Cisco: OSPFv3 point-to-point network configuration

In the previous post I explained some basic things about IPv6 and how to configure IPv6 addresses on Cisco interfaces. Following on from that, I now want to explain how you can configure unicast dynamic routing protocols for IPv6 networks. Just like IPv4, the v6 generation of IP supports routing protocols such as OSPF, RIP and EIGRP; only their names have been adapted to the v6 generation, giving OSPFv3, RIPng and EIGRP for IPv6.

From the routing protocols above I chose OSPFv3 for today, because it is quite easy to understand and, why not, it is one of my preferred routing protocols. OSPFv2 and OSPFv3 share the same key concepts, so if you understand the version for IPv4 you will have no problems understanding the one for IPv6. However, you should also understand the most significant differences:
— to enable OSPFv3 you use interface subcommands, instead of the “network” statement under the “router ospf” process in OSPFv2
— if multiple IPv6 addresses are configured on an OSPFv3-enabled interface, OSPFv3 advertises all the related networks
— the OSPFv3 router-id (RID) has to be set in order to enable the routing protocol; it can be set automatically, as in OSPFv2, or manually
— OSPFv3 uses an IPv4 address as the RID; if no IPv4 address is present on the router to be used as RID, the OSPFv3 process cannot choose its RID
— OSPFv3 does not natively provide authentication as OSPFv2 does; for OSPFv3, the IPv6 stack covers this with its built-in support for AH and ESP.
That is about enough for you to configure basic OSPFv3 routing. If you are interested in more details about OSPFv3, you can check the OSPFv3 documentation by Jeff Doyle and Jennifer Carroll on NetworkWorld.com.

I will use the same topology as in the previous post. You can check the IPv6 configuration of the routers here. Please click below to see the tutorial:

OSPFv3 p2p network configuration

If for some reason the tutorial above is not available to you, please check this text file, which presents in text mode everything needed to enable an OSPFv3 point-to-point network configuration between 2 Cisco devices.

Cisco: IPv6 basics and configuration how-to

Today I had to deal with IPv6 configuration for my CCIE preparation, and I decided to write a small tutorial about the basics of IPv6. First of all, IPv6 is not more complicated than IPv4, it just looks like it is. Second, and this is my personal opinion, I think that as long as IPv4 is on the market and things like NAT can overcome the problem of IP addresses being exhausted, IPv6 will not be implemented on a large scale. Let’s be honest, I’m more comfortable in a discussion saying that I had a problem with the IP address 192.168.100.100 than with 2001:128:1F:633:207:85FF:FE80:71B8 (IPv6).

But what we like and what we have to know as network engineers are two different things. For this reason I decided that some information about IPv6, how to configure it and how to test a point-to-point connection on a Cisco device, would not hurt anyone.

Some essential points about IPv6 (if you want more, there is a lot of information on the Internet):
-uses 128 bits compared with the 32 bits of IPv4
-IPv6 addresses are written in hexadecimal rather than decimal
-uses colon-separated fields of 16 bits rather than dot-separated 8-bit decimal fields
An IPv6 address can be written in different formats. Let’s take:
2001:0001:0000:0000:00A1:0CC0:01AB:397A
this can look like:
2001:1:0:0:A1:CC0:1AB:397A – the leading zeros in each 16-bit group can be eliminated
2001:0001::00A1:0CC0:01AB:397A – two or more consecutive 16-bit “0000” groups can be written as :: (double colon), but only once in the IPv6 address
2001:1::A1:CC0:1AB:397A – the simplest form of the IPv6 address, combining both rules
A small but very important hint. Take care to avoid the following common mistake when writing an IPv6 address in short format. Let’s say we have 2001:0000:0000:0000:00A1:0000:0000:397A and you want to write it in short format using the rule that 2 or more “0000” groups can be written as ::, and you write 2001::A1::397A. This is wrong, because afterwards nobody, and no device, can know where there were 2 groups of zeros and where there were 3. Taking the wrong format and expanding it back to the long form, you could just as well write 2001:0000:0000:00A1:0000:0000:0000:397A, and the mistake is obvious.
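To make the two shortening rules and the double-colon mistake concrete, here is a small added example (my own code, not from the original post) that expands and compresses IPv6 text addresses by hand and rejects the ambiguous form; Python’s ipaddress module would do the same job, this version just spells the rules out.

```python
import re

GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")

def expand_ipv6(addr: str) -> str:
    """Expand a shortened IPv6 address to eight 4-hex-digit groups.

    Rule 1: leading zeros of a 16-bit group may be dropped.
    Rule 2: one run of all-zero groups may be written as '::'.
    A second '::' is rejected: the receiver cannot tell how many
    zero groups each one stood for.
    """
    if addr.count("::") > 1:
        raise ValueError(f"{addr}: '::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"{addr}: '::' must replace at least one group")
        groups += ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{addr}: not a valid IPv6 address")
    return ":".join(g.upper().zfill(4) for g in groups)

def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading zeros and replace the longest run of
    two or more zero groups with '::' (the leftmost run wins a tie)."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:   # measure the zero run at i
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [format(g, "X") for g in groups]
    if best_len < 2:                      # a single zero group stays as '0'
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def is_valid_ipv6_text(addr: str) -> bool:
    """True if the text form is well-formed and unambiguous."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False
```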
There are more types of IPv6 addresses, which you can find in the table below:
IPv6 addresses type

There are 3 ways in which you can assign an IPv6 address to a Cisco device:
-manual = just like in IPv4
-stateful autoconfiguration = you use a DHCP server that assigns an IPv6 address to the interface
-stateless autoconfiguration = the interface ID of the IPv6 address is configured locally by the host to be globally unique, using the EUI-64 procedure

In short, the EUI-64 procedure is used to autoconfigure the last 64 bits of the 128-bit IPv6 address, which is the interface ID portion. The EUI-64 method takes the MAC address of the interface (48 bits), which is unique, and derives the interface ID (64 bits) from it. You will probably ask how 48 bits become 64 bits. EUI-64 inserts a 16-bit portion equal to FFFE in the middle of the MAC address and sets the universal/local bit (the 7th bit) to indicate global scope. More concretely, let’s say the interface has the MAC address 00:07:88:80:71:b9; when IPv6 applies the EUI-64 method this becomes 0207:88FF:FE80:71b9 (the last 64 bits = interface ID).
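As an added example (my own code, not from the post), the EUI-64 derivation above written out in Python, plus the reverse step a defender uses to map a SLAAC address seen in logs back to the MAC behind it; the 2001:db8:0:1::/64 prefix is a constructed documentation prefix, not from the tutorial topology.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> str:
    """Derive the 64-bit interface ID from a 48-bit MAC the EUI-64 way.

    Insert FF:FE between the OUI (first 3 octets) and the NIC part
    (last 3 octets), then invert the universal/local bit: the 7th bit of
    the first octet counting from the most significant one, mask 0x02.
    Returns the four 16-bit groups as IOS prints them.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac}: a MAC address has 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                       # flip the U/L bit
    return ":".join(f"{eui[i]:02X}{eui[i + 1]:02X}" for i in range(0, 8, 2))

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, which is what an
    interface configured with 'eui-64' ends up using (constructed prefix)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_eui64(address: str) -> Optional[str]:
    """Reverse the procedure: recover the MAC behind an EUI-64 address.
    Returns None when the FF:FE marker is absent, i.e. the interface ID
    was not derived from a MAC (manual, privacy or DHCPv6 address)."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                       # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])
```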

After this short introduction (trust me, it is short compared to the detailed books) I hope things look a little clearer to you regarding IPv6, and that you understand it is not an IT network monster of any kind. Let me show you a small example of how you can configure Cisco interfaces for IPv6 connectivity. Routing and more advanced stuff will maybe come in a future post.

For this tutorial I will use the same topology as in the previous post (please have a look at it here), but for the IPv6 configuration I will focus only on the LAN side, the connection between R1 and R2. There is already a working IPv4 link between these 2 devices. Please click below to see the example:

IPv6 Cisco interface config

If for some reason the tutorial above is not available to you, please check this text file, which contains the configuration needed to enable IPv6 connectivity between 2 Cisco devices.

Cisco Security Manager Vulnerability

Cisco Security Advisories: Cisco Security Manager contains a vulnerability when it is used with Cisco IPS Event Viewer (IEV) that results in open TCP ports on both the Cisco Security Manager server and the IEV client. An unauthenticated, remote attacker could leverage this vulnerability to access the MySQL databases or the IEV server.

Read the full post on cisco.com…

Cisco: Use CBAC to achieve firewall functionality on router device

Sometimes, usually because of cost saving, network engineers are forced to use a Cisco router as a firewall (instead of a Cisco PIX or ASA). One of the big differences between router and firewall devices is that their ports have different characteristics. On routers, ports permit any packets in and out by default, whereas on firewall devices any packets are denied if not explicitly permitted. Also, firewalls look at ports as Inbound and Outbound, while for routers this has no meaning.

Anyway, I don’t want to discuss here the differences between firewalls and routers, but to show you an example of how to achieve firewall functionality by using Context-based Access Control (CBAC). CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect (CBAC can likewise inspect traffic for sessions that originate from the external network). CBAC inspects traffic and manages state information for TCP and UDP sessions, which allows it to create temporary openings in the access-lists to let the returning traffic through. Without CBAC, traffic filtering is limited to access-list implementations that examine packets at the network layer or, at most, the transport layer.

The above explanation is a very technical one. Please have a look at the topology to better understand what I’m explaining here and to understand the example below. I will use the telnet protocol in this tutorial. From the topology, imagine that on the LAN interface of R2 (Fa0/0) you allow telnet traffic to R3 and nothing else. Also, to protect your environment, on the R2 WAN interface S1/0 you drop any inbound connection by using “deny ip any any” in an access-list. Good, you are protected now. But what about the telnet connection? It will not work! Why? It is obvious that if the packet leaving the LAN towards port 23 is allowed, the response from R3 is automatically dropped on S1/0 of R2 because of the deny-everything access-list. By configuring “ip inspect” you enable CBAC, which keeps track of your session, so when you open a telnet connection to R3 the return connection on a random port (xxxxx) is automatically opened by CBAC, despite the deny-all access-list configured. In this way you are protected from the outside (access is denied) but still able to use the connections you defined (CBAC opens certain ports for certain sessions).

So, to achieve firewall functionality on a router you have to follow some simple steps:
– use an access-list to deny any traffic on the router’s ports (firewall-like behaviour)
– open in the access-list the traffic that you want to establish (remember that this line has to be above the deny line in the ACL)
– enable ip inspect rules to open the port for the return connection

Please have a look at the example below for a better understanding:

Context-based Access Control