Session ID-BRKRST-2301
Enterprise IPv6 Deployment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 2
Reference Materials
New/Updated IPv6 Cisco Sites: http://www.cisco.com/go/ipv6http://www.cisco.gom/go/entipv6
Deploying IPv6 in Campus Networks:http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
Deploying IPv6 in Branch Networks:http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 3
Recommended Reading
Deploying IPv6 in Broadband
Networks - Adeel Ahmed, Salman
Asadullah ISBN0470193387, John
Wiley & Sons Publications®
Available
Now!!
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 4
Agenda
IPv6 Activity in the Enterprise
Planning and Deployment Summary
IPv6 Address Considerations
General Network Considerations
Infrastructure Deployment
Campus/Data Center
WAN/Branch
Remote Access
Communicating with the Service Providers
Appendix—For Reference Only
IPv6 Activity in the Enterprise
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 6
Dramatic Increase in Enterprise ActivityWhy?
• Enterprise that is or will be expanding into new markets
• Address exhaustionGrowth/Protection
• Enterprise that partners with other companies/organizations doing IPv6
• Governments, enterprise partners, contractorsPartnership
• Microsoft Windows 7, Server 2008
• Microsoft DirectAccessOS/Apps
• Mergers & Acquisitions
• NAT Overlap
Fixing Old Problems
• High Density Virtual Machine environments (Server virtualization, VDI)
• SmartGridNew Technologies
Exte
rnal
Pre
ssure
Inte
rnal
Pre
ssure
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 7
100
90
80
70
60
50
40
30
20
10
0Jan 2011 Jul 2011 Jan 2012 Jul 2012 Jan 2013 Jul 2013 Jan 2014 Jul 2014 Jan 2015 Jul 2015
IANA APNIC RIPENCC ARIN LACNIC AFRINIC
Pro
babili
ty (
%)
Estimated Registry Exhaustion Dates
IANA/RIR IPv4 Exhaustion
Source: Geoff Huston, APNIC
We already know this is too conservative:
APNIC went into ―Stage 3‖ mid-April 2011
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 8
Innocent W2K3 -to- W2K8 Upgrade
Can happen if the circumstances are right
http://technet.microsoft.com/en-us/library/bb878128.aspx
C:\>ping svr-01
Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data:Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Windows 2003
C:\>ping svr-01
Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1msReply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Upgraded Host to Windows 2008
No. Time Source Destination Protocol Info
3969 244.938775 fe80::c4e2:f21d:d2b3:8463 ff02::1:3 UDP Source port: 63828 Destination port: llmnr
3970 244.938958 10.121.12.25 224.0.0.252 UDP Source port: 53753 Destination port: llmnr
...........svr-01….....
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 9
Mergers & Acquisitions
Unique blend of technical and business problems
Colliding RFC1918 space
Common options
If you don‘t collide then leave as-is until renumbering is complete
NAT overlap pools (into non-colliding space) until renumbering is complete
IPv6 as an overlay network
IPv6 added as a native protocol (dual stack)
This is a growing issue and IPv6 ends up being a perfect tool for resolving the technical issues
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 10
Corporate
Backbone
Sub-Company 2
Sub-Company 1
Corp HQ
10.0.0.0 address space
NAT Overlap + IPv6 Overlay Network
Build an overlay network to encapsulate IPv6 over IPv4
IPv6 is deployed only at those sites and for specific hosts that need end-to-end routability between entities
Can be very operationally difficult to maintain in large environments
May be a show stopper if you have to get a lot of tunnels past a bunch of IPv4 NAT
10.0.0.0 address space
10.0.0.0 address space
IPv4 static NAT entries for
each server X how
many??
.3
.21
.3
2001:DB8:1:3::21
2001:DB8:1:2::3
2001:DB8:1:1::3
IPv6 enables the network to provide
access to services between sites
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 11
Corporate
Backbone
Sub-Company 2
Sub-Company 1
Corp HQ
10.0.0.0 address space
Partial Overlay + Partial Dual Stack
Combine overlay network with dual stack
Build as much dual stack as you can – tunnel only when you have to
You won‘t want to keep this up forever – goal is dual stack to all places that need end-to-end connectivity between sites/orgs
10.0.0.0 address space
10.0.0.0 address space
.3
.21
.3
Dual Stack
Dual Stack2001:DB8:1:2::3
2001:DB8:1:3::212001:DB8:1:1::7
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 12
Corporate
Backbone
Sub-Company 2
Sub-Company 1
Corp HQ
10.0.0.0 address space
Dual Stack Everywhere
Dual stack everywhere – there is nothing else to say ;-)
We will discuss the deployment of dual stack and other end-to-end considerations for the rest of this talk
10.0.0.0 address space
10.0.0.0 address space
Dual Stack
Dual Stack
Dual Stack Dual Stack
Planning and Deployment Summary
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 14
Enterprise Adoption Spectrum
Preliminary Research
Pilot/Early Deployment
Production/Looking for parity and
beyond
• Is it real?
• Do I need to deploy
everywhere?
• Equipment status?
• SP support?
• Addressing
• What does it cost?
• Mostly or completely
past the ―why?‖ phase
• Assessment (e2e)
• Weeding out vendors
(features and $)
• Focus on training and
filling gaps
• Still fighting vendors
• Content and wide-scale
app deployment
• Review operational cost
of 2 stacks
• Competitive/Strategic
advantages of new
environment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 15
Cisco IPv6 Deployment - A Lifecycle Approach
Coordinated Planning and StrategyMake Sound Financial Decisions
Prepare
Assess ReadinessCan Your Network Support the Proposed System?
Plan
Maintain Network HealthManage, Resolve,
Repair, Replace
Operate
Implement the SolutionIntegrate Without Disruption or Causing Vulnerability
Implement
Design the SolutionProducts, Service, Support Aligned to Requirements
Design
Operational ExcellenceAdapt to Changing
Business RequirementsOptimize
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 16
IPv6 Integration Outline
• Establish the network starting point
• Importance of a network assessment and available tools
• Build a pilot or lab environment
• Obtain addressing or use ULAor documentation prefix (in lab)
• Learn the basics (DNS, routing changes, address assignment)
Pre-Deployment
Phases
Deployment
Phases
• Transport considerations for integration
• Internet Edge (ISP, Apps)
• Campus IPv6 integration options
• Data Center integration options
• WAN IPv6 integration options
• Execute on gaps found in assessment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 17
Where do I start? Based on Timeframe/Use case
Core-to-Edge – Fewer things to touch
Edge-to-Core – Challenging but doable
Internet Edge – Business continuity
Servers
Branch Branch
WAN
DC Access
DC Aggregation
DC/Campus Core
Campus Block
ISP ISP
InternetEdge
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 19
IPv6 Addresses IPv6 addresses are 128 bits long
Segmented into 8 groups of four HEX characters
Separated by a colon (:)
gggg:gggg:gggg:ssss: xxxx:xxxx:xxxx:xxxx
Global Routing Prefix
n <= 48 bits
Subnet ID
64 – n bitsHost
ssss:
2001:0000:0000:00A1: 0000:0000:0000:1E2A00A1:
Network Portion Interface ID
Global Unicast Identifier Example
2001:0:0: ::1E2AA1:
Full Format
Abbreviated Format
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 20
PI and PA Allocation Process
Registries
Level FourEnterprise
IANA
ISP Org
Provider Assigned
2000::/3
/48
2000::/3
/48
/12
/32
/12
Provider Independent
IPv4
Pool Empty
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 21
Hierarchical Addressing and Aggregation
Default is /48 – can be larger: https://www.arin.net/resources/request/ipv6_add_assign.html
Provider independent – See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html
ISP
2001:DB8::/32Site 2
IPv6 Internet
2000::/3
2001:DB8:0002::/48
2001:DB8:0001::/48
Site 1
Only
Announces
the /32 Prefix
2001:DB8:0001:0001::/64
2001:DB8:0001:0002::/64
2001:DB8:0002:0001::/64
2001:DB8:0002:0002::/64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 22
ULA, ULA + Global or Global
What type of addressing should I deploy internal to my network? It depends:
ULA-only—Today, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network
ULA + Global allows for the best of both worlds but at a price— much more address management with DHCP, DNS, routing and security—SAS does not always work as it should
Global-only—Recommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option
Let‘s explore these options…
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 23
Unique-Local Addressing (RFC4193) Used for internal communications, inter-site VPNs
Not routable on the internet—basically RFC1918 for IPv6 only better—less likelihood of collisions
Default prefix is /48/48 limits use in large organizations that will need more space
Semi-random generator prohibits generating sequentially ‗useable‘ prefixes—no easy way to have aggregation when using multiple /48s
Why not hack the generator to produce something larger than a /48 or even sequential /48s?
Is it ‗legal‘ to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers—remember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A
Routing/security controlYou must always implement filters/ACLs to block any packets going in or out of your
network (at the Internet perimeter) that contain a SA/DA that is in the ULA range—today this is the only way the ULA scope can be enforced
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
Generated ULA= fd9c:58ed:7d73::/48
* MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard)* EUI64 address=020D9Dfffe93A0C3* NTP date=cc5ff71943807789 cc5ff71976b28d86
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 24
Corporate
BackboneBranch 2
Branch 1Corp HQ
ULA-Only
Everything internal runs the ULA space
A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet
Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation (NPTv6)
Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
ULA Space FD9C:58ED:7D73::/48
FD9C:58ED:7D73:2800::/64
Internet
FD9C:58ED:7D73:3000::/64 FD9C:58ED:7D73::2::/64
Global –
2001:DB8:CAFE::/48
NAT66 Required
Not Recommended
Today
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 25
Corporate
BackboneBranch 2
Branch 1Corp HQ
ULA + Global
Both ULA and Global are used internally except for internal-only hosts
Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
In theory, ULA talks to ULA and Global talks to Global—SAS ‗should‘ work this out
ULA-only and Global-only hosts can talk to one another internal to the network
Define a filter/policy that ensures your ULA prefix does not ‗leak‘ out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
Management NIGHTMARE for DHCP, DNS, routing, security, etc…
ULA Space FD9C:58ED:7D73::/48
Global – 2001:DB8:CAFE::/48
FD9C:58ED:7D73:2800::/64
2001:DB8:CAFE:2800::/64
Internet
FD9C:58ED:7D73:3000::/64
2001:DB8:CAFE:3000::/64
FD9C:58ED:7D73::2::/64
2001:DB8:CAFE:2::/64
Global –
2001:DB8:CAFE::/48
Not Recommended
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 26
Considerations—ULA + Global
Use DHCPv6 for ULA and Global—apply different policies for both (lifetimes, options, etc..)
