ipv6 troubleshootingd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/brkrst-2302.pdf · brkrst-2302 ©...

© 2012 Cisco and/or its affiliates. All rights reserved. BRKRST-2302 Cisco Public

IPv6 Troubleshooting

BRKRST-2302


Agenda

Definition

Service Level Agreement – 5 9s 4 9s 3 9s

IPv6 addressing refresher

Troubleshooting approach in LAN/WAN environment

Troubleshooting FHRP

Troubleshooting IPv6 routing—OSPFv3,EIGRPv6,mBGP

Troubleshooting tunnels

Troubleshooting 6PE,6VPE

2


Definition and Purpose

A systematic search for the source of a problem so that it can be solved

To ensure that the system is available and operating in an effective and efficient manner as required in accomplishing its specified objective

3


Prerequisites

OSI stack

Hexadecimal numbering system—0 through F

Example A is decimal 10

IPv6 Addressing

IPv6 Routing

Tunneling TCP UDP

IPv4 IPv6

Data Link (Ethernet) 0x0800 0x86dd Protocol ID

4


Availability Down time / yr. Down time /month Down time / week

90% ("one nine") 36.5 days 72 hours 16.8 hours

99.9% ("three nines") 8.76 hours 43.2 minutes 10.1 minutes

99.95% 4.38 hours 21.56 minutes 5.04 minutes

99.99% ("four nines") 52.56 minutes 4.32 minutes 1.01 minutes

99.999% ("five nines") 5.26 minutes 25.9 seconds 6.05 seconds

99.9999% ("six nines") 31.5 seconds 2.59 seconds 0.605 seconds

High Availability - challenges

http://en.wikipedia.org/wiki/High_availability

5


Back 2 the Hex - IPv6 addressing refresher

6


Aggregatable Global Unicast Address Allocation Mechanism The strip from 0000:: to ffff::—

The first 16 bits of the total 128 bits

0000:: - loopback and unspecified

0001 IANA Registry ISP

0010 - 2000::/3 - 2001::/16 - 2001::/23 - 2001::/32 - 2001::/48

0011

0100

0101

ffff::

Typical site prefix allocation from ISP

Allocation from Registries to ISP

ARIN APNIC AFRINIC LACNIC RIPE

Note – Enterprises can get PI prefix from ARIN

7


IPv6 Site Addressing Common Misconception

Example—Allocated prefix is 2001:0db8:1234::/48

That means 16 bits are available to generate 64 K subnets from the allocated prefix

You have 2001:0db8:1234:0001::/64, 2001:0db8:1234:0002::/64, etc as your subnet prefixes

2001:0db8:1234::/48 - 2001:0db8:1234:0000::/64

to

2001:0db8:1234:ffff::/64

65535 subnets Not hosts

8


A Typical IPv6 Interface on a Router

R1#sh ipv6 interface

Ethernet0/0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:A00

Global unicast address(es):

2001:DB8:1234:5678:A8BB:CCFF:FE00:A00

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:A00

All Nodes Multicast Address—Node scope

All Routers Multicast Address—Link scope

Solicited Node Multicast Address

Valid only on the link

Reachable Globally

9


Dual Stack—IPv4 and IPv6

IPv6-router#sh run int gigabitEthernet 2/2

Building configuration...

interface GigabitEthernet2/2

ip address 192.168.1.1 255.0.0.0

ipv6 address 2001:DB8:1234:5678::/64 eui-64

end

Nodes supporting IPv4 and IPv6 is Dual Stack

Note – Nexus OS follows secondary address CLI for now. Multiple addresses can be assigned to a single interface. In IPv6 no concept of secondary address.

10


Let The Trouble Shooting Begin

Connectivity

11


A Peek Inside the IPv6 Basic Header

Next Header

Hop Limit

Flow Label Traffic Class

Destination Address

Source Address

Payload Length

Version

R10#debug ipv6 icmp R10#ping 2001:DB8:ABCD:BCDF:A8BB:CCFF:FE00:3200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:ABCD:BCDF:A8BB:CCFF:FE00:3200, timeout is 2 seconds !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/53/72 ms Mar 23 20:31:28.495: IPv6: nexthop FE80::A8BB:CCFF:FE00:1400, Mar 23 20:31:28.495: IPV6: source 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 (local) Mar 23 20:31:28.495: dest 2001:DB8:ABCD:BCDF:A8BB:CCFF:FE00:3200 (Ethernet0/0) Mar 23 20:31:28.495: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating

12


ICMPv6 ND Message Types Captured

Router solicitation (ICMPv6 type 133) ‒Mar 24 23:07:32.721: ICMPv6-ND: Received RS on Ethernet1/0 from FE80::A8BB:CCFF:FE00:2801

Router advertisement (ICMPv6 type 134) ‒Mar 24 22:59:17.205: ICMPv6-ND: Sending RA to FF02::1 on Ethernet1/0

Neighbor solicitation (ICMPv6 type 135) ‒Mar 24 22:58:29.417: ICMPv6-ND: Received NS for FE80::A8BB:CCFF:FE00:A00 on Ethernet0/0 from FE80::A8BB:CCFF:FE00:1400

Neighbor advertisement (ICMPv6 type 136) ‒Mar 24 22:58:29.417: ICMPv6-ND: Sending NA for FE80::A8BB:CCFF:FE00:A00 on Ethernet0/0

13


Stateless Address Assignment Through RA (Router Advertisement)

R20#sh run Building configuration... Current configuration : 89 bytes ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:1234:5678::/64 eui-64 end

R10#sh run Building configuration... Current configuration interface Ethernet0/0 no ip address ipv6 address autoconfig ipv6 enable end

What is missing

Router R20 Will Not Send Any Prefix and as a Result Router R10 Will Not Receive Any Global Prefix

R20

R10

14


IPv6 Unicast Address Configuration

1. Configure IPv6 unicast routing globally

IPv6-router(config)#ipv6 unicast-routing

2. On the interface, a global unicast address can be configured using stateless (router advertisements), stateful (DHCP) or administrator assigned

stateless IPv6-router(config-if)#ipv6 address autoconfig admin assigned IPv6-router(config)#int gigabitEthernet 2/2 IPv6-router(config-if)#ipv6 address 2001:0db8:1234:5678::/64 eui-64 IPv6-router(config-if)#end

Yes, you have to configure

Required Steps

15


Debug Captures of SLAAC

R10#

*Feb 2 22:18:25.455: ICMPv6-ND: Sending RS on Ethernet0/0

*Feb 2 22:18:25.475: ICMPv6-ND: Received RA from FE80::A8BB:CCFF:FE00:1400 on Ethernet0/0

*Feb 2 22:18:25.475: ICMPv6-ND: Sending NS for 2001:DB8:1234:5678:A8BB:CCFF:FE00:A00 on Ethernet0/0

*Feb 2 22:18:25.475: ICMPv6-ND: Autoconfiguring 2001:DB8:1234:5678:A8BB:CCFF:FE00:A00 on Ethernet0/0

R20#

*Feb 2 22:14:01.107: ICMPv6-ND: Sending RA to FF02::1 on Ethernet0/0

*Feb 2 22:14:01.107: ICMPv6-ND: MTU = 1500

*Feb 2 22:14:01.107: ICMPv6-ND: prefix = 2001:DB8:1234:5678::/64 onlink autoconfig

PPPOE - IPv6CP does not support negotiating addresses. you have to use SLAAC or DHCPv6

16


Interface Now Has a Global Address R10#show ipv6 interface ethernet 0/0

Ethernet0/0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:A00

Global unicast address(es):

2001:DB8:1234:5678:A8BB:CCFF:FE00:A00, subnet is 2001:DB8:1234:5678::/64 [PRE]

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:A00

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 0 milliseconds

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses.

