Solved: Guestshell on ISR - Receive IPv6 traffic

kasper123 · ‎08-24-2020

Hi, I'm experimenting with guestshell on ISR routers (1111, 4221 etc) and from the information I found I need to configure NAT in order to access the outside network from within the virtual environment and also through NAT I'm able to receive traffic inside the virtual machine.

So far I was able to run applications like iperf from inside the virtual environment and to also send and receive traffic from the outside network.
But this is only for IPv4. For instance to send traffic to an app running in the guestshell I can configure static nat to forward a port from the outside network.

But what about IPv6? How can I send IPv6 traffic that will be received by an application running in the guestshell?
Ideally I would like to send UDP traffic to a link local IP address and receive this traffic in an application (or a python script) running inside the guestshell.

Francesco Molino · ‎08-26-2020

On the example below, it's a lab router where we have both ipv4 and ipv6 assigned. the ipv6 is dynamically assigned as you can't setup both ipv4 and ipv6 in the app-hosting section.

CSR-1#sh run | sec app-h
app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.2 netmask 255.255.255.0
app-default-gateway 192.168.35.1 guest-interface 0
name-server0 8.8.8.8
name-server1 8.8.4.4
CSR-1#sh run int virtualpo
CSR-1#sh run int virtualportGroup 0
Building configuration...

Current configuration : 227 bytes
!
interface VirtualPortGroup0
ip address 192.168.35.1 255.255.255.0
ip nat inside
ipv6 address C1C0:123::1/64
ipv6 ospf 10 area 0
no mop enabled
no mop sysid
end

CSR-1#

[root@guestshell guestshell]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
88: eth0@if89: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 52:54:dd:c0:ca:86 brd ff:ff:ff:ff:ff:ff
inet 192.168.35.2/24 brd 192.168.35.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 c1c0:123::5054:ddff:fec0:ca86/64 scope global dynamic
valid_lft 2591945sec preferred_lft 604745sec
inet6 fe80::5054:ddff:fec0:ca86/64 scope link
valid_lft forever preferred_lft forever

And pinging from a host on the network routed over OSPF (tcpdump from guestshell):

[root@guestshell guestshell]# tcpdump -i eth0 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:53:41.140010 IP6 gateway > ff02::1:ffc0:ca86: ICMP6, neighbor solicitation, who has guestshell, length 32
01:53:41.140031 IP6 guestshell > gateway: ICMP6, neighbor advertisement, tgt is guestshell, length 32
01:53:41.141544 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 1, length 64
01:53:41.141557 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 1, length 64
01:53:42.138076 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 2, length 64
01:53:42.138097 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 2, length 64
01:53:43.139577 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 3, length 64
01:53:43.139597 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 3, length 64
01:53:43.630091 IP6 gateway > ff02::5: OSPFv3, Hello, length 36
01:53:44.133813 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 4, length 64
01:53:44.133834 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 4, length 64
01:53:45.135094 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 5, length 64
01:53:45.135114 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 5, length 64

The default LXC has only 1 interface. You can deploy your own LXC machine or docker with multiple IPs.

If I recall, only working with /64 on the default guestshell

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎08-25-2020

Hi

Not sure I get your point. If you configure an IPv6 on your virtualportGroup and you define the IPv6 on your app-hosting, your Linux container will get an IPv6. Then, if you have an infrastructure running IPv6 with routing, anyone can access this machine without issues.
I have a CSR working with guestshell and ipv6 on my linux container. IPv6 is enabled on my LAN and I can reach this machine without any issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

kasper123 · ‎08-26-2020

Hi Francesco,

Maybe I'm missing simething obvious. I thought since the connection is not bridged and the only way to reach the guestshell with IPv4 is through NAT then I won't be able to reach it directly with IPv6.

My goal is to be able to send traffic to the link local address of the guestshell. Or if that's not possible then to a regular IPv6 address.

