Configuration procedure, Configuration example, Network requirements – H3C Technologies H3C SecPath F1000-E User Manual
• Configuring a destination address on the AFTR is unnecessary. When receiving a packet from the tunnel, the AFTR records the source IPv6 address of the packet and uses it as the IPv6 address of the tunnel destination (address of the CPE).
• You must enable NAT on the AFTR interface that is connected to the Internet. The AFTR does not support static NAT mappings or VPN instance matching. If an ACL rule includes a VPN instance, the rule does not take effect.
• A CPE tunnel interface can establish a tunnel with only one AFTR tunnel interface, but an AFTR tunnel interface can establish tunnels with multiple CPE tunnel interfaces.
Configuration procedure
To configure the AFTR of a DS-Lite tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.

3. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A

4. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.

5. Specify the DS-Lite AFTR tunnel mode.
   Command: tunnel-protocol ipv4-ipv6 dslite-aftr
   Remarks: By default, the tunnel mode is GRE over IPv4. The tunnel mode at the other end of the tunnel should be DS-Lite CPE. Otherwise, packet delivery will fail.

6. Configure the source address or interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
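A check of an AFTR tunnel interface against the restrictions and steps above, added here as an example and not taken from the H3C manual. It assumes the configuration is available as text with indented lines under each `interface` or `acl` header; the sample configuration, its names and addresses, and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration text. Names, addresses and the saved-config
# layout (indented lines under a header) are assumptions for illustration.
SAMPLE = """\
ipv6
acl number 3000
 rule 0 permit ip vpn-instance vpn1 source 10.0.0.0 0.0.0.255
 rule 5 permit ip source 10.0.0.0 0.0.0.255
interface Tunnel1
 ip address 30.1.2.2 255.255.255.0
 tunnel-protocol ipv4-ipv6 dslite-aftr
 destination 1::1
"""

def sections(text):
    """Split the text into (header, [stripped indented lines]) pairs."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit_aftr(text, tunnel):
    """Check one AFTR tunnel interface against the steps and restrictions."""
    secs = sections(text)
    found = []
    if not any(head == "ipv6" for head, _ in secs):
        found.append("IPv6 is not enabled (step 2)")
    body = next((b for h, b in secs if h.lower() == f"interface {tunnel}".lower()), None)
    if body is None:
        return found + [f"{tunnel}: interface not found"]
    if "tunnel-protocol ipv4-ipv6 dslite-aftr" not in body:
        found.append(f"{tunnel}: mode is not DS-Lite AFTR (step 5)")
    if not any(l.startswith("ip address ") for l in body):
        found.append(f"{tunnel}: no IPv4 address (step 4)")
    if not any(l.startswith("source ") for l in body):
        found.append(f"{tunnel}: no source address or interface (step 6)")
    if any(l.startswith("destination ") for l in body):
        found.append(f"{tunnel}: destination is unnecessary on the AFTR")
    for head, rules in secs:
        for rule in rules if head.startswith("acl ") else []:
            if re.search(r"\bvpn-instance\b", rule):
                found.append(f"{head}: '{rule}' includes a VPN instance")
    return found
```

Calling `audit_aftr(SAMPLE, "Tunnel1")` reports the missing tunnel source, the unneeded destination, and ACL rule 0. The last finding matters most for access control, because an ACL rule that includes a VPN instance does not take effect on the AFTR.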
Configuration example
Network requirements
As shown in
, a private IPv4 network and a public IPv4 network are separated by an IPv6
network.
Build a DS-Lite tunnel between CPE (SecPath A) and AFTR (SecPath B) and configure NAT on AFTR's
interface connecting to the public IPv4 network, so that hosts in the private IPv4 network can access the
public IPv4 network and hosts from different private IPv4 networks can use the same IPv4 addresses.
In the IPv6 network, deploy a DHCPv6 server (SecPath C) for CPE to obtain AFTR's IPv6 address.