Check routability for both—can you reach an AD/DNS server regardless of which address you have?
Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.)
If using SLAAC for both—Microsoft Windows allows you to enable/disable privacy extensions globally—this means you are either using them for both or not at all!!!
One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)
Unlike Global and link-local scopes ULA is not automatically controlled at the appropriate boundary—you must prevent ULA prefix from going out or in at your perimeter
SAS behavior is OS dependent and there have been issues with it working reliably
Temporary Preferred 6d23h59m55s 23h59m55s 2001:db8:cafe:2:cd22:7629:f726:6a6b
Dhcp Preferred 13d1h33m55s 6d1h33m55s fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other Preferred infinite infinite fe80::8828:723c:275e:846d%8
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 27
ULA + Global Example
interface Vlan2
description ACCESS-DATA-2
ipv6 address 2001:DB8:CAFE:2::D63/64
ipv6 address FD9C:58ED:7D73:1002::D63/64
ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
Network
DHCPv6 Client
DHCPv6 Server2001:DB8:CAFE:11::9
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Dhcp Preferred 13d23h48m24s 6d23h48m24s 2001:db8:cafe:2:c1b5:cc19:f87e:3c41
Dhcp Preferred 13d23h48m24s 6d23h48m24s fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other Preferred infinite infinite fe80::8828:723c:275e:846d%8
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 28
Corporate
BackboneBranch 2
Branch 1Corp HQ
Global-Only
Global is used everywhere
No issues with SAS
No requirements to have NAT for ULA-to-Global translation—but, NAT may be used for other purposes
Easier management of DHCP, DNS, security, etc.
Only downside is breaking the habit of believing that topology hiding is a good security method
Global – 2001:DB8:CAFE::/48
2001:DB8:CAFE:2800::/64
Internet
2001:DB8:CAFE:3000::/64 2001:DB8:CAFE:2::/64
Global –
2001:DB8:CAFE::/48
Recommended
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 29
Randomized IID and Privacy Extensions
Enabled by default on Microsoft Windows
Enable/disable via GPO or CLI
Alternatively, use DHCP (see later) to a specific pool
Randomized address are generated for non-temporary autoconfigured addresses including public and link-local—used instead of EUI-64 addresses
Randomized addresses engage Optimistic DAD—likelihood of duplicate LL address is rare so RS can be sent before full DAD completion
Windows Vista/W7/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is ok)
Privacy extensions are used with SLAAC
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 30
Link Level—Prefix Length Considerations
/64 everywhere
/64 + /126
64 on host networks
126 on P2P
/64 + /127
64 on host networks
127 on P2P
Always use /128 on loop
64 bits > 64 bits
Address space conservation
Special cases:/126—valid for p2p/127—valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p-xx/(RFC3627))/128—loopback
Must avoid overlap with specific addresses:Router Anycast (RFC3513)Embedded RP (RFC3956)ISATAP addresses
Recommended by RFC3177 and IAB/IESG
Consistency makes management easy
MUST for SLAAC(MSFT DHCPv6also)
Significant address space loss (18.466 Quintillion)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 31
Using Link-Local for Non-Access ConnectionsUnder Research
What if you did not have to worry about addressing the network infrastructure for the purpose of routing?
IPv6 IGPs use LL addressing
Only use Global or ULA addresses at the edges for host assignment
For IPv6 access to the network device itself use a loopback
What happens to route filters? ACLs?—Nothing, unless you are blocking to/from the router itself
Stuff to think about:
Always use a RID
Some Cisco devices require ―ipv6 enable‖ on the interface in order to generate and use a link-local address
Enable the IGP on each interface used for routing or that requires its prefix to be advertised
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 32
Using LL + Loopback Only
ipv6 unicast-routing
!
interface Loopback0
ipv6 address 2001:DB8:CAFE:998::1/128
ipv6 eigrp 10
!
interface Vlan200
ipv6 address 2001:DB8:CAFE:200::1/64
ipv6 eigrp 10
!
interface GigabitEthernet1/1
ipv6 enable
ipv6 eigrp 10
!
ipv6 router eigrp 10
router-id 10.99.8.1
no shutdown
2001:db8:cafe:200::/642001:db8:cafe:100::/64
998::1/128 998::2/128
ipv6 unicast-routing
!
interface Loopback0
ipv6 address 2001:DB8:CAFE:998::2/128
ipv6 eigrp 10
!
interface GigabitEthernet3/4
ipv6 eigrp 10
!
interface GigabitEthernet1/2
ipv6 eigrp 10
!
ipv6 router eigrp 10
router-id 10.99.8.2
no shutdown
IPv6-EIGRP neighbors for process 10
0 Link-local address: Gi1/2
FE80::212:D9FF:FE92:DE77
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 33
Summary of Address Considerations
Provider Independent and/or Provider Assigned
ULA, ULA + Global, Global only
Prefix-length allocation
/64 everywhere except loopbacks (/128)
/64 on host links, /126 on P2P links, /128 on loopbacks
Variable prefix-lengths on host links
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 34
SLAAC & Stateful/Stateless DHCPv6
StateLess Address AutoConfiguration (SLAAC) – RA-based assignment (a MUST for Mac)
Stateful and stateless DHCPv6 server
Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
DHCPv6 Relay—supported on routers and switches
interface FastEthernet0/1
description CLIENT LINK
ipv6 address 2001:DB8:CAFE:11::1/64
ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
Network
IPv6 Enabled Host
DHCPv6Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 35
Basic DHCPv6 Message Exchange
DHCPv6 ClientDHCPv6 Relay Agent DHCPv6 Server
Request(IA_NA)Relay-Forw(Request(IA_NA))
Relay-Repl(Advertise(IA_NA(addr)))Advertise(IA_NA(addr))
Relay-Repl(Reply(IA_NA(addr)))
Solicit(IA_NA)Relay-Forw(Solicit(IA_NA))
Reply(IA_NA(addr))
Address Assigned
Shutdown , link down , Release
Timer Expiring
Renew(IA_NA(addr))Relay-Forw(Renew(IA_NA(addr)))
Reply(IA_NA(addr))
Release(IA_NA(addr))Relay-Forw(Release(IA_NA(addr)))
Reply(IA_NA(addr))
Relay-Repl(Reply(IA_NA(addr)))
Relay-Repl(Reply(IA_NA(addr)))
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 36
CNR/W2K8—DHCPv6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 37
IPv6 General Prefix
Provides an easy/fast way to deploy prefix changes
Example:2001:db8:cafe::/48 = General Prefix
Fill in interface specific fields after prefix
“ESE ::11:0:0:0:1” = 2001:db8:cafe:11::1/64ipv6 unicast-routing
ipv6 cef
ipv6 general-prefix ESE 2001:DB8:CAFE::/48
!
interface GigabitEthernet3/2
ipv6 address ESE ::2/126
!
interface GigabitEthernet1/2
ipv6 address ESE ::E/126
interface Vlan11
ipv6 address ESE ::11:0:0:0:1/64
!
interface Vlan12
ipv6 address ESE ::12:0:0:0:1/64
Global unicast address(es):
2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 38
DNS Basic Steps - 1
Add AAAA records in your DNS server for the hostnames of the devices that can be reached through the IPv6 protocol.
Add pointer (PTR) records in your DNS server for the IP addresses of the devices that can be reached through the IPv6 protocol.
Enable IPv6 access to the authoritative DNS servers. Be sure that TCP/53 and UDP/53 can be accessed through IPv6.
Enable IPv6 connectivity to the external full-service resolvers that send DNS queries to authoritative servers in the world.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 39
DNS Basic Steps - 2
Make sure that the full-service resolver is configured with both IPv4 and IPv6 glue for the root servers in the world.
Enable IPv6 on the recursive resolver so that it responds to DNS requests over IPv6 as well as IPv4.
Enable IPv6 on the node that sends queries so that it can send DNS requests to the recursive resolver.
Configure the stub resolver on the node that sends queries so that it uses IPv6 to send DNS queries, either statically or using Dynamic Host Configuration Protocol Version 6 (DHCPv6).
Review policies for flows and make sure that both TCP/53 and UDP/53 can be accessed over IPv4 and IPv6
General Network Considerations
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 41
HSRP for IPv6
Many similarities with HSRP for IPv4
Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
No need to configure GW on hosts (RAs are sent from HSRP active router)
Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
IPv6 Virtual MAC range:0005.73A0.0000 - 0005.73A0.0FFF
(4096 addresses)
HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
track 2 interface FastEthernet0/0 line-protocol
interface FastEthernet0/1
ipv6 address 2001:DB8:66:67::2/64
standby version 2
standby 2 ipv6 autoconfig
standby 2 timers msec 250 msec 800
standby 2 preempt
standby 2 preempt delay minimum 180
standby 2 authentication cisco
standby 2 track 2 decrement 10
HSRP
StandbyHSRP
Active
Host with GW of Virtual IP
#route -A inet6 | grep ::/0 | grep eth2
::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 42
IPv6 Multicast Availability
Multicast Listener Discovery (MLD)
Equivalent to IGMP
PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast
RP Deployment: Static, Embedded
Host Multicast Control via MLD
RPDR DRS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 43
Multicast Listener Discovery: MLDMulticast Host Membership Control
MLD is equivalent to IGMP in IPv4
MLD messages are transported over ICMPv6
MLD uses link local source addresses
MLD packets use ―Router Alert‖ in extension header (RFC2711)
Version number confusion:
MLDv1 (RFC2710) like IGMPv2 (RFC2236)
MLDv2 (RFC3810) like IGMPv3 (RFC3376)
MLD snooping
Host Multicast Control via MLD
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 44
IPv6 QoS Policy & Syntax
Unified QoS Policy (v4/v6 in same policy) or separate?
