How To Convince Your Boss To Deploy Ipv6

Enterprise IPv6 Deployment
Session ID-BRKRST-2301
Reference Materials
New/Updated IPv6 Cisco Sites: http://www.cisco.com/go/ipv6 http://www.cisco.gom/go/entipv6
Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterpri se/Campus/CampIPv6.html Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ ns742/ns816/landing_br_ipv6.html
BRKRST-2301
2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Recommended Reading
Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah ISBN0470193387, John Wiley & Sons Publications
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Available Now!!
3
Agenda
IPv6 Activity in the Enterprise
Planning and Deployment Summary IPv6 Address Considerations
General Network Considerations

Infrastructure Deployment
Campus/Data Center WAN/Branch Remote Access
Communicating with the Service Providers
AppendixFor Reference Only

IPv6 Activity in the Enterprise
Dramatic Increase in Enterprise Activity

Why?
External Pressure
Growth/Protection Partnership
Enterprise that is or will be expanding into new markets Address exhaustion Enterprise that partners with other companies/organizations doing IPv6 Governments, enterprise partners, contractors
Internal Pressure
OS/Apps Fixing Old Problems

New Technologies
Microsoft Windows 7, Server 2008 Microsoft DirectAccess
Mergers & Acquisitions NAT Overlap High Density Virtual Machine environments (Server virtualization, VDI) SmartGrid
BRKRST-2301
Cisco Public
IANA/RIR IPv4 Exhaustion

Estimated Registry Exhaustion Dates
100 90 80 70 Probability (%) 60 50 40 30
We already know this is too conservative: APNIC went into Stage 3 mid-April 2011
20
10 0
Jan 2011 Jul 2011 IANA Jan 2012 Jul 2012 Jan 2013 RIPENCC Jul 2013 ARIN Jan 2014 Jul 2014 Jan 2015 AFRINIC Jul 2015
APNIC
LACNIC
Source: Geoff Huston, APNIC

Innocent W2K3 -to- W2K8 Upgrade

Windows 2003
C:\>ping svr-01 Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data: Reply from 10.121.12.25: bytes=32 time<1ms TTL=128 Reply from 10.121.12.25: bytes=32 time<1ms TTL=128 Reply from 10.121.12.25: bytes=32 time<1ms TTL=128 Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Upgraded Host to Windows 2008

C:\>ping svr-01 Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data: Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms No. Time 3969 244.938775 3970 244.938958 ...........svr-01..... Source Destination fe80::c4e2:f21d:d2b3:8463 ff02::1:3 10.121.12.25 224.0.0.252 Protocol UDP UDP Info Source port: 63828 Destination port: llmnr Source port: 53753 Destination port: llmnr
Can happen if the circumstances are right http://technet.microsoft.com/enus/library/bb878128.aspx

Mergers & Acquisitions

Unique blend of technical and business problems
Colliding RFC1918 space Common options
If you dont collide then leave as-is until renumbering is complete
NAT overlap pools (into non-colliding space) until renumbering is complete IPv6 as an overlay network IPv6 added as a native protocol (dual stack)
This is a growing issue and IPv6 ends up being a perfect tool for resolving the technical issues
NAT Overlap + IPv6 Overlay Network

10.0.0.0 address space
Sub-Company 1
.3
IPv6 enables the network to provide access to services between sites 10.0.0.0 address space
Corp HQ
2001:DB8:1:2::3 10.0.0.0 address space .21 .3
Corporate Backbone
Sub-Company 2
2001:DB8:1:3::21
IPv4 static NAT entries for each server X how many??
2001:DB8:1:1::3
Build an overlay network to encapsulate IPv6 over IPv4 IPv6 is deployed only at those sites and for specific hosts that need end-to-end routability between entities Can be very operationally difficult to maintain in large environments May be a show stopper if you have to get a lot of tunnels past a bunch of IPv4 NAT
10
Partial Overlay + Partial Dual Stack

Sub-Company 1
.3
Corp HQ
2001:DB8:1:2::3 Dual 10.0.0.0 address space .21 .3
Stack
Corporate Backbone
Sub-Company 2
2001:DB8:1:3::21
Dual Stack
2001:DB8:1:1::7
Combine overlay network with dual stack Build as much dual stack as you can tunnel only when you have to You wont want to keep this up forever goal is dual stack to all places that need end-to-end connectivity between sites/orgs
BRKRST-2301
Cisco Public
11
Dual Stack Everywhere

Sub-Company 1
Corp HQ Dual Stack

Corporate Backbone
Sub-Company 2 Dual Stack Dual Stack Dual Stack Dual stack everywhere there is nothing else to say ;-) We will discuss the deployment of dual stack and other end-to-end considerations for the rest of this talk
BRKRST-2301
Cisco Public
12
Planning and Deployment Summary
Enterprise Adoption Spectrum

Mostly or completely past the why? phase Assessment (e2e) Weeding out vendors (features and $) Focus on training and filling gaps
Preliminary Research
Production/Looking for parity and beyond
Pilot/Early Deployment
Is it real? Do I need to deploy everywhere? Equipment status? SP support? Addressing What does it cost?
Still fighting vendors Content and wide-scale app deployment Review operational cost of 2 stacks Competitive/Strategic advantages of new environment
14
Cisco IPv6 Deployment - A Lifecycle Approach

Coordinated Planning and Strategy Make Sound Financial Decisions
Prepare
Operational Excellence Adapt to Changing Business Requirements
Optimize
Plan
Assess Readiness Can Your Network Support the Proposed System?
Maintain Network Health Manage, Resolve, Repair, Replace
Operate
Design
Design the Solution Products, Service, Support Aligned to Requirements
Implement
Implement the Solution Integrate Without Disruption or Causing Vulnerability

15
IPv6 Integration Outline

Pre-Deployment Phases
Establish the network starting point Importance of a network assessment and available tools Build a pilot or lab environment Obtain addressing or use ULA or documentation prefix (in lab) Learn the basics (DNS, routing changes, address assignment)
Deployment Phases
Transport considerations for integration Internet Edge (ISP, Apps) Campus IPv6 integration options Data Center integration options WAN IPv6 integration options Execute on gaps found in assessment
BRKRST-2301
Cisco Public
16
Where do I start?
Based on Timeframe/Use case Core-to-Edge Fewer things to touch
Campus Block
Edge-to-Core Challenging but doable

Internet Edge Business continuity DC/Campus DC Core Aggregation DC Access Internet Edge
ISP ISP
WAN
Servers
Branch
Branch
BRKRST-2301
Cisco Public
17
IPv6 Address Considerations

http://bit.ly/IPv6addrplan
IPv6 Addresses
IPv6 addresses are 128 bits long
Segmented into 8 groups of four HEX characters Separated by a colon (:)
Global Unicast Identifier Example
Network Portion
Interface ID
gggg:gggg:gggg:ssss: ssss:
Global Routing Prefix n <= 48 bits Subnet ID 64 n bits
xxxx:xxxx:xxxx:xxxx
Host Full Format
2001:0000:0000:00A1: 0000:0000:0000:1E2A 00A1:
2001:0:0: A1: ::1E2A
Abbreviated Format
BRKRST-2301
Cisco Public
19
PI and PA Allocation Process

Provider Assigned Provider Independent
IANA
IPv4 Pool Empty
2000::/3
2000::/3
/12
Registries
/12
/32
ISP
Org
/48
/48
Level Four Enterprise
BRKRST-2301
Cisco Public
20
Hierarchical Addressing and Aggregation

Site 1
2001:DB8:0001:0001::/64 2001:DB8:0001:0002::/64
ISP
2001:DB8:0002:0001::/64 2001:DB8:0002:0002::/64
Only Announces the /32 Prefix
2001:DB8:0001::/48 Site 2
2001:DB8::/32 IPv6 Internet 2000::/3
2001:DB8:0002::/48
Default is /48 can be larger: https://www.arin.net/resources/request/ipv6_add_assign.html Provider independent See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html
BRKRST-2301
Cisco Public
21
ULA, ULA + Global or Global

What type of addressing should I deploy internal to my network? It depends:
ULA-onlyToday, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network
ULA + Global allows for the best of both worlds but at a price much more address management with DHCP, DNS, routing and securitySAS does not always work as it should Global-onlyRecommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option
Lets explore these options
BRKRST-2301
Cisco Public
22
Unique-Local Addressing (RFC4193)

Used for internal communications, inter-site VPNs
Not routable on the internetbasically RFC1918 for IPv6 only betterless likelihood of collisions
Default prefix is /48

/48 limits use in large organizations that will need more space Semi-random generator prohibits generating sequentially useable prefixesno easy way to have aggregation when using multiple /48s Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangersremember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A
Routing/security control
You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is the only way the ULA scope can be enforced
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/

Generated ULA= fd9c:58ed:7d73::/48 * MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard) * EUI64 address=020D9Dfffe93A0C3 * NTP date=cc5ff71943807789 cc5ff71976b28d86
23
ULA-Only
Internet Branch 1
Global 2001:DB8:CAFE::/48
Not Recommended Today
NAT66 Required
Corp HQ
FD9C:58ED:7D73:2800::/64
Branch 2
Corporate Backbone
ULA Space FD9C:58ED:7D73::/48
FD9C:58ED:7D73:3000::/64
FD9C:58ED:7D73::2::/64
Everything internal runs the ULA space A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation (NPTv6) Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
24
Not Recommended
ULA + Global
Internet Branch 1
Corp HQ
FD9C:58ED:7D73:2800::/64 2001:DB8:CAFE:2800::/64
Branch 2
Corporate Backbone
ULA Space FD9C:58ED:7D73::/48 Global 2001:DB8:CAFE::/48
FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64
FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64
Both ULA and Global are used internally except for internal-only hosts Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally In theory, ULA talks to ULA and Global talks to GlobalSAS should work this out ULA-only and Global-only hosts can talk to one another internal to the network Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields Management NIGHTMARE for DHCP, DNS, routing, security, etc
25
ConsiderationsULA + Global
Use DHCPv6 for ULA and Globalapply different policies for both (lifetimes, options, etc..) Check routability for bothcan you reach an AD/DNS server regardless of which address you have? Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.) If using SLAAC for bothMicrosoft Windows allows you to enable/disable privacy extensions globallythis means you are either using them for both or not at all!!! One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)
Temporary Dhcp Other Preferred Preferred Preferred 6d23h59m55s 23h59m55s 2001:db8:cafe:2:cd22:7629:f726:6a6b 13d1h33m55s 6d1h33m55s fd9c:58ed:7d73:1002:8828:723c:275e:846d infinite infinite fe80::8828:723c:275e:846d%8
Unlike Global and link-local scopes ULA is not automatically controlled at the appropriate boundaryyou must prevent ULA prefix from going out or in at your perimeter SAS behavior is OS dependent and there have been issues with it working reliably
BRKRST-2301
Cisco Public
26
ULA + Global Example

Addr Type --------Dhcp Dhcp Other DAD State Valid Life Pref. Life Address ----------- ---------- ---------- -----------------------Preferred 13d23h48m24s 6d23h48m24s 2001:db8:cafe:2:c1b5:cc19:f87e:3c41 Preferred 13d23h48m24s 6d23h48m24s fd9c:58ed:7d73:1002:8828:723c:275e:846d Preferred infinite infinite fe80::8828:723c:275e:846d%8
interface Vlan2 description ACCESS-DATA-2 ipv6 address 2001:DB8:CAFE:2::D63/64 ipv6 address FD9C:58ED:7D73:1002::D63/64 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
DHCPv6 Client Network
ipv6 nd managed-config-flag
ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
DHCPv6 Server 2001:DB8:CAFE:11::9
BRKRST-2301
Cisco Public
27
Recommended
Global-Only
Internet Branch 1
Corp HQ
2001:DB8:CAFE:2800::/64
Branch 2
Corporate Backbone
2001:DB8:CAFE:3000::/64
2001:DB8:CAFE:2::/64
Global is used everywhere No issues with SAS No requirements to have NAT for ULA-to-Global translationbut, NAT may be used for other purposes
Easier management of DHCP, DNS, security, etc.

