Methods of Assigning an IPv6 Address to a Customer Router
A router residing at a customer’s location (often referred to as customer premises equipment [CPE]) needing to connect with an ISP using IPv6 can obtain an IPv6 address in a variety of ways:
■ Manual configuration: An ISP could provide an IPv6 address to its customer and instruct the customer to manually configure that IPv6 address on its router’s Internet-facing interface.
■ Stateless Address Autoconfiguration (SLAAC): With SLAAC, an ISP router could send Router Advertisements (RA), which advertise an IPv6 prefix, on the link connecting to a customer router. The customer router could then take the advertised prefix and fill in the remainder of the IPv6 address by either randomly selecting those bits or by using the EUI-64 process.
■ Stateless DHCPv6: If a router needs more IPv6 information than just an IPv6 address, it might benefit from a stateless DHCPv6 configuration. With this approach, a router obtains an IPv6 address using SLAAC. However, the RA has the other-config-flag set, which tells the router to check with a DHCP server to obtain additional IPv6 information (for example, the address of a Domain Name System [DNS] server). Because the router’s IPv6 address was obtained through SLAAC, the DHCPv6 server does not keep track of IPv6 address assignment.
■ Stateful DHCPv6: While stateless DHCPv6 allowed a router (or other device) to obtain an IPv6 address through SLAAC and set the other-config-flag instructing the router to learn additional IPv6 configuration information from a DHCPv6 server, stateful DHCPv6 sets the managed-config-flag to instruct the router to obtain its IPv6 address (along with other IPv6 configuration information) from a DHCPv6 server. Therefore, with stateful DHCPv6, a DHCPv6 server does keep track of IPv6 address assignment.
■ DHCPv6 Prefix Delegation (DHCPv6-PD): Rather than assigning a single IPv6 address to a router, DHCPv6-PD allows a DHCPv6 server to assign a collection of IPv6 networks to the router (or other DHCPv6 client). A router could then assign those different IPv6 networks to its various interfaces.
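The RA flags and the EUI-64 process described in the list above, as an added example that is not part of the original page: it decodes the managed-config and other-config flags from a Router Advertisement to tell which method the CPE will use, and derives the EUI-64 address from an advertised prefix. The function names, the sample RA bytes and the MAC address are constructed for illustration.

```python
import ipaddress
import struct

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build a SLAAC address from a /64 prefix and a MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if net.prefixlen != 64 or len(b) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    b[0] ^= 0x02                                       # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])    # insert FFFE in the middle
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def parse_ra(icmp: bytes) -> dict:
    """Decode M/O flags and Prefix Information options from an ICMPv6 RA."""
    if len(icmp) < 16 or icmp[0] != 134:               # 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    managed, other = bool(icmp[5] & 0x80), bool(icmp[5] & 0x40)
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:            # Prefix Information option
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            autonomous = bool(icmp[off + 3] & 0x40)    # A flag: prefix usable for SLAAC
            prefixes.append((f"{prefix}/{icmp[off + 2]}", autonomous))
        off += opt_len
    if managed:
        method = "stateful DHCPv6"
    elif other:
        method = "stateless DHCPv6"
    else:
        method = "SLAAC"
    return {"managed": managed, "other": other, "method": method, "prefixes": prefixes}

# Constructed sample RA: other-config-flag set, one /64 prefix with the A flag.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:0:1::").packed
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra["method"], ra["prefixes"])
    print(eui64_address(ra["prefixes"][0][0], "00:1a:2b:3c:4d:5e"))
```

The EUI-64 result carries the interface MAC address in its low 64 bits, which is the difference from the randomly selected interface identifier mentioned above.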
Manual Configuration of IPv6 Address and Default Route
Manually configuring a CPE router to point to an IPv6-speaking ISP router is a fairly simple process, involving only two steps:
Step 1. Configure the ISP-provided IPv6 address on a CPE router’s Internet-facing interface with the ipv6 address ipv6_address/prefix_length command in interface configuration mode.
Step 2. Statically configure a default route pointing to the IPv6 address of the next-hop ISP router, using the ipv6 route ::/0 next_hop_ipv6_address command in global configuration mode.
IPv6 ACL
For basic information, refer to http://frankfu.click/cisco/ccna/access-control-list-part2.html
IPv6 security concerns:
- The neighbor discovery process is vulnerable to man-in-the-middle attacks.
- NAT is no longer used in IPv6, so internal devices are visible to the outside.
To mitigate such threats, Cisco recommends protecting an enterprise network with a stateful firewall. Additionally, IPv6 protocols should be hardened by disabling any unnecessary functions or services and tweaking any suboptimal default settings.
BGP support for IPv6
Multiprotocol BGP (MP-BGP) allows BGP to support multiple address types. This update consists of a set of multiprotocol extensions added to BGP-4.
MP-BGP allows you to consolidate a variety of protocol types under a single BGP configuration. These protocol types are called address families and include (as just a few examples):
■ Unicast IPv4
■ Multicast IPv4
■ Unicast IPv6
■ Multicast IPv6
MP-BGP contains several new elements and features not found in BGP-4, including:
- Address Family Identifier (AFI): Specifies the type of address being used by an Address Family.
- Subsequent Address Family Identifier (SAFI): Provides additional address family information for some address families.
- Multiprotocol Reachable Network Layer Reachability Information (MP_REACH_NLRI): An attribute that transports a collection of reachable networks, along with next-hop information.
- Multiprotocol Unreachable Network Layer Reachability Information (MP_UNREACH_NLRI): An attribute that transports a collection of unreachable networks (used to indicate that specific previously reachable networks are no longer reachable).
- BGP Capabilities Advertisement: Used by a router to tell a neighboring router its BGP capabilities—used during BGP session negotiation.
The steps to configure IPv6 routing over an IPv4 BGP session are as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing command, in global configuration mode.
Step 2. Create a route map by issuing the route-map route_map_name command, in global configuration mode.
Step 3. Specify the IPv6 address of the router’s interface connecting to a neighbor as a next-hop IPv6 address, using the set ipv6 next-hop ipv6_address command, in route map configuration mode.
Step 4. Define the BGP autonomous system with the router bgp as-number command, in global configuration mode.
Step 5. Define an IPv4 BGP neighbor with the neighbor neighbor’s_ipv4_address remote-as command, in router configuration mode.
Step 6. Enter address family configuration mode for the IPv4 address family with the address-family ipv4 command, in router configuration mode.
Step 7. Specify which interfaces will participate in the IPv4 address family by issuing one or more network ipv4_network_address [mask subnet_mask] commands, in IPv4 address family configuration mode. (Note: The neighbor neighbor’s_ipv4_address activate command is automatically entered for you in IPv4 address family configuration mode.)
Step 8. Exit IPv4 address family configuration mode with the exit-address-family command, in IPv4 address family configuration mode.
Step 9. Enter address family configuration mode for the IPv6 address family with the address-family ipv6 command, in router configuration mode.
Step 10. Specify which interfaces will participate in the IPv6 address family by issuing one or more network ipv6_network_address/prefix-length commands, in IPv6 address family configuration mode.
Step 11. Activate the BGP neighbor for the IPv6 address family with the neighbor neighbor’s_ipv4_address activate command, in IPv6 address family configuration mode.
Step 12. Associate the previously configured route map (which specifies the next-hop IPv6 address to advertise to a neighbor) with the neighbor using the neighbor neighbor_ipv4_address route-map route_map_name out command, in IPv6 address family configuration mode.
Verify
- show ipv6 route
- show bgp ipv6 unicast [summary]
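The MP_REACH_NLRI attribute listed earlier is where the next hop set by the route map in steps 2, 3 and 12 ends up on the wire. The following added example (not from the original page) decodes an IPv6 unicast MP_REACH_NLRI value laid out as in RFC 4760 and reports whether the next hop is a usable IPv6 address. The function names and sample addresses are constructed; the check for an IPv4-mapped next hop (::ffff:a.b.c.d) reflects what IOS commonly advertises when that route map is missing.

```python
import ipaddress

AFI = {1: "IPv4", 2: "IPv6"}
SAFI = {1: "unicast", 2: "multicast"}

def parse_mp_reach(value: bytes) -> dict:
    """Decode the value of an MP_REACH_NLRI path attribute (RFC 4760 layout)."""
    if len(value) < 5:
        raise ValueError("attribute too short")
    afi = int.from_bytes(value[0:2], "big")
    safi, nh_len = value[2], value[3]
    if afi != 2 or nh_len not in (16, 32) or len(value) < 5 + nh_len:
        raise ValueError("this example only decodes IPv6 with a 16/32-byte next hop")
    nh_raw = value[4:4 + nh_len]               # global address, optionally link-local
    next_hops = [ipaddress.IPv6Address(nh_raw[i:i + 16]) for i in range(0, nh_len, 16)]
    off = 4 + nh_len + 1                       # skip the reserved octet
    prefixes = []
    while off < len(value):
        bits = value[off]
        nbytes = (bits + 7) // 8               # prefix is padded to a whole octet
        if bits > 128 or off + 1 + nbytes > len(value):
            raise ValueError("malformed NLRI")
        raw = value[off + 1:off + 1 + nbytes].ljust(16, b"\x00")
        prefixes.append(ipaddress.IPv6Network((raw, bits), strict=False))
        off += 1 + nbytes
    return {
        "family": f"{AFI.get(afi, afi)} {SAFI.get(safi, safi)}",
        "next_hops": next_hops,
        "prefixes": prefixes,
        # An IPv4-mapped next hop is not a usable IPv6 forwarding address.
        "usable_next_hop": next_hops[0].ipv4_mapped is None,
    }

def build_mp_reach(next_hop: str, prefixes: list) -> bytes:
    """Build a constructed IPv6 unicast MP_REACH_NLRI value to feed the parser."""
    out = b"\x00\x02\x01\x10" + ipaddress.IPv6Address(next_hop).packed + b"\x00"
    for p in map(ipaddress.IPv6Network, prefixes):
        out += bytes([p.prefixlen]) + p.network_address.packed[:(p.prefixlen + 7) // 8]
    return out

if __name__ == "__main__":
    nets = ["2001:db8:100::/48", "2001:db8:200:1::/64"]
    for nh in ("2001:db8:12::1", "::ffff:10.1.1.1"):   # with and without the route map
        print(parse_mp_reach(build_mp_reach(nh, nets)))
```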
IPv6 routing over an IPv6 BGP session
You can create an IPv6 BGP session between two routers and then advertise IPv6 networks over that session. If you also needed to advertise IPv4 networks, you could do so by creating an additional BGP routing process, using an IPv4 BGP session, just for the handling of IPv4 networks.
The steps to configure IPv6 routing over an IPv6 BGP session are as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing command, in global configuration mode.
Step 2. Define the BGP autonomous system with the router bgp as-number command, in global configuration mode.
Step 3. Define an IPv6 BGP neighbor with the neighbor neighbor’s_ipv6_address remote-as command, in router configuration mode.
Step 4. Enter address family configuration mode for the IPv6 address family with the address-family ipv6 command, in router configuration mode.
Step 5. Specify which interfaces will participate in the IPv6 address family by issuing one or more network ipv6_network_address/prefix-length commands, in IPv6 address family configuration mode.
Step 6. Activate the BGP neighbor for the IPv6 address family with the neighbor neighbor’s_ipv6_address activate command, in IPv6 address family configuration mode.
Note: Unlike the configuration for IPv6 routing over an IPv4 BGP session, the configuration for IPv6 routing over an IPv6 session does not require the configuration of a route map to specify a next-hop IPv6 address. This step is not required, because the neighbors are configured with one another’s IPv6 addresses. Therefore, they know the appropriate next-hop IPv6 address to associate with IPv6 route updates received from a neighbor.
IPv4 BGP session vs. dual sessions
Single IPv4 BGP session:
- Fewer neighborships are formed.
- When sending IPv6 route information over the IPv4 BGP session, you need to create a route map to modify the Next-Hop BGP attribute.
Dual (IPv4/IPv6) BGP sessions:
- More neighborships must be configured.
- You do not need to configure a route map to modify the Next-Hop BGP attribute.
Filtering IPv6 Routes with Prefix Lists
The Cisco IOS implementation of MP-BGP allows you to filter IPv6 routes in much the same way that you filtered IPv4 routes.
Specifically, you can filter IPv6 routes using prefix lists, filter lists, and route maps.
The order in which the filtering applies to IPv6 routes:
Order of operations for ingress IPv6 BGP route filtering:
- Inbound route map
- Inbound filter list
- Inbound prefix list
Order of operations for egress IPv6 BGP route filtering:
- Outbound prefix list
- Outbound filter list
- Outbound route map
Syntax:
Router(config)# ipv6 prefix-list list_name seq number permit ipv6_prefix/length
Router(config)# router bgp as_number
Router(config-router)# address-family ipv6
Router(config-router-af)# neighbor ip_address prefix-list list_name {out | in}
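How a list written with the syntax above decides on a route, as an added example that is not part of the original page: it evaluates entries in sequence order, stops at the first match and falls through to the implicit deny. The list name CUSTOMER-IN, the prefixes and the function names are constructed; the optional ge and le keywords are IOS prefix-list options that the syntax line above does not show.

```python
import ipaddress
import re

ENTRY = re.compile(
    r"ipv6 prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def load_prefix_list(config: str) -> list:
    """Parse 'ipv6 prefix-list' lines into entries sorted by sequence number."""
    entries = []
    for line in config.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        _name, seq, action, prefix, ge, le = m.groups()
        net = ipaddress.IPv6Network(prefix)
        # Without ge/le an entry matches that exact prefix length only.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (128 if ge else net.prefixlen)
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries: list, route: str) -> str:
    """Return 'permit' or 'deny'; first match wins, implicit deny at the end."""
    r = ipaddress.IPv6Network(route)
    for _seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"

# Constructed sample list: one exact /48, one /48 that also allows up to /56.
SAMPLE_LIST = """
ipv6 prefix-list CUSTOMER-IN seq 10 permit 2001:db8:200::/48 le 56
ipv6 prefix-list CUSTOMER-IN seq 5 permit 2001:db8:100::/48
"""

if __name__ == "__main__":
    rules = load_prefix_list(SAMPLE_LIST)
    for route in ("2001:db8:100::/48", "2001:db8:100:1::/64",
                  "2001:db8:200:100::/56", "2001:db8:300::/48"):
        print(route, evaluate(rules, route))
```

The second route is a more-specific of a permitted /48 and is still denied, because an entry without ge or le matches only the exact prefix length.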
Using Local Preference for IPv6 Path Selection
Router(config)# route-map name
Router(config-route-map)# set local-preference number