Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

[IPv6] DHCP on Cisco 881 IPv6

Hey Everyone,

So I have a Cisco 881 and I will be the first to admit I don't know much about it.

I have IPv6 dual-stacking working on Comcast, and it works quite well. I set up IPv6 access lists for obvious reasons, and so far so good.

I have run into one little issue though. I can't seem to get DHCPv6 to work when the firewall is enabled. The router won't pull a 6 address from Comcast when the firewall rules are enabled. I remove the traffic-filters from the interface, let the router pull an address, and then add the traffic-filters back, and everything works great.

I took a huge KISS approach when it came to the ACLs on this router. My goal is to set up a stateful firewall that basically allows traffic out my network, but allows nothing in (yet). Again, I've never really worked with them before. Below is the relevant config for the interfaces and ACLs. If anyone could help me out on my DHCP issue I would greatly appreciate it.


ipv6 unicast-routing
ipv6 cef
ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp

interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd comcast-ipv6
ipv6 traffic-filter wan-in in
ipv6 traffic-filter wan-out out

interface Vlan1
ip address x.x.x.x x.x.x.x
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ipv6 address comcast-ipv6 ::/64 eui-64
ipv6 nd other-config-flag
ipv6 dhcp server poolv6

ipv6 access-list wan-in
permit icmp any any
evaluate reflectout
!
ipv6 access-list wan-out
permit icmp any any
permit tcp any any reflect reflectout
permit udp any any reflect reflectout



whfsdude
Premium
join:2003-04-05
Washington, DC

2 recommendations

I think you need to allow DHCPv6, which is UDP, without a stateful rule on your wan-in ACL.

Edit: corrected ports.

permit udp any eq 546 any eq 547


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 recommendation

That did the trick! Thanks whfsdude!

Below is most of my config for my 881 in case anyone is interested. Working really well so far.



router01#sh run
Building configuration...

Current configuration : 4464 bytes
!
version 15.2
!
boot-start-marker
boot system flash c880data-universalk9-mz.152-3.T.bin
boot-end-marker
!
no aaa new-model
!
!
!
ip dhcp excluded-address 172.20.1.0 172.20.1.99
ip dhcp excluded-address 172.20.1.150 172.20.1.255
!
ip dhcp pool pool172
import all
network 172.20.1.0 255.255.255.0
default-router 172.20.1.1
dns-server 208.67.222.222 208.67.220.220
!
!
ip domain name router.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 dhcp pool poolv6
dns-server 2620:0:CCC::2
dns-server 2620:0:CCD::2
!
!
!
controller Cellular 0
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd comcast-ipv6
ipv6 traffic-filter wan-in in
ipv6 traffic-filter wan-out out
!
interface Cellular0
no ip address
encapsulation ppp
!
interface Vlan1
ip address 172.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ipv6 address comcast-ipv6 ::/64 eui-64
ipv6 nd other-config-flag
ipv6 dhcp server poolv6
!
!
ip nat inside source list 23 interface FastEthernet4 overload
!
access-list 23 permit 172.20.1.0 0.0.0.255
no cdp run
!
!
ipv6 access-list wan-in
permit icmp any any
evaluate reflectout
permit udp any any eq 546
permit udp any any eq 547
!
ipv6 access-list wan-out
permit icmp any any
permit tcp any any reflect reflectout
permit udp any any reflect reflectout
!
!
end



NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to whfsdude
said by whfsdude:

I think you need to allow DHCPv6, which is UDP, without a stateful rule on your wan-in ACL.

Edit: corrected ports.

permit udp any eq 546 any eq 547

Thanks for the info. I was going to pull my router tonight and get him what I needed to allow. I will still look, but I think that was it.


whfsdude
Premium
join:2003-04-05
Washington, DC
said by NetDog:

Thanks for the info. I was going to pull my router tonight and get him what I needed to allow. I will still look, but I think that was it.

When you lab it out tonight, try without port 547. It is likely not needed, but I wasn't sure enough, so I went with both to eliminate confusion.


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL
Because 547 is technically caught by the stateful out rules?


whfsdude
Premium
join:2003-04-05
Washington, DC
said by Clever_Proxy:

Because 547 is technically caught by the stateful out rules?

Yup! At least that's my thought.


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 recommendation

It appears to be working without 547.
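A toy model, added here and not from the thread or Cisco, of how the wan-out/wan-in reflexive ACLs above treat the router's own DHCPv6 exchange: the outbound Solicit goes to the multicast group ff02::1:2 (UDP 546 to 547), but the server's Advertise/Reply comes back from the server's unicast link-local address (547 to 546), so the mirrored reflexive entry never matches it and only the explicit permit on destination port 546 lets it in. The link-local addresses are constructed, and the first-match/reflect logic is a simplification of IOS reflexive ACLs, not their implementation.

```python
from collections import namedtuple

# One packet as the ACL sees it (a 5-tuple; addresses are plain strings here).
Pkt = namedtuple("Pkt", "proto src sport dst dport")

def parse(text):
    """Parse the ACL subset used in the thread: permit/evaluate, 'any', 'eq N', 'reflect NAME'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "evaluate":
            rules.append({"evaluate": t[1]})
            continue
        reflect = t[t.index("reflect") + 1] if "reflect" in t else None
        t = t[:t.index("reflect")] if reflect else t
        proto, src, t = t[1], t[2], t[3:]
        sport, t = (int(t[1]), t[2:]) if t[:1] == ["eq"] else (None, t)
        dst, t = t[0], t[1:]
        dport = int(t[1]) if t[:1] == ["eq"] else None
        rules.append(dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, reflect=reflect))
    return rules

def match(r, p):
    return (r["proto"] == p.proto and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport))

def check(acl, pkt, state):
    """First-match permit/deny; a 'reflect' hit records the mirrored 5-tuple for a later 'evaluate'."""
    for r in acl:
        if "evaluate" in r:
            if any(match(e, pkt) for e in state.get(r["evaluate"], [])):
                return True
        elif match(r, pkt):
            if r["reflect"]:
                mirrored = dict(proto=pkt.proto, src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport, reflect=None)
                state.setdefault(r["reflect"], []).append(mirrored)
            return True
    return False

WAN_OUT = "permit icmp any any\npermit tcp any any reflect reflectout\npermit udp any any reflect reflectout"
ORIGINAL_WAN_IN = "permit icmp any any\nevaluate reflectout"
FINAL_WAN_IN = ORIGINAL_WAN_IN + "\npermit udp any any eq 546\npermit udp any any eq 547"
CLIENT, SERVER, ALL_DHCP = "fe80::1", "fe80::2", "ff02::1:2"  # constructed link-locals; ff02::1:2 is the real DHCPv6 group

def dhcpv6_response_allowed(wan_in_text):
    """Send the Solicit out through wan-out, then test whether the server's Advertise/Reply passes wan-in."""
    state = {}
    check(parse(WAN_OUT), Pkt("udp", CLIENT, 546, ALL_DHCP, 547), state)  # mirrored entry has src ff02::1:2
    return check(parse(wan_in_text), Pkt("udp", SERVER, 547, CLIENT, 546), state)  # unicast src: no match
```

Running it against the three wan-in variants from the thread shows the original ACL dropping the server's response, the final ACL permitting it, and the 547 line making no difference for that packet.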