Saturday, 7 August 2010

IPv6 - Routing Protocols

Summary of Chapter 4 of Deploying IPv6 Networks - IPv6 Routing Protocols

Refresher
Distance vector - RIP, EIGRP - route selection by metric (hop count, bandwidth, ...)
Link-state protocols - OSPF, IS-IS - every router has the complete picture of the links; route selection via Dijkstra's SPF algorithm
Path vector protocols - BGP - route selection based on the complete path (AS_PATH) of a route

RIPng
Hop count limit 15 as in IPv4 (metric 16 = unreachable); split horizon and poison reverse as in IPv4.
RIPng announces the subnet(s) of the interface it is enabled on.
Since there is no broadcast in IPv6, updates are sent to the link-local all-RIP-routers multicast group FF02::9 (UDP port 521).
RIPng has no authentication of its own; security is left to IPsec (ESP, AH) on the IPv6 layer.
Several RIPng processes on one interface must run on different UDP ports (and/or multicast groups); there is no process ID or similar in the packet.
Rack1R5(config)#ipv6 router rip SHIT
Rack1R5(config-rtr)#port 5000 multicast-group ff02::9
Rack1R5#sh ipv6 rip | incl port
RIP process "SHIT", port 5000, multicast-group FF02::9, pid 277
Config 
Rack1R5(config)#ipv6 unicast-routing
Rack1R5(config)#int fa 0/0
Rack1R5(config-if)#ipv6 address 2001:200::1/64
Rack1R5(config-if)#ipv6 rip SHIT enable


Show commands
Rack1R5#sh ipv6 rip
RIP process "SHIT", port 521, multicast-group FF02::9, pid 277
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 1, trigger updates 0
  Interfaces:
    FastEthernet0/0
  Redistribution:
    None
Rack1R5#

Metric offsets and summary addresses are set per interface (ipv6 rip <name> metric-offset / summary-address); redistribution etc. goes into the router sub-config mode.
RIP database


Rack1R5#sh ipv6 rip database
RIP process "SHIT", local RIB
 2001:100::/64, metric 2, installed
     FastEthernet0/0/FE80::221:D8FF:FE39:41EE, expires in 179 secs
Rack1R5#


RIP routing table
Rack1R4#sh ipv6 route rip
IPv6 Routing Table - Default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2001:200::/64 [120/2]
     via FE80::21A:2FFF:FE87:5C62, FastEthernet0/0
Rack1R4#
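As an added example (my own code, not from the blog post or the book), a RIPng response built and parsed the way the exchange above works: the bytes are what a router sends to FF02::9 on UDP 521, the parser adds the ingress cost and treats 16 as unreachable, and a next-hop RTE (metric 0xFF) is honoured only when it carries a link-local address. The routes and the sender address are constructed for illustration.

```python
"""RIPng (RFC 2080) response builder and parser.
Added example, not from the blog post or the book; the sample routes are constructed."""
import ipaddress
import struct

RIPNG_PORT = 521                                   # UDP port, RFC 2080
RIPNG_GROUP = ipaddress.IPv6Address("ff02::9")     # all-RIP-routers, link-local scope
CMD_RESPONSE = 2
VERSION = 1
INFINITY = 16                                      # metric 16 = unreachable (hop limit 15)
NEXT_HOP_MARKER = 0xFF                             # metric value that tags a next-hop RTE
RTE_FMT = "!16sHBB"                                # prefix, route tag, prefix length, metric
RTE_LEN = struct.calcsize(RTE_FMT)                 # 20 bytes per route table entry


def build_response(routes, next_hop=None):
    """routes: iterable of (prefix, metric, route_tag). next_hop: optional link-local
    address sent as a next-hop RTE that applies to every RTE following it."""
    pkt = struct.pack("!BBH", CMD_RESPONSE, VERSION, 0)
    if next_hop is not None:
        nh = ipaddress.IPv6Address(next_hop)
        pkt += struct.pack(RTE_FMT, nh.packed, 0, 0, NEXT_HOP_MARKER)
    for prefix, metric, tag in routes:
        net = ipaddress.IPv6Network(prefix)
        pkt += struct.pack(RTE_FMT, net.network_address.packed, tag, net.prefixlen, metric)
    return pkt


def parse_response(pkt, sender, ingress_cost=1):
    """Parse a response received from link-local address `sender` and return the routes
    the way a receiver would install them: metric plus ingress cost, capped at INFINITY,
    next hop defaulting to the sender."""
    cmd, ver, _zero = struct.unpack("!BBH", pkt[:4])
    if cmd != CMD_RESPONSE or ver != VERSION:
        raise ValueError("not a RIPng v1 response")
    body = pkt[4:]
    if len(body) % RTE_LEN:
        raise ValueError("truncated route table entry")
    next_hop = ipaddress.IPv6Address(sender)
    routes = []
    for off in range(0, len(body), RTE_LEN):
        raw, tag, plen, metric = struct.unpack(RTE_FMT, body[off:off + RTE_LEN])
        if metric == NEXT_HOP_MARKER:
            # RFC 2080 2.1.1: a next hop must be link-local; :: (or anything else) means "use the sender"
            nh = ipaddress.IPv6Address(raw)
            next_hop = nh if nh.is_link_local else ipaddress.IPv6Address(sender)
            continue
        if not 1 <= metric <= INFINITY or plen > 128:
            continue                              # RFC 2080 2.4.2: ignore the bad entry, keep the rest
        total = min(metric + ingress_cost, INFINITY)
        routes.append({
            "prefix": str(ipaddress.IPv6Network((int.from_bytes(raw, "big"), plen), strict=False)),
            "tag": tag,
            "metric": total,
            "next_hop": str(next_hop),
            "reachable": total < INFINITY,
        })
    return routes
```

With the update from the lab above (2001:100::/64 at metric 1 from FE80::221:D8FF:FE39:41EE) the parser yields metric 2 with the sender as next hop, matching the "show ipv6 rip database" output; a route advertised at 15 becomes 16 and is flagged unreachable.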



EIGRP
DUAL algorithm - loop-free paths plus precomputed alternatives (feasible successors), active state with queries when none exists, reliable transport, hellos for fast neighbor detection and convergence
Support for AppleTalk, IPX; new protocols are added as a protocol extension via TLVs
Source address of an EIGRP hello = link-local address
Destination address of an EIGRP hello = FF02::A (all EIGRP routers, link-local scope)
The EIGRP router ID must be configured manually if no IPv4 address is present; until then the process stays in shutdown and forms no neighbors (after setting the router ID, bounce it with shutdown / no shutdown as below):
IPv6-EIGRP neighbors for process 1
% EIGRP 1 is in SHUTDOWN
Rack1R4#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES TFTP   up                    up     
FastEthernet0/1            unassigned      YES TFTP   up                    down   
SSLVPN-VIF0                unassigned      NO  unset  up                    up     
Loopback0                  unassigned      YES TFTP   up                    up     
Rack1R4#
Rack1R4(config-rtr)#eigrp router-id 1.1.1.1
Rack1R4(config-rtr)#shutdown
Rack1R4(config-rtr)#no shutdown
Aug  7 19:30:05.535: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 1: Neighbor FE80::21A:2FFF:FE87:5C62 (FastEthernet0/0) is up: new adjacency

EIGRP for IPv4 uses MD5 authentication; for IPv6 the book says EIGRP is to rely on IPsec (IOS also offers MD5 for EIGRP for IPv6: ipv6 authentication mode eigrp <AS> md5 plus ipv6 authentication key-chain eigrp <AS> <chain> on the interface).
Auto-summary is disabled in IPv6, and so is split horizon (there can be several prefixes on one interface)

Config
Rack1R5(config)#int fa 0/1
Rack1R5(config-if)#ipv6 enable
Rack1R5(config-if)#ipv6 eigrp 1
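The DUAL selection described in the EIGRP notes, as an added example (not the book's or Cisco's code): given what each neighbor reports, compute the feasible distance, the successor and the feasible successors, then show what happens when the successor disappears (stay passive and switch, or go active and query). Neighbor addresses and metrics are constructed.

```python
"""DUAL successor / feasible-successor selection as used by EIGRP.
Added example (not the book's or Cisco's code); neighbors and metrics are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    neighbor: str            # link-local address of the advertising neighbor
    reported_distance: int   # RD: the neighbor's own metric to the destination
    link_cost: int           # our metric to reach that neighbor


def computed_distance(a):
    return a.reported_distance + a.link_cost


def dual_select(adverts):
    """Return (FD, successors, feasible_successors).

    FD (feasible distance) is the best computed distance. A neighbor whose RD is
    strictly lower than FD cannot be routing through us, so it is a loop-free
    backup (feasible successor) that can take over without going active."""
    if not adverts:
        return None, [], []
    fd = min(computed_distance(a) for a in adverts)
    successors = [a for a in adverts if computed_distance(a) == fd]
    feasible = [a for a in adverts
                if a not in successors and a.reported_distance < fd]
    return fd, successors, feasible


def on_neighbor_loss(adverts, lost_neighbor):
    """What DUAL does when `lost_neighbor` disappears.

    Returns (state, new_successor): "passive" when another successor or a feasible
    successor (checked against the old FD) takes over locally, "active" when the
    router has to query the remaining neighbors."""
    fd, successors, _ = dual_select(adverts)
    remaining = [a for a in adverts if a.neighbor != lost_neighbor]
    still = [s for s in successors if s.neighbor != lost_neighbor]
    if still:                                   # an equal-cost successor keeps forwarding
        return "passive", still[0].neighbor
    candidates = [a for a in remaining if a.reported_distance < fd]
    if candidates:                              # feasibility condition satisfied
        best = min(candidates, key=computed_distance)
        return "passive", best.neighbor
    return "active", None                       # query every remaining neighbor
```

The third neighbor in the test below has the cheapest link but reports a distance above our FD, so DUAL refuses it as a backup: it might be reaching the destination through us.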


OSPFv3 (RFC 2740, since replaced by RFC 5340) - p. 154
Link-state protocol; no backward compatibility with OSPFv2 or v1 (the OSPFv2 authentication fields are gone from the header).
Router and Network LSAs no longer carry prefixes; those moved into the new Link LSA and Intra-Area-Prefix LSA.
Inter-Area-Prefix LSA replaces the Network Summary LSA (type 3), Inter-Area-Router LSA replaces the ASBR Summary LSA (type 4).
OSPFv3 runs on a per-link basis (not per subnet); source address = link-local address.
Security again via AH and ESP (RFC 4552); the Instance ID allows several instances on the same link (distinguished by the Instance ID field in the OSPFv3 packet header).


Config (unified with address family as in the book - did not work on a c1841 with IOS 12.4(24)T)
 Rack1R4(config-if)#ospfv3 2 area 0 instance 64 address-family ipv4
 Rack1R4(config-if)#ospfv3 instance 64 cost 32


Config
Rack1R5(config-if)#ipv6 ospf 1 area 0
 

The router ID is still 32 bits (taken from an available IPv4 address; without one the process does not start):
Rack1R4(config-if)#ipv6 ospf 1 area 0
Aug  8 07:56:21.251: %OSPFv3-4-NORTRID: OSPFv3 process 1 could not pick a router-id,

Rack1R4(config)#ipv6 router ospf 1
Rack1R4(config-rtr)#router-id 1.1.1.4
Aug  8 08:01:16.291: %OSPFv3-5-ADJCHG: Process 1, Nbr 150.1.5.5 on FastEthernet0/0 from LOADING to FULL, Loading Done



Config (back-to-back Frame Relay encapsulation)
Rack1R5#
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay
 no keepalive
 clock rate 2000000
!
interface Serial0/1/0.1 point-to-point
 ipv6 enable
 ipv6 ospf 1 area 0
 frame-relay interface-dlci 101  
!
Rack1R1#
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no keepalive
!
interface Serial0/0.1 point-to-point
 ipv6 enable
 ipv6 ospf 1 area 0
 frame-relay interface-dlci 101  
!

Rack1R1#sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
150.1.5.5         1   FULL/  -        00:00:32    17              Serial0/0.1
Rack1R1#
 



Config (NBMA Frame Relay)
Rack1R5#
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0/0.1 multipoint
 ipv6 enable
 ipv6 ospf neighbor FE80::20B:FDFF:FEBA:6A40
 ipv6 ospf 1 area 0
 frame-relay map ipv6 FE80::20B:FDFF:FEBA:6A40 501
 frame-relay interface-dlci 501
!
ipv6 router ospf 1
 router-id 0.0.0.5
 log-adjacency-changes
!

Rack1R1#
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
!
interface Serial0/1.1 multipoint
 ipv6 enable
 ipv6 ospf neighbor FE80::21A:2FFF:FE87:5C62
 ipv6 ospf 1 area 0
 frame-relay map ipv6 FE80::21A:2FFF:FE87:5C62 105
 frame-relay interface-dlci 105
!
ipv6 router ospf 1
 router-id 0.0.0.1
 log-adjacency-changes
!
Rack1R5#
*Aug  8 10:21:29.375: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on Serial0/0/0.1 from LOADING to FULL, Loading Done
Rack1R1#
*Mar  1 01:32:00.313: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.5 on Serial0/1.1 from LOADING to FULL, Loading Done
Rack1R1#

Rack1R5#sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
0.0.0.1           1   FULL/DR         00:01:39    13              Serial0/0/0.1
Rack1R5#

Rack1R5#sh ipv6 ospf interface ser0/0/0.1
Serial0/0/0.1 is up, line protocol is up
  Link Local Address FE80::21A:2FFF:FE87:5C62, Interface ID 18
  Area 0, Process ID 1, Instance ID 0, Router ID 0.0.0.5
  Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 0.0.0.1, local address FE80::20B:FDFF:FEBA:6A40
  Backup Designated router (ID) 0.0.0.5, local address FE80::21A:2FFF:FE87:5C62
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:06
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 3
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 0.0.0.1  (Designated Router)
  Suppress hello for 0 neighbor(s)
Rack1R5#

#Q# : Slow neighbor adjacency? Why?
-> The interface output above says why: a multipoint subinterface gets network type NON_BROADCAST, so the defaults are Hello 30 / Dead 120 / Wait 120. On broadcast and NBMA networks a router sits in the Waiting state for the whole Wait interval (120 s here) before electing DR/BDR, and hellos only go out every 30 s, so the adjacency takes minutes. The point-to-point subinterfaces of the back-to-back setup above use 10/40 and elect no DR (hence "FULL/ -" there).
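An added example (my own, not from the book or from IOS) for two OSPFv3 points above: the 16-byte packet header with its Instance ID field and the Hello body, plus the receive checks that explain why neighbors silently fail to form: an Instance ID mismatch is dropped without any log, and hello/dead intervals must match, which is exactly the 30/120 NON_BROADCAST versus 10/40 broadcast case. Router IDs stay 32-bit dotted quads; the packets are constructed and the checksum is left at zero.

```python
"""OSPFv3 header + Hello encoder/decoder with the receive checks of RFC 5340 / RFC 2328.
Added example, not the book's or Cisco's code; the packets below are constructed."""
import ipaddress
import struct

HDR_FMT = "!BBHIIHBB"        # version, type, length, router ID, area ID, checksum, instance ID, 0
HELLO_FMT = "!IB3sHHII"      # interface ID, priority, options, hello, dead, DR, BDR
TYPE_HELLO = 1
OPT_V6_E_R = b"\x00\x00\x13"  # V6 | E | R option bits, what a Cisco hello usually carries


def rid(value):
    """Router and area IDs are still 32-bit dotted quads in OSPFv3."""
    return str(ipaddress.IPv4Address(value))


def build_hello(router_id, area_id, instance_id, interface_id, hello, dead,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    body = struct.pack(HELLO_FMT, interface_id, priority, OPT_V6_E_R, hello, dead,
                       int(ipaddress.IPv4Address(dr)), int(ipaddress.IPv4Address(bdr)))
    body += b"".join(struct.pack("!I", int(ipaddress.IPv4Address(n))) for n in neighbors)
    length = struct.calcsize(HDR_FMT) + len(body)
    # checksum left at 0: OSPFv3 uses the IPv6 pseudo-header checksum, filled in on send
    hdr = struct.pack(HDR_FMT, 3, TYPE_HELLO, length,
                      int(ipaddress.IPv4Address(router_id)), int(ipaddress.IPv4Address(area_id)),
                      0, instance_id, 0)
    return hdr + body


def parse_hello(pkt):
    version, ptype, length, router_id, area_id, _csum, instance_id, _ = struct.unpack_from(HDR_FMT, pkt)
    if version != 3 or ptype != TYPE_HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv3 hello")
    off = struct.calcsize(HDR_FMT)
    interface_id, priority, _opts, hello, dead, dr, bdr = struct.unpack_from(HELLO_FMT, pkt, off)
    off += struct.calcsize(HELLO_FMT)
    neighbors = [rid(n) for (n,) in struct.iter_unpack("!I", pkt[off:])]
    return {"router_id": rid(router_id), "area_id": rid(area_id), "instance_id": instance_id,
            "interface_id": interface_id, "priority": priority, "hello": hello, "dead": dead,
            "dr": rid(dr), "bdr": rid(bdr), "neighbors": neighbors}


def receive_hello(local, pkt):
    """The checks a receiving interface applies (RFC 5340 4.2.2, RFC 2328 10.5).
    `local` = dict(router_id, area_id, instance_id, hello, dead).
    Returns (accepted, reason); reason is the neighbor state reached on success."""
    h = parse_hello(pkt)
    if h["instance_id"] != local["instance_id"]:
        return False, "instance ID mismatch: dropped silently"   # belongs to another instance on the link
    if h["area_id"] != local["area_id"]:
        return False, "area ID mismatch"
    if h["router_id"] == local["router_id"]:
        return False, "duplicate router ID"
    if (h["hello"], h["dead"]) != (local["hello"], local["dead"]):
        return False, "hello/dead interval mismatch: %d/%d vs %d/%d" % (
            h["hello"], h["dead"], local["hello"], local["dead"])
    state = "2-Way" if local["router_id"] in h["neighbors"] else "Init"
    return True, state
```

The test replays the NBMA lab: R1 (0.0.0.1, DR) hears R5 and lists it, so R5 reaches 2-Way; a router left on the broadcast defaults or on instance 64 never gets past the first checks, and "show ipv6 ospf neighbor" stays empty with nothing in the log.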



Config (OSPF IPsec authentication option)

Rack1R1(config-rtr)#area 0 authentication ipsec spi 256 md5
Rack1R5#
*Aug  8 10:30:22.747: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on Serial0/0/0.1 from FULL to DOWN, Neighbor Down: Dead timer expired
Rack1R5(config-rtr)#area 0 authentication ipsec spi 256 md5 FC488E222896E0.......

#Q# : OSPFv3 IPsec doesn't work in NBMA networks? It doesn't work on Ethernet (broadcast) between the 1841 and the 2611XM either!?! IOS bug??
-> Things to check before blaming IOS: the feature needs a crypto (k9) image; SPI, algorithm and key must be identical on both ends, the SPI must be 256 or higher and the MD5 key exactly 32 hex digits (SHA-1: 40). The neighbor going down the moment R1 alone enabled authentication is expected, since the two sides no longer accept each other's hellos until both have the SA. show crypto ipsec sa shows whether the SA was actually created for the interface, debug ipv6 ospf adj shows whether hellos are being rejected.
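The parameter comparison just mentioned, as an added example (not Cisco's or the book's code): it lints the "area ... authentication ipsec" lines of two router configs against each other for equal SPI, algorithm and key, an SPI of at least 256, and a key of exactly 32 hex digits for md5 (40 for sha1). The configs and the key are constructed; the real key from the lab is not reproduced.

```python
"""Consistency check for 'area <n> authentication ipsec spi <spi> <md5|sha1> <key>' lines.
Added example, not Cisco's or the book's code; the config snippets in the test are constructed."""
import re

AUTH_RE = re.compile(
    r"area\s+(\S+)\s+authentication\s+ipsec\s+spi\s+(\d+)\s+(md5|sha1)\s+(\S+)", re.I)
KEY_DIGITS = {"md5": 32, "sha1": 40}   # hex digits IOS expects for the HMAC key
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF     # RFC 4303 reserves SPIs 1-255; IOS refuses them


def parse_area_auth(config):
    """Return {area: (spi, algorithm, key)} for every area-auth line in a config blob."""
    found = {}
    for m in AUTH_RE.finditer(config):
        area, spi, alg, key = m.groups()
        found[area] = (int(spi), alg.lower(), key.upper())
    return found


def check_area_auth(config_a, config_b, area="0"):
    """List every reason the OSPFv3 IPsec SA for `area` cannot come up between two
    routers; an empty list means the parameters are consistent."""
    a = parse_area_auth(config_a).get(area)
    b = parse_area_auth(config_b).get(area)
    if a is None or b is None:
        return ["authentication enabled on only one side: neighbor goes down when its dead timer expires"]
    problems = []
    for name, (spi, alg, key) in (("A", a), ("B", b)):
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{name}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if not re.fullmatch(r"[0-9A-F]+", key) or len(key) != KEY_DIGITS[alg]:
            problems.append(f"{name}: {alg} key must be {KEY_DIGITS[alg]} hex digits, got {len(key)}")
    if a[0] != b[0]:
        problems.append("SPI differs")
    if a[1] != b[1]:
        problems.append("algorithm differs")
    if a[2] != b[2]:
        problems.append("key differs")
    return problems
```

Feed it the output of "show running-config | section ipv6 router ospf" from both routers; a truncated or mistyped key shows up as a length error before you even look at the IPsec SAs.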

IS-IS
OSI protocol; easily extensible thanks to TLVs (Type Length Value); IS-IS PDUs (hellos, LSPs) run directly on layer 2, not over IP; the OSPF DR corresponds to the IS-IS DIS (designated intermediate system); no native NBMA support (links are either point-to-point or broadcast).
IPv6 support (RFC 5308): new NLPID 0x8E for IPv6 in the Protocols Supported TLV, plus two new TLVs:
                                                                   -> IPv6 Reachability (236 = 0xEC)
                                                                   -> IPv6 Interface Address (232 = 0xE8)
Since IS-IS runs on L2 there is no IP source address; the link-local addresses travel in the IPv6 Interface Address TLV of the hellos (LSPs carry the non-link-local addresses).
Same topology for IPv4 and IPv6 in single-topology mode (same metric, authentication etc.; every link must then carry both protocols).
Multi-topology (RFC 5120): separate metrics for IPv6 (the book also lists authentication); usable in the IPv4->IPv6 transition phase when not every link is dual-stack.


Config
Rack1R5#
!
interface FastEthernet0/1
 ipv6 enable
 ipv6 router isis SHIT
!
router isis SHIT
 net 49.0000.0000.0000.0005.00
!

 
Rack1R1#

!
interface FastEthernet0/0
 ipv6 enable
 ipv6 router isis SHIT

!
router isis SHIT
 net 49.0000.0000.0000.0001.00
!
 

Config (multi-topology)
Rack1R1#
!
router isis SHIT
 net 49.0000.0000.0000.0001.00
 metric-style wide transition
 !
 address-family ipv6
 multi-topology
 exit-address-family
!
Rack1R1#show isis database detail | incl Topo
  Topology:     IPv6 (0x2)
  Topology:     IPv6 (0x2)
Rack1R1#                         
! Rack1R1 now sends the multi-topology TLVs (MT ID 2 = IPv6 unicast); the neighbor has to run multi-topology as well, or both use "multi-topology transition" while migrating
Rack1R5#show clns is-neighbors detail | incl Topo
  Topology: IPv6
Rack1R5#
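The IS-IS TLVs from the notes above, as an added example (not the book's or Cisco's code): encoder and decoder for Protocols Supported (NLPID 0x8E), IPv6 Interface Address (232), IPv6 Reachability (236, with the up/down and external bits and the compact prefix encoding) and the multi-topology TLV 229 that produces the "Topology: IPv6 (0x2)" line seen in the show output. The LSP and IIH payloads are constructed.

```python
"""Encoder/decoder for the IS-IS TLVs that carry IPv6 (RFC 5308) and multi-topology (RFC 5120) data.
Added example, not from the book or Cisco; the PDU payloads below are constructed."""
import ipaddress
import struct

NLPID_IPV4, NLPID_IPV6 = 0xCC, 0x8E
TLV_PROTOCOLS = 129          # Protocols Supported: list of NLPIDs
TLV_MT = 229                 # Multi-Topology: 2-byte entries, O/A bits + 12-bit MT ID
TLV_IPV6_IFACE = 232         # IPv6 Interface Address: 16-byte addresses
TLV_IPV6_REACH = 236         # IPv6 Reachability: metric, control byte, prefix
MT_NAMES = {0: "IPv4 (0x0)", 2: "IPv6 (0x2)"}   # the form IOS prints in "show isis database detail"


def tlv(t, value):
    if len(value) > 255:
        raise ValueError("TLV value too long")
    return bytes([t, len(value)]) + value


def iter_tlvs(data):
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, l = data[off], data[off + 1]
        value = data[off + 2:off + 2 + l]
        if len(value) != l:
            raise ValueError("truncated TLV")
        yield t, value
        off += 2 + l


def encode_ipv6_reach(prefix, metric, down=False, external=False):
    """One RFC 5308 entry: 4-byte metric, control byte (U=down, X=external, S=sub-TLVs),
    prefix length, then only ceil(len/8) bytes of the prefix."""
    net = ipaddress.IPv6Network(prefix)
    ctrl = (0x80 if down else 0) | (0x40 if external else 0)
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!IBB", metric, ctrl, net.prefixlen) + net.network_address.packed[:nbytes]


def decode_ipv6_reach(value):
    routes, off = [], 0
    while off < len(value):
        metric, ctrl, plen = struct.unpack_from("!IBB", value, off)
        off += 6
        nbytes = (plen + 7) // 8
        raw = value[off:off + nbytes].ljust(16, b"\x00")
        off += nbytes
        if ctrl & 0x20:                       # S bit: skip sub-TLVs this decoder does not interpret
            off += 1 + value[off]
        routes.append({"prefix": str(ipaddress.IPv6Network((int.from_bytes(raw, "big"), plen))),
                       "metric": metric, "down": bool(ctrl & 0x80), "external": bool(ctrl & 0x40)})
    return routes


def decode_pdu_tlvs(data):
    """Summarise the IPv6-relevant TLVs of an LSP or IIH payload."""
    out = {"protocols": [], "topologies": [], "ipv6_addresses": [], "ipv6_reach": []}
    for t, value in iter_tlvs(data):
        if t == TLV_PROTOCOLS:
            out["protocols"] = list(value)
        elif t == TLV_MT:
            out["topologies"] = [MT_NAMES.get(e & 0x0FFF, hex(e & 0x0FFF))
                                 for (e,) in struct.iter_unpack("!H", value)]
        elif t == TLV_IPV6_IFACE:
            out["ipv6_addresses"] = [str(ipaddress.IPv6Address(value[i:i + 16]))
                                     for i in range(0, len(value), 16)]
        elif t == TLV_IPV6_REACH:
            out["ipv6_reach"] = decode_ipv6_reach(value)
    out["ipv6_capable"] = NLPID_IPV6 in out["protocols"]
    return out


def sample_lsp(prefixes, multi_topology=True):
    """Constructed LSP payload of a dual-stack router; single-topology unless `multi_topology`."""
    body = tlv(TLV_PROTOCOLS, bytes([NLPID_IPV4, NLPID_IPV6]))
    if multi_topology:
        body += tlv(TLV_MT, struct.pack("!HH", 0, 2))
    body += tlv(TLV_IPV6_IFACE, ipaddress.IPv6Address("2001:5::1").packed)
    body += tlv(TLV_IPV6_REACH, b"".join(encode_ipv6_reach(p, m) for p, m in prefixes))
    return body
```

A router that lacks 0x8E in TLV 129 is ignored for IPv6 SPF, which is the first thing to look for when a neighbor shows up in "show clns neighbors" but contributes no IPv6 routes.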

BGP - p. 165
Path vector protocol; attributes e.g. AS_PATH, NEXT_HOP
MP-BGP extension for IPv6 (RFC 2858, since replaced by RFC 4760; the IPv6 specifics are in RFC 2545)
-> new attributes MP_REACH_NLRI, MP_UNREACH_NLRI
-> the attributes start with AFI (16 bit) and SAFI (8 bit) to identify the L3 protocol
  • AFI:1=IPv4
  • AFI:2=IPv6
  • SAFI:128=MPLS VPN (#F# error in the book, which says SAFI 127 = VPN)
  • SAFI:1=unicast
  • SAFI:2=multicast
  • SAFI:4=labeled (MPLS label)
MP-BGP capability negotiation via the OPEN message (Multiprotocol Extensions capability)
When peering over IPv4 but exchanging IPv6 routes, the next hop must be rewritten with a route-map (set ipv6 next-hop), because the IPv6 prefix otherwise carries the IPv4 next hop as an IPv4-mapped address (::FFFF:a.b.c.d) that nobody can reach.

Multihoming - several IPv6 addresses per host (one from each provider)
                   - multihoming by announcing the same prefix through several ISPs would break the ISPs' aggregation
                   - no solution at the moment (various drafts exist)


 
Config (peering with link-local addresses)
Rack1R1# (Cisco 2611XM)
router bgp 65000
 no synchronization
 bgp router-id 1.0.0.1
 bgp log-neighbor-changes
 neighbor FE80::21A:2FFF:FE87:5C63 remote-as 65000
 no auto-summary
!

Rack1R5# (Cisco 1841)
router bgp 65000
 no synchronization
 bgp router-id 1.0.0.5
 bgp log-neighbor-changes
 neighbor FE80::20B:FDFF:FEBA:6A40 remote-as 65000
 no auto-summary
!
Rack1R1#sh ip bgp summary                    

BGP router identifier 1.0.0.1, local AS number 65000
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FE80::21A:2FFF:FE87:5C63
                4 65000       0       0        0    0    0 never    Active
Rack1R1#
 
No peering :( Note: link-local addresses on a router do NOT have to be unique!! If the link-local address of an interface is used outside the context of that interface, the interface must be given in the neighbor statement (see Cisco: BGP peering with link-local addresses).
After the neighbor statement on Rack1R5 is entered with the interface, the peering comes up. !?!
Rack1R5(config)#router bgp 65000
Rack1R5(config-router)#no neighbor FE80::20B:FDFF:FEBA:6A40 remote-as 65000
Rack1R5(config-router)#neighbor FE80::20B:FDFF:FEBA:6A40%FastEthernet0/1 remot$
Rack1R5(config-router)#
Rack1R5#sh run | incl
*Aug  8 14:52:05.203: %SYS-5-CONFIG_I: Configured from console by console
Rack1R5#sh run | incl neigh
 bgp log-neighbor-changes
 neighbor FE80::20B:FDFF:FEBA:6A40%FastEthernet0/1 remote-as 65000
Rack1R5#
*Aug  8 14:52:11.323: %BGP-5-ADJCHANGE: neighbor FE80::20B:FDFF:FEBA:6A40%FastEthernet0/1 Up

Rack1R5#sh ipv6 int brief | incl up
FastEthernet0/1            [up/up]
SSLVPN-VIF0                [up/up]
Loopback0                  [up/up]
Rack1R5#
#Q# : Why is that!?!
-> A link-local address only means something on one link: fe80::/10 is never looked up in the routing table, so the router cannot know on which interface FE80::20B:FDFF:FEBA:6A40 lives unless the neighbor statement (%interface) or an update-source names it. Without that, R5 could not even send the TCP SYN to port 179, which is why the session sat in Active. Once R5 knows the interface it opens the session; R1, whose statement has no interface, only has to accept the incoming connection and answers on the interface the SYN arrived on.
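MP_REACH_NLRI and the two peering pitfalls from this section (IPv4-mapped next hop over an IPv4 session, link-local neighbor without an interface), as an added example that is not from the book or from IOS; the attribute contents and neighbor strings are constructed.

```python
"""MP_REACH_NLRI (RFC 4760) encoder/decoder plus two sanity checks for IPv6 peering.
Added example, not the book's or Cisco's code; attribute contents and neighbor strings are constructed."""
import ipaddress
import struct

AFI_NAMES = {1: "IPv4", 2: "IPv6"}
SAFI_NAMES = {1: "unicast", 2: "multicast", 4: "labeled unicast", 128: "MPLS-labeled VPN"}
ADDR_LEN = {1: 4, 2: 16}


def encode_mp_reach(afi, safi, next_hops, prefixes):
    """Attribute value: AFI(2) SAFI(1) NH length(1) next hop(s) reserved(1) NLRI (len byte + prefix bytes).
    For IPv6 (RFC 2545) the next-hop field is a global address, optionally followed by a link-local one."""
    nh = b"".join(ipaddress.ip_address(n).packed for n in next_hops)
    out = struct.pack("!HBB", afi, safi, len(nh)) + nh + b"\x00"
    for p in prefixes:
        net = ipaddress.ip_network(p)
        out += bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    return out


def decode_mp_reach(attr):
    afi, safi, nhlen = struct.unpack_from("!HBB", attr, 0)
    size = ADDR_LEN.get(afi)
    if size is None or nhlen % size:
        raise ValueError("unsupported AFI or bad next-hop length")
    off = 4
    next_hops = [ipaddress.ip_address(attr[off + i:off + i + size]) for i in range(0, nhlen, size)]
    off += nhlen + 1                                    # skip the reserved octet
    net_cls = ipaddress.IPv4Network if afi == 1 else ipaddress.IPv6Network
    nlri = []
    while off < len(attr):
        plen = attr[off]
        nbytes = (plen + 7) // 8
        chunk = attr[off + 1:off + 1 + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated NLRI")
        raw = chunk.ljust(size, b"\x00")
        nlri.append(str(net_cls((int.from_bytes(raw, "big"), plen))))
        off += 1 + nbytes
    return {"afi": AFI_NAMES.get(afi, afi), "safi": SAFI_NAMES.get(safi, safi),
            "next_hops": next_hops, "nlri": nlri}


def next_hop_warnings(decoded):
    """Why a syntactically valid IPv6 update may still yield unusable routes."""
    warnings = []
    if decoded["afi"] != "IPv6":
        return warnings
    for nh in decoded["next_hops"]:
        if nh.ipv4_mapped is not None:
            warnings.append(f"next hop {nh} is IPv4-mapped ({nh.ipv4_mapped}): session runs over IPv4, "
                            "fix with a route-map 'set ipv6 next-hop' on the sender")
    if decoded["next_hops"] and all(nh.is_link_local for nh in decoded["next_hops"]):
        warnings.append("only a link-local next hop: usable on this link only")
    return warnings


def neighbor_target(neighbor_spec):
    """Cisco 'neighbor FE80::...%FastEthernet0/1' syntax. A link-local address only
    identifies a host on one link, so the router needs the interface to send the SYN."""
    addr, _, zone = neighbor_spec.partition("%")
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local and not zone:
        raise ValueError(f"{addr}: link-local neighbor needs %interface (or update-source)")
    return ip, (zone or None)
```

The first warning is the case from the notes above: an IPv6 prefix learned over an IPv4 session arrives with ::FFFF:10.0.0.1 as next hop and is installed only after the sender rewrites it; the neighbor check reproduces why the first link-local peering attempt stayed in Active.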


Config (IPv6 peering with loopbacks, static routes)
Rack1R5#
!
ipv6 unicast-routing
!
interface Loopback0
 no ip address
 ipv6 address 2001:5::1/64
 ipv6 enable
!
router bgp 65000
 no synchronization
 bgp router-id 1.0.0.5
 bgp log-neighbor-changes
 neighbor 2001:1::1 remote-as 65000
 neighbor 2001:1::1 update-source Loopback0
 no auto-summary
!
ipv6 route 2001:1::1/128 FastEthernet0/1 FE80::20B:FDFF:FEBA:6A40
!


Rack1R1#
!        
interface Loopback0
 no ip address
 ipv6 address 2001:1::1/64
 ipv6 enable
!
router bgp 65000
 no synchronization
 bgp router-id 1.0.0.1
 bgp log-neighbor-changes
 neighbor 2001:5::1 remote-as 65000
 neighbor 2001:5::1 update-source Loopback0
 no auto-summary

!
ipv6 route 2001:5::1/128 FastEthernet0/0 FE80::21A:2FFF:FE87:5C63
!


Here I once had a silly mistake in it.
Rack1R1 fa0/0---------- Rack1R5 fa0/1
On R1 router bgp 65000 was configured and on R5 router bgp 6500. You don't notice it at first glance.
Of course no peering came up, and there was no error message either, because for R5 the neighbor statement towards R1 represents an eBGP session, the TTL is 1 and so the packet never reaches R1. With a neighbor ebgp-multihop the mistake would have been easy to spot on R5. Helpful for troubleshooting ->
R1#telnet 2001:5::1 179 /ipv6 /source-interface lo0
Trying 2001:5::1, 179 ...
% Connection refused by remote host

Or:
Rack1R5(config)#ipv6 access-list TEST
Rack1R5(config-ipv6-acl)#permit tcp any any eq bgp
Rack1R5#debug ipv6 packet access-list TEST
  IPv6 unicast packet debugging is on for access list TEST
Rack1R5#