
CGN-412-Class-202306

A10 Carrier Grade
Networking
Tom Dattilo
02/14/2023
©A10
Networks, Inc.
1
Table of Contents
0. Course Introduction
1. Concepts
2. LSN NAT44(4) Configuration
3. LSN Additional Features
4. IPv6 Overview
5. IPv6 Migration (NAT/DNS64)
6. NAT64 Additional Features
7. Routing and Networking
8. Logging
9. Troubleshooting and Monitoring
Course Introduction
Section 0
Facilities and materials
Basics:
Schedule (class time / breaks)
Department Contact: training@a10networks.com
Material:
Lecture materials
Lab equipment
Class layout
[Lab topology diagram; recoverable labels: subnets 192.168.0.0/24, 210.0.0.0/24, 110.0.0.0/24, 200.0.0.0/24, 3.0.0.0/24 and 100.0.0.0/24. The host-octet labels (.1, .2, .3, .11, .12, .21, .100, .254) cannot be attributed to individual devices from the extracted text.]
Echo servers:
200.0.8.1 – 200.0.11.254
Introductions
Your name
Location of your home office
What are you looking for from this class
Experience with CGNAT and IPv6
Experience with ACOS devices
Carrier Grade Networking
Concepts
Section 1
Section objectives
Broad Context of CGNetworking
IPv4 and IPv6 Topologies (general)
CGNAT vs. Traditional NAT
Sticky-NAT
User-Quotas
Depletion of Existing IPv4 Address Space
2015-09-22 copyright NetworkWorld
http://www.networkworld.com/article/2985340/ipv6/arin-finally-runs-out-of-ipv4-addresses.html
2015-01-25 CC copyright Mro
(https://commons.wikimedia.org/wiki/User:Mro)
https://en.wikipedia.org/wiki/IPv4_address_exhaustion#/media/File:Ipv4-exhaust.svg
2016-07-22 copyright http://www.ipv4auctions.com/
Exponential Rise in Devices, Users and Traffic
[Chart residue; recoverable captions and sources:]
The Digital Universe: 50-fold growth from the beginning of 2010 to the end of 2020 (Source: IDC's Digital Universe Study, sponsored by EMC, December 2012)
IPv6 Traffic Volume (Source: Akamai)
IP Traffic by Year (Source: Cisco VNI, 2013): Extend IPv4 & Migrate to IPv6
Total of Connected Devices, Billions of Units (Installed Bases) (Source: Gartner, November 2013)
A10 Thunder Carrier Grade Networking (CGN)
[Diagram: IPv4 (Extend IPv4), IPv6 (IPv6 Transition), App Reliability]
Comprehensive Feature Set
▪ Standardized CGNAT
▪ Diverse set of ALGs
▪ All IPv6 migration techniques
▪ Interplay: Phased IPv6 transition
▪ All inclusive license
Extends use of scarce IPv4 resources
A10 CGN Solutions to Extend IPv4
[Diagram columns: Subscriber/User, Access/Core, A10 Feature, Destination/Service]
NAT44: Private IPv4 subscriber -> A10 NAT44 -> IPv4 Internet
NAT444: Private IPv4 subscriber -> RFC 6598 (100.64/10) access/core -> A10 NAT444 -> IPv4 Internet
Connecting The World to your IPv6
[Diagram: "My Network" runs IPv6 behind the A10 device. "The World" reaches it from the IPv6 Internet by routing, or from the IPv4 Internet through Stateless NAT46. Caption: "The goal, in 20 years?"]
A10 CGN Solutions to Migrate to IPv6
[Diagram columns: Subscriber/User, Access/Core, A10 Feature, Destination/Service]
IPv4 subscriber over IPv6 access/core -> DS-Lite or Lw-4o6 -> IPv4 Internet
IPv6 subscriber over IPv4 access/core -> 6rd -> IPv6 Internet
IPv6 subscriber over IPv6 access/core -> Stateful NAT64/DNS64 -> IPv4 Internet
CGN vs Traditional NAT
Large Scale NAT (LSN) Requirements – NAT44(4) and NAT64
Highly transparent
Well defined NAT behavior
Fairness in resource sharing
Works for both client-server (traditional) and client-client (P2P) applications
Differences between LSN and Traditional NAT

                               Traditional Hide NAT      Large Scale NAT
Public IPs allocated           1 or few                  Many (subnets?)
Inbound port mapping           None or static            Dynamic or static
Outbound port selection        "Random"                  Deterministic
Resource (port) allocation     "1st come, 1st serve"     User limits & user guarantees
"Hairpin" TCP/UDP connections  Not supported             Supported
Gaming/other P2P apps          Not supported             Supported

LSN provides well defined, consistent, deterministic NAT behavior
LSN/CGNAT RFCs

NAT44(4) RFCs:
  BEHAVE-TCP (RFC 5382)
  BEHAVE-UDP (RFC 4787)
  BEHAVE-ICMP (RFC 5508)
  Carrier-Grade NATs (RFC 6888)
Primary Features:
  Sticky External IP mapping
  Resource Sharing Fairness – User Quotas
  Endpoint-Independent Mapping & Filtering (Full Cone NAT)
  Hair-pinning support

NAT64/DNS64 RFCs:
  Stateful NAT64 (RFC 6146)
  DNS64 (RFC 6147)
  IP/ICMP Translation Algorithm (RFC 7915)
  All of the NAT44(4) RFCs, too
Primary Features:
  Connectivity between IPv6 clients and IPv4 destinations
  Translation between IPv6 and IPv4
  Connection of IPv6 migrated clients to IPv4-only content
Carrier Grade NAT Requirements

Requirement: User can use same NAT address
  Supported feature: Sticky NAT
Requirement: Fairness in sharing NAT resources per user
  Supported feature: Configurable User-Quotas for public IP ports
Requirement: High application transparency for SIP, P2P et al.
  Supported feature: Endpoint-independent mapping & filtering (Full-Cone NAT)
Requirement: Allow inside clients to communicate with each other by using the clients' outside addresses
  Supported feature: Hair-pinning
Requirement: Ensure applications continue to work by translating address and port information embedded in the payload
  Supported feature: Application Layer Gateways (ALG)
Requirement: Offer flexible and granular CGN traffic handling policy
  Supported feature: Rule-List
Requirement: Provide an efficient NAT resource use technique
  Supported feature: Protocol Port Overloading
Requirement: Carrier grade performance and scalability
  Supported feature: High performance CGN products, providing up to 155 Gbps throughput, 100M pps and 256M concurrent sessions
Requirement: Efficient logging mechanism for large volume CGN logs
  Supported feature: High performance logging with a wide variety of logging options such as traffic logging, port mapping log and more
Requirement: Collocation of technologies (Multi-play)
  Supported feature: All technologies (CGN, Fixed-NAT, NAT64, NAT46, DS-Lite, 6rd) are supported concurrently on a single device
Sticky NAT
[Diagram: inside hosts 192.168.1.1 and 2001:2::9 behind the CGN; destinations 192.0.2.99, 8.8.8.8 and 203.0.113.33 on the IPv4 Internet]
Inside (SRC -> DST):
  TCP  192.168.1.1:2222    -> 192.0.2.99:80
  UDP  192.168.1.1:3333    -> 8.8.8.8:53
  TCP  [2001:2::9]:4444    -> 203.0.113.33:25
Outside (SRC -> DST), after the CGN:
  TCP  198.18.0.11:5555    -> 192.0.2.99:80
  UDP  198.18.0.11:5557    -> 8.8.8.8:53
  TCP  198.18.2.88:8888    -> 203.0.113.33:25
The inside host 192.168.1.1 keeps the same NAT address (198.18.0.11) across its TCP and UDP sessions.
Enabled by default
Lasts until all related sessions clear (including EIM/EIF sessions)
User Quotas
Reserve resources for an individual to provide predictable behavior
Restrict an individual's usage to preserve resources for everyone
Limit number of NAT port mappings (TCP/UDP/ICMP) per internal user
[Diagram: three inside users (192.168.1.99, 172.19.2.33, 2001:db8:30::22) behind the CGN toward the IPv4 Internet, each with its own user-quota set: TCP 1000 / UDP 1000 / ICMP 500, TCP 2000 / UDP 2000 / ICMP 500, and TCP 3000 / UDP 3000 / ICMP 500. Which quota set belongs to which user is not recoverable from the extracted text.]
Calculating User Quota
Start at 1000 (or 500 or 250) and see if users complain
Rough Guess Rule of Thumb
Quota ≈ ((NAT_Pool_Address * 64000) / Desired Users)
254 NAT address * 64000 / 10,000 Users = 1625 ports per user
Start High (or no quota) and monitor
Tabulate from Logging
Sample the Session Table regularly
Bar-graph results
1. Analyze TCP and UDP separately
2. Find all Unique Inside IP / Port tuples
3. Choose your bucket sizes (e.g., 1-255, 256-511, 512-767, …)
4. For each Inside IP, put in bucket by number of Ports used
5. Set Quota for 95% of users (or 75% or 50%)
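The rule-of-thumb formula and the five-step session-table method above, as an added example in Python (not A10 code). The session lines are constructed and their "proto inside-ip:port dst-ip:port" layout is an assumption, not the real `show session` output format; the function names are mine.

```python
"""Estimating a per-user LSN port quota from session-table samples.

Added example, not A10 code: implements the slide's rule of thumb and its
five-step bucketing of a sampled session table. The session lines are
constructed and their layout is an assumption.
"""
import math
from collections import defaultdict

# Constructed sample of one session-table snapshot (one session per line).
SAMPLE_SESSIONS = """\
TCP 100.64.1.10:40001 192.0.2.99:80
TCP 100.64.1.10:40002 192.0.2.99:443
TCP 100.64.1.10:40002 203.0.113.33:25
UDP 100.64.1.10:50001 8.8.8.8:53
TCP 100.64.1.11:41000 192.0.2.99:80
UDP 100.64.1.11:51000 8.8.8.8:53
UDP 100.64.1.11:51001 8.8.8.8:53
TCP 100.64.1.12:42000 192.0.2.99:80
TCP 100.64.1.12:42001 192.0.2.99:80
TCP 100.64.1.12:42002 192.0.2.99:80
TCP 100.64.1.12:42003 192.0.2.99:80
"""


def rule_of_thumb_quota(nat_pool_addresses, desired_users, ports_per_address=64000):
    """Slide formula: Quota ~ (NAT_Pool_Address * 64000) / Desired Users.

    Integer division reproduces the slide's 254 * 64000 / 10,000 = 1625.
    """
    return nat_pool_addresses * ports_per_address // desired_users


def ports_per_inside_ip(session_text, proto):
    """Steps 1 and 2: for one protocol, count unique inside IP/port tuples per inside IP.

    A tuple reused toward several destinations (EIM) still costs one NAT port.
    """
    tuples = set()
    for line in session_text.splitlines():
        line_proto, src, _dst = line.split()
        if line_proto != proto:
            continue
        ip, port = src.rsplit(":", 1)
        tuples.add((ip, int(port)))
    counts = defaultdict(int)
    for ip, _port in tuples:
        counts[ip] += 1
    return dict(counts)


def bucket_inside_ips(counts, bucket_size=256):
    """Steps 3 and 4: histogram of inside IPs by ports used (1-255, 256-511, ...)."""
    buckets = defaultdict(int)
    for used in counts.values():
        low = (used // bucket_size) * bucket_size
        buckets[(max(low, 1), low + bucket_size - 1)] += 1
    return dict(sorted(buckets.items()))


def quota_for_percentile(counts, percentile=95):
    """Step 5: smallest quota covering `percentile` percent of inside IPs (nearest rank)."""
    used = sorted(counts.values())
    rank = max(1, math.ceil(percentile / 100 * len(used)))
    return used[rank - 1]


if __name__ == "__main__":
    print("rule of thumb:", rule_of_thumb_quota(254, 10_000))
    for proto in ("TCP", "UDP"):
        counts = ports_per_inside_ip(SAMPLE_SESSIONS, proto)
        print(proto, counts, bucket_inside_ips(counts), "95%:", quota_for_percentile(counts))
```

Run it against repeated snapshots of the real session table rather than one sample; the percentile is only meaningful over a busy period.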
Carrier Grade Networking
LSN NAT44(4) Configuration
Section 2
Section objectives
5 Parts of Dynamic NAT configuration
Alternative: Fixed NAT
Troubleshooting NAT(4)44 (i.e., lsn)
Components of a NAT44(4) LSN configuration
aka Dynamic-NAT
ACOS CGNv6 configuration has five required elements:
NAT-Pool
Limit-ID
Class List of IP addresses / subnets
Source Class List Binding
Inside/Outside Interfaces
[Flowchart: Packet -> Inside interface? -> Class List bound? -> Match in Class List? -> Apply LID -> NAT Pool? -> Apply NAT -> NAT Packet]
Define a NAT Pool
Configure NAT pools at the global configuration level:
cgnv6 nat pool NAT1 192.0.2.224 192.0.2.254 netmask /27 vrid 1
Name of Pool: NAT1
Start Address: 192.0.2.224
End Address (optional): 192.0.2.254
Netmask used for routing advertisements
VRID used for HA
Includes all addresses from 224 to 254, inclusive
Additional features (specific to cgnv6 nat pools):
cgnv6 nat pool NAT1 exclude-ip 192.0.2.230 [to 192.0.2.235]
Define NAT Pool Group (Best Practice)
Configure NAT pool groups at global configuration level
cgnv6 nat pool-group NAT-Group
member NAT1
member NAT2
member NAT3
Edit Pool Group members while group assigned to LSN-LID
Remove member, edit member, re-add member
Add new member to add more nat addresses
All members must share same VRID group.
Changes affect new sessions only.
Configuring IP address selection algorithms
Algorithm for IP address selection from the NAT pool is configurable on a global basis:
cgnv6 lsn ip-selection round-robin

Algorithm                   Selects IP address with the fewest …
random (default)            -
round-robin                 -
least-used-strict           NAT ports of any type (ICMP, TCP, or UDP) used
least-udp-used-strict       UDP NAT ports used
least-tcp-used-strict       TCP NAT ports used
least-reserved-strict       NAT ports of any type reserved
least-udp-reserved-strict   UDP NAT ports reserved
least-tcp-reserved-strict   TCP NAT ports reserved
least-users-strict          users

Only applies to individual pools, not to the selection of pools within a pool-group.
Define LSN Limit IDs (LID) – the policy
LIDs define the policy, i.e., the rules
Configure LSN-LID at the global configuration level:
cgnv6 lsn-lid 1
  source-nat-pool NAT-Group
  user-quota icmp 50
  user-quota udp 250
  user-quota tcp 250
cgnv6 lsn-lid 1023
  override drop
Up to 1023 LIDs can be defined
User-Quota and Reserve
(config-lsn-lid)# user-quota udp 500 reserve 100
User-Quota reserves the full amount on the first request: more predictable NAT behavior
User-Quota Reserve reserves in chunks: more efficient NAT pool usage
Good idea: align with Port Batching
show cgnv6 nat pool statistics
Understanding class lists
Classifies/segments address space into groups
Set of IP host or subnet addresses and mapping to LSN LIDs
1 list -> 64,000 subnets and 8 million host IP addresses
Each entry (row) defines a class
Supports IPv4 or IPv6 addresses
Define inline or as external file
Up to 255 class lists can be created, but only 1 can be used for LSN (only 1 bound to lsn inside source)
Matches on IP SRC addresses
Define and Bind LSN Class List
Create the class list at the global configuration level:
class-list CL_CGN1
  100.64.1.0/24 lsn-lid 1        (subnet class)
  100.64.254.123 lsn-lid 2       (host class)
  100.64.8.6/32 lsn-lid 3        (host class)
  0.0.0.0/0 lsn-lid 1023         (wildcard class)
File based class list:
class-list CL_CGN1 file
  (everything else the same)
Bind the class list to LSN at the global configuration level:
cgnv6 lsn inside source class-list CL_CGN1
Configure Inside and Outside LSN interfaces
IP Inside NAT Interface: ingress for traffic to be NATed (client side)
IP Outside NAT Interface: ingress for return traffic (everything else)
More than 1 allowed
Watch your routing
AX1(config)# interface eth 1
AX1(config-if:Ethernet:1)#ip nat inside
AX1(config)# interface ve 200
AX1(config-if:ve:200)#ip nat outside
Fixed-NAT: alternate configuration mechanism
Map inside addresses to public address and L4 port range
Deterministic allocation
L4 ports pre-allocated
✓ User Quota
✓ Less / No logging.
✓ Easier Environment Provisioning?
Trade-off: L4 port usage efficiency
Fixed-NAT Dynamic Pool
[Diagram: each subscriber gets a fixed 692-port block on a NAT IP, and each NAT IP keeps a dynamic range on top]
  Subscriber 1  -> NAT IP 1: 1024-1715   (692 ports)
  Subscriber 2  -> NAT IP 1: 1716-2407   (692 ports)
  . . .
  Subscriber 87 -> NAT IP 2: 1024-1715
  . . .
  NAT IP 1 dynamic: 60536-65535 (<= 5000 ports)
  NAT IP 2 dynamic: 60536-65535 (<= 5000 ports)
Optional hybrid Fixed/Dynamic: a subscriber that tries 6000 ports gets at most 100 ports from the dynamic pool
Reserves a pool on each NAT address
Sticky NAT still applies
Dynamic pool use triggers logging
Components of a Fixed-NAT configuration
ACOS CGNv6 Fixed-NAT configuration has two required elements:
Fixed-Nat config with inside IP addresses and NAT addresses
Inside/Outside Interfaces
[Flowchart: Packet -> Inside interface? -> Match in Fixed-NAT? -> Apply NAT -> NAT Packet]
Define a Fixed-NAT
Configure Fixed-NAT at the global configuration level (command on 1 line):
cgnv6 fixed-nat inside 100.64.0.2 100.64.15.254 netmask /20 nat 192.0.2.225 192.0.2.254 netmask /27 dynamic-pool-size 5000 vrid 1
Inside (private) addresses: 100.64.0.2 to 100.64.15.254 (4093 users)
Outside (NAT, public) addresses: 192.0.2.225 to 192.0.2.254 (30 addresses)
Netmask used for routing advertisements
Reserved ports per NAT addr (optional): 5000
VRID used for HA
Result: 434 ports allocated to each user
Tip: use ip-list <name> to shorten the config line
Fixed NAT math
$\frac{clients}{Public\_IP} = \frac{5{,}500\ clients}{24\ Public\_IPs} = 229.16 \approx 230$
$230 \times 23 = 5290\ clients$, so only 210 clients on the 24th IP address
$\frac{L4\_Ports}{Public\_IP} = 65535 - 1024 - 5000 = 59{,}511$
$\frac{L4\_Ports}{client} = \frac{59{,}511}{230} \approx 258.74 \rightarrow 258$
$\frac{usedPorts}{Public\_IP} = 230 \times 258 = 59{,}340$ (171 unused per full IP)
Unused ports: $(171 \times 23) + 5331 = 9264$
Alternative: 5,500 clients, 22 Public_IPs and dynamic-pool-size 5011 gives $\frac{L4\_Ports}{client} = 238$, 2 free IPs, and no waste.
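The Fixed NAT math above, carried through in Python as an added example (not A10 code). It keeps the slide's own "65535 - 1024 - dynamic-pool-size" count of usable ports and reproduces both scenarios; `no_waste_plan` generalizes the second one by searching for the IP count and dynamic-pool size that leave no ports unused. `pool_ips` and the function names are my additions.

```python
"""Fixed-NAT sizing arithmetic from the 'Fixed NAT math' slide.

Added example, not A10 code. Usable ports per public IP follow the slide's
formula (65535 - 1024 - dynamic_pool_size). Reproduces 24 IPs -> 258 ports
per client with 9264 wasted, and 22 IPs / dynamic-pool-size 5011 -> 238 ports
per client with none. `pool_ips` (addresses available) is an added parameter.
"""
import math

FIRST_PORT = 1024
LAST_PORT = 65535


def fixed_nat_plan(clients, ips_used, dynamic_pool_size, pool_ips=None):
    """Per-client allocation and waste for a fixed-NAT layout."""
    clients_per_ip = math.ceil(clients / ips_used)               # 5500 / 24 -> 230
    ports_per_ip = LAST_PORT - FIRST_PORT - dynamic_pool_size    # 59,511
    ports_per_client = ports_per_ip // clients_per_ip            # 258 (258.74 floored)
    full_ips, last_ip_clients = divmod(clients, clients_per_ip)  # 23 full IPs, 210 on the 24th
    # Ports left over on every fully loaded IP ...
    unused = (ports_per_ip - clients_per_ip * ports_per_client) * full_ips
    # ... plus the larger remainder on the partly loaded last IP (5331 in the slide).
    if last_ip_clients:
        unused += ports_per_ip - last_ip_clients * ports_per_client
    return {
        "clients_per_ip": clients_per_ip,
        "ports_per_ip": ports_per_ip,
        "ports_per_client": ports_per_client,
        "unused_ports": unused,
        "free_ips": (pool_ips - ips_used) if pool_ips else 0,
    }


def no_waste_plan(clients, pool_ips, min_dynamic_pool=5000):
    """Largest IP count that splits the clients evenly, with the smallest
    dynamic-pool size >= min_dynamic_pool that also splits the ports evenly.

    For 5,500 clients and 24 available IPs this yields (22, 5011, 238).
    """
    for ips in range(pool_ips, 0, -1):
        if clients % ips:
            continue
        clients_per_ip = clients // ips
        usable = LAST_PORT - FIRST_PORT - min_dynamic_pool
        # Grow the dynamic pool just enough to absorb the remainder.
        dynamic = min_dynamic_pool + usable % clients_per_ip
        ports_per_client = (LAST_PORT - FIRST_PORT - dynamic) // clients_per_ip
        return ips, dynamic, ports_per_client
    return None


if __name__ == "__main__":
    print(fixed_nat_plan(5500, 24, 5000, pool_ips=24))
    print(fixed_nat_plan(5500, 22, 5011, pool_ips=24))
    print(no_waste_plan(5500, 24))
```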
Troubleshooting LSN
Confirm ip nat inside/outside
show interfaces [ [ethernet 1] or [ve 100] ]
Check config (esp. “lsn inside source”, “lsn-lid”, “nat pool-group” )
sh running-config cgnv6
or
sh running-config | sec cgnv6\|class
Check class lists
sh class-list [CL_NAME]
Check NAT pools
sh cgnv6 nat pool [statistics]
Wide screen helpful
Troubleshooting LSN Sessions
Check sessions
show session [...]
show session filter <filter>
Clear sessions
clear session [all | filter <filter>]
Check sessions for internal (NATed) user
sh cgnv6 lsn inside-user <user.inside.IP.addr>
Check sessions tied to external NAT address
sh cgnv6 lsn nat-address <NAT.pool.IP.addr>
Check User-Quota related details
sh cgnv6 lsn user-quota-sessions [...]
Lab 1 Configuring CGNAT
Carrier Grade Networking
LSN Additional Features
Section 3
Section objectives
ALGs
Static Port Mapping
Full-Cone NAT
EIM
EIF
Session User Quotas
Hairpinning
Stateful Firewall
Application Layer Gateways (ALGs)
[Diagram: inside host 192.168.1.1 behind the CGN, server 192.0.2.99 (port 554) on the IPv4 Internet]
Inside (SRC -> DST):
  TCP/IP  192.168.1.1:5678 -> 192.0.2.99:554, L7 payload announces ports 6001-6002
Outside (SRC -> DST), after the CGN:
  TCP/IP  198.18.0.11:7891 -> 192.0.2.99:554, L7 payload announces ports 6001-6002
Return traffic admitted on the ports the ALG learned from the payload (SRC -> DST):
  TCP/IP  192.0.2.99:8912 -> 198.18.0.11:6001
ALG Support

ALG categories:
  Header Modification:          SIP
  External Session Initiation:  PPTP/GRE, SIP
  App Specific Requirements:    TFTP, SIP, PPTP
  Session Aging:                FTP, DNS, ICMP (built in; not really ALG)

Protocol support by feature (Y = supported, N = not supported):
Feature                   FTP  TFTP  RTSP  PPTP  SIP  ESP  H.323
CGN (LSN)                 Y    Y     Y     Y     Y    Y    Y
NAT64                     Y    Y     Y     Y     Y*   Y    Y(1)
DS-Lite                   Y    Y     Y     Y     Y    N    Y
6rd                       Y    Y     Y     N     Y    N    Y
NAT64-6rd                 Y    Y     Y     N     N    N    Y
Stateless NAT46           N    N     N     N     N    N    Y
Fixed-NAT for NAT44       Y    Y     Y     Y     Y    Y    Y
Fixed-NAT for NAT64       Y    Y     Y     Y     Y    Y    Y
Fixed-NAT for DS-Lite     Y    Y     Y     Y†    Y    N    Y

* Provides SIP ALG support for NAT64.
† Provides PPTP ALG support for Fixed-NAT DS-Lite.
(1) H.323 ALG not fully verified for NAT64 features.
Static Port Mapping
Override default behaviors (e.g., NAT Pool address selection)
Open inbound ports (Port Forwarding)
Sticky NAT still applies
UDP and TCP, always
cgnv6 lsn port-reservation inside 100.64.2.3 80 80 nat 198.18.0.224 8080 8080
Inside Addr: 100.64.2.3
Inside Port Range: 80 to 80 (1 port, UDP and TCP)
Outside Addr: 198.18.0.224
Outside Open Ports: 8080 to 8080
Consider using an lsn-lid without a NAT Pool together with the Stateful FW feature
Full Cone NAT
Full Cone NAT == EIM + EIF
Mimics One-To-One NAT
EIM: Endpoint Independent Mapping
P:p -> Y1:y1   NAT   X1:x1 -> Y1:y1
P:p -> Y2:y2   NAT   X2:x2 -> Y2:y2
If EIM: X1:x1 == X2:x2
Reuse inside-to-outside port mappings
Inside client must still initiate
Example (SRC -> DST, then NAT SRC -> DST):
  100.64.53.18:5555 -> 203.0.113.8:7777   NAT   198.18.0.11:3333 -> 203.0.113.8:7777
  100.64.53.18:5555 -> 192.0.2.9:8888     NAT   198.18.0.11:3333 -> 192.0.2.9:8888
1 port used
EIF: Endpoint Independent Filtering
Opens path back to initiating client (NAT Transparency)
Inside client initiates 1st session, outside initiates others
Requires EIM
Example: once the mapping 198.18.0.11:3333 is open, 203.0.113.8:7777, 203.0.113.8:7778, 192.0.2.9:8888 and 192.0.2.9:8889 can all reach it
Gaming, Rendezvous servers, SIP (e.g. VoIP)
Configure EIM and EIF (Full Cone NAT)
Configured for specific ports:
cgnv6 lsn endpoint-independent-mapping tcp port 1024 to 65535
cgnv6 lsn endpoint-independent-mapping udp port 1024 to 65535
cgnv6 lsn endpoint-independent-filtering tcp port 1024 to 65535
cgnv6 lsn endpoint-independent-filtering udp port 1024 to 65535
Session and STUN timers
STUN: Session Traversal Utilities for NAT
cgnv6 translation [icmp|service|tcp|udp]-timeout <seconds>
  Sets Session Table timeouts; service-timeout sets exceptions for specific ports
  DNS, ICMP – fast (3s)
  show running-config cgnv6 translation
cgnv6 lsn stun-timeout [tcp|udp] <port> to <port> minutes <num>
  Sets the timeout for EIM/EIF (full-cone NAT) sessions
  Timer starts after the Session timeout expires
  For gaming, set to 4 min
cgnv6 lsn alg sip rtp-stun-timeout <minutes>
  SIP ALG specific STUN timeout
Additional LSN-LID configurations
(config-lsn-lid)# user-quota session 500
User-Quota [udp|tcp|icmp] count outside ports used
EIM and EIF related sessions count as 1 port
User-Quota Session counts Sessions
(config-lsn-lid)# conn-rate-limit 100
Maximum connections per second
Preservation of CPU and Bandwidth
More useful for TCP sessions
Hairpinning
ALG, Static Port Mapping, and EIF open inbound ports
Hairpinning allows internal hosts to reach those ports (diagram example: 198.18.0.11:3544)
By default:
  UDP: filter none (can talk to itself)
  TCP: filter on self and port
  ICMP: not possible
Use filters to limit:
cgnv6 lsn hairpinning filter-self-ip
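The EIM, EIF, user-quota port counting ("EIM and EIF related sessions count as 1 port") and hairpinning behaviour described on the preceding slides, modelled in Python as an added example (not A10 code). The `Cgn` class, its sequential port choice and its round-robin sticky address pick are simplifying assumptions; the endpoints are the ones from the EIM/EIF slides.

```python
"""A small model of LSN mapping and filtering behaviour.

Added example, not A10 code: models sticky NAT, endpoint-independent mapping
(EIM), endpoint-independent filtering (EIF), the quota rule that EIM/EIF
sessions cost one NAT port, and hairpinning. Port selection (sequential from
1024) and the sticky address choice are simplifying assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Cgn:
    nat_ips: list
    eim: bool = True
    eif: bool = True
    hairpin: bool = True
    next_port: int = 1024
    sticky: dict = field(default_factory=dict)     # inside IP -> NAT IP (sticky NAT)
    mappings: dict = field(default_factory=dict)   # mapping key -> (NAT IP, NAT port)
    sessions: set = field(default_factory=set)     # ((NAT IP, NAT port), (dst IP, dst port))

    def _nat_ip(self, inside_ip):
        # Sticky NAT: the first session chooses the address, later ones reuse it.
        if inside_ip not in self.sticky:
            self.sticky[inside_ip] = self.nat_ips[len(self.sticky) % len(self.nat_ips)]
        return self.sticky[inside_ip]

    def outbound(self, src, dst):
        """Inside src=(ip, port) sends to dst=(ip, port).

        Returns (translated src, dst, hairpin_target); hairpin_target is the
        inside endpoint when dst is one of this CGN's own open mappings.
        """
        key = src if self.eim else (src, dst)   # EIM: one mapping per inside ip:port
        if key not in self.mappings:
            self.mappings[key] = (self._nat_ip(src[0]), self.next_port)
            self.next_port += 1
        ext = self.mappings[key]
        target = self.inbound(ext, dst) if self.hairpin else None
        self.sessions.add((ext, dst))
        return ext, dst, target

    def inbound(self, src, dst):
        """Outside src=(ip, port) sends to NAT address dst=(ip, port).

        Returns the inside endpoint if the packet passes filtering, else None.
        """
        for key, ext in self.mappings.items():
            if ext != dst:
                continue
            inside = key if self.eim else key[0]
            if (ext, src) in self.sessions:       # reply inside an inside-initiated session
                return inside
            if self.eim and self.eif:             # EIF (needs EIM): any outside endpoint may use it
                return inside
        return None

    def ports_used(self, inside_ip):
        """NAT ports charged against the user-quota for one inside IP."""
        return sum(1 for key in self.mappings
                   if (key if self.eim else key[0])[0] == inside_ip)


if __name__ == "__main__":
    cgn = Cgn(nat_ips=["198.18.0.11", "198.18.0.12"])
    a = ("100.64.53.18", 5555)
    print(cgn.outbound(a, ("203.0.113.8", 7777)))
    print(cgn.outbound(a, ("192.0.2.9", 8888)))      # same NAT ip:port under EIM
    print(cgn.inbound(("203.0.113.8", 7778), ("198.18.0.11", 1024)))  # EIF lets it in
    print(cgn.ports_used("100.64.53.18"))            # 1 port for both sessions
```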
CGN Stateful Firewall
~2% of endpoints need a static/public IP
GOAL: provide protection similar to EIM/EIF
Problem: ACLs are stateless
Solution: Stateful Firewall
  Rules defined with an ACL
  Client initiation to outside allows the reply
  Unsolicited traffic blocked
[Diagram: User Networks -> CGN -> Internet; the user's "Start" packet passes out and the server's "Reply" is allowed back in.]
Stateful Firewall Configuration (1)
Only for un-NATed traffic passing through the CGN device
Not compatible with LSN or NAT64
FTP, SIP, PPTP, RTSP, & TFTP ALGs supported (on by default)
Create LSN-LID without source-nat-pool
Create Class-list entry for hosts/subnets with Public Address
Simple, lightweight, classic firewall.
Stateful Firewall Configuration (2)
access-list 101 deny ip any any
Need at least 1 rule, but “deny ip any any” is an included last rule
interface ve 21
ip stateful-firewall inside
interface ve 22
ip stateful-firewall outside
access-list 101
Define your Inside and Outside interfaces, and apply the access-list
ip stateful-firewall enable
Enable the feature
©A10
Networks, Inc.
56
Additional Troubleshooting LSN
Check EIM/EIF sessions
show cgnv6 lsn full-cone-sessions
Clear EIM/EIF sessions
clear sessions (maybe multiple times)
Check Session Timeouts
show running-config cgnv6 translation
Lab 2 Additional CGN Features
Carrier Grade Networking
IPv6 Overview
Section 4
Section objectives
What is IPV6
RFC Compliances
Understanding IPv6 Addresses
IPV6 Features
History
1981 – IPv4
1994 – Initiate IPng development
1998 – First standard - RFC 2460
2003, 2004, 2006 – More standards published
IPV6 RFCs
RFC 2460 IPv6 Specifications
RFC 6146 Stateful NAT64
RFC 4193 Unique Local IPv6 Unicast Addresses
RFC 4443 ICMPv6 for IPv6
RFC 4291 IPv6 Addressing Architectures
RFC 6434 IPv6 Node Requirements
RFC 2375 IPv6 Multicast Address Assignments
RFC 3587 IPv6 Global Unicast Address Format
RFC 4861 IPv6 Neighbor Discovery
RFC 6540 IPv6 Support Required for All IP-Capable Nodes
RFC 3849 IPv6 Address Prefix For Documentation
RFC 3596 DNS Extensions to Support IP Version 6
RFC 4862 IPv6 Stateless Address Configuration
RFC 6147 DNS64 DNS Extensions for NAT64
RFC 4941 Privacy Extensions for SLAAC in IPv6
RFC 1981 Path MTU Discovery for IPv6
What is IPV6?
128 bit IP addressing scheme
8 groups of 4 hexadecimal digits separated by colons
2001:0DB8:0A10:ABCD:0000:0000:0000:0001/64
USUALLY divided in half
64 bits for Network
64 bits for subnet and host
(but can be further sub-netted if needed)
Uses “/” to denote the number of network bits in the mask (CIDR-like)
Breaking Down a Routable IPv6 Address
Abbreviations
Leading zeros in a quad are optional:
  2001:0DB8:E800:0000:0260:3EFF:FE47:0001
  2001:DB8:E800:0:260:3EFF:FE47:1
Fields of 0 are represented as ::, but only once:
  2001:0DB8:E800:0000:0260:0000:0000:0001
  2001:DB8:E800:0:260::1
IPv6 Addresses to know
::1/128         The Loopback Address
::/0            Default Route
100::/64        Discard Prefix (blackhole)
2001::/32       Teredo Tunnel related
2002::/16       6to4 addresses (RFC 3056)
64:ff9b::/96    “Well Known Prefix” for NAT64
2001:02## – 2001:b##, 2003:0### – 2003:3###, 240#, 260#, 280#, 2a0#, 2c0#
                Beginnings of real Global Unicast IPv6 addresses (2016)
More IPv6 Addresses to know
fc00::/7        Site Local Unicast (like RFC 1918)
fe80::/10       Link Local addresses for NDP
Multicast Addresses: 1111 1111 0000 0010 :: X (i.e., ff02::X)
  Replaces broadcast
  8-bit indicator, 4-bit flags, 4-bit scope, 112-bit Group ID
ff02::1             Multicast, Flag: Well-Known, Scope: Link Local, Group: All Nodes
ff02::2             Multicast, Flag: Well-Known, Scope: Link Local, Group: All Routers
ff02::1:ffxx:xxxx   Solicited Node Multicast Address (part of NDP)
IPv6 “Features” and Terms
DNS: AAAA records (Quad-A records) like A record, but for IPv6
NDP (Neighbor Discovery Protocol) replaces ARP
NDP routing auto-configuration
Neighbor Discovery, Router Solicitation, Router Advertisement
Auto-Configuration
SLAAC (StateLess Address AutoConfiguration)
Based on MAC (think IPX), “Random” (RFC 4941), or Semantically Opaque (RFC 7217)
DHCPv6
SLAAC and DHCPv6
OSPFv3, BGP(4) Multi-protocol extensions.
Working with IPv6
http://[2001:db8:a10:110::100]/      (URL form accepted by most browsers)
ping ipv6 2001:db8:a10:100::1        (on ACOS)
ping -6 2001:db8:a10:100::1          (many hosts: Windows, Linux)
show ipv6 interfaces
show ipv6 neighbor
show interfaces brief
show arp
show ipv6 route                      (next hop is frequently the neighbor's Link-Local address)
Manually set the Link-Local address for easier reading:
interface ve 100
  [...]
  ipv6 address fe80::a10:100:1/64 link-local
Configuring Fragmentation options
IPv6 requires Hosts (not Routers) to Fragment
IPv6 Hosts perform Path MTU Discovery (RFC8201 and ICMPv6, or RFC4821)
IPv4 Hosts don’t know IPv6 rules
Mostly handled automatically
IPv4 to inside IPv6 hosts fragmented at CGN
CGN adjusts TCP MSS to avoid (TCP MSS Clamping options)
NAT64 Fragmentation and Fragmentation DF bit Transparency settings for tuning
e.g., lots of half-sized frames because the extra 20 bytes of IPv6 header push UDP packets over the limit
Carrier Grade Networking
IPv6 Migration (NAT/DNS64)
Section 5
Section objectives
Stateless NAT46
Stateful NAT64 and DNS64
NAT64 Prefix
DNS64 Virtual Server Configuration
5 Parts of Dynamic NAT64 configuration
Need for User Quota
Alternative: Fixed NAT
Troubleshooting NAT64
Stateless NAT46 Topology
Enables IPv4 clients to reach internal IPv6 servers
[Diagram: IPv4 Internet -> CGN -> IPv6 servers, with DNS]
Requires:
  IPv4 address(es)
  DNS A and AAAA records
  Routing
; zone fragment for example.com
$TTL 2d ; zone default = 2 days or 172800 seconds
$ORIGIN example.com.
....
www    IN    A       192.0.2.99
www    IN    AAAA    2001:db8:a10::c000:263
Maybe use ADC instead?
Stateless NAT46
Define the prefix:
cgnv6 nat46-stateless prefix 2001:db8:a10:1::/96
Outside 203.0.113.33 → Inside 2001:db8:a10:1::cb00:7121
Must be /96
Watch your routing on standard /64 networks
Define the mapping (one line):
cgnv6 nat46-stateless static-dest-mapping 200.0.0.40 2001:db8:a10:110::140 count 5 vrid 1
Count: define more than 1 mapping
VRID used for HA
Stateful NAT64 and DNS64
Enables internal IPv6 clients to reach IPv4 services
Requires:
  Public IPv4 addresses
  IPv6 /96 prefix (subnet); Prefix + IPv4 ADDR routed to the CGN device
  Routing
  DNS (DNS64; can be a separate device)
[Diagram: IPv6 clients -> CGN ->IPv4 Internet, with DNS64 beside the CGN]
CGN strips the prefix for the destination
CGN performs LSN for the source
DNS64 dynamically synthesizes AAAA records from A records
A10 DNS64 Implementation
DNS front end: Virtual-Server, vPort, Service-Group, Servers
[Diagram: VIP-DNS64 (port 53 dns-udp) -> SG-DNSV4 -> DNS1 (53 udp)]
DNS64 synthesizing only; no DNS resolution
IPv4 and IPv6 DNS servers are supported
Up to 32 DNS servers in the backend
DNS template controls behavior:
  AAAA first then A query (default)
  A only
  Parallel AAAA & A
Support for AAAA, A, CNAME, SRV & PTR records
NAT64 & DNS64 Traffic Flow
Setup: the DNS64 device owns the IPv6 prefix 2001:DB8:122:344::/96, NAT64 owns the IPv4 address pool 192.0.2.0/27, and www.example.com is IPv4-only at 198.51.100.99.
1. IPv6 client sends AAAA query for www.example.com to the DNS64 virtual-server.
2. DNS64 forwards the AAAA query to the authoritative DNS and receives an empty record / error.
3. DNS64 sends an A query; the authoritative DNS answers A www.example.com = 198.51.100.99.
4. DNS64 synthesizes and returns AAAA 2001:DB8:122:344::198.51.100.99 to the client.
5. Client connects: SIP/SPort 2002:ACE:888:007::101, 1024 -> DIP/DPort 2001:DB8:122:344::198.51.100.99, 80. NAT64 (NAT=192.0.2.2) translates this to SIP/SPort 192.0.2.2, 12129 -> DIP/DPort 198.51.100.99, 80 on the IPv4 Internet.
NAT64 Prefix
cgnv6 nat64 prefix 2001:db8:a10:624::/96 vrid 1
VRID used for HA
Must be /96 mask
Prefix routed by local IPv6 network to CGN
2001:db8:a10::198.100.51.99 is human readable for 2001:DB8:122:344::c664:3363 and implies /96
Can use “Well Known Prefix” for NAT64 - 64:ff9b::/96
Can use subnet from allocation
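The /96 embedding shared by the stateless NAT46 prefix, the NAT64 prefix and DNS64 synthesis (the traffic-flow slide's steps 3 to 5), as an added example in Python (not A10 code). The zone data is constructed, the "AAAA first then A" order is the DNS template default named above, and the function names are mine.

```python
"""IPv4 addresses embedded in a /96 IPv6 prefix: NAT46, NAT64 and DNS64.

Added example, not A10 code. One /96 embedding serves the stateless NAT46
prefix, the NAT64 prefix (the CGN strips it to recover the IPv4 destination)
and DNS64 synthesis of AAAA from A. Zone data is constructed; 'AAAA first,
then A' is the DNS template default the slides name.
"""
import ipaddress


def embed_ipv4(prefix96, ipv4):
    """Place a 32-bit IPv4 address in the low bits of a /96 prefix (RFC 6052 style)."""
    net = ipaddress.IPv6Network(prefix96)
    if net.prefixlen != 96:
        raise ValueError("prefix must be /96")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(prefix96, ipv6):
    """Inverse: the IPv4 address an IPv6 destination carries, or None if outside the prefix."""
    net = ipaddress.IPv6Network(prefix96)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Constructed zone data standing in for the authoritative DNS behind the DNS64 vserver.
CONSTRUCTED_ZONE = {
    ("www.example.com", "A"): ["198.51.100.99"],
    ("v6.example.com", "AAAA"): ["2001:db8:a10:110::100"],
    ("v6.example.com", "A"): ["192.0.2.99"],
}


def dns64_answer(name, zone, prefix96):
    """DNS64 'AAAA first then A': a native AAAA wins; otherwise synthesize from A.

    Returns (answers, synthesized).
    """
    native = zone.get((name, "AAAA"))
    if native:
        return list(native), False
    a_records = zone.get((name, "A"), [])
    return [embed_ipv4(prefix96, ip) for ip in a_records], True


def nat64_translate(prefix96, dst6, dport, nat_ip, nat_port):
    """Step 5 of the traffic flow: strip the prefix for the destination, LSN the source."""
    dst4 = extract_ipv4(prefix96, dst6)
    if dst4 is None:
        return None   # not a NAT64 destination; forward natively as IPv6
    return (nat_ip, nat_port), (dst4, dport)


if __name__ == "__main__":
    p = "2001:db8:122:344::/96"
    print(dns64_answer("www.example.com", CONSTRUCTED_ZONE, p))
    print(nat64_translate(p, "2001:db8:122:344::198.51.100.99", 80, "192.0.2.2", 12129))
    print(embed_ipv4("2001:db8:a10:1::/96", "203.0.113.33"))   # NAT46 slide
```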
DNS64 Virtual Server - Define real servers and service group
Configure cgnv6 servers:
cgnv6 server LOCAL_DNS11 203.0.113.11
  port 53 udp
Name: LOCAL_DNS11 (name used inside ACOS, like a function, to refer to the entry)
IP Address: 203.0.113.11 (must be reachable from the ACOS data interfaces)
Port and Type: 53 udp
Configure cgnv6 service-group:
cgnv6 service-group DNSV4 udp
  member LOCAL_DNS11 53
Name: DNSV4
Type: udp (connectionless)
Members: up to 32 cgnv6 server/port
DNS64 Virtual Server - Define Templates and Dedicated NAT Pool
cgnv6 template dns TP_DNS64_SETTINGS
  dns64 enable
Name: TP_DNS64_SETTINGS
Options: minimum config is dns64 enable
Behavior of a specific DNS64 virtual server is controlled by its template
Create NAT Pool (dedicated to DNS64):
ip nat pool DNS64_POOL 192.0.2.53 192.0.2.53 netmask /32 vrid 1
Name of Pool: DNS64_POOL
Start Address: 192.0.2.53
End Address (required): 192.0.2.253
Netmask used for routing advertisements
VRID used for HA (must match virtual server)
Notice: this is an ip nat pool, not cgnv6
DNS64 Virtual Server - Define Virtual Server and vPort
cgnv6 dns64-virtualserver LOCAL_DNS 2001:db8:a10:100::53
  vrid 1
  port 53 dns-udp
    source-nat pool DNS64_POOL
    service-group DNSV4
    template dns TP_DNS64_SETTINGS
First line is at the global config level; VRID at the dns64-virtualserver level; service-group at the vport level.
Name: LOCAL_DNS
VIP: 2001:db8:a10:100::53
VRID used for HA
vPort and server type: 53, type dns-udp
Minimum vPort config shown for accessing IPv4 DNS servers
Config elements are referenced by name
Components of a NAT64 LSN configuration
aka Dynamic-NAT
ACOS CGNv6 configuration has five required elements:
NAT-Pool
Limit-ID
Class List of IP addresses / subnets
Source Class List Binding
Inside/Outside Interfaces
Prerequisite: NAT64 Prefix
[Flowchart: Packet -> Inside interface? -> Class List bound? -> Match in Class List? -> Apply LID -> NAT Pool? -> Apply NAT -> NAT Packet]
Define a NAT Pool
Configure NAT pools at the global configuration level:
cgnv6 nat pool NAT1 192.0.2.224 192.0.2.254 netmask /27 vrid 1
Name of Pool: NAT1
Start Address: 192.0.2.224
End Address (optional): 192.0.2.254
Netmask used for routing advertisements
VRID used for HA (the VRIDs of the various elements must match)
Includes all addresses from 224 to 254, inclusive
Additional features (specific to cgnv6 nat pools):
cgnv6 nat pool NAT1 exclude-ip 192.0.2.230 [to 192.0.2.235]
cgnv6 nat pool NAT2 192.0.2.208 netmask /28
  (addresses 208-223)
Define NAT Pool Group (Best Practice)
Configure NAT pool groups at global configuration level
cgnv6 nat pool-group NAT-Group
member NAT1
member NAT2
member NAT3
Edit Pool Group members while group assigned to LSN-LID
Remove member, edit member, re-add member
Add new member to add more nat addresses
All members must share same VRID group.
Changes affect new sessions only.
Configuring IP address selection algorithms
Algorithm for IP address selection from the NAT pool is configurable on a global basis:
cgnv6 lsn ip-selection round-robin

Algorithm                   Selects IP address with the fewest …
random (default)            -
round-robin                 -
least-used-strict           NAT ports of any type (ICMP, TCP, or UDP) used
least-udp-used-strict       UDP NAT ports used
least-tcp-used-strict       TCP NAT ports used
least-reserved-strict       NAT ports of any type reserved
least-udp-reserved-strict   UDP NAT ports reserved
least-tcp-reserved-strict   TCP NAT ports reserved
least-users-strict          users

Only applies to individual pools, not to the selection of pools within a pool-group.
Used by LSN NAT and NAT64.
Define LSN Limit IDs (LID) – the policy
LIDs define the policy, i.e., the rules
Configure LSN-LID at the global configuration level:
cgnv6 lsn-lid 1
  source-nat-pool NAT-Group
  user-quota icmp 50
  user-quota udp 250
  user-quota tcp 250
cgnv6 lsn-lid 1023
  user-quota icmp 0
  user-quota udp 0
  user-quota tcp 0
Up to 1023 LIDs can be defined
User-Quota and Reserve
(config-lsn-lid)# user-quota udp 500 reserve 100
User-Quota reserves the full amount on the first request: more predictable NAT behavior
User-Quota Reserve reserves in chunks: more efficient NAT pool usage
Good idea: align with Port Batching
show cgnv6 nat pool statistics
Understanding class lists
Classifies/segments address space into groups
Set of IP host or subnet addresses and mapping to LSN LIDs
1 list -> 64,000 subnets and 8 million host IP addresses
Each entry (row) defines a class
Supports IPv4 or IPv6 addresses
Define inline or as external file
Up to 255 class lists can be created, but only 1 can be used for NAT64 LSN (only 1 bound to nat64 inside source)
Matches on IP SRC addresses
Define and Bind LSN Class List
Create the class list at the global configuration level:
class-list CL_CGN1
  2001:db8:a10::/64 lsn-lid 1      (subnet class)
  2001:db8:a10::73 lsn-lid 2       (host class)
  2001:db8::19/128 lsn-lid 2       (host class)
  ::/0 lsn-lid 1023                (wildcard class)
File based class list:
class-list CL_CGN1 file
  (everything else the same)
Bind the class list to NAT64 at the global configuration level:
cgnv6 nat64 inside source class-list CL_CGN1
Configure Inside and Outside NAT64 LSN interfaces
IP Inside NAT Interface: ingress for traffic to be NATed (client side)
IP Outside NAT Interface: ingress for return traffic (everything else)
More than 1 allowed
Watch your routing
AX1(config)# interface eth 1
AX1(config-if:Ethernet:1)# ipv6 nat inside
AX1(config)# interface ve 200
AX1(config-if:ve:200)# ip nat outside
Fixed-NAT: alternate configuration mechanism
Map inside addresses to public address and L4 port range
Deterministic allocation
L4 ports pre-allocated
✓ User Quota
✓ Less / No logging.
✓ Easier Environment Provisioning?
Trade-off: L4 port usage efficiency
IPv6 Challenge: non-sequential inside addressing
Components of a Fixed-NAT configuration
ACOS CGNv6 Fixed-NAT configuration has two required elements:
Fixed-Nat config with inside IP addresses and NAT addresses
Inside/Outside Interfaces
[Flowchart: Packet -> Inside interface? -> Match in Fixed-NAT? -> Apply NAT -> NAT Packet]
Define a Fixed-NAT
Configure Fixed-NAT at global configuration level (command on 1 line):
cgnv6 fixed-nat inside 2001:db8:a10::6440:2 2001:db8:a10::6440:ffe netmask 96 nat 192.0.2.225 192.0.2.254 netmask /27 dynamic-pool-size 5000 vrid 1
  Inside (private) addresses: 2001:db8:a10::6440:2 to 2001:db8:a10::6440:ffe (4093 addresses)
  Outside (NAT, public) addresses: 192.0.2.225 to 192.0.2.254 (30 addresses)
  Netmask used for routing advertisements
  dynamic-pool-size: reserved ports per NAT address (optional): 5000
  vrid: VRID used for HA
  Use ip-list <name> to shorten the config line
Result: 434 ports allocated to each user
Fixed NAT math
Example 1: ~5,500 clients, 24 Public_IPs, dynamic-pool-size 5000
  clients / Public_IP = 5,500 / 24 = 229.16 ~ 230 (round up)
  230 x 23 = 5,290 clients on the first 23 IPs; only 210 clients on the 24th IP
  L4_Ports / Public_IP = 65535 - 1024 - 5000 = 59,511
  L4_Ports / client = 59,511 / 230 = 258.74 ~ 258 (round down)
  usedPorts / Public_IP = 230 x 258 = 59,340, leaving 171 unused ports per full IP
  Unused ports overall = (171 x 23) + 5,331 on the 24th IP = 9,264
Example 2: 5,500 clients, 22 Public_IPs, and dynamic-pool-size 5011
  L4_Ports / Public_IP = 65535 - 1024 - 5011 = 59,500; 5,500 / 22 = 250 clients per IP
  equals 238 L4_Ports / client, 2 free IPs, and no waste
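Worked in code, the slide's arithmetic becomes a reusable sizing check. The block below is an added example for this page (not an A10 tool) that follows the slide's formula, 65535 - 1024 - dynamic-pool-size usable ports per address, clients per IP rounded up and ports per client rounded down, and then goes one step further than the slide: it searches for the smallest dynamic-pool-size at or above a minimum that leaves no port unused, which is how the 5011 of the second example can be found rather than guessed.

```python
import math

PORT_MAX = 65535
PORT_FLOOR = 1024  # the slide excludes ports below 1024 from subscriber use


def ports_per_public_ip(dynamic_pool_size, port_floor=PORT_FLOOR):
    """Subscriber-assignable L4 ports on one NAT address.

    Uses the slide's arithmetic (65535 - 1024 - dynamic-pool-size): the
    dynamic-pool-size ports reserved on every NAT address are excluded.
    """
    return PORT_MAX - port_floor - dynamic_pool_size


def fixed_nat_plan(clients, public_ips, dynamic_pool_size):
    """Work the Fixed-NAT sizing the way the slide does.

    Clients per IP is rounded up (every client must land somewhere), ports
    per client is rounded down (a client cannot get a fraction of a port),
    and whatever is left on each address is reported as unused.
    """
    ppi = ports_per_public_ip(dynamic_pool_size)
    clients_per_ip = math.ceil(clients / public_ips)
    ports_per_client = ppi // clients_per_ip
    if ports_per_client < 1:
        raise ValueError("not enough ports: add public IPs or shrink dynamic-pool-size")
    full_ips, remainder = divmod(clients, clients_per_ip)
    unused = full_ips * (ppi - clients_per_ip * ports_per_client)
    if remainder:
        unused += ppi - remainder * ports_per_client  # partially used last IP
    return {
        "ports_per_public_ip": ppi,
        "clients_per_ip": clients_per_ip,
        "ports_per_client": ports_per_client,
        "ips_used": full_ips + (1 if remainder else 0),
        "clients_on_last_ip": remainder or clients_per_ip,
        "unused_ports": unused,
    }


def zero_waste_pool_size(clients, public_ips, min_dynamic_pool_size):
    """Smallest dynamic-pool-size >= the minimum that leaves no port unused.

    Beyond the slide: instead of trying 5011 by hand, search for the first
    reserve size whose per-IP port count divides evenly among the clients
    on each address.  Returns None when the client count itself does not
    split evenly over the addresses (then some waste is unavoidable).
    """
    clients_per_ip = math.ceil(clients / public_ips)
    if clients % clients_per_ip:
        return None
    for dps in range(min_dynamic_pool_size, PORT_MAX - PORT_FLOOR):
        ppi = ports_per_public_ip(dps)
        if ppi >= clients_per_ip and ppi % clients_per_ip == 0:
            return dps
    return None


if __name__ == "__main__":
    print(fixed_nat_plan(4093, 30, 5000))        # slide's config: 434 ports per user
    print(fixed_nat_plan(5500, 24, 5000))        # 258 ports per client, 9264 unused
    print(zero_waste_pool_size(5500, 22, 5000))  # 5011, as on the slide
    print(fixed_nat_plan(5500, 22, 5011))        # 238 ports per client, nothing unused
```

With 24 addresses the search returns None because 5,500 clients do not split evenly into 230 per address; dropping to 22 addresses makes 250 per address, and 5011 is then the first reserve size at or above 5000 that divides the remaining 59,500 ports evenly.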
Troubleshooting NAT64
Confirm ip nat inside/outside
  show interfaces [ethernet 1 | ve 100]
Check config (esp. "lsn inside source", "lsn-lid", "nat pool-group")
  sh running-config cgnv6
  or
  sh running-config | sec cgnv6\|class
Check class lists
  sh class-list [CL_NAME]
Check NAT pools
  sh cgnv6 nat pool [statistics]   (a wide screen is helpful)
Troubleshooting NAT64 Sessions
Check sessions
  show session
Check sessions for an internal (NATed) user
  sh cgnv6 nat64 inside-user {user.inside.IP.addr}
Check sessions tied to an external NAT address
  sh cgnv6 nat64 nat-address {NAT.pool.IP.addr}
Check User-Quota related details
  sh cgnv6 nat64 user-quota-sessions [...]
Lab 3 – Configuring NAT64/DNS64
Carrier Grade Networking
NAT64 Additional Features
Section 6
Section objectives
ALGs
Static Port Mapping
Full-Cone NAT
EIM
EIF
Session User Quotas
Hairpinning
Application Layer Gateways (ALGs)
Diagram: inside host 2001:db8::1, behind the CGN (NAT address 198.18.0.11), opens an RTSP control
  connection to IPv4 Internet server 192.0.2.99:554 and names media ports 6001-6002 in the L7 payload
Inside:  SRC [2001:db8::1]:5678  DST 192.0.2.99:554   L7: ports 6001-6002
Outside: SRC 198.18.0.11:7891    DST 192.0.2.99:554   L7: ports 6001-6002
Return:  SRC 192.0.2.99:8912     DST 198.18.0.11:6001  (the ALG read the payload and opened this inbound path)
ALG Support
What an ALG does, by protocol:
  Header Modification: SIP
  External Session Initiation: PPTP/GRE, SIP
  App Specific Requirements: TFTP, SIP, PPTP
  Session Aging: FTP
  DNS, ICMP: built in, not really an ALG

Protocol               FTP  TFTP  RTSP  PPTP  SIP  ESP  H.323
CGN (LSN)              Y    Y     Y     Y     Y    Y    Y
NAT64                  Y    Y     Y     Y     Y*   Y    Y(1)
DS-Lite                Y    Y     Y     Y     Y    N    Y
6rd                    Y    Y     Y     N     Y    N    Y
NAT64-6rd              Y    Y     Y     N     N    N    Y
Stateless NAT46        N    N     N     N     N    N    Y
Fixed-NAT for NAT44    Y    Y     Y     Y     Y    Y    Y
Fixed-NAT for NAT64    Y    Y     Y     Y     Y    Y    Y
Fixed-NAT for DS-Lite  Y    Y     Y     Y†    Y    N    Y
* Provides SIP ALG support for NAT64.
† Provides PPTP ALG support for Fixed-NAT DS-Lite.
(1) H.323 ALG not fully verified for NAT64 features.
Full Cone NAT
Full Cone NAT == EIM + EIF
Mimics One-To-One NAT (diagram: every outside peer reaches the inside client through the same NAT mapping, 198.18.0.11:3544)
EIM: Endpoint Independent Mapping
P:p -> Y1:y1   NAT   X1:x1 -> Y1:y1
P:p -> Y2:y2   NAT   X2:x2 -> Y2:y2
If EIM: X1:x1 == X2:x2
Reuse inside to outside port mappings
Reduce number of session entries (because of reuse)
Inside client must still initiate
Example (NAT64; only 1 port used on 198.18.0.11):
SRC                   DST                          NAT SRC            DST
[2001:db8::1]:5555    [64:ff9b::cb00:7108]:7777    198.18.0.11:3333   203.0.113.8:7777
[2001:db8::1]:5555    [64:ff9b::c000:209]:8888     198.18.0.11:3333   192.0.2.9:8888
EIF: Endpoint Independent Filtering
Opens a path back to the initiating client (NAT Transparency)
Inside client initiates the 1st session, outside hosts initiate the others
Requires EIM
Diagram: [2001:db8::1]:5555 is mapped to 198.18.0.11:3333; after the client contacts 203.0.113.8:7777,
  203.0.113.8:7778, 192.0.2.9:8888 and 192.0.2.9:8889 can all initiate sessions to 198.18.0.11:3333
Use cases: Gaming, Rendezvous servers, SIP (e.g. VoIP)
Configure EIM and EIF (Full Cone NAT)
Applies to both NAT44 and NAT64
Configured for specific ports
cgnv6 lsn endpoint-independent-mapping tcp port 1024 to 65535
cgnv6 lsn endpoint-independent-mapping udp port 1024 to 65535
cgnv6 lsn endpoint-independent-filtering tcp port 1024 to 65535
cgnv6 lsn endpoint-independent-filtering udp port 1024 to 65535
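To make the EIM and EIF definitions above concrete, here is an added toy model (written for this page, not ACOS code) of a CGN's binding and session tables with the two behaviours switchable. It replays the endpoints from the EIM and EIF slides and also counts the NAT ports a subscriber is charged for, which is the "EIM and EIF related sessions count as 1 port" point made on the user-quota slide later in this section. A single NAT address, sequential port numbering from 3333 and the absence of timers are simplifications of the example.

```python
class FullConeTable:
    """Toy model of a CGN binding table with EIM and EIF as switches.

    Illustration of the behaviours the slides describe, not ACOS code:
    one NAT address, ports handed out sequentially from first_port, no
    timers.  Endpoints are (ip, port) tuples.
    """

    def __init__(self, nat_ip, eim=False, eif=False, first_port=3333):
        if eif and not eim:
            raise ValueError("EIF requires EIM")
        self.nat_ip = nat_ip
        self.eim = eim
        self.eif = eif
        self.next_port = first_port
        self.mappings = {}     # inside endpoint -> NAT port (reused under EIM)
        self.port_owner = {}   # NAT port -> inside endpoint
        self.sessions = set()  # (NAT port, remote endpoint) created from inside

    def outbound(self, inside, remote):
        """Inside endpoint sends to remote; returns the (nat_ip, nat_port) used."""
        nat_port = self.mappings.get(inside) if self.eim else None
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.port_owner[nat_port] = inside
            if self.eim:
                self.mappings[inside] = nat_port
        self.sessions.add((nat_port, remote))
        return (self.nat_ip, nat_port)

    def inbound(self, remote, nat_port):
        """Packet from remote to nat_port; returns the inside endpoint, or None if dropped."""
        if (nat_port, remote) in self.sessions:
            return self.port_owner[nat_port]  # reply within an existing session
        if self.eif and nat_port in self.mappings.values():
            return self.port_owner[nat_port]  # EIF: any remote may use the open mapping
        return None

    def ports_in_use(self, inside):
        """NAT ports charged to this subscriber (what a port-based user-quota counts)."""
        return sum(1 for owner in self.port_owner.values() if owner == inside)


def demo(eim, eif):
    """Replay the slides' endpoints; returns (first, second, unsolicited, ports_used)."""
    nat = FullConeTable("198.18.0.11", eim=eim, eif=eif)
    client = ("2001:db8::1", 5555)
    first = nat.outbound(client, ("203.0.113.8", 7777))
    second = nat.outbound(client, ("192.0.2.9", 8888))
    unsolicited = nat.inbound(("192.0.2.9", 8889), first[1])
    return first, second, unsolicited, nat.ports_in_use(client)


if __name__ == "__main__":
    for eim, eif in ((False, False), (True, False), (True, True)):
        print(f"EIM={eim} EIF={eif}: {demo(eim, eif)}")
```

Without EIM the second destination costs a second NAT port (3334); with EIM both destinations share 3333, and only with EIF on top does a packet from 192.0.2.9:8889, a peer the client never contacted, get through to the client. That inbound reachability is exactly why the configuration slide restricts EIM/EIF to a port range and why the hairpinning filters exist.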
Session and STUN timers
STUN: Session Traversal Utilities for NAT
Applies to both NAT44 and NAT64
cgnv6 translation [icmp|service|tcp|udp]-timeout <seconds>
  Set Session Table timeouts
  service-timeout sets exceptions for specific ports (DNS, ICMP – Fast (3s))
  show running-config cgnv6 translation
cgnv6 lsn stun-timeout [tcp|udp] <port> to <port> minutes <num>
  Set timeout for EIM/EIF (full-cone NAT) sessions
  Timer starts after the Session timeout expires
  For gaming, set to 4 min
cgnv6 lsn alg sip rtp-stun-timeout <minutes>
  SIP ALG specific STUN timeout
Additional LSN-LID configurations
Applies to both NAT44 and NAT64
(config-lsn-lid)# user-quota session 500
  User-Quota [udp|tcp|icmp] counts outside ports used
  EIM and EIF related sessions count as 1 port
  User-Quota Session counts sessions
(config-lsn-lid)# conn-rate-limit 100
  Maximum connections per second
  Preserves CPU and bandwidth
  More useful for TCP sessions
Hairpinning
Applies to both NAT44 and NAT64
ALG, Static Port Mapping, and EIF open inbound ports
Hairpinning allows internal hosts to reach those ports (diagram: via the NAT address 198.18.0.11:3544)
By default
  UDP: filter-none (can talk to itself)
  TCP: filter-self-ip-port
  ICMP: not possible
Use filters to limit
  cgnv6 lsn hairpinning filter-self-ip   (most restrictive)
Additional Troubleshooting LSN
Check EIM/EIF sessions
  show cgnv6 lsn full-cone-sessions
Clear EIM/EIF sessions
  clear sessions   (maybe multiple times)
Check Session Timeouts
  show running-config cgnv6 translation
Carrier Grade Networking
Routing and Networking
Section 7
Section objectives
Topologies
Pass-Through
Out-of-line
Application Delivery Partitions
Configuring Routing
Static Routing
BGP
OSPF
OSPFv3
CGNAT is about routing
Routing between domains must be stopped!
  Connection only through CGNAT
  Routing to CGNAT and from CGNAT, not through
Supports major routing protocols
  OSPF, OSPFv3, RIP, RIPng, IS-IS, BGP4+ (and static routing)
Active/Active requires routing
  PBR (Policy Based Routing) on upstream / downstream routers (not ACOS)
NAT is not Transparent or Bridging
  A10 CGN not an endpoint (mostly)
Diagram: User Network1 and User Network2 each reach the Internet only through the CGNAT
Pass Through
CGNAT devices at boundary
  Easy to configure and test
  CGNAT devices see all Internet traffic
  Need rules to handle public IPv4 traffic
Diagram: IPv4 Internet <- i/e-BGP or static routing -> CGNAT pair (Floating IP) <- static routing,
  SRC based PBR, or OSPF / iBGP -> User Networks and Internal Services
Out of Line
CGNAT on the side of the path to the Internet
  Only NATed traffic (more scale)
Diagram: IPv4 Internet <- i/e-BGP -> border router <- SRC based PBR or OSPF / iBGP -> CGNAT pair (Floating IP);
  Public Networks, Private Networks and Internal Services hang off the same router
Routing View from ACOS
Even in On The Side, One-Arm Mode
CGN sees the world as Outside and Inside
Diagram: Egress toward the IPv4 Internet; Ingress (Floating IP) from the User Networks
Application Delivery Partitions
Multi-tenant using tenant's public IPs
  Partition autonomous
  Configure LSN and Logging in private partition
Multi-tenant using provider's public IPs
  Logging and NAT Pools configured in Shared partition
  LIDs and Class-Lists configured in private partitions
  Inter-Partition Routing
Converge multiple overlapping RFC1918 address spaces
  Likely with Inter-Partition Routing
Diagram: shared partition facing the IPv4 Internet; aaa.com, bbb.com and ccc.com partitions behind it
  with overlapping user spaces 10.10.0.0/16, 172.16.0.0/16 and 172.16.0.0/16
Static Route - Egress
Simplest configuration; can be configured in GUI
(config)# ip route 0.0.0.0 /0 100.64.1.1 10
  Destination Network: 0.0.0.0 /0
  Next Hop: 100.64.1.1
  Metric (optional): 10
(config)# ipv6 route ::/0 <Global_or_LinkLocal_Unicast_Addr> 10
Bi-Directional Forwarding Detection (BFD) supported for
Static Route - Ingress
Create VRRP-A Floating-IP
vrrp-a vrid 1
  floating-ip 100.64.3.1
  device-context 1
  blade-parameters
  [. . .]
Set the Floating-IP (100.64.3.1) as the next hop on the inside router
Diagram: VRID 1 active on one ACOS, VRID 1 standby on the other, both behind Floating IP 100.64.3.1
Active-Active needs 2 VRIDs and PBR (Policy Based Routing) on the inside router
Egress BGP (part 1)
Goal 1: Learn outbound (default?) route
Goal 2: Inform network how to get to NAT pool
With redundancy
eBGP / iBGP, your choice
router bgp 64500
  neighbor 100.64.1.1 [. . .]
  neighbor 100.64.1.1 prefix-list EXT_NET in
  [. . .]
  redistribute ip-nat
ip prefix-list EXT_NET seq 5 permit 0.0.0.0/0
  Protect your routing table: accept only the default route from the upstream
Diagram: Default learned from the upstream; NAT Pool and Floating IP advertised toward it
Egress BGP (part 2)
NAT Pool can be separate from interface networks
Recursive Routing can speed up re-convergence
vrrp-a vrid 1
  floating-ip 100.64.3.1
router bgp 64500
  [. . .]
  redistribute floating-ip
  redistribute ip-nat route-map TO_FLOATIP
route-map TO_FLOATIP permit 1
  match group 1 active
  set ip next-hop 100.64.3.1
Diagram: ACOS devices 100.64.3.11 and 100.64.3.12 share Floating IP 100.64.3.1 (100.64.0.0/10);
  the NAT Pool is advertised to the IPv4 Internet with the Floating IP as next hop
Ingress OSPF
Goal 1: Inform inside network of outbound (default?) route
Goal 2: Learn how to get to inside user networks
With redundancy
Use VRRP-A Floating IP to speed re-convergence
Need to prevent CGN devices from learning the default route from each other
  Administrative distance
  Separate links / OSPF areas
Diagram: VRID 1 active and VRID 1 standby both advertise the Default via the Floating IP to the User Networks
Ingress OSPF (part 2)
router ospf 1
  network 100.64.3.0 0.0.0.255 area 0
  distance 210
  default-information originate always route-map TO_FLOATIP
Use of always depends on egress routing
route-map TO_FLOATIP permit 1
  match group 1 active
  set ip next-hop 100.64.3.1
vrrp-a vrid 1
  floating-ip 100.64.3.1
Diagram: ACOS 100.64.3.11 (VRID 1 active) and 100.64.3.12 (VRID 1 standby), Floating IP 100.64.3.1,
  inside router 100.64.3.254, User Networks behind it
Ingress OSPF (alternate config)
Dev A1
router ospf 1
  default-information originate always route-map TO_FLOATIP
  distribute-internal floating-ip area 0 cost 10
  network 100.64.3.5 0.0.0.0 area 0
  Additional network statements for more routers
Dev A2
router ospf 1
  [...]
  network 100.64.3.9 0.0.0.0 area 0
Both
route-map TO_FLOATIP permit 1
  match group 1 active
  set ip next-hop 100.64.3.1
Diagram: point-to-point links 100.64.3.5/30 - 100.64.3.6/30 (Dev A1, VRID 1 active) and
  100.64.3.9/30 - 100.64.3.10/30 (Dev A2, VRID 1 standby), Floating IP 100.64.3.1, User Networks behind
Ingress BGP and Egress OSPF
Left as an exercise to the reader
Combine either with Static Routes
Can design All BGP or All OSPF
Service Provider Design: Routing with BGP, OSPF for learning Router-ID
Double BGP: At Least 2 Control CPU
Diagram: IPv4 Internet (Default?) above; NAT Pool, Floating IP 100.64.128.1 and Default toward the User Networks below
Ingress OSPFv3
Goal 1: Inform inside network of the route to the NAT64 Prefix
Goal 2: Inform inside network of the route to DNS64
Goal 3: Learn how to get to inside user networks
With redundancy
Using VRRP-A Floating IP to speed re-convergence
Diagram: VRID 1 active and VRID 1 standby, Floating IP, Default toward the User Networks
Ingress OSPFv3 (part 2)
Process ID must match Tag
router ipv6 ospf 1
  router-id 0.0.0.1
  redistribute nat64 route-map TO_NAT64
  redistrib vip 2001:db8:a10::53 floating-IP-forward-address 2001:db8:a10::1
route-map TO_NAT64 permit 1
  match group 1 active
  set ip next-hop 2001:db8:a10::1
interface ve 100
  [...]
  ipv6 address 2001:db8:a10::10/64
  ipv6 enable
  ipv6 router ospf area 0 tag 1
Diagram: ACOS 2001:db8:a10::11 (VRID 1 active) and 2001:db8:a10::12 (VRID 1 standby), Floating IP 2001:db8:a10::1,
  inside router 2001:db8:a10::254, User Networks behind it
Lab 4 – CGN Routing
Carrier Grade
Networking Logging
Section 8
Section objectives
Issues in Logging
Data Plane Logging Configuration
Logging Template
Port Batching (v1 and v2)
Fixed-NAT Table Export and Logging
NetFLOW(IPFIX)
Issues in Logging
Law Enforcement Requests
  Map packet to real person
  Every connection, IP address, L4 port
  Start time, Stop time
Recording network activity
  Volume of logs (TB per month)
  CPU and Network Throughput Intensive
Connecting to current infrastructure
  Control Plane vs. Data Plane
  Syslog (tcp, udp), RADIUS, NetFLOW, sFLOW
  Operational Logs vs. Traffic Logs
  Custom fields (HTTP headers, RADIUS attr)
Logging MUST be flexible
  Every network different
Data Plane Logging: Managing Logging Volume
Logging is overhead but critical
Bottlenecks: single link, single CPU, single server
Solution:
  Balance logging over all Data CPUs
  Balance over (up to) 32 servers
  Servers -> Service-Group -> Logging Template
Diagram: Logging Template -> service-group SG-SYSLOG -> syslog1, syslog2, syslog3 (each 514 tcp)
Data Plane Logging: Define real servers and service group
Configure cgnv6 servers
cgnv6 server SYSLOG01 203.0.113.61
  port 514 [udp|tcp]
  Name: used to reference in config and stats
  IP Address: IPv4 or IPv6, reachable from DATA interfaces
  Port and Type: 514, udp or tcp depending on the syslog server
Configure cgnv6 service-group
cgnv6 service-group SG_SYSLOG udp
  member SYSLOG01 514
  Name: SG_SYSLOG
  Type: udp (must match the cgnv6 server type)
  Members: up to 32 cgnv6 server/port
Logging Template: Provide the flexibility
For logging template settings, see the Traffic Logging Guide for IPv6 Migration
cgnv6 template logging CGN_LOG
  service-group SG_SYSLOG
  format [...]
  facility local7              <- Facility is a Syslog RFC parameter
  severity informational       <- Severity is a Syslog RFC parameter
  disable-log-by-destination
    udp port 53
Bind the logging template
cgnv6 lsn logging default-template CGN_LOG
  Default is for NAT44 or NAT64
  Can bind specific templates to specific NAT Pools
Log Template Format Options (message size)
Fields: Log Type, Internal IP:Port -> NAT IP:Port
Default: ASCII log [~80 bytes]
<135> Jun  9 21:58:19 ax69 NAT-TCP-C: 10.225.3.101:51411 -> 111.67.226.15:51411
<135> Jun  9 21:58:23 ax69 NAT-TCP-F: 10.225.3.101:51411 -> 111.67.226.15:51411
RFC5424: alternate standard syslog [~110 bytes]
<191>1 2017-04-05T01:39:43-07:00 1.0.0.1 A1 - LSN:PortAllocated:TCP [110.0.0.100 1078 200.0.0.122 1078]
Compact: hexadecimal format [58 bytes]
<135> Jun  9 21:59:01 ax69 TC: 0ae10365:c8d3->6f43e2ac:c8d3
Binary: A10 proprietary format [28 bytes]
10001c000000 00004fd35cee0019 880e0ae03656f43 e26fca1fca1f
Combining Log Messages
Port Batching (v2 and v1)
  Separate from User Quota, but should align with User Quota
  1st connection triggers allocation, which triggers a log message
  Last port freed triggers a log message
Batched Logging
  Not to be confused with port-batching
  Logs sent when buffer is full or timer expires (default)
  Disable in cgnv6 template logging; logs are then sent immediately
  ACOS(config-logging:CGN_LOG)# batched-logging-disable
Port Batching (v1)
ACOS(config)# cgnv6 enable-port-batch-v1
  New for ACOS 4.1.2
  Must be run before any CGN NAT pools are created
ACOS(config:1)# cgnv6 lsn port-batching size ?
  1 is default
  Possible values: 8, 16, 32, … 51
NAT-TCP-B: 110.0.0.100 -> 200.0.0.22:5274,8,3
NAT-TCP-X: 110.0.0.100 -> 200.0.0.22:5274,8,3
Port Batching (v2)
Defined as part of the CGNV6 NAT Pool
A10 recommends migrating from v1 to v2
  Larger and more efficient port batching
  v1 and v2 can exist together in the same config
cgnv6 nat pool NAT1 192.0.0.0 netmask /16 vrid 1 port-batch-v2-size 64
  1 is default
  Possible values: 64, 128, … 4096
NAT-TCP-T: [2001:db8:a10:110::100] -> 200.0.0.165:63680,63743
NAT-TCP-Y: [2001:db8:a10:110::100] -> 200.0.0.165:63680,63743
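A law-enforcement lookup ("who held NAT IP:port at time T?") has to cope with whichever format the template emits and with NAT ports being reused once freed. The block below is an added example for this page (not A10 code) that parses the ASCII create/free lines and the compact hex lines from the format-options slide as well as the port-batch v2 range lines above, then replays allocations and releases to answer that question for a given instant. Its assumptions: the event letters are read as C/T = allocate and F/Y = free, the first letter of the hex code as the protocol (T = TCP), and the year is supplied by the caller because BSD syslog timestamps lack one. The v1 B/X lines are left out because the slides do not spell out their trailing fields, and the sample log is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: lines 1-4 reuse the formats shown on the slides
# (ASCII create/free, compact hex, port-batch v2); lines 5-6 are made up so
# that NAT port 51411 is reused by a second subscriber after the first one
# released it.
SAMPLE_LOG = """\
<135> Jun  9 21:58:19 ax69 NAT-TCP-C: 10.225.3.101:51411 -> 111.67.226.15:51411
<135> Jun  9 21:58:23 ax69 NAT-TCP-F: 10.225.3.101:51411 -> 111.67.226.15:51411
<135> Jun  9 21:59:01 ax69 TC: 0ae10365:c8d3->6f43e2ac:c8d3
<135> Jun  9 22:00:00 ax69 NAT-TCP-T: [2001:db8:a10:110::100] -> 200.0.0.165:63680,63743
<135> Jun  9 22:00:05 ax69 NAT-TCP-C: 10.225.3.102:40000 -> 111.67.226.15:51411
<135> Jun  9 22:10:00 ax69 NAT-TCP-Y: [2001:db8:a10:110::100] -> 200.0.0.165:63680,63743
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
ASCII_RE = re.compile(
    rf"^<\d+>\s*{TS} \S+ NAT-(?P<proto>TCP|UDP|ICMP)-(?P<ev>[CFTY]): "
    r"(?:\[(?P<in6>[0-9a-fA-F:]+)\]|(?P<in4>\d+(?:\.\d+){3}))(?::\d+)? -> "
    r"(?P<nat_ip>\d+(?:\.\d+){3}):(?P<lo>\d+)(?:,(?P<hi>\d+))?$"
)
HEX_RE = re.compile(
    rf"^<\d+>\s*{TS} \S+ (?P<proto>[TU])(?P<ev>[CF]): "
    r"(?P<in_ip>[0-9a-f]{8}):[0-9a-f]{4}->(?P<nat_ip>[0-9a-f]{8}):(?P<nat_port>[0-9a-f]{4})$"
)
ALLOC_EVENTS = {"C", "T"}             # assumed: C and T allocate, F and Y release
HEX_PROTO = {"T": "TCP", "U": "UDP"}  # assumed: first letter of the hex code is the protocol


@dataclass(frozen=True)
class PortEvent:
    ts: datetime
    proto: str
    alloc: bool
    inside_ip: str
    nat_ip: str
    port_lo: int
    port_hi: int


def _stamp(text, year):
    # BSD syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    """Return a PortEvent for a recognised line, None for anything else."""
    m = ASCII_RE.match(line)
    if m:
        lo = int(m["lo"])
        return PortEvent(_stamp(m["ts"], year), m["proto"], m["ev"] in ALLOC_EVENTS,
                         m["in6"] or m["in4"], m["nat_ip"], lo, int(m["hi"] or lo))
    m = HEX_RE.match(line)
    if m:
        port = int(m["nat_port"], 16)
        return PortEvent(_stamp(m["ts"], year), HEX_PROTO[m["proto"]], m["ev"] in ALLOC_EVENTS,
                         str(ipaddress.IPv4Address(int(m["in_ip"], 16))),
                         str(ipaddress.IPv4Address(int(m["nat_ip"], 16))), port, port)
    return None


def parse_log(text, year=2017):
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def who_had(events, nat_ip, nat_port, at, proto="TCP"):
    """Inside address that held nat_ip:nat_port at instant `at`, or None.

    Replays allocations and releases in time order up to `at`, so a port
    that was freed and handed to another subscriber resolves to the new
    holder: without an accurate timestamp the answer is wrong.
    """
    held = {}  # (inside_ip, port_lo, port_hi) -> allocation time
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > at:
            break
        if ev.proto != proto or ev.nat_ip != nat_ip:
            continue
        key = (ev.inside_ip, ev.port_lo, ev.port_hi)
        if ev.alloc:
            held[key] = ev.ts
        else:
            held.pop(key, None)
    for inside_ip, lo, hi in held:
        if lo <= nat_port <= hi:
            return inside_ip
    return None


def holder_at(nat_ip, nat_port, when, text=SAMPLE_LOG, year=2017, proto="TCP"):
    """Convenience: who had nat_ip:nat_port at '<Mon D HH:MM:SS>' according to the log text."""
    return who_had(parse_log(text, year), nat_ip, nat_port, _stamp(when, year), proto)


if __name__ == "__main__":
    for when in ("Jun 9 21:58:20", "Jun 9 21:58:30", "Jun 9 22:00:10"):
        print(f"111.67.226.15:51411 at {when} -> {holder_at('111.67.226.15', 51411, when)}")
```

The same port on 111.67.226.15 resolves to 10.225.3.101 at 21:58:20, to nobody at 21:58:30, and to 10.225.3.102 at 22:00:10; a request without the timestamp, or with a clock that is off by a minute, names the wrong subscriber. Adding include-destination or session logging (next slides) narrows that further at the cost of losing most of the port-batching savings.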
Logging To Meet Specific Needs
These options are set in the Logging Template
To Include Destination information
  (config-logging:CGN_LOG)# include-destination
  Based on legal requirement; reduces the benefit from port-batching
or
  (config-logging:CGN_LOG)# log port-mappings disable
  (config-logging:CGN_LOG)# log sessions
  (config-logging:CGN_LOG)# format custom
  (config-logging:CGN_LOG)# custom message session-created "<...>"
  (config-logging:CGN_LOG)# custom message session-deleted "<...>"
  Adjust the message for ingestion by existing infrastructure (e.g., Sandvine SDE)
Fixed-NAT Table Export
cgnv6 fixed-nat create-port-mapping-file
  Enables the creation (and therefore export) of the file
  Support for 1000 concurrent files
show cgnv6 fixed-nat port-mapping-files
delete cgnv6 fixed-nat <map-name>
export fixed-nat <map-name> [...]
Also, extract the Fixed-NAT mapping table via aXAPI
MIB for the Fixed-NAT mapping table (example values):
  axFixedNatPortMappingPortNatIpAddress       192.168.25.200
  axFixedNatPortMappingPortInsideUser         192.168.64.2
  axFixedNatPortMappingPortInsideUserIpType   ipv4
  axFixedNatPortMappingPortTcpBeginPort       1024
  axFixedNatPortMappingPortTcpEndPort         2023
  axFixedNatPortMappingPortUdpBeginPort       1024
  axFixedNatPortMappingPortUdpEndPort         2023
  axFixedNatPortMappingPortIcmpBeginPort      1024
  axFixedNatPortMappingPortIcmpEndPort        2023
  Index: 14.49.57.50.46.49.54.56.46
Fixed-NAT Logging Options
Adds logging to Fixed-NAT
Optional periodic logging of the Fixed-NAT mapping for active Fixed-NAT users
  log fixed-nat user-ports periodic 1 start-time 11:51
MAC Address Insertion
Inclusion of HTTP headers in CGN logs
  RFC 5424 Format not supported
  Cookie, Referer, and User-Agent; others by name (e.g. Content-length, etc.)
  Aug 16 04:28:51 AX3000 HTTP: 10.225.3.2:38695<-->40.0.0.1:80,40.0.0.1:80<-->1.1.3.182:38695 Q=1 URL=http://www.a10networks.com/^_ User-Agent=Mozilla/5.0 Gecko/20100101 Firefox/22.0^_ Cookie=A=123; B=456
  Logged Cookie values can carry session tokens, so treat these logs and their transport as sensitive
HTTP request/response byte counts in session deletion log messages
  Aug 9 05:24:23 AX3000 NAT-TCP-D: 10.225.3.2:38695<-->40.0.0.1:80,40.0.0.1:80<-->1.1.3.182:38695 REQ_SIZE=1300 RSP_SIZE=15486
NetFLOW (IPFIX)
Alternative to Logging
  Easier to perform Traffic Accounting analysis
  Uses more memory (~33% more) but less CPU
  Binary format
ACOS is the NetFlow exporter
  Collector does not respond/acknowledge data
  Supports NetFlow v9 (default) and IPFIX (NetFlow v10)
  Uses a CGNV6 Service-Group to load-balance
  Destination can be a single IP reachable from a Data Interface (but…)
Flow Record templates control what is exported
Define multiple monitors to segment/filter output to different destinations
Diagram: NetFlow Monitor -> service-group SG-NETFLOW -> netflow1, netflow2, netflow3 (each 9996 udp)
NetFLOW (IPFIX)
Configure cgnv6 servers and service-group (optional)
cgnv6 server NETFLOW01 203.0.113.61
  port 9996 udp
  health-check-disable
cgnv6 service-group SG-NETFLOW udp
  member NETFLOW01 9996
  [...]
Create / Configure the NetFlow Monitor
  Destination must be reachable from an ACOS data interface (not management)
netflow monitor MYNETFLOW
  destination service-group SG-NETFLOW
  [...]
NetFLOW Settings
`record` settings define what to send (see the documentation (SAG) for details)
  `nat44` and `nat64` contain traffic accounting info but are sent when the mapping is freed
`sample` settings focus monitoring
`disable-log-by-destination` filters monitoring
netflow monitor MYNETFLOW
  disable-log-by-destination
    udp port 53
    icmp
  record nat44
  record nat64
  sample nat-pool CGN121
  destination service-group SG-NETFLOW
  device-context 1
  source-address ip 100.0.0.1
Monitor the NetFlow Monitor
  show netflow monitor
NetFLOW Record Settings
ACOS(config-netflow-monitor)# record ?
  dslite                 DS-Lite Flow Record Template
  nat44                  NAT44 Flow Record Template
  nat64                  NAT64 Flow Record Template
  netflow-v5             NetFlow V5 Flow Record Template
  netflow-v5-ext         Extended NetFlow V5 Flow Record Template, supports ipv6
  port-batch-dslite      DS-Lite Port Batching Event Template
  port-batch-nat44       NAT44 Port Batching Event Template
  port-batch-nat64       NAT64 Port Batching Event Template
  port-batch-v2-dslite   DS-Lite NAT Port Batching v2 Event Template
  port-batch-v2-nat44    NAT44 NAT Port Batching v2 Event Template
  port-batch-v2-nat64    NAT64 NAT Port Batching v2 Event Template
  port-mapping-dslite    DS-Lite Port Mapping Event Template
  port-mapping-nat44     NAT44 Port Mapping Event Template
  port-mapping-nat64     NAT64 Port Mapping Event Template
  sesn-event-dslite      DS-Lite Session Event Template
  sesn-event-nat44       NAT44 Session Event Template
  sesn-event-nat64       NAT64 Flow Record Template
Lab 5 – CGN Logging
Carrier Grade Networking
Monitoring and Troubleshooting
Section 9
Section objectives
Monitoring
Logs
Performance
NAT pool utilization
SNMP Traps
Troubleshooting
Troubleshooting Checklist
Session Table and Filtering
Axdebug
Advanced Troubleshooting
System Log
ACOS logs many informational, warning, and error messages.
  Port/Interface up/down messages
  Router status and VRRP-A status changes
  Data Plane Logging Server & service port up/down messages
  System Monitor messages
    Hard disk, RAM, CPU usage warnings
    Temperature warnings
  Application-specific error messages
    User-quota exceeded message
ACOS# show log ?
  length    Number of lines to display
  master    show master log
  policy    Setup Policy
  |         Output modifiers
  <cr>
Audit Log
ACOS logs administrative actions with username, date, and time stamp.
It also logs new administrative sessions.
ACOS# audit [ | inc <reg_ex> ]
Audit Log Examples
<date> [admin] web: [1503433013437215] RESP HTTP status 200 OK
<date> [admin] web: [1503433013437215] payload section 1 {"pool": {"start-address": "10.0.30.1", "vrid": "1", "netmask": "255.255.255.254", "pool-name": "CGN10-30"}}
<date> [admin] web: [1503433013437215] POST: /axapi/v3/cgnv6/nat/pool
<date> [admin] cli: [1.0.0.100:1615] cgnv6 nat pool CGN172-16 172.16.2.1 netmask /28
ACOS Performance: Memory Usage
Display memory utilization (current)
ACOS# show memory [system]
Total(KB)   Free      Shared   Buffers   Cached   Usage
--------------------------------------------------------
4041415     1728952   0        23252     479798   57.00%
Reference points: 47.90% with no config, 58.80% under load
Medium Term: GUI, Dashboard > System (https://<ACOS>/gui/#/dashboard/)
Long term: SNMP
ACOS Performance: CPU Usage
Display cpu utilization
ACOS# show cpu [ interval […] ]
        1Sec   5Sec   10Sec   30Sec   60Sec
-------------------------------------------
CPU0    6%     7%     7%      9%      9%
CPU1    10%    9%     4%      1%      0%
CPU2    11%    10%    5%      1%      0%
CPU3    10%    9%     5%      1%      0%
Medium Term: GUI, Dashboard > System (https://<ACOS>/gui/#/dashboard/)
Long term: SNMP
Monitoring NAT pool utilization
Real time details
ACOS# show cgnv6 nat pool statistics ?
  WORD     Show a specific LSN pool
  top      Display the top pool IPs
  brief    Show Current Users, UDP, and TCP only
  peaks    Show Peak Statistics
  misc     Show miscellaneous per-IP information
  |        Output modifiers
  <cr>
LSN Address Pool Statistics:
----------------------------
CGN21
Address      Users   ICMP  Freed  Total   UDP   Freed  Total  Rsvd   TCP  Freed  Total  Rsvd
--------------------------------------------------------------------------------------------
200.0.0.2    0       0     0      0       0     16206  16206  0      0    16232  16232  0
200.0.0.3    3       0     0      0       3916  16186  20102  4500   9    20126  20135  4500
[...]
--------------------------------------------------------------------------------------------
Pool Name   Total IPs   Total Users   Free IPs   Used IPs
CGN21       126         100           59         67
--------------------------------------------------------------------------------------------
(per-protocol columns: ports currently in use, then Freed, Total allocated, and Rsvd = reserved)
Monitoring NAT pool utilization (part 2)
Medium Term: GUI, Dashboard > System >> CGN (https://<ACOS>/gui/#/dashboard/cgn)
Long term: SNMP
SNMP Traps
ACOS(config)# snmp-server enable traps routing [bgp|ospf|isis]
ACOS(config)# snmp-server enable traps snmp [linkdown|linkup|all]
ACOS(config)# snmp-server enable traps lsn ?
  all                                  Enable all LSN group traps
  fixed-nat-port-mapping-file-change   Enable LSN trap when the fixed nat port mapping file changes
  per-ip-port-usage-threshold          Enable LSN trap when IP total port usage reaches the threshold (default 64512)
  total-port-usage-threshold           Enable LSN trap when NAT total port usage reaches the threshold (default 655350000)
  traffic-exceeded                     Enable LSN trap when NAT pool reaches the threshold
May need to tweak thresholds
Advanced CGNv6 Monitoring
ACOS# show cgnv6 [lsn|nat64] ?
  alg                   Displays LSN ALG Status or Statistics
  full-cone-sessions    Full Cone Sessions
  inside-user           All for given LSN user
  nat-address           All sessions for given NAT address
  port-overloading      Displays port-overloading configuration
  port-reservations     Port Reservation Configuration
  radius                Display RADIUS Information
  statistics            LSN traffic statistics
  system-status         Displays System Status
  user-quota-sessions   Per User Statistics
ACOS# show cgnv6 lsn statistics
Traffic statistics for LSN:
---------------------------
Total TCP Ports Allocated               65046
Total TCP Ports Freed                   64907
Total UDP Ports Allocated               25000
[...]
Data Session Created                    90046
[...]
New User NAT Resource Unavailable       0
TCP User-Quota Exceeded                 0
UDP User-Quota Exceeded                 39934
[...]
TCP Full-cone Session Created           0
[...]
Hairpin Session Created                 0
Self-Hairpinning Drop                   0
[...]
System Log
ACOS logs many informational, warning, and error messages.
  Port/Interface, Router, and VRRP-A status changes
  Duplicate IP warnings
  Application-specific error messages
    User-quota exceeded message
First place to check when experiencing issues
ACOS# show log [ | inc <reg_ex> ]
ACOS# export syslog messages [use-mgmt-port] <URI: ftp://...>
ACOS# terminal monitor
Examining running config
Examine the running config with the following tools
ACOS# show run [ | sec ^[0-z] ]
  ↑ the optional element at the end of this command strips blank lines from the output
ACOS# show run | sec <config_element>   (e.g., CGN)
ACOS# show run <config_element>         (e.g., cgnv6 lsn-lid)
ACOS# show run | begin <router_elem>    (e.g., bgp, router ipv6)
ACOS# diff startup-config running-config
ACOS# diff start run | inc <\|>\||
OSI Based Troubleshooting
Layer 1-2
  show interfaces […]
  show interfaces brief
  show ipv6 interfaces
Layer 3
  show arp
  show ipv6 neighbor
  show ip route
  show ipv6 route
  show run | sec router
  show bgp summary
  show bgp ipv4 unicast
  show bgp ipv6 unicast
  show ip ospf database
  show ipv6 ospf database
Layer 4
  ACOS# axdebug ?
    capture         Dump packets
    filter-config   Global debug filter
    setting         AX Debug Commands
  ACOS# telnet <ip> <port>
  ACOS# show session [...]
Troubleshooting Check-List
1. Check Logs
2. Check Routing
   a) NAT Pool reachable by Internet
   b) NAT64 prefix reachable by inside network
   c) Access router sending to CGN
   d) "inside" and "outside" interfaces receiving expected traffic
3. Check Class-List
   a) show running-config cgnv6 [lsn|nat64]
      • Check "inside source class-list"
   b) show cgnv6 [lsn|nat64] statistics
      • Check "No Class-List Match" and "LSN LID"
Troubleshooting Check-List (part 2)
4. Check LSN-LID Configuration
5. Check NAT Pool Group and NAT Pool Configuration
   a) vrid and `show vrrp-a`
   b) Addresses, network, and netmask boundaries
6. Check Sessions Table
7. Check Packet Flow (axdebug)
8. Check ACLs and DDoS
   a) show cgnv6 ddos-protection ?
      ip-entries   Abnormal IP Entries
      l4-entries   Abnormal L4 Port Entries
      statistics   DDoS Statistics
Show Sessions Table
ACOS# show session
ACOS# show session [ipv4|ipv6|...]
ACOS# show session ipv4 [dest-port|...]
ACOS# show cgnv6 fixed-nat ?
  alg                   ALG Statistics
  full-cone-sessions
  inside-user           Inside User Details
  nat-address           NAT Address Details
  port-mapping-files
  statistics
Traffic Type          Total
---------------------------
Total Sessions        3714
TCP Established       1853
TCP Half Open         13
SCTP Established      0
[...]
Prot  Forward Source       Forward Dest       Reverse Source    Reverse Dest       Age   Hash  Flags     Type
------------------------------------------------------------------------------------------------------------
Tcp   110.0.0.115:10006    200.0.10.146:80    200.0.10.146:80   200.0.0.88:10006   300   1     NFe0f0r0  LSN
Session filtering
Fine tune session monitoring by using reusable filters
ACOS(config)# session-filter <filter_name> set ?
  dest-addr     Forward Destination IP
  dest-port     Forward Destination Port
  source-addr   Forward Source IP
  source-port   Forward Source Port
  ipv6          Display ipv6 sessions only
  sip           SIP sessions
Fine tune session clearing by using filters
ACOS# clear session filter <filter_name>
Example
session-filter c1 set source-addr 10.0.1.160 source-mask /28 dest-port 80
show session filter c1
Prot  Forward Source      Forward Dest    Reverse Source   Reverse Dest       Age  Hash  Flags  Type
Tcp   10.0.1.161:36690    10.0.1.12:80    10.0.2.18:80     10.0.2.16:14075    0    1     NSe1   SLB-L7
Tcp   10.0.1.161:36660    10.0.1.12:80    10.0.2.18:80     10.0.2.16:14045    0    1     NSe1   SLB-L7
axdebug
View real time and/or save
  Saved capture files are in pcap format (Wireshark / tcpdump)
  Captures the entire frame
axdebug is session based
  When one packet matches the filter, dump all the following packets in the same session
Diagram: Client 10.10.10.30 -> CGNAT -> Server 40.40.40.40
  packet1 (client side): Src 10.10.10.30, Src port 35525, Dst 40.40.40.40, Dst port 80
  packet2 (server side): Src 30.30.30.123 (nat pool), Src port 44444, Dst 40.40.40.40, Dst port 80
axdebug filters
Build filters to fine tune your capture
Multiple conditions within a filter are ANDed, multiple filters are ORed
ACOS# axdebug filter-config 1
ACOS(axdebug-filter:1)# ip 1.2.3.4 /32
ACOS(axdebug-filter:1)# port 80
ACOS(axdebug-filter:1)# exit
ACOS# axdebug filter-config 2
ACOS(axdebug-filter:2)# proto icmp
ACOS(axdebug-filter:2)# exit
ACOS# axdebug capture
ACOS(axdebug-capture)# brief
ACOS(axdebug-capture)# detail
ACOS(axdebug-capture)# save <file_name>
ACOS(axdebug-capture)# brief save <file_name>
axdebug caveats/reference
Data interfaces only
Export trace
  GUI: System > Diagnostics >>> Show AXDebug Files (https://<ACOS>/gui/#/dashboard/)
  ACOS# show axdebug file
  ACOS# export axdebug <filename> [...] <URI>/<filename>
Export options (part of […])
  merged-pcap : default. 1 file of all captures. <filename> automatically given .pcap extension
  per-cpu     : GUI default. Tarball of all captures. <filename> automatically given .tar.gz extension
  tgz         : Output like merged-pcap, but wrapped in a tar.gz tarball
Check config
  ACOS# show axdebug status
  ACOS# show axdebug config
  ACOS# show axdebug filter
Debug
Two sets of utilities
  Debug message logging function (OSPF, BGP, System)
  Packet capture function
Text output, intended for examining protocol interactions
  axdebug is generally better for packet capture
  debug packet partially breaks axdebug filters
Not officially documented or supported
Check status of debug options
  ACOS# show debug <feature>
Debug Based Packet Capture (part 1)
Special use of debug
ACOS# show debug
  Without <feature>, shows debug packet status
ACOS# debug packet
ACOS# debug monitor [filename]
  Optional filename for export of debug output
ACOS# show debug file
ACOS# export debug-monitor <filename> [use-mgmt-port] <URI>
  Export deletes the file from the system
Debug Based Packet Capture (part 2)
ACOS# debug packet ?
  count         Maximum packets to capture. Default is 3000
  detail        Print packet content
  interface     Interface to debug
  l3-protocol   Layer 3 protocol
  l4-protocol   Layer 4 protocol
  <cr>
  (interface, l3-protocol and l4-protocol are filters, but they don't quite work as expected)
ACOS# debug monitor
@2598455 i( 1, 100, 10078)> ip 110.0.0.100 > 200.0.8.3 tcp 2749 > 80 A 92f213e9:6ead8c77(0) len 62
@2598455 o( 2, 200, 10078)> ip 200.0.0.22 > 200.0.8.3 tcp 2749 > 80 A 92f213e9:6ead8c77(0)
@2598456 o( 1, 100, 1a232)> ip 100.0.0.1 > 224.0.0.210 udp 65244 > 65244 len 62
@2598456 o( 1, 100, 1b22d)> ipv6 2001:db8:a10:100::1 > ff02::d2 udp 65244 > 65244
  (the first two lines are the same TCP segment before and after NAT44: source 110.0.0.100 becomes 200.0.0.22)
ACOS# no debug packet
  Very important. Don't forget!
Debug Routing Protocol
Requires some setup
ACOS(config)# router log file per-protocol
ACOS(config)# router log file name routertgt.log
ACOS(config)# router log file rotate 10
ACOS(config)# router log file size 1
  Rotate and Size are critical, or you'll get locked out of the box
To start debug capture
  ACOS# debug [bgp|ospf|ipv6 ospf] [...]
To view the debug log/capture
  ACOS# show router log file [bgpd|ospfd|ospf6d]
To export, use backup log [...]
ShowTech
ShowTech is a comprehensive collection of output from many troubleshooting utilities.
When contacting A10 Tech Support you will be asked to generate one.
CLI: generate and export the file to a remote server, or view it on the screen
  ACOS# show techsupport [export] [use-mgmt-port] [<remote_destination>]
GUI
Exporting the 'backup log'
Create a tarball of logs, system messages, and periodic showtechs
  Can be quite large
  For A10 Engineering; sometimes requested by Customer Support
ACOS# backup log [use-mgmt-port] [<remote_destination>]
  expedite – allow up to 50% control cpu
  period <n> – number of days to include (to reduce size; default is all)
  stats-data – include system statistics as displayed in the A10 GUI
Lab 6 – CGN Monitoring
Thank You