Transcript
Page 1: How to Convince Your Boss to Deploy Ipv6

Session ID-BRKRST-2301

Enterprise IPv6 Deployment

Page 2: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 2

Reference Materials

New/Updated IPv6 Cisco Sites: http://www.cisco.com/go/ipv6http://www.cisco.gom/go/entipv6

Deploying IPv6 in Campus Networks:http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html

Deploying IPv6 in Branch Networks:http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html

Page 3: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 3

Recommended Reading

Deploying IPv6 in Broadband

Networks - Adeel Ahmed, Salman

Asadullah ISBN0470193387, John

Wiley & Sons Publications®

Available

Now!!

Page 4: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 4

Agenda

IPv6 Activity in the Enterprise

Planning and Deployment Summary

IPv6 Address Considerations

General Network Considerations

Infrastructure Deployment

Campus/Data Center

WAN/Branch

Remote Access

Communicating with the Service Providers

Appendix—For Reference Only

Page 5: How to Convince Your Boss to Deploy Ipv6

IPv6 Activity in the Enterprise

Page 6: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 6

Dramatic Increase in Enterprise ActivityWhy?

• Enterprise that is or will be expanding into new markets

• Address exhaustionGrowth/Protection

• Enterprise that partners with other companies/organizations doing IPv6

• Governments, enterprise partners, contractorsPartnership

• Microsoft Windows 7, Server 2008

• Microsoft DirectAccessOS/Apps

• Mergers & Acquisitions

• NAT Overlap

Fixing Old Problems

• High Density Virtual Machine environments (Server virtualization, VDI)

• SmartGridNew Technologies

Exte

rnal

Pre

ssure

Inte

rnal

Pre

ssure

Page 7: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 7

100

90

80

70

60

50

40

30

20

10

0Jan 2011 Jul 2011 Jan 2012 Jul 2012 Jan 2013 Jul 2013 Jan 2014 Jul 2014 Jan 2015 Jul 2015

IANA APNIC RIPENCC ARIN LACNIC AFRINIC

Pro

babili

ty (

%)

Estimated Registry Exhaustion Dates

IANA/RIR IPv4 Exhaustion

Source: Geoff Huston, APNIC

We already know this is too conservative:

APNIC went into ―Stage 3‖ mid-April 2011

Page 8: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 8

Innocent W2K3 -to- W2K8 Upgrade

Can happen if the circumstances are right

http://technet.microsoft.com/en-us/library/bb878128.aspx

C:\>ping svr-01

Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data:Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128

Windows 2003

C:\>ping svr-01

Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms

Upgraded Host to Windows 2008

No. Time Source Destination Protocol Info

3969 244.938775 fe80::c4e2:f21d:d2b3:8463 ff02::1:3 UDP Source port: 63828 Destination port: llmnr

3970 244.938958 10.121.12.25 224.0.0.252 UDP Source port: 53753 Destination port: llmnr

...........svr-01….....

Page 9: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 9

Mergers & Acquisitions

Unique blend of technical and business problems

Colliding RFC1918 space

Common options

If you don‘t collide then leave as-is until renumbering is complete

NAT overlap pools (into non-colliding space) until renumbering is complete

IPv6 as an overlay network

IPv6 added as a native protocol (dual stack)

This is a growing issue and IPv6 ends up being a perfect tool for resolving the technical issues

Page 10: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 10

Corporate

Backbone

Sub-Company 2

Sub-Company 1

Corp HQ

10.0.0.0 address space

NAT Overlap + IPv6 Overlay Network

Build an overlay network to encapsulate IPv6 over IPv4

IPv6 is deployed only at those sites and for specific hosts that need end-to-end routability between entities

Can be very operationally difficult to maintain in large environments

May be a show stopper if you have to get a lot of tunnels past a bunch of IPv4 NAT

10.0.0.0 address space

10.0.0.0 address space

IPv4 static NAT entries for

each server X how

many??

.3

.21

.3

2001:DB8:1:3::21

2001:DB8:1:2::3

2001:DB8:1:1::3

IPv6 enables the network to provide

access to services between sites

Page 11: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 11

Corporate

Backbone

Sub-Company 2

Sub-Company 1

Corp HQ

10.0.0.0 address space

Partial Overlay + Partial Dual Stack

Combine overlay network with dual stack

Build as much dual stack as you can – tunnel only when you have to

You won‘t want to keep this up forever – goal is dual stack to all places that need end-to-end connectivity between sites/orgs

10.0.0.0 address space

10.0.0.0 address space

.3

.21

.3

Dual Stack

Dual Stack2001:DB8:1:2::3

2001:DB8:1:3::212001:DB8:1:1::7

Page 12: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 12

Corporate

Backbone

Sub-Company 2

Sub-Company 1

Corp HQ

10.0.0.0 address space

Dual Stack Everywhere

Dual stack everywhere – there is nothing else to say ;-)

We will discuss the deployment of dual stack and other end-to-end considerations for the rest of this talk

10.0.0.0 address space

10.0.0.0 address space

Dual Stack

Dual Stack

Dual Stack Dual Stack

Page 13: How to Convince Your Boss to Deploy Ipv6

Planning and Deployment Summary

Page 14: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 14

Enterprise Adoption Spectrum

Preliminary Research

Pilot/Early Deployment

Production/Looking for parity and

beyond

• Is it real?

• Do I need to deploy

everywhere?

• Equipment status?

• SP support?

• Addressing

• What does it cost?

• Mostly or completely

past the ―why?‖ phase

• Assessment (e2e)

• Weeding out vendors

(features and $)

• Focus on training and

filling gaps

• Still fighting vendors

• Content and wide-scale

app deployment

• Review operational cost

of 2 stacks

• Competitive/Strategic

advantages of new

environment

Page 15: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 15

Cisco IPv6 Deployment - A Lifecycle Approach

Coordinated Planning and StrategyMake Sound Financial Decisions

Prepare

Assess ReadinessCan Your Network Support the Proposed System?

Plan

Maintain Network HealthManage, Resolve,

Repair, Replace

Operate

Implement the SolutionIntegrate Without Disruption or Causing Vulnerability

Implement

Design the SolutionProducts, Service, Support Aligned to Requirements

Design

Operational ExcellenceAdapt to Changing

Business RequirementsOptimize

Page 16: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 16

IPv6 Integration Outline

• Establish the network starting point

• Importance of a network assessment and available tools

• Build a pilot or lab environment

• Obtain addressing or use ULAor documentation prefix (in lab)

• Learn the basics (DNS, routing changes, address assignment)

Pre-Deployment

Phases

Deployment

Phases

• Transport considerations for integration

• Internet Edge (ISP, Apps)

• Campus IPv6 integration options

• Data Center integration options

• WAN IPv6 integration options

• Execute on gaps found in assessment

Page 17: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 17

Where do I start? Based on Timeframe/Use case

Core-to-Edge – Fewer things to touch

Edge-to-Core – Challenging but doable

Internet Edge – Business continuity

Servers

Branch Branch

WAN

DC Access

DC Aggregation

DC/Campus Core

Campus Block

ISP ISP

InternetEdge

Page 18: How to Convince Your Boss to Deploy Ipv6

IPv6 Address Considerations

http://bit.ly/IPv6addrplan

Page 19: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 19

IPv6 Addresses IPv6 addresses are 128 bits long

Segmented into 8 groups of four HEX characters

Separated by a colon (:)

gggg:gggg:gggg:ssss: xxxx:xxxx:xxxx:xxxx

Global Routing Prefix

n <= 48 bits

Subnet ID

64 – n bitsHost

ssss:

2001:0000:0000:00A1: 0000:0000:0000:1E2A00A1:

Network Portion Interface ID

Global Unicast Identifier Example

2001:0:0: ::1E2AA1:

Full Format

Abbreviated Format

Page 20: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 20

PI and PA Allocation Process

Registries

Level FourEnterprise

IANA

ISP Org

Provider Assigned

2000::/3

/48

2000::/3

/48

/12

/32

/12

Provider Independent

IPv4

Pool Empty

Page 21: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 21

Hierarchical Addressing and Aggregation

Default is /48 – can be larger: https://www.arin.net/resources/request/ipv6_add_assign.html

Provider independent – See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html

ISP

2001:DB8::/32Site 2

IPv6 Internet

2000::/3

2001:DB8:0002::/48

2001:DB8:0001::/48

Site 1

Only

Announces

the /32 Prefix

2001:DB8:0001:0001::/64

2001:DB8:0001:0002::/64

2001:DB8:0002:0001::/64

2001:DB8:0002:0002::/64

Page 22: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 22

ULA, ULA + Global or Global

What type of addressing should I deploy internal to my network? It depends:

ULA-only—Today, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network

ULA + Global allows for the best of both worlds but at a price— much more address management with DHCP, DNS, routing and security—SAS does not always work as it should

Global-only—Recommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option

Let‘s explore these options…

Page 23: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 23

Unique-Local Addressing (RFC4193) Used for internal communications, inter-site VPNs

Not routable on the internet—basically RFC1918 for IPv6 only better—less likelihood of collisions

Default prefix is /48/48 limits use in large organizations that will need more space

Semi-random generator prohibits generating sequentially ‗useable‘ prefixes—no easy way to have aggregation when using multiple /48s

Why not hack the generator to produce something larger than a /48 or even sequential /48s?

Is it ‗legal‘ to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers—remember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A

Routing/security controlYou must always implement filters/ACLs to block any packets going in or out of your

network (at the Internet perimeter) that contain a SA/DA that is in the ULA range—today this is the only way the ULA scope can be enforced

Generate your own ULA: http://www.sixxs.net/tools/grh/ula/

Generated ULA= fd9c:58ed:7d73::/48

* MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard)* EUI64 address=020D9Dfffe93A0C3* NTP date=cc5ff71943807789 cc5ff71976b28d86

Page 24: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 24

Corporate

BackboneBranch 2

Branch 1Corp HQ

ULA-Only

Everything internal runs the ULA space

A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet

Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation (NPTv6)

Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)

ULA Space FD9C:58ED:7D73::/48

FD9C:58ED:7D73:2800::/64

Internet

FD9C:58ED:7D73:3000::/64 FD9C:58ED:7D73::2::/64

Global –

2001:DB8:CAFE::/48

NAT66 Required

Not Recommended

Today

Page 25: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 25

Corporate

BackboneBranch 2

Branch 1Corp HQ

ULA + Global

Both ULA and Global are used internally except for internal-only hosts

Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally

In theory, ULA talks to ULA and Global talks to Global—SAS ‗should‘ work this out

ULA-only and Global-only hosts can talk to one another internal to the network

Define a filter/policy that ensures your ULA prefix does not ‗leak‘ out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields

Management NIGHTMARE for DHCP, DNS, routing, security, etc…

ULA Space FD9C:58ED:7D73::/48

Global – 2001:DB8:CAFE::/48

FD9C:58ED:7D73:2800::/64

2001:DB8:CAFE:2800::/64

Internet

FD9C:58ED:7D73:3000::/64

2001:DB8:CAFE:3000::/64

FD9C:58ED:7D73::2::/64

2001:DB8:CAFE:2::/64

Global –

2001:DB8:CAFE::/48

Not Recommended

Page 26: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 26

Considerations—ULA + Global

Use DHCPv6 for ULA and Global—apply different policies for both (lifetimes, options, etc..)

