Ipv6 Lab Guide

IPv6 Lab Guide:
Lab 1: Ipv6 address

Lab 2: Neighbor Discovery
Lab3 : Static Routing
Lab 4: Routing with Ospf V3
Lab 5: Routing with BGP
Lab 6: Manual Tunnel with IPv6
Lab 7: IPv6 Prefix delegation
Lab 8: Ipv6 Multicast
Lab 9 : IPv6 zone Based FW
Lab 10: IPv6 with PE and VPE
TECRST-2300
14448_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62
Network Diagram—IPv6 Lab
Sample Topology for a Single Pod
Network A Network B
g0/0
G0/0
g0/1 g0/2 g0/3 H2
H1
R2 R3 R4
R1 g0/1 g0/2 g0/3 g0/0
g0/0
TECRST-2300
All Routers/Hosts Basic Configuration
Configure the Following on Your Router and Host:

 For example: R1 and H1
hostname R1 / H1
!
no ip domain-lookup
!
line con 0
no login
exec-timeout 0 0
privilege level 15
TECRST-2300
Lab 1: IPv6 Addressing
TECRST-2300
Lab 1: Task Summary
 Enable IPv6 on all four routers (R1 to R4)

 Configure hosts (H1 and H2) to use stateless address
auto-configuration for IPv6
 Configure IPv6 addresses on Ethernet and serial
interfaces using addresses listed in Table 1
 Use show commands to view IPv6 configuration
and addresses
 Use ping to verify IPv6 connectivity
TECRST-2300
Lab 1: Configuring IPv6 Interfaces (1)
Table 1: IPv6 Prefixes

Router Unique-Local
Global IPv6 Prefix
Number IPv6 Prefix
R1 (g0/1) 2001:DB8:1122:12::1/64 fc00:1:2:12::1/64
R1 (g0/0) 2001:DB8:1234:1::/64 eui-64
R2 (g0/1) 2001:DB8:1122:12::2/64 fc00:1:2:12::2/64
R2 (g0/2) 2004:DB8:2233:23::2/64
R3 (g0/3) 2001:DB8:3344:34::3/64 fc00:3:4:34::3/64
R3 (g0/2) 2004:DB8:2233:23::3/64
R4 (g0/0) 2001:DB8:1234:4::/64 eui-64
R4 (g0/3) 2001:DB8:3344:34::4/64 fc00:3:4:34::4/64
TECRST-2300
Task: Configuring the IPv6 Ethernet Interface
 On routers R1 and R2, go to global configuration mode
#configure terminal
 Enable IPv6 unicast routing on the router
(config)#ipv6 unicast-routing
 Configure the g0/0 interface
(config)#interface g0/0
 Enable IPv6 on the interface
(config-if)#ipv6 enable
(config-if)#no shutdown
 Quit the configure mode
(config-if)#end
 Verify that the Ethernet interface is configured
#show ipv6 interface g0/0
 Identify the type of addresses that are configured
TECRST-2300
Task: Finding the Link-Local Address of a Host
 On hosts H1 and H2, go to global configuration mode
#configure terminal
 Configure the host g0/0 interface
 Enable IPv6 on the interface
(config-if)#ipv6 enable
(config-if)#ipv6 address autoconfig
 Quit the configure mode
(config-if)#end
 Verify that the interface is configured
TECRST-2300
Task: Verifying IPv6 Link-Local Connectivity
 On routers R1 and R4, enable console debugging of ICMP
and Neighbor Discovery (ND) IPv6 packets
#debug ipv6 icmp
#debug ipv6 nd
 On the router, ping the local Ethernet interface of host

specifying the link-local address in the ping command
destination address
#ping fe80::<link local address of Host>
#ping ipv6 fe80::<link local address of Host>
 On the router, verify the list of IPv6 neighbors

#show ipv6 neighbors
TECRST-2300
Task: Configuring a Static IPv6 Address with EUI-64
 On routers R1 and R4, configure a global IPv6 address on
g0/0 interface using the /64 prefix of your subnet and the
EUI-64 format
 Subnet = router number, e.g., R1 = 2001:DB8:1234:1::/64 &
R4 = 2001:DB8:1234:4::/64)
#configure terminal
(config)#interface
g0/0
(config-if)#ipv6 address 2001:DB8:1234:<router #>::/64 eui-64
(config)#end
 Verify the configuration
 On the routers, disable all console debugging
TECRST-2300
#undebug all
TECRST-2300
Task: Configuring IPv6 addresses.
 On all four routers, configure a global and unique-local address on
other interfaces by using the IPv6 prefix assigned. Use the router
number for the host part. (Refer to table 1 for details)
 For example, on R1:
#configure terminal
(config)#interface g
0/1 (config-if)#ipv6
enable
(config-if)#ipv6 address fc00:1:2:12::<router #>/64
(config-if)#ipv6 address 2001:DB8:1122:12::<router #>/64
 Verify connectivity by using ping to next-hop router
#ping <global or unique-local address of next-hop router>
#show ipv6 neighbors
TECRST-2300
Lab 2: Using
Neighbor Discovery
TECRST-2300
Lab 2: Task Summary
 Enable Router Advertisements (RA) for global and

