Tuesday, February 22, 2011

Useful Windows 7 IPv6 netsh commands

I finally have taken time to gather together some useful netsh commands and their output that can be used in Windows 7 and Server 2008 for learning your IPv6 configuration information. This is partly inspired by Chris Vashel who kindly posted a comment on my previous IPv6 post regarding Windows 7 and Server 2008 R2 and provided some quick netsh commands to turn off some automatic tunneling behavior of Windows.

I want to cover a bit more then just turning off the IPv6 tunneling as Chris outlined (and I am including here again for reference) but also show the other fantastic IPv6 support that Microsoft has built into Windows 7 and Server 2008 R2. There is too much for one post so this will likely take a few, keep any eye out for updates.

So, what important netsh commands should you know about? I think the first ones would be "show" commands. You can get a lot of the basics from existing commands you already know like:
C:\Users\Ed>ipconfig /all
<... omitted for brevity...>
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-16-41-E6-E9-C3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:7:7:b9f7:e225:37d0:960f(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:7:7:41b9:cf5b:e4d5:7392(Preferred)
   Link-local IPv6 Address . . . . . : fe80::b9f7:e225:37d0:960f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.7.0.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
<... omitted for brevity...>
   Default Gateway . . . . . . . . . : fe80::215:63ff:fe88:4bdc%11
                                       10.7.0.1
   DHCP Server . . . . . . . . . . . : 10.7.0.1
   DNS Servers . . . . . . . . . . . : 10.7.0.10

   NetBIOS over Tcpip. . . . . . . . : Enabled
<... omitted for brevity...>

So first lets determine the actual interface ID's that are used, to see those use:
C:\Users\Ed>netsh interface ipv6 show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wireless Network Connection
<... omitted for brevity...>
 11          20        1500  connected     Local Area Connection
 15          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
<... omitted for brevity...>
 25          50        1280  disconnected  6TO4 Adapter
<... omitted for brevity...>
 29          50        1280  disconnected  Reusable Microsoft 6To4 Adapter
<... omitted for brevity...>

I highlighted the interface I am interested in getting more information about, my wired port which is ID 11. To get details from netsh for all interfaces we would issue:
C:\Users\Ed>netsh interface ipv6 show address
<... omitted for brevity...>
 Interface 11: Local Area Connection

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Temporary  Preferred        3m16s      3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392
Public     Preferred        3m16s      3m16s 2001:db8:7:7:b9f7:e225:37d0:960f
Other      Preferred     infinite   infinite fe80::b9f7:e225:37d0:960f%11
<... omitted for brevity...>

To get details from netsh for a specific interface (11 is the wired port, we got that earlier) we would issue:
C:\Users\Ed>netsh interface ipv6 show address 11

Address 2001:db8:7:7:41b9:cf5b:e4d5:7392 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Temporary

Address 2001:db8:7:7:b9f7:e225:37d0:960f Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Public

Address fe80::b9f7:e225:37d0:960f%11 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.11
Valid Lifetime     : infinite
Preferred Lifetime : infinite
DAD State          : Preferred
Address Type       : Other

The next useful show command is to know how things are routing:
C:\Users\Ed>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       11  fe80::215:63ff:fe88:4bdc
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001:db8:7:7::/64       11  Local Area Connection
No       Manual    256  2001:db8:7:7:41b9:cf5b:e4d5:7392/128   11  Local Area Connection
No       Manual    256  2001:db8:7:7:b9f7:e225:37d0:960f/128   11  Local Area Connection
No       Manual    256  fe80::/64                  15  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::/64                  11  Local Area Connection
<... omitted for brevity...>
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   15  Teredo Tunneling Pseudo-Interface
No       Manual    256  ff00::/8                   11  Local Area Connection
<... omitted for brevity...>

So if you want to see your specific routes per interface you can do that using:
C:\Users\Ed>netsh interface ipv6 show route verbose

Destination Prefix:     ::/0
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: fe80::215:63ff:fe88:4bdc
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           1755
PreferredLifeTime       1755

Destination Prefix:     ::1/128
Source Prefix:          ::/0
Interface Index:        1
Gateway/Interface Name: Loopback Pseudo-Interface 1
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7::/64
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 8
SitePrefixLength        0
ValidLifeTime           255
PreferredLifeTime       255

