F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP CGNAT: Implementations
  5. Using DS-Lite with CGNAT
Manual Chapter : Using DS-Lite with CGNAT

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Using DS-Lite with CGNAT

Overview: DS-Lite Configuration on BIG-IP systems

As IPv4 addresses are becoming depleted, service providers (DSL, cable, and mobile) face the challenge of supplying IP addresses to new customers. Providing IPv6 addresses alone is often not workable, because most of the public Internet still uses only IPv4, and many customer systems do not yet fully support IPv6. The Dual-Stack Lite (DS-Lite) tunneling technology is one solution to this problem. DS-Lite gives service providers the means to migrate to an IPv6 access network without changing end user devices or software.

What is DS-Lite?

DS-Lite is an IPv4-to-IPv6 transition technology, described in RFC 6333, that uses tunneling and network address translation (NAT) to send IPv4 packets over an IPv6 network. This technology makes it possible, for example, for a service provider with an IPv6 backbone to properly route traffic while overlapping IPv4 networks.

How does DS-Lite work?

The customer-premises equipment (CPE), known as the B4 (Basic Bridging BroadBand) device, encapsulates the IPv4 packets inside IPv6 packets, and sends them to the AFTR (Address Family Transition Router) device. The AFTR device includes carrier-grade NAT (CGNAT), which has a global IPv4 address space. The AFTR device decapsulates the IPv4 traffic and performs address translation, as it sends the traffic to the external IPv4 network.

How does F5 implement DS-Lite?

On the BIG-IP® system, a DS-Lite tunnel is a variation of IPIP tunnels that uses augmented flow lookups to route traffic. Augmented flow lookups include the IPv6 address of the tunnel to identify the accurate source of packets that might have the same IPv4 address. When the BIG-IP device receives an IPv6 encapsulated packet, the system terminates the tunnel, decapsulates the packet, and marks it for DS-Lite. When the system re-injects the packet into the IP stack, it performs an augmented flow lookup to properly route the response.

Illustration of a DS-Lite deployment

In this example, a service provider transports encapsulated IPv4 traffic over its IPv6 network.

Example of a DS-Lite configuration

Example of a DS-Lite configuration

About CGNAT hairpinning

An optional feature on the BIG-IP ®system, hairpinning routes traffic from one subscriber's client to an external address of another subscriber's server, where both client and server are located in the same subnet. To each subscriber, it appears that the other subscriber's address is on an external host and on a different subnet. The BIG-IP system can recognize this situation and send, or hairpin, the message back to the origin subnet so that the message can reach its destination.

Note: At present hairpinning works with all BIG-IP CGNAT scenarios except NAT64.

Task summary

When you set up DS-Lite, you must configure devices at both ends of the tunnel: the B4 device and the AFTR device. For this implementation, the AFTR device is a BIG-IP® system.

Before you configure the AFTR device, set up your CPE as a B4 device, and configure it to send traffic to the v6 self IP address of the BIG-IP® system. For instructions, consult the manufacturer's documentation for your device.

Creating a DS-Lite tunnel on the BIG-IP device as an AFTR device

Before you configure the tunnel, ensure that the BIG-IP® device you are configuring has an IPv6 address.
You can create a DS-Lite (wildcard) tunnel for terminating IPv4-in-IPv6 tunnels to remote B4 devices, and recycling the IPv4 address space.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create .
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Encapsulation Type list, select dslite.
  4. In the Local Address field, type the IPv6 address of the local BIG-IP device.
  5. For the Remote Address setting, retain the default selection, Any, which indicates a wildcard IP address.
  6. Click Finished.
You have now created a DS-Lite tunnel that functions as an AFTR (Address Family Translation Router) device.

Assigning a self IP address to an AFTR device

Ensure that you have created a DS-Lite tunnel before you start this task.
Self IP addresses can enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated tunnel.
  1. On the Main tab, click Network > Self IPs .
    The Self IPs screen opens.
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP.
  4. In the IP Address field, type an IP address.
    This IP address is the IPv4 gateway that the B4 devices use to reach the Internet. F5 recommends using the IP address space that the IANA has specifically allocated for an AFTR device, for example, 192.0.0.1.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  7. Click Finished.

Configuring CGNAT for DS-Lite

Before starting this task, ensure that CGNAT is licensed and the feature module enabled on the BIG-IP® system, and you have created at least one LSN pool.
When you are configuring DS-Lite, you must set up a forwarding virtual server to provide the Large Scale NAT (LSN), which is specified by the DS-Lite tunnel as an augmented flow lookup.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Servers screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Performance (Layer 4).
  5. For the Destination setting, select Network, and type 0.0.0.0 in the Address field and 0.0.0.0 in the Mask field.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. From the Configuration list, select Advanced.
  8. From the Protocol list, select * All Protocols.
  9. From the LSN Pool list, select an LSN pool.
  10. Click Finished.
This virtual server now intercepts traffic leaving the DS-Lite tunnel, provides the LSN address translation, and forwards the traffic to the IPv4 gateway.

Verifying traffic statistics for a DS-Lite tunnel

After you configure DS-Lite on a BIG-IP® system, you can check the statistics for the tunnel to verify that traffic is passing through it.
  1. Log on to the BIG-IP command-line interface.
  2. At the command prompt, type tmsh show sys connection all-properties.
    The result should show tunnel with any as the remote endpoint (on the first line), and ipencap as the Protocol, as shown in the example. 
    2001:db8::/32.any - 2001:db8::46.any - any6.any - any6.any
---------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      ipencap
  Idle Time     1
  Idle Timeout  300
  Unit ID       1
  Lasthop       /Common/wan 00:d0:01:b9:88:00
  Virtual Path  2001:db8::46.any

                     ClientSide  ServerSide
  Client Addr  2001:db8::45.any    any6.any
  Server Addr  2001:db8::46.any    any6.any
  Bits In                171.6K           0
  Bits Out               171.6K           0
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information