- play_arrow Overview
- play_arrow Services Overview
- play_arrow Services Configuration Overview
-
- play_arrow Network Address Translation
- play_arrow NAT Overview
- play_arrow Stateful NAT64
- play_arrow Static Source NAT
- play_arrow Static Destination NAT
- play_arrow Network Address Port Translation
- play_arrow Deterministic NAT
- play_arrow NAT Protocol Translation
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
- play_arrow Port Control Protocol
- play_arrow Secured Port Block Allocation
- play_arrow Port Forwarding
- play_arrow Dynamic Address-Only Source Translation
- play_arrow Inline NAT
- play_arrow Stateless Source Network Prefix Translation for IPv6
- play_arrow Monitoring NAT
- play_arrow Packet Translation and GRE Tunneling
-
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- Mapping of Address and Port with Translation (MAP-T)
-
- play_arrow ALGs
- play_arrow ALGs
-
- play_arrow Access Security
- play_arrow Stateful Firewalls
- play_arrow IDS on MS-DPC
- play_arrow Network Attack Protection on MS-MPC and MS-MIC
-
- play_arrow IPsec Tunnels
- play_arrow IPsec Overview
- play_arrow Inline IPsec
- play_arrow IPsec Tunnels With Static Endpoints
- play_arrow IPsec Tunnels With Dynamic Endpoints
-
- play_arrow CoS on Services Cards
- play_arrow CoS on Services Cards
- play_arrow Class of Service on Link Services Interfaces
-
- play_arrow Inter-Chassis Redundancy for NAT and Stateful Firewall Flows
- play_arrow Configuring Inter-Chassis MS-MPC and MS-MIC for NAT and Stateful Firewall (Release 16.1 and later)
- play_arrow Configuring Inter-Chassis Stateful Synchronization for NAT and Stateful Firewall (Release 15.1 and earlier)
-
- play_arrow Multilinks
- play_arrow Link Services Interface Redundancy
- play_arrow Link Bundling
-
- play_arrow Traffic Load Balancer
- play_arrow Traffic Load Balancer
-
- play_arrow Services Card Redundancy
- play_arrow Services Card Redundancy for MS-MPC and MS-MIC
- play_arrow Services Card Redundancy for Multiservices PIC
-
- play_arrow Voice Services
- play_arrow Voice Services
-
- play_arrow Layer 2 PPP Tunnels
- play_arrow Layer 2 Tunneling of PPP Packets
-
- play_arrow URL Filtering
- play_arrow URL Filtering
-
- play_arrow Configuration Statements and Operational Commands
Configuring a 6rd Softwire
Configuring a 6rd Softwire Concentrator
The 6rd feature is supported on Multiservices 100, 400, and 500 PICs on M Series routers, and on MX Series routers equipped with Multiservices DPCs. The 6rd feature is not supported on MX Series routers with MS-MPCs or MS-MICs.
To configure a 6rd softwire concentrator:
Configuration changes to 6rd softwire concentrators do not become effective in the Packet Forwarding Engine. This is a known limitation. If you attempt to add the new configuration of softwire concentrators by overriding the existing configuration of 1024 softwire concentrators, which is the maximum limit of softwire concentrators that the system supports, the new configuration is not updated. To work around this limitation, you must delete the existing configuration and commit the settings, and then add the new configuration of softwire concentrators and commit the settings.
For 6rd softwire concentrators, packet drops are observed
and error messages logged on the virtual terminal session (VTY) console,
if one inline services (si-) interface is replaced with
another si- interface without stopping the traffic during
the replacement of the interface. In a scenario in which an si- interface is associated with a service set that has a large number
of softwire concentrators, replacing that interface without halting
the traffic causes traffic disruption. You must stop the traffic and
restart it during such a replacement of si- interfaces
with 6rd softwire concentrators. The following error messages are
displayed on the VTY console of the FPC:
packet discarded because no ifl or not SI ifl
Configuring Stateful Firewall Rules for 6rd Softwire
You must configure a stateful firewall rule for use with 6rd softwires. The stateful firewall service is used only to direct packets to the softwire, not for firewalling purposes. The 6rd softwire service itself must be stateless. To support stateless processing, you must include an allow term in both directions of the stateful firewall policy.
The 6rd feature is supported on Multiservices 100, 400, and 500 PICs on M Series routers, and on MX Series routers equipped with Multiservices DPCs. The 6rd feature is not supported on MX Series routers with MS-MPCs or MS-MICs.
To include a stateful firewall rule for 6rd softwire processing:
See Also
Example: Basic 6rd Configuration
Requirements
The 6rd feature is supported on Multiservices 100, 400, and 500 PICs on M Series routers, and on MX Series routers equipped with Multiservices DPCs. The 6rd feature is not supported on MX Series routers with MS-MPCs or MS-MICs.
This example describes how a 6rd concentrator can be configured for a 6rd domain, D1, to provide IPv6 Internet connectivity.
The following hardware components can perform 6rd:
M Series Multiservice Edge routers with Multiservices PICs
T Series Core routers with Multiservices PICs
MX Series 5G Universal Routing Platforms with Multiservices DPCs
Overview
This configuration example describes how to configure a basic 6rd tunneling solution.
Configuration
- CLI Quick Configuration
- Chassis Configuration
- Softwire Concentrator, Softwire Rule, and Stateful Firewall Rule Configuration
- Service Set Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/2/0 unit 0 family inet service input service-set v6rd-dom1-service-set set interfaces ge-1/2/0 unit 0 family inet service output service-set v6rd-dom1-service-set set interfaces ge-1/2/0 unit 0 family inet address 10.10.10.1/24 set interfaces ge-1/2/0 unit 0 family inet6 service input service-set v6rd-dom1-service-set set interfaces ge-1/2/0 unit 0 family inet6 service output service-set v6rd-dom1-service-set set interfaces ge-1/2/2 unit 0 family inet6 address 3abc::1/16 set interfaces sp-0/2/0 unit 0 family inet set interfaces sp-0/2/0 unit 0 family inet6 set services softwire softwire-concentrator v6rd v6rd-dom1 softwire-address 30.30.30.1 set services softwire softwire-concentrator v6rd v6rd-dom1 ipv4-prefix 10.10.10.0/24 set services softwire softwire-concentrator v6rd v6rd-dom1 v6rd-prefix 3040::0/16 set services softwire softwire-concentrator v6rd v6rd-dom1 mtu-v4 9192 set services softwire rule v6rd-dom1 match-direction input set services softwire rule v6rd-dom1 term t1 then v6rd v6rd-dom1 set services service-set v6rd-dom1-service-set softwire-rules v6rd-dom1 set services service-set v6rd-dom1-service-set stateful-firewall-rules r1 set services service-set v6rd-dom1-service-set interface-service service-interface sp-0/2/0 set services stateful-firewall rule r1 match-direction input-output set services stateful-firewall rule r1 term t1 then accept
Chassis Configuration
Step-by-Step Procedure
To configure the chassis:
Define the ingress interface.
content_copy zoom_out_mapuser@host# edit interfaces ge-1/2/0Configure the ingress interface logical unit and input/output service options.
content_copy zoom_out_map[edit interfaces ge-1/2/0] user@host# set unit 0 family inet service input service-set v6rd-dom1-service-set user@host# set unit 0 family inet service output service-set v6rd-dom1-service-set user@host# set unit 0 family inet6 service input service-set v6rd-dom1-service-set user@host# set unit 0 family inet6 service output service-set v6rd-dom1-service-set
Configure the address of the ingress interface.
content_copy zoom_out_map[edit interfaces ge-1/2/0]user@host# set unit 0 family inet address 10.10.10.1/24Define the egress interface.
content_copy zoom_out_mapuser@host# up
[edit interfaces]user@host# edit ge-1/2/2Define the logical unit and address for the egress interface.
