Session Name: NAT64 Technical Deep Dive
Session Number:
Date: Wednesday, September 14, 2011
Starting Time: 11:28 AM
Question Answer
ETA for Stateful NAT64?
ASR1k is now shipping stateful NAT64 starting with release XE3.4
Also, will NAT64 (stateless/stateful) ever be available on IOS (ISRs)? If yes - ETA?
ISR is likely to support NAT64, but I have not seen any official announcement on this yet
does 7206 vxr support ip v vxr supports IPV6 but NAT64 is not supported there.
Is there an ETA for NPT (Network Prefix Translation)?
answered in later response
Thanks Cheryl - didn't realize stateful NAT64 was already out.
Yes, XE3.4 was posted on CCO 7/25/11
To get NAT64 capability this would be a software update for our existing devices (like ASAs or L3 switches for example)?
what is the NAT64 capability different between a CGN module on CRS-1/3 and an ASR1006 with ESP20/40?
I do not believe ASA currently supports NAT64. It is supported on ASR1k XE3.4 released end of August
I can not comment on CRS, but ESP20/40 support 2M stateful NAT64 translation at 5.5 Million packets per second
In looking at IPv6 and NAT64, one of the issues of concern was the availability of something to proxy IPV4 to IPv6 DNS...i.e. what to pass as a DNS AA record to an IPv6 host to reach an IPv4 host via NAT. Does Cisco have a solution for this DNS64 need?
as of now we are using OPEN source DNS64 to convert the queries. we don't have any solution out as of now for DNS64
Any plans for NAT66 or NAT46?
Regarding NPT (RFC 6296) authored by Cisco employee, if you don't know ETA can you refer me to someone? I have heard this is planned but have been unable to get further info.
these are being considered for ASR1k roadmap, but are not currently official in plan
NPT is being considered for the ASR1k roadmap, but is not official in plan at this time.
Support on FWSM?
I have clients that have a IPV4 inside network but has IPV6 outside IP. Will NAT64 allow us the ability to NAT/PAT the inside IPv4 private IP to the IPV6.
sorry we do not know the plans for that platform.
We do support this kind of translations with Static Mapping as of now in our NAT64 solution
Will FWSM support NAT64
sorry we do not know the plans for that platform.
Does ASR 1K support Stateful NAT 64 in HA mode (hot standby)?
Yes
To running NAT64, does it require any limitation per node?
No, I assume you are asking about the number of sessions per host?
how about 3845 does it support nat64
impact of converting on VoIP
No 3845 does not support NAT64
VOIP will come under ALG's and right now we don't support VOIP ALG's with NAT64, only supported ALG is FTP. but other ALGs are in our roadmap.
When will the ASA code see NAT64
sorry we don't know the plans of that platform. As of now only ASR1k and CRS support NAT64
Which DNS64 open source solution are you using?
Viagenie
Is there support in NX-OS for NAT64?
As I understand it, the ASA will allow the creation of IPv6 addresses to be IPSEC tunneled within IPv4 packets with the creation of 8.4. I have successfully tested native IPv6 tunnels but have not yet tried to see if I can tunnel IPv6 through IPv4 tunnels
sorry we do not have ASA expertise among the panelist
Currently ASR 1K supports NAT 64 translation logging over Netflow. How about Syslog integration?
ipv6 voice packets - impact
No committed plans for syslog integration as of yet, but in the roadmap
VOICE packet like SIP/Skinny/h323 will need ALG support with NAT64, it's not available as of now but it's in the Roadmap.
What would be magical numbers per node to run NAT64? Just approx..
If you are asking about scaling, ASR1k on ESP20 supports up to 2M stateful translations
Virginia Tech is also running IPv6, they're the first ones in US.
Thanks for the info
So, as an enterprise, who would like to start testing Ipv6 in the internal environment, would it be right to say that as of now, with a Cisco 2951, I could use NAT-PT?
Proposed Standard to Historic status support for NAT-PT was withdrawn; if you want to use a IPv4 <-> IPv6 translation, then using NAT64 is recommended using a platform like ASR1k or CRS.
So I guess that NAT64 does not supported inbound NAT to an IPV4. Example I have IPV6 outside IP but our DMZ is IPv4. Can we do an inbound NAT so a users can reach our website in our DMZ?
NAT64 on ASR1k does support IPv4 initiated traffic, but only in a limited scope. What is support is static v6v4 mappings which allows IPv4 initiated traffic.
Is NAT64 supported on 4500 sup6? in hardware?
No It's not supported in 4500.
bandwidth bogged down by ipv6 versus ipv4
please clarify. this question is not clear
is nat64 only supported on ASR 1000, any other devices
ASR1k and CRS CGN
If I am running an ASA and a 3750 layer 3 switch in my environment, for example, what is my migration path to being able to develop a network with an external IPV6 address NAT'd over to a multi-vlan IPV4 internal environment? Nothing smaller than ASR-1k?
Nothing as of now. only ASR 1k and CRS supports NAT64 as of now
so the ASR 1K is the recommended platform for where you want NAT64 and currently use 7206VXR's?
Yes ASR1k is the best choice in this case.
Or a switch/fw?
none of the switch support NAT64 as of now.
Is it possible to get an ETA for NAT64 support in IOS (e.g. ISR/ISR G2s)?
5.5 M packets per second is based on which packet size? 64, or hybrid?
it's with packet size 68.
For Dual-Stack technologies, do you see Dual-Stack PPP on the broadband access networks playing a big role in transitioning to IPv6?
It really depends on the network design to be honest. For some folks that have older devices it'll be big
NAT64 and the ASA Services module for the C6500?
Are there any configuration examples available to configure tunnelling and translation (i.e. NAT64) for the ASR1001?
In FWs, what Codes are being supported for NAT64?
Are you asking is this supported?
Yes you can go to
We don't support firewall with NAT64 as of now this code is in testing as of now and will be out in another 4-5 Month time.
What product will be positioned for NAT64 support for the SMB market?
You might want to consider ASR1001
Do you recommend an IPAM solution for deploying IPv6?
Can you pls send me a link that explains NAT 64 HA (hot standby) mode. The docs only indicate cold standby support for NAT Thanks.
Is DNS64 embedded into the ASR1001 are does it rely on a BIND server to perform DNS64?
I have Cisco 7201 at the edge, Cisco ASA 5550 as firewall and CISCO ACE 4710 as a Lbalancer. For me, how is it possible to deploy IPV6?
NAT64 isn't supported on 7200/asa/ace. Dual-stack won't work either, as ACE has no IPV6 support. No ipv6 is possible?
I sure do and use one for my networks because the space is so large and we have so many options
Sorry, I realized that HA hot standby is due in the next release which is in testing now
DNS64 is in roadmap for ASR1k, but NAT64 is currently been deployed with a external box as the DNS64
We do support IPV6 in 7200 but yes with all these Boxes you can't do NAT64.
what is QFP
qfp is quantum flow processor used in ASR!!
This is all brand new gear (under 1 year old) and I could never get ipv6 up on our internet site, but I do have ipv6 transit delivered.
Are you dual stacking? How is your DNS AAAA records config'ed?
Proposed Standard to Historic status
rfc 6144, 6145
Proposed Standard to Historic status
apologize, 6145 & the references are in the slide deck
These are web servers
We use a top level DNS server and several lower level DNS servers. Is NAT64/DNS64 additional to existing DNS infrastructure are does it have to replace the top level DNS server?
DNS64 support is must on your server, you've to check with the DNS server vendor if they support DNS64. but yes open source DNS64 servers are available.
So NAT64 does not support on asa?
not at this time, but we are not sure of the panelist are not aware of their roadmap
Will NAT64 be eventually supported on a Cat6509E with Sup720?
because ipv6 has more info in packets, i heard that the bandwidth is divided by 2
sorry the panelists are not familiar with the roadmap of this platform
Meh...Really depends more on the internal architecture than anything else. Some gear dividing by 10 will be required! Not Cisco stuff of course...
