Transcription
Session Name: NAT64 Technical Deep Dive
Session Number: 206151477
Date: Wednesday, September 14, 2011
Starting Time: 11:28 AM

Q: ETA for Stateful NAT64?
A: ASR1k is now shipping stateful NAT64 starting with release XE3.4

Q: Also, will NAT64 (stateless/stateful) ever be available on IOS (ISRs)? If yes - ETA?
A: ISR is likely to support NAT64, but I have not seen any official announcement on this yet

Q: does 7206 vxr support ip v6
A: 7206 vxr supports IPV6 but NAT64 is not supported there.

Q: Is there an ETA for NPT (Network Prefix Translation)?
A: answered in later response

Q: Thanks Cheryl - didn't realize stateful NAT64 was already out.
A: Yes, XE3.4 was posted on CCO 7/25/11

Q: To get NAT64 capability this would be a software update for our existing devices (like ASAs or L3 switches for example)?
A: I do not believe ASA currently supports NAT64. It is supported on ASR1k XE3.4 released end of August

Q: what is the NAT64 capability difference between a CGN module on CRS-1/3 and an ASR1006 with ESP20/40?
A: I cannot comment on CRS, but ESP20/40 support 2M stateful NAT64 translation at 5.5 Million packets per second

Q: In looking at IPv6 and NAT64, one of the issues of concern was the availability of something to proxy IPV4 to IPv6 DNS....i.e. what to pass as a DNS AA record to an IPv6 host to reach an IPv4 host via NAT. Does Cisco have a solution for this DNS64 need?
A: as of now we are using OPEN source DNS64 to convert the queries.

Q: In looking at IPv6 and NAT64, one of the issues of concern was the availability of something to proxy IPV4 to IPv6 DNS....i.e. what to pass as a DNS AA record to an IPv6 host to reach an IPv4 host via NAT. Does Cisco have a solution for this DNS64 need?
A: we don't have any solution out as of now for DNS64

Q: Any plans for NAT66 or NAT46?
A: these are being considered for ASR1k roadmap, but are not currently official in plan

Q: Regarding NPT (RFC 6296) authored by Cisco employee, if you don't know ETA can you refer me to someone?
I have heard this is planned but have been unable to get further info.
A: NPT is being considered for the ASR1k roadmap, but is not official in plan at this time.

Q: Support on FWSM?
A: sorry we do not know the plans for that platform.

Q: I have clients that have an IPV4 inside network but have an IPV6 outside IP. Will NAT64 allow us the ability to NAT/PAT the inside IPv4 private IP to the IPV6.
A: We do support this kind of translations with Static Mapping as of now in our NAT64 solution

Q: Will FWSM support NAT64
A: sorry we do not know the plans for that platform.

Q: Does ASR 1K support Stateful NAT 64 in HA mode (hot standby)?
A: Yes

Q: To running NAT64, does it require any limitation per node?
A: No, I assume you are asking about the number of sessions per host?

Q: how about 3845 does it support nat64
A: No 3845 does not support NAT64

Q: impact of converting on VoIP
A: VOIP will come under ALG's and right now we don't support VOIP ALG's with NAT64, only supported ALG is FTP. but other ALGs are in our roadmap.

Q: When will the ASA code see NAT64
A: sorry we don't know the plans of that platform. As of now only ASR1k and CRS support NAT64

Q: Which DNS64 open source solution are you using?
A: Viagenie

Q: Is there support in NX-OS for NAT64?

Q: As I understand it, the ASA will allow the creation of IPv6 addresses to be IPSEC tunneled within IPv4 packets with the creation of 8.4. I have successfully tested native IPv6 tunnels but have not yet tried to see if I can tunnel IPv6 through IPv4 tunnels
A: sorry we do not have ASA expertise among the panelists

Q: Currently ASR 1K supports NAT 64 translation logging over Netflow. How about Syslog integration?
A: No committed plans for syslog integration as of yet, but in the roadmap

Q: ipv6 voice packets - impact
A: VOICE packet like SIP/Skinny/h323 will need ALG support with NAT64, it's not available as of now but it's in the Roadmap.

Q: What would be magical numbers per node to run NAT64? Just approx..
A: If you are asking about scaling, ASR1k on ESP20 supports up to 2M stateful translations

Q: Virginia Tech is also running IPv6, they're the first ones in US.
A: Thanks for the info

Q: So, as an enterprise, who would like to start testing Ipv6 in the internal environment, would it be right to say that as of now, with a Cisco 2951, I could use NAT-PT?
A: support for NAT-PT was withdrawn; if you want to use a IPv4 <-> IPv6 translation, then using NAT64 is recommended using a platform like ASR1k or CRS.

