Enterprise IPv6 Deployment CLEUR


Published on February 15, 2014

Author: tjmartin2020

Source: slideshare.net

Description

CiscoLive in Milan, Italy (Feb 2014)

Enterprise IPv6 Deployment Strategies
BRKRST-2301
Tim Martin, CCIE #2020, Solutions Architect, @bckcntryskr

Reference Materials
§ IPv6 Knowledge Base Portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
§ Deploying IPv6 in the Internet Edge: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html
§ Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
§ Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/BrchIPv6.html
§ Smart Business Architecture – IPv6 Guides: http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
BRKRST-2301 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Recommended Reading

IPv6-Related Sessions
Session       Title
BRKRST-2301   Enterprise IPv6 Deployment
BRKRST-2311   IPv6 Planning, Deployment and Operation Considerations
BRKRST-2022   IPv6 Routing Protocols
BRKRST-2044   Enterprise Multi-Homed Internet Edge Architectures
BRKRST-2304   Hitchhiker’s Guide to Troubleshooting IPv6
BRKSEC-2003   IPv6 Security Threats and Mitigations
BRKSEC-3003   Advanced IPv6 Security: Securing Link Operations at First Hop
TECMPL-2192   IPv6 for Dummies
PNLCRS-2303   Experiences with Deploying IPv6
COCRST-3464   Inside Cisco IT: Making the Leap to IPv6
LTRSEC-3033   IPv6 Network Threat Defense, Countermeasures and Controls
BRKSPG-2602   IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
BRKSPG-2603   How to Securely Operate an IPv6 Network
BRKSPG-2606   IPv6 Strategies for Addressing IPv4 Address Exhaustion
BRKEWN-2010   Design and Deployment of Enterprise WLANs
BRKUCC-2699   IPv6 SIP Dual Stack End Node for UCM Support

Agenda
§ Why are we here?
§ IPv6 Address Considerations
§ Planning and Deployment Summary
§ Infrastructure Deployment
– Access Layer
– Multicast
– Data Center
– Internet Edge

Why are we here?

The Internet of Everything

Market Factors Driving IPv6 Adoption
§ National IPv6 Strategies – 2011 mandate for IPv6
§ IPv4 Address Depletion
§ IPv6 OS, Content & Applications – preferred by applications in W7, S2008, OSX
§ Infrastructure Evolution – 4G, DOCSIS 3.0, CGN
RFC 6540 – IPv6 support is no longer considered optional.

IPv6 Address Considerations http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf

IPv6 Address Family
§ Unicast – Global, Unique Local, Link Local, Special, Embedded, Temp
§ Multicast – Assigned, Well Known, Solicited Node
§ Anycast
*IPv6 does not use broadcast addressing

Unicast IPv6 Address Types
§ Link-Local – not routable, valid only within the layer 2 domain (FE80::/10)
  FE80:0000:0000:0000:HHHH:HHHH:HHHH:HHHH
§ Unique-Local – routable within the administrative domain (FC00::/7)
  FC0G:GGGG:GGGG:SSSS:HHHH:HHHH:HHHH:HHHH
  FD0G:GGGG:GGGG:SSSS:HHHH:HHHH:HHHH:HHHH
§ Global – routable across the Internet (2000::/3)
  2000:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
  3FFF:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
(G = global ID, N = network prefix, S = subnet ID, H = host/interface ID)

IANA & Regional Internet Registries
Allocation hierarchy: IANA (2000::/3) → Registries (/12) → ISP (PA) or Org (PI) (/32) → Level Four Entity (/48)
Recommended Allocations:
§ Consumer, SMB: /48, /56, /60, /64
§ Municipal Government, Enterprise, Single AS: /48
§ State Governments, Universities (LIR): /32, /36, /40, /44, /48

IPv4 and IPv6 Header Comparison
IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 Header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
• Length is constant in IPv6
• Fragmentation occurs in an extension header (EH)
• Options occur in extension headers (EH)
• UDP must have a valid checksum, unlike v4
• Upper-layer checksums use the pseudo-header format: SRC/DST Addr + Next Header

ICMPv6 – Next Header 58
ICMPv6 Header: Type, Code, Checksum, Data
Error types: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem
§ Neighbor Discovery, Router Discovery, Path MTU Discovery and Multicast Listener Discovery (MLD)
– Type – (1-127) = Error Messages, (128-255) = Informational Messages
– Code – more granularity within the Type
– Checksum – computed over the entire ICMPv6 message
– Data – original header returned (8 bytes), then filled up to the minimum MTU (1280)

Solicited-Node Multicast Address
§ Every unicast and anycast address has a corresponding solicited-node multicast address
§ Multicast for resolution, unicast for reachability
§ The solicited-node multicast address consists of FF02:0:0:0:0:1:FF00::/104 followed by the lower 24 bits of the IPv6 unicast interface ID
  FE80:0000:0000:0000:1234:5678:9ABC:FC0F → FF02:0000:0000:0000:0000:0001:FFBC:FC0F
  2001:0DB8:4646:0000:0400:56FF:FE23:3544 → FF02:0000:0000:0000:0000:0001:FF23:3544

Neighbor Solicitation & Advertisement
§ Local link only, not routed
§ ARP replacement, maps L3 to L2
§ Multicast for resolution, unicast for reachability
Neighbor Solicitation (NS) – ICMP Type 135, Code 0 (need link layer)
  IPv6 Source FE80::A
  IPv6 Destination: B's solicited-node multicast FF02::1:FF00:B
  Target Address 2001:db8:1:46::B
  Query: what is B's link layer address?
Neighbor Advertisement (NA) – ICMP Type 136
  IPv6 Source FE80::B
  IPv6 Destination FE80::A
  Target, Type 2 data: link layer address of B
  *Flags: R = Router, S = Response to Solicitation, O = Override cache information

Planning and Deployment Summary

IPv6 Integration Outline
Pre-Deployment Phases
• Establish the network starting point
• Importance of a network assessment and available tools
• Obtain addressing
• Build the initial addressing architecture
• What content are you serving?
Deployment Phases
• Peering capabilities
• Internet Edge (ISP, Apps)
• Campus IPv6 integration options
• Data Center integration options
• WAN IPv6 integration options
• Execute on gaps found in the assessment

Architectural Scope of IPv6 Deployment
Planning and coordination is required from many across the organization, including …
• Network engineers & operators
• Security engineers
• Application developers
• Desktop / Server engineers
• Web hosting / content developers
• Business development managers
• …
Moreover, training will be required for all involved in supporting the various IPv6-based network services.
Build your IPv6 Transition Team

Building the IPv6 Address Plan
§ Methods
– Follow IPv4 (/24 only), Organizational, Location, Function based
§ Hierarchy is key (using 16 bits for subnetting)
– 8 bits = (256) Regions (states, counties, agencies, etc.)
– 4 more bits = (16) Sub Levels within those Regions
– 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc.)
§ Cisco IPv6 Addressing White Paper
– http://www.cisco.com/go/IPv6
§ Monotonic (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000) allocation
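The 16-bit hierarchy on this slide (8-bit region, 4-bit sub-level, 4-bit traffic type) worked through as code. This is an added example, not from the deck; the /48 (documentation space), the traffic-type codes and the helper names are assumptions, and the sparse allocator generalizes the slide's four-entry illustration to any count.

```python
"""Hierarchical IPv6 subnet plan from the 16 subnet bits of a /48:
8-bit region | 4-bit sub-level | 4-bit traffic type, giving the /64 for each site/role."""
import ipaddress

# Constructed organizational /48 (documentation space), not a real allocation.
ORG_PREFIX = ipaddress.IPv6Network("2001:db8:cafe::/48")

# Constructed traffic-type codes for the low 4 bits.
TRAFFIC_TYPES = {"admin": 0x0, "guest": 0x1, "telephony": 0x2, "video": 0x3}


def subnet_for(region, sub_level, traffic_type, org=ORG_PREFIX):
    """Return the /64 for (region, sub-level, traffic type) inside the org /48."""
    if org.prefixlen != 48:
        raise ValueError("plan assumes a /48 organizational prefix")
    if not (0 <= region < 256 and 0 <= sub_level < 16 and 0 <= traffic_type < 16):
        raise ValueError("region needs 8 bits, sub-level and traffic type 4 bits each")
    subnet_id = (region << 8) | (sub_level << 4) | traffic_type
    # The subnet ID occupies bits 63..48 of the address, just above the /64 boundary.
    base = int(org.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def decode(net, org=ORG_PREFIX):
    """Inverse of subnet_for: recover (region, sub_level, traffic_type) from a /64."""
    net = ipaddress.IPv6Network(net)
    if net.prefixlen != 64 or not net.subnet_of(org):
        raise ValueError(f"{net} is not a /64 inside {org}")
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return subnet_id >> 8, (subnet_id >> 4) & 0xF, subnet_id & 0xF


def region_aggregate(region, org=ORG_PREFIX):
    """All sub-levels and traffic types of one region summarise to a single /56,
    which is the one route a region needs to advertise into the core."""
    return ipaddress.IPv6Network((int(org.network_address) | (region << 72), 56))


def allocate_ids(count, sparse=False, step=0x1000):
    """Subnet IDs for `count` allocations: monotonic (1000, 2000, ...) or sparse,
    spread evenly over the 16-bit field (0000, 4000, 8000, c000 for four)."""
    if sparse:
        gap = 0x10000 // count
        return [i * gap for i in range(count)]
    return [i * step for i in range(1, count + 1)]


if __name__ == "__main__":
    branch1 = subnet_for(0x28, 0, TRAFFIC_TYPES["admin"])
    print(branch1, decode(branch1), region_aggregate(0x28))
    print([f"{x:04x}" for x in allocate_ids(4, sparse=True)])
```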

Prefix Length Considerations
§ /64 everywhere a host lives (Hosts /64, Servers /64)
§ /127 point-to-point links (Core /64 or /127, WAN /127)
– carved out of a single /64
– links 1 & 2 are not in the same subnet
§ /128 loopbacks
– carved out of a single /64
§ /64, /64, /64

ULA, ULA or LL + Global, Global-only
§ LL – topology hiding, reduces prefix count; need ULA or Global to manage devices
§ ULA – topology hiding; no external troubleshooting without Global loopbacks
§ Global – enablement of applications & management; requires good FW skills
Example topology: Corporate Backbone ULA space FD9C:58ED:7D73::/48, Global 2001:DB8:CAFE::/48
  Corp HQ:  FD9C:58ED:7D73:2::/64 and 2001:DB8:CAFE:2::/64
  Branch 1: FD9C:58ED:7D73:2800::/64 and 2001:DB8:CAFE:2800::/64
  Branch 2: FD9C:58ED:7D73:3000::/64 and 2001:DB8:CAFE:3000::/64

RFC 6724 – Default Address Selection
§ Scope; Preferred over Deprecated; Native over Transitional; Temporary over Public
§ Must support an application override API; the choice of v6 or v4 is application dependent
§ Network Connection Status Indicator (NCSI)
Host stack: Application Layer → TCP/UDP (RFC 6555) → IPv6 / IPv4 → Network Interface Card
Candidate addresses on the interface (all Preferred):
  Temporary  2001:0db8:2301:1:bd86:eac2:f5f1:39c1
  DHCP       2001:0db8:2301:1:202:8a34:bead:a136
  Link       fe80::202:8a34:bead:a136

IGPs
§ RIPng – UDP 521, 15 hops; FE80::/64 source → FF02::9 destination
§ IS-IS – CLNS, wide metric; supports IPv4 & IPv6 (2 new TLVs added); Single Topology, Multi Topology, Multi Instance
§ OSPFv3 – IP protocol 89; FE80::/64 source → FF02::5 (all), FF02::6 (DRs)
– Link-LSA (8) – local scope, next hop
– Intra-Area-Prefix-LSA (9) – routers' prefixes
– Inter-Area-Prefix-LSA (3) – between ABRs
§ EIGRP – IP protocol 88; FE80::/64 source → FF02::A destination
– 2 new TLVs – internal-type & external-type
– No split horizon, auto summary disabled

IPv6 Deployment Options
§ Dual Stack (IPv4 + IPv6) – recommended enterprise co-existence strategy
§ Tunneling Services – IPv6 over IPv4, IPv4 over IPv6
§ Translation Services – IPv4 ↔ IPv6

Where do I start?
§ Core-to-Access – gain experience with v6
§ Turn up your servers – enable the experience
§ Access-to-Core – securing and monitoring
§ Internet Edge – business continuity
(Diagram: ISPs → Internet Edge → Campus Core → Access; WAN → Branch; Servers off the core)

Access Layer

IPv6 Host Portion Address Assignment
Similar to IPv4:
§ Manually configured
§ Assigned via DHCPv6
New in IPv6:
§ Stateless Address Auto Configuration (SLAAC) – EUI-64
§ SLAAC ephemeral addressing
§ *Secure Neighbor Discovery (SeND)

Router Solicitation and Advertisement
§ Router solicitations (RS) are sent by nodes at boot up
§ A host needs an RA to finish building its addresses
RS – ICMP Type 133
  IPv6 Source FE80::A
  IPv6 Destination FF02::2
  Option 1: source link layer address
RA – ICMP Type 134
  IPv6 Source FE80::2
  IPv6 Destination FE80::A
  Data: options, subnet prefix, lifetime, autoconfig flag

RA Message
§ M-Flag – stateful DHCPv6 to acquire an IPv6 address
§ O-Flag – stateless DHCPv6 in addition to SLAAC
§ H-Flag – Mobile IP home agent
§ Preference bits – Low, Med, High
§ Router Lifetime – must be >0 to be used as a default router
§ Options – Prefix Information, Prefix Length
§ L bit – the only way a host gets an on-link prefix
§ A bit – set to 0 for DHCP to work properly
Decoded RA from a packet capture:
  Type: 134 (RA)
  Code: 0
  Checksum: 0xff78 [correct]
  Cur hop limit: 64
  Flags: 0x84
    1... .... = Managed (M flag)
    .0.. .... = Not other (O flag)
    ..0. .... = Not Home (H flag)
    ...0 1... = Router pref: High
  Router lifetime: 1800
  Reachable time: 60000
  Retrans timer: 1000
  ICMPv6 Option 3 (Prefix Info)
    Prefix length: 64
    Flags: 0x80
      1... .... = On link (L Bit)
      .0.. .... = No Auto (A Bit)
    Prefix: 2001:0db8:4646:1234::

Disabling Ephemeral Addressing
§ Enable DHCPv6 via the M flag
§ Disable auto configuration via the A bit in option 3
§ Enable router preference high
§ Enable DHCPv6 relay

  ipv6 unicast-routing
  !
  interface fastEthernet 0/0
   ipv6 address 2001:db8:6666:acc1::/64 eui-64
   ipv6 nd managed-config-flag
   ipv6 nd prefix 2001:db8:6666:acc1::/64 no-autoconfig
   ipv6 nd router-preference high
   ipv6 dhcp relay destination 2001:db8:add:cafe::1
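A decoder for the RA fields shown on the previous slide, plus a check that an observed RA matches the policy this configuration sets (M=1, A=0, preference high, the expected prefix only); the same check is what an RA Guard or monitoring probe applies to every RA seen on a segment. Added example, not from the deck: the RA bytes are constructed in-line (checksum left at zero), and build_ra/parse_ra/check_ra are names chosen here; the flag bit positions follow RFC 4861 and RFC 4191.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861, RFC 4191) and check it against the
link policy on this slide: M flag set, A bit clear on the prefix, router preference high."""
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
ROUTER_PREF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}  # RFC 4191, bits 4-3


def build_ra(prefix, managed, other, pref, on_link, autonomous, router_lifetime=1800):
    """Constructed RA body (ICMPv6 header + one Prefix Information option), checksum 0."""
    net = ipaddress.IPv6Network(prefix)
    flags = (int(managed) << 7) | (int(other) << 6) | ((pref & 0b11) << 3)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                         router_lifetime, 60000, 1000)  # hop limit 64, reachable 60000, retrans 1000
    pflags = (int(on_link) << 7) | (int(autonomous) << 6)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option


def parse_ra(data):
    """Parse the RA into a dict; raise on malformed input rather than guessing."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, code, _, hop_limit, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", data[:16])
    if code != 0:
        raise ValueError("RA code must be 0")
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),        # M: stateful DHCPv6 for addresses
          "other": bool(flags & 0x40),          # O: stateless DHCPv6 for other config
          "home_agent": bool(flags & 0x20),     # H
          "pref": ROUTER_PREF[(flags >> 3) & 0b11],
          "router_lifetime": lifetime, "reachable_time": reach, "retrans_timer": retrans,
          "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: packet must be discarded
        body = data[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            net = ipaddress.IPv6Network((int.from_bytes(body[16:32], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen * 8
    return ra


def check_ra(ra, expected_prefix):
    """Policy violations for a DHCPv6-managed link (the configuration on this slide)."""
    issues = []
    if not ra["managed"]:
        issues.append("M flag clear: hosts will not use stateful DHCPv6")
    if ra["pref"] != "high":
        issues.append(f"router preference is {ra['pref']}, expected high")
    if ra["router_lifetime"] == 0:
        issues.append("router lifetime 0: sender is not offering itself as default router")
    advertised = {p["prefix"] for p in ra["prefixes"]}
    if expected_prefix not in advertised:
        issues.append(f"expected prefix {expected_prefix} not advertised")
    for p in ra["prefixes"]:
        if p["prefix"] != expected_prefix:
            issues.append(f"unexpected prefix {p['prefix']} (rogue RA?)")
        if p["autonomous"]:
            issues.append(f"A bit set on {p['prefix']}: hosts will form SLAAC/ephemeral addresses")
    return issues


if __name__ == "__main__":
    sample = build_ra("2001:db8:6666:acc1::/64", managed=True, other=False, pref=0b01,
                      on_link=True, autonomous=False)
    print(parse_ra(sample))
    print(check_ra(parse_ra(sample), "2001:db8:6666:acc1::/64"))
```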

IPv6 First Hop Security (FHS)
Core Features
§ RA Guard – protection against: rogue or malicious RAs, MiM attacks
§ DHCPv6 Guard – protection against: invalid DHCP offers, DoS attacks, MiM attacks
§ Source/Prefix Guard – protection against: invalid source address, invalid prefix, source address spoofing
§ Destination Guard – protection against: DoS attacks, scanning, invalid destination address
Advanced Features (Scalability & Performance)
§ RA Throttler, ND Multicast Suppress
– Facilitates scale by converting multicast traffic to unicast
– Reduces the control traffic necessary for proper link operations to improve performance
§ IPv6 Snooping (the binding table underneath all of the above)

First Hop Security for Wireless IPv6 Clients
§ RA Guard – enabled at the AP by default, always on at the controller
§ DHCPv6 Guard – blocks client-side DHCPv6 Advertise packets
§ Source Guard – prevents client spoofing, enabled at the controller by default
§ Address Accounting – RADIUS “Framed-IP-Address” attribute

Access Layer Configuration Example
§ RA Guard – Host & Router policies
§ IPv6 ND Inspection
– Includes RA/DHCP Guard, Src/Dst Guard
– Host = RA/DHCP Guard, no Redirect

  ipv6 nd raguard policy HOST
  !
  ipv6 nd raguard policy ROUTER
   device-role router
  !
  ipv6 snooping policy HOST
   tracking enable
   limit address-count 2
  !
  interface vlan 200
   ipv6 nd raguard attach-policy HOST
  !
  interface GigabitEthernet1/0/2
   switchport access vlan 200
   switchport mode access
   ipv6 snooping attach-policy HOST
  !
  interface GigabitEthernet1/0/0
   description Router Port
   ipv6 nd raguard attach-policy ROUTER

RA Throttler
§ Scaling the 802.11 multicast reliability issues
§ NDP process is multicast “chatty”, consumes airtime
§ Rate limit RAs from the legitimate router
§ Inspect the RS, convert the responding RA to L2 unicast
(Diagram: Periodic RAs; Router Solicitation (RS); Triggered RA)

ND Multicast Suppression
§ Scaling the 802.11 multicast reliability issues
§ NDP process is multicast “chatty”, consumes airtime
§ Caching allows the Controller to “proxy” the NA, based on gleaning
§ Intercepting the NS and unicasting it over L2 to the target
(Diagram: host 00:24:56:75:44:33 / 2001:db8:0:20::2 sends an NS for 2001:db8:0:20::4; the controller answers with a unicast NA on behalf of 00:24:56:11:93:28 / 2001:db8:0:20::4)

How Does Cisco Solve IPv6 Mobility?
§ Roaming client must be able to receive the original router advertisement
§ Controllers must be part of the same mobility group domain
§ The anchor controller sends the RA to the foreign controller in the mobility tunnel
§ AP converts the multicast RA to an L2 unicast (MC2UC)
(Diagram: Anchor controller R1 – multicast RA → mobility tunnel → Foreign controller R2 – unicast RA → roaming client)

First Hop Router Redundancy Options
Neighbor Unreachability Detection
• Rudimentary HA at the first hop; slow to detect failures (RA reach-time)
• Hosts use the NUD “reachable time” to cycle to the next known default gateway
  Default Gateway . . . . . . . . : 10.121.10.1
                                    fe80::211:bcff:fec0:d000%4
                                    fe80::211:bcff:fec0:c800%4
HSRP for IPv6 (HSRP Active / HSRP Standby)
§ Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
§ Virtual MAC derived from HSRP group # and virtual IPv6 LLA
GLBP for IPv6 (AVG / AVF)
• Modification to Neighbor Advertisement; the default gateway is announced via RAs from the virtual MAC
• Active Virtual Gateway (AVG) assigns MACs, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)

Multicast

Well Known Multicast Addresses
§ FF02 is a permanent address and has link scope
§ Link operations, routing protocols, streaming services
Address   Scope        Meaning
FF01::1   Node-Local   This Node
FF05::2   Site-Local   All Routers
FF02::1   Link-Local   All Nodes
FF02::2   Link-Local   All Routers
FF02::5   Link-Local   OSPFv3 Routers
FF02::6   Link-Local   OSPFv3 DR Routers
FF02::9   Link-Local   RIPng

IPv6 over Ethernet
§ IPv6 has a specific Ethernet Protocol ID
§ IPv6 relies heavily on multicast
Frame layout:
  Destination Ethernet Address | Source Ethernet Address | 0x0800 | IPv4 Header and Payload
  Destination Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and Payload
Multicast destination MAC: 33 33 xx xx xx xx; first octet bits 0000 00IL – I bit = Local Admin, L bit = Multicast/Broadcast

Multicast Mapping over Ethernet (RFC 2464)
§ IPv6 multicast address to Ethernet mapping
§ Destination address based mechanism
IPv6 Solicited Node Multicast Address FF02:0000:0000:0000:0000:0001:FF17:FC0F
  Corresponding Ethernet Address 33 33 FF 17 FC 0F
IPv6 Temporary Multicast Address FF3E:0040:2001:0DB8:CAFE:0001:11D7:4CD3
  Corresponding Ethernet Address 33 33 11 D7 4C D3
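The address arithmetic from the solicited-node slide, the SLAAC EUI-64 mention and this RFC 2464 mapping, chained together the way a switch's ND inspection sees it: MAC → link-local address → solicited-node group → frame destination MAC. Added example, not from the deck; the function names are chosen here and the two MACs are the ones drawn on the ND suppression slide.

```python
"""Neighbor Discovery address arithmetic: MAC -> EUI-64 link-local -> solicited-node
multicast group -> Ethernet multicast MAC (RFC 4291 / RFC 2464)."""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02:0:0:0:0:1:FF00::/104


def eui64_link_local(mac):
    """Link-local address a host forms from its MAC with modified EUI-64 (SLAAC EUI64)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FFFE in the middle
    iid[0] ^= 0x02                                           # flip the universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def solicited_node(unicast):
    """Solicited-node group: FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    addr = ipaddress.IPv6Address(unicast)
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(addr) & 0xFFFFFF))


def multicast_mac(group):
    """RFC 2464 mapping: 33:33 followed by the low 32 bits of the IPv6 multicast group."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in addr.packed[-4:])


def nd_resolution_chain(mac):
    """What ND inspection can expect from one host: the LL address it will claim, the
    group it must join (MLD) to be resolvable, and the frame DA an NS for it carries."""
    ll = eui64_link_local(mac)
    group = solicited_node(ll)
    return {"link_local": str(ll), "solicited_node": str(group),
            "ns_dest_mac": multicast_mac(group)}


if __name__ == "__main__":
    for mac in ("00:24:56:75:44:33", "00:24:56:11:93:28"):  # MACs from the ND suppression slide
        print(nd_resolution_chain(mac))
```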

IPv6 Multicast Address (RFC 4291)
§ Prefix FF00::/8
Format: 8-bit 1111 1111 | 4-bit flags 0RPT | 4-bit scope | 112-bit variable format
Flags:
  R=0 No embedded RP, R=1 Embedded RP
  P=0 Without prefix, P=1 Address based on prefix
  T=0 Well Known address (IANA assigned), T=1 Temporary address (locally assigned)
Scope: 0 Reserved, 1 Node, 2 Link, 3 Subnet, 4 Admin, 5 Site, 8 Organization, E Global

IPv6 Multicast Address – Unicast Based (RFC 3306)
§ Every unicast prefix can build custom multicast addresses
§ Last 32 bits of the unicast address mapped into the Group ID (112 bits)
Format: 8 bits 1111 1111 | 4 bits flags 0011 | 4 bits scope 1110 | 8 bits Rsvd | 8 bits plen | 64 bits Unicast Prefix | 32 bits Group ID
Example: plen 0x40 = 64 bits; prefix 2001:db8:cafe:1::; Group ID 11d7:4cd3
  → FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3

IPv6 Embedded RP Multicast Address (RFC 3956)
§ Static mapping of the RP into the multicast group
§ Solves MSDP and scaling issues
Format: 8 bits 1111 1111 | 4 bits flags 0111 | 4 bits scope 1110 | 4 bits Rsvd | 4 bits RPid | 8 bits plen | 64 bits Unicast Prefix | 32 bits Group ID
Example: Rsvd/RPid 0000 | 0101; plen 0x40; prefix 2001:db8:cafe:1::; Group ID 645
  → FF7E:0540:2001:DB8:CAFE:1:0000:0645 (written FF7E:540:2001:db8:cafe:1::645)
  RP address = prefix + RPid = 2001:db8:cafe:1::5
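The RFC 3306 and RFC 3956 layouts from these two slides, built bit by bit and decoded again so the RP can be recovered from the group address (which is what a router does when it sees an embedded-RP group). Added example, not from the deck; the function names are chosen here and the inputs are the documentation-prefix values from the slides.

```python
"""Build and decode unicast-prefix-based (RFC 3306) and embedded-RP (RFC 3956) IPv6
multicast groups using the field layout on these two slides."""
import ipaddress

SCOPE = {"node": 0x1, "link": 0x2, "subnet": 0x3, "admin": 0x4, "site": 0x5,
         "organization": 0x8, "global": 0xE}      # RFC 4291 scope values
FLAG_T = 0b0001   # transient (locally assigned)
FLAG_P = 0b0010   # address based on a unicast prefix
FLAG_R = 0b0100   # rendezvous point embedded


def _prefix64(prefix):
    """Return (plen, top 64 bits) of a unicast prefix no longer than /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("plen is limited to 64 bits in these formats")
    return net.prefixlen, int(net.network_address) >> 64


def unicast_prefix_group(prefix, group_id, scope=SCOPE["global"]):
    """FF | flags 0011 | scope | reserved(8) | plen(8) | unicast prefix(64) | group ID(32)."""
    plen, bits = _prefix64(prefix)
    if not 0 <= group_id < (1 << 32):
        raise ValueError("group ID is 32 bits")
    value = ((0xFF << 120) | ((FLAG_P | FLAG_T) << 116) | (scope << 112)
             | (plen << 96) | (bits << 32) | group_id)
    return ipaddress.IPv6Address(value)


def embedded_rp_group(prefix, rp_iid, group_id, scope=SCOPE["global"]):
    """FF | flags 0111 | scope | rsvd(4) | RIID(4) | plen(8) | prefix(64) | group ID(32).
    The RP address is prefix::RIID, so it can be recovered from the group itself."""
    plen, bits = _prefix64(prefix)
    if not 0 <= rp_iid < 16 or not 0 <= group_id < (1 << 32):
        raise ValueError("RIID is 4 bits, group ID 32 bits")
    value = ((0xFF << 120) | ((FLAG_R | FLAG_P | FLAG_T) << 116) | (scope << 112)
             | (rp_iid << 104) | (plen << 96) | (bits << 32) | group_id)
    return ipaddress.IPv6Address(value)


def decode_group(group):
    """Split a group into its fields; includes the embedded RP when the R flag is set."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope, plen = (g >> 116) & 0xF, (g >> 112) & 0xF, (g >> 96) & 0xFF
    if not flags & FLAG_P:
        raise ValueError("P flag clear: not a unicast-prefix-based group")
    if plen > 64:
        raise ValueError("invalid plen")
    mask = ((1 << plen) - 1) << (64 - plen)                 # keep only the plen prefix bits
    prefix_bits = ((g >> 32) & ((1 << 64) - 1)) & mask
    info = {"scope": scope, "plen": plen,
            "prefix": str(ipaddress.IPv6Network((prefix_bits << 64, plen))),
            "group_id": g & 0xFFFFFFFF, "rp": None}
    if flags & FLAG_R:
        riid = (g >> 104) & 0xF
        info["rp"] = str(ipaddress.IPv6Address((prefix_bits << 64) | riid))
    return info


if __name__ == "__main__":
    print(unicast_prefix_group("2001:db8:cafe:1::/64", 0x11D74CD3))
    print(embedded_rp_group("2001:db8:cafe:1::/64", 5, 0x645))
    print(decode_group("ff7e:540:2001:db8:cafe:1::645"))
```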

IPv6 Multicast Listener Discovery (MLD)
§ MLD uses LL source addresses (MLD snooping)
§ 3 message types: Query, Report, Done
§ MLD packets use “Router Alert” in the Hop-by-Hop (HBH) header
§ MLDv1 = (*,G) shared, MLDv2 = (S,G) source
MLD                 Message Type      IGMP                ICMPv6 Type   Function
MLDv1 (RFC 2710)    Listener Query    IGMPv2 (RFC 2236)   130           Used to find out if there are any multicast listeners
                    Listener Report                       131           Response to a query, joins a group
                    Listener Done                         132           Sent by a node to report it has stopped listening
MLDv2 (RFC 3810)    Listener Query    IGMPv3 (RFC 3376)   130           Used to find out if there are any multicast listeners
                    Listener Report                       143           Enhanced reporting, multiple groups and sources

MLDv1 Joining a Group (Report)
Host A → MLD Report: ICMP Type 131; IPv6 Source FE80::A; IPv6 Destination FF38::276; Hop Limit 1; Group Address FF38::276; Hop-by-Hop Extension Header, Router Alert: Yes
Host B → MLD Report (S, G): ICMP Type 131; IPv6 Source FE80::B; IPv6 Destination FF38::276; Hop Limit 1; Group Address FF38::276; Hop-by-Hop Header, Router Alert: Yes

MLDv1 Leaving a Group (Done)
Host A → MLD Done: ICMP Type 132; IPv6 Source FE80::A; IPv6 Dst. FF02::2; Hop Limit 1; Group FF38::276; Hop-by-Hop Header, Router Alert: Yes
Router C → Query: ICMP Type 130; IPv6 Source FE80::C; IPv6 Dst. FF38::276; Hop Limit 1; Hop-by-Hop Header, Router Alert: Yes
Host B → MLD Report: ICMP Type 131; IPv6 Source FE80::B; IPv6 Dst. FF38::276; Hop Limit 1; Group FF38::276; Hop-by-Hop Header, Router Alert: Yes

MLDv2 Joining a Group (Report)
Host A: “I wish to receive FF38::4000:BA11”
Host A → MLD Report (S, G): ICMP Type 143; IPv6 Source FE80::A; IPv6 Destination FF02::16; Hop Limit 1; # of Records; Include/Exclude; Group Address FF38::4000:BA11; Source; Hop-by-Hop Header, Router Alert: Yes

MLD Multicast Maintenance (Query)
§ General Query
– Sent to FF02::1
– Group list empty: who’s listening?
§ Group Specific Query
– FF38::4000:BA11: anyone still interested in this stream?
§ Group & Source Specific Query
– 2001:DB8:CAFE::1, FF38::4000:BA11
– Filter Mode, Change Record
§ Multiple routers on link
– Lowest address value assumes the Querier role

IPv6 Anycast RP Redundancy
§ Designate a primary and a secondary RP for the Anycast group.
§ Configure the primary RP with the longest prefix; the secondary has the shorter prefix
§ Distribute loopback interface routes into the IGP
  Primary RP:   Loopback 1 2001:db8:fab0::1/48
  Secondary RP: Loopback 1 2001:db8:fab0::1/47

Zeroconf over IPv6
§ Apple (Bonjour) has a light weight approach, adopted quicker
– FF02::FB – Multicast DNS (mDNS)
§ Microsoft (Rally) has a more robust, heavier implementation, has moved slower
– FF02::C – Simple Service Discovery Protocol (SSDP), UPnP
– FF02::1:3 – Link Local Multicast Name Resolution (LLMNR), with file sharing enabled
Personal Computer Operating Systems: Windows, Mac OS X, Linux
Appliances & Networking: Printers, Access Points, Switches, Routers
AV Equipment: Speakers, Cameras, Displays, AV Receivers

Why Service Discovery Gateway
Same L2 Domain: “Where’s my Printer?” – “I’m here! Talk to me...”

Why Service Discovery Gateway
Different L2 Domain: “Where’s my Printer?” – service browsing gets no answer: “Nobody's talking to me!?”

Service Discovery GW
§ Cached at the Gateway: Service, Type, Location
§ Service Discovery & Access Control = Better Together
(Diagram: services ATV/RAOP, IPP and Other on VLAN 100 (CTO Office), VLAN 200 (Training) and VLAN XYZ; the gateway cache holds name, type and VLAN and answers “IPP! RAOP! VLAN 200”)

Data Center

Migrating Applications to IPv6
§ If an application is protocol centric (IPv4):
– Needs to be rewritten – probably not going to happen
– Pressure vendors to move to a protocol agnostic framework
§ RFC 3493 – Open Socket Call, 64 bit structure aligned to HW
§ RFC 3542 – Raw Socket, ping, traceroute, r commands
§ Know whether your app displays or accepts an IPv6 address
– 198.51.100.44:8080 → [2001:db8:cafe:64::26]:8080

NDP Scaling Issues in the DC
§ Large DCs with very dense host populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 ‘control’ traffic
§ NDP scaling paper (lessons learned from production deployments)
§ NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
§ NUD Retry Interval: ipv6 nd nud retry base interval-in-milliseconds max-attempts
§ Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds
§ Unsolicited NA Glean: ipv6 nd na glean
§ Glean rate limiter: mls rate-limit unicast cef glean <pps> <burst>

DHCPv6 Protocol Details
§ FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
§ FF05::1:3 = All DHCP Servers (site-local scope)
§ Clients listen on UDP port 546; servers/relays on UDP port 547
§ Rapid Commit: 2 packet exchange, Solicit/Reply; the client requests it via an option
§ ipv6 dhcp relay destination replaces ip helper-address
DHCP Messages          IPv4       IPv6
Client → Server (1)    DISCOVER   SOLICIT
Server → Client (2)    OFFER      ADVERTISE
Client → Server (3)    REQUEST    REQUEST
Server → Client (4)    ACK        REPLY

IPv6 and DNS
§ Add AAAA records in the DNS server for hostnames that have IPv6 enabled
§ Automatically generate the accompanying (PTR) records
§ Enable IPv6 access to the authoritative DNS servers
§ Be sure that TCP/53 and UDP/53 can be accessed through IPv6
§ Enable IPv6 connectivity to external resolvers that send DNS queries
Function                 IPv4                                          IPv6
Hostname to IP Address   A Record                                      AAAA Record (Quad A)
                         www.abc.test. A 192.168.30.1                  www.abc.test AAAA 2001:db8:C18:1::2
IP Address to Hostname   PTR Record                                    PTR Record
                         1.30.168.192.in-addr.arpa. PTR www.abc.test.  2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
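Generating the nibble-reversed ip6.arpa PTR records automatically, as the slide recommends, and auditing that every AAAA record has a PTR pointing back to the same name (a stale or missing reverse entry is what breaks logging and mail acceptance later). Added example, not from the deck; the function names and the second host are constructed, the first host is the slide's own record.

```python
"""Generate AAAA records and the matching ip6.arpa PTR records, then audit a zone
for AAAA entries whose reverse record is missing or points elsewhere."""
import ipaddress


def ptr_name(addr):
    """Nibble-reversed reverse name for an IPv6 address, e.g. ...8.b.d.0.1.0.0.2.ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def records_for(hosts):
    """hosts: {fqdn: ipv6}. Returns (aaaa_records, ptr_records) as (owner, type, rdata) tuples."""
    aaaa, ptr = [], []
    for name, addr in hosts.items():
        owner = name if name.endswith(".") else name + "."
        addr = str(ipaddress.IPv6Address(addr))      # canonical lowercase form
        aaaa.append((owner, "AAAA", addr))
        ptr.append((ptr_name(addr), "PTR", owner))
    return aaaa, ptr


def audit(aaaa, ptr):
    """Report AAAA records with no PTR, or whose PTR names a different host."""
    reverse = {owner: target for owner, rtype, target in ptr if rtype == "PTR"}
    problems = []
    for owner, rtype, addr in aaaa:
        if rtype != "AAAA":
            continue
        expected = ptr_name(addr)
        if expected not in reverse:
            problems.append(f"{owner} {addr}: no PTR record")
        elif reverse[expected] != owner:
            problems.append(f"{owner} {addr}: PTR points to {reverse[expected]}")
    return problems


if __name__ == "__main__":
    # Constructed zone: the slide's host plus a second one.
    fwd, rev = records_for({"www.abc.test": "2001:db8:C18:1::2", "mail.abc.test.": "2001:db8:c18:1::25"})
    for rec in fwd + rev:
        print(" ".join(rec))
    print(audit(fwd, rev[1:]))   # drop the first PTR to show the audit catching it
```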

FCIPv6
§ Tunnel protocol for Fibre Channel over an IP infrastructure
§ RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16)
§ MDS 9x00 Series
– out-of-order delivery, jumbo frames, traffic shaping, TCP optimization

iSCSI/VRRP for IPv6
§ Same configuration requirements and operation as with IPv4
§ Configure the VRRP address to be the same as the physical interface of the “primary”

Network Management
§ SNMPv3 over IPv6 and managing IPv6 MIBs
§ Protocol Version Independent (PVI): manage the same OIDs (RFCs 4292, 4293)
§ NetFlow, Deep Packet Inspection, IP SLA all work with IPv6
§ Wireshark, packet analysis, MRTG, NetFlow collectors, etc.
DHCP: server supports IPv4 and IPv6; internal & external
DNS: server supports IPv4 & IPv6; standards compliant
DNS Caching: DNSSEC caching; DNS64 support
IPAM: integrated DNS and DHCP; configuration and reporting

Internet Edge

Internet Edge to ISP
Routing / Switching (ISP-A, ISP-B):
§ Do you support dual stack peering?
§ Do you have a separate SLA for IPv6?
§ Do you support BGP peering over IPv6?
§ What is the maximum prefix length?
§ What about DNS…
Services / Hosted Cloud Service:
§ Maximum prefix length offered by the cloud provider?
§ Access to the provisioning and billing portal over IPv6?
§ Global IPv6 addressing for VMs in your environment?

Internet Edge to ISP
Four designs: Single Link Single ISP (ISP 1, default route to the Enterprise); Dual Links Single ISP (ISP 1 POP1/POP2, BGP; an IPv4-only POP reached with an IPv6 tunnel); Multi-Homed (ISP2, ISP3, BGP); Multi-Region (ISP1 USA, ISP4 Europe)
Your ISP may not have IPv6 at the local POP

Dual Stack the Internet Edge
§ Most design elements should be like IPv4
§ No translation in this design
§ Single ISP or multi-ISP will change BGP slightly
§ Keep a careful eye out for limitations in SW/HW and/or security details
§ You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
§ Dual stack along the traffic flow from client to server
§ LISP (Locator/ID Separation Protocol) as a means to deal with non-IPv6-capable ISPs
(Diagram, Internet to enterprise: ISP 1 / ISP 2 → Edge Router → Outer Switch → Security Services → Inner switching / SLB / Proxy / Compute (Web, Email, Other) → Enterprise Core → Internal Enterprise)

Translation Techniques
§ Server Load Balancer – IPv6 Internet ↔ IPv4 servers
§ Stateful NAT64 – IPv6 ↔ IPv4 Internet
§ Proxy – IPv6 ↔ IPv4
Considerations: IPv6 application support, IPv6 client visibility, SW = poor performance

IPv6/IPv4 Translation
§ Easy to get – router, firewall, SLB, proxies
§ Instantly hooked – fastest path to delivering apps over IPv6
§ Both methods are useful, with caution
§ Need to examine the best location for translation
§ Put translation as deep into the DC/IE as possible (get full visibility of IPv6)
(Diagram: Stateful NAT64 on routers/ASA: v6 ↔ v4; SLB64: v6 → v4 → v4 servers)

SLB64 – Citrix NetScaler
§ OS/App dictate design parameters
§ Time to deploy
§ IPv6 north of the SLB boundary, IPv4 south
§ Translation & SLB are done on the same platform
(Diagram: ISP-A / ISP-B → Enterprise Core → SLB boundary → N5k → UCS servers, WWW)

X-Forwarded-For (XFF)
§ The source IP of client requests will be logged as the SNAT or other NATed address
§ You want to log the real source address – X-Forwarded-For (XFF) in HTTP
  cisco@ie-web-01:/$ tail -f /var/log/apache2/access.log
  10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)"
ACE policy map (“%is” = source IP address):
  serverfarm WEB_V6_V4_SF
   insert-http x-forward header-value "%is"
Resulting request as seen by the server:
  Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    x-forward: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n

NAT64
(Diagram: IPv4 header fields mapped onto IPv6 header fields)
§ Stateless NAT (~ASA static)
– RFC 6145 (IP/ICMP Translation Algorithm)
– Consumes an IPv4 address for each IPv6-only device
§ Stateful NAT (~ASA dynamic)
– RFC 6146 (Framework for IPv4/IPv6 Translation)
– Can aggregate many IPv6 users to a single (or more) IPv4 address
– Used mainly where IPv6-only clients need to access IPv4 servers
– Only supports IPv6-initiated flows
– Works like IPv4-to-IPv4 PAT: a translation table is required
§ TCP/UDP/ICMP unicast traffic only

To NAT or NOT
§ Today, NAT44 & RFC 1918
§ All PA or all PI and peering in multiple regions
– PI from one region and run it everywhere?
– ISP in one region rejects a PI block from another?
– What about translation?
Some enterprises are getting a prefix per RIR and only deploying one, building backup plans with the others
§ NPTv6 – translating your prefix for multi-homing; available on ASR, ISR G2 and more in the future
– RFC 6296 – IPv6-to-IPv6 Network Prefix Translation
– STUN, TURN, ICE will all be used as with IPv4
§ NAT ≠ Firewall – RFC 4864 (Local Network Protection)
§ NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)
(Diagram: Firewall+NAT between the enterprise and the Internet)

IPv6 Bogon and Anti-Spoofing Filtering
§  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
§  Anti-spoofing (RFC 2827, BCP 38); multihomed filtering (RFC 3704, BCP 84)
§  uRPF – Unicast Reverse Path Forwarding
(Figure: IPv6 intranet → inter-networking device with uRPF enabled → IPv6 intranet/Internet; no route to SrcAddr => drop)
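The two checks on this slide behave differently at a multihomed edge, which is the point RFC 3704 makes: strict uRPF drops legitimate traffic that arrives on a link other than the best return path, loose uRPF only asks whether any route to the source exists. The following is an added example, not code from the session or from Cisco IOS, that runs a bogon check and both uRPF modes against a small longest-prefix-match FIB. The FIB, interface names and the bogon subset are constructed; a real deployment loads the Cymru list. A Null0 route is treated as "no valid path", which is how a source-based black hole is triggered through uRPF.

```python
"""Bogon and uRPF (strict/loose) source checks against a small IPv6 FIB."""
import ipaddress

# Constructed subset of well-known non-routable IPv6 space. 2001:db8::/32 is a
# bogon as well but is omitted here because the example FIB is built from it.
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8")]


class Fib:
    """Longest-prefix-match table: prefix -> outgoing interface ('Null0' = discard)."""

    def __init__(self, routes):
        self.routes = sorted(((ipaddress.IPv6Network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        addr = ipaddress.IPv6Address(addr)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None


def ingress_check(fib, src, ingress_iface, urpf="strict"):
    """Return ('forward'|'drop', reason) for a packet with source src
    arriving on ingress_iface."""
    src = ipaddress.IPv6Address(src)
    if any(src in b for b in BOGONS):
        return "drop", f"bogon source {src}"
    via = fib.lookup(src)
    if via is None or via == "Null0":
        # No route to SrcAddr => drop, in both modes.
        return "drop", f"no valid route to source {src}"
    if urpf == "strict" and via != ingress_iface:
        return "drop", (f"strict uRPF: best path to {src} is {via}, "
                        f"packet arrived on {ingress_iface}")
    return "forward", f"{urpf} uRPF passed via {via}"


# Constructed FIB: campus on Gi0/0, branch on Gi0/1, a black-holed /48,
# and a single default route towards ISP-A on Gi0/2 (ISP-B is on Gi0/3).
FIB = Fib([
    ("2001:db8:1::/48", "Gi0/0"),
    ("2001:db8:2::/48", "Gi0/1"),
    ("2001:db8:ffff::/48", "Null0"),
    ("::/0", "Gi0/2"),
])

if __name__ == "__main__":
    cases = [
        ("2001:db8:1::10", "Gi0/0", "strict"),   # campus host on campus link
        ("2001:db8:2::10", "Gi0/0", "strict"),   # branch address on campus link: spoof
        ("2001:db8:cafe::1", "Gi0/3", "strict"), # Internet source via ISP-B: asymmetric
        ("2001:db8:cafe::1", "Gi0/3", "loose"),
        ("2001:db8:ffff::1", "Gi0/2", "loose"),  # black-holed source
        ("fe80::1", "Gi0/2", "loose"),           # bogon
    ]
    for src, iface, mode in cases:
        print(src, iface, mode, "->", ingress_check(FIB, src, iface, mode))
```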

Securing the Edge, FW and/or Perimeter Router
§  Address range
–  Source of 2000::/3 at minimum vs. “any”
§  ICMPv6
–  Error types through, NDP too; see RFC 4890
§  Extension headers
–  Allow Fragmentation, block HBH, block RH type 0, others as needed
§  Ingress filter
–  RFC 2827, BCP 38
§  IPv6 ACLs
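An IPv6 ACL that enforces the extension-header rules above has to walk the header chain rather than look at a fixed offset, because the upper-layer protocol sits behind a variable number of extension headers. The following is an added example, not code from the session or from any Cisco ACL implementation, that applies this slide's policy to raw IPv6 packets: source in 2000::/3, ICMPv6 limited to the RFC 4890 error and echo types, Fragment header allowed (a non-initial fragment is passed since there is nothing more to inspect statelessly), Hop-by-Hop dropped, Routing Header type 0 dropped. Header layouts follow RFC 8200; the packets and addresses are constructed here.

```python
"""Edge filter over raw IPv6 packets: source range, ICMPv6 types and
extension-header rules from the slide."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# IANA protocol / next-header numbers.
NH_HOPOPT, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 0, 6, 17, 43, 44, 58, 60

# ICMPv6 types RFC 4890 says to pass through: errors 1-4 and echo 128/129.
# NDP (133-137) is link-local and should not transit the edge device.
ICMPV6_TRANSIT = {1, 2, 3, 4, 128, 129}


def edge_policy(pkt):
    """Return ('allow'|'drop', reason) for one IPv6 packet given as bytes."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    src = ipaddress.IPv6Address(pkt[8:24])
    if src not in GLOBAL_UNICAST:
        return "drop", f"source {src} outside 2000::/3"
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in (NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if nh == NH_HOPOPT:
            return "drop", "Hop-by-Hop options header"
        if off + 8 > len(pkt):
            return "drop", "truncated extension header"
        if nh == NH_ROUTING and pkt[off + 2] == 0:
            return "drop", "Routing Header type 0"
        if nh == NH_FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off:
                # Non-initial fragment: no upper-layer header to inspect here.
                return "allow", "non-initial fragment"
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first 8
        nh, off = pkt[off], off + size
    if nh == NH_ICMPV6:
        if off >= len(pkt):
            return "drop", "truncated ICMPv6"
        if pkt[off] not in ICMPV6_TRANSIT:
            return "drop", f"ICMPv6 type {pkt[off]} not permitted through the edge"
        return "allow", f"ICMPv6 type {pkt[off]}"
    if nh in (NH_TCP, NH_UDP):
        return "allow", f"upper layer protocol {nh}"
    return "drop", f"next header {nh} not permitted"


def build_packet(src, dst, chain, upper, payload=b""):
    """Build a test packet. chain is a list of (header number, body) where body
    is the extension header without its Next Header octet; the Next Header
    fields are linked here so the constructed chain is consistent."""
    exts = b""
    for i, (num, body) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else upper
        exts += bytes([nxt]) + body
    first = chain[0][0] if chain else upper
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(exts) + len(payload), first, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + exts + payload


# Constructed extension-header bodies (each without the Next Header octet).
RH0_ONE_HOP = bytes([2, 0, 1]) + b"\0" * 4 + ipaddress.IPv6Address("2001:db8::beef").packed
HBH_PADN = bytes([0, 1, 4, 0, 0, 0, 0])                       # Hdr Ext Len 0, PadN(4)
FRAG_FIRST = bytes([0]) + struct.pack("!HI", (0 << 3) | 1, 0x1234)    # offset 0, M=1
FRAG_LATER = bytes([0]) + struct.pack("!HI", (185 << 3) | 0, 0x1234)  # offset 185, M=0
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
ICMP_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
ICMP_RS = bytes([133, 0, 0, 0, 0, 0, 0, 0])
SRC, DST = "2001:db8:1::10", "2001:db8:2::80"

if __name__ == "__main__":
    for name, pkt in (
        ("tcp", build_packet(SRC, DST, [], NH_TCP, TCP_SYN)),
        ("rh0", build_packet(SRC, DST, [(NH_ROUTING, RH0_ONE_HOP)], NH_TCP, TCP_SYN)),
        ("hbh", build_packet(SRC, DST, [(NH_HOPOPT, HBH_PADN)], NH_TCP, TCP_SYN)),
        ("frag", build_packet(SRC, DST, [(NH_FRAGMENT, FRAG_FIRST)], NH_TCP, TCP_SYN)),
        ("echo", build_packet(SRC, DST, [], NH_ICMPV6, ICMP_ECHO)),
        ("rs", build_packet(SRC, DST, [], NH_ICMPV6, ICMP_RS)),
        ("link-local", build_packet("fe80::1", DST, [], NH_TCP, TCP_SYN)),
    ):
        print(name, edge_policy(pkt))
```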

Key Take Away
§  Gain operational experience now
§  Security enforcement is possible
§  Control IPv6 traffic as you would IPv4
§  “Poke” your providers
§  IPv6 is here now; are you?

Call to Action…
§  Visit the Cisco Campus at the World of Solutions to experience demos and solutions in action
§  Get hands-on experience with the Walk-in Labs
§  Meet the Engineer at the MTE village for ad-hoc meetings
§  Discuss your project’s challenges at the Technical Solutions Clinics
§  Attend one of the Lunch Time Table Topics, held in the main Catering Hall
§  Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
§  CL365 – visit us online after the event for updated PDFs and on-demand session videos: www.CiscoLiveEU.com

Complete Your Online Session Evaluation
§  Complete your session evaluation online now through either the mobile app or internet kiosk stations.
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.
