Random Cisco geekery, issue 3: What’s your favourite IPv6 subnetting scheme?

Before you skip this with a tl;dr, here’s the long story short:

  1. If you want to make your life easy, just use /64 subnets for everything, 'nuff said;
  2. If you really want to be frugal, in the old-school "save precious IP addresses" way you have lived with for years in IPv4, then use /112 subnets on point-to-point links between two routers, not /126 or /127: a /127 leaves only two addresses, and the one with an all-zero interface ID is the Subnet-Router anycast address (RFC 4291), which is the clash RFC 3627 warned about. Generally speaking, this hardcore approach is not advisable anyway, and note that the IETF has since changed its mind: RFC 6164 recommends /127 on inter-router links, so check what your platform supports before choosing.

Quick review of IPv6 addressing.

If you're really reading this article, it probably means you hardly need me to explain how IPv6 addressing differs from IPv4. Still, I'll try to keep it as simple as possible.

All the fuss about IPv6 comes from the fact that 30 years ago nobody would have imagined that 4.3 billion (yes, billion) IP addresses could ever be used up. There were few computers, the Internet was almost nothing, and it looked like it was going to stay that way for a very long time. The reason we soon moved from classful networks to CIDR was that whole Class A networks (now known as /8s) had been handed to institutions like MIT and Stanford University as if they were peanuts: do you really need 16 million (yes, million) unique IP addresses, especially when NAT and VPN tunnelling can make a single address enough for a reasonable number of users?

IPv6 was a radical solution: free unique global addresses for everyone, no more frustration configuring NAT! When you read that a 128-bit address offers a staggering number of unique combinations (2^128, roughly 3 followed by 38 zeros), it really is a dream coming true.

IPv6 has no notion of classful routing, no subnet-zero issues, no need for NAT (even if NAT for IPv6 does exist), and it makes configuration pretty easy with mechanisms (stateless address autoconfiguration, SLAAC) that assign unique addresses and give a host most of the information it needs automagically (kinda).

One of the most useful mechanisms is certainly EUI-64. How does it work? In short, it takes the 48-bit MAC address, inserts ff:fe in the middle, flips the universal/local bit and, voilà, you get a 64-bit interface identifier that is practically guaranteed to be unique inside your subnet. Think of it as a distant relative of APIPA, the fallback that kicks in when DHCP is missing (or, more simply, the one that gives you a hideous 169.254.0.0/16 address when you least expect it), with the difference that APIPA picks its address at random while EUI-64 derives it from the hardware. That derivation is also its weak spot from a privacy standpoint: anyone who sees the address can read the MAC (vendor OUI included) straight out of it, and the identifier follows the host from network to network. Privacy extensions (RFC 8981) and stable opaque identifiers (RFC 7217) were written precisely to avoid that.

EUI-64 on P2P links.

Let's do a little arithmetic on what we've actually got:

  1. IANA assigned only 2000::/3 for global unicast. This lowers the number from the original 2^128 down to 2^125 (still a lot: a number with 37 zeros);
  2. Of that, the bulk of what had actually been handed out when this was written came from 2001::/16, which brings the total down to 2^112 (still awesome, 33 zeros).

Now here's the tricky part. The main advice for implementing an IPv6 network, regardless of its size, is to get a /48 (which holds 65536 /64 subnets, each with 2^64 interface identifiers, i.e. about 2 followed by 19 zeros) and split it into /64s, no matter how big the subnet actually is.

Yes, this means that even a point-to-point network with just two routers lands in an address space that could host an incredible number of hosts. Why? Because of EUI-64. Thanks to it, configuration gets pretty easy: you just write something like ipv6 address 2001:db8:0:x::/64 eui-64 on each interface and only have to care about assigning a unique x (the fourth hextet, i.e. the 16-bit subnet ID within your /48) to each subnet.

Adieu to the IPv4 mindset?

Now, is this a waste or an advantage? My first thought when I saw half the address burned on automatic addressing was, obviously, the MIT & Stanford effect: what if we're giving out IPv6 addresses too easily and one day we run out of them too?

But then I realised this. While point-to-point links really do need a global address (a link-local address wouldn't show up in a traceroute and would make troubleshooting even harder), it is unlikely that even the largest company has more than 65536 subnets, counting both P2P links and LANs; and even then it can request an additional /48, which wouldn't hurt considering how many /48s the address space holds (2^45 within 2000::/3 alone, about 3 followed by 13 zeros).

Plus, while we're witnessing a moment in which really everything is getting connected to the global network, even imagining a worst case of a future with, say, 10 billion people, each with 50 devices on the network between mobile phones, TVs, computers, tablets, routers, switches and whatever else you can think of (intelligent washing machines?), and each device with its own global unicast IPv6 address, we're still talking about a demand of billions and billions against a supply of billions of billions.

So, to answer the question: yes, I think we can actually forget the IPv4 "space-saving" mindset we got used to and embrace this new, hideously wasteful way of allocating IP addresses.

Still into the old-skool addressing?

There are reasons you might want to ration IP addresses anyway. One might be that you've been allocated a single /64. Another might be that you're really into static addressing for some reason. Another might be that you just like pain.

Since in IPv4 we got used to /30 links, giving you just 2 usable addresses, you might want to do something similar in IPv6 and use a /127 prefix. Well, there are some caveats in this case. Some have been summed up in RFC 3627, which bears a quite explicitly Dijkstra-ish title: Use of /127 Prefix Length Between Routers Considered Harmful. An even easier document is IPv6 address architecture on point-to-point links by M. Yoshinobu (you may want to jump to page 25).

In very short terms, if you really want to do this, you'd better find a compromise and use a /112 instead. Addresses are still wasted, but you get fewer addressing issues (the Subnet-Router anycast address at ::0 and the reserved anycast range at the top of the subnet are easy to stay clear of) and it's still easy to configure. One caveat a reader today should know: RFC 6164 (2011) reversed the earlier advice and recommends /127 on inter-router links, precisely because a /64 on a point-to-point link exposes the routers to ping-pong traffic for unassigned addresses and to neighbour-cache exhaustion from remote scans; RFC 6547 subsequently reclassified RFC 3627 as Historic. On platforms that implement RFC 6164, /127 is the safer choice; the /112 compromise mainly matters on older gear.
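As an added example (not code from the original post), here is the arithmetic behind both points above in Python: how EUI-64 builds the interface identifier from a MAC and why that leaks the MAC to every peer, and how many addresses a /127, /126 or /112 actually leaves once the Subnet-Router anycast address is excluded. The MAC addresses and the 2001:db8::/32 prefixes are constructed for the demo; the only external facts used are RFC 4291 (EUI-64 and Subnet-Router anycast), RFC 3627 and RFC 6164.

```python
"""EUI-64 interface identifiers and point-to-point prefix lengths.

Added example, not code from the original post. Standard library only.
MAC addresses and prefixes below are constructed for the demo; 2001:db8::/32
is the IPv6 documentation prefix.
"""
import ipaddress
import re
from typing import Optional

UL_BIT = 0x02  # universal/local bit: second-lowest bit of the first octet


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    Accepts 00:1e:13:4a:2b:3c, 00-1e-13-4a-2b-3c or Cisco's 001e.134a.2b3c.
    Splits the 48-bit MAC into OUI and NIC halves, inserts 0xfffe between
    them and flips the U/L bit so a globally unique MAC gives a "universal" IID.
    """
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= UL_BIT
    return int.from_bytes(eui, "big")


def mac_from_eui64(iid: int) -> Optional[str]:
    """Recover the MAC from an EUI-64 IID, or None if the IID isn't one.

    This is the privacy cost of EUI-64 SLAAC: every peer can read the
    hardware address (vendor OUI included) out of the IPv6 address, and the
    same 64 bits follow the host onto every network it joins. RFC 8981
    (temporary addresses) and RFC 7217 (stable, opaque IIDs) avoid this.
    """
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= UL_BIT
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by SLAAC from a /64 prefix and its MAC (the same
    address `ipv6 address <prefix>/64 eui-64` gives a router interface)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def is_subnet_router_anycast(addr: str, prefixlen: int) -> bool:
    """RFC 4291 s2.6.1: the all-zero interface ID of any subnet prefix is the
    Subnet-Router anycast address and must not be assigned as unicast."""
    host_bits = 128 - prefixlen
    return int(ipaddress.IPv6Address(addr)) & ((1 << host_bits) - 1) == 0


def p2p_unicast_capacity(prefix: str) -> int:
    """Addresses left for the routers once the anycast one is excluded.

    A /127 leaves exactly one, which was the RFC 3627 objection; a /112
    leaves 65535. RFC 6164 later made /127 legitimate by having routers
    disable the Subnet-Router anycast address on such links.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    return net.num_addresses - 1


if __name__ == "__main__":
    mac = "00:1e:13:4a:2b:3c"  # constructed
    addr = slaac_address("2001:db8:0:1::/64", mac)
    print(addr, "-> MAC readable from it:", mac_from_eui64(eui64_iid(mac)))
    for plen in (127, 126, 112):
        print(f"/{plen}: {p2p_unicast_capacity(f'2001:db8::/{plen}')} unicast addresses")
```

Run it as a script to see the SLAAC address and, next to it, the MAC recovered from that address with no privileged access at all; the same function applied to a neighbour cache dump tells you which hosts on a segment are leaking hardware addresses instead of using privacy or RFC 7217 identifiers.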

Valse mélancolique et langoureux vertige.

– I had a new dream.
– New?
– New.
– Dreams are always new.
– No, I've been having the same dream for years. Except yesterday.
– And what were you dreaming?
– No, it doesn't matter. My new drea–
– No, wait, I want to know what you were dreaming.
– What do you care?
– I care. Tell me.
– Fine. I'm in a pub, I order a glass of red wine, and in the wine I find a die. But not one of the normal ones, eh. One with letters. Every time, the letters on the die change. The bartender looks at me and says "roll". In the end, after rolling and rolling, the letters spell some word. And whatever the word is, it materialises.
– Like what?
– Don't know... the other week "Ducati" came up.
– Cool!
– Cool my arse, I didn't know how to ride it and I crashed into a wall, and I died, and I woke up with a start with a splitting headache.
– And what else came up?
– Depends, sometimes nice things, sometimes not.
– Do you die often?
– No, only that time and one other.
– And do you dream dirty stuff?
– Will you stop asking idiotic questions?
– Go on, tell me.
– No. But there's always a woman in the dream.
– And who is she?
– Never seen her. And yet every time she's there, and she's with me like husband and wife.
– And is she pretty?
– Who cares if she's pret–
– I care.
– Ok, yes, she's pretty... ok, fine, actually she's wonderful. Sweet, sensual... and in love. Every time I get a crush on her, worse than a teenager.
– And do you do dirty stuff too?
– Animal.
– So you do...
– It happened only once. But I don't remember anything...
– Sure, sure...
– No, come on, I mean it, I've dreamt of her so many times, and every time it's so beautiful and so sweet that I hardly care about screwing. She's with me every moment, she loves me, she looks for me, she supports me. Once, I was being chased by the police...
– And–
– No, shut up, don't ask me why.
– What a pain.
– As I was saying, then she shows up, in some wreck of a car like a Fiat Duna, and shakes everybody off pulling stunts like in Speed, as if it were a Ferrari. Me, obviously, scared shitless, and her looking at me with this smile... Good God, I still remember that smile.
– How sappy.
– You're an idiot. It's just that these things have never happened to you. If they did, you'd understand what I mean. Every time I wake up so happy that I miss being there with her.
– You already have someone you should be missing.
– Yes, but you can't desire what you already have.

Random Cisco geekery, issue 2: Use one router to console into another, aka Reverse Telnet.

Normally we use a PC to connect to the console port of a Cisco device. However, there's another thing you can do: use the AUX port of a router to connect to the console port of another router (or even the same router, if you really fancy).

There are several reasons to learn this. One is that there are devices called access servers (such as a Cisco 2509) which let you reach up to 8 console ports through so-called async ports. Alternatively, you can use a network module like the NM-16A, which does basically the same. Attached to it you would normally use an octal cable (also called "the octopus" by the naughty ones).

The other reason (my case, coincidentally) is simply that your USB-to-serial dongle works like sh*t.

Step 1: prepare a rollover cable.

You can just buy one, but why? It's just like an Ethernet cable with a different pinout, which, I must say, is even easier than T568A/B: whatever colour order you choose on one end, you simply reverse it on the other, so that pin 1 goes to pin 8, pin 2 to pin 7, pin 3 to pin 6 and so on.

As far as I know there is no standard colour order, so I chose this on the two ends:

  1. Orange, White-orange, Green, White-green, Blue, White-blue, Brown, White-brown;
  2. White-brown, Brown, White-blue, Blue, White-green, Green, White-orange, Orange.

Step 2: learn Reverse Telnet.

Now: how can we use the AUX port?

Cisco devices expose their lines on special TCP ports that can be reached via Telnet. The port is 2000 plus the absolute line number (2nnn, where nnn is the line number). By telnetting to such a port you are attached to that line, in this case the AUX port.

First of all we need to tell the router to accept inbound telnet connections on the AUX line (the usual line aux 0 with transport input telnet). Keep in mind what you're exposing here: a cleartext telnet path straight to another device's console. Do it on a management network only, restrict who can reach the line with an access-class on it and, on IOS versions that support it, prefer reverse SSH by binding the line to an SSH rotary group (ip ssh port <port> rotary <group>).

To get the value for nnn, just issue show line on the router.
In this case nnn = 065, i.e. the AUX port is line 65.

Then pick the IP address of any interface that is not down. In this case, to be sure this works regardless of the state of the physical interfaces, I created a loopback interface with IP address 10.1.255.1, and that's what I'm going to use.

And finally we combine all this information: from R1, telnet 10.1.255.1 2065.

Here we go. R1 has offered its AUX port to let you log into R2 through R2's console port.
Let's try to exit, so that we come back to R1.

Hey, something went wrong here. Guess what? As you have probably experienced already, the console port is always up. This means that the exit command closes the EXEC session on R2 but not the underlying telnet connection from R1 to its own AUX line (remember, you're telnetting into R1 itself now, not R2), so the console simply prompts you again.

There's a keystroke that comes to help: press Ctrl+Shift+6, release, then x. This suspends the telnet session and brings you back to the original prompt on R1.

All good then? No. The session is suspended, not closed, and if you just press Enter you'll resume it and end up back on R2.

How do we fix this? You need to forcefully tear the telnet session down while on R1: either disconnect the suspended session (disconnect, or disconnect <n> if show sessions lists more than one) or clear the line it is attached to with clear line 65.

Note that, after clearing the line, I can press Enter and I’m still in R1.

Also note that the clear command doesn't always work like a charm: you often need to issue it several times before the line actually disappears from show users. This matters because, as long as the line shows as active, any further attempt to reverse telnet will stop with a frustrating "Connection refused by remote host".
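As an added example (not from the original post), a few lines of Python that do the bookkeeping of the procedure above for you, which pays off once you have an access server with 8 or 16 async lines rather than a single AUX port: parse show line, map each console-capable line to its 2000+N telnet port, flag the lines marked busy (the ones that will answer "Connection refused" until cleared) and invert a port back to the line number you need to clear. The show line text is a constructed sample in the IOS column layout, not a capture from a real router; the line numbers in it are made up to match the post.

```python
"""Map IOS lines to their reverse-telnet ports from `show line` output.

Added example, not code from the original post. The `show line` text is a
constructed sample in the IOS column layout (line numbers made up to match
the post: AUX is line 65; lines 1-2 stand in for the async ports of an access
server). The only facts relied on: IOS reaches line N on TCP port 2000+N,
and `*` in the first column marks a line currently in use.
"""
import re
from typing import Dict, List

REVERSE_TELNET_BASE = 2000  # telnet <ip> 2000+N attaches to absolute line N

# Constructed `show line` sample (not captured from a real router).
SHOW_LINE_SAMPLE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*     0 CTY              -    -      -    -    -      0       0     0/0       -
      1 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
      2 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
     65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     66 VTY              -    -      -    -    -      0       0     0/0       -
     67 VTY              -    -      -    -    -      0       0     0/0       -
"""

# Optional '*' (line busy), the absolute line number, then the line type.
LINE_RE = re.compile(r"^(\*?)\s*(\d+)\s+(CTY|TTY|AUX|VTY)\b")


def parse_show_line(text: str) -> Dict[int, str]:
    """Return {absolute line number: line type} for every row of `show line`."""
    lines = {}
    for row in text.splitlines():
        m = LINE_RE.match(row)
        if m:
            lines[int(m.group(2))] = m.group(3)
    return lines


def busy_lines(text: str) -> List[int]:
    """Lines flagged with '*' (in use). A busy AUX/TTY line is exactly the
    case where a reverse telnet fails with 'Connection refused by remote host'
    until the line is cleared."""
    return [int(m.group(2)) for m in map(LINE_RE.match, text.splitlines())
            if m and m.group(1) == "*"]


def reverse_telnet_ports(text: str) -> Dict[int, int]:
    """{line: TCP port} for the lines you can console through (AUX and the
    async TTYs of an access server). CTY and VTY are excluded on purpose."""
    return {n: REVERSE_TELNET_BASE + n
            for n, t in parse_show_line(text).items() if t in ("AUX", "TTY")}


def aux_port(text: str) -> int:
    """Port for the single AUX line, raising if it can't be determined."""
    aux = [n for n, t in parse_show_line(text).items() if t == "AUX"]
    if len(aux) != 1:
        raise LookupError(f"expected exactly one AUX line, found {aux}")
    return REVERSE_TELNET_BASE + aux[0]


def line_for_port(port: int) -> int:
    """Inverse mapping, e.g. to know which line to `clear line N` after a
    session gets stuck on that port."""
    if not REVERSE_TELNET_BASE <= port < REVERSE_TELNET_BASE + 1000:
        raise ValueError(f"{port} is not a 2xxx reverse-telnet port")
    return port - REVERSE_TELNET_BASE


if __name__ == "__main__":
    print("console-capable lines:", reverse_telnet_ports(SHOW_LINE_SAMPLE))
    print("AUX is reachable on port", aux_port(SHOW_LINE_SAMPLE))
    print("busy lines (will refuse a new reverse telnet):", busy_lines(SHOW_LINE_SAMPLE))
```

Feed it the real output of show line from your router or access server instead of the sample, and remember that whatever this maps out is a console that anyone who can reach those TCP ports gets to talk to: the access-class on the lines is not optional.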

Random Cisco geekery, issue 1: RIP route preference.

Here's the situation: two routers are connected via two interfaces, FastEthernet0/1 and Dialer1 (which is a bundle of two serial interfaces).

We're using RIP between these two routers.

Fa0/1 is experiencing some hardware problems, so we want to prefer Di1 while we investigate the issue, but we still want to be able to fail over to Fa0/1 in the meantime.

Each routing protocol has some way to set "priorities". RIP being a distance-vector protocol, it picks routes by hop count, somewhat like BGP counting autonomous systems in the AS path.

Here's the solution: under router rip, add an offset-list for Fa0/1 in both directions, offset-list 0 in 1 FastEthernet0/1 and offset-list 0 out 1 FastEthernet0/1.

The first command says: "take all the routes received on Fa0/1 and add 1 hop to their metric". The second does the same for the routes advertised to the other router over that interface, so that it prefers Di1 as well and traffic stays symmetric (apply the offset on one side only and you get asymmetric routing). The 0 in the middle stands for "all routes", but it can also be the number of an access-list if you want to alter specific routes instead.

What happens next?
RIP stops using Fa0/1 altogether, since every route learned over it is now one hop worse than the same route learned over Di1.

But still, when Di1 goes down, failover works.

Note the two routes showing as "possibly down": those are the ones learned via Di1, which RIP keeps in the table in holddown for a while before flushing them.