Transcription

Session Name: NAT64 Technical Deep Dive

Question
Answer
ETA for Stateful NAT64?
ASR1k is now shipping stateful NAT64 starting with release XE3.4
Also, will NAT64 (stateless/stateful) ever be available on IOS (ISRs)? If yes - ETA?
ISR is likely to support NAT64, but I have not seen any official announcement on this yet
does 7206 vxr support ip v6
7206 vxr supports IPV6 but NAT64 is not supported there.
Is there an ETA for NPT (Network Prefix Translation)?
answered in later response
Thanks Cheryl - didn't realize stateful NAT64 was already out.
Yes, XE3.4 was posted on CCO 7/25/11
To get NAT64 capability this would be a software update for our existing devices (like ASAs or L3 switches for example)?
I do not believe ASA currently supports NAT64. It is supported on ASR1k XE3.4 released end of August
what is the NAT64 capability difference between a CGN module on CRS-1/3 and an ASR1006 with ESP20/40?
I can not comment on CRS, but ESP20/40 support 2M stateful NAT64 translation at 5.5 Million packets per second
Session Number: 206151477
Date: Wednesday, September 14, 2011
Starting Time: 11:28 AM
In looking at IPv6 and NAT64, one of the issues of concern was the availability of something to proxy IPV4 to IPv6 DNS....i.e. what to
pass as a DNS AA record to an IPv6 host to reach an IPv4 host via NAT. Does Cisco have a solution for this DNS64 need?
as of now we are using OPEN source DNS64 to convert the queries.
In looking at IPv6 and NAT64, one of the issues of concern was the availability of something to proxy IPV4 to IPv6 DNS....i.e. what to
pass as a DNS AA record to an IPv6 host to reach an IPv4 host via NAT. Does Cisco have a solution for this DNS64 need?
we don't have any solution out as of now for DNS64
Any plans for NAT66 or NAT46?
these are being considered for ASR1k roadmap, but are not currently official in plan
Regarding NPT (RFC 6296) authored by Cisco employee, if you don't know ETA can you refer me to someone? I have heard this is
planned but have been unable to get further info.
NPT is being considered for the ASR1k roadmap, but is not official in plan at this time.
Support on FWSM?
sorry we do not know the plans for that platform.
I have clients that have an IPV4 inside network but have an IPV6 outside IP. Will NAT64 allow us the ability to NAT/PAT the inside IPv4 private IP to the IPV6?
We do support this kind of translation with Static Mapping as of now in our NAT64 solution
Will FWSM support NAT64
sorry we do not know the plans for that platform.
Does ASR 1K support Stateful NAT 64 in HA mode (hot standby) ?
Yes
To run NAT64, does it require any limitation per node?
No, I assume you are asking about the number of sessions per host?
how about 3845 does it support nat64
No 3845 does not support NAT64
impact of converting on VoIP
VOIP will come under ALGs and right now we don't support VOIP ALGs with NAT64; the only supported ALG is FTP, but other ALGs are in our roadmap.
When will the ASA code see NAT64
sorry we don't know the plans of that platform. As of now only ASR1k and CRS support NAT64
Which DNS64 open source solution are you using?
Viagenie
Is there support in NX-OS for NAT64?
As I understand it, the ASA will allow the creation of IPv6 addresses to be IPSEC tunneled within IPv4 packets with the creation of
8.4. I have successfully tested native IPv6 tunnels but have not yet tried to see if I can tunnel IPv6 through IPv4 tunnels
sorry we do not have ASA expertise among the panelists
Currently ASR 1K supports NAT 64 translation logging over Netflow. How about Syslog integration ?
No committed plans for syslog integration as of yet, but in the roadmap
ipv6 voice packets - impact
VOICE packets like SIP/Skinny/h323 will need ALG support with NAT64, it's not available as of now but it's in the Roadmap.
What would be magical numbers per node to run NAT64? Just approx..
If you are asking about scaling, ASR1k on ESP20 supports up to 2M stateful translations
Virginia Tech is also running IPv6, they're the first ones in US.
Thanks for the info
So, as an enterprise, who would like to start testing IPv6 in the internal environment, would it be right to say that as of now, with a Cisco 2951, I could use NAT-PT?
