ipv6 inspect name IPv6-INSPECT tcp
ipv6 inspect name IPv6-INSPECT udp
ipv6 inspect name IPv6-INSPECT ftp
ipv6 inspect name IPv6-INSPECT icmp
!
! Apply the IPv6 inspect to the outbound traffic and allow the return traffic
! to what you originated to pas. The IPv6-FILTER ACL will block all
! other traffic other than ICMP.
!
interface tunnel0
ipv6 traffic-filter IPv6-FILTER in
ipv6 inspect IPv6-INSPECT out
!
ipv6 access-list IPv6-FILTER
permit icmp any any
deny ipv6 any any log

To look at how the IPv6 inspect is working, you can start with sh ipv6 inspect all. By doing a debug ipv6 inspect events will show you in realtime the Cisco IOS firewall events. If you want to see a little more detail, you can use debug ipv6 inspect detailed. Remember to do a term mon so that you can see the messages on the console as they come in.

This is what the debug output should like -

Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Hash Bucket: 73
Feb 4 19:19:05: FIREWALL:Sid matches
Feb 4 19:19:05: FIREWALL: insp_sis already set
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:10: FIREWALL: Hash on addresses 22001:0db8:3100:A006:1:: 2001:0db8:1F11:102:5AB0:35FF:FE88:D4C6
Feb 4 19:19:10: FIREWALL: Protocol: tcp Src Hash Bucket: 73

I ran into one problem putting in the https lines with the embedded ? on line. Had to put the following lines into a text file -

ip ddns update method HE_Tunnel
HTTP
add https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
interval maximum 0 2 0 0

Since I was using a MacBook Pro, none of my normal tricks worked. I found a Mac app called Plain Text Editor and created the text file. I tftp’d it to the router into the flash memory. I then did copy filename system:running-config to merge the file into the running config.

Here is what you should see see when doing a debug ip ddns update and all goes well -

.Feb 3 20:10:51: HTTPDNSUPD: DATA END, Status is Response data recieved, successfully
.Feb 3 20:10:51: HTTPDNSUPD: Call returned SUCCESS, update of IPv6_Tunnel.mydomain.com <=> 172.28.141.149 succeeded
.Feb 3 20:10:51: DYNDNSUPD: Another update completed (outstanding=0, total=0)
.Feb 3 20:10:51: HTTPDNSUPD: Clearing all session 3 info

A couple of things to remember on putting in the configuration from the HE Tunnel Broker website. You will want to use the Client IPv6 on the Tunnel interface on your router. The Client IPv4 address will be for your WAN port on the router. One of the next things I will be working on will be getting Dynamic DNS updating to work with Hurricane Electric and Tunnel Broker service they have to save on the costs of paying extra each month for a static ip address. For the Vlan 1 interface, you will use the address range that is assigned to you in the Router IPv6 Prefixes section of the configuration.

In an earlier post, I talked about Hurricane Electric and the IPv6 certification. I am working through that process as a way of validating that what I am doing is working. When I brought up the configuration you see below, the HE IPv6 Certification site automatically sensed that I was talking to them over an IPv6 connection and automatically raised me to IPv6 Explorer. If you look at my earlier post on this, you will see that the certificate now says Explorer.

!
! Config I used for IP6to4 tunnel to Hurricane.net on 1811W
!
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
!
! This will be the client address on the HE Tunnel Broker website
!
ipv6 address 2001:0db8:1F10:102::2/64
ipv6 enable
tunnel source FastEthernet1
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface FastEthernet1
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description LAN
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! This will be the routable /64 segment on the HE Tunnel Broker site when you have created the Tunnel
!
ipv6 address 2001:0db8:1F11:102::1/64
ipv6 enable
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
ip nat inside source list 1 interface FastEthernet1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
ipv6 route ::/0 Tunnel0
!

