Monday, October 15, 2012

IPv6 with Hurricane Electric

Configuring IPv6 

Cisco router with Hurricane Electric's tunnel service

To get this working you will need a few things:

- A publicly routable IPv4 Address
- Cisco Router running a version of IOS that will take IPv6 commands
- Account with Hurricane Electric
- Lots of patience















• Let's get started

- Hurricane Electric is really good about giving you a sample config for the device you have, complete with the tunnel interface information and IP addressing.  What they are not good at is giving you instructions on how to get your LAN set up to connect to the IPv6 cloud.  You would be left to wonder why hosts are unable to connect, or whether you should be setting up NAT... well, wonder no more.

• Address information for the WAN
The address information you get to connect your router to the HE Router will look something like this:

Server IPv4 Address
- This is their router's Internet-facing IPv4 address
72.52.X.X

Server IPv6 Address
- This is their router's Internet-facing IPv6 address
2001:470:1f04:XXX::2/64

-----------------------------------------------------------------------

Client IPv4 Address
- This is the IPv4 address you will put on your tunnel interface**

76.20.X.X

Client IPv6 Address
- This is the IPv6 address you will put on your tunnel interface**

2001:470:1f04:XXX::2/64

** The config that they give you has all this configured.

It looks like this:
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f04:XXX::2/64
tunnel source 76.20.X.X
tunnel destination 72.52.X.X
tunnel mode ipv6ip

• Routing traffic 

Now that you have a tunnel interface, you need to ensure that any traffic that comes from inside gets routed out the tunnel.  That's where this statement comes in:

ipv6 route ::/0 Tunnel0

• Address information for the LAN
All the WAN stuff makes sense: you are connecting two tunnel endpoints with IPv4 and IPv6 addresses and setting a route.  Now what about hosts on the LAN?

- The address information that HE gives you also includes an IPv6 block that needs to be assigned to your inside network.  They call it the "Routed IPv6 Prefixes" but it really means IPv6 LAN addresses that need to be placed on your inside network.

My network has a single LAN segment, so I used the entire /64 (which is a bazillion addresses, but who cares).  If you have more than one LAN segment you can have fun with an IPv6 subnet calculator and slice the block up.

Routed /64:
2001:470:1f05:XXX::/64
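
What slicing a routed block per LAN segment produces, as an added example that is not part of the original post. It assumes constructed prefixes from the 2001:db8::/32 documentation range (a /64 like the one above and a larger /48 for comparison), and `plan_segments` and `ios_lines` are illustrative names. It also flags the case where a slice is longer than /64, which matters because the hosts later in this post get their addresses by autoconf.

```python
import ipaddress

def plan_segments(block, vlans):
    """Give each VLAN id an equal-sized subnet of a routed IPv6 block.

    Returns dicts with the prefix, the router address (first address in the
    prefix) and slaac_ok, which is False for prefixes longer than /64:
    stateless autoconfiguration needs a 64-bit interface ID.
    """
    net = ipaddress.IPv6Network(block)
    bits = (len(vlans) - 1).bit_length()        # bits needed to number the VLANs
    new_prefix = max(64, net.prefixlen + bits)  # never hand out shorter than /64
    if new_prefix > 126:
        raise ValueError(f"{block} is too small for {len(vlans)} segments")
    plan = []
    for vlan, subnet in zip(vlans, net.subnets(new_prefix=new_prefix)):
        plan.append({
            "vlan": vlan,
            "prefix": str(subnet),
            "router": f"{subnet.network_address + 1}/{new_prefix}",
            "slaac_ok": new_prefix == 64,
        })
    return plan

def ios_lines(plan):
    """Render the plan as interface stanzas in the style used in this post."""
    out = []
    for seg in plan:
        out += ["!", f"interface Vlan{seg['vlan']}",
                f"ipv6 address {seg['router']}"]
        if not seg["slaac_ok"]:
            out.append("! prefix longer than /64: hosts will not autoconfigure")
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed inputs from the 2001:db8::/32 documentation range.
    print(ios_lines(plan_segments("2001:db8:1f05:1::/64", [1, 10, 20])))
    print(ios_lines(plan_segments("2001:db8:abcd::/48", [1, 10, 20])))
```
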

• DNS Information 

Your inside VLAN(s) should look something like this:
!
interface Vlan1
description LAN
ip address 192.168.X.X 255.255.255.0
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F05:XXX::1/64

- DHCP config for the inside VLAN looks no different for IPv6:
!
ip dhcp pool Inside
network 192.168.X.X 255.255.255.0
default-router 192.168.X.X
domain-name x.com
dns-server 208.67.222.222 208.67.220.220
! The servers above are OpenDNS; you can also use 8.8.8.8
lease infinite

• OS

I have not tested with anything other than Mac OS 10.7 and 10.8 so I don't know how other operating systems acquire their IPv6 address.  This is what the ifconfig output on a host looks like:
!
inet6 2001:470:1f05:XXX:xxx:xxxx:xxxx:xxxx prefixlen 64 autoconf

If you want to see who else on your local subnet has an IPv6 address, you can't do an arp -a like you would with IPv4.  You need to do an ndp -a to see them.

• Validation 

OK, we have a Tunnel interface and we have an IPv6 address block assigned to the LAN, how do we know any traffic is getting to the IPv6 cloud?

- Ping (ping6) is your best friend for ensuring you can get to an IPv6 host.  Let's use Google, or ipv6.google.com

ping6 ipv6.google.com

PING6(56=40+8+8 bytes) 2001:470:1f05:XXX:xxx:xxxx:xxxx:xxxx --> 2607:f8b0:400e:c02::68
16 bytes from 2607:f8b0:400e:c02::68, icmp_seq=0 hlim=54 time=43.195 ms
16 bytes from 2607:f8b0:400e:c02::68, icmp_seq=1 hlim=54 time=41.067 ms
!
--- ipv6.l.google.com ping6 statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 41.067/42.131/43.195 ms

- Traceroute (traceroute6)
If pings are working, great; if not, let's ensure that traffic is going out the tunnel interface.

traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com from 2001:470:1f05:XXX:xxx:xxxx:xxxx:xxxx

30 hops max, 12 byte packets

1  2001:470:1f05:XXX::1  1.571 ms  1.036 ms  1.495 ms
2  X.tunnel.tserv3.fmt2.ipv6.he.net  27.442 ms  21.487 ms  19.709 ms
3  gige-g5-19.core1.fmt2.he.net  16.116 ms  17.895 ms  16.826 ms
4  10gigabitethernet1-1.core1.sjc2.he.net  17.334 ms  20.602 ms  39.567 ms
5  2001:4860:1:1::1b1b:0:9  16.703 ms  21.06 ms  100.722 ms
6  2001:4860::1:0:7ea  35.26 ms  32.691 ms  32.399 ms
7  2001:4860::8:0:2cb7  28.861 ms 2001:4860::8:0:2cb6  18.845 ms 2001:4860::8:0:2cb7  19.177 ms
!!
!

- ARP
Since the router has no concept of this command, you need to enter show ipv6 neighbors instead:


#show ipv6 neighbors

IPv6 Address                              Age Link-layer Addr State Interface
FE80::216:CBFF:xxxx:xxxx                    0 0016.cba3.ace0  STALE Vl1
FE80::7ED1:C3FF:xxxx:xxxx                 101 7cd1.c399.b86c  STALE Vl1
2001:470:1F05:xxx:xxx:xxxx:xxxx:xxxx        0 0016.cba3.ace0  STALE Vl1
FE80::1AE7:F4FF:xxxx:xxxx                 121 18e7.f445.b82a  STALE Vl1
!
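
The visible part of the link-local entries above (for example FE80::216:CBFF:... next to 0016.cba3.ace0) is the modified EUI-64 form, where the interface ID is built from the MAC address. As an added example, not part of the original post, this Python parser reads `show ipv6 neighbors` output and reports for each entry whether the address embeds the MAC seen on the wire. The sample rows are constructed with complete addresses, and `eui64_iid` and `classify` are illustrative names.

```python
import ipaddress
import re

# Constructed sample in the layout of `show ipv6 neighbors`; global addresses
# use the 2001:db8::/32 documentation prefix and are not from the post.
SAMPLE = """\
IPv6 Address                              Age Link-layer Addr State Interface
FE80::216:CBFF:FEA3:ACE0                    0 0016.cba3.ace0  STALE Vl1
2001:DB8:1F05:1:216:CBFF:FEA3:ACE0          0 0016.cba3.ace0  STALE Vl1
2001:DB8:1F05:1:5C3E:91AA:7D10:42B9         3 7cd1.c399.b86c  REACH Vl1
FE80::1AE7:F4FF:FE45:B82B                 121 18e7.f445.b82a  STALE Vl1
"""

ROW = re.compile(r"^(\S+)\s+(\d+|-)\s+"
                 r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)$", re.I)

def eui64_iid(mac):
    """Modified EUI-64 interface ID (RFC 4291) for a Cisco-style MAC."""
    b = bytearray.fromhex(mac.replace(".", ""))
    b[0] ^= 0x02                       # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def classify(table):
    """Return [(address, mac, verdict)] for each neighbor row."""
    out = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                   # header or non-row line
        addr, mac = ipaddress.IPv6Address(m.group(1)), m.group(3).lower()
        iid = addr.packed[8:]          # low 64 bits: the interface ID
        if iid == eui64_iid(mac):
            verdict = "eui64-match"    # MAC is recoverable from the address
        elif iid[3:5] == b"\xff\xfe":
            verdict = "eui64-mismatch" # embeds a different MAC than the one seen
        else:
            verdict = "opaque"         # privacy, static or DHCPv6 interface ID
        out.append((str(addr), mac, verdict))
    return out

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

An `eui64-match` on a global address means the host's hardware address is visible to every site it connects to; an `eui64-mismatch` is an entry worth checking against your inventory.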

• Links

Good support page on IPv6 and NDP discovery - Cisco Support

At this point you should be able to surf the expansive IPv6 Internet... kidding. You should be able to validate that your browser is not only capable but that you are able to "see" an IPv6 delivered web page.  Here is a good site to do this with.