IPv6 各隧道Tunnel使用Lab

最近看了很多关于 IPv6 的内容。老早前，大概2000年前后运营商就开始研究推进发展 IPv6 网络技术了，可能是是由于某些我等不知道的原因，这个推进的进程所演化出的表象让我等普通网民没什么感觉。部分科研机构、高校、金融、IT 大厂已经在使用了，一个比较大的使用群体也就是家用部分普及的不大开（我猜的，没有依据）。

IPv6 相对于 IPv4 有种种的优势，我最有印象的几个是没有广播这个概念、“真万物互联”、良好的包扩展结构，相对于 IPv4 不存在把什么什么封装进 IPv4 头部后面的字节……巴拉巴拉

既然是实验，先上图：

Start

介绍一下这个拓扑包含的内容：

A head 部分
- 从运营商处申请到 240E:0:0:1500::/60 前缀，互联地址为静态 IPv6 ：240E:0:0:15::
- PC 网关在 SW19 / SW20，配置负载分担（HSRP）；使用 MST ；PC 地址为无状态获取，同时获取除地址外的其他 DHCP 参数
- 核心交换机与 R5 运行 OSPFv3,
- A head 和 A branch1 / A branch2 组建基于 IPv6 的 DMVPN (mGRE)
A branch1 部分
- 从运营商处申请到 2409:0:0:2600::/60 前缀，互联地址为静态 IPv6 2409:0:0:26::
A branch2 / B head 部分
- 使用 PPPOE 拨号接入 ISP ，WAN 动态 IPv6 地址，并且获取到 PD 用于内部网络
其他站点如图所示
- R3 为 ISP IPv4 接入路由器，连接 R3 的三个站点除配置了 Tunnel 外，还支持 NAT 访问互联网
- 为什么是就配置了这三个站点的 NAT，因为本人电脑内存不够（运行 NAT 的路由器要分配更多内存）
- 6RD 的站点内部为 IPv6 网络
- IPv6 Over IPv4 的站点互通配置了静态或者动态路由协议
为了测试，ISP 网络中均配置了环回接口的 IPv4/IPv6 地址，例如：
- R2
  interface Loopback0 ip address 10.2.2.2 255.255.255.255 ipv6 address 2008::2/128
除 Manual 和 GRE Tunnel 外，站点所有 IPv6 地址均可互通

Design & Configuration

Note：ISP Network 内部运行 OSPF/OSPFv3，不展开说明。

A head 配置

! -- R5
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.255
 ipv6 address FD00::5/128 // 惟一本地地址，不可在互联上路由
 ipv6 enable
 ipv6 ospf 100 area 0
! 
interface Ethernet0/0
 ipv6 address 240E:0:0:15::5/64 // 与 ISP 互联地址
 ipv6 enable
!
interface Ethernet0/1
 ipv6 enable
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
interface Ethernet0/2
 ipv6 enable
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
! 
ipv6 router ospf 100
 router-id 10.5.5.5
 default-information originate // OSPFv3 下发默认路由
!
ipv6 route ::/0 240E:0:0:15::1 // 指向 ISP 的默认路由
! -- DMVPN 
interface Tunnel1
 description DMVPN_HUB
 no ip address
 ipv6 address FD00:A::1/64
 ipv6 eigrp 90
 ipv6 nhrp network-id 100
 tunnel source Ethernet0/0
 tunnel mode gre multipoint ipv6
!
ipv6 router eigrp 90 // HUB 与 SPOKE 之间运行 EIGRP,IPv6 multicast over mGRE tunnel is not supported.
 neighbor FE80::A8BB:CCFF:FE00:600 Tunnel1 // 手动指邻居
 neighbor FE80::A8BB:CCFF:FE00:700 Tunnel1 // 手动指邻居
 eigrp router-id 10.5.5.5
 redistribute ospf 100 metric 10000 100 255 1 1500 // 重分布 OSPF 进 EIGRP 便于分支站点访问总部网络
!

