5 Replies Latest reply: Sep 25, 2011 11:26 AM by Scott Morris - CCDE/4xCCIE/2xJNCIE

    6to4 tunnel interface subnet

    sg4rb0sss

      Hey guys,

       

      So I'm updating my notes for automatic 6to4 tunnels.  I understand everything bar 1 thing which is highlighted in red below.  I don't understand the point/purpose of ever creating a subnet on a tunnel interface.

       

      ipv6 unicast-routing
      !
      interface Loopback0
       ip address 192.168.1.1 255.255.255.0
      !so this is the ipv4 ip I am using to send info between networks for my tunnel.
      !when the tunnel is created it embeds this ip in the 2nd and 3rd quartet (ipv6).
      !When the tunnel sends the message, it uses IPV4 to reach destinations. so here
      !to reach R11 it will use 192.168.2.1.  Which when embedded in IPV6 looks like:
      !2002:c0a8:201::/48.
      !remember that this ipv4 network needs to be advertised through the internet
      !as this is the public ipv4 we will be using for our tunnel. For the purpose
      !of our network, we just need to route this network as well as the one on the
      !physical interface.  The physical interface IP would be equivalent to our frame IP.
      !the one on this loopback would be equivalent to a public subnet that our ISP can
      !give us
      !
      interface Loopback1
       no ip address
       ipv6 address 2002:C0A8:101:5::1/64
      !this is a network on the router (i.e. another network a group of users are on)
      !this must match the first 2002:ip-v4:address::/48 of the lo0 ip that we're using
      !for talking between tunnels.  i.e.:2002:C0A8:101::/48 (this is the ipv4 address
      !embedded into ipv6).  The last 16 bits can be used for the subnets we're making
      !on the router.  Here we are using 5.
      !
      interface Tunnel0
       no ip address
       no ip redirects
       ipv6 address 2002:C0A8:101:20::1/64
      !so here we have made a subnet of 20 for this particular router.  Just random,
      !and I can't even see a reason for doing this, but that's what you gotta do
      !
       tunnel source Loopback0
       tunnel mode ipv6ip 6to4
      !
      interface FastEthernet0/0
       ip address 10.10.10.1 255.255.255.0
       duplex auto
       speed auto
      !
      interface FastEthernet0/1
       ip address 10.10.20.1 255.255.255.0
       duplex auto
       speed auto
      !
      !
      no ip http server
      no ip http secure-server
      ip forward-protocol nd
      ip route 192.168.2.0 255.255.255.0 FastEthernet0/0
      ip route 192.168.3.0 255.255.255.0 FastEthernet0/1
      !paramount that we route this, as we are routing our tunnels via this ipv4
      !address and need to access other routers on ipv4.
      !
      !
      !
      ipv6 route 2002::/16 Tunnel0

       

       

      I can't possibly see any benefits that are derived from using subnet(s) on a tunnel interface.  It's simply just 1 unique IP that remote devices will use to connect to when they need to use the tunnel.  Any elaboration on this is greatly appreciated.

       

      Cheers,

      Stephen

        • 1. Re: 6to4 tunnel interface subnet
          Scott Morris - CCDE/4xCCIE/2xJNCIE

          You don't NEED to have that at all....

           

          In 6to4 tunneling, the bits from 17-48 are interpreted as the address to be used as a destination for the tunnel.

           

          So "C0A8:101" are the important pieces here indicating 192.168.1.1, and as you point out, what others will use as a destination.  But a subnet beyond that is technically irrelevant.  I suppose if you had multiple tunnels set up this would be helpful for sourcing, but that would be odd.

           

          The problem with most of the examples of 6to4 tunnels is that they really don't tell the whole story of implementation and what kinds of things you may end up seeing.

           

          First, think about what would drive packets into a tunnel to begin with.  Routing.  You have a single static route of 2002::/16 into tunnel0.  Which is all nice and all, but assumes that everyone is using 2002 addresses and to what end?  That's a set reserved for tunneling as a set-aside, but not what you will use for the rest of your network!

           

          So let's say that company A has FC08:0100:ABCD::/48 (a unique local address), Company B has 2020:1111:2222::/48 (a global address), and Company C has FEC0:300:300::/48 (a deprecated site local address set).

           

          You would like to talk to each of them but have no IPv6 provider...

           

          You'll need to figure out your own internal IPv6 addressing (forget about the tunnels for a moment) and set that all up.  Once you know your range (let's pick FC11:1111:1111/48 for fun) then you'll need to share that with the other companies.

           

          They've told you that their public IPv4 addresses are:

           

          Company A:  101.101.101.101

          Company B:  111.111.111.111

          Company C: 200.200.200.200

           

          Now you have to set up other routes.  If you're going to stick with the 2002 addresses, that's cool, but actually isn't required...  (Just a nice idea to play well with others!)

           

          ipv6 route FC08:0100:ABCD::/48 2002:6565:6565::1

          ipv6 route 2020:1111:2222::/48 2002:6F6F:6F6F:200::2

          ipv6 route FEC0:300:300::/48 2002:C8C8:C8C8:AB:381:1111:2222:1111:3333

           

          All of those will now route into your tunnel 0.

           

          Based on the "tunnel mode ipv6 6to4" statement, the router will then interpret:

           

          6565:6565 to be 101.101.101.101

          6F6F:6F6F to be 111.111.111.111

          C8C8:C8C8 to be 200.200.200.200

           

          The remaining parts of:

           

          0:0:0:0:1

          200:0:0:0:2

          AB:381:1111:2222:1111:3333

           

          Are technically irrelevant, but definitely will be used on the receiving side once IPv6 is functional to know about next hop info (especially if you're using any dynamic routing protocols where that's important to resolve).

           

          HTH,

           

          Scott
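
The interpretation described in the reply above (bits 17-48 of a 2002::/16 address taken as the IPv4 tunnel destination), as an added example that is not part of the original thread. The function names are hypothetical; the addresses and routes are the ones quoted in the posts, and the third next hop is kept as posted to show how a malformed address is reported.

```python
import ipaddress

# Added illustration; function names are hypothetical, values come from the thread.
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def ipv4_to_6to4_prefix(v4):
    """2002:V4ADDR::/48 prefix that belongs to the router with this IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    # 0x2002 occupies bits 1-16, the IPv4 address bits 17-48, the rest is zero.
    return ipaddress.ip_network(((0x2002 << 112) | (v4_int << 80), 48))

def tunnel_destination(next_hop):
    """IPv4 endpoint embedded in a 6to4 next hop, or None outside 2002::/16."""
    addr = ipaddress.IPv6Address(next_hop)  # raises ValueError if malformed
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def resolve_routes(config_text):
    """Map each 'ipv6 route <prefix> <next-hop>' line to (prefix, endpoint, note)."""
    results = []
    for line in config_text.splitlines():
        fields = line.split()
        if fields[:2] != ["ipv6", "route"] or len(fields) < 4:
            continue
        prefix, next_hop = fields[2], fields[3]
        try:
            endpoint = tunnel_destination(next_hop)
        except ValueError:
            results.append((prefix, None, "next hop is not a valid IPv6 address"))
            continue
        if endpoint is None:
            results.append((prefix, None, "next hop is not a 6to4 address"))
            continue
        note = "public IPv4 endpoint" if endpoint.is_global else "non-public IPv4 endpoint"
        results.append((prefix, str(endpoint), note))
    return results

# Routes copied from the post above; the third next hop has nine groups.
ROUTES = """\
ipv6 route FC08:0100:ABCD::/48 2002:6565:6565::1
ipv6 route 2020:1111:2222::/48 2002:6F6F:6F6F:200::2
ipv6 route FEC0:300:300::/48 2002:C8C8:C8C8:AB:381:1111:2222:1111:3333
"""

if __name__ == "__main__":
    print(ipv4_to_6to4_prefix("192.168.1.1"))
    for row in resolve_routes(ROUTES):
        print(row)
```

The subnet and interface-ID bits after the first 48 do not affect the derived endpoint: `2002:C0A8:101:20::1` and `2002:C0A8:101:5::1` both resolve to 192.168.1.1.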

          • 2. Re: 6to4 tunnel interface subnet
            sg4rb0sss

            Right, I think I follow that.  So if (in your network demo) I remove the #ipv6 route 2002::/16 statement, and replace it with the

             

            ipv6 route FC08:0100:ABCD::/48 2002:6565:6565::1  tun0

            ipv6 route 2020:1111:2222::/48 2002:6F6F:6F6F:200::2  tun0

            ipv6 route FEC0:300:300::/48 2002:C8C8:C8C8:AB:381:1111:2222:1111:3333 tun0

             

            Then that explicitly states which networks I am joining together.  And these 2002:: addresses would be the ipv6 address configured on the interface of the other side of the tunnels?  Is that right (it sounds logical anyway)

             

            And this : FC11:1111:1111/48  address is the one I'm using in my tunnel interface?

             

            Good stuff

            • 3. Re: 6to4 tunnel interface subnet
              Scott Morris - CCDE/4xCCIE/2xJNCIE

              The FC address is what you've used through the REST of your network to get IPv6 working on whatever interfaces you want.  The 2002 address is what you have ONLY on the tunnel interface.

               

              I think I'd keep the /16 static route in there also, just to future-proof configurations as a placeholder.  (Remind myself what's going where)

               

              Yes, the 2002 addresses are the other side of the tunnel, but remember, the immediate need is for the 2002:xxxx:xxxx part to determine the IPv4 address as the tunnel destination address.

               

              HTH,

               

              Scott

              • 4. Re: 6to4 tunnel interface subnet
                sg4rb0sss

                Cheers Scott.  That's cleared up things nicely.

                 

                Regards,

                Stephen

                • 5. Re: 6to4 tunnel interface subnet
                  Scott Morris - CCDE/4xCCIE/2xJNCIE

                  No problems.   Enjoy!