drussel2

join:2002-11-05
Hayward, CA

[Config] Dual stack

I have 1941 with IOS 15.3(1)T, one interface is dhcp client (ISP/Internet), the other is my LAN 192.168.1.0/24.

Can (and how) I configure this to also support IPv6 and have a mixture of IPv4/IPv6 devices on my LAN ?

I'm thinking the first step would be to configure the ISP side to use IPv6, but then will it do the NAT to handle both, or do I need multiple vLANs.

Any clarification, and/or pointers to some tutorial type doc would be appreciated.

Thanks
--
There are 10 types of people in the world; those who understand binary and those who don't.

nosx

join:2004-12-27
00000
kudos:5

1 recommendation

The most important question is: does your ISP support IPv6? If not, there are some limited options (tunnel brokers) that can tunnel you an IPv6 connection over your normal IPv4 internet connection. Hurricane Electric is probably the best out there, with detailed instructions on how to correctly set up your router.

There is no (working, scalable, good, etc.) 6-to-6 NAT. You do not need NAT with IPv6; every global unicast v6 address is directly reachable. You will want to take some minor care in providing basic stateful packet filtering (drop unsolicited, unwanted IPv6 packets), which can be done in a normal IPv6 access-list.

IPv6 operates independently in most cases when doing dual-stack. It is completely unaware of IPv4 existing, the IPv4 routes or ACLs, etc. The IPv6 configuration can go on the same interfaces and VLANs without issue, but putting an IPv4 ACL on a port is different than an IPv6 ACL, with similar rules around other configuration.

The simplest basic IPv6 configuration is to enable IPv6 globally (ipv6 unicast-routing) with an IPv6 address on your LAN interface (int vlan blah, ipv6 address 2620:123::1/64) and a default route out to your ISP or tunnel provider (ipv6 route ::/0 Tunnel6). The hosts on the LAN that are IPv6 enabled will automagically configure themselves through router advertisements and neighbor discovery. Keep in mind that ICMP is especially important in IPv6 and take care not to block or mangle it.

Anyways, have fun, check out Hurricane Electric's tunnel broker service if your ISP doesn't run native dual-stack service, and happy V6'ing.

drussel2

join:2002-11-05
Hayward, CA
Thanks for the info... Yes, I believe my ISP supports IPv6....

You mentioned NAT isn't needed for IPv6, and that I could put an IPv6 address on it... With IPv4 I can use 192.168.0.0/24 or 10.0.0.0/8 etc. Those are defined as private; you mentioned 2620:123::1/64... But if all IPv6 addresses are globally reachable, how do I choose ones that aren't in use by somebody else? Or is that what a VLAN does? The addresses are only "known" within the VLAN, and the default route for the VLAN goes to the ISP interface? That would make sense..

As for ACLs etc, I'm looking at changing to a policy-based model too.
--
There are 10 types of people in the world; those who understand binary and those who don't.


Paulg
Displaced Yooper
Premium
join:2004-03-15
Neenah, WI
kudos:1
HE.net will give you a /64 and a /48 for free


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL
reply to drussel2
Check out the following topic.

»[IPv6] DHCP on Cisco 881 IPv6

I got dual stacking working on my residential Comcast internet connection. Working great with NAT for IPv4 and a Stateful firewall for IPv6.

I've modified my config slightly since then. If you want a fresh one to check out, let me know and I'll dig it up.


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 recommendation

reply to drussel2
If your ISP supports IPv6, they usually will hand out a prefix for you to use. The concept of "Private/Public IPs" is removed in IPv6. Every device on your network gets a "Public" IP.

My ISP (Comcast) hands out a /64 of IPv6 addresses to use on your network. From there you can set it up any way you want to. I have chosen the method of using Prefix-Delegation (eui-64) to assign the addresses to the internal devices on my network since Comcast supports it. As of now, nothing on my network has a static v6 address. The address doesn't change thanks to prefix-delegation, of course unless Comcast decides they want me to use a different prefix assignment at any time :P


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

1 recommendation

Not entirely removed.

There are still link-local addresses which only work between devices on the same network segment, fe80:..... addresses.

Those cannot be routed.

The equivalent in IPv4 is 169.254.x.x which you tend to see when DHCP is not working.

drussel2

join:2002-11-05
Hayward, CA
reply to Clever_Proxy
said by Clever_Proxy:

I've modified my config slightly since then. If you want a fresh one to check out, let me know and I'll dig it up.

--
There are 10 types of people in the world; those who understand binary and those who don't.

drussel2

join:2002-11-05
Hayward, CA
reply to Clever_Proxy
Doh! I meant to include my reply when quoting your offer to show me your config...

So, yes, that would be very helpful... Thanks.
--
There are 10 types of people in the world; those who understand binary and those who don't.

drussel2

join:2002-11-05
Hayward, CA
reply to TomS_
said by TomS_:

Not entirely removed.

There are still link-local addresses which only work between devices on the same network segment, fe80:..... addresses.

Does that mean I can define a new DHCP pool for IPv6 like
ipv6 dhcp pool DHCPOOL6
 import all
 default-router fe80::.... something

interface gigabitethernet0/0
 ipv6 address fe80::something

Then if an IPv6 device on my LAN connects, it will get a DHCP-assigned address that is local to my network only, and if it wants to get outside, the router will direct the traffic accordingly, similar to NAT?

On another note... I have several ip dhcp pools with only one address... I use that so I can configure specific devices as DHCP, but then code their mac address (client id) in the pool so they always get the same address.

Can I also assign a specific IPv6 address so a device that is capable will get an IPv4 and an IPv6 address?
--
There are 10 types of people in the world; those who understand binary and those who don't.


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL
reply to drussel2
There you go. I omitted logins, licensing and crypto, that's about it though.

I'm not too sure if I'm very knowledgeable on the DHCPv6 server on the Cisco. I'm not using it. I'm just using the DHCP client with prefix delegation and letting autoconfig do the rest.

With that in mind, if you are able to tell the DHCPv6 server to define the prefix that's provided by the DHCPv6 client, you should be able to use it. That's completely untested theory on my part, though. I'll let someone else smarter than me comment on that :)
router01#sh run
Building configuration...
 
Current configuration : 4691 bytes
!
! Last configuration change at 18:58:17 UTC Sat Mar 23 2013 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router01
!
boot-start-marker
boot system flash c880data-universalk9-mz.152-3.T.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
memory-size iomem 10
!
ip dhcp excluded-address 172.20.1.0 172.20.1.99
ip dhcp excluded-address 172.20.1.150 172.20.1.255
!
ip dhcp pool pool172
 import all
 network 172.20.1.0 255.255.255.0
 default-router 172.20.1.1 
 dns-server 208.67.222.222 208.67.220.220 
!
!
ip domain name router.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 dhcp pool poolv6
 dns-server 2620:0:CCC::2
 dns-server 2620:0:CCD::2
!
!
archive
 log config
  hidekeys
!
no spanning-tree vlan 1
!
!
!
!
!
controller Cellular 0
!
! 
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd comcast-ipv6
 ipv6 traffic-filter wan-in in
 ipv6 traffic-filter wan-out out
!
interface Cellular0
 no ip address
 encapsulation ppp
!
interface Vlan1
 ip address 172.20.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ipv6 address comcast-ipv6 ::/64 eui-64
 ipv6 nd other-config-flag
 ipv6 dhcp server poolv6
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source static tcp 172.20.1.222 22 interface FastEthernet4 22022
ip nat inside source static tcp 172.20.1.110 25565 interface FastEthernet4 25565
!
access-list 23 permit 172.20.1.0 0.0.0.255
no cdp run
!
!
ipv6 access-list wan-in
 permit icmp any any
 evaluate reflectout
 permit udp any any eq 546
!
ipv6 access-list wan-out
 permit icmp any any
 permit tcp any any reflect reflectout
 permit udp any any reflect reflectout
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 3    
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
 

Also, this may be useful. (Xs) are just omitted portions of an IP. FE4 is my WAN plugged into my cable modem.
router01#sh ipv6 int br
Cellular0              [down/down]
    unassigned
FastEthernet0          [up/up]
    unassigned
FastEthernet1          [down/down]
    unassigned
FastEthernet2          [down/down]
    unassigned
FastEthernet3          [up/up]
    unassigned
FastEthernet4          [up/up]
    FE80::226:XXXX:XXXX:950
NVI0                   [administratively down/down]
    unassigned
Vlan1                  [up/up]
    FE80::226:XXXX:XXXX:94C
    2601:D:XXXX:1A:226:XXXX:XXXX:94C
 

And here's an ifconfig and ip -6 route on my desktop

inet6 addr: 2601:d:XXXX:1a:52e5:XXXX:XXXX:8378/64 Scope:Global
inet6 addr: fe80::52e5:XXXX:XXXX:8378/64 Scope:Link
 
default via fe80::226:XXXX:XXXX:94c dev eth0  proto static  metric 1 
default via fe80::226:XXXX:XXXX:94c dev eth0  proto kernel  metric 1024  expires 1638sec
 


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

1 recommendation

reply to drussel2
NAT defeats the entire purpose of IPv6. Don't do it, it's evil enough for IPv4.

So no, you'll still need a pool of IP addresses, but these will be assigned to you by your provider. Those IP addresses, which are all publicly routable, will be assigned to your devices.

If you use something like SLAAC, then your devices will auto-configure themselves with an IP address based on their MAC address, so they'll always be using the same IPv6 address on your network by default.

DHCP for IPv6 is not widely supported by client devices/OSes so you tend to have to rely on auto-configuration methods like SLAAC.
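The SLAAC behaviour TomS_ describes (the host builds its interface identifier from its MAC, so it keeps the same address) and the link-local versus global distinction raised earlier in the thread can both be checked with a short script. This is an added example, not code from any poster or from Cisco; the MAC address and the 2001:db8: prefix it uses are constructed sample values.

```python
import ipaddress
from typing import Optional

# Scopes discussed in the thread (RFC 4291 allocations).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # fe80:... , never routed
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # publicly routable space
MULTICAST = ipaddress.IPv6Network("ff00::/8")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]   # split OUI/NIC halves, insert FFFE
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]        # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from the /64 in a router advertisement plus its EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Every IPv6 interface also forms fe80::<iid>, valid only on its own segment."""
    return slaac_address("fe80::/64", mac)


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC when the low 64 bits carry the EUI-64 FFFE marker.

    Returns None for other identifier styles (e.g. randomised privacy addresses),
    which is why an EUI-64 host shows the same suffix on every prefix it joins."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr: str) -> str:
    """Scope of an address: link-local, global unicast, multicast or other."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in MULTICAST:
        return "multicast"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


if __name__ == "__main__":
    mac = "00:26:ab:cd:ef:01"                      # constructed sample MAC
    prefix = "2001:db8:1:1a::/64"                  # constructed sample delegated /64
    for a in (link_local_address(mac), slaac_address(prefix, mac)):
        print(f"{a}  scope={classify(str(a))}  mac={mac_from_slaac(str(a))}")
```

The same interface identifier appears under both the fe80:: prefix and the delegated /64, which is exactly what the `FE80::...:94C` and `2601:D:...:94C` pair on Vlan1 in Clever_Proxy's `sh ipv6 int br` output shows; the link-local one never leaves the segment, the global one is what the rest of the internet can reach.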


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

1 edit

1 recommendation

reply to Clever_Proxy
ipv6 inspect name traffic tcp
 

Be aware that in some older versions of IOS, this command might break some of your TCP sessions.

There was a bug open for this with Cisco, which is now marked resolved.

IOS 15.2 should be fine, as Clever_Proxy is running, but most 12.4 (and earlier), 15.0, and some 15.1 images are probably faulty.

If you have a CCO login, look here for information:
»tools.cisco.com/Support/BugToolK···Ctb10776

If you don't, and you suspect this might be causing issues, look here for a workaround (which basically involves using an ACL to permit established TCP sessions back in):
»www.internode.on.net/support/gui···routers/

Alternatively, you can do what I do and use a reflexive ACL:

interface WAN
 ipv6 traffic-filter ipv6-inbound-filter in
 ipv6 traffic-filter ipv6-outbound-filter out
!
ipv6 access-list ipv6-inbound-filter
 permit tcp any any established
 evaluate ipv6-in-from-out
 permit udp any any eq 546
 permit icmp any any
 permit udp any any range 33434 33534
!
ipv6 access-list ipv6-outbound-filter
 permit ipv6 any any reflect ipv6-in-from-out
!
 

Works perfectly fine for my needs, but doesn't have a lot of "smarts" like a firewall would have.
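As an added illustration of how the reflexive ACL above behaves (this is not code from TomS_ or from Cisco), the Python model below walks packets through the inbound and outbound lists in the order the post shows them. The addresses are constructed documentation-prefix values, and the idle timeout on reflected entries is an assumed parameter, not a value taken from the thread.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed sample addresses (documentation prefix), not taken from the thread.
LAN_HOST = "2001:db8:1::10"
WEB_SERVER = "2001:db8:2::1"


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"syn"} or {"ack"}


Key = Tuple[str, str, int, str, int]


class ReflexiveAcl:
    """Model of the WAN filter in the post: outbound 'permit ipv6 any any reflect X',
    inbound static permits followed by 'evaluate X'. idle_timeout is an assumption."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout
        self.entries: Dict[Key, float] = {}   # mirror-image 5-tuple -> last seen

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, p: Packet, now: float) -> bool:
        # 'permit ipv6 any any reflect ipv6-in-from-out': everything leaves, and for
        # tcp/udp the reversed tuple is recorded so the reply can be let back in.
        if p.proto in ("tcp", "udp"):
            self.entries[(p.proto, p.dst, p.dport, p.src, p.sport)] = now
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        # Lines are checked in the order they appear in ipv6-inbound-filter.
        if p.proto == "tcp" and p.flags & {"ack", "rst"}:
            return True                      # permit tcp any any established (flag check only)
        key = self._key(p)
        if key in self.entries:              # evaluate ipv6-in-from-out
            if now - self.entries[key] <= self.idle_timeout:
                self.entries[key] = now
                return True
            del self.entries[key]            # stale entry aged out
        if p.proto == "udp" and p.dport == 546:
            return True                      # DHCPv6 client replies (prefix delegation)
        if p.proto == "icmp":
            return True                      # ICMPv6 must pass (ND, PMTUD), as nosx noted
        if p.proto == "udp" and 33434 <= p.dport <= 33534:
            return True                      # traceroute probe range
        return False                         # implicit deny: unsolicited traffic dropped


if __name__ == "__main__":
    acl = ReflexiveAcl()
    acl.outbound(Packet("udp", LAN_HOST, 40000, WEB_SERVER, 53), now=0.0)
    print("dns reply    :", acl.inbound(Packet("udp", WEB_SERVER, 53, LAN_HOST, 40000), now=1.0))
    print("unsolicited  :", acl.inbound(Packet("tcp", WEB_SERVER, 4444, LAN_HOST, 22,
                                              frozenset({"syn"})), now=1.0))
```

The reflect/evaluate pair is the stateful part: only replies to sessions the LAN side started are matched, and anything else falls through to the implicit deny. The `established` line, by contrast, looks at TCP flags alone; tracking that properly is the kind of "smarts" a real firewall adds.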

markysharkey
Premium
join:2012-12-20
united kingd
Nice to see a reflexive ACL in use
--
Binary is as easy as 01 10 11


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 edit
reply to TomS_
I've had no issues with traffic inspection, but I'm going to give that a try tonight anyways. I've had 0 training on Cisco equipment so I like to tinker and learn.

A reflective firewall without actual traffic inspection seems more my style. It's very similar to how I would set up iptables coming from the Linux world.

Thanks!


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to TomS_
I likely need to revise my IPv6 ACL, though I do have a server that I want to keep reachable via ipv6, and DNS and some other stuff

I think after I solve my other issue I'll see how I can make use of an ACL like that
--
»www.change.org/petitions/create-···imcity-4