IPv6 Planning (Session 9267)

Similar documents
IPv6 Planning. Kevin Manweiler, CCIE 5269 Junnie Sadler, CCIE 7708 Cisco Systems, Inc.

IPv6 Implementation (Session 13234)

Federal Agencies and the Transition to IPv6

Enterprise IPv6, Affecting Positive Change

IPv6 in Campus Networks

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

IPv4/v6 Considerations Ralph Droms Cisco Systems

Case Study: Professional Services Firm Ensures Secure and Successful IPv6 Deployments for Customers with the OptiView XG Network Analysis Tablet

Deploying IPv6 in Campus Networks

Multihoming. Copy Rights

Transitioning to IPv6

Deploying IPv6 in Campus Networks

IPv6 Transition Mechanisms

IPv6 Deployment at the University of Pennsylvania

IPv6 in Internet2. Rick Summerhill Associate Director, Backbone Network Infrastructure, Internet2

IPv6 Transition Mechanisms

IPv6 Deployment Experiences

IPv6 Enablement for Enterprises. Waliur Rahman Managing Principal, Global Solutions April, 2011

TDC 563 Protocols and Techniques for Data Networks

Migration to IPv6 from IPv4. Is it necessary?

Why IPv6? Roque Gagliano LACNIC

Finding IPv6 Where You Least Expect It Using LiveAction Software to Visualize and Troubleshoot IPv6 on Your Network

IPv6 Address Planning

IPv6 Feature Facts

Guide to TCP/IP Fourth Edition. Chapter 11: Deploying IPv6

IPv6 Next generation IP

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

Customer IPv6 Delivery

Migration Technologies. Dual Stack and Tunneling Using GRE, 6to4, and 6in4.

IPv6 Network Management

Internet of Things (IOT) Things that you do not know about IOT

Performance Comparison of Internet Protocol v4 with Internet Protocol v6

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

IPv6. Internet Technologies and Applications

Planning for Information Network

IPv6 Deployment Planning

IPv6 Deployment Planning. Philip Smith PacNOG 10, Nouméa 21 st November 2011

IPv6 Deployment and Considerations

Internet Addresses Reading: Chapter 4. 2/11/14 CS125-myaddressing

Computer Networks and Data Systems

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al)

MUM Lagos Nigeria Nov 28th IPv6 Demonstration By Mani Raissdana

COE IPv6 Roadmap Planning. ZyXEL

ENTERPRISE. Brief selected topics. Jeff Hartley, SP ADP SE

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

The future in your hands!!: Deploying IPv6

Insights on IPv6 Security

IPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA

Help I need more IPv6 addresses!

Integrated Security 22

World IPv6 Launch and Penn

Chapter 3 - Implement an IP Addressing Scheme and IP Services to Meet Network Requirements for a Small Branch Office

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

IPv6 Migration - Why do I care anyway? WELCOME Rick Wylie KeyOptions MacSysAdmin 2012

OSI Data Link & Network Layer

IPv6 and IPv4: Twins or Distant Relatives

Inter-Domain Routing: BGP

IPv6: An Introduction

Patrick Grossetete Cisco Systems Cisco IOS IPv6 Product Manager 2003, Cisco Systems, Inc. All rights reserved.

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

IPv6 Bootcamp Course (5 Days)

Insights on IPv6 Security

IPv6 Module 6x ibgp and Basic ebgp

6DISS services. Tim Chown

Radware ADC. IPV6 RFCs and Compliance

MIGRATION OF INTERNET PROTOCOL V4 TO INTERNET PROTOCOL V6 USING DUAL-STACK TECHNIQUE

IPv6: The Ins and Outs. Chris Buechler

Transition To IPv6 October 2011

IP version 6. The not so new next IP version. dr. C. P. J. Koymans. Informatics Institute University of Amsterdam.

