Adding Global IPv6 to Your Lab via Tunnel
This article will explore a fast and easy way to access an IPv6 block that can be used in a lab environment. This process divides home and lab networks while allowing the individual to understand a few additional concepts surrounding the setup.
The Unsung Hero: Hurricane Electric
Hurricane Electric Internet Services is the entity that will bring this possibility to life. For the unaware, Hurricane Electric or HE (https://bgp.tools/as/6939#asinfo) is a massive transit provider. Through their IPv6 Tunnel Broker service, you can spin up an IPv4 tunnel to various points of presence worldwide to transport IPv6 on top. Hurricane Electric will also go as far as to provide a global /48 prefix to use as you please. I used this to explore the 6PE protocol, which will not be explained in this article but will serve as one of the many reasons one may need IPv6 in a lab environment. With that brief introduction, we can dive into the process.
Step 1: Broker account and tunnel initiation
You will first need an IPv4 address for your end of the tunnel. You can find this information on various sites or from your edge router. https://bgp.tools/ has a section labeled "You are connecting from" on the homepage that will also provide this information (*Disclaimer: I have not tried to utilize this solution behind a Carrier-grade NAT (CGNAT)). With that information, you can head to the Hurricane Electric tunnel broker site https://tunnelbroker.net/. Here, you will need to create an account and select "Create Regular Tunnel."
On the next page, you will be presented with all of the tunneling endpoint options. At the time of writing, there are 36 available locations to terminate the tunnel. In my lab, I have chosen to send my traffic down to Miami, Florida. The IP you will use as your endpoint must be able to respond to pings before the tunnel broker will allow the creation of the tunnel.
After you create the tunnel, you will be presented with all the details needed. I have used an AWS IP for this tunnel example, so I do not need to conceal any information.
Step 2: Terminating the tunnel
At this stage, Hurricane has created the tunnel on its tunnel server and is ready to provide service. Now, you will need a device which allows IPv4 tunneling. In my example, I will utilize a Cisco XRv9000 running version 24.3.2. Port forwarding will also be necessary if you are like me and live behind the single NAT'd IP provided by your ISP.
I have not specified down to a port level but have opted for a simple IP-based NAT rule and left the port selection to be retained.
nat (SPNG-iNET,INT-OUTSIDE) source static XRv6 interface destination static HE-MIA HE-MIA
With the NAT configured, I can verify via pings that two-way communication exists between the devices.
RP/0/RP0/CPU0:XRV-v6#ping 209.51.161.58 source GigabitEthernet 0/0/0/0
Wed Jan 8 23:32:14.384 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.51.161.58 timeout is 2 seconds:
!!!!!
At this point, the lab is ready to construct the tunnel. On an IOS-XR device, this is achieved via a tunnel-ip interface with its mode set to IPv4.
RP/0/RP0/CPU0:XRV-v6#sh run int tunnel-ip6
Wed Jan 8 23:32:05.039 UTC
interface tunnel-ip6
 ipv6 address 2001:470:4:101::2/64
 ipv6 enable
 tunnel mode ipv4
 tunnel source GigabitEthernet0/0/0/0
 tunnel destination 209.51.161.58
!
The tunnel function can be verified by checking the status and demonstrating IPv6 communication.
RP/0/RP0/CPU0:XRV-v6#sh int tunnel-ip6
Wed Jan 8 23:38:51.164 UTC
tunnel-ip6 is up, line protocol is up
Interface state transitions: 1
Hardware is Tunnel
Internet address is Unknown
MTU 1500 bytes, BW 100 Kbit (Max: 100 Kbit)
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation TUNNEL_IP, loopback not set,
Last link flapped 2d21h
Tunnel TOS 0
Tunnel mode IPV4
Keepalive is disabled.
Tunnel source 10.33.33.6 (GigabitEthernet0_0_0_0), destination 209.51.161.58/32
Tunnel TTL 255
Last input 00:00:00, output 00:00:00
Last clearing of "show interface" counters 00:00:21
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 500 bytes, 0 total input drops
Unknown drops for unrecognized upper-level protocol
Received Unknown broadcast packets, Unknown multicast packets
5 packets output, 500 bytes, 0 total output drops
Output Unknown broadcast packets, Unknown multicast packets
RP/0/RP0/CPU0:XRV-v6#ping 2001:470:4:101::1
Wed Jan 8 23:39:15.765 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:4:101::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/46/49 ms
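What this tunnel puts on the wire, as an added example that is not from the original article or from Cisco's implementation: the Hurricane Electric tunnel is 6in4, so each IPv6 packet sits directly behind an IPv4 header carrying protocol number 41, which has no ports, and a receiver can refuse protocol-41 packets whose outer source is not the configured tunnel server. The function names and the 192.0.2.10 address are constructed for illustration; the other addresses are taken from the outputs above.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IANA protocol number for IPv6 carried directly in IPv4
TUNNEL_SERVER = ipaddress.IPv4Address("209.51.161.58")  # tunnel destination from the config above

def checksum(header: bytes) -> int:
    """Internet checksum over a 20-byte IPv4 header (0 when the header is valid)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner: bytes, src: str, dst: str, ttl: int = 255) -> bytes:
    """Prepend an option-less IPv4 header with protocol 41 to an IPv6 packet."""
    fields = [0x45, 0, 20 + len(inner), 0, 0, ttl, PROTO_6IN4, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + inner

def decapsulate(packet: bytes, peer: ipaddress.IPv4Address = TUNNEL_SERVER) -> bytes:
    """Return the inner IPv6 packet, or raise ValueError when a check fails."""
    if len(packet) < 20 or packet[0] != 0x45:
        raise ValueError("expected an option-less IPv4 header")
    if checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != PROTO_6IN4:
        raise ValueError("not protocol 41")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    if outer_src != peer:
        raise ValueError(f"outer source {outer_src} is not the tunnel server")
    inner = packet[20:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    return inner

def sample_ipv6(src: str, dst: str) -> bytes:
    """Constructed 40-byte IPv6 header with no payload (next header 59)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

if __name__ == "__main__":
    inner = sample_ipv6("2001:470:4:101::1", "2001:470:4:101::2")
    good = encapsulate(inner, "209.51.161.58", "10.33.33.6")
    print(ipaddress.IPv6Address(decapsulate(good)[8:24]))
    try:
        decapsulate(encapsulate(inner, "192.0.2.10", "10.33.33.6"))  # constructed non-peer source
    except ValueError as err:
        print("dropped:", err)
```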
Finally, if no other active IPv6 in the lab needs consideration, you can place a default route toward the Hurricane Electric server.
!
router static
 address-family ipv6 unicast
  ::/0 2001:470:4:101::1
!
Step 3: Assign /48
With the tunnel broker service, you can receive a /48 IPv6 block to use as you please. Hurricane will place a route toward your client IPv6 Address as the next hop for this address space.
Once you've received your allocation, you can place it where needed. Given the correct internal routing toward your tunnel-terminating device, you should now have global IPv6 ready for your lab environment. In my lab, this has been propagated via BGP into a container lab deployment.
RP/0/RP0/CPU0:10200-pe11#show route ipv6 ::
Wed Jan 8 15:13:22.030 UTC
Routing entry for ::/0
Known via "bgp 10200", distance 20, metric 0, candidate default path
Tag 4200000006
Local Label 24013, type external
Installed Jan 7 20:23:07.948 for 18:50:14
Routing Descriptor Blocks
fe80::20c:29ff:fe99:100d, from 2001:----:----:179::1,
via GigabitEthernet0/0/0/0.2006, BGP external
Route metric is 0
No advertising protos.
*This output is now taken from my home lab, and I have redacted IP information.
After assigning a few additional subnets from the /48 and configuring 6PE, I now have full reachability from my lab devices to the global IPv6 realm.
RP/0/RP0/CPU0:10200-pe13#traceroute 2001:4860:4860::8888
Wed Jan 8 15:18:18.880 UTC
Type escape sequence to abort.
Tracing the route to 2001:4860:4860::8888
1 ::ffff:10.200.0.4 [MPLS: Labels 16011/24013 Exp 0] 11 msec 9 msec 10 msec
2 2001:172:20:20::b [MPLS: Labels 16011/24013 Exp 0] 12 msec 9 msec 9 msec
3 2001:---:----:179::11 [MPLS: Label 24013 Exp 0] 10 msec 10 msec 10 msec
4 2001:---:----:179::1 10 msec 11 msec 11 msec
5 tunnel948072.tunnel.tserv12.mia1.ipv6.he.net (2001:470:4:bd::1) 76 msec 77 msec 77 msec
6 * * *
7 2001:504:40:108::1:12 106 msec
2001:504:40:108::1:95 56 msec
2001:504:0:6:0:1:5169:2 58 msec
8 2001:4860:0:1::8095 54 msec
2001:4860:0:1::8047 55 msec
2001:4860:0:1::8095 57 msec
9 2001:4860:0:1::d87 54 msec
2001:4860:0:1::26a5 52 msec
2001:4860:0:1::5beb 52 msec
10 dns.google (2001:4860:4860::8888) 53 msec 54 msec 53 msec
Summary
This was a brief look at how you can expand your lab into the "real world." You can expand upon this and utilize something like EC2 instances to have further external nodes reach into your lab environment. The possibilities are endless and can be tailored to many different scenarios. Please let me know if you found this quick write-up/tip/knowledge share useful, as I want to set my sights on more regular and easily consumable formats. Thank you for your time and attention!