Looking for IPv6 config for the Cisco IOS router? Here it is!
Here is an example of the Comcast IPv6 config I have at home. The router has three GigE interfaces: g0/0 is the LAN, and g0/2 connects to the Comcast cable modem, which is in bridge mode.
The router gets a /56 IPv6 prefix via DHCPv6 Prefix Delegation and uses it to assign an address on the internal g0/0 interface. It also assigns a separate /64 subnet on the g0/1 interface, where all of my IPv6 servers are connected. I rely on Google DNS instead of Comcast's.
A basic management access list blocks inbound SSH connections from subnets that are not whitelisted.
router#show running-config
Building configuration...
Current configuration : 3497 bytes
!
! Platform and baseline services. Every stored credential in this listing is a
! type-5 secret ($1$ = salted MD5 hash); nothing below relies on type-7
! password obfuscation.
upgrade fpd auto
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 encryption is off; harmless here because the credentials are
! stored as hashed secrets, not plaintext passwords.
no service password-encryption
!
hostname <my-router>
!
boot-start-marker
boot system disk0:/ciscoXXXX.bin
boot-end-marker
!
logging message-counter syslog
! Placeholder hash in the published listing.
enable secret 5 $1$secret
!
! AAA is enabled but no 'aaa authentication' method lists are defined, so
! logins presumably fall back to the local username database - confirm.
aaa new-model
!
!
!
!
aaa session-id common
! Drop IPv4 packets carrying source-route options.
no ip source-route
ip cef
!
!
!
! IPv4: the router is the DHCP server and default gateway for the LAN,
! handing out Google DNS rather than Comcast's.
ip dhcp pool homenet
network 10.0.1.0 255.255.255.0
domain-name domain.net
dns-server 8.8.8.8 8.8.4.4
default-router 10.0.1.1
!
!
ip domain name domain.net
! Required for the router to forward IPv6 between interfaces.
ipv6 unicast-routing
ipv6 cef
! Stateless DHCPv6: the pool carries only DNS and domain, no address-prefix,
! so hosts derive their addresses via SLAAC from the RA on g0/0 and use
! DHCPv6 only for the "other configuration" information.
ipv6 dhcp pool homenet6
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
domain-name domain.net
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Single local admin account at privilege 15 (hash is a placeholder here).
! With aaa new-model and no explicit method lists this is presumably what
! the VTY logins authenticate against - confirm.
username admin privilege 15 secret 5 $1$adminpassword//
! Log every configuration change and mask keys/passwords in those entries.
archive
log config
hidekeys
!
!
!
!
!
ip tcp ecn
ip tcp path-mtu-discovery
! SSHv2 only; SSHv1 clients are refused.
ip ssh version 2
!
!
!
!
! LAN side. IPv4 is NATed; IPv6 is global (a /64 of the delegated prefix)
! and there is no ipv6 traffic-filter on this interface, so LAN hosts are
! only as protected as whatever IPv6 filtering exists on the WAN interface.
interface GigabitEthernet0/0
description <<home network>>
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
! Subnet 0 of the general-prefix 'comcast' learned via DHCPv6-PD on g0/2;
! the router takes ::1.
ipv6 address comcast ::1/64
! Sets the O flag in RAs: hosts SLAAC their address and ask DHCPv6
! (pool homenet6) only for DNS/domain.
ipv6 nd other-config-flag
ipv6 dhcp server homenet6
!
! Second LAN segment (a different /64 of the delegated prefix, fourth hextet
! = 1). It is currently 'shutdown', which does not match the prose describing
! it as the IPv6 server segment - confirm which is intended. Unlike g0/0 it
! has no other-config-flag and no DHCPv6 server, so if enabled, hosts here
! would SLAAC an address but get no DNS from this router.
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
ipv6 address comcast ::1:0:0:0:1/64
!
! WAN side toward the Comcast modem (bridge mode). IPv4 ingress has the
! internet_in bogon/ICMP filter; there is NO inbound IPv6 filter (no
! 'ipv6 traffic-filter'), so every IPv6 packet from the Internet is
! forwarded to the globally addressed hosts on g0/0 and g0/1. Only the VTYs
! are covered, via their access-class. NOTE(review): an inbound ipv6
! traffic-filter here (allowing the ICMPv6 that neighbor discovery and PMTUD
! need, DHCPv6 client replies, return traffic and the intended services)
! would give IPv6 the protection IPv4 gets incidentally from NAT.
interface GigabitEthernet0/2
description <<comcast cable modem>>
ip address dhcp
ip access-group internet_in in
! No ICMP unreachables from this interface: less feedback to scanners, but
! it also suppresses the 'fragmentation needed' messages this router would
! otherwise send - relevant if this hop ever has to fragment.
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
! Router's own WAN address via stateful DHCPv6 (two-message rapid-commit).
ipv6 address dhcp rapid-commit
! Also autoconfigures from Comcast's RA and installs a default route from it.
ipv6 address autoconfig default
ipv6 enable
! Hint only - the server decides the size actually delegated (the prose
! above reports a /56 while the hint asks for a /60).
ipv6 dhcp client pd hint ::/60
! Delegated prefix stored as general-prefix 'comcast', referenced by the
! 'ipv6 address comcast ...' lines on g0/0 and g0/1.
ipv6 dhcp client pd comcast rapid-commit
! No CDP toward the ISP.
no cdp enable
!
! Unused, administratively down.
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
ip forward-protocol nd
! Web management disabled in both clear and TLS forms; SSH is the only
! management path.
no ip http server
no ip http secure-server
!
!
! PAT: sources matched by access-list 10 share g0/2's DHCP-learned address.
ip nat inside source list 10 interface GigabitEthernet0/2 overload
!
! VTY source filter: only the LAN /24 may open management sessions; all
! other sources are denied and logged. Applied with 'access-class' under
! the vty lines, so it governs SSH to the router itself, not transit.
ip access-list standard remote_management
permit 10.0.1.0 0.0.0.255 log
deny any log
!
! Inbound on the WAN interface. Bogon sources are dropped, then selected
! ICMP types, then everything else is permitted - for IPv4 the private LAN
! is reached only through NAT, so this is source hygiene and router
! self-protection rather than a stateful firewall.
ip access-list extended internet_in
! "this" network, RFC 1918 (10/8, 172.16/12), CGNAT 100.64/10, loopback,
! link-local
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
! IETF protocol assignments (192.0.0.0/24), TEST-NET-1/2/3, 192.168/16,
! benchmarking 198.18/15
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
! 224/3: multicast and the former class E space
deny ip 224.0.0.0 31.255.255.255 any
! Drop and log probe-style ICMP. Unreachables (incl. fragmentation-needed
! for PMTUD) and echo replies still pass via the final permit. Logging every
! echo from the Internet can be chatty; consider dropping 'log' on that line
! if the syslog volume becomes a problem.
deny icmp any any echo log
deny icmp any any redirect log
deny icmp any any timestamp-request log
deny icmp any any information-request log
deny icmp any any mask-request log
permit ip any any
!
! NAT source list. 10.0.0.0/24 is not configured on any interface in this
! listing and looks like a leftover; only 10.0.1.0/24 is in use.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255
!
!
!
!
!
!
! IPv6 counterpart of remote_management, used only as a VTY access-class
! (it is not a traffic-filter on any interface). The name's 'mangement'
! misspelling is consistent with both 'ipv6 access-class' references below,
! so it resolves; the permitted /64 is a placeholder in this listing.
ipv6 access-list remote_mangement_v6
permit ipv6 dead:beef:c0ff:D0::/64 any
deny ipv6 any any log
!
! Empty control-plane section: no CoPP policy is attached, so router-bound
! traffic is limited only by the interface ACL and the VTY access-classes.
control-plane
!
!
!
!
!
!
!
! H.323 gatekeeper disabled.
gatekeeper
shutdown
!
!
! Console and AUX: no 'transport input' is shown, so the IOS default
! applies; login on them goes through aaa new-model like the VTYs. If no
! modem is attached to AUX, 'transport input none' would close that path.
line con 0
transport output all
stopbits 1
line aux 0
transport output all
stopbits 1
! All 16 VTYs: SSH only, with both the IPv4 and IPv6 management ACLs as
! access-class. No exec-timeout is set, so the platform default applies.
line vty 0 4
access-class remote_management in
ipv6 access-class remote_mangement_v6 in
transport input ssh
transport output all
line vty 5 15
access-class remote_management in
ipv6 access-class remote_mangement_v6 in
transport input ssh
transport output all
!
end
Here is an example of the Comcast IPv6 config I have at home. The router has three GigE interfaces: g0/0 is the LAN, and g0/2 connects to the Comcast cable modem, which is in bridge mode.
