IPv6 LAB 1 Deployment (CCNP level)


Download Lab: GNS3 

Prerequisites:

 Cisco IOSv        (vios-adventerprisek9-m.vmdk.SPA.156-2.T)


Introduction:
In this lab, you are a network engineer who has been asked to help the small company AI10 transition to an IPv6 environment. The IT manager contacted the company’s ISP to obtain an IPv6 prefix, and the ISP gladly assigned the 2019:A100:D000::/48 global routing prefix; access to the outside world will be provided via the default route. You will perform multiple tasks: design an IPv6 addressing scheme, assign prefixes to the routers’ interfaces, configure RIPng in the topology, and enable different IPv6 services including DHCPv6, ACLs, etc. For your information, the PCs in the topology are Cisco IOS routers acting as hosts. Although this lab is aimed at CCNP-level learners, anyone who wants to try it is welcome.


Topology:





Lab procedure:



Step1: Before transitioning to IPv6, the existing network infrastructure has to be ready and verified; this gives you assurance that the configuration changes made for the IPv6 migration did not cause any problems. That is why it is good to check that you currently have IPv4 connectivity. From all PCs, ping this domain name to verify that the SRV1 server is reachable:

PC1#ping   ipv4-dnstest.local
Translating "ipv4-dnstest.local"...domain server (10.10.10.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 7/7/9 ms
PC1#

Repeat this test on every PC in the diagram.



Step2: Open a text editor, then use the future IPv6 diagram to design the addressing scheme for the IPv6 topology. Take the /48 global routing prefix and extend it to a /64 subnet prefix for each required end-to-end link and LAN interface. To make a /64 subnet prefix, choose any number for the fourth quartet and append it to the existing global prefix.

Example:

Subnet0 - 2019:A100:D000:2000::/64
Subnet1 - 2019:A100:D000:2001::/64

Keep going until you satisfy the requirements of the topology.



Step3: Design a link-local address allocation scheme for the routers’ interfaces, using the same address on every interface of a given router. Use the first letter of the name and the number of the router to form the link-local address. For example, for router Core1 the address will be FE80::C1 and for router ER1 the address is FE80::E1. Complete the list of link-local addresses for the rest of the routers in a separate text file.

Example:
Router hostname:     Link-local:
Core1                        FE80::C1
Core2
ER1
ISP



Step4: Assign link-local addresses to the routers’ interfaces, starting with the ISP interface facing ER1. To avoid monotony, perform this step together with step 5.

Example:

ISP(config)#interface  g0/0
ISP(config-if)#ipv6  address FE80::A link-local
ISP(config-if)#



Step5: Using the list of subnet prefixes and the topology information, assign IPv6 global addresses to the routers' interfaces, starting with the link between ISP and ER1. The first IPv6 address is allocated to ER1 g0/2, the second to ISP g0/0. For the rest of the routers in the topology, assign IPv6 addresses according to seniority: core routers get the first addresses in the subnet, then distribution, and finally access. For example, on the link between Core1 and Core2, Core1 has priority; on the link between Core2 and DR1, Core2 gets the first address.

Example (steps 4 and 5 combined):

ISP(config)#interface  g0/0
ISP(config-if)#ipv6  address FE80::A link-local
ISP(config-if)#ipv6 address 2019:A100:D000:2000::2/64
ISP(config-if)#exit 

Complete the configuration on the opposite side, then proceed to the next step.
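
The plan described in Steps 2 to 5 can be generated rather than typed by hand. The following is an added example, not part of the original lab: it derives the /64 subnets, the per-router link-local addresses and the ::1/::2 assignment by seniority. The LINKS sample is constructed from interfaces shown in the lab output, and the placement of ER and ISP in TIER_RANK is an assumption.

```python
import ipaddress

GLOBAL_PREFIX = ipaddress.IPv6Network("2019:A100:D000::/48")  # assigned by the ISP
FIRST_SUBNET_ID = 0x2000  # fourth quartet of Subnet0 in the Step 2 example
LL_OVERRIDES = {"ISP": "FE80::A"}  # "I" is not a hex digit; the lab uses FE80::A

# Seniority used to pick ::1 on a link (lower wins). Core > DR > AR comes from
# Step 5; where ER and ISP sit is an assumption consistent with the lab output.
TIER_RANK = {"Core": 0, "ER": 1, "DR": 2, "AR": 3, "ISP": 4}

# Constructed sample: subnet number -> the two (router, interface) link ends,
# limited to links whose interfaces appear in the lab's own output.
LINKS = {
    0: (("ISP", "g0/0"), ("ER1", "g0/2")),
    1: (("ER1", "g0/0"), ("Core1", "g0/3")),
    3: (("Core2", "g0/0"), ("Core1", "g0/0")),
}


def subnet(n):
    """Return Subnet<n>: the /48 with FIRST_SUBNET_ID + n as fourth quartet."""
    subnet_id = FIRST_SUBNET_ID + n
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError(f"subnet {n} does not fit in the 16-bit subnet ID")
    base = int(GLOBAL_PREFIX.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def tier(router):
    """Strip the trailing router number: 'Core1' -> 'Core'."""
    return router.rstrip("0123456789")


def link_local(router):
    """FE80::<first letter><router number>, e.g. Core1 -> FE80::C1 (Step 3)."""
    if router in LL_OVERRIDES:
        return ipaddress.IPv6Address(LL_OVERRIDES[router])
    letter, number = router[0].upper(), router[len(tier(router)):]
    if letter not in "ABCDEF" or not 1 <= len(number) <= 3:
        raise ValueError(f"{router}: cannot derive a hex interface ID")
    return ipaddress.IPv6Address(f"FE80::{letter}{number}")


def address_plan(links):
    """Map (router, interface) -> (link-local, global address, prefix length)."""
    plan = {}
    for n, ends in sorted(links.items()):
        net = subnet(n)
        # The more senior router gets ::1; ties break on hostname (Core1 < Core2).
        ranked = sorted(ends, key=lambda e: (TIER_RANK[tier(e[0])], e[0]))
        for host_id, (router, ifname) in enumerate(ranked, start=1):
            plan[(router, ifname)] = (link_local(router), net[host_id], net.prefixlen)
    return plan


def ios_lines(router, plan):
    """Render the Step 4/5 interface commands for one router."""
    out = []
    for (name, ifname), (ll, gua, plen) in plan.items():
        if name == router:
            out += [f"interface {ifname}",
                    f" ipv6 address {str(ll).upper()} link-local",
                    f" ipv6 address {str(gua).upper()}/{plen}"]
    return out


if __name__ == "__main__":
    generated = address_plan(LINKS)
    for r in ("ISP", "ER1", "Core1", "Core2"):
        print(f"! {r}")
        print("\n".join(ios_lines(r, generated)))
```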



Step6: After you configure both sides of the link with the appropriate IPv6 addresses, it is a good idea to verify that you are able to ping the opposite side; this reduces the time you spend troubleshooting if issues appear later on.

Example:
ER1#ping FE80::A source gigabitEthernet 0/2
Output Interface: gigabitEthernet 0/2
% Invalid interface. Use full interface name without spaces (e.g. Serial0/1)
Output Interface: gigabitEthernet0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::A, timeout is 2 seconds:
Packet sent with a source address of FE80::E1%GigabitEthernet0/2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

ER1#ping 2019:A100:D000:2000::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:D000:2000::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

As you can see, layer 3 IPv6 connectivity has now been established between the ISP and ER1 routers. Complete the IPv6 address assignment on all routers in the topology by repeating steps 4 to 6.



Step7: Now that you have completed the assignment of IPv6 addresses, it is time to verify that all addresses have been allocated properly. Assuming that you have a console open to all the routers in the topology, issue the show ipv6 interface brief command on all routers, then compare the output of the command with the IPv6 diagram and verify that everything looks fine. At this point you can also save the configuration so that your effort is not lost by accident.

Core1#show  ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::C1
    2019:A100:D000:2003::1
GigabitEthernet0/1     [up/up]
    FE80::C1
    2019:A100:D000:2004::1
GigabitEthernet0/2     [up/up]
    FE80::C1
    2019:A100:D000:2005::1
GigabitEthernet0/3     [up/up]
    FE80::C1
    2019:A100:D000:2001::1

As you can see, every active interface has the same link-local address, unique to this router, and a global address assigned according to the information in the topology. For example, interface G0/0 has the IPv6 address 2019:A100:D000:2003::1, which corresponds to Subnet3 in the topology.



Step8: Before configuring IPv6 routing protocols, you need to verify that the routers are capable of routing IPv6; by default, IPv6 routing is disabled.

Example:

Core1#show  ipv6 interface  g0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C1
  No Virtual link-local address(es):
  Description: Link to Core2 int g0/0
  Global unicast address(es):
    2019:A100:D000:2003::1, subnet is 2019:A100:D000:2003::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:1
    FF02::1:FF00:C1
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND NS retransmit interval is 1000 milliseconds

As you can see, the “Joined group address(es)” section of the output is missing FF02::2, the multicast address for all IPv6 routers; this indicates that NDP RA and RS messages will not be exchanged between routers. You can confirm this with the command that displays IPv6 routers:

Core1#show  ipv6 routers
Core1#

There is nothing in the output. Another method is to check whether there is an “ipv6 unicast-routing” line in the running-config; the absence of this line indicates the same result.

Core1#show running-config | section ipv6 unicast-routing
Core1#



Step9: Enable IPv6 routing on all routers in the topology except the ISP router, where it has already been enabled.

Example:

ER1(config)#ipv6 unicast-routing
ER1(config)#



Step10: Verify that IPv6 routing has been enabled.

ER1#show ipv6  routers
Router FE80::A on GigabitEthernet0/2, last update 2 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2019:A100:D000:2000::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

ER1#show  running-config | section  ipv6 unicast-routing
ipv6 unicast-routing

ER1#show  ipv6 interface  g0/2
GigabitEthernet0/2 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::E1
  No Virtual link-local address(es):
  Description: Link to ISP int g0/0
  Global unicast address(es):
    2019:A100:D000:2000::1, subnet is 2019:A100:D000:2000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF00:E1
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled



Step11: Configure RIPng using RIP10 as the name of the RIP process in global configuration mode, and enable RIPng on all interfaces that have to participate in IPv6 routing. Start with ER1, then continue until you are done with the rest of the routers. You can use the interface range command to speed up the process.

Example:

ER1(config)#ipv6 router rip RIP10
ER1(config-rtr)#exit 
ER1(config)#interface  range g0/0-2
ER1(config-if-range)#ipv6 rip RIP10 enable



Step12: Verify RIPng.

List of show commands you can use to determine whether RIPng is configured properly:

show ipv6 protocols      - identifies RIP-enabled interfaces and redistribution
show ipv6 rip            - shows detailed information about RIP: multicast group, AD, split horizon
show ipv6 rip next-hops  - displays routers from which RIP updates were received
show ipv6 rip database   - RIP routes that will be installed in the routing table
show ipv6 route rip      - RIP routes in the routing table
debug ipv6 rip events    - observe RIP updates as they are exchanged



Step13: Access routers AR1, AR2, and AR3 should have IPv6 RIP routes in their routing tables, but when you attempt to reach SRV1 the ping fails.

AR1#ping  2019:A100:1000:1::10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:

% No valid route for destination
Success rate is 0 percent (0/1)

This indicates that there is no route to the destination: SRV1’s address is on a remote network and you do not have a default route.



Step 14: Propagate a default route. ER1 should be configured to advertise a quad-zero route to the rest of the routers in the topology, except to the ISP router. Since ER1 has multiple connections to downstream routers, it is necessary to enable default route propagation on both interfaces.

ER1(config)#interface range g0/0-1
ER1(config-if-range)#ipv6 rip RIP10 default-information originate

To verify that ER1 is enabled to propagate the default route, use this command:

ER1#show  ipv6 rip
RIP process "RIP10", port 521, multicast-group FF02::9, pid 370
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are generated
     Periodic updates 366, trigger updates 5
     Full Advertisement 1, Delayed Events 0
  Interfaces:
    GigabitEthernet0/2
    GigabitEthernet0/1
    GigabitEthernet0/0
  Redistribution:
    None

Also, check whether the access routers have a default route in their routing tables.

AR1#show  ipv6 route rip
IPv6 Routing Table - default - 23 entries
--Output partially displayed--
R   ::/0 [120/4]
     via FE80::D1, GigabitEthernet0/0
     via FE80::D2, GigabitEthernet0/1
R   2019:A100:D000:2000::/64 [120/4]



Step 15: Attempt to ping SRV1's address again from the access routers.

AR1#ping 2019:A100:1000:1::10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

As you can see from the result, the destination is now unreachable; this means that somewhere along the path to SRV1 there is a router that does not have a route to the network where SRV1 resides.



Step 16: To investigate this lack of communication further, you can use traceroute to find the potential cause of the problem.

AR1#traceroute 2019:A100:1000:1::10
Type escape sequence to abort.
Tracing the route to 2019:A100:1000:1::10

  1 2019:A100:D000:200C::1 4 msec
    2019:A100:D000:2009::1 3 msec
    2019:A100:D000:200C::1 3 msec
  2 2019:A100:D000:2006::1 5 msec
    2019:A100:D000:2007::1 4 msec
    2019:A100:D000:2006::1 3 msec
  3 2019:A100:D000:2002::2 !U  !U !U

The output indicates that there is a problem at the router with IP address 2019:A100:D000:2002::2; consult the topology to find out which router has this IP address assigned. According to the IPv6 diagram and the IPv6 address scheme design, this IP address belongs to subnet 2, which has been allocated to the link between ER1 and Core2, and the address ends with 2, so it has probably been assigned to ER1’s g0/1 interface.

ER1#show  ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::E1
    2019:A100:D000:2001::2
GigabitEthernet0/1     [up/up]
    FE80::E1
    2019:A100:D000:2002::2
GigabitEthernet0/2     [up/up]
    FE80::E1
    2019:A100:D000:2000::1
GigabitEthernet0/3     [administratively down/down]



Step 17: Since you have determined that ER1 is the cause of the problem, you need to investigate why ER1 is unable to reach SRV1. Starting with the routing table, you see that there is no route to the network where SRV1 resides.

ER1#show ipv6 route 2019:A100:1000:1::10
% Route not found

The default route pointing to the ISP is missing too.

ER1#show  ipv6 route ::/0
% Route not found



Step 18: Check whether there are any misconfigured IPv6 static routes in the running configuration.

ER1#show  running-config | section  ipv6 route

The command returns nothing, meaning that you have to configure an IPv6 default static route.

ER1(config)# ipv6 route ::/0 2019:A100:D000:2000::2

Verify that ER1 is able to ping SRV1.

ER1#ping  2019:A100:1000:1::10              
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!



Step 19: Back on the access routers, attempt to ping SRV1.

AR1#ping 2019:A100:1000:1::10                              
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
.....

Now the ping is timing out. Since you know that ER1 is able to reach SRV1 but AR1 is not, you can conclude that SRV1 or a router on the return path does not have a proper route to reach AR1.
To verify this theory, you can traceroute to AR1's IP address from SRV1 and see what happens.

AR1#show ipv6  interface brief
GigabitEthernet0/0     [up/up]
    FE80::A1
    2019:A100:D000:2009::2
GigabitEthernet0/1     [up/up]
    FE80::A1
    2019:A100:D000:200C::2
GigabitEthernet0/2     [up/up]
    FE80::A1
    2019:A100:D000:200F::1

From SRV1, traceroute to AR1’s g0/0 IP address.

SRV1#traceroute 2019:A100:D000:2009::2
Type escape sequence to abort.
Tracing the route to 2019:A100:D000:2009::2

  1 2019:A100:1000:1::1 !U  !U !U
SRV1#

From the result of the traceroute, you can conclude that the ISP router probably does not know how to reach any subnets in the RIPng domain, and further configuration is required on the ISP router.



Step 20: The overview topology shows that the ISP router is supposed to have a static route pointing towards ER1 to reach any AI10 networks; check the ISP’s routing table for that reachability information.

ISP#show  ipv6 route static 

The absence of the static route in the ISP router's routing table is the reason why AR1’s ping was timing out; you have to configure a static route to the 2019:A100:D000::/48 network.

ISP(config)#ipv6  route 2019:A100:D000::/48 2019:A100:D000:2000::1



Step 21: Back on the access routers, attempt to ping SRV1.

AR1#ping 2019:A100:1000:1::10  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms
AR1#

One more thing to check: verify that AR1, AR2, and AR3 are able to ping SRV1 from their LAN interfaces.

AR1#ping 2019:A100:1000:1::10 source g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
Packet sent with a source address of 2019:A100:D000:200F::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
AR1#



Step 22: All networking devices in the topology have now been transitioned to the IPv6 environment, so it's time to configure the hosts. All three PCs have to be able to ping the domain name ipv6-dnstest.local. Let's start with the configuration of PC1. For this host, you should assign all IPv6 parameters manually.

PC1(config)#interface  g0/0
PC1(config-if)#ipv6  address fe80::10 link-local
PC1(config-if)#ipv6  address 2019:A100:D000:200F::10/64
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip name-server 2019:A100:1000:1::1

Verify that PC1 is able to ping the domain name.

PC1#ping  ipv6-dnstest.local
Translating "ipv6-dnstest.local"...domain server (10.10.10.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/13 ms

Notice that the domain name was resolved by the IPv4 DNS server; this is because the ip name-server command for IPv4 was entered first. Remove this command and you will see that PC1 uses the IPv6 DNS server address.

PC1(config)#no ip name-server 10.10.10.1
PC1#ping  ipv6-dnstest.local                      
Translating "ipv6-dnstest.local"...domain server (2019:A100:1000:1::1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms



Step 23: PC2 has to obtain its IPv6 information via stateless auto-configuration and the DNS server IP address via stateless DHCPv6. Configure stateless DHCPv6 on AR2, then proceed to PC2.

AR2(config)#ipv6 dhcp pool DHCP_STATELESS
AR2(config-dhcpv6)#dns-server 2019:A100:1000:1::1
AR2(config-dhcpv6)#domain-name ipv6stateless.local
AR2(config-dhcpv6)#exit
AR2(config)#interface  g0/2
AR2(config-if)#ipv6 nd other-config-flag
AR2(config-if)#ipv6  dhcp server DHCP_STATELESS
AR2(config-if)# end
AR2#copy running-config startup-config

PC2(config)#interface  g0/0
PC2(config-if)#ipv6 address fe80::10 link-local
PC2(config-if)#ipv6  address autoconfig
PC2(config-if)#no shutdown

Verify that PC2 received DNS server information via stateless DHCPv6.

PC2#show  ipv6 dhcp interface
GigabitEthernet0/0 is in client mode
  Prefix State is IDLE (0)
  Information refresh timer expires in 23:58:27
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::A2
    DUID: 000300010C0F940B6B00
    Preference: 0
    Configuration parameters:
      DNS server: 2019:A100:1000:1::1
      Domain name: ipv6stateless.local
      Information refresh time: 0
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled


Remove the IPv4 DNS server from the PC2 configuration, then ping the domain name ipv6-dnstest.local.

PC2(config)#no ip name-server 10.10.10.1

PC2#ping ipv6-dnstest.local
Translating "ipv6-dnstest.local"...domain server (2019:A100:1000:1::1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
PC2#



Step 24: PC3 has to obtain its IPv6 information via stateful DHCPv6. Configure AR3 to act as a stateful DHCPv6 server, then proceed to PC3.

AR3(config)#ipv6 dhcp pool DHCP_STATEFUL
AR3(config-dhcpv6)#address prefix 2019:A100:D000:2011::/64
AR3(config-dhcpv6)#dns-server 2019:A100:1000:1::1
AR3(config-dhcpv6)#domain-name ipv6stateful.local
AR3(config-dhcpv6)#exit
AR3(config)#interface g0/2
AR3(config-if)#ipv6 nd managed-config-flag
AR3(config-if)#ipv6 dhcp server DHCP_STATEFUL
AR3(config-if)#exit
AR3(config)#

PC3(config)#interface  g0/0
PC3(config-if)#ipv6  address fe80::10 link-local
PC3(config-if)#ipv6  address dhcp
PC3(config-if)#no shutdown
PC3(config-if)# exit

Verify DHCPv6 client configuration on PC3.

PC3#show  ipv6 dhcp  interface
GigabitEthernet0/0 is in client mode
  Prefix State is IDLE
  Address State is OPEN
  Renew for address will be sent in 11:58:34
  List of known servers:
    Reachable via address: FE80::A3
    DUID: 000300010C0F94D0CD00
    Preference: 0
    Configuration parameters:
      IA NA: IA ID 0x00020001, T1 43200, T2 69120
        Address: 2019:A100:D000:2011:35F1:CC5:7AB6:ECD1/128
                preferred lifetime 86400, valid lifetime 172800
                expires at Jul 29 2019 06:45 PM (172715 seconds)
      DNS server: 2019:A100:1000:1::1
      Domain name: ipv6stateful.local
      Information refresh time: 0
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled

Remove the IPv4 DNS server from the PC3 configuration, then ping the domain name ipv6-dnstest.local.

PC3(config)#no ip name-server 10.10.10.1

PC3#ping ipv6-dnstest.local
Translating "ipv6-dnstest.local"...domain server (2019:A100:1000:1::1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2019:A100:1000:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
PC3#



Step 25: The company’s IT manager decided to change access to all networking devices from IPv4 to IPv6 using loopback interfaces; the subnet prefix 2019:A100:D000:5555::/64 has been assigned for management purposes. Loopback interface 5555 has to be configured on all routers in the RIP10 domain. Using the same principle as the link-local address scheme, allocate IPv6 addresses with a prefix length of /128 to the routers. Make sure that the interface is included in the RIP10 routing process.

Example:
Core1  - 2019:A100:D000:5555::C1/64



Step 26: On all routers in the RIP10 domain, configure an enable secret and a user gns3 with privilege 15. Adjust the vty lines to accept all possible connections.

ER1(config)#enable secret gns3
ER1(config)#username gns3 privilege 15 secret gns3
ER1(config)#line  vty 0 15
ER1(config-line)#login local
ER1(config-line)#transport input all

Test a telnet connection from SRV1 to any router in the RIP domain using its IPv6 management address.

SRV1# telnet 2019:A100:D000:5555::C1
Trying 2019:A100:D000:5555::C1 ... Open


User Access Verification

Username:



Step 27: Use an IPv6 ACL to block the outside world from accessing routers in the RIP domain using telnet; the rest of the traffic should be permitted. ER1 has to host the ACL configuration, applied in the inbound direction on the outside interface.

ER1(config)#ipv6  access-list NO_TELNET
ER1(config-ipv6-acl)#deny tcp any 2019:A100:D000:5555::/64 eq telnet
ER1(config-ipv6-acl)#permit ipv6 any any
ER1(config-ipv6-acl)#exit     
ER1(config)#interface  g0/2
ER1(config-if)#ipv6 traffic-filter NO_TELNET in
ER1(config-if)#end

Attempt to telnet to AR1 at 2019:A100:D000:5555::A1; access should be denied.

SRV1#telnet 2019:A100:D000:5555::A1
Trying 2019:A100:D000:5555::A1 ...
% Destination unreachable; gateway or host down

Verify the ACL counters on ER1; they show that the access list works as intended.

ER1#show  ipv6 access-list
IPv6 access list NO_TELNET
    deny tcp any 2019:A100:D000:5555::/64 eq telnet (1 match) sequence 10
    permit ipv6 any any (5 matches) sequence 20
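
NO_TELNET matches only the loopback /64, while Step 26 leaves the vty lines open on every router address. The following added example, not part of the original lab, models first-match evaluation of the ACL over constructed flows arriving on ER1 g0/2 to check which management destinations it covers. NO_TELNET_48 is an assumed tightening to the whole /48, and the flow list is constructed from addresses shown in the lab.

```python
import ipaddress
from collections import namedtuple

TELNET, SSH = 23, 22
Ace = namedtuple("Ace", "action proto dst dport")


def ace(action, proto, dst, dport=None):
    """One ACL entry; the source is 'any' in every entry this lab uses."""
    return Ace(action, proto, ipaddress.IPv6Network(dst), dport)


# NO_TELNET exactly as configured in Step 27.
NO_TELNET = [
    ace("deny", "tcp", "2019:A100:D000:5555::/64", TELNET),
    ace("permit", "ipv6", "::/0"),
]

# Assumed tightening (not from the lab): deny telnet to the whole AI10 /48.
NO_TELNET_48 = [
    ace("deny", "tcp", "2019:A100:D000::/48", TELNET),
    ace("permit", "ipv6", "::/0"),
]

# Constructed flows: (label, protocol, destination, destination port).
FLOWS = [
    ("telnet to AR1 loopback", "tcp", "2019:A100:D000:5555::A1", TELNET),
    ("telnet to AR1 g0/0", "tcp", "2019:A100:D000:2009::2", TELNET),
    ("telnet to ER1 g0/2", "tcp", "2019:A100:D000:2000::1", TELNET),
    ("ssh to AR1 loopback", "tcp", "2019:A100:D000:5555::A1", SSH),
    ("ping to PC1", "icmp", "2019:A100:D000:200F::10", None),
]


def evaluate(acl, proto, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny.
    (The implicit ND permits of IOS IPv6 ACLs are not modelled.)"""
    addr = ipaddress.IPv6Address(dst)
    for entry in acl:
        if entry.proto not in ("ipv6", proto):
            continue  # protocol does not match ("ipv6" means any protocol)
        if addr not in entry.dst:
            continue  # destination outside the entry's prefix
        if entry.dport is not None and entry.dport != dport:
            continue  # entry is port-specific and the port differs
        return entry.action
    return "deny"


def audit(acl):
    """Verdict for every constructed flow, keyed by label."""
    return {label: evaluate(acl, proto, dst, port)
            for label, proto, dst, port in FLOWS}


def uncovered_telnet(acl):
    """Labels of constructed telnet flows that the ACL still permits."""
    return [label for label, proto, dst, port in FLOWS
            if port == TELNET and evaluate(acl, proto, dst, port) == "permit"]


if __name__ == "__main__":
    for name, acl in (("NO_TELNET", NO_TELNET), ("NO_TELNET_48", NO_TELNET_48)):
        print(name)
        for label, verdict in audit(acl).items():
            print(f"  {verdict:6} {label}")
```

On IOS, an ipv6 access-class applied to the vty lines restricts management sessions on the router itself, whichever of its addresses the session targets.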

Comments

  1. Oh man, this is in GNS3? Do you have it in EVE-NG? I would like to download and work them all. I stopped using GNS3; every time I updated it I broke it.
