How to Configure IPv6 Networking in CentOS/RHEL 7

This post will touch base on how to configure IPv6 networking using nmcli and configuration files in the /etc/sysconfig/network-scripts directory

NetworkManager and IPv6

To work with IPv6 addresses using NetworkManager, all the commands that are used with IPv4 networking work with IPv6 networking. There are some different settings that are relevant for connections, but most commands will be similar for IPv6 configuration.

Adding an IPv6 Network Connection

The nmcli con add command is used to add new network connections.

The following command, “nmcli con add”, will add a new connection for the interface eno2, which will autoconnect at startup, getting IPv4 networking information using DHCPv4. It will also get IPv6 networking settings by listening for router advertisements on the local link.

# nmcli con add con-name eno2 type ethernet ifname eno2

The next example configures the eno2 interface statically instead, using the IPv6 address and network prefix 2001:db8:0:1::c000:207/64 and default IPv6 gateway 2001:db8:0:1::1, and the IPv4 address and network prefix and default IPv4 gateway, but still autoconnects at startup and saves its configuration into /etc/sysconfig/network-scripts/ifcfg-eno2.

# nmcli con add con-name eno2 type ethernet ifname eno2 ip6 2001:db8:0:1::c000:207/64 gw6 2001:db8:0:1::1 ip4 gw4

Modifying Network Connection Settings for IPv6

The nmcli con show name command, where name is the name of the connection, can be used to view IPv6-related settings:

# nmcli con show static-eth0 | grep ipv6
ipv6.method:                  manual
ipv6.dns:                     2001:4860:4860::8888
ipv6.addresses:               { ip = 2001:db8:0:1::7/64, gw = 2001:db8:0:1::1 } ipv6.routes:
ipv6.ignore-auto-routes:      no
ipv6.ignore-auto-dns:         no
ipv6.never-default:           no
ipv6.may-fail:                yes
ipv6.ip6-privacy:             -1 (unknown)
ipv6.dhcp-hostname:           -

Likewise, nmcli con mod name can be used to adjust how connections set IPv6 addresses To set the IPv6 address to 2001:db8:0:1::a00:1/64 and default gateway to 2001:db8:0:1::1 for the connection static-eth0:

# nmcli con mod static-eth0 ipv6.address "2001:db8:0:1::a00:1/64 2001:db8:0:1::1"

A number of settings may have multiple values. A specific value can be added to the list or deleted from the list for a setting by adding a + or - symbol to the start of the setting name. To add the DNS server 2001:4860:4860::8888 to the list of nameservers to use with the connection static-eth0:

# nmcli con mod static-eth0 +ipv6.dns 2001:4860:4860::8888

Remember that the file /etc/sysconfig/network-scripts/ifcfg-name can be directly edited, and that nmcli con reload must be run after saving so that NetworkManager reads the configuration changes. The following table maps some of the key NetworkManager setting names relevant to IPv6 connections to ifcfg-* directives.

Comparison of nm-settings and ifcfg-* Directives

ipv6.method manual IPV6_AUTOCONF=no IPv6 addresses configured statically
ipv6.method auto IPV6_AUTOCONF=yes Will configure network settings using SLAAC from router advertisements.
ipv6.method dhcp IPV6_AUTOCONF=no DHCPV6C=yes Will configure network settings by using DHCPv6, but not SLAAC.
ipv6.addresses “2001:db8::a/64 2001:db8::1” IPV6ADDR=2001:db8::a/64 IPV6_DEFAULTGW=2001:db8 :1 Sets static IPv4 address, network prefix, and default gateway. If more than one address is set for the connection, IPV6_SECONDARIES takes a double-quoted list of spacedelimited address/prefix definitions.
ipv6.dns . . . DNS0= . . . Modify /etc/resolv.conf to use this nameserver. Exactly the same as IPv4
ipv6.dns-search Modify /etc/resolv.conf to use this domain in the search directive. Exactly the same as IPv4
ipv6.ignore-auto-dns true IPV6_PEERDNS=no Ignore DNS server information from the DHCP server.
connection.autoconnect yes ONBOOT=yes Automatically activate this connection at boot eth0 NAME=eth0 The name of this connection
connection.interfacename eth0 DEVICE=eth0 The connection is bound to network interface with this name
network interface with this name HWADDR= . . . The connection is bound to the network interface with this MAC address

Viewing IPv6 Networking Information

Both nmcli dev status to show the NetworkManager status of all network devices and nmcli con show to show the list of available connections work exactly as they do for IPv4.

The ip addr show command still displays the current configuration of network interfaces on the system. The example that follows calls out some items relevant to IPv6.

 [geek@demo ~]$ ip addr show eth0
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0b brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    valid_lft forever preferred_lft forever
    inet6 2001:db8:0:1:5054:ff:fe00:b/64 scope global
     valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:b/64 scope link
     valid_lft forever preferred_lft forever
  1. An active interface is UP.
  2. The link/ether line specifies the hardware (MAC) address of the device.
  3. The inet line shows an IPv4 address, its network prefix length, and scope.
  4. The
  5. inet6
  6. line shows an IPv6 address, its network prefix length, and scope. This address is of global scope and is normally used.
  7. This inet6 line is for an address of link scope and can only be used for communication on the local Ethernet link.

