Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

HowTo get LAN hosts to obtain assigned /48 prefix and use IPv6 Enabled Router

Started by moc, October 08, 2008, 06:15:28 PM


moc

Hello.  I am new to the IPv6 world.  So far my experience has been good.  Here is my set up:

Cisco 2811 Router is up and online with a tunnel from HE.  I can ping out to IPv6 addresses, and using IPv6 ping tools my router can get pinged.  Thanks to the directions on this site.

What I am now stuck on is how to move forward.  Coming from the IPv4 world, my thought process is to have a DHCP server (preferably the same 2811) hand out my /48 prefix.  I associate this /48 with "private" IPv4 address space like 192.168... or 10.10... I made this assumption based on the text "This allows your endpoint device to operate as the router for this netblock and allows you to utilize DHCPv6 or RADVD to hand out IP's from this allocation to multiple internal networks." which is displayed on my tunnel summary page.  My assumption is that once the router is handing out IPv6 addresses to my hosts internally I can also pass routing info such as default gateway, DNS, etc. just like DHCP for IPv4.  Are these correct assumptions?  In summary, here are my specific questions:

1) Can a Cisco 2811 act as a DHCPv6 server for my local LAN?
2) If so, what are the commands to set that up?
3) Once DHCPv6 is set up, how do I tell it to hand out the /48 prefix given to me by HE, along with other options to ensure IPv6 traffic is routed out the 2811?

PS: I will be more than happy to post router config info, I just don't know exactly what would be relevant.  Thanks for the help in advance.

moc

UPDATE:
I found this on the Internet:  http://arstechnica.com/articles/paedia/IPv6.ars/2

In summary they are saying DHCP for IPv6 is not necessary.  Is this article accurate in its concepts?  If so, my previous questions would be altered to:
How do I get my router to "advertise" the /48 prefix to my internal hosts?  Then how can I ensure that my hosts utilize that prefix when generating their own address?  And how can I ensure that they will know how to route IPv6 out through the router?

thanks

broquea

You'll actually want to break it out into /64 allocations per interface/lan and use router advertisements to let hosts autoconfigure themselves.

As for the config, I think if the appliance supports IPv6 out of the box then it's a matter of enabling IPv6 on the interface. For example on a VXR we have (sanitized):

interface GigabitEthernet0/1
ip address xxx.xxx.xxx.xxx 255.255.255.252
speed auto
duplex auto
negotiation auto
ipv6 address 2001:470:X:X::1/64
ipv6 enable
ipv6 nd suppress-ra


"ipv6 enable" allows the port to actively use IPv6.
"ipv6 nd suppress-ra" we use to disable router advertising, because it is on by default (and the particular set of machines behind that link don't want autoconfigured addresses).

moc

OK. I think I am close.


show ipv6 interface tunnel 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::472B:CF34
  Description: HE IPv6 Tunnel Broker
  Global unicast address(es):
    2001:470:4:138::2, subnet is 2001:470:4:138::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF2B:CF34
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.


show ipv6 interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::217:59FF:FE71:5439
  Description: inside
  Global unicast address(es):
    2001:470:D847::1, subnet is 2001:470:D847::/48
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF71:5439
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.


I also turned on IPv6 debugging and tcpdump.  I have a Mac and a Linux box on my LAN.  They both configured themselves without me doing a thing.  I can ping the IPv6 address of FastEthernet0/1 from these hosts, but they cannot go any further.  When I try to ping a public IPv6 address I get:

Oct  9 02:54:03.035: IPV6: source FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 02:54:03.035:       dest 2001:DC0:1:0:4777::140 (Tunnel0)
Oct  9 02:54:03.035:       traffic class 0, flow 0x0, len 103+14, prot 17, hops 64, invalid source address


My hunch is that I have to configure the internal hosts with the address space assigned to me from HE.

Tunnel [ 1 / 4 ]                          Routed /64             Routed /48
moc-1.tunnel.tserv12.mia1.ipv6.he.net     2001:470:5:138::/64    2001:470:d847::/48


The question now is how to do so.

moc

More info:
Ok I am trying to get the concepts down.
I did a traceroute from the router:

Tracing the route to www.kame.net (2001:200:0:8002:203:47FF:FEA5:3085)
  1 moc-1.tunnel.tserv12.mia1.ipv6.he.net (2001:470:4:138::1) 104 msec 80 msec 76 msec
  2 gige-g2-3.core1.mia1.he.net (2001:470:0:8C::1) 76 msec 84 msec 80 msec
  3 10gigabitethernet5-4.core1.ash1.he.net (2001:470:0:4B::1) 112 msec 104 msec 104 msec
...
Oct  9 03:18:09.123: IPv6: SAS picked source 2001:470:4:138::2 for 2001:200:0:8002:203:47FF:FEA5:3085 (Tunnel0)
Oct  9 03:18:09.123: IPV6: source 2001:470:4:138::2 (local)
Oct  9 03:18:09.123:       dest 2001:200:0:8002:203:47FF:FEA5:3085 (Tunnel0)
Oct  9 03:18:09.123:       traffic class 0, flow 0x0, len 48+0, prot 17, hops 1, originating
Oct  9 03:18:09.123: IPv6: Sending on Tunnel0

The trace is successful and, the way I read the debug, the router knows to use its "public" IPv6 address and send it out the tunnel.  Works great.
Here is the same thing from my linux host on the LAN side of that router:

traceroute 2001:200:0:8002:203:47ff:fea5:3085
traceroute to 2001:200:0:8002:203:47ff:fea5:3085 (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1  fe80::217:59ff:fe71:5439%eth1 (fe80::217:59ff:fe71:5439%eth1)  1.881 ms  2.951 ms  4.211 ms
2  * * *
DEBUG FROM ROUTER:
Oct  9 03:16:45.852: IPV6: source FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 03:16:45.852:       dest 2001:200:0:8002:203:47FF:FEA5:3085 (Tunnel0)
Oct  9 03:16:45.852:       traffic class 0, flow 0x0, len 88+14, prot 17, hops 1, bad hop count
Oct  9 03:16:45.852: IPv6: SAS picked source FE80::217:59FF:FE71:5439 for FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 03:16:45.852: IPV6: source FE80::217:59FF:FE71:5439 (local)
Oct  9 03:16:45.852:       dest FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 03:16:45.852:       traffic class 0, flow 0x0, len 136+0, prot 58, hops 64, originating
Oct  9 03:16:45.852: IPv6: Sending on FastEthernet0/1
Oct  9 03:16:45.856: IPV6: source FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 03:16:45.856:       dest 2001:200:0:8002:203:47FF:FEA5:3085 (Tunnel0)
Oct  9 03:16:45.856:       traffic class 0, flow 0x0, len 88+14, prot 17, hops 2, invalid source address


The way I am reading this, the Linux host "knows" that the IPv6 route is out through the FastEth0/1 interface of the router.  But the router is using the FastE IPv6 address instead of the one on the tunnel when forwarding the packets.  This to me seems similar to a NAT problem.  Am I on track?  If I were able to add a NAT statement to translate the IPv6 address on the FastE0/1 interface to the IPv6 address on the Tunnel0 interface, would that work?

broquea

Your linux box shouldn't be showing link-local addresses in a trace (fe80). The next hop with that configuration should be 2001:470:D847::1. Check your routing table, and also depending on the linux distro, you might not have a happy default route. I literally installed a CentOS 5.2 machine 4 hours ago, and even after updating the kernel, still had to use "ip route add 2000::/3 via 2001:470:X:X::1" for it to have a working default route. Although I don't use/rely on RA and instead statically configure.

I'd also say cut that /48 down into a /64, since RA from the router is supposed to provide the first 64 bits and then the host uses its MAC (plus ff:fe) to configure the remaining 64 bits. The /48 feels wrong, especially since I only ever assign /64s or in the past /127s on interfaces, never a /48.

I'd say assign fe0/1 this: 2001:470:D847:0::1/64   just to see if it improves or makes any difference on the hosts.

moc

I am not exactly sure what you are saying, but here is what I did:
1) First the initial config was set up as instructed by HE:



2) I changed the fe0/1 (local LAN interface) ipv6 to 2001:470:D847:0::1/64 as suggested

show ipv6 interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::217:59FF:FE71:5439
  Description: inside
  Global unicast address(es):
    2001:470:D847::1, subnet is 2001:470:D847::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF71:5439
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.


The Linux box adjusted its address and it appears to understand the default route:

ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:01:6c:33:e2:6d 
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:470:d847:0:201:6cff:fe33:e26d/64 Scope:Global
          inet6 addr: fe80::201:6cff:fe33:e26d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139979019 errors:784 dropped:2698 overruns:249 frame:0
          TX packets:165672763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29889199306 (27.8 GiB)  TX bytes:156847410689 (146.0 GiB)
          Interrupt:18 Base address:0x2000

traceroute 2001:200:0:8002:203:47ff:fea5:3085
traceroute to 2001:200:0:8002:203:47ff:fea5:3085 (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1  2001:470:d847::1 (2001:470:d847::1)  2.029 ms  3.106 ms  4.313 ms
2  * * *
3  * * *


The router now shows forwarding in its debug:

Oct  9 14:04:35.620: IPV6: source 2001:470:D847:0:201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 14:04:35.624:       dest 2001:200:0:8002:203:47FF:FEA5:3085 (Tunnel0)
Oct  9 14:04:35.624:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 63, forwarding
Oct  9 14:04:36.620: IPV6: source FE80::201:6CFF:FE33:E26D (FastEthernet0/1)
Oct  9 14:04:36.624:       dest FE80::217:59FF:FE71:5439
Oct  9 14:04:36.624:       traffic class 0, flow 0x0, len 72+14, prot 58, hops 255, forward to ulp


So it appears that the packets are now being forwarded; however, I am not getting the response.
What is the next step?

broquea

Next step was me reviewing the tunnel's config on the tunnel-server and seeing the /48 static route missing. I pushed out the config to the tunnel-server and it properly set the route now.

Also I can reach your linux machine now :)

[broquea@www ~]$ traceroute6 2001:470:d847:0:201:6cff:fe33:e26d
traceroute to 2001:470:d847:0:201:6cff:fe33:e26d (2001:470:d847:0:201:6cff:fe33:e26d), 30 hops max, 40 byte packets
1  master.deus-exmachina.net (2001:470:1:9::a)  0.028 ms  0.011 ms  0.011 ms
2  10gigabitethernet1-2.core1.pao1.he.net (2001:470:0:30::2)  5.767 ms  5.827 ms  5.871 ms
3  10gigabitethernet2-4.core1.ash1.he.net (2001:470:0:35::2)  75.521 ms  75.584 ms  75.635 ms
4  10gigabitethernet1-1.core1.mia1.he.net (2001:470:0:4b::2)  103.323 ms  103.383 ms  103.442 ms
5  2001:470:0:8c::2 (2001:470:0:8c::2)  103.384 ms  103.429 ms  103.502 ms
6  moc-1-pt.tunnel.tserv12.mia1.ipv6.he.net (2001:470:4:138::2)  179.946 ms  182.374 ms  182.359 ms
7  2001:470:d847:0:201:6cff:fe33:e26d (2001:470:d847:0:201:6cff:fe33:e26d)  185.968 ms  185.225 ms  185.192 ms


Looks like I need to fix the missing rDNS for the link between the core router and the tunnel server, but you should be good now.

moc

Awesome!
So now for me I would assume that I can just work on the router to set up things like ACLs etc.  Obviously I don't want an IPv6 back door to hosts on my private LAN.
In essence though, I should now be able to set IPv6 addresses in DNS somewhere and it would work?  I know I need to read up now, but is managing it essentially the same as IPv4?  Are ports the same on IPv6?  Could I set rules in the router to say only allow port 80 to that Linux host you pinged?

Thanks again for all your help.   ;D Feels cool to be on the ipv6 Web.

broquea

Yes, ports will be the same. Forward DNS can go wherever you already control it. In the tunnelbroker.net interface you'll want to delegate rDNS to 1-3 nameservers of your choice that will maintain reverse zones for your /64 and /48. AAAA for forward entries, and the same old PTR for reverse.

Also, if you have another FastE interface and a second LAN, you can now use something like 2001:470:d847:1::/64 on it, etc. for other interfaces. And you still have the default /64 allocation as well.
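As an added example, not a configuration posted in this thread or supplied by HE, here is what the 2811 side could look like once the /48 is carved into one /64 per LAN (the second-LAN suggestion just above) and an inbound filter is placed on the tunnel to answer the "only allow port 80 to that Linux host" question. It reuses the prefixes and the Linux host's address shown earlier in the thread; the second LAN interface name, the VLAN number and the ACL name are assumptions, and the tunnel source/destination lines from HE's setup instructions are assumed to already be in place and are not repeated here.

```cisco
! Added example, not from the thread. Assumes the Tunnel0 source/destination
! from HE's instructions are already configured.
ipv6 unicast-routing
!
! One /64 per LAN, carved out of the routed 2001:470:D847::/48.
! With unicast-routing on, IOS sends RAs on these by default, so hosts SLAAC.
interface FastEthernet0/1
 description inside
 ipv6 address 2001:470:D847:0::1/64
!
! Hypothetical second LAN on a dot1Q subinterface (name and VLAN are assumptions).
interface FastEthernet0/0.10
 description inside-2
 encapsulation dot1Q 10
 ipv6 address 2001:470:D847:1::1/64
!
! Default route out the tunnel. The /48 is reachable from the Internet only
! because HE routes it to the tunnel endpoint (the static route that was missing).
ipv6 route ::/0 Tunnel0
!
! Inbound filter from the Internet. Every LAN host now carries a global
! address, so without this they are all directly reachable from outside.
ipv6 access-list FROM-INET
 remark IOS drops its implicit ND permits once an explicit deny is present, so list them
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark PMTUD must keep working: Tunnel0 MTU is 1480, so packet-too-big has to get in
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any unreachable
 permit icmp any any echo-request
 remark the one published service: HTTP to the Linux box (its SLAAC address from the thread)
 permit tcp any host 2001:470:D847:0:201:6CFF:FE33:E26D eq 80
 remark replies to connections opened from inside; matches ACK/RST only, not stateful
 permit tcp any 2001:470:D847::/48 established
 deny ipv6 any any log
!
interface Tunnel0
 ipv6 traffic-filter FROM-INET in
```

Two caveats worth keeping in mind. An inbound ACL on Tunnel0 also filters traffic addressed to the router itself, so management protocols from the Internet are dropped along with everything else unless you add a line for them; that is usually what you want. And the `established` entry is a bit-test on ACK/RST, not connection tracking, so a host firewall on the Linux box is still appropriate. Since the permitted host address is the EUI-64 one derived from the NIC's MAC, replacing the NIC changes the address and silently breaks the rule; giving the server a static address and writing the ACL against that avoids the surprise.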