Thursday , September 19 2024

Huawei eNSP – news

And we have 2014 …

I hope you are doing well.

First of all, I’d like to thank you for your comments and suggestions. I don’t always have time to respond to all your emails or comments, but believe me that all are appreciated. I maintain this blog after work, and with 2 small absorbing children it is not easy to reply to all your emails or even prepare a new post. I’ll do my best to publish new interesting and informative articles in the new year.

I believe that this year will be better for all of us.

So, let’s start 2014 with a new Huawei eNSP release:


Huawei simulator eNSP – news


hub&spoke in BGP/MPLS VPN

Some time ago we talked about a basic configuration of BGP/MPLS VPNs. Let’s go on with hub&spoke networking today. Such a solution can be adopted to control mutual access between users when an access control device is set. In this case no direct route exists between spoke sites. A spoke site advertises routes to the hub site, and the hub site then advertises the routes to the other spoke sites. Thus, communication between spoke sites is controlled by the hub site.

Let’s look at our topology:

MPLS L3VPN hub and spoke topology

 

Configuration roadmap:

  1. Configure IP addresses (omitted here).
  2. Configure IGP protocol between PE routers (omitted here).
  3. Configure MPLS and LDP on PE routers (omitted here).
  4. Configure MP-BGP relationship between spoke PEs and hub PE (omitted here).
  5. Create VPN instance on spoke PEs and set different vpn-targets for export and import.
  6. Create two VPN instances on hub PE.
  7. Configure static routes between spoke PEs and spoke CEs.
  8. Configure EBGP between hub PE and hub CE (the hub PE must be configured to permit the existence of repeated local AS numbers).

Create VPN instance on spoke PEs:

spoke_PE1
#
ip vpn-instance labnario
 ipv4-family
  route-distinguisher 500:1
  vpn-target 200:1 export-extcommunity
  vpn-target 300:1 import-extcommunity
#
interface GigabitEthernet0/0/0
 ip binding vpn-instance labnario
 ip address 110.1.1.2 255.255.255.0

spoke_PE2
#
ip vpn-instance labnario
 ipv4-family
  route-distinguisher 500:2
  vpn-target 200:1 export-extcommunity
  vpn-target 300:1 import-extcommunity
#
interface GigabitEthernet0/0/0
 ip binding vpn-instance labnario
 ip address 120.1.1.2 255.255.255.0

Create VPN instances on hub PE:

#
ip vpn-instance labnario_in
 ipv4-family
  route-distinguisher 500:500
  vpn-target 200:1 import-extcommunity
#
ip vpn-instance labnario_out
 ipv4-family
  route-distinguisher 500:510
  vpn-target 300:1 export-extcommunity
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance labnario_in
 ip address 150.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance labnario_out
 ip address 150.2.2.1 255.255.255.0

The configuration of VPN targets on the PEs must comply with the following rules:

  • The export target of a spoke PE must be equal to the import target of the hub PE. The import target of a spoke PE must be equal to the export target of the hub PE. The import route target of a spoke PE must be different from the export route targets of the other spoke PEs.
  • A hub PE requires two interfaces or sub-interfaces. One receives routes from the spoke PEs, and the import target of the VPN instance on that interface is the spoke target. The other advertises the routes to the spoke PEs, and the export target of the VPN instance on that interface is the hub target.
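The rules above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not part of the original post: it parses vpn-target lines in the style shown here and reports spokes that would bypass the hub. The sample configs are constructed, and spoke_PE3 is a hypothetical misconfigured spoke.

```python
import re

# Constructed samples in the page's style; spoke_PE3 is a hypothetical bad spoke.
CONFIGS = {
    "spoke_PE1": """
ip vpn-instance labnario
 ipv4-family
  vpn-target 200:1 export-extcommunity
  vpn-target 300:1 import-extcommunity
""",
    "spoke_PE3": """
ip vpn-instance labnario
 ipv4-family
  vpn-target 200:1 export-extcommunity
  vpn-target 300:1 200:1 import-extcommunity
""",
    "hub_PE": """
ip vpn-instance labnario_in
 ipv4-family
  vpn-target 200:1 import-extcommunity
ip vpn-instance labnario_out
 ipv4-family
  vpn-target 300:1 export-extcommunity
""",
}
RT_LINE = re.compile(r"^\s*vpn-target\s+(.+?)\s+(export|import)-extcommunity\s*$", re.M)

def targets(config):
    """Return {'export': set, 'import': set} over all VPN instances in a config."""
    out = {"export": set(), "import": set()}
    for rts, direction in RT_LINE.findall(config):
        out[direction].update(rts.split())
    return out

def audit(configs, hub="hub_PE"):
    """List violations of the hub-and-spoke vpn-target rules."""
    rt = {name: targets(text) for name, text in configs.items()}
    spokes = [n for n in rt if n != hub]
    findings = []
    for s in spokes:
        if not rt[s]["export"] <= rt[hub]["import"]:
            findings.append(f"{s}: export target not imported by hub")
        if not rt[s]["import"] <= rt[hub]["export"]:
            findings.append(f"{s}: imports a target the hub does not export")
        for other in spokes:
            leak = rt[s]["import"] & rt[other]["export"] if other != s else set()
            if leak:
                findings.append(f"{s}: imports {sorted(leak)} exported by {other}")
    return findings
```

Running `audit(CONFIGS)` reports two findings for spoke_PE3 and none for spoke_PE1; a spoke that imports another spoke's export target can learn its routes without passing the access control device at the hub site.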

Configure static routes between spoke PEs and spoke CEs:

[spoke_PE1]ip route-static vpn-instance labnario 1.1.1.1 255.255.255.255 110.1.1.1
[spoke_PE2]ip route-static vpn-instance labnario 2.2.2.2 255.255.255.255 120.1.1.1

Configure EBGP between hub PE and hub CE:

hub_PE
#
bgp 100
 #
 ipv4-family vpn-instance labnario_in
  import-route direct
  peer 150.1.1.2 as-number 200
 #
 ipv4-family vpn-instance labnario_out
  import-route direct
  peer 150.2.2.2 as-number 200
  peer 150.2.2.2 allow-as-loop

hub_CE
#
bgp 200
 peer 150.1.1.1 as-number 100
 peer 150.2.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 150.1.1.1 enable
  peer 150.2.2.1 enable

If EBGP runs between a hub PE and a hub CE, the hub PE performs AS-loop detection on the route. If the hub PE detects its own AS number in the route, it discards the route. In this case, to implement hub&spoke networking, the hub PE must be configured to permit the existence of repeated local AS numbers. This situation does not arise when an IGP runs between the hub PE and the hub CE.

Let’s see how it works.

Check communication between spoke PEs (use the ping and tracert commands):

[spoke_CE1]ping 2.2.2.2
  PING 2.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=250 time=390 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=250 time=170 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=250 time=120 ms
    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=250 time=180 ms
    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=250 time=160 ms

  --- 2.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 120/204/390 ms

[spoke_CE1]tracert 2.2.2.2
 traceroute to  2.2.2.2(2.2.2.2), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 110.1.1.2 130 ms  40 ms  70 ms 
 2 150.2.2.1 90 ms  60 ms  80 ms 
 3 150.2.2.2 90 ms  80 ms  80 ms 
 4 150.1.1.1 90 ms  80 ms  80 ms 
 5 120.1.1.2 110 ms  120 ms  130 ms 
 6 120.1.1.1 170 ms  220 ms  140 ms 

[spoke_CE2]ping 1.1.1.1
  PING 1.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=250 time=170 ms
    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=250 time=180 ms
    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=250 time=140 ms
    Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=250 time=190 ms
    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=250 time=130 ms

  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 130/162/190 ms

[spoke_CE2]tracert 1.1.1.1
 traceroute to  1.1.1.1(1.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 120.1.1.2 70 ms  40 ms  50 ms 
 2 150.2.2.1 80 ms  110 ms  70 ms 
 3 150.2.2.2 100 ms  110 ms  90 ms 
 4 150.1.1.1 80 ms  80 ms  110 ms 
 5 110.1.1.2 140 ms  150 ms  130 ms 
 6 110.1.1.1 170 ms  170 ms  170 ms

Display routing for each VPN instance on hub PE:

[hub_PE]dis ip rout vpn-instance labnario_in
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: labnario_in
         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1
        2.2.2.2/32  IBGP    255  0          RD   4.4.4.4         GigabitEthernet0/0/0
        6.6.6.6/32  EBGP    255  0           D   150.1.1.2       GigabitEthernet0/0/2
      110.1.1.0/24  IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1
      120.1.1.0/24  IBGP    255  0          RD   4.4.4.4         GigabitEthernet0/0/0
      150.1.1.0/24  Direct  0    0           D   150.1.1.1       GigabitEthernet0/0/2
      150.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2
      150.2.2.0/24  EBGP    255  0           D   150.1.1.2       GigabitEthernet0/0/2

[hub_PE]dis ip rout vpn-instance labnario_out
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: labnario_out
         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
        2.2.2.2/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
        6.6.6.6/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      110.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      120.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      150.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      150.2.2.0/24  Direct  0    0           D   150.2.2.1       GigabitEthernet0/0/3
      150.2.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/3

Comparing these outputs we can notice that the routing information, advertised by a spoke CE, is forwarded to the hub CE and hub PE, before being transmitted to other spoke PEs.


introduction to IPv6 – part 2

Let’s keep going and finish IPv6 introduction.

Multicast

A multicast address identifies a group of interfaces. Traffic that is sent to a multicast address is sent to multiple destinations at the same time. An interface may belong to any number of multicast groups. Multicast addresses are defined by the prefix FF00::/8.

 

The second octet defines the flags and the scope of the multicast address. Flags can be defined as:

  • 0 is reserved and must equal 0
  • R indicates rendezvous point and is almost always set to 0
  • P indicates prefix dependency and is almost always set to 0
  • T is the temporary bit. For a temporary multicast address T equals 1; for a permanent multicast address T equals 0.

Scope can be defined as:

  • 1 – interface-local, for the scope of the interface (loopback transmission)
  • 2 – link-local, for the link scope
  • 3 – subnet-local, for the subnet-local scope (subnet can span multiple links)
  • 4 – admin-local, for the administrative-local scope (administratively configured)
  • 5 – site-local, for the site scope
  • 8 – organization, for the organizational scope (multiple sites)
  • E – global, for the global scope
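The flag and scope fields described above can be read straight out of the second octet. This Python decoder is an added example, not code from the original post; FF15::1234 and FF0E::101 are constructed sample groups, and `wider_than_link` is a hypothetical helper for picking out groups whose scope reaches beyond a single link.

```python
import ipaddress

# Scope values exactly as listed on this page (low 4 bits of the second octet).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "subnet-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization",
          0xE: "global"}

def decode_multicast(text):
    """Split an IPv6 multicast address into its flag bits and scope."""
    addr = ipaddress.IPv6Address(text)
    if addr not in ipaddress.IPv6Network("ff00::/8"):
        raise ValueError(f"{addr} is not in FF00::/8")
    second = addr.packed[1]            # 4 flag bits followed by 4 scope bits
    flags, scope = second >> 4, second & 0x0F
    return {
        "reserved_ok": (flags & 0b1000) == 0,   # high flag bit must be 0
        "R": bool(flags & 0b0100),              # rendezvous point
        "P": bool(flags & 0b0010),              # prefix dependency
        "T": bool(flags & 0b0001),              # 1 = temporary, 0 = permanent
        "scope_value": scope,
        "scope": SCOPES.get(scope, f"unassigned (0x{scope:X})"),
        "group_id": int.from_bytes(addr.packed[2:], "big"),
    }

def wider_than_link(addresses):
    """Return the groups whose scope is wider than link-local (value > 2)."""
    return [a for a in addresses if decode_multicast(a)["scope_value"] > 2]

# Constructed sample list, e.g. groups taken from a filter under review.
SAMPLES = ["FF02::1", "FF15::1234", "FF0E::101"]
```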

The multicast addresses FF00:: to FF0F:: are reserved. Inside this range, the following addresses are assigned:

Anycast

An IPv6 anycast address is assigned to an interface on more than one node. A packet sent to an anycast address is routed to the nearest interface that has that address. The nearest interface is found according to the routing protocol’s measure of distance. For IPv6, anycast is defined as a way to send a packet to the nearest interface that is a member of the anycast group. Anycast addresses are allocated from the unicast address space, so they are indistinguishable from regular unicast addresses.


introduction to IPv6 – part 1

To start using IPv6 in our labs, I decided to prepare a short introduction to it. As it is a broad topic, I had to split it into several parts. Let’s start from the beginning.

Short IPv6 history

The first IPv6 protocol specification was introduced in late 1995 in RFC1883, so it was 18 years ago! About one year later the 6bone network was started as a virtual network over the IPv4-based Internet (using IPv6 over IPv4 tunneling). The mission of the 6bone was to establish an IPv6 environment for testing purposes. In 1999 the IPv6 Forum was founded and registries started assigning IPv6 prefixes to ISPs. In 2000, many vendors began to bundle IPv6 into their mainstream product lines. 2009 – first serious IPv4 address shortage in developed countries.

What about IPv5?

IPv5 was an experimental Resource Reservation Protocol, intended to provide QoS for multimedia and defined as the Internet Stream Protocol version 2 (ST2). It was designed to coexist with IPv4 on each node and to use the same addressing scheme, not to replace IPv4. The main role of ST2 was to transfer real-time multimedia, while IPv4 could be used for the transfer of traditional data and control information. ST2 is described in RFC1819.

IPv6 benefits

There are several features that make IPv6 attractive for building global-scale networks:

  • Larger address space. An IPv6 address is 128 bits long, 4 times longer than an IPv4 address. It allows addressing ~3.4*10^38 nodes, which gives 340282366920938463463374607431768211456 possible addressable nodes.
  • Global reachability. IPv6 makes it possible to use a global and reachable address for almost every kind of device, such as computers, IP phones, tablets, PDAs, TVs, vehicles.
  • Autoconfiguration. Enables “plug-and-play”. An IPv6 host can autoconfigure itself with a complete 128-bit globally unique address.
  • Simpler header and simpler processing in hardware. Half of the previous IPv4 header fields were removed. All IPv6 header fields are aligned to 64 bits, which allows easier storage and access in memory.
  • End-to-end security. IPsec is mandatory in IPv6; every node will have IPsec enabled.
  • Mobility is built into IPv6.

IPv6 address formats

IPv6 addresses are represented as a series of eight 16-bit hexadecimal fields that are separated by colons:

X:X:X:X:X:X:X:X, where X is a 16-bit hexadecimal field, for example:

2013:AB10:010F:0001:0000:0000:0000:FFFF

Leading zeros in a field are optional. Successive fields of zeros can be represented as a double colon (::), but this can be used only once in an address. Using these techniques, IPv6 addresses can be written in a much shorter form. The address mentioned above can be written as:

2013:AB10:10F:1::FFFF

Other examples of IPv6 addresses:

FF02:0000:0000:0000:0000:0000:0000:0001 can be represented as FF02::1
0000:0000:0000:0000:0000:0000:0000:0000 can be represented as ::

IPv6 address types

There are three main types of addresses supported by IPv6:

  • Unicast
      1. Global unicast
      2. Link-local
      3. Unique local
      4. Special-purpose: Unspecified, Loopback, IPv4-mapped
  • Multicast
  • Anycast

There is no broadcast address in the way it is used in IPv4. Its function is superseded by multicast addresses.

IPv6 global unicast address

Global unicast address space corresponds to the principal use of IPv6 addresses, for generic global IPv6 traffic. These addresses can be allocated by registries only from the range of addresses that start with binary value 001 (2000::/3). The structure of this address is as follows:

 

  • A global routing prefix assigned to a site, typically /48
  • A subnet identifier, used to identify links within a site, typically 16 bits long
  • A 64-bit interface identifier

Example of a global unicast address:

2013:AB01:0000:0000:DC10:B210:5C13:4512 or simply 2013:AB01::DC10:B210:5C13:4512

For more information about IPv6 global unicast addresses see RFC3587, IPv6 Global Unicast Address Format.

IPv6 link-local address

An IPv6 link-local address must be assigned to every IPv6-enabled interface. The scope of this address is limited to the link. Link-local addresses are automatically created using a specific prefix, FE80::/10, and a 64-bit interface identifier. This type of IPv6 address can be used to connect devices on the same link or local network, where global or unique local addressing is not a requirement. Routing protocols use this address type as a next-hop address.

 

Example of a link-local address:

FE80::215:60FF:FE00:F126

IPv6 unique local address

Local unicast addresses are defined in RFC4193, Unique Local IPv6 Unicast Addresses. Prefixes start with FC00::/7, where:

  • FC00::/8 is planned to be globally managed
  • FD00::/8 can be assigned locally by administrator (L bit set to 1)

 

Unique local address space has a local site scope. It can be used by organizations that prefer a concept of private address space for internal communication. Unique local address space can be used independently of any provider-based IPv6 unicast address allocation.

The 40-bit global ID field is pseudo-random and must not be assigned sequentially or with well-known numbers. This gives an assurance that any network numbered using such a prefix is highly unlikely to have its address space clash with any other network that has another locally assigned prefix allocated to it. This is particularly useful in case of a network merge, because it allows sites to be combined without creating any address conflicts or renumbering of interfaces.
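One way to produce such a global ID is the sample algorithm in RFC4193 section 3.2.2: hash a 64-bit NTP timestamp together with an EUI-64 and keep the least significant 40 bits. The Python below is an added example, not code from the original post; the function names are hypothetical, and `looks_predictable` is only a simple heuristic for the "sequential or well-known" case.

```python
import hashlib
import ipaddress
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def ntp_timestamp(unix_time):
    """64-bit NTP format: 32 bits of seconds, 32 bits of fraction."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time % 1) * 2**32)
    return struct.pack(">II", seconds & 0xFFFFFFFF, fraction)

def ula_prefix(unix_time, eui64):
    """Build an FD00::/8 /48 prefix: SHA-1(time || EUI-64), low 40 bits as global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    global_id = digest[-5:]                         # least significant 40 bits
    packed = bytes([0xFD]) + global_id + bytes(10)  # FC00::/7 with L bit = 1
    return ipaddress.IPv6Network((packed, 48))

def subnet(prefix48, subnet_id):
    """Derive the /64 for a 16-bit subnet ID inside the /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is 16 bits")
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def looks_predictable(prefix):
    """Heuristic: global ID is one repeated byte or a run of consecutive bytes."""
    gid = ipaddress.IPv6Network(str(prefix)).network_address.packed[1:6]
    steps = {b - a for a, b in zip(gid, gid[1:])}
    return steps in ({0}, {1})

# Sample input: the interface identifier of the link-local example on this
# page, used as the EUI-64, with a constructed timestamp.
EXAMPLE = ula_prefix(1700000000.5, bytes.fromhex("021560fffe00f126"))
```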

Special purpose addresses

Loopback

The loopback address identifies a local interface in the IP stack. It is the IPv6 equivalent of the IPv4 127.0.0.1 loopback. In the IPv6 world the address is 0:0:0:0:0:0:0:1, or simply ::1.

Unspecified address

This address is used when no address is available; for example, it can be used as a source address when a host requests an address from a DHCP server. This address is 0:0:0:0:0:0:0:0, or simply “::”. It indicates the absence of an address and must not be used as a destination address.

Next time I will try to describe multicast and anycast IPv6 addressing concepts.

Do you have any experience in the IPv6 implementation? Would you like to express your opinion? Feel invited to comment.