On P2P serial links, when looped DAD kicks in and interface does not process IPv6 packets. You may disable DAD to get around

17


/64 Requirement for autoconfig

R10# Mar 17 19:28:45.119: ICMPv6-ND: Sending RA to FF02::1 on Ethernet1/0 Mar 17 19:28:45.119: ICMPv6-ND: MTU = 1500 Mar 17 19:28:45.119: ICMPv6-ND: prefix = 2001:DB8:1040:1040::/96 onlink autoconfig

*Mar 1 18:28:24.775: ICMPv6: Received ICMPv6 packet from FE80::A8BB:CCFF:FE00:A01, type 134 R40#show ipv6 interface eth 1/0 Ethernet1/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:2801 No Virtual link-local address(es): No global unicast address is configured

RA

R10 e1/0

e1/0

R40

18


/64 Requirement for autoconfig R10#sh run int eth 1/0

Building configuration... interface Ethernet1/0 no ip address no ip directed-broadcast ipv6 address 2001:DB8:1040:1040::/96 end R10(config-if)#ipv6 address 2001:DB8:1040:1040::/64 eui

R10(config-if)# Mar 17 19:37:44.795: ICMPv6-ND: Adding prefix 2001:DB8:1040:1040::/64 to Ethernet1/0 Mar 17 19:37:44.795: ICMPv6-ND: Sending NS for 2001:DB8:1040:1040:A8BB:CCFF:FE00:A01 on Ethernet1/0 Mar 17 19:37:45.815: ICMPv6-ND: DAD: 2001:DB8:1040:1040:A8BB:CCFF:FE00:A01 is unique. Mar 17 19:37:45.815: ICMPv6-ND: Sending NA for 2001:DB8:1040:1040:A8BB:CCFF:FE00:A01 on Ethernet1/0 Mar 17 19:37:45.815: ICMPv6-ND: Address 2001:DB8:1040:1040:A8BB:CCFF:FE00:A01/64 is up on Ethernet1/0

ICMPv6 Type 135

R40# *Mar 1 18:43:56.427: ICMPv6: Received ICMPv6 packet from FE80::A8BB:CCFF:FE00:1400, type 134 R40#show ipv6 interface eth1/0 Ethernet1/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:2801 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:1040:1040:A8BB:CCFF:FE00:2801, subnet is 2001:DB8:1040:1040::/64

R10 e1/0 e1/0

R40

19


Neighbor Relationship Using Link Local Addresses

R20#sh ipv6 routers

Router FE80::A8BB:CCFF:FE00:A00 on Ethernet0/0, last update 1 min

Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500

Reachable time 0 msec, Retransmit time 0 msec

Router FE80::A8BB:CCFF:FE00:2800 on Ethernet0/0, last update 1 min

Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500

Reachable time 0 msec, Retransmit time 0 msec

R20#

20


Neighbor cache

21

Router# show ipv6 neighbors ethernet 2 IPv6 Address Age Link-layer Addr State Interface 2000:0:0:4::2 0 0003.a0d6.141e REACH Ethernet2 FE80::203:A0FF:FED6:141E 0 0003.a0d6.141e REACH Ethernet2 3001:1::45a - 0002.7d1a.9472 REACH Ethernet2


show ipv6 neighbors

Age Time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates a static entry. Link-layer Addr MAC address. If the address is unknown, a hyphen (-) is displayed. State The state of the neighbor cache entry. Following are the states for dynamic entries in the IPv6 neighbor discovery cache:

22


show ipv6 neighbors (continued)

•INCMP (Incomplete)—Address resolution is being performed on the entry. A neighbor solicitation message has been sent to the solicited-node multicast address of the target, but the corresponding neighbor advertisement message has not yet been received. •REACH (Reachable)—Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While in REACH state, the device takes no special action as packets are sent. •STALE—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While in STALE state, the device takes no action until a packet is sent.

23


Show ipv6 neighbors (continued)

•DELAY—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. A packet was sent within the last DELAY_FIRST_PROBE_TIME seconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a neighbor solicitation message and change the state to PROBE. •PROBE—A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer milliseconds until a reachability confirmation is received •????—Unknown state.

24


Show ipv6 neighbors (static entries)

25

Following are the possible states for static entries in the IPv6 neighbor discovery cache: •INCMP (Incomplete)—The interface for this entry is down. •REACH (Reachable)—The interface for this entry is up. Note Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache; therefore, the descriptions for the INCMP (Incomplete) and REACH (Reachable) states are different for dynamic and static cache entries.


Neighbor stats = arp sum

R10#sh ipv6 neigh stat IPv6 ND Statistics Entries 1, High-water 2, Gleaned 0, Scavenged 1, Static 0 Entry States INCMP 0 REACH 1 STALE 0 GLEAN 0 DELAY 0 PROBE 0 Resolutions Requested 2, timeouts 0, resolved 1, failed 0 In-progress 0, High-water 1, Throttled 0, Data discards 0 NUD Requested 0, timeouts 0, resolved 0, failed 0 in-progress 1, high-water 2, throttled 0, current queue 0, queue high-water 0

26


Good Neighbors

27

Nx7010-# show ipv6 neighbor vrf CiscoLive_2012 Flags: # - Adjacencies Throttled for Glean G - Adjacencies of vPC peer with G/W bit IPv6 Adjacency Table for VRF CiscoLive_2012 Total number of entries: 10 Address Age MAC Address Pref Source Interface fe80::222:55ff:fe79:2c42 2d02h 0022.5579.1c42 50 icmpv6 Vlan351 fe80::20c:bdff:fe02:abf1 1d21h 000c.bd02.abf1 50 icmpv6 Vlan201 2106:abbc:d00d:801::2 2d02h 0022.4579.1c42 50 icmpv6 Vlan501

For cache use N7K-7009-3# show ipv6 icmp neighbor Flags: + - Adjacencies synced via CFSoE # - Adjacencies Throttled for Glean ICMPv6 Adjacency Table for VRF default Address Age MAC Address State Interface


Common issue – Router Hardening ?

28

6CE_1#show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400 0 - INCMP Et0/0

6VPE_1#sh run int eth 0/0 Building configuration... Current configuration : 187 bytes ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:1234:5678::/64 eui-64 ipv6 traffic-filter ciscolive2012 in ipv6 traffic-filter ciscolive2012 out ipv6 nd ra suppress End


ICMPv6 needs free but controlled flow

29

6VPE_1#show ipv6 access-list IPv6 access list ciscolive2012 deny icmp any any (114 matches) sequence 50 permit ipv6 any any (3 matches) sequence 60 6CE_1# *Mar 29 19:00:12.415: ICMPv6: Received ICMP unreachable code 1 from FE80::A8BB:CCFF:FE00:1400 6VPE_1(config-ipv6-acl)#no deny icmp any any 6CE_1#show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400 0 aabb.cc00.1400 REACH Et0/0 FE80::A8BB:CCFF:FE00:1400 0 aabb.cc00.1400 REACH Et0/0


Testing Connectivity on Link Local Address Directly connected IPv6 hosts do not need global unicast prefixes assigned and can “talk” to

each other on link local addresses (FE80::/10). However, an output interface needs to be specified as all the interfaces have the same fe80::/10 prefix

FE80::A8BB:CCFF:FE00:A00

FE80::A8BB:CCFF:FE00:1400

R1#ping FE80::A8BB:CCFF:FE00:1400 Output Interface: ethernet0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to FE80::A8BB:CCFF:FE00:1400, timeout is 2 seconds: Packet sent with a source address of FE80::A8BB:CCFF:FE00:A00 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms R1#

R2

No packet loss as in IPv4. FF02:0:0:0:0:1:FF/104 based Neighbor discovery

R1

30


Testing Connectivity on Global Prefixes

Global prefixes reachability does not need output interface specified

R1

R2

2001:DB8:1234:5678:A8BB:CCFF:FE00:1400

2001:DB8:1234:5678:A8BB:CCFF:FE00:A00

R1#ping 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/32 ms R1#

"Unreach" counter corresponds to "Destination Unreachable Message"

31

R1


Testing Connectivity on Global Prefixes

IPv6: Packets addressed to unused addresses in P2P links are pingponged)

R1

R2 ping-pong issue identified in RFC 6164. for XR See CSCtf64096 . IOS/XE are fine.

/127 issue

:0 and :1 are the addresses – Not :1 and :2

32

/126 issue


Anycast Prefixes

R10

R20

R30

R20#sh run int eth 0/0 Building configuration... Current configuration : 129 bytes ! interface Ethernet0/0 ipv6 address 2001:DB8:1230:1230::/64 anycast

R30#sh run int eth 0/0 Building configuration... Current configuration : 129 bytes ! interface Ethernet0/0 ipv6 address 2001:DB8:1230:1230::/64 anycast

Anycast suffix required

Anycast address will never be the source. Assigned on Routers only

33


Anycast Behavior

R10#ping 2001:DB8:1230:1230:: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:1230:1230::, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/44/132 ms R10# R10#ping 2001:DB8:1230:1230:: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:1230:1230::, timeout is 2 seconds: ....! Success rate is 20 percent (1/5), round-trip min/avg/max = 1060/1060/1060 ms R10#ping 2001:DB8:1230:1230:: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:1230:1230::, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/128 ms R10#

R10

R20

R30

Initially only R30 responds

R20 responds only after R30 fails to

Neighbor Discovery Based in LAN

34


Anycast Interfaces – back to back

35

6CE_1#sh run int eth 0/0 Building configuration... Current configuration : 90 bytes ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:1234:5678::/64 anycast end

6VPE_1#show ipv6 interface Ethernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:1400 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:1234:5678::, subnet is 2001:DB8:1234:5678::/64 [ANY] ND DAD is enabled, number of DAD attempts: 1


Anycast Neighbor Cache struggle

36

6CE_1#show ipv6 neighbors IPv6 Address Link-layer Addr State Interface 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400 0 - INCMP Et0/0 *Mar 28 22:20:30.971: ICMPv6-ND: INCMP -> DELETE: 2001:DB8:1234:5678:A8BB:CCFF:FE00:1400 6CE_1#show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface FE80::A8BB:CCFF:FE00:1400 7 aabb.cc00.1400 STALE Et0/0


FHRP Diving Catches

37


FHRP: HSRP The Required Steps

Gateway R10

R20

IPv6 hosts learn of available IPv6 routers through IPv6 neighbor discovery RA messages. These are multicast periodically, or may be solicited by hosts. HSRP is designed to provide only a virtual first hop for IPv6 hosts.

