© 2006 Cisco Systems, Inc. All rights reserved. 1
Tunneling, CGN and 6RD
Stefan Kollar, Consulting Systems Engineer, CCIE #10668, [email protected]
Agenda
• IPv6 tunnels
• IPv6 CGN
• 6RD introduction
• 6RD deployment
• Perform basic 6RD troubleshooting
• DEMO
Tunnels: IPv6-over-IPv4
• 6to4: stateless 6-over-4 encapsulation using the well-known (WK) 2002::/16 prefix; public IPv4 only; asymmetric routing problem
• 6rd: stateless 6-over-4 encapsulation using the SP's IPv6 prefix; works over public/private IPv4; RFC5969
• Softwires H/S: RFC5571; uses L2TPv2/IPv4 infrastructure
[Figure: three IPv6-over-IPv4 tunnel types reaching the IPv6 Internet across the IPv4 Internet – 6to4 over public IPv4 to a 6to4 relay, 6rd over public/private IPv4 to a 6rd BR, Softwires over public/private IPv4 from LAC to LNS; endpoints marked v4 and v4/6]
Tunnels: IPv4-over-IPv6
• Softwires H/S: RFC5571; leverages L2TPv2/IPv6 infrastructure
• Dual-Stack Lite: 4over6 tunnels terminate in the CGN; NAT44 on the AFTR; stateful IPv4 address sharing
• 4rd: stateless IPv4-over-IPv6 tunnel encap/decap; can do stateless IPv4 address sharing by allocating per-CPE port ranges; the CPE does NAT44 + 4rd encap/decap; draft-despres-intarea-4rd-xx
[Figure: three IPv4-over-IPv6 tunnel types reaching the IPv4 Internet across the IPv6 network – Softwires from LAC to LNS, DS-Lite from B4 to AFTR (CGN + 4ov6), 4rd between the CPE and the 4rd TC; endpoints marked v4 and v4/6]
What about DS-Lite?
• Not deployable due to the lack of IPv6-only access network(s) and missing B4 elements
• Solves the same problem(s) as CGN + 6rd, which is deployable right now using existing IETF standards and multi-vendor equipment
• AFTR coverage is limited to IPv6-only reachability to remote B4 elements
[Figure: B4 in the IPv6 access network – Softwire 4over6 (IPv4 in IPv6) – CGN NAT44 AFTR – IPv4 Internet; native IPv6 from the B4 to the IPv6 Internet]
IPv6 Transition Solutions – deployable today
1. CGN NAT44 to address IPv4 run-out (same IPv4 access network)
2. 6rd for IPv6 access to the IPv6 Internet (same IPv4 access network)
3. Controlled deployment of native IPv6 hosts/apps plus NAT64 (XLAT)
[Figure: Customer Network – CPE – IPv4 Access Network – CGN NAT44 – IPv4 Internet (step 1); 6rd tunnel from the CPE through the IPv4 access network to the IPv6 Internet (step 2); XLAT 1:1 / N:1 between IPv6 and IPv4 (step 3)]
CGv6 – Carrier Grade NAT
(1.) CGN NAT44 to address IPv4 address run-out: deployed, and is the foundation for future SP-class translation solutions (including NAT64)
(2.) 6rd for IPv6 subscriber access to the native IPv6 Internet
(3.) For native IPv6 interworking with IPv4:
• Stateless XLAT (1:1) for controlled deployments, available now (already supported in ASR1k, IOS XE 3.2)
• Stateful XLAT (N:1) NAT64/DNS64, available in 2H2011
Why Stateful XLAT (NAT64)?
• Performs IPv4 address sharing
• Based on IETF BEHAVE WG standards
• Complements and completes the standards-based XLAT portfolio
CGv6 – Carrier Grade NAT - Logging NAT binding records
1) Preferably NetFlow v9 (or its standardized successor IPFIX) with format (11)
2) Syslog: consumes more resources (e.g. CPU, bandwidth, memory), is less scalable and gives lower throughput
CGv6 – Carrier Grade NAT – PCP (Port Control Protocol)
PCP enables home network subscribers to create a port forwarding entry on the CGN.
https://datatracker.ietf.org/wg/pcp/
6RD - Introduction
• IPv6 Rapid Deployment
• Defined in draft-ietf-softwire-ipv6-6rd-10.txt; approved on May 20, 2010, by the IESG for publication as a standards track RFC (RFC5969)
• Mechanism for Service Providers to deliver IPv6 via their IPv4 network
• 6rd was first deployed by Free Telecom and is fully supported by Google
Why not 6to4?
• The 6to4 service is "over the top", operating without the SP really controlling who uses the service and who doesn't.
• The IPv6 community is trying to kill/deprecate 6to4.
6RD – Variation of 6to4
• Uses the SP's own IPv6 address prefix instead of 2002::/16
• The operational domain is limited to the SP's network and is under its direct control
• Not all 32 bits of the IPv4 destination address need to be carried in the IPv6 payload header
6RD Deployment
• 6RD SP Prefix – the IPv6 prefix selected by the SP for the given 6RD deployment
• 6RD Delegated Prefix – the IPv6 prefix derived from the SP prefix and the IPv4 address bits; used by the CE for hosts within its site
6RD Prefix Delegation
[Figure: IPv6 address layout – SP Prefix | IPv4 Address Bits (0-32 bits) | Subnet ID (16 bits) | Interface ID (64 bits); the SP prefix plus the IPv4 address bits form the 6RD delegated prefix, the remaining bits are the user's address space]
[Figure: IPv4 destination address layout – IPv4 Common Prefix (8 bits) | IPv4 Address Bits (0-32 bits) | IPv4 Common Suffix (8 bits)]
Example: SP v6 prefix 2001:B000::/32; v4 common prefix 10.1.0.0/16; v4 common suffix 0.0.0.1/8
6RD Prefix Delegation
[Figure: SP IPv4 network carrying the 6RD CE LAN multipoint tunnel – CE1 (10.1.1.1, Site 1), CE2 (10.1.2.1, Site 2), CE3 (10.1.3.1, Site 3) and the BR (10.1.4.1) towards the IPv6 Internet]
SP Prefix: 2001:B000::/32
IPv4 Common Prefix: 10.1.0.0/16
IPv4 Common Suffix: 0.0.0.1/8
• CE1: Delegated 6RD prefix 2001:B000:0100::/40; (V4) tunnel transport source 10.1.1.1
• CE2: Delegated 6RD prefix 2001:B000:0200::/40; (V4) tunnel transport source 10.1.2.1
• BR: Delegated 6RD prefix 2001:B000:0400::/40; (V4) tunnel transport source 10.1.4.1
6RD Tunnel Security
For packets received on 6RD tunnel interface
• IPv4 tunnel source must match the configured IPv4 common prefix and suffix.
• IPv4 source address must match the IPv4 address embedded in the IPv6 source address for packets received from CEs.
Packets not matching these criteria are dropped.
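As an added worked example, not code from this presentation or from Cisco, the following Python carries through the prefix delegation of the two preceding slides and the two receive-side checks of this slide. The domain parameters, addresses and resulting prefixes are the ones shown on the slides (the 2001:B000::/32 deployment with a /16 common prefix and /8 common suffix, and the 2001:1000::/32 deployment with prefix-len 8); the class and function names, the `v4_common` parameter that supplies the common bits, and the treatment of the CE's configured BR (`tunnel 6rd br`) as exempt from the checks are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SixRdDomain:
    """One 6rd domain, in terms of the IOS 'tunnel 6rd' settings (names are this example's own)."""
    sp_prefix: str        # tunnel 6rd prefix <SP IPv6 prefix>
    v4_prefix_len: int    # tunnel 6rd ipv4 prefix-len <n>
    v4_suffix_len: int    # tunnel 6rd ipv4 suffix-len <n>
    v4_common: str        # any IPv4 address of the domain; supplies the common prefix and suffix bits

    @property
    def network(self) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network(self.sp_prefix)

    @property
    def n_addr_bits(self) -> int:
        """Number of IPv4 bits carried in the IPv6 prefix (32 minus common prefix and suffix)."""
        n = 32 - self.v4_prefix_len - self.v4_suffix_len
        if n < 0 or self.network.prefixlen + n > 64:
            raise ValueError("SP prefix plus IPv4 address bits must fit in 64 bits")
        return n

    @property
    def delegated_len(self) -> int:
        return self.network.prefixlen + self.n_addr_bits

    def _common_mask(self) -> int:
        # 32-bit mask selecting the common prefix and suffix bits (everything except the variable bits)
        variable = ((1 << self.n_addr_bits) - 1) << self.v4_suffix_len
        return ~variable & 0xFFFFFFFF

    def matches_common_bits(self, ipv4: str) -> bool:
        """Check 1 of the security slide: the common prefix and suffix bits equal the configured ones."""
        a = int(ipaddress.IPv4Address(ipv4))
        c = int(ipaddress.IPv4Address(self.v4_common))
        return (a & self._common_mask()) == (c & self._common_mask())

    def delegated_prefix(self, ipv4: str) -> ipaddress.IPv6Network:
        """6rd delegated prefix: SP prefix followed by the variable bits of the IPv4 transport address."""
        a = int(ipaddress.IPv4Address(ipv4))
        addr_bits = (a >> self.v4_suffix_len) & ((1 << self.n_addr_bits) - 1)
        v6 = int(self.network.network_address) | (addr_bits << (128 - self.delegated_len))
        return ipaddress.IPv6Network((v6, self.delegated_len))

    def tunnel_destination(self, ipv6: str) -> Optional[ipaddress.IPv4Address]:
        """Reverse mapping used on encapsulation: the IPv4 tunnel endpoint embedded in an IPv6 address
        of this domain, or None when the address lies outside the domain (a CE then uses its BR)."""
        d = ipaddress.IPv6Address(ipv6)
        if d not in self.network:
            return None
        addr_bits = (int(d) >> (128 - self.delegated_len)) & ((1 << self.n_addr_bits) - 1)
        c = int(ipaddress.IPv4Address(self.v4_common))
        return ipaddress.IPv4Address((c & self._common_mask()) | (addr_bits << self.v4_suffix_len))


def accept_decapsulated(domain: SixRdDomain, outer_src_v4: str, inner_src_v6: str,
                        br: Optional[str] = None) -> bool:
    """Receive-side anti-spoofing checks of the '6RD Tunnel Security' slide: the outer IPv4 source must
    carry the common bits and must equal the IPv4 address embedded in the inner IPv6 source.
    On a CE the configured BR ('tunnel 6rd br') is exempt, since the BR relays arbitrary IPv6
    Internet sources (modelling the exemption as a full bypass is this example's assumption)."""
    if br is not None and ipaddress.IPv4Address(outer_src_v4) == ipaddress.IPv4Address(br):
        return True
    if not domain.matches_common_bits(outer_src_v4):
        return False
    embedded = domain.tunnel_destination(inner_src_v6)
    return embedded is not None and embedded == ipaddress.IPv4Address(outer_src_v4)


# Constructed inputs: the two deployments shown in the slides.
DOMAIN_A = SixRdDomain("2001:B000::/32", 16, 8, "10.1.0.1")   # common prefix 10.1.0.0/16, suffix 0.0.0.1/8
DOMAIN_B = SixRdDomain("2001:1000::/32", 8, 0, "10.0.0.0")    # prefix-len 8, no suffix

if __name__ == "__main__":
    for ce in ("10.1.1.1", "10.1.2.1", "10.1.4.1"):
        print(ce, "->", DOMAIN_A.delegated_prefix(ce))           # 2001:b000:100::/40, :200::/40, :400::/40
    print(DOMAIN_B.delegated_prefix("10.11.12.13"))            # 2001:1000:b0c:d00::/56 (BR general prefix)
    print(DOMAIN_B.tunnel_destination("2001:1000:A14:200::"))  # 10.10.20.2 (the CPE)
    print(accept_decapsulated(DOMAIN_B, "10.10.20.3", "2001:1000:A14:200::1"))  # False: spoofed source
```

`tunnel_destination` returning None is the CE's "destination outside my 6rd domain" case, which the configuration slides handle with a default route towards the BR's 6rd address; on the BR the same None causes `accept_decapsulated` to drop a CE packet whose inner source does not belong to the domain, which is what the `TunnelDecapSecChkFail` drop counter in the debugging section records.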
Configuration
6RD Configuration Steps
interface Tunnel0
 ipv6 address 2001:B000:200::1/124
 tunnel source GigabitEthernet1/1/7
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 2001:B000::/32
 tunnel 6rd ipv4 prefix-len 16 suffix-len 8
!
interface GigabitEthernet1/1/7
 ip address 100.1.2.1 255.255.255.0
Callouts: "tunnel mode ipv6ip 6rd" = 6RD tunnel mode; "tunnel 6rd prefix" = Service Provider IPv6 prefix; "tunnel 6rd ipv4 prefix-len / suffix-len" = common IPv4 prefix and suffix
CE-specific CLI
router(config-if)# tunnel 6rd br <ipv4-address>
Optional CLI, configured when the router is used as a CE: skips the security check for packets whose source IPv4 address is the configured BR address.
IPv6 General-Prefix
ipv6 general-prefix <name> 6rd tunnel <tunnel-interface-number>
Used to define an IPv6 general-prefix computed from a 6rd tunnel interface
asr1k(config)#ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
*May 23 11:12:05.644: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state
asr1k(config)#
asr1k(config)#do sh run int tun 0
Building configuration...

Current configuration : 40 bytes
!
interface Tunnel0
 no ip address
end

asr1k(config)#
Cisco IOS Configuration related to 6RD only; Loopbacks (/32); 6RD-BR Anycast Routing
[Figure: 6RD-CE (CPE, FE0 / vlan 10) – IPv4 access network – two 6RD-BRs, both reachable on the anycast address 10.11.12.13]

6RD-BR:
!
interface Loopback0
 ip address 10.11.12.13 255.255.255.255
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address DELEGATED_PREFIX 2001:1000::/128 anycast
 tunnel source Loopback0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:1000::/32
!
ipv6 route 2001:1000::/32 Tunnel0
!

6RD-CE (CPE):
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 enable
 tunnel source FastEthernet0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:1000::/32
 tunnel 6rd br 10.11.12.13
!
interface FastEthernet0
 ip address dhcp
 duplex auto
 speed auto
!
interface Vlan10
 no ip address
 ipv6 address DELEGATED_PREFIX 2001:1000::/64 eui-64
!
ipv6 route 2001:1000::/32 Tunnel0
ipv6 route ::/0 Tunnel0 2001:1000:B0C:D00::
6RD Deployment
tunnel 6rd ipv4 prefix-len 8 (32-8 = 24 IPv4 address bits carried in the IPv6 prefix)
tunnel 6rd prefix 2011:1000::/32
Debugging
6RD IOS Show Commands
show ipv6 interface tunnel <n>
show tunnel 6rd tunnel <n>
show tunnel 6rd destination <SP-v6prefix> tunnel <n>
show tunnel 6rd prefix <v4-destination> tunnel <n>
Sample IOS Show Command output
asr1k#sh ipv6 int tun 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A0B:C0D
  No Virtual link-local address(es):
  General-prefix in use for addressing
  Global unicast address(es):
    2001:1000:B0C:D00::, subnet is 2001:1000:B0C:D00::/128 [ANY]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:0
    FF02::1:FF0B:C0D
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Post_Encap features: Tunnel 6RD
  ND DAD is not supported
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (periodic)
  Hosts use stateless autoconfig for addresses.
asr1k#
Sample IOS Show Command output
6RD Border Relay Router:
asr1k#sh tunnel 6rd tunnel 0
Interface Tunnel0:
  Tunnel Source: 10.11.12.13
  6RD: Operational, V6 Prefix: 2001:1000::/32
  V4 Prefix, Length: 8, Value: 10.0.0.0
  V4 Suffix, Length: 0, Value: 0.0.0.0
  General Prefix: 2001:1000:B0C:D00::/56

6RD Customer Edge - CPE:
isr1812#sh tunnel 6rd tunnel 0
Interface Tunnel0:
  Tunnel Source: 10.10.20.2
  6RD: Operational, V6 Prefix: 2001:1000::/32
  V4 Prefix, Length: 8, Value: 10.0.0.0
  V4 Suffix, Length: 0, Value: 0.0.0.0
  Border Relay address: 10.11.12.13
  General Prefix: 2001:1000:A14:200::/56
Sample IOS Show Command output
asr1k#sh tunnel 6rd destination 2001:1000:B0C:D00:: tunnel 0
Interface: Tunnel0
  6RD Prefix: 2001:1000:B0C:D00::
  Destination: 10.11.12.13

asr1k#sh tunnel 6rd prefix 10.10.20.2 tunnel 0
Interface: Tunnel0
  Destination: 10.10.20.2
  6RD Prefix: 2001:1000:A14:200::
Sample QFP show platform output
router# show platform hardware qfp active statistics drop
----------------------------------------------------------------
Global Drop Stats                         Packets          Octets
---------------------------------------------------------------
TunnelDecapSecChkFail                           5             690
6RD Statistics
router# show interfaces tunnel 0 stats
Tunnel0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
       Distributed cache        100      11200        100      13200
                   Total        100      11200        100      13200
Software Release and platforms
• IOS 15.1(3)T for 800, 1800, 1900, 2800, 2900, 3800, 3900, 7200
• IOS XE Release 3.1S for the ASR 1K series
• IOS 15.1(3)S for 7600 (coming ~July 2011)
• IOS-XR 3.9.3 for the CGSE (CGNv6) blade in CRS
• 6RD on CPE: Linksys, Pirelli and many other CPE vendors