How to Configure IPv6 Networking in CentOS/RHEL 7

This post will touch base on how to conﬁgure IPv6 networking using nmcli and conﬁguration ﬁles in the /etc/sysconfig/network-scripts directory

NetworkManager and IPv6

To work with IPv6 addresses using NetworkManager, all the commands that are used with IPv4 networking work with IPv6 networking. There are some different settings that are relevant for connections, but most commands will be similar for IPv6 conﬁguration.

Adding an IPv6 Network Connection

The nmcli con add command is used to add new network connections.

The following command, “nmcli con add”, will add a new connection for the interface eno2, which will autoconnect at startup, getting IPv4 networking information using DHCPv4. It will also get IPv6 networking settings by listening for router advertisements on the local link.

# nmcli con add con-name eno2 type ethernet ifname eno2

The next example conﬁgures the eno2 interface statically instead, using the IPv6 address and network preﬁx 2001:db8:0:1::c000:207/64 and default IPv6 gateway 2001:db8:0:1::1, and the IPv4 address and network preﬁx 192.0.2.7/24 and default IPv4 gateway 192.0.2.1, but still autoconnects at startup and saves its conﬁguration into /etc/sysconfig/network-scripts/ifcfg-eno2.

# nmcli con add con-name eno2 type ethernet ifname eno2 ip6 2001:db8:0:1::c000:207/64 gw6 2001:db8:0:1::1 ip4 192.0.2.7/24 gw4 192.0.2.1

Modifying Network Connection Settings for IPv6

The nmcli con show name command, where name is the name of the connection, can be used to view IPv6-related settings:

# nmcli con show static-eth0 | grep ipv6
ipv6.method:                  manual
ipv6.dns:                     2001:4860:4860::8888
ipv6.dns-search:              example.com
ipv6.addresses:               { ip = 2001:db8:0:1::7/64, gw = 2001:db8:0:1::1 } ipv6.routes:
ipv6.ignore-auto-routes:      no
ipv6.ignore-auto-dns:         no
ipv6.never-default:           no
ipv6.may-fail:                yes
ipv6.ip6-privacy:             -1 (unknown)
ipv6.dhcp-hostname:           -
#

Likewise, nmcli con mod name can be used to adjust how connections set IPv6 addresses To set the IPv6 address to 2001:db8:0:1::a00:1/64 and default gateway to 2001:db8:0:1::1 for the connection static-eth0:

# nmcli con mod static-eth0 ipv6.address "2001:db8:0:1::a00:1/64 2001:db8:0:1::1"

Note: If a connection that got its IPv6 information by SLAAC or a DHCPv6 server is being changed to get it from static conﬁguration ﬁles only, the setting ipv6.method should also be changed from auto or dhcp to manual. Otherwise, the connection may hang or not complete successfully when it is activated, or it may get an IPv6 address from SLAAC or DHCPv6 in addition to the static address.

A number of settings may have multiple values. A speciﬁc value can be added to the list or deleted from the list for a setting by adding a + or - symbol to the start of the setting name. To add the DNS server 2001:4860:4860::8888 to the list of nameservers to use with the connection static-eth0:

# nmcli con mod static-eth0 +ipv6.dns 2001:4860:4860::8888

Note: Static IPv4 and IPv6 DNS settings all end up as nameserver directives in /etc/resolv.conf. It may be a good idea to ensure that there is, at minimum, an IPv4reachable nameserver (assuming a dual-stack system) and preferably at least one nameserver using each protocol in case of connectivity issues with either IPv4 or IPv6 networking.

Remember that the ﬁle /etc/sysconfig/network-scripts/ifcfg-name can be directly edited, and that nmcli con reload must be run after saving so that NetworkManager reads the conﬁguration changes. The following table maps some of the key NetworkManager setting names relevant to IPv6 connections to ifcfg-* directives.

