Shmcfarl slb66-slb64-nat64-proxy
- 2. Dual Stack the DC and Internet Edge
Dual stack the same network you have. If not, do just enough IPv6-only to get you going.
Most design elements should be the same as with IPv4 (minus pure NAT/PAT).
You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps.
[Diagram: Internet (ISP 1, ISP 2) - Edge Router - Outer Switch - Security Services - Enterprise Core - Inner switching / DMZ / Server Farm (SLB/Proxy/Compute: Web, Email, Other) - Internal Enterprise]
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
- 3. What if I Can’t Dual Stack My Edge?
[Diagram: three ways for IPv6 Internet clients to reach an IPv4-only host: Server Load Balancer (IPv6 in, IPv4 out), Stateful NAT64 (IPv6 in, IPv4 out), Proxy (Apache or MSFT PortProxy; IPv6 in, IPv4 out)]
- 4. ACE + IPv6 / ASR + NAT64
[Diagram: ACE SLB66 (v6 client - v6 VIP - v6 servers) and ACE SLB64 (v6 client - v6 VIP - v4 servers), both on A5(1.0) (ACE30, ACE4710); ASR Stateful NAT64 + SLB44 (v6 client - NAT64 - v4 VIP - v4 server)]
- 5. ACE SLB66 – One Arm Mode
[Topology: IPv6 client 2001:db8:cafe:10::17 -> VIP 2001:db8:cafe:12::ace3 (SNAT 2001:db8:cafe:12::beef) -> IPv6 servers 2001:db8:cafe:12::15 and 2001:db8:cafe:12::25]
- 6. Cisco ACE – Context Definition
Interface Configuration (Admin Context)
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface port-channel 1
  switchport trunk allowed vlan 11-13
  port-channel load-balance dst-ip
  no shutdown
Define WEB-V6 Context
context WEB-V6
  allocate-interface vlan 12
interface vlan 13
  ipv6 enable
  ip address 2001:db8:cafe:13::ace1/64
  ip address 10.121.13.100 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.121.13.1
ip route ::/0 vlan 13 fe80::5:73ff:fea0:2
- 7. WEB_V6 Context - MGMT
class-map type management match-any mgmt-cm
  2 match protocol xml-https any
  3 match protocol https any
  4 match protocol ssh any
  5 match protocol snmp any
  6 match protocol icmp any
  7 match protocol http any
  8 match protocol telnet any
class-map type management match-any mgmt-cm-v6
  2 match protocol icmpv6 anyv6
policy-map type management first-match MGMT
  class mgmt-cm
    permit
  class mgmt-cm-v6
    permit
interface vlan 12
  service-policy input MGMT
IP Access through the Cisco ACE (the EVERYONE and EVERYONE-v6 ACLs below permit all IPv4 and IPv6 traffic; they are wide open for the lab)
access-list EVERYONE line 10 extended permit icmp any any
access-list EVERYONE line 20 extended permit ip any any
access-list EVERYONE-v6 line 8 extended permit icmpv6 anyv6 anyv6
access-list EVERYONE-v6 line 16 extended permit ip anyv6 anyv6
interface vlan 12
  access-group input EVERYONE
  access-group input EVERYONE-v6
- 8. WEB_V6 Context Specific Configurations
probe icmp PING_V6_PROBE
  ip address 2001:db8:cafe:12::25
  interval 15
  passdetect interval 60
probe http WEB_V6_PROBE
  interval 15
  passdetect interval 5
  request method get url /welcome.png
  expect status 200 200
  open 1
rserver host WEB_V6_1
  ip address 2001:db8:cafe:12::25
  inservice
rserver host WEB_V6_2
  ip address 2001:db8:cafe:12::15
  inservice
serverfarm host WEB_V6_SF
  predictor leastconns slowstart 300
  probe PING_V6_PROBE
  probe WEB_V6_PROBE
  rserver WEB_V6_1
    inservice
  rserver WEB_V6_2
    inservice
class-map match-all WEB_V6_VIP
  2 match virtual-address 2001:db8:cafe:12::ace3 tcp eq www
policy-map type loadbalance first-match WEB_V6_SLB
  class class-default
    serverfarm WEB_V6_SF
policy-map multi-match WEB_V6_POL
  class WEB_V6_VIP
    loadbalance vip inservice
    loadbalance policy WEB_V6_SLB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 12
interface vlan 12
  ipv6 enable
  ip address 2001:db8:cafe:12::ace1/64
  access-group input EVERYONE
  access-group input EVERYONE-v6
  nat-pool 1 2001:db8:cafe:12::beef 2001:db8:cafe:12::beef/128 pat
  service-policy input MGMT
  service-policy input WEB_V6_POL
ip route ::/0 vlan 12 fe80::5:73ff:fea0:2
- 9. Health Monitoring (Probes) - ICMP
ace-4710-1/WEB-V6# show probe
probe : PING_V6_PROBE
type : ICMP
state : ACTIVE
----------------------------------------------
port : 0 address : 2001:DB8:CAFE:12::25
addr type : TRANSPARENT interval : 15 pass intvl : 60
pass count: 3 fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WEB_V6_SF
real : WEB_V6_1[0]
2001:DB8:CAFE:12::25 0 PROBE 6 0 6 SUCCESS
- 10. Health Monitoring (Probes) - HTTP
probe : WEB_V6_PROBE
type : HTTP
state : ACTIVE
----------------------------------------------
port : 80 address : 0.0.0.0
addr type : - interval : 15 pass intvl : 5
pass count: 3 fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
2001:DB8:CAFE:12::25 80 VIP 26 0 26 SUCCESS
real : WEB_V6_2[0]
2001:DB8:CAFE:12::15 80 VIP 51 51 0 FAILED
Packet capture of the HTTP probe (Source -> Destination, Protocol, Info):
2001:db8:cafe:12::ace1 -> 2001:db8:cafe:12::25   HTTP   GET /welcome.png HTTP/1.1
2001:db8:cafe:12::25   -> 2001:db8:cafe:12::ace1 HTTP   HTTP/1.1 200 OK (PNG)
- 11. Validation of Connection
conn-id    np dir proto vlan source                      sport state
                             destination                 dport
----------+--+---+-----+----+----------------------------+-----+------+
131884     1  in  TCP   12   2001:db8:cafe:10::17        59374 ESTAB   (Client-2-VIP)
                             2001:db8:cafe:12::ace3      80
129952     1  out TCP   12   2001:db8:cafe:12::25        80    ESTAB   (Svr-2-SNAT)
                             2001:db8:cafe:12::beef      1027
Server:
C:\>netstat
Active Connections
Proto  Local Address                Foreign Address                 State
TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:12::beef]:1027   ESTABLISHED
- 12. ACE Show Output (1)
ace-4710-1/WEB-V6# show serverfarm
serverfarm type rservers predictor current conns
+--------------------+---------+--------+------------------+---------------
WEB_V6_SF HOST 2 LEASTCONNS 0
ace-4710-1/WEB-V6# show rserver
rserver : WEB_V6_1, type: HOST
state : OPERATIONAL (verified by ND response)
-------------------------------------------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: WEB_V6_SF
[2001:db8:cafe:12::25]:0 8 OPERATIONAL 0 3
rserver : WEB_V6_2, type: HOST
state : ND_FAILED
-------------------------------------------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: WEB_V6_SF
[2001:db8:cafe:12::15]:0 8 ND_FAILED 0 0
- 13. ACE Show Output (2)
ace-4710-1/WEB-V6# show service-policy
Policy-map : WEB_V6_POL
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 12
service-policy: WEB_V6_POL
class: WEB_V6_VIP
nat:
nat dynamic 1 vlan 12
curr conns : 0 , hit count : 2
dropped conns : 0
client pkt count : 35 , client byte count: 4145
server pkt count : 159 , server byte count: 197507
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: WEB_V6_SLB
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DCI state: VPC_DISABLED
VIP DAD state: DAD_PASSED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 23
dropped conns : 20
client pkt count : 121 , client byte count: 10563
server pkt count : 314 , server byte count: 392943
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
- 14. ACE SLB64 – One Arm Mode
[Topology: IPv6 client 2001:db8:cafe:10::17 -> VIP 2001:db8:cafe:12::ace4 (SNAT 10.121.12.90) -> IPv4 servers 10.121.12.25 and 10.121.12.15]
- 15. SLB64 Context Specific Configurations
probe http WEB_V4_PROBE
  interval 15
  passdetect interval 5
  request method get url /welcome.png
  expect status 200 200
  open 1
rserver host WEB_V4_1
  ip address 10.121.12.25
  inservice
rserver host WEB_V4_2
  ip address 10.121.12.15
  inservice
serverfarm host WEB_V6_V4_SF
  predictor leastconns slowstart 300
  probe WEB_V4_PROBE
  rserver WEB_V4_1 80
    inservice
  rserver WEB_V4_2 80
    inservice
class-map match-all WEB_V6_V4_VIP
  2 match virtual-address 2001:db8:cafe:12::ace4 tcp eq www
policy-map type loadbalance first-match WEB_V6_V4_SLB
  class class-default
    serverfarm WEB_V6_V4_SF
    insert-http x-forward-for header-value "%is"
    nat dynamic 2 vlan 12 serverfarm primary
policy-map multi-match WEB_V6_POL
  class WEB_V6_V4_VIP
    loadbalance vip inservice
    loadbalance policy WEB_V6_V4_SLB
    loadbalance vip icmp-reply active
interface vlan 12
  ipv6 enable
  ip address 2001:db8:cafe:12::ace1/64
  ip address 10.121.12.45 255.255.255.0
  access-group input EVERYONE
  access-group input EVERYONE-v6
  nat-pool 2 10.121.12.90 10.121.12.90 netmask 255.255.255.0 pat
  service-policy input MGMT
  service-policy input WEB_V6_POL
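Both SLB66 (nat-pool 1) and SLB64 (nat-pool 2) source-NAT the server-side connection, so the server socket only ever sees the SNAT address (the netstat on slide 11 shows ::beef as the peer), which is why the SLB64 policy inserts X-Forwarded-For with "%is". The following is an added example, not code from the deck or from Cisco ACE, of how a server-side application should consume that header: believe it only when the TCP peer is one of the known SNAT addresses, otherwise log the peer itself. The two SNAT addresses come from the deck; the function names and log format are assumptions.

```python
import ipaddress

# ACE source-NAT addresses from the deck: servers see these as the TCP peer
# for SLB66 (nat-pool 1) and SLB64 (nat-pool 2) connections.
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("2001:db8:cafe:12::beef"),  # SLB66 SNAT
    ipaddress.ip_address("10.121.12.90"),            # SLB64 SNAT
})


def client_address(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return (address_to_log, header_was_trusted) for one server-side request.

    peer_ip    -- TCP peer address as the server socket reports it
    xff_header -- raw X-Forwarded-For value, or None when absent

    The header is believed only when the TCP peer is a known SNAT address.
    The right-most entry is the one the load balancer appended
    (insert-http x-forward-for header-value "%is"); entries further left
    were not added by the ACE and are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not xff_header:
        return str(peer), False
    forwarded = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(forwarded)), True
    except ValueError:            # malformed header: fall back to the SNAT peer
        return str(peer), False


def log_line(peer_ip, xff_header, request):
    """Format an access-log entry that records both the SNAT peer and the client (assumed format)."""
    client, trusted = client_address(peer_ip, xff_header)
    origin = "xff" if trusted else "peer"
    return f"client={client} via={peer_ip} source={origin} request={request!r}"
```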
- 16. NAT64
Lots of RFCs to check out:
RFC 6144 – Framework for IPv4/IPv6 Translation
RFC 6052 – IPv6 Addressing of IPv4/IPv6 Translators
RFC 6145 – IP/ICMP Translation Algorithm
RFC 6146 – Stateful NAT64
RFC 6147 – DNS64
Stateless – Not your friend in the enterprise (corner case deployment)
1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts-to-254 IPv4 hosts)
Requires the IPv6-only hosts to use an “IPv4 translatable” address format
Stateful – What we are after for translating IPv6-only hosts to IPv4-only host(s)
It is what it sounds like – keeps state between translated hosts
Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc…)
This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)
Papers on Stateless vs. Stateful and use cases for NAT64:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676277.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html
- 17. Stateful NAT64 – Example Topology
Static Example
[Topology: IPv6 Host 2001:db8:c150:10::16 on the Internet side - ASR G0/0/0 2001:DB8:CAFE:5555::1/64 (Outside) / G0/0/1 10.121.220.1/24 (Inside) - DMZ/DC servers 10.121.12.70 and 10.121.13.52]
ASR configuration:
interface GigabitEthernet0/0/0
 description to 6k-dmz-1 Outside
 no ip address
 ipv6 address 2001:DB8:CAFE:5555::1/64
 ipv6 eigrp 10
 nat64 enable
!
interface GigabitEthernet0/0/1
 description to 6k-dmz-1 Inside
 ip address 10.121.220.1 255.255.255.0
 nat64 enable
!
ipv6 access-list EDGE_ACL
 permit ipv6 any host 2001:DB8:CAFE:BEEF::46
 permit ipv6 any host 2001:DB8:CAFE:BEEF::34
!
nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96
nat64 v4 pool EDGE 10.121.55.1 10.121.55.1
nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46
nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::34
nat64 v6v4 list EDGE_ACL pool EDGE overload
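The stateful prefix 2001:DB8:CAFE:BEEF::/96 above is an RFC 6052 IPv4-embedded prefix (slide 16 lists the RFC). As an added example, not from the deck or from IOS, the code below synthesises and decodes RFC 6052 addresses for all six permitted prefix lengths, which goes beyond the /96 case used here, and shows that the deck's hand-picked static suffix ::46 is not an embedding of 10.121.12.70: decoding it yields 0.0.0.70. Function names are assumptions; the prefix and server address are the deck's.

```python
import ipaddress

# RFC 6052 permits these prefix lengths; for /40 to /64 the octet at bits
# 64-71 (the "u" octet) must stay zero, so the embedding skips byte 8.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, ipv4):
    """Synthesise the IPv4-embedded IPv6 address for ipv4 under prefix (RFC 6052 2.2)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    head = net.prefixlen // 8
    out = bytearray(16)
    out[:head] = net.network_address.packed[:head]
    pos = head
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:                 # leave the "u" octet zero
            pos += 1
        out[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if ipv6 is not under prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    pos = net.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == 8:                 # skip the "u" octet on the way back out
            pos += 1
        octets.append(addr.packed[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(octets)))


def deck_example():
    """Prefix and server address from the deck: the /96 stateful prefix and 10.121.12.70."""
    prefix = "2001:DB8:CAFE:BEEF::/96"
    synthesised = embed_ipv4(prefix, "10.121.12.70")
    # The deck's static mapping picks the suffix ::46 by hand; it is not an
    # RFC 6052 embedding, so decoding it does not give 10.121.12.70 back.
    static_decoded = extract_ipv4(prefix, "2001:DB8:CAFE:BEEF::46")
    return synthesised, static_decoded
```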
- 18. NAT64 Translations Reference
ASR1k#sh nat64 translations
Proto  Original IPv4          Translated IPv4
       Translated IPv6        Original IPv6
----------------------------------------------------------------------------
Static entries:
---    10.121.13.52           2001:db8:cafe:beef::48
       ---                    ---
---    10.121.12.70           2001:db8:cafe:beef::46
       ---                    ---
Dynamic overloaded entries:
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1030       [2001:db8:cafe:10::16]:53601
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1029       [2001:db8:cafe:10::16]:53600
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1028       [2001:db8:cafe:10::16]:53599
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1024       [2001:db8:cafe:10::16]:53593
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1025       [2001:db8:cafe:10::16]:53596
tcp    10.121.12.70:443       [2001:db8:cafe:beef::46]:443
       10.121.55.1:1026       [2001:db8:cafe:10::16]:53597
tcp    10.121.12.70:80        [2001:db8:cafe:beef::46]:80
       10.121.55.1:1027       [2001:db8:cafe:10::16]:53598
Total number of translations: 9
- 19. NAT64 Statistics Reference
ASR1k#show nat64 statistics
Total active translations: 6 (3 static, 3 dynamic; 3 extended)
Sessions found: 171
Sessions created: 3
Global Stats:
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 100
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 74
Interface Statistics
GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 74
GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
Packets translated (IPv4 -> IPv6)
Stateful: 100
Dynamic Mapping Statistics
v6v4
access-list EDGE_ACL pool EDGE refcount 3
pool EDGE:
start 10.121.55.1 end 10.121.55.1
total addresses 1, allocated 1 (100%)
*Output reduced for clarity
- 20. Apache2 Reverse Proxy
[Topology: IPv6 client 2001:db8:beef:10::16 -> Apache (One-Arm or Dual-Attached) with IPv6 side 2001:db8:cafe:12::5 and IPv4 side 10.121.11.125 -> IPv4-only Web Server 10.121.11.60]
Netstat - Client
TCP    [2001:db8:beef:10::16]:54640    [2001:db8:cafe:12::5]:80    ESTABLISHED
TCP    [2001:db8:beef:10::16]:54641    [2001:db8:cafe:12::5]:80    ESTABLISHED
Netstat - Proxy
Proto Recv-Q Send-Q Local Address              Foreign Address               State
tcp        0      0 10.121.11.125:40475        10.121.11.60:80               ESTABLISHED
tcp        0      0 10.121.11.125:40476        10.121.11.60:80               ESTABLISHED
tcp6       0      0 2001:db8:cafe:12::5:80     2001:db8:beef:10::16:54640    ESTABLISHED
tcp6       0      0 2001:db8:cafe:12::5:80     2001:db8:beef:10::16:54641    ESTABLISHED
Netstat - Server
TCP    10.121.11.60:80    10.121.11.125:40475    ESTABLISHED
TCP    10.121.11.60:80    10.121.11.125:40476    ESTABLISHED
Apache configuration on the proxy:
<VirtualHost *:80>
  ProxyPass / http://10.121.11.60:80/
  ProxyPassReverse / http://10.121.11.60:80/
</VirtualHost>
- 21. Microsoft Windows PortProxy
Can be treated like an appliance:
  One-arm
  Dual-attached (better perf)
Outside traffic comes in on IPv6; PortProxy to v4 (VIP address on ACE)
Traffic is IPv4 to server
[Diagram: PortProxy One-Arm (2001:db8:cafe:12::25 / 10.121.12.25) and PortProxy Dual-Attached, both forwarding to the ACE VIP=10.121.5.20, which load balances to the IPv4-only Web Server]
- 22. PortProxy Configuration/Monitoring
netsh interface portproxy>sh all
Listen on ipv6:                  Connect to ipv4:
Address                  Port    Address          Port
---------------          -----   ---------------  -----
2001:db8:cafe:12::25     80      10.121.5.20      80
netstat on the PortProxy host:
Active Connections
Proto  Local Address                Foreign Address                 State
TCP    10.121.12.25:58141           10.121.5.20:http                ESTABLISHED
TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:10::17]:52047    ESTABLISHED
ACE show conn:
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
14         1  in  TCP   5    10.121.12.25:58573    10.121.5.20:80        ESTAB
13         1  out TCP   5    10.121.14.15:80       10.121.5.12:1062      ESTAB
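As an added example (not part of the deck, and not Windows PortProxy or Apache code), a minimal asyncio relay that does what slides 20 to 22 describe: accept on an IPv6 address and open an IPv4 connection to the back end, copying bytes both ways and passing each side's FIN across so the reverse direction can finish. The loopback addresses ::1 and 127.0.0.1 with ephemeral ports are constructed for an offline run, the echo server stands in for the IPv4-only web server, and the demo falls back to IPv4 on both legs if the host has no IPv6 loopback.

```python
import asyncio

async def _pump(reader, writer):
    """Copy bytes one way until EOF, then pass the FIN on (half-close) so the other direction can drain."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:                   # peer reset: tear this leg down
        writer.close()

async def start_portproxy(listen_host, listen_port, connect_host, connect_port):
    """Accept on listen_host (IPv6 here) and relay each connection to an IPv4 back end."""
    async def handle(client_reader, client_writer):
        try:
            be_reader, be_writer = await asyncio.open_connection(connect_host, connect_port)
        except OSError:               # back end unreachable: refuse rather than hang the client
            client_writer.close()
            return
        await asyncio.gather(_pump(client_reader, be_writer), _pump(be_reader, client_writer))
        client_writer.close()
        be_writer.close()
    return await asyncio.start_server(handle, listen_host, listen_port)

async def _roundtrip(listen_host, backend_host, payload):
    async def echo(reader, writer):   # stand-in for the IPv4-only web server
        writer.write(await reader.read(65536))
        await writer.drain()
        writer.close()
    backend = await asyncio.start_server(echo, backend_host, 0)      # port 0: pick a free port
    proxy = await start_portproxy(listen_host, 0, backend_host, backend.sockets[0].getsockname()[1])
    reader, writer = await asyncio.open_connection(listen_host, proxy.sockets[0].getsockname()[1])
    writer.write(payload)
    await writer.drain()
    writer.write_eof()                # client done sending; the proxy half-closes its back-end leg
    reply = await reader.read()       # everything echoed back, until the proxy passes the FIN on
    writer.close()
    proxy.close()
    backend.close()
    return reply

def proxy_roundtrip(payload=b"GET /welcome.png HTTP/1.0\r\n\r\n"):
    """Relay payload from a ::1 listener to a 127.0.0.1 echo back end (constructed demo)."""
    try:
        return asyncio.run(_roundtrip("::1", "127.0.0.1", payload))
    except OSError:                   # no IPv6 loopback here: same relay, IPv4 on both legs
        return asyncio.run(_roundtrip("127.0.0.1", "127.0.0.1", payload))
```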