IPV6 Deployment

Project Report

CSE5ITP 28/10/2019 MICT

 IPv6 Deployment

Project Report
on
Internet protocol version 6
(IPv6) Deployment

Submitted as per requirement of ITP Project

Towards partial fulfillment of

Masters in Information and communication technology

Submitted by:
Shodhana Tumma (19839745)
Sai Praneeth Koka(19813326)
Challa Laxman Reddy (19892136)
Sudheer Kakollu(20095385)

Latrobe University, Plenty Rd & Kingsbury Dr, Bundoora, VIC-3085.

i
 IPv6 Deployment

ABSTRACT

With the rapid growth of the Internet there is an urgency to expand the address space
available to users of the Internet. The current version of the Internet Protocol, IPv4, is slowly
losing position because of its various limitations such as limited address space, lack of
functionality and inadequate security features. The intent of this paper is to deploy both IPv6
and IPv4 (dual stack) over Latrobe University Network. In dual-stack architecture, all the
components of the network system should support the both protocols. Applications must
choose either IPv4 or IPv6, by selecting the correct address based on the type of IP traffic and
requirements of the communication.
In dual-stack architecture, all the components of the network system should support the both
protocols. Applications must choose either IPv4 or IPv6, by selecting the correct address based
on the type of IP traffic and requirements of the communication
We have considered different VLAN’s students, staff, management, guest as end hosts and are
connected to access switch through another two switches. We have considered three switches
were considered taking growth of the network and redundancy into consideration. We have
considered three routers named as distribution, core and internet routers. Distribution router is
connected to end hosts through the access switch. For inter VLAN communication trunk is
created and for intra VLAN communication router on stick is implemented on distribution
router. DHCP is implemented on distribution router for assigning the end hosts with IPv4 and
IPv6 addresses automatically. Core router connected to both distribution and internet router.
Internet router is connected to DMZ, External network and to the internal network through core
router. OSPF protocol is implemented on all the routers to advertise their directly connected
networks to their neighbour routers. PAT, NAT are implemented on the internet router to
translate the IP addresses traversing the network. Access- Controlled lists were created on the
internet router to ensure the traffic is not entering the inside network. Finally, as per the project
requirement outbound connectivity for both IPv4 and IPv6 was established externally and no
inbound connections to the inside network are allowed.

ii
 IPv6 Deployment

Acknowledgement
We are sincerely thankful to Latrobe University (Bundoora campus) for providing us
with the opportunity to implement “IPV6 Deployment networking project” as part of
CSE5ITP.

We are thankful to our course co-ordinator Dr. Prakash Veeraraghavan for providing us
insights and expertise that greatly assisted the project.

We thank Dr Miro for providing comments and suggesting better options during mid-term
presentation related to the devices we used for implementation which further greatly helped us
in proceeding further.

We would also like to show our gratitude to Dheeraj Sudarsanam, for continuous guidance
throughout the project and sharing his knowledge. We are grateful for his comments and inputs
in earlier version of our project.

We hereby acknowledge that the results, observations provided are solely our own effort.

iii
 IPv6 Deployment

Table of contents:

I. Title ………………………………………………………………………….. i
II. Abstract ………………………………………………………………………ii
III. Acknowledgement …………………………………………………………...iii
IV. Table of contents ……………………………………………………………..iv
1. Introduction ………………………………………………………………….1
2. Network Topology..…………………………………………………...……...2
3. Implementation ………………………………………………………………3
3.1. VLANs …………………………………………………………...………3
3.1.1. Port Assignments and Trunking ……………………...………...3
3.2. Subnetting Scheme ……………………………………………...………5
3.2.1. IPv4 Subnetting Scheme .………………………………..………5
3.2.2. IPv6 Subnetting Scheme …………………………………..…….7
3.3. Devices and Roles ……………………………………………….………9
3.4. Router on Stick ………………………………………………….……...11
3.5. Dynamic Host Configuration Protocol (DHCP) ………………….…..14
3.6. Open Short Path First (OSPF) ……………………………….………..22
3.7. Network Address Translation (NAT) ……………………….………...28
3.8. Demilitarized Zone (DMZ) ………………………………….…………32
3.9. Access-control lists (ACLs) …………………………………….………33
3.9.1. Standard Access-control lists ………………………….....……..33
3.9.2. Extended Access-control lists ………………………….………..33
3.10 . Context-Based Access Control (CBAC) ……………………..………..34
4. Costing ……………………………………………………………….………36
5. Appendix …………………………………………………….…....………….38
5.1. Switch1 configuration ………………………………………….……….38
5.2. Switch2 configuration …………………………………………………..40
5.3. Access switch configuration ……………………………………………42
5.4. Distribution router configuration ……………………………………..44
5.5. Core router configuration ……………………………………….……..48
5.6. Internet router configuration ………………………….……….………50
5.7. Configuration results ………………………….……...………………...53

iv
 IPv6 Deployment

1.Introduction
IP - Internet Protocol is the most widely used communication protocol. Internet protocol
version 6 is the replacement for Internet protocol version 4. Some of the deficiencies of IPV4
and the way it handles the hosts is corrected by IPV6.

IPV4 which is a fourth version of Internet protocol handles 4.3 billion unique IP addresses with
its 32- bit address format. But, for the rapidly rising growth of the Internet it is not enough to
sustain.

Hence, the implementation of IPV6 is introduced which supports 3.4 x 1038

Unique IP addresses with its 128-bit address format. Apart from handling limitless unique IP
addresses, IPV6 had many advantages as: efficient packet handling with its simplified header
format, routing efficiency, increased throughput etc.

While a lot of carriers now a days are proceeding with IPV6network for future generation
services, current practical implementations still need the ipv4 devices and other handsets. Here
comes the support of dual stack.

Dual stack: In this project, we are implementing dual stack which means both IPV6 and IPV4
addresses exits on the same platform and supports both hosts.

IPV4 Addressing: IPV4ues hierarchical addressing scheme. It is a 32-bit address which

contains information regarding host and network.

In our project we have been given IPv4 192.168.[Y0-Y9].0/24 private address range (Y (7) is
our POD number). We have used 192.168.[70-79].0/24 as per requirements. Similarly,
2400:13c0:177::ffe8::/62 for IPV6.

Next segments in this project document describes the clear explanation regarding topology, IP
addressing schemes, Protocols and ACLS implemented in this project.

1
 IPv6 Deployment

2.Network Topology

Topology:

Justification of Topology:

Above network topology is built as per the requirements provided in IPV6 project
implementation guide in lab environment.

As per the availability of the lab resources and considering the growth and redundancy of the
network, we have considered three cisco switches.

We have considered different VLANS as end host devices named student, staff, management
and guest. These VLANS are connected to switch1 and switch2 simultaneously.
Third switch, which is considered as access switch is connected to the switch1 and switch2 via
trunk link. IPV6 and IPV4 is deployed.

DHCP is implemented on the distribution router for both IPV6 and IPV4 which makes the end
users acquire the IPV6 and IPV4 addresses automatically as per the VLANS connected.

2
 IPv6 Deployment

The protocol we have implemented for IPV4 and IPV6 is OSPFv2 and OSPFv3 respectively.
This OSPF routing protocols enables IPV4 and IPV6 to advertise their directly connected
networks to the other networks which are not directly connected in the topology.

The core router is connected to the distribution router mentioned above with a point to point
link. OSPF version2 and version3 are configured in Core router to advertise their directly
connected networks.

Internet router is connected to Core router using point to point link. Internet router is also
connected to DMZ (Demilitarized Zone) using point to point link. Internet router is also
connected to LTU Network using point to point link. OSPF version2 and version3 are
configured in Internet router to advertise their directly connected networks.
Protocols OSPF and DHCP are explained in detail in the OSPF and DHCP justification.