Q: and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from Proposed Standard to Historic status

Q: So I guess that NAT64 does not support inbound NAT to an IPV4. Example I have IPV6 outside IP but our DMZ is IPv4. Can we do an inbound NAT so a user can reach our website in our DMZ?
A: NAT64 on ASR1k does support IPv4 initiated traffic, but only in a limited scope. What is supported is static v6v4 mappings which allows IPv4 initiated traffic.

Q: Is NAT64 supported on 4500 sup6? in hardware?
A: No It's not supported in 4500.

Q: bandwidth bogged down by ipv6 versus ipv4
A: please clarify. this question is not clear

Q: is nat64 only supported on ASR 1000, any other devices
A: ASR1k and CRS CGN

Q: If I am running an ASA and a 3750 layer 3 switch in my environment, for example, what is my migration path to being able to develop a network with an external IPV6 address NAT'd over to a multi-VLAN IPV4 internal environment? Nothing smaller than ASR-1k?
A: Nothing as of now. only ASR 1k and CRS supports NAT64 as of now

Q: so the ASR 1K is the recommended platform for where you want NAT64 and currently use 7206VXR's?
A: Yes ASR1k is the best choice in this case.

Q: Or a switch/fw?
A: none of the switches support NAT64 as of now.

Q: Is it possible to get an ETA for NAT64 support in IOS (e.g. ISR/ISR G2s)?

Q: 5.5 M packets per second is based on which packet size? 64, or hybrid?
A: it's with packet size 68.
Q: For Dual-Stack technologies, do you see Dual-Stack PPP on the broadband access networks playing a big role in transitioning to IPv6?
A: It really depends on the network design to be honest. For some folks that have older devices' it'll be big

Q: NAT64 and the ASA Services module for the C6500?
Q: Are there any configuration examples available to configure tunnelling and translation (i.e. NAT64) for the ASR1001?
A: Are you asking is this supported?
A: Yes you can go to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11676278.html

Q: In FWs, what Codes are being supported for NAT64?
A: We don't support firewall with NAT64 as of now this code is in testing as of now and will be out in another 4-5 Month time.

Q: What product will be positioned for NAT64 support for the SMB market?
A: You might want to consider ASR1001

Q: Do you recommend an IPAM solution for deploying IPv6?
A: I sure do and use one for my networks because the space is so large and we have so many options

Q: Can you pls send me a link that explains NAT 64 HA (hot standby) mode. The docs only indicate cold standby support for NAT 64... Thanks.
A: Sorry, I realized that HA hot standby is due in the next release which is in testing now

Q: Is DNS64 embedded into the ASR1001 or does it rely on a BIND server to perform DNS64?
A: DNS64 is in roadmap for ASR1k, but NAT64 is currently been deployed with a external box as the DNS64

Q: I have Cisco 7201 at the edge, Cisco ASA 5550 as firewall and CISCO ACE 4710 as a Lbalancer. For me, how is it possible to deploy IPV6? NAT64 isn't supported on 7200/asa/ace. Dual-stack won't work either, as ACE has no IPV6 support. No ipv6 is possible?
A: We do support IPV6 in 7200 but yes with all these Boxes you can't do NAT64.

Q: what is QFP
A: qfp is quantum flow processor used in ASR!!

Q: This is all brand new gear (under 1 year old) and I could never get ipv6 up on our internet site, but I do have ipv6 transit delivered.
A: Are you dual stacking? How is your DNS AAAA records config'ed?
Q: and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from Proposed Standard to Historic status
A: rfc 6144, 6145

Q: and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from Proposed Standard to Historic status
A: apologize, 6145 & 6146 - the references are in the slide deck

Q: These are web servers

Q: We use a top level DNS server and several lower level DNS servers. Is NAT64/DNS64 additional to existing DNS infrastructure or does it have to replace the top level DNS server?
A: DNS64 support is must on your server, you've to check with the DNS server vendor if they support DNS64. but yes open source DNS64 servers are available.

Q: So NAT64 does not support on asa?
A: not at this time, but we are not sure of the panelist are not aware of their roadmap

Q: Will NAT64 be eventually supported on a Cat6509E with Sup720?
A: sorry the panelists are not familiar with the roadmap of this platform

Q: because ipv6 has more info in packets, i heard that the bandwidth is divided by 2
A: Meh...Really depends more on the internal architecture than anything else. Some gear dividing by 10 will be required! Not Cisco stuff of course...

