Now, with version 9 of the ASA code set, we get the dynamic routing protocol OSPF. RIPng is not in version 9.0.1, by the way, and it's unclear whether Cisco has RIP support on a milestone or as a TBD.
First, let's look at my simple lab ASA5505 device:
asaken# show ipv6 interface br
Ethernet0/0 [up/up]
unassigned
Ethernet0/1 [down/down]
unassigned
Ethernet0/2 [down/down]
unassigned
Ethernet0/3 [down/down]
unassigned
Ethernet0/4 [up/up]
unassigned
Ethernet0/5 [down/down]
unassigned
Ethernet0/6 [down/down]
unassigned
Ethernet0/7 [down/down]
unassigned
inside [up/up]
fe80::21f:caff:fef3:2111
2002:100::1
outside [up/up]
fe80::21f:caff:fef3:2111
And here are the interfaces' current configurations:
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
ipv6 address 2002:100::1/64
ipv6 nd reachable-time 3000
ipv6 nd ns-interval 1200
ipv6 nd dad attempts 2
ospf cost 10
asaken# show run int vlan 2
!
interface Vlan2
description outside interface external
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 1
As you can see, we have a basic two-interface model using simple inside/outside security interfaces. We are going to enable IPv6 routing on my existing IPv6-enabled interface.
First, you need to build an IPv6 router process. Just like with IPv4, this process is configured globally, but the router-id has to be an IPv4 address in x.x.x.x format. You have to define this router-id for the process to work properly.
!
ipv6 router ospf 10
router-id 192.168.110.254
passive-interface default
no passive-interface outside
log-adjacency-changes
!
Note: I also set passive-interface as the default for all interfaces and then disabled it on outside. We need to enable IPv6 OSPF routing per interface.
asaken# show ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.110.1 255.255.255.0 CONFIG
Vlan2 outside 72.xx.x.105 255.255.255.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.110.1 255.255.255.0 CONFIG
Vlan2 outside 72.xx.x.105 255.255.255.0 DHCP
asaken#
So VLAN 1 is going to have a simple OSPF routing command issued. This configuration step is similar, if not 100% identical, to that on a Cisco ISR/ASR router.
config t
asaken(config-if)# int vlan 1
asaken(config-if)# ipv6 ospf 10 area 0
asaken(config-if)#
asaken# sh run int vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
ipv6 address 2002:100::1/64
ipv6 nd reachable-time 3000
ipv6 nd ns-interval 1200
ipv6 nd dad attempts 2
ospf cost 10
ipv6 ospf 10 area 0
asaken#
Note: if you enable an IPv6 router process on an interface with no IPv6 enabled, you will get a friendly reminder:
INFO: IPV6 not enabled on this interface. Router process not started.
To validate that the interface is set up for OSPFv3, we can use the following show command:
asaken# show ipv6 ospf int
outside is up, line protocol is up
Link Local Address fe80::21f:caff:fef3:2111, Interface ID 15
Area 0, Process ID 10, Instance ID 0, Router ID 192.168.110.254
Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State WAITING, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08
Wait time before Designated router selection 0:00:29
Graceful restart helper support disabled
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
I hope you find this post helpful. I will next explore OSPFv3 authentication support on Cisco NX-OS routers. Please stay tuned ;)
Ken Felix
your freelance Network and Security Engineer
kfelix "a@t" hyperfeed.com
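Added example (not from the original post or from Cisco): a Python pre-check that reads a saved running-config and reports, per nameif, whether the interface is in OSPFv3, whether the router process would not start because IPv6 is not enabled, and whether the passive-interface settings leave it passive or active. The function name, the sample config (constructed from the snippets above) and the rule that any "ipv6 address" or "ipv6 enable" line counts as IPv6 being on are assumptions.

```python
import re

# Constructed sample: the post's Vlan1/Vlan2 and router-process snippets, trimmed.
SAMPLE = """\
interface Vlan1
 nameif inside
 ipv6 address 2002:100::1/64
 ipv6 ospf 10 area 0
!
interface Vlan2
 nameif outside
!
ipv6 router ospf 10
 passive-interface default
 no passive-interface outside
"""

def audit_ospfv3(config):
    """Map each nameif to its OSPFv3 state. Sections end at '!' or the next header."""
    ifaces, procs, cur = [], {}, None
    for s in (line.strip() for line in config.splitlines()):
        if re.match(r"interface \S+$", s):
            ifaces.append(cur := {"name": None, "v6": False, "pid": None})
        elif m := re.match(r"ipv6 router ospf (\d+)$", s):
            cur = procs.setdefault(m.group(1), {"default": False, "passive": set(), "active": set()})
        elif s == "!" or cur is None:
            cur = None
        elif "name" in cur:  # inside an interface block
            if m := re.match(r"nameif (\S+)", s):
                cur["name"] = m.group(1)
            elif re.match(r"ipv6 (address|enable)\b", s):  # assumption: either turns IPv6 on
                cur["v6"] = True
            elif m := re.match(r"ipv6 ospf (\d+) area \S+", s):
                cur["pid"] = m.group(1)
        elif s == "passive-interface default":  # inside the router block
            cur["default"] = True
        elif m := re.match(r"(no )?passive-interface (\S+)", s):
            (cur["active"] if m.group(1) else cur["passive"]).add(m.group(2))
    report = {}
    for i in (i for i in ifaces if i["name"]):
        n, p = i["name"], procs.get(i["pid"])
        passive = bool(p) and (n in p["passive"] or (p["default"] and n not in p["active"]))
        checks = [(i["pid"] is None, "not in OSPFv3"),
                  (not i["v6"], "process not started (IPv6 not enabled)"), (passive, "passive")]
        report[n] = next((label for hit, label in checks if hit), "active")
    return report

if __name__ == "__main__":
    print(audit_ospfv3(SAMPLE))
```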