
5/3/2013
Peter Welcher

CCIE R&S Prep: IPv6 Part 2

This is the second CCIE R&S prep blog on IPv6, IPv6 Part 2. On March 1, 2013 I blogged that I intended to start a series of CCIE R&S Written exam prep blogs. That blog contains the “ground rules” and some general advice. The full URL for it is http://netcraftsmen.net/blogs/entry/ccie-ras-written-review-blog-series.html. The first blog in the series was IPv6 Part 1.

It turns out there were three bits that should have been in the prior blog but dropped out somewhere along the way. So I’ll put them here, next. The rest of this blog covers IPv6 tunneling variants in summary form, with config samples.

IPv6 Filtering

! CONFIG SAMPLE
! CONFTYPE: IPv6 Route Filtering
!
ipv6 prefix-list EFILTER seq 10 deny 2001::/64
ipv6 prefix-list EFILTER seq 20 permit ::/0 le 128
!
ipv6 router eigrp 100
distribute-list prefix-list EFILTER out   ! or in, route-map NOT allowed
!

IPv6 Redistribution

  • IPv6 routing protocols can redistribute from one another. Here is the generic router command syntax:
! CONFIG SAMPLE
! CONFTYPE: IPv6 Route Redistribution
!
router …
redistribute source-protocol [process-id] [include-connected {level-1 | level-1-2 | level-2}] [as-number] [metric {metric-value | transparent}] [metric-type type-value]
[match {external [1 | 2] | internal | nssa-external [1 | 2]}] [tag tag-value] [route-map map-tag]
!
  • A route map can be used.
  • Note the “include-connected” option. It redistributes connected prefixes on the interface where the source protocol is running.

IPv6 Other

  • NAT64 is better in practice than NAT-PT; the latter has an ALG (Application Layer Gateway) for DNS, and the fixups can create problems. Cf. Ivan Pepelnjak’s blogs, RFCs, and other sources Ivan cites at ipspace.net.
  • IPv6 only uses named ACLs. They can be used as access-class on the vty lines.
  • IPv6 ACLs implicitly allow ND unless you block it.
  • For QoS, you can use “match protocol ip” and “match protocol ipv6” to treat IPv4 and 6 differently, if desired.
  • BGP and MPLS 6PE or 6VPN are not on the CCIE topics list above. Hence I omitted them here.

IPv6 Tunneling

See also http://ardenpackeer.com/tutorials/routeswitch/tutorial-ipv6-tunnels-part-1-manual-gre-ipv6ip-tunnels/ and http://ardenpackeer.com/tutorials/routeswitch/tutorial-ipv6-tunnels-part-2-automatic-6to4-tunnels/

Types of IPv6 over IPv4 overlay tunnels:

  • Manually coded destination:
    • Manual IPv6 over IPv4 (NOT “6over4”) tunnel uses IP protocol 41, no GRE header: tunnel mode ipv6ip
    • GRE (IPv4 | GRE | IPv6, slightly bigger header): tunnel mode gre
  • Automatic:
    • IPv4-compatible: tunnel mode ipv6ip auto-tunnel. ISATAP is recommended by Cisco over IPv4-compatible.
    • 6to4 (and IPv6 Rapid Deployment, 6RD for SPs): tunnel mode ipv6ip 6to4
    • Intrasite Automatic Tunnel Addressing Protocol (ISATAP): tunnel mode ipv6ip isatap
    • 6over4: not implemented by Cisco – out of scope
    • Teredo: not supported on routers  – out of scope
    • 6RD (Rapid Deployment, for SPs) – out of scope

Summary table to memorize:

Tunnel type        Manual?        Syntax
IPv6 over IPv4     manual         tunnel mode ipv6ip
GRE                manual         tunnel mode gre
IPv4 compatible    automatic      tunnel mode ipv6ip auto-tunnel
6to4               automatic      tunnel mode ipv6ip 6to4
ISATAP             automatic      tunnel mode ipv6ip isatap
6over4             NOT SUPPORTED

Manual IPv6IP and GRE

! CONFIG SAMPLE
! CONFTYPE: Manual IPv6 over IPv4 tunnel
interface tunnel 0
ipv6 address 3ffe:b00:c18:1::3/127
tunnel source ethernet 0
tunnel destination 192.168.16.1
tunnel mode ipv6ip
!

GRE

! GRE
interface tunnel 0
no ip address
ipv6 address 3ffe:b00:c18:1::3/127
tunnel source Ethernet 0/0
tunnel destination 192.168.16.1
tunnel mode gre
!

IPv4 Compatible

  • Automatic; uses IPv4-compatible IPv6 addresses: zeros in the 96 high-order bits, then the IPv4 address in hex at the end.
  • Some examples show using BGP for dynamic routing with this.
! CONFIG SAMPLE
! CONFTYPE: IPv4 compatible tunnel
interface tunnel 0
tunnel source Ethernet 0  ! or IPv4 address
tunnel mode ipv6ip auto-tunnel
!

6to4

  • Automatic 6to4 allows pockets of IPv6 to be connected. The tunnel is point-to-multipoint; the IPv4 network is treated as an NBMA link.
  • Uses IPv4 protocol type 41 (also used for ISATAP and manual IPv6IP tunnels). You can only have one 6to4 and one IPv4-compatible tunnel on a router, and they’d best have different source interfaces (so the router can tell inbound traffic apart, as both use IP protocol 41).
  • Relay routers can connect 6to4 networks to native IPv6 networks.
  • Format of address: 2002:border-router-ipv4::/48.
  • Note: there is no link-local addressing, so IGP routing protocols won’t work. Use static or BGP.
! CONFIG SAMPLE
! CONFTYPE: 6to4 Tunnel
interface Tunnel0
description IPv6 uplink
no ip address
ipv6 address 2002:c0a8:6301::1/64   ! could even be /128
tunnel source Ethernet 0
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 tunnel 0
!

ISATAP

  • http://en.wikipedia.org/wiki/ISATAP
  • Intra-Site Automatic Tunnel Addressing Protocol. ISATAP is intended for intrasite IPv6 tunneling. ISATAP uses IPv4 as a virtual NBMA link: it regards the IPv4 network as a single link for link-local communications. It does not require IPmc the way 6over4 does. Instead, it does neighbor discovery over IPv4. (Note the addresses contain a router IPv4 address in them.)
  • ISATAP hosts must have a potential routers list, or use DNS (isatap.corp.com). This is used to obtain the prefixes on the ISATAP link and to find the routers, since router discovery won’t work on a unicast-only network.
  • ISATAP addresses use a global or link-local 64-bit prefix followed by 0000:5EFE, making it a /96, then the IPv4 address in the last 32 bits.
  • Generally you should block IP protocol 41 (IPv6-in-IPv4 tunneling, including ISATAP) at the firewall.
! CONFIG SAMPLE
! CONFTYPE: ISATAP on head end router
ipv6 unicast-routing
interface tunnel 1
tunnel source ethernet 0
tunnel mode ipv6ip isatap
ipv6 address 2001:DB8::/64 eui-64 ! could do autoconfig on client
no ipv6 nd ra suppress   ! RA disabled by default on the tunnel
!

6over4 Tunnel

  • Not implemented by Cisco. Scaling issues. RFC 2529.
  • 6over4 tunnels use IPv4 virtual link-layer addresses. The link-local addresses are FE80::<IPv4 address>.
  • 6over4 requires IPv4 multicast support.
  • IP protocol type 41 (ISATAP, 6over4).
  • Multicast is used for Neighbor Discovery. An IPv6 multicast packet gets encapsulated in an IPv4 multicast packet with destination 239.192.x.y, where x and y are the last two bytes of the IPv6 multicast address.
  • The source interface IP and destination IP (from last 4 bytes of IPv6 address) then are used to tunnel the IPv6 traffic.
  • ISATAP has the advantage of not relying on IPmc the way 6over4 does.

Teredo

Not configurable on Cisco routers, included here for completeness of review.

  • http://en.wikipedia.org/wiki/Teredo_tunneling
  • Teredo is encapsulated IPv6 in IPv4 UDP. Teredo server listens on IPv4 UDP 3544.
  • Teredo diagnoses the type of NAT present. Symmetric NAT is not supported.
  • The Teredo prefix is normally 2001::/32, followed by the IPv4 address of the Teredo server used.
  • Teredo relays terminate that and pass traffic on as native IPv6.
  • Teredo servers are stateless and do not forward traffic; they support the initial tunnel configuration.
  • Intended as temporary last resort.
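To make the address formats from the IPv4-compatible, 6to4, ISATAP, 6over4 and Teredo sections concrete, here is an added Python example (not from the original post) that builds those addresses from an IPv4 address and recognises them again, as a detection or audit aid. The addresses used are constructed for illustration; only the standard library `ipaddress` module is assumed.

```python
import ipaddress

# Added example, not from the original post: derive and recognise the
# embedded-IPv4 address forms used by the tunnel types reviewed above.
# All addresses used here are constructed for illustration.

def ipv4_hextets(v4):
    """'192.168.99.1' -> 'c0a8:6301' (IPv4 address written as two hextets)."""
    p = ipaddress.IPv4Address(v4).packed
    return f"{p[0]:02x}{p[1]:02x}:{p[2]:02x}{p[3]:02x}"

def sixto4_prefix(border_router_v4):
    """6to4 site prefix: 2002:<border router IPv4>::/48."""
    return ipaddress.IPv6Network(f"2002:{ipv4_hextets(border_router_v4)}::/48")

def isatap_address(prefix64, v4):
    """ISATAP: 64-bit prefix, then 0000:5EFE, then the IPv4 address in the last 32 bits."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def sixover4_multicast(v6_mcast):
    """6over4 maps an IPv6 multicast group to 239.192.x.y (last two bytes of the group)."""
    a = ipaddress.IPv6Address(v6_mcast)
    if not a.is_multicast:
        raise ValueError("not an IPv6 multicast address")
    return ipaddress.IPv4Address(f"239.192.{a.packed[14]}.{a.packed[15]}")

def classify(addr):
    """Return (tunnel type, embedded IPv4) for an IPv6 address, or ('other', None).
    Order matters: a 2002::/16 address is 6to4 even if its interface ID looks like ISATAP."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a.sixtofour is not None:                  # 2002:<IPv4>::/48
        return ("6to4", str(a.sixtofour))
    if a.teredo is not None:                     # 2001::/32, server IPv4 in bits 32-63
        return ("Teredo", str(a.teredo[0]))
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:     # ...:0000:5efe:<IPv4>
        return ("ISATAP", str(ipaddress.IPv4Address(n & 0xFFFFFFFF)))
    if n >> 32 == 0 and n > 1:                   # 96 zero bits, then IPv4 (::<IPv4>)
        return ("IPv4-compatible", str(ipaddress.IPv4Address(n & 0xFFFFFFFF)))
    return ("other", None)
```

Feeding the 6to4 sample address from the config above (2002:c0a8:6301::1) into `classify` recovers the border router address 192.168.99.1, which is the same derivation `sixto4_prefix` performs in the other direction.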

Related Links

Prior blogs in this CCIE R&S Prep series:

My prior blogs / articles on IPv6:

Life Log

My consulting workload has picked up, so I’ll be blogging as much as I can around work necessities. I enjoyed the quick trip and final presentation in Boston (you know who you are!) this past Monday, a tightly focused trip. I’m glad Spring has come to the Washington/Annapolis/Baltimore area, making the commute more pleasant. For a while there, it seemed like Winter just wouldn’t end!

Disclosure

The vendors for NFD 5 paid for my travel expenses and perhaps small items, so I wish to disclose that in my blogs now. The vendors in question are: Cisco, Brocade, Juniper, Plexxi, Ruckus, and SolarWinds. I’d like to think that my blogs aren’t influenced by that. Yes, the time spent in presentations and discussion gets me and the other attendees looking at and thinking about the various vendors’ products, marketing spin, and their points of view. I intend to try to remain as objective as possible in my blogs. I’ll concede that cool technology gets my attention!

Stay tuned!

Twitter: @pjwelcher

Peter Welcher

Architect, Operations Technical Advisor

A principal consultant with broad knowledge and experience in high-end routing and network design, as well as data centers, Pete has provided design advice and done assessments of a wide variety of networks. CCIE #1773, CCDP, CCSI (#94014)