Q: Are there plans for NX-OS support for NAT64?
A: sorry the panelists are not familiar with the roadmap of this platform

Q: If ISP delivers dual stack via single circuit, can the ASR pass-through the Internet IPv4 traffic while NATting only Ipv6 for inside enterprise use?
A: Yes if IPV4 traffic is just pass-through everything will work and you can have NAT64 only for your V6 network, but on the same ASR we don't recommend NAT44 and NAT64 together.

Q: Can we NAT our IPv4 addresses to IPv6 at our Internet connection with an ASA or router?
A: ASA does not currently support NAT64. ASR1k, does support some IPv4 initiated translation via static v6v4 mappings

Q: What does QFP stand for?
A: Quantum flow processor

Q: Since ASR 1K does not support hot standby HA for now, do you recommend a combination of HSRP design with cold standby?
A: ASR1k will support hot standby intrabox redundancy in XE3.5 which is targeted the end of November of this year. NAT64 box-to-box is a high priority in our roadmap, but you should be able to achieve redundancy via HSRP until then

Q: Is it supported on 6500 sup 720
A: No as of now we only support NAT64 on ASR and CRS

Q: Are there any performance improvements/detriments in running ipv6 over ipsec/gre based vpn tunnels?
A: Tunneling will always add a little overhead to the entire process

Q: nat64 for 6500 series switches?
A: Not supported as of now only ASR and CRS supports NAT64 today

Q: Today internet has almost 415554 IPV4 prefix which is already challenge to maintain in BGP table, how will IPV6 help in this direction, will IPV6 worsen the situation?
A: Yeah no kidding...That is rough. LISP helps some, but honestly, it's going to get much worse

Q: Is NAT-PT still supported in IOS (even though it's deprecated by the IETF)?
A: NAT-PT is no longer supported in IOS

Q: You said "DNS64 is in roadmap for ASR1k, but NAT64 is currently been deployed with a external box as the DNS64". What do you mean by external box? BIND server?
A: yes with external box we mean the DNS server from any vendor or open source DNS64 running on a linux box.

Q: Dushyant -- Is there anyway to deploy ipv6 at all? I can do nat-pt on the 7201, but as far as I can tell the dual-stack strategy doesn't work either due to lack of IPV6 support for native on the ACE 4710?
A: Paul if you want to convert IPV6 network to IPV4 you've to use any box like ASR1k or CRS, but without that i'm not sure how you will achieve it.

Q: if these large networks (AT&T, Comcast etc.) move to IP6 natively, won't that free up huge blocks of IP4 addresses returning them to the available pool?
A: IF they turn them back in.
They are under no obligation to do so

Q: that is what they said in the IPv6 web conference that we attended earlier this week and still nothing there.

Q: Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
A: Scenario 4 is for v4 network to a v6 internet

Q: Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
Q: dushyant - The last input I found was this (https://supportforums.cisco.com/servlet/JiveServlet/download/4628026821/Microsoft_Word-ACE_IPv6_Statement_of_Direction_Nov_2008_IR.pdf) but as far as I can tell it was never implemented in ACE? (for native Dual-
A: which is towards the end of the transition
A: Paul this talks about the IPV6 support on ACE, i'm not much aware about ACE but yes V6 to V4 conversion will not be there for sure. i think you can write your doubt to me on this offline sometime [email protected]

Q: When was RFC 6145 published, April 2011?
A: yes, that is correct

Q: What were the protocols supported by Stateful NAT64 again? I couldn't write fast enough....;-)
A: Stateful nat64 can support all protocols - but for conserving IP address doing NAPT TCP/UDP/ICMP are supported

Q: is there an ipv6 to ipv6 nat?
A: there is and is being considered for the asr1k roadmap

Q: dushyant - or will nat64 come to the 7200/IOS 15 first? I would deploy either at this point.
A: the panelists are not familiar with the IOS roadmap

Q: Can these services run on ASA as well, or just ASR 1k?
A: currently only on asr1k and crs

Q: Will the 6 to 4 work on ASR using firewall module and zone-based firewalls?
A: Not with the current released code, but IPv6 Firewall support on ASR1k is a very high priority and expected soon. When it is supported the scenario you described would be supported

Q: When can we expect ACE to support IPv6?
A: Can you please clarify what you mean by ACE as I have multiple definitions for that and I'm not sure which you are referring to

Q: When can we expect ACE to support IPv6?
A: Next Thursday. Just kidding.
The best person to ask would be your Cisco AM and/or SE

Q: if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?