Check routability for both—can you reach an AD/DNS server regardless of which address you have?

Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.)

If using SLAAC for both—Microsoft Windows allows you to enable/disable privacy extensions globally—this means you are either using them for both or not at all!!!

One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)

Unlike Global and link-local scopes ULA is not automatically controlled at the appropriate boundary—you must prevent ULA prefix from going out or in at your perimeter

SAS behavior is OS dependent and there have been issues with it working reliably

Temporary Preferred 6d23h59m55s 23h59m55s 2001:db8:cafe:2:cd22:7629:f726:6a6b

Dhcp Preferred 13d1h33m55s 6d1h33m55s fd9c:58ed:7d73:1002:8828:723c:275e:846d

Other Preferred infinite infinite fe80::8828:723c:275e:846d%8

Page 27: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 27

ULA + Global Example

interface Vlan2

description ACCESS-DATA-2

ipv6 address 2001:DB8:CAFE:2::D63/64

ipv6 address FD9C:58ED:7D73:1002::D63/64

ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise

ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise

ipv6 nd managed-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:11::9

Network

DHCPv6 Client

DHCPv6 Server2001:DB8:CAFE:11::9

Addr Type DAD State Valid Life Pref. Life Address

--------- ----------- ---------- ---------- ------------------------

Dhcp Preferred 13d23h48m24s 6d23h48m24s 2001:db8:cafe:2:c1b5:cc19:f87e:3c41

Dhcp Preferred 13d23h48m24s 6d23h48m24s fd9c:58ed:7d73:1002:8828:723c:275e:846d

Other Preferred infinite infinite fe80::8828:723c:275e:846d%8

Page 28: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 28

Corporate

BackboneBranch 2

Branch 1Corp HQ

Global-Only

Global is used everywhere

No issues with SAS

No requirements to have NAT for ULA-to-Global translation—but, NAT may be used for other purposes

Easier management of DHCP, DNS, security, etc.

Only downside is breaking the habit of believing that topology hiding is a good security method

Global – 2001:DB8:CAFE::/48

2001:DB8:CAFE:2800::/64

Internet

2001:DB8:CAFE:3000::/64 2001:DB8:CAFE:2::/64

Global –

2001:DB8:CAFE::/48

Recommended

Page 29: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 29

Randomized IID and Privacy Extensions

Enabled by default on Microsoft Windows

Enable/disable via GPO or CLI

Alternatively, use DHCP (see later) to a specific pool

Randomized address are generated for non-temporary autoconfigured addresses including public and link-local—used instead of EUI-64 addresses

Randomized addresses engage Optimistic DAD—likelihood of duplicate LL address is rare so RS can be sent before full DAD completion

Windows Vista/W7/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is ok)

Privacy extensions are used with SLAAC

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

netsh interface ipv6 set privacy state=disabled store=persistent

Page 30: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 30

Link Level—Prefix Length Considerations

/64 everywhere

/64 + /126

64 on host networks

126 on P2P

/64 + /127

64 on host networks

127 on P2P

Always use /128 on loop

64 bits > 64 bits

Address space conservation

Special cases:/126—valid for p2p/127—valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p-xx/(RFC3627))/128—loopback

Must avoid overlap with specific addresses:Router Anycast (RFC3513)Embedded RP (RFC3956)ISATAP addresses

Recommended by RFC3177 and IAB/IESG

Consistency makes management easy

MUST for SLAAC(MSFT DHCPv6also)

Significant address space loss (18.466 Quintillion)

Page 31: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 31

Using Link-Local for Non-Access ConnectionsUnder Research

What if you did not have to worry about addressing the network infrastructure for the purpose of routing?

IPv6 IGPs use LL addressing

Only use Global or ULA addresses at the edges for host assignment

For IPv6 access to the network device itself use a loopback

What happens to route filters? ACLs?—Nothing, unless you are blocking to/from the router itself

Stuff to think about:

Always use a RID

Some Cisco devices require ―ipv6 enable‖ on the interface in order to generate and use a link-local address

Enable the IGP on each interface used for routing or that requires its prefix to be advertised

Page 32: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 32

Using LL + Loopback Only

ipv6 unicast-routing

!

interface Loopback0

ipv6 address 2001:DB8:CAFE:998::1/128

ipv6 eigrp 10

!

interface Vlan200

ipv6 address 2001:DB8:CAFE:200::1/64

ipv6 eigrp 10

!

interface GigabitEthernet1/1

ipv6 enable

ipv6 eigrp 10

!

ipv6 router eigrp 10

router-id 10.99.8.1

no shutdown

2001:db8:cafe:200::/642001:db8:cafe:100::/64

998::1/128 998::2/128

ipv6 unicast-routing

!

interface Loopback0

ipv6 address 2001:DB8:CAFE:998::2/128

ipv6 eigrp 10

!

interface GigabitEthernet3/4

ipv6 eigrp 10

!

interface GigabitEthernet1/2

ipv6 eigrp 10

!

ipv6 router eigrp 10

router-id 10.99.8.2

no shutdown

IPv6-EIGRP neighbors for process 10

0 Link-local address: Gi1/2

FE80::212:D9FF:FE92:DE77

Page 33: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 33

Summary of Address Considerations

Provider Independent and/or Provider Assigned

ULA, ULA + Global, Global only

Prefix-length allocation

/64 everywhere except loopbacks (/128)

/64 on host links, /126 on P2P links, /128 on loopbacks

Variable prefix-lengths on host links

Page 34: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 34

SLAAC & Stateful/Stateless DHCPv6

StateLess Address AutoConfiguration (SLAAC) – RA-based assignment (a MUST for Mac)

Stateful and stateless DHCPv6 server

Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/

Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true

DHCPv6 Relay—supported on routers and switches

interface FastEthernet0/1

description CLIENT LINK

ipv6 address 2001:DB8:CAFE:11::1/64

ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise

ipv6 nd managed-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

Network

IPv6 Enabled Host

DHCPv6Server

Page 35: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 35

Basic DHCPv6 Message Exchange

DHCPv6 ClientDHCPv6 Relay Agent DHCPv6 Server

Request(IA_NA)Relay-Forw(Request(IA_NA))

Relay-Repl(Advertise(IA_NA(addr)))Advertise(IA_NA(addr))

Relay-Repl(Reply(IA_NA(addr)))

Solicit(IA_NA)Relay-Forw(Solicit(IA_NA))

Reply(IA_NA(addr))

Address Assigned

Shutdown , link down , Release

Timer Expiring

Renew(IA_NA(addr))Relay-Forw(Renew(IA_NA(addr)))

Reply(IA_NA(addr))

Release(IA_NA(addr))Relay-Forw(Release(IA_NA(addr)))

Reply(IA_NA(addr))

Relay-Repl(Reply(IA_NA(addr)))

Relay-Repl(Reply(IA_NA(addr)))

Page 36: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 36

CNR/W2K8—DHCPv6

Page 37: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 37

IPv6 General Prefix

Provides an easy/fast way to deploy prefix changes

Example:2001:db8:cafe::/48 = General Prefix

Fill in interface specific fields after prefix

“ESE ::11:0:0:0:1” = 2001:db8:cafe:11::1/64ipv6 unicast-routing

ipv6 cef

ipv6 general-prefix ESE 2001:DB8:CAFE::/48

!

interface GigabitEthernet3/2

ipv6 address ESE ::2/126

!

interface GigabitEthernet1/2

ipv6 address ESE ::E/126

interface Vlan11

ipv6 address ESE ::11:0:0:0:1/64

!

interface Vlan12

ipv6 address ESE ::12:0:0:0:1/64

Global unicast address(es):

2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64

Page 38: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 38

DNS Basic Steps - 1

Add AAAA records in your DNS server for the hostnames of the devices that can be reached through the IPv6 protocol.

Add pointer (PTR) records in your DNS server for the IP addresses of the devices that can be reached through the IPv6 protocol.

Enable IPv6 access to the authoritative DNS servers. Be sure that TCP/53 and UDP/53 can be accessed through IPv6.

Enable IPv6 connectivity to the external full-service resolvers that send DNS queries to authoritative servers in the world.

Page 39: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 39

DNS Basic Steps - 2

Make sure that the full-service resolver is configured with both IPv4 and IPv6 glue for the root servers in the world.

Enable IPv6 on the recursive resolver so that it responds to DNS requests over IPv6 as well as IPv4.

Enable IPv6 on the node that sends queries so that it can send DNS requests to the recursive resolver.

Configure the stub resolver on the node that sends queries so that it uses IPv6 to send DNS queries, either statically or using Dynamic Host Configuration Protocol Version 6 (DHCPv6).

Review policies for flows and make sure that both TCP/53 and UDP/53 can be accessed over IPv4 and IPv6

Page 40: How to Convince Your Boss to Deploy Ipv6

General Network Considerations

Page 41: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 41

HSRP for IPv6

Many similarities with HSRP for IPv4

Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects

No need to configure GW on hosts (RAs are sent from HSRP active router)

Virtual MAC derived from HSRP group number and virtual IPv6 link-local address

IPv6 Virtual MAC range:0005.73A0.0000 - 0005.73A0.0FFF

(4096 addresses)

HSRP IPv6 UDP Port Number 2029 (IANA Assigned)

track 2 interface FastEthernet0/0 line-protocol

interface FastEthernet0/1

ipv6 address 2001:DB8:66:67::2/64

standby version 2

standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 800

standby 2 preempt

standby 2 preempt delay minimum 180

standby 2 authentication cisco

standby 2 track 2 decrement 10

HSRP

StandbyHSRP

Active

Host with GW of Virtual IP

#route -A inet6 | grep ::/0 | grep eth2

::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2

Page 42: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 42

IPv6 Multicast Availability

Multicast Listener Discovery (MLD)

Equivalent to IGMP

PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast

RP Deployment: Static, Embedded

Host Multicast Control via MLD

RPDR DRS

Page 43: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 43

Multicast Listener Discovery: MLDMulticast Host Membership Control

MLD is equivalent to IGMP in IPv4

MLD messages are transported over ICMPv6

MLD uses link local source addresses

MLD packets use ―Router Alert‖ in extension header (RFC2711)

Version number confusion:

MLDv1 (RFC2710) like IGMPv2 (RFC2236)

MLDv2 (RFC3810) like IGMPv3 (RFC3376)

MLD snooping

Host Multicast Control via MLD

Page 44: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 44

IPv6 QoS Policy & Syntax

Unified QoS Policy (v4/v6 in same policy) or separate?

