IPv6 on Zen Internet with Cisco 887VA

I have used Zen Internet for my broadband service for over eight years and they have been very reliable and efficient.  Zen are not a “bucket shop” cheap ISP but they are a good ISP!

The main reason that I use Zen is that they provide a /29 of IPv4 public addresses which means that I can have servers at home on the real public internet… however, IPv6 support has been available to all customers since August 2015 and I now wanted to enable this as well.

Limitations of IPv4

The IPv4 address space is limited to 32-bit addresses and, as most people know, was invented back in the 1970s, before the internet boom and before everybody wanted a bit of IP address space.

With Zen’s IPv4 implementation the /29 they give you provides 5 usable addresses since one is lost as the subnet/network address, one is used as the broadcast address and one is used by the router itself.

As IPv4 is running out it is clearly time to switch to IPv6.

Zen IPv6 support

Zen are providing each customer with a complete /48 prefix – this allows you to have millions of machines with millions of addresses!  Yes, you effectively can have 65536 separate routed networks or subnets each with a 64-bit address space aggregated (routed) over your FTTC or FTTP connection.

First, you need to get Zen to enable IPv6 for you. To do this, send an email to ipv6@zen.co.uk entitled “Request for IPv6” and provide your Zen details (phone line and zen123456@zen login name), where 123456 is the 6-digit number that you use on your Zen connection.

You should get an email back within 48 hours with your Neighbour Discovery (ND) address/netmask and your Prefix Delegation (PD) address/netmask.

Once you have this information you’re set to go with IPv6… the rest of this article is about configuring a Cisco 887VA router in “dual stack” (IPv4 and IPv6) mode.

Dual stack IPv4 and IPv6 operation

With your IPv4 address space your router is effectively “flattened” since the router doesn’t have an “outside” address on a point-to-point connection with a /30 or /31 subnet and a separate IP address range for the “inside”. Instead the router configuration uses a trick to combine the IP address assigned to the Ethernet interface with the IP address used on the PPPoE connection.

With IPv6 you get an IP address on the “outside” and a set of addresses for the “inside” – here’s how it works:

Neighbour Discovery (ND) address range

The Neighbour Discovery (ND) address range is, in IPv6 terms, a single subnet or /64 over which the PPPoE between your router and Zen runs – this is effectively on the “outside” or WAN side of your router and looks like this:


Prefix Delegation (PD) address range

The Prefix Delegation (PD) address range is the IPv6 prefix that Zen delegate to you for use on your network(s) and in my case looks like this:


Configuring your Cisco 887VA

I am going to assume that you have basic connectivity already established using your 887VA in VDSL mode. In summary, this means that:

  • you are running IOS 15.4(3)M4 on the router
  • you have the ATM0 controller shut down
  • the VDSL is on the Ethernet0 controller
  • you’re using Ethernet0.101 as 802.1Q VLAN 101 with BT Wholesale
  • you have PPPoE enabled in client mode on Dialer1
  • you have interface VLAN1 configured with your IPv4 address/netmask
  • you are connected to the internet

Upgrade your firmware

If you’re not already running IOS 15.4(3)M4 on your 887VA stop and upgrade it first. Several earlier releases of IOS didn’t have DHCPv6 working correctly and this is a requirement for this configuration.

To upgrade:

  • Obtain the IOS image from your CCO login (or elsewhere on the internet)
  • Place the IOS image on a TFTP server
  • Use the exec command “copy tftp: flash:” and fill in the blanks
  • Add the line “boot system flash c880data-universalk9-mz.154-3.M4.bin” to your configuration to ensure it boots the right image

Enable IPv6 on the router

Add the following global configuration items:

ipv6 source-route
ipv6 unicast-routing
ipv6 cef
ipv6 multicast-routing
ipv6 multicast rpf use-bgp

Enable IPv6 on VLAN1 interface

Update your VLAN1 interface to include the IPv6 settings shown below (but use your addresses; not mine):

 interface Vlan1
  description *** Zen internet /29 at TubbyLand(tm) ***
  ip address 82.68.xx.xx
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no autostate
  ipv6 address 2A02:8010:7010::1/64
  ipv6 address ZEN-PD ::/64
  ipv6 enable

Enable IPv6 on Dialer1 interface

 interface Dialer1
  description *** PPP dialler interface for Zen ***
  ip unnumbered Vlan1
  ip access-group 101 in
  ip access-group 102 out
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ipv6 address FE80::1 link-local
  ipv6 address ZEN-ND 2A02:8010:700F::/64
  ipv6 address ZEN-PD 2A02:8010:7010::/64
  ipv6 enable
  ipv6 mtu 1500
  ipv6 tcp adjust-mss 1440
  ipv6 dhcp client pd ZEN-PD
  ppp authentication chap callin
  ppp chap hostname zen<Zen number>@zen
  ppp chap password 7 <hidden password>
  ppp direction callout
  ppp ipcp dns request
  no cdp enable
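
Dialer1 above carries IPv4 access-groups 101 and 102 but no `ipv6 traffic-filter`, so nothing in this configuration filters IPv6 traffic to the globally routable hosts behind it, and the global `ipv6 source-route` line enables Type 0 routing headers, which RFC 5095 deprecated. The following Python check is an added example, not part of the original article: it parses an IOS configuration and reports both conditions. The function name `audit_dual_stack` is hypothetical and the sample configuration is constructed from the snippets on this page.

```python
import re

# Constructed sample: the global, Vlan1 and Dialer1 snippets from this page, trimmed.
SAMPLE_CONFIG = """\
ipv6 source-route
ipv6 unicast-routing
!
interface Vlan1
 ip address 82.68.xx.xx
 ipv6 address 2A02:8010:7010::1/64
 ipv6 enable
!
interface Dialer1
 ip unnumbered Vlan1
 ip access-group 101 in
 ip access-group 102 out
 ipv6 address FE80::1 link-local
 ipv6 enable
 ipv6 dhcp client pd ZEN-PD
!
ipv6 route ::/0 Dialer1
"""

def audit_dual_stack(config):
    """Hypothetical helper: list IPv6 settings that lack the filtering IPv4 has."""
    findings, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())       # sub-command of the open interface
        else:
            current = None                    # back at global level
            if raw.strip() == "ipv6 source-route":
                findings.append("global: ipv6 source-route accepts Type 0 routing headers")
    for name, cmds in interfaces.items():
        has_v6 = any(c.startswith(("ipv6 address", "ipv6 enable")) for c in cmds)
        for direction in ("in", "out"):
            v4 = any(re.fullmatch(rf"ip access-group \S+ {direction}", c) for c in cmds)
            v6 = any(re.fullmatch(rf"ipv6 traffic-filter \S+ {direction}", c) for c in cmds)
            if has_v6 and v4 and not v6:
                findings.append(f"{name}: IPv4 ACL applied {direction}, no ipv6 traffic-filter {direction}")
    return findings

if __name__ == "__main__":
    for finding in audit_dual_stack(SAMPLE_CONFIG):
        print(finding)
```

The check only confirms that an IPv6 filter is attached wherever an IPv4 one is; the contents of that IPv6 access list still need their own review.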

Add IPv6 default route

Add the default route via the Dialer1 interface:

 ipv6 route ::/0 Dialer1

Add additional IPv6 routes (optional)

Add static routes to other parts of your infrastructure, networks, etc. For example, this adds my whole internal network ‘2600’ via a firewall whose outside address is 2a02:8010:7010::666 and which is connected to VLAN1 (i.e. the “outside”):

 ipv6 route 2A02:8010:7010:2600::/64 2A02:8010:7010::666

Test your new connection

Perform some IPv6 connectivity tests:

Ping Google from the router

router-zen#ping ipv6.google.com
 Translating "ipv6.google.com"...domain server ( [OK]
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 2A00:1450:4009:80A::200E, timeout is 2 seconds:
 Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/20 ms

Ping an internal host from the router

router-zen#ping ipv6.tubby.org
 Translating "ipv6.tubby.org"...domain server ( [OK]
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 2A02:8010:7010::1010, timeout is 2 seconds:
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Ping Google from an internal host

root@public:/etc/init.d# ping6 -n ipv6.google.com
 PING ipv6.google.com(2a00:1450:4001:804::1008) 56 data bytes
 64 bytes from 2a00:1450:4001:804::1008: icmp_seq=1 ttl=52 time=26.3 ms
 64 bytes from 2a00:1450:4001:804::1008: icmp_seq=2 ttl=52 time=26.2 ms
 64 bytes from 2a00:1450:4001:804::1008: icmp_seq=3 ttl=52 time=26.0 ms
 64 bytes from 2a00:1450:4001:804::1008: icmp_seq=4 ttl=52 time=25.9 ms
 --- ipv6.google.com ping statistics ---
 4 packets transmitted, 4 received, 0% packet loss, time 3004ms
 rtt min/avg/max/mdev = 25.967/26.168/26.383/0.205 ms