Friday, October 9, 2015

Forming EIGRP adjacency with secondary IP addresses!

IS THIS POSSIBLE?!


Per Cisco...

"Routers do not form EIGRP neighbors over secondary networks."

Here's a quick dirty little test..using the following topology:


They are all connected via their respective f0/0 interfaces.  

R1 and R2 have primary and secondary IP addresses in the 10.0.118.0/24 and 10.0.117.0/24 subnets, respectively.  The last octet is their router number (R1 is 10.0.118.1/24).  

R3 and R4 have only primary IP addresses in the 10.0.117.0/24 subnet, with the last octet being their respective router numbers (R3 is 10.0.117.3/24).



Now, I've enabled router EIGRP instance 100 on all available interfaces (network 0.0.0.0).  What do we expect to happen?  Will R1 and R2 use their secondary IP addresses to form an adjacency with R3 and R4, who ONLY have IP addresses in the 10.0.117.0/24 subnet?



Hmm.....R4 is barking at us..Why?




EIGRP sources hello messages from ONLY the primary interface IP address!  If you were to get a packet capture between R2 and R4, you'd see that the hello message used to initiate EIGRP adjacency would be sourced from 10.0.118.2/24.  

Can we trick EIGRP into using the secondary IP address by modifying our EIGRP network statement?  What if on R2 we were to use "network 10.0.117.2 0.0.0.0" instead of "network 0.0.0.0?" 



No bueno!



By using the "network 10.0.117.2 0.0.0.0" statement, we've essentially enabled EIGRP on the interface that has an IP address of 10.0.117.2/24.  BUT the hello message is STILL sourced from the primary IP address of that interface!!

Is this an issue?  Well..everyone's favorite answer: "It depends."  It depends on the design that has been implemented.

HOLD THE PHONE YES YOU CAN!...kind of!

If you have the same topology as previously mentioned, let's switch around the interface configs a bit:

R1#
interface FastEthernet0/0
ip address 10.150.116.3 255.255.255.0
duplex full
 
R2#
interface FastEthernet0/0
ip address 10.150.117.3 255.255.255.0
duplex full
 
R3#
interface FastEthernet0/0
ip address 10.150.118.3 255.255.255.0
duplex full
 
We will obviously still see failures after we modify the EIGRP network statements (different subnets).

But what if we configure the following secondary IP addresses:

R1 has 2 secondary IP addresses (one in the 117 and one in the 118 subnet).
R2 has 2 secondary IP addresses (one in the 116 and one in the 119 subnet).
R3 has 2 secondary IP addresses (one in the 116 and one in the 119 subnet).

What do we expect to see?

(Hint) R1 forms adjacency with R2 and R3 even though the interface primary IP addresses are different!  R1 sends hellos to R2 and R3 with the source of 10.150.116.3.  R2 and R3 receive these hellos and recognize that they share that subnet through a secondary IP address on the interface.  R2 and R3 send hellos to R1 using the primary IP address of the interface (10.150.117.3 and 10.150.118.3, respectively).  R1 receives these hellos and recognizes that each source falls in a subnet it shares on the same interface, through its different secondary IP addresses!

But that is where it stops.  R2 and R3 will NOT form an adjacency with one another.  Why?  Well, they do not have a primary, or secondary IP address that shares the same subnet as the received hello.

For example, R2 sends a hello to R3 with a source IP address of 10.150.117.3.  R3 looks this up, realizes it does not have an IP address that shares this subnet, and will begin to present the message "Blocked: Not on common subnet."  The same will happen with R3's hellos to R2.  In this scenario, R2 and R3 can pass traffic..but it will need to traverse R1 to do so.  They will not form a direct EIGRP adjacency with one another.
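The rule both labs demonstrate, as an added example that is not part of the original post: a simplified Python model (not IOS behaviour in full) in which a hello is always sourced from the sender's primary address and the receiver accepts it only if that source falls in one of its own primary or secondary subnets. The host octets of the secondary addresses in the second lab are constructed, since the post only names their subnets.

```python
import ipaddress
from itertools import combinations

def iface(primary, *secondary):
    """Addresses on one interface: the primary first, then any secondaries."""
    return [ipaddress.ip_interface(a) for a in (primary, *secondary)]

def accepts_hello(receiver, sender):
    """The hello's source is the sender's PRIMARY address; the receiver needs
    a primary or secondary subnet that contains it."""
    src = sender[0].ip
    return any(src in addr.network for addr in receiver)

def adjacencies(routers):
    """Pairs where each side accepts the other's hello."""
    return {(a, b) for a, b in combinations(sorted(routers), 2)
            if accepts_hello(routers[a], routers[b])
            and accepts_hello(routers[b], routers[a])}

def complaints(routers):
    """(receiver, sender) pairs where the receiver sees 'not on common subnet'."""
    return {(r, s) for r in routers for s in routers
            if r != s and not accepts_hello(routers[r], routers[s])}

# First lab: addresses as given in the post.
LAB1 = {
    "R1": iface("10.0.118.1/24", "10.0.117.1/24"),
    "R2": iface("10.0.118.2/24", "10.0.117.2/24"),
    "R3": iface("10.0.117.3/24"),
    "R4": iface("10.0.117.4/24"),
}
# Second lab: primaries from the post, secondary host octets constructed.
LAB2 = {
    "R1": iface("10.150.116.3/24", "10.150.117.1/24", "10.150.118.1/24"),
    "R2": iface("10.150.117.3/24", "10.150.116.2/24", "10.150.119.2/24"),
    "R3": iface("10.150.118.3/24", "10.150.116.4/24", "10.150.119.4/24"),
}

if __name__ == "__main__":
    for name, lab in (("lab 1", LAB1), ("lab 2", LAB2)):
        print(name, "adjacencies:", sorted(adjacencies(lab)))
        print(name, "complaints: ", sorted(complaints(lab)))
```

In the first lab only R3 and R4 complain, because R1 and R2 can match the 10.0.117.x sources against their secondary subnet while the reverse check fails.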

  


Thursday, October 1, 2015

Getting my home 2811 ready for IPv6...finally!

IT'S ABOUT TIME I KNOW.

Ok.  Now that we've determined that I'm a lazy-ass..let's get started.

First things first...we need to get IPv6 enabled globally:



That was easy!  Now we need to get an IPv6 address from my ISP..and hopefully a block.  I've HEARD that you can get a /60 from Comcast.  Why is this significant?

For simplicity and route summarisation purposes...the longest subnet prefix length is /64.  That means if we were to get a /64 from Comcast...we'd be limited to only a single subnet.  If we get....a /60, for example..then we'd have 4 bits (one hexadecimal digit) to play with!  That means 16 /64 subnets....each with 18,446,744,073,709,551,616 addresses..or a total of 2.9514791e+20.  Just barely enough for my home network!

So now to get an IPv6 address to peer with Comcast.  Since I have no idea what to use..I obviously can't use a static..so I need to get one from them..via DHCP.

Problem is.."ipv6 address dhcp" is not even an option on my current version of code.  Assuming this to be a code issue...I upgraded from 12.4 to 15.1(4).  After a quick reboot I verified..voila!  The command is available!

But we want to influence the carrier to give us something other than a /64 prefix...how can we approach this?  IPv6 has something called "prefix-delegation" to simplify delegation of prefixes from a delegating router (Comcast) to requesting routers (My 2811).  Comcast will support a /60..should the device on the other end be "smart" enough to request one (via PD!).  By using the command "ipv6 dhcp client pd hint ::/60" we can let Comcast know that we're ready to receive a /60..should they be willing!  We can then assign a name to whatever prefix they are kind enough to give out...so should it change..we can dynamically change the configuration on our 2811 to match it!  While we could assign this statically....we may find ourselves in a situation where the prefix has changed and our addresses no longer work.

Here is the config I currently have on my WAN interface:






Note: In addition to the commands I reviewed...I ALSO have "ipv6 address autoconfig default" enabled.  All this does is install a default route (::/0) to the link-local address of my ISP.  I could have done this statically...but for residential purposes (I don't own anything IP/IPv6 wise)..I'd rather it happen dynamically.















Let's do some verification!


Awesome!  We got an IPv6 address from Comcast!  Can we ping the other side?



Awesome!  Let's see if we got a prefix from Comcast!






This gives us a bunch of sexy information!

1.  We see the hint we sent them (::/60)
2.  We see that Comcast has granted us the prefix 2601:282:4100:A2B0::/60!
3.  We see the prefix name "COMCAST" is associated with the /60 they gave us.






Now to try and use this /60 they gave us...I intend to carve out the 2601:282:4100:A2B0::/60 into 16 /64 prefixes:

2601:0282:4100:a2b0:0000:0000:0000:0000/64
2601:0282:4100:a2b1:0000:0000:0000:0000/64
2601:0282:4100:a2b2:0000:0000:0000:0000/64
2601:0282:4100:a2b3:0000:0000:0000:0000/64
2601:0282:4100:a2b4:0000:0000:0000:0000/64
2601:0282:4100:a2b5:0000:0000:0000:0000/64
2601:0282:4100:a2b6:0000:0000:0000:0000/64
2601:0282:4100:a2b7:0000:0000:0000:0000/64
2601:0282:4100:a2b8:0000:0000:0000:0000/64
2601:0282:4100:a2b9:0000:0000:0000:0000/64
2601:0282:4100:a2ba:0000:0000:0000:0000/64
2601:0282:4100:a2bb:0000:0000:0000:0000/64
2601:0282:4100:a2bc:0000:0000:0000:0000/64
2601:0282:4100:a2bd:0000:0000:0000:0000/64
2601:0282:4100:a2be:0000:0000:0000:0000/64
2601:0282:4100:a2bf:0000:0000:0000:0000/64

As I said before...this MAY change, so we want to build out our config to allow this.




By using the syntax "ipv6 address COMCAST ::1/64," we're telling the SVI to use the address 2601:0282:4100:a2b0::1/64.












As you could probably see in the config, I've also told our SVI to act as DHCP server.  I created a DHCP pool called "COMCASTPOOL" to do one thing: Assign DNS to connecting hosts.






Furthermore, I've enabled IPv6 with the "ipv6 enable" command.

The hosts connected to this VLAN will get their prefix information from the network.  They will then use their MAC addresses to automagically create an IPv6 address.


You'll note that this host has an IP address with the same prefix as the SVI (2601:282:4100:A2B0::/64) and a gateway of the link-local address of the SVI (FE80::21E:F7FF:FE9E:6C98).

Also, the DNS servers I configured in my DHCP pool are available!

Yay!  But what if we want a second subnet?

The syntax I used on the second SVI was similar: "ipv6 address COMCAST ::1:0:0:0:1/64"  This should make the 4th 16-bit segment "A2B1."


Yayyy!
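How the named prefix and the two SVI suffixes combine, as an added example that is not part of the original post: a Python model (an approximation of the behaviour described above, not IOS code) that carves the /60 into /64s, merges the delegated prefix with an interface suffix, and derives an EUI-64 link-local address. The MAC address is an assumption obtained by reversing the SVI link-local address shown above, and the 2001:db8 prefix is a constructed stand-in for a changed delegation.

```python
import ipaddress

def carve(delegated: str, new_len: int = 64):
    """Every /new_len subnet inside the delegated prefix, in order."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=new_len))

def combine(delegated: str, suffix: str) -> ipaddress.IPv6Interface:
    """Model of 'ipv6 address COMCAST <suffix>': the delegated prefix supplies
    the leading bits, the suffix supplies every bit after them."""
    net = ipaddress.IPv6Network(delegated)
    want = ipaddress.IPv6Interface(suffix)
    plen = want.network.prefixlen
    if plen < net.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    low_bits = (1 << (128 - net.prefixlen)) - 1
    addr = int(net.network_address) | (int(want.ip) & low_bits)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/{plen}")

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: flip the universal/local bit of the first octet and
    insert ff:fe between the two halves of the MAC."""
    b = bytearray.fromhex(mac.replace(":", ""))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

PD = "2601:282:4100:A2B0::/60"      # prefix from the post
RENUMBERED = "2001:db8:0:10::/60"   # constructed: a different delegation
SVI_MAC = "00:1e:f7:9e:6c:98"       # assumed, reversed from the link-local

if __name__ == "__main__":
    print(len(carve(PD)), "subnets, last:", carve(PD)[-1])
    for suffix in ("::1/64", "::1:0:0:0:1/64"):
        print(suffix, "->", combine(PD, suffix), "|", combine(RENUMBERED, suffix))
    print("link-local:", eui64_link_local(SVI_MAC))
```

The same two suffixes land in the first and second /64 of whichever /60 is delegated, which is why the interface configuration does not need to change when the prefix does.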




One last helpful command (in my opinion)

This will show us the prefix we received...and where it is applied (on the 2 SVIs)!



Now let's see if this is working!





Testing using the site test-ipv6.com








Testing with Google




Testing with Facebook






Cool!