The router gets a /56 IPv6 prefix via DHCPv6 Prefix Delegation and uses it to assign an address on the internal g0/0 interface. It also assigns a separate /64 subnet on the g0/1 interface, where all of my IPv6 servers are connected. I rely on Google DNS instead of Comcast's.
A basic management access list blocks inbound SSH connections from subnets that are not whitelisted.
router#show running-config
Building configuration...
Current configuration : 3497 bytes
!
! Platform and baseline services. Every stored credential in this listing is a
! type-5 secret ($1$ = salted MD5 hash); nothing below relies on type-7
! password obfuscation.
upgrade fpd auto
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 encryption is off; harmless here because the credentials are
! stored as hashed secrets, not plaintext passwords.
no service password-encryption
!
hostname <my-router>
!
boot-start-marker
boot system disk0:/ciscoXXXX.bin
boot-end-marker
!
logging message-counter syslog
! Placeholder hash in the published listing.
enable secret 5 $1$secret
!
! AAA is enabled but no 'aaa authentication' method lists are defined, so
! logins presumably fall back to the local username database - confirm.
aaa new-model
!
!
!
!
aaa session-id common
! Drop IPv4 packets carrying source-route options.
no ip source-route
ip cef
!
!
!
! IPv4: the router is the DHCP server and default gateway for the LAN,
! handing out Google DNS rather than Comcast's.
ip dhcp pool homenet
network 10.0.1.0 255.255.255.0
domain-name domain.net
dns-server 8.8.8.8 8.8.4.4
default-router 10.0.1.1
!
!
ip domain name domain.net
! Required for the router to forward IPv6 between interfaces.
ipv6 unicast-routing
ipv6 cef
! Stateless DHCPv6: the pool carries only DNS and domain, no address-prefix,
! so hosts derive their addresses via SLAAC from the RA on g0/0 and use
! DHCPv6 only for the "other configuration" information.
ipv6 dhcp pool homenet6
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
domain-name domain.net
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Single local admin account at privilege 15 (hash is a placeholder here).
! With aaa new-model and no explicit method lists this is presumably what
! the VTY logins authenticate against - confirm.
username admin privilege 15 secret 5 $1$adminpassword//
! Log every configuration change and mask keys/passwords in those entries.
archive
log config
hidekeys
!
!
!
!
!
ip tcp ecn
ip tcp path-mtu-discovery
! SSHv2 only; SSHv1 clients are refused.
ip ssh version 2
!
!
!
!
! LAN side. IPv4 is NATed; IPv6 is global (a /64 of the delegated prefix)
! and there is no ipv6 traffic-filter on this interface, so LAN hosts are
! only as protected as whatever IPv6 filtering exists on the WAN interface.
interface GigabitEthernet0/0
description <<home network>>
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
! Subnet 0 of the general-prefix 'comcast' learned via DHCPv6-PD on g0/2;
! the router takes ::1.
ipv6 address comcast ::1/64
! Sets the O flag in RAs: hosts SLAAC their address and ask DHCPv6
! (pool homenet6) only for DNS/domain.
ipv6 nd other-config-flag
ipv6 dhcp server homenet6
!
! Second LAN segment (a different /64 of the delegated prefix, fourth hextet
! = 1). It is currently 'shutdown', which does not match the prose describing
! it as the IPv6 server segment - confirm which is intended. Unlike g0/0 it
! has no other-config-flag and no DHCPv6 server, so if enabled, hosts here
! would SLAAC an address but get no DNS from this router.
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
ipv6 address comcast ::1:0:0:0:1/64
!
! WAN side toward the Comcast modem (bridge mode). IPv4 ingress has the
! internet_in bogon/ICMP filter; there is NO inbound IPv6 filter (no
! 'ipv6 traffic-filter'), so every IPv6 packet from the Internet is
! forwarded to the globally addressed hosts on g0/0 and g0/1. Only the VTYs
! are covered, via their access-class. NOTE(review): an inbound ipv6
! traffic-filter here (allowing the ICMPv6 that neighbor discovery and PMTUD
! need, DHCPv6 client replies, return traffic and the intended services)
! would give IPv6 the protection IPv4 gets incidentally from NAT.
interface GigabitEthernet0/2
description <<comcast cable modem>>
ip address dhcp
ip access-group internet_in in
! No ICMP unreachables from this interface: less feedback to scanners, but
! it also suppresses the 'fragmentation needed' messages this router would
! otherwise send - relevant if this hop ever has to fragment.
