This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - Cisco IPv6 Native Config


This page will walk you through getting IPv6 to work correctly on your Cisco device.

Enable IPv6 routing on your router

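 conf t
 ! ipv6 source-route lets the router process Type 0 routing headers (deprecated by RFC 5095);
 ! a hardened config uses "no ipv6 source-route" instead
 ipv6 source-route
 ipv6 unicast-routing
 ipv6 cef
 ipv6 multicast-routing
 ipv6 route ::/0 Dialer0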

Enable IPv6 to work on your internal Ethernet Ports

 conf t
 interface FastEthernet 0/0
 ipv6 address <your_slash_48>:1::/64 eui-64
 ipv6 enable
 ipv6 nd prefix <your_slash_48>:1::/64
 ipv6 nd managed-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra interval 60

EDIT - Feb 2015 - Above didn't work for me, alternative config below

! Feb 2015 - Cisco 1841 / FTTC 
! LAN Port (I used default /64 on clueless)
interface FastEthernet0/0
 ipv6 address 2001:8B0:xx:xxxx::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ipv6dhcp_pool
! Below gives out IPv6 DNS to clients
ipv6 dhcp pool ipv6dhcp_pool
  dns-server 2001:8B0::2020
  dns-server 2001:8B0::2021

Enable IPv6 to work on your WAN side

 conf t
 interface dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 The above config didn't work for me. I had to create a new /64 via Clueless and add this here as an IP address

 ipv6 nd prefix <your_slash_64>::1/64

I would also add the following traffic-filter to the dialer interface

 ipv6 traffic-filter outboundfilters-ipv6 out

EDIT Feb 2015 - Alternative config below

! Feb 2015 - Cisco 1841 / FTTC 
! WAN 
 interface Dialer0
  ipv6 address dhcp rapid-commit
  ipv6 enable

Lock down your IPv6 network with an access list

 conf t
 ipv6 access-list adsl-ipv6
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any
 interface dialer0
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 I would use the following access-list. I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary, and then only allow it on a case-by-case basis.

ipv6 access-list adsl-ipv6
! This only allows in IPv6 traffic which originated from our local network
! No need for a deny at the end as an implicit deny is the default
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6

ipv6 access-list outboundfilters-ipv6
! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in
! No need for a deny at the end as an implicit deny is the default
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30

interface dialer<n>
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out

If you include the "deny any any" line, a "show access-lists ..." will show the number of packets that have hit that line. You can then tell whether a failure to communicate is because packets are not passing through the access list or because of some other problem.
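A static check for the filter wiring described above, as an added example (not part of the original page and not a Cisco tool): it flags a traffic-filter that names an undefined access list, an `evaluate` with no matching `reflect`, and a WAN interface with IPv6 enabled but no inbound filter. It assumes running-config style text with indented sub-commands and treats interfaces whose names start with `dialer` as the WAN side; the `audit` function and the sample config are constructed for illustration.

```python
import re
# Constructed sample: the page's reflexive-ACL config, with dialer<n> taken as Dialer0.
SAMPLE = """\
ipv6 access-list adsl-ipv6
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6
ipv6 access-list outboundfilters-ipv6
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30
interface Dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out
"""

def audit(config, wan_prefix="dialer"):
    """Return sorted findings for running-config style text (sub-commands indented)."""
    acls, reflects, evaluates, ifaces = set(), set(), [], {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind = name = None
            if m := re.fullmatch(r"ipv6 access-list (\S+)", line):
                kind, name = "acl", m.group(1)
                acls.add(name)
            elif m := re.fullmatch(r"interface\s+(.+)", line, re.I):
                kind, name = "if", m.group(1).replace(" ", "").lower()
                ifaces[name] = {}
        elif kind == "acl":  # collect reflexive list names created and consumed
            reflects.update(re.findall(r"\breflect (\S+)", line))
            evaluates += [(name, r) for r in re.findall(r"^evaluate (\S+)$", line)]
        elif kind == "if" and line.startswith("ipv6 "):
            ifaces[name]["v6"] = True
            if m := re.fullmatch(r"ipv6 traffic-filter (\S+) (in|out)", line):
                ifaces[name][m.group(2)] = m.group(1)
    out = []
    for ifname, info in ifaces.items():
        for d in ("in", "out"):
            if d in info and info[d] not in acls:
                out.append(f"{ifname}: {d} filter '{info[d]}' is not a defined ipv6 access-list")
        if info.get("v6") and ifname.startswith(wan_prefix) and "in" not in info:
            out.append(f"{ifname}: IPv6 enabled but no inbound traffic-filter")
    out += [f"{a}: evaluate '{r}' has no matching reflect entry" for a, r in evaluates if r not in reflects]
    return sorted(out)
```

`audit(SAMPLE)` returns an empty list for the reflexive configuration; run it over a saved copy of your own config before relying on the filter.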