cholzhauer
« Reply #15 on: December 18, 2009, 07:21:38 am »

I haven't worked with an Airport extreme, so I wouldn't even know where to start, sorry.

jimb
« Reply #16 on: December 18, 2009, 02:00:42 pm »

I'm getting an IPv6 address assigned to a Mac running OS X Snow Leopard server that is connected to the LAN via ethernet. The OS X clients that connect to the LAN via 802.11n Airport Express WiFi access points are not getting IPv6 addresses. This Airport Express is set up for bridging mode. It doesn't do NAT or any routing. Any suggestions on how to configure the AirPort so that WiFi clients can pass IPv6 traffic to/from the Cisco 87x router?
That's odd. If it's doing simple bridging to the LAN, it should just work. Are you sure it's bridging the traffic and not routing? Are there any settings on the Airports which restrict multicasts, or some type of layer 2 firewall? If so, turn that off. I have IPv6 going on two wifi networks using two diff linksys access points (wap54g and a wrt610n [set up as a bridge]), and it works fine for me.

cholzhauer
« Reply #17 on: December 18, 2009, 08:22:27 pm »

I'm running ipv6 over a Procurve access point without any problems. My boss says that the Airports are supposed to support it... I'll get a chance to look at one this week... if you still have the problem, I'll post back then.

jimb
« Reply #18 on: December 19, 2009, 03:26:56 am »

Yeah. As long as the Wifi box isn't routing, and is just bridging, IPv6 should be no issue. Shouldn't have to "support" it. It just has to not actively block it.  I wonder if it's doing something dumb like dropping packets with the IPv6 ethertype (0x86DD)?

derby
« Reply #19 on: December 20, 2009, 08:39:40 pm »

The Apple Airport Express, under the "Advanced" settings has an IPv6 tab where you can choose:
- Link-local only
- Node
- Tunnel

I've chosen Link-local only hoping that would result in IPv6 traffic just moving through as a bridge connection to the Cisco 871W. Of course Apple has little documentation on what these settings actually do (or I don't know where to find the documentation). Someone at this web site http://newsgroups.derkeiler.com/Archive/Uk/uk.comp.sys.mac/2008-01/msg03804.html claims that

The "Link-local only" setting means that IPv6 can only be used between computers on your local network, and IPv6 traffic will not pass through the Airport Extreme to or from the Internet. All attempted outgoing or incoming IPv6 traffic will be completely blocked.

Anyone successfully passing IPv6 bridged traffic through an Apple Airport Express?

jimb
« Reply #20 on: December 21, 2009, 01:10:09 am »

Node sounds like what you want. Probably just means it'll bridge IPv6, and configure itself for an IPv6 address also (management).
You might also want to look into making sure it's running the latest firmware in case there's some bug.

derby
« Reply #21 on: January 16, 2010, 02:41:43 pm »

After a break, I'm still trying to get IPV6 to work. Seems that RA is not working from the CISCO 871W. None of the Mac OS X Snow Leopard clients are picking up IPv6 addresses. Here are some details:

The version of IOS on the Cisco 871W:

Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version 12.4(12.13)T, INTERIM SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 20-Jan-07 01:55 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE

The ipv6 related settings:

ipv6 unicast-routing

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:7:444::2/64
 ipv6 enable
 tunnel source 208.37.xx.yy
 tunnel destination 216.66.22.2
 tunnel mode ipv6ip

interface BVI1
 ip address 10.6.18.204 255.255.255.0
 ip access-group 199 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ipv6 address 2001:470:8:444::1/64
 ipv6 enable

ipv6 route ::/0 Tunnel0

And if I ssh to the router, I can successfully ping the other side of the tunnel:

cisco#ping ipv6 2001:470:7:444::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:7:444::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
cisco#ping ipv6 2001:470:8:444::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:8:444::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
cisco#

Anyone see anything amiss in my settings? Two of the Macs are hardwired to the same subnet as the CISCO. One Mac is connected via an Airport Express, 802.11n with IPv6 set to "Node". None of the 3 self assign an IPv6 address.

jimb
« Reply #22 on: January 16, 2010, 07:22:03 pm »

Maybe on that particular version of IOS you have to turn on RA? Try "ipv6 ?" and poke around. 

cholzhauer
« Reply #23 on: January 17, 2010, 07:39:07 am »

Maybe you missed it in the copy and paste segment, but somewhere you need to tell the router what prefix to announce.

derby
« Reply #24 on: January 17, 2010, 08:23:47 am »

On the Cisco 871W the LAN connections are grouped together as BVI1. Here is what IOS reports for ipv6 for BVI1:

cisco# show ipv6 interface BVI1
BVI1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::216:C8FF:FE31:39F9
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:470:8:444::1, subnet is 2001:470:8:444::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF31:39F9
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.

The tunnel interface details from IOS:

cisco#show ipv6 interface Tunnel0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::D025:63E3
  No Virtual link-local address(es):
  Description: Hurricane Electric IPv6 Tunnel Broker
  Global unicast address(es):
    2001:470:7:444::2, subnet is 2001:470:7:444::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF25:63E3
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.

And here are the IPV6 routes reported by the 871:

cisco#show ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via ::, Tunnel0
C   2001:470:7:444::/64 [0/0]
     via ::, Tunnel0
L   2001:470:7:444::2/128 [0/0]
     via ::, Tunnel0
C   2001:470:8:444::/64 [0/0]
     via ::, BVI1
L   2001:470:8:444::1/128 [0/0]
     via ::, BVI1
L   FF00::/8 [0/0]
     via ::, Null0

The Cisco web site documentation that I've found on their web site claims RA is automatic. I don't see an IOS command to explicitly cause RA to occur or I would add it. I suspect there is something missing that "binds" the 4 LAN ports grouped as Interface BVI1 together to the IPV6 Tunnel. But I am totally new to IPV6 and am trying to learn, time permitting. I'm sure I've messed up some fundamental setting that is keeping this from working.
« Last Edit: January 17, 2010, 08:29:20 am by derby »
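
Two theories are raised in the replies above: that the bridge drops frames with the IPv6 ethertype (Reply #18), and that the router sends no Router Advertisement carrying a prefix (Replies #21 to #24). Both can be checked by classifying frames captured on a client behind the access point. This is an added example, not code from any poster; the function names are hypothetical and the sample frame is constructed from the BVI1 link-local address and prefix shown in Reply #24.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD  # ethertype a bridge must forward for IPv6 to pass
ICMPV6_RA = 134          # Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option inside an RA

def classify_frame(frame: bytes) -> dict:
    """Classify one untagged Ethernet II frame captured on the client side."""
    if len(frame) < 14:
        return {"kind": "truncated"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        return {"kind": "not-ipv6", "ethertype": hex(ethertype)}
    ip6 = frame[14:]
    if len(ip6) < 40:
        return {"kind": "truncated"}
    next_header, hop_limit = ip6[6], ip6[7]
    payload = ip6[40:40 + struct.unpack("!H", ip6[4:6])[0]]
    # RAs carry ICMPv6 (58) right after the fixed header; extension headers are not walked.
    if next_header != 58 or len(payload) < 16 or payload[0] != ICMPV6_RA:
        return {"kind": "ipv6-other"}
    result = {"kind": "router-advertisement",
              "router": str(ipaddress.IPv6Address(ip6[8:24])),
              "hop_limit_ok": hop_limit == 255,  # hosts discard RAs with any other hop limit
              "prefixes": []}
    opts = payload[16:]  # options follow the 16-byte RA header
    while len(opts) >= 8:
        opt_type, opt_len = opts[0], opts[1] * 8  # length field counts 8-octet units
        if opt_len == 0 or opt_len > len(opts):
            break  # malformed option, stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Network((opts[16:32], opts[2]), strict=False)
            # A flag (0x40): hosts may build a SLAAC address from this prefix
            result["prefixes"].append({"prefix": str(net),
                                       "autonomous": bool(opts[3] & 0x40)})
        opts = opts[opt_len:]
    return result

def build_sample_ra(router_ll: str, prefix: str = None, plen: int = 64) -> bytes:
    """Constructed sample RA to ff02::1 (checksum left zero, lifetimes are sample values)."""
    pio = b""
    if prefix is not None:
        pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                          2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + pio
    ip6 = (struct.pack("!IHBB", 0x60000000, len(ra), 58, 255)
           + ipaddress.IPv6Address(router_ll).packed
           + ipaddress.IPv6Address("ff02::1").packed)
    eth = (bytes.fromhex("333300000001") + bytes.fromhex("0016c83139f9")
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + ra

if __name__ == "__main__":
    print(classify_frame(build_sample_ra("fe80::216:c8ff:fe31:39f9", "2001:470:8:444::")))
    print(classify_frame(build_sample_ra("fe80::216:c8ff:fe31:39f9")))  # RA without a prefix
```

Run over frames from a capture on a wireless client: no IPv6 frames at all points at the bridge, while Router Advertisements with an empty prefix list point at the router configuration.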

HobbesIE
« Reply #25 on: January 17, 2010, 09:03:56 am »

I have a cisco 871w and am just coming to grips with a HE tunnel as well at the moment. I read somewhere online (can't recall where) that you can't put your IPv6 config in the BVI1 interface, that it has to be in either your vlan or dot11radio sub interface... here's my ios config, which is working...:

service password-encryption
hostname abc.local
enable secret xxxxxx
enable password xxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
 password xxxxxx
line vty 0 4
 password xxxxxx
username admin privilege 15 password xxxxxx

snmp-server location A
snmp-server contact B
snmp-server community xxxxxx RO

logging buffered 4096 debugging

ip domain name abc.local
ip name-server 216.146.35.35
ip name-server 216.146.36.36
ip name-server 2001:470:20::2
ntp server time.windows.com

ip ddns update method tunnelbroker
 HTTP
  add http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  remove http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  exit
 interval maximum 0 1 0 0
 interval minimum 0 0 30 0
 exit

ip dhcp excluded-address 192.168.2.1 192.168.2.99
service dhcp
ip dhcp pool Internal-net
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 import all
 domain-name abc.local
 lease 4
 dns-server 216.146.35.35 216.146.36.36

ipv6 dhcp pool test
 dns-server 2001:470:20::2
 domain-name abc.local
 prefix-delegation pool test lifetime 3600 3600

access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload

interface FastEthernet4
 ip address 192.168.1.1 255.255.255.0
 ip tcp adjust-mss 1460
 ip nat outside
 no cdp enable
 ip ddns update tunnelbroker
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ipv6 unicast-routing
interface FastEthernet0
 spanning-tree portfast
interface FastEthernet1
 spanning-tree portfast
interface FastEthernet2
 spanning-tree portfast
interface FastEthernet3
 spanning-tree portfast
bridge irb
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 ssid cisco871w
  vlan 1
  authentication open
  infrastructure-ssid
  authentication key-management wpa
  guest-mode
  wpa-psk ascii xxxxxxx
 channel 1

interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding

interface Vlan1
 description Internal Network
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
 ipv6 address 2001:470:xxxx:xxx::/64 eui-64
 ipv6 rip 1 enable
 ipv6 dhcp server test

interface BVI1
 description Bridge to Internal Network
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
bridge 1 route ip

interface tunnel 0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:xxxx:xxx::2/64
 tunnel source 192.168.1.1
 tunnel destination 216.66.80.26
 tunnel mode ipv6ip
ipv6 route ::/0 tunnel 0

int f0
 no shut
int f1
 no shut
int f2
 no shut
int f3
 no shut
int f4
 no shut
int dot11Radio 0
 no shut
int dot11Radio 0.1
 no shut
router rip
 network 192.168.1.0
 network 192.168.2.0
 version 2
interface vlan 1
 ip split-horizon

derby
« Reply #26 on: January 18, 2010, 04:22:02 am »

HobbesIE,
Thank you! This is a HUGE help. I can see a number of places where your working config differs from my non-working config. For starts, you are tunneling from HE to your LAN IP address. I'm tunneling from HE to my WAN IP address, so that is probably why my LAN clients can't get to the tunnel.
I'll redo my config following your approach and see how it goes. Is your configuration working completely? You implied in your posting, "coming to grips with an HE tunnel", that maybe all isn't working as you expect?
Paul

HobbesIE
« Reply #27 on: January 18, 2010, 05:26:43 am »

Hi there - glad if I am any help! Regarding the tunnel end points - my cisco is behind a netopia cayman router which is my DSL modem - so the tunnel endpoint address from the cisco's perspective is the lan ipv4 address given to it by the netopia. I have to use another means to let HE know what my wan ipv4 address is, which is why I am experimenting with using the dynamic dns update function of the cisco & hurricane electric to keep HE updated as to my WAN IPv4 address:

ip ddns update method tunnelbroker
 HTTP
  add http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  remove http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  exit
 interval maximum 0 1 0 0
 interval minimum 0 0 30 0
 exit

Just have a look at: http://ipv4.tunnelbroker.net/ipv4_end.php for details of how to form up your details here if necessary - you have to calculate the hash versions of your password etc.

A problem I'm currently experiencing is that while my LAN clients are getting an IPv6 address and are able to route in & out no problem, at present they are not getting their dns server assigned over dhcpv6.... It's no huge problem if the clients run as dual stack - they can just do their dns lookup over ipv4... but I would prefer to be able to run ipv6 single stack, and not have to manually type the dnsv6 address into each lan client.

The other problem I'm experiencing is setting an IPv6 address to the dot11radio0.1 interface - any time I type one in, it claims that I am conflicting with the address already assigned to vlan1... I suspect I need to investigate this further!

jimb
« Reply #28 on: January 18, 2010, 03:19:16 pm »

If your wireless and ethernet interfaces are bridged together, and part of vlan 1, shouldn't all your inside IPv4 and IPv6 addresses logically be on the vlan1 interface?
Is dhcpv6 actually handing out the DNS servers? Do you think the client OS is just ignoring this component?
Also, why are you NATing if you're behind a Netopia which is presumably doing NAT for you?
« Last Edit: January 18, 2010, 03:21:37 pm by jimb »

derby
« Reply #29 on: January 18, 2010, 04:23:15 pm »

Well, I'm getting closer to this working, I think. Using HobbesIE's sample IOS file as a guide I made changes to my IOS. I was unable to get a tunnel to work from my LAN IP address to Hurricane Electric. I was able to ping ipv6 the tunnel server's ipV6 address from the Cisco 871w if I use my WAN address in the tunnel, not the LAN address. So I am using the WAN address for the client address on the tunnel.

Mac clients are now getting ipV6 addresses assigned automatically on both the wireless Airport Express connections and Ethernet connections.... hooray! But there are routing issues. I can't ping6 either ipv6.google.com or 2001:470:7:444::1 from a Mac client. Probably getting from the LAN side to the WAN side. I'm really not too good at IOS and rusty with the little knowledge I have.

Here's most of my Cisco config file. Anyone see anything obviously wrong here?

cisco#wr t
Building configuration...

Current configuration : 8808 bytes
!
! Last configuration change at 18:30:07 EST Mon Jan 18 2010 by pderby
! NVRAM config last updated at 18:30:16 EST Mon Jan 18 2010 by pderby
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot system flash:c870-adventerprisek9-mz.124-12.13.T
boot system flash:c870-advsecurityk9-mz.124-9.T.bin
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$VQ9E$XXN/SDUM5go21JJDIQR2m.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network vpngroup local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.6.18.1 10.6.18.20
ip dhcp excluded-address 10.6.18.1 10.6.18.25
!
ip dhcp pool dhcppool
 network 10.6.18.0 255.255.255.0
 dns-server 10.6.18.7 10.6.18.201
 default-router 10.6.18.204
!
!
!
no ip bootp server
ip domain name test.com
ip name-server 10.6.18.201
ip name-server 207.155.183.72
ipv6 unicast-routing
ipv6 dhcp pool test
 prefix-delegation pool test lifetime 3600 3600
 dns-server 2001:470:20::2
 domain-name abc.local
!
!
multilink bundle-name authenticated
!
archive
 log config
!
!
!
!
!
bridge irb
!
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:xxx:yyy::2/64
 ipv6 enable
 tunnel source aaa.bbb.ccc.ddd
 tunnel destination 216.66.22.2
 tunnel mode ipv6ip
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 ip address aaa.bbb.ccc.ddd 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap
!
interface Dot11Radio0
 no ip address
 !
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 ipv6 address 2001:470:8:444::/64 eui-64
 ipv6 dhcp server test
 ipv6 rip 1 enable
 bridge-group 1
!
interface BVI1
 ip address 10.6.18.204 255.255.255.0
 ip access-group 199 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool clientpool 192.168.106.1 192.168.106.6
ip route 0.0.0.0 0.0.0.0 208.37.99.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 10.6.18.204 5190 interface FastEthernet4 5190
ip nat inside source route-map natmap interface FastEthernet4 overload
!
ip access-list extended nat
 deny ip 10.6.18.0 0.0.0.255 192.168.106.0 0.0.0.7
 permit ip 10.6.18.0 0.0.0.255 any
ip access-list extended split
 permit ip 10.6.18.0 0.0.0.255 192.168.106.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.6.18.0 0.0.0.255
access-list 199 permit ip host 10.6.18.201 any log
access-list 199 permit ip any any
no cdp run
ipv6 route ::/0 Tunnel0
ipv6 router rip 1
!
!
!
!
route-map natmap permit 10
 match ip address nat
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175090
ntp server 24.172.8.162
ntp server 66.250.45.2
ntp server 207.188.193.83
end

cisco#
« Last Edit: January 18, 2010, 04:28:44 pm by derby »