
IPv6 – Routing – OSPFv3

Now that the addressing part is done and the end hosts also get IPv6 addresses, we must connect things together.

 

IPv6 – Routing – OSPFv3 – Network diagram

[Network diagram image]

 

IPv6 – Routing – OSPFv3 – Configuration

 

IPv6 – routing – OSPFv3 – configure core routing:

I’m going to run OSPFv3 on R1 through R5.

 

I will activate OSPFv3 at the interface level.

Because I have no IPv4 address configured, I must set the router ID (32 bits) under the OSPFv3 process.

Here is the configuration for R1.

R1(config)#router ospfv3 10
R1(config-router)#router-id 1.1.1.1

R1(config)#int eth 0/0
R1(config-if)#ipv6 ospf 10 area 0
R1(config-if)#ipv6 ospf network point-to-point

 

Let’s do the same on the other routers.

Note that for R3 I used another command, which does the same job.

R3(config)#router ospfv3 10
R3(config-router)#router-id 3.3.3.3

R3(config-router)#int eth0/0
R3(config-if)#ospfv3 10 ipv6 area 0
R3(config-if)#ospfv3 network point-to-point

Let’s check the adjacency on R3.

R3#sh ipv6 ospf neigh
            OSPFv3 Router with ID (3.3.3.3) (Process ID 10)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
5.5.5.5           0   FULL/  -        00:00:37    4               Ethernet1/0
4.4.4.4           0   FULL/  -        00:00:33    4               Ethernet0/2
2.2.2.2           0   FULL/  -        00:00:32    3               Ethernet0/1
1.1.1.1           0   FULL/  -        00:00:32    4               Ethernet0/0

We see all the expected neighbors.

Here are the routes learned via OSPFv3 on R3.

R3#sh ipv6 route ospf
IPv6 Routing Table - default - 12 entries
O   2001:DB8:1::/126 [110/20]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/1
     via FE80::A8BB:CCFF:FE00:410, Ethernet0/2
O   2001:DB8:1::10/126 [110/20]
     via FE80::A8BB:CCFF:FE00:410, Ethernet0/2
     via FE80::A8BB:CCFF:FE00:510, Ethernet1/0
O   2001:DB8:1::18/126 [110/20]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/1
     via FE80::A8BB:CCFF:FE00:310, Ethernet0/0

 

Looks pretty good.

As you can see, there is not too much difference with OSPF for IPv4.

 

Configure IPv6 routing – OSPFv3 encryption, authentication:

Because area 0 is our backbone, I want it secured. With OSPFv3, we can perform authentication and also encryption.

Let’s configure authentication and encryption in area 0.

 

Here is the configuration for R1.

For a production network I would use AES, but you have to specify a 64-character key, so I will use a less secure encryption for this lab.

The same goes for the authentication key: I prefer to use SHA-1, but you need to specify a 40-character key.

R1(config-if)#ipv6 ospf encryption ipsec spi 300 esp aes-cbc 256 ?
  0           The key is not encrypted (plain text)
  7           The key is encrypted
  Hex-string  256bit key (64 chars)
R1(config-if)#ipv6 ospf encryption ipsec spi 300 esp des 1234567890abcdef sha1 ?
  0           The key is not encrypted (plain text)
  7           The key is encrypted
  Hex-string  SHA-1 key (40 chars)
R1(config)#int eth 0/0
R1(config-if)#ipv6 ospf encryption ipsec spi 300 esp des 1234567890abcdef md5 1234567890abcdef1234567890abcdef

The keys must match between connected interfaces.

The SPI is unique, so you need to pick a different one for each connection.
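The AES/SHA-1 form of the same command, with keys of the lengths the IOS help text asks for, can be generated per link. This is an added example, not part of the original lab: the link list and the SPI numbering from 300 upward are assumptions made for illustration.

```python
import re
import secrets

# Key sizes in bytes; the hex lengths match the IOS help text quoted above
# (AES-CBC 256: 64 hex chars, SHA-1: 40 hex chars).
AES256_KEY_BYTES = 32
SHA1_KEY_BYTES = 20


def new_link_keys():
    """Return fresh (encryption_key, auth_key) hex strings from the OS CSPRNG."""
    return secrets.token_hex(AES256_KEY_BYTES), secrets.token_hex(SHA1_KEY_BYTES)


def render_link(spi, ends, enc_key, auth_key):
    """Build the interface commands for every end of one link.

    ends is a list of (router, interface); all ends share the SPI and keys.
    """
    if not re.fullmatch(r"[0-9a-f]{64}", enc_key):
        raise ValueError("AES-CBC 256 key must be 64 hex characters")
    if not re.fullmatch(r"[0-9a-f]{40}", auth_key):
        raise ValueError("SHA-1 key must be 40 hex characters")
    cmd = f"ipv6 ospf encryption ipsec spi {spi} esp aes-cbc 256 {enc_key} sha1 {auth_key}"
    return {router: [f"interface {intf}", f" {cmd}"] for router, intf in ends}


def plan_area(links, first_spi=300):
    """Assign one SPI and one fresh key pair per link; return {router: [lines]}."""
    config = {}
    for offset, ends in enumerate(links):
        enc_key, auth_key = new_link_keys()
        rendered = render_link(first_spi + offset, ends, enc_key, auth_key)
        for router, lines in rendered.items():
            config.setdefault(router, []).extend(lines)
    return config


# Hypothetical link list (assumption): router and interface pairings are made up.
LINKS = [
    [("R1", "Ethernet0/0"), ("R3", "Ethernet0/0")],
    [("R2", "Ethernet0/1"), ("R3", "Ethernet0/1")],
]

if __name__ == "__main__":
    for router, lines in plan_area(LINKS).items():
        print(f"! {router}")
        print("\n".join(lines))
```

Each run produces new keys, so the output should be pasted to both ends of a link from the same run.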

 

Let’s verify our OSPFv3 adjacency.

R3#sh ipv6 ospf neigh
            OSPFv3 Router with ID (3.3.3.3) (Process ID 10)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
5.5.5.5           0   FULL/  -        00:00:33    4               Ethernet1/0
4.4.4.4           0   FULL/  -        00:00:35    4               Ethernet0/2
2.2.2.2           0   FULL/  -        00:00:37    3               Ethernet0/1
1.1.1.1           0   FULL/  -        00:00:38    4               Ethernet0/0

This is still OK, so I haven’t messed up the key and SPI combination…

 

If you want to check the details of the encryption/authentication, you must use the show crypto ipsec sa command.

R1#show crypto ipsec sa
SNIP
interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-OSPF-MAP, local addr FE80::A8BB:CCFF:FE00:300

   IPsecv6 policy name: OSPFv3-312

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (FE80::/10/89/0)
   remote ident (addr/mask/prot/port): (::/0/89/0)
   current_peer FF02::5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::A8BB:CCFF:FE00:300,
     remote crypto endpt.: FF02::5
     plaintext mtu 1470, path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0
     current outbound spi: 0x138(312)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x138(312)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000001, crypto map: Ethernet0/0-OSPF-MAP
        sa timing: remaining key lifetime (sec): 0
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x138(312)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000001, crypto map: Ethernet0/0-OSPF-MAP
        sa timing: remaining key lifetime (sec): 0
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

You can also verify that this is turned on with the ospfv3 interface command.

R1#sh ipv6 ospf int eth 0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:300, Interface ID 3
  Area 0, Process ID 10, Instance ID 0, Router ID 1.1.1.1
  Network Type POINT_TO_POINT, Cost: 10
  DES encryption MD5 auth SPI 312, secure socket UP (errors: 0)
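The security line in this output lends itself to an automated check across interfaces. The script below is an added example, not part of the original post: the Ethernet0/0 block is the output shown above, while the Ethernet0/1 block is constructed in the same layout to represent an area 0 interface with no IPsec configured.

```python
import re

# Constructed sample: first block is the output above, second block is made up.
SAMPLE = """\
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:300, Interface ID 3
  Area 0, Process ID 10, Instance ID 0, Router ID 1.1.1.1
  Network Type POINT_TO_POINT, Cost: 10
  DES encryption MD5 auth SPI 312, secure socket UP (errors: 0)
Ethernet0/1 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:310, Interface ID 4
  Area 0, Process ID 10, Instance ID 0, Router ID 1.1.1.1
  Network Type POINT_TO_POINT, Cost: 10
"""

HEADER = re.compile(r"^(\S+) is .+, line protocol is ")
AREA = re.compile(r"^\s+Area (\S+),")
SECURITY = re.compile(
    r"^\s+(\S+) encryption (\S+) auth SPI (\d+), secure socket (\S+) \(errors: (\d+)\)")
WEAK = {"DES", "MD5"}  # the lab-only algorithms used in this post


def audit(text, protected_area="0"):
    """Return {interface: [findings]} for interfaces in protected_area."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = interfaces.setdefault(m.group(1), {"area": None, "sec": None})
        elif current is not None and (m := AREA.match(line)):
            current["area"] = m.group(1)
        elif current is not None and (m := SECURITY.match(line)):
            current["sec"] = m.groups()
    report = {}
    for name, info in interfaces.items():
        if info["area"] != protected_area:
            continue
        if info["sec"] is None:
            report[name] = ["no IPsec encryption/authentication configured"]
            continue
        cipher, auth, spi, socket, errors = info["sec"]
        findings = [f"weak algorithm {a} (SPI {spi})" for a in (cipher, auth) if a in WEAK]
        if socket != "UP" or int(errors):
            findings.append(f"secure socket {socket}, errors {errors}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for interface, findings in audit(SAMPLE).items():
        print(interface, findings or ["ok"])
```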

 

Configure IPv6 routing – OSPFv3 area types:

We will finish this post by configuring a new area in OSPF 10, so that SW1 and its subnets have connectivity.

 

On R1, we configure the interface to SW1.

R1(config)#int eth 0/2
R1(config-if)#ipv6 ospf 10 area 1

On SW1, we enable OSPFv3, set the router ID and activate OSPFv3 under the interfaces. Note that we will make the VLAN interfaces OSPFv3 passive interfaces.

SW1(config)#router ospfv3 10
SW1(config-router)#router-id 10.10.10.10
SW1(config-router)#passive-interface default
SW1(config-router)#no passive-interface eth0/0

SW1(config)#int vlan 10
SW1(config-if)#ipv6 ospf 10 area 1
SW1(config-if)#int vlan 11
SW1(config-if)#ipv6 ospf 10 area 1
SW1(config-if)#int vlan 12
SW1(config-if)#ipv6 ospf 10 area 1

The neighbor adjacency is up, and we are also getting OSPF routes.

SW1#sh ipv6 ospf neigh
            OSPFv3 Router with ID (10.10.10.10) (Process ID 10)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   FULL/DR         00:00:36    5               Ethernet0/0
SW1#sh ipv6 route ospf
IPv6 Routing Table - default - 16 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI  2001:DB8:1::/126 [110/30]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::4/126 [110/30]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::8/126 [110/30]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::C/126 [110/30]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::10/126 [110/40]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::14/126 [110/20]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0
OI  2001:DB8:1::18/126 [110/20]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0

I verified on an end host and I can reach the IPv6 addresses in the network.

 

Because SW1 doesn’t need to get all the routes in its routing table, it’s a good candidate to try the stub area command.

Let’s try it.

R1(config)#router ospfv3 10
R1(config-router)#area 1 stub

SW1(config)#router ospfv3 10
SW1(config-router)#area 1 stub

This makes no change in the routing table of SW1, as we only have intra-area routes at the moment.

Let’s make it totally stub.

R1(config-router)#area 1 stub no-summary

That’s better: now SW1’s OSPFv3 routing table only has one entry.

SW1#sh ipv6 route ospf
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI  ::/0 [110/11]
     via FE80::A8BB:CCFF:FE00:320, Ethernet0/0

 

 

Well, this was a long post to cover some basics about OSPFv3. I hope you find it informative.

In the next post we will continue our configuration with some EIGRPv6.

 

Thank you for reading.