R10(config-if)#standby ipv6 ? X:X:X:X::X IPv6 link-local address autoconfig Obtain address using autoconfiguration R10(config-if)#standby ipv6 FE80::A8BB:CCFF:FE00:A00 % HSRP version 2 is required for IPv6 support R10(config-if)#standby ipv6 FE80::A8BB:CCFF:FE00:A00

% Address already in-use

Use a different Link Local address or use the autoconfig option

38


FHRP: HSRP R10

R20

R10#sh run int eth 0/0 Building configuration... Current configuration : 191 bytes ! interface Ethernet0/0 ipv6 address 2001:DB8:1230:1230::/64 eui-64 ipv6 enable standby version 2 standby 0 ipv6 autoconfig standby 0 priority 200 standby 0 preempt end

R20#sh run int eth 0/0 Building configuration... Current configuration : 191 bytes ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:1230:1230::/64 eui-64 ipv6 enable standby version 2 standby 0 ipv6 autoconfig standby 0 priority 150 standby 0 preempt end

R10(config-if)# 00:11:40: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 0 state Speak -> Standby 00:11:40: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 0 state Standby -> Active

Gateway

39


R10#show standby Ethernet0/0 - Group 0 (version 2) State is Active 4 state changes, last state change 01:00:16 Virtual IP address is FE80::5:73FF:FEA0:0 Active virtual MAC address is 0005.73a0.0000 Local virtual MAC address is 0005.73a0.0000 (v2 IPv6 default) Hello time 3 sec, hold time 10 sec Next hello sent in 1.820 secs Preemption enabled Active router is local Standby router is FE80::A8BB:CCFF:FE00:1400, priority 150 (expires in 8.920 sec) Priority 200 (configured 200) IP redundancy name is "hsrp-Et0/0-0" (default)

FHRP: HSRP Validation R10

R20

Gateway

40


FHRP: HSRP Validation

R10

R20

R30#ping ipv6 Target IPv6 address: FE80::5:73FF:FEA0:0 Repeat count [5]: 10000 Datagram size [100]: Timeout in seconds [2]: Extended commands? [no]: Sweep range of sizes? [no]: Output Interface: ethernet0/0 Type escape sequence to abort. Sending 10000, 100-byte ICMP Echos to FE80::5:73FF:FEA0:0, timeout is 2 seconds: Packet sent with a source address of FE80::A8BB:CCFF:FE00:1E00 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! R10(config)#int eth 0/0 R10(config-if)#shut R10(config-if)# 00:25:42: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 0 state Active -> Init R10(config-if)# 00:25:44: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down 00:25:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down R10(config-if)#no shut R10(config-if)# 00:25:58: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up 00:25:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up 00:26:00: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 0 state Listen -> Active

Virtual IPv6 address

Gateway

Global VIP HSRP 11/12

41


OSPFv3 Pit Falls

42


OSPFv3 Header and Hello Packet

Rtr Pri

Neighbor ID

HelloInterval RouterDeadIntervalDesignated Router

Backup Designated Router

Interface IDOptions

Version Type

Instance ID 0

Router IDArea ID

Packet Length

Checksum

Basic Header 16 Bytes

Hello Packet

32 Bit RID

Not Network Mask

43


e0/0 e0/0

OSPFv3 Configuration Needs

R10#sh run int Building configuration... Current configuration : 137 bytes ipv6 unicast-routing ! interface Ethernet0/0 ipv6 address 2001:DB8:1240:1240::/64 eui-64 ipv6 ospf 124 area 0 ipv6 router ospf 124 router-id 0.0.10.0 log-adjacency-changes

R20#sh run int eth 0/0 Building configuration… Current configuration : 137 bytes ipv6 unicast-routing ! interface Ethernet0/0 ipv6 address 2001:DB8:1240:1240::/64 eui-64 ipv6 ospf 124 area 0 ipv6 router ospf 124 router-id 0.0.20.0 log-adjacency-changes

R20(config)#ipv6 router ospf 124 *Feb 5 04:06:07.314: %OSPFv3-4-NORTRID: OSPFv3 process 124 could not pick a router-id, please configure manually R20(config-rtr)#router-id 0.0.20.0

Process ID need not match between Neighbors

R10 e0/0 e0/0

R20

44


OSPFv3-Related Multicast Group

R10#sh ipv6 interface eth 0/0

Ethernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:A00 Global unicast address(es): 2001:DB8:1240:1240:A8BB:CCFF:FE00:A00, subnet is 2001:DB8:1240:1240::/64 [EUI]

Joined group address(es): FF02::1 FF02::2 FF02::5 FF02::6

AllSPFRouters

AllDRouters

45


Common Indicators

R20#sh ipv6 ospf interface Ethernet0/0 is up, line protocol is up Link Local Address FE80::A8BB:CCFF:FE00:1400, Interface ID 2 Area 0, Process ID 124, Instance ID 0, Router ID 20.20.20.20 Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 10.10.10.10, local address FE80::A8BB:CCFF:FE00:A00 Backup Designated router (ID) 20.20.20.20, local address FE80::A8BB:CCFF:FE00:1400 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:00 Index 1/1/1, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 0, maximum is 2 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 2, Adjacent neighbor count is 2 Adjacent with neighbor 40.40.40.40 Adjacent with neighbor 10.10.10.10 (Designated Router) Suppress hello for 0 neighbor(s)

Remember OSPFv3 can run multiple instances on a interface and 0 is the default instance ID

Timers should match between neighbors

46


show ipv6 ospf

R20#show ipv6 ospf Routing Process "ospfv3 124" with ID 0.0.20.0 It is an area border router SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 0. Checksum Sum 0x0 Number of areas in this router is 2. 2 normal 0 stub 0 nssa Area BACKBONE(0) Number of interfaces in this area is 1 SPF algorithm executed 11 times Number of LSA 10. Checksum Sum 0x567F6 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0

47


database database: Summary Process 124 database summary

LSA Type Count Delete Maxage

Router 6 0 0 Network 1 0 0 Link 7 0 0 Prefix 4 0 0 Inter-area Prefix 4 0 0 Inter-area Router 0 0 0 Type-7 External 0 0 0 Unknown 0 0 0 Type-5 Ext 0 0 0 Unknown AS 0 0 0 Total 22 0 0

48


Mismatched Hello Parameters

R50 S3/0 S2/0

R20#sh run int serial 3/0 Building configuration... Current configuration : 137 bytes ipv6 unicast-routing ! interface serial3/0 ipv6 address 2001:DB8:1223:1223::/64 eui-64 ipv6 ospf 124 area 0 Ipv6 ospf network point-to-multipoint R20#

R30#sh run int serial 3/0 Building configuration... Current configuration : 177 bytes ipv6 unicast-routing ! interface serial0/0 ipv6 address 2001:DB8:1223:1223::/64 eui-64 ipv6 ospf 124 area 0 R30#

R20#sh ipv6 ospf interface ser 3/0 Serial2/0 is up, line protocol is up Link Local Address FE80::A8BB:CCFF:FE00:1400, Interface ID 4 Area 1, Process ID 124, Instance ID 0, Router ID 20.20.20.20 Network Type POINT_TO_MULTIPOINT, Cost: 48 Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT, Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 Hello due in 00:00:20 Index 1/1/2, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 0, maximum is 0 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 0, Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s)

Interface- Network type mismatch

R20

49


R20# *Feb 5 20:47:21.205: OSPFv3: Rcv hello from 50.50.50.50 area 1 from Serial3/0 FE80::A8BB:CCFF:FE00:3200 interface ID 10 *Feb 5 20:47:21.205: OSPFv3: Mismatched hello parameters from FE80::A8BB:CCFF:FE00:3200

After matching/rectifying the network types on the interfaces R20# *Feb 5 20:52:35.369: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from DOWN to INIT, Received Hello R20# *Feb 5 20:52:38.961: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from INIT to 2WAY, 2-Way Received *Feb 5 20:52:38.961: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from 2WAY to EXSTART, AdjOK? *Feb 5 20:52:38.981: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from EXSTART to EXCHANGE, Negotiation Done *Feb 5 20:52:39.105: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from EXCHANGE to LOADING, Exchange Done *Feb 5 20:52:39.105: %OSPFv3-5-ADJCHG: Process 124, Nbr 50.50.50.50 on Serial3/0 from LOADING to FULL, Loading Done

Mismatched Hello Parameters

50


IP MTU Mismatch

interface Ethernet0/0 ipv6 address 2001:DB8:1020:1020::/64 eui-64 ipv6 mtu 1400 ipv6 ospf 124 area 0

*Feb 15 18:20:04.332: OSPFv3: Rcv DBD from 40.40.40.40 on Ethernet0/0 seq 0x2693 opt 0x0013 flag 0x7 len 28 mtu 1400 state EXCHANGE *Feb 15 18:20:04.332: OSPFv3: Nbr 40.40.40.40 has smaller interface MTU

Ensure identical MTU on both ends of the link

*Feb 15 18:31:56.888: %OSPFv3-5-ADJCHG: Process 124, Nbr 40.40.40.40 on Ethernet0/0 from EXSTART to EXCHANGE, Negotiation Done R20(config-if)# *Feb 15 18:32:01.916: %OSPFv3-5-ADJCHG: Process 124, Nbr 40.40.40.40 on Ethernet0/0 from EXCHANGE to LOADING, Exchange Done *Feb 15 18:32:01.916: %OSPFv3-5-ADJCHG: Process 124, Nbr 40.40.40.40 on Ethernet0/0 from LOADING to FULL, Loading Done

R40 e0/0 e0/0

R10

51


passive-interface Default

ipv6 router ospf 124 router-id 0.0.0.10 log-adjacency-changes passive-interface default

R40 e1/0 e1/0

R10(config-rtr)#no passive-interface ethernet 1/0 R10(config-rtr)# *Feb 8 18:28:08.757: %OSPFv3-5-ADJCHG: Process 124, Nbr 40.40.40.40 on Ethernet1/0 from LOADING to FULL, Loading Done

R10

52


Area Type Mismatch

R10#

ipv6 router ospf 124 router-id 10.10.10.10 log-adjacency-changes area 2 nssa

R40 e1/0 e1/0

R40# ipv6 router ospf 124 router-id 40.40.40.40 log-adjacency-changes area 2 nssa

*Feb 8 18:32:20.237: OSPFv3: Hello from FE80::A8BB:CCFF:FE00:2801 with mismatched NSSA option bit

*Feb 8 18:35:29.268: %OSPFv3-5-ADJCHG: Process 124, Nbr 40.40.40.40 on Ethernet1/0 from LOADING to FULL, Loading Done

Change area type

ABR

R10

53


The Routing Table

R10#sh ipv6 route ospf IPv6 Routing Table - 13 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

OI 2001:DB8:2030:2030::/64 [110/122] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0 OI 2001:DB8:2050:2050::/64 [110/58] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0 OI 2001:DB8:2323:2323::/64 [110/122] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0

Link local next hop

54


Loopback Interface Behavior R50#show ipv6 ospf interface lo 0

Loopback0 is up, line protocol is up Link Local Address FE80::A8BB:CCFF:FE00:3200, Interface ID 20 Area 1, Process ID 124, Instance ID 0, Router ID 50.50.50.50 Network Type LOOPBACK, Cost: 1 Loopback interface is treated as a stub Host

O 2001:DB8:ABCD:BCDF:A8BB:CCFF:FE00:3200/128 [110/10]

R50# R50(config-if)#ipv6 ospf network point-to-point R50(config-if)#end R50#show ipv6 ospf interface lo 0 Loopback0 is up, line protocol is up Link Local Address FE80::A8BB:CCFF:FE00:3200, Interface ID 20 Area 1, Process ID 124, Instance ID 0, Router ID 50.50.50.50 Network Type POINT_TO_POINT, Cost: 1

OI 2001:DB8:ABCD:BCDF::/64 [110/59]

Routing table extract

55


Instance ID: No Support at This Time

Router#sh run interface ethernet 0/0 Building configuration... Current configuration : 156 bytes! interface Ethernet0/0 ipv6 address 2001:DB8:1234:5678::/64 eui-64 ipv6 ospf 1 area 0 instance 1 Router(config)#int eth 0/0 Router(config-if)#ipv6 ospf 2 area 0 instance 2

Router#sh run interface ethernet 0/0 Building configuration... Current configuration : 156 bytes ! interface Ethernet0/0 ip address 12.12.12.1 255.255.255.0 ipv6 address 2001:DB8:1234:5678::/64 eui-64 ipv6 ospf 2 area 0 instance 2

Just over writes the configuration

56


EIGRPv6 challenges

57


Prerequisites for EIGRPv6

EIGRPv6 available since 02/06 in 12.4.x.T trains

FF02::A multicast address is used for updates

A 32 bit IPv4 router ID must be defined

No Shut command applied to EIGRP process

Interfaces need to be applied with IPv6 EIGRP <as-num> command to be advertised in to EIGRPv6

Recall – Hex A is Decimal 10

58


Neighbor Process R10#sh run

Building configuration... Current configuration : 127 bytes

ipv6 router eigrp 124 router-id 10.10.10.10 shutdown ! interface Ethernet0/0 ipv6 address 2001:DB8:1020:1020::/64 eui-64 ipv6 eigrp 124 ipv6 ospf 124 area 0 end

R40#sh run Building configuration... Current configuration : 127 bytes

ipv6 router eigrp 124 router-id 10.10.10.10 no shutdown interface Ethernet0/0 ipv6 address 2001:DB8:4012:4012::/64 eui-64 ipv6 eigrp 124 end R40#

R10(config)#ipv6 router eigrp 124 R10(config-rtr)#no shut R10(config-rtr)# *Feb 12 20:16:22.640: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 124: Neighbor FE80::A8BB:CCFF:FE00:2800 (Ethernet0/0) is up: new adjacency

Interfaces need not be on the same subnet

R40 e0/0 e0/0

Hello

R10

59


EIGRPv6-Enabled Interface

R40#show ipv6 interface ethernet 0/0 Ethernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:2800 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:1240:1240:A8BB:CCFF:FE00:2800, subnet is 2001:DB8:1240:1240::/64 [EUI] Joined group address(es): FF02::1 FF02::2 FF02::5 FF02::A FF02::1:FF00:2800

This interface has joined the EIGRPv6 multicast group

60


R40# show ipv6 eigrp neighbors

IPv6-EIGRP neighbors for process 124 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 Link-local address: Et0/0 12 00:03:01 23 200 0 3 FE80::A8BB:CCFF:FE00:A00

Count down before declaring neighbor down

Neighbor Discovered Since

Neighbor Response Time

Wait time before next Xmission if no ACK

EIGRPv6 Neighbor

61


Neighbor-Changes Messages- What Do They Mean?

Peer restarted—neighbor reset relationship; why did relationship bounce?

New adjacency—new neighbor relationship with this neighbor at initial startup or after recovering from a neighbor that went down

Holding time expired—No EIGRP packets from this neighbor for the duration of the hold time; typically 15 seconds (180 seconds for low-speed NBMA)

Retry limit exceeded—neighbor didn’t acknowledge a reliable packet after at least 16 retransmissions

62


R10#show ipv6 eigrp topology IPv6-EIGRP Topology Table for AS(124)/ID(10.10.10.10) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 2001:DB8:1010:1010::/64, 1 successors, FD is 128256 via Connected, Loopback0 P 2001:DB8:4012:4012::/64, 1 successors, FD is 307200 via FE80::A8BB:CCFF:FE00:2800 (307200/281600), Ethernet0/0

EIGRP Topology

Feasible distance

Computed distance

Reported distance

Successor

63


Multiple Addresses on an Interface

R50#sh run int ser 2/0 Building configuration... Current configuration : 228 bytes ! interface Serial2/0 no ip address ipv6 address 2001:DB8:2050:2050::/64 eui-64 ipv6 address 2001:DB8:ABCD:ABCD::/64 eui-64 ipv6 eigrp 124 serial restart-delay 0 end

No concept of Primary/Secondary— all prefixes are advertised by default

R40 e0/0 e0/0

R50 R10

64


Routing Table for Multiple Prefixes Received from the Same Interface

R40#show ipv6 route eigrp IPv6 Routing Table - 16 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 D - EIGRP, EX - EIGRP external D 2001:DB8:1010:1010::/64 [90/409600] via FE80::A8BB:CCFF:FE00:A00, Ethernet0/0 D 2001:DB8:2050:2050::/64 [90/2195456] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0 D 2001:DB8:ABCD:ABCD::/64 [90/2707456] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0

R40#ping 2001:DB8:2050:2050:A8BB:CCFF:FE00:3200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:2050:2050:A8BB:CCFF:FE00:3200, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms R40#

65


Expired Hold Timer

The hold time expires when an EIGRP packet is not received during hold time

‒Typically caused by congestion or physical errors Router crash, powered off, disconnected, etc.

‒Link issues (input/output queue drops, etc.)

