CISCO NAT66 Configure Catalyst User Guide

: June 15, 2024
: Cisco

Table of Contents

NAT66 Configure Catalyst
Information About NAT66 DIA
Note
Configure NAT66 DIA and a DIA Route
Configure a NAT66 DIA Route
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

NAT66 Configure Catalyst

CISCO NAT66 Configure Catalyst -

Configure NAT66

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a
comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Table 1: Feature History

Feature Name	Release Information	Description
Support for NAT66 DIA	Cisco IOS XE Catalyst SD-WAN Release 17.7.1a Cisco
vManage Release 20.7.1	The IPv6-to-IPv6 Network Address Translation (NAT66)

Direct Internet Access (DIA) feature enables an IPv6 device to translate an inside source address prefix to an outside source address prefix in IPv6 packet headers.
NAT66 DIA allows you to direct local IPv6 internet traffic to exit directly to the internet from the service-side VPN (VPN 1) through the transport VPN (VPN 0).
You can configure NAT66 DIA using Cisco SD-WAN Manager, the CLI, or a device CLI template.
This feature introduces new CLI commands. For more information on the new NAT commands, see the Cisco IOS XE Catalyst SD-WAN Qualified Command Reference Guide.
Support for Multiple WAN Links for NAT66 DIA| Cisco IOS XE Catalyst SD-WAN Release 17.12.1a Cisco Catalyst SD-WAN Manager Release 20.12.1| You can configure NAT66 to use multiple WAN links to direct local IPv6 traffic to exit directly to the internet.

Information About NAT66 DIA

IPv6-to-IPv6 Network Prefix Translation (NPTv6) is a mechanism that is used to convert an IPv6 address prefix to another IPv6 address prefix. The address translation method used is IPv6-to-IPv6 Network Address Translation (NAT66). A device that supports a NAT66 function is known as a NAT66 translator. A NAT66 translator provides source and destination address translation capability.

Note

NPTv6 functionality was already available on Cisco IOS XE platforms before it was introduced in Cisco Catalyst SD-WAN in the Cisco IOS XE Catalyst SD-WAN Release 17.7.1a. For more information, see the IP Addressing: NAT Configuration Guide.
NAT66 DIA allows you to redirect or forward packets from one network to another in an IPv6 environment. NAT66 DIA provides an algorithmic translation function with a 1:1 relationship between addresses within the inside network and the outside network. You can interconnect different networks and support multihoming, load balancing, and peer-to-peer networking.
NAT66 DIA supports prefixes longer than 64 bits and static IPv6 host-to-host translations. Only the prefix portion of an IPv6 address is translated.

Note

To access Cisco SD-WAN Manager using an IPv6 address, specify port number 8443 in the URL.
Example:
https://[cisco-vmanageIPv6-address]:8443/

How NAT66 DIA Works

An IPv6 client in a branch site attempts to access Cisco SD-WAN Manager in a data center on the transport side of the network (VPN 0).
The Cisco IOS XE Catalyst SD-WAN device routes the IPv6 address from the service VPN (VPN 1) to the next-hop transport VPN (VPN 0), which is the WAN side of the network.
A NAT66 translator performs an IPv6-to-IPv6 prefix translation. Dynamic Host Configuration Protocol version 6 (DHCPv6) requires a source IPv6 prefix in the IPv6 prefix range for prefix delegation.
NAT66 conversion occurs in the transport VPN interface.
DHCPv6 prefix delegation allows an ISP to automate the process of assigning prefixes to a customer for use within the customer’s network. Prefix delegation occurs between a provider edge (PE) device and customer premises equipment (CPE) using the DHCPv6 prefix delegation option. After an ISP has delegated prefixes to a customer, the customer can further divide the network and assign prefixes to the links in the customer’s network.
When traffic is returned from Cisco SD-WAN Manager, the Cisco IOS XE Catalyst SD-WAN device looks up the NAT66 entry in the DIA route table and forwards the packet to the client’s IPv6 address.