The ip -6 route show command displays the IPv6 routing table for the system:

 # ip -6 route show
unreachable ::/96 dev lo  metric 1024  error -101
unreachable ::ffff: dev lo  metric 1024  error -101
2001:db8:0:1::/64 dev eth0  proto kernel  metric 256
unreachable 2002:a00::/24 dev lo  metric 1024  error -101
unreachable 2002:7f00::/24 dev lo  metric 1024  error -101
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -101
unreachable 2002:ac10::/28 dev lo  metric 1024  error -101
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -101
unreachable 2002:e000::/19 dev lo  metric 1024  error -101
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -101
fe80::/64 dev eth0  proto kernel  metric 256
default via 2001:db8:0:1::ffff dev eth0  proto static  metric 1024

In the previous example, ignore the unreachable routes, which point at networks which are never to be used. That leaves three routes:

  1. To the 2001:db8:0:1::/64 network using the eth0 interface (which presumably has an address on that network).
  2. To the fe80::/64 network using the eth0 interface, for the link-local address. On a system with multiple interfaces, there will be a route to fe80::/64 out each interface for each link-local address.
  3. A default route to all networks on the IPv6 Internet (the ::/0 network) that don’t have a more specific route on the system, through the router at 2001:db8:0:1::ffff, reachable with the eth0 device.

IPv6 Troubleshooting Tools


The ping6 command is the IPv6 version of ping in CentOS/RHEL. It communicates over IPv6 and can take IPv6 addresses, but otherwise works like ping.

# ping6 2001:db8:0:1::1
PING 2001:db8:0:1::1(2001:db8:0:1::1) 56 data bytes
64 bytes from 2001:db8:0:1::1: icmp_seq=1 ttl=64 time=18.4 ms
64 bytes from 2001:db8:0:1::1: icmp_seq=2 ttl=64 time=0.178 ms
64 bytes from 2001:db8:0:1::1: icmp_seq=3 ttl=64 time=0.180 ms ^C
 --- 2001:db8:0:1::1 ping statistics --
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.178/6.272/18.458/8.616 ms

Link-local addresses and the link-local all-nodes multicast group (ff02::1) can be pinged, but the network interface to use must be specified explicitly with a scope zone identifier (such as ff02::1%eth0). If this is left out, the error connect: Invalid argument will be displayed.

Pinging ff02::1 can be useful for finding other IPv6 nodes on the local network.

 [root@rhel7 ~]# ping6 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::78cf:7fff:fed2:f97b: icmp_seq=1 ttl=64 time=22.7 ms
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=1 ttl=64 time=30.1 ms (DUP!)
64 bytes from fe80::78cf:7fff:fed2:f97b: icmp_seq=2 ttl=64 time=0.183 ms
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=2 ttl=64 time=0.231 ms (DUP!) ^C
--- ff02::1%eth1 ping statistics --
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.183/13.320/30.158/13.374 ms
[root@rhel7 ~]# ping6 -c 1 fe80::f482:dbff:fe25:6a9f%eth1
 PING fe80::f482:dbff:fe25:6a9f%eth1(fe80::f482:dbff:fe25:6a9f) 56 data bytes
64 bytes from fe80::f482:dbff:fe25:6a9f: icmp_seq=1 ttl=64 time=22.9 ms
--- fe80::f482:dbff:fe25:6a9f%eth1 ping statistics --
1 packets transmitted, 1 received, 0% packet loss, time 0ms
min/avg/max/mdev = 22.903/22.903/22.903/0.000 ms

Remember that IPv6 link-local addresses can be used by other hosts on the same link, just like normal addresses.

 [geek@demo ~]$ ssh fe80::f482:dbff:fe25:6a9f%eth1 geek@fe80::f482:dbff:fe25:6a9f%eth1's password:
Last login: Thu Jun  5 15:20:10 2014 from
[geek@server ~]$


The tracepath6 and traceroute -6 commands are the equivalent to tracepath and traceroute for IPv6.

# tracepath6 2001:db8:0:2::451
1?: [LOCALHOST]                        0.091ms pmtu 1500
1:  2001:db8:0:1::ba                   0.214ms
2:  2001:db8:0:1::1                    0.512ms
3:  2001:db8:0:2::451   0.559ms reached
    Resume: pmtu 1500 hops 3 back 3

Ports and services

Either the ss command or the netstat command can display information about network sockets, and they take almost identical options.

 # ss -A inet -n
Netid State      Recv-Q Send-Q       Local Address:Port          Peer Address:Port

tcp   ESTAB      0      0 
tcp   ESTAB      0      0         2001:db8:0:1::ba:22
# netstat -46n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address        Foreign Address        State
tcp        0      0    ESTABLISHED
tcp6       0      0 2001:db8:0:1::ba:22  2001:db8:0:1::1:40810  ESTABLISHED

Options for ss and netstat

-n Show numbers instead of names for interfaces and ports
-t Show TCP sockets.
-u Show UDP sockets.
-l Show only listening sockets.
-a Show all (listening and established) sockets
-p Show the process using the sockets.
-A inet Display active connections (but not listening sockets) for the inet address family. That is, ignore local UNIX domain sockets. For ss, both IPv4 and IPv6 connections will be displayed. For netstat, only IPv4 connections will be displayed. (netstat -A inet6 will display IPv6 connections, and netstat -46 will display IPv4 and IPv6 at the same time.)