IPv6 Planning. Kevin Manweiler, CCIE 5269 Junnie Sadler, CCIE 7708 Cisco Systems, Inc.

Similar documents
IPv6 Planning (Session 9267)

IPv6 Implementation (Session 13234)

Federal Agencies and the Transition to IPv6

Enterprise IPv6, Affecting Positive Change

IPv6 in Campus Networks

IPv4/v6 Considerations Ralph Droms Cisco Systems

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Case Study: Professional Services Firm Ensures Secure and Successful IPv6 Deployments for Customers with the OptiView XG Network Analysis Tablet

IPv6 Deployment at the University of Pennsylvania

IPv6 Deployment Experiences

Multihoming. Copy Rights

Deploying IPv6 in Campus Networks

Deploying IPv6 in Campus Networks

Transitioning to IPv6

IPv6 Transition Mechanisms

IPv6 Feature Facts

TDC 563 Protocols and Techniques for Data Networks

IPv6 Address Planning

Guide to TCP/IP Fourth Edition. Chapter 11: Deploying IPv6

IPv6 Enablement for Enterprises. Waliur Rahman Managing Principal, Global Solutions April, 2011

IPv6 Next generation IP

IPv6 in Internet2. Rick Summerhill Associate Director, Backbone Network Infrastructure, Internet2

IPv6 Transition Mechanisms

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Why IPv6? Roque Gagliano LACNIC

ENTERPRISE. Brief selected topics. Jeff Hartley, SP ADP SE

Planning for Information Network

Internet of Things (IOT) Things that you do not know about IOT

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al)

Inter-Domain Routing: BGP

IPv6 and IPv4: Twins or Distant Relatives

IPv6. Internet Technologies and Applications

IPv6 Deployment Planning

Performance Comparison of Internet Protocol v4 with Internet Protocol v6

IPv6 Module 6x ibgp and Basic ebgp

CCNA Routing and Switching (NI )

Customer IPv6 Delivery

IPv6 Module 4 OSPF to IS-IS for IPv6

Enterprise IPv6 Deployment Security and other topics

IPv6 Module 2 OSPF Areas

Help I need more IPv6 addresses!

IPv6 Implementation Best Practices For Service Providers

TEXTBOOK MAPPING CISCO COMPANION GUIDES

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Chapter 3 - Implement an IP Addressing Scheme and IP Services to Meet Network Requirements for a Small Branch Office

Migration Technologies. Dual Stack and Tunneling Using GRE, 6to4, and 6in4.

Migration to IPv6 from IPv4. Is it necessary?

IPv6 Deployment and Considerations

IPv6 Bootcamp Course (5 Days)

The future in your hands!!: Deploying IPv6

Finding IPv6 Where You Least Expect It Using LiveAction Software to Visualize and Troubleshoot IPv6 on Your Network

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

World IPv6 Launch and Penn

OSI Data Link & Network Layer

IP version 6. The not so new next IP version. dr. C. P. J. Koymans. Informatics Institute University of Amsterdam.

Integrated Security 22

IPv6 Network Management

But we ve always done it this

Insights on IPv6 Security

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

IPv6 Deployment Planning. Philip Smith PacNOG 10, Nouméa 21 st November 2011

IPv6 tutorial. RedIRIS Miguel Angel Sotos

DREN IPv6 Implementation Update

Patrick Grossetete Cisco Systems Cisco IOS IPv6 Product Manager 2003, Cisco Systems, Inc. All rights reserved.

IPv6: The Ins and Outs. Chris Buechler

IPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA

IPv6 Module 1 Basic Topology and Router Setup

IPv6 Addressing. There are three types of IPV6 Addresses. Unicast:Multicast:Anycast

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

Transition To IPv6 October 2011

Using IPv6. Daniel Hagerty

IPv6 Module 1a OSPF. Prerequisites: IPv4 Lab Module 1, knowledge of Cisco router CLI, and previous hands on experience.

