linkproof ipv6 prefix-nat

North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International Radware Ltd. 22 Raoul Wallenberg St. Tel Aviv 69710, Israel LinkProof IPv6 Prefix-NAT Technical Whitepaper Version 6.20 October 1, 2011


North America

Radware Inc.

575 Corporate Dr., Lobby 1

Mahwah, NJ 07430

Tel: (888) 234-5763

International

Radware Ltd.

22 Raoul Wallenberg St.

Tel Aviv 69710, Israel

Tel: 972 3 766 8666

www.radware.com

LinkProof

IPv6 Prefix-NAT

Technical Whitepaper

Version 6.20

October 1, 2011


LinkProof version 6.20 IPv6 Prefix-NAT Whitepaper

Date: October 1, 2011


Table of Contents

Regular IPv4 WAN Load-balancing
IPv6, NAT, and Radware Prefix NAT
IPv6-Address Structure
GUA Structure
ULA Structure
Load-Balancing Traffic Across IPv6 WAN (or Internet) Connections
Prefix-NAT Entry Parameters
Configuring Prefix-NAT Using Web Based Management
Configuring Prefix-NAT Using CLI
IPv6 Prefix-NAT Calculator
Motivation
Usage
VRRP Configuration with IPv6 Prefix-NAT
Ensuring Proper Connectivity
IPv6 Prefix-NAT Address Range
VRRP Associated IP Addresses
VRRP Configuration Steps
Disabling VRRP
Interface Grouping Considerations
Full Configuration Flow of VRRP Setup with IPv6 and IPv6 Prefix-NAT
VRRP with IPv6 Prefix-NAT Example Configuration


Regular IPv4 WAN Load-balancing

In a regular IPv4 WAN load-balancing connection, LinkProof uses NAT for outbound and inbound load balancing.

Depending on the needs of the network administrator, LinkProof can load-balance at Layers 2, 3, 4, or 7. For transparent firewalls (those that operate at Layer 2), LinkProof can redirect client requests to the MAC address of the router. For proxy-based firewall/routers, LinkProof can utilize Virtual Addresses, which contain the firewall/routers’ actual address and any NAT addresses applicable.

When doing regular load balancing across multiple links (as ISPs may), LinkProof uses Dynamic NAT for outbound connections and Static NAT/Static PAT for inbound connections. Using this combination of NAT and adding DNS, LinkProof can perform load balancing.

Figure 1 shows the topology that LinkProof uses. The topology is also common to multi-homing solutions where available. If the clients access the Internet via ISP A, they will be visible with one of the IP addresses 1.2.3.X/25 (for example, 1.2.3.10/25) assigned by ISP A. If the clients access the Internet via ISP B, they will be visible with a public IP of ISP B (for example, 4.5.6.10/25). Thus, LinkProof can assign Dynamic NAT addresses to outbound traffic and inbound addresses using the Static NAT feature. All of the NAT on LinkProof is configured using the SmartNAT feature set.

Figure 1: Example LinkProof or Multihoming IPv4 Topology


IPv6, NAT, and Radware Prefix NAT

Internet Protocol version 6 (IPv6) is a network layer protocol for packet-switched internetworks. It is designated as the successor to IPv4, the current version of the Internet Protocol, for general use on the Internet.

NAT in its original form does not exist in IPv6, since, due to the massive number of addresses, there is no reason to hide or replace internal addresses using external addresses. In addition, many of the problems associated with NAT traversal (UDP, IPsec, and so on) were considered irrelevant when IPv6 was designed. For these reasons and others, NAT was not planned or standardized in IPv6 (although there are several pending RFC drafts).

To be able to perform true load balancing (using address replacement, sending traffic to various ISPs, and balancing the load), Radware devised Prefix-NAT.

Using internal and external IPv6 addresses requires the following:

- Unique Local Addresses (ULAs) have already been configured by the network administrator. The administrator must ensure that the internal IPv6 network (the network behind the LinkProof device) uses internal addresses (as described in RFC 4193). The ULAs are in the format FC00:AAAA:BBBB:CCCC:0001:0002:0003:0004.

  Note: From the perspective of network design, the logic is analogous to RFC 1918 in IPv4, where the usage of internal IP addresses is recommended.

- Each external router is assigned a public IPv6 address, that is, a global unicast address (GUA).

IPv6-Address Structure

An IPv6 address is 128 bits long, in the format 2020:1020:1001:1000:0001:0002:0003:0004.

As defined by IANA, the following two ranges are reserved:

- Global Unicast Address (GUA): 2000::/3
- Unique Local Address (ULA): FC00::/7

GUA Structure

Figure 2 shows the GUA structure. The global routing prefix is assigned to an Internet Service Provider by the Internet Assigned Numbers Authority (IANA). The site-level aggregator (SLA), or subnet ID, is assigned to a customer by the service provider. The LAN ID represents individual networks within the customer site, and it is administered by the customer. The Host or Interface ID has the same meaning for all unicast addresses. It is 64 bits long and is typically created by using the EUI-64 format.


Figure 2: Global Unicast Address Structure

Note: According to IANA regulations, customers are assigned IPv6 addresses with prefixes from /48 to /64. The smallest network prefix is /64 (somewhat analogous to class C in IPv4). The /48 prefix is dedicated by the ISP to a customer.

ULA Structure

Figure 3 shows the Unique Local Address structure.

Figure 3: Unique Local Address Structure

Load-Balancing Traffic Across IPv6 WAN (or Internet) Connections

Due to the nature of GUAs and ULAs, the suffix of the address (the last 64 bits) is identical; hence, the first 48 bits are interchangeable. Utilizing these attributes, it is possible to use the same prefix manipulation for load balancing of traffic across IPv6 WAN (or Internet) connections.

Note: Due to the nature of the IPv6 address scheme, the following scenario presents a simplistic approach. According to IANA, the LIR/RIR address assignment should be /48 for subscribers (including private housing). This enables each subscriber to configure about 2^16 networks. The numbers are immense, so the scenario uses a simple address scheme based on IPv6 subnetting.

Consider the following scenario, which is shown in Figure 4.

LinkProof is connected to two IPv6 service providers:

- ISP A dedicates the following public addresses: 2030:2020:1000::/48
- ISP B dedicates the following public addresses: 2040:1020:2000::/52

The network administrator has followed IANA recommendations and has subnetted the internal network using ULA.

The subnetting of the external routers has resulted in the topology shown in Figure 4.


Figure 4: Example LinkProof IPv6 Topology

Notes:

- The use of the /55 prefix to subnet the /48 network is completely arbitrary. In real life, subnetting will usually be based on the need for free networks as well as the existing topology.

- The Prefix-NAT feature supports network ranges from /64 to /48.

- Prefix NAT is allowed as long as the number of internal IPv6 addresses is smaller than or equal to the number of external IPv6 addresses. So, for example, when the external router is configured with a /64 range, using a ULA /48 for Prefix-NAT is not allowed. When the public IPv6 address range of the external router is /59, using a ULA /59 for Prefix-NAT is allowed.

- The translation is done per address. So, for example, an IPv6 ULA address with the address fc00:1002:fc01:3000:2000::1001/48 will be translated on the external interface using 2030:2020:1000::/48 as 2030:2020:1000:3000:2000::1001.


Based on the topology displayed in Figure 4, Table 1 lists LinkProof interface definitions:

Table 1: LinkProof Interface Definitions for Example IPv6 Topology

| Role | IP Address | Prefix Length | IF | VLAN Tag | Status | Peer IP Address | Preferred Lifetime and Valid Lifetime |
|---|---|---|---|---|---|---|---|
| ISP B | 2030:1020:2000:a0::1001 | 59 | G-11 | 0 | Preferred | :: | Infinite |
| ISP A | 2030:2020:1000:200::1001 | 55 | G-5 | 0 | Preferred | :: | Infinite |
| Internal LAN | fc00:1002:fc01:3000:2000::1001 | 59 | G-2 | 0 | Preferred | :: | Infinite |

Table 2: Router Definitions for Example IPv6 Topology

| Farm Name | Router Name | IP Address | OperStatus | Weight |
|---|---|---|---|---|
| IPv6Routers | ISP A | 2030:2020:1000:200::1000 | Active | 1 |
| IPv6Routers | ISP B | 2030:1020:2000:a0::1000 | Active | 1 |

Notes:

- In the example, the routers have all been defined in a single Router Farm.

- The routers are all set as active, although it is not necessary for the feature functionality.

- In LinkProof 6.20 and later, the LinkProof administrator can configure how the internal clients will access the public Internet. To do this, the LinkProof administrator uses the following Web Based Management (WBM) GUI to create an entry in the Static Prefix-NAT table.

- In this example, the system administrator has specified that all /59 ULAs will be replaced when accessing the IPv6 Internet using ISP A, and that the range of ULAs starting from ::1001 and ending with ::2001 will be replaced with the prefix of ISP B when accessing the IPv6 Internet.

Figure 5: Creating an Entry in the Static Prefix-NAT Table in WBM


The following figures (Figure 6 and Figure 7) show the following Static Prefix-NAT configuration in WBM:

- The entire /59 ULA will be replaced when accessing the IPv6 Internet using ISP A.

- The ULA range from ::1001 to ::2001 will be replaced with the prefix of ISP B when accessing the IPv6 Internet.


Figure 6: Configuration of Example Static Prefix-NAT Entry in WBM

Figure 7: Example Static Prefix-NAT Table in WBM


Prefix-NAT Entry Parameters

Table 3: Prefix-NAT Entry Parameters

| Parameter | Description |
|---|---|
| From Local IP | (Mandatory) The first IP address in the internal network that uses Prefix-NAT. When a value for To Local IP is specified, this value must be the first IP address in the internal network that uses Prefix-NAT. When a value for Range Defined by Prefix is specified, this value can be the first IP address in the internal network that uses Prefix-NAT. |
| To Local IP | (Optional. Mutually exclusive with Range Defined by Prefix.) The last IP address in the range. When a value is specified for this parameter, the device translates the addresses in the specified range (From Local IP-To Local IP). When no value is specified for this parameter, the device translates all the addresses starting from the specified value for From Local IP. |
| Server Name | The IPv6 routers for the Prefix-NAT entry. Values: The IPv6 routers that are defined in the routers definition as having an IPv6 address. This includes all IPv6 routers from all farms. IPv4-only routers are not exposed in the drop-down list. |
| Range Defined by Prefix | (Optional. Mutually exclusive with To Local IP.) When specified, the network is defined according to the value for the From Local IP parameter and the network prefix. This enables LinkProof to translate all the IPv6 addresses on the local interface. The value can be less than or equal to the value of the actual prefix of the router. So, for example, if the router is defined with prefix /55 and the internal network is defined with prefix /55, the administrator can configure any value between /55 and /128 (single address). |
| Replaced with Prefix | (Read only) The Global Unicast Prefix associated with the router with which the LinkProof device will replace the ULA’s prefix. LinkProof calculates the value according to the router specified in the Server Name field and the IPv6 address of the external LinkProof interface. |
| Redundancy Mode | Specifies whether the prefix represents a main (regular) or backup device. Values: regular, backup. Default: regular. |


Configuring Prefix-NAT Using Web Based Management

Configuring Prefix-NAT using Web Based Management (WBM) comprises the following steps:

1. Configuring the IPv6 interfaces (internal, and router-bound).

2. Configuring the farm, and enabling NAT in the configuration of the farm. In the configuration of the farm, you must ensure that the value of the NAT Mode parameter is Enable. (The default value of the NAT Mode parameter is Disable.) The NAT Mode parameter specifies whether the LinkProof device does network address translation on the packets for IPv4 addresses or Prefix-NAT for IPv6 addresses.

3. Configuring the IPv6 routers.

To configure Prefix-NAT in WBM

Select LinkProof > Smart NAT > IPv6 Prefix-NAT.

There are two panes:

- Prefix-NAT Parameters Summary: This includes the parameter Block ULA Address on Edge Router. By default, the option is enabled (according to the recommendation in RFC 4193). When the option is enabled, the device blocks ULAs from crossing the border of the LinkProof device.

- Static Prefix-NAT Table: The table contains the configurations of the Static Prefix-NAT entries. Each entry specifies how one ULA is translated in the IPv6 public Internet. To create a new IPv6 Prefix-NAT entry, click Create. To modify the editable values, double-click the entry link. For descriptions of the Prefix-NAT parameters, see Table 3.

Configuring Prefix-NAT Using CLI

For descriptions of the Prefix-NAT parameters, see Table 3.

LinkProof CLI supports the following switches for the Prefix-NAT parameters:

- tip: To Local IP
- rp: Range Defined by Prefix
- rw: Replaced With Prefix
- m: Redundancy Mode <regular|backup>

LinkProof CLI exposes the following commands:

lp smartnat ipv6nat blockula set <enable|disable>

Enables or disables the blocking of ULAs from crossing the border of the LinkProof device (according to the recommendation in RFC 4193).

Default: enable

lp smartnat ipv6nat get <From Local IP> <Server Name>

Gets the entry with the specified values.


lp smartnat ipv6nat set <From Local IP> <Server Name> <-switch>

Modifies parameters of an existing Static Prefix-NAT entry.

lp smartnat ipv6nat destroy|del <From Local IP> <Server Name>

Deletes the specified Static Prefix-NAT entry.

lp smartnat ipv6nat create|add <From Local IP> <Server Name> <-switch>

Adds a new Static Prefix-NAT entry.

Example:

lp smartnat ipv6nat create fc00:1002:fc01:3000:2000::1001 IPv6Routers/ISP A -tip fc00:1002:fc01:3000:2000::2000 -rw 2030:2020:1000:200::/55 -m regular

lp smartnat ipv6nat help <-switch>

Displays help for the specified parameter.

IPv6 Prefix-NAT Calculator

LinkProof provides the IPv6 Prefix-NAT calculator to predict the outcome of an internal IPv6 address (that is, a ULA) passing through the LinkProof device and being translated to a GUA.

Motivation

The calculator is needed to calculate the external router IPv6 address, especially when the internal prefix is different from the external router prefix.

The logic of the (IPv4) SmartNAT Dynamic NAT feature is quite simple to understand and implement.

Table 4: (IPv4) Dynamic NAT Example

| Source IP for Packet | Via the LinkProof External Public Address | Source IP with Which the Client Will Reach the Internet |
|---|---|---|
| 192.168.10.250 | 200.100.150.200 | 200.100.150.200 |

For the (IPv4) SmartNAT Static NAT feature, a set of predefined IP addresses is provided to the source IP via the Static NAT table, and there is a one-to-one translation.


In IPv6, there is no longer the concept of Dynamic NAT. Since there is no depletion of IPv6 addresses in IPv6-to-IPv6 communication, the SmartNAT feature does not translate one to many addresses, but rather, the SmartNAT feature translates the source IP address from a ULA (or from any other IPv6 address) to the corresponding external routable (public) IPv6 address.

Notes:

- Using the IPv6 Prefix-NAT calculator is extremely important when working with predefined IPv6 addresses (such as external VRRP addresses).

- Although Radware recommends adopting the IPv6 ULA concept as detailed in the RFC, the IPv6 Prefix-NAT calculator also supports internal public IPv6 addresses of the 2000::/3 (Global Unicast) range.

There can be two cases where the prefix of the internal address is translated to the prefix of the external IPv6 address.

Case 1: The internal prefix is identical to the external-router prefix (as is the case in ISP B in Figure 4). It is simple to understand and manually calculate the result IP address (that is, the public IPv6 address) that will be seen by the Internet as the source of the internal packet. In the case of ISP B, a full prefix (/59) is replaced with a full prefix (/59). The replacement happens on each IPv6 source address passing through the LinkProof device that the IPv6 Prefix-NAT policy identifies.

Table 5: Case 1—Internal Prefix is Identical to the External Router Prefix

| Source IP for Packet | Via the LinkProof External Public Address | Source IP with Which the Client Will Reach the Internet |
|---|---|---|
| fc00:1002:fc01:3000:2000::1001 /59 | 2030:1020:2000:a0::1000 /59 | 2030:1020:2000:a0:2000::1001 |

Case 2: The internal prefix is different from the external-router prefix (as is the case in ISP A in Figure 4). Here, calculating the result IP address (that is, the public IPv6 address) is complex; it involves several mathematical calculations. In the example case of ISP A, the result is 2030:2020:1000:200:2000::1001 (with a prefix of /55). The IPv6 Prefix-NAT calculator can do the calculation for you.

Table 6: Case 2—Internal Prefix is Different from the External Router Prefix

| Source IP for Packet | Via Router External Public Address | Result: Client Will Reach the Internet with Source IP |
|---|---|---|
| fc00:1002:fc01:3000:2000::1001 /59 | 2030:2020:1000:200::1000 /55 | 2030:2020:1000:200:2000::1001 |

Usage

The IPv6 Prefix-NAT Calculator works in CLI only.

Syntax:

lp smartnat ipv6nat calc <Local IPv6 Address> <Router IPv6 Internal Address> <Router IPv6 Prefix>


Example:

lp smartnat ipv6nat calc fc00:1002:fc01:3000:2000::1001 2030:2020:1000:200::1000 55

Result

The nat address is: 2030:2020:1000:200:2000::1001
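The calculator's results can be reproduced offline. The Python below is an added example, not Radware code: it assumes the translation is a plain bit-for-bit replacement of the first N bits (an assumption that matches every result quoted in this whitepaper), and the function names prefix_nat and range_allowed are hypothetical.

```python
import ipaddress


def prefix_nat(local_ip: str, router_ip: str, router_prefix: int) -> str:
    """Return the public source address for local_ip behind the given router.

    The first router_prefix bits are taken from the router's address; all
    remaining bits are copied unchanged from the local address.
    """
    if not 0 <= router_prefix <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    local = int(ipaddress.IPv6Address(local_ip))
    router = int(ipaddress.IPv6Address(router_ip))
    keep = (1 << (128 - router_prefix)) - 1   # low bits kept from local_ip
    return str(ipaddress.IPv6Address((router & ~keep) | (local & keep)))


def range_allowed(internal_cidr: str, external_cidr: str) -> bool:
    """Rule from the notes after Figure 4: the internal range may not hold
    more addresses than the external range it is mapped onto."""
    internal = ipaddress.IPv6Network(internal_cidr, strict=False)
    external = ipaddress.IPv6Network(external_cidr, strict=False)
    return internal.num_addresses <= external.num_addresses


# (local address, router address, router prefix) taken from the whitepaper.
CASES = [
    # Table 5, Case 1: /59 internal onto /59 external (ISP B)
    ("fc00:1002:fc01:3000:2000::1001", "2030:1020:2000:a0::1000", 59),
    # Table 6, Case 2: /59 internal onto /55 external (ISP A)
    ("fc00:1002:fc01:3000:2000::1001", "2030:2020:1000:200::1000", 55),
    # Note after Figure 4: translation with the full /48 of ISP A
    ("fc00:1002:fc01:3000:2000::1001", "2030:2020:1000::", 48),
]

if __name__ == "__main__":
    for local, router, plen in CASES:
        print(f"{local} via {router}/{plen} -> {prefix_nat(local, router, plen)}")
    # A ULA /48 does not fit behind a router configured with a /64.
    print(range_allowed("fc00:1002:fc01::/48", "2030:2020:1000:200::/64"))
    # A ULA /59 fits behind a router configured with a /59.
    print(range_allowed("fc00:1002:fc01:3000::/59", "2030:1020:2000:a0::/59"))
```

In Case 2 the bits between /55 and /59 come from the local address, which is why the result cannot be read off by swapping whole hextets.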

VRRP Configuration with IPv6 Prefix-NAT

This section describes VRRP configuration with IPv6 Prefix-NAT.

Ensuring Proper Connectivity

When creating an IPv6-Prefix-NAT configuration, it is critical that you make sure not to overlap the IPv6 addresses used by the routers for their internal IPv6 interfaces. If there is overlap, the LinkProof device will lose connectivity to the external router.

Figure 8: Example Valid Topology

[Figure 8 labels: Internal address of LinkProof device is FC00:1000::FFF1/64. External address of LinkProof device is 2040:2100::2001/48. Internal address of router is 2040:2100::2222/48. External Segment 02. External Router 02.]

To configure proper connectivity for IPv6, you must define a proper IPv6 Prefix-NAT range. Defining a full IPv6 Prefix-NAT range of 2040:2100::/48 will cause an IPv6 address overlap, thus causing network connectivity failure.


Defining an IPv6 Prefix-NAT range such as in Figure 9 and Figure 10 is improper. The configurations result in address overlap. That is, LinkProof can translate a packet with address fc00:1000::2222 as 2040:2100::2222, causing the internal router address to be overlapped by the LinkProof device.

Figure 9: Improper Configuration 1—Full IPv6 Prefix-NAT Range Causes Address Overlap

Figure 10: Improper Configuration 2—Full IPv6 Prefix-NAT Range Causes Address Overlap

To prevent overlapping addresses, you must leave gaps in the IPv6 range that Prefix-NAT uses, excluding the external router IPv6 address and eliminating any overlap.

Figure 11: Proper Configuration - Separated IPv6 Prefix-NAT Ranges Prevent Address Overlap
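The overlap condition can be checked before an entry is created. The Python below is an added example, not part of the whitepaper or of the LinkProof software: the function names are hypothetical, the router and LinkProof addresses are those of Figure 8, and the local range fc00:1000::1 to fc00:1000::ffff is constructed. It translates a Prefix-NAT range, reports which reserved external addresses the range would cover, and splits the range around them.

```python
import ipaddress

IP = ipaddress.IPv6Address

# Addresses from Figure 8; the local range below is constructed sample input.
ROUTER = "2040:2100::2222"          # internal address of the external router
LINKPROOF_EXT = "2040:2100::2001"   # external address of the LinkProof device
PREFIX = 48
LOCAL_FROM, LOCAL_TO = "fc00:1000::1", "fc00:1000::ffff"
RESERVED = [ROUTER, LINKPROOF_EXT]


def nat_range(from_local, to_local, router_ip, prefix):
    """Translate a local range; return (first, last) external addresses."""
    keep = (1 << (128 - prefix)) - 1          # bits copied from the local side
    lo, hi = int(IP(from_local)), int(IP(to_local))
    if lo > hi:
        raise ValueError("From Local IP is above To Local IP")
    if (lo & ~keep) != (hi & ~keep):
        # The translated range would wrap around inside the router prefix.
        raise ValueError("range spans more than one /%d block" % prefix)
    base = int(IP(router_ip)) & ~keep
    return IP(base | (lo & keep)), IP(base | (hi & keep))


def overlaps(from_local, to_local, router_ip, prefix, reserved):
    """Reserved external addresses that the translated range would cover."""
    first, last = nat_range(from_local, to_local, router_ip, prefix)
    hits = sorted(IP(r) for r in reserved if first <= IP(r) <= last)
    return [str(h) for h in hits]


def safe_ranges(from_local, to_local, router_ip, prefix, reserved):
    """Split the local range so that no sub-range translates onto a
    reserved external address."""
    keep = (1 << (128 - prefix)) - 1
    lo, hi = int(IP(from_local)), int(IP(to_local))
    ranges, start = [], lo
    for ext in overlaps(from_local, to_local, router_ip, prefix, reserved):
        # Local address whose translation lands on the reserved address.
        local_hit = (lo & ~keep) | (int(IP(ext)) & keep)
        if local_hit > start:
            ranges.append((str(IP(start)), str(IP(local_hit - 1))))
        start = local_hit + 1
    if start <= hi:
        ranges.append((str(IP(start)), str(IP(hi))))
    return ranges


if __name__ == "__main__":
    print("covers:", overlaps(LOCAL_FROM, LOCAL_TO, ROUTER, PREFIX, RESERVED))
    for lo, hi in safe_ranges(LOCAL_FROM, LOCAL_TO, ROUTER, PREFIX, RESERVED):
        print("safe entry:", lo, "to", hi)
```

Each tuple returned by safe_ranges corresponds to one From Local IP / To Local IP pair in the Static Prefix-NAT table.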

IPv6 Prefix-NAT Address Range

In VRRP with SmartNAT, you explicitly configured each IPv4 address used for NAT (Static NAT, Dynamic NAT, or Basic NAT). In VRRP with IPv6 Prefix-NAT, due to the massive number of potential IPv6 addresses used for Prefix-NAT, you cannot explicitly configure the addresses. You configure a single IPv6 Prefix-NAT address from the IPv6 Prefix-NAT ranges in the VRRP Associated IP Addresses table. The device looks up the configured IPv6 Prefix-NAT address and creates a special associated VR IPv6 entry that includes the entire IPv6 Prefix-NAT range.


VRRP Associated IP Addresses

When a VR ID that supports IPv6 is configured on the device, LinkProof creates an associated IP address for the Primary IP parameter. The entry is created with a link-local address derived from the VR MAC. This is part of the IPv6 RFC and does not affect regular device functionality.

VRRP Configuration Steps

In IPv4, the order in which you configure VRRP in LinkProof does not matter. In IPv6, the order in which you configure VRRP in LinkProof is crucial. You can, however, modify the Prefix-NAT configuration. The reason why the order is crucial is that the IPv6 Prefix-NAT ranges define the VR associated IP address that will be used in the IPv6 neighbor solicitation process, which enables the LinkProof device to announce the relevant IPv6 addresses that the VR holds and responds to.

VRRP configuration involves the following steps:

1. Configuring all the relevant interfaces, routing, and so on.

2. Configuring the relevant VR and relevant IP address.

3. Deriving the IPv6 associated IP address from the IPv6 Prefix-NAT calculator (using the calculator as described in "IPv6 Prefix-NAT Calculator").

4. Configuring the IPv6 Prefix-NAT addresses.

5. Configuring VR associated IPv6 ranges (using the calculator as described in "IPv6 Prefix-NAT Calculator").

Disabling VRRP

When you disable VRRP with IPv6 Prefix-NAT associated IP addresses (after disabling the VRRP configuration), you will have to clean the ARP table on the adjacent routers (connected directly to the device). This is done because IPv6 neighbor solicitation messages may still point to the VR MAC address.

Interface Grouping Considerations

Interface Grouping is disabled by default. When Interface Grouping is enabled, if any of the interfaces in the group fails, the entire device is declared down and VRRP failover occurs (master switches to backup). When you configure VRRP, make sure to enable Interface Grouping as required.

By default, the Master Interface Grouping Table includes all the device interfaces except for management interfaces. When working with IPv6 interfaces in LinkProof, by default, every interface has an IP address (a link-local address). Thus, all of the interfaces affect the configuration. If you want a failed interface not to affect VRRP failover, you must manually exclude it from the Interface Grouping.


Full Configuration Flow of VRRP Setup with IPv6 and IPv6 Prefix-NAT

[Flowchart. Recoverable boxes and decision points, in no guaranteed order:

- Configure the following on each device: Interfaces, IP Addresses, Routing, Farm and flows, NAT
- Enable VRRP
- Create a VR and set State to Down
- Use the calculator to create Associated IPv6 address with IPv6 Address for VR
- Decision: More VRs to configure?
- Decision: Need to ping the VR IP or have a VDNS?
- Create a remote VIP or VDNS IP address to use
- If the VIP is in the IPv6 Prefix-NAT range, create Associated IP Addresses for the VIP or VDNS
- Decision: Using IPv6 Prefix-NAT?
- Use the calculator to derive the VRRP IPv6 Associated IP
- Create IPv6 Prefix-NAT addresses or ranges
- Create Associated IPv6 address if needed
- Decision: Using Interface Grouping?
- Assign interfaces in the Master Interface Grouping table
- Decision: Configuring the primary device?
- Set VR priority to 200
- Set VR priority < 200 (for example, 100)
- Change VR State to Up
- Check failover configuration]


VRRP with IPv6 Prefix-NAT Example Configuration

Consider the scenario in the following figure. For the sake of simplicity, the configuration uses the same segment for both routers, although in real-life scenarios, due to security considerations, the common practice would be to have a LinkProof device connected to each router via a different LinkProof port. In addition, the figure shows the external virtual router as a single entity, whereas in real life, it can be represented by several virtual routers with different VR IDs. This section will focus on a configuration of IPv6 routers and the IPv6 Prefix-NAT associated address. (The topology would be the same in the context of IPv6 Prefix-NAT and VRRP setup.)

Figure 12: VRRP with IPv6 Prefix-NAT Configuration Example

[Figure 12 labels:

- Devices and segments: LinkProof 01 Primary; LinkProof 02 Secondary; Internet; Internal Segment; Users; External Segment 01; External Segment 02; Router, ISP 01; Router, ISP 02
- FC00:1000::FFF1 /64 is the IP address of the internal interface of the LinkProof device
- FC00:1000::FFF2 /64 is the IP address of the internal interface of the LinkProof device
- 2030:1000:2000::2001 /64 is used to access External Router 01
- 2040:2100::2002 /48 is used to access External Router 02
- Other addresses shown: 2030:1000:2000::2222 /64; 2040:2100::2222 /48; FC00:1000::2000/64; 2030:1000:2000::2002 /64; 2040:2100::2001 /48
- Virtual router: 2030:1000:2000::2020 /64, 2040:2100::2020 /48
- Virtual router: FC00:1000::FFFE/64]


The scenario in Figure 12 assumes the following:

- Both LinkProof devices are in VRRP setup providing failover for one another.
- LinkProof 01 Primary is the VRRP master.
- LinkProof 02 Secondary is the VRRP backup.
- Users on the internal LAN are coming from ULA addresses (FC00::/64).
- The administrator has connected the LinkProof to the following two routers:
  - ISP01 with an IPv6 prefix of 2030:1000:2000::/64
  - ISP02 with an IPv6 prefix of 2040:2100::/48
- Each LinkProof is connected to two routers (using an external segment).

Figure 13: IPv6 Addresses Summary

As mentioned above, the IPv6 associated IP addresses are derived from the IPv6 Prefix-NAT ranges. Therefore, only one IP address from each range needs to be defined in the Redundancy Associated IP Addresses table. This will inform the LinkProof device as to the associated IP address ranges for which it is responsible. In the example, an address from the LinkProof external interface 01 can be 2030:1000:2000::2000, and an address from the LinkProof external interface 02 can be 2040:2100::2000.

Prior to the VRRP configuration, we assume all IPv6 interfaces are configured properly. That is, routing is configured properly (especially, the default route ::/0 to both external routers), and connectivity is working end to end.


To configure the VRRP with the IPv6 Prefix-NAT example configuration

1. Configure the internal virtual router, VR ID 1 (internal interface).

On the master LinkProof, Priority = 200; on the backup LinkProof, Priority = 100.

Redundancy > VRRP > Virtual Routers

2. Configure the associated IP address for internal interface.

Redundancy > VRRP > Associated IP Addresses

3. Enable the internal virtual router, VR ID 1, which you configured in step 1.

4. Repeat steps 1–3 for the backup device.

Note: Once enabled, the VR ID shows a Primary IP from the LLA (link-local address). This is regular IPv6 behavior according to RFC and IPv6 logo specifications.


5. Configure the external virtual router, VR ID 2 (on the LP external interface 02).

6. Create Prefix-NAT ranges for internal users accessing the Internet from router ISP02.

LinkProof > Smart NAT > IPv6 Prefix-NAT > Static Prefix-NAT Table

And


The result is:

7. Using the IPv6 Prefix-NAT calculator, derive the associated IP address of the external interface.

From the CLI, run:

lp smartnat ipv6nat calc fc00:1000::2000 2040:1000::2000 48

which generates the following:

result

The nat address is: 2040:1000::2000

8. Configure the associated IP address for the internal interface.

Note: Since here, the IPv6 associated addresses are derived from the Prefix-NAT, we only need to configure one address from the Prefix-NAT range.

One address from the range (using the result of the prefix-NAT calculator from above) is:

The result is:


The associated IP Address range shows the range From Address – To Address as configured by the IPv6 Prefix-NAT feature.

9. Configure the associated IP address for the second range.

The result is:

10. Enable VR ID 2 as configured in step 5.

11. Repeat steps 5–9 for the backup device (with the exclusion of step 7, as the result is the same) but with the following exceptions:

- VR ID Priority should be 100 for the backup device.
- Redundancy mode in the Static Prefix-NAT Table Create pane should be set to backup.

12. For the second router (LinkProof external interface 01), follow the exact same steps using the same VR ID (VR ID 2).


13. In the Static Prefix-NAT pane, for the router ISP01 the configuration should be:

And

The result is:

14. Follow steps 7–9 for the external interface VR ID 1 settings using the exact same methodology.


15. Repeat the same steps for the secondary (VRRP backup) LinkProof device.

16. Once both VRIDs are enabled, check connectivity and failover.

IPv6 end-to-end connectivity should be working with IPv6 router load balancing according to LinkProof functionality.

2011 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.