3
 IPv6 Deployment

3.Implementation
3.1 VLANs:

VLAN VLAN NAME

Vlan10 Students
Vlan 20 Staff
Vlan 30 Management
Vlan 40 guest
Vlan 50 Vlan50(configured for using serial port G 0/0/0 on
internet router to connect to DMZ)
3.1.1 Port Assignments and Trunking:

Switch 1

Ports Assignment Network in IPv4 Network in IPv6

G1/0/1 – G1/0/4 Trunks (Native 192.168.72.0/24 2400:13c0:177:ffea::/64
VLAN 30)
G1/0/5 – G1/0/6 VLAN 10 - Students 192.168.70.0/24 2400:13c0:177:ffe8::/64
G1/0/7 – G1/0/8 VLAN 20 - Staff 192.168.71.0/24 2400:13c0:177:ffe9::/64
G1/0/9 – VLAN 40 - Guest 192.168.73.0/24 2400:13c0:177:ffeb:3fff:/66
G1/0/10
Switch 2

Ports Assignment Network in IPv4 Network in IPv6

G1/0/1 – G1/0/4 Trunks (Native 192.168.72.0/24 2400:13c0:177:ffea::/64
VLAN 30)
G1/0/5 – G1/0/6 VLAN 10 - 192.168.70.0/24 2400:13c0:177:ffe8::/64
Students
G1/0/7 – G1/0/8 VLAN 20 - Staff 192.168.71.0/24 2400:13c0:177:ffe9::/64
G1/0/9 – G1/0/10 VLAN 40 - Guest 192.168.73.0/24 2400:13c0:177:ffeb:3fff:/66
Access switch:

Ports Assignment Network in IPv4 Network in IPv6

G1/0/1 – G1/0/4 and Trunks(Native 192.168.72.0/24 2400:13c0:177:ffea::/64
G1/0/14 VLAN 30)

4
 IPv6 Deployment

3.2 Subnetting Scheme:

3.2.1 IPv4 Subnetting Scheme:

Device Interface IPV6 Address Subnet Prefix Default

Length Gateway
Distribution Gi 0/1 192.168.75.1 255.255.255.252 N/A
Router Gi 0/0.10 192.168.70.254 255.255.255.0 N/A
Gi 0/0.20 192.168.71.254 255.255.255.0 N/A
Gi 0/0.30 192.168.72.254 255.255.255.0 N/A
Gi 0/0.40 192.168.73.254 255.255.255.0 N/A
Access Vlan10(Students) 192.168.70.1 255.255.255.0 192.168.70.254
Switch Vlan20(Staff) 192.168.71.1 255.255.255.0 192.168.71.254
Vlan30(Management) 192.168.72.1 255.255.255.0 192.168.72.254
Vlan40(Guest) 192.168.73.1 255.255.255.0 192.168.73.254
Core Router Gi 0/0 192.168.75.2 255.255.255.252 N/A
Gi 0/1 192.168.75.5 255.255.255.252 N/A
Internet Gi 0/0 192.168.75.6 255.255.255.252 N/A
Router Gi 0/1 131.172.254.26 255.255.255.252 N/A
Gi 0/0/0 192.168.74.254 255.255.255.0 N/A
DMZ 192.168.74.1 255.255.255.0 192.168.74.254
Students PCs NIC DHCP DHCP DHCP
Staff PCs NIC DHCP DHCP DHCP

5
 IPv6 Deployment

Networks Addresses
Student 192.168.70.0/24
Staff 192.168.71.0
Management 192.168.72.0
Guest 192.168.73.0
Distribution – core 192.168.75.0/30.
Core- internet 192.168.75.4/30
Internet – DMZ 192.168.74.0/29
Default gateway to DMZ 192.168.74.254/24
Internet Router to LTU switch 131.172.254.26/30

Four samples of VLANs are created. Network Students is accessed by students of university.
This network would be getting IP address from the network 192.168.70.0/24

Network staff is accessed by Staff of university. This network would be getting IP address from
the network 192.168.71.0/24.

Network Guest is accessed by Guests. This network would be getting IP address from the
network 192.168.73.0/24.

Network 192.168.72.0/24 is reserved which is a management VLAN. This makes switches to

communicate with other VLANs.

Distribution router has an IP address of 192.168.70.254/24 on its sub- interface Gi0/0.10 as

default gateway for VLAN 10.
G0/0.20 sub-interface has an IP address of 192.168.71.254/24 as default gateway for VLAN20.
G0/0.30 sub-interface has an IP address of 192.168.72.254/24 as default gateway for VLAN30.
G0/0.40 sub-interface has an IP address of 192.168.73.254/24 as default gateway for VLAN40.
Distribution router and core router has a point to point connection with the network address of
192.168.75.0/30.
Internet router and core router are connected using network 192.168.75.4/30.
DMZ and internet router have related to the network 192.168.74.0/24

Default gateway and DMZ are connected using network 192.168.74.254/24

6
 IPv6 Deployment

LTU switch and internet router is connected using network 131.172.254.26/30.

The above IPV4 subnetting scheme is built with private subnetting scheme and designed as per
the need of Lab topology.
The VLANS which are Student, staff, Management and Guest networks are designed with
subnet mask of /24 so that it can accommodate up to more than 200 users per each network.

3.2.2 IPv6 Subnetting Scheme:

Subnet Prefix Default

Device Interface IPV6 Address
Length Gateway
Gi 0/1 2400:13c0:177:ffeb:8000::2 /126 N/A
Gi 0/0.10 2400:13c0:177:ffe8::fffe /64 N/A
Distribution
Gi 0/0.20 2400:13c0:177:ffe9::fffe /64 N/A
Router
Gi 0/0.30 2400:13c0:177:ffea::fffe /64 N/A
Gi 0/0.40 2400:13c0:177:ffeb:3fff::fffe /66 N/A
Access Switch Vlan10
2400:13c0:177:ffe8:: /64 N/A
(Students)
Vlan20
2400:13c0:177:ffe9:: /64 N/A
(Staff)
Vlan30
2400:13c0:177:ffea:: /64 N/A
(Management)
Vlan40
2400:13c0:177:ffeb:: /66 N/A
(Guest)
Core Router Gi 0/0 2400:13c0:177:ffeb:8000::3 /126 N/A
Gi 0/1 2400:13c0:177:ffeb:8000::5 /126 N/A
Internet Router Gi 0/0 2400:13c0:177:ffeb:8000::6 /126 N/A
Gi 0/1 2400:13C0:254:24::2 /66 N/A
Gi 0/0/0 2400:13c0:177:ffeb:4000::fffe /66 N/A
DMZ 2400:13c0:177:ffeb:4000:: /66 N/A

7
 IPv6 Deployment

Networks Addresses
Student 2400:13c0:177:ffe8::/64
staff 2400:13c0:177:ffe9::/64
Management 2400:13c0:177:ffea::/64
Guest 2400:13c0:177:ffeb:3fff:/66
Distribution - core 2400:13c0:177:ffe8:8000::/126
Core- internet 2400:13c0:177:ffe8:8000::4/126
Internet - DMZ 2400:13c0:177:ffeb:4000::/66
Default gateway to DMZ 2400:13c0:177:ffeb:4000::fffe/66
Internet Router to LTU switch 2400:13C0:254:24::2/66
Four samples of VLANs are created. Network - Students is accessed by students of university.
This network would be getting IP address from the 2400:13c0:177:ffe8::/64.

Network staff is accessed by Staff of university. This network would be getting IP address from
the network 2400:13c0:177:ffe9::/64 Network Guest is accessed by Guests. This network
would be getting IP address from the network 2400:13c0:177:ffeb:3fff:/66. Network
2400:13c0:177:ffea::/64 is reserved which is a management VLAN. This makes switches to
communicate with other VLANs.

Distribution router has an IP address of 2400:13c0:177:ffe8::fffe /64 on its sub- interface

Gi0/0.10 as default gateway for VLAN 10.
G0/0.20 sub-interface has an IP address of 2400:13c0:177:ffe9::fffe /64 as default gateway for
VLAN20.
G0/0.30 sub-interface has an IP address of 2400:13c0:177:ffea::fffe /64 as default gateway for
VLAN30.
G0/0.40 sub-interface has an IP address of 2400:13c0:177:ffeb:3fff::fffe/66 as default gateway
for VLAN40.
Distribution router and core router has a point to point connection with the network address of
2400:13c0:177:ffe8:8000::/126. Internet router and core router are connected using network
2400:13c0:177:ffe8:8000::4/126. DMZ and internet router have been connected with the
network 2400:13c0:177:ffeb:4000::/66. Default gateway and DMZ are connected using
network 2400:13c0:177:ffeb:4000::fffe/66. LTU switch and internet router is connected using
network 2400:13C0:254:24::2/66.

8
 IPv6 Deployment

3.3 Devices and roles:

Distribution Router:

This router is used for inter-VLAN routing. In this router, IPV4 and IPV6 addresses are
assigned automatically to end devices.

Services performed on distribution router are:

Router on stick:

For inter VLAN communication to take place, router on stick is implemented on distribution
router. Sub-Interfaces are created on the distribution router and is assigned to each VLAN for
inter VLAN communication using router on stick.
DHCP and SLAAC:

For the end host devices to acquire IPV4 and IPV6 addresses automatically as per their
VLANS, DHCP is implemented for IPV4 and stateless DHCPV6 is implemented for IPV6 on
distribution router.

OSPF:

OSPFv2 and OSPFv3 is configure on distribution router for both IPV6 and IPV4 so that they
advertise their directly connected networks to their neighbour routers.

