05-NAT Configuration Guide


Content

Configuring AFT

About AFT

AFT translation methods

Static AFT

Dynamic AFT

Prefix translation

AFT internal server

AFT translation process

IPv6-initiated communication

IPv4-initiated communication

AFT ALG

AFT tasks at a glance

Enabling AFT

Configuring an IPv6-to-IPv4 destination address translation policy

Configuring an IPv6-to-IPv4 source address translation policy

Configuring an IPv4-to-IPv6 destination address translation policy

About IPv4-to-IPv6 destination address translation policies

Restrictions and guidelines for configuring an IPv4-to-IPv6 destination address translation policy

Configuring an AFT mapping for an IPv6 internal server

Configuring an IPv6-to-IPv4 source address static mapping

Configuring an IPv4-to-IPv6 destination address translation policy based on IVI or general prefix

Configuring an IPv4-to-IPv6 source address translation policy

About IPv4-to-IPv6 source address translation policies

Restrictions and guidelines for configuring an IPv4-to-IPv6 source address translation policy

Configuring an IPv4-to-IPv6 source address static mapping

Configuring an IPv4-to-IPv6 source address translation policy based on NAT64 or general prefix

Configuring a NAT64 prefix

Setting the ToS field to 0 for translated IPv4 packets

Setting the Traffic Class field to 0 for translated IPv6 packets

Configuring AFT ALG

Configuring AFT logging

Display and maintenance commands for AFT


Configuring AFT

About AFT

Address Family Translation (AFT) translates an IP address of one address family into an IP address of the other address family. It enables an IPv4 network and an IPv6 network to communicate with each other, as shown in Figure 1. The IPv4 host and the IPv6 host can communicate with each other without changing the existing configuration.

Figure 1 AFT application scenario

AFT translation methods

Static AFT

Static AFT creates a fixed mapping between an IPv4 address and an IPv6 address.

Dynamic AFT

Dynamic AFT creates a dynamic mapping between an IPv4 address and an IPv6 address.

When dynamic AFT performs IPv6-to-IPv4 source address translation, the Not Port Address Translation (NO-PAT) and Port Address Translation (PAT) modes are available.

NO-PAT

NO-PAT translates one IPv6 address to one IPv4 address. An IPv4 address assigned to one IPv6 host cannot be used by any other IPv6 host until it is released.

NO-PAT supports all IP packets.

PAT

PAT translates multiple IPv6 addresses to a single IPv4 address by mapping each IPv6 address and port to the IPv4 address and a unique port. PAT supports the following packet types:

·     TCP packets.

·     UDP packets.

·     ICMPv6 echo request and echo reply messages.

PAT supports port blocks for connection limit and user tracing. Port blocks are generated by dividing the port range (1024 to 65535) by the port block size. Port block based PAT maps multiple IPv6 addresses to one IPv4 address and uses a port block for each IPv6 address.

Port block based PAT functions as follows:

1.     When an IPv6 host first initiates a connection to the IPv4 network, AFT creates a mapping from the host's IPv6 address to an IPv4 address and a port block.

2.     For subsequent connections from the IPv6 host, AFT translates the IPv6 address to the mapped IPv4 address and the source ports to ports in the port block, until the ports in the port block are exhausted.


NOTE:

If the port range cannot be divided by the port block size exactly, the remaining ports are not used for translation.
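The port block behaviour described above, as an added model (not H3C code): blocks are carved from 1024-65535, leftover ports are never used, each IPv6 host gets one block, and a block can be traced back to its host from any port in it. Block size, address and host addresses are constructed sample values; first-free block allocation and sequential port use inside a block are assumptions of the model.

```python
PORT_LOW, PORT_HIGH = 1024, 65535   # PAT port range given in the text


def build_port_blocks(block_size):
    """Split the 1024-65535 range into consecutive blocks of block_size ports.

    If the range is not an exact multiple of block_size, the leftover ports at
    the top of the range are never used for translation (see the NOTE above).
    """
    total_ports = PORT_HIGH - PORT_LOW + 1            # 64512 ports
    block_count = total_ports // block_size            # remainder is discarded
    return [(PORT_LOW + i * block_size, PORT_LOW + (i + 1) * block_size - 1)
            for i in range(block_count)]


def unused_ports(block_size):
    """Number of ports at the top of the range that no block covers."""
    return (PORT_HIGH - PORT_LOW + 1) % block_size


class PortBlockPAT:
    """One public IPv4 address shared by many IPv6 hosts, one port block each."""

    def __init__(self, ipv4_address, block_size):
        self.ipv4_address = ipv4_address
        self.free_blocks = build_port_blocks(block_size)   # assumption: first-free allocation
        self.hosts = {}          # ipv6 -> {"block": (lo, hi), "next": next free port}

    def translate(self, ipv6_src):
        """Map a new connection from ipv6_src to (ipv4, port), or None when it
        cannot be translated (no block left, or this host's block is exhausted)."""
        entry = self.hosts.get(ipv6_src)
        if entry is None:
            if not self.free_blocks:
                return None                              # connection limit reached
            lo, hi = self.free_blocks.pop(0)
            entry = self.hosts[ipv6_src] = {"block": (lo, hi), "next": lo}
        lo, hi = entry["block"]
        if entry["next"] > hi:
            return None                                  # this host's block is exhausted
        port = entry["next"]
        entry["next"] += 1                               # assumption: ports handed out in order
        return self.ipv4_address, port

    def release(self, ipv6_src):
        """Free the host's block once all its connections are gone."""
        entry = self.hosts.pop(ipv6_src, None)
        if entry is not None:
            self.free_blocks.append(entry["block"])

    def trace(self, port):
        """User tracing: given an IPv4 port seen in a log, return the IPv6 host
        that owns the block containing it (None if the port is unassigned)."""
        for ipv6_src, entry in self.hosts.items():
            lo, hi = entry["block"]
            if lo <= port <= hi:
                return ipv6_src
        return None
```

Because the mapping is one block per host rather than one entry per connection, a log of block creation and deletion events is enough to attribute any translated port to a host afterwards.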

Prefix translation

NAT64 prefix translation

A NAT64 prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. The IPv6 hosts do not use a constructed IPv6 address as their real IP address. The length of a NAT64 prefix can be 32, 40, 48, 56, 64, or 96 bits.

As shown in Figure 2, the construction methods vary depending on the NAT64 prefix length. Bits 64 through 71 in the constructed IPv6 address are reserved bits.

·     If the prefix length is 32, 64, or 96 bits, the IPv4 address contained in the IPv6 address will be intact.

·     If the prefix length is 40, 48, or 56 bits, the IPv4 address contained in the IPv6 address will be divided into two parts by bits 64 through 71.

Figure 2 IPv6 address construction with NAT64 prefix and IPv4 address

AFT uses a NAT64 prefix to perform the following translation:

·     IPv4-to-IPv6 source address translation. AFT translates a source IPv4 address to an IPv6 address that is created by using the NAT64 prefix and the IPv4 address.

·     IPv6-to-IPv4 destination address translation. AFT uses the NAT64 prefix to match destination IPv6 addresses and extracts the embedded IPv4 address from the matching IPv6 addresses.

A NAT64 prefix cannot be on the same subnet as any interface on the device.

IVI prefix translation

An IVI prefix is a 32-bit IPv6 address prefix. An IVI address is the IPv6 address that an IPv6 node uses. As shown in Figure 3, the IVI address includes an IVI prefix and an IPv4 address.

Figure 3 IVI address format

AFT uses an IVI prefix for IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.

General prefix translation

A general prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. The length of a general prefix can be 32, 40, 48, 56, 64, or 96 bits.

As shown in Figure 4, a general prefix based IPv6 address does not have bits 64 through 71 reserved as a NAT64 prefix based IPv6 address does. An IPv4 address is embedded as a whole into an IPv6 address.

Figure 4 General prefix based IPv6 address format

AFT uses a general prefix for IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.

A general prefix cannot be on the same subnet as any interface on the device.
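The two address layouts described above (NAT64 prefix with reserved bits 64-71, and general prefix with the IPv4 address embedded whole), as an added example that is not H3C code. It embeds an IPv4 address for every supported prefix length, extracts it again, and checks the rule that a prefix must not fall on an interface subnet. Assumptions: for a general prefix the IPv4 address sits immediately after the prefix; all addresses used are documentation ranges.

```python
import ipaddress

PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
V4_MASK = 0xFFFFFFFF


def prefix_bits(prefix, plen):
    """Integer value of the prefix with every bit beyond plen cleared."""
    if plen not in PREFIX_LENGTHS:
        raise ValueError("prefix length must be one of %s" % (PREFIX_LENGTHS,))
    shift = 128 - plen
    return (int(ipaddress.IPv6Address(prefix)) >> shift) << shift


def matches(prefix, plen, ipv6):
    """True if ipv6 falls under the prefix."""
    a = int(ipaddress.IPv6Address(ipv6))
    return (a >> (128 - plen)) << (128 - plen) == prefix_bits(prefix, plen)


def embed_nat64(prefix, plen, ipv4):
    """IPv6 address representing ipv4 behind a NAT64 prefix; bits 64-71 stay zero.

    /32, /64 and /96 keep the IPv4 address contiguous; /40, /48 and /56 split it
    into the part that fits before bit 64 and the remainder placed from bit 72.
    """
    base = prefix_bits(prefix, plen)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        return ipaddress.IPv6Address(base | v4)
    hi_bits = max(0, 64 - plen)                 # IPv4 bits that fit before bit 64
    lo_bits = 32 - hi_bits                      # IPv4 bits placed after the reserved octet
    hi, lo = v4 >> lo_bits, v4 & ((1 << lo_bits) - 1)
    value = base | (hi << (128 - plen - hi_bits)) | (lo << (128 - 72 - lo_bits))
    return ipaddress.IPv6Address(value)


def extract_nat64(prefix, plen, ipv6):
    """Inverse of embed_nat64; None if ipv6 does not match the NAT64 prefix."""
    if not matches(prefix, plen, ipv6):
        return None
    a = int(ipaddress.IPv6Address(ipv6))
    if plen == 96:
        return str(ipaddress.IPv4Address(a & V4_MASK))
    hi_bits = max(0, 64 - plen)
    lo_bits = 32 - hi_bits
    hi = (a >> 64) & ((1 << hi_bits) - 1)        # bits just before bit 64
    lo = (a >> (128 - 72 - lo_bits)) & ((1 << lo_bits) - 1)   # bits from 72 on
    return str(ipaddress.IPv4Address((hi << lo_bits) | lo))


def embed_general(prefix, plen, ipv4):
    """General prefix: the whole IPv4 address directly after the prefix (assumed layout)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(prefix_bits(prefix, plen) | (v4 << (128 - plen - 32)))


def extract_general(prefix, plen, ipv6):
    """Inverse of embed_general; None if ipv6 does not match the general prefix."""
    if not matches(prefix, plen, ipv6):
        return None
    a = int(ipaddress.IPv6Address(ipv6))
    return str(ipaddress.IPv4Address((a >> (128 - plen - 32)) & V4_MASK))


def overlaps_interface(prefix, plen, interface_networks):
    """Interface subnets that a candidate prefix overlaps (the text forbids any)."""
    pfx = ipaddress.IPv6Network((prefix, plen), strict=False)
    return [n for n in interface_networks if pfx.overlaps(ipaddress.IPv6Network(n))]
```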

AFT internal server

AFT internal server maps an IPv4 address and port number to the IPv6 address and port number of an IPv6 internal server. It allows the IPv6 internal server to provide services to IPv4 hosts.

AFT translation process

The address translation differs for IPv6-initiated communication and IPv4-initiated communication.

IPv6-initiated communication

As shown in Figure 5, when the IPv6 host initiates access to the IPv4 host, AFT operates as follows:

1.     Upon receiving a packet from the IPv6 host, AFT compares the packet with IPv6-to-IPv4 destination address translation policies.

¡     If a matching policy is found, AFT translates the destination IPv6 address according to the policy.

¡     If no matching policy is found, AFT does not process the packet.

2.     AFT performs a pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.

¡     If a matching route is found, the process goes to step 3.

¡     If no matching route is found, AFT discards the packet.

3.     AFT compares the source IPv6 address of the packet with IPv6-to-IPv4 source address translation policies.

¡     If a matching policy is found, AFT translates the source IPv6 address according to the policy.

¡     If no matching policy is found, AFT discards the packet.

4.     AFT forwards the translated packet and records the mappings between IPv6 addresses and IPv4 addresses.

5.     AFT translates the IPv4 addresses in the response packet header to IPv6 addresses based on the address mappings before packet forwarding.

For more information about IPv6-to-IPv4 destination address translation policies, see "Configuring an IPv6-to-IPv4 destination address translation policy."

For more information about IPv6-to-IPv4 source address translation policies, see "Configuring an IPv6-to-IPv4 source address translation policy."

Figure 5 AFT process for IPv6-initiated communication
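The five-step IPv6-initiated process above, as an added executable model that is not H3C code. Policy tables are constructed stand-ins for the device configuration, ordered as the later policy sections describe (static mappings before prefixes, dynamic translation last); prefix matching is limited to a /96 general prefix with the IPv4 address in the low 32 bits, and the dynamic policy uses a NO-PAT address group. Mappings are keyed on addresses only, which is a simplification of the model.

```python
import ipaddress

# Constructed policy tables standing in for the device configuration (not from the page).
V4TOV6_SOURCE_STATIC = {                      # aft v4tov6 source <v4> <v6>, applied in reverse
    ipaddress.IPv6Address("2001:db8:1::10"): "198.51.100.10"}
GENERAL_PREFIX_96 = ipaddress.IPv6Network("2001:db8:ffff::/96")   # aft prefix-general, /96 only
IPV4_ROUTES = [ipaddress.IPv4Network("198.51.100.0/24"),          # routes used by the pre-lookup
               ipaddress.IPv4Network("203.0.113.0/24")]
V6TOV4_SOURCE_STATIC = {                      # aft v6tov4 source <v6> <v4>
    ipaddress.IPv6Address("2001:db8:2::1"): "203.0.113.1"}
DYNAMIC_ACL = ipaddress.IPv6Network("2001:db8:2::/64")            # ACL of the dynamic policy
ADDRESS_GROUP = ["203.0.113.10", "203.0.113.11"]                  # NO-PAT address group


def new_state():
    """Per-device runtime state: free pool, NO-PAT entries, recorded mappings."""
    return {"pool": list(ADDRESS_GROUP), "nopat": {}, "mappings": {}}


def translate_destination(dst6):
    """Step 1: static mapping first, then the general prefix; None if nothing matches."""
    if dst6 in V4TOV6_SOURCE_STATIC:
        return V4TOV6_SOURCE_STATIC[dst6]
    if dst6 in GENERAL_PREFIX_96:
        return str(ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF))  # low 32 bits hold the IPv4 address
    return None


def has_route(dst4):
    """Step 2: pre-lookup of the translated destination (PBR is not consulted)."""
    return any(ipaddress.IPv4Address(dst4) in net for net in IPV4_ROUTES)


def translate_source(src6, state):
    """Step 3: static mapping, then an existing NO-PAT entry, then a fresh allocation."""
    if src6 in V6TOV4_SOURCE_STATIC:
        return V6TOV4_SOURCE_STATIC[src6]
    if src6 in state["nopat"]:
        return state["nopat"][src6]
    if src6 in DYNAMIC_ACL and state["pool"]:
        state["nopat"][src6] = state["pool"].pop(0)  # one IPv4 address per IPv6 host
        return state["nopat"][src6]
    return None


def process_v6_initiated(src6, dst6, state):
    """Run steps 1-4 for one packet; returns (verdict, (src4, dst4) or None)."""
    src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    dst4 = translate_destination(dst6)
    if dst4 is None:
        return "not-processed", None           # no destination policy: AFT leaves the packet alone
    if not has_route(dst4):
        return "dropped-no-route", None
    src4 = translate_source(src6, state)
    if src4 is None:
        return "dropped-no-source-translation", None
    state["mappings"][(src4, dst4)] = (src6, dst6)   # step 4: remember the pair for the reply
    return "forwarded", (src4, dst4)


def translate_response(src4, dst4, state):
    """Step 5: a reply from the IPv4 side carries the swapped pair; map it back to IPv6."""
    original = state["mappings"].get((dst4, src4))
    if original is None:
        return None
    src6, dst6 = original
    return str(dst6), str(src6)
```

The two drop verdicts are worth keeping distinct in practice: a missing route and a missing source policy both silently discard traffic, and the AFT statistics and logging commands later in this guide are the way to tell them apart.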

IPv4-initiated communication

As shown in Figure 6, when the IPv4 host initiates access to the IPv6 host, AFT operates as follows:

1.     Upon receiving a packet from the IPv4 host, AFT compares the packet with IPv4-to-IPv6 destination address translation policies.

¡     If a matching policy is found, AFT translates the destination IPv4 address according to the policy.

¡     If no matching policy is found, AFT does not perform address translation.

2.     AFT performs a pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.

¡     If a matching route is found, the process goes to step 3.

¡     If no matching route is found, AFT discards the packet.

3.     AFT compares the source IPv4 address with IPv4-to-IPv6 source address translation policies.

¡     If a matching policy is found, AFT translates the source IPv4 address according to the policy.

¡     If no matching policy is found, AFT discards the packet.

4.     AFT forwards the translated packet and records the mappings between IPv4 addresses and IPv6 addresses.

5.     AFT translates the IPv6 addresses in the response packet header to IPv4 addresses based on the address mappings before packet forwarding.

For more information about IPv4-to-IPv6 destination address translation policies, see "Configuring an IPv4-to-IPv6 destination address translation policy."

For more information about IPv4-to-IPv6 source address translation policies, see "Configuring an IPv4-to-IPv6 source address translation policy."

Figure 6 AFT process for IPv4-initiated communication

AFT ALG

AFT ALG translates address or port information in the application layer payloads.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires AFT ALG to translate the address and port information.

AFT tasks at a glance

To configure AFT, perform the following tasks:

1.     Enabling AFT

2.     Configuring address translation for IPv6-initiated communication

¡     Configuring an IPv6-to-IPv4 destination address translation policy

¡     Configuring an IPv6-to-IPv4 source address translation policy

¡     (Optional.) Setting the ToS field to 0 for translated IPv4 packets

3.     Configuring address translation for IPv4-initiated communication

¡     Configuring an IPv4-to-IPv6 destination address translation policy

¡     Configuring an IPv4-to-IPv6 source address translation policy

¡     (Optional.) Setting the Traffic Class field to 0 for translated IPv6 packets

4.     (Optional.) Configuring AFT ALG

5.     (Optional.) Configuring AFT logging

Enabling AFT

Restrictions and guidelines

To implement address translation between IPv4 and IPv6 networks, you must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable AFT.

aft enable

By default, AFT is disabled.

Configuring an IPv6-to-IPv4 destination address translation policy

About this task

AFT compares an IPv6 packet with IPv6-to-IPv4 destination address translation policies in the following order:

1.     IPv4-to-IPv6 source address static mappings.

2.     General prefixes.

3.     NAT64 prefixes.

Restrictions and guidelines

Make sure the security policy on the device permits packets that are sent from the IPv6 network-side security zone to security zone Local.

Procedure

1.     Enter system view.

system-view

2.     Configure an IPv6-to-IPv4 destination address translation policy.

¡     Configure an IPv4-to-IPv6 source address static mapping.

aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

¡     Configure a general prefix.

aft prefix-general prefix-general prefix-length

¡     Configure a NAT64 prefix.

aft prefix-nat64 prefix-nat64 prefix-length

Configuring an IPv6-to-IPv4 source address translation policy

About this task

AFT compares an IPv6 packet with IPv6-to-IPv4 source address translation policies in the following order:

1.     IPv6-to-IPv4 source address static mappings.

2.     General prefixes.

3.     IVI prefixes.

4.     IPv6-to-IPv4 source address dynamic translation policies.

Restrictions and guidelines

Make sure the security policy on the device permits packets that are from security zone Local to the IPv4 network-side security zone.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Configure an AFT address group.

a.     Create an AFT address group and enter AFT address group view.

aft address-group group-id

This step is required if you decide to use an address group in an IPv6-to-IPv4 source address dynamic translation policy.

b.     Add an address range to the address group.

address start-address end-address

You can add multiple address ranges to an address group, but the address ranges must not overlap.

c.     Return to system view.

quit

This configuration is supported only for the IPv6-to-IPv4 source address dynamic translation policies.

3.     Configure an IPv6-to-IPv4 source address translation policy.

¡     Configure an IPv6-to-IPv4 source address static mapping.

aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

¡     Configure an IPv6-to-IPv4 source address dynamic translation policy.

aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize ] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]

¡     Configure a general prefix.

aft prefix-general prefix-general prefix-length

¡     Configure an IVI prefix.

aft prefix-ivi prefix-ivi

Configuring an IPv4-to-IPv6 destination address translation policy

About IPv4-to-IPv6 destination address translation policies

AFT compares an IPv4 packet with IPv4-to-IPv6 destination address translation policies in the following order:

1.     AFT mappings for IPv6 internal servers.

2.     IPv6-to-IPv4 source address static mappings.

3.     IPv4-to-IPv6 destination address translation policies that use IVI prefixes or general prefixes.

Restrictions and guidelines for configuring an IPv4-to-IPv6 destination address translation policy

Make sure the security policy on the device permits packets that are sent from the IPv4 network-side security zone to security zone Local.

Configuring an AFT mapping for an IPv6 internal server

1.     Enter system view.

system-view

2.     Configure an AFT mapping for an IPv6 internal server.

aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]

Configuring an IPv6-to-IPv4 source address static mapping

1.     Enter system view.

system-view

2.     Configure an IPv6-to-IPv4 source address static mapping.

aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

Configuring an IPv4-to-IPv6 destination address translation policy based on IVI or general prefix

1.     Enter system view.

system-view

2.     Configure an IVI prefix or general prefix. Choose one option as needed:

¡     Configure an IVI prefix.

aft prefix-ivi prefix-ivi

¡     Configure a general prefix.

aft prefix-general prefix-general prefix-length

3.     Configure an IPv4-to-IPv6 destination address translation policy that uses an IVI prefix or a general prefix.

aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }

You can use a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Configuring an IPv4-to-IPv6 source address translation policy

About IPv4-to-IPv6 source address translation policies

AFT compares an IPv4 packet with IPv4-to-IPv6 source address translation policies in the following order:

1.     IPv4-to-IPv6 source address static mappings.

2.     IPv4-to-IPv6 source address translation policies that use NAT64 prefixes or general prefixes.

3.     The first NAT64 prefix.

Restrictions and guidelines for configuring an IPv4-to-IPv6 source address translation policy

Make sure the security policy on the device permits packets that are sent from security zone Local to the IPv6 network-side security zone.

Configuring an IPv4-to-IPv6 source address static mapping

1.     Enter system view.

system-view

2.     Configure an IPv4-to-IPv6 source address static mapping.

aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

Configuring an IPv4-to-IPv6 source address translation policy based on NAT64 or general prefix

1.     Enter system view.

system-view

2.     Configure a NAT64 prefix or general prefix. Choose one option as needed:

¡     Configure a NAT64 prefix.

aft prefix-nat64 prefix-nat64 prefix-length

¡     Configure a general prefix.

aft prefix-general prefix-general prefix-length

3.     Configure an IPv4-to-IPv6 source address translation policy that uses a NAT64 prefix or a general prefix.

aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }

You can use a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Configuring a NAT64 prefix

1.     Enter system view.

system-view

2.     Configure a NAT64 prefix.

aft prefix-nat64 prefix-nat64 prefix-length

Setting the ToS field to 0 for translated IPv4 packets

About this task

You can set the ToS field value for IPv4 packets translated from IPv6 packets:

·     If the value is set to 0, the priority of the IPv4 packets is set to the lowest.

·     If the value is kept the same as the Traffic Class field value of original IPv6 packets, the priority is not changed.

Procedure

1.     Enter system view.

system-view

2.     Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

aft turn-off tos

By default, the ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.

Setting the Traffic Class field to 0 for translated IPv6 packets

About this task

You can set the Traffic Class field value for IPv6 packets translated from IPv4 packets:

·     If the value is set to 0, the priority of the IPv6 packets is set to the lowest.

·     If the value is kept the same as the ToS field value of original IPv4 packets, the priority is not changed.

Procedure

1.     Enter system view.

system-view

2.     Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

aft turn-off traffic-class

By default, the Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.

Configuring AFT ALG

Restrictions and guidelines

In an IRF fabric, AFT configured on physical interfaces does not support ALG.

Procedure

1.     Enter system view.

system-view

2.     Enable AFT ALG for a protocol or all protocols.

aft alg { all | dns | ftp | http | icmp-error }

By default, AFT ALG is enabled for DNS, FTP, ICMP error messages, and HTTP.

Configuring AFT logging

About this task

For security auditing, you can configure AFT logging to record AFT session information. AFT sessions refer to sessions whose source and destination addresses have been translated by AFT.

AFT can log the following events:

·     An AFT port block is created.

·     An AFT port block is deleted.

·     An AFT session is established.

·     An AFT session is removed.

The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable AFT logging.

aft log enable

By default, AFT logging is disabled.

After you configure this command, AFT logs the creation and deletion events of AFT port blocks.

3.     (Optional.) Enable AFT session establishment and removal logging.

¡     Enable AFT session establishment logging.

aft log flow-begin

By default, AFT session establishment logging is disabled.

AFT session establishment logging takes effect only after you execute the aft log enable command to enable AFT logging.

¡     Enable AFT session removal logging.

aft log flow-end

By default, AFT session removal logging is disabled.

AFT session removal logging takes effect only after you execute the aft log enable command to enable AFT logging.

Display and maintenance commands for AFT

Execute display commands in any view and reset commands in user view.


Task

Command

Display AFT configuration.

display aft configuration

Display AFT address group information.

display aft address-group [ group-id ]

Display AFT mappings.

display aft address-mapping [ chassis chassis-number slot slot-number ]

Display information about AFT NO-PAT entries.

display aft no-pat [ chassis chassis-number slot slot-number ]

Display AFT port block mappings.

display aft port-block [ chassis chassis-number slot slot-number ]

Display information about AFT sessions.

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

Display AFT statistics.

display aft statistics [ chassis chassis-number slot slot-number ]

Clear AFT sessions.

reset aft session [ chassis chassis-number slot slot-number ]

Clear AFT statistics.

reset aft statistics [ chassis chassis-number slot slot-number ]
