Product Documentation

Dual-Stack Lite

Jan 04, 2016

Because of the shortage of IPv4 addresses, and the advantages of IPv6 over IPv4, many ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses only IPv4, and many subscribers do not support IPv6.

Dual Stack Lite (DS-Lite) is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv4 subscribers to the Internet. DS-Lite uses IPv4-in-IPv6 tunneling to send a subscriber’s IPv4 packet through a tunnel on the IPv6 access network to the ISP. The IPv6 packet is decapsulated to recover the subscriber’s IPv4 packet and is then sent to the Internet after NAT address and port translation and other LSN related processing. The response packets traverse through the same path to the subscriber.

The NetScaler appliance implements the AFTR component of a DS-Lite deployment and is compliant with RFC 6333.

Architecture

The Dual-Stack Lite architecture for an ISP consists of the following components:

  • Basic Bridging Broadband (B4). Basic Bridging broadband, or B4, is a device or component that resides in the subscriber premises. Typically, B4 is a component in the CPE devices in the subscriber premises.  IPv4 subscribers are connected to the IPv6-only ISP access network through the CPE device containing the B4 component. The main function of the B4 is to initiate an IPv6 tunnel between B4 and an address family transition router (AFTR) in order to send or receive subscriber IPv4 request or response packets over the tunnel.  B4 includes an IPv6 address known as the B4 tunnel endpoint address. B4 uses this address to source IPv6 packets to AFTR and receive packets from AFTR.
  • Address family transition router (AFTR).  AFTR is a device or component residing in the ISP’s core network. AFTR terminates the IPv6 tunnel from the B4 device. In other words, the IPv6 tunnel is formed between B4 in the subscriber premise and AFTR in ISP core network. AFTR decapsulates IPv6 packets received from B4 to recover the subscribers’ original IPv4 packets.  AFTR sends the IPv4 packets to the LSN device or component. LSN routes the IPv4 packets to their destination after performing NAT address and port translation (NAT 44) and other LSN related processing. AFTR includes an IPv6 address known as the AFTR tunnel endpoint address. AFTR uses this address to source IPv6 packets to B4 and receive IPv6 packets from B4. The NetScaler appliance implements the AFTR component. 
  • Softwire. The IPv6 tunnel created between B4 and AFTR is called a softwire. 

The DS-Lite architecture of an ISP using a NetScaler appliance consists of subscribers in private address spaces accessing the Internet through a NetScaler appliance deployed in ISP’s core network. IPv4 subscribers are connected to a CPE device that includes the DS-Lite B4 functionality. The CPE device is connected to the ISP core network through ISP’s IPv6-only access network. The NetScaler appliance contains the DS-Lite AFTR and LSN functionality.

IPv4 subscribers connected to the CPE device are assigned private IPv4 addresses either manually or through a DHCP server running on the CPE device. On the CPE device, the AFTR tunnel endpoint address is specified manually or through DHCPv6. Configuration of CPE devices is vendor specific and therefore outside the scope of this documentation.

Upon receiving a request packet that is from an IPv4 subscriber and destined to a location on the Internet, the B4 component of the CPE device encapsulates the IPv4 packet in an IPv6 packet and sends it to the NetScaler appliance in the ISP core network. The NetScaler appliance’s AFTR functionality decapsulates the IPv6 packet to recover the subscriber’s original IPv4 packet. The LSN functionality of the NetScaler appliance translates the source IP address and port of the IPv4 packet to an NAT IP address and NAT port selected from the configured NAT pool, and then sends the packet to its destination on the Internet.

The appliance maintains a record of all active sessions that use the AFTR and LSN functionalities. These sessions are called DS-Lite sessions. The NetScaler appliance also maintains the mappings between B4 IPv6 address, subscriber IPv4 address and port, and NAT IPv4 address and port, for each DS-Lite session. These mappings are called DS-Lite LSN mappings. From DS-Lite session entries and DS-Lite LSN mapping entries, the NetScaler appliance recognizes a response packet (received from the Internet) as belonging to a particular DS-Lite session.

When the NetScaler appliance receives a response packet belonging to a particular DS-Lite session, the appliance’s LSN functionality translates the destination IP address and port of the response packet from NAT IP address and port to the subscriber IP address and port. The AFTR functionality then encapsulates the resulting packet in an IPv6 packet and sends it to the CPE device. The B4 functionality of the CPE device decapsulates the IPv6 packet to recover the IPv4 response packet, and then sends the IPv4 packet to the subscriber.

Example

Consider an example of a DS-Lite deployment consisting of NetScaler NS-1 in an ISP’s core network, CPE device B4-CPE-1 in a subscriber premise, and a single IPv4 subscriber SUB-1. B4-CPE-1 supports the B4 functionality of the DS-Lite feature.


The following table lists the settings used in this example.

| Entity | Name | Details |
|---|---|---|
| IPv4 address of subscriber SUB-1 | | 192.0.2.51 |
| IPv6 address of softwire endpoint on the B4 device (B4-CPE-1) | | 2001:DB8::3:4 |
| IPv6 address of the softwire endpoint on the AFTR device (NS-1) | | 2001:DB8::5:6 |
| Settings on NetScaler appliance NS-1 | | |
| LSN client | LSN-DSLITE-CLIENT-1 | Network6 (Identifying traffic from B4 devices) = 2001:DB8::3:0/100 |
| LSN pool | LSN-DSLITE-POOL-1 | LSN IPs (NAT IP) = 203.0.113.61 - 203.0.113.70 |
| IPv6 Profile | LSN-DSLITE-PROFILE-1 | Type = DS-LITE; IPv6 address (AFTR IPv6 address) = One of the NetScaler owned IPv6 address of type SNIP6 = 2001:DB8::5:6 |
| LSN group | LSN-DSLITE-GROUP-1 | LSN client = LSN-DSLITE-CLIENT-1; LSN pool = LSN-DSLITE-POOL-1; IPv6 profile = LSN-DSLITE-PROFILE-1 |

Following is the traffic flow in this example:

1.    IPv4 subscriber SUB-1 sends a request to www.example.com.  The IPv4 packet has:

  • Source IP address = 192.0.2.51
  • Source port = 2552
  • Destination IP address =  198.51.100.250
  • Destination port = 80

2.    Upon receiving the IPv4 request packet, B4-CPE-1 encapsulates it in the payload of an IPv6 packet and then sends the IPv6 packet to NS-1. The IPv6 packet has:

  • Source IP address = 2001:DB8::3:4
  • Destination IP address =  2001:DB8::5:6

3.    When NS-1 receives the IPv6 packet, the AFTR module decapsulates the packet by removing the IPv6 headers. The resulting packet is SUB-1’s original IPv4 request packet.

4.    The LSN module of NS-1 translates the source IP address and port of the packet to an NAT IP address and NAT port selected from the configured NAT pool. The translated IPv4 packet has:

  • Source IP address = 203.0.113.61
  • Source port = 3002
  • Destination IP address =  198.51.100.250
  • Destination port = 80

5.    The LSN module also creates an LSN mapping and session entry for this DS Lite session. The mapping includes the following information:

  • Source IP address of the IPv6 packet (B4-CPE-1’s IPv6 address) = 2001:DB8::3:4
  • Source IP address of the IPv4 packet (SUB-1’s IPv4 address) = 192.0.2.51
  • Source port of the IPv4 packet = 2552
  • NAT IP address = 203.0.113.61
  • NAT port = 3002

6.    NS-1 sends the resulting IPv4 packet to its destination on the Internet.

7.    The server for www.example.com processes the request packet and sends a response packet. The IPv4 response packet has:

  • Source IP address = 198.51.100.250
  • Source port = 80
  • Destination IP address = 203.0.113.61
  • Destination port = 3002

8.    Upon receiving the IPv4 packet, NS-1 examines the LSN mapping and session entries and finds that the IPv4 response packet belongs to a DS Lite session. The LSN module of NS-1 translates the destination IP address and port. The IPv4 packet now has:

  • Source IP address = 198.51.100.250
  • Source port = 80
  • Destination IP address = 192.0.2.51
  • Destination port = 2552

9.    The AFTR module of NS-1 encapsulates the IPv4 packet in an IPv6 packet and then sends the IPv6 packet to B4-CPE-1. The IPv6 packet has:

  • Source IP address = 2001:DB8::5:6
  • Destination IP address = 2001:DB8::3:4

10.  Upon receiving the packet, B4-CPE-1 decapsulates the IPv6 packet by removing the IPv6 headers, and then sends the resulting IPv4 packet to CL-1.
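
The traffic flow above, traced in code as an added example (not NetScaler code and not part of the original documentation). The `Aftr` class, the helper names and the sequential NAT port allocator starting at 3002 are assumptions chosen to reproduce the values in steps 1 to 10; only TCP and UDP are handled and checksums are not recomputed.

```python
import ipaddress
import struct

# Addresses come from the example on this page; all names are hypothetical.
AFTR_ADDR = ipaddress.IPv6Address("2001:DB8::5:6")
# strict=False: the documented client prefix 2001:DB8::3:0/100 has host bits set.
CLIENT_NET6 = ipaddress.ip_network("2001:DB8::3:0/100", strict=False)
NAT_IP = ipaddress.IPv4Address("203.0.113.61")
NH_IPV4 = 4        # IPv6 Next Header value for an encapsulated IPv4 packet
TCP, UDP = 6, 17   # ICMP, which the appliance also translates, is left out


def ipv4_packet(src, sport, dst, dport, proto=TCP):
    """Constructed input: 20-byte IPv4 header followed by the two port fields."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HH", sport, dport)


def encapsulate(src6, dst6, inner):
    """Softwire encapsulation: prepend a 40-byte IPv6 header to an IPv4 packet."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(inner), NH_IPV4, 64,
                         ipaddress.IPv6Address(src6).packed,
                         ipaddress.IPv6Address(dst6).packed)
    return header + inner


def endpoints(pkt4):
    """Return (src IP, src port, dst IP, dst port) of an IPv4 TCP/UDP packet."""
    ihl = (pkt4[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", bytes(pkt4[ihl:ihl + 4]))
    return (ipaddress.IPv4Address(bytes(pkt4[12:16])), sport,
            ipaddress.IPv4Address(bytes(pkt4[16:20])), dport)


class Aftr:
    """AFTR plus LSN: decapsulate, NAT44, and keep the DS-Lite LSN mapping."""

    def __init__(self, first_nat_port=3002):   # 3002 is the port in the example
        self.next_port = first_nat_port
        self.by_subscriber = {}   # (B4, subscriber IP, port, proto) -> NAT port
        self.by_nat = {}          # (NAT port, proto) -> (B4, subscriber IP, port)

    def from_softwire(self, pkt6):
        """Steps 3 to 6: return the translated IPv4 packet, or None if dropped."""
        if len(pkt6) < 64 or pkt6[0] >> 4 != 6 or pkt6[6] != NH_IPV4:
            return None
        b4 = ipaddress.IPv6Address(pkt6[8:24])
        if ipaddress.IPv6Address(pkt6[24:40]) != AFTR_ADDR or b4 not in CLIENT_NET6:
            return None                        # not a softwire from a configured B4
        inner = bytearray(pkt6[40:])
        ihl = (inner[0] & 0x0F) * 4
        if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
            return None                        # malformed inner IPv4 packet
        if inner[9] not in (TCP, UDP):
            return None                        # unsupported protocol
        sub_ip, sub_port, _, _ = endpoints(inner)
        key = (b4, sub_ip, sub_port, inner[9])
        if key not in self.by_subscriber:      # new mapping: next free NAT port
            self.by_subscriber[key] = self.next_port
            self.by_nat[(self.next_port, inner[9])] = key[:3]
            self.next_port += 1
        inner[12:16] = NAT_IP.packed
        inner[ihl:ihl + 2] = struct.pack("!H", self.by_subscriber[key])
        return bytes(inner)                    # checksums are not recomputed here

    def from_internet(self, pkt4):
        """Steps 8 and 9: reverse NAT, then encapsulate toward the recorded B4."""
        if len(pkt4) < 24 or len(pkt4) < (pkt4[0] & 0x0F) * 4 + 4:
            return None
        _, _, dst_ip, dst_port = endpoints(pkt4)
        entry = self.by_nat.get((dst_port, pkt4[9]))
        if dst_ip != NAT_IP or entry is None:
            return None                        # no DS-Lite session for this packet
        b4, sub_ip, sub_port = entry
        inner = bytearray(pkt4)
        ihl = (inner[0] & 0x0F) * 4
        inner[16:20] = sub_ip.packed
        inner[ihl + 2:ihl + 4] = struct.pack("!H", sub_port)
        return encapsulate(AFTR_ADDR, b4, bytes(inner))


if __name__ == "__main__":
    aftr = Aftr()
    request = encapsulate("2001:DB8::3:4", AFTR_ADDR,
                          ipv4_packet("192.0.2.51", 2552, "198.51.100.250", 80))
    print(endpoints(aftr.from_softwire(request)))
    reply = aftr.from_internet(ipv4_packet("198.51.100.250", 80, "203.0.113.61", 3002))
    print(ipaddress.IPv6Address(reply[24:40]), endpoints(reply[40:]))
```

Because the mapping key includes the B4 address, two subscribers that use the same private IPv4 address and port behind different B4 devices receive distinct NAT ports, and replies are tunneled back to the correct B4.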

Points to Consider before Configuring DS-Lite

Consider the following points before configuring DS-Lite on a NetScaler appliance:

1. You must understand the different components of DS-Lite, described in RFC 6333. 

2. A DS-Lite configuration on a NetScaler appliance uses the LSN command set. In a DS-Lite configuration, the LSN client entity specifies the IPv6 address, IPv6 network address, or ACL6 rules for identifying the traffic from the B4 device. A DS-Lite configuration also includes an IPv6 profile, which specifies the IPv6 address of the AFTR component on a NetScaler appliance. For more information on NetScaler’s LSN feature, see Large Scale NAT.

3. For a DS-Lite configuration, the NetScaler appliance supports LSN for IPv4 packets that belong to one of the following protocols only. The NetScaler appliance drops IPv4 packets belonging to other protocols:

  • TCP
  • UDP
  • ICMP
4. The NetScaler appliance supports the following ALGs for DS-Lite:
  • ICMP
  • FTP
5. The NetScaler appliance does not support the following features for DS-Lite:
  • Deterministic NAT (Note: This feature is supported in release 11.0 build 64.x and later.)
  • Static LSN maps (Note: This feature is supported in release 11.0 build 64.x and later.)
  • Hair Pin flow
  • Application layer gateways (ALG) for the following protocols:
    • Session Initiation Protocol (SIP)
    • Real Time Streaming Protocol (RTSP)
    • Point-to-Point Tunneling Protocol (PPTP)
  • Subscriber aware traffic steering

Configuring DS-Lite

A DS-Lite configuration on a NetScaler appliance uses the LSN command set. In a DS-Lite configuration, the LSN client entity specifies the IPv6 address, IPv6 network address, or ACL6 rules for identifying the traffic from the B4 device. For more information on the NetScaler LSN feature, see Large Scale NAT. A DS-Lite configuration also includes an IPv6 profile, which specifies the IPv6 address (of type SNIP6) of the DS-Lite AFTR component on a NetScaler appliance.

Configuring DS-Lite on a NetScaler appliance consists of the following tasks:

  • Set the global LSN parameters. Global parameters include the amount of NetScaler memory reserved for the LSN feature and synchronization of LSN sessions in a high availability setup.
  • Create an LSN client entity for identifying traffic from B4 CPE devices. The LSN client entity refers to a set of DS-Lite B4 devices. The client entity includes IPv6 addresses or IPv6 network address or ACL6 rules for identifying the traffic from these B4 devices. An LSN client can be bound to only one LSN group. The command line interface has two commands for creating an LSN client entity and binding a subscriber to the LSN client entity. The configuration utility combines these two operations on a single screen.
  • Create an LSN pool and bind NAT IP addresses to it. An LSN pool defines a pool of NAT IP addresses to be used by the NetScaler appliance to perform LSN.  The command line interface has two commands for creating an LSN pool and binding NAT IP addresses to the LSN pool. The configuration utility combines these two operations on a single screen.
  • Create an LSN IP6 profile. An LSN IP6 profile defines the IPv6 address of the DS-Lite AFTR component on the NetScaler appliance. The IPv6 address must be one of the NetScaler owned IPv6 addresses of type SNIP6.
  • (Optional) Create an LSN Transport Profile for a specified protocol. An LSN transport profile defines various timeouts and limits, such as maximum LSN sessions and maximum ports usage that a subscriber can have for a given protocol. You bind an LSN transport profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. A profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN transport profile with default settings for TCP, UDP, and ICMP protocols is bound to an LSN group during its creation. This profile is called the default transport profile. An LSN transport profile that you bind to an LSN group overrides the default LSN transport profile for that protocol.
  • (Optional) Create an LSN Application Profile for a specified protocol and bind a set of destination ports to it. An LSN application profile defines the LSN mapping and LSN filtering controls of a group for a given protocol and for a set of destination ports. For a set of destination ports, you bind an LSN profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. An LSN application profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN application profile with default settings for TCP, UDP, and ICMP protocols for all destination ports is bound to an LSN group during its creation. This profile is called a default application profile. When you bind an LSN application profile, with a specified set of destination ports, to an LSN group, the bound profile overrides the default LSN application profile for that protocol at that set of destination ports. The command line interface has two commands for creating an LSN application profile and binding a set of destination ports to the LSN application profile. The configuration utility combines these two operations on a single screen.
  • Create an LSN Group and bind LSN pools, LSN IPv6 profile, (optional) LSN transport profiles, and (optional) LSN application profiles to the LSN group. An LSN group is an entity consisting of an LSN client, an LSN IPv6 profile, LSN pool(s), LSN transport profile(s), and LSN application profile(s). A group is assigned parameters, such as port block size and logging of LSN sessions. The parameter settings apply to all the subscribers of an LSN client bound to the LSN group. Only one LSN IPv6 profile can be bound to an LSN group, and an LSN IPv6 profile bound to an LSN group cannot be bound to other LSN groups. Only LSN pools and LSN groups with the same NAT type settings can be bound together. Multiple LSN pools can be bound to an LSN group. Only one LSN client entity can be bound to an LSN group, and an LSN client entity bound to an LSN group cannot be bound to other LSN groups. The command line interface has two commands for creating an LSN group and binding LSN pools, LSN transport profiles, and LSN application profiles to the LSN group. The configuration utility combines these two operations in a single screen.

Configuration Using the Command Line

To create an LSN client by using the command line interface

At the command prompt, type:

  • add lsn client <clientname>
  • show lsn client

To bind an IPv6 network or an ACL6 rule to an LSN client by using the command line interface

At the command prompt, type:

  • bind lsn client <clientname> (-network6 <ipv6_addr|*>| -acl6name <string>)
  • show lsn client

To create an LSN pool by using the command line interface

At the command prompt, type:

  • add lsn pool <poolname> [-nattype ( DYNAMIC )] [-portblockallocation ( ENABLED | DISABLED )] [-portrealloctimeout <secs>] [-maxPortReallocTmq <positive_integer>]
  • show lsn pool

To bind an IP address range to an LSN pool by using the command line interface

At the command prompt, type:

  • bind lsn pool <poolname> <lsnip>
  • show lsn pool

Note: For removing LSN IP addresses from an LSN pool, use the unbind lsn pool command.

To configure an LSN IPv6 profile by using the command line interface

At the command prompt, type:

  • add lsn ip6profile <name> -type DS-Lite -network6 <ipv6_addr|*>
  • show lsn ip6profile

To create an LSN transport profile by using the command line interface

At the command prompt, type:

  • add lsn transportprofile <transportprofilename> <transportprotocol> [-sessiontimeout <secs>] [-finrsttimeout <secs>] [-portquota <positive_integer>] [-sessionquota <positive_integer>] [-portpreserveparity ( ENABLED | DISABLED )] [-portpreserverange (ENABLED | DISABLED )] [-syncheck ( ENABLED | DISABLED )]
  • show lsn transportprofile

To create an LSN application profile by using the command line interface

At the command prompt, type:

  • add lsn appsprofile <appsprofilename> <transportprotocol> [-ippooling ( PAIRED | RANDOM )] [-mapping <mapping>] [-filtering <filtering>] [-tcpproxy ( ENABLED | DISABLED )] [-td <positive_integer>]
  • show lsn appsprofile

To bind an application protocol port range to an LSN application profile by using the command line interface

At the command prompt, type:

  • bind lsn appsprofile <appsprofilename> <lsnport>
  • show lsn appsprofile  

To create an LSN group by using the command line interface

At the command prompt, type:

  • add lsn group <groupname> -clientname <string> [-nattype ( DYNAMIC )] [-portblocksize <positive_integer>] [-logging ( ENABLED | DISABLED )] [-sessionLogging ( ENABLED | DISABLED )] [-sessionSync ( ENABLED | DISABLED )] [-snmptraplimit <positive_integer>] [-ftp ( ENABLED | DISABLED )] [-pptp ( ENABLED | DISABLED )] [-sipalg ( ENABLED | DISABLED )] [-rtspalg ( ENABLED | DISABLED )] [-ip6profile <string>]
  • show lsn group

To bind LSN protocol profiles and LSN pools to an LSN group by using the command line interface

At the command prompt, type:

  • bind lsn group <groupname> (-poolname <string> | -transportprofilename <string> | -httphdrlogprofilename <string> | -appsprofilename <string> | -sipalgprofilename <string> | -rtspalgprofilename <string>)
  • show lsn group

Configuration Using the Configuration Utility

To configure an LSN client and bind an IPv6 network address or an ACL6 rule by using the configuration utility

Navigate to System > Large Scale NAT > Clients, and add a client and then bind an IPv6 network address or an ACL6 rule to the client.

To configure an LSN pool and bind NAT IP addresses by using the configuration utility

Navigate to System > Large Scale NAT > Pools, and add a pool and then bind an NAT IP address or a range of NAT IP addresses to the pool.

To configure an LSN IPv6 profile by using the configuration utility

Navigate to System > Large Scale NAT > Profiles, click the IPv6 tab, and assign an IPv6 address for DS-Lite AFTR.

To configure an LSN transport profile by using the configuration utility

  1. Navigate to System > Large Scale NAT > Profiles.
  2. On the details pane, click Transport tab, and then add a transport profile.

To configure an LSN application profile by using the configuration utility

  1. Navigate to System > Large Scale NAT > Profiles.
  2. On the details pane, click Application tab, and then add an application profile.

To configure an LSN group and bind an LSN client, an LSN IPv6 profile, pools, transport profiles, and application profiles by using the configuration utility

Navigate to System > Large Scale NAT > Groups, and add a group and then bind an LSN client, an LSN IPv6 profile, pools, transport profiles, and application profiles to the group.

Example

> add lsn client LSN-DSLITE-CLIENT-1
Done

> bind lsn client LSN-DSLITE-CLIENT-1 -network6 2001:DB8::3:0/100
Done

> add lsn pool LSN-DSLITE-POOL-1
Done

> bind lsn pool LSN-DSLITE-POOL-1 203.0.113.61-203.0.113.70
Done

> add lsn ip6profile LSN-DSLITE-PROFILE-1 -type DS-Lite -network6 2001:DB8::5:6
Done

> add lsn group LSN-DSLITE-GROUP-1 -clientname LSN-DSLITE-CLIENT-1 -portblocksize 1024 -ip6profile LSN-DSLITE-PROFILE-1
Done

> bind lsn group LSN-DSLITE-GROUP-1 -poolname LSN-DSLITE-POOL-1
Done

Logging DS-Lite Information

You can log DS-Lite information to diagnose or troubleshoot problems, and to meet legal requirements. The NetScaler appliance supports all LSN logging features for logging DS-Lite information. For configuring DS-Lite logging, use the procedures for configuring LSN logging, described at Logging and Monitoring LSN.

A log message for a DS-Lite LSN mapping entry consists of the following information:

  • NetScaler owned IP address (NSIP address or SNIP address) from which the log message is sourced.
  • Time stamp
  • Entry type (MAPPING)
  • Whether the DS-Lite LSN mapping entry was created or deleted
  • IPv6 address of B4
  • Subscriber's IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
    • Destination IP address and port are not logged for Endpoint-Independent mapping.
    • Only the destination IP address is logged for Address-Dependent mapping. The port is not logged.
    • Destination IP address and port are logged for Address-Port-Dependent mapping.

A log message for a DS-Lite session consists of the following information:

  • NetScaler owned IP address (NSIP address or SNIP address) from which the log message is sourced.
  • Time stamp
  • Entry type (SESSION)
  • Whether the DS-Lite session is created or removed
  • IPv6 address of B4
  • Subscriber's IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID

The following table shows sample DS-Lite log entries of each type stored on the configured log servers. These log entries are generated by a NetScaler appliance whose NSIP address is 10.102.37.115.

| LSN Log Entry Type | Sample Log Entry |
|---|---|
| DS-Lite session creation | Local4.Informational 10.102.37.115 08/14/2015:13:35:38 GMT   0-PPE-1 : default LSN LSN_SESSION 37647607 0 :  SESSION CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP |
| DS-Lite session deletion | Local4.Informational 10.102.37.115 08/14/2015:13:38:22 GMT   0-PPE-1 : default LSN LSN_SESSION 37647617 0 :  SESSION DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol: TCP |
| DS-Lite LSN mapping creation | Local4.Informational 10.102.37.115 08/14/2015:13:35:39 GMT  0-PPE-1 : default LSN LSN_EIM_MAPPING 37647610 0 :  EIM CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP |
| DS-Lite LSN mapping deletion | Local4.Informational 10.102.37.115 08/14/2015:13:38:25 GMT  0-PPE-1 : default LSN LSN_EIM_MAPPING 37647618 0 :  EIM DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP |
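
A parser for the log format shown above, written as an added example (not NetScaler tooling and not part of the original documentation). It pairs SESSION CREATED and DELETED entries to answer the attribution question these logs exist for: which B4 and subscriber held a given NAT IP address and port at a given time. The function names are hypothetical, and the last log line is constructed to show the same NAT port being reused by a different subscriber later.

```python
import re
from datetime import datetime

# The first three lines are the sample entries from this page.
PAGE_LINES = [
    "Local4.Informational 10.102.37.115 08/14/2015:13:35:38 GMT   0-PPE-1 : default LSN LSN_SESSION 37647607 0 :  SESSION CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP",
    "Local4.Informational 10.102.37.115 08/14/2015:13:38:22 GMT   0-PPE-1 : default LSN LSN_SESSION 37647617 0 :  SESSION DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol: TCP",
    "Local4.Informational 10.102.37.115 08/14/2015:13:35:39 GMT  0-PPE-1 : default LSN LSN_EIM_MAPPING 37647610 0 :  EIM CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP",
]
# Constructed line (not from the page): another subscriber reuses the NAT port.
CONSTRUCTED_LINES = [
    "Local4.Informational 10.102.37.115 08/14/2015:13:40:00 GMT   0-PPE-1 : default LSN LSN_SESSION 37647701 0 :  SESSION CREATED 2001:DB8::3:9 Client IP:Port:TD 192.0.2.77:4000:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP",
]

ENTRY = re.compile(
    r"(?P<src>\S+)\s+(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT\s+\S+\s+:\s+\S+\s+LSN\s+"
    r"(?P<type>LSN_\w+)\s+\d+\s+\d+\s+:\s+(?P<kind>SESSION|EIM)\s+(?P<event>CREATED|DELETED)\s+"
    r"(?P<b4>[0-9A-Fa-f:]+)\s+Client IP:Port:TD\s+"
    r"(?P<sub_ip>[\d.]+):(?P<sub_port>\d+):(?P<sub_td>\d+),\s+"
    r"NatIP:NatPort\s+(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)"
    # The destination is absent from endpoint-independent mapping entries.
    r"(?:,\s+Destination IP:Port:TD\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+):(?P<dst_td>\d+))?"
    r",\s+Protocol:\s*(?P<proto>\w+)")


def parse_entry(line):
    """Return the fields of one DS-Lite log line as a dict, or None if no match."""
    match = ENTRY.search(line)
    if match is None:
        return None
    entry = match.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%m/%d/%Y:%H:%M:%S")  # GMT
    for field in ("sub_port", "nat_port", "dst_port"):
        if entry[field] is not None:
            entry[field] = int(entry[field])
    return entry


def session_intervals(lines):
    """Pair CREATED/DELETED session entries into (key, start, end) tuples."""
    still_open, intervals = {}, []
    for entry in filter(None, map(parse_entry, lines)):
        if entry["kind"] != "SESSION":
            continue
        key = (entry["b4"], entry["sub_ip"], entry["sub_port"], entry["nat_ip"],
               entry["nat_port"], entry["dst_ip"], entry["dst_port"], entry["proto"])
        if entry["event"] == "CREATED":
            still_open[key] = entry["ts"]
        elif key in still_open:
            intervals.append((key, still_open.pop(key), entry["ts"]))
    # Sessions with no DELETED entry yet are reported with an open end.
    intervals.extend((key, start, None) for key, start in still_open.items())
    return intervals


def who_used(lines, nat_ip, nat_port, when):
    """List (B4, subscriber IP, subscriber port) holding nat_ip:nat_port at `when`."""
    hits = []
    for key, start, end in session_intervals(lines):
        if (key[3], key[4]) == (nat_ip, nat_port) and start <= when \
                and (end is None or when <= end):
            hits.append(key[:3])
    return hits


if __name__ == "__main__":
    logs = PAGE_LINES + CONSTRUCTED_LINES
    print(who_used(logs, "203.0.113.61", 3002, datetime(2015, 8, 14, 13, 36, 0)))
    print(who_used(logs, "203.0.113.61", 3002, datetime(2015, 8, 14, 13, 41, 0)))
```

The NAT IP address and port alone identify a subscriber only together with a timestamp, which is why the lookup takes `when` as a required argument.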

Displaying Current DS-Lite Sessions

You can display the current DS-Lite sessions for detecting any unwanted or inefficient sessions on the NetScaler appliance. You can display all or some DS-Lite sessions, on the basis of selection parameters.

Configuration Using the Command Line Interface

To display all DS-Lite sessions by using the command line interface

At the command prompt, type:

show lsn session -nattype DS-Lite

To display selected DS-Lite sessions by using the command line interface

At the command prompt, type:

show lsn session -nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]

Example

The following sample output displays all DS-Lite sessions existing on a NetScaler appliance:

> show lsn session -nattype DS-Lite

  B4-Address SubscrIP SubscrPort SubscrTD DstIP DstPort DstTD NatIP NatPort Proto Dir
1. 2001:DB8::3:4 192.0.2.51 2552 0 198.51.100.250 80 0 203.0.113.61 3002 TCP OUT
2. 2001:DB8::3:4 192.0.2.51 3551 0 198.51.100.300 80 0 203.0.113.61 52862 TCP OUT
3. 2001:DB8::3:4 192.0.2.100 4556 0 198.51.100.250 0 0 203.0.113.61 48116 ICMP OUT
4. 2001:DB8::190 192.0.2.150 3881 0 198.51.100.199 80 0 203.0.113.69 48305 TCP OUT

Done

Configuration Using the Configuration Utility

To display all or selected DS-Lite sessions by using the configuration utility

  1. Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
  2. For displaying DS-Lite sessions on the basis of selection parameters, click Search.

Clearing DS-Lite Sessions

You can remove any unwanted or inefficient DS-Lite sessions from the NetScaler appliance. The appliance immediately releases the resources (such as NAT IP address, port, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected DS-Lite sessions from the NetScaler appliance.

To clear all DS-Lite sessions by using the command line interface

At the command prompt, type:

  • flush lsn session -nattype DS-Lite
  • show lsn session -nattype DS-Lite

To clear selected DS-Lite sessions by using the command line interface

At the command prompt, type:

  • flush lsn session -nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]
  • show lsn session -nattype DS-Lite

To clear all or selected DS-Lite sessions by using the configuration utility

  1. Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
  2. Click Flush Sessions.

Configuring DS-Lite Static LSN Maps

The NetScaler appliance supports manual creation of DS-Lite LSN mappings, which contain the mapping between the following information:

•  Subscriber's IP address and port, and IPv6 address of B4 device or component

•  NAT IP address and port

Static DS-Lite LSN mappings are useful in cases where you want to ensure that the connections initiated to a NAT IP address and port map to the subscriber IP address and port through the specified B4 device (for example, web servers located in the internal network).

Note: This feature is supported in release 11.0 build 64.x and later.

To create a DS-Lite static LSN mapping by using the command line

At the command prompt, type:

  • add lsn static <name> <transportprotocol> <subscrIP> <subscrPort> [-td <positive_integer>] [-network6 <B4_ADDR>] [<natIP> [<natPort>]] [-destIP <ip_addr> [-dsttd <positive_integer>]]
  • show lsn static 

To create a DS-Lite static LSN mapping by using the configuration utility

Navigate to System > Large Scale NAT > Static, and add a new DS-Lite static LSN mapping.

Parameter Descriptions

add lsn static

name

Name for the LSN static mapping entry. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN group is created. The following requirement applies only to the NetScaler CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "ds-lite lsn static1" or 'ds-lite lsn static1'). This is a mandatory argument. Maximum Length: 127

transportprotocol

Protocol for the DS-Lite LSN mapping entry.

subscrIP

IPv4 address of a subscriber for the DS-Lite LSN mapping entry.

subscrPort

Port of the subscriber for the DS-Lite LSN mapping entry.

Network6

IPv6 address of the B4 device or component.

td

ID of the traffic domain to which the B4 device belongs. The IPv6 address of the B4 device is specified in the network6 parameter. If you do not specify an ID, the B4 device is assumed to be a part of the default traffic domain.

natIP

IPv4 address, already existing on the NetScaler appliance as type LSN, to be used as NAT IP address for this mapping entry.

natPort

NAT port for this DS-Lite LSN mapping entry.

destIP

Destination IP address for the DS-Lite LSN mapping entry.

dsttd

ID of the traffic domain through which the destination IP address for this DS-Lite LSN mapping entry is reachable from the NetScaler appliance. If you do not specify an ID, the destination IP address is assumed to be reachable through the default traffic domain, which has an ID of 0.

Configuring Deterministic NAT Allocation for DS-Lite

Deterministic NAT allocation for DS-Lite LSN deployments is a type of NAT resource allocation in which the NetScaler appliance pre-allocates, from the LSN NAT IP pool and on the basis of the specified port block size, an LSN NAT IP address and a block of ports to each subscriber (subscriber behind B4 device).

Note: This feature is supported in release 11.0 build 64.x and later.

The appliance sequentially allocates NAT resources to these subscribers. It assigns the first block of ports on the beginning NAT IP address to the beginning subscriber IP address. The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. At that point, the first port block on the next NAT address is assigned to the subscriber, and so on.

The NetScaler appliance logs the allocated NAT IP address and the port block for a subscriber.  For a connection, a subscriber can be identified by just its mapped NAT IP address and port block. For this reason, the NetScaler appliance does not log the creation or deletion of an LSN session.

A DS-Lite subscriber can have only one deterministic port block. If the entire block of ports is being used, the NetScaler appliance drops any new connection from the subscriber.

Example: Deterministic DS-Lite

In this example, a deterministic DS-Lite configuration includes four subscribers with IP addresses 192.0.17.5, 192.0.17.6, 192.0.17.7, and 192.0.17.8. These IPv4 subscribers are behind a B4 device having the IPv6 address 2001:DB8::3:4. In this configuration, the port block size is set to 20480 and the LSN NAT IP address pool has IP addresses in the range 203.0.113.41-203.0.113.42.

The NetScaler appliance sequentially pre-allocates, from the LSN NAT IP pool and on the basis of the set port block size, an LSN NAT IP address and a block of ports to each subscriber. It assigns the first block of ports (1024-21503) on the beginning NAT IP address (203.0.113.41) to the beginning subscriber IP address (192.0.17.5). The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. At that point, the first port block on the next NAT IP address is assigned to the subscriber, and so on. The NetScaler logs the NAT IP address and the block of ports allocated for each subscriber.

The NetScaler appliance does not log any LSN session created or deleted for these subscribers.

The following table lists the NAT IP address and blocks of ports allocated to each subscriber in this example:

| Subscriber IP address | Allocated NAT IP address | Allocated Block of Ports | IPv6 address of B4 |
|---|---|---|---|
| 192.0.17.5 | 203.0.113.41 | 1024 - 21503 | 2001:DB8::3:4 |
| 192.0.17.6 | 203.0.113.41 | 21504 - 41983 | 2001:DB8::3:4 |
| 192.0.17.7 | 203.0.113.41 | 41984 - 62463 | 2001:DB8::3:4 |
| 192.0.17.8 | 203.0.113.42 | 1024 - 21503 | 2001:DB8::3:4 |
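
The sequential allocation described above, as an added example (not NetScaler code and not part of the original documentation). Because sessions are not logged in deterministic mode, the reverse lookup from a NAT IP address and port to a subscriber has to be recomputed from the configuration, which `subscriber_for` does. The function names, the usable port range of 1024 to 65535 and the rule that subscribers are served in the order listed are assumptions inferred from the table.

```python
import ipaddress

# Assumption: usable NAT ports run from 1024 (the start of the first block in
# the table above) to 65535, and subscribers are served in the order listed.
FIRST_PORT, LAST_PORT = 1024, 65535


def blocks_per_nat_ip(block_size):
    """Whole port blocks that fit on one NAT IP address."""
    return (LAST_PORT - FIRST_PORT + 1) // block_size


def allocate(subscribers, nat_first, nat_last, block_size):
    """Map each (B4 address, subscriber IPv4) to (NAT IP, first port, last port)."""
    per_ip = blocks_per_nat_ip(block_size)
    first = int(ipaddress.IPv4Address(nat_first))
    nat_ips = int(ipaddress.IPv4Address(nat_last)) - first + 1
    if len(subscribers) > per_ip * nat_ips:
        raise ValueError("NAT pool has too few port blocks for these subscribers")
    table = {}
    for index, subscriber in enumerate(subscribers):
        # Fill every block of one NAT IP before moving to the next NAT IP.
        ip_index, block = divmod(index, per_ip)
        low = FIRST_PORT + block * block_size
        table[subscriber] = (str(ipaddress.IPv4Address(first + ip_index)),
                             low, low + block_size - 1)
    return table


def subscriber_for(subscribers, nat_first, nat_last, block_size, nat_ip, nat_port):
    """Reverse lookup: NAT IP and port -> (B4 address, subscriber IPv4) or None."""
    per_ip = blocks_per_nat_ip(block_size)
    first = int(ipaddress.IPv4Address(nat_first))
    last = int(ipaddress.IPv4Address(nat_last))
    address = int(ipaddress.IPv4Address(nat_ip))
    if not first <= address <= last or not FIRST_PORT <= nat_port <= LAST_PORT:
        return None
    block = (nat_port - FIRST_PORT) // block_size
    if block >= per_ip:
        return None            # leftover ports above the last whole block
    index = (address - first) * per_ip + block
    return subscribers[index] if index < len(subscribers) else None


if __name__ == "__main__":
    b4 = "2001:DB8::3:4"
    subs = [(b4, ip) for ip in ("192.0.17.5", "192.0.17.6", "192.0.17.7", "192.0.17.8")]
    for sub, block in allocate(subs, "203.0.113.41", "203.0.113.42", 20480).items():
        print(sub, block)
    print(subscriber_for(subs, "203.0.113.41", "203.0.113.42", 20480, "203.0.113.41", 50000))
```

With a block size of 20480, three whole blocks fit on each NAT IP address, so ports 62464 to 65535 are never allocated and the fourth subscriber moves to 203.0.113.42.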

Configuration Steps

You need to configure deterministic NAT as part of the DS-Lite configuration. For instructions on configuring DS-Lite, see Configuring DS-Lite.

While configuring DS-Lite, make sure that you:

  • Set the NAT Type parameter to Deterministic when adding the LSN pool and the LSN group.
  • Set the desired port block size parameter when adding the LSN group, unless you can accept the default value.

Points to Consider before Configuring Deterministic DS-Lite:

Consider the following points before configuring deterministic DS-Lite:

  • The complete IP address of each subscriber must be specified in a separate add lsn client command, by setting the Network and Netmask parameters. (Set Netmask to 255.255.255.255.) Also, the IPv6 address of the B4 device specified in the Network6 parameter must be complete (/128 prefix). In other words, the Network and Network6 parameters accept only addresses with a /32 bit mask and a /128 prefix, respectively.
  • The NetScaler appliance drops connections from subscribers that are not specified in any deterministic DS-Lite configuration but are behind B4 devices specified in a deterministic DS-lite configuration.
  • The NetScaler appliance recognizes subscribers having the same IPv4 address as different subscribers if they are behind different B4 devices. A combination of subscriber IPv4 address and B4 device defines a unique subscriber in the LSN client entity of a DS-Lite configuration.

Sample Deterministic DS-Lite Configuration

The following configuration uses the settings listed in section Example: Deterministic DS-Lite.

> add lsn client LSN-DSLITE-CLIENT-10
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.5 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.6 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.7 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.8 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> add lsn pool LSN-DSLITE-POOL-10 -nattype DETERMINISTIC
Done

> bind lsn pool LSN-DSLITE-POOL-10 203.0.113.41-203.0.113.42
Done

> add lsn ip6profile LSN-DSLITE-PROFILE-10 -type DS-Lite -network6 2001:DB8::5:6
Done

> add lsn group LSN-DSLITE-GROUP-10 -clientname LSN-DSLITE-CLIENT-10 -nattype DETERMINISTIC -portblocksize 20480 -ip6profile LSN-DSLITE-PROFILE-10
Done

> bind lsn group LSN-DSLITE-GROUP-10 -poolname LSN-DSLITE-POOL-10
Done