Final Project Report - IPV6
Project Report on Internet Protocol version 6 (IPv6) Deployment
Submitted by:
Shodhana Tumma (19839745)
Sai Praneeth Koka (19813326)
Challa Laxman Reddy (19892136)
Sudheer Kakollu (20095385)
IPv6 Deployment
ABSTRACT
With the rapid growth of the Internet, there is an urgent need to expand the address space
available to Internet users. The current version of the Internet Protocol, IPv4, is slowly
losing ground because of limitations such as limited address space, lack of functionality
and inadequate security features. The intent of this paper is to deploy both IPv6 and IPv4
(dual stack) over the La Trobe University network. In a dual-stack architecture, all
components of the network must support both protocols. Applications must choose either
IPv4 or IPv6 by selecting the correct address based on the type of IP traffic and the
requirements of the communication.
We have considered different VLANs (students, staff, management, guest) as end hosts, which
are connected to the access switch through two other switches. Three switches were used,
taking growth of the network and redundancy into consideration. There are three routers,
named distribution, core and internet. The distribution router is connected to the end hosts
through the access switch. For inter VLAN communication a trunk is created, and for intra
VLAN communication router on stick is implemented on the distribution router. DHCP is
implemented on the distribution router to assign IPv4 and IPv6 addresses to the end hosts
automatically. The core router is connected to both the distribution and internet routers.
The internet router is connected to the DMZ, to the external network, and to the internal
network through the core router. OSPF is implemented on all the routers so that they
advertise their directly connected networks to their neighbour routers. PAT and NAT are
implemented on the internet router to translate the IP addresses traversing the network.
Access-control lists were created on the internet router to ensure that outside traffic does
not enter the inside network. Finally, as per the project requirement, outbound connectivity
for both IPv4 and IPv6 was established externally, and no inbound connections to the inside
network are allowed.
Acknowledgement
We are sincerely thankful to La Trobe University (Bundoora campus) for providing us
with the opportunity to implement the “IPv6 Deployment networking project” as part of
CSE5ITP.
We are thankful to our course co-ordinator Dr. Prakash Veeraraghavan for providing us
insights and expertise that greatly assisted the project.
We thank Dr Miro for providing comments and suggesting better options during the mid-term
presentation regarding the devices we used for implementation, which greatly helped us
in proceeding further.
We would also like to show our gratitude to Dheeraj Sudarsanam for continuous guidance
throughout the project and for sharing his knowledge. We are grateful for his comments and
inputs on an earlier version of our project.
We hereby acknowledge that the results, observations provided are solely our own effort.
Table of contents:
I. Title
II. Abstract
III. Acknowledgement
IV. Table of contents
1. Introduction
2. Network Topology
3. Implementation
3.1. VLANs
3.1.1. Port Assignments and Trunking
3.2. Subnetting Scheme
3.2.1. IPv4 Subnetting Scheme
3.2.2. IPv6 Subnetting Scheme
3.3. Devices and Roles
3.4. Router on Stick
3.5. Dynamic Host Configuration Protocol (DHCP)
3.6. Open Shortest Path First (OSPF)
3.7. Network Address Translation (NAT)
3.8. Demilitarized Zone (DMZ)
3.9. Access-control lists (ACLs)
3.9.1. Standard Access-control lists
3.9.2. Extended Access-control lists
3.10. Context-Based Access Control (CBAC)
4. Costing
5. Appendix
5.1. Switch1 configuration
5.2. Switch2 configuration
5.3. Access switch configuration
5.4. Distribution router configuration
5.5. Core router configuration
5.6. Internet router configuration
5.7. Configuration results
1. Introduction
IP (Internet Protocol) is the most widely used communication protocol. Internet Protocol
version 6 (IPv6) is the replacement for Internet Protocol version 4 (IPv4). IPv6 corrects
some of the deficiencies of IPv4 and the way it handles hosts.
IPv4, the fourth version of the Internet Protocol, handles 4.3 billion unique IP addresses
with its 32-bit address format. This is not enough to sustain the rapid growth of the
Internet.
IPv6 handles far more unique IP addresses with its 128-bit address format. Apart from
handling a practically limitless number of unique IP addresses, IPv6 has many other
advantages, such as efficient packet handling with its simplified header format, routing
efficiency and increased throughput.
While many carriers are nowadays moving to IPv6 networks for future-generation services,
current practical implementations still need IPv4 devices and other handsets. This is where
dual stack comes in.
Dual stack: In this project we are implementing dual stack, which means that both IPv6 and
IPv4 addresses exist on the same platform and both kinds of hosts are supported.
In our project we have been given the IPv4 private address range 192.168.[Y0-Y9].0/24,
where Y is our POD number (7). We have used 192.168.[70-79].0/24 as per the requirements.
Similarly, 2400:13c0:177:ffe8::/62 is used for IPv6.
The next segments of this project document explain the topology, the IP addressing schemes,
and the protocols and ACLs implemented in this project.
2. Network Topology
Topology:
Justification of Topology:
The above network topology is built in the lab environment as per the requirements provided
in the IPv6 project implementation guide.
Based on the availability of lab resources, and considering the growth and redundancy of the
network, we have used three Cisco switches.
We have considered different VLANs as end host devices, named student, staff, management
and guest. These VLANs are connected to both switch1 and switch2.
The third switch, which serves as the access switch, is connected to switch1 and switch2 via
trunk links. Both IPv6 and IPv4 are deployed.
DHCP is implemented on the distribution router for both IPv6 and IPv4, so that end users
acquire IPv6 and IPv4 addresses automatically according to the VLAN they are connected to.
The routing protocols we have implemented for IPv4 and IPv6 are OSPFv2 and OSPFv3
respectively. These OSPF routing protocols enable the routers to advertise their directly
connected IPv4 and IPv6 networks to the other networks which are not directly connected in
the topology.
The core router is connected to the distribution router mentioned above with a
point-to-point link. OSPF version 2 and version 3 are configured on the core router to
advertise its directly connected networks.
The internet router is connected to the core router, to the DMZ (Demilitarized Zone) and to
the LTU network, each using a point-to-point link. OSPF version 2 and version 3 are
configured on the internet router to advertise its directly connected networks.
The OSPF and DHCP protocols are explained in detail in the OSPF and DHCP justifications.
3. Implementation
3.1 VLANs:
Switch 1
Networks                        Addresses
Student                         192.168.70.0/24
Staff                           192.168.71.0
Management                      192.168.72.0
Guest                           192.168.73.0
Distribution – core             192.168.75.0/30
Core – internet                 192.168.75.4/30
Internet – DMZ                  192.168.74.0/29
Default gateway to DMZ          192.168.74.254/24
Internet Router to LTU switch   131.172.254.26/30
Four sample VLANs are created. The Students network is accessed by students of the
university. This network gets its IP addresses from the network 192.168.70.0/24.
The Staff network is accessed by staff of the university. This network gets its IP addresses
from the network 192.168.71.0/24.
The Guest network is accessed by guests. This network gets its IP addresses from the
network 192.168.73.0/24.
Networks                        Addresses
Student                         2400:13c0:177:ffe8::/64
Staff                           2400:13c0:177:ffe9::/64
Management                      2400:13c0:177:ffea::/64
Guest                           2400:13c0:177:ffeb:3fff:/66
Distribution - core             2400:13c0:177:ffe8:8000::/126
Core - internet                 2400:13c0:177:ffe8:8000::4/126
Internet - DMZ                  2400:13c0:177:ffeb:4000::/66
Default gateway to DMZ          2400:13c0:177:ffeb:4000::fffe/66
Internet Router to LTU switch   2400:13C0:254:24::2/66
Four sample VLANs are created. The Students network is accessed by students of the
university. This network gets its IP addresses from 2400:13c0:177:ffe8::/64.
The Staff network is accessed by staff of the university. This network gets its IP addresses
from the network 2400:13c0:177:ffe9::/64. The Guest network is accessed by guests. This
network gets its IP addresses from the network 2400:13c0:177:ffeb:3fff:/66. The network
2400:13c0:177:ffea::/64 is reserved for the management VLAN. This allows the switches to
communicate with other VLANs.
Distribution Router:
This router is used for inter-VLAN routing. On this router, IPv4 and IPv6 addresses are
assigned automatically to end devices.
Router on stick:
For inter-VLAN communication to take place, router on stick is implemented on the
distribution router. Sub-interfaces are created on the distribution router and one is
assigned to each VLAN for inter-VLAN communication using router on stick.
DHCP and SLAAC:
For the end host devices to acquire IPv4 and IPv6 addresses automatically according to their
VLANs, DHCP is implemented for IPv4 and stateless DHCPv6 is implemented for IPv6 on the
distribution router.
OSPF:
OSPFv2 and OSPFv3 are configured on the distribution router for IPv4 and IPv6 so that it
advertises its directly connected networks to its neighbour routers.
Core Router:
The core router resides in the middle of the network. It is designed to forward IP packets
at full speed between the networks.
OSPF:
OSPFv2 and OSPFv3 are configured on the core router for IPv4 and IPv6 so that it advertises
its directly connected networks to its neighbour routers.
Internet Router:
The internet router is used to forward packets between the core router, the DMZ and the LTU
switch. Any communication with exterior networks is done through the internet router.
OSPF: OSPFv2 and OSPFv3 are configured on the internet router for IPv4 and IPv6 so that it
advertises its directly connected networks to its neighbour routers.
These two switches are used to connect end host devices which are in different VLANs.
The network that is accessed depends on the ports assigned to the respective VLANs.
Access switch:
The access switch is the main switch, which interconnects both switch1 and switch2. This
interconnection uses trunk links so that intra-VLAN and inter-VLAN communication can take
place.
- Port limits: Physical interfaces are configured with one interface per VLAN, so on
networks with many VLANs using a single router to perform inter-VLAN routing is not
possible.
- Sub-interfaces allow a router to scale to accommodate more VLANs than physical
interfaces permit.
- Performance: Because there is no contention for bandwidth on physical interfaces,
physical interfaces have better performance for inter-VLAN routing. When sub-interfaces
are used for inter-VLAN routing, the traffic being routed competes for bandwidth on the
single physical interface. On a busy network, this could cause a bottleneck for
communication.
- Access ports and trunk ports: Connecting physical interfaces for inter-VLAN routing
requires that the switch ports be configured as access ports. Sub-interfaces require the
switch port to be configured as a trunk port so that it can accept VLAN-tagged traffic
on the trunk link.
- Cost: Routers with many physical interfaces cost more than routers with a single
interface, so financially it is more cost-effective to use sub-interfaces than separate
physical interfaces.
- Complexity: Using sub-interfaces for inter-VLAN routing results in a less complex
physical configuration than using separate physical interfaces. On the other hand, using
sub-interfaces with a trunk port results in a more complex software configuration, which
can be difficult to troubleshoot. If one VLAN is having trouble routing to other VLANs,
you cannot simply trace the cable to see if the cable is plugged into the correct port.
You need to check that the switch port is configured as a trunk and verify that
the VLAN is not being filtered on any of the trunk links before it reaches the router
interface.
The disadvantages of a router on stick network are that it is more complex to set up than
other networks, that VLAN traffic goes into the router and out of the router through the
same port, and that the trunk is the major source of congestion.
IMPLEMENTATION:
To implement router on stick on the distribution router, we divided the Gi0/0 interface
into four sub-interfaces: Gi0/0.10, Gi0/0.20, Gi0/0.30 and Gi0/0.40.
Gi0/0.10 is for the students VLAN, with IPv4 address 192.168.70.254/24 and IPv6 address
2400:13C0:177:ffe8::fffe/64.
Gi0/0.20 is for VLAN 20 (staff), with IPv4 address 192.168.71.254/24 and IPv6 address
2400:13C0:177:ffe9::fffe/64.
Gi0/0.30 is for VLAN 30 (management), with IPv4 address 192.168.72.254/24 and IPv6 address
2400:13C0:177:ffea::fffe/64.
Gi0/0.40 is for VLAN 40 (guest), with IPv4 address 192.168.73.254/24 and IPv6 address
2400:13C0:177:ffeb::fffe/66.
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.71.254 255.255.255.0
ipv6 address 2400:13C0:177:FFe9::FFFE/64
ipv6 enable
no shutdown
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.72.254 255.255.255.0
ipv6 address 2400:13C0:177:FFea::fffe/64
ipv6 enable
no shutdown
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.73.254 255.255.255.0
ipv6 address 2400:13C0:177:FFeb:3fff::FFFE/66
ipv6 enable
no shutdown
Components of DHCP:
DHCP server: A network device running the DHCP service that holds IP addresses and
related configuration information for the devices. This will most typically be a server or
a router, but it could be anything that acts as a host, such as an SD-WAN appliance.
DHCP client: The endpoint that receives configuration information from a DHCP server. This
can be any device, for example a mobile phone, computer or IoT endpoint, or anything else
that requires a connection to the network. Most devices are configured to receive DHCP
information by default.
IP address pool: The range of IP addresses that are available to DHCP clients. Addresses
are handed out sequentially from lowest to highest.
Subnet: IP address ranges are partitioned into smaller segments known as subnets. Subnets
help to keep the network manageable.
Lease: The length of time for which the DHCP client holds the IP address information. When
a lease expires, the client must renew it.
DHCP relay: A router or host that listens for client messages being broadcast on the network
and forwards them to a configured server. The server then sends responses back to the relay
agent, which passes them along to the clients. This can be used to centralize DHCP servers
instead of having a server on each subnet.
Simplified management: Using a DHCP server greatly simplifies the management of the
network.
Reduced IP address conflicts: Each connected device must have an IP address. However,
each address can only be used once, and a duplicate address will result in a conflict where
one or both devices cannot be connected. This can happen when addresses are assigned
manually, particularly when there are many endpoints that only connect periodically, such
as mobile devices. The use of DHCP ensures that each address is only used once.
Efficient change management: Using DHCP makes it very simple to change addresses, scopes
or end points.
Disadvantages of DHCP:
DHCP poses security risks: The DHCP protocol requires no authentication, so any client can
join the network quickly. Because of this it is open to a number of security risks,
including unauthorized servers that hand bad information, such as IP addresses, to clients,
and IP address depletion caused by unauthorized or malicious clients.
How to avoid DHCP security risks: 802.1X authentication, otherwise known as network access
control (NAC), can be used to secure DHCP.
SLAAC:
To perform address configuration on IPv6 there are a couple of familiar methods and a few
additional methods, including: static addressing, static addressing with DHCPv6 (stateless),
dynamic addressing via DHCPv6 (stateful), SLAAC alone, or SLAAC with DHCPv6 (stateless).
SLAAC is a method in which the host or router interface is assigned a 64-bit prefix, and
the last 64 bits of its address are then derived by the host or router using the EUI-64
process.
SLAAC provides the ability to address a host based on a network prefix that is advertised
from a local network router via Router Advertisements (RAs). RA messages are sent by default
by most IPv6 routers; these messages are sent out periodically by the router and include
information including:
SLAAC is implemented on the IPv6 client by listening for these local RAs and then taking the
prefix that is advertised to form a unique address that can be used on the network. For this
to work, the advertised prefix must have a prefix length of 64 bits (i.e., /64); SLAAC
will then dynamically form a host identifier that is 64 bits long and append it to the
advertised prefix to form an IPv6 address.
To give an idea as to how this works, the example topology shown in figure is used.
If the hosts (H1-H4) shown in figure were using the EUI-64 method of host identification,
the IPv6 addresses created using SLAAC would be:
• H1 – 2000:1234:5678::12FF:FE34:5678
• H2 – 2000:1234:5678::EBFF:FEA4:C1AE
• H3 – 2000:1234:5678::BAFF:FE24:C4AE
• H4 – 2000:1234:5678::84FF:FE67:AEFC
The prefix 2000:1234:5678::/64 will be learned from R1’s RA messages and will be the initial
prefix.
The client identifier is then created from the MAC address that is assigned to H1, in
this case 0200:1234:5678. The first step of the EUI-64 conversion is to split the MAC
address in half and place FF:FE in the middle, which results in 0200:12FF:FE34:5678. Then
the seventh bit is flipped: in this case the first 8 bits are 00000010 (0x02), and flipping
the seventh bit changes it to 0, resulting in 00000000 (0x00). This gives a final host
identifier of 0000:12FF:FE34:5678. When the prefix and the host identifier are brought
together, the result is the IPv6 address used for H1,
2000:1234:5678:0000:0000:12FF:FE34:5678, which can be shortened to
2000:1234:5678::12FF:FE34:5678.
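The EUI-64 steps above as an added Python example (not code from the original report). It reproduces the H1 address, recovers the MAC address embedded in a SLAAC address, and applies the /64 requirement to the VLAN prefixes given in this report's DHCP justification; the function names and the reuse of H1's MAC address for the audit are assumptions made for illustration.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    # Step 1: split the MAC in half and place FF:FE in the middle.
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Step 2: flip the seventh bit of the first octet (universal/local bit).
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised prefix with the EUI-64 host identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # A 64-bit host identifier only fits behind a 64-bit prefix.
        raise ValueError(f"{prefix}: EUI-64 SLAAC needs a /64 prefix")
    return net.network_address + eui64_interface_id(mac)


def mac_from_eui64(address: str):
    """Recover the MAC embedded in an EUI-64 address, or None if absent.

    Shows why EUI-64 addresses identify the hardware on every network
    the host joins.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # identifier was not built with EUI-64
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


# VLAN prefixes as written in this report's DHCP justification.
REPORT_PREFIXES = {
    "Student": "2400:13c0:177:ffe8::/64",
    "Staff": "2400:13c0:177:ffe9::/64",
    "Management": "2400:13c0:177:ffea::/64",
    "Guest": "2400:13c0:177:ffeb::/66",
}


def slaac_audit(prefixes, mac):
    """Per VLAN: the address a host would form, or why it cannot."""
    result = {}
    for name, prefix in prefixes.items():
        try:
            result[name] = str(slaac_address(prefix, mac))
        except ValueError as exc:
            result[name] = f"error: {exc}"
    return result


if __name__ == "__main__":
    h1_mac = "0200:1234:5678"  # H1's MAC from the worked example
    print(slaac_address("2000:1234:5678::/64", h1_mac))
    print(mac_from_eui64("2000:1234:5678::12FF:FE34:5678"))
    for vlan, outcome in slaac_audit(REPORT_PREFIXES, h1_mac).items():
        print(f"{vlan:<11} {outcome}")
```

The audit reports an error for the Guest VLAN because its prefix is written as /66, which is longer than the 64 bits SLAAC requires.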
DHCP Justification:
Dynamic Host Configuration Protocol is implemented on the distribution router so that end
host devices can acquire IP addresses automatically depending on which network they are in.
DHCP is implemented for IPv4 addresses and stateless DHCPv6 is implemented for IPv6
addresses. The purpose of implementing stateless DHCPv6 is that IPv6 addresses can be
acquired from router advertisements, with no need for a DHCP server for that. The end hosts
in the student VLAN acquire IPv4 addresses from the network 192.168.70.0/24 and IPv6
addresses from the network 2400:13C0:177:ffe8::/64. The end hosts in the staff VLAN acquire
IPv4 addresses from the network 192.168.71.0/24 and IPv6 addresses from the network
2400:13C0:177:ffe9::/64. The end hosts of the guest VLAN acquire IPv4 addresses from the
network 192.168.73.0/24 and IPv6 addresses from the network 2400:13C0:177:ffeb::/66.
Four pools are created in DHCP, named VLAN10, VLAN20, VLAN30 and VLAN40, for the student,
staff, management and guest networks respectively. The naming convention could be
anything, so the names defined for the pools are simply the ones we chose. VLAN10 is used
for the Students network (192.168.70.0/24 & 2400:13C0:177:ffe8::/64). VLAN20 is used for
the Staff network (192.168.71.0/24 & 2400:13C0:177:ffe9::/64). VLAN30 is used for the
Management network (192.168.72.0/24 & 2400:13C0:177:ffea::/64). VLAN40 is used for the
Guest network (192.168.73.0/24 & 2400:13C0:177:ffeb::/66).
The addresses that are statically assigned to the sub-interfaces of Gi0/0 on the
distribution router are excluded from the pools, so that these addresses cannot be
automatically assigned to end host devices, avoiding IP address conflicts.
hint]
Example:
Router(config-if)# ipv6 dhcp server dhcp-pool
Step 9: ipv6 nd other-config-flag
Sets the "other stateful configuration" flag in IPv6 RAs.
Example:
Router(config-if)# ipv6 nd other-config-flag
IPV4:
dns-server 131.172.2.2
ip dhcp pool vlan20
network 192.168.71.0 255.255.255.0
default-router 192.168.71.254
dns-server 131.172.2.2
dns-server 131.172.2.2
ip dhcp pool vlan40
dns-server 131.172.2.2
IPV6:
dns-server 2400:13C0:177:FFE9::FFFE
ipv6 dhcp pool vlan30
dns-server 2400:13C0:177:FFEA::FFFE
ipv6 dhcp pool vlan40
The information present in the link state advertisements is used by the routers to
calculate the least-cost path and to create a routing table for the protocol.
The OSPF protocol was designed for the TCP/IP environment and, as a result, it explicitly
supports IP subnetting and the tagging of externally derived routing information.
Authentication of routing updates is also provided by the OSPF protocol. OSPF routes IP
packets based on the destination IP address present in the packet header.
The biggest advantage of OSPF is that it quickly detects topology changes. These changes
include the sudden unavailability of a router, etc.
An OSPF autonomous system (AS) can be divided into multiple areas, or it can consist of a
single area. Each OSPF area is named using a 32-bit identifier, which in most cases is
written in the same dotted-decimal notation as an IPv4 address. For example, Area 0 is
usually written as 0.0.0.0.
In a single-area topology, each router maintains a database which contains the information
of the respective AS, and link state information is flooded through the AS. In a multi-area
OSPF topology, a database is also maintained by each router, but it contains only the
information of that area, and link state information is flooded through that area only. All
routers in an area have identical topology databases. When the topology changes, OSPF
ensures that the data converges quickly in all the databases.
All OSPF version 2 protocol exchanges can be authenticated. OSPF version 3 mainly relies
on IPsec to provide this functionality. This means that only routers that can be trusted
participate in the AS's routing. A single authentication scheme is implemented in each area.
This enables some areas to use stricter authentication than others.
The routing protocol assigns a default preference value to each route. This value depends
on the source of the route. The preference value ranges from 0 to 4,294,967,295 (2^32 – 1).
A lower value indicates a more preferable route.
Router ID:
LSDBs use the OSPF router ID to distinguish one OSPF router from another.
By default, the router ID is the highest IP address on an active interface at the moment
the OSPF process starts up.
OSPF uses the SPF algorithm. When the device starts, it initializes OSPF and waits for an
indication from lower-level protocols that the router is functional. The routing device
uses the hello protocol to acquire neighbours: it sends hello packets and receives the same
from its neighbours. The OSPF hello protocol elects a designated router for the network.
This device is then responsible for advertising link state advertisements. This reduces
network traffic and the size of the database.
Next, the routing device forms adjacencies with its newly acquired neighbours. The
distribution of routing protocol packets is determined by the adjacencies, and routing
packets are sent through these adjacencies. Once the adjacencies are established, the
routers start synchronizing their topological databases.
The device then sends LSA packets to advertise its state, both periodically and when its
state changes. Routing device adjacency information is present in the LSA packets, which
allows the detection of routing devices that are currently not operational.
Using a reliable algorithm, the routing device floods the information throughout the area
and ensures that all routing devices' databases contain the same, up-to-date information.
With the information present in the database, each routing device calculates the shortest
path tree with itself as the root. The routing devices use these paths to route the traffic.
OSPF version3:
OSPF version 3 is a modified version of OSPF version 2 that supports IP version 6 (IPv6)
addressing. OSPF version 3 has the following differences from version 2.
Advantages of OSPF:
Disadvantages of OSPF:
OSPF Justification:
The Open Shortest Path First protocol is implemented as the routing protocol to dynamically
route the network addresses between the connected routers.
The distribution router has OSPFv2 implemented for IPv4 networks and OSPFv3 implemented for
IPv6 networks. The distribution router advertises its directly connected networks
192.168.70.0/24, 192.168.71.0/24, 192.168.72.0/24, 192.168.73.0/24, 192.168.75.0/30,
192.168.75.4/30. This information is obtained by the core router, as it is directly
connected to the distribution router.
Secondly, the core router advertises its directly connected networks 192.168.75.0/30,
192.168.75.0/30 to the distribution router and the internet router.
Lastly, the internet router advertises its directly connected network 192.168.75.4/30 to
the core router and the LTU switch.
RIP, OSPF and EIGRP are the three most common dynamic routing protocols.
Among the three protocols, EIGRP converges fastest when initializing, recovering and
failing. Compared to EIGRP, OSPF is slow, as all routers need to learn about each other
during initialization.
RIP performance is close to EIGRP performance, but in large networks the convergence speed
of RIP is slow.
In terms of traffic sent in bytes/sec, EIGRP and OSPF make good use of bandwidth, whereas
RIP wastes bandwidth by sending its complete information to flood the network.
Though EIGRP has faster convergence than OSPF and is more versatile and adaptable, EIGRP
is specific to Cisco devices; it is Cisco proprietary. We chose OSPF as it is an open
standard and is supported by multiple vendors. Also, OSPF uses areas, which segment the
network more logically.
OSPF Configuration:
The table below shows the steps involved in configuring a basic OSPF network:
IPV6:
# show ip ospf
IPV4:
router ospf 1
router-id 1.1.1.1
network 192.168.70.0 0.0.0.255 area 0
network 192.168.71.0 0.0.0.255 area 0
network 192.168.72.0 0.0.0.255 area 0
network 192.168.73.0 0.0.0.255 area 0
network 192.168.75.0 0.0.0.3 area 0
IPV6:
ipv6 router ospf 1
router-id 3.3.3.3
ipv6 unicast
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
interface GigabitEthernet0/1
IPV4:
router ospf 1
router-id 3.3.3.3
network 131.172.254.24 0.0.0.3 area 0
network 192.168.74.0 0.0.0.255 area 0
network 192.168.75.4 0.0.0.3 area 0
IPV6:
ipv6 router ospf 1
router-id 2.2.2.2
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
interface GigabitEthernet0/1
ipv6 ospf 1 area 0
NAT overload, which is also known as port address translation (PAT), is essentially NAT
with the added feature of TCP and UDP port translation.
The main purpose of NAT is to hide the IP address (usually a private IP address) of the end
host in order to conserve public address space. For instance, a complete network of 50
hosts with 50 private addresses can be made visible to the outside world, the Internet, as
a single IP address.
Advantages of NAT:
The steps below explain a basic NAT overload configuration. NAT is one of the most common
operations in today's business networks around the world, as it enables a whole network to
access the Internet using a single IP address.
Overloading: This means that a single public IP address assigned to our router can be used
by many internal hosts concurrently. This is done by translating the TCP/UDP ports in the
packets. These packets are tracked in the translation table in the router. This is the
general NAT implementation in today's networks.
We also need to create an access list (ACL) which includes our private hosts or networks.
This ACL is later applied to the NAT service command, which controls the hosts that will be
able to access the Internet (step 4 in the syntax). NAT overload is then enabled and bound
to the outside interface created in the NAT implementation (step 5).
Disadvantages of NAT:
- NAT consumes memory and processor resources, because NAT needs to translate
all incoming and outgoing datagrams and store the details in memory.
- NAT causes delay in IPv4 communication.
- Loss of end to end traceability.
Servers and systems providing services such as the company website and support services
need to be accessed by external users. If they are placed inside the trusted network, they
make the whole network vulnerable to attack. Placing them in a separate network between
firewalls makes it easier to protect the trusted network from attack.
Justification:
In our network we have placed our web server in the demilitarized zone by connecting it to
interface Gi0/0/0 of the internet router. 192.168.74.0/24 and 2400:13c0:177:ffeb:4000:: are
the IPv4 and IPv6 addresses dedicated to the DMZ network.
We are using the Apache 2.4 HTTP server for creating and managing our web server, which
contains basic information.
Access Control Lists are list of arguments which are used to control the flow of traffic
in and out of the network interface. They are named by number or word. They can be
configured in routers and switches for meeting basic security requirements. There are two types
of ACLs standard acls and extended acls.
Standard Acls are numbered between 1 and 99. They check for the source address and will be
filtering the packets. Standard acls will permit or deny protocols.
3.9.2 Extended Access-control lists:
Extended ACLs are numbered between 100 and 199 and can also be named with words. Unlike
standard ACLs, extended ACLs check both source and destination addresses while filtering packets.
They permit or deny specific protocols, i.e. TCP and UDP with source and destination ports, and
ICMP and IP by name or protocol number. Compared to standard ACLs, extended ACLs have more
features. In our network topology we need to restrict traffic from entering the internal network
connected to interface Gi0/0, while internal traffic needs to access the internet and DMZ information.
With extended ACLs alone we cannot restrict external traffic and allow internal users to use the
internet at the same time, because an ACL that denies external traffic also drops the replies to
connections opened from inside. We are therefore going for advanced security protocols.
ACL Implementation:
We need to restrict the traffic that flows outbound from G0/0. For this we use an extended
ACL that denies all traffic and apply it on Gi0/0 in the outbound direction. The traffic condition
will be as below.
Now we need to inspect the required packets that flow from interface G0/0 in order to allow
them back into the internal network.
With CBAC enabled, the router inspects the packets from trusted hosts, and the deny-all extended
ACL is modified automatically to allow reply packets back to the trusted network.
CBAC Justification:
As per the requirement in our topology, we are restricting the outbound traffic from entering
the internal network, while the internal network should access information in the DMZ and also
access the internet.
So we implement CBAC as above on interface G0/0 and inspect the http, https, dns and udp
packets that flow inbound to the interface.
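The behaviour described above, modelled in Python as an added example (it is not the project's router configuration): a deny-all ACL alone drops replies to internal hosts, while inspection opens a temporary permit only for the reply to a session that a trusted host started. The class and function names and the host address 192.168.10.5 are assumptions for illustration; 192.168.74.1 is a DMZ address taken from the NAT rule in the appendix.

```python
# Toy model of the page's G0/0 policy (added example, not router code).
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def inspected(p: Packet) -> bool:
    """http, https, dns and udp, as listed on the page (dns modelled as udp/53)."""
    return p.proto == "udp" or (p.proto == "tcp" and p.dport in (80, 443))

def mirror(p: Packet) -> Packet:
    """The 5-tuple a reply to p would carry."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)

class InternalInterface:
    """deny_all applied outbound on G0/0, optional inspection inbound."""
    def __init__(self, cbac: bool):
        self.cbac = cbac
        self.openings = set()   # temporary permits placed ahead of deny_all

    def from_inside(self, p: Packet) -> None:
        """Trusted host sends p; inspection records the expected reply."""
        if self.cbac and inspected(p):
            self.openings.add(mirror(p))

    def to_inside(self, p: Packet) -> bool:
        """True if p may leave G0/0 toward the internal network."""
        return p in self.openings   # anything else matches deny ip any any

    def session_closed(self, p: Packet) -> None:
        """Session ended or timed out: the temporary permit is removed."""
        self.openings.discard(mirror(p))

def demo() -> dict:
    host, web = "192.168.10.5", "192.168.74.1"   # host address is constructed
    request = Packet("tcp", host, 49152, web, 80)
    unsolicited = Packet("tcp", "203.0.113.9", 40000, host, 80)
    out = {}
    for name, cbac in (("acl_only", False), ("cbac", True)):
        fw = InternalInterface(cbac)
        fw.from_inside(request)
        out[name] = (fw.to_inside(mirror(request)), fw.to_inside(unsolicited))
        fw.session_closed(request)
        out[name + "_closed"] = fw.to_inside(mirror(request))
    return out

if __name__ == "__main__":
    print(demo())
```

ICMP is not in the inspected list, so in this model a ping reply to an internal host is still dropped by deny_all.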
CBAC Configuration:
4. Costing
The costing mentioned here is confined to the lab environment for one POD, as per the
given instructions. From this estimate, the cost of labor, software and hardware can be quoted
for the entire La Trobe University network.
Cabling is only one part of the network when installing Ethernet in the lab. For the
system to run properly, some other materials are necessary and others are
optional.
We also need an Ethernet switch or central hub to plug the devices into.
These typically cost under $20 each. To complete the installation, a gang retrofit box is
needed for each line. These cost roughly $2 each.
Optional materials
• Patch panel: a switchboard that connects multiple devices, ($30 and up).
• Plastic grommets: if necessary, for retrofitting cables ($5 and up).
• Plugs: which may also be necessary for retrofitting or finishing cables ($2 and up).
• Short patch cables: if you are moving from one setup to another within the same lab
($0.80 and up).
Labor cost:
Wiring each lab takes approximately 3 hours, so the labor cost would be between
$1000 - $1500 to have a Cat 6 network professionally installed. Apart from this, material costs
are an additional $1300 - $1500, depending on how many computers are in the room.
The timeline for completing the installation of the project is around 4 months. The price charged
by the professionals is around $50/hr, so labor would cost around $48000. The professionals will
be a team of 3 members for installation of the project, working around 20 hours per week for
16 weeks.
Hardware Cost:
| S.no | Item | Description | Qty/Length | Unit Price | Amount |
|------|------|-------------|------------|------------|--------|
| 1 | Routers | CISCO1941/K9 Cisco 1941 Router ISR G2 | 3 | A$2997.68 | A$8993.04 |
| 2 | Switches | WS-C2960G-24TC-L Catalyst 2960 24 | 3 | A$3653.30 | A$10959.9 |
| 3 | Wire | RJ45 CAT6 | 300m | $2.2/meter | $660 |
| 4 | Connectors | RJ45 connectors, Pack of 20 | 12 | A$2 | A$24 |
| 5 | Rack | 19" Server Rack Cabinet, 20U | 1 | A$358.02 | A$358.02 |
| 6 | HTTP Server (PC) | HP Pavilion i5 | 1 | A$1500 | A$1500 |
| | Total | | | | $22494.96 |
5. Appendix
no aaa new-model
!
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
no ip address
!
interface Vlan30
ipv6 enable
!
ip forward-protocol nd
!
no vstack
!
line con 0
login
!
end
stopbits 1
line vty 0 4
password cisco
login
transport input none
line vty 5 15
password cisco
login
transport input none
!
scheduler allocate 20000 1000
!
end
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
no ip address
duplex auto
!
interface Vlan1
no ip address
!
router ospfv3 1
router-id 2.2.2.2
!
address-family ipv6 unicast
router-id 2.2.2.2
exit-address-family
!
router ospf 1
router-id 2.2.2.2
network 192.168.75.0 0.0.0.3 area 0
network 192.168.75.4 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ipv6 route ::/0 GigabitEthernet0/1
!
control-plane
!
line con 0
password cisco
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
login
transport input none
line vty 5 15
password cisco
login
transport input none
!
scheduler allocate 20000 1000
!
end
!
redundancy
interface Embedded-Service-Engine0/0
shutdown
!
interface GigabitEthernet0/0

no ip address
shutdown
!
no ip address
shutdown
!
interface GigabitEthernet0/0/0
switchport access vlan 50
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan50
ip address 192.168.74.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2400:13C0:177:FFEB:4000::FFFE/66
ipv6 enable
ipv6 traffic-filter outbound in
ipv6 ospf 1 area 0
!
router ospfv3 1
router-id 3.3.3.3
!
address-family ipv6 unicast
router-id 3.3.3.3
exit-address-family
!
router ospf 1
router-id 3.3.3.3
network 131.172.254.24 0.0.0.3 area 0
network 192.168.74.0 0.0.0.255 area 0
network 192.168.75.4 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list internet interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.74.1 131.172.254.26
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip access-list standard internet
permit 192.168.0.0 0.0.255.255
!
ip access-list extended deny_all
deny ip any any
ip access-list extended dmz_png
permit tcp any host 131.172.2.2 eq www
!
ipv6 route ::/0 2400:13C0:254:24::1
!
ipv6 access-list inbound
permit icmp any any
deny tcp any any eq telnet
permit ipv6 any any
!
Verification Results:
OSPF – Verification results
Internet Router:
Distribution Router – OSPF
Core Router – OSPF
Firewall Rules:
DHCP output:
Host to DMZ:
Host to Latrobe:
DMZ to Host:
DMZ to Latrobe: