2019040901Cisco1801Aal5snap
Cisco 1801 configuration to use IPv6 through an ADSL connection to Zen Internet Ltd.
This configuration covers the case where prefix delegation is used.
PPPoE is required to use the IPv6 service provided by Zen Internet Limited. On an ADSL connection, PPPoE must be carried over AAL5 using LLC-SNAP.
Refer to https://www.cresc.co.jp/tech/network/NET_TUTORIAL/Section_25.htm
Why is this material classed as "network basics"? I think it is aimed at advanced readers. It is an excellent resource, so if there were an English version, I would introduce it to English people.
If global IPv6 addresses are used in the customer's LAN, consider a filter at the customer edge router to block direct access from the Internet to hosts inside the LAN.
aaa session-id common
ip cef
ipv6 unicast-routing
ipv6 cef
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5snap
Important! Use PPPoE on PPPoA. This must be aal5snap to use IPv6 with Zen Internet Ltd. aal5mux does not work for IPv6.
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
no ip address
interface FastEthernet5
no ip address
interface FastEthernet6
no ip address
interface FastEthernet7
no ip address
interface FastEthernet8
no ip address
interface Vlan1
ip address 192.168.WWW.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address PrefixDelegationZen ::1:0:0:0:1/64
This line is present because this example uses prefix delegation. With this setting, the prefix obtained on the Dialer0 connection is used.
ipv6 enable
interface Dialer0
mtu 1492
ip address ZZZ.ZZZ.ZZZ.182 255.255.255.248
ip access-group Di0InList in
ip access-group Di0OutList out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ipv6 address FE80::1 link-local
ipv6 address autoconfig default
The address facing Zen Internet Ltd is created by SLAAC in this example. You can specify the address statically instead.
ipv6 enable
ipv6 dhcp client pd PrefixDelegationZen rapid-commit
Obtain the prefix for the prefix delegation.
ipv6 traffic-filter v6Di0InList in
Block unnecessary access coming from the Internet.
ipv6 traffic-filter v6Di0OutList out
ppp authentication chap callin
ppp chap hostname zen??????@zen
ppp chap password 7 ????????????????
ip route 0.0.0.0 0.0.0.0 Dialer0
ip access-list extended Di0InList
evaluate tmplist
deny ip 127.0.0.0 0.255.255.255 any
permit icmp any ZZZ.ZZZ.ZZZ.176 0.0.0.7
permit udp any eq ntp any eq ntp
deny ip any any
ip access-list extended Di0OutList
permit icmp any any
permit tcp any any reflect tmplist timeout 300
permit udp any any reflect tmplist timeout 300
permit udp any eq ntp any eq ntp
deny ip any any
ipv6 access-list v6Di0InList
As most users use global IPv6 addresses in their LAN, define the incoming filter carefully.
remark 1.============================================
remark 1. For RFC 4890, but echo-request is limited
Refer to RFC 4890.
remark 1.
permit icmp any any echo-reply
permit icmp any 2A02:8011:XXXX:XXXX::/64 echo-request
Permit ICMP to the devices between the customer edge router and Zen Internet Ltd.
permit icmp any host 2A02:8010:YYYY:YYYY::1 echo-request
Block ICMP to a customer's internal LAN, but permit ICMP to this customer edge router.
permit icmp any any 1 3
permit icmp any any 1 4
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any parameter-problem
permit icmp any any mld-query
permit icmp any any mld-reduction
permit icmp any any mld-report
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any router-solicitation
remark 1..
remark 2.============================================
remark 2. To access to Internet sites
remark 2.
evaluate v6tmplist
Reply packets are allowed.
remark 2..
remark 3.============================================
remark 3. This customer edge router accepts all ICMP
ICMP not described in RFC 4890 is allowed if you want.
remark 3.
permit icmp any host 2A02:8010:YYYY:YYYY::1
remark 3..
remark 4.============================================
remark 4. To accept incoming connection
remark 4.
permit tcp any host 2A02:8010:YYYY:YYYY::100 eq www
Example. In case you have a web server.
permit tcp any host 2A02:8010:YYYY:YYYY::100 eq 443
Example. In case you have the web server.
remark 4..
remark 5.============================================
remark 5. To block unnecessary packets
remark 5.
deny ipv6 any any
remark 5..
ipv6 access-list v6Di0OutList
permit icmp any any reflect v6tmplist
permit tcp any any reflect v6tmplist
permit udp any any reflect v6tmplist
ipv6 route ::/0 Dialer0
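
The inbound filter v6Di0InList is what keeps globally addressed LAN hosts unreachable from the Internet, so its rule order is worth checking before it is relied on. The Python model below is an added example, not part of the original configuration: it walks the five remark sections in first-match order. It assumes constructed 2001:db8 addresses in place of the masked ones, and it simplifies the reflexive list v6tmplist to exact TCP/UDP flow tuples.

```python
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network
# Constructed stand-ins (2001:db8::/32 documentation space) for the masked addresses.
ANY = net("::/0")
WAN_LINK = net("2001:db8:0:1::/64")      # for 2A02:8011:XXXX:XXXX::/64
ROUTER = net("2001:db8:100:1::1/128")    # for host 2A02:8010:YYYY:YYYY::1
WEB = net("2001:db8:100:1::100/128")     # for host 2A02:8010:YYYY:YYYY::100

# Section 1 of v6Di0InList: (destination, ICMPv6 type, code or None for any code).
ICMP_RULES = [(ANY, 129, None), (WAN_LINK, 128, None), (ROUTER, 128, None),
              (ANY, 1, 3), (ANY, 1, 4), (ANY, 2, None), (ANY, 3, None),
              (ANY, 4, None), (ANY, 130, None), (ANY, 132, None),
              (ANY, 131, None), (ANY, 136, None), (ANY, 135, None),
              (ANY, 133, None)]
TCP_RULES = [(WEB, 80), (WEB, 443)]      # section 4: published web server

reflected = set()                        # simplified model of v6tmplist

def outbound(p):
    """v6Di0OutList: record the mirrored TCP/UDP flow for the return path."""
    if p["proto"] in ("tcp", "udp"):
        reflected.add((p["proto"], p["dst"], p["dport"],
                       p["src"], p["sport"]))

def inbound(p):
    """First-match walk of v6Di0InList; returns the remark section that decided."""
    dst = ip(p["dst"])
    if p["proto"] == "icmp":
        for dnet, typ, code in ICMP_RULES:                      # section 1
            if dst in dnet and p["type"] == typ and code in (None, p.get("code", 0)):
                return "permit-1"
    else:
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        if key in reflected:                                    # section 2
            return "permit-2"
    if p["proto"] == "icmp" and dst in ROUTER:                  # section 3
        return "permit-3"
    if p["proto"] == "tcp" and any(dst in d and p["dport"] == port
                                   for d, port in TCP_RULES):   # section 4
        return "permit-4"
    return "deny-5"                                             # section 5

if __name__ == "__main__":
    # Constructed packets: echo-request to a LAN host, then to the router itself.
    for dst in ("2001:db8:100:1::50", "2001:db8:100:1::1"):
        print(dst, inbound(dict(proto="icmp", src="2001:db8:ffff::9",
                                dst=dst, type=128, code=0)))
```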