CSE/EE 461: Introduction to Computer Communications Networks Autumn Module 9

CCNA Routing and Switching (NI )

Holistic IPv6 Transition Yanick Pouffary HP Distinguished Technologist HP IPv6 Global Leader, HP Technology Services Office of the CTO

But we ve always done it this

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

IPv6 Module 4 OSPF to IS-IS for IPv6

TEXTBOOK MAPPING CISCO COMPANION GUIDES

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Questions for Decision Makers

Exam Name: VMware Certified Associate Network Virtualization

Chapter 19 Network Layer: Logical Addressing 19.1

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

IPv6 Addressing Guide. Revision: H2CY10

Computer Networks and Data Systems

Enterprise IPv6 Deployment. Shannon McFarland CCIE# 5245 Corporate Consulting Engineer Office of the CTO

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

OSI Data Link & Network Layer

SOSPG1: IPv6, Tomorrow s Network Here Today. Session Overview. In the beginning 8/8/2011

IPv6 Addressing. There are three types of IPV6 Addresses. Unicast:Multicast:Anycast

CSE 123b Communications Software

Quick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004

6421A: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

DREN IPv6 Implementation Update

Foreword xxiii Preface xxvii IPv6 Rationale and Features

OSI Data Link & Network Layer

Request for Comments: 5569 Category: Informational January 2010 ISSN:

IPv6 at takeoff speed. Brian Carpenter Distinguished Engineer, IBM Chair, IETF June 2005

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

What Enterprises Should Do About IPv6 In 2012

The Regional Internet Registries

Transcription:

IPv6 Planning (Session 9267) Cisco Systems Inc. Kevin Manweiler, CCIE 5269 kmanweil@cisco.com Junnie Sadler, CCIE 7028 jrsadler@cisco.com Date of Presentation (Wednesday, August 10) Session Number (9267)

Motivation Your boss has just let you know that a customer mandates IPv6 connectivity for future mainframe EE in 6 months. Also, you recently read that the last IPv4 address block was allocated Company X

Advice from the Hitchhikers Guide to Networking Just because the last IPv4 address has been allocated doesn t mean The Internet is coming to a screeching halt No one is going to take your existing IPv4 addresses away Your whole network doesn t have to be configured with IPv6 immediately Other people have made the transition successfully You ve already been through this drill with the SNA to IP migration.

Agenda High Level Migration Steps Infrastructure Assessment Address Considerations Infrastructure Deployment Security Considerations Network Management Considerations SNAv6 Q&A References

IPv6 Planning Steps Business Case Identified/Justified Evaluate effect on business model 1 Establish IPv6 project management team 2 Assess network hardware and software 3 IPv6 Training strategy 4 Obtain IPv6 prefix(es) 5 Decide IPv6 architectural solution 6 Test application software and services 7 Develop security policy 8 Develop procurement plan 9 Develop IPv6 exception strategy 10

Public Service Announcement It s not required but advised to enlist outside aid How do you know what you don t know? Workshops Consultants Labs Training (in-side and out-side)

Major Design Decisions Addressing Subnetting Scheme Address Distribution Co-existence Methodology Migration Strategy Tunneling methods Provider Assigned (PA) /64 subnet everywhere Statically assigned Dual Stack Internet facing ISATAP Provider Independent (PI) /48 block (/44 if you can) Multiple /48 blocks (per region) Unique-local addressing /64 with /127 infrastructure /64 with link local infrastructure Stateless Autoconfiguration (SLAC) Tunneling Core outwards Toredo DHCP Translation Edge inward 6to4 Separate Infrastructure Combinations/ permutations Forklift / Everywhere at once

IPv6 Readiness Assessment Gives a high level view of IPv6 capability in the network Some device may just need a software upgrade others may never be capable of supporting IPv6

Infrastructure Assessment Cisco s IPv6 Network Readiness Assessment The assessment examines Cisco IOS based routers and Catalyst Operating System (CatOS) and IOS based switches. This assessment provides a capability assessment from a 3 point view. Hardware Can it support IPv6. Software -- Does it support IPv6. Feature Does it support what you are looking to use in your network. Devices Currently IPv6 Capable Devices Requiring Only Software Upgrade Hardware IPv6 Capable, requires IOS and FLASH Upgrade Hardware IPv6 Capable, requires IOS and DRAM Upgrade Hardware IPv6 Capable, requires IOS, DRAM and FLASH Upgrade Not IPv6 Capable Devices Requiring Further Analysis

Platform Considerations Scalability can play a big role in IPv6 deployments Dual stack can have 2x route table size, ARP cache, etc. Some platforms perform ASIC-based hardware packet forwarding. If traffic can t be forwarded in hardware it is punted to the Route Processor (RP). The RP has at least an order of magnitude less forwarding capability and induces delay. Feature Parity - basic IPv6 forwarding may exist but security and high availability features may not exist or be at that level of software.

