Cisco Support Community

ipv6 tunnel zbfw inspect q

Quick question, or more so looking for confirmation of my assumptions about IPv6 tunnel and ZBFW. I couldn’t find any information so I thought I would ask here. I hope this is the appropriate forum (versus the IPv6 one). TIA

Router in question is set up as a typical broadband router: NAT and ZBFW. Using an IPv6 tunnelbroker on outside interface. Working like a charm.

(It’s my home router - who doesn’t use a Cisco device for their home broadband rtr anyway?? lol)

Here are my assumptions that I hope someone can verify for me.

1) I picture the ZBFW inspect as something that dynamically creates the established ACL, in other words if traffic goes out, there is a way to come back in.

With that said, I assume the same concept applies to the tunnel traffic (protocol 41, not the actual IPv6 traffic) since it uses the outside interface for the tunnel, so that if tunnel traffic (proto 41) goes out from my router, it can come back in, but not the other way around.

Based on assumption 1 comes assumption 2, that if my router has not initiated the tunnel (proto 41 to the tunnelbroker) then the tunnel broker can’t send any traffic to me (until I initiate the tunnel first) since the tunnel goes through the outside interface.

If that is absolutely the case, that can be remedied by adding the following to the ACL applied to the zone pair self to outside policy/class map:

permit 41 host any

( = ip of tunnel broker, any because dynamic ip)

2) I think to verify that assumption I need to know how an ipv6ip tunnel is initiated. Who initiates the tunnel? Source/destination, or both try to initiate and whoever’s packet gets there first wins?

Right now I assume that both try to initiate the tunnel because I don’t have that ACL and the tunnel has been working.

I would rather confirm that than just assume.

I hope that is clear, attached are relevant parts of config.

Please let me know if you would like me to clarify anything!

Thank you