Q: what cisco firewalls and load balancers support nat64
A: ASR1k Firewall IPv6 and interworking with NAT64 is currently in works and should be available in the near future

Q: What flavour of DNS64 was used in Cisco testing?
A: I am not sure what they use. But I use Ecdysis in my labs

Q: are there any plans to support nat64 on the 4500 in the future? timeline?
A: the panelists do not have much idea on 4500 roadmap.

Q: Will we have access to these slides after this presentation?
A: You'll get emailed a link to these presentation

Q: does that do content load balancing also?
A: I'm not sure of that, so am sending this privately in case one of the other panelists knows the answer

Q: with which DNS servers is the ASR NAT64 implementation supported?
A: Any DNS64 server will work with NAT64, we have tried it with OpenSource DNS64 like Ecdysis

Q: what release on ASR 1000 would have IPv6 support?
A: IPv6 has been supported on ASR1k for a long time. Stateful NAT64 support was added XE3.4 August 2011

Q: What are the current known limitations of NAT64
A: Buy a ASR1k, of course. :) Besides translation the other two main solutions are dual stack lite and tunneling
A: Stateful NAT64 has similar limitations as any type of NAT, but the main one is that is designed primarily for IPv6 initiated traffic. ASR1k does support limited Ipv4 initiated traffic via v6v4 static mappings

Q: what changes are required on V6 hosts to support stateless NAT64?
A: For stateless NAT64 you need to have the IPV6 address which can be converted to IPV4 directly. i guess RFC 2464 talks about this ... also called as IPV4 embedded IPV6 address.

Q: what is the pps if we use RFC standard mixed size packets for test?
A: With ESP20 on ASR1k, you could expect 5.5MPPS for stateful NAT64.

Q: would 2941 MWR support NAT64, or the element has to be replaced with ASR 1000?
A: Only ASR1k and CRS supports NAT64 as of now.
Q: What is the best solution for me if I don't have a ASr1K?

Q: if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?
A: Thru a LB yes it would for sure

Q: Who can verify if/when the ASA platform will support NAT64?
A: Honestly, your Cisco AM and/or SE is the best person to do this.

Q: So IPv4 initiated PAT to IPv6 is intentionally left out of the RFC and unsupported by the standard, but IS supported by ASR1K?
A: You are correct that IPv4 initiated PAT is out of RFC. It is *not* supported by ASR1k. But ASR1k does support v4 initiated via static mappings

Q: do you mean with any packet size, it can reach 5.5MPPS?
A: No we have measured this 5.5 MPPS with packet size ~70-80 B

Q: Is there a doc or whitepaper which outlines the complete solution including the DNS config and ASR config
A: Our testing was with small packets which is our worst case. Larger packets would be handled at the same rate until we start hitting bandwidth issues on the network
A: This is the doc which talks about the configuration but we don't have any specific DNS64 solution as of now, you need to check different Vendors like Microsoft or Open source DNS64 server like Ecdysis http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6

Q: Is there a doc or whitepaper which outlines the complete solution including the DNS config and ASR config
A: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11676278.html

Q: in another word, just limited by ESP20, 20Gbps?
A: y

Q: do you mean with any packet size, it can reach 5.5MPPS?

Q: I thought IPv6 would remove the need to NAT :)
Q: I thought IPv6 would remove the need to NAT :)
A: Maybe it would if everything were IPv6.
A: Remove the need for NAT as a means to save address space... True for v4. In v6, we use it to translate back and forth. Once v4 is the minority this will be less and less of an issue

Q: What is the point of the NVI (NAT Virtual Interface) - is there anything we can do with it?
A: NVI is just an interface which will not be configurable, it'll be created with NAT64 configuration and internally we forward packets which need the NAT64 translations to NVI.

Q: great! Thanks.

Q: Just feel 2M connections are low for mobile clients solution
A: That is the current limitation for ASR1k. CRS supports much higher and ASR1k will support much higher

Q: Application Control Engine
Q: I don't know if you intended to reply to mine with that answer, but I do have dual stack today, and would use that instead of NAT64, but ace does not support ipv6.
A: We are working on this one. I know it sucks, but it's coming!

