OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.

I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 for all of the listed devices.

Lab

This is my test lab. All devices are directly connected via a layer 2 switch:

OSPFv3 Lab

General Information

  • Everything takes place in area 0.0.0.0 (backbone area)
  • Juniper SSG should be the DR: interface priority set to 100.
  • Palo Alto should be the BDR: interface priority set to 50.
  • Router-ID is always set manually according to my IPv4 sheme: 172.16.1.x, where x = the interface-ID from the IPv6 addresses (from ::1 to ::6).
  • Cost for the interfaces as seen in the figure.
  • Passive-interface on all user/access interfaces.
  • Redistribution of the remote access VPN clients on the Cisco ASA (AnyConnect).
  • No authentication is used .

The following devices are in alphabetic order. Beneath each screenshot is a detailed description of the the configuration that is shown.

During the tests, a single Cisco AnyConnect client was connected and therefore redistributed with a /128 IPv6 address prefix. The Quagga router was added to this lab after most of the listings were saved. That is: The Quagga router (172.16.1.8) is not shown on any other firewalls/routers.

Cisco ASA

The Cisco ASA 5505 is running version 9.2(4). Following are the configuration and monitoring screenshots:

This are the relevant CLI commands for the OSPFv3 config:

While this CLI commands can be used to show the OPSFv3 runtime values:

 

Cisco Router

I am running a Cisco 2811 router with version 15.1(4)M9. The configuration commands are the following: (Just for fun I set the OSPF process to “17”.)

And the show commands:

 

Fortinet FortiGate

Unfortunately the FortiGate has no possibility to configure anything of OSPFv3 via the GUI. Everything must be done via the CLI. (And this is called a “Next-Generation Firewall”???)

These are the configuration commands for my lab:

And the following shows the get commands:

 

Furthermore, the GUI can at least show the routing table:

FortiGate Routing Monitor.

 

Juniper ScreenOS

My SSG 5 runs at version 6.3.0r19. Unlike OSPF for IPv4, in which the “enable” checkmark for each interface is inside the interface configuration section, OSPFv3 is completely configured inside the virtual routers menu:

The config commands via the CLI are the following:

And the get commands for displaying the runtime values are this:

 

Palo Alto

This is the Palo Alto guide. I am using a PA-200 with version 7.0.2. To my mind, this is the best OSPFv3 GUI from all firewalls in my lab. Here we go:

To show some runtime stats on the CLI, use this show commands:

 

Quagga Router

Finally, I plugged in a Quagga router into my lab. It is running on a Ubuntu 14.04.3 LTS 64-bit server with version 0.99.22.4.

The configuration commands inside the ospf6d are the following (I have not found the “auto-cost reference-bandwidth” command, though it is listed in the official documentation.):

The show commands are listed below. Note that all OSPFv3 related commands are executed inside the ospf6d instance, while the routing table is shown inside the zebra instance:

 

Wireshark Dump

I captured all OSPF packets while I restarted (reload) the Cisco router. The pcapng therefore contains all five types of OSPFv3 packets (Hello, DBD, LSR, LSU, LSAack). Here it is for download:

download-buttons02

As an example, these are the messages after the Cisco router has booted (red marked area). After some database description packets (DBD), the router requested (LSR) many details. After that, the designated router (DR) sent many link-state updates (LSU) which contain the link-state advertisements (LSA). The yellow highlighted section shows a LSA for one of the intra-area-prefix LSAs:

OSPFv3 Wireshark Dump: Hello, DBD, LSR, LSU (with LSA), LSAack

Featured image “Tiger & Turtle – Magic Mountain” by Uwe licensed under CC BY-NC-ND 2.0.

Leave a Reply

Your email address will not be published. Required fields are marked *