Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Example: Configuring Dual-Stack Lite for IPv6 Access

This example shows how to configure DS-Lite for IPv6 access.

Requirements

This example uses the following hardware and software components:

  • Juniper Networks MX Series 3D Universal Edge Routers with Multiservices Dense Port Concentrators (DPCs)
  • Juniper Networks® Junos® operating system (Junos OS) 10.4 or later running on the Address Family Transition Routers (AFTRs)

Overview

In Figure 1, the AFTR is running on an MX Series router with two Gigabit Ethernet interfaces and a Multiservices DPC. The interface toward the Basic Bridging BroadBand Element (B4) is ge-3/1/5, and the interface toward the Internet is ge-3/1/0.

Figure 1: Logical Topology

Logical Topology
  • The source IPv4 address connected to the home router is 10.0.0.1.
  • The source address (or B4 interface address) of the IPv4-in-IPv6 softwire is 2001:0:0:1::1.
  • The address of the NAT pool between the AFTR and the Internet is 129.0.0.1.
  • The address of the IPv4 host connected to the Internet is 128.0.0.1.
  • The address of the softwire on the AFTR is 2001:0:0:2::1/48.

Configuration

Configuring DS-Lite involves the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

AFTR

set chassis fpc 0 pic 0 adaptive-services service-package layer-3set interfaces sp-0/0/0 unit 0 family inetset interfaces sp-0/0/0 unit 0 family inet6set interfaces ge-3/1/0 description AFTR-Internetset interfaces ge-3/1/0 unit 0 family inet address 128.0.0.2/24set interfaces ge-3/1/5 description AFTR-B4set interfaces ge-3/1/5 unit 0 family inetset interfaces ge-3/1/5 unit 0 family inet6set interfaces ge-3/1/5 unit 0 family inet6 service input service-set ssetset interfaces ge-3/1/5 unit 0 family inet6 service output service-set ssetset interfaces ge-3/1/5 unit 0 family inet6 address 2001:0:0:2::1/48set services service-set sset syslog host local services anyset services service-set sset softwire-rules r1set services service-set sset tcp-mss 1024set services service-set sset nat-rules r1set services service-set sset interface-service service-interface sp-0/0/0.0set services softwire softwire-concentrator ds-lite ds1 softwire-address 1001::1set services softwire softwire-concentrator ds-lite ds1 mtu-v6 1460set softwire softwire-concentrator ds-lite ds1 copy-dscpset softwire softwire-concentrator ds-lite ds1 flow-limit 10set services softwire rule r1 match-direction inputset services softwire rule r1 term t1 then ds-lite ds1set services nat pool p1 address 129.0.0.1/32set services nat pool p1 port automaticset services nat rule r1 match-direction inputset services nat rule r1 term t1 from source-address 10.0.0.0/16set services nat rule r1 term t1 then translated source-pool p1set services nat rule r1 term t1 then translated translation-type napt-44set services nat rule r1 term t1 then syslog

Enabling the Layer-3 Service Package

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see the CLI User Guide.

  • Configure the Layer 3 service package.

    This example assumes that the PIC is in FPC 0, slot 0.

    [edit chassis]user@AFTR# set fpc 0 pic 0 adaptive-services service-package layer-3

    The service package with its associated sp- interface is for manipulating traffic before it is delivered to its destination. For details about configuring service packages, see the Junos OS Services Interfaces Configuration Guide.

Configuring Network Address and Port Translation

Step-by-Step Procedure

To configure NAT and Port Address Translation (PAT) rules:

  1. Configure an IPv4 address and port for the NAT pool to specify the IPv4-to-IPv6 translation for packets traveling between the AFTR router and the Internet.
    [edit services nat]user@AFTR# set pool p1 address 129.0.0.1/32user@AFTR# set pool p1 port automatic
  2. Configure a NAT rule to translate the private IPv4 address from the home network to NAT pool p1.

    NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address 10.0.0.0.