Only downside is breaking the habit of believing that topology hiding is a good security method
28
Randomized IID and Privacy Extensions

Enabled by default on Microsoft Windows Enable/disable via GPO or CLI
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent netsh interface ipv6 set privacy state=disabled store=persistent
Alternatively, use DHCP (see later) to a specific pool Randomized address are generated for non-temporary autoconfigured addresses including public and link-local used instead of EUI-64 addresses Randomized addresses engage Optimistic DADlikelihood of duplicate LL address is rare so RS can be sent before full DAD completion Windows Vista/W7/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is ok) Privacy extensions are used with SLAAC
BRKRST-2301
Cisco Public
29
Link LevelPrefix Length Considerations

/64 everywhere
64 bits
Recommended by RFC3177 and IAB/IESG
> 64 bits
Address space conservation Special cases: /126valid for p2p /127valid for p2p if you are careful (draft-kohno-ipv6prefixlen-p2p-xx/(RFC3627)) /128loopback Must avoid overlap with specific addresses: Router Anycast (RFC3513) Embedded RP (RFC3956) ISATAP addresses
Cisco Public
/64 + /126
64 on host networks
Consistency makes management easy

MUST for SLAAC (MSFT DHCPv6 also) Significant address space loss (18.466 Quintillion)
126 on P2P
/64 + /127
64 on host networks 127 on P2P
Always use /128 on loop

30
BRKRST-2301
Using Link-Local for Non-Access Connections

Under Research
What if you did not have to worry about addressing the network infrastructure for the purpose of routing?
IPv6 IGPs use LL addressing Only use Global or ULA addresses at the edges for host assignment
For IPv6 access to the network device itself use a loopback
What happens to route filters? ACLs?Nothing, unless you are blocking to/from the router itself Stuff to think about:
Always use a RID Some Cisco devices require ipv6 enable on the interface in order to generate and use a link-local address
Enable the IGP on each interface used for routing or that requires its prefix to be advertised
BRKRST-2301
Cisco Public
31
Using LL + Loopback Only

2001:db8:cafe:200::/64 2001:db8:cafe:100::/64 998::1/128 998::2/128
ipv6 unicast-routing ! interface Loopback0 ipv6 address 2001:DB8:CAFE:998::1/128 ipv6 eigrp 10 ! interface Vlan200 ipv6 address 2001:DB8:CAFE:200::1/64 ipv6 eigrp 10 ! interface GigabitEthernet1/1 ipv6 enable ipv6 eigrp 10 !
ipv6 unicast-routing ! interface Loopback0 ipv6 address 2001:DB8:CAFE:998::2/128 ipv6 eigrp 10 ! interface GigabitEthernet3/4 ipv6 eigrp 10 !
interface GigabitEthernet1/2
ipv6 eigrp 10 ! ipv6 router eigrp 10 router-id 10.99.8.2
ipv6 router eigrp 10

router-id 10.99.8.1 no shutdown 0
no shutdown
IPv6-EIGRP neighbors for process 10 Link-local address: FE80::212:D9FF:FE92:DE77 Gi1/2
BRKRST-2301
Cisco Public
32
Summary of Address Considerations

Provider Independent and/or Provider Assigned
ULA, ULA + Global, Global only Prefix-length allocation
/64 everywhere except loopbacks (/128)
/64 on host links, /126 on P2P links, /128 on loopbacks Variable prefix-lengths on host links
BRKRST-2301
Cisco Public
33
SLAAC & Stateful/Stateless DHCPv6

StateLess Address AutoConfiguration (SLAAC) RAbased assignment (a MUST for Mac) Stateful and stateless DHCPv6 server
Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/ Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f 1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
DHCPv6 Relaysupported on routers and switches

interface FastEthernet0/1 description CLIENT LINK ipv6 address 2001:DB8:CAFE:11::1/64 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise ipv6 nd managed-config-flag ipv6 dhcp relay destination 2001:DB8:CAFE:10::2 DHCPv6 Server
IPv6 Enabled Host Network
34
Basic DHCPv6 Message Exchange

DHCPv6 Client DHCPv6 Relay Agent DHCPv6 Server
Solicit(IA_NA)
Relay-Forw(Solicit(IA_NA)) Relay-Repl(Advertise(IA_NA(addr)))
Advertise(IA_NA(addr)) Request(IA_NA)
Relay-Forw(Request(IA_NA)) Relay-Repl(Reply(IA_NA(addr)))
Reply(IA_NA(addr))
Address Assigned Timer Expiring

Renew(IA_NA(addr)) Relay-Forw(Renew(IA_NA(addr))) Relay-Repl(Reply(IA_NA(addr)))
Reply(IA_NA(addr))
Shutdown , link down , Release

Release(IA_NA(addr)) Relay-Forw(Release(IA_NA(addr))) Relay-Repl(Reply(IA_NA(addr)))
Reply(IA_NA(addr))
BRKRST-2301
Cisco Public
35
CNR/W2K8DHCPv6
BRKRST-2301
Cisco Public
36
IPv6 General Prefix

Provides an easy/fast way to deploy prefix changes Example:2001:db8:cafe::/48 = General Prefix Fill in interface specific fields after prefix
ESE ::11:0:0:0:1 = 2001:db8:cafe:11::1/64

ipv6 unicast-routing ipv6 cef ipv6 general-prefix ESE 2001:DB8:CAFE::/48 ! interface GigabitEthernet3/2 ipv6 address ESE ::2/126 ! interface GigabitEthernet1/2 ipv6 address ESE ::E/126 interface Vlan11 ipv6 address ESE ::11:0:0:0:1/64 ! interface Vlan12 ipv6 address ESE ::12:0:0:0:1/64
Global unicast address(es): 2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64
BRKRST-2301
Cisco Public
37
DNS Basic Steps - 1

Add AAAA records in your DNS server for the hostnames of the devices that can be reached through the IPv6 protocol.
Add pointer (PTR) records in your DNS server for the IP addresses of the devices that can be reached through the IPv6 protocol. Enable IPv6 access to the authoritative DNS servers. Be sure that TCP/53 and UDP/53 can be accessed through IPv6. Enable IPv6 connectivity to the external full-service resolvers that send DNS queries to authoritative servers in the world.
BRKRST-2301
Cisco Public
38
DNS Basic Steps - 2

Make sure that the full-service resolver is configured with both IPv4 and IPv6 glue for the root servers in the world.
Enable IPv6 on the recursive resolver so that it responds to DNS requests over IPv6 as well as IPv4.
Enable IPv6 on the node that sends queries so that it can send DNS requests to the recursive resolver.
Configure the stub resolver on the node that sends queries so that it uses IPv6 to send DNS queries, either statically or using Dynamic Host Configuration Protocol Version 6 (DHCPv6). Review policies for flows and make sure that both TCP/53 and UDP/53 can be accessed over IPv4 and IPv6
BRKRST-2301
Cisco Public
39
General Network Considerations
HSRP for IPv6

Many similarities with HSRP for IPv4 Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects No need to configure GW on hosts (RAs are sent from HSRP active router) Virtual MAC derived from HSRP group number and virtual IPv6 linklocal address IPv6 Virtual MAC range:
0005.73A0.0000 - 0005.73A0.0FFF (4096 addresses)
HSRP Active
HSRP Standby
track 2 interface FastEthernet0/0 line-protocol interface FastEthernet0/1 ipv6 address 2001:DB8:66:67::2/64 standby version 2 standby 2 ipv6 autoconfig standby 2 timers msec 250 msec 800 standby 2 preempt standby 2 preempt delay minimum 180 standby 2 authentication cisco standby 2 track 2 decrement 10
HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
Host with GW of Virtual IP
#route -A inet6 | grep ::/0 | grep eth2 ::/0 fe80::5:73ff:fea0:1
UGDA
1024
0 eth2
BRKRST-2301
Cisco Public
41
IPv6 Multicast Availability

Multicast Listener Discovery (MLD)
Equivalent to IGMP
PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast RP Deployment: Static, Embedded
S
DR RP DR
Host Multicast Control via MLD
BRKRST-2301
Cisco Public
42
Multicast Listener Discovery: MLD

Multicast Host Membership Control
MLD is equivalent to IGMP in IPv4 MLD messages are transported over ICMPv6 MLD uses link local source addresses MLD packets use Router Alert in extension header (RFC2711) Version number confusion:
MLDv1 (RFC2710) like IGMPv2 (RFC2236) MLDv2 (RFC3810) like IGMPv3 (RFC3376)
Host Multicast Control via MLD
MLD snooping
BRKRST-2301
Cisco Public
43
IPv6 QoS Policy & Syntax

Unified QoS Policy (v4/v6 in same policy) or separate? IPv4 syntax has used ip following match/set statements
Example: match ip dscp, set ip dscp
Modification in QoS syntax to support IPv6 and IPv4

New match criteria
match dscp Match DSCP in v4/v6 match precedence Match Precedence in v4/v6 New set criteria set dscp Set DSCP in v4/v6 set precedence Set Precedence in v4/v6
Additional support for IPv6 does not always require new Command Line Interface (CLI)
ExampleWRED
BRKRST-2301
Cisco Public
44
Scalability and Performance

IPv6 Neighbor Cache = ARP for IPv4
In dual-stack networks the first hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries ARP entry for host in the campus distribution layer: Internet Vlan2 10.120.2.200 2 000d.6084.2c7a ARPA
IPv6 Neighbor Cache entry: 2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1

2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC FE80::7DE5:E2B0:D4DF:97EC
000d.6084.2c7a
STALE Vl2 STALE Vl2 STALE Vl2
16 000d.6084.2c7a 16 000d.6084.2c7a
Full internet route tablesensure to account for TCAM/memory requirements for both IPv4/IPv6not all vendors can properly support both Multiple routing protocolsIPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present Control plane impact when using tunnelsterminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)
BRKRST-2301
Cisco Public
45
Infrastructure Deployment
Start Here: Cisco IOS Software Release Specifics for IPv6 Features http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6roadmap.html
IPv6 Co-existence Solutions

Dual Stack
IPv4 IPv6
Recommended Enterprise Co-existence strategy
Tunneling Services
IPv4 over IPv6 IPv6 over IPv4
Connect Islands of IPv6 or IPv4
Translation Services
IPv4
IPv6
Business Partners Government Agencies International Sites Remote Workers Internet consumers
Connect to the IPv6 community

47
Campus
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
Campus IPv6 Deployment

Three Major Options
Dual-stackThe way to go for obvious reasons: performance, security, QoS, multicast and management
Layer 3 switches should support IPv6 forwarding in hardware
HybridDual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
ProLeverage existing gear and network design (traditional L2/L3 and routed access) ConTunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast
IPv6 Service BlockA new network block used for interim connectivity for IPv6 overlay network
ProSeparation, control and flexibility (still supports traditional L2/L3 and routed access) ConCost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast
BRKRST-2301
Cisco Public
49
Campus IPv6 Deployment Options

Dual-Stack IPv4/IPv6
Dual Stack = Two protocols running at the same time (IPv4/IPv6) #1 requirementswitching/ routing platforms must support hardware based forwarding for IPv6
3560/3750* + 4500 Sup6E + 6500 Sup32/720 +
v6Enabled v6Enabled
IPv6/IPv4 Dual Stack Hosts
Access Layer
L2/L3
Distribution Layer
Dual Stack
Dual Stack
IPv6 is transparent on L2 switches but consider:

L2 multicastMLD snooping IPv6 management Telnet/SSH/HTTP/SNMP Intelligent IP services on WLAN
v6Enabled
v6Enabled
Core Layer
v6-Enabled
v6-Enabled
Aggregation Layer (DC)
Expect to run the same IGPs as with IPv4 *check HW limitations in non-E/X/C series
Access Layer (DC)
Dual-stack Server 50
Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)

ipv6 unicast-routing interface Vlan4 ! description Data VLAN for Access interface GigabitEthernet1/0/1 ipv6 address 2001:DB8:CAFE:4::2/64 description To 6k-core-right ipv6 nd managed-config-flag ipv6 address 2001:DB8:CAFE:1105::A001:1010/64 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2 ipv6 eigrp 10 ipv6 eigrp 10 ipv6 hello-interval eigrp 10 1 standby version 2 ipv6 hold-time eigrp 10 3 standby 2 ipv6 autoconfig ipv6 authentication mode eigrp 10 md5 standby 2 timers msec 250 msec 750 ipv6 authentication key-chain eigrp 10 eigrp standby 2 priority 110 ! standby 2 preempt delay minimum 180 interface GigabitEthernet1/0/2 standby 2 authentication ese description To 6k-core-left ! ipv6 address 2001:DB8:CAFE:1106::A001:1010/64 ipv6 router eigrp 10 ipv6 eigrp 10 no shutdown ipv6 hello-interval eigrp 10 1 router-id 10.122.10.10 ipv6 hold-time eigrp 10 3 passive-interface Vlan4 ipv6 authentication mode eigrp 10 md5 passive-interface Loopback0 ipv6 authentication key-chain eigrp 10 eigrp
BRKRST-2301
Cisco Public
51
Distribution Layer: Example with ULA and General Prefix feature

ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53 ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53 ipv6 unicast-routing ! interface GigabitEthernet1/0/1 description To 6k-core-right ipv6 address ULA-CORE ::3:0:0:0:D63/64 ipv6 eigrp 10 ipv6 hello-interval eigrp 10 1 ipv6 hold-time eigrp 10 3 ipv6 authentication mode eigrp 10 md5 ipv6 authentication key-chain eigrp 10 eigrp ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53 ! interface GigabitEthernet1/0/2 description To 6k-core-left ipv6 address ULA-CORE ::C:0:0:0:D63/64 ipv6 eigrp 10 ipv6 hello-interval eigrp 10 1 ipv6 hold-time eigrp 10 3 ipv6 authentication mode eigrp 10 md5 ipv6 authentication key-chain eigrp 10 eigrp ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53 interface Vlan4 description Data VLAN for Access ipv6 address ULA-ACC ::D63/64 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise ipv6 nd managed-config-flag ipv6 dhcp relay destination fd9c:58ed:7d73:811::9 ipv6 eigrp 10 standby version 2 standby 2 ipv6 autoconfig standby 2 timers msec 250 msec 750 standby 2 priority 110 standby 2 preempt delay minimum 180 standby 2 authentication ese ! ipv6 router eigrp 10 no shutdown router-id 10.122.10.10 passive-interface Vlan4 passive-interface Loopback0
BRKRST-2301
Cisco Public
52
Access Layer: Dual Stack (Routed Access)

ipv6 unicast-routing ipv6 cef ! interface GigabitEthernet1/0/25 description To 6k-dist-1 ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64 no ipv6 redirects ipv6 nd suppress-ra ipv6 ospf network point-to-point ipv6 ospf 1 area 2 ipv6 ospf hello-interval 1 ipv6 ospf dead-interval 3 ipv6 cef ! interface GigabitEthernet1/0/26 description To 6k-dist-2 ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64 no ipv6 redirects ipv6 nd suppress-ra ipv6 ospf network point-to-point ipv6 ospf 1 area 2 ipv6 ospf hello-interval 1 ipv6 ospf dead-interval 3 ipv6 cef interface Vlan2 description Data VLAN for Access ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64 ipv6 ospf 1 area 2 ipv6 cef ! ipv6 router ospf 1 router-id 10.120.2.1 log-adjacency-changes auto-cost reference-bandwidth 10000 area 2 stub no-summary passive-interface Vlan2 timers spf 1 5
BRKRST-2301
Cisco Public
53
Distribution Layer: Dual Stack (Routed Access)

ipv6 unicast-routing ipv6 multicast-routing ipv6 cef distributed ! interface GigabitEthernet3/1 description To 3750-acc-1 ipv6 address 2001:DB8:CAFE:1100::A001:1010/64 no ipv6 redirects ipv6 nd suppress-ra ipv6 ospf network point-to-point ipv6 ospf 1 area 2 ipv6 ospf hello-interval 1 ipv6 ospf dead-interval 3 ipv6 cef ! interface GigabitEthernet1/2 description To 3750-acc-2 ipv6 address 2001:DB8:CAFE:1103::A001:1010/64 no ipv6 redirects ipv6 nd suppress-ra ipv6 ospf network point-to-point ipv6 ospf 1 area 2 ipv6 ospf hello-interval 1 ipv6 ospf dead-interval 3 ipv6 cef
BRKRST-2301 2011 Cisco and/or its affiliates. All rights reserved.
ipv6 router ospf 1 auto-cost reference-bandwidth 10000 router-id 10.122.0.25 log-adjacency-changes area 2 stub no-summary passive-interface Vlan2 area 2 range 2001:DB8:CAFE:xxxx::/xx timers spf 1 5
Cisco Public
54
Legacy Design

Hybrid Model
Plan B if Layer 3 device cant support IPv6 but you have to get IPv6 over it Offers IPv6 connectivity via multiple options
Dual-stack Configured tunnelsL3-to-L3 ISATAPHost-to-L3
IPv6/IPv4 Dual Stack Hosts
Access Layer
L2/L3
NOT v6Enabled
ISATAP
ISATAP
Leverages existing network Offers natural progression to full dual-stack design May require tunneling to less-than-optimal layers (i.e. core layer) Any sizable deployment will be an operational management challenge ISATAP creates a flat network (all hosts on same tunnel are peers) Provides basic HA of ISATAP tunnels via old Anycast-RP idea
NOT v6Enabled
Distribution Layer
v6Enabled
v6Enabled
Core Layer
Dual Stack
Dual Stack
v6-Enabled
v6-Enabled
Access Layer (DC)

Dual-stack Server
BRKRST-2301
Cisco Public
55
Campus Hybrid Model 1

QoS
1. Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These polices may include trust (ingress), policing (ingress) and queuing (egress)
Access Layer IPv6/IPv4 Dual-stack Hosts Distribution Layer Core Layer Aggregation Layer (DC) Access Layer (DC) IPv6/IPv4 Dual-stack Server
2.
1
Access Block
2
Data Center Block
BRKRST-2301
Cisco Public
IPv6 and IPv4 Enabled
56
IPv6 ISATAP Implementation

ISATAP Host Considerations
ISATAP is available on Windows XP, Windows 2003, Vista/W7/Server 2008, port for Linux If Windows host does not detect IPv6 capabilities on the physical interface then an effort to use ISATAP is started Can learn of ISATAP routers via DNS A record lookup isatap or via static configuration
If DNS is used then Host/Subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAP Two or more ISATAP routers can be added to DNS and ISATAP will determine which one to use and also fail to the other one upon failure of first entry If DNS zoning is used within the enterprise then ISATAP entries for different routers can be used in each zone
In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
BRKRST-2301
Cisco Public
57
Highly Available ISATAP Design

Topology
PC1 - Red VLAN 2 PC2 - Blue VLAN 3
ISATAP tunnels from PCs in access layer to core switches

Access Layer
Redundant tunnels to core or service block
NOT v6Enabled
NOT v6Enabled
Distribution Layer
Use IGP to prefer one core switch over another (both v4 and v6 routes)deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) Works like Anycast-RP with IPmc
v6Enabled
v6Enabled
Core Layer
Dual Stack
Dual Stack
v6-Enabled
v6-Enabled
Access Layer (DC)

IPv6 Server
Primary ISATAP Tunnel Secondary ISATAP Tunnel
BRKRST-2301
Cisco Public
58
IPv6 Campus ISATAP Configuration

Redundant Tunnels
ISATAP Primary
interface Tunnel2 ipv6 address 2001:DB8:CAFE:2::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 tunnel source Loopback2 tunnel mode ipv6ip isatap ! interface Tunnel3 ipv6 address 2001:DB8:CAFE:3::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 tunnel source Loopback3 tunnel mode ipv6ip isatap ! interface Loopback2 description Tunnel source for ISATAP-VLAN2 ip address 10.122.10.102 255.255.255.255 ! interface Loopback3 description Tunnel source for ISATAP-VLAN3 ip address 10.122.10.103 255.255.255.255
ISATAP Secondary
interface Tunnel2 ipv6 address 2001:DB8:CAFE:2::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 tunnel source Loopback2 tunnel mode ipv6ip isatap ! interface Tunnel3 ipv6 address 2001:DB8:CAFE:3::/64 eui-64 no ipv6 nd suppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 tunnel source Loopback3 tunnel mode ipv6ip isatap ! interface Loopback2 ip address 10.122.10.102 255.255.255.255 delay 1000 ! interface Loopback3 ip address 10.122.10.103 255.255.255.255 delay 1000
Cisco Public
59

