drussel2
Member
join:2002-11-05
Hayward, CA

drussel2 to cp
Re: [Config] Dual stack

Doh! I meant to include my reply when quoting your offer to show me your config...

So, yes, that would be very helpful... Thanks.

cp
Premium Member
join:2004-05-14
Wheaton, IL
There you go. I omitted logins, licensing and crypto; that's about it, though.

I'm not too sure if I'm very knowledgeable on the DHCPv6 server on the Cisco. I'm not using it. I'm just using the DHCP client with prefix delegation and letting autoconfig do the rest.

With that in mind, if you are able to tell the DHCPv6 server to define the prefix that's provided by the DHCPv6 client, you should be able to use it. That's completely untested theory on my part, though. I'll let someone else smarter than me comment on that :)
router01#sh run
Building configuration...
 
Current configuration : 4691 bytes
!
! Last configuration change at 18:58:17 UTC Sat Mar 23 2013 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router01
!
boot-start-marker
boot system flash c880data-universalk9-mz.152-3.T.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
memory-size iomem 10
!
ip dhcp excluded-address 172.20.1.0 172.20.1.99
ip dhcp excluded-address 172.20.1.150 172.20.1.255
!
ip dhcp pool pool172
 import all
 network 172.20.1.0 255.255.255.0
 default-router 172.20.1.1 
 dns-server 208.67.222.222 208.67.220.220 
!
!
ip domain name router.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
ipv6 unicast-routing
ipv6 cef
! Inspection rule set 'traffic'. Defining it has no effect by itself; it only
! inspects traffic where 'ipv6 inspect traffic in|out' is applied to an
! interface, and no interface in this config applies it.
ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 dhcp pool poolv6
 dns-server 2620:0:CCC::2
 dns-server 2620:0:CCD::2
!
!
archive
 log config
  hidekeys
!
no spanning-tree vlan 1
!
controller Cellular 0
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd comcast-ipv6
 ipv6 traffic-filter wan-in in
 ipv6 traffic-filter wan-out out
!
interface Cellular0
 no ip address
 encapsulation ppp
!
interface Vlan1
 ip address 172.20.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ipv6 address comcast-ipv6 ::/64 eui-64
 ipv6 nd other-config-flag
 ipv6 dhcp server poolv6
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source static tcp 172.20.1.222 22 interface FastEthernet4 22022
ip nat inside source static tcp 172.20.1.110 25565 interface FastEthernet4 25565
!
access-list 23 permit 172.20.1.0 0.0.0.255
no cdp run
!
!
! Inbound from the WAN: ICMPv6, return traffic for flows recorded by
! 'reflect reflectout' on wan-out, and DHCPv6 server->client (UDP 546) for
! the PD client. Anything else hits the implicit deny at the end of the list.
ipv6 access-list wan-in
 permit icmp any any
 evaluate reflectout
 permit udp any any eq 546
!
! Outbound to the WAN: each permitted TCP/UDP flow creates a mirrored
! temporary entry in the reflexive list 'reflectout'.
ipv6 access-list wan-out
 permit icmp any any
 permit tcp any any reflect reflectout
 permit udp any any reflect reflectout
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 3    
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
 

Also, this may be useful. Xs are just omitted portions of an IP. FE4 is my WAN, plugged into my cable modem.
router01#sh ipv6 int br
Cellular0              [down/down]
    unassigned
FastEthernet0          [up/up]
    unassigned
FastEthernet1          [down/down]
    unassigned
FastEthernet2          [down/down]
    unassigned
FastEthernet3          [up/up]
    unassigned
FastEthernet4          [up/up]
    FE80::226:XXXX:XXXX:950
NVI0                   [administratively down/down]
    unassigned
Vlan1                  [up/up]
    FE80::226:XXXX:XXXX:94C
    2601:D:XXXX:1A:226:XXXX:XXXX:94C
 

And here's the ifconfig and ip -6 route output on my desktop:

inet6 addr: 2601:d:XXXX:1a:52e5:XXXX:XXXX:8378/64 Scope:Global
inet6 addr: fe80::52e5:XXXX:XXXX:8378/64 Scope:Link
 
default via fe80::226:XXXX:XXXX:94c dev eth0  proto static  metric 1 
default via fe80::226:XXXX:XXXX:94c dev eth0  proto kernel  metric 1024  expires 1638sec
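As an added example, not part of cp's post and not any Cisco tooling: a short Python lint that reads an excerpt of the running-config above (embedded below as constructed sample input) and reports the settings a reviewer would flag in it: passwords stored in cleartext, telnet accepted on the vty lines, the cleartext HTTP server, an `ipv6 inspect` rule set that is defined but applied to no interface, `evaluate` entries with no matching `reflect`, and the inbound pinholes opened by the static NAT entries. The parser only understands the two-level layout of `show run`; it is not an IOS grammar, and the check names and messages are this example's own.

```python
"""Lint an IOS running-config for the settings visible in the thread above.

Added example, not cp's or Cisco's tooling. The parser understands only the
two-level layout of 'show run' (global lines plus space-indented children).
"""
import re

# Constructed excerpt of the running-config posted above, trimmed to the lines
# the checks below look at.
SAMPLE_CONFIG = """\
no service password-encryption
!
ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
!
interface FastEthernet4
 ipv6 traffic-filter wan-in in
 ipv6 traffic-filter wan-out out
!
ip http server
!
ip nat inside source static tcp 172.20.1.222 22 interface FastEthernet4 22022
ip nat inside source static tcp 172.20.1.110 25565 interface FastEthernet4 25565
!
ipv6 access-list wan-in
 permit icmp any any
 evaluate reflectout
 permit udp any any eq 546
!
ipv6 access-list wan-out
 permit tcp any any reflect reflectout
 permit udp any any reflect reflectout
!
line vty 0 4
 transport input telnet ssh
!
end
"""


def parse_blocks(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return (global lines, {section header: its indented child lines})."""
    globals_: list[str] = []
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                  # blank or '!' separator
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = raw.strip()
        globals_.append(current)
        sections.setdefault(current, [])
    return globals_, sections


def audit(config: str) -> list[str]:
    """Return one human-readable finding per problem or exposure detected."""
    findings: list[str] = []
    globals_, sections = parse_blocks(config)
    interfaces = {h: b for h, b in sections.items() if h.startswith("interface ")}
    # 1. Secrets at rest: type-0 passwords in the config and every backup of it.
    if "no service password-encryption" in globals_:
        findings.append("cleartext passwords: 'no service password-encryption'")
    # 2. Management plane: telnet on any vty line, cleartext HTTP server.
    for hdr, body in sections.items():
        if hdr.startswith("line vty"):
            for child in body:
                if child.startswith("transport input ") and "telnet" in child.split():
                    findings.append(f"{hdr}: telnet accepted ('{child}')")
    if "ip http server" in globals_:
        findings.append("cleartext HTTP management: 'ip http server'")
    # 3. 'ipv6 inspect name X ...' only defines a rule set; nothing is inspected
    #    until 'ipv6 inspect X in|out' is applied on an interface.
    defined = {m.group(1) for g in globals_ if (m := re.match(r"ipv6 inspect name (\S+)", g))}
    applied = {m.group(1) for body in interfaces.values() for c in body
               if (m := re.match(r"ipv6 inspect (\S+) (?:in|out)$", c))}
    for name in sorted(defined - applied):
        findings.append(f"ipv6 inspect rule set '{name}' is defined but applied to no interface")
    # 4. Reflexive ACL integrity: every 'evaluate X' needs a 'reflect X' in some ACL.
    acls = {h.split()[2]: b for h, b in sections.items() if h.startswith("ipv6 access-list ")}
    reflects, evaluates = set(), set()
    for words in (entry.split() for body in acls.values() for entry in body):
        if "reflect" in words[:-1]:
            reflects.add(words[words.index("reflect") + 1])
        if words[0] == "evaluate" and len(words) > 1:
            evaluates.add(words[1])
    for name in sorted(evaluates - reflects):
        findings.append(f"'evaluate {name}' has no matching 'reflect {name}' in any IPv6 ACL")
    # 5. Inbound pinholes opened by static NAT: each is a LAN service reachable
    #    from the WAN, so list them for review.
    for g in globals_:
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", g)
        if m:
            proto, host, port, wan, wan_port = m.groups()
            findings.append(f"exposed: {wan}:{wan_port}/{proto} -> {host}:{port}")
    return findings
```

Run it as `python3 lint.py` after adding a `for f in audit(SAMPLE_CONFIG): print(f)` loop, or feed it a full `show run` capture instead of the excerpt; the checks are keyed on the exact IOS keywords, so unrelated lines are ignored.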
 

TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

ipv6 inspect name traffic tcp
 

Be aware that in some older versions of IOS, this command might break some of your TCP sessions.

There was a bug open for this with Cisco, which is now marked resolved.

IOS 15.2 should be fine, as Clever_Proxy is running, but most 12.4 (and earlier), 15.0, and some 15.1 images are probably faulty.

If you have a CCO login, look here for information:
»tools.cisco.com/Support/ ··· Ctb10776

If you don't, and you suspect this might be causing issues, look here for a workaround (which basically involves using an ACL to permit established TCP sessions back in):
»www.internode.on.net/sup ··· routers/

Alternatively, you can do what I do and use a reflexive ACL:

interface WAN
 ipv6 traffic-filter ipv6-inbound-filter in
 ipv6 traffic-filter ipv6-outbound-filter out
!
! Inbound, in order: 'established' is stateless (matches any TCP segment with
! ACK or RST set); 'evaluate' is stateful (return traffic for flows recorded
! by 'reflect' below); then DHCPv6 server->client (UDP 546), ICMPv6, and the
! UDP traceroute probe range. Anything else hits the implicit deny.
ipv6 access-list ipv6-inbound-filter
 permit tcp any any established
 evaluate ipv6-in-from-out
 permit udp any any eq 546
 permit icmp any any
 permit udp any any range 33434 33534
!
! Outbound: every permitted flow creates a mirrored temporary entry.
ipv6 access-list ipv6-outbound-filter
 permit ipv6 any any reflect ipv6-in-from-out
!

Works perfectly fine for my needs, but doesn't have a lot of "smarts" like a firewall would have.
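As an added example, not TomS_'s code and not Cisco's: a small Python model of the inbound list above that replays a few constructed packets through it, once as posted and once with the `permit tcp any any established` entry removed, and reports which entry matched each packet. It shows what the two kinds of entry key on: `established` looks only at the ACK/RST bits of the segment, so an unsolicited ACK to any port matches it, while `evaluate` needs a mirrored entry created when the flow left through `reflect`, and that entry disappears after the idle timeout (300 s by default on IOS). The host addresses are made up from the 2001:db8::/32 documentation prefix, and the reflect list is a simplification of IOS (one idle timer, no FIN/RST teardown, the implicit ND permits omitted).

```python
"""Replay packets through the reflexive IPv6 ACL TomS_ posted above.

Added example, not TomS_'s or Cisco's code. It models how IOS evaluates
'established', 'evaluate' and 'reflect' so the difference shows on concrete
packets. Addresses are invented from the 2001:db8::/32 documentation prefix.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LAN_HOST = "2001:db8:1::10"    # assumed inside host
WEB = "2001:db8:ffff::80"      # assumed outside HTTPS server
SCANNER = "2001:db8:bad::1"    # assumed outside scanner


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN", "ACK"}


class ReflectList:
    """Temporary entries created by 'reflect NAME' on the outbound list."""
    # Simplified: one idle timer per entry (IOS also removes TCP entries on
    # FIN/RST); the 300 s default matches IOS.

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self._entries: Dict[Tuple, float] = {}

    def record(self, p: Packet, now: float) -> None:
        # Store the mirrored 5-tuple so only the reply direction matches.
        self._entries[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + self.timeout

    def permits(self, p: Packet, now: float) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:            # idle timer ran out: entry is gone
            del self._entries[key]
            return False
        return True


Rule = Tuple[str, Callable[[Packet, ReflectList, float], bool]]


def established(p: Packet, _r: ReflectList, _t: float) -> bool:
    # Stateless: any TCP segment with ACK or RST set, solicited or not.
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


def evaluate(p: Packet, refl: ReflectList, now: float) -> bool:
    # Stateful: only if the mirrored flow was seen leaving first.
    return refl.permits(p, now)


def udp_ports(lo: int, hi: int):
    return lambda p, _r, _t: p.proto == "udp" and lo <= p.dport <= hi


# TomS_'s ipv6-inbound-filter, entry for entry, in the order posted. The
# implicit ND permits IOS appends to every IPv6 ACL are left out.
INBOUND_POSTED: List[Rule] = [
    ("permit tcp any any established", established),
    ("evaluate ipv6-in-from-out", evaluate),
    ("permit udp any any eq 546", udp_ports(546, 546)),
    ("permit icmp any any", lambda p, _r, _t: p.proto == "icmp"),
    ("permit udp any any range 33434 33534", udp_ports(33434, 33534)),
]
# The same list with the stateless 'established' entry removed.
INBOUND_REFLEXIVE_ONLY: List[Rule] = INBOUND_POSTED[1:]


def inbound(p: Packet, rules: List[Rule], refl: ReflectList, now: float) -> str:
    """First matching entry wins; every IPv6 ACL ends in an implicit deny."""
    for text, match in rules:
        if match(p, refl, now):
            return text
    return "deny ipv6 any any (implicit)"


def scenario(rules: List[Rule]) -> Dict[str, str]:
    """Replay a fixed packet sequence; report which entry matched each."""
    refl, out = ReflectList(), {}
    # Outbound 'permit ipv6 any any reflect ipv6-in-from-out' records the
    # inside host opening HTTPS to the outside server at t=0.
    refl.record(Packet("tcp", LAN_HOST, 50000, WEB, 443, frozenset({"SYN"})), 0)
    # Genuine SYN/ACK reply one second later.
    out["reply"] = inbound(Packet("tcp", WEB, 443, LAN_HOST, 50000, frozenset({"SYN", "ACK"})), rules, refl, 1)
    # Unsolicited ACK to a port nobody opened: an ACK scan.
    out["ack_scan"] = inbound(Packet("tcp", SCANNER, 40000, LAN_HOST, 22, frozenset({"ACK"})), rules, refl, 2)
    # Unsolicited SYN to the same port.
    out["syn"] = inbound(Packet("tcp", SCANNER, 40001, LAN_HOST, 22, frozenset({"SYN"})), rules, refl, 3)
    # DHCPv6 server (547) -> client (546) has its own entry.
    out["dhcpv6"] = inbound(Packet("udp", "fe80::1", 547, "fe80::2", 546), rules, refl, 4)
    # The HTTPS server sends again after the 300 s idle timer has expired.
    out["stale"] = inbound(Packet("tcp", WEB, 443, LAN_HOST, 50000, frozenset({"ACK"})), rules, refl, 400)
    return out
```

Calling `scenario(INBOUND_POSTED)` and `scenario(INBOUND_REFLEXIVE_ONLY)` side by side is the whole point: with the posted list the SYN/ACK reply, the ACK scan and the stale packet are all permitted by the first entry, and only the bare SYN is denied; with the `established` entry gone, the reply is permitted by `evaluate`, and the ACK scan and the stale packet fall through to the implicit deny. The DHCPv6 reply is permitted in both cases by its own entry.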
markysharkey
Premium Member
join:2012-12-20
united kingd
Nice to see a reflexive ACL in use

cp
Premium Member
join:2004-05-14
Wheaton, IL

cp to TomS_
I've had no issues with traffic inspection, but I'm going to give that a try tonight anyway. I've had zero training on Cisco equipment, so I like to tinker and learn.

A reflective firewall without actual traffic inspection seems more my style. It's very similar to how I would set up iptables coming from the Linux world.

Thanks!

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

DarkLogix to TomS_
I likely need to revise my IPv6 ACL, though I do have a server that I want to keep reachable via IPv6, and DNS and some other stuff.

I think after I solve my other issue I'll see how I can make use of an ACL like that.