unique-local IPv6 prefixes on g0/0 (R1 and R2)
 Use show commands and debugs (debug ipv6 nd) to
view IPv6 configuration
 Use ping to verify IPv6 connectivity
 Renumber the g0/0 interfaces on R1 and R2 by
deprecating the old IPv6 prefixes and announcing a
new IPv6 prefix
Pick a new IPv6 global prefix (2003:DB8:ffff:<router #>::/64)
Deprecate the old prefix; hint: change the valid and
preferred lifetimes
TECRST-2300
Lab 2: Using Neighbor Discovery (1)
Task: Configuring Router Advertisements for Global Addresses
 Look at the configuration of hosts H1 and H2 and determine if they have received a
global address?
 Enable the debugging mode for IPv6 Neighbor Discovery (ND)
#debug ipv6 nd
 On routers R1 and R4, go to configuration mode and then under Ethernet
0/0 interface
#configure terminal
 Enable RAs by using the ND command with the subnet prefix assigned to your
LAN. Because infinite lifetime is not desired, use five minutes (120 seconds) for
lifetime (both preferred and valid).
(config-if)#ipv6 nd prefix 2001:DB8:1234:<router #>::/64 120 120
 Verify that the hosts now have an IPv6 address that was automatically configured
with this subnet prefix. Note that the previously configured link-local address is still
present and valid. Also look at the valid and preferred lifetimes, are they
decrementing?
 Verify connectivity using the ping command on the router to the host using the
newly assigned address of the host as the ping destination
#ping <global address of Host>
TECRST-2300
Task: Configuring Router Advertisements for Unique-Local Addresses
 Configure a unique-local address on g0/0 interface of Routers R1 and
R4 by using the subnet prefix for your LAN. Use EUI-64 format.
#configure terminal
(config-if)#ipv6 address fc00:0:0:<router #>::/64 eui-64
 Enable RAs by using the ND command with subnet prefix assigned to
your LAN for unique-local addresses. Use five minutes (120 seconds)
for the lifetime.
(config-if)# ipv6 nd prefix fc00:0:0:<router #>::/64 120 120
 Change the RA interval to 30 seconds
(config-if)# ipv6 nd ra interval 30
 Verify that hosts H1 and H2 now have an IPv6 address configured with
this subnet prefix
 Verify connectivity to the host using the ping command on the router to
the host using the newly assigned address of the host as the ping
destination address
#ping <unique-local address of Host>
TECRST-2300
Task: Renumbering the Local Network on the Router
 On routers R1 and R2, configure the new address of
workgroup g0/0 interface by using the new global
subnet prefix assigned to your LAN. Use EUI-64 format.
#configure terminal
(config-if)#ipv6 address 2003:DB8:ffff:<router #>::/64 eui-64
 Enable RAs by using the ND command with the new subnet
prefix assigned to your LAN. Use five minutes (240 seconds)
for the lifetime.
(config-if)# ipv6 nd prefix 2003:DB8:ffff:<router #>::/64 240 240
 Verify that hosts H1 and H2 have a new address with the
new prefix
TECRST-2300
 Modify the Neighbor Advertisement (NAs) for
2001:DB8:1234:<router #>::/64 (the old prefix) by making
the valid and preferred lifetimes equal to 60 and 0
respectively
#configure terminal
(config-if)# ipv6 nd prefix 2001:DB8:1234:<router #>::/64 20 0
 Verify that the hosts deprecate the use of the “old” prefix and
prefers the “new” one
 Verify connectivity to the host by using the ping command on
the router using the new assigned address of host
#ping <new global address of Host>
#undebug all
TECRST-2300
Lab 3: IPv6
Static Routing
TECRST-2300
Lab 3: Task Summary
 Configure IPv6 default static routes on R1 and R4

 Configure IPv6 static routes on R3 and R4
 Use ping to verify IPv6 connectivity between R1 and R4
 Use show commands to view IPv6 routing table
TECRST-2300
Lab 3: IPv6 Static Routing (1)
Task: Configuring IPv6 Static Routing on Routers
 Configure static default routes on R1 and R4 pointing to R2
and R3 respectively (see table 1 for addressing details)
 On R1:
(config)#ipv6 route ::/0 2001:DB8:1122:12::2
 On R4:
(config)#ipv6 route ::/0 2001:DB8:3344:34::3
Configure static routes on R2 pointing to R4’s network; R3 pointing
to R1’s network. (see table 1 for addressing details)
 On R2:
(config)#ipv6 route 2001:DB8:3344:34::/64 2004:DB8:2233:23::3
 On R3:
(config)#ipv6 route 2001:DB8:1122:12::/64 2004:DB8:2233:23::2
TECRST-2300
Lab 3: IPv6 Static Routing (2)
Task: Verifying IPv6 Connectivity Using Static Routes

 Verify the routing table
#show ipv6 route
 Verify IPv6 connectivity using the ping command using

the peer’s IPv6 address
#ping <your peer’s Global IPv6 Address>
 Can you ping from R1 to R4 and vice versa? If not,

troubleshoot why the ping is not working.
 Hint: use “debug ipv6 icmp” and “debug ipv6 packet”
on R2 and R3 to see if traffic is being forwarded
TECRST-2300
Lab 4: Routing
with OSPFv3
TECRST-2300
Lab 4: Task Summary
 Enable debugs for IPv6 routing and IPv6 OSPFv3
#debug ipv6 routing
#debug ipv6 ospf event
 Configure OSPFv3 on all four routers
Look at topology diagram for details
Use 192.168.30.xx for router-id (where xx is the router number)
 Remove all IPv6 static and default routes on all routers
 Use ping to verify IPv6 connectivity between H1 and H2
 Use show commands to view IPv6 routing table
#show ipv6 route
#show ipv6 ospf neighbor
#show ipv6 ospf database
 Answer review questions at the end of this section
TECRST-2300
OSPFv3 Configuration Example
Network A Network B
g/0
g0/0
g0/1 g0/2 g03 H2
H1
R2 R3 R4
R1 g0/1 g0/2 g0/3 g/0
g0/0 …
Area 10 Area 0 Area 20
TECRST-2300
Lab 4: Routing with OSPFv3 (1)
Task: Configuring OSPFv3
 Enable the debugging mode for IPv6 routing and
IPv6 OSPFv3
#debug ipv6 routing
#debug ipv6 ospf event
 Configure an OSPFv3 process 1 on the routers with a router-ID

(config)#ipv6 router ospf 1
(config-rtr)#router-id 192.168.30.xx (where xx is your router #)
 Enable OSPFv3 on each interface on all four routers

For example on R1:
(config)#interface ethernet0/0
(config-if)#ipv6 ospf 1 area 10
(config-if)#interface g0/1
(config-if)#ipv6 ospf 1 area 10
TECRST-2300
OSPFv3 Configuration—Router R1 (2)
Router R1
ipv6 unicast-routing
interface g0/0
no ip address
ipv6 ospf 1 area 10
interface g0/1
no ip address
ipv6 ospf 1 area 10
ipv6 router ospf 1

router-id 192.168.30.1
TECRST-2300
OSPFv3 Configuration—Router R2 (3)
Router R2
interface g0/1
no ip address
ipv6 ospf 1 area 10
interface g0/2
no ip address
ipv6 ospf 1 area 0
ipv6 router ospf 1

router-id 192.168.30.2
TECRST-2300
Lab 4: Routing with OSPFv3 (4)
Task: Configuring OSPFv3
 Verify that the routing table is updated by entries coming from the other workgroup
routers, OSPFv3 Neighbor, OSPFv3 database
#show ipv6 route
#show ipv6 ospf neighbor
#show ipv6 ospf database
 Do you see the OSPFv3 routes in the routing table on R2 and R3? Why or why not?
 Remove the static routes on all 4 routers
#no ipv6 route <network> <next hop>
 Verify IPv6 connectivity using the ping command on Host. Use the remote host’s
global IPv6 address as the destination address of the ping command
#ping <Global IPv6 address of the remote host>
#undebug all
 On R4 define a loopback4 with address 2040::4/64 and do a redistribute connected

under ipv6 router ospf. Check the database of R1 and R2 with show ipv6 ospf
database external. Do you see the loopback address?
 On R1 and R2 under ipv6 router ospf configure “area 10 stub”. Do you see the
external routes now? Why not?
TECRST-2300
Lab 5: Routing
with BGP
TECRST-2300
Lab 5: Task Summary
 Enable debugging for BGP
#debug bgp ipv6 unicast
 Configure BGP AS number and router-id on all four routers using table 2
 Activate iBGP peering between R1 and R2 and R3 and R4 using the
interface global IPv6 address. Announce the global prefix and unique-local
prefix.
 Activate eBGP peering between R2 and R3 using their global
IPv6 addresses
 On R2 and R3, filter the unique-local prefix (fc00::/10) so that you do not
receive them from the peers
 Use show commands to view the BGP configuration
#show bgp ipv6 unicast summary
#show bgp ipv6 unicast neighbors <IP address> advertised-routes
#show bgp ipv6 unicast neighbors <IP address> routes
#show ipv6 route bgp
 Use show bgp ipv6 unicast to see the routes in the BGP table
 Answer review questions at the end of this section
TECRST-2300
BGP Configuration Example
iBGP iBGP
Network A Network B
g0/0
g0/0
g0/1 g0/2 g0/3 H2
H1
R2 R3 R4
R1 g0/1 g0/2 g0/3 g0/0
g0/0
AS 65012 EBGP AS 65034
TECRST-2300
Lab 5: Routing with BGP (1)
Task: Configuring BGP
 Refer to table 2 for the router address and autonomous system
(AS) number
 Enable the debugging of BGP
#debug bgp ipv6
 Define your router as a BGP router with your AS number
(config)#router bgp <AS number>
 Because IPv4 has not been configured yet and BGP protocol uses
the IPv4 address as an identifier, a specific command to identify
the router-id is needed. Use table 2 to find the router-id. Then
configure the router BGP router-id.
(config-router)#bgp router-id <your router-id>
 Deactivate the IPv4 default peering
(config-router)#no bgp default ipv4-unicast
TECRST-2300
Table 2: Assigned AS Number and Router ID
Router Number AS Number Router ID
R1 65012 192.168.60.1
R2 65012 192.168.60.2
R3 65034 192.168.60.3
R4 65034 192.168.60.4
TECRST-2300
 Activate iBGP peering between R1 and R2 and R3 and R4 using the
Ethernet 1/0 global IPv6 address. Announce your global prefix and
your unique-local prefix.
(config-router)#neighbor <peer’s global IPv6 address > remote-as <AS number>
(config-router)#neighbor <peer’s global IPv6 address > update-source
(config-router)#address-family ipv6
(config-router-af)#neighbor <peer’s global IPv6 address> activate
(config-router-af)#network global network prefix>/64 R1 and R4
(config-router-af)#network < unique local prefix>/64 only
(config-router-af)#exit
 Look at the BGP routing table to determine if you received BGP routes
from your neighbor
TECRST-2300
 Activate eBGP peering between R2 and R3 using their global
IPv6 addresses
(config-router)#neighbor <peer’s global IPv6 address> remote-as <AS number>
(config-router)#neighbor <peer’s global IPv6 address>
(config-router-af)#neighbor <peer’s global IPv6 address> activate
(config-router-af)#end
 Look at the BGP routing table to determine if you received BGP routes
from your neighbor
TECRST-2300
Task: Filtering BGP Routes
 On R2 and R3, filter the unique-local prefix (fc00::/10) so that you do not
receive them from the peers
(config)#ipv6 prefix-list lab5 deny fc00::/10 le 128
(config)#ipv6 prefix-list lab5 permit ::/0 le 64
(config)#router bgp <your AS number>
(config-router-af)#neighbor <peer’s global IPv6 address> prefix-list lab5 in
(config-router-af)#exit
 On R1 and R4, verify that you do not receive any unique-local routes via
BGP from the remote peer. Only the global IPv6 prefixes should
be received.
#clear bgp ipv6 unicast <peer AS number> in
#show bgp ipv6 unicast
TECRST-2300
Lab 6: Manual
Tunneling in IPv6
TECRST-2300
Lab 6: Task Summary
 Disable IPv6 routing protocols on all routers
 Remove the IPv6 addresses on g0/2 interface of R2 and R3
 Configure IPv4 address on g0/2 interface of R2 and R3, use
192.168.30.<router xx>/24
 Configure tunnel interfaces on R2 and R3 and configure them for
manual tunneling
 Enable RIPng on both tunnel endpoints and other relevant
interfaces on all four routers
 Enable EIGRPv6 over the tunnel
 Enable mutual redistribution between EIGRPv6 and RIPng on
R2 and R3
 Use show commands to view the IPv6 routing table and tunnel
interface statistics
 Use ping to verify IPv6 connectivity between H1 and H2
 Answer review questions at the end of section 7
TECRST-2300
Manual Tunnel Configuration Example
IPv6 IPv4 IPv6
Network A GRE Tunnel Network B
g/0 g0/2 g0/0

g0/1 g0/3
H1 H2
g0/1 R2 R3 g0/3 R4
R1 g0/2
g0/0 g0/0
TECRST-2300
Lab 6: Using Tunnels (Manual-1)
Task: Configuring the Tunnel
 First disable both OSPFv3 and BGP on all routers
 Remove the IPv6 address on g0/2 interface between R2
and R3
(config)#no ipv6 router ospf 1
(config)#no router bgp <your AS>
(config)#interface gxx
(config-if)#no ipv6 address
(config-if)#no ipv6 enable
 Configure IPv4 address on interface between R2 and R3

(config)#interface xxx
(config-if)#ip address 192.168.30.<router #> 255.255.255.0
TECRST-2300
 Configure a tunnel interface using tunnel0
(config)#interface tunnel 0
 Use an IPv6 unnumbered address from the g0/1 @R2, g0/3@R3
(config-if)#ipv6 unnumbered g0/1@R2 (g0/3@R3)
 Identify the source and destination address of the tunnel, followed
by the tunnel mode
(config-if)#tunnel source g0/2@R2 (g0/2@R3)
(config-if)#tunnel destination <peer’s IPv4 address>
(config-if)#tunnel mode gre ip
 Enable RIPng on all four routers
(config)#ipv6 router rip lab
(config-rtr)#redistribute connected
 Enable RIPng 
(config-if)#ipv6 rip lab enable
TECRST-2300
 Configure OSPFv3 on the routers R2 and R3 with a
Router-ID
(config-rtr)#router-id 192.168.30.xx (where xx is your router #)
 Enable OSPFv3 on tunnel interfaces on R2 and R3
(config)#interface tunnel 0
(config-if)#ipv6 ospf 1 are 0
 Enable mutual redistribution on R2 and R3 between
RIPng and OSPFv3
(config)#redistribute rip lab
(config)#ipv6 router rip lab
(config)#redistribute ospf 1
TECRST-2300
 Verify that RIPng updates are carried over the tunnel
#show ipv6 route
 Look at Tunnel 0 debugs and statistics
#debug tunnel
#show interface tunnel 0 accounting
 Verify connectivity between R1 & R4 using the
ping command
#ping <global IPv6 address of peer>
 Verify connectivity between H1 and H2 using the
ping command
#ping <global IPv6 address of peer Host>
TECRST-2300
Lab 7:Prefix Delegation
TASK : CONFIG R2 AS ISP ROUTER FOR

