Hello all! This is my first post on these forums, and there is an awesome collection of technical knowledge here. I hope some of it can answer my questions.
I'm trying to draft my IPv6 config in anticipation of when Cox will finally roll it out, and address management has been giving me the biggest headache - ironic, I know, considering it's supposed to be brainless in IPv6.
I'm using a Cisco 891 on a Cox business account with a static IP. My first IPv6-capable config draft was assuming that I would be getting a static /56 or /60 prefix from them, and I was just going to insert the prefix into my DHCP pools and be good. That was before reading www.kloepfer.org/ipv6-ho ··· net.html and realizing that Cox might do the same thing that TWC did, and use prefix delegation instead of a static prefix. Now I'm all turned around on how to get the config straight.
My current design is this:
* 891 router, 2960G 8-port switch, and 1252 WAP in autonomous mode
* Two networks (internal and DMZ, for testing and guest wifi) connected by router-on-a-stick
* ZBFW with INSIDE, DMZ, OUTSIDE and self zones
* DHCP giving out addresses for internal and guest wifi
Here is my current draft config:
!
version 15.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname <redacted>
!
boot-start-marker
boot system flash c890-universalk9-mz.153-3.M3.bin
boot-end-marker
!
!
logging buffered 32768 informational
logging console critical
!
aaa new-model
!
!
aaa group server radius <network>
!
aaa authentication login default group radius local
aaa authentication login VPN-USERS group radius local
aaa authorization exec default group radius local
aaa authorization network VPN-USERS local
aaa accounting network VPN-USERS
action-type start-stop
group radius
!
!
!
!
!
!
aaa session-id common
!
clock timezone MST -7 0
crypto pki token default removal timeout 0
!
!
no dot11 syslog
no ipv6 source-route
!
! ULA DHCPv6 STATEFUL POOLS
!
ipv6 dhcp pool DHCP6_TEK-NATIVE
address prefix FDAB::7718:2164:FADE:7700/120
domain-name tekmagery.net
dns-server FDAB::7718:2164:FADE:7701
!
ipv6 dhcp pool DHCP6_TEK-DMZ
address prefix FDAB::7718:2164:FADE:6900/120
domain-name tekmagery.net
dns-server FDAB::7718:2164:FADE:6901
!
!
!
ip cef
ip domain-name tekmagery.net
ip name-server 2001:4860:4860::8888
ip name-server 2001:4860:4860::8844
!
ipv6 cef
login block-for 120 attempts 5 within 60
login on-failure log
!
multilink bundle-name authenticated
!
parameter-map type inspect default
max-incomplete low 1750
max-incomplete high 2000
one-minute low 1750
one-minute high 2000
udp idle-time 15
tcp idle-time 1800
tcp finwait-time 1
tcp synwait-time 15
tcp max-incomplete host 500 block-time 0
!
license udi pid CISCO1811/K9 sn <redacted>
archive
log config
logging enable
logging size 255
hidekeys
username <redacted> privilege 15 secret 4 <redacted>
!
!
ip ssh version 2
!
!
class-map type inspect match-any CMAP_ALLOWED-DMZ
match access-group name ACL6_ALLOWED-DMZ
class-map type inspect match-any CMAP_ALLOWED-PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any CMAP_ALLOWED-TRAFFIC
match access-group name ACL6_ALLOWED-TRAFFIC
class-map type inspect match-any CMAP_BLOCK-DMZ
match access-group name ACL6_BLOCK-DMZ
class-map type inspect match-any CMAP_BLOCK-BOGONS
match access-group name ACL6_BLOCK-BOGONS
class-map type inspect match-any CMAP_BLOCK-JUNK
match access-group name ACL6_BLOCK-JUNK
class-map type inspect match-any CMAP_BLOCK-ULA
match access-group name ACL6_BLOCK-ULA
class-map type inspect match-any CMAP_DHCP
match protocol bootpc
match protocol bootps
class-map type inspect match-any CMAP_DMZ-BLOCKED-PROTOCOLS
match access-group name ACL6_DMZ-BLOCKED-PROTOCOLS
class-map type inspect match-all CMAP_VPN
match access-group name ACL6_VPN
class-map type inspect match-any CMAP_WORK-IP
match access-group name ACL6_WORK-IP
!
!
! ZBFW evaluates the classes of a policy-map in order and the first match
! wins, so every BLOCK-* drop class has to come before an inspect/pass
! class. In the earlier draft CMAP_ALLOWED-PROTOCOLS (tcp/udp/icmp) came
! first and would have swallowed bogon, junk and ULA traffic before the
! drop classes were ever consulted.
policy-map type inspect PMAP_SELF-to-OUTSIDE
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_ALLOWED-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect PMAP_SELF-to-DMZ
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_DMZ-BLOCKED-PROTOCOLS
drop
class type inspect CMAP_DHCP
pass
class type inspect CMAP_ALLOWED-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect PMAP_OUTSIDE-to-SELF
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_WORK-IP
inspect
class type inspect CMAP_VPN
inspect
class class-default
drop
policy-map type inspect PMAP_OUTSIDE-to-INSIDE
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_ALLOWED-TRAFFIC
pass
class class-default
drop
policy-map type inspect PMAP_OUTSIDE-to-DMZ
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_ALLOWED-DMZ
pass
class class-default
drop
policy-map type inspect PMAP_INSIDE-to-OUTSIDE
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_ALLOWED-TRAFFIC
pass
class type inspect CMAP_ALLOWED-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect PMAP_INSIDE-to-DMZ
class type inspect CMAP_ALLOWED-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect PMAP_DMZ-to-SELF
class type inspect CMAP_ALLOWED-PROTOCOLS
drop
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class class-default
drop
policy-map type inspect PMAP_DMZ-to-OUTSIDE
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class type inspect CMAP_BLOCK-ULA
drop
class type inspect CMAP_ALLOWED-DMZ
pass
class type inspect CMAP_ALLOWED-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect PMAP_DMZ-to-INSIDE
class type inspect CMAP_BLOCK-DMZ
drop
class type inspect CMAP_BLOCK-BOGONS
drop
class type inspect CMAP_BLOCK-JUNK
drop
class class-default
drop
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone-pair security SELF-to-OUTSIDE source self destination OUTSIDE
service-policy type inspect PMAP_SELF-to-OUTSIDE
zone-pair security SELF-to-DMZ source self destination DMZ
service-policy type inspect PMAP_SELF-to-DMZ
zone-pair security OUTSIDE-to-SELF source OUTSIDE destination self
service-policy type inspect PMAP_OUTSIDE-to-SELF
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect PMAP_OUTSIDE-to-INSIDE
zone-pair security OUTSIDE-to-DMZ source OUTSIDE destination DMZ
service-policy type inspect PMAP_OUTSIDE-to-DMZ
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PMAP_INSIDE-to-OUTSIDE
zone-pair security INSIDE-to-DMZ source INSIDE destination DMZ
service-policy type inspect PMAP_INSIDE-to-DMZ
zone-pair security DMZ-to-SELF source DMZ destination self
service-policy type inspect PMAP_DMZ-to-SELF
zone-pair security DMZ-to-OUTSIDE source DMZ destination OUTSIDE
service-policy type inspect PMAP_DMZ-to-OUTSIDE
zone-pair security DMZ-to-INSIDE source DMZ destination INSIDE
service-policy type inspect PMAP_DMZ-to-INSIDE
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key <redacted> address ipv6 ::/0
!
crypto isakmp client configuration group GROUP_VPN-SPLIT
key <redacted>
dns 2001:4860:4860::8888 2001:4860:4860::8844
domain tekmagery.net
pool IP6-POOL_VPN
acl ACL6_VPN-SPLIT-TUNNEL
max-users 4
netmask ipv6 /124
crypto isakmp profile IKE-PROFILE_SPLIT
match identity group GROUP_VPN-SPLIT
client authentication list VPN-USERS
isakmp authorization list VPN-USERS
client configuration address initiate
client configuration address respond
keepalive 60 retry 30
virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set TSET_VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE_SPLIT
set transform-set TSET_VPN
set isakmp-profile IKE-PROFILE_SPLIT
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
description TRUNK_2960SW
no ip address
duplex auto
speed auto
!
interface FastEthernet8.1
description VLAN_1-NATIVE
encapsulation dot1Q 1 native
ipv6 enable
ipv6 address FDAB::7718:2164:FADE:7701/120
ipv6 address COX-PREFIX ::77:0:0:0:1/64
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
zone-member security INSIDE
ip tcp adjust-mss 1300
ipv6 dhcp server DHCP6_TEK-NATIVE
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
!
interface FastEthernet8.69
description VLAN_69-DMZ
encapsulation dot1Q 69
ipv6 enable
ipv6 address FDAB::7718:2164:FADE:6901/120
ipv6 address COX-PREFIX ::69:0:0:0:1/64
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
zone-member security DMZ
ip tcp adjust-mss 1300
ipv6 dhcp server DHCP6_TEK-DMZ
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
!
interface GigabitEthernet0
description WAN-LINK_COX-BUSINESS
ipv6 enable
ipv6 address <supplied IP/dhcp>
no ipv6 unreachables
no ipv6 redirects
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/56
ipv6 dhcp client pd COX-PREFIX
zone-member security OUTSIDE
speed auto
duplex auto
no cdp enable
!
interface Virtual-Template1 type tunnel
description VPN-to-INSIDE
ipv6 unnumbered FastEthernet8.1
ipv6 flow ingress
ipv6 flow egress
zone-member security INSIDE
tunnel mode ipsec ipv6
tunnel protection ipsec profile IPSEC-PROFILE_SPLIT
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ipv6 unicast-routing
!
! last argument is the prefix length handed to each client (/128 = one address)
ipv6 local pool IP6-POOL_VPN FDAB::7718:2164:FADE:AAA0/124 128
ipv6 route ::/0 <COX next hop>
!
no ip http server
no ip http secure-server
!
!
ip dns server
!
! IPv6 ACLs use "permit ipv6" / "deny ipv6", not "permit ip" / "deny ip"
ipv6 access-list ACL6_ACCESS-NTP
permit ipv6 host <NTP1 IP> any
permit ipv6 host <NTP2 IP> any
permit ipv6 host <NTP3 IP> any
ipv6 access-list ACL6_ACCESS-VTY
permit ipv6 FDAB::7718:2164:FADE:7700/120 any
permit ipv6 FDAB::7718:2164:FADE:AAA0/124 any
ipv6 access-list ACL6_ALLOWED-DMZ
permit tcp any host FDAB::7718:2164:FADE:6904 eq 3389
permit tcp host FDAB::7718:2164:FADE:6904 eq 3389 any
permit tcp any host FDAB::7718:2164:FADE:6904 eq 25565
permit tcp host FDAB::7718:2164:FADE:6904 eq 25565 any
permit tcp any host FDAB::7718:2164:FADE:6904 eq 25566
permit tcp host FDAB::7718:2164:FADE:6904 eq 25566 any
ipv6 access-list ACL6_ALLOWED-TRAFFIC
permit tcp any host FDAB::7718:2164:FADE:770F eq 21333
permit tcp host FDAB::7718:2164:FADE:770F eq 21333 any
!
! The BLOCK-* and DMZ-BLOCKED ACLs are referenced by class-maps whose
! policy action is "drop". A class-map only matches traffic the ACL
! PERMITS, so these lists must be written as permit entries: an all-deny
! ACL matches nothing and the drop class never fires.
! Caveat: FE80::/10 and FF00::/8 also cover the router's own ND, RS and
! DHCPv6-PD exchanges with the ISP on GigabitEthernet0, so when this list
! is used in a self-zone drop class those two entries need to be kept out
! of it (e.g. moved to a separate ACL applied only to the INSIDE/DMZ pairs).
ipv6 access-list ACL6_BLOCK-BOGONS
permit ipv6 ::/96 any
permit ipv6 ::/128 any
permit ipv6 ::FFFF:0.0.0.0/96 any
permit ipv6 ::224.0.0.0/100 any
permit ipv6 ::127.0.0.0/104 any
permit ipv6 ::0.0.0.0/104 any
permit ipv6 ::225.0.0.0/104 any
permit ipv6 0000::/8 any
permit ipv6 0200::/7 any
permit ipv6 2001:DB8::/32 any
permit ipv6 2002:0000::/24 any
permit ipv6 2002:0A00::/24 any
permit ipv6 2002:7F00::/24 any
permit ipv6 2002:AC10::/28 any
permit ipv6 2002:C0A8::/32 any
permit ipv6 2002:E000::/20 any
permit ipv6 2002:FF00::/24 any
permit ipv6 3FFE::/16 any
permit ipv6 FC00::/7 any
permit ipv6 FE80::/10 any
permit ipv6 FEC0::/10 any
permit ipv6 FF00::/8 any
ipv6 access-list ACL6_BLOCK-DMZ
permit ipv6 FDAB::7718:2164:FADE:6900/120 FDAB::7718:2164:FADE:7700/120
ipv6 access-list ACL6_BLOCK-JUNK
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any parameter-problem
! packet-too-big carries IPv6 path MTU discovery; dropping it (kept here as
! the draft intends) breaks connections that cross a smaller-MTU link
permit icmp any any packet-too-big
! ICMPv6 has no source-quench type, so that entry is not carried over
permit udp any any range 137 138
permit tcp any any eq telnet
permit tcp any any eq 139
permit tcp any any eq 445
permit tcp any any range 1433 1434
permit udp any any range 1433 1434
ipv6 access-list ACL6_BLOCK-ULA
permit ipv6 FD00::/8 any
! name must match the class-map (CMAP_DMZ-BLOCKED-PROTOCOLS); IPv6 ACLs
! take no "extended" keyword
ipv6 access-list ACL6_DMZ-BLOCKED-PROTOCOLS
permit tcp any any eq 22
permit tcp any any eq telnet
permit tcp any any eq 123
permit tcp any any eq ftp
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq tftp
ipv6 access-list ACL6_INTERNAL-IP
permit ipv6 FDAB::7718:2164:FADE:6900/120 any
permit ipv6 FDAB::7718:2164:FADE:7700/120 any
! name must match the class-map (CMAP_VPN)
ipv6 access-list ACL6_VPN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
! split-tunnel ACL: permit entries list the networks the client sends
! through the tunnel (gateway-side network as source, client pool as dest)
ipv6 access-list ACL6_VPN-SPLIT-TUNNEL
permit ipv6 FDAB::7718:2164:FADE:6900/120 FDAB::7718:2164:FADE:AAA0/124
permit ipv6 FDAB::7718:2164:FADE:7700/120 FDAB::7718:2164:FADE:AAA0/124
!
!
!
!
!
!
!
radius server <network>
address ipv6 FDAB::7718:2164:FADE:7704 auth-port 1812 acct-port 1813
key 7 <redacted>
!
!
!
control-plane
!
!
banner login ^C
#####################################################
#                                                   #
# UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. #
#                                                   #
#####################################################
^C
configuration mode exclusive
!
line con 0
exec-timeout 0 0
password
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
ipv6 access-class ACL6_ACCESS-VTY in
!
ntp source FastEthernet8.1
ntp access-group ipv6 peer ACL6_ACCESS-NTP
ntp access-group ipv6 serve ACL6_INTERNAL-IP
ntp server ipv6 <NTP1 IP/DNS>
ntp server ipv6 <NTP2 IP/DNS>
ntp server ipv6 <NTP3 IP/DNS>
!
end
Assumptions:
* Cox will be handling prefix delegation the way Comcast does
* Global address autoconfig will handle address requests from the two VLANs
Now, to my questions.
1) I can see that using PD hint and prefix-name (I chose COX-PREFIX), I can assign global addresses to my dot1Q sub-interfaces. But can hosts pull addresses with these prefixes with just this config, or is more needed?
2) I want to be able to serve ULA addresses to my hosts via stateful DHCPv6 and just give them autoconfigured global addresses. If the autoconfig global assignment won't work with config from question 1, would it be possible to have more than one DHCP server on an interface? If yes, can you have one stateful server and one stateless server on an interface?
3) Is it advisable to put my internal domain name on DHCP servers giving out global addresses? If so, are there any security considerations?
4) If I do end up getting my global address range via PD, is there any way I could write my ACLs so that they take into account a prefix change?
Thanks in advance for any answers!
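As an added example (not from the original post), this Python script shows how the general-prefix scheme in the draft (COX-PREFIX combined with ::77:0:0:0:1/64 and ::69:0:0:0:1/64) turns a delegated prefix into the two VLAN /64s, checks that those subnet ids still fit if the ISP answers the ::/56 hint with a shorter delegation, and renders the global-address ACL entries question 4 asks about so they can be regenerated after a prefix change. The sample delegation 2001:db8:1234::/56 and the ACL name ACL6_INTERNAL-GLOBAL are constructed for the example.

```python
import ipaddress

# Sub-bits per VLAN, copied from the draft's 'ipv6 address COX-PREFIX ...'
# lines: VLAN 1 uses subnet id 0x77, VLAN 69 uses 0x69, each a /64.
VLAN_SUBBITS = {1: "::77:0:0:0:1/64", 69: "::69:0:0:0:1/64"}
ALL_ONES = (1 << 128) - 1

def compose(delegated, sub_bits):
    """OR the delegated prefix with the sub-bits, as an IOS general prefix does.
    Raises ValueError when a sub-bit lands inside the delegated prefix, which
    is what happens if the ISP answers the ::/56 hint with a /60: subnet id
    0x77 needs 8 bits, but a /60 leaves only 4 for subnet ids."""
    net = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Interface(sub_bits)
    host_bits = ALL_ONES >> net.prefixlen  # bits the delegation leaves to us
    if int(sub.ip) & ~host_bits & ALL_ONES:
        raise ValueError(f"{sub_bits} overlaps the delegated {delegated}")
    if sub.network.prefixlen < net.prefixlen:
        raise ValueError("sub-prefix is shorter than the delegation")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(sub.ip))
    return ipaddress.IPv6Interface(f"{addr}/{sub.network.prefixlen}")

def fits(delegated, sub_bits):
    """True if the sub-bits can be carved out of this delegation."""
    try:
        compose(delegated, sub_bits)
        return True
    except ValueError:
        return False

def vlan_networks(delegated):
    """Map VLAN id -> its global /64 under the given delegation."""
    return {v: compose(delegated, s).network for v, s in VLAN_SUBBITS.items()}

def render_acl(delegated, name="ACL6_INTERNAL-GLOBAL"):
    """IOS IPv6 ACL permitting the internal global /64s as sources. Re-run it
    whenever the delegated prefix changes ('show ipv6 general-prefix' shows
    the one currently learned via PD); the ULA entries in the draft stay static."""
    lines = [f"ipv6 access-list {name}"]
    for vlan, net in sorted(vlan_networks(delegated).items()):
        lines.append(f" remark VLAN {vlan}")
        lines.append(f" permit ipv6 {net} any")
    return lines

if __name__ == "__main__":
    # Constructed sample delegation from the 2001:db8::/32 documentation range.
    print("\n".join(render_acl("2001:db8:1234::/56")))
    print("0x77 fits in a /60?", fits("2001:db8:1234::/60", VLAN_SUBBITS[1]))
```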