ipv6 with a Cisco ADSL router a short howto

[pvaneynd]

For a long time I wanted to play with IPv6, but I never liked any of the tunnels I saw. This evening I started wondering if my Cisco 837 ADSL router cannot handle some form of tunnel.

A short time later and:

router#ping ipv6.google.com
Translating "ipv6.google.com"...domain server (195.238.2.21) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4860:0:1001::68, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 276/278/284 ms

How to do it: I configured a 6to4 tunnel on the router:

ipv6 unicast-routing
ipv6 cef
! enable ipv6
ipv6 inspect name MyIPv6Inspection tcp
ipv6 inspect name MyIPv6Inspection udp
ipv6 inspect name MyIPv6Inspection ftp
ipv6 inspect name MyIPv6Inspection icmp
! let's have a firewall
interface Tunnel1
no ip address
no ip redirects
ipv6 address 2002:51F0:CCA5::1/128
ipv6 enable
ipv6 traffic-filter ipv6ip in
ipv6 inspect MyIPv6Inspection out
tunnel source Dialer1
tunnel mode ipv6ip 6to4

interface Ethernet0
ipv6 address 2002:51F0:CCA5:DEAD::1/128
ipv6 enable

ipv6 route 2002::/16 Tunnel1
ipv6 route ::/0 2002:C058:6301::

ipv6 access-list ipv6ip
 deny ipv6 any any

Of course the 6to4 ip (the one on Tunnel0) is derived from my ipv4 ip. Which changes now and again. So I uploaded to the flash of my router the following file:

proc doconf { section setting} {
if { [ catch { ios_config $section $setting } errmsg ] } { error "configuration of $section $setting failed"; }
}

set ipaddr [exec "show ip interface Dialer1 | i Internet address"]
regexp {is ([0-9.]*)/} $ipaddr match ip
regexp {([0-9]*).([0-9]*).([0-9]*).([0-9]*)} $ip match a b c d
set newipv6 [format "2002:%2x%2x:%2x%2x::1" $a $b $c $d]
set newintipv6 [format "2002:%2x%2x:%2x%2x:dead::1" $a $b $c $d]
doconf "interface Dialer1" "no ipv6 address"
doconf "interface Dialer1" "ipv6 address $newipv6/128"
doconf "interface Ethernet0" "no ipv6 address"
doconf "interface Ethernet0" "ipv6 address $newintipv6/64"

This is a TCL script that will get the current external ip (from Dialer1) and give the correct IPv6 ips to the right interfaces.

And with alias exec updateipv6 tclsh flash:update-ipv6.tcl I can quickly login and adapt the addresses myself.

The router handles IPv6 autoconfiguration on the inside, so my machine now says:

# ip addr show dev wlan0 scope global
4: wlan0: 

[Error: Irreparable invalid markup ('<broadcast,multicast,up,lower_up>') in entry. Owner must fix manually. Raw contents below.]

For a long time I wanted to play with IPv6, but I never liked any of the tunnels I saw. This evening I started wondering if my Cisco 837 ADSL router cannot handle some form of tunnel.<br /><br />A short time later and:<br /><tt><pre>router#ping ipv6.google.com<br />Translating "ipv6.google.com"...domain server (195.238.2.21) [OK]<br /><br />Type escape sequence to abort.<br />Sending 5, 100-byte ICMP Echos to 2001:4860:0:1001::68, timeout is 2 seconds:<br />!!!!!<br />Success rate is 100 percent (5/5), round-trip min/avg/max = 276/278/284 ms</pre></tt><br /><br />How to do it: I configured a 6to4 tunnel on the router:<br /><br /><pre><tt>ipv6 unicast-routing<br />ipv6 cef<br />! enable ipv6<br />ipv6 inspect name MyIPv6Inspection tcp<br />ipv6 inspect name MyIPv6Inspection udp<br />ipv6 inspect name MyIPv6Inspection ftp<br />ipv6 inspect name MyIPv6Inspection icmp<br />! let's have a firewall<br />interface Tunnel1<br />no ip address<br />no ip redirects<br />ipv6 address 2002:51F0:CCA5::1/128<br />ipv6 enable<br />ipv6 traffic-filter </tt><tt><tt>ipv6ip</tt></tt><tt> in<br />ipv6 inspect MyIPv6Inspection out<br />tunnel source Dialer1<br />tunnel mode ipv6ip 6to4<br /><br />interface Ethernet0<br />ipv6 address 2002:51F0:CCA5:DEAD::1/128<br />ipv6 enable<br /><br />ipv6 route 2002::/16 Tunnel1<br />ipv6 route ::/0 2002:C058:6301::<br /><br />ipv6 access-list ipv6ip<br /> deny ipv6 any any</tt></pre><tt></tt><br /><br />Of course the 6to4 ip (the one on <tt>Tunnel0</tt>) is derived from my ipv4 ip. Which changes now and again. So I uploaded to the flash of my router the following file:<br /><br /><tt><pre>proc doconf { section setting} {<br />if { [ catch { ios_config $section $setting } errmsg ] } { error "configuration of $section $setting failed"; }<br />}<br /><br />set ipaddr [exec "show ip interface Dialer1 | i Internet address"]<br />regexp {is ([0-9.]*)/} $ipaddr match ip<br />regexp {([0-9]*).([0-9]*).([0-9]*).([0-9]*)} $ip match a b c d<br />set newipv6 [format "2002:%2x%2x:%2x%2x::1" $a $b $c $d]<br />set newintipv6 [format "2002:%2x%2x:%2x%2x:dead::1" $a $b $c $d]<br />doconf "interface Dialer1" "no ipv6 address"<br />doconf "interface Dialer1" "ipv6 address $newipv6/128"<br />doconf "interface Ethernet0" "no ipv6 address"<br />doconf "interface Ethernet0" "ipv6 address $newintipv6/64"<br /></pre></tt><br /><br />This is a TCL script that will get the current external ip (from <tt>Dialer1</tt>) and give the correct IPv6 ips to the right interfaces.<br /><br />And with <tt>alias exec updateipv6 tclsh flash:update-ipv6.tcl</tt> I can quickly login and adapt the addresses myself.<br /><br />The router handles IPv6 autoconfiguration on the inside, so my machine now says: <tt><pre># ip addr show dev wlan0 scope global<br />4: wlan0: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast qlen 1000<br /> link/ether 00:19:d2:28:2c:a4 brd ff:ff:ff:ff:ff:ff<br /> inet 192.168.1.53/24 brd 192.168.1.255 scope global wlan0<br /> inet6 2002:51f0:cca5:dead:219:d2ff:fe28:2ca4/64 scope global dynamic<br /> valid_lft 2590061sec preferred_lft 602861sec</broadcast,multicast,up,lower_up></pre></tt><br />The one remaining problem is that when the external ip changes the autoconfig announcements change too, but the old ipv6 IPs remain on the interfaces.<br /><br />PS: for those not in the know: I work for Cisco but this was done after hours and using public information (of course)