
IPv6 via Tunnelbroker

Robert Lang
Level 1

Hello Everybody,

I created a test-setup with dual stack on a 1841 Router with IOS

c1841-advipservicesk9-mz.124-3e.bin

Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.
Processor board ID FCZ1033209N
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

It works so far - but I detected high CPU load (up to 80-100%) and all IPv6 is awfully slow - I got 32Mbps down and >2Mbps upstream - in v6 I get around only 800kbps throughput.

As IPv6 is preferred over IPv4 this causes a slowdown of any related connection to Internet.

Relevant parts of the setup:

ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 2001:4860:4860::8888
ip name-server 2001:4860:4860::8844
ip inspect name FWRULES tcp
ip inspect name FWRULES udp
ip inspect name FWRULES ftp
ip inspect name FWRULES icmp
ip inspect name FWRULES rtsp
ip inspect name FWRULES h323
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool LANG-IPV6
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
 domain-name familie.lang
!
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
!
interface Tunnel66
 description 6in4 tunnel to SixXS
 bandwidth 32000
 no ip address
 ipv6 address 2001:4DD0:FF00:F3B::2/64
 ipv6 enable
 ipv6 traffic-filter INBOUND_V6_TRAFFIC in
 ipv6 inspect cbac-ipv6 out
 tunnel source FastEthernet0/0
 tunnel destination 78.35.24.124
 tunnel mode ipv6ip
 tunnel bandwidth transmit 6000
 tunnel bandwidth receive 32000
!
!
interface FastEthernet0/0
 description *** Outside Internet-Anschluss***
 ip dhcp client update dns server both
 ip ddns update hostname lang.dyndns-at-work.com
 ip ddns update DynDNS
 ip address dhcp
 ip access-group INBOUND_TRAFFIC in
 ip accounting access-violations
 ip nat outside
 ip inspect FWRULES out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description *** Inside Interface (LAN) ***
 ip address 192.168.1.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
!
!
ip access-list extended INBOUND_TRAFFIC
 remark Inbound access rule
 remark SDM_ACL Category=1
 permit tcp any any established
 permit udp any eq ntp any eq ntp
 permit udp any eq domain any eq domain
 permit tcp any any eq 22
 permit udp any any
 permit 41 host 78.35.24.124 host 188.193.89.173
 permit icmp host 78.35.24.124 host 188.193.89.173
 deny   ip any any
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 tag 666 name Internet_Default
!
ipv6 route ::/0 Tunnel66
!
ipv6 access-list INBOUND_V6_TRAFFIC
 remark Inbound access rule for IPV6
 permit tcp any any established
 sequence 70 permit udp any any
 sequence 75 permit icmp any any
 sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request
 sequence 100 remark prevent ingress of all addresses except global unicast and multicast
 deny ipv6 ::/3 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
!

My questions are:

1. What causes such a slowdown (or is the problem out of my property)?

2. Anything wrong/to be corrected with the setup?

3. If the answer is yes, what do I need to do?

Thank you for help!
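An added check, not part of the original post: it reads the INBOUND_V6_TRAFFIC entries quoted above and reports which protocols are permitted `any any` ahead of the deny entries, and which source prefixes are neither denied nor in the intended-allowed set. The function names and the `INTENDED` list (derived from the ACL's own remark) are assumptions of this example.

```python
import ipaddress
from itertools import takewhile

# Entries copied from the INBOUND_V6_TRAFFIC list in the post above.
ACL = """\
permit tcp any any established
sequence 70 permit udp any any
sequence 75 permit icmp any any
sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request
deny ipv6 ::/3 any log
deny ipv6 8000::/2 any log
deny ipv6 C000::/3 any log
deny ipv6 E000::/4 any log
deny ipv6 F000::/5 any log
deny ipv6 F800::/6 any log
deny ipv6 FC00::/7 any log
deny ipv6 FE00::/8 any log
"""
# Assumption taken from the ACL remark: only these source ranges should enter.
INTENDED = ["2000::/3", "ff00::/8"]

def entries(acl):
    """Yield the tokens of each permit/deny line, 'sequence N' prefix dropped."""
    for line in acl.splitlines():
        tok = line.split()
        tok = tok[2:] if tok[:1] == ["sequence"] else tok
        if tok and tok[0] in ("permit", "deny"):
            yield tok

def shadowing_permits(acl):
    """Protocols permitted 'any any' ahead of the first deny entry."""
    head = takewhile(lambda t: t[0] == "permit", entries(acl))
    return [t[1] for t in head if t[2:] == ["any", "any"]]

def unfiltered_space(acl, intended):
    """Source prefixes neither denied by the ACL nor in the intended set."""
    nets = [t[2] for t in entries(acl) if t[0] == "deny"] + list(intended)
    remaining = [ipaddress.ip_network("::/0")]
    for net in map(ipaddress.ip_network, nets):
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # keep r minus net
            elif not r.subnet_of(net):
                nxt.append(r)                       # disjoint, untouched
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

print(shadowing_permits(ACL), unfiltered_space(ACL, INTENDED))
```

UDP and ICMP from any source match a permit before the source-prefix denies are evaluated, so those denies only apply to other traffic. Sources in 4000::/2 match none of the listed entries and fall through to the implicit deny at the end of the IPv6 ACL, which drops them without a log entry.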

6 Replies 6

Phillip Remaker
Cisco Employee

Can you see which processes are consuming the CPU (show process CPU)?

Is there a lot of packet fragmentation? 

Average CPU is low - I just see peaks going up.

Fragmentation is not an issue, my tunnel neighbor is set up to provide 1480 as my own router.

IPv6 does path MTU detection, hence end devices should do all fragmentation at beginning of transmission.

However, I tried out packet sizes on WAN from 1280 up to 1480 in 50 steps and it made no difference for the throughput at all.

From my point of view it slows down at the tunnel brokers address - I attached a tracepath from a linux system.

LX-NMS-VM:~ # tracepath6  six.heise.de
1?: [LOCALHOST]                        0.021ms pmtu 1480
1:  2001:4dd0:ff00:8f3b:8000::1                           1.451ms
1:  2001:4dd0:ff00:8f3b:8000::1                           1.480ms
2:  gw-3900.cgn-01.de.sixxs.net                          28.909ms
3:  2001:4dd0:1234:3::42                                 28.028ms asymm  2
4:  core-eup2-ge1-22.netcologne.de                      123.901ms asymm  3
5:  core-pg1-te4-3.netcologne.de                         28.207ms asymm  4
6:  rtint3-po5netcologne.de                              29.436ms asymm  5
7:  gi1-15.c1.d.de.plusline.net                          31.308ms asymm  6
8:  2a02:2e0:12:6::1                                     39.045ms asymm  6
9:  te6-1.c13.f.de.plusline.net                          30.527ms asymm  7
10:  www.six.heise.de                                     32.974ms reached
     Resume: pmtu 1480 hops 10 back 57

I don't see an obvious reason for the high CPU usage, but I do know that the free Tunnel Brokers tend to have extraordinarily high load.

You might want to see if there is a local POP for www.tunnelbroker.net (Hurricane Electric's free IPv6 tunnel broker) and see if that makes a difference.

The proper course of action is to demand that your ISP provide IPv6 service! 

http://www.sixxs.net/faq/connectivity/?faq=native

Hello Phillip,

Seems I found it:

https://supportforums.cisco.com/message/3192800#3192800

This article pointed to a bug in IOS with IPv6 inspect.

I removed ip inspection from my interface; now it works with acceptable speed!

Seems I need to cover this network now with an extra firewall or to get a bugfix in IOS.

I use currently c1841-advipservicesk9-mz.124-3e.bin, how could I get a newer version, where this bug is fixed?

As of what version is this bug fixed?

Bye, Robert

12.4(25b)M1 or later, or the appropriate 15.x release.  Watch that you have the appropriate amount of memory required for the newer release.

If you followed the bug link in that article, you'd see the bug is fixed in:

15.1(0.18)T
12.4(25b)M0.13
15.0(1)M1.2
15.1(0.2.7)PIB13
15.1(24.6.25)PIL13
15.1(24.6.26)PIL13
15.1(1.5.1)PIA13
15.1(1)XB1
15.1(0.0.10)PIL14
15.1(1.7.1)PIA14
15.1(0.0.3)PIL15
12.4(24)T6

Which can be a little tricky to understand, but practically speaking: 12.4(25b)M1, 12.4(25)T6, 15.0(1)M2, and most all 15.1 releases.

Yeah, you are right if I had access to it :-)
