Two sites, one LAN

Scenario

This lab extends a LAN over a VPN link to two different sites. These sites will be connected to the Internet and routed with BGP.

eBGP to “ISP router” and iBGP between the sites.

The two “sites” are my laptops, and the hosts and routers running in these “sites” are VirtualBox guests. Router guests run Vyatta 6.5, server guests run Bodhi Linux.

All the routers have an IPv4 connection to “ISP-router” which is a Cisco.

IPv6 from r1a and r2b is tunneled over the IPv4 link.
L2VPN between the sites is done over the IPv4 link.

The end result should be that you can connect a host to either site, using the LAN prefix 2001:98:0013:004f::/64, and that host gets an IPv6 Internet connection. The connection should fail over automatically to the other link to the “ISP router”.

Network Diagram

[Network diagram: two-sites-one-lan]

I apologise for the crappy network diagram. I drew it as Google docs presentation and it felt a bit clumsy.

Set up the Lab

Install guests (the routers) on the two hosts.
Give routers IPv4 address.
Configure IPv4 routing so that the guest routers can reach each other, with 0/0 pointing to the “ISP router”.
Check that all routers can ping each other with IPv4 addresses.

L2VPN

Create L2VPN between r3a and r4b, using the IPv4 network as transport.

generate openvpn key r3a-r4b

r3a
set interfaces bridge br2
set interfaces ethernet eth4 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.4.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

r4b
set interfaces bridge br2
set interfaces ethernet eth5 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.3.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

Give the lab-routers their IPv6 addresses

set interfaces ethernet eth4 ipv6 address eui64 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert prefix 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert other-config-flag true

IPv6 tunnels

If your virtualization software and network environment allow it, you may skip this phase and give r1a and r2b their IPv6 link addresses directly. In my system I have VirtualBox and the link is over wifi. It will not allow me to use IPv6 directly on this interface.

That is why I use tunnels.

Create IPv6-over-IPv4 tunnels between

“ISP-router” – r1a
“ISP-router” – r2b

IPv6 addresses for the tunnels

“ISP-router” Cisco
2001:98:0013:004e::1/126
r1a
2001:98:0013:004e::2/126

“ISP-router” Cisco
2001:98:0013:004e::5/126
r2b
2001:98:0013:004e::6/126

Cisco config
interface Tunnel3
description IPv6 tunnel to r1a
no ip address
ipv6 address 2001:98:0013:004e::1/126
ipv6 enable
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
tunnel mode ipv6ip

Vyatta config for r1a
edit interfaces tunnel tun3
set address 2001:98:0013:004e::2/126
set encapsulation sit
set local-ip 10.1.1.2
set remote-ip 10.1.1.1
set description "IPv6 tunnel to cisco"
exit
commit

Adjust accordingly for r2b.

Routing

Configure IPv6 eBGP from r1a and r2b to the Internet router.

r1a
set protocols bgp 65502 neighbor 2001:98:13:4e::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4e::1 remote-as 65501
set protocols bgp 65502 parameters router-id 10.1.1.2

Cisco
router bgp 65501
no synchronization
bgp log-neighbor-changes
neighbor 2001:98:13:4E::2 remote-as 65502
no auto-summary
!
address-family ipv6
neighbor 2001:98:13:4E::2 activate
neighbor 2001:98:13:4E::2 next-hop-self
neighbor 2001:98:13:4E::2 soft-reconfiguration inbound
redistribute static
default-information originate
no synchronization
exit-address-family
!

Adjust accordingly for r2b

Configure IPv6 iBGP r1a – r2b

r2b
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 remote-as 65502
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast nexthop-self
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 update-source 2001:98:13:4f:a00:27ff:fe97:1e3c

Adjust accordingly for r1a.

Inject the LAN prefix into BGP

r1a & r2b
set protocols bgp 65502 address-family ipv6-unicast network 2001:98:0013:004f::/64

Testing

Set up a host on both “sites”
Bring down routers, links, or the connection between sites. What happens?

My observations:

1. When I turn off routers, the routing changes to the other link immediately.

2. When I put down the main WAN link, it takes time to reroute. About a minute or two.

3. Of my two “servers”, one changes its first hop immediately and automatically. The other one does not. Don’t know why. Both hosts use automatic configuration.

BGP AS-path prepending

BGP has its own rules for choosing which link to use. Which route did your routers choose as the active one? Now we want to tell them that we would prefer to pass traffic via r1a. So put this configuration in r2b to make its AS path appear longer.

r2b
set policy route-map prepend-secondary rule 10 action permit
set policy route-map prepend-secondary rule 10 set as-path-prepend "65502 65502"
set protocols bgp 65502 neighbor 2001:98:13:4E::5 address-family ipv6-unicast route-map export prepend-secondary

IPv6 Vyatta Lab – Part V; New site via eBGP

[Originally posted Jun 3, 2012 4:31 AM by Antti Uitto [updated Jun 3, 2012 10:05 AM]]

In this part we are going to connect a new “customer” to our network. The previous episode featured a user connected directly to one of the core routers. This time there will be CE routers. There will be two of them, attached to two different core nodes and configured with sufficient services to handle failover in case the main connection breaks down.

[Lab diagram: vyatta-lab-with-loopacks3]

IPv6 address allocation

Allocate a new prefix 2001:99:13:4c::/64, route it from the Internet router to FW and from FW to the first LAB router. This will be the IPv6 prefix used in the customer’s LAN.

Then allocate two more nets to be used as link addresses between our core routers and the CE routers: 2001:99:13:4d::/64 and 2001:99:13:4e::/64. Route them as well.

Connections and topology

Connect the new customer routers to your network. I connect these two via R6 and R8.
Configure the interfaces and define IPv6 BGP neighbors.
Our core network has ASN 65501 and this new site is going to be in ASN 65502.

cust2-gw1 (connected to R6)
set interfaces ethernet eth4 address 2001:99:0013:004d::2/64
set protocols bgp 65502 neighbor 2001:99:0013:004d::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:99:0013:004d::1 remote-as 65501
set protocols bgp 65502 parameters router-id 172.2.2.1

Just make something up for router-id.

R6 (connected to cust2-gw1)
set interfaces ethernet eth5 address 2001:99:0013:004d::1/64
set protocols bgp 65501 neighbor 2001:99:0013:004d::2 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65501 neighbor 2001:99:0013:004d::2 remote-as 65502

Create the links and BGP relationships between cust2-gw2 and R8 in a similar way, using link network 2001:99:13:4e::/64.

Make sure you add these new link interfaces to your IGP (OSPF) in the core network so that your next-hop addresses will be available.

Create the LAN interface and turn on router advert

cust2-gw1
set interfaces ethernet eth5 ipv6 address eui64 2001:99:13:4c::/64
set interfaces ethernet eth5 ipv6 router-advert send-advert true
set interfaces ethernet eth5 ipv6 router-advert prefix 2001:99:13:4c::/64

Advertise the customer prefix into BGP.

cust2-gw1 & gw2
set protocols bgp 65502 address-family ipv6-unicast network 2001:99:13:4c::/64

Manipulate your routing

In my network gw1 was chosen as the primary route to the new customer site. This may be just fine but for the fun of doing so, I wanted to change this.

This configuration goes into cust2-gw1 and prepends the AS path announced by that router. This will cause the path via cust2-gw2 to be preferred over gw1.

set policy route-map as-prepend rule 1 set as-path-prepend "65502 65502"
set policy route-map as-prepend rule 1 action permit
set policy route-map as-prepend rule 1 match ipv6 address prefix-list as-prepend
set policy prefix-list6 as-prepend rule 1 action permit
set policy prefix-list6 as-prepend rule 1 prefix 2001:99:13:4c::/64
set protocols bgp 65502 neighbor 2001:99:13:4d::1 address-family ipv6-unicast route-map export as-prepend

The routing turned to gw2, but my computer in the cust2 LAN still wanted to use gw1 as its primary gateway to the world. In Cisco you can manipulate this by setting the gw2 router priority to “high”.

I don’t know how to do that in Vyatta at the moment. There is so much to learn.

Add a computer to the LAN

Now it is time to add a “customer’s” computer into this LAN and see if we reach our core network router’s loopbacks and perhaps even the Internet from it.

Check ip -6 route on the computer (if Linux). Which gateway does it want to talk to first?

Test your redundancy. Verify which route your computer uses to reach the Internet and then turn off that gw. Put it back on and turn off the other one. What happens? Do you lose many pings?

Check out this Packetlife article for more information on IPv6 ND providing first-hop redundancy.
http://packetlife.net/blog/2011/apr/18/ipv6-neighbor-discovery-high-availability/

More to do

It might be wise to make a prefix-list in the core routers R6 and R8 to prevent networks other than 2001:99:13:4c::/64 from being advertised into our network by the customer routers.

I could easily add one here but I will not since there has to be stuff left for future articles!
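The two core-side decisions this part touches, the inbound prefix filter on R6/R8 and the best-path choice that makes the AS-path prepend on cust2-gw1 steer traffic to cust2-gw2, modelled in a few lines of Python. This is an added example, not part of the lab or of Vyatta; the Announcement structure, the ALLOWED table and the sample UPDATEs are constructed, and the model stops after the LOCAL_PREF and AS_PATH-length steps of BGP best-path selection.

```python
"""Inbound prefix filtering and simplified BGP best-path selection (added example)."""
from dataclasses import dataclass, replace
from ipaddress import IPv6Network

@dataclass
class Announcement:
    neighbor: str            # peer address the UPDATE arrived from
    prefix: IPv6Network
    as_path: list            # leftmost = most recently prepended AS
    local_pref: int = 100    # default when the core sets no policy

# Per-neighbour allow list: the prefix must be covered by an entry and be no
# longer than max_len (like a Vyatta prefix-list6 rule with 'le').
# Constructed for the lab's two CE links; anything else is implicitly denied.
ALLOWED = {
    "2001:99:13:4d::2": [(IPv6Network("2001:99:13:4c::/64"), 64)],  # cust2-gw1 on R6
    "2001:99:13:4e::2": [(IPv6Network("2001:99:13:4c::/64"), 64)],  # cust2-gw2 on R8
}

def accept(a: Announcement) -> bool:
    """Return True only if an explicit rule permits this prefix from this neighbour."""
    return any(a.prefix.subnet_of(net) and a.prefix.prefixlen <= max_len
               for net, max_len in ALLOWED.get(a.neighbor, []))

def best_path(candidates):
    """Highest LOCAL_PREF wins; on a tie the shortest AS_PATH wins (later tie-breakers omitted)."""
    return min(candidates, key=lambda a: (-a.local_pref, len(a.as_path)))

def select(announcements, local_pref_override=None):
    """Filter, optionally apply a core-side LOCAL_PREF policy, then pick one path per prefix."""
    ok = [a for a in announcements if accept(a)]
    if local_pref_override:   # core operator policy: LOCAL_PREF is compared before AS_PATH
        ok = [replace(a, local_pref=local_pref_override.get(a.neighbor, a.local_pref)) for a in ok]
    by_prefix = {}
    for a in ok:
        by_prefix.setdefault(a.prefix, []).append(a)
    return {str(p): best_path(c).neighbor for p, c in by_prefix.items()}

# Constructed UPDATEs: gw1 prepends as in the lab, gw2 does not, and gw1 also
# announces a prefix (Fake Ltd's 4b from part IV) that is not this customer's.
SAMPLE = [
    Announcement("2001:99:13:4d::2", IPv6Network("2001:99:13:4c::/64"), [65502, 65502, 65502]),
    Announcement("2001:99:13:4e::2", IPv6Network("2001:99:13:4c::/64"), [65502]),
    Announcement("2001:99:13:4d::2", IPv6Network("2001:99:13:4b::/64"), [65502]),
]

if __name__ == "__main__":
    print(select(SAMPLE))                             # gw2 wins on AS_PATH length
    print(select(SAMPLE, {"2001:99:13:4d::2": 200}))  # LOCAL_PREF beats prepending
```

The second call shows the caveat a prepend relies on: prepending only works as long as the receiving network does not override it with a higher LOCAL_PREF on the other session.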

IPv6 Vyatta LAB – Part IV ; BGP routes and a customer site

[Originally posted May 9, 2012 12:41 PM by Antti Uitto [updated May 9, 2012 1:17 PM]]

In the previous chapter we created BGP sessions for our network. To avoid configuring a full mesh, connecting every router to every other router (as iBGP would demand), we used route reflectors.

Now we should have all the BGP neighbors up and running but nothing is yet advertised using BGP.

In this exercise we shall inject some routes into this new BGP.

I have earlier configured a static default route in R1. (See the first episode)
Let’s make this ::/0 available to all the other routers as well.

R1
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast default-originate
set protocols bgp 65501 neighbor 2001:99:13:4a::3 address-family ipv6-unicast default-originate
… etc …

Now you should see an IPv6 default route on all the routers and be able to ping6 hosts outside your own lab. (Use loopbacks as source.)

“Customer” site and a new prefix

Case study: Fake Ltd

The next job is to add an interface for a bogus client. My customer Fake Ltd has the IPv6 prefix 2001:99:13:4b::/64, and their non-existent main office is located in a made-up business center where the connections are provided by the Fairy-Tale ISP’s imaginary core router called R8.

A make-believe port eth6 has been provisioned for this customer.

This is the best thing you get when you want to buy services without using real money.

Route it from the Real World

Route the client’s prefix 2001:99:13:4b::/64 with a static route from the Internet gateway to the FW and from the FW to R1, just like you did with the lab prefix in the beginning.

Create an interface

R8
set interfaces ethernet eth6 address 2001:099:0013:004b::1/64
set interfaces ethernet eth6 ipv6 router-advert prefix 2001:099:0013:004b::/64
set interfaces ethernet eth6 ipv6 router-advert send-advert true

Now check the IPv6 routing table in R8. You will see it as a connected network. Go check from your other routers. No 4b there?

It is not visible yet in the other lab routers because this configuration does not redistribute connected networks. You can either redistribute connected networks into BGP or add a network statement in R8.

We do the latter.

Inject the new prefix into BGP

R8
set protocols bgp 65501 address-family ipv6-unicast network 2001:99:13:4b::/64

After you commit this command in R8, the new network should appear in the routing tables across your lab network.

You can now connect a client computer to this interface. It should get an IPv6 address and default route information from R8. Note that this configuration does not yet give IPv6 DNS addresses. For those you will need DHCPv6 set up and “other-config-flag true” under the router interface.

https://sites.google.com/site/6filesb/home/blog/ipv6basicsaddressingahostandstaticrouting

It was worth every penny!