Addressing and Address Types
Types
- Aggregatable Global Unicast - 2000::/3 - host-to-host communication
- Multicast - FF00::/8 - one-to-many and many-to-many communication
- Anycast - same as unicast - application based, including load balancing
- Link-Local Unicast - FE80::/10 - connected link communications
- Solicited-Node Multicast - FF02::1:FF00:0/104 - neighbor solicitation
Aggregatable Global Address
- begins with binary 001 - 2000::/3
- next 45 bits represent global routing prefix
- last 16 bits (preceding Interface ID) are Site Level Aggregator (SLA)
- also known as Subnet ID
- last 64 bits make up the Interface ID
Link-Local Address
- begin with FE80::/10
- Interface ID is derived using modified EUI-64 format
- remaining 54 bits of prefix are always set to 0
- Ethernet uses the 802 MAC address for the Interface ID
- other interfaces use a pool of virtual MAC addresses
IPv4-Compatible IPv6 Addresses
- first 96 bits are 0s
- IPv4 10.10.100.16
- 0:0:0:0:0:10:10:100:16
- ::10:10:100:16
- ::A:A:64:10
Assigning Unicast Address to Router Interface
- config# ipv6 unicast-routing
- config-if# ipv6 address 2001:128:ab2e:1a::1/64
- config-if# ipv6 address fe80::1 link-local
Multicast Format
- begins with FF or FF00::/8 (first octet)
- specifies lifetime and scope (second octet)
- lifetime can be permanent (0000) or temporary (0001)
- scope can be
- Node - 0001
- Link - 0010
- Site - 0101
- Organization - 1000
- Global - 1110
Well-Known
- all hosts - FF02::1 - subnet broadcast
- all routers - FF02::2 - 224.0.0.2
- OSPFv3 routers - FF02::5 - 224.0.0.5
- OSPFv3 designated routers - FF02::6 - 224.0.0.6
- EIGRP routers - FF02::A - 224.0.0.10
- PIM routers - FF02::D - 224.0.0.13
Solicited-Node Group
- each router must join for each of its unicast and anycast addresses
- FF02::1:FF00:0000/104
- Example
- 2001:1AB:2003:1::CBAC:DF01 becomes FF02::1:FFAC:DF01
- used in Neighbor Discovery (ND) process
Anycast
- drawn from the IPv6 unicast address pool
- config-if# ipv6 address 3001:FFFE::104/64 anycast
Address Autoconfiguration
Methods
- Stateful autoconfiguration - assigns 128 bit address using DHCP
- Stateless autoconfiguration - assigns 64 bit prefix
- EUI-64 - host derives last 64 bits
EUI-64 Address Format
- Interface ID is configured locally by host
- uses 48 bit MAC address as the seed
- hex value FFFE is placed in the center of the MAC
- sets the universal/local bit in the MAC
- 7th bit of the Interface ID; indicates global scope
- config-if# ipv6 address 2001:128:1F:633::/64 eui-64
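Worked example for the EUI-64, solicited-node and multicast format notes above (added here, not part of the original notes). It uses only Python's standard ipaddress module; the MAC 0007.8580.7208 is a constructed value chosen so the result matches the 2001::207:85FF:FE80:7208 next hop that appears in the static route notes.

```python
import ipaddress

# Scope values from the multicast format notes (second octet, low nibble)
SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}

def modified_eui64(mac: str) -> int:
    """Interface ID from a 48-bit MAC: split it, insert FFFE in the
    middle, then invert the universal/local bit (7th bit of the ID)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flipping the U/L bit marks a burned-in MAC as globally unique
    return int.from_bytes(iid, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' produces on the interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 plus the low 24 bits of a unicast/anycast address:
    the group a node joins for DAD and neighbor solicitation of that address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_flags(addr: str) -> tuple:
    """Decode the second octet of an FF00::/8 address into (lifetime, scope)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in FF00::/8")
    second = a.packed[1]
    lifetime = "permanent" if (second >> 4) == 0 else "temporary"
    return lifetime, SCOPES.get(second & 0xF, "other")

if __name__ == "__main__":
    # MAC is constructed; prefix 2001:128:1F:633::/64 is the one from the eui-64 command above
    print(eui64_address("2001:128:1F:633::/64", "0007.8580.7208"))
    print(solicited_node("2001:1AB:2003:1::CBAC:DF01"))  # FF02::1:FFAC:DF01 as in the notes
    print(multicast_flags("ff02::1"))
```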
Protocols
Neighbor Discovery Protocol (NDP)
- uses ICMPv6 messages and solicited-node multicast address
Major Roles
- stateless address autoconfiguration
- duplicate address detection (DAD)
- router discovery
- prefix discovery
- parameter discovery (link MTU, hop limits, ...)
- neighbor discovery
- neighbor address resolution (replaces ARP)
- neighbor and router reachability verification
Message Types
- Router Advertisement (RA) - ICMP 134; source is the link local; destination is FF02::1
- Router Solicitation (RS) - ICMP 133; source is the interface; destination is FF02::2
- Neighbor Solicitation (NS) - ICMP 135; source is the interface; destination is multicast address
- Neighbor Advertisement (NA) - ICMP 136; destination is address of requester
- Redirect - ICMP 137; source is link local; destination is the source of the requesting node
Neighbor Advertisements
- sent periodically to inform other hosts of their presence and link-layer address
Neighbor Solicitation
- duplicate address detection
- neighbor reachability verification
- layer 3 and layer 2 address resolution
Advertisement and Solicitation
- Advertisements
- include all 64 bit IPv6 prefixes configured on the interface
- includes link MTU, hop limits and if it is a candidate for the default router
- config# ipv6 nd ra-interval <seconds> (200 default)
- config# ipv6 nd ra-lifetime 0 (make this not a candidate for default router)
- config# ipv6 nd suppress-ra (disable advertisements)
Duplicate Address Detection
- a function of neighbor solicitation
- to verify that an autoconfigured address is unique
- sends NS message to its own address's corresponding solicited-node multicast address
- sourced from ::
Neighbor Unreachability Detection
- not defined as presence of advertisements from a router
- two ways to confirm reachability
- host sends a probe to the desired host's solicited-node multicast address
- receives RA or NA in response
- host receives a clue from a higher-layer protocol
- possibly a TCP ACK
- only connection oriented protocols
ICMPv6
Unicast Reverse Path Forwarding
Configure
- config-if# ipv6 verify unicast reverse-path
- Example
- will drop the packet if the check fails or the source address is within 2007::/64 range
- config# ipv6 access-list WORD
- config-ipv6-acl# deny ipv6 2007::/64 any
- config-ipv6-acl# permit ipv6 any any
- config-if# ipv6 verify unicast reverse-path WORD
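Simulation of the uRPF example above (added here, not from the original notes or IOS): the routing table is a constructed assumption, the exception ACL is the WORD list from the notes, and the ACL is consulted only for packets that fail the reverse-path check, which is how the optional ACL on ipv6 verify unicast reverse-path behaves.

```python
import ipaddress

# Constructed routing table (assumption, not from the notes): prefix -> egress interface.
ROUTES = {
    ipaddress.IPv6Network("2001:db8:1::/64"): "FastEthernet0/0",
    ipaddress.IPv6Network("2001:db8:2::/64"): "FastEthernet0/1",
    ipaddress.IPv6Network("2007::/64"): "FastEthernet0/1",
    ipaddress.IPv6Network("::/0"): "Serial0/0",
}

# The exception list "WORD" from the notes: deny 2007::/64, permit everything else.
ACL_WORD = [
    ("deny", ipaddress.IPv6Network("2007::/64")),
    ("permit", ipaddress.IPv6Network("::/0")),
]

def best_route(src: ipaddress.IPv6Address):
    """Longest-prefix match; returns (network, interface) or None."""
    hits = [(net, iface) for net, iface in ROUTES.items() if src in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def acl_permits(acl, src: ipaddress.IPv6Address) -> bool:
    """First matching entry wins; an IPv6 ACL ends with an implicit deny."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False

def urpf_strict(src: str, ingress: str, acl=None) -> str:
    """Strict uRPF as enabled by 'ipv6 verify unicast reverse-path [ACL]':
    forward only if the best route back to the source leaves via the ingress
    interface. A default route does not satisfy the check (assumption: no
    allow-default). When the check fails the ACL decides: permitted sources
    are still forwarded, denied sources are dropped."""
    s = ipaddress.IPv6Address(src)
    route = best_route(s)
    if route and route[0].prefixlen > 0 and route[1] == ingress:
        return "forward"
    if acl is not None and acl_permits(acl, s):
        return "forward"
    return "drop"

if __name__ == "__main__":
    for src, iface in [("2001:db8:1::5", "FastEthernet0/0"),
                       ("2001:db8:1::5", "FastEthernet0/1"),
                       ("2007::9", "FastEthernet0/0")]:
        print(src, iface, urpf_strict(src, iface), urpf_strict(src, iface, ACL_WORD))
```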
Dynamic Host Configuration Protocol (DHCP)
- stateful autoconfiguration
- two conditions
- host is explicitly configured to use DHCPv6
- IPv6 router advertises in RA messages
- routers set M flag (Managed Address Configuration) in RAs
- hosts send DHCP request using multicast address on UDP port 547
- FF02::1:2 - all DHCP relay agents and servers
- FF02::1:3 - all DHCP servers
- config-if# ipv6 dhcp server <pool-name>
Access Lists
- implicit permit for Neighbor Discovery Protocol
- config# ipv6 traffic-filter WORD [in | out]
- lists are always named
Configuration
- config# ipv6 access-list WORD
- config-ipv6-acl# permit tcp any 2001:1:2:3::/64 eq telnet dscp cs1 log
- config-ipv6-acl# deny tcp any any log-input
- config# line vty 0 4
- config-line# access-class WORD in
Traffic Filtering
- config# ipv6 access-list WORD
- config-ipv6-acl# deny tcp any eq www 2001:DB8:128::/64
- config-ipv6-acl# permit ipv6 any any
- config# interface FastEthernet0/0
- config-if# ipv6 traffic-filter WORD in
Static Routes
- static route to an interface has an administrative distance of 1 (ipv4 is 0)
- static route to next-hop IP has an administrative distance of 1 (just like ipv4)
- static route to a broadcast interface, such as ethernet, must specify the next-hop
- because ipv6 does not use ARP
Tip
- debug ipv6 routing
- show ipv6 route
- config# ipv6 route 2001:129::/64 2001::207:85FF:FE80:7208
Unicast Routing Protocols
OSPFv3
- differences from version 2
- configured using interface commands
- config-if# ipv6 ospf 1 area 2
- automatically creates "ipv6 router ospf 1" globally
- if multiple IPv6 addresses are on an interface, all of them are advertised
- RID must be set
- would usually use IPv4, but if it's not configured then the RID is not generated
- Flooding Scopes
- link-local scope - used by new LSA type, Link LSA
- area scope - for LSAs flooded throughout a single area
- AS scope - flooded throughout the routing domain, for External LSAs
- multiple instances per link
- config-if# ipv6 ospf 1 area 0 instance 33
- Terminology
- OSPFv2 "network" is now called OSPFv3 "link"
- sources packets from link-local address
- besides virtual links
- uses link-local address for all communications between neighbors
- Authentication
- is not provided since IPv6 covers this requirement
- Networks in LSAs
- expressed as a prefix and a prefix length
- default routes are expressed with a prefix length of 0
- configured using interface commands
LSA Types
- 1 - router LSA - describes a router's link states and costs - area scope
- 2 - network LSA - generated by DR, describes aggregated link state and costs for routers - area scope
- 3 - inter-area prefix LSA for ABRs - describes interarea networks to routers in other area - area scope
- 4 - inter-area router LSA for ASBRs - advertises the ASBR location - AS scope
- 5 - AS external LSA - describes the networks learned by other protocols - area scope
- 8 - link LSA - advertises link-local address and prefix(es) to other routers - link scope
- 9 - intra-area prefix LSA - area scope
NBMA Networks
- config-if# ipv6 ospf neighbor 3003::1
- "nonbroadcast needs neighbors"
Frame Relay
- mapping IP to DLCI
- requires two map statements
- one points to link local (broadcast)
- one points to unicast of next-hop
- config# frame-relay map ipv6 FE80::207:85FF:FE80:7208 101 broadcast
- config# frame-relay map ipv6 2001::207:85FF:FE80:7208 101
Authentication and Encryption
- uses IPv6's native authentication support
- uses Authentication Header (AH)
- uses Encapsulating Security Payload (ESP)
- config# ipv6 ospf authentication (AH)
- config# ipv6 ospf encryption (ESP)
- ESP provides both encryption and authentication
EIGRP
Differences
- configured on the interface
- config-if# ipv6 eigrp 100
- must "no shut" the routing process
- Router ID
- requires 32 bit router ID before it starts
- Passive Interfaces
- configured in routing process only
- Router Filtering
- only using distributed-list and prefix-list
- Automatic Summarization
- does not have "no auto-summary" command
- no concept of classful routing in IPv6
- config-if# ipv6 next-hop-self eigrp <as>
Configuration
- config-if# ipv6 address 3001:0:4::/64 eui-64
- config-if# ipv6 address autoconfig
- config-if# ipv6 eigrp 100
- config# ipv6 router eigrp 100
- config-router# router-id 192.0.0.1
- config-router# no shutdown
- config-router# passive-interface loopback 3
- config-router# redistribute connected metric 100000 100 255 10 1500 route-map WORD
- config-router# ipv6 summary-address eigrp 100 3001:0:4:4::/63
Route Redistribution
- configured as part of the routing process of the destination routing protocol
- can apply tags, manipulate metrics and filter routes
- route maps can be applied which call access lists or prefix lists or perform other actions
- into EIGRP or RIPng requires setting a metric
Protocol Combinations
- RIPng - one process to another
- OSPFv3 - one process to another
- EIGRP - one AS to another
- EIGRP to OSPFv3 - and vice-versa
- EIGRP to RIPng - and vice-versa
- OSPFv3 to RIPng - and vice-versa
Configuration
- config# ipv6 router ospf 1
- config-rtr# redistribute rip RIPng route-map WORD1 [include-connected]
- config# ipv6 prefix-list WORD2 seq 5 permit 3009:128:1::/48 ge 64 le 64
- config# route-map WORD1 permit 10
- config-route-map# match ipv6 address prefix-list WORD2
- config-route-map# set metric-type type-1
- config-route-map# set tag 32767
QoS
- features not available in version 6
- Network Based Application Recognition (NBAR)
- Compressed Real-Time Protocol (cRTP)
- Committed Access Rate (CAR)
- Priority Queuing (PQ)
- Custom Queuing (CQ)
Classification, Marking and Queuing
- config-cmap# match protocol [ip | ipv6]
- Differences
- no "match ip rtp"
- "match cos" and "set cos"
- support only CEF
- does not support process-switched or router-originated traffic
- does not support ISL interfaces, even for CEF
Traffic Shaping and Policing
- uses flow-based queuing by default
- can use Class-Based WFQ to manage congestion
Tunneling
- tunneling refers to the process of encapsulating traffic at an OSI layer with another protocol in the same layer
Methods
- Automatic 6to4 - point-to-multipoint; 2002::/16; isolated IPv6 island networks
- Manually - point-to-point; requires dual-stack support on both ends
- IPv6 over IPv4 GRE - point-to-point; unicast address; dual stack
- ISATAP - point-to-multipoint; multicast address; within single site
- Automatic IPv4-Compatible - point-to-multipoint; ::/96 address; dual stack
Modes and Destinations
- Manual - ipv6ip - ipv4 address is the destination
- GRE over IPv4 - gre ip - ipv4 address is the destination
- Automatic 6to4 - ipv6ip 6to4 - auto determined
- ISATAP - ipv6ip isatap - auto determined
- Automatic IPv4-Compatible - ipv6ip auto-tunnel - auto determined
Manually Configured
- config# interface tunnel 0
- config-if# no ip address
- config-if# ipv6 address 2001:DB8::1:1/64
- config-if# tunnel source loopback 0
- config-if# tunnel destination 172.30.20.1
- config-if# tunnel mode ipv6ip
Automatic IPv4-Compatible
- uses IPv4-compatible IPv6 address for tunnel interfaces
- taken from ::/96 address space (first 96 bits are 0s)
- address written as 0:0:0:0:0:0:A.B.C.D
- tunnel destination for IPv4 compatible tunnel is automatically determined
- config-if# tunnel mode ipv6ip auto-tunnel
IPv6 over IPv4 GRE
- Key Features
- encapsulation of traffic other than IPv6
- support for IPsec
- config-if# tunnel mode gre ipv6
Automatic 6to4
- point-to-multipoint
- treats underlying IPv4 network as NBMA cloud
- destination address is IPv6 prefix combined with the destination's IPv4 address
- begins with 2002::/16
- 2002:IPv4::/48
- other 16 bits are for numbering networks within the site
- IOS only supports one automatic 6to4 tunnel per router
- config-if# tunnel mode ipv6ip 6to4
- tunnel destination not explicitly configured
- routing needs to be configured
- config# ipv6 route 2002::/16 tunnel 0
ISATAP
- Intra-Site Automatic Tunnel Addressing Protocol
- treat IPv4 network as NBMA cloud
- [64-bit link-local or global unicast prefix]:0000:5EFE:[IPv4 address of ISATAP link]
- Example
- IPv6 prefix - 2001:0DB8:0ABC:0DEF::/64
- IPv4 destination - 172.20.20.1 = AC14:1401
- ISATAP address - 2001:0DB8:0ABC:0DEF:0000:5EFE:AC14:1401
- config-if# tunnel mode ipv6ip isatap
- must be configured to derive the IPv6 address using EUI-64
- differs from a non-tunnel interface
- only derives the last 32 bits of the Interface ID from the tunnel source interface's IPv4 address
- by default Router Advertisements (RA) are disabled in the tunnel interface
- RAs must be enabled to support client autoconfiguration
- config-if# no ipv6 nd suppress-ra
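Worked example for the IPv4-compatible, 6to4 and ISATAP address formats above (added here, not from the original notes or IOS): the functions build each address form and recover the IPv4 endpoint that the auto-determined tunnel modes derive. Standard ipaddress module only; the ISATAP prefix and 172.20.20.1 are the notes' own example, 192.0.2.1 and 10.10.100.16 are constructed inputs.

```python
import ipaddress

def ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """::/96 form used by 'tunnel mode ipv6ip auto-tunnel': 96 zero bits, then the IPv4 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))

def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:IPv4::/48 for a site whose 6to4 router has the given public IPv4 address."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))

def sixto4_subnet(v4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside the site /48 (the 'other 16 bits')."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(sixto4_prefix(v4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))

def sixto4_tunnel_destination(dst: str) -> ipaddress.IPv4Address:
    """What 'tunnel mode ipv6ip 6to4' derives instead of a configured destination:
    bits 16-47 of any 2002::/16 destination are the far router's IPv4 address."""
    a = ipaddress.IPv6Address(dst)
    if a not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{dst} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)

def isatap_address(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """[64-bit prefix]:0000:5EFE:[IPv4]; only the low 32 bits of the Interface ID come from IPv4."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def isatap_tunnel_destination(dst: str) -> ipaddress.IPv4Address:
    """ISATAP endpoint recovery: Interface ID must be 0000:5EFE (or 0200:5EFE with
    the universal bit set) followed by the IPv4 address."""
    a = int(ipaddress.IPv6Address(dst))
    if ((a >> 32) & 0xFDFFFFFF) != 0x00005EFE:
        raise ValueError(f"{dst} is not an ISATAP address")
    return ipaddress.IPv4Address(a & 0xFFFFFFFF)

if __name__ == "__main__":
    print(isatap_address("2001:0DB8:0ABC:0DEF::/64", "172.20.20.1"))  # the notes' example
    print(sixto4_prefix("192.0.2.1"), sixto4_subnet("192.0.2.1", 1))  # constructed IPv4
    print(ipv4_compatible("10.10.100.16"))  # 10.10.100.16 is 0A0A:6410 in hex
```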
Network Address Translation - Protocol Translation (NAT-PT)
- translates between IPv4 and IPv6
Multicast
Multicast Listener Discovery (MLD)
- based on IGMP from IPv4
- uses ICMPv6
- routers act as MLD queriers to determine who wants traffic
- MLD snooping is the same as IGMP snooping
- can configure an interface to join a multicast group
- config-if# ipv6 mld join-group FF02::FE
- regardless of whether group members are present on the interface
Explicit Tracking
- allows multicast routers to track behaviors of hosts
- supports fast-leave mechanism in MLDv2
- disabled by default
- config-if# ipv6 mld explicit-tracking <acl>
PIM
Modes of Operation
- Sparse Mode (SM)
- Source-Specific Multicast (SSM)
- does not support dense mode
- PIM-SM routers can learn about an RP
- embeds RP info in MLD report messages and PIM messages
Source-Specific Multicast
- derived from sparse mode
- requires MLDv2 to operate
- config# ipv6 mld ssm-map enable
- config# no ipv6 mld ssm-map query dns
- config# ipv6 mld ssm static <acl> <src>
Static Routes
- RPF checks can cause problems with tunnels
- config# ipv6 route ::/0 tunnel 0 multicast
Routing
- config# ipv6 multicast-routing
Basic Configuration
config# ipv6 unicast-routing
config-if# ipv6 address 10:5:1::2/48 [eui-64] (eui-64 derives the Interface ID from the MAC address)
Tunnels
config# interface tunnel 0
config-if# ipv6 address 3ffe:b00:c18:1::3/64
config-if# tunnel source 192.168.99.1
config-if# tunnel destination 192.168.30.1
config-if# tunnel mode ipv6ip
NAT
config-if# ipv6 nat
config-if# ipv6 nat prefix 2010:1111::/96 (must be 96)
config# route-map WORD1
config-route-map# match interface ethernet 0
config# ipv6 nat v6v4 source route-map WORD1
config# ipv6 nat v6v4 pool WORD2 192.168.1.10 192.168.1.50 prefix-length 24
config# ipv6 nat v4v6 source 192.168.1.2 2010:1111::1