IPv4 syntax has used ―ip‖ following match/set statements

Example: match ip dscp, set ip dscp

Modification in QoS syntax to support IPv6 and IPv4

New match criteria

match dscp — Match DSCP in v4/v6

match precedence — Match Precedence in v4/v6

New set criteria

set dscp — Set DSCP in v4/v6

set precedence — Set Precedence in v4/v6

Additional support for IPv6 does not always require new Command Line Interface (CLI)

Example—WRED

Page 45: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 45

Scalability and Performance

IPv6 Neighbor Cache = ARP for IPv4

In dual-stack networks the first hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries

ARP entry for host in the campus distribution layer:

Internet 10.120.2.200 2 000d.6084.2c7a ARPA

Vlan2

IPv6 Neighbor Cache entry:

2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2

2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2

FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2

Full internet route tables—ensure to account for TCAM/memory requirements for both IPv4/IPv6—not all vendors can properly support both

Multiple routing protocols—IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present

Control plane impact when using tunnels—terminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)

Page 46: How to Convince Your Boss to Deploy Ipv6

Infrastructure DeploymentStart Here: Cisco IOS Software Release Specifics for IPv6 Features

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html

Page 47: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 47

Tunneling

Services

Connect Islands of IPv6 or IPv4

IPv4 over IPv6 IPv6 over IPv4

IPv6 Co-existence Solutions

Dual Stack

Recommended Enterprise Co-existence strategy

Translation Services

Connect to the IPv6 community

IPv4

IPv6

Business Partners

Internet consumers

Remote Workers

International Sites

Government Agencies

IPv6

IPv4

Page 48: How to Convince Your Boss to Deploy Ipv6

CampusDeploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

Page 49: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 49

Campus IPv6 DeploymentThree Major Options

Dual-stack—The way to go for obvious reasons: performance, security, QoS, multicast and management

Layer 3 switches should support IPv6 forwarding in hardware

Hybrid—Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear

Pro—Leverage existing gear and network design (traditional L2/L3 and routed access)

Con—Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast

IPv6 Service Block—A new network block used for interim connectivity for IPv6 overlay network

Pro—Separation, control and flexibility (still supports traditional L2/L3 and routed access)

Con—Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast

Page 50: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 50

Campus IPv6 Deployment OptionsDual-Stack IPv4/IPv6

Dual Stack = Two protocols running at the same time (IPv4/IPv6)

#1 requirement—switching/ routing platforms must support hardware based forwarding for IPv6

3560/3750* +

4500 Sup6E +

6500 Sup32/720 +

IPv6 is transparent on L2 switches but consider:

L2 multicast—MLD snooping

IPv6 management—Telnet/SSH/HTTP/SNMP

Intelligent IP services on WLAN

Expect to run the same IGPs as with IPv4

Dual-stackServer

L2/L3

v6-Enabled

v6-Enabled

v6-Enabled

v6-Enabled

IPv6/IPv4 Dual Stack Hosts

v6-Enabled

v6-Enabled

Aggregation Layer (DC)

Access Layer (DC)

Access Layer

Distribution Layer

Core Layer

Du

al S

tack

Du

al S

tack

*check HW limitations in non-E/X/C series

Page 51: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 51

Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)

ipv6 unicast-routing

!

interface GigabitEthernet1/0/1

description To 6k-core-right

ipv6 address 2001:DB8:CAFE:1105::A001:1010/64

ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1

ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

!

interface GigabitEthernet1/0/2

description To 6k-core-left

ipv6 address 2001:DB8:CAFE:1106::A001:1010/64

ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1

ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

interface Vlan4

description Data VLAN for Access

ipv6 address 2001:DB8:CAFE:4::2/64

ipv6 nd managed-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

ipv6 eigrp 10

standby version 2

standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 750

standby 2 priority 110

standby 2 preempt delay minimum 180

standby 2 authentication ese

!

ipv6 router eigrp 10

no shutdown

router-id 10.122.10.10

passive-interface Vlan4

passive-interface Loopback0

Page 52: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 52

Distribution Layer: Example with ULAand General Prefix feature

ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53

ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53

ipv6 unicast-routing

!

interface GigabitEthernet1/0/1

description To 6k-core-right

ipv6 address ULA-CORE ::3:0:0:0:D63/64

ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1

ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53

!

interface GigabitEthernet1/0/2

description To 6k-core-left

ipv6 address ULA-CORE ::C:0:0:0:D63/64

ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1

ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53

interface Vlan4

description Data VLAN for Access

ipv6 address ULA-ACC ::D63/64

ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise

ipv6 nd managed-config-flag

ipv6 dhcp relay destination fd9c:58ed:7d73:811::9

ipv6 eigrp 10

standby version 2

standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 750

standby 2 priority 110

standby 2 preempt delay minimum 180

standby 2 authentication ese

!

ipv6 router eigrp 10

no shutdown

router-id 10.122.10.10

passive-interface Vlan4

passive-interface Loopback0

Page 53: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 53

Access Layer: Dual Stack (Routed Access)

ipv6 unicast-routing

ipv6 cef

!

interface GigabitEthernet1/0/25

description To 6k-dist-1

ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64

no ipv6 redirects

ipv6 nd suppress-ra

ipv6 ospf network point-to-point

ipv6 ospf 1 area 2

ipv6 ospf hello-interval 1

ipv6 ospf dead-interval 3

ipv6 cef

!

interface GigabitEthernet1/0/26

description To 6k-dist-2

ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64

no ipv6 redirects

ipv6 nd suppress-ra

ipv6 ospf network point-to-point

ipv6 ospf 1 area 2

ipv6 ospf hello-interval 1

ipv6 ospf dead-interval 3

ipv6 cef

interface Vlan2

description Data VLAN for Access

ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64

ipv6 ospf 1 area 2

ipv6 cef

!

ipv6 router ospf 1

router-id 10.120.2.1

log-adjacency-changes

auto-cost reference-bandwidth 10000

area 2 stub no-summary

passive-interface Vlan2

timers spf 1 5

Page 54: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 54

Distribution Layer: Dual Stack (Routed Access)

ipv6 unicast-routing

ipv6 multicast-routing

ipv6 cef distributed

!

interface GigabitEthernet3/1

description To 3750-acc-1

ipv6 address 2001:DB8:CAFE:1100::A001:1010/64

no ipv6 redirects

ipv6 nd suppress-ra

ipv6 ospf network point-to-point

ipv6 ospf 1 area 2

ipv6 ospf hello-interval 1

ipv6 ospf dead-interval 3

ipv6 cef

!

interface GigabitEthernet1/2

description To 3750-acc-2

ipv6 address 2001:DB8:CAFE:1103::A001:1010/64

no ipv6 redirects

ipv6 nd suppress-ra

ipv6 ospf network point-to-point

ipv6 ospf 1 area 2

ipv6 ospf hello-interval 1

ipv6 ospf dead-interval 3

ipv6 cef

ipv6 router ospf 1

auto-cost reference-bandwidth 10000

router-id 10.122.0.25

log-adjacency-changes

area 2 stub no-summary

passive-interface Vlan2

area 2 range 2001:DB8:CAFE:xxxx::/xx

timers spf 1 5

Page 55: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 55

Campus IPv6 Deployment OptionsHybrid Model

Plan ―B‖ if Layer 3 device can‘t support IPv6 but you have to get IPv6 over it

Offers IPv6 connectivity via multiple options

Dual-stack

Configured tunnels—L3-to-L3

ISATAP—Host-to-L3

Leverages existing network

Offers natural progression to full dual-stack design

May require tunneling to less-than-optimal layers (i.e. core layer)

Any sizable deployment will be an operational management challenge

ISATAP creates a flat network (all hosts on same tunnel are peers)

Provides basic HA of ISATAP tunnels via old Anycast-RP idea

Dual-stackServer

L2/L3

v6-Enabled

NOT v6-Enabled

v6-Enabled

NOT v6-Enabled

IPv6/IPv4 Dual Stack Hosts

v6-Enabled

v6-Enabled

ISA

TA

P

ISA

TA

P

Aggregation Layer (DC)

Access Layer (DC)

Access Layer

Distribution Layer

Core Layer

Du

al S

tack

Du

al S

tack

Legacy Design

Page 56: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 56

DistributionLayer

AccessLayer

CoreLayer

AggregationLayer (DC)

AccessLayer (DC)

IPv6/IPv4Dual-stack

Server

IPv6/IPv4 Dual-stack Hosts

Data CenterBlock

AccessBlock

IPv6 and IPv4 Enabled

1

1

2

2

Campus Hybrid Model 1QoS

1. Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point—QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress

2. The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These polices may include trust (ingress), policing (ingress) and queuing (egress)

Page 57: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 57

IPv6 ISATAP ImplementationISATAP Host Considerations

ISATAP is available on Windows XP, Windows 2003, Vista/W7/Server 2008, port for Linux

If Windows host does not detect IPv6 capabilities on the physical interface then an effort to use ISATAP is started

Can learn of ISATAP routers via DNS ―A‖ record lookup ―isatap‖ or via static configuration

If DNS is used then Host/Subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAP

Two or more ISATAP routers can be added to DNS and ISATAP will determine which one to use and also fail to the other one upon failure of first entry

If DNS zoning is used within the enterprise then ISATAP entries for different routers can be used in each zone

In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel

Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role

Page 58: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 58

Highly Available ISATAP DesignTopology

ISATAP tunnels from PCs in access layer to core switches

Redundant tunnels to core or service block

Use IGP to prefer one core switch over another (both v4 and v6 routes)—deterministic

Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel)

Works like Anycast-RP with IPmc

Primary ISATAP Tunnel

Secondary ISATAP Tunnel

IPv6 Server

v6-Enabled v6-Enabled

NOT v6-Enabled

v6-Enabled

v6-Enabled

PC1 - Red VLAN 2 PC2 - Blue VLAN 3

NOT v6-Enabled

Du

al S

tack

Du

al S

tack

Aggregation Layer (DC)

Access Layer (DC)

Access Layer

Distribution Layer

Core Layer

Page 59: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 59

IPv6 Campus ISATAP ConfigurationRedundant Tunnels

interface Tunnel2

ipv6 address 2001:DB8:CAFE:2::/64 eui-64

no ipv6 nd suppress-ra

ipv6 ospf 1 area 2

tunnel source Loopback2

tunnel mode ipv6ip isatap

!

interface Tunnel3

ipv6 address 2001:DB8:CAFE:3::/64 eui-64

no ipv6 nd suppress-ra

ipv6 ospf 1 area 2

tunnel source Loopback3

tunnel mode ipv6ip isatap

!

interface Loopback2

description Tunnel source for ISATAP-VLAN2

ip address 10.122.10.102 255.255.255.255

!

interface Loopback3

description Tunnel source for ISATAP-VLAN3

ip address 10.122.10.103 255.255.255.255

interface Tunnel2

ipv6 address 2001:DB8:CAFE:2::/64 eui-64

no ipv6 nd suppress-ra

ipv6 ospf 1 area 2

ipv6 ospf cost 10

tunnel source Loopback2

tunnel mode ipv6ip isatap

!

interface Tunnel3

ipv6 address 2001:DB8:CAFE:3::/64 eui-64

no ipv6 nd suppress-ra

ipv6 ospf 1 area 2

ipv6 ospf cost 10

tunnel source Loopback3

tunnel mode ipv6ip isatap

!

interface Loopback2

ip address 10.122.10.102 255.255.255.255

delay 1000

!

