Aaron's Worthless Words

It's possible that someone somewhere needs to see this.

Archive for the ‘ipv6’ tag

OSPF and Loopback Interfaces

with 2 comments

I was studying via Google+ Hangout the other day with CJ and Rob, and one of the topics that came up was that OSPFv2 advertises all loopbacks as 32-bit no matter what the configured mask is.  I rarely use loopbacks outside of a lab and had no idea it did that, so I set up a quick lab to see for myself.  Sure enough!  That’s exactly what I saw.

Of course, being the inquisitive network guys that we are, we went on to discuss methods for making OSPF advertise the configured network instead of the single IP.  The guys mentioned two methods – to redistribute the connected interfaces and to manually set the OSPF network type on the loopback.  We were using IPv4 during the session, but I went back and added some IPv6 addresses and processes to compare.

The Basics

The whole lab consisted of R101 and R102 connected via their e0/0 interfaces; R101 also has a loopback interface as the guinea pig.  Here are the interesting lines of config on R101; I think you can figure out the configs on R102.

interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 ipv6 address 2001:DB8:101::1/64
 ipv6 ospf 1 area 0
!
interface Ethernet0/0
 ip address 10.0.0.101 255.255.255.0
 ipv6 enable
 ipv6 ospf 1 area 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
!
ipv6 router ospf 1
 router-id 192.0.2.101
 log-adjacency-changes

So, what would I expect to see in the routing table on R102?  From our discussions, I would guess that 172.16.0.1/32 and 2001:db8:101::1/128 would show up.

R102#sh ip route
[ SNIP ]
172.16.0.0/32 is subnetted, 1 subnets
O        172.16.0.1 [110/11] via 10.0.0.101, 00:00:03, Ethernet0/0
R102#show ipv6 route
[ SNIP ]
O   2001:DB8:101::1/128 [110/10]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

Hey!  I’m right for once.  Of course, that’s not really “right” (for definitions of the word). What if I have a service module on my router with an unnumbered IP address bound to the loopback interface? I’m thinking of something like a Unity Express (!).  You want to advertise the whole network or else you can’t get to the module. Let’s look at our two options to fix that.

Redistribute Connected

I removed the loopback interface from both OSPFv2 and OSPFv3 processes and redistributed the connected interfaces (don’t forget the subnets option in OSPFv2).  Here’s what the routing tables on R102 look like now.

R102#sh ip route
[ SNIP ]
172.16.0.0/24 is subnetted, 1 subnets
O E2     172.16.0.0 [110/20] via 10.0.0.101, 00:00:06, Ethernet0/0
R102#sh ipv6 route
[ SNIP ]
OE2 2001:DB8:101::/64 [110/20]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

We can now see the network as an E2 route with a proper mask in both routing protocols.  I don’t like this solution, though, because I have a serious obsessive-compulsive disorder that won’t let me settle with having an internal route show up as external in OSPF.  Let’s try the other solution and see if we have any better luck.

OSPF Network-type

For this part of the experiment, I removed the redistribute commands and added the loopback interface back into the routing processes.   When I manually configured the loopback interface as an OSPF point-to-point network, the networks were advertised as the network without being external.  No more nervous tics caused by my OCD!

! R101 config
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 ip ospf network point-to-point
 ipv6 address 2001:DB8:101::1/64
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
end
R102#sh ip route
[ SNIP ]
172.16.0.0/24 is subnetted, 1 subnets
O        172.16.0.0 [110/11] via 10.0.0.101, 00:01:04, Ethernet0/0
R102#sh ipv6 route
[ SNIP ]
O   2001:DB8:101::/64 [110/11]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

Send any type-2002 LSAs questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Written by Aaron Conaway

July 30th, 2011 at 10:37 pm

Posted in ccie,route

Some Exercises with IPv6 ACLs

without comments

ACLs in IPv6 aren’t that different from what you’re used to dealing with in the IPv4 world.  You create a list of denies and permits for use with some other structure like filtering, PBR, and all sorts of other stuff.  Let’s take a look at building an ACL and filtering traffic with it.

For those playing at home, here’s the setup I used to generate the configs and get the output.

The first thing you need to know is that all IPv6 ACLs are extended and named.  There’s no concept of numbering and using standard list types that include the destination only.  This is a good thing in my opinion, and I’ve been doing that in my IPv4 ACLs for many years now.  This allows (forces?) you to use descriptive names and very specific entries.  Sometimes my entries are too specific, but that’s usually because people don’t include all the requirements.  I digress.

Creating an IPv6 ACL is so similar to the way you do it in IPv4 that I don’t even want to mention it.  I’ll just give an example that we’ll use in a second.  As usual, we’re using IOS on Cisco devices.

ipv6 access-list TRANSIT-ACL
 permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet
 deny ipv6 any any log

No numbers or ACL types means the config is a lot simpler and cleaner.  You can see that TRANSIT-ACL is allowing telnet from 2001:db8:0:1::2 to 2001:db8::1 and denying everything else.  Of course, it’s also logging the denies to  syslog so we know what’s going on.  This shouldn’t be foreign to you at all.  Note:  This is a lab, and we’re just allowing telnet as a demonstration.  You should always yell at people who try to use telnet and show them how to use SSH.  Just sayin’.

On a tangent, I just realized that I actually typed deny any any log in the last line, and the router took it to mean all IPv6.  Cool.

At some point, you’ll want to see what kind of matches you’re getting on the ACL.  You can do a show ipv6 access-list or just a show access-list to see them.  Of course, if you have any IPv4 ACLs configured, those will be included in the latter, but the output of each is the same in relation to IPv6.

R2#show access-lists
IPv6 access list TRANSIT-ACL
    permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet (24 matches) sequence 10
    deny ipv6 any any log (19 matches) sequence 20

Here you can see the entries of each ACL and see that this ACL has already been applied somewhere since it has hits.  The obvious difference between the output here and that from an IPv4 ACL is the sequence number.  In the IPv4 world, the sequence will come before the function (10 permit tcp …).  Here, it comes afterwards.  I’m not yet sure if this is better or not.  I’ll reserve judgement when I get some more experience with it.

If you’ve done ACLs a lot, you can probably tell that this ACL was meant for filtering traffic on an interface.  Let’s apply it to F0/1 to do such.

interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter TRANSIT-ACL in

Make note that we use the traffic-filter directive on the interface along with the ACL name and the direction.  Simple stuff.

There is a problem here, though.  If you remember your extensive IPv6 training, you know that we no longer have the concept of ARP to map layer-3 addresses to layer-2 addresses.  To find layer-2 neighbors, IPv6 devices use neighbor discovery (ND), which itself uses ICMPv6, to look for connected devices.  Since ICMPv6 is a layer-3 protocol like IP, when you apply this ACL as indicated, you’ll not find any new neighbors on F0/1.  If a new router has a route to 2001:db8:0:1::1, there’s no way to discover the layer-2 address, and I’ll let you guess how that works out.  Not very well.  The fix is just to allow ICMPv6 into the interface; the details of that will run away very quickly, so I’ll save it for later.

When one device sends ND packets, it uses its link local address as the source and the multicast address of FF01::1 (the all routers group) as the destination.  You can see that in the log from before we fixed our neighbor problem.

*Mar  1 01:10:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar  1 01:15:07.739: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar  1 01:21:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 1 packet

This looks pretty standard, but you can see that the message content includes the ACL name followed by the sequence number.  Now you can see exactly which entry is denying the traffic instead of having to go through the whole 8482482-line ACL to see what happened.  I’m digging that a lot.
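One way to turn those log lines into a list of what the ACL is missing, as an added example that is not code from the original post: it parses the %IPV6-6-ACCESSLOGDP messages shown above, picks out denied neighbor-discovery types, and reports which entry dropped them. The function names are made up here, and the `any any` scope in the suggested entry is an illustrative assumption, not a recommendation from the post.

```python
import ipaddress
import re
from collections import Counter

# ICMPv6 neighbor-discovery message types (RFC 4861) and the keyword an
# IOS IPv6 ACL entry uses to match each one.
ND_KEYWORDS = {
    133: "router-solicitation",
    134: "router-advertisement",
    135: "nd-ns",
    136: "nd-na",
}

# ACCESSLOGDP is the variant logged for ICMPv6; the parenthesised pair
# is (type/code) rather than port numbers.
LOG_RE = re.compile(
    r"%IPV6-6-ACCESSLOGDP: list (?P<acl>[^/\s]+)/(?P<seq>\d+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# The three syslog lines from the post, router prompts included.
SAMPLE_LOG = """\
*Mar  1 01:10:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar  1 01:15:07.739: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar  1 01:21:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 1 packet
"""


def parse_acl_log(text):
    """Yield one dict per ACCESSLOGDP line; anything else is skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        yield {
            "acl": m["acl"],
            "seq": int(m["seq"]),
            "action": m["action"],
            "proto": m["proto"].lower(),
            "src": ipaddress.IPv6Address(m["src"]),
            "dst": ipaddress.IPv6Address(m["dst"]),
            "icmp_type": int(m["type"]),
            "count": int(m["count"]),
        }


def _is_denied_nd(entry):
    return (
        entry["action"] == "denied"
        and entry["proto"] == "icmpv6"
        and entry["icmp_type"] in ND_KEYWORDS
    )


def denied_nd(text):
    """Dropped ND packets, keyed by (ACL name, sequence, IOS keyword)."""
    hits = Counter()
    for e in parse_acl_log(text):
        if _is_denied_nd(e):
            hits[(e["acl"], e["seq"], ND_KEYWORDS[e["icmp_type"]])] += e["count"]
    return hits


def affected_neighbors(text):
    """Link-local sources whose ND messages the ACL dropped."""
    return sorted(
        {str(e["src"]) for e in parse_acl_log(text)
         if _is_denied_nd(e) and e["src"].is_link_local}
    )


def missing_permits(text):
    """For each entry that dropped ND traffic, the permit that must sit above it."""
    return [
        f"{acl}: 'permit icmp any any {kw}' before sequence {seq} "
        f"({n} packets dropped)"
        for (acl, seq, kw), n in sorted(denied_nd(text).items())
    ]


if __name__ == "__main__":
    for line in missing_permits(SAMPLE_LOG):
        print(line)
    print("neighbors affected:", affected_neighbors(SAMPLE_LOG))
```
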

Make sure you check out Packetlife’s post on IPv6 ACLs as well.  As always, there’s good stuff going on there.

Send any Cadbury Creme Eggs questions to me.

Written by Aaron Conaway

April 15th, 2011 at 2:42 pm

Configuring an IPv6 Tunnel with Hurricane Electric

with 5 comments

My ISP at home is great.  I have infinite bandwidth because they have no idea how to do any rate limiting.  Heck, they’re not even skilled enough to know that I have several public IP addresses from their DHCP server.  That means, though, that they’re not ready for IPv6.  They’ve ignored my emails and support tickets asking about their deployment strategy, so I gave up and looked at turning up a tunnel with a broker.  I chose Hurricane Electric for no particular reason; they were just the first ones I found.  The setup was super-easy and works flawlessly.

When you add a new tunnel to your account, you are given a 64-bit IPv6 network to use at your local site and you have the option of asking for a 48-bit network as well.  I’m not planning on having more than one IPv6 subnet right now and the number of hosts doesn’t quite reach 1.84467441 × 10^19, so I opted to stick with the provided network.  HE also provides an IOS configlet for your end of the tunnel.  Here’s the config I’m using sans the default route out Tunnel0.

interface Tunnel0
 description To Hurricane Electric IPv6
 no ip address
 ipv6 address 2001:470:1F0E:446::2/64
 ipv6 traffic-filter ACL-TUN0 in
 ipv6 inspect INSP-OUT out
 tunnel source FastEthernet0/1
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
end

We’re talking IOS here.  I have an ASA 5505 on the head of my network, and, though it supports IPv6 routing (and filtering), it doesn’t support the manual tunnel used to connect to HE.  I ended up picking an 1841 off of eBay to run parallel to my firewall.  There are other ways to connect the tunnel, though, and HE provides configurations for lots of platforms like Windows and Linux hosts; I’m a network guy, though…why not just install more network gear?

Don’t get caught up in the warm glow of IPv6, though.  This is the open Internet just like when your grandmother plugs the new Macbook Pro you got her directly into the cable modem.  You will need to put in some filtering and inspection to protect yourself at the edge.  Though beyond scope today, take a look at the lines for ipv6 inspect and ipv6 traffic-filter for a starting point.

Send any native IPv6 support questions my way.

Written by Aaron Conaway

March 30th, 2011 at 8:03 pm

Posted in cisco,ipv6

Routing IPv6 with BGP – The Basics

with 3 comments

Are you sensing a theme lately?  Since we covered the basics of the main IGPs (I'm an enterprise guy, so no IS-IS comments, please.), I thought I'd try to describe the basics of advertising IPv6 routes over BGP.  Yet again, we're not going to do any route manipulation or change any of the 948284928 BGP attributes.  We're just trying to get routes exchanged.

Configuration

There's no new version of BGP for IPv6 here.  It's the standard BGP version 4 that we've all been using for years, but we're going to take advantage of the multiprotocol support (MPBGP, RFC 4760, which obsoletes RFC 2858).  We'll get to the differences in a second, but the first thing to do is to set up the BGP process as normal.

Just as with the IGPs covered so far, the router ID needs to be set somehow.  Let's just manually set it for now.  We'll be routing on behalf of AS 65001.

Router(config)#router bgp 65001
Router(config-router)#bgp router-id 192.0.2.1

Since we're not using that archaic IPv4 any more, we need to disable IPv4 unicast, which is enabled by default when you configure MPBGP.

Router(config-router)#no bgp default ipv4-unicast

All is good so far?  Now comes the part that's different from your standard BGPv4 deployment with your ISP.  To enable the protocol for IPv6, we need to use the address-family directive.  This tells BGP which of the several protocols that you want to use in MPBGP.  We'll use IPv6, obviously; the others are well beyond our scope.

Router(config-router)#address-family ipv6

This will take you to the address family config mode which is where you can configure your neighbors and network statements just like you did in more traditional configurations of BGP.  A difference here is that you have to activate the neighbor before the address family is enabled for it.  Luckily, that's so easy I won't even explain it; I'm confident you can figure out which command does this.  Heh.  Let's peer with the router at fc00::2 using AS 65002 and advertise fc00:1::/64 to it, shall we?

Router(config-router-af)#neighbor fc00::2 remote-as 65002
Router(config-router-af)#neighbor fc00::2 activate
Router(config-router-af)#network fc00:1::/64

Piece of cake, right?

I've got to note that this is just one way to configure the IPv6 address family under MPBGP; there are other orders of command entry that can be used to get to the same config.  That's actually evident if you look at the config after you're done.

router bgp 65001
 bgp router-id 192.0.2.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor FC00::2 remote-as 65002
 !
 address-family ipv6
  neighbor FC00::2 activate
  network FC00:1::/64
 exit-address-family

You'll see that config items don't land in the order and place that you configured them.  The end results are the same.

Checking Our Work

First, let's see if we have a neighbor adjacency.  We're all used to running show ip bgp summary, but we're not running IPv4.  The equivalent is show bgp ipv6 unicast summary.  The whole unicast/multicast thing is beyond both the scope of this article and of my comfortable knowledge.  :)

Router#show bgp ipv6 unicast summary
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 304 bytes of memory
2 path entries using 152 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 884 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FC00::2         4 65002      15      15        3    0    0 00:10:29        1
Router#

We can see the neighbor is up and that we have a single prefix from that guy.  Let's check out exactly which route that is with the show bgp ipv6 unicast neighbor fc00::2 routes command.  That was a mouthful, eh?

Router#show bgp ipv6 unicast neighbors fc00::2 routes
BGP table version is 3, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> FC00:2::/64      FC00::2                  0             0 65002 i

Total number of prefixes 1
Router#

It looks like we have a route to fc00:2::/64 through that neighbor.  That's a good thing since we're trying to exchange routes.  The next question is whether we are sending any routes to the neighbor.  Run show bgp ipv6 unicast neighbor fc00::2 advertised-routes (even more of a mouthful!) to find out.

Router#show bgp ipv6 unicast neighbors fc00::2 advertised-routes
BGP table version is 3, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> FC00:1::/64      ::                       0         32768 i

Total number of prefixes 1
Router#

That looks right.  We're advertising the route to fc00:1::/64 just as we configured in our neighbor statement above.  We're on a roll!

Finally, let's check the routing table to make sure that route from the neighbor landed there.  Run show ipv6 route like we've done with the IGPs, and you should see the prefix as a "B" like in the old days of IPv4.

Router#show ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
C   FC00::/64 [0/0]
     via ::, FastEthernet0/0
L   FC00::1/128 [0/0]
     via ::, FastEthernet0/0
C   FC00:1::/64 [0/0]
     via ::, FastEthernet0/1
L   FC00:1::1/128 [0/0]
     via ::, FastEthernet0/1
B   FC00:2::/64 [20/0]
     via FE80::C001:1FF:FE18:0, FastEthernet0/0
L   FF00::/8 [0/0]
     via ::, Null0
Router#

Well, there it is.  The only thing you may not have seen is the concept of address families, but there's not much to that at all.

Send any as-path prepends questions to me.

Written by Aaron Conaway

February 10th, 2011 at 10:11 am

OSPFv3 – The Basics

without comments

A few hours ago, the last of the IPv4 addresses were allocated by IANA.  Now's the time to learn more about IPv6!  Yesterday, I posted about EIGRP for IPv6, so I think I'll continue the trend by introducing OSPFv3, which is the IPv6 implementation of OSPF.  As always, I'm using Cisco routers here.  Just as yesterday, this is just a guide to the absolute basics; if you want to do some funky OSPF magic, you won't find it here – perhaps in time, though.

Configuration

As with all IPv6 routing protocols, the first thing we need to do is enable IPv6 unicast routing.

Router(config)#ipv6 unicast-routing

OSPFv3 also has the same router ID problem as EIGRP for IPv6 has, so we have to sort that out.  You can set the router ID either through a loopback interface with an IPv4 address on it or you can set it manually.  I'll just do it manually for now.  Let's use OSPF process ID 100.

Router(config)#ipv6 router ospf 100
Router(config-rtr)#router-id 192.0.2.1

Just like in OSPFv2 and in EIGRP for IPv6, we add interfaces to the routing protocol instead of using network statements; those don't exist in OSPFv3.  Let's assume you already have IPv6 addresses on interface f0/0 and you want that network in area 0.

Router(config)#interface f0/0
Router(config-if)#ipv6 ospf 100 area 0

You can see that it's really easy to add interfaces to different areas as well.

Checking Our Work

Just like we did yesterday, let's check to make sure the right interfaces are participating in the routing protocol.  We can do this with the show ipv6 ospf interface brief command.

Router#show ipv6 ospf interface brief
Interface    PID   Area            Intf ID    Cost  State Nbrs F/C
Fa0/1        100   0               5          10    BDR   1/1
Fa0/0        100   2               4          10    DR    0/0

You can see that we've got two FastEthernet interfaces in two different OSPF areas.  You can even see the state and neighbor count in the output.

That looks good, so let's check to see if we have any neighbors.  Of course, we already saw that we have one off of f0/1 from the output above, but just humor me and run show ipv6 ospf neighbors.

Router#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
192.0.2.2         1   FULL/DR         00:00:31    5               FastEthernet0/1

That looks good to me. The other guy is a DR and is fully adjacent with our router. Cool.

One last command shows us the routing table.  Can you guess what that command is without looking at the book?  Very good, class.  It's show ipv6 route.

Router#sh ipv6 route
IPv6 Routing Table - 6 entries
...
C   FC00:1::/64 [0/0]
     via ::, FastEthernet0/1
L   FC00:1::1/128 [0/0]
     via ::, FastEthernet0/1
C   FC00:2::/64 [0/0]
     via ::, FastEthernet0/0
L   FC00:2::1/128 [0/0]
     via ::, FastEthernet0/0
O   FC00:3::/64 [110/20]
     via FE80::C001:1CFF:FED0:1, FastEthernet0/1
OI  FC00:4::/64 [110/30]
     via FE80::C001:1CFF:FED0:1, FastEthernet0/1
L   FF00::/8 [0/0]
     via ::, Null0

Isn't that fancy?  We seem to have both an intra-area route (the O route) and an inter-area route (the OI route).  We are ready for the big time now!

Send any tunnel broker recommendations questions my way.

Written by Aaron Conaway

January 31st, 2011 at 9:49 pm

Posted in cisco,route

EIGRP for IPv6 – The Basics

with 4 comments

I'm not going to go all out like Jeremy over at Packetlife.net has, but I'm going to start to discuss a few IPv6 topics.  In time (like in September when APNIC runs out of IPv4 addresses), I'm sure I'll ramp up the IPv6 talk, but let's start easy and get EIGRP for IPv6 up and running.  

Configuration

There are quite a few differences between EIGRP for IPv6 (yes, that's an official name) and the IPv4 version.  First of all, all IPv6 routing is disabled by default on a Cisco router, so, if you're doing any routing in IPv6, you'll want to enable it or risk smashing your head into the desk trying to figure out what's going on.

Router(config)#ipv6 unicast-routing

Next, let's get to configuring EIGRP for IPv6.  By default, EIGRP for IPv6 is shut down like Ethernet interfaces, so we'll have to enable it first.

Router(config)#ipv6 router eigrp 100
Router(config-rtr)#no shutdown

There's also the issue of the router ID.  In IPv4, EIGRP has a method to figure out its router ID, and EIGRP for IPv6 uses that same method.  The problem is that the router ID is still a 32-bit number, but there aren't any 32-bit addresses on the router if you're pure IPv6.  A dilemma, eh?  There are two ways to get around this, though.  First, you can set a loopback interface with an IPv4 address so that EIGRP will have an address to use.

Router(config)#interface lo0
Router(config-if)#ip address 192.0.2.1 255.255.255.255

You can also statically assign a router ID to EIGRP for IPv6.

Router(config)#ipv6 router eigrp 100
Router(config-rtr)#router-id 192.0.2.1

Either method gets the same result.  Of course, you should be careful that all routers have a unique ID.

So now we need to add some network statements, right?  Actually, there are no network statements in EIGRP for IPv6.  The interfaces themselves are where you configure the networks to be included in the routing protocol.  It's kinda like the way you can use the interfaces to configure OSPFv2.

Router(config)#interface f0/0
Router(config-if)#ipv6 eigrp 100

Of course, we're assuming you already have an IPv6 address on f0/0.

Checking our Work

Let's check to see if everything is working the way we think it should be.  First of all, let's make sure all our interfaces are participating as expected with the show ipv6 eigrp interface command.

Router#sh ipv6 eigrp interfaces
IPv6-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              0        0/0         0       0/1            0           0
Fa0/1              1        0/0        23       0/2           50           0

This output looks a lot like the IPv4 version, and we can see both f0/0 and f0/1 are participating.  That looks right, so let's check for EIGRP neighbors with the show ipv6 eigrp neighbor.  I've got another router off of f0/1, so we should see a neighbor adjacency.

Router#sh ipv6 eigrp neighbors
IPv6-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   Link-local address:     Fa0/1             13 00:02:40   23   200  0  11
    FE80::C001:14FF:FEB0:1

What the heck is FE80::C001:14FF:FEB0:1??!?!?!  That's not a network we configured!  That's actually the link-local address of the other router off of f0/1.  Perhaps I'll discuss IPv6 addressing some day (when I have a firmer grasp on it), but, for now, I'll just say that it's a special address for hosts to talk to one another on a local network.

Finally, let's check for routes.

R1#show ipv6 route eigrp
IPv6 Routing Table - 6 entries
...
D   2002::/64 [90/307200]
     via FE80::C001:14FF:FEB0:1, FastEthernet0/1

Just like in IPv4, EIGRP for IPv6 routes show up with the route code of "D".  It looks like we have one route to the 2002::/64 network.  Everything seems to be working!

There are obviously a lot more features and functions to EIGRP for IPv6, but this should get you started in your studies.  I'm sure I'll expound as time and my CCIE studies progress.

Send any 6to4 tunnels questions my way.

Written by Aaron Conaway

January 30th, 2011 at 10:07 pm

Posted in route

ROUTE Notes – Implementing IPv6 in an IPv4 Network

without comments

Study Questions

  • Your boss says that every host in the network needs to be converted over to IPv6 by the end of the day.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?

Native IPv6

  • The engineering department wants to permanently use IPv6 on their test boxes in two offices.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Point-to-point tunnels

  • A handful of departments want to use IPv6 for testing but have no schedule.  Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Multipoint tunnels

  • You’ve implemented 6to4 tunnels and are turning up another router that should participate.  What do you need to configure on the other routers to support the new one?

Nothing.  The use of 6to4 tunnels requires a strict addressing scheme that is used to determine tunnel endpoints dynamically.

  • You’ve implemented ISATAP tunnels and are turning up another router that should participate.  What do you need to configure on the other routers to support the new one?

You need to add static routes pointing the new prefix across the IPv6 address of the new router’s tunnel interface.

  • How does a router using 6to4 tunnels determine tunnel endpoints?

The second and third quartet of the destination address are used to figure out what the IPv4 tunnel endpoint is.  For example, a host on 2002:a01:a01::/64 sits behind the tunnel endpoint at 10.1.10.1.

  • Don’t you need to have some sort of IPv6 routing enabled to use 6to4 tunnels?

Since 6to4 tunnels use the reserved prefix of 2002::/16, all the routers just have to point that prefix out the tunnel interface.  Since this covers all the networks that 6to4 uses,  no other routes are necessary.

  • How does a router using ISATAP tunnels determine tunnel endpoints?

The last two quartets (7 and 8) of the endpoint’s tunnel interface are used to determine the IPv4 tunnel endpoint.  For example, a router with an IPv6 address of 2000::a04:b0b has an IPv4 tunnel endpoint of 10.4.11.11.

  • What are the different types of IPv6 tunnels, and what are their tunnel modes?

Manual IPv6 point-to-point – tunnel mode ipv6ip
GRE point-to-point – tunnel mode gre ip
6to4 multipoint – tunnel mode ipv6ip 6to4
ISATAP multipoint – tunnel mode ipv6ip isatap

  • Which tunnel types support OSPFv3?

Manual IPv6 and GRE

  • How are routes learned on ISATAP tunnels?

Routes aren’t really learned.  ISATAP requires a static route pointing prefixes towards a tunnel address on a distant router.

  • How are the local link addresses determined on an ISATAP tunnel?

The local link address, like all local link addresses, starts with fe80 and ends with the IPv4 address of the tunnel source as the last two quartets; quartets 2 through 6 are all zeroes.

  • What is required to be configured when using any of the tunnel types?

ipv6 unicast-routing
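The two endpoint rules from the answers above (6to4 reads quartets 2 and 3, ISATAP reads quartets 7 and 8), worked through on the notes' own addresses. This is an added example, not part of the original notes; the function names are made up here, and it goes slightly beyond the notes by also showing the inverse 6to4 mapping and a flag for embedded endpoints that are not globally routable.

```python
import ipaddress

# Reserved 6to4 prefix named in the notes.
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def _v6(addr):
    """Accept 'addr' or 'addr/len' and return the IPv6Address part."""
    return ipaddress.IPv6Interface(addr).ip


def sixtofour_endpoint(addr):
    """IPv4 tunnel endpoint carried in quartets 2 and 3 of a 6to4 address."""
    ip6 = _v6(addr)
    if ip6 not in SIXTOFOUR:
        raise ValueError(f"{ip6} is not inside {SIXTOFOUR}")
    # Quartet 1 is bits 127..112; quartets 2 and 3 are bits 111..80.
    return ipaddress.IPv4Address((int(ip6) >> 80) & 0xFFFFFFFF)


def isatap_endpoint(addr):
    """IPv4 tunnel endpoint carried in quartets 7 and 8 (the low 32 bits).

    Follows the rule as the notes state it; no check is made on the
    rest of the interface identifier.
    """
    return ipaddress.IPv4Address(int(_v6(addr)) & 0xFFFFFFFF)


def sixtofour_prefix(ipv4):
    """Inverse mapping: the 2002:AABB:CCDD::/48 a site derives from its
    IPv4 tunnel source."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def audit_next_hops(next_hops):
    """Resolve 6to4 destinations to the IPv4 address the router will
    encapsulate to, and flag whether that address is globally routable.

    An embedded private or reserved address only works inside one
    routing domain, which is worth knowing before filtering protocol 41
    at the edge.
    """
    report = []
    for hop in next_hops:
        v4 = sixtofour_endpoint(hop)
        report.append((hop, str(v4), v4.is_global))
    return report


if __name__ == "__main__":
    # Addresses taken from the study notes.
    print(sixtofour_endpoint("2002:a01:a01::/64"))   # 6to4 example
    print(isatap_endpoint("2000::a04:b0b"))          # ISATAP example
    print(sixtofour_prefix("10.1.10.1"))
    print(audit_next_hops(["2002:a01:a01::/64"]))
```
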

What Command Was That?

What command…

  • …shows the status of an IPv6 tunnel?

show ipv6 interface tunnel X
show ipv6 interface brief
show interfaces tunnel X

  • …shows the routes involved with an IPv6 tunnel?

show ipv6 route

  • …pings a distant host over an IPv6 tunnel terminated on the router?

ping ipv6 distantaddress source localaddress

Written by Aaron Conaway

July 3rd, 2010 at 10:32 pm

Posted in ccnp,cisco,route

ROUTE Notes – Routing IPv6

without comments

Study Questions

  • Why would anyone develop a version of RIP that supports IPv6?

I have no idea.  Boredom, maybe.  Whatever the case, it works just like RIPv2, which is pretty scary.

  • In EIGRP for IPv4, there are several requirements for two routers to neighbor up.  Which of those is not true for EIGRP for IPv6?

The two routers don’t need to be in the same subnet.  The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.

  • I configured EIGRP for IPv6 on my completely IPv6 router, but it’s not working.  Nothing happens.  What’s going on?

For one, you have to do a no shutdown as an EIGRP subcommand; by default, EIGRP for IPv6 is in a shutdown state.  Another reason could be that a router ID hasn’t been set; EIGRP for IPv6 still uses the IPv4 addresses to establish a router ID, so you may have to set one manually.

  • I tried to configure EIGRP for IPv6 with the network statements, but it’s not taking the command.  What gives?

You actually configure EIGRP for IPv6 (and RIPng and OSPFv3) the “new way” by using the interfaces.  Try doing an ipv6 eigrp X as an interface subcommand.

  • When redistributing one IPv6 IGP into another, what kinds of routes will and won’t be redistributed?

Only routes discovered via the original IGP will be redistributed.  Connected routes, even the ones configured in the original IGP, won’t be redistributed.  Link local addresses and local routes will also NOT be redistributed.

  • Show me a simple RIPng config.

R1(config)#ipv6 router rip PROC-NAME
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 rip PROC-NAME enable

  • Show me a simple EIGRP for IPv6 config.

R1(config)#ipv6 router eigrp 8
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#no shutdown
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 eigrp 8

  • Show me a simple OSPFv3 config.

R1(config)#ipv6 router ospf 4
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#int f0/0
R1(config-if)#ipv6 ospf 4 area 0

  • How do you include connected routes when redistributing one IGP into another in IPv6?

Use the include-connected directive in the redistribution command.

  • In EIGRP for IPv6, what address shows up as the next hop in the routing table?

The link local address of the advertising router.

What Command Was That

What command is used to…

  • …show all the IPv6 routes?

show ipv6 route

  • …show the status of OSPFv3 neighbors?

show ipv6 ospf neighbor

  • …show the status of RIPng neighbors?

There is none; RIPng doesn’t have neighbors.

  • …show a route to a specific prefix?

show ipv6 route prefix::/length


Written by Aaron Conaway

June 29th, 2010 at 9:34 pm

ROUTE Notes – Intro to IPv6

with one comment

Study Notes

  • Exactly how big is an IPv6 address?

It’s 128 bits long.

  • This shouldn’t be on the test, but how many unique addresses is that?

That’s 2^128 or a “3” with 38 zeros after it.  That’s also 2^95 addresses for each person on earth.

  • Surely we’re not writing in binary, are we?

No way.  IPv6 uses 32 hex characters.  Each character is 4 bits, so we wind up with 128 bits of data.

  • Surely all 32 characters aren’t just written out together in one continuous string, are they?

No again.  They’re written in groups of 4 separated by colons.  For example, 2000:1234:0184:AB33:0000:0000:1084:0001 is a valid IPv6 address.

  • That’s still a lot of characters; tell me that there’s a shortcut to writing those out.

There are two shortcuts, actually.  First, you can omit leading zeros in an octet (4 hex digits).  You can also replace a single run of octets that are all zeros with a double colon (::).  If we took our example above and shortened it, we would wind up with 2000:1234:184:AB33::1084:1.  Notice that some octets are less than 4 characters long and that the two octets of zeros are replaced with the double colon.

  • If an implementation plan says that you should statically configure all the IPv6 addresses on a bunch of routers, what should you do?

You should send the plan back for revision since there are two methods to statically configure an IPv6 address – static and static with EUI-64.

  • What the heck is EUI-64?

EUI-64 is an IEEE standard for deriving a unique ID from a MAC address.  It splits the MAC address in half, shoves a “FFFE” in the middle (since MACs are 48 bits long and we need 16 more bits to make 64), and toggles the 7th bit in the whole string.

  • What are you talking about?

Example time!  Your MAC is 0000.3333.1938.  First, we split the MAC in half and shove in the “FFFE” to give us 0000:03FF:FE33:1938.  Next, we toggle the 7th bit in the string to give us 0200:03FF:FE33:1938.

  • What are the two methods for dynamically assigning an IP address?

Stateful DHCP and Stateless autoconfig.

  • What’s the difference between stateful and stateless DHCP?

Stateful DHCP functions similarly to the IPv4 version, where a DHCP server gives a host an IP address, mask, etc., and keeps a record of the lease.  Stateless DHCP simply tells a host what DNS servers to use without recording the transaction.

  • How do I calculate the network and broadcast addresses in IPv6?

You don’t!  There’s no such thing as either.

  • That’s cool, but how do I address groups of addresses?

IPv6 makes use of multicasting to do that.  All multicast addresses are in the prefix FF/8, and can serve many purposes.  For example, all hosts on a subnet respond to FF02::1, and all routers respond to FF02::2.

  • Your all-knowing Network Architect wants all the IPv6 addresses of the routers to be the lowest in a prefix like you do with IPv4.  How can you assign the addresses like that?

You can statically configure the whole 128-bit address.  You can also set the MAC address to 0000.0000.0001 (or whatever) and use the static with EUI-64 method.

  • What’s the better of the two methods?

There is never a better method to use.  You have to figure out what you want to do and which method would be best suited for your situation.

  • What risks do you take with changing a MAC address?

If you change two or more routers to the same MAC address, you will have all sorts of problems from IPv6 conflicts down to CAM table flapping.  Be careful!

  • What are the different types of IPv6 address and what do they do?

Global unicast – a globally-unique address that can be used throughout the world
Unique local – a site-unique address that can be used throughout your organization (like RFC1918)
Link local – an address that is only addressable on a single segment/subnet/prefix

  • For what is the link local address used?

Every host has a link local address that is used to communicate on a link (or subnet).  This address always begins with FE80/10 and uses the EUI-64 technique to generate the full address.

  • How does an IPv6 host (like your laptop) get its default gateway?

The host sends a router solicitation (RS) ICMP message sourced from its link-local address.  Each router on the subnet then responds with a router advertisement (RA) that says it’s available for use as a gateway.

  • What must you configure on your router to allow it to respond to RS messages?

You only need to enable IPv6 and have a global unicast IPv6 address configured.

  • My ARP table is empty; why is that?

IPv6 doesn’t use ARP like IPv4 does.  Instead, IPv6 uses neighbor discovery to populate the layer3-to-layer2 mappings.  The process is similar to the router discovery, except that the hosts use neighbor solicitation (NS) and neighbor advertisement (NA) packets.

  • How does an IPv6 host detect duplicate addresses?

When a host comes up, it calculates an address called the solicited node multicast address, which is a special multicast group in the prefix FF02::1:FF00:0/104.  The last 24 bits of the address are taken off the end of an IPv6 address configured on the device to finish the address.  Each address on the device gets one, so you may have a lot of solicited node multicast addresses.  To the point, when the box is bringing up the interface(s), an NS is sent to the solicited node multicast address (which basically reaches the hosts with somewhat similar IPv6 addresses configured), and, if an NA is received with the same address that the device has configured, there’s a duplicate IP!¹

  • Why doesn’t a host just use FF00::1 to detect duplicates?

This is just an efficiency thing.  There’s no need to ask every node on the segment what address they have when you can just ask a small subset of nodes that have similar addresses.
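The EUI-64 derivation and the solicited node multicast mapping from the notes above, worked through in Python as an added example that is not part of the original notes. The MAC and the addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# FF02::1:FF00:0/104 is the solicited node multicast prefix from the notes.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
LINK_LOCAL_BASE = int(ipaddress.IPv6Address("fe80::"))


def eui64_interface_id(mac):
    """Return the 64-bit EUI-64 interface ID for a 48-bit MAC address."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {mac!r}")
    raw = bytearray.fromhex(digits)   # ValueError on non-hex input
    raw[0] ^= 0x02                    # toggle the 7th bit of the string
    # Split the MAC in half and put FFFE in the middle.
    return int.from_bytes(raw[:3] + b"\xff\xfe" + raw[3:], "big")


def link_local(mac):
    """FE80:: plus the EUI-64 interface ID."""
    return ipaddress.IPv6Address(LINK_LOCAL_BASE | eui64_interface_id(mac))


def solicited_node(addr):
    """Append the last 24 bits of addr to FF02::1:FF00:0/104."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def dad_groups(addresses):
    """Group addresses by the multicast group their DAD probe would go to."""
    groups = {}
    for addr in addresses:
        groups.setdefault(str(solicited_node(addr)), []).append(addr)
    return groups


if __name__ == "__main__":
    mac = "0011.2233.4455"            # constructed sample MAC
    ll = link_local(mac)
    print(mac, "->", ll, "->", solicited_node(ll))
    # Constructed addresses; the first two share their last 24 bits.
    sample = [str(ll), "2001:db8:101::1:2233:4455", "2001:db8:101::1"]
    for group, members in dad_groups(sample).items():
        print(group, members)
```

Only addresses that share their last 24 bits land in the same group, which is why a duplicate-address probe reaches a small subset of the segment.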

What Command Was That

What command is used to…

  • …show all the IPv6 routes on a router?

show ipv6 route

  • …show a brief summary of the IPv6 interfaces?

show ipv6 interface brief

  • …show all the multicast groups of which a router is a member?

show ipv6 interface X

  • …show all the neighbors that have been discovered?

show ipv6 neighbor

  • …show all the routers that have been discovered?

show ipv6 routers

1  Thanks to Jochen for clearing that up for me!


Written by Aaron Conaway

June 29th, 2010 at 3:30 pm

Posted in ccnp,cisco,route
