Professional Documents
Culture Documents
Session ID-BRKRST-2301
Reference Materials
New/Updated IPv6 Cisco Sites: http://www.cisco.com/go/ipv6 http://www.cisco.gom/go/entipv6
Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterpri se/Campus/CampIPv6.html Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ ns742/ns816/landing_br_ipv6.html
BRKRST-2301
Cisco Public
Recommended Reading
Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah ISBN0470193387, John Wiley & Sons Publications
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Available Now!!
3
Agenda
IPv6 Activity in the Enterprise
Planning and Deployment Summary IPv6 Address Considerations
Growth/Protection Partnership
Enterprise that is or will be expanding into new markets Address exhaustion Enterprise that partners with other companies/organizations doing IPv6 Governments, enterprise partners, contractors
Internal Pressure
Mergers & Acquisitions NAT Overlap High Density Virtual Machine environments (Server virtualization, VDI) SmartGrid
BRKRST-2301
Cisco Public
We already know this is too conservative: APNIC went into Stage 3 mid-April 2011
20
10 0
Jan 2011 Jul 2011 IANA Jan 2012 Jul 2012 Jan 2013 RIPENCC Jul 2013 ARIN Jan 2014 Jul 2014 Jan 2015 AFRINIC Jul 2015
APNIC
LACNIC
This is a growing issue and IPv6 ends up being a perfect tool for resolving the technical issues
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sub-Company 1
.3
IPv6 enables the network to provide access to services between sites 10.0.0.0 address space
Corp HQ
2001:DB8:1:2::3 10.0.0.0 address space .21 .3
Corporate Backbone
Sub-Company 2
2001:DB8:1:3::21
2001:DB8:1:1::3
Build an overlay network to encapsulate IPv6 over IPv4 IPv6 is deployed only at those sites and for specific hosts that need end-to-end routability between entities Can be very operationally difficult to maintain in large environments May be a show stopper if you have to get a lot of tunnels past a bunch of IPv4 NAT
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
10
Sub-Company 1
10.0.0.0 address space
.3
Corp HQ
2001:DB8:1:2::3 Dual 10.0.0.0 address space .21 .3
Stack
Corporate Backbone
Sub-Company 2
2001:DB8:1:3::21
Dual Stack
2001:DB8:1:1::7
Combine overlay network with dual stack Build as much dual stack as you can tunnel only when you have to You wont want to keep this up forever goal is dual stack to all places that need end-to-end connectivity between sites/orgs
BRKRST-2301
Cisco Public
11
Sub-Company 1
10.0.0.0 address space
Corporate Backbone
Sub-Company 2 Dual Stack Dual Stack Dual Stack Dual stack everywhere there is nothing else to say ;-) We will discuss the deployment of dual stack and other end-to-end considerations for the rest of this talk
BRKRST-2301
Cisco Public
12
Preliminary Research
Pilot/Early Deployment
Is it real? Do I need to deploy everywhere? Equipment status? SP support? Addressing What does it cost?
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Still fighting vendors Content and wide-scale app deployment Review operational cost of 2 stacks Competitive/Strategic advantages of new environment
14
Optimize
Plan
Operate
Design
Implement
15
Deployment Phases
Transport considerations for integration Internet Edge (ISP, Apps) Campus IPv6 integration options Data Center integration options WAN IPv6 integration options Execute on gaps found in assessment
BRKRST-2301
Cisco Public
16
Where do I start?
