Hitchhikers Guide to Ipv6 - Cisco Live


Nicole Wajer – Chiefstroopwafel Officer

BRKRST-3304

Hitchhikers Guide to Ipv6

@Vlinder_NL

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

Find this session in the Cisco Events Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space


cs.co/ciscolivebot#BRKRST-3304



Nicole Wajer Technical Solutions Architect

@vlinder_nl


The Hitchhiker's Guide to the Galaxy

“Space,” it says, “is big. Really big. You just won’t believe how vastly hugely mind-bogglingly big it is. I mean you may think it’s a long way down the road to the chemist, but that’s just peanuts to space. Listen …” and so on.


This Session….


Don’t Panic


• Easy to miss – Warm up your brain

• Neighbor And Router Discovery

• Addressing

• IPv4 Coexistence And Transition

• IPv6-centric Deployments

Encyclopaedia Galactica


Easy-to-miss configuration knobs


EIGRP IPv6 needs “no shutdown”


ipv6 router eigrp 1
 router-id 192.0.2.1
 no shutdown


VRRPv3: default is VRRPv2 => no IPv6 support


R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int e0/1
R1(config-if)# ipv6 address 2001:DB8:CAFE::1/64
R1(config-if)#vrrp 101 ?
  authentication  Authentication
  description     Group specific description
  ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
  preempt         Enable preemption of lower priority Master
  priority        Priority of this VRRP group
  shutdown        Disable VRRP Configuration
  timers          Set the VRRP timers
  track           Event Tracking
R1(config-if)#vrrp 101

The context-sensitive help offers no IPv6 or address-family option: the box is still running VRRPv2, which has no IPv6 support.


VRRPv3: enabling it + successful configuration


interface Ethernet0/1
 no ip address
 ipv6 address 2001:DB8:CAFE::1/64
 vrrp 101 address-family ipv6
  address FE80::1 primary
  exit-vrrp
!
fhrp version vrrp v3


Neighbor Discovery: Solicited Node Multicast

Solicited node multicast groups: FF02::1:FF00:0000/104 (the low 24 bits of the unicast address are appended to the /104 prefix)

2001:db8::0000:0001 -> FF02::1:FF00:0001
2001:db8::0000:0002 -> FF02::1:FF00:0002

Other groups shown on the slide: FF02::1:FFCC:CCCC, FF02::1:FFBB:BBBB, FF02::1:FFAA:AAAA
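The mapping above, worked through in code. This is an added example, not part of the slide deck: it derives the solicited-node group for any unicast address, the Ethernet multicast MAC that group maps to (RFC 2464), and the set of groups a host with several addresses must join; the sample addresses are taken from the slides, and the helper names are my own.

```python
import ipaddress

# RFC 4291: solicited-node multicast group = ff02::1:ff00:0/104 + low 24 bits of the unicast address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Return the solicited-node multicast group a node must listen on for `unicast`."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def is_solicited_node(addr: str) -> bool:
    """True if `addr` lies inside ff02::1:ff00:0/104 (what an ND-aware filter must let through)."""
    return ipaddress.IPv6Address(addr) in SOLICITED_NODE_PREFIX


def multicast_mac(group: str) -> str:
    """RFC 2464: an IPv6 multicast group maps to MAC 33:33 followed by the group's low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def joined_groups(addresses) -> list:
    """Distinct solicited-node groups for all of a host's addresses (link-local, global, temporaries).

    EUI-64 link-local and global addresses share the same low 24 bits and therefore the same group;
    every temporary (privacy) address adds another group, which is part of the ND churn the deck discusses.
    """
    return sorted({str(solicited_node(a)) for a in addresses})


if __name__ == "__main__":
    for a in ("2001:db8::0000:0001", "2001:db8::0000:0002", "2001:db8::aaaa:aaaa"):
        g = solicited_node(a)
        print(f"{a:>22} -> {g}  (MAC {multicast_mac(str(g))})")
    # Constructed host with the addresses shown later in the deck's `ip -6 addr` output.
    print(joined_groups(["fe80::6a5b:35ff:fed0:8d7c",
                         "2001:470:1f13:62e:6a5b:35ff:fed0:8d7c",
                         "2001:470:1f13:62e:90f8:5341:15d:e733"]))
```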

ACL


Beware the ACL “tightening”


ipv6 access-list ingress
 permit tcp host 2001:db8::1 eq 80 any
 deny ipv6 any any log

The explicit "deny ipv6 any any log" is evaluated before the implicit entries, so the implicit ND permits never get a chance to match and Neighbor Discovery is blocked:

 permit icmp any any nd-na   (implicit)
 permit icmp any any nd-ns   (implicit)
 deny ipv6 any any           (implicit)


IPv6 ACL Implicit Rules

• IPv6 ACLs configure like “extended named”
• Matching: SRC, DST, next header
• Applying the ACL uses the ipv6 traffic-filter command
• IPv6 ACLs have multiple implicit rules
• Similar to deny ip any any
• IOS has 3 implicit IPv6 ACL rules
• NXOS has 5 implicit IPv6 ACL rules
• IOS-XE has no implicit IPv6 ACL rules


ipv6 access-list NXOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 deny ipv6 any any

ipv6 access-list IOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any

interface GigabitEthernet 0/2
 ipv6 address 2001:db8:50:31::1/64
 ipv6 traffic-filter BLOCK-BAD in
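A small first-match evaluator that makes the "tightening" pitfall above testable. This is an added example and not Cisco code: it models the implicit entries per platform exactly as the slide lists them, replays the "ingress" ACL from the previous slide against a DAD Neighbor Solicitation and a Neighbor Advertisement, and shows that an explicit logging deny shadows the implicit ND permits. The repaired ACL, the sample packets and the "no match means deny" fallback for IOS-XE are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" (any next header), "tcp", "udp" or "icmp"
    src: str = "any"                 # "any" or an address/prefix
    dst: str = "any"
    sport: Optional[int] = None      # "eq 80" after the source, as written on the slide
    icmp_type: Optional[str] = None  # "nd-ns", "nd-na", "router-advertisement", ...
    text: str = ""                   # how the line reads in the config


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    icmp_type: Optional[str] = None


def _icmp(action: str, icmp_type: str, note: str) -> Rule:
    return Rule(action, "icmp", icmp_type=icmp_type, text=f"{action} icmp any any {icmp_type} ({note})")


# Implicit entries per platform, exactly as the slide lists them.
IMPLICIT_RULES = {
    "IOS": [_icmp("permit", "nd-na", "implicit"), _icmp("permit", "nd-ns", "implicit"),
            Rule("deny", "ipv6", text="deny ipv6 any any (implicit)")],
    "NX-OS": [_icmp("permit", "nd-na", "implicit"), _icmp("permit", "nd-ns", "implicit"),
              _icmp("permit", "router-advertisement", "implicit"),
              _icmp("permit", "router-solicitation", "implicit"),
              Rule("deny", "ipv6", text="deny ipv6 any any (implicit)")],
    "IOS-XE": [],  # slide: no implicit rules; unmatched traffic hits the assumed default below
}


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], platform: str, pkt: Packet) -> Tuple[str, str]:
    """First match wins: explicit lines in order, then the platform's implicit lines."""
    for rule in list(acl) + IMPLICIT_RULES[platform]:
        if _matches(rule, pkt):
            return rule.action, rule.text
    # Assumption: an ACL with no matching line denies (standard ACL semantics).
    return "deny", "no match (assumed default deny)"


# The "tightened" ACL from the slide.
TIGHTENED = [
    Rule("permit", "tcp", src="2001:db8::1/128", sport=80, text="permit tcp host 2001:db8::1 eq 80 any"),
    Rule("deny", "ipv6", text="deny ipv6 any any log"),
]
# Constructed repair (not on the slide): restate the ND permits ahead of the logging deny.
REPAIRED = [TIGHTENED[0], _icmp("permit", "nd-ns", "explicit"), _icmp("permit", "nd-na", "explicit"), TIGHTENED[1]]

# Constructed sample packets: a DAD NS (source ::), a solicited NA, an RA and a web reply.
DAD_NS = Packet("icmp", "::", "ff02::1:ff00:2", icmp_type="nd-ns")
NA = Packet("icmp", "2001:db8::2", "2001:db8::1", icmp_type="nd-na")
RA = Packet("icmp", "fe80::1", "ff02::1", icmp_type="router-advertisement")
WEB = Packet("tcp", "2001:db8::1", "2001:db8::2", sport=80)


def nd_still_works(acl: List[Rule], platform: str) -> bool:
    """Neighbor Discovery survives the ACL only if both NS and NA are permitted."""
    return all(evaluate(acl, platform, p)[0] == "permit" for p in (DAD_NS, NA))


if __name__ == "__main__":
    for name, acl in (("tightened", TIGHTENED), ("repaired", REPAIRED)):
        for pkt in (DAD_NS, NA, RA, WEB):
            print(f"{name:9} {pkt.icmp_type or pkt.proto:20} {evaluate(acl, 'IOS', pkt)}")
        print(f"{name}: ND works on IOS -> {nd_still_works(acl, 'IOS')}")
```

Running it shows the DAD NS hitting "deny ipv6 any any log" in the tightened ACL and the implicit permits in the bare one, which is the whole point of the slide.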


NIST guidelines for secure IPv6 deployment; RFC4890


http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
http://www.ietf.org/rfc/rfc4890.txt

See BRKSEC-2003


Ducks in a Row

• Code paths of requests/replies may differ

• Multicast and Unicast processing can differ

• Neighbor Solicitation contains Link-Layer address

• May populate the cache without explicit request

• Beware of defaults


Neighbors


Neighbor Cache State Machine

• Incomplete – Pending address resolution, NS message outstanding
• Reachable – Recently used mapping, can be refreshed by ULP
• Stale – Not currently communicating, waiting for next queued packet
• Delay – Using stale binding, awaiting (ULP) return traffic
• Probe – Sending unicast NS to node (after Delay timer, 3x1 sec)

(Figure: state diagram No Entry -> Incomplete -> Reachable -> Stale -> Delay -> Probe, with transitions labelled NS, NA, "time expired", "send packet" and ULP)


ReachableTime: How Long Is It?

• BASE_REACHABLE_TIME
• Sent in RA or taken from default
• Value in milliseconds
• Random(0.5 .. 1.5) * BASE_REACHABLE_TIME
• Chosen every few hours or when BASE… changes

ReachableTime = RANDOM(0.5x .. 1.5x) * BASE_REACHABLE_TIME (milliseconds)
BASE_REACHABLE_TIME default: 30000 msec
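The state machine and the ReachableTime rule from the two slides above, as an added example (not code from the deck). It drives one neighbor cache entry through the events the diagram labels and computes ReachableTime the way RFC 4861 prescribes. Event names, the injectable random source and the returned action strings are my own; the timer constants are the RFC defaults the slides quote.

```python
import random

# Constants from RFC 4861 and the slides
BASE_REACHABLE_TIME_MS = 30_000   # default BASE_REACHABLE_TIME (30000 msec)
MAX_MULTICAST_SOLICIT = 3         # INCOMPLETE: up to 3 multicast NS, 1 s apart
MAX_UNICAST_SOLICIT = 3           # PROBE: up to 3 unicast NS, 1 s apart ("3x1 sec")
MIN_RANDOM_FACTOR, MAX_RANDOM_FACTOR = 0.5, 1.5


def reachable_time_ms(base_ms: int = BASE_REACHABLE_TIME_MS, rng=random.random) -> int:
    """ReachableTime = RANDOM(0.5 .. 1.5) * BASE_REACHABLE_TIME; `rng` is injectable for tests."""
    factor = MIN_RANDOM_FACTOR + rng() * (MAX_RANDOM_FACTOR - MIN_RANDOM_FACTOR)
    return int(factor * base_ms)


class NeighborEntry:
    """One neighbor cache entry. event() applies an event and returns the action taken."""

    def __init__(self):
        self.state = "NO_ENTRY"
        self.solicits = 0

    def event(self, ev: str) -> str:
        s = self.state
        if ev == "na_solicited":                  # NA with S=1 confirms reachability in any state
            self.state, self.solicits = "REACHABLE", 0
            return "confirmed: start ReachableTime timer"
        if ev == "ns_received":                   # an NS carries the sender's link-layer address
            if s == "NO_ENTRY":
                self.state = "STALE"
                return "cache populated without explicit request"
            return "no change"
        if ev == "ulp_confirm" and s != "NO_ENTRY":   # upper-layer progress (e.g. TCP ACK)
            self.state, self.solicits = "REACHABLE", 0
            return "upper-layer confirmation: refreshed without ND traffic"
        if ev == "send_packet":
            if s == "NO_ENTRY":
                self.state, self.solicits = "INCOMPLETE", 1
                return "queue packet, send multicast NS to solicited-node group"
            if s == "STALE":
                self.state = "DELAY"
                return "send packet, start DELAY_FIRST_PROBE_TIME (5 s)"
            return "send packet"
        if ev == "timer_expired":
            if s == "REACHABLE":
                self.state = "STALE"
                return "ReachableTime expired: entry kept as STALE (this is fine)"
            if s == "DELAY":
                self.state, self.solicits = "PROBE", 1
                return "no ULP confirmation: send unicast NS"
            if s in ("INCOMPLETE", "PROBE"):
                limit = MAX_MULTICAST_SOLICIT if s == "INCOMPLETE" else MAX_UNICAST_SOLICIT
                if self.solicits < limit:
                    self.solicits += 1
                    return f"retransmit NS ({self.solicits}/{limit})"
                self.state, self.solicits = "NO_ENTRY", 0
                return "resolution failed: entry deleted"
        return "no change"


def drive_entry(events) -> list:
    """Apply `events` to a fresh entry and return the state after each one."""
    entry = NeighborEntry()
    states = []
    for ev in events:
        entry.event(ev)
        states.append(entry.state)
    return states


if __name__ == "__main__":
    print(drive_entry(["send_packet", "na_solicited", "timer_expired", "send_packet",
                       "timer_expired", "timer_expired", "timer_expired", "timer_expired"]))
    print("ReachableTime sample:", reachable_time_ms(), "ms")
```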


Neighbor Table Maintenance

(Figure: Active and Standby gateways, each maintaining its own neighbor table)

Neighbor Table Maintenance Can Burden The CPU

(Figure: Active, Standby and Newly active gateways)

DC ND Tuning


• If FHRP is present or single gateway: increase reachable time
• Pre-populate and maintain the neighbor table
• Rate-limit the address resolution traffic
• Start with this configuration and adjust depending on the site
• Wrong values can impact the neighbor resolution times!

ipv6 nd cache expire 14400 refresh          ! expiry
ipv6 nd na glean
mls rate-limit unicast cef glean 1000 10    ! PPS, burst size. TEST!
ipv6 nd reachable-time 600000               ! 10 minutes (BASE_REACHABLE_TIME)


Ducks in a Row

• ND has more states than ARP

• Having “STALE” Neighbor Entry is ok!

• Even in a connected Nespresso machine

• Reachable interval is in milliseconds

• Remember when adjusting

• Adjust the Reachable timer up


Router Advertisements and Battery Life


The model of measurements

• Three levels:

• Device – level behavior

• Network-wide behavior

• Traffic on the network

• Power consumption ~ F(number of hosts on segment, network volatility)

• Two main sources of multicast traffic

• IPv6 Neighbor Discovery protocol

• Service Advertisements

• More information on the power consumption model from the author directly:

• http://tools.ietf.org/html/draft-desmouceaux-ipv6-mcast-wifi-power-usage-01

• Disclaimer: use this model as a guidance/basis only, verify your network telemetry!


Power Consumption On A Smartphone

(Figure: current draw I(t) over time on a smartphone: sleeping ≈ 10 mA, awake ≈ 40 mA, CPU awake ≈ 150 mA)


Experimental Measurements: Per Device

• When joining the network
  • At least 4 multicast packets issued (RS + 3 DAD)
  • Possibly more than 20 (MLD, mDNS)
• Once connected
  • ~0.021 packets/device/second


Data Analysis From A Real Network (~600 nodes)


• Arrival rates: exponential(λ)
• Connection durations: ?
• Model: power multiplier is K = 1 + (0.03 + 28/Tc)*N
• 27 nodes, 1 hour average connection time: K = 2 (!)
• Here 600 hosts: 1/λ = 6 s (small)!
• Average connection time = 55 min
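The model carried through numerically, as an added example rather than the author's own tooling. It reproduces the slide's K = 2 for 27 nodes at one hour, applies the same formula to the 600-host network, inverts it to size a segment for a target multiplier, and combines the per-device rates from the previous slide into a multicast packet rate; the inversion and the rate combination are my extensions of the stated numbers, and the disclaimer on the model slide applies to them too.

```python
import math

# Figures from the slides
PER_DEVICE_PKTS_PER_S = 0.021    # steady-state multicast packets per connected device per second
JOIN_PKTS_MIN = 4                # RS + 3 DAD NS when a device joins (often 20+ with MLD/mDNS)


def power_multiplier(n_hosts: int, tc_seconds: float) -> float:
    """Slide model: K = 1 + (0.03 + 28/Tc) * N, with Tc the mean connection time in seconds."""
    return 1 + (0.03 + 28 / tc_seconds) * n_hosts


def max_hosts_for_multiplier(k_target: float, tc_seconds: float) -> int:
    """Invert the model: largest N keeping K at or below k_target (constructed extension)."""
    return math.floor((k_target - 1) / (0.03 + 28 / tc_seconds))


def multicast_rate(n_hosts: int, arrival_interval_s: float, join_pkts: int = JOIN_PKTS_MIN) -> float:
    """Packets/s the radio must wake for: steady-state chatter plus join bursts every 1/λ seconds
    (constructed extension combining the per-device figures)."""
    return n_hosts * PER_DEVICE_PKTS_PER_S + join_pkts / arrival_interval_s


if __name__ == "__main__":
    print("27 nodes, Tc = 1 h      -> K =", round(power_multiplier(27, 3600), 2))
    print("600 nodes, Tc = 55 min -> K =", round(power_multiplier(600, 55 * 60), 1))
    print("hosts per segment for K <= 2 at Tc = 1 h:", max_hosts_for_multiplier(2, 3600))
    print("multicast pkt/s, 600 hosts, 1/λ = 6 s:", round(multicast_rate(600, 6), 1))
```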


Why Multicast Solicited RAs ?

RFC4861, 6.2.6. Processing Router Solicitations

In addition to sending periodic, unsolicited advertisements, a router sends advertisements in response to valid solicitations received on an advertising interface. A router MAY choose to unicast the response directly to the soliciting host's address (if the solicitation's source address is not the unspecified address), but the usual case is to multicast the response to the all-nodes group.


Tcpdump On A Host In A Large WiFi Network


WLC Sends RAs Reliably: Can Reduce Frequency!


APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341  IPv6 mc2uc Clients = 1
MGID = 8343  IPv6 mc2uc Clients = 1

APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
 History – Retry Pct: 0 0 0 0 Rate )500Kbps): 0 65535 65535
APc47a.fe34.1cc9#


RA throttle


IOS vs. NX-OS Default Solicited RA Behavior

• NX-OS sends unicast solicited RA packets

• Periodic RA still sent multicast as expected

• Easy (less need for RA throttle), but may be harder to debug (unicast vs. multicast)


IOS IPv6 ND RA suppress

• Periodic Router Advertisements: suppressed

• Solicited Router Advertisements: unicast

• Problem: with periodic RAs suppressed, the router lifetime (maximum 9000 sec) is only refreshed by a new solicitation, so the maximum connection time is limited to 9000 sec.


interface Vlan100
 ipv6 nd ra suppress


IOS Solicited RA Unicast: CSCul29450

• Periodic Router Advertisements sent as Multicast

• Solicited Router Advertisements sent as Unicast

• 15.4(03)S, 15.4(02)T01


interface Vlan100
 ipv6 nd ra solicited unicast


RFC7772: Do Not Send RA Too Frequently !


Ducks in a Row

• Router Advertisements require processing

• Do not blindly send them too frequently

• Router Solicitation triggers Router Advertisement

• Adjusting the interval alone is not enough

• There are many tools to control the RAs

• Send Solicited RA unicast

• RA Throttler

• Work in progress in the IETF to further improve this area


DAD (Duplicate Address Detection)

• Neighbor Solicitation from Unspecified ( :: ) address

• At least 1 second delay

• RFC4429 - Optimistic DAD

• No delay

• RFC7527 - Enhanced DAD

• Improved loopback detection

• Self-healing


IPv6 Host Attachment Procedure

(Figure: message sequence between the host, the router and the DHCPv6 server)

• IPv6 LL DAD NS – “Anyone with this addr?”
• Router Solicitation
• RtrAdv – “M” flag, “O” flag, “A” flag, Pref
• IPv6 g.a. DAD NS (SLAAC address)
• DHCPv6 inf req -> DHCPv6 reply (DNS)
• DHCPv6 req -> DHCPv6 reply (address)
• IPv6 g.a. DAD NS (DHCPv6 address)

Host Attachment In The Wild: Wireshark “Sniffer” Time!


Host State Post-Attachment


M-, O-, A- flags: (Too) Many To Choose From ?


https://tools.ietf.org/html/draft-ietf-v6ops-dhcpv6-slaac-problem

Host state | Input | Behavior
Host has not acquired any addresses | No RA | Some OS perform DHCPv6, some do not
Host has not acquired any addresses | RA with M=0, O=1 | Some OS acquire info only if A=1
Host has acquired DHCPv6 addresses (M=1, A=0) | RA with M=0 | Some OS release DHCPv6 addresses immediately, some not
Host has acquired SLAAC-only addresses (A=1, M=0) | RA with M=1 | Some OS acquire DHCPv6 address immediately, some not

(For your reference)


To SLAAC or not to SLAAC?

• Pros of using SLAAC
  • No need to do stateful DHCP
  • Wide device support (Android!)
  • “IPv6 way”
• Cons of using SLAAC
  • Some stacks (iOS) are very aggressive with temp. addresses
  • More volatility in the binding table/ND
  • Address tracing is harder

Question: Would you run both SLAAC and DHCPv6 and why?


SLAAC, Stationary Hosts, and Temporary Addresses


ayourtch@mcnano:~$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:1f13:62e:90f8:5341:15d:e733/64 scope global temporary dynamic
       valid_lft 601936sec preferred_lft 82936sec
    inet6 2001:470:1f13:62e:1d4d:4d2b:129e:13b8/64 scope global temporary deprecated dynamic
       valid_lft 516139sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:bc4e:defa:819f:fb40/64 scope global temporary deprecated dynamic
       valid_lft 430342sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:517:5a87:6d1c:618e/64 scope global temporary deprecated dynamic
       valid_lft 344544sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:1cd:10de:7ec0:889e/64 scope global temporary deprecated dynamic
       valid_lft 258747sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:11c9:c1a4:952c:d327/64 scope global temporary deprecated dynamic
       valid_lft 172949sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:59f5:704b:a59a:4f13/64 scope global temporary deprecated dynamic
       valid_lft 87151sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:6a5b:35ff:fed0:8d7c/64 scope global dynamic
       valid_lft forever preferred_lft 86307sec
    inet6 fe80::6a5b:35ff:fed0:8d7c/64 scope link
       valid_lft forever preferred_lft forever
ayourtch@mcnano:~$


To SLAAC or not to SLAAC ?


interface Vlan102
 ip address 10.2.1.1 255.255.255.0
 ipv6 address FE80::1 link-local
 ipv6 address 2001:db8::1/64
 ipv6 nd prefix default 86400 3600 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra mtu suppress
 ipv6 nd ra interval 300
 ipv6 dhcp server DUALSTACK
end
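What that configuration puts on the wire, as an added example for the "sniffer time" slides and the M/O/A table above; this is not code from the deck. It builds a Router Advertisement with the flags the Vlan102 config sets (M=1, O=1, high preference, prefix 2001:db8::/64 with A=0), parses it back field by field, and derives the nominal RFC 4861 host decision. The checksum is left at zero, the 900 s router lifetime (3x the 300 s interval, per the deck's rule of thumb) and the second, SLAAC-only RA are constructed, and the decision function encodes the standard reading only; the table above shows real operating systems diverge from it.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
PRF_NAMES = {0: "medium", 1: "high", 3: "low", 2: "reserved"}   # RFC 4191 Prf encoding


def build_ra(hop_limit, m, o, prf_bits, router_lifetime, reachable_ms, retrans_ms, prefixes):
    """Build an ICMPv6 RA. Checksum stays 0: it needs the IPv6 pseudo-header and is irrelevant to parsing."""
    flags = (0x80 if m else 0) | (0x40 if o else 0) | ((prf_bits & 0x3) << 3)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for prefix, plen, on_link, autonomous, valid, preferred in prefixes:
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, pflags, valid, preferred, 0,
                           ipaddress.IPv6Address(prefix).packed)
    return pkt


def parse_ra(pkt: bytes) -> dict:
    """Decode the fixed RA header and every Prefix Information Option; skip other options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "prf": PRF_NAMES[(flags >> 3) & 0x3], "router_lifetime": lifetime,
          "reachable_time_ms": reachable, "retrans_timer_ms": retrans, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("option length 0: RFC 4861 requires discarding the packet")
        body = pkt[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _, raw = struct.unpack("!BBIII16s", body[2:])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(raw)}/{plen}",
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen * 8
    return ra


def host_decision(ra: dict) -> dict:
    """Nominal RFC 4861 reading of the flags (real OS behaviour varies, see the table on the slide)."""
    return {"slaac": any(p["A"] for p in ra["prefixes"]),
            "dhcpv6": "stateful" if ra["M"] else ("stateless" if ra["O"] else None),
            "default_router": ra["router_lifetime"] > 0}


# Constructed RA matching the Vlan102 configuration: M=1, O=1, Prf=High (01), 2001:db8::/64 with A=0.
SAMPLE_RA = build_ra(hop_limit=64, m=True, o=True, prf_bits=1, router_lifetime=900,
                     reachable_ms=30000, retrans_ms=0,
                     prefixes=[("2001:db8::", 64, True, False, 86400, 3600)])
# Constructed SLAAC-only RA for contrast: M=0, O=0, prefix with A=1.
SLAAC_RA = build_ra(64, False, False, 0, 1800, 0, 0, [("2001:db8:1::", 64, True, True, 2592000, 604800)])

if __name__ == "__main__":
    for name, raw in (("Vlan102", SAMPLE_RA), ("SLAAC-only", SLAAC_RA)):
        ra = parse_ra(raw)
        print(name, ra)
        print("  host does:", host_decision(ra))
```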


MAC Address Randomization in Windows 10


https://www.ietf.org/proceedings/93/slides/slides-93-intarea-5.pdf


Quiz: “No valid route for destination” – why ?


R1#show run interface Gig0/1
Interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8::1/64
R1#
R1#ping 2001:db8::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8::2, timeout is 2 seconds:
% No valid route for destination
Success rate is 0 percent (0/1)

What’s the problem ?


Ducks in a Row

• Modern hosts implement optimizations

• Optimistic DAD

• Attempt to use old IPv6 address

• DHCPv6 – more “traditional”

• Allows the control of addresses (DUID may not be known in advance)

• DHCPv6-PD allows prefix allocation

• SLAAC

• Device-centric model

• Decentralized

• No influence over the Interface ID used by a host


Dualstack: Always remember both protocols


(Figure: what happens when the user types “example.com” and presses Enter)

1. A? “example.com” -> connect 192.0.43.10
2. AAAA? “example.com” -> connect 2001:500:88:200::10
3. GET / HTTP/1.1
   Host: example.com
4. Retrieve and display

The problem: RFC3484, if IPv6 connection fails

(Figure: timeline)

1. User: “example.com”
2. getaddrinfo(“example.com”)
3. Attempt IPv6 connect -> connection failure
4. Only then: attempt IPv4 connect

The IPv4 attempt starts only after the IPv6 attempt has failed, so the user waits for the whole IPv6 failure before anything works.


RFC6555: Happy Eyeballs: Success with Dual-Stack Hosts


Internet Engineering Task Force (IETF)                         D. Wing
Request for Comments: 6555                                A. Yourtchenko
Category: Standards Track                                          Cisco
ISSN: 2070-1721                                               April 2012

Happy Eyeballs: Success with Dual-Stack Hosts

Abstract

When a server's IPv4 path and protocol are working, but the server's IPv6 path and protocol are not working, a dual-stack client application experiences significant connection delay compared to an IPv4-only client. This is undesirable because it causes the dual-stack client to have a worse user experience. This document specifies requirements for algorithms that reduce this user-visible delay and provides an algorithm.


RFC6555 in a nutshell


(Figure: timeline)

1. User: “example.com”
2. Attempt IPv6 lookup and connect
3. ~300ms later, in parallel: attempt IPv4 lookup and connect
4. Retrieve and display over whichever connection succeeds first
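The two timelines side by side, as an added example that is not part of the deck: a simulated RFC 3484-style sequential connect next to a simplified RFC 6555 race with the ~300 ms head start from the slide. Nothing touches the network; the connect stand-in just sleeps and then succeeds or fails, the latencies are constructed, and the addresses are the example.com ones shown on the dual-stack slide. The head-start value, function names and scenario runner are my assumptions.

```python
import asyncio
import time

# Addresses shown on the dual-stack slide for example.com (used as labels only; no network I/O)
V6_ADDR = "2001:500:88:200::10"
V4_ADDR = "192.0.43.10"
HE_HEAD_START = 0.3   # ~300 ms head start for IPv6 before IPv4 is tried in parallel (slide)


async def simulated_connect(family, addr, latency, succeed):
    """Stand-in for a TCP connect: wait `latency` seconds, then succeed or raise."""
    await asyncio.sleep(latency)
    if not succeed:
        raise ConnectionError(f"{family} connect to {addr} failed")
    return family, addr


async def sequential_connect(v6, v4):
    """RFC 3484-style behaviour: IPv4 is tried only after IPv6 has definitively failed."""
    try:
        return await v6()
    except ConnectionError:
        return await v4()


async def happy_eyeballs(v6, v4, head_start=HE_HEAD_START):
    """RFC 6555 in a nutshell: start IPv6; if it has not succeeded within head_start, race IPv4 alongside."""
    v6_task = asyncio.ensure_future(v6())
    done, _ = await asyncio.wait({v6_task}, timeout=head_start)
    if v6_task in done and v6_task.exception() is None:
        return v6_task.result()
    pending = {asyncio.ensure_future(v4())}
    if not v6_task.done():
        pending.add(v6_task)
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:
                    other.cancel()        # the loser is abandoned, as RFC 6555 allows
                return task.result()
    raise ConnectionError("both address families failed")


def run_scenario(strategy, v6_latency, v6_ok, v4_latency=0.05, v4_ok=True):
    """Run one constructed scenario; return (winning family, elapsed seconds rounded to 0.1)."""
    v6 = lambda: simulated_connect("IPv6", V6_ADDR, v6_latency, v6_ok)
    v4 = lambda: simulated_connect("IPv4", V4_ADDR, v4_latency, v4_ok)
    start = time.monotonic()
    family, _ = asyncio.run(strategy(v6, v4))
    return family, round(time.monotonic() - start, 1)


if __name__ == "__main__":
    # IPv6 path broken (fails after 1 s), IPv4 fine: sequential waits ~1 s, Happy Eyeballs ~0.35 s
    print("sequential, v6 broken :", run_scenario(sequential_connect, 1.0, False))
    print("happy eyeballs, v6 broken:", run_scenario(happy_eyeballs, 1.0, False))
    # IPv6 works but is slow: IPv4 can still win the race (selection is not deterministic)
    print("happy eyeballs, v6 slow  :", run_scenario(happy_eyeballs, 1.0, True))
    print("happy eyeballs, v6 fast  :", run_scenario(happy_eyeballs, 0.05, True))
```

The third scenario is the "happy eyeballs, happy admin?" point from the next slide: a working but slow IPv6 path loses the race, so which family a client ends up on is not fixed, which is why testing against IPv4-only and IPv6-only hostnames is the reliable check.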


Happy eyeballs - happy admin ?

• Dualstack selection service may not be deterministic

• Add two hostnames, one IPv4-only and one IPv6-only – retest with them if in doubt.


dhcp-10-149-4-30:~ ayourtch$ host stdio.be
stdio.be has address 188.40.136.148
stdio.be has IPv6 address 2a01:4f8:101:3245::cafe
stdio.be mail is handled by 10 mail.stdio.be.
dhcp-10-149-4-30:~ ayourtch$ host ipv6.stdio.be
ipv6.stdio.be has IPv6 address 2a01:4f8:101:3245::cafe
dhcp-10-149-4-30:~ ayourtch$ host ipv4.stdio.be
ipv4.stdio.be has address 188.40.136.148
dhcp-10-149-4-30:~ ayourtch$


IPv6 troubleshooting for Helpdesks: http://isp.testipv6.com


https://www.ripe.net/ripe/groups/tf/bcop/ipv6-troubleshooting-for-residential-isp-helpdesks


Ducks in a Row

• Instrument for monitoring of both address families

• The good tooling and education are there

• There are established procedures for first-level troubleshooting

• Use Them!


Do they exist, IPv6-only clients ?


Picture: http://en.wikipedia.org/wiki/File:Oftheunicorn.jpg


Unicorns in the wild


Ron Broersma Sander Steffann


IPv6-only clients: yes, they do exist!


Picture source: http://en.wikipedia.org/wiki/Rhinoceros
Search: “deploy360 t-mobile case study”

http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/


Sebastien Marineau, VP of Core OS, Apple (June 2015):

“Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9.”


Mobile Provider Using IPv6 Only

• Legacy applications using embedded literals in their code

• RFC6877 464xLAT, “fixes” broken code for now

(Figure: 464XLAT path. On the handset, a Legacy Application and an Intelligent Application; the CLAT translates 4 -> 6; the carrier network is IPv6 only; the PLAT at the IPv6 edge translates 6 -> 4 towards IPv4 edge services on the Internet)


464XLAT: legacy apps "just work"


(Chart: IPv4 traffic vs IPv6 traffic)

https://developer.apple.com/support/ipv6/

“Starting June 1, 2016 all apps submitted to the App Store must support IPv6-only networking.”


Ducks in a Row

• Different OS use different approaches for legacy apps

• Higher-level API’s provide better coexistence support

• Any new applications MUST be designed with IPv6-only/NAT64 in mind


IPv6-only deployments: it's a reality

• IPV6-only clients

• T-Mobile USA

• http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

• Orange Poland

• https://www.youtube.com/watch?v=Y0G5PTtZjTM (Polish language)

• Telenor Norway (opt-in)

• http://blog.toreanderson.no/2015/09/20/ipv6-mobile-roaming-possible-or-not.html

• IPv6-only servers

• Redpill Linpro

• http://blog.ipspace.net/2012/05/ipv6-only-data-center-built-by-tore.html


Conclusions and Takeaways


• Main changes are at First Hop

• Prolonged use of dualstack introduces complexity

• Keep sunsetting IPv4 in mind from the start: IPv6-only is your goal

• IPv6-only requirements from endpoint vendors pave the way to future single-stack deployments

• Don’t panic!


Shameless self promotion of my own quotes - Nicole Wajer

"IPv6 is Internet broccoli. Good for us in the long run but no immediate sugar rush from deploying it"


Future IPv6 this week in Barcelona


More IPv6 Sessions

When | Session | Title
29 Jan 2019 / 14:15 | LABSPG-3122 | Advanced IPv6 Routing and services lab
29 Jan 2019 / 14:30 | BRKIP6-2616 | Beyond Dual-Stack: Using IPv6 like you’ve never imagined
30 Jan 2019 / 11:00 | BRKSPG-2602 | IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
30 Jan 2019 / 14:30 | BRKIP6-2301 | Intermediate - Enterprise IPv6 Deployment
31 Jan 2019 / 08:30 | BRKRST-3304 | Hitchhiker's Guide to Troubleshooting IPv6 - Advanced
31 Jan 2019 / 11:00 | BRKRST-2619 | IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6
31 Jan 2019 / 11:00 | BRKSEC-3200 | Advanced IPv6 Security Threats and Mitigation
31 Jan 2019 / 14:00 | LTRIPV-2494 | IPv6 Transformation Lab
31 Jan 2019 / 14:00 | LABSPG-3122 | Advanced IPv6 Routing and services lab
(no time given) | LABIPV-2261 | IPv6 planning, deployment and transition
(no time given) | LABCRS-1000 | Intro IPv6 Addressing and Routing Lab


Key Take Away

• Gain Operational Experience now

• IPv6, the time is now.

• Control IPv6 traffic as you would IPv4



Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Complete your online session survey


Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you

Backup/bonus slides


Nexus7000 not passing IPv6 traffic

• On M1, M2 and M3 modules, you must disable IGMP optimized multicast flooding (OMF) on all VLANs that require IPv6 multicast packet forwarding.

• On F2 modules, you must disable IGMP optimized multicast flooding (OMF) on all VLANs that require IPv6 packet forwarding (unicast or multicast). IPv6 neighbor discovery only functions in a VLAN with the OMF feature disabled.


• http://tinyurl.com/mld-nexus7K

no ip igmp snooping optimise-multicast-flood

http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/multicast/configuration/guide/b_multicast_chapter_0100.html#concept_4401AA5D7477469E9208FCE766906395


NDP Scaling Techniques

• ND cache sizing – ipv6 nd cache interface-limit
  • Need to account for link local addresses
• NUD Reachable Time: ipv6 nd reachable-time
  • Using a FHRP, move from 30 sec (default) to 10 minutes
• Scavenge and Refresh Timer: ipv6 nd cache expire
  • Using a FHRP, use refresh in conjunction with NA glean
• Unsolicited NA Glean: ipv6 nd na glean
  • Create neighbor entries from unsolicited NAs received
• Router Advertisements: ipv6 nd ra interval
  • IOS = 200 sec, NXOS = 600 sec
  • Router lifetime = 3x RA interval
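A sanity check for the RA timer relationships on this slide and the "9000 sec" limit from the RA suppress slide, written as an added example rather than anything Cisco ships. It applies the deck's "lifetime = 3x interval" rule, the RFC 4861 bounds on MaxRtrAdvInterval (4..1800 s) and AdvDefaultLifetime (0, or between the interval and 9000 s), and the default MinRtrAdvInterval of 0.33x the maximum, which is the lower edge of the jitter window shown in the RA maintenance figure. Function names and the wording of the findings are mine.

```python
MAX_ROUTER_LIFETIME_S = 9000                    # RFC 4861 ceiling (draft-ietf-6man-maxra proposes 65535)
DEFAULT_RA_INTER_S = {"IOS": 200, "NX-OS": 600}  # platform defaults from the slide


def router_lifetime_for(interval_s: int) -> int:
    """Slide rule of thumb and RFC 4861 default: router lifetime = 3 x MaxRtrAdvInterval."""
    return 3 * interval_s


def min_interval_for(max_interval_s: int) -> int:
    """RFC 4861 default MinRtrAdvInterval = 0.33 x MaxRtrAdvInterval, never below 3 s."""
    return max(3, int(0.33 * max_interval_s))


def check_ra_timers(interval_s: int, lifetime_s=None, periodic_suppressed: bool = False):
    """Return (effective lifetime, list of findings) for a proposed RA interval / router lifetime."""
    lifetime = router_lifetime_for(interval_s) if lifetime_s is None else lifetime_s
    findings = []
    if not 4 <= interval_s <= 1800:
        findings.append("MaxRtrAdvInterval must be 4..1800 s (RFC 4861 section 6.2.1)")
    if lifetime != 0 and not interval_s <= lifetime <= MAX_ROUTER_LIFETIME_S:
        findings.append(f"router lifetime must be 0 or between the RA interval and {MAX_ROUTER_LIFETIME_S} s")
    if periodic_suppressed and lifetime != 0:
        findings.append(f"periodic RAs suppressed: hosts keep this router at most {lifetime} s "
                        f"unless they send a new RS")
    return lifetime, findings


if __name__ == "__main__":
    for platform, interval in DEFAULT_RA_INTER_S.items():
        lifetime, findings = check_ra_timers(interval)
        print(f"{platform}: RA every {min_interval_for(interval)}..{interval} s, "
              f"lifetime {lifetime} s, findings: {findings or 'none'}")
    print(check_ra_timers(3600))                          # interval too long, lifetime over 9000
    print(check_ra_timers(200, periodic_suppressed=True))  # the "ipv6 nd ra suppress" situation
```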

WARNING: MUST USE WITH CAUTION

(For your reference)

Enhancements to Router Discovery/Maintenance

• draft-ietf-6man-maxra

• increase max router lifetime from 9000 to 65535

• draft-ietf-6man-rs-refresh-01

• client-initiated RA refresh

• RFC7559

• resilient (re)-transmission of initial RS


Troubleshooting Missing RA on WiFi


ND: Router Maintenance

(Figure: the router sends an RA every 200 sec +/- jitter; each IPv6 host's router lifetime counts down between RAs and is reset by each RA received)

Multicast multicast mode


Multicast CAPWAP packet


PIM SSM configuration


ip pim rp-address 172.16.10.50
ip pim ssm default
!
interface GigabitEthernet1
 ip address 172.17.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3


Output “show ip mroute” on the router


Outgoing interface flags: H - Hardware switched, A - Assert
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(172.17.1.20, 232.1.1.2), 00:12:36/00:02:23, flags: sTI
  Incoming interface: GigabitEthernet1, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1.118, Forward/Sparse, 00:12:36/00:02:23

(*, 224.0.1.40), 00:24:39/00:02:53, RP 172.16.10.50, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1, Forward/Sparse, 00:24:39/00:02:53


Multicast at a glance on the AP


APc47a.fe34.1cc9#show capwap mcast
CAPWAP MULTICAST
Multicast Group: 232.1.1.2, Source: 172.17.1.20
V1 Rpt Sent: 0; V2 Rpt Sent: 2
V3 Rpt Sent: 189; Leave Sent: 1
V1 Query Rcvd: 0; V2 Query Rcvd: 0
V3 Query Rcvd: 188; V1 Rpt Rcvd: 0
V2 Rpt Rcvd: 0; V3 Rpt Rcvd: 0
APc47a.fe34.1cc9#


Check Clients in Reliable Multicast Groups

APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341  IPv6 mc2uc Clients = 1
MGID = 8343  IPv6 mc2uc Clients = 1

APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
 History – Retry Pct: 0 0 0 0 Rate )500Kbps): 0 65535 65535
APc47a.fe34.1cc9#


Since WLC 8.0: Multicast Packet Counters


APc471.fe34.1cc9#show capwap mcast mgid id 8343
rx pkts = 4
tx packets:
wlan   :  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
slots0 :  0  8  0  0  0  0  0  0  0  0  0  0  0  0  0  0
slots1 :  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- SlotId: 0 WlanId: 1 --- Qos User Priority: 3 State: ADMITTED
 History - Retry Pct: 0 0 0 0 Rate (500 Kbps): 0 65535 65535 65535
Client: 14cf.923c.117c --- SlotId: 0 WlanId: 1 --- Qos User Priority: 3 State: ADMITTED
 History - Retry Pct: 0 0 0 0 Rate (500 Kbps): 0 65535 65535 65535
APc471.fe34.1cc9#

SUP720 TCAM Customization

C6500/C7600 SUP720 TCAM Customization

7600# show mls cef summary

Total routes:                 513525
IPv4 unicast routes:          513507
  IPv4 non-vrf routes:        513507
  IPv4 vrf routes:            0
IPv4 Multicast routes:        3
MPLS routes:                  1
IPv6 unicast routes:          5
  IPv6 non-vrf routes:        5
  IPv6 vrf routes:            0
IPv6 multicast routes:        3
EoM routes:                   1

7600#

Default is 512K IPv4 routes

C6500/C7600 SUP720 TCAM Customization

7600# show mls cef max
FIB TCAM maximum routes :
=======================
Current :
--------
IPv4 + MPLS         - 512k (default)
IPv6 + IP Multicast - 256k (default)

7600#

https://supportforums.cisco.com/discussion/11333356/cisco-7609-rsp720-3cxl-ge-mls-cef-maximum-routes

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

Changing the TCAM layout requires a reboot

Sup2T has a shared pool of TCAM for IPv4 and IPv6: no customization needed

mls cef maximum-routes ip 768

Not 1000! Leave some space for IPv6 routes!

IPv6 front-end for IPv4 servers with NetScaler

Netscaler: Need IPv6 Protocol Translation “on”

Backend services configuration: as usual

NetScaler VIP configuration

NetScaler: “Use Source IP” needs to be unchecked

Service Properties: “Use Source IP” Must Be Unchecked

It works!

Working captures from client side and server side

VIP Statistics

VIP statistics services

Nexus 1000V flow vPath

cdn-nexus1k-4# show vservice connection
Actions(Act):
 d - drop            s - reset
 p - permit          t - passthrough
 r - redirect        e - error
 n - not processed   upper case - offloaded
Flags:
 A - seen ack for syn/fin from src    a - seen ack for syn/fin from dst
 E - tcp conn established (SasA done)
 F - seen fin from src                f - seen fin from dst
 R - seen rst from src                r - seen rst from dst
 S - seen syn from src                s - seen syn from dst
 T - tcp conn torn down (FafA done)   x - IP-fragment connection

#Port-Profile:Access_vlan1353 Node:ns1000v
#Module 3
Proto SrcIP[:Port]        SAct DstIP[:Port]       DAct Flags Bytes
icmp  192.168.37.1             192.168.37.32      p          546
icmp  192.168.37.1             192.168.37.31      p          546
tcp   192.168.37.1:1805        192.168.37.32:80   p    E     1255
cdn-nexus1k-4#

NetScaler CLI outputs

> show ip
Ipaddress         TD  Type          Mode    Arp      Icmp     Vserver  State
---------         --  ----          ----    ---      ----     -------  -----
1) 10.48.62.6     0   NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2) 10.48.62.8     0   SNIP          Active  Enabled  Enabled  NA       Enabled
3) 192.168.37.1   0   SNIP          Active  Enabled  Enabled  NA       Enabled
4) 192.168.35.2   0   SNIP          Active  Enabled  Enabled  NA       Enabled
5) 192.168.35.20  0   VIP           Active  Enabled  Enabled  Enabled  Enabled
>

NetScaler CLI outputs

> show ip6
IPv6 Address                   TD  Vlan  Type  Scope       State
------------                   --  ----  ----  -----       -----
1) fe80::202:3dff:fe70:6605/64  0   1    NSIP  link-local  ACTIVE
2) 2001:db8:1::1/64             0   NA   SNIP  global      ACTIVE
3) 2001:db8:1::10/128           0   NA   VIP   global      ACTIVE
 Done
>

NetScaler CLI outputs

> show nd6
Neighbor                     MAC-Address(Vlan, Interface)   TD  State      TIME
--------                     ----------------------------   --  -----      --------
1) ::1                        00:02:3d:70:66:05(   1, LO/1)   0  REACHABLE  PERMANENT
2) fe80::202:3dff:fe70:6605   00:02:3d:70:66:05(   1, LO/1)   0  REACHABLE  PERMANENT
3) 2001:db8:1::1000           00:50:56:b8:9d:4d(1351, 1/1)    0  REACHABLE  00:00:21
4) fe80::38b8:1c9:2338:e677   00:50:56:b8:9d:4d(1351, 1/1)    0  STALE      00:04:39
 Done
>

NetScaler CLI outputs

> show lb vserver static_VIP_vlan_1351_v6
static_VIP_vlan_1351_v6 (2001:db8:1::10.80) - HTTP Type: ADDRESS
State: UP
Last state change was at Thu Jan 16 08:52:56 2014
Time since last state change: 0 days, 00:04:11.900
Effective State: UP
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: ENABLED
Port Rewrite : DISABLED
No. of Bound Services : 2 (Total) 2 (Active)
Configured Method: LEASTCONNECTION
Current Method: Round Robin, Reason: Bound service's state changed to UP
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
Push Multi Clients: NO
Push Label Rule: none
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
TD: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
DNS64 Synth: DISABLED
Bypass AAAA: NO

1) HTTP_vm-31 (192.168.37.31: 80) - HTTP State: UP Weight: 1
2) HTTP_vm-32 (192.168.37.32: 80) - HTTP State: UP Weight: 1

DHCPv6


• Defined in RFC3315

• Multiple enhancements/additions

• DHCPv6-PD, Stateless DHCPv6…

• Work In Progress: “draft-3315-bis”

• DHCPv6-PD (RFC3633)

• Stateless DHCPv6 extensions (RFC3736)

• Interaction between the mechanisms (RFC7550)

• https://tools.ietf.org/html/draft-ietf-dhc-rfc3315bis


Sniffer on Mobile devices

Capture Packets on iOS Devices

SLB setup

[Diagram: SLB with the IPv6 Internet and IPv4 Internet on the client leg, IPv4 back-end servers on the server leg]

MTU “impedance mismatch”

Client leg (IPv6): IPv6 hdr 40 bytes + TCP hdr 20 bytes + Data N bytes = MTU6
Server leg (IPv4): IPv4 hdr 20 bytes + TCP hdr 20 bytes + Data N bytes = MTU4

MTU4 = 20 + 20 + N
MTU6 = 40 + 20 + N
MTU6 = MTU4 + 20

SSL/TLS Offload and MTU

Client leg, IPv6 with TLS: IPv6 hdr 40 + TCP hdr 20 + TLS 21..35 + Data N bytes = MTU6tls
Server leg, IPv4 in the clear: IPv4 hdr 20 + TCP hdr 20 + Data N bytes = MTU4
Server leg, IPv4 with TLS: IPv4 hdr 20 + TCP hdr 20 + TLS 21..35 + Data N bytes = MTU4tls

MTU6tls = MTU4 + (41..55)
MTU4tls = MTU4 + (21..35)


RFC2460

“IPv6 requires that every link in the internet have an MTU of 1280 octets or greater. On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6.”

PMTUD: review of the mechanism

[Diagram: (1) Data sent; (2) ICMP PTB returned from the link with MTU=1280; (3), (4) Data resent within the discovered MTU]

“Naïve” PMTUD with SSL offload

[Diagram: (1) Data from the IPv6 client; (2) Data forwarded on the server leg after TLS termination; (3) ICMP PTB from the server leg, MTU here = 1280; (4) ICMP PTB relayed to the client; (5) Data; (6) TLS Data. Spot the problem!]

IPv4 has min MTU of 68, IPv6 has min MTU of 1280

PMTUD: Not New, But Well Forgotten

• Test with different client MTUs
  • 1280 (Minimal IPv6 MTU, set on some tunnels)
  • 1480 (IPv6-in-IPv4)
  • 1500 (standard Ethernet)
• Keep ICMPv6 in mind when designing the network
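The header arithmetic from the MTU slides and the “spot the problem” case, carried through as an added example (not code from the deck or from any Cisco product): what a TLS-offload front end would have to do with an ICMP PTB seen on its IPv4 server leg, and why a value below 1280 cannot simply be relayed to the IPv6 client. Function and field names are assumptions.

```python
"""Added example, not from the deck: translate an ICMP Packet Too Big seen on the
IPv4 (cleartext) server leg into the MTU an IPv6 TLS-offload front end may tell
its client, using the slides' header arithmetic (MTU6tls = MTU4 + (41..55))."""
from dataclasses import dataclass
from typing import List

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
TLS_OVERHEAD = range(21, 36)   # 21..35 bytes per TLS record on the slides
IPV4_MIN_MTU = 68
IPV6_MIN_MTU = 1280            # RFC 2460: every IPv6 link carries 1280 octets

@dataclass
class PtbTranslation:
    client_leg_mtu: int       # value the front end can advertise on the IPv6 leg
    server_leg_payload: int   # application bytes that fit one IPv4 server-leg packet
    must_resegment: bool      # True: the 1280 floor exceeds what the server leg carries

def client_leg_mtu(mtu4: int, tls_overhead: int) -> int:
    """Largest client-leg packet (IPv6 + TCP + TLS + data) whose data still fits
    one server-leg packet of mtu4 bytes (IPv4 + TCP + data): MTU4 + 20 + TLS."""
    if tls_overhead not in TLS_OVERHEAD:
        raise ValueError("TLS record overhead is 21..35 bytes")
    return mtu4 + (IPV6_HDR - IPV4_HDR) + tls_overhead

def translate_ptb(mtu4_from_ptb: int, tls_overhead: int) -> PtbTranslation:
    """What a non-naive proxy does with a server-leg PTB. A naive relay copies the
    value straight to the IPv6 client; below 1280 the client cannot honour it."""
    if mtu4_from_ptb < IPV4_MIN_MTU:
        raise ValueError("IPv4 PTB below the 68-byte minimum")
    payload = mtu4_from_ptb - IPV4_HDR - TCP_HDR
    wanted = client_leg_mtu(mtu4_from_ptb, tls_overhead)
    if wanted >= IPV6_MIN_MTU:
        return PtbTranslation(wanted, payload, False)
    # The IPv6 client keeps sending 1280-byte packets; their data no longer fits
    # the server leg, so the proxy (which terminates both TCP sessions) must cap
    # its own server-leg segments at `payload` bytes instead of relaying the PTB.
    return PtbTranslation(IPV6_MIN_MTU, payload, True)

def mtu_table(server_leg_mtus: List[int], tls_overhead: int) -> List[PtbTranslation]:
    """One row per server-leg MTU, e.g. the client MTUs the slide says to test."""
    return [translate_ptb(m, tls_overhead) for m in server_leg_mtus]

if __name__ == "__main__":
    for row in mtu_table([1500, 1480, 1280, 1200, 576], 21):
        print(row)
```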

NAT64 Setup

[Diagram: IPv6 client on the IPv6 Internet (client leg), NAT64 box, IPv4 back-end on the IPv4 Internet (server leg)]

1 (client leg, IPv6):
  s: [2607:f128:42:73::2]:37897
  d: [2610:d0:1208:cafe::72.163.4.161]:80

2 (NAT64 translation table):
  asr1knat64-xtr#sh nat64 trans
  tcp 72.163.4.161:80 [2610:d0:1208:cafe::48a3:4a1]:80 153.16.17.82:1056 [2607:f128:42:73::2]:37897

3 (server leg, IPv4):
  s: 153.17.16.82:1056
  d: 72.163.4.161:80

4 (server leg, return):
  s: 72.163.4.161:80
  d: 153.17.16.82:1056

5 (client leg, return):
  s: [2610:d0:1208:cafe::72.163.4.161]:80
  d: [2607:f128:42:73::2]:37897

Symptom: IPv6 clients cannot connect

%NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted

asr1knat64-xtr#show nat64 stat | beg Dynamic
Dynamic Mapping Statistics
 v6v4
  access-list NAT64 pool TEST refcount 2
   pool TEST:
    start 153.16.17.84 end 153.16.17.84
    total addresses 1, allocated 1 (100%)
    address exhaustion packet count 0
Limit Statistics
asr1knat64-xtr#

Verify the translation table

asr1knat64-xtr#show nat64 trans
Proto  Original IPv4  Translated IPv4
       Translated IPv6  Original IPv6
---------------------------------------------------------------
--- --- 153.16.17.84 2a01:4f8:101:3245::fafa
--- 192.0.2.2 2610:d0:1208:cafe::c000:202 153.16.17.84 2a01:4f8:101:3245::fafa
Total number of translations: 2
asr1knat64-xtr#

Problem: Address pool exhausted due to 1:1 NAT

[Diagram: IPv6 hosts on Gig0/0/0, IPv4 hosts on Gig0/0/1]

nat64 prefix stateful 2610:D0:1208:CAFE::/96
nat64 v4 pool TEST 153.16.17.84 153.16.17.84
nat64 v6v4 list NAT64 pool TEST overload
ipv6 access-list NAT64
 permit ipv6 any 2610:D0:1208:CAFE::/96

Solution: be more specific on the NAT[46]4 ACLs!

[Diagram: IPv6 hosts on Gig0/0/0, IPv4 hosts on Gig0/0/1]

ipv6 access-list NAT64
 no permit ipv6 any 2610:D0:1208:CAFE::/96
 permit tcp any 2610:D0:1208:CAFE::/96
 permit udp any 2610:D0:1208:CAFE::/96
 permit icmp any 2610:D0:1208:CAFE::/96

Verify the translation table

asr1knat64-xtr#clear nat64 trans all
asr1knat64-xtr#sh nat64 trans
Proto  Original IPv4  Translated IPv4
       Translated IPv6  Original IPv6
----------------------------------------------------------------
tcp 192.0.2.2:80 [2610:d0:1208:cafe::c000:202]:80 153.16.17.84:1024 [2a01:4f8:101:3245::cafe]:12345
udp 192.0.2.2:53 [2610:d0:1208:cafe::c000:202]:53 153.16.17.84:512 [2a01:4f8:101:3245::cafe]:53
Total number of translations: 2
asr1knat64-xtr#
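A toy model of the pool-exhaustion problem, its ACL fix and the verification above, as an added example that is not from the deck or from IOS: the prefix, pool and host addresses are the slides' values; the port-less ESP flow, the protocol set and the simplified binding rules are assumptions.

```python
"""Added example, not from the deck: toy stateful NAT64 with the slides' single-
address pool and port overload. A port-less flow admitted by 'permit ipv6 any'
pins the only address 1:1 so later flows fail; an ACL limited to tcp/udp/icmp
does not let that happen. ESP flow and binding rules are simplified assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NAT64_PREFIX = ipaddress.IPv6Network("2610:d0:1208:cafe::/96")   # from the slides
PORT_PROTOS = {"tcp", "udp", "icmp"}   # carry a port / ICMP id the NAT can overload on
ALLOC_FAIL = "%NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted"

@dataclass
class Packet:
    proto: str
    src6: str
    dst6: str
    sport: Optional[int] = None   # None for protocols without ports (e.g. ESP)

@dataclass
class Nat64:
    pool: List[str]
    acl_protos: Optional[Set[str]] = None   # None models 'permit ipv6 any <prefix>'
    pinned: Dict[str, str] = field(default_factory=dict)   # v4 -> src6, 1:1 bindings
    ports: Dict[tuple, Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _address_for(self, src6: str, pin: bool) -> Optional[str]:
        # A pool address may be used by its 1:1 owner or, while unowned, by anyone;
        # a port-less flow pins it, after which no other host can share it.
        for v4 in self.pool:
            owner = self.pinned.get(v4)
            if owner in (None, src6):
                if pin:
                    self.pinned[v4] = src6
                return v4
        return None

    def translate(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        permitted = self.acl_protos is None or pkt.proto in self.acl_protos
        if not permitted or ipaddress.IPv6Address(pkt.dst6) not in NAT64_PREFIX:
            return None                          # dropped before the translator
        overload = pkt.proto in PORT_PROTOS and pkt.sport is not None
        v4 = self._address_for(pkt.src6, pin=not overload)
        if v4 is None:
            self.log.append(ALLOC_FAIL)
            return None
        if not overload:
            return (v4, None)                    # whole address consumed 1:1
        key = (pkt.src6, pkt.proto, pkt.sport)
        if key not in self.ports:
            self.ports[key] = (v4, 1024 + len(self.ports))   # next free port
        return self.ports[key]

def scenario(acl_protos: Optional[Set[str]]):
    # Port-less ESP flow from host A, then TCP and UDP from host B, all towards
    # 192.0.2.2 embedded in the /96 (host addresses as on the slides).
    nat = Nat64(pool=["153.16.17.84"], acl_protos=acl_protos)
    dst = "2610:d0:1208:cafe::c000:202"
    flows = [Packet("esp", "2a01:4f8:101:3245::fafa", dst),
             Packet("tcp", "2a01:4f8:101:3245::cafe", dst, 12345),
             Packet("udp", "2a01:4f8:101:3245::cafe", dst, 53)]
    return [nat.translate(p) for p in flows], nat.log
```

`scenario(None)` reproduces the broken ACL (one 1:1 binding, then two allocation failures); `scenario({"tcp", "udp", "icmp"})` drops the ESP flow and gives both port-bearing flows a port on the single address.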

Happy Eyeballs (RFC6555)

• Chrome/Firefox: use the “backup thread” mechanism, 300ms delay

• iOS / Mac OS X: 25ms preference for IPv6; connect-by-name proprietary API; re-sorting by the order of received replies if using getaddrinfo()

• Windows 8: perform a connectivity check, and if it does not work, change the sorting order in the RFC3484 getaddrinfo() call to prefer IPv4, and cache the result.

• http://support.microsoft.com/kb/2750841

Testing Your Applications

Testing NAT64 client applications

http://docwiki.cisco.com/wiki/IPv6_only_setup_with_NAT64

ipv6 access-list NAT64
 permit tcp 2001:DB8::/64 64:FF9B::/64
 permit udp 2001:DB8::/64 64:FF9B::/64
 permit icmp 2001:DB8::/64 64:FF9B::/64
!
!
nat64 v4 pool NAT64-IPv4 192.0.2.1 192.0.2.1
nat64 v6v4 list NAT64 pool NAT64-IPv4 overload
!

Have A Mac (with 10.11) ? Have IPv6-Only Network!

Alt-Click

OS X El Capitan (10.11) as access gateway

IPv6-only deployments: it's a reality

• IPv6-only clients
  • T-Mobile USA
    • http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/
  • Orange Poland
    • https://www.youtube.com/watch?v=Y0G5PTtZjTM (Polish language)
  • Telenor Norway (opt-in)
    • http://blog.toreanderson.no/2015/09/20/ipv6-mobile-roaming-possible-or-not.html
• IPv6-only servers
  • Redpill Linpro
    • http://blog.ipspace.net/2012/05/ipv6-only-data-center-built-by-tore.html

IPv6-only: Not Just For Networking Geeks!


http://www.slideshare.net/yuyarin/janog37-ltcedecnet2015-en-57359924


NAT64 for an IPv6-only client

[Diagram: IPv6 traffic from the IPv6-only client enters the NAT64, where the IPv4 destination is mapped into the IPv6 /96 prefix and the client is given an address from the IPv4 pool for the IPv4 traffic]

IPv4-embedded syntax for IPv6

• 2001:db8:aaaa:aaaa::192.0.2.1

• 2001:db8:aaaa:aaaa::c000:201

DNS64 – Synthesize the addresses

[Diagram: an IPv6-only resolving host queries a dual-stack recursive resolver (DNS64), which queries the IPv4 authoritative name server and synthesizes the IPv6 answer]

IPv4-only Site Is Broken For NAT64+DNS64 Clients

• Beware IPv4 Literals!

Andrews-MacBook-Air:~ ayourtch$ curl -v http://cs.co/6011pZiX
* About to connect() to cs.co port 80 (#0)
*   Trying 67.192.93.178...
* connected
* Connected to cs.co (67.192.93.178) port 80 (#0)
> GET /6011pZiX HTTP/1.1
> User-Agent: curl/7.28.1
> Host: cs.co
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 07 Dec 2012 01:59:02 GMT
< Server: Apache/2.2.3 (Red Hat)
< Location: http://184.72.243.192//6011pZiX
< Keep-Alive: timeout=15, max=99
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 310
< Via: 1.1 ams3-dmz-wsa-1.cisco.com:80 (WSA/x)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://184.72.243.192//6011pZiX">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at cs.co Port 80</address>
</body></html>
* Connection #0 to host cs.co left intact

Location: http://184.72.243.192//6011pZiX

FQDN in Redirect NAT64+DNS64 Works!

Andrews-MacBook-Air:~ ayourtch$ curl -v http://cs.co/6011pZiX
* About to connect() to cs.co port 80 (#0)
*   Trying 67.192.93.178...
* connected
* Connected to cs.co (67.192.93.178) port 80 (#0)
> GET /6011pZiX HTTP/1.1
> User-Agent: curl/7.28.1
> Host: cs.co
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 08 Jan 2013 00:54:25 GMT
< Server: Apache/2.2.3 (Red Hat)
< Location: http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX
< Keep-Alive: timeout=15, max=99
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 338
< Via: 1.1 ams3-dmz-wsa-4.cisco.com:80 (WSA/x)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at cs.co Port 80</address>
</body></html>
* Connection #0 to host cs.co left intact
* Closing connection #0
Andrews-MacBook-Air:~ ayourtch$

Location: http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX
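DNS64 synthesis into a /96 prefix (the IPv4-embedded syntax slide) and the IPv4-literal check behind the two curl captures above, as an added example that is not from the deck: the zone records are constructed, 64:ff9b::/96 is the RFC 6052 well-known prefix, and the function names are assumptions.

```python
"""Added example, not from the deck: DNS64 AAAA synthesis for a /96 NAT64 prefix and
a check of why an IPv4 literal in a redirect breaks NAT64+DNS64 clients. Hostnames and
records below are constructed; the prefixes and the two Location targets are the
slides' values (64:ff9b::/96 is the RFC 6052 well-known prefix)."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit

def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052),
    so 2001:db8:aaaa:aaaa::192.0.2.1 and ...::c000:201 are the same address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this helper handles the /96 layout used on the slides")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def embedded_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """Reverse mapping the NAT64 applies on the server leg; None outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def dns64_answer(name: str, records: Dict[str, Dict[str, List[str]]], prefix: str) -> List[str]:
    """A DNS64 resolver hands back real AAAA records when they exist and only
    synthesizes from A records when the name is IPv4-only."""
    rr = records.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])
    return [synthesize_aaaa(prefix, a) for a in rr.get("A", [])]

def ipv6_only_target(url: str, records: Dict[str, Dict[str, List[str]]], prefix: str) -> Optional[str]:
    """Where an IPv6-only client would connect for url, or None when the host is an
    IPv4 literal: DNS64 never sees a literal, so there is nothing to synthesize."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.IPv4Address(host)
        return None                      # literal in the URL: unreachable via NAT64+DNS64
    except ValueError:
        pass                             # a hostname, resolve it through DNS64
    answers = dns64_answer(host, records, prefix)
    return answers[0] if answers else None

RECORDS = {  # constructed zone data for the demo (A record taken from the redirect target)
    "ec2-184-72-243-192.compute-1.amazonaws.com": {"A": ["184.72.243.192"]},
    "dualstack.example.net": {"A": ["192.0.2.7"], "AAAA": ["2001:db8::7"]},
}
```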

If IPv6 broken, 4... 21… 75... 189… seconds delay…

http://www.ietf.org/proceedings/80/slides/v6ops-11.pdf

Browser extensions: browser may cache documents

Free eBook: IPv6 for IPv4 Experts

• https://sites.google.com/site/yartikhiy/home/ipv6book