Monthly Archives: March 2016

Test AAA Server on Cisco ASA and IOS Devices

March 29, 2016AAA, Cisco, Cisco ASA, SecurityAAA, Cisco ASA, Cisco IOSAmolak

When We configure AAA on Cisco ASA or any IOS device (Router/Switch), it is always a good practice to confirm that the configuration is good and the server is available and responding correctly.

Cisco IOS:

Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ROUTER-1#test aaa group radius server 10.1.2.3 amolak password123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

ROUTER-1#test aaa group radius server 10.1.2.3 amolak wrongpassword legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

Cisco ASA:

Radius Servers Group Name: RADIUS-SERVERS
Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: password123
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
INFO: Authentication Successful

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: wrongpassword
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

Note that you can choose the group, or specific server in the group. This makes it possible to check all servers in the group are working.

Self Signed Certificate for WebVPN on ASA

March 29, 2016Cisco ASA, Security, VPNAnyConnect, ASA, WebVPNAmolak

We will configure self signed certificate on Cisco ASA for AnyConnect (WebVPN).

1.Generate an RSA key for the certificate. The name should be unique. For example, sslvpnkeypair.

ASA-1(config)#crypto key generate rsa label sslvpnkeypair modulus 1024
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait…

2. Create a trustpoint for the self-issued certificate.

ASA-1(config)#crypto ca trustpoint self

3. The fully qualified domain name is used for both fqdn and CN. The name should resolve to the ASA outside interface IP address.

ASA-1(config-ca-trustpoint)#enrollment self
ASA-1(config-ca-trustpoint)#fqdn vpn.amolak.net
ASA-1(config-ca-trustpoint)#subject-name CN=vpn.amolak.net

4. The RSA key is assigned to the trustpoint for certificate creation.

ASA-1(config-ca-trustpoint)#keypair sslvpnkeypair

5. Assign the trustpoint to be used for SSL connections on the outside interface.

ASA-1(config-ca-trustpoint)#crypto ca enroll self noconfirm
% The fully-qualified domain name in the certificate will be: vpn.amolak.net
ASA-1(config)# ssl trust-point self outside

Final Configuration:

crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint self
 enrollment self
 fqdn vpn.amolak.net
 subject-name CN=vpn.amolak.net
 keypair sslvpnkeypair
!
crypto ca enroll self noconfirm
!
ssl trust-point self outside

BGP Default Route

March 24, 2016BGP, Cisco, Service ProviderBGP, Default RouteAmolak

We will discuss the different ways to advertise a default route in BGP. We will use following network topology for the same.

1. default-information originate

A default route can be injected into BGP with the command ‘default-information originate’. Following conditions must be fulfilled to use this method.

– A default route must be in the local routing table.
– The default route must be redistributed into the BGP
– Add ‘default-information originate’ under router bgp <ASN>

Here is the initial configuration and BGP status on all routers.

Let’s first try to add a static default route and redistribute it into BGP on R1.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip route 0.0.0.0 0.0.0.0 null0
R1(config)#router bgp 100
R1(config-router)#redistribute static
R1(config-router)#
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 redistribute static
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1(config-router)#do sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0 (connected), candidate default path
  Redistributing via bgp 100
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
R1(config-router)#
R1(config-router)#do sh ip bgp
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1(config-router)#

R1 is not yet advertising default route into BGP. It shows that simply redistributing a default route into BGP would not help. Let’s add a ‘default-information originate’ under BGP.

R1(config-router)#router bgp 100
R1(config-router)#default-information originate
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 redistribute static
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
 default-information originate
R1(config-router)#do sh ip bgp
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 ?
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1(config-router)#

Now you can see all BGP peers (iBGP and eBGP) are receiving default route information from R1.