IPv4 syntax has used ―ip‖ following match/set statements
Example: match ip dscp, set ip dscp
Modification in QoS syntax to support IPv6 and IPv4
New match criteria
match dscp — Match DSCP in v4/v6
match precedence — Match Precedence in v4/v6
New set criteria
set dscp — Set DSCP in v4/v6
set precedence — Set Precedence in v4/v6
Additional support for IPv6 does not always require new Command Line Interface (CLI)
Example—WRED
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 45
Scalability and Performance
IPv6 Neighbor Cache = ARP for IPv4
In dual-stack networks the first hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries
ARP entry for host in the campus distribution layer:
Internet 10.120.2.200 2 000d.6084.2c7a ARPA
Vlan2
IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
Full internet route tables—ensure to account for TCAM/memory requirements for both IPv4/IPv6—not all vendors can properly support both
Multiple routing protocols—IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present
Control plane impact when using tunnels—terminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)
Infrastructure DeploymentStart Here: Cisco IOS Software Release Specifics for IPv6 Features
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 47
Tunneling
Services
Connect Islands of IPv6 or IPv4
IPv4 over IPv6 IPv6 over IPv4
IPv6 Co-existence Solutions
Dual Stack
Recommended Enterprise Co-existence strategy
Translation Services
Connect to the IPv6 community
IPv4
IPv6
Business Partners
Internet consumers
Remote Workers
International Sites
Government Agencies
IPv6
IPv4
CampusDeploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 49
Campus IPv6 DeploymentThree Major Options
Dual-stack—The way to go for obvious reasons: performance, security, QoS, multicast and management
Layer 3 switches should support IPv6 forwarding in hardware
Hybrid—Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
Pro—Leverage existing gear and network design (traditional L2/L3 and routed access)
Con—Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast
IPv6 Service Block—A new network block used for interim connectivity for IPv6 overlay network
Pro—Separation, control and flexibility (still supports traditional L2/L3 and routed access)
Con—Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 50
Campus IPv6 Deployment OptionsDual-Stack IPv4/IPv6
Dual Stack = Two protocols running at the same time (IPv4/IPv6)
#1 requirement—switching/ routing platforms must support hardware based forwarding for IPv6
3560/3750* +
4500 Sup6E +
6500 Sup32/720 +
IPv6 is transparent on L2 switches but consider:
L2 multicast—MLD snooping
IPv6 management—Telnet/SSH/HTTP/SNMP
Intelligent IP services on WLAN
Expect to run the same IGPs as with IPv4
Dual-stackServer
L2/L3
v6-Enabled
v6-Enabled
v6-Enabled
v6-Enabled
IPv6/IPv4 Dual Stack Hosts
v6-Enabled
v6-Enabled
Aggregation Layer (DC)
Access Layer (DC)
Access Layer
Distribution Layer
Core Layer
Du
al S
tack
Du
al S
tack
*check HW limitations in non-E/X/C series
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 51
Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
description To 6k-core-right
ipv6 address 2001:DB8:CAFE:1105::A001:1010/64
ipv6 eigrp 10
ipv6 hello-interval eigrp 10 1
ipv6 hold-time eigrp 10 3
ipv6 authentication mode eigrp 10 md5
ipv6 authentication key-chain eigrp 10 eigrp
!
interface GigabitEthernet1/0/2
description To 6k-core-left
ipv6 address 2001:DB8:CAFE:1106::A001:1010/64
ipv6 eigrp 10
ipv6 hello-interval eigrp 10 1
ipv6 hold-time eigrp 10 3
ipv6 authentication mode eigrp 10 md5
ipv6 authentication key-chain eigrp 10 eigrp
interface Vlan4
description Data VLAN for Access
ipv6 address 2001:DB8:CAFE:4::2/64
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
ipv6 eigrp 10
standby version 2
standby 2 ipv6 autoconfig
standby 2 timers msec 250 msec 750
standby 2 priority 110
standby 2 preempt delay minimum 180
standby 2 authentication ese
!
ipv6 router eigrp 10
no shutdown
router-id 10.122.10.10
passive-interface Vlan4
passive-interface Loopback0
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 52
Distribution Layer: Example with ULAand General Prefix feature
ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53
ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
description To 6k-core-right
ipv6 address ULA-CORE ::3:0:0:0:D63/64
ipv6 eigrp 10
ipv6 hello-interval eigrp 10 1
ipv6 hold-time eigrp 10 3
ipv6 authentication mode eigrp 10 md5
ipv6 authentication key-chain eigrp 10 eigrp
ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
!
interface GigabitEthernet1/0/2
description To 6k-core-left
ipv6 address ULA-CORE ::C:0:0:0:D63/64
ipv6 eigrp 10
ipv6 hello-interval eigrp 10 1
ipv6 hold-time eigrp 10 3
ipv6 authentication mode eigrp 10 md5
ipv6 authentication key-chain eigrp 10 eigrp
ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
interface Vlan4
description Data VLAN for Access
ipv6 address ULA-ACC ::D63/64
ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp relay destination fd9c:58ed:7d73:811::9
ipv6 eigrp 10
standby version 2
standby 2 ipv6 autoconfig
standby 2 timers msec 250 msec 750
standby 2 priority 110
standby 2 preempt delay minimum 180
standby 2 authentication ese
!
ipv6 router eigrp 10
no shutdown
router-id 10.122.10.10
passive-interface Vlan4
passive-interface Loopback0
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 53
Access Layer: Dual Stack (Routed Access)
ipv6 unicast-routing
ipv6 cef
!
interface GigabitEthernet1/0/25
description To 6k-dist-1
ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64
no ipv6 redirects
ipv6 nd suppress-ra
ipv6 ospf network point-to-point
ipv6 ospf 1 area 2
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
ipv6 cef
!
interface GigabitEthernet1/0/26
description To 6k-dist-2
ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64
no ipv6 redirects
ipv6 nd suppress-ra
ipv6 ospf network point-to-point
ipv6 ospf 1 area 2
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
ipv6 cef
interface Vlan2
description Data VLAN for Access
ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
ipv6 ospf 1 area 2
ipv6 cef
!
ipv6 router ospf 1
router-id 10.120.2.1
log-adjacency-changes
auto-cost reference-bandwidth 10000
area 2 stub no-summary
passive-interface Vlan2
timers spf 1 5
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 54
Distribution Layer: Dual Stack (Routed Access)
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef distributed
!
interface GigabitEthernet3/1
description To 3750-acc-1
ipv6 address 2001:DB8:CAFE:1100::A001:1010/64
no ipv6 redirects
ipv6 nd suppress-ra
ipv6 ospf network point-to-point
ipv6 ospf 1 area 2
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
ipv6 cef
!
interface GigabitEthernet1/2
description To 3750-acc-2
ipv6 address 2001:DB8:CAFE:1103::A001:1010/64
no ipv6 redirects
ipv6 nd suppress-ra
ipv6 ospf network point-to-point
ipv6 ospf 1 area 2
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
ipv6 cef
ipv6 router ospf 1
auto-cost reference-bandwidth 10000
router-id 10.122.0.25
log-adjacency-changes
area 2 stub no-summary
passive-interface Vlan2
area 2 range 2001:DB8:CAFE:xxxx::/xx
timers spf 1 5
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 55
Campus IPv6 Deployment OptionsHybrid Model
Plan ―B‖ if Layer 3 device can‘t support IPv6 but you have to get IPv6 over it
Offers IPv6 connectivity via multiple options
Dual-stack
Configured tunnels—L3-to-L3
ISATAP—Host-to-L3
Leverages existing network
Offers natural progression to full dual-stack design
May require tunneling to less-than-optimal layers (i.e. core layer)
Any sizable deployment will be an operational management challenge
ISATAP creates a flat network (all hosts on same tunnel are peers)
Provides basic HA of ISATAP tunnels via old Anycast-RP idea
Dual-stackServer
L2/L3
v6-Enabled
NOT v6-Enabled
v6-Enabled
NOT v6-Enabled
IPv6/IPv4 Dual Stack Hosts
v6-Enabled
v6-Enabled
ISA
TA
P
ISA
TA
P
Aggregation Layer (DC)
Access Layer (DC)
Access Layer
Distribution Layer
Core Layer
Du
al S
tack
Du
al S
tack
Legacy Design
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 56
DistributionLayer
AccessLayer
CoreLayer
AggregationLayer (DC)
AccessLayer (DC)
IPv6/IPv4Dual-stack
Server
IPv6/IPv4 Dual-stack Hosts
Data CenterBlock
AccessBlock
IPv6 and IPv4 Enabled
1
1
2
2
Campus Hybrid Model 1QoS
1. Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point—QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress
2. The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These polices may include trust (ingress), policing (ingress) and queuing (egress)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 57
IPv6 ISATAP ImplementationISATAP Host Considerations
ISATAP is available on Windows XP, Windows 2003, Vista/W7/Server 2008, port for Linux
If Windows host does not detect IPv6 capabilities on the physical interface then an effort to use ISATAP is started
Can learn of ISATAP routers via DNS ―A‖ record lookup ―isatap‖ or via static configuration
If DNS is used then Host/Subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAP
Two or more ISATAP routers can be added to DNS and ISATAP will determine which one to use and also fail to the other one upon failure of first entry
If DNS zoning is used within the enterprise then ISATAP entries for different routers can be used in each zone
In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel
Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 58
Highly Available ISATAP DesignTopology
ISATAP tunnels from PCs in access layer to core switches
Redundant tunnels to core or service block
Use IGP to prefer one core switch over another (both v4 and v6 routes)—deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel)
Works like Anycast-RP with IPmc
Primary ISATAP Tunnel
Secondary ISATAP Tunnel
IPv6 Server
v6-Enabled v6-Enabled
NOT v6-Enabled
v6-Enabled
v6-Enabled
PC1 - Red VLAN 2 PC2 - Blue VLAN 3
NOT v6-Enabled
Du
al S
tack
Du
al S
tack
Aggregation Layer (DC)
Access Layer (DC)
Access Layer
Distribution Layer
Core Layer
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 59
IPv6 Campus ISATAP ConfigurationRedundant Tunnels
interface Tunnel2
ipv6 address 2001:DB8:CAFE:2::/64 eui-64
no ipv6 nd suppress-ra
ipv6 ospf 1 area 2
tunnel source Loopback2
tunnel mode ipv6ip isatap
!
