Deploying IPv6 in WAN/Branch Networks

Chapter Description

This chapter provides an overview of WAN/branch deployment, covers WAN/branch IPv6 deployment considerations and WAN/branch deployment over native IPv6, and includes an example of a WAN/branch implementation.

WAN/Branch Implementation Example

Much of the configuration and design among the three different WAN/branch deployment profiles is similar. The largest variables are usually the number of devices within a branch for high-availability purposes and the scale of the overall environment.

The implementation example given in this chapter combines properties from each of the three WAN/branch profiles so that you can get a basic understanding of the various tiers, network roles, and specific products and features when configured for IPv6 support.

Throughout the remainder of this chapter, the example topology is called the "hybrid branch example," or HBE. Again, this is just an example configuration that is meant to combine elements from each of the three WAN/branch profiles and is not meant to be a recommended best practice design.

Figure 8-4 shows the high-level overview of the HBE environment.

Figure 8-4 Hybrid Branch Example Overview

The HBE has the flexibility to run almost any WAN type, including Frame Relay, MPLS, point-to-point IPsec VPN, DMVPN, and so on. In this example, the branch has redundant WAN access routers that connect to the HQ through redundant head-end routers. Behind the WAN access routers in the branch there is a Cisco ASA 5500 series firewall. Optionally, a redundant ASA can be added for additional availability. There is a Cisco ISR series router with either a built-in Cisco EtherSwitch Module or a separate Catalyst switch that can connect local host resources such as PCs, printers, and other network-attached resources.

Additional devices might be required to meet the business requirements for each branch, such as additional routers, switches, and other network devices that can augment the high-availability, security, or robust network services goals of the branch.

Tested Components

Table 8-2 lists the components that were used and tested in the hybrid branch example.

Table 8-2. HBE-Tested Components

| Role | Hardware | Software |
|---|---|---|
| Router | Integrated Services Router: 2800 and 3800 Series | Advanced Enterprise Services 15.0.1M1 |
| Switch | Cisco Catalyst 3750E/3560E | 12.2(46)SE |
| Firewall | Cisco ASA 5510 | 8.2(2) |
| Host devices | Various laptops—PC | Microsoft Windows Vista, Windows 7 |

Network Topology

Figure 8-5 serves as a reference for all the configurations for the HBE. The figure shows the IPv6 addressing layout for the branch and HQ connections.

Figure 8-5 HBE IPv6 Addressing Details

The following sections discuss the physical and logical connectivity of the WAN access, branch LAN, and firewalls.

WAN Connectivity

The HBE uses the Dual DMVPN Cloud Topology with spoke-to-spoke support, as outlined in the Cisco DMVPN Design Guide at http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html.

The Dual DMVPN Cloud Topology has each branch site configured with a primary (solid lines between branch and HQ) and secondary (dashed lines) DMVPN tunnel configuration. Each tunnel configuration is on a separate IPv4 and IPv6 network. The IGP is tuned to prefer one tunnel over another, and if the primary tunnel fails, the IGP reconverges and traffic flows between the branch routers and the secondary head-end router using the secondary tunnel configuration.

The HBE could easily use a traditional Frame Relay, MPLS, or point-to-point IPsec VPN as well. DMVPN was selected for this example to give the reader a usable configuration for Cisco DMVPN support with IPv6.

Because this is just an example and many variables could influence how this network is connected and configured, a simplistic approach was taken for addressing and physical connectivity. The important thing to take away from the HBE shown here is that most things are the same as with IPv4. The goal is to illustrate the minor syntax adjustments.

Branch LAN Connectivity

The LAN connectivity between the WAN access routers and the Cisco ASA is through a Catalyst switch. Each router is configured as a Hot Standby Router Protocol (HSRP) group member for both IPv4 and IPv6. The Cisco ASA has a default route to the HSRP standby address.

The LAN access router and ASA connect to each other using the EtherSwitch Module in the router. Alternatively a dedicated Catalyst switch could be used.

The LAN access portion of the branch uses a Catalyst switch to provide network access for hosts, IP phones, and printers. There are three VLANs in use in the HBE that are used for host access:

  • VLAN 104: Used as the PC data VLAN. IPv4 addressing is provided by a local DHCP pool on the router. IPv6 addressing is provided by the branch router using SLAAC, and DNS/domain name are provided by a local DHCP pool for IPv6. Optionally, full DHCP for IPv4 and IPv6 can be used at the HQ site.
  • VLAN 105: Used as the voice VLAN. IPv4 addressing is provided by a local DHCP pool on the router to include any voice-specific options (TFTP server). IPv6 addressing is provided by stateful DHCPv6. Optionally, stateless DHCP IPv6 can be used.
  • VLAN 106: Used as the printer VLAN. IPv4 addressing is provided by a local DHCP pool on the router. The print server cards located in the branch automatically receive an IPv6 address from the router interface through stateless autoconfiguration. Optionally, full DHCP for IPv4 and IPv6 can be used at the HQ site.

Firewall Connectivity

Depending on the branch design and the security policy, a dedicated firewall might or might not be deployed. Some sites deploy a firewall at the branch if local Internet access for that branch is permitted (split-tunneling scenario) or if the firewall itself is used as the branch VPN device. Also, firewall support on the WAN access routers can be enabled to offer perimeter protection instead of using a dedicated ASA.

In the HBE, the Cisco ASA Firewall is used and configured in a basic way. There is an "outside" interface and an "inside" interface. The Cisco ASA can be deployed as a single standalone firewall with no redundancy, or the ASA can be configured in a stateful failover deployment, where a second ASA is deployed and used as a standby unit (as shown earlier in Figure 8-4).

The Cisco ASA can be deployed in a routed mode or a transparent mode (sometimes known as bridge mode). Routed mode is what is used in this chapter and is the most popular of the deployment choices. Routed mode, simply put, is where the ASA has distinct Layer 3 interfaces, each on a different IPv4 and IPv6 network, and acts as a routed hop in the network (static and dynamic routing is supported in this mode). Transparent mode has the ASA in a Layer 2 configuration where packets are bridged across and inspected; the ASA is basically a bump-in-the-wire. These are oversimplified explanations of the routed and transparent modes, and the reader should fully understand the differences of each and their pros/cons. More information on routed and transparent mode can be found at http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/fwmode.html.

Head-End Configuration

The HBE WAN configuration begins at the headquarters site, where there are two Cisco routers acting as head-end termination points for the Dual DMVPN Cloud Topology.

The two head-end routers (HE1 and HE2) have connections to the ISP through Fast Ethernet connections but could just as easily be T1/E1, DS3, and any other connection option. Fast Ethernet was the option selected to generate the configurations for this chapter.

DMVPN is the VPN technology that carries both IPv4 and IPv6. The DMVPN configuration used in this chapter uses Phase 3 of Cisco IOS support for DMVPN. The following three phases are defined for DMVPN:

  • Phase 1: Hub-and-spoke capability only
  • Phase 2: Initial spoke-to-spoke capability
  • Phase 3: Support for IPv6 and enhancements for spoke-to-spoke to support larger-scale nonbroadcast multiaccess (NBMA) networks

More information on the theory, operation, and configuration of DMVPN for IPv6, Phase 3 enhancements, and next hop resolution protocol (NHRP) operation can be found at the following URLs:

You need to configure different features and values for the DMVPN configuration such as keys, hold times, and so on.

HE1 and HE2 have one tunnel configuration each. HE1 is the primary head-end, and because this is a dual DMVPN cloud configuration, the tunnel used on HE1 is in a different IPv4 and IPv6 network than the tunnel used by HE2. One thing to note is that when IPv6 multicast is enabled on a router, Protocol Independent Multicast (PIM) uses tunnel numbers 0 and 1 to communicate with rendezvous points (RP) and tunnel sources. It is recommended to use tunnel numbers beginning at 2.

The configuration for HE1 is shown in Example 8-3. The configuration for HE2 is identical with the exception of different IPv4 and IPv6 addressing and route preference. The configuration for HE2 is not shown.

Example 8-3. HE1 Configuration

ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1      #Set ISAKMP Policy using pre-shared
                              #keys
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0  #Pre-share key for
                                              #any (::/0) peer
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
interface Tunnel2                 #If deployed, PIMv6 uses
                                   #tunnel 0 and 1 by default
                                   #so it is recommended to start
                                   #at 2
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ipv6 mtu 1416                    #Set MTU to account for
                                   #Tunnel/IPSec overhead
 ipv6 eigrp 10                    #Enable IPv6 EIGRP
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO    #Set authentication string
                                      #for NHRP
 ipv6 nhrp map multicast dynamic   #Automatically add routers to
                                      #NHRP mappings
 ipv6 nhrp network-id 10           #Enables NHRP on interface
 ipv6 nhrp holdtime 600
 ipv6 nhrp redirect                #Phase 3 NHRP redirect for
                                    #spoke-to-spoke
 tunnel source FastEthernet0/0         #ISP-facing interface
                                        #(172.16.1.1)
 tunnel mode gre multipoint            #Multipoint GRE to support
                                        #multiple end-points
 tunnel key 10
 tunnel protection ipsec profile HUB  #Apply IPSec profile
!
interface GigabitEthernet2/0        #LAN interface to HQ network
 description to HQ
 ip address 10.123.1.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:202::2/64
 ipv6 eigrp 10
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 priority 120
 standby 2 preempt delay minimum 30
 standby 2 authentication CISCO
 standby 2 track 2 decrement 90
!
interface FastEthernet0/0
 description to ISP
 ip address 172.16.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ipv6 router eigrp 10                       #Enable EIGRP for IPv6
 no shutdown

Branch WAN Access Router Configuration

The branch routers have serial (T1/E1) connections to the ISP. Again, these connections can be broadband (DSL/cable/wireless), Ethernet, DS3, and so on. The branch WAN access routers have IPv4-only connectivity to the ISP and should have ACLs permitting access to/from the ISP for only the necessary ports/protocols required to establish DMVPN connectivity to the head-end routers. (This assumes that no split tunneling is allowed.) The IPv6 portion of the configuration is similar to that of the head-end, where the IPv6 configuration applies to the local branch Ethernet interface and the DMVPN tunnel interfaces.

Both branch WAN access routers (BR1-1 and BR1-2) are configured nearly identically. The differences are in the unique IPv4 and IPv6 addressing, routing preferences, and HSRP preferences. The configuration for BR1-1 is shown in Example 8-4 (only one of the two DMVPN tunnel configurations is shown).

Example 8-4. BR1-1 Configuration

ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
!
interface Tunnel2
 description to HUB
 ip address 10.126.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address 2001:DB8:CAFE:20A::2/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
 ipv6 nhrp map multicast 172.16.1.1
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile SPOKE
!
interface Serial1/0
 description to ISP
 ip address 172.16.1.9 255.255.255.252
!
interface GigabitEthernet2/0
 description to BRANCH LAN
 ip address 10.124.1.2 255.255.255.0
 negotiation auto
 ipv6 address 2001:DB8:CAFE:1000::2/64
 ipv6 eigrp 10
 standby version 2
 standby 1 ip 10.124.1.1
 standby 1 priority 120
 standby 1 preempt delay minimum 30
 standby 1 authentication CISCO
 standby 1 track 1 decrement 90
 standby 2 ipv6 autoconfig
 standby 2 priority 120
 standby 2 preempt delay minimum 30
 standby 2 authentication CISCO
 standby 2 track 2 decrement 90
!
router eigrp 10
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!
ipv6 router eigrp 10
 no shutdown
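
A review aid for the settings in Examples 8-3 and 8-4, added here and not part of the original chapter: the script parses IOS-style configuration and flags the wildcard pre-shared key (valid for any peer, as the annotation in Example 8-3 notes), Diffie-Hellman group 2 (1024-bit MODP), and plain-text HSRP authentication strings, and checks that multipoint GRE tunnels carry IPsec protection. The check names and the sample excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: lines taken from Example 8-4 (BR1-1), trimmed, with one
# of the book's trailing "#" annotations kept to show that the parser drops it.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0   #Pre-share key for any peer
!
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:20A::2/64
 ipv6 nhrp authentication CISCO
 tunnel mode gre multipoint
 tunnel protection ipsec profile SPOKE
!
interface GigabitEthernet2/0
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 authentication CISCO
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
WILDCARD_PEERS = {"0.0.0.0 0.0.0.0", "0.0.0.0", "ipv6 ::/0"}


def parse_sections(text):
    """Split IOS-style config into (header, [sub-commands]) sections."""
    sections = []
    for raw in text.splitlines():
        # Drop the book-style "#" annotations and annotation-only lines.
        line = re.sub(r"(?:^|\s+)#.*$", "", raw).rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())   # indented: sub-command
        else:
            sections.append((line.strip(), []))    # flush left: new section
    return sections


def audit(text):
    """Return a list of (check_id, location) findings (hypothetical check ids)."""
    findings = []
    for header, body in parse_sections(text):
        words = header.split()
        if header.startswith("crypto isakmp key "):
            # A key bound to every address lets any peer holding it start IKE.
            peer = header.split(" address ", 1)[-1]
            if peer in WILDCARD_PEERS:
                findings.append(("wildcard-psk", peer))
        elif header.startswith("crypto isakmp policy "):
            for cmd in body:
                if cmd.startswith("group ") and cmd.split()[1] in WEAK_DH_GROUPS:
                    findings.append(("weak-dh-group", f"{header}: {cmd}"))
        elif words[0] == "interface":
            name = words[1]
            mgre = "tunnel mode gre multipoint" in body
            protected = any(c.startswith("tunnel protection ipsec") for c in body)
            if mgre and not protected:
                findings.append(("mgre-without-ipsec", name))
            for cmd in body:
                # "standby N authentication STRING" is sent as plain text; the
                # keyed form is "standby N authentication md5 key-string ...".
                m = re.match(r"standby (\d+ )?authentication (\S+)", cmd)
                if m and m.group(2) != "md5":
                    findings.append(("hsrp-plaintext-auth", name))
    return findings


if __name__ == "__main__":
    for check, where in audit(SAMPLE_CONFIG):
        print(f"{check:22} {where}")
```
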

Branch Firewall Configuration

As was previously mentioned, the Cisco ASA firewall deployment in the HBE is simple and meant only as a reference for you. Many customers avoid the cost and management of a branch firewall because they believe the branch is a trusted site connected to the HQ through a trusted private WAN or VPN link. Because of this, the customer often configures some ACLs on the WAN access router to protect against basic attacks. The common thinking is that because the branch is configured to not enable direct Internet access by branch users, no comprehensive firewall policies are required, and the cost and complexity of deploying a dedicated firewall (and redundant pair of them) are avoided.

This chapter is not meant to argue the values of having a dedicated branch firewall but rather offers a basic design and configuration example if you do plan to include a dedicated Cisco ASA Firewall as a part of your branch design.

The following configuration is for a Cisco ASA Firewall running version 8.2(2), and there are two firewalls for redundancy's sake. The firewalls are configured for a routed mode deployment.

Because the application types and ACL options are so diverse from customer to customer, no comprehensive security policies are provided in this chapter. Rather, a basic ACL example is shown for reference.

The configuration example begins with defining an alias that associates an IPv6 prefix with a user-defined name; prefix 2001:DB8:CAFE:1003::/64 is known as "BR1-LAN." Another alias is created for associating a full IPv6 address with a user-defined name (in this case, a server located at the branch that is IPv6-enabled).

The "outside" and "inside" interfaces are defined with the security level, IPv4 addresses, and IPv6 addresses. The standby keyword defines the peer address of the redundant ASA Firewall.

An example object group is configured (this is not required) for RDP using TCP port 3389. This object group is used by the ACL, permitting any source from 2001:DB8:CAFE::/48 to the previously defined branch server (Br1-v6-Server) over RDP. The configured ACLs are applied inbound on the "outside" interface.

At the time of this writing, the Cisco ASA supports dynamic routing only for IPv4 IGPs. For IPv6, static routing must be used. The example shown has a route configured for the inside branch LAN networks as well as the network between the Cisco ASA and the EtherSwitch Module located in the BR1-LAN router. This route uses one of the aliases defined previously. A static default route is configured for the outside interface, and the next hop is defined as the HSRP virtual link-local address of both the branch WAN access routers.

Interface GigabitEthernet0/3 will be used as the failover interface, and this ASA (ASA-1) is configured to be the primary unit. On the failover interface, the administrator must choose between defining an IPv4 or IPv6 address; both are not supported. In this case, an IPv6 address was used for the failover interface IP address.

Finally, Secure Shell (SSH) is permitted on the "inside" interface from the prefix shown.

Example 8-6. ASA-1 Configuration

name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch
name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server
!
interface GigabitEthernet0/0
 description TO WAN
 nameif outside
 security-level 0
 ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5
 ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5
!
interface GigabitEthernet0/1
 description TO BRANCH LAN
 nameif inside
 security-level 100
 ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2
 ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
object-group service RDP tcp
 description Microsoft RDP
 port-object eq 3389
!
ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1004::/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1005::/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1006::/64 2001:db8:cafe:1002::3

#Default route to HSRP address on WAN access routers
ipv6 route outside ::/0 fe80::5:73ff:fea0:2
ipv6 access-list v6-ALLOW permit icmp6 any any
ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP
failover
failover lan unit primary
failover lan interface FO-LINK GigabitEthernet0/3
failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2
access-group v6-ALLOW in interface outside
ssh 2001:db8:cafe::/48 inside

Example 8-7 output shows the summary of the failover interface (G0/3) configuration.

Example 8-7. ASA-1 show failover interface Command Output

asa-1# show failover interface
        interface FO-LINK GigabitEthernet0/3
                 System IP Address: 2001:db8:cafe:1001::1/64
                 My IP Address    : 2001:db8:cafe:1001::1
                 Other IP Address : 2001:db8:cafe:1001::2

A general view of the failover state and configuration is shown in Example 8-8. The output shows that this ASA is the primary unit and is active. Interface information for both the "outside" and "inside" interfaces is shown. The information shows the IPv4 and IPv6 address information that is used on both interfaces for failover tracking.

Example 8-8. ASA-1 show failover Command Output

asa-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO-LINK GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 05:15:12 UTC Apr 12 2010
        This host: Primary - Active
                Active time: 48 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface outside (10.124.1.4/fe80::21e:7aff:fe81:8e2c): Normal
                  Interface inside (10.124.3.1/fe80::21e:7aff:fe81:8e2d): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Standby Ready
                Active time: 261 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface outside (10.124.1.5/fe80::21d:a2ff:fe59:5fe4): Normal
                  Interface inside (10.124.3.2/fe80::21d:a2ff:fe59:5fe5): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

The output in Example 8-9 shows the connection state of the firewall. There is a TCP connection between a host on the outside and a host on the inside over TCP port 23 (Telnet).

Example 8-9. Connection State of the Firewall

asa-1# show conn
6 in use, 13 most used
TCP outside 2001:db8:cafe:1000::2:23 inside 2001:db8:cafe:1004:c53c:2d6a:ccef:f2c5:1044, idle 0:02:49, bytes 115, flags UIO
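
How the v6-ALLOW list from Example 8-6 treats new connections, as an added Python model that is not ASA code and not part of the original chapter. It assumes first-match evaluation with an implicit deny on the "outside" interface and the ASA default of permitting traffic from a higher to a lower security level where no ACL is applied; return traffic of an established connection is handled statefully and is not modeled. The function names and the HQ and non-corporate source addresses are constructed.

```python
import ipaddress

# Names, object group and ACL entries transcribed from Example 8-6.
NAMES = {"Br1-v6-Server": "2001:db8:cafe:1004:9db8:3df1:814c:d3bc"}
OBJECT_GROUPS = {"RDP": {3389}}
ACL_V6_ALLOW = [
    "ipv6 access-list v6-ALLOW permit icmp6 any any",
    "ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 "
    "host Br1-v6-Server object-group RDP",
]
SECURITY_LEVEL = {"outside": 0, "inside": 100}
# "access-group v6-ALLOW in interface outside"; nothing is applied to inside.
ACL_ON_INTERFACE = {"outside": ACL_V6_ALLOW}


def _take_addr(tokens):
    """Consume 'any', 'host X' or 'prefix/len' and return an IPv6 network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("::/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(host, host) + "/128")
    return ipaddress.ip_network(tok, strict=False)


def parse_ace(line):
    """Parse one access-list entry into (action, proto, src, dst, ports)."""
    tokens = line.split()[3:]             # skip "ipv6 access-list <name>"
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    ports = None                          # None means any destination port
    if tokens[:1] == ["object-group"]:
        ports = OBJECT_GROUPS[tokens[1]]
    elif tokens[:1] == ["eq"]:
        ports = {int(tokens[1])}
    return action, proto, src, dst, ports


def check_new_connection(in_if, out_if, proto, src, dst, dport=None):
    """Decide whether a NEW connection arriving on in_if is allowed."""
    acl = ACL_ON_INTERFACE.get(in_if)
    if acl is None:
        # No inbound ACL: only higher -> lower security level is allowed.
        ok = SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
        return "permit (security level)" if ok else "deny (security level)"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, a_proto, a_src, a_dst, ports = parse_ace(line)
        port_ok = ports is None or dport in ports
        if a_proto == proto and s in a_src and d in a_dst and port_ok:
            return f"{action} (line {n})"   # first match wins
    return "deny (implicit)"


SERVER = NAMES["Br1-v6-Server"]
PC = "2001:db8:cafe:1004:c53c:2d6a:ccef:f2c5"   # inside host in Example 8-9
BR1_1 = "2001:db8:cafe:1000::2"                  # outside host in Example 8-9

if __name__ == "__main__":
    flows = [  # constructed test flows
        ("outside", "inside", "tcp", "2001:db8:cafe:102::50", SERVER, 3389),
        ("outside", "inside", "tcp", "2001:db8:beef::1", SERVER, 3389),
        ("outside", "inside", "tcp", BR1_1, PC, 23),
        ("inside", "outside", "tcp", PC, BR1_1, 23),  # direction of Example 8-9
    ]
    for flow in flows:
        print(flow, "->", check_new_connection(*flow))
```

In Example 8-9 port 23 is on the outside address, so the session was opened from the inside host; the model permits it by security level, while the same Telnet attempt arriving on the outside interface falls through to the implicit deny.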

EtherSwitch Module Configuration

The EtherSwitch Module is an optional component and can be replaced with a traditional Catalyst switch. It is shown in this chapter to give you a view of the configuration that is almost identical to that of a Catalyst 3560/3750 switch. The EtherSwitch Module used in this example is an NME-16ES-1G.

In the HBE, the EtherSwitch Module connects the branch LAN access router and the two ASA firewalls. Before enabling IPv6 features and functionality on the EtherSwitch Module, the Switch Database Management (SDM) template needs to be configured to support both IPv4 and IPv6. The three SDM templates that support IPv4 and IPv6 are

  • Dual IPv4 and IPv6 default template
  • Dual IPv4 and IPv6 routing template
  • Dual IPv4 and IPv6 VLAN template

The dual IPv4 and IPv6 SDM template configuration is defined from the global configuration mode as follows:

BR1-EtherSwitch(config)#sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan}

The device needs to be rebooted for the changes to take effect. After the EtherSwitch Module has rebooted, the show sdm prefer command (shown in Example 8-10) can verify that the correct SDM template is in use.

Example 8-10. EtherSwitch Module show sdm prefer Command Output

BR1-EtherSwitch# show sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                   2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                     3K
  number of directly-connected IPv4 hosts:          2K
  number of indirect IPv4 routes:                    1K
  number of IPv6 multicast groups:                   1.125k
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:            1K
  number of IPv4 policy based routing aces:          0
  number of IPv4/MAC qos aces:                        0.5K
  number of IPv4/MAC security aces:                   1K
  number of IPv6 policy based routing aces:          0
  number of IPv6 qos aces:                            0.625k
  number of IPv6 security aces:                       0.5K

More information on the SDM template configuration can be found at http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swsdm.html#wp1077854.

The IPv6 portion of the EtherSwitch Module configuration is straightforward. In the HBE, there are only three interfaces that are in use on the module. There is the EtherSwitch-to-router internal interface (GigabitEthernet 1/0/2) and two Ethernet interfaces connecting the two Cisco ASA firewalls.

At the time of this writing, the Cisco ASA does not yet support dynamic routing for IPv6, so a default static route is configured on the module that points to the failover IPv6 address of the Cisco ASA. Optionally, EIGRP for IPv6 is enabled so that the default route can be advertised to the internal "BR1-LAN" router and so that all internal routes on that device can be advertised to the EtherSwitch Module. Static routes on "BR1-LAN" and the EtherSwitch Module work as well. The configuration for the EtherSwitch Module is shown in Example 8-11.

Example 8-11. EtherSwitch Module Configuration

ipv6 unicast-routing
!
interface FastEthernet1/0/1
 description TO ASA-1
 switchport access vlan 101
!
interface FastEthernet1/0/2
 description TO ASA-2
 switchport access vlan 101
!
interface GigabitEthernet1/0/2    #Interface connecting to
                                     #branch LAN access
                                     #router (EtherSwitch internal
                                     #interface)
 description to BR1-LAN
 no switchport
 ip address 10.124.4.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1003::2/64
 ipv6 eigrp 10                    #Optional - dynamic routing
                                   #for IPv6 inside the branch
!
interface Vlan101
 ip address 10.124.3.3 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1002::3/64   #VLAN for network
                                            #connecting ASA
 ipv6 eigrp 10
!
ipv6 route ::/0 2001:DB8:CAFE:1002::1    #Default route pointing
                                            #to ASA
ipv6 router eigrp 10               #Enable EIGRP for IPv6
 redistribute static               #Redistribute default route
                                     #to LAN router
 passive-interface Vlan101         #Do not attempt adjacency on
                                     #VLAN101

Branch LAN Router Configuration

The BR1-LAN branch LAN access router (configuration shown in Example 8-12) acts as a Layer 3 distribution device for the branch. BR1-LAN terminates the VLAN trunks from the Layer 2 access switch (BR1-LAN-SW) that the individual hosts connect to. In addition to basic L3 termination and routing, the BR1-LAN router provides basic addressing services to IPv6-attached hosts through stateless DHCPv6 (RFC 3736) and provides stateful DHCPv6 relay functionality (RFC 3315). With stateless DHCPv6, the router provides IPv6 addressing services through SLAAC (RFC 4862), but other information, such as DNS name and DNS server, is provided through a stateless DHCPv6 pool (G0/0.104 example). With stateful DHCPv6 relay, the router forwards on the DHCP requests to a defined DHCPv6 server (G0/0.105 example).

Example 8-12. BR1-LAN Configuration Example

ipv6 unicast-routing
ipv6 cef
!
ipv6 dhcp pool DATA_W7                  #DHCPv6 pool name
 dns-server 2001:DB8:CAFE:102::8       #Primary IPv6 DNS server
 domain-name cisco.com                  #DNS domain name passed
                                          #to client
!
interface GigabitEthernet0/0
 description to BR1-LAN-SW
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.104
 description VLAN-PC
 encapsulation dot1Q 104
 ip address 10.124.104.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1004::1/64      #Client uses SLAAC
                                               #with this prefix
 ipv6 nd other-config-flag         #Set flag in RA to instruct
                                     #host how to obtain "other"
                                     #information such as domain
 ipv6 dhcp server DATA_W7          #Use DHCP pool above for
                                     #options
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
 description VLAN-PHONE
 encapsulation dot1Q 105
 ip address 10.124.105.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig #Do
                                               #not use prefix for
                                               #autoconfiguration
 ipv6 nd managed-config-flag      #Set flag in RA to instruct
                                   #host to use DHCPv6
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9    #Relay for
                                                     #DHCPv6 server
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.106
 description VLAN-PRINTER
 encapsulation dot1Q 106
 ip address 10.124.106.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1006::1/64
 ipv6 eigrp 10
!
interface GigabitEthernet1/0
 description TO ETHERSWITCH MODULE
 ip address 10.124.4.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1003::1/64
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 no shutdown

The BR1-LAN-SW Catalyst switch is configured with an interface connected to the BR1-LAN router and is configured for IEEE 802.1Q trunking. VLANs 104–106 are carried over the trunk link. No relevant IPv6 configurations are made on the BR1-LAN-SW except that a management interface is defined that is reachable over both IPv4 and IPv6. The configuration for the BR1-LAN-SW device is not shown.
