Let’s keep going and finish IPv6 introduction.

Multicast

A multicast address identifies a group of interfaces. Traffic, that is sent to a multicast address, is sent to multiple destinations at the same time. An interface may belong to any number of multicast groups. Multicast addresses are defined by the prefix FF00::/8.

The second octet defines the flags and the scope of the multicast address. Flags can be defined as:

• 0 is reserved and must equal 0
• R indicates rendezvous point and is almost always set to 0
• P indicates prefix dependency and is almost always set to 0
• T is the temporary bit. For a temporary multicast address T equals 1; for a permanent multicast address T equals 0.

Scope can be defined as:

• 1 – interface-local, for the scope of the interface (loopback transmission)
• 2 – link-local, for the link scope
• 3 – subnet-local, for the subnet-local scope (subnet can span multiple links)
• 4 – admin-local, for the administrative-local scope (administratively configured)
• 5 – site-local, for the site scope
• 8 – organization, for the organizational scope (multiple sites)
• E – global, for the global scope

The multicast addresses FF00:: to FF0F:: are reserved. Inside this range, the following addresses are assigned:

Anycast

An IPv6 anycast address is assigned to an interface on more than one node. Packet sent to an anycast address is routed to the nearest interface that has that address. The nearest interface is found according to the measure of distance of the routing protocol. For IPv6, anycast is defined as a way to send a packet to the nearest interface, that is a member of the anycast group. Anycast addresses are allocated from the unicast address space, so they are indistinguishable from the regular unicast address space.

To start using IPv6 in our labs, I decided to prepare a short introduction of it. As it is a broad topic I had to split it into several parts. Let’s start from the beginning.

Short IPv6 history

First IPv6 protocol specification was introduced in late 1995 in RFC1883, so it was 18 years ago! About one year later 6bone network was started as a virtual network over the IPv4-based Internet (using IPv6 over IPv4 tunneling). The mission of the 6bone was to establish the IPv6 environment for testing purposes.  In 1999 IPv6 Forum was founded and registries started assigning IPv6 prefixes to ISPs. In 2000, many vendors began to bundle IPv6 into their mainstream product lines. 2009 – first serious IPv4 address shortage in developed countries.

What about IPv5?

IPv5 was an experimental Resource Reservation Protocol, intended to provide QoS for multimedia and defined as the Internet Stream Protocol version 2 (ST2). It was designed to coexist with IPv4 and use the same addressing scheme, not as a replacement of IPv4. ST2 was designed to coexist with IPv4 on each node. The main role of the ST2 was to transfer a real-time multimedia, where IPv4 could be used for the transfer of traditional data and control information. ST2 is described in RFC1819.

IPv6 benefits

There are several features, that make it attractive, for building global-scale networks:

• Larger address space. IPv6 address is 128-bit, 4 times larger than IPv4. It allows to address ~3,4*10³⁸ nodes. It gives 340282366920938463463374607431768211456 possible addressable nodes.
• Global reachability. IPv6 enables to use of a global and reachable address for almost every kind of device, such as computers, IP phones, tablets, PDAs, TVs, vehicles.
• Autoconfiguration. Enables “plug-and-play”. IPv6 host can autoconfigure itself with a complete 128-bit globally unique address.
• Simpler header and simpler processing in hardware. Half of the previous IPv4 header fields were removed. All IPv6 header fields are aligned to 64 bits, which allows easier storage and access in memory.
• End-to-end security. IPsec is mandatory in IPv6, every node will have IPsec enabled.
• Mobility built in IPv6.

IPv6 address formats

IPv6 addresses are represented as a series of eight 16-bit hexadecimal fields, that are separated by colons:

X:X:X:X:X:X:X:X, where X is a 16-bits hexadecimal field, for example:

2013:AB10:010F:0001:0000:0000:0000:FFFF

Leading zeros in a field are optional. Successive fields of zeros can be represented as a double colon (::), but this can be used only once in an address. Using these techniques, IPv6 addresses can be very small. Our address mentioned above, can be written as:

2013:AB10:10F:1::FFFF

Other examples of IPv6 addressess:

FF02:0000:0000:0000:0000:0000:0000:0001 can be represented as FF02::1
0000:0000:0000:0000:0000:0000:0000:0000 can be represented as ::

IPv6 address types

There are three main types of addresses supported by IPv6:

• Unicast

1. Global unicast
2. Link-local
3. Unique local
4. Special-purpose: Unspecified, Loopback, IPv4-mapped

• Multicast
• Anycast

There is no broadcast address, in the way, it is used in IPv4. Its function is superseded by multicast addresses.

