Posts Tagged ‘Networking’

Never thought I would be writing about how to utilize IPv6 in 2017 because of all the excellent material on the Internet; however, I have discovered a few things:

  1. There are still technologies which have horrible support for IPv6 (including new stuff)
  2. There are people still resistant to implementing it
  3. There is material on the Internet, ranking high in Google searches, that references deprecated standards

Without any further delay, I am going to outline a few items you should keep in mind when deploying your IPv6 network:

Subnet mask size

In IPv6, barring a few exceptions like point-to-point links, you should always use a /64 for each deployed subnet. Why? If you want to use DHCPv6, you’ll find Microsoft’s implementation won’t even allow you to change from a /64, and a DHCPv6 server on Linux, while it will actually run with a mask longer than /64, will still only hand out /64s. Also, anything longer than a /64 breaks a lot of the auto-discovery mechanisms in the switch/router, namely those built around EUI-64, and it just doesn’t make sense.

What subnet size should I get from ISP/provider/administrator?

If you’re not going to “own” your IPv6 network, that is, you’re not getting an assignment with an ASN to advertise, then you’re either looking to obtain a public block of addresses for your use, or you’re internal and need your network administrators to assign you a prefix which you can further subnet yourself. There is a standard most follow for assigning prefixes to “customers”.

An ISP, for instance, may have numerous /32’s (or maybe a bit larger) assigned to them to distribute to customers. Let’s call them “ISP”; you work for “company”, in its internal IT organization, and “company” uses “ISP”. Your company would request an IPv6 block assignment from the ISP. From one of the ISP’s /32’s you’ll get, let’s say, a /48, just for the hell of it. This is how your company can break a /48 down internally for assignment:

  • 65,536 = /64’s
  • 32,768 = /63’s
  • 16,384 = /62’s
  • 8,192 = /61’s
  • 4,096 = /60’s
  • 2,048 = /59’s
  • 1,024 = /58’s
  • 512 = /57’s
  • 256 = /56’s
  • 128 = /55’s
  • 64 = /54’s
  • 32 = /53’s
  • 16 = /52’s
  • 8 = /51’s
  • 4 = /50’s
  • 2 = /49’s

How your company doles these out is up to them. However, almost no one is going to directly carve out /64’s from the assigned /48 block; that is stupid. Generally, you’re looking to summarize and aggregate wherever possible throughout your network, so we’ll assume you’re in location “A” at “company”.

We’ll go ahead and assume the company has decided each location is assigned a /58, which gives each location a total of 64 /64’s to use. As you can see, this is no different from standard IPv4 in the sense of ensuring proper aggregation, except that you no longer have to worry about the size of a VLAN’s subnet mask: you’ll always use a /64.
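To make the arithmetic concrete, here is an added Python example (not code from the original post) that reproduces the /48 breakdown above with the standard ipaddress module, carves one location’s /58 out of the /48 and lists its 64 /64’s; the 2001:db8:1234::/48 block is a constructed documentation prefix, not a real assignment.

```python
import ipaddress


def subnet_counts(block: str, longest: int = 64) -> dict:
    """How many /N subnets fit in `block` for every N from one bit longer than the
    block's own length up to `longest`; on a /48 this reproduces the table above."""
    net = ipaddress.IPv6Network(block)
    return {n: 2 ** (n - net.prefixlen) for n in range(net.prefixlen + 1, longest + 1)}


def site_plan(block: str, site_prefixlen: int, site_index: int):
    """Pick the site_index-th /site_prefixlen out of `block` (one per location) and
    list the /64s inside it: every LAN/VLAN gets exactly a /64, never anything longer."""
    net = ipaddress.IPv6Network(block)
    sites = list(net.subnets(new_prefix=site_prefixlen))
    if not 0 <= site_index < len(sites):
        raise ValueError(f"{block} holds only {len(sites)} /{site_prefixlen} sites")
    site = sites[site_index]
    return site, list(site.subnets(new_prefix=64))


def lan_prefix_ok(subnet: str) -> bool:
    """The rule from the section above: a deployed LAN subnet must be exactly a /64."""
    return ipaddress.IPv6Network(subnet, strict=False).prefixlen == 64


if __name__ == "__main__":
    BLOCK = "2001:db8:1234::/48"  # constructed documentation prefix (RFC 3849), not a real one
    for n, count in subnet_counts(BLOCK).items():
        print(f"{count:>6,} /{n}'s")
    site, lans = site_plan(BLOCK, 58, 1)  # location "B" is the second /58
    print(f"{site} -> {len(lans)} /64s, from {lans[0]} to {lans[-1]}")
```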

What about private IPv6 address space?

If you do not want a Globally Unique IPv6 address, you can indeed have what is called a Unique Local IPv6 address (ULA). There is a standard procedure (RFC 4193) for properly generating these prefixes, which mixes in the current time and date along with other factors to ensure uniqueness.

Why does this matter with private address space? Have you ever been involved in a merger/acquisition, or had to join two offices together which use the same private IPv4 subnet range? I need not say any more, because this can be a PITA! Thus ULA, when done right, ensures this will never happen; however, there is absolutely nothing stopping you from selecting your own basic prefix.

IPv6 ULA uses the FC00::/7 prefix, divided into two groups:

  1. fc00::/8 – The idea for this prefix is that it would be administered by some authority, but no one can agree on it, so just forget about it
  2. fd00::/8 – Defined for locally generated /48 prefixes only: the 40 bits after the fd byte form a random, unique Global ID, generated according to the algorithm in RFC 4193

You will want to use option 2. You can use online generation tools like those from SixXS or a tool from another resource; either way, make sure it generates a proper /48 prefix for you and is, to some degree, RFC 4193 compliant.

Finally, your company’s IT department is likely to have this /48 already and is very likely to have assigned you a prefix according to the same standards by which they dole out their Globally Unique IPv6 addresses; thus, no additional explanation is needed.
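As an added example (not code from the original post, SixXS or any other tool), this Python implements the RFC 4193 generation steps referred to above, so you can see why a generated prefix always lands in fd00::/8 and is a /48: the time of day in 64-bit NTP format and an EUI-64 derived from a MAC are concatenated, hashed with SHA-1, and the least significant 40 bits become the Global ID. The MAC 00:11:22:33:44:55 and the checker is_rfc4193_prefix are constructed for illustration.

```python
import hashlib
import ipaddress
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # fc00::/7 with the L bit set to 1


def ntp_timestamp(unix_time: float) -> bytes:
    """Step 1: the time of day as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def mac_to_eui64(mac: str) -> bytes:
    """Step 2: a modified EUI-64 from a 48-bit MAC, as RFC 4291 forms interface IDs:
    insert ff:fe in the middle and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Steps 3-6: key = time || EUI-64, SHA-1 it, keep the least significant 40 bits as
    the Global ID, and put them behind the fd byte to form the /48."""
    when = time.time() if unix_time is None else unix_time
    digest = hashlib.sha1(ntp_timestamp(when) + mac_to_eui64(mac)).digest()
    packed = b"\xfd" + digest[-5:] + bytes(10)  # 8 prefix bits + 40-bit Global ID + zeros
    return ipaddress.IPv6Network((packed, 48))


def is_rfc4193_prefix(prefix: str) -> bool:
    """The check the post asks for on any generated prefix: a /48 inside fd00::/8."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.prefixlen == 48 and net.subnet_of(ULA_LOCAL)


if __name__ == "__main__":
    p = ula_prefix("00:11:22:33:44:55")  # constructed MAC; use one of your own interfaces
    print(p, "ok" if is_rfc4193_prefix(str(p)) else "NOT RFC 4193 compliant")
```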

Get your DNS infrastructure setup for IPv6 AAAA and PTR-record resolution

I won’t delve into this much further, other than to say you absolutely must make sure your DNS infrastructure is set up for IPv6 AAAA-record and PTR-record resolution, or you WILL have issues!

One area to ponder is which hostnames will resolve when you’re in a dual-stack environment. Do you want the same hostname to return both an A record and an AAAA record? Well, some say no, some say yes. Me? I say you should discuss this with your vendor to ensure their solution doesn’t have a problem with it, especially in a dual-stack environment. I was told, by co-workers who know more about VMware vCenter than I do right now, that this is a problem and the returned hostnames must be different when using dual-stack environments.

Always research and question IPv6 support on your devices

This goes for hardware and software vendors alike: many have claimed their stuff works with IPv6; however, what testing, if any, was done isn’t known, and there are a variety of scenarios to consider. For instance:

  • Does it support native IPv6 from installation-to-operation?
  • Does it support dual-stack, from installation-to-operation?
  • How does it handle DNS requests in dual stack?
    • Does the system start with IPv6 AAAA requests and then fall back to IPv4 A-record requests?
    • If so, what is the timeout if an AAAA record is not available and it must try for an IPv4 A record?
    • Is the order of DNS resolution preference configurable? (Can you choose to have IPv4 A-records first?)
  • What forms of address configuration are available for IPv6? (SLAAC, static, DHCPv6?)
  • What IPv6 address types are supported? (Globally Unique and/or ULA?)
  • Are there specific “sections” of configuration which cannot support IPv6?
    • For instance, in Cisco NX-OS, you cannot reference an IPv6 address for use on a vPC peer keepalive link.

More questions will come to mind, but these are from experience, and I can promise you they are a lot of the reasons why most IPv6 implementations in the enterprise and data center fail. Question all vendors!

This is it for now; hope this clears up some stuff for those of you out there who are thinking about their IPv6 implementation.


There has been some slight confusion and ambiguity around the “single-connection” configuration statement provided by Cisco switches and routers, including SAN MDS switches. As of this writing, Cisco Nexus 9000 NX-OS switches on 7.0.3.I5.1 code do not support single-connection in their TACACS host configuration; however, certain MDS switches do. In either case, if you find yourself wandering here for the answer, let me elaborate.

The purpose of single-connection is to multiplex all of your TACACS authentication requests over a single TCP connection from the switch to the TACACS server. Using tac_plus, an open source TACACS server, you can absolutely set the single-connection bit from, say, a Cisco 9706 MDS switch; however, upon packet analysis of any TACACS authentication requests you may discover the single-connection bit is set to 0.

Refer to draft-grant-tacacs-02 and scroll to the FLAGS section for an explanation of where you will, and should, see the single-connection bit set in the TACACS flags field. Basically, you’ll only ever find the bit set in the initial setup of the connection, so that both the TACACS server and the client agree on single-connection TCP. Thus, instead of each and every TACACS request arriving as a unique TCP connection (essentially having to use multiple sockets, a socket being the 4-tuple of source IP, destination IP, source port and destination port), the TACACS query and response messages are just carried over the single TCP connection.

If your system supports this, it’s worth attempting to see if it works, as it can save some resources; however, your mileage may vary.
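Here is an added Python example (not code from the post, tac_plus or Cisco) that decodes the 12-byte TACACS+ header from draft-grant-tacacs-02 and reports the single-connection flag per packet, so a capture can be checked the way described above instead of eyeballing it; the three packets and their session id are constructed samples with opaque zero-byte bodies.

```python
import struct
from dataclasses import dataclass

# Header layout and flag values from draft-grant-tacacs-02 (later RFC 8907).
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body not obfuscated; only acceptable for debugging
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {0x01: "AUTHEN", 0x02: "AUTHOR", 0x03: "ACCT"}


@dataclass(frozen=True)
class TacacsHeader:
    major: int
    minor: int
    ptype: str
    seq_no: int
    flags: int
    session_id: int
    length: int  # body length; the 12-byte header is not counted

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)


def parse_header(packet: bytes) -> TacacsHeader:
    """Decode the fixed 12-byte header; the body is left alone (it is normally obfuscated)."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet: no complete TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"not a TACACS+ packet (major version {major:#x})")
    return TacacsHeader(major, minor, PACKET_TYPES.get(ptype, f"UNKNOWN({ptype:#x})"),
                        seq_no, flags, session_id, length)


def single_connect_negotiated(headers: list) -> bool:
    """The flag only matters on the first exchange: the client sets it in seq 1 and the
    server confirms in seq 2. Later packets carry 0, which is what the post observed."""
    first = {h.seq_no: h for h in headers if h.seq_no in (1, 2)}
    return 1 in first and 2 in first and first[1].single_connect and first[2].single_connect


# Constructed sample session: the session id is made up and the bodies are opaque zero bytes.
SESSION_ID = 0x1A2B3C4D
SAMPLE_SESSION = [
    HEADER.pack(0xC0, 0x01, 1, TAC_PLUS_SINGLE_CONNECT_FLAG, SESSION_ID, 32) + bytes(32),  # client START
    HEADER.pack(0xC0, 0x01, 2, TAC_PLUS_SINGLE_CONNECT_FLAG, SESSION_ID, 16) + bytes(16),  # server REPLY
    HEADER.pack(0xC0, 0x01, 3, 0x00, SESSION_ID, 8) + bytes(8),                            # client CONTINUE
]
```

Run parse_header over every packet of a captured session and single_connect_negotiated over the result; a client that set the bit in seq 1 without a matching seq 2 from the server is falling back to one TCP connection per request.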


Let’s just get down to business: we all use it, but few of us understand what any of it means. The documentation is a little, well, complicated for some people, so I aim to give you a better understanding of the Cisco configuration register, also known as the config register or config-reg.


Let me start with something from a distant memory. I knew a principal of a school and I asked, “What qualifications does a person need to be a principal?” I remember the answer was “just a master’s degree”, and I responded, “no experience needed?” and he replied, “yes, but that creates problems because principals with no experience teaching have high turnover, low morale, and have pitiful results in their school”. It was then and there I knew one thing mattered most to me over anything: experience, and a variety of it; however, this “variety” can harm and help you at the same time, it just depends on how you go about it, and that brings me to a new chapter in my life…


I have seen a lot of these courses go up online, and you find people flocking to them as a super easy way into a big-salary IT networking job overnight. I don’t believe one can go from the skills of a CCNA to a CCNP in X number of weeks. The vast difference between the skills you’ll need for the CCNP and the CCNA concepts is so large it isn’t funny. In fact, I have long said I would love to see Frame Relay disappear in favor of configuring more real-world scenarios like MPLS and Metro-E. However, they keep churning out Frame Relay material because it is easy to learn. Perhaps this is why we have so many whiteboard interviews that last hours upon hours: we’re churning out CCNA/P certified engineers with little to no real-world experience.

I believe in the long-term approach of gaining valuable work experience and studying along the way. If you’re looking to get ahead you should also purchase lab equipment and learn at home when you can; nothing at all replaces learning the hard way by trying to build it yourself and testing all kinds of scenarios. If you’re looking for a quick way to get certified without experience, these classes will help you get there, just don’t expect to do that well in whiteboard interviews. If you’re a seasoned vet and just want to make sure you pass the first time because you’re a busy IT professional, these are good too.


I see a lot of confusion about the Type-4 LSA and what it does. This confusion is high in the CCNA world because little is explained about it and one might think it is useless; however, it is valuable when you’re learning or doing route redistribution into OSPF with External Type-2 routes and multiple ASBRs redistributing the same external routes.


Spanning-tree is the red-headed stepchild of networking, and I firmly believe it is not spanning-tree’s fault; I blame the ignorance of the engineer. Spanning-tree is a tool, and like any tool it is typically designed with a specific purpose; however, like most tools in life, you can apply it to something it wasn’t intended for and still get the desired results. People’s ignorance of spanning-tree has caused a lot of issues on networks I have had to resolve in the past, and they were relatively easy to resolve. I will explain the single most forgotten configuration parameter: bridge priority.


Quite often I hear people reference the Native VLAN while being unsure what exactly they’re talking about. In the standards, “native” is referred to as an “untagged” VLAN on a port, and that is the preferred terminology. So, this is really simple: “native” just means “untagged”, and each Cisco “trunk” port can have a different native VLAN. Thus, the native VLAN isn’t always VLAN 1; it is just a convenience that VLAN 1 is the default VLAN on Cisco switches when they’re unpacked, and that confuses most people. In practice, you won’t leave an untagged VLAN on a Cisco trunk, because you’d rather have all inter-switch traffic tagged to prevent VLAN hopping.


http://www.linkedin.com/today/post/article/20130125105449-107961-why-i-cheer-when-my-employees-leave

Funny how this article appeared on LinkedIn on my last day here at the City of Durham. While the ride here has been a great one and I have worked with some awesome technology, it was clearly my time to move on with life. I am grateful to have worked with the individuals who welcomed me here on day 1 and are celebrating my departure at lunch today. Their mentality rings true to the article I posted because they are sad to see me go; however, they are also happy to see me advance in life and take a job that fulfills a dream.


A quick tidbit that is useful both in troubleshooting and in interviews: review the logs (if you can) before you start hacking away at the issue. It makes no sense to start diagnosing an issue blind if you have logs that can, hopefully, tell you what was going on before and after the event that caused an outage. For instance, if your wireless just decides to go down, you may want to look at the logs in the AP (autonomous mode) or the controller (controller mode) and see what was happening. Given enough verbosity in the logs, they should tell you what happened so you can take corrective measures. This applies to interviews because people always ask, “What are your steps to figuring out what happened?” I always start with: I check the logs.