Configure IPv6 dual stack connection on Cisco router

In the previous section we configured an IPv4 PPPoE connection; in this article I'll talk about IPv6.

IPv6 connection support

In fact, many websites now support IPv6, and ISPs are ready to provide IPv6 network access in different forms.
There are two main ways for users to get access to IPv6:

  • Obtain a /64 prefix from the ISP, along with the IP, through the DHCP-PD protocol; your router then assigns host addresses under this prefix to the devices connected to it. (Approximately 18 billion-billion host addresses can be allocated, more than enough to let every grain of sand in the home go online.)
  • The router only plays the role of a Layer 2 switch for IPv6 communication, and all devices are independently connected to the ISP's network. This is the so-called IPv6 passthrough or IPv6 bridge mode.

Dual stack

Both of these methods are called dual stack: two sets of completely unrelated communication protocols are deployed on the same network equipment (IPv4 and IPv6 operate independently and do not interfere with each other).
IPv6 communication does not need to pass through the crowded old IPv4 network infrastructure, so it has a great advantage in transmission speed. IPv4 connections are not affected, however: you still have to use the IPv4 protocol to access IPv4 sites.

IPv4 over IPv6 technologies

To let IPv4 connections benefit from the IPv6 connection, some so-called "IPv4 over IPv6" technologies have been developed, such as MAP-E and DS-Lite. The main idea is to encapsulate the IPv4 packet in an IPv6 packet and transmit it through the IPv6 network.
ISPs in Japan are now promoting this technology for free, because with it users only need IPv6 addresses, which reduces the pressure on the crowded IPv4 network.
[Figure: IPv4 vs IPv6 speed test]
For users, making IPv4 traffic reach the speed of IPv6 for free would be beneficial, but I still want an IPv4 public IP (this is the choice that gave birth to this website later), so I'll stay with the dual stack solution.

Configure IPv6 passthrough on the router

This configuration builds on the previous article.
Enter configuration mode first, then add the bridge irb command to enable the router's bridging function.

config terminal

bridge irb

Then add the WAN port to the bridge group.

interface GigabitEthernet8
bridge-group 1
bridge-group 1 input-type-list 200

In the previous article, we directly set the IP address of Vlan1 as the gateway of the subnet. Now we need a virtual bridge interface (BVI) as the gateway to implement IPv6 bridging. So first use

default interface Vlan1

to clear all configurations under Vlan1, and then use the following commands to add Vlan1 to the bridge group.

interface Vlan1
no ip address
bridge-group 1

Then create BVI1 as the gateway:

interface BVI1
ip address
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1414

Finally, set up the bridging rules and the access control list (ACL):

bridge 1 protocol ieee
bridge 1 route ip

access-list 200 permit 0x86DD 0x0000
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000

0x86DD corresponds to the IPv6 protocol, 0x0800 corresponds to the IPv4 protocol, and 0x0806 is for the ARP protocol.
Once complete, you should see that the PC has obtained an IPv6 address.

In this way, the router works as a Layer 2 switch for IPv6 and does not have its own IPv6 address.
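
As an added illustration (not part of the original article and not Cisco code), the following Python models how the EtherType entries of access-list 200 above are matched against a frame: the type code is compared under a wildcard mask, the first match wins, and a frame matching no entry is denied. The frames and MAC addresses are constructed samples, and only untagged Ethernet II frames are modeled.

```python
import struct

# access-list 200 from the article: (action, type-code, wildcard mask).
# 1-bits in the mask are ignored in the comparison, so 0x0000 is an exact match.
ACL_200 = [
    ("permit", 0x86DD, 0x0000),  # IPv6
    ("permit", 0x0800, 0x0000),  # IPv4
    ("permit", 0x0806, 0x0000),  # ARP
]


def ethertype(frame: bytes) -> int:
    """Return the 16-bit type field of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (value,) = struct.unpack("!H", frame[12:14])
    if value < 0x0600:
        raise ValueError("802.3 length field, not an Ethernet II type")
    return value


def evaluate(acl, frame: bytes) -> str:
    """First matching entry wins; a frame matching no entry is denied."""
    etype = ethertype(frame)
    for action, code, mask in acl:
        if ((etype ^ code) & ~mask & 0xFFFF) == 0:
            return action
    return "deny"  # implicit deny at the end of the list


def make_frame(etype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: made-up MAC addresses plus the given type."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    samples = [("IPv6", 0x86DD), ("IPv4", 0x0800), ("ARP", 0x0806),
               ("LLDP", 0x88CC), ("Wake-on-LAN", 0x0842)]
    for name, etype in samples:
        print(f"{name:12} 0x{etype:04X} -> {evaluate(ACL_200, make_frame(etype))}")
```

Every EtherType other than the three listed falls through to the final deny, which is why protocols such as LLDP in the sample run are not passed by this list.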

Configure dhcp-pd on the router

The DHCP-PD method allows the router to work as a real router: it obtains its own IPv6 prefix and assigns IPv6 addresses to the devices as needed.
The DHCP-PD method is almost the same as the DHCP intranet mode of IPv4.
First enable IPv6 routing and set up the IPv6 DHCP pool:

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool STATELESS
import dns-server
import domain-name

Enable IPv6 on the WAN port and get the prefix from DHCP-PD:

interface GigabitEthernet8
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd PREFIX

Set up the gateway and DHCP on Vlan1:

interface Vlan1
ipv6 address PREFIX ::1:0:0:0:1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server STATELESS

In STATELESS mode the allocation of IPv6 addresses is not saved, and a new IPv6 address is assigned to the device every time it connects.

About the security

If you are accustomed to NAT translation of subnets in IPv4 networks, you may have questions about the security of IPv6. However, NAT technology itself is not meant to solve the problem of network security; relying on it for that should instead be considered an excessive application of NAT technology.
For most users who do not register their host addresses in external DNS, the huge address space of IPv6 actually guarantees security: even if an external attacker knows your IPv6 prefix, scanning the billions of billions of addresses under this prefix is an impossible task.