ON THIS PAGE
Example: Configuring AFTR Redundancy Using an IPv6 Anycast Address on Multiple AFTRs
This example shows how to configure redundancy with two or more DS-Lite Address Family Transition Routers (AFTRs) using a single IPv6 anycast address.
Requirements
This example uses the following hardware and software components:
Juniper Networks MX Series 3D Universal Edge Routers with Multiservices Dense Port Concentrators (DPCs)
Juniper Networks® Junos® operating system (Junos OS) 10.4 or later running on the AFTRs
This configuration example has been tested using the software release listed and is assumed to work on all later releases.
Overview
You can provide redundancy using DS-Lite by configuring the same IPv6 anycast address on two or more AFTRs (softwire concentrators) as the softwire address. Basic Bridging Broadband Elements (B4s) only need to know this anycast address for the softwire endpoint, and the least-cost AFTR, per the routing updates, is used for the other softwire endpoint. If the least-cost AFTR goes down or the cost to get to this AFTR becomes higher than another AFTR, packets are redirected to the other AFTR. This is automatically handled by routing updates in the IPv6 cloud. You can also configure different Network Address Translation (NAT) pools at AFTRs and provide continuous service between IPv4 nodes in different domains.
Topology
Figure 1 provides a sample network topology for configuring IPv6 anycast address on two or more AFTRs.
In Figure 1:
The IPv4 client or host in the home network is configured with an IPv4 interface to the ISP and a static route to the IPv4 server on the Internet.
The address of the NAT pool between AFTR1 and the Internet is 7.7.7.0/24. The address of the NAT pool between AFTR2 and the Internet is 8.8.8.0/24.
The B4 or softwire initiator is configured with an IPv4 interface, an IPv6 interface, and an IPv4-in-v6 tunnel to an anycast address.
The pure IPv6 node in the IPv6 cloud is configured with interfaces to the IPv6 interfaces and OSPFv3 for route updates.
The AFTRs (AFTR1 and AFTR2) are configured with anycast address B001::1/128. If one of the links between the B4 and an AFTR fails, the other AFTR is used for traffic.
The IPv4 node on the Internet is configured with an IPv4 interface and routes for reverse traffic.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
AFTR1
set chassis fpc 1 pic 1 adaptive-services service-package layer-3 set services service-set dsl-ss softwire-rules dsl-sw set services service-set dsl-ss nat-rules dsl-nat1 set services service-set dsl-ss interface-service service-interface sp-1/1/0 set services softwire softwire-concentrator ds-lite dsl1 softwire-address b001::1 set services softwire softwire-concentrator ds-lite dsl1 mtu-v6 9192 set services softwire rule dsl-sw match-direction input set services softwire rule dsl-sw term t1 then ds-lite dsl1 set services nat pool dsl-p1 address 7.7.7.0/24 set services nat pool dsl-p1 port automatic set services nat rule dsl-nat1 match-direction input set services nat rule dsl-nat1 term t1 from source-address 11.11.1.0/24 set services nat rule dsl-nat1 term t1 then translated source-pool dsl-p1 set services nat rule dsl-nat1 term t1 then translated translation-type napt-44 set services nat rule dsl-nat1 term t1 then syslog set interfaces sp-1/1/0 unit 0 family inet set interfaces sp-1/1/0 unit 0 family inet6 set interfaces ge-2/1/0 description B4-toward-AFTR set interfaces ge-2/1/0 unit 0 family inet set interfaces ge-2/1/0 unit 0 family inet6 service input service-set dsl-ss set interfaces ge-2/1/0 unit 0 family inet6 service output service-set dsl-ss set interfaces ge-2/1/0 unit 0 family inet6 address 8001::2/120 set interfaces ge-2/1/6 description AFTR-to-IPV4-node-on-the-Internet set interfaces ge-2/1/6 unit 0 family inet address 88.88.1.1/24 set protocols ospf3 area 0.0.0.0 interface lo0.0 set protocols ospf3 area 0.0.0.0 interface ge-2/1/0.0
AFTR2
