Cisco

From SixXS Wiki

Using SixXS tunnels with Cisco equipment

This article attempts to provide information to use Cisco routers as a SixXS endpoint and provide links to other Cisco-related articles within the Wiki.


Links to other Cisco-related articles in the Wiki

How to configure a Cisco router as an endpoint for a SixXS Heartbeat tunnel

Configuring a Cisco ASA to allow Protocol 41 through to an endpoint behind it: CiscoAsa


Configuring a static tunnel on IOS

Firstly we need to enable IPv6 routing on the Cisco router.

ipv6 unicast-routing

If this command is not recognised, your version of IOS does not support IPv6. An IOS upgrade (either purchased or covered by a Cisco SMARTNet contract) may be available to add IPv6 functionality if your router has sufficient memory and flash storage to accept it.

Next you will probably want to enable Cisco Express Forwarding for the IPv6 protocol as it will speed up performance.

ipv6 cef


To configure the actual tunnel you will need the information given in the Tunnel Approval email. Ensure that you allow the tunnel in through your existing IPv4 access list by adding the following line to it:

permit 41 host [SixXS IPv4] host [Your IPv4]

Then you can configure the tunnel as follows:

interface Tunnel61
 description 6in4 tunnel to SixXS
 no ip address
 ip tcp adjust-mss 1420
 ipv6 address [your IPv6]
 ipv6 enable
 tunnel source ethernet0
 tunnel destination [SixXS IPv4]
 tunnel mode ipv6ip

Your source interface may be different - for example it may be Vlan1 or Dialer0. The source interface is the router's WAN interface.

Confirming your tunnel is active

To check if your tunnel is up, enter the following command; you should get the response shown below it.

show ip interface tunnel61
Tunnel61 is up, line protocol is up
  Internet protocol processing disabled

For IPv6 specific information relating to the tunnel, you can use this command

show ipv6 interface tunnel61

If your tunnel is up, you should now be able to ping the IPv6 address of the far end [SixXS IPv6] as follows:

ping 2a00:12:34:54::1

This is an example. Use the SixXS end IPv6 address specified in the "Tunnel Approval" email.

Routing

To send all IPv6 traffic via your new tunnel, you will need the following

ipv6 route ::/0 Tunnel61

Once you've done this you should be able to ping external IPv6 addresses such as Google's IPv6 DNS servers:

ping 2001:4860:4860::8888
ping 2001:4860:4860::8844

Firewalling

Take care: there is currently a bug in ipv6 traffic-filter (first found in 15.1(2)T1), Cisco bug CSCtn42301. This could result in a router crash in rare conditions when receiving ICMPv6. Workaround: turn off traffic-filter. Real solution: switch over to the Zone Based Firewall (see CiscoZone-BasedPolicyFirewall / CiscoZBF).


You will want to apply an access list to your tunnel so that you aren't wide open to the IPv6 internet. The following should start your firewall off, but I am only just getting to grips with IPv6 myself, so I'd welcome suggestions for improvements and cannot guarantee security. [Your IPv6 prefix] is your IPv6 address without the final '2', e.g. 2a00:12:34:56::/64

ipv6 access-list ipv6-internet-in
 remark allow ping by SixXS PoP to determine tunnel status
 permit icmp host [SixXS IPv6] host [Your IPv6] echo-request
 remark Prevent spoofing
 deny ipv6 [Your IPv6 prefix] any log
 remark prevent ingress of all addresses except global unicast and multicast
 deny ipv6 ::/3 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
 [allow any inbound services you require here - eg. web server]
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any log
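As an added check that is not part of the wiki article: the script below takes the eight bogon deny prefixes from the access list above and computes which part of the IPv6 address space they leave neither denied nor intentionally permitted (the remark intends only global unicast, 2000::/3, and multicast, FF00::/8, to reach the later permit entries). The allowed-range list, the function names and the sample addresses are my assumptions, not anything from SixXS or Cisco.

```python
import ipaddress

# Constructed from the deny entries of the ipv6-internet-in list above;
# the site-specific anti-spoofing entry ([Your IPv6 prefix]) is left out.
DENY_PREFIXES = [
    "::/3", "8000::/2", "C000::/3", "E000::/4",
    "F000::/5", "F800::/6", "FC00::/7", "FE00::/8",
]

# Assumption: per the ACL remark, only global unicast and multicast are
# meant to get past the bogon denies to the permit entries that follow.
ALLOWED_PREFIXES = ["2000::/3", "FF00::/8"]


def uncovered_space(deny, allow):
    """Return the IPv6 prefixes that are neither denied nor intentionally allowed.

    Starts from ::/0 and carves out every deny and allow prefix; whatever is
    left is address space the filter silently lets through to the permits.
    """
    remaining = [ipaddress.ip_network("::/0")]
    for prefix in deny + allow:
        net = ipaddress.ip_network(prefix)
        kept = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                  # block entirely removed
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))  # carve net out of block
            else:
                kept.append(block)                        # disjoint, keep as-is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def matches_deny(address, deny):
    """True if a packet with this source address would hit one of the deny entries."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in deny)


if __name__ == "__main__":
    for gap in uncovered_space(DENY_PREFIXES, ALLOWED_PREFIXES):
        print(f"not filtered: {gap}")
    # Constructed sample sources: link-local, ULA, global unicast, reserved
    for sample in ("fe80::1", "fc00::1", "2001:db8::1", "4000::1"):
        print(sample, "denied" if matches_deny(sample, DENY_PREFIXES) else "passes")
```

Against the list as written it reports 4000::/2, an IANA-reserved block, as not denied; a deny entry for that prefix closes the gap.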

To allow replies to outgoing traffic, if your IOS feature set allows it, you may want to set up CBAC

ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp

To apply both of these to your tunnel interface:

interface Tunnel61
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6 out

If you use SSH to access your router from outside, you may want to lock that down as IPv6 is NOT covered by any existing IPv4 access list that you may have applied. You can always add exceptions for local hosts or trusted remote hosts if you wish.

ipv6 access-list ipv6-ssh-lockdown
 deny ipv6 any any log

line vty 0 4
 ipv6 access-class ipv6-ssh-lockdown in

Providing IPv6 internet access to other hosts on the LAN

Although your tunnel has a /64 prefix, only the first two addresses are routed, so only your router will be able to access the IPv6 internet. To provide access to other hosts behind it, you will need to apply for a subnet. To get enough ISK credit to apply, your tunnel will have to be up for a week. After that, you should be able to request it from the SixXS Home. I'm currently waiting to build up enough credit so I cannot yet test this, but there is a snippet of code provided by SixXS here:

ipv6 unicast-routing
interface Ethernet0/0
 ipv6 address [IPv6 Prefix]/64
 ipv6 enable
 ipv6 nd ra-interval 60
 ipv6 nd ra-lifetime 180
 ipv6 nd prefix-advertisement [IPv6 Prefix]/64 360 60 autoconfig

I will update this article once I am able to do this myself.