DHCP Guest Range on a Single Subnet

At my new job, we needed to deny unregistered devices access to the internet by default. Normally this should be done via NAC, but all I had available was a Windows DHCP Server, a single subnet (and VLAN), and a perimeter firewall. Upgrading to NAC wasn’t an option at the time.

I wanted to configure the DHCP server so that whitelisted clients would get a DHCP IP Address lease in a different range than guest clients. This way, I can block all traffic to/from the guest client IP range at the firewall. This isn’t at all a robust security solution, but it was good enough for the specific application.

Here’s how you can configure Windows DHCP Server to put whitelisted machines in a specific IP range, and guest machines in a separate IP range.

  1. Create a ‘DHCP Scope’ in DHCP that constitutes the entire IP address range you’d like to use for DHCP. The scope should include both whitelisted PCs and guests.
  2. Create an ‘exclusion range’ in the main scope created in the previous step. The exclusion range will be the ‘guest’ range.
  3. Create a ‘DHCP Policy’ in the main scope.
    Policy Name: “Guest Devices Get Blocked Pool”
  4. Edit the new policy.
  5. On the ‘Conditions’ tab, add a new condition.
    Criteria: MAC Address
    Operator: Not Equals
  6. Populate the policy’s new condition “Values” with your MAC address whitelist.
  7. Back on the Policy Properties window (conditions tab), make sure that the ‘AND’ radio button is selected.

An important note is that each condition can only hold about 20 MAC addresses. When you want to whitelist more devices past the limit, just create another ‘condition’ in the same policy. As long as ‘AND’ is the operator on the ‘Conditions’ tab, it’ll work great.

Another important note is that when running a DHCP fail-over partner, create the policy on a source member, and then replicate it to the partner. Every time you whitelist a new machine, you need to initiate a replication.

Here’s some PowerShell to help.

# Get the MAC addresses (ClientId) of all current leases in the scope:
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Select-Object ClientId

# Get all whitelisted MAC addresses from the policy's conditions:
(Get-DhcpServerv4Policy -ScopeId 192.168.1.0 -Name "Guest Devices Get Blocked Pool").MacAddress

Thanks for reading :).

SCVMM 2012 R2 – Using Mac Address Pools

I had the weirdest thing happen the other day. I created a VM and migrated it to a second host. I created a new VM, and had trouble accessing the first VM. What gives? Well, I ran into a MAC address duplication issue.

To avoid this, first configure your hosts and VMs to use Logical Switches. Once configured, set all of your VMs to the static MAC address '00:00:00:00:00:00' using the SCVMM console. Once you hit ‘Apply’ and ‘OK’ to close the properties window, SCVMM will give the VM a new MAC address from the MAC address pool. No more duplicates!

For the Logical Switch configuration, see my post ‘SCVMM 2012 R2 – Logical Switches’.

SCVMM 2012 R2 – Logical Switches

OK, logical switches are pretty sweet. Like a lot of things, it took me a little while to wrap my head around the concepts and terminology. The SCVMM concept of a logical switch is very similar to VMware’s Distributed Virtual Switch. It’s all about finding novel ways to map your networking hardware to virtual abstractions, to hopefully make things easier to manage.

This post will cover one of the most basic configurations: creating a simple logical network which will connect to both your hosts and VMs.

Step One – Logical Network

This is where you tell SCVMM how you want to present the physical network to the virtual machine hosts.

  1. Open SCVMM Console -> Fabric -> Networking -> Logical Networks.
  2. Create a ‘Logical Network’.
  3. You’ll see three options. Choose ‘One Connected Network’ and check both boxes, then click ‘Next’.
  4. On the ‘Network Sites’ page, click ‘Add’.
  5. Check the box next to ‘All Hosts’.
  6. Under the section ‘Associated VLANs and IP subnets’, click ‘Insert Row’.
  7. Change the new row’s VLAN to “0” and make the IP Subnet blank, then click ‘Next’.
  8. On the summary page, click ‘Finish’.

By choosing ‘One Connected Network’, we instruct SCVMM that the sites specified in the ‘Network Sites’ page are all part of the same routable network. This is the simplest way to start.

By adding the new associated VLAN “0” with no subnet, we instruct this logical switch to transmit to and from any IP subnet on the default untagged VLAN.

Step Two – Uplink Profile

When we create a logical switch, we need to define physical ports on the VM hosts that will be designated as ‘uplinks’ to this logical switch. To do this, we need to create a ‘Port Profile’ that describes the uplinks.

  1. Open SCVMM Console -> Fabric -> Networking -> Port Profiles
  2. Create a Hyper-V Port Profile.
  3. On the ‘General’ tab, choose ‘Uplink Port Profile’ and click ‘Next’.
  4. On the ‘Network Configuration’ tab, click the checkbox next to your logical network, then click ‘Next’.
  5. On the ‘Summary’ tab, click ‘Finish’.

Notice that you can change the load balancing algorithm on the ‘General’ tab. Lots of fun stuff available there.

Step Three – Logical Switch

Now, we can create the logical switch!

  1. Open SCVMM Console -> Fabric -> Networking -> Logical Switches
  2. Create a logical switch.
  3. On the ‘Uplink’ page, add your uplink profile.
  4. On the ‘Virtual Ports’ page, add the ‘Host Management’ and ‘High Bandwidth’ profiles.

It’s worth looking into the virtual port profiles. You can do some cool stuff like manage the security settings and QoS.

Step Four – Assign the Logical Switch to Hosts

This can get tricky, and you can end up disconnecting your host from the network. I recommend that you shut down all VMs on the host, and try this on a host where you have physical access in case things don’t work out quite right.

  1. Open SCVMM Console -> VMs and Services -> All Hosts.
  2. Right-click your host and choose ‘Properties’.
  3. Click the ‘Virtual Switches’ page.
  4. Delete the current standard switch, but don’t click ‘Apply’ yet or the host will become unreachable.
  5. Add your new logical switch, but don’t click ‘Apply’ yet or the host will become unreachable.
  6. Click the new logical switch, and then click ‘New virtual network adapter’ with the following settings, then click ‘Apply’.
    name: mgmt
    port classification: Host Management
  7. Wait a few minutes, then right-click the host and choose ‘Refresh’.

Step Five – Assign the Logical Switch to your VMs

Alright! Now we can finally use the new-fangled virtual switch.

  1. Right-click a VM on the host and choose ‘Properties’ -> ‘Hardware Configuration’ -> ‘Network Adapter’.
  2. Connect your VM’s Network Adapter to the ‘VM Network’ that matches the ‘Logical Network’ name created in Step 1.
  3. Connect your VM to the ‘Logical Switch’ and assign it a port classification (probably ‘High Bandwidth’).

And congrats! You’ve made it through configuring a SCVMM Logical Switch.

Learning ISATAP – Part 3 – ISATAP Configuration

Now that we have a test lab from parts 1 and 2, we can get to the business of actual ISATAP configuration.

Overview

  1. Configure ISATAP Server
  2. Configure Routes
  3. Configure DNS

Configure ISATAP Server

Here’s what we’ll need to do:

  1. Configure the name and interfaces
  2. Enable the ISATAP interface.
  3. Configure the Routes.

Configure ISATAP1

This is no biggie. Run this code on isatap1.

Rename-NetAdapter -Name "Ethernet" -NewName "net1"
New-NetIPAddress -IPAddress 10.10.10.25 -PrefixLength 24 -InterfaceAlias net1
New-NetIPAddress -IPAddress fd1a:6cf8:7eeb:401::25 -PrefixLength 64 -InterfaceAlias net1
New-NetRoute -InterfaceAlias "net1" -DestinationPrefix 0.0.0.0/0 -NextHop 10.10.10.1
netsh interface ipv4 add dnsservers net1 10.10.10.10 index=1
Add-Computer -DomainName contoso.com -NewName isatap1 -Restart

Enable the ISATAP Interface

A lot of people configure a DNS record to enable ISATAP, which is fine. However, you want the ISATAP router to continue to have ISATAP enabled even if DNS is down. To do this, we’ll add a hosts file entry on isatap1 itself (from an elevated command prompt; each hosts file line is the IP address followed by the name).

echo 10.10.10.25 isatap.contoso.com >> C:\windows\system32\drivers\etc\hosts
echo 10.10.10.25 isatap >> C:\windows\system32\drivers\etc\hosts

Now, if you disable and enable the network adapter, and then run ipconfig, you’ll see that the ISATAP adapter has switched from ‘Media Disconnected’ to online.

You need to reboot the ISATAP router at this point to make sure that the ISATAP interface is online and working properly, and that the routing tables have been updated.

Configure the Routes

First, we need to choose a prefix for our ISATAP addresses. For our lab, I chose fd1a:6cf8:7eeb:500::/64.

Next comes the tricksy part. Code:

#first, find the interface name of your LAN adapter and your ISATAP adapter
Get-NetAdapter

#after the following commands, clients will have an ISATAP address enabled, but they'll have no default gateway.
#in this configuration, ISATAP is technically enabled and hosts can communicate, but they cannot reach other native ipv6 links.
netsh interface ipv6 set interface [#-of-isatap-adapter] advertise=enabled
netsh interface ipv6 add route fd1a:6cf8:7eeb:500::/64 [#-of-isatap-adapter] publish=yes

#after the following commands, clients will have a default gateway for their isatap interface and be able to use it.
netsh interface ipv6 set interface [#-of-LAN-adapter] forwarding=enabled
netsh interface ipv6 set interface [#-of-isatap-adapter] forwarding=enabled
netsh interface ipv6 add route ::/0 [#-of-LAN-adapter] nexthop=fd1a:6cf8:7eeb:400:: publish=yes

There’s only one problem left. Since rras1 doesn’t have a route to fd1a:6cf8:7eeb:500::/64, clients on net1 and net2 won’t be able to reach clients on net3. To fix this, log in to rras1 and run the following code:

#get the network interface numbers
Get-NetAdapter

netsh interface ipv6 add route fd1a:6cf8:7eeb:500::/64 [#-of-net1] nexthop=fd1a:6cf8:7eeb:401::25

Now, you’re golden. The ISATAP router should be up and running.

Configure DNS

To enable ISATAP site-wide, we need to do some work on adds1:

#"isatap" is on the DNS global query block list by default; setting the list to only "wpad" lets the isatap name resolve
Set-DnsServerGlobalQueryBlockList -List wpad
Add-DnsServerResourceRecordCName -ZoneName contoso.com -Name isatap -HostNameAlias isatap1.contoso.com

Alright. To test things out, reboot your clients to ensure that the ISATAP interface comes online. Next, try to ping the ISATAP interface of client3 from client1 and client2, and vice versa. Everything should work at this point.

Enjoy!

Learning ISATAP 2 – Lab Configuration

In this post, we’ll configure a test lab. By the end of this post, you’ll have an IPv6/IPv4 dual-stack network configured. You will also have an IPv4-only island that we will use for testing ISATAP.

Overview:

  1. Create VMs
  2. Create VM Switches
  3. Configure Routers
  4. Configure Network Services

Create VMs

We can create all the VMs we need using PowerShell (assumes Hyper-V).

##code assumes you have sysprep'd server 2012 r2 and windows 8.1 template VHDs. Change the first 2 lines as necessary.
$svrVmParentVhd = "C:\vm\vhdtmpl\svr2012r2-tmpl.vhdx"
$clientVmParentVhd = "C:\vm\vhdtmpl\win81-template.vhdx"
$svrVMs = @("isatap1","adds1","rras1","rras2")
$clientVMs = @("client1","client2","client3")

$svrVMs | %{New-VHD -ParentPath $svrVmParentVhd -Path ("C:\VM\VHD\" + $_ + ".vhdx") -Differencing}
$clientVMs | %{New-VHD -ParentPath $clientVmParentVhd -Path ("C:\VM\VHD\" + $_ + ".vhdx") -Differencing}

($svrVMs + $clientVMs) | %{New-VM -Name $_ -VHDPath ("C:\VM\VHD\" + $_ + ".vhdx") -Generation 2 -MemoryStartupBytes 1024MB}

Get-VM | Set-VM -DynamicMemory

Create VM Switches

More PowerShell:

#Build VMSwitches
#Change the first line to match the name of your public internet adapter.
$inetAdapterName = "Wi-Fi"
$privNets = @("net2","net3","inter-router-link")
New-VMSwitch -Name internet -NetAdapterName $inetAdapterName
New-VMSwitch -Name net1 -switchType internal
$privNets | % {New-VMSwitch -Name $_ -SwitchType private}

#Map VM Switches to VMs
Connect-VMNetworkAdapter -vmname isatap1 -SwitchName "net1"
Connect-VMNetworkAdapter -vmname adds1 -SwitchName "net1"
Connect-VMNetworkAdapter -vmname client1 -SwitchName "net1"

Connect-VMNetworkAdapter -vmname rras1 -SwitchName "internet"
Add-VMNetworkAdapter -vmname rras1 -SwitchName "net1"
Add-VMNetworkAdapter -vmname rras1 -SwitchName "net2"
Add-VMNetworkAdapter -vmname rras1 -SwitchName "inter-router-link"

Connect-VMNetworkAdapter -vmname rras2 -SwitchName "net3"
Add-VMNetworkAdapter -vmname rras2 -SwitchName "inter-router-link"

Connect-VMNetworkAdapter -vmname client2 -SwitchName "net2"
Connect-VMNetworkAdapter -vmname client3 -SwitchName "net3"

#start vm's
Get-VM | Start-VM -AsJob

Configure Routers

rras1

First, we need to install the RAS service. Then, configure the router’s name and interfaces. Start with the server rras1. Powershell incoming:

Install-WindowsFeature Routing -IncludeManagementTools -IncludeAllSubFeatures
#open firewall for testing
Get-NetFirewallRule | ?{$_.name -like "*icmp*"} | Enable-NetFirewallRule

#Configure RRAS1 Interfaces
#note -- you will need to figure out this mapping, probably by disconnecting the interfaces
#   in hyper-v manager, then connecting them one-at-a-time to see which interfaces are which.
Rename-NetAdapter -Name "Ethernet" -NewName "internet"
Rename-NetAdapter -Name "Ethernet 4" -NewName "net1"
Rename-NetAdapter -Name "Ethernet 3" -NewName "net2"
Rename-NetAdapter -Name "Ethernet 2" -NewName "inter-router-link"

#note: in the following lines, the fd1a:6cf8:7eeb prefix (e.g. fd1a:6cf8:7eeb:400::/64) was picked randomly. Nothing special about it.
New-NetIPAddress -IPAddress 10.10.10.1 -PrefixLength 24 -InterfaceAlias "net1"
New-NetIPAddress -IPAddress fd1a:6cf8:7eeb:401:: -PrefixLength 64 -InterfaceAlias "net1"
New-NetIPAddress -IPAddress 10.20.20.1 -PrefixLength 24 -InterfaceAlias "net2"
New-NetIPAddress -IPAddress fd1a:6cf8:7eeb:402:: -PrefixLength 64 -InterfaceAlias "net2"
New-NetIPAddress -IPAddress 172.24.0.2 -PrefixLength 24 -InterfaceAlias "inter-router-link"

#Configure a route for 10.30.30.0/24 from rras1 to rras2 via inter-router-link
#We will need this later.
New-NetRoute -InterfaceAlias "inter-router-link" -DestinationPrefix "10.30.30.0/24" -NextHop 172.24.0.3

Rename-Computer rras1
Restart-Computer

Now that we have the interfaces configured, we need to enable Routing, NAT, and the DHCP Relay Agent.

  1. Login and launch Routing and Remote Access.
  2. Right-click the host and choose ‘Configure’.
  3. Choose custom configuration.
  4. When presented, choose the ‘LAN Routing’ and ‘NAT’ checkboxes.
  5. Finish the configuration wizard.
  6. Navigate to Routing -> IPv4 -> NAT.
  7. Right-click and Choose ‘New Interface’.
  8. Add all available interfaces to the NAT section.
  9. Ensure that the internet interface is being used as the public internet-facing interface, and the rest as private. Do this by looking at the properties of each interface in the NAT section.
  10. Navigate to ‘Router -> IPv4 -> General’.
  11. Right-click ‘General’ and choose ‘New Routing Protocol’.
  12. Choose ‘DHCP Relay Agent’ and click ‘OK’.
  13. Right-click ‘DHCP Relay Agent’ and choose ‘Properties’.
  14. Add the DHCP server address (in our test lab, this will be 10.10.10.10) and click ‘OK’.
  15. Add all interfaces except ‘internet’ and ‘net1’ to the DHCP Relay Agent section.

rras2

Now, let’s configure our second router. This one will use an inter-router-link to connect to rras1, and will serve an IPv4-only link (island) that we’ve named net3.

First, install the RAS service, then configure the interfaces.

Install-WindowsFeature Routing -IncludeManagementTools -IncludeAllSubFeatures
#open firewall for testing
Get-NetFirewallRule | ?{$_.name -like "*icmp*"} | Enable-NetFirewallRule

#Interfaces
#note -- you will need to figure out this mapping, probably by disconnecting the interfaces
#   in hyper-v manager, then connecting them one-at-a-time to see which interfaces are which.
Rename-NetAdapter -Name "Ethernet" -NewName "net3"
Rename-NetAdapter -Name "Ethernet 2" -NewName "inter-router-link"

New-NetIPAddress -IPAddress 10.30.30.1 -PrefixLength 24 -InterfaceAlias "net3"
New-NetIPAddress -IPAddress 172.24.0.3 -PrefixLength 24 -InterfaceAlias "inter-router-link"
New-NetRoute -InterfaceAlias "inter-router-link" -DestinationPrefix "0.0.0.0/0" -NextHop 172.24.0.2

#Name
Rename-Computer rras2
Restart-Computer

Now, let’s configure Routing and the DHCP Relay Agent.

  1. Launch Routing and Remote Access
  2. Right-click the host and choose ‘Configure’.
  3. Choose custom configuration.
  4. Choose the ‘LAN Routing’ checkbox.
  5. Finish the wizard
  6. Navigate to ‘Router -> IPv4 -> General’.
  7. Right-click ‘General’ and choose ‘New Routing Protocol’.
  8. Choose ‘DHCP Relay Agent’ and click ‘OK’.
  9. Right-click ‘DHCP Relay Agent’ and choose ‘Properties’.
  10. Add the DHCP server address and click ‘OK’.
  11. Add the interface ‘net3’ to the DHCP Relay Agent section.

Configure Network Services

At this point, our routing is all configured properly. Now we just need to install DNS and DHCP. I’m also going to install ADDS.

Run the following code on ADDS1:

#Configure ADDS1
Rename-Computer adds1
restart-computer

#Configure Interface (the single adapter on adds1 is still named "Ethernet")
New-NetIPAddress -IPAddress 10.10.10.10 -PrefixLength 24 -InterfaceAlias "Ethernet"
New-NetRoute -InterfaceAlias "Ethernet" -DestinationPrefix "0.0.0.0/0" -NextHop 10.10.10.1

Install-WindowsFeature AD-Domain-Services,DHCP,DNS -IncludeManagementTools -IncludeAllSubFeatures
Install-ADDSForest -DomainName contoso.com -InstallDNS
##take a break here; you'll need to manually enter the "SafeModeAdministratorPassword"

Once adds1 reboots, continue its configuration with this code:

#configure dhcp
Add-DhcpServerV4Scope -Name 10.10.10.0 -StartRange 10.10.10.50 -EndRange 10.10.10.100 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.10.10.0 -DnsDomain contoso.com -DnsServer 10.10.10.10 -Router 10.10.10.1
Add-DhcpServerV4Scope -Name 10.20.20.0 -StartRange 10.20.20.50 -EndRange 10.20.20.100 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.20.20.0 -DnsDomain contoso.com -DnsServer 10.10.10.10 -Router 10.20.20.1
Add-DhcpServerV4Scope -Name 10.30.30.0 -StartRange 10.30.30.50 -EndRange 10.30.30.100 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.30.30.0 -DnsDomain contoso.com -DnsServer 10.10.10.10 -Router 10.30.30.1

#authorize dhcp
Add-DhcpServerInDc

#add dns forwarders
Add-DnsServerForwarder -IPAddress 8.8.8.8

At this point, you probably want to check the host OS (the ‘parent partition’). I’m guessing that your host internet access is dead, since your parent partition will now have two interfaces which both have default gateways.

To fix this, log in to adds1, open the DHCP snap-in, and convert your parent partition’s lease into a reservation. Then, configure the reservation so that its router and DNS server options are blank. Then, perform an ipconfig /renew on your host system.

Verify IPv4 Connectivity

At this point, all of your clients should be able to access the internet, though they may need a reboot or an ipconfig /renew. Make sure every host can ping every other host in our test network. Do this by first running the following PowerShell command on every system to enable ICMP. Then, run the ping command.

PowerShell to enable ICMP echoes:

Get-NetFirewallRule | ?{$_.name -like "*icmp*"} | Enable-NetFirewallRule

If you’re not able to ping hosts, check the ip addresses and gateways of all nodes. You can also try restarting the rras servers.

Configure Native IPv6

Next step, configuring IPv6. We want net1 and net2 to have native IPv6. Later, we’ll configure ISATAP so that net3 can use IPv6 even though rras2 doesn’t have IPv6 enabled.

To configure IPv6, we just need to pick a network prefix, then configure router advertisements on rras1. For our test lab, I’ve chosen the following network prefixes:

  • net1: fd1a:6cf8:7eeb:401::/64
  • net2: fd1a:6cf8:7eeb:402::/64

Here’s the overview:

  1. Configure RRAS1’s net1 and net2 interfaces to advertise as an ipv6 default gateway, and to forward.
  2. Publish the appropriate routes on rras1.

First, let’s configure general IPv6 routing. It’s actually pretty easy:

  1. Login to RRAS 1 and launch ‘Routing and Remote Access’.
  2. Right-click the host and choose ‘Properties’.
  3. Check the box on the general tab next to ‘IPv6 Router’ and click ‘OK’.

Next, let’s do some command-line magic on rras1 (works in powershell too).

#first, get the names and numbers of your interfaces
Get-NetAdapter

#We need to configure net1 and net2 to send RAs. This will cause all of your net1 and net2 hosts to see an IPv6 'default gateway'. The default gateway will be set to the link-local address of the rras1 interface that's on their respective link.
netsh interface ipv6 set interface [#-of-net1] advertise=enabled forwarding=enabled advertisedefaultroute=enabled
netsh interface ipv6 set interface [#-of-net2] advertise=enabled forwarding=enabled advertisedefaultroute=enabled

#Next, we need to instruct hosts to use the prefix we want. After this command, you will see a new IPv6 address on net1 and net2 hosts beginning with our prefix (use ipconfig to verify). Sometimes you need to disable and re-enable the adapter to see a host pick up its new address.
netsh interface ipv6 set route fd1a:6cf8:7eeb:401::/64 [#-of-net1] publish=yes
netsh interface ipv6 set route fd1a:6cf8:7eeb:402::/64 [#-of-net2] publish=yes

At this point, you should be able to ping client1’s IPv6 address from client2 and vice-versa. Congrats, you have enabled native IPv6 on the links net1 and net2.

Enabling ISATAP

The next blog post will cover configuring a new server named isatap1 as an ISATAP router, and using it to connect an IPv4 island like ‘net3’ to IPv6.

Learning ISATAP – Part 1 – Overview

IPv6 Transition technologies are pretty cool, now that I understand them. It took a _long_ time for me to wrap my head around ISATAP. Like everything else though, it’s a pretty simple concept once you understand what’s going on.

What Is ISATAP and why do I care?

When implementing IPv6, you will sometimes have routers or network links which don’t support IPv6. This can be a real problem when rolling out an IPv6-based service (say…DirectAccess). This is where IPv6 transition technologies come into play. They try to bridge these ‘gaps’ in your IPv6 roll-out.

There are three major IPv6 Transition Technologies:

  1. 6to4 – works with public IPv4 addresses.
  2. ISATAP – works with private IPv4 addresses.
  3. Teredo – works when both hosts are behind their own separate NAT.

OK, but what does it like…do?

On a high level, enabling ISATAP on a system gives the system a virtual interface with an IPv6 address. When an application on the system tries to send an IPv6 packet, the networking stack sends the packet to the ISATAP virtual interface. The ISATAP virtual interface then wraps the outgoing IPv6 packet in IPv4 headers, and sends it out via the ‘real’ IPv4 interface.

Similarly, if the system receives an IPv4 packet that looks like it has an IPv6 packet wrapped inside, the ‘real’ IPv4 interface on the system unpacks the IPv6 packet and forwards it to the ISATAP virtual interface. The ISATAP virtual interface then processes the IPv6 packet normally, and sends it on to any listening applications.

Sounds a bit complicated, right? But it lets your IPv4-only hosts communicate over IPv6.

OK, but I’m still not sure how it works…

Here’s some background on the magic of ISATAP.

Addressing

ISATAP gives your systems an address that looks like the following:

(IPv6 Site Prefix) + 0:5efe: + (System IPv4 Address)

Here’s an example ISATAP IPv6 address: fd1a:6cf8:7eeb:400:0:5efe:10.10.10.2.

You might also see the last 32 bits in hex format: fd1a:6cf8:7eeb:400:0:5efe:a0a:a02.

Now you might be asking, where do we get that “IPv6 Site Prefix”? Great question. You can either make one that’s ‘site-local’ (like private ipv4 address space), or you can request one from your ISP.

There’s a really important subtlety here to understand. An ISATAP implementation in an organization is designed to take your entire IPv4 network and make it one big IPv6 logical link. You don’t “subnet” ISATAP networks. By convention, all of your IPv4 address space becomes one large IPv6 subnet as far as ISATAP is concerned. This isn’t a big deal for two reasons. First, ISATAP doesn’t support multicast. Second, all of your IPv4 firewall and routing rules still apply, since ISATAP is 100% dependent on IPv4. If you are sitting on a workstation named ‘ClientA’ and you are prevented from pinging a host named “ClientB” at its IPv4 address, you will also be prevented from pinging ClientB at its ISATAP address.

The cool part of this is that, once configured, ISATAP host-to-host communication is not directly dependent on an ISATAP router.

You’ll notice that the last 32 bits of an ISATAP address represent the actual IPv4 address of your ISATAP host. This is how all of the ISATAP adapters across your organization will function. The key part to understand is that the prefix for your entire organization is going to be the same for all ISATAP addresses.
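As an added example (not part of the original post): building an ISATAP address from a site prefix and an IPv4 address exactly as described above, and the reverse, recovering the embedded IPv4 address from an ISATAP address, which is what you need when an ISATAP address shows up in a log and you want to know which IPv4 host (and which IPv4 firewall rules) is behind it. It uses Python's standard ipaddress module and this series' lab values; the 200:5efe form for global IPv4 addresses comes from RFC 5214, not from this post, and the function names are mine.

```python
import ipaddress

# Interface identifiers from RFC 5214. The post shows the 0:5efe form, which is
# the one used when the embedded IPv4 address is private (RFC 1918); RFC 5214
# uses 200:5efe when the embedded IPv4 address is global. Both are accepted below.
IID_PRIVATE = 0x00005EFE
IID_GLOBAL = 0x02005EFE
MASK32 = 0xFFFFFFFF


def isatap_address(site_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """(IPv6 site prefix) + 0:5efe: + (IPv4 address), with the site prefix a /64."""
    net = ipaddress.IPv6Network(site_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP site prefix must be a /64")
    v4 = ipaddress.IPv4Address(ipv4)
    iid = IID_GLOBAL if v4.is_global else IID_PRIVATE
    # bits 127..64: site prefix, bits 63..32: 0:5efe, bits 31..0: the IPv4 address
    return ipaddress.IPv6Address(int(net.network_address) | (iid << 32) | int(v4))


def embedded_ipv4(addr: str):
    """If addr is an ISATAP address, return (site prefix /64, embedded IPv4); else None.

    This is the reverse mapping: given an ISATAP address seen in a log or packet
    capture, which IPv4 host is behind it.
    """
    v6 = int(ipaddress.IPv6Address(addr))
    if ((v6 >> 32) & MASK32) not in (IID_PRIVATE, IID_GLOBAL):
        return None
    prefix = ipaddress.IPv6Network(((v6 >> 64) << 64, 64))
    return prefix, ipaddress.IPv4Address(v6 & MASK32)


def isatap_dotted_form(addr: str) -> str:
    """Render an ISATAP address with its last 32 bits as dotted decimal, e.g.
    fd1a:6cf8:7eeb:400:0:5efe:a0a:a02 -> fd1a:6cf8:7eeb:400:0:5efe:10.10.10.2."""
    parsed = embedded_ipv4(addr)
    if parsed is None:
        raise ValueError(f"{addr} is not an ISATAP address")
    prefix, v4 = parsed
    groups = prefix.network_address.exploded.split(":")[:4]
    prefix_text = ":".join(g.lstrip("0") or "0" for g in groups)
    iid = (int(ipaddress.IPv6Address(addr)) >> 32) & MASK32
    iid_text = "200:5efe" if iid == IID_GLOBAL else "0:5efe"
    return f"{prefix_text}:{iid_text}:{v4}"


if __name__ == "__main__":
    # Lab values from this series: fd1a:6cf8:7eeb:500::/64 is the ISATAP prefix
    # chosen in part 3; 10.30.30.50 is a constructed client3 lease on net3.
    a = isatap_address("fd1a:6cf8:7eeb:500::/64", "10.30.30.50")
    print(a, "->", isatap_dotted_form(str(a)), embedded_ipv4(str(a)))
```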

ISATAP Routing

You might be asking: if ISATAP communication between hosts doesn’t need an ISATAP router, what is an ISATAP router used for? Two things:

  1. Publishing a prefix for ISATAP IPv6 auto-addressing.
  2. Routing from an ISATAP network to native IPv6 networks.

Finding the Router

When a host auto-configures its ISATAP address, it first contacts the ISATAP router to learn its prefix. Normally, a native IPv6 interface does this by listening for Router Advertisements, or by sending out an ICMPv6 ‘Router Solicitation’ packet. Since the IPv4 routers won’t be sending out RAs, and ISATAP doesn’t support broadcasts, we need another way to find the ISATAP router. Windows uses DNS to accomplish this.

Here’s the process:

  1. A windows host comes online.
  2. It tries to look up the address ISATAP.[dns-suffix].
  3. If a lookup succeeds, the ISATAP router is contacted and the interface is configured. Otherwise, the ISATAP virtual interface is set to ‘Media Disconnected’.

ISATAP-to-Native Communication

When an ISATAP host wants to communicate with another host on the ISATAP logical link, the IPv4 infrastructure handles everything. However, when an ISATAP host wants to communicate with a native IPv6 host, it needs to contact the ISATAP router. The ISATAP router takes the wrapped IPv4 packet, extracts the IPv6 packet, then sends the packet through its native IPv6 interface (and vice-versa).

In my next post, I’ll cover configuring a semi-complex IPv4 network. In my third post, we’ll enable ISATAP routing together.

Getting Started with IPv6

It took me a -long- time to wrap my head around IPv6. It wasn’t for lack of trying — a lot of the documentation is difficult. Here’s my quick IPv6 primer:

Address Types

There are a few types of addresses; you’ll have to memorize them.

  • Link-Local – Starts with “fe80”
    • This is equivalent to IPv4’s 169.254 range.
    • It’s auto-generated per interface, based off of the MAC address.
    • Computers connected to the same network segment can communicate via link-local addresses. A ‘Neighbor Discovery’ service helps nodes find each other locally.
    • Unlike IPv4, this address is mandatory (every IPv6 interface has one).
  • Site-Local – Starts with “fc00” or “fd00”
    • This is equivalent to IPv4’s private address ranges (10.0.0.0, 192.168.0.0, and 172.16.0.0).
    • Internet routers will refuse to route these addresses by convention.
  • Global-Unique
    • This is the equivalent of globally unique IPv4 addresses.

You’ll also hear about ‘Anycast’ addresses. These aren’t a big deal. An anycast address is just a regular address, but by convention it’s allowed to be assigned to multiple servers. When a client sends to that address, the routers along the path deliver the packets to the nearest server that has it.

As an example, say your network spans the globe. You want to configure a bunch of DNS servers. You might give all of your DNS servers the same ‘anycast’ address, and configure your routers around the world such that when a client requests that anycast address, the router sends the packets to the closest DNS server.

Subnetting

Subnetting IPv6 is pretty similar to subnetting IPv4, except that you have to wrap your head around hex. Let’s go through some examples:

Turning slash notation into an IPv6 range.

Here are the steps:

  1. Write the IPv6 address out in binary.
  2. Write a line of “one” characters corresponding with the IPv6 slash number.
  3. Find the starting address by performing an ‘and’ operation between the binary IPv6 address and the line of “ones”.
  4. Find the ending address by performing an ‘or’ operation between the binary IPv6 address and the inverse of the line of “ones”.

Example time!

What’s the starting and ending address for fd54:4f72:cfcb::/48?

Step 1

Write the address out in binary. Each character of the IPv6 address requires 4 bits.

Here’s a handy hex to binary chart:

0 = 0000
1 = 0001
2 = 0010
3 = 0011
4 = 0100
5 = 0101
6 = 0110
7 = 0111
8 = 1000
9 = 1001
10 (a) = 1010
11 (b) = 1011
12 (c) = 1100
13 (d) = 1101
14 (e) = 1110
15 (f) = 1111

fd54 = 1111,1101,0101,0100
4f72 = 0100,1111,0111,0010
cfcb = 1100,1111,1100,1011
so, the binary representation is:
1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

Step 2
Write out the binary prefix underneath the binary network address. In our case, this will be 48 “ones”.
1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000
1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

Step 3
Perform an ‘And’ operation to find the starting address
1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

AND

1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

Result:
1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

Convert to hex:
Our starting address is: fd54:4f72:cfcb::

Step 4
Perform an ‘Or’ operation on the binary address and inverse of the prefix.

1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

OR

0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111

Results:

1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111

Convert to hex:
Our ending address is fd54:4f72:cfcb:ffff:ffff:ffff:ffff:ffff

Your First IPv6 Network

Let’s pretend we’re setting up a simple IPv6 network. What could our addresses look like? Let’s assume that your ISP gave you fd54:4f72:cfcb::/48. We want to subnet that into a /64 for our first network. How do we do that?

To be simple, let’s configure the default gateway of our first subnet as fd54:4f72:cfcb::1.

Let’s find our ending address.

Binary Network Address:

1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000

OR (inverse of /64 prefix)

0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111

Results:

1111 1101 0101 0100 : 0100 1111 0111 0010 : 1100 1111 1100 1011 : 0000 0000 0000 0000 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111 : 1111 1111 1111 1111

Convert to hex:
Our ending address is fd54:4f72:cfcb:0000:ffff:ffff:ffff:ffff.

So, for our first /64, we can use the range fd54:4f72:cfcb:: through fd54:4f72:cfcb:0000:ffff:ffff:ffff:ffff for clients. Don’t forget that we’re already using fd54:4f72:cfcb::1 for the gateway though.
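The four subnetting steps above and both worked calculations (the /48 range and the /64 carved from it), as an added Python example that is not part of the original post. The AND/OR is done by hand on 128-bit integers and cross-checked against the standard ipaddress module; the binary rows are printed in the same layout the post uses. The function names (`prefix_mask`, `binary_row`, `ipv6_range`, `in_range`, `carve`) are mine.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def prefix_mask(bits: int) -> int:
    """Step 2: a row of `bits` ones followed by zeros, as a 128-bit integer."""
    if not 0 <= bits <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return (ALL_ONES << (128 - bits)) & ALL_ONES


def binary_row(value: int) -> str:
    """Step 1: write a 128-bit value the way the post does: 4-bit groups separated
    by spaces and 16-bit groups separated by ' : '."""
    bits = f"{value:0128b}"
    nibbles = [bits[i:i + 4] for i in range(0, 128, 4)]
    hextets = [" ".join(nibbles[i:i + 4]) for i in range(0, 32, 4)]
    return " : ".join(hextets)


def ipv6_range(cidr: str):
    """Steps 3 and 4: (first, last) address of cidr. first = address AND mask,
    last = address OR (inverse of mask). Cross-checked against ipaddress."""
    addr_text, _, bits_text = cidr.partition("/")
    addr = int(ipaddress.IPv6Address(addr_text))
    mask = prefix_mask(int(bits_text))
    first = ipaddress.IPv6Address(addr & mask)
    last = ipaddress.IPv6Address(addr | (~mask & ALL_ONES))
    net = ipaddress.IPv6Network(cidr, strict=False)
    assert (first, last) == (net.network_address, net.broadcast_address)
    return first, last


def in_range(addr: str, cidr: str) -> bool:
    """Is addr inside cidr? E.g. the gateway ::1 must fall inside the first /64."""
    first, last = ipv6_range(cidr)
    return first <= ipaddress.IPv6Address(addr) <= last


def carve(cidr: str, new_prefix: int, count: int):
    """The first `count` /new_prefix subnets of cidr, e.g. the /64s inside a /48."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        if len(result) == count:
            break
        result.append(str(sub))
    return result


if __name__ == "__main__":
    # The post's /48 and the first /64 inside it.
    for cidr in ("fd54:4f72:cfcb::/48", "fd54:4f72:cfcb::/64"):
        first, last = ipv6_range(cidr)
        print(cidr)
        print("  address:", binary_row(int(first)))
        print("  mask   :", binary_row(prefix_mask(int(cidr.split("/")[1]))))
        print("  range  :", first, "to", last.exploded)
    print(carve("fd54:4f72:cfcb::/48", 64, 3))
    print(in_range("fd54:4f72:cfcb::1", "fd54:4f72:cfcb::/64"))
```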

Here’s an example:

Router Interfaces:
eth0 (internet uplink to ISP) <Upstream IP address assigned by ISP>
eth1 (our first /64 network) fd54:4f72:cfcb::1

Client Interfaces (made these up):
adds1.testnet.local – fd54:4f72:cfcb::2
fileserver1.testnet.local – fd54:4f72:cfcb::3
win8-desktop.testnet.local – fd54:4f72:cfcb::4

Hopefully that gets you started. I’ll talk about transition technologies next. Here’s a cool page to help you generate site-local addresses to play with.

Unique Local IPv6 Generator