This lab shows how to configure a Cisco switch so that it sends Router Advertisements (RAs) on a couple of segments while a DHCPv6 server assigns the addresses and dynamically adds the AAAA and PTR records to DNS.
The Cisco devices run standard images. The switch is configured as a DHCPv6 relay so that addresses are assigned per VLAN by the DHCPv6 server. In addition, the switch contains the commands needed to send RAs only (no prefix is advertised for SLAAC) and to let the DHCPv6 server do the rest.
The e0 interfaces on the workstations and the server are connected to the local LAN so you can manage them over IPv4; this is purely for convenience and plays no part in the lab.
The topology is shown below.
For the router, the relevant snippets of the configuration are shown below.
! IPv6 forwarding must be turned on explicitly; without it the box behaves as an IPv6 host only.
ipv6 unicast-routing
! Loopback0: a /127 carved out of the 2012:AA::/64 lab block. There is no IPv4 on this router.
interface Loopback0
no ip address
ipv6 address 2012:AA::4/127
ipv6 enable
!
! Ethernet0/0: point-to-point link to the switch, whose end is 2012:AA::3/127.
interface Ethernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2012:AA::2/127
ipv6 enable
!
! iBGP (AS 100) to the switch across the /127 link. The router-id has to be set by
! hand because there is no IPv4 address for IOS to derive one from.
! "no synchronization" and "no auto-summary" are IPv4-era knobs left as the
! default template has them.
! NOTE(review): the session carries no "neighbor ... password" (TCP MD5) and is
! therefore unauthenticated; fine on an isolated lab link, not on a shared segment.
router bgp 100
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 2012:AA::3 remote-as 100
neighbor 2012:AA::3 next-hop-self
neighbor 2012:AA::3 soft-reconfiguration inbound
no auto-summary
!
! IPv6 address family: activate the neighbor, hand it a default route, and
! redistribute the connected prefixes so the switch can reach Loopback0.
address-family ipv6
neighbor 2012:AA::3 activate
neighbor 2012:AA::3 default-originate
redistribute connected
no synchronization
exit-address-family
! Layer-3 switch: routes between the VLAN SVIs, relays DHCPv6 for VLAN 10 and peers iBGP with the router.
ipv6 unicast-routing
! FastEthernet0/0: routed /127 link to the router (2012:AA::2/127).
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2012:AA::3/127
ipv6 enable
!
! Access port placing a workstation in VLAN 10.
interface FastEthernet2/14
switchport access vlan 10
!
! Vlan1 SVI, 2012:AA:0:1::/64. The DHCPv6/DNS server (::10) is on this segment,
! so no relay is needed here.
! "ipv6 nd prefix ... no-advertise" keeps the prefix out of the RA, so hosts
! cannot build a SLAAC address; "ipv6 nd managed-config-flag" sets the M bit so
! they ask DHCPv6 for one instead. The RA still supplies the default router.
interface Vlan1
no ip address
ipv6 address 2012:AA:0:1::1/64
ipv6 enable
ipv6 nd prefix 2012:AA:0:1::/64 no-advertise
ipv6 nd managed-config-flag
!
! Vlan10 SVI, 2012:AA:0:2::/64, same RA policy as Vlan1. DHCPv6 traffic is
! relayed to the server out of Vlan1; the relay's link-address tells dhcpd
! which subnet6 pool to use.
! NOTE(review): nothing here stops a host on either VLAN from sending its own
! RAs or DHCPv6 replies (rogue router / rogue DHCPv6). On a production switch
! add RA Guard and DHCPv6 Guard policies where the image supports them.
interface Vlan10
no ip address
ipv6 address 2012:AA:0:2::1/64
ipv6 enable
ipv6 nd prefix 2012:AA:0:2::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2012:AA:0:1::10 Vlan1
!
! iBGP (AS 100) to the router; router-id set by hand because there is no IPv4.
! As on the router, the session is unauthenticated (no "neighbor ... password").
router bgp 100
no synchronization
bgp router-id 2.2.2.2
bgp log-neighbor-changes
neighbor 2012:AA::2 remote-as 100
neighbor 2012:AA::2 next-hop-self
neighbor 2012:AA::2 soft-reconfiguration inbound
no auto-summary
!
! IPv6 address family: advertise the connected VLAN /64s to the router; the
! default route comes from the router's "default-originate".
address-family ipv6
neighbor 2012:AA::2 activate
redistribute connected
no synchronization
exit-address-family
The server is Ubuntu 17.04. Note that the named.conf shown further down uses the Red Hat/Fedora layout (/var/named, /etc/named.rfc1912.zones, /run/named); the Ubuntu bind9 package uses /etc/bind and /var/cache/bind instead, so adjust the paths to match your distribution.
Configure the server with a static IPv6 address: 2012:aa:0:1::10/64
And set a default route to 2012:aa:0:1::1
The relevant configuration is below.
DHCPv6
#
# DHCPv6 server configuration file (ISC dhcpd started in -6 mode).
# see /usr/share/doc/dhcp-server/dhcpd6.conf.example
# see dhcpd.conf(5) man page
#
# DDNS statements: the server registers an AAAA (forward) and a PTR (reverse)
# record for every lease it hands out.
ddns-updates on; # the default, stated explicitly
ddns-update-style interim; # style used by this lab; ISC DHCP 4.3+ also offers "standard" (see dhcpd.conf(5))
allow client-updates; # default: a client may ask to maintain its own forward record;
                      # use "ignore client-updates;" if the server should own both maps
#do-forward-updates; # default on; left commented out as a reminder
authoritative;
# Hand out this host (which also runs BIND) as the resolver.
option dhcp6.name-servers 2012:aa:0:1::10;
# Zone clauses are optional; they are only needed to set per-zone DDNS
# parameters such as the primary server and a TSIG "key". The primary may be
# given as a DNS name (as here) or as an IPv6 address.
# NOTE(review): no "key" statement is configured, so updates are sent
# unsigned and BIND can only authorise them by source address. For anything
# beyond a lab generate a TSIG key (tsig-keygen) and reference it from each
# zone clause here and in named.conf.
zone example.com {
primary ns1.example.com;
}
# Reverse zone for 2012:aa:0:1::/64 (prefix nibbles in reverse order).
zone 1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa. {
primary ns1.example.com;
}
# Reverse zone for 2012:aa:0:2::/64.
zone 2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa. {
primary ns1.example.com;
}
# At least one subnet6 clause is required in a dhcpd6.conf file.
# VLAN 1: the server's own segment. Leases come from ::100-::200, clear of
# the switch SVI (::1) and this server (::10).
subnet6 2012:aa:0:1::/64 {
# Pool of usable addresses; a range6 may also be written as a /prefix.
# Addresses declared "temporary" (RFC 4941 privacy addresses) are never
# registered in the forward or reverse maps.
range6 2012:aa:0:1::100 2012:aa:0:1::200;
# DDNS statements
ddns-domainname "example.com."; # zone the AAAA records (forward map) go into
ddns-rev-domainname "ip6.arpa."; # suffix appended to the nibble-reversed address for PTR records (reverse map)
}
# VLAN 10: reached through the switch's DHCPv6 relay; dhcpd selects this
# clause from the relay's link-address. Small pool (::100-::105).
subnet6 2012:aa:0:2::/64 {
# Pool of usable addresses; same notes as above.
range6 2012:aa:0:2::100 2012:aa:0:2::105;
# DDNS statements
ddns-domainname "example.com."; # zone the AAAA records (forward map) go into
ddns-rev-domainname "ip6.arpa."; # suffix appended to the nibble-reversed address for PTR records (reverse map)
}
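//
// named.conf
//
// Based on the named.conf shipped with the Red Hat bind package, whose
// defaults build a caching-only resolver. This copy is instead an
// AUTHORITATIVE server for example.com and two ip6.arpa reverse zones, all
// of which are kept current by dhcpd's dynamic updates (see dhcpd6.conf).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { localhost; };
// The DHCPv6 clients are IPv6-only, so answer on every IPv6 address.
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Authoritative data may be queried by anyone; recursion is off below, so
// this server cannot be abused as an open resolver.
allow-query { any; };
allow-query-cache {any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
// NOTE(review): "dnssec-enable" is deprecated from BIND 9.15 and rejected by
// 9.18+; drop the line when upgrading. "dnssec-validation" only has an effect
// on a recursive server.
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
/* In case you want to use ISC DLV, please uncomment the following line. */
//bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
// Dynamic zones. Updates are accepted from this host only, because dhcpd runs
// here: the built-in "localhost" ACL matches every address configured on
// this machine, including 2012:aa:0:1::10, so dhcpd's updates still arrive.
// The previous "allow-update { any; };" let any host on either VLAN create or
// overwrite AAAA/PTR records. An address ACL is still spoofable over UDP; the
// robust fix is a TSIG key: generate one with tsig-keygen, add the key {}
// clause here and to dhcpd6.conf, and use "allow-update { key <name>; };".
// Changes land in the .jnl journal next to each zone file; run "rndc freeze"
// before hand-editing a zone file and "rndc thaw" afterwards.
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { localhost; };
};
// Reverse zone for 2012:aa:0:1::/64.
zone "1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa" {
type master;
file "reverse.zone";
allow-update { localhost; };
};
// Reverse zone for 2012:aa:0:2::/64.
zone "2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa" {
type master;
file "reverse2.zone";
allow-update { localhost; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";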
example.com.zone
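$ORIGIN .
$TTL 86400 ; 1 day
example.com IN SOA ns1.example.com. hostmaster.example.com. (
67 ; serial (bumped: r1 address corrected)
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.example.com.
$ORIGIN example.com.
; Static records only. Client AAAA records are added by dhcpd through DDNS and
; are kept in example.com.zone.jnl, so freeze the zone (rndc freeze) before
; editing this file by hand.
ns1 AAAA 2012:aa:0:1::10 ; this host: BIND and the DHCPv6 server
; Was 2012:aa:0:1:: -- the subnet-router anycast address, which nothing in this
; lab is configured to answer. The gateway on this /64 is the switch's Vlan1 SVI.
r1 AAAA 2012:aa:0:1::1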
reverse.zone
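$ORIGIN .
$TTL 3600 ; 1 hour
1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa IN SOA ns1.example.com. hostmaster.example.com. (
57 ; serial (bumped: static PTR for ns1 added)
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
NS ns1.example.com.
$ORIGIN 1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa.
; Static PTR for the nameserver itself (2012:aa:0:1::10). The host half ::10
; written as nibbles in reverse order is 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
; Client PTRs are added by dhcpd through DDNS (journal: reverse.zone.jnl);
; freeze the zone (rndc freeze) before editing this file by hand.
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ns1.example.com.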
reverse2.zone
$ORIGIN .
$TTL 3600 ; 1 hour
; Reverse zone for 2012:aa:0:2::/64 (VLAN 10). It starts out with only the
; SOA and NS; every PTR is added by dhcpd through DDNS as leases are granted
; and lives in reverse2.zone.jnl. Freeze the zone (rndc freeze) before editing
; this file by hand.
2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa IN SOA ns1.example.com. hostmaster.example.com. (
57 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
NS ns1.example.com.
Things to note:
- The IPv6 prefixes of course are just for the lab. They should not be used in the real world.
- By default Linux hosts do not send a hostname (the DHCPv6 Client FQDN option) when requesting an IPv6 address, so the server has no name to put in the AAAA record.
- To fix this, configure the DHCPv6 client (dhclient or NetworkManager, whichever you use) to send the hostname; with dhclient this is done by setting the HOSTNAME variable.
- Another solution is to use nsupdate to add the corresponding records; there are scripts in the wild that do this. Whichever method you use, restrict who may update the zones: an `allow-update { any; };` in named.conf lets any host on the network add or overwrite records, so use a TSIG key (or at the very least an address ACL limited to the DHCP server) instead.
- Finally, when testing connectivity by FQDN from the Linux workstation, disable the e0 interface. This forces the host to use IPv6 and therefore to resolve and use the AAAA records.
Cheers,
Miguel.