Core Router:

Core router resides within the middle of the network. Core router is designed in such a way
that it forwards IP packets at full speed between the networks.

Services performed on internet router are as follows:

OSPF:

OSPFV2 and OSPFv3 is configure on Core router for both IPV4 and IPV6 so that they advertise
their directly connected networks to their neighbour routers.

Internet Router:

Internet router is used to forward the packets in between the core router, DMZ and LTU switch.
Any communication with the exterior networks is done through Internet router.

9
 IPv6 Deployment

Services performed on internet router are as follows:

OSPF: OSPFV2 and OSPFv3 is configure on Internet router for both IPV6 and IPV4 so that
they advertise their directly connected networks to their neighbour routers.

PAT: To translate the Private IP addresses on to public IP addresses, PAT is implemented.

NAT: Static NAT is implemented on this Router statically to map the Private IPv4 address with
the public address of the interface. With this implementation DMZ can be accessed by using
public address from Internet.
Access control List: To filter the data traffic on the internet. ACL is implemented.
ACL is also implemented to identify the traffic needs that are to be permitted and those that
need to be restricted and to filter routing updates.

Switch1 and Switch2:

These two switches are used to connect end host devices which are in different VLANs.
Depending on the ports assigned to respective VLANs, network is accessed accordingly.

Access switch:

Access switch is the main switch which interconnects Both switch1 and switch2. This
interconnection takes place using trunk links so that Intra VLAN and Inter VLAN
communication takes place.

10
 IPv6 Deployment

3.4 Router on Stick:

It is a type of router configuration in which a single physical interface routes traffic
between multiple VLANs on a network. The router interface is configured to operate as a trunk
link and is connected to a switchport configured in trunk mode. The router performs the inter
VLAN routing by accepting VLAN tagged traffic to the trunk interface coming from the
adjacent switch and internally routing between the VLANs using sub interfaces. The routers
then forward the routed traffic-VLAN tagged for the destination VLAN out the same physical
interface. Sub-interfaces are multiple virtual interfaces associated with one physical interface.
Sub interfaces are configured for different subnets corresponding to their VLAN assignment
to facilitate logical routing before the data frames are VLAN tagged and sent back out the
physical interface

ADVANTAGES OF ROUTER ON A STICK:

- Port limits: physical interfaces are configured to have one interface per VLAN, using
single router to perform inter-VALN routing is not possible
- Sub-interfaces allow a router to scale to accommodate more VLANs then physical
interfaces permit
- Performance: Because there is no contention for bandwidth on physical interfaces,
physical interfaces have better performance for inter-VLAN routing. When sub -
interfaces are used for inter-VLAN routing, the traffic being routed competes for
bandwidth on the single physical interface. On a busy network, this could cause a
bottleneck for communication.
- Access ports and trunk ports: connecting physical interfaces for inter- VALN routing
Requires that the switch ports be configured as access ports. Sub-interfaces require the
switch port to be configured as a trunk port so that it can accept VLAN tagged traffic
on the trunk link
- Cost: Routers with many physical interfaces cost more than routers with single
interface, financially it is more cost effective to use sub-interfaces over separate
physical interfaces
- Complexity: Using sub interfaces for inter-VLAN routing results in a less complex
physical configuration than using separate physical interfaces. On the other hand, using
sub interfaces with a trunk port results in a more complex software configuration, which
can be difficult to troubleshoot. If one VLAN is having trouble routing to other VLANs,

11
 IPv6 Deployment

you cannot simply trace the cable to see if the cable is plugged into the correct port.
You need to check to see if the switch port is configured to be a trunk and verify that
the VLAN is not being filtered on any of the trunk links before it reaches the router
interface.

DISADVANTAGES OF ROUTER ON A STICK:

The disadvantages of router on stick network are it is more complex to set up compared to
other networks. traffic VLAN goes into the router and out of the router through the same port.
the trunk is the major source of congestion

IMPLEMENTATION:

To implement the router on stick on the distribution router we had divided the gi0/0 interface
into four sub-interfaces as, i.e, Gi0/0.10, Gi0/0.20, Gi0/0.30, Gi0/0.40.

Gi0/0.10 for the VLAN students with ipv4 address of 192.168.70.254/24 and with ipv6 address
of 2400:13C0:177:ffe8::fffe/64.

Gi0/0.20 for VLAN 20 for staff with ipv4 address of 192.168.71.254/24 and with ipv6 address
of 2400:13C0:177:ffe9::fffe/64.

Gi0/0.30 for VALN 30 as management with ip address of ipv4 192.168.72.254/24 and with
ipv6 address 2400:13C0:177:ffea::fffe/64.

Gi0/0.40 for VLAN 40 as guest with ipv4 address of 192.168.73.254/24 and with ipv6 address
of 2400:13C0:177:ffeb::fffe/66.

Before assigning an IP address to a sub-interface, the sub-interface needs to be configured to

operate on a specific VLAN using the encapsulation dot1q VLAN id command.

CONFIGURATION ON ROUTER ON A STICK:

interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.70.254 255.255.255.0
ipv6 address 2400:13C0:177:FFe8::FFFE/64
ipv6 enable
no shutdown

12
 IPv6 Deployment

interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.71.254 255.255.255.0
ipv6 address 2400:13C0:177:FFe9::FFFE/64
ipv6 enable
no shutdown

interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.72.254 255.255.255.0
ipv6 address 2400:13C0:177:FFea::fffe/64
ipv6 enable
no shutdown

interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.73.254 255.255.255.0
ipv6 address 2400:13C0:177:FFeb:3fff::FFFE/66
ipv6 enable
no shutdown

13
 IPv6 Deployment

3.5 Dynamic Host Configuration Protocol (DHCP):

DHCP is a protocol used for assigning dynamic IP addresses to devices on a network
with dynamic addressing, a device can have a different IP address every time it connects to the
network. in some systems the devices IP address can even change while it is still connected.
DHCP also supports a mix of static and dynamic IP addresses

Components of DHCP:

DHCP server: A network device running the DHCP service that holds IP addresses and
related configuration information of the devices. these most typically will be a server or a router
or it could be anything that acts as a host.ie such as a SD-WAN appliance

DHCP client: The endpoint that receives configuration information from a DHCP server. this
can be any device example a mobile, computer, IoT endpoint or can be anything else that
requires a connection to the network. Most networks are configured to receive the DHCP
information by default.

IP address pool: Range of IP address that are available to the DHCP clients. Address are
sequentially handed from lowest to highest

Subnet: IP address are partitioned in to small segments known a subnet. subnets help to keep
the network manageable

Lease: Length of time for which the DHCP client holds the IP address information. when a
lease expires the client must renew it

DHCP replay: A router or host that listens for client messages being broadcast on the network
and forwards to a configured server. The server then sends response back to the replay agent
which passes them along the clients. this can be used to centralize DHCP servers instead of
having a server on each subnet.

Advantages of DHCP server:

Simplified management by using the DHCP server we can provide very simplified
management of network

Reduced IP address conflicts: Each connected device must have an IP address. However,
each address can only be used once, and a duplicate address will result in a conflict where one
or both devices cannot be connected. This can happen when addresses are assigned manually,

14
 IPv6 Deployment

particularly when there are many endpoints that only connect periodically, such as mobile
devices. The use of DHCP ensures that each address is only used once.

Automation of IP addressing: Without DHCP, network administrators would need to

assign, and revoke addresses manually. Keeping track of which device has what address can
be an exercise in futility as it’s nearly impossible to understand when devices require access to
the network and when they leave. DHCP allows this to be automated and centralized so
network professionals can manage all locations from a single location.

Efficient change management: Using DHCP makes it very simple to change address, scopes
or end points.

Disadvantages of DHCP:

DHCP poses security risks DHCP protocol requires no authentication so any client can join the
network quickly. Because of these it opens to a number of security risks, including
unauthorized servers that hands bad information to clients, by giving IP address and IP address
depletion from unauthorized or malicious clients

How do avoid DHCP security poses: by using the 802.1X authentication otherwise known as
network access control (NAC), can be used to secure DHCP

SLAAC:

To perform address configuration on IPv6 there are a couple of familiar methods and a few
additional methods, including: static addressing, static addressing with DHCPv6 (stateless),
dynamic addressing via DHCPv6 (Stateful), SLAAC alone, or SLAAC with DHCPv6
(Stateless).

SLAAC is a method in which the host or router interface is assigned a 64-bit prefix, and then
the last 64 bits of its address are derived by the host or router with help of EUI-64 process

SLAAC provides the ability to address a host based on a network prefix that is advertised from
a local network router via Router Advertisements (RA). RA messages are sent by default by
most IPV6 routers; these messages are sent out periodically by the router and include
information including:

• One or more IPv6 prefixes (Link-local scope)

• Prefix lifetime information
• Flag information
15
 IPv6 Deployment

• Default device information (Default router to use and its lifetime)

SLAAC is implemented on the IPv6 client by listening for these local RA’s and then taking the
prefix that is advertised to form a unique address that can be used on the network. For this to
work, the prefix that is advertised must advertise a prefix length of 64 bits (i.e., /64); SLAAC
will then dynamically form a host identifier that is 64 bits long and will be suffixed to the end
of the advertised prefix to form an IPv6 address.

To give an idea as to how this works, the example topology shown in figure is used.

If the hosts (H1-H4) shown in figure were using the EUI-64 method of host identification, the
IPv6 addresses created using SLAAC would be:

• H1 – 2000:1234:5678::12FF:FE34:5678
• H2 – 2000:1234:5678::EBFF:FEA4:C1AE
• H3 – 2000:1234:5678::BAFF:FE24:C4AE
• H4 – 2000:1234:5678::84FF:FE67:AEFC

To be thorough, the EUI-64 process will be outlined for H1 as follows:

The prefix 2000:1234:5678::/64 will be learned from R1’s RA messages and will be the initial
prefix.

The client identifier would then be created from the MAC address that is assigned to H1, in
this case 0200:1234:5678. The first step of EUI-64 conversion is to split the MAC address in
half and place FF:FE in the middle, which results in 0200:12FF:FE34:5678. Then the seventh

16
 IPv6 Deployment

bit will be flipped, in this case the first 8 bits is 00000010 (0x02). Next, the seventh bit is
flipped and the bit becomes 0, resulting in 00000000 (0x00); this gives a final host identifier
result of 0000:12FF:FE34:5678. When the prefix and the host identifier are brought together,
it results in an IPv6 address that is used for H1 of
2000:1234:5678:0000:0000:12FF:FE34:5678, which can be shortened to
2000:1234:5678::12FF:FE34:5678.

DHCP Justification:

Dynamic host configuration protocol is implemented on distribution server, so that end host
devices can acquire IP addresses automatically depending on which network they are in. DHCP
is implemented for IPv4 addresses and Stateless DHCPv6 is implemented for IPv6 addresses.
The purpose of implementing stateless DHCPv6 is so that IPv6 addresses can be acquired by
router advertisements and there is no need of DHCP server for that. The end hosts in student
VLAN would be acquiring the IPv4 addresses from the network address 192.168.70.0/24 and
IPv6 address from the network 2400:13C0:177:ffe8::/64. The end hosts in staff VLAN would
be acquiring the IPv4 addresses from the network address 192.168.71.0/24 and IPv6 address
from the network 2400:13C0:177:ffe9::/64.the end hosts of the guest VLAN would be
acquiring the IPv4 addresses form the network address 192.168.73.0/24 and IPv6 address from
the network 2400:13C0:177:ffeb::/66

There are four pools created in DHCP named as VLAN10, VLAN20, VLAN30, VLAN40 for
student, staff, management, guest networks respectively. The naming convention could be
anything, so the names defined for pools are the supposed names. The VLAN10 is used for
Students network (192.168.70.0/24 & 2400:13C0:177:ffe8::/64). The VLAN20 is used for
Staff network (192.168.71.0/24 & 2400:13C0:177:ffe9::/64). The VLAN30 is used for
Management network (192.168.72.0/24 & 2400:13C0:177:ffea::/64) The VLAN40 is used for
Guest network (192.168.73.0/24 & 2400:13C0:177:ffeb::/66)

The addresses that are statically assigned to sub-interfaces of the Gi 0/0 of distribution router,
are excluded from the pools created so that these addresses cannot be automatically assigned
to end host devices, avoiding IP address conflict.

17
 IPv6 Deployment

DHCP syntax for IPv4

Step 1 enable Enables privileged EXEC

mode.
Example: • Enter your password if
Device> enable prompted.

Step 2 configure terminal Enters global configuration

mode.
Example:
Device# configure terminal

Step 3 ip dhcp excluded-address low- Specifies IP addresses that

address [high-address] the DHCP server should not
assign to DHCP clients.
Example:
Device(config)# ip dhcp excluded-address
172.16.1.100 172.16.1.103

Step 4 ip dhcp pool name Creates a name for the

DHCP server address pool
and enters DHCP pool
Example: configuration mode.
Device(config)# ip dhcp pool 1

Step 5 domain-name domain Specifies the domain name

for the client.
Example:
Device(dhcp-config)# domain-name
cisco.com

Step 6 dns-server address [address2 ... address8] Specifies the IP address of a

DNS server that is available
to a DHCP client.
Example:
Device(dhcp-config)# dns • One IP address is required;
server
172.16.1.103 172.16.2.103 however, you can specify
up to eight IP addresses in
one command.
• Servers should be listed in
order of preference.
Step 7 End Returns to privileged EXEC
mode.
Example:
Device(dhcp-config)# end

18
 IPv6 Deployment

DHCP syntax for IPv6

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Example:
• Enter your password if prompted.
Router> enable

Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ipv6 dhcp pool poolname Configures a DHCPv6 configuration

Example: information pool and enters DHCPv6
Router(config)# ipv6 dhcp pool dhcp- pool configuration mode.
pool

Step 4 dns-server ipv6-address Specifies the DNS IPv6 servers

Example: available to a DHCPv6 client.
Router(config-dhcp) dns-server
2001:DB8:3000:3000::42

Step 5 domain-name domain Configures a domain name for a

Example: DHCPv6 client.
Router(config-dhcp)# domain-name
domain1.com
Step 6 exit Exits DHCPv6 pool configuration
Example: mode, and returns the router to global
Router(config-dhcp)# exit configuration mode.

Step 7 interface type number Specifies an interface type and number,

Example: and places the router in interface
Router(config)# interface serial 3 configuration mode.

Step 8 ipv6 dhcp server poolname [rapid- Enables DHCPv6 on an interface.

commit] [preference value] [allow-

19
 IPv6 Deployment

hint]
Example:
Router(config-if)# ipv6 dhcp server
dhcp-pool
Step 9 ipv6 nd other-config-flag Sets the "other stateful configuration"
Example: flag in IPv6 RAs.
Router(config-if)# ipv6 nd other-
config-flag

Step 10 end Returns to privileged EXEC mode.

Example:
Router(config-if)# end

DHCP implementation in our Project:

IPV4:

ip dhcp excluded-address 192.168.70.254

ip dhcp excluded-address 192.168.71.254

ip dhcp excluded-address 192.168.72.1 192.168.72.5

ip dhcp excluded-address 192.168.73.254

ip dhcp pool vlan10

network 192.168.70.0 255.255.255.0

default-router 192.168.70.254

dns-server 131.172.2.2
ip dhcp pool vlan20
network 192.168.71.0 255.255.255.0

default-router 192.168.71.254
dns-server 131.172.2.2

ip dhcp pool vlan30

network 192.168.72.0 255.255.255.0
default-router 192.168.72.254

20
 IPv6 Deployment

dns-server 131.172.2.2
ip dhcp pool vlan40

network 192.168.73.0 255.255.255.0

default-router 192.168.73.254

dns-server 131.172.2.2
IPV6:

ipv6 dhcp pool vlan10

dns-server 2400:13C0:177:FFE8::FFFE
ipv6 dhcp pool vlan20

dns-server 2400:13C0:177:FFE9::FFFE
ipv6 dhcp pool vlan30
dns-server 2400:13C0:177:FFEA::FFFE
ipv6 dhcp pool vlan40

address prefix 2400:13C0:177:FFEB::/66

dns-server 2400:13C0:177:FFEB:3FFF::FFFE

21
 IPv6 Deployment

3.6 Open Short Path First (OSPF):

OSPF is an IGP Protocol (interior gateway protocol) which is used to route packets in between
a single AS (autonomous system). It uses a link-state information to make routing decisions. It
makes route calculations using SPF (shortest path first) algorithm. This algorithm is also
referred as Dijkstra algorithm. Link state advertisements are flood by OSPF running routers
throughout the Autonomous systems or the area that has the information about attached
interfaces of routers and includes metrics related to routing.

The information present in the link state advertisements are used by the routers to calculate the
cost path which is less and create a routing table for the protocol.

The OSPF protocol was designed for TCP/IP environment and as a result, it exteriorly supports
IPO subnetting and tagging of routing information that is derived. Authentication of routing
updates is also provided by OSPF protocol. OSPF routes IP packets depending upon the
destination IP address which is present in the packet header.

The best advantage of OSPF is it quickly detects the topology changes. These changes include
the sudden unavailability of router etc.

OSPF Autonomous system can be divide d into multiple areas or it can also consist of a single
area. Each OSPF area is named using a 32-bit identifier which in most cases is written in the
same dotted-decimal notation as an IP4 address. For example, Area 0 is usually written as
0.0.0.0.

In single area topology. Each router maintains database which contains the information of
respective AS. Link state information is flooded through AS. Where as in multi area OSPF
topology, data base is maintained by each router, but it contains the information of that area.
Link state information is also flooded through that area. Each area has identical topology
databases. With the changes in topology, OSPF ensures that the data is converged quickly in
all the databases.

All OSPF version 2 protocol exchanges can be authenticated. OSPF version 3 mainly relies
on IPsec to provide this functionality. Which means the routers that can be trusted are the only
routers that participate in AS’s routing. Single authentication is implemented in each area. This
enables some areas to use strict authentication than others.

22
 IPv6 Deployment

Default route preference values:

Routing protocol assigns a default preference value to each route. This value depends on the
source route. Th preference value ranges from 0 to 4,294,967,295 (232 – 1). Lower value
indicates preferable route.

Route id:

By the OSPF Router ID, any router is known to OSPF process

To distinguish one OSPF router to another LSDBs use the OSPF router ID.

On an active interface, router ID is the highest IP address at the moment OSPF process
start-up by default.

OSPF Working algorithm:

As we learned from that OSPF used SPF algorithm, when the device starts, it initializes OSPF
and waits for indication that router is function from lower level protocols. The routing devices
to acquire neighbours, uses hello protocol. It sends its hello packets and receives the same from
neighbours. OSPF hello protocol elects a designated router for the network. This device now
will be responsible to advertise link state advertisements. This reduces the network traffic and
reduces the size of database.

Now, the routing device forms the adjacencies with its newly acquired neighbours. Distribution
of routing protocol packets is determined by the adjacencies. Through these adjacencies the
routing packets are been sent. When these adjacencies are establishes, then the routers start
synchronizing their topological databases.

The device now sends the LSA packets to advertise respective state periodically, when n it
starts changing. Routing device adjacency information is present in LSA packets so that it
allows the detection of routing devices which are non-operatable currently.

By using the reliable algorithm, the routing device floods the information throughout the area
and ensures that all routing devices database contains the same information and updated.

With the information present in the database, each routing device calculates the shortest path
tree with itself as the root. The routing devices use these paths to route the traffic.

23
 IPv6 Deployment

OSPF version3:

OSPF version3 is a modified version of OSPF version 2 that supports IP version 6(IPV6)
addressing. OSPF version3 has the following differences with version2.

- Rather per subnet, OSPFv3 runs based on links.

- All the neighbour id information is based on 32-bit router ID.
- Network and router link state advertisements do not carry prefix information.
- For all neighbour exchanges link local addresses are used except for the virtual links.
- IPV6 authentication header relies on the IP layer.
- Hello messages do not carry address.

Advantages of OSPF:

- OSPF is a loop free routing protocol.

- OSPF supports VLSM (variable length subnet mask).
- Convergence is very fast. Change sin route can b e transmitted and converged quickly.
- With the concept of area division, it also makes routing information to not to expand
rapidly with increase in network scale.
- OSPF minimizes the overhead.

24
 IPv6 Deployment

- Through strict division if level of routing, it provides more reliable routing.

- OSPF supports interface-based plaintext ad MD5 authentication.

Disadvantages of OSPF:

- CPU utilization is high as the calculations using SPF are more.

- With the increase in topology and increase in routers the database becomes large and
uses large amount of memory which effects the integrity.

OSPF Justification:

Open Shortest Path First protocol is implemented as a routing protocol to dynamically route
the network addresses in between the connected routers.

Distribution router has ospfv2 implemented for ipv4 networks while ospfv3 is implemented for
ipv6 networks. The distribution router then advertises its directly connected networks
192.168.70.0/24, 192.168.71.0/24, 192.168.72.0/24, 192.168.73.0/24, 192.168.75.0/30,
192.168.75.4/30. This information is obtained by Core router as it is directly connected to
distribution router.

Secondly, the core router then advertises its directly connected networks 192.168.75.0/30,
192.168.75.0/30 to distribution router and internet router.

Lastly, the internet router advertises its directly connected networks 192.168.75.4/30, to core
router and LTU switch.

RIP, OSPF and EIGRP are the three most common dynamic routing protocols.

Among all three protocols when initializing, recovering and failing, EIGRP is the fastest
routing protocol as per convergence. Compare to EIGRP, OSPF is slow as it needs to let all
other routers know each other during initialization.

RIP performance is near to EIGRP performance but when it comes to Large networks,
Convergence speed of RIP is slow.

As per the traffic sent in bytes/sec, EIGRP an OSPF benefit from the bandwidth whereas RIP
wastes bandwidth by sending the complete information to flood the network.

25
 IPv6 Deployment

Comparison with EIGRP:

Though EIGRP has fast convergence than OSPF, it is more versatile, and adaptable. But EIGRP
I specific to cisco devices, it is a cisco proprietary. We choose OSPF as it is open standard and
supports multiple vendors. Also, OSPF uses areas which segments the network more logically.

OSPF Configuration:
Below table shows the steps that are involved to configure a basic OSPF network:

1 Enter global configuration mode. router#configure terminal

2 Create an OSPF routing process and enter router(config)#router ospf process-id

router configuration mode.

3 Router ID router(config)#router-id id-of-the-router

4 Configure the interfaces that OSPF will be router(config-router)#network network

enabled on. wildcard-mask area area-id

IPV6:

Verification of OSPF implementation commands:

# show ip ospf neighbor

# show ip ospf database

# show ip ospf

26
 IPv6 Deployment

OSPF configuration at distribution Router:

IPV4:

router ospf 1
router-id 1.1.1.1
network 192.168.70.0 0.0.0.255 area 0
network 192.168.71.0 0.0.0.255 area 0
network 192.168.72.0 0.0.0.255 area 0
network 192.168.73.0 0.0.0.255 area 0
network 192.168.75.0 0.0.0.3 area 0
IPV6:

IPV6 router ospf 1

router-id 1.1.1.1
ipv6 unicast
interface GigabitEthernet0/1
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.10
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.20
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.30
ipv6 ospf 1 area 0
interface GigabitEthernet0/0.40
ipv6 ospf 1 area 0
OSPF configuration at Internet Router:

IPV6
Ipv6 router ospf1
router-id 3.3.3.3
ipv6 unicast
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
interface GigabitEthernet0/1

27
 IPv6 Deployment

ipv6 ospf 1 area 0

interface Vlan50
ipv6 ospf 1 area 0

IPV4:

router ospf 1
router-id 3.3.3.3
network 131.172.254.24 0.0.0.3 area 0
network 192.168.74.0 0.0.0.255 area 0
network 192.168.75.4 0.0.0.3 area 0

OSPF configuration at Core Router:

IPv4:
router ospf 1
router-id 2.2.2.2
network 192.168.75.0 0.0.0.3 area 0
network 192.168.75.4 0.0.0.3 area 0

IPV6:
IPV6 router ospf 1
router-id 2.2.2.2
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
interface GigabitEthernet0/1
ipv6 ospf 1 area 0

28
 IPv6 Deployment

3.7 Network Address Translation (NAT):

Network Address Translation – NAT is a method which allows the

modification(translation) of IP addresses. This translation takes place while packets are
traversing the network. NAT enables private IP internetworks that use non-registered IP
addresses to connect to the internet.

NAT Overload, which is also known as port address translation (PAT) is essentially NAT with
the added extra feature of TCP and UDP ports translation.

The main purpose of NAT is to hide the IP address (usually Private IP address) of the end host
in order to reserve the public address space. For instance, a complete network with 50 hosts
have 50 private addresses and can be made visible to outside world which is Internet as a single
IP address.

Advantages of NAT:

- Advantages of NAT includes economical usage of the IP address ranges at hand.

- NAT provides an additional layer of security by hiding the original source and
destination address.
- It increases the flexibility while connecting to public internet.
- NAT allows us to use our own private address preventing the internal address changes
even if we change the service provider.

Below steps explain basic NAT overload configuration. NAT is the most common operation
used in today’s business around the world. As NAT enables the whole network making it access
the Internet using single IP address.

Configuring NAT overload:

Overloading: This means a single IP address (public IP address) assigned to our router can be
used by many internal hosts concurrently. This is done by translating TCP/UDP ports in the
packets. These packets are kept in track within the translation table in the Router. This would
be the general NAT implementation in today’s networks.

