Set Up an IPv6 Tunnel through Hurricane Electric on a Cisco Router
I've set up my home network with an IPv6 tunnel through Hurricane Electric. The process is pretty straightforward, and I'll share my learnings with you in this post.
How a Manual IPv6-in-IPv4 Tunnel Works
Using an IPv6-in-IPv4 tunnel through Hurricane Electric is useful when your current ISP doesn't yet offer native IPv6 service or tunneled 6rd service. In this case, you need to tunnel IPv6 traffic across an intermediate IPv4-only network (or the Internet). I set up my tunnel broker account through HE as an initial step in learning IPv6 prior to switching to the IPv6 service offered by my current ISP (CenturyLink). In a future post, I'll describe setting up the CenturyLink 6rd tunneling service, which will be slightly different.
The HE tunnel broker service uses a manually configured IPv6-in-IPv4 tunnel, and it's pretty straightforward to understand how this works. You define an IPv4 tunnel source (your local dual-stack router's WAN interface), an IPv4 tunnel destination (the HE dual-stack router), and a default route on your local router that directs all IPv6 traffic across the tunnel. Each IPv6 packet is encapsulated inside an IPv4 packet (IPv4 protocol number 41, which any IPv4 firewall between you and HE must permit) and sent across the IPv4-only network. When the packet reaches the tunnel destination router, the outer IPv4 header is stripped off and the IPv6 packet is forwarded to its destination. Return traffic is encapsulated the same way in the opposite direction, which is why HE needs to know your public IPv4 address.
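To make the encapsulation concrete, here is an added example (my code, not from the original post) that performs 6in4 encapsulation and decapsulation at the byte level with Python's standard library. It also computes the tunnel IPv6 MTU that the later Cisco configuration sets by hand (1480 on plain Ethernet, 1472 behind PPPoE) and refuses to encapsulate a packet that would no longer fit the link. All IPv4 and IPv6 addresses in it are constructed documentation placeholders, not the author's real tunnel endpoints.

```python
"""Added example, not code from the original post: the IPv6-in-IPv4 (6in4)
encapsulation a manual tunnel performs, at the byte level. All addresses are
constructed documentation placeholders (RFC 5737 / RFC 3849), not the author's
tunnel endpoints."""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv4 protocol number meaning "payload is an IPv6 packet"
IPV4_HEADER_LEN = 20     # outer header without options
PPPOE_OVERHEAD = 8
ETHERNET_MTU = 1500


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src6: str, dst6: str, payload: bytes, next_header: int = 58) -> bytes:
    """Minimal IPv6 header (RFC 8200): version 6, zero traffic class and flow label, hop limit 64."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload


def tunnel_ipv6_mtu(link_mtu: int = ETHERNET_MTU, pppoe: bool = False) -> int:
    """Largest IPv6 packet whose encapsulated form still fits the outbound IPv4 link:
    1500 -> 1480 on plain Ethernet, 1472 when PPPoE takes another 8 bytes."""
    return link_mtu - IPV4_HEADER_LEN - (PPPOE_OVERHEAD if pppoe else 0)


def encapsulate_6in4(inner: bytes, tunnel_source: str, tunnel_destination: str,
                     link_mtu: int = ETHERNET_MTU, pppoe: bool = False) -> bytes:
    """What the tunnel source router does: prepend an IPv4 header with protocol 41.
    Raises instead of silently fragmenting when the result would not fit the link,
    which is the case the lowered 'ipv6 mtu' on the tunnel interface is meant to avoid."""
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if len(inner) > tunnel_ipv6_mtu(link_mtu, pppoe):
        raise ValueError("encapsulated packet would exceed the link MTU")
    total_len = IPV4_HEADER_LEN + len(inner)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,            # version 4 / IHL 5, DSCP+ECN, total length
                         0, 0, 255, IPPROTO_IPV6, 0,    # id, flags+offset, TTL, protocol, checksum=0
                         ipaddress.IPv4Address(tunnel_source).packed,
                         ipaddress.IPv4Address(tunnel_destination).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + inner


def decapsulate_6in4(outer: bytes, expected_peer: str) -> bytes:
    """What the tunnel destination does: validate the outer header and return the inner IPv6 packet.
    The peer check is the important one: a manual tunnel is point-to-point, and accepting
    protocol 41 from any source would let arbitrary Internet hosts inject IPv6 into your LAN."""
    if len(outer) < IPV4_HEADER_LEN or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(outer) < ihl or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", outer[2:4])[0]
    if outer[9] != IPPROTO_IPV6:
        raise ValueError("IPv4 protocol %d is not 6in4" % outer[9])
    if ipaddress.IPv4Address(outer[12:16]) != ipaddress.IPv4Address(expected_peer):
        raise ValueError("outer source is not the configured tunnel peer")
    inner = outer[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner payload is not IPv6")
    return inner
```

The decapsulation side only accepts packets whose outer source is the configured peer; when you later put an IPv4 ACL on your WAN interface, the matching rule is "permit protocol 41 from the Server IPv4 Address only".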
Manual IPv6-in-IPv4 Tunnel
There are a few things you'll need before you get started:
- A static IPv4 address from your ISP - preferred for a manual IPv6-in-IPv4 tunnel so the tunnel destination router can encapsulate return traffic back to your local router. You can use a dynamic IPv4 address, but it requires updating the tunnel definition every time it changes (see this FAQ).
- A dual-stack capable router - in my case, I'm using a Cisco router.
Setting Up the Tunnel Broker Service
There are a few steps involved in setting up the tunnel broker service.
1. Create an account at http://tunnelbroker.net
Enter a username and password in the login box and click the "Register" button. Fill in your information to complete the process.
2. Create a new tunnel
Click the "Create Regular Tunnel" link in the User Functions section. You'll need to enter the IPv4 address of your local router's WAN interface, which must be a publicly routable Internet address (not a private RFC 1918 address). Then select a tunnel server from the list on the form. This will be the tunnel destination router that Hurricane Electric provides to terminate your tunnel service. I recommend selecting the server closest to your location for the lowest latency. Click the "Create Tunnel" button at the bottom of the form.
Hurricane Electric Regular Tunnel Creation
3. View your tunnel details
You will need to take note of a few items that will be used when configuring your local router:
- Server IPv4 Address - will be used as the IPv4 tunnel destination.
- Server IPv6 Address - the IPv6 address of the far end of the tunnel (the tunnel server's side of the tunnel /64). You'll ping it to verify the tunnel is up.
- Client IPv4 Address - the public IPv4 address of your local router's WAN interface, used as the tunnel source.
- Client IPv6 Address - will be configured on your local router's tunnel interface. It shares a /64 with the Server IPv6 Address, so the router can establish a neighbor relationship with the other end of the tunnel.
- Routed /64 - a separate /64 prefix that you can use internally on your local network for IPv6 capable hosts. Don't confuse it with the tunnel's own /64 above.
- Available DNS Resolvers - Hurricane Electric's IPv6-capable recursive DNS servers, which you can use to look up IPv6 resources on the Internet (web servers, mail servers, etc.). Alternatively, use any public IPv6 DNS servers (such as OpenDNS or Google).
Hurricane Electric Tunnel Details
4. Optionally - assign a /48 prefix to your local network
If you need more than one IPv6 prefix on your local network, Hurricane Electric can assign you an entire /48 prefix, which will be routed across the tunnel. You can then break it into smaller prefixes (a /48 holds 65,536 /64s) for use on multiple links in your local network. To assign a /48 prefix, click the "Assign /48" link.
Setting Up Your Cisco Router for IPv6
Next, we'll need to configure your local Cisco router.
First, enable IPv6 routing and Cisco Express Forwarding (CEF):
ipv6 unicast-routing
ipv6 cef
Second, you'll want to create a tunnel interface for the link to the Hurricane Electric tunnel broker service. Comment lines begin with "!", which IOS ignores, so the block can be pasted as-is.
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 ! No IPv4 address is needed on the tunnel interface
 no ip address
 ! Enable IPv6 on the interface
 ipv6 enable
 ! Assign a Global Unicast Address to the tunnel interface. Use the
 ! Client IPv6 Address assigned to you by Hurricane Electric. Your router
 ! uses it to establish a neighbor relationship with the other tunnel
 ! endpoint, the Server IPv6 Address (::1 in the same /64).
 ipv6 address 2001:470:XXXX:XXXX::2/64
 ! Lower the IPv6 MTU so an encapsulated packet still fits the outbound
 ! link: 1500 - 20 (IPv4 header) = 1480 on plain Ethernet. I have a PPPoE
 ! link, which costs another 8 bytes: 1500 - 20 - 8 = 1472. Oversized
 ! IPv6 packets from the LAN are then answered with an ICMPv6 Packet Too
 ! Big instead of being fragmented or dropped at the IPv4 layer.
 ipv6 mtu 1472
 ! Secure your local network with an IPv6 ACL and stateful inspection.
 ! The next three lines reference an inspect rule set (v6firewall) and an
 ! ACL (v6Outside_ACL) that I'll cover in a subsequent post; leave them
 ! out until those are defined.
 ipv6 inspect v6firewall in
 ipv6 inspect v6firewall out
 ipv6 traffic-filter v6Outside_ACL in
 ! Configure the tunnel mode as a manual IPv6-in-IPv4 tunnel (IPv4 protocol 41).
 tunnel mode ipv6ip
 ! The tunnel source is the IPv4 address on your local router's WAN
 ! interface (the Client IPv4 Address). The tunnel destination is the
 ! Server IPv4 Address provided by Hurricane Electric.
 tunnel source 63.224.XXX.XXX
 tunnel destination 184.105.253.14
Next, install a default route so that all IPv6 traffic originating from your local network traverses the tunnel.
ipv6 route ::/0 Tunnel0
Configure a stateless DHCPv6 server to assign IPv6 DNS servers and a domain suffix to clients so they can resolve hostnames to IP addresses. A stateless DHCPv6 server does not hand out IPv6 addresses to clients or maintain a binding database. In my setup, I'll be using SLAAC to allow clients to autoconfigure addresses on the local link based on the prefix(es) advertised by the router in ICMPv6 Router Advertisements. You can use the Hurricane Electric resolvers or any public server as mentioned previously.
ipv6 dhcp pool DHCPv6
dns-server 2001:470:20::2
domain-name yourdomain.com
Configure a local LAN interface with the routed IPv6 network assigned to you by Hurricane Electric. This may be the Routed /64 originally assigned to your tunnel or one /64 out of a /48 if you requested one (break the /48 into smaller /64 prefixes for multiple internal network links). This interface is typically a dual-stack interface, meaning it will support both IPv4 and IPv6 clients. This is important to allow clients to continue to use IPv4 to access services which are not yet available over IPv6.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ! Enable IPv6 on the interface
 ipv6 enable
 ! Configure the Routed /64 from Hurricane Electric on the local LAN
 ! interface. This is a different /64 from the one on Tunnel0, even
 ! though both are masked as XXXX here.
 ipv6 address 2001:470:XXXX:XXXX::1/64
 ! Advertise a smaller IPv6 MTU than the default 1500 bytes in Router
 ! Advertisements to account for tunnel overhead. The IPv6 minimum MTU
 ! of 1280 bytes is a safe bet and prevents packets being dropped by
 ! tunneling mechanisms along the path.
 ipv6 mtu 1280
 ! Set the other-config-flag (O flag) in Router Advertisements so that
 ! clients obtain other parameters such as DNS via stateless DHCPv6.
 ! The M flag stays clear, so addresses still come from SLAAC.
 ipv6 nd other-config-flag
 ! Assign the previously defined DHCPv6 pool to this interface.
 ipv6 dhcp server DHCPv6
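What the LAN configuration above actually puts on the wire is an ICMPv6 Router Advertisement with the O flag set, the M flag clear, an MTU option of 1280 and a Prefix Information option with the A (autonomous) flag. The following added example (my code, not from the original post or Cisco) builds such an RA and decodes it the way a host would, including the decision between SLAAC, stateless DHCPv6 and stateful DHCPv6. The prefix and lifetimes are constructed placeholders, and the ICMPv6 checksum is left at zero because on the wire it is computed over the IPv6 pseudo-header.

```python
"""Added example, not code from the original post: build and decode the ICMPv6
Router Advertisement (RFC 4861) a router sends when configured with a SLAAC
prefix, the other-config-flag and an advertised MTU of 1280. Prefix and
lifetimes are constructed placeholders."""
import ipaddress
import struct
from typing import Optional

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_MTU = 5

FLAG_MANAGED = 0x80    # M flag: get addresses from stateful DHCPv6
FLAG_OTHER = 0x40      # O flag: get only other config (DNS, domain) from DHCPv6
PIO_ON_LINK = 0x80     # L flag in the Prefix Information option
PIO_AUTONOMOUS = 0x40  # A flag: hosts may form addresses from this prefix (SLAAC)


def build_ra(prefix: str, other_config: bool, managed: bool = False,
             mtu: Optional[int] = 1280, router_lifetime: int = 1800) -> bytes:
    """RA header followed by an MTU option and one Prefix Information option."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other_config else 0)
    # type, code, checksum(0), cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    if mtu is not None:
        ra += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)        # length 1 = 8 bytes
    net = ipaddress.IPv6Network(prefix)
    ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, PIO_ON_LINK | PIO_AUTONOMOUS,
                      2592000, 604800, 0)                     # valid 30d, preferred 7d, reserved
    return ra + net.network_address.packed


def parse_ra(ra: bytes) -> dict:
    """Decode the fields a host acts on. Truncated or zero-length options are rejected
    rather than skipped: an RA can come from any host on the link, so treat it as hostile input."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = ra[5]
    info = {"managed": bool(flags & FLAG_MANAGED), "other_config": bool(flags & FLAG_OTHER),
            "router_lifetime": struct.unpack("!H", ra[6:8])[0], "mtu": None, "prefixes": []}
    pos = 16
    while pos < len(ra):
        if pos + 2 > len(ra):
            raise ValueError("truncated option header")
        opt_type, opt_len = ra[pos], ra[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(ra):
            raise ValueError("bad option length")
        body = ra[pos + 2:pos + opt_len]
        if opt_type == OPT_MTU and opt_len == 8:
            info["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = body[0], body[1]
            info["prefixes"].append({"prefix": "%s/%d" % (ipaddress.IPv6Address(body[14:30]), plen),
                                     "on_link": bool(pflags & PIO_ON_LINK),
                                     "slaac": bool(pflags & PIO_AUTONOMOUS)})
        pos += opt_len
    return info


def host_behaviour(info: dict) -> str:
    """How a host acts on the decoded flags (RFC 4861 / RFC 8415 semantics)."""
    if info["managed"]:
        return "stateful dhcpv6"
    parts = []
    if any(p["slaac"] for p in info["prefixes"]):
        parts.append("slaac")
    if info["other_config"]:
        parts.append("stateless dhcpv6")
    return " + ".join(parts) or "link-local only"
```

Because every host on the link will act on any RA it receives, this is also why rogue-RA protection (RA Guard, RFC 6105) on the access switch is worth considering once the IPv6 LAN is in production.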
The IPv6 MTU on the local LAN interface is important because Path MTU Discovery often does not work across the Internet: stateful security devices frequently block the ICMPv6 Packet Too Big messages it depends on. Even if your tunnel supports a higher MTU than the minimum 1280 bytes, such as 1472 bytes, you may run into situations where some IPv6 Internet resources still require a smaller MTU because tunneling occurs elsewhere along the route. Advertising 1280 bytes to your hosts sidesteps the problem, since no IPv6 link is allowed to have a smaller MTU.
Testing It All Out
Once you've got your tunnel established and local LAN configured, let's test it out.
From the router, ping the Server IPv6 Address (the far end of the tunnel). This will verify IPv6 reachability across the tunnel between the two tunnel endpoints.
cisco-router#ping 2001:470:XXXX:XXXX::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:XXXX:XXXX::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
Connect a client to your local LAN. This will verify that a client is properly receiving an IPv6 address from your router. Here is an example using an Apple MacBook Pro connected to the IPv6 network over Wi-Fi:
Apple MacBook Pro IPv6 Network Connection
You will notice that the Cisco router sends Router Advertisements (RAs) from its link-local address in the fe80::/10 block. Embedded in the RA is information about the network prefixes configured for the link, whether or not clients should use autoconfiguration (SLAAC) to obtain an address, and the other-config-flag telling clients to use stateless DHCPv6 for DNS and domain suffix assignment. Most modern clients will autoconfigure two global IPv6 addresses: one using the modified EUI-64 format derived from the Ethernet MAC address of their interface, and one temporary address with a randomly generated interface identifier (RFC 4941 privacy extensions). Hosts will typically prefer the temporary address when initiating sessions with other hosts, so the MAC-derived address is not exposed to the servers they talk to.
vonNagyMBP13:~ andrewvonnagy$ ifconfig en1
en1: flags=8863 mtu 1500
	ether 68:xx:xx:xx:1b:f0
	inet6 fe80::6axx:xxff:fexx:1bf0%en1 prefixlen 64 scopeid 0x5
	inet6 2001:470:XXXX:XXXX:6axx:xxff:fexx:1bf0 prefixlen 64 autoconf
	inet6 2001:470:XXXX:XXXX:4d2f:7cb8:221c:f6a1 prefixlen 64 autoconf temporary
	inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
	media: autoselect
	status: active
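The relationship between the MAC address and the first global address above can be checked rather than eyeballed. The following added example (my code, not from the original post) derives the SLAAC address a host forms from a prefix and MAC using the modified EUI-64 transform, recovers the MAC from such an address, and classifies the addresses in an ifconfig dump as EUI-64-derived (and therefore MAC-revealing) or temporary. The MAC, prefix and ifconfig text it uses are constructed to resemble the redacted output above; they are not the author's real values.

```python
"""Added example, not code from the original post: modified EUI-64 (RFC 4291
Appendix A) SLAAC addresses and classification of ifconfig output. The MAC,
prefix and ifconfig text are constructed, modelled on the redacted output."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, not the author's host: real hex in place of the xx masks.
SAMPLE_IFCONFIG = """\
en1: flags=8863 mtu 1500
    ether 68:a8:6d:12:1b:f0
    inet6 fe80::6aa8:6dff:fe12:1bf0%en1 prefixlen 64 scopeid 0x5
    inet6 2001:db8:abcd:1:6aa8:6dff:fe12:1bf0 prefixlen 64 autoconf
    inet6 2001:db8:abcd:1:4d2f:7cb8:221c:f6a1 prefixlen 64 autoconf temporary
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
"""

IFCONFIG_INET6 = re.compile(r"^\s*inet6 (\S+?)(?:%\w+)? prefixlen (\d+)((?: \w+)*)")


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe in the middle, flip the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host autoconfigures from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Undo the transform if the interface identifier carries the ff:fe marker, else None.
    This is exactly what a remote server can do with an EUI-64 address it sees in its logs."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in octets)


def classify_ifconfig(text: str) -> List[Dict[str, Optional[str]]]:
    """Label each global inet6 address as 'eui64' (reveals the MAC), 'temporary' or 'other'."""
    result = []
    for line in text.splitlines():
        m = IFCONFIG_INET6.match(line)
        if not m:
            continue
        addr, flags = m.group(1), m.group(3).split()
        if ipaddress.IPv6Address(addr).is_link_local:
            continue
        mac = mac_from_eui64(addr)
        if "temporary" in flags:
            kind = "temporary"
        elif mac is not None:
            kind = "eui64"
        else:
            kind = "other"
        result.append({"address": addr, "kind": kind, "mac": mac})
    return result
```

Running classify_ifconfig over the constructed sample flags the first global address as EUI-64 with the host's MAC recoverable from it, and the second as temporary; that distinction is what the preference for temporary addresses mentioned above is protecting.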
You can also check the DNS settings on the host to ensure stateless DHCPv6 worked properly.
Apple MacBook Pro IPv6 DNS Server(s) and Domain Suffix
Next, ping the remote tunnel endpoint (the Server IPv6 Address) from the local LAN host. This will verify that routing for your assigned network prefix is working properly across the tunnel. Tip: be sure to use the ping6 command on Mac OS X, not ping!
vonNagyMBP13:~ andrewvonnagy$ ping6 2001:470:XXXX:XXXX::1
PING6(56=40+8+8 bytes) 2001:470:XXXX:XXXX:4d2f:7cb8:221c:f6a1 --> 2001:470:XXXX:XXXX::1
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=0 hlim=63 time=35.977 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=1 hlim=63 time=33.656 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=2 hlim=63 time=32.902 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=3 hlim=63 time=35.838 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=4 hlim=63 time=35.926 ms
^C
--- 2001:470:XXXX:XXXX::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 32.902/34.860/35.977/1.313 ms
You might want to try resolving a AAAA DNS record over IPv6 using one of the Hurricane Electric resolvers:
vonNagyMBP13:~ andrewvonnagy$ dig @2001:470:20::2 www.google.com AAAA
; <<>> DiG 9.8.1-P1 <<>> @2001:470:20::2 www.google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14297
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN AAAA
;; ANSWER SECTION:
www.google.com. 52 IN AAAA 2607:f8b0:4009:802::1010
;; Query time: 38 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Tue Aug 13 15:24:33 2013
;; MSG SIZE rcvd: 60
Finally, try hitting an IPv6 test website. A good one for North America is the North American IPv6 Task Force website. Look for the image of a turtle in the right sidebar along with detection of the IPv6 address being used by your host. You can also try the Google IPv6 test webpage or http://test-ipv6.com/.
Cheers,
Andrew
Additional IPv6 posts you might be interested in:
IPv6 Refresher: The Need for IPv6 and Address Format
IPv6 Refresher: Unicast Addressing
IPv6 Unicast Address Allocation
Tagged: cisco, hurricane electric, ipv6, tunnel broker, tunnel