Manual Chapter :
Using DS-Lite with CGNAT
Applies To:
Show VersionsBIG-IP LTM
- 14.1.0, 14.0.0
Using DS-Lite with CGNAT
Overview: DS-Lite Configuration on BIG-IP systems
As IPv4 addresses are becoming depleted, service providers (DSL, cable, and mobile) face the
challenge of supplying IP addresses to new customers. Providing IPv6 addresses alone is often not
workable, because most of the public Internet still uses only IPv4, and many customer systems do
not yet fully support IPv6. The Dual-Stack Lite (DS-Lite) tunneling technology is one solution to
this problem. DS-Lite gives service providers the means to migrate to an IPv6 access network
without changing end user devices or software.
What is DS-Lite?
DS-Lite
is an IPv4-to-IPv6 transition technology, described in RFC 6333, that
uses tunneling and network address translation (NAT) to send IPv4 packets over an IPv6 network.
This technology makes it possible, for example, for a service provider with an IPv6 backbone to
properly route traffic while overlapping IPv4 networks.How does DS-Lite work?
The customer-premises equipment (CPE), known as the B4 (Basic Bridging BroadBand) device,
encapsulates the IPv4 packets inside IPv6 packets, and sends them to the AFTR (Address Family
Transition Router) device. The AFTR device includes carrier-grade NAT (CGNAT), which has a
global IPv4 address space. The AFTR device decapsulates the IPv4 traffic and performs address
translation, as it sends the traffic to the external IPv4 network.
How does F5 implement DS-Lite?
On the BIG-IP system, a DS-Lite tunnel is a variation of IPIP tunnels
that uses augmented flow lookups to route traffic.
Augmented flow lookups
include
the IPv6 address of the tunnel to identify the accurate source of packets that might have the
same IPv4 address. When the BIG-IP device receives an IPv6 encapsulated packet, the system
terminates the tunnel, decapsulates the packet, and marks it for DS-Lite. When the system
re-injects the packet into the IP stack, it performs an augmented flow lookup to properly route
the response.Illustration of a DS-Lite deployment
In this example, a service provider transports encapsulated IPv4 traffic over its IPv6
network.
About CGNAT hairpinning
An optional feature on the BIG-IP system,
hairpinning
routes
traffic from one subscriber's client to an external address of another subscriber's server, where
both client and server are located in the same subnet. To each subscriber, it appears that the
other subscriber's address is on an external host and on a different subnet. The BIG-IP system
can recognize this situation and send, or hairpin, the message back to the origin subnet so that
the message can reach its destination.In order for hairpinning to function properly, the subscriber VLAN must be
configured as an egress interface on the LSN pool. If the subscriber VLAN is not configured as an
egress interface on the LSN pool, hairpinning fails.
At present hairpinning works with
all BIG-IP CGNAT scenarios except NAT64.
Creating a DS-Lite tunnel on the BIG-IP device as an AFTR device
Before you configure the tunnel, ensure that the BIG-IP device
you are configuring has an IPv6 address.
You can create a DS-Lite (wildcard) tunnel for terminating IPv4-in-IPv6 tunnels to
remote B4 devices, and recycling the IPv4 address space.
- On the Main tab, clickor .The New Tunnel screen opens.
- In theNamefield, type a unique name for the tunnel.
- From theProfilelist, selectdslite.
- In theLocal Addressfield, type the IPv6 address of the local BIG-IP device.
- For theRemote Addresssetting, retain the default selection,Any, which indicates a wildcard IP address.
- ClickFinished.
You have now created a DS-Lite tunnel that functions as an AFTR (Address Family
Translation Router) device.
Assigning a self IP
address to an AFTR device
Ensure that you have created a DS-Lite tunnel before you start this task.
Self IP addresses can enable the BIG-IP system,
and other devices on the network, to route application traffic through the associated
tunnel.
- On the Main tab, click.
- ClickCreate.The New Self IP screen opens.
- In theNamefield, type a unique name for the self IP address.
- In theIP Addressfield, type an IP address.This IP address is the IPv4 gateway that the B4 devices use to reach the Internet. F5 recommends using the IP address space that the IANA has specifically allocated for an AFTR device, for example,192.0.0.1.
- In theNetmaskfield, type the network mask for the specified IP address.For example, you can type255.255.255.0.
- From theVLAN/Tunnellist, select the tunnel with which to associate this self IP address.
- ClickFinished.
Configuring CGNAT for DS-Lite
Before starting this task, ensure that CGNAT is
licensed and the feature module enabled on the BIG-IP system, and you have created at
least one LSN pool.
When you are configuring DS-Lite, you must
set up a forwarding virtual server to provide the Large Scale NAT (LSN), which is
specified by the DS-Lite tunnel as an augmented flow lookup.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, selectPerformance (Layer 4).
- In theDestination Address/Maskfield, type0.0.0.0/0to translate all IPv4 traffic.
- In theService Portfield, type*or select* All Portsfrom the list.
- From theConfigurationlist, selectAdvanced.
- From theProtocollist, select* All Protocols.
- From theLSN Poollist, select an LSN pool.
- ClickFinished.
This virtual server now intercepts traffic
leaving the DS-Lite tunnel, provides the LSN address translation, and forwards the
traffic to the IPv4 gateway.
Verifying traffic statistics for a DS-Lite tunnel
After you configure DS-Lite on a BIG-IP system, you can check
the statistics for the tunnel to verify that traffic is passing through it.
- Log on to the BIG-IP command-line interface.
- At the command prompt, typetmsh show sys connection all-properties.The result should show tunnel withanyas the remote endpoint (on the first line), andipencapas theProtocol, as shown in the example.2001:db8::/32.any - 2001:db8::46.any - any6.any - any6.any --------------------------------------------------------- TMM 0 Type any Acceleration none Protocol ipencap Idle Time 1 Idle Timeout 300 Unit ID 1 Lasthop /Common/wan 00:d0:01:b9:88:00 Virtual Path 2001:db8::46.any ClientSide ServerSide Client Addr 2001:db8::45.any any6.any Server Addr 2001:db8::46.any any6.any Bits In 171.6K 0 Bits Out 171.6K 0