shadedmagus (Member, join:2014-09-05, Tempe, AZ):
[Config] Questions IPv6 config with PD, DHCP and ZBFW

Hello all! This is my first post on these forums, and there is an awesome collection of technical knowledge here. I hope some of it can answer my questions.

I'm trying to draft my IPv6 config in anticipation of when Cox will finally roll it out, and address management has been giving me the biggest headache - ironic, I know, considering it's supposed to be brainless in IPv6.

I'm using a Cisco 891 on a Cox business account with a static IP. My first IPv6-capable config draft was assuming that I would be getting a static /56 or /60 prefix from them, and I was just going to insert the prefix into my DHCP pools and be good. That was before reading »www.kloepfer.org/ipv6-ho ··· net.html and realizing that Cox might do the same thing that TWC did, and use prefix delegation instead of a static prefix. Now I'm all turned around on how to get the config straight.

My current design is this:
*891 router, 2960G 8-port switch, and 1252 WAP in autonomous mode
*Two networks (internal and DMZ, for testing and guest wifi) connected by router-on-a-stick
*ZBFW with INSIDE, DMZ, OUTSIDE and self zones
*DHCP giving out addresses for internal and guest wifi

Here is my current draft config:
!
version 15.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname <redacted>
!
boot-start-marker
boot system flash c890-universalk9-mz.153-3.M3.bin
boot-end-marker
!
!
logging buffered 32768 informational
logging console critical
!
aaa new-model
!
!
aaa group server radius <network>
!
aaa authentication login default group radius local
aaa authentication login VPN-USERS group radius local
aaa authorization exec default group radius local
aaa authorization network VPN-USERS local
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
!
!
!
!
!
!
aaa session-id common
!
clock timezone MST -7 0
crypto pki token default removal timeout 0
!
!
no dot11 syslog
no ipv6 source-route
!
! ULA DHCPv6 STATEFUL POOLS
!
ipv6 dhcp pool DHCP6_TEK-NATIVE
 address prefix FDAB::7718:2164:FADE:7700/120
 domain-name tekmagery.net
 dns-server FDAB::7718:2164:FADE:7701
!
ipv6 dhcp pool DHCP6_TEK-DMZ
 address prefix FDAB::7718:2164:FADE:6900/120
 domain-name tekmagery.net
 dns-server FDAB::7718:2164:FADE:6901
!
!
!
ip cef
ip domain-name tekmagery.net
ip name-server 2001:4860:4860::8888
ip name-server 2001:4860:4860::8844
!
ipv6 cef
login block-for 120 attempts 5 within 60
login on-failure log
!
multilink bundle-name authenticated
!
parameter-map type inspect default
 max-incomplete low 1750
 max-incomplete high 2000
 one-minute low 1750
 one-minute high 2000
 udp idle-time 15
 tcp idle-time 1800
 tcp finwait-time 1
 tcp synwait-time 15
 tcp max-incomplete host 500 block-time 0
!
license udi pid CISCO1811/K9 sn <redacted>
archive
 log config
  logging enable
  logging size 255
  hidekeys
username <redacted> privilege 15 secret 4 <redacted>
!
!
ip ssh version 2
!
!
class-map type inspect match-any CMAP_ALLOWED-DMZ
 match access-group name ACL6_ALLOWED-DMZ
class-map type inspect match-any CMAP_ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any CMAP_ALLOWED-TRAFFIC
 match access-group name ACL6_ALLOWED-TRAFFIC
class-map type inspect match-any CMAP_BLOCK-DMZ
 match access-group name ACL6_BLOCK-DMZ
class-map type inspect match-any CMAP_BLOCK-BOGONS
 match access-group name ACL6_BLOCK-BOGONS
class-map type inspect match-any CMAP_BLOCK-JUNK
 match access-group name ACL6_BLOCK-JUNK
class-map type inspect match-any CMAP_BLOCK-ULA
 match access-group name ACL6_BLOCK-ULA
class-map type inspect match-any CMAP_DHCP
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any CMAP_DMZ-BLOCKED-PROTOCOLS
 match access-group name ACL6_DMZ-BLOCKED-PROTOCOLS
class-map type inspect match-all CMAP_VPN
 match access-group name ACL6_VPN
class-map type inspect match-any CMAP_WORK-IP
 match access-group name ACL6_WORK-IP
!
!
policy-map type inspect PMAP_SELF-to-OUTSIDE
 class type inspect CMAP_ALLOWED-PROTOCOLS
  inspect 
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_SELF-to-DMZ
 class type inspect CMAP_DHCP
  pass
 class type inspect CMAP_DMZ-BLOCKED-PROTOCOLS
  drop
 class type inspect CMAP_ALLOWED-PROTOCOLS
  inspect
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class class-default
  drop
policy-map type inspect PMAP_OUTSIDE-to-SELF
 class type inspect CMAP_WORK-IP
  inspect 
 class type inspect CMAP_VPN
  inspect 
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_OUTSIDE-to-INSIDE
 class type inspect CMAP_ALLOWED-TRAFFIC
  pass
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_OUTSIDE-to-DMZ
 class type inspect CMAP_ALLOWED-DMZ
  pass
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_INSIDE-to-OUTSIDE
 class type inspect CMAP_ALLOWED-TRAFFIC
  pass
 class type inspect CMAP_ALLOWED-PROTOCOLS
  inspect 
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_INSIDE-to-DMZ
 class type inspect CMAP_ALLOWED-PROTOCOLS
  inspect 
 class class-default
  drop
policy-map type inspect PMAP_DMZ-to-SELF
 class type inspect CMAP_ALLOWED-PROTOCOLS
  drop
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class class-default
  drop
policy-map type inspect PMAP_DMZ-to-OUTSIDE
 class type inspect CMAP_ALLOWED-DMZ
  pass
 class type inspect CMAP_ALLOWED-PROTOCOLS
  inspect 
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class type inspect CMAP_BLOCK-ULA
  drop
 class class-default
  drop
policy-map type inspect PMAP_DMZ-to-INSIDE
 class type inspect CMAP_BLOCK-DMZ
  drop
 class type inspect CMAP_BLOCK-BOGONS
  drop
 class type inspect CMAP_BLOCK-JUNK
  drop
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone-pair security SELF-to-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PMAP_SELF-to-OUTSIDE
zone-pair security SELF-to-DMZ source self destination DMZ
 service-policy type inspect PMAP_SELF-to-DMZ
zone-pair security OUTSIDE-to-SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE-to-SELF
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE-to-INSIDE
zone-pair security OUTSIDE-to-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PMAP_OUTSIDE-to-DMZ
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE-to-OUTSIDE
zone-pair security INSIDE-to-DMZ source INSIDE destination DMZ
 service-policy type inspect PMAP_INSIDE-to-DMZ
zone-pair security DMZ-to-SELF source DMZ destination self
 service-policy type inspect PMAP_DMZ-to-SELF
zone-pair security DMZ-to-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PMAP_DMZ-to-OUTSIDE
zone-pair security DMZ-to-INSIDE source DMZ destination INSIDE
 service-policy type inspect PMAP_DMZ-to-INSIDE
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <redacted> address ipv6 ::/0 ::/0
!
crypto isakmp client configuration group GROUP_VPN-SPLIT
 key <redacted>
 dns 2001:4860:4860::8888 2001:4860:4860::8844
 domain tekmagery.net
 pool IP6-POOL_VPN
 acl ACL6_VPN-SPLIT-TUNNEL
 max-users 4
 netmask ipv6 /124
crypto isakmp profile IKE-PROFILE_SPLIT
   match identity group GROUP_VPN-SPLIT
   client authentication list VPN-USERS
   isakmp authorization list VPN-USERS
   client configuration address initiate
   client configuration address respond
   keepalive 60 retry 30
   virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set TSET_VPN esp-aes 256 esp-sha-hmac 
!
crypto ipsec profile IPSEC-PROFILE_SPLIT
 set transform-set TSET_VPN 
 set isakmp-profile IKE-PROFILE_SPLIT
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 description TRUNK_2960SW
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet8.1
 description VLAN_1-NATIVE
 encapsulation dot1Q 1 native
 ipv6 enable
 ipv6 address FDAB::7718:2164:FADE:7701/120
 ipv6 address COX-PREFIX ::77:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security INSIDE
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_TEK-NATIVE
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
!
interface FastEthernet8.69
 description VLAN_69-DMZ
 encapsulation dot1Q 69
 ipv6 enable
 ipv6 address FDAB::7718:2164:FADE:6901/120
 ipv6 address COX-PREFIX ::69:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security DMZ
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_TEK-DMZ
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
!
interface GigabitEthernet0
 description WAN-LINK_COX-BUSINESS
 ipv6 enable
 ipv6 address <supplied IP/dhcp>
 no ipv6 unreachables
 no ipv6 redirects
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd hint ::/56
 ipv6 dhcp client pd COX-PREFIX
 zone-member security OUTSIDE
 speed auto
 duplex auto
 no cdp enable
!
interface Virtual-Template1 type tunnel
 description VPN-to-INSIDE
 ipv6 unnumbered FastEthernet8.1
 ipv6 flow ingress
 ipv6 flow egress
 zone-member security INSIDE
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile IPSEC-PROFILE_SPLIT
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ipv6 unicast-routing
!
ipv6 local pool IP6-POOL_VPN FDAB::7718:2164:FADE:AAA0/124 4
ipv6 route ::/0 <COX next hop> global
!
no ip http server
no ip http secure-server
!
!
ip dns server
!
ipv6 access-list ACL6_ACCESS-NTP
 permit ip host <NTP1 IP> any
 permit ip host <NTP2 IP> any
 permit ip host <NTP3 IP> any
ipv6 access-list ACL6_ACCESS-VTY
 permit ip FDAB::7718:2164:FADE:7700/120 any
 permit ip FDAB::7718:2164:FADE:AAA0/124 any
ipv6 access-list ACL6_ALLOWED-DMZ
 permit tcp any host FDAB::7718:2164:FADE:6904 eq 3389
 permit tcp host FDAB::7718:2164:FADE:6904 eq 3389 any
 permit tcp any host FDAB::7718:2164:FADE:6904 eq 25565
 permit tcp host FDAB::7718:2164:FADE:6904 eq 25565 any
 permit tcp any host FDAB::7718:2164:FADE:6904 eq 25566
 permit tcp host FDAB::7718:2164:FADE:6904 eq 25566 any
ipv6 access-list ACL6_ALLOWED-TRAFFIC
 permit tcp any host FDAB::7718:2164:FADE:770F eq 21333
 permit tcp host FDAB::7718:2164:FADE:770F eq 21333 any
ipv6 access-list ACL6_BLOCK-BOGONS
 deny   ip ::/96 any
 deny   ip ::/128 any
 deny   ip ::FFFF:0.0.0.0/96 any
 deny   ip ::224.0.0.0/100 any
 deny   ip ::127.0.0.0/104 any
 deny   ip ::0.0.0.0/104 any
 deny   ip ::225.0.0.0/104 any
 deny   ip 0000::/8 any
 deny   ip 0200::/7 any
 deny   ip 2001:DB8::/32 any
 deny   ip 2002:0000::/24 any
 deny   ip 2002:0A00::/24 any
 deny   ip 2002:7F00::/24 any
 deny   ip 2002:AC10::/28 any
 deny   ip 2002:C0A8::/32 any
 deny   ip 2002:E000::/20 any
 deny   ip 2002:FF00::/24 any
 deny   ip 3FFE::/16 any
 deny   ip FC00::/7 any
 deny   ip FE80::/10 any
 deny   ip FEC0::/10 any
 deny   ip FF00::/8 any
ipv6 access-list ACL6_BLOCK-DMZ
 deny   ip FDAB::7718:2164:FADE:6900/120 FDAB::7718:2164:FADE:7700/120
ipv6 access-list ACL6_BLOCK-JUNK
 deny   icmp any any echo
 deny   icmp any any echo-reply
 deny   icmp any any time-exceeded
 deny   icmp any any parameter-problem
 deny   icmp any any packet-too-big
 deny   icmp any any source-quench
 deny   udp any any range netbios-ns netbios-dgm
 deny   tcp any any eq telnet
 deny   tcp any any eq 139
 deny   tcp any any eq 445
 deny   tcp any any range 1433 1434
 deny   udp any any range 1433 1434
ipv6 access-list ACL6_BLOCK-ULA
 deny   ip FD00::/8 any
ipv6 access-list ACL6_DMZ-BLOCKED-PROTOCOLS
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 deny   tcp any any eq 123
 deny   tcp any any eq ftp
 deny   udp any any eq non500-isakmp
 deny   udp any any eq isakmp
 deny   esp any any
 deny   ahp any any
 deny   udp any any eq tftp
ipv6 access-list ACL6_INTERNAL-IP
 permit ip FDAB::7718:2164:FADE:6900/120 any
 permit ip FDAB::7718:2164:FADE:7700/120 any
ipv6 access-list ACL6_VPN
 permit udp any any eq non500-isakmp 
 permit udp any any eq isakmp 
 permit esp any any
 permit ahp any any
ipv6 access-list ACL6_VPN-SPLIT-TUNNEL
 deny   ip FDAB::7718:2164:FADE:6900/120 FDAB::7718:2164:FADE:AAA0/124
 deny   ip FDAB::7718:2164:FADE:7700/120 FDAB::7718:2164:FADE:AAA0/124
!
!
!
!
!
!
!
radius server <network>
 address ipv6 FDAB::7718:2164:FADE:7704 auth-port 1812 acct-port 1813
 key 7 <redacted>
!
!
!
control-plane
!
!
banner login ^C
 
#####################################################
#                                                   #
# UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. #
#                                                   #
#####################################################
 
^C
configuration mode exclusive
!
line con 0
 exec-timeout 0 0
 password 
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 transport input ssh
 ipv6 access-class ACL6_ACCESS-VTY in
!
ntp source FastEthernet8.1
ntp access-group peer ACL6_ACCESS-NTP
ntp access-group serve ACL6_INTERNAL-IP
ntp server ipv6 <NTP1 IP/DNS>
ntp server ipv6 <NTP2 IP/DNS>
ntp server ipv6 <NTP3 IP/DNS>
!
end
 

Assumptions:
*Cox will be handling prefix delegation the way Comcast does
*Global address autoconfig will handle address requests from the two VLANs

Now, to my questions.

1) I can see that using PD hint and prefix-name (I chose COX-PREFIX), I can assign global addresses to my dot1Q sub-interfaces. But can hosts pull addresses with these prefixes with just this config, or is more needed?

2) I want to be able to serve ULA addresses to my hosts via stateful DHCPv6 and just give them autoconfigured global addresses. If the autoconfig global assignment won't work with config from question 1, would it be possible to have more than one DHCP server on an interface? If yes, can you have one stateful server and one stateless server on an interface?

3) Is it advisable to put my internal domain name on DHCP servers giving out global addresses? If so, are there any security considerations?

4) If I do end up getting my global address range via PD, is there any way I could write my ACLs so that they take into account a prefix change?

Thanks in advance for any answers!
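The following is an added worked example, not part of the original post or of Cisco IOS. It models what the draft's `ipv6 address COX-PREFIX ::77:0:0:0:1/64` lines will resolve to once a delegated prefix arrives (question 1), checks whether the chosen sub-interface suffixes still fit if the ISP delegates a shorter prefix than the `::/56` hint, and shows an offline workaround for question 4: ACL lines written with a prefix name are expanded by script and pasted in after a prefix change, since IOS ACLs themselves cannot reference a general prefix. Assumptions: the delegated prefixes `2001:db8:abcd:1200::/56` and `2001:db8:abcd:1230::/60` are constructed documentation values standing in for whatever Cox hands out, the general-prefix composition (high bits from the delegation, low bits from the interface suffix) is a model of the documented IOS behaviour rather than its code, and the `COX-PREFIX::suffix/len` ACL syntax is hypothetical.

```python
import ipaddress
import re

# Constructed documentation prefixes standing in for the Cox delegation (assumption).
DELEGATED_56 = "2001:db8:abcd:1200::/56"   # what the ::/56 hint asks for
DELEGATED_60 = "2001:db8:abcd:1230::/60"   # what the ISP might hand out instead

# Sub-interface suffixes taken from the draft config above.
VLAN_SUFFIXES = {
    "FastEthernet8.1":  "::77:0:0:0:1/64",
    "FastEthernet8.69": "::69:0:0:0:1/64",
}

_ALL_ONES = (1 << 128) - 1


def compose_from_general_prefix(general_prefix: str, subprefix: str) -> ipaddress.IPv6Interface:
    """Model of IOS 'ipv6 address <general-prefix-name> <subprefix/len>' (assumption):
    the high bits come from the delegated prefix, the remaining bits from the
    suffix written on the interface."""
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    sub = ipaddress.IPv6Interface(subprefix)
    if sub.network.prefixlen < gp.prefixlen:
        raise ValueError("interface prefix length must not be shorter than the delegated prefix")
    gp_mask = int(gp.netmask)
    addr = (int(gp.network_address) & gp_mask) | (int(sub.ip) & (~gp_mask & _ALL_ONES))
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/{sub.network.prefixlen}")


def plan_subnets(general_prefix: str, suffixes: dict) -> dict:
    """Interface name -> composed address for one delegated prefix."""
    return {name: str(compose_from_general_prefix(general_prefix, s))
            for name, s in suffixes.items()}


def truncated_suffixes(general_prefix: str, suffixes: dict) -> list:
    """Interfaces whose subnet bits overlap the delegated prefix.

    A hint of ::/56 does not guarantee a /56; with a /60 only four subnet bits
    are free, so a subnet byte such as 0x77 cannot be represented and the
    sub-interface silently lands in a different /64 than the config suggests."""
    gp_mask = int(ipaddress.IPv6Network(general_prefix, strict=False).netmask)
    bad = []
    for name, s in suffixes.items():
        subnet_bits = int(ipaddress.IPv6Interface(s).network.network_address)
        if subnet_bits & gp_mask:
            bad.append(name)
    return bad


# Hypothetical ACL syntax <prefix-name><suffix>/<len>; IOS does not accept it,
# so the expansion is done here and the output pasted in after a prefix change.
_PREFIXED = re.compile(r"\b([A-Za-z][\w-]*)(::[0-9A-Fa-f:]*)/(\d{1,3})\b")


def expand_prefix_names(line: str, general_prefixes: dict) -> str:
    """Replace every COX-PREFIX::suffix/len token with the composed address.
    Literal addresses (e.g. the FDAB:: ULA entries) are left untouched."""
    def repl(m):
        name, suffix, plen = m.group(1), m.group(2), int(m.group(3))
        if name not in general_prefixes:
            return m.group(0)
        composed = compose_from_general_prefix(general_prefixes[name], f"{suffix}/{plen}")
        # 'host' entries take a bare address, everything else keeps its length
        return str(composed.ip) if plen == 128 else str(composed)
    return _PREFIXED.sub(repl, line)


def render_acl(template_lines, general_prefixes: dict) -> list:
    return [expand_prefix_names(line, general_prefixes) for line in template_lines]


if __name__ == "__main__":
    for gp in (DELEGATED_56, DELEGATED_60):
        print(gp, plan_subnets(gp, VLAN_SUFFIXES),
              "truncated:", truncated_suffixes(gp, VLAN_SUFFIXES))
    template = [
        " permit tcp any host COX-PREFIX::77:0:0:0:F/128 eq 21333",
        " permit ip FDAB::7718:2164:FADE:7700/120 any",
    ]
    for line in render_acl(template, {"COX-PREFIX": DELEGATED_56}):
        print(line)
```

Running it with the /56 shows the two VLANs landing in `...:1277::/64` and `...:1269::/64`; with a /60 both interfaces are reported as truncated, which is the check to run before trusting the `::/56` hint.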

NetDog (Premium Member, join:2002-03-04, Hollywood, FL):

I wouldn't use ULA and Global on the same interface; you get odd results depending on the OS you're using.

Here is my config at Comcast:

interface GigabitEthernet0/0
ipv6 address prefix-from-Comcast ::1/64
ipv6 nd other-config-flag

interface GigabitEthernet0/1
ipv6 address prefix-from-Comcast ::1:0:0:0:1/64
ipv6 nd other-config-flag

interface GigabitEthernet0/2
ipv6 address prefix-from-Comcast ::2:0:0:0:1/64
ipv6 nd other-config-flag

interface GigabitEthernet1/0
description Comcast Public
ipv6 address dhcp
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/60
ipv6 dhcp client pd prefix-from-Comcast
NetDog (Premium Member) to shadedmagus:
said by shadedmagus:

4) If I do end up getting my global address range via PD, is there any way I could write my ACLs so that they take into account a prefix change?

My prefix at Comcast has only changed once in 2 1/2 years, so the ACL I have worked great until then. And that was about 6 months ago; I would like Cisco to add something to correct that. But now that I think about it some more, they should allow the ACL to accept something like

sequence 55 permit ipv6 host prefix-from-Comcast::2:0:0:0:80/128 any

I will put in a Cisco TAC Case on it..
shadedmagus (Member) to NetDog:

said by NetDog:

I wouldn't use ULA and Global on the same interface; you get odd results depending on the OS you're using.

From what I understand, RFC 6724 works in Cisco IOS 15, and one thing I want for my network is to have no breaks in internal accessibility if and when the prefix changes. I won't be putting a ULA on the WAN interface, but I'm going to be testing it on every other device to make sure it works. If a device acts weird with a ULA and a global, I'll deal with that as it happens.
said by NetDog:

But now that I think about it some more they should allow the ACL to accept something like

sequence 55 permit ipv6 host prefix-from-Comcast::2:0:0:0:80/128 any

I agree completely. If they're going to allow prefix names, they should have support for those prefix names in the ACLs. Let me know how that TAC case goes!
shadedmagus (Member):

Can anyone speak to whether it's possible to do stateful DHCP and autoconfig on the same interface?

My plan, if it's possible, is to have a DHCP stateful server for the ULA space, and use autoconfig for the global space, for both of the networks I have currently. I'd rather keep as much of my current architecture as possible.

NetDog (Premium Member, join:2002-03-04, Hollywood, FL):

said by shadedmagus:

Can anyone speak to whether it's possible to do stateful DHCP and autoconfig on the same interface?

This would not be a limitation of v6 but of the OS you're using. In short, sure. I have done global v6 DHCP, static and SLAAC on the same interface, but I had to hack the OS a little and it was just playing around.