Tuesday, February 28, 2017

A Complete Note on IPv6 Addressing

The IP addressing format currently used in most networks is IPv4, which uses 32-bit addresses written in dotted decimal format.
Ex- 192.168.10.1
Each octet is 1 byte (8 bits). The number of possible IPv4 addresses is 2^32 = 4,294,967,296
The usable amount is much less than that because of the private address ranges and other reservations. Because the internet is running out of IPv4 addresses, IPv6 was introduced.

The IPv6 addressing format uses 128 bits per address, written as hexadecimal numbers separated by colons. Therefore the number of available addresses is 2^128 ≈ 3.4 x 10^38
The address format is as follows,

XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

where each "X" is a hexadecimal digit (0-9, A-F).
There are 8 groups of 4 hexadecimal digits..
Each group represents 16 bits (4 hex digits x 4 bits)

Real world example address: 2001:034A:32D0:0000:0000:009C:0000:067F

You can simplify the address by replacing consecutive all-zero groups with a double colon "::", but this may be used only once in an address. You can also drop the leading zeros of each group. So the above real-world address can be written as follows.

2001:34A:32D0::9C:0:67F

Prefix & Interface ID

Addresses are allocated based on physical location. Just like the subnet mask in IPv4, IPv6 has a prefix. The prefix includes the global routing information & the subnet address. More than one address can be assigned to an interface of a host.
An IPv6 address assigned to an interface has 64 bits for the prefix and the other 64 bits for the interface ID.

Addresses are normally written as Address/Prefix-length, with the prefix length in decimal.
If we take the above real-world example address, 2001:34A:32D0::9C:0:67F/64 is how we normally
write it. The prefix is 2001:034A:32D0:0000 and the interface ID is 0000:009C:0000:067F

The first 3 hex digits (first 12 bits) represent the Regional Internet Registry (RIR)
The next 5 hex digits (up to bit 32) represent the ISP
The next 4 hex digits (up to bit 48) represent the site
The next 4 hex digits (up to bit 64) represent the subnet

The first 12 hex digits / 48 bits (RIR + ISP + Site ID) form the global routing prefix. Together with the subnet field, these 64 bits are the prefix of the IPv6 address. The remaining 16 hex digits (64 bits) are the interface ID.

The following diagram explains how the real-world IP 2001:034A:32D0:0000:0000:009C:0000:067F is assigned to a host with its 64-bit prefix 2001:034A:32D0:0000::/64
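As an added example (not part of the original post), the following Python script implements the compression rule and the prefix / interface-ID split described above, and cross-checks its compressed output against the standard library's ipaddress module. The split_fields function slices the address at the 12/32/48/64-bit boundaries the post lists; those boundaries follow the post's simplified description of the hierarchy, not a registry standard.

```python
import ipaddress


def expand(addr):
    """Expand a textual IPv6 address into its 8 groups of 16 bits (ints)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("an IPv6 address has exactly 8 groups of 16 bits")
    return groups


def full_form(groups):
    """Write groups with all leading zeros, e.g. 2001:034A:32D0:0000."""
    return ":".join(f"{g:04X}" for g in groups)


def compress(groups):
    """Drop leading zeros in every group and replace the longest run of two
    or more consecutive zero groups with '::' (the first run wins a tie)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    short = [f"{g:X}" for g in groups]
    if best_len < 2:            # a lone zero group is written "0", never "::"
        return ":".join(short)
    head = ":".join(short[:best_start])
    tail = ":".join(short[best_start + best_len:])
    return head + "::" + tail


def split_prefix(addr):
    """Return the /64 prefix and the 64-bit interface ID, both in full form."""
    groups = expand(addr)
    return full_form(groups[:4]), full_form(groups[4:])


def split_fields(addr):
    """Slice the 128-bit value at the boundaries the post describes
    (12 bits RIR, then ISP to bit 32, site to bit 48, subnet to bit 64,
    interface ID to bit 128) and return each field as a hex string."""
    value = 0
    for g in expand(addr):
        value = (value << 16) | g
    bounds = {"rir": (0, 12), "isp": (12, 32), "site": (32, 48),
              "subnet": (48, 64), "interface_id": (64, 128)}
    fields = {}
    for name, (lo, hi) in bounds.items():
        width = hi - lo
        field = (value >> (128 - hi)) & ((1 << width) - 1)
        fields[name] = f"{field:0{(width + 3) // 4}X}"
    return fields


def matches_stdlib(addr):
    """Cross-check our compressed form against the standard library's."""
    return compress(expand(addr)).lower() == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    example = "2001:034A:32D0:0000:0000:009C:0000:067F"   # the post's example address
    print(compress(expand(example)))                        # 2001:34A:32D0::9C:0:67F
    print(split_prefix(example))
    print(split_fields(example))
```

The compressor follows the canonical-form convention that a single zero group is written as "0" rather than "::", which is why the post's address keeps the "0" between 9C and 67F.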

IPv6 Address Types

Unicast : One-to-One (Global, Link Local, Unique Local)
Addresses of this kind identify a single interface

Multicast : One-to-Many
Addresses of this kind identify a set of interfaces
A packet is delivered to the group of interfaces identified by that address
IPv6 has no broadcast; multicast replaces it..

Anycast : One-to-Nearest (Allocated from Unicast)
A packet is delivered to the closest interface as determined by the IGP

A single interface may be assigned multiple IPv6 addresses of any of the types above..

IPv6 Unicast Address Scopes

Link Local Addresses

Only used for communication within the local link (subnet); routers do not forward packets with this scope..
It is configured automatically and used for neighbor discovery, router discovery etc. by many routing protocols..
Starts with FE80 and has a /64 prefix..
Somewhat similar in behavior to the 169.254.X.X addresses in IPv4, which a host generates itself when it cannot contact a DHCP server..
The interface ID is created from the 48-bit MAC address of the interface hardware, which is then called an EUI-64 type interface ID..

To create an EUI-64 type interface ID from a 48-bit MAC address,
1) Invert the 7th most significant bit of the MAC address (the universal/local bit)
2) Insert FF:FE in the middle, between the 3rd and 4th bytes

Ex:- Let's go to a Cisco router and see how it calculates its link-local address..

You can see the interface MAC address is AABB.CC00.1000
If we write the first group of hex digits in binary, it will look like the following..

AABB = 1010 1010 1011 1011

The bit to invert (shown in red on the original page) is the 7th bit from the left..

1010 1000 1011 1011 = A8BB

So after the inversion, the MAC will be A8BB.CC00.1000
After FFFE is squeezed into the middle, the EUI-64 format will be;

A8BB:CCFF:FE00:1000

Now this will be combined with the IPv6 prefix FE80::/64 and assigned to the interface..
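The two-step EUI-64 procedure above, as an added Python example (not code from the original post or from Cisco). It accepts the Cisco dotted MAC notation used in the capture as well as colon and dash notation, builds the link-local address, and also includes an audit helper that answers the question a defender cares about: does a given address expose the interface's hardware MAC because its interface ID is EUI-64 derived? The sample MAC is the post's own; the second MAC in the test is a constructed value.

```python
import ipaddress
import re


def parse_mac(mac):
    """Accept Cisco (AABB.CC00.1000), colon or dash notation; return 6 bytes."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID as 4 hex groups, e.g. A8BB:CCFF:FE00:1000."""
    b = bytearray(parse_mac(mac))
    b[0] ^= 0x02                      # step 1: invert the 7th bit from the left (U/L bit)
    iid = bytes(b[:3]) + b"\xFF\xFE" + bytes(b[3:])   # step 2: squeeze FFFE into the middle
    return ":".join(f"{iid[i]:02X}{iid[i + 1]:02X}" for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """FE80::/64 prefix + EUI-64 interface ID, in canonical compressed form."""
    addr = ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac))
    return addr.compressed.upper()


def embedded_mac(addr):
    """Audit helper: if the interface ID of addr is EUI-64 derived (FFFE in
    the middle), return the hardware MAC it exposes in Cisco notation;
    otherwise return None (a randomized ID, as Windows uses, gives None)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xFF\xFE":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                    # undo the U/L bit inversion
    h = mac.hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    mac = "AABB.CC00.1000"            # the MAC from the post's router capture
    print(eui64_interface_id(mac))    # A8BB:CCFF:FE00:1000
    print(link_local_from_mac(mac))   # FE80::A8BB:CCFF:FE00:1000
    print(embedded_mac("FE80::A8BB:CCFF:FE00:1000"))
```

Running embedded_mac over the addresses in an interface inventory is a quick way to see which hosts still derive their identifiers from hardware, which is the tracking concern the Windows behaviour below addresses.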

Now let's enable IPv6 in interface e0/0 and see what the IPv6 Link Local Address will be..

Now let's see it on your Windows machine.. Enter ipconfig /all in a command prompt..

You can see it also starts with FE80::/64, but the interface ID is completely different. This is because Windows does not use the EUI-64 format to assign link-local addresses.
Because users can be tracked and sniffed via the well-known EUI-64 format (the hardware MAC is recoverable from the address), Microsoft and other vendors decided to use their own methods / algorithms to create these randomized, temporary IPv6 addresses..

Site Local Addresses (no longer used)

Starts with FEC0::/10
Originally designed as the equivalent of the IPv4 private address range.
This scope is no longer supported, so if you see an address starting with "FEC0" it is no longer valid.. Succeeded by the Unique Local Addresses..

Unique Local Addresses

Like the private range of IPv4 addresses (10.x.x.x, 172.16.x.x, 192.168.x.x)
Starts with FC00::/7
Likely unique but not routable via global BGP..
You have to use NAT if you are going to use this range..
Until you obtain an IPv6 range of your own, you can use these addresses in your design..

Global Unicast Addresses

All other IPv6 addresses are globally routable Global Unicast Addresses..
Today, addresses from 2000::/3, meaning any address starting with 2 or 3, are being released to the public and can be found on the internet..
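The scope table above (link-local, deprecated site-local, unique-local and global unicast) as an added Python classifier, not part of the original post. It uses the prefixes the post lists plus the loopback, unspecified and multicast ranges, and adds a small audit function that flags the two cases a design review should catch: addresses from the deprecated FEC0::/10 range and unique-local addresses that will never be reachable from the global internet. The sample address inventory is constructed for the example.

```python
import ipaddress

# Scope table, most specific first: (scope name, prefix, globally routable).
# The prefixes are the ones the post lists for each scope.
SCOPES = [
    ("unspecified",             "::/128",    False),
    ("loopback",                "::1/128",   False),
    ("link-local",              "fe80::/10", False),
    ("site-local (deprecated)", "fec0::/10", False),
    ("unique-local",            "fc00::/7",  False),
    ("multicast",               "ff00::/8",  False),
    ("global-unicast",          "2000::/3",  True),
]


def classify(addr):
    """Return the scope of an IPv6 address and whether it is globally routable."""
    ip = ipaddress.IPv6Address(addr)
    for name, prefix, global_ok in SCOPES:
        if ip in ipaddress.IPv6Network(prefix):
            return {"scope": name, "globally_routable": global_ok}
    return {"scope": "reserved/other", "globally_routable": False}


def audit(addresses):
    """Flag addresses a design review should question: deprecated site-local
    addresses, and unique-local addresses that will not be reachable from
    the internet. Returns (address, finding) pairs; clean entries are omitted."""
    findings = []
    for a in addresses:
        scope = classify(a)["scope"]
        if scope == "site-local (deprecated)":
            findings.append((a, "FEC0::/10 is deprecated; renumber into FC00::/7 or global space"))
        elif scope == "unique-local":
            findings.append((a, "FC00::/7 is not routed on the global internet"))
    return findings


# Constructed sample inventory (not from the post): one address per scope.
SAMPLE_ADDRESSES = [
    "2001:34A:32D0::9C:0:67F",      # the post's global unicast example
    "FE80::A8BB:CCFF:FE00:1000",    # link-local, EUI-64 derived
    "fec0::1",                      # deprecated site-local
    "fd12:3456:789a::1",            # unique-local
    "ff02::1",                      # all-nodes multicast
    "::1",                          # loopback
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:28} {classify(a)}")
    for a, finding in audit(SAMPLE_ADDRESSES):
        print(f"FINDING {a}: {finding}")
```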

-------------------------------------------------------------------------------------------------------------------

Side Note:-
Special Addresses used in IPv6 are stated in the following chart..

Special Addresses used in IPv6 multicast applications are stated in the following chart..

Tuesday, February 21, 2017

Installing Cisco ACS on VMware Workstation

You need to have an ISO image of Cisco ACS before you start. I am using ACS 5.8 on VMware Workstation.

Start from File > New Virtual Machine
Select Typical & hit Next..
Select I will install the OS later & hit Next..
Select Linux 6 - 64bit..
Give a name & the location & hit Next..
Set the disk size to about 250 GB and select store virtual disk as a single file & hit Next..
Now go to Customize Hardware..

Memory should be more than 4 GB..
Set the number of processors to 2 and the number of cores per processor to 2..
On CD/DVD; use ISO image > give the location and tick Connect at power on..

Before Finish, the settings will be somewhat similar to this capture.

Now you can power up the VM..

The first dialog box that appears will look like the following..

You can give 1 and hit Enter..

Now it will show an error message indicating "unsupported hardware detected"
Just hit Enter for OK.
After a long automatic installation process it will reboot and prompt a new dialog box like the following.

Type "setup" as the login name & it will take you to a setup wizard..
After giving your settings to the wizard, it will continue with the installation and reboot..

Now if the IP you gave is reachable, you can log in to ACS via a web browser.

You may need to log in to the CLI first..
Don't forget to use https://<ip>

Default Username: acsadmin
Default Password: default

On the first login you will be asked to reset the password, then log in again using the new password..

Then you will be asked to enter a license key. Without a valid license you will not be able to use ACS

If you don't know how to get an evaluation license from Cisco.com, refer to this post..

How to Get Cisco Demo / Evaluation Licenses for Labs

Log in to your Cisco account & go to the following link.

You may see something like the following.

If this appears, you can close the advertisement, click "Get Other Licenses" and click "Demo and Evaluation"..

You can select what you need here and continue with the download after filling in the wizard..

Sunday, February 19, 2017

Put Your Website Online from Home with Port Forwarding & DDNS

You can use any web server, or even a PC, as your web host if you can afford it. This is just how I did it with my Raspberry Pi..

Start by giving your server a static IP address from your private home network. I gave 192.168.1.254 to my Pi and connected it to my home router.

If your server is Debian based like mine, you can enter the exact commands I enter here; otherwise you must find the equivalents online to do what I do here..

Enter the following commands to install Apache and the PHP modules..
sudo apt-get install apache2
sudo apt-get install php5 libapache2-mod-php5 -y

You may need to restart the Apache server; enter the following command
sudo service apache2 restart

Now enter your server's IP address in a web browser; it will show the default landing page of Apache.

Now navigate to the default web root directory by entering the following command..
cd /var/www/html

Now if you hit ls you can see the index.html page, which is the default landing page of Apache.
You can delete it by entering the following command..
sudo rm -f index.html

Now you can put the contents of your website here. I am just creating a simple default page by entering the following command..
sudo nano index.html

Now hit Ctrl+X, Y & Enter to save it.

If you enter the static IP of the server in the web browser, you can see the home page of your website now..

Now it is time to create a DDNS account with a service provider. There are plenty of DDNS service providers out there. I created an account on no-ip.com

Getting a web address through your DDNS provider's website is very simple. Just use common IT sense..

You can see the IP address assigned to your web address. Now you need to install your DDNS provider's Dynamic Update Client on your server..

Enter the following commands to create a folder, then download and extract the client..
sudo mkdir /home/pi/noip
cd /home/pi/noip
sudo wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
sudo tar vzxf noip-duc-linux.tar.gz

Now hit ls to view the contents of the folder.

Now you can see the folder is noip-2.1.9-1
Enter the following commands to compile and install the client..
cd noip-2.1.9-1
sudo make
sudo make install

By entering the following command you can run the client;
sudo /usr/local/bin/noip2

Finally you need to set up port forwarding on your home router.

How you do it depends on the type of your router. My home router is a TP-Link one. On its administration page, there is an option named "NAT" and under that there is another option named "Virtual Server" to set up port forwarding. The following capture shows you all the configuration..

Now everything is done. You can enter the URL you got from your DDNS provider in your web browser to see whether your website is online or not..

Wednesday, February 8, 2017

First Hands on Experience with Cisco IOS-XRv, Exploring the XR..

Today I'm going to explore IOS-XR, Cisco's high-end operating system designed for service provider networks. I'm not doing it on an actual box; this is IOS-XRv, which runs in a virtual environment. Almost everything is the same here, except for a few differences related to actual hardware line cards. The operating system version I am using is 5.2.2

After a few minutes of boot-up, it will ask you to press RETURN to get started, just like in regular IOS. As soon as you hit Enter, it will ask you to enter a root-system username.

In this version of XRv, the default root-system usernames are locked. You have to create your own username to unlock those root-system usernames.

In XRv, there are a few preconfigured root-system usernames. One is cisco with a password of cisco, which I used to log in.

On an actual hardware box, you will have to go through the initial configuration like in regular IOS and set up an admin user before doing level 15 privileged work.

Let's see the usernames created by the administrator (non-default usernames).
To do that, you have to go to admin mode and issue a show run.. This mode is not available in regular IOS..
RP/0/0/CPU0:ios#admin
RP/0/0/CPU0:ios(admin)#show run

The root-system group is equivalent to level 15 in regular IOS.

Let's create a new user for TAC support.. Examine the commands I have entered..

First I went to config mode. Then I typed username TAC, assigned it to the pre-configured group called cisco-support and then gave it a password.

Unlike regular IOS, here you have to commit every change before it takes effect. If you don't commit your changes, nothing will happen. This is a security feature of IOS-XR. The commands you type are stored in a separate (candidate) config file. When you hit commit, the commands in that file are applied to the running config. There is no need to enter "write" to save the config to NVRAM like in regular IOS.

As you can see, I encountered a problem while committing the changes I made, and it tells me to see the configuration failed file to determine what the problem is.

XR analyzes the commands intelligently and, if something is not correct, tells you how to correct it. You can see that it says "a user who belongs to the cisco-support group must also be in the root-system group".
So here I make the change..
Because I am still in the username configuration mode, I can do it in one command..

Now let's see what is in the config file by entering show config.

You can also see what will happen if I commit the changes by entering the show config merge command.

Now you can see that the commit works, and what the running config will be after committing the changes made..

So the commands to create a user for Cisco Support are as follows..
RP/0/0/CPU0:ios(admin)#config
RP/0/0/CPU0:ios(admin-config)#username TAC
RP/0/0/CPU0:ios(admin-config-un)#group root-system
RP/0/0/CPU0:ios(admin-config-un)#group cisco-support
RP/0/0/CPU0:ios(admin-config-un)#secret <pw>
RP/0/0/CPU0:ios(admin-config-un)#commit

Note:- If there is something wrong in your config, all the uncommitted changes will be rejected when you try to commit them, even the correct parts. You can enter commit best-effort to commit the correct changes while ignoring the wrong ones.

Note:- You can create users in normal exec-config mode (not in admin-config mode) like in regular IOS, but that user will be shown in the show run command in exec mode.

Other normal IOS commands like show ip int br, show inventory etc. are there in privileged exec mode like in regular IOS..

The running config is so small because nothing is configured yet. MgmtEth is the interface that will be used for out-of-band management of the box..

Also, ip routing & ipv6 unicast routing are enabled by default..

Let's see a sub-interface configuration now..

All the regular IOS commands work fine in IOS-XR for interface & sub-interface configuration. But you can see that some native IOS-XR commands exist to do the same job too. This means the encapsulation dot1q 111 & ip address 10.1.11.11 255.255.255.0 commands also work here.

If you want to see what the configuration was before your last commit, enter
RP/0/0/CPU0:ios#show config rollback changes last 1

To roll back changes to the last commit;
RP/0/0/CPU0:ios#rollback config last 1

Not only the last 1: you can roll back the last 2, 3 etc., or even to a specific commit point using the commit ID that is automatically assigned to each commit you make.

You can set commit labels as well. But as soon as you give a label by entering the commit label MYCOMMIT command, it will apply the config to the running config too. To view all the commits done by all users, enter the following commands
RP/0/0/CPU0:ios#show config commit list
or

RP/0/0/CPU0:ios#show config commit list detail

You can set a commit to roll back automatically unless you give a confirmed commit within a specific time by issuing the following command..
RP/0/0/CPU0:ios(config)#commit confirmed 30

30 is the time in seconds. To view these types of log messages on the console, you would have to increase the logging level to debugging by issuing the following commands..
RP/0/0/CPU0:ios(config)#logging console debugging
RP/0/0/CPU0:ios(config)#commit

You can completely replace your running config with your candidate config file by issuing the following command..
RP/0/0/CPU0:ios(config)#commit replace

But if you do not have any uncommitted changes in the candidate config file, this will delete the entire running config by replacing it with an empty config file..

Tuesday, February 7, 2017

Deploy vWLC on EVE / UNL

Deploying a WLC with the initial configuration wizard is very simple in any environment (WLC appliance or virtual environment). Here is how I did it in the Emulated Virtual Environment (EVE).
The wizard is the same even on actual physical hardware.

There is something you should know if you are going to do it using the vWLC (Virtual WLC) software. You should understand how the Service Port and the Management Port are represented in the EVE workspace; otherwise you will not be able to get connectivity to other network devices or even to an Access Point. The Service Port is used for out-of-band management of the box, while the primary access port, which will be connected to switches and APs, is the Management Port. The primary difference between these 2 ports is that the Management Port is the only port that can be configured with a default gateway. This is true for a physical WLC as well. The problem is that you can only see 2 Gig interfaces when you drag a vWLC into the workspace, but there is no Gig interface configuration in the vWLC.

You should consider;
G0/0/0 = Service Port
G0/0/1 = Management Port

Configuration is done through a wizard.. You can see what I have entered in the following capture.
The vWLC version I am using is 8.1.111.0

In EVE, you can use cloud devices to connect to external devices. This is important because you cannot emulate access points. You will have to connect your vWLC in EVE to a PoE switch and connect an actual AP. If you don't know how to do it, please read Connect Virtual Devices in UNL/EVE to External Physical Devices

In the wizard's questions, what is in the square brackets is the default answer. That means if your answer is the one in the brackets, you can simply hit Enter. On the capture, wherever the answer field is not empty, I typed an answer other than the default. If it is empty, I accepted the default by hitting Enter..

My EVE is configured with pnet0 connected to the NAT (VMnet8) network and pnet1 connected to VMnet0 (bridged to the physical NIC).
Therefore, for the Service Port, I gave an IP in the range of the VMnet8 (NAT) network, so I can use that IP to access the web GUI of the WLC from my native PC easily.

Remember to configure the Management VLAN ID correctly on the physical switch.
The Virtual Gateway IP is used for mobility features and web authentication of guest SSIDs.
The other features are just simple wireless networking features..

After the installation is successful, go to a web browser and type https://<service interface IP>
It will show an SSL certificate warning; just ignore it and proceed with the advanced options.

Deploying Cisco ISE on VMware Workstation

You need to have an ISO image of Cisco ISE before you start. I am using ISE 2.0 on VMware Workstation.

Start from File > New Virtual Machine
Select Typical & hit Next..
Select I will install the OS later & hit Next..
Select Linux 7 - 64bit..
Give a name & the location & hit Next..
Set the disk size to about 250 GB and select store virtual disk as a single file & hit Next..
Now go to Customize Hardware..

Memory should be more than 4 GB..
Set the number of processors to 2 and the number of cores per processor to 2..
On CD/DVD; use ISO image > give the location and tick Connect at power on..

Before Finish, the settings will be somewhat similar to this capture.

Now you can power up the VM..

The first dialog box that appears will look like the following..

You can give 1 and hit Enter..

Now it will show an error message indicating "unsupported hardware detected"
Just hit Enter for OK.
After a long automatic installation process it will reboot and prompt a new dialog box like the following.

Type "setup" as the login name & it will take you to a setup wizard..

After giving your settings to the wizard, it will continue with the installation and reboot..

Now if the IP you gave is reachable, you can log in to ISE via a web browser. The best-supported web browser for ISE 1.2 is Firefox..