Posts Tagged ‘ipv6’

I Tried to Make a Fancy IP Calculator

Friday, February 27th, 2009

Heyhey, I have been playing around with Ajax and Javascript and I made a more fancy IP Calculator.

I have one available on this site (in the menu to the right, use it in case you don’t have javascript enabled).
If you want to try out my fancy version just go to ipv6calculator.net.

I haven’t had the chance to try the design in Internet Explorer, so if anyone can email me a screenshot or something it would be just awesome! (It is probably totally broken, because I am not a designer.)

Well, that’s that, enjoy it!

IPv4 and IPv6 Access Control Lists In Cisco IOS

Wednesday, November 5th, 2008

Do you feel like you are comfortable with writing ACLs? This will be refreshing!

I’ll get to IPv6 at the bottom of this post; it is extremely useful to understand the concept first.

What are Access Control Lists?
ACLs are simple rulesets. They can be used to filter network traffic, filter routing updates, match packets, and a lot of other things. The most common and basic usage must be to restrict network traffic to your router by applying an ACL on the vty lines.

Access control lists are identified by a number or by a text string; each number or string represents a specific access control list.

There are several “classes” of Access Control Lists. The most common ones are:

  1. IP Standard Access List
    List numbers 1-99, can only define source or destination, not source and destination.
  2. IP Extended Access List
    List numbers 100-199, can define both source and destination as well as port and protocol numbers.

Okay, I understand…. but how do I configure it?

An IP standard access control list with two entries is configured like this:

Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255

To apply this inbound on an interface, just use

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in

The alternative way to define an access list number 5 with two entries is

Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#

To apply this one inbound on a vty line (access-class only protects the lines it is applied to, here line vty 1):

Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in
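
How the router evaluates access list 5 for a given source address, as an added Python example (not part of the original post, and not Cisco code). It models the two rules IOS applies: a wildcard mask marks the "don't care" bits, and anything no entry matches hits the implicit deny. The sample source addresses are constructed.

```python
import ipaddress

# ACL 5 exactly as configured above: (action, address, wildcard mask)
ACL_5 = [
    ("permit", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255"),
]

def wildcard_match(source, base, wildcard):
    """Wildcard bit 0 = this bit must match, 1 = don't care (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(source))
    return (src & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, source):
    """Walk the entries top to bottom; the first match decides."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"  # the implicit deny that ends every access list

def check_sources(acl, sources):
    return {src: evaluate(acl, src) for src in sources}

if __name__ == "__main__":
    # Constructed sample sources, not taken from the post
    samples = ["192.168.0.10", "192.168.1.254", "192.168.2.1", "10.0.0.1"]
    for src, verdict in check_sources(ACL_5, samples).items():
        print(f"{src:<15} {verdict}")
```

Because the wildcard is a bit mask and not a prefix length, a non-contiguous value such as 0.0.2.0 is legal and matches 192.168.1.x and 192.168.3.x with a single entry.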

Nice, now I have a lot of ACLs configured in my network for all the IPv4 traffic, mon ami! But IPv6 traffic still seems to keep flowing right through, thought you said you were supposed to make sense of all this in the end?

Yeah, I know I promised that, and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need to understand basic IPv6 subnetting theory to be able to filter subnets (obviously); if anyone wants me to write an article about it, just comment about it and I will get on to it ASAP. When you learn that, you will see that IPv6 access control lists are pretty much the same as for IPv4.

Anyways, I take for granted you understand IPv6 subnetting by now, so I will just get right on to the configuration. An example of an IPv6 access list in Cisco IOS follows:

Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:201::/32 any

To verify the access-lists just look at this

Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20
Router#

To apply this IPv6 Access Control List to an interface, just do as follows

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in

Configuring IPv6 BGP Peering Sessions on Cisco IOS

Sunday, November 2nd, 2008

The future is closer than you think, are you ready?

Here is a little tutorial on configuring IPv6 BGP peering sessions on Cisco IOS.

First set the IP address on the interface. If this is a private peering session you can use a small network from your own PA block; on an exchange, this IP address should be assigned by the exchange administrators.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa 0/0
Router(config-if)#ipv6 address 3ffe:1234:1234::1/64

Then, it can be a good idea to nullroute the prefix you are going to announce. I think it is good practice because it will also effectively blackhole traffic destined to nonexistent networks. This route will be announced into BGP with the redistribute static configuration item.

Router#conf t
Router(config)#ipv6 route 3ffe:2000::/32 null 0

Now we create a prefix list that permits only this network. This is very important to avoid leaking prefixes to your peers. This prefix list is going to be applied outbound on the BGP peering.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5 permit 3FFE:2000::/32
! better safe than sorry
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5000 deny ::/0 le 128

Now we are ready to configure the BGP peering session. This is just a simple example, and most of these commands can be applied to peer groups, which makes each configuration easier.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp 65001
Router(config-router)#redistribute static
Router(config-router)#neighbor 3ffe:1234:1234::2 remote-as 65002
Router(config-router)#address-family ipv6 unicast
Router(config-router-af)#neighbor 3ffe:1234:1234::2 activate
Router(config-router-af)#neighbor 3ffe:1234:1234::2 soft-reconfiguration inbound
Router(config-router-af)#redistribute static
Router(config-router-af)#neighbor 3ffe:1234:1234::2 prefix-list announceAS65001-ipv6 out

This will redistribute the static nullroute we made earlier to the peer at 3ffe:1234:1234::2, and the peering session should be up by now.
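
What the outbound prefix list lets through, as an added Python example (not part of the original post, and not Cisco code). It models prefix-list matching as: no ge/le means an exact prefix-length match, le N means any length from the entry's own length up to N, first matching sequence number wins, and an implicit deny follows the last entry. The candidate routes other than 3ffe:2000::/32 are constructed.

```python
import ipaddress

# (seq, action, prefix, ge, le) as configured above
PREFIX_LIST = [
    (5, "permit", "3FFE:2000::/32", None, None),
    (5000, "deny", "::/0", None, 128),
]

def entry_matches(route, prefix, ge, le):
    """True if the route falls inside the prefix and its length is in range."""
    if not route.subnet_of(prefix):
        return False
    if ge is None and le is None:
        return route.prefixlen == prefix.prefixlen  # exact match only
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route_text):
    """Return (action, seq) of the first matching entry in sequence order."""
    route = ipaddress.ip_network(route_text)
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, ipaddress.ip_network(prefix), ge, le):
            return action, seq
    return "deny", None  # implicit deny at the end of every prefix list

def filter_outbound(prefix_list, candidates):
    return [r for r in candidates if evaluate(prefix_list, r)[0] == "permit"]

if __name__ == "__main__":
    # Constructed candidates: the aggregate, a more-specific of it,
    # an unrelated static route, and a default route.
    candidates = ["3ffe:2000::/32", "3ffe:2000:1::/48", "2001:db8::/32", "::/0"]
    for route in candidates:
        print(f"{route:<20} {evaluate(PREFIX_LIST, route)}")
    print("announced:", filter_outbound(PREFIX_LIST, candidates))
```

Only the exact /32 is announced; a more-specific /48 from the same block is dropped because seq 5 has no le, which is what keeps redistribute static from leaking other static routes to the peer.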

I can verify it on the other end:

Router2#sh ip bgp ipv6 unicast
BGP table version is 8, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3FFE:2000::/32   3FFE:1234:1234::1
                                             0             0 65001 ?

As you can see, the network 3ffe:2000::/32 is now announced on this peering session, and the route is sourced from AS65001. You can also see this in the summary:

Router2#sh ip bgp ipv6 unicast summary
BGP router identifier 10.0.0.1, local AS number 65002
BGP table version is 8, main routing table version 8
1 network entries using 152 bytes of memory
1 path entries using 76 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 500 total bytes of memory
BGP activity 2/1 prefixes, 4/3 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3FFE:1234:1234::1
                4 65001      26      23        8    0    0 00:05:54        1

You can also see the prefixes announced to a peer or received from a peer. (Viewing received routes requires soft reconfiguration inbound on the peering session, that is, neighbor 3ffe:1234:1234::2 soft-reconfiguration inbound in the configuration.)

Router2#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::1 received-routes
BGP table version is 8, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3FFE:2000::/32   3FFE:1234:1234::1
                                             0             0 65001 ?

Total number of prefixes 1

The prefix 3ffe:2000::/32 is received from 3ffe:1234:1234::1.

Router#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::2 advertised-routes
BGP table version is 3, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3FFE:2000::/32   ::                       0         32768 ?

Total number of prefixes 1

Voila, a better understanding and some real life examples of IPv6 BGP peering in Cisco IOS.

Understanding and Configuring IPv6 Routing on a Cisco Router

Saturday, September 27th, 2008

You do have a backup plan for IP addressing, now that we are running out of IPv4 space, right?

IPv6 isn’t something awfully new, but some of the ideas can be hard to grasp.
To understand IPv6 routing, I had to learn how to do subnetting of IPv6 address space.

Subnetting basics
To understand IPv6 subnetting, I took it from what I had learned about the basics of subnetting IPv4 addresses.

IPv4: The address 192.168.0.1 is just a 32-bit number, split into 4 ‘octets’, which are groupings of 8 bits (256 combinations, 0 – 255); the octets are separated by a dot ‘.’.
The network mask represents the subnet size, because the network mask ultimately decides who you can talk to (for example, 255.255.255.0 means that all bits in the last octet can be freely manipulated, and a subnet mask of 255.255.0.0 means you can change the last two octets to your heart’s content).

IPv6 addresses and subnetting
This is basically just the same as for IPv4, except the address is now 128 bits compared to 32.
This makes room for 2^128 addresses while IP version 4 was limited to 2^32.
Just a little calculation, for the fun of it:

(2^128)-(2^32) = 340282366920938463463374607427473244160

This is how many MORE addresses the IP version 6 will give us.

In IPv6, the four octets we all know from IPv4 are replaced by 8 groupings of 16 bits, and instead of being written in decimal format, they are written in hex.
So a valid IPv6 address could be 3ffe:1000:0000:0000:0000:0000:0000:0001/126.
How does this work?
/126 indicates that 2 bits are left over from the mask for host addressing, which gives four host addresses.

One thing you should notice is that while it can feel natural, it will not work to use addresses such as ::9, ::10, ::11, and ::12 for the same subnet.

The key here is hex, which uses the digits 0 – 9 and a – f, so you count 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e and f.

To be certain, use the Online IPv4 and IPv6 calculator, it will calculate the subnets for you.
Just enter an IPv6 or IPv4 address with the corresponding CIDR (for example /24) and it will return the network range.
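
The hex pitfall above worked through with Python's standard ipaddress module, as an added example (not part of the original post and not the calculator's code). It lists the four addresses of a /126 and shows which /126 each of ::9, ::10, ::11 and ::12 really lands in; the 3ffe:1000:: prefix is reused from the text.

```python
import ipaddress
from collections import defaultdict

def subnet_members(cidr):
    """Every address in the subnet that contains the given address/prefix."""
    network = ipaddress.ip_interface(cidr).network
    return [str(address) for address in network]

def group_by_subnet(addresses, prefixlen):
    """Map each subnet of the given length to the addresses that fall in it."""
    groups = defaultdict(list)
    for text in addresses:
        network = ipaddress.ip_interface(f"{text}/{prefixlen}").network
        groups[str(network)].append(text)
    return dict(groups)

if __name__ == "__main__":
    # The /126 from the text holds exactly four addresses
    print(subnet_members("3ffe:1000::1/126"))

    # After ::9 comes ::a, not ::10 (hex 10 is decimal 16)
    print(subnet_members("3ffe:1000::9/126"))

    # The "natural looking" decimal sequence is split across two subnets
    picked = ["3ffe:1000::9", "3ffe:1000::10", "3ffe:1000::11", "3ffe:1000::12"]
    for network, members in group_by_subnet(picked, 126).items():
        print(network, members)
```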

Enable forwarding of IPv6 Unicast Packets in Cisco IOS

Router(config)# ipv6 unicast-routing

Configure a static IPv6 default gateway/route

Router(config)# ipv6 route ::/0 3ffe:1::1

This would configure a default route to 3ffe:1::1.

Configuring an IPv6 address on an interface

Router(config-if)# ipv6 address 3ffe:1::1/64

Verifying configuration
Verify IPv6 Routing Table

Router# show ipv6 route

Pinging over IPv6 from Cisco IOS

Router# ping ipv6

Also check out these featured articles
Configuring IPv6 OSPF Routing In Cisco IOS

Get Support for IPv6 Routing on the 3750 Platform

Route overlaps, it’s dangerous!

Sunday, September 14th, 2008

Just wanted to tell you that I added a new page; it’s an IP subnet calculator tool.

It works with IPv4 and IPv6 addresses, just remember to add the network length at the end (for example /24 for 255.255.255.0).

The danger with dynamic routing is the possibility of route overlaps. By this I mean having the same subnet defined on two routers that both announce it in a dynamic routing protocol such as OSPF.

Let us say you have configured a customer as 10.0.0.48/28 and he uses 10.0.0.49 and 10.0.0.50.

Then you get a new customer and configure, for example, a new subnet 10.0.0.48/30, which is a more specific route (CIDR wise).

You might end up effectively blackholing the old customer’s traffic; this is something one should consider.

Use my IP subnet calculator tool to be sure not to overlap networks!
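
The customer scenario above as an added Python example (not part of the original post and not the calculator's code): it flags overlapping prefixes before they are configured and uses longest-prefix match to show which of the old customer's addresses the new /30 takes over. The owner labels and the extra address 10.0.0.60 are constructed.

```python
import ipaddress

# Constructed route table for the scenario in the text: (prefix, owner)
ROUTES = [
    ("10.0.0.48/28", "old-customer"),
    ("10.0.0.48/30", "new-customer"),
]

def find_overlaps(routes):
    """Return every pair of prefixes with different owners that overlap."""
    nets = [(ipaddress.ip_network(prefix), owner) for prefix, owner in routes]
    overlaps = []
    for i, (a, owner_a) in enumerate(nets):
        for b, owner_b in nets[i + 1:]:
            if owner_a != owner_b and a.overlaps(b):
                overlaps.append((str(a), owner_a, str(b), owner_b))
    return overlaps

def longest_prefix_match(routes, address):
    """Pick the owner of the most specific prefix containing the address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, owner in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None

def stolen_addresses(routes, owner, in_use):
    """Addresses the owner uses that now route to somebody else."""
    return [a for a in in_use if longest_prefix_match(routes, a) != owner]

if __name__ == "__main__":
    print(find_overlaps(ROUTES))
    # 10.0.0.49 and 10.0.0.50 are from the text; 10.0.0.60 is constructed
    in_use = ["10.0.0.49", "10.0.0.50", "10.0.0.60"]
    print(stolen_addresses(ROUTES, "old-customer", in_use))
```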

Configuring IPv6 OSPF routing in Cisco IOS

Wednesday, September 10th, 2008

Hi guys! It’s time for me to write about configuration of OSPF IPv6 routing in Cisco IOS.
I will use example addresses from my workplace for this tutorial.
This is really simple. First, configure the IPv6 addresses on the interfaces.

Router1
Router1(config)# interface fastethernet 0/0
Router1(config-if)#ipv6 address 2001:1ad8::1/126

Router2
Router2(config)#int fa 0/0
Router2(config-if)#ipv6 address 2001:1ad8::2/126

Verify the IPv6 connectivity with ping:
Router2#ping ipv6 2001:1ad8::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1AD8::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms

Set a nullroute to redistribute to IPv6 OSPF, and configure IPv6 OSPF routing on Router1:
Router1(config)#ipv6 route 2001:1ad8:500::/64 null 0
Router1(config)# interface fa 0/0
Router1(config-if)#ipv6 ospf 1 area 0
Router1(config-if)#ipv6 router ospf 1
Router1(config-rtr)#redistribute static

Do the same thing on Router2, except for the static route and redistribution.
Router2(config)#int fastethernet 0/0
Router2(config-if)#ipv6 ospf 1 area 0

Now verify the IPv6 OSPF router neighborship
Router2#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1        1   FULL/BDR        00:00:31    4               FastEthernet0/0

Check for the route
Router2#sh ipv6 route ospf  | include ^O
OE2  2001:1AD8:500::/64 [110/20]

As always, seems like you are afraid of the comment box, I know you’re there, now speak! 😉

Working with SDM templates on Cisco 3750 or 3560

Friday, September 5th, 2008

Sometimes we want different functionality from our layer 3 switches: someone may want a lot of VLANs, someone wants the switch to be able to hold lots of routes, and someone wants to do IPv6 routing.

Luckily, Cisco has thought about this. You are able to use different SDM templates to change how the memory is used.

To change the SDM template on the 3750, just use the following command:
switch(config)# sdm prefer (default|routing|vlan)
Here is a link to the specs: Table

On the 3560 you can also choose from access and dual-ipv4-and-ipv6.
Link to specs here: Table

What you want to choose depends on what you want to do. Now you know that the choice exists!