Address Considerations Provider Independent or Provider Assigned Global, ULA, ULA + Global Prefix-length allocation Subnet length Address allocation method IP Address Management (IPAM)

RIRs Regional Internet Registries Apply for Provider Independent address space from appropriate RIR www.afrinic.net www.arin.net www.apnic.net www.lacnic.net www.ripe.net 12

Address Allocation Process Provider Assigned 2000::/3 IANA Provider Independent 2000::/3 /12 Registries /12 /32 ISP Org /48 /48 Enterprise 13

14 IPv6 Address Allocation Process Partition of Allocated IPv6 Address Space (example)

Hierarchical Addressing and Aggregation 2001:DB8:0001:0001::/64 2001:DB8:0001:0002::/64 Customer 1 ISP Only Announces the /32 Prefix 2001:DB8:0002:0001::/64 2001:DB8:0002:0002::/64 Customer 2 2001:DB8::/32 IPv6 Internet 2000::/3 Default is /48 can be larger End-user Additional Assignment https://www.arin.net/resources/request/ipv6_add_assign.html Provider independent See Number Resource Policy Manual (NRPM) https://www.arin.net/policy/nrpm.html 15

Network Level Considerations Global Unique Addresses Commonly referred to as Global IPv6 addresses Assigned by upstream provider A multi-homed site may have one or more available IPv6 address ranges The IPv6 address selection algorithm is key for good operation (RFC3484) 17

Unique-Local Addressing (RFC4193) Used for internal communications, inter-site VPNs Not routable on the internet basically RFC1918 for IPv6 only better less likelihood of collisions Default prefix is /48 /48 limits use in large organizations that will need more space Semi-random generator prohibits generating sequentially useable prefixes no easy way to have aggregation when using multiple /48s Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers remember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A Routing/security control You must always implement filters/acls to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is the only way the ULA scope can be enforced Generate your own ULA: https://www.arin.net/policy/nrpm.html Generated ULA= fd9c:58ed:7d73::/48 18 * MAC address=00:0d:9d:93:a0:c3 (Hewlett Packard) * EUI64 address=020d9dfffe93a0c3 * NTP date=cc5ff71943807789 cc5ff71976b28d86

ULA, ULA + Global or Global What type of addressing should I deploy internal to my network? It depends: ULA-only Today, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network ULA + Global allows for the best of both worlds but at a price much more address management with DHCP, DNS, routing and security Global-only Recommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option 19

Global-Only Recommended Internet Branch 1 Global 2001:DB8:CAFE::/48 Corp HQ 2001:DB8:CAFE:2800::/64 Branch 2 Corporate Backbone Global 2001:DB8:CAFE::/48 2001:DB8:CAFE:3000::/64 2001:DB8:CAFE:2::/64 Global is used everywhere No requirements to have NAT for ULA-to-Global translation but, NAT may be used for other purposes Easier management of DHCP, DNS, security, etc. Only downside is breaking the habit of believing that topology hiding is a good security method 20

Where do I start? Based on Timeframe/Use case Mainframe Internet Edge/DMZ Edge-to-Edge Labs & islands of IPv6 Core-to-Edge - Ideal Edge-to-Core Challenging but doable DC Access DC Aggregation DC/Campus Core Campus Block WAN Servers Branch Branch

IPv6 Deployment Three Major Options Dual-stack The way to go for obvious reasons: performance, security, QoS, multicast and management Layer 3 switches should support IPv6 forwarding in hardware Hybrid Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear Pro Leverage existing gear and network design (traditional L2/L3 and routed access) Con Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast IPv6 Service Block A new network block used for interim connectivity for IPv6 overlay network Pro Separation, control and flexibility (still supports traditional L2/L3 and routed access) Con Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast 23