Based on Timeframe/Use case Core-to-Edge Fewer things to touch
Campus Block
WAN
Servers
Branch
Branch
BRKRST-2301
Cisco Public
17
IPv6 Addresses
IPv6 addresses are 128 bits long
Segmented into 8 groups of four HEX characters Separated by a colon (:)
Global Unicast Identifier Example
Network Portion
Interface ID
gggg:gggg:gggg:ssss: ssss:
Global Routing Prefix n <= 48 bits Subnet ID 64 n bits
xxxx:xxxx:xxxx:xxxx
Host Full Format
Abbreviated Format
BRKRST-2301
Cisco Public
19
2000::/3
2000::/3
/12
Registries
/12
/32
ISP
Org
/48
/48
BRKRST-2301
Cisco Public
20
ISP
2001:DB8:0002:0001::/64 2001:DB8:0002:0002::/64
2001:DB8:0001::/48 Site 2
2001:DB8:0002::/48
Default is /48 can be larger: https://www.arin.net/resources/request/ipv6_add_assign.html Provider independent See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html
BRKRST-2301
Cisco Public
21
ULA + Global allows for the best of both worlds but at a price much more address management with DHCP, DNS, routing and securitySAS does not always work as it should Global-onlyRecommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option
BRKRST-2301
Cisco Public
22
Routing/security control
You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is the only way the ULA scope can be enforced
23
ULA-Only
Internet Branch 1
Global 2001:DB8:CAFE::/48
NAT66 Required
Corp HQ
FD9C:58ED:7D73:2800::/64
Branch 2
Corporate Backbone
ULA Space FD9C:58ED:7D73::/48
FD9C:58ED:7D73:3000::/64
FD9C:58ED:7D73::2::/64
Everything internal runs the ULA space A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation (NPTv6) Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
24
Not Recommended
ULA + Global
Internet Branch 1
Global 2001:DB8:CAFE::/48
Corp HQ
FD9C:58ED:7D73:2800::/64 2001:DB8:CAFE:2800::/64
Branch 2
Corporate Backbone
ULA Space FD9C:58ED:7D73::/48 Global 2001:DB8:CAFE::/48
FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64
FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64
Both ULA and Global are used internally except for internal-only hosts Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally In theory, ULA talks to ULA and Global talks to GlobalSAS should work this out ULA-only and Global-only hosts can talk to one another internal to the network Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields Management NIGHTMARE for DHCP, DNS, routing, security, etc
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
25
ConsiderationsULA + Global
Use DHCPv6 for ULA and Globalapply different policies for both (lifetimes, options, etc..) Check routability for bothcan you reach an AD/DNS server regardless of which address you have? Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.) If using SLAAC for bothMicrosoft Windows allows you to enable/disable privacy extensions globallythis means you are either using them for both or not at all!!! One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)
Temporary Dhcp Other Preferred Preferred Preferred 6d23h59m55s 23h59m55s 2001:db8:cafe:2:cd22:7629:f726:6a6b 13d1h33m55s 6d1h33m55s fd9c:58ed:7d73:1002:8828:723c:275e:846d infinite infinite fe80::8828:723c:275e:846d%8
Unlike Global and link-local scopes ULA is not automatically controlled at the appropriate boundaryyou must prevent ULA prefix from going out or in at your perimeter SAS behavior is OS dependent and there have been issues with it working reliably
BRKRST-2301
Cisco Public
26
interface Vlan2 description ACCESS-DATA-2 ipv6 address 2001:DB8:CAFE:2::D63/64 ipv6 address FD9C:58ED:7D73:1002::D63/64 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
DHCPv6 Server 2001:DB8:CAFE:11::9
BRKRST-2301
Cisco Public
27
Recommended
Global-Only
Internet Branch 1
Global 2001:DB8:CAFE::/48
Corp HQ
2001:DB8:CAFE:2800::/64
Branch 2
Corporate Backbone
Global 2001:DB8:CAFE::/48
2001:DB8:CAFE:3000::/64
2001:DB8:CAFE:2::/64
Global is used everywhere No issues with SAS No requirements to have NAT for ULA-to-Global translationbut, NAT may be used for other purposes
28
Alternatively, use DHCP (see later) to a specific pool Randomized address are generated for non-temporary autoconfigured addresses including public and link-local used instead of EUI-64 addresses Randomized addresses engage Optimistic DADlikelihood of duplicate LL address is rare so RS can be sent before full DAD completion Windows Vista/W7/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is ok) Privacy extensions are used with SLAAC
BRKRST-2301
Cisco Public
29
64 bits
Recommended by RFC3177 and IAB/IESG
> 64 bits
Address space conservation Special cases: /126valid for p2p /127valid for p2p if you are careful (draft-kohno-ipv6prefixlen-p2p-xx/(RFC3627)) /128loopback Must avoid overlap with specific addresses: Router Anycast (RFC3513) Embedded RP (RFC3956) ISATAP addresses
Cisco Public
/64 + /126
64 on host networks
126 on P2P
/64 + /127
64 on host networks 127 on P2P
BRKRST-2301
What happens to route filters? ACLs?Nothing, unless you are blocking to/from the router itself Stuff to think about:
Always use a RID Some Cisco devices require ipv6 enable on the interface in order to generate and use a link-local address
Enable the IGP on each interface used for routing or that requires its prefix to be advertised
BRKRST-2301
Cisco Public
31
ipv6 unicast-routing ! interface Loopback0 ipv6 address 2001:DB8:CAFE:998::1/128 ipv6 eigrp 10 ! interface Vlan200 ipv6 address 2001:DB8:CAFE:200::1/64 ipv6 eigrp 10 ! interface GigabitEthernet1/1 ipv6 enable ipv6 eigrp 10 !
ipv6 unicast-routing ! interface Loopback0 ipv6 address 2001:DB8:CAFE:998::2/128 ipv6 eigrp 10 ! interface GigabitEthernet3/4 ipv6 eigrp 10 !
