New Office, New Network. Questions.
Hello NANOG,

I am Nikolai and I am a Network Administrator in a Russian middle-sized company. We do not have a large list with Networks in Russia so I am using the American list. I hope you can help me with some problems that I have.

We are moving to our new offices in two months and I have access to the building already. My task is to set up the entire network for the company. The previous administrator has left the company and I thought of taking the chance to remove some "technical debt" and make everything from scratch again. I am alone in the network administration and about one month ago I got an intern to help me but she is a student so she doesn't know much. I was told to move the networks this week and I have spent a lot of time thinking about how I should do it. I am sitting here with an initial plan but I have some questions that I did not manage to find complete information about. I would like your help if you can give it. I summarized my questions below and no matter how much I looked I could not find a lot of information and I am still confused.

1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers. In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device. I found that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router. However, I noticed something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6. Should I use this for NAT or one of "our" addresses?

2. The previous administrator did some bad job in some parts of the network. We have an internal router protocol to move traffic between routers, but in some cases he used NAT instead of adding these subnets to the router protocol. Everything works and all things that have to be reached are reachable, however I think this is bad and we should use the router protocol for all parts of the network. I have found two protocols in our router that are good and support IPv6 and they are OSPF and BGP. I did not manage to have BGP work and it is slow so I am thinking of OSPF. Do you think it is a good choice for IPv6 and IPv4? If I have two separate paths of 1 Gb/s, will I transfer files at 2 Gb/s?

3. In our old network we use "VRRP" which from what I know is a system for routers to share IPs and load balance or "failover" the traffic. I have seen that IPv6 has a built-in system which is similar and has something like priorities, etc. What happens if I have two routers with same priority? Which is used as default gateway? Is it load balancing? Also, can I use "VRRP" to load balance traffic to our DNS look-up "recursor"?

Thank you for your answers,
Nikolai.
On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
You can have other sized subnets, but 64 is very handy if you intend to use SLAAC auto-configure. There's also the danger of running into broken equipment that doesn't understand other sized subnets (similar to very old IPv4 gear that understood a /24, but exploded if told about a /23 or /25).
have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers. In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device. I found
Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever gets the job done in your situation. Don't worry about NAT anymore, you have enough addresses.
that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router.
Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel free to give every single device a global address. (You'll still want a stateful firewall someplace, but it doesn't have to do NAT, it just has to keep track of legitimate versus malicious traffic). And don't freak out if a device has more than one address. As I'm writing this from the sofa in my living room, my laptop wireless has:

  ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
        ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)

(One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different RFC3041 privacy addresses that it's chunked out over the weekend. It works just fine that way - and it's *designed* to do so. Of course, in a corporate environment, you may want to turn the privacy addresses off, and only use one of DHCPv6/SLAAC - I do it this way because it tests for broken software...)

Oh, and don't block ICMPv6. :)
something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6. Should I use this for NAT or one of "our" addresses?
You use it for the IP address of the provider-facing interface of your router. Assign the "inside" interface(s) addresses on the appropriate /64 subnet that they will be on.
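An added example (not from the thread) that works through the two points in the reply above: how many /64s a delegated /56 actually holds, and how to tell the address types in the quoted ifconfig output apart. The inet6 lines are copied from that output; the labelling rules (EUI-64 ff:fe marker for SLAAC, a /128 host route for the DHCPv6 lease, anything else global as a privacy address) are a heuristic that matches what the reply describes, not an ifconfig feature.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Sample input: the inet6 lines from the ifconfig output quoted in the reply above.
IFCONFIG_SAMPLE = """\
inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
"""

INET6_RE = re.compile(r"inet6\s+(\S+)\s+prefixlen\s+(\d+)")


def count_64s(delegation: str) -> int:
    """How many /64 subnets a delegated prefix (e.g. the ISP's /56) contains."""
    net = ipaddress.IPv6Network(delegation, strict=False)
    return 2 ** (64 - net.prefixlen)


def mac_from_eui64(addr_str: str) -> Optional[str]:
    """Recover the MAC from a modified-EUI-64 interface identifier, else None."""
    iid = ipaddress.IPv6Address(addr_str).packed[8:]   # low 64 bits = interface id
    if iid[3:5] != b"\xff\xfe":                        # EUI-64 inserts ff:fe mid-way
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr_str: str, prefixlen: int) -> str:
    """Heuristic label: link-local, SLAAC (EUI-64), the /128 host route that the
    DHCPv6 lease shows up as, or an RFC 4941 privacy address (random iid)."""
    if ipaddress.IPv6Address(addr_str).is_link_local:
        return "link-local"
    if mac_from_eui64(addr_str) is not None:
        return "slaac-eui64"
    if prefixlen == 128:
        return "dhcpv6"
    return "privacy"


def parse_ifconfig(text: str) -> List[Tuple[str, str]]:
    """Return (address, label) for every inet6 line in ifconfig-style output."""
    return [(a, classify(a, int(p))) for a, p in INET6_RE.findall(text)]
```

The recovered MAC for the SLAAC address matches the `ether` line in the quoted output, which is exactly why the reply suggests turning EUI-64 off and using privacy addresses or DHCPv6 where that linkage is unwanted.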
hi nikolai - oops.. this got long based on my experiences/opinions :-)

On 07/10/16 at 09:53pm, Nikolai Petrov wrote:
We are moving to our new offices in two months and I have access to the building already. My task is to set up the entire network for the company. The previous administrator has left the company and I thought of taking the chance to remove some "technical debt" and make everything from scratch again.
all good ...
I was told to move the networks this week
do you have the routers, switches, cables, few servers for testing ? has your ISP installed their internet uplink connectivity to the bldg ? if so, then the above management is on their toes; otherwise, you'd need to rattle some $$$ loose to buy the missing hw :-)
and I have spent a lot of time thinking about how I should do it.
good ... now's the chance to fix the problems if any ..
1. Currently we do not have IPv6 in our network
implies a learning IPv6 curve ( red flag for possible time-wasting hogs )

if the task is to move the entire "mid-sized" company from current bldg to new bldg, i'd suggest using the "known/good/working/best-practices" methodology to move the company. first get the new bldg with new test servers working with IPv4 ( the way you want it done ) and "working" like the current bldg, which should take a few hours :-) then work with IPv6 issues
but I have seen the ISP is giving us a "/56 Block"
good
which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6.
nah ... you can subnet your /56 into whatever you want
In our IPv4 setup we have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers.
good ... use that to test everything. since you want or are going to use NAT, you have the standard internal LAN for the bldg and can use the standard 10/8 or 192.168/16 or 172.16/12. so far.. nothing new/special/problematic
In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device.
why would you want to complicate a time-restricted ( 1 month ) move to get the new bldg working with IPv6 w/out having prior IPv6 experience ? remember, "all eyes" will be looking to you to move the whole company from current bldg to new bldg without delay
I found that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ .
there should never be any collision in IP#, ipv4 or ipv6
From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router.
the ISP provides you the range of IPv6 assigned to you. if your current bldg does NOT have IPv6, you might not be able to easily test the new IPv6 stuff in the new bldg. you might be able to test your new IPv6 connections at the local coffee shop or other public places, but that's a major security violation since your new IPv6 has no security precautions installed yet. you should be paranoid about trojans/worms/malware piggybacking into your new un-secured new bldg IPv6 infrastructure or IPv4 infrastructure
However, I noticed something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6.
why strange ?? routers get their IP# from dhcpv6 or statically assigned
Should I use this for NAT or one of "our" addresses?
you need to fix this problem before continuing .. ( explain why the IPv6/64 is not what you're expecting ) NAT is NOT the solution ...
2. The previous administrator did some bad job in some parts of the network.
:-) that will always be true 90% of the time :-) some things are always gonna be "bad"
We have an internal router protocol to move traffic between routers, but in some cases he used NAT instead of adding these subnets to the router protocol. Everything works and all things that have to be reached are reachable,
if it works .. why is it "bad" ?? there might be dozens of different ways to make things work ( "things that have to be reachable are reachable" )
however I think this is bad
not necessarily a bad thing
and we should use the router protocol for all parts of the network.
why ?
I have found two protocols in our router that are good and support IPv6 and they are OSPF and BGP.
there might be more :-)
I did not manage to have BGP work
what part is not working ? google/yahoo the error messages :-)
and it is slow so I am thinking of OSPF.
sometimes, which works first/better/easiest might be a good option, thus trying other things is good, but that can also create more headaches too .. more problems to (fun) solve
Do uou think it is a good choice for IPv6 and IPv4?
i'd work with IPv4 first ... and more importantly... there is NO excuse why IPv4 doesn't or cannot work in the new bldg. after IPv4 works in the new bldg as well as it does in the current bldg, you have time for "( IPv6 ) learning experiments"
If I have two separate paths of 1 Gb/s, will I transfer files at 2 Gb/s?
no ... you will be able to transfer 1Gb/s each .. if you "channel bond" the two 1Gb/s into "one link", then you might be able to see 1.9Gb/s uplinks .. never 2Gb/s if you have 2 1Gb/s uplinks ... you should have the 2 routers crosslinked for failover unless uplink speed is more important than failover
3. In our old network we use "VRRP" which from what I know is a system for routers to shae IPs and load balance or "failover" the traffic.
good
I have seen that IPv6 has a built-in system which is similar and has something like priorities, etc. What happens if I have two routers with same priority?
same rules/issues apply to IPv4. one router/path should always have priority over the other depending on destinations .... lots of testing to see which packets go thru which uplinks
Whic is used as default gateway?
depends.. engineering/manufacturing uses router1, hr/accting uses router2; or public DMZ uses router1, corp LAN uses router2. but in either case, router1 and router2 should be crosslinked if failover is important
Is it load balancing? Also, can I use "VRRP" to load balance traffic to our DNS look-up "recursor"?
dozen ways to do load balancing ... more problems to resolve and prioritize based on your company visibility online

load balancing should be worried about:
- dns, www traffic, email traffic, DVD/video/music downloading

also always have 3 hot-swap complete infrastructure and backups
  fw1 + dns1 + www1 + mail1 + NAT1
  fw2 + dns2 + www2 + mail2 + NAT2
  fw3 + dns3 + www3 + mail3 + NAT3

fw only runs iptables for inline fw for entire dmz/localLan
dns only runs bind and iptables and nothing else
www only runs apache and iptables and nothing else
mail only runs sendmail and iptables and nothing else
nat only runs NAT + iptables

each backs up its bind/sendmail/apache data to the other 2 boxes, but bind/sendmail/apache itself is turned off on the other hot backups

magic pixie dust
alvin
#
# DDoS-Mitigator.net
#
On Sun, Jul 10, 2016 at 2:53 PM, Nikolai Petrov <prnpetrov@yandex.com> wrote:
I thought of taking the chance to remove some "technical debt" and make everything from scratch again.
Hi Nikolai, This is a rookie mistake. Every in-place system encodes business knowledge, most of it forgotten and much of it still relevant. From your comments I infer that you haven't been doing the job long enough to know where the skeletons are buried.
1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets".
Good for you! We've been urging folks to deploy IPv6 for years and you're taking the advice to heart. Now stop. IPv6 has enough inherent issues and problems that you'll want to deploy it when your configuration is otherwise quiescent. If you do it while also making other large changes, you're begging to get hurt.
2. The previous administrator did some bad job in some parts of the network. We have an internal router protocol to move traffic between routers, but in some cases he used NAT instead of adding these subnets to the router protocol.
I urge you to tread lightly. You don't know what business knowledge was encoded in this configuration. Maybe the servers respond differently depending on whether the source is internal or external and some of the origins should be treated to the external rules.
I have found two protocols in our router that are good and support IPv6 and they are OSPF and BGP.
OSPF is an interior gateway protocol. Use between routers within your network. BGP is an exterior gateway protocol. Use it when you want to talk to multiple ISPs at the same time.
3. In our old network we use "VRRP" which from what I know is a system for routers to shae IPs and load balance or "failover" the traffic. I have seen that IPv6 has a built-in system which is similar and has something like priorities, etc. What happens if I have two routers with same priority?
If the guy who wrote the stack wasn't asleep at the switch, the host will pick one and use it as long as the router keeps advertising it. But it's not a good idea to tempt fate - set each router at a different priority.

IPv6 router advertisements are nothing like IPv4 VRRP. In IPv4, hosts receive a single default gateway. VRRP lets two or more routers decide among themselves who will serve up the IP address for that default gateway. And then swap it when the router serving the address breaks.

IPv6 hosts can have more than one default gateway. Each router with a path to the Internet can offer to act as a default gateway and hosts will accept and use it. Preventing machines which should not act as default gateways from making offers that the hosts hear and use is one of the many idiosyncrasies you'll enjoy debugging when you first deploy IPv6.
Also, can I use "VRRP" to load balance traffic to our DNS look-up "recursor"?
No. VRRP is a failover system. It has nothing to do with load balancing.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
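An added example (not from the thread) of the RA mechanism the reply above contrasts with VRRP: it builds the fixed 16-byte ICMPv6 Router Advertisement header with the RFC 4191 Default Router Preference bits, parses it back, and ranks candidate default routers the way a host does. The source addresses and lifetimes are constructed; the checksum is left at zero and no options are attached, so these bytes are for parsing practice, not for sending.

```python
import struct
from typing import Dict, List

ICMPV6_ROUTER_ADVERT = 134
# RFC 4191 Default Router Preference lives in bits 4-3 of the RA flags byte.
PRF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_NAME = {v: k for k, v in PRF_BITS.items()}
PRF_RANK = {"high": 2, "medium": 1, "low": 0}
# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_FMT = "!BBHBBHII"


def build_ra(router_lifetime: int, pref: str = "medium", hop_limit: int = 64) -> bytes:
    """Fixed RA header (constructed sample): checksum zero, M/O bits clear, no options."""
    flags = PRF_BITS[pref] << 3
    return struct.pack(RA_FMT, ICMPV6_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                       router_lifetime, 0, 0)


def parse_ra(pkt: bytes) -> dict:
    """Extract the preference and Router Lifetime from an RA header."""
    typ, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(RA_FMT, pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    prf = (flags >> 3) & 0b11
    # 0b10 is reserved; RFC 4191 tells receivers to treat it as medium.
    return {"pref": PRF_NAME.get(prf, "medium"), "lifetime": lifetime}


def default_router_order(ras: Dict[str, bytes]) -> List[str]:
    """Rank candidate default routers as an RFC 4191 host does. A Router
    Lifetime of 0 means 'not a default router' (the box may still advertise
    prefixes), which is how a router that should not be a gateway is kept out
    of the list. Higher preference wins; equal preference is a tie the host
    breaks on its own (here: first heard), which is why the reply says to
    give each router a different priority."""
    parsed = {src: parse_ra(p) for src, p in ras.items()}
    candidates = [s for s, r in parsed.items() if r["lifetime"] > 0]
    return sorted(candidates, key=lambda s: PRF_RANK[parsed[s]["pref"]], reverse=True)
```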
participants (4)
- alvin nanog
- Nikolai Petrov
- Valdis.Kletnieks@vt.edu
- William Herrin