Initially, in NAT configuration is to define the interfaces inside (step 6-8).

In next step outside interfaces are defined. (step10-12)

29
 IPv6 Deployment

We also need to create and access list (ACL) which includes our private hosts or networks.
This defined ACL is later applied to the service command of NAT, which further controls the
hosts that will be able to access the Internet. (step4 in syntax). NAT overload is enabled and
bind it to outside interface which is created using NAT implementation (step 5)

NAT Implementation in our project:

ip nat inside source list internet interface GigabitEthernet0/1 overload

ip nat inside source static 192.168.74.1 131.172.254.26
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip access-list standard internet
permit 192.168.0.0 0.0.255.255
interface GigabitEthernet0/1
ip address 131.172.254.26 255.255.255.252
ip nat outside
interface GigabitEthernet0/0
ip address 192.168.75.6 255.255.255.252
ip access-group deny_all out
ip nat inside

30
 IPv6 Deployment

Verification of NAT is done by using the below commands:

# show ip nat translations

# show ip nat statistics

Disadvantages of NAT:

- NAT consumes memory and processor resource, this is because NAT need to translate
all incoming and outgoing datagrams and store the details in memory.
- NAT causes delay in IPv4 communication.
- Loss of end to end traceability.

31
 IPv6 Deployment

3.8 Demilitarized Zone (DMZ):

Demilitarized Zone is a perimeter network consisting of information and services that need to
be accessed by external users. It is generally placed between Internet (Untrusted network) and
Internal Network (Trusted network). By creating DMZ, we are adding additional security by
restricting all the external traffic entering into internal network.

All the services providing servers/systems such as company website, support services are
needed to be accessed by external users if they are placed inside the trusted network will make
the whole network vulnerable to attack. So, placing them in a separate network between
firewalls will be easy to protect the trusted network without being attacked.

Justification:

In our network we have placed our web server in the demilitarized zone by connecting it to the
Interface Gi0/0/0 of the Internet Router. 192.168.74.0/24, 2400:13c0:177:ffeb:4000:: are IPv4
and IPv6 addresses dedicated to DMZ network.

We are using Apache 2.4 http server for creating and managing our web server which consists
of the basic information.

32
 IPv6 Deployment

3.9 Access-control lists (ACLs):

Access Control Lists are list of arguments which are used to control the flow of traffic
in and out of the network interface. They are named by number or word. They can be
configured in routers and switches for meeting basic security requirements. There are two types
of ACLs standard acls and extended acls.

3.9.1 Standard Access-control lists:

Standard Acls are numbered between 1 and 99. They check for the source address and will be
filtering the packets. Standard acls will permit or deny protocols.
3.9.2 Extended Access-control lists:

Extended Acls are numbered between 100 to 199 and can be named with words. Unlike
standard acls extended acls check for source and destination address while filtering the packets.
They permit or deny specific protocols i.e TCP, UDP with source and destination ports and
ICMP, IP by name or protocol numbers. Comparing to standard acls, extended acls have more
features. In our network topology we need to restrict traffic from entering internal network
connected to interface gi0/0, while internal traffic needs to access internet and dmz information.
By implementing extended acls we cannot restrict external traffic and allow internal user to use
internet simultaneously. We are going for advanced security protocols.

Acl Implementation:

ipv6 access-list inbound

permit icmp any any
deny tcp any any eq telnet
permit ipv6 any any
ipv6 access-list outbound
sequence 70 permit udp any host 2400:13C0:177:FFEB:4000::FFFE eq domain
sequence 90 permit tcp any host 2400:13C0:177:FFEB:4000::1
deny icmp host 2400:13C0:177:FFEB:4000::1 any echo-request
permit ipv6 any any
interface Vlan50
ipv6 traffic-filter outbound in
interface GigabitEthernet0/0
ipv6 traffic-filter inbound in

33
 IPv6 Deployment

3.10 Context-Based Access Control (CBAC):

As per our requirement we need to use cbac along with acls. In cbac we can inspect the packets
which are travelling from firewall and allow them back into the network. Like acls we can
inspect in-bound and out-bound traffic of specific interface. CBAC supports TCP, TFTP, UDP,
HTTP, FTP and more protocols.

Lets assume 2 networks 131.172.254.24/30 on Interface G0/1 and 192.168.75.0/30 on Interface

G0/0 in above image.

We need to restrict the traffic which flow outbound from G0/0. For which we will use extended
acl to deny all traffic and implement it on Gi0/0 towards out. And the traffic condition will be
as below.

Now we need to inspect the required packet that flow from Interface G0/0 inorder to allow
them back into the internal network.

34
 IPv6 Deployment

By enabling CBAC, the router will inspect the packets from trusted host and deny all extended
acl is modified automatically by allowing reply packets to trusted network.

CBAC Justification:

As per requirement in our topology we are restricting the outbound traffic from entering
internal network and internal network should access information in DMZ and also access
internet.

So we will be implementing CBAC as above in Interface G0/0 and inspect http, https, dns, udp
packets which flow inbound to interface.

CBAC Configuration:

ip inspect name png http

ip inspect name png https
ip inspect name png icmp
ip inspect name png dns
interface GigabitEthernet0/0
ip access-group deny_all out
ip inspect png in
ip access-list extended deny_all
deny ip any any

35
 IPv6 Deployment

4. Costing
The costing mentioned here is confined to the lab environment for one POD as per
given instructions. Through this estimate, cost of labor, software and hardware can be quoted
for entire La Trobe university network.

Here are the costs mentioned below in AUD:

Wire costing (CAT-6)

Around 100meter wire is required to attach in between LTU Switch and the installation point.
The average cost for RJ45 CAT6 for 1 meter is $2.2. So, the total cost of wire here for
connecting between LTU Switch and installation point would be $220. Another 200meter wire
which is further cut into around 55 small ethernet cables are required for interconnectivity
between routers and switches. So, the overall cost for CAT6 wire would be around $660.
Moreover, the associated cost for this project is roughly $3000 for the materials and installation
(mainly wiring).
Material

The cabling itself is one part of the network when installing an ethernet cable in Lab. For the
system to run properly there some other materials involved which are necessary and others are
optional.

We also need an Ethernet switch or central hub to plug electronics to capture the Ethernet.
These typically cost under $20 each and also to complete the installation, gang retrofit box for
each line is needed. These cost roughly $2 each.

Optional materials

• Patch panel: a switchboard that connects multiple devices, ($30 and up).
• Plastic grommets: if necessary, for retrofitting cables ($5 and up).
• Plugs: which may also be necessary for retrofitting or finishing cables ($2 and up).
• Short patch cables: if you are moving from one setup to another within the same lab
($0.80 and up).

36
 IPv6 Deployment

Labor cost:
For wiring every lab takes approximately 3 hours, so the labor cost would be between
$1000 - $1500 to have a Cat 6 network professionally installed. Apart from this material costs
are an additional $1300 - $1500 depending on how many computers are in the room.
Timeline of the completion of installation of project is around 4 months. The price charged by
the professionals is around $50/hr. So, it would be around $48000 for labor. Professionals will
be a team of 3 members for installation of the project, working around 20 hours per week for
16 weeks.

Hardware Cost:
S.no Item Description Qty/Length Unit Price Amount
1 Routers CISCO1941/K9 3 A$2997.68 A$8993.04
Cisco 1941
Router ISR G2
2 Switches WS-C2960G- 3 A$3653.30 A$10959.9
24TC-L
Catalyst 2960
24
3 Wire RJ45 CAT6 300m $2.2/meter $660
4 Connectors RJ45 12 A$2 A$24
connectors
Pack of 20
5 Rack 19" Server 1 A$358.02 A$358.02
Rack Cabinet,
20U
6 HTTP HP Pavilion i5 1 A$1500 A$1500
Server
(PC)
Total $22494.96

Total Cost of the project would be around $80,000.