interface GigabitEthernet1/2
ipv6 eigrp 10 ! ipv6 router eigrp 10 router-id 10.99.8.2
no shutdown
IPv6-EIGRP neighbors for process 10 Link-local address: FE80::212:D9FF:FE92:DE77 Gi1/2
BRKRST-2301
Cisco Public
32
BRKRST-2301
Cisco Public
33
34
Solicit(IA_NA)
Relay-Forw(Solicit(IA_NA)) Relay-Repl(Advertise(IA_NA(addr)))
Advertise(IA_NA(addr)) Request(IA_NA)
Relay-Forw(Request(IA_NA)) Relay-Repl(Reply(IA_NA(addr)))
Reply(IA_NA(addr))
Reply(IA_NA(addr))
Reply(IA_NA(addr))
BRKRST-2301
Cisco Public
35
CNR/W2K8DHCPv6
BRKRST-2301
Cisco Public
36
BRKRST-2301
Cisco Public
37
BRKRST-2301
Cisco Public
38
Enable IPv6 on the recursive resolver so that it responds to DNS requests over IPv6 as well as IPv4.
Enable IPv6 on the node that sends queries so that it can send DNS requests to the recursive resolver.
Configure the stub resolver on the node that sends queries so that it uses IPv6 to send DNS queries, either statically or using Dynamic Host Configuration Protocol Version 6 (DHCPv6). Review policies for flows and make sure that both TCP/53 and UDP/53 can be accessed over IPv4 and IPv6
BRKRST-2301
Cisco Public
39
HSRP Active
HSRP Standby
track 2 interface FastEthernet0/0 line-protocol interface FastEthernet0/1 ipv6 address 2001:DB8:66:67::2/64 standby version 2 standby 2 ipv6 autoconfig standby 2 timers msec 250 msec 800 standby 2 preempt standby 2 preempt delay minimum 180 standby 2 authentication cisco standby 2 track 2 decrement 10
UGDA
1024
0 eth2
BRKRST-2301
Cisco Public
41
PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast RP Deployment: Static, Embedded
S
DR RP DR
BRKRST-2301
Cisco Public
42
MLD snooping
BRKRST-2301
Cisco Public
43
Additional support for IPv6 does not always require new Command Line Interface (CLI)
ExampleWRED
BRKRST-2301
Cisco Public
44
000d.6084.2c7a
16 000d.6084.2c7a 16 000d.6084.2c7a
Full internet route tablesensure to account for TCAM/memory requirements for both IPv4/IPv6not all vendors can properly support both Multiple routing protocolsIPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present Control plane impact when using tunnelsterminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)
BRKRST-2301
Cisco Public
45
Infrastructure Deployment
Start Here: Cisco IOS Software Release Specifics for IPv6 Features http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6roadmap.html
Tunneling Services
IPv4 over IPv6 IPv6 over IPv4
Translation Services
IPv4
IPv6
Business Partners Government Agencies International Sites Remote Workers Internet consumers
47
Campus
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
HybridDual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
ProLeverage existing gear and network design (traditional L2/L3 and routed access) ConTunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast
IPv6 Service BlockA new network block used for interim connectivity for IPv6 overlay network
ProSeparation, control and flexibility (still supports traditional L2/L3 and routed access) ConCost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast
BRKRST-2301
Cisco Public
49
Access Layer
L2/L3
Distribution Layer
Dual Stack
Dual Stack
v6Enabled
v6Enabled
Core Layer
v6-Enabled
v6-Enabled
Expect to run the same IGPs as with IPv4 *check HW limitations in non-E/X/C series
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dual-stack Server 50
BRKRST-2301
Cisco Public
51
BRKRST-2301
Cisco Public
52
BRKRST-2301
Cisco Public
53
ipv6 router ospf 1 auto-cost reference-bandwidth 10000 router-id 10.122.0.25 log-adjacency-changes area 2 stub no-summary passive-interface Vlan2 area 2 range 2001:DB8:CAFE:xxxx::/xx timers spf 1 5
Cisco Public
54
Legacy Design
Access Layer
L2/L3
NOT v6Enabled
ISATAP
ISATAP
Leverages existing network Offers natural progression to full dual-stack design May require tunneling to less-than-optimal layers (i.e. core layer) Any sizable deployment will be an operational management challenge ISATAP creates a flat network (all hosts on same tunnel are peers) Provides basic HA of ISATAP tunnels via old Anycast-RP idea
NOT v6Enabled
Distribution Layer
v6Enabled
v6Enabled
Core Layer
Dual Stack
Dual Stack
v6-Enabled
v6-Enabled
BRKRST-2301
Cisco Public
55
2.