set chassis fpc 1 pic 1 adaptive-services service-package layer-3 set services nat pool dsl-p2 address 8.8.8.0/24 set services nat pool dsl-p2 port automatic set services nat rule ds1-nat2 term t1 from source-address 11.11.1.0/24 set services nat rule ds1-nat2 match-direction input set services nat rule ds1-nat2 term t1 then translated source-pool dsl-p2 set services nat rule ds1-nat2 term t1 then translated translation-type napt-44 set services softwire softwire-concentrator ds-lite dsl2 softwire-address b001::1 set services softwire softwire-concentrator ds-lite dsl2 mtu-v6 9192 set services softwire rule dsl-sw2 match-direction input set services softwire rule dsl-sw2 term t1 then ds-lite dsl2 set interfaces sp-1/1/0 unit 0 family inet set interfaces sp-1/1/0 unit 0 family inet6 set services service-set dsl-ss2 softwire-rules dsl-sw2 set services service-set dsl-ss2 nat-rules dsl-nat2 set services service-set dsl-ss2 interface-service service-interface sp-1/1/0 set interfaces ge-2/3/4 description V6-cloud-to-ipv6-node-in-v6-cloud set interfaces ge-2/3/4 unit 0 family inet set interfaces ge-2/3/4 unit 0 family inet6 service input service-set dsl-ss2 set interfaces ge-2/3/4 unit 0 family inet6 service output service-set dsl-ss2 set interfaces ge-2/3/4 unit 0 family inet6 address 9001::2/120 set interfaces ge-2/3/0 description to-ipv4-node-on-the-internet set interfaces ge-2/3/0 unit 0 family inet address 89.89.1.1/24 set protocols ospf3 area 0.0.0.0 interface ge-2/3/4.0 set protocols ospf3 area 0.0.0.0 interface lo0.0 set routing-options static route 88.88.1.0/24 next-hop 89.89.1.2
Configuring AFTR1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see the ../../../../../../.
Router AFTR1 is the primary router with an IPv6 interface
to the ISP network (IPv6 cloud) and an IPv4 interface to the Internet.
Configure the IPv4 interface, IPv6 interface, softwire endpoint, and
NAT.
Configure the Layer 3 service package.
This example assumes that the PIC is in FPC 1, slot 1.
[edit chassis] user@AFTR1# set fpc 1 pic 1 adaptive-services service-package layer-3
The service package with its associated
sp-interface is for manipulating traffic before it is delivered to its destination. For details about configuring service packages, see the Junos OS Services Interfaces Configuration Guide.Configure an IPv4 address and port for the NAT pool to specify the IPv4-to-IPv6 translation for packets traveling between the AFTR router and the Internet.
[edit services nat] user@AFTR1# set pool ds1-p1 address 7.7.7.0/24 user@AFTR1# set pool dsl-p1 port automatic
Configure a NAT rule to translate the private IPv4 address from the home network to NAT pool
ds1-p1.NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address
11.11.1.0.[edit services nat] user@AFTR1# set rule ds1-nat1 match-direction input user@AFTR1# set rule ds1-nat1 term t1 from source-address 11.11.1.0/24 user@AFTR1# set rule ds1-nat1 term t1 then translated source-pool ds1-p1 user@AFTR1# set rule ds1-nat1 term t1 then translated translation-type napt-44 user@AFTR1# set rule dsl-nat1 term t1 then syslog
Configure the softwire concentrator, associate it with the IPv6 anycast address, and create a softwire rule.
The rule in this example specifies that any traffic destined for the softwire concentrator
dsl1creates a new softwire. You can also configure more elaborate match conditions to perform as part of softwire initiator actions.[edit services softwire] user@AFTR1# set softwire-concentrator ds-lite dsl1 softwire-address b001::1 user@AFTR1# set rule dsl-sw match-direction input user@AFTR1# set rule dsl-sw term t1 then ds-lite dsl1
Configure the maximum transmission unit (ranging from 1280 to 9192 bytes) for the softwire for encapsulating IPv4 packets to IPv6.
This is the maximum packet size that can be sent on a tunnel from the AFTR to B4 without fragmentation. If the final length of the packet is greater than the MTU, the IPv6 packet would be fragmented.
Note:Including the
mtu-v6statement is mandatory, and you cannot commit the example configuration unless this statement is configured.[edit services softwire] user@AFTR1# set softwire-concentrator ds-lite dsl1 mtu-v6 9192
Configure the services interface that contains the service set.
[edit interfaces]
user@AFTR1#set sp-1/1/0 unit 0 family inetuser@AFTR1#set sp-1/1/0 unit 0 family inet6Configure a service set for the NAT and DS-Lite services using the
dsl-nat1NAT rule and theds1-swsoftwire rule configured in Step 3 and Step 4.In this example, the name of the service set it is
dsl-ss.Associate the softwire and NAT rules and the service interface with the service set.