Are there plans for NX-OS support for NAT64?
If ISP delivers dual stack via single circuit, can the ASR pass-through the Internet IPv4 traffic while NATting only Ipv6 for inside enterprise use?
Can we NAT our IPv4 addresses to IPv6 at our Internet connection with an ASA or router?
sorry the panelists are not familiar with the roadmap of this platform
Yes if IPV4 traffic is just pass-through everything will work and you can have NAT64 only for your V6 network, but on the same ASR we don't recommend NAT44 and NAT64 together.
ASA does not currently support NAT64. ASR1k, does support some IPv4 initiated translation via static v6v4 mappings
What does QFP stand for?
Since ASR 1K does not support hot standby HA for now, do you recommend a combination of HSRP design with cold standby?
Quantum flow processor
ASR1k will support hot standby intrabox redundancy in XE3.5 which is targeted the end of November of this year. NAT64 box-to-box is a high priority in our roadmap, but you should be able to achieve redundancy via HSRP until then
Is it support on 6500 sup 720
No as of now we only support NAT64 on ASR and CRS
Are there any performance improvements/detriments in running ipv6 over ipsec/gre based vpn tunnels?
Tunneling will always add a little overhead to the entire process
nat64 for 6500 series switches?
Today internet has almost IPV4 prefix which is already challenge to maintain in BGP table, how will IPV6 help in this direction, will IPV6 worse the situation?
Not supported as of now only ASR and CRS supports NAT64 today
Yeah no kidding...that is rough. LISP helps some, but honestly, it going to get much worse
Is NAT-PT still supported in IOS (even though it's deprecated by the IETF)?
You said "DNS64 is in roadmap for ASR1k, but NAT64 is currently been deployed with a external box as the DNS64". What do you mean by external box? BIND server?
NAT-PT is no longer supported in IOS
yes with external box we mean the DNS server from any vendor or open source DNS64 running on a linux box.
Dushyant -- Is there anyway to deploy ipv6 at all? I can do nat-pt on the 7201, but as far as I can tell the dual-stack strategy doesn't work either due to lack of IPV6 support for native on the ACE 4710?
Paul if you want to convert IPV6 network to IPV4 you've to use any box like ASR1k or CRS, but without that i'm not sure how you will achieve it.
if these large networks (AT&T, Comcast etc.) move to IP6 natively, won't that free up huge blocks of IP4 addresses returning them to the available pool?
IF they turn them back in. They are under no obligation to do so
that is what they said in the IPv6 web conference that we attended earlier this week and still nothing there.
Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
Scenario 4 is for v4 network to a v6 internet
Scenario 4 is a large concern for SSL content providers. What work is being done in this area?
dushyant - The last input I found was this (https://supportforums.cisco.com/servlet/jiveservlet/download/ /microsoft_word-ace_ipv6_statement_of_direction_nov_2008_ir.pdf) but as far as I can tell it was never implemented in ACE? (for native Dual-
which is towards the end of the transition
Paul this talks about the IPV6 support on ACE, i'm not much aware about ACE but yes V6 to V4 conversion will not be there for sure. i think you can write your doubt to me on this offline sometime
When was RFC 6145 published, April 2011?
What were the protocols supported by Stateful NAT64 again? I couldn't write fast enough...;-)
yes, that is correct
Stateful nat64 can support all protocols - but for conserving IP address doing NAPT TCP/UDP/ICMP are supported
is there an ipv6 to ipv6 nat?
there is and is being considered for the asr1k roadmap
dushyant - or will nat64 come to the 7200/IOS 15 first? I would deploy either at this point.
the panelists are not familiar with the IOS roadmap
Can these services run on ASA as well, or just ASR 1k?
Will the 6 to 4 work on ASR using firewall module and zone-based firewalls?
When can we expect ACE to support IPv6?
currently only on asr1k and crs
Not with the current released code, but IPv6 Firewall support on ASR1k is a very high priority and expected soon. When it is support the scenario you described would be supported
Can you please clarify what you mean by ACE as I have multiple definitions for that and I'm not sure which you are referring to
When can we expect ACE to support IPv6?
Next Thursday. Just kidding. The best person to ask would be your Cisco AM and/or SE
if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?
what cisco firewalls and load balancers support nat64
ASR1k Firewall IPv6 and interworking with NAT64 is currently in works and should be available in the near future
What flavour of DNS64 was used in Cisco testing?
I am not sure what they use.
But I use Ecdysis in my labs
are there any plans to support nat64 on the 4500 in the future? timeline?
the panelists do not have much idea on 4500 roadmap.
Will we have access to these slides after this presentation?
You'll get ed a link to these presentation
does that do content load balancing also?
I'm not sure of that, so am sending this privately in case one of the other panelist know the answer
with which DNS servers is the ASR NAT64 implementation supported?
what release on ASR 1000 would have IPv6 support?
What is the best solution for me if I don't have a ASr1K?
What are the current known limitations of NAT64
what changes are required on V6 hosts to support stateless NAT64?
Any DNS64 server will work with NAT64, we have tried it with OpenSource DNS64 like Ecdysis
IPv6 has been supported on ASR1k for a long time. Stateful NAT64 support was added XE3.4 August 2011
Buy a ASR1k, of course. :) Besides translation the other two main solutions are dual stack lite and tunneling
Stateful NAT64 has similar limitations as any type of NAT, but the main one is that is designed primarily for IPv6 initiated traffic. ASR1k does support limited Ipv4 initiated traffic via v6v4 static mappings
For stateless NAT64 you need to have the IPV6 address which can be converted to IPV4 directly. i guess RFC 2464 talks about this... also called as IPV4 embedded IPV6 address.
what is the pps if we use RFC standard mixed size packets for test?
With ESP20 on ASR1k, you could expect 5.5MPPS for stateful NAT64.
would 2941 MWR support NAT64, or the element has to be replaced with ASR 1000?
Only ASR1k and CRS supports NAT64 as of now.
if i am currently NAT webhosting sites thru loadbalancers wouldn't this create double nating issues?
Thru a LB yes it would for sure
Who can verify if/when the ASA platform will support NAT64?
So IPv4 initiated PAT to IPv6 is intentionally left out of the RFC and unsupported by the standard, but IS supported by ASR1K?
Honestly, your Cisco AM and/or SE is the best person to do this.
You are correct that IPv4 initiated PAT is out of RFC. It is *not* supported by ASR1k. But ASR1k does support v4 initiated via static mappings
do you mean with any packet size, it can reach 5.5MPPS?
Is there a doc or whitepaper which outlines the complete solution including the DNS config and ASR config
No we have measured this 5.5 MPPS with packet size ~70-80 B
Our testing was with small packets which is our worse case. Larger packets would handles at the same rate until we start hitting bandwidth issues on the network
This is the doc which talks about the configuration but we don't have any specific DNS64 solution as of now, you need to check different Vendors like Microsoft or Open source DNS64 server like Ecdysis
in another word, just limited by ESP20, 20Gbps?
y
I thought IPv6 would remove the need to NAT :)
Remove the need for NAT as a means to save address space...
What is the point of the NVI (NAT Virtual Interface) - is there anything we can do with it?
great! Thanks. Just feel 2M connections are low for mobile clients solution
Maybe it would if everything were IPv6. True for v4. In v6, we use it to translate back and forth. Once v4 is the minority this will be less and less of an issue
NVI is just an interface which will not be configurable, it'll be created with NAT64 configuration and internally we forward packets which need the NAT64 translations to NVI.
That is the currently limitation for ASR1k. CRS support much higher and ASR1k will support much higher
Application Control Engine
I don't know if you intended to reply to mine with that answer, but I do have dual stack today, and would use that instead of NAT64, but ace does not support ipv6.
can only items to the stateful prefix (and not the iana global nat64 prefix, or a subset of it) be handled statefully?
i see the QFP deployed only on ASR1000, and it is not on any other box? would this box also support SAToPSN and CESoPSN?
We are working on this one. I know it sucks, but it's coming!
ASR1k stateful NAT64 traffic must have either the configured NAT64 prefix or the Well Known Prefix defined in the standards; this must be the prefix for how IPv4 hosts appears in the ipv6 network
not sure if i understand it correctly, but we need to configure stateful Prefix in asr1k to tell which prefix address it has to translate, only WKP (well known prefix) will be translated without configuration
QFP is only on ASR1k. As to support of the other items I would ask a more general marketing person as we are very NAT focused
Yeah, the NAT statement was in regards to Sev Kelians statement about NAT not being needed anymore
Groovy man!
Can we get the slides for this?
Can we advertise the IPV6 stateful prefix (which has an NVI table entry) thro' any routing protocol (like OSPFV3)?
cost a dollar
We don't configure anything on NVI interface, so the stateful prefix should have a route via any routing protocol to tell the ASR1k where it has to forward the packet.
I don't see any examples in the diagrams with loadbalancers - are there designs with this included?
Do you have a list of Netflow Collectors which support the enhanced Netflow v9 packets the ASR 1k generates?
if you plan to run dual stack is there any need for NAT?
NAT you will be needing in that case too, to convert Private IP's to Public IP's isn't it.
Sweet
You'll get a link to this stuff
Will John Madden be supporting IPv6?
But IPV6 NAT is IPV6 to IPV6 correct?
hsl debug? The others all seem self-explanatory but not sure what that does.
In the Bret Favre edition
There is no IPV6 to IPV6 nat... NAT44 will convert IPV4 to IPV4 you can convert private add to public add and NAT64 is to convert the Packets from IPV6 add to IPV4 add.
hsl is high speed logging used to collect the information about the NAT translations like port/ips/time/protocol etc...hsl logging is just the name we use.
Link to slide set?
Really what is nat66?
I'm not really sure about the NAT66 thing...cheryl might answer this one..
Not sure if i'm understanding it correctly. but in Stateless NAT64 solution you need to have a Static route with nat64 route..." CLI, but in Stateful nat64 you basically translate the IPV6 network to IPV4 network so you mainly send the traffic from IPV6" Network and if you are initiating the traffic from IPV4 to IPV6 you must need static NAT64 configuration which will do the job.
How do we make other external devices aware of the IPV6 stateful NAT prefix (configured on the ASR 1K) other than static routes?
Are there any protections for DoS Attacks with Stateful NAT64?
Stateful NAT64 is not a Firewall, but does have some security aspect to protect itself. In particular only create translation which match ACLs. There are also several internal protections which are part of the design
What ASR IOS support these new Features
We support Stateless NAT64 from XE3.2 and Stateful support is available from 3.4
are the nat64 statistics available to monitor via snmp?
not at this time, but is the roadmap
what is the rate of connection setups/second?
I was told that - A stateful NAT66 is the same as a NAT44 with the code extended to work with IPv6 addresses. Maybe a draft would be useful to say it.
ESP20 support up to 175k setup/teardowns per second
i like to have ipv6 enabled in our internal network, how can i make sure it's protected from the internet. we currently use ASA
I like to have ipv6 work in parallel to ipv4
How will this affect BGP Tables
where do we download the slides?
So if I am running dual stack - i can't NAT the IPV6 addresses from outside my load balancer to inside my web servers?
Awesome presentation - best overview of NAT64 I've seen.
Pretty Amazing content! THANKS! Gerry Kaufhold with In-Stat
Was a good presentation, thank you.
I'm the IPv6 zealot at United Airlines! Can't get enough of this stuff!
any extra links for ipv6 migration from ipv4 and dual stack migration options would be much appreciated.
Why is Jimmy always so happy about ipv6?
Cause it AWESOME!!
I LOVE CISCO!
Thank you!
Hopefully we can watch the presentation (recorded form) and not just see the slides?
is there anyway to get a list of this question/answer session?
Dushyant - Can we advertise the global stateful NAT64 prefix out over OSPFV3, so other devices can forward packets into the ASR 1K for NAT64 translation?
Not very sure about this Krishnan i might give you the answer