Router - Cisco IPv6 Native Config: Difference between revisions

From AAISP Support Site
Line 79: Line 79:
ipv6 traffic-filter outboundfilters-ipv6 out
ipv6 traffic-filter outboundfilters-ipv6 out
</pre>
</pre>

If you include the "deny any any" line a a "show access-lists ..." will show the number of
packets that have hit that line. Thus you can tell if a problem exists because
the packets are not passing through the access list or failure to communicate is
because of some other problem.

Revision as of 17:46, 17 Ocak 2012

This page will walk you through getting IPv6 to work correctly on your Cisco device

Enable IPv6 routing on your router

 conf t
 ipv6 source-route
 ipv6 unicast-routing
 ipv6 cef
 ipv6 multicast-routing
 ipv6 route ::/0 Dialer0

Enable IPv6 to work on your internal Ethernet Ports

 conf t
 interface FastEthernet 0/0
 ipv6 address <your_slash_48>:1::/64 eui-64
 ipv6 enable
 ipv6 nd prefix <your_slash_48>:1::/64
 ipv6 nd managed-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra interval 60

Enable IPv6 to work on your WAN side

 conf t
 interface dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 The above config didn't work for me I had to create a new /64 via Clueless and add this here as an IP address

 ipv6 nd prefix <your_slash_64>::1/64

I would also add the following traffic-filter to the dialer interface

 ipv6 traffic-filter outboundfilters-ipv6 out

Lock down your IPv6 network with an access list

 conf t
 ipv6 access-list ipv6 adsl-ipv6
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any
 interface dialer0
 ipv6 traffic-filter adsl-ipv6 in


02/11/2011 I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis

ipv6 access-list adsl-ipv6
! This only allows in IPv6 traffic which originated from our local network
! No need for a deny at the end as an implicit deny is the default
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6

ipv6 access-list outboundfilters-ipv6
! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in
! No need for a deny at the end as an implicit deny is the default
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30

interface dialer<n>
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out

If you include the "deny any any" line a a "show access-lists ..." will show the number of packets that have hit that line. Thus you can tell if a problem exists because the packets are not passing through the access list or failure to communicate is because of some other problem.