CCNP Route - 300-101 - Sub-Topics - IPv4&IPv6 + Dual Stack + Tunneling + NAT-PT

Started by LynK, February 06, 2017, 10:13:51 AM

LynK

---------------------------------------------------------------------------------------------------
IPv4 & IPv6
---------------------------------------------------------------------------------------------------

With the ever-changing IT field and the adoption of IPv6, there arises a big question: is there any way to run IPv4 and IPv6 together? No organization is going to decide one day that they are going to kill all IPv4 and switch to IPv6 overnight, so how can we (if at all) run IPv4 and IPv6 together?
Well, good news: there are multiple options out there, and we are going to discuss what these options are:

1)   Dual Stack Method
2)   Tunneling
3)   NAT-PT
---------------------------------------------------------------------------------------------------
Dual Stack
---------------------------------------------------------------------------------------------------

Let's start with dual-stack. Well, what is it? Dual stack is a method of running IPv4 and IPv6 simultaneously. If I have a computer and I run dual-stack mode, I need IPv4 and IPv6 turned on, and they need both IPs on a single interface.
This lets IPv4 talk to IPv4 and IPv6 talk to IPv6. But what about v4 to v6? NOPE. EVERYTHING needs to have both. So how is this configured?

interface gi0/0
   ip address 10.0.0.1 255.255.255.0
   ipv6 address 2001:1111:1111::1/64


This presents one problem. What if we have networks that ONLY support IPv4 (legacy gear, or maybe the vendor just doesn't support the features yet)? That is where we get into tunneling.

---------------------------------------------------------------------------------------------------
Tunneling Basics
---------------------------------------------------------------------------------------------------


Tunneling in relation to this topic takes IPv6 packets and puts them inside an IPv4 packet. Pretty cool, huh? So as not to bore you, let's get into the types of tunnels that we can utilize.

There are two categories of tunnels (think DMVPN): point-to-point and multipoint tunnels. I am not going to get into the details of these, because we will cover this in more detail in the DMVPN section, but this is what you need to know.

-   Point-to-point tunnels:
      -   Acts like a directly connected link (think of it like a VPN, or an OSPF virtual-link)
      -   You need to configure a 'tunnel interface' for this to work
      -   You can also run IGPs over this virtual tunnel (HECK YEAH!)
-   Multipoint tunnels:
      -   One-to-many transmission
      -   Forwarding decisions are based on destination address (or possibly next-hop)

Cisco recommends that if you are using IPv6 communication frequently, you use point-to-point, and multipoint for less frequent traffic.

Before we jump into the tunnels, I need to explain NAT-PT. NAT Protocol Translator takes IPv6 and translates the devices to IPv4. But there are some limitations:
   The biggest limitations are:
   -No CEF Support
   -No end-to-end security
   -Single point of failure
   
So what are the tunneling options? Well, there are 4:
   -MCT (Manually Configured Tunnels)
   -GRE
   -6to4
   -ISATAP

---------------------------------------------------------------------------------------------------
Tunneling: MCT & GRE
---------------------------------------------------------------------------------------------------


Let's start with the easiest, MCT. MCT is a point-to-point tunnel that is configured manually. Here are some of the features of MCT:
   -IGP support
   -Less overhead than other options (GRE)
   -IP PROTOCOL 41

To configure MCT:

interface Tunnel0
    ipv6 address 2011:1111:1111:1111::1/64
    tunnel source GigabitEthernet0/0
    ipv6 eigrp 100
    tunnel mode ipv6ip
    tunnel destination 10.0.0.1


I want you to notice three things here that we just discussed above.
   -First notice the ipv6 IGP running on the tunnel interface.
   -Secondly notice the tunnel mode (ipv6ip), this means we are running MCT.
   -Lastly notice the tunnel destination. IPV4!

Now look at GRE:

interface Tunnel0
    ipv6 address 2011:1111:1111:1111::1/64
    tunnel source GigabitEthernet0/0
    ipv6 eigrp 100
    tunnel mode gre ip
    tunnel destination 10.0.0.1


Notice anything unique? The tunnel mode. That is the only thing different here. (We will discuss GRE thoroughly in the DMVPN section.)


---------------------------------------------------------------------------------------------------
Tunneling: 6to4
---------------------------------------------------------------------------------------------------


Let's have a look at 6to4; this is where things get interesting. 6to4 supports dynamic multipoint IPv6 tunnels. Woah, that seems like a mouthful at first, but it isn't anything crazy. One of the major disadvantages of 6to4 is that it does not support IGPs. You must use static routes (blah) or BGP.

One of the unique things about 6to4 is that it gives you options (and we like options). You can choose your addressing options. What do you mean by choose your addressing options? This is IPv6. IPv6 is IPv6. Well... yes while that IS true, you can EMBED information into your IPv6 address.

Here are your options:
   -Embed IPv4 address into IPv6 address (must be behind a 2002 prefix)
   -Just use global prefixes

So you are thinking... okay. How do we do this? Well... first, start with a prefix (needs to be /48):

2002::/16

Done. Now that the initial prefix is out of the way, we need to add our 16 MAC of the router. For example, if R1's IP was 10.0.0.1 (HEX = 0A.00.00.01). Now we add the subnet identifier:

2002:A00:1:0000 = Site 1 Subnet 1
2002:A00:2:0001 = Site 1  Subnet 2 (goes all the way to FFFF)

We are going to use 0 for our site identifier. Then we lastly add the IPv6 address we want to give to the router (0001) to the end: 2002:0A00:1:0::1/64

If we add a PC, let's say we give him the IP of 99. Here is the IP if he is behind R1: 2002:A00:1:0::99/64

To configure the 6to4 tunnel:

interface tunnel 0
   ipv6 address 2002:A00:1:0::1/64
   tunnel source gi0/0
   tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 tunnel 0


---------------------------------------------------------------------------------------------------
Tunneling: ISATAP
---------------------------------------------------------------------------------------------------


ISATAP
    -ISATAP stands for Intra-Site Automatic Tunnel Addressing Protocol

There are some requirements that are needed for ISATAP tunnels, such as:
   -Clients MUST be dual-stacked

The purpose of ISATAP is to allow dual-stack clients within a network to communicate with other hosts on the same virtual link. Just like above when we were discussing 6to4's unique addressing structure, ISATAP also has a unique addressing structure.
ISATAP uses an addressing structure in which the first 64 bits are normally any unicast address, so let's use:

2002:1111:AAAA:2222::/64

Then the first 32 bits after the 64-bit network identifier contain the value 0000:5EFE. This is used to indicate that this address is an IPv6 ISATAP address. So, slap that on:

2002:1111:AAAA:2222:0:5EFE::/96 – THIS INDICATES AN ISATAP IP.

Lastly, we need to take the remaining 32 bits and put in the IPv4 address of the host (10.0.0.1), we get:

2002:1111:AAAA:2222:0:5EFE:0A00:0001/64 – A COMPLETE ISATAP ADDRESS! WOHO!

One more unique thing about ISATAP is its ability on Windows machines. ISATAP can create a link-local address automatically when IPv6 is enabled on a Windows host.

To configure ISATAP:

interface tunnel 0
   ipv6 address 2001:1111:AAAA:2222::/64 eui-64
   no ipv6 nd suppress-ra
   tunnel source 1.1.1.1
   tunnel mode ipv6ip isatap
!
interface Gi0/0
   ip address 1.1.1.1 255.255.255.0



---------------------------------------------------------------------------------------------------
NAT64
---------------------------------------------------------------------------------------------------

NAT64 is a variant of traditional NAT (known as NAT44). NAT64's primary function is to translate IPv4 to IPv6 or IPv6 to IPv4.

There are two types of NAT64:
   -Stateless
   -Stateful

Stateless NAT64
   -Does not keep state information (IP source, IP translated, lease/expire timers)
   -Embeds IPv4 addresses into IPv6 address (this allows bidirectional communication)

There are four parts to a NAT64 address:
   -Prefix
   -U-bit
   -v4 address field
   -Suffix

The interesting part about NAT64, is that the IPv4 address mapping is unique depending upon the prefix size. For example, if I take IP 1.1.1.1 (01.01.01.01), let me show you how this breaks down with different subnets:

If a /32: 2002:AAAA:0101:0101:[00 - ubit][Remaining bits = Suffix]
If a /40: 2002:AAAA:BB01:0101:[00 - ubit]01:[Remaining bits = Suffix]
If a /48: 2002:AAAA:BBBB:0101:[00 - ubit]01:01[Remaining bits = Suffix]
If a /56: 2002:AAAA:BBBB:CC01:[00 - ubit]01:0101:[Remaining bits = Suffix]
If a /64: 2002:AAAA:BBBB:CCCC:[00 - ubit]01:0101:01[Remaining bits = Suffix]
If a /96: 2002:AAAA:BBBB:CCCC:DDDD:EEEE:0101:0101

Notice a few different things here, notice how the u-bit is always zero. Also notice how certain subnets are much easier to read than others (/96, /64, /32). This is because the IP is not segmented between the U-bit.

We have host: 192.168.0.10 (HEX = C0.A8.00.0A), with a global prefix of: 2001:1111:AAAA:2222/64
      Make this into a NAT64 address: 2001:1111:AAAA:2222:C0:A800:A00:1/64

How about if I give you this one: 2999::/96 with an IP of 10.1.1.1?
      Here is the answer: 2999::0A01:0101/96

If we have two machines, host 0 and host 1. Host 0 connects to Gig0/0 on RTR-99. Host 1 connects to Gig0/1 on RTR-99. Host 0 is IPv6 only, with the IP of: 2999::10:1010:1000:0000. Host 1 has an IPv4 address of 1.1.1.1.

Here is the NAT configuration on RTR-99:

interface Gi0/0
   nat64 enable
interface Gi0/1
   nat64 enable
   nat64 prefix stateless 2999::/64
   nat64 route 1.1.1.0/24 Gi0/0


Stateful NAT64

-Stateful NAT64 keeps session information
-Stateful NAT64 works much more like traditional NAT in that you do not need to embed IPv4 addresses, it takes IPv6 addresses, and does a one-to-one or one-to-many translation.
-One key thing to remember is that NAT64 and DNS64 are separate functions. DNS takes AAAA records and proxies them to A records for IPv4 resolution (and vice versa).
-An AAAA record is an IPv6 DNS record, while an A record is an IPv4 record.

To configure Stateful NAT64:

interface gi0/0
   ipv6 address 2999:AAAA:BBBB::1/64
   nat64 enable
!
interface Gi0/1
   ip address 9.9.9.1 255.255.255.0
   nat64 enable
!
ipv6 access-list ALLOW_IPV6_NAT
   permit ipv6 2999:AAAA:BBBB::/48 any
!
nat64 prefix stateful 2999:AAAA:BBBB:F::/64
nat64 v4 pool IPV4_POOL 9.9.9.20 9.9.9.200
nat64 v6v4 list ALLOW_IPV6_NAT pool IPV4_POOL overload


---------------------------------------------------------------------------------------------------
NPTv6
---------------------------------------------------------------------------------------------------

NPTv6 – Network Prefix Translation

Okay cool, I know what it stands for, but what does it do? Well my friends, let's say you have an IPv6 network that you may need to convert to a different IPv6 network. Then this is the solution for you. It is a stateless solution, so there is not a lot of overhead to run this process, plus NPTv6 does NOT REWRITE HIGHER LAYER HEADERS. It also provides a lot of benefits, such as:
   -Checksum-neutral
   -Does not map ports
   -No need for an NPTv6 translator (to re-write headers)
   -Does not interfere with encryption

Some big CAVEATS to remember about NPTv6:
   -Does not support IPsec
   -There are some significant security concerns because it does not function truly as a NAT like NAT44 did (reference RFC 6296)

To configure NPTv6:

interface GigabitEthernet0/0
   nat66 inside
!
interface GigabitEthernet0/1
   nat66 outside
!
nat66 prefix inside 2002:FFF1::/64 outside 2002:FFF2::/64


---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
PRACTICE QUESTIONS:
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------

1)   What tunneling method would you choose, if you needed a permanent solution?
2)   What are two benefits of using NPTv6?
3)   What technology would you use for intra-site automatic tunneling?
4)   True or False: ISATAP provides 1-to-1 IPv6 to IPv6 translations.
5)   Which protocols allow for the integration of IPv4 addresses into IPv6 addresses?
6)   True or False: Stateless NAT64 provides integrated DNS services.
7)   Which Type of tunnel is preferred for temporary solutions?
8)   Using ISATAP addressing convert 10.4.5.1 to an IPv6 address with global prefix of 2001::/64.
9)   Which tunneling methods allow for the use of IGPs?
10)   Using 6to4 addressing convert 1.1.1.1 to an IPv6 address with global prefix 2244::1/64.
11)   What is dual-stack?
12)   What is the function of DNS64 in relation to NAT64?
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
PRACTICE ANSWERS:
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------

1)   MCT
2)   Checksum Neutral. Does not rewrite higher level headers.
3)   ISATAP
4)   True
5)   6to4, ISATAP, Stateless NAT64
6)   False
7)   Automatic Tunnels
8)   2001::0:5EFE:A04:501
9)   MCT & GRE
10)   2244:101:101::1/64
11)   When a device is running both IPv4 and IPv6
12)   NAT64 performs address translations, while DNS64 maintains address records
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"
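The 6to4, ISATAP and NAT64 sections above all build an IPv6 address by embedding a 32-bit IPv4 address in it. The following is an added example (not code from the post, and not Cisco's) that constructs each of the three forms so the bit positions can be checked against the hand-worked addresses in the post: 6to4 per RFC 3056 (2002: + IPv4 + 16-bit subnet + interface-id), the 0:5EFE ISATAP interface-id form the post uses, and the RFC 6052 NAT64 format for all six permitted prefix lengths (/32 to /96), where the u byte at bits 64-71 and the suffix are zero. Function names, the `subnet`/`iid` parameters and the prefixes in the usage lines are this example's own choices.

```python
"""Embedded-IPv4 address forms from the thread: 6to4 (RFC 3056), ISATAP
(RFC 5214, 0:5EFE form) and the NAT64 / IPv4-embedded IPv6 format of
RFC 6052. Added example, not from the original post."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Address bit b (0 = most significant) is int bit 127-b, so a field whose
# last bit is address bit e is placed with a left shift of 127-e.
U_BYTE_MASK = 0xFF << 56            # address bits 64-71: the RFC 6052 "u" byte
NAT64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def v4_int(ipv4):
    return int(IPv4Address(ipv4))


def six_to_four(ipv4, subnet=0, iid=1):
    """2002:<IPv4>:<subnet>::<iid>: the site /48 is 2002::/16 plus the 32-bit IPv4."""
    if not 0 <= subnet <= 0xFFFF or not 0 <= iid < (1 << 64):
        raise ValueError("subnet is 16 bits, interface-id is 64 bits")
    return IPv6Address((0x2002 << 112) | (v4_int(ipv4) << 80) | (subnet << 64) | iid)


def isatap(prefix64, ipv4):
    """<64-bit prefix>:0:5EFE:<IPv4>, the interface-id form used in the post."""
    net = IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP interface-id sits behind a /64 prefix")
    return IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4_int(ipv4))


def nat64_embed(prefix, ipv4):
    """RFC 6052 IPv4-embedded IPv6 address: the IPv4 address is split around
    the u byte (bits 64-71, always zero); anything after it is a zero suffix."""
    net = IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in NAT64_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a permitted NAT64 prefix length")
    base = int(net.network_address) & ~U_BYTE_MASK
    v4 = v4_int(ipv4)
    if plen == 96:                       # whole IPv4 address in bits 96-127
        return IPv6Address(base | v4)
    n_high = 64 - plen                   # IPv4 bits that fit between the prefix and bit 64
    n_low = 32 - n_high                  # IPv4 bits that continue from bit 72
    high, low = v4 >> n_low, v4 & ((1 << n_low) - 1)
    return IPv6Address(base | (high << 64) | (low << (56 - n_low)))


def nat64_extract(prefix, ipv6):
    """Inverse of nat64_embed: recover the IPv4 address from the embedded form."""
    plen = IPv6Network(prefix).prefixlen
    if plen not in NAT64_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a permitted NAT64 prefix length")
    a = int(IPv6Address(ipv6))
    if plen == 96:
        return IPv4Address(a & 0xFFFFFFFF)
    n_high = 64 - plen
    n_low = 32 - n_high
    high = (a >> 64) & ((1 << n_high) - 1)
    low = (a >> (56 - n_low)) & ((1 << n_low) - 1)
    return IPv4Address((high << n_low) | low)


if __name__ == "__main__":
    # constructed inputs: R1's 10.0.0.1 from the post and practice question 8
    print("6to4   :", six_to_four("10.0.0.1"))
    print("ISATAP :", isatap("2001::/64", "10.4.5.1"))
    for p in ("2001:db8::/32", "2001:db8:122:344::/64", "2999::/96"):
        print(f"NAT64 {p:>22}:", nat64_embed(p, "10.1.1.1"), "->", nat64_extract(p, nat64_embed(p, "10.1.1.1")))
```

Running the module prints the post's R1 6to4 address (2002:a00:1::1), the ISATAP answer to question 8, and NAT64 embeddings for the page's 2999::/96 prefix alongside RFC 6052 documentation prefixes. Because the /40, /48 and /56 forms split the IPv4 address around the u byte, `nat64_extract` is the function to keep at hand when reading such addresses off the wire.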
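The NPTv6 section says the translation is checksum-neutral and does not touch higher-layer headers, and the nat66 configuration maps 2002:FFF1::/64 to 2002:FFF2::/64. The following is an added example (not the post's or Cisco's code) of the mechanism RFC 6296 describes for that property: after the prefix is swapped, the one's-complement difference between the two prefixes is added to one 16-bit word of the address (the subnet field for /48 and shorter prefixes, the first interface-id word that is not 0xFFFF for /49 to /64), so the pseudo-header checksum of TCP and UDP is unchanged and the transport header needs no rewrite. The function names and the host addresses are this example's own choices; the prefix pair is the post's.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix mapping. Added example, not the
post's or Cisco's code; prefixes are the post's nat66 pair, hosts are constructed."""
import struct
from ipaddress import IPv6Address, IPv6Network


def words(addr):
    """An IPv6 address as its eight 16-bit words (the units a transport checksum sums)."""
    return list(struct.unpack("!8H", IPv6Address(addr).packed))


def ones_add(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws):
    s = 0
    for w in ws:
        s = ones_add(s, w)
    return s


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same value to a TCP/UDP
    pseudo-header checksum (0xFFFF and 0x0000 are the same one's-complement value)."""
    return ones_sum(words(addr_a)) % 0xFFFF == ones_sum(words(addr_b)) % 0xFFFF


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite from_prefix to to_prefix and absorb the checksum change in one
    16-bit word, following RFC 6296 sections 3.1 and 3.2."""
    src, dst = IPv6Network(from_prefix), IPv6Network(to_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen > 64:
        raise ValueError("NPTv6 maps prefixes of equal length, at most /64")
    a = IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) & ((1 << (128 - plen)) - 1)
    orig = words(a)
    new = words(IPv6Address(int(dst.network_address) | host_bits))
    # adjustment = sum(internal prefix) - sum(external prefix) in one's complement;
    # only words 0-3 can differ, so the difference of those partial sums is it
    adj = ones_add(ones_sum(orig[:4]), ones_sum(new[:4]) ^ 0xFFFF)
    # /48 and shorter: the adjustment goes into the subnet field (bits 48-63, word 3);
    # /49-/64: into the first interface-id word (words 4-7) that is not 0xFFFF
    for i in ([3] if plen <= 48 else range(4, 8)):
        if new[i] == 0xFFFF:
            continue
        r = ones_add(new[i], adj)
        new[i] = 0 if r == 0xFFFF else r   # 0xFFFF equals 0 in one's complement; write 0x0000
        return IPv6Address(struct.pack("!8H", *new))
    raise ValueError("no usable 16-bit word (all 0xFFFF): NPTv6 drops such a packet")


if __name__ == "__main__":
    inside, outside = "2002:FFF1::/64", "2002:FFF2::/64"   # the post's nat66 prefix pair
    out = nptv6_translate("2002:fff1::1", inside, outside)   # constructed inside host
    back = nptv6_translate(out, outside, inside)
    print(f"inside 2002:fff1::1 -> outside {out} -> inside {back}")
    print("checksum-neutral:", checksum_neutral("2002:fff1::1", out))
```

Note what the output shows about the "no IPsec" caveat in the post: the translated address differs from the original not only in the prefix but also in one interface-id word, so anything that signs the source address (AH, or an ESP policy keyed on the inner address) sees a different packet on each side of the translator. The mapping is reversible without state, which is why the post can call it stateless.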

icecream-guy

you might want to hide the answers,  or maybe base64 encode them, so that are not so easily available right under the questions

MSkgICBNQ1QNCjIpICAgQ2hlY2tzdW0gTmV1dHJhbC4gRG9lcyBub3QgcmV3cml0ZSBoaWdoZXIgbGV2ZWwgaGVhZGVycy4NCjMpICAgSVNBVEFQDQo0KSAgIFRydWUNCjUpICAgNnRvNCwgSVNBVEFQLCBTdGF0ZWxlc3MgTkFUNjQNCjYpICAgRmFsc2UNCjcpICAgQXV0b21hdGljIFR1bm5lbHMNCjguKSAgIDIwMDE6OjA6NUVGRTpBMDQ6NTAxDQo5KSAgIE1DVCAmIEdSRQ0KMTApICAgMjI0NDoxMDE6MTAxOjoxLzY0DQoxMSkgICBXaGVuIGEgZGV2aWNlIGlzIHJ1bm5pbmcgYm90aCBJUHY0IGFuZCBJUHY2DQoxMikgICBOQVQ2NCBwZXJmb3JtcyBhZGRyZXNzIHRyYW5zbGF0aW9ucywgd2hpbGUgRE5TNjQgbWFpbnRhaW5zIGFkZHJlc3MgcmVjb3Jkcw==

My Moral Fibers have been cut.

deanwebb

I edited the answers to make use of the spoiler tags. If you're in edit mode (not quick edit), it's the Sp button in the editing fields.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

good idea, I have added that to all of the threads that have questions.

@dean, @ristau

how is the content? I think it is turning out pretty well. I have four more topics to cover, which include: IPsec, DMVPN (will probably be together),  NTP, and SNMP. Then I will go over the exam topics and look for other things to cover as well. I am most likely not going to go the routing protocols because they are covered more than sufficiently in exam materials.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"