Support for NAT-PT was withdrawn; if you want to use an IPv4 <-> IPv6 translation, then using NAT64 is recommended using a platform like ASR1k or CRS.
and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from
Proposed Standard to Historic status
So I guess that NAT64 does not support inbound NAT to an IPV4. Example I have IPV6 outside IP but our DMZ is IPv4. Can we do an inbound NAT so users can reach our website in our DMZ?
NAT64 on ASR1k does support IPv4 initiated traffic, but only in a limited scope. What is supported is static v6v4 mappings which allows IPv4 initiated traffic.
Is NAT64 supported on 4500 sup6? in hardware?
No, it's not supported in 4500.
bandwidth bogged down by ipv6 versus ipv4
please clarify. this question is not clear
is nat64 only supported on ASR 1000, any other devices
ASR1k and CRS CGN
If I am running an ASA and a 3750 layer 3 switch in my environment, for example, what is my migration path to being able to develop a network with an external IPV6 address NAT'd over to a multi-VLAN IPV4 internal environment?
Nothing smaller than ASR-1k?
Nothing as of now. Only ASR 1k and CRS support NAT64 as of now
so the ASR 1K is the recommended platform for where you want NAT64 and currently use 7206VXR's?
Yes ASR1k is the best choice in this case.
Or a switch/fw?
None of the switches support NAT64 as of now.
Is it possible to get an ETA for NAT64 support in IOS (e.g. ISR/ISR G2s)?
5.5 M packets per second is based on which packet size? 64, or hybrid?
it's with packet size 68.
For Dual-Stack technologies, do you see Dual-Stack PPP on the broadband access networks playing a big role in transitioning to
IPv6?
It really depends on the network design to be honest. For some folks that have older devices it'll be big
NAT64 and the ASA Services module for the C6500?
Are there any configuration examples available to configure tunnelling and translation (i.e. NAT64) for the ASR1001?
Are you asking is this supported?
Yes you can go to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11676278.html
In FWs, what Codes are being supported for NAT64?
We don't support firewall with NAT64 as of now; this code is in testing as of now and will be out in another 4-5 months' time.
What product will be positioned for NAT64 support for the SMB market?
You might want to consider ASR1001
Do you recommend an IPAM solution for deploying IPv6?
I sure do and use one for my networks because the space is so large and we have so many options
Can you pls send me a link that explains NAT 64 HA (hot standby) mode. The docs only indicate cold standby support for NAT 64...
Thanks.
Sorry, I realized that HA hot standby is due in the next release which is in testing now
Is DNS64 embedded into the ASR1001 or does it rely on a BIND server to perform DNS64?
DNS64 is in roadmap for ASR1k, but NAT64 is currently being deployed with an external box as the DNS64
I have Cisco 7201 at the edge, Cisco ASA 5550 as firewall and CISCO ACE 4710 as a Lbalancer. For me, how is it possible to deploy IPV6? NAT64 isn't supported on 7200/asa/ace. Dual-stack won't work either, as ACE has no IPV6 support. No ipv6 is possible?
We do support IPV6 in 7200 but yes with all these Boxes you can't do NAT64.
what is QFP
qfp is quantum flow processor used in ASR!!
This is all brand new gear (under 1 year old) and I could never get ipv6 up on our internet site, but I do have ipv6 transit delivered.
Are you dual stacking? How is your DNS AAAA records config'ed?
and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from
Proposed Standard to Historic status
rfc 6144, 6145
and anyone tell me what the RFC for this is - I am concerned since the RFC 4966 states that IETF should reclassify RFC 2766 from
Proposed Standard to Historic status
apologize, 6145 & 6146 - the references are in the slide deck
These are web servers
We use a top level DNS server and several lower level DNS servers. Is NAT64/DNS64 additional to existing DNS infrastructure or does it have to replace the top level DNS server?
DNS64 support is a must on your server; you have to check with the DNS server vendor if they support DNS64, but yes, open source DNS64 servers are available.
So NAT64 does not support on asa?
not at this time, but we are not sure; the panelists are not aware of their roadmap
Will NAT64 be eventually supported on a Cat6509E with Sup720?
sorry the panelists are not familiar with the roadmap of this platform
because ipv6 has more info in packets, i heard that the bandwidth is divided by 2
Meh...Really depends more on the internal architecture than anything else. Some gear dividing by 10 will be required! Not Cisco stuff of course...