1
Access Block
2
Data Center Block
BRKRST-2301
Cisco Public
56
In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
BRKRST-2301
Cisco Public
57
NOT v6Enabled
NOT v6Enabled
Distribution Layer
Use IGP to prefer one core switch over another (both v4 and v6 routes)deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) Works like Anycast-RP with IPmc
v6Enabled
v6Enabled
Core Layer
Dual Stack
Dual Stack
v6-Enabled
v6-Enabled
BRKRST-2301
Cisco Public
58
ISATAP Secondary
interface Tunnel2 ipv6 address 2001:DB8:CAFE:2::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 tunnel source Loopback2 tunnel mode ipv6ip isatap ! interface Tunnel3 ipv6 address 2001:DB8:CAFE:3::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 tunnel source Loopback3 tunnel mode ipv6ip isatap ! interface Loopback2 ip address 10.122.10.102 255.255.255.255 delay 1000 ! interface Loopback3 ip address 10.122.10.103 255.255.255.255 delay 1000
Cisco Public
59
To influence IPv4 routing to prefer one ISATAP tunnel source over anotheralter delay/cost or mask length Lower timers (timers spf, hello/hold, dead) to reduce convergence times Use recommended summarization and/or use of stubs to reduce routes and convergence times
Set RID to ensure redundant loopback addresses do not cause duplicate RID issues
Cisco Public
IPv4EIGRP
router eigrp 10 eigrp router-id 10.122.10.3
IPv6OSPFv3
ipv6 router ospf 1 router-id 10.122.10.3
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved.
60
Before Failure
dist-1#show ip route | b 10.122.10.102/32 D 10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27
After Failure
dist-1#show ip route | b 10.122.10.102/32 D 10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28
BRKRST-2301
Cisco Public
61
10.120.3.101
IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2 Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
62
Access
Distribution
Tunnel
Tunnel
Core
Aggregation
ipv6 eigrp 10
tunnel source Loopback3 tunnel destination 172.16.2.1 tunnel mode ipv6ip
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved.
ipv6 cef
! interface Loopback3 ip address 172.16.1.1 255.255.255.252
Cisco Public
63
64
Provides ability to rapidly deploy IPv6 services without touching existing network Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations) Get lots of operational experience with limited impact to existing environment Ideal for Pilot Similar challenges as Hybrid Model Lots of tunneling Configurations are very similar to the Hybrid Model
ISATAP tunnels from PCs in access layer to service block switches (instead of core layerHybrid)
Access Layer
ISATAP
Dedicated FW
2
Internet
Core Layer
1) Leverage existing ISP block for both IPv4 and IPv6 access 2) Use dedicated ISP connection just for IPv6Can use IOS Zone FW or ASA
IOS FW
1
WAN/ISP Block Data Center Block
Cisco Public
65
Service Block Use VSS as the SB pair again, GREATLY simplified configuration and decrease convergence times!!
BRKRST-2301
Cisco Public
66
Internet-facing Data Center Most of the internal and Internet DC considerations are the same
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
68
IP-is-IP minor syntax changes based on different platforms between campus & data center
Check for the features you need, platform support, performance capabilities Same stuff you do for any new platform you invest in
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
69
BRKRST-2301
Cisco Public
70
vsan 1
zone default-zone permit vsan 1 zone name iscsi-zone vsan 1 member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com member pwwn 21:00:00:10:86:10:46:9c member pwwn 24:01:00:0d:ec:24:7c:42 member symbolic-nodename iscsi-atto-target zone name Generic vsan 1 member pwwn 21:00:00:10:86:10:46:9c zoneset name iscsi_zoneset vsan 1 member iscsi-zone zoneset name Generic vsan 1 member Generic
BRKRST-2301
Cisco Public
71
MDS-2
interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::6/64 no shutdown
vrrp ipv6 1
address 2001:db8:cafe:12::5 no shutdown
mds-2# show vrrp ipv6 vr 1 Interface GigE2/1 VR IpVersion Pri 1 IPv6 100 Time Pre State 100cs backup VR IP addr 2001:db8:cafe:12::5 ------------------------------------------------------------------
BRKRST-2301
Cisco Public
72
TYPE N N
PWWN 21:00:00:10:86:10:46:9c
--------------------------------------------------------------------24:01:00:0d:ec:24:7c:42 (Cisco)
Cisco Public
SAN-OS 3.xFCIP(v6)
fcip profile 100 ip address 2001:db8:cafe:50::1 tcp max-bandwidth-mbps 800 min-availablebandwidth-mbps 500 round-trip-time-us 84 ! interface fcip100 use-profile 100 peer-info ipaddr 2001:db8:cafe:50::2
use-profile 100
peer-info ipaddr 2001:db8:cafe:50::1 ! interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::2/64
!
interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::1/64
BRKRST-2301
Cisco Public
74
Static configuration
netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.
netsh interface ipv6>sh add Querying active state... Interface 10: Local Area Connection
Addr Type
--------Manual Public
DAD State
Duplicate Preferred
Valid Life
infinite 29d23h59m21s
Pref. Life
Address
75
Intel now supports IPv6 with Express, ALB, and AFT deployments
Intel statement of support for RLBReceive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.
