• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Cisco 877W with Mac OS X client

Started by bundu, August 12, 2008, 06:38:37 AM

Previous topic - Next topic

bundu

Hi everyone,

I setup my Cisco 877W as the tunnel end. Tunnel succesfully established and I am able to ping IPv6 addresses from my router.

Question1: There is a quite busy pinging going on, is this the normal behavior ?

logging output sample (approx. 900 icmp packets in 10 minutes, logging is full of these entries):

Aug 12 15:48:56.612 TR: %IPV6-6-ACCESSLOGDP: list IPV6FILTER/10 permitted icmpv6 2001:X:X:X::1 -> 2001:X:X:X::2 (135/0), 299 packets
Aug 12 15:53:56.528 TR: %IPV6-6-ACCESSLOGDP: list IPV6FILTER/10 permitted icmpv6 2001:X:X:X::1 -> 2001:X:X:X::2 (135/0), 300 packets
Aug 12 15:58:56.443 TR: %IPV6-6-ACCESSLOGDP: list IPV6FILTER/10 permitted icmpv6 2001:X:X:X::1 -> 2001:X:X:X::2 (135/0), 299 packets

debug output sample:

Aug 12 15:40:53.372 TR: ICMPv6: Received ICMPv6 packet from 2001:X:X:X::1, type 135
Aug 12 15:40:53.372 TR: ICMPv6-ND: Received NS for 2001:X:X:X::2 on Tunnel0 from 2001:X:X:X::1
Aug 12 15:40:53.372 TR: ICMPv6-ND: Sending NA for 2001:X:X:X::2 on Tunnel0
Aug 12 15:40:54.368 TR: ICMPv6: Received ICMPv6 packet from 2001:X:X:X::1, type 135
Aug 12 15:40:54.368 TR: ICMPv6-ND: Received NS for 2001:X:X:X::2 on Tunnel0 from 2001:X:X:X::1
Aug 12 15:40:54.368 TR: ICMPv6-ND: Sending NA for 2001:X:X:X::2 on Tunnel0





Then I tried to connect my Mac ibook G4 (Tiger 10.4.11) via ethernet to the router, but no successful pinging.  :(
I really like to see kame turtle dancing :)

Question2: Can anyone please point out what I am doing wrong ?

My router config (relating to IPv6):
...
ipv6 unicast-routing
ipv6 cef
...
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:X:X:X::2/64
ipv6 enable
ipv6 traffic-filter IPV6FILTER in
tunnel source Dialer0
tunnel destination 216.66.80.30
tunnel mode ipv6ip
...
interface Vlan1 
[cisco 877 has 4 switchports but you cannot assign IPs to them, they work in bridged mode, so I had to assign IPv6 address to Vlan 1 interface]
no ip address
ip tcp adjust-mss 1452
ipv6 address 2001:Y:Y:7777::/64 eui-64 [2001:Y:Y:: is my routed/48 assigned by Hurricane Electric]
ipv6 enable
ipv6 nd prefix 2001:Y:Y:7777::/64  [This command doesn't seem to make difference, clients still see the router's prefix without it]
bridge-group 1
bridge-group 1 spanning-disabled
...
ipv6 route ::/0 Tunnel0
...
line vty 0 4
ipv6 access-class IPV6VTY in
...
ipv6 access-list IPV6FILTER
permit icmp any any log
deny ipv6 any any log
...
ipv6 access-list IPV6VTY
remark Drop IPv6 traffic to VTY ports
deny ipv6 any any log


show ipv6 interface brief output:

R877W#sh ipv6 int br
FastEthernet0              [up/up]
FastEthernet1              [up/up]
FastEthernet2              [up/down]
FastEthernet3              [up/up]
Dot11Radio0                [up/up]
Dot11Radio0.1              [up/up]
ATM0                       [up/up]
ATM0.1                     [up/up]
Vlan1                      [up/up]
    FE80::21F:CAFF:FEA0:93B0
    2001:Y:Y:7777:21F:CAFF:FEA0:93B0
Tunnel0                    [up/up]
    FE80::21F:CAFF:FEA0:93B0
    2001:X:X:X::2
Dialer0                    [up/up]
Virtual-Template2          [down/down]
NVI0                       [up/up]
BVI1                       [up/up]
    unassigned
Virtual-Access1            [down/down]
Virtual-Access2            [up/up]

show ipv6 route output:

R877W#sh ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via ::, Tunnel0
C   2001:X:X:X::/64 [0/0]
     via ::, Tunnel0
L   2001:X:X:X::2/128 [0/0]
     via ::, Tunnel0
C   2001:Y:Y:7777::/64 [0/0]
     via ::, Vlan1
L   2001:Y:Y:7777:21F:CAFF:FEA0:93B0/128 [0/0]
     via ::, Vlan1
L   FF00::/8 [0/0]
     via ::, Null0

When I try to ping6 the router from my ibook or vice versa (Later, I also tried another ibook, another XP laptop), no success. Although I was able to ping6 two ibooks with each other when I connected them via crossover cable. I get these debug output at the router when I try to ping the client:

R877W#ping ipv6 fe80::20d:93ff:feb3:e55c
Output Interface: vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::20D:93FF:FEB3:E55C, timeout is 2 seconds:
Packet sent with a source address of FE80::21F:CAFF:FEA0:93B0

Aug 11 14:22:33.794 TR: ICMPv6: Sending echo request to FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:33.794 TR: ICMPv6-ND: DELETE -> INCMP: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:33.794 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
Aug 11 14:22:34.794 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1.
Aug 11 14:22:35.793 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
Aug 11 14:22:35.793 TR: ICMPv6: Sending echo request to FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:36.793 TR: ICMPv6-ND: INCMP deleted: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:36.793 TR: ICMPv6-ND: INCMP -> DELETE: FE80::20D:93FF:FEB3:E55C.
Aug 11 14:22:37.793 TR: ICMPv6: Sending echo request to FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:37.793 TR: ICMPv6-ND: DELETE -> INCMP: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:37.793 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
Aug 11 14:22:38.792 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1.
Aug 11 14:22:39.368 TR: ICMPv6-ND: Request to send RA for FE80::21F:CAFF:FEA0:93B0
Aug 11 14:22:39.368 TR: ICMPv6-ND: Sending RA from FE80::21F:CAFF:FEA0:93B0 to FF02::1 on Vlan1
Aug 11 14:22:39.368 TR: ICMPv6-ND:     Other stateful configuration
Aug 11 14:22:39.368 TR: ICMPv6-ND:     MTU = 1500
Aug 11 14:22:39.368 TR: ICMPv6-ND:     prefix = 2001:Y:Y:7777::/64 onlink autoconfig
Aug 11 14:22:39.368 TR: ICMPv6-ND:           2592000/604800 (valid/preferred)
Aug 11 14:22:39.792 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
Aug 11 14:22:39.792 TR: ICMPv6: Sending echo request to FE80::20D:93FF:FEB3:E55C.
Aug 11 14:22:40.792 TR: ICMPv6-ND: INCMP deleted: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:40.792 TR: ICMPv6-ND: INCMP -> DELETE: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:41.792 TR: ICMPv6: Sending echo request to FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:41.792 TR: ICMPv6-ND: DELETE -> INCMP: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:41.792 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1.
Success rate is 0 percent (0/5)
R877W#
Aug 11 14:22:42.791 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
Aug 11 14:22:43.791 TR: ICMPv6-ND: Sending NS for FE80::20D:93FF:FEB3:E55C on Vlan1
R877W#
Aug 11 14:22:44.791 TR: ICMPv6-ND: INCMP deleted: FE80::20D:93FF:FEB3:E55C
Aug 11 14:22:44.791 TR: ICMPv6-ND: INCMP -> DELETE: FE80::20D:93FF:FEB3:E55C
R877W#



ibook outputs:

$ netstat -rnf inet6
Routing tables

Internet6:
Destination                                    Gateway                                   Flags      Netif Expire
default                                          2001:Y:Y:7777:21f:caff:fea0:93b0 UGSc       en0
::1                                               ::1                                           UH          lo0
2001:Y:Y:7777::/64                         link#4                                      UC          en0
2001:Y:Y:7777:20d:93ff:feb3:e55c     0:d:93:b3:e5:5c                         UHL         lo0
2001:Y:Y:7777:31d6:aaa6:fbb3:ac93  0:d:93:b3:e5:5c                         UHL         lo0
fe80::%lo0/64                                fe80::1%lo0                              Uc          lo0
fe80::1%lo0                                   link#1                                      UHL         lo0
fe80::%en0/64                               link#4                                       UC          en0
fe80::20d:93ff:feb3:e55c%en0          0:d:93:b3:e5:5c                         UHL         lo0
fe80::21f:caff:fea0:93b0%en0           0:1f:ca:a0:93:b0                       UHLW        en0
fe80::%en2/64                               link#5                                       UC          en2
ff01::/32                                        ::1                                           U           lo0
ff02::/32                                        ::1                                           UC          lo0


