Monday, March 16, 2009

IPv6 From the Ground Up : Part - II

ICMPv6
ICMP for IPv6 is identified by a header value of 58 in the IPv6 next header field. ICMPv6 is used to report errors and perform internet layer functions eg ping for diagnostics. It's the base protocol for IPv6 and has to be fully implemented and understood by aspiring engineers.

Diagram used for this article is:



IPv6 Neighbor discovery and unicast routing.

Unicast routing is off by default, remember to enable it to allow ICMpv6 neighbor discovery that replaces ARP.

Router0(config)#ipv6 unicast-routing
Router0(config)#int f0/0
Router0(config-if)#ipv6 enable
Router0(config-if)#no shutdown

Router0#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is cc00.1368.0000 (bia cc00.1368.0000)

Router0#sh ipv6 interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::CE00:13FF:FE68:0
No global unicast address is configured
Joined group address(es):
FF02::1
FF02::1:FF68:0
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds

Router0#ping FE80::CE01:13FF:FE68:0
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::CE01:13FF:FE68:0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/40/164 ms

note the expanded 0's (zeroes below), they mean the same thing.

Router0#ping FE80:0000:0000:0000:CE01:13FF:FE68:0
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::CE01:13FF:FE68:0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/96 ms

note similar commands have to be run on router 1.
Now lets take some debug to observe this process of enabling th elink local address, but first cover a few basics:
  • IPv6 host adresses are generated from interface mac addresses. from the previouse post (partI), mac addresses are 48 bits and need conversion to 64bit to make a EUI-64 address.
  • ICMPv6 Neighbor discovery is used to resolve layer 3 address to Layer 2 address. in case of ethernet, that would be a mac address to an IP address, or frame relay dlci to an address, or pvc to an ip address etc etc...
  • This is not necessary for point to point links. the router knows that any traffic resolving/recursing to the interface based on the routing table will use whatever layer 2 circuit is assigned to the circuit.
  • no inverse neighbor discovery yet. so all routes should be mapped incase of frame relay (frame relay map ipv6).
ICMPv6 replaces IPV4 ARP for neighbor discovery.
  1. Solicitations - asking other neighbors for info.
  • Neighbor Solicitations - By any general hosts eg desktops and other hosts.
  • Router Solicitations - Devices routing IPV6 eg a default gateway. eg router to router segments.
  • Used to decide what the remote L2 address is of hosts and routers. The two types are there because there is additional info apart from the L2 address. eg routers can tell hosts the network prefix - this way a host just needs to enable IPV6, start sending neighbor solicitations to find out the neighbor, and router solicitation to find out the routers. The router sends back the network bit and the host - stateless autoconfiguration is built into ipv6 protocol stack.
  1. Advertisements - sending informations.

  • Neighbor advertisements
  • Router Advertisemens.
debug ipv6 packets and ipv6nd
Router0(config)#
ICMPv6: Received ICMPv6 packet from ::, type 135
ICMPv6: Received ICMPv6 packet from FE80::CE00:13FF:FE68:0, type 136
ICMPv6-ND: Sending NS for FE80::CE01:16FF:FE0C:0 on FastEthernet0/0
!note the NS (neighbor solicitation) this is basically like asking' can I use this address?"
IPV6: source :: (local)
dest FF02::1:FF0C:0 (FastEthernet0/0)
!solicited node multicast address...used for duplicate address detection (DAD). ie essentially we ask 'is anyone using this address? in the segment.)
traffic class 224, flow 0x0, len 64+16, prot 58, hops 255, originating
IPv6: Sending on FastEthernet0/0
ICMPv6-ND: DAD: FE80::CE01:16FF:FE0C:0 is unique.

!Note chances of having a conflict are rare in this case since the address is derived from your mac address.and ICMPv6 acknowledges that the address is indeed unique.

ICMPv6-ND: Sending NA for FE80::CE01:16FF:FE0C:0 on FastEthernet0/0
!next we are advertising that we're an IPV6 neighbor with the address above.

IPV6: source FE80::CE01:16FF:FE0C:0 (local)
dest FF02::1 (FastEthernet0/0)
traffic class 224, flow 0x0, len 72+8, prot 58, hops 255, originating
IPv6: Sending on FastEthernet0/0
ICMPv6-ND: Address FE80::CE01:16FF:FE0C:0/0 is up on FastEthernet0/0

Router0(config)#
ICMPv6-ND: Sending RA to FF02::1 on FastEthernet0/0
ICMPv6-ND: MTU = 1500
IPV6: source FE80::CE00:16FF:FE0C:0 (local)
dest FF02::1 (FastEthernet0/0)
traffic class 224, flow 0x0, len 72+1428, prot 58, hops 255, originating
IPv6: Sending on FastEthernet0/0

Here - above- R0 sends then sends out an RA - router advertisement

ICMPv6: Received ICMPv6 packet from FE80::CE01:16FF:FE0C:0, type 134
ICMPv6-ND: Received RA from FE80::CE01:16FF:FE0C:0 on FastEthernet0/0
and receives an advertisement from R1. Please note no network addresses are set yet, so what you receive is the routers link local address.
Router0#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
FE80::CE01:16FF:FE0C:0 0 cc01.160c.0000 REACH Fa0/
note the routers above only have link local processing

other commands that show output for different IP versions:
Router0#sh ipv6 int brief
FastEthernet0/0 [up/up]
FE80::CE00:16FF:FE0C:0

!shows the link local addresses on our interfaces.

Router0#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 1.1.1.1 YES manual up up

Router0#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.1.1.1 - cc00.160c.0000 ARPA FastEthernet0/0

Router0#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
FE80::CE01:16FF:FE0C:0 2 cc01.160c.0000 STALE Fa0/0
Router0#sh ipv6 route
IPv6 Routing Table - 2 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
!note the Null0, this is because the traffic is local (remember this are not global addresses yet).
FE80::/10 is the entire range of link local addresses.

Router0#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0

Router0#sh ipv6 int
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::CE00:16FF:FE0C:0
No global unicast address is configured
Joined group address(es):
FF02::1
!all host multicast, this is where the advertisements are sent to for autoconfiguration.
FF02::2
FF02::1:FF0C:0
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.

Router0#sh ip int
FastEthernet0/0 is up, line protocol is up
Internet address is 1.1.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
all other commands, telnet etc also work but you need to be specific. Is there get a way to make ipv6 default IPversion

another question:
can you disable IPv4 processing and only have IPV6 processing on a router?


Interesting question came up during this writing:
can you disable IPv4 processing and only have IPV6 processing on a router?




IPv6 From the Ground Up : Part - I Contd.......

From RFC2460, the following information jumps out at you immediately:

- IPv6 is supposedly a succesor to IPv4 (RFC 791). It's uptake (at least in kenya) is a bit discouraging though I get the feeling this will be forced on networks when V4 resources run out.
-Expands the address size from 32 to 128 bits supporting more levels of addressing, more addressable nodes and autoconfiguration. Multicast routing is scaled by using 'scope' and a new address called anycast is defined.
-Header format is simplified to make the packet handling better and limit bandwidth costs.
-Improved support for extensions and other improvements. IPv6 has less stringent limits on length of options.
-another key thing is extension support for authentication and other privacy measures eg confidentiality and integrity can be extended on the header.
-flow labelling capability takes qos to a whole /nother level. eg you can label a flow for which the sender requests special handling eg real time traffic.

IPv6 Header Format as seen on the rfc - modified by my notes:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version-4bits|Traffic Class| Flow Label |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Payload Length | Next Header | Hop Limit |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Source Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Destination Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension headers:
Optional information is encoded in separate headers placed between the IPv6 header and the upper layer header. this have to be identified by a distinct header value.
  • Headers are not processed until they reach the destination/s. As such a node has to process extension headers strictly in the order they appear in the packet.
  • if the hop-by-hop header , which must be immeadeately following the IPv6 header is present, then it will be processed by all nodes. its presence is indicated by a value zero (0) in the next field header.
  • ICMP code 1 is sent to a sender if a parameter is not understood ie unrecognized. the same is apparently sent to a packet originator if a value zero is found on any header other than the IPv6 header.
  • If more than one extension header is used, there's a specific order they should appear in. (please read the rfc) i definately don't expect this on an exam. However, IPv6 header, hop by hop options, Destination options, routing and fragmentation followed by authentication, encapsulation and security and a destinations headed then an upper layer header is what's listed.
  • Note the two destinations, one is the final destination and the other is the destination listed in the routing header. ie (once before a Routing header and once before the upper-layer header) That still does confuse me.
  • IPv6 will accept extension headers in any order apart from the hop-by-hop optiones one that has to follow the IPv6 header.
  • A destination header is not examined or processed until it reaches the node identified in the Destination Address field of the IPv6 header.
  • Note, the frgment header is just like in IPv4 used to send a packet larger than the path mtu. However this is only done by the source nodes not routers along the path. the value identifying it is 44.
  • each fragment will have an unfragmentable part, a fragment header and the fragment itself. The unfragmentable part has the payload length of the original v6 header changed to contain the fragmented packet length only, the fragment header id's the first header of the fragmentable header of the original packet. Then obviously the fragment lengths must have a resulting MTU of the path being taken to the destination.
  • For reassembly, the packets must have the same source & destination address and fragment identification
  • note, the fragment header doesn't show up in the final reassembled packet.
  • IPv6 requires that the MTU on each link be either equal to or more than 1280 octets. and fragmentation and or reassembly must be procided by a layer below the IPv6.
  • its recommended that IPv6 nodes implement PMTU.
  • IPv4 ttl is renamed to hop-limit . this is because IPv6 nodes are not required to enforce a packets lifetime. applications curently relyin gon the internet layer for ttl purposes have to be upgraded to have a mechanism to detect and discard obsolete packets
Im not generally a fan of RFC's but for topics I don't understand, I'd rather start from there and work out towards the actual configuration with some sound theories behind me...(there's the added fact that Im out of books budget and RFC's are pretty much the source of most info)

further reading:
Authentication 
Encapsulating Security Payload

Tuesday, March 10, 2009

IPv6 From the Ground Up : Part - I

The Basics

**Please go through rfc2373 in its entirety. Life will be much easier after that.

Our learning topology is a simple: two routers just to show neighbor discovery: This will mainly be used on PartII and any others that follow.


Understanding IPv6 without using it is might not be easy, however playing around with it while planning a CCIE should set you on the right path.

To get a proper grasp of IPv6, you need to understand:
- A link-local address, site-local and global IPv6 address.
- The loopback address (::1) for the loopback interface
- The multicast addresses of joined groups
- Number of bits on an IPv6 address (128 - bits, 16 bytes)

Also very important, what is a modified EUI-address, its purpose and how its generated. I found it also very important to know and understand IEEE 802 addresses.

Basics on MAC addressing:
The IEEE 802 address consist of 24 bit company identifier and a 24 bit extension ID. this is uniquely assigned and gives you a 48-bit address. This 48-bit address is also called the physical, hardware, or media access control (MAC) address.

EUI-64 Addresses
This addressing extends the '24-bit' extension ID on a MAC address to 40 bits. The company/manufacturer ID is still left at 24-bits. This 64 bits are then used to identify the host/node. This is what is called a link local address. Routers do not forward this addresses.

To convert a MAC address to an EUI address, I use the following method. Note this only gives us the link local address, in part 2 or 3 we'll discuss how the rest of the address is completed/generated....lets use an example:

Host X has a MAC address of 12-34-56-78-90-12
on a router, this would be the burnt in address (bia) or the mac address.

First we insert FFFE between the 3rd and 4th bytes ie between the vendor ID and extension ID which results to 12-34-5F-FF-E6-78-90-12/1234-5678-9012. You can easilly do this by slicing the address into two halves.

Next take the first byte (two characters=1 byte) so in our case the first byte is 12 (note this is in hex) and convert it to binary - 0001 0010.. Take the 7th most significant bit and flip it/or invert it, this gives 0001 0000. Convert this back to hex and you get :
10-34-5F-FF-E6-78-90-12
put this in proper notation for IPv6 and get:
1034:56FF:FE78:9012

In case you get hang up on wording

The IEEE now considers the label MAC-48 to be an obsolete term which was previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications and should not be used in the future. Instead, the term EUI-48 should be used for this purpose.

references:
RFC2373 - IP Version 6 Addressing Architecture
My friend tells me most of what he learnt on IPv6 was solidified at an internetwork experts boot camp so go over to their site and grab some work book, have no idea which one in particular.

