IPv6

=Internet Protocol version 6=


 * ===__Addressing and Address Types__===
 * =====**Types**=====
 * Aggregatable Global Unicast - 2000::/3 - host-to-host communication
 * Multicast - FF00::/8 - one-to-many and many-to-many communication
 * Anycast - same as unicast - application based, including load balancing
 * Link-Local Unicast - FE80::/10 - connected link communications
 * Solicited-Node Multicast - FF02::1:FF00:0/104 - neighbor solicitation
 * =====**Aggregatable Global Address**=====
 * begins with binary 001 - 2000::/3
 * next 45 bits represent global routing prefix
 * last 16 bits (preceding Interface ID) are Site Level Aggregator (SLA)
 * also known as Subnet ID
 * last 64 bits make up the Interface ID
 * =====**Link-Local Address**=====
 * begin with FE80::/10
 * Interface ID is derived using modified EUI-64 format
 * remaining 54 bits of prefix are always set to 0
 * ethernet uses 802 MAC address for the Interface ID
 * other interfaces use pool of virtual MAC addresses
 * =====**IPv4-Compatible IPv6 Addresses**=====
 * first 96 bits are 0s
 * IPv4 10.10.100.16
 * 0:0:0:0:0:0:10.10.100.16
 * ::10.10.100.16
 * ::A0A:6410
 * =====**Assigning Unicast Address to Router Interface**=====
 * config# ipv6 unicast-routing
 * config-if# ipv6 address 2001:128:ab2e:1a::1/64
 * config-if# ipv6 address fe80::1 link-local
 * =====**Multicast Format**=====
 * begins with FF or FF00::/8 (first octet)
 * specifies lifetime and scope (second octet)
 * lifetime can be permanent (0000) or temporary (0001)
 * scope can be
 * Node - 0001
 * Link - 0010
 * Site - 0101
 * Organization - 1000
 * Global - 1110
 * ======**Well-Known**======
 * all hosts - FF02::1 - subnet broadcast
 * all routers - FF02::2 - 224.0.0.2
 * OSPFv3 routers - FF02::5 - 224.0.0.5
 * OSPFv3 designated routers - FF02::6 - 224.0.0.6
 * EIGRP routers - FF02::A - 224.0.0.10
 * PIM routers - FF02::D - 224.0.0.13
 * ======**Solicited-Node Group**======
 * each router must join for each of its unicast and anycast addresses
 * FF02::1:FF00:0000/104
 * Example
 * 2001:1AB:2003:1::CB__AC:DF01__ becomes FF02::1:FF__AC:DF01__
 * used in Neighbor Discovery (ND) process
 * =====**Anycast**=====
 * drawn from the IPv6 unicast address pool
 * config-if# ipv6 address 3001:FFFE::104/64 anycast
 * ===__Address Autoconfiguration__===
 * =====**Methods**=====
 * Stateful autoconfiguration - assigns 128 bit address using DHCP
 * Stateless autoconfiguration - assigns 64 bit prefix
 * EUI-64 - host derives last 64 bits
 * =====**EUI-64 Address Format**=====
 * Interface ID is configured locally by host
 * uses 48 bit MAC address as the seed
 * hex value FFFE is placed in the center of the MAC
 * sets the universal/local bit in the MAC
 * 7th bit in Interface ID, indicates global scope
 * config-if# ipv6 address 2001:128:1F:633::/64 eui-64
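The solicited-node and EUI-64 derivations from the sections above, as an added Python example that is not part of the original notes. The MAC 00:07:85:80:72:08 is an assumption, chosen because it produces the Interface ID of the FE80::207:85FF:FE80:7208 address used elsewhere on this page; the reverse function shows that an EUI-64 address discloses the interface's hardware address to anyone who sees it.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """48-bit MAC -> 64-bit modified EUI-64 Interface ID."""
    b = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    b[0] ^= 0x02  # flip the universal/local bit (7th bit of the Interface ID)
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")  # FFFE in the centre

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 Interface ID, as 'eui-64' does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 derived address; None if FFFE is absent."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{x:02x}" for x in mac)

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

if __name__ == "__main__":
    mac = "00:07:85:80:72:08"  # constructed MAC (assumption, see lead-in)
    print(eui64_address("fe80::/64", mac))
    print(mac_from_eui64("2001::207:85FF:FE80:7208"))
    print(solicited_node("2001:1AB:2003:1::CBAC:DF01"))
```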
 * ===__Protocols__===
 * =====**Neighbor Discovery Protocol (NDP)**=====
 * uses ICMPv6 messages and solicited-node multicast address
 * ======**Major Roles**======
 * stateless address autoconfiguration
 * duplicated address detection (DAD)
 * router discovery
 * prefix discovery
 * parameter discovery (link MTU, hop limits, ...)
 * neighbor discovery
 * neighbor address resolution (replaces ARP)
 * neighbor and router reachability verification
 * ======**Message Types**======
 * Router Advertisement (RA) - ICMP 134; source is the link local; destination is FF02::1
 * Router Solicitation (RS) - ICMP 133; source is the interface; destination is FF02::2
 * Neighbor Solicitation (NS) - ICMP 135; source is the interface; destination is multicast address
 * Neighbor Advertisement (NA) - ICMP 136; destination is address of requester
 * Redirect - ICMP 137; source is link local; destination is the source of the requesting node
 * ======**Neighbor Advertisements**======
 * sent periodically to inform other hosts of their presence and link-layer address
 * ======**Neighbor Solicitation**======
 * duplicate address detection
 * neighbor reachability verification
 * layer 3 and layer 2 address resolution
 * ======**Advertisement and Solicitation**======
 * Advertisements
 * include all 64 bit IPv6 prefixes configured on the interface
 * includes link MTU, hop limits and if it is a candidate for the default router
 * config-if# ipv6 nd ra-interval (200 default)
 * config-if# ipv6 nd ra-lifetime 0 (make this not a candidate for default router)
 * config-if# ipv6 nd suppress-ra (disable advertisements)
 * ======**Duplicate Address Detection**======
 * a function of neighbor solicitation
 * to verify that an autoconfigured address is unique
 * sends NS message to its own address's corresponding solicited-node multicast address
 * sourced from ::
 * ======**Neighbor Unreachability Detection**======
 * not defined as presence of advertisements from a router
 * two ways to confirm reachability
 * host sends a probe to the desired host's solicited-node multicast address
 * receives RA or NA in response
 * host receives a clue from a higher-layer protocol
 * possibly a TCP ACK
 * only connection oriented protocols
 * =====**ICMPv6**=====
 * ======**Message Groups**======
 * error reporting
 * informational
 * config# ipv6 icmp error-interval (default 100ms)
 * default bucket size is 10
 * 1 token in the bucket every 100ms
 * when bucket is full, 10 ICMPv6 error messages can be sent
 * when bucket empties the router cannot send any more
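The token bucket described above, simulated as an added Python example (a model, not IOS code). It assumes the bucket starts full and that arrival times are given in milliseconds; the burst used in the sample run is constructed.

```python
def icmp_errors_sent(arrivals_ms, interval_ms=100, bucket_size=10):
    """Return the arrival times (ms) of the errors the router would send.

    Model: the bucket starts full, gains one token per interval, never
    holds more than bucket_size, and each ICMPv6 error sent uses one token.
    """
    tokens = bucket_size
    last_refill = 0
    sent = []
    for t in sorted(arrivals_ms):
        gained = (t - last_refill) // interval_ms
        if gained:
            tokens = min(bucket_size, tokens + gained)
            last_refill += gained * interval_ms
        if tokens:
            tokens -= 1
            sent.append(t)
        # otherwise the error is silently suppressed
    return sent

if __name__ == "__main__":
    # Constructed sample: 25 error-triggering packets in 25 ms, then 5 more at 350 ms.
    burst = list(range(25)) + list(range(350, 355))
    sent = icmp_errors_sent(burst)
    print(f"{len(sent)} sent, {len(burst) - len(sent)} suppressed")
    print("sent at:", sent)
```

With the defaults, a sustained stream of error-triggering packets yields at most ten errors immediately and ten per second afterwards, which bounds the ICMPv6 error traffic the router can be made to generate.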
 * =====**Unicast Reverse Path Forwarding**=====
 * ======**Configure**======
 * config-if# ipv6 verify unicast reverse-path
 * Example
 * will drop the packet if the check fails or the source address is within 2007::/64 range
 * config# ipv6 access-list WORD
 * config-ipv6-acl# deny ipv6 2007::/64 any
 * config-ipv6-acl# permit ipv6 any any
 * config-if# ipv6 verify unicast reverse-path WORD
 * =====**Dynamic Host Configuration Protocol (DHCP)**=====
 * stateful autoconfiguration
 * two conditions
 * host is explicitly configured to use DHCPv6
 * IPv6 router advertises in RA messages
 * routers set M flag (Managed Address Configuration) in RAs
 * hosts send DHCP request using multicast address on UDP port 547
 * FF02::1:2 - all DHCP relay agents and servers
 * FF02::1:3 - all DHCP servers
 * config-if# ipv6 dhcp server 
 * ===__Access Lists__===
 * implicit permit for Neighbor Discovery Protocol
 * config-if# ipv6 traffic-filter WORD [in | out]
 * lists are always named
 * =====**Configuration**=====
 * config# ipv6 access-list WORD
 * config-ipv6-acl# permit tcp any 2001:1:2:3::/64 eq telnet dscp cs1 log
 * config-ipv6-acl# deny tcp any any log-input
 * config# line vty 0 4
 * config-line# access-class WORD in
 * =====**Traffic Filtering**=====
 * config# ipv6 access-list WORD
 * config-ipv6-acl# deny tcp any eq www 2001:DB8:128::/64
 * config-ipv6-acl# permit ipv6 any any
 * config# interface FastEthernet0/0
 * config-if# ipv6 traffic-filter WORD in
 * ===__Static Routes__===
 * static route to an interface has an administrative distance of 1 (ipv4 is 0)
 * static route to next-hop IP has an administrative distance of 1 (just like ipv4)
 * static route to a broadcast interface, such as ethernet, must specify the next-hop
 * because ipv6 does not use ARP
 * =====**Tip**=====
 * debug ipv6 routing
 * show ipv6 route
 * config# ipv6 route 2001:129::/64 2001::207:85FF:FE80:7208
 * ===__Unicast Routing Protocols__===
 * =====**OSPFv3**=====
 * differences from version 2
 * configured using interface commands
 * config-if# ipv6 ospf 1 area 2
 * will automatically create "ipv6 router ospf 1" globally
 * if multiple IPv6 addresses are on an interface, all of them are advertised
 * RID must be set
 * would usually use IPv4, but if it's not configured then the RID is not generated
 * Flooding Scopes
 * link-local scope - used by new LSA type, Link LSA
 * area scope - for LSAs flooded throughout a single area
 * AS scope - flooded throughout the routing domain, for External LSAs
 * multiple instances per link
 * config-if# ipv6 ospf 1 area 0 instance 33
 * Terminology
 * OSPFv2 "network" is now called OSPFv3 "link"
 * sources packets from link-local address
 * besides virtual links
 * uses link-local address for all communications between neighbors
 * Authentication
 * is not provided since IPv6 covers this requirement
 * Networks in LSAs
 * expressed as a prefix and a prefix length
 * default routes are expressed with a prefix length of 0
 * ======**LSA Types**======
 * 1 - router LSA - describes a router's link states and costs - area scope
 * 2 - network LSA - generated by DR, describes aggregated link state and costs for routers - area scope
 * 3 - inter-area prefix LSA for ABRs - describes interarea networks to routers in other areas - area scope
 * 4 - inter-area router LSA for ASBRs - advertise the ASBR location - AS scope
 * 5 - AS external LSA - describes the networks learned by other protocols - area scope
 * 8 - link LSA - advertises link-local address and prefix(es) to other routers - link scope
 * 9 - intra-area prefix LSA - area scope
 * ======**NBMA Networks**======
 * config-if# ipv6 ospf neighbor 3003::1
 * "nonbroadcast needs neighbors"
 * ======**Frame Relay**======
 * mapping IP to DLCI
 * requires two map statements
 * one points to link local (broadcast)
 * one points to unicast of next-hop
 * config-if# frame-relay map ipv6 FE80::207:85FF:FE80:7208 101 broadcast
 * config-if# frame-relay map ipv6 2001::207:85FF:FE80:7208 101
 * ======**Authentication and Encryption**======
 * uses IPv6's native authentication support
 * uses Authentication Header (AH)
 * uses Encapsulating Security Payload (ESP)
 * config-if# ipv6 ospf authentication (AH)
 * config-if# ipv6 ospf encryption (ESP)
 * ESP provides both encryption and authentication
 * =====**EIGRP**=====
 * ======**Differences**======
 * configured on the interface
 * config-if# ipv6 eigrp 100
 * must "no shut" the routing process
 * Router ID
 * requires 32 bit router ID before it starts
 * Passive Interfaces
 * configured in routing process only
 * Router Filtering
 * only using distribute-list and prefix-list
 * Automatic Summarization
 * does not have "no auto-summary" command
 * no concept of classful routing in IPv6
 * config-if# ipv6 next-hop-self eigrp 
 * ======**Configuration**======
 * config-if# ipv6 address 3001:0:4::/64 eui-64
 * config-if# ipv6 address autoconfig
 * config-if# ipv6 eigrp 100
 * config# ipv6 router eigrp 100
 * config-router# router-id 192.0.0.1
 * config-router# no shutdown
 * config-router# passive-interface loopback 3
 * config-router# redistribute connected metric 100000 100 255 10 1500 route-map WORD
 * config-if# ipv6 summary-address eigrp 100 3001:0:4:4::/63
 * ===__Route Redistribution__===
 * configured as part of the routing process of the destination routing protocol
 * can apply tags, manipulate metrics and filter routes
 * route maps can be applied which call access lists or prefix lists or perform other actions
 * into EIGRP or RIPng requires setting a metric
 * =====**Protocol Combinations**=====
 * RIPng - one process to another
 * OSPFv3 - one process to another
 * EIGRP - one AS to another
 * EIGRP to OSPFv3 - and vice-versa
 * EIGRP to RIPng - and vice-versa
 * OSPFv3 to RIPng - and vice-versa
 * =====**Configuration**=====
 * config# ipv6 router ospf 1
 * config-rtr# redistribute rip RIPng route-map WORD1 [include-connected]
 * config# ipv6 prefix-list WORD2 seq 5 permit 3009:128:1::/48 ge 64 le 64
 * config# route-map WORD1 permit 10
 * config-route-map# match ipv6 address prefix-list WORD2
 * config-route-map# set metric-type type-1
 * config-route-map# set tag 32767
 * ===__QoS__===
 * features not available in version 6
 * Network Based Application Recognition (NBAR)
 * Compressed Real-Time Protocol (cRTP)
 * Committed Access Rate (CAR)
 * Priority Queuing (PQ)
 * Custom Queuing (CQ)
 * =====**Classification, Marking and Queuing**=====
 * config-cmap# match protocol [ip | ipv6]
 * Differences
 * no "match ip rtp"
 * "match cos" and "set cos"
 * support only CEF
 * does not support process-switched or router-originated
 * does not support ISL interfaces, even for CEF
 * =====**Traffic Shaping and Policing**=====
 * uses flow-based queuing by default
 * can use Class-Based WFQ to manage congestion
 * ===__Tunneling__===
 * tunneling refers to the process of encapsulating traffic at an OSI layer with another protocol in the same layer
 * =====**Methods**=====
 * Automatic 6to4 - point-to-multipoint; 2002::/16; isolated IPv6 island networks
 * Manually - point-to-point; requires dual-stack support on both ends
 * IPv6 over IPv4 GRE - point-to-point; unicast address; dual stack
 * ISATAP - point-to-multipoint; multicast address; within single site
 * Automatic IPv4-Compatible - point-to-multipoint; ::/96 address; dual stack
 * =====**Modes and Destinations**=====
 * Manual - ipv6ip - ipv4 address is the destination
 * GRE over IPv4 - gre ip - ipv4 address is the destination
 * Automatic 6to4 - ipv6ip 6to4 - auto determined
 * ISATAP - ipv6ip isatap - auto determined
 * Automatic IPv4-Compatible - ipv6ip auto-tunnel - auto determined
 * =====**Manually Configured**=====
 * config# interface tunnel 0
 * config-if# no ip address
 * config-if# ipv6 address 2001:DB8::1:1/64
 * config-if# tunnel source loopback 0
 * config-if# tunnel destination 172.30.20.1
 * config-if# tunnel mode ipv6ip
 * =====**Automatic IPv4-Compatible**=====
 * uses IPv4-compatible IPv6 address for tunnel interfaces
 * taken from ::/96 address space (first 96 bits are 0s)
 * address written as 0:0:0:0:0:0:A.B.C.D
 * tunnel destination for IPv4 compatible tunnel is automatically determined
 * config-if# tunnel mode ipv6ip auto-tunnel
 * =====**IPv6 over IPv4 GRE**=====
 * Key Features
 * encapsulation of traffic other than IPv6
 * support for IPsec
 * config-if# tunnel mode gre ip
 * =====**Automatic 6to4**=====
 * point-to-multipoint
 * treats underlying IPv4 network as NBMA cloud
 * destination address is IPv6 prefix combined with the destination's IPv4 address
 * begins with 2002::/16
 * 2002:IPv4::/48
 * other 16 bits are for numbering networks
 * IOS only supports one automatic 6to4 tunnel per router
 * config-if# tunnel mode ipv6ip 6to4
 * tunnel destination not explicitly configured
 * routing needs to be configured
 * config# ipv6 route 2002::/16 tunnel 0
 * =====**ISATAP**=====
 * Intra-Site Automatic Tunnel Addressing Protocol
 * treat IPv4 network as NBMA cloud
 * [64-bit link-local or global unicast prefix]:0000:5EFE:[IPv4 address of ISATAP link]
 * Example
 * IPv6 prefix - 2001:0DB8:0ABC:0DEF::/64
 * IPv4 destination - 172.20.20.1 = AC14:1401
 * ISATAP address - 2001:0DB8:0ABC:0DEF:0000:5EFE:AC14:1401
 * config-if# tunnel mode ipv6ip isatap
 * must be configured to derive IPv6 using EUI-64
 * differs from a non-tunnel interface
 * only derives last 32 bits of the Interface ID from the tunnel source interface's IPv4 address
 * by default Router Advertisements (RA) are disabled in the tunnel interface
 * RAs must be enabled to support client autoconfiguration
 * config-if# no ipv6 nd suppress-ra
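The 6to4, ISATAP and IPv4-compatible formats above all embed an IPv4 address, so the tunnel endpoint can be recovered from an IPv6 address seen in a log or flow record. An added Python example (not part of the original notes) that builds the addresses and decodes them again; the function names are hypothetical and the ISATAP check uses only the 0000:5EFE form given on this page.

```python
import ipaddress

def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:IPv4::/48 for the site behind this IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """[64-bit prefix]:0000:5EFE:[IPv4 address]."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)

def embedded_ipv4(addr: str):
    """Return (kind, IPv4Address) if addr uses a tunnel format, else None."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 == 0x2002:                          # 2002::/16
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:        # Interface ID 0000:5EFE:a.b.c.d
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0 and n > 1:                      # ::/96, excluding :: and ::1
        return "ipv4-compatible", ipaddress.IPv4Address(n)
    return None

if __name__ == "__main__":
    print(sixtofour_prefix("172.30.20.1"))
    print(isatap_address("2001:0DB8:0ABC:0DEF::/64", "172.20.20.1"))
    # Constructed sample of addresses as they might appear in a log.
    for a in ["2002:ac1e:1401:1::1", "fe80::5efe:ac14:1401",
              "::10.10.100.16", "2001:DB8::1:1"]:
        print(a, "->", embedded_ipv4(a))
```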
 * ===__Network Address Translation - Protocol Translation (NAT-PT)__===
 * translates between IPv4 and IPv6
 * ===__Multicast__===
 * =====**Multicast Listener Discovery (MLD)**=====
 * based on IGMP from IPv4
 * uses ICMPv6
 * routers act as MLD queriers to determine who wants traffic
 * MLD snooping is the same as IGMP snooping
 * can configure an interface to join a multicast group
 * config-if# ipv6 mld join-group FF02::FE
 * regardless if group members are present on the interface or not
 * ======**Explicit Tracking**======
 * allows multicast routers to track behaviors of hosts
 * supports fast-leave mechanism in MLDv2
 * disabled by default
 * config-if# ipv6 mld explicit-tracking
 * =====**PIM**=====
 * ======**Modes of Operation**======
 * Sparse Mode (SM)
 * Source-Specific Multicast (SSM)
 * does not support dense mode
 * PIM-SM routers can learn about a RP
 * embeds RP info in MLD report messages and PIM messages
 * ======**Source-Specific Multicast**======
 * derived from sparse mode
 * requires MLDv2 to operate
 * config# ipv6 mld ssm-map enable
 * config# no ipv6 mld ssm-map query dns
 * config# ipv6 mld ssm-map static
 * =====**Static Routes**=====
 * RPF checks can cause problems with tunnels
 * config# ipv6 route ::/0 tunnel 0 multicast
 * =====**Routing**=====
 * config# ipv6 multicast-routing

=Basic Configuration=

 * config# ipv6 unicast-routing
 * config-if# ipv6 address 10:5:1::2/48 [eui-64] (eui-64 will use the MAC address)

=Tunnels=

 * config# interface tunnel 0
 * config-if# ipv6 address 3ffe:b00:c18:1::3/64
 * config-if# tunnel source 192.168.99.1
 * config-if# tunnel destination 192.168.30.1
 * config-if# tunnel mode ipv6ip

=NAT=

 * config-if# ipv6 nat
 * config-if# ipv6 nat prefix 2010:1111::/96 (must be 96)

 * config# route-map WORD1
 * config-route-map# match interface ethernet 0
 * config# ipv6 nat v6v4 source route-map WORD1
 * config# ipv6 nat v6v4 pool WORD2 192.168.1.10 192.168.1.50 prefix-length 24
 * config# ipv6 nat v4v6 source 192.168.1.2 2010:1111::1