Home

IPv6 Anycast

July 10, 2015

Miftah Rahman Config Router 1 Comment

According to Cisco: “An anycast address is an address that is assigned to a set of interfaces that typically belong to different nodes. A packet sent to an anycast address is delivered to the closest interface (as defined by the routing protocols in use) identified by the anycast address. Anycast addresses are syntactically indistinguishable from unicast addresses, because anycast addresses are allocated from the unicast address space. Assigning a unicast address to more than one interface makes a unicast address an anycast address. Nodes to which the anycast address is assigned must be explicitly configured to recognize that the address is an anycast address.

According to Wikipedia: “Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address.

According to Me: “metode pengalamatan jaringan (network addressing) dan routing jaringan dimana setiap akses pengguna akan di routing menuju titik (node) terdekat dari kumpulan beberapa node yang aktif (one-to-one-of-many).

Melemparkan akses ke node yang paling dekat…

————————————

Well, berawal dari keingintahuan tentang mengapa IPv6 meninggalkan broadcast dan menggantinya menjadi Anycast, I made this article…hope its helps

Pengganti dari broadcast adalah Multicast dan Anycast, why broadcast disappear in IPv6?? Because not bandwidth friendly and not processor friendly (link)

Multicast…you guys already knows this…

But anycast?…let me give you an example

Klo kita mau internetan…pasti pake DNS (siapa yang mau ngapalin IP address 112.215.88.25 atau 173.252.120.6?!?!)

Apa lagi pake IPv6…mau lu ngapain ip 2a03:2880:2130:cf05:face:b00c:0:1 hanya untuk ke facebook aja?

Untuk itu ada DNSv6 untuk IPv6, nah…Anycast di IPv6 bisa bikin 2 Server DNS punya IPv6 address yang sama persis

Dari arah Router R1…traffic ke DNS akan diarahkan ke SERVER_DNS1, sedangkan dari R3 akan diarahkan ke SERVER_DNS2

Jadi klo interface fa0/0 di R1 yang kearah DNS1 mati…otomatis traffic DNS dari R1 akan diarahkan ke SERVER_DNS2 yang ada di R3

———————————

Anycast Configuration

First…lets do some routing, we use OSPFv3 for all connection

In R1 and R3

The requirement for Anycast is:

  • Pake IPv6 IP Address network (1234::/64) for interface (jgn HOST address kek 1234::1234/64)
  • Defaultnya klo kita pake network address…akan dianggap anycast juga
  • Kenapa dipake juga keyword anycast…untuk bilang ke router secara spesifik address mana yang jadi Anycast

DNS1 and DNS2 you can config on your own like this

See…same IPv6 for those 2 DNS

———————————

Lets verify

Dari R1…kita cek ping dan trace ke 1234::1234

Lets bring Fa0/0 on R1 down

Dan R1 masih bisa ping ke 1234::1234 (lemparnya ke DNS2) in case klo fa0/0 yang ke arah DNS1 down

This is the definition of anycast

Trus kok bisa R1 nganterinnya ke DNS1, ga ke DNS2, anggeplah Fa0/0 nya ga mati?

Remember kids…Anycast is one to NEAREST…what nearest in this term is…metrics of course (OSPF cost in this case)

And that’s folks…the configuration of Anycast

———————————-

Reference:

Cbt Nugget IPv6 Video from Keith Barker #6783

http://www.e-tutes.com/lesson5/networking_fundamentals_lesson5_2.htm1

DMVPN Introduction (Dynamic Multipoint VPN)

July 7, 2015

Miftah Rahman Config Router, Network Theory , , , , , , , 5 Comments

Well…its been a while since last time I post something to my beloved blog, and now lets go straight to the topic

What is DMVPN? Why we use it? And How we do it?

Prerequisite for learning:

  • GRE (generic routing encapsulation)
  • knowledge of Routing (Protocol)
  • and….a little bit about CEF

btw…since this is the introduction, I’ll teach you how to develop DMVPN Phase 1

———————————-

Introduction

A problem with GRE…

Klo kita punya kasus kek gambar diatas…bagaimana supaya R2, R3, R4 bisa terkoneksi satu sama lain dengan GRE?

Klo yang pernah nyoba pasti jawabnya…Hub-and-Spoke atau lebih bagus lagi…FULL MESH

Baru 4 node aja…kita harus handle 6 tunnel, bayangin klo 7, 8, sampe 10 router atau kantor cabang

The solution…we will build dynamic tunnel called DMVPN (Dynamic Multipath VPN)

———————————————-

DMVPN…how it works

DMVPN itu terdiri dari 3(5) teknologi:

  1. Multipoint GRE (mGRE)
  2. Next-Hop Resolution Protocol (NHRP)
  3. Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  4. *Dynamic IPsec encryption
  5. *Cisco Express Forwarding (CEF)

Basic DMVPN cukup pake 3 point diatas…Secure DMVPN baru pake point 4, dan…DMVPN phase 2 & 3 pake point 5

DMVPN phase? Ya…DMVPN VPN dibagi jadi 3 fase

  • Phase 1: Spoke register dynamically to Hub each time they want to do communication between Spoke
  • Phase 2: Spoke-to-Spoke tunnel…using CEF, but still use Hub for NHRP source
  • Phase 3: multiple Hub for scalability

mGRE: daripada gw bikin tunnel static tiap node kek GRE, mending gw bikin hub-and-spoke aja, gw tanyain ke hub…jalan untuk ke tujuan/destination lewat mana, baru gw bikin tunnel kesana

trus nanyainnya pake apa? Pake NHRP (Next-Hop Resolution Protocol)