interface Loopback3

ip address 10.122.10.103 255.255.255.255

delay 1000

ISATAP Primary ISATAP Secondary

Page 60: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 60

IPv6 Campus ISATAP ConfigurationIPv4 and IPv6 Routing—Options

To influence IPv4 routing to prefer one ISATAP tunnel source over another—alter delay/cost or mask length

Lower timers (timers spf, hello/hold, dead) to reduce convergence times

Use recommended summarization and/or use of stubs to reduce routes and convergence times

router eigrp 10

eigrp router-id 10.122.10.3

ipv6 router ospf 1

router-id 10.122.10.3

IPv4—EIGRP

IPv6—OSPFv3

interface Loopback2

ip address 10.122.10.102 255.255.255.255

delay 1000

interface Loopback2

ip address 10.122.10.102 255.255.255.254

ISATAP Secondary—Bandwidth adjustment

Set RID to ensure

redundant loopback

addresses do not cause

duplicate RID issues

ISATAP Secondary—Longest-match adjustment

interface Loopback2

ip address 10.122.10.102 255.255.255.255

ISATAP Primary—Longest-match adjustment

Page 61: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 61

Distribution Layer RoutesPrimary/Secondary Paths to ISATAP Tunnel Sources

acc-2

acc-1

dist-2

dist-1

core-2

core-1

VLAN 210.120.2.0/24

Loopback 2—10.122.10.102Used as SECONDARY ISATAP tunnel source

Loopback 2—10.122.10.102Used as PRIMARY ISATAP tunnel source

Preferred route to 10.122.10.102

dist-1#show ip route | b 10.122.10.102/32

D 10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27

Before Failure

Preferred route to 10.122.10.102 on FAILURE

dist-1#show ip route | b 10.122.10.102/32

D 10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28

After Failure

Page 62: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 62

IPv6 Campus ISATAP ConfigurationISATAP Client Configuration

C:\>netsh int ipv6 isatap set router 10.122.10.103

Ok.

int lo310.122.10.103

int tu3

int lo310.122.10.103

10.120.3.101

int tu3

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101

IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2

Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2

interface Tunnel3

ipv6 address 2001:DB8:CAFE:3::/64 eui-64

no ipv6 nd suppress-ra

ipv6 eigrp 10

tunnel source Loopback3

tunnel mode ipv6ip isatap

!

interface Loopback3

description Tunnel source for ISATAP-VLAN3

ip address 10.122.10.103 255.255.255.255

New tunnel comes up

when failure occurs

Windows XP/Vista/W7 Host

Page 63: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 63

IPv6 Configured TunnelsThink GRE or IP-in-IP Tunnels

Encapsulating IPv6 into IPv4

Used to traverse IPv4 only devices/links/networks

Treat them just like standard IP links (only insure solid IPv4 routing/HA between tunnel interfaces)

Provides for same routing, QoS, multicast as with dual-stack

In HW, performance should be similar to standard tunnels Aggregation

Core

Distribution

Access

Tu

nn

el

Tu

nn

el

interface Tunnel0

ipv6 cef

ipv6 address 2001:DB8:CAFE:13::1/127

ipv6 eigrp 10

tunnel source Loopback3

tunnel destination 172.16.2.1

tunnel mode ipv6ip

interface GigabitEthernet1/1

ipv6 address 2001:DB8:CAFE:13::4/127

ipv6 eigrp 10

ipv6 cef

!

interface Loopback3

ip address 172.16.1.1 255.255.255.252

Page 64: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 64

mls ipv6 acl compress address unicast

mls qos

!

class-map match-all CAMPUS-BULK-DATA

match access-group name BULK-APPS

class-map match-all CAMPUS-TRANSACTIONAL-DATA

match access-group name TRANSACTIONAL-APPS

!

policy-map IPv6-ISATAP-MARK

class CAMPUS-BULK-DATA

set dscp af11

class CAMPUS-TRANSACTIONAL-DATA

set dscp af21

class class-default

set dscp default

!

ipv6 access-list BULK-APPS

permit tcp any any eq ftp

permit tcp any any eq ftp-data

!

ipv6 access-list TRANSACTIONAL-APPS

permit tcp any any eq telnet

permit tcp any any eq 22

ipv6 access-list BULK-APPS

permit tcp any any eq ftp

permit tcp any any eq ftp-data

!

ipv6 access-list TRANSACTIONAL-APPS

permit tcp any any eq telnet

permit tcp any any eq 22

!

interface GigabitEthernet2/1

description to 6k-agg-1

mls qos trust dscp

service-policy output IPv6-ISATAP-MARK

!

interface GigabitEthernet2/2

description to 6k-agg-2

mls qos trust dscp

service-policy output IPv6-ISATAP-MARK

!

interface GigabitEthernet2/3

description to 6k-core-1

mls qos trust dscp

service-policy output IPv6-ISATAP-MARK

Campus Hybrid Model 1QoS Configuration Sample—Core Layer

Page 65: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 65

Campus IPv6 Deployment OptionsIPv6 Service Block—Rapid Deployment/Pilot

Provides ability to rapidly deploy IPv6 services without touching existing network

Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)

Get lots of operational experience with limited impact to existing environment – Ideal for Pilot

Similar challenges as Hybrid Model –Lots of tunneling

Configurations are very similar to the Hybrid Model

ISATAP tunnels from PCs in access layer to service block switches (instead of core layer—Hybrid)

1) Leverage existing ISP block for both IPv4 and IPv6 access

2) Use dedicated ISP connection just for IPv6—Can use IOS Zone FW or ASA

Primary ISATAP Tunnel

Secondary ISATAP Tunnel

ISATAP

IPv6 Service Block

Inte

rne

t

Dedicated FW

IOS FW

Data Center Block

VLAN 2

WAN/ISP Block

IPv4-onlyCampusBlock

AggLayer

VLAN 3

2

1

AccessLayer

Dist.Layer

CoreLayer

AccessLayer

Page 66: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 66

Cisco VSS – DSM / Hybrid / Service Block

Cisco VSS offers a greatly simplified configuration and extremely fast convergence for IPv6 deployment

Dual stack – Place VSS pair in distribution and/or core layers – HA and simplified/reduced IPv6 configuration

Hybrid model – If terminating tunnels against VSS (i.e. VSS at core layer), MUCH easier to configure tunnels for HA as only one tunnel configuration is needed

Service Block – Use VSS as the SB pair – again, GREATLY simplified configuration and decrease convergence times!!

Page 67: How to Convince Your Boss to Deploy Ipv6

Data Center/Internet Edge

Page 68: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 68

IPv6 Data Center Integration

Route/Switch design will be similar to campus based on feature, platform and connectivity similarities – Nexus, 6500 4900M

The single most overlooked and potentially complicated area of IPv6 deployment

IPv6 for SAN (FCIP, iSCSI, Management)

Stuff people don‘t think about:

NIC Teaming, iLO, DRAC, IP KVM, Clusters

Innocent looking Server OS upgrades – Windows Server 2008 - Impact on clusters – Microsoft Server 2008 Failover clusters full support IPv6 (and L3)

Internet-facing Data Center

Most of the internal and Internet DC considerations are the same

Page 69: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 69

IPv6 Configuration on Nexus

IP-is-IP – minor syntax changes based on different platforms between campus & data center

Check for the features you need, platform support, performance capabilities

Same stuff you do for any new platform you invest in

interface Vlan114

no shutdown

description Outside FW VLAN

ipv6 address 2001:0db8:cafe:0114::0002/64

hsrp version 2

hsrp 114 ipv6

preempt delay minimum 180

timers 1 3

ip autoconfig

Page 70: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 70

iSCSI/VRRP for IPv6 Same configuration requirements and operation as with IPv4

Can use automatic preemption—configure VR address to be the same as physical interface of ―primary‖

Host-side HA uses NIC teaming (see slides for NIC teaming)

Support for iSCSI with IPsec

Page 71: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 71

iSCSI IPv6 Example—MDSInitiator/Target

iscsi virtual-target name iscsi-atto-target

pWWN 21:00:00:10:86:10:46:9c

initiator iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com permit

iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com

static pWWN 24:01:00:0d:ec:24:7c:42

vsan 1

zone default-zone permit vsan 1

zone name iscsi-zone vsan 1

member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com

member pwwn 21:00:00:10:86:10:46:9c

member pwwn 24:01:00:0d:ec:24:7c:42

member symbolic-nodename iscsi-atto-target

zone name Generic vsan 1

member pwwn 21:00:00:10:86:10:46:9c

zoneset name iscsi_zoneset vsan 1

member iscsi-zone

zoneset name Generic vsan 1

member Generic

Page 72: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 72

interface GigabitEthernet2/1

ipv6 address 2001:db8:cafe:12::5/64

no shutdown

vrrp ipv6 1

address 2001:db8:cafe:12::5

no shutdown

interface GigabitEthernet2/1

ipv6 address 2001:db8:cafe:12::6/64

no shutdown

vrrp ipv6 1

address 2001:db8:cafe:12::5

no shutdown

MDS-1 MDS-2

mds-1# show vrrp ipv6 vr 1

Interface VR IpVersion Pri Time Pre State VR IP addr

------------------------------------------------------------------

GigE2/1 1 IPv6 255 100cs master 2001:db8:cafe:12::5

mds-2# show vrrp ipv6 vr 1

Interface VR IpVersion Pri Time Pre State VR IP addr

------------------------------------------------------------------

GigE2/1 1 IPv6 100 100cs backup 2001:db8:cafe:12::5

iSCSI/VRRP IPv6 Example—MDSInterface

Page 73: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 73

iSCSI Initiator Example—W2K8 IPv6

iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com

interface GigabitEthernet2/1

ipv6 address 2001:db8:cafe:12::5/64

mds9216-1# show fcns database vsan 1

VSAN 1:

---------------------------------------------------------------------

FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE

---------------------------------------------------------------------

0x670400 N 21:00:00:10:86:10:46:9c scsi-fcp:target

0x670405 N 24:01:00:0d:ec:24:7c:42 (Cisco) scsi-fcp:init isc..w

1

2

3

Page 74: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 74

SAN-OS 3.x—FCIP(v6)

fcip profile 100

ip address 2001:db8:cafe:50::1

tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84

!

interface fcip100

use-profile 100

peer-info ipaddr 2001:db8:cafe:50::2

!

interface GigabitEthernet2/2

ipv6 address 2001:db8:cafe:50::1/64

fcip profile 100

ip address 2001:db8:cafe:50::2

tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84

!

interface fcip100

use-profile 100

peer-info ipaddr 2001:db8:cafe:50::1

!

interface GigabitEthernet2/2

ipv6 address 2001:db8:cafe:50::2/64

Page 75: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 75

Data Center NIC Teaming IssueWhat Happens If IPv6 Is Unsupported?

Interface 10: Local Area Connection #VIRTUAL TEAM INTERFACE

Addr Type DAD State Valid Life Pref. Life Address

--------- ---------- ------------ ------------ -----------------------------

Public Preferred 29d23h58m41s 6d23h58m41 2001:db8:cafe:10:20d:9dff:fe93:b25d

netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7

Ok.

netsh interface ipv6>sh add

Querying active state...