content_copy zoom_out_map[edit interfaces ge-1/2/2]user@host# set unit 0 family inet6 address 3ABC::1/16Define the services PIC.
content_copy zoom_out_map[edit interfaces ge-1/2/2]user@host# up[edit interfaces]user@host# edit sp-0/2/0Configure the logical unit for the services PIC.
content_copy zoom_out_map[edit interfaces sp-0/2/0]user@host# up[edit interfaces]user@host# set unit 0 family inet user@host# set unit 0 family inet6
Results
[edit interfaces]
user@host# show
sp-0/2/0 {
unit 0 {
family inet;
family inet6;
}
}
ge-1/2/0 {
unit 0 {
family inet {
service {
input {
service-set v6rd-dom1-service-set;
}
output {
service-set v6rd-dom1-service-set;
}
}
address 10.10.10.1/24;
}
family inet6 {
service {
input {
service-set v6rd-dom1-service-set;
}
output {
service-set v6rd-dom1-service-set;
}
}
}
}
}
ge-1/2/2 {
unit 0 {
family inet6 {
address 3abc::1/16;
}
}
}Softwire Concentrator, Softwire Rule, and Stateful Firewall Rule Configuration
Step-by-Step Procedure
To configure the softwire concentrator, softwire rule, and stateful firewall rule:
Define the 6rd softwire concentrator.
content_copy zoom_out_mapuser@host# top user@host# edit services softwire softwire-concentrator v6rd v6rd-dom1
Configure the softwire concentrator properties. Here, softwire address 30.30.30.1 is the softwire concentrator IPv4 address, 10.10.10.0/24 is the IPv4 prefix of the CE WAN side, and 3040::0/16 is the IPv6 prefix of the 6rd domain D1.
content_copy zoom_out_map[edit services softwire softwire-concentrator v6rd v6rd-dom1] user@host# set softwire-address 30.30.30.1 user@host# set ipv4-prefix 10.10.10.0/24 user@host# set v6rd-prefix 3040::0/16 user@host# set mtu-v4 9192
Define the softwire rule.
content_copy zoom_out_map[edit services softwire softwire-concentrator v6rd v6rd-dom1] user@host# up 2 [edit services softwire] user@host# edit rule v6rd-dom1 [edit services softwire rule v6rd-dom1] user@host# set match-direction input [edit services softwire rule v6rd-dom1] user@host# set term t1 then v6rd v6rd-dom1
Define a stateful firewall rule and properties. You must configure a stateful firewall rule that accepts all traffic in both the input and output direction in order for 6rd to work; however, this is not enforced through the CLI. This is because in IPv6, gratuitous IPv6 packets are expected (due to Anycast) and should not be dropped. The service PIC can handle reverse traffic without seeing all forward traffic. This can also happen with service PIC switchover in the middle of a session. By default, the stateful firewall on the service PIC will drop all traffic unless a rule is configured explicitly to allow it.
content_copy zoom_out_map[edit services softwire softwire-concentrator v6rd v6rd-dom1] user@host# up 3 [edit servicesl] user@host# edit services stateful-firewall [edit services stateful-firewall] user@host# edit rule r1 [edit services stateful-firewall rule r1] user@host# set match-direction input-output user@host# set term t1 then accept
Results
[edit services softwire]
user@host# show
softwire-concentrator {
v6rd v6rd-dom1 {
softwire-address 30.30.30.1;
ipv4-prefix 10.10.10.0/24;
v6rd-prefix 3040::0/16;
mtu-v4 9192;
}
}
rule v6rd-dom1-r1 {
match-direction input;
term t1 {
then {
v6rd v6rd-dom1;
}
}
}
Service Set Configuration
Step-by-Step Procedure
To configure the service set:
Define the service set for 6rd processing.
content_copy zoom_out_mapuser@host# top user@host# edit services service-set v6rd-dom1-service-set
Define the softwire and stateful firewall rules for the service set.
