Enterprise IPv6 Deployment Strategies
 

Enterprise IPv6 Deployment Strategies presented at go6.

Presentation Transcript

  • Enterprise IPv6 deployment strategies
    Andrew Yourtchenko, Technical Leader, ayourtch@cisco.com
    7th Slovenian IPv6 summit, 18-19 Oct 2012
    http://go6.si/7-slo-ipv6-summit/
  • IPv6 Estimated Adoption Timeframes
    • 2012: Low Impact – Buying behavior shift limited to mandated and early adopters
    • 2012: Mandates take effect – Globalization - WorldIPv6Launch - Massive Mobile deployment. Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
    • 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach
    IPv6 Business Impact – The Cost of Waiting Goes Up: Low Risk, Moderate Risk, High Risk
    [Figure labels: IPv4/IPv6 Co-existence, Government Mandate Deadlines, IPv6 Globalization, Early Adopters, Transition Planning]
    © 2012 Cisco and/or its affiliates. All rights reserved.
  • 6lab.cisco.com/stats [figure labels: Internet Transit Content Users]
  • [Chart; labels not recoverable] 65% of Cisco Enterprise Technology Advisory Board members will have IPv6 WEB sites by Q2 2013
  • [Chart; most labels not recoverable. Legible labels: Internet, Business Continuity, B2C, B2B]
  • Outside – In (diagram: IPv4 Enterprise, IPv6 Internet)
    • Internet Evolution
    • Business Continuity
    • B2C, B2B
    Inside – Out (diagram: Dual-Stack Enterprise, IPv4 Internet)
    • Globalization
    • Technology Leadership
    • Industry mandate
    • BYOD-Security-Visibility
    • Flatten management plane
    http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
  • a) Server Load Balancer b) Software Proxy c) Stateful NAT64
    [Diagram, one column per option: IPv6 Internet, IPv6 DMZ, http reverse proxy, Web Tier, IPv4, IPv4-only Server. Device labels: Apache, ACE30, MSFT PortProxy, ASR1000, ASA. Service labels: Email, Back-End, WEB, VPN]
  • • Life-Cycle management, depends on Timing and Use case
    • Native/Dual-Stack where you can, Tunnels where you must
    • Security – Visibility – Management
    • IPv6 Host Configuration.
    [Diagram (legend: IPv4, IPv6): Internet, Branch, Core - WAN, DMZ, WEB Services, Email ..etc.. Services, Campus Block, Datacenter Block]
  • Orderly Transition – Slow to dual-Stack all the way to user
    • Dual-Stack Core – Network based Tunnel to connect island
    • ISATAP for IPv6 services to users… Design gotchas
    • Dual-Stack selected part of DC (server front-end)
    [Diagram (legend: IPv4, IPv6): Internet, Branch, Core - WAN, DMZ, WEB Services, Email ..etc.. Services, ISATAP, Campus Block, Datacenter Block]
  • End User and Service first - Challenging but Doable
    • First Hop Security
    • Network based Tunnel to connect Islands
    • Dual-Stack selected part of DC (server front-end)
    [Diagram (legend: IPv4, IPv6): Internet, Branch, Core - WAN, DMZ, AnyConnect, WEB Services, Email ..etc.. Services, Campus Block, Datacenter Block]
  • 802.1x and Port ACL
    • Authorize Device
    • Filter traffic on Layer 2 ports
    Port Security:
    • Prevents TCAM overflow
    NDP Address Gleaning
    • Discover Address binding
    • Audit Trail
    • Revoke inactive devices
    IPv6 NDP inspection
    • Enforce Mac/IPv6 binding
    • Prevents Neighbor Discovery spoofing attacks
    IPv6 RA Guard / Throttler
    • Stops Rogue Router Advertisement threats
    DHCP Guard
    • Prevent rogue DHCP server
    Source Guard:
    • Stops traffic from un-authorized sources.
    [Diagram: IPv6/IPv4 Dual Stack Hosts, Access Layer (L2), WLC 7.2, IPv6 First Hop Security Suite, L3 Distribution Layer, Core Layer, Dual-Stack WAN, IPv6 uRPF: Blocks spoofed traffic in hardware]
  • • IPv6 MIBs and host support
    • Integrated Management & Reporting Console
    • IPv6 Traffic Metering with NAM and Flexible Netflow, including tunnel (export over IPv4)
    • IPv6 SLA: E2E test, measurement (UDP-Jitter, UDP-Echo, ICMP Echo, TCP Connect)
    • IPv6 Apps and Tunnel detection with NBAR2
    • ASA and IOS Tunnel Filtering
    [Diagram: IPv6/IPv4 Dual Stack Hosts, NAM Traffic Analyzer, L2, Campus, L3, IPv6 over IPv4 tunnel, IPv4 WAN]
  • • Do not jeopardize existing IPv4 services and applications, such as cisco.com and the internal corporate network