BRKRST-2301
Cisco Public
76
Microsoft Vista/W7/Server 2008 allows for a command line change to reduce the DAD transmits value from 1 to 0
netsh interface ipv6 set interface 19 dadtransmits=0
Linux
# sysctl -w net/ipv6/conf/bond0/dad_transmits=0 net.ipv6.conf.eth0.dad_transmits = 0
BRKRST-2301
Cisco Public
77
. :
Autoconfiguration IP Address. . . : 169.254.25.192 Subnet Mask . . . . . . . . . . . : 255.255.0.0 IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11 Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11 Ethernet adapter LAN: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 10.89.4.230 Subnet Mask . . . . . . . . . . . : 255.255.255.0 IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2 IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12 Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12
BRKRST-2301
Cisco Public
78
Interface 13: TEAM-1 Addr Type --------Public Link DAD State Preferred Preferred Valid Life 4m11s infinite Pref. Life Address
BRKRST-2301
Cisco Public
79
Deployment of translation
NAT64 (Stateful for most enterprises) Apache Reverse Proxy Windows Port Proxy 3rd party proxy solutions
80
Virtualization & Applications VMware vSphere 4.1 Microsoft Exchange 2007 SP1/2010 Apache/IIS Web Services Windows Media Services
Red Hat
Ubuntu The list goes on
81
v6
v6
v6
v6
v4
v4
v6 v4
v4 server
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
82
NAT64
Lots of RFCs to check out:
RFC 6144 Framework for IPv4/IPv6 Translation RFC 6052 IPv6 Addressing of IPv4/IPv6 Translators RFC 6145 IP/ICMP Translation Algorithm RFC 6146 Stateful NAT64 RFC 6147 DNS64
Stateful What we are after for translating IPv6-only hosts to IPv4-only host(s)
It is what it sounds like keeps state between translated hosts Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc) This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)
BRKRST-2301
Cisco Public
83
10.121.12.70
interface GigabitEthernet0/0/0 description to 6k-dmz-1 Outside no ip address ipv6 address 2001:DB8:CAFE:5555::1/64 ipv6 eigrp 10 nat64 enable ! interface GigabitEthernet0/0/1 description to 6k-dmz-1 Inside ip address 10.121.220.1 255.255.255.0 nat64 enable
BRKRST-2301
ipv6 ASR access-list EDGE_ACL permit ipv6 any host 2001:DB8:CAFE:BEEF::46 permit ipv6 any host 2001:DB8:CAFE:BEEF::48 !
Cisco Public
84
NAT64 Translations
ASR1k#sh nat64 translations Proto Original IPv4 Translated IPv6 ----tcp tcp tcp tcp tcp tcp 10.121.13.52 --10.121.12.70 --10.121.12.70:443 10.121.55.1:1030 10.121.12.70:443 10.121.55.1:1029 10.121.12.70:443 10.121.55.1:1028 10.121.12.70:443 10.121.55.1:1024 10.121.12.70:443 10.121.55.1:1025 10.121.12.70:443 10.121.55.1:1026 Translated IPv4 Original IPv6 2001:db8:cafe:beef::48 --2001:db8:cafe:beef::46 --[2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53601 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53600 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53599 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53593 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53596 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53597
Reference
----------------------------------------------------------------------------
Static Entries
tcp
10.121.12.70:80
10.121.55.1:1027
[2001:db8:cafe:beef::46]:80
[2001:db8:cafe:10::16]:53598
BRKRST-2301
Cisco Public
85
ASR1k#show nat64 statistics Sessions found: 171 Sessions created: 3 Global Stats:
NAT64 Statistics
Reference
Packets translated (IPv4 -> IPv6) Stateless: 0 Stateful: 100 Packets translated (IPv6 -> IPv4) Stateless: 0 Stateful: 74 Interface Statistics GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured): Packets translated (IPv6 -> IPv4) Stateless: 0 Stateful: 74 GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured): Packets translated (IPv4 -> IPv6) Stateful: 100 Dynamic Mapping Statistics v6v4
Netstat - Proxy
2001:db8:cafe:12::5 Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 10.121.11.125:40475 10.121.11.60:80 ESTABLISHED tcp 0 0 10.121.11.125:40476 10.121.11.60:80 ESTABLISHED tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54640 ESTABLISHED tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54641 ESTABLISHED
10.121.11.125 Apache One-Arm Apache DualAttached TCP TCP IPv4-only Web Server <VirtualHost *:80> ProxyPass / http://10.121.11.60:80/ ProxyPassReverse / 2011 Cisco and/or its affiliates. All rights reserved. http://10.121.11.60:80/ BRKRST-2301
Cisco Public
Netstat - Server
10.121.11.125:40475 10.121.11.125:40476 ESTABLISHED ESTABLISHED
10.121.11.60:80 10.121.11.60:80
87
Outside traffic comes in on IPv6PortProxy to v4 (VIP address on ACE) Traffic is IPv4 to server
BRKRST-2301
Cisco Public
88
PortProxy Configuration/Monitoring
netsh interface portproxy>sh all Listen on ipv6: Address Port Connect to ipv4: Address 10.121.5.20 Port 80
adsf
--------------- ----------
Foreign Address
State
TCP
TCP
10.121.12.25:58141
10.121.5.20:http
ESTABLISHED
ESTABLISHED
[2001:db8:cafe:12::25]:80
[2001:db8:cafe:10::17]:52047
conn-id 14 13
BRKRST-2301
Cisco Public
89
PortProxy Performance
Throughput Example
HTTP Throughput Comparison - Direct vs. PortProxy
247.2
250
200
192
206.4
Throughput (Mbps)
Direct v6-v6
150
100
50
download-1gig (1.2G)
BRKRST-2301
Cisco Public
90
PortProxy Performance
CPU Utilization on PortProxy Server
BRKRST-2301
Cisco Public
91