interface Tunnel3
ipv6 address 2001:DB8:CAFE:3::/64 eui-64
no ipv6 nd suppress-ra
ipv6 ospf 1 area 2
tunnel source Loopback3
tunnel mode ipv6ip isatap
!
interface Loopback2
description Tunnel source for ISATAP-VLAN2
ip address 10.122.10.102 255.255.255.255
!
interface Loopback3
description Tunnel source for ISATAP-VLAN3
ip address 10.122.10.103 255.255.255.255
interface Tunnel2
ipv6 address 2001:DB8:CAFE:2::/64 eui-64
no ipv6 nd suppress-ra
ipv6 ospf 1 area 2
ipv6 ospf cost 10
tunnel source Loopback2
tunnel mode ipv6ip isatap
!
interface Tunnel3
ipv6 address 2001:DB8:CAFE:3::/64 eui-64
no ipv6 nd suppress-ra
ipv6 ospf 1 area 2
ipv6 ospf cost 10
tunnel source Loopback3
tunnel mode ipv6ip isatap
!
interface Loopback2
ip address 10.122.10.102 255.255.255.255
delay 1000
!
interface Loopback3
ip address 10.122.10.103 255.255.255.255
delay 1000
ISATAP Primary ISATAP Secondary
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 60
IPv6 Campus ISATAP ConfigurationIPv4 and IPv6 Routing—Options
To influence IPv4 routing to prefer one ISATAP tunnel source over another—alter delay/cost or mask length
Lower timers (timers spf, hello/hold, dead) to reduce convergence times
Use recommended summarization and/or use of stubs to reduce routes and convergence times
router eigrp 10
eigrp router-id 10.122.10.3
ipv6 router ospf 1
router-id 10.122.10.3
IPv4—EIGRP
IPv6—OSPFv3
interface Loopback2
ip address 10.122.10.102 255.255.255.255
delay 1000
interface Loopback2
ip address 10.122.10.102 255.255.255.254
ISATAP Secondary—Bandwidth adjustment
Set RID to ensure
redundant loopback
addresses do not cause
duplicate RID issues
ISATAP Secondary—Longest-match adjustment
interface Loopback2
ip address 10.122.10.102 255.255.255.255
ISATAP Primary—Longest-match adjustment
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 61
Distribution Layer RoutesPrimary/Secondary Paths to ISATAP Tunnel Sources
acc-2
acc-1
dist-2
dist-1
core-2
core-1
VLAN 210.120.2.0/24
Loopback 2—10.122.10.102Used as SECONDARY ISATAP tunnel source
Loopback 2—10.122.10.102Used as PRIMARY ISATAP tunnel source
Preferred route to 10.122.10.102
dist-1#show ip route | b 10.122.10.102/32
D 10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27
Before Failure
Preferred route to 10.122.10.102 on FAILURE
dist-1#show ip route | b 10.122.10.102/32
D 10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28
After Failure
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 62
IPv6 Campus ISATAP ConfigurationISATAP Client Configuration
C:\>netsh int ipv6 isatap set router 10.122.10.103
Ok.
int lo310.122.10.103
int tu3
int lo310.122.10.103
10.120.3.101
int tu3
Tunnel adapter Automatic Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2
Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
interface Tunnel3
ipv6 address 2001:DB8:CAFE:3::/64 eui-64
no ipv6 nd suppress-ra
ipv6 eigrp 10
tunnel source Loopback3
tunnel mode ipv6ip isatap
!
interface Loopback3
description Tunnel source for ISATAP-VLAN3
ip address 10.122.10.103 255.255.255.255
New tunnel comes up
when failure occurs
Windows XP/Vista/W7 Host
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 63
IPv6 Configured TunnelsThink GRE or IP-in-IP Tunnels
Encapsulating IPv6 into IPv4
Used to traverse IPv4 only devices/links/networks
Treat them just like standard IP links (only insure solid IPv4 routing/HA between tunnel interfaces)
Provides for same routing, QoS, multicast as with dual-stack
In HW, performance should be similar to standard tunnels Aggregation
Core
Distribution
Access
Tu
nn
el
Tu
nn
el
interface Tunnel0
ipv6 cef
ipv6 address 2001:DB8:CAFE:13::1/127
ipv6 eigrp 10
tunnel source Loopback3
tunnel destination 172.16.2.1
tunnel mode ipv6ip
interface GigabitEthernet1/1
ipv6 address 2001:DB8:CAFE:13::4/127
ipv6 eigrp 10
ipv6 cef
!
interface Loopback3
ip address 172.16.1.1 255.255.255.252
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 64
mls ipv6 acl compress address unicast
mls qos
!
class-map match-all CAMPUS-BULK-DATA
match access-group name BULK-APPS
class-map match-all CAMPUS-TRANSACTIONAL-DATA
match access-group name TRANSACTIONAL-APPS
!
policy-map IPv6-ISATAP-MARK
class CAMPUS-BULK-DATA
set dscp af11
class CAMPUS-TRANSACTIONAL-DATA
set dscp af21
class class-default
set dscp default
!
ipv6 access-list BULK-APPS
permit tcp any any eq ftp
permit tcp any any eq ftp-data
!
ipv6 access-list TRANSACTIONAL-APPS
permit tcp any any eq telnet
permit tcp any any eq 22
ipv6 access-list BULK-APPS
permit tcp any any eq ftp
permit tcp any any eq ftp-data
!
ipv6 access-list TRANSACTIONAL-APPS
permit tcp any any eq telnet
permit tcp any any eq 22
!
interface GigabitEthernet2/1
description to 6k-agg-1
mls qos trust dscp
service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/2
description to 6k-agg-2
mls qos trust dscp
service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/3
description to 6k-core-1
mls qos trust dscp
service-policy output IPv6-ISATAP-MARK
Campus Hybrid Model 1QoS Configuration Sample—Core Layer
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 65
Campus IPv6 Deployment OptionsIPv6 Service Block—Rapid Deployment/Pilot
Provides ability to rapidly deploy IPv6 services without touching existing network
Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
Get lots of operational experience with limited impact to existing environment – Ideal for Pilot
Similar challenges as Hybrid Model –Lots of tunneling
Configurations are very similar to the Hybrid Model
ISATAP tunnels from PCs in access layer to service block switches (instead of core layer—Hybrid)
1) Leverage existing ISP block for both IPv4 and IPv6 access
2) Use dedicated ISP connection just for IPv6—Can use IOS Zone FW or ASA
Primary ISATAP Tunnel
Secondary ISATAP Tunnel
ISATAP
IPv6 Service Block
Inte
rne
t
Dedicated FW
IOS FW
Data Center Block
VLAN 2
WAN/ISP Block
IPv4-onlyCampusBlock
AggLayer
VLAN 3
2
1
AccessLayer
Dist.Layer
CoreLayer
AccessLayer
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 66
Cisco VSS – DSM / Hybrid / Service Block
Cisco VSS offers a greatly simplified configuration and extremely fast convergence for IPv6 deployment
Dual stack – Place VSS pair in distribution and/or core layers – HA and simplified/reduced IPv6 configuration
Hybrid model – If terminating tunnels against VSS (i.e. VSS at core layer), MUCH easier to configure tunnels for HA as only one tunnel configuration is needed
Service Block – Use VSS as the SB pair – again, GREATLY simplified configuration and decrease convergence times!!
Data Center/Internet Edge
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 68
IPv6 Data Center Integration
Route/Switch design will be similar to campus based on feature, platform and connectivity similarities – Nexus, 6500 4900M
The single most overlooked and potentially complicated area of IPv6 deployment
IPv6 for SAN (FCIP, iSCSI, Management)
Stuff people don‘t think about:
NIC Teaming, iLO, DRAC, IP KVM, Clusters
Innocent looking Server OS upgrades – Windows Server 2008 - Impact on clusters – Microsoft Server 2008 Failover clusters full support IPv6 (and L3)
Internet-facing Data Center
Most of the internal and Internet DC considerations are the same
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 69
IPv6 Configuration on Nexus
IP-is-IP – minor syntax changes based on different platforms between campus & data center
Check for the features you need, platform support, performance capabilities
Same stuff you do for any new platform you invest in
interface Vlan114
no shutdown
description Outside FW VLAN
ipv6 address 2001:0db8:cafe:0114::0002/64
hsrp version 2
hsrp 114 ipv6
preempt delay minimum 180
timers 1 3
ip autoconfig
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 70
iSCSI/VRRP for IPv6 Same configuration requirements and operation as with IPv4
Can use automatic preemption—configure VR address to be the same as physical interface of ―primary‖
Host-side HA uses NIC teaming (see slides for NIC teaming)
Support for iSCSI with IPsec
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 71
iSCSI IPv6 Example—MDSInitiator/Target
iscsi virtual-target name iscsi-atto-target
pWWN 21:00:00:10:86:10:46:9c
initiator iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com permit
iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
static pWWN 24:01:00:0d:ec:24:7c:42
vsan 1
zone default-zone permit vsan 1
zone name iscsi-zone vsan 1
member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
member pwwn 21:00:00:10:86:10:46:9c
member pwwn 24:01:00:0d:ec:24:7c:42
member symbolic-nodename iscsi-atto-target
zone name Generic vsan 1
member pwwn 21:00:00:10:86:10:46:9c
zoneset name iscsi_zoneset vsan 1
member iscsi-zone
zoneset name Generic vsan 1
member Generic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 72
interface GigabitEthernet2/1
ipv6 address 2001:db8:cafe:12::5/64
no shutdown
vrrp ipv6 1
address 2001:db8:cafe:12::5
no shutdown
interface GigabitEthernet2/1
ipv6 address 2001:db8:cafe:12::6/64
no shutdown
vrrp ipv6 1
address 2001:db8:cafe:12::5
no shutdown
MDS-1 MDS-2
mds-1# show vrrp ipv6 vr 1
Interface VR IpVersion Pri Time Pre State VR IP addr
------------------------------------------------------------------
GigE2/1 1 IPv6 255 100cs master 2001:db8:cafe:12::5
mds-2# show vrrp ipv6 vr 1
Interface VR IpVersion Pri Time Pre State VR IP addr
------------------------------------------------------------------
GigE2/1 1 IPv6 100 100cs backup 2001:db8:cafe:12::5
iSCSI/VRRP IPv6 Example—MDSInterface
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 73
iSCSI Initiator Example—W2K8 IPv6
iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
interface GigabitEthernet2/1
ipv6 address 2001:db8:cafe:12::5/64
mds9216-1# show fcns database vsan 1
VSAN 1:
---------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
---------------------------------------------------------------------
0x670400 N 21:00:00:10:86:10:46:9c scsi-fcp:target
0x670405 N 24:01:00:0d:ec:24:7c:42 (Cisco) scsi-fcp:init isc..w
1
2
3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 74
SAN-OS 3.x—FCIP(v6)
fcip profile 100
ip address 2001:db8:cafe:50::1
tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
use-profile 100
peer-info ipaddr 2001:db8:cafe:50::2
!
interface GigabitEthernet2/2
ipv6 address 2001:db8:cafe:50::1/64
fcip profile 100
ip address 2001:db8:cafe:50::2
tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
use-profile 100
peer-info ipaddr 2001:db8:cafe:50::1
!
interface GigabitEthernet2/2
ipv6 address 2001:db8:cafe:50::2/64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 75
Data Center NIC Teaming IssueWhat Happens If IPv6 Is Unsupported?
