
Hillstone Networks IPv6 Overall Solution

IPv6 Overall Solution
Hillstone Networks Inc., March 10, 2016

Revision history: Version | Submitted by | Reviewed by | Updated content | Date
V1 | | | | 2016/3/10

Contents
1 Requirements Analysis
2 Solution
2.1 Device Information
2.2 Topology
2.3 Main Configuration
2.3.1 Headquarters
2.3.2 Branch 1 (simulated environment; Internet access not considered)
2.3.3 Branch 2
3 Deployment Results

1 Requirements Analysis

A customer has more than 100 offices, all connected via China Telecom fiber, and needs to migrate gradually from IPv4 to IPv6 addressing. In this scenario, interworking between IPv4 and the IPv6 intranet must be achieved.

The scenario is simulated as follows: one headquarters (HQ) and two branches. The HQ intranet uses IPv6 addresses and its external (WAN) address is IPv4; Branch 1 is IPv4 externally and IPv6 internally; Branch 2 uses IPv4 both internally and externally.

The requirements are as follows:

A. HQ IPv6 hosts can reach IPv4 resources on the Internet, and HQ IPv6 hosts can be reached by Internet users.

B. The IPv6 networks of HQ and Branch 1 communicate with each other through a 6in4 tunnel over the public network.

C. The IPv4 networks of HQ and Branch 2 communicate with each other.

2 Solution

2.1 Device Information

2.2 Topology

[Topology diagram; recovered labels: Branch 1, 2005::2/96]

2.3 Main Configuration

2.3.1 Headquarters

A. Interfaces

interface ethernet0/1
zone "untrust"
ip address 200.0.0.2 255.255.255.0
manage http
exit
interface ethernet0/2
zone "trust"
dns-proxy
ipv6 enable
ipv6 address 2005::1/96
manage ping
exit
interface tunnel1
zone "trust"
ipv6 enable
tunnel ip6in4 "fenzhi1"
exit

B. NAT and routing

ip vrouter "trust-vr"
snatrule id 1 from "2005::/96" to "2003::/96" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport   # SNAT for HQ Internet access
snatrule id 2 from "2005::2/96" to "2004::2" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport   # SNAT for communication with Branch 2
snatrule id 3 from "Any" to "200.0.0.2" service "Any" eif ethernet0/2 trans-to 2005::1 mode dynamicport   # SNAT for a known public IP accessing the HQ IPv6 server
dnatrule id 1 from "2005::/96" to "2003::/96" service "Any" v4-mapped   # DNAT for HQ Internet access
dnatrule id 2 from "2005::2/96" to "2004::2" service "Any" trans-to "200.0.0.4"   # DNAT for communication with Branch 2
dnatrule id 3 from "Any" to "200.0.0.2" service "Any" trans-to "2005::2"   # DNAT for a known public IP accessing the HQ IPv6 server
ip route 0.0.0.0/0 200.0.0.1
ipv6 route 2001::/96 tunnel1
exit

C. Policy

rule id 1
action permit
src-addr "Any"
dst-addr "Any"
service "Any"
exit
rule id 2
action permit
src-ip 2005::/96
dst-ip 2004::/96
service "Any"
exit
rule id 3
action permit
src-ip 2005::/96
dst-ip 2003::/96
service "Any"
exit
rule id 4
action permit
src-ip 2005::/96
dst-ip 2001::/96
service "Any"
exit
rule id 5
action permit
src-ip 2001::/96
dst-ip 2005::/96
service "Any"
exit
rule id 6
action permit
src-addr "IPv6-any"
dst-addr "IPv6-any"
service "Any"
exit

D. Other configuration

tunnel ip6in4 "fenzhi1" manual
interface "ethernet0/1"
destination 200.0.0.3
exit
ip name-server 8.8.8.8 vrouter trust-vr
ip dns-proxy domain any name-server 8.8.8.8 vrouter trust-vr
ipv6 dns64-proxy id 1 prefix 2003::/96 source 2005::/96 trans-mapped-ip any

2.3.2 Branch 1 (simulated environment; Internet access not considered)

A. Interfaces

interface ethernet0/1
zone "untrust"
ip address 200.0.0.3 255.255.255.0
manage ping
exit
interface ethernet0/2
zone "trust"
ipv6 enable
ipv6 address 2001::1/96
manage ping
exit
interface tunnel1
zone "trust"
ipv6 enable
tunnel ip6in4 "zongbu"
exit

B. NAT and routing

ip vrouter "trust-vr"
ip route 0.0.0.0/0 200.0.0.1
ipv6 route 2005::/96 tunnel1
exit

C. Policy

rule id 1
action permit
src-addr "Any"
dst-addr "Any"
service "Any"
exit
rule id 33
action permit
src-ip 2001::/96
dst-ip 2005::/96
service "Any"
exit
rule id 34
action permit
src-ip 2005::/96
dst-ip 2001::/96
service "Any"
exit
rule id 35
action permit
src-addr "IPv6-any"
dst-addr "IPv6-any"
service "Any"
exit

D. Other configuration

tunnel ip6in4 "zongbu" manual
interface "ethernet0/1"
destination 200.0.0.2
exit

2.3.3 Branch 2

A. Interfaces

interface ethernet0/3
zone "trust"
ip address 192.168.2.1 255.255.255.0
manage ping
exit
interface ethernet0/4
zone "untrust"
ip address 200.0.0.4 255.255.255.0
manage ping
exit

B. NAT and routing

ip vrouter "trust-vr"
snatrule id 1 from "Any" to "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport
dnatrule id 1 from "200.0.0.2" to "200.0.0.4" service "Any" trans-to "192.168.2.254"
ip route 0.0.0.0/0 200.0.0.1
exit

C. Policy

rule id 1
action permit
src-addr "Any"
dst-addr "Any"
service "Any"
exit

3 Deployment Results

With the configuration above, the following is achieved:

A. HQ can access public IPv4 domain names and fixed public IP addresses; Internet users can access the HQ intranet server.
B. HQ and Branch 1 can communicate with each other.
C. HQ and Branch 2 can communicate with each other.

Notes:

A. Because of the limitations of NAT64, if a public IP is not fixed and cannot be resolved from a domain name, the HQ side cannot reach that IP (a fixed translation rule would have to be added on the firewall).
B. When a policy references the IPv6 "any" address book, use the "IPv6-any" address book.
C. The DNS server of HQ PCs must point to the internal interface IP of the HQ firewall, i.e. 2005::1.
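As an added illustration (not Hillstone's code and not part of the original document), the following Python models the three HQ egress paths configured above and the RFC 6052 /96 address embedding that the dns64-proxy prefix 2003::/96 relies on; the helper names and the sample addresses are assumptions, while the prefixes and the 2004::2 to 200.0.0.4 mapping are taken from the configuration.

```python
import ipaddress
from typing import Optional, Tuple

# Values taken from the HQ configuration above (this is a model, not firewall code).
NAT64_PREFIX = ipaddress.IPv6Network("2003::/96")   # dns64-proxy prefix, dnatrule id 1 (v4-mapped)
HQ_LAN = ipaddress.IPv6Network("2005::/96")         # HQ intranet
BRANCH1_LAN = ipaddress.IPv6Network("2001::/96")    # reached untranslated over tunnel1 (6in4)
# Static IPv6 -> IPv4 mapping for Branch 2 (dnatrule id 2).
STATIC_MAP = {ipaddress.IPv6Address("2004::2"): ipaddress.IPv4Address("200.0.0.4")}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64-style synthesis: embed the IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are modelled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 side: recover the embedded IPv4 address, or None if the address is not in the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def hq_egress_path(src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Classify a flow from the HQ LAN by the translation path the HQ rules apply.

    Returns (path, translated_ipv4). "none" means no NAT rule on this page matches
    and the packet is handled by plain IPv6 routing only.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s not in HQ_LAN:
        return ("none", None)
    if d in BRANCH1_LAN:
        return ("tunnel1", None)                      # ipv6 route 2001::/96 tunnel1
    if d in STATIC_MAP:
        return ("nat46-static", str(STATIC_MAP[d]))   # dnatrule id 2 + snatrule id 2
    if d in NAT64_PREFIX:
        return ("nat64", extract_ipv4(dst))           # dnatrule id 1 v4-mapped + snatrule id 1
    return ("none", None)


if __name__ == "__main__":
    # Constructed sample: the AAAA a DNS64 proxy would return for 8.8.8.8, and its reverse.
    aaaa = synthesize_aaaa("8.8.8.8")
    print(aaaa, extract_ipv4(aaaa), hq_egress_path("2005::2", aaaa))
```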
