Cisco ASR 9000 Series Aggregation Services Router CGv6 ... · 11 Cisco ASR 9000 Series Aggregation...

Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration GuideCisco IOS XR Software Release 5.1.x

Cisco Systems, Inc.www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Customer Order Number: OL-30392-02

http://www.cisco.com

http://www.cisco.com/go/offices

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide

© 2013 - 2014 Cisco Systems, Inc. All rights reserved.

https://www.cisco.com/go/trademarks

Cisco ASR 9000 Series Ag

OL-30392-01

C O N T E N T S

1

Preface 1

Changes to This Document 1

Obtaining Documentation and Submitting a Service Request 1

C H A P T E R 1 New and Changed Information in Cisco IOS XR Release 5.1.x 1-1

C H A P T E R 2 Introduction 2-1

Contents 2-1

Overview of CGv6 2-2

CGv6 Overview 2-2

Benefits of CGv6 2-3

IPv4 Address Shortage 2-3

Prerequisites for Implementing the CGv6 2-3

Implementation of NAT 2-3

This section explains various implementations of NAT. The implementation of NAT over ISM and VSM are explained in the following chapters. 2-3

Implementing NAT with ICMP 2-3

ICMP Query Session Timeout 2-4

Implementing NAT with TCP 2-4

Address and Port Mapping Behavior 2-4

Internally Initiated Connections 2-4

Externally Initiated Connections 2-4

Double NAT 444 2-5

Address Family Translation 2-5

Additional References 2-5

Related Documents 2-5

Standards 2-5

MIBs 2-6

RFCs 2-6

Technical Assistance 2-6

11gregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide

Contents

C H A P T E R 3 Carrier Grade IPv6 over Integrated Services Module (ISM) 3-3

Contents 3-3

Cisco Integrated Service Module 3-3

Solution Components 3-3

Support for Multiple ISM Line Cards 3-4

CGN as Default Application on ISM 3-5

Configuring CGN as Default Application on ISM 3-5

Implementing NAT over ISM 3-5

Implementing NAT 44 over ISM 3-5

Implementing NAT 64 over ISM 3-8

CGv6 Applications 3-11

Network Address Translation (NAT44) 3-11

Dual-Stack Lite 3-12

Stateful NAT64 3-13

Mapping of Address and Port-Translation Mode 3-15

IPv6 Rapid Deployment 3-16

Mapping of Address and Port-Encapsulation Mode 3-17

Policy Functions 3-17

Application Level Gateway 3-17

TCP Maximum Segment Size Adjustment 3-18

Static Port Forwarding 3-18

High Availability 3-18

External Logging 3-19

Netflow v9 Support 3-19

Syslog Support 3-19

Bulk Port Allocation 3-20

Destination-Based Logging 3-20

Configuring CGv6 on Cisco IOS XR Software 3-20

Installing Carrier Grade IPv6 on ISM 3-20

Hardware 3-20

Software 3-20

FPGA UPGRADE 3-21

Accessing CPU consoles on ISM Card 3-22

Installing CGv6 Application on an ISM Running CDS-TV/CDS-IS for Cisco IOS XR Software Release 4.2.0 3-22

Installing CGv6 Application on an ISM Running CDS-TV/CDS-IS for Cisco IOS XR Software Release 4.2.1 3-23

Configuring the Service Role for the Carrier Grade IPv6 3-24

Configuring the Service Instance and Location for the Carrier Grade IPv6 3-26

12Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide

OL-30392-01

Contents

Configuring the Infrastructure Service Virtual Interface for the Carrier Grade IPv6 3-27

Configuring Different CGv6 Applications on ISM 3-29

Configuring NAT44 on ISM 3-29

Configuring the Application Service Virtual Interface 3-29

Configuring a NAT44 Instance 3-31

Configuring an Inside and Outside Address Pool Map 3-32

Configuring the Policy Functions 3-34

Configuring External Logging for the NAT Table Entries 3-51

Netflow Logging 3-52

Syslog Logging 3-60


Destination-Based Logging for NAT44 3-68

Configuring DS-Lite on ISM 3-72


Configuring a DS Lite Instance 3-74


Configuring External Logging 3-91


Syslog Logging 3-98


Destination-Based Logging for DS-Lite 3-105

Configuring Stateful NAT64 on ISM 3-109


Configuring a Stateful NAT64 Instance 3-111


Configuring External Logging 3-143

Configuring MAP-T on ISM 3-153


Configuring a MAP-T Instance 3-155


Configuring 6RD on ISM 3-173


Configuring a 6RD Instance 3-175


Configuring MAP-E on ISM 3-193


Configuring a MAP-E Instance 3-195


Configuring High Availability on ISM 3-210

Configuring Active or Standby ISM 3-210


OL-30392-01

Contents

Enabling Failure Detection 3-212

Configuration Examples for Implementing CGv6 3-214

Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example 3-214

NAT44 Configuration: Example 3-215

Bulk Port Allocation and Syslog Configuration: Example 3-217

DS Lite Configuration: Example 3-217

IPv6 ServiceApp and Static Route Configuration 3-217

IPv4 ServiceApp and Static Route Configuration 3-218

DS Lite Configuration 3-218

Stateful NAT64 Configuration: Example 3-218

MAP-T Configuration: Example 3-221

DBL Configuration: Example 3-222

NAT44 Instance 3-222

DS-Lite Instance 3-222

Services Redundancy Configuation (Active/Standby ISM): Example 3-222

6RD Configuration: Example 3-223

MAP-E Configuration: Example 3-224

PPTP ALG Configuration: Example 3-225

NAT44 Instance 3-225

C H A P T E R 4 Carrier Grade IPv6 over Virtualized Services Module (VSM) 4-1

Virtualized Services Module (VSM) 4-1

VSM Components 4-1

Features and Considerations 4-2

Installing CGv6 on VSM 4-2

Prerequisites 4-3

Installing CGv6 OVA Package 4-3

Activating CGv6 VM 4-4

Uninstalling CGv6 on VSM 4-5

Deactivating CGv6 VM 4-5

Uninstalling CGv6 OVA Package 4-5

Disabling the Service Enablement Feature 4-5

Implementing NAT44 on VSM 4-5

TCP Sequence Check 4-6

Address and Port-Dependent Filtering 4-6

Configuring NAT44 on VSM 4-7

Configuring a NAT44 Instance 4-7



OL-30392-01

Contents

4-10

Configuring an Inside and Outside Address Pool Map 4-10


Configuring External Logging for the NAT Table Entries 4-35


Syslog Logging 4-43

Configuration Examples for Implementing CGv6 4-49

Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example 4-49

NAT44 Configuration: Example 4-50

Configuring TCP Sequence-Check: Example 4-52

Configuring Address and Port-Dependent Filtering: Example 4-53

Bulk Port Allocation and Syslog Configuration: Example 4-53

C H A P T E R 5 External Logging 5-3


Restrictions for Bulk Port Allocation 5-3

Session logging 5-4

Syslog 5-4

Restrictions for Syslog 5-4

Syslog Message Format 5-5

Header 5-5

Structured Data 5-6

MSG 5-6

Netflow v9 Support 5-9

Considerations 5-9

NetFlow Record Format 5-9

Header 5-9

Templates 5-9

Options Templates 5-9

Events 5-10

Frequently Asked Questions 5-20

I N D E X


OL-30392-01

Contents


OL-30392-01

Preface

The Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide preface contains the following sections:

• Changes to This Document, page 1

• Obtain Documentation and Submit a Service Request, page 1

Changes to This DocumentTable 1 lists the technical changes made to this document since it was first printed.

Obtain Documentation and Submit a Service RequestFor information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.

Table 1 Changes to This Document

Revision Date Change Summary

OL-30392-02 May 2014 Re-published with documentation updates for Cisco IOS XR Release 5.1.2 features.

OL-30392-01 September 2013 Initial release of this document.


OL-30392-01

https://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html

https://www.cisco.com/assets/cdc_content_elements/rss/whats_new/whatsnew_rss_feed.xml

Obtain Documentation and Submit a Service Request


OL-30392-01

Cisco ASR 9000 Series Aggregation Services Router C

OL-30392-01

C H A P T E R 1
New and Changed Information in Cisco IOS XR Release 5.1.x
This table summarizes the new and changed information for the Cisco ASR 9000 Series Aggregation Services Router CGv6 Configuration Guide, and tells you where the features are documented.

Table 1-1 New and Changed Features

Feature DescriptionIntroduced/Changed in Release Where Documented

VSM CGv6 over Virtualized Services Module (VSM) has been introduced

Release 5.1.2 CGv6 over VSM chapter

No new features. NA Release 5.1.0 NA

1-11arrier Grade IPv6 (CGv6) Configuration Guide

Chapter 1 New and Changed Information in Cisco IOS XR Release 5.1.x

1-12Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide

OL-30392-01


OL-30392-01

C H A P T E R 2
Introduction
This module provides an overview of the Carrier Grade IPv6 (CGv6) on Cisco IOS XR software.

Contents• Overview of CGv6

• Implementation of NAT

• Double NAT 444

• Address Family Translation

• Additional References

The following table lists changes made to the document.

Table 2-1 Feature History for Implementing CGv6 on ASR 9000 Router

Release Modification

Release 4.2.0 Initial release of this document.

CGv6 applications such as CGN or NAT44 are supported.

Release 4.2.1 These features were introduced:

• DS-Lite.

• Syslog and Bulk Port Allocation for NAT44 and DS-Lite.

Release 4.2.3 Support for multiple ISM line cards.


• Stateful NAT64

• Mapping of Address and Port-Translation Mode

• High Availability

• Destination-Based Logging


Chapter 2 IntroductionOverview of CGv6

Overview of CGv6To implement the CGv6, you should understand the following concepts.

• CGv6 Overview, page 2-2

• Benefits of CGv6, page 2-3

• Prerequisites for Implementing the CGv6, page 2-3

CGv6 Overview

Internet Protocol version 4 (IPv4) has reached exhaustion at the international level (IANA). But service providers must maintain and continue to accelerate growth. Billions of new devices such as mobile phones, portable multimedia devices, sensors, and controllers are demanding Internet connectivity at an increasing rate. The Cisco Carrier Grade IPv6 Solution (CGv6) is designed to help address these challenges. With Cisco CGv6, you can:

• Preserve investments in IPv4 infrastructure, assets, and delivery models.

• Prepare for the smooth, incremental transition to IPv6 services that are interoperable with IPv4.

• Prosper through accelerated subscriber, device, and service growth that are enabled by the efficiencies that IPv6 can deliver.

Cisco CGv6 extends the already wide array of IPv6 platforms, solutions, and services. Cisco CGv6 helps you build a bridge to the future of the Internet with IPv6.

Cisco ASR 9000 Series Aggregation Services Router is part of the Cisco CGv6 solution portfolio and therefore different CGv6 solutions or applications are implemented on this platform (specifically on ISM service card).


• IPv6 Rapid Deployment

• Mapping of Address and Port-Encapsulation Mode

• Point-to-Point Tunneling Protocol-Application Level Gateway on NAT44

• Real-Time Streaming Proocol-Application Level Gateway on Stateful NAT64

Release 5.1.1 Support for Virtualized Services Module (VSM) has been introduced in this release.

Table 2-1 Feature History for Implementing CGv6 on ASR 9000 Router

Release Modification


OL-30392-01

Chapter 2 IntroductionImplementation of NAT

Benefits of CGv6

CGv6 offers these benefits.

• Enables service providers to execute orderly transitions to IPv6 through mixed IPv4 and IPv6 networks.

• Provides address family translation but not limited to just translation within one address family.

• Delivers a comprehensive solution suite for IP address management and IPv6 transition.

IPv4 Address Shortage

A fixed-size resource such as the 32-bit public IPv4 address space will run out in a few years. Therefore, the IPv4 address shortage presents a significant and major challenge to all service providers who depend on large blocks of public or private IPv4 addresses for provisioning and managing their customers.

Service providers cannot easily allocate sufficient public IPv4 address space to support new customers that need to access the public IPv4 Internet.

Prerequisites for Implementing the CGv6

The following prerequisites are required to implement CGv6.

• You must be running Cisco IOS XR software Release 4.2.0 and above.

• You must have installed the CGv6 service package, asr9k-services-p.pie (to be used with RSP2) or asr9k-services-px.pie (to be used with RSP3).

• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.

Note All the error conditions result in a syslog message. On observation of Heartbeat failure messages, contact Cisco Technical Support with show tech-support services cgn information.

If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Implementation of NATThis section explains various implementations of NAT. The implementation of NAT over ISM and VSM are explained in the following chapters.

Implementing NAT with ICMPThis section explains how the Network Address Translation (NAT) devices work in conjunction with Internet Control Message Protocol (ICMP).

The implementations of NAT varies in terms of how they handle different traffic.


OL-30392-01

Chapter 2 IntroductionImplementing NAT with ICMP

ICMP Query Session Timeout

RFC 5508 provides ICMP Query Session timeouts. A mapping timeout is maintained by NATs for ICMP queries that traverse them. The ICMP Query Session timeout is the period during which a mapping will stay active without packets traversing the NATs. The timeouts can be set as either Maximum Round Trip Time (Maximum RTT) or Maximum Segment Lifetime (MSL). For the purpose of constraining the maximum RTT, the Maximum Segment Lifetime (MSL) is considered a guideline to set packet lifetime.

If the ICMP NAT session timeout is set to a very large duration (240 seconds) it can tie up precious NAT resources such as Query mappings and NAT Sessions for the whole duration. Also, if the timeout is set to very low it can result in premature freeing of NAT resources and applications failing to complete gracefully. The ICMP Query session timeout needs to be a balance between the two extremes. A 60-second timeout is a balance between the two extremes.

Implementing NAT with TCP

This section explains various NAT behaviors that are applicable to TCP connection initiation. The detailed NAT with TCP functionality is defined in RFC 5382.

Address and Port Mapping Behavior

A NAT translates packets for each TCP connection using the mapping. A mapping is dynamically allocated for connections initiated from the internal side, and potentially reused for certain connections later.

Internally Initiated Connections

A TCP connection is initiated by internal endpoints through a NAT by sending SYN packet. All the external IP address and port used for translation for that connection are defined in the mapping.

Generally for the client-server applications where an internal client initiates the connection to an external server, to translate the outbound SYN, the resulting inbound SYN-ACK response mapping is used, the subsequent outbound ACK, and other packets for the connection.

The 3-way handshake corresponds to method of connection initiation.

Externally Initiated Connections

For the first connection that is initiated by an internal endpoint NAT allocates the mapping. For some situations, the NAT policy may allow reusing of this mapping for connection initiated from the external side to the internal endpoint.


OL-30392-01

Chapter 2 IntroductionDouble NAT 444

Double NAT 444The Double NAT 444 solution offers the fastest and simplest way to address the IPv4 depletion problem without requiring an upgrade to IPv6 anywhere in the network. Service providers can continue offering new IPv4 customers access to the public IPv4 Internet by using private IPv4 address blocks, if the service provider is large enough; However, they need to have an overlapping RFC 1918 address space, which forces the service provider to partition their network management systems and creates complexity with access control lists (ACL).

Double NAT 444 uses the edge NAT and CGv6 to hold the translation state for each session. For example, both NATs must hold 100 entries in their respective translation tables if all the hosts in the residence of a subscriber have 100 connections to hosts on the Internet). There is no easy way for a private IPv4 host to communicate with the CGv6 to learn its public IP address and port information or to configure a static incoming port forwarding.

Address Family TranslationThe IPv6-only to IPv4-only protocol is referred to as address family translation (AFT). The AFT translates the IP address from one address family into another address family. For example, IPv6 to IPv4 translation is called NAT 64 or IPv4 to IPv6 translation is called NAT 46.

Additional ReferencesFor additional information related to Implementing the Carrier Grade IPv6, see the following references:

Related Documents

Standards

Related Topic Document Title

Cisco IOS XR Carrier Grade IPv6 commands Cisco IOS XR Carrier Grade IPv6 (CGv6) Command Reference for the Cisco CRS-1 Router.

Cisco CRS-1 Router Getting Started material Cisco IOS XR Getting Started Guide

Information about user groups and task IDs Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide

Standards1

1. Not all supported standards are listed.

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

—


OL-30392-01

Chapter 2 IntroductionAdditional References

MIBs

RFCs

Technical Assistance

MIBs MIBs Link

— To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs1

1. Not all supported RFCs are listed.

Title

RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP

RFC 5382 NAT Behavioral Requirements for TCP

RFC 5508 NAT Behavioral Requirements for ICMP

Description Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


OL-30392-01

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

http://www.cisco.com/techsupport


OL-30392-01

C H A P T E R 3
Carrier Grade IPv6 over Integrated Services Module (ISM)
This module describes how to implement the Carrier Grade IPv6 (CGv6) over Integrated Services Module (ISM).

Contents• Cisco Integrated Service Module

• Implementing NAT over ISM

• Configuring Different CGv6 Applications on ISM

• Configuring High Availability on ISM

• Configuration Examples for Implementing CGv6

Cisco Integrated Service ModuleCisco Integrated Service Module (ISM) is a physical line interface module (PLIM) that provides a highly scalable modular services delivery platform for delivering multiple types of services. ISM is designed to deliver flexible and highly scalable service integration that allows operational efficiency, service flexibility, and faster time to market. The module offers the architectural advantages of integration with the routing system.

Solution Components

These are the solution components of the Cisco Integrated Service Module (ISM).

• ASR 9000 with IOS XR

– High-capacity, carrier-class SP platform with Cisco IOS XR Software

– Leverages XR infrastructure to divert packets to ISM

– Uniform, integrated configuration and management

• Integrated Service Module

– Flexible Linux-based development & test environment


Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Cisco Integrated Service Module

– Supports required CGv6

– First IPv6 Transition Strategy

• Integrated Service Module

– Hardware-

• CGv6 function residing on ISM

• Intel x86 with 12 CPU cores

– Software-

• IOS-XR on LC, Linux on Intel CPUs

• Integrated configuration and management through Cisco IOS XR Software

• Service Virtual Interface (SVI)

– Two types of Service Virtual Interfaces are used in ISM

• ServiceInfra SVI

• ServiceApp SVI

There can be only one ServiceInfra SVI per ISM Slot. This is used for the management plane and is required to bring up ISM. This is of local significance within the chassis.

ServiceApp SVI is used to forward the data traffic to the Application. Scale of ISM 244 ServiceApp per chassis is validated. These interfaces can be advertised in IGP/EGP.

Support for Multiple ISM Line Cards

Cisco IOS XR Software Release 4.2.3 and onwards supports a maximum of six ISM line cards in each Cisco ASR 9000 Series Aggregation Services Router chassis. For applications such as NAT44 and DS-Lite, the configuration can be independently applied to each ISM line card.

For NAT-44, a maximum of twenty million sessions are supported by each ISM line card.

For NAT-64, a maximum of fifteen million sessions are supported by each ISM line card

For DS-Lite, a maximum of twenty million sessions are supported by each ISM line card.

Note No additional configuration is required to support multiple ISM line cards.


OL-30392-01

Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Implementing NAT over ISM

CGN as Default Application on ISM

ISM supports CGN as the default application.

Configuring CGN as Default Application on ISM

To configure CGN as the default application, perform these steps.

Step 1 Install CGN services.pie.

Step 2 Configure the CGN role using hw-module service cgn location <node_id> command.

Step 3 Load the CGN Linux image as the default image instead of CDS-IS.

Step 4 Reload ISM.

Implementing NAT over ISMThese sections provide the information about implementation of NAT.

• Implementing NAT 44 over ISM, page 3-5

• Implementing NAT 64 over ISM, page 3-8

Implementing NAT 44 over ISM

The following figure illustrates the implementation of NAT 44 over ISM.

The components of this illustration are as follows:

• Private IP4 subscribers: It denotes a private network.

• Interface/VLAN: It denotes a designated interface or VLAN which is associated with the VRF.

• Inside VRF: It denotes the VRF that handles packets coming from the subscriber network. It is known as inside VRF as it forwards packets from the private network.

• App SVI: It denotes an application interface that forwards the data packet to and from the ISM. The data packet may be sent from another line card through a backplane. Because the ISM card does not have a physical interface, the APP SVI acts as a logical entry into it.

Private IPv6Subscribers

3610

60

Interface

InsideVRF

OutsideVRF

VLAN

ISM onASR9K

App SV App SV

Interface

VLAN

VLAN

Public IPv4


OL-30392-01


The inside VRF is bound to an App SVI. There are 2 App SVIs required; one for the inside VRF and the other one for the outside VRF. Each App SVI pair will be associated with a unique "inside VRF" and a unique public IP address pool. The VRF consists of a static route for forwarding packets to App SVI1.

• Outside VRF: It denotes the VRF that handles packets going out to the public network. It is known as outside VRF as it forwards packets from the public network.

• Public IPV4: It denotes a public network.

The following figure illustrates the path of the data packet from a private network to a public network in a NAT implementation.

The packet goes through the following steps when it travels from the private network to the public network:

Step 1 In the network shown in this figure, the packet travels from the host A (having the IP address 10.222.5.55) in the private network to host B (having the IP address 5.5.5.2) in the public network. The private address has to be mapped to the public address by NAT44 that is implemented in ISM.

Step 2 The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 0. While using NAT44, it is mandatory that the packet enters through VRF.

Step 3 Once the packet reaches the designated interface or VLAN on ASR9K, it is forwarded to the inside VRF either through static routing or ACL-based forwarding (ABL). After the inside VRF determines that the packet needs address translation, it is forwarded to the App SVI that is bound to the VRF.

Step 4 The packet is forwarded by AppSVI1 through a default static route (ivrf1). The destination address and the port get translated because of the CGN configuration applied on ISM.

Step 5 The ISM applies NAT44 to the packet and a translation entry is created. The CGN determines the destination address from the FIB Look Up. It pushes the packet to the egress port.

Step 6 The packet is then forwarded to the egress port on the interface through App SVI2. An inside VRF is mapped to an outside VRF. The outside VRF is associated with this interface. The packet is forwarded by App SVI2 through the default static route (ovrf1). Then the packet is sent to the public network.

PVTNW

10.222.5.22

s: 10.222.5.55 : 5000d: 50.12.13.8 : 5000

s: 10.222.5.55 : 5000d: 50.12.13.8 : 5000

s: 100.0.0.192 : 23156d: 50.12.13.8 : 5000

s: 100.0.0.192 : 23156d: 50.12.13.8 : 5000

G0/6/5/0.110.222.5.2/24

Slot 6GigE

Slot 3ISM

G0/6/5/1.150.12.13.2/24

ServiceApp2ipv4 addr 2.1.1.1/24

Ap

p N

: SR

C IP

/Por

t: 10

.222

.5.5

5 : 5

000

-->

(af

ter

NAT

) 10

0.0.

0.19

2 : 2

3156

PUBNW

50.12.13.8

Via FIB look-up (VRF:OutsideCustomer1),sends traffic to egress port on Slot 6 GE LC

Default static route (VRF:InsideCustomer1)to send traffic to ServiceApp1


OL-30392-01


Step 7 The packets that do not need the address translation can bypass the App SVI and can be forwarded to the destination through a different static route and a different egress port.

The following figure illustrates the path of the packet coming from the public network to the private network.

The packet goes through the following steps when it travels from the public network to the private network:

Step 1 In the network shown in this figure, the packet travels from the host A (having the IP address 10.222.5.55) in the public network to host B (having the IP address 5.5.5.2) in the private network. The public address has to be mapped to the private address by NAT44 that is implemented in ISM.

Step 2 The packet enters through the ingress port on the Gigabit Ethernet (GigE) interface at Slot 0.

Step 3 Once the packet reaches the designated interface or VLAN on ASR9K, it is forwarded to the outside VRF either through static routing or ACL-based forwarding (ABL).

Step 4 The packet is forwarded by App SVI2 through a default static route. The destination address and the port are mapped to the translated address.

Step 5 The ISM applies NAT44 to the packet. The CGN determines the destination address from the FIB Look Up. It pushes the packet to the egress port.

Step 6 The packet is then forwarded to the egress port on the interface through App SVI2. Then the packet is sent to the private network through the inside VRF.