[edit services] user@AFTR1# set service-set dsl-ss softwire-rules dsl-sw user@AFTR1# set service-set dsl-ss nat-rules dsl-nat1 user@AFTR1# set service-set dsl-ss interface-service service-interface sp-1/1/0
Configure the interface between the home router running the B4 and the router in the ISP network running the AFTR, and include the IPv6 address of the AFTR router (softwire address).
In this example, the interface is
ge-2/1/0.[edit interfaces] user@AFTR1# set ge-2/1/0 description B4-toward-AFTR user@AFTR1# set ge-2/1/0 unit 0 family inet user@AFTR1# set ge-2/1/0 unit 0 family inet6 address 8001::2/120
Associate the appropriate service set for the NAT and DS-Lite services.
[edit interfaces] user@AFTR1# set ge-2/1/0 unit 0 family inet6 service input service-set dsl-ss user@AFTR1# set ge-2/1/0 unit 0 family inet6 service output service-set dsl-ss
Configure the IPv4 interface between the AFTR and the Internet, and specify the IPv4 address connected to the Internet.
In this example, the interface is
ge-2/1/6.[edit interfaces] user@AFTR1#
set ge-2/1/6 description AFTR-to-V4-node-on-the-Internetuser@AFTR1#set ge-2/1/6 unit 0 family inet address 88.88.1.1/24Configure OSPFv3 for route advertisements.
[edit protocols]
user@AFTR1#set ospf3 area 0.0.0.0 interface lo0.0user@AFTR1#set ospf3 area 0.0.0.0 interface ge-2/1/0.0
Results
In configuration mode, confirm your configuration by
entering the show chassis, show services, show interfaces, and show protocols ospf3 commands.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
user@AFTR1# show chassis
fpc 1 {
pic 1 {
adaptive-services {
service-package layer-3;
}
}
}
user@AFTR1# show services
service-set dsl-ss {
softwire-rules dsl-sw;
nat-rules dsl-nat1;
interface-service {
service-interface sp-1/1/0;
}
}
softwire {
softwire-concentrator {
ds-lite dsl1 {
softwire-address b001::1;
mtu-v6 9192;
}
}
rule dsl-sw {
match-direction input;
term t1 {
then {
ds-lite dsl1;
}
}
}
}
nat {
pool dsl-p1 {
address 7.7.7.0/24;
port {
automatic;
}
}
rule dsl-nat1 {
match-direction input;
term t1 {
from {
source-address {
11.11.1.0/24;
}
}
then {
translated {
source-pool dsl-p1;
translation-type {
napt-44;
}
}
syslog;
}
}
}
}
user@AFTR1# show interfaces
sp-1/1/0 {
unit 0 {
family inet;
family inet6;
}
}
ge-2/1/0 {
description B4-toward-AFTR;
unit 0 {
family inet;
family inet6 {
service {
input {
service-set dsl-ss;
}
output {
service-set dsl-ss;
}
}
address 8001::2/120;
}
}
}
ge-2/1/6 {
description AFTR-to-V4-node-on-the-Internet;
unit 0 {
family inet {
address 88.88.1.1/24;
}
}
}
user@AFTR1# show protocols ospf3
area 0.0.0.0 {
interface lo0.0;
interface ge-2/1/0.0;
}
If you are done configuring the device, enter commit from configuration mode.
Configuring AFTR2
Step-by-Step Procedure
Router AFTR2 is the secondary router with
an IPv6 interface to the ISP network (IPv6 cloud) and an IPv4 interface
to the Internet. Configure the IPv4 interface, IPv6 interface, softwire
endpoint, and NAT.
Configure the Layer 3 service package.
This example assumes that the PIC is in FPC 1, slot 1.
[edit chassis] user@AFTR2# set fpc 1 pic 1 adaptive-services service-package layer-3
The service package with its associated
sp-interface is for manipulating traffic before it is delivered to its destination. For details about configuring service packages, see the Junos OS Services Interfaces Configuration Guide.Configure an IPv4 address and port for the NAT pool to specify the IPv4-to-IPv6 translation for packets traveling between the AFTR router and the Internet.