! -- SW19
!
ipv6 dhcp pool O-POOL // DHCP 参数 
 dns-server 2008::1
 dns-server 2008::2
 domain-name a.com
!
spanning-tree mode mst // mst 配置
spanning-tree mst configuration 
 name a.com.hub
 revision 2
 instance 10 vlan 10
 instance 20 vlan 20
!
spanning-tree mst 10 priority 24576 // 实例 10 的主根桥
spanning-tree mst 20 priority 28672 // 实例 20 的备根桥
!
interface Loopback0
 ip address 10.19.19.19 255.255.255.255
 ipv6 address FD00::19/128
 ipv6 ospf 100 area 0
!         
interface Port-channel1 // SW19 SW20 之间的端口聚合
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/0
 switchport access vlan 519 // 与 R5 互联端口
!
interface Ethernet0/1
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Ethernet0/3
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Vlan10
 no ip address
 standby version 2 // HSRP 配置
 standby 10 ipv6 autoconfig
 standby 10 priority 120 // 优先级120，设置为 Active 端
 standby 10 preempt delay minimum 30 // 抢占延迟 30s
 ipv6 address 240E:0:0:1501::1/64
 ipv6 enable
 ipv6 nd other-config-flag // O 位
 ipv6 dhcp server O-POOL // 分配给终端 DHCP 其他参数
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
interface Vlan20
 no ip address
 standby version 2
 standby 20 ipv6 autoconfig
 standby 20 preempt delay minimum 30
 ipv6 address 240E:0:0:1502::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server O-POOL
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
interface Vlan519 // 与 R5 互联建立 OSPFV4 邻居
 no ip address
 ipv6 enable
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
ipv6 router ospf 100
 router-id 10.19.19.19       
!

! -- SW20
!
ipv6 dhcp pool O-POOL
 dns-server 2008::1
 dns-server 2008::2
 domain-name a.com
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name a.com.hub
 revision 2
 instance 10 vlan 10
 instance 20 vlan 20
!
spanning-tree mst 10 priority 28672
spanning-tree mst 20 priority 24576
!
interface Loopback0
 ip address 10.20.20.20 255.255.255.255
 ipv6 address FD00::20/128
 ipv6 ospf 100 area 0
!
interface Port-channel1
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/0
 switchport access vlan 520
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive
!
interface Ethernet0/3
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive
!
interface Vlan10
 no ip address
 standby version 2
 standby 10 ipv6 autoconfig
 standby 10 preempt delay minimum 30
 ipv6 address 240E:0:0:1501::2/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server O-POOL
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
interface Vlan20
 no ip address
 standby version 2 // HSRP 配置
 standby 20 ipv6 autoconfig
 standby 20 priority 120 // 优先级120，设置为 Active 端
 standby 20 preempt delay minimum 30  // 抢占延迟 30s
 ipv6 address 240E:0:0:1502::2/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server O-POOL
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
interface Vlan520
 no ip address
 ipv6 enable
 ipv6 ospf 100 area 0
 ipv6 ospf network point-to-point
!
ipv6 router ospf 100
 router-id 10.20.20.20
!

! -- SW21
!
spanning-tree mode mst
spanning-tree mst configuration
 name a.com.hub
 revision 2
 instance 10 vlan 10
 instance 20 vlan 20
!
interface Ethernet0/0
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 20
!

A branch1 配置

! -- R6
!
ipv6 dhcp pool O-POOL
 dns-server 2008::1
 dns-server 2008::2
 domain-name a.com
!
interface Tunnel1 // DMVPN
 description DMVPN_BRANCH_1
 no ip address
 ipv6 address FD00:A::2/64
 ipv6 eigrp 90 // EIGRP 启用
 ipv6 nhrp map FD00:A::1/64 240E:0:0:15::5 // 映射 FD00:A::1 R5 的公网 IPv6 地址
 ipv6 nhrp map multicast 240E:0:0:15::5
 ipv6 nhrp network-id 100
 ipv6 nhrp nhs FD00:A::1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint ipv6
!
interface Ethernet0/0
 no ip address
 duplex auto
 ipv6 address 2409:0:0:26::6/64
 ipv6 address autoconfig default //生成指向 ISP 默认路由
 ipv6 enable
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address 2409:0:0:2600::6/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 eigrp 90 // EIGRP 启用
 ipv6 dhcp server O-POOL
!
ipv6 router eigrp 90 //运行 EIGRP,IPv6 multicast over mGRE tunnel is not supported.
 neighbor FE80::A8BB:CCFF:FE00:500 Tunnel1  // 手动指邻居
 neighbor FE80::A8BB:CCFF:FE00:700 Tunnel1  // 手动指邻居
 eigrp router-id 10.6.6.6
!

A branch2 / B head 配置

! -- R7
!
ipv6 dhcp pool O-POOL
 dns-server 2008::1
 dns-server 2008::2
 domain-name a.com
!
interface Tunnel1 // DMVPN
 description DMVPN_BRANCH_2
 no ip address
 ipv6 address FD00:A::3/64
 ipv6 eigrp 90  // EIGRP 启用
 ipv6 nhrp map FD00:A::1/64 240E:0:0:15::5
 ipv6 nhrp map multicast 240E:0:0:15::5
 ipv6 nhrp network-id 100
 ipv6 nhrp nhs FD00:A::1
 tunnel source Dialer1 // 出接口为 Dialer 
 tunnel mode gre multipoint ipv6
!
interface Ethernet0/0
 no ip address
 duplex auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address INTRA_PD ::7/64 // 使用获取到的前缀配置接口IPv6地址
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 eigrp 90  // EIGRP 启用
 ipv6 dhcp server O-POOL // DHCP 参数下发
!
interface Dialer1 // PPPOE 拨号
 mtu 1492
 no ip address
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ipv6 address dhcp
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 mtu 1492
 ipv6 dhcp client pd INTRA_PD //获取前缀，命名 INTRA_PD
 ppp authentication pap callin
 ppp pap sent-username user1 password 0 user1
!
ipv6 router eigrp 90 // 运行 EIGRP,IPv6 multicast over mGRE tunnel is not supported.
 neighbor FE80::A8BB:CCFF:FE00:500 Tunnel1  // 手动指邻居
 neighbor FE80::A8BB:CCFF:FE00:600 Tunnel1  // 手动指邻居
 eigrp router-id 10.7.7.7
!
-----------------------------------------------------------------------------------------
! -- R8
ipv6 dhcp pool O-POOL
 dns-server 2008::1
 dns-server 2008::2
 domain-name b.com
!
interface Ethernet0/0
 no ip address
 duplex auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address INTRA_PD ::8/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server O-POOL // DHCP 参数下发
!
interface Dialer1
 mtu 1492
 no ip address
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ipv6 address dhcp
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 mtu 1492
 ipv6 dhcp client pd INTRA_PD
 ppp authentication pap callin
 ppp pap sent-username user2 password 0 user2
!

! -- R2 PPPOE SERVER
!
ipv6 dhcp pool DHCPV6POOL //配置 PD 池
 prefix-delegation pool POOL-2
!
username user1 password 0 user1  // 用于 PPPOE 拨号认证
username user2 password 0 user2  // 用于 PPPOE 拨号认证
!
bba-group pppoe GROUP-1
 virtual-template 1 // 绑定模版1
!
interface Loopback11  // 这个地址用于复用，不知道Cisco为什么这般设计，直接在模版下配不就行了
 no ip address
 ipv6 address 2409:0:0:2::2/60
 ipv6 enable
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 enable
 pppoe enable group GROUP-1 // 调用
!
interface Virtual-Template1
 description PPPOE-GROUP-1
 mtu 1492
 no ip address
 peer default ipv6 pool PPPOE-PEER-POOL // 为拨号客户端对端配置 IPv6 的地址
 ipv6 unnumbered Loopback11 // 复用
 ipv6 enable
 ipv6 mtu 1492
 ipv6 nd managed-config-flag
 no ipv6 nd ra suppress 
 ipv6 dhcp server DHCPV6POOL // PD 下发
 ppp authentication pap
!
ipv6 local pool POOL-2 2409:0:0:2780::/60 64
ipv6 local pool PPPOE-PEER-POOL 2409:0:0:2220::/60 64
!

