CenturyLink 6rd on Cisco IOS

I have a static IPv4 address from CenturyLink (x.y.z.198). To find my corresponding IPv6 6rd address I need to convert my IPv4 address to hex and append CenturyLink’s 6rd prefix.

My ipv4 address: x.y.z.198
My IPv6 6rd address: XX:YY:ZZ:C6
where XX (in hex)=x (in decimal)

Prepending CenturyLink’s IPv6 6rd prefix (2602::/24) to my 6rd address leaves me with 2602:00XX:YYZZ:C600::

Note that the last two zeros in the 6rd address above are allocated to the customer, giving every CenturyLink customer 256 IPv6 subnets per public IPv4 address (assuming the customer’s IPv6 subnets are all /64s). Since I have an IPv4 /29 from CenturyLink, I could potentially use 256*8=2048 IPv6 /64 subnets. Whoa.

IOS will also need to know the IPv4 address of CenturyLink’s border router (205.171.2.64).

Putting this all into a tunnel interface leaves us with:

interface Tunnel2
 no ip address
 no ip redirects
 ipv6 address 2602:XX:YYZZ:C600::1/64
 tunnel source x.y.z.198
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 2602::/24
 tunnel 6rd br 205.171.2.64
end

NOTE: The CenturyLink border router uses an anycast address. Based on a few traceroutes I’ve found border routers in Kansas City and Los Angeles.

Of course, you can’t ping any IPv6 addresses with this configuration since the router doesn’t know where to send the packets. Adding a static default route to the IPv4-compatible IPv6 address of CenturyLink’s border router will fix that:

ipv6 route ::/0 Tunnel2 ::205.171.2.64 !

EDIT: The default gateway above will get you nowhere.  To find the IPv6  6rd address of CenturyLink’s border router we’ll follow the same process we used above to find our own 6rd address.

Border router IPv4 address: 205.171.2.64
Border router equivalent 6rd address: CD:AB:02:40

Prepending CenturyLink’s IPv6 6rd prefix (2602::/24) to the border router’s 6rd address leaves us with 2602:00CD:AB02:4000::.  I also appended eight zeros (0x00 in hex) to the end to make the address 64 bits long.

Thus, to send all outbound IPv6 traffic to CenturyLink’s 6rd border router, we’ll instead do this:

ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::

Why do you specify the outgoing interface (Tunnel2), you ask?  Because 2602:CD:AB02:4000:: isn’t directly connected to our router.  How else will IOS know which interface to use?

Ok, what if we just specify the interface, and not the next-hop address?  I tried that too, here’s what happens:

vpn(config)#ipv6 route ::/0 tun2
vpn(config)#end
vpn#debug tunn
Tunnel Interface debugging is on
vpn#term mon
vpn#debug ipv6 packet det
IPv6 unicast packet debugging is on
vpn#
vpn#ping 2607:f298:1:130::dcd:e005 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2607:F298:1:130::DCD:E005, timeout is 2 seconds:

Jun 15 18:56:10: IPv6-Fwd: Destination lookup for 2607:F298:1:130::DCD:E005 : i/f=Tunnel2, nexthop=2607:F298:1:130::DCD:E005
Jun 15 18:56:10: IPv6-Sas: SAS picked source 2602:XX:YYZZ:C600::1 for 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:10: IPV6: source 2602:XX:YYZZ:C600::1 (local)
Jun 15 18:56:10: dest 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:10: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
Jun 15 18:56:10: IPv6-Fwd: Sending on Tunnel2
Jun 15 18:56:10: Tunnel2 count tx, adding 20 encap bytes.
Success rate is 0 percent (0/1)
vpn#

It looks like the packets are being sent, but they’re not.  IOS can’t find the next-hop’s L2 address like it can when using a static protocol 41 tunnel to Hurricane Electric. I think it’s because the normal IPv6 ND features don’t work with the automatic encapsulation stuff that 6rd does. Here are the debugs when the default route is configured correctly:

vpn#conf t
vpn(config)#no ipv6 route ::/0 tun2
vpn(config)#ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::
vpn#
vpn#ping 2607:f298:1:130::dcd:e005 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2607:F298:1:130::DCD:E005, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 96/96/96 ms
vpn#
Jun 15 18:56:33: IPv6-Fwd: Destination lookup for 2607:F298:1:130::DCD:E005 : i/f=Tunnel2, nexthop=2602:CD:AB02:4000::
Jun 15 18:56:33: IPv6-Sas: SAS picked source 2602:XX:YYZZ:C600::1 for 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: IPv6-Fwd: nexthop 2602:CD:AB02:4000::,
Jun 15 18:56:33: IPV6: source 2602:XX:YYZZ:C600::1 (local)
Jun 15 18:56:33: dest 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
Jun 15 18:56:33: IPv6-Fwd: Created tmp mtu cache entry for 2602:XX:YYZZ:C600::1 2607:F298:1:130::DCD:E005 00000000
Jun 15 18:56:33: IPv6-Fwd: Sending on Tunnel2
Jun 15 18:56:33: Tunnel2 count tx, adding 20 encap bytes
Jun 15 18:56:33: Tunnel2: IPv6/IP to classify 205.171.2.64->x.y.z.198 (tbl=0,"default" len=120 ttl=247 tos=0x0) ok, oce_rc=0x1
Jun 15 18:56:33: Tunnel2: IPv6/IP (PS) to decaps 205.171.2.64->x.y.z.198 (tbl=0, "default", len=120, ttl=247)
Jun 15 18:56:33: Tunnel2: decapsulated IPv6/IP packet (len 120)
Jun 15 18:56:33: IPv6-Fwd: Destination lookup for 2602:XX:YYZZ:C600::1 : Local, i/f=Tunnel2, nexthop=2602:XX:YYZZ:C600::1
Jun 15 18:56:33: IPV6: source 2607:F298:1:130::DCD:E005 (Tunnel2)
Jun 15 18:56:33: dest 2602:XX:YYZZ:C600::1 (Tunnel2)
Jun 15 18:56:33: traffic class 0, flow 0x0, len 100+20, prot 58, hops 54, forward to ulp
vpn#
vpn#

You can see the tunnel encapsulation happening now, whereas there was no encapsulation before.  Happy pinging.

