Friday, 18 September 2015

Configuring IPv6 Prefix Delegation on a Cisco router for Ethernet or Dialer interfaces

This post shows an example of how to configure IPv6 on Ethernet- or Dialer-delivered services. It might come in handy if you want to configure IPv6 on Telstra TBiz on the NBN, or pretty much any other IPv6-delivered service.

So let's say, for example, your ISP has given you a PD (Prefix Delegation) of 2001:1111:2222:333::/56 and you'd like to give a couple of your attached onsite VLANs their own /64 subnets out of that shiny new IPv6 space.

It's actually pretty easy to do, but you're going to have to forget everything you ever knew about IPv4 because the game has changed slightly.

Firstly, let's pick up that nice new prefix delegation your ISP has given you. Log in, enable, and go to configuration terminal. Let's enable IPv6 routing and Cisco Express Forwarding (CEF).

router(config)# ipv6 cef
router(config)# ipv6 unicast-routing

First things first: make a new IPv6 ACL to keep all the script kiddies out of your network. Every IPv6 address is publicly routable. Goodbye NAT and sitting safely behind private IP addresses; that is no more. Once you're IPv6 configured, everything on your local LAN sits on the public internet, so the filter on your internet-facing interface is now the only thing standing between your hosts and the world. Let's create an ACL that allows only what we need in.

router(config)# ipv6 access-list IPV6-IN
router(config-ipv6-acl)# permit icmp any any
router(config-ipv6-acl)# permit tcp any any established
router(config-ipv6-acl)# permit udp any any eq 546

Note the UDP port 546. This is the DHCPv6 client port: the replies from your ISP's DHCPv6 server (sent from port 547) are addressed to it, so it must be allowed in or you will never receive your prefix delegation. Anything not matched by these three lines is dropped by the implicit deny at the end of the list. Once we have our new ACL, we're ready to configure our first interface.

Enter the interface facing your ISP. In this example, it's GigabitEthernet0/0. I'll assume you already have all the normal IPv4 configuration in here, so I won't show it in the example below.

I recommend that you configure a "link-local" address explicitly. It is normally generated from the interface's MAC address; however, if you're using subinterfaces or port-channels you can end up with duplicate link-local addresses, and IPv6 simply won't work. For our internet-facing interface, we'll give it a link-local address of FE80::1.

router(config)# interface GigabitEthernet0/0
router(config-if)# ! configure a link-local address
router(config-if)# ipv6 address FE80::1 link-local
router(config-if)# ! assign the first /64 of our new prefix delegation
router(config-if)# ipv6 address IPV6-PD ::1/64
router(config-if)# ! enable ipv6 on the interface
router(config-if)# ipv6 enable
router(config-if)# ! enable the router to find the default route
router(config-if)# ipv6 nd autoconfig default-route
router(config-if)# ! enable the DHCP client and assign a name of IPV6-PD to your prefix delegation
router(config-if)# ipv6 dhcp client pd IPV6-PD
router(config-if)# ! Assign our ACL to the interface
router(config-if)# ipv6 traffic-filter IPV6-IN in

Now is a good time to check whether or not you have received your prefix delegation. Because IPv6 is still new, it's not uncommon for ISPs to stuff it up.

router# sh ipv6 dhcp int

The output should show the prefix you have been assigned. If this is all good, then carry on. Otherwise, something isn't right with your ISP.

In this example, I have two VLANs to which I want to assign the next two /64s. VLAN 2 is on GigabitEthernet0/1.2 and VLAN 3 is on GigabitEthernet0/1.3.

Unfortunately there is an issue with how Windows processes ICMPv6 Router Advertisements (RAs) within its NDIS drivers. It has long plagued network administrators, and a quick Google search will show you that.

What happens is this: say you have two VLANs, one for general use and another for VoIP, with frames tagged on the VoIP VLAN. If you enable IPv6 on both VLANs, Windows (in its wisdom) will untag the RA frame from the router and pass it through to the operating system. You end up with a Windows client holding an IPv6 address and gateway on the tagged VLAN as well as on the untagged one, which causes weird disconnection issues for those clients.

There is a workaround. It involves some hackery the router will complain about, but I'll show you how here. What you need to do is set the same link-local address on each subinterface (this includes things like port-channels). To do that, however, you'll need to disable a feature called Duplicate Address Detection, or "DAD" for short.

Under configuration terminal, type the following:

router(config)# ipv6 nd dad time 1

This makes duplicate address detection last only 1 ms. Otherwise, if the router sees the same link-local address configured on different interfaces, it will disable IPv6 on that interface.

So here's what we do:

router(config)# interface GigabitEthernet0/1.2
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 2
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the second /64 increment to this VLAN
router(config-subif)# ipv6 address IPV6-PD ::2:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable
router(config-subif)# !
router(config-subif)# interface GigabitEthernet0/1.3
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 3 as well
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the third /64 increment in this VLAN
router(config-subif)# ipv6 address IPV6-PD ::3:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable
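As an added example (not part of the original post), here is a small Python planner that works out which global addresses the router's general-prefix mechanism will produce from the delegated /56 and the ::1/64, ::2:0:0:0:1/64 and ::3:0:0:0:1/64 sub-addresses above, and refuses a plan in which two interfaces land in the same /64 or a sub-address sets bits that the PD would overwrite. It assumes the rule given in Cisco's general-prefix documentation: the leading prefix-length bits come from the general prefix (here the learned PD) and every remaining bit comes from the configured sub-address.

```python
import ipaddress

# Values taken from the post: the delegated PD and each interface's sub-address.
DELEGATED_PD = "2001:1111:2222:333::/56"
INTERFACES = {
    "GigabitEthernet0/0":   "::1/64",          # WAN, first /64 of the PD
    "GigabitEthernet0/1.2": "::2:0:0:0:1/64",  # VLAN 2
    "GigabitEthernet0/1.3": "::3:0:0:0:1/64",  # VLAN 3
}


def expand_general_prefix(general_prefix, sub_address):
    """Combine an IOS general prefix with one 'ipv6 address <name> <sub>' line.

    Assumed rule (per Cisco's general-prefix documentation): the first
    prefix-length bits come from the general prefix, the rest from the
    configured sub-address. Any bit the sub-address sets inside the
    general prefix's span would be silently discarded by the router, so
    it is treated here as a configuration error.
    """
    # strict=False masks off the non-zero host bits in the post's example /56.
    pd = ipaddress.IPv6Network(general_prefix, strict=False)
    sub = ipaddress.IPv6Interface(sub_address)
    high_mask = int(pd.netmask)
    low_mask = ((1 << 128) - 1) ^ high_mask
    if int(sub.ip) & high_mask:
        raise ValueError(
            f"{sub_address} sets bits inside the /{pd.prefixlen} that IOS would discard")
    combined = int(pd.network_address) | (int(sub.ip) & low_mask)
    return ipaddress.IPv6Interface((combined, sub.network.prefixlen))


def plan_addresses(general_prefix, interfaces):
    """Return {interface: IPv6Interface}; reject two interfaces sharing a /64."""
    plan, owner = {}, {}
    for name, sub in interfaces.items():
        addr = expand_general_prefix(general_prefix, sub)
        if addr.network in owner:
            raise ValueError(f"{name} and {owner[addr.network]} both sit in {addr.network}")
        owner[addr.network] = name
        plan[name] = addr
    return plan


if __name__ == "__main__":
    for name, addr in plan_addresses(DELEGATED_PD, INTERFACES).items():
        print(f"{name:22} {addr}")
```

Run against the post's values it prints 2001:1111:2222:300::1/64, 2001:1111:2222:302::1/64 and 2001:1111:2222:303::1/64, which is what you should see in "show ipv6 interface brief" once the PD has been learned.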

You may be wondering by this point: what about a static default route? The good news is, you don't need one. It is learned from your ISP by the "ipv6 nd autoconfig default-route" command we entered earlier on your internet-facing interface.

Everything should now be good to go. A refresh of your local LAN adapter should mean you receive an IPv6 address. Yup, you don't even need to configure DHCP! Your clients will learn their IPs from the router's RAs. Pretty cool huh?

Note: some Dialer interfaces fail to refresh their prefix delegation after the Dialer interface comes back up; perhaps the ADSL line resyncs, forcing the Dialer interface to reauthenticate.

The below is a workaround for the problem. I haven't had this issue myself, but if you do, it could come in handy. Thanks to Internode for this gem.

event manager applet MONITOR-IPV6-DHCP-APP
 event syslog pattern "DIALER-6-BIND"
 action 1.0 cli command "enable"
 ! Replace the Dialer interface with the correct number...
 action 1.1 cli command "clear ipv6 dhcp client Dialer1"
 action 2.0 syslog priority debugging msg "Refreshed IPv6 DHCP PD lease (Dialer rebind)"
!

11 comments:

  2. Great article. Are you able to post the complete config please? I've got an 887VAM that I'm struggling to get a purely IPv6 VDSL connection on. I'm with Internode and they don't provide any help whatsoever with setting this router up for their service.

    Matt.

    Replies
    1. config t
      ipv6 cef
      ipv6 unicast-routing
      interface Ethernet0
      ipv6 address FE80::1 link-local
      ipv6 address IPV6-PD ::1/64
      ipv6 enable
      ipv6 nd autoconfig default-route
      ipv6 dhcp client pd IPV6-PD
      !
      ipv6 nd dad time 1
      interface Vlan1
      ipv6 address FE80::2 link-local
      ipv6 address IPV6-PD ::2:0:0:0:1/64
      ipv6 enable

  3. Hi Matt,

    The 887VAM is a great router. On VDSL configurations, Ethernet0 becomes your internet facing interface.

    If you replace the interface GigabitEthernet0/0 like above with Ethernet0, and replace GigabitEthernet0/1 with Vlan1 all should work OK :)

    Good luck.

    Cheers,
    J.

  4. Thanks Jordan. I've done all that but still no internet. I'm getting connected as per a "sh cont vdsl 0" but no ppp. There's no default route showing up either. Can I send you a .txt file with my config for you to have a look at please?

    Replies
    1. If you want mate. Just remember to redact any passwords or usernames you have in there ;)

    2. What's your email address? I couldn't find a contact me on this site.
