06-AFT
Introduction
Address Family Translation (AFT) translates an IP address of one address family into an IP address of the other address family.
NAT64 prefix
A NAT64 prefix is an IPv6 address prefix used to construct an IPv6 address that represents an IPv4 node in an IPv6 network. IPv6 hosts do not use a constructed IPv6 address as their real IP address. The length of a NAT64 prefix can be 32, 40, 48, 56, 64, or 96 bits.
As shown in Figure 1, the construction methods vary depending on the NAT64 prefix length. Bits 64 through 71 in the constructed IPv6 address are reserved bits.
· If the prefix length is 32, 64, or 96 bits, the IPv4 address contained in the IPv6 address will be intact.
· If the prefix length is 40, 48, or 56 bits, the IPv4 address contained in the IPv6 address will be divided into two parts by bits 64 through 71.
Figure 1 IPv6 address construction with NAT64 prefix and IPv4 address
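The construction rules above, worked through in Python as an added example (not vendor code). The bit layout follows RFC 6052, the prefixes and the IPv4 address 192.0.2.33 are documentation values, and the function names `embed` and `extract` are chosen here for illustration.

```python
import ipaddress

VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # lengths listed on this page
RESERVED_MASK = 0xFF << 56                # bits 64 through 71 of the 128-bit address


def _split(prefix):
    """Return (network, IPv4 bits before the reserved octet, bits after it)."""
    net = ipaddress.IPv6Network(prefix)   # strict: rejects host bits in the prefix
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    if int(net.network_address) & RESERVED_MASK:
        raise ValueError("bits 64-71 of the prefix must be zero")
    before = max(64 - net.prefixlen, 0)   # 32, 24, 16, 8, 0, and 0 for /96
    return net, before, 32 - before


def embed(prefix, ipv4):
    """Build the IPv6 address that represents `ipv4` under `prefix`."""
    net, before, after = _split(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)
    if net.prefixlen == 96:               # IPv4 address sits in the last 32 bits
        return ipaddress.IPv6Address(base | v4)
    high = v4 >> after                    # part placed in bits prefixlen..63
    low = v4 & ((1 << after) - 1)         # part placed from bit 72 onward
    return ipaddress.IPv6Address(base | (high << 64) | (low << (56 - after)))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address, e.g. when reading IPv6-side logs."""
    net, before, after = _split(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    value = int(addr)
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    if value & RESERVED_MASK:
        raise ValueError("reserved bits 64-71 are not zero")
    high = (value >> 64) & ((1 << before) - 1)
    low = (value >> (56 - after)) & ((1 << after) - 1)
    return ipaddress.IPv4Address((high << after) | low)
```

With a /40, /48, or /56 prefix the IPv4 address is not visible as one contiguous run in the textual IPv6 address, so log searches for the IPv4 destination need `extract` (or an equivalent) rather than a substring match.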
AFT translation methods
Prefix translation
AFT uses a NAT64 prefix to perform IPv4-to-IPv6 source address translation or IPv6-to-IPv4 destination address translation.
Dynamic translation
Dynamic AFT creates a dynamic mapping between an IPv4 address and an IPv6 address.
When dynamic AFT performs IPv6-to-IPv4 source address translation, the Not Port Address Translation (NO-PAT) and Port Address Translation (PAT) modes are available.
· NO-PAT: NO-PAT translates one IPv6 address to one IPv4 address. An IPv4 address assigned to one IPv6 host cannot be used by any other IPv6 host until it is released. NO-PAT supports all IP packets.
· PAT: PAT translates multiple IPv6 addresses to a single IPv4 address by mapping each IPv6 address and port to the IPv4 address and a unique port. PAT supports the following packet types:
  ○ TCP packets.
  ○ UDP packets.
  ○ ICMPv6 echo request and echo reply messages.
PAT supports port blocks for connection limit and user tracing. Port blocks are generated by dividing the port range (1024 to 65535) by the port block size. Port block based PAT maps multiple IPv6 addresses to one IPv4 address and uses a port block for each IPv6 address.
Port block based PAT functions as follows:
a. When an IPv6 host first initiates a connection to the IPv4 network, port block based PAT creates a mapping from the host's IPv6 address to an IPv4 address and a port block.
b. For subsequent connections from the IPv6 host, it translates the IPv6 address to the IPv4 address and the source ports to ports in the port block, until the ports in the port block are exhausted.
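A small model of port block based PAT, added here as an example and not taken from the device software, showing how a fixed block per host allows tracing a translated IPv4 address and port back to one IPv6 host. The class name, block size, and addresses are constructed; refusing new connections once a block is exhausted and never releasing ports are assumptions of this model, since the page does not describe that behavior.

```python
import ipaddress

PORT_MIN, PORT_MAX = 1024, 65535  # port range stated on this page


class PortBlockPat:
    """Toy model: each IPv6 host gets one (IPv4 address, port block) mapping."""

    def __init__(self, pool, block_size):
        self.block_size = block_size
        blocks_per_ip = (PORT_MAX - PORT_MIN + 1) // block_size
        # Every free block is identified by its IPv4 address and first port.
        self.free = [(ipaddress.IPv4Address(ip), PORT_MIN + i * block_size)
                     for ip in pool for i in range(blocks_per_ip)]
        self.by_host = {}  # IPv6 host -> [IPv4 address, first port, ports used]

    def translate(self, src6):
        """Return (IPv4, port) for a new connection, or None if the block is used up."""
        host = ipaddress.IPv6Address(src6)
        if host not in self.by_host:          # step a: first connection from this host
            if not self.free:
                raise RuntimeError("address group has no free port block")
            ip, first = self.free.pop(0)
            self.by_host[host] = [ip, first, 0]
        entry = self.by_host[host]
        if entry[2] >= self.block_size:       # assumption: exhausted block refuses
            return None
        entry[2] += 1                         # step b: next port from the same block
        return entry[0], entry[1] + entry[2] - 1

    def trace(self, ipv4, port):
        """User tracing: which IPv6 host owns this translated address and port?"""
        ip = ipaddress.IPv4Address(ipv4)
        for host, (mapped_ip, first, _used) in self.by_host.items():
            if mapped_ip == ip and first <= port < first + self.block_size:
                return host
        return None


def demo():
    """Constructed sample: one pool address, block size 4, two IPv6 hosts."""
    pat = PortBlockPat(["198.51.100.1"], block_size=4)
    a = [pat.translate("2001:db8::a") for _ in range(5)]  # fifth exceeds the block
    b = pat.translate("2001:db8::b")
    return pat, a, b
```

Because the block boundaries are fixed at allocation time, one log record per block assignment is enough to attribute any later translated port to a host, instead of one record per session.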
AFT translation process
As shown in Figure 2, when the IPv6 host initiates access to the IPv4 host, AFT operates as follows:
1. Upon receiving a packet from the IPv6 host, AFT compares the packet with IPv6-to-IPv4 destination address translation policies.
  ○ If a matching policy is found, AFT translates the destination IPv6 address according to the policy.
  ○ If no matching policy is found, AFT does not process the packet.
2. AFT performs pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.
  ○ If a matching route is found, the process goes to step 3.
  ○ If no matching route is found, AFT discards the packet.
3. AFT compares the source IPv6 address of the packet with IPv6-to-IPv4 source address translation policies.
  ○ If a matching policy is found, AFT translates the source IPv6 address according to the policy.
  ○ If no matching policy is found, AFT discards the packet.
4. AFT forwards the translated packet and records the mappings between IPv6 addresses and IPv4 addresses.
5. AFT translates the IPv4 addresses in the response packet header to IPv6 addresses based on the address mappings before packet forwarding.
Figure 2 AFT process for IPv6-initiated communication
AFT address group
An AFT address group is a set of IPv4 address ranges and is intended for use by AFT policies for dynamic IPv6-to-IPv4 source address translation. Dynamic AFT can translate the source address of an IPv6 packet to an IPv4 address in the address group according to the AFT policy settings.
Configure AFT
Configure an AFT address group
1. Click the Policies tab.
2. Select AFT > AFT Address Groups.
3. Click Create.
4. Create an AFT address group.
Table 1 AFT address group configuration items
Item | Description |
---|---|
Address group ID | Enter an address group ID. |
Start IP Address | Click Add next to Group members. In the dialog box that opens, enter the start IP address of an IP address range to add to the address group. |
End IP Address | Enter the end IP address of the IP address range. |
5. Click OK.
Configure a NAT64 prefix
1. Click the Policies tab.
2. Select AFT > NAT64 Prefixes.
3. Click Add.
4. Create a NAT64 prefix.
Table 2 NAT64 prefix configuration items
Item | Description |
---|---|
IPv6 prefix | Specify a NAT64 prefix. |
NAT64 prefix length | Select a NAT64 prefix length. Options are 32, 40, 48, 56, 64, and 96. |
5. Click OK.
Configure an AFT policy
1. Create an AFT policy:
a. Click the Policies tab.
b. Select AFT > AFT Policies.
c. Click Create.
d. Create an AFT policy and click OK.
Table 3 AFT policy configuration items
Item | Description |
---|---|
Translation method | Translation method used by the AFT policy. Only the NAT64 prefix translation method is supported. The AFT policy performs dynamic IPv6-to-IPv4 source address translation based on a NAT64 prefix. |
ACL for packet matching | Select the ACL for matching the IPv6 packets for address translation. |
Source address after AFT | Specify the IPv4 address used for IPv6-to-IPv4 source address translation. You can select an address group or a loopback interface. |
Translation mode | Select a translation mode. Options are NO-PAT and PAT. |
VRF after AFT | Specify the VRF to which the address belongs after AFT. |
2. Apply AFT policies to interfaces:
a. Click the Policies tab.
b. Select AFT > Enable AFT.
c. Select the interfaces to which you want to apply all configured AFT policies.
d. Click Enable.