Destination Prefix:     2001:db8:7:7:41b9:cf5b:e4d5:7392/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7:b9f7:e225:37d0:960f/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite
 <... omitted for brevity...>

 To check if you have a working IPv6 DNS server you would issue:
C:\Users\Ed>netsh interface ipv6 show dns
 <... omitted for brevity...>
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
<... omitted for brevity...>

So in this particular case I am not being provided any IPv6 DNS name servers via DHCPv6 or statically on that interface. Alternately, as an example output if you had an IPv6 DNS server statically entered (like with the gogoClient) it would show:
<... omitted for brevity...>
    Statically Configured DNS Servers:    2001:5c0:1000:11::2
    Register with which suffix:           Primary only
<... omitted for brevity...>

From the above information I can determine that I am getting my IPv6 address via SLAAC, no DHCPv6 is running and I am getting an RA from the router and it is providing me with a default gateway that is using its link local address and not it's global unicast prefix address, which is the default behavior expected.

Now lets actually do something interesting next and use Chris' examples of netsh to shutoff Windows from doing 6to4 automatic tunneling. To do this you would issue:
C:\Users\Ed>netsh interface ipv6 6to4 set state state=disabled
Ok.

The netsh command provides confirmation that the command worked so if you are scripting you can parse the output to validate the change. Remember that 6to4 tunnel only happens if the Windows platform has a public IPv4 address assigned to it's interface and no other native IPv6 option is available. You will most commonly see 6to4 traffic in cases where servers are in a public DMZ with public IPv4 addresses and in cases where Windows clients are in "guest" networks where they are also provided public IPv4 addresses.

A more common scenario is wanting to disable Teredo tunneling since it is explicitly designed to work on devices that have IPv4 addresses behind a NAT device and with an RFC 1918 IP address. The majority of SMB and Enterprise networks are built this way today so the concern is valid.

Teredo can also be a problem for Windows 2008 deployments if the servers are in the DMZ or Inside network and functioning as stand alone devices that are not joined to an Active Directory domain. When Windows 7 and Server 2008 are NOT domain joined and have a valid RFC 1918 IPv4 address only, the OS's will attempt to run IPv6 on ISATAP first, if no DNS entry exist for ISATAP then they will attempt to use Teredo. So, Teredo is enabled by default but not necessarily active. Furthermore, if Teredo is the only IPv6 available the OS will NOT send AAAA queries in DNS by default - a good default protection behavior as it is unlikely the Teredo server you are connecting to is also a Teredo relay server which will forward traffic to the bigger IPv6 Internet on your behalf.

So, to keep your non-domain joined OS from randomly joining teredo.ipv6.microsoft.com (the default Teredo server entry in the OS) and happily exchanging traffic with others who do the same you can simply turn Teredo off with the following command:
C:\Users\Ed>netsh interface ipv6 set teredo disable
Ok.

As a final measure you can turn off ISATAP. This will prevent the OS from building out an IPv6 tunnel utilizing ISATAP which would be advertised in DNS. The alternate way of controlling this is by poisoning the isatap. entry in your DNS. Remember, ISATAP is typically deployed for a transition service so the nice thing about having ISATAP enabled in the network is that it prevents Teredo from running as ISATAP is preferred.
C:\Users\Ed>netsh interface ipv6 isatap set state state=disabled
Ok.

As a final thought, the nice thing about doing these commands is that you can still leave IPv6 enabled on the OS. This allows for supporting native IPv6 in a dual stack configuration in the future without breaking IPv6 completely. So when the time comes to start turning on IPv6 (Global or ULA) in your network the servers will behave properly. Remember, the rule of thumb for IPv6 is go native where you can, tunnel where you must. Take a look at Scott Hogg's blog post for a great write up on why going "Native" is important. Plus his daughter's artwork is awesome!
- Ed

6 comments:

us vpn said...
This comment has been removed by a blog administrator.
double glazed doors said...

Very nice work Ed. I commend the dedication to test these IPv6 netsh commands out.

Unknown said...

I am new to system administration and this was such big help! Please keep updating..bookmarked.Sample CV

vpn service said...

Great guide. Thank you.

Abonk said...

Great article, i was tested an ipv6 tunnel from tunnelbroker and get error with netsh, and in your article i found the solution, bookmarked mate. thanks

Anonymous said...

I'm wondering is there a command that I can write to view all ipv6 addresses on a network. for ipv4 I would type "net view" and everyone on the network would show up.