Smooth transition of the company network to IPv6

Hello, habrasociety.

I would like to highlight the transition of the network to IPv6, since this topic is poorly covered, especially in Russian. First, let's look at how our network looks before the transition:

image

What do we have? A router connected to the Internet that performs NAT functions for internal networks. Networks are in vlan10 and vlan20.

The configuration of the router is as follows:
Router(config)#int fa0/0
Router(config-if)#ip address 192.0.2.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config)#int fa0/1.10
Router(config-if)#encapsulation dot1Q 10
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#int fa0/1.20
Router(config-if)#encapsulation dot1Q 20
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#ip nat pool natpool 192.0.2.2 192.0.2.2 netmask 255.255.255.252
Router(config)#ip nat inside source list 100 pool natpool overload
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any

In order to switch to IPv6, you need to get an address block. Negotiations with the two providers to which the company's office is connected did not end as we would have liked: one provider is testing IPv6 inside its own network and has not yet issued blocks to clients, while the second has not even thought about using IPv6. A brief search led to TunnelBroker from Hurricane Electric. After registration it offers up to 5 blocks of /64 or /48 (optional). For those who have not yet encountered IPv6, it is quite difficult to imagine how many addresses this is. For comparison, the entire IPv4 address space is 2^32 = 4.2 × 10^9 addresses. In IPv6, a /64 block is 2^64 = 1.8 × 10^19 addresses, 10 orders of magnitude more than the entire IPv4 address space.

To get a block of IPv6 addresses, you need to fill out a single form, specifying your external IPv4 address and selecting one of the servers (at the time of writing there are 18 servers in total: 3 in Asia, 6 in Europe and 9 in North America).

image

After receiving the block, make changes on the router.
Enable IPv6 routing support:
Router(config)#ipv6 unicast-routing
Router(config)#ipv6 cef


We create a tunnel interface to the IPv6 provider (TunnelBroker):
Router(config)#interface Tunnel0
Router(config-if)#description Hurricane Electric IPv6 Tunnel Broker
Router(config-if)#no ip address
Router(config-if)#ipv6 address 2001:470:18:11A::2/64
Router(config-if)#ipv6 enable
Router(config-if)#tunnel source GigabitEthernet0/0.510
Router(config-if)#tunnel destination 216.218.221.6
Router(config-if)#tunnel mode ipv6ip

Add a default route:
Router(config)#ipv6 route ::/0 Tunnel0

If DNS is configured on your router, you can already enjoy working through IPv6:
Router#ping ipv6.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:4008:C00::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/69/84 ms

At this point I had a question: how to carry over the old addressing so that I don't have to remember two IP addresses, IPv4 and IPv6, for each computer? There is a way out. First you need to translate the IPv4 address to hex, which is what we will do:
192.168.1.0 → C0.A8.1.0
192.168.2.0 → C0.A8.2.0

We will write this in a form that is more consistent with IPv6: C0A8:0100 and C0A8:0200. Leading zeros can be omitted, so C0A8:100 and C0A8:200.

Our networks 192.168.1.0 and 192.168.2.0 had a mask of 255.255.255.0 (or, in short form, /24). Let us recall a little theory: a /24 mask says that the first 24 bits do not change within the network, and only the remaining 8 bits can change (an IPv4 address consists of 32 bits: 4 octets of 8 bits). We need to make a similar mask for the new IPv6 network; however, an IPv6 address consists of 128 bits. The last 8 bits can change, the first 120 bits cannot. Mask: /120.

Now that we have decided on the mask, the old networks need to be placed inside the new IPv6 block:
192.168.1.0/24 → 2001:470:18:11A::C0A8:100/120
192.168.2.0/24 → 2001:470:18:11A::C0A8:200/120

Configure the router:
Router(config)#int fa0/1.10
Router(config-if)#ipv6 enable
Router(config-if)#ipv6 address 2001:470:18:11A::C0A8:101/120
Router(config)#int fa0/1.20
Router(config-if)#ipv6 enable
Router(config-if)#ipv6 address 2001:470:18:11A::C0A8:201/120

The configuration of the router is complete. What remains is to enable IPv6 support on the computers and enter the address, mask and gateway. For example, configure a computer with the address 192.168.2.189:
192.168.2.189 → C0.A8.2.BD → C0A8:2BD → 2001:470:18:11A::C0A8:2BD
Mask: /120
Default gateway: 2001:470:18:11A::C0A8:201

Disable Teredo (if enabled):
>netsh interface teredo set state disabled
OK.
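
The IPv4-to-IPv6 mapping used above for the router interfaces and for 192.168.2.189, written out as a script. This is an added example, not part of the original article; it goes beyond the /24 case by handling any IPv4 prefix length (IPv6 mask = 96 + IPv4 mask) and adds the reverse mapping, which helps when matching IPv6 log entries to the old IPv4 inventory. The function and constant names are hypothetical; the prefix and networks are the ones shown in the article.

```python
import ipaddress

# Assumptions for this added example: the /64 shown in the article and its two
# IPv4 LANs. All function and constant names here are hypothetical.
SITE_PREFIX = ipaddress.IPv6Network("2001:470:18:11a::/64")
INTERNAL_V4 = [ipaddress.IPv4Network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]


def _base(prefix):
    """Return the prefix as an integer, checking that 32 bits are left free."""
    if prefix.prefixlen > 96:
        raise ValueError("IPv6 prefix must leave 32 free bits (at most /96)")
    return int(prefix.network_address)


def embed_network(v4net, prefix=SITE_PREFIX):
    """Place an IPv4 network in the low 32 bits of prefix: /24 becomes /120."""
    v4 = ipaddress.IPv4Network(v4net)  # strict parsing: rejects set host bits
    addr = ipaddress.IPv6Address(_base(prefix) | int(v4.network_address))
    return ipaddress.IPv6Network((addr, 96 + v4.prefixlen))


def embed_host(v4addr, prefix=SITE_PREFIX):
    """Map one IPv4 host address to its IPv6 counterpart inside prefix."""
    return ipaddress.IPv6Address(_base(prefix) | int(ipaddress.IPv4Address(v4addr)))


def recover_ipv4(v6addr, prefix=SITE_PREFIX, internal=INTERNAL_V4):
    """Reverse the mapping, e.g. to correlate IPv6 log entries with IPv4 ones.

    Returns None for addresses that are not embedded internal hosts, such as
    the tunnel endpoint ::2 or any address outside the site prefix.
    """
    v6 = ipaddress.IPv6Address(v6addr)
    if v6 not in prefix:
        return None
    host_bits = int(v6) - _base(prefix)
    if host_bits >> 32:  # bits between the prefix and the low 32 must be zero
        return None
    v4 = ipaddress.IPv4Address(host_bits)
    return v4 if any(v4 in net for net in internal) else None


if __name__ == "__main__":
    for net in INTERNAL_V4:
        gateway = embed_host(net.network_address + 1)
        print(f"{net} -> {embed_network(net)}, gateway {gateway}")
    print(embed_host("192.168.2.189"), recover_ipv4("2001:470:18:11A::C0A8:2BD"))
```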


Checking that IPv6 works:
>ping ipv6.google.com
Обмен пакетами с ipv6.l.google.com [2a00:1450:4008:c00::6a] с 32 байтами данных:
Ответ от 2a00:1450:4008:c00::6a: время=80мс
Ответ от 2a00:1450:4008:c00::6a: время=65мс
Ответ от 2a00:1450:4008:c00::6a: время=81мс
Ответ от 2a00:1450:4008:c00::6a: время=76мс

Статистика Ping для 2a00:1450:4008:c00::6a:
Пакетов: отправлено = 4, получено = 4, потеряно = 0
(0% потерь)
Приблизительное время приема-передачи в мс:
Минимальное = 65мсек, Максимальное = 81 мсек, Среднее = 75 мсек

In addition, you can enjoy the animated turtle at www.kame.net (if your turtle is not animated, you reached the site via IPv4).

I would like to sum up. There is no need to configure port forwarding: you can connect via ssh or remote desktop to any computer or server inside the local network. However, the security question is wide open: the concept of an internal network disappears, and the network is now part of the Internet.