Once you have the configuration in place, you should be able ping an IPv6 address somewhere on the Internet. By using the debug command debug tunnel, you will be able to see the traffic going to/from the tunnel broker. If you only see one way traffic from you to the tunnel broker, that is a pretty good indication of a configuration problem. Look carefully at the debug output, you will want to see the alternating exchange of encapsulated and decapsulated packets. This is an indication of good two way traffic between you and the Tunnel Broker.

! Ping outside host on IPv6
!
IPv6_Tunnel#ping ipv6 2001:470:1f10:102::1
!
! do a debug tunnel and term mon to see the following output
!
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F10:102::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/80 ms
IPv6_Tunnel#
Feb 1 22:48:42: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 22:48:42: Tunnel0 count tx, adding 20 encap bytes
Feb 1 22:48:42: Tunnel0: IPv6/IP to classify 209.51.181.2->72.128.41.109 (tbl=0,”IPv4:Default” len=120 ttl=247 tos=0×0) ok, oce_rc=0×0
Feb 1 22:48:42: Tunnel0: IPv6/IP (PS) to decaps 209.51.181.2->72.128.41.109 (tbl=0, “default”, len=120,ttl=247)
Feb 1 22:48:42: Tunnel0: decapsulated IPv6/IP packet
Feb 1 22:48:42: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 22:48:42: Tunnel0 count tx, adding 20 encap bytes
Feb 1 22:48:42: Tunnel0: IPv6/IP to classify 209.51.181.2->72.128.41.109 (tbl=0,”IPv4:Default” len=120 ttl=247 tos=0×0) ok, oce_rc=0×0
Feb 1 22:48:42: Tunnel0: IPv6/IP (PS) to decaps 209.51.181.2->72.128.41.109 (tbl=0, “default”, len=120,ttl=247)
Feb 1 22:48:42: Tunnel0: decapsulated IPv6/IP packet
Feb 1 22:48:42: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 22:48:42: Tunnel0 count tx, adding 20 encap bytes
Feb 1 22:48:42: Tunnel0: IPv6/IP to classify 209.51.181.2->72.128.41.109 (tbl=0,”IPv4:Default” len=120 ttl=247 tos=0×0) ok, oce_rc=0×0
Feb 1 22:48:42: Tunnel0: IPv6/IP (PS) to decaps 209.51.181.2->72.128.41.109 (tbl=0, “default”, len=120,ttl=247)
Feb 1 22:48:42: Tunnel0: decapsulated IPv6/IP packet
Feb 1 22:48:42: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 22:48:42: Tunnel0 count tx, adding 20 encap bytes
Feb 1 22:48:42: Tunnel0: IPv6/IP to classify 209.51.181.2->72.128.41.109 (tbl=0,”IPv4:Default” len=120 ttl=247 tos=0×0) ok, oce_rc=0×0
Feb 1 22:48:42: Tunnel0: IPv6/IP (PS) to decaps 209.51.181.2->72.128.41.109 (tbl=0, “default”, len=120,ttl=247)
Feb 1 22:48:42: Tunnel0: decapsulated IPv6/IP packet
Feb 1 22:48:42: Tunnel0: IPv6/IP encapsulated 72.128.41.109->209.51.181.2 (linktype=79, len=120)
Feb 1 22:48:42: Tunnel0 count tx, adding 20 encap bytes
Feb 1 22:48:43: Tunnel0: IPv6/IP to classify 209.51.181.2->72.128.41.109 (tbl=0,”IPv4:Default” len=120 ttl=247 tos=0×0) ok, oce_rc=0×0
Feb 1 22:48:43: Tunnel0: IPv6/IP (PS) to decaps 209.51.181.2->72.128.41.109 (tbl=0, “default”, len=120,ttl=247)
Feb 1 22:48:43: Tunnel0: decapsulated IPv6/IP packet

If you want to be able to markup or make notations beyond with GoodReader, you have the ability with Ghostwriter to import a PDF and make your notations. Each PDF will be its own notebook and each page in the pdf will become its own page in the notebook. A challenge with some of the other note taking apps was that you had to be careful where you rested your hand on the screen or you might find that random marks would start appearing in your notes. Ghostwriter has a wrist guard function built-in that prevents this from happening.

