IPv6 over IPv4 Tunnels

Kenny Taylor, CCNA
September 13, 2008

A problem has been looming over the internet for the past 15 years or so.  We're bound to run out of IPv4 addresses, and it's going to happen soon.  Many organizations are predicting exhaustion of IPv4 address space around 2010.  IPv4 supports 2^32 (or 4,294,967,296) addresses.  In reality, only 3,723,427,840 of those addresses are usable due to reserved blocks (multicast, private RFC 1918 addresses, etc.).  IPv6 solves this problem by giving us a 128-bit address space, resulting in roughly 3.4 x 10^38 addresses.  That works out to 5 x 10^28 addresses per person on Earth.  That should hold us over for a while..

So why and how do we adopt IPv6?  Sometime in 2010, the IANA's address pool will be exhausted.  When that happens, regional registries such as ARIN and RIPE will have no choice but to deny requests for new allocations.  This will push new customers to accept only IPv6 assignments.  Sometime before this happens, we need to add IPv6 support to our publicly-available business systems (primarily HTTP, SMTP, and DNS).  Of course, it's never that simple..

Tier 1 internet providers have begun deploying IPv6 alongside IPv4, but very few local providers offer IPv6 service at this time.  The popular solution now is to employ IPv6-in-IPv4 tunnels.  This allows IPv6 to be routed from your router, across your ISP's IPv4 network, to a larger provider that supports IPv6.  There are several providers, but I prefer Hurricane Electric and SixXS because they have a good selection of endpoints in the United States.  If your Cisco router has a public IPv4 address, the tunnel is surprisingly easy to set up.

Tunnel brokers offer three subnet choices:  /64, /56, and /48.  If you plan to connect a single host, a /64 is sufficient.  This allocates 64 bits to the subnet prefix (provided by the broker), and 64 bits to host addresses.  If you need to share your IPv6 connection with your network, you will need a second subnet.  Your original /64 functions as a point-to-point subnet, and you'll assign part of your /56 or /48 to your LAN interface.  Brokers offer a /56 allocation (256 x /64 subnets) and a /48 allocation (65536 x /64 subnets).

To set up your first IPv6 tunnel, there are a few easy steps:

1) Sign up with a tunnel broker--it's free.  I prefer Hurricane Electric because it does not penalize you if your tunnel goes offline.

2) Add the virtual tunnel interface to your router:

configure terminal
interface Tunnel0
    description Hurricane Electric IPv6 Tunnel
    no ip address
    ipv6 enable
    ipv6 address <your ipv6 address, provided by the broker>/64
    tunnel source <your router's public IPv4 address>
    tunnel destination <the broker's IPv4 endpoint>
    tunnel mode ipv6ip
    exit
ipv6 route ::/0 Tunnel0
end
write

3) Now test the configuration from the IOS command line.  You can ping my web server at 2001:470:c:1b3::2

ping 2001:470:c:1b3::2
output interface: tunnel0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:c:1b3::2, timeout is 2 seconds:
Packet sent with source address of <your IPv6 address>
!!!!!
Success rate is 100 percent (5/5), round trip min/avg/max = 4/5/8 ms

4) Assign part of your /48 or /56 subnet to your LAN interface.  Assume that your broker gave you 2001:470:12::/48

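configure terminal
! Required so the router forwards IPv6 and sends router advertisements on the LAN
ipv6 unicast-routing
interface ethernet0/0
    ipv6 enable
    ipv6 address 2001:470:12::1/64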

Notice we only assigned one /64 subnet to the LAN interface.  This leaves other /64 subnets available for other interfaces.  At this point, fire up one of your PCs, make sure that IPv6 is enabled, and your PC will automatically pick up an IPv6 address with a 2001:470:12::/64 prefix.

Sweet!

Now that you've extended IPv6 into your network, there are a couple of things to bear in mind.

1) There is no NAT in IPv6.  Every IPv6 address is fully exposed to the internet.  If you have sensitive services on your LAN that need to be protected, you will need to implement IPv6 access lists on your router to control what can be accessed from the outside.

2) IPv6 addresses are auto-configured by default.  When a system joins the network, it listens for an IPv6 prefix sent in a router advertisement.  This 64-bit prefix is combined with the device's 48-bit MAC address (plus a few extra bytes) to generate a globally unique IPv6 address--with no intervention from the user, and no DHCP server!
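
One way to implement the access lists from point 1, as an added example that is not part of the original article: a reflexive IPv6 filter on Tunnel0 that lets LAN hosts open sessions outward and drops unsolicited inbound traffic. The ACL names V6-OUT, V6-IN and V6-STATE and the server address 2001:470:12::10 are hypothetical; the LAN prefix is the 2001:470:12::/64 assigned in step 4.

```cisco
! Added example. V6-OUT, V6-IN, V6-STATE and 2001:470:12::10 are hypothetical.
configure terminal
!
! Outbound: record sessions opened by LAN hosts in the reflexive list V6-STATE
ipv6 access-list V6-OUT
    permit tcp 2001:470:12::/64 any reflect V6-STATE
    permit udp 2001:470:12::/64 any reflect V6-STATE
    permit icmp 2001:470:12::/64 any
!
! Inbound: only replies to recorded sessions, required ICMPv6, published services
ipv6 access-list V6-IN
    ! Return traffic for sessions recorded by V6-OUT
    evaluate V6-STATE
    ! ICMPv6 that IPv6 depends on (path MTU discovery, error reporting)
    permit icmp any any packet-too-big
    permit icmp any any destination-unreachable
    permit icmp any any time-exceeded
    permit icmp any any parameter-problem
    ! Replies to pings sent from the router or the LAN
    permit icmp any any echo-reply
    ! Neighbor discovery; an explicit deny below overrides the implicit permits
    permit icmp any any nd-ns
    permit icmp any any nd-na
    ! Publish only what is meant to be public (constructed server address)
    permit tcp any host 2001:470:12::10 eq 80
    ! Everything else from the internet is dropped and logged
    deny ipv6 any any log
!
interface Tunnel0
    ipv6 traffic-filter V6-OUT out
    ipv6 traffic-filter V6-IN in
    exit
end
```

`show ipv6 access-list V6-IN` lists the match counters per entry, which shows what the final deny is catching.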