PVTNW

10.222.5.22

s: 50.12.13.8 : 5000d: 10.222.5.55 : 5000

s: 50.12.13.8 : 5000d: 10.222.5.55 : 5000

s: 50.12.13.8 : 5000d: 100.0.0.192 : 23156

s: 50.12.13.8 : 5000d: 100.0.0.192 : 23156

G0/6/5/0.110.222.5.2/24

Slot 6GigE

Slot 3ISM

G0/6/5/1.150.12.13.2/24



Viking with 2 or 3 LCs (ingessandegress GE LCs could be different)

Ap

p N

: DS

T IP

: 100

.0.0

.192

: 23

156

-->

(R

ever

se N

AT)

eth1

: 10.

222.

5.55

: 50

00

Traffic: outside --> inside

PUBNW

50.12.13.8

3610

61

Via FIB look-up (VRF:InsideCustomer1),sends traffic to Slot 6 GE port

Static route (VRF:OutsideCustomer1)sends traffic to ServiceApp2


OL-30392-01


Implementing NAT 64 over ISM

This section explains how NAT64 is implemented over ISM. The figure illustrates the implementation of NAT64 over ISM.

The components of this implementation are as follows:

• Private IP6 subscribers – It denotes a private network.

• Interface/VLAN- It denotes a designated interface or VLAN which is associated with the VRF.

• Inside VRF – It denotes the VRF that handles packets coming from the subscriber network. It is known as inside VRF as it forwards packets from the private network.

• App SVI- It denotes an application interface that forwards the data packet to and from the ISM. The data packet may be sent from another line card through a backplane. Because the ISM card does not have a physical interface, the APP SVI acts as a logical entry into it.

The inside VRF is bound to an App SVI. There are 2 App SVIs required; one for the inside VRF and the other one for the outside VRF. Each App SVI pair will be associated with a unique "inside VRF" and a unique public IP address pool. The VRF consists of a static route for forwarding packets to App SVI1.

• Outside VRF- It denotes the VRF that handles packets going out to the public network. It is known as outside VRF as it forwards packets from the public network.

• Public IPV4- It denotes a public network.

The following figure illustrates the path of the data packet from a private network to a public network in a NAT64 implementation.

Stateful NAT64

Private IPv6Subscribers

3001:DB8:E0E:E03::

3301:DB8:a0a:102::

UDP port 3000, 3000

Payload

3610

59

52.52.52.187

10.10.1.2

UDP port 10546, 3000

Payload

Interface

VLANISMApp SV

Ipv6 destination prefix(eg: 3301:db8::/32)

Ipv6 Prefix3301:db8::/32

Ipv4 map pool52.52.52.0/24

App SVInterface

VLANPublic IPv4


OL-30392-01


The packet goes through the following steps when it travels from the private network to the public network:

Step 1 In the network shown in this figure, the packet travels from the host A (having the IP address 3001:DB8:E0E:E03::/40) in the private network to host B (having the IP address 11.11.11.2) in the public network. The private address has to be mapped to the public address by NAT64 that is implemented in ISM.


Step 3 Once the packet reaches the designated interface or VLAN on ASR9K, it is forwarded to the inside VRF either through static routing or ACL-based forwarding (ABL). Based on this routing decision, the packet that needs address translation is determined and is forwarded to the App SVI that is bound to the VRF.

Step 4 The packet is forwarded by AppSVI1 through a default static route. The destination address and the port get translated because of the CGN configuration applied on ISM.

Step 5 The ISM applies NAT64 to the packet and a translation entry is created. The CGN determines the destination address from the FIB Look Up. It pushes the packet to the egress port.

Step 6 The packet is then forwarded to the egress port on the interface through App SVI2. The packet is forwarded by App SVI2 through the default static route. Then the packet is sent to the public network.


The following figure illustrates the path of the packet coming from the public network to the private network.

Private IPv6subscribers

Port 3 (HTTP V6 Client)3001:DB8:E0E:E03::

NAT64 Prefix: 3301:0db8::/40IPV4 pool map : 52.52.52.0/24U-bit not reserved

Gi0/3/1/33001:db8:e0e:e01::

Slot 3GigE

Slot 2CGSE

Gi0/3/1/111.11.11.1/24

ServiceApp4141.1.1.1/30

ServiceApp612001.202::/32

routerstaticaddress-family ipv6 unicast3301:db8::/32 ServiceApp612001:202:2

Traffic: Inside - Outside

Public IPv4

Port 3 (HTTP V4 Server)11.11.11.2

3610

58


OL-30392-01


The packet goes through the following steps when it travels from the public network to the private network:

Step 1 In the network shown in this figure, the packet travels from the host A (having the IP address 11.11.11.2) in the public network to host B (having the IP address 3001:DB8:E0E:E03::) in the private network. The public address has to be mapped to the private address by NAT64 that is implemented in ISM.


Step 3 Once the packet reaches the designated interface or VLAN on ASR9K, it is forwarded to the outside VRF either through static routing or ACL-based forwarding (ABL). Based on this routing decision, the packet is forwarded to the App SVI that is bound to the VRF.

Step 4 The packet is forwarded by App SVI2 through a default static route. The destination address and the port are mapped to the translated address.

Step 5 The ISM applies NAT64 to the packet. The CGN determines the destination address from the FIB Look Up. It pushes the packet to the egress port.

Step 6 The packet is then forwarded to the egress port on the interface through App SVI2. Then the packet is sent to the private network through the inside VRF.


Private IPv6subscribers

Port 3 (HTTP V6 Client)3001:DB8:E0E:E03::

Dest V4address

11.11.11.2 80

Port s: 11.11.11.2-->3301 : DB8:B0B:B02:: 80

d: 52.52.52.123-->3001 : DB8:E0E:B03::63209-->80

s: 3301 : DB8:B0B:B02:: 80

d: 3001 : DB8:E0E:B03:: 80

Gi0/3/1/33001:db8:e0e:e01::

Slot 3GigE

Slot 2CGSE

Gi0/3/1/111.11.11.1/24

ServiceApp4141.1.1.1/30

ServiceApp612001.202::/32

routerstaticaddress-family ipv6 unicast3301:db8::/32 ServiceApp612001:202:2

routerstaticaddress-family ipv4 unicast52.52.52.0/24 ServiceApp41 41.1.1.2

Traffic: Outside - Inside

Public IPv4

Port 3 (HTTP V4 Server)11.11.11.2

3610

62


OL-30392-01


Table 3-1 Supported Interfaces and Forwarding Features on CGv6

4.3.x 5.1.x 5.2.x 5.3.x

Egress Interfaces

Physical Interface Yes Yes Yes Yes

VLAN Sub-interface Yes Yes Yes Yes

Bundle Interface Yes Yes Yes Yes

Bundle Sub-interface Yes Yes Yes Yes

BVI Interface No No No No

BNG IP-Sub-interface/PPPoE

No Yes Yes Yes

Ethernet Attachment Circuit or Pseudo wire

No No No No

GRE Tunnel No No No No

L3 Unicast Forwarding Features

Basic IPv4 IGP Forwarding Yes Yes Yes Yes

BGP Traffic Yes Yes Yes Yes

Forwarding in VRF Yes Yes Yes Yes

Recursive Routes Yes Yes Yes Yes

uRPF No No No No

BGP-PA No No No No

MPLS and Fast Reroute (FRR) SupportNote: The ISM card does not generate label for packets. It only processes unlabeled packets.

MPLS-TE Paths No Yes Yes Yes

Basic Labeled Path Yes Yes Yes Yes

MPLS-TE Tunnel No Yes Yes Yes

MPLS-TP Tunnel No No No No

TE-FRR No Yes Yes Yes

IP-FRR No No No No

LFA-FRR No No No No

Multicast

IP Multicast No No No No

MVPN No No No No

Label Switched Multicast No No No No

ServiceApp Interfaces

ABF to ServiceApp Interface

Yes Yes Yes Yes

ABF from ServiceApp Interface

No No No No


OL-30392-01


Note • The table refers to packet handling after CGv6 processing (from ingress to egress).

• The CGv6 application processes only L3 unicast traffic. Other traffic types such as L2 and L3 multicast are not supported.

• The forwarding features that are supported are only those where traffic is injected from CGv6 application as an IPv4 or IPv6 packet.

CGv6 Applications

These applications are deployed on the ISM line card.

• Network Address Translation (NAT44), page 3-13

• Dual-Stack Lite, page 3-14

• Stateful NAT64, page 3-15

• Mapping of Address and Port-Translation Mode, page 3-17

• IPv6 Rapid Deployment, page 3-17

• Mapping of Address and Port-Encapsulation Mode, page 3-19

ACL to ServiceApp Interface

No No No No

QOS on ServiceApp Interface

No No No No

Lawful Intercept (LI) on ServiceApp Interface

No No No No

IPv4 Enable/Disable (Per Interface)

No No No No

MPLS Enable/Disable (Per Interface)

No No No No

MTU Setting (Per Interface)

No No No No

Statistics on ServiceApp Interface

Partial.

Per-interface per-protocol packet/byte count is supported

Partial.

Per-interface per-protocol packet/byte count is supported

Yes Yes

Pre-Label Tunnel Interface No No No No

4.3.x 5.1.x 5.2.x 5.3.x


OL-30392-01


Network Address Translation (NAT44)

Network Address Translation (NAT44) or Carrier Grade Network Address Translation (CGN) is a large scale NAT that is capable of providing private IPv4 to public IPv4 address translation in the order of millions of translations to support a large number of subscribers, and at least 10 Gbps full-duplex bandwidth throughput.

CGN is a workable solution to the IPv4 address completion problem, and offers a way for service provider subscribers and content providers to implement a seamless transition to IPv6. CGN employs network address and port translation (NAPT) methods to aggregate many private IP addresses into fewer public IPv4 addresses. For example, a single public IPv4 address with a pool of 32 K port numbers supports 320 individual private IP subscribers assuming each subscriber requires 100 ports. For example, each TCP connection needs one port number.

A Network Address Translation (NAT) box is positioned between private and public IP networks that are addressed with non-global private addresses and a public IP addresses respectively. A NAT performs the task of mapping one or many private (or internal) IP addresses into one public IP address by employing both network address and port translation (NAPT) techniques. The mappings, otherwise referred to as bindings, are typically created when a private IPv4 host located behind the NAT initiates a connection (for example, TCP SYN) with a public IPv4 host. The NAT intercepts the packet to perform these functions:

• Rewrites the private IP host source address and port values with its own IP source address and port values

• Stores the private-to-public binding information in a table and sends the packet. When the public IP host returns a packet, it is addressed to the NAT. The stored binding information is used to replace the IP destination address and port values with the private IP host address and port values.

Traditionally, NAT boxes are deployed in the residential home gateway (HGW) to translate multiple private IP addresses. The NAT boxes are configured on multiple devices inside the home to a single public IP address, which are configured and provisioned on the HGW by the service provider. In enterprise scenarios, you can use the NAT functions combined with the firewall to offer security protection for corporate resources and allow for provider-independent IPv4 addresses. NATs have made it easier for private IP home networks to flourish independently from service provider IP address provisioning. Enterprises can permanently employ private IP addressing for Intranet connectivity while relying on a few NAT boxes, and public IPv4 addresses for external public Internet connectivity. NAT boxes in conjunction with classic methods such as Classless Inter-Domain Routing (CIDR) have slowed public IPv4 address consumption.

Network Address and Port Mapping

Network address and port mapping can be reused to map new sessions to external endpoints after establishing a first mapping between an internal address and port to an external address. These NAT mapping definitions are defined from RFC 4787:

• Endpoint-independent mapping—Reuses the port mapping for subsequent packets that are sent from the same internal IP address and port to any external IP address and port.

• Address-dependent mapping—Reuses the port mapping for subsequent packets that are sent from the same internal IP address and port to the same external IP address, regardless of the external port.

Note CGN on ISM implements Endpoint-Independent Mapping.


OL-30392-01


Translation Filtering

RFC 4787 provides translation filtering behaviors for NATs. These options are used by NAT to filter packets originating from specific external endpoints:

• Endpoint-independent filtering—Filters out only packets that are not destined to the internal address and port regardless of the external IP address and port source.

• Address-dependent filtering—Filters out packets that are not destined to the internal address. In addition, NAT filters out packets that are destined for the internal endpoint.

• Address and port-dependent filtering—Filters out packets that are not destined to the internal address. In addition, NAT filets out packets that are destined for the internal endpoint if the packets were not sent previously.

Note CGN on ISM implements Endpoint-Independent Filtering.

Dual-Stack Lite

The DS-Lite (DS-Lite) feature enables legacy IPv4 hosts and server communication over both IPv4 and IPv6 networks. Also, IPv4 hosts may need to access IPv4 internet over an IPv6 access network. The IPv4 hosts will have private addresses which need to have network address translation (NAT) completed before reaching the IPv4 internet.

The DS-Lite application has these two components:

• Basic Bridging BroadBand Element (B4): This is a Customer Premises Equipment (CPE) router that is attached to the end hosts. The IPv4 packets entering B4 are encapsulated using a IPv6 tunnel and sent to the Address Family Transition Router (AFTR).

• Address Family Transition Router(AFTR): This is the router that terminates the tunnel from the B4. It decapsulates the tunneled IPv4 packet, translates the network address and routes to the IPv4 network. In the reverse direction, IPv4 packets coming from the internet are reverse network address translated and the resultant IPv4 packets are sent the B4 using a IPv6 tunnel.

The Dual Stack Lite feature helps in these functions:

• Tunnelling IPv4 packets from CE devices over IPv6 tunnels to the ISM blade.

• Decapsulating the IPv4 packet and sending the decapsulated content to the IPv4 internet after completing network address translation.

• In the reverse direction completing reverse-network address translation and then tunnelling them over IPv6 tunnels to the CPE device.

IPv6 traffic from the CPE device is natively forwarded.

Note The number of DS-Lite instances supported on the Integrated Service Module (ISM) line card is 64.

Scalability and Performance of DS Lite

The DS-Lite feature pulls translation entries from the same pool as the NAT44.

• Supports a total of 20 million sessions.

• Number of unique users behind B4 router, basically IPv6 and IPv4 Source tuple, can scale to 1 million.


OL-30392-01


There is no real limit to the number of B4 routers and their associated tunnels connecting to the AFTR, except the session limit, which is 20 million B4 routers (assuming each router has only one session). In reality, a maximum of 1 million B4 routers can connect to an AFTR at any given time.

The performance of DS-Lite traffic, combined IPv4 and IPv6, is 10 Gbps.

Stateful NAT64

Stateful NAT64 provides a translation mechanism that translates IPv6 packets into IPv4 packets, and vice versa.

Stateful NAT64 supports Internet Control Message Protocol (ICMP), TCP, and UDP traffic. Packets that are generated in an IPv6 network and destined for an IPv4 network are routed within the IPv6 network towards the Stateful NAT64 translator. Stateful NAT64 translates the packets and forwards them as IPv4 packets through the IPv4 network. The process is reversed for traffic that is generated by hosts connected to the IPv4 network and destined for an IPv6 receiver.

The Stateful NAT64 translation is not symmetric, because the IPv6 address space is larger than the IPv4 address space and a one-to-one address mapping is not possible. Before it can perform an IPv6 to an IPv4 translation, Stateful NAT64 requires a state that binds the IPv6 address and the TCP or UDP port to the IPv4 address. The binding state is either statically configured or dynamically created when the first packet that flows from the IPv6 network to the IPv4 network is translated. After the binding state is created, packets flowing in both directions are translated. In dynamic binding, Stateful NAT64 supports communication initiated by the IPv6-only node toward an IPv4-only node. Static binding supports communication initiated by an IPv4-only node to an IPv6-only node, and vice versa. Stateful NAT64 with port overloading provides a 1:n mapping between IPv4 and IPv6 addresses.

Each NAT64 instance configured is associated with two serviceApps for the following purposes:

• One serviceApp is used to carry traffic from IPv6 side

• Another serviceApp is used to carry traffic from IPv4 side of the NAT64.

NAT64 instance parameters are configured using the CGN CLI. The NAT64 application in the octeons updates its NAT64 instance and serviceApp databases, which are used to perform the translation between IPv6 and IPv4 and vice versa.

Active CGN instance configuration is replicated in the standby CGN instance through the XR control plane. Translations that are established on the Active CGN instance are exported to the Standby CGN instance as the failure of the Active CGN affects the service until translations are re-established through normal packet flow. Service interruption is moderate for the given fault detection time and translation learning rate in terms of seconds or tens of seconds for a large translation database.

Note A maximum of 64 NAT64 instances are supported in the NAT64 configuration.

Prefix Format

A set of bits at the start of an IPv6 address is called the format prefix. Prefix length is a decimal value that specifies the number of the left-most contiguous bits of an address.

When packets flow from the IPv6 to the IPv4 direction, the IPv4 host address is derived from the destination IP address of the IPv6 packet that uses the prefix length. When packets flow from the IPv4 to the IPv6 direction, the IPv6 host address is constructed using the stateful prefix.

According to the IETF address format, a u-bit (bit 70) defined in the IPv6 architecture should be set to zero. The reserved octet, also called u-octet, is reserved for compatibility with the host identifier format defined in the IPv6 addressing architecture. When constructing an IPv6 packet, the translator has to


OL-30392-01


make sure that the u-bits are not tampered, and are set to the value suggested by RFC 2373. The suffix will be set to all zeros by the translator. IETF recommends that the 8 bits of the u-octet (bit range 64-71) be set to zero.

Well Known Prefix (WKP)

Well Known Prefix (WKP) 64:FF9B::/96 is supported for Stateful NAT64. During stateful translation, if no stateful prefix is configured (either on the interface or globally), the WKP prefix is used to translate the IPv4 host addresses.

Stateful IPv4-to-IPv6 Packet Flow

The packet flow of IPv4-initiated packets for Stateful NAT64:

• The destination address is routed to a NAT Virtual Interface (NVI). A virtual interface is created when Stateful NAT64 is configured. For Stateful NAT64 translation to work, all packets must get routed to the NVI. When you configure an address pool, a route is automatically added to all IPv4 addresses in the pool. This route automatically points to the NVI.

• The IPv4-initiated packet hits static or dynamic binding. Dynamic address bindings are created by the Stateful NAT64 translator when you configure dynamic Stateful NAT64. A binding is dynamically created between an IPv6 and an IPv4 address pool. Dynamic binding is triggered by the IPv6-to-IPv4 traffic and the address is dynamically allocated. Based on your configuration, you can have static or dynamic binding.

• The IPv4-initiated packet is protocol-translated and the destination IP address of the packet is set to IPv6 based on static or dynamic binding. The Stateful NAT64 translator translates the source IP address to IPv6 by using the Stateful NAT64 prefix (if a stateful prefix is configured) or the Well Known Prefix (WKP) (if a stateful prefix is not configured).

• A session is created based on the translation information.

All subsequent IPv4-initiated packets are translated based on the previously created session.

Stateful IPv6-to-IPv4 Packet Flow

Stateful IPv6-initiated packet flow:

• The first IPv6 packet is routed to the NAT Virtual Interface (NVI) based on the automatic routing setup that is configured for the stateful prefix. Stateful NAT64 performs a series of lookups to determine whether the IPv6 packet matches any of the configured mappings based on an access control list (ACL) lookup. Based on the mapping, an IPv4 address (and port) is associated with the IPv6 destination address. The IPv6 packet is translated and the IPv4 packet is formed by using these methods:

– Extracting the destination IPv4 address by stripping the prefix from the IPv6 address. The source address is replaced by the allocated IPv4 address (and port).

– Translating the rest of the fields from IPv6-to-IPv4 to form a valid IPv4 packet.

• Creating a new NAT64 translation in the session database and in the bind database. The pool and port databases are updated depending on the configuration. The return traffic and the subsequent traffic of the IPv6 packet flow will use this session database entry for translation.

Note Static port forwarding is not supported over StatefulNAT64 on ISM.


OL-30392-01


IP Packet Filtering

Stateful NAT64 filters IPv6 and IPv4 packets. All IPv6 packets that are transmitted into the stateful translator are filtered because statefully translated IPv6 packets consume resources in the translator. These packets consume processor resources for packet processing, memory resources (always session memory) for static configuration, IPv4 address resources for dynamic configuration, and IPv4 address and port resources for Port Address Translation (PAT).

Stateful NAT64 utilizes configured access control lists (ACLs) and prefix lists to filter IPv6-initiated traffic flows that are allowed to create the NAT64 state. Filtering of IPv6 packets is done in the IPv6-to-IPv4 direction because dynamic allocation of mapping between an IPv6 host and an IPv4 address can be done only in this direction.

Stateful NAT64 supports endpoint-dependent filtering for the IPv4-to-IPv6 packet flow with PAT configuration. In a Stateful NAT64 PAT configuration, the packet flow originates from the IPv6 realm and creates the state information in NAT64 state tables. Packets from the IPv4 side that do not have a previously created state are dropped. Endpoint-independent filtering is supported with static NAT and non-PAT configurations.

Mapping of Address and Port-Translation Mode

Mapping of Address and Port-Translation Mode (MAP-T) is a CGN solution that enables IPv4-only clients to communicate with IPv6-only resources using address and packet translation. MAP-T is also referred to as Dual IVI (dIVI) or Stateless NAT46. This enables a service provider to offer IPv4 services to IPv6 enabled (customer) sites to which it provides customer premise equipment (CPE). This approach utilizes stateless IPv4 to IPv6 translation (that is NAT64) to transit IPv6-enabled network infrastructure. The provider access network can now be on IPv6, while customers use IPv6 and IPv4 services simultaneously. MAP-T keeps the stateful NAT44 on CPE, as usual, to handle IPv4 address exhaustion, in addition to stateless NAT64 on CPE and Border Router.

MAP-T is attractive to those SPs who have deployed, or are planning to deploy IPv6 end-to-end services, and want to manage IPv4 address exhaustion with utmost predictability.

MAP-T is a preferred alternate to DS-Lite in a sevice provider network when there is no tunneling needed.

Note MAP-T is offered in stateless mode only.

IPv6 Rapid Deployment

IPv6 Rapid Deployment (6RD) is a mechanism that allows service providers to provide a unicast IPv6 service to customers over their IPv4 network. This approach utilizes stateless IPv6 in IPv4 encapsulation to transit IPv4-only network infrastructure. 6RD encapsulates an IPv6 packet with an IPv4 header for transport over an IPv4 network. The mapping between an IPv6 destination address in the inner packet, and the IPv4 destination address of the outer packet is computed at the time of packet forwarding.

The encapsulation must be supported by the Customer Premise Equipment (CPE), while the CGv6 solution (6RD Border Relay) must support tunnel termination to route packets to Internet hosts on IPv6. The provider access network continues to be on IPv4, while customers experience IPv6 and IPv4 service simultaneously.


OL-30392-01


6RD Concepts

• 6RD Customer Edge: The 6RD Customer Edge (CE) router sits between an IPv6-enabled site and an IPv4-enabled SP network. In the context of residential broadband deployment, this is the Residential Gateway (RG) or Customer Premises Equipment (CPE) or Internet Gateway Device (IGD). This router has a 6RD tunnel interface acting as an endpoint for the IPv6 in IPv4 encapsulation and forwarding, with at least one 6RD CE LAN side interface and 6RD CE WAN side interface, respectively.

• 6RD Border Relay: The 6RD Border Relay (BR) router is located at the service provider's premises. It has at least one IPv4 interface, a 6RD tunnel interface for multi-point tunneling, and at least one IPv6 interface that is reachable through the IPv6 Internet or IPv6-enabled part of the SP network.

• 6RD Delegated Prefix: The 6RD Delegated Prefix (DP) is an IPv6 prefix, determined by the 6RD CE device, for use by hosts within the customer site.

• 6RD Service Provider Prefix: The 6RD Service Provider Prefix (SP Prefix) is an IPv6 prefix selected by the service provider for use by a 6RD domain. There is only one 6RD prefix for a given 6RD domain.

• Customer Edge LAN side: The functionality of a 6RD Customer Edge (CE) that serves the LAN or customer-facing side of the CE. The CE LAN side interface is only IPv6-enabled.

• Customer Edge WAN side: The functionality of a 6RD Customer Edge (CE) that serves the WAN or service provider-facing side of the CE. The CE WAN side is only IPv4-enabled.

• Border Relay IPv4 address: The IPv4 address of the 6RD Border Relay (BR) for a given 6RD domain. This IPv4 address is used by the CE to send packets to a BR in order to reach IPv6 destinations outside the 6RD domain.