Apaan itu NHRP? Next Hop Resolution Protocol (NHRP) is a protocol or method that can be used so that a computer sending data to another computer can learn the most direct route (the fewest number of hops) to the receiving computer (RFC 2332)

Kek contoh diatas…tapi mirip kek ARP (Address Resolution Protocol) yah? Ho oh

Bedanya dimana? Ya beda tong…ARP minta tolong switch buat minta next-hop mac-address, NHRP minta tolong router untuk minta next-hop IP

Spoke dalam NHRP disebut NHC (NHRP Client), sedangkan Hub dalam NHRP disebut NHS (NHRP Server)

————————————————

DMVPN Configuration

Pre-config:

  • IP addressing and Default route in each router (except Internet)
  • Klo pake GNS…pake IOS 3725

On Hub (R1)

Penjelasan:

Int tunnel 0 dan tunnel source fa0/0 pretty self-explanatory (and ip address too)

  • Tunnel mode gre multipoint: ini mGRE-nya
  • Tunnel key 1234: security measure buat tunnel (MANDATORY since IOS 12.3(14)T or 12.3(11)T3…klo ga, mGRE ga mau jalan)
  • Ip nhrp network-id: locally significant, biar si router tau dia mau ngirim NHRP ke “domain” mana (jadi 2 tunnel atau lebih bisa join di domain yang sama, lebih dinamis…contoh: buat PT.A pake id 1, buat PT.B pake id 2)
  • Ip nhrp authentication [STRING]: security measure, hanya node2 yang tau yang berhak bikin tunnel via registrasi ke hub
  • Ip nhrp map multicast dynamic: salah satu key component DMVPN, jadi Hub bisa mapping siapa mau bikin tunnel ke siapa, asal ngomong dulu ke dia (mapping-nya kek mac-address Port Security “sticky” di switch)
  • Ip nhrp shortcut: digunakan di DMVPN phase 3, untuk rewrite CEF entry…after getting redirect message? Who gave it?…
  • Ip nhrp redirect: this is the one who gave it, fitur ini mirip ke ICMP Redirect, klo si hub tau best path ke destination yang lebih pendek/cepat…dia akan ngasih tau ke source node-nya “kirim aja ke sono langsung…”

Jadi untuk ip nhrp shortcut and redirect digunakan untuk DMVPN phase 2 dan 3

Penjelasan:

Rata2 sekarang switch/router sudah mendukung jumbo frame (MTU lebih dari 1500), tapi klo engga…dengan path-mtu-discovery, router bisa ngukur besar paket yang akan dikirim supaya ga di fragmentasi (that’s the definition of MTU right?!?)

(kadang2 suka ga jalan ini mtu-discovery, entah karena ICMP nya ke blok makanya “pengukuran” MTU-nya kaga jalan, jadi kasi aja no path-mtu-discovery…). Kita juga bisa kasi manual MTU limiter kek Ip mtu 1400 artinya kita set max MTU 1400, nah MSS (max-segment size) kita kurangin -40 (best practice dr expert gitu, gw juga ga tau kenapa mesti -40) jadi 1360 biar ga kepotong (tindakan preventif kali ya…)

In R2, R3, and R4 (bedain IP-nya aja)

Penjelasan:

Most notable configuration in this router is ip nhrp nhs [destination tunnel ip address], artinya kita ngasi tau ke router ini…klo mau bikin tunnel tolong registrasi ke ip tersebut (NHS)

Emang ip tersebut bisa diraih lewat mana? Untuk bisa ke ip tersebut kita pointing ke ip physical/fisiknya router target, and that’s why ip nhrp map [ip tunnel] [ip physical] placed in CLI

Plus klo mau multicast…kirim aja ke ip physical tersebut juga dengan ip nhrp map multicast [ip physical]

By the way…dalam NHRP…IP Physical tersebut dinamakan NBMA Address

DMVPN is done…anything missing? Yes…now the routing takes place

Masukin ip network tunnel-nya, masukin juga network 10.0.0.0-nya (di R2, R3, dan R4 juga sama)

Don’t forget….EIGRP is DISTANCE VECTORthere is SPLIT HORIZON (jalan keluar DAN masuknya Cuma 1…interface tunnel 0), so disabling split-horizon (no ip split-horizon) and next-hop-self (no ip next-hop-self) will do the wonder

————————————————

The Verification

Dari sini kita bisa liat…R1 dynamically learn about others tunnel via NHRP

And lets check out the routing table

Lets check in R2 pinging and tracing to R3

Lets check the wireshark…(coba ping dari R4 ke R2, trus cek di R1…jgn di cek sama yang udah tunneling kek R2 ke R4 misalkan)

Anddd…R1 correctly redirect to 172.16.0.2 which is R2 tunnel IP

————————————————

Reference:

DMVPN Explained by Petr Lapukhov #16379 @http://blog.ine.com/2008/08/02/dmvpn-explained/

DMVPN Type by by Petr Lapukhov #16379 @http://blog.ine.com/2008/12/23/dmvpn-phase-3/#more-400

NHRP by IETF RFC 2332 @http://www.ietf.org/rfc/rfc2332.txt?number=2332

NHRP Network-id https://supportforums.cisco.com/discussion/12075461/dmvpn-ip-nhrp-network-id

Adjust MSS https://learningnetwork.cisco.com/thread/40703

Older Entries Newer Entries