services externally.

      [CGN] firewall interzone trust untrust 
      [CGN-interzone-trust-untrust] detect ftp 
      [CGN-interzone-trust-untrust] quit
    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the FTP server on the Internet. Assume that the next hop address of the CGN to the Internet is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
    7. Configure OSPFv3 for routing the IPv6 services.
      [CGN] ospfv3 
      [CGN-ospfv3-1] router-id 2.2.2.2 
      [CGN-ospfv3-1] quit 
      [CGN] interface GigabitEthernet1/0/2 
      [CGN-GigabitEthernet1/0/2] ospfv3 1 area 0 
      [CGN-GigabitEthernet1/0/2] quit 
      [CGN] interface GigabitEthernet1/0/1 
      [CGN-GigabitEthernet1/0/1] ospfv3 1 area 2 
      [CGN-GigabitEthernet1/0/1] quit
    8. Configure the NAT64 function.

      # Configure IPv4 NAT address pool 2 and set the address range to 1.1.2.11 to 1.1.2.15. Use the addresses in the NAT address pool as the IPv4 addresses after the NAT64 processing.

      [CGN] nat address-group addressgroup2 
      [CGN-address-group-addressgroup2] mode pat 
      [CGN-address-group-addressgroup2] route enable 
      [CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15 
      [CGN-address-group-addressgroup2] quit

      # Set the NAT64 prefix to 6000::/96.

      [CGN] nat64 prefix 6000:: 96

      # Configure the NAT64 policy.

      [CGN] nat-policy 
      [CGN-policy-nat] rule name policy_nat64 
      [CGN-policy-nat-rule-policy_nat64] nat-type nat64 
      [CGN-policy-nat-rule-policy_nat64] source-zone trust 
      [CGN-policy-nat-rule-policy_nat64] destination-zone untrust 
      [CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64 
      [CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2 
      [CGN-policy-nat-rule-policy_nat64] quit 
      [CGN-policy-nat] quit

      # Configure the blackhole route to advertise the NAT64 prefix.

      [CGN] ipv6 route-static 6000:: 96 NULL 0

      # Introduce the blackhole route with the NAT64 prefix to the OSPFv3 protocol.

      [CGN] ospfv3 
      [CGN-ospfv3-1] import-route static 
      [CGN-ospfv3-1] quit
  • Configure the DNS64 device.

    Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as that configured on the CGN.

    Configure routes between the DNS64 device and the PC and the server so that they can reach each other.

    On the DNS64 device, set the IPv6 address that corresponds to domain name www.example.com to 6000::ca01:301.

  • Configure the server.

    In normal situations, the ISP is responsible for configuring the servers. This topic describes only the key points of server configuration.

    • Set the IP address of the FTP Server to 1.1.3.1/32.
    • Configure a route on the FTP server to the addresses in the NAT address pool of the CGN.
    • The server provides both FTP and HTTP services.
  • Configure PC1, PC2, and PC3.

    Specify a gateway for each PC. How PC addresses and routes are configured varies with the PC operating system and is not described here.
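The NAT64 prefix set in step 8 and the AAAA record configured on the DNS64 device have to agree with each other and with the IPv4 address of the server: under RFC 6052 a /96 prefix carries the IPv4 address in the low 32 bits, so the record DNS64 hands out for www.example.com must embed the address the NAT64 rule is supposed to reach. Decoding the record listed above, 6000::ca01:301, with the /96 prefix yields 202.1.3.1, while the server address used in the steps, 1.1.3.1, would be synthesized as 6000::101:301; whichever address the server really uses, the DNS64 record and the NAT64 mapping must match it. The following Python is an added example, not code from the Huawei document or the Eudemon products; it implements the RFC 6052 embedding for all defined prefix lengths, not only the /96 used on this page, so the same check works for deployments that use a shorter network-specific prefix.

```python
# Added example, not part of the Huawei document: synthesize and decode
# IPv4-embedded IPv6 addresses per RFC 6052 so that the NAT64 prefix on the
# CGN, the DNS64 AAAA record and the real IPv4 server address can be checked
# against each other. Handles all RFC 6052 prefix lengths, not only the /96
# used on this page.
import ipaddress

# Prefix lengths RFC 6052 allows. The IPv4 octets follow the prefix, except
# that byte 8 (bits 64-71, the "u" octet) is always skipped and stays zero.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _ipv4_byte_positions(prefixlen):
    """Byte offsets inside the 16-byte IPv6 address that carry the IPv4 octets."""
    if prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefixlen}")
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]


def synthesize_nat64(prefix, ipv4):
    """Embed ipv4 into the NAT64 prefix (e.g. '6000::/96') and return the
    IPv6 address a DNS64 server would publish in the AAAA record."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    packed = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_ipv4_byte_positions(net.prefixlen), octets):
        packed[pos] = octet
    return str(ipaddress.IPv6Address(bytes(packed)))


def extract_ipv4(prefix, ipv6):
    """Recover the IPv4 address embedded in an IPv6 address; this is the
    destination the NAT64 device forwards to on the IPv4 side."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not covered by NAT64 prefix {prefix}")
    packed = addr.packed
    octets = bytes(packed[pos] for pos in _ipv4_byte_positions(net.prefixlen))
    return str(ipaddress.IPv4Address(octets))


def dns64_record_is_consistent(prefix, aaaa, server_ipv4):
    """True when the AAAA record published by DNS64 actually embeds the
    IPv4 server address the NAT64 rule is expected to reach."""
    try:
        return extract_ipv4(prefix, aaaa) == server_ipv4
    except ValueError:
        return False


if __name__ == "__main__":
    # Values taken from this page: NAT64 prefix 6000::/96, server 1.1.3.1,
    # DNS64 record 6000::ca01:301.
    print("1.1.3.1 synthesized:", synthesize_nat64("6000::/96", "1.1.3.1"))
    print("6000::ca01:301 decodes to:", extract_ipv4("6000::/96", "6000::ca01:301"))
    print("record consistent with 1.1.3.1:",
          dns64_record_is_consistent("6000::/96", "6000::ca01:301", "1.1.3.1"))
```

The same check can be run against the output of `display firewall ipv6 session table`: the IPv6 destination in brackets should decode to the IPv4 destination shown next to it.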

Verification

  • Verify the IPv4 services.
    1. After the configuration is complete, access the FTP service provided by the server on the Internet using PC1 on the private IPv4 network.
      C:\Documents and Settings\Administrator>ftp 1.1.3.1 
      Connected to 1.1.3.1. 
      220 FTP service ready. 
      User (1.1.3.1:(none)): admin 
      331 Password required for admin. 
      Password: 
      230 User logged in. 
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the session information.
      [CPE] display firewall session table verbose 
       Current Total Sessions : 2                                                      
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122                 
        Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59                      
        Interface: Tunnel1  NextHop: 1.1.3.1  MAC: 0000-0000-0000        
        <--packets:8 bytes:498   -->packets:12 bytes:541                               
        192.168.0.2:1035+->1.1.3.1:21  PolicyName: ---                    
                                                                                       
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159                
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:00                      
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4  
        <--packets:3 bytes:124   -->packets:5 bytes:370                                
        1.1.3.1:20-->192.168.0.2:1036  PolicyName: ---                       

      The output shows that the outbound interface is the Tunnel1 interface and the tunnel is successfully established.

  • Verify the IPv6 services.
    1. From the CPE, ping the address of the CGN interface that connects to the IPv6 network, that is, GigabitEthernet 1/0/2.
      <CPE> ping ipv6 4000::1 
        PING 4000::1 : 56  data bytes, press CTRL_C to break                   
          Reply from 4000::1                                                   
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                      
          Reply from 4000::1                                                   
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                       
          Reply from 4000::1                                                   
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                       
                                                                               
        --- 4000::1 ping statistics ---                                        
          5 packet(s) transmitted                                              
          5 packet(s) received                                                 
          0.00% packet loss                                                    
          round-trip min/avg/max = 40/66/100 ms

      If the CGN can be pinged, the IPv6 routes between the CPE and the CGN are configured correctly. On the CPE and CGN, run the display ospfv3 routing command to view the OSPFv3 routing tables.

      [CPE] display ospfv3 routing 
      OSPFv3 Process (1)                                                               
         Destination                                            Metric                 
           Next-hop                                                                    
           2000::/64                                            1                      
           directly connected, GigabitEthernet1/0/1                                    
           3000::/64                                            1                      
           directly connected, GigabitEthernet1/0/2                                    
        IA 4000::/64                                           2                  
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2                         
        IA 5000::/64                                           3                      
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2                        

      The OSPFv3 routing table shows that the CPE has learned from the CGN the routes to the IPv6 MAN and the IPv6 Internet.

      [CGN] display ospfv3 routing 
      OSPFv3 Process (1)                                                               
         Destination                                                 Metric            
           Next-hop                                                                    
        IA 2000::/64                                                     3         
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2                          
        IA 3000::/64                                                     2         
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2                          
           4000::/64                                                     1             
            directly connected, GigabitEthernet1/0/2                                   
           5000::/64                                                     1             
            directly connected, GigabitEthernet1/0/1                                  

      The OSPFv3 routing table shows that the CGN has learned from the CPE the routes to the IPv6 MAN and the IPv6 users.

    2. On PC2, ping PC3.
      C:\> ping6 5000::2 
      from 2000::2 with 32 bytes of data: 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Reply from 5000::2: time<1ms 
      Ping statistics for 5000::2: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      If PC3 can be pinged, the IPv6 routes on the entire network are configured correctly.

  • Verify that an IPv6 user can access the IPv4 Internet.
    1. Ping domain name www.example.com on PC2.
      Pinging 6000::ca01:301 with 32 bytes of data: 
       
      Reply from 6000::ca01:301: time=23ms 
      Reply from 6000::ca01:301: time=6ms 
      Reply from 6000::ca01:301: time=12ms 
      Reply from 6000::ca01:301: time=33ms 
       
      Ping statistics for 6000::ca01:301: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 6ms, Maximum = 33ms, Average = 18ms

      The IPv4 server can be successfully pinged from the IPv6 PC through its NAT64-synthesized address 6000::ca01:301.

    2. In any view of the CGN, run the display firewall ipv6 session table command to check the NAT64 session table.
      <CGN> display firewall ipv6 session table 
       Slot: 6 CPU: 1                                                                  
      NAT64: icmp6 VPN: public --> public  2000::2.44152[1.1.2.14:10296] --> 6000::CA01:301.2048[1.1.3.1:2048]

      The NAT64 session table shows the mapping between the IPv6 source and destination addresses and ports and the translated IPv4 addresses and ports.
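The two verification steps above are checked by reading the session tables by eye: the FTP session should leave through Tunnel1 in the trust-to-untrust direction, and the NAT64 session should use a translated source address from addressgroup2 (1.1.2.11 to 1.1.2.15). The following Python is an added example, not code from the Huawei document or the Eudemon products; it parses a constructed copy of the `display firewall session table verbose` and `display firewall ipv6 session table` output shown above into records so that these checks can be scripted and repeated after every configuration change. The field names in the returned dicts are this example's own.

```python
# Added example, not part of the Huawei document: parse the session-table
# output shown in the verification steps and script the checks that the text
# performs by eye. SESSION_VERBOSE and NAT64_SESSION are constructed copies of
# the page's output.
import ipaddress
import re

SESSION_VERBOSE = """\
 Current Total Sessions : 2
  ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59
  Interface: Tunnel1  NextHop: 1.1.3.1  MAC: 0000-0000-0000
  <--packets:8 bytes:498   -->packets:12 bytes:541
  192.168.0.2:1035+->1.1.3.1:21  PolicyName: ---

  ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:00
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4
  <--packets:3 bytes:124   -->packets:5 bytes:370
  1.1.3.1:20-->192.168.0.2:1036  PolicyName: ---
"""

NAT64_SESSION = ("NAT64: icmp6 VPN: public --> public  "
                 "2000::2.44152[1.1.2.14:10296] --> 6000::CA01:301.2048[1.1.3.1:2048]")

_HEAD = re.compile(r"^\s*(\S+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+ID:\s*(\S+)")
_ZONE = re.compile(r"Zone:\s*(\w+)\s*-->\s*(\w+)\s+TTL:\s*(\S+)\s+Left:\s*(\S+)")
_IFACE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)")
_COUNT = re.compile(r"<--packets:(\d+)\s+bytes:(\d+)\s+-->packets:(\d+)\s+bytes:(\d+)")
# The arrow in the 5-tuple line appears as "+->" or "-->"; both are accepted.
_TUPLE = re.compile(r"^\s*([\d.]+):(\d+)\s*[+-]->\s*([\d.]+):(\d+)\s+PolicyName:\s*(\S+)")
_NAT64 = re.compile(
    r"NAT64:\s*(\S+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+"
    r"(\S+)\.(\d+)\[([\d.]+):(\d+)\]\s*-->\s*(\S+)\.(\d+)\[([\d.]+):(\d+)\]")


def parse_verbose_sessions(text):
    """Split the verbose IPv4 session output into one dict per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            cur = {"app": m[1], "vpn": (m[2], m[3]), "id": m[4]}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # "Current Total Sessions" header precedes the first entry
        if m := _ZONE.search(line):
            cur.update(src_zone=m[1], dst_zone=m[2], ttl=m[3], left=m[4])
        elif m := _IFACE.search(line):
            cur.update(interface=m[1], next_hop=m[2])
        elif m := _COUNT.search(line):
            cur.update(rev_packets=int(m[1]), rev_bytes=int(m[2]),
                       fwd_packets=int(m[3]), fwd_bytes=int(m[4]))
        elif m := _TUPLE.match(line):
            cur.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]),
                       policy=m[5])
    return sessions


def parse_nat64_session(line):
    """Parse one NAT64 entry: IPv6 endpoints with the translated IPv4 ones."""
    m = _NAT64.search(line)
    if not m:
        return None
    return {"proto": m[1], "vpn": (m[2], m[3]),
            "v6_src": m[4], "v6_sport": int(m[5]), "v4_src": m[6], "v4_sport": int(m[7]),
            "v6_dst": m[8], "v6_dport": int(m[9]), "v4_dst": m[10], "v4_dport": int(m[11])}


def in_pool(ip, first, last):
    """True when ip lies inside the inclusive NAT address-group section."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return lo <= ipaddress.IPv4Address(ip) <= hi


def sessions_via(sessions, interface):
    """Names of the applications whose sessions use the given outbound interface."""
    return [s["app"] for s in sessions if s.get("interface") == interface]


if __name__ == "__main__":
    sessions = parse_verbose_sessions(SESSION_VERBOSE)
    print("sessions leaving via Tunnel1:", sessions_via(sessions, "Tunnel1"))
    nat64 = parse_nat64_session(NAT64_SESSION)
    print("NAT64 source", nat64["v4_src"], "in addressgroup2:",
          in_pool(nat64["v4_src"], "1.1.2.11", "1.1.2.15"))
```

On a device with many sessions, feeding the full command output to `parse_verbose_sessions` and filtering on `src_zone`, `dst_zone` and `interface` gives a quick way to confirm that private IPv4 traffic is in fact being carried in the DS-Lite tunnel rather than leaking out of a native interface.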

Configuration Scripts

  • The CPE configuration script is as follows:
    #                                                                           
     sysname CPE                                                                     
    #                                                                                
     ipv6                                                                            
    #                                                                                
    interface GigabitEthernet1/0/0                                                   
     ip address 192.168.0.1 255.255.255.0                                            
    #                                                                                
    interface GigabitEthernet1/0/1                                                   
     ipv6 enable                                                                     
     ipv6 address 2000::1/64                                                         
     ospfv3 1 area 0.0.0.1                                                           
    #                                                                                
    interface GigabitEthernet1/0/2                                                   
     ipv6 enable                                                                     
     ipv6 address 3000::1/64                                                         
     ospfv3 1 area 0.0.0.0                                                           
    #                                                                                
    interface Tunnel1                                                                
     ip address 10.1.1.1 255.255.255.0                                             
     tunnel-protocol ipv4-ipv6                                                       
     source 3000::1                                                                  
     destination  4000::1                                                            
    #                                                                                
    firewall zone local                                                              
     set priority 100                                                                
    #                                                                                
    firewall zone trust                                                              
     set priority 85                                                                 
     add interface GigabitEthernet1/0/0                                              
     add interface GigabitEthernet1/0/1                                              
    #                                                                                
    firewall zone untrust                                                            
     set priority 5                                                                  
     add interface GigabitEthernet1/0/2                                              
     add interface Tunnel1                                                           
    #                                                                                
    security-policy                                                                  
     rule name policy1                                                               
      source-zone trust                                                              
      source-zone untrust                                                            
      destination-zone trust                                                         
      destination-zone untrust                                                       
      action permit                                                                  
     rule name policy2                                                               
      source-zone local                                                              
      source-zone untrust                                                            
      destination-zone local                                                         
      destination-zone untrust                                                       
      action permit                                                                  
    #                                                                                
    firewall zone dmz                                                                
     set priority 50                                                                 
    #                                                                                
    ospfv3 1                                                                         
     router-id 1.1.1.1                                                               
     area 0.0.0.0                                                                    
     area 0.0.0.1                                                                    
    #                                                                                
     ip route-static 0.0.0.0 0.0.0.0 Tunnel1                                         
    #                                                                                
    return                                                                          
  • The CGN configuration script is as follows:
    #                                                                           
     sysname CGN                    
    #                                                                                
     ipv6                                                                            
    #                                                                                
    firewall hash-mode source-only                                                   
    #                                                                                
     nat64 prefix 6000:: 96                                                          
    #                                                                                
    interface GigabitEthernet1/0/0                                                   
     undo shutdown                                                                   
     ip address 1.1.1.1 255.255.255.0                                              
    #                                                                                
    interface GigabitEthernet1/0/1                                                   
     undo shutdown                                                                   
     ipv6 enable                                                                     
     ipv6 address 5000::1/64                                                         
     ospfv3 1 area 0.0.0.2                                                           
    #                                                                                
    interface GigabitEthernet1/0/2                                                   
     undo shutdown                                                                   
     ipv6 enable                                                                     
     ipv6 address 4000::1/64                                                         
     ospfv3 1 area 0.0.0.0                                                           
    #                                                                                
    interface Tunnel1                                                                
     ip address 10.1.1.2 255.255.255.0                                               
     tunnel-protocol ipv4-ipv6 ds-lite                                               
     source 4000::1                                                                  
    #                                                                                
    firewall zone local                                                              
     set priority 100                                                                
    #                                                                                
    firewall zone trust                                                              
     set priority 85                                                                 
     add interface GigabitEthernet1/0/2                                              
     add interface Tunnel1                                                           
    #                                                                                
    firewall zone untrust                                                            
     set priority 5                                                                  
     add interface GigabitEthernet1/0/0                                              
     add interface GigabitEthernet1/0/1                                              
    #                                                                                
    firewall zone dmz                                                                
     set priority 50                                                                 
    #                                                                                
    security-policy                                                                  
     rule name policy1                                                               
      source-zone trust                                                              
      source-zone untrust                                                            
      destination-zone trust                                                         
      destination-zone untrust                                                       
      action permit                                                                  
     rule name policy2                                                               
      source-zone local                                                              
      source-zone trust                                                            
      destination-zone local                                                         
      destination-zone trust                                                       
      action permit                                                                  
    #                                                                                 
    nat address-group addressgroup1                                                  
     route enable                                                                     
     section 1 1.1.2.1 1.1.2.5                                                   
    nat address-group addressgroup2                                                  
     mode pat                                                              
     route enable                                                                     
     section 1 1.1.2.11 1.1.2.15                                                   
    # 
    nat-policy                                                                       
      rule name policy_nat_1                                                         
        nat-type ds-lite 
        source-zone trust                                                            
        destination-zone untrust                                                     
        source-address 3000::1 64                                                   
        action source-nat address-group addressgroup1                                       
      rule name policy_nat64                                                         
        nat-type nat64 
        source-zone trust                                                            
        destination-zone untrust                                                     
        source-address 2000:: 64                                                   
        action source-nat address-group addressgroup2                                       
    #                                                                                
    firewall interzone trust untrust                                                 
     detect ftp                                                                      
     #                                                                                
    ospfv3 1                                                                         
     router-id 2.2.2.2                                                               
     import-route static                                                             
    #                                                                                
     ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
     ipv6 route-static 6000:: 96 NULL0                                               
    #                                                                                
    return                                                                          
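Both scripts above permit all traffic between the zones they list: policy1 has trust and untrust as both source and destination zones with no address or service match, and policy2 does the same for local and the adjacent zone. In this lab that is what the steps intend, but it is exactly the kind of rule that should be narrowed before the same template goes into production. The following Python is an added example, not code from the Huawei document or the Eudemon products; it parses the `security-policy` block of a Huawei-style configuration script (sections separated by `#` lines, rules introduced by `rule name`) and reports permit rules that carry no narrowing match condition. The sample is a constructed copy of the CGN script's security-policy section, and the set of keywords treated as narrowing is this example's own choice.

```python
# Added example, not part of the Huawei document: audit the security-policy
# block of a Huawei-style configuration script for permit rules that match on
# zones only. CGN_SECURITY_POLICY is a constructed copy of the page's CGN
# script section; NARROWING_KEYS is this example's own list.
import re

CGN_SECURITY_POLICY = """\
#
security-policy
 rule name policy1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
 rule name policy2
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  action permit
#
firewall interzone trust untrust
 detect ftp
#
"""

# Match conditions that narrow a rule beyond zones. A permit rule carrying
# none of these applies to every host and every service between its zones.
NARROWING_KEYS = {"source-address", "destination-address", "service",
                  "user", "application", "url-category", "time-range"}


def parse_security_policy(script):
    """Return {rule_name: {keyword: [values...]}} for the security-policy block.
    Blocks end at the next line starting with '#'; rules start at 'rule name'."""
    rules, in_block, cur = {}, False, None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            in_block, cur = False, None
            continue
        if line == "security-policy":
            in_block = True
            continue
        if not in_block or not line:
            continue
        m = re.match(r"rule name (\S+)$", line)
        if m:
            cur = rules.setdefault(m[1], {})
            continue
        if cur is not None:
            key, _, value = line.partition(" ")
            cur.setdefault(key, []).append(value)
    return rules


def audit_permit_rules(rules):
    """Findings for permit rules with no narrowing match condition.
    both_directions is True when the same zone set is source and destination,
    i.e. the rule opens the reverse direction as well."""
    findings = []
    for name, attrs in rules.items():
        if attrs.get("action") != ["permit"]:
            continue
        if NARROWING_KEYS & attrs.keys():
            continue
        src = set(attrs.get("source-zone", []))
        dst = set(attrs.get("destination-zone", []))
        findings.append({"rule": name,
                         "source_zones": sorted(src),
                         "destination_zones": sorted(dst),
                         "both_directions": src == dst})
    return findings


if __name__ == "__main__":
    for f in audit_permit_rules(parse_security_policy(CGN_SECURITY_POLICY)):
        print(f"{f['rule']}: permits any host/service "
              f"{f['source_zones']} -> {f['destination_zones']}"
              f"{' (both directions)' if f['both_directions'] else ''}")
```

Running it on the CPE script from this page reports policy1 and policy2 in the same way, since that script uses the same pattern with local and untrust.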

Conclusion and Suggestions

Which of the three schemes to select for the CGN solution depends on how IPv4 and IPv6 are deployed on the network. The three schemes correspond to an IPv4-dominated network, a network where IPv4 and IPv6 coexist, and an IPv6-dominated network.

  • IPv4-dominated network

    Use NAT444 as the main transition technology to save as many public addresses as possible. Configure port pre-allocation so that the ports used for translation are planned in advance and used efficiently. In addition, configure linkage with the log server to support user tracing.

    Use IPv6 tunneling to enable access between the small number of IPv6 users on the network.

  • IPv4 and IPv6 coexistent network

    Use NAT444 together with port pre-allocation for IPv4 services to save public addresses and simplify user tracing.

    Because IPv6 has been deployed on the network, IPv6 services can reach each other through IPv6 route lookup.

    Access between IPv6 and IPv4 services can be provided through NAT64.

  • IPv6-dominated network

    IPv6 services on the network can reach each other through IPv6 route lookup without any transition technology.

    Access between the small number of IPv4 services can be provided through DS-Lite. You can also configure port pre-allocation to pre-allocate ports to users and support user tracing.

    Access between IPv6 and IPv4 services can be provided through NAT64.

Updated: 2019-06-17

Document ID: EDOC1100087915