Friday, July 25, 2008

now playing on... IPv6 Tunnels 6to4

The next topic I'll try is 6to4 tunnels. First I read some Cisco docs:

http://www.cisco.com/en/US/docs/ios/solutions_docs/ipv6/v6domain.html#wp1030706

then I'll build my own lab, as usual:

This is the lab for today...
The main goal is to allow connectivity between all IPv6 clouds (here I use a Loopback 6 interface on each router) through IPv4 WAN connections.

When finished, I'll post configurations and comments.

Next step will be the NAT-PT extension on CON8... stay tuned! see u! ;-)

Here are some parts of my config:

CON5#
interface Tunnel0
description Tunn 6to4 CON5 <-> CON6 <-> CON7
no ip address
no ip redirects
ipv6 address 2002:AC20:6401:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/0
description Link CON5 <-> CON7
ip address 10.0.2.30 255.255.255.224
!
interface Serial1/0
description Link CON5 <-> CON6
ip address 10.0.2.62 255.255.255.224
clockrate 4000000
!
interface Loopback100
ip address 172.32.100.1 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0

CON6#
interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:AC20:6402:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/0
description Link CON6 <-> CON5
ip address 10.0.2.33 255.255.255.224
!
interface Serial0/1
description Link CON6 <-> CON7
ip address 10.0.2.129 255.255.255.240
!
interface Loopback100
ip address 172.32.100.2 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0

CON7#
interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:AC20:6404:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/1/0
description Link CON7 <-> CON6
ip address 10.0.2.142 255.255.255.240
fair-queue
clock rate 800000
!
interface Serial0/2/0
description Link CON7 <-> CON5
ip address 10.0.2.1 255.255.255.224
clock rate 800000
!
interface Loopback100
ip address 172.32.100.4 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0

Ping works between all tunnel IPv6 addresses. Here I used Loopback 100 as the tunnel source because the Lo100 addresses are routed (via OSPF in this case), so the tunnel stays up even if one serial link fails.

Ok, after the tunnel interfaces ping each other, we must configure routing between our customers' IPv6 networks (Lo6 in this lab).
So I read here: http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a00801f3b4f.shtml

"
The benefits to the enterprise of using 6to4 tunnels are as follows:
  • Cisco IOS software supports 6to4 tunnels.

  • The end-user host configuration is simple—it requires minimal management overhead.

  • The tunnel is automatic; no enterprise-specific configuration is required at the 6to4 relay site. 6to4 tunnels scale well.

  • This solution accommodates dynamic IP addresses at the enterprise.

  • The tunnel exists only for the duration of the session.

  • A 6to4 tunnel requires only a one-time configuration at the ISP, which makes the 6to4 relay service available simultaneously to many enterprises.

Limitations of 6to4 Tunnels

6to4 tunnel usage has the following limitations:

  • Independently managed NAT is not allowed along the path of the tunnel.

  • You cannot easily implement multihoming.

  • The 6to4 tunnel mechanism provides a /48 address block; no more addresses are available.

  • Because 6to4 tunnels are configured many-to-one and tunnel traffic can originate from multiple endpoints, 6to4 tunnels can provide only overall traffic information to the ISP.

  • The underlying IPv4 address determines the enterprise 6to4 IPv6 address prefix, so the migration to native IPv6 requires renumbering the network.

  • This solution is limited to static or BGP4+ routing. "

The most relevant for me is the limitation of routing via STATIC (mmm, I really don't like static routing!) or BGP4+.
Well, my IOS images don't seem to support BGP4+, only RIPng and OSPFv3
... I tried to use OSPFv3 but no adjacency was established between the tunnel interfaces, and the same with RIPng.. ;-(

Well, I configured static IPv6 entries for the end users' LAN (Lo6) on each router, as follows:

CON5#
ipv6 route 2001:1C5::/64 2002:AC20:6402:1::1
ipv6 route 2001:AFA::/64 2002:AC20:6404:1::1

CON6#
ipv6 route 2001:AFA::/64 2002:AC20:6404:1::1
ipv6 route 2001:FEFE::/64 2002:AC20:6401:1::1

CON7#
ipv6 route 2001:1C5::/64 2002:AC20:6402:1::1
ipv6 route 2001:FEFE::/64 2002:AC20:6401:1::1

On each router there are two static entries, one per remote Lo6 IPv6 network, and the next hop is the remote tunnel IPv6 address.
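As an added example (not part of the original post), this Python script derives the 6to4 tunnel addresses above from the Loopback100 IPv4 sources, shows how a 6to4 router extracts the outer IPv4 destination from a 2002::/16 address (and that a link-local multicast hello has no IPv4 address to extract, which is why static routes or BGP4+ are needed), and generates each router's static Lo6 routes. It assumes the Lo6 prefixes 2001:FEFE::/64, 2001:1C5::/64 and 2001:AFA::/64 sit on CON5, CON6 and CON7 respectively, as implied by the next hops of the static routes above.

```python
import ipaddress
from typing import List, Optional

# Constructed from the post: router -> (Loopback100 tunnel source, Lo6 customer prefix).
# Which Lo6 prefix sits on which router is an assumption read off the static routes' next hops.
LAB = {
    "CON5": ("172.32.100.1", "2001:FEFE::/64"),
    "CON6": ("172.32.100.2", "2001:1C5::/64"),
    "CON7": ("172.32.100.4", "2001:AFA::/64"),
}
SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """RFC 3056: the site prefix is 2002:V4ADDR::/48, the IPv4 address occupying bits 16-47."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))

def tunnel_address(v4: str, subnet: int = 1, host: int = 1) -> ipaddress.IPv6Interface:
    """Tunnel0 address as in the lab: 2002:V4ADDR:<subnet>::<host>/64."""
    base = int(sixto4_prefix(v4).network_address)
    return ipaddress.IPv6Interface((base | (subnet << 64) | host, 64))

def encap_destination(dst6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 destination of the outer header for a packet sent into a 6to4 tunnel.
    Only 2002::/16 addresses carry an embedded IPv4 address; link-local multicast
    such as OSPFv3/RIPng hellos (ff02::5, ff02::9) does not, so those packets cannot
    be 6to4-encapsulated at all: an IGP cannot form adjacencies across the tunnel."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def static_routes(router: str) -> List[str]:
    """The 'ipv6 route <remote Lo6 prefix> <remote tunnel address>' lines for one router."""
    return [
        f"ipv6 route {ipaddress.IPv6Network(lo6)} {tunnel_address(src).ip}"
        for name, (src, lo6) in LAB.items() if name != router
    ]

def encap_for(router: str, dst6: str) -> Optional[ipaddress.IPv4Address]:
    """Resolve dst6 like the lab's routing table: a remote Lo6 prefix matches a static
    route whose next hop is a 2002:: tunnel address, and that next hop supplies the
    outer IPv4 destination; anything inside 2002::/16 goes out Tunnel0 directly."""
    addr = ipaddress.IPv6Address(dst6)
    for name, (src, lo6) in LAB.items():
        if name != router and addr in ipaddress.IPv6Network(lo6):
            return encap_destination(str(tunnel_address(src).ip))
    return encap_destination(dst6)
```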

Well, next step is NAT-PT on CON8...

6 comments:

abdiwae said...

Hi Marco,
Nice articles you have there.
Do you have any idea why my IPv6 ipv6ip 6to4 tunnel won't come up under GNS? The debug result was "ipv6 : failed encapsulation". But, surprisingly enough, it works under GRE.

really good articles, keep up the good work!

abdi.

Marco Rizzi said...

hi Abdi,

thanks for trying my labs ;-)

The first thing when you implement a topology like this is to ensure that all ipv4 links and loopbacks are up and routed properly.
If you can successfully ping loopbacks100 (tunnel sources) check the ipv6 routing table (sh ipv6 route)
Note that the tunnel ipv6 addresses are on different subnets (/64), so you need a static route, here I used the most "generic" ipv6 route 2002::/16 Tunnel0 in order to have a single static and reach the Loopbacks6 too.

enjoy your lab and studies!

every comment and suggestion is always welcome


Marco

abdiwae said...

Hello again Marco,

Well, after carefully trying various different setups over and over - over ipv6ip, over GRE, etc., even using your exact scenario in my GNS - I still can't get it to work :( The routes were fine, they know to forward the traffic to the tunnel interface, but still, I'm getting that encapsulation failed error.

and like i said previously, the only method that worked was over GRE :(

oh well, perhaps i need to try it on a real gear.

thank you very much for the tutorial Marco, very much appreciated.

When will you be heading for the IE lab?

Abdi.

Marco Rizzi said...

Hi Abdi,
let me take a look at your lab, please send me the .net and config files as attachments to:
marco [dot] rizzi [dot] com [at] gmail [dot] com

ok?
so we can follow troubleshooting in pvt ;-)

Marco

abdiwae said...

Hi Marco,

oops, I'm sorry for this very late update :( my bad.

the config? will do, I'll send it to you pronto. hey, thank you for your big assistance, much appreciated once again :)

thanks,

abdi.

Marco Rizzi said...

ok, but write me directly at:

marco [dot] rizzi [dot] com [at] gmail [dot] com


where [dot] = .
and [at] = @

;-)
Marco