IPv6 global unicast address

Global unicast address space corresponds to the principal use of IPv6 addresses, for generic global IPv6 traffic. These addresses can be allocated by registries only from the range of addresses, that start with binary value 001 (2000::/3). The structure of this address is as follows:

• A global routing prefix assigned to a site, typically /48
• A subnet identifier, used to identify links within a site, typically 16-bit long
• A 64-bit interface identifier

Example of a global unicast address:

2013:AB01:0000:0000:DC10:B210:5C13:4512 or simply 2013:AB01::DC10:B210:5C13:4512

For more information about IPv6 global unicast addresses see RFC3587, IPv6 Global Unicast Address Format.

IPv6 link-local address

IPv6 link local address must be assigned to every IPv6 enabled interface. The scope of this address is limited to the link. Link-local addresses are automatically created, using a specific prefix, FE80::/10 and a 64-bit interface identifier. This type of IPv6 address can be used to connect devices on the same link or local network, where global or unique local addressing is not a requirement. Routing protocols use this address type as a next-hop address.

Example of a link-local address:

FE80::215:60FF:FE00:F126

IPv6 unique local address

Local unicast addresses are defined in RFC4193, Unique Local IPv6 Unicast Addresses. Prefixes start with FC00::/7, where:

• FC00::/8 is planned to be globally managed
• FD00::/8 can be assigned locally by administrator (L bit set to 1)

Unique local address space has a local site scope. It can be used by organizations that prefer a concept of private address space for internal communication. Unique local address space can be used independently of any provider-based IPv6 unicast address allocation.

40-bit global ID field is a pseudo-random and must not be assigned sequentially or with well-known numbers. It gives an assurance that any network numbered, using such a prefix, is highly unlikely to have that address space clash with any other network, that has another locally assigned prefix, allocated to it. This is particularly useful in case of network merge, because allows sites to be combined, without creating any address conflicts or renumbering of interfaces.

Special purpose addresses

Loopback

The loopback address identifies a local interface in the IP stack. It is the IPv6 equivalent of the IPv4 127.0.0.1 loopback. In IPv6 world the address is 0:0:0:0:0:0:0:1, or simply ::1

Unspecified address

This address is used, when no address is available, for example it can be used as a source address, when a host requests an address to a DHCP server. This address is 0:0:0:0:0:0:0:0, or simply “::”.  It indicates the absence of an address and must not be used as a destination address.

Next time I will try describe multicast and anycast IPv6 addressing concepts.

Do you have any experience in the IPv6 implementation? Would you like to express your opinion? Feel invited to comment.

If you don’t want to miss a new post, join our Facebook community or click “Sign me up!” button on the blog.

Let’s assume that you have U2000 NMS server to monitor Huawei devices. We can manage these devices in 2 ways: outband or inband management. Outband management means that you have a separate DCN network to manage devices. It is commonly used for critical nodes, for example for backbone routers. Unlike to backbone network, it is difficult to implement DCN for mobile backhaul networks, where the number of devices reaches hundreds or even thousands. In such situation inband management is implemented to reduce cost. Then the decision how to send SNMP packets to the NMS server is based on routing protocols. The packets travel through the monitored network and are susceptible to all turbulences, which can appear in the network. This may lead to the fact that some SNMP packets may be lost by the network.

Let’s imagine such case. A link between a router and NMS is “DOWN”. No redundant link is established. The router sends SNMP trap to the NMS server but the server is not available. The SNMP packet is lost. Then the link is going to “UP” state and the router send SNMP trap to U2000. This trap is then dropped by U2000 because there is not related “DOWN” trap, which was lost before.

And what’s next?

U2000 synchronizes alarms with devices every 30 minutes and NMS server receives “DOWN” trap from the router, which was lost earlier. As the clearing trap was dropped, this “DOWN” alarm will not be cleared anymore. Then we have “DOWN” hanging (not cleared) alarm in U2000.

How to cope with this problem?