‒Network between us may be dropping packets (CRC errors, frame errors, excessive collisions)

e0/0 R40

e0/0 R10

66


Ping to Verify

Ping the multicast address FF02::A from the other router

R40#ping ff02::a Output Interface: ethernet0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to FF02::A, timeout is 2 seconds: Packet sent with a source address of FE80::A8BB:CCFF:FE00:2800

Reply to request 0 received from FE80::A8BB:CCFF:FE00:1400, 16 ms Reply to request 1 received from FE80::A8BB:CCFF:FE00:1400, 0 ms Reply to request 2 received from FE80::A8BB:CCFF:FE00:1400, 4 ms Reply to request 3 received from FE80::A8BB:CCFF:FE00:1400, 0 ms Reply to request 4 received from FE80::A8BB:CCFF:FE00:A00, 0 ms Success rate is 100 percent (5/5), round-trip min/avg/max = 0/4/16 ms 5 multicast replies and 0 errors. R40#

Ensure you ping for the correct neighbor

67


MPBGP – Multiple Guards

68


Multiprotocol BGP

Multiprotocol BGP is an enhanced BGP that carries routing information for multiple network layer protocol address families, for example, IPv6 address family and for IP multicast routes. All BGP commands and routing policy capabilities can be used with multiprotocol BGP.

69


Address Family Information/Sub-AFI

(Capability) len 6 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has CAPABILITY code: 1, length 4 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has MP_EXT CAP for afi/safi: 2/1 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 rcvd OPEN w/ optional parameter type 2 (Capability) len 2 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has CAPABILITY code: 128, length 0 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has ROUTE-REFRESH capability(old) for all address-families *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 rcvd OPEN w/ optional parameter type 2 (Capability) len 2 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has CAPABILITY code: 2, length 0 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 OPEN has ROUTE-REFRESH capability for all address-families BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 rcvd OPEN w/ remote AS 65535 *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 went from OpenSent to OpenConfirm *Feb 21 01:23:26.511: BGP: 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 went from OpenConfirm to Established

AFI 2 - IPv6 and SAFI – IPv6 unicast 70


Remember the 32-Bit router-id

R20#sh ip bgp sum % BGP cannot run because the router-id is not configured BGP router identifier 0.0.0.0, local AS number 65535 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 4 65535 0 0 0 0 0 never Idle R20# *Feb 20 20:45:48.665: %BGP-4-NORTRID: BGP could not pick a router-id.

Please configure manually.

Where there is no IPv4 address configured on a device

71


Peering on Loopback Interface Addresses

router bgp 65535 bgp router-id 20.20.20.20 bgp log-neighbor-changes neighbor 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 remote-as 65535 neighbor 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 update-source Loopback0 address-family ipv6 neighbor 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 activate

R10 R20 e0/0 e0/0

*Feb 20 23:15:03.091: BGP: 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 passive open failed - 2001:DB8:1020:1020:A8BB:CCFF:FE00:1400 is not update-source Loopback0's address (2001:2020:2020:0:A8BB:CCFF:FE00:1400)

One of the most common mistakes. Use loopback addresses to peer. Not default interface address

72


Do Not Peer on Loopback Link Local Addresses

R10 R20 e0/0 e0/0

R20#show ipv6 interface lo 0 Loopback0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:1400 No Virtual link-local address(es):

R10#show bgp ipv6 sum BGP router identifier 10.10.10.10, local AS number 65535 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd FE80::A8BB:CCFF:FE00:1400 4 65535 8 8 1 0 0 00:00:45 0 R10# Everything looks

fine right? 73


Peer Address Down but Session Up—Not Really

R20#sh ipv6 int lo 0 Loopback0 is administratively down, line protocol is down IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:1400 [TEN]

R10#show bgp ipv6 sum BGP router identifier 10.10.10.10, local AS number 65535 BGP table version is 2, main routing table version 2 1 network entries using 149 bytes of memory 1 path entries using 76 bytes of memory 2/1 BGP path/bestpath attribute entries using 264 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 489 total bytes of memory BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd FE80::A8BB:CCFF:FE00:1400 4 65535 22 21 2 0 0 00:03:57 1 R10#

74


Last One on Link Local Addresses Based iBGP

router bgp 65535 no synchronization bgp router-id 10.10.10.10 bgp log-neighbor-changes neighbor FE80::A8BB:CCFF:FE00:1400 remote-as 65535 neighbor FE80::A8BB:CCFF:FE00:1400 update-source Loopback0 neighbor FE80::A8BB:CCFF:FE00:1E00 remote-as 65535 neighbor FE80::A8BB:CCFF:FE00:1E00 update-source Loopback0 no auto-summary ! address-family ipv6 neighbor FE80::A8BB:CCFF:FE00:1400 activate neighbor FE80::A8BB:CCFF:FE00:1E00 activate exit-address-family

R10 R20 e0/0

e0/0

R40

75


Link Local Addresses Cannot Be Reached Beyond the Connected Neighbor

R10#show bgp ipv6 summary BGP router identifier 10.10.10.10, local AS number 65535 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd FE80::A8BB:CCFF:FE00:1400 4 65535 77 76 2 0 0 00:58:44 1 FE80::A8BB:CCFF:FE00:1E00 4 65535 0 0 0 0 0 never Active R10#

R10#ping FE80::A8BB:CCFF:FE00:1E00 Output Interface: ethernet0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to FE80::A8BB:CCFF:FE00:1E00, timeout is 2 seconds: Packet sent with a source address of FE80::A8BB:CCFF:FE00:A00 ..... Success rate is 0 percent (0/5)

R10 R20 e0/0

e0/0

R40

76


Always Use Global Prefix for iBGP Peering router bgp 65535

no synchronization bgp router-id 10.10.10.10 bgp log-neighbor-changes neighbor 2001:db8:2020:0:A8BB:CCFF:FE00:1400 remote-as 65535 neighbor 2001:db8:2020:0:A8BB:CCFF:FE00:1400 update-source Loopback0 no auto-summary ! address-family ipv6 neighbor 2001:db8:2020:0:A8BB:CCFF:FE00:1400 activate exit-address-family

R10 R20 e0/0 e0/0

router bgp 65535 no synchronization bgp router-id 20.20.20.20 bgp log-neighbor-changes neighbor 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 remote-as 65535 neighbor 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 update-source Loopback0 no auto-summary ! address-family ipv6 neighbor 2001:DB8:1010:1010:A8BB:CCFF:FE00:A00 activate network 2001:2121:2121::/64 no synchronization exit-address-family

Here is where you advertise prefixes to BGP

77


? Routing Table Has an Entry- Where Is the Prefix

R10#show ip bgp sum BGP router identifier 10.10.10.10, local AS number 65535 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 2001:db8:2020:0:A8BB:CCFF:FE00:1400 4 65535 90 89 1 0 0 0 1:26:54 0 R10#

R10#show ipv6 route bgp IPv6 Routing Table - 18 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 B 2001:db8:2121::/64 [200/0] via 2001:db8:2020:0:A8BB:CCFF:FE00:1400 R10#

78


Use IPv6 Specific Commands

R10#show bgp ipv6 unicast summary BGP router identifier 10.10.10.10, local AS number 65535 BGP table version is 2, main routing table version 2 1 network entries using 161 bytes of memory 1 path entries using 76 bytes of memory 2/1 BGP path/bestpath attribute entries using 248 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 485 total bytes of memory BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 2001:db8:2020:0:A8BB:CCFF:FE00:1400 4 65535 15 14 2 0 0 00:11:42 1 R10# R10#ping 2001:db8:2121:0:A8BB:CCFF:FE00:1400 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:db8:2121:0:A8BB:CCFF:FE00:1400, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/20 ms R10#

79


Migration Bumps

80


Manual Tunnel

R20#sh run int tunnel 0 Building configuration... Current configuration : 188 bytes ! interface Tunnel0 no ip address ipv6 address 2001:DB8:2424:2424::/64 eui-64 ipv6 ospf 12345 area 0 tunnel source 23.23.23.20 tunnel destination 34.34.34.40 tunnel mode ipv6ip

R40#sh run int tun 0 Building configuration... Current configuration : 188 bytes ! interface Tunnel0 no ip address ipv6 address 2001:DB8:2424:2424::/64 eui-64 ipv6 ospf 12345 area 0 tunnel source 34.34.34.40 tunnel destination 23.23.23.20 tunnel mode ipv6ip

IPv4 IPv6

IPv6

R20 R40

81


Sanity Check for Manual Tunnels

R20#ping Protocol [ip]: Target IP address: 34.34.34.40 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 23.23.23.20 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.34.34.40, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/100 ms R20#

IPv4 IPv6

IPv6

R20 R40

Tunnel destination

Tunnel source

82


Tunnel Configuration Mismatch

R20#show int tun 0 Tunnel0 is up, line protocol is down Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 23.23.23.20, destination 34.34.34.40 Tunnel protocol/transport IPv6, sequencing disabled

R40#show int tunnel 0 Tunnel0 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 34.34.34.40, destination 23.23.23.20 Tunnel protocol/transport IPv6/IP, sequencing disabled

IPv4 IPv6

IPv6

R20 R40

83


Tunnel Configuration Mismatch

R20#sh run int tun 0 Building configuration... Current configuration : 188 bytes ! interface Tunnel0 no ip directed-broadcast ipv6 address 2001:DB8:2424:2424::/64 eui-64 tunnel source 23.23.23.20 tunnel destination 34.34.34.40 tunnel mode ipv6 end

R20(config-if)#tunnel mode ipv6ip R20(config-if)# R20(config-if)# *Mar 12 03:18:20.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *Mar 12 03:18:20.827: IPV6: source :: (local) *Mar 12 03:18:20.827: dest FF02::16 (Tunnel0) *Mar 12 03:18:20.827: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating

IPv4 IPv6

IPv6

R20 R40

84


A Working Tunnel 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201

R10#ping 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 80/98/152 ms R10 *Mar 13 18:00:37.262: Tunnel0: IPv6/IP encapsulated 23.23.23.20->34.34.34.40 (linktype=79, len=100) *Mar 13 18:00:37.822: Tunnel0: to decaps IPv6/IP packet 34.34.34.40->23.23.23.20 (len=100, ttl=253) *Mar 13 18:00:37.822: Tunnel0: decapsulated IPv6/IP packet *Mar 13 18:00:37.822: FE80::2222:2228 -> FF02::5 (len=40 ttl=1) *Mar 13 18:00:38.890: Tunnel0: IPv6/IP encapsulated 23.23.23.20->34.34.34.40 (linktype=79, len=120) *Mar 13 18:00:38.950: Tunnel0: to decaps IPv6/IP packet 34.34.34.40->23.23.23.20 (len=120, ttl=253) *Mar 13 18:00:38.950: Tunnel0: decapsulated IPv6/IP packet *Mar 13 18:00:38.950: 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201 -> 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 (len=60 ttl=63)

IPv4 R40

IPv6 R20

IPv6

85

R40


OSPFv3 Network Across the Tunnel

R20#show ipv6 ospf neighbor Neighbor ID Pri State Dead Time Interface ID Interface 40.40.40.40 1 FULL/ - 00:00:37 20 Tunnel0 10.10.10.10 1 FULL/BDR 00:00:37 2 Ethernet0/0 R20# *Mar 10 00:10:45.575: Tunnel0: IPv6/IP encapsulated 23.23.23.20->34.34.34.40 (linktype=79, len=120)

*Mar 10 00:10:45.583: Tunnel0: IPv6/IP to classify 34.34.34.40->23.23.23.20 (len=120 ttl=253 tos=0x0) *Mar 10 00:10:45.623: Tunnel0: to decaps IPv6/IP packet 34.34.34.40->23.23.23.20 (len=120, ttl=253) *Mar 10 00:10:45.623: Tunnel0: decapsulated IPv6/IP packet *Mar 10 00:10:45.623:

2001:DB8:5050:5050:A8BB:CCFF:FE00:3200 -> 2001:DB8:1020:1020:A8BB:CCFF:FE00:A00 (len=60 ttl=63) *Mar 10 00:10:43.363: Tunnel0: decapsulated IPv6/IP packet *Mar 10 00:10:43.363: FE80::2222:2228 -> FF02::5 (len=40 ttl=1)

IPv4 IPv6 R20

IPv6 R40

86


6to4 Automatic Tunnels

IPv4 IPv6

IPv6

R20 R40

R20#sh run int tunnel 0 Building configuration... Current configuration : 122 bytes ! interface Tunnel0 no ip address no ip directed-broadcast ipv6 unnumbered Ethernet0/0 tunnel source Ethernet1/0 tunnel mode ipv6ip 6to4 end

R40#sh run int tunnel 0 Building configuration... Current configuration : 122 bytes ! interface Tunnel0 no ip address no ip directed-broadcast ipv6 unnumbered Ethernet1/0 tunnel source Ethernet0/0 tunnel mode ipv6ip 6to4 end

87


Use the Correct Prefix of 2002::/16

R20#sh run int eth 0/0 Building configuration... Current configuration : 116 bytes ! interface Ethernet0/0 no ip address no ip directed-broadcast ipv6 address 2001:1717:1714:2020::/64 eui-64

R20#sh run int eth 1/0 Building configuration... Current configuration : 93 bytes ! interface Ethernet1/0 ip address 23.23.23.20 255.255.255.0 no ip directed-broadcast

IPv4 IPv6

IPv6

R20 R40

e 1/0 e 0/0

Should be 2002

R20#ping 2001:2222:2228:4040:A8BB:CCFF:FE00:2801 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:2222:2228:4040:A8BB:CCFF:FE00:2801, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/61/140 ms R20#

2001:2222:2228:4040:A8BB:CCFF:FE00:2801

Works in spite of the wrong prefix

88


Common Mistake in Automatic Tunnels

R40#sh run int eth 1/0 Building configuration... Current configuration : 136 bytes ! interface Ethernet1/0 no ip address no ip directed-broadcast ipv6 address 2002:DB8:4545:4545::/64 eui-64 ipv6 ospf 45 area 0 end R40# R40#sh run int eth 0/0 Building configuration... Current configuration : 93 bytes ! interface Ethernet0/0 ip address 34.34.34.40 255.255.255.0 no ip directed-broadcast end

R20#sh run int eth 1/0 Building configuration… Current configuration : 93 bytes ! interface Ethernet1/0 ip address 23.23.23.20 255.255.255.0 no ip directed-broadcast end R20#sh run int eth 0/0 Building configuration… Current configuration : 136 bytes ! interface Ethernet0/0 no ip address no ip directed-broadcast ipv6 address 2002:DB8:1212:1212::/64 eui-64 ipv6 ospf 12 area 0

Can you spot the mistake—23.23.23.20 in Hex is 1717:1714

IPv4 IPv6

IPv6

R20 R40

E0/0

E1/0

89


All the Required Configs for Automatic Tunnel

R40#sh run

interface Tunnel0 ipv6 unnumbered Ethernet1/0 tunnel source Ethernet0/0 tunnel mode ipv6ip 6to4

interface Ethernet0/0 ip address 34.34.34.40 255.255.255.0

interface Ethernet1/0 ipv6 address 2002:2222:2228:4040::/64 eui-64 ipv6 ospf 45 area 0

ipv6 route 2002::/16 Tunnel0

R20#sh run

interface Tunnel0 ipv6 unnumbered Ethernet0/0 tunnel source Ethernet1/0 tunnel mode ipv6ip 6to4

interface Ethernet1/0 ip address 23.23.23.20 255.255.255.0 interface Ethernet0/0 ipv6 address 2002:1717:1714:2020::/64 eui-64 ipv6 ospf 12 area 0

ipv6 route 2002::/16 Tunnel0 ipv6 route ::/0 2002:2222:2228:4040:A8BB:CCFF:FE00:2801

IPv6 IPv4 T0 R20 IPv6

E 0/0 E 1/0 E 0/0

E 1/0

T0

23.23.23.20 in Hex is 1717:1714

90

R40


The Automatic Tunnel in Action

R20#debug tunnel Tunnel Interface debugging is on R20#ping 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 60/84/152 ms R20# *Mar 15 17:19:24.466: Tunnel0: to decaps IPv6/IP packet 34.34.34.40->23.23.23.20 (len=120, ttl=253) *Mar 15 17:19:24.618: Tunnel0: decapsulated IPv6/IP packet *Mar 15 17:19:24.618: 2001:DB8:5050:5050:A8BB:CCFF:FE00:3201 -> 2002:1 717:1714:2020:A8BB:CCFF:FE00:1400 (len=60 ttl=63)

IPv4 IPv6

IPv6

R20 R40

T0

E 0/0 E 1/0 E 0/0 E 1/0

T0

91


Accessing 2001 Global Prefixes 2001:DB8:6060:6060:9CD7:2EFF:FEF0:99FA

R10#ping 2001:DB8:6060:6060:9CD7:2EFF:FEF0:99FA

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:6060:6060:9CD7:2EFF:FEF0:99FA, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)

IPv4 IPv6

IPv6

R20 R40

T0

E 0/0 E 1/0 E 0/0 E 1/0

T0

v6 Internet


Ensure the networks on both sides of the tunnel are aware of a default route to reach the IPv6 internet

92


Accessing 2001 Global Prefixes

R20

IPv4 IPv6

IPv6 R40

T0

E 0/0 E 1/0 E 0/0 E 1/0

T0

v6 Internet

R10#sh ipv6 route IPv6 Routing Table - 8 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 OE2 ::/0 [110/1], tag 12 via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0 OE2 2002::/16 [110/20] via FE80::A8BB:CCFF:FE00:1400, Ethernet0/0

R60#sh ipv6 route bgp IPv6 Routing Table - 8 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 B 2001:DB8:5050:5050::/64 [20/20] via FE80::A8BB:CCFF:FE00:2800, Serial3/0 B 2002::/16 [20/0] via FE80::A8BB:CCFF:FE00:2800, Serial3/0

R10#ping 2001:DB8:6060:6060:9CD7:2EFF:FEF0:99FA Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to

2001:DB8:6060:6060:9CD7:2EFF:FEF0:99FA, timeou t is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 88/96/108 ms R10#

93

R20



Automatic Tunnels Are Point to Multipoint

R70

IPv6

v6 Internet

R50

T0

E 0/0 E 1/0 E 0/0

T0 IPv4

IPv6 IPv6

R20 R40

R10 T0 E 0/0

IPv6

R80

On every 6to4 PE

94


IPv6 2001:db8:0b01

6rd Tunnels (RFC 5969)

Native dual-stack IP service to the end site

Simple, stateless, automatic IPv6-in-IPv4 encap and decap functions

Embedded IPv4 address needs to match IPv4 address in Tunnel header for security

IPv6 traffic automatically follows IPv4 Routing (IPv4 address used as tunnel endpoint)

BRs placed at IPv6 edge, addressed via anycast for load-balancing and resiliency

Service Provider IPv6 2001:db8:0f01

PE P P

6rd Tunnel

IPv4 Header

IPv6 Packet

IPv6 Packet

IPv6 Packet

IPv4 Access Network 6rd IPv6 End Site IPv6 Internet

IPv6 2001:db8:0d01

CE Tunnel between CPEs

6rd Relay/CPE Tunnels

6rd Border Relay

95


Destination Dynamically Computed Example

6rd IPv6 Prefix 32 bits Interface ID

2001:0db8: 0000:0000:0000:0002 0000: Server Address 0b01:

IPv4 16 bits

Subnet 16 bits

IPv6 2001:db8:0b01

IPv4 Backbone Network

CE

IPv6 2001:db8:0f01

PE

P P

BR

6rd Tunnel

CE

IPv4 Header

IPv6 Packet

IPv6 Packet

IPv6 Packet

IPv4 Backbone Network 6rd IPv6 End Site 6rd IPv6 End Site

200.15.11.1 (e0/0) 200.15.15.1 (e0/0)

2001:db8:0f01::2 (Host)

2001:db8:0b01::2 (Server)

6rd tunnel end point in IPv4 Network 200.15. 11.1

IPv4 Common Prefix (16bits)

6rd Parameter Value

6rd Prefix 2001:db8::/32

IPv4 Common Prefix 200.15/16

IPv4 Common Suffix 0/0 (Cisco specific)

(Dst) 200.15.11.1

(Src) 200.15.15.1

(Dst) 2001:0db8:0b01::2

(Src) 2001:0db8:0f01::2

IPv6 Header IPv4 Header

2001:db8:0b01::1 (e0/1) 2001:db8:0f01::1 (e0/1)

96


! ipv6 general-prefix 6rd-prefix 6rd Tunnel1 ipv6 unicast-routing ipv6 cef ! interface Tunnel1 ipv6 enable tunnel source Ethernet0/0 tunnel mode ipv6ip 6rd tunnel 6rd prefix 2001:db8::/32 tunnel 6rd ipv4 prefix-len16 tunnel 6rd br 200.15.0.1 Config to Border Relay

6rd CE Configuration (IOS)

IPv6 2001:db8:0b01


CE

IPv6 2001:db8:0f01

PE

P P

PE

6rd Tunnel

CE

IPv4 Header

IPv6 Packet

IPv6 Packet

IPv6 Packet

IPv4 Backbone Network 6rd IPv6 End Site 6rd IPv6 End Site

200.15.11.1 (e0/0) 200.15.15.1 (e0/0)

! interface Ethernet0/0 description Shared IPv4 infrastructure ip address 200.15.15.1 255.255.255.0 ! interface Ethernet1/0 description End Site LAN ipv6 address 6rd-prefix ::1/64 ! ipv6 route 2001:db8::/32 tunnel1 ipv6 route ::/0 Tunnel1 2001:db8:1:: Default to BR

2001:db8:0f01::2 (Host)

2001:db8:0b01::2 (Server)

2001:db8:0b01::1 (e0/1) 2001:db8:0f01::1 (e0/1)

97


6rd Border Relay Configuration (IOS)


CE

IPv6 2001:db8:0f01

PE

P P PE

IPv6 Packet

IPv4 Backbone Network IPv6 Network

200.15.15.1 (e0/0)

2001:db8:0f01::2 (Host)

IPv4 Header

IPv6 Packet

IPv6 Internet 2000::/3

200.15.0.1/128 (lo0)

2001:db8:1::/128 (e0/0)

6rd Border Relay

6rd Border Relay

200.15.0.1/128 (lo0)

2001:db8:1::/128 (e0/0) 6rd tunnel to closest BR

ipv6 general-prefix 6rd-prefix 6rd Tunnel1 ipv6 unicast-routing ipv6 cef ! interface Tunnel1 ipv6 enable tunnel source Loopback0 tunnel mode ipv6ip 6rd tunnel 6rd prefix 2001:db8::/32 tunnel 6rd ipv4 prefix-len16

interface Ethernet0/0 description IPv6 Internet ipv6 address 2001:db8:1::/64 ! interface Loopback0 description Shared IPv4 infrastructure ip address 200.15.0.1 255.255.255.0 ! ipv6 route 2001:db8::/32 tunnel1 ipv6 route ::/0 2001:db8:2:: ! Or use routing protocol

98


6ProviderEdge

PE1

mBGP session

IPv4 MPLS PE2 v6 v6

IPv6 Hosts

IPv6 Hosts

2001:DB8:1234:5678::/64 eui-64

2001:DB8:1234:ABCD::/64 eui-64

PE1#show ipv6 route IPv6 Routing Table - 5 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 C 2001:DB8:1234:5678::/64 [0/0] via ::, Loopback10 L 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900/128 [0/0] via ::, FastEthernet0/1 B 2001:DB8:1234:ABCD::/64 [200/0] via ::FFFF:2.2.2.2, IPv6-mpls L FE80::/10 [0/0] via ::, Null0 L FF00::/8 [0/0] via ::, Null0 PE1#

PE1

PE1 learns the prefix through mPBGP session

99

PE1


6ProviderEdge

mBGP session

PE2 v6 PE1 v6

IPv6 Hosts

IPv6 Hosts

2001:DB8:1234:5678::/64 eui-64

2001:DB8:1234:ABCD::/64 eui-64

PE1#sh run Building configuration... hostname PE1 ip cef ipv6 unicast-routing ipv6 cef mpls label protocol ldp mpls ipv6 source-interface FastEthernet0/1 ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 ! interface FastEthernet0/1 ipv6 address 2001:DB8:1234:5678::/64 eui-64 ! interface Ethernet0/0 ip address 12.12.12.1 255.255.255.0 mpls ip !

router ospf 12 log-adjacency-changes network 1.1.1.1 0.0.0.0 area 0 network 12.12.12.0 0.0.0.255 area 0 ! router bgp 12 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 12 neighbor 2.2.2.2 update-source Loopback0 ! address-family ipv4 neighbor 2.2.2.2 activate no auto-summary no synchronization exit-address-family ! address-family ipv6 neighbor 2.2.2.2 activate neighbor 2.2.2.2 send-label network 2001:DB8:1234:5678::/64 exit-address-family

IPv4 MPLS

IPv6 CEF must be enabled

PE2

100


6ProviderEdge

IPv4 MPLS

mBGP session

PE1 PE2 v6 v6 IPv6

Hosts

IPv6 Hosts

2001:DB8:1234:5678::/64 eui-64

2001:DB8:1234:ABCD::/64 eui-64

IPv4 MPLS

PE1# show bgp ipv6 unicast BGP table version is 14, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 2001:DB8:1234:5678::/64 :: 0 32768 i *>i2001:DB8:1234:ABCD::/64 ::FFFF:2.2.2.2 0 100 0 I PE1#show mpls forwarding-table Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 16 Pop tag 2.2.2.2/32 0 Et0/0 12.12.12.2 19 Aggregate 2001:DB8:1234:5678::/64 \ 520 PE1#

The required mPBGP session and tags

101


6ProviderEdge

mBGP session

PE2 2001:DB8:1234:5678::/64 eui-64

2001:DB8:1234:ABCD::/64 eui-64

v6

IPv6 Hosts PE1 v6

IPv6 Hosts

IPv4 MPLS

PE2#show bgp ipv6 sum BGP router identifier 2.2.2.2, local AS number 12 BGP table version is 14, main routing table version 14 2 network entries using 298 bytes of memory 2 path entries using 152 bytes of memory 3/2 BGP path/bestpath attribute entries using 396 bytes of memory BGP using 846 total bytes of memory BGP activity 9/7 prefixes, 11/9 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 1.1.1.1 4 12 181 180 14 0 0 00:12:01 1 PE2# PE2# PE2#ping 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900 source 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900, timeout is 2 seconds: Packet sent with a source address of 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/60 ms PE2#