• Customer Edge IPv4 address: The IPv4 address assigned to the CE as part of normal IPv4 Internet access (configured through DHCP, PPP, or otherwise). This address may be global or private within the 6RD domain. This address is used by a 6RD CE to create the 6RD delegated prefix, and to send and receive IPv4-encapsulated IPv6 packets.


OL-30392-01


Mapping of Address and Port-Encapsulation Mode

Mapping of Address and Port-Encapsulation Mode (MAP-E) is a CGN solution that allows a service provider to enable IPv4 services at IPv6 (customer) sites to which it provides Customer Premise Equipment (CPE). This approach utilizes stateless IPv4-in-IPv6 encapsulation to transit IPv6-enabled network infrastructure. The encapsulation must be supported by the CPE and MAP-E Gateway/Border Relay, which removes the IPv6 encapsulation from IPv4 packets while forwarding them to the Internet. The provider access network can now be on IPv6, while customers see IPv6 and IPv4 service simultaneously.

MAP-E also helps manage IPv4 address exhaustion by keeping the stateful NAT44 on CPE.

Policy Functions

These are the policy functions used to configure CGv6 applications.

• Application Level Gateway, page 3-19

• TCP Maximum Segment Size Adjustment, page 3-20

• Static Port Forwarding, page 3-20

Application Level Gateway

The Application Level Gateway (ALG) deals with the applications that are embedded in the IP address payload. Active File Transfer Protocol (FTP), Point-to-Point Tunneling Protocol (PPTP), and Real Time Streaming Protocol (RTSP) are supported.

FTP-ALG

CGN supports both passive and active FTP. FTP clients are supported with inside (private) address and servers with outside (public) addresses. Passive FTP is provided by the basic NAT function. Active FTP is used with the ALG.

RTSP-ALG

CGN supports the RTSP, an application-level protocol for control over the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data, such as audio and video. Sources of data can include both live data feeds and stored clips.

PPTP-ALG

CGN supports the PPTP, a network protocol that enables secure transfer of data from a remote client to a private enterprise server by creating a Virtual Private Network (VPN). It is used to provide IP security at the network layer.

PPTP-ALG allows traffic from all clients to pass through a single PPTP tunnel.

PPTP uses a control channel over TCP, and a GRE tunnel operating to encapsulate Point-to-Point Protocol (PPP) packets.

A PPTP tunnel is instantiated on a TCP port. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer.


OL-30392-01


Components of PPTP:

PPTP uses an access controller and a network server to establish the connection.

• PPTP Access Controller (PAC)- A device attached to one or more PSTN or ISDN lines capable of Point-to-Point Protocol operation and handling the PPTP protocol. It terminates the PPTP tunnel and provides VPN connectivity to a remote client.

• PPTP Network Server (PNS)-A device which provides the interface between the PPP (encapsulated in the PPTP protocol) and a LAN or WAN. The PNS uses the PPTP protocol to support tunneling between a PAC and the PNS. It requests to establish a VPN connectivity using PPTP tunnel.

• Control Connection-A control connection is established between a PAC and a PNS for TCP.

• Tunnel-A tunnel carries GRE encapsulated PPP datagrams between a PAC and a PNS.

Note Active FTP, PPTP ALG, and RTSP ALG are supported on NAT44 applications. Active FTP and RTSP ALG are supported on DS-Lite and Stateful NAT64 applications.

TCP Maximum Segment Size Adjustment

When a host initiates a TCP session with a server, the host negotiates the IP segment size by using the maximum segment size (MSS) option. The value of the MSS option is determined by the maximum transmission unit (MTU) that is configured on the host.

Static Port Forwarding

Static port forwarding configures a fixed, private (internal) IP address and port that are associated with a particular subscriber while CGv6 allocates a free public IP address and port. Therefore, the inside IP address and port are associated to a free outside IP address and port.

High Availability

High Availability (HA) or 1:1 redundancy enables network-wide protection by providing fast recovery from faults that may occur in any part of the network. With Cisco High Availability on ISM, the network hardware and software work together and enable rapid recovery from disruption, to ensure fault transparency to users and network applications. It provides continuous access to applications, data, and content anywhere, anytime by addressing potential causes of downtime with functionality, design, and best practices.

ISM HA supports:

• 1:1 active or standby redundancy infrastructure for the services running on the ISM

– Intra-chassis redundancy

– Cold standby redundancy

• Replication of CGN-related configuration into a standby card


OL-30392-01


Note Before upgrading or downgrading the CGv6 OVA package on the Active VSM card in HA (high availability) mode, perform a graceful shift of the traffic from Active VSM to Standby VSM. This will ensure that the CGN-related configuration is replicated into a standby card. To perform graceful shift of the traffic, run the “service redundancy failover service-type all preferred-active <active-vsm-slot>” command in EXEC mode.

• Failure detection

– Punt path - Channel between the ISM line card CPU and CGv6 application processes

– Data path - Channel through which CGV6 application data packets traverse

– CPU health monitoring

– Control path

– Crashed processes

The following commands are supported for failure detection:

– Punt Path

RP/0/RP0/CPU0:router(config)# service-cgv6-ha location location-name puntpath-test

– Data Path

RP/0/RP0/CPU0:router(config)# service-cgv6-ha location location-name datapath-test

Note By default, failure detection for punt path, data path is not triggered unless the above commands are configured.These commands can be configured only when ISM role is CGN and ISM in “App-Ready” state.

• Failure reporting and recovery

– If redundant ISM card is configured, then switch-over the stand by ISM to active and reload the active ISM.

– If redundant ISM card is not configured, then reload the ISM. This comes up again as an active ISM.

External Logging

External logging configures the export and logging of the NAT table entries, private bindings that are associated with a particular global IP port address, and to use Netflow to export the NAT table entries.

• Netflow v9 Support, page 3-21

• Syslog Support, page 3-22

• Bulk Port Allocation, page 3-22

• Destination-Based Logging, page 3-22

Netflow v9 Support

The NAT44 and DS Lite features support Netflow for logging of the translation records. Logging of the translation records can be mandated by for Lawful Intercept. The Netflow uses binary format and hence requires software to parse and present the translation records.


OL-30392-01

Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Configuring CGv6 on Cisco IOS XR Software

Syslog Support

The DS Lite and NAT44 features support Syslog as an alternative to Netflow. Syslog uses ASCII format, which can be read by users. However, the log data volume is higher in Syslog than Netflow.

Attributes of Syslog Collector

• Syslog is supported in ASCII format only.

• Logging to multiple syslog collectors (or relay agents) is not supported.

Bulk Port Allocation

The creation and deletion of NAT sessions need to be logged and these create huge amount of data. These are stored on Syslog collector which is supported over UDP. In order to reduce the volume of data generated by the NAT device, bulk port allocation can be enabled. When bulk port allocation is enabled and when a subscriber creates the first session, a number of contiguous outside ports are pre-allocated. A bulk allocation message is logged indicating this allocation. Subsequent session creations will use one of the pre-allocated port and hence does not require logging.

Destination-Based Logging

Destination-Based Logging (DBL) includes the destination IPv4 address and port number in the Netflow create and delete records for NAT44, Stateful NAT64, and DS-Lite applications. It is also known as Session-Logging.

Note Session-Logging and Bulk Port Allocation are mutually exclusive.

Configuring CGv6 on Cisco IOS XR SoftwareThese configuration tasks are required to implement CGv6 on Cisco IOS XR software.

• Installing Carrier Grade IPv6 on ISM, page 3-22

• Configuring the Service Role for the Carrier Grade IPv6, page 3-27

• Configuring the Service Instance and Location for the Carrier Grade IPv6, page 3-29

• Configuring the Infrastructure Service Virtual Interface for the Carrier Grade IPv6, page 3-30

Installing Carrier Grade IPv6 on ISM

This section provides instructions on installing CGv6 on the ISM line card, removing CGv6 on the ISM line card, and reinstalling the CDS TV application support.

Hardware

• ISM hardware in chassis


OL-30392-01


Software

• asr9k-mini-p.vm or asr9k-mini-px.vm

• asr9k-services-p.pie or asr9k-services-px.pie

• asr9k-fpd-p.pie or asr9k-fpd-px.pie


OL-30392-01


FPGA UPGRADE

The installation is similar to an FPGA upgrade on any other ASR 9000 cards.

Step 1 Load the fpd pie.

Step 2 Run the show hw-module fpd location <> command in admin mode.

RP/0/RP0/CPU0:#adminRP/0/RSP1/CPU0:LHOTSE#show hw-module fpd location 0/1/CPU0

===================================== ================================================ Existing Field Programmable Devices ================================================ HW Current SW Upg/Location Card Type Version Type Subtype Inst Version Dng?============ ======================== ======= ==== ======= ==== =========== ==== =====--------------------------------------------------------------------------------------0/1/CPU0 A9K-ISM-100 1.0 lc fpga1 0 0.29 No

1.0 lc cbc 0 18.04 Yes 1.0 lc cpld1 0 0.01 No 1.0 lc fpga7 0 0.17 No 1.0 lc cpld3 0 0.16 No 1.0 lc fpga2 0 0.01 Yes

--------------------------------------------------------------------------------------

If one or more FPD needs an upgrade (can be identified from the Upg/Dng column in the output) then this can be accomplished using the following steps.

Step 3 Upgrade the identified FPGAs using the relevant commands:

upgrade hw-module fpd fpga1 location <>upgrade hw-module fpd cbc location <>upgrade hw-module fpd cpld1 location <>upgrade hw-module fpd fpga7 location <> upgrade hw-module fpd cpld3 location <> upgrade hw-module fpd fpga2 location <>

To upgrade all FPGA using a single command, type:

upgrade hw-module fpd all location <>

Step 4 If one or more FPGAs were upgraded, reload the ISM card after all the upgrade operation completes successfully.

hw-module location <> reload

Step 5 After the ISM card comes up, check for the FPGA version. This can be done using the following command from the admin mode.

show hw-module fpd location <>


OL-30392-01


Accessing CPU consoles on ISM Card

This output shows ISM card in slot1:

RP/0/RSP0/CPU0 #show platform0/RSP0/CPU0 A9K-RSP-4G(Active) IOS XR RUN PWR,NSHUT,MON0/1/CPU0 A9K-ISM-100(LCP) IOS XR RUN PWR,NSHUT,MON0/1/CPU1 A9K-ISM-100(SE) SEOS-READY

To access LC CPU console:

RP/0/RSP0/CPU0#run attach 0/1/CPU0#

To return to RSP console:

#exit

To access X86 CPU console:

RP/0/RSP0/CPU0:CRANE#run attachCon 0/0/cpu1 115200 attachCon: Starting console session to node 0/0/cpu1attachCon: To quit console session type 'detach'Current Baud 115200Setting Baud to 115200

localhost.localdomain login: rootPassword: rootroot[root@localhost ~]#

To return to RSP console:

[root@localhost]# detach

Installing CGv6 Application on an ISM for Cisco IOS XR Software Release 4.2.0

If the card is in CDS-IS mode, then it must be converted to CDS-TV before installing CGv6. For installation instructions, see the Cisco ASR 9000 Series Aggregation Services Router ISM Line Card Installation Guide.

Note With kernel.rpm, the "kernel.rpm" or "kernel-4.2.0.rpm" file is referred and with "ism_infra.tgz", the "ism_infra.tgz" or "ism_infra-4.2.0.tgz" file is referred.

Step 1 Manually remove the non-CGv6 (CDS TV) configuration.

Step 2 Install the R4.2.0 image on the ASR 9000 router.

Step 3 To handle version incompatibility between APIs of Cisco IOS XR and Linux software, run these commands as soon as the ISM LCP is in IOS XR RUN state.

RP/0/RSP0/CPU0#proc mandatory OFF fib_mgr location <ism_node_location>RP/0/RSP0/CPU0#proc SHUTDOWN fib_mgr location <ism_node_location>RP/0/RP0/CPU0:#adminRP/0/RSP0/CPU0(admin)#debug sim reload-disable location<ism_node_location>

Caution Any delay may result in card reload due to API mismatch.

Step 4 Extract the ism_infra.tgz and kernel.rpm image from the tar file (available in the Download Software page in Cisco.com) and copy the content to the disk on the RSP console.

RP/0/RSP0/CPU0#copy tftp://<tftp_addr><image_location>/ism_infra.tgz disk0:/RP/0/RSP0/CPU0#copy tftp://<tftp_addr><image_location>/kernel.rpm disk0:/


OL-30392-01

http://www.cisco.com/cisco/software/navigator.html?mdfid=282267600&dvdid=279017029&flowid=15628


Step 5 Copy kernel.rpm and ism_infra.tgz to X86 location.

a. Log into X86 CPU console and start the se_mbox_server process:

[root@localhost]# se_mbox_server -d

b. Log into ISM LC CPU and upload the images to X86:

#avsm_se_upload /disk0:/kernel.rpm #avsm_se_upload /disk0:/ism_infra.tgz

c. After successful upload, the images should be available under /tmp directory in the X86 CPU.

Step 6 Install the images on X86:

[root@localhost /] cd /tmp [root@localhost tmp]# rpm -i --force kernel.rpm[root@localhost tmp]# avsm_install ism_infra.tgz

Step 7 Run the following Cisco IOS XR Software Release 4.2.0 commands in admin mode, on RSP to install the Services PIE:

RP/0/RSP0/CPU0#admin(admin)#install add tftp://<tftp_addr>/<image_location>/asr9k-services-p.pie synchronous activate. . . . . . . . . . . (admin)#exit

Step 8 Run the following Cisco IOS XR Software Release 4.2.0 commands on the RSP to set the service role as cgn.

RP/0/RSP0/CPU0#config(config)#hw-module service cgn location <ism_node_location>(config)#commit(config)#exit

Step 9 Revert the changes made in Step 3

RP/0/RSP0/CPU0#proc mandatory ON fib_mgr location <ism_node_location>RP/0/RSP0/CPU0#proc START fib_mgr location <ism_node_location>RP/0/RP0/CPU0:#adminRP/0/RSP0/CPU0:(admin)#no debug sim reload-disable location <ism_node_location>

Step 10 Reload the ISM line card.

RP/0/RSP0/CPU0#hw-module location <ism_node_location> reload

Step 11 Wait for the card to return to SEOS-READY and proceed with ServiceInfra interface configuration.

Installing CGv6 Application on an ISM for Cisco IOS XR Software Release 4.2.1 and later

From R4.2.1 onwards, the CGv6 application can be installed on an ISM line card directly without changing from CDS-IS to CDS-TV and then CGv6.

Step 1 Manually remove the non-CGv6 configuration, if any.

Step 2 Install the Cisco IOS XR Software Release 5.1.x image(asr9k-mini-p/px.vm/pie) on the router.

Step 3 To handle version incompatibility between APIs of Cisco IOS XR and Linux software, run the following commands in admin mode. Enter into maintenance mode by using the following command.

RP/0/RP0/CPU0:#admin


OL-30392-01


RP/0/RSP0/CPU0(admin)#debug sim reload-disable location<ism_node_location>

The card must be in the following state:

RP/0/RSP0/CPU0# show platform

Node Type State Config State___________________________________________________________________________0/5/CPU0 A9K-ISM-100(LCP) IOS XR RUN PWR,NSHUT,MON0/5/CPU1 A9K-ISM-100(SE) RECOVERY MODE

Sometimes, the card goes into IN-RESET state due to multiple resets or if you miss to execute the step for a long time.

Reload the card using the following command to get out of the state:

RP/0/RSP0/CPU0(admin)# hw-module location <ism_node_location> reload

Note The command must be executed in admin mode.

Step 4 To install the Services PIE on RSP, run the commands in admin mode:

RP/0/RSP0/CPU0#admin(admin)#install add tftp://<tftp_addr>/<image_location>/asr9k-services-p.pie synchronous activate. . . . . . . . . . . (admin)#exit

Step 5 To set the service role as cgn on RSP, run the following commands.

RP/0/RSP0/CPU0#config(config)#hw-module service cgn location <ism_node_location>(config)#commit(config)#exit

Step 6 To install Linux Install-Kit from RSP, run the commands in admin mode.

RP/0/RSP0/CPU0#adminRP/0/RSP0/CPU0(admin)# download install-image <install_kit_name_and_location> from <rsp_where_kit_present> to <ism_node_location>

Note For Cisco IOS XR Release 4.2.1, you can download the Install-Kit from the File Exchage Server https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=IOS-XR

Step 7 Wait for around 12-14 minutes for the card to come at SEOS-READY. Proceed with ServiceInfra interface configuration.

Configuring the Service Role for the Carrier Grade IPv6

Perform this task to configure the service role on the specified location to start the CGv6 service.

Note Removal of service role is strictly not recommended while the card is active. This puts the card into FAILED state, which is service impacting.


OL-30392-01


SUMMARY STEPS

1. configure

2. hw-module service cgn location node-id

3. end orcommit

DETAILED STEPS

Command or Action Purpose

Step 1 configure

Example:RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 hw-module service cgn location node-id

Example:RP/0/RP0/CPU0:router(config)# hw-module service cgn location 0/1/CPU0

Configures a CGv6 service role (cgn) on location 0/1/CPU0.

Step 3 endorcommit

Example:RP/0/RP0/CPU0:router(config)# end

or

RP/0/RP0/CPU0:router(config)# commit

Saves configuration changes.

• When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before exiting (yes/no/cancel)?[cancel]:

– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.


OL-30392-01


Configuring the Service Instance and Location for the Carrier Grade IPv6

Perform this task to configure the service instance and location for the CGv6 application.

SUMMARY STEPS

1. configure

2. service cgn instance-name

3. service-location preferred-active node-id

4. endorcommit

DETAILED STEPS


Step 1 configure



Step 2 service cgn instance-name

Example:RP/0/RP0/CPU0:router(config)# service cgn cgn1RP/0/RP0/CPU0:router(config-cgn)#

Configures the instance named cgn1 for the CGv6 application and enters CGv6 configuration mode.


OL-30392-01


Configuring the Infrastructure Service Virtual Interface for the Carrier Grade IPv6

Perform this task to configure the infrastructure service virtual interface (SVI) to forward the control traffic. The subnet mask length must be at least 30 (denoted as /30).

Note Do not remove or modify service infra interface configuration when the card is in Active state. The configuration is service affecting and the line card must be reloaded for the changes to take effect.

SUMMARY STEPS

1. configure

2. interface ServiceInfra value

3. service-location node-id

4. ipv4 address address/mask

5. endorcommit

6. reload

Step 3 service-location preferred-active node-id

Example:RP/0/RP0/CPU0:router(config-cgn)# service-location preferred-active 0/1/CPU0

Configures the active locations for the CGv6 application.

Note preferred-standby option is supported in Cisco IOS XR Release 4.3.0 onwards for redundancy.

Step 4 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn)# end

or

RP/0/RP0/CPU0:router(config-cgn)# commit










OL-30392-01


DETAILED STEPS


Step 1 configure



Step 2 interface ServiceInfra value

Example:RP/0/RP0/CPU0:router(config)# interface ServiceInfra 1RP/0/RP0/CPU0:router(config-if)#

Configures the infrastructure service virtual interface (SVI) as 1 and enters CGv6 configuration mode.

Note Only one service infrastructure SVI can be configured for a CGv6 instance.

Step 3 service-location node-id

Example:RP/0/RP0/CPU0:router(config-if)# service-location 0/1/CPU0

Configures the location of the CGv6 service for the infrastructure SVI.

Step 4 ipv4 address address/mask

Example:RP/0/RP0/CPU0:router(config-if)# ipv4 address 1.1.1.1/30

Sets the primary IPv4 address for an interface.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-if)# end

or

RP/0/RP0/CPU0:router(config-if)# commit








Step 6 reload

Example:RP/0/RP0/CPU0:Router#hw-mod location 0/3/cpu0 reload

Once the configuration is complete, the card must be reloaded for changes to take effect.

WARNING: This will take the requested node out of service.Do you wish to continue?[confirm(y/n)] y


OL-30392-01

Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Configuring Different CGv6 Applications on ISM

Configuring Different CGv6 Applications on ISMThese CGv6 applications are configured on ISM.

• Configuring NAT44 on ISM, page 3-32

• Configuring DS-Lite on ISM, page 3-75

• Configuring Stateful NAT64 on ISM, page 3-112

• Configuring MAP-T on ISM, page 3-156

• Configuring 6RD on ISM, page 3-176

• Configuring MAP-E on ISM, page 3-196

Configuring NAT44 on ISM

Perform these tasks to configure NAT44 on ISM.

• Configuring the Application Service Virtual Interface, page 3-32

• Configuring a NAT44 Instance, page 3-34

• Configuring the Policy Functions, page 3-37

• Configuring External Logging for the NAT Table Entries, page 3-54

Configuring the Application Service Virtual Interface

The following section lists guidelines for selecting serviceapp interfaces for NAT44.

• Pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an odd integer. This is to ensure that the ServiceApp pairs works with a maximum throughput. For example, ServiceApp1 with ServiceApp2 or ServiceApp3 with ServiceApp4

• Pair ServiceApp<n> with ServiceApp<n+5> or ServiceApp<n+9>, and so on, where <n> is an odd integer. However, maintaining a track of these associations can be error prone. For example, ServiceApp1 with ServiceApp6, ServiceApp1 with ServiceApp10, ServiceApp3 with ServiceApp8, or ServiceApp3 with ServiceApp12

• Pair ServiceApp<n> with ServiceApp<n+4>, where <n> is an integer (odd or even integer). For example, ServiceApp1 with ServiceApp5, or ServiceApp2 with ServiceApp6. Although such ServiceApp pairs work, the aggregate throughput for Inside-to-Outside and Outside-to-Inside traffic for the ServiceApp pair is halved.

• Do not pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an even integer. When used, Outside-to-Inside traffic is dropped becasue traffic flows in the wrong dispatcher and core.

• Do not pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an integer. When used, Outside-to-Inside traffic is dropped becasue traffic flows in the wrong dispatcher and core.

One ServiceApp pair can be used as inside and the other as outside.

Perform the following tasks to configure the application service virtual interface (SVI) to forward data traffic.

SUMMARY STEPS

1. configure


OL-30392-01


2. interface ServiceApp value

3. service cgn instance-name service-type nat44

4. vrf vrf-name

5. endorcommit

DETAILED STEPS


Step 1 configure



Step 2 interface ServiceApp value

Example:RP/0/RP0/CPU0:router(config)# interface ServiceApp 1RP/0/RP0/CPU0:router(config-if)#

Configures the application SVI as 1 and enters interface configuration mode.

Step 3 service cgn instance-name service-type nat44

Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1



OL-30392-01


Configuring a NAT44 Instance

Perform this task to configure a NAT44 instance.

SUMMARY STEPS

1. configure


3. service-type nat44 instance-name

4. endorcommit

Step 4 vrf vrf-name

Example:RP/0/RP0/CPU0:router(config-if)# vrf insidevrf1

Configures the VPN routing and forwarding (VRF) for the

Service Application interface

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring an Inside and Outside Address Pool Map

Perform this task to configure an inside and outside address pool map with the following scenarios.

• The designated address pool is used for CNAT.

• One inside VRF is mapped to only one outside VRF.

• Multiple non-overlapping address pools can be used in a specified outside VRF mapped to different inside VRF.

• Max Outside public pool per ISM/CGv6 instance is 64 K or 65536 addresses. That is, if a /16 address pool is mapped, then we cannot map any other pool to that particular ISM.


Step 1 configure



Step 2 service cgn nat44 instance-name


Configures the instance named cgn1 for the CGv6 NAT44 application and enters CGv6 configuration mode.

Step 3 service-type nat44 nat1

Example:RP/0/RP0/CPU0:router(config-cgn)# service-type nat44 nat1

Configures the service type keyword definition for CGv6 NAT44 application.

Step 4 endorcommit


or










OL-30392-01


• Multiple inside vrf cannot be mapped to same outside address pool.

• While Mapping Outside Pool Minimum value for prefix is 16 and maximum value is 30.

SUMMARY STEPS

1. configure


3. service-type nat44 nat1

4. inside-vrf vrf-name

5. map [outside-vrf outside-vrf-name] address-pool address/prefix

6. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 inside-vrf vrf-name

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# inside-vrf insidevrf1RP/0/RP0/CPU0:router(config-cgn-invrf)#

Configures an inside VRF named insidevrf1 and enters CGv6 inside VRF configuration mode.


