Tuesday, January 30, 2018

update on the certification

Here is an update - a few years later I still haven't received my number. I tried to pass the lab a few times (was it 2 or 3?), but it was quite obvious to me that I had to type faster - every time I was running out of time. And at this point I ran out of money for this hobby project.

Today, I prefer to learn more useful skills such as programming, software architecture and related disciplines. I don't feel that there is any drastic change in the way we operate networks: routing protocols are still the same, network hardware works the same way as before - everything just gets bigger and faster. You can probably disagree and say: "Look! There are so many SDN projects around!" - but I'll reply: "Yes, but what exactly do they change?" By moving complexity to a different place in the network you will probably make it look more novel... But based on history we are just repeating the pattern: centralized vs. distributed architecture and control. While we, network engineers, were building distributed networks, the mobile industry was building very centralized ones instead. Now, traditional packet networking is switching to centralized (with all kinds of controllers) and the mobile industry is switching to distributed because packet gateways cannot handle so much traffic in a central location. So, what exactly have we accomplished, as an industry, in the last 5 years?

Just my .05 cents.

Thanks for reading.

Monday, January 29, 2018

Cisco Configuration for Comcast IPv6

Looking for an IPv6 config for a Cisco IOS router? Here it is!

Here is an example of the Comcast IPv6 config I have at home. The router has three GigE interfaces: g0/0 is the LAN, g0/1 is the separate segment for my IPv6 servers (shut down in the config as shown), and g0/2 is connected to the Comcast cable modem, which runs in bridge mode.

The router gets a /56 IPv6 prefix through DHCPv6 Prefix Delegation and uses it to number the internal g0/0 interface. It also carves a separate /64 subnet out of that prefix for the g0/1 interface, where all of my IPv6 servers are connected. (The configuration below hints for ::/60 with `ipv6 dhcp client pd hint ::/60`; the size actually delegated is decided by Comcast, and the general-prefix addresses on g0/0 and g0/1 are derived from whatever arrives.) I rely on Google DNS instead of Comcast's.
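To make the general-prefix arithmetic concrete, here is an added Python example (not part of the original post) that computes the addresses IOS forms from `ipv6 address comcast ::1/64` and `ipv6 address comcast ::1:0:0:0:1/64` for a given delegated prefix, and how many /64 subnets a /56 versus a /60 delegation leaves for the LAN side. The 2001:db8 prefixes are constructed documentation-range values, not real Comcast delegations.

```python
import ipaddress

def general_prefix_address(delegated, suffix, plen=64):
    """Form the address IOS builds from `ipv6 address <general-prefix> <suffix>/<plen>`.

    The delegated prefix contributes its leading bits (up to its own length);
    the suffix supplies the rest, i.e. the subnet-ID bits that sit between the
    delegated length and /64 plus the interface ID.  Suffix bits that overlap
    the delegated part are dropped (an assumption: a sensible suffix has none).
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    host_bits = 128 - net.prefixlen
    suffix_part = int(ipaddress.IPv6Address(suffix)) & ((1 << host_bits) - 1)
    addr = ipaddress.IPv6Address(int(net.network_address) | suffix_part)
    return ipaddress.IPv6Interface(f"{addr}/{plen}")

def derived_lan_addresses(delegated):
    """Apply the two suffixes used in the config (g0/0 and g0/1) to a delegation."""
    return {
        "GigabitEthernet0/0": general_prefix_address(delegated, "::1"),
        "GigabitEthernet0/1": general_prefix_address(delegated, "::1:0:0:0:1"),
    }

def subnet_count(delegated):
    """How many /64 subnets a delegation of this size provides."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 carries no whole /64 subnet")
    return 1 << (64 - net.prefixlen)

if __name__ == "__main__":
    # Constructed documentation-range prefixes, not real delegations.
    for pd in ("2001:db8:abcd:ff00::/56", "2001:db8:abcd:fff0::/60"):
        print(pd, "->", subnet_count(pd), "x /64")
        for ifname, iface in derived_lan_addresses(pd).items():
            print(" ", ifname, iface)
```

With a /60 delegation the `::1:0:0:0:1` suffix still lands in the second of the sixteen available /64s, so the two interface lines work unchanged whichever size Comcast hands out.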

A basic management access list (applied as an IPv4 and an IPv6 access-class on the vty lines) blocks inbound SSH connections from any subnet not on the whitelist. Note that this protects the router itself only: the Comcast-facing interface carries no IPv6 traffic filter and no stateful inspection, so LAN hosts that take global addresses from the delegated prefix are reachable from the Internet unless they filter for themselves, while the IPv4 side is shielded only by NAT overload plus the `internet_in` bogon list.

router#show running-config
Building configuration...

Current configuration : 3497 bytes
!
upgrade fpd auto
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <my-router>
!
boot-start-marker
boot system disk0:/ciscoXXXX.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$secret
!
aaa new-model
!
!
!
!
aaa session-id common
no ip source-route
ip cef
!
!
!
ip dhcp pool homenet
   network 10.0.1.0 255.255.255.0
   domain-name domain.net
   dns-server 8.8.8.8 8.8.4.4
   default-router 10.0.1.1
!
!
ip domain name domain.net
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool homenet6
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
 domain-name domain.net
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$adminpassword//
archive
 log config
  hidekeys
!
!
!
!
!
ip tcp ecn
ip tcp path-mtu-discovery
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
 description <<home network>>
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 ipv6 address comcast ::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server homenet6
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 ipv6 address comcast ::1:0:0:0:1/64
!
interface GigabitEthernet0/2
 description <<comcast cable modem>>
 ip address dhcp
 ip access-group internet_in in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 ipv6 address dhcp rapid-commit
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd hint ::/60
 ipv6 dhcp client pd comcast rapid-commit
 no cdp enable
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/2 overload
!
ip access-list standard remote_management
 permit 10.0.1.0 0.0.0.255 log
 deny   any log
!
ip access-list extended internet_in
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   icmp any any echo log
 deny   icmp any any redirect log
 deny   icmp any any timestamp-request log
 deny   icmp any any information-request log
 deny   icmp any any mask-request log
 permit ip any any
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255
!
!
!
!
!
!
ipv6 access-list remote_mangement_v6
 permit ipv6 dead:beef:c0ff:D0::/64 any
 deny ipv6 any any log
!
control-plane
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport output all
 stopbits 1
line aux 0
 transport output all
 stopbits 1
line vty 0 4
 access-class remote_management in
 ipv6 access-class remote_mangement_v6 in
 transport input ssh
 transport output all
line vty 5 15
 access-class remote_management in
 ipv6 access-class remote_mangement_v6 in
 transport input ssh
 transport output all
!
end
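As an added check (not part of the original post), the following Python evaluates the IPv4 `internet_in` bogon filter from the configuration above the way IOS does, first match wins with an implicit deny at the end, after converting each wildcard mask into a CIDR block. The ACL text is copied from the configuration; the probe addresses are constructed. It also handles the all-zeros and all-ones wildcards, which the standard library's hostmask parsing would read the wrong way round.

```python
import ipaddress

# Sample input: the IPv4 `ip` entries of the `internet_in` list from the config above.
INTERNET_IN = """\
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any any
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard -> CIDR: 0.0.255.255 is /16, 31.255.255.255 is /3.  Computed by
    hand because ipaddress reads 0.0.0.0 / 255.255.255.255 as netmasks (/0 and /32)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single CIDR form")
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)

def parse_source_entries(text):
    """Keep only `permit|deny ip <src>` entries as (action, source network), in order."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] not in ("permit", "deny") or p[1] != "ip":
            continue  # the icmp entries need type matching as well; not modelled here
        if p[2] == "any":
            src = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            src = wildcard_to_network(p[2], p[3])
        entries.append((p[0], src))
    return entries

def source_verdict(entries, src_ip):
    """First match wins, as on IOS; the implicit deny at the end catches the rest."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"
```

Call `source_verdict(parse_source_entries(INTERNET_IN), "100.64.9.9")` to see the shared-address-space entry fire; an address just past a range, such as 100.128.0.1, falls through to the final `permit ip any any`.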