Community ForumCommunity Wiki * Blog Home  * Log in
« »

Achieving IPv6 Internet-Connectivity Using 6in4

posted in Cisco Networking, Technical
by on May 11th, 2009 tags: ,

This is the first of what I hope to be many blog posts on the new Networking Forum Blog.

Basic Info

In this post I will focus on transitioning your home (or any other small network using Cisco hardware) to a network that is IPv6-ready, something I believe to be very important these days. The following explanation will be using the “dual stack” transition method where most or all hosts on the network can and will operate using IPv6 or IPv4 concurrently. In addition, this post assumes a familiarity with IPv6 in general; so rather than delving into the theory, I will mainly present practical considerations.

It would behoove us to realize that a staggering majority of ISPs in the United States do not offer native IPv6 connectivity. With that in mind, we’ll need to connect to the IPv6 internet through a 6in4 tunnel. There are many companies out there that provide a “tunnel broker” service to allow disparate IPv6-capable networks to connect over 6in4 tunnels. One such company is Hurricane Electric, or HE (, the tunnel broker of choice for many connecting to the IPv6 Internet.

Hurricane Electric provides a no-cost tunnel broker service in addition to handing out large chunks of IPv6 address space to tunneling clients who ask. With that being said, the very first thing you should do is set up an account with a tunnel broker and request a chunk of address space (most-likely a /48). Typically the tunnel broker will give you an IPv4 address to which you can connect to set up an initial 6in4 tunnel.

On a Cisco box you’ll create a tunnel interface where the 6in4 tunnel is established from like so:

interface Tunnel0
no ip address
ipv6 address 2001:470:A:383::2/64
ipv6 enable
tunnel source
tunnel destination
tunnel mode ipv6ip
interface FastEthernet0/1
ip address
ip nat outside

As you can see, is my outside address, and that is where the tunnel is sourced from. is the IPv4 address of the tunnel brokering router on HE’s end. The “tunnel mode ipv6ip” has the tunnel encapsulate IPv6 directly on top of IPv4 rather than use GRE or anything like that. The IPv6 address applied to the Tunnel0 interface is one given to me by HE when signing up for the service. That /64 subnet can be thought of as the point-to-point link that connects you with HE. Considering we’re terminating the tunnel on a router rather than a single host, it’s clear that we’ve got a few more subnets we’d like to address behind the router. In order to do so, we’ll need to request a larger chunk of address space from the tunnel broker.

HE gave me the prefix 2001:470:e8a8::/48 to do what I want with. With that, I have addressed my inside LAN and my DMZ, and I still have 65,533 subnets left (a /48 can fit 65,535 /64s).

interface FastEthernet0/0.2
encapsulation dot1Q 9
ip address
ip nat inside
ipv6 address 2001:470:E8A8::1/64
ipv6 enable
interface FastEthernet0/0.3
encapsulation dot1Q 10
ip address
ip nat inside
ipv6 address 2001:470:E8A8:1::1/64
ipv6 enable

Finally, in order to access the IPv6 Internet through your router, write a default route for all IPv6 addresses to the endpoint of the tunnel and enable IPv6 routing:

ipv6 unicast-routing
ipv6 route ::/0 2001:470:A:383::1


At this point, you should be connected and ready to rock. However, it’s important to keep in mind that the IPv6 Internet is just like the normal Internet in that it’s not to be trusted. Fortunately, we can lock down our router with generally similar measures to IPv4 security using CBAC and IPv6 access-lists.

I have a web server hosted in my DMZ (2001:470:e8a8:1::2/64). I want the server to not be able to initiate traffic to my LAN, but to be able to respond, and then to have unrestricted access to the Internet in addition to locking down access to only port 80 from the Internet. The following config shows how the various parts operate together to make a cohesive solution:

ipv6 inspect name V6_INBOUND tcp timeout 43000
ipv6 inspect name V6_INBOUND udp
ipv6 inspect name V6_INBOUND icmp
interface Tunnel0
ipv6 traffic-filter V6_INBOUND in
ipv6 inspect V6_INBOUND out
interface FastEthernet0/0.3
ipv6 traffic-filter V6_DMZ_OUTBOUND in
ipv6 inspect V6_INBOUND out
ipv6 access-list V6_DMZ_OUTBOUND
deny ipv6 2001:470:E8A8:1::/64 2001:470:E8A8::/64
permit ipv6 2001:470:E8A8:1::/64 any
ipv6 access-list V6_INBOUND
permit tcp any host 2001:470:E8A8:1::2 eq 80
permit icmp any any echo-reply
deny ipv6 any any


At this point, you should have a fully-functional IPv6 gateway. Assuming you had IPv4 configured properly before this, IPv4 and IPv6 will work concurrently. Now you’re ready to test things out. Since the IPv6 Internet is still very much nascent, there isn’t a whole lot out there to mess around with. Google recently jumped on the bandwagon with the launch of, and there are a number of other sites out there dedicated to listing IPv6-compatible websites. It’s important to keep in mind that DNS should work from the get-go as well. IPv6 entries for DNS are known as AAAA records, and are entirely compatible with standard DNS-querying methods. Internet DNS servers will resolve IPv6 addresses properly:

ibarrere@cyclone ~ $ ping6 -n
PING 56 data bytes
64 bytes from 2001:4860:b005::68: icmp_seq=1 ttl=57 time=80.2 ms
64 bytes from 2001:4860:b005::68: icmp_seq=2 ttl=57 time=84.5 ms

As you have seen, my web server is at 2001:470:38a8:1::2 which is also accessible from the IPv6 Internet. Since I don’t have a DNS record for this box, you’ll have to use the IP address to surf to it. Keep in mind that many applications these days mandate a different format when supplied IPv6 addresses rather than DNS names. Typically for an application to understand that it’s being fed an IPv6 address, you wrap the address in brackets (depending on the application, you may also need to give it the “6” flag):

ibarrere@cyclone ~ $ scp -6 foo [2001:470:e8a8:1::2]:bar

The same goes for web browsers, in order to surf to my page, you’ll supply the address like http://[2001:470:e8a8:1::2] to your web browser.

Several other standard functions of our router will also support IPv6 as well. By default, management protocols such as SSH and telnet (if configured) will allow connections to the router’s IPv6 address(es). I also have syslog set up to dump to the IPv6 address of one of my servers:

logging trap debugging
logging host ipv6 2001:470:E8A8:1::2

For the most part, to allow Cisco functions to utilize IPv6, the “ipv6” keyword needs to be added to the standard command somewhere. Unfortunately it’s not always in the same spot, that’s just something we’ll have to get used to.

I certainly hope this was informative and interesting. I look forward to feedback from the user community and certainly hope to polish up my blogging skills for future posts. Thanks for reading!


A thread has been created on the site forum specifically for commenting on this blog post.

8 Responses to “Achieving IPv6 Internet-Connectivity Using 6in4”

  1. Steve

    This is a stellar post! I can’t wait to read it. :)

  2. Vito

    My head hurts.

  3. ibarrere

    Sorry. :(

    Should I keep them shorter in the future? Or not as retarded?

  4. Vito_Corleone

    Nah, it’s great. I’m just tired after work and having trouble wrapping my head around stuff. Thanks dude!

  5. leosv

    hey man, great post!!

  6. Steve

    Ok, now I’ve read it. NICE friggin post man! GJ!

  7. Project

    That’s great. I’m trying this out at home for sure.

    Cheers Ian.

  8. kannies

    Interesting read, good job