In What Every Network Admin Should Know About IPv6, we explore a number of topics that are integral to understanding how IPv6 works (including IPv6 addressing, the Neighbor Discovery Protocol, link-local addresses, IPv6 multicasts, and more).
In this article, we look at how to configure IPv6 on a simple network with Cisco devices.
How to enable IPv6
Turning on IPv6 on a Cisco device is a simple matter.
!
ipv6 unicast-routing
!
This command enables IPv6 on just the device. It establishes an IPv6 routing table, allows you to configure IPv6 addresses on interfaces, and gives you access to the various IPv6 services the device can run.
How to configure interfaces for IPv6
Configuring IPv6 on an interface is similar to configuring IPv4, just with more options for addressing. The simplest option is “autoconfig”.
!
interface GigabitEthernet0/0
 ipv6 address autoconfig
!
In this case, the device uses the IPv6 Neighbor Discovery Protocol to figure out the /64 subnet for the network. Then it uses its own MAC address and a standard algorithm called EUI-64 to create the unique address.
Then, because it’s a really bad thing to have duplicate addresses in any protocol, it uses another standard protocol to ensure the automatically generated address is actually unique.
The trouble with autoconfig is that there has to be a router on the network before neighbor discovery is useful. So usually the network devices need to be deliberately configured with a particular subnet. You can do this while still using the MAC-derived host part for the IPv6 address.
!
interface GigabitEthernet0/0
 ipv6 address ABCD::/64 eui-64
!
And you can also configure the full address by hand, which allows you to specify different host portions for the address as well as potentially different subnet mask lengths.
!
interface GigabitEthernet0/0
 ipv6 address ABCD::1/64
!
Note that I still used a /64 subnet. In general, you’ll want to use /64 subnets for any network that includes end devices like workstations or servers because just about everything uses the EUI-64 algorithm. Don’t fight it.
How to configure IPv6 routing
IPv6 has similar routing options to IPv4. You can configure static routes as well as various dynamic routing protocols such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP). And you can redistribute routes between different routing protocols.
These are very big topics, however. For getting started with IPv6 in a simple network, it’s often sufficient to use static routes.
!
ipv6 route ABCD::/64 ABC0::1
ipv6 route ABCE::/64 ABC1::1
!
The syntax is exactly what you’d expect from IPv4 routing. Traffic to be sent to the prefix (ABCD::/64 in the first example) is forwarded first to the router at ABC0::1.
One interesting option in IPv6 routing is to use link-local addresses for the next hop device. Dynamic routing protocols use link-local next hops automatically, but with static routes you can use either global or link-local addresses.
How to configure IPv6 security
There are a couple of useful IPv6 security options. The first is the Access Control List (ACL), which is similar to an IPv4 ACL. First, configure a named ACL.
!
ipv6 access-list BLOCK-TRAFFIC
 permit ipv6 ABCD::/64 any
 deny ipv6 any any
!
Then apply the ACL to an interface using the “ipv6 traffic-filter” command.
!
interface GigabitEthernet0/0
 ipv6 traffic-filter BLOCK-TRAFFIC in
!
Another useful security feature is RA Guard, which prevents internal IPv6 attacks against the neighbor discovery feature. The concern is that an attacker device could advertise itself as an IPv6 router for the network segment. The attacker could then either disrupt communication or, more subtly, intercept and inspect every packet as it goes by.
!
interface GigabitEthernet0/0
 ipv6 nd raguard attach-policy
!
Apply this command to every interface that connects to an end device, and it will block IPv6 router advertisements from that interface. If the switch itself is the only real router on the segment, then apply this command to all interfaces.
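A check for the rule above, as an added example that is not from the original article: it parses IOS-style configuration text and lists host-facing interfaces that have no “ipv6 nd raguard” line. The sample configuration is constructed, and treating “switchport mode access” as the marker of an end-device port is an assumption; pass your own is_host_port test if your ports are identified differently.

```python
import re

# Constructed sample running-config (not from the original article).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
 ipv6 nd raguard attach-policy
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 ipv6 traffic-filter BLOCK-TRAFFIC in
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(.+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith((" ", "\t")) and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return interfaces

def missing_raguard(config, is_host_port=None):
    """List host-facing interfaces with no 'ipv6 nd raguard' line."""
    # Assumption: 'switchport mode access' marks an end-device port.
    if is_host_port is None:
        is_host_port = lambda cmds: "switchport mode access" in cmds
    return sorted(
        name for name, cmds in parse_interfaces(config).items()
        if is_host_port(cmds)
        and not any(c.startswith("ipv6 nd raguard") for c in cmds)
    )

if __name__ == "__main__":
    for name in missing_raguard(SAMPLE_CONFIG):
        print(f"{name}: host-facing port without RA Guard")
```

In the sample, GigabitEthernet0/3 is reported even though it has an ACL applied, because a traffic filter is a separate control from RA Guard.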
As I’ve shown, IPv6 has a lot of configuration options that are similar to IPv4, and a lot more that are quite different. It has its own complications and its own security problems. But there are also ways that it’s simpler. For example, you can easily make a simple rule that all subnets are /64 address ranges.
Most of your devices are already turning IPv6 on by default, so it makes sense to make your network ready as well. The basic commands we’ve reviewed here are a great start.