IPv6 Design and Transition Mechanisms BRKSPG-2067
1 IPv6 Design and Transition Mechanisms BRKSPG-2067
2 World IPv6 Launch: "As the successor to the current Internet Protocol, IPv4, IPv6 is critical to the Internet's continued growth as a platform for innovation and economic development." 6th June 2012. Get involved.
BRKSPG-2067 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
3 The Prize
4 The Buddy: Throughout the presentation there will be 3 clues. Answers will only be accepted at the end of the presentation. First correct answer wins.
5 The Question: What is the length (on the wire) of a 1500 byte packet transmitted over Gigabit Ethernet? (diagram: first bit ... last bit, distance = ?)
6 Agenda
- Planning IPv6 Integration
- Deployment: Dual Stack, Tunnelling Techniques, MPLS Solutions, NAT Protocol Translation, Addressing
- Security: Shared Issues with IPv4, Unique Issues to IPv6, Enforcing Policy, Best Practices
- Summary
7 Planning IPv6 Integration
8 Integration or Migration? (diagram: application migration at the CE edge, integration across PE-P-P-PE, IPv4+IPv6 core)
- Some applications at the edge will MIGRATE to IPv6
- Network infrastructures will INTEGRATE IPv6
- IPv4 will be around for a very long time
- Networks will support both protocols
- Many hardware components will be dual-stack capable (IPv4+IPv6)
- IPv6 is a gradual and controlled process of INTEGRATION
9 Planning Steps
1. Evaluate effect on business model
2. Establish project team
3. Assess network hardware and software readiness
4. Establish training strategy
5. Obtain IPv6 prefixes
6. Decide architectural solution
7. Test application software and services
8. Develop procurement plan
9. Develop exception strategy
10. Develop security policy
10 Planning IPv6 Integration (1)
- Evaluate the effect on the business operation/model: new applications, opportunities, threats/issues. To maximise the ROI effect, minimise disruption. Do you need to do it? (Most likely!)
- Establish a project management team: help from partners (Cisco, Microsoft, SIs); a Project Management Office; establish goals, critical path and timelines.
- Network hardware and software assessment: check Cisco and 3rd party hardware for the correct memory and software; use the Cisco Network Assessor Tool; ensure any new hardware/software is IPv6 compliant/capable; establish an upgrade plan.
11 Planning IPv6 Integration (2)
- Create a training strategy and plan: operations staff need to know how to manage IPv6; design architects must understand IPv6 capabilities; security architects must understand the risks and their mitigation.
- Obtain an IPv6 prefix: can be Provider Assigned (PA) or Provider Independent (PI).
- Decide on the architectural solution: native IPv6, dual stack, tunnels (IPv6 over IPv4), 6PE, 6VPE.
- Develop an addressing plan: how will the addresses be distributed to customers?
12 Planning IPv6 Integration (3)
- Test/identify application software and services: establish a lab for testing applications and services; check NMS and billing systems; test interoperability.
- Develop a security policy: IPv6 has the same security threats as IPv4, plus the threats that may arise during transition; protect against both.
- Develop a procurement plan: all future hardware, software and applications should be IPv6 compliant.
- Develop an exception strategy: identify components that will remain on IPv4. Could be for many reasons: technical, business or cost.
13 Deployment
14 Deployment Options
- Dual Stack (in devices/hosts and networks): IPv4 and IPv6 operate in tandem over shared or dedicated links; applications must be dual-stack aware.
- Tunnelling: IPv6 over IPv4 or MPLS; IPv6 is confined to the edge of the IPv4/MPLS core.
- IPv6 Only: IPv6 is the only protocol operating in the network.
- Protocol Translation (BEHAVE IETF Working Group): allows IPv6-only devices to communicate with IPv4-only devices.
15 Where do I start? Based on timeframe/use case:
- Campus block
- Core-to-Edge: fewer things to touch
- Edge-to-Core: challenging but doable
- Internet Edge: business continuity
(diagram: DC Access, DC Aggregation, DC/Campus Core, Internet Edge, ISP, WAN, Servers, Branch)
16 Dual Stack Technique
17 IPv6 using a Dual Stack Backbone (diagram: dual-stack application, edge and core, CE-PE-P-P-PE-CE, IPv4/IPv6 core, IPv6-configured interfaces)
- All P and PE routers are capable of IPv4 and IPv6 and support both
- Two IGPs, supporting IPv4 and IPv6
- Memory considerations for larger routing tables
- Native multicast support
- Some or all interfaces in the cloud are dual configured
- All traffic routed in the global space
- Good for content distribution and global services (Internet)
18 Dual Stack Configuration: The Basics (interface Ethernet0/0 on the CE)

  ipv6 unicast-routing
  ipv6 cef
  !
  interface Ethernet0/0
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:213:1::1/64
  !
19 Dual Stack Configuration: More Realistic (CE with Ethernet0/0 towards the LAN and Serial1/0, Serial2/0 towards two PEs; OSPFv3 on the LAN, dual-stack BGP to the PEs)

  !
  interface Ethernet0/0
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:213:1::1/64
   ospfv3 1 ipv6 area 0
  !
  interface Serial1/0
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:ffff:1::1/64
  !
  interface Serial2/0
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:ffff:2::1/64
  !
  router ospfv3 1
   address-family ipv6 unicast
   exit-address-family
  !
  router bgp <asn>
   address-family ipv4
    neighbor <pe1-ipv4> activate
    neighbor <pe2-ipv4> activate
   !
   address-family ipv6
    neighbor 2001:db8:ffff:1::2 activate
    neighbor 2001:db8:ffff:2::2 activate
  ...
20 Application Dual Stack Approach (diagram: one application over both TCP/UDP stacks; Ethernet frame protocol ID 0x0800 for IPv4, 0x86dd for IPv6)
- Dual stack in a device means both the IPv4 and IPv6 stacks are enabled
- Applications can talk to both
- The choice of IP version is based on DNS and application preference
- Dual stack at the edge does not necessarily mean a dual stack backbone
21 Dual Stack Approach and DNS (DNS server holds: www IN A <ipv4-address>; www IN AAAA 2001:db8:1::1)
In a dual stack network an application that is IPv4- and IPv6-enabled:
- Can query the DNS for IPv4 (A) and/or IPv6 (AAAA) records
- The transport used for the lookup is not related to the resource record requested, e.g. it can use IPv4 transport to ask for AAAA records
- Chooses one address and, for example, connects to the IPv6 address 2001:db8:1::1
22 DNS query in IOS (Router A queries the DNS server B: Query TYPE=AAAA, Resp=2001:db8:1::1 Type=AAAA, or Resp=NONE; Query TYPE=A, Resp=<ipv4-address> Type=A)
- The IOS DNS resolver picks the AAAA record first
- The IP stacks on Windows XP, W7, Linux, FreeBSD, MacOS etc. also pick the IPv6 address before the IPv4 address if both exist
23 DNS Query on Windows 7 (Dual Stack); packet captures, times in msecs between packets
Domain name with an IPv6 address only (ipv6.google.com):
- Initial query over IPv4 for the A record: DNS Standard query A ipv6.google.com
- DNS response refers to an alias/canonical name: CNAME ipv6.l.google.com (no A record)
- The host immediately sends a request for the AAAA record of the original FQDN: DNS Standard query AAAA ipv6.google.com
- The IPv6 address of the canonical name is returned: CNAME ipv6.l.google.com, AAAA 2404:6800:8004::68
Domain name with both addresses:
- Initial query over IPv4 for the A record; the IPv4 address is returned
- The host immediately sends a request for the AAAA record; the IPv6 address of the FQDN is returned: AAAA 2001:dc0:2001:11::211
- The host prefers the IPv6 address (configurable): ICMPv6 Echo request from 2001:420:1:fff::2 to 2001:dc0:2001:11::211, ICMPv6 Echo reply back
24 Tunnelling Techniques
25 Clue 1: The speed of light is 299,792,458 m/s, though data transmission is ~2/3 the speed of light. So let's say 200,000,000 m/s.
26 Using Tunnels for IPv6 Deployment
- Tunnelling encapsulates an IPv6 packet into an IPv4 packet: host to router, router to router, router to host, or host to host
- Manually configured tunnels: Manual Tunnel (RFC 2893); IPv6 over GRE (RFC 2473)
- Semi-automated tunnels: Tunnel broker (RFC 3053)
- Automatic tunnels: 6to4 (RFC 3056); ISATAP (RFC 5214); Dynamic Multipoint VPN; 6rd (RFC 5969); LISP (IETF Working Group and Internet Draft)
27 Tunnels Agenda
- Manual Tunnel (RFC 2893)
- IPv6 over GRE (RFC 2473)
- ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
- 6rd (IPv6 Rapid Deployment)
- LISP (Locator/ID Separation Protocol)
28 Manual Tunnel (RFC 2893) (diagram: IPv6 customer network 2001:db8:a:b::1/64, CE, IPv4 access network, PE-P-P-PE, manual tunnel to the dual-stack IPv6 provider network 2001:db8:a:b::2/64; header = IPv4 header directly followed by the IPv6 header)
- One of the first transition mechanisms developed for IPv6
- Static point-to-point tunnel, IP protocol type = 41, no additional header; NAT breaks it (the embedded endpoint addresses and the protocol-41 payload do not survive address translation)
- Terminates on dual-stack end points; the IPv4 end point address must be routable
- IPv6 prefix configured on the tunnel interface
- Difficult to scale and manage; for linking a few sites in a fixed long-term topology
- Use across an IPv4 access network to reach an IPv6 provider
29 Manual Tunnel Configuration (CE end, then PE end)

  interface tunnel 100
   ipv6 address 2001:db8:a:b::1/64
   tunnel source <ce-ipv4-address>
   tunnel destination <pe-ipv4-address>
   tunnel mode ipv6ip

  interface tunnel 100
   ipv6 address 2001:db8:a:b::2/64
   tunnel source <pe-ipv4-address>
   tunnel destination <ce-ipv4-address>
   tunnel mode ipv6ip

- Only supports routing protocols that use IP encapsulation
- IS-IS is itself a network layer protocol (not dependent upon IP), therefore it will not work over IP protocol type 41
30 Tunnels Agenda (repeat of slide 27; next section: IPv6 over GRE)
31 IPv6 over GRE Tunnel (diagram: IPv6 network, CE (e0/0) 2001:db8:a:b::1/64, IPv4 backbone PE-P-P-PE, GRE tunnel, CE (e0/0) 2001:db8:a:b::2/64; header = IPv4 header, GRE header, IPv6 header)
- Similar to the Manual Tunnel (RFC 2893), but can transport non-IP packets, hence can be used to support IS-IS across the tunnel
- The GRE header uses protocol type 0x86DD to identify the IPv6 payload
- Similar scale and management issues
- L2TPv3 is another tunnelling option
32 IPv6 over GRE Tunnel Configuration (both ends; the tunnel source is the e0/0 interface, the destination is the far end's IPv4 address)

  interface tunnel 100
   ipv6 address 2001:db8:a:b::1/64
   tunnel source e0/0
   tunnel destination <remote-ipv4-address>
   tunnel mode gre ip
   ipv6 router isis

  interface tunnel 100
   ipv6 address 2001:db8:a:b::2/64
   tunnel source e0/0
   tunnel destination <remote-ipv4-address>
   tunnel mode gre ip
   ipv6 router isis
33 Tunnels Agenda (repeat of slide 27; next section: ISATAP)
34 ISATAP Overview (RFC 5214): Intra-Site Automatic Tunnel Addressing Protocol
- Tunnel from a dual-stack HOST PC to an IPv6 gateway
- Operates within a single administrative domain; primarily for corporate and academic networks
- Creates a virtual IPv6 link over an IPv4 backbone; the IPv4 network is treated as an NBMA link layer
- Routers provide the ISATAP service; DNS may hold the potential router list (ISATAP gateways)
- Caveat: hosts find and use that DNS entry automatically, so whoever controls the name controls where hosts tunnel to. To control access, use static configuration.
- ISATAP does not currently support multicast
- NAT is not supported
35 ISATAP Address Format
- ISATAP hosts use a special IPv6 address format: the interface ID carries the IPv4 information
- Rightmost 32 bits of the interface ID contain the IPv4 host address; leftmost 32 bits contain 0000:5efe
- The global prefix is provided by the ISATAP router; the interface ID portion remains static for all packets
- Link-local addresses are used for the solicitation of the global address
- Layout: Unicast Prefix (link-local or global) | ISATAP ID 0000:5efe | IPv4 address of host, e.g. interface ID 0000:5efe:c0a8:0201
36 ISATAP prefix advertisement (diagram: dual-stack host in ISATAP mode on the IPv4 enterprise network, ISATAP tunnel across PE-P-P-PE to the ISATAP router 2001:db8:face:2::5efe:c0a8:0401 at the edge of the IPv6 network; packets carried in IPv4 with source/destination set to the host and router IPv4 addresses)
1. DNS query for the name "isatap"; reply with the ISATAP router's IPv4 address
2. Router Solicitation, encapsulated in IPv4: source fe80::5efe:c0a8:0201, destination fe80::5efe:c0a8:0401 (request: ISATAP prefix?)
3. Router Advertisement, encapsulated in IPv4: source fe80::5efe:c0a8:0401, destination fe80::5efe:c0a8:0201 (reply: 2001:db8:face:2::/64)
37 ISATAP Nodes Use 3 Addresses
ISATAP host: IPv4 address <host-ipv4>; link-local fe80::5efe:c0a8:0201; global 2001:db8:face:2::5efe:c0a8:0201
ISATAP router: IPv4 address <router-ipv4>; link-local fe80::5efe:c0a8:0401; global 2001:db8:face:2::5efe:c0a8:0401
38 ISATAP Configuration (Windows XP host and IOS ISATAP router)
Host:

  netsh interface ipv6 install
  netsh interface ipv6 isatap set router <isatap-router-ipv4>

- This PC configuration does not use DNS (the router is set statically)
- EUI-64 lets the router generate the interface ID portion of its own address
- Turn off RA suppression on the tunnel interface, otherwise hosts never learn the prefix

Router:

  interface Ethernet0
   ip address <ipv4-address> <mask>
  !
  interface Tunnel0
   ipv6 address 2001:db8:face:2::/64 eui-64
   no ipv6 nd suppress-ra
   tunnel source Ethernet0
   tunnel mode ipv6ip isatap
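The address arithmetic on slides 35 to 38 (interface ID 0000:5efe plus the IPv4 address, a link-local and a global address per node) as an added example; this is not code from the deck or from Cisco. The 0200:5efe form of the interface ID for globally unique IPv4 addresses is from RFC 5214 and not mentioned in the deck. The deck's IPv4 addresses were not shown; the values 192.168.2.1 and 192.168.4.1 are decoded from the interface IDs c0a8:0201 and c0a8:0401 on the slides. The last function is the decapsulation check an ISATAP router or host should apply, which the deck does not spell out:

```python
"""ISATAP address handling (RFC 5214), as on slides 35-38.

Added example; not code from the deck or from Cisco. Uses the deck's values:
prefix 2001:db8:face:2::/64 and interface IDs 0000:5efe:c0a8:0201 /
0000:5efe:c0a8:0401, which encode 192.168.2.1 (host) and 192.168.4.1
(ISATAP router).
"""
import ipaddress

# Upper 32 bits of an ISATAP interface ID: 0000:5efe when the embedded IPv4
# address is private, 0200:5efe (u/l bit set) when it is globally unique.
ISATAP_IID_PRIVATE = 0x00005EFE
ISATAP_IID_GLOBAL = 0x02005EFE


def isatap_iid(ipv4, globally_unique=False):
    """Return the 64-bit ISATAP interface identifier for an IPv4 endpoint."""
    top = ISATAP_IID_GLOBAL if globally_unique else ISATAP_IID_PRIVATE
    return (top << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix, ipv4, globally_unique=False):
    """Combine a /64 (fe80::/64 or the prefix the ISATAP router advertises)
    with the ISATAP interface ID; returns the address as a string."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed from a /64 prefix")
    value = int(net.network_address) | isatap_iid(ipv4, globally_unique)
    return str(ipaddress.IPv6Address(value))


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP address, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 32) not in (ISATAP_IID_PRIVATE, ISATAP_IID_GLOBAL):
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def isatap_node_addresses(prefix, ipv4):
    """The three addresses an ISATAP node uses (slide 37)."""
    return {
        "ipv4": ipv4,
        "link_local": isatap_address("fe80::/64", ipv4),
        "global": isatap_address(prefix, ipv4),
    }


def outer_header_matches(outer_ipv4_src, inner_ipv6_src):
    """Decapsulation check for a received protocol-41 packet: the IPv4 source
    of the outer header must equal the address embedded in the inner IPv6
    source. Anything else is a spoofed or mis-tunnelled packet and is dropped."""
    emb = embedded_ipv4(inner_ipv6_src)
    return emb is not None and (
        ipaddress.IPv4Address(emb) == ipaddress.IPv4Address(outer_ipv4_src))


if __name__ == "__main__":
    host = isatap_node_addresses("2001:db8:face:2::/64", "192.168.2.1")
    router = isatap_node_addresses("2001:db8:face:2::/64", "192.168.4.1")
    print("host  ", host)
    print("router", router)
    print("RS from", host["link_local"], "to", router["link_local"],
          "carried in IPv4 from", host["ipv4"], "to", router["ipv4"])
```

Running it prints the host's link-local fe80::5efe:c0a8:201 and global 2001:db8:face:2:0:5efe:c0a8:201, which is the pair the slide 37 table lists.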
39 Tunnels Agenda (repeat of slide 27; next section: 6rd)
40 IPv6 Rapid Deployment (6rd) Overview
- 6rd is a tunnelling method specified in RFC 5969, a superset of 6to4 tunnelling (RFC 3056)
- 6rd uses an SP's own IPv6 address prefix and avoids the well-known 6to4 prefix (2002::/16)
- A method of incrementally deploying IPv6 to end sites in an SP network: the SP access and aggregation infrastructure remains IPv4; the end site is provided a dual-stack service
- The access/aggregation network between the SP and the end sites looks like a multipoint IPv6 network
- End sites share a common IPv6 prefix allocated by the SP
- 6rd primarily supports IPv6 deployment to a customer site (residential gateway) or to an individual host acting as a CE
41 6rd Tunnels (RFC 5969) (diagram: 6rd end sites 2001:db8:0f01::/48 and 2001:db8:0d01::/48 with CEs, IPv4 access network PE-P-P-PE, 6rd tunnels between CPEs and from CPEs to the 6rd Border Relay, which connects to the IPv6 Internet; header = IPv4 header directly followed by the IPv6 header)
- Native dual-stack IP service to the end site
- Simple, stateless, automatic IPv6-in-IPv4 encapsulation and decapsulation functions
- The IPv4 address embedded in the IPv6 address must match the IPv4 address in the tunnel header; decapsulators check this, otherwise anyone on the IPv4 network could inject packets with a spoofed IPv6 source
- IPv6 traffic automatically follows IPv4 routing (the IPv4 address is used as the tunnel endpoint)
- BRs placed at the IPv4 edge, addressed via anycast for load balancing and resiliency
42 6rd Logical NBMA Behaviour (diagram: 6rd end site 2001:db8:0f01::/48, the IPv4 access network, a single multipoint tunnel interface towards 2001:db8:0f07 and 2001:db8:0d01, and the 6rd Border Relay towards the IPv6 Internet)
- 6rd views the IPv4 network as an NBMA link layer for IPv6
- The Border Relay serves a single multipoint interface: no per-user state, it serves all users in the 6rd domain
- 6rd Domain: all CEs use the same configured 6rd prefix (2001:db8::/32)
43 6rd Delegated Prefix
- Every customer site is assigned a 6rd delegated prefix
- The delegated prefix is created by combining the SP's 6rd prefix and all or part of the CE IPv4 address
- Not all 32 bits of the IPv4 address need be carried: a common prefix and suffix can be pre-configured on the router
IPv6 address layout (128 bits): 6rd Prefix (0-64 bits) | IPv4 fragment (0-32 bits) | Subnet (0-16 bits) | Interface ID; the 6rd Prefix plus the fragment form the Delegated Prefix.
IPv4 address layout (32 bits): Common Prefix (0-32 bits, pre-configured) | fragment (carried in the IPv6 address) | Common Suffix (0-32 bits, pre-configured; optional Cisco-specific implementation).
44 Destination Dynamically Computed: Example (diagram: 6rd end site 2001:db8:0f01::/48 with host 2001:db8:0f01::2 behind CE 2001:db8:0f01::1 (e0/1), IPv4 backbone PE-P-P-PE, 6rd tunnel, CE 2001:db8:0f07::1 (e0/1) in end site 2001:db8:0f07::/48 with server 2001:db8:0f07::2; the CEs' e0/0 interfaces hold the IPv4 tunnel endpoints)
6rd parameters: 6rd Prefix 2001:db8::/32; Common Prefix /16; Common Suffix 0/0 (Cisco specific)
Server address: 6rd Prefix (32 bits) 2001:0db8 | IPv4 fragment (16 bits) 0f07 | Subnet (16 bits) 0000 | Interface ID 0000:0000:0000:0002
6rd tunnel end point in the IPv4 network: Common Prefix (16 bits) followed by the 16 bits 0f07 taken from the IPv6 destination
Packet: IPv6 header src 2001:0db8:0f01::2, dst 2001:0db8:0f07::2, carried in an IPv4 header whose src and dst are the two CEs' computed tunnel endpoints
45 6rd CE Configuration (IOS) (same topology as slide 44)

  !
  ipv6 general-prefix 6rd-prefix 6rd Tunnel1
  ipv6 unicast-routing
  ipv6 cef
  !
  interface Tunnel1
   ipv6 enable
   tunnel source Ethernet0/0
   tunnel mode ipv6ip 6rd
   tunnel 6rd prefix 2001:db8::/32
   tunnel 6rd ipv4 prefix-len 16
   tunnel 6rd br <border-relay-ipv4>
  !
  interface Ethernet0/0
   description Shared infrastructure
   ip address <ipv4-address> <mask>
  !
  interface Ethernet1/0
   description End Site LAN
   ipv6 address 6rd-prefix ::1/64
  !
  ipv6 route 2001:db8::/32 Tunnel1
  ipv6 route ::/0 Tunnel1 2001:db8:1::

- "tunnel 6rd br" configures the Border Relay; the general prefix derives the LAN prefix from Tunnel1's 6rd parameters
- The last route is the default to the BR
46 Internet Access through the 6rd Border Relay (diagram: host 2001:db8:0f01::2 behind the CE, IPv4 backbone, 6rd tunnel to the closest BR; two 6rd Border Relays, each with an IPv4 /32 on lo0 and 2001:db8:1::/64 on e0/0, towards the IPv6 Internet 2000::/3)
CE forwarding decision:
1. Receive a packet at the CE from the LAN side
2. Extract the destination from the IPv6 header
3. Does the destination fall within 2001:db8::/32? Yes: the destination is another CE, tunnel to the IPv4 address extracted from the IPv6 destination. No: the destination is the BR, tunnel to the 6rd Border Relay address.
- The 6rd Border Relay allows access to the global IPv6 Internet
- Can use a pre-provisioned anycast address; the 6rd CE router then reaches the closest 6rd BR based on the IGP
- The default route to the Internet is usually pre-provisioned by the ISP
47 6rd Border Relay Configuration (IOS) (same topology as slide 46)

  !
  ipv6 unicast-routing
  ipv6 cef
  !
  interface Tunnel1
   ipv6 enable
   tunnel source Loopback0
   tunnel mode ipv6ip 6rd
   tunnel 6rd prefix 2001:db8::/32
   tunnel 6rd ipv4 prefix-len 16
  !
  interface Ethernet0/0
   description Internet
   ipv6 address 2001:db8:1::/64
  !
  interface Loopback0
   description Shared infrastructure
   ip address <ipv4-address> 255.255.255.255
  !
  ipv6 route 2001:db8::/32 Tunnel1
  ipv6 route ::/0 2001:db8:2::

- The static default towards the Internet can be replaced by a routing protocol
- The BR needs no "tunnel 6rd br" line: it is the relay, and the loopback /32 is the address the CEs tunnel to
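The 6rd mechanics of slides 41 to 47 as an added example, not code from the deck or from Cisco: derive the delegated prefix from the 6rd prefix and the CE's IPv4 address, take the CE's forwarding decision (other CE or Border Relay), parse an IPv4/protocol-41 packet and apply the embedded-address check that slide 41 calls out. The 6rd parameters are those of slide 44; the IPv4 common prefix 10.0.0.0/16 and the BR anycast address 10.0.255.254 are assumptions, since the deck's IPv4 values are not shown, and the packets are constructed inline:

```python
"""6rd (RFC 5969): delegated-prefix derivation, CE forwarding decision and the
decapsulation check, as on slides 41-47.

Added example; not code from the deck or from Cisco. Parameters are those of
slide 44: 6rd prefix 2001:db8::/32, IPv4 common prefix length 16, no common
suffix. The IPv4 common prefix 10.0.0.0/16 and the Border Relay anycast
address 10.0.255.254 are assumptions; the deck's IPv4 values are not shown.
"""
import ipaddress
import struct


class SixRdDomain:
    def __init__(self, rd_prefix, ipv4_prefix_len, ipv4_common_prefix, br_ipv4):
        self.rd = ipaddress.IPv6Network(rd_prefix)
        self.common = ipaddress.IPv4Network(ipv4_common_prefix)
        if self.common.prefixlen != ipv4_prefix_len:
            raise ValueError("common prefix must be exactly ipv4_prefix_len bits")
        self.br = ipaddress.IPv4Address(br_ipv4)
        self.frag_bits = 32 - ipv4_prefix_len          # IPv4 bits carried in IPv6
        self.delegated_len = self.rd.prefixlen + self.frag_bits
        self._shift = 128 - self.delegated_len

    def delegated_prefix(self, ce_ipv4):
        """6rd delegated prefix = 6rdPrefix || low (32 - prefix-len) bits of CE IPv4."""
        frag = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << self.frag_bits) - 1)
        net = int(self.rd.network_address) | (frag << self._shift)
        return str(ipaddress.IPv6Network((net, self.delegated_len)))

    def ipv4_from_ipv6(self, ipv6):
        """Reverse mapping: rebuild the CE IPv4 address from any IPv6 address in
        the 6rd domain (common prefix bits come from configuration)."""
        addr = ipaddress.IPv6Address(ipv6)
        if addr not in self.rd:
            return None
        frag = (int(addr) >> self._shift) & ((1 << self.frag_bits) - 1)
        return ipaddress.IPv4Address(int(self.common.network_address) | frag)

    def tunnel_destination(self, dst_ipv6):
        """CE forwarding decision (slide 46): inside the 6rd prefix -> tunnel
        directly to the other CE; otherwise -> tunnel to the Border Relay."""
        v4 = self.ipv4_from_ipv6(dst_ipv6)
        return str(v4 if v4 is not None else self.br)

    def accept_inbound(self, outer_ipv4_src, inner_ipv6_src):
        """Decapsulation check (slide 41, RFC 5969 section 9): for an IPv6
        source inside the 6rd domain the outer IPv4 source must equal the
        address embedded in it; anything else must have come from the BR."""
        outer = ipaddress.IPv4Address(outer_ipv4_src)
        inner = ipaddress.IPv6Address(inner_ipv6_src)
        if inner in self.rd:
            return self.ipv4_from_ipv6(inner) == outer
        return outer == self.br


def build_proto41(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: IPv4 header (protocol 41, no options) directly
    followed by an IPv6 header with no payload; no extra tunnel header."""
    v6 = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def decapsulate(domain, packet):
    """Parse an IPv4/protocol-41 packet and apply the 6rd check.
    Returns (inner_src, inner_dst) for an accepted packet, else None."""
    if packet[0] >> 4 != 4 or packet[9] != 41:
        return None
    ihl = (packet[0] & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    if not domain.accept_inbound(outer_src, inner_src):
        return None
    return str(inner_src), str(inner_dst)


if __name__ == "__main__":
    d = SixRdDomain("2001:db8::/32", 16, "10.0.0.0/16", "10.0.255.254")
    print("CE 10.0.15.7 gets", d.delegated_prefix("10.0.15.7"))
    print("to 2001:db8:f07::2 ->", d.tunnel_destination("2001:db8:f07::2"))
    print("to 3fff::1 (outside the domain) ->", d.tunnel_destination("3fff::1"))
    good = build_proto41("10.0.15.7", "10.0.15.1", "2001:db8:f07::2", "2001:db8:f01::2")
    spoofed = build_proto41("10.0.15.9", "10.0.15.1", "2001:db8:f07::2", "2001:db8:f01::2")
    print("genuine:", decapsulate(d, good), " spoofed:", decapsulate(d, spoofed))
```

With these parameters a CE at 10.0.15.7 is delegated 2001:db8:f07::/48, matching the slide 44 derivation; the spoofed packet (outer source 10.0.15.9 claiming 2001:db8:f07::2) is rejected, and a packet with a source outside 2001:db8::/32 is only accepted when it arrives from the BR.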
48 Tunnels Agenda (repeat of slide 27; next section: LISP)
49 LISP Overview
- Locator/Identity Split creates a level of indirection by using two namespaces: EID (Endpoint Identifier) and RLOC (Routing Locator)
- EID (Endpoint Identifier) is the host IP address, the same as today: it is what is used in DNS. In LISP the EID can move independently of the RLOC.
- RLOC (Routing Locator) is the infrastructure IP address of the LISP router; routed in the Internet just like today, globally routed and aggregated along the Internet connectivity topology
- EID packets are encapsulated inside RLOC packets and forwarded over the RLOC infrastructure (Internet / WAN cloud / Enterprise)
50 LISP Overview: only edge devices are affected
- LISP ITR = LISP Ingress Tunnel Router; LISP ETR = LISP Egress Tunnel Router; devices that undertake both roles are termed LISP xTR
- Map Server (MS): ETRs register EID prefixes with the MS (just like an authoritative DNS server)
- Map Resolver (MR): ITRs send LISP Map-Requests to the MR to be resolved (just like a DNS resolver)
51 LISP Network Topology (diagram: private IPv6 network 2001:db8:beef:1::/64 behind SPOKE1-LISP CE (xTR) and 2001:db8:f00d:1::/64 behind SPOKE2-LISP CE (xTR), both EID space; public IPv4 RLOC network PE-P-P-PE with the MS/MR Mapping Database; HQ-LISP CE (xTR) HUB with 2001:db8:cafe:1::/64 EID space)
52 LISP Mapping Database (MS/MR) and the HQ-LISP hub xTR
MS/MR:

  vrf definition lisp
   rd 1:1
  !
  interface LISP0
  !
  lisp site HQ-LISP
   description LISP HQ Site
   authentication-key s3cr3t-hq
   eid-prefix 2001:db8:cafe:1::/48
  lisp site Spoke1-LISP
   description LISP Spoke Site 1
   authentication-key s3cr3t-1
   eid-prefix 2001:db8:beef:1::/48
  lisp site Spoke2-LISP
   description LISP Spoke Site 2
   authentication-key s3cr3t-2
   eid-prefix 2001:db8:f00d:1::/48
  !
  ipv6 lisp map-server
  ipv6 lisp map-resolver
  ipv6 lisp alt-vrf lisp
  !

HQ-LISP CE (xTR) hub, EID prefix 2001:db8:cafe:1::/64:

  ipv6 lisp database-mapping 2001:db8:cafe:1::/<len> <hub-rloc-ipv4> priority 1 weight 100
  ipv6 lisp itr map-resolver <mr-ipv4>
  ipv6 lisp itr
  ipv6 lisp etr map-server <ms-ipv4> key s3cr3t-hq
  ipv6 lisp etr
  !

- Each site's authentication-key must match the key the xTR uses in "ipv6 lisp etr map-server ... key"; the MS only accepts registrations for that site's eid-prefix when it verifies
53 LISP Spoke Setup (SPOKE1-LISP CE (xTR), EID prefix 2001:db8:beef:1::/64)

  !
  ipv6 unicast-routing
  ipv6 cef
  !
  interface LISP0
  !
  ipv6 lisp database-mapping 2001:db8:beef:1::/<len> <spoke1-rloc-ipv4> priority 1 weight 100
  !
  ipv6 lisp itr map-resolver <mr-ipv4>
  ipv6 lisp itr
  ipv6 lisp etr map-server <ms-ipv4> key s3cr3t-1
  ipv6 lisp etr
  !
  ipv6 route ::/0 Null0

- The default route to Null0 gives remote EIDs a route so that LISP can intercept and encapsulate the traffic instead of it being dropped as unroutable
- The same configuration would be applied to SPOKE2-LISP, changing only the prefix and the map-server key
54 LISP Traffic Flow (diagram as on slide 51, with a DNS server in the RLOC network and a dynamic spoke-to-spoke tunnel from SPOKE1 to SPOKE2; destination host 2001:db8:f00d:1::ff behind SPOKE2)
1. The host behind SPOKE1 does a DNS lookup; the AAAA reply is 2001:db8:f00d:1::ff
2. The host sends a packet with dst 2001:db8:f00d:1::ff, which reaches the SPOKE1 xTR
3. The ITR asks the MR to look up the RLOC for that EID
4. MR reply: RLOC = the IPv4 address of the SPOKE2 xTR
5. SPOKE1 dynamically tunnels the packet to that RLOC (spoke to spoke, not via the hub)
6. SPOKE2 decapsulates and delivers the packet to dst 2001:db8:f00d:1::ff
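The LISP control plane of slides 50 to 54 (site registration under a per-site key, EID-to-RLOC resolution, ITR encapsulation) as an added example, not code from the deck or from Cisco. The site names, keys and EID prefixes are those of slides 51 and 52; the RLOC addresses 192.0.2.1 to 192.0.2.3 are assumptions. The message layout is a simplified model of the RFC 6830 exchange, not the wire format; the HMAC-SHA-1-96 authentication it uses is the algorithm the RFC specifies for key ID 1:

```python
"""LISP control plane as described on slides 49-54: ETRs register EID prefixes
with a Map-Server under a per-site key, ITRs resolve EIDs through a
Map-Resolver and encapsulate to the returned RLOC.

Added example; not code from the deck or from Cisco. Site names, keys and EID
prefixes are from slides 51-52; RLOCs 192.0.2.1/2/3 are assumptions. The
messages are a simplified model, not the RFC 6830 wire format; HMAC-SHA-1-96
(key ID 1) is the real authentication algorithm.
"""
import hashlib
import hmac
import ipaddress


def _auth_data(key, fields):
    """HMAC-SHA-1-96 over the registration fields, keyed with the site key."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).digest()[:12]


def build_map_register(eid_prefix, rloc, priority, weight, key):
    """What an ETR sends ('ipv6 lisp etr map-server <MS> key <key>')."""
    fields = (eid_prefix, rloc, priority, weight)
    return {"fields": fields, "auth": _auth_data(key, fields)}


class MapServerResolver:
    """Combined MS/MR: the 'lisp site' definitions plus registered mappings."""

    def __init__(self):
        self.sites = {}      # eid prefix -> (site name, key)
        self.mappings = {}   # eid prefix -> [(rloc, priority, weight)]

    def lisp_site(self, name, key, eid_prefix):
        # strict=False accepts the deck's spelling 2001:db8:cafe:1::/48
        self.sites[ipaddress.IPv6Network(eid_prefix, strict=False)] = (name, key)

    def map_register(self, msg):
        """Accept a registration only for a configured site whose key verifies:
        an ETR without the site key cannot hijack that site's EID prefix."""
        eid_prefix, rloc, priority, weight = msg["fields"]
        prefix = ipaddress.IPv6Network(eid_prefix)
        site = None
        for p, s in self.sites.items():   # registration must fall within a site prefix
            if prefix.subnet_of(p) and (site is None or p.prefixlen > site[0].prefixlen):
                site = (p, s)
        if site is None:
            return False
        expected = _auth_data(site[1][1], msg["fields"])
        if not hmac.compare_digest(expected, msg["auth"]):
            return False
        self.mappings[prefix] = [(rloc, priority, weight)]
        return True

    def map_request(self, eid):
        """Map-Request from an ITR: longest-match EID prefix -> RLOC set."""
        addr = ipaddress.IPv6Address(eid)
        best = None
        for p, rlocs in self.mappings.items():
            if addr in p and (best is None or p.prefixlen > best[0].prefixlen):
                best = (p, rlocs)
        return None if best is None else (str(best[0]), best[1])


def itr_encapsulate(ms, own_rloc, dst_eid):
    """ITR: resolve the destination EID, pick the best RLOC (lowest priority,
    then highest weight) and return the outer (RLOC) header addresses."""
    reply = ms.map_request(dst_eid)
    if reply is None:
        return None
    rloc = sorted(reply[1], key=lambda r: (r[1], -r[2]))[0][0]
    return {"outer_src": own_rloc, "outer_dst": rloc, "inner_dst": dst_eid}


def demo():
    """Slide 54 flow: SPOKE2 registers, a rogue ETR fails, SPOKE1 resolves."""
    ms = MapServerResolver()
    ms.lisp_site("HQ-LISP", "s3cr3t-hq", "2001:db8:cafe:1::/48")
    ms.lisp_site("Spoke1-LISP", "s3cr3t-1", "2001:db8:beef:1::/48")
    ms.lisp_site("Spoke2-LISP", "s3cr3t-2", "2001:db8:f00d:1::/48")
    ok = ms.map_register(build_map_register("2001:db8:f00d:1::/64", "192.0.2.3", 1, 100, "s3cr3t-2"))
    bad = ms.map_register(build_map_register("2001:db8:f00d:1::/64", "198.51.100.9", 1, 100, "guess"))
    return ok, bad, itr_encapsulate(ms, "192.0.2.2", "2001:db8:f00d:1::ff")


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, False, {...outer_dst 192.0.2.3...}): the genuine SPOKE2 registration is accepted, the registration with a guessed key is refused, and SPOKE1's ITR is told to encapsulate traffic for 2001:db8:f00d:1::ff to SPOKE2's RLOC.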
55 IPv6 Solutions using MPLS
56 IPv6 over MPLS
- IPv6 over MPLS pseudowires: transparent to the service provider
- IPv6 over IPv4 tunnels over MPLS (manual tunnels): the PE must be IPv6 aware, the core remains IPv4
- IPv6 transit using MPLS, 6PE: the PE must be IPv6 aware, the core remains IPv4
- IPv6 VPN using MPLS, 6VPE: PEs provide VPN services for IPv6, the core remains IPv4
- No LDPv6 is available as yet: the core control plane must be IPv4 MPLS+LDP using an IPv4 IGP
- The solutions discussed previously can also work over MPLS: ISATAP, manual tunnels, GRE, 6to4, 6rd
57 IPv6 over MPLS Agenda
- IPv6 transit using MPLS: 6PE
- IPv6 VPN using MPLS: 6VPE
58 IPv6 Transit using MPLS: 6PE (RFC 4798) (diagram: IPv6 network 2001:db8:f00d:: behind CE1 at 6PE1, 2001:db8:cafe:: behind CE2 at 6PE2, CE3/CE4 at 6PE3/6PE4, IPv4 MPLS backbone with P routers, MP-iBGP IPv6 exchange between the 6PEs; label stack = LDP label over BGP label)
- 6PEs must support dual stack IPv4 + IPv6 (each acts as a normal PE)
- IPv6 packets are transported from 6PE to 6PE over an IPv4 Label Switched Path
- IPv6 addresses exist in the global table of the PE routers only
- IPv6 addresses are exchanged between 6PEs using an MP-BGP session
- The core uses an IPv4 control plane (LDPv4, TEv4, IGPv4, MP-BGP)
- Benefits from MPLS features such as FRR and TE
59 IPv6 Services using MPLS 6PE (diagram as on slide 58)
- Connects IPv6 islands over an IPv4 MPLS core (transits edge to edge)
- Transition mechanism for providing IPv6 unicast access
- Coexistence mechanism for combining IPv4 and IPv6 services
- As with other tunnel technologies, enables services such as IPv6 Internet access, peer-to-peer IPv6 connectivity, and access to IPv6 services supplied by the SP itself
60 6PE Notes
- LDP label: the outer label that provides connectivity to the destination 6PE
- MP-BGP label: the inner label used by the egress 6PE for forwarding
- Older IOS uses a pool of 16 labels shared amongst all IPv6 prefixes; P routers hash on this label for load balancing when the payload is not IPv4, so the spread is poor
- IOS that supports the MPLS Forwarding Infrastructure (MFI) [12.4(20)T and IOS XR] uses per-prefix labels; some code also allows P routers to hash on IPv6 addresses
- The BGP label is needed to avoid the packet being dropped after PHP: once the penultimate P router pops the LDP label, the egress 6PE still sees a labelled packet and knows the payload is IPv6
- The BGP label is also referred to as an Aggregate Label: aggregate labels execute pop label + IPv6 lookup at the egress 6PE
- The BGP next hop is a special-use IPv4-mapped IPv6 address ::ffff:A.B.C.D, where ::ffff: is a fixed value and A.B.C.D is the loopback of the 6PE
61 6PE Routing and Label Distribution Example (diagram as on slide 58, with eBGP between CE1 and 6PE1 and between 6PE2 and CE2, iBGP between the 6PEs)
- IGPv4: the 6PE loopbacks are reachable across the core
- LDPv4: the P router next to 6PE1 binds {Pop} (PHP) to the 6PE1 loopback, the next P router binds {27}, and 6PE2 receives the binding {48}
- MP-eBGP: CE1 advertises 2001:db8:f00d:: to 6PE1
- MP-iBGP: 6PE1 advertises 2001:db8:f00d:: to 6PE2 with BGP next hop ::ffff:<6PE1 loopback> and label binding {65}
- MP-eBGP: 6PE2 advertises 2001:db8:f00d:: to CE2
62 6PE Label Forwarding (diagram as on slide 58)
Forwarding entry at the ingress 6PE for the prefix: Prefix 2001:db8:f00d::; BGP label {65}; BGP NH ::ffff:<6PE1 loopback>; IPv4 NH <next P router>; LDP label {48}
Label stack hop by hop towards 2001:db8:f00d::: ingress imposes {48}{65}; the P router swaps the LDP label to {27}{65}; the penultimate P router pops the LDP label, leaving {65}; the egress 6PE pops {65} and forwards the IPv6 packet to the CE. The BGP label {65} is carried unchanged all the way across the core.
63 6PE Configuration (diagram as on slide 58; the 6PEs are in the MPLS AS, the CEs in their own ASes, e.g. as65015)
6PE1:

  ipv6 unicast-routing
  !
  interface Loopback0
   ip address <6pe1-loopback-ipv4> 255.255.255.255
  !
  router bgp <mpls-asn>
   neighbor 2001:db8:f00d:1::1 remote-as <ce1-asn>
   neighbor <6pe2-loopback-ipv4> remote-as <mpls-asn>
   neighbor <6pe2-loopback-ipv4> update-source Loopback0
   !
   address-family ipv6
    neighbor <6pe2-loopback-ipv4> activate
    neighbor <6pe2-loopback-ipv4> send-label
    neighbor 2001:db8:f00d:1::1 activate

6PE2:

  ipv6 unicast-routing
  !
  interface Loopback0
   ip address <6pe2-loopback-ipv4> 255.255.255.255
  !
  router bgp <mpls-asn>
   neighbor 2001:db8:cafe:1::1 remote-as <ce2-asn>
   neighbor <6pe1-loopback-ipv4> remote-as <mpls-asn>
   neighbor <6pe1-loopback-ipv4> update-source Loopback0
   !
   address-family ipv6
    neighbor <6pe1-loopback-ipv4> activate
    neighbor <6pe1-loopback-ipv4> send-label
    neighbor 2001:db8:cafe:1::1 activate

- "send-label" is what turns the IPv6 iBGP session between the 6PEs into 6PE: IPv6 prefixes are advertised with a label and an IPv4-mapped next hop
64 6PE Route (diagram as on slide 58)

  6PE-2#show ipv6 route
  B 2001:db8:f00d::/48 [200/0]
    via ::ffff:<6pe1-loopback-ipv4>, IPv6-mpls

  6PE-1#show ipv6 cef internal
  [snip]
  2001:F00D::/64, nexthop ::ffff:<6pe1-loopback-ipv4> LDP BGP
    fast tag rewrite with F0/1, <next-hop-ipv4>, tags imposed {48 65}

- The route is learnt by iBGP (admin distance 200) with the IPv4-mapped next hop, and CEF imposes the LDP label {48} over the BGP label {65}
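The label handling of slides 60 to 64 as an added example, not code from the deck or from Cisco: the ingress 6PE imposes {48 65}, a P router swaps the LDP label, the penultimate P router pops it, and the egress 6PE pops the aggregate BGP label and does an IPv6 lookup. The label values and prefixes are the deck's; the packet bytes are constructed here, and the ECMP function models the hashing behaviour slide 60 describes:

```python
"""6PE forwarding plane as on slides 60-64: the ingress 6PE pushes an LDP
transport label over a BGP (aggregate) label, P routers swap/pop the LDP
label, and the egress 6PE pops the BGP label and routes the IPv6 payload.

Added example; not code from the deck or from Cisco. Label values {48 65} and
the prefixes 2001:db8:f00d::/48 and 2001:db8:cafe::/48 are from the deck; the
packet bytes are constructed here.
"""
import ipaddress
import struct


def mpls_entry(label, bos, ttl=255, tc=0):
    """One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def push_labels(payload, labels):
    """labels are listed top-of-stack first; the last one gets the S bit."""
    stack = b"".join(mpls_entry(lab, int(i == len(labels)-1)) for i, lab in enumerate(labels))
    return stack + payload


def pop_label(packet):
    """Return (label, bottom_of_stack, remainder)."""
    entry, = struct.unpack("!I", packet[:4])
    return entry >> 12, (entry >> 8) & 1, packet[4:]


def ipv6_header(src, dst):
    """Constructed IPv6 header with no payload."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def ingress_6pe(ipv6_packet, ldp_label, bgp_label):
    """'tags imposed {48 65}': transport (LDP) label on top of the BGP label."""
    return push_labels(ipv6_packet, [ldp_label, bgp_label])


def p_router_swap(packet, label_map):
    """Core P router: swap the top LDP label; the BGP label below is untouched."""
    label, bos, rest = pop_label(packet)
    return mpls_entry(label_map[label], bos) + rest


def penultimate_hop_pop(packet):
    """Last P router before the egress 6PE pops the LDP label. Returns None if
    that would leave no label at all: the egress PE would then receive a bare
    IPv6 packet on an MPLS adjacency, which is why 6PE always carries the BGP
    label underneath (slide 60)."""
    _, bos, rest = pop_label(packet)
    return None if bos else rest


def egress_6pe(packet, ipv6_aggregate_labels, ipv6_table):
    """Aggregate label: pop, confirm the payload is IPv6, then a longest-match
    lookup in the global IPv6 table. Returns the next hop or None."""
    label, bos, payload = pop_label(packet)
    if not bos or label not in ipv6_aggregate_labels or payload[0] >> 4 != 6:
        return None
    dst = ipaddress.IPv6Address(payload[24:40])
    best = None
    for prefix, next_hop in ipv6_table:
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return None if best is None else best[1]


def p_router_ecmp_key(packet, hash_ipv6=False):
    """What a P router can hash on for load balancing. It peeks past the label
    stack: first nibble 4 -> IPv4 addresses. With 6PE the nibble is 6; older
    code then hashes the labels only, which spreads poorly when all IPv6
    prefixes share a pool of 16 BGP labels. Newer code can hash the IPv6
    addresses (slide 60)."""
    labels, rest = [], packet
    for _ in range(3):                      # typical inspection depth
        label, bos, rest = pop_label(rest)
        labels.append(label)
        if bos:
            break
    nibble = rest[0] >> 4 if rest else 0
    if nibble == 4:
        return ("ipv4", rest[12:20])
    if nibble == 6 and hash_ipv6:
        return ("ipv6", rest[8:40])
    return ("labels", tuple(labels))


def walk_path(ipv6_packet):
    """Drive a packet from the ingress 6PE through two P routers to the egress 6PE."""
    table = [("2001:db8:f00d::/48", "CE behind 6PE1"), ("2001:db8:cafe::/48", "CE behind 6PE2")]
    pkt = ingress_6pe(ipv6_packet, 48, 65)      # {48}{65}
    pkt = p_router_swap(pkt, {48: 27})          # {27}{65}
    pkt = penultimate_hop_pop(pkt)              # {65}
    return egress_6pe(pkt, {65}, table)         # pop 65, IPv6 lookup


if __name__ == "__main__":
    pkt = ipv6_header("2001:db8:cafe:1::1", "2001:db8:f00d:1::1")
    print(walk_path(pkt))
    print(p_router_ecmp_key(ingress_6pe(pkt, 48, 65)))
    print(p_router_ecmp_key(ingress_6pe(pkt, 48, 65), hash_ipv6=True)[0])
```

walk_path() returns "CE behind 6PE1" for a packet towards 2001:db8:f00d:1::1, and p_router_ecmp_key() shows the difference between a P router that can only hash the labels (48, 65) and one that hashes the IPv6 addresses.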
65 IPv6 over MPLS Agenda (repeat of slide 57; next section: 6VPE)
66 IPv6 VPN: 6VPE (RFC 4659) (diagram: IPv4/IPv6 customer networks 2001:db8:beef:1::/64 behind CE1 and 2001:db8:beef:2::/64 behind CE2, PE-CE links 2001:db8:cafe:1::/64 and 2001:db8:cafe:3::/64, 6VPE1 and 6VPE2 holding the VRF, IPv4 MPLS backbone with P routers; label stack = LDP label over VPN label)
- 6VPE uses the existing IPv4 MPLS infrastructure to provide IPv6 VPNs
- The core uses an IPv4 control plane (LDPv4, TEv4, IGPv4)
- PEs must support dual stack IPv4 + IPv6
- Offers the same architectural features as MPLS-VPN for IPv4: RTs, VRFs, RDs
- RDs are appended to IPv6 addresses to form VPNv6 addresses; MP-BGP distributes both VPN address families
- The BGP next hop uses the IPv4-mapped IPv6 address format ::ffff:a.b.c.d
- A VRF can contain both VPNv4 and VPNv6 routes
67 Services Using 6VPE (diagram as on slide 66)
- For VPN customers, the IPv6 VPN service is exactly like the IPv4 VPN service
- 6PE is like a VPN but the prefixes are in the global table; 6VPE is a true VPN
- 6VPE enables services such as IPv6 VPN access, Carriers Supporting Carrier, and access to IPv6 services supplied by the SP itself
68 CE1 Configuration (diagram as on slide 66; CE1 in AS 500, the provider in AS 100)

  ipv6 unicast-routing
  ipv6 cef
  !
  interface Ethernet0/0
   description Link to PE1
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:cafe:1::1/64
  !
  interface Ethernet1/0
   description to GREEN LAN
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:beef:1::1/64
   ipv6 rip GREEN enable
  !
  router bgp 500
   neighbor 2001:db8:cafe:1::2 remote-as 100
   neighbor <6vpe1-ipv4> remote-as 100
   !
   address-family ipv4
    redistribute eigrp 100
    neighbor <6vpe1-ipv4> activate
   exit-address-family
   !
   address-family ipv6
    neighbor 2001:db8:cafe:1::2 activate
    redistribute rip GREEN
   exit-address-family

- The IPv4 and IPv6 sessions to 6VPE1 are separate BGP neighbours: IPv4 over the IPv4 link address, IPv6 over 2001:db8:cafe:1::2
69 New Multi-AF VRF Configuration (diagram as on slide 66)

  vrf definition GREEN
   rd 200:1
   ! Common RT policies go here
   address-family ipv4
    route-target export 200:1
    route-target import 200:1
   exit-address-family
   !
   address-family ipv6
    route-target export 200:1
    route-target import 200:1
   exit-address-family

- The new VRF address-family definition allows address families each with unique or common policies
- The command "vrf upgrade-cli multi-af-mode {common-policies | non-common-policies} [vrf <name>]" can update existing VRF definitions to the new format
70 6VPE1 General Configuration (diagram as on slide 66)

  ipv6 unicast-routing
  ipv6 cef
  !
  interface Loopback0
   ip address <6vpe1-loopback-ipv4> 255.255.255.255
  !
  interface Ethernet0/0
   description Link to CE1
   vrf forwarding GREEN
   ip address <ipv4-address> <mask>
   ipv6 address 2001:db8:cafe:1::2/64
  !
  interface Ethernet2/0
   description Link to Core Network
   ip address <ipv4-address> <mask>
   mpls ip
  !
  router ospf 1
   log-adjacency-changes
   redistribute connected subnets
   passive-interface Loopback0
   network <ipv4-network> <wildcard> area 0

- "vrf forwarding GREEN" places the CE-facing interface into the VRF for both address families; the core link runs only IPv4 with LDP ("mpls ip")
71 6VPE1 BGP Configuration
[Diagram: same 6VPE topology as slide 68.]
router bgp 100
 neighbor remote-as 100
 neighbor update-source lo0
 !
 address-family ipv4              ! Internet routes
  neighbor activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4             ! to 6VPE2
  neighbor activate
  neighbor send-community ext
 exit-address-family
 !
 address-family vpnv6             ! to 6VPE2
  neighbor activate
  neighbor send-community ext
 exit-address-family
 !
 address-family ipv4 vrf GREEN    ! to CE1
  redistribute connected
  neighbor remote-as 500
  neighbor activate
 exit-address-family
 !
 address-family ipv6 vrf GREEN    ! to CE1
  neighbor 2001:db8:cafe:1::1 remote-as 500
  neighbor 2001:db8:cafe:1::1 activate
 exit-address-family
72 6VPE2 VRF Routes
[Diagram: same 6VPE topology as slide 68.]
6VPE2#show ipv6 route vrf GREEN
B   2001:db8:beef:1::/64 [200/0]
     via
B   2001:db8:beef:2::/64 [20/0]
     via FE80::A8BB:CCFF:FE01:FA00, Ethernet1/0
B   2001:db8:cafe:1::/64 [200/0]
     via
C   2001:db8:cafe:3::/64 [0/0]
     via Ethernet1/0, directly connected
L   2001:db8:cafe:3::2/128 [0/0]
     via Ethernet1/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
73 6VPE1 BGP VPNv6 Table
[Diagram: same 6VPE topology as slide 68.]
6VPE1#show bgp vpnv6 unicast all
     Network               Next Hop             Metric LocPrf Weight Path
Route Distinguisher: 200:1 (default for vrf GREEN)
*>   2001:db8:beef:1::/64  2001:db8:cafe:1::1                          ?   <- route from CE1
*>i  2001:db8:beef:2::/64  ::FFFF:                                     ?   <- route from CE2 via 6VPE2
*>i  2001:db8:cafe:3::/64  ::FFFF:                                     ?   <- PE/CE connected route from 6VPE2
74 6VPE1 LFIB
[Diagram: same 6VPE topology as slide 68.]
6VPE1#show mpls forwarding
Local  Outgoing   Prefix                      Bytes Label  Outgoing   Next Hop
Label  Label      or VC or Tunnel Id          Switched     interface
16     Pop Label  /30                         0            Et2/
                  /30                         0            Et2/
       Pop Label  /32                         0            Et2/
                  /32                         0            Et2/
                  /32                         0            Et2/
       No Label   /24[V]                      0            Et0/
       Aggregate  /24[V]                      570          GREEN
25     No Label   2001:db8:beef:1::/64[V]     570          Et0/0      FE80::A8BB:CCFF:FE01:F
       Aggregate  2001:db8:cafe:1::/64[V]                  GREEN
75 6VPE Summary
RFC4659: BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
6VPE adds IPv6 support to the MPLS VPN feature
For end-users: VPNv6 is the same as VPNv4 services (QoS, Hub and Spoke, Internet Access, etc.)
For providers:
- Same configuration and operation for VPNv4 and VPNv6 VPNs
- No upgrade of the MPLS core (IPv6 unaware)
- Upgrade of affected PE routers
76 Cisco Carrier-Grade v6
77 Clue 2
Make everything a common unit: use bits, use seconds, use meters.
There is no trick with the packet size. I'm not expecting preamble or L2 headers. It is just 1500 bytes.
78 Cisco Carrier-Grade IPv6 (CGv6)
CGv6 is a Cisco framework for moving to IPv6, consisting of a three-pronged approach: Preserve, Prepare, Prosper
Preserve IPv4 investments and assets
- Objective: support continued use of IPv4 after address exhaustion
- Solutions: Carrier Grade NAT (NAT44, NAT444; millions of translations)
- This is a short to medium term solution
Prepare to deliver interoperable IPv4/IPv6 services
- Objective: upgrade to IPv6 whilst co-existing with IPv4
- Solutions: Dual-Stack, 6PE/6VPE, Softwire Mesh, Translation (AFT)
Prosper from accelerated IPv6 growth and innovation
- Objective: end-to-end IPv6 for most devices/things
- Solution: mostly dual-stack and standalone IPv6 clouds
79 Cisco Carrier-Grade IPv6 (CGv6)
Built on carrier-scale address translation and protocol tunnelling capability
Preserve: by extending private IPv4 into the IP-NGN for continued growth [Diagram: private IPv4 -> translation -> public IPv4]
Prepare: by enabling interoperable IPv4/IPv6 services over existing IP-NGN infrastructure [Diagram: Address Family Translation between IPv6 and public IPv4; 6over4 / 4over6 tunnelling to the public network]
80 Preserve - Double NAT
Provides additional IPv4 space for the short term
[Diagram: subscriber, provider and Internet segments. Subscriber NAT (private -> private) followed by provider Carrier Grade NAT (private -> public); the alternative rows show subscriber NAT (private -> public) and "NAT and no NAT" with private and public segments.]
81 Prepare - Address Family Translation (AFT)
Allows access between IPv6 and IPv4 networks (IETF BEHAVE)
[Diagram: IPv6-only subscribers - provider - public IPv4 Internet]
IETF BEHAVE working group on AFT for NAT64 and DNS64
82 Prepare - IPv6 Rapid Deployment (6rd)
Tunnel IPv6 over the IPv4 access network to the 6rd gateway
[Diagram: subscribers - provider - Internet; IPv6 tunnelled over the private IPv4 access network (6 to 4) to the 6rd Gateway, then public IPv6.]
The 6rd gateway can also perform the AFT function for mixed source/destination address-family combinations
83 Prepare - Dual-Stack Lite (4over6, 4rd)
Tunnel IPv4 over the IPv6 access network to the DS-Lite gateway (more v6 than v4)
[Diagram: subscribers - provider - Internet; private IPv4 tunnelled over IPv6 (4 to 6) to the DS-Lite Gateway.]
84 Prosper - All IPv6
All IPv6 (some time away?)
[Diagram: subscribers - provider - Internet, IPv6 end to end.]
85 The Carrier-Grade Services Engine
CGSE: engine for massive Cisco CGv6 deployments (Cisco CRS)
- 20+ million active translations
- 100s of thousands of subscribers
- 1+ million connections per second
- 20Gb/s of throughput per CGSE
CGN (NAT44/NAT64/6rd) is also supported on the Cisco ASR1k for Cisco CGv6 deployments (assumes ESP40 and RP2):
- 2+ million active translations
- 200k sessions per second
- 40G system throughput
86 NAT64 Summary
Translate between IPv6 and IPv4
[Diagram: IPv6-only hosts - Protocol Translator - IPv4-only hosts]
Choice of translation or tunnelling? Always choose tunnel; translation (NAT) has worse side effects.
87 NAT-PT: The Historic Way to Translate IPv6 to IPv4
NAT-PT combined all scenarios
- IPv6 to IPv4 is problematic; the IPv6 space is bigger
- Broke DNSSEC
- RFC4966 said IPv6/IPv4 translation causes other side effects, and some are not solvable
But:
- IPv4 addresses are near exhaustion
- Effectively no IPv6 Internet access and no IPv6 content anywhere in the world
- We can't tunnel everywhere
88 IPv6/IPv4 Translation
Stateless (1:1 translation, NAT):
- Any protocol
- Helps ensure end-to-end address transparency and scalability
- No state or bindings created on the translation
- Session can be initiated from either side
- Requires IPv4-translatable IPv6 address assignment (mandatory requirement)
- Requires either manual or Dynamic Host Configuration Protocol Version 6 (DHCPv6)-based address assignment for IPv6 hosts
- No IPv4 address savings (just like NAT)
Stateful (N:1 translation, NAPT):
- TCP, UDP, ICMP
- Uses address overloading; hence lacks end-to-end address transparency
- State or bindings created on every unique translation
- Session must be initiated from the IPv6 side
- No requirement for the characteristics of IPv6 address assignment
- Capability to choose any mode of IPv6 address assignment: manual, DHCPv6, or stateless address auto-configuration (SLAAC)
- Saves IPv4 addresses
89 IPv6/IPv4 Translation Framework Scenarios
[Table: four scenarios (Network to Internet, Internet to Network, Internet to Network, Network to Internet; the IPv4/IPv6 labels of each row were not preserved) against stateful and stateless translation. One cell is marked ** and one scenario is marked "Not viable because too few IPv4 addresses".]
** Possible with nat64 v6v4 static mappings
90 IPv6/IPv4 Translation Framework Scenarios
[Table: Network to Network in both directions (one cell marked **) against stateful and stateless translation; IPv6 Internet to IPv4 Internet and IPv4 Internet to IPv6 Internet: cannot be done.]
** Possible with nat64 v6v4 static mappings
91 IPv6/IPv4 Translation: Two Scenarios
Connecting an IPv6 network to the IPv4 Internet
- You built an IPv6-only network, and want to access servers on the IPv4 Internet
- Example: IPv6-only LTE handsets
Connecting the IPv4 Internet to an IPv6 network
- You have IPv6 servers, and want them available to the IPv4 Internet
- Example: IPv6-only Data Centre (HTTP servers)
92 Connecting an IPv6 Network to the IPv4 Internet
[Diagram: IPv6-only clients on an IPv6-only network, with DNS64 and a Protocol Translator (NAT64) towards the IPv4 network (dual stack) and the Internet (dual stack).]
93 DNS64
Synthesises AAAA records when AAAA are not present in the DNS, with the prefix of the NAT64 translator
[Exchange: IPv6-only host -> DNS64: AAAA? ; DNS64 -> Internet: AAAA? and A? (sent simultaneously); Internet -> DNS64: empty AAAA answer, then the A answer; DNS64 -> host: synthesised AAAA 2001:db8:6464::<IPv4 address>]
94 DNS64 flows
95 DNS64 example
[Topology: an IPv4 or dual-stack network with the root and authoritative name servers; an IPv6-only network whose DNS64 (BIND 9.8.x) sits at 2001:db8:a:b::; the Internet.]
options {
  dns64 2001:db8:6464::/96 {      // the NAT64 (Well Known) prefix
    clients { any; };             // the addresses of clients allowed to use DNS64
    mapped { any; };              // the list of IPv4 addresses which can be mapped into AAAA records
    exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };   // the list of addresses that should not be mapped
    suffix ::;                    // the filler after the synthesis point; only applies where the prefix is < 96 bits
  };
};
96 DNS64
Works for applications that do DNS queries: well over 80% of applications.
Breaks for applications that don't do DNS queries:
- SIP, RTSP, H.323, etc.
- IPv4 address literals
Solutions:
- Application-level proxy for IPv4 address literals (HTTP proxy)
- The application learns the NAT64's prefix
97 NAT64 Stateless BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 97
98 Stateless NAT64 example
[Topology: IPv4 side and IPv6 side of a CGSE; the IPv4 addresses were not preserved in the transcription.]
Using CGSE:
service cgn CGN
 service-location preferred-active 0/3/CPU0
 !
 service-type nat64 stateless xlat1
  ipv6-prefix 2001:db8:6464::/96
  address-family ipv4
   interface ServiceApp46
  !
  address-family ipv6
   interface ServiceApp64
!
interface ServiceApp46
 description the IPv4 side NAT64 interface
 ipv4 address
 service cgn CGN service-type nat64 stateless
!
interface ServiceApp64
 description the IPv6 side NAT64 interface
 ipv6 address 2001:db8:a:b::1/64
 service cgn CGN service-type nat64 stateless
!
router static
 address-family ipv4 unicast
  /24 ServiceApp46
 !
 address-family ipv6 unicast
  2001:db8:6464::/96 ServiceApp64 2001:db8:a:b::2
  2a01:db8:6464::/64 <LAN interface>
99 NAT64 Stateful BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 99
100 Stateful NAT64 example
[Topology: an IPv4 network and an IPv6-only network on either side of the translator; IPv6 side addresses 2001:db8:cafe:beef::..., 2001:db8:cafe:f00d::abc and the IPv6-only network 2001:db8:cafe:5555::; the IPv4 addresses were not preserved in the transcription.]
interface GigabitEthernet0/0/0
 description to 6k-dmz-1 IPv6 side
 no ip address
 ipv6 address 2001:db8:1234:abcd::1/64
 nat64 enable
!
interface GigabitEthernet0/0/1
 description to 6k-dmz-1 IPv4 side
 ip address
 nat64 enable
!
ipv6 access-list EDGE_ACL
 permit ipv6 any any
!
nat64 prefix stateful 2001:db8:cafe:beef::/96
nat64 v4 pool EDGE
nat64 v6v4 list EDGE_ACL pool EDGE overload
!
nat64 v6v4 static 2001:db8:cafe:beef::
nat64 v6v4 static 2001:db8:cafe:beef::
!
nat64 v4v6 static 2001:db8:cafe:f00d::abc
101 Stateful NAT64 example syntax
nat64 v6v4 is used when:
- translating IPv6 source to IPv4 source (the port overload N:1 mappings)
- translating IPv6 destination to IPv4 destination (as per the example)
  ! nat64 v6v4 static 2001:db8:cafe:beef::
  ! 2001:db8:cafe:beef:: <-> 2001:db8:6464::[] SRC
nat64 v4v6 is used when:
- translating IPv4 source to IPv6 source
- translating IPv4 destination to IPv6 destination (as per the example)
  ! nat64 v4v6 static 2001:db8:cafe:f00d::abc
  ! 2001:db8:cafe:beef::a1 <-> 2001:db8:cafe:f00d::abc
102 IPv6/IPv4 Translation Issues
- IPv4 address literals
- SIP, RTSP, etc.: Application Layer Gateway, or application proxy
- FTP (EPSV, PASV): draft-ietf-behave-ftp64
- RTSP in mobile environments (3G)
- Other applications?
103 What if I can't Dual Stack?
[Diagram: three ways to expose an IPv4-only host to the IPv6 Internet: a Server Load Balancer, a stateful NAT64, or a proxy (Apache, Squid, MSFT PortProxy), each sitting between the IPv6 Internet and the IPv4-only host.]
104 NAT64 for Data Centre
Makes IPv6-only servers accessible on the IPv4 Internet
Requires stateful translation, because the Internet is bigger (you cannot represent every address in the other address family)
All connections come from the translator's IPv4 address
- Problem for abuse logging
- Lack of X-Forwarded-For: header
Maybe an application proxy is superior? e.g., lighttpd
- But has poor TLS interaction
105 Addressing
106 PI and PA Allocation Process
[Diagram: Provider Assigned: IANA 2000::/3 -> Registries /12 -> ISP /32 -> Org /48 -> Clients. Provider Independent: IANA 2000::/3 -> Registries /12 -> Org /48 (Level Four).]
107 Do I Get PI or PA?
It depends
- PI space is great for RIR controlled space (not all RIRs have approved PI space)
- PA is a great space if you plan to use the same SP for a very long time, or you plan to NAT everything with IPv6 (not likely)
More important things to consider:
- Do you get a prefix for the entire company?
- Do you get one prefix per site (what defines a site?)
- Does your company cross international boundaries?
- Do outposts each need a PI/PA?
108 Link Level Prefix Length Considerations
64 bits:
- Recommended by RFC3177 and IAB/IESG
- Consistency makes management easy
- MUST for SLAAC (MSFT DHCPv6 also)
- Significant address space loss (18 quintillion addresses per /64)
> 64 bits:
- Address space conservation
- Special cases: /126 valid for p2p; /127 valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p-xx / RFC3627); /128 loopback
- Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
Options:
- Allocate /64s everywhere
- /64 on host networks + /126 on P2P
- /64 on host networks + /127 on P2P
- Always use /128 on loopbacks
109 The /127 Issue
Originally point-to-point links were numbered with /64, /96, /112, or /126
- /64 simplest
- /96 allowed 32 bits of IPv4 address to be used
- /112 allowed the significant 16 bits of IPv4 address to be used
- /126 emulated the /30 behaviour for IPv4
Use of ample address space opened networks up to attack (see next slide)
Two conflicting RFCs:
- RFC 3627 Use of /127 Prefix Length Between Routers Considered Harmful
- RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links
/127 not possible in some implementations due to conflict with the Subnet-Router anycast address
- Cisco IOS does not implement Subnet-Router Anycast
- The issue is with multivendor support
Industry is moving towards RFC 6164
110 Subnets
Prefix   /64 subnets
/32      4,294,967,296
/33      2,147,483,648
/34      1,073,741,824
/35      536,870,912
/36      268,435,456
/38      67,108,864
/40      16,777,216
/44      1,048,576
/48      65,536
/50      16,384
/52      4,096
111 Subnetting references
112 /32 Addressing Scheme
/32 high level addressing plan. Indicative only; can be modified to suit needs.
- Assumes a minimum /32 allocation
- The /32 is split into four /34 (1 billion /64 subnets each): MW (mobile wireless), Wired, Reserved, R&D, one per network
- The /34 MW block is split into 16 x /38 (67 million /64 subnets each) for the mobile wireless network: Infra, UE, UE, OAM, ..., WLAN, Lab
- The /38 Infra block is split into /42 blocks (DC, GW, IMS, LB, ...), each holding /64 prefixes for loopbacks and point-to-point links (Loop, p2p1, p2p2, p2p3, ...)
- UE allocation is broken up into catchment zones (16 million /64 subnets per zone); each UE will require a /64 prefix (UE1, UE2, UE3, UE4, ...)
- Infrastructure networks have access to a /56 (256 x /64 subnets)
113 /48 Addressing Scheme
/48 high level addressing plan. Indicative only; can be modified to suit needs.
- A /48 = 65,536 x /64
- Break up into functional blocks (4 x /50 in this case): Branch, DC, WAN, Lab; each functional block simplifies security policy
- The Branch /50 is split into /56 blocks: Branch 1, Branch 2, Branch 3, Branch 4, ..., MGMT (assumes up to 64 branch networks)
- Each branch has access to 256 /64 prefixes for WAN, DMZ and VLAN use (Loop, WAN, DMZ, VLAN4, VLAN..., per branch)
114 Allocation vs. Masking
Allocate /64 everywhere
- Ensures simple allocation and no need to maintain /30 style spreadsheets
Change the mask to suit purpose
- /64 for LAN
- /127 for p2p link
- /128 for loopbacks (all sequentially allocated from the same /64)
Don't use EUI-64 with global addresses for network infrastructure
- Address will change with RMA
- Will affect DNS
- Higher operational overhead
115 Security
116 Clue 3
Things you need to work out:
- How long does it take to transmit the packet?
- How far does light travel in that time?
Yes, there are lots of zeros.
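Working the three clues through, as an added derivation that is not part of the deck (it assumes a 1 Gbit/s line rate and the vacuum speed of light, $c = 3 \times 10^{8}$ m/s):

$$1500\ \text{bytes} \times 8\ \tfrac{\text{bits}}{\text{byte}} = 12\,000\ \text{bits}$$

$$t = \frac{12\,000\ \text{bits}}{10^{9}\ \text{bits/s}} = 1.2 \times 10^{-5}\ \text{s} = 12\ \mu\text{s}$$

$$d = c \cdot t = 3 \times 10^{8}\ \text{m/s} \times 1.2 \times 10^{-5}\ \text{s} = 3600\ \text{m}$$

So the first and last bit of the packet are about 3.6 km apart in vacuum terms; in fibre or copper, where the signal propagates at roughly two thirds of $c$, the packet is closer to 2.4 km long.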
117 Shared Issues
118 Innocent W2k3 to W2k8 Upgrade
Windows 2003:
C:\>ping svr-01
Pinging svr-01.example.com [ ] with 32 bytes of data:
Reply from : bytes=32 time<1ms TTL=128
Reply from : bytes=32 time<1ms TTL=128
Reply from : bytes=32 time<1ms TTL=128
Reply from : bytes=32 time<1ms TTL=128
Upgraded host to Windows 2008:
C:\>ping svr-01
Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Link Local Multicast Name Resolution (capture):
No.  Time  Source                      Destination  Protocol  Info
           fe80::c4e2:f21d:d2b3:8463   ff02::1:3    UDP       Source port:  Destination port: llmnr
                                                    UDP       Source port:  Destination port: llmnr
Can happen if the circumstances are right
119 Reconnaissance in IPv6: Subnet Size Difference
Default subnets in IPv6 have 2^64 addresses; at 10 Mpps a sweep takes 58,494 years (calculation below)
NMAP doesn't even support ping sweeps on IPv6 networks
IPv6 reconnaissance attacks will NOT go away in an IPv6 environment; rather the tactics will be modified: passive techniques such as DNS name server resolution, to identify victim networks for more targeted exploitation
18,446,744,073,709,551,616 addresses / 10,000,000 pps = 1,844,674,407,370 seconds = 21,350,398 days = 58,494 years
Neighbour discovery-based attacks will also replace their IPv4 counterparts such as ARP spoofing
120 Reconnaissance in IPv6
- Public servers will still need to be DNS reachable; more information collected by Google...
- Increased deployment/reliance on dynamic DNS: more information will be in DNS
- Using peer-to-peer clients gives the IPv6 addresses of peers
- Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0 or simply the IPv4 last octet for dual stack)
- By compromising hosts in a network, an attacker can learn new addresses to scan
- Transition techniques (see further) derive the IPv6 address from the IPv4 address: can scan again
121 Scanning Made Bad for CPU
Potential router CPU attacks if aggressive scanning
- Router will do Neighbor Discovery... and waste CPU and memory
- Built-in rate limiter but no option to tune it
Using a /64 on point-to-point links = a lot of addresses to scan!
- Using /127 could help (RFC 6164)
Using an infrastructure ACL prevents this scanning
- iACL: edge ACL denying packets addressed to your routers
- Easy with IPv6 because a new addressing scheme can be done
122 Viruses and Worms in IPv6
Viruses and e-mail, IM worms: IPv6 brings no change
Other worms:
- IPv4: reliance on network scanning
- IPv6: not so easy (see reconnaissance); will use alternative techniques
Worm developers will adapt to IPv6
IPv4 best practices around worm detection and mitigation remain valid
123 Prefix Exploits
Using /127 for infrastructure point-to-point links avoids two attack vectors:
- ND cache exhaustion for ND-based media (e.g. Ethernet)
- TTL attack for non-ND media (e.g. POS)
IOS not affected as it implements RFC [number not preserved in the transcription]
[Diagram: two routers on a /64 point-to-point link, 2001:db8:1000::1/64 and 2001:db8:1000::2/64, shown both on Ethernet (e0/0) and on POS (pos1/0). A ping to the unused address 2001:db8:1000::3 triggers ND for ::3 on Ethernet; each ND entry waits for its timeout in the cache, so many such pings lead to memory exhaustion. On POS the packet bounces between the two routers until the hop limit expires.]
Recommendation: use /127 where possible on P2P links
124 Routing Header
An IPv6 extension header
Processed by the listed intermediate routers
Two types:
- Type 0: similar to IPv4 source routing (multiple intermediate routers)
- Type 2: used for mobile IPv6
[Diagram: IPv6 basic header with Next Header = 43, followed by the Routing Header (43): Next Header, Ext Hdr Length, RH Type, Segments Left, Routing Header Data]
125 Type 0 Routing Header Issue: Amplification Attack
What if an attacker sends a packet with an RH containing A -> B -> A -> B -> A -> B -> A -> B -> A ...
The packet will loop multiple times on the link A-B until the Hop Limit is exhausted: an amplification attack!
126 Preventing Routing Header Attacks
Apply the same policy for IPv6 as for IPv4: block Routing Header type 0
Prevent processing at the intermediate nodes
- no ipv6 source-route (in IOS only)
- Windows, Linux, Mac OS: default setting
At the edge
- With an ACL blocking the routing header, specifically type 0
RFC 5095 (Dec 2007): RH0 is deprecated
- Default IOS changed in 12.4(15)T to ignore and drop RH0
- No need to configure no ipv6 source-route
127 Neighbor Discovery Issue #1: Stateless Autoconfiguration
Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none)
Attack tool: fake_router6 can make any address the default router
Router Solicitation (ICMP type 133): source = a link-local address (FE80::1); destination = all-routers multicast (FF02::2); query: please send RA
Router Advertisement (ICMP type 134): source = a link-local address (FE80::2); destination = all-nodes multicast (FF02::1); data: options, subnet prefix, lifetime, autoconfig flag
128 Neighbor Discovery Issue #2: Neighbor Solicitation
No security mechanisms built into the discovery protocol, therefore very similar to ARP
Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN...
Neighbour Solicitation (ICMP type 135): source = A unicast; destination = B's solicited-node multicast; data: FE80:: address of A; query: what is B's link-layer address?
Neighbour Advertisement (ICMP type 136): source = B unicast; destination = A unicast; data: FE80:: address of B
129 ARP Spoofing is now NDP Spoofing: Mitigation
SEMI-BAD NEWS: nothing yet like dynamic ARP inspection for IPv6
- First phase (Port ACL & RA Guard) has been available since September
SEMI-GOOD NEWS: Secure Neighbor Discovery
- SEND = NDP + crypto
- IOS 12.4(24)T
- But not in Windows Vista, 2008 and 7
- Crypto means slower...
More GOOD NEWS:
- Private VLAN works with IPv6
- Port security works with IPv6
- 802.1x works with IPv6
130 FHS Current Status
Platform (IOS train)   Cat6k (12.2SX)   Cat4k Series (12.2SG)   Cat 3750 Series (12.2SE)   Cisco ISR (12.4T/15M)
SEND                   -                -                       -                          12.4(24)T
Port ACL               12.2(33)SXI4     12.2(54)SG              12.2(46)SE                 -
RA Guard               12.2(33)SXI4     12.2(54)SG              -                          -
131 ICMPv4 vs. ICMPv6
Significant changes; more relied upon
ICMP Message Type                   ICMPv4   ICMPv6
Connectivity Checks                 X        X
Informational/Error Messaging       X        X
Fragmentation Needed Notification   X        X
Address Assignment                           X
Address Resolution                           X
Router Discovery                             X
Multicast Group Management                   X
Mobile Support                               X
ICMP policy on firewalls needs to change to support IPv6
132 Equivalent ICMPv6 (RFC 4890): Border Firewall Transit Policy (for your reference)
[Diagram: Internet - Firewall (B) - Internal Server (A)]
Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   A     129           0             Echo Reply
Permit   Any   A     128           0             Echo Request
Permit   Any   A     1             0             No Route to Dst.
Permit   Any   A     2             0             Too Big
Permit   Any   A     3             0             Time Exceeded
Permit   Any   A     4             0             Parameter Problem
133 Potential Additional ICMPv6 (RFC 4890): Border Firewall Receive Policy (for your reference)
[Diagram: Internet - Firewall (B) - Internal Server (A)]
Action   Src   Dst   ICMPv6 Type   ICMPv6 Code   Name
Permit   Any   B     2             0             Too Big
Permit   Any   B     4             0             Parameter Problem
Permit   Any   B     130-132                     Multicast Listener (for locally generated traffic)
Permit   Any   B     133/134       0             NS & NA
Deny     Any   Any
134 Preventing IPv6 Routing Attacks: Protocol Authentication
BGP, ISIS, EIGRP: no change, an MD5 authentication of the routing update
OSPFv3 has changed: it pulled MD5 authentication from the protocol and is instead supposed to rely on transport mode IPsec
RIPng and PIM also rely on IPsec
IPv6 routing attack best practices:
- Use traditional authentication mechanisms on BGP and IS-IS
- Use IPsec to secure protocols such as OSPFv3 and RIPng
135 OSPF or EIGRP Authentication (for your reference)
interface Ethernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 ABCDEF

interface Ethernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 MYCHAIN
key chain MYCHAIN
 key 1
  key-string ABCDEF
  accept-lifetime local 12:00:00 Dec 00:00:00 Jan
  send-lifetime local 00:00:00 Jan 23:59:59 Dec
136 Attacks with Strong Similarities
Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attacks utilising MITM will have the same likelihood in IPv6 as in IPv4
Flooding: flooding attacks are identical between IPv4 and IPv6
137 Specific Issues
138 Privacy Extensions (RFC 3041)
[Diagram: an IPv6 address as prefix (>20 bits) + subnet + 64-bit interface ID. Interface ID from MAC address + EUI-64 = known identity; interface ID per RFC3041 = random identity.]
Temporary addresses for IPv6 host client applications, e.g. web browser
- Inhibit device/user tracking
- Random 64-bit interface ID, then run Duplicate Address Detection before using it
- Rate of change based on local policy
Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)
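How the two identities on the slide are built, as an added example (Python, not from the deck; the MAC address and prefix are constructed, and the random identifier follows RFC 4941 in clearing the u/l bit of the first octet):

```python
"""EUI-64 interface identifiers versus random (RFC 3041/4941) identifiers.

Added example, not from the slides: derives the EUI-64 interface ID a host
builds from its MAC address, shows that the MAC can be read straight back
out of such an address (the tracking problem the slide describes), and
builds a random identifier the way the privacy extensions do.
"""
import ipaddress
import secrets


def eui64_interface_id(mac):
    """Modified EUI-64: MAC with FFFE inserted and the u/l bit (0x02) flipped."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def address_from_eui64(prefix, mac):
    """The SLAAC address a host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC if the interface ID looks EUI-64 derived, else None.

    This is the 'known identity' on the slide: the same interface ID follows
    the device into every prefix it ever attaches to.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                        # undo the u/l bit flip
    return ":".join("%02x" % b for b in bytes([first]) + iid[1:3] + iid[5:])


def random_interface_id():
    """Temporary ID per RFC 4941: 64 random bits with the u/l bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                               # clear bit 0x02: locally administered
    return bytes(iid)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                    # constructed MAC address
    fixed = address_from_eui64("2001:db8:1::/64", mac)
    print(fixed, "->", mac_from_address(fixed))  # the MAC is visible to every peer
    temp = ipaddress.IPv6Address(b"\x20\x01\x0d\xb8\x00\x01\x00\x00" + random_interface_id())
    print(temp, "->", mac_from_address(temp))    # None: nothing to track
```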
139 Disabling Privacy Extension: Windows XP, 2003, Vista, 7, 2008 (for your reference)
Microsoft Windows: deploy a Group Policy Object (GPO), or disable with the netsh CLI
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
Alternatively:
- Use DHCP to a specific pool
- Ingress filtering allowing only this pool
140 Header Manipulation
Unlimited size of the header chain (spec-wise) can make filtering difficult
Potential DoS with poor IPv6 stack implementations
- More boundary conditions to exploit
- Can I overrun buffers with a lot of extension headers?
[Sniffer screenshot: "perfectly valid according to the sniffer": a header which should only appear once, a Destination Options header which should occur twice at most, and a Destination Options header which should be the last header.]
See also: [link not preserved in the transcription]
141 The IPsec Myth: IPsec End-to-End will Save the World
IPv6 mandates the implementation of IPsec; IPv6 does not require the use of IPsec
Some organisations believe that IPsec should be used to secure all flows...
- Interesting scalability issue (n^2 issue with IPsec)
- Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, & no firewall policy points can be used
- IOS 12.4(20)T can parse the AH
- Network telemetry is blinded: NetFlow is of little use
- Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: reserve IPsec for residential or hostile environments or high profile targets.
142 IPv4 to IPv6 Transition Challenges
16+ methods, possibly in combination
Dual stack
- Consider security for both protocols
- Cross v4/v6 abuse
- Resiliency (shared resources)
- Security policy is only as good as the weakest protocol
Tunnels
- Bypass firewalls (protocol 41 or UDP)
- Can cause asymmetric traffic (hence breaking stateful firewalls)
143 Enforcing a Security Policy
144 IOS IPv6 Extended ACL
Can match on:
- Upper layers: TCP, UDP, SCTP port numbers; TCP flags SYN, ACK, FIN, PUSH, URG, RST; ICMPv6 code and type
- Traffic class (only six bits of 8) = DSCP
- Flow label (0-0xFFFFF)
- IPv6 extension headers: routing matches any RH, routing-type matches a specific RH; mobility matches any MH, mobility-type matches a specific MH; dest-option matches any, dest-option-type matches specific destination options; auth matches AH
- Can skip AH (but not ESP) since IOS 12.4(20)T
- fragments keyword matches non-initial fragments (same as IPv4) and the first fragment if the L4 protocol cannot be determined
- undetermined-transport keyword matches (only for deny) any packet whose L4 protocol cannot be determined: fragmented or unknown extension header
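The header-chain inspection behind the Routing Header slides (124 to 126), the Header Manipulation slide (140) and the ACL keywords above, as an added example (Python, not from the deck or from IOS; the packets are constructed stand-ins with a zeroed TCP header, and the two helper predicates model the fragments and undetermined-transport semantics the slide states):

```python
"""Walk an IPv6 extension-header chain the way a filtering device has to.

Added example, not from the slides: classifies constructed packets for the
conditions the deck discusses: a Type 0 Routing Header (deprecated by RFC
5095), a Hop-by-Hop header that is not first, repeated Destination Options,
and fragments or ESP that hide the upper-layer protocol.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
TCP = 6


def classify(packet):
    """Return what an ACL could learn from the header chain of one packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    report = {"chain": [], "rh0": False, "rh0_segments_left": 0,
              "hbh_not_first": False, "dest_opts_count": 0,
              "fragment": None, "transport": None,
              "undetermined_transport": False}
    next_header, offset = packet[6], 40
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(packet):            # chain runs past the packet end
            report["undetermined_transport"] = True
            return report
        report["chain"].append(next_header)
        if next_header == HOP_BY_HOP and len(report["chain"]) > 1:
            report["hbh_not_first"] = True      # must directly follow the base header
        if next_header == ESP:
            report["undetermined_transport"] = True   # everything after ESP is encrypted
            return report
        if next_header == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            report["fragment"] = "first" if frag_offset == 0 else "non-initial"
            if frag_offset:                     # L4 header is in another fragment
                report["undetermined_transport"] = True
                return report
            header_len = 8
        elif next_header == AH:
            header_len = (packet[offset + 1] + 2) * 4   # AH length in 4-octet units
        else:
            header_len = (packet[offset + 1] + 1) * 8   # others in 8-octet units
        if next_header == ROUTING and packet[offset + 2] == 0:
            report["rh0"] = True
            report["rh0_segments_left"] = packet[offset + 3]
        if next_header == DEST_OPTS:
            report["dest_opts_count"] += 1
        next_header = packet[offset]
        offset += header_len
    report["transport"] = next_header           # TCP=6, UDP=17, ICMPv6=58, ...
    return report


def acl_fragments_matches(report):
    """IOS 'fragments': non-initial fragments, or a first fragment with no visible L4."""
    return report["fragment"] == "non-initial" or (
        report["fragment"] == "first" and report["undetermined_transport"])


def acl_undetermined_transport_matches(report):
    """IOS 'undetermined-transport' (deny only): the L4 protocol cannot be found."""
    return report["undetermined_transport"]


# ---- constructed packets (no real traffic) --------------------------------
def ipv6_packet(next_header, payload):
    src = ipaddress.IPv6Address("2001:db8:1000::1").packed
    dst = ipaddress.IPv6Address("2001:db8:1000::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def rh0_header(hops, next_header):
    data = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # Hdr Ext Len counts 8-octet units after the first 8 bytes: two per address
    return struct.pack("!BBBB4x", next_header, 2 * len(hops), 0, len(hops)) + data


def fragment_header(next_header, offset_units, more):
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, 0x1234)


def padn_options(next_header):
    # Minimal 8-byte options header: one PadN option (type 1, length 4)
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


TCP_STUB = bytes(20)
PLAIN = ipv6_packet(TCP, TCP_STUB)
# A -> B -> A -> B with four segments left: the amplification case from slide 125
LOOPING = ipv6_packet(ROUTING, rh0_header(
    ["2001:db8:1000::1", "2001:db8:1000::2"] * 2, TCP) + TCP_STUB)
NON_INITIAL = ipv6_packet(FRAGMENT, fragment_header(TCP, 100, 0) + bytes(64))
MISORDERED = ipv6_packet(DEST_OPTS, padn_options(HOP_BY_HOP) + padn_options(TCP) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("rh0 loop", LOOPING),
                      ("non-initial fragment", NON_INITIAL), ("misordered", MISORDERED)]:
        print(name, classify(pkt))
```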
145 ACL Implicit Rules (RFC 4890)
Implicit entries exist at the end of each ACL to allow neighbor discovery:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Must explicitly deny NS or NA if they are to be filtered.
146 Rogue RA & DHCP Port ACL
Switch-based Port ACL to protect against rogue RAs & DHCP:
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
Cat6k and 4k have a system macro for RA Guard:
interface gigabitethernet 1/0/1
 switchport
 ipv6 nd raguard
Port ACL replaces Router ACL starting with the August 2010 releases onwards:
interface gigabitethernet 1/0/1
 switchport
 access-group mode prefer port
Nexus-7000, Cat 3750 12.2(46)SE, Cat4k 12.2(54)SG and Cat6k 12.2(33)SXI4
147 IPv6 ACL to Protect VTY (For Your Reference)
Protect VTY access to devices like you would with IPv4:
  ipv6 access-list VTY
    permit ipv6 2001:db8:0:1::/64 any
  line vty 0 4
    ipv6 access-class VTY in
Assess if IPv6 access is required in the management plane. Some NMS are still IPv4 only.
Low priority change for existing networks.
148 Control Plane Policing for Protecting the Router CPU (For Your Reference)
Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration...
Software routers (ISR, 7200): IPv6 works with CoPP (CEF exceptions)
  policy-map COPP
    class ICMP6_CLASS
      police 8000
    class OSPF_CLASS
      police
    class class-default
      police 8000
  !
  control-plane cef-exception
    service-policy input COPP
Cat 6k & 7600: IPv6 shares mls rate-limit with IPv4 for NDP & HL expiration
  mls rate-limit all ttl-failure 1000
  mls rate-limit unicast cef glean 1000
149 Summary of Cisco IPv6 Security Products
ASA Firewall
  Since version 7.0 (released 2005)
  Flexibility: dual stack, IPv6 only, IPv4 only
  SSL VPN for IPv6 (ASA 8.0)
  Stateful failover (ASA 8.2.2)
  Cannot configure extension headers in ACL (but parsing is done)
FWSM
  IPv6 in software, Mbps
  Not an option (put an IPv6-only ASA in parallel)
IOS Firewall
  IOS 12.3(7)T (released 2005)
  Zone-based firewall on IOS-XE 3.6 (2012)
Cisco Security Agent (EOS)
IPS
  Since version for network protection
  Since 6.2 (released 2008), management over IPv6: Q
Email Security Appliance (ESA)
  IPv6 under beta testing early 2010, shipping Q
Web Security Appliance (WSA)
  IPv6: Q
150 Security Best Practices
151 Candidate Best Practices
Train your network operators and security managers on IPv6
Selectively filter ICMP (RFC 4890)
Block Type 0 Routing Header at the edge
Copy the IPv4 Best Common Practices
  Implement RFC 2827-like filtering
  If the management plane is IPv4 only, block IPv6 to the core devices (else infrastructure ACL for IPv6)
  Determine what extension headers will be allowed through the access control device
  Deny fragments destined to an internetworking device when possible
  Use traditional authentication mechanisms on BGP and IS-IS
  Use IPsec to secure protocols such as OSPFv3 and RIPng
  Document procedures for last-hop traceback
152 Candidate Best Practices (Cont.)
Mainly for Enterprise Customers
  Implement privacy extensions carefully
  Filter internal-use addresses & ULA at the border routers
  Filter unneeded services at the firewall
  Maintain host and application security
  Use cryptographic protections where critical
  Implement ingress filtering of packets with multicast source addresses
  Use static tunnelling rather than dynamic tunnelling
  Implement outbound filtering on firewall devices to allow only authorised tunnelling endpoints
153 Summary
154 IPv6 Design and Deployment
IPv6 allows you to architect a new network frugally
  In parallel with and over existing infrastructure
  Minimal capital outlay
  Implement where it is needed
Consider routing co-existence
Consider addressing
  How will you allocate your prefixes to customers?
Consider interoperability between vendors
Consider billing systems
Watch the standards and policies
155 IPv6 Security
So, nothing really new in IPv6
  Reconnaissance: address enumeration replaced by DNS enumeration
  Spoofing & bogons: uRPF is our IP-agnostic friend
  NDP spoofing: RA guard and more features coming
  ICMPv6: firewalls need to change policy to allow NDP
  Extension headers: firewall & ACL can process them
  Amplification attacks by multicast mostly impossible
  Potential loops between tunnel endpoints: ACL must be used
Lack of operational experience may hinder security for a while: training is required
IPv6 security enforcement is possible
  Control your traffic as you do for IPv4
  Leverage IPsec to secure IPv6 when suitable
156 Recommended Reading
These books are excellent reference material
157 Recommended Reading (Security)
Source: Cisco Press
159 Q & A
160 The Answer
2,400 meters
161 The Math
At 1 Gbps a 1500 byte packet takes 0.000012 seconds (12 microseconds) to transmit
  1500 * 8 = 12,000 bits
  1 Gbps = 1,000,000,000 bps
  12,000 / 1,000,000,000 = 0.000012 seconds
Distance travelled by light (at 2/3 of c, roughly the speed in fibre) during this time is 2.4 km
  200,000,000 m/s * 0.000012 s = 2400 m = 2.4 km
So on a LAN there are very few bits on the wire at any given time; on a transpacific cable system there are a few thousand packets in flight
162 Complete Your Online Session Evaluation
Complete your session evaluation:
  Directly from your mobile device by visiting and login by entering your username and password
  Visit one of the Cisco Live internet stations located throughout the venue
  Open a browser on your own computer to access the Cisco Live onsite portal
Don't forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit