SixXS::Sunset 2017-06-06

Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 13:35:59
Ok, I've got my ipv6 static tunnel all set up and running, and my NAT router (cisco 837) is advertising my ipv6 subnet fine to my hosts. Now, I've actually got a setup where I have more than one network behind the NAT router, but not directly connected to the router. Here's a diagram:

Internet -> Cisco 837 (192.168.0.1) -> DMZ network (192.168.0.0/24) -> central router (linuxbox) -> core networks (192.168.1.0/24, 192.168.2.0/24 etc).

Therefore, any host on a core network has to hop over the linuxbox router through to the cisco 837 and then out to the internet. Any box in the DMZ has good ipv6 access, their default router is the cisco and they pick up their addresses fine. However, I'd like for the core network hosts to also be able to get ipv6 addresses and access.

I realise that this might just be a case of splitting my subnet up into smaller subnets and assigning them to the appropriate routers and setting up the appropriate routes, but how do I decide how to split the subnet up? How would I configure the advertisement daemons appropriately? Thanks :)
Subnetting ipv6?
[ch] Jeroen Massar SixXS Staff on Saturday, 14 April 2007 15:19:53
What about reading the FAQ ?
Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 16:05:23
See, I read the FAQ, and just wanted clarification that I was doing the right thing. I have 2001:770:161::/48, so I'm guessing I need to split that into three separate /64s, one for each network...? I suppose I could just fiddle around until I find something that works.
Subnetting ipv6?
[ch] Jeroen Massar SixXS Staff on Saturday, 14 April 2007 16:35:39
Aha. Misunderstood your question. Well, let's write this out, I'll add this in the FAQ in a few, as I guess it might be handy for others: IPv6 is 128 bits, the IPv6 address is written down by grouping these bits into 16-bit groups of numbers in hexadecimal notation. We thus get 8 of these 16-bit groups. This all looks a bit like:

  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8   = 8 * 16 bit group = 128 bits
  16|  32|  48|  64| EUI-64 interface    = grouped per 16 bits
    |    |    |    |    |    |    |
    |    | 1  |    |   2|    |    | 3
1234|5678|9012|3456|7890|1234|5678|9012  = 32 * 4 bit = 128bits
    |    |    |    |    |    |    |
200....................................  = 2000::/3               = IPv6 Global Unicast
2001:0db8..............................  = 2001:db8::/32          = IPv6 Documentation Prefix, the LIR block
2001:0db8:0161:........................  = 2001:db8:161::/48      = Site
2001:0db8:0161:0000:...................  = 2001:db8:161::/64      = Subnet 0
2001:0db8:0161:0001:...................  = 2001:db8:161:1::/64    = Subnet 1
2001:0db8:0161:1234:...................  = 2001:db8:161:1234::/64 = Subnet 4660
2001:0db8:0161:ffff:...................  = 2001:db8:161:ffff::/64 = Subnet 65535

Thus to answer your question, per subnet you use a /64 and you can pick any of them from the above 65536 Subnets. aka you can have 65k ethernets or wireless networks in a single site.

Generally the first 32 bits indicate which ISP the block belongs to, the ones who delegate the prefix to others. The first 48 bits define a "site", a single location between administrative borders. Bits 48 - 64 can be used inside each site for defining 65536 subnets inside a site. Note that a site might get a /32-48 from a RIR directly or from their ISP.

Do also note that nobody owns these blocks of addresses, sites have them on loan from their ISP (actually LIR, Local Internet Registry) and LIRs in return have them on loan from the RIRs (Regional Internet Registries) who in turn have them on loan from IANA, who do 'own' them.
Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 18:36:31
Thanks for that, I understand a bit better now. So, I believe I'm assigned 2001:770:161::/48 from SixXS. My cisco router is then advertising 2001:770:161::/64, which is the same as 2001:770:161:0:/64? All of my clients' addresses look like 2001:770:161:0:x:x:x:x. Similarly, as routing goes, the cisco router believes that 2001:770:161::/64 is directly connected, which is true.

Now, I've a number of issues when it comes to my other (linux) router to my other network. Say I want my other network to be 2001:770:161:1:/64. I've statically assigned 2001:770:161:1:a:a:a:6 (bear with me) to the right interface on the router, but for some strange reason, the interface facing the cisco router refuses to pick up an autoconfigured address. If I set a static address (2001:770:161:0:a:a:a:6), the cisco router can't find it. So something's being weird there.

However, I'm assuming that once I can get that working, I'd just need to tell the cisco to route 2001:770:161:1/64 to whatever ip address the linux router has, and to tell the linux router to route everything ipv6 that isn't local to the cisco router.

I just checked the cisco, and it claims to have an address of 2001:770:161:: - Surely that's a subnet address rather than an actual address (which would be 2001:770:161:::::1)? So I'm still a bit confused about how a router can hold an address which isn't a host address, but a network address.
Subnetting ipv6?
[ch] Jeroen Massar SixXS Staff on Saturday, 14 April 2007 19:01:04
> My cisco router is then advertising 2001:770:161::/64, which is the same as 2001:770:161:0:/64?

Yes, the same as 2001:770:161:0::/64 (mind the double colon at the end ;) Routers do not per default accept Router Advertisements. Linux even disables it on some kernel versions.

> ... I'd just need to tell the cisco to route 2001:770:161:1/64 ...

Correct, routers have to be statically configured. So set a static /64 on the interface and all should be fine.

> I just checked the cisco, and it claims to have an address of 2001:770:161:: - Surely that's a subnet address rather than an actual address (which would be 2001:770:161:::::1)?

Show the command and the output you are using, can't tell much otherwise. If you mean really "2001:770:161::", that is correct. That is the subnet anycast address and a router will have that for itself. This is the reason why /127's can't work, unless one hardcodes two /128 routes.
Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 19:13:17
Ok, I'll have to figure out the autoconfigure thing at a later date. For the moment, I've changed the static address of the linux router on the cisco side to 2001:770:161:0:0:0:0:6 (abbreviates to 2001:770:161::6?). Now, I can ping other hosts in the dmz, and get a reply from them. This makes sense as the route for 2001:770:161:: is out to ethernet0.2 (where it should be). However, if I try and ping the cisco router (from the linux router), I get the following:

PING 2001:770:161::(2001:770:161::) 56 data bytes
64 bytes from 2001:770:161::6: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 2001:770:161::6: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 2001:770:161::6: icmp_seq=3 ttl=64 time=0.028 ms

Now, clearly, that's just a reply from the local router itself, rather than the cisco router. I have no idea why this is. Looking at the routing table, there's an unreachable default route to lo, so I figure it's this doing the replying. Here's the two static routes I've got set up on the cisco:

ipv6 route 2001:770:161:1::/64 2001:770:161::6
ipv6 route 2000::/3 2001:770:100:C1::1

So, to summarise:
1) Cisco router can't ping linux router
2) Linux router gets reply from itself when it tries to ping cisco router
3) linux router can see dmz hosts.
4) linux router can't ping internet ipv6 hosts (unreachable network).
Subnetting ipv6?
[ch] Jeroen Massar SixXS Staff on Saturday, 14 April 2007 19:34:12
Show the full ip address dumps and routing tables on the components involved. Also try traceroutes etc. Never use '2001:770:161::' as it is local to that router, thus if you have two routers in the same /64, both will have XXXX::/64 as a local IP address.
Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 20:27:22
I'm starting to think that it is a linux autoconfig problem, as all problems seem to stem from the fact that the linux router can't communicate with the cisco router. Also, I'm running things on VLANs, hence the eth0.2, eth0.3 etc. Suffice to say, eth0.2 is the DMZ which the cisco router is connected to (Ethernet 0), and eth0.3 and eth0.4 are two core networks. eth0 actually isn't connected to anything, so ignore that.

Your comment about both routers having 2001:770:161::/64 as the local ip address, are you suggesting that I set the dmz interface of the linux router ip to just be 2001:770:161::/64? If so, how do I tell the cisco router to route 2001:770:161:1::/64 through to that router if it's just got the same ip address?

This is going to be long:

cisco 837 router:

sh ipv6 route
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   2000::/3 [1/0]
     via 2001:770:100:C1::1
C   2001:770:100:C1::/64 [0/0]
     via ::, Tunnel0
L   2001:770:100:C1::2/128 [0/0]
     via ::, Tunnel0
C   2001:770:161::/64 [0/0]
     via ::, Ethernet0
L   2001:770:161::/128 [0/0]
     via ::, Ethernet0
S   2001:770:161:1::/64 [1/0]
     via 2001:770:161::6
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

sh ipv6 interface ethernet 0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FEE2:F851
  Global unicast address(es):
    2001:770:161::, subnet is 2001:770:161::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:0
    FF02::1:FFE2:F851
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 60 seconds
  ND router advertisements live for 180 seconds
  Hosts use stateless autoconfig for addresses.

interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 ipv6 address 2001:770:161::/64
 ipv6 enable
 ipv6 nd ra-interval 60
 ipv6 nd ra-lifetime 180
 ipv6 nd prefix 2001:770:161::/64 360 60
 no cdp enable
 hold-queue 100 out
end

linux router (Ubuntu 6.10):

ip -6 route show
2001:770:161::/64 dev eth0.2 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
2001:770:161:1::/64 dev eth0.3 metric 256 expires 21328595sec mtu 1500 advmss 1440 hoplimit 4294967295
2001:770:161:2::/64 dev eth0.4 metric 256 expires 21328596sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0.2 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0.3 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0.4 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0.2 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0.3 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0.4 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 expires 21328565sec mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo proto none metric -1 error -101 hoplimit 255

ip -6 addr
1: lo: <LOOPBACK,UP,10000> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 100
    inet6 fe80::20d:60ff:fe77:85e9/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
    inet6 2001:770:161::6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:60ff:fe77:85e9/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.3@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
    inet6 2001:770:161:1:a:a:a:6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:60ff:fe77:85e9/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.4@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
    inet6 2001:770:161:2:a:a:a:6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:60ff:fe77:85e9/64 scope link
       valid_lft forever preferred_lft forever

Subnetting ipv6?
[ch] Jeroen Massar SixXS Staff on Saturday, 14 April 2007 20:56:02
> I'm starting to think that it is a linux autoconfig problem,

As you are talking about 'routers' and especially forwarding traffic, autoconfig is not enabled on those interfaces. As such autoconfig has nothing to do with this problem.

> Your comment about both routers having 2001:770:161::/64 as the local ip address, are you suggesting that I set the dmz interface of the linux router ip to just be 2001:770:161::/64

No, au contraire. I mean that you always should use different addresses than that. Commonly people tend to use ::1 for the outbound link (closest to the internet) and ::2 for the inner link. Looking at your outputs you definitely have to configure a 2001:770:161::1/64 on the Cisco, then 2001:770:161::2/64, or the ::6 that you use now, on the Linux machine. This will enable them to chat with each other. Then a static route for the other subnet from the Cisco to the Linux box and you are done.
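
Added example (not part of the original thread and not SixXS code): a Python sketch that numbers /64 subnets inside a /48 as in the diagram earlier in the thread, and audits a two-router address plan for the fault diagnosed above, a router interface or next hop set to the all-zeros subnet-router anycast address. The 2001:db8:161::/48 documentation prefix, the router names, the second Cisco route and the Linux default route are constructed assumptions.

```python
import ipaddress

SITE = ipaddress.ip_network("2001:db8:161::/48")  # documentation prefix, constructed

def subnet(site, index):
    """Return /64 number `index` inside `site` (0..65535 for a /48)."""
    if site.prefixlen > 64 or not 0 <= index < 1 << (64 - site.prefixlen):
        raise ValueError(f"subnet {index} does not fit in {site}")
    return ipaddress.ip_network((int(site.network_address) + (index << 64), 64))

def audit(interfaces, routes):
    """interfaces: {router: ["addr/len", ...]}; routes: [(router, prefix, next_hop)].
    Returns a list of findings; an empty list means no problem was detected."""
    parsed = {r: [ipaddress.ip_interface(a) for a in addrs]
              for r, addrs in interfaces.items()}
    findings = []
    for router, ifaces in parsed.items():
        for iface in ifaces:
            # Interface ID of all zeros is the subnet-router anycast address:
            # every router on the link answers to it, so it identifies none.
            if iface.ip == iface.network.network_address:
                findings.append(f"{router}: {iface} is the subnet-router anycast address")
    for router, prefix, next_hop in routes:
        hop = ipaddress.ip_address(next_hop)
        if any(i.ip == hop for i in parsed[router]):
            findings.append(f"{router}: route {prefix} points at its own address")
        elif not any(hop in i.network for i in parsed[router]):
            findings.append(f"{router}: next hop {hop} is not on a connected link")
        elif any(hop == i.network.network_address for i in parsed[router]):
            findings.append(f"{router}: next hop {hop} is an anycast address")
    return findings

# Constructed plans. The linux default route is a hypothetical addition.
LINUX = ["2001:db8:161::6/64", "2001:db8:161:1:a:a:a:6/64", "2001:db8:161:2:a:a:a:6/64"]
BEFORE = ({"cisco": ["2001:db8:161::/64"], "linux": LINUX},
          [("cisco", subnet(SITE, 1), "2001:db8:161::6"),
           ("linux", "::/0", "2001:db8:161::")])
AFTER = ({"cisco": ["2001:db8:161::1/64"], "linux": LINUX},
         [("cisco", subnet(SITE, 1), "2001:db8:161::6"),
          ("cisco", subnet(SITE, 2), "2001:db8:161::6"),
          ("linux", "::/0", "2001:db8:161::1")])

if __name__ == "__main__":
    print(subnet(SITE, 0x1234))            # subnet 4660 from the diagram
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(*plan) or "no findings")
```
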
Subnetting ipv6?
[gb] Shadow Hawkins on Saturday, 14 April 2007 21:11:44
It's coming together, I can ping the cisco router and the ipv6 internet from the linux router now - I can't ping the linux router from the cisco router though for some reason. I'm thinking it's just a few routing issues now - I'll double check and make sure everything's set up correctly.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker