Terminal---(GigabitEthernet3/0/19)SR66(Ten-GigabitEthernet3/0/0)----(10.47.0.1)S125
On site, NAT 6to4 AFT was configured, but traffic does not pass.
Debugging shows no AFT sessions and no AFT packet records.
#
acl ipv6 basic 2000
rule 0 permit source 2001:0:0:2223::/64 counting
rule 5 deny
#
aft address-group 0
address 10.47.0.89 10.47.0.89
#
aft prefix-nat64 2001:0:0:2224:: 64
aft v6tov4 source acl ipv6 number 2000 address-group 0
aft log enable
#
interface GigabitEthernet3/0/18
port link-mode route
combo enable copper
ip binding vpn-instance ipv6
ipv6 address 2001:0:0:2223::2/64
#
interface GigabitEthernet3/0/19
port link-mode route
combo enable copper
aft enable
ipv6 address 2001:0:0:2223::1/64
undo ipv6 nd ra halt
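The result is the same whether the test PC is directly connected or the device is tested in loopback.
Terminal---(GigabitEthernet3/0/19)SR66(Ten-GigabitEthernet3/0/0)----(10.47.0.1)S125
On the device, debug ipv6 packet shows that the received packet is forwarded to interface NULL0, so the AFT translation fails.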
*Aug 25 22:23:35:987 2020 H3C IP6FW/7/IP6FW_PACKET: -MDC=1-Slot=3;
Receiving, interface = GigabitEthernet3/0/19, version = 6, traffic class = 0,
flow label = 0, payload length = 40, protocol = 58, hop limit = 64,
Src = 2001:da8:8001:2223:ad77:c963:15e2:8566, Dst = 2001:da8:8001:2224::a2f:1,
prompt: Received an IPv6 packet.
*Aug 25 22:23:35:987 2020 H3C IP6FW/7/IP6FW_PACKET: -MDC=1-Slot=3;
Sending, interface = NULL0, version = 6, traffic class = 0,
flow label = 0, payload length = 40, protocol = 58, hop limit = 63,
Src = 2001:da8:8001:2223:ad77:c963:15e2:8566, Dst = 2001:da8:8001:2224::a2f:1,
prompt: Sending the packet from GigabitEthernet3/0/19 through NULL0.
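The test results show that the device received the packet but did not perform AFT translation.
The AFT configuration is suspected to still contain an error.
Inspection found that the on-site AFT configuration translates with a 64-bit address prefix rather than a 96-bit one.
The resulting difference in how the translated address is encapsulated is suspected to cause the AFT malfunction.
Changing the prefix length used for AFT destination translation to 96 resolved the problem, and the NAT AFT translation sessions became visible.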
aft prefix-nat64 2001:DA8:8001:2224:: 64
# Configure the NAT64 prefix as 2012::/96. The destination address of a packet is translated to an IPv4 address according to this NAT64 prefix.
[Router] aft prefix-nat64 2012:: 96
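The prefix-length difference can be checked offline with the destination address from the debug output above. This Python sketch is an added example, not part of the original case or of H3C's software; it assumes the device uses the RFC 6052 address layout, the function names are hypothetical, and it covers all RFC 6052 prefix lengths, not only /64 and /96.

```python
import ipaddress

VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # prefix lengths allowed by RFC 6052

def v4_positions(plen):
    """Byte offsets holding the IPv4 address; byte 8 (the 'u' octet) is skipped."""
    if plen not in VALID_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_LENGTHS}")
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def embed(prefix, plen, v4):
    """Build the IPv6 address a host must target to reach v4 through the prefix."""
    raw = bytearray(ipaddress.IPv6Address(prefix).packed)
    raw[plen // 8:] = bytes(16 - plen // 8)  # clear everything after the prefix
    for i, b in zip(v4_positions(plen), ipaddress.IPv4Address(v4).packed):
        raw[i] = b
    return str(ipaddress.IPv6Address(bytes(raw)))

def extract(addr, plen):
    """Return (embedded IPv4, True if the 'u' octet and suffix are all zero)."""
    raw = ipaddress.IPv6Address(addr).packed
    pos = v4_positions(plen)
    v4 = ipaddress.IPv4Address(bytes(raw[i] for i in pos))
    clean = all(raw[i] == 0 for i in range(plen // 8, 16) if i not in pos)
    return str(v4), clean

if __name__ == "__main__":
    dst = "2001:da8:8001:2224::a2f:1"   # Dst taken from the debug output above
    prefix = "2001:da8:8001:2224::"     # NAT64 prefix from the case
    for plen in (64, 96):
        # What the logged destination decodes to, and what a host should send to
        print(plen, extract(dst, plen), embed(prefix, plen, "10.47.0.1"))
```

Read as a /96 address, the logged destination carries 10.47.0.1 (the S125 address in the topology); read under a /64 prefix, the same bits give 0.0.0.10 with a non-zero suffix, which is not a valid RFC 6052 embedding.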