IPv6 Intelligence – MrLooquer

Please, allow us to introduce MrLooquer -> https://www.mrlooquer.com

 

MrLooquer combines open source intelligence techniques with heuristic and data mining to perform one of the first attempts to create a real map about IPv6 deployment and its relationship with current networks and protocols.

 

MrLooquer is born as an open initiative with Creative Commons license focused on:

– Data discovery

– Visual intelligence

– Relationship

 

Our main goal is to provide a useful tool for security analysts around the world. MrLooquer allows users to make advanced queries through our big data infrastructure to obtain datasets with relationships between domains, IPv4, IPv6, service information, geolocation, etc…

 

We’ve released the first version recently. It’s just the bread and butter… We are developing a roadmap that includes, among other things, a threat indicator based on relationships and patterns.

 

Please, feel free to start using it and we would be thankful for any type of feedback.

 

Best regards,

MrLooquer team.

 

Web: https://www.mrlooquer.com

Twitter: https://twitter.com/mrlooquer

Blog: http://blog.mrlooquer.com/

IPv6 HSRP Config

Interface vlan777

ipv6 enable

 

 

Otherwise, the config looks spot on

 

Our config looks like:

 

interface Vlan110

standby version 2

standby 110 ipv6 FE80::1

standby 110 timers 1 3

standby 110 priority 110

standby 110 preempt delay minimum 180

standby 110 authentication xxxx

ipv6 address dead:beef:1::FFFE/64

ipv6 enable

ipv6 nd other-config-flag

ipv6 nd router-preference High

ipv6 pim dr-priority 4294967295

ipv6 dhcp relay destination dead:beef:0::1

ipv6 dhcp relay destination dead:beef:0::2

NAT DS-Lite

Ended up with the following for DSL customers using DS-Lite:

 

block size 512

max blocks per user 16

block timeout 120

address-sharing-ratio 8:1

 

avg usage is 34 ports per block and 1,3 blocks per address, but the top 1% are at least x10.

 

Some years ago we had started with more relaxed numbers (to be on the safe side), but last year we squeezed them a little. No complaints until now.

 

Mon Feb 29 14:25:16.812 CST

Building configuration…

!! IOS XR Configuration 5.3.1

service cgn cgn1

service-location preferred-active 0/3/CPU0

service-type nat44 nat1

portlimit 5000

alg ActiveFTP

inside-vrf six

!

!

!

end

 

RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc ?

size  Bulk size for allocation.

Should be greater or equal to one fourth of the port limit

and less than twice the port limit.

For optimum results, should be close to half the port limit

RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc size ?

none  No bulk allocation

8     Allocate 8 ports in bulk

16    Allocate 16 ports in bulk

32    Allocate 32 ports in bulk

64    Allocate 64 ports in bulk

128   Allocate 128 ports in bulk

256   Allocate 256 ports in bulk

512   Allocate 512 ports in bulk

1024  Allocate 1024 ports in bulk

2048  Allocate 2048 ports in bulk

4096  Allocate 4096 ports in bulk
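
The sizing rules from the bulk-port-alloc help text and the DS-Lite block numbers quoted above, worked through in Python as an added example (not part of the original posts). It assumes that an 8:1 sharing ratio means eight subscribers per public address and that ports 1024-65535 are usable; the function names are illustrative.

```python
# Added example: sanity checks for CGN port-allocation settings.
# The size list and the 1/4, 2x and 1/2 rules come from the IOS XR help text.
BULK_SIZES = [8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096]


def valid_bulk_sizes(port_limit):
    """Sizes with port_limit/4 <= size < 2*port_limit."""
    return [s for s in BULK_SIZES if port_limit <= 4 * s and s < 2 * port_limit]


def recommended_bulk_size(port_limit):
    """Valid size closest to half the port limit, or None if none is valid."""
    valid = valid_bulk_sizes(port_limit)
    if not valid:
        return None
    # Compare 2*size with port_limit to stay in integers.
    return min(valid, key=lambda s: abs(2 * s - port_limit))


def block_plan(block_size, max_blocks_per_user, sharing_ratio, usable_ports=64512):
    """Worst-case view of a port-block plan for one public address.

    usable_ports is an assumption (ports 1024-65535); adjust it to the
    range the NAT pool really uses.
    """
    blocks_per_address = usable_ports // block_size
    worst_case_blocks = sharing_ratio * max_blocks_per_user
    return {
        "max_ports_per_user": block_size * max_blocks_per_user,
        "blocks_per_address": blocks_per_address,
        "worst_case_blocks": worst_case_blocks,
        # True when every user hitting the cap would not fit on one address.
        "oversubscribed": worst_case_blocks > blocks_per_address,
    }


if __name__ == "__main__":
    # portlimit 5000 as in the IOS XR configuration quoted above
    print(valid_bulk_sizes(5000), recommended_bulk_size(5000))
    # block size 512, max 16 blocks per user, 8:1 sharing as in the DS-Lite post
    print(block_plan(512, 16, 8))
```

With the DS-Lite numbers the per-user cap slightly oversubscribes one address in the worst case, so the plan depends on typical usage staying well below the cap.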

IOS XR vrf export route-policy

vrf export route-policy doesn’t seem to directly deny prefixes from advertisement… but according to this one site you can indirectly deny prefixes… it seems that vrf export route-policy is mainly used to more granularly assign rt’s and add rt’s to rt’s (additive).

http://www.akbintel.com/mediawiki/index.php/VRF/Config#export_map

http://nagendrakumar-nagendra.blogspot.com/2011/09/mpls-vpn-vrf-export-map.html

Thought it was pretty clever to not put a route-target export x:x and then whichever prefixes are denied in the export route-policy will drop out of the route-map logic, and this will not be advertised since there isn’t a route-target export statement in the vrf.  Cool.

ASR1001 vs 1001-X PPP

Based on understanding, the CPU on 1001-X is more powerful and can handle more concurrent session establishments. It also has 2 10G interfaces which can come in handy. However, the queue-count is considerably lower in the 1001s which makes QoS difficult, depending on your policies. I would recommend a 1002-X if you are looking at ASR 1K.

 

Have a look at this document here for more details:

 

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html

Trunked VLANs over FTTC VDSL2

This is a live working 897 using QinQ over VDSL:

 

 

interface Ethernet0

no ip address

!

interface Ethernet0.400

encapsulation dot1Q 101 second-dot1q 400

ip vrf forwarding test

ip address 1.1.1.2 255.255.255.252

!

interface Ethernet0.401

encapsulation dot1Q 101 second-dot1q 401

ip vrf forwarding test-2

ip address 2.2.2.2 255.255.255.252

 

 

#show ver | i IOS

Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.5(3)M, RELEASE SOFTWARE (fc1)

 

#show ver | i C897

Cisco C897VA-K9

 

#show license

Index 1 Feature: advipservices

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

 

 

#show controllers VDSL 0 | i VDSL

Controller VDSL 0 is UP

Trained Mode:   G.993.2 (VDSL2) Profile 17a