IPv4 and IPv6 RoutingOptions
ISATAP SecondaryBandwidth adjustment
interface Loopback2
ip address 10.122.10.102 255.255.255.255

delay 1000
To influence IPv4 routing to prefer one ISATAP tunnel source over anotheralter delay/cost or mask length Lower timers (timers spf, hello/hold, dead) to reduce convergence times Use recommended summarization and/or use of stubs to reduce routes and convergence times
Set RID to ensure redundant loopback addresses do not cause duplicate RID issues
Cisco Public
ISATAP PrimaryLongest-match adjustment

interface Loopback2
ip address 10.122.10.102 255.255.255.255
ISATAP SecondaryLongest-match adjustment

interface Loopback2 ip address 10.122.10.102 255.255.255.254
IPv4EIGRP
router eigrp 10 eigrp router-id 10.122.10.3
IPv6OSPFv3
ipv6 router ospf 1 router-id 10.122.10.3
60
Distribution Layer Routes

Primary/Secondary Paths to ISATAP Tunnel Sources
acc-2 dist-2 core-2
Loopback 210.122.10.102 Used as SECONDARY ISATAP tunnel source VLAN 2 10.120.2.0/24
acc-1 dist-1 core-1
Loopback 210.122.10.102 Used as PRIMARY ISATAP tunnel source
Preferred route to 10.122.10.102 Preferred route to 10.122.10.102 on FAILURE
Before Failure
dist-1#show ip route | b 10.122.10.102/32 D 10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27
After Failure
dist-1#show ip route | b 10.122.10.102/32 D 10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28
BRKRST-2301
Cisco Public
61

ISATAP Client Configuration
Windows XP/Vista/W7 Host C:\>netsh int ipv6 isatap set router 10.122.10.103 Ok.
interface Tunnel3 ipv6 address 2001:DB8:CAFE:3::/64 eui-64 no ipv6 nd suppress-ra ipv6 eigrp 10 tunnel source Loopback3 tunnel mode ipv6ip isatap ! interface Loopback3 description Tunnel source for ISATAP-VLAN3
10.120.3.101
New tunnel comes up when failure occurs
int tu3 int lo3 10.122.10.103
int tu3 int lo3 10.122.10.103
ip address 10.122.10.103 255.255.255.255
Tunnel adapter Automatic Tunneling Pseudo-Interface: Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2 Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
62
IPv6 Configured Tunnels

Think GRE or IP-in-IP Tunnels
Encapsulating IPv6 into IPv4 Used to traverse IPv4 only devices/links/networks Treat them just like standard IP links (only insure solid IPv4 routing/HA between tunnel interfaces) Provides for same routing, QoS, multicast as with dual-stack In HW, performance should be similar to standard tunnels
interface Tunnel0 ipv6 cef ipv6 address 2001:DB8:CAFE:13::1/127
Access
Distribution
interface GigabitEthernet1/1 ipv6 address 2001:DB8:CAFE:13::4/127 ipv6 eigrp 10
Tunnel
Tunnel
Core
Aggregation
ipv6 eigrp 10
tunnel source Loopback3 tunnel destination 172.16.2.1 tunnel mode ipv6ip
ipv6 cef
! interface Loopback3 ip address 172.16.1.1 255.255.255.252
Cisco Public
63
Campus Hybrid Model 1

QoS Configuration SampleCore Layer
mls ipv6 acl compress address unicast mls qos ! class-map match-all CAMPUS-BULK-DATA match access-group name BULK-APPS class-map match-all CAMPUS-TRANSACTIONAL-DATA match access-group name TRANSACTIONAL-APPS ! policy-map IPv6-ISATAP-MARK class CAMPUS-BULK-DATA set dscp af11 class CAMPUS-TRANSACTIONAL-DATA set dscp af21 class class-default set dscp default ! ipv6 access-list BULK-APPS permit tcp any any eq ftp permit tcp any any eq ftp-data ! ipv6 access-list BULK-APPS permit tcp any any eq ftp permit tcp any any eq ftp-data ! ipv6 access-list TRANSACTIONAL-APPS permit tcp any any eq telnet permit tcp any any eq 22 ! interface GigabitEthernet2/1 description to 6k-agg-1 mls qos trust dscp service-policy output IPv6-ISATAP-MARK ! interface GigabitEthernet2/2 description to 6k-agg-2 mls qos trust dscp service-policy output IPv6-ISATAP-MARK ! interface GigabitEthernet2/3 description to 6k-core-1 mls qos trust dscp service-policy output IPv6-ISATAP-MARK
Cisco Public
ipv6 access-list TRANSACTIONAL-APPS

permit tcp any any eq telnet permit tcp any any eq 22
64

IPv6 Service BlockRapid Deployment/Pilot
VLAN 2 VLAN 3
Provides ability to rapidly deploy IPv6 services without touching existing network Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations) Get lots of operational experience with limited impact to existing environment Ideal for Pilot Similar challenges as Hybrid Model Lots of tunneling Configurations are very similar to the Hybrid Model
ISATAP tunnels from PCs in access layer to service block switches (instead of core layerHybrid)
IPv4-only Campus Block
Access Layer
ISATAP
IPv6 Service Block

Dist. Layer
Dedicated FW
2
Internet
Core Layer
1) Leverage existing ISP block for both IPv4 and IPv6 access 2) Use dedicated ISP connection just for IPv6Can use IOS Zone FW or ASA
Agg Layer Access Layer
IOS FW
Primary ISATAP Tunnel

Secondary ISATAP Tunnel
1
WAN/ISP Block Data Center Block
Cisco Public
65
Cisco VSS DSM / Hybrid / Service Block

Cisco VSS offers a greatly simplified configuration and extremely fast convergence for IPv6 deployment
Dual stack Place VSS pair in distribution and/or core layers HA and simplified/reduced IPv6 configuration Hybrid model If terminating tunnels against VSS (i.e. VSS at core layer), MUCH easier to configure tunnels for HA as only one tunnel configuration is needed
Service Block Use VSS as the SB pair again, GREATLY simplified configuration and decrease convergence times!!
BRKRST-2301
Cisco Public
66
Data Center/Internet Edge
IPv6 Data Center Integration

Route/Switch design will be similar to campus based on feature, platform and connectivity similarities Nexus, 6500 4900M The single most overlooked and potentially complicated area of IPv6 deployment IPv6 for SAN (FCIP, iSCSI, Management) Stuff people dont think about:
NIC Teaming, iLO, DRAC, IP KVM, Clusters Innocent looking Server OS upgrades Windows Server 2008 - Impact on clusters Microsoft Server 2008 Failover clusters full support IPv6 (and L3)
Internet-facing Data Center Most of the internal and Internet DC considerations are the same
68
IPv6 Configuration on Nexus

interface Vlan114 no shutdown description Outside FW VLAN ipv6 address 2001:0db8:cafe:0114::0002/64 hsrp version 2 hsrp 114 ipv6 preempt delay minimum 180 timers 1 3 ip autoconfig
IP-is-IP minor syntax changes based on different platforms between campus & data center
Check for the features you need, platform support, performance capabilities Same stuff you do for any new platform you invest in
69
iSCSI/VRRP for IPv6

Same configuration requirements and operation as with IPv4 Can use automatic preemptionconfigure VR address to be the same as physical interface of primary Host-side HA uses NIC teaming (see slides for NIC teaming) Support for iSCSI with IPsec
BRKRST-2301
Cisco Public
70
iSCSI IPv6 ExampleMDS

Initiator/Target
iscsi virtual-target name iscsi-atto-target pWWN 21:00:00:10:86:10:46:9c initiator iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com permit iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com static pWWN 24:01:00:0d:ec:24:7c:42
vsan 1
zone default-zone permit vsan 1 zone name iscsi-zone vsan 1 member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com member pwwn 21:00:00:10:86:10:46:9c member pwwn 24:01:00:0d:ec:24:7c:42 member symbolic-nodename iscsi-atto-target zone name Generic vsan 1 member pwwn 21:00:00:10:86:10:46:9c zoneset name iscsi_zoneset vsan 1 member iscsi-zone zoneset name Generic vsan 1 member Generic
BRKRST-2301
Cisco Public
71
iSCSI/VRRP IPv6 ExampleMDS

Interface
MDS-1
interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::5/64 no shutdown vrrp ipv6 1 address 2001:db8:cafe:12::5 no shutdown mds-1# show vrrp ipv6 vr 1 Interface GigE2/1 VR IpVersion Pri 1 IPv6 255 Time Pre State 100cs master VR IP addr 2001:db8:cafe:12::5 ------------------------------------------------------------------
MDS-2
interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::6/64 no shutdown
vrrp ipv6 1
address 2001:db8:cafe:12::5 no shutdown
mds-2# show vrrp ipv6 vr 1 Interface GigE2/1 VR IpVersion Pri 1 IPv6 100 Time Pre State 100cs backup VR IP addr 2001:db8:cafe:12::5 ------------------------------------------------------------------
BRKRST-2301
Cisco Public
72
iSCSI Initiator ExampleW2K8 IPv6

1
iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::5/64
mds9216-1# show fcns database vsan 1

VSAN 1: --------------------------------------------------------------------FCID 0x670400 0x670405
TYPE N N
PWWN 21:00:00:10:86:10:46:9c
(VENDOR) FC4-TYPE:FEATURE scsi-fcp:target scsi-fcp:init isc..w 73
--------------------------------------------------------------------24:01:00:0d:ec:24:7c:42 (Cisco)
Cisco Public
SAN-OS 3.xFCIP(v6)
fcip profile 100 ip address 2001:db8:cafe:50::1 tcp max-bandwidth-mbps 800 min-availablebandwidth-mbps 500 round-trip-time-us 84 ! interface fcip100 use-profile 100 peer-info ipaddr 2001:db8:cafe:50::2
fcip profile 100

ip address 2001:db8:cafe:50::2 tcp max-bandwidth-mbps 800 min-availablebandwidth-mbps 500 round-trip-time-us 84 ! interface fcip100
use-profile 100
peer-info ipaddr 2001:db8:cafe:50::1 ! interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::2/64
!
interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::1/64
BRKRST-2301
Cisco Public
74
Data Center NIC Teaming Issue

What Happens If IPv6 Is Unsupported?
Auto-configuration
Interface 10: Local Area Connection #VIRTUAL TEAM INTERFACE Addr Type --------Public DAD State Preferred Valid Life 29d23h58m41s Pref. Life Address
---------- ------------ ------------ ----------------------------6d23h58m41 2001:db8:cafe:10:20d:9dff:fe93:b25d
Static configuration
netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.
netsh interface ipv6>sh add Querying active state... Interface 10: Local Area Connection
Addr Type
--------Manual Public
DAD State
Duplicate Preferred
Valid Life
infinite 29d23h59m21s
Pref. Life
Address
---------- ------------ ------------ ----------------------------infinite 2001:db8:cafe:10::7 6d23h59m21s 2001:db8:cafe:10:20d:9dff:fe93:b25d
Note: Same Issue Applies to Linux

75
Intel ANS NIC Teaming for IPv6

Intel IPv6 NIC Q&AProduct support
http://www.intel.com/support/network/sb/cs009090.htm
Intel now supports IPv6 with Express, ALB, and AFT deployments
Intel statement of support for RLBReceive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.
BRKRST-2301
Cisco Public
76
Interim Hack for Unsupported NICs

Main issue for NICs with no IPv6 teaming support is DAD Causes duplicate checks on Team and Physical even though the physical is not used for addressing
Set DAD on Team interface to 0Understand what you are doing
Microsoft Vista/W7/Server 2008 allows for a command line change to reduce the DAD transmits value from 1 to 0
netsh interface ipv6 set interface 19 dadtransmits=0
Microsoft Windows 2003Value is changed via a creation in the registry

\\HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces \(InterfaceGUID)\DupAddrDetectTransmits - Value 0
Linux
# sysctl -w net/ipv6/conf/bond0/dad_transmits=0 net.ipv6.conf.eth0.dad_transmits = 0
BRKRST-2301
Cisco Public
77
Intel NIC TeamingIPv6 (Pre Team)

Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix
. :
Autoconfiguration IP Address. . . : 169.254.25.192 Subnet Mask . . . . . . . . . . . : 255.255.0.0 IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11 Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11 Ethernet adapter LAN: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 10.89.4.230 Subnet Mask . . . . . . . . . . . : 255.255.255.0 IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2 IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12 Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12
BRKRST-2301
Cisco Public
78
Intel NIC TeamingIPv6 (Post Team)

Ethernet adapter TEAM-1: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 10.89.4.230 Subnet Mask . . . . . . . . . . . : 255.255.255.0 IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2 IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13 Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13
Interface 13: TEAM-1 Addr Type --------Public Link DAD State Preferred Preferred Valid Life 4m11s infinite Pref. Life Address
---------- ------------ ------------ ----------------------------4m11s 2001:db8:cafe:1::2 infinite fe80::204:23ff:fec7:b0d6
BRKRST-2301
Cisco Public
79
IPv6 in the Enterprise Data Center

Biggest Challenges Today
Application support for IPv6 Know what you dont know
If an application is protocol centric (IPv4): Needs to be rewritten Needs to be translated until it is replaced
Wait and pressure vendors to move to protocol agnostic framework
Deployment of translation
NAT64 (Stateful for most enterprises) Apache Reverse Proxy Windows Port Proxy 3rd party proxy solutions
Network services above L3 (A short-term challenge)

SLB, SSL-Offload, application monitoring (probes)
Application Optimization High-speed security inspection/perimeter protection
80
Commonly Deployed IPv6-enabled OS/Apps
Operating Systems Windows 7 SUSE
Virtualization & Applications VMware vSphere 4.1 Microsoft Exchange 2007 SP1/2010 Apache/IIS Web Services Windows Media Services
Windows Server 2008/R2 Microsoft Hyper-V
Red Hat
Ubuntu The list goes on
Multiple Line of Business apps

Most commercial applications wont be your problem it will be the custom/home-grown apps
81
ACE + IPv6 / ASR + NAT64

ACE SLB66 v6 ACE SLB64 v4
v6
v6
v6
v6
v4
v4
SW coming (ACE30, ACE4710)
SW coming (ACE30, ACE4710)
Stateful NAT64 + SLB44
v6 v4
v4 server
82
NAT64
Lots of RFCs to check out:
RFC 6144 Framework for IPv4/IPv6 Translation RFC 6052 IPv6 Addressing of IPv4/IPv6 Translators RFC 6145 IP/ICMP Translation Algorithm RFC 6146 Stateful NAT64 RFC 6147 DNS64
Stateless Not your friend in the enterprise (corner case deployment)

1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts-to-254 IPv4 hosts) Requires the IPv6-only hosts to use an IPv4 translatable address format
Stateful What we are after for translating IPv6-only hosts to IPv4-only host(s)
It is what it sounds like keeps state between translated hosts Several deployment models (PAT/Overload, Dynamic 1:1, Static, etc) This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet Edge)
BRKRST-2301
Cisco Public
83
Stateful NAT64 Example Topology

Static Example
10.121.13.52
DMZ/DC Internet IPv6 Host: 2001:db8:c150:10::16 G0/0/0: 2001:DB8:CAFE:5555::1/64 G0/0/1: 10.121.220.1/24
10.121.12.70
interface GigabitEthernet0/0/0 description to 6k-dmz-1 Outside no ip address ipv6 address 2001:DB8:CAFE:5555::1/64 ipv6 eigrp 10 nat64 enable ! interface GigabitEthernet0/0/1 description to 6k-dmz-1 Inside ip address 10.121.220.1 255.255.255.0 nat64 enable
BRKRST-2301
ipv6 ASR access-list EDGE_ACL permit ipv6 any host 2001:DB8:CAFE:BEEF::46 permit ipv6 any host 2001:DB8:CAFE:BEEF::48 !
nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96

nat64 v4 pool EDGE 10.121.55.1 10.121.55.1 nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46 nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::48 nat64 v6v4 list EDGE_ACL pool EDGE overload
Cisco Public
84
NAT64 Translations
ASR1k#sh nat64 translations Proto Original IPv4 Translated IPv6 ----tcp tcp tcp tcp tcp tcp 10.121.13.52 --10.121.12.70 --10.121.12.70:443 10.121.55.1:1030 10.121.12.70:443 10.121.55.1:1029 10.121.12.70:443 10.121.55.1:1028 10.121.12.70:443 10.121.55.1:1024 10.121.12.70:443 10.121.55.1:1025 10.121.12.70:443 10.121.55.1:1026 Translated IPv4 Original IPv6 2001:db8:cafe:beef::48 --2001:db8:cafe:beef::46 --[2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53601 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53600 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53599 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53593 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53596 [2001:db8:cafe:beef::46]:443 [2001:db8:cafe:10::16]:53597
Reference
----------------------------------------------------------------------------
Static Entries
Dynamic Overloaded Entries
tcp
10.121.12.70:80
10.121.55.1:1027
[2001:db8:cafe:beef::46]:80
[2001:db8:cafe:10::16]:53598
Total number of translations: 9
BRKRST-2301
Cisco Public
85
ASR1k#show nat64 statistics Sessions found: 171 Sessions created: 3 Global Stats:
NAT64 Statistics
Reference
Total active translations: 6 (3 static, 3 dynamic; 3 extended)
Packets translated (IPv4 -> IPv6) Stateless: 0 Stateful: 100 Packets translated (IPv6 -> IPv4) Stateless: 0 Stateful: 74 Interface Statistics GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured): Packets translated (IPv6 -> IPv4) Stateless: 0 Stateful: 74 GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured): Packets translated (IPv4 -> IPv6) Stateful: 100 Dynamic Mapping Statistics v6v4
access-list EDGE_ACL pool EDGE refcount 3

pool EDGE: start 10.121.55.1 end 10.121.55.1 total addresses 1, allocated 1 (100%)
*Output reduced for clarity

86
Apache2 Reverse Proxy

Netstat - Client
TCP TCP [2001:db8:beef:10::16]:54640 [2001:db8:cafe:12::5]:80 ESTABLISHED [2001:db8:beef:10::16]:54641 [2001:db8:cafe:12::5]:80 ESTABLISHED 2001:db8:beef:10::16
Netstat - Proxy
2001:db8:cafe:12::5 Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 10.121.11.125:40475 10.121.11.60:80 ESTABLISHED tcp 0 0 10.121.11.125:40476 10.121.11.60:80 ESTABLISHED tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54640 ESTABLISHED tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54641 ESTABLISHED
10.121.11.125 Apache One-Arm Apache DualAttached TCP TCP IPv4-only Web Server <VirtualHost *:80> ProxyPass / http://10.121.11.60:80/ ProxyPassReverse / 2011 Cisco and/or its affiliates. All rights reserved. http://10.121.11.60:80/ BRKRST-2301
Cisco Public
Netstat - Server
10.121.11.125:40475 10.121.11.125:40476 ESTABLISHED ESTABLISHED
10.121.11.60:80 10.121.11.60:80
87
Microsoft Windows PortProxy

Can be treated like an appliance
One-arm
2001:db8:cafe:12::25 10.121.12.25 PortProxy One-Arm VIP=10.121.5.20 ACE PortProxy Dual-Attached
Dual-attached (better perf)
Outside traffic comes in on IPv6PortProxy to v4 (VIP address on ACE) Traffic is IPv4 to server
IPv4-only Web Server
BRKRST-2301
Cisco Public
88
PortProxy Configuration/Monitoring
netsh interface portproxy>sh all Listen on ipv6: Address Port Connect to ipv4: Address 10.121.5.20 Port 80
adsf
--------------- ---------2001:db8:cafe:12::25 80 Active Connections Proto Local Address
--------------- ----------
Foreign Address
State
TCP
TCP
10.121.12.25:58141
10.121.5.20:http
ESTABLISHED
ESTABLISHED
[2001:db8:cafe:12::25]:80
[2001:db8:cafe:10::17]:52047
conn-id 14 13
np dir proto vlan source 1 1 in TCP 5 5 10.121.12.25:58573 10.121.14.15:80
destination 10.121.5.20:80 10.121.5.12:1062
state ESTAB ESTAB
----------+--+---+-----+----+---------------------+---------------------+------+ out TCP
BRKRST-2301
Cisco Public
89
PortProxy Performance
Throughput Example
HTTP Throughput Comparison - Direct vs. PortProxy
247.2
250
200
192
206.4
Throughput (Mbps)
Direct v6-v6
150
PortProxy v6v4 PortProxy v6v6
100
50
download-1gig (1.2G)
BRKRST-2301
Cisco Public
90
PortProxy Performance
CPU Utilization on PortProxy Server
BRKRST-2301
Cisco Public
91
Dual Stack the Internet Edge

Internet
Dual stack the same network you have If not, do just enough IPv6-only to get you going Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
Edge Router
ISP 1
ISP 2
Outer Switch
You may have to embrace SLB64/Proxy/NAT64 for IPv4only apps
Security Services
Enterprise Core
DMZ/Server Farm
Inner switching/ SLB/Proxy/ Compute
Internal Enterprise
BRKRST-2301
Cisco Public
Web, Email, Other
92
What if I Cant Dual Stack My Edge?