Part II
IPv6 Neighbor Discovery:

Sunday, March 8, 2009

CCIE motivation

today is a dark dark day, last week was a bit of an anti climax for me, trying to sort things out so I can afford the LAB, figure out the best place to take it (down to brussels, India and or Dubai)... Im thinking some place I havent been and a sibling might be visiting India soon....so hmm why not India for the ccie?

anyway''''my morale is pretty low today, I think its just the thought of getting up to go to work tomorrow, I'm actually starting to look at the CCIE as a means to just switch employers, and do something more intense, challenging...anyway.. cant concentrate much so re-running lord of the rings...hah I also went to an asian fruit market and bought a bunch of froots...., ahh yes also confirmed the order and hopeful delivery of a triathlon kit .

Im done rumbling....oh yes also made payment for the written in April:-)

Tuesday, March 3, 2009

CSM module and a 7613 woes...or fun it depends

So i tried to bring a csm/csg module up on another chassis. All modules, including the Supervisor Engine (if you have redundant Supervisor Engines),
support online insertion and removal (OIR). You can add, replace, or remove modules without interrupting the system power or causing other software
or interfaces to shut down. So no worries there. the colors changed as expected on the LED....then went off........

SUP1234#sh module 13
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
13 4 Content Services Gateway WS-SVC-CSG-1 SAD094906MP

Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
13 0013.c39f.1270 to 0013.c39f.1277 1.5 Unknown Unknown PwrDown

Mod Online Diag Status
---- -------------------
13 Not Applicable


so from the above we can tell there's a problem. Hopefully not too serious.

SUP1234#hw-module module 13 reset
Proceed with reload of module?[confirm]
% module 13 is operationally off (Module Failed SCP dnld)

I only ever had this SCP dnld issue with MWAMS never a CSG/CSM module. I cant even trace back to a bug showing this as a problem...YET.
I tried to power it up manually:

SUP1234#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SUP1234(config)#power enable module 13

still not shows up as failed SCP dnld....
so resetting the module with hw-module module 13 reset and power enable module 13 both fail to power up my module.
If this were an MWAM i'd assume something buggy, but this is a new module, granted the hardware is a bit newer than the other csg's..

Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 000f.342c.5318 to 000f.342c.531f 1.4 3.1(3)C7(7) Ok
2 0011.93b4.5698 to 0011.93b4.569f 1.4 3.1(3)C7(7) Ok
3 0011.5c81.1e6c to 0011.5c81.1e9b 6.1 6.3(1) 8.5(0.46)RFW Ok
4 0011.5c81.157c to 0011.5c81.15ab 6.1 6.3(1) 8.5(0.46)RFW Ok
5 0001.c9dd.0f5e to 0001.c9dd.0f65 1.4 3.1(3)C7(7) Ok
6 0002.fcc1.f844 to 0002.fcc1.f84b 1.4 3.1(3)C7(7) Ok
7 0016.46f9.0c58 to 0016.46f9.0c5b 5.3 8.4(2) 12.2(18)SXF7 Ok
8 0016.c85e.a958 to 0016.c85e.a95b 5.3 8.4(2) 12.2(18)SXF7 Ok
9 0001.c9de.32a0 to 0001.c9de.32a7 1.7 3.1(8) Ok
10 001b.53bc.b038 to 001b.53bc.b03f 6.1 7.2(1) 2.1(3.0) Ok
11 0011.92b7.c748 to 0011.92b7.c74f 4.0 7.2(1) 2.1(3.0) Ok
12 001d.70c4.fc14 to 001d.70c4.fc43 3.0 12.2(18r)S1 12.2(18)SXF7 Ok
13 0013.c39f.1270 to 0013.c39f.1277 1.5 Unknown Unknown PwrDown

so check power:
I have enough power....and its the only one not working....Im out of slots on the chassis so I can't move it around....grrrr.....
I'll move it to a different chassis and see....maybe the module got 'corrupt' while being moved from one chassis to another ( i had it somewhere else before) and wanted to spice up my afternoon.

anyone have a clue on this one? id be interested.

RS blueprint

looking at the Expanded blueprint by IE , I think I understand why multicast is such a pain, I missed out on key areas.....Im re-doing/ re-reading most of th ematerial again.

I could sit for the written any time now but until Im pretty sure of the lab payments there's no need to rush it for now, it how ever means I start preparing for the lab and ensuring nothing gets forgotten.

I have recently renewed two professional certs and while that doesn;t guarantee my written pass all the reading i did after that should get me one...or very very close (its still an exam so I'll keep my fingers crossed:)