Do you mind sharing a sample config for running IPv6 in the guestshell?

kasper123 · ‎08-26-2020

I think I understand your point now. Correct me if I got it wrong: You are talking about a separate IPv6 network for the guestshell that would be routed through the router and in that way accessible from other machines (that would have to be in a different IPv6 network).

I tried to configure IPv6 for the guestshell but so far I was unsucsessful. I found no guide or material discussing the use of IPv6 for guestshell.

My configuration is this:

interface VirtualPortGroup0
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ipv6 address 10:68:30::1/48
 ipv6 enable

app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 10:68:30::11 netmask 10:68:30::
app-default-gateway 10:68:30::1 guest-interface 0
end

But I don't see the configured IPv6 address in the guestshell.

Can you please share a working config to set IPv6 address for the guestshell?

Also is it possible to use both IPv4 and IPv6? I see that I can set either one or the other in the app-hosting

Br.

Francesco Molino · ‎08-26-2020

On the example below, it's a lab router where we have both ipv4 and ipv6 assigned. the ipv6 is dynamically assigned as you can't setup both ipv4 and ipv6 in the app-hosting section.

CSR-1#sh run | sec app-h
app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.2 netmask 255.255.255.0
app-default-gateway 192.168.35.1 guest-interface 0
name-server0 8.8.8.8
name-server1 8.8.4.4
CSR-1#sh run int virtualpo
CSR-1#sh run int virtualportGroup 0
Building configuration...

Current configuration : 227 bytes
!
interface VirtualPortGroup0
ip address 192.168.35.1 255.255.255.0
ip nat inside
ipv6 address C1C0:123::1/64
ipv6 ospf 10 area 0
no mop enabled
no mop sysid
end

CSR-1#

[root@guestshell guestshell]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
88: eth0@if89: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 52:54:dd:c0:ca:86 brd ff:ff:ff:ff:ff:ff
inet 192.168.35.2/24 brd 192.168.35.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 c1c0:123::5054:ddff:fec0:ca86/64 scope global dynamic
valid_lft 2591945sec preferred_lft 604745sec
inet6 fe80::5054:ddff:fec0:ca86/64 scope link
valid_lft forever preferred_lft forever

And pinging from a host on the network routed over OSPF (tcpdump from guestshell):

[root@guestshell guestshell]# tcpdump -i eth0 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:53:41.140010 IP6 gateway > ff02::1:ffc0:ca86: ICMP6, neighbor solicitation, who has guestshell, length 32
01:53:41.140031 IP6 guestshell > gateway: ICMP6, neighbor advertisement, tgt is guestshell, length 32
01:53:41.141544 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 1, length 64
01:53:41.141557 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 1, length 64
01:53:42.138076 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 2, length 64
01:53:42.138097 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 2, length 64
01:53:43.139577 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 3, length 64
01:53:43.139597 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 3, length 64
01:53:43.630091 IP6 gateway > ff02::5: OSPFv3, Hello, length 36
01:53:44.133813 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 4, length 64
01:53:44.133834 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 4, length 64
01:53:45.135094 IP6 c1c0:124::3 > guestshell: ICMP6, echo request, seq 5, length 64
01:53:45.135114 IP6 guestshell > c1c0:124::3: ICMP6, echo reply, seq 5, length 64

The default LXC has only 1 interface. You can deploy your own LXC machine or docker with multiple IPs.

If I recall, only working with /64 on the default guestshell

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

kasper123 · ‎08-27-2020

Thank you @Francesco Molino

If I recall, only working with /64 on the default guestshell

This was the critical missing information. I was trying with /48 and that didn't work.

Is it possible to fix the IPv6 address in the guestshell? It work's now but the address is random. I need it to be fixed if possible.

Francesco Molino · ‎08-28-2020

With default guestshell you can't fix it, it won't take it.

However, if you deploy your own LXC, you will be able to do it.

You can try with a DHCP address to see if it works.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

kasper123 · ‎08-28-2020

Thank you Francesco.

Francesco Molino · ‎09-01-2020

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question