Interface 10: Local Area Connection #VIRTUAL TEAM INTERFACE
Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Public Preferred 29d23h58m41s 6d23h58m41 2001:db8:cafe:10:20d:9dff:fe93:b25d
netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.
netsh interface ipv6>sh add
Querying active state...
Interface 10: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Manual Duplicate infinite infinite 2001:db8:cafe:10::7
Public Preferred 29d23h59m21s 6d23h59m21s 2001:db8:cafe:10:20d:9dff:fe93:b25d
Auto-configuration
Static configuration
Note: Same Issue Applies to Linux
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 76
Intel ANS NIC Teaming for IPv6
Intel IPv6 NIC Q&A—Product support
http://www.intel.com/support/network/sb/cs-009090.htm
Intel now supports IPv6 with Express, ALB, and AFT deployments
Intel statement of support for RLB—―Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.‖
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 77
Interim Hack for Unsupported NICs
Main issue for NICs with no IPv6 teaming support is DAD—Causes duplicate checks on Team and Physical even though the physical is not used for addressing
Set DAD on Team interface to ―0‖—Understand what you are doing
Microsoft Vista/W7/Server 2008 allows for a command line change to reduce the ―DAD transmits‖ value from 1 to 0
netsh interface ipv6 set interface 19 dadtransmits=0
Microsoft Windows 2003—Value is changed via a creation in the registry
\\HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\(InterfaceGUID)\DupAddrDetectTransmits - Value ―0‖
Linux# sysctl -w net/ipv6/conf/bond0/dad_transmits=0
net.ipv6.conf.eth0.dad_transmits = 0
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 78
Intel NIC Teaming—IPv6 (Pre Team)
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Autoconfiguration IP Address. . . : 169.254.25.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11
Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11
Ethernet adapter LAN:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.89.4.230
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12
Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 79
Intel NIC Teaming—IPv6 (Post Team)
Ethernet adapter TEAM-1:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.89.4.230
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13
Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13
Interface 13: TEAM-1
Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Public Preferred 4m11s 4m11s 2001:db8:cafe:1::2
Link Preferred infinite infinite fe80::204:23ff:fec7:b0d6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 80
IPv6 in the Enterprise Data CenterBiggest Challenges Today
Application support for IPv6 – Know what you don‘t know
If an application is protocol centric (IPv4):
Needs to be rewritten
Needs to be translated until it is replaced
Wait and pressure vendors to move to protocol agnostic framework
Deployment of translation
NAT64 (Stateful for most enterprises)
Apache Reverse Proxy
Windows Port Proxy
3rd party proxy solutions
Network services above L3 (A short-term challenge)
SLB, SSL-Offload, application monitoring (probes)
Application Optimization
High-speed security inspection/perimeter protection
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 81
Commonly Deployed IPv6-enabled OS/Apps
Operating Systems
Windows 7
Windows Server 2008/R2
SUSE
Red Hat
Ubuntu
The list goes on
Virtualization & Applications
VMware vSphere 4.1
Microsoft Hyper-V
Microsoft Exchange 2007 SP1/2010
Apache/IIS Web Services
Windows Media Services
Multiple Line of Business apps
Most commercial applications won‘t be your problem
– it will be the custom/home-grown apps
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 82
ACE + IPv6 / ASR + NAT64
ACE SLB66v6
v6
SW coming (ACE30, ACE4710)
v6 v6
v4 server
v6
v4
Stateful NAT64 + SLB44
ACE SLB64
SW coming (ACE30, ACE4710)
v6 v4v4
v4
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 83
NAT64
Lots of RFCs to check out:
RFC 6144 – Framework for IPv4/IPv6 Translation
RFC 6052 – IPv6 Addressing of IPv4/IPv6 Translators
RFC 6145 – IP/ICMP Translation Algorithm
RFC 6146 – Stateful NAT64
RFC 6147 – DNS64
Stateless – Not your friend in the enterprise (corner case deployment)
1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts-to-254 IPv4 hosts)
Requires the IPv6-only hosts to use an ―IPv4 translatable‖ address format
Stateful – What we are after for translating IPv6-only hosts to IPv4-only host(s)
It is what it sounds like – keeps state between translated hosts
Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc…)
This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 84
Stateful NAT64 – Example TopologyStatic Example
8
4
IPv6 Host:
2001:db8:c150:10::16
10.121.12.70
DMZ/DC
ASR
G0/0/0:
2001:DB8:CAFE:5555::1/64
G0/0/1:
10.121.220.1/24
interface GigabitEthernet0/0/0
description to 6k-dmz-1 Outside
no ip address
ipv6 address 2001:DB8:CAFE:5555::1/64
ipv6 eigrp 10
nat64 enable
!
interface GigabitEthernet0/0/1
description to 6k-dmz-1 Inside
ip address 10.121.220.1 255.255.255.0
nat64 enable
ipv6 access-list EDGE_ACL
permit ipv6 any host 2001:DB8:CAFE:BEEF::46
permit ipv6 any host 2001:DB8:CAFE:BEEF::48
!
nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96
nat64 v4 pool EDGE 10.121.55.1 10.121.55.1
nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46
nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::48
nat64 v6v4 list EDGE_ACL pool EDGE overload
Internet
10.121.13.52
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 85
NAT64 TranslationsASR1k#sh nat64 translations
Proto Original IPv4 Translated IPv4
Translated IPv6 Original IPv6
----------------------------------------------------------------------------
--- 10.121.13.52 2001:db8:cafe:beef::48
--- ---
--- 10.121.12.70 2001:db8:cafe:beef::46
--- ---
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1030 [2001:db8:cafe:10::16]:53601
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1029 [2001:db8:cafe:10::16]:53600
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1028 [2001:db8:cafe:10::16]:53599
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1024 [2001:db8:cafe:10::16]:53593
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1025 [2001:db8:cafe:10::16]:53596
tcp 10.121.12.70:443 [2001:db8:cafe:beef::46]:443
10.121.55.1:1026 [2001:db8:cafe:10::16]:53597
tcp 10.121.12.70:80 [2001:db8:cafe:beef::46]:80
10.121.55.1:1027 [2001:db8:cafe:10::16]:53598
Total number of translations: 9
Static
Entries
Dynamic
Overloaded
Entries
Reference
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 86
NAT64 StatisticsASR1k#show nat64 statistics
Total active translations: 6 (3 static, 3 dynamic; 3 extended)
Sessions found: 171
Sessions created: 3
Global Stats:
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 100
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 74
Interface Statistics
GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 74
GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
Packets translated (IPv4 -> IPv6)
Stateful: 100
Dynamic Mapping Statistics
v6v4
access-list EDGE_ACL pool EDGE refcount 3
pool EDGE:
start 10.121.55.1 end 10.121.55.1
total addresses 1, allocated 1 (100%)*Output reduced for clarity
Reference
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 87
Apache2 Reverse Proxy
<VirtualHost *:80>
ProxyPass / http://10.121.11.60:80/
ProxyPassReverse / http://10.121.11.60:80/
IPv4-only Web Server
Apache One-Arm
2001:db8:cafe:12::5
10.121.11.125
Apache Dual-Attached
TCP [2001:db8:beef:10::16]:54640 [2001:db8:cafe:12::5]:80 ESTABLISHED
TCP [2001:db8:beef:10::16]:54641 [2001:db8:cafe:12::5]:80 ESTABLISHED
Netstat - Client
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.121.11.125:40475 10.121.11.60:80 ESTABLISHED
tcp 0 0 10.121.11.125:40476 10.121.11.60:80 ESTABLISHED
tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54640 ESTABLISHED
tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54641 ESTABLISHED
Netstat - Proxy
TCP 10.121.11.60:80 10.121.11.125:40475 ESTABLISHED
TCP 10.121.11.60:80 10.121.11.125:40476 ESTABLISHED
Netstat - Server
2001:db8:beef:10::16
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 88
Microsoft Windows PortProxy
Can be treated like an appliance
One-arm
Dual-attached (better perf)
Outside traffic comes in on IPv6—PortProxy to v4 (VIP address on ACE)
Traffic is IPv4 to serverIPv4-only Web Server
PortProxy One-Arm
2001:db8:cafe:12::25
10.121.12.25
ACE PortProxy Dual-Attached
VIP=10.121.5.20
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 89
PortProxy Configuration/Monitoring
adsfnetsh interface portproxy>sh all
Listen on ipv6: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
2001:db8:cafe:12::25 80 10.121.5.20 80
Active Connections
Proto Local Address Foreign Address State
TCP 10.121.12.25:58141 10.121.5.20:http ESTABLISHED
TCP [2001:db8:cafe:12::25]:80 [2001:db8:cafe:10::17]:52047 ESTABLISHED
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
14 1 in TCP 5 10.121.12.25:58573 10.121.5.20:80 ESTAB
13 1 out TCP 5 10.121.14.15:80 10.121.5.12:1062 ESTAB
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 90
PortProxy PerformanceThroughput Example
0
50
100
150
200
250
download-1gig (1.2G)
247.2
192206.4
Thro
ugh
pu
t (M
bp
s)
HTTP Throughput Comparison - Direct vs. PortProxy
Direct v6-v6
PortProxy v6v4
PortProxy v6v6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 91
PortProxy PerformanceCPU Utilization on PortProxy Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 92
Dual Stack the Internet Edge
Dual stack the same network you have
If not, do just enough IPv6-only to get you going
Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
ISP 1 ISP 2
Internet
Enterprise Core
DMZ/Server Farm
Web, Email, Other
Internal Enterprise
Edge Router
Outer Switch
Security Services
Inner switching/ SLB/Proxy/ Compute
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 93
What if I Can‘t Dual Stack My Edge?