Comparison of nm-settings and ifcfg-* Directives

NMCLI CON MOD	IFCFG-* FILE	EFFECT
ipv6.method manual	IPV6_AUTOCONF=no	IPv6 addresses conﬁgured statically
ipv6.method auto	IPV6_AUTOCONF=yes	Will conﬁgure network settings using SLAAC from router advertisements.
ipv6.method dhcp	IPV6_AUTOCONF=no DHCPV6C=yes	Will conﬁgure network settings by using DHCPv6, but not SLAAC.
ipv6.addresses “2001:db8::a/64 2001:db8::1”	IPV6ADDR=2001:db8::a/64 IPV6_DEFAULTGW=2001:db8	:1 Sets static IPv4 address, network preﬁx, and default gateway. If more than one address is set for the connection, IPV6_SECONDARIES takes a double-quoted list of spacedelimited address/preﬁx deﬁnitions.
ipv6.dns . . .	DNS0= . . .	Modify /etc/resolv.conf to use this nameserver. Exactly the same as IPv4
ipv6.dns-search example.com	DOMAIN=example.com	Modify /etc/resolv.conf to use this domain in the search directive. Exactly the same as IPv4
ipv6.ignore-auto-dns true	IPV6_PEERDNS=no	Ignore DNS server information from the DHCP server.
connection.autoconnect yes	ONBOOT=yes	Automatically activate this connection at boot
connection.id eth0	NAME=eth0	The name of this connection
connection.interfacename eth0	DEVICE=eth0	The connection is bound to network interface with this name
network interface with this name	HWADDR= . . .	The connection is bound to the network interface with this MAC address

Viewing IPv6 Networking Information

Both nmcli dev status to show the NetworkManager status of all network devices and nmcli con show to show the list of available connections work exactly as they do for IPv4.

The ip addr show command still displays the current conﬁguration of network interfaces on the system. The example that follows calls out some items relevant to IPv6.

 [geek@demo ~]$ ip addr show eth0
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0b brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0
    valid_lft forever preferred_lft forever
    inet6 2001:db8:0:1:5054:ff:fe00:b/64 scope global
     valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:b/64 scope link
     valid_lft forever preferred_lft forever

An active interface is UP.
The link/ether line speciﬁes the hardware (MAC) address of the device.
The inet line shows an IPv4 address, its network preﬁx length, and scope.
The
inet6
line shows an IPv6 address, its network preﬁx length, and scope. This address is of global scope and is normally used.
This inet6 line is for an address of link scope and can only be used for communication on the local Ethernet link.

The ip -6 route show command displays the IPv6 routing table for the system:

 # ip -6 route show
unreachable ::/96 dev lo  metric 1024  error -101
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -101
2001:db8:0:1::/64 dev eth0  proto kernel  metric 256
unreachable 2002:a00::/24 dev lo  metric 1024  error -101
unreachable 2002:7f00::/24 dev lo  metric 1024  error -101
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -101
unreachable 2002:ac10::/28 dev lo  metric 1024  error -101
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -101
unreachable 2002:e000::/19 dev lo  metric 1024  error -101
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -101
fe80::/64 dev eth0  proto kernel  metric 256
default via 2001:db8:0:1::ffff dev eth0  proto static  metric 1024

In the previous example, ignore the unreachable routes, which point at networks which are never to be used. That leaves three routes:

To the 2001:db8:0:1::/64 network using the eth0 interface (which presumably has an address on that network).
To the fe80::/64 network using the eth0 interface, for the link-local address. On a system with multiple interfaces, there will be a route to fe80::/64 out each interface for each link-local address.
A default route to all networks on the IPv6 Internet (the ::/0 network) that don’t have a more speciﬁc route on the system, through the router at 2001:db8:0:1::ffff, reachable with the eth0 device.

IPv6 Troubleshooting Tools

Connectivity

The ping6 command is the IPv6 version of ping in CentOS/RHEL. It communicates over IPv6 and can take IPv6 addresses, but otherwise works like ping.

