Router - Cisco IPv6 Native Config
This page will walk you through getting IPv6 to work correctly on your Cisco device
Enable IPv6 routing on your router
conf t ipv6 source-route ipv6 unicast-routing ipv6 cef ipv6 multicast-routing ipv6 route ::/0 Dialer0
Enable IPv6 to work on your internal Ethernet Ports
conf t interface FastEthernet 0/0 ipv6 address <your_slash_48>:1::/64 eui-64 ipv6 enable ipv6 nd prefix <your_slash_48>:1::/64 ipv6 nd managed-config-flag ipv6 nd router-preference High ipv6 nd ra interval 60
EDIT - Feb 2015 - Above didn't work for me, alternative config below
! Feb 2015 - Cisco 1841 / FTTC ! LAN Port (I used default /64 on clueless) ! interface FastEthernet0/0 ipv6 address 2001:8B0:xx:xxxx::1/64 ipv6 enable ipv6 nd other-config-flag ipv6 dhcp server ipv6dhcp_pool ! ! Below gives out IPv6 DNS to clients ! ipv6 dhcp pool ipv6dhcp_pool dns-server 2001:8B0::2020 dns-server 2001:8B0::2021
Enable IPv6 to work on your WAN side
conf t interface dialer0 ipv6 enable ipv6 traffic-filter adsl-ipv6 in
02/11/2011 The above config didn't work for me I had to create a new /64 via Clueless and add this here as an IP address
ipv6 nd prefix <your_slash_64>::1/64
I would also add the following traffic-filter to the dialer interface
ipv6 traffic-filter outboundfilters-ipv6 out
EDIT Feb 2015 - Alternative config below
! Feb 2015 - Cisco 1841 / FTTC ! WAN ! interface Dialer0 ipv6 address dhcp rapid-commit ipv6 enable
Lock down your IPv6 network with an access list
conf t ipv6 access-list ipv6 adsl-ipv6 permit tcp any any established permit icmp any any deny ipv6 any any interface dialer0 ipv6 traffic-filter adsl-ipv6 in
02/11/2011
I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis
ipv6 access-list adsl-ipv6 ! This only allows in IPv6 traffic which originated from our local network ! No need for a deny at the end as an implicit deny is the default evaluate tcptraffic-out-ipv6 evaluate udptraffic-out-ipv6 evaluate icmptraffic-out-ipv6 ipv6 access-list outboundfilters-ipv6 ! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in ! No need for a deny at the end as an implicit deny is the default permit tcp any any reflect tcptraffic-out-ipv6 timeout 30 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30 permit udp any any reflect udptraffic-out-ipv6 timeout 30 interface dialer<n> ipv6 traffic-filter adsl-ipv6 in ipv6 traffic-filter outboundfilters-ipv6 out
If you include the "deny any any" line a "show access-lists ..." will show the number of packets that have hit that line. Thus you can tell if a problem exists because the packets are not passing through the access list or failure to communicate is because of some other problem.