You will need one more piece to be able to use Ghostwriter and for now, that is a capacitive stylus. There are several to choose from. They all pretty much serve the same function by electrically extending your hand so that ghostwriter sees something that it things is your finger on the screen. I found several to choose from on Amazon’s site and they are all pretty reasonable priced.

There is an update that could be coming in the next few days from the folks at Cregle. They have created a product called the iPen that is currently working its way through the hardware approval process at Apple. From the limited information currently available, you plug-in a small receiver to the serial/sync port on the bottom of the iPad which picks up the signal from the accompanying pen. No pricing information is currently available but the form factor is very attractive and the much smaller stylus would definitely appear to just the specific area to be worked with instead of having to use the much broader brush stroke that you will find when using a capacitive stylus. Hopefully I will get a chance to work with one and share with you my findings in a future post.

For those that grew up with the Original Star Trek series in the 60′s, you have very similar functionality to what were then just wood and plastic props. By itself, GhostWriter is a very useful application. When you add the functionality of using either Dropbox or Evernote, you get an almost unbeatable application. I don’t use GhostWriter as much as I could because of the sometimes “clunky” operation of the capacitive stylus. That is not the fault of Ghostwriter, just the method of the input. The new iPen offering has the potential to make quite a difference.

The name of this book was a very interesting choice. There is something in this book for everyone. The first part of the book goes deep into the background of what led up to IPv6. There are several case studies how early implementations went as well. Being a student of history, I was very interested to read this kind of background that I hadnt seen in this detail anywhere else. To fully appreciate what you are being asked to do and to better understand why things work the way they do.

This is one book that you dont necessarily have to read from the first page to the last. If this is your first exposure to IPv6, you will probably feel overwhelmed very quickly. You can pick and choose what to read and help ease your way into increasing your knowledge about IPv6. For example, reading about the structure of different IPv6 overwhelmed me when I first started reading the book. I started passing over some of that granular detail to help build the overall platform that I needed. In time, when I have a better overall understanding of IPv6, I know that knowing more about the making of the different packet structures will mean even more at that point.

There is a lot of information that you wouldn’t expect to be in such a small book. The range of topics from ICMPv6, Security with IPv6, and Quality of Service are just a few of the topics that you will be exposed to. Even if you haven’t been told that you will be implementing IPv6 in the near future, the more you know about it now will serve you well when the time does come. Concepts such as Mobile IPv6 and Tunnel Broker are some of the areas where you will need to build your awareness.

With this book, I took a departure from previous books I had acquired in the past. I received this book in PDF format and was very glad that I did. Using the GoodReader App on my iPad that you have seen me write about elsewhere on this site, I have the flexibility of marking up/highlighting what initially I decide that is important and have the flexibility of changing those highlights at a later point, something that I wouldnt be able to do with a paper book. O’Reilly, to their credit, has released this book on several different ePub platforms. I also tried this book on the Kindle App on my iPad but kept going back to the GoodReader version because of what I was able to do with marking up the book to help my re-reading of the book over time. Either way, as you build your IPv6 library, this book should get an early spot on the shelf.

Keeping with various RSS feeds coming out a Cisco used to mean that I had to use yet another App. With the Cisco Technical Support app, I can now keep up with those and hopefully avoid some of the problems that I see being discussed before they become serious. If there are documents that you want to keep track of that are posted by others that may be periodically updated, you can keep track of those within this same App. With Cisco periodically releasing support or instruction videos on YouTube, you have the ability watch those on your iPad/iPhone.

It is hard to give you a sense of what this app can but I think you will find that you will use it more than you might initially anticipate. Unlike some of the apps where you have to pay for it up front before you really know how useful it will be, this app wont be one of them. If you dont already have a CCO login account, now would be a good time to get one and be able to reach out to a community of folks that are dealing with some of the same issues you have or have already experienced.