ISATAP Tunnel

! -- R9
!
interface Tunnel1 // ISATAP Tunnel
 no ip address
 no ip redirects
 ipv6 address 2409:0:0:2900::/64 eui-64
 ipv6 enable
 no ipv6 nd ra suppress
 tunnel source Ethernet0/1
 tunnel mode ipv6ip isatap
!
interface Ethernet0/0
 no ip address
 duplex auto
 ipv6 address 2409:0:0:29::9/64
 ipv6 enable
!         
interface Ethernet0/1
 ip address 192.168.9.254 255.255.255.0
 duplex auto
!
ipv6 route ::/0 2409:0:0:29::2
!

GRE Tunnel

! -- R15
!
interface Tunnel1 // GRE Tunnel
 no ip address
 ipv6 enable
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel destination 200.1.103.10  // R10 WAN 地址
!
interface Ethernet0/0
 ip address 200.1.154.15 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 192.168.15.254 255.255.255.0
 duplex auto
 ipv6 address FD00:F::F/64 // 惟一本地地址
 ipv6 enable
 ipv6 ospf 100 area 0
!
ip route 0.0.0.0 0.0.0.0 200.1.154.4
!
ipv6 router ospf 100
 router-id 10.15.15.15
!

! -- R10
! 
interface Tunnel1  // GRE Tunnel
 no ip address
 ipv6 enable
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel destination 200.1.154.15  // R15 WAN 地址
!
interface Ethernet0/0
 ip address 200.1.103.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
!
interface Ethernet0/1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 ipv6 address FD00:A::A/64  // 惟一本地IPv6地址
 ipv6 enable
 ipv6 ospf 100 area 0
!
ip nat inside source list 10 interface Ethernet0/0 overload // IPv4 NAT
ip route 0.0.0.0 0.0.0.0 200.1.103.3
!
ipv6 router ospf 100
 router-id 10.10.10.10
!
access-list 10 permit 192.168.10.0 0.0.0.255
!

6to4 Tunnel and Realy

! -- R14 
!
interface Tunnel1 // 6to4 Tunnel 
 no ip address
 no ip redirects
 ipv6 unnumbered Ethernet0/0
 ipv6 enable
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 200.1.144.14 255.255.255.0
 duplex auto
 ipv6 address 2408:0:0:E4::E/64 // 与 R4 互联的 IPv6 地址
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address 2002:C801:900E::E/64 // 6to4 地址
 ipv6 enable
!
ip route 0.0.0.0 0.0.0.0 200.1.144.4
!
ipv6 route 2002::/16 Tunnel1 // 站点互通
ipv6 route ::/0 2408:0:0:E4::4 // 访问 ISP IPv6 网络
!

! -- R11
!
interface Tunnel1  // 6to4 Tunnel 
 no ip address
 no ip redirects
 ipv6 enable
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 200.1.113.11 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
!
interface Ethernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 ipv6 address 2002:C801:710B::B/64  // 6to4 地址
 ipv6 enable
!
ip nat inside source list 10 interface Ethernet0/0 overload // IPv4 NAT
ip route 0.0.0.0 0.0.0.0 200.1.113.3
!
ipv6 route 2002::/16 Tunnel1 // 站点互通
ipv6 route ::/0 2002:C801:900E::E // 访问IPv6 互联 下一跳 到 R14 中继 转发
!
access-list 10 permit 192.168.11.0 0.0.0.255
!

Manual Tunnel

! -- R13
!
interface Tunnel1 // Manual Tunnel
 no ip address
 ipv6 enable
 ipv6 rip RIPNG enable // 启用 RIPNG
 tunnel source Ethernet0/0
 tunnel mode ipv6ip
 tunnel destination 200.1.123.12
!
interface Ethernet0/0
 ip address 200.1.134.13 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address FC00:D::D/64 // 惟一本地IPv6地址
 ipv6 enable
 ipv6 rip RIPNG enable // 启用 RIPNG
!
ip route 0.0.0.0 0.0.0.0 200.1.134.4
!
ipv6 router rip RIPNG // 站点互通 RIPNG
!

! -- R12
!
interface Tunnel1  // Manual Tunnel
 no ip address
 ipv6 enable
 ipv6 rip RIPNG enable  // 启用 RIPNG
 tunnel source Ethernet0/0
 tunnel mode ipv6ip
 tunnel destination 200.1.134.13
!
interface Ethernet0/0
 ip address 200.1.123.12 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
!
interface Ethernet0/1
 ip address 192.168.12.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 ipv6 address FC00:C::C/64 // 惟一本地IPv6地址
 ipv6 enable
 ipv6 rip RIPNG enable
!
ip nat inside source list 10 interface Ethernet0/0 overload  // IPv4 NAT
ip route 0.0.0.0 0.0.0.0 200.1.123.3
!
ipv6 router rip RIPNG  // 站点互通 RIPNG
!
access-list 10 permit 192.168.12.0 0.0.0.255
!

6RD Tunnel

! -- R16
!
ipv6 general-prefix 6RD 6rd Tunnel1 // 从Tunnel 1 获取 ISP 通用前缀 命名为6RD
!
interface Tunnel1 // 6RD Tunnel
 no ip address
 no ip redirects
 ipv6 address 6RD ::/128 // 通过命名为6RD 的通用前缀构建 IPv6 地址
 ipv6 enable
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6rd  // 模式
 tunnel 6rd ipv4 prefix-len 16 // IPv4 通用前缀 ，不设置通用后缀
 tunnel 6rd prefix 2408:1617::/32 //ISP 设定的 IPv6 前缀
 tunnel 6rd br 200.1.4.4 // BR 地址，位于 ISP
!
interface Ethernet0/0
 ip address 200.1.164.16 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address 2408:1617:A410:F::F/64 // 通过 ISP 设定的前缀 + IPv4 通用前缀构造，IPv4通用前缀占去16位，而通用后缀没有设置，所以就是164.16，转16进制
 ipv6 enable
!
ip route 0.0.0.0 0.0.0.0 200.1.164.4
!
ipv6 route 2408:1617::/32 Tunnel1 // 站点互访
ipv6 route ::/0 Tunnel1 2408:1617:404:: // 访问 IPv6 互联网
!

! -- R17
!
ipv6 general-prefix 6RD 6rd Tunnel1
!
interface Tunnel1
 no ip address
 no ip redirects
 ipv6 address 6RD ::/128
 ipv6 enable
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 16
 tunnel 6rd prefix 2408:1617::/32
 tunnel 6rd br 200.1.4.4
!
interface Ethernet0/0
 ip address 200.1.174.17 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 no ip address
 duplex auto
 ipv6 address 2408:1617:AE11:11::11/64 // // 通过 ISP 设定的前缀 + IPv4 通用前缀构造，IPv4通用前缀占去16位，而通用后缀没有设置，所以就是174.17，转16进制
 ipv6 enable
!
ip route 0.0.0.0 0.0.0.0 200.1.174.4
!
ipv6 route 2408:1617::/32 Tunnel1
ipv6 route ::/0 Tunnel1 2408:1617:404::
!

! -- R4
!
ipv6 general-prefix 6RD 6rd Tunnel1
!
interface Loopback1
 ip address 200.1.4.4 255.255.255.255
!
interface Tunnel1
 no ip address
 no ip redirects
 ipv6 address 6RD ::/128
 ipv6 enable
 tunnel source Loopback1 // 指定源，6RD 网络 IPv4 可达，还有一种说法是，可以配置anycast，6RD 网络就近访问
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 16
 tunnel 6rd prefix 2408:1617::/32
!
ipv6 route 2408:1617::/32 Tunnel1 // 站点访问IPv6 网络 返回流量
!