
    IPv6 over IPv4 tunneling

    By admin | August 26, 2009

    IPv6 over IPv4 tunneling allows access to the IPv6 internet in the absence of a native IPv6 access provider (or the interconnection of any IPv6 islands over an IPv4 infrastructure). Cisco routers support automatic (6to4, ISATAP) and configured IPv6 over IPv4 tunneling.

    Image:V6tunnelimg1-conceptoverview.png

    IPv6 packets are encapsulated directly behind the IPv4 header; the protocol field of the IPv4 header is set to 41.

    Image:V6tunnelimg2-tunneledpacket.png
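    As an added illustration (not code from the original post), the following Python decapsulates a constructed protocol-41 packet, recovers the outer IPv4 and inner IPv6 addresses, and applies the consistency check a 6to4 router should make on arrival: a 2002::/16 source must embed the IPv4 address the packet actually came from. Packet bytes and addresses are constructed for the example.

```python
# Added example (not from the original post): decapsulate a constructed
# protocol-41 (IPv6-in-IPv4) packet and check 6to4 source consistency.
import ipaddress
import struct

PROTO_IPV6 = 41  # IPv4 protocol number used for encapsulated IPv6


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0)
    followed by a 40-byte IPv6 header with next header 59 (no next header)."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def decap_6in4(pkt):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for a 6in4 packet,
    or None when the packet is not IPv4 with protocol 41 carrying IPv6."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_IPV6 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]))


def sixto4_source_consistent(outer_src, inner_src):
    """A 2002::/16 inner source must embed the outer IPv4 source address
    (bits 16-47); a mismatch means a spoofed or misrouted 6to4 packet.
    Inner sources outside 2002::/16 are out of scope here and pass."""
    raw = inner_src.packed
    if raw[:2] != b"\x20\x02":
        return True
    return ipaddress.IPv4Address(raw[2:6]) == outer_src
```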

    The presented config examples have been tested with IOS 12.4(22)T SP Services.

    Basic internet access router IPv6 configurations

    Enabling IPv6 routing & CEF:

    ipv6 unicast-routing
    ipv6 cef

    IPv6 default route:

    ipv6 route ::/0 <IPv6 outside interface or next-hop>

    IPv4/IPv6 dual-stack interface (most probably your inside interface will be dual stack):

    interface <Any Interface>
     description DUAL-STACK-INTERFACE
     ip address 192.168.0.1 255.255.255.0
     ipv6 address 2001:db8:1234:1::1/64
     ipv6 enable

    IPv6 only interface:

    interface <Any Interface>
     description IPV6-ONLY-INTERFACE
     no ip address
     ipv6 address 2001:db8:1234:1::1/64
     ipv6 enable

    ACL for incoming traffic:

    !
    interface <IPv6 Outside Interface>
     description IPV6-OUTSIDE
     ipv6 address 2001:db8:5678:1::2/64
     ipv6 enable
     ipv6 traffic-filter IPv6-OUTSIDE in
    !
    ipv6 access-list IPv6-OUTSIDE
     permit icmp any any
    !

    The inbound ACL on the outside interface permits only ICMPv6; every other inbound connection is denied (return traffic of sessions initiated from the inside is admitted dynamically by the IOS Firewall inspection configured below).

    IOS Firewall CBAC for outgoing traffic:

    !
    ipv6 inspect name V6-INSPECT tcp
    ipv6 inspect name V6-INSPECT udp
    ipv6 inspect name V6-INSPECT ftp
    ipv6 inspect name V6-INSPECT icmp
    !
    interface <IPv6 Inside Interface>
     description IPV6-INSIDE
     ipv6 address 2001:db8:1234:1::1/64
     ipv6 enable
     ipv6 inspect V6-INSPECT in
    !

    Currently the Cisco IOS Firewall for IPv6 supports CBAC (context-based access control) with basic inspection rules for TCP, UDP and ICMP and an application-layer inspection rule for FTP. In the sample above all of them are configured for basic outbound internet access.

    6to4 automatic tunnel – Public 6to4 relay

    When used for public internet access, 6to4 [2] tunneling relies on public 6to4 relays reachable on the IPv4 internet through the anycast address 192.88.99.1 [3]. The 6to4 prefix is 2002::/16; the next 32 bits carry the public IPv4 address of the tunnel endpoint, so every public IPv4 address has a corresponding /48 IPv6 prefix, i.e. 65,536 /64 subnets, for "free".

    Define 6to4 prefix:

    ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
    !
    interface FastEthernet0/0
     ip address 198.18.0.1 255.255.255.0

    The name 6TO4PREFIX can now be used as a placeholder for an IPv6 prefix constructed as follows:

    Image:V6tunnelimg3-6to4-addressing.png

    Apply an IPv6 address to the internal interface (normally you would configure the internal interface dual stack, although IPv6 only is possible):

    interface FastEthernet0/1
     ip address 192.168.0.1 255.255.255.0
     ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
     ipv6 enable

    Configure the 6to4 tunnel interface:

    interface Tunnel0
     description 6TO4-TUNNEL
     no ip address
     no ip redirects
     ipv6 enable
     tunnel source FastEthernet0/0
     tunnel mode ipv6ip 6to4

    Configure a "recursive" default route as follows:

    ipv6 route 2002::/16 Tunnel0
    ipv6 route ::/0 2002:C058:6301::

    The IPv6 default route points to the 6to4 anycast relay address (c058:6301 = 192.88.99.1); all traffic destined to 2002::/16 is routed through the 6to4 tunnel interface (Tunnel0), which is also how the next hop of the default route is resolved.

    Complete IPv4/IPv6 6to4 access router config example:

    !
    version 12.4
    !
    ip cef
    !
    ip inspect name V4-INSPECT http
    ip inspect name V4-INSPECT https
    ip inspect name V4-INSPECT ftp
    ip inspect name V4-INSPECT pop3
    ip inspect name V4-INSPECT smtp
    ip inspect name V4-INSPECT dns
    ip inspect name V4-INSPECT tcp
    ip inspect name V4-INSPECT udp
    ip inspect name V4-INSPECT icmp
    ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
    ipv6 unicast-routing
    ipv6 cef
    ipv6 inspect name V6-INSPECT tcp
    ipv6 inspect name V6-INSPECT udp
    ipv6 inspect name V6-INSPECT ftp
    ipv6 inspect name V6-INSPECT icmp
    !
    interface Tunnel0
     description 6TO4-TUNNEL
     no ip address
     no ip redirects
     ipv6 enable
     ipv6 traffic-filter IPV6-OUTSIDE in
     tunnel source FastEthernet0/0
     tunnel mode ipv6ip 6to4
    !
    interface FastEthernet0/0
     description OUTSIDE-WAN-INTERNET
     ip address 198.18.0.1 255.255.255.0
     ip access-group IPV4-OUTSIDE in
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description INSIDE-LAN
     ip address 192.168.0.1 255.255.255.0
     ip inspect V4-INSPECT in
     ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
     ipv6 enable
     ipv6 inspect V6-INSPECT in
    !
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    ip access-list extended IPV4-OUTSIDE
     permit icmp any any
     permit ip host 192.88.99.1 host 198.18.0.1
    !
    ipv6 route 2002::/16 Tunnel0
    ipv6 route ::/0 2002:C058:6301::
    !
    ipv6 access-list IPV6-OUTSIDE
     permit icmp any any
    !
    end

    Configured 6in4 tunnel – Tunnelbroker

    Disadvantages of public 6to4 relays (anycast 192.88.99.1) are their unknown service quality and availability and the likelihood of asymmetric routing. This can be avoided with a tunnel broker service, which provides a statically configured IPv6 tunnel and the possibility of getting a "real" IPv6 prefix routed, or even of announcing one's own (RIR-allocated) IPv6 prefix. Hurricane Electric and SixXS provide IPv6 tunnels, routed /48 prefixes and even BGP access for free.

    Example IPv6 tunnel parameters (the values used in the configuration below):

    Server IPv4 address (tunnel destination): 1.2.3.4
    Client IPv4 address (tunnel source): 198.18.0.1
    Server IPv6 address (IPv6 default gateway): 2001:db8:5678:1::1/64
    Client IPv6 address: 2001:db8:5678:1::2/64
    Routed /48 prefix: 2001:db8:1234::/48

    Apply a subnet of the routed /48 to the internal interface (for our example we choose subnet 1):

    interface FastEthernet0/1
     ip address 192.168.0.1 255.255.255.0
     ipv6 address 2001:db8:1234:1::1/64
     ipv6 enable

    Configure the IPv6 tunnel interface:

    interface Tunnel0
     description IPV6-CONFIGURED-TUNNEL
     no ip address
     ipv6 address 2001:db8:5678:1::2/64
     ipv6 enable
     tunnel source 198.18.0.1
     tunnel destination 1.2.3.4
     tunnel mode ipv6ip

    Configure the IPv6 default route:

    ipv6 route ::/0 2001:db8:5678:1::1

    Complete IPv4/IPv6 6in4/Tunnelbroker access router config example:

    !
    version 12.4
    !
    ip cef
    !
    ip inspect name V4-INSPECT http
    ip inspect name V4-INSPECT https
    ip inspect name V4-INSPECT ftp
    ip inspect name V4-INSPECT pop3
    ip inspect name V4-INSPECT smtp
    ip inspect name V4-INSPECT dns
    ip inspect name V4-INSPECT tcp
    ip inspect name V4-INSPECT udp
    ip inspect name V4-INSPECT icmp
    ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
    ipv6 unicast-routing
    ipv6 cef
    ipv6 inspect name V6-INSPECT tcp
    ipv6 inspect name V6-INSPECT udp
    ipv6 inspect name V6-INSPECT ftp
    ipv6 inspect name V6-INSPECT icmp
    !
    interface Tunnel0
     description IPV6-CONFIGURED-TUNNEL
     no ip address
     ipv6 address 2001:db8:5678:1::2/64
     ipv6 enable
     ipv6 traffic-filter IPV6-OUTSIDE in
     tunnel source 198.18.0.1
     tunnel destination 1.2.3.4
     tunnel mode ipv6ip
    !
    interface FastEthernet0/0
     description OUTSIDE-WAN-INTERNET
     ip address 198.18.0.1 255.255.255.0
     ip access-group IPV4-OUTSIDE in
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description INSIDE-LAN
     ip address 192.168.0.1 255.255.255.0
     ip inspect V4-INSPECT in
     ipv6 address 2001:db8:1234:1::1/64
     ipv6 enable
     ipv6 inspect V6-INSPECT in
    !
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    ip access-list extended IPV4-OUTSIDE
     permit icmp any any
     permit ip host 1.2.3.4 host 198.18.0.1
    !
    ipv6 route ::/0 2001:db8:5678:1::1
    !
    ipv6 access-list IPV6-OUTSIDE
     permit icmp any any
    !
    end

    LAN IPv6 Hosts

    In an IPv6 LAN you can, but do not need to, use DHCP for address assignment. The preferred process is stateless autoconfiguration using router discovery and router advertisements. As soon as you connect an IPv6-enabled host to your LAN it sends an ICMPv6 router solicitation, and the router answers with a router advertisement carrying the locally configured subnet prefix (2001:db8:1234:1::/64 in the example above). The host then derives its own IPv6 address by appending an interface identifier to that prefix. Some hosts (e.g. Windows XP) additionally generate temporary random identifiers and prefer these over the EUI-64 identifier.

    ISATAP

    If you want to connect a more complex network to the IPv6 internet you may find that some of your internal layer 3 devices (e.g. lower-end Cisco Catalyst switches) do not currently support IPv6 routing. You can either implement configured tunnels between the IPv6 islands or use the automatic tunneling mechanism ISATAP.

    Image:V6tunnelimg5-isatap-concept.png

    ISATAP uses the underlying IPv4 network as an NBMA link layer. A host's ISATAP IPv6 interface identifier is built by concatenating 00x0:5efe with the host's IPv4 address as the last 32 bits, where x stands for the universal/local bit: x=1 (giving 0200:5efe) if the IPv4 address is global, x=0 (0000:5efe) otherwise.

    Image:V6tunnelimg4-isatapaddressing.png

    The router's internal LAN interface does not need to be IPv6 enabled:

    interface FastEthernet0/1
     description INSIDE-LAN
     ip address 192.168.0.1 255.255.255.0

    Configure the ISATAP tunnel interface using an available IPv6 prefix:

    interface Tunnel1
     description ISATAP
     no ip address
     no ip redirects
     ipv6 address 2001:db8:1234:1::/64 eui-64
     no ipv6 nd ra suppress
     tunnel source FastEthernet0/1
     tunnel mode ipv6ip isatap

    The command "no ipv6 nd ra suppress" is required to enable router advertisements on a tunnel interface (they are suppressed there by default).

    Configuring an "eui-64" interface identifier together with tunnel mode "isatap" results in an ISATAP IPv6 address derived from the IPv4 address of FastEthernet0/1 (192.168.0.1 = c0a8:1):

    RouterISATAP#sh ipv6 int brief
    Tunnel1                    [up/up]
        FE80::5EFE:C0A8:1
        2001:DB8:1234:1:0:5EFE:C0A8:1
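    The address arithmetic behind both the 6to4 prefix used earlier (2002:<IPv4>::/48, relay next hop 2002:c058:6301::) and the ISATAP interface identifier shown above (00x0:5efe:<IPv4>), as an added Python example rather than code from the original post; the embedded IPv4 addresses and prefixes are the article's own example values, and the reverse lookup (which IPv4 endpoint sits behind a 6to4 or ISATAP address) is added here beyond what the text shows.

```python
# Added example (not from the original post): derive the 6to4 and ISATAP
# addresses of this article from their embedded IPv4 addresses, and recover
# the IPv4 endpoint from such an address (useful when reading logs).
import ipaddress


def sixto4_prefix(ipv4):
    """2002::/16 followed by the 32-bit IPv4 address gives the site's /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_subnet_address(ipv4, subnet, host):
    """Host address on one /64 of the site's /48 (the ::1:0:0:0:1 suffix
    of the general-prefix configuration above is subnet 1, host ::1)."""
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Interface((base | (subnet << 64) | host, 64))


def isatap_address(prefix, ipv4, global_v4=False):
    """Interface ID is 00x0:5efe:<IPv4>; x is the universal/local bit,
    set (0200:5efe) only when the embedded IPv4 address is global."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    iid = ((0x0200 if global_v4 else 0) << 48) | (0x5EFE << 32) | v4
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr):
    """Recover the IPv4 endpoint behind a 6to4 or ISATAP address,
    or None when the address embeds neither."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:2] == b"\x20\x02":
        return ipaddress.IPv4Address(raw[2:6])
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ipaddress.IPv4Address(raw[12:16])
    return None
```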

    Complete IPv4/IPv6 6in4/Tunnelbroker & ISATAP access router config example:

    !
    version 12.4
    !
    ip cef
    !
    ip inspect name V4-INSPECT http
    ip inspect name V4-INSPECT https
    ip inspect name V4-INSPECT ftp
    ip inspect name V4-INSPECT pop3
    ip inspect name V4-INSPECT smtp
    ip inspect name V4-INSPECT dns
    ip inspect name V4-INSPECT tcp
    ip inspect name V4-INSPECT udp
    ip inspect name V4-INSPECT icmp
    ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
    ipv6 unicast-routing
    ipv6 cef
    ipv6 inspect name V6-INSPECT tcp
    ipv6 inspect name V6-INSPECT udp
    ipv6 inspect name V6-INSPECT ftp
    ipv6 inspect name V6-INSPECT icmp
    !
    interface Tunnel0
     description IPV6-CONFIGURED-TUNNEL
     no ip address
     ipv6 address 2001:db8:5678:1::2/64
     ipv6 enable
     ipv6 traffic-filter IPV6-OUTSIDE in
     tunnel source 198.18.0.1
     tunnel destination 1.2.3.4
     tunnel mode ipv6ip
    !
    interface Tunnel1
     description ISATAP
     no ip address
     no ip redirects
     ipv6 address 2001:db8:1234:1::/64 eui-64
     no ipv6 nd ra suppress
     ipv6 inspect V6-INSPECT in
     tunnel source FastEthernet0/1
     tunnel mode ipv6ip isatap
    !
    interface FastEthernet0/0
     description OUTSIDE-WAN-INTERNET
     ip address 198.18.0.1 255.255.255.0
     ip access-group IPV4-OUTSIDE in
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description INSIDE-LAN
     ip address 192.168.0.1 255.255.255.0
     ip inspect V4-INSPECT in
    !
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    ip access-list extended IPV4-OUTSIDE
     permit icmp any any
     permit ip host 1.2.3.4 host 198.18.0.1
    !
    ipv6 route ::/0 2001:db8:5678:1::1
    !
    ipv6 access-list IPV6-OUTSIDE
     permit icmp any any
    !
    end

    The NBMA nature of the ISATAP link prevents the use of multicast ICMPv6 router solicitation, so ISATAP hosts discover the router either via DNS or via a preconfigured router list.

    Configuring the ISATAP router on a Windows XP host:

    netsh interface ipv6 isatap set router 192.168.0.1

    By Ma xyz

    Topics: CCNA, CCNA Articles, CCNA R&S