content_copy zoom_out_map[edit services service-set v6rd-dom1-service-set] user@host# set softwire-rules v6rd-dom1 user@host# set stateful-firewall-rules r1
Define the interface-service for the service set.
content_copy zoom_out_map[edit services service-set v6rd-dom1-service-set] user@host# set interface-service service-interface sp-0/2/0
Results
[edit service-set v6rd-dom1-service-set]
user@host# show
softwire-rules v6rd-dom1-r1
interface-service {
service-interface sp-0/2/0;
}
High Availability and Load Balancing for 6rd Softwires
The 6rd feature is supported on Multiservices 100, 400, and 500 PICs on M Series routers, and on MX Series routers equipped with Multiservices DPCs. The 6rd feature is not supported on MX Series routers with MS-MPCs or MS-MICs.
- Load Balancing a 6rd Domain Across Multiple Services PICs
- Example: Load Balancing a 6rd Domain Across Multiple Services PICs
- Configuring High Availability for 6rd Using 6rd Anycast
Load Balancing a 6rd Domain Across Multiple Services PICs
The 6rd domain is an IPv6 network, which can potentially be very large. A single PIC, or network processing unit (NPU) on a Multiservices DPC, might not be able to handle all the traffic for the 6rd domain. To alleviate load problems, you can load-balance the 6rd domain traffic across multiple PICs. To do so, assign the same softwire rule to different services sets that use different interfaces. Configure explicit routes and equal-cost multipath (ECMP) to load-balance the 6rd traffic.
Example: Load Balancing a 6rd Domain Across Multiple Services PICs
Hardware and Software Requirements
This example requires the following hardware:
An MX Series 5G Universal Routing Platform with a services DPC with two available NPUs or an M Series Multiservice Edge router with two services PICs available for 6rd softwire concentrator processing
A domain name server (DNS)
This example uses the following software:
Junos OS Release 11.4 or higher
Overview
Because of anticipated volume, a provider needs to balance 6rd softwire traffic between two services PICs.
Configuration
- Chassis Configuration
- Softwire Concentrator and Softwire Rule Configuration
- Stateful Firewall Configuration
- Service Set Configuration
- Load-Balancing Configuration
Chassis Configuration
Step-by-Step Procedure
To configure the chassis:
Define the ingress interface and its properties.
content_copy zoom_out_mapuser@host# edit interfaces ge-1/2/0 user@host# set unit 0 family inet address 10.10.10.1/16
Define the egress interface and its properties. In this example, the IPv6 clients try to reach the IPv6 server at 3abc::2/16.
content_copy zoom_out_mapuser@host# edit interfaces ge-1/2/2 user@host# set unit 0 family inet6 address 3ABC::1/16
Define the services PICs for selection as softwire concentrators by the load-balancing process. This configuration uses two PICs/NPUs: sp-3/0/0 and sp-3/1/0. A next-hop style service set is configured (shown in the next section).
content_copy zoom_out_mapuser@host# edit interfaces sp-3/0/0 [edit interfaces ge-3/0/0] user@host# set services-options syslog host local services any user@host# set unit 0 family inet user@host# set unit 0 family inet6 user@host# set unit 1 family inet service-domain inside user@host# set unit 1 family inet service-domain outside user@host# set unit 2 family inet service-domain inside user@host# set unit 2 family inet service-domain outside user@host# up 1 [edit] user@host# edit interfaces sp-3/1/0 [edit interfaces sp-3/1/0] user@host# set services-options syslog host local services any user@host# set unit 0 family inet user@host# set unit 0 family inet6 user@host# set unit 1 family inet service-domain inside user@host# set unit 1 family inet service-domain outside user@host# set unit 2 family inet service-domain inside user@host# set unit 2 family inet service-domain outside
Softwire Concentrator and Softwire Rule Configuration
Step-by-Step Procedure
The softwire configuration is straightforward. In this example, the 6rd domain prefix is 3040::0/16, the 6rd softwire concentrator IPv4 address is 30.30.30.1, and the customer IPv4 network is 10.10.0.0/16. In the customer premises equipment (CPE) network, all customer edge (CE) devices have addresses that belong to the 10.10.0.0/16 network. To configure the softwire:
Go to the
[edit services softwire]hierarchy level.content_copy zoom_out_mapuser@host# edit services softwire
Configure IPv6 multicast.