Cisco Certified Network Associate ( )

Internet Addresses Reading: Chapter 4. 2/11/14 CS125-myaddressing

IPv6 Addressing Guide. Revision: H2CY10

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

CSE 123A Computer Netwrking

Computer Networks and Data Systems

MUM Lagos Nigeria Nov 28th IPv6 Demonstration By Mani Raissdana

IPv6 Migration - Why do I care anyway? WELCOME Rick Wylie KeyOptions MacSysAdmin 2012

MIGRATION OF INTERNET PROTOCOL V4 TO INTERNET PROTOCOL V6 USING DUAL-STACK TECHNIQUE

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

Securing the Transition Mechanisms

IPv6 Addressing case studies. Athanassios Liakopoulos

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

OSI Data Link & Network Layer

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

COE IPv6 Roadmap Planning. ZyXEL

IPv6: An Introduction

IPv6 on Campus. The stuff you need to know

OSI Data Link & Network Layer

Exam Topics Cross Reference

Insights on IPv6 Security

Enterprise IPv6 Deployment. Shannon McFarland CCIE# 5245 Corporate Consulting Engineer Office of the CTO

ISP Workshop Lab. Module 2 OSPF Areas

6DISS services. Tim Chown

What Enterprises Should Do About IPv6 In 2012

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Radware ADC. IPV6 RFCs and Compliance

Transcription:

IPv6 Planning Kevin Manweiler, CCIE 5269 kmanweil@cisco.com Junnie Sadler, CCIE 7708 jrsadler@cisco.com Cisco Systems, Inc. March 2, 2011 Session 8198

Motivation Your boss has just let you know that a customer mandates IPv6 connectivity for future mainframe EE in 6 months. Also, you recently read that the last IPv4 address block was allocated Company X 2

Advice from the Hitchhikers Guide to Networking Just because the last IPv4 address has been allocated doesn t mean The Internet is coming to a screeching halt No one is going to take your existing IPv4 addresses away Your whole network doesn t have to be configured with IPv6 immediately Other people have made the transition successfully You ve already been through this drill with the SNA to IP migration. 3

Agenda High Level Migration Steps Infrastructure Assessment Address Considerations Infrastructure Deployment Security Considerations Network Management Considerations SNAv6 Q&A References 4

IPv6 Planning Steps Business Case Identified/Justified Evaluate effect on business model 1 Establish IPv6 project management team 2 Assess network hardware and software 3 IPv6 Training strategy 4 Obtain IPv6 prefix(es) 5 Decide IPv6 architectural solution 6 Test application software and services 7 Develop security policy 8 Develop procurement plan 9 Develop IPv6 exception strategy 10 5

Public Service Announcement It s not required but advised to enlist outside aid How do you know what you don t know? Workshops Consultants 6

Major Design Decisions Addressing Subnetting Scheme Address Distribution Co-existence Methodology Migration Strategy Tunneling methods Provider Assigned (PA) /64 subnet everywhere Statically assigned Dual Stack Internet facing ISATAP Provider Independent (PI) /48 block (/44 if you can) Multiple /48 blocks (per region) Unique-local addressing /64 with /127 infrastructure /64 with link local infrastructure Stateless Autoconfiguration (SLAC) Tunneling Core outwards Toredo DHCP Translation Edge inward 6to4 Separate Infrastructure Combinations/ permutations Forklift / Everywhere at once 7

IPv6 Readiness Assessment Gives a high level view of IPv6 capability in the network Some device may just need a software upgrade others may never be capable of supporting IPv6 8

Platform Considerations Scalability can play a big role in IPv6 deployments Dual stack can have 2x route table size, ARP cache, etc. Some platforms perform ASIC-based hardware packet forwarding. If traffic can t be forwarded in hardware it is punted to the Route Processor (RP). The RP has at least an order of magnitude less forwarding capability and induces delay. Feature Parity - basic IPv6 forwarding may exist but security and high availability features may not exist or be at that level of software. 9

Summary of Address Considerations Provider Independent or Provider Assigned Global, ULA, ULA + Global Prefix-length allocation Subnet length Address allocation method IP Address Management (IPAM) 10

RIRs Regional Internet Registries Apply for Provider Independent address space from appropriate RIR www.afrinic.net www.arin.net www.apnic.net www.lacnic.net www.ripe.net 11