    • Preserve the cisco.com brand and control over the cisco.com experience
    • Do not compromise the corporate security posture
    • Re-use existing infrastructure, capabilities, content, and application environments whenever possible
    • Compile lessons learned to share with customers
  • Model 1 - Proxy at Internet Edge; Model 2 – SLB64; Model 3 – Dual Stack Web Servers
    [Diagram, one stack per model: Internet (IPv6, IPv4), www.cisco.com, AKAMAI, DMZ Network, Security (with Proxy in the first stack), Assurance Svc, Data Center Network, Server Load Balancer (ACE), Cisco.com Web Servers, IdM, Authz, Content, Middleware, App Platforms, Database]
  • Cisco’s IPv6 Web Presence Design for www.cisco.com (Model 2 – SLB64)
    [Diagram; device and address labels not recoverable. Legible layers: Internet (IPv6, IPv4), www.cisco.com, AKAMAI, DMZ Network, Security, Assurance Svc, Data Center Network, Server Load Balancer (ACE), Cisco.com Web Servers, IdM, Authz, Content, Middleware, App Platforms, Database]
  • Cisco’s IPv6 Web Presence Security for www.cisco.com (Cisco Public)
    [Diagram; device and address labels not recoverable. Legible security controls, in slide order:]
    • Firewall Policy
    • Anti-Spoofing
    • V6-only signatures
    • NetFlow v9 (forensic records)
    • V4+V6 signatures
    • BGP Blackhole (mitigation)
    • Arbor (Anomaly Detection)
    • Firewall Policy
    • Logging
  • www.cisco.com, www.webex.com, home.cisco.com
  • [Process diagram stages: Technology Refresh; CDO / Vendor Product Readiness; IT Design and Certification; IT IPv6 Readiness Assessment; Limited Deployment Pilot; Production Deployment; Post Production Assessment]
    • Partnership with AS and CDO, Leverage NDCS Fleet Program
    • Approx. 5400 Out of 8800 Network Devices Required Upgrades or Refresh
  • • Anycast-based ISATAP since 2003
    • Dualstack on the wired on selected sites
    • Dualstack on the wireless
    • DHCPv6 support for printers => static addresses
  • • Catalyst 6k & Nexus 7000 based => same as backbone
    • Limited dualstacking in FY12 on systems, primarily:
        Management systems for monitoring of IPv6 web presence
        IPv6 services to enable desktop operation, e.g. DHCPv6 on CNR 7.2
  • [Quotation; text missing] Khalid Jawaid, Network Engineer, Cisco IT
  • • 100% of the core network is IPv6-enabled
    • IPv6 interconnect between WebEx datacenter & Cisco network
    • ± 30% of Cisco’s global offices are dualstack
        80+ new global sites by the end of FY13
  • • Engage early with IT teams outside the core networking team.
    • Consider the implications of IPv6 addresses with external parties.
    • Account for lead time from vendors in your project plans.
    • Realize that end-device operating systems behave differently with IPv6.
    • Tuning of hardware
    • Cross functional testing
    • Freeze Periods
  • [Quotation; text missing] Winston Churchill
    What have you enabled IPv6 on today?
  • • IPv6 Education
    • Training: IPv6 FD
    • Certified Pro. CCIE/CCDE/CCDP/CCNA/CCNP
    • CiscoLive, Conferences & Webinars
    • Cisco Press
    • IPv6 Knowledge Portal
    • Comprehensive Advanced Services
    • IPv6 Support Community
    • IPV6 adoption Statistics
    • Leading in Certification
    www.cisco.com/go/ipv6
  • • Hurricane Electric, IPv4 exhaust: http://ipv6.he.net/statistics/
    • IPv6 adoption statistics: http://6lab.cisco.com/stats/
    • ISOC, World IPv6 Launch: www.worldipv6launch.org
    • Cisco IPv6 home page: www.cisco.com/go/ipv6
    • Cisco IPv6 Knowledge portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
    • Cisco IPv6 Support community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
    • Cisco Blog IPv6 Tag: blogs.cisco.com/tag/ipv6
    • Lippis Report Podcast, Interview - Alain Fiocco: http://lippisreport.com/2012/07/world-ipv6-day-marks-massive-transition-in-ip-addressing-what-it-means-to-you/
    • Certification, USGv6/IPV6RL Ph2: https://www.iol.unh.edu/services/testing/ipv6/usgv6tested.php
    • Twitter: #IPv6, @alainfiocco, @Deploy360, @TeamARIN
    • LinkedIn Group: http://www.linkedin.com Groups: IPv6, IPv6 Enthusiasts, IPv6Security