
Example for Configuring the 6RD Tunnel (6RD Domain-IPv6 Network)

This section provides an example for configuring 6RD tunnels between 6RD Customer Edge (CE) devices and 6RD Border Relay (BR) devices on the borders of IPv6 networks and IPv4 networks. Then hosts on the IPv6 networks can communicate over the 6RD tunnels.

Networking Requirements

As shown in Figure 1, FW_A and FW_B connect to the IPv6 networks and the IPv4 network. FW_A serves as the 6RD CE device and connects to the 6RD domain, which is an IPv6 network. FW_B is a 6RD BR device and connects to an ordinary IPv6 network outside the 6RD domain. A 6RD tunnel needs to be established between FW_A and FW_B, so that hosts on the 6RD domain and IPv6 network can communicate.

Figure 1 Networking diagram of a 6RD tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. The 6RD CE and 6RD BR devices between the IPv6 islands and IPv4 networks support IPv4/IPv6 dual stack. Therefore, set IPv4 addresses for interfaces on FW_A and FW_B and enable IPv6 packet forwarding.

  2. Set the 6RD tunnel source address and IPv6 address of the tunnel interface on the 6RD CE and 6RD BR devices.

  3. FW_A is on the border of the 6RD domain, and therefore its interface connecting to the IPv6 network uses a 6RD prefix for its IPv6 address. FW_B is on the border of the IPv6 network, and the interface connecting the IPv6 network to FW_B can use any IPv6 prefix.

  4. Configure routes. (This example uses static routes.)

Procedure

  1. Configure FW_A.

    # Configure an IPv4 address for GE0/0/2.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 1.1.1.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet0/0/2
    [FW_A-zone-untrust] quit

    # Enable the IPv6 packet forwarding function on the 6RD CE.

    [FW_A] ipv6

    # Set an encapsulation type, a source address, a 6RD prefix, and an IPv4 prefix length and specify the IPv4 address of the 6RD BR.

    [FW_A] interface tunnel 1
    [FW_A-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
    [FW_A-Tunnel1] ipv6 enable
    [FW_A-Tunnel1] source GigabitEthernet0/0/2
    [FW_A-Tunnel1] ipv6-prefix 22::/32
    [FW_A-Tunnel1] ipv4-prefix length 8
    [FW_A-Tunnel1] border-relay address 1.1.2.1
    [FW_A-Tunnel1] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface Tunnel1
    [FW_A-zone-untrust] quit

    After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated prefix.

    # Display the calculated 6RD delegated prefix.

    [FW_A] display interface Tunnel 1
    Tunnel1 current state : UP                                     
    Line protocol current state : DOWN                             
    Description: Tunnel1 Interface   
    Route Port,The Maximum Transmit Unit is 1500                  
    Internet protocol processing : disabled                        
    Encapsulation is TUNNEL, loopback not set                          
    Tunnel source 1.1.1.1 (GigabitEthernet0/0/2), destination auto 
    Tunnel protocol/transport IPv6 over IPv4(6rd)                      
    ipv6 prefix 22::/32                                                
    ipv4 prefix length 8                                               
    6RD Operational, Delegated Prefix is 22:0:101:100::/56               

    # Configure an IPv6 address for the tunnel interface based on the 6RD delegated prefix, tunnel source address, and IPv4 prefix length.

    [FW_A-Tunnel1] ipv6 address 22:0:101:100::1 56

    # Configure an IPv6 address for GE0/0/1.

    [FW_A] ipv6
    [FW_A] interface GigabitEthernet0/0/1
    [FW_A-GigabitEthernet0/0/1] ipv6 enable
    [FW_A-GigabitEthernet0/0/1] ipv6 address 22:0:101:101::1 64
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet0/0/1
    [FW_A-zone-trust] quit

    # Configure a security policy.

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy1
    [FW_A-policy-security-policy1] source-zone trust untrust
    [FW_A-policy-security-policy1] destination-zone trust untrust
    [FW_A-policy-security-policy1] action permit
    [FW_A-policy-security-policy1] quit
    [FW_A-policy-security] rule name policy2
    [FW_A-policy-security-policy2] source-zone local untrust
    [FW_A-policy-security-policy2] destination-zone local untrust
    [FW_A-policy-security-policy2] action permit

    # Configure a static route from the 6RD CE to the IPv6 network connected to FW_B and set the next-hop address to the IPv6 address of the tunnel interface on FW_B.

    [FW_A] ipv6 route-static 3000:: 64 Tunnel 1 22:0:102:100::1

    # Configure a static IPv4 route, with the next hop being the gateway address of GigabitEthernet0/0/2 on FW_A (1.1.1.254 in this example).

    [FW_A] ip route-static 1.1.2.0 255.255.255.0 1.1.1.254

    # (Optional) Configure a static IPv6 route to FW_B, with the next hop being the Tunnel1 interface. If you do not configure this route, pinging FW_B on FW_A fails, but the communication between PC1 and PC2 is not affected.

    [FW_A] ipv6 route-static 22:: 32 Tunnel 1

  2. Configure an address for PC1.

    # Based on the 6RD delegated prefix, set the address to 22:0:101:101::2 64 for PC1. This address is on the same network segment as that of GE0/0/1. (The method for setting IPv6 addresses is determined by the operating system of PC1.)

  3. Configure FW_B.

    # Configure an IPv4 address for GE0/0/2.

    <FW_B> system-view
    [FW_B] interface GigabitEthernet0/0/2
    [FW_B-GigabitEthernet0/0/2] ip address 1.1.2.1 24
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet0/0/2
    [FW_B-zone-untrust] quit

    # Enable the IPv6 packet forwarding function on FW_B.

    [FW_B] ipv6

    # Set an encapsulation type, a source address, a 6RD prefix, and an IPv4 prefix length.

    [FW_B] interface tunnel 1
    [FW_B-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
    [FW_B-Tunnel1] ipv6 enable
    [FW_B-Tunnel1] source GigabitEthernet0/0/2
    [FW_B-Tunnel1] ipv6-prefix 22::/32
    [FW_B-Tunnel1] ipv4-prefix length 8
    [FW_B-Tunnel1] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface Tunnel1
    [FW_B-zone-untrust] quit

    After you specify the 6RD prefix and IPv4 prefix length, the 6RD BR automatically calculates the 6RD delegated prefix.

    # Display the calculated 6RD delegated prefix.

    [FW_B] display interface Tunnel 1
    Tunnel1 current state : UP                                                      
    Line protocol current state : DOWN                                              
    Description:Tunnel1 Interface    
    Route Port,The Maximum Transmit Unit is 1500                                    
    Internet protocol processing : disabled                                         
    Encapsulation is TUNNEL, loopback not set                                       
    Tunnel source 1.1.2.1(GigabitEthernet0/0/2), destination auto                   
    Tunnel protocol/transport IPV6 over IPv4(6rd)                                   
    ipv6 prefix 22::/32                                                             
    ipv4 prefix length 8                                                            
    6RD Operational, Delegated Prefix is 22:0:102:100::/56                          

    # Configure an IPv6 address for the tunnel interface based on the 6RD delegated prefix, tunnel source address, and IPv4 prefix length.

    [FW_B-Tunnel1] ipv6 address 22:0:102:100::1 56

    # Configure an IPv6 address for GE0/0/1.

    [FW_B] interface GigabitEthernet0/0/1
    [FW_B-GigabitEthernet0/0/1] ipv6 enable
    [FW_B-GigabitEthernet0/0/1] ipv6 address 3000::1 64
    [FW_B-GigabitEthernet0/0/1] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet0/0/1
    [FW_B-zone-trust] quit

    # Configure a security policy.

    [FW_B] security-policy
    [FW_B-policy-security] rule name policy1
    [FW_B-policy-security-policy1] source-zone trust untrust
    [FW_B-policy-security-policy1] destination-zone trust untrust
    [FW_B-policy-security-policy1] action permit
    [FW_B-policy-security-policy1] quit
    [FW_B-policy-security] rule name policy2
    [FW_B-policy-security-policy2] source-zone local untrust
    [FW_B-policy-security-policy2] destination-zone local untrust
    [FW_B-policy-security-policy2] action permit

    # Configure a route to the 6RD domain connected to FW_A.

    [FW_B] ipv6 route-static 22:: 32 Tunnel 1

    # Configure a static IPv4 route, with the next hop being the gateway address of GigabitEthernet0/0/2 on FW_B (1.1.2.254 in this example).

    [FW_B] ip route-static 1.1.1.0 255.255.255.0 1.1.2.254

  4. Configure an address for PC2.

    # Set the address to 3000::2/64 for PC2. This address is on the same network segment as that of GE0/0/1. (The method for setting IPv6 addresses is determined by the operating system of PC2.)
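
The delegated prefixes displayed on FW_A and FW_B in the procedure above follow from the 6RD prefix, the IPv4 prefix length, and the tunnel source address. The following Python sketch is an added example, not part of the original Huawei documentation: it reproduces that calculation and also runs it in reverse, giving the source-consistency check that RFC 5969 describes for decapsulated packets. The function names and the outer address 1.1.3.9 are constructed for illustration.

```python
import ipaddress

def _suffix_bits(ipv4_prefix_len):
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("ipv4-prefix length must be 0..32")
    return 32 - ipv4_prefix_len

def delegated_prefix(sixrd_prefix, tunnel_source, ipv4_prefix_len):
    """6RD prefix followed by the low (32 - ipv4_prefix_len) bits of the source."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    bits = _suffix_bits(ipv4_prefix_len)
    plen = net.prefixlen + bits
    if plen > 128:
        raise ValueError("6RD prefix plus IPv4 suffix exceeds 128 bits")
    suffix = int(ipaddress.IPv4Address(tunnel_source)) & ((1 << bits) - 1)
    return ipaddress.IPv6Network(
        (int(net.network_address) | (suffix << (128 - plen)), plen))

def embedded_ipv4(ipv6_addr, sixrd_prefix, local_ipv4, ipv4_prefix_len):
    """IPv4 address encoded in a 6RD IPv6 address, or None if outside the domain.
    The common high bits are taken from the local tunnel source address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        return None
    bits = _suffix_bits(ipv4_prefix_len)
    mask = (1 << bits) - 1
    suffix = (int(addr) >> (128 - net.prefixlen - bits)) & mask
    common = int(ipaddress.IPv4Address(local_ipv4)) & ~mask & 0xFFFFFFFF
    return ipaddress.IPv4Address(common | suffix)

def tunnel_source_ok(outer_v4_src, inner_v6_src, sixrd_prefix,
                     local_ipv4, ipv4_prefix_len, border_relay=None):
    """True if the outer IPv4 source is consistent with the inner IPv6 source.
    Sources outside the 6RD domain are accepted only from the border relay."""
    expected = embedded_ipv4(inner_v6_src, sixrd_prefix, local_ipv4, ipv4_prefix_len)
    outer = ipaddress.IPv4Address(outer_v4_src)
    if expected is None:
        return border_relay is not None and outer == ipaddress.IPv4Address(border_relay)
    return outer == expected

if __name__ == "__main__":
    print(delegated_prefix("22::/32", "1.1.1.1", 8))   # FW_A
    print(delegated_prefix("22::/32", "1.1.2.1", 8))   # FW_B
    # PC1 traffic arriving at FW_B: genuine outer source, then a constructed mismatch
    print(tunnel_source_ok("1.1.1.1", "22:0:101:101::2", "22::/32", "1.1.2.1", 8))
    print(tunnel_source_ok("1.1.3.9", "22:0:101:101::2", "22::/32", "1.1.2.1", 8))
```

A packet whose inner IPv6 source lies in 22::/32 but whose outer IPv4 source does not match the embedded address fails the check, as does a packet arriving at FW_A from outside the 6RD domain with an outer source other than the configured border relay.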

Verification

# After you complete the preceding configurations, run the display ipv6 interface tunnel command in any view to check the IPv6 status and configuration of Tunnel1. The command output on the FW is as follows:

[FW_B] display ipv6 interface tunnel 1
Tunnel1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::101:101
  Global unicast address(es):
    22:0:102:100::1, subnet is 22:0:102:100::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF01:101
    FF02::2
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds

# Run the ping ipv6 -a 3000::1 22:0:101:101::1 command on FW_B to view the tunnel established between FW_A and FW_B and their connectivity.

[FW_B] ping ipv6 -a 3000::1 22:0:101:101::1                                   
  PING 22:0:101:101::1 : 56  data bytes, press CTRL_C to break                  
    Reply from 22:0:101:101::1                                                  
    bytes=56 Sequence=1 hop limit=64  time = 210 ms                             
    Reply from 22:0:101:101::1                                                  
    bytes=56 Sequence=2 hop limit=64  time = 151 ms                             
    Reply from 22:0:101:101::1                                                  
    bytes=56 Sequence=3 hop limit=64  time = 251 ms                             
    Reply from 22:0:101:101::1                                                  
    bytes=56 Sequence=4 hop limit=64  time = 1 ms                               
    Reply from 22:0:101:101::1                                                  
    bytes=56 Sequence=5 hop limit=64  time = 1 ms                               
                                                                                
  --- 22:0:101:101::1 ping statistics ---                                       
    5 packet(s) transmitted                                                     
    5 packet(s) received                                                        
    0.00% packet loss                                                           
    round-trip min/avg/max = 1/122/251 ms

By default, the interface has the access control and management function enabled. Therefore, you need to run the undo service-manage enable command on the FW to disable the access control and management function of the interface so that the FW can be pinged.

Configuration Scripts

  • Configuration script of FW_A:

    #
     sysname FW_A
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 22:0:101:101::1 64 
    #
    interface Tunnel 1    
     tunnel-protocol ipv6-ipv4 6rd
     ipv6 enable    
     source GigabitEthernet0/0/2        
     ipv6-prefix 22::/32
     ipv4-prefix length 8
     ipv6 address 22:0:101:100::1 56 
     border-relay address 1.1.2.1
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #
    ip route-static 1.1.2.0 255.255.255.0 1.1.1.254
    #
     ipv6 route-static 22:: 32 Tunnel 1
     ipv6 route-static 3000:: 64 22:0:102:100::1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return

  • Configuration script of FW_B:

    #
     sysname FW_B
    #
    ipv6
    #
    interface GigabitEthernet0/0/2
     ip address 1.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ipv6 enable
     ipv6 address 3000::1 64
    #                                                                               
    interface Tunnel1                                                               
     ipv6 enable                                                                    
     ipv6 address 22:0:102:100::1 56                                                
     tunnel-protocol ipv6-ipv4 6rd                                                  
     source GigabitEthernet0/0/2                   
     ipv6-prefix 22::/32                                                            
     ipv4-prefix length 8                                                           
    #                                                                               
    firewall zone trust                                                             
     add interface GigabitEthernet0/0/1
    #                                                                               
    firewall zone untrust                                                             
     add interface GigabitEthernet0/0/2
     add interface tunnel1
    #
    ip route-static 1.1.1.0 255.255.255.0 1.1.2.254
    #
    ipv6 route-static 22:: 32 Tunnel 1
    #                                                                               
    security-policy                                                                 
     rule name policy1                                               
      source-zone trust                                                             
      source-zone untrust                                                             
      destination-zone trust                                                             
      destination-zone untrust                                                             
      action permit
     rule name policy2                                               
      source-zone local                                                             
      source-zone untrust                                                             
      destination-zone local                                                             
      destination-zone untrust                                                             
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.