OL-30392-01


Configuring the Policy Functions

Perform these tasks to configure the policy functions.

• Configuring the Port Limit Per Subscriber, page 3-37

• Configuring the Timeout Value for the Protocol, page 3-39

• Configuring FTP ALG, page 3-44

• Configuring PPTP ALG, page 3-45

• Configuring RTSP ALG, page 3-46

• Configuring the TCP Adjustment Value for the Maximum Segment Size, page 3-48

• Configuring the Refresh Direction for the Network Address Translation, page 3-50

• Configuring Static Port Forwarding for Port Numbers, page 3-52

• Configuring the Dynamic Port Ranges, page 3-53

Configuring the Port Limit Per Subscriber

Perform this task to configure the port limit per subscriber for the system that includes TCP, UDP, and ICMP.

Step 5 map [outside-vrf outside-vrf-name] address-pool address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# map outside-vrf outside vrf1 address-pool 10.10.0.0/16

Configures an inside VRF to an outside VRF and address pool mapping.

Step 6 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-afi)# end

or

RP/0/RP0/CPU0:router(config-cgn-invrf-afi)# commit










OL-30392-01


SUMMARY STEPS

1. configure



4. portlimit value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring the Timeout Value for the Protocol

• Configuring the Timeout Value for the ICMP Protocol, page 3-39

• Configuring the Timeout Value for the TCP Session, page 3-41

• Configuring the Timeout Value for the UDP Session, page 3-42

Configuring the Timeout Value for the ICMP Protocol

Perform this task to configure the timeout value for the ICMP type for the CGv6 instance.

SUMMARY STEPS

1. configure



4. protocol icmp

5. timeout seconds

6. endorcommit

Step 4 portlimit value

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# portlimit 10

Limits the number of entries per address for each subscriber of the system

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol icmp

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol icmpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the ICMP protocol session. The example shows how to configure the ICMP protocol for the CGv6 instance named cgn1.

Step 5 timeout seconds

Example:RP/0/RP0/CPU0:router(config-cgn-proto)# timeout 908

Configures the timeout value as 908 for the ICMP session for the CGv6 instance named cgn1.

Step 6 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-proto)# end

or

RP/0/RP0/CPU0:router(config-cgn-proto)# commit









OL-30392-01


Configuring the Timeout Value for the TCP Session

Perform this task to configure the timeout value for either the active or initial sessions for TCP.

SUMMARY STEPS

1. configure



4. protocol tcp

5. session {active | initial} timeout seconds

6. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the TCP protocol session. The example shows how to configure the TCP protocol for the CGv6 instance named cgn1.


OL-30392-01


Configuring the Timeout Value for the UDP Session

Perform this task to configure the timeout value for either the active or initial sessions for UDP.

SUMMARY STEPS

1. configure



4. protocol udp


6. endorcommit

Step 5 session {active | initial} timeout seconds

Example:RP/0/RP0/CPU0:router(config-cgn-proto)# session initial timeout 90

Configures the timeout value as 90 for the TCP session. The example shows how to configure the initial session timeout.

Step 6 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol udp

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol udpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the UDP protocol sessions. The example shows how to configure the TCP protocol for the CGv6 instance named cgn1.


Example:RP/0/RP0/CPU0:router(config-cgn-proto)# session active timeout 90

Configures the timeout value as 90 for the UDP session. The example shows how to configure the active session timeout.

Step 6 endorcommit


or










OL-30392-01


Configuring FTP ALG

Perform this task to configure FTP as the ALG for the specified NAT44 instance.

SUMMARY STEPS

1. configure



4. alg activeFTP

5. endorcommit

DETAILED STEPS


Step 1 configure





Configures the instance named cgn1 for the CGN application and enters CGN configuration mode.



Configures the service type keyword definition for NAT44 application.


OL-30392-01


Configuring PPTP ALG

Perform this task to configure PPTP as the ALG for the specified NAT44 instance.

SUMMARY STEPS

1. configure



4. alg pptpAlg

5. endorcommit

Step 4 alg activeFTP

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg activeFTP

Configures the FTP ALG on the NAT44 instance.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring RTSP ALG

Perform this task to configure RTSP as the ALG for the specified NAT44 instance. RTSP packets are usually destined to port 554. But this is not always true because RTSP port value can be configured.


Step 1 configure









Step 4 alg pptpAlg

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg pptpAlg

Configures PPTP as the ALG for the NAT44 instance.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. alg rtsp server-port value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring the TCP Adjustment Value for the Maximum Segment Size

Perform this task to configure the adjustment value for the maximum segment size (MSS) for the VRF. You can configure the TCP MSS adjustment value on each VRF.

SUMMARY STEPS

1. configure




5. protocol tcp

6. mss size

7. endorcommit

Step 4 alg rtsp [server-port] value

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg rtsp server-port 5000

Configures the rtsp ALG on the NAT44 instance for server port 5000. The range is from 1 to 65535. The default port is 554.

Caution The option of specifying a server port) is currently not supported. Even if you configure some port, RTSP works only on the default port (554).

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure











Configures the inside VRF for the CGv6 instance named cgn1 and enters CGv6 inside VRF configuration mode.

Step 5 protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-invrf-proto)#

Configures the TCP protocol session and enters CGv6 inside VRF AFI protocol configuration mode.


OL-30392-01


Configuring the Refresh Direction for the Network Address Translation

Perform this task to configure the NAT mapping refresh direction as outbound for TCP and UDP traffic.

SUMMARY STEPS

1. configure



4. refresh-direction Outbound

5. endorcommit

Step 6 mss size

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-afi-proto)# mss 1100

Configures the adjustment MSS value as 1100 for the inside VRF.

Step 7 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# end

or

RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# commit










OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 refresh-direction Outbound

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-proto)#refresh-direction Outbound

Configures the NAT mapping refresh direction as outbound for the CGv6 instance named cgn1.

Step 5 endorcommit


or










OL-30392-01


Configuring Static Port Forwarding for Port Numbers

Perform this task to configure static port forwarding for reserved or nonreserved port numbers.

SUMMARY STEPS

1. configure




5. protocol tcp

6. static-forward inside

7. address address port number

8. endorcommit

DETAILED STEPS


Step 1 configure












Step 5 protocol tcp




OL-30392-01


Configuring the Dynamic Port Ranges

Perform this task to configure dynamic port ranges for TCP, UDP, and ICMP ports. The default value range of 0 to 1023 is preserved and not used for dynamic translations. Therefore, if the value of dynamic port range start is not configured explicitly, the dynamic port range value starts at 1024.

SUMMARY STEPS

1. configure



4. dynamic port range start value

5. endorcommit

Step 6 static-forward inside

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# static-forward insideRP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)#

Configures the CGv6 static port forwarding entries on reserved or nonreserved ports and enters CGv6 inside static port inside configuration mode.

Step 7 address address port number

Example:RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# address 1.2.3.4 port 90

Configures the CGv6 static port forwarding entries for the inside VRF.

Step 8 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# end

or

RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# commit










OL-30392-01


DETAILED STEPS

Configuring External Logging for the NAT Table Entries

Perform the following to configure external logging for NAT table entries.

• Netflow Logging, page 3-55


Step 1 configure









Step 4 dynamic port range start value

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# dynamic port range start 1024

Configures the value of dynamic port range start for a CGv6 NAT 44 instance. The value can range from 1 to 65535.

Step 5 endorcommit


or










OL-30392-01


• Syslog Logging, page 3-63


• Destination-Based Logging for NAT44, page 3-71

Netflow Logging

Perform the following tasks to configure Netflow Logging for NAT table entries.

• Configuring the Server Address and Port for Netflow Logging, page 3-55

• Configuring the Path Maximum Transmission Unit for Netflow Logging, page 3-57

• Configuring the Refresh Rate for Netflow Logging, page 3-59

• Configuring the Timeout for Netflow Logging, page 3-61

Configuring the Server Address and Port for Netflow Logging

Perform this task to configure the server address and port to log network address translation (NAT) table entries for Netflow logging.

SUMMARY STEPS

1. configure




5. external-logging netflow version 9

6. server


8. endorcommit

DETAILED STEPS


Step 1 configure







OL-30392-01






Example:RP/0/RP0/CPU0:router(config-cgn)# inside-vrf insidevrf1RP/0/RP0/CPU0:router(config-cgn-invrf)#


Step 5 external-logging netflow version 9

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflow version 9RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#

Configures the external-logging facility for the CGv6 instance named cgn1 and enters CGv6 inside VRF address family external logging configuration mode.

Step 6 server

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# serverRP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#

Configures the logging server information for the IPv4 address and port for the server that is used for the netflowv9-based external-logging facility and enters CGv6 inside VRF address family external logging server configuration mode.



OL-30392-01


Configuring the Path Maximum Transmission Unit for Netflow Logging

Perform this task to configure the path maximum transmission unit (MTU) for the netflowv9-based external-logging facility for the inside VRF.

SUMMARY STEPS

1. configure





6. server

7. path-mtu value

8. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# address 2.3.4.5 port 45

Configures the IPv4 address and port number 45 to log Netflow entries for the NAT table.

Step 8 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end

or

RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit










OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01


Configuring the Refresh Rate for Netflow Logging

Perform this task to configure the refresh rate at which the Netflow-v9 logging templates are refreshed or resent to the Netflow-v9 logging server.

SUMMARY STEPS

1. configure





6. server

7. refresh-rate value

8. endorcommit

Step 7 path-mtu value

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# path-mtu 200

Configures the path MTU with the value of 200 for the netflowv9-based external-logging facility.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server


Configures the logging server information for the IPv4 address and port for the server that is used for the netflow-v9 based external-logging facility and enters CGv6 inside VRF address family external logging server configuration mode.


OL-30392-01


Configuring the Timeout for Netflow Logging

Perform this task to configure the frequency in minutes at which the Netflow-V9 logging templates are to be sent to the Netflow-v9 logging server.

SUMMARY STEPS

1. configure





6. server

7. timeout value

8. endorcommit

Step 7 refresh-rate value

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# refresh-rate 50

Configures the refresh rate value of 50 to log Netflow-based external logging information for an inside VRF.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 external-logging netflowv9



Step 6 server




OL-30392-01


Syslog Logging

Perform the following tasks to configure Syslog Logging for NAT table entries.

• Configuring the Server Address and Port for Syslog Logging, page 3-63

• Configuring the Host-Name for Syslog Logging, page 3-65

• Configuring the Path Maximum Transmission Unit for Syslog Logging, page 3-67

Configuring the Server Address and Port for Syslog Logging

Perform this task to configure the server address and port to log NAT table entries for Syslog logging.

SUMMARY STEPS

1. configure




5. external-logging syslog

6. server


Step 7 timeout value

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# timeout 50

Configures the timeout value of 50 for Netflow logging of NAT table entries for an inside VRF.

Step 8 endorcommit


or











OL-30392-01


8. endorcommit

DETAILED STEPS


Step 1 configure












Step 5 external-logging syslog

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging syslogRP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#


Step 6 server


Configures the logging server information for the IPv4 address and port for the server that is used for the syslog-based external-logging facility and enters CGv6 inside VRF address family external logging server configuration mode.


OL-30392-01


Configuring the Host-Name for Syslog Logging

Perform this task to configure the host name to be filled in the Netflow header for the syslog logging.

SUMMARY STEPS

1. configure





6. server

7. host-name name

8. endorcommit




Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01


Configuring the Path Maximum Transmission Unit for Syslog Logging

Perform this task to configure the path maximum transmission unit (MTU) for the syslog-based external-logging facility for the inside VRF.

SUMMARY STEPS

1. configure





6. server

7. path-mtu value

8. endorcommit

Step 7 host-name name

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# host-name host1

Configures the host name for the syslog-based external-logging facility.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01



Perform this task to configure bulk port allocation to reduce Netflow or Syslog data volume.

SUMMARY STEPS

1. configure



4. inside-vrf vrf-instance

5. bulk-port-alloc size number of ports

6. endorcommit



Configures the path MTU with the value of 200 for the syslog-based external-logging facility.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure













OL-30392-01


Destination-Based Logging for NAT44

Perform these tasks to configure destination-based logging for NAT table entries.

• Configuring the Session-Logging for Netflow Logging, page 3-71

• Configuring the Session-Logging for Syslog Logging, page 3-73

Configuring the Session-Logging for Netflow Logging

Perform this task to configure session-logging if destination IP and Port information needs to logged in the Netflow records.

SUMMARY STEPS

1. configure





6. server

7. session-logging

Step 5 bulk-port-alloc size number of ports

Example:RP/0/RP0/CPU0:router(config-cgn-nat44-invrf-)# bulk-port-alloc size 64RP/0/RP0/CPU0:router(config-cgn-nat44-invrf)

Allocate ports in bulk to reduce Netflow/Syslog data volume.

Step 6 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-nat44-invrf)# end

or

RP/0/RP0/CPU0:router(config-cgn-nat44-invrf)# commit










OL-30392-01


8. endorcommit

DETAILED STEPS


Step 1 configure











Configures the inside VRF for the CGN instance named cgn1 and enters CGN inside VRF configuration mode.



Configures the external-logging facility for the NAT44 instance.

Step 6 server


Configures the logging server information for the IPv4 address and port for the server that is used for the netflow-v9 based external-logging facility.


OL-30392-01


Configuring the Session-Logging for Syslog Logging


SUMMARY STEPS

1. configure





6. server

7. session-logging

8. endorcommit

Step 7 session-logging

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# session-logging

Configures the session logging for a NAT44 instance.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure











Configures the inside VRF for the CGN instance named cgn1 and enters CGN inside VRF configuration mode.



Configures the external-logging facility for the NAT44 instance.

Step 6 server


Configures the logging server information for the IPv4 address and port for the server that is used for the syslog-based external-logging facility.


OL-30392-01


Configuring DS-Lite on ISM

Perform these tasks to configure DS-Lite on ISM.


• Configuring a DS Lite Instance, page 3-77


• Configuring External Logging, page 3-94


The following section lists guidelines for selecting serviceapp interfaces for DS-Lite.




Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# session-logging

Configures the session logging for a NAT44 instance.

Step 8 endorcommit


or











OL-30392-01







SUMMARY STEPS

1. configure


3. service cgn instance-name service-type ds-lite

4. endorcommit

DETAILED STEPS


Step 1 configure







OL-30392-01


Configuring a DS Lite Instance

Perform this task to configure an instance of the DS-Lite application.

SUMMARY STEPS

1. configure


3. service-type ds-lite instance name

4. endorcommit

Step 3 service cgn instance-name service-type ds-lite

Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1 service-type ds-lite ds-lite1


Step 4 endorcommit


or











OL-30392-01


DETAILED STEPS


Perform these tasks to configure the policy functions:

• Configuring IPv6 Tunnel Endpoint Address, page 3-79

• Configuring the FTP ALG, page 3-80

• Configuring the RTSP ALG, page 3-81

• Configuring an Address Pool Map, page 3-83

• Configuring the Path Maximum Transmission Unit, page 3-84


Step 1 configure






Step 3 service-type ds-lite instance-name

Example:RP/0/RP0/CPU0:router(config-cgn)# service-type ds-lite ds-lite1RP/0/RP0/CPU0:router(config-cgn-ds-lite)#

Configures the service type keyword definition for CGv6 DS-Lite application.

Step 4 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end

or

RP/0/RP0/CPU0:router(config-cgn-ds-lite)# commit









OL-30392-01





Configuring IPv6 Tunnel Endpoint Address

Perform this task to configure the IPv6 tunnel endpoint address:

SUMMARY STEPS

1. configure



4. aftr-tunnel-endpoint-address X:X::X IPv6 address

5. endorcommit

DETAILED STEPS


Step 1 configure







Example:RP/0/RP0/CPU0:router(config-cgn)# service-type ds-lite ds-lite1



OL-30392-01


Configuring the FTP ALG

Perform this task to configure the FTP ALG for the specified DS-Lite instance.

SUMMARY STEPS

1. configure


3. service-type ds-lite instance-name

4. alg ftp

5. endorcommit

Step 4 aftr-tunnel-endpoint-address X:X::X IPv6 address

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# aftr-tunnel-endpoint-address 10:2::10RP/0/RP0/CPU0:router(config-cgn-ds-lite)

Configures an IPv6 tunnel endpoint address.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring the RTSP ALG

Perform this task to configure the ALG for the rtsp for the specified DS-Lite instance. RTSP packets are usually destined to port 554. But this is not always true because RTSP port value is configurable.


Step 1 configure






Step 3 service-type ds-lite ds-lite1


Configures the service type keyword definition for DS-Lite application.

Step 4 alg ftp

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# alg ftp

Configures the FTP ALG on the DS-Lite instance.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. alg rtsp {server-port} value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring an Address Pool Map

Perform this task to configure an address pool map.

SUMMARY STEPS

1. configure



4. map address-pool address/prefix

5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# alg rtsp server-port 5000

Configures the rtsp ALG on the DS-Lite instance for server port 5000. The range is from 1 to 65535. The default port is 554.


Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring the Path Maximum Transmission Unit

Perform this task to configure the path maximum transmission unit (MTU):


Step 1 configure









Step 4 map address-pool address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# map address-pool 10.10.0.0/16or RP/0/RP0/CPU0:router(config-cgn-ds-lite)# map address-pool 100.1.0.0/16

Configures an address pool mapping.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. path-mtu value

5. endorcommit

DETAILED STEPS


Step 1 configure







Example:RP/0/RP0/CPU0:router(config-cgn)# service-type ds-lite ds-lite1RP/0/RP0/CPU0:router(config-cgn-ds-lite)



OL-30392-01




SUMMARY STEPS

1. configure



4. port-limit value

5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# path-mtu 2000RP/0/RP0/CPU0:router(config-cgn-ds-lite)

Configures the path MTU with the value of 2000 for the ds-lite instance.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS





Step 1 configure









Step 4 port-limit value

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# port-limit 65RP/0/RP0/CPU0:router(config-cgn-ds-lite)

Configures the port value that restricts the number of translations for the ds-lite instance.

Step 5 endorcommit


or










OL-30392-01




Perform this task to configure the timeout value for the ICMP type.

SUMMARY STEPS

1. configure



4. protocol icmp

5. timeout seconds

6. endorcommit

DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# protocol icmpRP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)

Configures the ICMP protocol session.


OL-30392-01




SUMMARY STEPS

1. configure



4. protocol tcp

5. session {active | init} timeout seconds

6. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)timeout 90RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)

Configures the timeout value for the ICMP session.

Step 6 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#end

or

RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)# commit










OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)

Configures the TCP protocol session.



Configures the timeout value for the TCP session. The example shows how to configure the initial session timeout.

Step 6 endorcommit


or










OL-30392-01




SUMMARY STEPS

1. configure



4. protocol udp

5. session {active | init} timeout seconds

6. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 protocol udp

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# protocol icmpRP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)

Configures the UDP protocol session.


OL-30392-01



Perform this task to configure the adjustment value for the maximum segment size (MSS).

SUMMARY STEPS

1. configure



4. protocol tcp

5. mss size

6. endorcommit



Configures the timeout value for the UDP session. The example shows how to configure the initial session timeout.

Step 6 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)

Configures the TCP protocol session.

Step 5 mss size

Example:RP/0/RP0/CPU0:router(config-cgn-proto)# mss 90

Configures maximum segment size value for TCP sessions for a ds-lite instance

Step 6 endorcommit


or










OL-30392-01


Configuring External Logging

Perform the following to configure external logging for DS-Lite entries.

• Netflow Logging, page 3-94

• Syslog Logging, page 3-101


• Destination-Based Logging for DS-Lite, page 3-108

Netflow Logging

Perform these tasks to configure Netflow Logging for DS-Lite entries.






Perform this task to configure the server address and port for Netflow logging.

SUMMARY STEPS

1. configure



4. external-logging netflow9

5. server


7. endorcommit

DETAILED STEPS


Step 1 configure







OL-30392-01





Step 4 external-logging netflow9

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# external-logging netflow9RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#

Configures the external-logging facility for the CGv6 instance named cgn1 and enters CGv6 external logging configuration mode.

Step 5 server

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# serverRP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)#

Configures the logging server information for the IPv4 address and port for the server that is used for the netflowv9-based external-logging facility and enters CGv6 external logging server configuration mode.


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# address 10.3.20.130 port 45RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)

Configures the IPv4 address and port number to log Netflow entries for the DS-Lite instance.

Step 7 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# end

or

RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# commit










OL-30392-01



Perform this task to configure the path maximum transmission unit (MTU) for the netflow9-based external-logging facility.

SUMMARY STEPS

1. configure




5. server

6. path-mtu value

7. endorcommit

DETAILED STEPS


Step 1 configure













OL-30392-01



Perform this task to configure the refresh rate at which the Netflow-9 logging templates are refreshed or resent to the Netflow-9 logging server:

SUMMARY STEPS

1. configure




5. server


Step 5 server


Configures the logging server information for the IPv4 address and port for the server that is used for the netflow9-based external-logging facility and enters CGv6 external logging server configuration mode.


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# path mtu 200RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)


Step 7 endorcommit


or











OL-30392-01


7. endorcommit

DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01



Perform this task to configure the frequency in minutes at which the Netflow-9 logging templates are to be sent to the Netflow-9 logging server:

SUMMARY STEPS

1. configure




5. server

6. timeout value

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# refresh-rate 200RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)

Configures the refresh rate value of 200 to log Netflow-based external logging information.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01


Syslog Logging

Perform the following tasks to configure Syslog Logging for DS-Lite entries.





Perform this task to configure the server address and port to log DS-Lite entries for Syslog logging.

SUMMARY STEPS

1. configure




5. server



Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# timeout 200RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)

Configures the timeout value of 200 for Netflow logging of the DS-Lite instance.

Step 7 endorcommit


or











OL-30392-01


7. endorcommit

DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# external-logging syslogRP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#


Step 5 server


Configures the logging server information for the IPv4 address and port for the server that is used for the syslog-based external-logging facility and enters CGv6 external logging server configuration mode.


OL-30392-01




SUMMARY STEPS

1. configure




5. server

6. host-name name

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# address 2.3.4.5 port 45

Configures the IPv4 address and port number 45 to log Netflow entries.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01



Perform this task to configure the path maximum transmission unit (MTU) for the syslog-based external-logging facility.

SUMMARY STEPS

1. configure




5. server

6. path-mtu value

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# host-name host1


Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01



Perform this task to configure bulk port allocation to reduce Netflow or Syslog data volume.

SUMMARY STEPS

1. configure


3. service-type ds-lite ds-lite1

4. bulk-port-alloc size number of ports

5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# path-mtu 200


Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS

Destination-Based Logging for DS-Lite

Perform these tasks to configure destination-based logging for DS-Lite entries.

• Configuring Session-Logging for Netflow Logging, page 3-109


Step 1 configure









Step 4 bulk-port-alloc size number of ports

Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite)# bulk-port-alloc size 64RP/0/RP0/CPU0:router(config-cgn-ds-lite)

Allocate ports in bulk to reduce Netflow/Syslog data volume.

Step 5 endorcommit


or










OL-30392-01


• Configuring the Session-Logging for Syslog Logging, page 3-110

Configuring Session-Logging for Netflow Logging


SUMMARY STEPS

1. configure


3. service-type ds-lite ds-lite1


5. server

6. session-logging

7. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 external-loging netflow9

Example:RP/0/RP0/CPU0:router(config-cgn)# external-logging netflow9RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#

Configures the external-logging facility for the DS-Lite instance.


OL-30392-01


Configuring the Session-Logging for Syslog Logging


SUMMARY STEPS

1. configure




5. server

6. session-logging

Step 5 server


Configures the logging server information for the IPv4 address and port for the server that is used for the netflow-9 based external-logging facility.


Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# session-logging

Configures the session logging for a DS-Lite instance.

Step 7 endorcommit


or











OL-30392-01


7. endorcommit

DETAILED STEPS


Step 1 configure











Configures the external-logging facility for the DS-Lite instance.

Step 5 server


Configures the logging server information for the IPv4 address and port for the server that is used for the syslog-based external-logging facility.


OL-30392-01


Configuring Stateful NAT64 on ISM

Perform these tasks to configure Stateful NAT64 on ISM.


