[M/MX-series] How to configure DS-Lite on MX router

Article ID: KB24061
KB Last Updated: 25 Jun 2012
Version: 1.0
Summary:
This article provides information on how to configure DS-Lite on an MX router.
Symptoms:
  • Dual-Stack Lite (DS-Lite) is a promising approach that lets ISPs transition to IPv6 while still dealing with IPv4 addresses: IPv4 traffic is carried over the IPv6 cloud and then reaches IPv4 Internet resources.

  • Basically, the B4 and AFTR routers are used to implement this feature.

  • The B4 router is normally located at the user's home and AFTR is deployed at the SP edge.

  • For more information about DS-Lite, refer to the following link:

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/ipv6-access-ds-lite-configuring.html
Cause:
 
Solution:
Lab diagram:
        +----------------+
        |                |
        |    host        |
        |                |
        +-------|--------+
                |10.0.0.1
                |
                |
                |           
                |
       ge-2/2/9 |10.0.0.2
        +-------|-----------+
        |   home router     |
        |                   |loopback 2401:fa00:0004:107f::3
        |       B4          |
        +-------|-----------+
       ge-2/0/9 |2001:0:0:1::1/48
                |
         ///----------\\\
         ||| IPV6NET   |||
         \\\----------///
                |         
                |
       ge-4/0/9 |2001:0:0:1::2/48
        +-------|-------+
        |  SP Router    |
        |               |
        |    AFTR       |
        +-------|-------+
       ge-4/3/3 |218.0.0.2/24
                |
                |
           ///-----\\\
          |||       ||| IPV6 Internet
           \\\-----///
                |
                |
       ge-4/3/4 |218.0.0.1/24
          +-----|-------+
          |             |
          |  internet   |
          |   server    |
          +-------------+



Platform: MX480 with MS-DPC (Ver. 11.2R1).

Description:

  • The host is the subscriber's computer, which is configured with the ISP-allocated IPv4 address (RFC 1918).

  • B4 is the home router, which encapsulates the IPv4 traffic into the IPv6 tunnel, and vice versa.

  • AFTR is the softwire concentrator, which performs the IPv6 tunnel termination and 4to4 NAT.

  • The Internet server is the target internet resource, to which the home computer has access, and is configured with the public IPv4 address.
Configuration procedure:

  1. Host: Configure the private IPv4 address or DHCP via the B4 router.

  2. B4: Configure both the IPv4 and IPv6 addresses and create the IP tunnel, as well as the necessary static route or routing protocol:
    interfaces {
        /* IPv6 uplink toward the AFTR */
        ge-2/0/9 {
            unit 0 {
                family inet6 {
                    address 2001:0:0:1::1/48;
                }
            }
        }
        /* IPv4 LAN toward the host */
        ge-2/2/9 {
            unit 0 {
                family inet {
                    address 10.0.0.2/24;
                }
            }
        }
        /* IP tunnel to the AFTR, sourced from the loopback address */
        ip-3/0/0 {
            unit 0 {
                tunnel {
                    source 2401:fa00:0004:107f::3;
                    destination 2001:0:0:1::2;
                }
                family inet {
                    address 192.0.0.2/29;
                }
                family inet6;
            }
        }
        lo0 {
            unit 2000 {
                family inet6 {
                    address 2401:fa00:0004:107f::3/128;
                }
            }
        }
    }
    routing-options {
        static {
            /* Send IPv4 traffic for the server network into the tunnel */
            route 218.0.0.0/8 next-hop ip-3/0/0.0;
        }
    }


  3. AFTR: Configure both the IPv4 and IPv6 addresses with tunnel and softwire; IPv4-to-IPv4 NAT is also required:
    interfaces {
        /* IPv6 side facing the B4; the service filter steers softwire traffic to sset1 */
        ge-4/0/9 {
            unit 0 {
                family inet;
                family inet6 {
                    service {
                        input {
                            service-set sset1 service-filter service-filter-ds-lite;
                        }
                        output {
                            service-set sset1 service-filter service-filter-ds-lite;
                        }
                    }
                    address 2001:0:0:1::2/64;
                }
            }
        }
        /* IPv4 side facing the Internet */
        ge-4/3/3 {
            unit 0 {
                family inet {
                    address 218.0.0.2/24;
                }
            }
        }
        /* Services interface on the MS-DPC */
        sp-2/0/0 {
            unit 0 {
                family inet;
                family inet6;
            }
        }
        lo0 {
            unit 2000 {
                family inet6 {
                    address 2401:fa00:0004:107f::1/64;
                }
            }
        }
    }

    routing-options {
        rib inet6.0 {
            static {
                /* Route back to the B4 tunnel source (its loopback) */
                route 2401:fa00:4:107f::3/128 next-hop 2001:0:0:1::1;
            }
        }
    }

    services {
        service-set sset1 {
            syslog {
                host local {
                    services any;
                }
            }
            tcp-mss 1024;
            softwire-rules r1;
            nat-rules r1;
            interface-service {
                service-interface sp-2/0/0.0;
            }
        }
        softwire {
            /* Softwire concentrator: terminates the DS-Lite tunnel */
            softwire-concentrator {
                ds-lite ds1 {
                    softwire-address 2001:0:0:1::2;
                    mtu-v6 1460;
                }
            }
            rule r1 {
                match-direction input;
                term t1 {
                    then {
                        ds-lite ds1;
                    }
                }
            }
        }
        nat {
            pool p1 {
                address 129.0.0.1/32;
                port {
                    automatic;
                }
            }
            /* NAPT-44 for the subscriber's private source addresses */
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-address {
                            10.0.0.0/16;
                        }
                    }
                    then {
                        translated {
                            source-pool p1;
                            translation-type {
                                napt-44;
                            }
                        }
                        syslog;
                    }
                }
            }
        }
    }

    firewall {
        family inet6 {
            service-filter service-filter-ds-lite {
                /* Only traffic from the B4 tunnel source to the softwire address is serviced */
                term sset {
                    from {
                        source-address {
                            2401:fa00:0004:107f::3/128;
                        }
                        destination-address {
                            2001:0:0:1::2/128;
                        }
                    }
                    then service;
                }
                /* Everything else bypasses the service set */
                term default {
                    then skip;
                }
            }
        }
    }

  4. Internet server: Configure the IPv4 address and default gateway.
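
The B4 and AFTR settings above only work together if the tunnel endpoints, the service filter and the return route agree. The following is an added example, not part of the original article or Juniper code, that cross-checks them with address normalization, so `2401:fa00:0004:107f::3` and `2401:fa00:4:107f::3` compare equal. The helper names `parse`, `arg` and `check` are hypothetical, the embedded text is a condensed excerpt of the configuration above, and the parser assumes brace-style text without comments.

```python
import ipaddress as ip
import re

# Excerpts of the article's B4 and AFTR configuration, condensed onto fewer lines.
B4_CFG = """interfaces { ip-3/0/0 { unit 0 { tunnel {
    source 2401:fa00:0004:107f::3; destination 2001:0:0:1::2; } } } }"""
AFTR_CFG = """services { softwire { softwire-concentrator { ds-lite ds1 {
    softwire-address 2001:0:0:1::2; mtu-v6 1460; } } } }
firewall { family inet6 { service-filter service-filter-ds-lite {
    term sset { from { source-address { 2401:fa00:0004:107f::3/128; }
        destination-address { 2001:0:0:1::2/128; } } then service; }
    term default { then skip; } } } }
routing-options { rib inet6.0 { static {
    route 2401:fa00:4:107f::3/128 next-hop 2001:0:0:1::1; } } }"""

def parse(text):
    # Brace-style Junos config -> nested dicts; leaf statements map to None.
    stack = [{}]
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        name = " ".join(tok[:-1].split())
        if tok == "}":
            stack.pop()
        elif tok.endswith("{"):
            stack.append(stack[-1].setdefault(name, {}))
        else:
            stack[-1][name] = None
    return stack[0]

def arg(node, keyword):
    # Argument of the leaf statement in `node` whose first word is `keyword`.
    return next(k.split(None, 1)[1] for k in node if k.split()[0] == keyword)

def check(b4_text, aftr_text):
    b4, aftr = parse(b4_text), parse(aftr_text)
    tun = b4["interfaces"]["ip-3/0/0"]["unit 0"]["tunnel"]
    src, dst = (ip.ip_address(arg(tun, k)) for k in ("source", "destination"))
    sw = aftr["services"]["softwire"]["softwire-concentrator"]["ds-lite ds1"]
    flt = aftr["firewall"]["family inet6"]["service-filter service-filter-ds-lite"]
    frm = flt["term sset"]["from"]
    routes = aftr["routing-options"]["rib inet6.0"]["static"]
    problems = []
    if dst != ip.ip_address(arg(sw, "softwire-address")):
        problems.append("B4 tunnel destination is not the AFTR softwire-address")
    if not any(src in ip.ip_network(p, strict=False) for p in frm["source-address"]):
        problems.append("service-filter source-address misses the B4 tunnel source")
    if not any(dst in ip.ip_network(p, strict=False) for p in frm["destination-address"]):
        problems.append("service-filter destination-address misses the tunnel destination")
    if not any(src in ip.ip_network(r.split()[1], strict=False) for r in routes):
        problems.append("AFTR has no static route to the B4 tunnel source")
    return problems
```

An empty list from `check(B4_CFG, AFTR_CFG)` means the four relationships hold; each string in a non-empty list names the statement to revisit.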

Monitoring and troubleshooting:

Ping from host PC:
ping 218.0.0.1 
PING 218.0.0.1 (218.0.0.1): 56 data bytes
!!!!!
Monitor the softwire flows and NAT. The softwire is established when user traffic triggers it, and the source IPv4 NAT is in operation.

user@AFTR> show services softwire flows
May 11 19:51:35
Interface: sp-2/0/0, Service set: sset1
Flow                                                State    Dir   Frm count
DS-LITE   2401:fa00:4:107f::3 -> 2001:0:0:1::2      Forward  I         23138
ICMP      218.0.0.1 -> 129.0.0.1                    Watch    O         11631
    NAT dest    129.0.0.1 -> 10.0.0.1
    Softwire    2001:0:0:1::2 -> 2401:fa00:4:107f::3
ICMP      10.0.0.1 -> 218.0.0.1                     Watch    I         11667
    NAT source  10.0.0.1 -> 129.0.0.1
    Softwire    2401:fa00:4:107f::3 -> 2001:0:0:1::2

user@AFTR> show services nat pool
May 11 19:53:48
Interface: sp-2/0/0, Service set: sset1
NAT pool   Type      Address               Port        Ports used
p1         dynamic   129.0.0.1-129.0.0.1   512-65535   1

user@AFTR> show services softwire statistics
May 11 19:55:06

DS-Lite Statistics (Service PIC Name: :sp-2/0/0):

Statistics
----------

Softwires Created :15
Softwires Deleted :14
Softwires Flows Created :13
Softwires Flows Deleted :14
Slow Path Packets Processed :15
Fast Path Packets Processed :203212
Fast Path Packets Encapsulated :203033
Rule Match Succeeded :15
Rule Match Failed :0
IPv6 Packets Fragmented :0

Transient Errors
----------------

Flow Creation Failed - Retry :2
Slow Path Failed - Retry :2

Errors
------

Softwire Creation Failed :0
Flow Creation Failed :0
Slow Path Failed :0
Packet not IPv4-in-IPv6 :0
IPv6 Fragmentation Error :0
Slow Path Failed - IPv6 Next Header Offset :0
Decapsulated Packet not IPv4 :0
Fast Path Failed - IPv6 Next Header Offset :0
No Softwire ID :0
No Flow Extension :0
Flow Limit Exceeded :0
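
The error counters in this output are easier to act on when compared between two polls than when read once. The following is an added example, not part of the original article or Juniper tooling, that parses the statistics layout shown above and reports which counters in the error sections grew. `BEFORE` is an excerpt of the output above, `AFTER` is a constructed later poll, the function names are hypothetical, and the comparison assumes the counters only increase between polls.

```python
import re

# Excerpt of the article's `show services softwire statistics` output.
BEFORE = """\
Statistics
----------
Softwires Created :15
Rule Match Failed :0

Transient Errors
----------------
Flow Creation Failed - Retry :2
Slow Path Failed - Retry :2

Errors
------
Softwire Creation Failed :0
Packet not IPv4-in-IPv6 :0
Flow Limit Exceeded :0
"""
# Constructed later poll (not from the article): two counters have moved.
AFTER = (BEFORE.replace("Flow Creation Failed - Retry :2", "Flow Creation Failed - Retry :5")
               .replace("Packet not IPv4-in-IPv6 :0", "Packet not IPv4-in-IPv6 :37"))

def parse_stats(text):
    """Return {section: {counter: value}}; a heading is the line above a ---- rule."""
    sections, current, prev = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if line and set(line) == {"-"}:
            current = sections.setdefault(prev, {})
        elif current is not None:
            m = re.fullmatch(r"(.+?)\s*:\s*(\d+)", line)
            if m:
                current[m.group(1)] = int(m.group(2))
        prev = line
    return sections

def error_deltas(before, after, sections=("Transient Errors", "Errors")):
    """Counters in the error sections that grew between two polls, as {name: increase}."""
    old, new = parse_stats(before), parse_stats(after)
    return {f"{sec}: {name}": value - old.get(sec, {}).get(name, 0)
            for sec in sections
            for name, value in new.get(sec, {}).items()
            if value > old.get(sec, {}).get(name, 0)}
```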

Troubleshooting tips:

  • Ensure that the IPv6 addresses are reachable on both the B4 and AFTR routers. They may need a static or dynamic route between the B4 and AFTR routers.

  • Check the service-filter firewall to ensure that the correct term and action are present.

  • Use monitor traffic/tcpdump on the host and server to check the traffic flow.

  • An interface tap on the AFTR can be used to check for packets discarded because of incorrect configuration, such as no IPv6 route.