Case Study: Professional Services Firm Ensures Secure and Successful IPv6 Deployments for Customers with the OptiView XG Network Analysis Tablet


At a Glance:
Customer: Nephos6
Industry: Professional Services
Location: Raleigh, NC
Challenge: Quickly build a network capable of demonstrating multiple key IPv6 technologies in support of customer training and transaction programs.
Result: The OptiView XG Network Analysis Tablet reduced deployment time by providing fast and accurate device discovery, identification of tunneling protocols, and easy-to-use tools for troubleshooting integration issues.
Product: OptiView XG Network Analysis Tablet

Overview

IPv6 adoption is accelerating globally. Integrators, long bereft of adequate IPv6 support in IT infrastructure, are demanding feature parity to support next-generation network rollouts. In addition to routers, operating systems, and other standard IT infrastructure, network engineers and technicians need IPv6-capable monitoring and analysis tools. NETSCOUT OptiView XG Network Analysis Tablet, already a staple tool in many organizations, is ready. With capabilities for IPv6 network discovery, tunneling protocol identification, router advertisement analysis, and IPv6 services detection, OptiView XG is an invaluable aid in supporting IPv6 deployment, troubleshooting integration issues, and helping identify unintentional IPv6 deployment.

The Review

In February 2011, the Internet Assigned Numbers Authority (IANA) distributed the last five /8 (historically referred to as "Class A") IPv4 address blocks to the Regional Internet Registries (RIR). This event signaled the beginning of the end for the IPv4-based Internet and heralded the start of the global transition to the next generation Internet protocol, IPv6. Standardized in 1995, IPv6 is designed to enhance the Internet protocol and address the issue of IP resource exhaustion, but had never found significant purchase in the marketplace for a variety of economic and technology reasons. While some technology camps believed Network Address Translation (NAT) would suffice, Internet scalability requirements and the ever increasing complexity of multiple NATted environments make a compelling case for IPv6 adoption now.

Despite a lack of widespread interest in IPv6, numerous organizations, including world governments, large IT product companies, major service providers, and some early adopters blazed the trail of IPv6 adoption. The Internet Engineering Task Force (IETF) developed mechanisms to support the co-existence of IPv4 and IPv6 and to mitigate some of the financial burden of migration.
IT vendors incorporated support for IPv6 in many of their mainstream products. Emerging from this collective effort of the early adopters are methodologies and best practices for the secure and efficient deployment of IPv6.

Nephos6, Inc. is an IPv6 and Cloud Computing Professional Services firm located in Raleigh, NC. The company was founded by a number of industry experts with significant deployment experience in IPv6 (and cloud computing). The company uses a five-stage methodology to manage the IPv6 integration effort for enterprises and service providers. The first four stages involve cultivating a common understanding of the current environment, aligning business and technical drivers, assessing the IT infrastructure and support systems for IPv6 support capability, and developing architectures and plans for deployment. The fifth stage, Implementation, sees the rollout of IPv6 in a controlled but progressive manner.

The ultimate goal environment for any IPv6 adoption program is one with dual stack (both IPv4 and IPv6 running concurrently on the same device) enabled on all devices throughout the organization. But the path to achieving a dual stack installation is rarely the same from organization to organization. Despite different approaches to the end state, all well-managed deployments embody these approaches:

1. Validate and test designs: configurations and architectures are evaluated in isolated labs first and then systematically deployed in the production environment.
2. Manage and troubleshoot deployments: nothing ever goes perfectly the first time. Invariably, equipment malfunctions, human error, or Murphy's Law interfere during deployments and require systematic troubleshooting to correct.
3. Monitor for unauthorized/rogue IPv6 devices: IPv6 is supported in most modern IT devices and operating systems, and is enabled by default in some cases. Unintentional deployment is a security issue and needs to be monitored and managed.
A critical element of the implementation process is effective tools to support these key activities. Nephos6 uses packet capture software and network analysis tools but wanted to see if the market offered a comprehensive, portable, and remotely accessible tool.

Yurie Rich, chief operating officer of Nephos6, recalls, "It was interesting. I interacted with NETSCOUT all the way back in 2000 when I started working with IPv6, then again sometime in 2007 or 2008 as their OptiView team was working towards JITC [Joint Interoperability Test Command] IPv6 certification. I guess it was kismet when they reached out to our CEO, Ciprian (Chip) Popoviciu, to see if we'd be interested in evaluating the XG."

After reviewing the OptiView XG's capabilities on paper, John Spence, vice president of IP Services at Nephos6, developed a series of trials to test OptiView XG's capabilities. John recalls, "Chip, Yurie and I spent some time thinking about the commonality of the deployments we'd been involved with. No two are the same, but generally you see testing in the lab, a controlled rollout (or prototype or pilot or all of these) into the production environment using one or more transition technologies, then testing and remediation of any problems. That process is continuously evolved until the organization ends up with the optimal target architecture that is operationally sound and dual-stack enabled."

The OptiView XG contains a robust discovery capability and the ability to capture IPv6 tunnel traffic and identify the type of transition mechanism being used. It can also identify a number of the IPv6 service types a node is offering and analyze router advertisements. Collectively, these features provided a valuable tool chest to support Nephos6's common requirements.

Leveraging the Network and Device Discovery Feature

Figure 1 is a very simplified diagram of a typical enterprise environment. It consists of three disparate campus environments, a data center, and centralized access to the Internet. John developed a lab environment that mirrored this architecture and identified touch points to connect the OptiView XG. Most IPv6 deployments start with a prototype conducted in a lab. The first step was to leverage the OptiView XG's discovery capability.

Figure 1: Example Enterprise Architecture

The lab started as IPv4-only, and IPv6 was then enabled on a few devices. The OptiView XG allows both on-subnet device discovery and, through some configuration parameters, discovery of off-subnet devices as well. In IPv6 deployments, most enterprises (and service providers) will likely want a managed IPv6 address space, meaning the use of DHCPv6. Information provided by the Discovery process will verify that nodes are using properly obtained IPv6 address configuration information. The Discovery process also categorizes discovered nodes as a router, server, switch, or end node. Figure 2 is a sample screen capture of the OptiView XG Discovery user interface from the lab on one subnet.

Figure 2: OptiView XG Network and Device Discovery Interface

The highlighted device is a server on this particular LAN segment. The IPv6 address space is highly diversified. In addition to having a number of address types (unicast, multicast, anycast - like IPv4), there are address scopes (such as link local - identifiable here as fe80::82c:6ff:fe55:1c2b). And, just to make things a bit more interesting, IPv6 addresses can be derived through a number of processes. Here, the upstream router is configured to use address autoconfiguration and send router advertisements (RAs) to the node, which is properly configuring its IPv6 address based partly on information contained in the RA. The preference in this case is an address configured using the Extended Unique Identifier (EUI-64) process. This is verified by examining the last 64 bits, which have the hex characters FF FE placed in the middle of the MAC address. Combined with the prefix of 2001:db8:ff:70::/64, the interface created 2001:db8:ff:70:82c:6ff:fe55:1c2b as its IPv6 address.

The Nephos6 team quickly recognized several benefits of the OptiView's Discovery capability:

1. Validation of on-link device IPv6 configuration: recall that one of the common requirements of all IPv6 integration processes is the need to test and validate deployments. The information supplied by the OptiView XG clearly yields solid information to verify IPv6 connectivity, IPv6 address information, and, with further analysis, what specific nodes are doing in terms of open ports and service offerings.
2. Identification of rogue or unintentional IPv6 deployment: anytime the discovery process is run and IPv6 devices are present on the link, the OptiView XG will find and report them.
3. Remote access means remote expertise: IPv6 skill sets take some time to accrue. It is not uncommon for field personnel, who do much of the heavy lifting in the IPv6 integration process, to be last on the list for IPv6 training. The remote access capability of the OptiView XG means that IPv6-savvy engineers can collaborate with field engineers to not only conduct testing and validation exercises, but also continue the IPv6 knowledge transfer process.

Integrating IPv6

Once base configurations are implemented and the environment is operating as predicted, the next step is to expand the deployment to other areas of the network. In the lab example, as shown in Figure 3, IPv6 is deployed in another section of the campus and the two islands are connected with a manually configured tunnel, commonly known as a 6in4 tunnel. At each tunnel end point, the routers are dual stacked, supporting both IPv4 and IPv6 simultaneously. The IPv6-in-IPv4 tunnels are manually configured on each router.

The OptiView XG is a very effective IPv6 tunneling identification tool. Figure 4 shows a screen capture of the IPv6 Tunneling Protocol user interface, which is found under the Traffic Analysis tab. In this particular example, John was able to place the OptiView XG discovery interface on a SPAN (monitor) port over which the IPv6 tunneled traffic was passing. Monitoring the traffic on that port, the OptiView XG automatically identifies the tunnel type as 6in4. The capture also identifies the tunnel end points, which is extremely important in the "detecting and eliminating rogues" scenario.

Figure 4: IPv6 Tunneling Protocol Screen Ca

"With the information provided on this screen, I can identify this traffic as one of my intended deployments. If I don't recognize those endpoints, it is easy to track them down through the DDI (DHCP, DNS, IP Address Management) infrastructure and work with IT to bring those deployments under control," commented John.

The OptiView XG's IPv6 Discovery capability is not limited to 6in4 tunnels. It supports identification of the most widely utilized tunnels leveraged in industry today (See table below).
This is exceptionally important, as most modern operating systems have IPv6 enabled by default and the stacks are aggressive about obtaining IPv6 connectivity via established transition mechanisms. As an example, Windows 7 has IPv6 enabled by default and, in an IPv4-only environment, will attempt to establish IPv6 capability via the 6to4, ISATAP, and Teredo transition mechanisms.
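
The address checks described above can also be scripted. The following Python is an added example, not code from NETSCOUT or Nephos6: it recovers the MAC address from an EUI-64 interface ID (modified EUI-64 also inverts the universal/local bit, so the MAC is not simply the interface ID with FF FE removed) and flags the 6to4, Teredo, and ISATAP address formats named in the text. The function names, the managed prefix list, and every sample address other than the two quoted from the case study are assumptions made for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface ID


def eui64_mac(addr):
    """Return the MAC address embedded in a modified EUI-64 interface ID, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":          # FF FE must sit between the two MAC halves
        return None
    # The universal/local bit (0x02 of the first octet) is inverted in the address.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def transition_mechanism(addr):
    """Return (mechanism, embedded IPv4 address) for 6to4, Teredo or ISATAP, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:          # 2002::/16, IPv4 in bits 16-47
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:             # 2001::/32, (server, client) pair
        return "Teredo", str(ip.teredo[1])
    iid = int(ip) & IID_MASK
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:   # ISATAP IID is [02]00:5efe:<IPv4>
        return "ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return None


def audit(observed, managed_prefixes):
    """List (address, reason) for tunnel addresses and for global addresses
    that fall outside the prefixes the organization manages."""
    nets = [ipaddress.ip_network(p) for p in managed_prefixes]
    findings = []
    for addr in observed:
        ip = ipaddress.IPv6Address(addr)
        tunnel = transition_mechanism(addr)
        if tunnel:
            findings.append((addr, f"{tunnel[0]} address embedding IPv4 {tunnel[1]}"))
        elif not ip.is_link_local and not any(ip in net for net in nets):
            findings.append((addr, "outside managed prefixes"))
    return findings


# Constructed sample: the two addresses quoted in the case study plus
# documentation-range addresses made up for this example.
OBSERVED = [
    "fe80::82c:6ff:fe55:1c2b",
    "2001:db8:ff:70:82c:6ff:fe55:1c2b",
    "2002:c000:204::1",                    # 6to4
    "2001:0:c000:201:0:f227:3fff:fdfb",    # Teredo
    "fe80::5efe:c000:204",                 # ISATAP
    "2001:db8:beef::1",                    # not in the managed /64
]

if __name__ == "__main__":
    for addr in OBSERVED:
        print(addr, "MAC:", eui64_mac(addr))
    for addr, reason in audit(OBSERVED, ["2001:db8:ff:70::/64"]):
        print("FLAG", addr, reason)
```
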

2017 NETSCOUT. Rev: 02/02/2017 9:43 am