Interface 10: Local Area Connection

Addr Type DAD State Valid Life Pref. Life Address

--------- ---------- ------------ ------------ -----------------------------

Manual Duplicate infinite infinite 2001:db8:cafe:10::7

Public Preferred 29d23h59m21s 6d23h59m21s 2001:db8:cafe:10:20d:9dff:fe93:b25d

Auto-configuration

Static configuration

Note: Same Issue Applies to Linux

Page 76: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 76

Intel ANS NIC Teaming for IPv6

Intel IPv6 NIC Q&A—Product support

http://www.intel.com/support/network/sb/cs-009090.htm

Intel now supports IPv6 with Express, ALB, and AFT deployments

Intel statement of support for RLB—―Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.‖

Page 77: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 77

Interim Hack for Unsupported NICs

Main issue for NICs with no IPv6 teaming support is DAD—Causes duplicate checks on Team and Physical even though the physical is not used for addressing

Set DAD on Team interface to ―0‖—Understand what you are doing

Microsoft Vista/W7/Server 2008 allows for a command line change to reduce the ―DAD transmits‖ value from 1 to 0

netsh interface ipv6 set interface 19 dadtransmits=0

Microsoft Windows 2003—Value is changed via a creation in the registry

\\HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\(InterfaceGUID)\DupAddrDetectTransmits - Value ―0‖

Linux# sysctl -w net/ipv6/conf/bond0/dad_transmits=0

net.ipv6.conf.eth0.dad_transmits = 0

Page 78: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 78

Intel NIC Teaming—IPv6 (Pre Team)

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :

Autoconfiguration IP Address. . . : 169.254.25.192

Subnet Mask . . . . . . . . . . . : 255.255.0.0

IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11

Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11

Ethernet adapter LAN:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.89.4.230

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2

IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12

Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12

Page 79: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 79

Intel NIC Teaming—IPv6 (Post Team)

Ethernet adapter TEAM-1:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.89.4.230

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2

IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13

Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13

Interface 13: TEAM-1

Addr Type DAD State Valid Life Pref. Life Address

--------- ---------- ------------ ------------ -----------------------------

Public Preferred 4m11s 4m11s 2001:db8:cafe:1::2

Link Preferred infinite infinite fe80::204:23ff:fec7:b0d6

Page 80: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 80

IPv6 in the Enterprise Data CenterBiggest Challenges Today

Application support for IPv6 – Know what you don‘t know

If an application is protocol centric (IPv4):

Needs to be rewritten

Needs to be translated until it is replaced

Wait and pressure vendors to move to protocol agnostic framework

Deployment of translation

NAT64 (Stateful for most enterprises)

Apache Reverse Proxy

Windows Port Proxy

3rd party proxy solutions

Network services above L3 (A short-term challenge)

SLB, SSL-Offload, application monitoring (probes)

Application Optimization

High-speed security inspection/perimeter protection

Page 81: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 81

Commonly Deployed IPv6-enabled OS/Apps

Operating Systems

Windows 7

Windows Server 2008/R2

SUSE

Red Hat

Ubuntu

The list goes on

Virtualization & Applications

VMware vSphere 4.1

Microsoft Hyper-V

Microsoft Exchange 2007 SP1/2010

Apache/IIS Web Services

Windows Media Services

Multiple Line of Business apps

Most commercial applications won‘t be your problem

– it will be the custom/home-grown apps

Page 82: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 82

ACE + IPv6 / ASR + NAT64

ACE SLB66v6

v6

SW coming (ACE30, ACE4710)

v6 v6

v4 server

v6

v4

Stateful NAT64 + SLB44

ACE SLB64

SW coming (ACE30, ACE4710)

v6 v4v4

v4

Page 83: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 83

NAT64

Lots of RFCs to check out:

RFC 6144 – Framework for IPv4/IPv6 Translation

RFC 6052 – IPv6 Addressing of IPv4/IPv6 Translators

RFC 6145 – IP/ICMP Translation Algorithm

RFC 6146 – Stateful NAT64

RFC 6147 – DNS64

Stateless – Not your friend in the enterprise (corner case deployment)

1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts-to-254 IPv4 hosts)

Requires the IPv6-only hosts to use an ―IPv4 translatable‖ address format

Stateful – What we are after for translating IPv6-only hosts to IPv4-only host(s)

It is what it sounds like – keeps state between translated hosts

Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc…)

This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)

Page 84: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 84

Stateful NAT64 – Example TopologyStatic Example

8

4

IPv6 Host:

2001:db8:c150:10::16

10.121.12.70

DMZ/DC

ASR

G0/0/0:

2001:DB8:CAFE:5555::1/64

G0/0/1:

10.121.220.1/24

interface GigabitEthernet0/0/0

description to 6k-dmz-1 Outside

no ip address

ipv6 address 2001:DB8:CAFE:5555::1/64

ipv6 eigrp 10

nat64 enable

!

interface GigabitEthernet0/0/1

description to 6k-dmz-1 Inside

ip address 10.121.220.1 255.255.255.0

nat64 enable

ipv6 access-list EDGE_ACL

permit ipv6 any host 2001:DB8:CAFE:BEEF::46

permit ipv6 any host 2001:DB8:CAFE:BEEF::48

!

nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96

nat64 v4 pool EDGE 10.121.55.1 10.121.55.1

nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46

nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::48

nat64 v6v4 list EDGE_ACL pool EDGE overload

Internet

10.121.13.52

Page 85: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 85

NAT64 TranslationsASR1k#sh nat64 translations

Proto Original IPv4 Translated IPv4

Translated IPv6 Original IPv6

----------------------------------------------------------------------------

--- 10.121.13.52 2001:db8:cafe:beef::48

--- ---

--- 10.121.12.70 2001:db8:cafe:beef::46

--- ---

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1030 [2001:db8:cafe:10::16]:53601

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1029 [2001:db8:cafe:10::16]:53600

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1028 [2001:db8:cafe:10::16]:53599

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1024 [2001:db8:cafe:10::16]:53593

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1025 [2001:db8:cafe:10::16]:53596

tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443

10.121.55.1:1026 [2001:db8:cafe:10::16]:53597

tcp 10.121.12.70:80 [2001:db8:cafe:beef::46]:80

10.121.55.1:1027 [2001:db8:cafe:10::16]:53598

Total number of translations: 9

Static

Entries

Dynamic

Overloaded

Entries

Reference

Page 86: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 86

NAT64 StatisticsASR1k#show nat64 statistics

Total active translations: 6 (3 static, 3 dynamic; 3 extended)

Sessions found: 171

Sessions created: 3

Global Stats:

Packets translated (IPv4 -> IPv6)

Stateless: 0

Stateful: 100

Packets translated (IPv6 -> IPv4)

Stateless: 0

Stateful: 74

Interface Statistics

GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):

Packets translated (IPv6 -> IPv4)

Stateless: 0

Stateful: 74

GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):

Packets translated (IPv4 -> IPv6)

Stateful: 100

Dynamic Mapping Statistics

v6v4

access-list EDGE_ACL pool EDGE refcount 3

pool EDGE:

start 10.121.55.1 end 10.121.55.1

total addresses 1, allocated 1 (100%)*Output reduced for clarity

Reference

Page 87: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 87

Apache2 Reverse Proxy

<VirtualHost *:80>

ProxyPass / http://10.121.11.60:80/

ProxyPassReverse / http://10.121.11.60:80/

IPv4-only Web Server

Apache One-Arm

2001:db8:cafe:12::5

10.121.11.125

Apache Dual-Attached

TCP [2001:db8:beef:10::16]:54640 [2001:db8:cafe:12::5]:80 ESTABLISHED

TCP [2001:db8:beef:10::16]:54641 [2001:db8:cafe:12::5]:80 ESTABLISHED

Netstat - Client

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 10.121.11.125:40475 10.121.11.60:80 ESTABLISHED

tcp 0 0 10.121.11.125:40476 10.121.11.60:80 ESTABLISHED

tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54640 ESTABLISHED

tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54641 ESTABLISHED

Netstat - Proxy

TCP 10.121.11.60:80 10.121.11.125:40475 ESTABLISHED

TCP 10.121.11.60:80 10.121.11.125:40476 ESTABLISHED

Netstat - Server

2001:db8:beef:10::16

Page 88: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 88

Microsoft Windows PortProxy

Can be treated like an appliance

One-arm

Dual-attached (better perf)

Outside traffic comes in on IPv6—PortProxy to v4 (VIP address on ACE)

Traffic is IPv4 to serverIPv4-only Web Server

PortProxy One-Arm

2001:db8:cafe:12::25

10.121.12.25

ACE PortProxy Dual-Attached

VIP=10.121.5.20

Page 89: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 89

PortProxy Configuration/Monitoring

adsfnetsh interface portproxy>sh all

Listen on ipv6: Connect to ipv4:

Address Port Address Port

--------------- ---------- --------------- ----------

2001:db8:cafe:12::25 80 10.121.5.20 80

Active Connections

Proto Local Address Foreign Address State

TCP 10.121.12.25:58141 10.121.5.20:http ESTABLISHED

TCP [2001:db8:cafe:12::25]:80 [2001:db8:cafe:10::17]:52047 ESTABLISHED

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

14 1 in TCP 5 10.121.12.25:58573 10.121.5.20:80 ESTAB

13 1 out TCP 5 10.121.14.15:80 10.121.5.12:1062 ESTAB

Page 90: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 90

PortProxy PerformanceThroughput Example

0

50

100

150

200

250

download-1gig (1.2G)

247.2

192206.4

Thro

ugh

pu

t (M

bp

s)

HTTP Throughput Comparison - Direct vs. PortProxy

Direct v6-v6

PortProxy v6v4

PortProxy v6v6

Page 91: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 91

PortProxy PerformanceCPU Utilization on PortProxy Server

Page 92: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 92

Dual Stack the Internet Edge

Dual stack the same network you have

If not, do just enough IPv6-only to get you going

Most design elements should be the same as with IPv4 (minus pure NAT/PAT)

You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps

ISP 1 ISP 2

Internet

Enterprise Core

DMZ/Server Farm

Web, Email, Other

Internal Enterprise

Edge Router

Outer Switch

Security Services

Inner switching/ SLB/Proxy/ Compute

Page 93: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 93

What if I Can‘t Dual Stack My Edge?