Address Allocation Process Provider Assigned 2000::/3 IANA Provider Independent 2000::/3 /12 Registries /12 /32 ISP Org /48 /48 Enterprise 12

13 IPv6 Address Allocation Process Partition of Allocated IPv6 Address Space (example)

Hierarchical Addressing and Aggregation Site 1 2001:DB8:0001:0001::/64 2001:DB8:0001:0002::/64 2001:DB8:0002:0001::/64 2001:DB8:0002:0002::/64 2001:DB8:0001::/48 Site 2 2001:DB8:0002::/48 ISP 2001:DB8::/32 Only Announces the /32 Prefix IPv6 Internet 2000::/3 Default is /48 can be larger End-user Additional Assignment https://www.arin.net/resources/request/ipv6_add_assign.html Provider independent See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html 14

Do I Get PI or PA? It depends PI space is great for ARIN controlled space (not all RIRs have approved PI space) PA is a great space if you plan to use the same SP for a very long time or you plan to NAT everything with IPv6 (not likely) More important things to consider do you get a prefix for the entire company or do you get one prefix per site (what defines a site?) 15

Network Level Considerations Global Unique Addresses Commonly referred to as Global IPv6 addresses Assigned by upstream provider A multi-homed site may have one or more available IPv6 address ranges The IPv6 address selection algorithm is key for good operation (RFC3484) 16

Unique-Local Addressing (RFC4193) Used for internal communications, inter-site VPNs Not routable on the internet basically RFC1918 for IPv6 only better less likelihood of collisions Default prefix is /48 /48 limits use in large organizations that will need more space Semi-random generator prohibits generating sequentially useable prefixes no easy way to have aggregation when using multiple /48s Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers remember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A Routing/security control You must always implement filters/acls to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is the only way the ULA scope can be enforced Generate your own ULA: http://www.sixxs.net/tools/grh/ula/ Generated ULA= fd9c:58ed:7d73::/48 17 * MAC address=00:0d:9d:93:a0:c3 (Hewlett Packard) * EUI64 address=020d9dfffe93a0c3 * NTP date=cc5ff71943807789 cc5ff71976b28d86

ULA, ULA + Global or Global What type of addressing should I deploy internal to my network? It depends: ULA-only Today, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network ULA + Global allows for the best of both worlds but at a price much more address management with DHCP, DNS, routing and security Global-only Recommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option 18

Global-Only Recommended Internet Branch 1 Global 2001:DB8:CAFE::/48 Corp HQ 2001:DB8:CAFE:2800::/64 Branch 2 Corporate Backbone Global 2001:DB8:CAFE::/48 2001:DB8:CAFE:3000::/64 2001:DB8:CAFE:2::/64 Global is used everywhere No requirements to have NAT for ULA-to-Global translation but, NAT may be used for other purposes Easier management of DHCP, DNS, security, etc. Only downside is breaking the habit of believing that topology hiding is a good security method 19

Using Link-Local for Non-Access Connections Under Research What if you did not have to worry about addressing the network infrastructure for the purpose of routing? IPv6 IGPs use LL addressing Only use Global or ULA addresses at the edges for host assignment For IPv6 access to the network device itself use a loopback Reduction in routing table size What happens to route filters? ACLs? Nothing, unless you are blocking to/from the router itself Stuff to think about: Always use a RID Some Cisco devices require ipv6 enable on the interface in order to generate and use a link-local address Enable the IGP on each interface used for routing or that requires its prefix to be advertised Downside: Broken trace route, operational changes, management tools 20

Where do I start? Based on Timeframe/Use case Mainframe Internet Edge/DMZ Edge-to-Edge Labs & islands of IPv6 Core-to-Edge - Ideal Edge-to-Core Challenging but doable DC Access DC Aggregation DC/Campus Core Campus Block WAN Mainframe Servers Branch Branch

IPv6 Deployment Three Major Options Dual-stack The way to go for obvious reasons: performance, security, QoS, multicast and management Layer 3 switches should support IPv6 forwarding in hardware Hybrid Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear Pro Leverage existing gear and network design (traditional L2/L3 and routed access) Con Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast IPv6 Service Block A new network block used for interim connectivity for IPv6 overlay network Pro Separation, control and flexibility (still supports traditional L2/L3 and routed access) Con Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast 22

