WAN/Branch Implementation Example
Much of the configuration and design among the three different WAN/branch deployment profiles is similar. The largest variables are usually the number of devices within a branch for high-availability purposes and the scale of the overall environment.
The implementation example given in this chapter combines properties from each of the three WAN/branch profiles so that you can get a basic understanding of the various tiers, network roles, and specific products and features when configured for IPv6 support.
Throughout the remainder of this chapter, the example topology is called the "hybrid branch example," or HBE. Again, this is just an example configuration that is meant to combine elements from each of the three WAN/branch profiles and is not meant to be a recommended best practice design.
Figure 8-4 shows the high-level overview of the HBE environment.
Figure 8-4 Hybrid Branch Example Overview
The HBE has the flexibility to run almost any WAN type to include Frame Relay, MPLS, point-to-point IPsec VPN, DMVPN, and so on. In this example, the branch has redundant WAN access routers that connect to the HQ through redundant head-end routers. Behind the WAN access routers in the branch there is a Cisco ASA 5500 series firewall. Optionally a redundant ASA can be added for additional availability. There is a Cisco ISR series router with either a built-in Cisco EtherSwitch Module or a separate Catalyst switch that can connect local host resources such as PCs, printers, and other network-attached resources.
Additional devices might be required to meet the business requirements for each branch, such as additional routers, switches, and other network devices that can augment the high-availability, security, or robust network services goals of the branch.
Tested Components
Table 8-2 lists the components that were used and tested in the hybrid branch example.
Table 8-2. HBE-Tested Components
| Role | Hardware | Software |
|---|---|---|
| Router | Integrated Services Router: 2800 and 3800 Series | Advanced Enterprise Services 15.0.1M1 |
| Switch | Cisco Catalyst 3750E/3560E | 12.2(46)SE |
| Firewall | Cisco ASA 5510 | 8.2(2) |
| Host devices | Various laptops—PC | Microsoft Windows Vista, Windows 7 |
Network Topology
Figure 8-5 serves as a reference for all the configurations for the HBE. The figure shows the IPv6 addressing layout for the branch and HQ connections.
Figure 8-5 HBE IPv6 Addressing Details
The following sections discuss the physical and logical connectivity of the WAN access, branch LAN, and firewalls.
WAN Connectivity
The HBE uses the Dual DMVPN Cloud Topology with spoke-to-spoke support, as outlined in the Cisco DMVPN Design Guide at http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html.
The Dual DMVPN Cloud Topology has each branch site configured with a primary (solid lines between branch and HQ) and secondary (dashed lines) DMVPN tunnel configuration. Each tunnel configuration is on a separate IPv4 and IPv6 network. The IGP is tuned to prefer one tunnel over another, and if the primary tunnel fails, the IGP reconverges and traffic flows between the branch routers and the secondary head-end router using the secondary tunnel configuration.
The HBE could easily use a traditional Frame Relay, MPLS, or point-to-point IPsec VPN as well. DMVPN was selected for this example to give the reader a usable configuration for Cisco DMVPN support with IPv6.
Because this is just an example and many variables could influence how this network is connected and configured, a simple approach was taken for addressing and physical connectivity. The important thing to take away from the HBE shown here is that most things are the same as with IPv4. The goal is to illustrate the minor syntax adjustments.
Branch LAN Connectivity
The LAN connectivity between the WAN access routers and the Cisco ASA is through a Catalyst switch. Each router is configured as a Hot Standby Router Protocol (HSRP) group member for both IPv4 and IPv6. The Cisco ASA has a default route to the HSRP standby address.
The LAN access router and ASA connect to each other using the EtherSwitch Module in the router. Alternatively a dedicated Catalyst switch could be used.
The LAN access portion of the branch uses a Catalyst switch to provide network access for hosts, IP phones, and printers. There are three VLANs in use in the HBE that are used for host access:
- VLAN 104: Used as the PC data VLAN. IPv4 addressing is provided by a local DHCP pool on the router. IPv6 addressing is provided by the branch router using SLAAC, and DNS/domain name are provided by a local DHCP pool for IPv6. Optionally, full DHCP for IPv4 and IPv6 can be used at the HQ site.
- VLAN 105: Used as the voice VLAN. IPv4 addressing is provided by a local DHCP pool on the router to include any voice-specific options (TFTP server). IPv6 addressing is provided by stateful DHCPv6. Optionally, stateless DHCP IPv6 can be used.
- VLAN 106: Used as the printer VLAN. IPv4 addressing is provided by a local DHCP pool on the router. The print server cards located in the branch automatically receive an IPv6 address from the router interface through stateless autoconfiguration. Optionally, full DHCP for IPv4 and IPv6 can be used at the HQ site.
Firewall Connectivity
Depending on the branch design and the security policy, a dedicated firewall might or might not be deployed. Some sites deploy a firewall at the branch if local Internet access for that branch is permitted (split-tunneling scenario) or if the firewall itself is used as the branch VPN device. Also, firewall support on the WAN access routers can be enabled to offer perimeter protection instead of using a dedicated ASA.
In the HBE, the Cisco ASA Firewall is used and configured in a basic way. There is an "outside" interface and an "inside" interface. The Cisco ASA can be deployed as a single standalone firewall with no redundancy, or the ASA can be configured in a stateful failover deployment, where a second ASA is deployed and used as the standby unit (as shown earlier in Figure 8-4).
The Cisco ASA can be deployed in a routed mode or a transparent mode (sometimes known as bridge mode). Routed mode is what is used in this chapter and is the most popular of the deployment choices. Routed mode, simply put, is where the ASA has distinct Layer 3 interfaces, each on a different IPv4 and IPv6 network, and acts as a routed hop in the network (static and dynamic routing is supported in this mode). Transparent mode has the ASA in a Layer 2 configuration where packets are bridged across and inspected; the ASA is basically a bump-in-the-wire. These are oversimplified explanations of the routed and transparent modes, and the reader should fully understand the differences of each and their pros/cons. More information on routed and transparent mode can be found at http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/fwmode.html.
Head-End Configuration
The HBE WAN configuration begins at the headquarters site, where there are two Cisco routers acting as head-end termination points for the Dual DMVPN Cloud Topology.
The two head-end routers (HE1 and HE2) have connections to the ISP through Fast Ethernet connections but could just as easily be T1/E1, DS3, and any other connection option. Fast Ethernet was the option selected to generate the configurations for this chapter.
DMVPN is the VPN technology that carries both IPv4 and IPv6. The DMVPN configuration used in this chapter uses Phase 3 of Cisco IOS support for DMVPN. The following three phases are defined for DMVPN:
- Phase 1: Hub-and-spoke capability only
- Phase 2: Initial spoke-to-spoke capability
- Phase 3: Support for IPv6 and enhancements for spoke-to-spoke to support larger-scale nonbroadcast multiaccess (NBMA) networks
More information on the theory, operation, and configuration of DMVPN for IPv6, Phase 3 enhancements, and next hop resolution protocol (NHRP) operation can be found at the following URLs:
- Implementing DMVPN for IPv6: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-dmvpn_ps10591_TSD_Products_Configuration_Guide_Chapter.html
- Shortcut switching enhancements for NHRP: http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_nhrp_dmvpn.html#wp1072593
- Configuring NHRP: http://cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_cfg_nhrp.html#wp1078234
You need to configure different features and values for the DMVPN configuration such as keys, hold times, and so on.
HE1 and HE2 have one tunnel configuration each. HE1 is the primary head-end, and because this is a dual DMVPN cloud configuration, the tunnel used on HE1 is in a different IPv4 and IPv6 network than the tunnel used by HE2. One thing to note is that when IPv6 multicast is enabled on a router, Protocol Independent Multicast (PIM) uses tunnel numbers 0 and 1 to communicate with rendezvous points (RP) and tunnel sources. It is recommended to use tunnel numbers beginning at 2.
The configuration for HE1 is shown in Example 8-3. The configuration for HE2 is identical with the exception of different IPv4 and IPv6 addressing and route preference. The configuration for HE2 is not shown.
Example 8-3. HE1 Configuration
```
ipv6 unicast-routing
ipv6 cef
!
! Set ISAKMP policy using pre-shared keys
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
! Pre-shared key for any (::/0) peer
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
! If deployed, PIMv6 uses tunnel 0 and 1 by default,
! so it is recommended to start at 2
interface Tunnel2
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ! Set MTU to account for tunnel/IPsec overhead
 ipv6 mtu 1416
 ! Enable IPv6 EIGRP
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ! Set authentication string for NHRP
 ipv6 nhrp authentication CISCO
 ! Automatically add routers to NHRP mappings
 ipv6 nhrp map multicast dynamic
 ! Enables NHRP on interface
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ! Phase 3 NHRP redirect for spoke-to-spoke
 ipv6 nhrp redirect
 ! Source the tunnel from the ISP-facing interface (FastEthernet0/0,
 ! 172.16.1.1, the NBMA address the spokes map to); the original
 ! listing named Serial1/0, which HE1 does not define
 tunnel source FastEthernet0/0
 ! Multipoint GRE to support multiple endpoints
 tunnel mode gre multipoint
 tunnel key 10
 ! Apply IPsec profile
 tunnel protection ipsec profile HUB
!
! LAN interface to HQ network
interface GigabitEthernet2/0
 description to HQ
 ip address 10.123.1.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:202::2/64
 ipv6 eigrp 10
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 priority 120
 standby 2 preempt delay minimum 30
 standby 2 authentication CISCO
 standby 2 track 2 decrement 90
!
interface FastEthernet0/0
 description to ISP
 ip address 172.16.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
! Enable EIGRP for IPv6
ipv6 router eigrp 10
 no shutdown
```
Branch WAN Access Router Configuration
The branch routers have serial (T1/E1) connections to the ISP. Again, these connections can be broadband (DSL/cable/wireless), Ethernet, DS3, and so on. The branch WAN access routers have IPv4-only connectivity to the ISP and should have ACLs permitting access to/from the ISP for only the necessary ports/protocols required to establish DMVPN connectivity to the head-end routers. (This assumes that no split tunneling is allowed.) The IPv6 portion of the configuration is similar to that of the head-end, where the IPv6 configuration applies to the local branch Ethernet interface and the DMVPN tunnel interfaces.
Both branch WAN access routers (BR1-1 and BR1-2) are configured nearly identically. The differences are in the unique IPv4 and IPv6 addressing, routing preferences, and HSRP preferences. The configuration for BR1-1 is shown in Example 8-4 (only one of the two DMVPN tunnel configurations is shown).
Example 8-4. BR1-1 Configuration
```
ipv6 unicast-routing
ipv6 cef
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
!
interface Tunnel2
 description to HUB
 ip address 10.126.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address 2001:DB8:CAFE:20A::2/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
 ipv6 nhrp map multicast 172.16.1.1
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile SPOKE
!
interface Serial1/0
 description to ISP
 ip address 172.16.1.9 255.255.255.252
!
interface GigabitEthernet2/0
 description to BRANCH LAN
 ip address 10.124.1.2 255.255.255.0
 negotiation auto
 ipv6 address 2001:DB8:CAFE:1000::2/64
 ipv6 eigrp 10
 standby version 2
 standby 1 ip 10.124.1.1
 standby 1 priority 120
 standby 1 preempt delay minimum 30
 standby 1 authentication CISCO
 standby 1 track 1 decrement 90
 standby 2 ipv6 autoconfig
 standby 2 priority 120
 standby 2 preempt delay minimum 30
 standby 2 authentication CISCO
 standby 2 track 2 decrement 90
!
router eigrp 10
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!
ipv6 router eigrp 10
 no shutdown
```
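Examples 8-3 and 8-4 share several settings that should be reviewed before a configuration like this goes into production: a pre-shared key valid for any peer, Diffie-Hellman group 2, plain-text HSRP authentication, and one string reused for ISAKMP, NHRP, and HSRP. The following check is an added example, not part of the original chapter; the function name `audit_dmvpn_config` and the finding labels are assumptions, and the input is an excerpt of the BR1-1 listing.

```python
import re

# Excerpt of the BR1-1 configuration from Example 8-4, used as sample input.
BR1_1_EXCERPT = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0
!
interface Tunnel2
 ipv6 nhrp authentication CISCO
 tunnel protection ipsec profile SPOKE
!
interface GigabitEthernet2/0
 standby version 2
 standby 1 authentication CISCO
 standby 2 authentication CISCO
"""

# Diffie-Hellman groups 1, 2 and 5 are MODP groups of 768, 1024 and 1536 bits.
WEAK_DH_GROUPS = {"1", "2", "5"}
WILDCARD_PEERS = {"0.0.0.0 0.0.0.0", "0.0.0.0", "::/0"}


def audit_dmvpn_config(config):
    """Return (label, detail) findings for settings to review (hypothetical helper)."""
    findings = []
    secret_users = {}  # secret string -> features configured with it
    section = ""       # current top-level stanza

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = line

        m = re.fullmatch(r"crypto isakmp key (\S+) address (?:ipv6 )?(.+)", line)
        if m:
            secret_users.setdefault(m.group(1), set()).add("isakmp")
            if m.group(2) in WILDCARD_PEERS:
                # The key is accepted from any peer address.
                findings.append(("wildcard-psk", line))
            continue

        m = re.fullmatch(r"group (\d+)", line)
        if m and section.startswith("crypto isakmp policy"):
            if m.group(1) in WEAK_DH_GROUPS:
                findings.append(("weak-dh-group", f"{section}: {line}"))
            continue

        m = re.fullmatch(r"ipv6 nhrp authentication (\S+)", line)
        if m:
            secret_users.setdefault(m.group(1), set()).add("nhrp")
            continue

        # "standby N authentication md5 ..." does not match and is not flagged.
        m = re.fullmatch(r"standby \d+ authentication (?:text )?(\S+)", line)
        if m:
            secret_users.setdefault(m.group(1), set()).add("hsrp")
            # A plain-text HSRP string travels unencrypted in HSRP messages.
            findings.append(("hsrp-plaintext-auth", f"{section}: {line}"))

    for users in secret_users.values():
        if len(users) > 1:
            findings.append(("shared-secret-reused", ", ".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for label, detail in audit_dmvpn_config(BR1_1_EXCERPT):
        print(f"{label:22} {detail}")
```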
Branch Firewall Configuration
As was previously mentioned, the Cisco ASA firewall deployment in the HBE is simple and meant only as a reference for you. Many customers avoid the cost and management of a branch firewall because they believe the branch is a trusted site connected to the HQ through a trusted private WAN or VPN link. Because of this, the customer often configures some ACLs on the WAN access router to protect against basic attacks. The common thinking is that because the branch is configured to not enable direct Internet access by branch users, no comprehensive firewall policies are required, and the cost and complexity of deploying a dedicated firewall (and redundant pair of them) are avoided.
This chapter is not meant to argue the values of having a dedicated branch firewall but rather offers a basic design and configuration example if you do plan to include a dedicated Cisco ASA Firewall as a part of your branch design.
The following configuration is for a Cisco ASA Firewall running version 8.2(2), and there are two firewalls for redundancy. The firewalls are configured for a routed mode deployment.
Because the application types and ACL options are so diverse from customer to customer, no comprehensive security policies are provided in this chapter. Rather, a basic ACL example is shown for reference.
The configuration example begins with defining an alias that associates an IPv6 prefix with a user-defined name; prefix 2001:DB8:CAFE:1003::/64 is known as "BR1-LAN." Another alias is created for associating a full IPv6 address with a user-defined name (in this case, a server located at the branch that is IPv6-enabled).
The "outside" and "inside" interfaces are defined with the security level, IPv4 addresses, and IPv6 addresses. The standby keyword defines the peer address of the redundant ASA Firewall.
An example object group is configured (this is not required) for RDP using TCP port 3389. This object group is used by the ACL, permitting any source from 2001:DB8:CAFE::/48 to the previously defined branch server (Br1-v6-Server) over RDP. The configured ACLs are applied inbound on the "outside" interface.
At the time of this writing, the Cisco ASA supports dynamic routing only for IPv4 IGPs. For IPv6, static routing must be used. The example shown has a route configured for the inside branch LAN networks as well as the network between the Cisco ASA and the EtherSwitch Module located in the BR1-LAN router. This route uses one of the aliases defined previously. A static default route is configured for the outside interface, and the next hop is defined as the HSRP virtual link-local address of both the branch WAN access routers.
Interface GigabitEthernet0/3 will be used as the failover interface, and this ASA (ASA-1) is configured to be the primary unit. On the failover interface, the administrator must choose between defining an IPv4 or IPv6 address; both are not supported. In this case, an IPv6 address was used for the failover interface IP address.
Finally, Secure Shell (SSH) is permitted on the "inside" interface from the prefix shown.
Example 8-6. ASA-1 Configuration
```
name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch
name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server
!
interface GigabitEthernet0/0
 description TO WAN
 nameif outside
 security-level 0
 ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5
 ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5
!
interface GigabitEthernet0/1
 description TO BRANCH LAN
 nameif inside
 security-level 100
 ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2
 ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
object-group service RDP tcp
 description Microsoft RDP
 port-object eq 3389
!
ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1004::/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1005::/64 2001:db8:cafe:1002::3
ipv6 route inside 2001:db8:cafe:1006::/64 2001:db8:cafe:1002::3
! Default route to HSRP address on WAN access routers
ipv6 route outside ::/0 fe80::5:73ff:fea0:2
ipv6 access-list v6-ALLOW permit icmp6 any any
ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP
failover
failover lan unit primary
failover lan interface FO-LINK GigabitEthernet0/3
failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2
access-group v6-ALLOW in interface outside
ssh 2001:db8:cafe::/48 inside
```
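To see what the v6-ALLOW access list admits for new connections arriving on the "outside" interface, the two entries can be evaluated first-match against sample flows. This is an added example, not part of the original chapter; the function names are assumptions, the ACL entries and alias are transcribed from Example 8-6, and the source and destination addresses of the sample flows are constructed.

```python
import ipaddress

# Transcribed from Example 8-6: the name alias, the RDP object group and
# the two entries of the v6-ALLOW access list applied inbound on "outside".
NAMES = {"Br1-v6-Server": "2001:db8:cafe:1004:9db8:3df1:814c:d3bc"}
OBJECT_GROUPS = {"RDP": 3389}
V6_ALLOW = [
    "permit icmp6 any any",
    "permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP",
]
SERVER = NAMES["Br1-v6-Server"]


def _take_network(tokens):
    """Consume one address spec ('any', 'host X' or a prefix) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("::/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(host, host) + "/128")
    return ipaddress.ip_network(tok)


def parse_ace(text):
    """Parse one access-list entry (the part after the list name)."""
    tokens = text.split()
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _take_network(tokens)
    ace["dst"] = _take_network(tokens)
    ace["port"] = None
    if tokens[:1] == ["object-group"]:
        ace["port"] = OBJECT_GROUPS[tokens[1]]
    elif tokens[:1] == ["eq"]:
        ace["port"] = int(tokens[1])
    return ace


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, matching entry number or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, ace in enumerate(map(parse_ace, acl), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], number
    return "deny", None  # implicit deny at the end of the access list


if __name__ == "__main__":
    # Constructed sample flows: (protocol, source, destination, dest port).
    flows = [
        ("tcp", "2001:db8:cafe:102::50", SERVER, 3389),    # HQ host, RDP
        ("tcp", "2001:db8:cafe:102::50", SERVER, 23),      # HQ host, Telnet
        ("tcp", "2001:db8:beef::1", SERVER, 3389),         # outside the /48
        ("icmp6", "2001:db8:beef::1", "2001:db8:cafe:1004::10", None),
    ]
    for flow in flows:
        print(flow, "->", evaluate(V6_ALLOW, *flow))
```

The last flow matches entry 1: `permit icmp6 any any` admits every ICMPv6 type from any source to any inside address, which is broader than the RDP entry scoped to 2001:db8:cafe::/48.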
Example 8-7 output shows the summary of the failover interface (G0/3) configuration.
Example 8-7. ASA-1 show failover interface Command Output
```
asa-1# show failover interface
        interface FO-LINK GigabitEthernet0/3
                System IP Address: 2001:db8:cafe:1001::1/64
                My IP Address    : 2001:db8:cafe:1001::1
                Other IP Address : 2001:db8:cafe:1001::2
```
A general view of the failover state and configuration is shown in Example 8-8. The output shows that this ASA is the primary unit and is active. Interface information for both the "outside" and "inside" interfaces is shown. The information shows the IPv4 and IPv6 address information that is used on both interfaces for failover tracking.
Example 8-8. ASA-1 show failover Command Output
```
asa-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO-LINK GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 05:15:12 UTC Apr 12 2010
        This host: Primary - Active
                Active time: 48 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface outside (10.124.1.4/fe80::21e:7aff:fe81:8e2c): Normal
                  Interface inside (10.124.3.1/fe80::21e:7aff:fe81:8e2d): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Standby Ready
                Active time: 261 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface outside (10.124.1.5/fe80::21d:a2ff:fe59:5fe4): Normal
                  Interface inside (10.124.3.2/fe80::21d:a2ff:fe59:5fe5): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
```
The output in Example 8-9 shows the connection state of the firewall. There is a TCP connection between a host on the outside and a host on the inside over TCP port 23 (Telnet).
Example 8-9. Connection State of the Firewall
```
asa-1# show conn
6 in use, 13 most used
TCP outside 2001:db8:cafe:1000::2:23 inside 2001:db8:cafe:1004:c53c:2d6a:ccef:f2c5:1044, idle 0:02:49, bytes 115, flags UIO
```
EtherSwitch Module Configuration
The EtherSwitch Module is an optional component and can be replaced with a traditional Catalyst switch. It is shown in this chapter to give you a view of the configuration that is almost identical to that of a Catalyst 3560/3750 switch. The EtherSwitch Module used in this example is an NME-16ES-1G.
In the HBE, the EtherSwitch Module connects the branch LAN access router and the two ASA firewalls. Before enabling IPv6 features and functionality on the EtherSwitch Module, the Switch Database Management (SDM) template needs to be configured to support both IPv4 and IPv6. The three SDM templates that support IPv4 and IPv6 are:
- Dual IPv4 and IPv6 default template
- Dual IPv4 and IPv6 routing template
- Dual IPv4 and IPv6 VLAN template
The dual IPv4 and IPv6 SDM template configuration is defined from the global configuration mode as follows:
```
BR1-EtherSwitch(config)# sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan}
```
The device needs to be rebooted for the changes to take effect. After the EtherSwitch Module has rebooted, the show sdm prefer command (shown in Example 8-10) can verify that the correct SDM template is in use.
Example 8-10. EtherSwitch Module show sdm prefer Command Output
```
BR1-EtherSwitch# show sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  1.125k
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.625k
  number of IPv6 security aces:                     0.5K
```
More information on the SDM template configuration can be found at http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swsdm.html#wp1077854.
The IPv6 portion of the EtherSwitch Module configuration is straightforward. In the HBE, there are only three interfaces that are in use on the module. There is the EtherSwitch-to-router internal interface (GigabitEthernet 1/0/2) and two Ethernet interfaces connecting the two Cisco ASA firewalls.
At the time of this writing, the Cisco ASA does not yet support dynamic routing for IPv6, so a default static route is configured on the module that points to the failover IPv6 address of the Cisco ASA. Optionally, EIGRP for IPv6 is enabled so that the default route can be advertised to the internal "BR1-LAN" router and so that all internal routes on that device can be advertised to the EtherSwitch Module. Static routes on "BR1-LAN" and the EtherSwitch Module work as well. The configuration for the EtherSwitch Module is shown in Example 8-11.
Example 8-11. EtherSwitch Module Configuration
```
ipv6 unicast-routing
!
interface FastEthernet1/0/1
 description TO ASA-1
 switchport access vlan 101
!
interface FastEthernet1/0/2
 description TO ASA-2
 switchport access vlan 101
!
! Interface connecting to branch LAN access router
! (EtherSwitch internal interface)
interface GigabitEthernet1/0/2
 description to BR1-LAN
 no switchport
 ip address 10.124.4.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1003::2/64
 ! Optional - dynamic routing for IPv6 inside the branch
 ipv6 eigrp 10
!
! VLAN for network connecting ASA
interface Vlan101
 ip address 10.124.3.3 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1002::3/64
 ipv6 eigrp 10
!
! Default route pointing to ASA
ipv6 route ::/0 2001:DB8:CAFE:1002::1
!
! Enable EIGRP for IPv6
ipv6 router eigrp 10
 ! Redistribute default route to LAN router
 redistribute static
 ! Do not attempt adjacency on VLAN101
 passive-interface Vlan101
```
Branch LAN Router Configuration
The BR1-LAN branch LAN access router (configuration shown in Example 8-12) acts as a Layer 3 distribution device for the branch. BR1-LAN terminates the VLAN trunks from the Layer 2 access switch (BR1-LAN-SW) that the individual hosts connect to. In addition to basic L3 termination and routing, the BR1-LAN router provides basic addressing services to IPv6-attached hosts through stateless DHCPv6 (RFC 3736) and provides stateful DHCPv6 relay functionality (RFC 3315). With stateless DHCPv6, the router provides IPv6 addressing services through SLAAC (RFC 4862), but other information, such as DNS name and DNS server, is provided through a stateless DHCPv6 pool (G0/0.104 example). With stateful DHCPv6 relay, the router forwards on the DHCP requests to a defined DHCPv6 server (G0/0.105 example).
Example 8-12. BR1-LAN Configuration Example
```
ipv6 unicast-routing
ipv6 cef
!
! DHCPv6 pool name
ipv6 dhcp pool DATA_W7
 ! Primary IPv6 DNS server
 dns-server 2001:DB8:CAFE:102::8
 ! DNS domain name passed to client
 domain-name cisco.com
!
interface GigabitEthernet0/0
 description to BR1-LAN-SW
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.104
 description VLAN-PC
 encapsulation dot1Q 104
 ip address 10.124.104.1 255.255.255.0
 ! Client uses SLAAC with this prefix
 ipv6 address 2001:DB8:CAFE:1004::1/64
 ! Set flag in RA to instruct host how to obtain "other"
 ! information such as domain
 ipv6 nd other-config-flag
 ! Use DHCP pool above for options
 ipv6 dhcp server DATA_W7
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
 description VLAN-PHONE
 encapsulation dot1Q 105
 ip address 10.124.105.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ! Do not use prefix for autoconfiguration
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
 ! Set flag in RA to instruct host to use DHCPv6
 ipv6 nd managed-config-flag
 ! Relay for DHCPv6 server
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.106
 description VLAN-PRINTER
 encapsulation dot1Q 106
 ip address 10.124.106.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1006::1/64
 ipv6 eigrp 10
!
interface GigabitEthernet1/0
 description TO ETHERSWITCH MODULE
 ip address 10.124.4.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1003::1/64
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 no shutdown
```
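How hosts on each VLAN obtain addresses follows from the router advertisement flags that the sub-interface commands in Example 8-12 set: managed (M), other-config (O), and the per-prefix autonomous (A) flag. The sketch below is an added example, not part of the original chapter; the function names are assumptions and the input is an excerpt of the BR1-LAN listing. It derives the flags per interface and warns when a flag sends hosts to DHCPv6 but the interface has neither a DHCPv6 server nor a relay.

```python
# Excerpt of the BR1-LAN sub-interfaces from Example 8-12, used as sample input.
BR1_LAN_EXCERPT = """\
interface GigabitEthernet0/0.104
 ipv6 address 2001:DB8:CAFE:1004::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_W7
!
interface GigabitEthernet0/0.105
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
!
interface GigabitEthernet0/0.106
 ipv6 address 2001:DB8:CAFE:1006::1/64
"""


def split_interfaces(config):
    """Group the indented lines of each 'interface' stanza under its name."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return stanzas


def addressing_plan(config):
    """Map each IPv6 interface to its RA flags and resulting host behaviour."""
    plan = {}
    for name, lines in split_interfaces(config).items():
        if not any(l.startswith("ipv6 address ") for l in lines):
            continue
        m_flag = "ipv6 nd managed-config-flag" in lines
        o_flag = "ipv6 nd other-config-flag" in lines
        # Simplification: the A flag is per prefix; treat it as cleared when
        # any advertised prefix on the interface carries no-autoconfig.
        a_flag = not any(
            l.startswith("ipv6 nd prefix ") and l.endswith("no-autoconfig")
            for l in lines
        )
        has_dhcp = any(
            l.startswith(("ipv6 dhcp server ", "ipv6 dhcp relay "))
            for l in lines
        )
        if m_flag:
            mode = "stateful DHCPv6" + (" + SLAAC" if a_flag else "")
        elif o_flag and a_flag:
            mode = "SLAAC + stateless DHCPv6"
        elif a_flag:
            mode = "SLAAC only"
        else:
            mode = "no automatic addressing"
        warnings = []
        if (m_flag or o_flag) and not has_dhcp:
            warnings.append("RA flag set but no DHCPv6 server or relay")
        plan[name] = {"M": m_flag, "O": o_flag, "A": a_flag,
                      "mode": mode, "warnings": warnings}
    return plan


if __name__ == "__main__":
    for name, info in addressing_plan(BR1_LAN_EXCERPT).items():
        print(name, info["mode"], info["warnings"])
```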
The BR1-LAN-SW Catalyst switch is configured with an interface connected to the BR1-LAN router and is configured for IEEE 802.1Q trunking. VLANs 104–106 are carried over the trunk link. No relevant IPv6 configurations are made on the BR1-LAN-SW except that a management interface is defined that is reachable over both IPv4 and IPv6. The configuration for the BR1-LAN-SW device is not shown.