content_copy zoom_out_map[edit services softwire] user@host# set ipv6-multicast-interfaces all
Go to the softtwire concentrator v6rd hierarchy level and name the softwire concentrator shenick01-rd1.
content_copy zoom_out_map[edit services softwire] user@host# edit softwire-concentrator v6rd shenick01-rd1
Configure the softwire concentrator properties.
content_copy zoom_out_map[edit services softwire softwire-concentrator v6rdshenick01-rd1 ] user@host# set softwire-address 30.30.30.1 user@host# set ipv4-prefix 10.10.0.0/16 user@host# set v6rd-prefix 3040::/16 user@host# set mtu-v4 9192
Configure a softwire rule for incoming 6rd traffic.
content_copy zoom_out_map[edit services softwire softwire-concentrator v6rd shenick01-rd1 ] user@host# up 1 [edit services softwire ] user@host# edit rule shenick01-r1 [edit services softwire rule shenick01-r1] user@host# set match-direction input user@host# set term t1 then v6rd shenick01-rd1
Stateful Firewall Configuration
Step-by-Step Procedure
To configure the stateful firewall rule:
Go to the stateful firewall hierarchy level and define a rule.
content_copy zoom_out_mapuser@host# edit services stateful-firewall rule r1
Set the match direction.
content_copy zoom_out_map[edit services stateful-firewall rule r1] user@host# set match-direction input-output
Configure a term that accepts all traffic.
content_copy zoom_out_map[edit services stateful-firewall rule r1] user@host# set term t1 then accept
Service Set Configuration
Step-by-Step Procedure
This configuration provides two service sets, each pointing to a different network processing unit (NPU). Both service sets use the same stateful firewall and softwire rules. Because they use the same softwire rule, they refer to same 6rd softwire concentrator. This results in the software concentrator being hosted on both the NPUs.
To configure the service set:
Define a service set for the first NPU.
content_copy zoom_out_mapuser@host# edit services service-set v6rd-sset1
Configure the softwire and stateful firewall rules for the first NPU.
content_copy zoom_out_map[edit services service-set v6rd-sset1] user@host# set softwire-rules shenick01-r1 user@host# set stateful-firewall-rules r1
Configure the inside and outside interfaces for the next-hop service.
content_copy zoom_out_map[edit services service-set v6rd-sset1] user@host# set next-hop-service inside-service-interface sp-3/0/0.1 user@host# set next-hop-service outside-service-interface sp-3/0/0.2
Define a service set for the second NPU.
content_copy zoom_out_mapuser@host# edit services service-set v6rd-sset2
Configure the softwire and stateful firewall rules for the second NPU.
content_copy zoom_out_map[edit services service-set v6rd-sset2] user@host# set softwire-rules shenick01-r1 user@host# set stateful-firewall-rules r1
Configure the inside and outside interfaces for the next-hop service.
content_copy zoom_out_map[edit services service-set v6rd-sset1] user@host# set next-hop-service inside-service-interface sp-3/1/0.1 user@host# set next-hop-service outside-service-interface sp-3/1/0.2
Load-Balancing Configuration
Step-by-Step Procedure
To configure load balancing:
Configure explicit routes and ECMP to load-balance the 6rd traffic. Configure explicit routes for both the 6rd concentrator IPv4 address and the 6rd domain prefix, so that they point to both NPUs.