Are there plans for NX-OS support for NAT64?
sorry the panelists are not familiar with the roadmap of this platform
If ISP delivers dual stack via single circuit, can the ASR pass-through the Internet IPv4 traffic while NATting only Ipv6 for inside
enterprise use?
Yes if IPV4 traffic is just pass-through everything will work and you can have NAT64 only for your V6 network, but on the same ASR we don't recommend NAT44 and NAT64 together.
Can we NAT our IPv4 addresses to IPv6 at our Internet connection with an ASA or router?
ASA does not currently support NAT64. ASR1k does support some IPv4 initiated translation via static v6v4 mappings
What does QFP stand for?
Quantum flow processor
Since ASR 1K does not support hot standby HA for now, do you recommend a combination of HSRP design with cold standby ?
ASR1k will support hot standby intrabox redundancy in XE3.5 which is targeted the end of November of this year. NAT64 box-to-box is a high priority in our roadmap, but you should be able to achieve redundancy via HSRP until then
Is it supported on 6500 sup 720
No as of now we only support NAT64 on ASR and CRS
Are there any performance improvements/detriments in running ipv6 over ipsec/gre based vpn tunnels?
Tunneling will always add a little overhead to the entire process
nat64 for 6500 series switches?
Not supported as of now; only ASR and CRS support NAT64 today
Today internet has almost 415554 IPV4 prefix which is already a challenge to maintain in BGP table, how will IPV6 help in this direction, will IPV6 worsen the situation ?
Yeah no kidding...That is rough. LISP helps some, but honestly, it's going to get much worse
Is NAT-PT still supported in IOS (even though it's deprecated by the IETF)?
NAT-PT is no longer supported in IOS
You said "DNS64 is in roadmap for ASR1k, but NAT64 is currently being deployed with an external box as the DNS64". What do you mean by external box? BIND server?
yes with external box we mean the DNS server from any vendor or open source DNS64 running on a
linux box.
Dushyant -- Is there any way to deploy ipv6 at all? I can do nat-pt on the 7201, but as far as I can tell the dual-stack strategy doesn't work either due to lack of IPV6 support for native on the ACE 4710?
Paul if you want to convert IPV6 network to IPV4 you've to use any box like ASR1k or CRS, but without that i'm not sure how you will achieve it.
if these large networks (AT&T, Comcast etc.) move to IP6 natively, won't that free up huge blocks of IP4 addresses returning them to the available pool?
IF they turn them back in. They are under no obligation to do so
that is what they said in the IPv6 web conference that we attended earlier this week and still nothing there.
Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
Scenario 4 is for v4 network to a v6 internet
Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
which is towards the end of the transition
dushyant - The last input I found was this (https://supportforums.cisco.com/servlet/JiveServlet/download/4628026821/Microsoft_Word-ACE_IPv6_Statement_of_Direction_Nov_2008_IR.pdf) but as far as I can tell it was never implemented in ACE? (for native Dual-
Paul this talks about the IPV6 support on ACE, i'm not much aware about ACE but yes V6 to V4 conversion will not be there for sure. i think you can write your doubt to me on this offline sometime [email protected]
When was RFC 6145 published, April 2011?
yes, that is correct
What were the protocols supported by Stateful NAT64 again? I couldn't write fast enough....;-)
Stateful nat64 can support all protocols - but for conserving IP address doing NAPT TCP/UDP/ICMP
are supported
is there an ipv6 to ipv6 nat?
there is and is being considered for the asr1k roadmap
dushyant - or will nat64 come to the 7200/IOS 15 first? I would deploy either at this point.
the panelists are not familiar with the IOS roadmap
Can these services run on ASA as well, or just ASR 1k?
currently only on asr1k and crs
Will the 6 to 4 work on ASR using firewall module and zone-based firewalls?
Not with the current released code, but IPv6 Firewall support on ASR1k is a very high priority and expected soon. When it is supported the scenario you described would be supported
When can we expect ACE to support IPv6?
Can you please clarify what you mean by ACE as I have multiple definitions for that and I'm not sure which you are referring to
When can we expect ACE to support IPv6?