PREFIX DELEGATION.THIS IS CONCEPT
USED SP FOR ALLOCATE GLOBAL PREFIX
TO VARIOUS COUSTOMER.
TECRST-2300
CONFIG : ISP ROUTER(R2)
ipv6 local pool PREFIX 2002:10:10::/48 56……………PREFIX USED BY CUSTOMER
ipv6 dhcp pool PREFIX
prefix-delegation pool PREFIX……………………..ANNOUCE IT CREATING DHCP POOL
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address 2001:DB8:1122:12::2/64
ipv6 dhcp server PREFIX…………………….APPLY THE DHCP POOL.
no shut
R1 CONFIG: THIS IS ACT AS COUSTOMER:
ipv6 cef
ipv6 dhcp pool CLIENT
address prefix 2002:10:10:10::/64
no ip address
duplex auto
TECRST-2300
speed auto
media-type rj45
ipv6 address OK ::10:0:0:0:1/64……………………..IT GETTING /56 FROM ISP….10 IS SUBNET ID.
ipv6 dhcp server CLIENT
!
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address autoconfig default
ipv6 dhcp client pd OK…………………HERE OK IS LOCAL TAG USED BY THIS ROUTER LINK FACING INTERNAL(G0/0)
NO SHUT
H1 CONFIG:……….THIS IS ACT AS END POINT.
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address dhcp
ipv6 enable
VERIFY: HOW ISP SENDING PREFIXES:
ISP#SHOw IPV6 DHcp BInding
Client: FE80::5209:FF:FE03:1
DUID: 00030001500900030000
Username : unassigned
VRF : default
Interface : GigabitEthernet0/1
IA PD: IA ID 0x00030001, T1 302400, T2 483840
Prefix: 2002:10:10::/56
preferred lifetime 604800, valid lifetime 2592000
expires at Mar 13 2021 04:20 AM (2590579 seconds)
VERIFY HOW R1 IS GETTING THIS:
R1#show ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
TECRST-2300
RL - RPL, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
la - LISP alt, lr - LISP site-registrations, ld - LISP dyn-eid
lA - LISP away, a - Application
ND ::/0 [2/0]
via FE80::5209:FF:FE04:1, GigabitEthernet0/1
NDp 2001:DB8:1122:12::/64 [2/0]
via GigabitEthernet0/1, directly connected
L 2001:DB8:1122:12:5209:FF:FE03:1/128 [0/0]
via GigabitEthernet0/1, receive
S 2002:10:10::/56 [1/0]…………….prefix allocate by isp
via Null0, directly connected
C 2002:10:10:10::/64 [0/0]
via GigabitEthernet0/0, directly connected
L 2002:10:10:10::1/128 [0/0]………………..ip config on internal interfaces.
L FF00::/8 [0/0]
via Null0, receive
verify how client is getting ip: H1:
Client#show ipv6 rou
Client#show ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
RL - RPL, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
la - LISP alt, lr - LISP site-registrations, ld - LISP dyn-eid
lA - LISP away, a - Application
ND ::/0 [2/0]
via FE80::5209:FF:FE03:0, GigabitEthernet0/0
LC 2002:10:10:10:4D05:8E15:275A:4898/128 [0/0]…………..prefix from dhcp server.
L FF00::/8 [0/0]
via Null0, receive
H1#show ipv6 interface g0/0
GigabitEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::5209:FF:FE01:0
TECRST-2300
No Virtual link-local address(es):
Global unicast address(es):
2002:10:10:10:4D05:8E15:275A:4898, subnet is 2002:10:10:10:4D05:8E15:275A:4898/128
Joined group address(es):
FF02::1
FF02::1:FF01:0
FF02::1:FF5A:4898
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND NS retransmit interval is 1000 milliseconds
Default router is FE80::5209:FF:FE03:0 on GigabitEthernet0/0
PING FROM H1 TO ISP ROUTER.
H1#PING 2001:DB8:1122:12::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:1122:12::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/19 ms
TECRST-2300
Lab 8:IPV6 MULTICAST
TECRST-2300
IPV6 MULTICAST WITH EMMBEDED RP
IF RP ADDRESS IS : 2001:DB8:33:3::3/64
THEN ERP IS : FF7E:0340:2001:DB8:33:3:10:10
FF = MULTICAST START
7= FLAG FOR ERP
E= GLOBAL SCOPE
0= FIX
3 IS RP ADDRESS LAST NUMBER:
40 IS /64 HEX NOTATION
2001:DB8:33:3/64 NETWORK PREFIX
10:10 LAST 32 BIT IS GROUP ADDRESSS
TECRST-2300
R1 ,R2,R3,R4 IS CONFIG WITH IP ADDRESS GIVEN IN TABLE AND OSPF 1 AREA 0 IS ENABLE
ENABLE THE IPV6 MULTICAST -ROUTING IN ALL THE DEVICES IN THE TOPOLOGY
ipv6 multicast-routing……………….config in all router and host.in global mode.
R3 IS ACT AS RP:
interface Loopback0
no ip address
ipv6 address 2001:DB8:33:3::3/64
ipv6 ospf 1 area 0
ipv6 pim rp-address 2001:DB8:33:3::3…………………….command to config rp.
He re H1 is receiver and H2 IS SENDER
H1 IS CONFIG WITH IPV6 MLD JOIN ERP GROUP ADDRESS:
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
ipv6 mld join-group FF7E:340:2001:DB8:33:3:10:10
end
verification: on R3:
R3#show ipv6 pim range-list
Static SSM Exp: never Learnt from : ::
FF33::/32 Up: 00:31:18
FF34::/32 Up: 00:31:18
FF35::/32 Up: 00:31:18
FF36::/32 Up: 00:31:18
FF37::/32 Up: 00:31:18
FF38::/32 Up: 00:31:18
FF39::/32 Up: 00:31:18
FF3A::/32 Up: 00:31:18
FF3B::/32 Up: 00:31:18
FF3C::/32 Up: 00:31:18
FF3D::/32 Up: 00:31:18
FF3E::/32 Up: 00:31:18
FF3F::/32 Up: 00:31:18
Static SM RP: 2001:DB8:33:3::3 Exp: never Learnt from : ::
TECRST-2300
FF00::/8 Up: 00:28:53
verify on R4:
R4#show ipv6 pim range-list