Server Load Balancer
IPv6 Internet
IPv6
Stateful NAT64
IPv6 Internet
IPv6 -Apache -MSFT PortProxy
Proxy
IPv6 Internet
IPv6
IPv4
IPv4
IPv4
IPv4-only Host
IPv4-only Host
IPv4-only Host
BRKRST-2301
Cisco Public
93
Internet Edge - to - ISP

Boatloads of options
Single Link Single ISP
ISP 1
POP1
Dual Links Single ISP

ISP 1 POP2
Multi-Homed Multi-Region
USA ISP 1 ISP2
Default Route
IPv4-only
BGP
IPv6 Tunnel
BGP
Enterprise
Enterprise
Enterprise
ISP3
ISP4 Europe
94
Your ISP may not have IPv6 at the local POP BRKRST-2044 Enterprise Multi-homed Internet Architectures
WAN/Branch
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf
WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time Dual-stack should be the focus of your implementationbut, some situations still call for tunneling Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Corporate Network
Dont assume all features for every technology are IPv6-enabled

Better feature support in WAN/branch than in campus/DC
Dual Stack
SP Cloud
Dual Stack
Dual Stack
BRKRST-2301
Cisco Public
96
IPv6 Enabled Branch

Focus more on the provider and less on the gear
Branch Single Tier
Branch Dual Tier
SP support for various WAN types?
Branch Multi-Tier
HQ
SP support for port-toport IPv6?
HQ
MPLS
HQ
Internet
Frame
Internet
Dual-Stack IPSec VPN (IPv4/IPv6) Firewall (IPv4/IPv6) Integrated Switch (MLD-snooping)

BRKRST-2301
Dual-Stack IPSec VPN or Frame Relay Firewall (IPv4/IPv6) Switches (MLD-snooping)

Cisco Public
Dual-Stack IPSec VPN or MPLS (6PE/6VPE) Firewall (IPv4/IPv6) Switches (MLD-snooping)

97
Hybrid Branch Example

Mixture of attributes from each profile
An example to show configuration for different tiers Basic HA in critical roles is the goal
Branch
VLAN 101: 2001:DB8:CAFE:1002::/64 2001:DB8:CAFE:1000::/64
Headquarters
Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64 2001:DB8:CAFE:202::/64
ASA-1 BR1-LAN ::1 ::2 ::4 ::2
BR1-1 ::2
::1 HE1
::2 ::3
BR1-LAN-SW
WAN
::5 ::3 BR1-2 ::3 ::1 HE2
HSRP for IPv6 VIP Address - FE80::5:73FF:FEA0:2
Enterprise Campus Data Center
::3
VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer
BRKRST-2301
Cisco Public
98
DMVPN with IPv6

Hub Configuration Example
crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp key CISCO address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac ! crypto ipsec profile HUB set transform-set HUB interface Tunnel0 description DMVPN Tunnel 1 ip address 10.126.1.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::1/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 no ipv6 next-hop-self eigrp 10 no ipv6 split-horizon eigrp 10 ipv6 nhrp authentication CISCO ipv6 nhrp map multicast dynamic ipv6 nhrp network-id 10 ipv6 nhrp holdtime 600 ipv6 nhrp redirect tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile HUB
Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64
BR1-1 ::2
::1 HE1
::2 ::3
WAN
BR1-2 ::3
::1
Cisco Public
HE2
99
DMVPN with IPv6

Spoke Configuration Example
crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp key CISCO address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac ! crypto ipsec profile SPOKE interface Tunnel0 set transform-set SPOKE description to HUB ip address 10.126.1.2 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::2/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 no ipv6 next-hop-self eigrp 10 Backup DMVPN Tunnel (dashed) no ipv6 split-horizon eigrp 10 2001:DB8:CAFE:20B::/64 ipv6 nhrp authentication CISCO BR1-1 ::2 ::1 HE1 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1 ::2 ipv6 nhrp map multicast 172.16.1.1 ipv6 nhrp network-id 10 WAN ::3 ipv6 nhrp holdtime 600 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1 HE2 ::1 BR1-2 ::3 ipv6 nhrp shortcut tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile SPOKE
100
ASA with IPv6
Snippet of full config examples of IPv6 usage

name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server ! interface GigabitEthernet0/0 description TO WAN nameif outside security-level 0 ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5 ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5 ! interface GigabitEthernet0/1 description TO BRANCH LAN nameif inside security-level 100 ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2 ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2 ! ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3 ipv6 route outside ::/0 fe80::5:73ff:fea0:2 ! ipv6 access-list v6-ALLOW permit icmp6 any any ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP ! failover failover lan unit primary failover lan interface FO-LINK GigabitEthernet0/3 failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2 access-group v6-ALLOW in interface outside
101
Branch LAN
Connecting Hosts
ipv6 dhcp pool DATA_W7 dns-server 2001:DB8:CAFE:102::8 domain-name cisco.com ! interface GigabitEthernet0/0 description to BR1-LAN-SW no ip address duplex auto speed auto ! interface GigabitEthernet0/0.104 description VLAN-PC encapsulation dot1Q 104 ip address 10.124.104.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1004::1/64 ipv6 nd other-config-flag ipv6 dhcp server DATA_W7 ipv6 eigrp 10 ! interface GigabitEthernet0/0.105 description VLAN-PHONE encapsulation dot1Q 105 ip address 10.124.105.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1005::1/64 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig ipv6 nd managed-config-flag ipv6 dhcp relay destination 2001:DB8:CAFE:102::9 ipv6 eigrp 10
BR1-LAN
BR1-LAN-SW
VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer
102
Remote Access
Cisco Remote VPN IPv6
Client-based SSL
Internet
AnyConnect Client 2.x and higher

SSL/TLS or DTLS (datagram TLS = TLS over UDP) Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.
BRKRST-2301
Cisco Public
104
AnyConnect 2.xSSL VPN

asa-edge-1#show vpn-sessiondb svc Session Type: SVC Username : ciscoese Index : Assigned IP : 10.123.2.200 Public IP : Assigned IPv6: 2001:db8:cafe:101::101 Protocol : Clientless SSL-Tunnel DTLS-Tunnel License : SSL VPN Encryption : RC4 AES128 Hashing : Bytes Tx : 79763 Bytes Rx : Group Policy : AnyGrpPolicy Tunnel Group: Login Time : 14:09:25 MST Mon Dec 17 2007 Duration : 0h:47m:48s NAC Result : Unknown VLAN Mapping : N/A VLAN : 14 10.124.2.18
SHA1 176080 ANYCONNECT
none
Cisco ASA
Dual-Stack Host AnyConnect Client

105
AnyConnect 2.xSummary Configuration

interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.123.1.4 255.255.255.0 ipv6 enable ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.123.2.4 255.255.255.0 ipv6 address 2001:db8:cafe:101::ffff/64 ! ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200 webvpn enable outside svc enable tunnel-group-list enable group-policy AnyGrpPolicy internal group-policy AnyGrpPolicy attributes vpn-tunnel-protocol svc default-domain value cisco.com address-pools value AnyPool tunnel-group ANYCONNECT type remote-access tunnel-group ANYCONNECT general-attributes address-pool AnyPool ipv6-address-pool ANYv6POOL default-group-policy AnyGrpPolicy tunnel-group ANYCONNECT webvpn-attributes group-alias ANYCONNECT enable
Outside
2001:db8:cafe:101::ffff
Inside
http://www.cisco.com/en/US/docs/security/vp n_client/anyconnect/anyconnect20/administra tive/guide/admin6.html#wp1002258
Cisco Public
106
Communicating with the Service Provider
Top SP Concerns for Enterprise Accounts
Port to Port Access IPv6 Content
Multi-Homing
Provisioning
BRKRST-2301
Cisco Public
108
Port-to-Port Access
Port to Port Access IPv6 Content Provisioning Multi-Homing
Basic Internet* MPLS Hosted (see content)

BRKRST-2301
Dual-stack or native IPv6 at each POP SLA driven just like IPv4 to support VPN, content access
6VPE IPv6 Multicast End-to-End traceability
IPv6 access to hosted content Cloud migration (move data from Ent DC to Hosted DC)
Cisco Public
* = most common issue
109
Multi-Homing
PI/PA Policy * Concerns NAT Routing

BRKRST-2301
PA is no good for customers with multiple providers or change them at any pace PI is new, constantly changing expectations and no guarantee an SP wont do something stupid like not route PI space Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI Religious debate about the security exposure not a multi-homing issue If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from no scalable IPv6 NAT exists today Is it really different from what we do today with IPv4? Is this policy stuff? Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc.. this is largely missing today
Cisco Public
110
Content
Hosted/Cloud Apps today Move to Hosted/Cloud Contract/Managed Marketing/Portals

BRKRST-2301
IPv6 provisioning and access to hosted or cloud-based services today (existing agreements) Salesforce.com, Microsoft BPOS (Business Productivity Online Services), Amazon, Google Apps Movement from internal-only DC services to hosted/cloud-based DC Provisioning, data/network migration services, DR/HA
Third-party marketing, business development, outsourcing Existing contracts connect over IPv6
Cisco Public
111
Provisioning
SP SelfService Portals SLA

BRKRST-2301
Not a lot of information from accounts on this but it does concern them How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6
More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA Again, how can they do this over IPv6 AND for IPv6 services
Cisco Public
112
IPv6 integration should be managed from a broad architectural / systems-wide perspective

IPv6 integration is not just a network upgrade but complex endeavour, involving many elements and capabilities which evolve over time, rather than changing all at once.
Planning and coordination is required from many across the organisation, including Network engineers & operators Security engineers Application developers Desktop (Office Automation) / Server engineers Web hosting / content developers Business development managers
Moreover, training will be required for all involved in supporting the various IPv6 based network services
BRKRST-2301
Cisco Public
113
Conclusion
Dual stack where you can Tunnel where you must Translate when you have a gun to your head Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management Now is your time to build a network your way dont carry the IPv4 mindset forward with IPv6 unless it makes sense Deploy it at least in a lab IPv6 wont bite "If you don't like change, you're going to like irrelevance even less." - Gen. Shinseki, Chief of Staff, U.S. Army
BRKRST-2301
Cisco Public
114
Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Dont forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and ondemand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Presentation_ID
Cisco Public
115
Thank you.
BRKRST-2301
Cisco Public
116
Reference Slides
Reference Slides: Microsoft Windows Vista/Windows 7/Server 2008
Understand the Behavior of Vista/W7

IPv6 is preferred over IPv4
Vista/W7 sends IPv6 NA/NS/RS upon link-up
Attempts DHCP for IPv6 If no DHCP or local RA received with Global or ULA, then try ISATAP If no ISATAP, then try Teredo
Become familiar with Teredo http://www.microsoft.com/technet/prodtechnol/winx ppro/maintain/teredo.mspx
ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4 http://www.microsoft.com/technet/network/p2p/defa ult.mspx
BRKRST-2301
Cisco Public
119
In More DetailVista/W7 on Link-Up

No Network Services
No. Time 1 0.000000 2 0.000030 3 0.000080 4 1.155917 5 1.156683 6 3.484709 7 126.409530 8 128.886397 Source :: fe80::80aa:fd5:f7ae:4361 fe80::80aa:fd5:f7ae:4361 fe80::80aa:fd5:f7ae:4361 169.254.67.97 169.254.67.97 fe80::80aa:fd5:f7ae:4361 0.0.0.0 Destination ff02::1:ffae:4361 ff02::2 ff02::16 ff02::1:3 224.0.0.252 169.254.255.255 ff02::1:2 255.255.255.255 Protocol Info ICMPv6 Neighbor solicitation ICMPv6 Router solicitation ICMPv6 Multicast Listener Report Message v2 UDP Source port: 49722 Destination port: 5355 UDP Source port: 49723 Destination port: 5355 NBNS Name query NB ISATAP<00> DHCPv6 Information-request DHCP DHCP DiscoverTransaction ID 0x6c8d6efa
1. 2. 3.
Unspecified address :: Solicited node address NS/DAD Looking for a local router ff02::2 RS Looking for MLD enabled routers ff02::16 MLDv2 report
4.
5. 6. 7. 8.
LLMNR for IPv6ff02::1:3advertise hostname

