Tip
This is the documentation for the 21.07 version. Looking for the documentation of the latest version? Have a look here.
MAP Configuration
MAP configurations consist of MAP domains, MAP rules, and interface configuration.
MAP Domains
A MAP domain encompasses a set of addresses, translation parameters, and MAP rules. Groups of CE devices belong to specific MAP domains.
A MAP domain is created using the nat nat64 map <domain name> command from within config mode. That command enters config-map mode.
This mode, config-map, contains a number of MAP options specific to a MAP domain:
- description:
A short text description noting the name or purpose of this MAP domain.
- port-set <length|offset>:
A port set is, as the name implies, a set of ports. This is typically divided up into multiple sets of ports, the exact size and ranges of which are calculated using the port set length and offset, discussed next. With MAP, users are overloaded onto a single IP address, with different port sets on a single IP address being allocated to multiple users. In this way, users can share individual IP addresses but only have access to specific ranges of ports.
- port-set length <psid-length>:
Determines the number of port sets to allocate inside the available 16-bit port range (1-65536). A larger port set length allows for more users to share an address, but allocates them each a smaller number of ports. For example, a port set length of 8 uses 8 bits to define the port set, leaving the remaining 8 bits for use by each customer, or 256 ports each.
- port-set offset <psid-offset>:
Determines the position of the port set identifier inside the available bits which represent the port. An offset of 0 means the identifier is first, and the ports per user will be contiguous. Placing the offset in the middle of the available space will allow users to utilize multiple ranges that are not contiguous, but each user will have slightly fewer ports available. For example, with a port set length of 8, but an offset of 2, each user can utilize only 192 ports instead of 256, since it is split into three ranges of 64 ports each. The offset cannot be larger than the port set length subtracted from the total available bits (16).
There are minor security benefits when using multiple non-contiguous port ranges since it is more difficult for an attacker to guess which ports belong to a given customer, but the loss of port capacity may outweigh this benefit in most environments.
- embedded-address bit-length <ea-width>:
The Embedded Address Bits value is the sum of the bits needed for the IPv4 prefix and the port set length. For example, if the IPv4 prefix is a /24, that requires 8 bits to embed and allows 256 addresses for users. A port set length of 8 allows for 256 port sets. With a port set offset of 0, this yields a maximum of 65,536 users sharing 256 IPv4 addresses, each of which can use 256 ports.
Note
To utilize MAP rules, this value must be 0.
- ipv4 prefix <ip4-prefix>:
The IPv4 Prefix is the available pool of IPv4 addresses which can be utilized by MAP clients. The size of this prefix must be represented in the Embedded Address Bits. For example, a /24 prefix network requires 8 bits to uniquely identify an address.
- ipv6 prefix <ip6-prefix>:
The IPv6 prefix contains the range of possible addresses assigned to clients. The end-user network must be at least a /64 prefix, leaving 64 bits to represent both this prefix and the embedded address bits. The smallest possible IPv6 prefix will be 128 bits less the sum of the end user network and embedded address bits. For example, with an embedded address length of 16, 48 bits remain for the IPv6 prefix. Shorter prefixes (e.g. /44) allow for additional IPv6 subnets to be assigned to clients.
- ipv6 source <ip6-src>:
The IPv6 source address on the router used as the MAP domain BR address and Tunnel source. This address should exist on the interface used for mapping. For MAP-T, this must have a prefix length of either /64 or /96. For MAP-E, this is a single address (/128) and not a prefix.
- mtu <mtu-val>:
The Maximum Transmission Unit (MTU) is the largest packet which can traverse the link without fragmentation. This must be set appropriately because MAP fragment handling depends on it: the information required to calculate targets is only in the first packet and not in additional fragments.
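Added example, not TNSR code and not part of the original documentation: the sizing rules from the option list above, plus the reverse lookup from a logged port to its port set ID that abuse handling on a shared IPv4 address relies on. It assumes the RFC 7597 port layout, which matches the 192-port figure given for offset 2; the function names and sample prefixes are hypothetical.

```python
import ipaddress

PORT_BITS = 16  # width of a TCP/UDP port number

def plan_domain(ipv4_prefix, ipv6_prefix, psid_length, psid_offset):
    """Size a MAP domain and enforce the limits stated in the option list."""
    v4 = ipaddress.ip_network(ipv4_prefix)
    v6 = ipaddress.ip_network(ipv6_prefix)
    if psid_offset > PORT_BITS - psid_length:
        raise ValueError("port-set offset exceeds 16 minus port-set length")
    ea_bits = (32 - v4.prefixlen) + psid_length  # IPv4 suffix bits + PSID bits
    if v6.prefixlen + ea_bits > 64:
        raise ValueError("IPv6 prefix plus EA bits must fit in 64 bits")
    per_range = 1 << (PORT_BITS - psid_offset - psid_length)
    n_ranges = (1 << psid_offset) - 1 if psid_offset else 1
    return {"ea_bits": ea_bits, "max_users": 1 << ea_bits,
            "ports_per_user": n_ranges * per_range}

def port_ranges(psid, psid_length, psid_offset):
    """Inclusive (first, last) port ranges owned by one port set ID."""
    m = PORT_BITS - psid_offset - psid_length  # contiguous bits per range
    # With a non-zero offset the all-zero leading block is not handed out,
    # which is why offset 2 yields three ranges rather than four.
    first = 1 if psid_offset else 0
    ranges = []
    for a in range(first, 1 << psid_offset):
        start = (a << (PORT_BITS - psid_offset)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges

def psid_of_port(port, psid_length, psid_offset):
    """Recover the port set ID from a port seen in a log or flow record."""
    if psid_offset and port >> (PORT_BITS - psid_offset) == 0:
        return None  # port lies in the excluded block; no port set owns it
    m = PORT_BITS - psid_offset - psid_length
    return (port >> m) & ((1 << psid_length) - 1)

if __name__ == "__main__":
    # Constructed sample values: documentation prefixes, not a real deployment.
    print(plan_domain("192.0.2.0/24", "2001:db8::/32", 8, 2))
    print(port_ranges(1, 8, 2))
    print(psid_of_port(32850, 8, 2))
```

Combining the recovered port set ID with the shared IPv4 address identifies the customer only when logs record the source port alongside the address.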
MAP Rules
MAP rules exist inside a MAP domain and are configured from within config-map mode. MAP rules map specific port sets to specific MAP CE end user addresses. These are 1:1 manual mappings and take the place of automatic calculation, and as such to use MAP rules, the embedded-address bit-length must be 0.
A MAP rule takes the following form:
rule port-set <psid> ipv6-destination <ip6-destination>
The components of a rule are:
- port-set <psid>:
The port set ID (PSID) to match for this rule.
- ipv6-destination <ip6-destination>:
The MAP CE IPv6 address to associate with this specific port set ID.
MAP Interface Configuration
TNSR must be told which interface is used with MAP, and how that interface will operate.
Within config-interface mode (Configure Interfaces), there are two possible settings for MAP:
- map <enable|disable>:
Enables or disables MAP for this interface.
- map translate:
When present and MAP is enabled, the interface operates in translate mode (MAP-T). When not set, encapsulation is used instead (MAP-E).
View MAP Configuration
The MAP configuration can be viewed with the show map [<map-domain-name>] command. Without a given domain name, information is printed for all MAP domains, plus the MAP parameters.
tnsr# show map cpoc
Name IP4 Prefix     IP6 Prefix    IP6 Src Pref             EA Bits PSID Off PSID Len MTU
---- -------------- ------------- ------------------------ ------- -------- -------- ----
cpoc 192.168.1.0/24 2001:db8::/32 1234:5678:90ab:cdef::/64 16      6        4        1280

tnsr# show map
MAP Parameters
--------------
Fragment: outer
Fragment ignore-df: false
ICMP source address: 0.0.0.0
ICMP6 unreachable msgs: disabled
Pre-resolve IPv4 next hop: 0.0.0.0
Pre-resolve IPv6 next hop: ::
Security check enabled: true
Security check fragments enabled: false
Traffic-class copy: enabled
Traffic-class value: 0

Name IP4 Prefix     IP6 Prefix    IP6 Src Pref             EA Bits PSID Off PSID Len MTU
---- -------------- ------------- ------------------------ ------- -------- -------- ----
cpoc 192.168.1.0/24 2001:db8::/32 1234:5678:90ab:cdef::/64 16      6        4        1280