Router - Cisco IPv6 Native Config: Difference between revisions

From AAISP Support Site
m (→‎Lock down your IPv6 network with an access list: clean up, typos fixed: a a → a)
Revision as of 21:16, 6 January 2015

This page walks you through getting IPv6 to work correctly on your Cisco device.

Enable IPv6 routing on your router

 conf t
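 ! Caution: this enables processing of the Type 0 routing header (source
 ! routing), which RFC 5095 deprecated; "no ipv6 source-route" turns it off
 ipv6 source-route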
 ipv6 unicast-routing
 ipv6 cef
 ipv6 multicast-routing
 ipv6 route ::/0 Dialer0

Enable IPv6 to work on your internal Ethernet Ports

 conf t
 interface FastEthernet 0/0
 ipv6 address <your_slash_48>:1::/64 eui-64
 ipv6 enable
 ipv6 nd prefix <your_slash_48>:1::/64
 ipv6 nd managed-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra interval 60

Enable IPv6 to work on your WAN side

 conf t
 interface dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 The above config didn't work for me; I had to create a new /64 via Clueless and add this here as an IP address

 ipv6 nd prefix <your_slash_64>::1/64

I would also add the following traffic-filter to the dialer interface

 ipv6 traffic-filter outboundfilters-ipv6 out

Lock down your IPv6 network with an access list

 conf t
 ipv6 access-list adsl-ipv6
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any
 interface dialer0
 ipv6 traffic-filter adsl-ipv6 in


02/11/2011 I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis

ipv6 access-list adsl-ipv6
! This only allows in IPv6 traffic which originated from our local network
! No need for a deny at the end as an implicit deny is the default
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6

ipv6 access-list outboundfilters-ipv6
! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in
! No need for a deny at the end as an implicit deny is the default
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30

interface dialer<n>
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out

If you include the "deny any any" line, a "show access-lists ..." will show the number of packets that have hit that line. You can thus tell whether a problem exists because packets are not passing through the access list, or whether the failure to communicate is due to some other problem.
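
The following added example (not part of the original page) combines the reflexive lists above with a small set of inbound ICMPv6 error messages and an explicit final deny, so that path MTU discovery keeps working and the deny counter is available. The list name adsl-ipv6-strict and the selection of ICMPv6 types are assumptions. The explicit neighbour-discovery permits are there because an explicit deny takes effect before the implicit nd-na/nd-ns permits that IOS appends to every IPv6 access list.

```cisco
! Added example, not from the original page. The name adsl-ipv6-strict and
! the choice of ICMPv6 types are assumptions; adjust them to your network.
!
ipv6 access-list outboundfilters-ipv6
 ! Outbound sessions create the reflexive entries evaluated on the way in
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
!
ipv6 access-list adsl-ipv6-strict
 ! Return traffic for sessions that were opened from the inside
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6
 ! ICMPv6 errors sent by routers on the path are not matched by the
 ! reflexive entries; path MTU discovery depends on packet-too-big
 permit icmp any any packet-too-big
 permit icmp any any destination-unreachable
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 ! Restate the implicit neighbour-discovery permits, because the
 ! explicit deny below would otherwise be matched first
 permit icmp any any nd-na
 permit icmp any any nd-ns
 ! Explicit final deny so that dropped packets show up in the counters
 deny ipv6 any any
!
interface Dialer0
 ipv6 traffic-filter adsl-ipv6-strict in
 ipv6 traffic-filter outboundfilters-ipv6 out
!
! Verify from exec mode; each entry lists its match count:
!  show ipv6 access-list adsl-ipv6-strict
```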