Embed Size (px)
Citation preview
IPv6 deployment at Oslo and
Akershus University College of
Applied Sciences (HiOA)
GN3 Campus Workshop 2012 – The last IPv6 workshop?
2012-10-05
Harald Terkelsen [email protected]
Overview
— About Oslo and Akershus University College of
Applied Sciences (Høgskolen i Oslo and Akershus -
HiOA)
— History and status of IPv6 at HiOA
— Configuration and addresses
— Challenges and problems
— Wireless
— CPU utilization on the router
— other
IPv6 deployment at HiOA
About HiOA
— Merger of the former Oslo University College and
Akershus University College in 2011
— Two main campuses:
— Pilestredet in Oslo
— Kjeller in Akershus
— 16000 students
— 1600 employees
IPv6 deployment at HiOA
IPv6 timeline at HiOA
January 2001 — First request for IPv6 from department of engineering
— Request forwarded to Uninett
June 2001 — 2001:700:700::/48 prefix is assigned
— A PC running Linux installed as IPv6 router
— Enabled on two network segments
— Sendmail is the first service with IPv6
LDAP, IMAP, some WEB servers and SSH follows later
February 2004 — Most network segments in Pilestredet have IPv6 enabled. Still few clients
with IPv6 enabled and no wireless IPv6
IPv6 deployment at HiOA
IPv6 timeline at HiOA
August 2006 — IPv6 on the wireless network
January 2007 — Routing moved to Cisco Catalyst 6500 Sup 720
February 2010 — Whitelisted to receive AAAA records from Google
2010-2011 — Windows 7 deployed with IPv6 enabled
— Internal file servers get IPv6
IPv6 deployment at HiOA
Status today
— ~200 static IPv6 addresses in DNS
— SMTP, IMAP, Samba file servers, many web applications,
SQL, parts of Windows infrastructure, Exchange using load
balancers
— No IPv6 only services, yet
— ~10000 hosts in the network
— ~75 percent of hosts IPv6 enabled
IPv6 deployment at HiOA
Host configuration
— Tunnel protocols, privacy extension and randomized
address disabled on managed hosts
— Servers mostly use static addressing. SLAAC is
disabled on new server installations
— Client subnets use SLAAC
— Supported on all platforms
— Stateless DHCPv6 for DNS information
— IPv6 firewall
IPv6 deployment at HiOA
Host configuration
Why not statefull DHCPv6?
— Enabled by default only on Windows 7 when we looked at it (and Vista?) — Still not enabled by default on all platforms?
— RA configuration still needed for default gateway
— Tested DHCPv6 and SLAAC enabled at the same time — SLAAC with privacy extension was preferred for outbound
traffic
— Have not tested lately with current OS versions
— Will probably look at DHCPv6 again later
IPv6 deployment at HiOA
Address plan
— We started before there were many recommendations
— Really simple: increment the prefix number for each
new VLAN or network.
— One exception: A part of the prefix set aside for
internal networks.
— Only /64
— Static addresses inherit their last IPv4 octet
— Will look into a more practical IPv6 address plan when
enabling IPv6 at campus Kjeller and to use when
implementing a new network and security architecture.
IPv6 deployment at HiOA
Resources
— Initial deployment was done by one person
— 2-3 persons involved in managing it part time when
needed
— Day to day administration takes little time
— Known preferred configuration is easy for
administrators to deploy
— Training, finding preferred configuration and
debugging problems can take time
IPv6 deployment at HiOA
Wireless
— Installed a Cisco wireless controller summer 2010 — AAA override with IPv6 enabled did not work
— IPv6 prefix always from default VLAN
— Disable IPv6 or use without AAA override
— Supported in 7.2 released march 2012 on WISM2/WLC 5508. No fix for WISM 1! — Had to enable RA throttling to get IPv6 address because of a
configuration problem
— Receives incorrect RA from WLAN’s default VLAN when reauthenticating using cached credentials after roaming.
— Assigned VLAN and solicited RAs still correct after roaming.
— Result: client configured an extra IPv6 address belonging in another network segment
— Confirmed by Cisco. Fix in progress.
IPv6 deployment at HiOA
Wireless
IPv6 deployment at HiOA
— Cause: Multicast configured as multicast and APs unable to join IPv4 multicast group because of an IPv4 ACL on the router interface of the APs management VLAN blocking multicast
— But why do we see solicited RAs with RA throttling enabled? Cisco: RA throttle converts solicited RA to unicast
— Conclusion: AAA override does not currently work well when RA throttling is enabled. Make sure IPv4 multicast works for AP to controller communication or configure multicast as unicast on controller.
RA throttle Receive solicited RA Receive unsolicited RA
Disabled (default) NO NO
Enabled YES NO
Configuration problem:
Router CPU utilization
— All campus VLANs routed on a Cisco Catalyst 6500
Supervisor 720
— Many IPv6 functions are software processed Cisco document ID:63992: Catalyst 6500/6000 Switch high CPU Utilization
— August 2011: IPv6 unicast reverse path forwarding
— “Solution”: disable IPv6 URPF
— August 2012: IPv6 ND (40%) and IPv6 INPUT (20%)
— Solution: Upgrade IOS and tune IPv6 ND
— 12.2(33)SXI7: Enhanced IPv6 Neighbor Discovery cache
management
IPv6 deployment at HiOA
Router CPU utilization
Configuration changes that reduced the IPv6 ND and IPv6 INPUT CPU usage:
From a Cisco example. Probably needs more tuning.
IPv6 deployment at HiOA
Configuration Default value
ipv6 nd reachable-time 2700000
Advertise 0, uses 30000 itself
ipv6 nd na glean
Disabled
ipv6 nd cache expire 7200
14400
Other challenges
— Windows servers on IPv4 only networks register their 6to4 address in dynDNS. — Train administrators and manage the servers
— 6to4 traffic on networks with native IPv6 — Firewalls on unmanaged student clients?
— IPv6 traffic to internal DNS servers from external Teredo relays — We suspect clients moving from our network without rebooting keeps IPv6
DNS resolvers on new IPv4-only network
— Discovered recently, needs more investigation
— Sites with IPv6 internally but no route to the Internet see our AAAA records
— Sites testing IPv6 on web servers serving different pages for IPv6 and IPv4
IPv6 deployment at HiOA
Summary of experiences
— We started early and small scale, got experience!
— The experience makes it easier to quickly understand new
problems today
— Most basic services work well if properly configured
— Don’t be surprised if not all IPv4 functionality is
implemented for IPv6 in network systems
— Tuning may be needed with large ND tables
— Teredo and 6to4 is problematic
IPv6 deployment at HiOA
