Open main menu

AAISP Support Site β

Router - Cisco IPv6 Native Config


This page will walk you through getting IPv6 to work correctly on your Cisco device

Enable IPv6 routing on your router

 conf t
 ipv6 source-route
 ipv6 unicast-routing
 ipv6 cef
 ipv6 multicast-routing
 ipv6 routeĀ ::/0 Dialer0

Enable IPv6 to work on your internal Ethernet Ports

 conf t
 interface FastEthernet 0/0
 ipv6 address <your_slash_48>:1::/64 eui-64
 ipv6 enable
 ipv6 nd prefix <your_slash_48>:1::/64
 ipv6 nd managed-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra interval 60

EDIT - Feb 2015 - Above didn't work for me, alternative config below

! Feb 2015 - Cisco 1841 / FTTC 
! LAN Port (I used default /64 on clueless)
interface FastEthernet0/0
 ipv6 address 2001:8B0:xx:xxxx::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ipv6dhcp_pool
! Below gives out IPv6 DNS to clients
ipv6 dhcp pool ipv6dhcp_pool
  dns-server 2001:8B0::2020
  dns-server 2001:8B0::2021

Enable IPv6 to work on your WAN side

 conf t
 interface dialer0
 ipv6 enable
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 The above config didn't work for me I had to create a new /64 via Clueless and add this here as an IP address

 ipv6 nd prefix <your_slash_64>::1/64

I would also add the following traffic-filter to the dialer interface

 ipv6 traffic-filter outboundfilters-ipv6 out

EDIT Feb 2015 - Alternative config below

! Feb 2015 - Cisco 1841 / FTTC 
! WAN 
 interface Dialer0
  ipv6 address dhcp rapid-commit
  ipv6 enable

Lock down your IPv6 network with an access list

 conf t
 ipv6 access-list ipv6 adsl-ipv6
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any
 interface dialer0
 ipv6 traffic-filter adsl-ipv6 in

02/11/2011 I would use the following access-list - I would advise against allowing any IPv6 ICMP into the network unless absolutely necessary and then only allow on a case-by-case basis

ipv6 access-list adsl-ipv6
! This only allows in IPv6 traffic which originated from our local network
! No need for a deny at the end as an implicit deny is the default
 evaluate tcptraffic-out-ipv6
 evaluate udptraffic-out-ipv6
 evaluate icmptraffic-out-ipv6

ipv6 access-list outboundfilters-ipv6
! This only creates a reflexive access-list that adsl-ipv6 uses to allow traffic back in
! No need for a deny at the end as an implicit deny is the default
 permit tcp any any reflect tcptraffic-out-ipv6 timeout 30
 permit icmp any any reflect icmptraffic-out-ipv6 timeout 30
 permit udp any any reflect udptraffic-out-ipv6 timeout 30

interface dialer<n>
 ipv6 traffic-filter adsl-ipv6 in
 ipv6 traffic-filter outboundfilters-ipv6 out

If you include the "deny any any" line a "show access-lists ..." will show the number of packets that have hit that line. Thus you can tell if a problem exists because the packets are not passing through the access list or failure to communicate is because of some other problem.