
Do I need a routing protocol to find the tunnel?

Started by NCFTA, March 22, 2010, 04:26:15 PM


NCFTA

I'm configuring a Cisco 2611 to use the tunnel broker. My tunnel, "tunnel0", is configured as are my other interfaces. When I use a show ipv6 route I get all of my interfaces but not the tunnel. I can route traffic on my LAN using the IPv6 addresses and do ping. I can't ping the tunnel however, either the IPv6 source and destination, or the IPv4 destination at Hurricane Electric's end. Am I missing a step? Do I need to configure a routing protocol like RIP or OSPF? I have used the ? command in the IOS, and checked out Cisco's site but I'm at a loss for how to tell my interfaces the tunnel is there and route traffic through it for the outside.

Details:

I set up my tunnel using the example ios (cisco 12.2) commands:

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:****:*:***::*/64
tunnel source 206.**.**.**
tunnel destination 216.**.**.*
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end

I got my /48 address and allocated one /64 per router interface.  The computers on my vlans all auto-configured an appropriate global unicast from the respective /64.  From the hosts on my lan I can ping6 my lan facing router interface. Or any other IPv6 address on my lan.

But I can't reach the internet from hosts.  I have cef and unicast routing enabled.  I don't have a routing protocol enabled.  I know I'm missing something but I'm not sure what.   



jimb

The tunnel interface should show up, and you should see routes through it.  Is it up?  Can you ping the other side of the tunnel using the tunnel IPv6 as source?

You should see it in sh ipv route, etc.

If the /64s you carved out of the /48 are directly attached to the router's VLAN interfaces or physical interfaces, then all the nets should be reachable from the router.  But to get to the internet you need to give your hosts on your LANs a default route through their respective router interface, which should be done automagically by RA.

As long as there's a default route pointing to the router on each host, you should be able to ping any interface of the router, including the tunnel interface.

If there are multiple layers of routers, then of course either static routes need to be added in the appropriate places, or you can run a routing protocol.

You may also need to add "ipv6 unicast-routing" to the global config.  I had to do that to even get the router to take ipv6 interface commands and such IIRC.  This was under 12.4 though.

NCFTA

Quote from: jimb on March 22, 2010, 06:00:08 PM
The tunnel interface should show up, and you should see routes through it.  Is it up?

When I do "sh running-config" or "sh ipv6 int tunnel0" it gives me that the tunnel is up, but line protocol is down. The ethernet interface for my outbound line is configured for the tunnel's IPv4 address and shows "up/up". I've done a "no shutdown" on both the IPv4 interface and the tunnel interface.

I can see routes in my routing tables for all of my interfaces to my lans on ipv6 when I do "sh ipv6 route".  I can't see an entry for the "tunnel0", though.

Quote from: jimb on March 22, 2010, 06:00:08 PM
Can you ping the other side of the tunnel using the tunnel IPv6 as source?

I tried pinging from my router to the ipv4 address HE provided as the destination.  My ping always times out without a reply. I haven't done a ping6 because my router doesn't seem to support that.  I connected the line and ipv4 address to a laptop and was able to ping outside IPs (google.com etc).  So it isn't the physical connection outbound.

Quote from: jimb on March 22, 2010, 06:00:08 PM
You should see it in sh ipv route, etc.

I don't see any entries for "tunnel0".

Quote from: jimb on March 22, 2010, 06:00:08 PM

If the /64s you carved out of the /48 are directly attached to the router's VLAN interfaces or physical interfaces, then all the nets should be reachable from the router.  But to get to the internet you need to give your hosts on your LANs a default route through their respective router interface, which should be done automagically by RA.

As long as there's a default route pointing to the router on each host, you should be able to ping any interface of the router, including the tunnel interface.

I can "ping6" the ipv6 addresses for the router's lan-facing interfaces, but can't ping6 the ipv6 address for the tunnel.

Quote from: jimb on March 22, 2010, 06:00:08 PM
If there are multiple layers of routers, then of course either static routes need to be added in the appropriate places, or you can run a routing protocol.

My topology is pretty simple.  I only have a switch with several VLANS and a single router connected to the switch.

Quote from: jimb on March 22, 2010, 06:00:08 PM
You may also need to add "ipv6 unicast-routing" to the global config.  I had to do that to even get the router to take ipv6 interface commands and such IIRC.  This was under 12.4 though.

I checked sh running-config and it says ipv6 unicast-routing "enabled".  I'm able to route using ipv6 on the router, just not outbound to the internet via the tunnel.

I'll keep plugging away.  I have only  configured a few routers before in ipv4, and this is my first attempt with ipv6.  I appreciate the help in narrowing things down.  Thanks.

jimb

One thing I noticed is that when I turned on multicast routing on a 7200, it used tunnel0 for itself.  I wonder if something similar is going on.

May want to try a different tunnel interface.  But that's probably not it.

If your router is behind a NAT then you need to use that NAT address as the tunnel source, not the outside IPv6.  Also, make sure no ACLs are blocking IP protocol 41 or ICMP.
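
The ACL advice above refers to IP protocol 41, which is what `tunnel mode ipv6ip` puts on the wire: each IPv6 packet is carried directly inside an IPv4 packet whose protocol field is 41. The following is an added example, not part of the thread: it builds a constructed 6in4 packet and parses it the way a capture filter or firewall would, then checks whether the outer endpoints match the configured tunnel. All addresses are documentation ranges and the function names are hypothetical.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4

def build_6in4(src4, dst4, src6, dst6, payload=b""):
    """Constructed sample packet: IPv4 header (proto 41) + IPv6 header + payload.
    The IPv4 checksum is left at 0 because the parser below does not verify it."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)  # 59 = no next header
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    inner += payload
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_6IN4, 0)
    outer += ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed
    return outer + inner

def parse_6in4(packet):
    """Return outer and inner addresses, or None if the packet is not 6in4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != PROTO_6IN4:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                        # truncated, or payload is not IPv6
    return {
        "tunnel_src": str(ipaddress.IPv4Address(packet[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }

def classify(packet, local4, broker4):
    """Label a packet relative to the one tunnel that is supposed to exist."""
    info = parse_6in4(packet)
    if info is None:
        return "not-6in4"
    if {info["tunnel_src"], info["tunnel_dst"]} == {local4, broker4}:
        return "expected-tunnel"
    return "unexpected-tunnel"

if __name__ == "__main__":
    pkt = build_6in4("192.0.2.10", "198.51.100.1", "2001:db8:1::2", "2001:db8:ffff::1")
    print(parse_6in4(pkt))
    print(classify(pkt, "192.0.2.10", "198.51.100.1"))
```

A perimeter ACL has to permit protocol 41 in both directions between exactly these two IPv4 endpoints; protocol 41 seen between any other pair is a tunnel nobody configured.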

NCFTA

Quote from: jimb on March 24, 2010, 03:31:29 PM
One thing I noticed is that when I turned on multicast routing on a 7200, it used tunnel0 for itself.  I wonder if something similar is going on.

May want to try a different tunnel interface.  But that's probably not it.

If your router is behind a NAT then you need to use that NAT address as the tunnel source, not the outside IPv6.  Also, make sure no ACLs are blocking IP protocol 41 or ICMP.

I'm not NAT-ed.  Did you add a static route for your IPv4 tunnel source?  How about the IPv6 address for the tunnel source?  I am going to try resetting to my startup config and building the tunnel again and just enabling a routing protocol.  Thanks.

jimb

Quote from: NCFTA on March 26, 2010, 07:43:08 AM
Quote from: jimb on March 24, 2010, 03:31:29 PM
One thing I noticed is that when I turned on multicast routing on a 7200, it used tunnel0 for itself.  I wonder if something similar is going on.

May want to try a different tunnel interface.  But that's probably not it.

If your router is behind a NAT then you need to use that NAT address as the tunnel source, not the outside IPv6.  Also, make sure no ACLs are blocking IP protocol 41 or ICMP.

I'm not NAT-ed.  Did you add a static route for your IPv4 tunnel source?  How about the IPv6 address for the tunnel source?  I am going to try resetting to my startup config and building the tunnel again and just enabling a routing protocol.  Thanks.

If the router you're using for the tunnel isn't the default router for your LAN, then you'd need to add a static route somewhere to be able to get to the IPv4 tunnel source from your LAN, if that's what you're asking.

Also, likewise, if the router itself isn't the internet router for your LAN, it needs either a default route set to the upstream gateway to the internet, or a static route for the HE tunnel server pointing to your upstream gateway.  Also, you'll need to add a static for the HE server which does the pings to even add the tunnel.

If your tunnel router is the default gateway/internet router for your LAN you don't need any of this, except a default route on the router itself of course pointing to your upstream gateway.  But if you didn't already have that you wouldn't have internet access :P.