• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Adding OS X ipv6 clients to LAN with Cisco 87x router

Started by derby, December 08, 2009, 11:51:55 AM


derby

I have a Cisco 871W router set up with a tunnel to Hurricane Electric.  I can use IOS commands on the Cisco router to reach HE and verify the tunnel is working.

Now that I have a tunnel, I'd like to have an OS X client (Snow Leopard) access ipv6.google.com and other ipv6 servers.  I'm new to this and having trouble understanding how to set up the OS X client so it will work with the Cisco router to use the tunnel.  There don't seem to be examples of the setups needed to get OS X to work.

So if someone has been successful with this type of configuration - is the setup documented somewhere that I can read?

Some questions about areas that I'm trying to learn and understand:

-  Do I have to turn off ipv4 on the Mac if I'm using ipv6?
-  HE provided the following:

2001:470:7:444::2/64 as the Client IPv6 address for the tunnel endpoint
2001:470:e068::/48  for routed /48
2001:470:8:444::/64 for routed/64

In the Mac OS X Systems Preferences "network" panel, Configure IPv6 settings should I use "Automatically" or "Manually"?

Does the CISCO have to be enabled with "ipv6 unicast-routing" for OS X "Automatically" to work?

If OS X does not support DHCPv6 how does one handle DNS on OS X?

Do I add a DNS entry for ipv6?  Should I add both the available DNS resolvers that HE provided to the OS X DNS servers?

How does "Protocol 41" fit into the picture.  Do I need to do anything to my Cisco 871 to support Protocol 41?  To OS X?

With the Cisco tunnel endpoint of 2001:470:7:444::2/64  if I am to assign a manual address to the OS X client, what IPv6 address do I assign to the OS X client?  Would it be an address in the range of 2001:470:e068::1 to 2001:470:e068::48?  is that the range available to me or is the range 2001:470:8:444::1 to 2001:470:8:444::64?   Is the correct "prefix length" 48 or 64?  How do I know which is correct?

If someone has a working OS X client configuration for HE setup I would be grateful if you could share your configuration settings with me so I could learn how this works from a working configuration rather than experimenting with all the possibilities and not getting very far.

Thanks!



cholzhauer

Quote: Do I have to turn off ipv4 on the Mac if I'm using ipv6?

Nope.  You can, but you'll probably want to run dual stack.

Quote: How does "Protocol 41" fit into the picture.  Do I need to do anything to my Cisco 871 to support Protocol 41?  To OS X?

You only need that between your router and HE.  The Mac doesn't see any proto-41 traffic.

Quote: Does the CISCO have to be enabled with "ipv6 unicast-routing" for OS X "Automatically" to work?

Possibly, but I don't know for sure. Someone else like JimB would know for sure. My Cisco ASA can do Router Advertisement... can your router?  If so, and you don't need any other special options that DHCPv6 can do, I suggest that you use that.  Just make sure you use either your routed /64 or pick a /64 out of your routed /48.

I have Macs here that work great with IPv6.  If you use RA, they'll pick up an address automatically (leave that setting you mentioned set to auto)

cholzhauer

Quote: DO I add a DNS entry for ipv6?

For name lookups or for local name lookups (i.e. you can refer to your computer as computer.domain.com)? As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6).

For external lookups, you can just give OS X the address of your local DNS server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses).

broquea

/48 and /64 do not mean how many IPs per block, they are block sizes, with a single /64 having 18 quintillion IPv6 addresses, and a /48 has 65536 /64 subnet allocations.

You'll want ipv6 unicast-routing enabled.

I think if you simply put like 2001:470:8:444::1/64 on your LAN facing interface on the cisco, that it will automatically start to use RA to get your LAN machines configured. I believe you have to explicitly set "ipv6 nd suppress-ra" or similar on that LAN facing interface to not use RA.

jimb

Quote from: broquea on December 08, 2009, 01:11:00 PM
/48 and /64 do not mean how many IPs per block, they are block sizes, with a single /64 having 18 quintillion IPv6 addresses, and a /48 has 65536 /64 subnet allocations.

you'll want ipv6 unicast-routing enabled.

I think if you simply put like 2001:470:8:444::1/64 on your LAN facing interface on the cisco, that it will automatically start to use RA to get your LAN machines configured. I believe you have to explicitly set "ipv6 nd suppress-ra" or similar on that LAN facing interface to not use RA.

LOL.  So on a Cisco, you have to explicitly tell it to route ipv6 (even though it's a router), but explicitly tell it NOT to do router advertisements on an IPv6 configured interface for it not to do it?  Please tell me it won't do RA unless you enable routing at least?  (haven't done much IPv6 on Ciscos, obviously)  :P

cholzhauer

My ASA will route IPv6 traffic automatically as long as IPv6 is enabled on the interface.  As for RA, the ASA will advertise on an interface unless you tell it not to.

broquea

Quote from: jimb on December 08, 2009, 03:13:29 PM
LOL.  So on a Cisco, you have to explicitly tell it to route ipv6 (even though it's a router), but explicitly tell it NOT to do router advertisements on an IPv6 configured interface for it not to do it?  Please tell me it won't do RA unless you enable routing at least?  (haven't done much IPv6 on Ciscos, obviously)  :P

Actually this has been the behavior on both Cisco and Brocade/Foundry, if you ipv6 enable an interface, and don't explicitly configure it to suppress RA, it will do it based on the /64 you assign an IP onto that interface. And with at least Brocade/Foundry, it will do it for all /64s configured on that interface, unless you specifically configure it only to RA 1 specific /64. Needless to say anytime I put IPv6 on an interface my first two commands are

ipv6 enable
ipv6 nd suppress-ra
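
An added example (not part of any post in this thread, and not Cisco or Hurricane Electric code): a small Python audit that reads an IOS-style configuration and reports which interfaces will send router advertisements, following the default-on behaviour described above. The sample configuration is constructed from the snippets in the thread; the script assumes `show running-config` style indentation and, per Cisco's command reference, that RAs are sent only once `ipv6 unicast-routing` is enabled and not by default on tunnel interfaces.

```python
import ipaddress

# Constructed running-config excerpt modelled on the snippets in this thread.
SAMPLE_CONFIG = """\
ipv6 unicast-routing
!
interface Tunnel0
 ipv6 address 2001:470:7:444::2/64
 ipv6 enable
 tunnel mode ipv6ip
!
interface BVI1
 ip address 10.6.18.204 255.255.255.0
 ipv6 address 2001:470:8:444::1/64
 ipv6 enable
!
interface FastEthernet1
 ipv6 enable
 ipv6 nd suppress-ra
!
"""

SUPPRESS = ("ipv6 nd suppress-ra", "ipv6 nd ra suppress")  # older / newer IOS spelling

def audit_ra(config):
    """Return {interface: (status, [advertised prefixes])} for IPv6 interfaces."""
    routing, blocks, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if raw.startswith(" ") and current:      # indented: interface sub-command
            blocks[current].append(line)
        elif line.startswith("interface "):
            current = raw.split()[1]
            blocks[current] = []
        else:                                    # "!" or a global command
            current = None
            routing = routing or line == "ipv6 unicast-routing"
    report = {}
    for name, cmds in blocks.items():
        addrs = [c.split()[2] for c in cmds if c.startswith("ipv6 address ")]
        if not addrs and "ipv6 enable" not in cmds:
            continue                             # interface has no IPv6 at all
        # Forms without a prefix length (link-local, autoconfig) add no prefix.
        prefixes = [str(ipaddress.ip_interface(a).network) for a in addrs if "/" in a]
        if any(c.startswith(SUPPRESS) for c in cmds):
            status = "suppressed"
        elif not routing or name.lower().startswith("tunnel"):
            status = "not-sending"               # assumption stated in the lead-in
        else:
            status = "advertising"
        report[name] = (status, prefixes if status == "advertising" else [])
    return report
```

Any interface reported as `advertising` hands globally routable addresses and a default route to every host on that segment, so it is the list to compare against the IPv6 filtering you actually have in place.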

jimb

Ah.  Good to know.   8)

Will it advertise itself as an IPv6 default router if IPv6 unicast routing isn't enabled?  Or just advertise the prefix (if RA even does one without the other, which I'm not sure)?

derby

Quote from: cholzhauer on December 08, 2009, 11:58:59 AM
Quote: DO I add a DNS entry for ipv6?

As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6)

For external lookups, you can just give OSx the address of your local dns server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses)

I use opendns.  I put 2001:470:20::2 into the OS X DNS list for the MacBook and with ipv4 and ipv6 enabled on OS X, a browser request to http://ipv6.he.net/ goes over port 80 instead of the tunnel...

I turn ipv4 off and it seems OS X ipv6 "automatic" doesn't find the router.  I did add "ipv6 unicast-routing" to the Cisco 871.


I'm still confused about the configuration settings.  Can someone maybe try to explain (without too many acronyms) what is going on here?  When OS X is in IPv6 "automatic" mode how does the client get an ipv6 IP address?  Is the IP traffic sent as lower level packets to the router which sends the traffic down the tunnel and the IP address of the router is used?  So is the OS X client and the router both using IP address "2001:470:7:444::2" in my configuration?

In the tunnelbroker.net suggested configuration for CISCO routers, in the suggested IOS commands, why isn't the command "ipv6 unicast-routing" included as part of the suggested configuration for ipv6 listed here:

configure terminal
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:7:444::2/64
 tunnel source 208.37.99.227
 tunnel destination 216.66.22.2
 tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end
write




jimb

Quote from: derby on December 08, 2009, 05:11:59 PM
Quote from: cholzhauer on December 08, 2009, 11:58:59 AM
Quote: DO I add a DNS entry for ipv6?

As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6)

For external lookups, you can just give OSx the address of your local dns server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses)

I use opendns.  I put 2001:470:20::2 into the OS X DNS list for the MacBook and with ipv4 and ipv6 enabled on OS X, a browser request to http://ipv6.he.net/ goes over port 80 instead of the tunnel...

I turn ipv4 off and it seems OS X ipv6 "automatic" doesn't find the router.  I did add "ipv6 unicast-routing" to the Cisco 871.


I'm still confused about the configuration settings.  Can someone maybe try to explain (without too many acronyms) what is going on here?  When OS X is in IPv6 "automatic" mode how does the client get an ipv6 IP address?  Is the IP traffic sent as lower level packets to the router which sends the traffic down the tunnel and the IP address of the router is used?  So is the OS X client and the router both using IP address "2001:470:7:444::2" in my configuration?

In the tunnelbroker.net suggested configuration for CISCO routers, in the suggested IOS commands, why isn't the command "ipv6 unicast-routing" included as part of the suggested configuration for ipv6 listed here:

configure terminal
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:7:444::2/64
 tunnel source 208.37.99.227
 tunnel destination 216.66.22.2
 tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end
write

The commands the HE page gives are only for setting up the 6in4 tunnel itself.  In order to use IPv6 on LAN machines, you must use IPs out of your routed /64 on your inside LAN.  You must configure an IPv6 address on the LAN interface of your Cisco router.  So for instance, using your routed /64, you would do something like:

conf t
interface fastethernet0
 ipv6 enable
 ipv6 address 2001:470:8:444::1/64
end
write


This will put an address out of your routed /64 onto your LAN interface, and should enable route advertisement (RA) on that interface.

Your machines on your LAN (including OSX) will pick up the IPv6 addresses and default route via the RA announcements which the router will send, and will automatically configure IPv6 addresses.  Alternatively, you can statically configure IPv6 addresses, or even set up a DHCPv6 server (presuming OSX supports it).  Just use an IPv6 out of your 2001:470:8:444::/64 network for static assignments, or for your DHCPv6 scope (e.g. 2001:470:8:444::100-1000/64 ... you can use the entire range of 2001:0470:0008:0444:0000:0000:0000:0001 - 2001:0470:0008:0444:ffff:ffff:ffff:ffff to assign IPv6s on your LAN)

RA can also support setting the DNS server via RDNSS announcements, but I don't think many OSes support it natively at this point (I know Linux requires a script/daemon to pick these up and use them).  So most use the DNS servers either manually configured, or, if running dual stack, the IPv4 DNS servers serve as DNS for the machines.  Note that DNS servers can return IPv6 AAAA records and ip6.arpa RDNS records over either IPv4 or IPv6.

Also note that some DNS servers seem to filter AAAA responses.  So you may want to manually configure the HE one, or hand out the HE IPv4 DNS server as one of the servers in your IPv4 DHCP setup.

HTH
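
An added example, not written by any poster: the addressing rules from the replies above (block sizes, and using the routed /64 rather than the tunnel /64 on the LAN) worked through with Python's `ipaddress` module and the three prefixes quoted in the thread. The MAC address is constructed, and `slaac_address` assumes the host builds its interface identifier with modified EUI-64 rather than privacy addresses.

```python
import ipaddress

# Prefixes quoted in the thread.
TUNNEL_LINK = ipaddress.ip_network("2001:470:7:444::/64")  # router <-> HE link only
ROUTED_64 = ipaddress.ip_network("2001:470:8:444::/64")
ROUTED_48 = ipaddress.ip_network("2001:470:e068::/48")

def classify(addr):
    """Name the allocation an address falls in, or 'outside'."""
    ip = ipaddress.ip_address(addr)
    for label, net in (("tunnel-link", TUNNEL_LINK),
                       ("routed-64", ROUTED_64), ("routed-48", ROUTED_48)):
        if ip in net:
            return label
    return "outside"

def check_lan_interface(cidr):
    """Return the problems with a proposed LAN interface address (empty = fine)."""
    iface = ipaddress.ip_interface(cidr)
    problems = []
    if iface.network.prefixlen != 64:
        problems.append(f"autoconfiguration expects a /64, got /{iface.network.prefixlen}")
    where = classify(str(iface.ip))
    if where == "tunnel-link":
        problems.append("address belongs to the tunnel link, not the LAN")
    elif where == "outside":
        problems.append("address is not in any prefix HE assigned")
    return problems

def lan_subnets(count):
    """First `count` of the 65536 /64 subnets inside the routed /48."""
    subnets = ROUTED_48.subnets(new_prefix=64)
    return [str(next(subnets)) for _ in range(count)]

def slaac_address(prefix, mac):
    """Address a host derives from an advertised /64 using modified EUI-64."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.ip_network(prefix)[int.from_bytes(iid, "big")])

if __name__ == "__main__":
    print(check_lan_interface("2001:470:8:444::1/64"))   # routed /64: no problems
    print(check_lan_interface("2001:470:7:444::3/64"))   # tunnel link: rejected
    print(lan_subnets(3))
    # Constructed MAC address, for illustration only.
    print(slaac_address("2001:470:8:444::/64", "00:1f:5b:aa:bb:cc"))
```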

derby

JimB,

Thank you so much!  I'll give this a try tomorrow and maybe I'll be able to connect to the outside via ipv6.  Eventually I'm going to have to deal with ipv6 migration at work where I'm part of a small group, so we don't have a lot of specialized people, just a few "generalists".  I configured the 871W I use at home as my "learning lab" a couple of years ago and it has run splendidly with no attention.  Now time to relearn IOS with the IPv6 additional commands.    I'm grateful to have a place to learn this from people that are helpful!

Thanks!

derby

I finally have some time to try to get my Cisco 871 configured to route IPV6 from my home LAN out to the internet.

The 871W has 4 LAN interfaces...

interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable


And an interface BVI1 that handles the LAN traffic:

interface BVI1
 ip address 10.6.18.204 255.255.255.0
 ip access-group 199 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ipv6 address 2001:470:8:444::1/64
 ipv6 enable

The OS X clients aren't showing IPV6 addresses nor does a connection to ipv6.google.com work.

Any ideas to help get this going would be appreciated.

cholzhauer

I don't know about the routers, but with the Cisco firewalls, you need to tell it to do RA

cholzhauer


derby

I'm getting an IPv6 address assigned to a Mac running OS X Snow Leopard server that is connected to the LAN via ethernet.  The OS X clients that connect to the LAN via 802.11n Airport Express WiFi access points are not getting IPv6 addresses.  This Airport Express is set up for bridging mode.  It doesn't do NAT or any routing.  Any suggestions on how to configure the AirPort so that WiFi clients can pass IPv6 traffic to/from the Cisco 87x router?