• Configuring a Stateful NAT64 Instance, page 3-114


• Configuring External Logging, page 3-146


The following section lists guidelines for selecting serviceapp interfaces for Stateful NAT64.




Example:RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog-server)# session-logging

Configures the session logging for a DS-Lite instance.

Step 7 endorcommit


or











OL-30392-01







SUMMARY STEPS

1. configure


3. service cgn instance-name service-type nat64 stateful

4. endorcommit

DETAILED STEPS


Step 1 configure







OL-30392-01


Configuring a Stateful NAT64 Instance

Perform this task to configure a stateful NAT64 instance.

SUMMARY STEPS

1. configure


3. service-type nat64 stateful instance-name

4. endorcommit

Step 3 service cgn instance-name service-type nat64 stateful

Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1 service-type nat64 stateful nat1


Step 4 endorcommit


or











OL-30392-01


DETAILED STEPS



• Configuring Address Family, page 3-116


• Configuring Dynamic Port Range, page 3-130

• Configuring Filter-Policy, page 3-131


Step 1 configure





Configures the instance for the CGv6 application and enters CGv6 configuration mode.

Step 3 service-type nat64 stateful instance-name

Example:RP/0/RP0/CPU0:router(config-cgn)# service-type nat64 stateful nat64-instRP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#

Configures the service type keyword definition for CGv6 Stateful NAT64 application.

Step 4 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)# end

or

RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)# commit









OL-30392-01


• Configuring Fragment-Timeout, page 3-132

• Configuring an IPv4 Address Pool, page 3-134

• Configuring an IPv6-Prefix, page 3-135

• Configuring Portlimit per Subscriber, page 3-137

• Configuring the Timeout Value for ICMP, TCP and UDP Sessions, page 3-139

• Configuring the Timeout Value for ICMP, TCP and UDP Sessions per Address and Port, page 3-140

• Configuring the Timeout Value for IPv4 Initiated Sessions, page 3-142

• Configuring TCP Policy, page 3-143

• Configuring Ubit-Reserved, page 3-144

Configuring Address Family

• Configuring IPv4 Address Family, page 3-116


Configuring IPv4 Address Family

• Configuring an IPv4 Interface, page 3-116

• Configuring IPv4 TCP Maximum Segment Size (MSS), page 3-118

• Configuring IPv4 Type of Service (ToS), page 3-119

Configuring an IPv4 Interface

Perform this task to configure an IPv4 interface for a stateful NAT64 instance.

SUMMARY STEPS

1. configure



4. address-family ipv4 interface ServiceApp number

5. endorcommit


OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 address-family ipv4 interface ServiceApp number

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv4 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the IPv4 interface to divert Ipv4 nat64 traffic.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)# end

or

RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)# commit









OL-30392-01


Configuring IPv4 TCP Maximum Segment Size (MSS)

Perform this task to configure the MSS for TCP in bytes.

SUMMARY STEPS

1. configure



4. address-family ipv4 tcp mss value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring IPv4 Type of Service (ToS)

Perform this task to configure the configure ToS value to be used when translating a packet from IPv6 to IPv4.

SUMMARY STEPS

1. configure



4. address-family ipv4 tos value

5. endorcommit

Step 4 address-family ipv4 tcp mss value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv4 tcp mss 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the MSS for TCP in bytes.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 address-family ipv4 tos value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv4 tos 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the ToS value.

Step 5 endorcommit


or










OL-30392-01



• Configuring IPv6 Do not Fragment (DF) Override, page 3-121


• Configuring IPv6 Reset Maximum Transmission Unit (MTU) for an ICMP Protocol, page 3-124


• Configuring IPv6 Traffic-Class, page 3-127

Configuring IPv6 Do not Fragment (DF) Override

Perform this task to enable DF override configuration.

SUMMARY STEPS

1. configure



4. address-family ipv6 df-override

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01



Perform this task to configure an IPv6 interface for a stateful NAT64 instance.

SUMMARY STEPS

1. configure




5. endorcommit

Step 4 address-family ipv6 df-override

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv6 df-overrideRP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the DF-Override.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv6 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the IPv6 interface to divert IPv6 nat64 traffic.

Step 5 endorcommit


or










OL-30392-01


Configuring IPv6 Reset Maximum Transmission Unit (MTU) for an ICMP Protocol

Perform this task to reset the MTU for an ICMP protocol.

SUMMARY STEPS

1. configure



4. address-family ipv6 protocol icmp reset-mtu

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01




SUMMARY STEPS

1. configure




5. endorcommit

Step 4 address-family ipv6 protocol icmp reset-mtu

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv6 protocol icmp reset-mtuRP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Resets the MTU value of the ICMP protocol packet.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv6 tcp mss 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)


Step 5 endorcommit


or










OL-30392-01


Configuring IPv6 Traffic-Class

Perform this task to configure a traffic-class.

SUMMARY STEPS

1. configure



4. address-family ipv6 traffic-class value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01



Perform this task to configure RTSP as the ALG for the specified Stateful NAT64 instance. RTSP packets are usually destined to port 554. But this is not always true because RTSP port value can be configured.

SUMMARY STEPS

1. configure




5. endorcommit

Step 4 address-family ipv6 traffic-class value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#address-family ipv6 traffic-class 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the traffic class to be set.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 alg rtsp server-port value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#alg rtsp server-port 66RP/0/RP0/CPU0:router(config-cgn-nat64-stful-afi)

Configures the server port for RTSP. The default port is 554. The range is from 1 to 65535.

Step 5 endorcommit


or










OL-30392-01


Configuring Dynamic Port Range

Perform this task to configure a dynamic port range.

SUMMARY STEPS

1. configure



4. dynamic-port-range start port number

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Filter-Policy

Perform this task to configure the filter policy.

SUMMARY STEPS

1. configure



4. filter-policy

5. endorcommit

Step 4 dynamic-port-range start port number

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#dynamic-port-range start 66RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the port range from 1 to 65535.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Fragment-Timeout

Perform this task to configure the time interval to store packet fragments.


Step 1 configure









Step 4 filter-policy

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#filter-policyRP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the address-dependent filtering policy.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. fragment-timeout value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring an IPv4 Address Pool

Perform this task to configure an IPv4 address pool.

SUMMARY STEPS

1. configure



4. ipv4 address-pool address/prefix

5. endorcommit

Step 4 fragment-timeout value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#fragment-timeout 6RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the time interval, in seconds, to store packet fragments.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring an IPv6-Prefix

Perform this task to configure an IPv6 prefix.


Step 1 configure









Step 4 ipv4 address-pool address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#ipv4 address-pool 10.2.2.24/32RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures an IPv4 address pool.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. ipv6-prefix address/prefix

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Portlimit per Subscriber

Perform this task to restrict the number of ports used by an IPv6 address.

SUMMARY STEPS

1. configure



4. portlimit value

5. endorcommit

Step 4 ipv6-prefix address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#ipv6-prefix 2001:db8::/32RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the IPv6 prefix that is used to convert destination IPv6 address to an external destination IPv4 address.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#portlimit 66RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures a value to restict the number of ports used by an IPv6 address.

Step 5 endorcommit


or










OL-30392-01


Configuring the Timeout Value for ICMP, TCP and UDP Sessions

Perform this task to configure the timeout value for ICMP, TCP or UDP sessions for a stateful NAT64 instance:

SUMMARY STEPS

1. configure



4. protocol tcp session {active | initial} timeout value

protocol {icmp | udp} timeout value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring the Timeout Value for ICMP, TCP and UDP Sessions per Address and Port

Perform this task to configure the timeout value for ICMP, TCP or UDP sessions for any given IPv4 address and port.

SUMMARY STEPS

1. configure



4. protocol {icmp | tcp | udp} address IPv4 address port port number timeout value

5. endorcommit

Step 4 protocol tcp session {active | initial} timeout value

or

protocol {icmp | udp} timeout value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#protocol tcp session active timeout 90

or

protocol icmp timeout 90RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the timeout value, in seconds, for ICMP and UDP.

Configures the initial and active session timeout values for TCP.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol {icmp | tcp | udp} address IPv4 address port port number timeout value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#protocol icmp address 10.2.2.24 port 66 timeout 777RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the timeout value, in seconds, for the specified address and port.

Step 5 endorcommit


or










OL-30392-01


Configuring the Timeout Value for IPv4 Initiated Sessions

Perform this task to configure the timeout value for IPv4 sessions:

SUMMARY STEPS

1. configure



4. protocol {icmp | tcp | udp} v4-init-timeout value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring TCP Policy

Perform this task to enable or disable IPv4 initiated sessions.

SUMMARY STEPS

1. configure



4. tcp-policy

5. endorcommit

Step 4 protocol {icmp | tcp | udp} v4-init-timeout value

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#protocol icmp v4-init-timeout 777RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Configures the timeout value, in seconds, for IPv4 sessions.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Ubit-Reserved

Perform this task to enable reserving ubits in IPv6 addresses.


Step 1 configure









Step 4 tcp-policy

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#tcp-policyRP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Enables or disables IPv4 initiated sessions.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. ubit-reserved

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring External Logging

Perform these tasks to configure external logging for Stateful NAT64 entries.




• Configuring Session Logging for Netflow Logging, page 3-152



Perform this task to configure the server address and port.

SUMMARY STEPS

1. configure



4. external-logging netflowversion 9

Step 4 ubit-reserved

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)#ubit-reservedRP/0/RP0/CPU0:router(config-cgn-nat64-stateful)

Enables reserving ubits in IPv6 addresses.

Step 5 endorcommit


or











OL-30392-01


5. server

6. address ipv4 address port number

7. endorcommit

DETAILED STEPS


Step 1 configure








Configures the service type keyword definition for CGv6.


Example:RP/0/RP0/CPU0:router(config-cgn-nat64-stateful)# external-logging netflow version 9RP/0/RP0/CPU0:router(config-cgn-nat64-extlog)#

Configures the external-logging facility for the CGv6 instance and enters CGv6 external logging configuration mode.

Step 5 server

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog)# serverRP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)#

Configures the logging server information for the IPv4 address and port for the server that is used for the netflow version 9-based external-logging facility and enters CGv6 external logging server configuration mode.


OL-30392-01



Perform this task to configure the path maximum transmission unit (MTU).

SUMMARY STEPS

1. configure




5. server

6. path-mtu value

7. endorcommit

Step 6 address ipv4 address port number

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# address 10.3.20.130 port 45RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)

Configures the IPv4 address and port number to log Netflow entries.

Step 7 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# end

or

RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# commit










OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01



Perform this task to configure the refresh rate.

SUMMARY STEPS

1. configure




5. server


7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# path-mtu 120RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)

Configures the path MTU for the netflow version 9-based external-logging facility.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01


Configuring Session Logging for Netflow Logging

Perform this task to configure session logging.

SUMMARY STEPS

1. configure




5. server

6. session-logging

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# refresh-rate 120RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)

Configures the refresh rate value netflow-based external logging information.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01



Perform this task to configure the frequency in minutes at which the Netflow-version 9 logging templates are to be sent to the Netflow-v9 logging server.

SUMMARY STEPS

1. configure



4. external-logging netflow

5. server

6. timeout value

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# session-loggingRP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)

Configures session-logging.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 server




OL-30392-01


Configuring MAP-T on ISM

Perform these tasks to configure MAP-T on ISM.


• Configuring a MAP-T Instance, page 3-158



The following section lists guidelines for selecting serviceapp interfaces for MAP-T.




Example:RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)# timeout 660RP/0/RP0/CPU0:router(config-cgn-nat64-extlog-server)

Configures the timeout value in minutes. The range is from 1 to 3600.

Step 7 endorcommit


or











OL-30392-01




Perform this task to configure the application service virtual interface (SVI) to forward data traffic.

SUMMARY STEPS

1. configure


3. service cgn instance-name service-type map-t

4. endorcommit

DETAILED STEPS


Step 1 configure







OL-30392-01


Configuring a MAP-T Instance

Perform this task to configure a MAP-T instance.

SUMMARY STEPS

1. configure


3. service-type map-t instance-name

4. endorcommit

Step 3 service cgn instance-name service-type map-t

Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1 service-type map-t map1


Step 4 endorcommit


or











OL-30392-01


DETAILED STEPS




• Configuring Contiguous Ports, page 3-170

• Configuring Customer Premise Equipment Domain Parameters, page 3-171

• Configuring External Domain Parameters, page 3-173

• Configuring Port Sharing Ratio, page 3-174


Step 1 configure






Step 3 service-type map-t instance-name

Example:RP/0/RP0/CPU0:router(config-cgn)# service-type map-t map-t-instRP/0/RP0/CPU0:router(config-cgn-mapt)#

Configures the service type keyword definition for CGv6 MAP-T application.

Step 4 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)# end

or

RP/0/RP0/CPU0:router(config-cgn-mapt)# commit









OL-30392-01



Perform these tasks to configure address family.




Perform these tasks configure IPv4 address family for a MAP-T instance.



• Configuring IPv4 Type of Service (ToS), page 3-162


Perform this task to configure an IPv4 interface for a MAP-T instance.

SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01




SUMMARY STEPS

1. configure




5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv4 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)

Configures the IPv4 interface to divert IPv4 map-t traffic.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-mapt-afi)# end

or

RP/0/RP0/CPU0:router(config-cgn-mapt-afi)# commit










OL-30392-01


DETAILED STEPS

Configuring IPv4 Type of Service (ToS)

Perform this task to configure the configure ToS value to be used when translating a packet from IPv6 to IPv4.


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv4 tcp mss 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)


Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. address-family ipv4 tos value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01



Perform these tasks configure an IPv6 address family.

• Configuring IPv6 Do not Fragment (DF) Override, page 3-164



• Configuring IPv6 Traffic-Class, page 3-168

Configuring IPv6 Do not Fragment (DF) Override

Perform this task to enable DF override configuration.

SUMMARY STEPS

1. configure



4. address-family ipv6 df-override

Step 4 address-family ipv4 tos value

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv4 tos 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)

Configures the ToS value.

Step 5 endorcommit


or











OL-30392-01


5. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 address-family ipv6 df-override

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv6 df-overrideRP/0/RP0/CPU0:router(config-cgn-mapt-afi)

Configures the DF-Override.

Step 5 endorcommit


or










OL-30392-01



Perform this task to configure an IPv6 interface.

SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01




SUMMARY STEPS

1. configure




5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv6 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)

Configures the IPv6 interface to divert IPv6 nat64 traffic.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring IPv6 Traffic-Class

Perform this task to configure a traffic-class.


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv6 tcp mss 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)


Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. address-family ipv6 traffic-class value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Contiguous Ports

Perform this task to configure contiguous ports.

SUMMARY STEPS

1. configure



4. contiguous-ports number

5. endorcommit

Step 4 address-family ipv6 traffic-class value

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#address-family ipv6 traffic-class 66RP/0/RP0/CPU0:router(config-cgn-mapt-afi)

Configures the traffic class to be set.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Customer Premise Equipment Domain Parameters

Perform this task to configure Customer Premise Equipment (CPE) domain parameters.


Step 1 configure









Step 4 contiguous-ports number

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#contiguous-ports 14RP/0/RP0/CPU0:router(config-cgn-mapt)

Configures the number of ports and the value is expressed in powers of 2. The range is from 1 to 65536.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. cpe-domain ipv4 prefix ipv4 address/prefix

cpe-domain ipv6 prefix ipv6 address/prefix

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring External Domain Parameters

Perform this task to configure external domain parameters.

SUMMARY STEPS

1. configure



4. external-domain ipv6 prefix ipv6 address/prefix

5. endorcommit

Step 4 cpe-domain ipv4 prefix ipv4 address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#cpe-domain ipv4 prefix 10.2.2.24/2RP/0/RP0/CPU0:router(config-cgn-mapt)

or


Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#cpe-domain ipv6 prefix 10:2::2/24RP/0/RP0/CPU0:router(config-cgn-mapt)

Configures the cpe domain parameters.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Port Sharing Ratio

Perform this task to configure port sharing ratio.


Step 1 configure









Step 4 external-domain ipv6 prefix ipv6 address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#external-domain ipv6 prefix 10:2::2/24RP/0/RP0/CPU0:router(config-cgn-mapt)

Configures the external domain parameters.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. sharing-ratio number

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring 6RD on ISM

Perform these tasks to configure 6RD on ISM.


• Configuring a 6RD Instance, page 3-178



This section lists the guidelines for selecting service application interfaces for 6RD.

• Pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an odd integer. This is to ensure that the ServiceApp pairs works with a maximum throughput. For example, ServiceApp1 with ServiceApp2 or ServiceApp3 with ServiceApp4.

• Pair ServiceApp<n> with ServiceApp<n+5> or ServiceApp<n+9>, and so on, where <n> is an odd integer. For example, ServiceApp1 with ServiceApp6, ServiceApp1 with ServiceApp10, ServiceApp3 with ServiceApp8, or ServiceApp3 with ServiceApp12.

• Pair ServiceApp<n> with ServiceApp<n+4>, where <n> is an integer (odd or even integer). For example, ServiceApp1 with ServiceApp5, or ServiceApp2 with ServiceApp6.

Step 4 sharing-ratio number

Example:RP/0/RP0/CPU0:router(config-cgn-mapt)#sharing-ratio 14RP/0/RP0/CPU0:router(config-cgn-mapt)

Configures the port sharing ratio and the value is expressed in powers of 2. The range is from 1 to 32768.

Step 5 endorcommit


or











OL-30392-01


Warning Although ServiceApp pairs work, the aggregate throughput for Inside-to-Outside and Outside-to-Inside traffic for the ServiceApp pair is halved.

Caution Do not pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an even integer. When used, Outside-to-Inside traffic is dropped because traffic flows in the incorrect dispatcher and core.


SUMMARY STEPS

1. configure



4. service-type tunnel v6rd instance-name

5. endorcommit

DETAILED STEPS


Step 1 configure





Configures the application SVI to 1, and enters interface configuration mode.


Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1

Configures the instance named cgn1 for the CGv6 application, and enters CGv6 configuration mode.


OL-30392-01


Configuring a 6RD Instance

Perform this task to configure a 6RD instance.

SUMMARY STEPS

1. configure



4. endorcommit

Step 4 service-type tunnel v6rd instance-name

Example:RP/0/RSP0/CPU0:router(config-cgn)# service-typetunnel v6rd 6rd1RP/0/RSP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the service-type as tunnel v6rd, and the instance name as 6rd1.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-v6rd)# end

or

RP/0/RP0/CPU0:router(config-cgn-tunnel-v6rd)# commit










OL-30392-01


DETAILED STEPS




• Configuring Border Relay, page 3-182

• Configuring Maximum Transmission Unit, page 3-188

• Configuring Reassembly-Enable, page 3-190

• Configuring Reset-df-bit, page 3-191


Step 1 configure







Example:RP/0/RP0/CPU0:router(config-cgn)# service-type tunnel v6rd 6rd1RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the service type keyword definition for CGv6 6RD application.

Step 4 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# end

or

RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# commit









OL-30392-01


• Configuring Type of Service, page 3-193

• Configuring Time to Live, page 3-194


Perform these tasks to configure address family for a 6RD instance.




Perform this task to configure IPv4 address family for a 6RD instance.

• Configuring IPv4 Interface, page 3-180

Configuring IPv4 Interface

Perform this task to configure an IPv4 interface for a 6RD instance.

SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure





Creates an instance of the CGv6 application, and enters the CGv6 configuration mode.



Defines the service type keyword definition for CGv6 6RD application.


OL-30392-01



Perform this task to configure an IPv6 address family for a 6RD instance.



Perform this task to configure an IPv6 interface for a 6RD instance.

SUMMARY STEPS

1. configure




5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# address-family ipv4 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv4 interface to divert IPv4 6RD traffic. The range is from 1 to 2000.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Border Relay

Perform these tasks to configure a border relay router for a 6RD instance.



Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# address-family ipv6 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv6 interface to divert IPv4 6RD traffic. The range is from 1 to 2000.

Step 5 endorcommit


or










OL-30392-01


• Configuring IPv6 Prefix, page 3-184

• Configuring Source Address, page 3-185

• Configuring Unicast Address, page 3-187


Perform this task to configure an IPv4 interface for a border relay router.

SUMMARY STEPS

1. configure



4. br ipv4 prefix | suffix length value

5. endorcommit

DETAILED STEPS


Step 1 configure





Creates an instance of the CGv6 application and enters the CGv6 configuration mode.





OL-30392-01


Configuring IPv6 Prefix

Perform this task to configure IPv6 address and prefix for a border relay router.

SUMMARY STEPS

1. configure



4. br ipv6-prefix address

5. endorcommit

Step 4 br ipv4 prefix | suffix length value

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# br ipv4 prefix length 20RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv4 interface for a border relay router. The IPv4 prefix or suffix length is used to derive delegated IPv6 prefix.

The prefix or suffix value range is from 0 to 31.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Source Address

Perform this task to configure IPv4 source address for a tunnel.


Step 1 configure









Step 4 br ipv6-prefix address

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# br ipv6-prefix 2001:db8::/32RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv6 address and prefix for a border relay router.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. br source-address address

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Unicast Address

Perform this task to configure IPv6 unicast address.

SUMMARY STEPS

1. configure



4. br unicast address address

5. endorcommit

Step 4 br source-address address

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# br source-address 22.23.24.26RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv4 source address for a tunnel.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Maximum Transmission Unit

Perform this task to configure the Maximum Transmission Unit (MTU) of the tunnel for a 6RD instance.


Step 1 configure









Step 4 br unicast address address

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)# br unicast address 3001:db8:1617:181a::1RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the IPv6 address that is unicast from the IPv6 network.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. path-mtu value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Reassembly-Enable

Perform this task to assemble the fragmented packets for a 6RD instance.

SUMMARY STEPS

1. configure



4. reassembly-enable

5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#path-mtu 1282RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the path mtu of the tunnel. The range is from 1280 to 9216.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#end

or











OL-30392-01


DETAILED STEPS

Configuring Reset-df-bit

Perform this task to reset the df bit and enable the anycast feature for a 6RD instance.


Step 1 configure









Step 4 reassembly-enable

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#reassembly-enableRP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Assembles the fragmented packets after forwarding is complete.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. reset-df-bit

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Type of Service

Perform this task to configure the Type of Service (ToS) to be used for the IPv4 tunnel for a 6RD instance.

SUMMARY STEPS

1. configure



4. tos value

5. endorcommit

Step 4 reset-df-bit

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#reset-df-bitRP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Resets the df bit and enables the anycast feature.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Time to Live

Perform this task to configure Time to Live (TTL) value to be used for the IPv4 tunnel for a 6RD instance.


Step 1 configure









Step 4 tos value

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#tos 66RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the type of service to be used for the IPv4 tunnel. The range is from 0 to 255.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. ttl value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring MAP-E on ISM

Perform these tasks to configure MAP-E on ISM.


• Configuring a MAP-E Instance, page 3-198



This section lists the guidelines for selecting service application interfaces for MAP-E.

• Pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an odd integer. This is to ensure that the ServiceApp pairs works with a maximum throughput. For example, ServiceApp1 with ServiceApp2 or ServiceApp3 with ServiceApp4.

• Pair ServiceApp<n> with ServiceApp<n+5> or ServiceApp<n+9>, and so on, where <n> is an odd integer. For example, ServiceApp1 with ServiceApp6, ServiceApp1 with ServiceApp10, ServiceApp3 with ServiceApp8, or ServiceApp3 with ServiceApp12.

• Pair ServiceApp<n> with ServiceApp<n+4>, where <n> is an integer (odd or even integer). For example, ServiceApp1 with ServiceApp5, or ServiceApp2 with ServiceApp6.

Step 4 ttl value

Example:RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#ttl 220RP/0/RP0/CPU0:router(config-cgn-tunnel-6rd)#

Configures the time-to-live value, in seconds, to be used for the IPv4 tunnel. The range is from 1 to 255.

Step 5 endorcommit


or











OL-30392-01


Warning Although ServiceApp pairs work, the aggregate throughput for Inside-to-Outside and Outside-to-Inside traffic for the ServiceApp pair is halved.

Caution Do not pair ServiceApp<n> with ServiceApp<n+1>, where <n> is an even integer. When used, Outside-to-Inside traffic is dropped because traffic flows in the incorrect dispatcher and core.