    [edit services nat]user@AFTR# set rule r1 match-direction inputuser@AFTR# set rule r1 term t1 from source-address 10.0.0.0/16user@AFTR# set rule r1 term t1 then translated source-pool p1user@AFTR# set rule r1 term t1 then translated translation-type napt-44user@AFTR# set rule r1 term t1 then syslog

Configuring the Softwire Concentrator

Step-by-Step Procedure

  1. Create a softwire concentrator object of type ds-lite and associate it with the IPv6 address of the softwire.

    Specify a name for the softwire concentrator to facilitate references in logs, in the CLI, and in other operations and management activities.

    [edit services softwire]user@AFTR# set softwire-concentrator ds-lite ds1 softwire-address 1001::1
  2. Configure the maximum transmission unit (ranging from 1280 to 9192 bytes) for the softwire for encapsulating IPv4 packets to IPv6.

    This is the maximum packet size that can be sent on a tunnel from the AFTR to B4 without fragmentation. If the final length of the packet is greater than the MTU, the IPv6 packet would be fragmented.

    Note: Including the mtu-v6 statement is mandatory, and you cannot commit the example configuration unless this statement is configured.

    [edit services softwire]user@AFTR# set softwire-concentrator ds-lite ds1 mtu-v6 1460
  3. (Optional) Configure the softwire to copy DSCP information from the IPv6 header into the decapsulated IPv4 header.
    [edit services softwire]user@AFTR# set softwire-concentrator ds-lite ds1 copy-dscp
  4. (Optional) Configure a flow limit for the maximum number of IPv4 flows or sessions (ranging from 1280 to 9192 bytes) per softwire from the IPv4 host to the B4.
    [edit services softwire]user@AFTR# set softwire-concentrator ds-lite ds1 flow-limit 10
  5. Create a softwire rule.

    The rule in this example specifies that any traffic destined for the softwire concentrator ds1 creates a new softwire. You can also configure more elaborate match conditions to perform as part of softwire initiator actions.

    [edit services softwire]user@AFTR# set rule r1 match-direction inputuser@AFTR# set rule r1 term t1 then ds-lite ds1

Configuring the Service Set with Softwire and NAT Rules

Step-by-Step Procedure

To configure the service set on service interface sp-0/0/0 to contain the softwire and NAT rules:

  1. Configure a service set using the same NAT and softwire rules configured in the previous two procedures.
    [edit services]user@AFTR# set service-set sset softwire-rules r1user@AFTR# set service-set sset nat-rules r1user@AFTR# set service-set sset interface-service service-interface sp-0/0/0.0
  2. Configure the service interface.

    In this example, the interface is sp-0/0/0.

    [edit interfaces]user@AFTR# set sp-0/0/0 unit 0 family inetuser@AFTR# set sp-0/0/0 unit 0 family inet6
  3. (Optional) Configure a TCP maximum segment size value on a service-set basis to ensure that TCP traffic works through links with different MTUs.
    [edit services]user@AFTR# set service-set sset tcp-mss 1024
  4. Associate the softwire and NAT rules and the service interface with the service set.
    [edit services]user@AFTR# set service-set sset interface-service service-interface sp-0/0/0.0user@AFTR# set service-set sset softwire-rules r1user@AFTR# set service-set sset nat-rules r1
  5. Configure system log parameters for the service set.
    [edit services]user@AFTR# set service-set sset syslog host local services any

Configuring Interfaces and Associating Service Sets with the Interfaces

Step-by-Step Procedure

  1. Configure the ge-3/1/5 interface between the home router running the B4 and the router in the ISP network running the AFTR.
    [edit interfaces]user@AFTR# set ge-3/1/5 description AFTR-B4user@AFTR# set ge-3/1/5 unit 0 family inetuser@AFTR# set ge-3/1/5 unit 0 family inet6

    Note: Even if IPv6 packets are received on the media interface, configuring family inet on this interface is very important for the DS-Lite configuration to work properly.

  2. Associate the appropriate service set for the NAT and DS-Lite services.

    Service sets can be configured in either interface style or nexthop VPN routing and forwarding (VRF) style. This example depicts the interface style configuration.