To configure static routes for the 6rd domain using the routing-table inet6.0, go to the
[edit forwarding-options rib inet6.0 static]hierarchy level and set the routes for the 6rd domain and the 6rd concentrator IPv4 address.content_copy zoom_out_mapuser@host edit forwarding-options rib inet6.0 static [edit forwarding-options rib inet6.0 static] user@host# set route 3040::0/16 next-hop [ sp-3/0/0.2 sp-3/1/0.2 ] user@host# set route 30.30.30.1/32 next-hop [ sp-3/0/0.1 sp-3/1/0.1 ]
The service PIC daemon (spd) also adds default routes to these addresses pointing to the NPUs. However, the routes added by the spd use different metrics, which are computed based on the FPC, PIC, slot numbers, and subunit of the services PIC if used in the service set configuration. The static routes configured in this sample configuration will have metrics of 5 and therefore a higher preference than the spd-added routes.
The explicitly configured routes are as follows:
content_copy zoom_out_maproot@host# run show route 30.30.30.1 inet.0: 37 destinations, 40 routes (36 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 30.30.30.1/32 *[Static/5] 00:00:10 > via sp-3/0/0.1 via sp-3/1/0.1 [Static/786433] 00:23:03 > via sp-3/0/0.1 [Static/851969] 00:00:09 > via sp-3/1/0.1 root@host# run show route 3040::/16 inet6.0: 20 destinations, 33 routes (20 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 3040::/16 *[Static/5] 00:00:15 via sp-3/0/0.2 > via sp-3/1/0.2 [Static/786434] 00:23:08 > via sp-3/0/0.2 [Static/851970] 00:00:14 > via sp-3/1/0.2
Best Practice:The spd-installed routes have higher metric values (hence a low preference) and the metrics are different. If the metrics are different and ECMP is not enabled, even though multiple routes exist for the same destination, only one of the routes is picked up all the time (based on the metric). For ECMP you must configure equal-cost routes, and hence a manual configuration of routes is needed as shown above.
Configure equal-cost multipath (ECMP) load balancing by configuring the hash key at the
[edit forwarding-optionshash-key]hierarchy level.content_copy zoom_out_mapuser@host# forwarding-options hash-key [edit forwarding-options hash-key] user@host# set family inet layer-3 destination-address user@host# set family inet layer-3 source-address user@host# set family inet6 layer-3 destination-address user@host# set family inet6 layer-3 source-address
Verify your configuration by displaying
forwarding-options.content_copy zoom_out_mapuser@host# show forwarding-options hash-key { family inet { <== IPv4 traffic from CEs uses this layer-3 { destination-address; source-address; } } family inet6 { <== IPv6 traffic from Internet uses this layer-3 { destination-address; source-address; } } }Tip:Both IPv4 and IPv6 hash keys must be configured. The IPv4 hash key is used to distribute the traffic coming from CPE devices to the 6rd branch relay. The IPv6 hash key is used to distribute the traffic coming from the IPv6 Internet to the 6rd domain. Because the hash in the forward and reverse direction is for different families, different flows from the same session can reside on different NPUs. However, 6rd processing is stateless (as far as mapping IPv6 packets to softwires is concerned), so this should not be a problem.
Configuring High Availability for 6rd Using 6rd Anycast
You configure 6rd Anycast by defining two service sets that use the same softwire rule in both service sets, just as you do when you configure load balancing for 6rd. However, you do not configure ECMP, and as a result, the services PIC daemon (spd) installs two routes each for the softwire concentrator address and 6rd domain pointing to each service interface. The forwarding plane can select any route based on the priority, which is computed when the spd installs the routes. The priority is computed based on the FPC, PIC, slot numbers, and subunit number used on the sp- interface. Only one PIC is used based on the route priority, and that PIC gets all of the 6rd traffic. If the PIC goes down. the route pointing to it is also deleted and the forwarding plane automatically selects the alternate available PIC.
6rd Anycast is completely stateless. The spd installs the route and doesn’t run any state machine for the PIC. Because the routes are pre-installed and service sets are already on the PIC, there is no service delay if a failover occurs.
