
December 2020


[Original] Getting a Cisco router online with China Telecom IPv6

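Last edited by wuhao0015 on 2019-1-21 21:28
In response to the national call. Sharing is key. Years ago I posted a thread asking about getting online with China Telecom IPv6, and it was never resolved. Original thread:
http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=968948
This time I'll share how I solved it. The router's WAN side obtains its address statelessly, and LAN clients configure their addresses from the prefix obtained via DHCP-PD.
First, your ISP has to support DHCP-PD; that is where I had been stuck all along. I could never obtain an IPv6 prefix, so the LAN could not get addresses. I called China Telecom customer service and nobody there knew what IPv6 was, which left me speechless... I started by calling the Telecom operations staff for my neighborhood, then worked my way up to the district and then to the provincial level, and only recently got the problem solved.
My router sent the DHCP-PD request, but the DHCP server did not reply with a prefix. The debug output: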
Jan 21 19:55:29.213: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on Dialer1
Jan 21 19:55:29.217: IPv6 DHCP: Received ADVERTISE from FE80::DED2:FCFF:FE97:2291 on Dialer1
Jan 21 19:55:29.217: IPv6 DHCP: detailed packet contents
Jan 21 19:55:29.217: src FE80::DED2:FCFF:FE97:2291 (Dialer1)
Jan 21 19:55:29.217: dst FE80::100:1 (Dialer1)
Jan 21 19:55:29.217: type ADVERTISE(2), xid 15980133
Jan 21 19:55:29.217: option CLIENTID(1), len 10
Jan 21 19:55:29.217: 00030001649EF36869A4
Jan 21 19:55:29.217: option SERVERID(2), len 14
Jan 21 19:55:29.217: 00010006889630ABE0247FFB8855
Jan 21 19:55:29.217: option IA-PD(25), len 31
Jan 21 19:55:29.217: IAID 0x00180001, T1 0, T2 0
Jan 21 19:55:29.217: option STATUS-CODE(13), len 15
Jan 21 19:55:29.217: status code NOPREFIX-AVAIL(6)
Jan 21 19:55:29.217: status message: NoPrefixAvail
Jan 21 19:55:29.217: IPv6 DHCP: Adding server FE80::DED2:FCFF:FE97:2291
Jan 21 19:55:29.217: IPv6 DHCP: Received NoPrefixAvail - ignoring
Jan 21 19:55:29.217: IPv6 DHCP: Discarding message due to parse error
Jan 21 19:55:29.217: IPv6 DHCP: Removing server FE80::DED2:FCFF:FE97:2291
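See, it says there is no prefix. But after debugging with the back-end operations staff, they said the DHCP address pool was exhausted. Damn.
I kept calling the back end and then got the provincial Telecom office to expand the address range. I redialed and, what do you know, got a prefix. From then on the LAN obtained addresses. Problem solved.
Here is the key configuration: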
interface Dialer1
ipv6 address FE80::100:1 link-local # optional
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd dianxin
interface Vlan50
ipv6 address FE80::55:1 link-local # optional
ipv6 address dianxin ::/64
ipv6 address autoconfig
ipv6 enable
Here is the show output:
NJ-Test-C892#show ipv6 interface dialer 1
Dialer1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::100:1
No Virtual link-local address(es):
Description: uT:DianXin-ISP1
Stateless address autoconfig enabled
Global unicast address(es):
240E:EC:412:EFXX::100:1, subnet is 240E:EX:412:EEC4::/64 [EUI/CAL/PRE]
valid lifetime 259185 preferred lifetime 172785
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification Dialer i/f override
Output features: Common Flow Table Stile Classification Dialer idle reset
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
ND RAs are suppressed (periodic)
Hosts use stateless autoconfig for addresses.
NJ-Test-C892#show ipv6 dhcp interface dialer 1
Dialer1 is in client mode
Prefix State is OPEN (0)
Information refresh timer expires in 22:44:27
Renew will be sent in 22:44:27
Address State is IDLE
List of known servers:
Reachable via address: FE80::AE4E:91FF:FE61:8835
DUID: 000100068896B76C707BE8F45641
Preference: 255
Configuration parameters:
IA PD: IA ID 0x00180001, T1 86400, T2 138240
Prefix: 240E:EC:FX6:6X00::/56
preferred lifetime 172800, valid lifetime 259200
expires at Jan 24 2019 08:10 PM (254854 seconds)
DNS server: 240E:5A::6666
DNS server: 240E:5B::6666
Information refresh time: 0
Prefix name: dianxin
Prefix Rapid-Commit: disabled
Address Rapid-Commit: disabled
NJ-Test-C892#
A traceroute to a remote site works fine too:
C:\Users\Administrator>tracert -d iteachs.com
通过最多 30 个跃点跟踪
到 iteachs.com [2001:19f0:6001:799:938b:8e5e:6d95:7ce7] 的路由:
1 1 ms 1 ms 1 ms 240e:ec:fa6:6d00::
2 3 ms 4 ms 4 ms 240e:1a:2000::23
3 7 ms 7 ms 7 ms 240e:1a:2000:2223::2
4 8 ms 6 ms 7 ms 240e:1a:2000:f201::2
5 * * * 请求超时。
6 15 ms 12 ms 12 ms 240e::21:21:2103
7 * 9 ms 9 ms 240e:0:a::c9:1cb5
8 13 ms 11 ms 9 ms 240e:0:a::c9:5b4d
9 * * * 请求超时。
10 * 271 ms * 2a04:f580:8200:100::2
11 218 ms 222 ms * 2001:470:0:2cf::2
12 246 ms 248 ms 245 ms 2001:470:0:299::1
13 * 238 ms 236 ms 2001:470:0:324::2
14 234 ms 232 ms 232 ms 2001:470:0:72::2
15 * * * 请求超时。
16 228 ms 224 ms 225 ms 2001:19f0:6000::a44:22
17 * * * 请求超时。
18 235 ms 236 ms 235 ms 2001:19f0:6001:799:938b:8e5e:6d95:7ce7
跟踪完成。
A problem that had bothered me for 2 years is finally solved.
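Added example, not part of the original post: a Python decoder for the IA-PD option (code 25) as laid out in RFC 8415, showing why the debug output above reports len 31 with STATUS-CODE 6 and no prefix, next to a granted delegation. The byte strings are constructed from the fields the debug and show output print; 2001:db8:1200::/56 is a documentation prefix standing in for the ISP's, and all function names are this example's own.

```python
import ipaddress
import struct

OPT_STATUS_CODE = 13
OPT_IAPREFIX = 26
STATUS_NAMES = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 3: "NoBinding",
                4: "NotOnLink", 5: "UseMulticast", 6: "NoPrefixAvail"}

def build_option(code, payload):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload

def parse_ia_pd(payload):
    """Decode the payload of an IA_PD option: IAID, T1, T2, then sub-options."""
    if len(payload) < 12:
        raise ValueError("IA_PD payload shorter than IAID/T1/T2 header")
    iaid, t1, t2 = struct.unpack("!III", payload[:12])
    result = {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": [], "status": None}
    pos = 12
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("sub-option length runs past IA_PD payload")
        if code == OPT_STATUS_CODE and length >= 2:
            status = struct.unpack("!H", body[:2])[0]
            result["status"] = (status, STATUS_NAMES.get(status, "unknown"),
                                body[2:].decode("utf-8", "replace"))
        elif code == OPT_IAPREFIX and length >= 25:
            preferred, valid, plen = struct.unpack("!IIB", body[:9])
            addr = ipaddress.IPv6Address(body[9:25])
            prefix = ipaddress.IPv6Network((addr, plen), strict=False)
            result["prefixes"].append((str(prefix), preferred, valid))
        pos += 4 + length
    return result

def usable(ia_pd):
    """A client can use the IA_PD only if it has a prefix and no error status."""
    failed = ia_pd["status"] is not None and ia_pd["status"][0] != 0
    return bool(ia_pd["prefixes"]) and not failed

# Constructed from the debug fields: IAID 0x00180001, T1 0, T2 0, status 6.
REFUSED = struct.pack("!III", 0x00180001, 0, 0) + build_option(
    OPT_STATUS_CODE, struct.pack("!H", 6) + b"NoPrefixAvail")
# Constructed success case using the timers from the show output.
GRANTED = struct.pack("!III", 0x00180001, 86400, 138240) + build_option(
    OPT_IAPREFIX, struct.pack("!IIB", 172800, 259200, 56)
    + ipaddress.IPv6Address("2001:db8:1200::").packed)
```

The refused payload is 12 bytes of IAID/T1/T2 plus a 19-byte STATUS-CODE sub-option, which is the len 31 in the debug; a granted IA-PD carries a 25-byte IAPREFIX body instead.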
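Comments
wuhao0015
Rising star
Last edited by wuhao0015 on 2019-6-19 08:55
wusiye1986 posted on 2019-3-31 12:37
I configured it exactly like this
It worked with RouterOS before, only renewal was more of a hassle: every time China Mobile reissued the PD I had to clear it on the switch

The router has no PD pool; the PD on the router is handed out by the ISP. The downstream Layer 3 switch can only obtain addresses statelessly.
In that case you need to enable a proxy on the router. The Layer 3 switch might then obtain a prefix, but the problem is that the ISP may not add a route for the newly obtained prefix.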
wusiye1986
Community Member
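wuhao0015 posted on 2019-6-19 08:54
The router has no PD pool; the PD on the router is handed out by the ISP. The downstream Layer 3 switch can only obtain addresses statelessly.
In that case, on the rou ...

Actually, if both the router and the switch enable trunking and the router's subinterfaces send RAs, it works. I just never wanted to do it that way, because then the IPv6 gateway sits on the router rather than on the switch's VLAN interface, which may affect the router's performance.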
wuhao0015
Rising star
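wusiye1986 posted on 2019-7-9 13:12
Actually, if both the router and the switch enable trunking and the router's subinterfaces send RAs, it works. I just never wanted to do it that way, because then the ipv6 ...

That is one way to do it...
wusiye1986
Community Member
Posting my configuration; still the same problem, the PD cannot be passed down to the next-layer switch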
ipv6 unicast-routing
ipv6 dhcp pool router
prefix-delegation pool ct-prefix
interface Dialer1
description CnTel
mtu 1492
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer down-with-vInterface
no cdp enable
ipv6 address dhcp rapid-commit
ipv6 address FE80::7281:5FF:FEF6:93C1 link-local
ipv6 enable
ipv6 dhcp client pd ct-prefix rapid-commit
interface GigabitEthernet0/0
ip address 192.168.181.100 255.255.255.128
ip nat inside
no ip virtual-reassembly in
duplex auto
speed auto
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd ra suppress all
ipv6 dhcp server router
wuhao0015
Rising star
wusiye1986 posted on 2019-8-14 23:06
Posting my configuration; still the same problem, the PD cannot be passed down to the next-layer switch
ipv6 unicast-routing
ipv6 dhcp pool router

ipv6 dhcp pool router
prefix-delegation pool ct-prefix
The prefix here is the address from the local pool you configured, not the prefix you obtained from the ISP. Also, how does your g0/0 get its address?
wusiye1986
Community Member
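wuhao0015 posted on 2019-8-15 09:08
ipv6 dhcp pool router
prefix-delegation pool ct-prefix
The prefix here is from the local pool you configured ...

So that is exactly the trouble: the obtained PD cannot be used directly as the pool. g0/0 has no v6 address configured; last night I gave it a site-local one.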
wusiye1986
Community Member
Boss, did you ever solve assigning IPv6 addresses across VLANs? I tried router subinterfaces and it works, I'm just not too happy with it.
wusiye1986
Community Member
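Found this:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-asr1k-nptv6.html
NPTv6: you set an internal IPv6 prefix and it is translated to the public prefix on the way out, but only ISR4K and above support it, and I have no device to test with.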
wuhao0015
Rising star
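wusiye1986 posted on 2019-9-10 13:37
Found this:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16 ...

That won't work: the prefix you get from China Telecom is dynamic, and this only works for a static address range; it seems specifying the interface doesn't work either. But a firewall can do it this way~!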
jasonzhan3151
Beginner
I don't understand it, but it looks impressive. Bookmarked.
wusiye1986
Community Member
I don't have an ISR4K to test with, but NAT64 on the 2951 can't use China Telecom's dynamic prefix either.
digitalfox
Beginner
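wuhao0015 posted on 2019-9-10 15:04
That won't work: the prefix you get from China Telecom is dynamic, and this only works for a static address range; it seems specifying the interface doesn't work either. But a firewall can ...

You're sure a firewall can? Then I'll tinker with my ASA5506 at home when I have time off.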
wuhao0015
Rising star
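digitalfox posted on 2019-12-8 17:21
You're sure a firewall can? Then I'll tinker with my ASA5506 at home when I have time off.

It seems it can; I'm not sure. If you succeed, please report back~~!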