37
 IPv6 Deployment

5. Appendix

5.1 Switch1 configuration:

hostname S1 switchport trunk native vlan 30

! switchport mode trunk
boot-start-marker !
boot-end-marker interface GigabitEthernet1/0/5
! switchport access vlan 10
enable secret 5 switchport mode access
$1$HsF8$9mzU37G5j/7FlIV5Br5I30
!
!
interface GigabitEthernet1/0/6
no aaa new-model
switchport access vlan 10
switch 1 provision ws-c3560cx-12pd-s
switchport mode access
system mtu routing 1500
!
!
interface GigabitEthernet1/0/7
spanning-tree mode rapid-pvst
switchport access vlan 20
spanning-tree extend system-id
switchport mode access
!
!
vlan internal allocation policy ascending
interface GigabitEthernet1/0/8
!
switchport access vlan 20
interface GigabitEthernet1/0/1
switchport mode access
switchport trunk native vlan 30
!
switchport mode trunk
interface GigabitEthernet1/0/9
!
switchport access vlan 40
interface GigabitEthernet1/0/2
switchport mode access
switchport trunk native vlan 30
!
switchport mode trunk
interface GigabitEthernet1/0/10
!
switchport access vlan 40
interface GigabitEthernet1/0/3
switchport mode access
switchport trunk native vlan 30
!
switchport mode trunk
interface GigabitEthernet1/0/11
!
!
interface GigabitEthernet1/0/4
38
 IPv6 Deployment

interface GigabitEthernet1/0/12 password cisco

! login
interface GigabitEthernet1/0/13 line vty 5 15
! password cisco
interface GigabitEthernet1/0/14 login
! !
interface GigabitEthernet1/0/15 !
! end
interface GigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
no ip address
!
interface Vlan30
ip address 192.168.72.1 255.255.255.0
ipv6 address 2400:13C0:177:FFEA::1/64
ipv6 enable
!
ip forward-protocol nd
ip http server
ip http secure-server
!
no vstack
!
line con 0
password cisco
login
line vty 0 4

39
 IPv6 Deployment

5.2 Switch2 configuration: switchport mode trunk

!
hostname switch2
interface GigabitEthernet1/0/5
!
switchport access vlan 10
boot-start-marker
switchport mode access
boot-end-marker
!
!
interface GigabitEthernet1/0/6
enable secret 5
$1$7H21$EYycFGaS1QVd6QNgPKYrE. switchport access vlan 10

! switchport mode access

no aaa new-model !

switch 1 provision ws-c3560cx-12pd-s interface GigabitEthernet1/0/7

system mtu routing 1500 switchport access vlan 20

! switchport mode access

spanning-tree mode rapid-pvst !

spanning-tree extend system-id interface GigabitEthernet1/0/8

! switchport access vlan 20

vlan internal allocation policy ascending switchport mode access

! !

interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/9

switchport trunk native vlan 30 switchport access vlan 40

switchport mode trunk switchport mode access

! !

interface GigabitEthernet1/0/2 interface GigabitEthernet1/0/10

switchport trunk native vlan 30 switchport access vlan 40

switchport mode trunk switchport mode access

! !

interface GigabitEthernet1/0/3 interface GigabitEthernet1/0/11

switchport trunk native vlan 30 !

switchport mode trunk interface GigabitEthernet1/0/12

! !

interface GigabitEthernet1/0/4 interface GigabitEthernet1/0/13

switchport trunk native vlan 30 !

40
 IPv6 Deployment

interface GigabitEthernet1/0/14 ip http server

! ip http secure-server
interface GigabitEthernet1/0/15 !
! no vstack
interface GigabitEthernet1/0/16 !
! line con 0
interface TenGigabitEthernet1/0/1 password cisco
! login
interface TenGigabitEthernet1/0/2 line vty 0 4
! password cisco
interface Vlan1 login
no ip address line vty 5 15
! password cisco
interface Vlan30 login
ip address 192.168.72.2 255.255.255.0
ipv6 address 2400:13C0:177:FFEA::2/64 !
ipv6 enable end
!
ip forward-protocol nd

41
 IPv6 Deployment

5.3 Access switch configuration: !

interface GigabitEthernet1/0/4
hostname accessswitch
switchport trunk native vlan 30
!
switchport mode trunk
boot-start-marker
!
boot-end-marker
interface GigabitEthernet1/0/5
!
switchport access vlan 10
enable secret 5
$1$BzH/$p7JejfQoUAQYW5oll3CJz/ switchport mode access

! !

no aaa new-model interface GigabitEthernet1/0/6

switch 1 provision ws-c3560cx-12pd-s switchport access vlan 10

system mtu routing 1500 switchport mode access

! !

spanning-tree mode rapid-pvst interface GigabitEthernet1/0/7

spanning-tree extend system-id switchport access vlan 20

! switchport mode access

vlan internal allocation policy ascending !

! interface GigabitEthernet1/0/8

interface GigabitEthernet1/0/1 switchport access vlan 20

switchport trunk native vlan 30 switchport mode access

switchport mode trunk !

! interface GigabitEthernet1/0/9

interface GigabitEthernet1/0/2 switchport access vlan 40

switchport trunk native vlan 30 switchport mode access

switchport mode trunk !

! interface GigabitEthernet1/0/10

interface GigabitEthernet1/0/3 switchport access vlan 40

switchport trunk native vlan 30 switchport mode access

switchport mode trunk !

42
 IPv6 Deployment

interface GigabitEthernet1/0/11 ip http server

! ip http secure-server

interface GigabitEthernet1/0/12 !
! no vstack

interface GigabitEthernet1/0/13 !
! line con 0

interface GigabitEthernet1/0/14 password cisco

switchport access vlan 30 login

switchport trunk native vlan 30 line vty 0 4

switchport mode trunk password cisco

spanning-tree portfast edge trunk login

! line vty 5 15
interface GigabitEthernet1/0/15 password cisco

! login
interface GigabitEthernet1/0/16 !

! !
interface TenGigabitEthernet1/0/1 end

!
interface TenGigabitEthernet1/0/2

!
interface Vlan1

no ip address
!
interface Vlan30

ip address 192.168.72.3 255.255.255.0

ipv6 address 2400:13C0:177:FFEA::3/64

ipv6 enable
!
ip forward-protocol nd

43
 IPv6 Deployment

5.4 Distribution router configuration dns-server 131.172.2.2

!
hostname distribution
ip dhcp pool vlan40
!
network 192.168.73.0 255.255.255.0
boot-start-marker
default-router 192.168.73.254
boot-end-marker
dns-server 131.172.2.2
!
!
enable secret 5
$1$f8g/$4y0bTlE0zc82D4tstPUMW0 ip cef
! ipv6 unicast-routing
no aaa new-model ipv6 dhcp pool vlan10
ethernet lmi ce dns-server 2400:13C0:177:FFE8::FFFE
memory-size iomem 5 !
! ipv6 dhcp pool vlan20
ip dhcp excluded-address 192.168.70.254 dns-server 2400:13C0:177:FFE9::FFFE
ip dhcp excluded-address 192.168.71.254 !
ip dhcp excluded-address 192.168.72.1 ipv6 dhcp pool vlan30
192.168.72.5
dns-server 2400:13C0:177:FFEA::FFFE
ip dhcp excluded-address 192.168.73.254
!
!
ipv6 dhcp pool vlan40
ip dhcp pool vlan10
address prefix 2400:13C0:177:FFEB::/66
network 192.168.70.0 255.255.255.0
dns-server
default-router 192.168.70.254 2400:13C0:177:FFEB:3FFF::FFFE
dns-server 131.172.2.2 !
! ipv6 cef
ip dhcp pool vlan20 multilink bundle-name authenticated
network 192.168.71.0 255.255.255.0 !
default-router 192.168.71.254 license udi pid CISCO1941/K9 sn
FGL171211FW
dns-server 131.172.2.2
!
!
redundancy
ip dhcp pool vlan30
!
network 192.168.72.0 255.255.255.0
interface Embedded-Service-Engine0/0
default-router 192.168.72.254
no ip address

44
 IPv6 Deployment

shutdown interface GigabitEthernet0/0.30

! encapsulation dot1Q 30 native
interface GigabitEthernet0/0 ip address 192.168.72.254 255.255.255.0
no ip address ip nat inside
duplex auto ip virtual-reassembly in
speed auto ipv6 address
2400:13C0:177:FFEA::FFFE/64
!
ipv6 enable
interface GigabitEthernet0/0.10
ipv6 nd other-config-flag
encapsulation dot1Q 10
ipv6 dhcp server vlan30
ip address 192.168.70.254 255.255.255.0
ipv6 ospf 1 area 0
ip nat inside
!
ip virtual-reassembly in
interface GigabitEthernet0/0.40
ipv6 address FE80::1 link-local
encapsulation dot1Q 40
ipv6 address 2400:13C0:177:FFE8::1/64
ip address 192.168.73.254 255.255.255.0
ipv6 address
2400:13C0:177:FFE8::FFFE/64 ip nat inside
ipv6 enable ip virtual-reassembly in
ipv6 nd other-config-flag ipv6 address FE80::1 link-local
ipv6 dhcp server vlan10 ipv6 address 2400:13C0:177:FFEB::1/66
ipv6 ospf 1 area 0 ipv6 address
2400:13C0:177:FFEB:3FFF::FFFE/66
!
ipv6 enable
interface GigabitEthernet0/0.20
ipv6 nd managed-config-flag
encapsulation dot1Q 20
ipv6 nd other-config-flag
ip address 192.168.71.254 255.255.255.0
ipv6 dhcp server vlan40
ip nat inside
ipv6 ospf 1 area 0
ip virtual-reassembly in
!
ipv6 address
2400:13C0:177:FFE9::FFFE/64 interface GigabitEthernet0/1
ipv6 enable ip address 192.168.75.1 255.255.255.252
ipv6 nd other-config-flag duplex auto
ipv6 dhcp server vlan20 speed auto
ipv6 ospf 1 area 0 ipv6 address
2400:13C0:177:FFEB:8000::2/126
!

