Router - Cisco IPv6 Native Config: Difference between revisions
Line 79: | Line 79: | ||
ipv6 traffic-filter outboundfilters-ipv6 out |
ipv6 traffic-filter outboundfilters-ipv6 out |
||
</pre> |
</pre> |
||
If you include the "deny any any" line a a "show access-lists ..." will show the number of |
|||
packets that have hit that line. Thus you can tell if a problem exists because |
|||
the packets are not passing through the access list or failure to communicate is |
|||
because of some other problem. |
Revision as of 17:46, 17 Ocak 2012
This page will walk you through getting IPv6 to work correctly on your Cisco device
Enable IPv6 routing on your router
conf t ipv6 source-route ipv6 unicast-routing ipv6 cef ipv6 multicast-routing ipv6 route ::/0 Dialer0
Enable IPv6 to work on your internal Ethernet Ports
conf t interface FastEthernet 0/0 ipv6 address <your_slash_48>:1::/64 eui-64 ipv6 enable ipv6 nd prefix <your_slash_48>:1::/64 ipv6 nd managed-config-flag ipv6 nd router-preference High ipv6 nd ra interval 60
Enable IPv6 to work on your WAN side
conf t interface dialer0 ipv6 enable ipv6 traffic-filter adsl-ipv6 in
02/11/2011 The above config didn't work for me I had to create a new /64 via Clueless and add this here as an IP address
ipv6 nd prefix <your_slash_64>::1/64
I would also add the following traffic-filter to the dialer interface
ipv6 traffic-filter outboundfilters-ipv6 out
Lock down your IPv6 network with an access list
conf t ipv6 access-list ipv6 adsl-ipv6 permit tcp any any established permit icmp any any deny ipv6 any any interface dialer0 ipv6 traffic-filter adsl-ipv6 in
02/11/2011
I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis
ipv6 access-list adsl-ipv6 ! This only allows in IPv6 traffic which originated from our local network ! No need for a deny at the end as an implicit deny is the default evaluate tcptraffic-out-ipv6 evaluate udptraffic-out-ipv6 evaluate icmptraffic-out-ipv6 ipv6 access-list outboundfilters-ipv6 ! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in ! No need for a deny at the end as an implicit deny is the default permit tcp any any reflect tcptraffic-out-ipv6 timeout 30 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30 permit udp any any reflect udptraffic-out-ipv6 timeout 30 interface dialer<n> ipv6 traffic-filter adsl-ipv6 in ipv6 traffic-filter outboundfilters-ipv6 out
If you include the "deny any any" line a a "show access-lists ..." will show the number of packets that have hit that line. Thus you can tell if a problem exists because the packets are not passing through the access list or failure to communicate is because of some other problem.