[edit services nat] user@AFTR2# set pool dsl-p2 address 8.8.8.0/24 user@AFTR2# set pool dsl-p2 port automatic
Configure a NAT rule to translate the private IPv4 address from the home network to NAT pool
dsl-p2.NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address
11.11.1.0.[edit services nat] user@AFTR2# set rule ds1-nat2 match-direction input user@AFTR2# set rule ds1-nat2 term t1 from source-address 11.11.1.0/24 user@AFTR2# set rule ds1-nat2 term t1 then translated source-pool dsl-p2 user@AFTR2# set rule ds1-nat2 term t1 then translated translation-type napt-44
Configure the softwire concentrator, associate it with the IPv6 anycast address, and create a softwire rule.
The rule in this example specifies that any traffic destined for the
dsl2softwire concentrator creates a new softwire.[edit services softwire] user@AFTR2# set softwire-concentrator ds-lite dsl2 softwire-address b001::1 user@AFTR2# set rule dsl-sw2 match-direction input user@AFTR2# set rule dsl-sw2 term t1 then ds-lite dsl2
Configure the maximum transmission unit (ranging from 1280 to 9192 bytes) for the softwire for encapsulating IPv4 packets to IPv6.
This is the maximum packet size that can be sent on a tunnel from the AFTR to B4 without fragmentation. If the final length of the packet is greater than the MTU, the IPv6 packet would be fragmented.
Note:Including the
mtu-v6statement is mandatory, and you cannot commit the example configuration unless this statement is configured.[edit services softwire] user@AFTR2# set softwire-concentrator ds-lite dsl2 mtu-v6 9192
Configure the services interface that contains the service set.
[edit interfaces] user@AFTR2# set sp-1/1/0 unit 0 family inet user@AFTR2# set sp-1/1/0 unit 0 family inet6
Configure a service set for the NAT and DS-Lite services using the
dsl-nat2NAT rule and thedsl-sw2softwire rule configured in Step 3 and Step 4.In this example, the name of the service set is
dsl-ss2.Associate the softwire and NAT rules and the service interface with the service set.
[edit services] user@AFTR2# set service-set dsl-ss2 softwire-rules dsl-sw2 user@AFTR2# set service-set dsl-ss2 nat-rules ds1-nat2 user@AFTR2# set service-set dsl-ss2 interface-service service-interface sp-1/1/0
Configure the interface between the pure IPv6 node in the IPv6 cloud and the AFTR. In this example, the interface is
ge-2/3/4.[edit interfaces] user@AFTR2# set ge-2/3/4 description V6-cloud-to-ipv6-node-in-v6-cloud user@AFTR2# set ge-2/3/4 unit 0 family inet
Include the IPv6 address of the AFTR router (softwire address).
[edit interfaces] user@AFTR2# set ge-2/3/4 unit 0 family inet6 address 9001::2/120
Associate the appropriate service set for the NAT and DS-Lite services.
[edit interfaces] user@AFTR2# set ge-2/3/4 unit 0 family inet6 service input service-set dsl-ss2 user@AFTR2# set ge-2/3/4 unit 0 family inet6 service output service-set dsl-ss2
Configure the IPv4 interface between the AFTR and the Internet and specify the IPv4 address connected to the Internet.
In this example, the interface is
ge-2/3/0.[edit interfaces] user@AFTR2# set ge-2/3/0 description to-ipv4-node-on-the-internet user@AFTR2# set ge-2/3/0 unit 0 family inet address 89.89.1.1/24
Configure OSPFv3 for route advertisements.
[edit protocols ospf3] user@AFTR2# set area 0.0.0.0 interface ge-2/3/4.0 user@AFTR2# set area 0.0.0.0 interface lo0.0
Configure a static route to the IPv4 node on the Internet.