The power of ScanSnap is that it has the ability to directly send what it is scanning directly directly into your choice of Notebooks in Evernote. Once the scanned document is in Evernote, all that you need to do is to change the name of the Notebook on the properties page that the output of the scanner will be shown on the screen of the computer the scanner is connected to. To make things a little faster, you can modify the properties of how the scanner works and have it only scan one side of the paper or only in black and white if there are no color images present.

To make things are portable as possible, you have the ability with the S1300 to power it from a second USB port instead of using the AC power supply that comes with the scanner. The trade-off is that the scanner will run a little slower. If you are scanning a stack of papers, then that may not be an issue but something that you need to keep in mind. So far, every time I have used the S1300, I have opted to use the external power supply but it is nice to know that I have a backup power option if needed.

I dont know if it is the scanner or the scanning software, but I have had good luck with scanning on the first try. A few times, I have had problems with the document “slipping” or going into the scanner not exactly straight. During the scanning process, I have noticed that the document appeared to “straighten up” for lack of a better phrase much better than I would have expected. For most of the scans I have used it for so far, I have been able to leave the settings to Auto with the exception of single or double sided scanning and have been pleased with the results.

Having used different scanners over the year, I expected there to be a learning curve. The surprising thing is that I used it without ever reading the manual. The only changes I have had to make is enabling or disabling the function that controls if the scanner is scanning one or both sides of the document that is going through the scanner. There is a profile for each way the scanner can be used (scanning to Evernote, PDF, Email, etc). This is the easiest scanner to use that I have had so far. As with Laser Printers, there are “consumables” or items that need to be replaced periodically to keep the scanner running at the top of its game but most users wont need to do that kind of replacement for a long time and the kit isnt that expensive.

Capturing in front of and behind the router that interfaces to your ISP, in front of and behind your firewall and in front of one or more of the servers in your server farm are just some of the locations that you may need to watch on a periodic basis. Moving the TAP from place to place is not only a hassle but keeps a series of outages present on your network. It also draws attention from the users and or management that something is either going on or there is a problem on the network that doesnt seem to go away. In this case, you either need a series of TAP’s to so that you can watch at any of the points you need to when you want to which can be very expensive. If that is the case, you may want to look at a multi-port tap that allows you to watch multiple points on your network without having to move a network cable or a TAP. With a multi-port TAP, you access the TAP using a console session or management program and logically move the “monitoring” port of the TAP to the connection you want to watch without having to be in the room or even in the same building.

When looking at where you may need a TAP, don’t limit yourself to a TAP that monitors a copper connection and sends the data to a copper based monitoring port. When TAP’ing into a fiber port, it isn’t likely that you will be able to monitor the traffic with a fiber network card. In this case, you can look at a TAP that is a combination TAP/Media converter. In this way, you can monitor fiber based connections when you need to but still use a copper based monitoring system. As with all fiber type connections, you will want to make sure that you have the correct fiber tab for the type of fiber that you want to watch. Trying to monitor a long haul fiber connect (Cisco switches use a LH type laser SFP with a SX (short haul) capable fiber tap probably wont get you any data that you can use. If you are surent what type of fiber that you have or what fiber TAP will be best to use, this is a area where the vendor whose fiber TAP’s you want to buy should be more than glad to help.

If you decide to acquire a multi-port TAP, look thoroughly at all the places where you might want to be able to monitor at some point. Prioritize all of the locations in one of three categories – need it now, nice to have and future potential. Try to equally divide the points in the network that you would like to monitor in the different groups. This will help you identify the type of multi-port TAP that you may need to acquire. Another thing to consider is the ability to “grow” the TAP you are looking at. What I mean by that is can you add additional modules or capacity to the multi-port TAP or can you connect an additional chassis to the one that you started out with. With 10 Gig speeds and higher starting to become common on some networks, does the TAP you are looking at have the ability handle those speeds and what type of filtering ability does it have so that you are trying to shove 10 lanes of network traffic down a one lane country road. This is where a multi-port tap such as the NetOptics Director will come in handy. With this type of switch, you can mix and match the types of ports that you need on your network.