Cisco Meraki Documentation

IPv6 Transition Mechanisms Configuration Guide

Overview and Purpose 

IPv6 transition or IPv4aaS (IPv4 as a Service) mechanisms are a set of technologies that enable service providers to deliver IPv4 connectivity over an IPv6-only network infrastructure. This article provides an overview of the supported IPv6 transition mechanisms and describes how to configure and troubleshoot IP-in-IP and Dual-Stack Lite (DS-Lite) when using devices connected to the Meraki dashboard.

As support for additional technologies is added to the dashboard, this document will be updated.

Prerequisites and Limitations 

Before configuring any IPv6 Transition Mechanisms, ensure the following requirements are met: 

Licensing Requirements 

  • Per-Device Licensing: Enterprise licensing on all MX/Z 

  • Co-Termination Licensing: Enterprise licensing organization-wide on MX/Z  

Hardware Requirements   

IPv6 Transition Mechanisms is available on the following models: 

  • Secure Routers 8000 series G2 –MX Variant: All Models 

  • MX/Z: All Models that can run 26.2 firmware 

Firmware Requirements 

IPv6 Transition Mechanisms are available on devices with the following firmware versions: 

  • MX26.2 

Note: MX19.2 is required for a device to check into the dashboard with only an IPv4 address. If a node that is online is downgraded past this point, it will need to be moved to another network with IPv4 connectivity to be brought online.  

Limitations  

  • Maximum Transmission Unit (MTU) is automatically configured by the dashboard when IPv6 transition mechanisms are enabled. The IPv4 MTU inherits the given uplink's configured MTU, with an additional reduction based on the protocol being used. For encapsulation technologies, the MTU of an interface is further reduced by 40 bytes.

Definitions 

Border Router (BR): Also called an IPv4 edge router or exit point node. A router that has connectivity to both the IPv4 and IPv6 address families; it generally sits within your ISP core. This document refers to it as the Border Router or BR to keep references protocol agnostic.

Configuration Steps 

Encapsulation Technologies Summary 

Encapsulation is one of the two parent IPv6 transition technologies. It works by encapsulating the originating IPv4 packet within an IPv6 packet to traverse the underlay. Once the packet reaches the IPv4 edge, the border router decapsulates it and forwards it onwards. When the traffic returns, the border router matches the return traffic to the source IPv6 address, encapsulates the traffic and sends it back to the router that initiated the traffic.

There are two key components to this technology. Depending on the technology they may have different names, but they are functionally the same.

Tunnel Entry Point Node:  
Receives original IPv4 packets, decrements TTL, encapsulates them by adding an IPv6 header with source and destination IPv6 tunnel endpoint addresses. 

Tunnel Exit Point Node:  
Receives IPv6 tunnel packets, processes IPv6 headers and extension headers, de-encapsulates to extract the original IPv4 packet, and forwards it. 

IPinIP  

IPinIP or 4in6 encapsulation is used when the router has the full IPv4 address available. 

Configuration  

  1. Enable IPv6 Transition Mechanism on the uplink

  2. Select IP-in-IP

  3. Input public IPv4 address assigned to service

  4. Specify FQDN or IPv6 address of tunnel

 

DS-Lite 

DS-Lite uses the same encapsulation as 4in6, but devices aren't directly assigned a public IPv4 address. Instead, the router uses an IP address in a reserved IP range, and traffic is tunneled to another endpoint that then performs CG-NAT before it traverses out into the public Internet. 

DS-Lite behaves like a typical CG-NAT connection, so support for inbound connections will be limited. Please see Carrier Grade NAT and Meraki Auto VPN for more information.

Configuration  

  1. Enable IPv6 Transition Mechanism on the uplink

  2. Select DS-Lite

  3. Specify FQDN or IPv6 address of tunnel or select Auto

 

Additional Resources 

HTTP Authentication 

Select internet service providers require routers to authenticate against a server to ensure service continuity in the event of a prefix change. If your ISP requires this and is supported, it will be listed as an option in the configuration drop-down box.

Troubleshooting 

Border Relay Health 

In addition to the Connection Monitoring for WAN Failover that happens per uplink, there is an additional health check that will be displayed in the dashboard tracking the BR. 

 

If the connection monitor marks the uplink as failed, it will then report on the BR in one of the following states:

Degraded: We are sending traffic and are not receiving the expected amount of traffic back
Stalled: We are sending traffic, but not receiving traffic back
High Errors: We are unable to process packets and are dropping them

If you are seeing any of these states, you may need to raise an issue with your ISP to assist in troubleshooting.  

If using HTTP authentication, you may see one additional status: 
Unable to Authenticate service: Authentication failed due to credentials, DNS resolution or reachability. You may need to verify each of these stages and escalate to your ISP if there are any further issues. Any errors will be logged in the event log. 

 

Packet captures 

When performing a packet capture, select the desired uplink as normal. No special interface is required to capture packets that are processed by the configured IPv6 transition mechanism.

When using encapsulation technologies, the IPv4 payload within the IPv6 packet is unencrypted and will be visible on the wire. 
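What an uplink capture of 4in6 traffic contains, as an added example (not Meraki code): the 40-byte IPv6 header that accounts for the MTU reduction, followed by the IPv4 packet in the clear. Function names, the documentation-range addresses and the sample payload are constructed for illustration; TTL handling and IPv6 extension headers are not modelled.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40   # fixed IPv6 header: the 40-byte MTU reduction for encapsulation
NEXT_HEADER_IPV4 = 4   # IANA protocol number for an encapsulated IPv4 packet

def ipv4_mtu(uplink_mtu: int) -> int:
    """IPv4 MTU left inside the tunnel for a given uplink MTU."""
    return uplink_mtu - IPV6_HEADER_LEN

def sample_ipv4(payload: bytes) -> bytes:
    """Constructed inner packet: 20-byte IPv4 header, checksum left 0, protocol 253 (experimental)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 63, 253, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + payload

def encapsulate(inner: bytes, src6: str, dst6: str, hop_limit: int = 64) -> bytes:
    """Tunnel entry point: prepend an IPv6 header whose Next Header field is 4."""
    header = struct.pack("!IHBB", 6 << 28, len(inner), NEXT_HEADER_IPV4, hop_limit)
    return (header + ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed + inner)

def decapsulate(frame: bytes) -> dict:
    """Tunnel exit point or capture analysis: validate the outer header, expose the inner packet."""
    if len(frame) < IPV6_HEADER_LEN or frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, _hop_limit = struct.unpack("!HBB", frame[4:8])
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("IPv4 does not directly follow the IPv6 header")
    inner = frame[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]
    if len(inner) != payload_len or len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("truncated or malformed inner IPv4 packet")
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(inner):
        raise ValueError("invalid inner IPv4 header length")
    return {
        "outer_src": str(ipaddress.IPv6Address(frame[8:24])),
        "outer_dst": str(ipaddress.IPv6Address(frame[24:40])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_payload": inner[ihl:],   # readable as-is: the tunnel adds no encryption
    }

if __name__ == "__main__":
    frame = encapsulate(sample_ipv4(b"user=alice"), "2001:db8::1", "2001:db8::ffff")
    print(decapsulate(frame), ipv4_mtu(1500))
```

Because the inner addresses and payload are recoverable by anyone on the IPv6 path, confidentiality has to come from the traffic itself (for example TLS or a VPN inside the tunnel).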

 