Next Thursday. Just kidding. The best person to ask would be your Cisco AM and/or SE
if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?
what cisco firewalls and load balancers support nat64
ASR1k Firewall IPv6 and interworking with NAT64 is currently in works and should be available in the
near future
What flavour of DNS64 was used in Cisco testing?
I am not sure what they use. But I use Ecdysis in my labs
are there any plans to support nat64 on the 4500 in the future? timeline?
the panelists do not have much idea on 4500 roadmap.
Will we have access to these slides after this presentation?
You'll get emailed a link to this presentation
does that do content load balancing also?
I'm not sure of that, so am sending this privately in case one of the other panelists knows the answer
with which DNS servers is the ASR NAT64 implementation supported?
Any DNS64 server will work with NAT64, we have tried it with OpenSource DNS64 like Ecdysis
what release on ASR 1000 would have IPv6 support?
IPv6 has been supported on ASR1k for a long time. Stateful NAT64 support was added XE3.4 August 2011
What are the current known limitations of NAT64
Buy an ASR1k, of course. :) Besides translation the other two main solutions are dual stack lite and tunneling
Stateful NAT64 has similar limitations as any type of NAT, but the main one is that it is designed primarily for IPv6 initiated traffic. ASR1k does support limited IPv4 initiated traffic via v6v4 static mappings
what changes are required on V6 hosts to support stateless NAT64?
For stateless NAT64 you need to have the IPV6 address which can be converted to IPV4 directly. I guess RFC 2464 talks about this ... also called as IPV4 embedded IPV6 address.
what is the pps if we use RFC standard mixed size packets for test?
With ESP20 on ASR1k, you could expect 5.5MPPS for stateful NAT64.
would 2941 MWR support NAT64, or the element hast to be replaced with ASR 1000?
Only ASR1k and CRS supports NAT64 as of now.
What is the best solution for me if I don't have an ASR1k?
if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?
Thru a LB yes it would for sure
Who can verify if/when the ASA platform will support NAT64?
Honestly, your Cisco AM and/or SE is the best person to do this.
So IPv4 initiated PAT to IPv6 is intentionally left out of the RFC and unsupported by the standard, but IS supported by ASR1K?
You are correct that IPv4 initiated PAT is out of RFC. It is *not* supported by ASR1k. But ASR1k does support v4 initiated via static mappings
do you mean with any packet size, it can reach 5.5MPPS?
No we have measured this 5.5 MPPS with packet size ~70-80 B
Is there a doc or whitepaper which outlines the complete solution including the DNS config and ASR config
Our testing was with small packets which is our worst case. Larger packets would be handled at the same rate until we start hitting bandwidth issues on the network
This is the doc which talks about the configuration but we don't have any specific DNS64 solution as of now, you need to check different Vendors like Microsoft or Open source DNS64 server like Ecdysis http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6
Is there a doc or whitepaper which outlines the complete solution including the DNS config and ASR config
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11676278.html
in other words, just limited by ESP20, 20Gbps?
y
do you mean with any packet size, it can reach 5.5MPPS?
I thought IPv6 would remove the need to NAT :)
I thought IPv6 would remove the need to NAT :)
Maybe it would if everything were IPv6.
Remove the need for NAT as a means to save address space...
True for v4. In v6, we use it to translate back and forth. Once v4 is the minority this will be less and
less of an issue
What is the point of the NVI (NAT Virtual Interface) - is there anything we can do with it?
NVI is just an interface which will not be configurable, it'll be created with NAT64 configuration and
internally we forward packets which need the NAT64 translations to NVI.
great! Thanks. Just feel 2M connections are low for mobile clients solution
That is the current limitation for ASR1k. CRS supports much higher and ASR1k will support much higher
Application Control Engine
I don't know if you intended to reply to mine with that answer, but I do have dual stack today, and would use that instead of
NAT64, but ace does not support ipv6.
We are working on this one. I know it sucks, but it's coming!
can only items to the stateful prefix (and not the iana global nat64 prefix, or a subset of it) be handled statefully?