IPv6 Deployment Options Dual-Stack IPv4/IPv6 IPv6/IPv4 Dual Stack Hosts #1 requirement switching/ routing platforms must support hardware based forwarding for IPv6 IPv6 is transparent on L2 switches but L2 multicast MLD snooping v6- Enabled L2/L3 v6- Enabled Access Layer Distribution Layer IPv6 management Telnet/SSH/HTTP/SNMP Intelligent IP services on WLAN Expect to run the same IGPs as with IPv4 v6- Enabled v6-enabled Dual Stack Dual Stack v6- Enabled v6-enabled Core Layer Aggregation Layer (DC) Access Layer (DC) Dual-stack Server 23

IPv6 Deployment Options Hybrid Model Offers IPv6 connectivity via multiple options Dual-stack Configured tunnels L3-to-L3 ISATAP Host-to-L3 Leverages existing network Offers natural progression to full dual-stack design May require tunneling to less-than-optimal layers (i.e. core layer) ISATAP creates a flat network (all hosts on same tunnel are peers) Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today) Provides basic HA of ISATAP tunnels via old Anycast-RP idea IPv6/IPv4 Dual Stack Hosts NOT v6- Enabled v6- Enabled v6-enabled ISATAP Dual Stack Dual-stack Server ISATAP Dual Stack L2/L3 NOT v6- Enabled v6- Enabled v6-enabled Access Layer Distribution Layer Core Layer Aggregation Layer (DC) Access Layer (DC) 24

Campus IPv6 Deployment Options IPv6 Service Block an Interim Approach Provides ability to rapidly deploy IPv6 services without touching existing network Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations) Offers the same advantages as Hybrid Model without the alteration to existing code/configurations Configurations are very similar to the Hybrid Model ISATAP tunnels from PCs in access layer to service block switches (instead of core layer Hybrid) 1) Leverage existing ISP block for both IPv4 and IPv6 access 2) Use dedicated ISP connection just for IPv6 Can use IOS FW or PIX/ASA appliance Access Layer Dist. Layer Core Layer VLAN 2 Agg Layer Access Layer VLAN 3 IPv4-only Campus Block ISATAP IPv6 Service Block Dedicated FW IOS FW 2 Internet Primary ISATAP Tunnel Secondary ISATAP Tunnel Data Center Block 1 WAN/ISP Block 25

Security Considerations A lot of early docs touted IPv6 s inherent security and IPSec use. This is a false sense of security What s old is new: old exploits re-introduced with a v6 at the end. IPv6 is enabled by default on Windows Vista and 7. IPv6 Bogon list- http://www.cymru.com/bogons/ipv6.txt 26

Network Management Considerations Do your NMS tools understand IPv6 addresses? IPv6 specific MIBs Don t necessarily have to use IPv6 transport to manage IPv6 networks - many NMS tools (and network devices) don t support polling, etc. via IPv6 today Netflow version 9 for IPv6 support IP-SLAs support IPv6 27

Conclusion Dual stack where you can Tunnel where you must Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by default understand what impact any OS has on the network Deploy it at least in a lab IPv6 won t bite Things to consider: Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals Don t be too late to the party anything done in a panic is likely going to go badly 28

29 Q&A

Reference Materials 30 Deploying IPv6 in Campus Networks: http://www.cisco.com/en/us/docs/solutions/enterprise/campus/campipv6.html Deploying IPv6 in Branch Networks: http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html CCO IPv6 Main Page: http://www.cisco.com/go/ipv6 Cisco Network Designs: http://www.cisco.com/go/designzone ARIN IPv6 Wiki: http://www.getipv6.info/index.php/main_page World IPv6 Day (June 8, 2011): http://isoc.org/wp/worldipv6day/ IPv6 at IBM http://www-01.ibm.com/software/info/ipv6/index.jsp IBM IPv6 Compliance http://www-01.ibm.com/software/info/ipv6/compliance.jsp Security for IPv6 Routers www.nsa.gov/ia/_files/routers/i33-002r-06.pdf

31 End of Session

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback