IPv6 HSI CGN Solution Introduction
www.huawei.com
Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved.

Foreword
⚫ Currently, DS+NAT444 and DS-lite are the mainstream IPv6 transition solutions in the industry. Both solutions are implemented with CGN devices or CGN boards.
⚫ When deploying new devices, carriers need to consider many factors, such as deployment costs, impacts on services, and subsequent capacity expansion.

Objective
⚫ Upon completion of this course, you will be able to:
◼ Describe the functions of the CGN in the IPv6 transition solutions
◼ Describe CGN deployment solutions
◼ Describe the characteristics of CGN NAT and NAT traversal
◼ Describe the characteristics of the CGN port allocation solutions
◼ Describe the CGN user tracing solutions
◼ Complete data configuration in typical CGN application scenarios

Contents
1. Overview of CGN
2. Introduction to CGN networking solutions
3. Introduction to CGN NAT and NAT traversal
4. Introduction to the CGN port allocation solution
5. Introduction to CGN user tracing solutions
6. Configuration example for the typical CGN application scenarios

1. Overview of CGN
◼ Terms related to CGN
◼ NAT
◼ DS+NAT44(4) solution
◼ DS-lite solution
◼ Factors affecting CGN deployment

Terms Related to CGN
⚫ CGN: Carrier Grade NAT
⚫ NAT: Network Address Translation. NAT addresses the problem of IPv4 address exhaustion; its major function is address reuse. NATs are classified into basic NAT and network address port translator (NAPT).
⚫ DS: Dual-stack
⚫ NAT444: IPv4-to-IPv4 address translation performed twice. NAT444 consists of CPE NAT44 and CGN NAT44; the two levels of NAT are independent of each other. NAT444 increases the address reuse rate.
⚫ DS-Lite: Dual-Stack Lite
⚫ CPE: Customer Premises Equipment

NAT—Basic NAT Address Translation
⚫ Basic NAT is also called NO-PAT mode: only the IP address is translated, and each private IP address is mapped to one public IP address. Public address resources are therefore not saved.
[Figure: host 192.168.1.3 on the intranet behind the NAT device 192.168.1.1; server 1.1.1.2 on the Internet]
Host | Direction | Before NAT | After NAT
192.168.1.3 | Outbound | 192.168.1.3 | 20.1.1.1
Packet flow: the host sends Src 192.168.1.3, Dst 1.1.1.2; after NAT the packet carries Src 20.1.1.1, Dst 1.1.1.2. The reply Src 1.1.1.2, Dst 20.1.1.1 is translated back to Src 1.1.1.2, Dst 192.168.1.3.

NAT—NAPT Address Translation
⚫ In NAPT mode, both the private IP address and the port number are translated into a public IP address and port number. Packets from different private addresses can be mapped to the same public address, with their port numbers translated into different port numbers under that address, so these packets share one public address.
[Figure: Host A 192.168.1.2 and Host B 192.168.1.3 on the intranet behind the NAT device 192.168.1.1; server 1.1.1.2 on the Internet]
Host | Direction | Before NAT | After NAT
Host A | Outbound | 192.168.1.2:1111 | 20.1.1.1:1001
Host A | Outbound | 192.168.1.2:2222 | 20.1.1.1:1002
Host B | Outbound | 192.168.1.3:1111 | 20.1.1.1:1003
Packet 1 Src 192.168.1.2:1111 becomes Src 20.1.1.1:1001; Packet 2 Src 192.168.1.2:2222 becomes Src 20.1.1.1:1002; Packet 3 Src 192.168.1.3:1111 becomes Src 20.1.1.1:1003.

DS+NAT44(4)
[Figure: terminals (PC, TV, phone) – CPE – access (DSLAM/OLT, LSW) – BRAS with CGN – metro (PE, P, CR) – core – servers; IPv4/IPv6 dual stack end to end]
◼ CPE route mode (DS+NAT444): private IPv4 behind the CPE, CPE NAT44 to private IPv4 on the metro, CGN NAT44 to public IPv4; IPv6 is forwarded natively.
◼ CPE bridge mode (DS+NAT44): private IPv4 from the terminal to the CGN, CGN NAT44 to public IPv4; IPv6 is forwarded natively.
⚫ In the DS+NAT44(4) solution, packets carrying a private IPv4 source address must be redirected to the CGN device or board. The CGN performs NAT to translate the private IPv4 source address into a public IP address and then forwards the packet.

DS-lite
[Figure: dual-stack terminal – CPE in route mode (DS-Lite+NAT+PPPoE) – IPv6-only access and metro (DSLAM/OLT, BRAS, PE, P, CR) – CGN NAT44 – public IPv4 Internet; private IPv4 is carried in a 4in6 tunnel over IPv6]
⚫ For access requests sent by IPv4 users, the CPE sets up a 4in6 tunnel with the CGN. The user obtains a private IPv4 address from the CPE. The CGN translates the private IPv4 address into a public IPv4 address, which is used to access the IPv4 Internet.
⚫ In the DS-lite solution, the CGN terminates the 4in6 tunnels and implements NAT.

Factors Affecting CGN Deployment
1. Impacts on the bearer network
◼ Network traffic direction
◼ Equipment upgrade
2. Impacts on services
◼ User management
◼ User tracing
◼ Intelligent network services
◼ Lawful interception
3. CAPEX
◼ Equipment cost
◼ Engineering delivery costs and risks
4. OPEX
◼ O&M interface
◼ Troubleshooting
5. Impacts on network evolution
◼ Smooth network evolution
◼ Network reliability

Self-Test Questions
1. The functions of the CGN in the mainstream IPv6 transition solutions (including DS+NAT444 and DS-lite) are ( )
A. Setting up 4in6 tunnels with the CPE
B. Parsing domain names for the IPv6 services
C. Translating the MAN IPv6 addresses into IPv4 addresses
D. Performing NAT on uplink private network packets of the MAN

2. Introduction to CGN networking solution
◼ Classification of CGN forms
◼ Comparison of CGN forms
◼ CGN networking solutions
◼ Comparison of CGN networking solutions

Classification of CGN Forms–Stand-alone CGN
⚫ A stand-alone CGN can be mounted beside other network devices or directly in the forwarding path between them:
◼ Directly mounted between the CR and the PE
◼ Directly mounted between the CR and the BRAS
◼ Mounted beside the CR
◼ Mounted beside the BRAS

Classification of CGN Forms–Integrated CGN
[Figure: CGN board installed on a BRAS/SR below the CR; CGN board installed on a CR above the BRASs]
⚫ Comparison of the two integrated deployment modes:
◼ The mode in which the CGN board is installed on a CR is applicable to scenarios where users are scattered. The costs at the early stage are low. As the number of users increases, however, distributed CGNs need to be added. Users cannot be managed and real-time tracing is difficult to implement.
◼ The mode in which the CGN board is installed on a BRAS is applicable to scenarios where users are centralized. This mode allows lean user management and facilitates real-time tracing.

System Architecture of the Integrated CGN
[Figure: LPU (1) – SFU (2) – VSUI-20-A CGN service board (3)]
⚫ The integrated CGN is implemented by the VSUI series board, a multicore service board. It is a centralized board that does not provide any outbound interface.
⚫ Service flow: The interface board routes the traffic to the service board. The service board completes the CGN function and then sends the traffic back to the interface board. The interface board sends the traffic out of the system.

Comparison of CGN Forms
Feasibility of deployment
◼ Stand-alone CGN: Occupies a forwarding port.
◼ Integrated with a CR: Occupies a forwarding slot.
◼ Integrated with an SR/BRAS: Occupies a forwarding slot.
External interfaces
◼ Stand-alone CGN: Uses a stand-alone subrack. The number of interfaces is limited.
◼ Integrated with a CR: Shares a subrack with other boards. The number of interfaces is not limited.
◼ Integrated with an SR/BRAS: Shares a subrack with other boards. The number of interfaces is not limited.
Cost
◼ Stand-alone CGN: The cost is high. A device must be added.
◼ Integrated with a CR: The cost is low. Only a board needs to be added.
◼ Integrated with an SR/BRAS: The cost is low. Only a board needs to be added.
Tracing capability
◼ Stand-alone CGN: Does not participate in user authentication. Cannot detect users. The tracing capability is poor. Does not support online tracing.
◼ Integrated with a CR: Does not participate in user authentication. Cannot detect users. The tracing capability is poor. Does not support online tracing.
◼ Integrated with an SR/BRAS: Participates in user authentication. Can detect users. The tracing capability is good. Supports online tracing.
Reliability
◼ Stand-alone CGN: Connected to dual hosts in side-mounting mode. The reliability is high, but functions are not rich and cooperation with the network is poor.
◼ Integrated with a CR: Supports the two-board configuration.
◼ Integrated with an SR/BRAS: Supports the two-board configuration. Is integrated with network services. Supports the various protection modes of the network. The reliability is high.
Service capability and user management
◼ Stand-alone CGN: Does not provide the service capability. Cannot detect users.
◼ Integrated with a CR: Does not provide the service capability. Cannot detect users.
◼ Integrated with an SR/BRAS: Provides functions to maintain accessed users. Has strong control capability.
Capacity and scalability
◼ Stand-alone CGN: The capacity and scalability are high.
◼ Integrated with a CR: The capacity and scalability are limited by the vacant slots on the device with which the CGN is integrated.
◼ Integrated with an SR/BRAS: The capacity and scalability are limited by the vacant slots on the device with which the CGN is integrated.
Change in network topology
◼ Stand-alone CGN: A device is added, which changes the existing network topology.
◼ Integrated with a CR: Only boards are added, which does not change the existing network topology.
◼ Integrated with an SR/BRAS: Only boards are added, which does not change the existing network topology.

CGN Networking Solutions—Centralized Mode
[Figure: deployment of the CGN in centralized mode: backbone/IDC – CR with the CGN mounted beside it (CGN deployment position) – L3 MAN – SR/BRAS – LSW – L2 access network (DSLAM/OLT) – CPEs]
⚫ Deployment position: at the egress of the MAN.
⚫ Deployment mode: stand-alone CGN device mounted beside the CR.
⚫ Deployment difficulty: The investment at the early stage is low. It is easy to deploy new devices in a centralized manner.
⚫ Traffic analysis: Traffic within a city is transferred to the CRs and CGN devices for processing. This increases the traffic volume on the CRs, and the CGN is more likely to become a performance bottleneck.
⚫ Reliability: The CGN needs to maintain a large number of sessions. Therefore, a single-point failure affects a large number of users. Reliability requirements are high and the networking is complex.
⚫ Long-term trend: With the flattening of the network and the increase in IPv4 traffic, the position of the CGN will gradually be moved downwards.
⚫ User management: The CGN deployment position is high on the network, so the CGN cannot obtain user information. Therefore, it is difficult to implement user policy control and user tracing.
⚫ Values: The total cost is low. The solution facilitates centralized control and is suitable for fast deployment at the early stage of IPv6 network deployment.

CGN Networking Solutions—Distributed Mode
[Figure: deployment of the CGN in distributed mode: backbone/IDC – CR – L3 MAN – SR/BRAS with the CGN board (CGN deployment position) – LSW – L2 access network (DSLAM/OLT) – CPEs]
⚫ Deployment position: at the BRAS/SR.
⚫ Deployment mode: board installed on a BRAS/SR.
⚫ Deployment difficulty: The investment at the early stage is high, and deployment is required at multiple points.
⚫ Traffic analysis: The traffic model is unchanged and forwarding efficiency is high. The performance requirements on the equipment are low.
⚫ Reliability: Each CGN needs to maintain only a small number of sessions. Therefore, a single-point failure affects a small number of users. Reliability requirements are low and the networking is simple.
⚫ Fits the distributed and flattening architecture that networks are developing towards today.
⚫ Values: The network architecture is unchanged; address and NAT resources are distributed.
Copyright © 2011 Huawei Technologies Co., Ltd. All rights reserved.
CGN Networking Solutions—Reliability
[Figure: centralized mode, CGN beside the CR in the metro; distributed mode, CGN in the BRAS (PPP, IPv4+IPv6, B4 at the CPE)]
Fault scope
◼ Centralized mode: The fault affects the users served by all BRASs connected to the CR.
◼ Distributed mode: The fault affects only local users.
No dual-device backup
◼ Centralized mode: The BRAS cannot detect faults on the CGN. If faults on the CGN are not rectified, users remain in the online state but cannot access the Internet normally.
◼ Distributed mode: The BRAS can detect faults on the CGN. A rollback domain is configured on the BRAS to force users offline, make them dial up again, and switch them to the public network domain. In this way, users are protected against faults on the CGN.
Dual-host backup
◼ Centralized mode: Active/standby backup is often implemented in cold backup mode. The fault-triggered switching time is determined by the route convergence time and the time needed to back up a large number of NAT sessions.
◼ Distributed mode: Dual-host hot backup is used, and the active/standby switchover is implemented using VRRP. The fault-triggered switching time is determined by the BFD detection time and the backup time of the NAT sessions.

CGN Networking Solutions—Equipment Cost (1/3)
[Figure: distributed mode, BRAS with uplink LPU, downlink LPU, SFU and CGN board, connected to the CR]
⚫ When the CGN is deployed in distributed mode, the traffic model is as follows: user data is redirected to the CGN service board based on a policy, processed by the service board, and then forwarded by the interface board.
⚫ Cost: A CGN board is added.

CGN Networking Solutions—Equipment Cost (2/3)
[Figure: centralized mode, BRAS (uplink LPUs, downlink LPUs, SFU) – CR – CGN device]
⚫ When the CGN is deployed in centralized mode, the traffic model is as follows: user data is routed through the BRAS to the CR on the MAN based on the routing policy. The CR redirects the user packet to the CGN device. The CGN device processes the packet and sends it back to the CR. The traffic model from the Internet to users is the reverse of the outbound traffic model.
⚫ Cost: A CGN device is added to the existing traffic model. A pair of interfaces must be added on the CR and on the CGN device, respectively, for interworking between them.

CGN Networking Solutions—Equipment Cost (3/3)
Cost calculation:
⚫ Preset conditions: 10G port; processing capability of the CGN board as specified for the board.
⚫ Unit costs: CGN per port = 1; CR per port = 1.5; CGN per board = 3.
⚫ Mode 1 (10G traffic): Distributed mode: 3. Centralized mode: 1×2 + 1.5×2 + 3 = 8.
⚫ Mode 2 (50G traffic): Distributed mode: 3×3 = 9. Centralized mode: 1×10 + 1.5×10 + 3×3 = 34.
⚫ Mode 3 (100G traffic): Distributed mode: 3×5 = 15. Centralized mode: 1×20 + 1.5×20 + 3×5 = 59.
[Chart: bit cost versus user traffic (10G, 50G, 100G) for centralized mode and for distributed deployment in every area; the centralized curve rises much faster]
⚫ As the traffic increases, the cost per bit in centralized deployment mode is much higher than in distributed deployment mode.

CGN Networking Solutions—Engineering Delivery Costs and Risks
Network planning
◼ Distributed deployment (CGN installed on the BRAS): Public IP addresses are managed on the BRAS.
◼ Centralized deployment (CGN mounted beside the CR): Public IP addresses are managed on the CR and the NAT device. The public IP addresses used by all BRASs connected to the CR must be planned consistently.
Equipment procurement, installation, and upgrade
◼ Distributed: The CGN board must be purchased and installed on the BRAS. The BRAS must be upgraded to support the CGN feature.
◼ Centralized: The CR interface board, the NAT device and the server must be purchased. The NAT device and the log server must be installed. The CR must be connected to the NAT device.
Network element configuration
◼ Distributed: The configuration on the BRAS must be modified to support CGN users.
◼ Centralized: Data for interworking between the NAT device and the CR must be configured. In addition, the NAT device itself must be configured.
Migration to the live network
◼ Distributed: The migration involves only the BRAS. Risks may arise only on devices under the BRAS.
◼ Centralized: Adjustments must be made simultaneously on the BRAS, CR, and NAT device to complete the migration. The CR is in a key position and faces greater risks.
Engineering delivery and operation
◼ Distributed: The delivery involves only the BRAS and is irrelevant to the CR. Coordination between different levels of O&M teams is not required.
◼ Centralized: The delivery involves the BRAS, CR, and NAT device. Issues related to these devices must be planned in a centralized manner. Routing information must be adjusted on the entire network. In addition, coordination between different levels of O&M teams in different cities or in the provincial center is required.
Service expansion
◼ Distributed: A CGN board is added. Related configuration must be modified on the BRAS.
◼ Centralized: Boards of the NAT device and CR interface boards are added. The configuration of the entire network must be modified.

CGN Networking Solutions—Network O&M Cost Analysis
[Figure: company in each city (BRAS, IPv4+IPv6, B4) – DS-Lite tunnel – provincial company (CR, AFTR)]
⚫ O&M interface: Generally, the O&M interface between the provincial company and the city companies of a carrier lies between the BRAS and the CR. The BRAS and the devices under it are managed by the city companies, whereas the CR and the devices above it are managed by the provincial company. If tunnels are faulty when the DS-lite centralized deployment mode is used, the O&M personnel of both the provincial company and the city companies must cooperate to rectify the faults. This increases the coordination costs.
⚫ Fault location:
◼ Distributed networking: 1->N fault location. Locate the fault by checking the BRAS and the devices under the BRAS.
With the gradual deployment of CGNs on BRASs, the O&M process remains a 1->N process.
◼ Centralized networking: 1+N fault location. Locate the fault by checking all BRASs and CRs on the access network and the MAN. The O&M process is a 1+N process, and devices in a large scope need to be checked to locate the fault.

Comparison of CGN Networking Solutions (1/2)
Total cost
◼ Centralized deployment, CGN mounted beside a CR: The investment at the early stage is low. It is easy to deploy new devices in a centralized manner.
◼ Distributed deployment, CGN board installed on a CR: The private network routes of users must be advertised on the MAN. Private address planning and the isolation of public network routes from private network routes are complex.
◼ Distributed deployment, CGN integrated with a BRAS or an SR: The cost is high when users are scattered and low when users are centralized. CGNs need to be deployed at multiple points and cannot be controlled in a centralized manner. The installation and subsequent O&M workload is heavy.
User management
◼ CGN mounted beside a CR: The CGN deployment position is high on the network, so the CGN cannot obtain user information. Therefore, it is difficult to implement user policy control and user tracing. It is also difficult to implement application level gateway (ALG) control on a NAT located at the core, which seriously hinders the deployment of new applications.
◼ CGN board installed on a CR: A log server must be deployed to record logs and implement tracing. This increases the investment and the O&M difficulty.
◼ CGN integrated with a BRAS or an SR: The CGN is integrated with the BRAS. The Radius server records the user log to implement user tracing. The solution is simple and facilitates user-based lean policy control and real-time, accurate tracing.
Service traffic
◼ CGN mounted beside a CR: Traffic within a city is transferred to the CRs and CGN devices for processing. This increases the traffic volume on the CRs. The CGN can meet the development requirements of new users.
◼ CGN board installed on a CR: Traffic within a city increases the traffic on the CRs. The CGN can hardly meet service development requirements because of the limited number of CR slots. If the loads of the BRASs on the live network cannot be distributed across different CRs, the network topology must be changed to prevent different public IP addresses from being allocated to the same user.
Reliability
◼ CGN mounted beside a CR: The CGN devices need to maintain a large number of sessions. Therefore, a single-point failure affects a large number of users. Reliability requirements are high and the networking is complex.
◼ CGN board installed on a CR: The CGN devices need to maintain a large number of sessions. Therefore, a single-point failure affects a large number of users. CRs must be upgraded. CGN faults affect the CRs, introducing high risks. Reliability requirements are high.
◼ CGN integrated with a BRAS or an SR: The traffic model is not changed. Forwarding efficiency is high and performance requirements are low.
Deployment value
◼ CGN mounted beside a CR: New devices must be managed and maintained. With the flattening of the network and the increase in IPv4 traffic, the CGN must gradually be moved downwards.
◼ CGN board installed on a CR: Devices can be managed in a centralized manner. CGNs and CRs belong to different O&M teams, which makes O&M coordination more difficult and makes it hard to meet service development requirements. With the increase in IPv4 traffic, the CGN must gradually be moved downwards.
◼ CGN integrated with a BRAS or an SR: This solution can be deployed in areas where users are centralized. The CGN can be deployed in these areas directly, without later being moved downwards as in the centralized deployment mode. The traffic model is not changed. Forwarding efficiency is high and performance requirements are low.

Comparison of CGN Networking Solutions (2/2)
Mainstream CGN deployment solutions:
⚫ Centralized deployment of a CGN mounted beside the CR
◼ The CGN deployment position is high on the network, so the CGN cannot obtain user information. Therefore, it is difficult to implement user policy control and user tracing.
◼ This solution is suitable for fast deployment of CGNs in areas where users are scattered.
◼ Traffic within a city is transferred to the CRs and CGN devices for processing. This increases the traffic volume on the CRs, and the CGN is more likely to become a performance bottleneck.
⚫ Distributed deployment of a CGN integrated with the BRAS/SR
◼ The CGN is integrated with the BRAS. The tracing solution is simple, which facilitates user-based lean policy control.
◼ This solution is suitable for direct deployment of CGNs in areas where users are centralized.
◼ The traffic model is not changed. Forwarding efficiency is high and performance requirements are low.

Self-Test Questions
2. Mainstream CGN deployment solutions include ( )
A. Distributed deployment of CGN that is integrated with the BRAS/SR
B. Centralized deployment of CGN that is mounted beside the CR
C. Distributed deployment of CGN that is mounted beside the BRAS/SR
D. Centralized deployment of CGN that is integrated with the CR

3. Introduction to CGN NAT and NAT traversal
◼ Introduction to CGN NAT
◼ NAT Traversal

Introduction to CGN NAT—Full-Cone
⚫ Full-cone NAT is also called triplet NAT. In this mode, the address and port of the peer are not considered when the mapping is created or used.
The device allocates addresses and filters packets by creating triplet entries (source address, source port number, and protocol type). Full-cone NAT weakens security, but supports a wider range of NAT traversal applications.
[Figure: private host 10.1.1.200 behind the CGN with public address 152.100.1.21; servers 121.12.124.20 and 131.15.124.22]
10.1.1.200:100 -> 121.12.124.20:80 is translated to 152.100.1.21:10240 -> 121.12.124.20:80
152.100.1.21:10240 <- 121.12.124.20:80 is delivered as 10.1.1.200:100 <- 121.12.124.20:80
152.100.1.21:10240 <- 131.15.124.22:80 is also delivered as 10.1.1.200:100 <- 131.15.124.22:80 (the triplet entry does not restrict the peer)

Introduction to CGN NAT—Symmetrical Mode
⚫ Symmetrical NAT is also called quintuple NAT. If packets have different destination IP addresses and port numbers but the same source IP address and port number, the NAT device translates the source IP address and port number into different external IP addresses and port numbers for each destination.
[Figure: the same hosts and servers as above]
10.1.1.200:100 -> 121.12.124.20:80 is translated to 152.100.1.21:10240 -> 121.12.124.20:80
152.100.1.21:10240 <- 121.12.124.20:80 is delivered as 10.1.1.200:100 <- 121.12.124.20:80
152.100.1.21:10240 <- 131.15.124.22:80 matches no quintuple entry and is not delivered to 10.1.1.200:100

NAT Traversal—Overview (1/2)
Why is NAT traversal required?
⚫ With the wide application of NAT, application layer protocols that use the IP address and port number as communication identifiers cannot run properly. Applications such as instant messaging (session and control messages), SIP (RTP/RTCP), and online payment require that all session connections of the same host use the same source IP address. If the same host originates sessions with the same IP address and port number, the NAT results may differ because standard NAT translates addresses dynamically.
⚫ Standard NAT works by changing the address information in the IP packet header or the UDP/TCP port number. The payload of some application layer protocols, however, also contains the IP address and port number. Consequently, some packets may be judged invalid and therefore discarded.
⚫ Assume that external networks need to use services provided by servers on an internal network. With a standard NAT solution, when a packet from an external network arrives at the CGN, NAT mapping may fail and the packet may be lost because the related triplet or quintuple entry has not been created.

NAT Traversal—Overview (2/2)
⚫ NAT traversal technologies
◼ ALG. Application scenario: ALG translation of frequently used protocols.
◼ Full-cone mode. Also called triplet NAT: the address and port of the peer are not considered. The device allocates addresses and filters packets by creating triplet entries (source address, source port number, and protocol type). Full-cone NAT weakens security, but supports a wider range of NAT traversal applications. Application scenario: P2P services.
◼ Direct distribution of public IP addresses and port forwarding. Application scenario: external networks need to use services provided by internal networks. Considering the complexity of deploying port forwarding, directly distributing public IP addresses is recommended for this scenario.
◼ CGN-independent NAT traversal: STUN, TURN, and so on.
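The two NAT behaviours above, and the NAPT port sharing shown on the earlier NAPT slide, can be reproduced with a small mapping-table model. This is an added example written for this page, not Huawei code; it uses the addresses from the slides (10.1.1.200 behind public address 152.100.1.21, servers 121.12.124.20 and 131.15.124.22, and hosts 192.168.1.2/192.168.1.3 behind 20.1.1.1). The mapping keys are the only difference between the modes: a triplet key lets any peer reach the mapped port, a quintuple key admits only the original peer.

```python
"""Toy NAPT with full-cone (triplet) and symmetric (quintuple) behaviour.
Added example, not code from the page or from Huawei. Addresses are taken
from the slides; protocol names and port numbering are this example's own."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Napt:
    """NAPT device with one public address.

    mode 'full-cone': mapping key is (proto, private src); inbound packets to
    the mapped port are accepted from any peer (triplet filtering).
    mode 'symmetric': mapping key is (proto, private src, dst); a new public
    port is allocated per destination and only that peer may answer.
    """

    def __init__(self, public_ip: str, mode: str, first_port: int = 10240):
        if mode not in ("full-cone", "symmetric"):
            raise ValueError("mode must be 'full-cone' or 'symmetric'")
        self.public_ip = public_ip
        self.mode = mode
        self._ports = count(first_port)          # sequential allocation, for readability
        self.mapping = {}                        # key -> public Endpoint
        self.reverse = {}                        # (proto, public Endpoint) -> (private src, allowed peer or None)

    def _key(self, proto, src, dst):
        return (proto, src) if self.mode == "full-cone" else (proto, src, dst)

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate the source of an outbound packet, creating the entry on first use."""
        key = self._key(proto, src, dst)
        if key not in self.mapping:
            pub = Endpoint(self.public_ip, next(self._ports))
            self.mapping[key] = pub
            peer = None if self.mode == "full-cone" else dst
            self.reverse[(proto, pub)] = (src, peer)
        return self.mapping[key]

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint):
        """Return the private destination for an inbound packet, or None if it is dropped."""
        entry = self.reverse.get((proto, dst))
        if entry is None:
            return None                          # no entry: unsolicited packet is discarded
        private, allowed_peer = entry
        if allowed_peer is not None and allowed_peer != src:
            return None                          # symmetric: only the original peer may answer
        return private


def napt_sharing():
    """NAPT slide: three private sockets share 20.1.1.1 on distinct public ports."""
    nat = Napt("20.1.1.1", "full-cone", first_port=1001)
    server = Endpoint("1.1.1.2", 80)
    flows = [Endpoint("192.168.1.2", 1111), Endpoint("192.168.1.2", 2222),
             Endpoint("192.168.1.3", 1111)]
    return [nat.outbound("tcp", f, server).port for f in flows]


def cone_vs_symmetric(mode: str):
    """Full-cone / symmetric slides: the same two-server exchange under each mode."""
    nat = Napt("152.100.1.21", mode)
    host = Endpoint("10.1.1.200", 100)
    server_a = Endpoint("121.12.124.20", 80)
    server_b = Endpoint("131.15.124.22", 80)
    pub = nat.outbound("udp", host, server_a)            # creates the entry
    reply_a = nat.inbound("udp", server_a, pub)          # answer from the original peer
    reply_b = nat.inbound("udp", server_b, pub)          # packet from a different peer
    pub_b = nat.outbound("udp", host, server_b)          # second destination, same source
    return pub, reply_a, reply_b, pub_b


if __name__ == "__main__":
    print("NAPT ports:", napt_sharing())
    for m in ("full-cone", "symmetric"):
        print(m, cone_vs_symmetric(m))
```

In full-cone mode the packet from 131.15.124.22:80 is delivered to 10.1.1.200:100 and the second destination reuses public port 10240; in symmetric mode that packet is dropped and the second destination gets port 10241, which is exactly why symmetric NAT breaks peer-to-peer traversal while full-cone permits it.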
NAT Traversal—NAT ALG
[Figure: access client 192.168.1.2 on the private network – CGN card in the metro (public address 202.10.1.2) – FTP (labelled "FTPS") server 202.10.1.1 on the public network]
◼ The client sets up the control connection to the server: S:192.168.1.2:1084 D:202.10.1.1:21 is translated by the CGN to S:202.10.1.2:12486 D:202.10.1.1:21.
◼ The client then sends a PORT packet whose payload carries its private address and port for the data connection. Without ALG handling, only the packet header is translated; the server sees the private address in the payload and cannot set up the data connection ("I didn't set up a connection with 192.168.1.2").
◼ With NAT ALG handling, the CGN also rewrites the address and port carried in the PORT packet payload to the public address and port. The server opens the data connection from port 20 to the translated address, and the data is transmitted over the established data channel.

NAT Traversal—Full-Cone Mode
⚫ The full-cone mode is applicable to P2P services.
[Figure: User 1 behind BRAS/CGN 1 and User 2 behind BRAS/CGN 2; P2P service server 202.38.162.2. Step 1: registration of both users with the server. Step 2: direct communication between the users.]
◼ Triplet-based filtering does not involve the destination IP address and port: protocol number, source IP address 192.168.1.2 and source port, destination *:*.

CGN-Independent NAT Traversal–STUN
⚫ The application communicates with a well-known server located on the public network to obtain the NAT type and the external network address and port number.
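The ALG behaviour described above can be made concrete with a small FTP ALG that rewrites the address and port in an active-mode PORT command and pre-creates the entry that lets the server's data connection come back in. This is an added example, not Huawei code; addresses follow the slide (client 192.168.1.2, CGN public address 202.10.1.2, server 202.10.1.1, public port 12486). The check that the payload address matches the packet's own source is this example's design choice: an ALG should not open an inbound mapping towards some other internal host on a client's say-so.

```python
"""FTP NAT ALG sketch: rewrite the PORT payload and pre-create the inbound mapping.
Added example, not code from the page or from Huawei. Addresses are from the
slide; the class and function names are this example's own."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_cmd(line: str):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2\\r\\n', or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = map(int, m.groups())
    if max(a, b, c, d, p_hi, p_lo) > 255:
        return None                      # refuse out-of-range octets rather than guess
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def format_port_cmd(ip: str, port: int) -> str:
    octets = ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(octets) + "\r\n"


class FtpAlg:
    """The CGN-side ALG: translate PORT payloads and remember the expected data connection."""

    def __init__(self, public_ip: str, first_port: int = 12486):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected = {}               # (public ip, public port) -> (private ip, private port)

    def _allocate(self, private_ip: str, private_port: int):
        pub = (self.public_ip, self.next_port)
        self.next_port += 1
        self.expected[pub] = (private_ip, private_port)
        return pub

    def translate_control(self, packet_src_ip: str, line: str):
        """Rewrite a PORT command from packet_src_ip.

        Returns the line to forward, or None if the packet should be dropped.
        Non-PORT lines pass through unchanged.
        """
        parsed = parse_port_cmd(line)
        if parsed is None:
            return line                  # not a PORT command: header-only NAT applies
        ip, port = parsed
        if ip != packet_src_ip:
            return None                  # payload names another host: do not create a mapping for it
        pub_ip, pub_port = self._allocate(ip, port)
        return format_port_cmd(pub_ip, pub_port)

    def inbound_data(self, dst):
        """Server's data connection (from port 20) toward the translated address."""
        return self.expected.get(dst)    # None means no ALG entry: the packet is dropped


def demo():
    alg = FtpAlg("202.10.1.2")
    cmd = format_port_cmd("192.168.1.2", 1084)              # what the client sends
    rewritten = alg.translate_control("192.168.1.2", cmd)    # what the server receives
    target = alg.inbound_data(("202.10.1.2", 12486))         # where the data connection lands
    return cmd, rewritten, target


if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```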
[Figure: User 1 behind BRAS/CGN 1 and User 2 behind BRAS/CGN 2 on private networks; rendezvous server 202.38.162.2 on the public network; CGN public address pool starting at 245.49.1.2. User 1 asks "My public address and port?" and the server answers "The public address and port are 245.49.1.2:…"]
⚫ CGN-independent NAT traversal is implemented by the application software itself.
◼ STUN (Session Traversal Utilities for NAT)
◼ TURN (Traversal Using Relay NAT)

Self-Test Questions
3. Which of the following modes are supported by the CGN to implement NAT traversal? ( )
A. Full-cone mode
B. Symmetrical mode
C. NAT ALG
D. STUN

4. Introduction to the CGN port allocation solution
◼ Session-based port allocation
◼ Port range pre-allocation
◼ Comparison of port allocation solutions

Traditional Session-based Port Allocation
⚫ Session-based port allocation: Traditional NAT allocates ports on demand. Each session of a user is randomly allocated a port under the public IP address. This allocation mechanism causes many management problems. If a log record is generated for the address translation of each session, a massive number of log records result. To reduce the log size, traditional session-based port allocation generally uses the binary stream log mode to output log records.
Port Range Pre-allocation
[Figure: CPE1 (private IPv4 10.112.1.2) and CPE2 (private IPv4 10.112.1.10) – BRAS with CGN, port-range 1024, public address pool starting at 245.49.1.2 – CR – Internet]
Private IPv4 | Public IPv4 | Start port | End port
10.112.1.2 | 245.49.1.2 | 3001 | 4024
10.112.1.10 | 245.49.1.2 | 6001 | 7024

Comparison of Port Allocation Solutions
⚫ Session-based port allocation and port range pre-allocation can both resolve the port allocation problems.
⚫ Advantages of the port range pre-allocation solution:
◼ User tracing is easily implemented based on the public address and the port range allocated to each user. Log information does not need to be recorded per session. This greatly reduces the massive log volume generated on the CGN and effectively reduces the system load.
◼ The solution prevents a few users from over-consuming the address and port resources.
◼ The same public address and port range are allocated to all data streams that come from the same user or source IP address.
⚫ Disadvantages of the port range pre-allocation solution:
◼ Based on the preset port range value, a fixed port range is reserved for each user. The port range value must therefore be set according to the maximum number of ports a user may need. This wastes port resources, and port allocation is less flexible.
◼ Owing to product limitations, the port range can only be set to 256, 512, 1024, 2048, or 4096.
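The allocation and tracing behaviour described in the comparison above can be shown with a small model of a port-range CGN. This is an added example, not Huawei code; the public address 245.49.1.2, the range size 1024 and the private addresses 10.112.1.2 and 10.112.1.10 are from the slide, while the block boundaries (contiguous blocks starting at port 1024) and the one-record-per-user log are this example's own choices. It also shows the bound on per-user consumption: a user whose block is full has the next session refused rather than being given another user's ports.

```python
"""Port range pre-allocation on a CGN with tracing by (public IP, port).
Added example, not code from the page or from Huawei. Block layout and
record format are this example's assumptions."""

ALLOWED_RANGE_SIZES = (256, 512, 1024, 2048, 4096)   # the product limit quoted on the slide
FIRST_PORT = 1024      # assumption: well-known ports are kept out of the user pool
LAST_PORT = 65535


class PortRangeCgn:
    def __init__(self, public_ips, range_size):
        if range_size not in ALLOWED_RANGE_SIZES:
            raise ValueError(f"port-range must be one of {ALLOWED_RANGE_SIZES}")
        self.range_size = range_size
        self.free = []                                   # (public ip, block start)
        for ip in public_ips:
            start = FIRST_PORT
            while start + range_size - 1 <= LAST_PORT:
                self.free.append((ip, start))
                start += range_size
        self.users = {}                                  # private ip -> (public ip, start, end)
        self.sessions = {}                               # private ip -> set of public ports in use
        self.log = []                                    # one record per user event, not per session

    def user_online(self, private_ip):
        """Reserve one whole block for the user when they come online."""
        if private_ip in self.users:
            return self.users[private_ip]
        if not self.free:
            raise RuntimeError("public address pool exhausted")
        ip, start = self.free.pop(0)
        record = (ip, start, start + self.range_size - 1)
        self.users[private_ip] = record
        self.sessions[private_ip] = set()
        self.log.append(("online", private_ip) + record)
        return record

    def user_offline(self, private_ip):
        ip, start, end = self.users.pop(private_ip)
        self.sessions.pop(private_ip)
        self.free.append((ip, start))
        self.log.append(("offline", private_ip, ip, start, end))

    def new_session(self, private_ip):
        """Pick a free public port inside the user's own block, or None if it is full."""
        ip, start, end = self.users[private_ip]
        used = self.sessions[private_ip]
        for port in range(start, end + 1):
            if port not in used:
                used.add(port)
                return ip, port
        return None                                      # block exhausted: refuse, never borrow

    def end_session(self, private_ip, port):
        self.sessions[private_ip].discard(port)

    def trace(self, public_ip, port):
        """Who holds (public_ip, port) right now? Needs only the per-user record."""
        for private_ip, (ip, start, end) in self.users.items():
            if ip == public_ip and start <= port <= end:
                return private_ip
        return None


def demo():
    cgn = PortRangeCgn(["245.49.1.2"], 1024)
    block_a = cgn.user_online("10.112.1.2")
    block_b = cgn.user_online("10.112.1.10")
    first = cgn.new_session("10.112.1.2")
    for _ in range(cgn.range_size - 1):                  # fill the rest of user A's block
        cgn.new_session("10.112.1.2")
    refused = cgn.new_session("10.112.1.2")              # None: A cannot take B's ports
    traced = cgn.trace("245.49.1.2", block_b[1] + 452)   # a port inside B's block
    return block_a, block_b, first, refused, traced, len(cgn.log)


if __name__ == "__main__":
    print(demo())
```

The log has two entries after two users came online, however many sessions they opened; a session-based CGN would have written one record per session instead.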
Introduction to CGN user tracing solutions
  Overview of User Tracing Solutions
  Dynamic User Tracing Solution
  Offline User Tracing Solution
Page46

Overview of User Tracing Solutions
⚫ Why is user tracing required? User tracing is implemented to meet national security monitoring requirements. For example, when a person posts reactionary content on a network, the network records the release time, the user information, and the content of the post. The user information consists of <public IPv4 address of the user, public port number of the user>. The national security organization can locate the user based on the time and the public IPv4 address; for example, the Radius server records the online and offline times and the allocated public IPv4 addresses of all users.
⚫ Complexity of user tracing after CGN deployment: After the CGN is deployed, users are identified during user tracing by the public IPv4 address and port number instead of by the IPv4 address alone. The uncertainty of which public IPv4 address and port number a user occupies makes user tracing more complex.
⚫ User tracing modes after CGN deployment:
  Dynamic user tracing: also called online user tracing. It is classified into Radius user tracing and static algorithm user tracing.
  Offline user tracing: a user tracing mode used after users go offline. Users are traced based on the logs on the syslog server.
Page47

Dynamic User Tracing Solution (1/2)
⚫ Principle of dynamic user tracing: Dynamic user tracing is applicable to the scenario where the CGN boards are installed on a BRAS and the BRAS generates the user address mapping and reports it to the AAA server.
The BRAS selects the public address and port for each user address and creates the user address mapping, so that different user addresses get different combinations of addresses and ports. The port range is allocated in advance. The BRAS reports information such as the address and port range corresponding to the user address in the Accounting-Request message by using extended Radius attributes. The AAA server obtains information such as the user address, public IP address, and port range, and maintains the mapping with the user information.
⚫ Extended Radius attributes used to report the mapping:
  NAT-IP-Address (26-161): public address after NAT
  NAT-Port-Start (26-162): start port number after NAT
  NAT-Port-End (26-163): end port number after NAT
[Figure: 1. Each BRAS integrated with the CGN creates the user address mapping. 2. The BRAS reports the user address mapping to the AAA server by using Radius attributes. 3. The AAA server maintains the mapping between addresses and user information.]
Page48

Dynamic User Tracing Solution (2/2)
[Figure: PC - HG - DSLAM/MxU/OLT - BRAS integrated with the CGN - Internet, with the AAA server attached to the BRAS.]
User access and authentication:
  1. The user sets up a connection and initiates authentication.
  2. User authentication.
  3. The BRAS allocates a private IPv4 address to the user and reports the allocated private IP address to the AAA server using Radius attributes.
  4. Based on the private IP address, the BRAS allocates the translated public IP address and port range and reports them to the AAA server using Radius attributes.
Internet access:
  5. The BRAS searches the user information and address mapping table based on the private IP address, and translates the private IP address into a public IP address and port number.
  (The user's Internet access request carries the private source address; after translation, the BRAS forwards it with the public source address.)
AAA server tables:
  The AAA server maintains the user information table, including the user names and domain names. (The AAA server can issue a NAT policy template to implement port pre-allocation.)
  The AAA server maintains the mapping between user information (homing CGNs, user names, domain names, private IP addresses, and port numbers) and address information (public IP addresses and port numbers).
User tracing:
  6. The security organization has obtained only the public network address and port number of the user who accessed the network illegally and cannot locate the user from them alone.
  7. The security organization queries the user information based on the public IP address and port number. The AAA server queries the user information and address mapping table based on the public IP address, port number, and time period to obtain the user name and directly locate the user, and returns the user information.
Page49

Offline User Tracing Solution (1/2)
⚫ Principle of offline user tracing: When users are offline, security organizations query the log server and the AAA server to obtain the user information. Offline user tracing is applicable to all CGN deployment modes, for example, the CGN integrated with the CR or BRAS, or a stand-alone CGN. Generally, the log server stores the user logs generated over three to six months. The log server maintains the user log information, including the time period, private IP address and port, public IP address and port, and destination address and port. The CGN sends the log information that contains the user address mapping to the log server using elog or syslog.
[Figure: 1. The CGN generates the mapping between the private IP address and the public IP addresses and port ranges. 2. The CGN sends the log information that contains the user address mapping to the log server using elog or syslog; the log server maintains the user log information.]
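The two-step offline query described above (log server first, then AAA server) as an added Python example, not Huawei's code; the log line layout, the AAA records, the host names and the timestamps are constructed for illustration and do not follow the elog/syslog format.

```python
"""Offline user tracing over NAT session logs (added example).

Constructed data and layout, not Huawei's elog/syslog format: the log server
holds one record per translation with the time period it was valid, the AAA
server holds the user table, and a (public IP, port, time) query is answered
in the two steps the slides describe: log server first, then AAA server.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union


@dataclass(frozen=True)
class SessionLog:
    start: datetime            # time period during which the mapping was valid
    end: datetime
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AaaRecord:
    user_name: str
    domain: str
    home_bras: str
    private_ip: str
    online: datetime
    offline: datetime


def _as_dt(when: Union[str, datetime]) -> datetime:
    """Accept ISO 8601 strings as well as datetime objects."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def parse_log_line(line: str) -> SessionLog:
    """Parse one constructed ';'-separated log line (ISO timestamps first)."""
    f = line.strip().split(";")
    return SessionLog(_as_dt(f[0]), _as_dt(f[1]),
                      f[2], int(f[3]), f[4], int(f[5]), f[6], int(f[7]))


def find_private_endpoint(logs: List[SessionLog], public_ip: str, public_port: int,
                          when: Union[str, datetime]) -> List[SessionLog]:
    """Log-server step: all records matching public IP, port and time.
    A public port is reused over time, so the time period is what disambiguates."""
    t = _as_dt(when)
    return [rec for rec in logs
            if rec.public_ip == public_ip and rec.public_port == public_port
            and rec.start <= t <= rec.end]


def find_user(aaa: List[AaaRecord], private_ip: str,
              when: Union[str, datetime]) -> Optional[AaaRecord]:
    """AAA-server step: the user who held that private IP at that time."""
    t = _as_dt(when)
    for rec in aaa:
        if rec.private_ip == private_ip and rec.online <= t <= rec.offline:
            return rec
    return None


def trace_offline(logs: List[SessionLog], aaa: List[AaaRecord], public_ip: str,
                  public_port: int, when: Union[str, datetime]) -> Optional[str]:
    """Full offline trace: 'user@domain', or None when nothing matches or the
    log records disagree on the private IP (never guess in that case)."""
    hits = find_private_endpoint(logs, public_ip, public_port, when)
    if len({h.private_ip for h in hits}) != 1:
        return None
    user = find_user(aaa, hits[0].private_ip, when)
    return f"{user.user_name}@{user.domain}" if user else None


# Constructed sample data: two users reuse public port 2944 at different times.
CONSTRUCTED_LOG_LINES = [
    "2011-05-01T10:00:00;2011-05-01T10:05:00;10.10.10.198;34;112.112.10.27;2944;112.112.2.3;2342",
    "2011-05-01T10:30:00;2011-05-01T10:40:00;10.10.10.77;5001;112.112.10.27;2944;1.1.1.2;80",
]
LOGS = [parse_log_line(line) for line in CONSTRUCTED_LOG_LINES]
AAA_TABLE = [
    AaaRecord("1111", "domain1", "BRAS-1", "10.10.10.198",
              datetime(2011, 5, 1, 9, 0), datetime(2011, 5, 1, 12, 0)),
    AaaRecord("2222", "domain1", "BRAS-1", "10.10.10.77",
              datetime(2011, 5, 1, 10, 20), datetime(2011, 5, 1, 11, 0)),
]
```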
Page50

Offline User Tracing Solution (2/2)
[Figure: PC - HG - DSLAM/MxU/OLT - BRAS - CGN - Internet, with the AAA server attached to the BRAS and the log server attached to the CGN.]
User access and authentication:
  1. Set up a connection and initiate authentication.
  2. User authentication. The AAA server maintains the user information table, including user names and domain names.
  3. Allocate a private IPv4 address to the user and report the allocated private IP address to the AAA server using Radius attributes. The AAA server maintains the user information and private IP address mapping table, which contains the home BRAS, user names, domain names, and private IP addresses.
  4. Report the private IP address information.
Internet access:
  1. Private source address access request.
  2. The CGN searches the user information and address mapping table based on the private IP address, and translates the private IP address into a public IP address and port number.
  3. Public source address access request.
  4. The CGN sends the log information (user log information) that contains the user information and address mapping to the log server in real time.
User tracing:
  5. The security organization has obtained only the public network address and port number of the user who accessed the network illegally and cannot locate the user from them alone.
  6. Query the user information on the AAA server based on the public IP address and port number.
  7. The AAA server does not have the private IP address information and therefore sends a query request that contains the public IP address and port number to the log server through the webservice interface.
  8. The log server queries the user log information based on the public IP address, port number, and time period to obtain the private IP address and port number, and sends the obtained information to the AAA server.
  9. The AAA server queries the user information based on the returned private IP address and port number to obtain the user name and locate the user.
  Finally, the user information located by the private IP address and port number is returned to the security organization.
Page51

Self-Test Questions
4. To which of the following CGN networking modes is dynamic user tracing applicable? ( )
  A. Distributed deployment of CGN that is integrated with the BRAS/SR
  B. Centralized deployment of CGN that is mounted beside the CR
  C. Distributed deployment of CGN that is mounted beside the BRAS/SR
  D. Centralized deployment of CGN that is integrated with the CR
Page52

Contents
6. Configuration example for the typical CGN application scenarios
  CGN Integrated with BRAS to Support Internet Access of Users in NAT444+PPPoE Mode
  CGN Integrated with BRAS to Support Internet Access of Users in DS-Lite+PPPoE Mode
Page54

CGN Integrated with BRAS to Support Internet Access of Users in NAT444+PPPoE Mode
[Figure: PC1 and PC2 - CPE - access network - BRAS with integrated CGN (interface GE6/0/0) - ISP core; a syslog server, Radius server, DHCP server, and web server are attached.]
⚫ The CGN is integrated with the BRAS.
⚫ DS users access the BRAS through a CPE. The BRAS allocates an IPv6 address to the CPE. The BRAS manages users, translates IPv4 addresses, and sets up 4in6 tunnels for users.
Page55

Configuration Procedure
1. Configure the user access part.
2. Configure the NAT instance.
3. Configure a domain and bind the domain with a DS-lite instance.
4. Configure the traffic policy.
5. Advertise routes.
6. Check the configuration.
Page56

Configure NAT Instance (1/3)
# Allocate the license resource to service boards.
[ME60] nat session-table 6M slot 2
[ME60] nat session-table 6M slot 8
# Create a NAT instance.
[ME60] nat instance 1
# Configure the NAT mode as full-cone.
[ME60-nat-instance-1] nat filter mode full-cone
# Set the port range so that a port segment is allocated to each private IP address. (Optional)
[ME60-nat-instance-1] port-range 2048
# Add service boards to the NAT instance. Two service boards working in active/standby mode can be added to an instance.
[ME60-nat-instance-1] add slot 2 master
[ME60-nat-instance-1] add slot 8 slave
# Configure the NAT address pool. The public IP addresses used for address translation are selected from the address segments configured in the pool.
[ME60-nat-instance-1] nat address-group 1 112.112.10.1 112.112.10.254
# Use the addresses in the address pool for address translation.
[ME60-nat-instance-1] nat outbound any address-group 1
Page57

Configure NAT Instance (2/3)
# Enable session limitation to improve security. (Optional)
[ME60-nat-instance-1] nat session-limit enable
[ME60-nat-instance-1] nat reverse-session-limit enable
# Adjust the session limits. (Optional; set according to the network model)
[ME60-nat-instance-1] nat session-limit tcp 4096
[ME60-nat-instance-1] nat session-limit udp 4096
[ME60-nat-instance-1] nat reverse-session-limit tcp 4096
[ME60-nat-instance-1] nat reverse-session-limit udp 4096
# Configure the server that receives the NAT log. (This configuration is required when syslog-based user tracing is enabled.
# The address and port are configured according to the actual situation.)
[ME60-nat-instance-1] nat log session enable
[ME60-nat-instance-1] nat session-log host 102.102.102.102 555 source 1.1.1.1 555 name 1
# By default, the NAT log is in Huawei format. When Huawei devices interwork with China Telecom servers, the NAT log format must be changed to the China Telecom format.
[ME60] nat syslog descriptive format cn
Page58

Configure NAT Instance (3/3)
# Configure the NAT ALG functions as required.
[ME60-nat-instance-1] nat alg all
# Enable hot backup between boards. (Optional)
[ME60] nat board hot-backup enable
# Adjust the TCP MSS negotiation value. (Optional)
[ME60] nat tcp-mss 1000
# Adjust the session aging time. (Optional)
[ME60] nat session aging-time tcp 300
Page59

Configure Domain Binding NAT
# Configure the user group used for Internet access.
[ME60] user-group 1
# Switch to the user access domain and bind the user group with the NAT instance.
[ME60-aaa] domain domain1
[ME60-aaa-domain-domain1] user-group 1 bind nat instance 1
Page60

Configure the Traffic Policy
# Configure the user control list (UCL) and match the user group.
[ME60] acl 6000
[ME60-acl-ucl-6000] rule 5 permit ip source user-group 1
# Configure a traffic classifier.
[ME60] traffic classifier nat444
[ME60-classifier-nat444] if-match acl 6000
# Configure the traffic behavior and bind the NAT instance.
[ME60] traffic behavior nat444
[ME60-behavior-nat444] nat bind instance 1
# Configure the traffic policy and bind the classifier to the behavior in the system view.
[ME60] traffic policy nat444
[ME60-trafficpolicy-nat444] classifier nat444 behavior nat444
# Apply the traffic policy in the global configuration view. Only one traffic policy can be applied in each direction.
[ME60] traffic-policy nat444 inbound
Page61

Advertise Routes
# Directly import the user network routes (UNRs) in the routing protocol configuration so that all NAT addresses are advertised as 32-bit host routes. When a user gets online and NAT is performed, a route policy must be configured to filter out the user's private IP route when UNR routes are advertised.
[ME60] ip ip-prefix nat index 10 permit 112.112.10.1 24
[ME60] route-policy nat permit node 5
[ME60-route-policy] if-match ip-prefix nat
[ME60] ospf 1
[ME60-ospf-1] import-route unr route-policy nat
# Configure a static route whose destination is the address segment of the address pool and point it to NULL0, then import static routes into the routing protocol for advertisement. (Recommended)
[ME60] ip route-static 112.112.10.0 255.255.255.0 NULL 0
[ME60] ospf 1
[ME60-ospf-1] import-route static
Page62

Check the Configuration
# Check online user information.
display access-user user-id 2
  User access index : 2
  State : Used
  User name : 1111
  Domain name : domain1
  ...(Omitted)
  User IP address : 10.10.10.198
  ...(Omitted)
  User-Group : 1
  NAT IP address : 112.112.2.27
  NAT Port Scope(Start,End) : 2048,4095
# Check session information.
display nat session table slot 2
  Slot: 2 Engine: 0 Current total sessions: 1.
  udp: 10.10.10.198:34[112.112.10.27:2944]-->112.112.2.3:2342
Page63

CGN Integrated with BRAS to Support Internet Access of Users in DS-Lite+PPPoE Mode
[Figure: DS-Lite CPE - IPv6 access network - BRAS (DS-Lite) - IPv4/IPv6 Internet.]
⚫ The CGN is integrated with the BRAS.
⚫ DS users access the BRAS through a CPE. The BRAS allocates an IPv6 address to the CPE. The BRAS manages users, translates IPv4 addresses, and sets up 4in6 tunnels for users.
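A consistency check over the two NAT444 verification displays shown above (display access-user and display nat session table), written as an added Python example rather than device code; the sample output is constructed in the same layout as the slide, and the address-group bounds passed to the check are the ones from the NAT instance configuration.

```python
"""Consistency check of the NAT444 verification displays (added example).

Parses 'display access-user' and 'display nat session table' output in the
layout shown on the Check the Configuration slide and checks that every
session's translated address lies in the nat address-group and that the
translated port falls inside the user's pre-allocated NAT Port Scope.
The sample text below is constructed, not captured from a device.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

SESSION_RE = re.compile(
    r"^(?P<proto>\w+):\s*(?P<priv_ip>[\d.]+):(?P<priv_port>\d+)"
    r"\[(?P<pub_ip>[\d.]+):(?P<pub_port>\d+)\]-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")

UserEntry = Tuple[str, int, int]   # (NAT IP address, start port, end port)


def parse_access_user(text: str) -> Dict[str, UserEntry]:
    """{private IP: (NAT IP, start, end)} from 'display access-user' output."""
    users: Dict[str, UserEntry] = {}
    for block in re.split(r"(?m)^\s*User access index", text)[1:]:
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        start, end = (int(p) for p in fields["NAT Port Scope(Start,End)"].split(","))
        users[fields["User IP address"]] = (fields["NAT IP address"], start, end)
    return users


def parse_sessions(text: str) -> List[dict]:
    """One dict per 'proto: priv[pub]-->dst' line; other lines are ignored."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append({k: int(v) if v.isdigit() else v
                             for k, v in m.groupdict().items()})
    return sessions


def audit(access_user_text: str, session_text: str,
          pool_first: str, pool_last: str) -> List[str]:
    """Return one finding per session that contradicts the configuration."""
    users = parse_access_user(access_user_text)
    lo, hi = ip_address(pool_first), ip_address(pool_last)
    findings = []
    for s in parse_sessions(session_text):
        pub = ip_address(s["pub_ip"])
        if not lo <= pub <= hi:
            findings.append(f"{s['priv_ip']}: translated to {pub}, outside address-group {lo}-{hi}")
        entry = users.get(s["priv_ip"])
        if entry is None:
            findings.append(f"{s['priv_ip']}: session with no online user")
            continue
        nat_ip, start, end = entry
        if str(pub) != nat_ip or not start <= s["pub_port"] <= end:
            findings.append(f"{s['priv_ip']}: {pub}:{s['pub_port']} outside assigned "
                            f"{nat_ip}:{start}-{end}")
    return findings


# Constructed sample output in the layout of the two displays.
ACCESS_USER_OUTPUT = """\
User access index : 2
  State : Used
  User name : 1111
  Domain name : domain1
  User IP address : 10.10.10.198
  User-Group : 1
  NAT IP address : 112.112.10.27
  NAT Port Scope(Start,End) : 2048,4095
"""
SESSION_OUTPUT = """\
Slot: 2 Engine: 0 Current total sessions: 3.
udp: 10.10.10.198:34[112.112.10.27:2944]-->112.112.2.3:2342
tcp: 10.10.10.198:40001[112.112.10.27:5000]-->112.112.2.3:80
udp: 10.10.10.77:5001[112.112.10.27:6001]-->1.1.1.2:53
"""
```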
Page64

Configuration Procedure
1. Configure the user access part.
2. Configure an IPv6 address pool.
3. Configure a DS-lite instance.
4. Configure a domain and bind the domain with the DS-lite instance.
5. Configure the traffic policy.
6. Advertise routes.
7. Check the configuration.
Page65

Configure IPv6 Address Pool (1/2)
# Create a prefix with the IPv6 attribute set to local and configure the address prefix, which is used to allocate a WAN interface address to a CPE.
[ME60] ipv6 prefix 1 local
[ME60-ipv6-prefix-1] prefix 4001:10::/48
# Create a prefix with the IPv6 attribute set to delegation and configure the address prefix, which is used to allocate public IPv6 addresses to PCs.
[ME60] ipv6 prefix 2 delegation
[ME60-ipv6-prefix-2] prefix 4002:10::/48
# Create an address pool with the IPv6 attribute set to local. Configure the DNS server address and the AFTR domain name. Bind the prefix to the address pool.
[ME60] ipv6 pool 1 bas local                    // Create an IPv6 local address pool.
[ME60-ipv6-pool-1] dns-server 2001:1::E         // Configure the IPv6 DNS server address.
[ME60-ipv6-pool-1] prefix 1                     // Bind the IPv6 prefix to the address pool.
[ME60-ipv6-pool-1] aftr-name www.ds-lite.cn     // Configure the AFTR domain name.
# Create an IPv6 delegation prefix address pool and bind the prefix to the address pool.
[ME60] ipv6 pool 2 bas delegation
[ME60-ipv6-pool-2] prefix 2
Page66

Configure IPv6 Address Pool (2/2)
# Switch to the AAA view and bind the IPv6 local prefix address pool and the delegation prefix address pool to the domain.
[ME60] aaa
[ME60-aaa] domain domain1
[ME60-aaa-domain-domain1] ipv6-pool 1
[ME60-aaa-domain-domain1] ipv6-pool 2
# Set managed-address-flag and other-flag to 1 so that addresses and the DNS server are allocated in IA_NA mode.
[ME60-aaa-domain-domain1] ipv6 nd autoconfig managed-address-flag
[ME60-aaa-domain-domain1] ipv6 nd autoconfig other-flag
Page67

Configure DS-lite Instance
# Allocate the license resource to service boards. Configurations in the system view are shared by NAT and DS-lite; both use the nat keyword.
[ME60] nat session-table 6M slot 2
[ME60] nat session-table 6M slot 6
# Create a DS-lite instance.
[ME60] ds-lite instance 1
# Configure the local endpoint address of the DS-lite tunnel.
[ME60-ds-lite-instance-1] local-ipv6 6001::1 prefix-length 64
# Configure the IPv6 address range of the remote CPEs that are allowed to connect. Multiple IPv6 address ranges can be configured.
[ME60-ds-lite-instance-1] remote-ipv6 4001:10:: prefix-length 48
# Configure the basic part of the DS-lite instance with the following commands. The configuration is consistent with the NAT instance configuration.
[ME60-ds-lite-instance-1] ds-lite filter mode full-cone
[ME60-ds-lite-instance-1] port-range 2048
[ME60-ds-lite-instance-1] add slot 2 master
[ME60-ds-lite-instance-1] add slot 6 slave
# The remaining configurations are optional and consistent with the NAT instance configurations.

Configure Domain Binding DS-lite Instance
# Configure the user group used for Internet access.
[ME60] user-group 1
# Switch to the user access domain and bind the user group with the DS-lite instance.
[ME60-aaa] domain domain1
[ME60-aaa-domain-domain1] user-group 1 bind ds-lite instance 1
Page69

Configure Traffic Policy
# Configure the UCL and match the online users.
[ME60] acl ipv6 6000
[ME60-acl6-ucl-6000] rule 5 permit ipv6 source user-group 1
# Configure the traffic classifier.
[ME60] traffic classifier dslite
[ME60-classifier-dslite] if-match ipv6 acl 6000
# Configure the traffic behavior.
[ME60] traffic behavior dslite
[ME60-behavior-dslite] ds-lite bind instance 1
# Configure the traffic policy and bind it in the system view.
[ME60] traffic policy dslite
[ME60-trafficpolicy-dslite] classifier dslite behavior dslite
[ME60] traffic-policy dslite inbound
Page70

Route Advertisement
# Configure static routes whose destinations are the address pool segments and point them to NULL0.
[ME60] ip route-static 112.112.10.0 255.255.255.0 NULL 0
[ME60] ipv6 route-static 4001:10:: 48 NULL0
[ME60] ipv6 route-static 4002:10:: 48 NULL0
[ME60] ospf 1
[ME60-ospf-1] import-route static
[ME60] ospfv3 1
[ME60-ospfv3-1] import-route static          // Import the IPv6 static routes.
Page71

Check the Configuration (1/2)
# Check the 4in6 tunnel establishment.
[ME60] display ds-lite tunnel table
  Slot: 2 Engine: 0 Current total sessions: 1.
  CPE:4001:0010::0001 --> Local-ip:6001::0001
  Slot: 2 Engine: 1 Current total sessions: 1.
  CPE:4001:0010::0001 --> Local-ip:6001::0001
  Slot: 2 Engine: 2 Current total sessions: 1.
  CPE:4001:0010::0001 --> Local-ip:6001::0001
  Slot: 2 Engine: 3 Current total sessions: 0.
Page72

Check the Configuration (2/2)
# Check the NAT information.
[ME60] display nat session table verbose
  This operation will take a few minutes. Press 'Ctrl+C' to break ...
  Slot: 2 Engine: 0 Current total sessions: 1.
  udp: 10.10.10.198:34[112.112.10.27:2944]-->112.112.2.3:2342
  DS-Lite Instance: 1 VPN:--->Tag:0x88b,FixedTag:0x4006805, Status:hit, TTL:00:00:50 ,Left:00:00:45 , Master
  AppProID: 0x0, CPEIP:4001:10::1, FwdType:FORWARD Nexthop:112.112.2.3 OutPort:0x7
  -->packets:12, bytes:769, drop:0
  <--packets:12, bytes:1124, drop:0
Page73

Self-Test Questions
5. In the CGN DS-lite solution, is it necessary to allocate an IPv4 address to a CPE? ( )
  A. No
  B. Yes
Page74

Summary
⚫ This course describes the mainstream CGN deployment solutions:
  When adding CGN devices, carriers need to consider multiple factors such as costs and impacts on services, and select an appropriate networking solution for their own networks. The mainstream CGN networking solutions are distributed deployment of CGNs integrated with BRASs and centralized deployment of CGNs mounted beside CRs.
  The major functions of the CGN are setting up 4in6 tunnels and NAT. In NAT444, users behind the CGN share the port resource, so the port resource must be pre-allocated to prevent a few users from over-consuming it.
  User tracing is a major concern of carriers. Deploying new CGN devices makes user tracing more difficult, so you need to understand how user tracing is implemented after CGN devices are added.
  CGNs must be added to deploy an IPv6 transition solution. You need to complete the basic CGN configurations for the different IPv6 transition solutions.
Page75

Thank you
www.huawei.com