ASR1k stateful NAT64 traffic must have either the configured NAT64 prefix or the Well Known Prefix defined in the standards; this must be the prefix for how IPv4 hosts appear in the ipv6 network
not sure if i understand it correctly, but we need to configure stateful Prefix in asr1k to tell which
prefix address it has to translate, only WKP (well known prefix) will be translated without
configuration
i see the QFP deployed only on ASR1000, and it is not on any other box? would this box also support SAToPSN and CESoPSN?
QFP is only on ASR1k. As to support of the other items I would ask a more general marketing person
as we are very NAT focused
Yeah, the NAT statement was in regards to Sev Kelians statement about NAT not being needed anymore
Groovy man!
Can we get the slides for this?
cost a dollar
Can we advertise the IPV6 stateful prefix (which has an NVI table entry) thro' any routing protocol (like OSPFV3) ?
We don't configure anything on NVI interface, so the stateful prefix should have a route via any routing protocol to tell the ASR1k where it has to forward the packet.
can only items to the stateful prefix (and not the iana global nat64 prefix, or a subset of it) be handled statefully?
I don't see any examples in the diagrams with loadbalancers - are there designs with this included?
Do you have a list of Netflow Collectors which support the enhanced Netflow v9 packets the ASR 1k generates?
if you plan to run dual stack is there any need for NAT?
NAT you will be needing in that case too, to convert Private IP's to Public IP's isn't it.
Sweet
You'll get an email link to this stuff
Will John Madden be supporting IPv6?
In the Brett Favre edition
But IPV6 NAT is IPV6 to IPV6 correct?
There is no IPV6 to IPV6 nat ... NAT44 will convert IPV4 to IPV4 you can convert private add to public
add and NAT64 is to convert the Packets from IPV6 add to IPV4 add.
hsl debug? The others all seem self-explanatory but not sure what that does.
hsl is high speed logging used to collect the information about the NAT translations like
port/ips/time/protocol etc....HSL logging is just the name we use.
Link to slide set?
Really what is nat66?
I'm not really sure about the NAT66 thing...Cheryl might answer this one..
How do we make other external devices aware of the IPV6 stateful NAT prefix (configured on the ASR 1K) other than static routes ?
Not sure if i'm understanding it correctly. but in Stateless NAT64 solution you need to have a Static route with "nat64 route ...." CLI, but in Stateful nat64 you basically translate the IPV6 network to IPV4 network so you mainly send the traffic from IPV6 Network and if you are initiating the traffic from IPV4 to IPV6 you must need static NAT64 configuration which will do the job.
How do we make other external devices aware of the IPV6 stateful NAT prefix (configured on the ASR 1K) other than static routes ?
Are there any protections for DoS Attacks with Stateful NAT64?
Stateful NAT64 is not a Firewall, but does have some security aspects to protect itself. In particular, it only creates translations which match ACLs. There are also several internal protections which are part of the design
What ASR IOS support these new Features
We support Stateless NAT64 from XE3.2 and Stateful support is available from 3.4
are the nat64 statistics available to monitor via snmp?
not at this time, but it is in the roadmap
what is the rate of connection setups/second?
ESP20 support up to 175k setup/teardowns per second
I was told that - A stateful NAT66 is the same as a NAT44 with the code extended to work with IPv6 addresses. Maybe a draft would be useful to say it.
i like to have ipv6 enabled in our internal network, how can i make sure it's protected from the internet. we currently use ASA 5550. I like to have ipv6 work in parallel to IPv4
How will this affect BGP Tables
where do we download the slides?
So if I am running dual stack - i can't NAT the IPV6 addresses from outside my load balancer to inside my web servers?
Awesome presentation - best overview of NAT64 I've seen.
Pretty Amazing content ! THANKS! Gerry Kaufhold with In-Stat
Was a good presentation, thank you. I'm the IPv6 zealot at United Airlines! Can't get enough of this stuff!
any extra links for ipv6 migration from ipv4 and dual stack migration options would be much appreciated.
Why is Jimmy always so happy about ipv6?
Cause it's AWESOME!!
I LOVE CISCO!
Thank you!
Hopefully we can watch the presentation (recorded form) and not just see the slides?
is there any way to get a list of this question/answer session?
Dushyant - Can we advertise the global stateful NAT64 prefix out over OSPFV3, so other devices can forward packets into the ASR
1K for NAT64 translation ?
Not very sure about this Krishnan i might give you the answer [email protected]
