IPv6 - Cisco

IPv6 Preserve, Prepare, & Prosper #CiscoPlus

- Reference materials
- What is driving IPv6 deployment?
- IPv6 Deployment Options
- Summary

2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Reference materials
- Deploying IPv6 in Campus Networks (just updated): se/Campus/CampIPv6.html
- Deploying IPv6 in Branch Networks (just updated): s742/ns816/landing br ipv6.html
- New/updated IPv6 Cisco sites: http://www.cisco.com/go/ipv6 and http://www.cisco.gom/go/entipv6
- Cisco Network Designs: http://www.cisco.com/go/designzone
- Smart Business Architecture IPv6 Guides: http://www.cisco.com/en/US/netsol/ns982/networking solutions program home.html

Recommended Reading
- Deploying IPv6 in Broadband Networks, Adeel Ahmed and Salman Asadullah, ISBN 0470193387, John Wiley & Sons Publications. Available now (hardcover/eBook).

[Chart: Estimated Registry Exhaustion Dates, April 2011 (source: Geoff Huston, APNIC; http://www.potaroo.net/tools/ipv4/rir.jpg). Y axis: probability (%), 0 to 100; X axis: Jan 2011 to Jul 2015; one curve per registry: IANA, APNIC, RIPE NCC, ARIN, LACNIC, AFRINIC.]

Note on the chart: we already know this is too conservative; APNIC went into "Stage 3" in mid-April 2011.

What is driving IPv6 deployment?
- Growth/Protection: an enterprise that is or will be expanding into new markets; IPv4 address exhaustion
- Partnership: an enterprise that partners with other companies/organizations doing IPv6; governments, enterprise partners, contractors
- External pressure, OS/Apps: Microsoft Windows 7, Server 2008; Microsoft DirectAccess
- Internal pressure, fixing old problems: mergers & acquisitions; NAT overlap
- Internal pressure, new technologies: high-density virtual machine environments (server virtualization, VDI); SmartGrid

Deploying IPv6: Architectural Scope and Deployment Options

DEPLOYMENT SCENARIOS
- Planning & training
- Network devices: servers, clients, printers, collaboration devices, sensors, applications
- Network services: translation services, DHCP, DNS, load balancing, content switching, content distribution, WAAS, firewall/IPS, VPN
- Network infrastructure: IP addressing, hardware, connectivity, mobility, multicast, QoS, routing protocols, tunnel services, dual stack
- Implementation & operation

IPv6 addresses are 128 bits long
- Segmented into 8 groups of four hex characters, separated by a colon (:)
- 50% for network ID, 50% for interface ID
- Network portion is allocated by Internet registries
- 2^64 (1.8 x 10^19) still leaves us with 3 billion network prefixes for each person on earth

Global Unicast Identifier example:
  Network portion: gggg:gggg:gggg:ssss (Global Routing Prefix = n bits, e.g. 48; Subnet ID = 64 - n bits)
  Interface ID:    xxxx:xxxx:xxxx:xxxx (Host, 64 bits)

  Full format:        2001:0000:0000:00A1:0000:0000:0000:1E2A
  Abbreviated format: 2001:0:0:A1::1E2A
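The slide's full/abbreviated forms and its prefix/subnet/interface-ID split, as an added example (this is not code from the deck or from Cisco): Python's standard ipaddress module does the expansion and RFC 5952 compression, and the split below assumes the /48 routing prefix the slide uses as its example. The "global unicast" test only checks membership in 2000::/3, the block the deck names.

```python
"""Added example (not from the Cisco deck): expand and compress IPv6
addresses and split a global unicast address into routing prefix,
subnet ID and interface ID, using the deck's sample address."""
from ipaddress import IPv6Address, IPv6Network

# Sample address taken from the slide (full and abbreviated forms).
SAMPLE_FULL = "2001:0000:0000:00A1:0000:0000:0000:1E2A"
SAMPLE_ABBREVIATED = "2001:0:0:A1::1E2A"
GLOBAL_UNICAST = IPv6Network("2000::/3")  # global unicast block named on the slide


def full_format(addr: str) -> str:
    """Uncompressed form: eight 4-hex-digit groups, '::' expanded."""
    return IPv6Address(addr).exploded


def abbreviated_format(addr: str) -> str:
    """RFC 5952 canonical form: leading zeros dropped, longest zero run -> '::'."""
    return IPv6Address(addr).compressed


def split_global_unicast(addr: str, routing_prefix_len: int = 48) -> dict:
    """Split an address into the three fields of the slide's layout:
    global routing prefix (n bits), subnet ID (64 - n bits), interface ID (64 bits).
    The /48 default is the org-sized allocation the deck uses as its example."""
    if not 0 < routing_prefix_len <= 64:
        raise ValueError("routing prefix length must be between 1 and 64 bits")
    ip = IPv6Address(addr)
    value = int(ip)
    subnet_bits = 64 - routing_prefix_len
    network_id = value >> 64                       # upper 64 bits: prefix + subnet
    subnet_id = network_id & ((1 << subnet_bits) - 1)
    groups = ip.exploded.split(":")
    return {
        "is_global_unicast": ip in GLOBAL_UNICAST,
        "routing_prefix": str(IPv6Network((value, routing_prefix_len), strict=False)),
        "subnet_id": format(subnet_id, "0{}x".format((subnet_bits + 3) // 4)),
        "interface_id": ":".join(groups[4:]),       # lower four groups = 64 bits
        "subnets_in_prefix": 1 << subnet_bits,      # 65536 for a /48
        "interface_ids_per_subnet": 1 << 64,        # 2^64, about 1.8 x 10^19
    }


if __name__ == "__main__":
    print(full_format(SAMPLE_ABBREVIATED))
    print(abbreviated_format(SAMPLE_FULL))
    for key, val in split_global_unicast(SAMPLE_FULL).items():
        print("{:>26}: {}".format(key, val))
```

Passing a different routing_prefix_len (32 for an ISP-sized block, 64 for a single link) moves the boundary between prefix and subnet ID without touching the interface ID, which is the point of the fixed 64/64 split on the slide.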

IPv6 address allocation (IPv4 pool empty)
- Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP (/32) -> Org (/48)
- Provider Independent: IANA (2000::/3) -> Registries (/12) -> Enterprise (/48, "Level Four")
- ARIN NRPM: https://www.arin.net/policy/nrpm.html#six58

Prefix length choices

/64 everywhere (64 bits + 64 bits):
- Recommended by RFC3177 and IAB/IESG
- Consistency makes management easy
- MUST for SLAAC (MSFT DHCPv6 also)
- Significant address space loss (18.466 Quintillion)

/64 on host networks, /126 on point-to-point:
- Address space conservation
- Special cases: /126 valid for p2p; /127 valid for p2p if you are careful (RFC6164 / RFC3627); /128 loopback
- Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses

/64 on host networks, /127 on point-to-point:
- 64 on host networks, 127 on P2P
- Always use /128 on loopbacks
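A checker for the "if you are careful" part of the /127 row, as an added example (not from the deck): it walks every address in a /126, /127 or /128 and flags the reserved interface IDs the slide lists, using the formats defined in RFC 4291 (subnet-router anycast, all-zero interface ID), RFC 3956 (embedded RP, interface ID equal to the 4-bit RIID) and RFC 5214 (ISATAP, interface ID starting 0000:5EFE or 0200:5EFE). The 2001:db8: prefixes are constructed sample input.

```python
"""Added example (not from the Cisco deck): check that a /126, /127 or /128
point-to-point prefix avoids the reserved interface IDs the slide warns
about (subnet-router anycast, embedded-RP, ISATAP), and pick the first
clean /127 out of a /64 link block. The 2001:db8: prefixes are constructed."""
from ipaddress import IPv6Network

IID_MASK = (1 << 64) - 1
# Upper 32 bits of an ISATAP interface ID: 0000:5EFE or 0200:5EFE (RFC 5214).
ISATAP_IID_HIGH = {0x00005EFE, 0x02005EFE}
# RFC 3956 embedded-RP: the RP's interface ID is its 4-bit RIID, so 1..F.
EMBEDDED_RP_MAX_IID = 0xF


def check_p2p_prefix(prefix: str) -> list:
    """Return warnings for every address in a p2p prefix that collides with
    a reserved interface ID; an empty list means the prefix is clean."""
    net = IPv6Network(prefix, strict=False)
    warnings = []
    if net.prefixlen == 64:
        return warnings  # the general host-link case; nothing to check here
    if net.prefixlen not in (126, 127, 128):
        return ["{}: /{} is not one of /64, /126, /127, /128".format(prefix, net.prefixlen)]
    for addr in net:
        iid = int(addr) & IID_MASK
        if iid == 0:
            warnings.append("{}: subnet-router anycast (all-zero interface ID, RFC 4291)".format(addr))
        elif iid <= EMBEDDED_RP_MAX_IID:
            warnings.append("{}: interface ID {:#x} is in the embedded-RP RIID range 1-F (RFC 3956)".format(addr, iid))
        if (iid >> 32) in ISATAP_IID_HIGH:
            warnings.append("{}: interface ID has the ISATAP form 0000:5EFE/0200:5EFE".format(addr))
    return warnings


def first_clean_p2p(link_block: str, new_prefix: int = 127) -> str:
    """Walk the sub-prefixes of a /64 block and return the first one with no warnings."""
    block = IPv6Network(link_block)
    for sub in block.subnets(new_prefix=new_prefix):   # lazy generator, stops early
        if not check_p2p_prefix(str(sub)):
            return str(sub)
    raise ValueError("no clean /{} found in {}".format(new_prefix, link_block))


if __name__ == "__main__":
    for p in ("2001:db8:cafe:1105::/127", "2001:db8:cafe:1105::10/127",
              "2001:db8::5efe:a00:1/127"):
        print(p, check_p2p_prefix(p) or "clean")
    print(first_clean_p2p("2001:db8:cafe:1105::/64"))
```

The first /127 carved from a /64 always trips the anycast and RIID checks (its two addresses are ::0 and ::1), which is why the deck pairs "/127 on P2P" with "if you are careful": start the p2p numbering at ::10 or higher, and keep /128 for loopbacks.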

Host address assignment
- StateLess Address AutoConfiguration (SLAAC): RA-based assignment (a MUST for Mac prior to Lion)
- Stateful and stateless DHCPv6 server: Cisco Network Registrar: 1982/ ; Microsoft Windows Server 2008: spx?mfr true
- DHCPv6 Relay: supported on routers and switches

DHCPv6 relay configuration (IPv6-enabled host on the client link, DHCPv6 server at 2001:DB8:CAFE:10::2):

  interface FastEthernet0/1
   description CLIENT LINK
   ipv6 address 2001:DB8:CAFE:11::1/64
   ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
   ipv6 nd managed-config-flag
   ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

Deployment paths
- Core-to-Edge (ideal)
- Edge-to-Core (challenging but doable)
- Internet Edge (business continuity)

[Diagram: Campus Block (access layer) and DC/Campus Core, DC Aggregation and DC Access with servers, Internet Edge with two ISPs, WAN with branches.]

Enterprise co-existence strategy
- Dual Stack (IPv4 and IPv6 side by side): recommended
- Tunneling services (IPv4 over IPv6, IPv6 over IPv4): connect islands of IPv6 or IPv4
- Translation services (IPv4 <-> IPv6): connect to the IPv6 community

IPv6/IPv4 Dual Stack Hosts
- #1 requirement: switching/routing platforms must support hardware-based forwarding for IPv6 (Access Layer L2/L3: 3560/3750 Series; 4500/6500/7600 Series)
- Expect to run the same IGPs as with IPv4
- IPv6 is transparent on L2 switches but consider: L2 multicast (MLD snooping); IPv6 management (Telnet/SSH/HTTP/SNMP); intelligent IP services on WLAN
- VSS supports IPv6

[Diagram: v6-enabled Access, Distribution and Core layers, v6-enabled Aggregation and Access layers in the DC, dual-stack servers.]

Campus distribution-layer configuration example (the slide shows two columns; uplinks on the left, the access VLAN and EIGRP process on the right):

  ipv6 unicast-routing
  !
  interface GigabitEthernet1/0/1
   description To 6k-core-right
   ipv6 address 2001:DB8:CAFE:1105::A001:1010/64
   ipv6 eigrp 10
   ipv6 hello-interval eigrp 10 1
   ipv6 hold-time eigrp 10 3
   ipv6 authentication mode eigrp 10 md5
   ipv6 authentication key-chain eigrp 10 eigrp
  !
  interface GigabitEthernet1/0/2
   description To 6k-core-left
   ipv6 address 2001:DB8:CAFE:1106::A001:1010/64
   ipv6 eigrp 10
   ipv6 hello-interval eigrp 10 1
   ipv6 hold-time eigrp 10 3
   ipv6 authentication mode eigrp 10 md5
   ipv6 authentication key-chain eigrp 10 eigrp

  interface Vlan4
   description Data VLAN for Access
   ipv6 address 2001:DB8:CAFE:4::2/64
   ipv6 nd prefix 2001:DB8:CAFE:4::/64 no-advertise
   ipv6 nd managed-config-flag
   ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
   ipv6 eigrp 10
   standby version 2
   standby 2 ipv6 autoconfig
   standby 2 timers msec 250 msec 750
   standby 2 priority 110
   standby 2 preempt delay minimum 180
   standby 2 authentication ese
  !
  ipv6 router eigrp 10
   no shutdown
   router-id 10.122.10.10
   passive-interface Vlan4
   passive-interface Loopback0

Some OS/patches may need "no-autoconfig".
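The DHCPv6 relay slide and the Vlan4 stanza above both rely on the same three RA knobs (`ipv6 nd prefix ... no-advertise`, `ipv6 nd managed-config-flag`, `ipv6 dhcp relay destination`) to steer hosts from SLAAC to stateful DHCPv6. As an added example (not code from the deck or from Cisco), the audit below parses IOS-style interface stanzas and reports, per IPv6 interface, which assignment mode the RA flags actually produce and where the pieces are inconsistent. It assumes one on-link prefix per interface and treats `no-advertise` and `no-autoconfig` alike (both stop SLAAC for that prefix); the Vlan5 stanza is a constructed bad case, the other two are the deck's own lines.

```python
"""Added example (not from the Cisco deck): classify IPv6 address assignment
per interface (SLAAC / stateless DHCPv6 / stateful DHCPv6) from the RA flags
in an IOS-style config and flag inconsistent combinations."""

# Constructed sample: Vlan4 and Gi1/0/1 are the deck's lines, Vlan5 is a
# deliberately inconsistent stanza added for this example.
SAMPLE_CONFIG = """\
interface Vlan4
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:4::2/64
 ipv6 nd prefix 2001:DB8:CAFE:4::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
!
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address 2001:DB8:CAFE:1105::A001:1010/64
!
interface Vlan5
 description constructed: M flag set, prefix still advertised, no relay
 ipv6 address 2001:DB8:CAFE:5::1/64
 ipv6 nd managed-config-flag
!
"""


def parse_interfaces(config: str) -> dict:
    """Group indented lines under their 'interface <name>' header."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def assignment_mode(lines: list):
    """Return {'mode', 'warnings'} for an IPv6 interface, or None if it has no
    IPv6 address. Mode follows the RA flags: M -> stateful DHCPv6, O -> stateless
    DHCPv6 for options, A=1 on the prefix -> SLAAC (the IOS default)."""
    if not any(l.startswith("ipv6 address ") for l in lines):
        return None
    suppress = "ipv6 nd suppress-ra" in lines
    m_flag = "ipv6 nd managed-config-flag" in lines
    o_flag = "ipv6 nd other-config-flag" in lines
    # Assumption: one on-link prefix; no-advertise or no-autoconfig turns SLAAC off for it.
    slaac_prefix = not any(
        l.startswith("ipv6 nd prefix ") and ("no-advertise" in l or "no-autoconfig" in l)
        for l in lines)
    has_dhcp_path = any(l.startswith("ipv6 dhcp relay destination ")
                        or l.startswith("ipv6 dhcp server") for l in lines)
    warnings = []
    if suppress:
        mode = "no RA (RA suppressed)"
    elif m_flag and slaac_prefix:
        mode = "mixed: SLAAC and stateful DHCPv6"
        warnings.append("M flag set but the on-link prefix still has A=1; hosts form SLAAC addresses too")
    elif m_flag:
        mode = "stateful DHCPv6"
    elif o_flag:
        mode = "SLAAC + stateless DHCPv6 (O flag)"
    else:
        mode = "SLAAC"
    if m_flag and not has_dhcp_path:
        warnings.append("M flag set but no DHCPv6 relay destination or local server configured")
    return {"mode": mode, "warnings": warnings}


def audit_address_assignment(config: str) -> dict:
    """Map each IPv6 interface name to its assignment mode and warnings."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        verdict = assignment_mode(lines)
        if verdict is not None:
            results[name] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in audit_address_assignment(SAMPLE_CONFIG).items():
        print("{:<22} {}".format(name, verdict["mode"]))
        for w in verdict["warnings"]:
            print("    warning: {}".format(w))
```

Run over a full `show running-config`, the output makes the deck's "MUST for SLAAC" and "some OS/patches may need no-autoconfig" points checkable: every interface that is meant to be DHCPv6-only should come back as "stateful DHCPv6" with no warnings.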

IPv6 Service Block: Rapid Deployment/Pilot
- ISATAP tunnels from PCs in the access layer to service block switches (instead of the core layer as in the Hybrid model)
- Internet access: 1) leverage the existing ISP block for both IPv4 and IPv6 access; 2) use a dedicated ISP connection just for IPv6 (can use IOS FW or PIX/ASA appliance)
- Provides the ability to rapidly deploy IPv6 services without touching the existing network
- Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
- Get lots of operational experience with limited impact to the existing environment: ideal for a pilot
- Similar challenges as the Hybrid Model: lots of tunneling
- Configurations are very similar to the Hybrid Model

[Diagram: IPv4-only Campus Block (Access Layer with VLAN 2 and VLAN 3, Dist. Layer, Core Layer), IPv6 Service Block with a dedicated firewall and IOS FW, Agg Layer, WAN/ISP Block, Data Center Block and the Internet; primary and secondary ISATAP tunnels run from access-layer PCs to the service block.]

Data center considerations
- Route/switch design will be similar to campus based on feature, platform and connectivity similarities (Nexus, 6500, 4900M)
- The single most overlooked and potentially complicated area of IPv6 deployment
- Stuff people don't think about: NIC teaming, iLO, DRAC, IP KVM, clusters
- Innocent-looking server OS upgrades (Windows Server 2008): impact on clusters; Microsoft Server 2008 failover clusters fully support IPv6 (and L3)
- Internet-facing data center: most of the internal and Internet DC considerations are the same

[Diagram: ways for IPv6 clients to reach IPv4-only servers: ACE SLB64 (v6 VIP in front of v4 servers), ACE SLB66 (v6 to v6), a proxy (Apache, MSFT PortProxy) with v6 on the front and v4 on the back, and stateful NAT64 between the IPv6 Internet and an IPv4-only host.]

[Diagram: SLB64 example. IPv6 client 2001:db8:cafe:10::17 connects to the v6 VIP 2001:db8:cafe:12::ace4; the ACE source-NATs to 10.121.12.90 toward the IPv4 servers 10.121.12.25 and 10.121.12.15.]

Reference: ACE SLB64 configuration

  class-map match-all WEB_V6_V4_VIP
    2 match virtual-address 2001:db8:cafe:12::ace4 tcp eq www

  probe http WEB_V4_PROBE
    interval 15
    passdetect interval 5
    request method get url /welcome.png
    expect status 200 200

  rserver host WEB_V4_1
    ip address 10.121.12.25
    inservice
  rserver host WEB_V4_2
    ip address 10.121.12.15
    inservice

  serverfarm host WEB_V6_V4_SF
    predictor leastconns slowstart 300
    probe WEB_V4_PROBE
    rserver WEB_V4_1 80
      inservice
    rserver WEB_V4_2 80
      inservice

  policy-map type loadbalance first-match WEB_V6_V4_SLB
    class class-default
      serverfarm WEB_V6_V4_SF
      nat dynamic 2 vlan 12 serverfarm primary
      open 1

  policy-map multi-match WEB_V6_POL
    class WEB_V6_V4_VIP
      loadbalance vip inservice
      loadbalance policy WEB_V6_V4_SLB
      loadbalance vip icmp-reply active

  interface vlan 12
    ipv6 enable
    ip address 2001:db8:cafe:12::ace1/64
    ip address 10.121.12.45 255.255.255.0
    access-group input EVERYONE
    access-group input EVERYONE-v6
    nat-pool 2 10.121.12.90 10.121.12.90 netmask 255.255.255.0 pat
    service-policy input MGMT
    service-policy input WEB_V6_POL

NAT64: lots of RFCs to check out
- RFC 6144: Framework for IPv4/IPv6 Translation
- RFC 6052: IPv6 Addressing of IPv4/IPv6 Translators
- RFC 6145: IP/ICMP Translation Algorithm
- RFC 6146: Stateful NAT64
- RFC 6147: DNS64

Stateless: not your friend in the enterprise (corner-case deployment)
- 1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts to 254 IPv4 hosts)
- Requires the IPv6-only hosts to use an "IPv4-translatable" address format

Stateful: what we are after for translating IPv6-only hosts to IPv4-only host(s)
- It is what it sounds like: keeps state between translated hosts
- Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc.)
- This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)

New Cisco WP: http://bit.ly/poyOey

Reference: stateful NAT64 at the Internet edge (ASR)

IPv6 host on the Internet: 2001:db8:c150:10::16. DMZ/DC servers: 10.121.12.70 and 10.121.13.52. G0/0/0 (outside): 2001:DB8:CAFE:5555::1/64. G0/0/1 (inside): 10.121.220.1/24.

  ipv6 access-list EDGE_ACL
   permit ipv6 any host 2001:DB8:CAFE:BEEF::46
   permit ipv6 any host 2001:DB8:CAFE:BEEF::48
  !
  nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96
  nat64 v4 pool EDGE 10.121.55.1 10.121.55.1
  nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46
  nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::48
  nat64 v6v4 list EDGE_ACL pool EDGE overload
  !
  interface GigabitEthernet0/0/0
   description to 6k-dmz-1 Outside
   no ip address
   ipv6 address 2001:DB8:CAFE:5555::1/64
   ipv6 eigrp 10
   nat64 enable
  !
  interface GigabitEthernet0/0/1
   description to 6k-dmz-1 Inside
   ip address 10.121.220.1 255.255.255.0
   nat64 enable
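The RFC 6052 address format ties the two previous slides together: it is what DNS64 (RFC 6147) synthesizes inside a stateful NAT64 prefix such as the /96 above, and it is the "IPv4-translatable" layout a stateless deployment forces onto its hosts. As an added example (not from the deck or from Cisco), the code below implements the embedding and extraction for all six RFC 6052 prefix lengths, including the zero "u" octet at bits 64 to 71. The 64:ff9b::/96 and 2001:db8: prefixes and 192.0.2.33 are the RFC's own worked values; the ASR's static ::46/::48 mappings are hand-picked addresses, not RFC 6052 embeddings, so they are not reproduced here.

```python
"""Added example (not from the Cisco deck): RFC 6052 IPv4-embedded IPv6
addresses, as used by stateful NAT64/DNS64 (well-known or network-specific
prefix) and as the "IPv4-translatable" format required by stateless
translation. Sample prefixes and 192.0.2.33 come from RFC 6052 section 2.4."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _layout(prefix: str):
    """Return (network, prefixlen, bits_before_u, bits_after_u) for an RFC 6052 prefix.
    The IPv4 address is split around the reserved u octet (bits 64..71)."""
    net = IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of {}".format(VALID_PREFIX_LENGTHS))
    before = 64 - net.prefixlen if net.prefixlen < 96 else 32
    return net, net.prefixlen, before, 32 - before


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesize the IPv6 address that represents ipv4 inside prefix."""
    net, plen, before, after = _layout(prefix)
    v4 = int(IPv4Address(ipv4))
    bits = int(net.network_address)
    if plen == 96:                       # IPv4 fills the low 32 bits, no u octet
        return str(IPv6Address(bits | v4))
    high = v4 >> after                   # IPv4 bits that sit directly after the prefix
    low = v4 & ((1 << after) - 1)        # remaining bits, placed after the zero u octet
    bits |= high << (128 - plen - before)
    bits |= low << (56 - after)          # bit 72 onward; the u octet stays zero
    return str(IPv6Address(bits))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Recover the embedded IPv4 address; raises if ipv6 is outside prefix."""
    net, plen, before, after = _layout(prefix)
    addr = IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("{} is not inside {}".format(ipv6, prefix))
    bits = int(addr)
    if plen == 96:
        return str(IPv4Address(bits & 0xFFFFFFFF))
    high = (bits >> (128 - plen - before)) & ((1 << before) - 1)
    low = (bits >> (56 - after)) & ((1 << after) - 1)
    return str(IPv4Address((high << after) | low))


def dns64_synthesize(prefix: str, a_records: list) -> list:
    """What DNS64 does when a name has only A records: one AAAA per A."""
    return [embed_ipv4(prefix, a) for a in a_records]


if __name__ == "__main__":
    nsp = "2001:DB8:CAFE:BEEF::/96"       # the deck's stateful NAT64 prefix
    for v4 in ("10.121.12.70", "10.121.13.52"):
        v6 = embed_ipv4(nsp, v4)
        print("{:>14} -> {} -> {}".format(v4, v6, extract_ipv4(nsp, v6)))
    for p in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
              "2001:db8:122:300::/56", "2001:db8:122:344::/64", "64:ff9b::/96"):
        print("{:<24} {}".format(p, embed_ipv4(p, "192.0.2.33")))
```

The /96 case is the one enterprises meet in practice (the deck's prefix, or the well-known 64:ff9b::/96); the shorter lengths exist so that a provider can carve the translator prefix out of its own aggregate, which is why the u octet has to be skipped when the IPv4 bits straddle bit 64.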

Branch: focus more on the provider and less on the gear
- SP support for port-to-port IPv6?
- SP support for various WAN types?
- Branch Single Tier: HQ reached over the Internet; Dual-Stack IPSec VPN (IPv4/IPv6), Firewall (IPv4/IPv6), Integrated Switch (MLD-snooping)
- Branch Dual Tier: HQ reached over Frame Relay or the Internet; Dual-Stack IPSec VPN or Frame Relay, Firewall (IPv4/IPv6), Switches (MLD-snooping)
- Branch Multi-Tier: HQ reached over MPLS or the Internet; Dual-Stack IPSec VPN or MPLS (6PE/6VPE), Firewall (IPv4/IPv6), Switches (MLD-snooping)

DMVPN over IPv6 now available in 15.2(1)T

Hub Configuration Example (primary DMVPN tunnel 2001:DB8:CAFE:20A::/64, backup DMVPN tunnel 2001:DB8:CAFE:20B::/64, dashed; hubs HE1 and HE2 are ::1, spokes BR1-1 ::2 and BR1-2 ::3 across the WAN)

  crypto isakmp policy 1
   encr aes 256
   authentication pre-share
   group 2
  !
  crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
  !
  crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
  !
  crypto ipsec profile HUB
   set transform-set HUB
  !
  interface Tunnel0
   description DMVPN Tunnel 1
   ip address 10.126.1.1 255.255.255.0
   ipv6 address 2001:DB8:CAFE:20A::1/64
   ipv6 mtu 1416
   ipv6 eigrp 10
   ipv6 hold-time eigrp 10 35
   no ipv6 next-hop-self eigrp 10
   no ipv6 split-horizon eigrp 10
   ipv6 nhrp authentication CISCO
   ipv6 nhrp map multicast dynamic
   ipv6 nhrp network-id 10
   ipv6 nhrp holdtime 600
   ipv6 nhrp redirect
   tunnel source Serial1/0
   tunnel mode gre multipoint
   tunnel key 10
   tunnel protection ipsec profile HUB

Spoke Configuration Example (same primary/backup tunnels as the hub slide)

  crypto isakmp policy 1
   encr aes 256
   authentication pre-share
   group 2
  !
  crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
  !
  crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
  !
  crypto ipsec profile SPOKE
   set transform-set SPOKE
  !
  interface Tunnel0
   description to HUB
   ip address 10.126.1.2 255.255.255.0
   ipv6 address 2001:DB8:CAFE:20A::2/64
   ipv6 mtu 1416
   ipv6 eigrp 10
   ipv6 hold-time eigrp 10 35
   no ipv6 next-hop-self eigrp 10
   no ipv6 split-horizon eigrp 10
   ipv6 nhrp authentication CISCO
   ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
   ipv6 nhrp map multicast 172.16.1.1
   ipv6 nhrp network-id 10
   ipv6 nhrp holdtime 600
   ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
   ipv6 nhrp shortcut
   tunnel source Serial1/0
   tunnel mode gre multipoint
   tunnel key 10
   tunnel protection ipsec profile SPOKE

Branch ASA configuration example (dual stack with failover)

  name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch
  name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server
  !
  interface GigabitEthernet0/0
   description TO WAN
   nameif outside
   security-level 0
   ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5
   ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5
  !
  interface GigabitEthernet0/1
   description TO BRANCH LAN
   nameif inside
   security-level 100
   ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2
   ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2
  !
  ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3
  ipv6 route outside ::/0 fe80::5:73ff:fea0:2
  !
  ipv6 access-list v6-ALLOW permit icmp6 any any
  ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP
  access-group v6-ALLOW in interface outside
  !
  failover
  failover lan unit primary
  failover lan interface FO GigabitEthernet0/2
  failover link FO-LINK GigabitEthernet0/3
  failover interface ip FO 2001:db8:cafe:bad::1/64 standby 2001:db8:cafe:bad::2
  failover interface ip FO-LINK 2001:db8:cafe:bad1::1/64 standby 2001:db8:cafe:bad1::2

Remote access: Cisco ASA with a dual-stack AnyConnect client

  asa-edge-1#show vpn-sessiondb svc

  Session Type: SVC

  Username     : ciscoese                Index        : 14
  Assigned IP  : 10.123.2.200            Public IP    : 10.124.2.18
  Assigned IPv6: 2001:db8:cafe:101::101
  Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
  License      : SSL VPN
  Encryption   : RC4 AES128              Hashing      : SHA1
  Bytes Tx     : 79763                   Bytes Rx     : 176080
  Group Policy : AnyGrpPolicy            Tunnel Group : ANYCONNECT
  Login Time   : 14:09:25 MST Mon Dec 17 2007
  Duration     : 0h:47m:48s
  NAC Result   : Unknown
  VLAN Mapping : N/A                     VLAN         : none

Summary
- "Dual stack where you can, tunnel where you must, translate when you have a gun to your head"
- Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, apps, network and operations/management
- Now is your time to build a network your way: don't carry the IPv4 mindset forward with IPv6 unless it makes sense
- Deploy it, at least in a lab: IPv6 won't bite
- "If you don't like change, you're going to like irrelevance even less." - Gen. Shinseki, Chief of Staff, U.S. Army

Q&A #CiscoPlus

We value your feedback. Please be sure to complete the Event Eval Form.
Access today's presentations at cisco.com/ca/ciscoplus
Follow @CiscoCanada and join the #CiscoPlus conversation

