IPV6+DDNS+DHCPv6 and Cisco routers Lab


Post by msarmien » Fri Jun 08, 2018 8:05 pm

This is a lab that uses IPv6 and DDNS with BIND and the ISC DHCPv6 server.

The lab shows how to set up a Cisco switch so it will do RA on a couple of segments but use DHCPv6 to dynamically add AAAA and PTR records.

The Cisco devices are standard images. The switch is configured so it uses DHCPv6 as a relay, so it will assign IPv6 addresses using VLANs. In addition, the switch contains the relevant commands to do RA advertisements only and let the DHCPv6 server do the rest.

The e0 interfaces on the workstations and computers are connected to the local LAN so you can manage them via IPv4; this is just for convenience.

The topology is shown below (attachment DDNS.png).

For the router, below are the relevant snippets of the configuration.


ipv6 unicast-routing

interface Loopback0
 no ip address
 ipv6 address 2012:AA::4/127
 ipv6 enable
!
interface Ethernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2012:AA::2/127
 ipv6 enable

router bgp 100
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2012:AA::3 remote-as 100
 neighbor 2012:AA::3 next-hop-self
 neighbor 2012:AA::3 soft-reconfiguration inbound
 no auto-summary
 !
 address-family ipv6
  neighbor 2012:AA::3 activate
  neighbor 2012:AA::3 default-originate
  redistribute connected
  no synchronization
 exit-address-family

For the switch the relevant configuration is below.


ipv6 unicast-routing

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2012:AA::3/127
 ipv6 enable

interface FastEthernet2/14
 switchport access vlan 10

interface Vlan1
 no ip address
 ipv6 address 2012:AA:0:1::1/64
 ipv6 enable
 ipv6 nd prefix 2012:AA:0:1::/64 no-advertise
 ipv6 nd managed-config-flag
!
interface Vlan10
 no ip address
 ipv6 address 2012:AA:0:2::1/64
 ipv6 enable
 ipv6 nd prefix 2012:AA:0:2::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2012:AA:0:1::10 Vlan1
!
router bgp 100
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 2012:AA::2 remote-as 100
 neighbor 2012:AA::2 next-hop-self
 neighbor 2012:AA::2 soft-reconfiguration inbound
 no auto-summary
 !
 address-family ipv6
  neighbor 2012:AA::2 activate
  redistribute connected
  no synchronization
 exit-address-family

Notice I use BGP as the dynamic routing protocol; any such protocol can be used if you wish (EIGRP or OSPF, for example).

The server runs Ubuntu 17.04.

Configure the server with a static IPv6 address: 2012:aa:0:1::10/64

And set a default route to 2012:aa:0:1::1

The relevant configuration is below.

DHCPv6


#
# DHCPv6 Server Configuration file.
#   see /usr/share/doc/dhcp-server/dhcpd6.conf.example
#   see dhcpd.conf(5) man page
#
# DDNS statements
ddns-updates on;           # default but good practice
ddns-update-style interim; # only supported active option
allow client-updates;      # default but good practice
#do-forward-updates;        # default but good practice
authoritative;
option dhcp6.name-servers 2012:aa:0:1::10;
# zone clauses are optional and required
# only to define params for DDNS
# may be one or more zone clauses
zone example.com {
  primary ns1.example.com;
  # uses name format could use IPv6 address format
}
zone 1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa. {
  primary ns1.example.com;
  # the above can use a dns name, instead of an IP
  # which is probably more flexible
  # primary ns1.example.com.
  # and for IPv6 can be much shorter
}
zone 2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa. {
  primary ns1.example.com;
  # the above can use a dns name, instead of an IP
  # which is probably more flexible
  # primary ns1.example.com.
  # and for IPv6 can be much shorter
}
# must be at least one subnet clause
# in a dhcpd.conf file
subnet6 2012:aa:0:1::/64 {
  # useable IP addresses in this subnet
  # can be range or /prefix format (used in example)
  #range6 2001:db8::/112;
  # optional use of temporary IPv6 addresses will not update
  # forward or reverse maps as defined by RFC 4941
  range6 2012:aa:0:1::100 2012:aa:0:1::200;
  #range6 2001:db8:0:0:1::/104 temporary;
  #subnet statements
  # DDNS statements
  ddns-domainname "example.com.";
  # use this domain name to update AAAA RR (forward map)
  ddns-rev-domainname "ip6.arpa.";
  # use this domain name to update PTR RR (reverse map)
}
subnet6 2012:aa:0:2::/64 {
  # useable IP addresses in this subnet
  # can be range or /prefix format (used in example)
  #range6 2001:db8::/112;
  # optional use of temporary IPv6 addresses will not update
  # forward or reverse maps as defined by RFC 4941
  range6 2012:aa:0:2::100 2012:aa:0:2::105;
  #range6 2001:db8:0:0:1::/104 temporary;
  #subnet statements
  # DDNS statements
  ddns-domainname "example.com.";
  # use this domain name to update AAAA RR (forward map)
  ddns-rev-domainname "ip6.arpa.";
  # use this domain name to update PTR RR (reverse map)
}

BIND


//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-query-cache { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;


        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        /* In case you want to use ISC DLV, please uncomment the following line. */
        //bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { any; };
};

zone "1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa" {
        type master;
        file "reverse.zone";
        allow-update { any; };
};

zone "2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa" {
        type master;
        file "reverse2.zone";
        allow-update { any; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

example.com.zone
$ORIGIN .
$TTL 86400      ; 1 day
example.com             IN SOA  ns1.example.com. hostmaster.example.com. (
                                66         ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.example.com.
$ORIGIN example.com.
ns1                     AAAA    2012:aa:0:1::10
r1                      AAAA    2012:aa:0:1::

reverse.zone
$ORIGIN .
$TTL 3600       ; 1 hour
1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa IN SOA ns1.example.com. hostmaster.example.com. (
                                56         ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.com.

reverse2.zone
$ORIGIN .
$TTL 3600       ; 1 hour
2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa IN SOA ns1.example.com. hostmaster.example.com. (
                                57         ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.com.

The workstations are standard Windows and Ubuntu images set up to do DHCPv6; no special configuration is needed.

Things to note:
  • The IPv6 prefixes, of course, are just for the lab. They should not be used in the real world.
  • Linux devices do not send the HOSTNAME when requesting an IPv6 address.
  • To fix the above, modify the dhclient or NetworkManager configuration (whichever you use) and set the HOSTNAME variable.
  • Another solution would be to use nsupdate to add the corresponding records. There are scripts in the wild that accomplish this.
  • Finally, when testing connectivity using an FQDN on the Linux workstation, disable the e0 interface. This forces the device to use IPv6 and correctly resolve AAAA records.

Hopefully the lab will be instructional to people.

Cheers,
Miguel.
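As an added example (not part of the original post), the following Python derives the ip6.arpa zone names used in the dhcpd6.conf and named.conf above from the lab's /64 prefixes, builds the PTR owner name a DDNS update will write for a given lease, and checks that each range6 lies inside its subnet6 and inside a reverse zone the BIND server is master for. The LAB_RANGES and LAB_REVERSE_ZONES values are copied from the lab configuration; the function names are my own.

```python
# Added example: reverse-zone arithmetic for the DHCPv6 + DDNS lab above.
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed from the lab config: range6 per subnet6, and the named.conf reverse zones.
LAB_RANGES: Dict[str, Tuple[str, str]] = {
    "2012:aa:0:1::/64": ("2012:aa:0:1::100", "2012:aa:0:1::200"),
    "2012:aa:0:2::/64": ("2012:aa:0:2::100", "2012:aa:0:2::105"),
}
LAB_REVERSE_ZONES = [
    "1.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa",
    "2.0.0.0.0.0.0.0.a.a.0.0.2.1.0.2.ip6.arpa",
]


def ip6_arpa_zone(prefix: str) -> str:
    """Reverse zone name for a prefix that ends on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for one ip6.arpa zone")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa"


def ptr_owner(address: str) -> str:
    """Full 32-nibble owner name that a DDNS PTR update for this lease will target."""
    return ipaddress.IPv6Address(address).reverse_pointer


def covering_zone(address: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific configured reverse zone containing the lease's PTR name, or None."""
    owner = ptr_owner(address)
    hits = [z for z in zones if owner.endswith("." + z)]
    return max(hits, key=len) if hits else None


def check_ranges(ranges: Dict[str, Tuple[str, str]], zones: Iterable[str]) -> Dict[str, bool]:
    """True per subnet when both range ends are inside the subnet and a served reverse zone."""
    zones = list(zones)
    result = {}
    for prefix, (lo, hi) in ranges.items():
        net = ipaddress.IPv6Network(prefix)
        result[prefix] = all(
            ipaddress.IPv6Address(a) in net and covering_zone(a, zones) is not None
            for a in (lo, hi)
        )
    return result


if __name__ == "__main__":
    for p in LAB_RANGES:
        print(p, "->", ip6_arpa_zone(p))
    print(check_ranges(LAB_RANGES, LAB_REVERSE_ZONES))
```

A lease whose PTR name falls outside every zone in LAB_REVERSE_ZONES would make the reverse DDNS update fail, so a False here points at a missing zone clause rather than a client problem.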