[edit routing-options] user@AFTR2#
set static route 88.88.1.0/24 next-hop 89.89.1.2
Results
In configuration mode, confirm your configuration by
entering the show chassis, show interfaces, show services, show protocols ospf3, and show
routing-options commands. If the output does not display the
intended configuration, repeat the instructions in this example to
correct the configuration.
user@AFTR2# show chassis
fpc 1 {
pic 1 {
adaptive-services {
service-package layer-3;
}
}
}
user@AFTR2# show interfaces
sp-1/1/0 {
unit 0 {
family inet;
family inet6;
}
}
ge-2/3/0 {
description to-ipv4-node-on-the-internet;
unit 0 {
family inet {
address 89.89.1.1/24;
}
}
}
ge-2/3/4 {
description V6-cloud-to-ipv6-node-in-v6-cloud;
unit 0 {
family inet;
family inet6 {
service {
input {
service-set dsl-ss2;
}
output {
service-set dsl-ss2;
}
}
address 9001::2/120;
}
}
}
user@AFTR2# show services
service-set dsl-ss2 {
softwire-rules dsl-sw2;
nat-rules ds1-nat2;
interface-service {
service-interface sp-1/1/0;
}
}
softwire {
softwire-concentrator {
ds-lite dsl2 {
softwire-address b001::1;
mtu-v6 9192;
}
}
rule dsl-sw2 {
match-direction input;
term t1 {
then {
ds-lite dsl2;
}
}
}
}
nat {
pool dsl-p2 {
address 8.8.8.0/24;
port {
automatic;
}
}
rule ds1-nat2 {
match-direction input;
term t1 {
from {
source-address {
11.11.1.0/24;
}
}
then {
translated {
source-pool dsl-p2;
translation-type {
napt-44;
}
}
}
}
}
}
user@AFTR2# show protocols ospf3
area 0.0.0.0 {
interface ge-2/3/4.0;
interface lo0.0;
}
user@AFTR2# show routing-options
static {
route 88.88.1.0/24 next-hop 89.89.1.2;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Redundancy of the AFTRs
Purpose
Verify that traffic flow is maintained using the secondary AFTR if an interface on one AFTR is brought offline.
Action
Verify traffic flow between the IPv4 host on the home network and the IPv4 node on the Internet.
Additionally, check the softwire flows for AFTR1.
user@AFTR1> show services stateful-firewall flows Interface: sp-1/0/0, Service set: dsl-ss Flow State Dir Frm count TCP 20.20.1.2:1025 -> 200.200.200.2:80 Forward I 107621 NAT source 20.20.1.2:1025 -> 7.7.7.0 Softwire 2001::3 -> 1001::1 TCP 200.200.200.2:80 -> 7.7.7.0 208420 NAT source 7.7.7.0 -> 20.20.1.2:1025 Softwire 2001::3 -> 1001::1 ICMP 10.0.10.1 -> 88.88.88.1.1 Watch I 3 NAT source 10.0.10.1 -> 129.0.0.1 Softwire 8001::2 -> 1001::1 DS-LITE 2001::3 -> 1001::1 Forward I 6 ICMP 88.88.88.1 -> 129.0.0.1 Watch O 3 NAT dest 129.0.0.1 -> 10.0.10.1 Softwire 8001::2 -> 1001::1The output shows ICMP source and destination addresses indicating traffic flow between the IPv4 host on the home network and the IPv4 node on the Internet. The DS-Lite protocol statistics indicate the softwire flows.
Deactivate the interface
ge-2/1/0on AFTR1.user@AFTR1# deactivate interfaces ge-2/1/0
Commit the configuration.
Issue the
show services stateful-firewall flowscommand on AFTR2 to verify the creation of softwire flows.Additionally, verify traffic flows between the IPv4 host on the home network and the IPv4 node on the Internet.
user@AFTR2> show services stateful-firewall flows Interface: sp-1/0/0, Service set: dsl-ss2 Flow State Dir Frm count TCP 20.20.1.2:1025 -> 200.200.200.2:80 Forward I 107621 NAT source 20.20.1.2:1025 -> 8.8.8.0 Softwire 2001::3 -> 1001::1 TCP 200.200.200.2:80 -> 7.7.7.0 208420 NAT source 8.8.8.0 -> 20.20.1.2:1025 Softwire 2001::3 -> 1001::1 ICMP 10.0.10.1 -> 88.88.88.1.1 Watch I 3 NAT source 10.0.10.1 -> 129.0.0.1 Softwire 2001::3 -> 1001::1 DS-LITE 2001::3 -> 1001::1 Forward I 6 ICMP 88.88.88.1 -> 129.0.0.1 Watch O 3 NAT dest 129.0.0.1 -> 10.0.10.1 Softwire 2001::3 -> 1001::1
Meaning
The output shows NAT and softwire source and destination addresses for traffic flow between AFTR2 and the IPV4 node on the Internet. This indicates that AFTR2 is now operating as the secondary AFTR when AFTR1 is offline.