$ ifconfig en0 inet6
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20d:93ff:feb3:e55c%en0 prefixlen 64 scopeid 0x4
        inet6 2001:Y:Y:7777:20d:93ff:feb3:e55c prefixlen 64 autoconf
        inet6 2001:Y:Y:7777:31d6:aaa6:fbb3:ac93 prefixlen 64 autoconf temporary

[These above are the stateless autoconfig addresses, I also tried giving a static IPv6 address, it still didn't work.]

Thanks a lot for any ideas..

bundu

Regarding Question 2, the problem turned out to be the Vlan 1 being a member of a bridge group and BVI interface only routing ipv4 packets. I realized this when I detached Vlan 1 from the bridge group, pings started to work. Of course then I lost my LAN's connectivity to Internet, now I have to come up with a different config. But finally I regained my sanity.   ::)

If anyone still answers my first question I appreciate it.

bundu

For those who are interested I finally get it to work. My config relating to IPv6 on Cisco 877W is as below.
A few notes though;
1- Mac OS X Tiger's Network GUI for IPv6 auto-config seems buggy, terminal command line is better.
2- I am currently using Cisco 877W with IOS 12.4(15)T2 Advanced IP Services, ipv6 part seems to have bugs on this platform.
3- I couldn't use the native vlan1 for ipv6 (didn't work), so I connected my ibook to vlan2, you need the advipservices or better for multiple vlans on this platform, advanced security IOS won't do it.
4- Don't try to ping vlan 2's ipv6 address from your computer, it won't work (because they are not SVI's, ethernet ports bridged and they act as layer 2 switch). But it has to be there for proper prefix advertisements and routing. For local testing try pinging BVI2 instead.
5-Vlan 1 has to be up/up, that means you need to plug in some other computer to one of the vlan1 ports.

*** My ibook's ipv6 address is 2001:Y:Y:1111::2/64 and ipv4 address is 192.168.2.2/24 for the sample config.



!
ipv6 unicast-routing
!
bridge irb
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:X:X:X::2/64
ipv6 enable
tunnel source Dialer0
tunnel destination 216.66.80.30
tunnel mode ipv6ip
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
no ip address
ipv6 address 2001:Y:Y:1111::1/64
ipv6 enable
bridge-group 2
bridge-group 2 spanning-disabled
!
!
interface BVI2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ipv6 address 2001:Y:Y:2222::1/64
ipv6 enable
!
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ipv6 route 2001:Y:Y:1111::/64 Vlan2
ipv6 route ::/0 Tunnel0
!
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!



$ traceroute6 -n ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:0:1001::68) from 2001:Y:Y:1111::2, 30 hops max, 12 byte packets
1  2001:Y:Y:1111::1  2.965 ms  1.024 ms  0.955 ms
2  2001:X:X:X::1  92.164 ms  109.481 ms  92.629 ms
3  2001:470:0:69::1  96.721 ms  90.842 ms  89.653 ms
4  2001:470:0:47::1  99.213 ms  97.276 ms  98.017 ms
5  2001:7f8:1::a501:5169:1  388.967 ms !P  349.665 ms !P  349.698 ms !P
$



mindlesstux

Does this little config support ipv6 on the wireless as well?  That is my issue with my 871W.  As a hack I setup ISATAP with the router and that seems to work for wifi windows boxes but its not what I would really like to have.

rollernet

I have an 877W myself at home and I recently opened a TAC case about this whole thing. This morning, the response I received was:

QuoteThe problem is not that 877W can not route ipv6 traffic, rather,
Integrated Routing and Bridging (IRB) does not support IPV6 at all.  You
see, in order for IRB to route and bridge IPv4, you need command "bridge
1 route ip" to enable it. However, there is no such command "bridge 1
route ipv6" available.

