1. Configure a VLAN and subnet to use as the local IPv4 endpoint for the tunnel using VLAN context commands (See VLAN and Subnet Commands). Note the following:

• The IPv4 address assigned to the subnet must either be a routable IPv4 address or resolve to a routable IPv4 address via Network Address Translation (NAT) on another device.
• The routable IPv4 address associated with this VLAN is the one that is supplied to the tunnel broker as the local endpoint of the tunnel. Changes to this address must be coordinated with the tunnel broker.
• The ports (both tagged and untagged) that are assigned to this VLAN are the ports on which the IPv6 address block assigned by the tunnel broker will be accessible.

2. Request a "regular" tunnel using Hurricane Electric’s website at:

http://www.tunnelbroker.net

When providing the local IPv4 endpoint address, use the IPv4 address assigned to the VLAN subnet created in Step 1, or its routable NAT address.

Hurricane Electric will set up the tunnel and provide you with the following information:

• The IPv4 and IPv6 addresses for the Hurricane Electric tunnel endpoint.
• The IPv6 address of the default route for the tunnel.
• The IPv6 address block assigned by Hurricane Electric (a /64 prefix subnet).
• The IP addresses of Hurricane Electric's IPv6 and IPv4 DNS servers. (See below)

3. Create the tunnel on FortiADC using the information from the previous step. [For illustration, we use the multi-line command format below; the tunnel command can also be entered on a single line.] Enter:

eqcli> tunnel HE1 eqcli tl-HE1> type ipip eqcli tl-HE1> local_endpoint ipv4_addr eqcli tl-HE1> remote_endpoint ipv4_addr eqcli tl-HE1> local_address ipv6_addr eqcli tl-HE1> remote_address ipv6_addr eqcli tl-HE1> commit

The parameter arguments are as follows:

type	Currently, ipip is the only permitted tunnel type.
local_endpoint -	The IPv4 address provided to the tunnel broker as the FortiADC endpoint for the tunnel. It is the IP address that the tunnel broker will use to reach FortiADC. This is either ’s VLAN IP on the subnet created in Step 1 or the IP address with which FortiADC’s VLAN IP is associated via Network Address Translation (NAT).
remote_endpoint -	The IPv4 address of the tunnel broker side of the tunnel as provided by the tunnel broker.
local_address	The IPv6 address of the FortiADC side of the tunnel; this is assigned by the user and must be within the address range provided by the tunnel broker.
remote_address	The IPv6 address of the tunnel broker side of the tunnel as provided by the tunnel broker.

4. If it does not already exist, configure the VLAN presence on the FortiADC for this tunnel:

eqcli> vlan vlan_name vid VLAN_ID flags tunnel

eqcli> vlan vlan_name subnet subnet_name ip local_address default_route ipv6_addr

Note the following:

• You can choose any names for the VLAN and subnet.
• The VLAN ID (vid) supplied must be appropriate for your network configuration.
• The IPv6 address used for the subnet ip parameter must be the same as the local_address specified for the tunnel command in the previous step.
• The default_route parameter must be set to the IPv6 address provided by the tunnel broker as the default tunnel route.
• The VLAN parameters untagged_ports and tagged_ports are not required when the tunnel flag is specified on the vlan command line. If they are specified, they will be ignored. [The front panel ports on which the tunnel is accessible are the ports defined for the VLAN that we set up in Step 1.]

You should now be able to assign IPv6 addresses from the tunnel’s IPv6 address block as cluster IP addresses on FortiADC, and clients from the IPv6 Internet should be able to connect to them using the cluster’s IPv6 address.

The Domain Name System (DNS) is used by both IPv4 and IPv6 systems to provide name to address mapping, and address to name mapping. Systems that support both IPv4 and IPv6 will require DNS entries that describe the mappings for each protocol.

A new DNS record type, AAAA (sometime referred to as "quad-A"), has been defined for IPv6 name to address mappings (see RFC 3596). AAAA records contain a single IPv6 address mapped to a fully qualified domain name (FQDN). The assigned value for this record type is 28 (decimal). You will need to create AAAA records on your authoritative DNS server in order to access IPv6-enabled systems using their FQDN.

In addition, a special domain rooted at “.IP6.ARPA” is defined in RFC 3596 to provide a way of mapping an IPv6 address to a host name. This is commonly called "DNS reverse lookup", and is specified in your authoritative DNS server’s reverse lookup files using PTR (or "pointer") records.

Please refer to the DNS documentation appropriate for your network configuration for more information on adding IPv6 AAAA and PTR records.