SUMMARY STEPS

1. configure


3. endorcommit


OL-30392-01


DETAILED STEPS

Configuring a MAP-E Instance

Perform this task to configure a MAP-E instance.

SUMMARY STEPS

1. configure


3. service-type map-e instance-name

4. endorcommit


Step 1 configure


Enters the global configuration mode.



Configures the application SVI to 1, and enters interface configuration mode.

Step 3 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# end

or

RP/0/RP0/CPU0:router(config-cgn-map_e)# commit









OL-30392-01


DETAILED STEPS




• Configuring AFTR Endpoint Address, page 3-206

• Configuring Contiguous Ports, page 3-207

• Configuring CPE Domain Parameters, page 3-209

• Configuring Path MTU of the Tunnel, page 3-210


Step 1 configure






Step 3 service-type map-e instance-name

Example:RP/0/RP0/CPU0:router(config-cgn)# service-type map-e m1RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the service type keyword definition for CGv6 MAP-E application.

Step 4 endorcommit


or










OL-30392-01


• Configuring Port Sharing Ratio, page 3-211


Perform these tasks to configure address family.




Perform these tasks configure IPv4 address family for a MAP-E instance.


• Configuring TCP Maximum Segment Size, page 3-201


Perform this task to configure an IPv4 interface for a MAP-E instance.

SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure





Creates an instance of the CGv6 application and enters CGv6 configuration mode.



Defines the service type keyword definition for the CGv6 MAP-E application.


OL-30392-01


Configuring TCP Maximum Segment Size

Perform this task to configure the Maximum Segment Size (MSS) for TCP.

SUMMARY STEPS

1. configure




5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# address-family ipv4 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-map_e-afi)#

Configures the IPv4 interface to divert IPv4 map-e traffic.

Step 5 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-map_e-afi)# end

or

RP/0/RP0/CPU0:router(config-cgn-map_e-afi)# commit










OL-30392-01


DETAILED STEPS


Perform these tasks configure an IPv6 address family.



Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# address-family ipv4 tcp mss 300RP/0/RP0/CPU0:router(config-cgn-map_e-afi)#

Configures the MSS to be used, in bytes. The range is from 28 to 1500.

Step 5 endorcommit


or










OL-30392-01


• Configuring TCP Maximum Segment Size, page 3-204


Perform this task to configure an IPv6 interface.

SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring TCP Maximum Segment Size

Perform this task to configure the Maximum Segment Size (MSS) to be used for TCP.

SUMMARY STEPS

1. configure




5. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# address-family ipv6 interface serviceApp 66RP/0/RP0/CPU0:router(config-cgn-map_e-afi)#

Configures the IPv6 interface to divert IPv6 map-e traffic.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# address-family ipv6 tcp mss 300RP/0/RP0/CPU0:router(config-cgn-map_e-afi)#

Configures the MSS to be used, in bytes. The range is from 28 to 1500.

Step 5 endorcommit


or










OL-30392-01


Configuring AFTR Endpoint Address

Perform this task to configure the Address Family Transition Router (AFTR) endpoint address.

SUMMARY STEPS

1. configure



4. aftr-endpoint-address ipv6 address

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Contiguous Ports

Perform this task to configure the number of contiguous ports for a MAP-E instance.

SUMMARY STEPS

1. configure



4. contiguous-ports number

5. endorcommit

Step 4 aftr-endpoint-address IPv6 address

Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# aftr-endpoint-address 2001:db8::32RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the AFTR endpoint address.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 contiguous-ports number

Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# contiguous-ports 16RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the number of contiguous ports. The range is from 1 to 65536.

Note The value is expressed in powers of 2.

Step 5 endorcommit


or










OL-30392-01


Configuring CPE Domain Parameters

Perform this task to configure Customer Premise Equipment (CPE) domain parameters.

SUMMARY STEPS

1. configure



4. cpe-domain ipv4 prefix ipv4 address/prefix

or


5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring Path MTU of the Tunnel

Perform this task to configure the path Maximum Transmission Unit (MTU) of the tunnel.

SUMMARY STEPS

1. configure



4. path-mtu value

5. endorcommit

Step 4 cpe-domain ipv4 prefix ipv4 address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# cpe-domain ipv4 prefix 10.2.2.24/2RP/0/RP0/CPU0:router(config-cgn-map_e)#

or


Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# cpe-domain ipv6 prefix 2001:da8:a464::/48RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the IPv4 or IPv6 prefixes of the CPE domain.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring Port Sharing Ratio

Perform this task to configure the sharing ratio of the port.


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# path-mtu 1300RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the path MTU of the tunnel. The range is from 1280 to 9216.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure



4. sharing-ratio number

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01

Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Configuring High Availability on ISM

Configuring High Availability on ISMISM supports high availability or 1:1 redundancy on different CGv6 applications.

Perform these tasks to configure HA on ISM.

• Configuring Active or Standby ISM, page 3-213

• Enabling Failure Detection, page 3-215

Configuring Active or Standby ISM

Perform this task to configure active or standby ISM.

SUMMARY STEPS

1. configure

2. hw-module service cgn location node-id

3. interface ServiceInfra value

4. service-location preferred-active node-id [preferred-standby node-id]


Step 4 sharing-ratio number

Example:RP/0/RP0/CPU0:router(config-cgn-map_e)# sharing-ratio 64RP/0/RP0/CPU0:router(config-cgn-map_e)#

Configures the port sharing ratio. The range is from 1 to 32768.

Note The value is expressed in powers of 2.

Step 5 endorcommit


or











OL-30392-01


6. endorcommit

7. reload

DETAILED STEPS


Step 1 configure



Step 2 hw-module service cgn location node-id

Example:RP/0/RP0/CPU0:router(config)# hw-module service cgn location 0/1/CPU0

Configures role as CGN on both the ISM locations.

Step 3 interface ServiceInfra value

Example:RP/0/RP0/CPU0:router(config)# interface ServiceInfra 1RP/0/RP0/CPU0:router(config-if)#

Configures the infrastructure service virtual interface (SVI) for both the ISM locations.

Step 4 service-location preferred-active node-id [preferred-standby node-id]

Example:RP/0/RP0/CPU0:router(config-if)# service-location preferred-active 0/1/CPU0 preferred-standby 0/4/CPU0

Configures the preferred active and preferred standby nodes.


Example:RP/0/RP0/CPU0:router(config-if)# ipv4 address 1.1.1.1/30

Sets the primary IPv4 address and netmask.


OL-30392-01


Enabling Failure Detection

Perform this task to enable failure detection.

SUMMARY STEPS

1. configure

2. service-cgv6-ha location node-id puntpath-test

3. service-cgv6-ha location node-id datapath-test

4. endorcommit

Step 6 endorcommit


or









Step 7 reload

Example:RP/0/RP0/CPU0:Router#hw-mod location 0/1/CPU0 reload

Once the configuration is complete, reload both the cards for changes to take effect and wait till in ‘APP READY’ state.



OL-30392-01


DETAILED STEPS

Note By default, failure detection for punt path, data path is not triggered unless the above commands are configured.These commands can be configured only when ISM role is CGN and ISM in “App-Ready” state.

To disable failure detection, use the no form of the commands:

• no service-cgv6-ha location node-id puntpath-test

• no service-cgv6-ha location node-id datapath-test


Step 1 configure



Step 2 service-cgv6-ha location node-id puntpath-test

Example:RP/0/RP0/CPU0:router(config)# service-cgv6-ha location 0/1/CPU0 puntpath-test

Configures role as CGv6 and failure detection for puntpath tests.

Step 3 service-cgv6-ha location node-id datapath-test

Example:RP/0/RP0/CPU0:router(config)# service-cgv6-ha location 0/1/CPU0 datapath-test

Configures role as CGv6 and failure detection for datapath tests.

Step 4 endorcommit


or










OL-30392-01

Chapter 3 Carrier Grade IPv6 over Integrated Services Module (ISM)Configuration Examples for Implementing CGv6

Configuration Examples for Implementing CGv6This section provides the following configuration examples for CGv6:

• Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example, page 3-217

• Configuring Different Inside VRF Maps to Identical Outside VRF maps for NAT44: Example, page 3-218

• NAT44 Configuration: Example, page 3-219

• DS Lite Configuration: Example, page 3-221

• Stateful NAT64 Configuration: Example, page 3-222

• MAP-T Configuration: Example, page 3-225

• DBL Configuration: Example, page 3-226

• Services Redundancy Configuation (Active/Standby ISM): Example, page 3-226

• 6RD Configuration: Example, page 3-227

• MAP-E Configuration: Example, page 3-228

• PPTP ALG Configuration: Example, page 3-229

Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example

This example shows how to configure a different inside VRF map to a different outside VRF and different outside address pools:

service cgn cgn1inside-vrf insidevrf1map outside-vrf outsidevrf1 address-pool 100.1.1.0/24!!inside-vrf insidevrf2map outside-vrf outsidevrf2 address-pool 100.1.2.0/24!service-location preferred-active 0/2/cpu0!interface ServiceApp 1vrf insidevrf1ipv4 address 210.1.1.1 255.255.255.0service cgn cgn1!router staticvrf insidevrf10.0.0.0/0 serviceapp 1!!interface ServiceApp 2vrf outsidevrf1ipv4 address 211.1.1.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf outsidevrf1


OL-30392-01


100.1.1.0/24 serviceapp 2!!interface ServiceApp 3vrf insidevrf2 ipv4 address 1.1.1.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf insidevrf20.0.0.0/0 serviceapp 3!!interface ServiceApp 4vrf outsidevrf2ipv4 address 2.2.2.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf outsidevrf2100.1.2.0/24 serviceapp 4

Configuring Different Inside VRF Maps to Identical Outside VRF maps for NAT44: Example

This example shows how to configure different inside VRF maps to identical outside VRF maps:

Note Configure outsideServiceApp in the CGN configuration for the following ServiceApp pair:

• Two different inside vrf

• Two identical outside vrf

service cgn cgn-service-kykwifiservice-location preferred-active 0/0/CPU0service-type nat44 kykwifi-nat44 portlimit 512 alg ActiveFTP alg rtsp alg pptpAlg inside-vrf INTERNET_PRIVATE_CGNAT map outside-vrf INTERNET outsideServiceApp ServiceApp2 address-pool 81.213.32.0/22 external-logging syslog server address 10.106.61.20 port 514 ! ! inside-vrf INTERNET_PRIVATE_CGNAT2 map outside-vrf INTERNET outsideServiceApp ServiceApp4 address-pool 81.213.36.0/22 external-logging syslog server address 10.106.61.20 port 514 !


OL-30392-01


NAT44 Configuration: Example

This example shows a NAT44 sample configuration:

interface Loopback40 description IPv4 Host for NAT44 ipv4 address 40.22.22.22 255.255.0.0!interface Loopback41 description IPv4 Host for NAT44 ipv4 address 41.22.22.22 255.255.0.0!interface GigabitEthernet0/3/0/0.1 description Connected to P2_ASR9000-8 GE 0/6/5/0.1 ipv4 address 10.222.5.22 255.255.255.0 encapsulation dot1q 1!router static address-family ipv4 unicast 180.1.0.0/16 10.222.5.2 181.1.0.0/16 10.222.5.2!!

Hardware Configuration for ISM

!vrf InsideCustomer1 address-family ipv4 unicast !!vrf OutsideCustomer1 address-family ipv4 unicast !!hw-module service cgn location 0/3/CPU0!!interface GigabitEthernet0/6/5/0.1 vrf InsideCustomer1 ipv4 address 10.222.5.2 255.255.255.0encapsulation dot1q 1!interface GigabitEthernet0/6/5/1.1 vrf OutsideCustomer1 ipv4 address 10.12.13.2 255.255.255.0encapsulation dot1q 1!interface ServiceApp1 vrf InsideCustomer1 ipv4 address 1.1.1.1 255.255.255.252 service cgn cgn1 service-type nat44!interface ServiceApp2 vrf OutsideCustomer1 ipv4 address 2.1.1.1 255.255.255.252 service cgn cgn1 service-type nat44!interface ServiceInfra1 ipv4 address 75.75.75.75 255.255.255.0 service-location 0/3/CPU0!


OL-30392-01


! router static !vrf InsideCustomer1 address-family ipv4 unicast 0.0.0.0/0 ServiceApp1 40.22.0.0/16 10.222.5.22 41.22.0.0/16 10.222.5.22 181.1.0.0/16 vrf OutsideCustomer1 GigabitEthernet0/6/5/1.1 10.12.13.1 ! ! vrf OutsideCustomer1 address-family ipv4 unicast 40.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22 41.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22 100.0.0.0/24 ServiceApp2 180.1.0.0/16 10.12.13.1 181.1.0.0/16 10.12.13.1 ! !!

ISM Configuration

service cgn cgn1 service-location preferred-active 0/3/CPU0 service-type nat44 nat44 portlimit 200 alg ActiveFTP inside-vrf InsideCustomer1 map outside-vrf OutsideCustomer1 address-pool 100.0.0.0/24 protocol tcp static-forward inside address 41.22.22.22 port 80 ! ! protocol icmp static-forward inside address 41.22.22.22 port 80 ! ! external-logging netflow version 9 server address 172.29.52.68 port 2055 refresh-rate 600 timeout 100 ! ! ! !!IPv4: 180.1.1.1/16!interface Loopback180 description IPv4 Host for NAT44 ipv4 address 180.1.1.1 255.255.0.0!interface Loopback181 description IPv4 Host for NAT44 ipv4 address 181.1.1.1 255.255.0.0!interface GigabitEthernet0/6/5/1.1 ipv4 address 10.12.13.1 255.255.255.0encapsulation dot1q 1


OL-30392-01


! router static address-family ipv4 unicast 40.22.0.0/16 10.12.13.2 41.22.0.0/16 10.12.13.2 100.0.0.0/24 10.12.13.2 !!

Bulk Port Allocation and Syslog Configuration: Example

service cgn cgn2service-type nat44 natA

inside-vrf broadbandmap address-pool 100.1.2.0/24external-logging syslog

serveraddress 20.1.1.2 port 514

!!

bulk-port-alloc size 64!!

DS Lite Configuration: Example

IPv6 ServiceApp and Static Route Configuration

confint serviceApp61service cgn cgn1 service-type ds-liteipv6 address 2001:202::/32commit

exit

router staticaddress-family ipv6 unicast3001:db8:e0e:e01::/128 ServiceApp61 2001:202::2commitexit

end

IPv4 ServiceApp and Static Route Configuration

confint serviceApp41service cgn cgn1 service-type ds-liteipv4 add 41.41.41.1/24commit

exit

router staticaddress-family ipv4 unicast52.52.52.0/24 ServiceApp41 41.1.1.2commitexit

end


OL-30392-01


DS Lite Configuration

service cgn cgn1service-location preferred-active 0/2/CPU0 preferred-standby 0/4/CPU0

service-type ds-lite dsl1portlimit 200bulk-port-alloc size 128map address-pool 52.52.52.0/24aftr-tunnel-endpoint-address 3001:DB8:E0E:E01::address-family ipv4

interface ServiceApp41address-family ipv6

interface ServiceApp61protocol tcp

session init timeout 300session active timeout 400mss 1200

external-logging netflow9server

address 90.1.1.1 port 99external-logging syslog

serveraddress 90.1.1.1 port 514

Stateful NAT64 Configuration: Exampleservice cgn cgn1 service-type nat64 stateful stful1 !!service cgn cgn1 service-type nat64 stateful stful1 ipv6-prefix 2001:db8::/32 ! !!service cgn cgn1 service-type nat64 stateful stful1 ipv4 address-pool 200.20.30.0/24 ! !!service cgn cgn1 service-type nat64 stateful stful1 ipv4 address-pool 200.20.30.0/24 ipv4 address-pool 300.20.30.0/24

! !!

service cgn cgn1 service-type nat64 stateful stful1 Ubit-reserved ! !!service cgn cgn1 service-type nat64 stateful stful1 portlimit 1000 !


OL-30392-01


!!service cgn cgn1 service-type nat64 stateful stful1 dynamic-port-range start 1010 ! !!service cgn cgn1 service-type nat64 stateful stful1

protocol icmptimeout 900

! ! !!

service cgn cgn1 service-type nat64 stateful stful1 protocol tcp session active timeout 90 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol tcp session initial timeout 90 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol udp

timeout 1800 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol udp

timeout 90 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol icmp address 123.33.4.4 port 1234 timeout 908 port 1235 timeout 1000 ! ! ! !!

service cgn cgn1 service-type nat64 stateful stful1 protocol tcp


OL-30392-01


address 123.33.4.4 timeout 908 timeout 1000 ! ! ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol udp port 1234 timeout 908 ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv4 tcp mss 600 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv6 tcp mss 600 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv4 tos 100 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv6 traffic class 100 ! ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv6 protocol icmp reset-mtu ! ! ! !!service cgn cgn1 service-type nat64 stateful stful1 address-family ipv6 df-override ! ! !


OL-30392-01


!service cgn cgn1 service-type nat64 stateful stful1 filtering-policy ! !!

service cgn cgn1 service-type nat64 stateful stful1 tcp-policy ! !!service cgn cgn1 service-type nat64 stateful stful1 protocol tcp v4-init-timeout 20 ! ! !!

MAP-T Configuration: Examplehw-module service cgn location 0/0/CPU0interface ServiceApp4 ipv4 address 30.30.30.1 255.255.255.0 service cgn test service-type map-t!interface ServiceApp6 ipv4 address 19.1.1.1 255.255.255.252 ipv6 address 2001:101::/32 service cgn test service-type map-t!interface ServiceInfra1 ipv4 address 200.1.1.1 255.255.255.0 service-location 0/0/CPU0!router static address-family ipv4 unicast202.38.102.0/24 ServiceApp4 30.30.30.2 ! address-family ipv6 unicast 2001:da8:a464:ffff::/64 ServiceApp6 2001:101::2!service cgn test service-location preferred-active 0/0/CPU0service-type map-t xlat1 cpe-domain ipv6 prefix 2001:da8:a464::/48 cpe-domain ipv4 prefix 202.38.102.0/24 external-domain ipv6 prefix 2001:da8:a464:ffff::/64 sharing-ratio 64 contiguous-ports 128

address-family ipv4 interface ServiceApp4 tcp mss 235 tos 100 ! address-family ipv6


OL-30392-01


interface ServiceApp6 tcp mss 1154 traffic-class 100 df-override; !!

DBL Configuration: Example

NAT44 Instance

service cgn cgn1service-type nat44 nat1 inside-vrf ivrf external-logging netflow version 9 server session-logging

DS-Lite Instance

service cgn cgn1service-type ds-lite ds-lite1

external-logging netflow9 server session-logging

Services Redundancy Configuation (Active/Standby ISM): Example

Active ISM Configuration

conf tinterface ServiceInfra 1service-location 0/1/CPU0ipv4 address 50.1.1.1/24exit

hw-module service cgn location 0/1/CPU0commitexit

Stand By ISM Configuration

conf tinterface ServiceInfra 2service-location 0/2/CPU0ipv4 address 100.1.1.1/24exit

hw-module service cgn location 0/2/CPU0commitexitconf tservice cgn <cgn name> service-location preferred-active 0/1/CPU0 preferred-standby 0/2/CPU0commitexit


OL-30392-01


6RD Configuration: Example

This example shows a sample 6RD configuration:

vrf ivrf!hw-module service cgn location 0/0/CPU0hw-module service cgn location 0/2/CPU0interface ServiceApp41vrf ivrfipv4 address 5.5.5.1 255.255.0.0service cgn cgn1 service-type tunnel v6rd!interface ServiceApp42ipv4 address 6.6.6.1 255.255.255.0service cgn cgn1 service-type tunnel v6rd!interface ServiceApp61ipv6 address 2001:db8:1617:1819::2/64service cgn cgn1 service-type tunnel v6rd!interface ServiceApp62ipv6 address 3001:db8:1617:181a::2/64service cgn cgn1 service-type tunnel v6rd!interface ServiceInfra1ipv4 address 1.1.1.1 255.255.255.0service-location 0/0/CPU0!interface ServiceInfra2ipv4 address 2.2.2.2 255.255.255.0service-location 0/2/CPU0!router staticaddress-family ipv4 unicast8.37.0.0/16 8.36.0.18.42.25.0/24 8.36.5.210.1.2.0/24 GigabitEthernet0/3/0/210.64.83.49/32 8.36.0.122.23.24.26/32 6.6.6.2102.2.0.0/16 ServiceApp3192.168.3.0/24 GigabitEthernet0/3/0/3192.168.3.0/24 GigabitEthernet0/3/0/4202.153.144.0/24 8.36.0.1!address-family ipv6 unicast2001:db8::/32 ServiceApp612001:db8:1617:1819::/64 Null02001:db8:1617:1819::/128 ServiceApp612001:db8:1617:1819::1/128 ServiceApp613001:db8::/32 ServiceApp623001:db8:1617:181a::/64 Null03001:db8:1617:181a::/64 ServiceApp623001:db8:1617:181a::1/128 ServiceApp62!vrf ivrfaddress-family ipv4 unicast0.0.0.0/0 5.6.5.222.23.24.25/32 5.5.5.2192.168.3.5/32 10.1.2.3!!!


OL-30392-01


service cgn cgn1service-location preferred-active 0/2/CPU0 preferred-standby 0/0/CPU0service-type tunnel v6rd 6rd1ttl 255path-mtu 1480bripv6-prefix 2001:db8::/32source-address 22.23.24.25unicast address 2001:db8:1617:1819::1!address-family ipv4interface ServiceApp41!address-family ipv6interface ServiceApp61!!service-type tunnel v6rd 6rd2bripv6-prefix 3001:db8::/32source-address 22.23.24.26unicast address 3001:db8:1617:181a::1!address-family ipv4interface ServiceApp42!address-family ipv6interface ServiceApp62!!!

MAP-E Configuration: Example

This example shows a sample MAP-E configuration:

hw-module service cgn location 0/0/CPU0interface ServiceApp1ipv4 address 30.30.30.1 255.255.255.0service cgn cgn1 service-type map-e m1!interface ServiceApp2ipv4 address 19.1.1.1 255.255.255.252ipv6 address 2001:101::/32service cgn cgn1 service-type map-e m1!interface ServiceInfra1ipv4 address 200.1.1.1 255.255.255.0service-location 0/0/CPU0!router staticaddress-family ipv4 unicast202.38.102.0/24 ServiceApp1 30.30.30.2!address-family ipv6 unicast2001:da8:a464:ffff::/64 ServiceApp2 2001:101::2!service cgn cgn1service-location preferred-active 0/0/CPU0service-type map-e m1cpe-domain ipv6 prefix 2001:da8:a464::/48cpe-domain ipv4 prefix 202.38.102.0/24


OL-30392-01


aftr-endpoint-address 2001:da8:a464:ffff::/128sharing-ratio 16contiguous-ports 32path-mtu 1300

address-family ipv4interface ServiceApp1tcp mss 235

!address-family ipv6interface ServiceApp2tcp mss 1154!!

PPTP ALG Configuration: Example

NAT44 Instance

service cgn cgn1 service-location preferred-active 0/1/CPU0 service-type nat44 inst1 alg pptpAlg


OL-30392-01



OL-30392-01


OL-30392-01

C H A P T E R 4
Carrier Grade IPv6 over Virtualized Services Module (VSM)
This module describes how to implement the Carrier Grade IPv6 (CGv6) over Virtualized Services Module (VSM).

Virtualized Services Module (VSM)VSM is the next generation service card on the Cisco ASR 9000 Series Aggregation Services Router. The software infrastructure on this card provides a virtual environment and the services run as virtual machines (VM) in this environment. The VMs simulate individual physical computing environments over a common hardware. The available hardware resources, like processor, memory, hard disk, and so on, are virtualized and allocated to individual virtual machines by the hypervisor.

VSM Components

VSM is capable of hosting multiple VMs. It consists of the following components:

• IOS XR VM: This VM is used for managing the routing functions.

• System Admin VM: This VM is used for the system administration.

• Application VM: CGv6 is the application VM running on VSM. In the current release, only one CGv6 VM can run at a given time.

• Linux Host and Hypervisor: The routing functions and the system administration functions are run on separate virtual machines (VMs) over a Linux host operating system. The CGv6 VM, along with the other VMs, runs on the top of the KVM hypervisor.


