
IPv6 Routing Problems

johnlutheran
Level 1

Just as a sanity check - I have IPv4 routing working well. Now I am trying to run dual stack and route IPv6.

 

I have a static /56 and it is configured on my 3560g. I can ping ipv6 ipv6.google.com, etc.

Hosts on all VLANs are getting IPv6 addresses from the switch. I can ping6 from clients to the switch and beyond to the LAN/WAN interfaces on the router. I cannot ping6 out to the internet at all.

 

Here's my config:  

Current configuration : 6891 bytes
!
! Last configuration change at 09:49:21 CDT Mon Sep 3 2018
! NVRAM config last updated at 09:49:22 CDT Mon Sep 3 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 3560g
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 Thisiswherethepasswordhashwouldbe
!
no aaa new-model
clock timezone MST -7 0
clock summer-time CDT recurring
system mtu routing 1500
vtp interface vlan11
ip routing
ip domain-name iroquois.lan
ip name-server 10.200.0.1
!
!
!
ipv6 unicast-routing
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-795879168
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-795879168
revocation-check none
rsakeypair TP-self-signed-795879168
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/24
description To Router
no switchport
ip address 172.16.0.253 255.255.255.0
ipv6 address xxxx:xxxx:xx:C0FF::253/64
ipv6 enable
!
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/27
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan6
ip address 172.16.6.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C001::254/64
ipv6 enable
!
interface Vlan10
ip address 172.16.10.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C002::254/64
ipv6 enable
!
interface Vlan11
ip address 10.200.0.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C003::254/64
ipv6 enable
!
interface Vlan20
ip address 172.16.20.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C004::254/64
ipv6 enable
!
interface Vlan30
ip address 172.16.30.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C005::254/64
ipv6 enable
!
interface Vlan40
ip address 172.16.40.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C006::254/64
ipv6 enable
!
interface Vlan50
ip address 172.16.50.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C007::254/64
ipv6 enable
!
interface Vlan60
ip address 172.16.60.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C008::254/64
ipv6 enable
!
interface Vlan70
ip address 172.16.70.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C009::254/64
ipv6 enable
!
interface Vlan80
ip address 172.16.80.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00A::254/64
ipv6 enable
!
interface Vlan90
ip address 172.16.90.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00B::254/64
ipv6 enable
!
interface Vlan100
ip address 172.16.100.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00C::254/64
ipv6 enable
!
interface Vlan110
ip address 172.16.110.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00D::254/64
ipv6 enable
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 172.16.0.254
ip route 10.1.10.0 255.255.255.0 172.16.0.254
!
logging host 10.200.0.50
ipv6 route ::/0 GigabitEthernet0/24 xxxx:xxxx:xx:C0FF::254
!
!
snmp-server community public RO
snmp-server enable traps vtp
snmp-server host 172.16.10.252 version 2c public
!
vstack
!
line con 0
line vty 0 4
password
login
line vty 5 15
password
login
!
ntp master 1
ntp server 172.16.0.254
end

What did I forget? This is driving me crazy.

 

27 Replies

Harold Ritter
Spotlight

From the workstation, are you pinging hostnames or ipv6 addresses?

 

Have you tried using traceroute to see where it breaks?

 

You say you have IPv4 working fine, but I do not see any DHCP configuration to provide DNS server addresses to the workstation. Do you configure the workstation manually?

 

Your IPv4 DNS should provide IPv6 address resolution, but it would be good to provide an IPv6 DNS server address to the workstations as follows:

 

ipv6 dhcp pool dhcp-pool 
 dns-server 2001:4860:4860::8888 
 dns-server 2001:4860:4860::8888 
! 
interface Vlan6
 ipv6 nd other-config-flag 
 ipv6 dhcp server dhcp-pool 

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Pinging IPv6 addresses. DHCP is handled by a RedHat Server internally. I'll work on name resolution next. Just trying to get ICMP out to the internet first.

 

Just tried traceroute - looks like it stops at my router. I will investigate further.

 

Thanks.

I remember that you had a pfSense device between the router and the Internet. Did you configure the static route on that device as I suggested?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Yes, I did. I can ping from the switch to the internet. Just clients in the configured VLANs cannot ping the internet.

 

Pinging from the switch only means that the directly connected interface (G0/24) has connectivity. For the VLAN users to have access to the Internet, the pfSense device needs to know how to route the entire /56.

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
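
The return-path point in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a model of the firewall's IPv6 routing table, showing where a reply to the switch uplink and a reply to a VLAN host would be forwarded, with and without a static route for the /56. The `2001:db8:0:c000::/56` prefix, the host address and the table entries are constructed stand-ins for the redacted values.

```python
import ipaddress

# Constructed stand-ins for the redacted prefix (2001:db8::/32 is documentation space).
DELEGATED = ipaddress.ip_network("2001:db8:0:c000::/56")
SWITCH_UPLINK = "2001:db8:0:c0ff::253"          # Gi0/24 on the 3560
SOURCES = {
    "switch Gi0/24": SWITCH_UPLINK,
    "vlan10 host": "2001:db8:0:c002::10",       # hypothetical workstation
}


def firewall_table(with_static_56):
    """Model of the upstream firewall's IPv6 routes as (network, next hop)."""
    table = [
        (ipaddress.ip_network("::/0"), "WAN gateway"),
        (ipaddress.ip_network("2001:db8:0:c0ff::/64"), "connected LAN"),
    ]
    if with_static_56:
        # The static route discussed in the thread: whole /56 via the switch.
        table.append((DELEGATED, SWITCH_UPLINK))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def return_path(table, sources=SOURCES):
    """Where the firewall would forward a reply addressed to each source."""
    report = {}
    for name, addr in sources.items():
        hit = lookup(table, addr)
        report[name] = "no route" if hit is None else f"{hit[0]} via {hit[1]}"
    return report


if __name__ == "__main__":
    for label, flag in (("without /56 route", False), ("with /56 route", True)):
        print(label)
        for name, path in return_path(firewall_table(flag)).items():
            print(f"  reply to {name}: {path}")
```

This models only the firewall's own table; it says nothing about whether the provider routes every /64 of the /56 toward the firewall's WAN side.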

This is what I set up:

 

Assuming that the part that is hidden is properly configured, this route looks good to me. Could you please attach the output of a traceroute from one of the workstations?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

C:\>tracert -6 2001:4860:4860::8888

Tracing route to google-public-dns-a.google.com [2001:4860:4860::8888]
over a maximum of 30 hops:

1 <1 ms <1 ms 3 ms xxxx:xxxx:xx:c002::254 SVI Address
2 <1 ms <1 ms <1 ms xxxx:xxxx:xx:c0ff::254 pfSense LAN interface address
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.

It's stopping at my Router. But it doesn't make sense that the 3560 can traceroute all the way to 2001:4860:4860::8888 & the workstations cannot??????????

 

3560g#traceroute ipv6 2001:4860:4860::8888
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (2001:4860:4860::8888)

1 xxxx:xxxx:xx:C0FF::254 0 msec 0 msec 0 msec
2 *
xxxx:xxxx:xx:C000:FC91:14FF:FEC8:D069 0 msec 33 msec
3 2001:558:4001:1::1 26 msec 109 msec 25 msec
4 po-101-rur02.albuquerque.nm.albuq.comcast.net (2001:558:42:83::1) 17 msec 17 msec 25 msec
5 po-2-rur01.albuquerque.nm.albuq.comcast.net (2001:558:40:4::1) 100 msec 17 msec 34 msec
6 be-5-ar01.albuquerque.nm.albuq.comcast.net (2001:558:40:44::1) 25 msec 17 msec 16 msec
7 be-33654-cr02.1601milehigh.co.ibone.comcast.net (2001:558:0:F7FB::1) 33 msec * 25 msec
8 be-12176-pe02.910fifteenth.co.ibone.comcast.net (2001:558:0:F8D7::2) 25 msec * *
9 2001:559::114A 26 msec
2001:559::10C6 25 msec
as40009-2-c.11greatoaks.ca.ibone.comcast.net (2001:559:0:18::2) 33 msec
10 2001:4860:0:122E::1 17 msec
2001:4860:0:134D::1 41 msec
2001:4860:0:122D::1 25 msec
11 2001:4860:0:1::2A69 25 msec
2001:4860:0:1::27DF 25 msec
2001:4860:0:1::1C11 25 msec
12 *
google-public-dns-a.google.com (2001:4860:4860::8888) 17 msec 33 msec


strange - I keep posting and then go back and the post is gone. Did I do something wrong?

Workstation:

C:\>tracert -6 2001:4860:4860::8888

Tracing route to google-public-dns-a.google.com [2001:4860:4860::8888]
over a maximum of 30 hops:

1 <1 ms <1 ms 3 ms xxxx:xxxx:xx:c002::254
2 <1 ms <1 ms <1 ms xxxx:xxxx:xx:c0ff::254
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

Switch:

3560g#traceroute ipv6 2001:4860:4860::8888
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (2001:4860:4860::8888)

1 xxxx:xxxx:xx:C0FF::254 0 msec 0 msec 0 msec
2 xxxx:xxxx:xx:C000:FC91:14FF:FEC8:D069 9 msec * 17 msec
3 2001:558:4001:1::1 25 msec 17 msec 17 msec
4 po-101-rur02.albuquerque.nm.albuq.comcast.net (2001:558:42:83::1) 17 msec 25 msec 17 msec
5 po-2-rur01.albuquerque.nm.albuq.comcast.net (2001:558:40:4::1) 16 msec 26 msec 25 msec
6 be-5-ar01.albuquerque.nm.albuq.comcast.net (2001:558:40:44::1) 33 msec 17 msec 25 msec
7 * * *
8 * *
be-12176-pe02.910fifteenth.co.ibone.comcast.net (2001:558:0:F8D7::2) 33 msec
9 2001:559::10C6 34 msec
as40009-2-c.11greatoaks.ca.ibone.comcast.net (2001:559:0:18::2) 25 msec 34 msec
10 2001:4860:0:122D::1 25 msec 42 msec
2001:4860:0:134E::1 25 msec
11 2001:4860:0:1::2A69 26 msec
2001:4860:0:1::2A67 25 msec
2001:4860:0:1::1C13 25 msec
12 google-public-dns-a.google.com (2001:4860:4860::8888) 25 msec 33 msec 34 msec

I think it is not you, but the community itself. I saw the traceroute though. Thanks.

 

From what I can see, xxxx:xxxx:xx:c0ff::/64 works, but xxxx:xxxx:xx:c002::/64 doesn't.

 

It could be that the problem is the FW configuration. Could you please check that?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

My firewall rules are pretty simple:

fire.png

here's the Alias:

alias.png

 

Here's WAN:

wan.png

Sure wish I understood what's happening.

Just read another Comcast Business user's complaint that he can only use the 1st /64 out of the 256 that are assigned to him. This would explain my problem perfectly. I'm going to verify, but I think I may be fighting a losing battle here. I may just go back to residential Xfinity service and use an HE Tunnel instead.