The first solution is to implement inform mode for SNMP packets:

snmp-agent target-host inform …

Managed devices require an acknowledgement from the NM server, after sending inform packets. If a managed device does not receive the acknowledgement, it will resend the inform packet to the NM station and generate alarm logs. If the managed device does not receive an acknowledgement from the NM station, it will store the inform packets in its memory. Anyway using inform mode may consume lots of system resources.

The next solution is to configure private-netmanager option to trap mode:

snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | { public-net | vpn-instance vpn-instance-name } ] * params securityname security-string [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile profile-name | private-netmanager | ext-vb ] *

When a Huawei NMS is deployed and this parameter is configured, a trap message, sent to the NMS, contains more information, such as the trap type, sequence of the trap, and sending time.
In such situation, even U2000 receives a trap from synchronization, it will compare the sequence of the trap and sending time. Then we avoid problems of not cleared alarms in network management system. We have implemented such solution in our customer’s network and it works really fine.

Our blog topics touched access lists ACLs, used on Huawei devices. We talked about ACLs in traffic policies, ACLs and their matching order, ACLs in PBR and so on and so forth.

As ACLs are widely used, I decided to prepare a simple cheat sheet, that describes three kinds of ACLs (the most often used) and their usage scenarios.

Additionally a new page has been opened. I will upload new cheat sheets there, when they are ready.

Have a suggestion for a cheat sheet? Create your own? Let us know in comments.

We have to remember that traffic policy consists of 3 parts:

• Classifier
• Behavior
• Traffic-policy

In brief, to configure a traffic policy:

• define traffic class
• define action to be applied to the traffic class
• associate traffic classifiers and behaviors
• apply the traffic policy to an interface.

Let’s start from ACL.

We have possibility to configure many rules in an ACL. If the ACL is specified in if-match clause, then a packet is matched against multiple rules. If the packet matches a rule in the ACL, then it stops checking against the next rules.

• In a case of DENY action in the ACL, the matched packet is denied, regardless of what traffic behavior defines.
• When PERMIT action is defined in the ACL, then traffic behavior is applied to the matched packet.

Let’s focus on if-match clauses now and matching order between them.

We have 2 possibilities to configure a traffic classifier:

• With logic OR relationship between multiple matching rules
• With logic AND relationship between multiple matching rules.

In the flowchart you can see traffic policy implementation with logic OR:

Notice that traffic behavior is applied for the packets that match any one of the if-match clauses. In this situation, packet is matched against If-match clauses, in the order of the If-match clauses configuration. This kind of traffic classifier is commonly used.

In logic AND implementation, the device combines all if-match clauses and then processes the combination of if-match clauses according to the procedure of logic OR. If one of the if-match clauses is applied with ACL, each rule of the ACL is combined with all of the other if-match clauses. In this situation, the order of if-match clauses does not impact on the final matching result.

As you know, one or more classifiers and behaviors can be configured in a traffic policy. A packet is matched against traffic classifiers in the order, in which those classifiers have been configured. If the packet matches a traffic classifier, no further match operation is performed. If not, the packet is matched against the following traffic classifiers one by one. If the packet does not match traffic classifiers at all, the packet is forwarded with no traffic policy executed.

Anyway, the order of traffic classifier can be changed by the following command:

classifier classifier-name behavior behavior-name precedence precedence

Let’s try to configure a traffic policy as follows:

• packets coming from source IP address 10.1.1.0/24, with DSCP 18, are then remarked as AF31
• packets coming from source IP address 172.16.1.0/24, with DSCP 18, are discarded
• other packets are forwarded directly.

#
acl number 3000  
 rule 5 permit ip source 10.1.1.0 0.0.0.255 dscp af21 
 rule 10 deny ip source 172.16.1.0 0.0.0.255 dscp af21 
#
traffic classifier labnario operator or
 if-match acl 3000
#
traffic behavior labnario
 remark dscp af31
#
traffic policy labnario
 classifier labnario behavior labnario
#
interface GigabitEthernet0/0/0
 traffic-policy labnario inbound

I have a home task for you. Try to configure the same policy but using logic AND. Your traffic policy must do the same like the one configured.

Unfortunately, awards are not provided 😉

I will publish the solution soon on Facebook.

All comments (solutions) are welcome.