
A smooth transition of the company's network to IPv6

Hello, community.

I would like to cover the transition of a network to IPv6, since this topic is poorly covered, especially in Russian. First, let's look at what our network looks like before the transition:

image

What do we have? A router connected to the Internet that performs NAT for the internal networks. The networks are in vlan10 and vlan20.
The configuration of the router is as follows:
Router(config)#int fa0/0
Router(config-if)#ip address 192.0.2.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config)#int fa0/1.10
Router(config-if)#encapsulation dot1Q 10
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#int fa0/1.20
Router(config-if)#encapsulation dot1Q 20
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#ip nat pool natpool 192.0.2.2 192.0.2.2 netmask 255.255.255.252
Router(config)#ip nat inside source list 100 pool natpool overload
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any


To switch to IPv6, you need to get a block of addresses. Negotiations with the two providers to which the company's office is connected did not end as we would have liked: one provider is testing IPv6 within its own network and does not yet issue blocks to customers, while the second has not even thought about using IPv6. A short search led to TunnelBroker from Hurricane Electric. The options offered after registration are up to 5 blocks of /64 or /48 (optional). For those who have not yet dealt with IPv6, it is quite hard to imagine how many addresses this is. For comparison, the entire IPv4 space is 2^32 = 4.2 × 10^9 addresses. An IPv6 /64 block is 2^64 = 1.8 × 10^19 addresses, 10 orders of magnitude more than the entire IPv4 space.

To get a block of IPv6 addresses, you need to fill out one form in which you must specify the external IPv4 address and select one of the servers (at the time of writing, only 18 servers — 3 in Asia, 6 in Europe and 9 in North America).

image

After receiving the block, make the changes on the router.
Enable IPv6 routing support:
Router(config)#ipv6 unicast-routing
Router(config)#ipv6 cef


Create a tunnel interface with an IPv6 provider (TunnelBroker):
Router(config)#interface Tunnel0
Router(config-if)#description Hurricane Electric IPv6 Tunnel Broker
Router(config-if)#no ip address
Router(config-if)#ipv6 address 2001:470:18:11A::2/64
Router(config-if)#ipv6 enable
Router(config-if)#tunnel source GigabitEthernet0/0.510
Router(config-if)#tunnel destination 216.218.221.6
Router(config-if)#tunnel mode ipv6ip


Add a default route:
Router(config)#ipv6 route ::/0 Tunnel0

If DNS is configured on your router, then you can already enjoy IPv6 operation:
Router#ping ipv6.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:4008:C00::6A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/69/84 ms


At this stage, I had a question: how to carry over the old addressing, so as not to have to remember two IP addresses, IPv4 and IPv6, for each computer. There is a way out. First, convert the IPv4 addresses to hex, which gives:
192.168.1.0 → C0.A8.1.0
192.168.2.0 → C0.A8.2.0


Written in a form more appropriate for IPv6: C0A8:0100 and C0A8:0200. Leading zeros can be omitted, giving C0A8:100 and C0A8:200.

Our networks 192.168.1.0 and 192.168.2.0 had a mask of 255.255.255.0 (or, in short form, /24). Let us recall a little theory: a /24 mask means that the first 24 bits do not change within the network, and only the remaining 8 bits can change (an IPv4 address consists of 32 bits, 4 octets of 8 bits each). We need a similar mask for the new IPv6 network, but an IPv6 address consists of 128 bits. The last 8 bits can change, the first 120 bits cannot. Mask: /120.

Once we have decided on the mask, we need to embed the old networks into the new IPv6 block.
192.168.1.0/24 → 2001:470:18:11A::C0A8:100/120
192.168.2.0/24 → 2001:470:18:11A::C0A8:200/120


Configure the router:
Router(config)#int fa0/1.10
Router(config-if)#ipv6 enable
Router(config-if)#ipv6 address 2001:470:18:11A::C0A8:101/120
Router(config)#int fa0/1.20
Router(config-if)#ipv6 enable
Router(config-if)#ipv6 address 2001:470:18:11A::C0A8:201/120


The router configuration is complete.

It remains to enable IPv6 support on the computers and enter the address, mask, and gateway. For example, let's configure a computer with the address 192.168.2.189:
Address: 192.168.2.189 → C0.A8.2.BD → C0A8:2BD → 2001:470:18:11A::C0A8:2BD
Mask: /120
Gateway: 2001:470:18:11A::C0A8:201
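
The embedding described above (IPv4 network placed in the low 32 bits of the IPv6 prefix, /24 becoming /120), as an added Python example that is not part of the original article. It generalizes to any IPv4 prefix length and adds a reverse lookup for matching IPv6 log entries to the IPv4 inventory; the function names are hypothetical and the /64 is the one used in the article.

```python
import ipaddress

# Assumption: the /64 used in the article; any prefix of /96 or shorter works.
SITE_PREFIX = ipaddress.IPv6Network("2001:470:18:11A::/64")


def embed_network(v4net, site=SITE_PREFIX):
    """Map an IPv4 network into the low 32 bits of the site prefix."""
    v4net = ipaddress.IPv4Network(v4net)
    if site.prefixlen > 96:
        raise ValueError("site prefix must leave 32 bits for the IPv4 address")
    # Host bits are preserved: an IPv4 /24 keeps 8 host bits, so the IPv6 mask is /120.
    v6_len = 128 - (32 - v4net.prefixlen)
    base = int(site.network_address) | int(v4net.network_address)
    return ipaddress.IPv6Network((base, v6_len))


def embed_host(v4addr, v4net, site=SITE_PREFIX):
    """Return the IPv6 interface (address/mask) for one IPv4 host."""
    v4addr = ipaddress.IPv4Address(v4addr)
    v4net = ipaddress.IPv4Network(v4net)
    if v4addr not in v4net:
        raise ValueError(f"{v4addr} is not inside {v4net}")
    v6net = embed_network(v4net, site)
    addr = ipaddress.IPv6Address(int(site.network_address) | int(v4addr))
    return ipaddress.IPv6Interface((addr, v6net.prefixlen))


def recover_v4(v6addr, site=SITE_PREFIX):
    """Reverse mapping, e.g. to correlate IPv6 log entries with the IPv4 inventory."""
    v6addr = ipaddress.IPv6Address(v6addr)
    if v6addr not in site:
        return None
    low = int(v6addr) & ((1 << (128 - site.prefixlen)) - 1)
    # Bits between the site prefix and the last 32 must be zero for an embedded address.
    if low >> 32:
        return None
    return ipaddress.IPv4Address(low)


if __name__ == "__main__":
    for net in ("192.168.1.0/24", "192.168.2.0/24"):
        print(net, "->", embed_network(net))
    print(embed_host("192.168.2.189", "192.168.2.0/24"))
    print(recover_v4("2001:470:18:11a::c0a8:2bd"))
```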


Disable Teredo (if enabled):
>netsh interface teredo set state disabled
OK.


Check that IPv6 works:
>ping ipv6.google.com
ipv6.l.google.com [2a00:1450:4008:c00::6a] 32 :
2a00:1450:4008:c00::6a: =80
2a00:1450:4008:c00::6a: =65
2a00:1450:4008:c00::6a: =81
2a00:1450:4008:c00::6a: =76

Ping 2a00:1450:4008:c00::6a:
: = 4, = 4, = 0
(0% )
- :
= 65, = 81 , = 75


In addition, you can enjoy the animated turtle on www.kame.net (if your turtle is not animated, then you have reached the site via IPv4).

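To sum up: there is no longer any need to configure port forwarding, and you can use ssh or remote desktop to reach any computer or server inside the local network. However, this leaves a wide-open security issue: the concept of an internal network disappears, because the network is now part of the Internet. Without NAT in the path, inbound access has to be restricted explicitly, with an IPv6 access list on the router or a firewall on each host.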

Source: https://habr.com/ru/post/119968/

