IPv6 – Reserved IPv6 Address Ranges

This is the list of reserved IPv6 address ranges that I have been building as I read through the IPv6 RFCs. As I find others, I will add them to this list. If you see one that is missing, please send me the details and the supporting RFC number and I will add it. My goal is to make this a reliable piece of information that will help all of us.

Address Range         Description
0000::/8              Reserved by IETF – RFC4291
0100::/8              Reserved by IETF – RFC4291
0200::/7              Reserved by IETF – RFC4291
0400::/6              Reserved by IETF – RFC4291
0800::/5              Reserved by IETF – RFC4291
1000::/4              Reserved by IETF – RFC4291
2000::/3              Global Unicast – RFC4291
2001:db8::/32         Documentation – RFC3849
2002::/24             6to4 (RFC3056) of reserved IPv4 range 0.0.0.0/8
2002:0a00::/24        6to4 (RFC3056) of reserved IPv4 range 10.0.0.0/8
2002:7f00::/24        6to4 (RFC3056) of reserved IPv4 range 127.0.0.0/8
2002:a9fe::/32        6to4 (RFC3056) of reserved IPv4 range 169.254.0.0/16
2002:ac10::/28        6to4 (RFC3056) of reserved IPv4 range 172.16.0.0/12
2002:c000::/40        6to4 (RFC3056) of reserved IPv4 range 192.0.0.0/24
2002:c0a8::/32        6to4 (RFC3056) of reserved IPv4 range 192.168.0.0/16
2002:c612::/31        6to4 (RFC3056) of reserved IPv4 range 198.18.0.0/15
2002:c633:6400::/40   6to4 (RFC3056) of reserved IPv4 range 198.51.100.0/24
2002:cb00:7100::/40   6to4 (RFC3056) of reserved IPv4 range 203.0.113.0/24
2002:e000::/20        6to4 (RFC3056) of reserved IPv4 range 224.0.0.0/4
4000::/3              Reserved by IETF – RFC4291
6000::/3              Reserved by IETF – RFC4291
8000::/3              Reserved by IETF – RFC4291
A000::/3              Reserved by IETF – RFC4291
C000::/3              Reserved by IETF – RFC4291
E000::/4              Reserved by IETF – RFC4291
F000::/5              Reserved by IETF – RFC4291
F800::/6              Reserved by IETF – RFC4291
FC00::/7              Unique Local Unicast – RFC4193
FE00::/9              Reserved by IETF – RFC4291
FE80::/10             Link Local Unicast – RFC4291
FEC0::/10             Site Local Unicast (deprecated) – RFC3879
FF00::/8              Multicast – RFC4291
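To put the table to work, here is an added Python example (not part of the original post) that classifies an IPv6 address by the most specific range above and, for anything under the 6to4 prefix 2002::/16, decodes the embedded IPv4 address and checks it against the reserved IPv4 ranges listed. Anything that should never be seen on the public Internet is reported as not routable, which is the bogon check a border filter or log review would apply. It assumes only the standard library ipaddress module.

```python
"""Classify an IPv6 address against the reserved ranges in the table above."""
import ipaddress

# Ranges from the table (IANA IPv6 address space, RFC 4291/3849/4193/3879/3056),
# ordered most-specific first so that 2001:db8::/32 wins over 2000::/3.
IPV6_RANGES = [
    ("::1/128",       "Loopback"),
    ("2001:db8::/32", "Documentation - RFC3849"),
    ("2002::/16",     "6to4 - RFC3056"),
    ("fe80::/10",     "Link Local Unicast - RFC4291"),
    ("fec0::/10",     "Site Local (deprecated) - RFC3879"),
    ("fe00::/9",      "Reserved by IETF - RFC4291"),
    ("fc00::/7",      "Unique Local Unicast - RFC4193"),
    ("ff00::/8",      "Multicast - RFC4291"),
    ("2000::/3",      "Global Unicast - RFC4291"),
]
# Every other block in the table (0000::/8 ... F800::/6) is "Reserved by IETF".
DEFAULT = "Reserved by IETF - RFC4291"

# IPv4 ranges the table lists as reserved inside the 6to4 prefix 2002::/16.
IPV4_RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4",
)]


def embedded_6to4_ipv4(addr):
    """A 6to4 address is 2002:VVVV:WWWW::/48; VVVV:WWWW (bits 16-47) is the IPv4 address."""
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def classify(text):
    """Return (description, routable) for an IPv6 address string.

    routable is True only for addresses that may legitimately appear on the public
    Internet: global unicast, and 6to4 built from a non-reserved IPv4 address.
    Everything else is a bogon that a border filter should drop.
    """
    addr = ipaddress.IPv6Address(text)
    for prefix, desc in IPV6_RANGES:
        if addr not in ipaddress.IPv6Network(prefix):
            continue
        if prefix != "2002::/16":
            return desc, desc.startswith("Global Unicast")
        v4 = embedded_6to4_ipv4(addr)
        for net in IPV4_RESERVED:
            if v4 in net:
                return f"6to4 of reserved IPv4 {v4} ({net})", False
        return f"6to4 of {v4}", True
    return DEFAULT, False


if __name__ == "__main__":
    for sample in ("2001:db8::1", "2002:c0a8:0101::1", "fe80::1", "4000::1"):
        print(sample, "->", classify(sample))
```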
Posted in Blog Entries | Tagged | Leave a comment

Network Toolkit – Where to place taps, multiple single taps or a single tap with multiple ports to use

The downside to using an Ethernet TAP is that you have a momentary disruption on the network when you install or remove it. If you need one in a longer-term situation, an outage shouldn't be a problem. For long-term situations such as putting in an IDS or IPS, you probably won't be moving the TAP. Where to place the TAP will depend on what you need to watch. Monitoring the traffic crossing a trunk connection may be a bit overwhelming because of the amount of traffic that you will have to filter through. You will also need a very clean laptop in terms of installed applications, to keep as much of the CPU free as possible so it can capture as efficiently as possible. If you have to capture large amounts of data and don't have the most powerful of laptops, you may want to learn the CLI version of Wireshark (tshark) so you can avoid as much of the overhead normally associated with the GUI and capture as much of the traffic on the wire as possible.

Capturing in front of and behind the router that interfaces to your ISP, in front of and behind your firewall, and in front of one or more of the servers in your server farm are just some of the locations that you may need to watch on a periodic basis. Moving the TAP from place to place is not only a hassle but keeps a series of outages present on your network. It also draws attention from the users and/or management that something is either going on or there is a problem on the network that doesn't seem to go away. In this case, you either need a series of TAPs so that you can watch any of the points you need whenever you want to, which can be very expensive, or you may want to look at a multi-port TAP that allows you to watch multiple points on your network without having to move a network cable or a TAP. With a multi-port TAP, you access the TAP using a console session or management program and logically move the "monitoring" port of the TAP to the connection you want to watch, without having to be in the room or even in the same building.

When looking at where you may need a TAP, don't limit yourself to a TAP that monitors a copper connection and sends the data to a copper-based monitoring port. When tapping into a fiber port, it isn't likely that you will be able to monitor the traffic with a fiber network card. In this case, you can look at a TAP that is a combination TAP/media converter. In this way, you can monitor fiber-based connections when you need to but still use a copper-based monitoring system. As with all fiber-type connections, you will want to make sure that you have the correct fiber TAP for the type of fiber that you want to watch. Trying to monitor a long-haul fiber connection (Cisco switches use an LH-type laser SFP) with an SX (short haul) capable fiber TAP probably won't get you any data that you can use. If you are unsure what type of fiber you have or what fiber TAP will be best to use, this is an area where the vendor whose fiber TAPs you want to buy should be more than glad to help.

If you decide to acquire a multi-port TAP, look thoroughly at all the places where you might want to be able to monitor at some point. Prioritize all of the locations into one of three categories: need it now, nice to have, and future potential. Try to divide the points in the network that you would like to monitor equally among the different groups. This will help you identify the type of multi-port TAP that you may need to acquire. Another thing to consider is the ability to "grow" the TAP you are looking at. What I mean by that is whether you can add additional modules or capacity to the multi-port TAP, or connect an additional chassis to the one that you started out with. With 10 Gig speeds and higher starting to become common on some networks, does the TAP you are looking at have the ability to handle those speeds, and what type of filtering ability does it have, so that you are not trying to shove 10 lanes of network traffic down a one-lane country road? This is where a multi-port TAP such as the NetOptics Director will come in handy. With this type of switch, you can mix and match the types of ports that you need on your network.


iPad for Engineers – FileApp

What brought FileApp to my attention was when I started storing files in Evernote but needed a way to view Word and Excel files on my iPad/iPhone while in Evernote. The integration is very seamless. When I tap on a non-PDF while in Evernote, I am presented with a list of installed applications that may or may not be able to open and display the file. So far, I haven't had any problems with reading either of the two document types I have mentioned. I have an Excel spreadsheet that has multiple tabs that FileApp puts all on one page. Very minor issue and one that will probably get addressed in a future release of the product. I am currently using v2.5.4. The product page on iTunes indicates that version 3 is coming soon.


Network Toolkit – SPAN vs RSPAN vs ERSPAN

If you have been working with Cisco switches for any period of time, you are familiar with the SPAN process and what it takes to get it working. There are two other SPAN options that you may not have heard about: RSPAN and ERSPAN. While related, they are different enough to warrant a little bit of discussion and planning.

SPAN is pretty straightforward to set up. The main thing you need to keep in mind is the possibility of overrunning the data backplane on the switch, which might cause some of the traffic you are watching, and other traffic that you aren't, to get dropped on the switch. I haven't had this happen to me yet, but it is a possibility. Earlier versions of IOS for some switches had a two SPAN session limit. Later versions don't seem to have this limit, but if you start going past one SPAN session that is always running, it might be a good time to consider buying a TAP and putting it in service.

RSPAN allows you to create a SPAN session on one switch but have the destination of the SPAN be on another switch entirely on the same network. Basically, you create a special VLAN intended only for transporting SPAN traffic across switches. This comes in handy when the problem you are working on is on a switch in another part of the building or campus from where you are. Doing this type of spanning is where you need to be a little more careful than when you SPAN traffic from one port to another on the same switch. The reason is that it is entirely possible to saturate the trunk connection between the remote switch and one or more downstream switches that are between you and the switch where the source port resides. When spanning just a port that a client is on, you shouldn't have a problem with saturating the trunk link, but you do need to keep this in mind when doing a SPAN across switches.

ERSPAN is RSPAN on steroids. You also have fewer platforms that support it. According to the information I read, only 6509 chassis running a SUP720 switch fabric support it. The main reason for this is that the remotely SPANned traffic is sent over a Layer 3 GRE tunnel, an encapsulation that switches such as the 3750 family simply don't have the resources to handle. I have seen references to the ASR 1000 router being able to support this, but I don't have one in the lab to be able to confirm that.

From a previous post, you have seen me recommend the use of a TAP. While a brief outage is needed to put the device inline, the advantage is that you avoid the CPU overhead in the switch while traffic on the source port/VLAN is being SPANned. For short-term/one-off situations, SPAN will probably be simpler to use. For longer-term situations, or where you don't want to advertise to a user or users that you are watching traffic on the port they are connected to, a TAP will be the more prudent option. If you would like more information about setting up SPAN or RSPAN, I will be glad to post it in a future post on the website. Click on the Contact Us button at the top of the page and send me a note and I will get it on the schedule.


IPv6 – RFCs to read and review

As I read more and more about IPv6, I have been coming across different RFCs that have helped me to learn more. I am creating a post here that has those, along with links to get to those RFCs. The RFC you click on will open up in a new browser window, so you shouldn't lose the link you are using from my site.

RFC    Description
2460   IPv6 Specification
3053   IPv6 Tunnel Broker
3056   Connection of IPv6 Domains via IPv4 Clouds
3315   Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
3363   IPv6 Prefix Options for DHCPv6
3849   Reserved Range for Documentation
4193   Unique Local IPv6 Unicast Addresses
4443   Internet Control Message Protocol (ICMPv6)
4681   Neighbor Discovery Protocol
4682   IPv6 Stateless Address Autoconfiguration
5072   IP Version 6 over PPP
5569   IPv6 Rapid Deployment on IPv4 Infrastructures

iPad for Engineers – Dropbox

Dropbox is the evolution of the process that us old-timers called the floppy swappy. When I first got started with computers, like a lot of us, I had several wallets of different, sometimes labeled, floppy disks containing a collection of utilities and documentation that I occasionally needed to refer to. The next method of keeping your collection of files handy was the Zip disk, followed by the CD-ROM and eventually the USB flash drive.

A little over a year ago, I started using a service called Dropbox (I initially became aware of it by the name dropbox.io, which later became dropbox.com). It is a very useful service that allows you to copy your files to the "cloud". There are several options for how you can use the service. I started out using just the browser interface. Where you really see the advantage is in loading the client software on Mac, Windows, Linux and a collection of mobile platforms. The local client creates a directory on the machine it is installed on; any file or directory placed in that directory is periodically synced to your storage in the Dropbox cloud, which is then immediately available to all the other machines on your account.

The advantages of Dropbox don't end there. I am involved in several volunteer organizations where I may take pictures at an event that are needed for the monthly newsletter or local newspaper. I can "share" the directory by sending an email to the person who needs the pictures. Where that comes in handy is that I don't have to try to email the individual pictures, which the recipient's mail server might reject because the attachment is larger than what their email administrator has chosen to allow.

For those of you who are using GoodReader or Evernote, you also have a way to import the PDFs in Dropbox into either of those applications. If you need more than the storage you start out with, you can either send emails when you need to share something with a friend and have them sign up for the service, or you can purchase larger storage amounts if you need even more. Check out Dropbox.com; the uses for it are limited only by your imagination.


IPv6 – Comparison of IPv4 with IPv6

This is a table that I have put together based on my IPv6 readings to date. In putting this together, it has helped me get a better understanding of how the two differ. As I find other differences between IPv4 and IPv6, I will look at making changes to this table. I hope it helps others new to IPv6 as it is helping me. In keeping with one of my previous entries, the IPv6 addresses listed in this post are done as outlined in RFC 3849.

                         IPv4                        IPv6
Sample Address           10.1.1.1                    2001:0db8:3333:4444:5555:6666:7777:8888
Interface Address        10.1.1.1 255.255.255.0      2001:0db8:3333:4444::1/64
Address Unit             Octet                       Quartet
# Units in Address       4                           8
# Bits in Address Unit   8                           16
Allowed Characters       0 – 9                       0 – F (Hex)
Address Length           32 bits                     128 bits
Broadcast Address        .255 in the subnet          Not used
Loopback Address         127.0.0.1                   ::1/128
List of MAC Addresses    ARP table                   Neighbor table
DHCP Modes               Stateful only               Stateful, Stateless, Autoconfig, Neighbor Discovery
Address Shorthand        None                        :: replaces one run of consecutive all-0 quartets; leading 0s in a quartet may be dropped
Address Assignment       By ISP                      By region, regional ISP, local ISP
Address Division         Subnet                      Prefix or Subnet
Private Address Range    RFC1918                     RFC4193, but not needed

iPad for Engineers – Get Console

I have been using this app more than I would have expected. While there are several apps available that you can Telnet or SSH to your Cisco devices with, this one is the first I have found that lets you plug into the console port and talk directly to the device you are working on. So with one app, you have your choice of all three methods of connecting. This is a multi-platform app that is available on the iPod and iPhone platforms in addition to the iPad/iPad2.

The app is very versatile. While I wouldn't use this for doing a lot of configuring, it is very comfortable for doing minor changes and checking interface status, etc. There is a built-in command manager so that you only have to type a command in once, and then it is just a screen tap or two and you have it at the ready. You also have a password manager function built in, so that if you are using strong passwords (like we all should and probably aren't), you can keep the mistyping of them to a minimum. If you have other devices you need to console into, such as a Sun server or systems that need to have the F keys available, you can quickly make those special keys available just by tapping on the icon you will see at the top of the screen.

If you want to keep track of what you did on a particular device or want to capture the configuration, you can record that information to a log file in Get Console for later transfer to your PC or configuration management system. I had intermittent problems with earlier versions losing contact with the special cable you need to get from the folks at Redpark. Later versions haven't shown that particular problem nearly as often. One thing I would suggest is to plug the cable into the iPad/iPhone/iTouch first, before starting the app. It is possible that the connector on my iPad might be a little sensitive to movement. One interesting feature that I haven't been able to try yet is the option to remotely access the Get Console app from servers that are available from Get-console.com. This will require that you also have Wifi or 3G access available on your iPad/iPhone so you can get access to the gear you are consoled into without being at the iPad/iPhone. If your security folks don't like you going to an external server, you have the option of putting up your own private server to get this same functionality.

The Get Console app is available on the iTunes store for $10 – http://itunes.apple.com/us/app/get-console/id412067943?mt=8. The cable is available from Red Park for $59 plus shipping – http://www.redpark.com/c2rj45.html.


IPv6 – Creating a Tunnel Broker (Part 2)

Ran a protocol capture and noticed this error in the ASDM log – regular translation creation failed for protocol 41 src Inside:192.168.1.100 dst Outside:209.51.181.2

In looking at the rules, it appears that I need an access rule to allow the protocol 41 traffic to go outbound. There is only an access rule for inbound to outbound to allow IP.

Added these lines to the ASA config -

object-group protocol IPV6inIP
protocol-object 41

access-list inside_access_in line 2 extended permit object-group IPV6inIP any any

Still getting the above error after adding the config lines just listed. Beginning to suspect that the 8.2.5 binary doesn't support protocol forwarding, either inbound or outbound. I have seen web postings that this did work, possibly due to a bug in the code, in 8.0.3. I am using features in 8.2.5 that I would lose if I go back to 8.0.3. As much as I would prefer not to deal with a major rewrite of the ASA binary, it looks like I don't really have a choice. After doing some additional research, I will have to upgrade the ASA binary. General consensus on the Cisco Support Community forums is to go to 8.4 and skip 8.3 altogether. I have ordered the memory (found some new Cisco memory on Amazon). Will put this in one of my ASAs. Once this works, I might try some of the $20 bargain memory that I have seen on eBay. Just trying to err on the side of caution. I have used www.ciscomemoryupgrades.com in the past with good results. May go back to them for the memory for the second ASA.

I have checked the available ISPs in the area; no one is offering IPv6 to residential customers at this time. A couple of them mentioned that they had been getting requests for it or were looking to offer it later this year, but no firm date for ordering. Still looking at getting a secondary internet connection that will end up being the link I use the Tunnel Broker router on. Don't expect the memory until later in the week. Will have to get it installed, upgrade the binary in the ASA and verify that everything is working normally before getting back to working on the Tunnel Broker router that I already have in place. To be on the safe side, I will do this work on my backup ASA and keep my primary intact just in case there is a problem during the upgrade process.
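As an added example, not from the original post: a small Python decoder for IPv4 protocol 41 packets, which shows where the outer IPv4 addresses (the ones the ASA log line reports) and the inner IPv6 addresses sit when you look at the tunnel in a capture, so you can confirm that the traffic leaving the inside host really is 6in4 and that the inner addresses belong to your tunnel. The sample packet is constructed in the code from the inside host and broker endpoint in the log line above, with RFC 3849 documentation addresses inside; the IPv4 checksum is left at zero, so it is a fixture, not a valid packet.

```python
"""Decode IPv4 protocol 41 (6in4) packets, the traffic the ASA above refused to translate."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6 carried directly in IPv4, as used by the tunnel broker


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, inner_payload=b""):
    """Constructed sample: IPv4 header (proto 41) + IPv6 header + payload.
    The IPv4 checksum is left at zero; this is a test fixture, not a valid packet."""
    inner = struct.pack(
        "!IHBB16s16s",
        6 << 28,                  # version 6, traffic class 0, flow label 0
        len(inner_payload),       # payload length
        58,                       # next header: ICMPv6 (assumed for the sample)
        64,                       # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    ) + inner_payload
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, so any options are skipped
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, packet[ihl:total_len]


def parse_ipv6(payload):
    """Return (src, dst, next_header) from an IPv6 header."""
    ver_tc_fl, _, nxt, _, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("payload of protocol 41 is not an IPv6 packet")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nxt


def decode_6in4(packet):
    """Describe a 6in4 packet; returns None when the outer protocol is not 41."""
    osrc, odst, proto, payload = parse_ipv4(packet)
    if proto != IPPROTO_IPV6:
        return None
    isrc, idst, nxt = parse_ipv6(payload)
    return {
        "outer_src": str(osrc), "outer_dst": str(odst),
        "inner_src": str(isrc), "inner_dst": str(idst),
        "inner_next_header": nxt,
    }


if __name__ == "__main__":
    # Inside host and broker endpoint from the log line; inner addresses per RFC 3849
    pkt = build_6in4("192.168.1.100", "209.51.181.2", "2001:db8::1", "2001:db8::2")
    print(decode_6in4(pkt))
```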


IPv6 – RFC 3849 – IPv6 Address Prefix Reserved for Documentation

When I first started reading about IPv6, seeing what appeared to be incomplete addresses, where x's had been put in the address in place of the actual hex digits, made things a little confusing at times to keep up with. In building up my library of IPv6 reading materials, I came across RFC3849 (http://tools.ietf.org/html/rfc3849). I have read this RFC several times, and each time I go over it, I pick up another tidbit or two. The reason behind "reserving" a range or prefix is that if a less experienced person uses a configuration example without changing any of the addresses used in the example, they won't cause a problem on their own network or cause one or more routes to flap elsewhere with their provider or on the internet.

The reserved prefix to use when writing documentation is 2001:0db8::/32. For those that are just getting started, an address that you would use might look something like this: 2001:0db8:baba:0000:0000:baba:1310:face. I still think in terms of IPv4 addresses, so learning the "shorthand" used with the longer IPv6 addresses will take some getting used to. Another post I am working on will be a collection of addresses I am building to be able to see on sight whether an address is good or not. I have been looking for something like this as I have been reading up on IPv6 and haven't quite found what I am looking for, so this will be something that I will contribute to other IPv6 newbies such as myself.
