IPv6 in Campus Networks
Dave Twinam, Manager, Technical Marketing Engineering, Internet Systems Business Unit
dtwinam@cisco.com
Cisco Twinam IPv6 Summit 2003 Cisco Systems, Inc. All rights reserved.
IPv6: A Key Driver for the e-economy
- O.S. & Applications
- Restoring an environment for Innovation
- Mobile Networking
- The Ubiquitous Internet
- Agriculture/Wildlife
- Medical
- Transportation
- Consumer & Services
- Manufacturing
- e-nations
- Services on the edge of the Network
- Higher Ed./Research
- Government (Federal/Public Sector)
How Do We Get There from Here?
- IT departments must include IPv6 as a core element of their IT strategy.
- Applications must become protocol agnostic.
- IPv4 & IPv6 will coexist for the foreseeable future. No D-Day / Flag Day.
- Education & careful planning are crucial. How long does it take in your environment?
- IPv4 & IPv6 implementations must be scalable, reliable, secure and feature rich.
- Strategy that reflects this: starting with edge upgrades enables IPv6 service offerings now.
IPv6 Integration
- Many ways to deliver IPv6 services to end users; most important is end-to-end IPv6 traffic forwarding.
- Service providers and enterprises may have different deployment needs and mechanisms, but the basic steps are common:
  - Definition of an IPv6 addressing scheme
  - Selection of the IPv6 routing protocol(s)
  - DNS server ready to register AAAA records
  - IPv6 devices management rules over an IPv4 transport?
  - Security rules for IPv6 access
IPv6 Deployment Scenario for Enterprises

| Environment | Scenario | Cisco IOS support |
|---|---|---|
| WAN: IPv6 services available from ISP | Dual Stack | Yes |
| WAN: dedicated data link layers, e.g. LL, ATM & FR PVC, dWDM lambda | Dual Stack | Yes |
| WAN: no IPv6 services from ISP, or experimentation; few sites | Configured Tunnels | Yes |
| WAN: no IPv6 services from ISP, or experimentation; many sites, any-to-any communication | 6to4 | Yes |
| Campus: L3 infrastructure IPv6 capable | Dual Stack | Yes |
| Campus: L3 infrastructure not IPv6 capable, or sparse IPv6 hosts population | ISATAP | Yes |
IPv6 over WAN
IPv6 over WAN: Configured Tunnels
[Figure: an IPv6 packet (IPv6 header, transport header, data) carried behind an IPv4 header across the IPv4 Internet between two dual-stack IPv6 sites. Cisco IOS 12.3M/T and 12.2S (Cat. 6500) & 12.0S on C12000.]
- Manually configured tunnels (RFC 2893) or GRE
- IS-IS for IPv6 can only be configured over GRE tunnels
- Tunnel source and destination (IPv4) explicitly configured at end nodes
- Requires dual-stack router nodes or other end point (IPv4 and IPv6)
- As the number of sites grows: manageability
IPv6 over WAN: 6to4 Tunnels
[Figure: 6to4 address format (2002 | public IPv4 address | SLA | interface ID). Dual-stack IPv6 sites connected across the IPv4 Internet, with a 6to4 relay (anycast) toward the IPv6 Internet (2001::/16 address space). Cisco IOS 12.3M/T and 12.2S (Cat. 6500), 12.0S on C12000.]
- 6to4 tunnels (RFC 3056): automatic tunnel method
- Tunnels created dynamically based upon embedded IPv4 addresses
- NOT reliant upon an IPv6-ready provider
- Router tunnels IPv6 packets on the 6to4 tunnel whenever the next-hop IPv6 address is non-local and its prefix is 2002::/16
- Encapsulated packet gets its IPv4 destination address from the IPv4 address embedded in the next-hop IPv6 address
- 6to4 relay to be configured as default route to reach the IPv6 Internet
- Anycast (RFC 3068) to handle several relays
IPv6 on a Campus
IPv6 on a Campus: ISATAP Tunnels
[Figure: ISATAP address format: IPv6 prefix (::/64), then an interface ID made of 0000:5EFE (32 bits) followed by the IPv4 address (32 bits). Labels: native IPv6, IPv6 in IPv4 (ISATAP), IPv6 data center, IPv6 Internet/intranet, ISATAP router, IPv4 + IPv6 ISATAP network, dual-stack hosts. Cisco IOS 12.3M/T, 12.2S (Cat. 6500).]
- Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), IETF draft
- Automatic tunnels created dynamically based on embedded IPv4 addresses
- IPv6 unicast only
- Primarily intended for communication between [sparse] IPv6 hosts within a site that has no native IPv6 infrastructure other than an ISATAP router
- IPv6 hosts connect to a virtual IPv6 link that may span several IPv4 subnets, so they can communicate directly with each other
- IPv6 hosts reach the IPv6 Internet through an ISATAP router
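The 6to4 and ISATAP slides both rely on an IPv4 address embedded in the IPv6 address. The following Python code is an added example, not part of the original deck and not Cisco code: it recovers that embedded IPv4 endpoint so that tunnel addresses seen in logs or ACL reviews can be matched against IPv4 IPsec and filtering policy. The function names, the non-public range list and the sample addresses are constructed for illustration, and accepting the 0200:5EFE form of the ISATAP identifier goes beyond the slide (it follows the later RFC 5214).

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# Ranges that cannot be a public 6to4 endpoint (assumed list for this example).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def embedded_ipv4(addr):
    """Return (mechanism, IPv4Address) for a 6to4 or ISATAP address, else None."""
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    if ip in SIX_TO_FOUR:
        # 6to4 layout: 2002 (16 bits) | IPv4 address (32) | SLA (16) | interface ID (64)
        return "6to4", ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    iid = value & 0xFFFFFFFFFFFFFFFF
    # ISATAP interface ID: 0000:5EFE | IPv4 address. The mask also accepts
    # 0200:5EFE (u bit set), which is not on the slide.
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def audit_tunnel_addresses(addresses):
    """Map each tunnel-style address to (mechanism, IPv4 endpoint, verdict)."""
    findings = {}
    for addr in addresses:
        hit = embedded_ipv4(addr)
        if hit is None:
            continue  # native IPv6 address, no embedded IPv4 endpoint
        mechanism, v4 = hit
        # 6to4 needs a public IPv4 address; ISATAP is intra-site, private is fine.
        bad = mechanism == "6to4" and any(v4 in net for net in NON_PUBLIC_V4)
        findings[addr] = (mechanism, str(v4), "non-public-6to4" if bad else "ok")
    return findings


# Constructed sample addresses (documentation and private ranges).
SAMPLE = [
    "2002:c000:201:1::1",             # 6to4 site behind 192.0.2.1
    "2002:a01:101::1",                # 6to4 prefix built from 10.1.1.1
    "2001:db8:0:1:0:5efe:c633:6407",  # ISATAP host at 198.51.100.7
    "fe80::5efe:10.1.1.1",            # ISATAP link-local, private IPv4
    "2001:db8::1",                    # native address
]

if __name__ == "__main__":
    for address, finding in audit_tunnel_addresses(SAMPLE).items():
        print(address, finding)
```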
IPv6 on a Campus: Dual-Stack IPv4-IPv6
[Figure labels: 10 GE core, WAN & Internet access, data center.]
- Requires switching / routing platforms to support hardware-based forwarding for IPv4 & IPv6
- IPv6 is transparent on L2 switches, except for multicast (MLD snooping)
- Requires robust control plane for both IPv4 & IPv6
- Stateless autoconfiguration
- Routing protocols
- IPv6 multicast and other advanced services such as QoS
- Security through IPv6 access control capabilities, including option headers
- IPv4 & IPv6 control planes & data planes must not impact each other
IPv6 on a Campus: Data Center
[Figure labels: dual-stack campus, 10 GE core, 10 Mb/s to 10 GE link, NAT-PT, IPv4 server, dual-stack server, dual-stack mainframe.]
- Cisco Catalyst 6500: IPv6 HW FW on Supervisor Engine 720: 200+ Mpps; 10 Mb/s to 10 Gb/s Ethernet ports
- Cisco IOS NAT-PT: to enable IPv6 clients to access an IPv4 server that can't be upgraded to dual stack
Catalyst 6500 Series: IPv6 Hardware Forwarding
- Shipping production hardware & software for IPv6
- Hardware IPv6 support for:
  - IPv6 unicast forwarding
  - IPv6 tunneling: configured, automatic, 6to4, and ISATAP tunnels
  - IPv6 ACLs: extended and reflexive ACLs
  - IPv6 NetFlow statistics
  - IPv6 over VLAN
- Key control plane features:
  - Static, RIPv6, OSPFv3, IS-IS for v6, MP-BGP for v6
  - ICMPv6, Neighbor Discovery (ND) and stateless autoconfiguration
- Management and troubleshooting:
  - Ping, Traceroute, Telnet and SSH, TFTP, DNS
  - Hardware Based Network Analysis Module
- IPv6 QoS and IPv6 multicast in trials
Catalyst 6500 Series NAM
- Introducing IPv6 network management capabilities
- IPv6 monitoring and decodes with NAM
- Can set up alarms with IPv6 addresses
- Can configure an easy IPv6 capture filter and IPv6 historical reports
Cisco Catalyst 6500: IPv6 Switching Solutions
- In July 2003, Cisco Systems commissioned the European Advanced Networking Test Center (EANTC) to verify Catalyst 6500 performance numbers
- Showed 200+ Mpps of IPv6 throughput
- Showed no performance degradation with advanced features enabled:
  - NetFlow statistics collection
  - Access control lists
  - QoS
- http://www.eantc.com/
- The Catalyst 6500, equipped with the new Supervisor Engine 720 and populated with 3rd Generation Gigabit Ethernet cards, achieved or in many cases exceeded Cisco's performance claims for the switch
- Performance was unaffected by very significant quantities of value-added features, and the Catalyst demonstrated massive multicast scalability
Catalyst 3750 Series: IPv6 Hardware Forwarding
- Shipping production hardware; IPv6 software in Q3 CY04
- Hardware IPv6 support for:
  - IPv6 unicast forwarding
  - IPv6 over VLAN
- Key control plane features:
  - Static, RIPv6, OSPFv3
  - ICMPv6, Neighbor Discovery (ND) and stateless autoconfiguration
- Management and troubleshooting:
  - Ping, Traceroute, Telnet and SSH, TFTP, DNS
- IPv6 across Cisco StackWise Technology
- Embedded management with CMS for IPv6 basic support
Conclusion
- Cisco has a large suite of products which are IPv6 ready and driving the adoption of IPv6 today.
- Applications and OSs are rapidly becoming more prevalent, enabling production deployments to occur.
- Your Cisco infrastructure is IPv6 ready. The time is NOW!
- www.cisco.com/ipv6
IPv6 over WAN: Securing IPv6 Tunnels
- Manual IPv6 over IPv4 tunnels can be secured using IPv4 IPsec
- 6to4 tunnels between an enterprise's remote sites can be secured using IPv4 IPsec and can benefit from the key distribution mechanisms for sites on a corporate network
- Remote sites that only get a dynamic IPv4 address can still re-negotiate the tunnel endpoint with a central site and secure the connection using IPv4 Dynamic IPsec on Cisco IOS
- Securing IPv6 over IPv4 tunnels with IPv4 IPsec over UDP on Cisco IOS enables NAT and firewall traversal in a secure way
- IPv6 ACL must be applied to the tunnel endpoints to secure the IPv6 traffic
Industry's Broadest Platform Support
- Cisco IOS 12.0S (2001): Cisco 12000 Series Routers, Cisco 10720 Series
- Cisco IOS 12.3 (2003): Cisco 800 Series Routers, Cisco 1700 Series Routers, Cisco 2600 Series Routers, Cisco 3600 Series Routers, Cisco 3700 Series Routers, Cisco 7200 Series Routers, Cisco 7300 Series Routers, Cisco 7500 Series Routers
- Cisco IOS 12.2S (2004): Cisco 72/7300 Series Routers, Cisco 75/7600 Series Routers, Cisco 10000 Series Routers, Cisco 12000 Series Routers, Catalyst 3750 Series, Catalyst 4500 Series, Catalyst 6500 Series
- Cisco Product Portfolio: PIX Firewall 2004; Mobile Wireless, Home Networking; IP Telephony - Radar
Cisco IPv6 Firewall Statement of Direction
Cisco's firewall technology portfolio will support IPv6 firewall implementations to ensure secure deployment of IPv6 networks commencing in 2004.
http://www.cisco.com/en/us/products/hw/vpndevc/ps2030/prod_white_papers_list.html