Cisco 6to4 Relay Service
From ARIN IPv6 Wiki
An ISP can set up a 6to4 relay service by configuring at least two well-connected IPv6-enabled routers to set up automatic 6to4 tunnels.
A 6to4 tunnel is an automatic IPv6 tunnel where a 6to4 border router in an isolated IPv6 network creates a tunnel to a 6to4 border router in another isolated IPv6 network over an IPv4 infrastructure. The tunnel destination is determined by the globally unique, 32-bit IPv4 address of the remote 6to4 border router that is concatenated to the prefix 2002::/16. 6to4 tunnels are configured between 6to4 border routers or between 6to4 border routers and hosts.
A 6to4 relay service is a 6to4 border router that offers traffic forwarding to the IPv6 Internet for remote 6to4 border routers. A 6to4 relay forwards packets that have a 2002::/16 source prefix.
6to4 tunnels and connections to a 6to4 relay service need not be requested or negotiated between customers and the ISP. The ISP simply configures the 6to4 relay service and customers can automatically connect to the service whenever they like. Because of the one-to-many relationship between the 6to4 relay service and each 6to4 tunnel (each customer), there is low maintenance and management overhead associated with 6to4 tunnels and a 6to4 relay service. However, given that customers use the IPv4 address of their border router to construct the 6to4 address that they use to connect to the 6to4 relay service (they are not delegated a /48 prefix from the ISP), the ISP may want to manage the IPv4 routing announcements for the relay service to control its use (the ISP will need IPv4 traffic statistics if it wants to identify and charge individual customers for using the service).
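The address derivation described above, together with a relay-side consistency check along the lines of RFC 3964, as an added Python example (not part of the wiki or of Cisco's documentation). The function names and the sample records are constructed for illustration, and 192.1.2.3 is used only as a sample global address.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")

def to_6to4_prefix(v4):
    """Build the 2002:V4ADDR::/48 prefix: 16 bits of 2002, then the 32-bit IPv4 address."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))

def embedded_v4(v6):
    """Return the IPv4 address carried in bits 17-48 of a 6to4 address, or None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def check_relay_packet(outer_v4_src, inner_v6_src):
    """Hypothetical relay-side check: return (ok, reason) for one tunnelled packet."""
    v4 = embedded_v4(inner_v6_src)
    if v4 is None:
        return False, "inner source not in 2002::/16"
    # A 6to4 prefix is only meaningful for a globally unique IPv4 address.
    if (v4.is_private or v4.is_loopback or v4.is_multicast
            or v4.is_link_local or v4.is_unspecified or v4.is_reserved):
        return False, "embedded IPv4 address is not globally routable"
    # The IPv4 tunnel source must be the router that owns the 6to4 prefix.
    if v4 != ipaddress.IPv4Address(outer_v4_src):
        return False, "embedded IPv4 address does not match tunnel source"
    return True, "ok"

# Constructed sample records: (outer IPv4 source, inner IPv6 source)
SAMPLES = [
    ("192.1.2.3", "2002:c001:203::1"),  # consistent 6to4 source
    ("192.1.2.3", "2002:c003:203::1"),  # embedded address differs from outer source
    ("10.1.2.3", "2002:a01:203::1"),    # private address behind the 6to4 prefix
    ("192.1.2.3", "2001:db8::1"),       # not a 6to4 source at all
]

if __name__ == "__main__":
    print(to_6to4_prefix("192.1.2.3"))
    for outer, inner in SAMPLES:
        print(outer, inner, check_relay_packet(outer, inner))
```

The same `embedded_v4` mapping lets an operator attribute relay traffic seen in IPv6 flow records to the customer IPv4 address that generated it.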
Reverse 6to4 delegation can be requested at http://6to4.nro.net; please check the instructions at http://6to4.nro.net/6to4_reverse/non_2002/index.html.
Here is a minimal config fragment. Check Cisco's documentation for full details. This should be configured on a dual-stack router that has good IPv4 and IPv6 connectivity. To minimize latency, it should be on the border between your IPv4-only network and your dual-stack network. This configuration can be duplicated to additional dual-stack routers for increased reliability.

    ! Your unique Router ID
    ! Use your own real IP addresses here instead of 192.0.2.1 and 2001:db8::1
    ! The 6to4 relay anycast address 188.8.131.52 (see RFC 3068) should be
    ! configured as a secondary address on the loopback interface
    interface Loopback0
     ip address 184.108.40.206 255.255.255.0 secondary
     ip address 192.0.2.1 255.255.255.255
     ipv6 address 2001:db8::1/128
    !
    interface Tunnel1
     description 6to4 Tunnel
     no ip address
     ipv6 unnumbered Loopback0
     tunnel source loopback0
     tunnel mode ipv6ip 6to4
    !
    ipv6 route 2002::/16 Tunnel1

WARNING: The 220.127.116.11 address on the loopback interface may be selected as your router ID during a subsequent reboot or an OSPF or BGP process restart. To prevent this (particularly if you are running multiple 6to4 gateways for reliability) you should explicitly specify your OSPF or BGP router ID.
A 6to4 gateway provides routing in two different directions. First, it provides a route for packets from native IPv6 (non-6to4) devices within an IPv6 network to reach 6to4 devices which do not have native IPv6 connectivity. The 2002::/16 route should be distributed to other IPv6 routers using an IPv6-capable IGP (e.g. OSPFv3 or RIPv6).
The gateway also allows packets from 6to4 devices which have only IPv4 connectivity to reach native IPv6 devices on the IPv6 network. The route to the anycast address 18.104.22.168 should be distributed via an IPv4 IGP (e.g. OSPF or EIGRP) to other IPv4 routers.
For example, if you run OSPFv3 and OSPF on your routers:

    ipv6 router ospf 10
     ! Redistribute the 2002::/16 static route
     redistribute static
    !
    router ospf 10
     ! Redistribute the 22.214.171.124 route
     redistribute connected subnets

If the router will be a public 6to4 gateway, then the 126.96.36.199/24 network and/or the 2002::/16 network should also be announced via BGP to other networks (see RFC 3068, section 4.3). Depending on your BGP peering policy and configuration, accomplishing this may require one or more of the following:
- Adding a 'network 188.8.131.52' and/or 'network 2002::/16' to your BGP configuration
- Adjusting your BGP filters to permit the outgoing announcements
- Coordinating with your BGP peer(s) to accept the 184.108.40.206/24 and/or 2002::/16 prefixes and propagate them
- Adjusting your border interface ACLs to permit the traffic
Jordi Palet Martinez posted the following example on the AfriNIC mailing list:
Details of the example configuration
The examples below assume that the public IPv4 address on the WAN interface of the router is 220.127.116.11. You should replace that with the right information for your own case; the same applies to other data used in the examples.
Also, you need to understand how to calculate the 6to4 IPv6 address for your router. This is done using the IPv4 address and the IPv6 6to4 prefix.
The 6to4 prefix 2002::/16 takes the first 16 bits. Then bits 17 to 48 are the nibble notation for your IPv4 address. So in our example it will be:

    192 = c0
    1 = 01
    2 = 02
    3 = 03

We will use the first address of the prefix for the WAN interface, so
Also, the anycast address for 6to4 is: 18.104.22.168
Following the same example as above, in IPv6 it will be:
For our example using a Loopback, we use 22.214.171.124, which in IPv6 will be
We show below two options for the 6to4 Relay. One basic configuration and another using the anycast address for 6to4. You just need to configure one of them (A or B).
A Example configuration of a basic 6to4 Relay
This relay will only be reachable for hosts or routers with a manual configuration pointing to it.
A1) Enable IPv6 in the router
A2) Ethernet0/0 interface configuration (obviously you can use another interface)

    interface Ethernet0/0
     description 6to4 Relay Service
     ip address 126.96.36.199 255.255.255.0

A3) tunnel 6to4 virtual interface

    interface Tunnel2002
     description 6to4 Relay Interface
     no ip address
     no ip redirects
     ipv6 address 2002:c001:0203::1/128
     tunnel source Ethernet0/0
     tunnel mode ipv6ip 6to4

A4) 6to4 prefix route

    ipv6 route 2002::/16 Tunnel2002

B Example configuration of a 6to4 Relay with anycast support
B1) Enable IPv6 in the router
B2) We use the loopback (recommended), but you could use an Ethernet Interface or any other one

    interface Loopback0
     description 6to4 Anycast Relay Service
     ip address 188.8.131.52 255.255.255.0 secondary
     ip address 184.108.40.206 255.255.255.255
     ipv6 address 2002:c003:0203::1/128
     ipv6 mtu 1480
     no ipv6 mfib fast

Note: When using IPv4 anycast addresses, it is recommended to explicitly configure the BGP/OSPF ID with a unicast address; otherwise, the router may take the anycast address as the ID by default.
B3) tunnel 6to4 virtual interface

    interface Tunnel2002
     description anycast 6to4 Relay Interface
     no ip address
     no ip redirects
     ipv6 address 2002:C058:6301::/128 anycast
     ipv6 unnumbered Loopback0
     no ipv6 mfib fast
     tunnel source Loopback0
     tunnel mode ipv6ip 6to4
     tunnel path-mtu-discovery

C Configuration for a public Relay
If you choose the anycast option (B), then you can also make the relay public via the following steps.
C1) You need to announce the 2002::/16 prefix usually via BGP. The example below will help you. You should add this to the normal unicast IPv6 configuration and replace the right information for your own case.

    router bgp myASN
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor remotepeer_IPv6_address remote-as remoteASN
     neighbor remotepeer_IPv6_address description Peer to remoteISP
     address-family ipv6
      neighbor remotepeer_IPv6_address activate
      neighbor remotepeer_IPv6_address route-map remoteISP_in in
      neighbor remotepeer_IPv6_address route-map remoteISP_out out
      network my_IPv6_prefix
      network 2002::/16
     exit-address-family
    ipv6 route 2002::/16 Null0
    ipv6 prefix-list 6to4_prefix seq 5 permit 2002::/16
    route-map remoteISP_out permit 10
     match ipv6 address prefix-list 6to4_prefix

Note: Of course, you need to replace some of the parameters with your specific data, such as myASN, remotepeer_IPv6, my_IPv6_prefix, remoteASN, remoteISP, remoteISP_in and remoteISP_out.
C2) Additionally, you need to configure the announcement of the 6to4 anycast prefix, 220.127.116.11/24, to your neighbor ISPs.
Once you have started announcing this prefix, add yourself to the list of ISPs currently announcing a 6to4 prefix.
D Configuration for a Private Relay
Alternatively, if you only want to offer the relay to your own customers, you need to announce the 18.104.22.168/24 prefix only to them. Then you will need to use example A) and use something adapted to your own network/routing protocol.
For example, if you are using OSPF as your IGP, you will add something such as:

    router ospf 1
     log-adjacency-changes
     auto-cost reference-bandwidth 10000
     network 22.214.171.124 0.0.0.255 area 0

E Real-life configuration for 6to4 public relay on a Cisco 7600 platform
In addition to the scenarios above it could be really tricky to debug all of the associated problems. If you're using a Cisco 7600 platform it is worth checking out the following:
1) DO NOT put 126.96.36.199 as a secondary address on a Loopback interface. Otherwise CEF will not be fully enabled.
2) Additional addressing on Loopback ('normal' IPv4- and IPv6-loopbacks on Lo64 below) is not obligatory, though it will allow for proper diagnostics from the router towards 6to4 clients.
3) In an MPLS environment, CHECK for "mls mpls tunnel-recir" in the running-config. It is mandatory to ensure bi-directional traffic flows.
Below is a real-life configuration that delivers (it appears courtesy of CCIE #10389); the IGP part is omitted for clarity. Feel free to send questions or comments to the aa916-ripe contacts.

    !
    mls mpls tunnel-recir
    !
    interface Loopback64
     ip address 192.168.2.155 255.255.255.255 secondary
     ip address 188.8.131.52 255.255.255.0
     no ip redirects
     ipv6 address 2002:C0a8:029B::1/128
     ipv6 enable
     ipv6 mtu 1280
     no ipv6 redirects
     no ipv6 unreachables
    !
    interface Tunnel64
     no ip address
     no ip redirects
     ipv6 address 2002:C058:6301::/128 anycast
     ipv6 unnumbered Loopback64
     ipv6 enable
     ipv6 mtu 1280
     no ipv6 redirects
     tunnel source Loopback64
     tunnel mode ipv6ip 6to4
     tunnel path-mtu-discovery
    !
    ipv6 route 2002::/16 Tunnel64
    !
    router bgp xxxx
     !
     address-family ipv4
      redistribute connected route-map to-bgp
     !
     address-family ipv6
      redistribute static route-map to-bgp6
    !
    route-map to-bgp permit 10
     match ip address prefix-list xxxx:6to4-anycast
     set local-preference 200
     set community xxxx:yy xxxx:zz
    !
    route-map to-bgp6 permit 10
     match ipv6 address prefix-list xxxx:6to4
     set local-preference 200
     set community xxxx:yy xxxx:zz
    !
    ip prefix-list xxxx:6to4-anycast seq 5 permit 184.108.40.206/24
    ipv6 prefix-list xxxx:6to4 seq 5 permit 2002::/16