Click here to log in.

Home
Articles
Blog
Forum
Register
Login
Contact

IPv6 Configuration

This section explains how to enable and configure IPv6 on Firewall Services Module (FWSM). IPv6 is available in routed firewall mode only.

IPv6-Enabled Commands:

capture, configure,copy,http, name, object-group, ping, show conn, show local-host,show tcpstat, ssh, telnet, tftp-server,who, write

Note: Failover does not support IPv6. The ipv6 address command does not support setting standby addresses for failover configurations. The failover interface ip command does not support using IPv6 addresses on the failover and Stateful Failover interfaces.

When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The FWSM correctly recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square brackets ([ ]) in the following situations:

  • You need to specify a port number with the address, for example [fe80::2e0:b6ff:fe01:3b7a]:8080.
  • The command uses a colon as a separator, such as the write net and config net commands. For example, configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/pixconfig.
The following commands were change to work for IPv6:

debug, fragment, ip verify, mtu icmp (entered as ipv6 icmp)

The following inspection engines support IPv6:

FTP, HTTP, ICMP,SMTP, SIP, TCP, UDP

Configuring IPv6 on an Interface

Note:FWSM does not support IPv6 anycast addresses. You can configure both IPv6 and IPv4 addresses on an interface. You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).

Execute the following to configure IPv6 on an interface:

  1. Enter interface configuration mode for the interface for which you are configuring the IPv6 addresses: hostname(config)# interface interface_name
  2. Configure an IPv6 address for the interface. You can assign several IPv6 addresses to an interface, such as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a link-local address.

A number of methods available in configuring IPv6 addresses for an interface. Select the method that ensemble your needs:

  • The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled. To enable stateless autoconfiguration, enter the following command: hostname(config-if)# ipv6 address autoconfig
  • If you only need to configure a link-local address on the interface and are not going to assign any other IPv6 addresses to the interface, you have the option of manually defining the link-local address or generating one based on the interface MAC address (Modified EUI-64 format). Enter the following command to manually specify the link-local address: hostname(config-if)# ipv6 address ipv6-address link-local Enter the following command to enable IPv6 on the interface and automatically generate the link-local address using the Modified EUI-64 interface ID based on the interface MAC address: hostname(config-if)# ipv6 enable

    Note: You do not need to use the ipv6 enable command if you enter any other ipv6 address commands on an interface; IPv6 support is automatically enabled as soon as you assign an IPv6 address to the interface

  • Assign a site-local or global address to the interface. When you assign a site-local or global address, a link-local address is automatically created. Enter the following command to add a global or site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address. hostname(config-if)# ipv6 address ipv6-address [eui-64]

Configuring a Dual IP Stack on an Interface

Because FWSM supports the configuration of both IPv6 and IPv4 on an interface, you do not need to enter any special commands to do so. Merely enter the IPv4 configuration commands and IPv6 configuration commands as you usually would. Make sure you configure the default route for both IPv4 and IPv6.

Configuring IPv6 Duplicate Address Detection

Through the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces. This means that the new addresses remain in a provisional state while duplicate address detection is still performed. Duplicate address detection is performed first on the new link-local address.

When the link local address is verified as unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the interface. Duplicate address detection is suspended on interfaces that are administratively down. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.

When a duplicate address is identified, the state of the address is set to duplicate and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message is issued. If the duplicate address is a global address of the interface, the address is not used and an error message is issued. However, all configuration commands associated with the duplicate address remain as configured while the state of the address is set to duplicate.

If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated. FWSM uses neighbor solicitation messages to perform duplicate address detection. By default, the number of times an interface performs duplicate address detection is 1. To change the number of duplicate address detection attempts, enter the following command: hostname(config-if)# ipv6 nd dad attempts value

The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate address detection on the interface. When you configure an interface to send out more than one duplicate address detection attempt, you can also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation messages are sent out. By default, they are sent out once every 1000 milliseconds. To change the neighbor solicitation message interval, enter the following command: Hostname(config-if)# ipv6 nd ns-interval value

The value argument can be from 1000 to 3600000 milliseconds.

Note: Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.

Configuring IPv6 Default and Static Routes

IPv6 unicast routing is always enabled. FWSM routes IPv6 traffic between interfaces as long as the interfaces are enabled for IPv6 and the IPv6 access lists allow the traffic. You can add a default route and static routes using the ipv6 route command.

Follow the steps below to configure an IPv6 default route and static routes:

  • Use the following command to add the default route: hostname(config)# ipv6 route interface_name ::/0 next_hop_ipv6_addr The address ::/0 is the IPv6 equivalent of "any."
  • Define IPv6 static routes. Use the following command to add an IPv6 static route to the IPv6 routing table: (Note: this step is optional) hostname(config)# ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]

    Note: The ipv6 route command works like the route command used to define IPv4 static routes.