Benefits of NAT66 DIA

Supports local IPv6 internet traffic to exit directly to the internet from the service-side VPN through the transport VPN
Allows you to redirect or forward packets from one network to another in an IPv6 environment
Enables good application performance
Contributes to reduced bandwidth consumption and latency
Contributes to lower bandwidth cost
Enables improved branch office user experience by providing DIA at remote site locations

Restrictions for NAT66 DIA

Firewall, AppNav-XE, and multicast are not supported.
From Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, NAT66 supports the use of a firewall.
Only NAT66 DIA traffic flows are supported. There is no support for service-side traffic flows.
Centralized data policy is not supported for NAT66 DIA.
Combined NAT64 and NAT66 is not supported on the same interface.
Only one single prefix translation is supported for each VRF.
From Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, multiple prefix translations are supported for each VRF.
Use of multiple WAN links for NAT66 DIA is not supported.
From Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, multiple WAN links are supported for NAT66 DIA.
NAT66 DIA route redistribution using the service IPv6 routing protocol is not supported.
Real-time operational application programming interface (APIs) are not supported.
You must include a default route in VPN 0 for successful NAT66 DIA route operations.
Only physical Ethernet subinterfaces are supported.
Router Advertisement (RA) prefix names are not supported in NAT66 prefix translations.
Multitenancy resource limits are not supported.
IPv6 TLOC extension with NAT66 is not supported.

Configure NAT66 DIA and a DIA Route

Workflow for Enabling NAT66 DIA and a NAT66 DIA Route

Enable NAT66 DIA using a Cisco VPN Interface Ethernet feature template for IPv6.
A Cisco VPN Interface Ethernet template is used as a transport (WAN) interface.
For more information on enabling NAT66 DIA using a Cisco VPN Interface Ethernet template, see Configure NAT66 DIA.
Configure a NAT66 DIA IPv6 route using a Cisco VPN feature template, which is a service-side VPN (VPNs other than VPN 0).
For more information on configuring a NAT66 DIA IPv6 route, see Configure a NAT66 DIA Route.

Configure NAT66 DIA

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
Click Feature Templates.
Note
In Cisco vManage Release 20.7.x release, Feature Templates is titled Feature.
Edit a Cisco VPN Interface Ethernet template by clicking . . . adjacent to it, and then choosing Edit.
Click NAT and choose IPv6.
In the NAT drop-down list, change the scope from Default to Global.
Click On to enable NAT66.
In the NAT Selection field, choose NAT66.
Click New Static NAT.
In the Source Prefix field, specify the source IPv6 prefix.
In the Translated Source Prefix field, specify the translated source prefix.
In the Source VPN ID field, specify the source VPN ID.
Click Update.

Enable DHCPv6 Prefix Delegation Using a CLI Add-On Template

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
Click Feature Templates.
Click Add Template.
Under Select Devices, choose the device for which you are creating the template.
Under Select Template, scroll down to the OTHER TEMPLATES section, and click CLI Add-On Template.
In the Template Name field, enter a name for the feature template.
In the Description field, enter a description for the feature template.
In the CLI CONFIGURATION area, enter the DHCPv6 configuration.
interface GigabitEthernet1 ipv6 dhcp client pd prefix-from-provider ipv6 dhcp client request vendor
Click Save.
The CLI add-on template is displayed in the CLI CONFIGURATION table.
To use the CLI add-on feature template, edit the device template as follows:
a. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
b. Click Device Templates.
Note
In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.
c. Click . . . adjacent to the device template for which you want to add the CLI add-on feature template, and choose Edit.
d. Scroll down to Additional Templates, and from the CLI Add-On Template drop- down list, choose the CLI add-on feature template that you previously created.

Configure a NAT66 DIA Route

Enable an IPv6 route with NAT66 DIA in a Cisco VPN template.
Every service VPN, for example, VPN 1, routes packets into the transport VPN (VPN 0) for DIA traffic.
Configure a NAT66 DIA Route Using a Cisco VPN Template

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
Click Feature Templates.
Note
In Cisco vManage Release 20.7.x release, Feature Templates is titled Feature.
Edit a Cisco VPN template by clicking . . . adjacent to it, and then choosing Edit.
Click IPv6 Route.
Click New IPv6 Route.
In the Prefix field, enter an IPv6 prefix for NAT66 translation.
Global inside and outside prefixes should be unique per virtual routing and forwarding (VRF).
IPv6-prefix delegation (PD) prefix length should be equal to or less than /56.
A global outside prefix should be unique per VRF.
The inside prefix length and an outside prefix length should be the same.
Up to 250 VRFs are supported with a PD prefix of /56.
In the Gateway field, click VPN.
In the Enable VPN drop-down list, change the scope from Default to Global, and click On to enable VPN.
In the NAT drop-down list, change the scope from Default to Global, and click On to enable NAT66.
Click Update.

Configure NAT66 DIA Using the CLI
Configure Static NAT Prefix Translation for NAT66 DIA interface GigabitEthernet1
ip address 10.1.15.15 255.0.0.0
no ip redirects
load-interval 30
negotiation auto
nat66 outside
ipv6 address 2001:DB8:A1:F::F/64
no ipv6 redirects
service-policy output shape_GigabitEthernet1
!
nat66 prefix inside 2001:DB8:380:1::/80 outside 2001:DB8:A1:F:0:1::/80 vrf 1
nat66 prefix inside 2001:DB8:A14:18::/80 outside 2001:DB8:A1:F::/80 vrf 1
nat66 route vrf 1 2001:DB8:A14:19::/64 global
nat66 route vrf 1 2001:DB8:3D0:1::/64 global
Configure multiple links for NAT66 DIA
From Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, you can configure multiple egress interfaces for NAT66 DIA.
Here is an example of configuring NAT66 DIA with two interfaces, GigabitEthernet1 and GigabitEthernet4:
interface GigabitEthernet1
no shutdown
ipv6 address 2001:a1:f::f/64
ipv6 nd ra suppress all
no mop enabled
no mop sysid
negotiation auto
nat66 outside
!
interface GigabitEthernet4
no shutdown
ipv6 address 2001:a0:14::f/64
ipv6 enable
ipv6 nd ra suppress all
no mop enabled
no mop sysid
negotiation auto
nat66 outside
!
nat66 prefix inside 2001:a14:18:0::/64 outside 2001:a1:f::/64 vrf 1 egress- interface
GigabitEthernet1
nat66 prefix inside 2001:a14:18:0::/64 outside 2001:a0:14::/64 vrf 1 egress- interface
GigabitEthernet4
nat66 prefix inside FC00:1:2:3::/80 outside 3001:a1:5::/80 vrf 100
nat66 route vrf 1 2001:a0:5::/64 global
nat66 route vrf 100 ::/0 global
For more information, see the nat66 prefix command in the Cisco IOS XE SD-WAN Qualified Command
Reference Guide.
Configure DHCPv6 Prefix Delegation for NAT66 DIA
interface GigabitEthernet1
ip address 10.1.15.15 255.0.0.0
no ip redirects
load-interval 30
negotiation auto
nat66 outside
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client pd prefix-from-provider
ipv6 dhcp client request vendor
arp timeout 1200
no mop enabled
no mop sysid
service-policy output shape_GigabitEthernet1
!
nat66 prefix inside 2001:DB8:10:1::/64 outside prefix-from-provider vrf 1
nat66 prefix inside 2001:DB8:100:1::/64 outside prefix-from-provider vrf 100
nat66 prefix inside 2001:DB8:101:1::/64 outside prefix-from-provider vrf 101
nat66 route vrf 1 2001:DB8:A14:19::/64 global
nat66 route vrf 1 2001:DB8:3D0:1::/64 global
nat66 route vrf 100 ::/0 global
nat66 route vrf 101 ::/0 global
Verify NAT66 DIA and DIA Route Configuration

