1 Overview

1.1 Objectives

The processing required by NAT is a serious bottleneck at a campus border router; it also limits the ability for people at different institutions to work collaboratively.

In this lab you'll add IPv6 to your campus network.

1.2 Addressing plan

This university was allocated 2c0f:f6d0:1::/48 by RENU out of which we have reserved 2c0f:f6d0:1::/52 for the lab. You'll use the following simple numbering plan for your internal networks:

2c0f:f6d0:1:XYY::/64

where X is your group number, and YY is the VLAN ID in hexadecimal. This gives you the following overall address plan:

Building      Network          VLAN  IPv4             NAT to        IPv6
-             Fallback NAT     -     -                100.64.X.140  -
NOC           Servers          2     100.64.X.0/25    -             2c0f:f6d0:1:X02::/64
NOC           P2P border-core  3     100.64.X.128/30  -             2c0f:f6d0:1:X03::/64
Admin (1)     Wired            10    10.1.0.0/24      100.64.X.141  2c0f:f6d0:1:X0a::/64
Library (2)   Wired            20    10.2.0.0/24      100.64.X.142  2c0f:f6d0:1:X14::/64
Science (3)   Wired            30    10.3.0.0/24      100.64.X.143  2c0f:f6d0:1:X1e::/64
Business (4)  Wired            40    10.4.0.0/24      100.64.X.144  2c0f:f6d0:1:X28::/64
Arts (5)      Wired            50    10.5.0.0/24      100.64.X.145  2c0f:f6d0:1:X32::/64

(Note, for example, that 20 in decimal is 14 in hex: 1 x 16 + 4 = 20.)

This plan allows for up to 256 subnets per group. In real life your institution would get at least a /48 of IPv6 address space, enough for 65,536 subnets.
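As an added illustration (not part of the lab handout), this Python snippet computes the /64 for a given group and VLAN from the XYY rule above and checks that the result lies inside the reserved /52. The building-to-VLAN map is taken from the table, and the ::1 gateway convention follows the router configurations used later in the lab.

```python
import ipaddress

# Lab prefix reserved out of the university's /48 (value from the handout).
LAB_PREFIX = ipaddress.IPv6Network("2c0f:f6d0:1::/52")

# Building -> VLAN ID, as in the lab's addressing table.
VLANS = {
    "NOC Servers": 2,
    "NOC P2P border-core": 3,
    "Admin": 10,
    "Library": 20,
    "Science": 30,
    "Business": 40,
    "Arts": 50,
}


def subnet_for(group: int, vlan: int) -> ipaddress.IPv6Network:
    """Return 2c0f:f6d0:1:XYY::/64 for group X and VLAN YY (YY in hex).

    X occupies one hex digit and YY two, so the fourth hextet is 0xXYY.
    """
    if not 0 <= group <= 0xF:
        raise ValueError("group number must fit in one hex digit")
    if not 0 <= vlan <= 0xFF:
        raise ValueError("VLAN ID must fit in two hex digits")
    hextet = (group << 8) | vlan
    net = ipaddress.IPv6Network(f"2c0f:f6d0:1:{hextet:x}::/64")
    # Every /64 must lie inside the reserved /52; anything else is a typo.
    if not net.subnet_of(LAB_PREFIX):
        raise ValueError(f"{net} is outside {LAB_PREFIX}")
    return net


def build_plan(group: int) -> dict:
    """Map each building to its /64 for the given group."""
    return {name: subnet_for(group, vlan) for name, vlan in VLANS.items()}


def gateway(net: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Router address used on each VLAN in the lab: the ::1 of the /64."""
    return net.network_address + 1


if __name__ == "__main__":
    # Constructed example: print the plan for group 3.
    for name, net in build_plan(3).items():
        print(f"{name:22s} {net}  gateway {gateway(net)}")
```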

2 IPv6 on border

Firstly, you need to turn on IPv6 globally. In configuration mode:

! On your BORDER router
ipv6 unicast-routing

Now you can give your outside interface an IPv6 address. In real life, this would be assigned by your upstream provider out of their address space, and it might be a /126 or /127 point-to-point address.

interface FastEthernet 0/0
  ipv6 address 2c0f:f6d0:1:aaa::22X/64    << replace X with your group number
  ipv6 nd prefix default no-advertise
  ipv6 nd ra suppress all
  ipv6 enable

The no-advertise command says not to use this prefix in router advertisements; the suppress all command says not to send any router advertisements at all. It would be bad form to announce yourself as a router on the uplink, since you are not the default gateway on that network. Note that some older versions of IOS only support ipv6 nd ra suppress without all.

And just like IPv4, you need a default gateway:

ipv6 route ::/0 2c0f:f6d0:1:aaa::254

The strange-looking address ::/0 is equivalent to 0.0.0.0/0 in IPv4.

Once this is done, if your classroom had IPv6 routing you would be able to ping a public IPv6 address like 2001:4860:4860::8888 (Google DNS).

You should however be able to ping the outside address of the routers in other groups.

Next step is to IPv6-enable the link from the border to the core.

! On your BORDER router
interface FastEthernet 0/1
  ipv6 address 2c0f:f6d0:1:X03::1/64
  ipv6 enable

The core router is configured in exactly the same way, except its default route is pointing at your border router.

NOTE: if your core router is a 3750 switch, you need to issue the command sdm prefer dual-ipv4-and-ipv6 routing and reboot before IPv6 will work.

! On your CORE router
ipv6 unicast-routing
interface Vlan 3
  ipv6 enable
  ipv6 address 2c0f:f6d0:1:X03::2/64
  ipv6 nd prefix default no-advertise
  ipv6 nd ra suppress all
ipv6 route ::/0 2c0f:f6d0:1:X03::1

At this point, your core router should be able to ping the border and the lab gateway. A traceroute from the core router should take two hops.

! On your CORE router
ping 2c0f:f6d0:1:X03::1
ping 2c0f:f6d0:1:aaa::254
traceroute 2c0f:f6d0:1:aaa::254

If this isn't working, stop and ask for help.

3 IPv6 deployment

Enabling IPv6 to the end users is actually really easy. For each subnet you have three choices:

3.1 IPv6 with manual configuration

IPv6 manual configuration is a good idea in the early stages of testing. It's also the preferred approach for the server subnet: normally servers are given static IPv6 addresses. Furthermore, we want to deploy IPv6 in a controlled fashion, one server at a time, rather than have them all magically start using IPv6 at once.

So let's do this for your server subnet, which is vlan 2.

! On your CORE router
interface Vlan 2
  ipv6 address 2c0f:f6d0:1:X02::1/64
  ipv6 nd prefix default no-advertise
  ipv6 nd ra suppress all
  ipv6 enable

Again, we have disabled router advertisements entirely.

Now you can manually configure a machine on your server network with an IPv6 address like 2c0f:f6d0:1:X02::10/64 (in Windows, use IPv6 Properties), and a default gateway of 2c0f:f6d0:1:X02::1.

You should be able to ping and traceroute out, like you did from the core router. Ask for help if this does not work.

3.2 IPv6 with SLAAC

Deployment with SLAAC is really easy because it is enabled by default. Configuring an IPv6 address on the router interface will automatically announce the prefix via Router Advertisements, and clients will use it to auto-configure.

! On your CORE router
interface Vlan 10
  ipv6 address 2c0f:f6d0:1:X0a::1/64
  ipv6 enable

That's it. Clients will now pick up an IPv6 address and default gateway.

However they won't yet know which DNS server to use. There is a way to announce DNS server settings through Router Advertisements, called "RDNSS", which you can also enable easily under the interface configuration:

interface Vlan 10
  ipv6 nd ra dns server 2c0f:f6d0:1:aaa::241
  ! Repeat if you have more than one DNS server

Unfortunately, not all clients understand these announcements - and in particular, Microsoft Windows does not.

This means that to get clients to auto-configure you need to run stateless DHCPv6 service on the router, and you need to set the "other-config" flag in your router advertisements.

ipv6 dhcp pool dns-pool
  domain-name ws.nsrc.org
  dns-server 2c0f:f6d0:1:aaa::241
  ! Repeat if you have more than one DNS server

interface Vlan 10
  ipv6 dhcp server dns-pool
  ipv6 nd other-config-flag

Once you have done this, even Windows machines connected to Vlan 10 should automatically configure both an IPv6 address and IPv6 DNS settings. Use ipconfig /all to confirm.

3.3 IPv6 with Stateful DHCPv6

There are some problems with SLAAC for address assignment. Most clients implement "privacy addresses", which means that they pick a new, random IPv6 address every few hours. This makes logging and tracking activity on your network very difficult. You also lose the logs you would have had from your DHCP server.

So many sites (especially campuses) choose to run DHCPv6 instead.

To do this, you need to set the "managed config flag" in router advertisements. Furthermore, you need to run a DHCPv6 server, and this server must have an IPv6 address (you can't forward DHCPv6 over IPv4).

So firstly, you need to enable IPv6 on your VM. Add this to /etc/network/interfaces, as usual changing X to your group number:

iface eth0 inet6 static
    address 2c0f:f6d0:1:aaa::X/64
    gateway 2c0f:f6d0:1:aaa::254

Then use ifdown eth0; ifup eth0 (all on one line) to reinitialise eth0. Use ifconfig eth0 to check it has both v4 and v6 addresses. Check you can ping it from your core router on its new IPv6 address.

Next, create a file /etc/dhcp/dhcpd6.conf

ddns-update-style none;
option dhcp6.name-servers 2c0f:f6d0:1:aaa::241;
option dhcp6.domain-search "ws.nsrc.org";

default-lease-time 3600;
max-lease-time 7200;

log-facility local7;

subnet6 2c0f:f6d0:1:aaa::/64 {
}

# vlan 20 range
subnet6 2c0f:f6d0:1:X14::/64 {
  range6 2c0f:f6d0:1:X14::100 2c0f:f6d0:1:X14::fff;
}

After creating this file, start the dhcp6 server and look for errors:

# service isc-dhcp-server6 start
# tail -25 /var/log/syslog
# ps auxwww | grep dhcp

You should see two dhcpd processes, one for IPv4 (-4) and one for IPv6 (-6):

dhcpd     1701  0.0  0.9   7608  4604 ?        Ss   19:45   0:00 dhcpd -user dhcpd -group dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf eth0
dhcpd     1843  0.0  0.7   6612  3648 ?        Ss   19:49   0:00 dhcpd -user dhcpd -group dhcpd -f -q -6 -pf /run/dhcp-server/dhcpd6.pid -cf /etc/dhcp/dhcpd6.conf eth0

Now you are ready to configure your core router to forward DHCPv6 requests to it.

! On your CORE router
interface vlan 20
  no ipv6 dhcp server
  ipv6 dhcp relay destination 2c0f:f6d0:1:aaa::X
  ipv6 nd managed-config-flag
  ipv6 address 2c0f:f6d0:1:X14::1/64
  ipv6 nd prefix default no-advertise
  ipv6 enable

Note that DHCPv6 has no "default gateway" option, and therefore we must have Router Advertisements running, because this is the only way the client can find its default gateway. The "managed config" flag tells it that it should use DHCPv6 to acquire an address.

The "no-advertise" line is optional, but prevents a badly-behaved client which ignores the managed config flag from using SLAAC.

Now disconnect and reconnect a client on vlan 20 and check if it picks up an IPv6 address and DNS settings via DHCP.

To debug, on your VM you can use tcpdump to show whether DHCPv6 requests are coming in, and whether replies are being sent out.

# tcpdump -i eth0 -nn -s0 -v udp port 547

Repeat for the other vlans in your network; you will need to add further subnet declarations in your dhcpd6.conf file.
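As an added example rather than the lab's own file, this Python function renders a complete dhcpd6.conf from a map of VLAN IDs to their /64s, reproducing the structure above (global options, the empty subnet6 for the server's own 2c0f:f6d0:1:aaa::/64, and one pool per client VLAN with the ::100 to ::fff range), so the extra subnet declarations are generated rather than typed by hand. The client networks are passed in as prefix strings.

```python
import ipaddress

# Values taken from the lab handout: the DHCPv6 server's own subnet and the
# DNS settings handed to clients.
SERVER_SUBNET = "2c0f:f6d0:1:aaa::/64"
DNS_SERVER = "2c0f:f6d0:1:aaa::241"
DOMAIN = "ws.nsrc.org"


def range6_for(net, first=0x100, last=0xFFF):
    """Lease range inside one /64: ::100 to ::fff, as in the vlan 20 example.

    Low host numbers (::1 for the router, ::10 and up for statically
    addressed servers) stay outside the pool so leases cannot collide with them.
    """
    net = ipaddress.IPv6Network(net)
    if net.prefixlen != 64 or not 0 < first <= last < 2 ** 64:
        raise ValueError("expected a /64 and a range within its host part")
    base = net.network_address
    return base + first, base + last


def render_dhcpd6(client_nets):
    """Render dhcpd6.conf for {vlan_id: "/64 prefix"}.

    The empty subnet6 for the server's own subnet is required: ISC dhcpd only
    answers on an interface whose subnet appears in the configuration.
    """
    lines = [
        "ddns-update-style none;",
        f"option dhcp6.name-servers {DNS_SERVER};",
        f'option dhcp6.domain-search "{DOMAIN}";',
        "",
        "default-lease-time 3600;",
        "max-lease-time 7200;",
        "",
        "log-facility local7;",
        "",
        f"subnet6 {SERVER_SUBNET} {{",
        "}",
    ]
    for vlan, net in sorted(client_nets.items()):
        lo, hi = range6_for(net)
        lines += ["", f"# vlan {vlan} range",
                  f"subnet6 {ipaddress.IPv6Network(net)} {{",
                  f"  range6 {lo} {hi};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example for group 3: vlans 20 and 30 from the address plan.
    print(render_dhcpd6({20: "2c0f:f6d0:1:314::/64", 30: "2c0f:f6d0:1:31e::/64"}))
```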

4 Server rollout

Now you have IPv6 working for clients.

In a real network, you would deploy IPv6 incrementally to your servers.

Beware: for mail servers you should ensure you have reverse DNS correctly configured, as many servers on the Internet (including GMail) will reject mail from IPv6 sources which don't have reverse DNS.

If you have your own DNS caches you should definitely IPv6-enable these early on, so that clients can make DNS queries over IPv6.

5 NAT optimisations

Even if you don't deploy IPv6, there are some tweaks you can make to improve the performance of your NAT.

5.1 Local DNS caches

Make sure you install a local DNS cache inside your network (preferably two for resilience). It should have a public IP address. Then make your clients use this instead of your ISP's DNS caches.

This ensures that all DNS traffic is NAT-free.

If you don't do this, then every single DNS query will create a new entry in your NAT state table.

5.2 NAT timeouts

You can show how many NAT states you have using show ip nat statistics, and the raw translation table using show ip nat translations. If this table gets too large your router may run out of RAM.

You can reduce the size of the NAT tables by reducing the NAT timeouts. This mostly affects UDP services, since TCP NAT states are cleaned up shortly after the end of the TCP connection anyway.

These can be changed using the ip nat translation commands.

The default TCP timeout is 86400 seconds; UDP is 300 seconds; and most of the others are 60 seconds. So you may wish to reduce them like this:

! On the BORDER router
ip nat translation tcp-timeout 9000
ip nat translation udp-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30

You could consider setting the tcp-timeout to something more aggressive, like 600 seconds. The negative impact of this is that if someone keeps open a long-running TCP session (like an SSH or VNC connection), it will drop after 10 minutes if it is idle.

The workaround for SSH is to use an option like -o ServerAliveInterval=500.

OpenSSH enables TCP KeepAlives by default, but the interval is configured globally in the operating system and normally defaults to 2 hours [1]. Hence 9000 seconds (2.5 hours) is a good choice for the NAT TCP timeout.

5.3 Deploy public IP addresses as much as possible

If you join AfriNIC you can make an application for public IPv4 addresses. This needs to be supported by an addressing plan listing all the subnets where you will deploy them and the number of machines on each subnet. Apart from deploying IPv6, this is really the only way to avoid the problems of NAT. Apply now before they are all gone!


[1] Linux: cat /proc/sys/net/ipv4/tcp_keepalive_time