Cisco has long supported IPv6, but it's unfortunately somewhat of a here-and-there affair. Tonight's goal involved getting the wireless and IPv6 for clients going on the 877W sitting in our rack; not as straightforward as one might hope. We've had IPv6 (via Hurricane Electric) for a while, but it's been limited to the wired network. IPv6 for otoh.org and gometric.us will come in the next week or two.
All this was made just a little bit more difficult as every time I did anything to the wireless, my Mac stopped talking to it. The Solaris-based T61 was fine (re-authenticates even after changes and didn't lose the connection at all), but MacOS just seems to hate it when things change underneath it. In all fairness, it's just as much the fault of the 877W, as I had to reboot it to get the two to talk again.
The first thing I bumped into was getting the VLANs and the wireless to play together. If you're trying to do this, you need to link them via a bridge interface. Not hard, but not expected (thus a call to Cisco TAC to work out WTF). Particularly not expected as none of the examples I'd come across mentioned it (they all just assigned the VLAN to Dot11Radio0 and off they went).
- create a bridge
- create a sub interface on Dot11Radio0
- assign the bridge to the sub interface
- assign the bridge to the VLAN
Then you're good to go. Or not. Well, it associates fine, but no DHCP.
All the IP information has to be assigned to the BVI to actually work. So, a bit more fiddling and then hooray, we have a link and we can get IPv4 addresses over it.
Let the TAC guy go and set about working out how to add IPv6 to this (he's got better things to do and I won't learn unless I at least try first).
First thing to try, add it to the BVI. Hmm.... doesn't work.
What happens if I add it to the VLAN. Nope, that doesn't work either.
Now add it to the sub interface. Nope
How about the main interface. Yes.
Then a bit of fiddling to see if I can clean up some of the allocated addresses. No. Looks like it doesn't want to play unless everything that's attached to the bridge has IPv6 on it. Oh well, lucky there's lots of IP space to make use of. The address the clients get is from the Dot11Radio0 sub interface though.
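To turn that trial-and-error sequence into something checkable, here is an added Python example (not code from the original post) that parses a small IOS running-config and reports, per bridge group, which of the attached interfaces carry an `ipv6 address`. The sample config is constructed for the example with documentation prefixes and only follows the shape of the config below; it assumes the rule arrived at above, namely IPv4 on the BVI and IPv6 on the parent radio, the subinterface, the VLAN interface and the BVI. The parser ends an interface block at the next `!` line, so a flattened paste like the one further down parses the same as indented `show run` output.

```python
"""Audit IPv6 address placement on the interfaces attached to IOS bridge groups.
Added example; the config below is constructed, not the post's own."""
import re
from collections import defaultdict

# Constructed sample: bridge 16 is addressed for IPv6 everywhere, bridge 64
# only on its BVI, which is the arrangement the post found does not work.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 ipv6 address 2001:db8:d16::1/64
!
interface Dot11Radio0.16
 encapsulation dot1Q 16
 ipv6 address 2001:db8:e16::1/64
 bridge-group 16
 bridge-group 16 spanning-disabled
!
interface Dot11Radio0.64
 encapsulation dot1Q 64
 bridge-group 64
!
interface Vlan16
 ipv6 address 2001:db8:f16::1/64
 bridge-group 16
!
interface Vlan64
 bridge-group 64
!
interface BVI16
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:16::1/64
!
interface BVI64
 ip address 192.0.2.129 255.255.255.0
 ipv6 address 2001:db8:64::1/64
!
"""


def parse_interfaces(text):
    """Return {interface name: [commands]}; a block ends at `!` or the next `interface`."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def bridge_groups(interfaces):
    """Map bridge number -> {"members": [...], "bvi": name or None}."""
    groups = defaultdict(lambda: {"members": [], "bvi": None})
    for name, cmds in interfaces.items():
        m = re.fullmatch(r"BVI(\d+)", name)
        if m:
            groups[int(m.group(1))]["bvi"] = name
            continue
        for cmd in cmds:
            m = re.fullmatch(r"bridge-group (\d+)", cmd)  # bare form only, not its options
            if m:
                groups[int(m.group(1))]["members"].append(name)
    return dict(groups)


def has_addr(cmds, family):
    """True if the block carries `ip address` (family "ip") or `ipv6 address`."""
    return any(c.startswith(f"{family} address ") for c in cmds)


def audit(text):
    """Per bridge: address presence per attached interface, the attached
    interfaces still lacking IPv6, and whether IPv4 sits on the BVI."""
    interfaces = parse_interfaces(text)
    report = {}
    for bridge, info in sorted(bridge_groups(interfaces).items()):
        attached = list(info["members"])
        # The post found the parent Dot11Radio0 needed IPv6 too, so check it as well.
        for member in info["members"]:
            parent = member.rsplit(".", 1)[0] if "." in member else None
            if parent in interfaces and parent not in attached:
                attached.append(parent)
        if info["bvi"]:
            attached.append(info["bvi"])
        rows = {n: {"ipv4": has_addr(interfaces[n], "ip"),
                    "ipv6": has_addr(interfaces[n], "ipv6")} for n in attached}
        report[bridge] = {
            "interfaces": rows,
            "missing_ipv6": [n for n, r in rows.items() if not r["ipv6"]],
            "ipv4_on_bvi": bool(info["bvi"]) and rows[info["bvi"]]["ipv4"],
        }
    return report


if __name__ == "__main__":
    for bridge, result in audit(SAMPLE_CONFIG).items():
        print(f"bridge {bridge}: IPv4 on BVI={result['ipv4_on_bvi']}, "
              f"missing IPv6 on {result['missing_ipv6'] or 'nothing'}")
```

Run against a real `show running-config` this points straight at the interface that was left out, which is the check worth doing before the next round of "add it here, nope" on a live router.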
Add a few ACLs (via ipv6 inspect and ipv6 access-list/traffic-filter) and we're good to go.
psas-macbook-pro:~ psa$ traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:b002::68), 30 hops max, 12 byte packets
1 2001:470::1 1.754 ms 1.005 ms 0.951 ms
2 hurdboy.tunnel.tserv2.fmt.ipv6.he.net 23.486 ms 23.25 ms 24.015 ms
3 1g-3-9.core1.fmt1.ipv6.he.net 21.41 ms 30.676 ms 29.087 ms
4 10gigabitethernet1-2.core1.sjc2.he.net 24.006 ms 22.048 ms 24.402 ms
5 eqixsjc-v6.google.com 23.339 ms 22.513 ms 22.583 ms
6 * * *
7 2001:4860:b002::68 101.545 ms 101.264 ms *
For others, here's my minimally stripped configuration (no, you don't get to peek at my access lists):
Current configuration : 11738 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER_NAME
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-22.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3426617278
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3426617278
revocation-check none
rsakeypair TP-self-signed-3426617278
!
!
crypto pki certificate chain TP-self-signed-3426617278
certificate self-signed 01
LONG STRING
quit
dot11 syslog
!
dot11 ssid No network selected
vlan 16
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 MY_PRIVATE_PSK
!
dot11 ssid OTOH
vlan 64
authentication open
authentication key-management wpa
wpa-psk ascii 7 MY_GUEST_PSK
!
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool otoh
network VLAN_32_IP 255.255.255.0
bootfile nbp.SUNW.i86pc
next-server BOOT_SERVER
default-router VLAN_32_IP
dns-server 64.81.79.2 216.231.41.2
domain-name otoh.org
!
ip dhcp pool wireless
network VLAN_64_IP 255.255.255.0
dns-server 64.81.79.2 216.231.41.2
domain-name otoh.org
default-router VLAN_64_ROUTER
!
ip dhcp pool ip5200r
host IP5200_ADDR 255.255.255.0
hardware-address 0000.855e.8241
client-name ip5200r
!
ip dhcp pool vlan16
network VLAN_16 255.255.255.0
dns-server 64.81.79.2 216.231.41.2
domain-name otoh.org
default-router VLAN_16_ROUTER
!
!
ip cef
no ip bootp server
ip domain name otoh.org
ip name-server 64.81.79.2
ip name-server 216.231.41.2
ip ips notify SDEE
ip inspect name external-out dns
ip inspect name external-out tcp
ip inspect name external-out udp
ip inspect name external-out ntp
ip inspect name external-out imaps
ip inspect name external-out pptp
ip inspect name external-out isakmp
ip inspect name external-out ssh
ip inspect name external-out snmp
ip inspect name external-out icmp
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name ipv6-inspect icmp
ipv6 inspect name ipv6-inspect ftp
ipv6 inspect name ipv6-inspect tcp
ipv6 inspect name ipv6-inspect udp
ipv6 dhcp pool otoh.org
domain-name otoh.org
!
!
multilink bundle-name authenticated
!
!
!
!
no spanning-tree vlan 4
no spanning-tree vlan 8
no spanning-tree vlan 16
no spanning-tree vlan 64
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel
no ip address
ipv6 address TUNNEL_ROUTE/64
ipv6 enable
ipv6 traffic-filter ipv6-tunnel0-in in
ipv6 inspect ipv6-inspect out
tunnel source EXTERNAL_IP
tunnel destination HE_ROUTER
tunnel mode ipv6ip
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
no ip mroute-cache
snmp trap ip verify drop-rate
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
!
bundle atm
!
bridge-group 1
hold-queue 224 in
!
interface FastEthernet0
description Server Bridged Interface
switchport access vlan 4
no cdp enable
!
interface FastEthernet1
description DMZ server
switchport access vlan 4
no cdp enable
hold-queue 100 out
!
interface FastEthernet2
description DMZ server
switchport access vlan 4
no cdp enable
!
interface FastEthernet3
switchport access vlan 8
no cdp enable
!
interface Dot11Radio0
description Wireless
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
snmp trap ip verify drop-rate
no dot11 extension aironet
!
encryption vlan 64 mode ciphers aes-ccm
!
encryption vlan 16 mode ciphers aes-ccm
!
broadcast-key vlan 64 change 45
!
broadcast-key vlan 16 change 45
!
!
ssid No network selected
!
ssid OTOH
!
speed basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country US both
ipv6 address 2001:470:D16::1/64
ipv6 enable
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
no cdp enable
!
interface Dot11Radio0.16
encapsulation dot1Q 16
ip flow ingress
ipv6 address 2001:470:E16::1/64
ipv6 enable
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
no cdp enable
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 spanning-disabled
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
!
interface Dot11Radio0.64
encapsulation dot1Q 64
ip flow ingress
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan16
description Private wireless VLAN
no ip address
ipv6 address 2001:470:F16::1/64
ipv6 enable
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
bridge-group 16
!
interface Vlan4
description Bridged VLAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
!
interface Vlan8
description Wired Lan
ip address INTERNAL_IP 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:32::1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
!
interface Vlan64
description Guest Wireless VLAN
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
snmp trap ip verify drop-rate
bridge-group 64
!
interface BVI16
ip address INTERNAL_IP 255.255.255.0
ip verify unicast reverse-path
ip flow ingress
ip nat inside
ip virtual-reassembly
snmp trap ip verify drop-rate
ipv6 address 2001:470:16::1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
!
interface BVI1
ip address EXTERNAL_IP 255.255.255.0
ip access-group 107 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect external-out out
ip virtual-reassembly
!
interface BVI64
ip address INTERNAL_IP 255.255.255.0
ip verify unicast reverse-path
ip flow ingress
ip nat inside
ip virtual-reassembly
snmp trap ip verify drop-rate
ipv6 address 2001:470:64::1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server otoh.org
ipv6 inspect ipv6-inspect in
!
ip default-gateway UPSTREAM_ROUTER
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 UPSTREAM_ROUTER
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip nat inside source list 1 interface BVI1 overload
!
logging trap debugging
logging my-log-host-ip
access-list 1 permit INTERNAL_IP_RANGE 0.0.0.255
access-list 1 remark NAT ACL
access-list 10 permit SNMP_HOST 0.0.0.7
access-list 10 remark SNMP
access-list 107 remark BVI1 inbound
access-list 107 deny ip host ROUTER any
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 224.0.0.0 31.255.255.255 any
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any packet-too-big
access-list 107 permit icmp any any unreachable
access-list 107 permit icmp any host EXTERNAL_IP echo
access-list 107 permit udp host HOST_A host HOST_B eq snmp
access-list 107 deny ip any any
snmp-server community SNMP_COMMUNITY RO 10
no cdp run
ipv6 route 2001:470::/48 Tunnel0
ipv6 route ::/0 Tunnel0
!
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
ipv6 access-list ipv6-tunnel0-in
permit icmp any any
deny ipv6 any any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 16 protocol ieee
bridge 16 route ip
bridge 64 protocol ieee
bridge 64 route ip
banner login ^C
This is a private server.
Unauthorized access is forbidden. Log off now!
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 64.209.210.20
ntp server 66.148.71.103
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
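The Tunnel0 section above pairs a static inbound filter (`ipv6 traffic-filter ipv6-tunnel0-in in`, which permits only ICMPv6) with stateful inspection of what leaves (`ipv6 inspect ipv6-inspect out`). The following is an added Python model of that pairing, not code from the post or from Cisco: it keeps a simplified session table for the inspected protocols and shows why replies to sessions the inside started get in while unsolicited connections do not. The addresses are constructed from documentation prefixes; the FTP helper, timeouts and TCP state tracking of the real inspection engine are assumed away.

```python
"""Model of the Tunnel0 IPv6 policy: inbound ACL plus inspection of outbound sessions.
Added example; the session handling is a simplification of IOS inspection."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp


# The ACL from the config: permit icmp any any, then deny ipv6 any any.
ACL_IN = [("permit", "icmp"), ("deny", "any")]

# Protocols named in `ipv6 inspect name ipv6-inspect ...`; ftp rides on tcp
# and needs an application helper that this model leaves out.
INSPECTED = {"icmp", "tcp", "udp"}


class TunnelPolicy:
    def __init__(self):
        # Simplified session table: 5-tuples as seen from the inside, no timeouts.
        self.sessions = set()

    def outbound(self, pkt):
        """Inside -> tunnel: nothing filters it, but inspection records the session."""
        if pkt.proto in INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        """Tunnel -> inside: a reply to a recorded session bypasses the ACL,
        everything else is matched against the ACL top to bottom."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return True
        for action, proto in ACL_IN:
            if proto in ("any", pkt.proto):
                return action == "permit"
        return False  # IOS access lists end in an implicit deny


def run_demo():
    """Constructed traffic; returns the inbound decisions in order."""
    policy = TunnelPolicy()
    inside, web, dns = "2001:db8:16::10", "2001:db8:ffff::80", "2001:db8:ffff::53"
    stranger = "2001:db8:bad::1"
    policy.outbound(Packet("tcp", inside, 51000, web, 80))
    policy.outbound(Packet("udp", inside, 5353, dns, 53))
    return [
        policy.inbound(Packet("tcp", web, 80, inside, 51000)),      # reply to our session
        policy.inbound(Packet("udp", dns, 53, inside, 5353)),       # answer to our query
        policy.inbound(Packet("tcp", stranger, 40000, inside, 22)),  # unsolicited connection
        policy.inbound(Packet("udp", stranger, 53, inside, 5353)),   # same port, wrong peer
        policy.inbound(Packet("icmp", stranger, 0, inside, 0)),      # ICMPv6 via the ACL
    ]


if __name__ == "__main__":
    print(run_demo())  # [True, True, False, False, True]
```

Two things this makes visible. It is the inspection state, not the ACL, that lets return traffic in: remove `ipv6 inspect` from Tunnel0 and outbound connections still leave but every reply is dropped by `deny ipv6 any any`, which is the first thing to check when IPv6 "goes out but nothing comes back". And `permit icmp any any` admits every ICMPv6 type from anywhere, which is broader than the IPv4 list 107 above that names only echo-reply, time-exceeded, packet-too-big and unreachable; tightening it to the types neighbour discovery and path MTU discovery need is the obvious follow-up.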