# ping6 2001:db8:0:1::1
PING 2001:db8:0:1::1(2001:db8:0:1::1) 56 data bytes
64 bytes from 2001:db8:0:1::1: icmp_seq=1 ttl=64 time=18.4 ms
64 bytes from 2001:db8:0:1::1: icmp_seq=2 ttl=64 time=0.178 ms
64 bytes from 2001:db8:0:1::1: icmp_seq=3 ttl=64 time=0.180 ms ^C
 --- 2001:db8:0:1::1 ping statistics --
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.178/6.272/18.458/8.616 ms
#

Link-local addresses and the link-local all-nodes multicast group (ff02::1) can be pinged, but the network interface to use must be speciﬁed explicitly with a scope zone identiﬁer (such as ff02::1%eth0). If this is left out, the error connect: Invalid argument will be displayed.

Pinging ff02::1 can be useful for ﬁnding other IPv6 nodes on the local network.

 [root@rhel7 ~]# ping6 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::78cf:7fff:fed2:f97b: icmp_seq=1 ttl=64 time=22.7 ms
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=1 ttl=64 time=30.1 ms (DUP!)
64 bytes from fe80::78cf:7fff:fed2:f97b: icmp_seq=2 ttl=64 time=0.183 ms
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=2 ttl=64 time=0.231 ms (DUP!) ^C
--- ff02::1%eth1 ping statistics --
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.183/13.320/30.158/13.374 ms
[root@rhel7 ~]# ping6 -c 1 fe80::f482:dbff:fe25:6a9f%eth1
 PING fe80::f482:dbff:fe25:6a9f%eth1(fe80::f482:dbff:fe25:6a9f) 56 data bytes
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=1 ttl=64 time=22.9 ms
--- fe80::f482:dbff:fe25:6a9f%eth1 ping statistics --
1 packets transmitted, 1 received, 0% packet loss, time 0ms
min/avg/max/mdev = 22.903/22.903/22.903/0.000 ms

Remember that IPv6 link-local addresses can be used by other hosts on the same link, just like normal addresses.

 [geek@demo ~]$ ssh fe80::f482:dbff:fe25:6a9f%eth1 geek@fe80::f482:dbff:fe25:6a9f%eth1's password:
Last login: Thu Jun  5 15:20:10 2014 from demo.example.com
[geek@server ~]$

Routing

The tracepath6 and traceroute -6 commands are the equivalent to tracepath and traceroute for IPv6.

# tracepath6 2001:db8:0:2::451
1?: [LOCALHOST]                        0.091ms pmtu 1500
1:  2001:db8:0:1::ba                   0.214ms
2:  2001:db8:0:1::1                    0.512ms
3:  2001:db8:0:2::451   0.559ms reached
    Resume: pmtu 1500 hops 3 back 3

Ports and services

Either the ss command or the netstat command can display information about network sockets, and they take almost identical options.

 # ss -A inet -n
Netid State      Recv-Q Send-Q       Local Address:Port          Peer Address:Port

tcp   ESTAB      0      0           192.168.122.98:22
  192.168.122.1:35279
tcp   ESTAB      0      0         2001:db8:0:1::ba:22
  2001:db8:0:1::1:40810

# netstat -46n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address        Foreign Address        State
tcp        0      0 192.168.122.98:22    192.168.122.1:35279    ESTABLISHED
tcp6       0      0 2001:db8:0:1::ba:22  2001:db8:0:1::1:40810  ESTABLISHED

Options for ss and netstat

OPTION	DESCRIPTION
-n	Show numbers instead of names for interfaces and ports
-t	Show TCP sockets.
-u	Show UDP sockets.
-l	Show only listening sockets.
-a	Show all (listening and established) sockets
-p	Show the process using the sockets.
-A inet	Display active connections (but not listening sockets) for the inet address family. That is, ignore local UNIX domain sockets. For ss, both IPv4 and IPv6 connections will be displayed. For netstat, only IPv4 connections will be displayed. (netstat -A inet6 will display IPv6 connections, and netstat -46 will display IPv4 and IPv6 at the same time.)

How to Configure Networking Using nmcli and configuration files in CentOS/RHEL 7