IPv6

Internet

IPv4-only Host

Server Load Balancer Stateful NAT64

IPv6

IPv4

IPv6

Internet

IPv4-only Host

IPv6

IPv4

IPv6

Internet

IPv4-only Host

Proxy

IPv6

IPv4

-Apache

-MSFT

PortProxy

Page 94: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 94

Internet Edge - to - ISPBoatloads of optionsSingle Link

Single ISPDual Links

Single ISP

Multi-Homed

Multi-Region

Enterprise

ISP 1

Default

Route

Enterprise

POP1 POP2

ISP 1

Enterprise

ISP 1 ISP2

USA

ISP4

Europe

ISP3

BGP BGPIPv6

TunnelIPv4-only

Your ISP may not have

IPv6 at the local POP

BRKRST-2044 Enterprise Multi-homed Internet Architectures

Page 95: How to Convince Your Boss to Deploy Ipv6

WAN/BranchDeploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

Page 96: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 96

DualStack

SP

Cloud

Corporate

Network

WAN/Branch Deployment

Cisco routers have supported IPv6 for a long time

Dual-stack should be the focus of your implementation—but, some situations still call for tunneling

Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)

Don‘t assume all features for every technology are IPv6-enabled

Better feature support in WAN/branch than in campus/DC

Dual

Stack

Dual

Stack

Page 97: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 97

IPv6 Enabled BranchFocus more on the provider and less on the gear

Internet

HQ

Dual-Stack

IPSec VPN (IPv4/IPv6)

Firewall (IPv4/IPv6)

Integrated Switch

(MLD-snooping)

Branch

Single Tier

HQ

Internet Frame

Branch

Dual Tier

Dual-Stack

IPSec VPN or Frame Relay

Firewall (IPv4/IPv6)

Switches (MLD-snooping)

Branch

Multi-Tier

Dual-Stack

IPSec VPN or

MPLS (6PE/6VPE)

Firewall (IPv4/IPv6)

Switches (MLD-snooping)

HQ

MPLS

SP

support

for port-to-

port IPv6?

SP

support

for various

WAN

types?

Page 98: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 98

Hybrid Branch Example

Mixture of attributes from each profile

An example to show configuration for different tiers

Basic HA in critical roles is the goal

HeadquartersBranch

HSRP for IPv6 VIP Address

- FE80::5:73FF:FEA0:2

Primary DMVPN Tunnel

2001:DB8:CAFE:20A::/64

Backup DMVPN Tunnel (dashed)

2001:DB8:CAFE:20B::/64

2001:DB8:CAFE:1000::/642001:DB8:CAFE:202::/64

WAN

::1::2

::3 ::1

::2

::3

::4

VLAN 101:

2001:DB8:CAFE:1002::/64

::1

VLAN Interfaces:

104 - 2001:DB8:CAFE:1004::/64 – PC

105 - 2001:DB8:CAFE:1005::/64 – Voice

106 - 2001:DB8:CAFE:1006::/64 – Printer

::2

::3

Enterprise

Campus

Data Center

HE2

HE1

BR1-2

BR1-1ASA-1

BR1-LAN

::5::2

::3BR1-LAN-SW

Page 99: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 99

DMVPN with IPv6 Hub Configuration Example

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

!

crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac

!

crypto ipsec profile HUB

set transform-set HUB

interface Tunnel0

description DMVPN Tunnel 1

ip address 10.126.1.1 255.255.255.0

ipv6 address 2001:DB8:CAFE:20A::1/64

ipv6 mtu 1416

ipv6 eigrp 10

ipv6 hold-time eigrp 10 35

no ipv6 next-hop-self eigrp 10

no ipv6 split-horizon eigrp 10

ipv6 nhrp authentication CISCO

ipv6 nhrp map multicast dynamic

ipv6 nhrp network-id 10

ipv6 nhrp holdtime 600

ipv6 nhrp redirect

tunnel source Serial1/0

tunnel mode gre multipoint

tunnel key 10

tunnel protection ipsec profile HUBPrimary DMVPN Tunnel

2001:DB8:CAFE:20A::/64

Backup DMVPN Tunnel (dashed)

2001:DB8:CAFE:20B::/64

WAN

::1::2

::3 ::1

::2

::3

HE2

HE1

BR1-2

BR1-1

Page 100: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 100

DMVPN with IPv6 Spoke Configuration Example

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

!

crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SPOKE

set transform-set SPOKE

interface Tunnel0

description to HUB

ip address 10.126.1.2 255.255.255.0

ipv6 address 2001:DB8:CAFE:20A::2/64

ipv6 mtu 1416

ipv6 eigrp 10

ipv6 hold-time eigrp 10 35

no ipv6 next-hop-self eigrp 10

no ipv6 split-horizon eigrp 10

ipv6 nhrp authentication CISCO

ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1

ipv6 nhrp map multicast 172.16.1.1

ipv6 nhrp network-id 10

ipv6 nhrp holdtime 600

ipv6 nhrp nhs 2001:DB8:CAFE:20A::1

ipv6 nhrp shortcut

tunnel source Serial1/0

tunnel mode gre multipoint

tunnel key 10

tunnel protection ipsec profile SPOKE

Primary DMVPN Tunnel

2001:DB8:CAFE:20A::/64

Backup DMVPN Tunnel (dashed)

2001:DB8:CAFE:20B::/64

WAN

::1::2

::3 ::1

::2

::3

HE2

HE1

BR1-2

BR1-1

Page 101: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 101

ASA with IPv6 Snippet of full config – examples of IPv6 usage

name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch

name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server

!

interface GigabitEthernet0/0

description TO WAN

nameif outside

security-level 0

ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5

ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5

!

interface GigabitEthernet0/1

description TO BRANCH LAN

nameif inside

security-level 100

ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2

ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2

!

ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3

ipv6 route outside ::/0 fe80::5:73ff:fea0:2

!

ipv6 access-list v6-ALLOW permit icmp6 any any

ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP

!

failover

failover lan unit primary

failover lan interface FO-LINK GigabitEthernet0/3

failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2

access-group v6-ALLOW in interface outside

Page 102: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 102

Branch LANConnecting Hosts

ipv6 dhcp pool DATA_W7

dns-server 2001:DB8:CAFE:102::8

domain-name cisco.com

!

interface GigabitEthernet0/0

description to BR1-LAN-SW

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.104

description VLAN-PC

encapsulation dot1Q 104

ip address 10.124.104.1 255.255.255.0

ipv6 address 2001:DB8:CAFE:1004::1/64

ipv6 nd other-config-flag

ipv6 dhcp server DATA_W7

ipv6 eigrp 10

!

interface GigabitEthernet0/0.105

description VLAN-PHONE

encapsulation dot1Q 105

ip address 10.124.105.1 255.255.255.0

ipv6 address 2001:DB8:CAFE:1005::1/64

ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig

ipv6 nd managed-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:102::9

ipv6 eigrp 10

VLAN Interfaces:

104 - 2001:DB8:CAFE:1004::/64 – PC

105 - 2001:DB8:CAFE:1005::/64 – Voice

106 - 2001:DB8:CAFE:1006::/64 – Printer

BR1-LAN

BR1-LAN-SW

Page 103: How to Convince Your Boss to Deploy Ipv6

Remote Access

Page 104: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 104

AnyConnect Client 2.x and higherSSL/TLS or DTLS (datagram TLS = TLS over UDP)

Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4

and IPv6.

InternetClient-based SSL

Cisco Remote VPN – IPv6

Page 105: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 105

AnyConnect 2.x—SSL VPN

Dual-Stack Host

AnyConnect Client

Cisco ASA

asa-edge-1#show vpn-sessiondb svc

Session Type: SVC

Username : ciscoese Index : 14

Assigned IP : 10.123.2.200 Public IP : 10.124.2.18

Assigned IPv6: 2001:db8:cafe:101::101

Protocol : Clientless SSL-Tunnel DTLS-Tunnel

License : SSL VPN

Encryption : RC4 AES128 Hashing : SHA1

Bytes Tx : 79763 Bytes Rx : 176080

Group Policy : AnyGrpPolicy Tunnel Group: ANYCONNECT

Login Time : 14:09:25 MST Mon Dec 17 2007

Duration : 0h:47m:48s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

Page 106: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 106

AnyConnect 2.x—Summary Configuration

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.123.1.4 255.255.255.0

ipv6 enable

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.123.2.4 255.255.255.0

ipv6 address 2001:db8:cafe:101::ffff/64

!

ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200

webvpn

enable outside

svc enable

tunnel-group-list enable

group-policy AnyGrpPolicy internal

group-policy AnyGrpPolicy attributes

vpn-tunnel-protocol svc

default-domain value cisco.com

address-pools value AnyPool

tunnel-group ANYCONNECT type remote-access

tunnel-group ANYCONNECT general-attributes

address-pool AnyPool

ipv6-address-pool ANYv6POOL

default-group-policy AnyGrpPolicy

tunnel-group ANYCONNECT webvpn-attributes

group-alias ANYCONNECT enable

Outside

Inside 2001:db8:cafe:101::ffff

http://www.cisco.com/en/US/docs/security/vp

n_client/anyconnect/anyconnect20/administra

tive/guide/admin6.html#wp1002258

Page 107: How to Convince Your Boss to Deploy Ipv6

Communicating with the Service Provider

Page 108: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 108

Top SP Concerns for Enterprise Accounts

Port to Port Access

Multi-Homing

Content Provisioning

IPv6

Page 109: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 109

Port-to-Port Access

Port to Port Access Multi-Homing

Content Provisioning

IPv6

• Dual-stack or native IPv6 at each POP

• SLA driven just like IPv4 to support VPN, content accessBasic Internet

• 6VPE

• IPv6 Multicast

• End-to-End traceability MPLS

• IPv6 access to hosted content

• Cloud migration (move data from Ent DC to Hosted DC)

Hosted (see content)

*

* = most common issue

Page 110: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 110

Multi-Homing

Port to Port Access Multi-Homing

Content Provisioning

IPv6

• PA is no good for customers with multiple providers or change them at any pace

• PI is new, constantly changing expectations and no ―guarantee‖ an SP won‘t do something stupid like not route PI space

• Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI

PI/PA Policy Concerns

• Religious debate about the security exposure – not a multi-homing issue

• If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from – no scalable IPv6 NAT exists today

NAT

• Is it really different from what we do today with IPv4? Is this policy stuff?

• Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc.. – this is largely missing today

Routing

*

Page 111: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 111

Content

Port to Port Access Multi-Homing

Content Provisioning

IPv6

• IPv6 provisioning and access to hosted or cloud-based services today (existing agreements)

• Salesforce.com, Microsoft BPOS (Business Productivity Online Services), Amazon, Google Apps

Hosted/Cloud Apps today

• Movement from internal-only DC services to hosted/cloud-based DC

• Provisioning, data/network migration services, DR/HA

Move to Hosted/Cloud

• Third-party marketing, business development, outsourcing

• Existing contracts – connect over IPv6

Contract/Managed Marketing/Portals

*

Page 112: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 112

Provisioning

Port to Port Access Multi-Homing

Content Provisioning

IPv6

• Not a lot of information from accounts on this but it does concern them

• How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6

SP Self-Service Portals

• More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA

• Again, how can they do this over IPv6 AND for IPv6 services

SLA*

Page 113: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 113

IPv6 integration should be managed from a broad architectural / ‗systems-wide‘ perspective…

IPv6 integration is not ‗just a network upgrade‘ but complex endeavour, involving many elements

and capabilities which evolve over time, rather than changing all at once.

Planning and coordination is required from many

across the organisation, including …

Network engineers & operators

Security engineers

Application developers

Desktop (Office Automation) / Server engineers

Web hosting / content developers

Business development managers

Moreover, training will be required for all involved

in supporting the various IPv6 based network services

Page 114: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 114

• ―Dual stack where you can – Tunnel where you must – Translate when you have a gun to your head‖

• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management

• Now is your time to build a network your way – don‘t carry the IPv4 mindset forward with IPv6 unless it makes sense

• Deploy it – at least in a lab – IPv6 won‘t bite

"If you don't like change, you're going to like irrelevance even less." - Gen. Shinseki, Chief of Staff, U.S. Army

Conclusion

Page 115: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 1151

1

Receive 25 Cisco Preferred Access points for each session evaluation you complete.

Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don‘t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Complete Your Online Session Evaluation

Page 116: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 116

Thank you.

Page 117: How to Convince Your Boss to Deploy Ipv6

Reference Slides

Page 118: How to Convince Your Boss to Deploy Ipv6

Reference Slides: Microsoft Windows Vista/Windows 7/Server 2008

Page 119: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 119

Understand the Behavior of Vista/W7

IPv6 is preferred over IPv4Vista/W7 sends IPv6 NA/NS/RS upon link-up

Attempts DHCP for IPv6

If no DHCP or local RA received with Global or ULA, then try ISATAP

If no ISATAP, then try Teredo

Become familiar with Teredohttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx

ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4—http://www.microsoft.com/technet/network/p2p/default.mspx

Page 120: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 120

In More Detail—Vista/W7 on Link-UpNo Network Services

1. Unspecified address :: Solicited node address NS/DAD

2. Looking for a local router ff02::2 RS

3. Looking for MLD enabled routers ff02::16 MLDv2 report

4. LLMNR for IPv6—ff02::1:3—advertise hostname

5. LLMNR for IPv4—224.0.0.252 from RFC 3927 address

6. No global or ULA received via step 1/2—Try ISATAP

7. Try DHCP for IPv6—ff02::1:2

8. Try DHCP for IPv4

No. Time Source Destination Protocol Info1 0.000000 :: ff02::1:ffae:4361 ICMPv6 Neighbor solicitation2 0.000030 fe80::80aa:fd5:f7ae:4361 ff02::2 ICMPv6 Router solicitation3 0.000080 fe80::80aa:fd5:f7ae:4361 ff02::16 ICMPv6 Multicast Listener Report Message v24 1.155917 fe80::80aa:fd5:f7ae:4361 ff02::1:3 UDP Source port: 49722 Destination port: 53555 1.156683 169.254.67.97 224.0.0.252 UDP Source port: 49723 Destination port: 53556 3.484709 169.254.67.97 169.254.255.255 NBNS Name query NB ISATAP<00>7 126.409530 fe80::80aa:fd5:f7ae:4361 ff02::1:2 DHCPv6 Information-request8 128.886397 0.0.0.0 255.255.255.255 DHCP DHCP Discover—Transaction ID 0x6c8d6efa

fe80::80aa:fd5:f7ae:4361

Page 121: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 121

IPv4 Network—No IPv6 Network ServicesWhat Does Vista/W7 Try to Do?

No. Time Source Destination Protocol Info13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK - Transaction ID 0x2b8af443

....Bootstrap Protocol

...Your (client) IP address: 10.120.2.2 (10.120.2.2)...Option: (t=3,l=4) Router = 10.120.2.1Option: (t=6,l=4) Domain Name Server = 10.121.11.4Option: (t=15,l=9) Domain Name = "cisco.com"..

No. Time Source Destination Protocol Info70 13.360756 10.120.2.2 10.121.11.4 DNS Standard query A isatap.cisco.com

No. Time Source Destination Protocol Info138 25.362181 10.120.2.2 10.121.11.4 DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source Destination Protocol Info580 296.686197 10.120.2.2 10.120.3.2 TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8581 296.687721 10.120.3.2 10.120.2.2 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152 582 296.687794 10.120.2.2 10.120.3.2 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0583 296.687913 10.120.2.2 10.120.3.2 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0

10.120.2.2 10.120.3.2

ISATAP??

Teredo??

IPv4-only Router

Page 122: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 122

What Is Teredo?

RFC4380

Tunnel IPv6 through NATs (NAT types defined in RFC3489)Full Cone NATs (aka one-to-one)—Supported by Teredo

Restricted NATs—Supported by Teredo

Symmetric NATs—Supported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NATs

Uses UDP port 3544

Is complex—many sequences for communication and has several attack vectors

Available on:Microsoft Windows XP SP1 w/Advanced Networking Pack

Microsoft Windows Server 2003 SP1

Microsoft Windows Vista/W7 (enabled by default—inactive until application requires it)

Microsoft Server 2008http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx

Linux, BSD and Mac OS X—―Miredo‖http://www.simphalempin.com/dev/miredo/

Page 123: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 123

Teredo Components

Teredo Client—Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)

Teredo Server—Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts—Listens on UDP port 3544

Teredo Relay—Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts

Teredo Host-Specific Relay—Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay

Page 124: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 124

Teredo Overview

Teredo server

Teredo relay

NAT

IPv6 over IPv4 traffic

IPv6 traffic

NAT

Teredo client

Teredo

host-specific relay

IPv6-only host

IPv6 or IPv6

over IPv4 traffic

Teredo client

*From Microsoft ―Teredo Overview‖ paper

IPv4 Internet IPv6 Internet

Page 125: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 125

Teredo Address

Teredo IPv6 prefix (2001::/32—previously was 3FFE:831F::/32)

Teredo Server IPv4 address: global address of the server

Flags: defines NAT type (e.g. Cone NAT)

Obfuscated External Port: UDP port number to be used with the IPv4 address

Obfuscated External Address: contains the global address of the NAT

Teredo prefix

32 bits

Teredo Server IPv4 Address

32 bits

Flags

16 bits

ObfuscatedExternal Address

32 bits

ObfuscatedExternal

Port

16 bits

Page 126: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 126

Initial Configuration for Client

1. RS message sent from Teredo client to server—RS from LL address with Cone flag set

2. Server responds with RA—RS has Cone flag set—server sends RA from alternate v4 address—if client receives the RA, client is behind cone NAT

3. If RA is not received by client, client sends another RA with Cone flag not set

4. Server responds with RA from v4 address = destination v4 address from RS—if client receives the RA, client is behind restricted NAT

5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server

6. 2nd server sends an RA to client—client compares mapped address and UDP ports in the Origin indicators of the RA received by both servers. If different, then the NAT is mapping same internal address/port to different external address/port and NAT is a symmetric NAT

7. Client constructs Teredo address from RAFirst 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo

server address)

Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)

Next 16 bits are external obscured UDP port from Origin indicator in RA

Last 32 bits are obscured external IP address from Origin indicator in RA

7 2001:0:4136:e37e:0:fbaa:b97e:fe4e

TeredoPrefix

TeredoServer v4

Flags Ext. UDPPort v4

External v4address

TeredoClient NAT

IPv4Internet

1

2

3

4

5

6

TeredoServer 1

TeredoServer 2

Page 127: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 127

What Happens on the Wire—1No. Time Source Destination Protocol Info

15 25.468050 172.16.1.103 151.164.11.201 DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source Destination Protocol Info16 25.481609 151.164.11.201 172.16.1.103 DNS Standard query response A 65.54.227.126 A

65.54.227.127 A 65.54.227.120 A 65.54.227.124

netsh interface ipv6>sh teredoTeredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.comClient Refresh Interval : defaultClient Port : defaultState : qualifiedType : teredo clientNetwork : unmanagedNAT : restricted

netsh interface ipv6>sh teredoTeredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.comClient Refresh Interval : defaultClient Port : defaultState : probe(cone)Type : teredo clientNetwork : unmanagedNAT : cone

Page 128: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 128

What Happens on the Wire—2No. Time Source Destination Protocol Info

28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitationInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation

Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)

No. Time Source Destination Protocol Info31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation

Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement

Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)Teredo Origin Indication header

Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)

Prefix: 2001:0:4136:e37e::

No. Time Source Destination Protocol Info33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation

Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement

Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo Origin Indication header

Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)

Prefix: 2001:0:4136:e37e::

Send RS Cone Flag=1 (Cone NAT), every 4 seconds

If no reply, send Flag=0 (restricted NAT)

Receive RA with Origin header and prefix

Send RS to 2nd

server to check for symmetric NAT

Compare 2nd

RA—Origin port/address from 2nd server

Page 129: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 129

What Happens on the Wire—3No. Time Source Destination Protocol Info82 139.258206 172.16.1.103 151.164.11.201 DNS Standard query AAAA www.kame.net

No. Time Source Destination Protocol Info83 139.530547 151.164.11.201 172.16.1.103 DNS Standard query response AAAA2001:200:0:8002:203:47ff:fea5:3085

No. Time Source Destination Protocol Info96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo requestInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info97 149.405579 fe80::8000:5445:5245:444f 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header

Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo IPv6 over UDP tunneling

Teredo Origin Indication headerOrigin UDP port: 50206Origin IPv4 address: 66.117.47.227 (66.117.47.227)

No. Time Source Destination Protocol Info98 149.405916 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206

No. Time Source Destination Protocol Info99 149.463719 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109

No. Time Source Destination Protocol Info100 149.464100 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206

No. Time Source Destination Protocol Info101 149.789493 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109………

DNS lookup

Response

ICMP to host via Teredo Server

Relay sends Bubble packet to client via server—client receives relay address-port

Packets to/from IPv6 host and client traverse relay

According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sent—being researched:

http://msdn2.microsoft.com/en-us/library/aa965910.aspx

Page 130: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 130

What Happens on the Wire—3 (Cont.)

Interface 7: Teredo Tunneling Pseudo-Interface

Addr Type DAD State Valid Life Pref. Life Address--------- ---------- ------------ ------------ -----------------------------Public Preferred infinite infinite 2001:0:4136:e37e:0:fbaa:b97e:fe4eLink Preferred infinite infinite fe80::ffff:ffff:fffd

C:\>ping www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=453msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=288msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms

Page 131: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 131

Maintaining NAT Mapping

Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT state

Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59—No next header)

No. Time Source Destination Protocol Info35 46.399072 2001:0:4136:e37e:0:fbaa:b97e:fe4e ff02::1 IPv6 IPv6 no next header

Frame 35 (82 bytes on wire, 82 bytes captured)Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)Teredo IPv6 over UDP tunnelingInternet Protocol Version 6

Version: 6Traffic class: 0x00Flowlabel: 0x00000Payload length: 0Next header: IPv6 no next header (0x3b)Hop limit: 21Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4eDestination address: ff02::1

Page 132: How to Convince Your Boss to Deploy Ipv6

Reference Slides: ISATAP Overview

Page 133: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 133

Intrasite Automatic Tunnel Address Protocol

RFC 4214

This is for enterprise networks such as corporate and academic networks

Scalable approach for incremental deployment

ISATAP makes your IPv4 infratructure as transport (NBMA) network

Page 134: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 134

Intrasite Automatic Tunnel Address Protocol

ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network

Supported in Windows XP Pro SP1 and others

Interface

Identifier

(64 bits)

IPv4 Address64-bit Unicast Prefix 0000:5EFE:

32-bit32-bit

Use IANA‘s OUI 00-00-5E and Encode IPv4 Address as Part of EUI-64

Page 135: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 135

IPv6

Network

IPv4 Network ISATAP Router 1

E0

Automatic Advertisement of ISATAP Prefix

ISATAP Tunnel

ISATAP Host A

ICMPv6 Type 133 (RS)

IPv4 Source: 206.123.20.100

IPv4 Destination: 206.123.31.200

IPv6 Source: fe80::5efe:ce7b:1464

IPv6 Destination: fe80::5efe:ce7b:1fc8

Send me ISATAP Prefix ICMPv6 Type 134 (RA)

IPv4 Source: 206.123.31.200

IPv4 Destination: 206.123.20.100

IPv6 Source: fe80::5efe:ce7b:1fc8

IPv6 Destination: fe80::5efe:ce7b:1464

ISATAP Prefix: 2001:db8:ffff :2::/64

Page 136: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 136

Automatic Address Assignment of Host and Router

ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1

When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.

