IPv6 operation and best practices – documents to read
Unfortunately I don’t get to do much v6 at my job yet but I still like to stay updated on
what is happening. Do you run any v6 in your network? If so, do you run it native or tunneled
or something like 6PE?
Here are some interesting sources for operation of v6.
draft-matthews-v6ops-design-guidelines-01
This document discusses if IPv4 and IPv6 traffic
should be mixed on the same interface or should different interfaces be used? Should
link local or global addressing be used for routing? Should v6 routes be transferred
over v4 in BGP sessions?
draft-ietf-v6ops-enterprise-incremental-ipv6-01
This document is for deploying v6 in an enterprise network. Things like security policy,
addressing plan and IPv6 myths are brought up.
This document is purely about the advantages and disadvantages of only running link local
addresses.
Also, don’t miss out on information that is freely available at Cisco Live. Here are
some interesting sessions on IPv6 from Melbourne.
BRKRST-2301 – Enterprise IPv6 Deployment (2013 Melbourne)
BRKRST-1069 – Understanding IPv6 (2013 Melbourne)
ITMGEN-1313 – Preparing for IPv6 in the Enterprise (2013 Melbourne)
BRKRST-2311 – IPv6 Planning, Deployment and Troubleshooting (2013 Melbourne)
BRKSEC-2003 – IPv6 Security Threats and Mitigations (2013 Melbourne)
COCRST-2464 – Inside Cisco IT: Making The Leap To IPv6 (2013 Melbourne)
As you can see, IPv6 is a pretty big deal these days at Cisco Live. There are also
books, configuration guides and so on, but this should give you a good start on the challenges
and considerations you will face when deploying IPv6.
EIGRP named configuration
You might think that EIGRP, having been around for so long, is not getting any attention from
Cisco. Not true. EIGRP is still being developed, and in later releases you can run what
is called named configuration. With it you can put all EIGRP config under one named
instance, even v6, which is different from the old syntax. If you are on Twitter you should
follow Donnie Savage @diivious. He works for Cisco and is usually present at Cisco Live
presenting on the development of EIGRP.
We start out with the following topology.
So we start out by defining our instance and calling it corp.
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp corp
From there we have the following options:
R2(config-router)#?
Router configuration commands:
  address-family  Enter Address Family command mode
  default         Set a command to its defaults
  exit            Exit from routing protocol configuration mode
  no              Negate a command or set its defaults
  service-family  Enter Service Family command mode
  shutdown        Shutdown this instance of EIGRP
From here we can shutdown the process or configure different address families.
We start by setting up IPv4 in the global table.
R2(config-router)#address-family ipv4 autonomous-system 12
R2(config-router-af)#?
Address Family configuration commands:
  af-interface         Enter Address Family interface configuration
  default              Set a command to its defaults
  eigrp                EIGRP Address Family specific commands
  exit-address-family  Exit Address Family configuration mode
  help                 Description of the interactive help system
  maximum-prefix       Maximum number of prefixes acceptable in aggregate
  metric               Modify metrics and parameters for address advertisement
  neighbor             Specify an IPv4 neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  shutdown             Shutdown address family
  timers               Adjust peering based timers
  topology             Topology configuration mode
R2(config-router-af)#network 12.12.12.0 255.255.255.0
From here we define networks, setup static neighbors and configure EIGRP parameters.
We will use regular syntax on R2 for setting up EIGRP.
R2(config-if)#router eigrp 12
R2(config-router)#no auto
R2(config-router)#net 12.12.12.0 0.0.0.255
The session comes up.
%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is up: new adjacency
R2 is announcing its loopback. Let’s see if we receive that.
R1#sh ip route eigrp | be Gateway
Gateway of last resort is not set
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/2662400] via 12.12.12.2, 00:00:23, FastEthernet1/0
What more can we configure under the address-family?
R1(config-router-af)#af-interface f1/0
R1(config-router-af-interface)#?
Address Family Interfaces configuration commands:
  authentication      authentication subcommands
  bandwidth-percent   Set percentage of bandwidth percentage limit
  bfd                 Enable Bidirectional Forwarding Detection
  dampening-change    Percent interface metric must change to cause update
  dampening-interval  Time in seconds to check interface metrics
  default             Set a command to its defaults
  exit-af-interface   Exit from Address Family Interface configuration mode
  hello-interval      Configures hello interval
  hold-time           Configures hold time
  next-hop-self       Configures EIGRP next-hop-self
  no                  Negate a command or set its defaults
  passive-interface   Suppress address updates on an interface
  shutdown            Disable Address-Family on interface
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
We configure all EIGRP interface commands under the af-interface. We can set up
authentication of the peering.
R1(config-router-af)#af-interface f1/0
R1(config-router-af-interface)#authentication mode ?
  hmac-sha-256  HMAC-SHA-256 Authentication
  md5           Keyed message digest
R1(config-router-af-interface)#authentication mode md5
R1(config-router-af-interface)#authentication key-chain EIGRP
%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is down: authentication mode changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is up: new adjacency
What’s new here is that sha-256 is now also supported. From this af-interface mode
we can configure timers and BFD as well.
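An added example, not from the original post or from Cisco: a small audit that reads a named-mode EIGRP configuration and reports, per address family and af-interface, whether the peering is unauthenticated, uses md5, or uses hmac-sha-256. The sample configuration is constructed, and the argument form after hmac-sha-256 and the inheritance from af-interface default are assumptions about IOS behaviour.

```python
import re

# Constructed running-config excerpt in named-mode syntax (not from the post's
# routers). "7 PLACEHOLDER" after hmac-sha-256 is an assumed argument form.
SAMPLE_CONFIG = """\
router eigrp corp
 address-family ipv4 unicast autonomous-system 12
  af-interface FastEthernet1/0
   authentication mode md5
   authentication key-chain EIGRP
  exit-af-interface
 exit-address-family
 address-family ipv4 unicast vrf 13 autonomous-system 13
  af-interface default
   authentication mode hmac-sha-256 7 PLACEHOLDER
  exit-af-interface
  af-interface FastEthernet1/1
   authentication mode md5
   authentication key-chain EIGRP
  exit-af-interface
 exit-address-family
 address-family ipv6 unicast autonomous-system 14
  af-interface FastEthernet2/0
   hello-interval 2
  exit-af-interface
 exit-address-family
"""

def audit_eigrp_auth(config):
    """Map (address-family, af-interface) to an authentication verdict."""
    settings = {}                 # (family, iface) -> {"mode", "key_chain"}
    family = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("address-family "):
            family, iface = line[len("address-family "):], None
        elif line == "exit-address-family":
            family = iface = None
        elif family and line.startswith("af-interface "):
            iface = line.split(None, 1)[1]
            settings[(family, iface)] = {}
        elif line == "exit-af-interface":
            iface = None
        elif family and iface:
            mode = re.match(r"authentication mode (\S+)", line)
            if mode:
                settings[(family, iface)]["mode"] = mode.group(1)
            elif line.startswith("authentication key-chain "):
                settings[(family, iface)]["key_chain"] = True

    verdicts = {}
    for (fam, ifc), own in settings.items():
        # Assumption: "af-interface default" settings apply unless overridden.
        eff = {**settings.get((fam, "default"), {}), **own}
        if "mode" not in eff:
            verdicts[(fam, ifc)] = "NONE: adjacency is unauthenticated"
        elif eff["mode"] == "hmac-sha-256":
            verdicts[(fam, ifc)] = "OK: hmac-sha-256"
        elif eff.get("key_chain"):
            verdicts[(fam, ifc)] = "WEAK: md5, prefer hmac-sha-256"
        else:
            verdicts[(fam, ifc)] = "INCOMPLETE: md5 without key-chain"
    return verdicts
```

An interface that is not listed at all never appears in the result, so compare the keys against the interfaces covered by the network statements.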
Now we will configure IPv4 in a VRF called 13.
R1(config)#vrf definition 13
R1(config-vrf)#rd 13:13
R1(config-vrf)#int f1/1
R1(config-if)#no sh
R1(config-if)#vrf forwarding 13
R1(config-if)#ip add 13.13.13.1 255.255.255.0
R1(config-router)#address-family ipv4 vrf 13 autonomous-system 13
R1(config-router-af)#net 13.13.13.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 13: Neighbor 13.13.13.3 (FastEthernet1/1) is up: new adjacency
Do we receive any prefixes?
R1#sh ip route vrf 13 | be Gate
Gateway of last resort is not set
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/2662400] via 13.13.13.3, 00:00:31, FastEthernet1/1
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.13.13.0/24 is directly connected, FastEthernet1/1
L        13.13.13.1/32 is directly connected, FastEthernet1/1
Which we do. Nothing strange here, just a new syntax for defining VRFs compared
to the old ip vrf syntax.
Finally we will configure IPv6 peering as well. Because EIGRP sends packets from
the link-local address we don’t even need to configure a global IPv6 address.
R1(config-router)#int f2/0
R1(config-if)#ipv6 enable
R1(config-if)#no sh
R1(config-if)#router eigrp corp
R1(config-router)#address-family ipv6 autonomous-system 14
R1(config-router-af)#af-interface default
R1(config-router-af-interface)#no shut
The only difference here is that instead of defining a network we use the interface command
to enable it on all active IPv6 interfaces.
R1#sh ipv6 route eigrp
IPv6 Routing Table - default - 2 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
D   2001::/64 [90/2662400]
     via FE80::C803:82FF:FE80:1C, FastEthernet2/0
And that’s about it. Named configuration is made to unify configuration under
one instance and remove the commands that we used to type under the interface
like authentication and such. It’s now all done under the address-family.
In future posts I will look at Multi Topology Routing (MTR).
Tiebreakers with routes from different OSPF processes
This post is inspired by a discussion on Twitter with Ivan Pepelnjak and
Nicolas Michel. Nicolas asked what happens when there is the same route from two
different OSPF processes. Which one will be selected? Ivan explained how
to use the distance command. First, before I show how it works and why, we
need to explain a few basic concepts.
LSDB – Link State Database – All OSPF LSAs populate the LSDB
RIB – Routing Information Base – The best routes from every protocol
compete to get installed to the RIB
FIB – Forwarding Information Base – Routes are copied from the RIB
and used for forwarding (CEF)
CEF – Cisco Express Forwarding – The algorithm that Cisco uses for
the forwarding (FIB)
Taking OSPF as an example, this is how a route gets selected into the global RIB.
The routers exchange LSAs with each other. Within an area every router has the same
view of the network. These LSAs populate the LSDB. If there are multiple paths to
a destination they will compete with each other unless they are of the same type and equal
cost. Intra-area is preferred first, then inter-area and finally external routes. There is no
way of modifying this behaviour. The best route then goes to the OSPF RIB; there could be several
if they are equal. From there this route will compete with other routing protocols and the
AD will decide which one is installed. If the OSPF one is best then that one goes to the global
RIB. Finally the RIB populates the FIB with this information and forwarding can ensue.
This is a picture I made that describes the process.
We start out with a very basic topology looking like this.
R1 and R3 will announce the same network 1.1.1.1/32. R2 will use two different OSPF processes.
We start out with the basic configuration:
R1
R1(config)#int f1/0
R1(config-if)#ip add 12.12.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip ospf 1 area 0
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#ip ospf 1 area 0
R2
R2(config)#int f1/0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip ospf 1 area 0
R2(config-if)#int f1/1
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip ospf 3 area 0
%OSPF-5-ADJCHG: Process 1, Nbr 12.12.12.1 on FastEthernet1/0 from LOADING to FULL, Loading Done
We see the session coming up immediately. Now let’s bring up R3 as well.
R3
R3(config)#int f1/0
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ip ospf 3 area 0
R3(config-if)#int lo0
R3(config-if)#ip add 1.1.1.1 255.255.255.255
R3(config-if)#ip ospf 3 area 0
%OSPF-5-ADJCHG: Process 3, Nbr 23.23.23.2 on FastEthernet1/0 from LOADING to FULL, Loading Done
Both OSPF peerings are up. Now let’s follow the steps that were shown in
the picture above, starting by looking at the database.
R2#sh ip ospf data router 12.12.12.1
OSPF Router with ID (23.23.23.2) (Process ID 3)
OSPF Router with ID (12.12.12.2) (Process ID 1)
Router Link States (Area 0)
  LS age: 184
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 12.12.12.1
  Advertising Router: 12.12.12.1
  LS Seq Number: 80000003
  Checksum: 0xF78
  Length: 48
  Number of Links: 2
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 12.12.12.1
     (Link Data) Router Interface address: 12.12.12.1
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
We see that R1 is announcing 1.1.1.1/32 and we have a metric of 2 to it.
Do we see R3 announcing that as well?
R2#sh ip ospf data router 23.23.23.3
OSPF Router with ID (23.23.23.2) (Process ID 3)
Router Link States (Area 0)
  LS age: 148
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 23.23.23.3
  Advertising Router: 23.23.23.3
  LS Seq Number: 80000003
  Checksum: 0x54A7
  Length: 48
  Number of Links: 2
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 23.23.23.2
     (Link Data) Router Interface address: 23.23.23.3
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
Yes, it’s there. Now we take a look at the OSPF RIB. Which ones do we see there?
R2#sh ip ospf rib
OSPF Router with ID (23.23.23.2) (Process ID 3)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*   1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1
OSPF Router with ID (12.12.12.2) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*>  1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0
The greater than sign indicates that the one from OSPF process 1 was selected.
Why? When running multiple OSPF processes the one that first installs to the
RIB will be selected to the global RIB. Now we confirm by looking in the
global RIB.
R2# show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 12.12.12.1, 00:06:35, FastEthernet1/0
Yes, that looks correct. Final step is to verify that FIB is also updated.
R2#sh ip cef 1.1.1.1/32
1.1.1.1/32
  nexthop 12.12.12.1 FastEthernet1/0
So the one that first writes to the global RIB wins. Now let’s bring down the
process that is currently winning.
R2(config)#int f1/0
R2(config-if)#sh
R2(config-if)#
The OSPF RIB and global RIB should now be updated.
R2#show ip ospf rib
OSPF Router with ID (23.23.23.2) (Process ID 3)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*>  1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1
OSPF Router with ID (12.12.12.2) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
R2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 23.23.23.3, 00:00:42, FastEthernet1/1
Now if we bring back OSPF process 1, what will happen? Process 3 should still be
winning since it installed to global RIB first.
R2(config)#int f1/0
R2(config-if)#no sh
R2#sh ip ospf rib
OSPF Router with ID (2.2.2.2) (Process ID 11)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
OSPF Router with ID (23.23.23.2) (Process ID 3)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*   1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1
OSPF Router with ID (12.12.12.2) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*>  1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0
Now process 1 is winning, which is odd. Let’s debug ip routing to see what is
really happening. We shut down the interface in process 1.
*Mar 14 23:26:36.555: RT: del 1.1.1.1 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:26:36.559: RT: delete subnet route to 1.1.1.1/32
*Mar 14 23:26:36.579: RT: updating ospf 1.1.1.1/32 (0x0): via 23.23.23.3 Fa1/1
*Mar 14 23:26:36.583: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]
Now we bring back process 1.
*Mar 14 23:29:04.163: RT: updating ospf 1.1.1.1/32 (0x0): via 12.12.12.1 Fa1/0
*Mar 14 23:29:04.171: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:29:04.175: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]
We can see that IOS is claiming that the distance is lower, which it clearly is not.
What happens if we change process 1 to process 11 and we shut down the interface
in process 3?
R2(config)#int f1/1
R2(config-if)#sh
R2(config-if)#int f1/0
R2(config-if)#ip ospf 11 area 0
Now we look at the output from the debug.
*Mar 14 23:33:27.615: RT: updating ospf 1.1.1.1/32 (0x0): via 12.12.12.1 Fa1/0
*Mar 14 23:33:27.619: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:33:39.927: RT: updating connected 23.23.23.0/24 (0x0): via 0.0.0.0 Fa1/1
*Mar 14 23:33:39.931: RT: add 23.23.23.0/24 via 0.0.0.0, connected metric [0/0]
*Mar 14 23:33:39.939: RT: interface FastEthernet1/1 added to routing table
*Mar 14 23:33:39.947: RT: updating connected 23.23.23.2/32 (0x0): via 0.0.0.0 Fa1/1
*Mar 14 23:33:39.951: RT: network 23.0.0.0 is now variably masked
*Mar 14 23:33:39.951: RT: add 23.23.23.2/32 via 0.0.0.0, connected metric [0/0]
*Mar 14 23:33:55.447: RT: updating ospf 1.1.1.1/32 (0x0): via 23.23.23.3 Fa1/1
*Mar 14 23:33:55.455: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:33:55.455: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]
We can see that first process 11 is the only option available so the 1.1.1.1/32
route is installed via f1/0. Then f1/1 comes back up and now 1.1.1.1/32 is reachable
via f1/1 and is chosen because of “closer admin distance” which is not true. This must
mean that the OSPF process number is the tie breaker.
We take a look at the OSPF RIB and global RIB to verify once more.
R2#sh ip ospf rib
OSPF Router with ID (22.22.22.22) (Process ID 11)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*   1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0
OSPF Router with ID (23.23.23.2) (Process ID 3)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
*>  1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1
OSPF Router with ID (12.12.12.2) (Process ID 1)
Base Topology (MTID 0)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB
R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 23.23.23.3, 00:09:02, FastEthernet1/1
What if we change the AD of process 11?
R2(config)#router ospf 11
R2(config-router)#distance ospf intra-area 100
*Mar 14 23:43:31.315: RT: updating ospf 1.1.1.1/32 (0x0): via 12.12.12.1 Fa1/0
*Mar 14 23:43:31.319: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:43:31.323: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [100/2]
That makes process 11 win again. So these tests seem to indicate that if everything
is the same then the tiebreaker is the lowest process number. For EIGRP it is the
lowest AS number so maybe Cisco chose to make it comparable.
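An added example, not part of the original post: a parser for the debug ip routing lines shown above that replays them and flags every route replacement IOS logged as "closer admin distance" where the new route's AD was not actually lower than the installed one. The log lines are copied from the post; the function and field names are this example's own.

```python
import re

# Lines copied from the debug ip routing output earlier in this post.
DEBUG_LOG = """\
*Mar 14 23:26:36.555: RT: del 1.1.1.1 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:26:36.583: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]
*Mar 14 23:29:04.171: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:29:04.175: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:33:27.619: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:33:39.931: RT: add 23.23.23.0/24 via 0.0.0.0, connected metric [0/0]
*Mar 14 23:33:55.455: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:33:55.455: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]
*Mar 14 23:43:31.319: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:43:31.323: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [100/2]
"""

# The "del" and "closer admin distance" lines omit the mask, so routes are
# keyed by network address only.
ADD = re.compile(r"RT: add (\S+?)(?:/\d+)? via (\S+), (\S+) metric \[(\d+)/\d+\]")
DEL = re.compile(r"RT: del (\S+?)(?:/\d+)? via (\S+),")
FLUSH = re.compile(r"RT: closer admin distance for (\S+?)(?:/\d+)?, flushing")

def find_replacements(log):
    """Return one record per route replaced after a 'closer admin distance' flush."""
    installed = {}        # network -> (next hop, admin distance)
    pending = set()       # networks with a flush logged but no add yet
    events = []
    for line in log.splitlines():
        stamp = line.split(": RT:")[0].lstrip("*")
        if m := FLUSH.search(line):
            pending.add(m.group(1))
        elif m := DEL.search(line):
            installed.pop(m.group(1), None)
        elif m := ADD.search(line):
            net, via, ad = m.group(1), m.group(2), int(m.group(4))
            old = installed.get(net)
            if net in pending and old:
                pending.discard(net)
                events.append({
                    "time": stamp, "network": net,
                    "old_via": old[0], "new_via": via,
                    "old_ad": old[1], "new_ad": ad,
                    # False means something other than AD broke the tie.
                    "ad_really_closer": ad < old[1],
                })
            installed[net] = (via, ad)
    return events
```

On the post's output this reports three replacements: the first two happen at equal AD 110, and only the last one, after distance ospf intra-area 100, is a real AD win.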
Also take a look at what Ivan is saying at IOS hints
Some interesting RFCs
To stay updated on what’s happening in the network industry it doesn’t hurt to
read some RFCs and IETF drafts. Here are two I recommend that you read.
A comparison of IPv6 tunneling mechanisms – draft-steffann-tunnels-00
It describes different ways of tunneling v6. Could be very useful for a
CCIE candidate as well if you want to experiment with deploying v6 and can’t
dual stack yet.
This one describes how IP has evolved and some of the “networking truths” that
may not be true.
I recommend you read both of them.