IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S
Mapping of Address and Port Using Translation

The Mapping of Address and Port Using Translation feature provides connectivity to IPv4 hosts across IPv6 domains. Mapping of address and port using translation (MAP-T) is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on customer edge (CE) devices and border routers.

This module provides an overview of MAP-T and explains how to configure this feature.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Mapping of Address and Port Using Translation

  • The mapping of address and port using translation (MAP-T) customer edge (CE) functionality is not supported.
  • A maximum of 128 MAP-T domains are supported.
  • Forwarding mapping rule (FMR) is not supported.

Information About Mapping of Address and Port Using Translation

Mapping of Address and Port Using Translation Overview

The Mapping of Address and Port Using Translation feature provides connectivity to IPv4 hosts across IPv6 domains. Mapping of address and port using translation (MAP-T) builds on the existing stateless IPv4 and IPv6 address translation techniques that are specified in RFCs 6052, 6144, and 6145.

MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on customer edge (CE) devices and border routers. The Mapping of Address and Port Using Translation feature supports only the MAP-T border router functionality. This feature does not support the MAP-T CE functionality.

The Mapping of Address and Port Using Translation feature leverages the Network Address Translation 64 (NAT64) translation engine and adds the MAP-T border router function to the NAT64 stateless function. MAP-T is enabled on IPv4 and IPv6 interfaces. MAP-T uses IPv4 and IPv6 forwarding, IPv4 and IPv6 fragmentation functions, and NAT64 translation functions. A MAP-T domain is one or more MAP CE devices and a border router, all connected to the same IPv6 network.

A MAP-T CE device connects a user’s private IPv4 address and the native IPv6 network to the IPv6-only MAP-T domain. The MAP-T border router uses the stateless IPv4/IPv6 translation to connect external IPv4 networks to all devices available in the one or more MAP-T domains. MAP-T requires only one IPv6 prefix per network and supports the regular IPv6 prefix/address assignment mechanisms. The MAP-T domain contains regular IPv6-only hosts or servers that have an IPv4-translatable IPv6 address. MAP-T does not require the operation of an IPv4 overlay network or the introduction of a non-native-IPv6 network device or server functionality.

A MAP-T configuration provides the following features:
  • Retains the ability for IPv4 end hosts to communicate across the IPv6 domain with other IPv4 hosts.
  • Permits both individual IPv4 address assignment and IPv4 address sharing with a predefined port range.
  • Allows communication between IPv4-only and IPv6-enabled end hosts and native IPv6-only servers in domains that use IPv4-translatable IPv6 addresses.
  • Allows the use of IPv6 native network operations, including the ability to classify IP traffic and perform IP traffic routing optimization policies such as routing optimization based on peering policies for IPv4 destinations outside the domain.

MAP-T Mapping Rules

Mapping rules define the mapping between an IPv4 prefix and an IPv4 address or between a shared IPv4 address and an IPv6 prefix/address. Each mapping of address and port using translation (MAP-T) domain uses a different mapping rule.

A MAP-T configuration has one basic mapping rule (BMR), one default mapping rule (DMR), and one or more forwarding mapping rules (FMRs) for each MAP-T domain. You must configure the DMR before configuring the BMR for a MAP-T domain.

The three types of mapping rules are described below:
  • A BMR configures the MAP IPv6 address or prefix. The basic mapping rule is configured for the source address prefix. You can configure only one basic mapping rule per IPv6 prefix. The basic mapping rule is used by the MAP-T CE to configure itself with an IPv4 address, an IPv4 prefix, or a shared IPv4 address from an IPv6 prefix. The basic mapping rule can also be used for forwarding packets, where an IPv4 destination address and a destination port are mapped into an IPv6 address/prefix. Every MAP-T node (a CE device is a MAP-T node) must be provisioned with a basic mapping rule. You can use the port-parameters command to configure port parameters for the MAP-T BMR.
  • A DMR is a mandatory rule that is used for mapping IPv4 information to IPv6 addresses for destinations outside a MAP-T domain. A 0.0.0.0/0 entry is automatically configured in the MAP rule table (MRT) for this rule.
  • An FMR is used for forwarding packets. Each FMR results in an entry in the MRT for the rule IPv4 prefix. FMR is an optional rule for mapping IPv4 and IPv6 destinations within a MAP-T domain.

    Note: FMR is not supported by the Mapping of Address and Port Using Translation feature.


MAP-T Address Formats

The mapping of address and port using translation (MAP-T) customer edge (CE) device address format is defined by the IETF draft Mapping of Address and Port (MAP). Address formats are used during mapping rule operations to construct the source and destination IPv6 addresses.


Note: Forwarding mapping rule (FMR) is not supported by the Mapping of Address and Port Using Translation feature.


The figure below shows the mapped CE address format as defined in MAP-T configuration. This address format is used in basic mapping rule (BMR) and FMR operations.

Figure 1. IPv4-Translatable Address for BMR and FMR

The figure below shows the address format used by the MAP-T default mapping rule (DMR), an IPv4-translated address that is specific to MAP-T configuration.

Figure 2. IPv4-Translated Address for DMR

Packet Forwarding in MAP-T Customer Edge Devices

IPv4-to-IPv6 Packet Forwarding


Note: The Mapping of Address and Port Using Translation feature does not support the MAP-T customer edge (CE) functionality. The CE functionality is provided by third-party devices.


A mapping of address and port using translation (MAP-T) CE device that receives IPv4 packets performs Network Address Translation (NAT) and creates appropriate NAT stateful bindings. The resulting IPv4 packets contain the source IPv4 address and the source transport number defined by MAP-T. This IPv4 packet is forwarded to the CE’s MAP-T, which performs IPv4-to-IPv6 stateless translation. IPv6 source and destination addresses are then derived by the MAP-T translation, and IPv4 headers are replaced with IPv6 headers.

IPv6-to-IPv4 Packet Forwarding

A MAP-T CE device that receives an IPv6 packet performs its regular IPv6 operations. Only the packets that are addressed to the basic mapping rule (BMR) address are sent to the CE’s MAP-T. All other IPv6 traffic is forwarded based on the IPv6 routing rules on the CE device. The CE device checks whether the transport-layer destination port number of the packets received from MAP-T is in the configured range and forwards the packets that conform to that range. The CE device drops all nonconforming packets and responds with an Internet Control Message Protocol Version 6 (ICMPv6) “Address Unreachable” message.

Packet Forwarding in Border Routers

IPv4-to-IPv6 Packet Forwarding

An incoming IPv4 packet is processed by the IPv4 input interface, and the destination route lookup routes the IPv4 packet to the mapping of address and port using translation (MAP-T) virtual interface. The border router compares the packet against the IPv4 prefix lookup unit (PLU) tree to obtain the corresponding basic mapping rule (BMR), the default mapping rule (DMR), and the forwarding mapping rule (FMR). Based on the BMR or FMR rules, the border router constructs the IPv6 destination address by encoding the embedded address (EA) bits and adding a suffix. The IPv6 source address is constructed from the DMR rule.

After the IPv6 source and destination addresses are constructed, the packet uses the Network Address Translation 64 (NAT64) IPv4-to-IPv6 translation to construct the IPv6 packet. A routing lookup is done on the IPv6 packet, and the packet is forwarded to the IPv6 egress interface for processing and transmission.

IPv6-to-IPv4 Packet Forwarding

An incoming IPv6 packet is processed by the IPv6 input interface, and the destination route lookup routes the IPv6 packet to the MAP-T virtual interface. The software compares the packet against the IPv6 PLU tree to obtain the corresponding BMR, DMR, and FMR rules. The border router checks whether the port-set ID (PSID) and the port set match. If the port-set ID and port set match, the DMR rule matches the packet destination of the IPv6 packet. Based on the BMR and FMR, the border router constructs the IPv4 source address and extracts the IPv4 destination address from the IPv6 destination address. The IPv6 packet uses the NAT64 IPv6-to-IPv4 translation engine to construct the IPv4 packet from the IPv6 packet. A routing lookup is done on the IPv4 packet, and the IPv4 packet is forwarded to the IPv4 egress interface for processing and transmission.

ICMP/ICMPv6 Header Translation for MAP-T

Mapping of address and port using translation (MAP-T) customer edge (CE) devices and border routers use the ICMP/ICMPv6 translation for address sharing of port ranges.

Unlike TCP and UDP, which provide two port fields to represent source and destination addresses, the Internet Control Message Protocol (ICMP) and ICMP Version 6 (ICMPv6) query message headers have only one ID field.

When an ICMP query message originates from an IPv4 host that exists beyond a MAP-T CE device, the ICMP ID field is exclusively used to identify the IPv4 host. The MAP-T CE device rewrites the ID field to a port-set value that is obtained through the basic mapping rule (BMR) during the IPv4-to-IPv6 translation, and the border router translates ICMPv6 packets to ICMP.

When a MAP-T border router receives an ICMP packet that contains an ID field that is bound for a shared address in the MAP-T domain, the MAP-T border router uses the ID field as a substitute for the destination port to determine the IPv6 destination address. The border router derives the destination IPv6 address by mapping the destination IPv4 address without the port information for packets that do not contain the ID field, and the corresponding CE device translates the ICMPv6 packets to ICMP.

Path MTU Discovery and Fragmentation in MAP-T

Mapping of address and port using translation (MAP-T) uses path maximum transmission unit (MTU) discovery and fragmentation for IPv4-to-IPv6 translation because the size of IPv4 (more than 20 octets) and IPv6 (40 octets) headers is different. The MTU defines the largest size of a packet that an interface can transmit without the need to fragment the packet. IP packets larger than the MTU must go through IP fragmentation procedures.

When an IPv4 node performs path MTU discovery by setting the Don't Fragment (DF) bit in the packet header, path MTU discovery operates end-to-end across the MAP-T border router and customer edge (CE) translators. During IPv4 path MTU discovery, either the IPv4 device or the IPv6 device can send ICMP “Packet Too Big” messages to the sender. When IPv6 devices send these messages as Internet Control Message Protocol Version 6 (ICMPv6) errors, the packets that follow the message pass through the translator and result in an appropriate ICMP error message sent to the IPv4 sender.

When the IPv4 sender does not set the DF bit, the translator fragments the IPv4 packet and adds fragment headers so that the resulting IPv6 packets fit within the minimum IPv6 MTU of 1280 bytes. When packets are fragmented, either by the sender or by IPv4 devices, the low-order 16 bits of the fragment identification are carried end-to-end across the MAP-T domain to ensure that packets are reassembled correctly.

How to Configure Mapping of Address and Port Using Translation

Configuring Mapping of Address and Port Using Translation

Before You Begin
Prerequisites:
  • Configure the ipv6 enable command on interfaces on which you configure the Mapping of Address and Port Using Translation feature.
  • Configure the default mapping rule before you configure the basic mapping rule.
  • While configuring mapping of address and port using translation (MAP-T), the default mapping rule (DMR) prefix, the IPv6 user prefix, and the IPv6 prefix plus the embedded address (EA) bits must be less than or equal to 64 bits, and the share ratio plus the contiguous ports plus the start port must be 16 bits.
SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    nat64 map-t domain number
    4.    default-mapping-rule ipv6-prefix/prefix-length
    5.    basic-mapping-rule
    6.    ipv6-prefix prefix/length
    7.    ipv4-prefix prefix/length
    8.    port-parameters share-ratio ratio [start-port port-number]
    9.    end
    10.    show nat64 map-t domain name


DETAILED STEPS
    Step 1
    Command or Action: enable
    Example:
    Device> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

    Step 2
    Command or Action: configure terminal
    Example:
    Device# configure terminal
    Purpose: Enters global configuration mode.

    Step 3
    Command or Action: nat64 map-t domain number
    Example:
    Device(config)# nat64 map-t domain 1
    Purpose: Configures the Network Address Translation 64 (NAT64) mapping of address and port using translation (MAP-T) domain and enters NAT64 MAP-T configuration mode.

    Step 4
    Command or Action: default-mapping-rule ipv6-prefix/prefix-length
    Example:
    Device(config-nat64-mapt)# default-mapping-rule 2001:DB8:B001:FFFF::/64
    Purpose: Configures the default domain mapping rule for the MAP-T domain.

    Step 5
    Command or Action: basic-mapping-rule
    Example:
    Device(config-nat64-mapt)# basic-mapping-rule
    Purpose: Configures the basic mapping rule (BMR) for the MAP-T domain and enters NAT64 MAP-T BMR configuration mode.

    Step 6
    Command or Action: ipv6-prefix prefix/length
    Example:
    Device(config-nat64-mapt-bmr)# ipv6-prefix 2001:DB8:B001::/56
    Purpose: Configures an IPv6 address and prefix for the MAP-T BMR.

    Step 7
    Command or Action: ipv4-prefix prefix/length
    Example:
    Device(config-nat64-mapt-bmr)# ipv4-prefix 209.165.202.129/28
    Purpose: Configures an IPv4 address and prefix for the MAP-T BMR.

    Step 8
    Command or Action: port-parameters share-ratio ratio [start-port port-number]
    Example:
    Device(config-nat64-mapt-bmr)# port-parameters share-ratio 16
    Purpose: Configures port parameters for the MAP-T BMR.

    Step 9
    Command or Action: end
    Example:
    Device(config-nat64-mapt-bmr)# end
    Purpose: Exits NAT64 MAP-T BMR configuration mode and returns to privileged EXEC mode.

    Step 10
    Command or Action: show nat64 map-t domain name
    Example:
    Device# show nat64 map-t domain 1
    Purpose: Displays MAP-T domain information.

     

    Example:

    The following is sample output from the show nat64 map-t domain command:

    Device# show nat64 map-t domain 1
    
    MAP-T Domain 1
       Mode MAP-T
       Default-mapping-rule
          Ip-v6-prefix 2001:DB8:B001:FFFF::/64
       Basic-mapping-rule
          Ip-v6-prefix 2001:DB8:B001::/56
          Ip-v4-prefix 209.165.202.129/28
          Port-parameters
             Share-ratio 16   Contiguous-ports 256   Start-port 4096
             Share-ratio-bits 4   Contiguous-ports-bits 8   Port-offset-bits 4

    Configuration Examples for Mapping of Address and Port Using Translation

    Example: Configuring Mapping of Address and Port Using Translation

    Device# configure terminal
    Device(config)# nat64 map-t domain 1
    Device(config-nat64-mapt)# default-mapping-rule 2001:DB8:B001:FFFF::/64
    Device(config-nat64-mapt)# basic-mapping-rule
    Device(config-nat64-mapt-bmr)# ipv6-prefix 2001:DB8:B001::/56
    Device(config-nat64-mapt-bmr)# ipv4-prefix 209.165.202.129/28
    Device(config-nat64-mapt-bmr)# port-parameters share-ratio 16 
    Device(config-nat64-mapt-bmr)# end

    Example: MAP-T Deployment Scenario

    The following illustration shows a mapping of address and port using translation (MAP-T) deployment scenario.

    The following is the configuration for the MAP-T deployment scenario:

    Device# configure terminal
    Device(config)# nat64 map-t domain 1
    Device(config-nat64-mapt)# default-mapping-rule 2001:DB8:B001:FFFF::/64
    Device(config-nat64-mapt)# basic-mapping-rule
    Device(config-nat64-mapt-bmr)# ipv6-prefix 2001:DB8:B001::/48
    Device(config-nat64-mapt-bmr)# ipv4-prefix 202.38.102.128/28
    Device(config-nat64-mapt-bmr)# port-parameters share-ratio 16 start-port 1024
    Device(config-nat64-mapt-bmr)# end

    At the PC:

    An IPv4 packet goes from 192.168.1.12 to 74.1.1.1. At the customer edge (CE) device, the mapping of address and port using translation (MAP-T) function translates the packet to Src: 2001:DB8:B001:20:CB:2666:8200:: Dest: 2001:DB8:B001:FFFF:4a:0101:100::.

    At the border router the MAP-T border router translates the packet to

    Packet goes from 192.168.1.2 ---> 74.1.1.1, source port: 6400, destination port: 80

    At the CPE the MAP-T CE function translates the packet to

    Src: 2001:DA8:B001:20:CB:2666:8200:: Dest: 2001:DA8:B001:FFFF:4a:0101:100::

    At the BR the MAP-T BR function translates the packet to

    Src:203.38.102.130 Dst:74.1.1.1 SrcPort:6400 DstPort:80

    From End device:

    Src:74.1.1.1 Dst:203.38.102.130 SrcPort:80 DstPort:6400

    At the BR the MAP-T BR function translates the packet to

    Src: 2001:DA8:B001:FFFF:4a:0101:100:: Dest: 2001:DA8:B001:20:CB:2666:8200::

    At the CE the MAP-T CE function translates the packet from

    Src: 2001:DA8:B001:FFFF:4a:0101:100:: Dest: 2001:DA8:B001:20:CB:2666:8200::

    To

    Src:74.1.1.1 Dst:203.38.102.130 SrcPort:80 Dstport:6400

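
The port-set check and default mapping rule (DMR) address handling described above can be reproduced offline. The following Python is an added example, not Cisco code or IOS XE output: it assumes the 16 port bits are laid out as port-offset bits, PSID bits and contiguous-port bits (the RFC 7597 port-mapping layout, which agrees with the sample show output) and that the DMR embeds the IPv4 address per RFC 6052. PortParams, dmr_embed and dmr_extract are hypothetical names; the inputs are the values used on this page.

```python
import ipaddress
from dataclasses import dataclass


def _log2_exact(value: int, name: str) -> int:
    """Return log2(value); reject anything that is not a power of two."""
    if value < 1 or value & (value - 1):
        raise ValueError(f"{name} must be a power of two, got {value}")
    return value.bit_length() - 1


@dataclass(frozen=True)
class PortParams:
    """BMR port parameters (hypothetical helper; fields mirror the show output)."""
    share_ratio: int
    start_port: int = 4096  # start port shown in the page's sample output

    def __post_init__(self):
        # The three bit fields must fit in a 16-bit port number.
        if self.offset_bits < 0 or self.contiguous_bits < 0:
            raise ValueError("share ratio and start port do not fit in 16 port bits")

    @property
    def psid_bits(self) -> int:        # Share-ratio-bits
        return _log2_exact(self.share_ratio, "share_ratio")

    @property
    def offset_bits(self) -> int:      # Port-offset-bits
        return 16 - _log2_exact(self.start_port, "start_port")

    @property
    def contiguous_bits(self) -> int:  # Contiguous-ports-bits
        return 16 - self.offset_bits - self.psid_bits

    def psid_of(self, port: int) -> int:
        """PSID field of a port: the bits between the offset and contiguous fields."""
        return (port >> self.contiguous_bits) & (self.share_ratio - 1)

    def conforms(self, port: int, psid: int) -> bool:
        """Port-set check: ports below start_port belong to no port set."""
        return self.start_port <= port <= 0xFFFF and self.psid_of(port) == psid

    def port_ranges(self, psid: int) -> list:
        """Every contiguous (first, last) port range assigned to one PSID."""
        k, m = self.psid_bits, self.contiguous_bits
        firsts = [(a << (k + m)) | (psid << m) for a in range(1, 1 << self.offset_bits)]
        return [(first, first | ((1 << m) - 1)) for first in firsts]


def _split(dmr_prefix: str):
    """Return (network, count of IPv4 bits that land after the zero octet at bits 64-71)."""
    net = ipaddress.IPv6Network(dmr_prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64):
        raise ValueError("this example handles RFC 6052 prefix lengths 32 to 64")
    return net, 32 - (64 - net.prefixlen)


def dmr_embed(dmr_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """IPv4 -> IPv6 for a destination outside the domain (RFC 6052 embedding)."""
    net, low_bits = _split(dmr_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    high, low = v4 >> low_bits, v4 & ((1 << low_bits) - 1)
    return ipaddress.IPv6Address(
        int(net.network_address) | (high << 64) | (low << (56 - low_bits)))


def dmr_extract(dmr_prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """IPv6 -> IPv4: recover the embedded address; reject addresses outside the DMR."""
    net, low_bits = _split(dmr_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    high = (int(addr) >> 64) & ((1 << (32 - low_bits)) - 1)
    low = (int(addr) >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


if __name__ == "__main__":
    scenario = PortParams(share_ratio=16, start_port=1024)  # deployment scenario values
    print(scenario.psid_of(6400), scenario.port_ranges(4)[:2])
    print(dmr_embed("2001:DB8:B001:FFFF::/64", "74.1.1.1"))
```

With the scenario's parameters, source port 6400 falls in PSID 4, and a packet that claims a different PSID for that port fails the conformance check.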

    Additional References for Mapping of Address and Port Using Translation

    Related Documents

    Related Topic: Document Title

    Cisco IOS commands: Cisco IOS Master Command List, All Releases

    NAT commands: Cisco IOS IP Addressing Services Command Reference

    Technical Assistance

    Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    Link: http://www.cisco.com/cisco/web/support/index.html

    Feature Information for Mapping of Address and Port Using Translation

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for Mapping of Address and Port Using Translation

    Feature Name: Mapping of Address and Port Using Translation

    Releases: Cisco IOS XE Release 3.8S, Cisco IOS XE Release 3.10S

    Feature Information: The Mapping of Address and Port Using Translation feature provides connectivity to IPv4 hosts across IPv6 domains. MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on CE devices and border routers.

    The following commands were introduced or modified: basic-mapping-rule, default-mapping-rule, ipv4-prefix, ipv6-prefix, mode (nat64), nat64 map-t domain, port-parameters, and show nat64 map-t.

    In Cisco IOS XE Release 3.10S, support was added for the Cisco CSR 1000V Series Routers.

    Glossary

    EA bits—Embedded address bits. The IPv4 EA bits in the IPv6 address identify an IPv4 prefix/address (or part thereof) or a shared IPv4 address (or part thereof) and a port-set identifier.

    IP fragmentation—The process of breaking a datagram into a number of pieces that can be reassembled later. The IP source, destination, identification, total length, and fragment offset fields, along with the More fragments and Don't Fragment (DF) flags in the IP header, are used for IP fragmentation and reassembly. A DF bit is a bit within the IP header that determines whether a device is allowed to fragment a packet.

    IPv4-translatable address—IPv6 addresses that are used to represent IPv4 hosts. These addresses have an explicit mapping relationship to IPv6 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. Both stateless and stateful translators use IPv4-translatable (also called IPv4-converted) IPv6 addresses to represent IPv4 hosts.

    IPv6-translatable address—IPv6 addresses that are assigned to IPv6 hosts for stateless translation. These IPv6-translatable addresses (also called IPv6-converted addresses) have an explicit mapping relationship to IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. The stateless translator uses corresponding IPv4 addresses to represent IPv6 hosts. The stateful translator does not use IPv6-translatable addresses because IPv6 hosts are represented by the IPv4 address pool in the translator via dynamic states.

    MAP rule—A set of parameters that define the mapping between an IPv4 prefix, an IPv4 address or a shared IPv4 address, and an IPv6 prefix or address. Each MAP domain uses a different mapping rule set.

    MAP-T border router—A mapping of address and port using translation (MAP-T)-enabled router or translator at the edge of a MAP domain that provides connectivity to the MAP-T domain. A border relay router has at least one IPv6-enabled interface and one IPv4 interface connected to the native IPv4 network, and this router can serve multiple MAP-T domains.

    MAP-T CE—A device that functions as a customer edge (CE) router in a MAP-T deployment. A typical MAP-T CE device that adopts MAP rules serves a residential site with one WAN-side interface and one or more LAN-side interfaces. A MAP-T CE device can also be referred to as a “CE” within the context of a MAP-T domain.

    MAP-T domain—Mapping of address and port using translation (MAP-T) domain. One or more customer edge (CE) devices and a border router, all connected to the same IPv6 network. A service provider may deploy a single MAP-T domain or use multiple MAP domains.

    MRT—MAP rule table. Address and port-aware data structure that supports the longest match lookups. The MRT is used by the MAP-T forwarding function.

    path MTU—Path maximum transmission unit (MTU) discovery prevents fragmentation in the path between endpoints. Path MTU discovery is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination. Path MTU discovery is supported only by TCP and UDP. Path MTU discovery is mandatory in IPv6, but it is optional in IPv4. IPv6 devices never fragment a packet—only the sender can fragment packets.

    stateful translation—Creates a per-flow state when the first packet in a flow is received. A translation algorithm is said to be stateful if the transmission or reception of a packet creates or modifies a data structure in the relevant network element. Stateful translation allows the use of multiple translators interchangeably and also some level of scalability. Stateful translation enables IPv6 clients and peers without mapped IPv4 addresses to connect to IPv4-only servers and peers.

    stateless translation—A translation algorithm that is not stateful. A stateless translation requires configuring a static translation table or may derive information algorithmically from the messages that it is translating. Stateless translation requires less computational overhead than stateful translation. It also requires less memory to maintain the state because the translation tables and the associated methods and processes exist in a stateful algorithm and do not exist in a stateless one. Stateless translation enables IPv4-only clients and peers to initiate connections to IPv6-only servers or peers that are equipped with IPv4-embedded IPv6 addresses. It also enables scalable coordination of IPv4-only stub networks or ISP IPv6-only networks. Because the source port in an IPv6-to-IPv4 translation may have to be changed to provide adequate flow identification, the source port in the IPv4-to-IPv6 direction need not be changed.