Posts Tagged ‘Juniper’

Never thought I would be writing about how to utilize IPv6 in 2017 because of all the excellent material on the Internet; however, I have discovered a few things:

  1. There are still technologies which have horrible support for IPv6 (including new stuff)
  2. There are people still resistant to implementing it
  3. There is material on the Internet which shows up early in Google searches which references deprecated standards

Without any further delay, I am going to outline a few items you should keep in mind when deploying your IPv6 network:

Subnet mask size

In IPv6, barring a few exceptions like point-to-point links, you should always utilize a /64 for each deployed subnet. Why? Well, if you wanted to use DHCPv6 you’ll find Microsoft’s implementation won’t even allow you to change from a /64 and even a DHCPv6 server in Linux, while it will actually run with a mask larger than a /64, it will only hand out a /64. Also, you’ll find the use of anything larger than a /64 breaks a lot of the auto-discovery mechanisms in the switch/router, namely around EUI-64, and just doesn’t make sense.

What subnet size should I get from ISP/provider/administrator?

If you’re not going to “own” your IPv6 network, that is you’re not getting an assignment with an ASN to advertise, you’re either looking to obtain a public block of addresses for use and/or you’re internal and need your networking administrators to assign you a prefix which you can further subnet yourself. There is a standard most follow to assign prefixes to “customers”.

An ISP, for instance, may have numerous /32’s (or maybe a bit larger) assigned to them for their use to distribute to customers. Lets call them ISP and you work for “company” and you’re an internal IT organization within “company” who uses “ISP”. Your company would request from the ISP an IPv6 block assignment. From one of the ISP’s /32’s you’ll get, lets say, a /48 just for the hell of it. This is how your company can break it down internally for assignment:

  • 65,536 =  /64’s
  • 32,768 = /63’s
  • 16,384 = /62’s
  • 8192 = /61’s
  • 4096 = /60’s
  • 2048 = /59’s
  • 1024 = /58’s
  • 512 = /57’s
  • 256 = /56’s
  • 128 = /55’s
  • 64 = /54’s
  • 32 = /53’s
  • 16 = /52’s
  • 8 = /51’s
  • 4 = /50’s
  • 2 = /49’s

How your company doles these out, is up to them. However, almost no one is going to just directly carve out /64’s from the assigned /48 block, that is stupid. Generally, you’re looking to summarize and aggregate where possible throughout your network and we’ll assume you’re in location “A” at “company”.

We’ll go ahead and assume the company has decided each location is assigned a /58, which gives each location a total of 64 available /64’s to use. As you see, no different than standard IPv4 in the sense of ensuring proper aggregation, except now you’re no longer having to worry about the size of a VLAN’s subnet mask, you’ll always use /64.

What about private IPv6 address space?

If you do not want a Globally Unique IPv6 address you can indeed have what is called a “Unique Local IPv6 address = ULA”. There is a guide on how to properly generate these addresses, which includes a variable which references the time and date, along with other factors to ensure absolute uniqueness.

Why does this matter with private address space? Have you ever been involved with a merger/acquisition, or having to aggregate two offices together which use the same private IPv4 subnet range? I need not say anymore because this can be a PITA! Thus, ULA, when done right, ensures this will never happen; however, there is absolutely nothing stopping you from selecting your own, basic, prefix.

IPv6 ULA uses the FC00::/7 prefix, divided into two groups:

  1. fc00::/8 – The idea for this prefix is to be administered by some authority, but no one can agree to it, so just forget about it
  2. fd00::/8 – Is defined for the generation of /48 prefixes only, using the last 40 bits to generate a random, unique, prefix, according to the algorithm in RFC4193

You will want to use option 2 and you can use online generation tools like those from SiXXs or use a tool from another resource, either way, make sure it generates a proper /48 prefix for you and is, by some degree, RFC4193 compliant.

Finally, your company’s IT department is likely to have this /48 already and is almost very likely to have assigned you a prefix according to the same standards for which they’ll dole out their Globally Unique IPv6 addresses; thus, no additional explanation needed.

Get your DNS infrastructure setup for IPv6 AAAA and PTR-record resolution

I won’t delve into this much more other than you absolutely must make sure your DNS infrastructure is setup for IPv6 AAAA-record and IPv6 PTR-record solution or you WILL have issues!

One area to ponder is the hostnames that’ll resolve when you’re in a dual-stack environment. Do you want the same hostname to return on both a A-record and AAAA-record? Well, some say no, some say yes. Me? I say you should discuss this with your vendor to ensure their solution doesn’t have a problem with this, especially in a dual-stack environment. I was told, by co-workers who know more about Vmware vCenter than I do right now, this is a problem and the returned hostnames must be different when using dual-stack based environments.

Always research and question IPv6 support on your devices

This goes for hardware and software vendors, many have made claims their stuff works with IPv6; however, what, if any, testing was done isn’t known and there are a variety of scenarios to consider. For instance:

  • Does it support native IPv6 from installation-to-operation?
  • Does it support dual-stack, from installation-to-operation?
  • How does it handle DNS requests in dual stack?
    • Does the system start with IPv6 AAAA requests and then fails over to IPv4 A-record requests?
    • If so, what is the timeout if a AAAA record is not available and it must try for an IPv4 A-record?
    • Is the order of DNS resolution preference configurable? (Can you choose to have IPv4 A-records first?)
  • What forms of address configuration are available for IPv6? (SLAAC, static, DHCPv6?)
  • What IPv6 address types are supported? (Globally Unique and/or ULA?)
  • Are there specific “sections” of configuration which cannot support IPv6?
    • For instance, in Cisco NX OS, you cannot reference an IPv6 address for use on a vPC peer keep-alive link.

More questions will come to mind, but these are from experience and I can promise you are a lot of reasons why most IPv6 implementations in the enterprise, and data center, fail. Question all vendors!

This is it for now, hope this clears up some stuff for you out there who’re thinking about their IPv6 implementation


No doubt every engineer has their own twist on coding something to better automate configurations and deployment on networks; however, with the every increasing pace of release changes to current software sets installed on some vendors hardware, the workload to keep your scripts updated can become your full time job. There will always be two schools of engineer: the home brew and the purchased software schools, each one with their own compelling reason to use the other and why the other is wrong. I, personally, prefer the purchased software route with a small dash of home brew scripts to accomplish my job, very small. I’ll outline some experiences I’ve had in the past where both moving towards the use of purchased software solved the many problems the home brew scripts were giving us and how a small, but powerful, set of home brew scripts gave us complete control over the network from building, deploying, operating, and debugging. Read the rest of this entry »


Yup, they have something similar now, here is the skinny:


archive
path flash1:
maximum 14

Now, before you make a change, issue this command:


configure terminal revert timer <1-120> <--- in minutes

Go ahead and make your changes, if you get disconnected, it will rollback the configuration in the amount of time you selected.

If the configuration works and you want to commit the changes:


configure confirm

That's all folks, a "commit confirmed" for Cisco IOS.


Quite often I hear people reference the Native VLAN and they’re unsure what exactly they’re talking about. In the RFC standards “Native” is considered an “Untagged” VLAN on a port and that is the preferred terminology. So, this is really simple, “native” means “Untagged” because on each Cisco “Trunk” port you can have a different native VLANs on each Cisco “Trunk” port. Thus, the concept of a native VLAN isn’t always VLAN 1 it is just a convenience that VLAN 1 is the default VLAN on Cisco switches when they’re unpacked and that confuses most people. In reality, you won’t have an untagged port on a Cisco trunk because you’d rather have all inter-switch traffic tagged to prevent VLAN-hopping.


A quick tidbit of information useful in troubleshooting and interviewing and reviewing the logs (if you can) before you start hacking away at the issue. It makes no sense to start diagnosing an issue if you have logs that can, hopefully, tell you what was going on before and after an event that caused an outage. For instance, if your wireless just decides to go down you may want to look at the lgos in the AP (autonomous mode) or the controller (Controller mode) and see what was happening. Given there is enough verbosity in the logs it should tell you what happened and you can take corrective measures. This applies to interviews because people always ask “What are your steps to figuring out what happened?” I always start with: I check the logs.


I recently got into a facebook debate with someone about experience versus debate. The opponent was a public sector employee and had been their entire life. However, it got me to thinking about this subject and it brings up a valid point about certifications and real life experience. I have seen first hand, from previous employers, that you can get someone who can sit for classes for a certification and knock out multiple certs in a year; however, are they really useful? In my opinion, probably not because anyone can take a cram class and the next day, or that day, sit for the exam and pass because the answers are fresh in their heads. The question to ask is: do you really understand the material and technology? Read the rest of this entry »


Classful routing/networking is no valid into today’s CIDR (Classes Inter-Domain Routing) networks; however, it seems that people are still over using the classful terminology almost interchangeably. The concept of classes in network is obsolete and should no longer be used when referencing network subnets because classful routing has defined network ranges that make them classful and CIDR does not. Read the rest of this entry »


I get this a lot in my field “I cannot ping the server, it must be down or a network issue”; however, I can log in and telnet to the machine and even RDP/SSH into the machine. Why is this? Simple, the machine is not responding to ICMP ECHO REQUESTS which is default behavior for some systems. Windows 7 and Windows server 2008 DO NOT respond to ping by default because their internal firewalls are set to NOT respond to ICMP ECHO REQUESTS. Therefore, the machine could show as DOWN because it doesn’t respond to ping but the machine could actually be alive and on the network.

I personally recommend allowing your machines to respond to ping because there are no benefits to not allowing it other than confusion that could arise from the unexpected. Hiding a PING response doesn’t provide more security because a TCP SYN scan could prove that your machine is alive and well if there are listening ports, among other methods of host discovery.

To put it simple, DO NOT RELY ON PING as a method of testing connectivity only.


Quite often I run into troubled businesses that are having problems and they’re doing something like a Lan-to-Lan VPN tunnel between offices to route ALL traffic to a central location for processing. In today’s modern age most places have access to numerous link selections for deliver of Internet services and even dedicated Metro-E/T1/MPLS etc. What I find sad are the phone companies trying to sell the scam “Business Class DSL” services for businesses because in reality, unlike Cable DOCSIS, your packets aren’t getting any special treatment compared to a residential circuit. I will explain… Read the rest of this entry »


HP vs Cisco Certifications

Being that I am a dual certification holder (HP and Cisco) I am going to weigh in on the Value of the certifications. Read the rest of this entry »