Archive for the 'ipv6' Category

static ipv6 address on solaris 10

This seems silly, but it took quite a while to get a static ipv6 address to configure itself properly on Solaris 10.

There were loads of errors, mainly like

  • Failed to configure IPv6 interfaces(s): e1000g0
  • t_optmgmt: System error: Cannot assign requested address

If you read the various versions of the documentation, they suggest you add the following to /etc/hostname6.e1000g0

inet6 ipv6-address up
addif inet6 ipv6-address up
...

But this actually doesn’t seem to work. :-(

This seems to work though

bash-3.00$ cat /etc/inet/ndpd.conf
if-variable-name StatelessAddrConf false
bash-3.00$ cat /etc/hostname6.e1000g0
addif 2001:8e3:ee12:2::36/64 up
bash-3.00$

Putting inet6 into the hostname file seems to be the main issue, and it works just fine without it.

Interestingly, you still get the various addresses you would normally expect (local and global), so the static address will appear as a sub interface rather than an IP on the primary interface.

$ /usr/sbin/ifconfig -a
lo0: flags=2002000849 mtu 8252 index 1
        inet6 ::1/128
e1000g0: flags=2000841 mtu 1500 index 2
        inet6 fe80::20c:23df:fe61:e321/10
e1000g0:1: flags=2000841 mtu 1500 index 2
        inet6 2001:8e3:ee12:2::36/64
e1000g0:2: flags=2080841 mtu 1500 index 2
        inet6 2001:8e3:ee12:2:20c:23df:fe61:e321/64
$

IPv6 BGP between Cisco router and Juniper SSG firewall

When I signed up with my ISP, I received a /48 of ipv6 address space along with it. I managed to find some time the other day to try to set it up. The equipment in use is Cisco routers and a Juniper SSG firewall. For what it's worth, I thought I would just document what was needed to get it working.

I use VRFs (Virtual Route Forwarders – effectively virtual route tables) a lot on the Cisco routers – they really are quite neat. The VRFs are ipv4 by default. The ISP connection on the router is inside a VRF, so the first thing to do is to enable ipv6 on the VRF.

vrf upgrade-cli multi-af-mode common-policies

I have only just started looking at ipv6, so I spent some time looking for the address range I should use on the link between myself and the ISP (as I would with ipv4). I finally worked out that I just need to use an automatic link-local address.

This config lives on a PPPoE dialer

!
interface Dialer1
 vrf forwarding my-vrf
 bandwidth inherit
 bandwidth receive inherit
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig default
 no cdp enable
 ppp chap hostname my-uid
 ppp chap password 7 my-hash
!

Which looks like this when it comes up

router# show ipv6 int brie
Dialer1                    [up/up]
    FE80::213:C3FF:FEE7:9FF0

The ipv6 addresses look somewhat complicated at first glance, but they are quite tidy when you play with them a bit, and they are easy to carve up if you wish to do so. I started cutting the block into /64 LAN segments.

If you were allocated 2001:8b0:ff00::/48, you can subnet it as

2001:8b0:ff00:1::/64, and make your router 2001:8b0:ff00:1::1 and a host can be statically defined as 2001:8b0:ff00:1::21.

The next subnet could be 2001:8b0:ff00:2::/64 etc

On the router I created the first ipv6 segment between the router and the SSG firewall.

!
interface FastEthernet0/1.98
 description dirty-net
 vrf forwarding my-vrf
 encapsulation dot1Q 98
 ipv6 address 2001:8B0:FF00:1::1/64
!

The BGP configuration was relatively simple.

!
router bgp 64512
 !
 address-family ipv4 vrf my-vrf
  no synchronization
 exit-address-family
 !
 !
 address-family ipv6 vrf my-vrf
  neighbor my-vrf peer-group
  neighbor my-vrf remote-as 64513
  neighbor my-vrf default-originate
  neighbor 2001:8B0:FF00:1::2 peer-group my-vrf
  neighbor 2001:8B0:FF00:1::2 activate
  redistribute connected
  no synchronization
 exit-address-family
!

On the SSG firewall, I added additional addresses to existing ipv4 interfaces, but first you have to enable ipv6 on the firewall.

set envar ipv6=yes

Now I can configure the interface

set interface "ethernet0/1.1" tag 98 zone "dirty-net"
set interface "ethernet0/1.1" ipv6 mode "router"
set interface "ethernet0/1.1" ipv6 ip 2001:8b0:ff00:1::2/64
set interface "ethernet0/1.1" ipv6 enable
set interface ethernet0/1.1 ipv6 ra link-address
set interface ethernet0/1.1 ipv6 nd nud
set interface ethernet0/1.1 protocol bgp

And then configure BGP (and advertise the /48 block to the Cisco router)

my-ssg(trust-vr)-> get config
set router-id 10.12.10.3
set adv-inact-interface
set protocol bgp 64513
set neighbor 2001:8b0:ff00:1::1 remote-as 64512 local-ip 2001:8b0:ff00:1::2/64 outgoing-interface ethernet0/1.1
set neighbor 2001:8b0:ff00:1::1 enable
set neighbor 2001:8b0:ff00:1::1 hold-time 10
unset ipv6 synchronization
set ipv6 neighbor 2001:8b0:ff00:1::1 activate
set ipv6 network 2001:8b0:ff00::/48 no-check
pe1-cf-01a(trust-vr)->
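
An added example, not part of the original post: a small Python check that every IPv6 literal in the two peers' interface and BGP lines falls inside the allocated /48, and that each BGP neighbor address is actually configured on an interface. The sample lines are constructed in the style of the configs above; `ipv6_tokens` and `audit` are hypothetical helper names, and the line matching is a simplification rather than an IOS or ScreenOS parser.

```python
import ipaddress

# The example /48 used in the post; change to your own allocation.
ALLOCATION = ipaddress.IPv6Network("2001:8b0:ff00::/48")

# Constructed sample: lines in the style of the router and firewall configs
# above. The last line carries a deliberate one-digit typo (ff0 for ff00).
SAMPLE = """\
ipv6 address 2001:8B0:FF00:1::1/64
neighbor 2001:8B0:FF00:1::2 activate
set interface "ethernet0/1.1" ipv6 ip 2001:8b0:ff00:1::2/64
set neighbor 2001:8b0:ff00:1::1 enable
set neighbor 2001:8b0:ff0:1::1 hold-time 10
"""


def ipv6_tokens(line):
    """Yield (IPv6Interface, has_prefix) for each IPv6 literal on a line."""
    for tok in line.split():
        if ":" not in tok:
            continue
        try:
            iface = ipaddress.IPv6Interface(tok)
        except ValueError:
            continue  # contains a colon but is not an IPv6 literal
        yield iface, "/" in tok


def audit(config, allocation=ALLOCATION):
    """Return (line_no, address, problem) findings, in line order."""
    lines = config.splitlines()
    # Pass 1: addresses written with a prefix length are interface addresses.
    owned = {i.ip for ln in lines for i, pfx in ipv6_tokens(ln) if pfx}
    findings = []
    # Pass 2: flag addresses outside the block and neighbors nobody owns.
    for no, line in enumerate(lines, 1):
        is_neighbor = "neighbor" in line.split()
        for iface, has_prefix in ipv6_tokens(line):
            if iface.ip.is_link_local:
                continue  # fe80::/10 is never part of the allocation
            if iface.ip not in allocation:
                findings.append((no, str(iface.ip), "outside allocation"))
            elif is_neighbor and not has_prefix and iface.ip not in owned:
                findings.append((no, str(iface.ip), "no interface owns neighbor address"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```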

On the inside of the firewall I configured the second subnet 2001:8b0:ff00:2::/64 and set the interface type to ipv6 router

set interface "ethernet0/1.3" ipv6 mode "router"
set interface "ethernet0/1.3" ipv6 ip 2001:8b0:ff00:3::1/64
set interface "ethernet0/1.3" ipv6 enable

Now all the hosts on the internal network will quite happily pick up an ipv6 address. You can make sure it's working by pinging Google.

boo:~ pete$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:8b0:ff00:2:226:8ea:bea3:e9c5 --> 2a00:1450:8006::63
16 bytes from 2a00:1450:8006::63, icmp_seq=0 hlim=55 time=23.909 ms
16 bytes from 2a00:1450:8006::63, icmp_seq=1 hlim=55 time=23.401 ms
^C
--- ipv6.l.google.com ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.401/23.655/23.909/0.254 ms

Not exactly an early adopter, but hopefully that helps someone get started.

Cheers
Pete