This guide provides detailed design and implementation information relating to the deployment of Dynamic Multipoint VPN (DMVPN) for IPv6 with the Cisco® Virtual Office solution.
Please refer to the Cisco Virtual Office overview (http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.
The Cisco Virtual Office solution includes a DMVPN architecture for data gateway infrastructure. IPv6 is supported on the LAN side of the infrastructure while using the existing IPv4 connectivity for the WAN side. This setup allows enterprises to convert their internal networks to IPv6 while using the existing IPv4 Internet and WAN infrastructure to connect to other sites that are not yet IPv6-compatible. Figure 1 shows the network topology of DMVPN for IPv6.
Figure 1. DMVPN for IPv6 Network Topology
In Figure 1, the small office or home office (SOHO) network behind the spoke router and the corporate network behind the DMVPN hub router can have either IPv6 or IPv4 devices. However, the Internet connection between spoke and hub must be an IPv4 connection.
This guide assumes basic knowledge about DMVPN for IPv4 deployment and basic IPv6 addressing.
Recommended Platforms and Images
The configuration example in this guide uses a Cisco 3945E Integrated Services Router as hub and a Cisco 881W Integrated Services Router as spoke. For other Cisco router platforms, the sample configuration may differ. For a full list of supported hardware and software, please refer to the "Cisco Virtual Office Supported Hardware and Software" guide at http://www.cisco.com/go/cvo.
Benefits of Using IPv6
The major advantage of IPv6 over IPv4 is the larger address space. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, or approximately 3.4 x 1038 addressable nodes, providing more than enough globally unique IP addresses for every network device on the planet. As more and more mobile devices are added to the SOHO network, the need for individual IP addresses is increasing. IPv6 allows the growth of IP networking to continue.
Other benefits of using IPv6 include:
• Better network layer security is ensured by mandatory IP Security (IPsec) integration in IPv6 (optional in IPv4).
• Simpler header compared to IPv4 improves routing efficiency, performance, and forwarding-rate scalability.
Migration Steps (IPv4 to IPv6)
The following describes how to migrate from a DMVPN IPv4 deployment to a DMVPN IPv6 deployment:
• Enable IPv6 in the upstream corporate network for the DMVPN hub routers. In particular, a Domain Name System (DNS) server to manage IPv6 addresses is required.
• Upgrade the hub-and-spoke routers to Cisco IOS® Software Release 12.4(20)T or later.
• Apply DMVPN for IPv6 configurations on hub-and-spoke routers.
• Enable IPv6 on host devices behind the spoke routers.
Things to consider before starting the deployment of DMVPN for IPv6:
• The WAN connection between the hub-and-spoke routers is IPv4 only. Routers in between do not need IPv6 capability.
• Because most websites and DNS servers continue to use IPv4 addresses, it is mandatory to have IPv4 and IPv6 addresses on the host devices behind the spoke router for connectivity to all websites.
• For the LAN side, use IPv6 stateless autoconfiguration (RFC 2462), which requires a 64-bit network prefix. Use stateless autoconfiguration on all devices behind the hub-and-spoke router to avoid manual assignment of IPv6 addresses and to allow easy transition from IPv4 to IPv6.
• IPv6 is supported on Bridge Group Virtual Interface (BVI) only on a Cisco IOS Software 15.1(2)T1 or later image.
Configuring DMVPN for IPv6
The following explains how to configure DMVPN hub-and-spoke routers for IPv6. It covers only the necessary configuration for enabling DMVPN and IPv6. This configuration is only a sample one; it needs to be customized to your correct corporate subnets and servers.
Hub-side LAN (corporate) subnet: 10.1.0.0/16
Spoke-side LAN subnet: 10.10.0.0/20 and 10.20.0.0/20
DMVPN tunnel subnet: 192.168.0.0/24
Hub NBMA address: 172.16.0.100
Corporate upstream v6 prefix: 2001:db8:1111::/64
Spoke-side LAN v6 prefix: 2001:db8:BBBB::/48 and 2001:db8:CCCC::/48
DMVPN v6 tunnel prefix: 2001:db8:AAAA::/64
Sample DMVPN Hub Configuration for IPv6
!!! Hostname and domain name form a fully qualified domain name in certificates !!!
ip domain-name cisco.com
!!! Make sure clock and timezone are in sync !!!
clock timezone PST -8
clock summer-time PDT recurring
ntp server 10.1.1.101
!!! Public Key Infrastructure (PKI) configuration !!!
ip host cvo-pki-cs 10.1.1.105
crypto pki trustpoint cvo-pki-cs
enrollment url http://cvo-pki-cs:80
!!! Enable IPv6 unicast routing !!!
!!! The following routing protocols are supported: Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), On-Demand Routing (ODR), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP) !!!
!!! Statically assigned IPv6 address (EUI-64 can be used instead). Note: A 64-bit
prefix is used to allow stateless autoconfiguration !!!
ipv6 address 2001:db8:BBBB:1::1/64
ipv6 eigrp 6
!!! Tunnel Configuration !!!
description DMVPN IPv6 Phase 3
ip address 192.168.0.2 255.255.255.0
no ip redirect
ip mtu 1400
ip nhrp map multicast 172.16.0.100
ip nhrp map 192.168.0.1 172.16.0.100
ip nhrp network-id 6000
ip nhrp nhs 192.168.0.1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
!!! Tunnel IPv6 unicast address !!!
ipv6 address 2001:db8:AAAA::2/64
ipv6 mtu 1400
ipv6 eigrp 6
!!! The NBMA address is IPv4 only !!!
ipv6 nhrp map multicast 172.16.0.100
ipv6 nhrp map 2001:db8:AAAA::1/64 172.16.0.100
ipv6 nhrp network-id 6000
ipv6 nhrp nhs 2001:db8:AAAA::1
ipv6 nhrp shortcut
ipv6 nhrp redirect
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 600
tunnel protection ipsec profile cvo-profile-1
Wireless IPv6 Access
If an integrated wireless access point (AP) is available in the spoke router, IPv6 access can be provided to the wireless hosts.
In case of integrated AP, e.g., those in Cisco 871W or Cisco 1811W routers, IPv6 addresses should be assigned to the virtual bridging interface (BVI). IPv6 addresses on BVI is supported using image 15.1(2)T1 or later.
In case of integrated AP module, e.g., those in Cisco 881W or Cisco 891W routers, you do not need to assign IPv6 address to the AP. By default, the AP allows IPv6 pass-through, and IPv6 traffic is directly routed from the hosts to the router through the AP transparently.
Verification and Troubleshooting
For DMVPN, the following commands are used to verify and monitor the connection and configuration:
• show dmvpn-Displays DMVPN-specific session information
• show ipv6 nhrp-Displays Next Hop Resolution Protocol (NHRP) mapping information
• show ipv6 nhrp multicast-Displays NHRP multicast mapping information
• show ipv6 nhrp summary-Displays NHRP mapping summary information
• show ipv6 nhrp traffic-Displays NHRP traffic statistics information
• clear dmvpn session-Clears DMVPN sessions
• clear ipv6 nhrp-Clears all dynamic entries from the NHRP cache
• debug dmvpn-Displays debug DMVPN session information