Chapter 4 Carrier Grade IPv6 over Virtualized Services Module (VSM)Installing CGv6 on VSM

Features and Considerations

Some of the features and considerations of VSM are:

• The CGv6 application has to run in a VM environment.

• The IOS XR Service Enablement CLIs are needed to create, delete, access, and operate on CGv6 VM.

• The VSM card can co-exist with other LCs including ISM.

• Each NP has 6 NP ports and can send traffic to 24 CGv6 Application processes.

• For each VSM card, a ServiceInfra interface needs to be configured.

• Traffic diversion may be done based on a static route or ACL-based forwarding (ABF).

• In the current release, VSM does not support multiple CGv6 VMs on the same card.

Installing CGv6 on VSMThe process of installing CGv6 on VSM involves the following:

• Prerequisites

• Installing CGv6 OVA Package

• Activating CGv6 VM

• Deactivating CGv6 VM

• Uninstalling CGv6 OVA Package

Note If you are performing an upgrade or a downgrade of CGv6 VM, it needs to be deactivated first, uninstalled, installed, and then activated.

CGv6 VM(Socket 0-3)

IOS-XR VM(Socket 0)

Socket #0 Socket #1 Socket #2 Socket #3

SysadminVM

(Socket 0)

3618

13

Host Linux + Hypervisor


OL-30392-01


Note Before upgrading or downgrading the CGv6 OVA package on the Active VSM card in HA (high availability) mode, perform a graceful shift of the traffic from Active VSM to Standby VSM. This will ensure that the CGN-related configuration is replicated into a standby card. To perform graceful shift of the traffic, run the “service redundancy failover service-type all preferred-active <active-vsm-slot>” command in EXEC mode.

Prerequisites

Ensure that you have installed the following images:

• asr9k-mini-px.vm (Base IOS-XR image)

• asr9k-services-infra.pie (VSM Services Infra package)

• asr9k-services-px.pie (CGv6 Services package)

• asr9k-fpd-px.pie (FPGA Image IOS XR package)

• asr9k-vsm-cgv6-<version>.ova (Linux Open Virtual Alliance or OVA package)

Installing CGv6 OVA Package

The CGv6 Virtual Machine (VM) is provided as an OVA package. Open Virtualization Appliance (OVA) is a single file distribution of the file package. The CGv6 OVA package consists of the following files:

• OVA Profile Descriptor file

• Package version file

• Linux Image file

The process of installation of CGv6 OVA package consists of the following steps:

Step 1 Copy the OVA file from the remote location to the RP disk.

RP/0/RSP0/CPU0:router# copy <tftp location>/asr9k-vsm-cgv6.ova disk0:/

Note Once the CGv6 OVA package is copied to RP’s disk, you can install it on multiple VSMs on the same chassis.

Step 2 Before you run any VM command, enable virtual service.

RP/0/RSP0/CPU0:router(config)#virtual-service enable RP/0/RSP0/CPU0:router(config)#commit

Step 3 Install CGv6 VM on a specific VSM card.

RP/0/RSP0/CPU0:router#virtual-service install name <service/VM name> package <OVA package name> node <VSM_location>


OL-30392-01


Note The service or VM name can contain only alphanumeric characters (A to Z, a to z, or 0 to 9) or an underscore (_). All other special characters are not allowed. The installation process might take about 7-8 minutes.

Step 4 Check the progress of the installation process by using the show virtual-service list command. Once the installation is complete, the status is changed to Installed.

RP/0/RSP0/CPU0:router# show virtual-service listVirtual Service List:

Name Status Package Name Nodecgn1 Installing asr9k-vsm-cgv6.ova 0/1/CPU0

RP/0/RSP0/CPU0:NAT#sh virtual-service listName Status Package Name Nodecgn1 Installed asr9k-vsm-cgv6.ova 0/1/CPU0

Activating CGv6 VM

The steps to activate the CGv6 VM are as follows:

Step 1 Configure the CGv6 VM and the 12 Gigabit Ethernet (GE) interfaces in the global configuration mode.

RP/0/RSP0/CPU0:router(config)# virtual-service cgn123RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/0RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/1RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/2RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/3RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/4RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/5RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/6RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/7RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/8RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/9RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/10RP/0/RSP0/CPU0:router(config-virt-service)# vnic interface tenGigE 0/2/1/11RP/0/RSP0/CPU0:router(config-virt-service)# commit

Step 2 Activate the CGv6 VM.

RP/0/RSP0/CPU0:router(config-virt-service)# activateRP/0/RSP0/CPU0:router(config-virt-service)# commit

Step 3 Check the progress of the activation process by using the show virtual-service list command. Once the VM is activated, the status changes to Activated.

RP/0/RSP0/CPU0:router# show virtual-service list Virtual Service List:

Name Status Package Namecgn123 Activated asr9k-vsm-cgv6.ova

Note Once the VM is activated, it takes about 5 minutes for the CGv6 applications to come up.

Step 4 Configure the ServiceInfra interface.

RP/0/RSP0/CPU0:router# configure terminal


OL-30392-01

Chapter 4 Carrier Grade IPv6 over Virtualized Services Module (VSM)Uninstalling CGv6 on VSM

RP/0/RSP0/CPU0:router(config)# interface ServiceInfra 1RP/0/RSP0/CPU0:router(config-int)# ipv4 address 3.1.1.1 255.255.255.252RP/0/RSP0/CPU0:router(config-int)# service-location 0/2/CPU0 RP/0/RSP0/CPU0:router(config-int)# commit

Step 5 Before you configure NAT44, ensure that the 12 Gigabit Ethernet (GE) interfaces are up. If they are in the shutdown mode, then change their mode by using the no shut command.

Note In IOS-XR, by default, any interface that is not configured is shut down when the associated line card is reloaded. To prevent this behavior on the VSM TenGigE interface (port), add a minor configuration (such as, description) on the interface.

RP/0/RSP0/CPU0:router(config)# interface tenGigE 0/2/1/0RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/1RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/2RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/3RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/4RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/5RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/6RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/7RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/8RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/9RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/10RP/0/RSP0/CPU0:router(config-if)# interface tenGigE 0/2/1/11RP/0/RSP0/CPU0:router(config-if)# no shutRP/0/RSP0/CPU0:router(config-if)# commit

Uninstalling CGv6 on VSMThe process of uninstalling CGv6 VSM involves the following processes:

• Deactivating CGv6 VM

• Uninstalling CGv6 OVA Package

• Disabling the Service Enablement Feature

Deactivating CGv6 VM

To de-activate the CGv6 VM, perform the following in the global configuration mode:

RP/0/RP0/CPU0:router(config)# virtual-service cgn123 RP/0/RP0/CPU0:router(config-virt-service)# no activate RP/0/RP0/CPU0:router(config-virt-service)# commit

To remove the CGv6 instance, perform the following in the global configuration mode:

RP/0/RP0/CPU0:router(config)# no virtual-service cgn123RP/0/RP0/CPU0:router(config)# commit

Uninstalling CGv6 OVA Package

To uninstall the CGv6 OVA package, run the following commands in the EXEC mode:


OL-30392-01

Chapter 4 Carrier Grade IPv6 over Virtualized Services Module (VSM)Uninstalling CGv6 on VSM

RP/0/RSP0/CPU0:router# virtual-service uninstall name cgn123 node 0/2/CPU0

Disabling the Service Enablement Feature

To disable the service enablement feature, run the following commands in the global configuration mode:

RP/0/RP0/CPU0:router(config)# no virtual-service enableRP/0/RP0/CPU0:router(config)# commit

VSM scale numbers

ASR9K supports the following VSM scale numbers:

Parameter Name Value per VSMValue per ASR9K Chassis with VSM

Number of CGN or CGv6 Instances 1 4

Number of Service Infra Interfaces 1 4

Number of Service App interfaces 512

Number of NAT44 instances 1 4

Number of Stateful Translation 80 Millions

Number of NAT session 80 Millions

Number of NAT users 4 Million

Number of Static Port Forwarding Entries 6000

Number of Public IPv4 addresses 65536 or 16

Number of VRF per NAT44 instance 128 (inside) + 128 (outside)

BNG 32k per np

VRF 8000

GDOI(There are 15 Groups per Node. Two nodes for S2S VPN.)

15 Groups per Node

DS-Lite Sessions 80 Million

NAT64 Sessions 80 Million

6RD(ASR 9000 Enhanced Ethernet Line Card is inline with 6RD with an expectation rate of 90 percent.)

Note Number of VSM cards per chassis can be adjusted based on the type of chassis and traffic assessment.


OL-30392-01

Chapter 4 Carrier Grade IPv6 over Virtualized Services Module (VSM)Implementing NAT44 on VSM

Implementing NAT44 on VSMThis section explains the implementation of NAT44 on VSM.

In this release, VSM supports the following two features on NAT44. The configurations for these features are explained in the later sections.

• TCP Sequence Check

• Address and Port-Dependent Filtering

VSM scale numbers supported in NAT 44

NAT 44 supports the following VSM scale numbers:

VSM Scale numbers supported in NAT 64

NAT 64 supports the following VSM scale numbe

TCP Sequence Check

In order to overcome security threats to less secure networks, Cisco Virtualized Services Module (VSM) performs TCP sequence check.

A sequence number is a 32-bit number that is included in a packet in a TCP session. The sequence numbers of the incoming packets are stored in the translation or session entry. If a packet's sequence number does not match the expected sequence number, then the packet is dropped . In this way, the networks can be secured from spoofed packets.


Number of NAT44 instances 1 6

Number of Stateful Translation 80 Millions

Number of NAT session 80 Millions

Number of NAT users 4 Million

Number of Static Port Forwarding Entries 6000

Number of Public IPv4 addresses 65536 or 16

Number of VRF per NAT44 instance 128 (inside) + 128 (outside)


NAT64 Sessions 80 Millions 6


OL-30392-01


You can perform these TCP sequence checks by using the sequence-check command. An optional keyword, diff-window, has been provided for a user to define and configure the accepted expected range of sequence numbers. But it is recommended that the user does not specify this range and instead allows the router to compute the range for each TCP session based on the client-server negotiation.

Two counters are configured for the TCP sequence checks:

• Out-to-In packets counter: This counter keeps a count of the packets whose sequence numbers did not match the expected range. But yet these packets are translated and forwarded because TCP sequence check has not been configured.

• Dropped packets counter: This counter keeps a count of the packets that were dropped because of the TCP sequence check.

The counters are displayed by using the show cgn nat44 counters command.

Address and Port-Dependent Filtering

Currently, CGN on VSM implements the following by default:

• Endpoint-Independent Mapping: This mapping process reuses the port mapping for subsequent packets that are sent from the same internal IP address and port to any external IP address and port.

• Endpoint-Independent Filtering: This filtering process filters out only packets that are not destined to the internal address and port regardless of the external IP address and port source.

In such a configuration, by knowing the translated IP address and the port of a private host, any malicious host in a public network can initiate packet floods to that private host. In order to prevent such attacks, the address and port-dependent filtering feature has to be enabled by using the filter-policy command. The user can disable the filtering based on port by using the ignore-port keyword with this command.

Two counters are configured for the address and port-dependent filtering:

• Total number of sessions created due to Out2In packets: This counter keeps a count of the sessions that were created by the packets coming from outside.

• Number of Out2In drops due to end point filtering: This counter keeps a count of the packets that were dropped because of the endpoint filtering.

The counters are displayed by using the show cgn nat44 counters command.

Configuring NAT44 on VSM

Perform these tasks to configure NAT44 on VSM.

• Configuring a NAT44 Instance

• Configuring the Application Service Virtual Interface

• Configuring the Policy Functions

• Configuring One-to-One Mapping for NAT44 over VSM

Configuring a NAT44 Instance

Perform this task to configure a NAT44 instance.


OL-30392-01


SUMMARY STEPS

1. configure

2. service cgn nat44 instance-name

3. service-location preferred-active node-id


5. endorcommit

DETAILED STEPS


Step 1 configure



Step 2 service cgn nat44 instance-name


Configures the instance named cgn1 for the CGv6 NAT44 application and enters CGv6 configuration mode.

Step 3 service-location preferred-active node-id Configures the active locations for the CGv6 application.

Note: preferred-standby option is supported in Cisco

IOS XR Release 4.3.0 onwards for redundancy.


OL-30392-01



The following section lists guidelines for selecting serviceapp interfaces for NAT44. Here <n> is an odd integer.

• Pair ServiceApp<n> with ServiceApp<n+1>. This is to ensure that the ServiceApp pairs works with a maximum throughput. For example, ServiceApp1 with ServiceApp2 or ServiceApp3 with ServiceApp4.

• Pair ServiceApp<n> with ServiceApp<n+5> or ServiceApp<n+9>. However, maintaining a track of these associations can be error prone. For example, ServiceApp1 with ServiceApp6, ServiceApp1 with ServiceApp10, ServiceApp3 with ServiceApp8, or ServiceApp3 with ServiceApp12. Hence it is not recommended.

• Pair ServiceApp<n> with ServiceApp<n+4>. For example, ServiceApp1 with ServiceApp5, or ServiceApp2 with ServiceApp6. Although such ServiceApp pairs work, the aggregate throughput for Inside-to-Outside and Outside-to-Inside traffic for the ServiceApp pair is halved.

• Do not pair ServiceApp<n> with ServiceApp<n+1>. When used, Outside-to-Inside traffic is dropped because traffic flows in the wrong dispatcher and core.

One ServiceApp interface pair can be used as inside and the other as outside.





Step 5 endorcommit


or











OL-30392-01


SUMMARY STEPS

1. configure



4. service cgn instance-name service-type nat44

5. vrf vrf-name

6. endorcommit

DETAILED STEPS


Step 1 configure







Example:RP/0/RP0/CPU0:router(config-if)# ipv4 address1.1.1.1/30

Sets the primary IPv4 address for an interface.

Step 4 service cgn instance-name service-type nat44

Example:RP/0/RP0/CPU0:router(config-if)# service cgn cgn1 service-type nat44



OL-30392-01


Configuring an Inside and Outside Address Pool Map

Perform this task to configure an inside and outside address pool map with the following scenarios.

• The designated address pool is used for CNAT.

• One inside VRF is mapped to only one outside VRF or a default VRF.

• Max Outside public pool per VSM/CGv6 instance is 64 K or 65536 addresses. That is, if a /16 address pool is mapped, then we cannot map any other pool to that particular VSM.

• Multiple inside vrf cannot be mapped to same outside address pool.

• While Mapping Outside Pool Minimum value for prefix is 16 and maximum value is 27.

SUMMARY STEPS

1. configure




5. map [outside-vrf outside-vrf-name] address-pool address/prefix

Step 5 vrf vrf-name

Example:RP/0/RP0/CPU0:router(config-if)# vrf insidevrf1

Configures the VPN routing and forwarding (VRF) for the

Service Application interface

Step 6 endorcommit


or











OL-30392-01


6. endorcommit

DETAILED STEPS


Step 1 configure













OL-30392-01






• Configuring FTP ALG, page 4-21

• Configuring PPTP ALG, page 4-22



• Configuring the Refresh Direction for the Network Address Translation, page 4-27

• Configuring Static Port Forwarding for Port Numbers, page 4-28

• Configuring the Dynamic Port Ranges, page 4-30



Step 5 map [outside-vrf outside-vrf-name] address-pool address/prefix

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# map outside-vrf outside vrf1 address-pool 10.10.0.0/24

Configures an inside VRF to an outside VRF and address pool mapping. Sometimes, if 2 inside VRFs are mapped to a single outside VRF, then use the following:

map outside-vrf outside vrf1 outsideServiceApp ServiceApp206 address-pool 10.10.0.0/24

Step 6 endorcommit


or











OL-30392-01


SUMMARY STEPS

1. configure



4. portlimit value

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01







Perform this task to configure the timeout value for the ICMP type for the CGv6 instance.

SUMMARY STEPS

1. configure



4. protocol icmp

5. timeout seconds

6. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# portlimit 10

Limits the number of entries per address for each subscriber of the system

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure










Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol icmpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the ICMP protocol session. The example shows how to configure the ICMP protocol for the CGv6 instance named cgn1.


Example:RP/0/RP0/CPU0:router(config-cgn-proto)# timeout 908

Configures the timeout value as 908 for the ICMP session for the CGv6 instance named cgn1.

Step 6 endorcommit


or










OL-30392-01




SUMMARY STEPS

1. configure



4. protocol tcp


6. endorcommit

DETAILED STEPS


Step 1 configure









Step 4 protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the TCP protocol session. The example shows how to configure the TCP protocol for the CGv6 instance named cgn1.


OL-30392-01




SUMMARY STEPS

1. configure



4. protocol udp


6. endorcommit



Configures the timeout value as 90 for the TCP session. The example shows how to configure the initial session timeout.

Step 6 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure









Step 4 protocol udp

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol udpRP/0/RP0/CPU0:router(config-cgn-proto)#

Configures the UDP protocol sessions. The example shows how to configure the TCP protocol for the CGv6 instance named cgn1.


Example:RP/0/RP0/CPU0:router(config-cgn-proto)# session active timeout 90

Configures the timeout value as 90 for the UDP session. The example shows how to configure the active session timeout.

Step 6 endorcommit


or










OL-30392-01


Configuring FTP ALG

Perform this task to configure FTP as the ALG for the specified NAT44 instance.

SUMMARY STEPS

1. configure



4. alg activeFTP

5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01


Configuring PPTP ALG

Perform this task to configure PPTP as the ALG for the specified NAT44 instance.

SUMMARY STEPS

1. configure



4. alg pptpAlg

5. endorcommit

Step 4 alg activeFTP

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg activeFTP

Configures the FTP ALG on the NAT44 instance.

Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Perform this task to configure RTSP as the ALG for the specified NAT44 instance. RTSP packets are usually destined to port 554. But this is not always true because RTSP port value can be configured.


Step 1 configure









Step 4 alg pptpAlg

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg pptpAlg

Configures PPTP as the ALG for the NAT44 instance.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure




5. endorcommit

DETAILED STEPS


Step 1 configure










OL-30392-01



Perform this task to configure the adjustment value for the maximum segment size (MSS) for the VRF. You can configure the TCP MSS adjustment value on each VRF.

SUMMARY STEPS

1. configure




5. protocol tcp

6. mss size

7. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# alg rtsp server-port 5000

Configures the rtsp ALG on the NAT44 instance for server port 5000. The range is from 1 to 65535. The default port is 554.


Step 5 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure












Step 5 protocol tcp




OL-30392-01


Configuring the Refresh Direction for the Network Address Translation

Perform this task to configure the NAT mapping refresh direction as outbound for TCP and UDP traffic.

SUMMARY STEPS

1. configure



4. refresh-direction Outbound

5. endorcommit

Step 6 mss size

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-afi-proto)# mss 1100

Configures the adjustment MSS value as 1100 for the inside VRF.

Step 7 endorcommit

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# end

or

RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# commit










OL-30392-01


DETAILED STEPS

Configuring Static Port Forwarding for Port Numbers

Perform this task to configure static port forwarding for reserved or nonreserved port numbers.


Step 1 configure









Step 4 refresh-direction Outbound

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcpRP/0/RP0/CPU0:router(config-cgn-proto)#refresh-direction Outbound

Configures the NAT mapping refresh direction as outbound for the CGv6 instance named cgn1.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure




5. protocol tcp

6. static-forward inside


8. endorcommit

DETAILED STEPS


Step 1 configure












Step 5 protocol tcp




OL-30392-01


Configuring the Dynamic Port Ranges

Perform this task to configure dynamic port ranges for TCP, UDP, and ICMP ports. The default value range of 0 to 1023 is preserved and not used for dynamic translations. Therefore, if the value of dynamic port range start is not configured explicitly, the dynamic port range value starts at 1024.

SUMMARY STEPS

1. configure



4. dynamic port range start value

5. endorcommit

Step 6 static-forward inside

Example:RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# static-forward insideRP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)#

Configures the CGv6 static port forwarding entries on reserved or nonreserved ports and enters CGv6 inside static port inside configuration mode.


Example:RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# address 1.2.3.4 port 90

Configures the CGv6 static port forwarding entries for the inside VRF.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS

Configuring One-to-One Mapping for NAT44 over VSM

Perform this task to configure one-to-one mapping for private addresses in NAT44 over VSM.


Step 1 configure









Step 4 dynamic port range start value

Example:RP/0/RP0/CPU0:router(config-cgn-nat44)# dynamic port range start 1024

Configures the value of dynamic port range start for a CGv6 NAT 44 instance. The value can range from 1 to 65535.

Step 5 endorcommit


or










OL-30392-01


SUMMARY STEPS

1. configure




5. map ip one-to-one

6. endorcommit

DETAILED STEPS


Step 1 configure













OL-30392-01


Configuring TCP Sequence Check

Perform the following steps for checking the sequence numbers of the packets in a TCP session:

SUMMARY STEPS

1. configure




5. firewall protocol tcp

6. sequence-check

7. endorcommit

Step 5 map ip one-to-one

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# map ip one-to-one

Configures one-to-one mapping for a CGv6 NAT44 instance.

Step 6 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure






Step 3 service-type nat44 instance-name






Step 5 firewall protocol tcp

Example:RP/0/RP0/CPU0:router(config-cgn-invrf)# firewall protocol tcp

Enters the firewall mode and the protocol tcp submode.


OL-30392-01


Configuring Address and Port-Dependent Filtering

Perform the following steps to configure address and port-dependent filtering in a NAT44 configuration.

SUMMARY STEPS

1. configure




5. filter-policy ignore-port

6. endorcommit

Step 6 sequence-check

RP/0/RP0/CPU0:router(config-cgn-invrf)# firewall protocol tcp

Enables checking of the sequence numbers. The optional diff-window keyword allows user to configure a value equal to the difference between the expected and received sequence numbers. The range for this value is 0 to 1,073,725,440.

Step 7 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure






Step 3 service-type nat44 instance-name







OL-30392-01


Configuring External Logging for the NAT Table Entries

Perform the following to configure external logging for NAT table entries.

Netflow Logging

Perform the following tasks to configure Netflow Logging for NAT table entries.





Step 5 filter-policy ignore-port

Example:To enable address and port-dependent filtering:

RP/0/RP0/CPU0:router(config-cgn-invrf)#filter-policy

To enable address and port-dependent filtering when the port is not checked:

RP/0/RP0/CPU0:router(config-cgn-invrf)#filter-policy ignore-port

Enables the address and port-dependent filtering. The optional ignore-port keyword is used to disable the port-dependent filtering.

Step 6 endorcommit


or











OL-30392-01



Perform this task to configure the server address and port to log network address translation (NAT) table entries for Netflow logging.

SUMMARY STEPS

1. configure





6. server


8. endorcommit

DETAILED STEPS


Step 1 configure













OL-30392-01



Perform this task to configure the path maximum transmission unit (MTU) for the netflowv9-based external-logging facility for the inside VRF.

SUMMARY STEPS

1. configure





Step 6 server






Step 8 endorcommit


or











OL-30392-01





6. server

7. path-mtu value

8. endorcommit

DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01



Perform this task to configure the refresh rate at which the Netflow-v9 logging templates are refreshed or resent to the Netflow-v9 logging server.

SUMMARY STEPS

1. configure





6. server


8. endorcommit




Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server


Configures the logging server information for the IPv4 address and port for the server that is used for the netflow-v9 based external-logging facility and enters CGv6 inside VRF address family external logging server configuration mode.


OL-30392-01



Perform this task to configure the frequency in minutes at which the Netflow-V9 logging templates are to be sent to the Netflow-v9 logging server.

SUMMARY STEPS

1. configure





6. server

7. timeout value

8. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# refresh-rate 50

Configures the refresh rate value of 50 to log Netflow-based external logging information for an inside VRF.

Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01


Syslog Logging

Perform the following tasks to configure Syslog Logging for NAT table entries.





Perform this task to configure the server address and port to log NAT table entries for Syslog logging.

SUMMARY STEPS

1. configure





6. server



Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# timeout 50

Configures the timeout value of 50 for Netflow logging of NAT table entries for an inside VRF.

Step 8 endorcommit


or











OL-30392-01


8. endorcommit

DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01




SUMMARY STEPS

1. configure





6. server

7. host-name name

8. endorcommit




Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01



Perform this task to configure the path maximum transmission unit (MTU) for the syslog-based external-logging facility for the inside VRF.

