linkproof ipv6 prefix-nat
Post on 16-Oct-2021
North America
Radware Inc.
575 Corporate Dr., Lobby 1
Mahwah, NJ 07430
Tel: (888) 234-5763
International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666
www.radware.com
LinkProof
IPv6 Prefix-NAT
Technical Whitepaper
Version 6.20
October 1, 2011
LinkProof version 6.20 IPv6 Prefix-NAT Whitepaper
Date: October 1, 2011
Table of Contents
Regular IPv4 WAN Load-balancing
IPv6, NAT, and Radware Prefix NAT
  IPv6-Address Structure
    GUA Structure
    ULA Structure
  Load-Balancing Traffic Across IPv6 WAN (or Internet) Connections
  Prefix-NAT Entry Parameters
  Configuring Prefix-NAT Using Web Based Management
  Configuring Prefix-NAT Using CLI
IPv6 Prefix-NAT Calculator
  Motivation
  Usage
VRRP Configuration with IPv6 Prefix-NAT
  Ensuring Proper Connectivity
  IPv6 Prefix-NAT Address Range
  VRRP Associated IP Addresses
  VRRP Configuration Steps
    Disabling VRRP
    Interface Grouping Considerations
  Full Configuration Flow of VRRP Setup with IPv6 and IPv6 Prefix-NAT
  VRRP with IPv6 Prefix-NAT Example Configuration
Regular IPv4 WAN Load-balancing

In a regular IPv4 WAN load-balancing deployment, LinkProof uses NAT for both outbound and inbound
load balancing.
Depending on the needs of the network administrator, LinkProof can load-balance at Layers 2, 3, 4,
or 7. For transparent firewalls (those that operate at Layer 2), LinkProof can redirect client requests
to the MAC address of the router. For proxy-based firewall/routers, LinkProof can use Virtual
Addresses, which contain the firewall/router's actual address and any applicable NAT addresses.
When load balancing across multiple links (for example, links to several ISPs), LinkProof uses
Dynamic NAT for outbound connections and Static NAT/Static PAT for inbound connections.
Combining this NAT with DNS, LinkProof can perform load balancing in both directions.
Figure 1 shows the topology that LinkProof uses. The topology is also common to multi-homing
solutions. If the clients access the Internet via ISP A, they are visible with one of the IP addresses
in 1.2.3.X/25 (for example, 1.2.3.10/25) assigned by ISP A. If the clients access the Internet via
ISP B, they are visible with a public IP address of ISP B (for example, 4.5.6.10/25). LinkProof
therefore assigns Dynamic NAT addresses to outbound traffic and uses the Static NAT feature for
inbound addresses. All NAT on LinkProof is configured using the SmartNAT feature set.
Figure 1: Example LinkProof or Multihoming IPv4 Topology
IPv6, NAT, and Radware Prefix NAT

Internet Protocol version 6 (IPv6) is a network layer protocol for packet-switched internetworks. It is
designated as the successor to IPv4, the current version of the Internet Protocol, for general use on
the Internet.
NAT in its original form does not exist in IPv6: because of the enormous address space, there is no
need to hide or replace internal addresses with external ones. In addition, many of the problems
associated with NAT traversal (UDP, IPsec, and so on) were considered irrelevant when IPv6 was
designed. For these reasons and others, NAT was not planned or standardized in IPv6 when this
paper was written, although drafts existed. The closest standardized mechanism, IPv6-to-IPv6
Network Prefix Translation (NPTv6, RFC 6296, published as Experimental in June 2011), is a
stateless prefix-rewriting scheme similar in spirit to what this paper describes.
To perform true load balancing in IPv6 (replacing addresses, sending traffic to various ISPs, and
balancing the load among them), Radware devised Prefix-NAT.
Using internal and external IPv6 addresses requires the following:
- Unique Local Addresses (ULAs) have already been configured by the network administrator.
  The administrator must ensure that the internal IPv6 network (the network behind the LinkProof
  device) uses internal addresses as described in RFC 4193. In this paper the ULAs are written in
  the form FC00:AAAA:BBBB:CCCC:0001:0002:0003:0004.
  Note: From the perspective of network design, the logic is analogous to RFC 1918 in IPv4, where
  the use of internal IP addresses is recommended. Note also that RFC 4193 sets the L bit to 1 for
  locally assigned prefixes, so ULAs generated according to the RFC fall in FD00::/8; the FC00:...
  addresses in this paper's examples are illustrative.
- Each external router is assigned a public IPv6 address, that is, a global unicast address (GUA).
IPv6-Address Structure
An IPv6 address is 128 bits long, in the format 2020:1020:1001:1000:0001:0002:0003:0004.
As defined by IANA, the following two ranges are allocated:
- Global Unicast Address (GUA): 2000::/3
- Unique Local Address (ULA): FC00::/7
GUA Structure
Figure 2 shows the GUA structure. The global routing prefix is allocated by the Internet Assigned
Numbers Authority (IANA) to the Regional Internet Registries, which assign it to Internet Service
Providers. The site-level aggregator (SLA), or subnet ID, is assigned to a customer by the service
provider. The LAN ID represents individual networks within the customer site and is administered by
the customer. The Host or Interface ID has the same meaning for all unicast addresses. It is 64 bits
long and is typically created using the EUI-64 format.
Figure 2: Global Unicast Address Structure
Note: Customers are typically assigned IPv6 prefixes between /48 and /64. The longest subnet prefix
(that is, the smallest network) is /64, somewhat analogous to a class C network in IPv4. A /48 prefix
is dedicated by the ISP to a single customer site.
ULA Structure
Figure 3 shows the Unique Local Address structure.
Figure 3: Unique Local Address Structure
Load-Balancing Traffic Across IPv6 WAN (or Internet) Connections
GUAs and ULAs share the same structure: a network prefix followed by a 64-bit interface ID. Because
the low 64 bits of an internal address and of its external counterpart are identical, only the prefix bits
(the first 48 bits in the simplest case) need to be exchanged. Using this property, the same prefix
manipulation can be used to load-balance traffic across IPv6 WAN (or Internet) connections.
Note: Due to the nature of the IPv6 address scheme, the following scenario presents a simplified
approach. According to IANA, the LIR/RIR address assignment should be /48 for subscribers
(including private housing). This lets each subscriber configure about 2^16 (65,536) /64 networks.
The numbers are immense, so the scenario uses a simple address scheme based on IPv6 subnetting.
Consider the following scenario, which is shown in Figure 4.
LinkProof is connected to two IPv6 service providers:
- ISP A dedicates the following public addresses: 2030:2020:1000::/48
- ISP B dedicates the following public addresses: 2040:1020:2000::/52
The network administrator has followed IANA recommendations and has subnetted the internal
network using ULA.
The subnetting of the external routers has resulted in the topology shown in Figure 4.
Figure 4: Example LinkProof IPv6 Topology
Notes:
- The use of the /55 prefix to subnet the /48 network is completely arbitrary. In real life, subnetting
  is usually based on the need for free networks as well as the existing topology.
- The Prefix-NAT feature supports network ranges from /64 to /48.
- Prefix-NAT is allowed as long as the number of internal IPv6 addresses is smaller than or equal to
  the number of external IPv6 addresses, that is, the internal prefix length must be greater than or
  equal to the external prefix length. For example, when the external router is configured with a /64
  range, using a ULA /48 for Prefix-NAT is not allowed. When the public IPv6 address range of the
  external router is /59, using a ULA /59 for Prefix-NAT is allowed.
- The translation is done per address, and only the prefix bits change. For example, the ULA
  fc00:1002:fc01:3000:2000::1001/48 is translated on the external interface using
  2030:2020:1000::/48 as 2030:2020:1000:3000:2000::1001.
Based on the topology displayed in Figure 4, Table 1 lists the LinkProof interface definitions:
Table 1: LinkProof Interface Definitions for Example IPv6 Topology
Role          IP Address                      Prefix Length  IF    VLAN Tag  Status     Peer IP Address  Preferred/Valid Lifetime
ISP B         2030:1020:2000:a0::1001         59             G-11  0         Preferred  ::               Infinite
ISP A         2030:2020:1000:200::1001        55             G-5   0         Preferred  ::               Infinite
Internal LAN  fc00:1002:fc01:3000:2000::1001  59             G-2   0         Preferred  ::               Infinite
Table 2: Router Definitions for Example IPv6 Topology
Farm Name    Router Name  IP Address                OperStatus  Weight
IPv6Routers  ISP A        2030:2020:1000:200::1000  Active      1
IPv6Routers  ISP B        2030:1020:2000:a0::1000   Active      1
Notes:
- In the example, the routers have all been defined in a single Router Farm.
- The routers are all set as Active, although this is not necessary for the feature to work.
- In LinkProof 6.20 and later, the LinkProof administrator can configure how the internal clients
  access the public Internet. To do this, the administrator uses the Web Based Management (WBM)
  GUI to create an entry in the Static Prefix-NAT table.
- In this example, the administrator has specified that all addresses in the /59 ULA range are
  translated when accessing the IPv6 Internet through ISP A, and that the ULA range from ::1001
  to ::2001 is translated with the prefix of ISP B when accessing the IPv6 Internet.
Figure 5: Creating an Entry in the Static Prefix-NAT Table in WBM
The following figures (Figure 6 and Figure 7) show this Static Prefix-NAT configuration in WBM:
- The entire /59 ULA range is translated when accessing the IPv6 Internet through ISP A.
- The ULA range from ::1001 to ::2001 is translated with the prefix of ISP B when accessing the
  IPv6 Internet.
Figure 6: Configuration of Example Static Prefix-NAT Entry in WBM
Figure 7: Example Static Prefix-NAT Table in WBM
Prefix-NAT Entry Parameters
Table 3: Prefix-NAT Entry Parameters
Parameter: From Local IP
  (Mandatory) The first IP address in the internal network that uses Prefix-NAT. When a value for
  To Local IP is specified, this value must be the first IP address of the range. When a value for
  Range Defined by Prefix is specified, this value can be the first IP address in the internal network
  that uses Prefix-NAT.
Parameter: To Local IP
  (Optional. Mutually exclusive with Range Defined by Prefix.) The last IP address in the range.
  When a value is specified, the device translates the addresses in the specified range (From Local
  IP to To Local IP). When no value is specified, the device translates all the addresses starting
  from the value of From Local IP.
Parameter: Server Name
  The IPv6 router for the Prefix-NAT entry.
  Values: The IPv6 routers that are defined in the router definitions as having an IPv6 address.
  This includes all IPv6 routers from all farms. IPv4-only routers are not exposed in the drop-down
  list.
Parameter: Range Defined by Prefix
  (Optional. Mutually exclusive with To Local IP.) When specified, the network is defined by the
  value of From Local IP and this prefix length. This enables LinkProof to translate all the IPv6
  addresses on the local interface.
  The range must not be larger than the router's actual prefix, so the prefix length must be greater
  than or equal to the router's prefix length. For example, if the router is defined with prefix /55 and
  the internal network is defined with prefix /55, the administrator can configure any value between
  /55 and /128 (a single address).
Parameter: Replaced with Prefix
  (Read only) The Global Unicast Prefix associated with the router, with which the LinkProof device
  replaces the ULA's prefix. LinkProof calculates the value from the router specified in the Server
  Name field and the IPv6 address of the external LinkProof interface.
Parameter: Redundancy Mode
  Specifies whether the entry belongs to a main (regular) or backup device.
  Values: regular, backup
  Default: regular
Configuring Prefix-NAT Using Web Based Management

Configuring Prefix-NAT using Web Based Management (WBM) comprises the following steps:
1. Configuring the IPv6 interfaces (internal and router-bound).
2. Configuring the farm and enabling NAT in the farm configuration. You must ensure that the value
of the NAT Mode parameter is Enable (the default is Disable). The NAT Mode parameter specifies
whether the LinkProof device performs network address translation on packets with IPv4 addresses,
or Prefix-NAT on packets with IPv6 addresses.
3. Configuring the IPv6 routers.
To configure Prefix-NAT in WBM
Select LinkProof > Smart NAT > IPv6 Prefix-NAT.
There are two panes:
- Prefix-NAT Parameters Summary: This includes the parameter Block ULA Address on Edge
  Router. By default, the option is enabled (according to the recommendation in RFC 4193). When
  the option is enabled, the device blocks ULAs from crossing the border of the LinkProof device
  (that is, untranslated ULA source addresses are not forwarded toward the Internet).
- Static Prefix-NAT Table: The table contains the configurations of the Static Prefix-NAT entries.
  Each entry specifies how one ULA range is translated for the IPv6 public Internet. To create a new
  IPv6 Prefix-NAT entry, click Create. To modify the editable values, double-click the entry link.
  For descriptions of the Prefix-NAT parameters, see Table 3.
Configuring Prefix-NAT Using CLI

For descriptions of the Prefix-NAT parameters, see Table 3.
LinkProof CLI supports the following switches for the Prefix-NAT parameters:
-tip  To Local IP
-rp   Range Defined by Prefix
-rw   Replaced With Prefix
-m    Redundancy Mode <regular|backup>
LinkProof CLI exposes the following commands:
lp smartnat ipv6nat blockula set <enable|disable>
Enables or disables the blocking of ULAs from crossing the border of the LinkProof device
(according to the recommendation in RFC 4193).
Default: enable
lp smartnat ipv6nat get <From Local IP> <Server Name>
Gets the entry with the specified values.
lp smartnat ipv6nat set <From Local IP> <Server Name> <-switch>
Modifies parameters of an existing Static Prefix-NAT entry.
lp smartnat ipv6nat destroy|del <From Local IP> <Server Name>
Deletes the specified Static Prefix-NAT entry.
lp smartnat ipv6nat create|add <From Local IP> <Server Name> <-switch>
Adds a new Static Prefix-NAT entry.
Example:
lp smartnat ipv6nat create fc00:1002:fc01:3000:2000::1001 IPv6Routers/ISP A -tip fc00:1002:fc01:3000:2000::2000 -rw 2030:2020:1000:200::/55 -m regular
lp smartnat ipv6nat help <-switch>
Displays help for the specified parameter.
IPv6 Prefix-NAT Calculator

LinkProof provides the IPv6 Prefix-NAT calculator to predict the outcome of an internal IPv6 address
(that is, a ULA) passing through the LinkProof device and being translated to a GUA.
Motivation
The calculator is needed to calculate the external IPv6 address, especially when the internal prefix
length is different from the external router prefix length.
The logic of the (IPv4) SmartNAT Dynamic NAT feature is quite simple to understand and
implement.
Table 4: (IPv4) Dynamic NAT Example
Source IP for Packet  Via the LinkProof External Public Address  Source IP with Which the Client Will Reach the Internet
192.168.10.250        200.100.150.200                            200.100.150.200
For the (IPv4) SmartNAT Static NAT feature, a set of predefined IP addresses is provided for the
source IPs via the Static NAT table, and there is a one-to-one translation.
In IPv6, there is no longer a concept of Dynamic NAT. Since there is no depletion of IPv6 addresses
in IPv6-to-IPv6 communication, the SmartNAT feature does not translate many addresses to one;
instead, it translates the source IP address from a ULA (or from any other IPv6 address) to the
corresponding external routable (public) IPv6 address.
Notes:
- Using the IPv6 Prefix-NAT calculator is extremely important when working with predefined
  IPv6 addresses (such as external VRRP addresses).
- Although Radware recommends adopting the IPv6 ULA concept as detailed in the RFC, the IPv6
  Prefix-NAT calculator also supports internal public IPv6 addresses from 2000::/3 (the Global
  Unicast range).
There are two cases in which the prefix of the internal address is translated to the prefix of the
external IPv6 address.
Case 1: The internal prefix length is identical to the external-router prefix length (as is the case for
ISP B in Figure 4). It is simple to understand and manually calculate the resulting IP address (that is,
the public IPv6 address) that the Internet sees as the source of the internal packet. In the case of ISP B,
a full prefix (/59) is replaced with a full prefix (/59). The replacement happens on each IPv6 source
address passing through the LinkProof device that the IPv6 Prefix-NAT policy identifies.
Table 5: Case 1, Internal Prefix is Identical to the External Router Prefix
Source IP for Packet                Via the LinkProof External Public Address  Source IP with Which the Client Will Reach the Internet
fc00:1002:fc01:3000:2000::1001 /59  2030:1020:2000:a0::1000 /59                2030:1020:2000:a0:2000::1001
Case 2: The internal prefix length is different from the external-router prefix length (as is the case
for ISP A in Figure 4). Here, calculating the resulting IP address (that is, the public IPv6 address) is
more involved, because the replaced bits end in the middle of a hextet: the first 55 bits of the ULA
are replaced with the first 55 bits of the router's address, and the remaining 73 bits are kept. In the
example case of ISP A, the result is 2030:2020:1000:200:2000::1001 (with a prefix of /55). The
IPv6 Prefix-NAT calculator can do the calculation for you.
Table 6: Case 2, Internal Prefix is Different from the External Router Prefix
Source IP for Packet                Via Router External Public Address  Result: Client Will Reach the Internet with Source IP
fc00:1002:fc01:3000:2000::1001 /59  2030:2020:1000:200::1000 /55        2030:2020:1000:200:2000::1001
Usage
The IPv6 Prefix-NAT Calculator works in CLI only.
Syntax:
lp smartnat ipv6nat calc <Local IPv6 Address> <Router IPv6 Internal Address> <Router IPv6 Prefix>
Example:
lp smartnat ipv6nat calc fc00:1002:fc01:3000:2000::1001 2030:2020:1000:200::1000 55
Result:
The nat address is: 2030:2020:1000:200:2000::1001
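The following is an added example, not Radware's code and not the LinkProof calculator itself: a Python re-implementation of the translation rule that Table 5, Table 6 and the per-address /48 example in the Notes under Figure 4 describe. It lets a practitioner reproduce "lp smartnat ipv6nat calc" results offline, see exactly which bits move in the mid-hextet /55 case, and check the /48-to-/64 and range-size rules before creating a Static Prefix-NAT entry. The function names and the is_allowed() helper are this example's own.

```python
import ipaddress

# Added example (not Radware's code): reproduces the IPv6 Prefix-NAT
# translation described in the whitepaper. The first <router_plen> bits of
# the internal address are replaced with the first <router_plen> bits of the
# external router's address; everything after that (the remaining subnet
# bits and the 64-bit interface ID) is preserved unchanged.

ALL_ONES = (1 << 128) - 1


def is_allowed(local_plen, router_plen):
    """Whitepaper rules: the router prefix must be /48 to /64, and the internal
    range may not be larger than the external one (internal prefix length
    must be greater than or equal to the router prefix length)."""
    return 48 <= router_plen <= 64 and local_plen >= router_plen


def prefix_nat(local_ip, router_ip, router_plen, local_plen=None):
    """Translate one internal (ULA) address to the GUA seen on the Internet.

    Mirrors 'lp smartnat ipv6nat calc <local> <router internal addr> <plen>'.
    `local_plen` is optional and only used to enforce the range-size rule.
    """
    if local_plen is None:
        local_plen = router_plen
    if not is_allowed(local_plen, router_plen):
        raise ValueError("prefix lengths violate the Prefix-NAT rules")
    local = int(ipaddress.IPv6Address(local_ip))
    router = int(ipaddress.IPv6Address(router_ip))
    host_mask = (1 << (128 - router_plen)) - 1   # bits kept from the ULA
    prefix_mask = ALL_ONES ^ host_mask            # bits taken from the router
    return str(ipaddress.IPv6Address((router & prefix_mask) | (local & host_mask)))


def translate_range(from_ip, to_ip, router_ip, router_plen):
    """Translate a From Local IP .. To Local IP entry to its external range
    (the From Address .. To Address pair that the VRRP associated-IP table
    derives from a Prefix-NAT range)."""
    return (prefix_nat(from_ip, router_ip, router_plen),
            prefix_nat(to_ip, router_ip, router_plen))


def changed_hextets(local_ip, translated_ip):
    """Index of each 16-bit group that the translation modified; shows why
    case 2 (/55) changes the fourth hextet even though /48 does not."""
    a = ipaddress.IPv6Address(local_ip).exploded.split(":")
    b = ipaddress.IPv6Address(translated_ip).exploded.split(":")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # The three cases from the whitepaper (Table 5, Table 6 and the /48 note).
    cases = [
        ("fc00:1002:fc01:3000:2000::1001", "2030:1020:2000:a0::1000", 59),  # case 1
        ("fc00:1002:fc01:3000:2000::1001", "2030:2020:1000:200::1000", 55),  # case 2
        ("fc00:1002:fc01:3000:2000::1001", "2030:2020:1000::", 48),          # /48 note
    ]
    for local_ip, router_ip, plen in cases:
        out = prefix_nat(local_ip, router_ip, plen)
        print(f"{local_ip} via {router_ip}/{plen} -> {out} "
              f"(hextets changed: {changed_hextets(local_ip, out)})")
```

Running it prints the three results from the tables above; for the /55 case the fourth hextet changes from 3000 to 200 because the first seven of its sixteen bits come from the router address and the remaining nine from the ULA, which is the arithmetic the calculator hides.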
VRRP Configuration with IPv6 Prefix-NAT

This section describes VRRP configuration with IPv6 Prefix-NAT.
Ensuring Proper Connectivity
When creating an IPv6 Prefix-NAT configuration, it is critical that the translated addresses do not
overlap the IPv6 addresses that the routers use on their LinkProof-facing (internal) interfaces. If
there is overlap, the LinkProof device loses connectivity to the external router.
Figure 8: Example Valid Topology (diagram not reproduced; the addresses labelled in the figure are:)
- Internal address of the LinkProof device: FC00:1000::FFF1/64
- External address of the LinkProof device (External Segment 02): 2040:2100::2001/48
- Internal (LinkProof-facing) address of External Router 02: 2040:2100::2222/48
To configure proper connectivity for IPv6, you must define a proper IPv6 Prefix-NAT range.
Defining a full IPv6 Prefix-NAT range of 2040:2100::/48 will cause an IPv6 address overlap thus
causing network connectivity failure.
Defining an IPv6 Prefix-NAT range as in Figure 9 or Figure 10 is improper. Those configurations
result in address overlap: LinkProof can translate a packet with source address fc00:1000::2222 to
2040:2100::2222, so the LinkProof device claims the router's own interface address. The same
applies to any other address already in use on that segment (the LinkProof external address
2040:2100::2001, for example) that falls inside the translated range.
Figure 9: Improper Configuration 1, Full IPv6 Prefix-NAT Range Causes Address Overlap
Figure 10: Improper Configuration 2, Full IPv6 Prefix-NAT Range Causes Address Overlap
To prevent overlapping addresses, leave gaps in the IPv6 range that Prefix-NAT uses, excluding the
external router's IPv6 address (and any other address already in use on the external segment) so
that no overlap remains.
Figure 11: Proper Configuration, Separated IPv6 Prefix-NAT Ranges Prevent Address Overlap
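To make the overlap rule checkable rather than only drawn, here is an added example (not Radware's code): it translates each proposed Static Prefix-NAT range with the same prefix rule as the calculator and reports any address already in use on the external segment that would fall inside the translated range. The in-use list (router, LinkProof external interfaces, external VRRP virtual router) is assembled from the addresses in Figure 8 and Figure 12; the "improper" range is the whole fc00:1000::/64 user network of Figures 9 and 10, and the "proper" split ranges are constructed for this example and are not the exact ranges of Figure 11.

```python
import ipaddress

# Added example (not Radware's code): detect the address overlap that a
# badly chosen Static Prefix-NAT range produces on the external segment.


def prefix_nat(local_ip, router_ip, router_plen):
    """Replace the first router_plen bits of local_ip with those of router_ip
    (the Prefix-NAT rule); returns an IPv6Address so results can be compared."""
    local = int(ipaddress.IPv6Address(local_ip))
    router = int(ipaddress.IPv6Address(router_ip))
    host_mask = (1 << (128 - router_plen)) - 1
    prefix_mask = ((1 << 128) - 1) ^ host_mask
    return ipaddress.IPv6Address((router & prefix_mask) | (local & host_mask))


def find_overlaps(ranges, router_ip, router_plen, in_use):
    """For each (From Local IP, To Local IP) range, compute the translated
    external range and return every in-use external address it would also
    produce, as (address, (from, to)) pairs. An empty list means no overlap."""
    hits = []
    for from_ip, to_ip in ranges:
        lo = prefix_nat(from_ip, router_ip, router_plen)
        hi = prefix_nat(to_ip, router_ip, router_plen)
        if lo > hi:
            raise ValueError(f"range {from_ip}-{to_ip} is reversed")
        for addr in in_use:
            if lo <= ipaddress.IPv6Address(addr) <= hi:
                hits.append((addr, (str(lo), str(hi))))
    return hits


# External Segment 02 of Figure 8 / Figure 12. The router's LinkProof-facing
# address is what the calculator is fed; all four addresses are already taken
# on that segment, so no translated ULA may land on any of them.
ROUTER_INTERNAL = "2040:2100::2222"
ROUTER_PLEN = 48
IN_USE = [
    "2040:2100::2222",   # External Router 02
    "2040:2100::2001",   # LinkProof external interface
    "2040:2100::2002",   # LinkProof external interface
    "2040:2100::2020",   # external VRRP virtual router
]

# Improper configuration (Figure 9/10): the whole fc00:1000::/64 user range.
IMPROPER = [("fc00:1000::", "fc00:1000::ffff:ffff:ffff:ffff")]

# Proper configuration: two ranges leaving a gap around ::2001-::2222
# (constructed for this example; Figure 11's exact ranges are not reproduced).
PROPER = [("fc00:1000::1", "fc00:1000::2000"),
          ("fc00:1000::3000", "fc00:1000::ffff")]

if __name__ == "__main__":
    for name, ranges in (("improper", IMPROPER), ("proper", PROPER)):
        hits = find_overlaps(ranges, ROUTER_INTERNAL, ROUTER_PLEN, IN_USE)
        print(name, "->", "OK, no overlap" if not hits else
              "OVERLAP: " + ", ".join(f"{a} in {r[0]}-{r[1]}" for a, r in hits))
```

The check is worth running before each entry is created, not after: once the full-range entry is in place the device answers neighbor solicitations for 2040:2100::2222 itself, and the symptom is simply that the router becomes unreachable.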
IPv6 Prefix-NAT Address Range
In VRRP with SmartNAT, you explicitly configure each IPv4 address used for NAT (Static NAT,
Dynamic NAT, or Basic NAT). In VRRP with IPv6 Prefix-NAT, because of the massive number of
potential IPv6 addresses used for Prefix-NAT, you cannot explicitly configure each address. Instead,
you configure a single IPv6 address from each IPv6 Prefix-NAT range in the VRRP Associated IP
Addresses table. The device looks up the IPv6 Prefix-NAT range containing that address and creates
a special associated VR IPv6 entry that covers the entire range.
VRRP Associated IP Addresses
When a VR ID that supports IPv6 is configured on the device, LinkProof creates an associated IP
address for the Primary IP parameter. The entry is created with a link-local address derived from the
VR MAC address. This follows VRRP for IPv6 (VRRPv3, RFC 5798) and does not affect regular
device functionality.
VRRP Configuration Steps
In IPv4, the order in which you configure VRRP in LinkProof does not matter. In IPv6, the order in
which you configure VRRP in LinkProof is crucial (you can, however, modify the Prefix-NAT
configuration afterwards). The order is crucial because the IPv6 Prefix-NAT ranges define the VR
associated IP addresses that are used in the IPv6 neighbor solicitation process, which is how the
LinkProof device announces the IPv6 addresses that the VR holds and responds to.
VRRP configuration involves the following steps:
1. Configuring all the relevant interfaces, routing, and so on.
2. Configuring the relevant VR and its IP address.
3. Deriving the IPv6 associated IP address with the IPv6 Prefix-NAT calculator (as described in
"IPv6 Prefix-NAT Calculator").
4. Configuring the IPv6 Prefix-NAT addresses.
5. Configuring the VR associated IPv6 ranges (using the calculator as described in "IPv6 Prefix-NAT
Calculator").
Disabling VRRP
When you disable VRRP with IPv6 Prefix-NAT associated IP addresses (after disabling the VRRP
configuration), you must clear the neighbor cache (the IPv6 equivalent of the ARP table) on the
adjacent routers (those connected directly to the device), because cached IPv6 neighbor entries
may still point to the VR MAC address.
Interface Grouping Considerations
Interface Grouping is disabled by default. When Interface Grouping is enabled, if any of the
interfaces in the group fails, the entire device is declared down and VRRP failover occurs (master
switches to backup). When you configure VRRP, make sure to enable Interface Grouping as
required.
By default, the Master Interface Grouping Table includes all the device interfaces except the
management interfaces. When working with IPv6 interfaces in LinkProof, every interface has an IP
address (a link-local address) by default, so every interface participates in the grouping. If you do
not want the failure of a particular interface to trigger VRRP failover, you must manually exclude it
from the Interface Grouping.
Full Configuration Flow of VRRP Setup with IPv6 and IPv6 Prefix-NAT
(The original is a flowchart; its steps and decision points are listed here as a sequence.)
1. Configure the following on each device: interfaces, IP addresses, routing, farm and flows, NAT.
2. Enable VRRP.
3. Create a VR and set its State to Down.
4. Using Interface Grouping? If yes, assign interfaces in the Master Interface Grouping table.
5. Using IPv6 Prefix-NAT? If yes:
   a. Create IPv6 Prefix-NAT addresses or ranges.
   b. Use the calculator to derive the VRRP IPv6 Associated IP.
   c. Create the Associated IPv6 address if needed.
6. Use the calculator to create the Associated IPv6 address with the IPv6 address for the VR.
7. Need to ping the VR IP or have a VDNS? If yes, create a remote VIP or VDNS IP address to use;
   if the VIP is in the IPv6 Prefix-NAT range, create Associated IP Addresses for the VIP or VDNS.
8. More VRs to configure? If yes, return to step 3.
9. Configuring the primary device? If yes, set the VR priority to 200; if no, set the VR priority
   below 200 (for example, 100).
10. Change the VR State to Up.
11. Check the failover configuration.
VRRP with IPv6 Prefix-NAT Example Configuration
Consider the scenario in Figure 12. For the sake of simplicity, the configuration uses the same
segment for both routers, although in real-life scenarios, for security reasons, the common practice
is to connect the LinkProof device to each router through a different LinkProof port. In addition, the
figure shows the external virtual router as a single entity, whereas in real life it can be represented by
several virtual routers with different VR IDs. This section focuses on the configuration of the IPv6
routers and the IPv6 Prefix-NAT associated address. (The topology would be the same for an IPv6
Prefix-NAT and VRRP setup.)
Figure 12: VRRP with IPv6 Prefix-NAT Configuration Example (diagram not reproduced; the
addresses labelled in the figure are listed below)
Internal Segment (Users):
- FC00:1000::FFF1/64 is the IP address of the internal interface of LinkProof 01 (Primary)
- FC00:1000::FFF2/64 is the IP address of the internal interface of LinkProof 02 (Secondary)
- FC00:1000::FFFE/64 is the internal virtual router
- FC00:1000::2000/64 is an internal user address
External Segment 01 (Router, ISP 01):
- 2030:1000:2000::2001/64 is used to access External Router 01
- 2030:1000:2000::2002/64 (second LinkProof address on the segment)
- 2030:1000:2000::2222/64 (External Router 01 address on the segment; compare Figure 8)
- 2030:1000:2000::2020/64 is the external virtual router
External Segment 02 (Router, ISP 02):
- 2040:2100::2001/48 (LinkProof address on the segment)
- 2040:2100::2002/48 is used to access External Router 02
- 2040:2100::2222/48 (External Router 02 address on the segment; see Figure 8)
- 2040:2100::2020/48 is the external virtual router
The scenario in Figure 12 assumes the following:
- Both LinkProof devices are in a VRRP setup, providing failover for one another.
- LinkProof 01 (Primary) is the VRRP master.
- LinkProof 02 (Secondary) is the VRRP backup.
- Users on the internal LAN come from the ULA range FC00:1000::/64.
- The administrator has connected the LinkProof devices to the following two routers:
  ISP01, with an IPv6 prefix of 2030:1000:2000::/64
  ISP02, with an IPv6 prefix of 2040:2100::/48
- Each LinkProof is connected to both routers (using an external segment).
Figure 13: IPv6 Addresses Summary
As mentioned above, the IPv6 associated IP addresses are derived from the IPv6 Prefix-NAT ranges.
Therefore, only one IP address from each range needs to be defined in the Redundancy Associated
IP Addresses table. This informs the LinkProof device of the associated IP address ranges for which it
is responsible. In the example, an address from the LinkProof external interface 01 range can be
2030:1000:2000::2000, and an address from the LinkProof external interface 02 range can be
2040:2100::2000.
Prior to the VRRP configuration, we assume that all IPv6 interfaces are configured properly, that
routing is configured properly (especially the default route ::/0 to both external routers), and that
connectivity is working end to end.
To configure the VRRP with the IPv6 Prefix-NAT example configuration
1. Configure the internal virtual router, VR ID 1 (internal interface), at Redundancy > VRRP >
Virtual Routers. On the master LinkProof, set Priority = 200; on the backup LinkProof, set
Priority = 100.
2. Configure the associated IP address for the internal interface at Redundancy > VRRP >
Associated IP Addresses.
3. Enable the internal virtual router, VR ID 1, which you configured in step 1.
4. Repeat steps 1-3 on the backup device.
Note: Once enabled, the VR ID shows a Primary IP from the link-local address (LLA) range. This is
regular IPv6 behavior according to the RFC and the IPv6 Ready Logo specifications.
5. Configure the external virtual router, VR ID 2 (on the LinkProof external interface 02).
6. Create the Prefix-NAT ranges for internal users accessing the Internet through router ISP02, at
LinkProof > Smart NAT > IPv6 Prefix-NAT > Static Prefix-NAT Table. (The WBM screenshots of
the entries and the resulting table are not reproduced here.)
7. Using the IPv6 Prefix-NAT calculator, derive the associated IP address of the external interface.
From the CLI, run:
lp smartnat ipv6nat calc fc00:1000::2000 2040:1000::2000 48
which generates the following:
The nat address is: 2040:1000::2000
8. Configure the associated IP address for the external interface (VR ID 2).
Note: Because the IPv6 associated addresses are derived from the Prefix-NAT ranges, you only need
to configure one address from each Prefix-NAT range. Use the result of the Prefix-NAT calculator
above as that address. (Screenshot not reproduced.)
The associated IP address range shows the range (From Address to To Address) as configured by
the IPv6 Prefix-NAT feature.
9. Configure the associated IP address for the second range.
10. Enable VR ID 2 as configured in step 5.
11. Repeat steps 5-9 on the backup device (step 7 can be skipped, as the result is the same) with the
following exceptions:
- The VR ID Priority should be 100 on the backup device.
- Redundancy Mode in the Static Prefix-NAT Table Create pane should be set to backup.
12. For the second router (LinkProof external interface 01), follow the exact same steps using the
same VR ID (VR ID 2).
13. In the Static Prefix-NAT pane, configure the entries for router ISP01 in the same way.
(Screenshots of the entries and the resulting table are not reproduced here.)
14. Follow steps 7-9 for the external interface VR ID 1 settings using the exact same methodology.
15. Repeat the same steps for the secondary (VRRP backup) LinkProof device.
16. Once both VR IDs are enabled, check connectivity and failover. IPv6 end-to-end connectivity
should work, with IPv6 router load balancing according to LinkProof functionality.
2011 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.