    [edit interfaces]user@AFTR# set ge-3/1/5 unit 0 family inet6 service input service-set ssetuser@AFTR# set ge-3/1/5 unit 0 family inet6 service output service-set sset
  3. Include the IPv6 softwire address of the AFTR router.
    [edit interfaces]user@AFTR# set ge-3/1/5 unit 0 family inet6 address 2001:0:0:2::1/48
  4. Configure the ge-3/1/0 interface between the AFTR and the Internet, and specify the IPv4 address connected to the Internet.
    [edit interfaces]user@AFTR# set ge-3/1/0 description AFTR-Internetuser@AFTR# set ge-3/1/0 unit 0 family inet address 128.0.0.2/24

Results

In configuration mode, confirm your configuration by entering the show chassis, show services nat, show services softwire, show services service-set, and show interfaces commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@AFTR# show chassis
fpc 0 {pic 0 {adaptive-services {service-package layer-3;}}}
user@AFTR# show services nat
pool p1 {address 129.0.0.1/32;port {automatic;}}
rule r1 {match-direction input;term t1 {from {source-address {10.0.0.0/16;}}then {translated {source-pool p1;translation-type {napt-44;}}syslog;}}}
user@AFTR# show services softwire
softwire-concentrator {ds-lite ds1 {softwire-address 1001::1;mtu-v6 1460;}rule r1 {match-direction input;term t1 {then {ds-lite ds1;}}}}
user@AFTR# show services service-set sset
syslog {host local {services any;}softwire-rules r1;nat-rules r1;interface-service {service-interface sp-0/0/0.0;}}
user@AFTR# show interfaces
sp-0/0/0 {unit 0 {family inet;family inet6;}}
ge-3/1/0 {description AFTR-Internet;unit 0 {family inet {address 128.0.0.2/24;}}}
ge-3/1/5 {description AFTR-B4;unit 0 {family inet;family inet6 {service {input {service-set sset;}output {service-set sset;}}address 2001:0:0:2::1/48;}}}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Softwires

Purpose

Verify the creation of the softwires.

Action

  1. Issue the show services softwire command to view information about the softwires created.
    user@AFTR> show services softwire
    Interface: sp-0/0/0, Service set: sset
Softwire                                     Direction     Flow count
2001::3         ->        1001::1               I                   3

Interface: sp-1/3/0, Service set: dslite-svc-set1
Softwire                                     Direction     Flow count
2001::2         ->        1001::1               I                   3
2001::4         ->        1001::1               I                   3
  2. Issue the show services softwire statistics ds-lite command to view details of global softwire statistics.
    user@AFTR> show services softwire statistics ds-lite
    DS-Lite Statistics:


  Service PIC Name:                              :sp-0/0/0

  Statistics
  ----------

    Softwires Created                            :6
    Softwires Deleted                            :6
    Softwires Flows Created                      :6
    Softwires Flows Deleted                      :6
    Slow Path Packets Processed                  :6
    Fast Path Packets Processed                  :21
    Fast Path Packets Encapsulated               :20
    Rule Match Succeeded                         :6
    Rule Match Failed                            :0
    IPv6 Packets Fragmented                      :0
    IPv4 Client Fragments                        :0
    ICMPv4 Error Packets sent                    :0
    ICMPv6 Packets sent                          :0

  Transient Errors
  ----------------

    Flow Creation Failed - Retry                 :0
    Slow Path Failed - Retry                     :0

  Errors
  ------

    Softwire Creation Failed                     :0
    Flow Creation Failed                         :0
    Slow Path Failed                             :0
    Packet not IPv4-in-IPv6                      :0
    IPv6 Fragmentation Error                     :0
    Slow Path Failed - IPv6 Next Header Offset   :0
    Decapsulated Packet not IPv4                 :0
    Fast Path Failed - IPv6 Next Header Offset   :0
    No Softwire ID                               :0
    No Flow Extension                            :0
    Flow Limit Exceeded                          :0

Verifying NAT Flows

Purpose

Verify pre-NAT and post-NAT flows.