Dual stack the same network you have If not, do just enough IPv6-only to get you going Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
Edge Router
ISP 1
ISP 2
Outer Switch
Security Services
Enterprise Core
DMZ/Server Farm
Internal Enterprise
BRKRST-2301
Cisco Public
92
Stateful NAT64
IPv6 Internet
IPv6 -Apache -MSFT PortProxy
Proxy
IPv6 Internet
IPv6
IPv4
IPv4
IPv4
IPv4-only Host
IPv4-only Host
IPv4-only Host
BRKRST-2301
Cisco Public
93
Multi-Homed Multi-Region
USA ISP 1 ISP2
Default Route
IPv4-only
BGP
IPv6 Tunnel
BGP
Enterprise
Enterprise
Enterprise
ISP3
ISP4 Europe
94
Your ISP may not have IPv6 at the local POP BRKRST-2044 Enterprise Multi-homed Internet Architectures
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
WAN/Branch
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf
WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time Dual-stack should be the focus of your implementationbut, some situations still call for tunneling Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Corporate Network
SP Cloud
Dual Stack
Dual Stack
BRKRST-2301
Cisco Public
96
Branch Multi-Tier
HQ
SP support for port-toport IPv6?
HQ
MPLS
HQ
Internet
Frame
Internet
Headquarters
Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64 2001:DB8:CAFE:202::/64
BR1-1 ::2
::1 HE1
::2 ::3
BR1-LAN-SW
WAN
::5 ::3 BR1-2 ::3 ::1 HE2
HSRP for IPv6 VIP Address - FE80::5:73FF:FEA0:2
::3
VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer
BRKRST-2301
Cisco Public
98
BR1-1 ::2
::1 HE1
::2 ::3
WAN
BR1-2 ::3
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved.
::1
Cisco Public
HE2
99
100
101
Branch LAN
Connecting Hosts
ipv6 dhcp pool DATA_W7 dns-server 2001:DB8:CAFE:102::8 domain-name cisco.com ! interface GigabitEthernet0/0 description to BR1-LAN-SW no ip address duplex auto speed auto ! interface GigabitEthernet0/0.104 description VLAN-PC encapsulation dot1Q 104 ip address 10.124.104.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1004::1/64 ipv6 nd other-config-flag ipv6 dhcp server DATA_W7 ipv6 eigrp 10 ! interface GigabitEthernet0/0.105 description VLAN-PHONE encapsulation dot1Q 105 ip address 10.124.105.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1005::1/64 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig ipv6 nd managed-config-flag ipv6 dhcp relay destination 2001:DB8:CAFE:102::9 ipv6 eigrp 10
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
BR1-LAN
BR1-LAN-SW
VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer
102
Remote Access
Client-based SSL
Internet
BRKRST-2301
Cisco Public
104
none
Cisco ASA
105
Outside
2001:db8:cafe:101::ffff
Inside
Cisco Public
106
Multi-Homing
Provisioning
BRKRST-2301
Cisco Public
108
Port-to-Port Access
Port to Port Access IPv6 Content Provisioning Multi-Homing
Dual-stack or native IPv6 at each POP SLA driven just like IPv4 to support VPN, content access
IPv6 access to hosted content Cloud migration (move data from Ent DC to Hosted DC)
Cisco Public
109
Multi-Homing
Port to Port Access IPv6 Content Provisioning Multi-Homing
PA is no good for customers with multiple providers or change them at any pace PI is new, constantly changing expectations and no guarantee an SP wont do something stupid like not route PI space Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI Religious debate about the security exposure not a multi-homing issue If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from no scalable IPv6 NAT exists today Is it really different from what we do today with IPv4? Is this policy stuff? Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc.. this is largely missing today
Cisco Public
110
Content
Port to Port Access IPv6 Content Provisioning Multi-Homing
IPv6 provisioning and access to hosted or cloud-based services today (existing agreements) Salesforce.com, Microsoft BPOS (Business Productivity Online Services), Amazon, Google Apps Movement from internal-only DC services to hosted/cloud-based DC Provisioning, data/network migration services, DR/HA
Third-party marketing, business development, outsourcing Existing contracts connect over IPv6
Cisco Public
111
Provisioning
Port to Port Access IPv6 Content Provisioning Multi-Homing
Not a lot of information from accounts on this but it does concern them How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6
More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA Again, how can they do this over IPv6 AND for IPv6 services
Cisco Public
112
Planning and coordination is required from many across the organisation, including Network engineers & operators Security engineers Application developers Desktop (Office Automation) / Server engineers Web hosting / content developers Business development managers
Moreover, training will be required for all involved in supporting the various IPv6 based network services
BRKRST-2301
Cisco Public
113
Conclusion
Dual stack where you can Tunnel where you must Translate when you have a gun to your head Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management Now is your time to build a network your way dont carry the IPv4 mindset forward with IPv6 unless it makes sense Deploy it at least in a lab IPv6 wont bite "If you don't like change, you're going to like irrelevance even less." - Gen. Shinseki, Chief of Staff, U.S. Army
BRKRST-2301
Cisco Public
114
Presentation_ID
Cisco Public
115
Thank you.
