Cisco
Using SixXS tunnels with Cisco equipment
This article describes how to use a Cisco router as a SixXS tunnel endpoint and links to the other Cisco-related articles in this wiki.
How to configure a Cisco router as an endpoint for a SixXS Heartbeat tunnel
Configuring a Cisco ASA to allow Protocol 41 through to an endpoint behind it (see CiscoAsa)
Configuring a static tunnel on IOS
First, enable IPv6 routing on the router (without it IOS will accept IPv6 addresses on interfaces but will not forward IPv6 packets between them):
ipv6 unicast-routing
If this command is not recognised, your version of IOS does not support IPv6. An IOS upgrade (purchased, or covered by a Cisco SMARTnet contract) may add IPv6 support, provided the router has enough RAM and flash to hold the larger image.
Next, enable Cisco Express Forwarding for IPv6, which improves forwarding performance. CEF for IPv6 requires IPv4 CEF (ip cef) to be enabled as well.
ipv6 cef
To configure the tunnel itself you will need the information given in the Tunnel Approval email. If an IPv4 access list is applied inbound on your WAN interface, it must let the encapsulated tunnel traffic through: 6in4 is IP protocol 41 (IPv6 carried directly inside IPv4, with no TCP or UDP port), so add a line like the following to that list, above any final deny:
permit 41 host [SixXS IPv4] host [Your IPv4]
This line is evaluated on the outer IPv4 header only. The IPv6 packet inside is not inspected by an IPv4 access list at all, which is why a separate IPv6 filter is applied to the tunnel interface in the Firewalling section below.
Then you can configure the tunnel as follows:
interface Tunnel61
 description 6in4 tunnel to SixXS
 no ip address
 ip tcp adjust-mss 1420
 ipv6 address [Your IPv6]
 ipv6 enable
 tunnel source Ethernet0
 tunnel destination [SixXS IPv4]
 tunnel mode ipv6ip
Your source interface may be different, for example Vlan1 or Dialer0: it is the router's WAN interface, the one that holds the public address [Your IPv4]. IOS expects a prefix length on the address, so [Your IPv6] takes the form 2a00:12:34:56::2/64 as given in the approval email. The MSS value follows from the tunnel MTU: 1500 bytes minus the 20-byte outer IPv4 header leaves 1480 bytes for IPv6, and 1480 minus the 40-byte IPv6 and 20-byte TCP headers gives 1420. Note that ip tcp adjust-mss rewrites the MSS of IPv4 TCP connections only; releases that support it provide ipv6 tcp adjust-mss for IPv6 TCP, and where that is unavailable the line is harmless but ineffective and you rely on path MTU discovery instead (which is one reason ICMPv6 packet-too-big must not be filtered).
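The following Python script is an added illustration, not part of the original article or of SixXS's material. It builds a constructed protocol-41 datagram, parses it, and applies the logic of the single IPv4 access-list line above to it, to show that the line sees only the outer IPv4 header: whatever the inner IPv6 packet claims as its source address, including your own, is invisible to the IPv4 access list. All addresses are documentation placeholders (192.0.2.1 for [SixXS IPv4], 198.51.100.7 for [Your IPv4], 2001:db8:1234:5678::/64 for the tunnel's IPv6 addresses).

```python
import struct
import ipaddress

# Constructed placeholders: TEST-NET addresses stand in for [SixXS IPv4] and [Your IPv4],
# the 2001:db8::/32 documentation prefix stands in for the tunnel's IPv6 addresses.
SIXXS_V4 = "192.0.2.1"
MY_V4 = "198.51.100.7"
SIXXS_V6 = "2001:db8:1234:5678::1"
MY_V6 = "2001:db8:1234:5678::2"
PROTO_6IN4 = 41   # IP protocol number for IPv6 encapsulated in IPv4 (RFC 4213)
NH_ICMPV6 = 58    # IPv6 next-header value for ICMPv6


def ipv4_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options, with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header: version 6, traffic class and flow label zero."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def sample_6in4_packet(inner_src=SIXXS_V6, inner_dst=MY_V6):
    """Constructed 6in4 datagram from the PoP to us carrying an ICMPv6 echo request."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # type 128, code 0, checksum omitted, id, seq
    inner = build_ipv6_header(inner_src, inner_dst, NH_ICMPV6, len(icmp6)) + icmp6
    return build_ipv4_header(SIXXS_V4, MY_V4, PROTO_6IN4, len(inner)) + inner


def parse_6in4(pkt):
    """Decode the outer IPv4 header; if the protocol is 41, also decode the inner IPv6 header.
    Returns (outer, inner); inner is None for traffic that is not 6in4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    outer = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
             "dst": str(ipaddress.IPv4Address(pkt[16:20])),
             "proto": pkt[9]}
    if outer["proto"] != PROTO_6IN4:
        return outer, None
    inner = pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    return outer, {"src": str(ipaddress.IPv6Address(inner[8:24])),
                   "dst": str(ipaddress.IPv6Address(inner[24:40])),
                   "next_header": next_header, "payload_len": payload_len}


def ipv4_acl_permits(outer):
    """Logic of the line 'permit 41 host [SixXS IPv4] host [Your IPv4]': it matches on the
    outer header only, so the inner IPv6 addresses play no part in the decision."""
    return outer["proto"] == PROTO_6IN4 and outer["src"] == SIXXS_V4 and outer["dst"] == MY_V4


if __name__ == "__main__":
    outer, inner = parse_6in4(sample_6in4_packet())
    print("outer", outer, "inner", inner, "IPv4 ACL permits:", ipv4_acl_permits(outer))
    # A packet whose inner IPv6 source is forged to be our own address passes the IPv4 ACL just the same.
    outer, inner = parse_6in4(sample_6in4_packet(inner_src=MY_V6))
    print("forged inner src", inner["src"], "IPv4 ACL permits:", ipv4_acl_permits(outer))
```

The second case is the point: anti-spoofing and service filtering for the tunnel have to be done with an IPv6 access list on the tunnel interface, because the IPv4 list only ever decides whether protocol 41 from the PoP's address is allowed in.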
Confirming your tunnel is active
To check that your tunnel is up, enter the following command; the first line of the output should read as below (the second line is expected, since the tunnel has no IPv4 address):
show ip interface tunnel61
Tunnel61 is up, line protocol is up
  Internet protocol processing disabled
For IPv6 specific information relating to the tunnel, you can use this command
show ipv6 interface tunnel61
If your tunnel is up, you should now be able to ping the IPv6 address of the far end [SixXS IPv6] as follows:
ping 2a00:12:34:54::1
This is only an example address. Use the SixXS end IPv6 address ([SixXS IPv6]) specified in the Tunnel Approval email.
Routing
To send all IPv6 traffic via your new tunnel, add a default route pointing at the tunnel interface (a point-to-point interface is a valid next hop on its own, so no next-hop address is needed):
ipv6 route ::/0 Tunnel61
Once you have done this you should be able to ping external IPv6 addresses such as Google's public IPv6 DNS servers:
ping 2001:4860:4860::8888
ping 2001:4860:4860::8844
Firewalling
Take care: there is a bug in ipv6 traffic-filter (first seen in 15.1(2)T1), Cisco bug CSCtn42301, which can crash the router in rare conditions when it receives ICMPv6. Workaround: do not use ipv6 traffic-filter. Real solution: move to the Zone-Based Firewall (see CiscoZone-BasedPolicyFirewall and CiscoZBF).
You will want to apply an access list to your tunnel so that you are not wide open to the IPv6 internet. The following should get your firewall started; I am only just getting to grips with IPv6 myself, so I would welcome suggestions for improvements and cannot guarantee it is complete. [Your IPv6 prefix] is the tunnel /64, that is [Your IPv6] with the host part removed: for 2a00:12:34:56::2 it is 2a00:12:34:56::/64. The bogon lines match on the source address and together should cover everything except 2000::/3 (global unicast) and ff00::/8 (multicast); check this carefully when editing the list, as 4000::/2 is easy to leave out, in which case sources in that range reach the service permits.
ipv6 access-list ipv6-internet-in
 remark allow ping by SixXS PoP to determine tunnel status
 permit icmp host [SixXS IPv6] host [Your IPv6] echo-request
 remark Prevent spoofing
 deny ipv6 [Your IPv6 prefix] any log
 remark prevent ingress of all addresses except global unicast and multicast
 deny ipv6 ::/3 any log
 deny ipv6 4000::/2 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
 [allow any inbound services you require here - eg. web server]
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any log
Two things to be aware of. First, the order matters: [SixXS IPv6] lies inside [Your IPv6 prefix], so the PoP's ping is permitted only because that line comes before the anti-spoofing deny, and any other ICMPv6 the PoP sends from that address (for example time-exceeded) is dropped by the anti-spoofing line; add explicit permits for such types from host [SixXS IPv6] above it if you need them. Second, since the list ends with deny ipv6 any any log, the individual deny lines change nothing about what gets through; their value is that they give you a separate log entry for spoofed and bogon sources. A multicast address is never a valid source, so you may also deny ff00::/8 for the same logging reason, and you may want to permit the unreachable and parameter-problem ICMPv6 types for diagnostics.
The list above allows nothing back in for sessions you open outbound except ICMPv6 echo replies. To allow replies to outgoing TCP and UDP traffic, if your IOS feature set includes it, set up CBAC (ipv6 inspect), which tracks outbound sessions and opens temporary holes in the inbound filter for their return traffic:
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
To apply both of these to your tunnel interface:
interface Tunnel61
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6 out
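As an added check, not part of the original article, the following Python script tests an ipv6-internet-in style list in two ways. uncovered() computes which part of the IPv6 address space a set of bogon deny ranges plus the intended 2000::/3 and ff00::/8 exceptions leave unaccounted for, and acl_first_match() walks the list's address checks in order for a given source address. It starts from a deny list of eight ranges (::/3, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fc00::/7, fe00::/8) to show a gap that is easy to leave in such a list, then repeats the check with 4000::/2 added. It assumes the documentation prefix 2001:db8:1234:5678::/64 as [Your IPv6 prefix] and ::1 within it as [SixXS IPv6]; both are constructed placeholders, not real SixXS allocations.

```python
import ipaddress

# Constructed placeholders (documentation prefix, not a real SixXS allocation):
MY_PREFIX = "2001:db8:1234:5678::/64"   # [Your IPv6 prefix], the tunnel /64
SIXXS_V6 = "2001:db8:1234:5678::1"      # [SixXS IPv6], the PoP end of the tunnel
ICMPV6_ECHO_REQUEST = 128

# An eight-range bogon deny list, in order, with 4000::/2 missing.
PAGE_DENY = ["::/3", "8000::/2", "c000::/3", "e000::/4",
             "f000::/5", "f800::/6", "fc00::/7", "fe00::/8"]
# What the ACL remark says should be left to reach the later permit lines.
INTENDED_ALLOW = ["2000::/3", "ff00::/8"]
# The same list with the missing range added.
FIXED_DENY = PAGE_DENY + ["4000::/2"]


def uncovered(networks):
    """Return the parts of ::/0 that none of `networks` covers, collapsed and sorted."""
    remaining = [ipaddress.IPv6Network("::/0")]
    for net in map(ipaddress.IPv6Network, networks):
        nxt = []
        for r in remaining:
            if r == net or r.subnet_of(net):
                continue                              # r is entirely covered: drop it
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))    # carve net out of r
            else:
                nxt.append(r)                         # disjoint: keep r as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def acl_first_match(src, icmp_type=None, deny=PAGE_DENY):
    """First-match walk of the list's address checks for a packet with source `src`.
    Returns which line decides the packet, or 'falls through' when it reaches the
    service-specific permits (and, failing those, the final deny ipv6 any any)."""
    a = ipaddress.IPv6Address(src)
    if a == ipaddress.IPv6Address(SIXXS_V6) and icmp_type == ICMPV6_ECHO_REQUEST:
        return "pop-ping permit"
    if a in ipaddress.IPv6Network(MY_PREFIX):
        return "antispoof"            # note: the PoP's own address lives in this /64
    for p in deny:
        if a in ipaddress.IPv6Network(p):
            return "bogon"
    return "falls through"


if __name__ == "__main__":
    print("not covered by the eight-range list:",
          [str(n) for n in uncovered(PAGE_DENY + INTENDED_ALLOW)])
    print("not covered after adding 4000::/2:", uncovered(FIXED_DENY + INTENDED_ALLOW))
    for src, t in [("2001:db8::1", None), ("4000::1", None), ("fe80::1", None),
                   ("ff02::1", None), (SIXXS_V6, 128), (SIXXS_V6, 3)]:
        print(src, t, "->", acl_first_match(src, t))
```

The last two sample sources show the ordering point from the text: an echo request from the PoP is permitted, while an ICMPv6 time-exceeded (type 3) from the same address is caught by the anti-spoofing line because the PoP's address is inside the tunnel /64.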
If you use SSH to manage the router from outside, lock it down for IPv6 as well: an IPv4 access-class on the vty lines does not apply to IPv6, so an IPv4-only restriction leaves SSH over IPv6 open to the whole IPv6 internet as soon as the tunnel is up. The list below blocks all IPv6 access to the vty lines and logs attempts; add permit lines for trusted local or remote hosts above the deny if you need them, and check the line vty range in your own configuration (many routers have line vty 0 15, and the ipv6 access-class must be applied to every vty line).
ipv6 access-list ipv6-ssh-lockdown
 deny ipv6 any any log
line vty 0 4
 ipv6 access-class ipv6-ssh-lockdown in
Providing IPv6 internet access to other hosts on the LAN
Although the tunnel is addressed out of a /64, only its two endpoint addresses ([SixXS IPv6] and [Your IPv6]) are routed, so only the router itself can reach the IPv6 internet. To provide access to other hosts behind it, you will need to apply for a subnet. To get enough ISK credit to apply, your tunnel will have to be up for a week; after that you should be able to request it from the SixXS Home. I am currently waiting to build up enough credit so I cannot yet test this, but SixXS provides this configuration snippet for the LAN side:
ipv6 unicast-routing
interface Ethernet0/0
 ipv6 address [IPv6 Prefix]/64
 ipv6 enable
 ipv6 nd ra-interval 60
 ipv6 nd ra-lifetime 180
 ipv6 nd prefix-advertisement [IPv6 Prefix]/64 360 60 autoconfig
Here [IPv6 Prefix] is the subnet allocated to you (or a /64 out of it), not the tunnel's /64, and the ipv6 address line needs the router's own host address within that subnet (conventionally ::1). The router then sends Router Advertisements so that hosts on the LAN configure themselves by SLAAC. Newer IOS releases replace ipv6 nd prefix-advertisement with ipv6 nd prefix, taking the same prefix and lifetime arguments (autoconfig is the default there). Once the subnet is routed, traffic for the LAN hosts still arrives through Tunnel61, so the ipv6 traffic-filter on the tunnel protects them too; extend the anti-spoofing deny in that list to the subnet prefix as well, since packets claiming to come from your LAN should never arrive from the internet.
I will update this article once I am able to do this myself.