IPv6 enterprise-public-tmv8
Latest "brief" version of IPv6 enterprise strategies

Presentation Transcript

  • Enterprise IPv6 Deployment Strategies
    Tim Martin, CCIE #2020, Solutions Architect, @bckcntryskr (tjmartin2020)
    (Slide footer on every slide: © 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public)
  • Reference Materials
    §  IPv6 Knowledge Base Portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
    §  Deploying IPv6 in the Internet Edge: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html
    §  Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
    §  Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/BrchIPv6.html
    §  Smart Business Architecture – IPv6 Guides: http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
  • Recommended Reading
  • Agenda
    §  Planning and Deployment Summary
    §  Design Considerations
       –  Dual Stack Mode
       –  Hybrid Mode
       –  Service Block Mode
    §  Host Configuration & Behavior
    §  Infrastructure Deployment
       –  Campus
       –  Data Center
       –  Internet Edge
  • Planning and Deployment Summary
  • Architectural Scope of IPv6 Deployment
    Planning and coordination is required from many across the organization, including:
    §  Network engineers & operators
    §  Security engineers
    §  Application developers
    §  Desktop / Server engineers
    §  Web hosting / content developers
    §  Business development managers
    §  …
    Moreover, training will be required for all involved in supporting the various IPv6-based network services. Build your IPv6 Transition Team.
  • Where do I start?
    §  Core-to-Access – Gain experience with v6
    §  Turn up your servers – Enable the experience
    §  Access-to-Core – Securing and monitoring
    §  Internet Edge – Business continuity
    (Diagram: Branch, Access, Campus Core, WAN, Servers, Internet Edge, ISPs)
  • Prefix Length Considerations
    §  /64 everywhere a host sits
    §  /127 Point to Point
       –  out of a single /64
       –  ::1 and ::2 are not in the same /127
    §  /128 Loopback
       –  out of a single /64
    (Diagram: Hosts /64, Servers /64, Core /64 or /127, WAN point-to-point /127, Loopback /128)
  • IPv4 & IPv6 Combined
    §  Should we use both on the same link at Layer 3?
    §  Possibly, to collect protocol-specific statistics
    §  Routing protocols OSPFv3, EIGRP: combined or separate?
    §  Fate sharing between the data and control planes per protocol
    (Diagram: dual-stacked links 2001:db8:1:1::/64 with 198.51.100.0/24 and 2001:db8:4:4::/64 with 203.0.113.0/24, running OSPFv3 and EIGRP, towards the Internet)
  • Infrastructure with Link Local on Links
    §  Topology hiding: interfaces cannot be seen by off-link devices
    §  Reduces routing table prefix count, less configuration
    §  Need to use ULA or GUA for management and troubleshooting
    §  What about DNS, WAN connections and more?
    (Diagram: infrastructure links addressed only from FE80::/64, ULA/GUA on the devices themselves, WAN/MAN and Internet)
  • Unique Local Address (ULA) & Global
    §  Both ULA and Global are used, except for internal-only hosts
    §  Semi-random generator requires non-sequential /48s, avoids M&A challenges
    §  Need to use Global for troubleshooting beyond the internal network
    §  Multiple policies to maintain (ACL, QoS, Routing, etc.)
    (Diagram: ULA space fd9c:58ed:7d73::/48 and Global 2001:db8:cafe::/48 across Corp HQ, Branch 1 and Branch 2 over the Corporate Backbone, with site subnets fd9c:58ed:7d73:2::/64 and 2001:db8:cafe:2::/64, fd9c:58ed:7d73:2800::/64 and 2001:db8:cafe:2800::/64, fd9c:58ed:7d73:3000::/64 and 2001:db8:cafe:3000::/64; Internet)
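The "semi-random generator" the slide refers to is the Global ID algorithm of RFC 4193 section 3.2.2. The following is an added example, not from the deck: it derives a locally assigned ULA /48 from an NTP timestamp and a modified EUI-64, then carves a /64 out of it the way the diagram does. The MAC address and timestamp fed in are constructed sample values.

```python
import hashlib
import ipaddress

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF).to_bytes(4, "big") + frac.to_bytes(4, "big")


def generate_ula_prefix(mac: str, unix_seconds: float) -> str:
    """RFC 4193 3.2.2: fd00::/8 + 40-bit Global ID = a locally assigned /48.

    Global ID = low-order 40 bits of SHA-1(NTP time || EUI-64). Because the hash
    output is effectively random, two sites (or two merged companies) that each run
    this end up with non-overlapping /48s without coordinating.
    """
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    prefix_bytes = b"\xfd" + global_id + bytes(10)  # fd + Global ID; subnet ID and IID are zero
    return str(ipaddress.IPv6Network((prefix_bytes, 48)))


def is_ula(prefix: str) -> bool:
    """True when the prefix or address falls inside fc00::/7 (RFC 4193 ULA space)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 6 and net.subnet_of(ipaddress.IPv6Network("fc00::/7"))


def subnet_for_site(ula48: str, subnet_id: int) -> str:
    """Carve a /64 out of the /48 by writing the 16-bit subnet ID, e.g. 0x2800 for a branch."""
    net = ipaddress.IPv6Network(ula48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return str(ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64)))


if __name__ == "__main__":
    # Constructed inputs: the MAC behind the slide deck's sample public address and a fixed time
    ula = generate_ula_prefix("00:02:8a:ad:a1:36", 1400000000.0)
    print(ula, subnet_for_site(ula, 0x2800))
```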
  • To NAT or NOT
    §  Today, NAT44 & RFC 1918
    §  All PA or all PI and peering in multiple regions
       –  PI from one region and run it everywhere?
       –  ISP in one region rejects a PI block from another?
       –  What about translation?
    §  NPTv6 – Translating your prefix for multi-homing
       –  RFC 6296 – IPv6-to-IPv6 Network Prefix Translation
       –  IETF does NOT recommend the use of NAT66 with IPv6
       –  Available on ASR, ISR G2 and more in the future
    §  NAT ≠ Firewall – RFC 4864 (Local Network Protection)
    §  NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)
    Some enterprises are getting a prefix per RIR and only deploying one, building backup plans with the others.
    (Diagram: Firewall+NAT towards the Internet)
  • Design Considerations
  • IPv6 Deployment Options
    (Diagram: Dual Stack IPv4/IPv6 – the recommended enterprise co-existence strategy; Tunneling Services – IPv6 over IPv4 and IPv4 over IPv6; Translation Services – IPv4 <-> IPv6)
  • Dual Stack Mode
    §  Preferred method: versatile, scalable and highest performance
    §  No dependency on IPv4; runs in parallel on dedicated HW
    §  No tunneling, NAT or other performance-degrading technologies
    §  Does require IPv6 support on all devices
    (Diagram: Access Block with IPv6/IPv4 dual-stack hosts, Access Layer and Distribution Layer; Core Layer; Data Center Block with Aggregation Layer (DC), Access Layer (DC) and IPv6/IPv4 dual-stack server)
  • Hybrid Mode
    §  Leverages existing IPv4 infrastructure
    §  Allows a "slower" roll into IPv6 deployment
    §  Poor scalability and overall performance, no multicast support
    §  Tunneling everywhere "flattens" the network you have built
    (Diagram: same Access Block, Core Layer and Data Center Block as Dual Stack Mode, with dual-stack hosts and servers tunneled across the IPv4 infrastructure)
  • Service Block Mode
    §  Provides tighter control of where IPv6 is deployed
    §  Allows for reduced time to deliver IPv6 services
    §  Cost of SB equipment and its reuse in the network
    §  Eventually hits scalability and overall performance limits, no multicast support
    (Diagram: IPv4-only Campus Block (Access, Distribution, Core Layers) with ISATAP tunnels to an IPv6 Service Block; Data Center Block with servers; WAN/ISP Block to the Internet)
  • Host Configuration & Behavior
  • IPv6 Host Portion Address Assignment
    Similar to IPv4:
    §  Manually configured
    §  Assigned via DHCPv6
    New in IPv6:
    §  Stateless Address Auto Configuration (SLAAC) with EUI-64
    §  SLAAC with ephemeral (temporary) addressing
  • RA Message
    §  M-Flag – Stateful DHCPv6 to acquire an IPv6 address
    §  O-Flag – Stateless DHCPv6 in addition to SLAAC
    §  H-Flag – Mobile IP home agent
    §  Preference Bits – Low, Med, High
    §  Router Lifetime – Must be >0 for the router to be used as a default
    §  Options – Prefix Information, Prefix Length
    §  L bit – Only way a host learns an on-link prefix
    §  A bit – Set to 0 for DHCP to work properly
    Decoded RA:
        Type: 134 (RA)
        Code: 0
        Checksum: 0xff78 [correct]
        Cur hop limit: 64
        Flags: 0x84
            1... .... = Managed (M flag)
            .0.. .... = Not other (O flag)
            ..0. .... = Not Home (H flag)
            ...0 1... = Router pref: High
        Router lifetime (s): 1800
        Reachable time (ms): 3600000
        Retrans timer: 1000
        ICMPv6 Option 3 (Prefix Info)
            Prefix length: 64
            Flags: 0x80
                1... .... = On link (L bit)
                .0.. .... = No Auto (A bit)
            Prefix: 2001:0db8:4646:1234::
  • IPv6 on SLAAC
        C:\Documents and Settings>netsh
        netsh>interface ipv6
        netsh interface ipv6>show address
        Querying active state...
        Interface 5: Local Area Connection
        Addr Type  DAD State  Valid Life    Pref. Life    Address
        ---------  ---------  ------------  ------------  -----------------------------
        Temporary  Preferred  6d21h48m47s   21h46m        2001:0db8:2301:1:bd86:eac2:f5f1:39c1
        Public     Preferred  29d23h58m25s  6d23h58m25s   2001:0db8:2301:1:202:8aff:fead:a136
        Link       Preferred  infinite      infinite      fe80::202:8aff:fead:a136
        netsh interface ipv6>show route
        Querying active state...
        Publish  Type      Met  Prefix                 Idx  Gateway/Interface Name
        -------  --------  ---  ---------------------  ---  ----------------------
        no       Autoconf  8    2001:0db8:2301:1::/64  5    Local Area Connection
        no       Autoconf  256  ::/0                   5    fe80::20d:bdff:fe87:f6f9
    iPad & iPhone get a new temporary address per association.
  • IPv6 on DHCP
        mymac:# ifconfig -a
        en1: 8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
            ether 68:5b:35:88:53:74
            inet6 fe80::6a5b:35ff:fe88:5374%en1 prefixlen 64 scopeid 0x6
            inet 10.130.31.112 netmask 0xffffff00 broadcast 10.130.31.255
            inet6 2001:db8:4646:420:91d1:66f6:9913:4163 prefixlen 128
            nd6 options=1<PERFORMNUD>
        mymac:# netstat -r
        Destination                            Gateway                  Flags  Netif
        default                                fe80::5:73ff:fea0:d523   UGc    en1
        2001:db8:4646:420:68:5b:35:88:53:74                             UHL    lo0
    Windows 7 and Mac OS X use pseudo-random interface identifiers by default.
  • MSFT Transitional Adapters
        C:\>ipconfig
        Tunnel adapter ISATAP Adapter:        <- used within the administrative domain (IP protocol 41)
           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . : foo.com
        Tunnel adapter Teredo Adapter:        <- used behind RFC 1918 addresses (UDP 3544)
           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
        Tunnel adapter 6TO4 Adapter:          <- used with a global IPv4 address (IP protocol 41)
           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
    Can be disabled via Registry, GPO, PowerShell, etc.
  • RFC 6724 – Default Address Selection
    §  Scope; Preferred over Deprecated; Native over Transitional; Temporary over Public
    §  Must support an application override API; the choice of v6 over v4 is application dependent
    §  Give IPv6 a 300 ms head start (RFC 6555, Happy Eyeballs)
    (Diagram: Application Layer – IPv6/IPv4 lookup & connect, retrieve and display; TCP/UDP; IPv6 and IPv4; Network Interface Card; NCSI – Network Connection Status Indicator; host addresses: Temporary Preferred 2001:0db8:2301:1:bd86:eac2:f5f1:39c1, Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136, Link Preferred fe80::202:8a34:bead:a136)
  • Disabling Ephemeral Addressing
    §  Enable DHCPv6 via the M flag
    §  Disable auto configuration via the A bit in option 3
    §  Set router preference to high
    §  Enable DHCPv6 relay
        ipv6 unicast-routing
        !
        interface fastEthernet 0/0
         ipv6 address 2001:db8:1122:acc1::/64 eui-64
         ipv6 nd managed-config-flag
         ipv6 nd prefix default no-autoconfig
         ipv6 nd router-preference high
         ipv6 dhcp relay destination 2001:db8:add:cafe::1
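To check from the host side that an RA really carries the flag settings the RA Message slide describes and the configuration above produces (M=1, no prefix with A=1, high router preference), the following added example, not from the deck, decodes the RA fixed header of RFC 4861 section 4.2 and its Prefix Information option (section 4.6.2) from raw bytes. The sample packet is constructed; its flags byte is 0x88 because RFC 4191 places the Prf bits at 0x10/0x08, so M set plus Prf "01" (high) is 0x88.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
# RFC 4191: Prf occupies the two bits below the M/O/H flags (0x10 and 0x08)
ROUTER_PREF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


@dataclass
class PrefixInfo:
    prefix: str
    prefix_len: int
    on_link: bool       # L bit
    autonomous: bool    # A bit: 1 means hosts may SLAAC from this prefix
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvert:
    cur_hop_limit: int
    managed: bool       # M flag: stateful DHCPv6 for addresses
    other: bool         # O flag: stateless DHCPv6 for other configuration
    home_agent: bool    # H flag
    router_pref: str
    router_lifetime: int
    reachable_time: int
    retrans_timer: int
    prefixes: List[PrefixInfo] = field(default_factory=list)


def parse_ra(data: bytes) -> RouterAdvert:
    """Parse an ICMPv6 RA body (no IPv6 header); raises ValueError on malformed input."""
    if len(data) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    msg_type, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", data[:16])
    if msg_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvert(hop, bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20),
                      ROUTER_PREF[(flags >> 3) & 0b11], lifetime, reach, retrans)
    off = 16
    while off < len(data):                        # TLV options; length is in units of 8 octets
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 4.6: packet must be discarded
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("option runs past the end of the packet")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", data[off + 2:off + 12])
            prefix = str(ipaddress.IPv6Address(data[off + 16:off + 32]))
            ra.prefixes.append(PrefixInfo(prefix, plen, bool(pflags & 0x80), bool(pflags & 0x40),
                                          valid, preferred))
        off = end
    return ra


def is_well_formed_ra(data: bytes) -> bool:
    try:
        parse_ra(data)
        return True
    except ValueError:
        return False


def matches_dhcpv6_managed_policy(ra: RouterAdvert) -> bool:
    """The state the IOS config above advertises: usable default router, M=1, no prefix with A=1."""
    return ra.router_lifetime > 0 and ra.managed and not any(p.autonomous for p in ra.prefixes)


def build_sample_ra() -> bytes:
    """Constructed RA mirroring the slide's decode (checksum left as 0; flags 0x88 = M + Prf high)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0x88, 1800, 3600000, 1000)
    prefix = ipaddress.IPv6Address("2001:db8:4646:1234::").packed
    option = struct.pack("!BBBBII", OPT_PREFIX_INFO, 4, 64, 0x80, 2592000, 604800) + bytes(4) + prefix
    return header + option
```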
  • Campus
  • IGPs
    §  RIPng – UDP 521, 15 hops
       –  FE80::/64 source -> FF02::9 destination
    §  IS-IS – CLNS, wide metric, supports IPv4 & IPv6 (2 new TLVs added)
       –  Single Topology, Multi Topology, Multi Instance
    §  OSPFv3 – IP protocol 89
       –  FE80::/64 source -> FF02::5 (all), FF02::6 (DRs)
       –  Link-LSA (8) – link-local scope, next hop
       –  Intra-Area-Prefix-LSA (9) – the router's prefixes
       –  Inter-Area-Prefix-LSA (3) – between ABRs
    §  EIGRP – IP protocol 88
       –  FE80::/64 source -> FF02::A destination
       –  2 new TLVs – internal-type & external-type
       –  No split horizon, auto summary disabled
  • First Hop Router Redundancy Options
    §  HSRP for IPv6
       –  Modification to Neighbor Advertisement, Router Advertisement and ICMPv6 redirects
       –  Virtual MAC derived from the HSRP group # and the virtual IPv6 LLA
    §  Neighbor Unreachability Detection
       –  Rudimentary HA at the first hop that is slow to detect failures
       –  Hosts use the NUD "reachable time" (learned from the RA) to cycle to the next known default GW
    §  GLBP for IPv6
       –  Modification to Neighbor Advertisement; the default gateway is announced via RAs from the virtual MAC
       –  Active Virtual Gateway (AVG) assigns MACs, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)
    (Diagram: HSRP Active and Standby routers; GLBP AVG/AVF pair; host showing Default Gateway . . . : 10.121.10.1, fe80::211:bcff:fec0:d000%4, fe80::211:bcff:fec0:c800%4)
  • IPv6 QoS Policy & Syntax
    §  IPv4 syntax has used "ip" following match/set statements
       –  Example: match ip dscp, set ip dscp
    §  Modification in QoS syntax to support IPv6 and IPv4
    §  New match criteria: match dscp, match precedence
    §  New set criteria: set dscp, set precedence
    §  No change for IPv6 WRED, WRR, Policing
    (Diagram: Data, Voice and Video classes towards the Internet)
  • IPv6 Multicast Listener Discovery (MLD)
    §  MLD uses link-local source addresses
    §  3 message types: Query, Report, Done
    §  MLD packets use "Router Alert" in the Hop-by-Hop header
    §  MLDv1 = (*,G) shared, MLDv2 = (S,G) source
    §  MLD snooping

        MLD               IGMP               Message Type     ICMPv6 Type  Function
        MLDv1 (RFC 2710)  IGMPv2 (RFC 2236)  Listener Query   130          Used to find out if there are any multicast listeners
                                             Listener Report  131          Response to a query, joins a group
                                             Listener Done    132          Sent by a node to report it has stopped listening
        MLDv2 (RFC 3810)  IGMPv3 (RFC 3376)  Listener Query   130          Used to find out if there are any multicast listeners
                                             Listener Report  143          Enhanced reporting, multiple groups and sources
  • Zeroconf over IPv6
    §  Apple (Bonjour) has a lightweight approach, adopted quicker
    §  FF02::FB – Multicast DNS – mDNS
    §  Microsoft (Rally) has a more robust, heavier implementation, has moved slower
    §  FF02::C – Simple Service Discovery Protocol – SSDP, UPnP
    §  FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)
    (Diagram: Personal Computer Operating Systems – Windows, Mac OS X, Linux; Appliances & Networking – Printers, Access Points, Switches, Routers; AV Equipment – Speakers, Cameras, Displays, AV Receivers)
  • IPv6 Snooping / IPv6 First Hop Security (FHS)
    §  RA Guard – protection against rogue or malicious RAs and MiTM attacks
    §  DHCPv6 Guard – protection against invalid DHCP offers, DoS attacks and MiTM attacks
    §  Source/Prefix Guard – protection against invalid source addresses, invalid prefixes and source address spoofing
    §  Destination Guard – protection against DoS attacks, scanning and invalid destination addresses
    §  RA Throttler – reduces the control traffic necessary for proper link operations, to improve performance
    §  ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast
    (Diagram: features grouped as Core Features, Advanced Features, and Scalability & Performance, the last holding RA Throttler and ND Multicast Suppress)
  • First Hop Security for IPv6 Clients
    §  RA Guard – enabled at the AP by default, always on at the controller
    §  DHCPv6 Guard – blocks client-side DHCPv6 Advertise packets
    §  Source Guard – prevents client spoofing, enabled at the controller by default
    §  Address Accounting – RADIUS "Framed-IP-Address" attribute
    (Diagram: IPv6 VLAN on Ethernet, IPv6 over 802.11, RA delivered over 802.11)
  • Access Layer Configuration Example
    §  RA Guard Host & Router
       –  Host = RA/DHCP Guard, no Redirect
    §  IPv6 ND Inspection
       –  Incl. RA/DHCP Guard, Src/Dst Guard
        ipv6 snooping policy HOST
         tracking enable
         limit address-count 2
        !
        interface GigabitEthernet1/0/2
         switchport access vlan 200
         switchport mode access
         ipv6 snooping attach-policy HOST

        ipv6 nd raguard policy HOST
        ipv6 nd raguard policy ROUTER
         device-role router
        !
        interface vlan 200
         ipv6 nd raguard attach-policy HOST
        !
        interface GigabitEthernet1/0/0
         description Router Port
         ipv6 nd raguard attach-policy ROUTER
  • RA Throttle & ND Multicast Suppression
    §  Scaling the 802.11 multicast reliability issues
    §  The NDP process is multicast "chatty" and consumes airtime
    §  The controller rate-limits the periodic RAs while allowing RSs to flow
    §  Caching allows the controller to "proxy" the NA, based on gleaning
    (Diagram: hosts 00:24:56:75:44:33 / 2001:db8:0:20::2 and 00:24:56:11:93:28 / 2001:db8:0:20::4; an NS from one host is answered with a unicast NA by the controller instead of reaching the other host; periodic RAs)
  • IPv6 Mobility
    §  The roaming client must be able to receive the original router advertisement
    §  Controllers must be part of the same mobility group domain
    §  The anchor controller sends the RA to the foreign controller in the mobility tunnel
    §  The AP converts the multicast RA to an L2 unicast (MC2UC)
    (Diagram: routers R1 and R2; anchor and foreign controllers joined by a mobility tunnel; multicast RA at the anchor, unicast RA to the roaming client)
  • MPLS VPN
    §  6PE (RFC 4798)
       –  Utilizes the existing core with dual-stack PEs
       –  Uses the global route table for IPv6; an interim step
    §  6VPE (RFC 4659)
       –  Utilizes the IPv6 AF within the VRF context, allowing VPN functionality
       –  Equal architectural advantages with IPv4 VPN
    (Diagram: IPv4 core with LDP, IGP, TE, etc.; R1 sites 2001:db8:cafe:1::/64, 2001:db8:babe:1::/64, 2001:db8:d00d:1::/64; R4 sites 2001:db8:cafe:4::/64, 2001:db8:babe:4::/64, 2001:db8:d00d:4::/64)
  • Data Center
  • Migrating Applications to IPv6
    §  Home-grown apps may only support IPv4
    §  Some apps need to be rewritten – probably not going to happen
    §  Pressure vendors to move to a protocol-agnostic framework
    §  RFC 3493 – Basic Socket Interface Extensions; 64-bit structure alignment to HW
    §  RFC 3542 – Raw sockets: ping, traceroute, r commands
    §  Know whether your app displays or accepts an IPv6 address
    §  198.51.100.44:8080 -> [2001:db8:cafe:64::26]:8080
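The last two bullets are where IPv4-only code usually breaks: splitting "host:port" on the last colon misreads every IPv6 literal. The following added example, not from the deck, parses and formats endpoint literals in the bracketed form of RFC 3986 section 3.2.2, canonicalises IP literals (RFC 5952 text for IPv6) and leaves hostnames for getaddrinfo() (RFC 3493) to resolve; the function names are assumptions.

```python
import ipaddress
from typing import Tuple


def parse_endpoint(text: str) -> Tuple[str, int]:
    """Return (host, port) from '198.51.100.44:8080' or '[2001:db8:cafe:64::26]:8080'.

    IP literals come back in canonical form so two spellings of one address compare
    equal; a hostname is passed through untouched for the resolver.
    """
    text = text.strip()
    if text.startswith("["):                                   # bracketed IPv6 literal
        close = text.find("]")
        if close < 0 or not text[close + 1:].startswith(":"):
            raise ValueError(f"malformed IPv6 endpoint: {text!r}")
        literal, port_text = text[1:close], text[close + 2:]
        addr, _, zone = literal.partition("%")                 # keep a link-local zone id such as %en1
        host = str(ipaddress.IPv6Address(addr)) + (f"%{zone}" if zone else "")
    else:
        if text.count(":") != 1:                               # 0 colons: no port; 2+: unbracketed IPv6
            raise ValueError(f"IPv6 literals must be bracketed and a port is required: {text!r}")
        host, _, port_text = text.partition(":")
        try:
            host = str(ipaddress.IPv4Address(host))            # canonical dotted quad
        except ipaddress.AddressValueError:
            if not host:
                raise ValueError(f"empty host: {text!r}")
            # otherwise a plain hostname: left as-is
    if not port_text.isdigit() or not 0 < int(port_text) <= 65535:
        raise ValueError(f"bad port in {text!r}")
    return host, int(port_text)


def format_endpoint(host: str, port: int) -> str:
    """Inverse of parse_endpoint: bracket IPv6 literals, leave IPv4 and hostnames bare."""
    try:
        is_v6 = ipaddress.ip_address(host.partition("%")[0]).version == 6
    except ValueError:
        is_v6 = False
    return f"[{host}]:{port}" if is_v6 else f"{host}:{port}"


def is_valid_endpoint(text: str) -> bool:
    try:
        parse_endpoint(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("198.51.100.44:8080", "[2001:db8:cafe:64::26]:8080", "2001:db8:cafe:64::26:8080"):
        print(sample, "->", parse_endpoint(sample) if is_valid_endpoint(sample) else "rejected")
```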
  • IPv6 Readiness: Servers
    §  Hosts are ready
       –  Since Windows Vista: enabled by default; disabling it = no more support from Microsoft
       –  Mac OS X, iOS, Android, Linux, *BSD: enabled by default
    §  File & Print
       –  Dual stacked
       –  No WINS or NetBIOS over IPv6
    §  SQL Server
       –  IPv6 preferred
       –  Watch for v4 socket calls
    §  Server 2008/R2
       –  Needs Unified Access Server
    §  Server 2012
       –  Includes NAT64/DNS64
  • NDP Scaling Issues in the DC
    §  Large DCs with very dense host populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 "control" traffic
    §  One size will not fit all; tuning will require experimentation
    §  NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
    §  NUD Retry Interval: ipv6 nd nud retry base interval-in-milliseconds max-attempts
    §  Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds
    §  Unsolicited NA Glean: ipv6 nd na glean
    §  Glean rate limiter: mls rate-limit unicast cef glean <pps> <burst>
  • FCIPv6
    §  Tunnel protocol for Fibre Channel over an IP infrastructure
    §  RFC 4404 – Entity address size IPv4 (4) or IPv6 (16)
    §  MDS 9x00 Series
       –  out-of-order delivery, jumbo frames, traffic shaping, TCP optimization
  • iSCSI/VRRP for IPv6
    §  Same configuration requirements and operation as with IPv4
    §  Configure the VRRP address to be the same as the physical interface of the "primary"
  • Network Management
    §  SNMPv3 over IPv6 and managing IPv6 MIBs
    §  Protocol Version Independent (PVI) MIBs manage the same OIDs (RFCs 4292, 4293)
    §  NetFlow, Deep Packet Inspection, IP SLA all work with IPv6
    §  Wireshark, packet analysis, MRTG, NetFlow collectors, etc.
    (Diagram: DHCP – server supports IPv4 and IPv6, internal & external; DNS – server supports IPv4 & IPv6, standards compliant; IPAM – integrated DNS and DHCP, configuration and reporting; DNS Caching – DNSSEC caching, DNS64 support)
  • Anycast Address
    §  Servers also have a management IP address for other L3 functions
    §  Uses the same address in multiple locations
    §  Usually dual stacked and DHCP capable
    §  DNS server injects a /128 via OSPF
    (Diagram: DNS1, DNS2 and DNS3 all answer on 2001:db8:aa::21 out of 2001:db8:aa::; the client picks DNS1 at OSPF cost 10 over the others at cost 20 and 30)
  • Internet Edge
  • Internet Edge to ISP
    (Diagram: Single Link, Single ISP – enterprise with a default route to ISP 1; Dual Links, Single ISP – enterprise to POP1 and POP2 of ISP 1 over BGP; Multi-Homed – enterprise to ISP 1 and ISP 2 over BGP; Multi-Region – USA and Europe via ISP 3 and ISP 4, with an IPv6 tunnel across an IPv4-only ISP. Your ISP may not have IPv6 at the local POP.)
  • Internet Edge to ISP
    §  Do you support dual-stack peering?
    §  Do you have a separate SLA for IPv6?
    §  Do you support BGP peering over IPv6?
    §  Do you have a FULL IPv6 route table?
    §  What is the maximum prefix length?
    §  What about DNS…
    Hosted Cloud Service
    §  Maximum prefix length offered by the cloud provider?
    §  Access to the provisioning and billing portal over IPv6?
    §  Global IPv6 addressing for VMs in your environment?
    (Diagram: ISP-A and ISP-B; Routing, Switching, Services)
  • Edge Peering BGP
    §  BGP peering requires explicit configuration
    §  Use a /127 on point-to-point, /64 on multipoint
    §  MD5 shared secrets; IPsec could be used
    §  Controlling TTL, accepting TTL >254 only (allow -1)
    §  Path, prefix size limits and filtering
    (Diagram: ISP-A peerings over 2001:db8:cafe:102::/127 (::2, ::3) and 2001:db8:cafe:103::/64 (::1 through ::7))
        router bgp 200
         bgp router-id 2.2.2.2
         neighbor 2001:DB8:cafe:102::2 remote-as 2112
         neighbor 2001:DB8:cafe:102::2 ttl-security hops 1
         neighbor 2001:DB8:cafe:102::2 password cisco123
         ! IPv6 prefixes are only exchanged once the peer is activated in the IPv6 address family
         address-family ipv6 unicast
          neighbor 2001:DB8:cafe:102::2 activate
         exit-address-family
  • Dual Stack the Internet Edge
    §  Most design elements should be like IPv4
    §  No translation in this design
    §  Single ISP or multi-ISP will change BGP slightly
    §  Keep a careful eye on limitations in SW/HW and/or security details
    §  You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
    §  Dual stack along the traffic flow from client to server
    §  LISP (Locator/ID Separation Protocol) as a means to deal with non-IPv6-capable ISPs
    (Diagram: ISP 1 and ISP 2 on the Internet; Enterprise Edge Router, Outer Switch, Security Services, Inner switching/SLB/Proxy/Compute; Enterprise Core with Web, Email and other internal services)
  • Translation Techniques
    (Diagram: Server Load Balancer – IPv6 Internet to IPv4 servers, application support; Stateful NAT64 – IPv6 client to IPv4, client visibility; Proxy – IPv6 to IPv4 in SW = poor performance; IPv4 Internet and IPv6 Internet)
  • IPv6/IPv4 Translation
    §  Easy to get – router, firewall, SLB, proxies
    §  Instantly hooked – fastest path to delivering apps over IPv6
    §  Both methods are useful, with caution
    §  Need to examine the best location for translation
    §  Put translation as deep into the DC/IE as possible (get full visibility of IPv6)
    (Diagram: SLB64 – v6 clients to v4 servers; Stateful NAT64 – v6 to v4; NAT64 on routers/ASA)
  • SLB64 – Citrix NetScaler
    §  OS/App dictate design parameters
    §  Time to deploy
    §  IPv6 north of the SLB boundary
    §  IPv4 south
    §  Translation & SLB are done on the same platform
    (Diagram: ISP-A and ISP-B, Enterprise Core, N5k, UCS servers, WWW servers)
  • X-Forwarded-For (XFF)
    §  Source IP of client requests will be logged as the SNAT or other NATed address
    §  You want to log the real source address – X-Forwarded-For (XFF) in HTTP
        cisco@ie-web-01:/$ tail -f /var/log/apache2/access.log
        10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)"
        Hypertext Transfer Protocol
            GET / HTTP/1.1\r\n
            x-forward: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n
    ACE policy map ("%is" = source IP address):
        serverfarm WEB_V6_V4_SF
         insert-http x-forward header-value "%is"
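The inserted header is only trustworthy on the hop behind the SLB, since any client can send its own copy. The following added example, not from the deck, shows how the web tier should recover the real client address: parse the access log line shown above, honour the x-forward value only when the TCP peer is inside the SLB's SNAT range, take the rightmost entry if a chain is present, and discard anything that is not an IP address. The trusted SNAT range and the helper names are constructed assumptions; the user agent in the sample line is abbreviated.

```python
import ipaddress
import re
from typing import Optional

# Constructed assumption: the SLB/SNAT pool whose inserted header we are willing to believe
TRUSTED_PROXIES = [ipaddress.ip_network("10.140.19.0/24")]

# Apache combined log: peer ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The access.log line from the slide (user agent abbreviated)
SAMPLE_LOG_LINE = (
    '10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"'
)


def parse_access_line(line: str) -> dict:
    """Pull the fields we need out of one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    return {"peer": m["peer"], "timestamp": m["ts"], "request": m["request"], "status": int(m["status"])}


def client_address(peer: str, forwarded: Optional[str]) -> str:
    """Address to log and to enforce policy on.

    The header is only honoured when the TCP peer is one of our SLBs; from anyone
    else it is attacker-controlled text. If the client sent its own copy, the
    SLB's value is appended after it, so the rightmost entry is the SLB's.
    A value that does not parse as an IP address is dropped, not logged.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not forwarded or not any(peer_ip in net for net in TRUSTED_PROXIES):
        return str(peer_ip)
    candidate = forwarded.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer_ip)


def effective_client(line: str, forwarded: Optional[str]) -> str:
    """What a log enricher should record as the client for this request."""
    return client_address(parse_access_line(line)["peer"], forwarded)


if __name__ == "__main__":
    print(effective_client(SAMPLE_LOG_LINE, "2001:db8:ea5e:1:49fa:b11a:aaf8:91a5"))
```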
  • NAT64
    §  Stateless NAT (~ASA static)
       –  RFC 6145 (IP/ICMP Translation Algorithm)
       –  Consumes an IPv4 address for each IPv6-only device
    §  Stateful NAT (~ASA dynamic)
       –  RFC 6146 (Framework for IPv4/IPv6 Translation)
       –  Can aggregate many IPv6 users to a single (or more) IPv4 address
       –  Used mainly where IPv6-only clients need to access IPv4 servers
       –  Only supports IPv6-initiated flows
       –  Works like IPv4-to-IPv4 PAT: a translation table is required
    §  TCP/UDP/ICMP unicast traffic only
    (Diagram: IPv4 header fields – Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address – beside IPv6 header fields – Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address)
  • IPv6 Bogon and Anti-Spoofing Filtering
    §  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
    §  Anti-spoofing (RFC 2827, BCP 38), multi-homed filtering (RFC 3704, BCP 84)
    §  uRPF – Unicast Reverse Path Forwarding
    (Diagram: IPv6 intranet, inter-networking device with uRPF enabled, IPv6 intranet/Internet; no route to the source address => drop)
  • Securing the Edge, FW and/or Perimeter Router
    §  Address Range
       –  Source of 2000::/3 at minimum vs. "any"; permit assigned space
    §  ICMPv6
       –  Error types through, NDP to the device, per RFC 4890
    §  Extension Headers
       –  Allow Fragmentation, others as needed. Block HBH & RH type 0
    §  IPv6 ACLs
  • Key Take Away
    §  Gain operational experience now
    §  Security enforcement is possible
    §  Control IPv6 traffic as you would IPv4
    §  "Poke" your providers
    §  IPv6 is here now – are you?
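An added example, not from the deck, that models the rules of this slide and the bogon/anti-spoofing slide before it as one policy function over constructed packets: the source must fall in 2000::/3 and outside a bogon list, strict uRPF requires the route back to the source to point at the ingress interface, Routing Header type 0 and Hop-by-Hop are dropped while fragments pass, and only the RFC 4890 error and echo ICMPv6 types transit the edge. The bogon list, route table, interface names and packet fields are constructed assumptions (the bogon entries are a small sample, not the Team Cymru list).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Constructed sample of prefixes inside 2000::/3 that must never appear as sources
# (benchmarking, ORCHID, retired 6bone); production pulls the current list from the slide's URL
BOGONS = [ipaddress.IPv6Network(p) for p in ("2001:2::/48", "2001:10::/28", "3ffe::/16")]
# RFC 4890 4.3.1: error messages and echo that should transit a firewall
ALLOWED_ICMPV6_TRANSIT = {1, 2, 3, 4, 128, 129}
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6 = 0, 43, 44, 58
# Constructed routing table for the uRPF check: prefix -> interface the route points at
ROUTES: Dict[ipaddress.IPv6Network, str] = {
    ipaddress.IPv6Network("2001:db8:cafe::/48"): "inside",   # the enterprise's own space
    ipaddress.IPv6Network("::/0"): "outside",
}


@dataclass
class Packet:
    src: str
    dst: str
    next_header: int
    ingress: str = "outside"
    icmp_type: Optional[int] = None
    routing_type: Optional[int] = None


def route_interface(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Longest-prefix match over ROUTES; None when there is no route back to addr."""
    best: Optional[ipaddress.IPv6Network] = None
    for net in ROUTES:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return ROUTES[best] if best is not None else None


def edge_verdict(pkt: Packet) -> str:
    """'permit' or 'drop: <reason>' for a packet arriving at the Internet edge."""
    src = ipaddress.IPv6Address(pkt.src)
    # 1. Address range: global unicast sources only, minus known bogons
    if src not in GLOBAL_UNICAST:
        return "drop: source outside 2000::/3"
    if any(src in bogon for bogon in BOGONS):
        return "drop: bogon source"
    # 2. Strict uRPF (BCP 38/84): the return path must be the interface the packet came in on,
    #    which catches internal prefixes arriving from outside and foreign sources leaving inside
    if route_interface(src) != pkt.ingress:
        return "drop: uRPF, no route to source via ingress"
    # 3. Extension headers: RH0 and HBH blocked, fragments allowed through
    if pkt.next_header == NH_ROUTING and pkt.routing_type == 0:
        return "drop: routing header type 0"
    if pkt.next_header == NH_HOP_BY_HOP:
        return "drop: hop-by-hop header"
    # 4. ICMPv6: only the RFC 4890 transit set crosses the edge
    if pkt.next_header == NH_ICMPV6 and pkt.icmp_type not in ALLOWED_ICMPV6_TRANSIT:
        return "drop: icmpv6 type not permitted through the edge"
    return "permit"


if __name__ == "__main__":
    for sample in (Packet("2001:db8:1::10", "2001:db8:cafe::80", 6),
                   Packet("2001:db8:cafe::5", "2001:db8:1::1", 6, ingress="outside"),
                   Packet("2001:db8:1::10", "2001:db8:cafe::80", NH_ROUTING, routing_type=0)):
        print(sample.src, "->", edge_verdict(sample))
```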