R2#sh ip bgp
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1               0             0 100 ?
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:02:25 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:02:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R2#

R3#sh ip bgp
BGP table version is 8, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          13.13.13.1               0             0 100 ?
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 300", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 13.13.13.1 00:04:36 ago
  Routing Descriptor Blocks:
  * 13.13.13.1, from 13.13.13.1, 00:04:36 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R3#

R4#sh ip bgp
BGP table version is 8, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          14.14.14.1               0    100      0 ?
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
  Last update from 14.14.14.1 00:05:21 ago
  Routing Descriptor Blocks:
  * 14.14.14.1, from 14.14.14.1, 00:05:21 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none

2. network 0.0.0.0

A default route can be injected into BGP with configuration of ‘network 0.0.0.0’ under BGP if a default route is available in the local routing table of a router.

Following conditions must be fulfilled to use this method.

– A default route must be in the local routing table.
– Add ‘network 0.0.0.0’ under router bgp <ASN>

Let’s remove previously configured ‘default-information originate’ and ‘redistribute static’ commands and use ‘network 0.0.0.0’.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 100
R1(config-router)#no default-information originate
R1(config-router)#no redistribute static
R1(config-router)#network 0.0.0.0
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 0.0.0.0
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1(config-router)#end
R1#sh ip
*Mar 24 11:42:36.623: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip bgp
BGP table version is 13, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1#

Let’s verify BGP table and default route on peer routers.

R2#sh ip bgp
BGP table version is 12, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1               0             0 100 i
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:01:54 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:01:54 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none

R3#sh ip bgp
BGP table version is 10, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          13.13.13.1               0             0 100 i
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 300", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 13.13.13.1 00:02:17 ago
  Routing Descriptor Blocks:
  * 13.13.13.1, from 13.13.13.1, 00:02:17 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none

R4#sh ip bgp
BGP table version is 10, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          14.14.14.1               0    100      0 i
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
  Last update from 14.14.14.1 00:03:06 ago
  Routing Descriptor Blocks:
  * 14.14.14.1, from 14.14.14.1, 00:03:06 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none

3. neighbor x.x.x.x default-originate

If you want to advertise default route to a specific peer, this is the method for that requirement.

– Add ‘neighbor x.x.x.x default-originate’ under router bgp <ASN>
– It does not even check for the existence of a default route in the IP routing table
– The ‘default-information originate’ command should not be configured with the ‘neighbor x.x.x.x default-originate’ command on the same router

Let’s remove previously configured commands.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip route 0.0.0.0 0.0.0.0 Null0
R1(config)#router bgp 100
R1(config-router)#no  network 0.0.0.0
R1(config-router)#end
R1#sh run
*Mar 24 11:50:22.479: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1#sh ip route 0.0.0.0
% Network not in table
R1#sh ip bgp
BGP table version is 14, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Now advertise default route only to R2.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 100
R1(config-router)#neighbor 12.12.12.2 default-originate
R1(config-router)#end
R1#s
*Mar 24 11:53:46.471: %SYS-5-CONFIG_I: Configured from console by consoleh
R1#sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 12.12.12.2 default-originate
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1#clear ip bgp 12.12.12.2 soft
R1#sh ip bgp
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                                0 i
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1#sh ip route 0.0.0.0
% Network not in table
R1#

Notice there is no default route available in local routing table of R1 and bgp table also shows there is no best route (no *> status) for 0.0.0.0 network.

Let’s verify what R1 is advertising to its peers.

R1#sh ip bgp neighbors 12.12.12.2 advertised-routes
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Originating default network 0.0.0.0

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Total number of prefixes 3

R1#sh ip bgp neighbors 13.13.13.3 advertised-routes
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Total number of prefixes 4

## No default route advertised to R3(13.13.13.3)

Finally, verify BGP table and routing table on all peer routers.