IPv6
Internet
IPv4-only Host
Server Load Balancer Stateful NAT64
IPv6
IPv4
IPv6
Internet
IPv4-only Host
IPv6
IPv4
IPv6
Internet
IPv4-only Host
Proxy
IPv6
IPv4
-Apache
-MSFT
PortProxy
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 94
Internet Edge - to - ISPBoatloads of optionsSingle Link
Single ISPDual Links
Single ISP
Multi-Homed
Multi-Region
Enterprise
ISP 1
Default
Route
Enterprise
POP1 POP2
ISP 1
Enterprise
ISP 1 ISP2
USA
ISP4
Europe
ISP3
BGP BGPIPv6
TunnelIPv4-only
Your ISP may not have
IPv6 at the local POP
BRKRST-2044 Enterprise Multi-homed Internet Architectures
WAN/BranchDeploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 96
DualStack
SP
Cloud
Corporate
Network
WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time
Dual-stack should be the focus of your implementation—but, some situations still call for tunneling
Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Don‘t assume all features for every technology are IPv6-enabled
Better feature support in WAN/branch than in campus/DC
Dual
Stack
Dual
Stack
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 97
IPv6 Enabled BranchFocus more on the provider and less on the gear
Internet
HQ
Dual-Stack
IPSec VPN (IPv4/IPv6)
Firewall (IPv4/IPv6)
Integrated Switch
(MLD-snooping)
Branch
Single Tier
HQ
Internet Frame
Branch
Dual Tier
Dual-Stack
IPSec VPN or Frame Relay
Firewall (IPv4/IPv6)
Switches (MLD-snooping)
Branch
Multi-Tier
Dual-Stack
IPSec VPN or
MPLS (6PE/6VPE)
Firewall (IPv4/IPv6)
Switches (MLD-snooping)
HQ
MPLS
SP
support
for port-to-
port IPv6?
SP
support
for various
WAN
types?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 98
Hybrid Branch Example
Mixture of attributes from each profile
An example to show configuration for different tiers
Basic HA in critical roles is the goal
HeadquartersBranch
HSRP for IPv6 VIP Address
- FE80::5:73FF:FEA0:2
Primary DMVPN Tunnel
2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed)
2001:DB8:CAFE:20B::/64
2001:DB8:CAFE:1000::/642001:DB8:CAFE:202::/64
WAN
::1::2
::3 ::1
::2
::3
::4
VLAN 101:
2001:DB8:CAFE:1002::/64
::1
VLAN Interfaces:
104 - 2001:DB8:CAFE:1004::/64 – PC
105 - 2001:DB8:CAFE:1005::/64 – Voice
106 - 2001:DB8:CAFE:1006::/64 – Printer
::2
::3
Enterprise
Campus
Data Center
HE2
HE1
BR1-2
BR1-1ASA-1
BR1-LAN
::5::2
::3BR1-LAN-SW
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 99
DMVPN with IPv6 Hub Configuration Example
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
set transform-set HUB
interface Tunnel0
description DMVPN Tunnel 1
ip address 10.126.1.1 255.255.255.0
ipv6 address 2001:DB8:CAFE:20A::1/64
ipv6 mtu 1416
ipv6 eigrp 10
ipv6 hold-time eigrp 10 35
no ipv6 next-hop-self eigrp 10
no ipv6 split-horizon eigrp 10
ipv6 nhrp authentication CISCO
ipv6 nhrp map multicast dynamic
ipv6 nhrp network-id 10
ipv6 nhrp holdtime 600
ipv6 nhrp redirect
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile HUBPrimary DMVPN Tunnel
2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed)
2001:DB8:CAFE:20B::/64
WAN
::1::2
::3 ::1
::2
::3
HE2
HE1
BR1-2
BR1-1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 100
DMVPN with IPv6 Spoke Configuration Example
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
set transform-set SPOKE
interface Tunnel0
description to HUB
ip address 10.126.1.2 255.255.255.0
ipv6 address 2001:DB8:CAFE:20A::2/64
ipv6 mtu 1416
ipv6 eigrp 10
ipv6 hold-time eigrp 10 35
no ipv6 next-hop-self eigrp 10
no ipv6 split-horizon eigrp 10
ipv6 nhrp authentication CISCO
ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
ipv6 nhrp map multicast 172.16.1.1
ipv6 nhrp network-id 10
ipv6 nhrp holdtime 600
ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
ipv6 nhrp shortcut
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile SPOKE
Primary DMVPN Tunnel
2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed)
2001:DB8:CAFE:20B::/64
WAN
::1::2
::3 ::1
::2
::3
HE2
HE1
BR1-2
BR1-1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 101
ASA with IPv6 Snippet of full config – examples of IPv6 usage
name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch
name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server
!
interface GigabitEthernet0/0
description TO WAN
nameif outside
security-level 0
ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5
ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5
!
interface GigabitEthernet0/1
description TO BRANCH LAN
nameif inside
security-level 100
ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2
ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2
!
ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3
ipv6 route outside ::/0 fe80::5:73ff:fea0:2
!
ipv6 access-list v6-ALLOW permit icmp6 any any
ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP
!
failover
failover lan unit primary
failover lan interface FO-LINK GigabitEthernet0/3
failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2
access-group v6-ALLOW in interface outside
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 102
Branch LANConnecting Hosts
ipv6 dhcp pool DATA_W7
dns-server 2001:DB8:CAFE:102::8
domain-name cisco.com
!
interface GigabitEthernet0/0
description to BR1-LAN-SW
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.104
description VLAN-PC
encapsulation dot1Q 104
ip address 10.124.104.1 255.255.255.0
ipv6 address 2001:DB8:CAFE:1004::1/64
ipv6 nd other-config-flag
ipv6 dhcp server DATA_W7
ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
description VLAN-PHONE
encapsulation dot1Q 105
ip address 10.124.105.1 255.255.255.0
ipv6 address 2001:DB8:CAFE:1005::1/64
ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
ipv6 eigrp 10
VLAN Interfaces:
104 - 2001:DB8:CAFE:1004::/64 – PC
105 - 2001:DB8:CAFE:1005::/64 – Voice
106 - 2001:DB8:CAFE:1006::/64 – Printer
BR1-LAN
BR1-LAN-SW
Remote Access
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 104
AnyConnect Client 2.x and higherSSL/TLS or DTLS (datagram TLS = TLS over UDP)
Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4
and IPv6.
InternetClient-based SSL
Cisco Remote VPN – IPv6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 105
AnyConnect 2.x—SSL VPN
Dual-Stack Host
AnyConnect Client
Cisco ASA
asa-edge-1#show vpn-sessiondb svc
Session Type: SVC
Username : ciscoese Index : 14
Assigned IP : 10.123.2.200 Public IP : 10.124.2.18
Assigned IPv6: 2001:db8:cafe:101::101
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 79763 Bytes Rx : 176080
Group Policy : AnyGrpPolicy Tunnel Group: ANYCONNECT
Login Time : 14:09:25 MST Mon Dec 17 2007
Duration : 0h:47m:48s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 106
AnyConnect 2.x—Summary Configuration
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.123.1.4 255.255.255.0
ipv6 enable
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.123.2.4 255.255.255.0
ipv6 address 2001:db8:cafe:101::ffff/64
!
ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200
webvpn
enable outside
svc enable
tunnel-group-list enable
group-policy AnyGrpPolicy internal
group-policy AnyGrpPolicy attributes
vpn-tunnel-protocol svc
default-domain value cisco.com
address-pools value AnyPool
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
address-pool AnyPool
ipv6-address-pool ANYv6POOL
default-group-policy AnyGrpPolicy
tunnel-group ANYCONNECT webvpn-attributes
group-alias ANYCONNECT enable
Outside
Inside 2001:db8:cafe:101::ffff
http://www.cisco.com/en/US/docs/security/vp
n_client/anyconnect/anyconnect20/administra
tive/guide/admin6.html#wp1002258
Communicating with the Service Provider
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 108
Top SP Concerns for Enterprise Accounts
Port to Port Access
Multi-Homing
Content Provisioning
IPv6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 109
Port-to-Port Access
Port to Port Access Multi-Homing
Content Provisioning
IPv6
• Dual-stack or native IPv6 at each POP
• SLA driven just like IPv4 to support VPN, content accessBasic Internet
• 6VPE
• IPv6 Multicast
• End-to-End traceability MPLS
• IPv6 access to hosted content
• Cloud migration (move data from Ent DC to Hosted DC)
Hosted (see content)
*
* = most common issue
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 110
Multi-Homing
Port to Port Access Multi-Homing
Content Provisioning
IPv6
• PA is no good for customers with multiple providers or change them at any pace
• PI is new, constantly changing expectations and no ―guarantee‖ an SP won‘t do something stupid like not route PI space
• Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI
PI/PA Policy Concerns
• Religious debate about the security exposure – not a multi-homing issue
• If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from – no scalable IPv6 NAT exists today
NAT
• Is it really different from what we do today with IPv4? Is this policy stuff?
• Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc.. – this is largely missing today
Routing
*
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 111
Content
Port to Port Access Multi-Homing
Content Provisioning
IPv6
• IPv6 provisioning and access to hosted or cloud-based services today (existing agreements)
• Salesforce.com, Microsoft BPOS (Business Productivity Online Services), Amazon, Google Apps
Hosted/Cloud Apps today
• Movement from internal-only DC services to hosted/cloud-based DC
• Provisioning, data/network migration services, DR/HA
Move to Hosted/Cloud
• Third-party marketing, business development, outsourcing
• Existing contracts – connect over IPv6
Contract/Managed Marketing/Portals
*
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 112
Provisioning
Port to Port Access Multi-Homing
Content Provisioning
IPv6
• Not a lot of information from accounts on this but it does concern them
• How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6
SP Self-Service Portals
• More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA
• Again, how can they do this over IPv6 AND for IPv6 services
SLA*
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 113
IPv6 integration should be managed from a broad architectural / ‗systems-wide‘ perspective…
IPv6 integration is not ‗just a network upgrade‘ but complex endeavour, involving many elements
and capabilities which evolve over time, rather than changing all at once.
