Yesterday I decided to try goofing around with IPv6 on my Cisco 871. I initially started by configuring some basic IPv6 addresses internally but that quickly got boring because there's not much to do with just three local machines. A few Google searches later and I set about hooking up a 6to4 tunnel so I could talk to the larger IPv6 Internet. The process is actually a lot simpler than I expected. I figured I'd share if anyone is interested in messing around with IPv6.
First, here's my topology:
Internet----FastEthernet4---Cisco871---VLAN 1---internal network
1. Go to http://www.tunnelbroker.net/ and register for an account. It's free of charge, but they do require your name, address, and phone number.
2. Once you have your account, log in and click "Create Regular Tunnel" from the menu on the left.
3. Put your OUTSIDE IP address in the box in the middle of the page, select the Tunnel server of your choosing and click Submit. Note, you NEED to have ICMP enabled on your home router, otherwise it won't provision a tunnel for you. If you block ICMP on your box, you'll need to allow it from the address they mention.
4. Once your tunnel is created you need to note down the following information:
Server IPv4 address - this is the IP address of the tunnel server your router will connect to.
Server IPv6 address - this is the IPv6 address you will set your default IPv6 route to point to.
Client IPv6 address - this is the IPv6 address that has been assigned to you for the tunnel interface.
Routed /64 - This is the IPv6 network prefix that will be routed to your "Client IPv6 Address." This is the prefix from which your client machines will create their IP addresses.
5. Generate the configuration. You can use the config tool they have on the tunnel information page; however, I think it generates a less-than-optimal configuration. This is what you need to get the tunnel up and running:
Code:
interface Tunnel0
 ipv6 address <your client ipv6 address>
 tunnel source FastEthernet4
 tunnel mode ipv6ip
 tunnel destination <server ipv4 address>
!
ipv6 route ::/0 <server ipv6 address>
!
interface Vlan 1
 ipv6 address <Routed /64> eui-64
 ipv6 mtu 1480
!
ipv6 unicast-routing
ipv6 cef
!
This config does a few things:
1. It creates an IPv6-in-IPv4 tunnel with the IPv6 address that was assigned to the tunnel. It also sets the tunnel destination to the IPv4 address of the tunnel server.
2. It sets the default IPv6 route to the server IPv6 address.
3. It assigns an IPv6 address to VLAN 1. The address is derived from the Routed /64 plus a unique interface identifier (the eui-64 keyword).
4. It sets the internal IPv6 interface MTU to 1480. Each packet is wrapped in an IPv4 packet (20 bytes), so 1500 - 20 = 1480 bytes.
This is enough to get basic IPv6 connectivity working between you and the rest of the IPv6-based Internet. However, you may want to also enable some security and DHCPv6. The security configuration is pretty straightforward, just a basic IOS firewall config:
Code:
ipv6 access-list firewallv6
 permit icmp any any
 deny ipv6 any any
!
ipv6 inspect name firewallv6 tcp
ipv6 inspect name firewallv6 udp
ipv6 inspect name firewallv6 icmp
!
interface Tunnel0
 ipv6 inspect firewallv6 out
 ipv6 traffic-filter firewallv6 in
!
Depending on the OS running on your clients, you may also want to enable DHCPv6 so you can provide an IPv6 DNS server address. I'm not doing this personally because Mac OS X sends all DNS queries via IPv4 and doesn't even support DHCPv6. However, if you want to do this, there are only a few additional commands:
Code:
ipv6 dhcp pool <name of your choice>
 dns-server <ipv6 dns server address>
!
interface Vlan1
 ipv6 nd other-config-flag
 ipv6 dhcp server <name of your choice>
!
You can get the IPv6 DNS server address from the tunnel information page over at TunnelBroker.
That's it, you should now have a working IPv6 to IPv4 tunnel that lets you hit valid IPv6 addresses on the public Internet. It's pretty cool to see in action.
Here's a link to the Cisco configuration guide:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/12_4/ipv6_12_4_book.html
Again, I'm using a Cisco 871 running 15.0(1)M3 IOS, running Advanced IP Services.
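The eui-64 keyword used on VLAN 1 above builds the lower 64 bits of the address from the interface's MAC address (modified EUI-64, RFC 4291). The following is an added example, not part of the original post, showing that derivation and its reverse, which is why an EUI-64 address reveals the hardware address to any host it talks to. The prefix is the 2001:db8::/32 documentation range and the MAC is a constructed value.

```python
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    """Parse 00:1a:2b:3c:4d:5e, 00-1a-2b-..., or Cisco-style 001a.2b3c.4d5e."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    m = _mac_bytes(mac)
    # Split the MAC in half, insert ff:fe, and flip the universal/local bit.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big")
    )


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if it is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned or privacy/random identifier
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    routed_prefix = "2001:db8:1234:5678::/64"
    vlan_mac = "001a.2b3c.4d5e"
    addr = eui64_address(routed_prefix, vlan_mac)
    print("interface address:", addr)
    print("MAC recovered from address:", mac_from_address(str(addr)))
    print("static address ::1 ->", mac_from_address("2001:db8:1234:5678::1"))
```

Assigning a static interface identifier instead of using eui-64 keeps the MAC address out of the router's global address.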