In the previous section we configured an IPv4 PPPoE connection; in this article I'll talk about IPv6.
IPv6 connection support
In fact, many websites now support IPv6, and ISPs are ready to provide IPv6 network access in different forms.
There are two main ways for users to get access to IPv6:
- Obtain a /64 prefix from the ISP through the DHCP-PD protocol; your router then assigns host addresses under this prefix to the devices connected to it. (Approximately 18 billion-billion host addresses can be allocated, more than enough to let every grain of sand in the home go online.)
- The router only plays the role of a Layer 2 switch for IPv6 communication, and all devices connect to the ISP's network independently. This is the so-called IPv6 passthrough or IPv6 bridge mode.
Both of these methods are called dual stack: two sets of completely unrelated communication protocols are deployed on the same network equipment (IPv4 and IPv6 operate independently and do not interfere with each other).
IPv6 communication does not need to pass through the crowded old IPv4 network infrastructure, so it has a great advantage in transmission speed. But IPv4 connections are not affected. You still have to use the IPv4 protocol to access IPv4 sites.
IPv4 over IPv6 technologies
To let IPv4 connections benefit from the IPv6 network, some so-called "IPv4 over IPv6" technologies have been developed, such as MAP-E and DS-Lite. The main idea is to encapsulate the IPv4 packet in an IPv6 packet and transmit it through the IPv6 network.
ISPs in Japan are now promoting this technology for free, because with it the user only needs some IPv6 addresses, which reduces the pressure on the crowded IPv4 network.
For users, getting IPv4 traffic up to IPv6 speed for free would be beneficial, but I still want a public IPv4 address (this is the choice that later gave birth to this website), so I'll stay with the dual-stack solution.
Configure IPv6 passthrough on the router
The configuration builds on the previous article.
First enter configuration mode, then add the bridge irb command to enable the router's bridging function.
enable
config terminal
bridge irb
Then add the WAN port to the bridge group.
interface GigabitEthernet8
 bridge-group 1
 bridge-group 1 input-type-list 200
 exit
In the previous article, we directly set the IP address of Vlan1 as the gateway of the subnet. Now we need a virtual bridge interface (BVI) as the gateway to implement IPv6 bridging. So first use
default interface Vlan1
to clear all configurations under Vlan1, and then use the following commands to add Vlan1 to the bridge group.
interface Vlan1
 no ip address
 bridge-group 1
Then create BVI1 as gateway
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1414
 exit
Finally set up bridging rules and access control (ACL)
control-plane
bridge 1 protocol ieee
bridge 1 route ip
exit
access-list 200 permit 0x86DD 0x0000
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000
0x86DD corresponds to the IPv6 protocol, 0x0800 corresponds to the IPv4 protocol, and 0x0806 is for the ARP protocol.
Once complete, you should see that the PC has obtained an IPv6 address.
In this way, the router works as a Layer 2 switch for IPv6 and does not have its own IPv6 address.
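How ACL 200 above decides which frames may enter the bridge from the WAN port, as an added example that is not from the original article: a Python model of an EtherType list with first-match evaluation and an implicit deny. The sample frames are constructed, the function names are illustrative, and the wildcard mask is assumed to follow Cisco's documented meaning (bits set in the mask are ignored), which also covers masks other than the 0x0000 used here.

```python
import re
import struct

# ACL 200 exactly as configured on this page: EtherType, then wildcard mask.
ACL_200 = """\
access-list 200 permit 0x86DD 0x0000
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000
"""
RULE_RE = re.compile(
    r"access-list\s+(2\d\d)\s+(permit|deny)\s+0x([0-9A-Fa-f]{1,4})\s+0x([0-9A-Fa-f]{1,4})$")

def parse_acl(text):
    """Return [(action, type_code, wild_mask), ...] in configuration order."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not an EtherType ACL (200-299) line: {line!r}")
        rules.append((m.group(2), int(m.group(3), 16), int(m.group(4), 16)))
    return rules

def ethertype(frame):
    """EtherType of an untagged Ethernet II frame (header bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

def decide(rules, frame):
    """First matching rule wins; a frame that matches no rule is denied."""
    etype = ethertype(frame)
    for action, type_code, wild_mask in rules:
        # Only bits that are 0 in the wildcard mask take part in the comparison.
        if ((etype ^ type_code) & ~wild_mask & 0xFFFF) == 0:
            return action
    return "deny"

def make_frame(etype):
    """Constructed sample frame: zeroed MAC addresses and a dummy payload."""
    return bytes(12) + struct.pack("!H", etype) + bytes(46)

def audit(acl_text, etypes):
    """Map each EtherType to the verdict the list gives a frame carrying it."""
    rules = parse_acl(acl_text)
    return {f"0x{e:04X}": decide(rules, make_frame(e)) for e in etypes}

if __name__ == "__main__":
    # IPv6, IPv4 and ARP pass; LLDP (0x88CC) and EAPOL (0x888E) hit the implicit deny.
    for etype, verdict in audit(ACL_200, [0x86DD, 0x0800, 0x0806, 0x88CC, 0x888E]).items():
        print(etype, verdict)
```
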
Configure dhcp-pd on the router
The dhcp-pd method allows the router to work as a real router, obtain its own IPv6 prefix, and assign an IPv6 address to the devices as needed.
The dhcp-pd method is almost the same as the dhcp intranet mode of IPv4.
First enable IPv6 routing and establish IPv6 dhcp:
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool STATELESS
 import dns-server
 import domain-name
 exit
Enable IPv6 on the WAN port and get the prefix from DHCP-PD:
interface GigabitEthernet8
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd PREFIX
 exit
Setup gateway and DHCP on Vlan1:
interface Vlan1
 ipv6 address PREFIX ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server STATELESS
In STATELESS mode the allocation of IPv6 addresses is not saved, and a device is assigned a new IPv6 address every time it connects.
About the security
If you are accustomed to NAT translation of subnets in IPv4 networks, you may have questions about the security of IPv6. However, NAT was not designed to solve the problem of network security; relying on it for that should be considered an over-application of NAT technology.
For most users, who do not register their host addresses in external DNS, the huge address space of IPv6 actually guarantees security: even if an external attacker knows your IPv6 prefix, scanning the billions of billions of addresses under this prefix is an impossible task.