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
! Router's own WAN address via stateful DHCPv6 (two-message rapid-commit).
ipv6 address dhcp rapid-commit
! Also autoconfigures from Comcast's RA and installs a default route from it.
ipv6 address autoconfig default
ipv6 enable
! Hint only - the server decides the size actually delegated (the prose
! above reports a /56 while the hint asks for a /60).
ipv6 dhcp client pd hint ::/60
! Delegated prefix stored as general-prefix 'comcast', referenced by the
! 'ipv6 address comcast ...' lines on g0/0 and g0/1.
ipv6 dhcp client pd comcast rapid-commit
! No CDP toward the ISP.
no cdp enable
!
! Unused, administratively down.
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
ip forward-protocol nd
! Web management disabled in both clear and TLS forms; SSH is the only
! management path.
no ip http server
no ip http secure-server
!
!
! PAT: sources matched by access-list 10 share g0/2's DHCP-learned address.
ip nat inside source list 10 interface GigabitEthernet0/2 overload
!
! VTY source filter: only the LAN /24 may open management sessions; all
! other sources are denied and logged. Applied with 'access-class' under
! the vty lines, so it governs SSH to the router itself, not transit.
ip access-list standard remote_management
permit 10.0.1.0 0.0.0.255 log
deny any log
!
! Inbound on the WAN interface. Bogon sources are dropped, then selected
! ICMP types, then everything else is permitted - for IPv4 the private LAN
! is reached only through NAT, so this is source hygiene and router
! self-protection rather than a stateful firewall.
ip access-list extended internet_in
! "this" network, RFC 1918 (10/8, 172.16/12), CGNAT 100.64/10, loopback,
! link-local
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
! IETF protocol assignments (192.0.0.0/24), TEST-NET-1/2/3, 192.168/16,
! benchmarking 198.18/15
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
! 224/3: multicast and the former class E space
deny ip 224.0.0.0 31.255.255.255 any
! Drop and log probe-style ICMP. Unreachables (incl. fragmentation-needed
! for PMTUD) and echo replies still pass via the final permit. Logging every
! echo from the Internet can be chatty; consider dropping 'log' on that line
! if the syslog volume becomes a problem.
deny icmp any any echo log
deny icmp any any redirect log
deny icmp any any timestamp-request log
deny icmp any any information-request log
deny icmp any any mask-request log
permit ip any any
!
! NAT source list. 10.0.0.0/24 is not configured on any interface in this
! listing and looks like a leftover; only 10.0.1.0/24 is in use.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255
!
!
!
!
!
!
! IPv6 counterpart of remote_management, used only as a VTY access-class
! (it is not a traffic-filter on any interface). The name's 'mangement'
! misspelling is consistent with both 'ipv6 access-class' references below,
! so it resolves; the permitted /64 is a placeholder in this listing.
ipv6 access-list remote_mangement_v6
permit ipv6 dead:beef:c0ff:D0::/64 any
deny ipv6 any any log
!
! Empty control-plane section: no CoPP policy is attached, so router-bound
! traffic is limited only by the interface ACL and the VTY access-classes.
control-plane
!
!
!
!
!
!
!
! H.323 gatekeeper disabled.
gatekeeper
shutdown
!
!
! Console and AUX: no 'transport input' is shown, so the IOS default
! applies; login on them goes through aaa new-model like the VTYs. If no
! modem is attached to AUX, 'transport input none' would close that path.
line con 0
transport output all
stopbits 1
line aux 0
transport output all
stopbits 1
! All 16 VTYs: SSH only, with both the IPv4 and IPv6 management ACLs as
! access-class. No exec-timeout is set, so the platform default applies.
line vty 0 4
access-class remote_management in
ipv6 access-class remote_mangement_v6 in
transport input ssh
transport output all
line vty 5 15
access-class remote_management in
ipv6 access-class remote_mangement_v6 in
transport input ssh
transport output all
!
end