7 comments

  • Hi Mark,
    Thanks for this post! I’m setting up a Cisco 2811 router for use with CenturyLink home DSL and found your walkthrough spot on.

    One question: on the default ipv6 route, do you need to specify the IPv4 compatible IPv6 address of the CenturyLink BR or would just specifying the Tunnel0 interface suffice? I ask because I have an existing ipv6ip tunnel to Hurricane Electric which is not using 6rd, but I don’t need to specify the HE.net gateway IPv4 compatible IPv6 address, just simply enter a default route out the Tunnel0 interface. For example:

    ipv6 route ::/0 Tunnel0

    I’m just trying to understand the need under the covers for including that BR IPv6 address.

    Thanks!
    Andrew

  • Hi Andrew,

    I also have a static 6in4 tunnel to HE on this same router. It took me a while to figure out why the CenturyLink connection wouldn’t work. I believe it has something to do with the dynamic nature of the 6rd encapsulation. When specifying just the interface for the HE static default route, IOS performs IPv6 ND to find the next-hop for a particular destination. Since this is a point-to-point link, all of the ND packets reach the HE gateway, which responds to the ND request.

    Configuring the same kind of static default route for the CenturyLink connection will cause IOS to generate IPv6 ND packets as above, but since this tunnel isn’t a point-to-point

    I don’t buy what I just wrote. I’ll have to look into it deeper. Excellent question…

    -Mark

  • Also, working through this further, it might be helpful to create a general-prefix for internal facing interfaces and subnets:

    Router(config)# ipv6 general-prefix MyAssignedPrefix 6rd Tunnel0
    Router(config)# interface FastEthernet0/0
    Router(config-if)# ipv6 address MyAssignedPrefix 0:0:0:abcd::1/64
    (where abcd are internally administered subnets under your control within your home or site)

    This would make it easier to change the prefix automatically if you don’t have a static IP address from the ISP.

    As yet a 3rd option, does CenturyLink support DHCPv6 Prefix Delegation? This would allow the WAN interface to request the prefix from the ISP via DHCPv6, put that into a general-prefix, and assign sub-prefixes automatically to internal interfaces.

    Thanks,
    Andrew

  • Sorry, I got the prefix length wrong in my previous comment. Since CenturyLink uses 2602::/24 (not /16), and the 32 bits from 6rd (IPv4 on WAN interface), then only 8 bits are left for internal subnetting as you mentioned.

    The correct command is then:
    Router(config-if)# ipv6 address MyAssignedPrefix 0:0:0:00ab::1/64
    (where ab are internally administered subnets under your control within your home or site)

    Andrew

  • mark,
    for residential customers that obtain a DHCP address, how does this work?

    still trying to figure it out and i cant ping outside, however, i can contact my router via IPV6 open port tools (i had ssh open) i dont need to do ipv6 nat translations right?

    here is what i have configed with my tunnel and such i also enabled ipv6 and ipv6 autoconfig on all interfaces.

    ipv6 route ::/0 Tunnel2 2602:CD:AB02:4000::

    dialer config

    interface Dialer1
    ip ddns update ccp_ddns1
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ipv6 address dhcp
    ipv6 address autoconfig
    ipv6 enable
    ppp authentication chap pap callin
    ppp ipcp dns request accept
    ppp ipcp route default
    ppp ipcp address accept
    no cdp enable
    (omitted chap user /pass)

    tunnel config
    interface Tunnel2
    no ip address
    ip access-group BlockIN in
    no ip redirects
    ip mtu 1492
    ipv6 address autoconfig
    tunnel source Dialer1
    tunnel mode ipv6ip 6rd
    tunnel 6rd prefix 2602::/24
    tunnel 6rd br 205.171.2.64

    prefix commands

    ipv6 general-prefix MyPrefix 6rd Tunnel2

    fa 0/0
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ipv6 address dhcp
    ipv6 address MyPrefix ::61:0:0:0:1/64
    ipv6 enable
    no mop enabled

    thats all i have, i can ping the fa 0/0 address

    FastEthernet0/0 [up/up]
    FE80::21C:58FF:FEEE:D45E
    2602:62:7D09:6561::1
    FastEthernet0/1 [administratively down/down]
    unassigned
    ATM0/1/0 [up/up]
    FE80::21C:58FF:FEEE:D45E
    ATM0/1/0.1 [up/up]
    FE80::21C:58FF:FEEE:D45E
    Dialer1 [up/up]
    FE80::21C:58FF:FEEE:D45E

    tunnel 2 does not have an IPV6 address except for link local, should i be worried about that?

  • Mark, I think you’re out of luck.

    RFC 5969 Section 7.1.1 provides DHCPv4 option 212 for your situation. All the CE 6rd config would be taken care of automatically. Unfortunately, the only reference to DHCPv4 option 212 I could find on Cisco’s website is here, and it says IOS does not support that option.

  • Mark, I’m not sure what i did, but going back and also upgraded to a 2821 i re-evaluated my commands and i’m fully ivp6 ready 🙂

Leave a Reply