MAP-T BR

Load map-t.lab1.init.cfg

#IOS-XE
config replace flash:nat64.lab1.init.cfg

#IOS-XR (XR1 only)
configure
load bootflash:nat64.lab1.init.cfg
commit replace
y

Configure R6 as a MAP-T BR. The BR’s role is to statelessly translate IPv4-embedded IPv6 addresses to IPv4 addresses, and then translate return traffic back to IPv6 to the correct CPE.

Use the following settings:

  • Use 2001:db8:1000:1000::/64 as the prefix that CPEs will use for embedding the IPv4 destination address

  • Use 2001:1111::/48 as the prefix that CPEs will use as their source address when translating IPv4 traffic to IPv6

  • Use 100.1.1.0/24 as the public IPv4 address range

  • Allow only 1 CPE per IPv4 address

Answer

#R6
int GigabitEthernet2.36
 nat64 enable
int GigabitEthernet2.46
 nat64 enable
int GigabitEthernet2.56
 nat64 enable
int GigabitEthernet2.619
 nat64 enable
!
nat64 map-t domain 1
 default-mapping-rule 2001:DB8:1000:1000::/64
 basic-mapping-rule
  ipv6-prefix 2001:1111::/48
  ipv4-prefix 100.1.1.0/24
  port-parameters share-ratio 1
!
ipv6 router ospf 1
 redistribute static

Explanation

MAP-T is a technology which allows for IPv4 traffic to be transported across an IPv6-only domain. The BR is stateless which is very scalable. This allows you to easily use multiple BRs with the same exact configuration for redundancy. Asymmetric traffic is not a concern.

In MAP-T, the IPv4 public address space is shared among the CPEs. Each CPE uses a math formula to determine which source ports it is allowed to use for the public IPv4 address. This requires special software. IOS-XE is only capable of acting as the stateless BR. For this reason, we simply use a share-ratio of 1. This means each CPE gets its own IPv4 address.

To configure the BR, we start by enabling NAT64 on all interfaces as we have seen previously.

#R6
int GigabitEthernet2.36
 nat64 enable
int GigabitEthernet2.46
 nat64 enable
int GigabitEthernet2.56
 nat64 enable
int GigabitEthernet2.619
 nat64 enable

Next we define the mapping domain. Each mapping domain has a default mapping rule and a basic mapping rule. The default mapping rule is the IPv6 prefix that CPEs will use to embed the destination IPv4 address. (The CPE will translate the original IPv4 header to an IPv6 header, placing the original IPv4 destination inside the default-mapping-rule IPv6 prefix). The basic mapping rule contains the IPv6 prefix that CPEs will use as the source address, the public IPv4 range, and the share-ratio.

#R6
nat64 map-t domain 1
 default-mapping-rule 2001:DB8:1000:1000::/64
 basic-mapping-rule
  ipv6-prefix 2001:1111::/48
  ipv4-prefix 100.1.1.0/24
  port-parameters share-ratio 1

As we saw with stateful NAT64, R6 will create a static route for 100.1.1.0/24 via the NAT virtual interface:

Additionally, a static route is added for the default mapping rule 2001:db8:1000:1000::/64.

We must redistribute 2001:db8:1000:1000::/64 into the IGP so that the CPEs will direct the traffic to the BR.

#R6
ipv6 router ospf 1
 redistribute static

Verification

Let’s use R2 as the CPE. We’ll set the address 2001:1111:0:100:0:6401:101:0 on a loopback and advertise this into the IGP. This would be the source address that R2 would use to source IPv4-translated traffic. R2 owns the IPv4 prefix 100.1.1.1.

#R2
int lo100
 ipv6 address 2001:1111:0:100:0:6401:101:0/128
 ipv6 ospf 1 area 0

Where did this address come from?

#R2
int lo100
 ipv6 address 2001:1111:0:100:0:6401:101:0/128
 ipv6 ospf 1 area 0
 
2001:1111:0: = basic mapping rule (/48)

100: = index 1, since .1 is the last octect of 100.1.1.1. 

0: = subnet ID which is zero
  - With a /24, there are 8 bits for the EA (embedded address) to uniquely identify
    which IPv4 address is being used.

6401:101: = 100.1.1.1 in hex

0 = final bits are unused and are zero'ed out. I believe this contains the port range
     information.

When XR1 pings 100.1.1.1, it receives a reply:

R6 translates 100.1.1.1 to 2001:1111:0:100:0:6401:101:0, and then translates XR1’s source address (192.0.2.6) to 2001:db8:1000:1000:c0:2:100:0. The reverse happens for return traffic sent back from R2 to XR1.

We will not see any translations on R6, as this is stateless. However, we will see hits for MAP-T in the statistics:

We can view the definition of the domain as follows:

If we set a larger share-ratio, for example 128:1, we can see that the router will automatically calculate the variables:

#R6
nat64 map-t domain 1
 basic-mapping-rule
  port-parameters share-ratio 128

Traffic destined to 100.1.1.1 is now translated to 2001:111:0:146:0:6401:101:23. (We can see this with a packet capture). The math behind this translation is probably too involved for the CCIE exam, but we can at least understand that as the share ratio increases above 1:1, the port information must also be used to calculate the IPv4-back-to-IPv6 translation to direct the traffic back to the correct CPE.

Summary

MAP-T allows for IPv4 traffic to transported across an IPv6-only domain. The CPE does the stateful NAT44, and multiple BRs (for redundancy) can do stateless NAT (which I would consider NAT64). The BRs simply need the correct mapping rules to be able to translate the IPv4 address back to the correct IPv6 address.

In MAP-T, IPv6 traffic from the user is native. IPv4 traffic is NATed by the CPE, but multiple CPEs can share the same public IPv4 address. Each CPE calculates which source ports it is allowed to use. The CPE then does a second translation, translating the IPv4 packet to IPv6. The BR translates the packet back to IPv4. Return traffic is translated back to IPv6 to return the packet back to the correct CPE. The source IPv6 address the CPE uses for the translation is calculed based on its IPv4 address and which port range it is using.

Further Reading

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-10/nat-xe-16-10-book/ip-nat-divi-v4v6.html

PreviousNAT64 StatelessNextBFD

Last updated