Configuring IPv6 Access Lists

Do the following to configure an IPv6 access list:

  • Generate an access entry. To generate an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose, one for creating access list entries distinctively for ICMP traffic, and one to create access list entries for all other types of IP traffic.
    1. To create an IPv6 access list entry specifically for ICMP traffic, enter the following command: hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source destination [icmp_type]
    2. To create an IPv6 access list entry, enter the following command: hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source [src_port] destination [dst_port]

      The following explains the arguments for the ipv6 access-list command:

      • id-the name of the access list.
      • line num-specifies the line number in the list where the entry should appear.
      • permit | deny-determines whether the specified traffic is blocked or allowed to pass.
      • icmp-indicates that the access list entry applies to ICMP traffic.
      • Protocol- specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. You can identify a protocol object group using object-group grp_id.
      • source and destination-specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
      • src_port and dst_port- the source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
      • icmp_type- specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals. You can specify an ICMP object group using object-group id.
  • To apply the access list to an interface, enter the following command: hostname(config)# access-group access_list_name {in | out} interface if_name

Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery method uses ICMPv6 messages and solicited-node multicast addresses to verify the link-layer address of a neighbor on the local link which confirm the attainability of a neighbor and keep track of neighboring routers.

  1. Configuring Neighbor Solicitation Messages

    Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is sent to the solicited-node multicast address. The source address in the neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation message also includes the link-layer address of the source node.

    After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICPMv6 Type 136) on the local link. The source address in the neighbor advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message.

    After the source node receives the neighbor advertisement, the source node and destination node can communicate, it then shows the neighbor solicitation and response process.

    To configure the neighbor solicitation message interval and neighbor reachable time on a per-interface basis, try to do the following:

    • Configuring the Neighbor Solicitation Message Interval To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the following command: hostname(config-if)# ipv6 nd ns-interval value Valid values for the value argument range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds. This setting is also sent in router advertisement messages.
    • Configuring the Neighbor Reachable Time The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after an attainable confirmation event has occurred, enter the following command: hostname(config-if)# ipv6 nd reachable-time value Valid values for the value argument range from 0 to 3600000 milliseconds. The default is 0. This information is also sent in router advertisement messages
    • Configuring Router Advertisement Messages

      • Configuring the Router Advertisement Transmission Interval

        By default, router advertisements are sent out every 200 seconds. To change the interval between router advertisement transmissions on an interface, enter the following command: ipv6 nd ra-interval [msec] value Valid values range from 3 to 1800 seconds (or 500 to 1800000 milliseconds if the msec keyword is used). The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if FWSM is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value.

      • Configuring the Router Lifetime Value

        The router lifetime value specifies how long nodes on the local link should consider FWSM as the default router on the link. To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following command: hostname(config-if)# ipv6 nd ra-lifetime seconds Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that FWSM should not be considered a default router on the selected interface.

      • Suppressing Router Advertisement Messages

        By default, Router Advertisement messages are automatically sent in response to router solicitation messages. To suppress IPv6 router advertisement transmissions on an interface, enter the following command: hostname(config-if)# ipv6 nd suppress-ra
  2. Configuring a Static IPv6 Neighbor Enter the following command to configure a static entry in the IPv6 neighbor discovery cache: hostname(config-if)# ipv6 neighbor ipv6_address if_name mac_address
    • ipv6_address the link-local IPv6 address of the neighbor
    • if_name the interface through which the neighbor is available
    • mac_address the MAC address of the neighbor interface

    Note: The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery cache.

  3. Verifying the IPv6 Configuration

    Various show commands to verify your IPv6 settings:

    1. Viewing IPv6 Interface Settings To show the IPv6 interface settings, enter the following command: hostname# show ipv6 interface [if_name] Including the interface name shows the settings for the specified interface. Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following:
      • The name and status of the interface
      • The link-local and global unicast addresses
      • The multicast groups the interface belongs to
      • ICMP redirect and error message settings
      • Neighbor discovery settings

        Note: The show interface command only displays the IPv4 settings for an interface. You must use the show ipv6 interface command to see the IPv6 configuration on an interface. The show ipv6 interface command does not display any IPv4 settings for the interface if both are configured on the interface.

    2. Viewing IPv6 Routes To display the routes in the IPv6 routing table, enter the following command: hostname# show ipv6 route

      The output from the show ipv6 route command is comparable to the IPv4 show route command. It displays all of the following informations:

      • The address of the next-hop router
      • The interface through which the next hop router to the specified network is reached
      • The protocol that derived the route
      • The IPv6 prefix of the remote network
      • The administrative distance and metric for the route
Top of Page
© 2009 Active Discovery Designs