Planning and coordination is required from many
across the organisation, including …
Network engineers & operators
Security engineers
Application developers
Desktop (Office Automation) / Server engineers
Web hosting / content developers
Business development managers
…
Moreover, training will be required for all involved
in supporting the various IPv6 based network services
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 114
• ―Dual stack where you can – Tunnel where you must – Translate when you have a gun to your head‖
• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
• Now is your time to build a network your way – don‘t carry the IPv4 mindset forward with IPv6 unless it makes sense
• Deploy it – at least in a lab – IPv6 won‘t bite
"If you don't like change, you're going to like irrelevance even less." - Gen. Shinseki, Chief of Staff, U.S. Army
Conclusion
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 1151
1
Receive 25 Cisco Preferred Access points for each session evaluation you complete.
Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don‘t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Complete Your Online Session Evaluation
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 116
Thank you.
Reference Slides
Reference Slides: Microsoft Windows Vista/Windows 7/Server 2008
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 119
Understand the Behavior of Vista/W7
IPv6 is preferred over IPv4Vista/W7 sends IPv6 NA/NS/RS upon link-up
Attempts DHCP for IPv6
If no DHCP or local RA received with Global or ULA, then try ISATAP
If no ISATAP, then try Teredo
Become familiar with Teredohttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4—http://www.microsoft.com/technet/network/p2p/default.mspx
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 120
In More Detail—Vista/W7 on Link-UpNo Network Services
1. Unspecified address :: Solicited node address NS/DAD
2. Looking for a local router ff02::2 RS
3. Looking for MLD enabled routers ff02::16 MLDv2 report
4. LLMNR for IPv6—ff02::1:3—advertise hostname
5. LLMNR for IPv4—224.0.0.252 from RFC 3927 address
6. No global or ULA received via step 1/2—Try ISATAP
7. Try DHCP for IPv6—ff02::1:2
8. Try DHCP for IPv4
No. Time Source Destination Protocol Info1 0.000000 :: ff02::1:ffae:4361 ICMPv6 Neighbor solicitation2 0.000030 fe80::80aa:fd5:f7ae:4361 ff02::2 ICMPv6 Router solicitation3 0.000080 fe80::80aa:fd5:f7ae:4361 ff02::16 ICMPv6 Multicast Listener Report Message v24 1.155917 fe80::80aa:fd5:f7ae:4361 ff02::1:3 UDP Source port: 49722 Destination port: 53555 1.156683 169.254.67.97 224.0.0.252 UDP Source port: 49723 Destination port: 53556 3.484709 169.254.67.97 169.254.255.255 NBNS Name query NB ISATAP<00>7 126.409530 fe80::80aa:fd5:f7ae:4361 ff02::1:2 DHCPv6 Information-request8 128.886397 0.0.0.0 255.255.255.255 DHCP DHCP Discover—Transaction ID 0x6c8d6efa
fe80::80aa:fd5:f7ae:4361
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 121
IPv4 Network—No IPv6 Network ServicesWhat Does Vista/W7 Try to Do?
No. Time Source Destination Protocol Info13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK - Transaction ID 0x2b8af443
....Bootstrap Protocol
...Your (client) IP address: 10.120.2.2 (10.120.2.2)...Option: (t=3,l=4) Router = 10.120.2.1Option: (t=6,l=4) Domain Name Server = 10.121.11.4Option: (t=15,l=9) Domain Name = "cisco.com"..
No. Time Source Destination Protocol Info70 13.360756 10.120.2.2 10.121.11.4 DNS Standard query A isatap.cisco.com
No. Time Source Destination Protocol Info138 25.362181 10.120.2.2 10.121.11.4 DNS Standard query A teredo.ipv6.microsoft.com
No. Time Source Destination Protocol Info580 296.686197 10.120.2.2 10.120.3.2 TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8581 296.687721 10.120.3.2 10.120.2.2 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152 582 296.687794 10.120.2.2 10.120.3.2 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0583 296.687913 10.120.2.2 10.120.3.2 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0
10.120.2.2 10.120.3.2
ISATAP??
Teredo??
IPv4-only Router
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 122
What Is Teredo?
RFC4380
Tunnel IPv6 through NATs (NAT types defined in RFC3489)Full Cone NATs (aka one-to-one)—Supported by Teredo
Restricted NATs—Supported by Teredo
Symmetric NATs—Supported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NATs
Uses UDP port 3544
Is complex—many sequences for communication and has several attack vectors
Available on:Microsoft Windows XP SP1 w/Advanced Networking Pack
Microsoft Windows Server 2003 SP1
Microsoft Windows Vista/W7 (enabled by default—inactive until application requires it)
Microsoft Server 2008http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
Linux, BSD and Mac OS X—―Miredo‖http://www.simphalempin.com/dev/miredo/
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 123
Teredo Components
Teredo Client—Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
Teredo Server—Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts—Listens on UDP port 3544
Teredo Relay—Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
Teredo Host-Specific Relay—Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 124
Teredo Overview
Teredo server
Teredo relay
NAT
IPv6 over IPv4 traffic
IPv6 traffic
NAT
Teredo client
Teredo
host-specific relay
IPv6-only host
IPv6 or IPv6
over IPv4 traffic
Teredo client
*From Microsoft ―Teredo Overview‖ paper
IPv4 Internet IPv6 Internet
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 125
Teredo Address
Teredo IPv6 prefix (2001::/32—previously was 3FFE:831F::/32)
Teredo Server IPv4 address: global address of the server
Flags: defines NAT type (e.g. Cone NAT)
Obfuscated External Port: UDP port number to be used with the IPv4 address
Obfuscated External Address: contains the global address of the NAT
Teredo prefix
32 bits
Teredo Server IPv4 Address
32 bits
Flags
16 bits
ObfuscatedExternal Address
32 bits
ObfuscatedExternal
Port
16 bits
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 126
Initial Configuration for Client
1. RS message sent from Teredo client to server—RS from LL address with Cone flag set
2. Server responds with RA—RS has Cone flag set—server sends RA from alternate v4 address—if client receives the RA, client is behind cone NAT
3. If RA is not received by client, client sends another RA with Cone flag not set
4. Server responds with RA from v4 address = destination v4 address from RS—if client receives the RA, client is behind restricted NAT
5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server
6. 2nd server sends an RA to client—client compares mapped address and UDP ports in the Origin indicators of the RA received by both servers. If different, then the NAT is mapping same internal address/port to different external address/port and NAT is a symmetric NAT
7. Client constructs Teredo address from RAFirst 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo
server address)
Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)
Next 16 bits are external obscured UDP port from Origin indicator in RA
Last 32 bits are obscured external IP address from Origin indicator in RA
7 2001:0:4136:e37e:0:fbaa:b97e:fe4e
TeredoPrefix
TeredoServer v4
Flags Ext. UDPPort v4
External v4address
TeredoClient NAT
IPv4Internet
1
2
3
4
5
6
TeredoServer 1
TeredoServer 2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 127
What Happens on the Wire—1No. Time Source Destination Protocol Info
15 25.468050 172.16.1.103 151.164.11.201 DNS Standard query A teredo.ipv6.microsoft.com
No. Time Source Destination Protocol Info16 25.481609 151.164.11.201 172.16.1.103 DNS Standard query response A 65.54.227.126 A
65.54.227.127 A 65.54.227.120 A 65.54.227.124
netsh interface ipv6>sh teredoTeredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.comClient Refresh Interval : defaultClient Port : defaultState : qualifiedType : teredo clientNetwork : unmanagedNAT : restricted
netsh interface ipv6>sh teredoTeredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.comClient Refresh Interval : defaultClient Port : defaultState : probe(cone)Type : teredo clientNetwork : unmanagedNAT : cone
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 128
What Happens on the Wire—2No. Time Source Destination Protocol Info
28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitationInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
No. Time Source Destination Protocol Info31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement
Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)Teredo Origin Indication header
Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)
Prefix: 2001:0:4136:e37e::
No. Time Source Destination Protocol Info33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement
Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo Origin Indication header
Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)
Prefix: 2001:0:4136:e37e::
Send RS Cone Flag=1 (Cone NAT), every 4 seconds
If no reply, send Flag=0 (restricted NAT)
Receive RA with Origin header and prefix
Send RS to 2nd
server to check for symmetric NAT
Compare 2nd
RA—Origin port/address from 2nd server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 129
What Happens on the Wire—3No. Time Source Destination Protocol Info82 139.258206 172.16.1.103 151.164.11.201 DNS Standard query AAAA www.kame.net
No. Time Source Destination Protocol Info83 139.530547 151.164.11.201 172.16.1.103 DNS Standard query response AAAA2001:200:0:8002:203:47ff:fea5:3085
No. Time Source Destination Protocol Info96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo requestInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info97 149.405579 fe80::8000:5445:5245:444f 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header
Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo IPv6 over UDP tunneling
Teredo Origin Indication headerOrigin UDP port: 50206Origin IPv4 address: 66.117.47.227 (66.117.47.227)
No. Time Source Destination Protocol Info98 149.405916 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206
No. Time Source Destination Protocol Info99 149.463719 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109
No. Time Source Destination Protocol Info100 149.464100 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206
No. Time Source Destination Protocol Info101 149.789493 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109………
DNS lookup
Response
ICMP to host via Teredo Server
Relay sends Bubble packet to client via server—client receives relay address-port
Packets to/from IPv6 host and client traverse relay
According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sent—being researched:
http://msdn2.microsoft.com/en-us/library/aa965910.aspx
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 130
What Happens on the Wire—3 (Cont.)
Interface 7: Teredo Tunneling Pseudo-Interface
Addr Type DAD State Valid Life Pref. Life Address--------- ---------- ------------ ------------ -----------------------------Public Preferred infinite infinite 2001:0:4136:e37e:0:fbaa:b97e:fe4eLink Preferred infinite infinite fe80::ffff:ffff:fffd
C:\>ping www.kame.net
Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=453msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=288msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 131
Maintaining NAT Mapping
Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT state
Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59—No next header)
No. Time Source Destination Protocol Info35 46.399072 2001:0:4136:e37e:0:fbaa:b97e:fe4e ff02::1 IPv6 IPv6 no next header
Frame 35 (82 bytes on wire, 82 bytes captured)Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)Teredo IPv6 over UDP tunnelingInternet Protocol Version 6
Version: 6Traffic class: 0x00Flowlabel: 0x00000Payload length: 0Next header: IPv6 no next header (0x3b)Hop limit: 21Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4eDestination address: ff02::1
Reference Slides: ISATAP Overview
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 133
Intrasite Automatic Tunnel Address Protocol
RFC 4214
This is for enterprise networks such as corporate and academic networks
Scalable approach for incremental deployment
ISATAP makes your IPv4 infratructure as transport (NBMA) network
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 134
Intrasite Automatic Tunnel Address Protocol
ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network
Supported in Windows XP Pro SP1 and others
Interface
Identifier
(64 bits)
IPv4 Address64-bit Unicast Prefix 0000:5EFE:
32-bit32-bit
Use IANA‘s OUI 00-00-5E and Encode IPv4 Address as Part of EUI-64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 135
IPv6
Network
IPv4 Network ISATAP Router 1
E0
Automatic Advertisement of ISATAP Prefix
ISATAP Tunnel
ISATAP Host A
ICMPv6 Type 133 (RS)
IPv4 Source: 206.123.20.100
IPv4 Destination: 206.123.31.200
IPv6 Source: fe80::5efe:ce7b:1464
IPv6 Destination: fe80::5efe:ce7b:1fc8
Send me ISATAP Prefix ICMPv6 Type 134 (RA)
IPv4 Source: 206.123.31.200
IPv4 Destination: 206.123.20.100
IPv6 Source: fe80::5efe:ce7b:1fc8
IPv6 Destination: fe80::5efe:ce7b:1464
ISATAP Prefix: 2001:db8:ffff :2::/64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 136
Automatic Address Assignment of Host and Router
ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.
206.123.20.100
fe80::5efe:ce7b:1464
2001:db8:ffff:2::5efe:ce7b:1464
206.123.31.200
fe80::5efe:ce7b:1fc8
2001:db8:ffff:2::5efe:ce7b:1fc8
IPv6
Network
IPv4 Network ISATAP Router 1
E0ISATAP Tunnel
ISATAP Host A
Reference Slides: Multicast
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 138
IPv4 and IPv6 Multicast Comparison
Service IPv4 Solution IPv6 Solution
Addressing Range 32-bit, Class D 128-bit (112-bit Group)
RoutingProtocol Independent, All IGPs and MBGP
Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
ForwardingPIM-DM, PIM-SM,
PIM-SSM, PIM-bidir, PIM-BSR
PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group Management IGMPv1, v2, v3 MLDv1, v2
Domain Control Boundary, Border Scope Identifier
Interdomain SolutionsMSDP Across Independent
PIM DomainsSingle RP Within Globally
Shared Domains
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 139
MLDv1: Joining a Group (REPORT)
Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111
ICMPv6 Type: 131
FE80::207:85FF:FE80:692
FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE
rtr-a
Source
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
H1
1
1 Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111
ICMPv6 Type: 131
2
2
H1 sends a REPORT for the group
H2 sends a REPORT for the group
1
2
H2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 140
H1 sends DONE to FF02::2
RTR-A sends Group-Specific Query
H2 sends REPORT for the group 3
1
1 2
MLDv1: Host Management (Group-Specific Query)
FE80::207:85FF:FE80:692
FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE
rtr-a
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
H1
3 REPORT to group
ICMPv6 Type: 131
1
2
Destination:
FF02::2
ICMPv6 Type: 132
Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111
ICMPv6 Type: 130
H2
Source
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 141
Other MLD Operations
Leave/DONE
Last host leaves—sends DONE (Type 132)
Router will respond with group-specific query (Type 130)
Router will use the last member query response interval (Default=1 sec) for each query
Query is sent twice and if no reports occur then entry is removed (2 seconds)
General Query (Type 130)
Sent to learn of listeners on the attached link
Sets the multicast address field to zero
Sent every 125 seconds (configurable)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 142
A Few Notes on Tunnels—
PIM uses tunnels when RPs/sources are known
Source registering (on first-hop router)
Uses virtual tunnel interface (appear in OIL for [S,G])
Created automatically on first-hop router when RP is known
Cisco IOS® keeps tunnel as long as RP is known
Unidirectional (transmit only) tunnels
PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 143
PIM Tunnels (DR-to-RP)
branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:DB8:C003:111E::2 (Serial0/2),
destination 2001:DB8:C003:1116::2
Tunnel protocol/transport PIM/IPv6, key disabled,
sequencing disabled
Checksumming of packets disabled
Tunnel is transmit only
Last input never, output never, output hang never
Last clearing of "show interface" counters never
… output truncated…
branch#show ipv6 pim tunnel
Tunnel1*
Type : PIM Encap
RP : 2001:DB8:C003:1116::2
Source: 2001:DB8:C003:111E::2
RP
L0
Corporate
Network
Source
DR
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 144
PIM Tunnels (RP)
Source registering (on RP) two virtual tunnels are created
One transmit only for registering sources locally connected to the RP
One receive only for decapsulation of incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and RP!
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 145
PIM Tunnels (RP-for-Source)
RP-router#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:DB8:C003:1116::2
(FastEthernet0/0), destination 2001:DB8:C003:1116::2
Tunnel protocol/transport PIM/IPv6, key disabled,
sequencing disabled
Checksumming of packets disabled
Tunnel is receive only
… output truncated…
RP-router#show ipv6 pim tunnel
Tunnel0*
Type : PIM Encap
RP : 2001:DB8:C003:1116::2
Source: 2001:DB8:C003:1116::2
Tunnel1*
Type : PIM Decap
RP : 2001:DB8:C003:1116::2
Source: - RP
L0
Corporate
Network
SourceTu
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 146
Tunneling v6 Multicast
v6 in v4
v6 in v4 most widely usedtunnel mode ipv6ip <----- IS-IS cannot traverse
v6 in v4 GRE (IS-IS can traverse)tunnel mode gre ip
ISATAP/6to4 do not support IPv6 multicast
v6 in v6
v6 in v6 tunnel mode ipv6
v6 in v6 GREtunnel mode gre ipv6
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 147
Source Specific Multicast (SSM)
No configuration required other than enabling
ipv6 multicast-routing
SSM group ranges are automatically defined
Requires MLDv2 on host or SSM Mapping feature
router#show ipv6 pim range-list
config SSM Exp: never Learnt from : ::
FF33::/32 Up: 1d00h
FF34::/32 Up: 1d00h
FF35::/32 Up: 1d00h
FF36::/32 Up: 1d00h
FF37::/32 Up: 1d00h
FF38::/32 Up: 1d00h
FF39::/32 Up: 1d00h
FF3A::/32 Up: 1d00h
FF3B::/32 Up: 1d00h
FF3C::/32 Up: 1d00h
FF3D::/32 Up: 1d00h
FF3E::/32 Up: 1d00h
FF3F::/32 Up: 1d00h
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 148
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint
SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2)
Range of groups can be statically defined or used with DNS
Wildcards can be used to define range of groups
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 149
SSM-Mapping
Corporate
Network
2001:DB8:CAFE:11::11
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
permit ipv6 any host FF33::DEAD
MLDv1
Source
FF33::DEAD
SSM
core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
Incoming interface: GigabitEthernet3/3
RPF nbr: FE80::20E:39FF:FEAD:9B00
Immediate Outgoing interface list:
GigabitEthernet5/1, Forward, 00:01:20/00:03:06
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
!
ip domain multicast ssm-map.cisco.com
ip name-server 10.1.1.1
Static Mapping:
DNS Mapping (the default):
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 150
RP
IP
WAN
L0
Corporate
Network
Source
ipv6 multicast-routing
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64
IPv6 Multicast Static RP
Easier than before as PIM is auto-enabled on every interface
ipv6 multicast-routing
!
interface Loopback0
description IPV6 IPmc RP
no ip address
ipv6 address 2001:DB8:C003:110A::1/64
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 151
IPv6 Multicast PIM BSR: Configuration
RP—2001:DB8:C003:1116::2
Source
Corporate
NetworkIP
WAN
RP—2001:DB8:C003:110A::1
wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2
ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 152
Bidirectional PIM (Bidir)
The same many-to-many model as before
Configure Bidir RP and range via the usual ip pim rp-address syntax with the optional bidir keyword
!
ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir
!
#show ipv6 pim range | include BD
Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 153
Embedded-RP Addressing Overview
RFC 3956
Relies on a subset of RFC3306—IPv6 unicast-prefix-based multicast group addresses with special encoding rules:
Group address carries the RP address for the group!
8 4 4 4 4 8 64 32
FF | Flags| Scope |Rsvd | RPaddr| Plen | Network Prefix | Group ID
New Address format defined :
Flags = 0RPT, R = 1, P = 1, T = 1=> RP address embedded
(0111 = 7)
Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
Embedded RP: 2001:0DB8:C003:111D::1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 154
Embedded-RP
PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy:
Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
Embedded-RP is just a method to learn ONE RP address for a multicast group:
It can not replace RP-redundancy as possible with BSR or MSDP/Anycast-RP
Embedded-RP does not (yet) support Bidir-PIM
Simply extending the mapping function to define Bidir-PIM RPs is not sufficient:
In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 155
RP
L0
Corporate
Network
Source
IP
WAN
Embedded-RP Configuration Example
RP to be used as an Embedded-RP needs to be configured with address/group range
All other non-RP routers require no special configuration
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 156
Embedded RP—Does It Work?
branch#show ipv6 pim range | include Embedded
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::
FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24
IP
WAN
To RP
ReceiverSendsReport
branch#show ipv6 pim group
FF7E:140:2001:DB8:C003:111D ::/96*
RP : 2001:DB8:C003:111D::1
Protocol: SM
Client : Embedded
Groups : 1
Info : RPF: Se0/0.1,FE80::210:7FF:FEDD:40
branch#show ipv6 mroute active
Active IPv6 Multicast Sources - sending >= 4 kbps
Group: FF7E:140:2001:DB8:C003:111D:0:1112
Source: 2001:DB8:C003:1109::2
Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKRST-2301 157