Action

  1. On the host router, issue the show services stateful-firewall flows command to verify the creation of the softwires, pre-NAT flows, and post-NAT flows within the configuration.
    user@AFTR> show services stateful-firewall flows
    Interface: sp-0/0/0, Service set: sset
Flow                                                State    Dir       Frm count
TCP          20.20.1.2:1025  ->  200.200.200.2:80    Forward  I          107621
    NAT source       20.20.1.2:1025    ->      44.44.44.1:1024    
    Softwire           2001::3         ->         1001::1
TCP      200.200.200.2:80    ->     44.44.44.1:1024  Forward  O          208420
    NAT dest        44.44.44.1:1024    ->       20.20.1.2:1025    
    Softwire           2001::3         ->         1001::1
DS-LITE         2001::3      ->        1001::1       Forward  I          322166

    In this example:

    • In the output direction (O), the protocol (TCP) line shows the Internet-to-IPv4 host address translated to the address of the AFTR.
    • In the output direction, the NAT-translated IPv4 address is translated to the IPv4 address of the home host (NAT dest).
    • In the output direction, the IPv6 address of the B4 is translated to the IPv6 address of the AFTR (Softwire).
    • In the input direction (I), the protocol (TCP) line shows the address of the home host sending the packet to the address of the Internet-to-IPv4 host.
    • In the input direction, the IPv6 address of the B4 is translated to the IPv6 address of the AFTR (NAT source).
  2. Issue the show services stateful-firewall conversations command to verify the conversations (collections of related flows).
    user@AFTR> show services stateful-firewall conversations
    Interface: sp-0/0/0, Service set: sset

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                                State    Dir       Frm count
TCP          20.20.1.2:1025  ->  200.200.200.2:80    Forward  I          189280
    NAT source       20.20.1.2:1025    ->      44.44.44.1:1024    
    Softwire           2001::3         ->         1001::1
TCP      200.200.200.2:80    ->     44.44.44.1:1024  Forward  O          363675
    NAT dest        44.44.44.1:1024    ->       20.20.1.2:1025    
    Softwire           2001::3         ->         1001::1
  3. Issue the show services nat pool detail command to display global NAT statistics related to pool usage.

    You normally use this command in conjunction with the show services stateful-firewall flows command, which displays the source and output of the translation.

    user@AFTR> show services nat pool detail
    Interface: sp-0/0/0, Service set: sset
   NAT pool: p1, Translation type: dynamic
    Address range: 129.0.0.1-129.0.0.1
    Port range: 512-65535, Ports in use: 16,Out of port errors: 0,Max ports used: 17

Verifying Traceroute

Purpose

Examine the traceroute from the IPv4 host on the home network to the IPV4 node on the Internet.

Action

Examine the traceroute.

The following output of a traceroute from the client, to the home host, to the IPv4 host on the Internet is based on Configuring the Softwire Concentrator.

user@AFTR> show services stateful-firewall flows
Interface: sp-0/0/0, Service set: sset
Flow                                                    		State      Dir     Frm count
ICMP     10.0.0.1             ->    128.0.0.1            	Watch      I        4      
     NAT source    10.0.0.1         ->    129.0.0.1                     
     Softwire     2001:0:0:1::1     ->    2002:0:0:2::1
ICMP      128.0.0.1           ->   129.0.0.1             	Watch      O        1
     NAT dest    129.0.0.1          ->    10.0.0.1   
     Softwire    2001:0:0:1::1      ->       2002:0:0:2::1
DS-LITE         2001:0:0:1::1      ->        2002:0:0:2::1 Forward  	I        322166

Note: If a traceroute starts from the home host and goes to an IPv4 host on the Internet, the softwire concentrator does not return an ICMP error and, therefore, is not properly identified as an intermediate hop. However, the traceroute still functions.

Meaning

The ICMP source and destination addresses in the output indicate that the traffic is flowing from the IPv4 host on the home network (10.0.0.1) to the IPV4 node on the Internet (128.0.01).

 

Related Documentation

 

Published: 2013-02-08

Previous Page Next Page