IPv6 / SLAAC / routers

AdamBudzinski
Level 1

hi guys,

 

I have some questions regarding IPv6 and SLAAC. 

 

 

First, from what I understood, we don't need a router to auto-configure link-local IPv6 addresses on client like Windows, or let's say it this way, without a router only a link-local IPv6 address will be created for the client. 

Now my concern is, what about global-unicast addresses? Does the router need to be an IPv6-compatible router?

I mean, imagine I have a Windows client and it's configured to send Router Solicitation messages (Netsh int ipv6 set int 12 routerdiscovery=enabled), so it's configured to use SLAAC. Will only a router capable of sending Router Advertisement messages back be able to interpret the RS message? If yes, will it be enough to enable IPv6 on the router with ipv6-unicast-routing command?

 

Is there any list of IPv6 capable CISCO routers? 

 

 

Thank you for any input and best regards 

Adam ! 

 

11 Replies

Peter Paluch
Cisco Employee

Hi Adam,

Nice to meet you again after a while ;)

we don't need a router to auto-configure link-local IPv6 addresses on client like Windows, or let's say it this way, without a router only a link-local IPv6 address will be created for the client.

That is correct. Purely by activating IPv6 support on an interface, the operating system will automatically generate and set up a link-local unicast IPv6 address, either using the Modified EUI-64 mechanism, or by generating a pseudorandom number and using it to populate the Interface ID field (Privacy Extensions).

I have a Windows client and it's configured to send Router Solicitation messages (Netsh int ipv6 set int 12 routerdiscovery=enabled), so it's configured to use SLAAC. Will only a router capable of sending Router Advertisement messages back be able to interpret the RS message? If yes, will it be enough to enable IPv6 on the router with ipv6-unicast-routing command?

Keep in mind that Router Solicitation messages are by their nature ICMPv6 messages inserted into IPv6 packets. An IPv6 packet can be processed only by a device that supports IPv6. In addition, Router Solicitations are sent to the destination IPv6 address FF02::2 (all IPv6 routers) where only IPv6-enabled routers are listening. Normal hosts do not subscribe into this group. Finally, ICMPv6 Router Solicitation messages by their nature are intended to be interpreted and responded to only by IPv6-enabled routers. Even if other IPv6-enabled hosts in the same network received a Router Solicitation, they would not respond because they are not IPv6 routers themselves.

You are correct in stating that for a Cisco router to start responding to IPv6 Router Solicitations, it must not only be configured with IPv6 addresses, but it also must be configured with ipv6 unicast-routing global configuration command. Without this command, a Cisco router behaves only as an IPv6 host, not as a router.

Is there any list of IPv6 capable CISCO routers?

This is more related to IOS versions rather than router platforms. But from my personal experience, all current Cisco routers support IPv6. Even old 2600 and 3600 series routers with their latest IOS versions supported basic IPv6 features, and the support is much more extensive with ISR G1 (800, 1800, 2800, 3800) and ISR G2 (1900, 2900, 3900).

You can always check for the IPv6 support in IOSes using the Cisco Feature Navigator Tool at http://cisco.com/go/fn

Best regards,
Peter

Hi Peter,

 

nice to hear from you too ! I'm all the time around, lately spent more time with Wireshark to get a better understanding how TCP/IP works. 

 

Thank you for your comment, as always very informative and clear :) ! 

Can you please help me to answer the following question. I believe that with IPv6 (like with IPv4) we will have some type of hosts (servers) that will preferably be configured with a static IPv6 address and clients that will get an IPv6 either by SLAAC or DHCPv6.  What I'm trying to understand, what will be the approach? How they can coexist with each other ? 

Say, our hosts behave in the following way (with the exception that we do have a properly configured router):  

"By default, a Windows Vista client will configure its local IPv6 address based on what a local IPv6 router instructs it to do.  If you don't have a properly configured router in your environment, a Windows Vista client will not contact a DHCP server for an address even if the settings on the network interface are configured to "Obtain an IPv6 address automatically", but will instead automatically configure an address. " 

Do I want my servers to get another IPv6 address ? I mean I could implement:

 

https://support.microsoft.com/en-us/kb/961433

 

but is there any way to define "scopes" within the router itself (I'm thinking of a similar function like the one in DHCP that allowed us to exclude the static IP addresses). Do I really want routers to handle address assignments on my network? Maybe it's just my misunderstanding of the concepts (most probably still missing lots of information to fully understand it) but almost everyone, every book I came across etc. they say "we HAVE to go for IPv6 there's no way around", but are today's technologies really ready for it? From my personal perspective, of course IPv6 has its strong sides without question, but I get the feeling it's more complex and requires paying attention to lots of things even when it comes to "simple" topics like addressing, because if I'm using routers' RA messages to propagate the prefix, prefix length, default gateway etc. the only way (that I see right now) to prevent another IPv6 address from being assigned would be to change settings on the guest OS.

 

I hope I was able to put it in a logical way together :-) if not, will try to make it more clear.

 

 

Best Regards

 

Adam ! 

 

 

 

Hi Adam,

Can you please help me to answer the following question. I believe that with IPv6 (like with IPv4) we will have some type of hosts (servers) that will preferably be configured with a static IPv6 address and clients that will get an IPv6 either by SLAAC or DHCPv6.  What I'm trying to understand, what will be the approach? How they can coexist with each other ? 

I am not entirely sure whether you are asking about both static and automatically assigned IPv6 addresses coexisting on a single host, or about multiple hosts coexisting in the same network, some having static address, some others using automatic address configuration (SLAAC or DHCPv6).

With regard to a host having both a static and an automatically obtained IPv6 address, this does not really make any difference to the way the host operates. As you know, in IPv6, a single interface can have multiple addresses, and it does not matter where they came from. Thus, it is perfectly possible for a host to be configured with a static IPv6 address and yet have another address obtained via, say, SLAAC. In fact, to my best knowledge, this is what some Linux-based hosts would do by default - on them, configuring a static IPv6 address does not prevent the kernel from further processing Router Advertisements and creating an additional SLAAC-derived address. Of course, this can be deactivated easily, but I am saying this to show that it is not an exception to see a device that has been assigned a static IPv6 address, yet using SLAAC to obtain yet another address.

With regard to multiple hosts in a single network, some having static addresses and some of them using SLAAC/DHCPv6, again, this is nothing special. For the hosts with static addresses, you would normally make sure they do not use SLAAC/DHCPv6 in addition to their IPv6 address, while the dynamically configured hosts would use any of these dynamic mechanisms you intend to use in your network. If the DHCPv6 server you are using allows excluding a range of addresses then obviously, you would want to exclude the statically used subrange of addresses from the assignment. Obviously, for SLAAC, there is no option of excluding any ranges, as this configuration is purely host-driven, but in IPv6, every host is required to test each to-be-used address against duplicity (Duplicate Address Detection, or DAD). If a host found out that its SLAAC or DHCPv6-derived address was in conflict, it would attempt to obtain a new address.

Do I really want routers to handle address assignments on my network ?

This is a very broad question. To put things simply, if your network is small, like a home or a small office network, then using SLAAC is perfectly okay, as everything you want to do is get some workable IPv6 address and start accessing the internet (handing DNS settings over through SLAAC is still only rarely supported, though). If you need to do more sophisticated things, or you have a larger network to maintain then DHCPv6 would be preferable, and you would use the Managed flag sent in Router Advertisements to indicate to hosts that if they need to get their address automatically, they should ignore SLAAC and use DHCPv6 instead.

You can not turn off Router Advertisements entirely on your routers, because the hosts then would have no way of discovering their gateway. This is a most peculiar thing in IPv6: There is no "default gateway" option in DHCPv6! The only way IPv6 hosts can currently learn about their default gateway is by receiving a Router Advertisement from it.

the only way (that I see right now) to prevent another IPv6 address from being assigned would be to change settings on the guest OS.

There is an option of suppressing (i.e. not advertising) the network's prefix in Router Advertisements but have the Router Advertisements still sent so that the hosts can at least learn about their default gateway. Suppressing the prefix advertisement would be done using the per-interface ipv6 nd prefix default no-advertise command.

From my personal perspective, of course IPv6 has its strong sides without question, but I get the feeling it's more complex and requires paying attention to lots of things even when it comes to "simple" topics like addressing

You have a valid point. IPv6 has more things running under the hood than IPv4. It may be very simple to get it running once configured properly on routers, but troubleshooting it efficiently requires knowing much more than what's necessary to simply use it.

Best regards,
Peter

Hi Peter,

 

thank you for your answers. It makes definitely more sense now! 

 

"you would use the Managed flag sent in Router Advertisements to indicate to hosts that if they need to get their address automatically, they should ignore SLAAC and use DHCPv6 instead."

Could you please provide me any document on how to manage / configure the Managed flags in Router Advertisement messages (I could "google" by myself but would prefer to trust your expertise rather than my searching skills).

 

Also, I would (if possible of course) like to have your advice on the following. After spending some time with Packet Tracer, GNS3 I'm thinking about building / buying my own physical lab (to master at least CCNA but this is not the goal I'm focusing on! I mean I don't chase the paper I want to take as much time as I need to really understand the concepts and with time I think this is hard to achieve without hands-on experience). Could you please give me any tips? What would be best to start with?

 

 

I sincerely appreciate any help from you Peter ! 

 

Best Regards and have a great day ! 

 

Adam ! 

Hi Adam,

Could you please provide me any document on how to manage / configure the Managed flags in Router Advertisement messages

Sure. The commands to control the Managed and Other flags in Router Advertisements are the ipv6 nd managed-config-flag and ipv6 nd other-config-flag interface-level commands. If the Managed flag is set then this is an indication to the host that it should ignore SLAAC and obtain its entire configuration via DHCPv6. Instead, if the Other flag is set then the host is supposed to get its own address using SLAAC but other configuration shall be obtained from DHCPv6.

Please note that both these flags present in ICMPv6 RA messages are only hints to the host but the host may choose to ignore them and attempt to bring its IPv6 up in a different way.

After spending some time with Packet Tracer, GNS3 I'm thinking about building / buying my own physical lab (to master at least CCNA but this is not the goal I'm focusing on! I mean I don't chase the paper I want to take as much time as I need to really understand the concepts and with time I think this is hard to achieve without hands-on experience). Could you please give me any tips? What would be best to start with?

Not an easy question, to be sure.

For routers, quite honestly, using GNS3 and/or Dynamips+Dynagen is still superior to purchasing a set of physical routers. With these tools, you can build topologies that are far more complex than those required for CCNA, and also, the IOSes that can be run in these tools are usually more feature-rich than physical routers you can afford. So if you're interested in learning all things about routing, GNS3 is actually a perfect tool - depending on the IOSes you're using of course.

For switches, frankly, nothing beats the real gear. As opposed to virtual routers that run just fine, switches are different because many of their features are hardware-based, and this hardware - the ASICs - is usually not available for emulation in software because its operation is a closely guarded secret (it's what makes the switches tick). To learn for CCNA, you could consider obtaining Catalyst 2950 and 3550 switches which have been end-of-sale for a long time and could therefore be relatively affordable, yet they support the majority of features you will need to learn about for the CCNA level. However, ideally, you should be trying to get Catalyst 2960 and 3560 as these are the ones that support everything covered under the CCNA blueprint.

There is also an option of purchasing Cisco-authored virtual network environment that runs real IOSes and even emulates switches (to a certain degree). It is called VIRL and you can learn more about it at http://virl.cisco.com. You will need a powerful PC to run it comfortably but it gives you a flexibility and access to the most recent IOSes that are not available for GNS3 anymore.

Feel welcome to ask further.

Best regards,
Peter
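An added example (not part of the original thread, and not Cisco code): a Python decoder for the Router Advertisement fields that the commands in the two replies above control, namely the Managed and Other flags and the Prefix Information option that ipv6 nd prefix default no-advertise leaves out of the RA. The helper names (build_ra, parse_ra, host_plan), the sample RAs and the documentation prefix are constructed for illustration; decoding follows RFC 4861/4862, under which the per-prefix Autonomous flag, not the M flag, decides whether a host forms a SLAAC address.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3      # RFC 4861 ICMPv6 type / option type
FLAG_M, FLAG_O = 0x80, 0x40            # RA header flags: Managed, Other
FLAG_L, FLAG_A = 0x80, 0x40            # Prefix option flags: on-Link, Autonomous

def build_ra(managed=False, other=False, lifetime=1800, prefixes=()):
    """Build a constructed RA (checksum left 0). prefixes: (cidr, autonomous)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0)
    for cidr, autonomous in prefixes:
        net = ipaddress.IPv6Network(cidr)
        pflags = FLAG_L | (FLAG_A if autonomous else 0)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg

def parse_ra(data):
    """Decode the RA header and its Prefix Information options."""
    if len(data) < 16:
        raise ValueError("RA shorter than its fixed 16-byte header")
    typ, code, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", data[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        end = off + opt_len * 8                 # option length is in 8-byte units
        if opt_len == 0 or end > len(data):
            raise ValueError("zero-length or truncated option")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 4:
                raise ValueError("Prefix Information option must be 32 bytes")
            plen, pflags = data[off + 2], data[off + 3]
            addr = ipaddress.IPv6Address(data[off + 16:end])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}",
                                   "autonomous": bool(pflags & FLAG_A)})
        off = end                               # other option types are skipped
    return ra

def host_plan(ra):
    """What a host that honours the RA would do with it."""
    return {
        # A non-zero Router Lifetime is what makes the sender a default gateway.
        "default_router": ra["router_lifetime"] > 0,
        # SLAAC needs the A flag and, on Ethernet, a /64 prefix (RFC 4862).
        "slaac_prefixes": [p["prefix"] for p in ra["prefixes"]
                           if p["autonomous"] and p["prefix"].endswith("/64")],
        "dhcpv6": ("stateful" if ra["managed"]
                   else "stateless" if ra["other"] else "none"),
    }

if __name__ == "__main__":
    pfx = [("2001:db8:0:2::/64", True)]         # constructed sample prefix
    for label, raw in [("default RA", build_ra(prefixes=pfx)),
                       ("managed-config-flag", build_ra(managed=True, prefixes=pfx)),
                       ("prefix default no-advertise", build_ra())]:
        print(label, host_plan(parse_ra(raw)))
```

An RA with the M flag set and a prefix that still carries the A flag yields both a DHCPv6 request and a SLAAC address on a host that honours both, which is worth checking in a capture when servers pick up unexpected addresses.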

Hi Peter,

 

thank you for taking the time to answer my questions!

 

I see your point. You are completely right. GNS3 provides great flexibility and it is super useful without any question. What I'm personally missing, I cannot (from what I know) put any network/packet sniffer in between to analyze the traffic. I saved some money lately and I would kindly ask you if you have some free time to evaluate the following combination (if I would be able to do all that's required for CCNA, maybe even beyond after some time...). So I was thinking about getting something like:

 

3 x CISCO 2811 (all 3 would run with IOS 15.1 Advanced Security).

2 x CISCO 3560

1 x CISCO 2950

 

The approximate price calculated from my local currency to euro would be around = 564.22 EURO.

 

I would like to hear your opinion.

 

PS. I was also attending classes in my home town at an official CISCO academy but the time we were given to learn on the devices themselves was not satisfying me at all and probably you can imagine with a class full of students it was on a daily basis that someone disconnected you, changed / moved the cables etc. so it was a complete mess :/

Looking forward to hear from you Peter.

 

Best Regards

 

Adam  

Hi Adam,

I apologize for responding somewhat late, it's been busy in the last days.

GNS3 provides great flexibility and it is super useful without any question. What I'm personally missing, I cannot (from what I know ) put any network/packet sniffer in between to analyze the traffic.

Oh, I am sure you can. I am not using GNS3 myself as I was, for some reason, uncomfortable with using it, but GNS3 itself is built on top of Dynamips and Dynagen, and these tools allow you to capture almost any type of traffic between a pair of interconnected devices. I am absolutely sure you can capture Ethernet traffic and also traffic on serial interfaces using HDLC, PPP or Frame Relay framing. In fact, this is a rare possibility of truly sniffing serial interfaces - there's no common way of doing that on real gear because you would need some kind of a serial tap/probe, and I've never seen such a thing in my life. So to go back to the original topic - yes, I am pretty sure you can do packet capture on any link in a GNS3 topology. Perhaps right-clicking a link or an interface in a running GNS3 would provide an option of capturing traffic? Try having a good look into all the features - I am sure it's hidden there somewhere.

Regarding the device set you are considering - I would say it is very good. You will most probably be able to do everything the current CCNA R&S blueprint requires, perhaps with some minor compromises on the Cat2950, but otherwise, it looks like a good choice. Regarding the price - I am not the right person to judge, and this is not a proper forum in which we should be discussing these things, but as far as I can tell, the price looks reasonable.

By the way, what Cisco academy were you attending? How many devices were in a classroom, and how many students per classroom were there (I'd like to know the device-to-student ratio)? In our academy, we always build our topologies from scratch but we try to be tidy so it does not matter whether the devices are being disconnected and reconnected twice a day, as there is no stable topology to keep.

Best regards,
Peter

Hi Peter,

 

no problem at all! Please excuse me, I was not able to respond earlier.

 

Maybe you are right, I did some reading and in fact GNS3 supports capturing! I think I'll give it first a try to explore the full functionality and wait for now with the physical lab. 

 

I was attending the Cisco academy at the Warsaw University of Technology. Unfortunately I do not recall the hardware we used, I attended the course last winter (2 semesters, because I started at a new project and had to focus on it) and we were around 12 - 15 people. The hardware was stored in 22 rack, so each and everyone was able to go pick any device and that's where the mess came from (so we ended up with about 10 people in front of the rack doing something). Probably this could be handled differently but anyway, at this time my approach was not the best one because I just attended the classes without putting extra time and energy to learn the covered topics but fortunately I'm (at least I think) on the right track :)!

 

 

Thank you Peter again for your expertise and help! As always professional and informative! 

 

Best Regards 

 

Adam 

 

PS. If you wish to comment, I'll wait a few hours, else I'll close the thread by tomorrow.

 

 

Hi Adam,

No real additions here. Keep in mind that GNS3 is very good for routers and routed topologies, but for switches and switched topologies, it will most probably be inadequate when compared to real switches. Depending on how professional and deep you will want to go, you may at one point want to purchase your own lab. Till then, however, the GNS3 can be of immense help.

And also, have you had a look at the VIRL website at http://virl.cisco.com?

Best regards,
Peter

Hi Peter,

The problem with GNS3 from what I see is the IOS itself. Can you please tell me whether the ISO mentioned can be used to prepare for CCNA:

https://learningnetwork.cisco.com/thread/73110

Is this VIRL better than GNS3 ?

Best Regards

Adam 

Hi Adam

 

I just came across this discussion whilst searching for a solution to replicate a particular issue in VIRL concerning SLAAC. I see this is quite an old post so not sure if I might reach you on this.

 

I have two IOSv routers separated by a switch, both connecting to it via their Gi0/1 interface. One of the routers I am pretending is a PC, and the other is the router. Interface Gi0/1 on the 'PC' router (PC1), is configured with SLAAC enabled so it will auto-config a global unicast address provided it receives a prefix from the router's (R1) Gi0/1.

 

I've deliberately placed R1's Gi0/1 interface in shutdown mode so that the PC shouldn't be able to auto-config itself with a global unicast address, however running 'show ipv6 int gi0/1' on the 'PC' shows it does.

 

This doesn't seem to reflect real-world scenario and I was wondering if there is a way I can replicate the issue in VIRL?

 

Below is the config of PC1's Gi0/1 interface:

 

interface GigabitEthernet0/1
 description Link to SW1
 ip address 10.1.1.10 255.255.255.0
 no ip route-cache
 ipv6 address autoconfig default
 no cdp enable

 

The following config is present in global configuration on PC1

ipv6 unicast-routing
ipv6 cef
ipv6 multicast rpf use-bgp

 

Below is the config of R1's Gi0/1 interface:

interface GigabitEthernet0/1
 description Link to SW1
 ip address 10.1.1.1 255.255.255.0
 shutdown
 ipv6 address 2001:DB8:0:2::1/64

 

The following is present globally on R1:

ipv6 unicast-routing
ipv6 cef
ipv6 multicast rpf use-bgp

 

Below shows presence of global unicast address on PC1 interface, despite the interface on the router being disabled (all other interfaces on router also disabled):

 

PC1>show ipv6 int gi0/1

GigabitEthernet0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::F816:3EFF:FE25:7276
No Virtual link-local address(es):
Description: Link to SW2
Stateless address autoconfig enabled
Global unicast address(es):
2001:DB8:0:1:F816:3EFF:FE25:7276, subnet is 2001:DB8:0:1::/64 [EUI/CAL/PRE]
valid lifetime 2591997 preferred lifetime 604797

 

Is there a way to truly disable the router interface in VIRL to end up with no configured global unicast on the PC1? I've even right-clicked on the end of the connector connecting to the router and clicked Disable but still end up with a global unicast address on PC1.