Static SSM Exp: never Learnt from : ::
FF33::/32 Up: 00:33:16
FF34::/32 Up: 00:33:16
FF35::/32 Up: 00:33:16
FF36::/32 Up: 00:33:16
FF37::/32 Up: 00:33:16
FF38::/32 Up: 00:33:16
FF39::/32 Up: 00:33:16
FF3A::/32 Up: 00:33:16
FF3B::/32 Up: 00:33:16
FF3C::/32 Up: 00:33:16
FF3D::/32 Up: 00:33:16
FF3E::/32 Up: 00:33:16
FF3F::/32 Up: 00:33:16
Embedded SM RP: 2001:DB8:33:3::3 Exp: never Learnt from : ::
FF7E:340:2001:DB8:33:3::/96 Up: 00:00:09
PING FROM H2:
H2#ping ff7e:0340:2001:db8:33:3:10:10
Output Interface: GigabitEthernet0/0
Sending 5, 100-byte ICMP Echos to FF7E:340:2001:DB8:33:3:10:10, timeout is 2 seconds:
Packet sent with a source address of 2001:DB8:1234:4:5209:FF:FE02:0
Reply to request 0 received from 2001:DB8:1234:1:5209:FF:FE01:0, 88 ms

5 multicast replies and 0 errors.
TECRST-2300
Lab 9:IPV6 Zone Based FW
Introduction
The Cisco IOS Zone Based Firewall is one of the most advanced forms of stateful firewall used in the Cisco IOS devices. The zone based
firewall (ZFW) is the successor of Classic IOS firewall or CBAC (Context-Based Access Control). In Zone-Based Policy Firewall, multiple
security zones are defined. Each router interface is configured to be part of one of the zones. The traffic flow is unrestricted between
interfaces belonging to same zone, but traffic flow between two different zones is blocked unless an access policy is defined between
them. In traditional firewall, the policies are applied on the interface itself, whereas in zone-based firewall they are applied between the
zones. Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic.
Configuration Example:
The below topology brings a simple network containing two security zones. Host H1 (Client) and H2 (Admin) are connected to inside
interface Gigabit Ethernet 0/1 accessing web server connected to outside interface Gigabit Ethernet 0/0. We will have the goal of allowing
1) Only HTTP and HTTPS traffic for H1 (Client) from the inside to the outside
TECRST-2300
2) HTTP, HTTPS and ICMP for H2 (Admin) from the inside to the outside
All other traffic should drop from inside to outside.
Topology Diagram:
Configuration Steps:
Configuration of Zone based firewall on router consists of 5 steps shown as follows:
Step 1: Create zones:

TECRST-2300
ZFW(config)#zone security INSIDE
ZFW(config-sec-zone)#description inside_zone
ZFW(config-sec-zone)#exit
ZFW(config)#zone security OUTSIDE
ZFW(config-sec-zone)#description outside_zone
ZFW(config-sec-zone)#exit
Step 2: Configure interfaces in the zone you just have created:
ZFW(config)#interface gig0/1
ZFW(config-if)#zone-member security INSIDE
ZFW(config-if)#exit
ZFW(config-if)#interface gig0/0
ZFW(config-if)#zone-member security OUTSIDE
ZFW(config-if)#exit
By default, traffic between interfaces in different zones cannot talk to each other while these in the same zone can.
TECRST-2300
Step 3: Configure the class-maps:
Class maps provide traffic classification and that will reference the traffic to inspect. It is based on one or more match conditions. It can
match based on ACL, protocol or another class map. Conditions can use OR (default), AND, or NOT.
ipv6 access-list IN-TO-OUT-ACL(For allowing ICMPV6 access to H2)
permit icmp host 2001::2 any echo-request sequence 10
class-map type inspect match-any IN-TO-OUT-CLASS
match protocol https
match protocol https
match access-group name IN-TO-OUT-ACL
Step 4: Define the policy for this traffic with a policy map:
Policy maps associate actions with traffic classes. Policy maps determine the firewall policy applied to a class, that can be Pass, drop,
Inspect, Log, Reset. There is always an implicit class-default as the last class in each policy-map. The default action of class-default is
drop.
ZFW(config)#policy-map type inspect IN-TO-OUT-POLICY

TECRST-2300
ZFW(config-pmap)#class type inspect IN-TO-OUT-CLASS
ZFW(config-pmap-c)#inspect
ZFW(config-pmap-c)#exit
ZFW(config-pmap)#class class-default
ZFW(config-pmap-c)#drop
ZFW(config-pmap-c)#exit
You can also configure Parameter maps for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
ZFW(config)#parameter-map type inspect ipv6-header
ZFW(config-profile)#sessions maximum 10000
ZFW(config-profile)#ipv6 routing-header-enforcement loose
ZFW(config-profile)#exit
ZFW(config)#
Step 5: Apply policy-maps to zone pairs:

zone-pairs which essentially define directionality of traffic. Policy map is then applied to each configured zone pair.
TECRST-2300
ZFW(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
ZFW(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY
ZFW(config-sec-zone-pair)#exit
ZFW(config)#
Verification:
1) To display zones, descriptions, and interfaces zones are applied to use "show zone security" command.
2) To display zone pairs and service policy associated with each zone pair use "show zone-pair security" command.
TECRST-2300
3) Use "sh policy-map type inspect zone-pair sessions" to displays Cisco stateful packet inspection sessions created because a
policy map is applied on the specified zone pair.
The below output display, when session established by Host H2 (2001::2/128) to Server for HTTP and HTTPS.
4) The default action of class-default is drop and it is configured with log option. From the below output you can see, when Host
H1(2001::3) try to ping S1, firewall drops these packets and display log message on the terminal.
TECRST-2300
Lab 10:IPV6 PE&VPE
TECRST-2300
CONFIG IPV4 ADDRESS AND OSPF AREA 0
AND LDP IN MPLS CLOUD FROM R1 TO R4.
CONFIG BGP BEETWEEN R1 TO R5 AND R4
TO R6.
CONFIG INT LO0 WITH /32 ON R1 TO R4 SEE THE IP GIVEN IN TOPOLOGY
R1 BGP CONFIG :
router bgp 1234
bgp log-neighbor-changes
no bgp default ipv4-unicast
TECRST-2300
neighbor 2001:DB8:1234:1::5 remote-as 5
neighbor 192.168.60.4 remote-as 1234
neighbor 192.168.60.4 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family ipv6
neighbor 2001:DB8:1234:1::5 activate
neighbor 192.168.60.4 activate
neighbor 192.168.60.4 next-hop-self
neighbor 192.168.60.4 send-label
exit-address-family
R4 BGP CONFIG:
router bgp 1234
bgp router-id 192.168.60.4
!
address-family ipv4
exit-address-family
!
address-family ipv6
neighbor 192.168.60.1 send-label
exit-address-family
VERIFY BGP TABLE ON R5
R5#show bgp ipv6 unicast
BGP table version is 9, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
TECRST-2300
Network Next Hop Metric LocPrf Weight Path
*> 2001:DB8:1234:1::/64
:: 0 32768 ?
*> 2001:DB8:1234:4::/64
2001:DB8:1234:1::1
0 1234 6 ?
*> 2005::/64 :: 0 32768 ?
*> 2006::/64 2001:DB8:1234:1::1
0 1234 6 ?
VERIFY BGP TABLE ON R6
R6#show bgp ipv6 unicast
BGP table version is 9, local router ID is 6.6.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path

*> 2001:DB8:1234:1::/64
2001:DB8:1234:4::4
0 1234 5 ?
*> 2001:DB8:1234:4::/64
:: 0 32768 ?
*> 2005::/64 2001:DB8:1234:4::4
0 1234 5 ?
*> 2006::/64 :: 0 32768 ?
R6#
ping from R5 to R6:
R5#ping 2006::6
Sending 5, 100-byte ICMP Echos to 2006::6, timeout is 2 seconds:
!!!!!
TRACE FROM R5 TO R6
R5#TRaceroute 2006::6
Tracing the route to 2006::6
1 2001:DB8:1234:1::1 17 msec 8 msec 4 msec

