关于IPv6是否支持NAT的问题与获取前缀的配置案例

之前，收到很多电话，询问设备是否支持IPv6的NAT，而本人在经过反复确认后，答复目前不支持此功能，原因是没有这个需求。

对于IPv4网络来，基本的组网如下：

NAT产生的原因是公网地址不足，而在这个转换过程中也隐藏了内部的私网地址；IPv6有私网吗？当然有，如站点本地地址FEC0。但对于IPv6，不存在地址不足的问题，故不需要NAT。

之所以问是否有IPv6的NAT技术，很大的原因是对于IPv4的基本组网印象很深刻，基本的思维是向运营商申请一个公网IP，然后内部用私网IP，再在出口进行NAT转换。既然IPv6中不存在NAT，那么这种形式的组网在IPv6中如何实现呢？

一般我们向运营商申请的时候会得到一个公网IPv6地址、网关与前缀（部分也可以动态获取地址与前缀），而这个前缀就用来为终端分配地址。  

对于上面的组网，配置如下

Server端配置：

#

 sysname DHCPv6-server

#

 dhcp enable

#

 ipv6 dhcp prefix-pool 1 prefix 2001:410::/32 assign-len 48

#

dhcp server ip-pool 1

 gateway-list 1.1.1.1

 network 1.1.1.0 mask 255.255.255.0

 forbidden-ip 1.1.1.1

#

ipv6 dhcp pool 1

 network 1::/64

 dns-server 2:2::3

 domain-name h3c.com

 prefix-pool 1 preferred-lifetime 86400 valid-lifetime 259200

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

 ipv6 address 2::2/64

#

interface GigabitEthernet0/0

ip address 1.1.1.1 255.255.255.0

 ipv6 dhcp select server

 ipv6 dhcp server allow-hint preference 255 rapid-commit

 ipv6 address 1::1/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

undo ipv6 nd ra halt

#

 ipv6 route-static 2001:410:: 48 1::2

#

Client端配置：

1、 动态获取IPv6地址与前缀

#

 sysname DHCPv6-clinet

#

 dhcp enable

#

dhcp server ip-pool 1

 gateway-list 192.168.0.1

 network 192.168.0.0 mask 255.255.255.0

 forbidden-ip 192.168.0.1

#

interface GigabitEthernet0/0

ip address dhcp-alloc

 nat outbound 2000

 ipv6 address dhcp-alloc

 ipv6 dhcp client pd 1

#

interface GigabitEthernet0/1

 ip address 192.168.0.1 255.255.255.0

 ipv6 address 1 ::1/64

 undo ipv6 nd ra halt

#

 ip route-static 0.0.0.0 0 1.1.1.1

#

acl basic 2000

 rule 0 permit source 192.168.0.0 0.0.0.255

#

[DHCPv6-clinet-GigabitEthernet0/0]dis ipv6 int bri

*down: administratively down

(s): spoofing

Interface                                 Physical Protocol IPv6 Address

GigabitEthernet0/0                        up       up       1::2

GigabitEthernet0/1                        up       up       2001:410::1

2、 运营商给了IPv6地址、网关与前缀

#

 sysname DHCPv6-clinet

#

 dhcp enable

#

dhcp server ip-pool 1

 gateway-list 192.168.0.1

 network 192.168.0.0 mask 255.255.255.0

 forbidden-ip 192.168.0.1

#

interface GigabitEthernet0/0

 ip address dhcp-alloc

 nat outbound 2000

 ipv6 address 1::2/64

#

interface GigabitEthernet0/1

 ip address 192.168.0.1 255.255.255.0

 ipv6 address 1 ::1/64

 undo ipv6 nd ra halt

#

 ipv6 prefix 1 2001:410::/48

#

 ip route-static 0.0.0.0 0 1.1.1.1

 ipv6 route-static :: 0 1::1

#

acl basic 2000

 rule 0 permit source 192.168.0.0 0.0.0.255

#

[DHCPv6-clinet-GigabitEthernet0/0]dis ipv6 int bri

*down: administratively down

(s): spoofing

Interface                                 Physical Protocol IPv6 Address

GigabitEthernet0/0                        up       up       1::2

GigabitEthernet0/1                        up       up       2001:410::1

PC配置：

#

interface GigabitEthernet0/0

 ip address dhcp-alloc

 ipv6 address auto

#

PC测试：

[PC]ping 2.2.2.2

Ping 2.2.2.2 (2.2.2.2): 56 data bytes, press CTRL_C to break

56 bytes from 2.2.2.2: icmp_seq=0 ttl=254 time=1.000 ms

56 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=2.000 ms

56 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=2.000 ms

56 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=1.000 ms

56 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=1.000 ms

--- Ping statistics for 2.2.2.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

[PC]%Jan  7 13:06:00:052 2020 PC PING/6/PING_STATISTICS: Ping statistics for 2.2.2.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms.

[PC]ping ipv6 2::2

Ping6(56 data bytes) 2001:410::2477:CDFF:FEC9:305 --> 2::2, press CTRL_C to break

56 bytes from 2::2, icmp_seq=0 hlim=63 time=2.000 ms

56 bytes from 2::2, icmp_seq=1 hlim=63 time=1.000 ms

56 bytes from 2::2, icmp_seq=2 hlim=63 time=2.000 ms

56 bytes from 2::2, icmp_seq=3 hlim=63 time=1.000 ms

56 bytes from 2::2, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 2::2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

[PC]%Jan  7 13:06:02:330 2020 PC PING/6/PING_STATISTICS: Ping6 statistics for 2::2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms.

真机测试：

Ping IPv4：

Ping IPv6：

总结：我们向运营商申请的时候会得到一个公网IPv6地址与前缀，用这个前缀为终端分配地址，从而实现IPv6网络的互通，但这个过程不存在类似于NAT的情况。

在一些情况下，运营商提供的网关不一定能否ping通（过滤了相关报文），可以测试以下地址：