Friday, November 16, 2012

ASA 9.0.1 and IPV6 ospf routing

In this post, we will explain the very basics of IPv6 OSPFv3 routing and how to enable it on the ASA 9.X code. If you have any familiarity with IPv6 and the Cisco ASA firewalls, you will recall that they did not support IPv6 OSPF in the 8.X code set.

Now with version 9 of the ASA code set, we get OSPFv3 as a dynamic routing protocol for IPv6. RIPng is not in version 9.0.1, by the way, and it is unclear whether Cisco has IPv6 RIP support on a milestone or whether it remains TBD.

First, let's look at my simple lab ASA5505 device:


asaken# show ipv6 interface  br
Ethernet0/0 [up/up]
    unassigned
Ethernet0/1 [down/down]
    unassigned
Ethernet0/2 [down/down]
    unassigned
Ethernet0/3 [down/down]
    unassigned
Ethernet0/4 [up/up]
    unassigned
Ethernet0/5 [down/down]
    unassigned
Ethernet0/6 [down/down]
    unassigned
Ethernet0/7 [down/down]
    unassigned
inside [up/up]
    fe80::21f:caff:fef3:2111
    2002:100::1
outside [up/up]
    fe80::21f:caff:fef3:2111

And here are the interfaces' current configurations:

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
 ipv6 address 2002:100::1/64
 ipv6 nd reachable-time 3000
 ipv6 nd ns-interval 1200
 ipv6 nd dad attempts 2
 ospf cost 10


asaken# show  run int vlan 2
!
interface Vlan2
 description outside interface external
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 1

As you can see, we have a basic two-interface model using simple inside/outside security interfaces. We are going to enable IPv6 routing on my existing IPv6-enabled interface.

First you need to build an IPv6 router process. Just like with IPv4, this process is configured globally, but the router-id has to be an IPv4 address in x.x.x.x format. You have to define this router-id for the process to work properly.


!
ipv6 router ospf 10
 router-id 192.168.110.254
 passive-interface default
 no passive-interface outside
 log-adjacency-changes
!

Note: I also made passive the global default for all interfaces and disabled it only for outside. IPv6 OSPF routing itself still has to be enabled per interface.



asaken# show ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.110.1   255.255.255.0   CONFIG
Vlan2                    outside                72.xx.x.105     255.255.255.0   DHCP 
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.110.1   255.255.255.0   CONFIG
Vlan2                    outside                72.xx.x.105     255.255.255.0   DHCP 
asaken#


So VLAN 1 is going to receive a simple OSPF routing command. This configuration step is similar, if not identical, to that on a Cisco ISR/ASR router.


config t
asaken(config-if)# int vlan 1        
asaken(config-if)# ipv6 ospf 10 area 0
asaken(config-if)#
asaken# sh run int vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
 ipv6 address 2002:100::1/64
 ipv6 nd reachable-time 3000
 ipv6 nd ns-interval 1200
 ipv6 nd dad attempts 2
 ospf cost 10
 ipv6 ospf 10 area 0
asaken#

Note: if you enable an IPv6 router process on an interface that has no IPv6 address configured, you get a friendly reminder:

INFO: IPV6 not enabled on this interface. Router process not started.
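As an added example (not from the post or from Cisco), here is a small Python helper that generates the same OSPFv3 stanzas the post configures by hand and enforces the two rules called out above: the router-id must be an IPv4 address in x.x.x.x form, and `ipv6 ospf <pid> area <n>` is only emitted for interfaces that already carry an IPv6 address, mirroring the ASA's "Router process not started" refusal. The interface data is constructed, modelled on the lab box (inside has IPv6, outside does not).

```python
"""Added example: build the OSPFv3 config from a description and apply the
checks the post calls out. Interface data below is constructed; it is not a
dump from a real device."""
import ipaddress


def validate_router_id(router_id: str) -> str:
    """Return router_id if it is a dotted-quad IPv4 address, else raise ValueError."""
    try:
        ipaddress.IPv4Address(router_id)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"router-id must be IPv4 in x.x.x.x form, got {router_id!r}") from exc
    return router_id


def build_ospfv3_config(process_id, router_id, area, interfaces, active):
    """Build the global 'ipv6 router ospf' block plus per-interface enables.

    interfaces: {nameif: {"vlan": int, "ipv6": "prefix/len" or None}}
    active: nameifs that should send hellos; everything else stays passive,
            exactly as 'passive-interface default' + 'no passive-interface X' does.
    Returns (config_lines, skipped); skipped lists interfaces left out because
    they have no IPv6 address, the condition under which the ASA prints
    "INFO: IPV6 not enabled on this interface. Router process not started."
    """
    validate_router_id(router_id)
    unknown = set(active) - set(interfaces)
    if unknown:
        raise ValueError(f"active interfaces not defined: {sorted(unknown)}")
    lines = [
        f"ipv6 router ospf {process_id}",
        f" router-id {router_id}",
        " passive-interface default",
    ]
    lines += [f" no passive-interface {name}" for name in sorted(active)]
    lines.append(" log-adjacency-changes")
    skipped = []
    for name, props in interfaces.items():
        if not props.get("ipv6"):
            skipped.append(name)  # no IPv6 address: the ASA would refuse this enable
            continue
        lines += [f"interface Vlan{props['vlan']}",
                  f" ipv6 ospf {process_id} area {area}"]
    return lines, skipped


# Constructed lab data modelled on the post: inside has IPv6, outside does not.
LAB_INTERFACES = {
    "inside": {"vlan": 1, "ipv6": "2002:100::1/64"},
    "outside": {"vlan": 2, "ipv6": None},
}

if __name__ == "__main__":
    cfg, skipped = build_ospfv3_config(10, "192.168.110.254", 0, LAB_INTERFACES, {"outside"})
    print("\n".join(cfg))
    print("skipped (no IPv6 address):", skipped)
```

Running it prints the `ipv6 router ospf 10` block with outside un-passived and the `ipv6 ospf 10 area 0` enable on Vlan1 only; outside is reported as skipped because, as on the lab box, it has no IPv6 address yet.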

To validate that the interface is set up for OSPFv3, we can use the following show command:


asaken# show ipv6 ospf int

outside is up, line protocol is up  
  Link Local Address fe80::21f:caff:fef3:2111, Interface ID 15
  Area 0, Process ID 10, Instance ID 0, Router ID 192.168.110.254
  Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:08
    Wait time before Designated router selection 0:00:29
  Graceful restart helper support disabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)
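Reading that output by eye is fine for one box; as an added example (not part of the post), the Python below parses `show ipv6 ospf int` into one dict per interface and runs a few adjacency health checks over it, so the verification step can be scripted. The first sample entry is abridged from the post's own output above (state WAITING, zero neighbors); the second entry, inside in state DR with one fully adjacent neighbor, is constructed to show what a healthy interface looks like.

```python
"""Added example: parse ASA 'show ipv6 ospf int' output and flag interfaces
that are not forming OSPFv3 adjacencies."""
import re

# First block abridged from the post's output; second block is constructed.
SAMPLE_OUTPUT = """\
outside is up, line protocol is up
  Link Local Address fe80::21f:caff:fef3:2111, Interface ID 15
  Area 0, Process ID 10, Instance ID 0, Router ID 192.168.110.254
  Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:08
    Wait time before Designated router selection 0:00:29
  Neighbor Count is 0, Adjacent neighbor count is 0
inside is up, line protocol is up
  Link Local Address fe80::21f:caff:fef3:2111, Interface ID 14
  Area 0, Process ID 10, Instance ID 0, Router ID 192.168.110.254
  Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
"""

HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
# One capture group per field; fields listed in NUMERIC are converted to int.
FIELDS = {
    "link_local": r"Link Local Address (\S+),",
    "area": r"Area (\S+), Process ID",
    "process_id": r"Process ID (\d+)",
    "instance_id": r"Instance ID (\d+)",
    "router_id": r"Router ID (\S+)",
    "network_type": r"Network Type (\S+), Cost",
    "cost": r"Cost: (\d+)",
    "state": r"State (\S+), Priority",
    "priority": r"Priority (\d+)",
    "hello": r"Hello (\d+), Dead",
    "dead": r"Dead (\d+), Wait",
    "neighbors": r"Neighbor Count is (\d+)",
    "adjacent": r"Adjacent neighbor count is (\d+)",
}
NUMERIC = {"process_id", "instance_id", "cost", "priority", "hello", "dead",
           "neighbors", "adjacent"}
COMPILED = {key: re.compile(rx) for key, rx in FIELDS.items()}


def parse_ospfv3_interfaces(text):
    """Return a list of dicts, one per interface block in the show output."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"interface": m.group(1), "status": m.group(2), "protocol": m.group(3)}
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first interface header
        for key, rx in COMPILED.items():
            m = rx.search(line)
            if m:
                current[key] = int(m.group(1)) if key in NUMERIC else m.group(1)
    return entries


def check_ospfv3_interface(entry):
    """Return human-readable findings; an empty list means the interface looks healthy."""
    name = entry["interface"]
    findings = []
    if entry.get("status") != "up" or entry.get("protocol") != "up":
        findings.append(f"{name}: interface is not up/up")
    if entry.get("state") == "WAITING":
        findings.append(f"{name}: still in WAITING state, no DR/BDR elected yet")
    if entry.get("neighbors", 0) == 0:
        findings.append(f"{name}: no OSPFv3 neighbors seen")
    elif entry.get("adjacent", 0) < entry["neighbors"]:
        missing = entry["neighbors"] - entry["adjacent"]
        findings.append(f"{name}: {missing} neighbor(s) not fully adjacent")
    return findings


if __name__ == "__main__":
    for entry in parse_ospfv3_interfaces(SAMPLE_OUTPUT):
        print(entry["interface"], entry.get("state"), check_ospfv3_interface(entry) or "ok")
```

On the post's own output the checker reports that outside is still WAITING with no neighbors, which is exactly what you expect right after enabling the process with no OSPFv3 peer on the link; the constructed inside entry passes clean. Feed it the output of a real `show ipv6 ospf int` and the same checks apply.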


I hope you find this post helpful. I will next explore OSPFv3 authentication support on Cisco NX-OS routers. Please stay tuned ;)

Ken Felix
your freelance Network and Security Engineer
kfelix "a@t" hyperfeed.com