R2#sh ip bgp
BGP table version is 14, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1                             0 100 i
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:08:27 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:08:27 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none

R3#sh ip bgp
BGP table version is 11, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
% Network not in table

R4#sh ip bgp
BGP table version is 11, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
% Network not in table

IPv6 Address Types

March 21, 2016IPv6IPv6Amolak

::/128 – Unspecified Address

This address may only be used as a source address by an initializing host before it has learned its own address.

IPv4 Equivalent – 0.0.0.0

::1/128 – Loopback Address

This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.

IPv4 Equivalent – 127.0.0.1

::ffff/96 – IPv4-Mapped Address

Example ::ffff:123.4.5.67

These addresses are used to embed IPv4 addresses in an IPv6 address. One use for this is in a dual stack transition scenario where IPv4 addresses can be mapped into an IPv6 address. See RFC 4038 for more details – https://www.ietf.org/rfc/rfc4038.txt

fc00::/7 – Unique Local Addresses (ULAs)

Example: fc00:1234:5678::99

These addresses are reserved for local use in home and enterprise environments and are not public address space. These addresses might not be unique, and there is no formal address registration. Packets with these addresses in the source or destination fields are not intended to be routed on the public Internet but are intended to be routed within the enterprise or organization.
See RFC 4193 for more details – https://www.ietf.org/rfc/rfc4193.txt

IPv4 Equivalent – Private or RFC1918 Addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

fe80::/10 – Link-Local Addresses

Example: fe80::1234:5678:9abc:1234

These addresses are used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.
Link-local addresses may appear as the source or destination of an IPv6 packet. Routers must not forward IPv6 packets if the source or destination contains a link local address.
See RFC 4193 for more details – https://www.ietf.org/rfc/rfc4193.txt

IPv4 Equivalent – 169.254.0.0/16

2001:0000::/32 – Teredo

Example: 2001:0000:4136:e378:8000:63bf:3fff:fdd2

This is a mapped address allowing IPv6 tunneling through IPv4 NATs. The address is formed using the Teredo prefix, the server’s unique IPv4 address, flags describing the type of NAT, the obfuscated client port and the client IPv4 address, which is probably a private address. It is possible to reverse the process and identify the IPv4 address of the relay server, which can then be looked up in the relevant RIR’s Whois database.

You can do this on the following webpage:
http://www.potaroo.net/cgi-bin/ipv6addr

2001:0002::/48 – Benchmarking

Example: 2001:2::1234

These addresses are reserved for use in documentation. They should not be used as source or destination addresses.

IPv4 Equivalent – 198.18.0.0/15

2001:0010::/28 – Orchid

Example: 2001:10::1234

These addresses are used for a fixed-term experiment. They should only be visible on an end-to-end basis and routers should not see packets using them as source or destination addresses.

2002::/16 – 6to4

Example: 2002::1234

A 6to4 gateway adds its IPv4 address to this 2002::/16, creating a unique /48 prefix. As the IPv4 address of the gateway router is used to compose the IPv6 prefix, it is possible to reverse the process and identify the IPv4 address, which can then be looked up in the relevant RIR’s Whois database.

You can do this on the following webpage:
http://www.potaroo.net/cgi-bin/ipv6addr

IPv4 Equivalent – There is no equivalent but 192.88.99.0/24 has been reserved as the 6to4 relay anycast address prefix by the IETF.

2001:db8::/32 – Documentation

Example: 2001:db8::1234

These addresses are used in examples and documentation. They should never be source or destination addresses.

IPv4 Equivalent – 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24

2000::/3 – Global Unicast

Example: 2000::1234

Other than the exceptions documented in this table, the operators of networks using these addresses can be found using the Whois servers of the RIRs listed in the registry at:
http://www.iana.org/assignments/ipv6-unicast-address-assignments

IPv4 Equivalent – No equivalent single block

ff00::/8 – Multicast

Example: ff00::1234

These addresses are used to identify multicast groups. They should only be used as destination addresses, never as source addresses.

IPv4 Equivalent – 224.0.0.0/4

Amolak Networks

Stay Hungry Stay Foolish