Comcast 6rd Border Relay
Architecture and Config Template
Version 1.1

Overview

Comcast is deploying a trial of 6rd, or IPv6 “Rapid Deployment”, to a
select set of friendly subscribers. 6rd is a mechanism of stateless
IPv6-over-IPv4 tunneling, similar to 6to4 but using the service
provider’s own IPv6 prefix. Because IPv6 is tunneled over IPv4, IPv6
functionality is not needed in the service provider’s core or access
networks. The operational domain of 6rd is limited to the service
provider’s network and under its direct control.

More information on the functionality of 6rd can be found in the IETF
Softwire working group document draft-ietf-softwire-ipv6-6rd-09 (W.
Townsley, O. Troan).
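The stateless address mapping described above, worked through as an added Python example (not part of the original document) using the values from the config template later on this page (6rd prefix 2001:C3C1::/32, BR anycast address 6.6.6.6, no IPv4 mask length configured). RFC 5969 is the published version of the cited draft; the IPv4MaskLen handling goes beyond the template's full-address embedding to the general 6rd rule.

```python
import ipaddress

# Values taken from the config template on this page: 6rd prefix 2001:C3C1::/32,
# IPv4MaskLen 0 (the template sets no "tunnel 6rd ipv4 prefix-len", so all 32 bits
# of the IPv4 address are embedded) and the common BR anycast address 6.6.6.6.
SIXRD_PREFIX = "2001:C3C1::/32"
IPV4_MASK_LEN = 0
BR_IPV4 = "6.6.6.6"


def delegated_prefix(ipv4, sixrd_prefix=SIXRD_PREFIX, ipv4_mask_len=IPV4_MASK_LEN):
    """6rd delegated prefix for an IPv4 tunnel endpoint: the IPv4 address, minus
    its IPv4MaskLen high-order bits, directly follows the 6rd prefix, giving a
    prefix of length 6rd_prefix_len + (32 - ipv4_mask_len)."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    embedded = int(ipaddress.IPv4Address(ipv4)) & ((1 << embedded_bits) - 1)
    plen = net.prefixlen + embedded_bits
    return ipaddress.IPv6Network((int(net.network_address) | (embedded << (128 - plen)), plen))


def ipv4_endpoint(ipv6, sixrd_prefix=SIXRD_PREFIX, ipv4_mask_len=IPV4_MASK_LEN,
                  ipv4_common=None):
    """Stateless reverse mapping the BR performs for every IPv6 packet it tunnels
    toward a CE. Returns None outside the 6rd prefix. ipv4_common supplies the
    high-order IPv4 bits that were not embedded (needed only if ipv4_mask_len > 0)."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    embedded_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - embedded_bits
    embedded = (int(addr) >> shift) & ((1 << embedded_bits) - 1)
    high = 0
    if ipv4_mask_len:
        high = int(ipaddress.IPv4Address(ipv4_common)) & ~((1 << embedded_bits) - 1)
    return ipaddress.IPv4Address((high | embedded) & 0xFFFFFFFF)


def encapsulation_source_ok(outer_ipv4_src, inner_ipv6_src, **mapping):
    """Anti-spoofing check for a 6rd packet arriving from the IPv4 side: the outer
    IPv4 source must equal the IPv4 address embedded in the inner IPv6 source
    (RFC 5969 security considerations); the BR should drop and count failures."""
    return ipv4_endpoint(inner_ipv6_src, **mapping) == ipaddress.IPv4Address(outer_ipv4_src)


if __name__ == "__main__":
    print(delegated_prefix(BR_IPV4))              # 2001:c3c1:606:606::/64
    print(ipv4_endpoint("2001:C3C1:606:606::1"))  # 6.6.6.6
```

With IPv4MaskLen 0 the BR's own tunnel address 2001:C3C1:606:606::1 falls out of the same rule, which is why the template's Tunnel6 address and the Loopback50 source must agree on every BR.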

The Comcast trial will involve the deployment of two 6rd Border Relay
routers. These routers will initially be Cisco 7206VXR routers with
NPE-G2 routing engines, running an engineering build of Cisco IOS 15.1.
The BRs will be located in a physical site determined by Comcast.
Approximately 25 friendly subscribers will be issued a 6rd-enabled CPE
device. This device is a Linksys home router running a special
engineering build of its operating system with 6rd functionality. The
focus of this document is the Cisco IOS configuration for the Border
Relay.

Functional Design

The 6rd BR will be connected via two GigabitEthernet links to a
neighboring router. One interface carries IPv4 exclusively, while the
other carries IPv6 exclusively.

In the Comcast CRAN network, OSPFv2 is used for IPv4 links and loops,
and ISIS is used for IPv6 links and loops. An OSPF adjacency will
exist on the IPv4 interface only, and an ISIS adjacency will exist on
the IPv6 interface.

The BR will peer via IPv4 and IPv6 BGP to the CRAN “AR”, which
functions as the v4/v6 route-reflector. The BR will announce via IPv4
BGP the 6rd “Anycast” /32 host address, and will announce via IPv6 BGP
the 6rd “tunnel prefix” ::/32 network. The 6rd BR should learn both an
IPv4 and IPv6 default route via BGP.

Security is enforced by following the Comcast DSCP network architecture.
An ingress access control list on each interface restricts access to the
BR to HSD (CS1), management (CS2) and routing protocols / neighbor
discovery (CS6, CS7). All other traffic is dropped. A set of service
policies ensures that HSD traffic entering as IPv4 CS1 egresses as IPv6
CS1, and vice versa.

What is not in this config template

Comcast will need to modify this template as follows:
 -   IP Addresses
        o IPv4 /32 host address to be IPv4 anycasted via BGP. This IP
          should NOT be aggregated when crossing into the iBone; it
          should appear as a /32 in the iBone and all Comcast CRAN BGP
          tables. Aggregation of this IP will break IP Anycast.
        o IPv6 ::/32 network for the 6rd tunnel interface. This is
          tentatively planned to be 2001:55C::/32.
        o IPv4 and IPv6 point-to-point and loopback interface addresses
 -   Comcast AAA policy and configuration
 -   Comcast control plane policing (if desired)

Config Template

This template has been annotated with comments.


upgrade fpd auto
version 15.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
! Change this to a Comcast hostname
hostname r7200e-G2
!
boot-start-marker
! Special engineering build of IOS 15
boot system flash disk2:c7200p-adventerprisek9-mz.151-0.0.15.PIL14
boot-end-marker
!
!
logging console notifications
enable password cisco
!
no aaa new-model
!
no ip source-route
ip spd mode aggressive
! Ensure IPv4 and IPv6 CEF are enabled, along with IPv6 unicast-routing
ip cef
ip cef accounting non-recursive
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name comcast.net
ip name-server 68.87.64.164
ip name-server 68.87.66.164
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
key chain ISIS
  key 1
   key-string CISCO
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
redundancy
!
!
ip tcp window-size 65535
ip tcp path-mtu-discovery
ip telnet source-interface Loopback1
ip tftp source-interface Loopback1
!
! Config uses QOS Groups to preserve DSCP when changing address
! families through the BR. Set QOS Group 8 on ingress, match
! QOS Group 8 on egress and set DSCP CS1.
!
class-map match-all QOS_GROUP_8
  match qos-group 8
class-map match-all HSD
  match dscp cs1
!
!
policy-map 6RD_V4_INGRESS
  class HSD
   set qos-group 8
  class class-default
policy-map 6RD_V6_INGRESS
  class HSD
   set qos-group 8
  class class-default
policy-map 6RD_V6_EGRESS
  class QOS_GROUP_8
   set dscp cs1
  class class-default
policy-map 6RD_V4_EGRESS
  class QOS_GROUP_8
   set dscp cs1
  class class-default
!
!
!
!
! Primary IPv4 loopback for BGP & management
! This is UNIQUE per BR
!
interface Loopback1
  ip address 1.1.1.166 255.255.255.255
!
!
! Primary IPv6 loopback for BGP & management
! This is UNIQUE per BR
!
interface Loopback6
  no ip address
  ipv6 address 2001:ABCD:1111:0:1:1:1:166/128
  ipv6 router isis CISCO
!
! 6rd Tunnel Loopback
! This is COMMON on every BR
! And announced via BGP
!
interface Loopback50
  description 6rdBR Loopback
  ip address 6.6.6.6 255.255.255.255
!
! The 6rd Tunnel Interface
! The ipv6 address is constructed from the 6rd prefix and the
! source address of the tunnel (Loopback50). 606:606 is
! 6.6.6.6 in hex. This is COMMON on every BR. The IPv6 network
! is announced via BGP.
!
interface Tunnel6
  no ip address
  no ip redirects
  ipv6 address 2001:C3C1:606:606::1/128
  ipv6 verify unicast source reachable-via rx
  tunnel source Loopback50
  tunnel mode ipv6ip 6rd
  tunnel 6rd prefix 2001:C3C1::/32
!
interface FastEthernet0/0
  description Management network
  ip address 11.0.0.151 255.0.0.0
  duplex auto
  speed auto
!
interface FastEthernet0/1
  no ip address
  duplex auto
  speed auto
!
! IPv4 access to Comcast network
! The ACL permits only authorized DSCP codepoints to enter the router.
! The ingress and egress service-policy preserves DSCP between
! address families
!
interface GigabitEthernet0/1
  description 6rdBR IPv4
  ip address 151.0.44.2 255.255.255.0
  ip access-group V4_INGRESS_FILTER_DSCP in
  no ip redirects
  no ip proxy-arp
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 CISCO
  ip ospf network point-to-point
  ip ospf cost 1
  ip ospf hello-interval 1
  load-interval 30
  duplex auto
  speed auto
  media-type rj45
  negotiation auto
  service-policy input 6RD_V4_INGRESS
  service-policy output 6RD_V4_EGRESS
!
interface FastEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
!
!
! IPv6 access to Comcast network
! The ACL permits only authorized DSCP codepoints to enter the router.
! The ingress and egress service-policies preserve DSCP between
! address families
!
interface GigabitEthernet0/2
  description 6rdBR IPv6
  no ip address
  load-interval 30
  duplex auto
  speed auto
  media-type rj45
  negotiation auto
  ipv6 address 2001:C3C0:1::2/64
  ipv6 enable
  ipv6 router isis CISCO
  ipv6 verify unicast source reachable-via rx
  ipv6 traffic-filter V6_INGRESS_FILTER_DSCP in
  isis circuit-type level-2-only
  isis network point-to-point
  isis authentication mode md5
  isis authentication key-chain ISIS
  isis three-way-handshake ietf
  isis ipv6 metric 1
  service-policy input 6RD_V6_INGRESS
  service-policy output 6RD_V6_EGRESS
!
interface GigabitEthernet0/3
  no ip address
  duplex auto
  speed auto
  media-type rj45
  negotiation auto
!
interface GigabitEthernet4/0
  no ip address
  shutdown
  negotiation auto
!
! OSPF IGP
! Announce Loopback 1 and IPv4 interface only
!
router ospf 1
  router-id 1.1.1.166
  max-metric router-lsa on-startup wait-for-bgp
  log-adjacency-changes detail
  area 0 authentication message-digest
  timers throttle spf 400 400 4000
  passive-interface default
  no passive-interface GigabitEthernet0/1
  network 1.1.1.166 0.0.0.0 area 0
  network 151.0.44.2 0.0.0.0 area 0
!
! ISIS IGP
! Only used for IPv6
!
router isis CISCO
  net 50.0011.0001.0166.00
  is-type level-2-only
  metric-style wide
  max-lsp-lifetime 4000
  lsp-refresh-interval 3600
  log-adjacency-changes all
  distance 250 ip
  !
  address-family ipv6
    multi-topology
    set-overload-bit on-startup wait-for-bgp
    maximum-paths 6
  exit-address-family
!
! BGP
! Change AS to Comcast CRAN AS number
! Two adjacencies to the RR, one via IPv4, one via IPv6. Both
! are activated.
!
router bgp 100
  bgp router-id 1.1.1.166
  bgp log-neighbor-changes
  neighbor 1.1.1.6 remote-as 100
  neighbor 1.1.1.6 password CISCO
  neighbor 1.1.1.6 update-source Loopback1
  neighbor 2001:ABCD:1111:0:1:1:1:6 remote-as 100
  neighbor 2001:ABCD:1111:0:1:1:1:6 password CISCO
  neighbor 2001:ABCD:1111:0:1:1:1:6 update-source Loopback6
  !
  address-family ipv4
    ! Announce IPv4 Anycast BR loopback via BGP
    network 6.6.6.6 mask 255.255.255.255
    neighbor 1.1.1.6 activate
    no neighbor 2001:ABCD:1111:0:1:1:1:6 activate
    no auto-summary
  exit-address-family
  !
  address-family ipv6
    ! Announce IPv6 6rd tunnel prefix via BGP
    network 2001:C3C1::/32
    neighbor 2001:ABCD:1111:0:1:1:1:6 activate
  exit-address-family
!
ip local policy route-map router-originated-traffic
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip bgp-community new-format
!
!
! ACL to control IPv4 access to 6rd BR
!
ip access-list extended V4_INGRESS_FILTER_DSCP
  remark HSD - CS1
  permit ip any any dscp cs1
  remark Network Management - CS2
  permit ip any any dscp cs2
  remark BGP - CS6
  permit ip any any dscp cs6
  remark Drop anything else
  deny   ip any any
ip access-list extended router-originated-traffic
  permit tcp any any eq tacacs
  permit udp any any eq ntp
  permit udp any eq snmp any
  permit udp any any eq snmptrap
  permit udp any any eq syslog
  permit udp any any eq tacacs
  permit udp any any eq tftp
  permit gre any any
  remark Radius Auth Port udp 1645 accounting udp 1646
  permit udp any any eq 1645
  permit udp any any eq 1646
!
logging esm config
logging alarm informational
logging trap debugging
logging 11.0.0.253
!
! Static IPv6 route for the 6rd tunnel interface
! This is important!
!
ipv6 route 2001:C3C1::/32 Tunnel6
!
!
!
!
route-map router-originated-traffic permit 10
  match ip address router-originated-traffic
  set ip precedence immediate
!
!
!
! IPv6 ACL to control access to 6rd BR
!
ipv6 access-list V6_INGRESS_FILTER_DSCP
  remark HSD - CS1
  permit ipv6 any any dscp cs1
  remark Network Management - CS2
  permit ipv6 any any dscp cs2
  remark BGP - CS6
  permit ipv6 any any dscp cs6
  remark IPv6 Router Advertisement / Neighbor Solicitation
  permit ipv6 any any dscp cs7
  remark Drop anything else
  deny ipv6 any any
!
control-plane
!
!
!
!
!
line con 0
  exec-timeout 0 0
  stopbits 1
line aux 0
  exec-timeout 0 0
  stopbits 1
line vty 0 4
  exec-timeout 0 0
  password cisco
  login
  transport input all
!
exception data-corruption buffer truncate
ntp server 11.0.0.253
end
