World IPv6 Day: Connecting the Enterprise

Jun 8th is less than two weeks away. On that day some of the biggest websites on the Internet (Google, Facebook, Akamai, etc.) will add an AAAA record to their DNS entries, enabling IPv4 and IPv6 simultaneously. Clients with broken IPv6 connectivity will have issues connecting to these sites, ranging from delays to not being able to use them at all. Google estimates that the number of users with problems could be in the range of 0.05%; the list of potential issues is in the ARIN IPv6 Blog.

An easy way of verifying whether our enterprise users will have problems is to test beforehand. There are several websites for testing IPv6 connectivity; I particularly use testipv6.com. Just going to the website will give you a nice result such as this one:

No problems for me on IPv6 day, yay. But what if you do want to connect to the IPv6 Internet? There are several options; I highly recommend taking a look at Ivan Pepelnjak’s Enterprise IPv6 Webinar for a high-level overview of the subject. Since my ISPs don’t seem to provide IPv6 natively, I decided to use a tunnel broker on a test subnet at my enterprise. There are several of them, such as tunnelbroker.net, sixxs.net, or gogo6 (aka freenet6).

I used tunnelbroker from Hurricane Electric and a Cisco 1800 router with IOS 15.1. The router has a public IPv4 address on a WAN interface and a FastEthernet interface on my test subnet. Let’s try it out. The first step is to register at http://www.tunnelbroker.net/register.php

After registration, you will get an email with the password. The main panel has several options; since we want to create a new tunnel, we’ll select “Create regular tunnel”.

Now you’ll have to enter your public IP address and choose which tunnel server you want to connect to.

The tunnel is created and you will get a Routed /64 IPv6 prefix to use on your test subnet; you can request a Routed /48 in case you need more.


In the example configuration tab, there is a drop-down menu with multiple systems such as Windows / Linux / Cisco / etc. This is a great starting point to get a configuration going, for example for a Cisco IOS device:


With the example configuration, we can just copy/paste and have IPv6 connectivity on the router. A simple ping will confirm that the tunnel is working as expected:

IPv6-GW#ping 2001:470:1f08:184c::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F08:184C::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/104/108 ms

Now, to get the users on the IPv6 Internet, we first need to configure the FastEthernet interface of the router with the routed IPv6 prefix and enable IPv6 unicast routing:

IPv6-GW#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IPv6-GW(config)#ipv6 unicast-routing
IPv6-GW(config)#int fa0
IPv6-GW(config-if)#ipv6 address 2001:470:1f09:184c::1/64
IPv6-GW(config-if)#ipv6 nd prefix 2001:470:1f09:184c::/64

With this setup SLAAC works, and end hosts are able to do stateless autoconfiguration since we are announcing our /64 prefix on the subnet. We can see our neighbors using the command sh ipv6 neighbors:

IPv6-GW#sh ipv6 neighbors | e FE
IPv6 Address                              Age Link-layer Addr State Interface
2001:470:1F09:184C:7573:5C7E:6297:E0D1      16 001b.2124.1640  STALE Fa0
2001:470:1F09:184C:2CA6:7182:AF39:E807       3 d8d3.85b2.a98a  STALE Fa0
2001:470:1F09:184C:110:430A:3981:FAA5        4 0050.56b4.42dd  STALE Fa0
2001:470:1F09:184C:ADE5:FA76:7A09:4BBE       0 001d.609c.2e28  DELAY Fa0
2001:470:1F09:184C:3C3F:C462:1F93:6712      13 000c.2992.7428  STALE Fa0

You might be asking yourselves, is this it? Well, let’s test it out by pinging ipv6.google.com:

C:\>ping ipv6.google.com
Ping request could not find host ipv6.google.com. Please check the name and try
again.

It seems my corporate DNS servers do not have IPv6 capabilities, so we need to push an IPv6 DNS server to the clients:

IPv6-GW# conf t
IPv6-GW(config)# ipv6 dhcp pool DHCP_POOL
IPv6-GW(config-dhcp)# dns-server 2001:470:20::2
IPv6-GW(config-dhcp)# domain-name foo.bar
IPv6-GW(config-dhcp)# int fa0
IPv6-GW(config-if)# ipv6 dhcp server DHCP_POOL
IPv6-GW(config-if)# ipv6 nd other-config-flag

The ipv6 nd other-config-flag command enables the “Other configuration” flag in the router advertisements sent on the interface. From the RFC:

When set, it indicates that other configuration information is available via DHCPv6. Examples of such information are DNS-related information or information on other servers within the network.

Let’s test the client again, this time on the website:

That’s it: anyone on my test subnet with SLAAC enabled will have transparent IPv6 connectivity. A recommended next step would be to deploy a security solution (ACLs/IOS FW/etc.) to ensure no evil IPv6 hackers are able to reach your new and shiny IPv6-enabled end hosts. Also, don’t be shy: even if you don’t have a test subnet, you can try this out from a single device; just make sure to configure your router to forward protocol 41 (IPv6 encapsulation) to your private IP.
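
One way to act on the ACL recommendation above, as an added example that is not configuration from the original post: a reflexive IPv6 ACL pair on the tunnel, so hosts in the routed /64 can open connections outward while unsolicited inbound traffic is dropped and logged. It assumes the Hurricane Electric tunnel is interface Tunnel0 (the tunnel configuration is not shown on this page); the ACL names are made up for illustration.

```cisco
! Added example. Assumptions: tunnel interface is Tunnel0; ACL names
! V6-TO-INTERNET, V6-FROM-INTERNET and V6-RETURN are illustrative.
!
! Outbound: only the routed /64 may leave through the tunnel, and every
! flow it opens is recorded in the reflexive list V6-RETURN.
ipv6 access-list V6-TO-INTERNET
 permit ipv6 2001:470:1F09:184C::/64 any reflect V6-RETURN
!
! Inbound: ICMPv6 errors that path MTU discovery and troubleshooting
! depend on, echo replies for pings sent by the router itself, neighbor
! discovery (permitted implicitly by IOS only until an explicit deny is
! added), return traffic for flows opened from inside, then drop and log.
ipv6 access-list V6-FROM-INTERNET
 permit icmp any any packet-too-big
 permit icmp any any destination-unreachable
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any echo-reply
 permit icmp any any nd-ns
 permit icmp any any nd-na
 evaluate V6-RETURN
 deny ipv6 any any log
!
interface Tunnel0
 ipv6 traffic-filter V6-TO-INTERNET out
 ipv6 traffic-filter V6-FROM-INTERNET in
```

After applying it, show ipv6 access-list displays the per-entry match counters, which makes it easy to confirm that return traffic is hitting the evaluate entry and to see what the final deny is catching.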

What have you been doing for the World IPv6 Day?

More info

ARIN Customer problems that could occur
ARIN Troubleshoot IPv6 Issues
IPv6 Training
June 8th: the day your phone won’t stop ringing
World IPv6 Day: What should you do?
KAME (The dancing turtle)
Initialdraft on IPv6

Jose Leitao

Jose has been working in the IT industry for the last 10 years. He holds the following certifications: CCNP, CCIP, CCDP, CCNA, CCDA, CCAI, HP AIS Procurve Networking, HP ASE Procurve Campus LANs, and JNCIA-Junos, and he is currently preparing for the CCIE R&S Lab.

Creative Commons License
The World IPv6 Day: Connecting the Enterprise by CCIE Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
