
How to enable IPV6 on a Cisco Router connected to Swisscom (Bluewin)

Contributor
1 of 2

How to enable IPV6 on a Cisco connected to Swisscom (Bluewin)

 

 

N.B.  :D is << : D >> (without space and <<>>)

 

http://pastebin.com/raw.php?i=cMfeXMR5

 

 

!
ipv6 unicast-routing
ipv6 cef
!
ipv6 general-prefix 6RD-SWISSCOM 6rd Tunnel6
!
interface Ethernet0
ipv6 enable
!
interface Tunnel6
description Swisscom 6RD Tunnel to Local LAN
no ip address
no ip redirects
ipv6 enable
ipv6 mtu 1480
tunnel source Ethernet0
tunnel mode ipv6ip 6rd
tunnel 6rd ipv4 prefix-len 0
tunnel 6rd prefix 2A02:1200::/28
tunnel 6rd br 193.5.29.1
!
ipv6 route ::/0 Tunnel6 2A02:120C:1051:D010::
!
interface Vlan1
ipv6 enable
ipv6 address 6RD-SWISSCOM ::1:0:0:0:1/64
ipv6 nd autoconfig prefix
!
! and for all VLANs…
!
interface Vlan13
ipv6 enable
ipv6 address 6RD-SWISSCOM ::D:0:0:0:1/64
ipv6 nd autoconfig prefix
!
interface Vlan16
ipv6 enable
ipv6 address 6RD-SWISSCOM ::F:0:0:0:1/64
ipv6 nd autoconfig prefix
!

 

Swisscom uses /28 for 6rd, using the full 32 bits of the IPv4 address. Every subscriber gets a /60, i.e. 16x /64-subnets (0..F)

 

Sample dynamic IPv6 assignment:
2A02:1205:C684:D320::/60 = 2a02:1205:c684:D320:0000:0000:0000:0000/60
2a02:1205:c684:D320/60 => 2a02:1205:c684:D320/64 .. 2a02:1205:c684:D32F/64
2a02:1205:c684:D32x:0000:0000:0000:0000/60 here x can be any value from 0 to F

 

To configure a 6rd-capable router, you need to know the following elements:

  • The IPv4 address of the 6rd Border Relay: 6rd.swisscom.com (currently 193.5.29.1)
  • The 6rd IPv6 prefix: 2a02:1200::/28
  • The IPv4 mask length: 0 (default)
  • Set MTU manually to 1480 Bytes
  • The Gateway (Next-Hop) is 2A02:120C:1051:D010::

N.B. ::193.5.29.1, ::193.5.122.254, 2A02:120A:4809:B170:: are not working as gateway

 

V6 Prefix: 2A02:1200::/28
Border Relay address: 193.5.29.1
V4 Prefix, Length: 0
V4 Suffix, Length: 0
Next-Hop: 2A02:120C:1051:D010::

 

6rd Border Relay: 6rd.ip-plus.net
[OLD] … => 2013-04-08 : 193.5.122.254
[NEW] 2013-04-09 => … : 193.5.29.1

 

baco-router#show ipv6 neighbors | inc 193.5.29.1
2A02:120C:1051:D010:: 20 193.5.29.1 REACH Tu6

 

DNS Servers:
DNS Swisscom 2001:918:0:1d::2
OpenDNS servers 2620:0:ccc::2 and 2620:0:ccd::2
The Swisscom / Bluewin DNS servers are:
195.186.1.162 (cns7.bluewin.ch) and 195.186.4.162 (cns8.bluewin.ch)

 

VLANs:
VLAN 1
2a02:1205:c684:D321:0000:0000:0000:0001/64
2a02:1205:c684:D321::1/64
ipv6 address 6RD-SWISSCOM ::1:0:0:0:1/64

VLAN 13
2a02:1205:c684:D32d:0000:0000:0000:0001/64
2a02:1205:c684:D32d::1/64
ipv6 address 6RD-SWISSCOM ::D:0:0:0:1/64

VLAN 16
2a02:1205:c684:D32f:0000:0000:0000:0001/64
2a02:1205:c684:D32f::1/64
ipv6 address 6RD-SWISSCOM ::F:0:0:0:1/64

 

N.B. if you have VLAN id higher than 16
you can simply assign one after the other
::0:0:0:0:1/64 to ::F:0:0:0:1/64
one for each VLAN up to 16
=> read 4.9 Using VLAN Numbers in IPv6_addressing_plan4.pdf

 

TEST

http://test-ipv6.com/
http://ip6.me/
http://ipv6-test.com/

ping6 2a00:1450:400a:805::1011 # ipv6.google.com
telnet 2a02:898:17:8000::42 # towel.blinkenlights.nl

 

TROUBLESHOOT
show ipv6 general-prefix
show tunnel 6rd
show ipv6 route
show ipv6 interface

 

FIREWALL

 

It's vital to have a firewall (ZBF) in place in front of your computers when you enable IPv6; otherwise they will not be "protected" like when they are in IPv4 behind a NAT (of course, malware in Java, Flash, in e-mails, NSA/FBI/etc. trojans can infect your computer in any case).

 

You can test which ports are open on your IPv6 IP:

http://ipv6.chappell-family.com/ipv6tcptest/

 

You also need to be aware that some websites (or agencies) will be able to track you using your MAC address because it's part of your IPv6 IP (EUI-64) unless you enable the PrivacyAddress in the OS:

https://wikispaces.psu.edu/display/ipv6/General+IPv6+Notes#GeneralIPv6Notes-Enabling/DisablingPrivac...

 

ZBF with IPV6 6RD (protocol 41)

%FW-6-PASS_PKT: (target:class)-(SELF_TO_OUTSIDE:CLM_SELF_TO_OUTSIDE_IPV6) Passing Unknown-l4 pkt 92.104.77.50:0 => 193.5.29.1:0 with ip ident 0

 

!
interface Ethernet0
zone-member security OUTSIDE
!
interface Tunnel6
zone-member security OUTSIDE
!
interface Vlan1
zone-member security INSIDE
!
interface Vlan13
zone-member security INSIDE
!
ip access-list extended ACL_IPV6
permit 41 any any
!
class-map type inspect match-all CLM_SELF_TO_OUTSIDE_IPV6
match access-group name ACL_IPV6
!
class-map type inspect match-all CLM_OUTSIDE_TO_SELF_IPV6
match access-group name ACL_IPV6
!
policy-map type inspect POM_SELF_TO_OUTSIDE
class type inspect CLM_SELF_TO_OUTSIDE_IPV6
pass
class class-default
pass log
!
policy-map type inspect POM_OUTSIDE_TO_SELF
class type inspect CLM_OUTSIDE_TO_SELF_IPV6
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POM_INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect POM_OUTSIDE_TO_INSIDE
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect POM_SELF_TO_OUTSIDE
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect POM_OUTSIDE_TO_SELF
!

REFERENCES
http://www.apnic.net/__data/assets/pdf_file/0005/53735/IPv6_addressing_plan4.pdf
http://phaq.phunsites.net/2012/04/10/swisscom-ftth-6rd-mit-cisco-892f-nutzen/
http://forum.pfsense.org/index.php/topic,45102.0.html
http://www.blinkenlights.ch/ccms/linux/bluewin-6rd.html
http://network-chef.blogspot.ch/2013/04/understanding-zone-based-firewalls.html
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
http://stor.balios.net/Live2011/ITMCCS-2943.pdf

http://www.swissipv6council.ch/sites/default/files/docs/residential_ipv6_at_swisscom_--_memberanlass...

http://www.swissipv6council.ch/sites/default/files/images/ipv6_roadmap_swisscom.pdf

http://www.swissipv6council.ch/sites/default/files/images/ipv6-residential-swisscom.pdf

http://supportcommunity.swisscom.ch/t5/Diskussionen-zu-Swisscom/IPv6-f%C3%BCr-Fritz-Box/m-p/87711#M1...

http://supportcommunity.swisscom.ch/t5/Diskussionen-zu-Swisscom/Swisscom-Centro-Grande-IPv6-Prefix-6...

http://supportcommunity.swisscom.ch/t5/Swisscom-Services-Products/IPv6/td-p/4369

http://supportcommunity.swisscom.ch/t5/Discussions-sur-l-internet-de/Configuration-Cisco-887VA/td-p/...

http://www.dslreports.com/forum/r14778245-IPv6-tracking-your-every-move-

http://www.tuxone.ch/search?q=ipv6
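
Added example (not part of the original post): the 6rd address arithmetic (RFC 5969) behind the values above, in Python, using only the 6rd prefix, Border Relay and WAN IPv4 address that appear in the post; the function names are this example's own. It derives the /60, the per-VLAN router addresses and the next-hop, and reads the WAN IPv4 address back out of a LAN address, which is why every IPv6 address in the delegated prefix identifies the subscriber's public IPv4 address.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_mask_len=0):
    """6rd delegated prefix: the 6rd prefix followed by the IPv4 bits that
    remain after dropping the first ipv4_mask_len bits."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    v4_part = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("delegated prefix longer than /64 leaves no LAN subnet")
    base = int(net.network_address) | (v4_part << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def router_address(delegated, subnet_id, host=1):
    """Result of `ipv6 address <general-prefix> ::<subnet_id>:0:0:0:<host>/64`."""
    subnets = list(delegated.subnets(new_prefix=64))
    if not 0 <= subnet_id < len(subnets):
        raise ValueError(f"subnet id must be 0..{len(subnets) - 1:X}")
    return ipaddress.IPv6Interface(
        (int(subnets[subnet_id].network_address) + host, 64))

def embedded_ipv4(ipv6_addr, sixrd_prefix, ipv4_mask_len=0):
    """IPv4 bits carried by a 6rd address (the full address when the mask
    length is 0, as here); None if the address is outside the 6rd prefix."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        return None
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    return ipaddress.IPv4Address((int(addr) >> shift) & ((1 << v4_bits) - 1))

SIXRD_PREFIX = "2a02:1200::/28"  # 6rd prefix from the post
WAN_IPV4 = "92.104.77.50"        # source address in the post's %FW-6-PASS_PKT line
BORDER_RELAY = "193.5.29.1"      # Border Relay from the post

if __name__ == "__main__":
    lan = sixrd_delegated_prefix(SIXRD_PREFIX, WAN_IPV4)
    print("delegated prefix:", lan)
    for vlan, sid in (("Vlan1", 0x1), ("Vlan13", 0xD), ("Vlan16", 0xF)):
        print(vlan, router_address(lan, sid))
    br = sixrd_delegated_prefix(SIXRD_PREFIX, BORDER_RELAY)
    print("next-hop:", br.network_address)
    print("IPv4 in Vlan13 address:",
          embedded_ipv4(str(router_address(lan, 0xD).ip), SIXRD_PREFIX))
```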

 

 

1 Comment
Expert
2 of 2

Thanks a lot.