BRKRST-2301
Cisco Public
116
Reference Slides
ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4 http://www.microsoft.com/technet/network/p2p/defa ult.mspx
BRKRST-2301
Cisco Public
119
1. 2. 3.
Unspecified address :: Solicited node address NS/DAD Looking for a local router ff02::2 RS Looking for MLD enabled routers ff02::16 MLDv2 report
4.
5. 6. 7. 8.
fe80::80aa:fd5:f7ae:4361
120
Protocol Info DNS Standard query A isatap.cisco.com Protocol Info DNS Standard query A teredo.ipv6.microsoft.com Protocol Info TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0
IPv4-only Router
10.120.2.2 ISATAP?? Teredo??
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
10.120.3.2
121
What Is Teredo?
RFC4380 Tunnel IPv6 through NATs (NAT types defined in RFC3489)
Full Cone NATs (aka one-to-one)Supported by Teredo Restricted NATsSupported by Teredo Symmetric NATsSupported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NATs
BRKRST-2301
Cisco Public
122
Teredo Components
Teredo ClientDual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
Teredo ServerDual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hostsListens on UDP port 3544 Teredo RelayDual-stack router that forwards packets between Teredo clients and IPv6-only hosts Teredo Host-Specific RelayDual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay
BRKRST-2301
Cisco Public
123
Teredo Overview
IPv6 or IPv6 over IPv4 traffic IPv6 over IPv4 traffic Teredo host-specific relay IPv6-only host
Teredo client
IPv4 Internet
NAT
Teredo server
IPv6 Internet
Teredo relay NAT IPv6 traffic Teredo client *From Microsoft Teredo Overview paper
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
124
Teredo Address
32 bits 32 bits 16 bits 16 bits 32 bits
Teredo prefix
Flags
Teredo IPv6 prefix (2001::/32previously was 3FFE:831F::/32) Teredo Server IPv4 address: global address of the server
125
7.
6 5 3 1
Teredo Server 2
Teredo Client
7 2001:0:4136:e37e:0:fbaa:b97e:fe4e
Teredo Prefix Teredo Server v4 Flags Ext. UDP External v4 Port v4 address
NAT
IPv4 Internet
4 2
Teredo Server 1
BRKRST-2301
Cisco Public
126
netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : probe(cone) Type : teredo client Network : unmanaged NAT : cone netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : qualified Type : teredo client Network : unmanaged NAT : restricted
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
127
128
No. Time Source Destination Protocol Info 96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo request Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source 97 149.405579 fe80::8000:5445:5245:444f
Destination Protocol Info 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header Relay sends Bubble Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103) Teredo IPv6 over UDP tunneling packet to Teredo Origin Indication header client via Origin UDP port: 50206 serverclient Origin IPv4 address: 66.117.47.227 (66.117.47.227) No. Time Source 98 149.405916 172.16.1.103 No. Time Source 99 149.463719 66.117.47.227 No. Time Source 100 149.464100 172.16.1.103 No. Time Source 101 149.789493 66.117.47.227 Destination 66.117.47.227 Destination 172.16.1.103 Destination 66.117.47.227 Destination 172.16.1.103 Protocol Info UDP Source port: 1109 Destination port: 50206 Protocol Info UDP Source port: 50206 Destination port: 1109 Protocol Info UDP Source port: 1109 Destination port: 50206 Protocol Info UDP Source port: 50206 Destination port: 1109
receives relay address-port Packets to/from IPv6 host and client traverse relay
According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sentbeing researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspx
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
129
C:\>ping www.kame.net Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data Reply Reply Reply Reply from from from from 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: time=829ms time=453ms time=288ms time=438ms
BRKRST-2301
Cisco Public
130
