Configuring IPv6 Unicast Routing
- Finding Feature Information
- Information About Configuring IPv6 Host Functions
- Configuration Examples for IPv6 Unicast Routing
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring IPv6 Host Functions
This chapter describes how to configure IPv6 host functions on the Catalyst 2960, 2960-S, and 2960-C.
Note | To use IPv6 Host Functions, the switch must be running the LAN Base image. |
For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Configuring MLD Snooping.
To enable dual stack environments (supporting both IPv4 and IPv6) on a Catalyst 2960 switch, you must configure the switch to use a dual IPv4 and IPv6 switch database management (SDM) template. See the "Dual IPv4 and IPv6 Protocol Stacks" section. This template is not required on Catalyst 2960-S switches.
Note | For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. |
- Understanding IPv6
- Default IPv6 Configuration
- Configuring IPv6 Addressing and Enabling IPv6 Routing
- Configuring IPv6 ICMP Rate Limiting (CLI)
- Configuring Static Routing for IPv6 (CLI)
- Displaying IPv6
Understanding IPv6
IPv4 users can move to IPv6 and receive services such as end-to-end security, quality of service (QoS), and globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address Translation (NAT) processing by border routers at network edges.
For information about how Cisco Systems implements IPv6, go to:
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
For information about IPv6 and other features in this chapter
IPv6 Addresses
The switch supports only IPv6 unicast addresses. It does not support site-local unicast addresses or anycast addresses.
The IPv6 128-bit addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons in the format: n:n:n:n:n:n:n:n. This is an example of an IPv6 address:
2031:0000:130F:0000:0000:09C0:080F:130B
For easier implementation, leading zeros in each field are optional. This is the same address without leading zeros:
2031:0:130F:0:0:9C0:80F:130B
You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short version only once in each address:
2031:0:130F::09C0:080F:130B
For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.
In the “Information About Implementing Basic Connectivity for IPv6” chapter, these sections apply to the switch:
Supported IPv6 Unicast Routing Features
These sections describe the IPv6 protocol features supported by the switch:
The switch provides IPv6 routing capability over Routing Information Protocol (RIP) for IPv6, and Open Shortest Path First (OSPF) Version 3 Protocol. It supports up to 16 equal-cost routes and can simultaneously forward IPv4 and IPv6 frames at line rate.
- 128-Bit Wide Unicast Addresses
- DNS for IPv6
- ICMPv6
- Neighbor Discovery
- IPv6 Stateless Autoconfiguration and Duplicate Address Detection
- IPv6 Applications
- Dual IPv4 and IPv6 Protocol Stacks
- SNMP and Syslog Over IPv6
- HTTP(S) Over IPv6
- EIGRP IPv6
- EIGRPv6 Stub Routing
128-Bit Wide Unicast Addresses
The switch supports aggregatable global unicast addresses and link-local unicast addresses. It does not support site-local unicast addresses.
- Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix. The address structure enables strict aggregation of routing prefixes and limits the number of routing table entries in the global routing table. These addresses are used on links that are aggregated through organizations and eventually to the Internet service provider. These addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Current global unicast address allocation uses the range of addresses that start with binary value 001 (2000::/3). Addresses with a prefix of 2000::/3 (001) through E000::/3 (111) must have 64-bit interface identifiers in the extended unique identifier (EUI)-64 format.
- Link-local unicast addresses can be automatically configured on any interface by using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI format. Link-local addresses are used in the neighbor discovery protocol (NDP) and the stateless autoconfiguration process. Nodes on a local link use link-local addresses and do not require globally unique addresses to communicate. IPv6 routers do not forward packets with link-local source or destination addresses to other links.
For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
DNS for IPv6
IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6.
ICMPv6
The Internet Control Message Protocol (ICMP) in IPv6 generates error messages, such as ICMP destination unreachable messages, to report errors during processing and other diagnostic functions. In IPv6, ICMP packets are also used in the neighbor discovery protocol and path MTU discovery.
Neighbor Discovery
The switch supports NDP for IPv6, a protocol running on top of ICMPv6, and static neighbor entries for IPv6 stations that do not support NDP. The IPv6 neighbor discovery process uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), to verify the reachability of the neighbor, and to keep track of neighboring routers.
The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits. ICMP redirect is not supported for host routes or for summarized routes with mask lengths greater than 64 bits.
Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the process of obtaining the next hop forwarding information to route an IPv6 packet. The switch drops any additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve. This drop avoids further load on the CPU.
IPv6 Stateless Autoconfiguration and Duplicate Address Detection
The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. A host autonomously configures its own link-local address, and booting nodes send router solicitations to request router advertisements for configuring interfaces.
For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.
IPv6 Applications
The switch has IPv6 support for these applications:
- Ping, traceroute, Telnet, and TFTP
- Secure Shell (SSH) over an IPv6 transport
- HTTP server access over IPv6 transport
- DNS resolver for AAAA over IPv4 transport
- Cisco Discovery Protocol (CDP) support for IPv6 addresses
For more information about managing these applications, see the Cisco IOS IPv6 Configuration Library on Cisco.com.
Dual IPv4 and IPv6 Protocol Stacks
You must use the dual IPv4 and IPv6 template to allocate hardware memory usage to both IPv4 and IPv6 protocols.
This figure shows a router forwarding both IPv4 and IPv6 traffic through the same interface, based on the IP packet and destination addresses.
Use the dual IPv4 and IPv6 switch database management (SDM) template to enable IPv6 routing dual stack environments (supporting both IPv4 and IPv6). For more information about the dual IPv4 and IPv6 SDM template, see Configuring SDM Templates.
The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments.
- If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.
- In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware. IPv6 packets are not supported.
- In dual IPv4 and IPv6 environments, the switch applies IPv4 QoS and ACLs in hardware.
- The switch supports QoS for both IPv4 and IPv6 traffic.
If you do not plan to use IPv6, do not use the dual stack template because this template results in less hardware memory capacity for each resource.
For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.
SNMP and Syslog Over IPv6
To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports.
SNMP and syslog over IPv6 provide these features:
- Support for both IPv4 and IPv6
- IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host
- SNMP- and syslog-related MIBs to support IPv6 addressing
- Configuration of IPv6 hosts as trap receivers
For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6. These SNMP actions support IPv6 transport management:
- Opens User Datagram Protocol (UDP) SNMP socket with default settings
- Provides a new transport mechanism called SR_IPV6_TRANSPORT
- Sends SNMP notifications over IPv6 transport
- Supports SNMP-named access lists for IPv6 transport
- Supports SNMP proxy forwarding using IPv6 transport
- Verifies SNMP Manager feature works with IPv6 transport
For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
HTTP(S) Over IPv6
The HTTP client sends requests to both IPv4 and IPv6 HTTP servers, which respond to requests from both IPv4 and IPv6 HTTP clients. URLs with literal IPv6 addresses must be specified in hexadecimal using 16-bit values between colons.
The accept socket call chooses an IPv4 or IPv6 address family. The accept socket is either an IPv4 or IPv6 socket. The listening socket continues to listen for both IPv4 and IPv6 signals that indicate a connection. The IPv6 listening socket is bound to an IPv6 wildcard address.
The underlying TCP/IP stack supports a dual-stack environment. HTTP relies on the TCP/IP stack and the sockets for processing network-layer interactions.
Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made.
For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
EIGRP IPv6
Switches support the Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6. It is configured on the interfaces on which it runs and does not require a global IPv6 address. Switches running IP Lite only support EIGRPv6 stub routing.
Before running, an instance of EIGRP IPv6 requires an implicit or explicit router ID. An implicit router ID is derived from a local IPv6 address, so any IPv6 node always has an available router ID. However, EIGRP IPv6 might be running in a network with only IPv6 nodes and therefore might not have an available IPv6 router ID.
For more information about EIGRP for IPv6, see the “Implementing EIGRP for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
EIGRPv6 Stub Routing
The EIGRPv6 stub routing feature reduces resource utilization by moving routed traffic closer to the end user.
In a network using EIGRPv6 stub routing, the only allowable route for IPv6 traffic to the user is through a switch that is configured with EIGRPv6 stub routing. The switch sends the routed traffic to interfaces that are configured as user interfaces or are connected to other devices.
When using EIGRPv6 stub routing, you need to configure the distribution and remote routers to use EIGRPv6 and to configure only the switch as a stub. Only specified routes are propagated from the switch. The switch responds to all queries for summaries, connected routes, and routing updates.
Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes, and a router that has a stub peer does not query that peer. The stub router depends on the distribution router to send the proper updates to all peers.
In the figure given below, switch B is configured as an EIGRPv6 stub router. Switches A and C are connected to the rest of the WAN. Switch B advertises connected, static, redistribution, and summary routes to switch A and C. Switch B does not advertise any routes learned from switch A (and the reverse).
For more information about EIGRPv6 stub routing, see the “Implementing EIGRP for IPv6” section of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.4.
IPv6 and Switch Stacks
The switch supports IPv6 forwarding across the stack and IPv6 host functionality on the stack master. The stack master runs IPv6 host functionality and IPv6 applications.
While the new stack master is being elected and is resetting, the switch stack does not forward IPv6 packets. The stack MAC address changes, which also changes the IPv6 address. When you specify the stack IPv6 address with an extended unique identifier (EUI) by using the ipv6 address ipv6-prefix/prefix length eui-64 interface configuration command, the address is based on the interface MAC address. See the "Configuring IPv6 Addressing and Enabling IPv6 Host" section.
If you configure the persistent MAC address feature on the stack and the stack master changes, the stack MAC address does not change for approximately 4 minutes. For more information, see the "Enabling Persistent MAC Address" section in "Managing Switch Stacks."
Default IPv6 Configuration
Feature | Default Setting |
---|---|
SDM template | Advance desktop. Default is advanced template |
IPv6 routing | Disabled globally and on all interfaces |
CEFv6 or dCEFv6 | Disabled (IPv4 CEF and dCEF are enabled by default) |
IPv6 addresses | None configured |
Configuring IPv6 Addressing and Enabling IPv6 Routing
This section describes how to assign IPv6 addresses to individual Layer 3 interfaces and to globally forward IPv6 traffic on the switch.
Before configuring IPv6 on the switch, consider these guidelines:
- Be sure to select a dual IPv4 and IPv6 SDM template.
- In the ipv6 address interface configuration command, you must enter the ipv6-address and ipv6-prefix variables with the address specified in hexadecimal using 16-bit values between colons. The prefix-length variable (preceded by a slash [/]) is a decimal value that shows how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).
To forward IPv6 traffic on an interface, you must configure a global IPv6 address on that interface. Configuring an IPv6 address on an interface automatically configures a link-local address and activates IPv6 for the interface. The configured interface automatically joins these required multicast groups for that link:
- solicited-node multicast group FF02:0:0:0:0:1:ff00::/104 for each unicast address assigned to the interface (this address is used in the neighbor discovery process)
- all-nodes link-local multicast group FF02::1
- all-routers link-local multicast group FF02::2
For more information about configuring IPv6 routing, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 forwarding:
Configuring IPv6 ICMP Rate Limiting (CLI)
ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters:
Configuring Static Routing for IPv6 (CLI)
Before configuring a static IPv6 route, you must enable routing by using the ip routing global configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration command, and enable IPv6 on at least one Layer 3 interface by configuring an IPv6 address on the interface.
For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference publications.
Command | Purpose |
---|---|
show ipv6 access-list | Displays a summary of access lists. |
show ipv6 cef | Displays Cisco Express Forwarding for IPv6. |
show ipv6 interface interface-id | Displays IPv6 interface status and configuration. |
show ipv6 mtu | Displays IPv6 MTU per destination cache. |
show ipv6 neighbors | Displays IPv6 neighbor cache entries. |
show ipv6 ospf | Displays IPv6 OSPF information. |
show ipv6 prefix-list | Displays a list of IPv6 prefix lists. |
show ipv6 protocols | Displays a list of IPv6 routing protocols on the switch. |
show ipv6 rip | Displays IPv6 RIP routing protocol status. |
show ipv6 route | Displays IPv6 route table entries. |
show ipv6 routers | Displays the local IPv6 routers. |
show ipv6 static | Displays IPv6 static routes. |
show ipv6 traffic | Displays IPv6 traffic statistics. |
Command | Purpose |
---|---|
show ipv6 eigrp [as-number] interface | Displays information about interfaces configured for EIGRP IPv6. |
show ipv6 eigrp [as-number] neighbor | Displays the neighbors discovered by EIGRP IPv6. |
show ipv6 interface [as-number] traffic | Displays the number of EIGRP IPv6 packets sent and received. |
show ipv6 eigrp topology [as-number \| ipv6-address] [active \| all-links \| detail-links \| pending \| summary \| zero-successors \| Base] | Displays EIGRP entries in the IPv6 topology table. |
Configuration Examples for IPv6 Unicast Routing
- Configuring IPv6 Addressing and Enabling IPv6 Routing: Example
- Configuring IPv6 ICMP Rate Limiting: Example
- Configuring Static Routing for IPv6: Example
- Displaying IPv6: Example
Configuring IPv6 Addressing and Enabling IPv6 Routing: Example
This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses. Output from the show ipv6 interface EXEC command is included to show how the interface ID (20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface.
Switch(config)# ipv6 unicast-routing
Switch(config)# interface gigabitethernet1/0/11
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64
Switch(config-if)# end
Switch# show ipv6 interface gigabitethernet1/0/11
GigabitEthernet1/0/11 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
Global unicast address(es):
2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF2F:D940
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
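The addresses and joined groups in this output can be recomputed offline, which is useful when auditing an interface and as a reminder that an EUI-64 address exposes the interface MAC. The following Python sketch is an added example, not Cisco code; the MAC address is an assumption inferred by reversing the interface ID in the output, and the function names are hypothetical.

```python
import ipaddress
import re
from typing import Optional

# Assumption: MAC inferred by reversing the interface ID 20B:46FF:FE2F:D940
# from the show output; the page itself never prints the MAC.
SAMPLE_MAC = "00:0b:46:2f:d9:40"


def modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC.

    Accepts colon, dash, or Cisco dotted (000b.462f.d940) notation.
    """
    digits = re.sub(r"[.:\-]", "", mac)
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address")
    octets = bytes.fromhex(digits)
    # Insert FF:FE in the middle and invert the universal/local bit (0x02).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return net.network_address + modified_eui64(mac)


def solicited_node_group(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 plus the low-order 24 bits of the unicast address."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def mac_from_eui64(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if it is not EUI-64."""
    iid = (int(addr) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def expected_interface_state(prefix: str, mac: str) -> dict:
    """Addresses and multicast groups a routed interface should show."""
    link_local = eui64_address("fe80::/64", mac)
    global_addr = eui64_address(prefix, mac)
    groups = {"ff02::1", "ff02::2",  # all-nodes, all-routers
              str(solicited_node_group(link_local)),
              str(solicited_node_group(global_addr))}
    return {"link_local": str(link_local),
            "global": str(global_addr),
            "groups": sorted(groups)}


if __name__ == "__main__":
    for key, value in expected_interface_state(
            "2001:0DB8:c18:1::/64", SAMPLE_MAC).items():
        print(key, value)
```

Both unicast addresses share the same low-order 24 bits, so the interface joins a single solicited-node group, matching the one FF02::1:FF2F:D940 entry in the output.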
Configuring IPv6 ICMP Rate Limiting: Example
This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens.
Switch(config)# ipv6 icmp error-interval 50 20
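To see what the interval and bucket size mean for a burst of error-triggering traffic, the following Python model compares the default setting (100 milliseconds, 10 tokens) with the setting configured above (50 milliseconds, 20 tokens). It is an added example, not Cisco code, and it assumes a conventional token bucket: the bucket starts full, one token is added per interval, and each ICMP error message consumes one token. The event stream is constructed for the illustration.

```python
from typing import Iterable, Tuple


class IcmpErrorLimiter:
    """Token-bucket model of 'ipv6 icmp error-interval <ms> <bucketsize>'.

    Assumption: the bucket starts full and gains one token per interval.
    """

    def __init__(self, interval_ms: int, bucket_size: int) -> None:
        if interval_ms <= 0 or bucket_size <= 0:
            raise ValueError("interval and bucket size must be positive")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size
        self.last_refill_ms = 0

    def allow(self, now_ms: int) -> bool:
        """Return True if an ICMP error may be sent at time now_ms."""
        earned = (now_ms - self.last_refill_ms) // self.interval_ms
        if earned > 0:
            # Tokens beyond the bucket size are discarded.
            self.tokens = min(self.bucket_size, self.tokens + earned)
            self.last_refill_ms += earned * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(interval_ms: int, bucket_size: int,
             events_ms: Iterable[int]) -> Tuple[int, int]:
    """Return (sent, suppressed) for error triggers at the given times.

    events_ms must be in non-decreasing order, in milliseconds.
    """
    limiter = IcmpErrorLimiter(interval_ms, bucket_size)
    sent = suppressed = 0
    for t in events_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed workload: one error-triggering packet per millisecond for one
# second, for example a sweep of unreachable destinations.
BURST = range(1000)

if __name__ == "__main__":
    for label, interval, bucket in (("default", 100, 10),
                                    ("example", 50, 20)):
        sent, dropped = simulate(interval, bucket, BURST)
        print(f"{label}: interval={interval} ms bucket={bucket} "
              f"sent={sent} suppressed={dropped}")
```

In this model the configured values double both the initial burst and the sustained rate of error messages compared with the default, so more ICMP errors are sent in response to the same flood.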
Configuring Static Routing for IPv6: Example
This example shows how to configure a floating static route to an interface with an administrative distance of 130:
Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet2/0/1 130
Displaying IPv6: Example
This is an example of the output from the show ipv6 interface privileged EXEC command:
Switch# show ipv6 interface
Vlan1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
Global unicast address(es):
3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF2F:D940
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
<output truncated>