CenturyLink 6rd on Cisco IOS
I have a static IPv4 address from CenturyLink (x.y.z.198). To find my corresponding IPv6 6rd address I need to convert my IPv4 address to hex and append it to CenturyLink’s 6rd prefix.
My IPv4 address: x.y.z.198
My IPv6 6rd address: XX:YY:ZZ:C6
where XX (in hex)=x (in decimal)
Prepending CenturyLink’s IPv6 6rd prefix (2602::/24) to my 6rd address leaves me with 2602:00XX:YYZZ:C600::
Note that the last two zeros (hex digits, so eight bits) in the 6rd address above are allocated to the customer, giving every CenturyLink customer 256 IPv6 subnets per public IPv4 address (assuming the customer’s IPv6 subnets are all /64s). Since I have an IPv4 /29 from CenturyLink, I could potentially use 256*8=2048 IPv6 /64 subnets. Whoa.
IOS will also need to know the IPv4 address of CenturyLink’s border router (205.171.2.64).
Putting this all into a tunnel interface leaves us with:
interface Tunnel2
 no ip address
 no ip redirects
 ipv6 address 2602:XX:YYZZ:C600::1/64
 tunnel source x.y.z.198
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 2602::/24
 tunnel 6rd br 205.171.2.64
end
NOTE: The CenturyLink border router uses an anycast address. Based on a few traceroutes I’ve found border routers in Kansas City and Los Angeles.
Of course, you can’t ping any IPv6 addresses with this configuration since the router doesn’t know where to send the packets. Adding a static default route to the IPv4-compatible IPv6 address of CenturyLink’s border router will fix that:
ipv6 route ::/0 Tunnel2 ::205.171.2.64 !
EDIT: The default gateway above will get you nowhere. To find the IPv6 6rd address of CenturyLink’s border router we’ll follow the same process we used above to find our own 6rd address.
Border router IPv4 address: 205.171.2.64
Border router equivalent 6rd address: CD:AB:02:40
Prepending CenturyLink’s IPv6 6rd prefix (2602::/24) to the border router’s 6rd address leaves us with 2602:00CD:AB02:4000::. I also appended eight zero bits (0x00 in hex) to the end to make the address 64 bits long.
Thus, to send all outbound IPv6 traffic to CenturyLink’s 6rd border router, we’ll instead do this:
ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::
Why do you specify the outgoing interface (Tunnel2), you ask? Because 2602:CD:AB02:4000:: isn’t directly connected to our router. How else will IOS know which interface to use?
Ok, what if we just specify the interface, and not the next-hop address? I tried that too, here’s what happens:
vpn(config)#ipv6 route ::/0 tun2
vpn(config)#end
vpn#debug tunn
Tunnel Interface debugging is on
vpn#term mon
vpn#debug ipv6 packet det
IPv6 unicast packet debugging is on
vpn#
vpn#ping 2607:f298:1:130::dcd:e005 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2607:F298:1:130::DCD:E005, timeout is 2 seconds:
Jun 15 18:56:10: IPv6-Fwd: Destination lookup for 2607:F298:1:130::DCD:E005 : i/f=Tunnel2, nexthop=2607:F298:1:130::DCD:E005
Jun 15 18:56:10: IPv6-Sas: SAS picked source 2602:XX:YYZZ:C600::1 for 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:10: IPV6: source 2602:XX:YYZZ:C600::1 (local)
Jun 15 18:56:10: dest 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:10: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
Jun 15 18:56:10: IPv6-Fwd: Sending on Tunnel2
Jun 15 18:56:10: Tunnel2 count tx, adding 20 encap bytes
.
Success rate is 0 percent (0/1)
vpn#
It looks like the packets are being sent, but they’re not. IOS can’t find the next-hop’s L2 address like it can when using a static protocol 41 tunnel to Hurricane Electric. I think it’s because the normal IPv6 ND features don’t work with the automatic encapsulation stuff that 6rd does. Here are the debugs when the default route is configured correctly:
vpn#conf t
vpn(config)#no ipv6 route ::/0 tun2
vpn(config)#ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::
vpn#
vpn#ping 2607:f298:1:130::dcd:e005 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2607:F298:1:130::DCD:E005, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 96/96/96 ms
vpn#
Jun 15 18:56:33: IPv6-Fwd: Destination lookup for 2607:F298:1:130::DCD:E005 : i/f=Tunnel2, nexthop=2602:CD:AB02:4000::
Jun 15 18:56:33: IPv6-Sas: SAS picked source 2602:XX:YYZZ:C600::1 for 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: IPv6-Fwd: nexthop 2602:CD:AB02:4000::,
Jun 15 18:56:33: IPV6: source 2602:XX:YYZZ:C600::1 (local)
Jun 15 18:56:33: dest 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
Jun 15 18:56:33: IPv6-Fwd: Created tmp mtu cache entry for 2602:XX:YYZZ:C600::1 2607:F298:1:130::DCD:E005 00000000
Jun 15 18:56:33: IPv6-Fwd: Sending on Tunnel2
Jun 15 18:56:33: Tunnel2 count tx, adding 20 encap bytes
Jun 15 18:56:33: Tunnel2: IPv6/IP to classify 205.171.2.64->x.y.z.198 (tbl=0,"default" len=120 ttl=247 tos=0x0) ok, oce_rc=0x1
Jun 15 18:56:33: Tunnel2: IPv6/IP (PS) to decaps 205.171.2.64->x.y.z.198 (tbl=0, "default", len=120, ttl=247)
Jun 15 18:56:33: Tunnel2: decapsulated IPv6/IP packet (len 120)
Jun 15 18:56:33: IPv6-Fwd: Destination lookup for 2602:XX:YYZZ:C600::1 : Local, i/f=Tunnel2, nexthop=2602:XX:YYZZ:C600::1
Jun 15 18:56:33: IPV6: source 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: dest 2602:XX:YYZZ:C600::1 (Tunnel2)
Jun 15 18:56:33: traffic class 0, flow 0x0, len 100+20, prot 58, hops 54, forward to ulp
vpn#
vpn#
You can see the tunnel encapsulation happening now, whereas there was no encapsulation before. Happy pinging.
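The address arithmetic used in this post, in both directions, as an added example (not part of the original post or of IOS). The 6rd prefix and border relay address are the ones given above; 198.51.100.198 is a constructed sample WAN address, and the function names and the `v4_mask_len` parameter (RFC 5969's IPv4MaskLen, 0 for CenturyLink's full 32-bit mapping) are this example's own.

```python
import ipaddress

# Values taken from the post: CenturyLink's 6rd prefix and border relay.
SIXRD_PREFIX = ipaddress.IPv6Network("2602::/24")
BORDER_RELAY = ipaddress.IPv4Address("205.171.2.64")


def delegated_prefix(ipv4, prefix=SIXRD_PREFIX, v4_mask_len=0):
    """Return the 6rd delegated prefix for a CE's WAN IPv4 address.

    v4_mask_len is the number of leading IPv4 bits the provider omits
    (RFC 5969 IPv4MaskLen); 0 means all 32 bits are embedded.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    v4_bits = 32 - v4_mask_len
    plen = prefix.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("no room left for a /64 subnet")
    suffix = int(v4) & ((1 << v4_bits) - 1)
    base = int(prefix.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def embedded_ipv4(ipv6, prefix=SIXRD_PREFIX):
    """Return the IPv4 tunnel endpoint embedded in a 6rd address, or None
    when the address lies outside the 6rd prefix (full 32-bit mapping)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    shift = 128 - prefix.prefixlen - 32
    return ipaddress.IPv4Address((int(v6) >> shift) & 0xFFFFFFFF)


def subnet_count(delegated):
    """Number of /64 subnets available inside a delegated prefix."""
    return 1 << (64 - delegated.prefixlen)


if __name__ == "__main__":
    ce = delegated_prefix("198.51.100.198")  # constructed sample address
    print("CE delegated prefix:", ce, "->", subnet_count(ce), "x /64")
    print("BR next hop:", delegated_prefix(BORDER_RELAY).network_address)
    print("next hop decodes to:", embedded_ipv4("2602:CD:AB02:4000::"))
    print("ping target decodes to:", embedded_ipv4("2607:f298:1:130::dcd:e005"))
```

The next hop used in the working route decodes back to the border relay's IPv4 address, while the ping target lies outside 2602::/24 and carries no embedded IPv4 address at all.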
Hi Mark,
Thanks for this post! I’m setting up a Cisco 2811 router for use with CenturyLink home DSL and found your walkthrough spot on.
One question: on the default ipv6 route, do you need to specify the IPv4 compatible IPv6 address of the CenturyLink BR or would just specifying the Tunnel0 interface suffice? I ask because I have an existing ipv6ip tunnel to Hurricane Electric which is not using 6rd, but I don’t need to specify the HE.net gateway IPv4 compatible IPv6 address, just simply enter a default route out the Tunnel0 interface. For example:
ipv6 route ::/0 Tunnel0
I’m just trying to understand the need under the covers for including that BR IPv6 address.
Thanks!
Andrew
Hi Andrew,
I also have a static 6in4 tunnel to HE on this same router. It took me a while to figure out why the CenturyLink connection wouldn’t work. I believe it has something to do with the dynamic nature of the 6rd encapsulation. When specifying just the interface for the HE static default route, IOS performs IPv6 ND to find the next-hop for a particular destination. Since this is a point-to-point link, all of the ND packets reach the HE gateway, which responds to the ND request. Configuring the same kind of static default route for the CenturyLink connection will cause IOS to generate IPv6 ND packets as above, but since this tunnel isn’t a point-to-point
I don’t buy what I just wrote. I’ll have to look into it deeper. Excellent question…
-Mark
Also, working through this further, it might be helpful to create a general-prefix for internal facing interfaces and subnets:
Router(config)# ipv6 general-prefix MyAssignedPrefix 6rd Tunnel0
Router(config)# interface FastEthernet0/0
Router(config-if)# ipv6 address MyAssignedPrefix 0:0:0:abcd::1/64
(where abcd are internally administered subnets under your control within your home or site)
This would make it easier to change the prefix automatically if you don’t have a static IP address from the ISP.
As yet a 3rd option, does CenturyLink support DHCPv6 Prefix Delegation? This would allow the WAN interface to request the prefix from the ISP via DHCPv6, put that into a general-prefix, and assign sub-prefixes automatically to internal interfaces.
Thanks,
Andrew
Sorry, I got the prefix length wrong in my previous comment. Since CenturyLink uses 2602::/24 (not /16), and the 32 bits from 6rd (IPv4 on WAN interface), then only 8 bits are left for internal subnetting as you mentioned.
The correct command is then:
Router(config-if)# ipv6 address MyAssignedPrefix 0:0:0:00ab::1/64
(where ab are internally administered subnets under your control within your home or site)
Andrew
mark,
for residential customers that obtain a DHCP address, how does this work?
Still trying to figure it out and I can’t ping outside; however, I can contact my router via IPv6 open port tools (I had SSH open). I don’t need to do IPv6 NAT translations, right?
here is what i have configed with my tunnel and such i also enabled ipv6 and ipv6 autoconfig on all interfaces.
ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::
dialer config
interface Dialer1
ip ddns update ccp_ddns1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ppp authentication chap pap callin
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
(omitted chap user /pass)
tunnel config
interface Tunnel2
no ip address
ip access-group BlockIN in
no ip redirects
ip mtu 1492
ipv6 address autoconfig
tunnel source Dialer1
tunnel mode ipv6ip 6rd
tunnel 6rd prefix 2602::/24
tunnel 6rd br 205.171.2.64
prefix commands
ipv6 general-prefix MyPrefix 6rd Tunnel2
fa 0/0
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
ipv6 address MyPrefix ::61:0:0:0:1/64
ipv6 enable
no mop enabled
thats all i have, i can ping the fa 0/0 address
FastEthernet0/0 [up/up]
FE80::21C:58FF:FEEE:D45E
2602:62:7D09:6561::1
FastEthernet0/1 [administratively down/down]
unassigned
ATM0/1/0 [up/up]
FE80::21C:58FF:FEEE:D45E
ATM0/1/0.1 [up/up]
FE80::21C:58FF:FEEE:D45E
Dialer1 [up/up]
FE80::21C:58FF:FEEE:D45E
tunnel 2 does not have an IPV6 address except for link local, should i be worried about that?
Mark, I think you’re out of luck.
RFC 5969 Section 7.1.1 provides DHCPv4 option 212 for your situation. All the CE 6rd config would be taken care of automatically. Unfortunately, the only reference to DHCPv4 option 212 I could find on Cisco’s website is here, and it says IOS does not support that option.
Mark, I’m not sure what I did, but going back and also upgraded to a 2821 I re-evaluated my commands and I’m fully IPv6 ready 🙂