
NextGenerationNetwork

Building a network using IPv6 and taking a look at the deployment of SCTP/DCCP.

IPv6

Done

  • Providing IPv6 connectivity through a go6.net tunnel and advertising the prefix through OpenVPN (running over IPv4).
  • Serve DNS AAAA records for uni.fladi.at to make services accessible through IPv6 by their domain names.
  • Configure shorewall6 to secure traffic on the subnet propagated over OpenVPN.
  • Generate a (probabilistically) unique ULA prefix for FladiAt: fd59:d69b:0869::/48 (generated by script)
  • Set up a Cisco 877w router to serve as IPv6 endpoint for a DSL link.
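The ULA prefix above was produced by a script. As an added example (not the author's script), here is the RFC 4193 section 3.2.2 algorithm such a script normally follows: hash a 64-bit NTP timestamp and the host's EUI-64, keep the low 40 bits as the Global ID, and prepend fd00::/8. The MAC address is a constructed sample; the subnet helper is applied to the page's own fd59:d69b:0869::/48.

```python
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 followed by a 32-bit fraction."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert FF:FE in the middle."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def ula_prefix(mac: bytes, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = least significant 40 bits of SHA-1(NTP time || EUI-64)."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    # fc00::/7 with the L bit set is fd00::/8; the 40-bit Global ID completes the /48.
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def subnet_of(prefix, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the 16-bit Subnet ID out of a ULA /48 (prefix given as str or IPv6Network)."""
    prefix = ipaddress.IPv6Network(str(prefix))
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 0x10000:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed sample MAC; a real run uses the MAC of the generating host's interface.
    prefix = ula_prefix(bytes.fromhex("0050c2abcdef"), time.time())
    print("ULA prefix:", prefix)
    print("subnet 1 of the page's ULA:", subnet_of("fd59:d69b:0869::/48", 1))
```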

Pending

  • Test various services over IPv6
    • NFSv4
    • CIFS
  • Build IPv6 capable OpenWRT image for SpeedPort W701V

Failing

Backend

Internal services of FladiAt could be switched to IPv6-only, disconnecting them from the legacy IPv4 network. Since all servers are connected through IPv6 this should not have any impact on outside services. This could be done in Autumn 2010.

| Service    | Status | Comment |
| DNS        | yes    | |
| LDAP       | yes    | |
| MySQL      | no     | Does not support IPv6 at the moment, will be dropped in favor of PostgreSQL soon. |
| NTP        | yes    | Using the ntp.sixxs.net pool, which is dual-stack enabled. |
| PostgreSQL | yes    | listen_addresses = '*' |
| Puppet     | ?      | Unidentified problem with one host at the moment. |
| SNMP       | yes    | Add 'udp6:161' as listening port. |

There is one bug in Java at the moment that will block this migration: Debian, SUN

SCTP/DCCP TODO

Cisco 877W

The only routers capable of native IPv6 at this time seem to be the Cisco ones, starting with the 877w (the 857w is sometimes advertised as IPv6 capable, which is a plain marketing lie).

The 877w seems to have an average power consumption of about 18W.

Flash Upgrade

In order to upgrade the flash capacity for IOS 15 I had to restore the router through ROMMON. The flash filesystem got broken when I removed the 4MB flash module that was inside the router. To remove the existing flash module follow the instructions provided by Cisco.

ALERT! Before attempting to follow any of the steps described here make absolutely sure that you have a backup of all your files from flash! Especially the IOS image! Back it up on a TFTP server or any other remote device. Also make sure to use the serial terminal! You will need it to use ROMMON to reformat the flash filesystem and deploy the new IOS image!

After booting the router with the new flash module inside it refused to load the IOS image from flash and after a few retries brought me to the ROMMON interactive shell. From there I used the following commands to pull the new image from a TFTP server.
IP_ADDRESS=192.168.0.139
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.0.1
TFTP_SERVER=192.168.0.1
TFTP_FILE=c870-advipservicesk9-mz.150-1.M.bin
tftpdnld
This led to a complete reformat of my flash (now including the newly installed module) and put the image into place. Now boot the router:
boot

Configuration

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 20000
no logging console
enable secret 5 XXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid Fladi.at
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXXXXXXXXXXXXX
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool PPP-POOL
   import all
   origin ipcp
   lease 0 0 5
!
ip dhcp pool LAN
   network 192.168.0.0 255.255.255.0
   bootfile pxelinux.0
   next-server 192.168.0.1 
   dns-server 192.168.0.1 82.150.192.2 82.150.192.3 
   default-router 192.168.0.254 
   domain-name home.fladi.at
!
ip dhcp pool WLAN
   network 192.168.1.0 255.255.255.0
   domain-name home.fladi.at
   dns-server 192.168.0.1 82.150.192.2 82.150.192.3 
   default-router 192.168.1.254 
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name home.fladi.at
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
multilink bundle-name authenticated
!
!
!
username admin password XXXXXXXXXXXXXXXXX
username noc password XXXXXXXXXXXXXXXXX
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.848 point-to-point
 pvc 8/48 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.0.1
 ip nat inside
 ip virtual-reassembly
 !
 encryption mode ciphers aes-ccm tkip 
 !
 ssid Fladi.at
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 ipv6 address FROM-ISP-V6 ::2/64
 ipv6 enable
 no cdp enable
!
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 ipv6 address FROM-ISP-V6 ::1/64
 ipv6 enable
 ipv6 nd prefix 2A02:5D8:208:2::/64 2592000 604800
 ipv6 nd ra interval 30
 arp timeout 600
!
interface Dialer1
 bandwidth 10000000
 bandwidth inherit 10000000
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 snmp ifindex persist
 ipv6 address autoconfig
 ipv6 enable
 ipv6 dhcp client pd FROM-ISP-V6
 no cdp enable
 ppp chap hostname XXXXXXXXXXXXXXXXX@tirol-dsl.at
 ppp chap password 7 XXXXXXXXXXXXXXXXX
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp address required
!
no ip forward-protocol nd
ip forward-protocol udp 1900
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.1 22 interface Dialer1 22
ip nat inside source static tcp 192.168.0.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.1 389 interface Dialer1 389
ip nat inside source static tcp 192.168.0.1 636 interface Dialer1 636
ip nat inside source static tcp 192.168.0.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.0.1 5432 interface Dialer1 5432
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143
ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993
ip nat inside source static tcp 192.168.0.1 5666 interface Dialer1 5666
ip nat inside source static tcp 192.168.0.1 8140 interface Dialer1 8140
ip nat inside source static udp 192.168.0.1 161 interface Dialer1 161
ip nat inside source static udp 192.168.0.1 88 interface Dialer1 88
ip nat inside source static udp 192.168.0.1 464 interface Dialer1 464
ip nat inside source static udp 192.168.0.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.1 53 interface Dialer1 53
ip nat inside source static udp 192.168.0.1 4666 interface Dialer1 4666
ip nat inside source static tcp 192.168.0.1 4001 interface Dialer1 4001
ip nat inside source static tcp 192.168.0.1 4662 interface Dialer1 4662
ip nat inside source static tcp 192.168.0.1 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.0.1 6882 interface Dialer1 6882
ip nat inside source static tcp 192.168.0.1 14987 interface Dialer1 14987
ip nat inside source static tcp 192.168.0.1 14988 interface Dialer1 14988
!
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit any
access-list 5 remark Access - allowed Hosts
access-list 5 remark r4-ebg-rh.inn.hotze.com - TA LNS1
access-list 5 permit 82.150.197.198
access-list 5 remark picard.srv.hotze.com
access-list 5 permit 82.150.192.240
access-list 5 remark kirk.srv.hotze.com
access-list 5 permit 82.150.193.240
access-list 5 remark hotze.com Office
access-list 5 permit 82.150.198.32 0.0.0.31
access-list 5 remark Kundennetz
access-list 5 permit 82.150.208.108 0.0.0.3
access-list 5 remark home.fladi.at
access-list 5 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
snmp-server community XXXXXXXXXXXXXXXXX RO
snmp-server ifindex persist
snmp-server location Austria, Graz, home.fladi.at
snmp-server contact Michael Fladischer, michael@fladi.at
snmp-server chassis-id router.home.fladi.at 
ipv6 route ::/0 Dialer1
!
!
!
!
!
ipv6 access-list ROUTER-ACCESS
 permit ipv6 2A02:5D8::/48 any
 permit ipv6 2A02:5D8:1::/48 any
 permit ipv6 2A02:5D8:198::/48 any
 permit ipv6 2A02:5D8:192::/48 any
 permit ipv6 2A02:5D8:193::/48 any
 permit ipv6 2A02:5D8:208:1::/64 any
 permit ipv6 2A02:5D8:208:2::/64 any
!
ipv6 access-list INBOUND
 remark service ports are destination ports: 'eq' belongs after the host, not after the source
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq www
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 22
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 443
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 143
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 993
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq smtp
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq domain
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 4001
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 3306
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 5432
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 5666
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 389
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 636
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 8140
 permit udp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq snmp
 permit udp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq domain
 permit udp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 88
 permit udp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq 464
 remark an explicit catch-all deny also drops neighbor discovery unless it is permitted first
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark first match wins, so the catch-all deny must be the last entry
 deny ipv6 any any
 remark not applied yet: needs 'ipv6 traffic-filter INBOUND in' on Dialer1, plus RA and DHCPv6 exceptions
!
control-plane
!
!
line con 0
 session-timeout 120 
 exec-timeout 0 0
 login local
 no modem enable
 transport output telnet ssh
line aux 0
line vty 0 4
 access-class 5 in
 ipv6 access-class ROUTER-ACCESS in
 login local
 transport input ssh
 transport output ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
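Two things are easy to get wrong in a dual-stack setup like the one above: an IPv6 ACL entry can be shadowed by an earlier catch-all deny (first match wins) or can test the source port because `eq` was written after the source, and the IPv4 port forwards and the IPv6 permits can drift apart. The checker below is an added example, not part of the page's configuration; it runs over a constructed excerpt modelled on the router config, with the ACL deliberately written in the shadowed, source-port form.

```python
import re

# Constructed excerpt modelled on the router configuration above (not the full config).
CONFIG = """\
ip nat inside source static tcp 192.168.0.1 80 interface Dialer1 80
ip nat inside source static udp 192.168.0.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.1 6881 interface Dialer1 6881
ipv6 access-list INBOUND
 deny ipv6 any any
 permit tcp any eq www host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7
 permit tcp any host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7 eq smtp
 permit udp any eq domain host 2A02:5D8:208:2:92E6:BAFF:FE16:B3B7
!
"""
NAMED_PORTS = {"www": 80, "smtp": 25, "domain": 53, "snmp": 161}  # IOS port keywords

def ipv4_forwarded_ports(cfg):
    """(proto, port) pairs exposed through static NAT on the IPv4 side."""
    hits = (re.match(r"ip nat inside source static (tcp|udp) \S+ (\d+) interface", l) for l in cfg.splitlines())
    return {(m.group(1), int(m.group(2))) for m in hits if m}

def ipv6_acl_entries(cfg, name):
    """Entry lines of the named IPv6 ACL, in configured (first-match) order."""
    entries, inside = [], False
    for line in cfg.splitlines():
        if line == f"ipv6 access-list {name}":
            inside = True
        elif inside and line.startswith(" "):
            entries.append(line.strip())
        elif inside:
            break
    return entries

def lint_ipv6_acl(entries):
    """(index, message) for entries that can never match or that test the wrong port."""
    findings, shadowed = [], False
    for i, entry in enumerate(entries):
        if shadowed:  # first match wins, so nothing after a catch-all deny is reachable
            findings.append((i, "shadowed by earlier 'deny ipv6 any any'"))
        shadowed = shadowed or entry == "deny ipv6 any any"
        if re.match(r"permit (tcp|udp) any eq \S+ host", entry):
            findings.append((i, "'eq' follows the source, so it matches the source port"))
    return findings

def dual_stack_gap(cfg, acl="INBOUND"):
    """Ports open via IPv4 NAT but absent from the IPv6 ACL, and vice versa."""
    hits = (re.match(r"permit (tcp|udp) .*eq (\S+)", e) for e in ipv6_acl_entries(cfg, acl))
    v6 = {(m.group(1), NAMED_PORTS.get(m.group(2)) or int(m.group(2))) for m in hits if m}
    v4 = ipv4_forwarded_ports(cfg)
    return v4 - v6, v6 - v4
```

On the excerpt, every permit is reported as shadowed, the two source-side `eq` entries are flagged, and the gap shows tcp/6881 forwarded only over IPv4 and smtp permitted only over IPv6.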

SpeedPort W701V

Supported by OpenWRT: http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Hardware%282f%29T%282d%29Com%282f%29SpeedportW701V.html
Topic revision: r19 - 31 Aug 2010 - 19:03:06 - fladischermichael