I responded:

QuoteIf I remove the BVI configuration, won't I lose the ability to have the
Dot11Radio0 interface on the same segment as the ethernet ports? As far
as I understand it, the only way to have the Fa port and Dot11Radio0
bound together is through a bridge group.

Ideally, I would hope IRB could be expanded to support IPv6.

Failing IRB support for ipv6, I suspect the only other workaround would be to assign the VLAN and Dot11Radio0 their own IP addresses. The router would be able to route between them, but they wouldn't be part of the same segment anymore. I am awaiting a response from TAC on this point.

rollernet

The word from TAC is that it's just not supported. I did find a bug CSCej50923 from 2005 to add IPv6 IRB support, but the bug went without a fix, and there is no support for this in the roadmap for future releases. Unfortunately this means there's no way to put the ethernet ports and the wireless radio on the same network segment.

An another interesting note, I bricked my 877W with the following sequence of events:

* Assign IPv6 address to int vlan 1
* do "no bridge-group 1" on int vlan 1
* IPv6 works! no IPv4, though
* do "bridge-group 1" on int vlan 1
* ipv6 and ipv4 work! however...
* router locks up after a bit, then never boots again after a power cycle

Waiting for an RMA now. IPv6 seems to be really, really buggy and incomplete on this thing.

keeska

Quoterouter locks up after a bit, then never boots again after a power cycle
I have never seen the 877W do this due to any config.  I have seen it get into a loop whereby it boots, doesn't like the config and reloads.  I assume you set the "Do not read startup config" bit in the config register and tried booting that way.  Did Cisco give you any theories as to why the box won't boot?

Unfortunately we discovered the no ipv6 on BVI problem awhile ago and now deploy all of our IOS boxes without built-in wireless.  We then deploy an AP (non-cCsco) to provide wireless support.  The APs we use support ipv6 perfectly and the router happily routes the ipv6 traffic to/from the AP.

For a company which claims to support ipv6 not allowing wireless to use ipv6 is unacceptable.  I wonder how committed Cisco really is to ipv6.

gometric

I just went through this tonight and got it working, not pretty. :(

For those who're interested in my config: http://otoh.org/xwiki/bin/view/Blog/2009%2D02%2D06%2DIPv6

MacOS (even 10.5) seems to be a little on the flakey side and I lose IPv6 every now and again. Then again, the 877W has been more than a little flakey itself. :(

On the other hand, OpenSolaris has no problems at all with IPv6 (but doesn't have a command to list IPv6 neighbors which is a bit of a PITA).

bundu

Hey,

I upgraded to c870-advipservicesk9-mz.124-22.T.bin, and I am able to use IPv6 over wireless now!

Omer.

mindlesstux

bundu:

Are you able to do IPv6 over wireless via a bridge? or what means?

ciscouser

I can confirm...
Running:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)

Works with ipv6 and wireless autoconfiguration (both on XP SP2 and MacOS (Leopard)).

Here's my config:
interface Dot11Radio0
no ip address
no ip redirects
no ip proxy-arp
no dot11 extension aironet
!
encryption mode ciphers tkip
!
encryption vlan 5 mode ciphers tkip
!
ssid OfficeFW
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local cck 10
power local ofdm 10
power client 10
channel 2412
station-role root
no cdp enable
!
interface Dot11Radio0.5
encapsulation dot1Q 5
ip address 192.168.252.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1440
ip policy route-map clear-df
ipv6 address my_ipv6_ip::1/64
ipv6 enable
no cdp enable
end

No bridge group defined ... no ipv6 configured under the main (dot11 0) interface.

I was running 12.4.20(T2), and was running into a problem where the mac (according to tcpdump) was sending neighbor solicitation packets over the wireless, but wasn't getting anything back.  According to the router (debug ipv6 nd), it was getting the nd packets and was sending responses ... but somehow the mac wasn't seeing them - so autoconfig didn't work.  (It was working on 12.4.20T2 when I manually configured the wireless en1 interface with an valid ipv6 address ... but that's no fun).

After upgrading to 12.4.22T1, the nd packets actually made it to the mac ... also tested 12.4.22T1 on XP SP2 (didn't test it with 12.4.20T2) and the XP box is also working with stateless autoconf.

Also tested 12.4.24T, and no luck ... it didn't take the ipv6 commands under the dot11.* interfaces.

Finally, Cisco! A working ipv6 wireless stack!

ipv6.google.com, here I come.