Router - Cisco IPv6 Native Config: Difference between revisions

From AAISP Support Site
Line 48: Line 48:


<pre>
<pre>
#conf t
conf t
#ipv6 access-list ipv6 adsl-ipv6
ipv6 access-list ipv6 adsl-ipv6
#permit tcp any any established
permit tcp any any established
#permit icmp any any
permit icmp any any
#deny ipv6 any any
deny ipv6 any any
#interface dialer0
interface dialer0
#ipv6 traffic-filter adsl-ipv6 in
ipv6 traffic-filter adsl-ipv6 in
</pre>
</pre>



Revision as of 13:55, 2 November 2011

This page will walk you through getting IPv6 to work correctly on your Cisco device

Enable IPv6 routing on your router

#conf t
#ipv6 source-route
#ipv6 unicast-routing
#ipv6 cef
#ipv6 multicast-routing
#ipv6 route ::/0 Dialer0

Enable IPv6 to work on your internal Ethernet Ports

#conf t
#interface FastEthernet 0/0
#ipv6 address <your_slash_48>:1::/64 eui-64
#ipv6 enable
#ipv6 nd prefix <your_slash_48>:1::/64
#ipv6 nd managed-config-flag
#ipv6 nd router-preference High
#ipv6 nd ra interval 60

Enable IPv6 to work on your WAN side

 conf t
 interface dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 The above config didn't work for me I had to create a new /64 via Clueless and add this here as an IP address

 ipv6 nd prefix <your_slash_64>::1/64

I would also add the following traffic-filter to the dialer interface

 ipv6 traffic-filter outboundfilters-ipv6 out

Lock down your IPv6 network with an access list

 conf t
 ipv6 access-list ipv6 adsl-ipv6
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any
 interface dialer0
 ipv6 traffic-filter adsl-ipv6 in


02/11/2011 I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis

ipv6 access-list adsl-ipv6
! This only allows in IPv6 traffic which originated from our local network
! No need for a deny at the end as an implicit deny is the default
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6

ipv6 access-list outboundfilters-ipv6
! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in
! No need for a deny at the end as an implicit deny is the default
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30

interface dialer<n>
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out