leander
Author Archives: leander
- Home → Author's archive:
leander
DHCPv6 and SLAAC
Lately, I've been playing around with DHCPv6 and SLAAC on my home network.
When configuring IPv6 addresses on the network interfaces there are three ways of doing this. We can use Stateless address autoconfiguration (SLAAC), DHCPv6 (statefull) or we can configure the address manually. SLAAC is by far the easiest way to configure IPv6 addresses, simply because you don't have to configure any IPv6 address. The way it works is that the router on your network will advertise the IPv6 prefix (/64) using multicast (remember that with IPv6 there is no such thing as broadcast). The host will receive/request this prefix advertisement and will auto generate the last 64 bits to make a fully working IPv6 address. When auto generating the address the host will use it's mac address (which is 48 bits) and insert "ff:fe" in the middle of it. This is also known as EUI-64. One drawback of EUI-64 is that you're trackable on the Internet because the mac address will normally not change when using the same host (e.g. laptop, smartphone, tablet, etc..). To overcome this issue SLAAC has been extended with something called Privacy Extensions. When this is enabled the host part (last 64 Continue reading
GRE Tunneling and Recursive Routing
When using a routing protocol over GRE tunnels you might end up learning the tunnel endpoint via the routing protocol. When the tunnel endpoint is preferred using the route learned from the routing protocol you end up with a flapping tunnel.
The router will detect this and generates a message:
%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
The easiest way to solve this is by using a static route to the tunnel endpoint.
If this is not allowed you can also use a prefix filter. This filter should block the advertisement of the tunnel endpoint prefix via the GRE tunnel. For example:
ip prefix-list FILTER_TUNNEL_ENDPOINT seq 5 deny 150.1.10.0/24
ip prefix-list FILTER_TUNNEL_ENDPOINT seq 10 permit 0.0.0.0/0 le 32
This will match the tunnel endpoint address (150.1.10.0/24), but allow the other prefixes.
Use this prefix-list to filter the outgoing advertisements on the tunnel interface.
router rip
distribute-list prefix FILTER_TUNNEL_ENDPOINT out Tunnel1
Local Policy Routing
To use policy routing for locally generated packets use the statement in global config:
ip local policy route-map <route-map>
Reliable Policy Routing
Reliable Policy Routing can be configured by using the "set ip next-hop verify-availability" statement in a route-map. There are two ways to verify the availability of the next-hop. One way is to use CDP. The other way is to use a tracked object (e.g. IP SLA).
Verify availability of next-hop using CDP:
route-map PBR_FROM_R3 permit 10
match ip address FROM_R3_TO_R4
set ip next-hop 155.1.0.5
set ip next-hop verify-availability
set ip default next-hop 155.1.146.4
Verify availability using a tracked object:
route-map PBR_FROM_R3 permit 20
match ip address FROM_R3_TO_R5
set ip next-hop verify-availability 155.1.146.4 1 track 1
set ip default next-hop 155.1.0.5
Policy Routing
Create one or more access-lists that specify what traffic should use policy routing.
ip access-list extended FROM_R4
permit ip host 155.1.146.4 any
ip access-list extended FROM_R6
permit ip host 155.1.146.6 any
Then create a route-map that will match the defined access-lists and specify an action.
route-map PBR permit 10
match ip address FROM_R4
set ip next-hop 155.1.13.3
route-map PBR permit 20
match ip address FROM_R6
set ip next-hop 155.1.0.5
route-map PBR permit 30
# will match any other traffic
Tie the route-map to an interface to enable policy routing.
interface FastEthernet0/0
ip policy route-map PBR
Usefull debug commands:
#debug ip policy
IP SLA & Enhanced object tracking
Create a SLA object to schedule a ping test
ip sla 1
icmp-echo <ip address>
frequency <in seconds>
ip sla schedule 1 life forever start-time now
Enable Enhanced Object tracking on the SLA
track 1 ip sla 1 reachability
Tie the tracked object to a static route
ip route 150.1.1.0 255.255.255.0 155.1.146.1 track 1
As soon as the ping test fails the static route will be removed from the routing table.
When there is another static route with a higher Administrative Distance this route will be injected into the routing table.