SUMMARY STEPS

1. configure





6. server

7. path-mtu value

8. endorcommit


Example:RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# host-name host1


Step 8 endorcommit


or











OL-30392-01


DETAILED STEPS


Step 1 configure















Step 6 server




OL-30392-01

Chapter 4 Carrier Grade IPv6 over Virtualized Services Module (VSM)Configuration Examples for Implementing CGv6

Configuration Examples for Implementing CGv6This section provides the following configuration examples for CGv6:

• Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example

• NAT44 Configuration: Example

Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example

This example shows how to configure a different inside VRF map to a different outside VRF and different outside address pools:

service cgn cgn1inside-vrf insidevrf1map outside-vrf outsidevrf1 address-pool 100.1.1.0/24!!inside-vrf insidevrf2map outside-vrf outsidevrf2 address-pool 100.1.2.0/24!service-location preferred-active 0/2/cpu0!




Step 8 endorcommit


or











OL-30392-01


interface ServiceApp 1vrf insidevrf1ipv4 address 210.1.1.1 255.255.255.0service cgn cgn1!router staticvrf insidevrf10.0.0.0/0 serviceapp 1!!interface ServiceApp 2vrf outsidevrf1ipv4 address 211.1.1.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf outsidevrf1100.1.1.0/24 serviceapp 2!!interface ServiceApp 3vrf insidevrf2 ipv4 address 1.1.1.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf insidevrf20.0.0.0/0 serviceapp 3!!interface ServiceApp 4vrf outsidevrf2ipv4 address 2.2.2.1 255.255.255.0service cgn cgn1service-type nat44 nat1!router staticvrf outsidevrf2100.1.2.0/24 serviceapp 4

NAT44 Configuration: Example

This example shows a NAT44 sample configuration:

interface Loopback40 description IPv4 Host for NAT44 ipv4 address 40.22.22.22 255.255.0.0!interface Loopback41 description IPv4 Host for NAT44 ipv4 address 41.22.22.22 255.255.0.0!interface GigabitEthernet0/3/0/0.1 description Connected to P2_ASR9000-8 GE 0/6/5/0.1 ipv4 address 10.222.5.22 255.255.255.0 dot1q vlan 1!router static address-family ipv4 unicast


OL-30392-01


180.1.0.0/16 10.222.5.2 181.1.0.0/16 10.222.5.2!!

Hardware Configuration for VSM

!vrf InsideCustomer1 address-family ipv4 unicast !!vrf OutsideCustomer1 address-family ipv4 unicast !!hw-module service cgn location 0/3/CPU0!!interface GigabitEthernet0/6/5/0.1 vrf InsideCustomer1 ipv4 address 10.222.5.2 255.255.255.0 dot1q vlan 1!interface GigabitEthernet0/6/5/1.1 vrf OutsideCustomer1 ipv4 address 10.12.13.2 255.255.255.0 dot1q vlan 1!interface ServiceApp1 vrf InsideCustomer1 ipv4 address 1.1.1.1 255.255.255.252 service cgn cgn1 service-type nat44!interface ServiceApp2 vrf OutsideCustomer1 ipv4 address 2.1.1.1 255.255.255.252 service cgn cgn1 service-type nat44!interface ServiceInfra1 ipv4 address 75.75.75.75 255.255.255.0 service-location 0/3/CPU0! ! router static !vrf InsideCustomer1 address-family ipv4 unicast 0.0.0.0/0 ServiceApp1 40.22.0.0/16 10.222.5.22 41.22.0.0/16 10.222.5.22 181.1.0.0/16 vrf OutsideCustomer1 GigabitEthernet0/6/5/1.1 10.12.13.1 ! ! vrf OutsideCustomer1 address-family ipv4 unicast 40.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22 41.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22 100.0.0.0/24 ServiceApp2 180.1.0.0/16 10.12.13.1 181.1.0.0/16 10.12.13.1 ! !


OL-30392-01


!

VSM Configuration

service cgn cgn1 service-location preferred-active 0/3/CPU0 service-type nat44 nat44 portlimit 200 alg ActiveFTP inside-vrf InsideCustomer1 map outside-vrf OutsideCustomer1 address-pool 100.0.0.0/24 protocol tcp static-forward inside address 41.22.22.22 port 80 ! ! protocol icmp static-forward inside address 41.22.22.22 port 80 ! ! external-logging netflow version 9 server address 172.29.52.68 port 2055 refresh-rate 600 timeout 100 ! ! ! !!IPv4: 180.1.1.1/16!interface Loopback180 description IPv4 Host for NAT44 ipv4 address 180.1.1.1 255.255.0.0!interface Loopback181 description IPv4 Host for NAT44 ipv4 address 181.1.1.1 255.255.0.0!interface GigabitEthernet0/6/5/1.1 ipv4 address 10.12.13.1 255.255.255.0 dot1q vlan 1! router static address-family ipv4 unicast 40.22.0.0/16 10.12.13.2 41.22.0.0/16 10.12.13.2 100.0.0.0/24 10.12.13.2 !!

Configuring TCP Sequence-Check: Example

configureservice cgn cgn1service-type nat44 nat1inside-vrf vrf1firewall protocol tcpsequence-check


OL-30392-01


Configuring Address and Port-Dependent Filtering: Example

configureservice cgn cgn1service-type nat44 nat1inside-vrf vrf1filter-policy ignore-port

Bulk Port Allocation and Syslog Configuration: Example

service cgn cgn2service-type nat44 natAinside-vrf broadbandmap address-pool 100.1.2.0/24external-logging syslog

serveraddress 20.1.1.2 port 514!!

bulk-port-alloc size 64!!


OL-30392-01



OL-30392-01


OL-30392-01

C H A P T E R 5
External Logging
Many a times, the service providers are asked to identify subscribers based on data such as public source IP address, port, Layer 4 protocol, and time of usage. In the deployments involving NAPT or NAT, such identification is possible only if NAT entries are preserved. Only by searching and parsing these NAT entries, it is possible to identify the subscriber (private IP address) based on the parameters such as post NAT Source IP Address (public IP address), post NAT source port, protocol and the time of usage.

To make the identification process possible, the external logging is required. The translation information has to be exported to external collectors. The CGv6 applications export translation information in either Netflow or Syslog formats.

This chapter provides format details for these logs such as messages, message types and other important information. The chapter aslo describes few configuration options that affect these logs.

Bulk Port AllocationThe creation and deletion of NAT translations lead to creation of logs. If logs of all such translations are stored, then a huge volume of data is created. This data is stored on a NetFlow or a Syslog collector. To reduce the volume of this data, a block of ports is allocated. If bulk port allocation is enabled, as soon as a subscriber creates the first session, a number of contiguous external ports are allocated. To indicate this allocation, a bulk allocation message is created in the log.

Note The bulk allocation message is created only during the first session. Rest of the sessions use one of the allocated ports. Hence no logs are created for them.

A bulk delete message is created in the log when the subscriber deletes all the sessions that are using the allocated ports.

Another pool of ports is allocated only if the number of simultaneous sessions is more than N where N is the size of the bulkk allocation. The size of the pool can be configured from the CLI.

Restrictions for Bulk Port Allocation

The restrictions for bulk port allocation are as follows:

• The value for the size of bulk allocation can be 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096. For optimum results, it is recommended that you set this size to half of the port limit.


Chapter 5 External LoggingSession logging

• If the size of bulk allocation is changed, then all the current dynamic translations will be deleted. Hence it is advisable to change the bulk port allocation size (only if necessary) during a maintenance window.

• The port numbers below the value of dynamic-port-range start value (which is 1024 by default), are not allocated in bulk.

• The algorithm that is used to allocate a public address to a user remains the same.

• When bulk allocation is enabled, session logging is not available.

• When bulk allocation is enabled, the translation record will not contain information about L4 protocol.

• Bulk port allocation features is not supported in NAT64 stateful application. Bulk port allocation is supported in NAT44 and DS Lite applications

Session loggingIn general, NAT translation entries contain information about private source IP, port and translated public IP and port. However, there could be cases when the destination IP address and port may also be needed. In such cases, session logging has to be enabled so that Netflow or Syslog translation records include these values as well.

Note • Session logging cannot be enabled if bulk port allocation is enabled and vice-versa.

• Session logging can increase the volume of translation log data significantly. Hence it is advised to turn on session logging only if it is needed.

SyslogDS Lite and NAT44 features support Syslog as an alternative to Netflow. Syslog uses ASCII format, which can be read by users. However, the log data volume is higher in Syslog than Netflow.

Restrictions for Syslog

The restrictions for syslog are as follows:

• Syslog is supported over UDP only.

• Syslog is supported in ASCII format only.

• You cannot log onto multiple collectors or relay agents.

• All the messages comply to RFC 5425 except for the timestamp format. Timestamp is represented in a simpler way as explained later in this section.

• Syslog shall be supported for DS-Lite and NAT444 as of now. Support for NAT64 is not yet available.


OL-30392-01

Chapter 5 External LoggingSyslog

Syslog Message Format

In general, the syslog message is made up of header, structured data, and msg fields. However, in the CGv6 applications, the structured data is not used.

Header

The header fields shall be as per the RFC 5424. Fields shall be separated by ' ' (white space) as per the RFC.

The header consists of the following fields:

Field Description

Priority • The priority value represents both the facility and severity.

• Ensure that the severity code is set to Informational for all the messages at value 6.

Version • This field denotes the version of the specification of the syslog protocol.

• In CGv6 application, the version value is set to 1.

Timestamp • This field is needed to trace the time of port usage.

• The format is <year> <mon> <day> <hh:mm:ss>.

• Ensure that the syslog collector converts the time to local time whenever needed.

Note: The timestamp is always reported in GMT/UTC irrespective of the time zone configured on the device.

Hostname • This field is used to identify the device that sent the syslog message. In the deployment, if there are more than one router having an ISM/VSM/CGSE/CGSE+, and/or if there are multiple instances of CGv6 applications running on different ISM/VSM/CGSE/CGSE+ slots and/or if there are multiple NAT/DS Lite instances configured, this field can be used to identify the specific Instance of NAT/DS Lite which is sending the log messages.

• While configuring the syslog server, ensure that the host name does not exceed 31 characters.

• The default value for the host name is '-'.


OL-30392-01


Structured Data

It is not used.

MSG

This field consists of the information about the NAT44 or DS Lite events. In a single UDP packet, there could be one or more MSG fields each enclosed in [] brackets. The MSG field has many sub fields as it has a common structure across different records (for both NAT44 and DS Lite). Note, that, depending on the event, some of the fields may not be applicable. For example, fields such as 'Original Source IPv6' address are not applicable for all NAT44 events. In such cases, the inapplicable fields will be replaced by '-'.

The syntax of the MSG part is as follows:

[EventName <L4> <Original Source IP> <Inside VRF Name> <Original Source IPv6> < Translated Source IP> <Original Port> <Translated First Source Port> <Translated Last Source Port> <Destination IP> <Destination Port>]

The descriptions of the fields in this format are as follows:

App name and PROC ID These fields are not included. In ASCII format, '-' is included for these fields.

MSG ID • This field identifies the type of the syslog message.

• In the ASCII format, the values for NAT44 and DS Lite messages are NAT44 and DS LITE respectively.

Field Description


OL-30392-01


Field Description

EventName The CGv6 applications choose any of the values for EventName from the following based on the event:

• UserbasedA: User-based port assignment

Note UserbasedA is used only when bulk port allocation is configured

• SessionbasedA: Session-based port assignment

Note SessionBasedA is chosen when neither the bulk port allocation nor the session logging are enabled.

• SessionbasedAD: Session-based port assignment with destination information

Note: SessionbasedAD is used only if session logging is enabled. Also, session-logging and bulk port allocation are mutually exclusive.

• UserbasedW: User-based port withdrawal

• SessionbasedW: Session-based port withdrawal

• SessionbasedWD: Session-based port withdrawal with destination information

• Portblockrunout: Ports exhausted

L4 Specifies the identifier for the transport layer protocol. The values for L4 could be as follows:

• 1 for ICMP

• 6 for TCP

• 17 for UDP

• 47 for GRE

Original Source IP Specifies the private IPv4 address.

Inside VRF Name The Inside VRF is the realm in which the private IP addresses are unique. The private IP addresses can overlap across two different Inside VRFs. Hence VRF name is included along with private source IP address to uniquely identify the subscriber.


OL-30392-01


Let us look at an example for NAT444 user-based UDP port translation mapping:

[UserbasedA - 10.0.0.1 Broadband - 100.1.1.1 - 2048 3071 - -]

The description for this example is as follows:

Note The number of MSG fields in an UDP packet are determined by the following factors:

• The space available in the UDP packet depends on MTU.

• The translation events pertaining to MSG records in a given packet must have happened within a second (starting from the time at which the first event of that packet happened).

Original Source IPv6 Specifies the IPv6 source address of the tunnel in case of DS Lite.

Translated Source IP Specifies the public IPv4 address post translation

Original Port Specifies the source port number before translation. This is not applicable for the UserbasedA and UserbasedW events.

Translated First Source Port Specifies the first source port after translation.

Translated Last Source Port Specifies the last source port after translation. This is applicable only for the UserbasedA and UserbasedW events.

Destination IP Specifies the destination IP recorded in the syslogs for the SessionbasedAD and SessionbasedWD events.

Destination Port Specifies the destination port recorded in the syslogs for the SessionbasedAD and SessionbasedWD events.

Field Description

Value Description

UserbasedA Event Name

10.0.0.1 Original Source IP

Broadband Inside VRF name

100.1.1.1 Translated Source IP

2048 Translated First Source Port

3071 Translated Last Source Port

Note: Both First and Last source ports are inclusive.


OL-30392-01

Chapter 5 External LoggingNetflow v9 Support

Netflow v9 SupportThe NAT64 stateful, NAT44, and DS Lite features support Netflow for logging of the translation records.. The Netflow uses binary format and hence requires software to parse and present the translation records. However, for the same reason, Netflow requires lesser space than Syslog to preserve the logs

Considerations

The considerations for NetFlow are as follows:

• NetFlow V9 is supported over UDP.

• You cannot log onto multiple collectors or relay agents.

• All the messages comply to RFC 3954.

NetFlow Record Format

As NetFlow V9 is based on templates, the record format contains a packet header and templates or data records based on templates.

Header

All the fields of the header follow the format prescribed in RFC 3954. The source ID field is composed of the IPv4 address of ServiceInfra interface (of the card) and specific CPU-core that is generating the record. The collector device can use the combination of the Source IP address of the UDP packet plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

Templates

The templates are defined and used for logging various NAT64 stateful, NAT44 and DS Lite events as follows. The templates may change in future software releases. Hence it is advised that the Netflow collector software is designed to understand the templates as distributed by the router and accordingly parse the records.

Options Templates

The translation entries consist of VRF IDs. The VRF IDs are numbers identifying a VRF configured on the router. For the users looking at the translation records, these numbers are difficult to comprehend. To simplify this process, the CGv6 applications send the options templates along with the data templates.

Options template is a special type of data record that indicates the format of option data related to the process of NetFlow. The options data consist of the mapping between VRF Ids and VRF names. By parsing and using this data, the NetFlow collectors can modify the translation entries by adding VRF names instead of VRF IDs.

The value for the Template ID of options template is 1 where as the value of the Template ID for data template is 0. For more information on Options template, see RFC3954.


OL-30392-01


Events

The events and the corresponding template details are described in the following table:

EventTemplate ID


Destination/Session Logging Field Name

IANA IPFIX ID

Size in bytes Description

Nat444 translation create event

256 Disabled Disabled ingressVRFID

234 4 ID of the Ingress VRF

egressVRFID

235 4 ID of the Egress VRF

sourceIPv4Address (pre-NAT)

8 4 Original Source IPv4 address

postNATSourceIPv4 Address

225 4 Post NAT (outside) source IPV4 address

sourceTransportPort (pre NAT)

7 2 Original source port

postNAPTSourceTransportPort

227 2 Post NAT (translated) source port

protocolIdentifier

4 1 L4 protocol identifier


OL-30392-01


Nat444 session create event - session based (with destination)

271 Disabled Enabled ingressVRFID


egressVRFID


sourceIPv4Address

8 4 Original source IPV4 address

postNATSourceIPv4Address


sourceTransportPort

7 2 Original Source Port



destinationIPv4Address

12 4 Destination IP address

destinationTransportPort

11 2 Destination port

protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


Nat444 translation create event - user based

265 Enabled Disabled ingressVRFID


egressVRFID


sourceIPv4Address




postNATPortBlockStart

361 2 Start of Post NAT (translated) source port block.

postNATPortBlockEnd

362 2 End of Post NAT source port block

Nat444 translation delete event

257 Disabled ingressVRFID


sourceIPv4Address


sourceTransportPort


protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


Nat444 session delete event - session based (with destination)



sourceIPv4Address








protocolIdentifier


Nat444 translation delete event - user based



sourceIPv4Address



361 2 Start of Post NAT (translated) source port block. Note this is not defined by IANA yet.

EventTemplate ID



IANA IPFIX ID



OL-30392-01


DS-Lite translation create event



egressVRFID


Pre NAT Source IPv4 Address

8 4 Original source IPV4 address. This field is valid only when session-logging is enabled. Else, it will be reported as 0

Pre NAT Source IPv6 Address

27 16 IPv6 address of the B4 element (Tunnel source)



sourceTransportPort




EventTemplate ID



IANA IPFIX ID



OL-30392-01


DS-Lite session create event - session based (with destination)



egressVRFID


sourceIPv4Address


sourceIPv6Address




sourceTransportPort








protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


DS-Lite translation create event - user based

269 Enabled Disabled ingressVRFID


egressVRFID


sourceIPv4Address

8 4 Original source IPV4 address. This field is valid only when session-logging is enabled. Else, it will be reported as 0

sourceIPv6Address





361 2 Start of Post NAT (translated) source port block

postNATPortBlockEnd

362 2 End of Post NAT source port block

EventTemplate ID



IANA IPFIX ID



OL-30392-01


DS-Lite translation delete event



sourceIPv4Address

Original source IPV4 address

sourceIPv6Address

IPv6 address of the B4 element (Tunnel source)

sourceTransportPort

Original source port

protocolIdentifier

L4 protocol identifier

DS-Lite session delete event - session based (with destination)

ingressVRFID


sourceIPv4Address


sourceIPv6Address


sourceTransportPort


protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


DS-Lite translation delete event - user based


234 4 ingressVRFID

sourceIPv4Address


sourceIPv6Address



361 2 Start of Post NAT (translated) source port block

NAT64 stateful translation create event

258 Disabled Disabled sourceIPv6Address

27 16 Source IPv6 address



sourceTransportPort




protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


NAT64 stateful session create event - session based (with destination)

260 Disabled Enabled sourceIPv6Address

27 16 Source IPv6 address (pre translation)




28 16 Destination IPv6 address (pre translation)

Post translation Destination IP address

226 4 Destination IPv4 address (post translation)

sourceTransportPort






protocolIdentifier


NAT64 translation delete event

259 Disabled Disabled sourceIPv6Address


sourceTransportPort


protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01

Chapter 5 External LoggingFrequently Asked Questions

Frequently Asked QuestionsThis section provides answers to the following frequently asked questions on external logging.

• Q.How to trace a subscriber by using the NAT logs?

• Q.The Netflow records provide VRF IDs for ingress and egress VRFs. How will I know the VRF names?

• Q.Does the time format in Syslog or Netflow account for Day light saving?

• Q.Since the Netflow and Syslog use UDP, how can we know if a packet containing translation record was lost?

• Q.What is the use of session-logging?

• Q.How does the bulk port allocation reduce data volume of translation logs?

• Q.What else can be done to reduce log data volume?

Q. How to trace a subscriber by using the NAT logs?

A. In order to trace a subscriber, you should know the public source IP address (post NAT source address), post NAT source port, protocol, and the time of usage. With these parameters, the steps to trace a subscriber are as follows:

a. Search for the create event that has the matching public IP address, post NAT Source IP address (postNATSourceIPv4Address) and protocol, egress VRF ID/Name and the time of the usage. Ensure that the time of the create-event is the same or earlier than the time of usage reported. You may not find the protocol entry or the exact post NAT source port in the logs if bulk

NAT64 stateful session delete event - session based (with destination)

261 Disabled Enabled sourceIPv6Address



28 16 Destination IPv6 address (pre translation)

sourceTransportPort




protocolIdentifier


EventTemplate ID



IANA IPFIX ID



OL-30392-01


allocation is enabled. In such cases, find the create-event whose Post NAT Port Block Start and Post NAT Port Block End values include the post NAT source port. The Pre NAT source IP address along with the corresponding ingress VRF ID/Name will identify the subscriber.

b. The corresponding delete record may be found optionally to confirm that the subscriber was using the specified public IP and port during the time of the reported usage.

Q. The Netflow records provide VRF IDs for ingress and egress VRFs. How will I know the VRF names?

A. The following are the two ways to find the VRF name from the VRF ID.

a. Use the command show rsi vrf-id <vrf-id> on the Router console to find VRF-ID to VRF-NAME associations.

b. The CGv6 applications periodically send out option templates containing the VRF-ID to VRF-NAME mapping. The Netflow collector software presents the information with VRF-Names rather than VRF IDs.

Q. Does the time format in Syslog or Netflow account for Day light saving?

A. The Syslog and Netflow formats report time corresponding to GMT/UTC. The Netflow header contains the time in seconds that elapsed since EPOCH whereas the Syslog header contains time in human readable formats. In both cases, the day light saving is not accounted. The Netflow/Syslog collectors have to make that adjustments if needed.

Q. Since the Netflow and Syslog use UDP, how can we know if a packet containing translation record was lost?

A. The Netflow header contains a field called Sequence Number. This number is indicates the count of the packet coming from each Source ID. The Netflow collector traces the Seqence Number pertaining to each unique Source ID. The sequence numbers should be increased by one for each packet sent out by the Source. If the collector ever receives two successive packets with the same Source ID, but with a Sequence number difference of more than 1, it indicate a packet loss.

However, currently, no such mechanism exists for Syslog.

Q. What is the use of session-logging?

A. Session logging includes destination IP and port number as well. Though this information is not directly useful in tracing the subscriber, in some cases, this information may be useful or may be mandated by the legal authorities. There are cases where, legal authorities may not have the post NAT source 'port', however may know the destination IP address (and optionally destination port, such as IP address and port of an e-mail server). In the absence of post NAT source port information, a list of subscribers who used the specified public IP during that time may have to be pruned further based on the destination IP and port information.

Q. How does the bulk port allocation reduce data volume of translation logs?

A. With bulk port allocation, subscribers are allocated a range of contiguous ports on a public IP. Quite often, a subscriber will need more ports than just one. Especially AJAX based web pages and other web applications simultaneously open several ports. In such cases, pre-allocated ports are used and only one log entry is made that specifies the range of ports allocated to the user. Hence, bulk port allocation significantly reduces log data volume and hence the demand on storage space needed for the translation logs.

Q. What else can be done to reduce log data volume?


OL-30392-01


A. Predefined NAT is an option that can be used to eliminate the logging altogether. The Predefined NAT translates private IP address to public IP address and a certain port range by using an algorithm. Hence there is no need to keep track of NAT entries.


OL-30392-01


OL-30392-01

I N D E X

C

CGv6 Overview 2-2

D

Double NAT 444 2-5

E

External Logging 3-19

I

ICMP Query Session Timeout 2-4

Inside and Outside Address Pool Map 3-32, 4-10

IPv4 Address Completion 2-3

N

NAT 3-5

NAT and NAPT

Overview 3-11

NATwith

ICMP 2-3

P

Policy Functions

Application Gateway 3-17

configuring 3-34, 4-12

overview 3-17

prerequisites 2-3

T

Translation Filtering 3-12

IN-11arrier Grade IPv6 (CGv6) Configuration Guide

Index

IN-12Cisco ASR 9000 Series Aggregation Services Router Carrier G
rade IPv6 (CGv6) Configuration Guide
OL-30392-01

Cisco ASR 9000 Series Aggregation Services Router CGv6 ... · 11 Cisco ASR 9000 Series Aggregation...

Documents

Transcript of Cisco ASR 9000 Series Aggregation Services Router CGv6 ... · 11 Cisco ASR 9000 Series Aggregation...