IPv6 and Comcast

I’ve been a happy Comcast Internet customer for a while, now. I have the 100Mb package. It screams.

The one thing I’ve not been the biggest fan of is, of course, their default CPE. It’s a Technicolor something or other that has a modem, a firewall, a router, a wireless access point, and probably something that makes your clothing smell laundry fresh all week long. In other words, too many things to do any of them terribly well.

You can take care of most of their issues by turning off the wireless and setting the thing into “Bridge Mode”. This turns it back into being just a cable modem, which it is passably good at. This of course requires that you have a router, wireless AP, and firewall of your own to connect the thing to, but of course you have those.

One of the cool things about taking the thing into bridge mode is that Comcast’s network is IPv6 enabled. Since I work for Cisco, I have a real Cisco router to play with, not a consumer grade plastic box thing. Here’s how to get it going for yourself.

First things first, of course – get everything working with IPv4. Then you can work on the IPv6 stuff and still be able to get to the Internet to research and troubleshoot.

Next, it’s time to get things going on IPv6. First off, enter these into global config mode:

ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef

Turn on routing, turn on multicast, and turn on CEF which is generally a good thing.

Then, on your WAN interface:

interface GigabitEthernet0/0
 ipv6 address dhcp rapid-commit
 ipv6 enable
 ipv6 nd autoconfig prefix
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd comcast-ipv6 rapid-commit
 ipv6 traffic-filter v6inbound in
 ipv6 traffic-filter v6outbound out

IPv6 enable turns IPv6 on at the interface level. This immediately makes the router generate a link-local address (FE80:: subnet).

IPv6 address dhcp rapid-commit tells the router to use DHCPv6 to get an address for the interface itself.

IPv6 nd autoconfig prefix tells the router to ask for a prefix via IPv6 router advertisements; the next line tells it to ask for a default route as well.

Next is some of the cool magic of IPv6. This tells the router to request an IPv6 subnet via DHCPv6 prefix delegation and give it the name “comcast-ipv6”. We will be using this again in a bit.

Finally, ACLs for the interface, because that is the bare minimum amount of security you should feel OK about having in place.

Now on your LAN interface:

interface GigabitEthernet0/1
 ipv6 address comcast-ipv6 ::/64 eui-64
 ipv6 enable

How easy is that? No NAT, no foolishness. This tells the router to use that named IPv6 subnet we requested from the ISP (the ::/64 selects the first /64 out of the delegated prefix), use one of those addresses for itself, and hand out the rest of them via SLAAC to our clients.
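To make the addressing concrete, here is an added worked example (not code from the post; the router itself does all of this for you). It derives the link-local address that “ipv6 enable” creates, the EUI-64 address the router takes on the LAN /64, and, going one step past the post’s single /64 toward the /60 mentioned at the end, the list of /64s a delegated prefix yields, one per VLAN. The delegated prefix (from the 2001:db8::/32 documentation range) and the MAC address are constructed values, not anything Comcast actually hands out.

```python
import ipaddress
import json


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    split the MAC in the middle, insert FF:FE, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address an EUI-64 host (or the router itself) forms inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80:: address 'ipv6 enable' generates on an interface."""
    return slaac_address("fe80::/64", mac)


def split_delegation(delegated: str):
    """Every /64 available inside a delegated prefix (a /60 gives 16 of them)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation must be /64 or shorter to carve /64 LANs from it")
    return list(net.subnets(new_prefix=64))


def lan_plan(delegated: str, mac: str) -> dict:
    """Summarise what the LAN side ends up with: link-local, the candidate /64s,
    and the router's own EUI-64 address on the first of them (the ::/64 case)."""
    subnets = split_delegation(delegated)
    return {
        "link_local": str(link_local_address(mac)),
        "subnets": [str(s) for s in subnets],
        "router_on_first_subnet": str(slaac_address(str(subnets[0]), mac)),
    }


if __name__ == "__main__":
    # Constructed sample input: a documentation-range /60 and a made-up MAC.
    print(json.dumps(lan_plan("2001:db8:abcd:10::/60", "00:1a:2b:3c:4d:5e"), indent=2))
```

One thing the calculation makes visible: an EUI-64 address embeds the interface’s MAC address, so a host’s hardware identity travels with it across every IPv6 site it visits. That is fine for a router, but client operating systems typically use RFC 4941 temporary addresses alongside the EUI-64 one for exactly that reason.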

Finally, of course, those ACLs:

ipv6 access-list v6inbound
 evaluate v6reflect
 permit udp any any eq 546
 permit tcp any any established
 permit udp any eq ntp any eq ntp
 permit udp any eq domain any
 permit icmp any any
 deny ipv6 any any
!
ipv6 access-list v6outbound
 permit icmp any any
 permit ipv6 any any reflect v6reflect

Simple stuff: set up reflexive ACLs (traffic permitted outbound by the “reflect” line creates temporary entries, and the “evaluate” line at the top of the inbound list admits the matching return traffic), allow in a few things unsolicited, and deny everything else.

That’s it. You are now on the IPv6 Internet.

As an advanced topic, I have mine set up to request a /60 rather than a /64 and split that up across multiple VLANs internally. Ask for that in a comment and I’ll write it up.

XBox 360 Controllers on the Mac, Part 2

I was approved by Apple to sign kexts. Which means I can make device drivers. So yay for that.

Github project for the updated drivers: https://github.com/sluzynsk/360Controller

As of right now, it builds correctly and works with a wired controller. That is all I have tested so far. I cannot distribute it until 10.10 goes gold, as I cannot distribute product built with a beta Xcode release. So watch this space for an update.

In the meantime, if you have the ability and desire to help out on the project I’m more than willing to accept patches.

XBox 360 Controllers on the Mac

You really can’t beat the Xbox controller for gaming. FPS PC gamers, yes, I know, you can kill me dead with your keyboard and mouse. You could do so anyway, I suck at FPS games.

Anyway.

So the definitive way to get an Xbox controller to work on the Mac has been, for quite some time, a GPL’ed OSS driver from http://tattiebogle.net. It works with Steam Big Picture Mode, and works with the couple of games I have that actually support controllers.

The bad news is that as of OS X Yosemite 10.10, kexts (device drivers in this case) must be signed by a developer ID with kext signing permissions in order to be loaded. Said driver is not signed, hasn’t been updated in over a year, and therefore is not workable under OS X Yosemite.

I have attempted to contact the author with no response. Since it’s open source, and since he looks to have abandoned it, I’ve decided to fork the driver, update it for 10.10, sign it, and distribute it. I am currently awaiting the upgrade of my developer ID to include kext signing permissions; once I get that then I will get a repo set up and get my changes uploaded. I won’t be able to distribute it until 10.10 releases but that’s not far off at this point anyway and there is substantial work to be done to get it ready for release.

Comments welcome. I’ll dedicate a page here as well once I’m ready to go.

Cisco ISE + Meraki, part 2

It works!

Specifically, I now have ISE authenticating users for my Meraki AP. Given membership in the appropriate AD group, ISE pushes an “Airespace-ACL-Name” that matches a group policy on the Meraki side. That group policy changes the user’s VLAN to one with WCCP redirect to a Cisco vWSA, and boom, web filtering!

I’ll post pics of the configuration at some point. Said point will likely happen sooner upon request; otherwise just know that it’s possible and I’ll put details up as soon as I can.

Studying for the CCIE

After taking that practice test, I realized that I need some study on a bunch of the RF parts of wireless. I can make it go, no problem, but can I tell you what a beacon frame contains? Apparently not.

I went to Barnes & Noble and was disappointed to find that their computer book section is now a shelf (not an aisle, a shelf), and it contains mostly Photoshop books. I really wanted to flip through one before I bought it; surfing on Amazon just isn’t the same.

So no book.

I talked to a friend that is also working on his and we are going to share lab equipment, at least. So that’s some progress.