Lately I discovered that my ISP is providing IPv6 addresses via DHCPv6. So, I thought it would be nice to share a basic Cisco SoHo IPv6 configuration. I am using a PPPoE connection over VDSL2+ on a Cisco 800 series router.

Security First

As for you, for me, security always comes first. So, let us configure an Access List to permit the right packages and block the rest of the incoming IPv6 traffic. The Access List is pretty basic. It allows all established TCP traffic, DHCPv6 client (to obtain a IPv6 address from the ISP) and ICMPv6. The rest will be denied.

ipv6 access-list IPv6-IN
 sequence 10 permit tcp any any established
 sequence 20 permit udp any any eq 546
 sequence 30 permit icmp any any
 sequence 99 deny ipv6 any any

Unicast Routing

Unicast Routing is essential to route IPv6 packets. IPv6 unicast routing is disabled by default, so we have to enable it.

ipv6 unicast-routing

WAN Interface

The next step is to enable IPv6 on the interface facing your ISP. In this example, it is the Dialer 1 interface. Further, the DHCP client needs to be configured to obtain an IPv6 address. The Access List we created before also needs to be applied.

interface dialer 1
 ipv6 enable
 ipv6 dhcp client pd IPv6_Prefix rapid-commit
 ipv6 traffic-filter IPv6-IN in

Routing

Since we do not use dynamic routing we need to create a static route. In this case all IPv6 traffic will be routed over Dialer1 to our ISP.

ipv6 route ::/0 Dialer1

LAN Interfaces

The next steps are enabling IPv6 in the LAN, configuring the /64 network and setting an DNS server. In this case the IPv6 address 2606:4700:4700::1111 (1.1.1.1 Cloudflare DNS) is used.

interface Vlan1
 ipv6 address IPv6_Prefix ::1/64
 ipv6 enable
 ipv6 nd ra dns server 2606:4700:4700::1111

In case there are multiple VLANs you can apply another IPv6 /64 network like the following.

interface Vlan2
 ipv6 address IPv6_Prefix ::3:0:0:0:1/64
 ipv6 enable
 ipv6 nd ra dns server 2620:FE::FE