User:Ma xyz/sandbox

IPv6 over IPv4 tunneling allows access to the IPv6 Internet in the absence of a native IPv6 access provider (or the interconnection of IPv6 islands over an IPv4 infrastructure). Cisco routers support automatic (6to4, ISATAP) and configured IPv6 over IPv4 tunneling.

IMAGE overview

IPv6 packets are encapsulated directly behind the IPv4 header; the protocol field of the IPv4 header is set to 41.

IMAGE 6over4 packet

The presented config examples have been tested with IOS 12.4(22)T SP Services.

Basic internet access router IPv6 configurations
Enabling IPv6 routing & CEF:

ipv6 unicast-routing
ipv6 cef

IPv6 default route:

ipv6 route ::/0 <next-hop-address-or-interface>

IPv4/IPv6 dual-stack interface (most probably your inside interface will be dual-stack):

interface <interface-name>
 description DUAL-STACK-INTERFACE
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

IPv6-only interface:

interface <interface-name>
 description IPV6-ONLY-INTERFACE
 no ip address
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

ACL for incoming traffic:

!
interface <interface-name>
 description IPV6-OUTSIDE
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPv6-OUTSIDE in
!
ipv6 access-list IPv6-OUTSIDE
 permit icmp any any
!

The inbound ACL on the outside interface permits only ICMPv6 traffic; everything else arriving from the outside is dropped.

IOS Firewall CBAC for outgoing traffic:

!
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface <interface-name>
 description IPV6-INSIDE
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!

Cisco IOS Firewall for IPv6 currently supports CBAC (Context-Based Access Control) with basic inspect rules for TCP, UDP and ICMP and an application-layer inspect rule for FTP. In the sample above all of them are configured for basic outgoing Internet access.

6to4 automatic tunnel - Public 6to4 relay
When used for public Internet access, 6to4 tunneling relies on public 6to4 relays reachable on the IPv4 Internet through the anycast address 192.88.99.1. The 6to4 prefix is 2002::/16; the next 32 bits are the public IPv4 address of the tunnel endpoint, so every public IPv4 address has a corresponding /48 IPv6 network, and with it 65k /64 subnets, for "free".

Define 6to4 prefix:

ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
!
interface FastEthernet0/0
 ip address 198.18.0.1 255.255.255.0

The name 6TO4PREFIX can now be used as a placeholder for an IPv6 prefix constructed as follows:

IMAGE 6to4prefix

Apply an IPv6 address to the internal interface (normally you would want to configure the internal interface dual-stack, although IPv6-only is possible):

interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
 ipv6 enable

Configure the 6to4 tunnel interface:

interface Tunnel0
 description 6TO4-TUNNEL
 no ip address
 no ip redirects
 ipv6 enable
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip 6to4

Configure a "recursive" default route as follows:

ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::

The IPv6 default route points to the 6to4 address of the anycast relay (c058:6301 = 192.88.99.1). Because that next hop itself lies within 2002::/16, the default route resolves recursively to Tunnel0, and all traffic destined to 2002::/16 is sent directly through the 6to4 tunnel interface (Tunnel0).
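The prefix arithmetic above and the protocol-41 encapsulation from the overview, as an added Python example (not code from the original page): it derives the 6to4 /48 and a subnet address from an IPv4 address, builds a constructed 6in4 packet, and applies the RFC 3964 consistency check a 6to4 router should make on decapsulation (the IPv4 address embedded in a 2002::/16 source must match the outer IPv4 source). Function names, the packet builder and the address 2001:db8::1 are mine; 198.18.0.1 and 192.88.99.1 are the page's values.

```python
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41                             # IPv4 protocol number used by 6to4, 6in4 and ISATAP
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(v4):
    """2002::/16 followed by the 32-bit IPv4 address of the tunnel endpoint gives the site's /48."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def sixto4_address(v4, subnet, host):
    """One of the 65536 /64 subnets of that /48 plus a host part, like IOS '6TO4PREFIX ::1:0:0:0:1/64'."""
    addr = int(sixto4_prefix(v4).network_address) | (subnet << 64) | host
    return ipaddress.IPv6Interface((addr, 64))

def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample packet: 20-byte IPv4 header (protocol 41, checksum left 0) + 40-byte IPv6 header."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,   # version 6, no payload, next header 59
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_IPV6_ENCAP, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6

def check_6in4(pkt):
    """Decapsulate and apply the RFC 3964 source check: a 2002::/16 inner source must embed the
    outer IPv4 source; otherwise the IPv6 source is spoofed relative to the IPv4 host that sent it."""
    if pkt[9] != PROTO_IPV6_ENCAP:
        return {"encapsulated": False}
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner = pkt[ihl:]
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    consistent = True
    if inner_src in SIXTO4_NET:
        embedded = ipaddress.IPv4Address((int(inner_src) >> 80) & 0xFFFFFFFF)
        consistent = embedded == outer_src
    return {"encapsulated": True, "outer_src": str(outer_src), "inner_src": str(inner_src),
            "inner_dst": str(inner_dst), "source_consistent": consistent}

if __name__ == "__main__":
    print(sixto4_prefix("192.88.99.1"), sixto4_address("198.18.0.1", 1, 1))
    pkt = build_6in4("198.18.0.1", "192.88.99.1", "2002:c612:1:1::1", "2001:db8::1")
    print(check_6in4(pkt))
```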

Complete IPv4/IPv6 6to4 access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description 6TO4-TUNNEL
 no ip address
 no ip redirects
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
 ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!
! IPv4 default route via the outside (WAN) interface
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 192.88.99.1 host 198.18.0.1
!
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

Configured 6in4 tunnel - Tunnelbroker
Disadvantages of public 6to4 relays (anycast 192.88.99.1) are their unknown service quality and availability and the likelihood of asymmetric routing. This can be avoided with a tunnel broker service, which provides a fixed, configured IPv6 tunnel and the possibility of having a "real" IPv6 prefix routed to you, or even of announcing one's own (RIR-allocated) IPv6 prefix. Hurricane Electric and SixXS provide IPv6 tunnels, routed /48 prefixes and even BGP access for free.

Example IPv6 tunnel parameters:
 * Tunnelbroker IPv4 address: 1.2.3.4
 * Tunnelbroker IPv6 tunnel endpoint: 2001:db8:5678:1::1
 * Our IPv6 tunnel endpoint: 2001:db8:5678:1::2
 * Our routed /48 prefix: 2001:db8:5678::/48

Apply an IPv6 /64 subnet to the internal interface (for our example we choose subnet 1):

interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

Configure the IPv6 tunnel interface:

interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip

Configure the IPv6 default route:

ipv6 route ::/0 2001:db8:5678:1::1

Complete IPv4/IPv6 6in4/Tunnelbroker access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!
! IPv4 default route via the outside (WAN) interface
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 1.2.3.4 host 198.18.0.1
!
ipv6 route ::/0 2001:db8:5678:1::1
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

LAN IPv6 Hosts
In an IPv6 LAN you can, but do not need to, use DHCP for address assignment. The preferred process is stateless autoconfiguration using router discovery and router advertisements. As soon as you connect an IPv6-enabled host to your LAN it sends an ICMPv6 router solicitation (router discovery) message, and the router answers by advertising the locally configured subnet prefix (in our example above 2001:db8:1234:1::/64). The host then configures its local IPv6 address (interface identifier) as described here. Some hosts (e.g. Windows XP) additionally assign temporary, randomly generated identifiers and prefer these over the EUI-64 identifier.

ISATAP
If you want to connect a more complex network to the IPv6 Internet you may find that some of your internal layer 3 devices (e.g. lower-end Cisco Catalyst switches) do not currently support IPv6 routing. You can either implement configured tunnels between the IPv6 islands or use the automatic tunneling mechanism ISATAP.

IMAGE isatap

ISATAP uses the underlying IPv4 network as an NBMA layer 2 network. A host's ISATAP IPv6 interface identifier is constructed by concatenating 00x0:5efe with the IPv4 address as the last 32 bits. If the IPv4 address is global, x=1; otherwise x=0.
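The identifier construction described above, as an added Python example (not code from the original page): it derives the link-local and global ISATAP addresses for the page's 192.168.0.1 router and, following RFC 5214, sets the u bit (0200:5efe) when the IPv4 address is global; the reverse lookup maps an ISATAP address back to the IPv4 host, which is what you need when correlating IPv6 flow logs with the IPv4 source that really sent the traffic. Function names are mine; because Python's ipaddress module treats the RFC 5737 documentation ranges as private, 192.88.99.1 stands in as the global example.

```python
import ipaddress

ISATAP_TAG = 0x5EFE          # the fixed 5efe marker in an ISATAP interface identifier (RFC 5214)

def isatap_iid(v4):
    """Build the 64-bit ISATAP interface identifier for an IPv4 address.
    Private IPv4 -> 0000:5efe:w.x.y.z; global IPv4 -> u bit set -> 0200:5efe:w.x.y.z."""
    a = ipaddress.IPv4Address(v4)
    iid = (ISATAP_TAG << 32) | int(a)
    if not a.is_private:
        iid |= 0x0200 << 48  # universal/local bit of the modified EUI-64 format
    return iid

def isatap_addresses(prefix, v4):
    """Link-local and global ISATAP addresses a host (or the IOS tunnel with 'eui-64') derives."""
    iid = isatap_iid(v4)
    link_local = ipaddress.IPv6Address((0xFE80 << 112) | iid)
    glob = ipaddress.IPv6Address(int(ipaddress.IPv6Network(prefix).network_address) | iid)
    return str(link_local), str(glob)

def isatap_embedded_ipv4(v6):
    """Recover the IPv4 address from an ISATAP address, or None if the IID is not ISATAP-shaped."""
    iid = int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFFFFFFFFFF
    upper = (iid >> 32) & 0xFDFFFFFF       # mask out only the u bit so both 0000:5efe and 0200:5efe match
    if upper != ISATAP_TAG:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))

if __name__ == "__main__":
    print(isatap_addresses("2001:db8:1234:1::/64", "192.168.0.1"))   # the page's Tunnel1 address
    print(isatap_embedded_ipv4("2001:db8:1234:1:0:5efe:c0a8:1"))
```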

The router internal LAN interface does not need to be IPv6 enabled:

interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0

Configure the ISATAP tunnel interface using an available IPv6 prefix:

interface Tunnel1
 description ISATAP
 no ip address
 no ip redirects
 ipv6 address 2001:db8:1234:1::/64 eui-64
 no ipv6 nd ra suppress
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip isatap

"no ipv6 nd ra suppress" is required to enable router advertisements on a tunnel interface (they are disabled there by default).

Configuring an "eui-64" interface identifier together with tunnel mode "isatap" results in an assigned ISATAP IPv6 address corresponding to the IPv4 address of the FastEthernet0/1 interface:

RouterISATAP#sh ipv6 int brief
Tunnel1                    [up/up]
    FE80::5EFE:C0A8:6447
    2001:db8:1234:1:0:5EFE:C0A8:1

Complete IPv4/IPv6 6in4/Tunnelbroker & ISATAP access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip
!
interface Tunnel1
 description ISATAP
 no ip address
 no ip redirects
 ipv6 address 2001:db8:1234:1::/64 eui-64
 no ipv6 nd ra suppress
 ipv6 inspect V6-INSPECT in
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip isatap
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
!
! IPv4 default route via the outside (WAN) interface
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 1.2.3.4 host 198.18.0.1
!
ipv6 route ::/0 2001:db8:5678:1::1
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

The NBMA nature of the underlying IPv4 network prevents the use of multicast ICMPv6 router solicitation; ISATAP hosts therefore discover the router either via DNS or via a preconfigured router list.

Configuring the ISATAP router on a Windows XP host:

netsh interface ipv6 isatap set router 192.168.0.1

DNS
If you connect to the IPv6 Internet via one of the described transition mechanisms you most probably do not have access to an IPv6-enabled DNS server (unless you run one yourself). In a dual-stack environment this is not a problem, as DNS resolution is independent of the network protocol used to carry the query (you can request an IPv6 address for a name from an IPv4 DNS server and vice versa).

The solution available today (e.g. Windows Vista, or Dibbler for other platforms) for a host to obtain an IPv6 DNS server address is DHCPv6. Future implementations will probably add the possibility of discovering DNS servers via router advertisements.