Once the ping test is successfull again the original static route will be injected again.
Usefull show commands:
#sh track 1
Track 1
IP SLA 1 reachability
Reachability is Up
3 changes, last change 00:21:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
#sh ip sla statistics 1
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Type of operation: icmp-echo
Latest RTT: 1 milliseconds
Latest operation start time: *20:39:26.283 UTC Wed Jul 13 2011
Latest operation return code: OK
Number of successes: 417
Number of failures: 13
Operation time to live: Forever
Usefull debug commands:
#debug track
#debug ip routing
CCIE Home Lab inventory
For reference here is the complete list of Cisco devices, including RAM, Flash, installed modules and IOS versions that I’ve used to build my home lab.
| Device | Platform | RAM | Flash | Modules | IOS |
|---|---|---|---|---|---|
| SW1 | WS-C3560-24TS | 128MB | 32MB | n/a | c3560-advipservicesk9-mz.122-44.SE.bin |
| SW2 | WS-C3550-24 | 64MB | 16MB | n/a | c3550-ipservicesk9-mz.122-25.sec2.bin |
| SW3 | WS-C3550-24 | 64MB | 16MB | n/a | c3550-ipservicesk9-mz.122-25.sec2.bin |
| SW4 | WS-C3550-48 | 64MB | 16MB | n/a | c3550-ipservicesk9-mz.122-25.sec2.bin |
| R1 | 2610XM | 128MB | 32MB | WIC-2T= | c2600-adventerprisek9-mz.124-25d.bin |
| R2 | 2610XM | 128MB | 32MB | WIC-2T= | c2600-adventerprisek9-mz.124-25d.bin |
| R3 | 2651XM | 160MB | 32MB | 2x WIC-2T= | c2600-adventerprisek9-mz.124-25d.bin |
| R4 | 2801 | 256MB | 64MB | WIC-2T= | c2801-adventerprisek9-mz.124-24.T4.bin |
| R5 | 1841 | 384MB | 128MB | WIC-2T= | c1841-adventerprisek9-mz.124-24.T4.bin |
| R6 | 2691 | 256MB | 64MB | WIC-2T= | c2691-adventerprisek9-mz.124-15.T14.bin |
| R7 | 3725 | 256MB | 128MB | 2x WIC-1T=, NM-2FE2W-V2= | c3725-adventerprisek9-mz.124-15.T14.bin |
| BB1 | 2522 | 16MB | 16MB | n/a | c2500-is-l.122-15.T17.bin |
| BB2 | 2520 | 16MB | 16MB | n/a | c2500-is-l.122-15.T17.bin |
| BB3 | 2520 | 16MB | 16MB | n/a | c2500-is-l.122-15.T17.bin |
| CON | 2610 | 64MB | 16MB | NM-16A=, WIC-1T= | c2600-ik9o3s3-mz.123-26.bin |
Building the lab – part 2
With all the equipment in the rack it is time to connect everything together. I’ve used a total of 11 back-to-back serial, 12 router-to-switch ethernet and 18 switch-to-switch ethernet connections. All together that makes almost a spaghetti of cabling 
CCIE Home Lab cabling
But with some Rip-Tie strap cable I could organize the cabling in a pretty decent way. Below is the end result, without the console connections.
CCIE Lab Rack
Building the lab – part 1
I finally have all the equipment I need to build the lab. I also managed to get a Skeletek C24U rack, and it looks really nice. The fun already starts with assembling the rack as it comes in a relatively small box, including 6 pieces and a whole bunch of nuts and bolts.
Skeletek C24U
After 45 minutes or so the rack is fully assembled and ready to rack the first pieces of Cisco gear.
Assembled Skeletek Rack
After about two hours later I also racked all the Cisco equipment I have into the rack, including two PDU’s for some power juice.
Skeletek CCIE Home Lab Rack
Next step will be to put all the cabling in place. And hopefully the two octal cables (cab-octal-async) I ordered will arrive shortly, so I can also connect all the console outputs to the terminal server/router.
Lab almost complete
I’ve almost acquired all equipment that I need to build my CCIE home lab. I only have to pickup a 3725 router and a 2610.
Looks pretty impressive if you ask me