TECRST-2300
2 ::FFFF:192.168.12.2 [MPLS: Labels 200/406 Exp 0] 28 msec 23 msec 17 msec
4 2001:DB8:1234:4::4 [AS 6] [MPLS: Label 406 Exp 0] 23 msec 16 msec 17 msec
5 2001:DB8:1234:4::6 [AS 6] 33 msec 46 msec 19 msec
NOW FOR IPV6 VPE DIFFRENCE IS THAT PE TO CE LINK IS VRF AWARE. ONLY CHANGE IS REQ IN R1 AND R4.
R1 CONFIG :
vrf definition CUS1
rd 1234:14
route-target export 1234:14
route-target import 1234:14
!
address-family ipv6
exit-address-family
!
vrf forwarding CUS1
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address 2001:DB8:1234:1::1/64
router bgp 1234
!
address-family ipv4
exit-address-family
!
address-family vpnv6
neighbor 192.168.60.4 send-community extended
exit-address-family
!
address-family ipv6 vrf CUS1
exit-address-family
TECRST-2300
R4 CONFIG:
router bgp 1234
!
address-family ipv4
exit-address-family
!
exit-address-family
!
exit-address-family
vrf forwarding CUS1
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address 2001:DB8:1234:4::4/64
router bgp 1234
bgp router-id 192.168.60.4
!
address-family ipv4
exit-address-family
!
TECRST-2300
exit-address-family
!
exit-address-family
ping from R6 TO R5
R6#PING 2005::5
Sending 5, 100-byte ICMP Echos to 2005::5, timeout is 2 seconds:
!!!!!
TRACE FROM R6 TO R5
R6#traceroute 2005::5
Tracing the route to 2005::5
1 2001:DB8:1234:4::4 27 msec 14 msec 10 msec

4 2001:DB8:1234:1::1 [AS 5] [MPLS: Label 106 Exp 0] 22 msec 23 msec 22 msec
5 2001:DB8:1234:1::5 [AS 5] 18 msec 29 msec 25 msec
TECRST-2300
TECRST-2300
14448_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Ipv6 Lab Guide

Uploaded by

Copyright:

Available Formats

Ipv6 Lab Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ipv6 Lab Guide

Uploaded by

Copyright:

Available Formats

IPv6 Lab Guide:

Lab 1: Ipv6 address

Configure the Following on Your Router and Host:

 Enable IPv6 on all four routers (R1 to R4)

Table 1: IPv6 Prefixes

 On the router, ping the local Ethernet interface of host

 On the router, verify the list of IPv6 neighbors

 Enable Router Advertisements (RA) for global and

 Configure IPv6 default static routes on R1 and R4

Task: Verifying IPv6 Connectivity Using Static Routes

 Verify IPv6 connectivity using the ping command using

 Can you ping from R1 to R4 and vice versa? If not,

Area 10 Area 0 Area 20

 Configure an OSPFv3 process 1 on the routers with a router-ID

 Enable OSPFv3 on each interface on all four routers

ipv6 router ospf 1

ipv6 router ospf 1

 On R4 define a loopback4 with address 2040::4/64 and do a redistribute connected

AS 65012 EBGP AS 65034

Table 2: Assigned AS Number and Router ID

Router Number AS Number Router ID

IPv6 IPv4 IPv6

Network A GRE Tunnel Network B

g/0 g0/2 g0/0

 Configure IPv4 address on interface between R2 and R3

TASK : CONFIG R2 AS ISP ROUTER FOR

H1 IS CONFIG WITH IPV6 MLD JOIN ERP GROUP ADDRESS:

R4#show ipv6 pim range-list

Reply to request 0 received from 2001:DB8:1234:1:5209:FF:FE01:0, 88 ms

Step 1: Create zones:

ZFW(config)#zone security OUTSIDE

Step 2: Configure interfaces in the zone you just have created:

ZFW(config-if)#zone-member security INSIDE

ZFW(config-if)#zone-member security OUTSIDE

ipv6 access-list IN-TO-OUT-ACL(For allowing ICMPV6 access to H2)

permit icmp host 2001::2 any echo-request sequence 10

class-map type inspect match-any IN-TO-OUT-CLASS

match protocol https

match protocol https

match access-group name IN-TO-OUT-ACL

ZFW(config)#policy-map type inspect IN-TO-OUT-POLICY

ZFW(config)#parameter-map type inspect ipv6-header

ZFW(config-profile)#sessions maximum 10000

ZFW(config-profile)#ipv6 routing-header-enforcement loose

Step 5: Apply policy-maps to zone pairs:

ZFW(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY

Network Next Hop Metric LocPrf Weight Path

1 2001:DB8:1234:1::1 17 msec 8 msec 4 msec

1 2001:DB8:1234:4::4 27 msec 14 msec 10 msec

You might also like