Q: can only items to the stateful prefix (and not the iana global nat64 prefix, or a subset of it) be handled statefully?
A: ASR1k stateful NAT64 traffic must have either the configured NAT64 prefix or the Well Known Prefix defined in the standards; this must be the prefix for how IPv4 hosts appear in the ipv6 network
A: not sure if i understand it correctly, but we need to configure stateful Prefix in asr1k to tell which prefix address it has to translate, only WKP (well known prefix) will be translated without configuration

Q: i see the QFP deployed only on ASR1000, and it is not on any other box? would this box also support SAToPSN and CESoPSN?
A: QFP is only on ASR1k. As to support of the other items I would ask a more general marketing person as we are very NAT focused

Q: Yeah, the NAT statement was in regards to Sev Kelians statement about NAT not being needed anymore
A: Groovy man!

Q: Can we get the slides for this?
A: cost a dollar

Q: Can we advertise the IPV6 stateful prefix (which has an NVI table entry) thro' any routing protocol (like OSPFV3)?
A: We don't configure anything on NVI interface, so the stateful prefix should have a route via any routing protocol to tell the ASR1k where it has to forward the packet.

Q: can only items to the stateful prefix (and not the iana global nat64 prefix, or a subset of it) be handled statefully?
Q: I don't see any examples in the diagrams with loadbalancers - are there designs with this included?

Q: Do you have a list of Netflow Collectors which support the enhanced Netflow v9 packets the ASR 1k generates?

Q: if you plan to run dual stack is there any need for NAT?
A: NAT you will be needing in that case too, to convert Private IP's to Public IP's isn't it.

Q: Sweet
A: You'll get an email link to this stuff

Q: Will John Madden be supporting IPv6?
A: In the Bret Favre edition

Q: But IPV6 NAT is IPV6 to IPV6 correct?
A: There is no IPV6 to IPV6 nat ... NAT44 will convert IPV4 to IPV4 you can convert private add to public add and NAT64 is to convert the Packets from IPV6 add to IPV4 add.

Q: hsl debug? The others all seem self-explanatory but not sure what that does.
A: hsl is high speed logging used to collect the information about the NAT translations like port/ips/time/protocol etc....HSL logging is just the name we use.

Q: Link to slide set?

Q: Really what is nat66?
A: I'm not really sure about the NAT66 thing...Cheryl might answer this one..

Q: How do we make other external devices aware of the IPV6 stateful NAT prefix (configured on the ASR 1K) other than static routes?
A: Not sure if i'm understanding it correctly. but in Stateless NAT64 solution you need to have a Static route with nat64 route ...." CLI, but in Stateful nat64 you basically translate the IPV6 network to IPV4 network so you mainly send the traffic from IPV6" Network and if you are initiating the traffic from IPV4 to IPV6 you must need static NAT64 configuration which will do the job.

Q: How do we make other external devices aware of the IPV6 stateful NAT prefix (configured on the ASR 1K) other than static routes?

Q: Are there any protections for DoS Attacks with Stateful NAT64?
A: Stateful NAT64 is not a Firewall, but does have some security aspect to protect itself. In particular only create translation which match ACLs.
There are also several internal protections which are part of the design

Q: What ASR IOS support these new Features
A: We support Stateless NAT64 from XE3.2 and Stateful support is available from 3.4

Q: are the nat64 statistics available to monitor via snmp?
A: not at this time, but is the roadmap

Q: what is the rate of connection setups/second?
Q: I was told that - A stateful NAT66 is the same as a NAT44 with the code extended to work with IPv6 addresses. Maybe a draft would be useful to say it.
A: ESP20 support up to 175k setup/teardowns per second

Q: i like to have ipv6 enabled in our internal network, how can i make sure it's protected from the internet. we currently use ASA 5550. I like to have ipv6 work in parallel to ipv4

Q: How will this affect BGP Tables

Q: where do we download the slides?

Q: So if I am running dual stack - i can't NAT the IPV6 addresses from outside my load balancer to inside my web servers?

Q: Awesome presentation - best overview of NAT64 I've seen.

Q: Pretty Amazing content ! THANKS! Gerry Kaufhold with In-Stat

Q: Was a good presentation, thank you.

Q: I'm the IPv6 zealot at United Airlines! Can't get enough of this stuff!

Q: any extra links for ipv6 migration from ipv4 and dual stack migration options would be much appreciated.

Q: Why is Jimmy always so happy about ipv6?
A: Cause it AWESOME!!

Q: I LOVE CISCO! Thank you!

Q: Hopefully we can watch the presentation (recorded form) and not just see the slides?

Q: is there anyway to get a list of this question/answer session?

Q: Dushyant - Can we advertise the global stateful NAT64 prefix out over OSPFV3, so other devices can forward packets into the ASR 1K for NAT64 translation?
A: Not very sure about this Krishnan i might give you the answer [email protected]