
HardCore IPv6 Routing - No Fear

BRKCRT-2000

Donnie Moss, Global Solutions Architect


CCIE#14074

Agenda
Introduction
IPv6 Basics
IPv6 Addressing Best Practices

IPv6 Network Side


IPv6 Routing Protocol Configuration
What Next?
Conclusion

BRKCRT-2000

2014 Cisco and/or its affiliates. All rights reserved.

Cisco Public

IPv6 Certification Agenda


CCNA
Describe the technological requirements for running IPv6 in conjunction with
IPv4 (including: protocols, dual stack, tunneling, etc.).
Describe IPv6 addresses


IPv6 Certification Agenda


CCNP
Implement an IPv6 based solution, given a network design and a set of requirements

Determine network resources needed for implementing IPv6 on a network


Create an IPv6 implementation plan
Create an IPv6 verification plan
Configure IPv6 routing
Configure IPv6 interoperation with IPv4
Verify IPv6 solution was implemented properly using show and debug commands
Document verification results for an IPv6 implementation plan

Implement an IPv4 or IPv6 based redistribution solution

Create a redistribution implementation plan based upon the results from a redistribution analysis
Create a redistribution verification plan
Configure a redistribution solution
Verify that a redistribution was implemented
Document results of a redistribution implementation and verification plan
Identify the differences between implementing an IPv4 and IPv6 redistribution solution


IPv6 Certification Agenda


CCIE
Implement IPv6
Implement IP version 6 (IPv6) addressing and different addressing types
Implement IPv6 neighbor discovery
Implement basic IPv6 functionality protocols
Implement tunneling techniques
Implement OSPF version 3 (OSPFv3)
Implement EIGRP version 6 (EIGRPv6)
Implement filtering and route redistribution
Implement IPv6 multicast, PIM, and related multicast protocols, such as
Multicast Listener Discovery (MLD)

IPv6 Basics

Short History Of IP

1990  Prediction of the exhaustion of IPv4 Class B by 1994.
1991  ROAD group formed to address routing.
1992  Prediction of the exhaustion of IPv4 addresses by 2005-2011.
1993  IPng proposals solicitation (RFC 1550).
1994  CATNIP, SIPP, TUBA analyzed. SIPP+ chosen. IPng WG started.
1995  First specification: RFC 1883.
1996  6bone started.
1997  First attempt for provider-based address format.
1998  First IPv6 exchange: 6tap.
1999  Registries assign IPv6 prefixes. IPv6 Forum formed.
2000  Major vendors bundle IPv6 in their mainstream product line.

What is an IPv6 address?

IPv6 addresses are 128 bits (IPv4 was 32)
Each address is broken into 16 octets
Each pair of octets is called a group
Address numbers are hex
Valid characters are 0-9 and A-F
Lower case is used to avoid confusion
Addresses are 4 hex characters per group
Each group is separated by a :
Example: abf1:dc71:0000:0000:0000:8375:7887:1109:0510

IPv6 Addresses
IPv6 addresses are 128 bits long
8 groups of four hex characters
Separated by a colon (:)
50% for networks, 50% for interfaces (to support future EUI-64 MAC functionality)

Global Unicast Identifier Example

Network portion (bits 1-64)                                    Interface ID (bits 65-128)
  Global Routing Prefix (48 bits; first 3 bits fixed)   Subnet ID (16 bits)   Host (64 bits)
  nnnn:nnnn:nnnn:                                        ssss:                 xxxx:xxxx:xxxx:xxxx
  2400:0000:134A:                                        00A1:                 0000:0000:0000:8A21

Abbreviated format: 2400:0:134A:A1::8A21

What is an IPv6 address?

When noting an IPv6 address with a port number, [square brackets] go around the address
Example: [d3f1:0071:0000:0000:0000:8375:7887:1109:0510]:80

Those are long addresses, right?

To shorten an address, the longest run of all-zero groups can be shortened to ::
That reduces our example to: d3f1:0071::8375:7887:1109:0510/128
To shorten more, leading zeros in each group can be omitted
That reduces our example to: d3f1:0071::8375:7887:1109:510/128
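The two abbreviation rules above (longest run of zero groups to ::, then drop leading zeros per group) plus the [address]:port form, as an added Python example that is not part of the original deck; the standard ipaddress module appears only as an independent cross-check. It rejects anything other than eight 16-bit groups, so the nine-group example addresses on these two slides do not parse.

```python
"""Expand / abbreviate IPv6 addresses by the rules on the slide and split the
[address]:port notation. Hand-rolled on purpose; ipaddress is only a cross-check."""
import re
from ipaddress import IPv6Address


def parse_groups(text: str) -> list:
    """Return the eight 16-bit groups of a full or '::'-abbreviated address.
    Raises ValueError unless the text describes exactly 128 bits."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        parts = left + ["0"] * missing + right
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 groups, found {len(parts)}")
    if not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", p) for p in parts):
        raise ValueError(f"group is not 1-4 hex digits: {text!r}")
    return [int(p, 16) for p in parts]


def is_valid(text: str) -> bool:
    try:
        parse_groups(text)
        return True
    except ValueError:
        return False


def expand(text: str) -> str:
    """Full form: eight groups of four lower-case hex digits."""
    return ":".join(f"{g:04x}" for g in parse_groups(text))


def compress(text: str) -> str:
    """Rule 1: the longest run of all-zero groups (first one on a tie, and only
    if it is two or more groups long) becomes '::'.  Rule 2: leading zeros go."""
    groups = parse_groups(text)
    best_start = best_len = run_len = 0
    run_start = 0
    for i, g in enumerate(groups + [None]):  # sentinel closes a trailing run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def split_host_port(text: str):
    """'[addr]:port' -> (addr, port). A bare address carries no port: a trailing
    ':80' on an unbracketed address would be read as another hex group."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", text)
    if m:
        return m.group(1), (int(m.group(2)) if m.group(2) else None)
    return text, None


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check: Python's RFC 5952 formatter must produce the same string."""
    return str(IPv6Address(expand(text))) == compress(text)
```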


Are all addresses created equal?


Types of IPv6 Address
Unicast
One to one communication
Ex: Client to Server

Multicast
One to many (assigned grouping)
Example: Video Server to a group of clients

Anycast
One to many (assigned grouping)
Could be used to find nearest service

NO BROADCAST IN IPv6


Special IPv6 Addresses

Default route
  IPv4: 0.0.0.0/0
  IPv6: ::/0

Loopback address
  IPv4: 127.0.0.1
  IPv6: ::1/128

Address type          Binary prefix        IPv6 notation
Unspecified (SRC)     00...0 (128 bits)    ::/128
Loopback              00...1 (128 bits)    ::1/128
Multicast             1111 1111            FF00::/8
Link-local unicast    1111 1110 10         FE80::/10
Unique local unicast  1111 110             FC00::/7
Global unicast        Everything else      Currently allocated space is 2000::/3

Multiple Addresses Per Interface


An IPv6 host interface requires the following IPv6 addresses for proper
operation:
A link-local address
Loopback address
All-nodes multicast address
Any additional Global and or ULA unicast and anycast addresses (configured
automatically or manually)
One Solicited-node multicast address for each of its unicast and anycast
addresses
Multicast addresses of any other groups to which the host belongs

IPv6 Privacy Extensions (RFC 3041/4941)

Address layout: 2400 (/12) : 0xxx (/32) : xxxx (/48) : ssss (/64) : Interface ID

IEEE 24-bit OUI can be used to identify hardware
http://standards.ieee.org/regauth/oui/oui.txt
Temporary addresses for IPv6 host client applications, e.g. web browser
Inhibit device/user tracking
Random 64-bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy (recommended is 1 day; default min is 7 days)
Now on by default in Win 7/8 and supported in OS X 10.8 Mountain Lion

Recommendation: Use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)

Address Allocation
ISPs are being allocated /32s
Customers are being allocated /48s
Same as a /16 in v4 terms
Residential customers are being assigned a /56
256 networks per home

Allocated Real World Usage

2^128 addresses total
2000::/3 is actually allocated
That means 2^125 addresses for Global Unicast Addressing
All networks are at least /64s per standard
125 - 64 = 61. So 2^61 possible networks in the currently allocated global space.
2^61 = 2,305,843,009,213,693,952 or 2.3 QUINTILLION networks.
/48 is the typical allocation to an enterprise customer (-3 for set bits)
2^45 = 35,184,372,088,832 or 35 TRILLION enterprises
In comparison, the current IPv4 BGP table is ONLY 400,000 routes and people complain!

PA and PI Allocation Process

Provider Assigned (PA):
  IANA 2000::/3 -> Registries /12 -> ISP /32 -> Org /48

Provider Independent (PI):
  IANA 2000::/3 -> Registries /12 -> Level Four Enterprise /48

IPv6 Aggregation

APNIC region of the IPv6 Internet: 2400::/12
  ASEAN ISP: 2401:04A0::/32 (only announces the /32 prefix)
    Customer A: 2401:04A0:0001::/48
    Customer B: 2401:04A0:0002::/48

Larger address space enables:
Aggregation of prefixes announced in the global routing table
Efficient and scalable routing. In theory! (In 1995 theory!)

IPv6 Multihoming


LIR Allocation Strategies (ISPs)

Your LIR (ISP) is assigned 2401:04FF::/32
We wish to allocate /48s out of the /32.
Which are available: 2401:E4FF:0000 through 2401:E4FF:ffff

Recall that the bit structure is:
0010 0100 0000 0001 : 1110 0100 1111 1111 : | 0000 0000 0000 0000
0010 0100 0000 0001 : 1110 0100 1111 1111 : | 1111 1111 1111 1111

So there are 65,535 /48s in a /32

Same thought process as IPv4 subnetting!

Sub Allocation Strategies (ISPs)

Some ISPs want to allocate smaller blocks to residential and/or SMEs
We wish to allocate /56s out of some /48s.
What could this look like?
2401:E4FF:1xxx to 1fff for residential customers
Sums to 2401:E4FF:1000/36 for router advertisement

Recall that the bit structure is:
0010 0100 0000 0001 : 1110 0100 1111 1111 : | 0001 0000 0000 0000
0010 0100 0000 0001 : 1110 0100 1111 1111 : | 0001 1111 1111 1111

i.e. there are 65,535 /48s in a /32 and 256 /56s in a single /48

You can sub-allocate some /48s as /56s for residential use and some full /48s for corporate customer use

If you only wanted to support residential customers there are approx. 16.7 million /56s in an entire /32 LIR allocation (24 bits)

Enterprise Allocation Strategy

Suppose you wish to give out /52s from the /48 for regions (a /52 holds 4096 /64 subnets):
  2401:04A8:0000 : 0|000 : 0000 0000   or 2401:04A8::/52
  2401:04A8:0000 : F|fff : 0000 0000   or 2401:04A8:1f00::/52
  (/32 ends after the second group, /48 after the third, /52 after the first nibble of the fourth)

Then you wish to divide out /56s from the /52 for departments (a /56 holds 256 /64 subnets):
  2401:04A8:0000 : 00|00 : 0000 0000   or 2401:04A8::/56
  2401:04A8:0000 : FF|ff : 0000 0000   or 2401:04A8:1f00::/56
  (/32 ends after the second group, /48 after the third, /56 after the first byte of the fourth)

8 bits for local subnets per department gives 256 networks per department of a nearly unlimited number of hosts (64 bits for hosts!)

Subnets longer than /64

/126 or /127 for P2P links
2401:0468:1FE::1/126 & 2401:0468:1FE::2/126
2401:0468:1FE::149/127

2401:0468:1FE:1921:6801:5201::/96 for NAT64 mapping (example)

Address Types Summary (review)

Address type          Binary prefix        IPv6 notation
Unspecified           00...0 (128 bits)    ::/128
Loopback              00...1 (128 bits)    ::1/128
Multicast             1111 1111            FF00::/8
Link-local unicast    1111 1110 10         FE80::/10
Unique local unicast  1111 110             FC00::/7
Global unicast        Everything else      Currently allocated space is 2000::/3

Required Router Addresses


An IPv6 router interface is required to identify the following IPv6 addresses
for proper operation:
All valid host addresses
All-Routers multicast addresses
Subnet-router anycast addresses for all interfaces for which it is configured to act as
a router (prefix:: ; interface id=0)
Other unicast or anycast configured addresses
All other Anycast addresses with which the router has been configured.
All-Routers Multicast Addresses
Multicast Addresses of all other groups to which the router belongs.


IPv6 Addresses Examples

CR-6500-1>sh ipv6 int vlan 200
Vlan200 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000      <- Link-Local
  Description: --- To Core ---
  Global unicast address(es):
    2001:DB8:12::1, subnet is 2001:DB8:12::/64                         <- Global
  Joined group address(es):
    FF02::1            All nodes
    FF02::2            All routers
    FF02::5            OSPF routers
    FF02::D            All PIM routers
    FF02::16           All MLDv2-capable routers
    FF02::1:FF00:1     Solicited-node multicast (for the global address)
    FF02::1:FF81:9000  Solicited-node multicast (for the link-local address)

IPv6 Interface Identifier

CR-IT-SW3#sh int gi 1/0/3 | in bia
GigabitEthernet1/0/3 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de)
CR-IT-SW3#
CR-IT-SW3#sh run int gi 1/0/3
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 10.149.24.1 255.255.255.0
 ipv6 address 2001:DB8:24::/64 eui-64
!

CR-IT-SW3#sh ipv6 interface gi 1/0/3
GigabitEthernet1/0/3 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20C:3aFF:FE3E:82DE [TEN]
  Global unicast address(es):
    2001:DB8:24:0:20C:3aFF:FE3E:82DE, subnet is 2001:DB8:24::/64 [EUI/TEN]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF3E:82DE
CR-IT-SW3#

Multicast Assigned Addresses

FF0x:: is reserved (x = 0..F).
Inside this range, the following are assigned:

Address            Meaning           Scope
FF02::1            All nodes         Link-local
FF02::2            All routers       Link-local
FF02::9            All RIP routers   Link-local
FF02::1:FFXX:XXXX  Solicited-node    Link-local
FF05::101          All NTP servers   Site-local
FF05::1:3          All DHCP servers  Site-local

IPv6 Multicast MAC Address Conversion

IPv6 multicast address:          FF02 0000 0000 0000 0000 0001 0BAD BEEF
Corresponding Ethernet address:  33 33 0B AD BE EF
(33:33 is the multicast prefix for Ethernet)

IPv6 multicast address to MAC address:
33:33:(least significant 32 bits from IPv6)
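Added example (not code from the deck): starting from the MAC 000c.3a3e.82de in the CR-IT-SW3 output two slides back, derive the modified EUI-64 interface ID, the link-local and global addresses, the solicited-node group they both join, and the 33:33 Ethernet address of a group such as FF02::1:BAD:BEEF above; it uses the standard ipaddress module.

```python
"""From a MAC to the addresses IOS shows for 'ipv6 address <pfx>/64 eui-64':
modified EUI-64 interface ID, link-local and global addresses, the solicited-node
group they join, and the Ethernet address a multicast group maps to."""
import re
from ipaddress import IPv6Address, IPv6Network


def mac_bytes(mac: str) -> bytes:
    """Accept Cisco 000c.3a3e.82de, 00:0c:3a:3e:82:de or 00-0c-3a-3e-82-de."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 App. A: split the MAC in half, insert FF:FE, and invert the
    universal/local bit (0x02 of the first octet), so 00:0c:... becomes 02:0c:..."""
    m = mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def eui64_address(prefix: str, mac: str) -> IPv6Address:
    """Prefix (must be a /64; fe80::/64 gives the link-local) + EUI-64 interface ID."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node(addr: str) -> IPv6Address:
    """RFC 4291 section 2.7.1: ff02::1:ffXX:XXXX with the low 24 bits of the
    unicast address.  Link-local and global EUI-64 addresses share one group."""
    low24 = IPv6Address(addr).packed[-3:]
    return IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(group: str) -> str:
    """RFC 2464 section 7: Ethernet destination 33:33 + low 32 bits of the group."""
    packed = IPv6Address(group).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in packed[-4:])


def interface_summary(prefix: str, mac: str) -> dict:
    """What 'show ipv6 interface' lists for an EUI-64 configured port."""
    ll = eui64_address("fe80::/64", mac)
    gl = eui64_address(prefix, mac)
    groups = {"ff02::1", "ff02::2", str(solicited_node(str(ll))),
              str(solicited_node(str(gl)))}
    return {"link_local": str(ll), "global": str(gl),
            "solicited_node": str(solicited_node(str(gl))),
            "groups": sorted(groups)}
```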

Subnetting Techniques
Similar to IPv4 Subnetting
Make address meaningful!
Base Address on Location
Type of Service
User community

Now we are working with 128 bits instead of 32


We are also using HEX not BINARY!


Subnetting Example
We are assigned 2011:0524:0000:0000::/48
Goal: Divide this into eight subnets.
Solution: use bits 49, 50, and 51 as the subnet bits
(the first three bits of the first character in the fourth group)

2011:0524:0000:0000::/48

Subnet binary  Group binary  Hex
000            0000          0
001            0010          2
010            0100          4
011            0110          6
100            1000          8
101            1010          A
110            1100          C
111            1110          E

Address Break Down

Subnet
2011:0524:0000:0000::/48
2011:0524:0000:2000::/48
2011:0524:0000:4000::/48
2011:0524:0000:6000::/48
2011:0524:0000:8000::/48
2011:0524:0000:A000::/48
2011:0524:0000:C000::/48
2011:0524:0000:E000::/48
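The eight-way split above, and the /32 -> /48, /48 -> /52 and /52 -> /56 carving from the LIR and enterprise allocation slides, as an added Python example (not from the deck) built on the standard ipaddress module. Each of the eight children of a /48 cut at bit 51 is a /51 network, which is how the code labels them.

```python
"""Carve IPv6 blocks at the bit boundaries the slides use (/32 LIR, /48 site,
/52 region, /56 department, /64 subnet) with the standard ipaddress module."""
from ipaddress import IPv6Address, IPv6Network


def subnet_count(parent_len: int, child_len: int) -> int:
    """How many /child_len networks fit in one /parent_len block."""
    if not 0 <= parent_len <= child_len <= 128:
        raise ValueError("need 0 <= parent_len <= child_len <= 128")
    return 1 << (child_len - parent_len)


def subnet_bits(parent_len: int, child_len: int) -> range:
    """1-based bit positions, counted from the left, that select the child:
    splitting a /48 into /51s uses bits 49, 50 and 51."""
    return range(parent_len + 1, child_len + 1)


def carve(parent: str, child_len: int, limit: int = 256) -> list:
    """Children of `parent` in address order, at most `limit` of them: a /32
    holds 65,536 /48s and 16.7 million /56s, so full enumeration is rarely wanted."""
    net = IPv6Network(parent)
    if child_len == net.prefixlen:
        return [str(net)]
    out = []
    for child in net.subnets(new_prefix=child_len):
        out.append(str(child))
        if len(out) >= limit:
            break
    return out


def subnet_index(address: str, parent: str, child_len: int) -> int:
    """0-based index of the /child_len inside `parent` that holds `address`,
    e.g. which department /56 a host sits in."""
    net = IPv6Network(parent)
    addr = IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{address} is outside {parent}")
    return (int(addr) >> (128 - child_len)) & (subnet_count(net.prefixlen, child_len) - 1)


def address_plan(site: str) -> dict:
    """The enterprise slide's hierarchy for one site /48: 16 region /52s, each
    with 16 department /56s, each with 256 /64 subnets."""
    return {"regions": carve(site, 52),
            "departments_per_region": subnet_count(52, 56),
            "subnets_per_department": subnet_count(56, 64),
            "subnets_per_site": subnet_count(48, 64)}
```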


Host Focused IPv6

ICMPv6
Required for IPv6 to work properly - MUST NOT BE FILTERED!!!!
Completely changed; note the new header type
Now includes IGMP
Types organized as follows: 0-127 error messaging and 128-255 informational messaging
1-4      Error messages
128-129  Ping
130-132  Group membership
133-137  Neighbor discovery

ICMPv6 (Type Codes)

Type  Description
1     Destination Unreachable
2     Packet Too Big
3     Time Exceeded
4     Parameter Problem
128   Echo Request
129   Echo Reply
130   Group Membership Query
131   Group Membership Report
132   Group Membership Reduction
133   Router Solicitation
134   Router Advertisement
135   Neighbor Solicitation
136   Neighbor Advertisement
137   Redirect

Neighbor Discovery & ICMPv6


Neighbor Discovery Types that use ICMPv6
DAD
Router Discovery
Neighbor Discovery

NUD
Redirects
Address Resolution (equivalent to ARP)


Neighbor Discovery & ICMPv6 (cont.)

IPv4 uses ARP to resolve local addresses
Relies on broadcasts
IPv6 does not have the concept of broadcasts
Still need a method to resolve local addresses
Use solicited-node multicast instead
IPv6 uses the following ICMPv6 message types:
Neighbor solicitation
Neighbor advertisement
Router solicitation
Router advertisement

Autoconfiguration
IPv6 hosts can configure their own addresses automatically
Similar in function to IPv4 DHCP
Two methods:
Stateless autoconfiguration
Stateful autoconfiguration

Common ICMPv6 messages to both:


Router advertisements
Router solicitations


Router Advertisement
Used to configure hosts
Periodically sent to the all-nodes multicast group
Also sent in response to a router solicitation message
Options can contain:
Layer 2 address of the advertising router
On-link prefixes and lifetimes
MTU

Message format (32 bits per row):
Type=134 | Code | Checksum
Hop Limit | M | O | RSV | Router lifetime
Reachable Time
Retransmit Timer
Options

Router Solicitation
Sent by hosts to locate on-link routers
Usually sent to the all-routers multicast group
Source address can be:
Unspecified
Local address

Router solicitation message consists of five fields (32 bits per row):
Type=133 | Code | Checksum
Reserved
Options

Stateless Autoconfiguration (no router on the link)

Host 1:
Build link-local address
Join all-nodes multicast group
Join solicited-node multicast group
Send NS (Duplicate Address Detection); no reply: "My address is unique!"
Send RS
No routers! Try stateful configuration, or stay link-local only

Stateless Autoconfiguration (router present)

Host: build link-local address, join all-nodes multicast group, join solicited-node multicast group
Host: send NS; no reply: "My address is unique!"
Host: send RS
Router: send RA
Host: build on-link addresses

Stateful Autoconfiguration (1 of 2)

Host: build link-local address, join all-nodes multicast group, join solicited-node multicast group
Host: send own NS; no reply: "My address is unique!"
Host: send RS
Router: send RA (M bit = 0, O bit = 1)
Host: build on-link addresses

Stateful Autoconfiguration (2 of 2)

Host: send DHCP request to FF05::1:3 (All DHCP Servers)
Server: send DHCP reply (unicast)
Host: read options and configure parameters
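An encoder/decoder for the RA format shown a few slides back and for the M/O flags the stateful flow above relies on, written here as an added Python example rather than taken from the deck. The Prefix Information option carries the valid and preferred lifetimes that the later "ipv6 nd prefix ... 43200 43200" commands set; the checksum is left at zero because it needs an IPv6 pseudo-header this example does not build.

```python
"""ICMPv6 Router Advertisement (type 134, RFC 4861 section 4.2) encoder/decoder
with the three option kinds the slide lists: source link-layer address (1),
prefix information (3) and MTU (5).  Checksum stays 0: it covers an IPv6
pseudo-header that this example does not construct."""
import struct
from ipaddress import IPv6Address

RA_TYPE, M_FLAG, O_FLAG = 134, 0x80, 0x40
OPT_SRC_LLADDR, OPT_PREFIX, OPT_MTU = 1, 3, 5
PFX_ONLINK, PFX_AUTONOMOUS = 0x80, 0x40
_HDR = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def lladdr_option(mac: bytes) -> bytes:
    return struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac          # 8 bytes


def prefix_option(prefix: str, plen: int, valid: int, preferred: int,
                  onlink: bool = True, autonomous: bool = True) -> bytes:
    """What 'ipv6 nd prefix <prefix>/<plen> <valid> <preferred>' puts on the wire."""
    flags = (PFX_ONLINK if onlink else 0) | (PFX_AUTONOMOUS if autonomous else 0)
    head = struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, flags, valid, preferred, 0)
    return head + IPv6Address(prefix).packed                     # 32 bytes


def mtu_option(mtu: int) -> bytes:
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)               # 8 bytes


def build_ra(hop_limit: int, managed: bool, other: bool, router_lifetime: int,
             reachable_ms: int, retrans_ms: int, options: bytes = b"") -> bytes:
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    return struct.pack(_HDR, RA_TYPE, 0, 0, hop_limit, flags,
                       router_lifetime, reachable_ms, retrans_ms) + options


def parse_ra(pkt: bytes) -> dict:
    """Decode the 16-byte fixed part, then walk the TLV options.  Unknown types
    are skipped by length; a zero length is a must-drop error (RFC 4861 4.6)."""
    if len(pkt) < 16:
        raise ValueError("RA fixed header is 16 bytes")
    typ, code, _csum, hop, flags, life, reach, retrans = struct.unpack(_HDR, pkt[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & M_FLAG), "other": bool(flags & O_FLAG),
          "router_lifetime": life, "reachable_ms": reach, "retrans_ms": retrans,
          "prefixes": [], "mtu": None, "src_lladdr": None}
    pos = 16
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] == 0:
            raise ValueError("malformed option header")
        otype, end = pkt[pos], pos + pkt[pos + 1] * 8
        if end > len(pkt):
            raise ValueError("option runs past the end of the packet")
        body = pkt[pos + 2:end]
        if otype == OPT_PREFIX and len(body) == 30:
            plen, pflags, valid, pref, _ = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({"prefix": f"{IPv6Address(body[14:30])}/{plen}",
                                   "onlink": bool(pflags & PFX_ONLINK),
                                   "autonomous": bool(pflags & PFX_AUTONOMOUS),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_SRC_LLADDR and len(body) == 6:
            ra["src_lladdr"] = body.hex(":")
        elif otype == OPT_MTU and len(body) == 6:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        pos = end
    return ra


def host_action(ra: dict) -> list:
    """How a host reads the flags (RFC 4861 6.3.4) and lifetimes (RFC 4862 5.5):
    M=1 -> DHCPv6 for addresses; M=0,O=1 -> SLAAC plus DHCPv6 for other
    parameters (the case on the slide); router lifetime 0 -> not a default router."""
    acts = ["not a default router (lifetime 0)" if ra["router_lifetime"] == 0
            else f"default router for {ra['router_lifetime']}s"]
    acts.append("DHCPv6 for addresses" if ra["managed"] else "SLAAC for addresses")
    if not ra["managed"] and ra["other"]:
        acts.append("DHCPv6 for other parameters")
    for p in ra["prefixes"]:
        if p["autonomous"]:
            state = "deprecated" if p["preferred"] == 0 else "preferred"
            acts.append(f"autoconfigure in {p['prefix']} ({state}, valid {p['valid']}s)")
    return acts
```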


Windows 7
Windows 7: Microsoft rebuilt the IPv6 stack for this release
Supports:
Selects IPv6 by default
Neighbor discovery
DHCPv6
Tunneling: ISATAP, Teredo, 6to4
Privacy Extensions enabled by default
Firewall supports stateful IPv6 filtering
DHCPv6 client only; additional support via external packages

For more info please see:
http://technet.microsoft.com/en-us/network/bb530961.aspx

Windows 7 Temporary Interface Identifier

Windows 7 doesn't use the EUI-64 technique by default when forming its interface identifier, but uses randomly-generated interface identifiers:

C:\>netsh int ipv6 sh addr

Interface 1: Loopback Pseudo-Interface 1

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  -----------------------
Other      Preferred   infinite      infinite      ::1

Interface 12: isatap.{7218C71C-E509-4EF9-AB57-C08863056588}

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  -----------------------
Other      Deprecated  infinite      infinite      fe80::5efe:10.109.109.6%12

Interface 13: Local Area Connection* 9

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  -----------------------
Public     Preferred   infinite      infinite      2001:0:5ef5:73bc:a2:3ac1:f592:92f9
Other      Preferred   infinite      infinite      fe80::a2:3ac1:f592:92f9%13

Interface 11: Local Area Connection

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  -----------------------
Temporary  Preferred   6d23h49m31s   6d23h49m31s   2001:db8:9:cafe:a133:5fb8:31df:864a
Public     Preferred   29d23h59m49s  6d23h59m49s   2001:db8:9:cafe:b407:e685:fb14:c12d
Other      Preferred   infinite      infinite      fe80::b407:e685:fb14:c12d%11

MAC OS X
Mac OS X 10.7 (supported from 10.4 onwards)
Mac OS X IPv6 stack is based on the KAME project (http://www.kame.net/)
Supports:
IPv6 enabled by default
GUI preferences tool or /usr/sbin/ip6 (# ip6 a | # ip6 x)
To accept Router Advertisements: sysctl -w net.inet6.ip6.accept_rtadv=1
Privacy addresses and EUI-64 host addresses enabled by default
FreeBSD's IPFW supports stateful and stateless filtering (# ip6fw)
Mail, Perl, Apache, PHP, BIND (on Server ver.) all default IPv6 support
Tunnel support for IPIP, 6to4
DHCPv6 client mode only (hidden behind automatic config in GUI)
No server-side direct solutions at this time (FreeBSD port is possible)

DUAL STACK (Default) BEHAVIOR

Unconditional (default) preference of IPv6 over IPv4
If the local host client has an active IPv6 interface:
  Client performs both an A and an AAAA record query
  Wait for both to reply or time out
  If the AAAA query succeeds then initiate the browser connection via IPv6
  If the AAAA query fails or times out then initiate the browser connection via IPv4

Sounds perfectly sane, right? But,

DUAL STACK BEHAVIOR ISSUES


We must accept FOR NOW that the dual stack world is broken!
Failure of one or the other protocol to respond causes a variety
of different broken behaviors
How long will you wait before you fall back to IPv4?

Windows: 3 SYN Packets= Failure, 19 seconds


Mac OS X 7: 11 SYN Packets=Failure, 75 Seconds
Linux: 11 SYN Packets = Failure, between 75 Seconds and 180
Seconds
This is BAD! But stack tuning has its own issues
For a full explanation and lots of options germane to these issues please see:

Analyzing Dual Stack Behavior and IPv6 Quality


By Geoff Huston & George Michaelson of APNIC

https://ripe64.ripe.net/presentations/78-2012-04-16-ripe64.pdf

Concluding Thoughts
IPv6 is simply an address change at layer-3. So why is it so complicated?
This stuff was supposedly finalized in 2000. So why are there new RFCs and working groups forming every day to figure this stuff out?
Most OSs ((x)NIXs) implemented SLAAC and thought they were done. Not enough great support yet for DHCPv6
We will have to suffer through behavior changes until the end of IPv4. My prediction is 10 yrs from now we will be about 85-95% fully converted to IPv6
BTW we will have another round of issues to fight when we start trying to reach IPv4 legacy resources via IPv6-only hosts at the tail end of this decade of conversion

IPv6 Network Side

IPv6 Multicast

IPv4 and IPv6 Multicast Comparison

Service                IPv4 Solution                                  IPv6 Solution
Addressing Range       32-bit, Class D                                128-bit (112-bit Group)
Routing                Protocol Independent, All IGPs and MBGP        Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
Forwarding             PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR    PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group Management       IGMPv1, v2, v3                                 MLDv1, v2
Domain Control         Boundary, Border                               Scope Identifier
Interdomain Solutions  MSDP across Independent PIM Domains            Single RP within Globally Shared Domains

Static RP, BSR, No Auto-RP; Embedded RP

PIMv6
ipv6 multicast-routing
ipv6 pim rp-address (ipv6#)
ipv6 pim anycast-rp (anycast#) (peer addr#)

IPv6 Quality of Service

Quality of Service
IPv6 QoS
Same architectural models as IPv4
Differentiated Services (Traffic Class field)
Integrated Services (RSVP)

IPv6 header fields shown on the slide: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

IPv6 traffic class
Value defined per application; same DSCP for applications over both IPv4 and IPv6; the decision to differentiate per protocol is an operational one

IPv6 flow label (RFC 3697)
A new 20-bit field in the IPv6 basic header
Its value cannot be changed by intermediate devices
No RFC regarding flow label usage yet

Transition
Mapping between IPv6 DSCP & IPv4 ToS or MPLS EXP

Exercise with QoS


IPv6 QoS
This is an excellent opportunity to look at QoS as it stands currently within your
network
What will change with IPv6 deployment?
What needs to change with IPv6 deployment?

All of life is merely a matter of perspective!


Match/set for dscp/precedence now v4/v6 agnostic
Match ipv6 address is new


IPv6 Security:
Access-List Filtering

Cisco IOS IPv6 Extended Access Control Lists

Very much like in IPv4
Filter traffic based on:
  Source and destination addresses
  Next header presence
  Layer 4 information
Implicit deny all at the end of the ACL
  Empty ACL means traffic allowed
Reflexive and time-based ACLs
Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:
  Layer 4 header found
  Unknown extension header is found

Side note for 7600 & other switches:
No VLAN ACL
Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), Cat 6K (12.2(33)SXI4)

IOS IPv6 Extended ACL


Can match on

Upper layers: TCP, UDP, SCTP port numbers


TCP flags SYN, ACK, FIN, PUSH, URG, RST
ICMPv6 code and type
Traffic class (only six bits/8) = DSCP
Flow label (0-0xFFFFF)

IPv6 extension header

routing matches any RH, routing-type matches specific RH


mobility matches any MH, mobility-type matches specific MH
dest-option matches any, dest-option-type matches specific destination options
auth matches AH
Can skip AH (but not ESP) since IOS 12.4(20)T

fragments keyword matches


Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined

undetermined-transport keyword matches (only for deny)


Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header


Cisco IOS IPv6 ACL

Filtering inbound traffic to one specific destination address (2001:db8:2c80:1000::1); packets that claim to come from the inside prefix are dropped, and everything else falls through to the implicit deny:

ipv6 access-list MY_ACL
 remark basic anti-spoofing
 permit ipv6 any 2001:db8:2c80:1000::1/128
 deny ipv6 2001:db8:2c80:1000::/64 any
interface Serial 0
 ipv6 traffic-filter MY_ACL in

Topology: IPv6 Internet -- Serial 0 -- router -- prefix 2001:db8:2c80:1000::/64

IPv6 ACL Implicit Rules - RFC 4890


Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Nexus 7000 also allows RS & RA


IPv6 ACL Implicit Rules

The beginner's mistake is to add a deny log at the end of an IPv6 ACL (the explicit deny matches before the implicit permits, so neighbor discovery is blocked):
! Now log all denied packets
deny ipv6 any any log
! Hey . . . I forgot about these implicit lines
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

Solution: explicitly add the implicit ACEs
. . .
! Now log all denied packets
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log

Example: Rogue RA & DHCP Port ACL

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
interface GigabitEthernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Note: Nexus-7000 and Cat 3750 12.2(46)SE, Catalyst 6500 12.2(33)SXI4, Catalyst 4500 12.2(54)SG

IPv6 Routing Protocol Configuration

Concept
IPv6 uses a separate routing table from IPv4
Routed vs. Routing Protocols
Routed protocols transmit payload
Routing protocols transmit path
Routed protocols do not change
Example: HTTP and SMTP
Routing protocols do change!
Some are unique to IPv6 (Ex: RIPng)
Some like IS-IS are the same

Basic IPv6 Commands

R1(config)# ipv6 unicast-routing
R1(config-if)# ipv6 address (#)
  ipv6 enable                                            Link-local only
  ipv6 address 3ffe:b00:c18:1:260:3eff:fe47:1500/64      Full address
  ipv6 address 3ffe:b00:c18:1::/64 eui-64                Auto-assign on net

R1(config)# ipv6 route (net/vlsm) (node#)
  ipv6 route ::/0 3ffe:b00:c18:1:260:3eff:fe47:1530

show ipv6 neighbors
ping (ipv6-addr)

L2 to L3 Mapping
Don't forget that this is another protocol!
Any interface using manual mapping needs to be updated:
frame-relay map ipv6
dialer map ipv6
Etc.

First Hop Router Redundancy

HSRP for v6 (HSRP Active / HSRP Standby)
Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
Virtual MAC derived from HSRP group number and virtual IPv6 link-local address

GLBP for v6 (GLBP AVG, AVF / GLBP AVF, SVF)
Modification to Neighbor Advertisement, Router Advertisement; GW is announced via RAs
Virtual MAC derived from GLBP group number and virtual IPv6 link-local address

Neighbor Unreachability Detection (NUD)
RA sent with reach-time = 5,000 msec
For rudimentary HA at the first hop
Hosts use NUD reachable time to cycle to the next known default gateway (30s by default)

Static Name to Host Address Entries

Name to address resolution just like IPv4
ipv6 host (name) (ipv6-address)
Can specify up to four addresses
You can run DHCP server and DNS server in IPv6
No concept of secondary addresses in IPv6; all are valid options

Neighbor Discovery Configuration

Topology: R1 (Fa0/0, LAN1: 3000:b00:c18:1::/64) and R2 (Fa0/1, LAN2: 3000:b00:c18:2::/64) attached to the IPv6 Internet; each sends RAs on its LAN interface.

R1:
interface FastEthernet0/0
 ipv6 nd prefix 3000:b00:c18:1::/64

or, with explicit valid/preferred lifetimes (43200 43200):
interface FastEthernet0/0
 ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200
 ipv6 nd ra-lifetime 0

R2:
interface FastEthernet0/1
 ipv6 nd prefix 3000:b00:c18:2::/64 43200 43200

Prefix Renumbering
Router configuration after renumbering:
interface FastEthernet0/0
 ipv6 nd prefix 3ffe:b00:c18:1::/64 43200 0
 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200

OR:
interface FastEthernet0/0
 ipv6 nd prefix 3ffe:b00:c18:1::/64 at Sep 1 2012 23:59 Sep 1 2012 23:59
 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200 43200

NEW network prefix: 3ffe:b00:c18:2::/64
Deprecated prefix: 3ffe:b00:c18:1::/64

Router advertisements with expiration dates are sent to the autoconfigured IPv6 hosts.
Hosts:
deprecated address 3ffe:b00:c18:1:260:8ff:fede:8fbe
preferred address 3ffe:b00:c18:2:260:8ff:fede:8fbe

Concluding Thoughts
Subnetting in IPv6 is actually easier than in IPv4.
Only a few bit boundaries to worry about:
  /32 LIR (ISP) allocations
  /48 Enterprise allocations
  /56 Residential allocations
Valid subnet range: /48 - /64
/126, /127 and /96: special subnets

Routing: The IPv4 IPv6 Parallel

RIP    RIPv2 for IPv4; RIPng for IPv6. Distinct but similar protocols, with RIPng taking advantage of IPv6 specificities.
OSPF   OSPFv2 for IPv4; OSPFv3 for IPv6. Distinct but similar protocols, with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities.
IS-IS  Extended to support IPv6. Natural fit to some of the IPv6 foundational concepts; supports single and multi topology operation.
EIGRP  Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE). Some changes reflecting IPv6 characteristics.
BGP    New MP_REACH_NLRI, MP_UNREACH_NLRI; AFI=2 with SAFI for Unicast/ /Label/VPN. Peering over IPv6 or IPv4 (route maps).

For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts.
IPv6 IGPs have additional features that could lead to new designs.

Routing Protocols

Static Routes

Multitopology IS-IS: unicast, multicast

BGP: authentication; BGP peering to IPv6 endpoints; IPv6 routes over IPv4 peering; IPv6 prefix limits; interface counters; Graceful Restart and NSR
BGPv6 supported families:
  family inet6 unicast
  family inet6 multicast
  family inet6 labeled-unicast
  inet4 unicast (not supported)

Routing Policy: IPv6 multicast scoping; IPv6 address family; IPv6 prefixes; IPv6 route destination address

BFD

RIPng: Graceful Restart and NSR

OSPFv3: IPv6 EH authentication; IPsec encryption (ESP header); overloading; Graceful Restart and NSR; BFD (9.3); P2P interface (9.4); OSPF rib-group for IPv6; realm support (IPv4 support) but without TE support

IS-IS: authentication; unicast mesh groups; multicast mesh groups; Graceful Restart and NSR; BFD for dual stack interface (not for v6-only); IS-IS rib-groups for IPv6

Routing Protocols (continued)

MPLS Protocols: IPv6 tunneling over MPLS LSPs; RSVP-TE for IPv6 (not scheduled yet); LDP for IPv6 (not scheduled yet)

IPv6 PIM: multicast address support; PIMv2; PIM Anycast RP; statically defined RP; embedded RP addresses; Source-Specific Multicast (SSM); Multicast Listener Discovery (v1 and v2); Bootstrap Router (BSR) for IPv6; disable IPv6 PIM independently from IPv4 (9.6)

MPLS VPNs: 6PE, 6VPE; VRF table-label

L3VPN Multicast: NG MVPN: IPv6 multicast (2H2009)

IPv6 Routing Protocols: Static Routes

Static Route Example
R1(config)# ipv6 route fde7:0e06:ef31::/48 null0
R1#sh ipv6 route static
IPv6 Routing Table - Default - 2 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   FDE7:E06:EF31::/48 [1/0]
     via Null0, directly connected
R1#
R1(config)# ipv6 route 2300:0106:aa23::/48 fa0/0
R1(config)#do sh ipv6 route static | begin ^S
S   2300:106:AA23::/48 [1/0]
     via FastEthernet0/0, directly connected
S   FDE7:E06:EF31::/48 [1/0]
     via Null0, directly connected
R1(config)#

Static Options
All static parameters are optional.
Parameters are like any other static route.
R1(config)#ipv6 route 2300:0106:aa23::/48 fa0/0 ?
  <1-254>       Administrative distance
  X:X:X:X::X    IPv6 address of next-hop
  multicast     Route only usable by multicast
  nexthop-vrf   Nexthop IPv6 VRF
  tag           Tag value
  unicast       Route only usable by unicast
  <cr>

Routing Policy
Configured in the same way as routing policy for IPv4.
Similar match conditions and actions.
Create the policy first, then apply it to an interface (PBR), a neighbor (BGP), or a routing protocol.
One new match condition: match protocol ipv6
Routing table built the same as always!
Nothing new to learn for the IPv6 thought process.

IPv6 Routing Protocols: OSPFv3

OSPFv3
Changes from OSPFv2:
  Per link processing
  Addition of flooding scope
  New Link LSA
  Handling of unknown LSA types
  Virtual link changes
  Authentication changes

OSPFv3
Per Link Processing
IPv6 uses the term link instead of network or subnet to indicate communication.
Interfaces connect to links.
Adjacencies are formed on link-local addresses.
Multiple IPv6 subnets can be assigned to a single link.
Two nodes can talk directly over a single link, even if they do not share a common IPv6 subnet.
Network address and mask do not impact the formation of adjacencies.

OSPFv3
Flooding Scope
Each LSA now contains two bits indicating the flooding scope:
  AS scope: the LSA is flooded throughout the AS
  Area scope: the LSA is flooded only within an area
  Link-local scope: the LSA is flooded only on the local link
These changes also impact the names of the LSAs:
  Type 3 (Summary LSA) is now called the inter-area-prefix-LSA
  Type 4 (Autonomous System Border LSA) is now called the inter-area-router-LSA
  Other new LSAs have been added

OSPFv3
Flooding Scope

LSA Name                LS Type code   Flooding scope     LSA Function code
Router LSA              0x2001         Area scope         1
Network LSA             0x2002         Area scope         2
Inter-Area-Prefix-LSA   0x2003         Area scope         3
Inter-Area-Router-LSA   0x2004         Area scope         4
AS-External-LSA         0x4005         AS scope           5
Group-membership-LSA    0x2006         Area scope         6
Type-7-LSA              0x2007         Area scope         7
Link-LSA                0x0008         Link-local scope   8
Intra-Area-Prefix-LSA   0x2009         Area scope         9

OSPFv3
Handling Unknown LSA Types
Each LSA now contains an unknown-LSA bit (the U bit):
  0: Treat this LSA as link-local
  1: Store and flood this LSA even if you don't understand it
This allows the deployment of new features in the future:
  Routers that don't understand the new feature will simply store and forward the LSA
  Features can be deployed at edges, within a flooding domain, etc., without the need to upgrade all routers
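The LS Type encoding behind the flooding-scope table and the unknown-LSA rule on the last two slides, as an added example that is not part of the Cisco deck: it splits the 16-bit LS Type of RFC 5340 into the U bit, the two scope bits and the 13-bit function code, and decides what a router does with an LSA whose function code it does not recognise. The set of "known" function codes is the one from the table; the unknown codes in the demo (10 with U=0 and U=1) are constructed, and the handling of the reserved scope value is this example's choice.

```python
"""Added example (not from the Cisco deck): decode the 16-bit OSPFv3
LS Type field (RFC 5340) into its U bit, flooding-scope bits and LSA
function code, and apply the unknown-LSA rule from the slides. The set
of function codes this 'router' understands is taken from the LSA table
above; the unknown codes used in the demo are constructed."""

SCOPE = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}

# Function codes (low 13 bits of the LS Type) from the LSA table.
KNOWN_FUNCTION_CODES = {
    1: "Router-LSA", 2: "Network-LSA", 3: "Inter-Area-Prefix-LSA",
    4: "Inter-Area-Router-LSA", 5: "AS-External-LSA",
    6: "Group-membership-LSA", 7: "Type-7-LSA", 8: "Link-LSA",
    9: "Intra-Area-Prefix-LSA",
}


def decode_ls_type(ls_type: int) -> dict:
    """Split the LS Type: bit 15 = U, bits 14-13 = S2 S1, bits 12-0 = function code."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    return {
        "u_bit": (ls_type >> 15) & 1,
        "scope": SCOPE[(ls_type >> 13) & 0x3],
        "function_code": ls_type & 0x1FFF,
    }


def lsa_name(ls_type: int) -> str:
    code = decode_ls_type(ls_type)["function_code"]
    return KNOWN_FUNCTION_CODES.get(code, "unknown (function code %d)" % code)


def flooding_decision(ls_type: int, known=KNOWN_FUNCTION_CODES) -> str:
    """What a router does with a received LSA (RFC 5340 section 4.5.2):
    known code      -> process it and flood at the encoded scope
    unknown, U = 1  -> store and flood at the encoded scope anyway
    unknown, U = 0  -> store it but treat it as link-local scope
    S2 S1 = 11 is reserved by the RFC; this example discards such LSAs."""
    f = decode_ls_type(ls_type)
    if f["scope"] == "reserved":
        return "discard (reserved flooding scope)"
    if f["function_code"] in known:
        return "process; flood %s scope" % f["scope"]
    if f["u_bit"]:
        return "store and flood %s scope (unknown type, U=1)" % f["scope"]
    return "store; link-local scope only (unknown type, U=0)"


if __name__ == "__main__":
    for t in (0x2001, 0x4005, 0x0008, 0xA00A, 0x200A):
        print(f"0x{t:04X} {lsa_name(t):32} {flooding_decision(t)}")
```

The U=1 case is what lets a new LSA type cross routers that were never upgraded; it also means an unrecognised LSA injected by an adjacent router is propagated through the whole scope, so OSPFv3 neighbor authentication matters for more than the LSAs a router understands.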

OSPFv3
Virtual Link Requirements
At least one global/unique-local IPv6 address in the transit area:
  OSPFv3 normally sends LSAs with a link-local source address
  This won't work over a virtual link, because the packet needs to be forwarded through the intervening area
Advertisement of a /128 prefix:
  If no /128 is available in the table, a /128 from within an existing prefix space will be used
  This provides most-specific reachability between the endpoints of the virtual link

OSPFv3
Authentication
OSPFv3 currently only supports IPsec for authentication.
Group keying is painful for IPsec.
There is current work in GDOI and other spaces to make group keying work better for this space.
There is current work in the OSPF working group to allow HMAC-SHA and other forms of in-packet authentication.

OSPFv3
Configuration & Show Example
Topology: Router1 POS1/1 (2001:410:ffff:1::1/64) is in Area 0; Router1 POS2/0 (2001:b00:ffff:1::2/64) connects to Router2 POS3/0 (2001:b00:ffff:1::1/64) in Area 1.

Router1#
interface POS1/1
 ipv6 address 2001:410:FFFF:1::1/64
 ipv6 enable
 ipv6 ospf 100 area 0
interface POS2/0
 ipv6 address 2001:B00:FFFF:1::2/64
 ipv6 enable
 ipv6 ospf 100 area 1
ipv6 router ospf 100
 router-id 10.1.1.3

Router2#
interface POS3/0
 ipv6 address 2001:B00:FFFF:1::1/64
 ipv6 enable
 ipv6 ospf 100 area 1
ipv6 router ospf 100
 router-id 10.1.1.4

OSPFv3
Configuration & Show Example (same topology: Router1 POS1/1 in Area 0, Router1 POS2/0 to Router2 POS3/0 in Area 1)

Router2#sh ipv6 ospf int pos 3/0
POS3/0 is up, line protocol is up
  Link Local Address FE80::290:86FF:FE5D:A000, Interface ID 7
  Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4
  Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 3
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.1.3
  Suppress hello for 0 neighbor(s)

OSPFv3
Configuration & Show Example (same topology)

Router2#sh ipv6 ospf neighbor detail
 Neighbor 10.1.1.3
    In the area 1 via interface POS3/0
    Neighbor: interface-id 8, link-local address FE80::2D0:FFFF:FE60:DFFF
    Neighbor priority is 1, State is FULL, 12 state changes
    Options is 0x630C34B9
    Dead timer due in 00:00:33
    Neighbor is up for 00:49:32
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 2, maximum is 2
    Last retransmission scan time is 0 msec, maximum is 0 msec

OSPFv3
Configuration & Show Example (same topology)

Router2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP,
       B - BGP, U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1,
       OE2 - OSPF ext 2
OI  2001:410:FFFF:1::/64 [110/2]
     via FE80::2D0:FFFF:FE60:DFFF, POS3/0
C   2001:B00:FFFF:1::/64 [0/0]
     via ::, POS3/0
L   2001:B00:FFFF:1::1/128 [0/0]
     via ::, POS3/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

Same As OSPFv2
Similarities: one of the similarities is the RID.
OSPFv3 maintains a 32-bit RID that represents the router in the link-state database.
The RID is not related to an IPv6 address like it is in IPv4.
Requires explicit configuration (assuming no IPv4 addresses are present), because IPv6 addressing cannot be used.

Cisco IPv6 and OSPF
Customized globally:
  R1(config)# ipv6 router ospf <process-id>
  R1(config-router)# area <area-id> range ..
Enabled on an interface:
  R1(config-if)# ipv6 ospf <process-id> area <area-id>
  R1(config-if)# ipv6 ospf <process-id> neighbor <ipv6-address>

IPv6 and OSPF
Authentication is interesting:
  Requires IPsec to be used by OSPF
  Authentication fields are no longer part of the OSPF packet, but signaled to IPv6 security

IPv6 and OSPF - Security
Two methods, AH or ESP:
  ipv6 ospf authentication
  ipv6 ospf encryption
Examples (interface config):
  ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef
  ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D
Examples (area config; encryption uses the same format):
  area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890abcdef

Router ID Selection
IPv6 networks preserve the 32-bit router ID.
This is not an IPv4 address, it just looks like one!
You can set the RID manually under routing-options, although an existing IPv4 address can be used:
  The Junos OS uses the first non-127/8 address it finds as the RID
  lo0 is the first interface activated, so a non-127/8 address configured there serves as the RID
  If the Junos software does not find a suitable address on lo0, it examines the next interface activated (normally fxp0)
IPv6 functionality should not depend on another protocol being configured, so set the RID manually!

IPv6 Routing Protocols: MBGP

MP-BGP Basics
(Figure: AS 101, AS 201 and AS 301 tied together by peering between their border routers.)
Path vector protocol: carries a sequence of AS numbers indicating the path.
Ties autonomous systems together via peering.
Multiple address families: ipv4, ipv6, unicast, multicast.

BGP-4 Extensions for IPv6
TCP interaction:
  BGP-4 runs on top of TCP
  This connection can be set up either over IPv4 or over IPv6
Router ID:
  When no IPv4 is configured, an explicit bgp router-id needs to be configured
  This is needed as the BGP Identifier, which is used as a tie breaker and is sent within the OPEN message

Non Link Local Peering
Topology: Router A (AS 1, 2001:db8:ffff:2::1) peers with Router B (AS 2, 2001:db8:ffff:2::2) over the 2001:db8:ffff:2::/64 link; Router A originates 2003:3:2::/64 and 2003:3:3::/64.

Router A
router bgp 1
 no bgp default ipv4-unicast
 bgp router-id 1.1.1.1
 neighbor 2001:db8:ffff:2::2 remote-as 2
 address-family ipv6
  neighbor 2001:db8:ffff:2::2 activate
  network 2003:3:2::/64
  network 2003:3:3::/64

BGP-4 Extensions for IPv6 (RFC 2545)
BGP-4 carries only 3 pieces of information which are truly IPv4 specific:
  NLRI in the UPDATE message contains an IPv4 prefix
  NEXT_HOP path attribute in the UPDATE message contains an IPv4 address
  BGP Identifier is in the OPEN message & AGGREGATOR attribute
To make BGP-4 available for other network layer protocols, RFC 2858 (obsoletes RFC 2283) defines multi-protocol extensions for BGP-4:
  Enables BGP-4 to carry information of other protocols, e.g. MPLS, IPv6
  New BGP-4 optional and non-transitive attributes: MP_REACH_NLRI, MP_UNREACH_NLRI
  Protocol independent NEXT_HOP attribute
  Protocol independent NLRI attribute

BGP-4 Extensions for IPv6
Address Family Information (AFI) for IPv6: AFI = 2 (RFC 1700)
  Sub-AFI = 1 Unicast
  Sub-AFI = 2 Multicast (for RPF check)
  Sub-AFI = 3 for both Unicast and Multicast
  Sub-AFI = 4 Label
  Sub-AFI = 128 VPN

BGP-4 Extensions for IPv6
Next-hop contains a global IPv6 address or potentially a link-local one (for iBGP updates this has to be changed to a global IPv6 address with a route-map).
The value of the length of the next hop field in the MP_REACH_NLRI attribute is set to 16 when only the global address is present and to 32 if the link-local address is present as well.
A link-local address as next-hop is only set if the BGP peer shares the subnet with both routers (advertising and advertised).
(Figure: routers A in AS1 and B in AS2 sharing a link.)
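The attribute layout just described, as an added example that is not part of the Cisco deck: it builds and parses the value of an MP_REACH_NLRI attribute for AFI=2 (RFC 4760 framing, RFC 2545 next-hop rules), showing the 16-byte versus 32-byte next hop field and the receiver-side checks a parser needs (next hop length is 16 or 32, the second next hop really is fe80::/10, NLRI is not truncated). The next hops and prefixes are constructed samples that reuse addresses from the slides.

```python
"""Added example (not from the Cisco deck): build and parse the value of
a BGP MP_REACH_NLRI attribute for AFI=2 (RFC 4760, RFC 2545). It shows
the next-hop length of 16 (global only) versus 32 (global plus
link-local) from the slide, and the receiver-side checks a parser needs
(length values, link-local scope of the second next hop, truncated NLRI).
Next hops and prefixes are constructed samples."""
import ipaddress
import struct

AFI_IPV6, SAFI_UNICAST = 2, 1


def encode_mp_reach(prefixes, global_nh, link_local_nh=None, safi=SAFI_UNICAST):
    """Layout: AFI(2) SAFI(1) NHlen(1) NH(16|32) Reserved(1) NLRI..."""
    nh = ipaddress.IPv6Address(global_nh).packed
    if link_local_nh is not None:
        ll = ipaddress.IPv6Address(link_local_nh)
        if not ll.is_link_local:
            raise ValueError("second next hop must be link-local (fe80::/10)")
        nh += ll.packed
    out = struct.pack("!HBB", AFI_IPV6, safi, len(nh)) + nh + b"\x00"
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        nbytes = (net.prefixlen + 7) // 8     # NLRI: 1-byte length + minimal prefix bytes
        out += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return out


def decode_mp_reach(data: bytes) -> dict:
    if len(data) < 5:
        raise ValueError("attribute too short")
    afi, safi, nh_len = struct.unpack("!HBB", data[:4])
    if afi != AFI_IPV6:
        raise ValueError("not an IPv6 MP_REACH_NLRI (AFI %d)" % afi)
    if nh_len not in (16, 32):
        raise ValueError("IPv6 next hop length must be 16 or 32, got %d" % nh_len)
    pos = 4
    nh_bytes = data[pos:pos + nh_len]
    if len(nh_bytes) != nh_len:
        raise ValueError("truncated next hop")
    pos += nh_len
    global_nh = ipaddress.IPv6Address(nh_bytes[:16])
    link_local_nh = ipaddress.IPv6Address(nh_bytes[16:]) if nh_len == 32 else None
    if link_local_nh is not None and not link_local_nh.is_link_local:
        raise ValueError("second next hop %s is not link-local" % link_local_nh)
    if pos >= len(data) or data[pos] != 0:
        raise ValueError("reserved octet missing or non-zero")
    pos += 1
    prefixes = []
    while pos < len(data):
        plen = data[pos]
        nbytes = (plen + 7) // 8
        if plen > 128 or pos + 1 + nbytes > len(data):
            raise ValueError("truncated or malformed NLRI")
        raw = data[pos + 1:pos + 1 + nbytes] + bytes(16 - nbytes)
        # strict network construction rejects prefixes whose padding bits are set
        prefixes.append(ipaddress.IPv6Network((int.from_bytes(raw, "big"), plen)))
        pos += 1 + nbytes
    return {"safi": safi, "next_hop": global_nh,
            "link_local_next_hop": link_local_nh, "nlri": prefixes}


if __name__ == "__main__":
    # eBGP over a shared link: global + link-local next hop (length 32)
    attr = encode_mp_reach(["2003:3:2::/64", "2003:3:3::/64"],
                           "2001:db8:ffff:2::1", "fe80::1")
    print(attr.hex())
    print(decode_mp_reach(attr))
```

A parser that accepts any next hop length, or skips the scope check on the second address, is the usual source of crashes and of bogus next hops being installed from a malformed UPDATE; rejecting the attribute (and, per RFC 7606, treating the UPDATE as withdrawn) is the safe reaction.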

BGP Overview
Path-vector EGP that uses multiple path attributes to select the active route.
Originally designed for IPv4.
Extended to carry additional information: multicast, VPNs, IPv6.
MBGP specifications:
  Multiprotocol extensions for BGP-4: RFC 4760, January 2007
  Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing: RFC 2545

MP-BGP and IPv6
Multiprotocol extensions for BGP4:
  Add new fields to identify the type of route being advertised
  Make it possible to carry IPv6 routes on top of IPv4 BGP sessions
IPv6-specific extensions:
  Scoped addresses: NEXT_HOP contains a global IPv6 address and potentially a link-local address (only when there is link-local reachability with the peer)
  NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes in the multiprotocol attributes

Address-Families are new RIBs
Address families began with MBGP to separate RIB entries.
Common address-families are:
  ipv6 (unicast | multicast)
  nsap
  ipv4 multicast
  vpnv4
  vpnv6
  ipv4 unicast vrf <name>
Default is IPv4 unicast.

Prior to Address Families
router bgp 1001
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 neighbor 10.1.1.4 route-map Bob in
 neighbor 10.1.1.4 send-community
 network 10.1.100.0 mask 255.255.255.0
 network 10.1.101.0 mask 255.255.255.0
 redistribute static

Way to Think About the Old Way
router bgp 1001
 [Connections]
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 address-family ipv4
  neighbor 10.1.1.4 route-map Bob in
  neighbor 10.1.1.4 activate
  neighbor 10.1.1.4 send-community
  network 10.1.100.0 mask 255.255.255.0
  network 10.1.101.0 mask 255.255.255.0
  redistribute static

Activate Each Neighbor
Multiple neighbors can carry some or all of the supported families; activate each one.
Each RIB filters separately.
Each RIB name is important for NLRI information to be kept correctly.
Each RIB/family's information is separate.
Useful for running separate information over separate links/peerings.

MBGP Configuration
Topology: Router1 (AS 65001, 3ffe:b00:c18:2:1::F) peers with Router2 (AS 65002, 3ffe:b00:c18:2:1::1).

Router1#
interface FastEthernet0/0
 ipv6 address 3FFE:B00:C18:2:1::F/64
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
 exit-address-family

MBGP Prefix Bidirectional Filtering
Filtering BGP routing updates.
Topology: Router1 (3ffe:b00:c18:2:1::F, announcing 3ffe:b00::/24) peers with Router2 (3ffe:b00:c18:2:1::1). Prefixes shown in the diagram: 3FFE:0B00:0001::/48, 3FFE:0300::/32, 3FFE:0B00::/24.

Router1#
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
  network 3FFE:B00::/24
 exit-address-family
ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24

MBGP Config with Inbound Filtering
Configure BGP to accept legal prefixes only (prefix-list).
Topology: AS 65001 (3ffe:b00:c18:2:1::f) peers with AS 65002 (3ffe:b00:c18:2:1::1) and AS 65003 (3ffe:b00:c18:2:1::2).

router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 neighbor 3FFE:B00:C18:2:1::2 remote-as 65003
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::2 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list Legal in
  neighbor 3FFE:B00:C18:2:1::2 prefix-list Legal in
  network 3FFE:B00::/24
 exit-address-family
ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
ipv6 prefix-list Legal seq 20 permit 2002::/16
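The prefix-list semantics the two filtering slides rely on, as an added example that is not part of the Cisco deck: it parses the bgp65002in and Legal lists exactly as written on the slides and evaluates candidate routes against them with IOS ge/le rules (the route must lie inside the listed prefix; without ge/le only the exact length matches; le alone means lengths from the prefix length up to le; ge alone means ge up to 128; unmatched routes hit the implicit deny). The candidate routes are the three prefixes drawn on the bidirectional-filtering slide plus constructed ones for the Legal list.

```python
"""Added example (not from the Cisco deck): evaluate IOS-style
`ipv6 prefix-list` entries against candidate routes, reproducing the
ge/le semantics (the route must lie inside the listed prefix and its
length must fall in the permitted range; without ge/le only an exact
length matches; an implicit deny ends the list). The prefix-list lines
are the ones on the slides; the candidate routes are constructed."""
import ipaddress
import re

_ENTRY = re.compile(
    r"^ipv6 prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")

SLIDE_CONFIG = """
ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
ipv6 prefix-list Legal seq 20 permit 2002::/16
"""


def parse_prefix_lists(config: str) -> dict:
    """name -> entries sorted by sequence: (seq, action, network, min_len, max_len)."""
    lists = {}
    for line in config.strip().splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            raise ValueError("unparsable line: %r" % line)
        net = ipaddress.IPv6Network(m["prefix"])
        lo = int(m["ge"]) if m["ge"] else net.prefixlen
        hi = int(m["le"]) if m["le"] else (128 if m["ge"] else net.prefixlen)
        if not net.prefixlen <= lo <= hi <= 128:
            raise ValueError("ge/le must satisfy len <= ge <= le <= 128: %r" % line)
        lists.setdefault(m["name"], []).append((int(m["seq"]), m["action"], net, lo, hi))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, route: str):
    """First matching entry wins; no match means the implicit deny."""
    r = ipaddress.IPv6Network(route)
    for seq, action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action, seq
    return "deny", None


def filter_routes(config: str, list_name: str, routes):
    """Return the routes a neighbor would be allowed to send us."""
    entries = parse_prefix_lists(config)[list_name]
    return [rt for rt in routes if evaluate(entries, rt)[0] == "permit"]


if __name__ == "__main__":
    candidates = ["3FFE:0B00:0001::/48", "3FFE:0300::/32", "3FFE:0B00::/24",
                  "2001:db8::/32", "2002::/16", "2002:1::/32"]
    for name in ("bgp65002in", "Legal"):
        print(name, filter_routes(SLIDE_CONFIG, name, candidates))
```

Note how the /48 and /32 are dropped by both lists although they sit inside 3FFE::/16: the length range, not just the covering prefix, is what stops a peer from leaking more-specifics past the filter.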

Configuration EIGRP
hostname R1
!
ipv6 unicast-routing
!
interface Loopback0
 no ip address
 ipv6 address 1010:AB8::/64 eui-64
 ipv6 enable
 ipv6 eigrp 1
!
ipv6 router eigrp 1
 router-id 2.2.2.2
 no shutdown
!

Troubleshooting
show ipv6 eigrp events
show ipv6 eigrp interfaces
show ipv6 eigrp neighbors
show ipv6 interface
show ipv6 ospf
show ipv6 route
show ipv6 route bgp

IPv6: What's Next?

IPv4 to IPv6 Transition Challenges
16+ methods, possibly in combination.
Dual stack:
  Consider security for both protocols
  Cross v4/v6 abuse
  Resiliency (shared resources)
Tunnels:
  Bypass firewalls (protocol 41 or UDP)
  Can cause asymmetric traffic (hence breaking stateful firewalls)

Dual Stack Host Considerations
Host security on a dual-stack device:
  Applications can be subject to attack on both IPv6 and IPv4
  Fate sharing: as secure as the least secure stack...
Host security controls should block and inspect traffic from both IP versions:
  Host intrusion prevention, personal firewalls, VPN clients, etc.
(Figure: a dual-stack client with an IPv4 IPsec VPN and no split tunneling receives a packet whose IPv6 header carries an IPv6 exploit. Does the IPsec client stop an inbound IPv6 exploit?)

IPv6 Tunneling Summary
Tunnel mechanisms:
  RFC 1933/2893 configured and automatic tunnels
  RFC 2401 IPsec tunnel
  RFC 2473 IPv6 generic packet tunnel
  RFC 2529 6over4 tunnel
  RFC 3056 6to4 tunnel
  RFC 5214 ISATAP tunnel
  Mobile IPv6 (uses RFC 2473)
  RFC 4380 Teredo tunnels
  RFC 5569 6rd
Considerations:
  Only allow authorized endpoints to establish tunnels
  Static tunnels are deemed more secure, but less scalable
  Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks
  These tools have the same risk as IPv4, just new avenues of exploitation
  Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPsec
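The "bypass firewalls (protocol 41 or UDP)" point from the transition-challenges slide and the tunnel list above, from the defender's side, as an added example that is not part of the Cisco deck: a classifier that parses the outer IPv4 header of a packet, recognises IPv4 protocol 41 (the encapsulation used by 6in4, 6to4, ISATAP and 6rd) and Teredo's UDP port 3544, and for protocol 41 decodes the inner IPv6 header so that the IPv6 policy (or an IDS rule) can be applied to the encapsulated addresses. The packets are constructed in the block with documentation addresses; the 6to4/ISATAP/Teredo identification relies on RFC 3056, RFC 5214 and RFC 4380 address and port conventions.

```python
"""Added example (not from the Cisco deck): a defender-side classifier
for IPv4 packets that may carry IPv6 past an IPv4-only firewall. It
parses the outer IPv4 header, recognises protocol 41 (used by 6in4,
6to4, ISATAP and 6rd) and Teredo's UDP port 3544, and for protocol 41
exposes the inner IPv6 header so the IPv6 policy can be applied to it.
All packets below are constructed samples, not captured traffic."""
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41
TEREDO_PORT = 3544                                  # RFC 4380
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")      # RFC 3056


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def parse_ipv6_header(data: bytes):
    """Return (src, dst, next_header) from a raw IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        raise ValueError("inner payload is not IPv6")
    return (ipaddress.IPv6Address(data[8:24]),
            ipaddress.IPv6Address(data[24:40]), data[6])


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """ISATAP interface IDs are 0000:5EFE:<IPv4> (0200:5EFE with the u bit set)."""
    iid = int(addr) & ((1 << 64) - 1)
    return ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE


def classify(pkt: bytes) -> dict:
    """Tag a packet as 6to4 / isatap / 6in4 / teredo, or tunnel=None."""
    src, dst, proto, payload = parse_ipv4(pkt)
    result = {"outer_src": str(src), "outer_dst": str(dst), "tunnel": None}
    if proto == PROTO_IPV6:
        in_src, in_dst, nh = parse_ipv6_header(payload)
        if in_src in SIXTOFOUR or in_dst in SIXTOFOUR:
            kind = "6to4"
        elif is_isatap(in_src) or is_isatap(in_dst):
            kind = "isatap"
        else:
            kind = "6in4"
        result.update(tunnel=kind, inner_src=str(in_src),
                      inner_dst=str(in_dst), inner_next_header=nh)
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            result["tunnel"] = "teredo"
    return result


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header for the samples (no options, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=59, payload=b""):
    """Minimal IPv6 header (next header 59 = no next header)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# Constructed samples using documentation addresses.
SAMPLES = {
    "6to4":   build_ipv4("192.0.2.10", "192.88.99.1", PROTO_IPV6,
                         build_ipv6("2002:c000:20a::1", "2001:db8::1")),
    "isatap": build_ipv4("192.0.2.10", "198.51.100.1", PROTO_IPV6,
                         build_ipv6("fe80::5efe:c000:20a", "fe80::5efe:c633:6401")),
    "teredo": build_ipv4("192.0.2.10", "198.51.100.2", PROTO_UDP,
                         struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
    "plain":  build_ipv4("192.0.2.10", "198.51.100.3", 6, bytes(20)),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt))
```

On a network that has not deliberately deployed any of these mechanisms, every non-None classification is a policy hit: the IPv4 firewall would otherwise forward the packet without ever seeing the inner IPv6 addresses, and the return traffic may take a different path (the asymmetry the slide warns about).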

DNS: Basic Ideas
DNS in IPv6 is much like DNS in IPv4.
Keep files and delegations as simple as possible.
Can use IPv4 as transport for DNS for now.
Modern versions of BIND will work; BIND 9 is stable and works with IPv6.
There is work on dynamic DNS in progress, but we don't need to worry about that for now.

IPv6 and DNS
Hostname to IP address:
  IPv4, A record:     www.abc.test. A 192.168.30.1
  IPv6, AAAA record:  www.abc.test. AAAA 2001:db8:C18:1::2
IP address to hostname:
  IPv4, PTR record:   1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6, PTR record:   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.

DNS Example (IPv4-Only)
IPv4-only host -> DNS server: DNS request (h.root-servers.net) (QTYPE=A)
DNS server -> host: IPv4 A response (128.63.2.53)
Sample DNS response:
  H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53

DNS Example (IPv6-Only)
IPv4-only host -> DNS server: DNS request (h.root-servers.net) (QTYPE=AAAA)
DNS server -> host: IPv6 AAAA response (2001:500:1::803f:235)
Sample DNS response:
  H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235
DNS Example (Dual-Stack)
Dual-stack host -> DNS server: DNS request (h.root-servers.net) (QTYPE=AAAA, A)
DNS server -> host: IPv6 AAAA response (2001:500:1::803f:235) and IPv4 A response (128.63.2.53)
The dual-stack host: "I prefer IPv6 addresses."
Sample DNS response:
  H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235
  H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53
DNS Capture: Default IPv6 init
(Figure: packet capture showing A and AAAA queries for www.google.com, the response carrying both IPv4 and IPv6 addresses, and IPv6 transport being preferred.)

DNS Enhancements for IPv6
RFC 3596: DNS extensions to support IP version 6.
Name to address records:
  AAAA record type (equivalent to the IPv4 A record)
  Example record:
    host1.microsoft.com IN AAAA 2001:DB8::1:DD48:AB34:D07C:3914
Address to name records:
  New reverse domain called IP6.ARPA.
  Example record for 2001:DB8::1:DD48:AB34:D07C:3914 (or 2001:0DB8:0000:0001:DD48:AB34:D07C:3914):
    4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA. IN PTR host1.microsoft.com

Name Resolution Support in Windows
Resolution options:
1. Entries in the Hosts file
2. DNS resolver support
3. DNS Server service support
4. DNS dynamic update
5. DNS zone transfers
6. Source and destination address selection
7. LLMNR support
8. Support for ipv6-literal.net names
9. Peer Name Resolution Protocol
10. Name Resolution Policy Table
11. DNS Security Extensions (DNSSEC)

DNS Issues
Upgrade DNS servers to support IPv6.
Adding an AAAA record for a specific server to the DNS server requires ALL services to be IPv6 aware:
  LDAP or AD IPv6 aware
  All services running on the server
Interim solution is to use a temporary name (see Google's IPv6 start in 2008): ipv6.google.com vs. www.google.com.
This practice helps reduce the issue of unhappy dual-stack hosts by eliminating the multiprotocol response to DNS requests.

Forward Lookups
Uses AAAA records to assign IPv6 addresses to names.
Multiple addresses are possible for any given name, for example in a multihomed situation.
Can assign A records and AAAA records to a given name/domain (once IPv6 is more stable globally).
Can also assign separate domains for IPv6 and IPv4: BCP today.
Don't be afraid to experiment!

Upstream Support
How to get IPv6?
Tunnel brokers:
  Hurricane Electric
  RoutintHouse.com
  SixXS
  Others: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
6to4 gateway

Participate in the My Favorite Speaker Contest
Promote Your Favorite Speaker and You Could be a Winner
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress).
Send a tweet and include:
  Your favorite speaker's Twitter handle @CiscoKid14074
  Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers.
Don't forget to follow @CiscoLive and @CiscoPress.
View the official rules at http://bit.ly/CLUSwin

SP Related Official Cisco Training Offerings

Course: Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1), and Part 2 (SPNGN2)
Description: These courses introduce Cisco SP IP Next-Generation Network technologies and solutions, including OSI and TCP/IP models, IPv4/v6 addressing, switching, routing, transport types, security, network management, and Cisco operating systems.
Cisco Certification: CCNA Service Provider

Course: Deploying Cisco Service Provider Network Routing (SPROUTE)
Description: This course covers the implementation of routing protocols (OSPF, ISIS, BGP), route manipulations, and high availability routing features within SP IP NGN environments.
Cisco Certification: CCNP Service Provider

Course: Deploying Cisco Service Provider Advanced Network Routing (SPADVROUTE)
Description: This course covers advanced routing topics in BGP, as well as multicast services including PIM-SM, and IPv6 within SP IP NGN environments.
Cisco Certification: CCNP Service Provider

Course: Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE)
Description: This course covers core network services, including MPLS-LDP features, MPLS traffic engineering, QoS queuing mechanisms, and transport technologies within SP IP NGN environments.
Cisco Certification: CCNP Service Provider

Course: Implementing Cisco Service Provider Next-Generation Edge Network Services (SPEDGE)
Description: This course covers edge network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services within SP IP NGN environments.
Cisco Certification: CCNP Service Provider

For more details please visit: http://learningnetwork.cisco.com
Questions: Visit the Learning@Cisco Booth

R&S Related Official Cisco Training Offerings

Course: CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs
Description: Expert level trainings including instructor led workshops, self assessments, and practice labs to prepare candidates for the CCIE R&S practical exam.
Cisco Certification: CCIE Routing & Switching

Course: Implementing Cisco IP Routing; Implementing Cisco IP Switched Networks; Troubleshooting and Maintaining Cisco IP Networks
Description: Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs.
Cisco Certification: CCNP Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 2 (or combined)
Description: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCNA Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 1
Description: Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCENT Routing & Switching

For more details please visit: http://learningnetwork.cisco.com
Questions: Visit the Learning@Cisco Booth

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at ciscolive.com/online

Continue Your Education
Demos in the Cisco Campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
