
Some IPv6 Basics

IPv6 is one of my favorite topics as it looks very complex but it is really nice and easy.

  • easy to deploy
  • easy to manage

The IPv6 header, as you can see, is constructed of:

  • 8 bit – Version
  • 8 bit – Traffic Class (also known as the TOS byte)
  • 20 bit – Flow Label
  • 20 bit – Payload Length
  • 8 bit – Next Header
  • 8 bit – Hop Limit (similar to the TTL idea)
  • 128 bit – Source Address
  • 128 bit – Destination Address

Total: 40-byte header

[Image: IPv6 header]

Compare it to the IPv4 Header:

[Image: IPv4 header]

You can see a smaller header of 20 bytes, but it is much more complex, and with options it can be extended up to 60 bytes, which is much more than IPv6.

OK, now I would like to get to a demonstration, just to give you a taste of how easy IPv6 is. On my PC (OS: Win7) I didn't configure any IPv6 manually. By default Win7 and most Linux distributions are IPv6-enabled once installed. What does that mean, you ask? It means an IPv6 link-local address is configured automatically.

Those of you who are new to IPv6 will ask: what is a link-local IPv6 address? A link-local address is a non-routable IPv6 address that is unique to the local segment and starts with FE80::/10. On Cisco, the link-local address is created from FE80:: plus the MAC address, after taking the 7th bit and inverting it (0 –> 1, 1 –> 0). Here is an example from my router:

HOME-GUEZ(config-if)#do sh int vl16
Vlan16 is up, line protocol is up
Hardware is EtherSVI, address is 0017.5922.8114 (bia 0017.5922.8114)

Take 0017.5922.8114: the 7th bit is 0, so changing it to 1 makes it 0217.5922.8114. Inserting 0xFFFE in the middle, the full address should look like:

FE80:0000:0000:0000:0217:59FF:FE22:8114 = 128 bit, or in short FE80::217:59FF:FE22:8114, and as you can see from the show output below I was correct :-)

HOME-GUEZ(config-if)#do sh ipv6 int vl16
Vlan16 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::217:59FF:FE22:8114

Now I would like to show you something. I have enabled debugging of IPv6 packets, and under my VLAN interface I have added a global unicast IPv6 address. At that moment, like magic, you can see the router start working automatically:

HOME-GUEZ#debug ipv6 packet detail
IPv6 unicast packet debugging is on (detailed)
HOME-GUEZ#term mon
HOME-GUEZ#
HOME-GUEZ#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOME-GUEZ(config)#int vl16
HOME-GUEZ(config-if)#ipv6 address 2001::1/64
HOME-GUEZ(config-if)#
Mar 2 21:05:53.956: IPV6: source :: (local)
Mar 2 21:05:53.956: dest FF02::1:FF22:8114 (Vlan16)
Mar 2 21:05:53.956: traffic class 224, flow 0x0, len 64+16, prot 58, hops 255, originating
Mar 2 21:05:53.956: IPv6: Sending on Vlan16
#### prot 58 is ICMPv6. Routers with IPv6 use ICMPv6 control messages to solicit and advertise neighbors. Also notice the use of the last 24 bits, 22:8114, at the end of the destination address: the router is sending the last 24 bits of its own link-local address to verify that it is the only one on the link with such an address. This is also called DAD (Duplicate Address Detection).
#### I didn't mention this before, as I wanted to show it to you before talking about it, but the job of the Next Header field in the IPv6 header is to indicate what is coming after the IPv6 header.
#### In the first packet you saw prot 58, which is ICMPv6, but in the next you can see prot 0, and that means a hop-by-hop option header comes directly after the IPv6 header.
#### Unlike in IPv4, the IPv6 options are not really part of the IPv6 header. The hop-by-hop header is an informative extension that each routing node should know about,
#### not very interesting to us now.
Mar 2 21:05:53.960: IPV6: source :: (local)
Mar 2 21:05:53.960: dest FF02::16 (Vlan16)
Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
Mar 2 21:05:53.960: IPv6: Sending on Vlan16
Mar 2 21:05:53.960: IPV6: source :: (local)
Mar 2 21:05:53.960: dest FF02::16 (Vlan16)
Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
Mar 2 21:05:53.960: IPv6: Sending on Vlan16
Mar 2 21:05:53.960: IPV6: source :: (local)
Mar 2 21:05:53.960: dest FF02::16 (Vlan16)
Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
Mar 2 21:05:53.960: IPv6: Sending on Vlan16
Mar 2 21:05:53.960: IPV6: source :: (local)
Mar 2 21:05:53.960: dest FF02::16 (Vlan16)
Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
Mar 2 21:05:53.964: IPv6: Sending on Vlan16
Mar 2 21:05:54.456: IPV6: source :: (local)
Mar 2 21:05:54.456: dest FF02::16 (Vlan16)
Mar 2 21:05:54.456: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
Mar 2 21:05:54.456: IPv6: Sending on Vlan16
#### Here is the neighbor advertisement
Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local)
Mar 2 21:05:54.956: dest FF02::1 (Vlan16)
Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 72+8, prot 58, hops 255, originating
Mar 2 21:05:54.956: IPv6: Sending on Vlan16
#### And that is a Router Advertisement. After my PC had received the router advertisement, it had already configured itself with a global unicast IPv6 address:
#### IPv6 Address. . . . . . . . . . . : 2001::6df4:5c91:aac1:9a36(Preferred)
Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local)
Mar 2 21:05:54.956: dest FF02::1 (Vlan16)
Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 104+1396, prot 58, hops 255, originating
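The EUI-64 link-local derivation worked through earlier and the solicited-node multicast address seen in the DAD packet above can both be reproduced in a few lines. This is an added example, not code from the original post; the function names are made up for illustration. It also runs the derivation in reverse, which is how a MAC address can be read back out of an EUI-64 address found in a log.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0017.5922.8114), colon or dash notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """FE80:: + modified EUI-64 interface ID built from the MAC."""
    m = parse_mac(mac)
    # Invert the "7th bit" (universal/local bit, 0x02 of the first octet)
    # and insert FFFE between the two halves of the MAC.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the last 24 bits of addr."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(prefix + low24)

def mac_from_eui64(addr):
    """Return the embedded MAC if the interface ID carries the FFFE
    marker, otherwise None (the ID was not derived from a MAC)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)

if __name__ == "__main__":
    ll = eui64_link_local("0017.5922.8114")       # MAC from "sh int vl16"
    print("link-local      :", ll)
    print("solicited-node  :", solicited_node(ll))  # DAD destination in the debug
    print("MAC from router :", mac_from_eui64(ll))
    # The PC's autoconfigured address from the post has no FFFE marker.
    print("MAC from PC     :", mac_from_eui64("2001::6df4:5c91:aac1:9a36"))
```

The router's address gives its MAC back to anyone who sees it, while the PC's address from the post does not, because its interface ID was not built from the MAC.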

And you can see I could ping my router's global unicast IPv6 address:

C:\Users\shiran>ping 2001::1

Pinging 2001::1 with 32 bytes of data:
Reply from 2001::1: time=4ms
Reply from 2001::1: time=1ms
Reply from 2001::1: time=1ms
Reply from 2001::1: time=1ms

Ping statistics for 2001::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 4ms, Average = 1ms

Now, I made the debugging output shorter than it really is, but let me show you what the router advertisement looks like, and that will be the last thing for this post:

[Image: Router Advertisement]

Now, I know that this post is not very organized and that it should contain much more explanation, but I wanted to give you a 10000 feet view: it looks complex, but in the end I ran only 2 commands on my router and had my home network running IPv6:

ipv6 unicast-routing
<under the interface>
ipv6 address 2001::1/64

Now yes, that is not a grand design, but think what you would have had to do if you wanted the same simple network for IPv4….