Good old 32 bit BGP router ID

102

PE2


6ProviderEdge

IPv4 MPLS

mBGP session

PE1 PE2 v6 v6 IPv6

Hosts

IPv6 Hosts

2001:DB8:1234:5678::/64 eui-64 2001:DB8:1234:ABCD::/64 eui-64

IPv4 MPLS

PE2# 01:23:21: IPv6: nexthop ::FFFF:1.1.1.1, 01:23:21: IPV6: source 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 (local) 01:23:21: dest 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900 (IPv6-mpls) 01:23:21: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating 01:23:21: IPv6: Sending on Ethernet0/0 01:23:21: IPV6: source 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900 (IPv6-mpls) 01:23:21: dest 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 01:23:21: traffic class 0, flow 0x0, len 100+18, prot 58, hops 64, forward to ulp 01:23:21: IPv6: nexthop ::FFFF:1.1.1.1, 01:23:21: IPV6: source 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 (local) 01:23:21: dest 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900 (IPv6-mpls) 01:23:21: traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating 01:23:21: IPv6: Sending on Ethernet0/0 01:23:21: IPV6: source 2001:DB8:1234:5678:A8BB:CCFF:FE00:7900 (IPv6-mpls) 01:23:21: dest 2001:DB8:1234:ABCD:A8BB:CCFF:FE00:7A00 01:23:21: traffic class 0, flow 0x0, len 100+18, prot 58, hops 64, forward to ulp

::FFFF:2.2.2.2 ::FFFF:1.1.1.1

103


IPv4 MPLS

IPv6 VPN 6VPE (RFC 4659)

6VPE uses existing IPv4 MPLS infrastructure to provide IPv6 VPN Core uses IPv4 control plane (LDPv4, TEv4, IGPv4) PEs must support dual stack IPv4+IPv6 Offers same architectural features as MPLS-VPN for IPv4

‒RTs, VRFs, RDs are appended to IPv6 to form VPNv6 address

‒MP-BGP distributed both VPN address families

‒BGP NH uses IPv4 to IPv6 mapped address format ::ffff:A.B.C.D

VRF can contain both VPNv4 and VPNv6 routes

IPv4 IPv6

P P

IPv6 Packet

MPLS IPv4 Backbone IPv6/IPv4 Network IPv6/IPv4 Network

VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1/30 2001:db8:cafe:3::/64

172.16.1.0.0/30 2001:db8:cafe:1::/64

6VPE2

104


IPv4 MPLS

CE1 Configuration

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

ipv6 unicast-routing ipv6 cef ! interface Ethernet0/0 description Link to PE1 ip address 172.16.1.1 255.255.255.0 ipv6 address 2001:db8:cafe:1::1/64 ! interface Ethernet1/0 description to GREEN LAN ip address 10.1.1.1 255.255.255.0 ipv6 address 2001:db8:beef:1::1/64 ipv6 rip GREEN enable

router bgp 500 neighbor 2001:db8:cafe:1::2 remote-as 100 neighbor 172.16.1.2 remote-as 100 ! address-family ipv4 redistribute eigrp 100 neighbor 172.16.1.2 activate 6VPE1 exit-address-family ! address-family ipv6 neighbor 2001:db8:cafe:1::2 activate 6VPE1 redistribute rip GREEN exit-address-family

6VPE2

Dual stack

105


ipv6 unicast-routing ipv6 cef ! interface Loopback0 ip address 200.10.10.1 255.255.255.255 ! interface Ethernet0/0 Description Link to CE1 vrf forwarding GREEN ip address 172.16.1.2 255.255.255.0 ipv6 address 2001:db8:cafe:1::2/64

IPv4 MPLS

6VPE1 General Configuration

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

! interface Ethernet2/0 description Link to Core Network ip address 192.168.1.1 255.255.255.252 mpls ip ! router ospf 1 log-adjacency-changes redistribute connected subnets passive-interface Loopback0 network 192.168.1.0 0.0.0.255 area 0

6VPE2

106


router bgp 100 neighbor 200.11.11.1 remote-as 100 neighbor 200.11.11.1 update-source lo0 ! address-family ipv4 Internet Routes neighbor 200.11.11.1 activate no auto-summary no synchronization exit-address-family ! address-family vpnv4 To 6VPE2 neighbor 200.11.11.1 activate neighbor 200.11.11.1 send-community ext exit-address-family

IPv4 MPLS

6VPE1 BGP Configuration

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1.0/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

address-family vpnv6 To 6VPE2 neighbor 200.11.11.1 activate neighbor 200.11.11.1 send-community ext exit-address-family ! address-family ipv4 vrf GREEN To CE1 redistribute connected neighbor 172.16.1.1 remote-as 500 neighbor 172.16.1.1 activate exit-address-family ! address-family ipv6 vrf GREEN To CE1 neighbor 2001:db8:cafe:1::1 remote-as 500 neighbor 2001:db8:cafe:1::1 activate exit-address-family

6VPE2

107


IPv4 MPLS

6VPE2 IPv6 VRF Routes

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1.0/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

6VPE2#show ipv6 route vrf GREEN B 2001:db8:beef:1::/64 [200/0] via 200.10.10.1 B 2001:db8:beef:2::/64 [20/0] via FE80::A8BB:CCFF:FE01:FA00, Ethernet1/0 B 2001:db8:cafe:1::/64 [200/0] via 200.10.10.1 C 2001:db8:cafe:3::/64 [0/0] via Ethernet1/0, directly connected L 2001:db8:cafe:3::2/128 [0/0] via Ethernet1/0, receive L FF00::/8 [0/0] via Null0, receive

6VPE2

108


IPv4 MPLS

6VPE1 BGP VPNv6 Table

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1.0/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

6VPE1#show bgp vpnv6 unicast all Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 200:1 (default for vrf GREEN) *> 2001:db8:beef:1::/64 2001:db8:cafe:1::1 Route from CE1 0 0 500 ? *>i2001:db8:beef:2::/64 ::FFFF:200.11.11.1 Route from CE2 via 6VPE2 0 100 0 506 ? *>i2001:db8:cafe:3::/64 ::FFFF:200.11.11.1 PE/CE Connected route from 6VPE2 0 100 0 ?

6VPE2

Recall the v4 mapped v6 address

109


IPv4 MPLS

6VPE1 LFIB

IPv4 IPv6

P P

IPv6 Packet


VPN Label

IPv6 Packet

LDP Label

IPv6 Packet

CE1 6VPE1

P P

10.1.1.0/24 2001:db8:beef:1::/64

VRF

200.10.10.1 200.11.11.1

CE2

IPv4 IPv6

VRF

10.1.2.0/24 2001:db8:beef:2::/64

172.16.3.1.0/30 2001:db8:cafe:3::/64

172.16.1.0/30 2001:db8:cafe:1::/64

6VPE1#show mpls forwarding Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 192.168.1.4/30 0 Et2/0 192.168.1.2 17 16 192.168.1.8/30 0 Et2/0 192.168.1.2 18 Pop Label 200.12.12.1/32 0 Et2/0 192.168.1.2 19 18 200.13.13.1/32 0 Et2/0 192.168.1.2 20 19 200.11.11.1/32 0 Et2/0 192.168.1.2 21 No Label 10.1.1.0/24[V] 0 Et0/0 172.16.1.1 22 Aggregate 172.16.1.0/24[V] 570 GREEN 25 No Label 2001:db8:beef:1::/64[V] \ 570 Et0/0 FE80::A8BB:CCFF:FE01:F400 26 Aggregate 2001:db8:cafe:1::/64[V] \ 35456 GREEN

6VPE2

110


IPv6 Related Sessions at Cisco Live Session Title

BRKRST-2044 Enterprise Multi-Homed Internet Edge Architectures

BRKCRS-2301 Enterprise IPv6 Deployment

BRKCRT-9344 IPv6 for Cert Nuts

BRKRST-2311 IPv6 Planning, Deployment and Operation Considerations

BRKSEC-2003 IPv6 Security Threats and Mitigations

BRKRST-2302 IPv6 Troubleshooting

BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for SPs

BRKSPG-2603 How to Securely Operate an IPv6 Network

BRKUCC-2061 IPv6 in UC Networks

LTRRST-1301, LTRSEC-3033 IPv6 Hands-on Lab, IPv6 Network Threat, Defense, Countermeasures and Controls

BRKEWN-2010 Design and Deployment of Ent. WLAN

BRKCCIE-9492 IPv6 for Route & Switching CCIE Candidates

BRKRST-3300 Service Provider IPv6 Deployment

BRKSPG-2604 Deploying Carrier Grade IPv6 using CGSE

COCRST-3464 Cisco on Cisco: Making the Leap to IPv6

Search Session Catalog: “ipv6”

111


Complete Your Online Session Evaluation Give us your feedback and you

could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

113


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media: ‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI

114

ipv6 troubleshootingd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/brkrst-2302.pdf · brkrst-2302 ©...

Documents