206.123.20.100

fe80::5efe:ce7b:1464

2001:db8:ffff:2::5efe:ce7b:1464

206.123.31.200

fe80::5efe:ce7b:1fc8

2001:db8:ffff:2::5efe:ce7b:1fc8

IPv6

Network

IPv4 Network ISATAP Router 1

E0ISATAP Tunnel

ISATAP Host A

Page 137: How to Convince Your Boss to Deploy Ipv6

Reference Slides: Multicast

Page 138: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 138

IPv4 and IPv6 Multicast Comparison

Service IPv4 Solution IPv6 Solution

Addressing Range 32-bit, Class D 128-bit (112-bit Group)

RoutingProtocol Independent, All IGPs and MBGP

Protocol Independent, All IGPs and MBGP with v6 mcast SAFI

ForwardingPIM-DM, PIM-SM,

PIM-SSM, PIM-bidir, PIM-BSR

PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR

Group Management IGMPv1, v2, v3 MLDv1, v2

Domain Control Boundary, Border Scope Identifier

Interdomain SolutionsMSDP Across Independent

PIM DomainsSingle RP Within Globally

Shared Domains

Page 139: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 139

MLDv1: Joining a Group (REPORT)

Destination:

FF3E:40:2001:DB8:C003:1109:1111:1111

ICMPv6 Type: 131

FE80::207:85FF:FE80:692

FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

rtr-a

Source

Group:FF3E:40:2001:DB8:C003:1109:1111:1111

H1

1

1 Destination:

FF3E:40:2001:DB8:C003:1109:1111:1111

ICMPv6 Type: 131

2

2

H1 sends a REPORT for the group

H2 sends a REPORT for the group

1

2

H2

Page 140: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 140

H1 sends DONE to FF02::2

RTR-A sends Group-Specific Query

H2 sends REPORT for the group 3

1

1 2

MLDv1: Host Management (Group-Specific Query)

FE80::207:85FF:FE80:692

FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

rtr-a

Group:FF3E:40:2001:DB8:C003:1109:1111:1111

H1

3 REPORT to group

ICMPv6 Type: 131

1

2

Destination:

FF02::2

ICMPv6 Type: 132

Destination:

FF3E:40:2001:DB8:C003:1109:1111:1111

ICMPv6 Type: 130

H2

Source

Page 141: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 141

Other MLD Operations

Leave/DONE

Last host leaves—sends DONE (Type 132)

Router will respond with group-specific query (Type 130)

Router will use the last member query response interval (Default=1 sec) for each query

Query is sent twice and if no reports occur then entry is removed (2 seconds)

General Query (Type 130)

Sent to learn of listeners on the attached link

Sets the multicast address field to zero

Sent every 125 seconds (configurable)

Page 142: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 142

A Few Notes on Tunnels—

PIM uses tunnels when RPs/sources are known

Source registering (on first-hop router)

Uses virtual tunnel interface (appear in OIL for [S,G])

Created automatically on first-hop router when RP is known

Cisco IOS® keeps tunnel as long as RP is known

Unidirectional (transmit only) tunnels

PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)

Page 143: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 143

PIM Tunnels (DR-to-RP)

branch#show interface tunnel 1

Tunnel1 is up, line protocol is up

Hardware is Tunnel

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 2001:DB8:C003:111E::2 (Serial0/2),

destination 2001:DB8:C003:1116::2

Tunnel protocol/transport PIM/IPv6, key disabled,

sequencing disabled

Checksumming of packets disabled

Tunnel is transmit only

Last input never, output never, output hang never

Last clearing of "show interface" counters never

… output truncated…

branch#show ipv6 pim tunnel

Tunnel1*

Type : PIM Encap

RP : 2001:DB8:C003:1116::2

Source: 2001:DB8:C003:111E::2

RP

L0

Corporate

Network

Source

DR

Page 144: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 144

PIM Tunnels (RP)

Source registering (on RP) two virtual tunnels are created

One transmit only for registering sources locally connected to the RP

One receive only for decapsulation of incoming registers from remote designated routers

No one-to-one relationship between virtual tunnels on designated routers and RP!

Page 145: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 145

PIM Tunnels (RP-for-Source)

RP-router#show interface tunnel 1

Tunnel1 is up, line protocol is up

Hardware is Tunnel

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 2001:DB8:C003:1116::2

(FastEthernet0/0), destination 2001:DB8:C003:1116::2

Tunnel protocol/transport PIM/IPv6, key disabled,

sequencing disabled

Checksumming of packets disabled

Tunnel is receive only

… output truncated…

RP-router#show ipv6 pim tunnel

Tunnel0*

Type : PIM Encap

RP : 2001:DB8:C003:1116::2

Source: 2001:DB8:C003:1116::2

Tunnel1*

Type : PIM Decap

RP : 2001:DB8:C003:1116::2

Source: - RP

L0

Corporate

Network

SourceTu

Page 146: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 146

Tunneling v6 Multicast

v6 in v4

v6 in v4 most widely usedtunnel mode ipv6ip <----- IS-IS cannot traverse

v6 in v4 GRE (IS-IS can traverse)tunnel mode gre ip

ISATAP/6to4 do not support IPv6 multicast

v6 in v6

v6 in v6 tunnel mode ipv6

v6 in v6 GREtunnel mode gre ipv6

Page 147: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 147

Source Specific Multicast (SSM)

No configuration required other than enabling

ipv6 multicast-routing

SSM group ranges are automatically defined

Requires MLDv2 on host or SSM Mapping feature

router#show ipv6 pim range-list

config SSM Exp: never Learnt from : ::

FF33::/32 Up: 1d00h

FF34::/32 Up: 1d00h

FF35::/32 Up: 1d00h

FF36::/32 Up: 1d00h

FF37::/32 Up: 1d00h

FF38::/32 Up: 1d00h

FF39::/32 Up: 1d00h

FF3A::/32 Up: 1d00h

FF3B::/32 Up: 1d00h

FF3C::/32 Up: 1d00h

FF3D::/32 Up: 1d00h

FF3E::/32 Up: 1d00h

FF3F::/32 Up: 1d00h

Page 148: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 148

SSM-Mapping

Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints

SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint

SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2)

Range of groups can be statically defined or used with DNS

Wildcards can be used to define range of groups

Page 149: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 149

SSM-Mapping

Corporate

Network

2001:DB8:CAFE:11::11

ipv6 multicast-routing

!

ipv6 mld ssm-map enable

ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11

no ipv6 mld ssm-map query dns

!

ipv6 access-list MAP

permit ipv6 any host FF33::DEAD

MLDv1

Source

FF33::DEAD

SSM

core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11

(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT

Incoming interface: GigabitEthernet3/3

RPF nbr: FE80::20E:39FF:FEAD:9B00

Immediate Outgoing interface list:

GigabitEthernet5/1, Forward, 00:01:20/00:03:06

ipv6 multicast-routing

!

ipv6 mld ssm-map enable

!

ip domain multicast ssm-map.cisco.com

ip name-server 10.1.1.1

Static Mapping:

DNS Mapping (the default):

Page 150: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 150

RP

IP

WAN

L0

Corporate

Network

Source

ipv6 multicast-routing

!

ipv6 pim rp-address 2001:DB8:C003:110A::1/64

IPv6 Multicast Static RP

Easier than before as PIM is auto-enabled on every interface

ipv6 multicast-routing

!

interface Loopback0

description IPV6 IPmc RP

no ip address

ipv6 address 2001:DB8:C003:110A::1/64

!

ipv6 pim rp-address 2001:DB8:C003:110A::1/64

Page 151: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 151

IPv6 Multicast PIM BSR: Configuration

RP—2001:DB8:C003:1116::2

Source

Corporate

NetworkIP

WAN

RP—2001:DB8:C003:110A::1

wan-bottom#sh run | incl ipv6 pim bsr

ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1

ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1

wan-top#sh run | incl ipv6 pim bsr

ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2

ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2

Page 152: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 152

Bidirectional PIM (Bidir)

The same many-to-many model as before

Configure Bidir RP and range via the usual ip pim rp-address syntax with the optional bidir keyword

!

ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir

!

#show ipv6 pim range | include BD

Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::

Page 153: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 153

Embedded-RP Addressing Overview

RFC 3956

Relies on a subset of RFC3306—IPv6 unicast-prefix-based multicast group addresses with special encoding rules:

Group address carries the RP address for the group!

8 4 4 4 4 8 64 32

FF | Flags| Scope |Rsvd | RPaddr| Plen | Network Prefix | Group ID

New Address format defined :

Flags = 0RPT, R = 1, P = 1, T = 1=> RP address embedded

(0111 = 7)

Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112

Embedded RP: 2001:0DB8:C003:111D::1

Page 154: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 154

Embedded-RP

PIM-SM protocol operations with embedded-RP:

Intradomain transition into embedded-RP is easy:

Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!

Embedded-RP is just a method to learn ONE RP address for a multicast group:

It can not replace RP-redundancy as possible with BSR or MSDP/Anycast-RP

Embedded-RP does not (yet) support Bidir-PIM

Simply extending the mapping function to define Bidir-PIM RPs is not sufficient:

In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported

Page 155: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 155

RP

L0

Corporate

Network

Source

IP

WAN

Embedded-RP Configuration Example

RP to be used as an Embedded-RP needs to be configured with address/group range

All other non-RP routers require no special configuration

ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP

!

ipv6 access-list ERP

permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96

Page 156: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 156

Embedded RP—Does It Work?

branch#show ipv6 pim range | include Embedded

Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::

FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24

IP

WAN

To RP

ReceiverSendsReport

branch#show ipv6 pim group

FF7E:140:2001:DB8:C003:111D ::/96*

RP : 2001:DB8:C003:111D::1

Protocol: SM

Client : Embedded

Groups : 1

Info : RPF: Se0/0.1,FE80::210:7FF:FEDD:40

branch#show ipv6 mroute active

Active IPv6 Multicast Sources - sending >= 4 kbps

Group: FF7E:140:2001:DB8:C003:111D:0:1112

Source: 2001:DB8:C003:1109::2

Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)

Page 157: How to Convince Your Boss to Deploy Ipv6

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 157


Recommended