45
 IPv6 Deployment

ipv6 enable exit-address-family

ipv6 ospf 1 area 0 !
! router ospf 1
interface Serial0/1/0 router-id 1.1.1.1
no ip address network 192.168.70.0 0.0.0.255 area 0
shutdown network 192.168.71.0 0.0.0.255 area 0
clock rate 2000000 network 192.168.72.0 0.0.0.255 area 0
! network 192.168.73.0 0.0.0.255 area 0
interface Serial0/1/1 network 192.168.75.0 0.0.0.3 area 0
no ip address !
shutdown ip forward-protocol nd
! !
interface GigabitEthernet0/0/0 no ip http server
no ip address no ip http secure-server
! !
interface GigabitEthernet0/0/1 ip dns server
no ip address ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
! !
interface GigabitEthernet0/0/2 ipv6 route ::/0 GigabitEthernet0/1
no ip address !
! control-plane
interface GigabitEthernet0/0/3 !
no ip address line con 0
! password cisco
interface Vlan1 login
no ip address line aux 0
! line 2
router ospfv3 1 no activation-character
router-id 1.1.1.1 no exec
! transport preferred none
address-family ipv6 unicast transport output pad telnet rlogin lapb-ta
mop udptn v120 ssh
router-id 1.1.1.1

46
 IPv6 Deployment

stopbits 1
line vty 0 4
password cisco
login
transport input none
line vty 5 15
password cisco
login
transport input none
!
scheduler allocate 20000 1000
!
end

47
 IPv6 Deployment

5.5 Core Router configuration: ipv6 enable

ipv6 ospf 1 area 0
hostname corerouter
!
!
interface GigabitEthernet0/1
boot-start-marker
ip address 192.168.75.5 255.255.255.252
boot-end-marker
duplex auto
!
speed auto
enable secret 5
$1$3/7O$nUiIrNFVJaGgWy6TVSoO40 ipv6 address
2400:13C0:177:FFEB:8000::5/126
!
ipv6 enable
no aaa new-model
ipv6 ospf 1 area 0
ethernet lmi ce
!
memory-size iomem 5
interface Serial0/1/0
!
no ip address
ip cef
shutdown
ipv6 unicast-routing
!
ipv6 cef
interface Serial0/1/1
multilink bundle-name authenticated
no ip address
!
shutdown
license udi pid CISCO1941/K9 sn
FGL171227WY clock rate 2000000

! !

redundancy interface GigabitEthernet0/0/0

! no ip address

interface Embedded-Service-Engine0/0 !

no ip address interface GigabitEthernet0/0/1

shutdown no ip address

! !

interface GigabitEthernet0/0 interface GigabitEthernet0/0/2

ip address 192.168.75.2 255.255.255.252 no ip address

duplex auto !

speed auto interface GigabitEthernet0/0/3

ipv6 address no ip address
2400:13C0:177:FFEB:8000::3/126
48
 IPv6 Deployment

! no exec
interface Vlan1 transport preferred none
no ip address transport output pad telnet rlogin lapb-ta
mop udptn v120 ssh
!
stopbits 1
router ospfv3 1
line vty 0 4
router-id 2.2.2.2
password cisco
!
login
address-family ipv6 unicast
transport input none
router-id 2.2.2.2
line vty 5 15
exit-address-family
password cisco
!
login
router ospf 1
transport input none
router-id 2.2.2.2
!
network 192.168.75.0 0.0.0.3 area 0
scheduler allocate 20000 1000
network 192.168.75.4 0.0.0.3 area 0
!
!
end
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ipv6 route ::/0 GigabitEthernet0/1
!
control-plane
!
line con 0
password cisco
line aux 0
line 2
no activation-character

49
 IPv6 Deployment

5.6 Internet Router configuration: ip address 192.168.75.6 255.255.255.252

ip access-group deny_all out
hostname Internetrouter
ip nat inside
!
ip inspect png in
boot-start-marker
ip virtual-reassembly in
boot-end-marker
duplex auto
!
speed auto
no aaa new-model
ipv6 address
ethernet lmi ce 2400:13C0:177:FFEB:8000::6/126
memory-size iomem 5 ipv6 enable
! ipv6 traffic-filter inbound in
ip inspect name png http ipv6 ospf 1 area 0
ip inspect name png https !
ip inspect name png icmp interface GigabitEthernet0/1
ip inspect name png dns ipaddress131.172.254.26 255.255.255.252
ip cef ip nat outside
ipv6 unicast-routing ip virtual-reassembly in
ipv6 cef duplex auto
! speed auto
multilink bundle-name authenticated ipv6 address 2400:13C0:254:24::2/66
! ipv6 enable
license udi pid CISCO1941/K9 sn ipv6 ospf 1 area 0
FGL171227WG
!
license boot module c1900 technology-
package securityk9 interface Serial0/1/0

! no ip address

redundancy shutdown

! clock rate 2000000

interface Embedded-Service-Engine0/0 !

no ip address interface Serial0/1/1

shutdown no ip address

! shutdown
interface GigabitEthernet0/0 !

50
 IPv6 Deployment

interface GigabitEthernet0/0/0 !
switchport access vlan 50 router ospf 1
no ip address router-id 3.3.3.3
! network 131.172.254.24 0.0.0.3 area 0
interface GigabitEthernet0/0/1 network 192.168.74.0 0.0.0.255 area 0
no ip address network 192.168.75.4 0.0.0.3 area 0
! !
interface GigabitEthernet0/0/2 ip forward-protocol nd
no ip address !
! no ip http server
interface GigabitEthernet0/0/3 no ip http secure-server
no ip address !
! ip nat inside source list internet interface
GigabitEthernet0/1 overload
interface Vlan1
ip nat inside source static 192.168.74.1
no ip address 131.172.254.26
! ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
interface Vlan50 !
ip address 192.168.74.254 255.255.255.0 ip access-list standard internet
ip nat inside permit 192.168.0.0 0.0.255.255
ip virtual-reassembly in !
ipv6 address ip access-list extended deny_all
2400:13C0:177:FFEB:4000::FFFE/66
deny ip any any
ipv6 enable
ip access-list extended dmz_png
ipv6 traffic-filter outbound in
permit tcp any host 131.172.2.2 eq www
ipv6 ospf 1 area 0
!
!
ipv6 route ::/0 2400:13C0:254:24::1
router ospfv3 1
!
router-id 3.3.3.3
ipv6 access-list inbound
!
permit icmp any any
address-family ipv6 unicast
deny tcp any any eq telnet
router-id 3.3.3.3
permit ipv6 any any
exit-address-family
!

51
 IPv6 Deployment

ipv6 access-list outbound

sequence 70 permit udp any host
2400:13C0:177:FFEB:4000::FFFE eq
domain
sequence 90 permit tcp any host
2400:13C0:177:FFEB:4000::1
deny icmp host
2400:13C0:177:FFEB:4000::1 any echo-
request
permit ipv6 any any
!
control-plane
!
line con 0
password cisco
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta
mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

52
 IPv6 Deployment

5.7 Configuration results:

DHCP :

#show ip dhcp pool

53
 IPv6 Deployment

Verification Results:
OSPF – Verification results

# show ip ospf database

# show ip ospf neighbour

Internetrouter :

DistributionRouter–OSPF

54
 IPv6 Deployment

CoreRouter–OSPF

Trunk Interfaces in all Switches:

55
 IPv6 Deployment

VLAN information in all switches:

56
 IPv6 Deployment

Firewall Rules:

57
 IPv6 Deployment

DHCP output:

host to host: student to staff:

58
 IPv6 Deployment

Host to distribution Router:

59
IPv6 Deployment

60
 IPv6 Deployment

Host to core router:

Host to DMZ- IPV4:

61
 IPv6 Deployment

HOST to DMZ -IPV6:

62
 IPv6 Deployment

Host to Internet router:

Host to DMZ:

63
 IPv6 Deployment

Host to Latrobe:

DMZ to Host:

64
 IPv6 Deployment

DMZ to Latrobe:

External Network to DMZ:

65
IPv6 Deployment

66