Lately I discovered that my ISP is providing IPv6 addresses via DHCPv6. So, I thought it would be nice to share a basic Cisco SoHo IPv6 configuration. I am using a PPPoE connection over VDSL2+ on a Cisco 800 series router.
As for you, for me, security always comes first. So, let us configure an Access List to permit the right packages and block the rest of the incoming IPv6 traffic. The Access List is pretty basic. It allows all established TCP traffic, DHCPv6 client (to obtain a IPv6 address from the ISP) and ICMPv6. The rest will be denied.
ipv6 access-list IPv6-IN sequence 10 permit tcp any any established sequence 20 permit udp any any eq 546 sequence 30 permit icmp any any sequence 99 deny ipv6 any any
Unicast Routing is essential to route IPv6 packets. IPv6 unicast routing is disabled by default, so we have to enable it.
The next step is to enable IPv6 on the interface facing your ISP. In this example, it is the Dialer 1 interface. Further, the DHCP client needs to be configured to obtain an IPv6 address. The Access List we created before also needs to be applied.
interface dialer 1 ipv6 enable ipv6 dhcp client pd IPv6_Prefix rapid-commit ipv6 traffic-filter IPv6-IN in
Since we do not use dynamic routing we need to create a static route. In this case all IPv6 traffic will be routed over Dialer1 to our ISP.
ipv6 route ::/0 Dialer1
The next steps are enabling IPv6 in the LAN, configuring the /64 network and setting an DNS server. In this case the IPv6 address 2606:4700:4700::1111 (220.127.116.11 Cloudflare DNS) is used.
interface Vlan1 ipv6 address IPv6_Prefix ::1/64 ipv6 enable ipv6 nd ra dns server 2606:4700:4700::1111
In case there are multiple VLANs you can apply another IPv6 /64 network like the following.
interface Vlan2 ipv6 address IPv6_Tele2 ::3:0:0:0:1/64 ipv6 enable ipv6 nd ra dns server 2620:FE::FE