NAT64 Stateless

Load nat64.lab1.init.cfg

#IOS-XE
config replace flash:nat64.lab1.init.cfg

#IOS-XR (XR1 only)
configure
load bootflash:nat64.lab1.init.cfg
commit replace
y

Configure stateless NAT64 on R6 using the following settings:

  • Traffic sourced from R5 will use 2001:db8:64:64::/96 to embed the IPv4 address that should be used for the source NAT.

    • Use IPv4 prefix 100.1.2.3/32 for R5

      • So traffic sourced from R5 will have a source IPv6 address with prefix 2001:db8:64:64::, and 100.1.2.3 mapped as the remaining bits.

  • R5 will embed the IPv4 destination in the IPv6 destination prefix 2001:db8:100:100::/64

Test a ping from R5 to XR1 (192.0.2.1)

Answer

#R6
int GigabitEthernet2.56
 nat64 enable
 nat64 prefix stateless v6v4 2001:db8:64:64::/96
int GigabitEthernet2.619
 nat64 enable
!
nat64 route 100.1.2.3/32 Gi2.56
nat64 prefix stateless v4v6 2001:db8:100:100::/64
!
ipv6 router ospf 1
 redistribute static
 
#R5
int lo100
 ipv6 add 2001:db8:64:64::6401:203/128
 ipv6 ospf 1 area 0

Explanation

Stateless NAT64 is not very popular, because one IPv4 address is consumed per IPv6 host. There is no address conservation when using stateless NAT.

In stateless NAT64, we enable NAT64 on the interfaces as usual. Also, on the interface facing the IPv6 host, we configure the stateless v6v4 prefix. This is the prefix that has the source host’s intended IPv4 address embedded within it. In this case, we are using 2001:db8:64:64::/96. Traffic sourced from R5 will be 2001:db8:64:64::6401:203, which has 100.1.2.3 embedded within the prefix.

#R6
int GigabitEthernet2.56
 nat64 enable
 nat64 prefix stateless v6v4 2001:db8:64:64::/96
int GigabitEthernet2.619
 nat64 enable

Next we create a route to 100.1.2.3/32 via R5. This creates a static route in the RIB pointing to the NVI. Incoming traffic destined to 100.1.2.3 will use the stateless prefix configured under Gi2.56 to translate back to IPv6.

#R6
nat64 route 100.1.2.3/32 Gi2.56

Finally we set the stateless v6 prefix that will be used to embed v4 destinations. You could use 64:ff9b::/96 as before, but in this lab we use a /64 to demonstrate a quirk.

#R6
nat64 prefix stateless v4v6 2001:db8:100:100::/64

When you use a non-/96 prefix for embedding IPv4 addresses, you must be careful about where you embed the IPv4 address. For a /64, there is an 8-bit padding (bits 64 to 71), so the embedded address starts at bit 72. These rules come from RFC 6052.

So when we ping XR1 from R5, we use 2001:db8:100:100:00c0:0002:0100:0.

R5#ping 2001:db8:100:100:00c0:0002:0100:: so lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:100:100:C0:2:100:0, timeout is 2 seconds:
Packet sent with a source address of 2001:DB8:64:64::6401:203
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/22 ms

We do not use <prefix>::c000:201. In that case we get back an "administratively prohibited" response from R6.

R5#ping 2001:db8:100:100::c000:201 so lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:100:100::C000:201, timeout is 2 seconds:
Packet sent with a source address of 2001:DB8:64:64::6401:203
AAAAA
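
The RFC 6052 embedding rule described above, as an added Python example (not part of the original lab). It goes beyond the lab's /64 and /96 cases to cover every prefix length RFC 6052 allows; the names embed and extract are illustrative, not an IOS or library API.

```python
import ipaddress

# RFC 6052 section 2.2: byte offsets inside the 16-byte IPv6 address that carry
# the four IPv4 octets for each allowed prefix length. Byte 8 (bits 64-71, the
# "u" octet) is skipped by every layout and must be zero.
V4_BYTES = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}

def embed(prefix, ipv4):
    """Return the IPv4-embedded IPv6 address for ipv4 inside prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in V4_BYTES:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(V4_BYTES[net.prefixlen], ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """Return the IPv4 address found at the RFC 6052 positions in ipv6."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    if raw[8] != 0:
        raise ValueError("bits 64-71 must be zero")
    return ipaddress.IPv4Address(bytes(raw[p] for p in V4_BYTES[net.prefixlen]))

if __name__ == "__main__":
    v4v6 = "2001:db8:100:100::/64"  # destination prefix from this lab
    v6v4 = "2001:db8:64:64::/96"    # source prefix from this lab
    print(embed(v4v6, "192.0.2.1"))   # address R5 must ping to reach XR1
    print(embed(v6v4, "100.1.2.3"))   # address configured on R5 lo100
    # The /96-style address decodes to a different IPv4 under the /64 layout:
    print(extract(v4v6, "2001:db8:100:100::c000:201"))
```

Under the /64 layout, 2001:db8:100:100::c000:201 decodes to 0.0.0.192 rather than 192.0.2.1, which is why the address has to be written with the IPv4 octets starting at bit 72.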

Note that since this is stateless NAT64, there will never be any translations seen under show nat64 translations. However, you will see hits for “stateless” under show nat64 statistics.
