Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

72

Figure 62 Network diagram

Configuration procedure

1.

Configure SecPath B (the AFT):
# Enable IPv6.

system-view

[SecPathB] ipv6

# Configure IP addresses for the interfaces and enable AFT on the interfaces.

[SecPathB] interface GigabitEthernet 0/1

[SecPathB-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:100::/64

[SecPathB-GigabitEthernet0/1] aft enable

[SecPathB-GigabitEthernet0/1] quit

[SecPathB] interface GigabitEthernet 0/2

[SecPathB-GigabitEthernet0/2] ip address 4.4.4.1 24

[SecPathB-GigabitEthernet0/2] aft enable

[SecPathB-GigabitEthernet0/2] quit

# Configure the DNS64 prefix.

[SecPathB] aft prefix-dns64 2000:: 32

# Configure the IVI prefix.

[SecPathB] aft prefix-ivi 6::

# Create ACL 3000 to permit ICMP packets destined to the IPv4 network 6.6.6.0/24, which is
embedded in the IVI address.

[SecPathB] acl number 3000

[SecPathB-acl-adv-3000] rule permit icmp destination 6.6.6.0 0.0.0.255

[SecPathB-acl-adv-3000] quit

# Configure the 4to6 AFT policy for destination address translation so that the SecPath B can
translate the destination address into an IPv6 address by using the IVI prefix (6::) for packets

destined to network 6.6.6.0/24.

[SecPathB] aft 4to6 acl number 3000 prefix-ivi 6::

# Create ACL 2000 to permit packets from the IPv4 network 4.4.4.0/24, on which SecPath C
resides (this step is optional).

[SecPathB] acl number 2000

[SecPathB-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255

[SecPathB-acl-basic-2000] quit

# Configure the 4to6 AFT policy for source address translation so that the SecPath B can translate
the source address into an IPv6 address by using the DNS prefix (2000::/32) for packets from

network 4.4.4.0/24 (this step is optional).

[SecPathB] aft 4to6 acl number 2000 prefix-dns64 2000:: 32