Display NAT66 Prefix Translation Entries
Device# show nat66 prefix
Prefixes configured: 2
NAT66 Prefixes
Id: 1 Inside 2001:DB8:380:1::/80 Outside 2001:DB8:A1:F:0:1::/80
Id: 2 Inside 22001:DB8:A14:18::/80 Outside 2001:DB8:A1:F::/80
Verify NAT66 DIA Routes
Device# show nat66 route-dia
Total interface NAT66 DIA enabled count [1] route add [1] addr [2001:DB8:A14:19::] vrfid [2] prefix len [64] route add [1] addr [2001:DB8:3D0:1::] vrfid [2] prefix len [64] Display NAT66 Neighbor Discovery
Device# show nat66 nd
NAT66 Neighbor Discovery
ND prefix DB:
2001:DB8:A1:F::/80
2001:DB8:A1:F:0:1::/80
2001:DB8:A1:F:1::/64
2001:DB8:A1:F:2::/64
2001:DB8:A1:F:3::/64
ipv6 ND entries:
2001:DB8:A1:F::F
2001:DB8:A1:F::11
Verify NAT66 Global Statistics for Translated Packets
Device# show nat66 statistics
NAT66 Statistics
Global Stats:
Packets translated (In -> Out)
: 7
Packets translated (Out -> In)
: 7
Display NAT66 Platform for Each Prefix Counter for Inside and Outside Translations
Device# show platform hardware qfp active feature nat66 datapath prefix
prefix hasht 0x89628400 max 2048 chunk 0x8c392bb0 hash_salt 719885386
NAT66 hash[1] id(1) len(64) vrf(0) in: 2001:db8:ab01:0000:0000:0000:0000:0000:0000 out:
2001:db8:ab02:0000:0000:0000:0000:0000:0000 in2out: 7 out2in: 7
Verify NAT66 Platform Global Counters
Device# show platform software nat66 fp active statistics
QFP Stats:
Interface:
Add: 2, Ack: 2, Err: 0
Mod: 0, Ack: 0, Err: 0
Del: 0, Ack: 0, Err: 0
Prefix Trans:
Add: 5, Ack: 5, Err: 0
Mod: 0, Ack: 0, Err: 0
Del: 0, Ack: 0, Err: 0
AOM Stats:
Interface:
Add: 2, Err: 0
Mod: 0, Err: 0
Del: 0, Err: 0
Free: 0, Err: 0
Prefix Translation:
Add: 5, Err: 0
Mod: 0, Err: 0
Del: 0, Err: 0
Free: 0, Err: 0
DB Stats:
Interface:
Add: 2, Err: 0
Mod: 0, Err: 0
Del: 0, Err: 0
Prefix Translations:
Add: 5, Err: 0
Mod: 0, Err: 0
Del: 0, Err: 0
Message RX Stats:
Interface:
Add: 2
Configuration Example for NAT66 DIA
The following is an end-to-end configuration example for NAT66 DIA:
interface GigabitEthernet1
ip address 10.1.15.15 255.0.0.0
no ip redirects
load-interval 30
negotiation auto
nat66 outside
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client pd prefix-from-provider
ipv6 dhcp client request vendor
arp timeout 1200
no mop enabled
no mop sysid
service-policy output shape_GigabitEthernet1
!
nat66 prefix inside 2001:DB8:380:1::/80 outside 2001:DB8:A1:F:1::/80 vrf 1
nat66 prefix inside 2001:DB8:A14:18::/80 outside 2001:DB8:A1:F::/80 vrf 1
nat66 prefix inside 2001:DB8:10:1::/64 outside prefix-from-provider vrf 1
nat66 prefix inside 2001:DB8:100:1::/64 outside prefix-from-provider vrf 100
nat66 prefix inside 2001:DB8:101:1::/64 outside prefix-from-provider vrf 101
nat66 route vrf 1 2001:DB8:A14:19::/64 global
nat66 route vrf 1 2001:DB8:3D0:1::/64 global
nat66 route vrf 100 ::/0 global
nat66 route vrf 101 ::/0 global
The following is an end-to-end configuration example with multiple links for NAT66 DIA:
interface GigabitEthernet3
no shutdown
ipv6 address 2001:a1:f::f/64
ipv6 nd ra suppress all
no mop enabled
no mop sysid
negotiation auto
nat66 outside
!
interface GigabitEthernet4
no shutdown
ipv6 address 2001:a0:14::f/64
ipv6 enable
ipv6 nd ra suppress all
no mop enabled
no mop sysid
negotiation auto
nat66 outside
!
nat66 prefix inside 2001:a14:18:0::/64 outside 2001:a1:f::/64 vrf 1 egress- interface
GigabitEthernet3
nat66 prefix inside 2001:a14:18:0::/64 outside 2001:a0:14::/64 vrf 1 egress- interface
GigabitEthernet4
nat66 prefix inside FC00:1:2:3::/80 outside 3001:a1:5::/80 vrf 100
nat66 route vrf 1 2001:a0:5::/64 global
nat66 route vrf 100 ::/0 global