IPv6 Implementation (Session 13234)


IPv6 Implementation (Session 13234)
Kevin Manweiler, CCIE 5269, kmanweil@cisco.com
Junnie Sadler, CCIE 7708, jrsadler@cisco.com
Date of Presentation: Wednesday, August 14, 9:30 AM to 10:30 AM
Session Number: 13234

Motivation
Wednesday, August 14, 2013: 9:30 AM-10:30 AM
This session will use WEBEX to show a live IPv6 network composed of several components.
Your boss has just let you know that a customer mandates IPv6 connectivity for future mainframe EE in 6 months. Also, you recently read that the last IPv4 address block was allocated.
Company X

Key Question: Where do I Start?
Based on timeframe/use case:
- Core-to-Edge: fewer things to touch
- Edge-to-Core: challenging but doable
- Internet Edge: business continuity
[Diagram labels: DC Access, DC Aggregation, DC/Campus Core, Internet Edge, ISP, ISP, WAN, Servers, Branch, Branch]

Internet Edge to ISP
- Single Link, Single ISP
- Dual Links, Single ISP
- Multi-Homed, Multi-Region
Your ISP may not have IPv6 at the local POP.
[Diagram labels: ISP 1 POP1, ISP 1 POP2, ISP 1, USA, ISP2, ISP3, ISP4, Europe, Enterprise; Default Route, IPv4-only, BGP, IPv6 Tunnel, BGP]

[Figure: IPv6 Topo]

Advice from the Hitchhiker's Guide to Networking
Just because the last IPv4 address has been allocated doesn't mean:
- The Internet is coming to a screeching halt
- No one is going to take your existing IPv4 addresses away
- Your whole network doesn't have to be configured with IPv6 immediately
- Other people have made the transition successfully
- You've already been through this drill with the SNA to IP migration.

Agenda
- High Level Migration Steps
- Infrastructure Assessment
- Address Considerations
- Infrastructure Deployment
- Security Considerations
- Network Management Considerations
- SNAv6
- Q&A
- References

IPv6 Planning Steps
Business Case Identified/Justified
1. Evaluate effect on business model
2. Establish IPv6 project management team
3. Assess network hardware and software
4. IPv6 Training strategy
5. Obtain IPv6 prefix(es)
6. Decide IPv6 architectural solution
7. Test application software and services
8. Develop security policy
9. Develop procurement plan
10. Develop IPv6 exception strategy

Public Service Announcement
It's not required but advised to enlist outside aid. How do you know what you don't know?
- Workshops
- Consultants
- Labs
- Training (inside and outside)

Major Design Decisions Addressing Subnetting Scheme Address Distribution Co-existence Methodology Migration Strategy Tunneling methods Provider Assigned (PA) /64 subnet everywhere Statically assigned Dual Stack Internet facing ISATAP Provider Independent (PI) /48 block (/44 if you can) Multiple /48 blocks (per region) Unique-local addressing /64 with /127 infrastructure /64 with link local infrastructure Stateless Autoconfiguration (SLAAC) Tunneling Core outwards Teredo DHCP Translation Edge inward 6to4 Separate Infrastructure Combinations/permutations Forklift / Everywhere at once

IPv6 Readiness Assessment
Gives a high-level view of IPv6 capability in the network. Some devices may just need a software upgrade; others may never be capable of supporting IPv6.

Platform Considerations
- Scalability can play a big role in IPv6 deployments. Dual stack can have 2x route table size, ARP cache, etc.
- Some platforms perform ASIC-based hardware packet forwarding. If traffic can't be forwarded in hardware it is punted to the Route Processor (RP). The RP has at least an order of magnitude less forwarding capability and induces delay.
- Feature parity: basic IPv6 forwarding may exist but security and high availability features may not exist or be at that level of software.

Address Considerations
- Provider Independent or Provider Assigned
- Global, ULA, ULA + Global
- Prefix-length allocation
- Subnet length
- Address allocation method
- IP Address Management (IPAM)

RIRs: Regional Internet Registries
Apply for Provider Independent address space from the appropriate RIR:
- www.afrinic.net
- www.arin.net
- www.apnic.net
- www.lacnic.net
- www.ripe.net

Address Allocation Process
- Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP (/32) -> Enterprise (/48)
- Provider Independent: IANA (2000::/3) -> Registries (/12) -> Org (/48)

[Figure: IPv6 Address Allocation Process. Partition of Allocated IPv6 Address Space (example)]

Hierarchical Addressing and Aggregation
- Site 1: 2001:DB8:0001::/48, containing 2001:DB8:0001:0001::/64 and 2001:DB8:0001:0002::/64
- Site 2: 2001:DB8:0002::/48, containing 2001:DB8:0002:0001::/64 and 2001:DB8:0002:0002::/64
- ISP: 2001:DB8::/32. Only announces the /32 prefix to the IPv6 Internet (2000::/3).
- Default is /48; can be larger. End-user Additional Assignment: https://www.arin.net/resources/request/ipv6_add_assign.html
- Provider independent: see Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html

Network Level Considerations: Global Unique Addresses
- Commonly referred to as Global IPv6 addresses
- Assigned by upstream provider
- A multi-homed site may have one or more available IPv6 address ranges
- The IPv6 address selection algorithm is key for good operation (RFC3484)

Unique-Local Addressing (RFC4193)
- Used for internal communications and inter-site VPNs.
- Not routable on the Internet: basically RFC1918 for IPv6, only better, with less likelihood of collisions.
- Default prefix is /48. A /48 limits use in large organizations that will need more space. The semi-random generator prohibits generating sequentially usable prefixes, so there is no easy way to have aggregation when using multiple /48s.
- Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers. Remember the idea for ULA: internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A.
- Routing/security control: you must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range. Today this is the only way the ULA scope can be enforced.
- Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
  Generated ULA = fd9c:58ed:7d73::/48
  * MAC address = 00:0d:9d:93:a0:c3 (Hewlett Packard)
  * EUI64 address = 020d9dfffe93a0c3
  * NTP date = cc5ff71943807789 cc5ff71976b28d86
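The two ULA points above (semi-random /48 generation and perimeter enforcement) can be sketched as follows; this is an added example, not code from the presentation or from the SixXS tool. It follows the RFC 4193 section 3.2.2 method (SHA-1 over a 64-bit NTP timestamp and an EUI-64), and the function names are hypothetical. Because the generator's exact input is not given on the slide, the printed prefix is not claimed to reproduce the slide's value.

```python
import hashlib
import ipaddress

ULA_RANGE = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique-local space


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe mid-address and flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def generate_ula(ntp_timestamp: bytes, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = least significant 40 bits of SHA-1(time || EUI-64)."""
    if len(ntp_timestamp) != 8 or len(eui64) != 8:
        raise ValueError("both inputs must be 64 bits long")
    global_id = hashlib.sha1(ntp_timestamp + eui64).digest()[-5:]
    # 0xfd is fc00::/7 with the L bit set (locally assigned prefix)
    packed = bytes([0xFD]) + global_id + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def violates_ula_scope(src: str, dst: str) -> bool:
    """True if a packet crossing the Internet perimeter has a ULA source or destination."""
    return any(ipaddress.ip_address(a) in ULA_RANGE for a in (src, dst))


if __name__ == "__main__":
    eui64 = mac_to_eui64("00:0d:9d:93:a0:c3")   # MAC address shown on the slide
    ntp = bytes.fromhex("cc5ff71943807789")     # first NTP value shown on the slide
    site = generate_ula(ntp, eui64)
    print("EUI-64:", eui64.hex(), "ULA /48:", site)

    # Constructed sample flows as seen at the Internet perimeter
    flows = [
        (str(site[1]), "2001:db8:cafe:2::10"),
        ("2001:db8:cafe:2800::5", "2001:db8:cafe:3000::9"),
    ]
    for src, dst in flows:
        verdict = "DROP" if violates_ula_scope(src, dst) else "permit"
        print(f"{src} -> {dst}: {verdict}")
```

The same fc00::/7 test is what a perimeter ACL expresses; the hash step shows why two independently generated /48s cannot be made adjacent for aggregation.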

ULA, ULA + Global or Global
What type of addressing should I deploy internal to my network? It depends:
- ULA-only: today, no IPv6 NAT is usable in production, so using ULA-only will not work externally to your network.
- ULA + Global: allows for the best of both worlds but at a price: much more address management with DHCP, DNS, routing and security.
- Global-only: recommended approach, but the old-school security folks that believe topology hiding is essential in security will bark at this option.

Global-Only (Recommended)
- Global is used everywhere
- No requirements to have NAT for ULA-to-Global translation, but NAT may be used for other purposes
- Easier management of DHCP, DNS, security, etc.
- Only downside is breaking the habit of believing that topology hiding is a good security method
[Diagram labels: Internet, Branch 1, Branch 2, Corp HQ, Corporate Backbone; Global 2001:DB8:CAFE::/48; 2001:DB8:CAFE:2800::/64, 2001:DB8:CAFE:3000::/64, 2001:DB8:CAFE:2::/64]

Where do I start?
Based on timeframe/use case:
- Mainframe
- Internet Edge/DMZ
- Edge-to-Edge: labs and islands of IPv6
- Core-to-Edge: ideal
- Edge-to-Core: challenging but doable
[Diagram labels: DC Access, DC Aggregation, DC/Campus Core, Campus Block, WAN, Servers, Branch, Branch]

IPv6 Deployment: Three Major Options
- Dual-stack: the way to go for obvious reasons: performance, security, QoS, multicast and management. Layer 3 switches should support IPv6 forwarding in hardware.
- Hybrid: dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear.
  Pro: leverage existing gear and network design (traditional L2/L3 and routed access).
  Con: tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer), and ISATAP does not support IPv6 multicast.
- IPv6 Service Block: a new network block used for interim connectivity for IPv6 overlay network.
  Pro: separation, control and flexibility (still supports traditional L2/L3 and routed access).
  Con: cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment, and ISATAP does not support IPv6 multicast.

IPv6 Deployment Options: Dual-Stack IPv4/IPv6
- #1 requirement: switching/routing platforms must support hardware-based forwarding for IPv6
- IPv6 is transparent on L2 switches but L2 multicast MLD snooping
- IPv6 management: Telnet/SSH/HTTP/SNMP
- Intelligent IP services on WLAN
- Expect to run the same IGPs as with IPv4
[Diagram labels: IPv6/IPv4 Dual Stack Hosts; Access Layer (L2/L3, v6-enabled), Distribution Layer (v6-enabled), Core Layer (v6-enabled), Aggregation Layer (DC), Access Layer (DC); Dual Stack; Dual-stack Server]

IPv6 Deployment Options: Hybrid Model
- Offers IPv6 connectivity via multiple options: dual-stack; configured tunnels (L3-to-L3); ISATAP (host-to-L3)
- Leverages existing network
- Offers natural progression to full dual-stack design
- May require tunneling to less-than-optimal layers (i.e. core layer)
- ISATAP creates a flat network (all hosts on same tunnel are peers). Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)
- Provides basic HA of ISATAP tunnels via old Anycast-RP idea
[Diagram labels: IPv6/IPv4 Dual Stack Hosts; Access Layer (L2/L3, NOT v6-enabled), Distribution Layer (NOT v6-enabled), Core Layer (v6-enabled), Aggregation Layer (DC), Access Layer (DC); ISATAP; Dual Stack; Dual-stack Server]

Campus IPv6 Deployment Options: IPv6 Service Block, an Interim Approach
- Provides ability to rapidly deploy IPv6 services without touching existing network
- Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
- Offers the same advantages as Hybrid Model without the alteration to existing code/configurations
- Configurations are very similar to the Hybrid Model: ISATAP tunnels from PCs in access layer to service block switches (instead of core layer as in Hybrid)
- 1) Leverage existing ISP block for both IPv4 and IPv6 access
- 2) Use dedicated ISP connection just for IPv6. Can use IOS FW or PIX/ASA appliance
[Diagram labels: IPv4-only Campus Block (Access Layer, Dist. Layer, Core Layer, VLAN 2, VLAN 3); Data Center Block (Agg Layer, Access Layer); IPv6 Service Block (ISATAP, Dedicated FW, IOS FW); WAN/ISP Block; Internet; Primary ISATAP Tunnel, Secondary ISATAP Tunnel]

Security Considerations
- A lot of early docs touted IPv6's inherent security and IPSec use. This is a false sense of security.
- What's old is new: old exploits re-introduced with a v6 at the end.
- IPv6 is enabled by default on Windows Vista and 7.
- IPv6 Bogon list: http://www.cymru.com/bogons/ipv6.txt

Network Management Considerations
- Do your NMS tools understand IPv6 addresses?
- IPv6 specific MIBs
- Don't necessarily have to use IPv6 transport to manage IPv6 networks: many NMS tools (and network devices) don't support polling, etc. via IPv6 today
- Netflow version 9 for IPv6 support
- IP-SLAs support IPv6

Conclusion
- Dual stack where you can. Tunnel where you must.
- Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
- Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by default. Understand what impact any OS has on the network
- Deploy it at least in a lab. IPv6 won't bite
Things to consider:
- Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals
- Don't be too late to the party: anything done in a panic is likely going to go badly

Q&A
Infrastructure Deployment:
- Internet facing DMZ
- DNS
- Core/Infrastructure
- DC1, DC2
- Branch / Access Networks

Reference Materials
- Deploying IPv6 in Campus Networks: http://www.cisco.com/en/us/docs/solutions/enterprise/campus/campipv6.html
- Deploying IPv6 in Branch Networks: http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html
- CCO IPv6 Main Page: http://www.cisco.com/go/ipv6
- Cisco Network Designs: http://www.cisco.com/go/designzone
- ARIN IPv6 Wiki: http://www.getipv6.info/index.php/main_page
- World IPv6 Day (June 8, 2011): http://isoc.org/wp/worldipv6day/
- IPv6 at IBM: http://www-01.ibm.com/software/info/ipv6/index.jsp
- IBM IPv6 Compliance: http://www-01.ibm.com/software/info/ipv6/compliance.jsp
- Security for IPv6 Routers: www.nsa.gov/ia/_files/routers/i33-002r-06.pdf

End of Session