Frame 35 (82 bytes on wire, 82 bytes captured) Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd) Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) Teredo IPv6 over UDP tunneling Internet Protocol Version 6 Version: 6 Traffic class: 0x00 Flowlabel: 0x00000 Payload length: 0 Next header: IPv6 no next header (0x3b) Hop limit: 21 Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e Destination address: ff02::1
BRKRST-2301
Cisco Public
131
BRKRST-2301
Cisco Public
133
0000:5EFE:
32-bit
IPv4 Address
32-bit
ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network
Supported in Windows XP Pro SP1 and others
BRKRST-2301
Cisco Public
134
ICMPv6 Type 133 (RS) IPv4 Source: 206.123.20.100 IPv4 Destination: 206.123.31.200 IPv6 Source: fe80::5efe:ce7b:1464 IPv6 Destination: fe80::5efe:ce7b:1fc8 Send me ISATAP Prefix
ICMPv6 Type 134 (RA) IPv4 Source: 206.123.31.200 IPv4 Destination: 206.123.20.100 IPv6 Source: fe80::5efe:ce7b:1fc8 IPv6 Destination: fe80::5efe:ce7b:1464 ISATAP Prefix: 2001:db8:ffff :2::/64
BRKRST-2301
Cisco Public
135
ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
136
IPv4 Solution 32-bit, Class D Protocol Independent, All IGPs and MBGP PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR IGMPv1, v2, v3 Boundary, Border MSDP Across Independent PIM Domains
Cisco Public
Routing
Protocol Independent, All IGPs and MBGP with v6 mcast SAFI PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
MLDv1, v2 Scope Identifier Single RP Within Globally Shared Domains
138
Forwarding
BRKRST-2301
H1
H2
1
1
Destination: FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131
2 2 Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131 FE80::207:85FF:FE80:692
1 2
rtr-a
Source
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
139
H1
3 REPORT to group
1 1 Destination:
FF02::2 ICMPv6 Type: 132 ICMPv6 Type: 131
H2
2 Destination:
1 H1 sends DONE to FF02::2 2 RTR-A sends Group-Specific Query 3 H2 sends REPORT for the group
rtr-a
FE80::207:85FF:FE80:692
Source
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
BRKRST-2301
Cisco Public
140
BRKRST-2301
Cisco Public
141
BRKRST-2301
Cisco Public
142
Corporate Network
Source
L0
RP
DR
143
One receive only for decapsulation of incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and RP!
BRKRST-2301
Cisco Public
144
Corporate Network
Source
Tu
RP
L0
145
Tunneling v6 Multicast
v6 in v4
v6 in v4 most widely used
tunnel mode ipv6ip <----- IS-IS cannot traverse
v6 in v6 GRE
tunnel mode gre ipv6
BRKRST-2301
Cisco Public
146
SSM group ranges are automatically defined Requires MLDv2 on host or SSM Mapping feature
BRKRST-2301
Cisco Public
147
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2)
Range of groups can be statically defined or used with DNS
BRKRST-2301
Cisco Public
148
SSM-Mapping
core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11 (2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT Incoming interface: GigabitEthernet3/3 RPF nbr: FE80::20E:39FF:FEAD:9B00 Immediate Outgoing interface list: GigabitEthernet5/1, Forward, 00:01:20/00:03:06 2001:DB8:CAFE:11::11
FF33::DEAD
Corporate Network
Source
Static Mapping:
ipv6 multicast-routing ! ipv6 mld ssm-map enable ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11 no ipv6 mld ssm-map query dns ! ipv6 access-list MAP permit ipv6 any host FF33::DEAD
SSM
MLDv1
149
RP IP WAN
BRKRST-2301
Cisco Public
150
RP2001:DB8:C003:1116::2
Corporate Network IP WAN
Source
RP2001:DB8:C003:110A::1
wan-bottom#sh run | incl ipv6 pim bsr ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1 ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
BRKRST-2301
Cisco Public
151
BRKRST-2301
Cisco Public
152
BRKRST-2301
Cisco Public
153
Embedded-RP
PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy:
Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
BRKRST-2301
Cisco Public
154
Source
L0
RP
IP WAN
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP ! ipv6 access-list ERP permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
BRKRST-2301
Cisco Public
155
IP WAN
To RP
branch#show ipv6 mroute active Active IPv6 Multicast Sources - sending >= 4 kbps Group: FF7E:140:2001:DB8:C003:111D:0:1112 Source: 2001:DB8:C003:1109::2 Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec) branch#show ipv6 pim range | include Embedded
BRKRST-2301
Cisco Public
156
BRKRST-2301
Cisco Public
157