Shmcfarl slb66-slb64-nat64-proxy

Published in: Technology

  1. Cisco Solutions for Content Access in the DC/Internet Edge
     © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

  2. Dual Stack the DC and Internet Edge
     • Dual stack the same network you have
     • If not, do just enough IPv6-only to get you going
     • Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
     • You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
     Diagram: Internet (ISP 1, ISP 2) -> Edge Router -> Outer Switch -> Security Services -> Enterprise Core -> Inner switching / DMZ / Server Farm (SLB / Proxy / Compute: Web, Email, Other) -> Internal Enterprise

  3. What if I Can't Dual Stack My Edge?
     Three options, each accepting IPv6 from the Internet and handing IPv4 to an IPv4-only host:
     • Server Load Balancer: IPv6 Internet -> IPv6 -> SLB -> IPv4 -> IPv4-only host
     • Stateful NAT64: IPv6 Internet -> IPv6 -> NAT64 -> IPv4 -> IPv4-only host
     • Proxy (Apache, MSFT PortProxy): IPv6 Internet -> IPv6 -> proxy -> IPv4 -> IPv4-only host

  4. ACE + IPv6 / ASR + NAT64
     • ACE SLB66: v6 client -> v6 VIP -> v6 server; A5(1.0) (ACE30, ACE4710)
     • ACE SLB64: v6 client -> v6 VIP -> v4 server; A5(1.0) (ACE30, ACE4710)
     • Stateful NAT64 + SLB44: v6 client -> NAT64 -> v4 VIP -> v4 server

  5. ACE SLB66 – One Arm Mode
     Client (v6): 2001:db8:cafe:10::17
     VIP:         2001:db8:cafe:12::ace3
     SNAT:        2001:db8:cafe:12::beef
     Servers (v6): 2001:db8:cafe:12::15, 2001:db8:cafe:12::25

  6. Cisco ACE – Context Definition
     Interface Configuration (Admin Context):

       interface gigabitEthernet 1/1
         channel-group 1
         no shutdown
       interface gigabitEthernet 1/2
         channel-group 1
         no shutdown
       interface port-channel 1
         switchport trunk allowed vlan 11-13
         port-channel load-balance dst-ip
         no shutdown

     Define WEB-V6 Context:

       context WEB-V6
         allocate-interface vlan 12
       interface vlan 13
         ipv6 enable
         ip address 2001:db8:cafe:13::ace1/64
         ip address 10.121.13.100 255.255.255.0
         no shutdown
       ip route 0.0.0.0 0.0.0.0 10.121.13.1
       ip route ::/0 vlan 13 fe80::5:73ff:fea0:2

  7. WEB_V6 Context - MGMT

       class-map type management match-any mgmt-cm
         2 match protocol xml-https any
         3 match protocol https any
         4 match protocol ssh any
         5 match protocol snmp any
         6 match protocol icmp any
         7 match protocol http any
         8 match protocol telnet any
       class-map type management match-any mgmt-cm-v6
         2 match protocol icmpv6 anyv6
       policy-map type management first-match MGMT
         class mgmt-cm
           permit
         class mgmt-cm-v6
           permit
       interface vlan 12
         service-policy input MGMT

     IP Access through the Cisco ACE:

       access-list EVERYONE line 10 extended permit icmp any any
       access-list EVERYONE line 20 extended permit ip any any
       access-list EVERYONE-v6 line 8 extended permit icmpv6 anyv6 anyv6
       access-list EVERYONE-v6 line 16 extended permit ip anyv6 anyv6
       interface vlan 12
         access-group input EVERYONE
         access-group input EVERYONE-v6

  8. WEB_V6 Context Specific Configurations

       probe icmp PING_V6_PROBE
         ip address 2001:db8:cafe:12::25
         interval 15
         passdetect interval 60
       !
       probe http WEB_V6_PROBE
         interval 15
         passdetect interval 5
         request method get url /welcome.png
         expect status 200 200
         open 1
       rserver host WEB_V6_1
         ip address 2001:db8:cafe:12::25
         inservice
       rserver host WEB_V6_2
         ip address 2001:db8:cafe:12::15
         inservice
       serverfarm host WEB_V6_SF
         predictor leastconns slowstart 300
         probe PING_V6_PROBE
         probe WEB_V6_PROBE
         rserver WEB_V6_1
           inservice
         rserver WEB_V6_2
           inservice

       class-map match-all WEB_V6_VIP
         2 match virtual-address 2001:db8:cafe:12::ace3 tcp eq www
       policy-map type loadbalance first-match WEB_V6_SLB
         class class-default
           serverfarm WEB_V6_SF
       policy-map multi-match WEB_V6_POL
         class WEB_V6_VIP
           loadbalance vip inservice
           loadbalance policy WEB_V6_SLB
           loadbalance vip icmp-reply active
           nat dynamic 1 vlan 12
       interface vlan 12
         ipv6 enable
         ip address 2001:db8:cafe:12::ace1/64
         access-group input EVERYONE
         access-group input EVERYONE-v6
         nat-pool 1 2001:db8:cafe:12::beef 2001:db8:cafe:12::beef/128 pat
         service-policy input MGMT
         service-policy input WEB_V6_POL
       ip route ::/0 vlan 12 fe80::5:73ff:fea0:2

  9. Health Monitoring (Probes) - ICMP

       ace-4710-1/WEB-V6# show probe
       probe       : PING_V6_PROBE
       type        : ICMP
       state       : ACTIVE
       ----------------------------------------------
          port      : 0       address     : 2001:DB8:CAFE:12::25   addr type  : TRANSPARENT
          interval  : 15      pass intvl  : 60                     pass count : 3
          fail count: 3       recv timeout: 10
          ------------------ probe results ------------------
          associations ip-address            port  porttype probes failed passed health
          ------------ ----------------------+----+--------+------+------+------+------
          serverfarm  : WEB_V6_SF
            real      : WEB_V6_1[0]
                        2001:DB8:CAFE:12::25  0     PROBE    6      0      6      SUCCESS

  10. Health Monitoring (Probes) - HTTP

       probe       : WEB_V6_PROBE
       type        : HTTP
       state       : ACTIVE
       ----------------------------------------------
          port      : 80      address     : 0.0.0.0                addr type  : -
          interval  : 15      pass intvl  : 5                      pass count : 3
          fail count: 3       recv timeout: 10
          ------------------ probe results ------------------
          associations ip-address            port  porttype probes failed passed health
          ------------ ----------------------+----+--------+------+------+------+------
                        2001:DB8:CAFE:12::25  80    VIP      26     0      26     SUCCESS
            real      : WEB_V6_2[0]
                        2001:DB8:CAFE:12::15  80    VIP      51     51     0      FAILED

     Packet capture of the HTTP probe:

       Source                  Destination             Protocol  Info
       2001:db8:cafe:12::ace1  2001:db8:cafe:12::25    HTTP      GET /welcome.png HTTP/1.1
       2001:db8:cafe:12::25    2001:db8:cafe:12::ace1  HTTP      HTTP/1.1 200 OK (PNG)

  11. Validation of Connection
     ACE connection table (first row is Client-2-VIP, second row is Svr-2-SNAT):

       conn-id    np dir proto source                 sport state vlan destination            dport
       ----------+--+---+-----+----------------------+-----+-----+----+----------------------+-----
       131884     1  in  TCP   2001:db8:cafe:10::17   59374 ESTAB 12   2001:db8:cafe:12::ace3 80
       129952     1  out TCP   2001:db8:cafe:12::25   80    ESTAB 12   2001:db8:cafe:12::beef 1027

     On the server:

       C:\>netstat
       Active Connections
         Proto  Local Address                Foreign Address                State
         TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:12::beef]:1027  ESTABLISHED

  12. ACE Show Output (1)

       ace-4710-1/WEB-V6# show serverfarm
        serverfarm           type      rservers predictor          current conns
        +--------------------+---------+--------+------------------+---------------
        WEB_V6_SF            HOST      2        LEASTCONNS         0

       ace-4710-1/WEB-V6# show rserver
        rserver              : WEB_V6_1, type: HOST
        state                : OPERATIONAL (verified by ND response)
        -------------------------------------------connections-----------
               real                   weight state        current    total
           ---+---------------------+------+------------+----------+--------------------
           serverfarm: WEB_V6_SF
               [2001:db8:cafe:12::25]:0  8      OPERATIONAL  0          3

        rserver              : WEB_V6_2, type: HOST
        state                : ND_FAILED
        -------------------------------------------connections-----------
               real                   weight state        current    total
           ---+---------------------+------+------------+----------+--------------------
           serverfarm: WEB_V6_SF
               [2001:db8:cafe:12::15]:0  8      ND_FAILED    0          0

  13. ACE Show Output (2)

       ace-4710-1/WEB-V6# show service-policy
       Policy-map : WEB_V6_POL
       Status     : ACTIVE
       -----------------------------------------
       Interface: vlan 12
         service-policy: WEB_V6_POL
           class: WEB_V6_VIP
             nat:
               nat dynamic 1 vlan 12
               curr conns       : 0         , hit count        : 2
               dropped conns    : 0
               client pkt count : 35        , client byte count: 4145
               server pkt count : 159       , server byte count: 197507
               conn-rate-limit      : 0     , drop-count : 0
               bandwidth-rate-limit : 0     , drop-count : 0
             loadbalance:
               L7 loadbalance policy: WEB_V6_SLB
               VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
               VIP State: INSERVICE
               VIP DCI state: VPC_DISABLED
               VIP DAD state: DAD_PASSED
               Persistence Rebalance: DISABLED
               curr conns       : 0         , hit count        : 23
               dropped conns    : 20
               client pkt count : 121       , client byte count: 10563
               server pkt count : 314       , server byte count: 392943
               conn-rate-limit      : 0     , drop-count : 0
               bandwidth-rate-limit : 0     , drop-count : 0

  14. ACE SLB64 – One Arm Mode
     Client (v6): 2001:db8:cafe:10::17
     VIP:         2001:db8:cafe:12::ace4
     SNAT (v4):   10.121.12.90
     Servers (v4): 10.121.12.25, 10.121.12.15

  15. SLB64 Context Specific Configurations

       probe http WEB_V4_PROBE
         interval 15
         passdetect interval 5
         request method get url /welcome.png
         expect status 200 200
         open 1
       rserver host WEB_V4_1
         ip address 10.121.12.25
         inservice
       rserver host WEB_V4_2
         ip address 10.121.12.15
         inservice
       serverfarm host WEB_V6_V4_SF
         predictor leastconns slowstart 300
         probe WEB_V4_PROBE
         rserver WEB_V4_1 80
           inservice
         rserver WEB_V4_2 80
           inservice

       class-map match-all WEB_V6_V4_VIP
         2 match virtual-address 2001:db8:cafe:12::ace4 tcp eq www
       policy-map type loadbalance first-match WEB_V6_V4_SLB
         class class-default
           serverfarm WEB_V6_V4_SF
           insert-http x-forward-for header-value "%is"
           nat dynamic 2 vlan 12 serverfarm primary
       policy-map multi-match WEB_V6_POL
         class WEB_V6_V4_VIP
           loadbalance vip inservice
           loadbalance policy WEB_V6_V4_SLB
           loadbalance vip icmp-reply active
       interface vlan 12
         ipv6 enable
         ip address 2001:db8:cafe:12::ace1/64
         ip address 10.121.12.45 255.255.255.0
         access-group input EVERYONE
         access-group input EVERYONE-v6
         nat-pool 2 10.121.12.90 10.121.12.90 netmask 255.255.255.0 pat
         service-policy input MGMT
         service-policy input WEB_V6_POL
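The following Python script is an added example and not part of the deck. It parses the two ACE `show conn` rows from slide 11 and the server's netstat line (both embedded below as constructed sample text copied from that slide) and correlates them. The point it makes is the one slides 11 and 15 imply: once the ACE source-NATs the server leg, the back-end server's connection table and logs only ever show the nat-pool address and an ephemeral port, so a server-side event can be mapped back to the real client only through the ACE connection table (or through the X-Forwarded-For header that the SLB64 policy on slide 15 inserts with `insert-http x-forward-for header-value "%is"`). The function names and the field order are this example's own assumptions, taken from the column headers shown on the slide.

```python
# Added example (not from the deck): correlate an ACE "show conn" client leg and
# server leg with the back-end server's netstat output to show what the server
# can and cannot see once the ACE source-NATs the connection.
import ipaddress
import re

# Constructed sample: the two rows from slide 11 with the slide's call-out
# labels ("Client-2-VIP", "Svr-2-SNAT") removed, plus the server's netstat line.
ACE_SHOW_CONN = """\
conn-id    np dir proto source                 sport state vlan destination            dport
----------+--+---+-----+----------------------+-----+-----+----+----------------------+-----
131884     1  in  TCP   2001:db8:cafe:10::17   59374 ESTAB 12   2001:db8:cafe:12::ace3 80
129952     1  out TCP   2001:db8:cafe:12::25   80    ESTAB 12   2001:db8:cafe:12::beef 1027
"""
SERVER_NETSTAT = "  TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:12::beef]:1027    ESTABLISHED"

VIP = "2001:db8:cafe:12::ace3"        # class-map WEB_V6_VIP on slide 8
NAT_POOL = "2001:db8:cafe:12::beef"   # nat-pool 1 on slide 8

# Column order taken from the show conn header on slide 11 (assumed fixed).
CONN_FIELDS = ("conn_id", "np", "dir", "proto", "source", "sport",
               "state", "vlan", "destination", "dport")

NETSTAT_RE = re.compile(
    r"\s*TCP\s+\[(?P<laddr>[^\]]+)\]:(?P<lport>\d+)\s+"
    r"\[(?P<faddr>[^\]]+)\]:(?P<fport>\d+)\s+(?P<state>\S+)")


def parse_show_conn(text):
    """Return one dict per data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(CONN_FIELDS) or not parts[0].isdigit():
            continue
        rows.append(dict(zip(CONN_FIELDS, parts)))
    return rows


def parse_netstat_v6(line):
    """Parse one Windows netstat row for an IPv6 TCP socket."""
    m = NETSTAT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised netstat line: {line!r}")
    return m.groupdict()


def correlate(conn_text, netstat_line, vip, nat_pool):
    """Pair the client->VIP leg with the server->SNAT leg and compare both with
    the server's own view. Returns a dict a forensics script can log or assert on."""
    rows = parse_show_conn(conn_text)
    vip6, pool6 = ipaddress.IPv6Address(vip), ipaddress.IPv6Address(nat_pool)
    client_legs = [r for r in rows if r["dir"] == "in"
                   and ipaddress.IPv6Address(r["destination"]) == vip6]
    server_legs = [r for r in rows if r["dir"] == "out"]
    if len(client_legs) != 1 or len(server_legs) != 1:
        raise ValueError("sample is expected to hold exactly one in and one out leg")
    c, s = client_legs[0], server_legs[0]
    ns = parse_netstat_v6(netstat_line)
    snat6 = ipaddress.IPv6Address(s["destination"])
    foreign6 = ipaddress.IPv6Address(ns["faddr"])
    return {
        "client": c["source"], "client_port": int(c["sport"]),
        "server": s["source"], "server_port": int(s["sport"]),
        "snat": s["destination"], "snat_port": int(s["dport"]),
        # the server-side source must come from the configured nat-pool
        "snat_from_pool": snat6 == pool6,
        # the server's netstat foreign address is the SNAT tuple, not the client
        "netstat_matches_snat": foreign6 == snat6 and int(ns["fport"]) == int(s["dport"]),
        "client_visible_to_server": foreign6 == ipaddress.IPv6Address(c["source"]),
    }


if __name__ == "__main__":
    for key, value in correlate(ACE_SHOW_CONN, SERVER_NETSTAT, VIP, NAT_POOL).items():
        print(f"{key:26} {value}")
```

Running it reports `client_visible_to_server` as false and `netstat_matches_snat` as true for the slide's data: the server's foreign address is `[2001:db8:cafe:12::beef]:1027`, exactly the SNAT tuple from the `out` leg, and the client address appears nowhere in the server's view. Keeping the ACE connection table (or the inserted X-Forwarded-For header) in your logging pipeline is therefore what makes server-side incidents attributable to a client.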
  16. NAT64
     • Lots of RFCs to check out:
       RFC 6144 – Framework for IPv4/IPv6 Translation
       RFC 6052 – IPv6 Addressing of IPv4/IPv6 Translators
       RFC 6145 – IP/ICMP Translation Algorithm
       RFC 6146 – Stateful NAT64
       RFC 6147 – DNS64
     • Stateless – Not your friend in the enterprise (corner case deployment)
       1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts to 254 IPv4 hosts)
       Requires the IPv6-only hosts to use an "IPv4-translatable" address format
     • Stateful – What we are after for translating IPv6-only hosts to IPv4-only host(s)
       It is what it sounds like: keeps state between translated hosts
       Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc.)
       This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)
     • Papers on Stateless vs. Stateful and use cases for NAT64:
       http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676277.html
       http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html

  17. Stateful NAT64 – Example Topology (Static Example)
     IPv6 Host 2001:db8:c150:10::16 -> Internet -> ASR G0/0/0 (Outside) 2001:DB8:CAFE:5555::1/64 | ASR G0/0/1 (Inside) 10.121.220.1/24 -> DMZ/DC hosts 10.121.12.70 and 10.121.13.52

       interface GigabitEthernet0/0/0
        description to 6k-dmz-1 Outside
        no ip address
        ipv6 address 2001:DB8:CAFE:5555::1/64
        ipv6 eigrp 10
        nat64 enable
       !
       interface GigabitEthernet0/0/1
        description to 6k-dmz-1 Inside
        ip address 10.121.220.1 255.255.255.0
        nat64 enable
       !
       ipv6 access-list EDGE_ACL
        permit ipv6 any host 2001:DB8:CAFE:BEEF::46
        permit ipv6 any host 2001:DB8:CAFE:BEEF::34
       !
       nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96
       nat64 v4 pool EDGE 10.121.55.1 10.121.55.1
       nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46
       nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::34
       nat64 v6v4 list EDGE_ACL pool EDGE overload
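As an added example that is not part of the deck, the following Python script implements the RFC 6052 address embedding that slide 16 points to and applies it to the stateful prefix and static entries on slide 17. It goes beyond the /96 case the slide uses: all six prefix lengths RFC 6052 allows are handled, the reserved octet at bits 64 to 71 is kept zero, and the reverse operation recovers the IPv4 address. The function names and the `check_static_mappings` report are this example's own; it relies only on the standard library `ipaddress` module, and the RFC 6052 test vectors used to check it come from section 2.4 of that RFC.

```python
# Added example (not from the slides): RFC 6052 IPv4-embedded IPv6 address
# synthesis and extraction, applied to the stateful NAT64 prefix on slide 17.
import ipaddress

# RFC 6052 section 2.2 allows these prefix lengths; bits 64-71 ("u") stay zero.
_VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# Constructed from slide 17: the stateful prefix and the two static v4v6 entries.
STATEFUL_PREFIX = "2001:db8:cafe:beef::/96"
STATIC_V4V6 = {
    "10.121.12.70": "2001:db8:cafe:beef::46",
    "10.121.13.52": "2001:db8:cafe:beef::34",
}


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    plen = net.prefixlen
    if plen not in _VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{plen} is not allowed by RFC 6052")
    base = int(net.network_address)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        # /96: the whole IPv4 address sits in the last 32 bits.
        return ipaddress.IPv6Address(base | v4)
    # Shorter prefixes: the first (64 - plen) IPv4 bits fill bits plen..63,
    # bits 64..71 are the reserved zero octet, the remaining IPv4 bits start at bit 72.
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    return ipaddress.IPv6Address(base | (high << 64) | (low << (24 + high_bits)))


def extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address from an RFC 6052 IPv4-embedded IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    plen = net.prefixlen
    if plen not in _VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{plen} is not allowed by RFC 6052")
    a = int(addr)
    if plen == 96:
        return ipaddress.IPv4Address(a & 0xFFFF_FFFF)
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (24 + high_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


def check_static_mappings(prefix=STATEFUL_PREFIX, mappings=STATIC_V4V6):
    """For each static v4v6 entry report whether its IPv6 side is inside the
    stateful prefix (what EDGE_ACL and the routing depend on) and what the
    algorithmic RFC 6052 embedding of the same IPv4 address would be."""
    net = ipaddress.IPv6Network(prefix)
    report = {}
    for v4, v6 in mappings.items():
        static6 = ipaddress.IPv6Address(v6)
        algorithmic = synthesize(prefix, v4)
        report[v4] = {
            "static": str(static6),
            "in_prefix": static6 in net,
            "algorithmic": str(algorithmic),
            "static_is_algorithmic": static6 == algorithmic,
        }
    return report


if __name__ == "__main__":
    for v4, info in check_static_mappings().items():
        print(v4, info)
```

Running it shows that both static entries on slide 17 lie inside 2001:db8:cafe:beef::/96, which is what EDGE_ACL permits, but that neither is the algorithmic embedding (10.121.12.70 would be 2001:db8:cafe:beef::a79:c46). A DNS64 resolver (RFC 6147) synthesising AAAA records from this prefix hands out the algorithmic form, so when static entries are in use the names clients resolve must point at the static addresses rather than relying on DNS64 synthesis.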
  18. NAT64 Translations (Reference)

       ASR1k#sh nat64 translations
       Proto  Original IPv4      Translated IPv4               Translated IPv6     Original IPv6
       -------------------------------------------------------------------------------
       ---    10.121.13.52       2001:db8:cafe:beef::48        ---                 ---
       ---    10.121.12.70       2001:db8:cafe:beef::46        ---                 ---
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1030    [2001:db8:cafe:10::16]:53601
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1029    [2001:db8:cafe:10::16]:53600
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1028    [2001:db8:cafe:10::16]:53599
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1024    [2001:db8:cafe:10::16]:53593
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1025    [2001:db8:cafe:10::16]:53596
       tcp    10.121.12.70:443   [2001:db8:cafe:beef::46]:443  10.121.55.1:1026    [2001:db8:cafe:10::16]:53597
       tcp    10.121.12.70:80    [2001:db8:cafe:beef::46]:80   10.121.55.1:1027    [2001:db8:cafe:10::16]:53598
       Total number of translations: 9

     The first two rows are the static entries; the tcp rows are the dynamic overloaded entries.

  19. NAT64 Statistics (Reference)

       ASR1k#show nat64 statistics
       Total active translations: 6 (3 static, 3 dynamic; 3 extended)
       Sessions found: 171
       Sessions created: 3
       Global Stats:
         Packets translated (IPv4 -> IPv6)
           Stateless: 0
           Stateful: 100
         Packets translated (IPv6 -> IPv4)
           Stateless: 0
           Stateful: 74
       Interface Statistics
         GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):
           Packets translated (IPv6 -> IPv4)
             Stateless: 0
             Stateful: 74
         GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
           Packets translated (IPv4 -> IPv6)
             Stateful: 100
       Dynamic Mapping Statistics
         v6v4
           access-list EDGE_ACL pool EDGE refcount 3
             pool EDGE: start 10.121.55.1 end 10.121.55.1
               total addresses 1, allocated 1 (100%)

     *Output reduced for clarity

  20. Apache2 Reverse Proxy
     Client 2001:db8:beef:10::16 -> Apache proxy (One-Arm 2001:db8:cafe:12::5, or Dual-Attached with 10.121.11.125 on the inside) -> IPv4-only Web Server 10.121.11.60

     Netstat - Client:

       TCP    [2001:db8:beef:10::16]:54640    [2001:db8:cafe:12::5]:80    ESTABLISHED
       TCP    [2001:db8:beef:10::16]:54641    [2001:db8:cafe:12::5]:80    ESTABLISHED

     Netstat - Proxy:

       Proto Recv-Q Send-Q Local Address             Foreign Address               State
       tcp        0      0 10.121.11.125:40475       10.121.11.60:80               ESTABLISHED
       tcp        0      0 10.121.11.125:40476       10.121.11.60:80               ESTABLISHED
       tcp6       0      0 2001:db8:cafe:12::5:80    2001:db8:beef:10::16:54640    ESTABLISHED
       tcp6       0      0 2001:db8:cafe:12::5:80    2001:db8:beef:10::16:54641    ESTABLISHED

     Netstat - Server:

       TCP    10.121.11.60:80    10.121.11.125:40475    ESTABLISHED
       TCP    10.121.11.60:80    10.121.11.125:40476    ESTABLISHED

     Apache configuration:

       <VirtualHost *:80>
           ProxyPass        / http://10.121.11.60:80/
           ProxyPassReverse / http://10.121.11.60:80/
       </VirtualHost>

  21. Microsoft Windows PortProxy
     • Can be treated like an appliance
     • One-arm (PortProxy listening on 2001:db8:cafe:12::25)
     • Dual-attached (better perf; inside address 10.121.12.25)
     • Outside traffic comes in on IPv6; PortProxy forwards to the ACE (VIP=10.121.5.20, v4, on the ACE)
     • Traffic is IPv4 to the IPv4-only Web Server

  22. PortProxy Configuration/Monitoring

       netsh interface portproxy>sh all

       Listen on ipv6:                 Connect to ipv4:

       Address         Port        Address         Port
       --------------- ----------  --------------- ----------
       2001:db8:cafe:12::25 80     10.121.5.20     80

     PortProxy host:

       Active Connections
         Proto  Local Address                Foreign Address                State
         TCP    10.121.12.25:58141           10.121.5.20:http               ESTABLISHED
         TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:10::17]:52047   ESTABLISHED

     ACE connection table:

       conn-id    np dir proto vlan source                 destination            state
       ----------+--+---+-----+----+---------------------+---------------------+------+
       14         1  in  TCP   5    10.121.12.25:58573    10.121.5.20:80         ESTAB
       13         1  out TCP   5    10.121.14.15:80       10.121.5.12:1062       ESTAB