LLMNR for IPv4224.0.0.252 from RFC 3927 address No global or ULA received via step 1/2Try ISATAP Try DHCP for IPv6ff02::1:2 Try DHCP for IPv4
fe80::80aa:fd5:f7ae:4361
120
IPv4 NetworkNo IPv6 Network Services

What Does Vista/W7 Try to Do?
No. Time Source Destination Protocol Info 13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK .... Bootstrap Protocol ... Your (client) IP address: 10.120.2.2 (10.120.2.2) ... Option: (t=3,l=4) Router = 10.120.2.1 Option: (t=6,l=4) Domain Name Server = 10.121.11.4 Option: (t=15,l=9) Domain Name = "cisco.com" .. No. Time Source 70 13.360756 10.120.2.2 No. Time Source 138 25.362181 10.120.2.2 No. Time Source 580 296.686197 10.120.2.2 581 296.687721 10.120.3.2 582 296.687794 10.120.2.2 583 296.687913 10.120.2.2 Destination 10.121.11.4 Destination 10.121.11.4 Destination 10.120.3.2 10.120.2.2 10.120.3.2 10.120.3.2 - Transaction ID 0x2b8af443
Protocol Info DNS Standard query A isatap.cisco.com Protocol Info DNS Standard query A teredo.ipv6.microsoft.com Protocol Info TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0
IPv4-only Router
10.120.2.2 ISATAP?? Teredo??
10.120.3.2
121
What Is Teredo?
RFC4380 Tunnel IPv6 through NATs (NAT types defined in RFC3489)
Full Cone NATs (aka one-to-one)Supported by Teredo Restricted NATsSupported by Teredo Symmetric NATsSupported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NATs
Uses UDP port 3544

Is complexmany sequences for communication and has several attack vectors Available on:
Microsoft Windows XP SP1 w/Advanced Networking Pack Microsoft Windows Server 2003 SP1 Microsoft Windows Vista/W7 (enabled by defaultinactive until application requires it) Microsoft Server 2008 http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx Linux, BSD and Mac OS XMiredo http://www.simphalempin.com/dev/miredo/
BRKRST-2301
Cisco Public
122
Teredo Components
Teredo ClientDual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
Teredo ServerDual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hostsListens on UDP port 3544 Teredo RelayDual-stack router that forwards packets between Teredo clients and IPv6-only hosts Teredo Host-Specific RelayDual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay
BRKRST-2301
Cisco Public
123
Teredo Overview
IPv6 or IPv6 over IPv4 traffic IPv6 over IPv4 traffic Teredo host-specific relay IPv6-only host
Teredo client
IPv4 Internet
NAT
Teredo server
IPv6 Internet
Teredo relay NAT IPv6 traffic Teredo client *From Microsoft Teredo Overview paper
124
Teredo Address
32 bits 32 bits 16 bits 16 bits 32 bits
Teredo prefix
Teredo Server IPv4 Address
Flags
Obfuscated External Port
Obfuscated External Address
Teredo IPv6 prefix (2001::/32previously was 3FFE:831F::/32) Teredo Server IPv4 address: global address of the server
Flags: defines NAT type (e.g. Cone NAT)

Obfuscated External Port: UDP port number to be used with the IPv4 address
Obfuscated External Address: contains the global address of the NAT

125
Initial Configuration for Client

1. 2. 3. 4. 5. 6. RS message sent from Teredo client to serverRS from LL address with Cone flag set Server responds with RARS has Cone flag setserver sends RA from alternate v4 addressif client receives the RA, client is behind cone NAT If RA is not received by client, client sends another RA with Cone flag not set Server responds with RA from v4 address = destination v4 address from RSif client receives the RA, client is behind restricted NAT To ensure client is not behind symmetric NAT, client sends another RS to secondary server 2nd server sends an RA to clientclient compares mapped address and UDP ports in the Origin indicators of the RA received by both servers. If different, then the NAT is mapping same internal address/port to different external address/port and NAT is a symmetric NAT Client constructs Teredo address from RA
First 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo server address) Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT) Next 16 bits are external obscured UDP port from Origin indicator in RA Last 32 bits are obscured external IP address from Origin indicator in RA
7.
6 5 3 1
Teredo Server 2
Teredo Client
7 2001:0:4136:e37e:0:fbaa:b97e:fe4e
Teredo Prefix Teredo Server v4 Flags Ext. UDP External v4 Port v4 address
NAT
IPv4 Internet
4 2
Teredo Server 1
BRKRST-2301
Cisco Public
126
What Happens on the Wire1

No. Time Source Destination Protocol Info 15 25.468050 172.16.1.103 151.164.11.201 DNS No. Time Source Destination Protocol Info 16 25.481609 151.164.11.201 172.16.1.103 DNS 65.54.227.127 A 65.54.227.120 A 65.54.227.124 Standard query A teredo.ipv6.microsoft.com Standard query response A 65.54.227.126 A
netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : probe(cone) Type : teredo client Network : unmanaged NAT : cone netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : qualified Type : teredo client Network : unmanaged NAT : restricted
127

No. Time Source Destination Protocol Info 28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source Destination Protocol Info 29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) No. Time Source Destination Protocol Info 31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source Destination Protocol Info 32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103) User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109) Teredo Origin Indication header Origin UDP port: 1109 Origin IPv4 address: 70.120.2.1 (70.120.2.1) Prefix: 2001:0:4136:e37e:: No. Time Source Destination Protocol Info 33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source Destination Protocol Info 34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103) Teredo Origin Indication header Origin UDP port: 1109 Origin IPv4 address: 70.120.2.1 (70.120.2.1) Prefix: 2001:0:4136:e37e::
Send RS Cone Flag=1 (Cone NAT), every 4 seconds

If no reply, send Flag=0 (restricted NAT) Receive RA with Origin header and prefix Send RS to 2nd server to check for symmetric NAT Compare 2nd RAOrigin port/address from 2nd server
128

No. Time Source 82 139.258206 172.16.1.103 Destination 151.164.11.201 Protocol Info DNS Standard query AAAA www.kame.net
Protocol Info DNS Standard query response AAAA
DNS lookup Response ICMP to host via Teredo Server
No. Time Source Destination 83 139.530547 151.164.11.201 172.16.1.103 2001:200:0:8002:203:47ff:fea5:3085
No. Time Source Destination Protocol Info 96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo request Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source 97 149.405579 fe80::8000:5445:5245:444f
Destination Protocol Info 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header Relay sends Bubble Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103) Teredo IPv6 over UDP tunneling packet to Teredo Origin Indication header client via Origin UDP port: 50206 serverclient Origin IPv4 address: 66.117.47.227 (66.117.47.227) No. Time Source 98 149.405916 172.16.1.103 No. Time Source 99 149.463719 66.117.47.227 No. Time Source 100 149.464100 172.16.1.103 No. Time Source 101 149.789493 66.117.47.227 Destination 66.117.47.227 Destination 172.16.1.103 Destination 66.117.47.227 Destination 172.16.1.103 Protocol Info UDP Source port: 1109 Destination port: 50206 Protocol Info UDP Source port: 50206 Destination port: 1109 Protocol Info UDP Source port: 1109 Destination port: 50206 Protocol Info UDP Source port: 50206 Destination port: 1109
receives relay address-port Packets to/from IPv6 host and client traverse relay
According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sentbeing researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspx
129
What Happens on the Wire3 (Cont.)

Interface 7: Teredo Tunneling Pseudo-Interface Addr Type --------Public Link DAD State Valid Life Pref. Life ---------- ------------ -----------Preferred infinite infinite Preferred infinite infinite Address ----------------------------2001:0:4136:e37e:0:fbaa:b97e:fe4e fe80::ffff:ffff:fffd
C:\>ping www.kame.net Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data Reply Reply Reply Reply from from from from 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: time=829ms time=453ms time=288ms time=438ms
BRKRST-2301
Cisco Public
130
Maintaining NAT Mapping

Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT state
Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59No next header)
No. Time Source 35 46.399072 2001:0:4136:e37e:0:fbaa:b97e:fe4e Destination ff02::1 Protocol Info IPv6 IPv6 no next header
Frame 35 (82 bytes on wire, 82 bytes captured) Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd) Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) Teredo IPv6 over UDP tunneling Internet Protocol Version 6 Version: 6 Traffic class: 0x00 Flowlabel: 0x00000 Payload length: 0 Next header: IPv6 no next header (0x3b) Hop limit: 21 Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e Destination address: ff02::1
BRKRST-2301
Cisco Public
131
Reference Slides: ISATAP Overview
Intrasite Automatic Tunnel Address Protocol

RFC 4214
This is for enterprise networks such as corporate and academic networks
Scalable approach for incremental deployment

ISATAP makes your IPv4 infratructure as transport (NBMA) network
BRKRST-2301
Cisco Public
133
Intrasite Automatic Tunnel Address Protocol

Use IANAs OUI 00-00-5E and Encode IPv4 Address as Part of EUI-64
64-bit Unicast Prefix
0000:5EFE:
32-bit
IPv4 Address
32-bit
Interface Identifier (64 bits)
ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network
Supported in Windows XP Pro SP1 and others
BRKRST-2301
Cisco Public
134
Automatic Advertisement of ISATAP Prefix

ISATAP Host A IPv4 Network ISATAP Tunnel ISATAP Router 1 E0 IPv6 Network
ICMPv6 Type 133 (RS) IPv4 Source: 206.123.20.100 IPv4 Destination: 206.123.31.200 IPv6 Source: fe80::5efe:ce7b:1464 IPv6 Destination: fe80::5efe:ce7b:1fc8 Send me ISATAP Prefix
ICMPv6 Type 134 (RA) IPv4 Source: 206.123.31.200 IPv4 Destination: 206.123.20.100 IPv6 Source: fe80::5efe:ce7b:1fc8 IPv6 Destination: fe80::5efe:ce7b:1464 ISATAP Prefix: 2001:db8:ffff :2::/64
BRKRST-2301
Cisco Public
135
Automatic Address Assignment of Host and Router

ISATAP Host A IPv4 Network ISATAP Tunnel 206.123.20.100 fe80::5efe:ce7b:1464 2001:db8:ffff:2::5efe:ce7b:1464 ISATAP Router 1 E0 IPv6 Network
206.123.31.200 fe80::5efe:ce7b:1fc8 2001:db8:ffff:2::5efe:ce7b:1fc8
ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.
136
Reference Slides: Multicast
IPv4 and IPv6 Multicast Comparison
Service Addressing Range
IPv4 Solution 32-bit, Class D Protocol Independent, All IGPs and MBGP PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR IGMPv1, v2, v3 Boundary, Border MSDP Across Independent PIM Domains
Cisco Public
IPv6 Solution 128-bit (112-bit Group)
Routing
Protocol Independent, All IGPs and MBGP with v6 mcast SAFI PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
MLDv1, v2 Scope Identifier Single RP Within Globally Shared Domains
138
Forwarding
Group Management Domain Control Interdomain Solutions
BRKRST-2301
MLDv1: Joining a Group (REPORT)

FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE
H1
H2
1
1
Destination: FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131
2 2 Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131 FE80::207:85FF:FE80:692
1 2
H1 sends a REPORT for the group

H2 sends a REPORT for the group
rtr-a
Source
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
139
MLDv1: Host Management

(Group-Specific Query)
FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE
H1
3 REPORT to group
1 1 Destination:
FF02::2 ICMPv6 Type: 132 ICMPv6 Type: 131
H2
2 Destination:
FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 130
1 H1 sends DONE to FF02::2 2 RTR-A sends Group-Specific Query 3 H2 sends REPORT for the group
rtr-a
FE80::207:85FF:FE80:692
Source
Group:FF3E:40:2001:DB8:C003:1109:1111:1111
BRKRST-2301
Cisco Public
140
Other MLD Operations

Leave/DONE
Last host leavessends DONE (Type 132) Router will respond with group-specific query (Type 130) Router will use the last member query response interval (Default=1 sec) for each query Query is sent twice and if no reports occur then entry is removed (2 seconds)
General Query (Type 130)

Sent to learn of listeners on the attached link Sets the multicast address field to zero
Sent every 125 seconds (configurable)
BRKRST-2301
Cisco Public
141
A Few Notes on Tunnels

PIM uses tunnels when RPs/sources are known
Source registering (on first-hop router)
Uses virtual tunnel interface (appear in OIL for [S,G])
Created automatically on first-hop router when RP is known

Cisco IOS keeps tunnel as long as RP is known Unidirectional (transmit only) tunnels PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)
BRKRST-2301
Cisco Public
142
PIM Tunnels (DR-to-RP)

branch#show ipv6 pim tunnel Tunnel1* Type : PIM Encap RP : 2001:DB8:C003:1116::2 Source: 2001:DB8:C003:111E::2 branch#show interface tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2 Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled Checksumming of packets disabled Tunnel is transmit only Last input never, output never, output hang never Last clearing of "show interface" counters never output truncated
Corporate Network
Source
L0
RP
DR
143
PIM Tunnels (RP)

Source registering (on RP) two virtual tunnels are created
One transmit only for registering sources locally connected to the RP
One receive only for decapsulation of incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and RP!
BRKRST-2301
Cisco Public
144
PIM Tunnels (RP-for-Source)

RP-router#show ipv6 pim tunnel Tunnel0* Type : PIM Encap RP : 2001:DB8:C003:1116::2 Source: 2001:DB8:C003:1116::2 Tunnel1* Type : PIM Decap RP : 2001:DB8:C003:1116::2 Source: RP-router#show interface tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 2001:DB8:C003:1116::2 (FastEthernet0/0), destination 2001:DB8:C003:1116::2 Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled Checksumming of packets disabled Tunnel is receive only output truncated
Corporate Network
Source
Tu
RP
L0
145
Tunneling v6 Multicast
v6 in v4
v6 in v4 most widely used
tunnel mode ipv6ip <----- IS-IS cannot traverse
v6 in v4 GRE (IS-IS can traverse)

tunnel mode gre ip
ISATAP/6to4 do not support IPv6 multicast v6 in v6 v6 in v6

tunnel mode ipv6
v6 in v6 GRE
tunnel mode gre ipv6
BRKRST-2301
Cisco Public
146
Source Specific Multicast (SSM)

No configuration required other than enabling
ipv6 multicast-routing router#show ipv6 pim range-list config SSM Exp: never Learnt from : ::
FF33::/32 Up: 1d00h

FF34::/32 Up: 1d00h FF35::/32 Up: 1d00h FF36::/32 Up: 1d00h FF37::/32 Up: 1d00h FF38::/32 Up: 1d00h FF39::/32 Up: 1d00h FF3A::/32 Up: 1d00h FF3B::/32 Up: 1d00h FF3C::/32 Up: 1d00h FF3D::/32 Up: 1d00h FF3E::/32 Up: 1d00h FF3F::/32 Up: 1d00h
SSM group ranges are automatically defined Requires MLDv2 on host or SSM Mapping feature
BRKRST-2301
Cisco Public
147
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2)
Range of groups can be statically defined or used with DNS
Wildcards can be used to define range of groups
BRKRST-2301
Cisco Public
148
SSM-Mapping
core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11 (2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT Incoming interface: GigabitEthernet3/3 RPF nbr: FE80::20E:39FF:FEAD:9B00 Immediate Outgoing interface list: GigabitEthernet5/1, Forward, 00:01:20/00:03:06 2001:DB8:CAFE:11::11
FF33::DEAD
Corporate Network
Source
Static Mapping:
ipv6 multicast-routing ! ipv6 mld ssm-map enable ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11 no ipv6 mld ssm-map query dns ! ipv6 access-list MAP permit ipv6 any host FF33::DEAD
SSM
DNS Mapping (the default):

ipv6 multicast-routing ! ipv6 mld ssm-map enable ! ip domain multicast ssm-map.cisco.com ip name-server 10.1.1.1
MLDv1
149
IPv6 Multicast Static RP

Easier than before as PIM is auto-enabled on every interface
Source ipv6 multicast-routing ! interface Loopback0 description IPV6 IPmc RP no ip address ipv6 address 2001:DB8:C003:110A::1/64 ! ipv6 pim rp-address 2001:DB8:C003:110A::1/64 ipv6 multicast-routing ! ipv6 pim rp-address 2001:DB8:C003:110A::1/64
L0 Corporate Network
RP IP WAN
BRKRST-2301
Cisco Public
150
IPv6 Multicast PIM BSR: Configuration

wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2 ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2
RP2001:DB8:C003:1116::2
Corporate Network IP WAN
Source
RP2001:DB8:C003:110A::1
wan-bottom#sh run | incl ipv6 pim bsr ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1 ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
BRKRST-2301
Cisco Public
151
Bidirectional PIM (Bidir)

The same many-to-many model as before
Configure Bidir RP and range via the usual ip pim rp-address syntax with the optional bidir keyword
! ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir ! #show ipv6 pim range | include BD Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::
BRKRST-2301
Cisco Public
152
Embedded-RP Addressing Overview

RFC 3956
Relies on a subset of RFC3306IPv6 unicastprefix-based multicast group addresses with special encoding rules:
Group address carries the RP address for the group!
8 4 4 4 4 8 64 32 FF | Flags| Scope |Rsvd | RPaddr| Plen | Network Prefix | Group ID
New Address format defined :

Flags = 0RPT, R = 1, P = 1, T = 1=> RP address embedded (0111 = 7) Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
Embedded RP: 2001:0DB8:C003:111D::1
BRKRST-2301
Cisco Public
153
Embedded-RP
PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy:
Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
Embedded-RP is just a method to learn ONE RP address for a multicast group:

It can not replace RP-redundancy as possible with BSR or MSDP/Anycast-RP
Embedded-RP does not (yet) support Bidir-PIM

Simply extending the mapping function to define Bidir-PIM RPs is not sufficient:
In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported
BRKRST-2301
Cisco Public
154
Embedded-RP Configuration Example

Corporate Network
Source
L0
RP to be used as an Embedded-RP needs to be configured with address/group range
RP
All other non-RP routers require no special configuration
IP WAN
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP ! ipv6 access-list ERP permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
BRKRST-2301
Cisco Public
155
Embedded RPDoes It Work?

branch#show ipv6 pim group FF7E:140:2001:DB8:C003:111D ::/96* RP : 2001:DB8:C003:111D::1 Protocol: SM Client : Embedded Groups : 1 Info : RPF: Se0/0.1,FE80::210:7FF:FEDD:40
IP WAN
To RP
branch#show ipv6 mroute active Active IPv6 Multicast Sources - sending >= 4 kbps Group: FF7E:140:2001:DB8:C003:111D:0:1112 Source: 2001:DB8:C003:1109::2 Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec) branch#show ipv6 pim range | include Embedded
Receiver Sends Report
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::

FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24
BRKRST-2301
Cisco Public
156
BRKRST-2301
Cisco Public
157

How To Convince Your Boss To Deploy Ipv6

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How To Convince Your Boss To Deploy Ipv6

Uploaded by

Copyright:

Available Formats

Enterprise IPv6 Deployment

2011 Cisco and/or its affiliates. All rights reserved.

General Network Considerations

Communicating with the Service Providers

AppendixFor Reference Only

IPv6 Activity in the Enterprise

Dramatic Increase in Enterprise Activity

OS/Apps Fixing Old Problems

Microsoft Windows 7, Server 2008 Microsoft DirectAccess

2011 Cisco and/or its affiliates. All rights reserved.

IANA/RIR IPv4 Exhaustion

100 90 80 70 Probability (%) 60 50 40 30

Source: Geoff Huston, APNIC

Innocent W2K3 -to- W2K8 Upgrade

Upgraded Host to Windows 2008

Can happen if the circumstances are right http://technet.microsoft.com/enus/library/bb878128.aspx

Mergers & Acquisitions

NAT Overlap + IPv6 Overlay Network

IPv4 static NAT entries for each server X how many??

Partial Overlay + Partial Dual Stack

2011 Cisco and/or its affiliates. All rights reserved.

Dual Stack Everywhere

Corp HQ Dual Stack

2011 Cisco and/or its affiliates. All rights reserved.

Planning and Deployment Summary

Enterprise Adoption Spectrum

Production/Looking for parity and beyond

Cisco IPv6 Deployment - A Lifecycle Approach

Operational Excellence Adapt to Changing Business Requirements

Assess Readiness Can Your Network Support the Proposed System?

Maintain Network Health Manage, Resolve, Repair, Replace

Design the Solution Products, Service, Support Aligned to Requirements

Implement the Solution Integrate Without Disruption or Causing Vulnerability

IPv6 Integration Outline

2011 Cisco and/or its affiliates. All rights reserved.

Edge-to-Core Challenging but doable

2011 Cisco and/or its affiliates. All rights reserved.

IPv6 Address Considerations

2001:0000:0000:00A1: 0000:0000:0000:1E2A 00A1:

2001:0:0: A1: ::1E2A

2011 Cisco and/or its affiliates. All rights reserved.

PI and PA Allocation Process

Level Four Enterprise

2011 Cisco and/or its affiliates. All rights reserved.

Hierarchical Addressing and Aggregation

Only Announces the /32 Prefix

2001:DB8::/32 IPv6 Internet 2000::/3

2011 Cisco and/or its affiliates. All rights reserved.

ULA, ULA + Global or Global

Lets explore these options

2011 Cisco and/or its affiliates. All rights reserved.

Unique-Local Addressing (RFC4193)

Default prefix is /48

Generate your own ULA: http://www.sixxs.net/tools/grh/ula/

Not Recommended Today

2011 Cisco and/or its affiliates. All rights reserved.

ULA + Global Example

DHCPv6 Client Network

2011 Cisco and/or its affiliates. All rights reserved.

Easier management of DHCP, DNS, security, etc.

Randomized IID and Privacy Extensions

2011 Cisco and/or its affiliates. All rights reserved.