IPv6 Deployment Options Dual-Stack IPv4/IPv6 IPv6/IPv4 Dual Stack Hosts #1 requirement switching/ routing platforms must support hardware based forwarding for IPv6 IPv6 is transparent on L2 switches but L2 multicast MLD snooping v6- Enabled L2/L3 v6- Enabled Access Layer Distribution Layer IPv6 management Telnet/SSH/HTTP/SNMP Intelligent IP services on WLAN Expect to run the same IGPs as with IPv4 v6- Enabled v6-enabled Dual Stack Dual Stack v6- Enabled v6-enabled Core Layer Aggregation Layer (DC) Access Layer (DC) Dual-stack Server 24

IPv6 Deployment Options Hybrid Model Offers IPv6 connectivity via multiple options Dual-stack Configured tunnels L3-to-L3 ISATAP Host-to-L3 Leverages existing network Offers natural progression to full dual-stack design May require tunneling to less-than-optimal layers (i.e. core layer) ISATAP creates a flat network (all hosts on same tunnel are peers) Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today) Provides basic HA of ISATAP tunnels via old Anycast-RP idea IPv6/IPv4 Dual Stack Hosts NOT v6- Enabled v6- Enabled v6-enabled ISATAP Dual Stack Dual-stack Server ISATAP Dual Stack L2/L3 NOT v6- Enabled v6- Enabled v6-enabled Access Layer Distribution Layer Core Layer Aggregation Layer (DC) Access Layer (DC) 25

Campus IPv6 Deployment Options IPv6 Service Block an Interim Approach Provides ability to rapidly deploy IPv6 services without touching existing network Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations) Offers the same advantages as Hybrid Model without the alteration to existing code/configurations Configurations are very similar to the Hybrid Model ISATAP tunnels from PCs in access layer to service block switches (instead of core layer Hybrid) 1) Leverage existing ISP block for both IPv4 and IPv6 access 2) Use dedicated ISP connection just for IPv6 Can use IOS FW or PIX/ASA appliance Access Layer Dist. Layer Core Layer VLAN 2 Agg Layer Access Layer VLAN 3 IPv4-only Campus Block ISATAP IPv6 Service Block Dedicated FW IOS FW 2 Internet Primary ISATAP Tunnel Secondary ISATAP Tunnel Data Center Block 1 WAN/ISP Block 26

Security Considerations A lot of early docs touted IPv6 s inherent security and IPSec use. This is a false sense of security What s old is new: old exploits re-introduced with a v6 at the end. IPv6 is enabled by default on Windows Vista and 7. IPv6 Bogon list- http://www.cymru.com/bogons/ipv6.txt 27

Network Management Considerations Do your NMS tools understand IPv6 addresses? IPv6 specific MIBs Don t necessarily have to use IPv6 transport to manage IPv6 networks - many NMS tools (and network devices) don t support polling, etc. via IPv6 today Netflow version 9 for IPv6 support IP-SLAs support IPv6 28

Conclusion Dual stack where you can Tunnel where you must Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by default understand what impact any OS has on the network Deploy it at least in a lab IPv6 won t bite Things to consider: Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals Don t be too late to the party anything done in a panic is likely going to go badly 29

30 Q&A

Reference Materials 31 Deploying IPv6 in Campus Networks: http://www.cisco.com/en/us/docs/solutions/enterprise/campus/campipv6.html Deploying IPv6 in Branch Networks: http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html CCO IPv6 Main Page: http://www.cisco.com/go/ipv6 Cisco Network Designs: http://www.cisco.com/go/designzone ARIN IPv6 Wiki: http://www.getipv6.info/index.php/main_page World IPv6 Day (June 8, 2011): http://isoc.org/wp/worldipv6day/ IPv6 at IBM http://www-01.ibm.com/software/info/ipv6/index.jsp IBM IPv6 Compliance http://www-01.ibm.com/software/info/ipv6/compliance.jsp Security for IPv6 Routers www.nsa.gov/ia/_files/routers/i33-002r-06.pdf

32 End of Session

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback