Shannon McFarland, CCIE# 5245, VCP
Corporate Consulting Engineer, Office of the CTO
shmcfarl@cisco.com
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco
Reference Materials
Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns8
CCO IPv6 Main Page: http://www.cisco.com/go/ipv6
Cisco Network Designs: http://www.cisco.com/go/designzone
Recommended Reading
Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah, ISBN 0470193387, John Wiley & Sons Publications
Coming Soon!!
Agenda
The Need for IPv6
Planning and Deployment Summary
Address Considerations
General Concepts
Infrastructure Deployment
  Campus/Data Center
  WAN/Branch
  Remote Access
Provider Considerations
IPv6 OS, Content & Applications
IPv6 Infrastructure Evolution
SmartGrid, SmartCities DOCSIS 3.0, 4G/LTE ,IPSO
Higher Education/Research
Consumer
Manufacturing
Health Care
Transportation
Agriculture/ Wildlife
Is it real?
Do I need to deploy everywhere?
Equipment status?
SP support?
Addressing
What does it cost?
Still fighting vendors
Content and wide-scale app deployment
Review operational cost of 2 stacks
Competitive/Strategic advantages of new environment
Deployment Phases
Establish the network starting point
Importance of a network assessment and available tools
Defining early IPv6 security guidelines and requirements
Additional IPv6 predeployment tasks needing consideration
Transport considerations for integration
Campus IPv6 integration options
WAN IPv6 integration options
Advanced IPv6 services options
Start dual-stack on the WAN/campus core/edge routers
NAT64 for servers/apps only capable of IPv4 (temporary only)
[Figure: edge-to-core rollout with a dual-stack IPv4-IPv6 core and edge. Segments shown: v4 and v6 (10.1.4.0/24, 2001::/64); v6-enabled / v6 only (2001::/64, IPv6 server); v4 only (10.1.2.0/24, IPv4-only segment); NAT64/DNS64]
Address Considerations
[Figure: hierarchical addressing. ISP 2001:DB8::/32; site prefixes 2001:DB8:0001::/48 and 2001:DB8:0002::/48 (Site 2); subnets 2001:DB8:0002:0001::/64 and 2001:DB8:0002:0002::/64]
Default is /48, can be larger
End-user Additional Assignment: https://www.arin.net/resources/request/ipv6_add_assign.html
Provider independent: see Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html
Do I Get PI or PA?
It depends
PI space is great for ARIN controlled space (not all RIRs have approved PI space)
PA is a great space if you plan to use the same SP for a very long time or you plan to NAT everything with IPv6 (not likely)
More important things to consider: do you get a prefix for the entire company or do you get one prefix per site (what defines a site?)
Routing/security control
You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range; today this is the only way the ULA scope can be enforced
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
Generated ULA = fd9c:58ed:7d73::/48
* MAC address = 00:0D:9D:93:A0:C3 (Hewlett Packard)
* EUI-64 address = 020D9Dfffe93A0C3
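The ULA generation and perimeter check described above, as an added example that is not part of the original deck: it derives the modified EUI-64 from the MAC shown on the slide, builds a /48 using the RFC 4193 section 3.2.2 algorithm, and flags perimeter flows whose SA or DA falls in FC00::/7. The NTP timestamp and the flow records are constructed sample values, and the function names are illustrative.

```python
"""Added example: RFC 4193 ULA generation and a perimeter ULA-leak check."""
import hashlib
import ipaddress
import struct

ULA_RANGE = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local range


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE in the middle and flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def generate_ula_prefix(mac: str, ntp_timestamp: int) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the low 40 bits."""
    key = struct.pack("!Q", ntp_timestamp) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]   # least significant 40 bits
    packed = b"\xfd" + global_id + bytes(10)      # FC00::/7 with the L bit set
    return ipaddress.IPv6Network((packed, 48))


def ula_leaks(flows):
    """Return perimeter flows that carry a ULA source (SA) or destination (DA)."""
    leaks = []
    for direction, src, dst in flows:
        fields = [name for name, addr in (("SA", src), ("DA", dst))
                  if ipaddress.ip_address(addr) in ULA_RANGE]
        if fields:
            leaks.append((direction, src, dst, "/".join(fields)))
    return leaks


# Constructed flow records as seen on the Internet-facing interface.
SAMPLE_FLOWS = [
    ("out", "2001:db8:cafe:2800::10", "2001:db8:1::80"),    # global to global
    ("out", "fd9c:58ed:7d73:2800::10", "2001:db8:1::80"),   # ULA source leaking out
    ("in", "2001:db8:1::80", "fd9c:58ed:7d73:3000::20"),    # ULA destination coming in
    ("in", "fe80::1", "2001:db8:cafe:2::1"),                # link-local is not ULA
]

if __name__ == "__main__":
    print("EUI-64:", mac_to_eui64("00:0D:9D:93:A0:C3").hex())
    # Constructed NTP timestamp; a real run uses the current time of day.
    print("ULA /48:", generate_ula_prefix("00:0D:9D:93:A0:C3", 0xD1E8A3F280000000))
    for leak in ula_leaks(SAMPLE_FLOWS):
        print("block:", leak)
```

Because the timestamp feeds the hash, the output prefix differs from the slide's fd9c:58ed:7d73::/48 unless the same timestamp is used.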
ULA-Only
[Figure: ULA-only design. Labels: Internet, Branch 1, Branch 2, Corp HQ, Corporate Backbone, Global External 2001:DB8:CAFE::/48, Internal ULA, Requires NAT for IPv6. Prefixes shown: FD9C:58ED:7D73:2800::/64, FD9C:58ED:7D73:3000::/64, FD9C:58ED:7D73::2::/64]
Everything internal runs the ULA space
A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet; must run filters to prevent any SA/DA in ULA range from being forwarded
Works as it does today with IPv4 except that today, there are no scalable NAT/Proxies for IPv6
Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
ULA + Global
Not Recommended
[Figure: ULA + Global design. Labels: Internet, Branch 1, Branch 2, Corp HQ, Corporate Backbone, Global 2001:DB8:CAFE::/48. Prefix pairs shown: FD9C:58ED:7D73:2800::/64 with 2001:DB8:CAFE:2800::/64; FD9C:58ED:7D73:3000::/64 with 2001:DB8:CAFE:3000::/64]
Both ULA and Global are used internally except for internal-only hosts
Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
In theory, ULA talks to ULA and Global talks to Global; SAS should work this out
ULA-only and Global-only hosts can talk to one another internal to the network
Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
Management overhead for DHCP, DNS, routing, security, etc.
Considerations: ULA + Global
Use DHCPv6 for ULA and Global; apply different policies for both (lifetimes, options, etc.)
Check routability for both: can you reach an AD/DNS server regardless of which address you have?
Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.)
If using SLAAC for both: Microsoft Windows allows you to enable/disable privacy extensions globally; this means you are either using them for both or not at all!!!
One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)

Temporary  Preferred  6d23h59m55s  23h59m55s   2001:db8:cafe:2:cd22:7629:f726:6a6b
Dhcp       Preferred  13d1h33m55s  6d1h33m55s  fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other      Preferred  infinite     infinite    fe80::8828:723c:275e:846d%8

Unlike Global and link-local scopes, ULA is not automatically controlled at the appropriate boundary; you must prevent ULA prefix from going out or in at your perimeter
SAS behavior is OS dependent and there have been issues with it working reliably
interface Vlan2
 description ACCESS-DATA-2
 ipv6 address 2001:DB8:CAFE:2::D63/64
 ipv6 address FD9C:58ED:7D73:1002::D63/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
[Figure labels: DHCPv6 Server 2001:DB8:CAFE:11::9; DHCPv6 Client; Network]
Global-Only
Recommended
[Figure: Global-only design. Labels: Internet, Branch 1, Branch 2, Corp HQ, Corporate Backbone, Global 2001:DB8:CAFE::/48. Prefixes shown: 2001:DB8:CAFE:2800::/64, 2001:DB8:CAFE:3000::/64, 2001:DB8:CAFE:2::/64]
Global is used everywhere
No issues with SAS
No requirements to have NAT for ULA-to-Global translation, but NAT may be used for other purposes
Easier management of DHCP, DNS, security, etc.
Only downside is breaking the habit of believing that topology hiding is a good security method
Alternatively, use DHCP (see later) to a specific pool
Randomized addresses are generated for non-temporary autoconfigured addresses, including public and link-local; used instead of EUI-64 addresses
Randomized addresses engage Optimistic DAD: likelihood of duplicate LL address is rare so RS can be sent before full DAD completion
Windows Vista/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this
64 bits
  Recommended by RFC3177 and IAB/IESG
  Consistency makes management easy
  MUST for SLAAC (MSFT DHCPv6 also)
  Significant address space loss (18.466 Quintillion)
< 64 bits
  Enables more hosts per broadcast domain
  Considered bad practice
  64 bits offers more space for hosts than the media can support efficiently
> 64 bits
  Address space conservation
  Special cases: /126 valid for p2p; /127 not valid for p2p (RFC3627); /128 loopback
  Complicates management
  Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
What happens to route filters? ACLs? Nothing, unless you are blocking to/from the router itself
Stuff to think about:
  Always use a RID
  Some Cisco devices require ipv6 enable on the interface in order to generate and use a link-local address
  Enable the IGP on each interface used for routing or that requires its prefix to be advertised
ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::1/128
 ipv6 eigrp 10
!
interface Vlan200
 ipv6 address 2001:DB8:CAFE:200::1/64
 ipv6 eigrp 10
!
interface GigabitEthernet1/1
 ipv6 enable
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.1
 no shutdown

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::2/128
 ipv6 eigrp 10
!
interface GigabitEthernet3/4
 ipv6 eigrp 10
!
interface GigabitEthernet1/2
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.2
 no shutdown

IPv6-EIGRP neighbors for process 10
0   Link-local address:         Gi1/2
    FE80::212:D9FF:FE92:DE77
Interface-ID Selection
Network Devices
Reconnaissance for network devices: the search for something to attack
Use random 64-bit interface-IDs for network devices
  2001:DB8:CAFE:2::1/64 - Common IID
  2001:DB8:CAFE:2::9A43:BC5D/64 - Random IID
  2001:DB8:CAFE:2::A001:1010/64 - Semi-random IID
DHCPv6
Updated version of DHCP for IPv4
Client detects the presence of routers on the link
If found, then examines router advertisements to determine if DHCP can or should be used
If no router found or if DHCP can be used, then:
  Using the link-local address as the source address
  DHCP Solicit message is sent to the All-DHCP-Agents multicast address
DHCPv6 Operation
Client -> Relay: Solicit
Relay -> Server: Relay-Fwd w/Solicit
Server -> Relay: Relay-Reply w/Advertise
Relay -> Client: Advertise
Client -> Relay: Request
Relay -> Server: Relay-Fwd w/Request
Server -> Relay: Relay-Reply w/Reply
Relay -> Client: Reply
All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
All_DHCP_Servers (FF05::1:3)
DHCP Messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547
Stateful/Stateless DHCPv6
Stateful and stateless DHCPv6 server
Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
Relay-Forw(Solicit(IA_NA)) Relay-Repl(Advertise(IA_NA(addr)))
Relay-Forw(Request(IA_NA)) Relay-Repl(Reply(IA_NA(addr)))
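The relayed Solicit from the DHCPv6 operation and Relay-Forw(Solicit(IA_NA)) slides, built and parsed at the byte level as an added example that is not part of the original deck. Message types, option codes and header layout follow RFC 8415; the transaction ID, IAID and DUID are constructed sample values, the relay and client addresses reuse addresses shown on earlier slides, and the function names are illustrative.

```python
"""Added example: a DHCPv6 Solicit wrapped in Relay-Forw, then parsed back."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 12, 13
OPT_CLIENTID, OPT_IA_NA, OPT_RELAY_MSG = 1, 3, 9
CLIENT_PORT, SERVER_PORT = 546, 547            # UDP ports from the slide
ALL_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"     # destination of the client Solicit
RELAY_HEADER_LEN = 34                          # type + hop count + two IPv6 addresses


def option(code: int, data: bytes) -> bytes:
    """Encode one option: 16-bit code, 16-bit length, value."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf: bytes) -> dict:
    """Decode an option list, rejecting headers or values that overrun the buffer."""
    opts, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns the message" % code)
        opts[code] = buf[off:off + length]
        off += length
    return opts


def build_solicit(xid: int, duid: bytes, iaid: int) -> bytes:
    """Client message: 1-byte type, 3-byte transaction ID, then options."""
    ia_na = struct.pack("!III", iaid, 0, 0)    # IAID, T1, T2 (0 lets the server choose)
    return (bytes([SOLICIT]) + xid.to_bytes(3, "big")
            + option(OPT_CLIENTID, duid) + option(OPT_IA_NA, ia_na))


def relay_forward(client_msg: bytes, link_addr: str, peer_addr: str,
                  hop_count: int = 0) -> bytes:
    """Relay message: type, hop count, link-address, peer-address, Relay Message option."""
    return (bytes([RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + option(OPT_RELAY_MSG, client_msg))


def parse_message(buf: bytes) -> dict:
    """Parse a client/server or relay message; relay payloads are parsed recursively."""
    if not buf:
        raise ValueError("empty message")
    msg_type = buf[0]
    if msg_type in (RELAY_FORW, RELAY_REPL):
        if len(buf) < RELAY_HEADER_LEN:
            raise ValueError("truncated relay header")
        opts = parse_options(buf[RELAY_HEADER_LEN:])
        if OPT_RELAY_MSG not in opts:
            raise ValueError("relay message without Relay Message option")
        return {"type": msg_type, "hop_count": buf[1],
                "link": str(ipaddress.IPv6Address(buf[2:18])),
                "peer": str(ipaddress.IPv6Address(buf[18:34])),
                "inner": parse_message(opts[OPT_RELAY_MSG])}
    if len(buf) < 4:
        raise ValueError("truncated client/server header")
    return {"type": msg_type, "xid": int.from_bytes(buf[1:4], "big"),
            "options": parse_options(buf[4:])}


def demo_relayed_solicit() -> dict:
    duid = bytes.fromhex("00030001000d9d93a0c3")   # constructed DUID-LL (Ethernet)
    solicit = build_solicit(0x10AB3C, duid, iaid=1)
    # link-address: the relay's Vlan2 address; peer-address: the client's link-local.
    wire = relay_forward(solicit, "2001:db8:cafe:2::d63", "fe80::8828:723c:275e:846d")
    return parse_message(wire)


if __name__ == "__main__":
    print(demo_relayed_solicit())
```

The link-address field is what lets the server pick the right pool for a relayed client, so it is the first field to check when a client behind a relay gets an address from the wrong prefix.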
CNR/W2K8: DHCPv6
Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
GLBP for v6
[Figure labels: GLBP AVG, AVF; GLBP AVF, SVF]
Modification to Neighbor Advertisement, Router Advertisement; GW is announced via RAs
Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
For rudimentary HA at the first hop
Hosts use NUD reachable time to cycle to next known default gateway (30s by default)
No longer needed
First-Hop Redundancy
When HSRP, GLBP and VRRP for IPv6 are not available, NUD can be used for rudimentary HA at the first hop (today this only applies to the Campus/DC; HSRP is available on routers)
(config-if)#ipv6 nd reachable-time 5000
Hosts use NUD reachable time to cycle to next known default gateway (30 seconds by default)
Can be combined with default router preference to determine primary gw:
(config-if)#ipv6 nd router-preference {high | medium | low}
Default Gateway . . . . . . . . . : 10.121.10.1
                                    fe80::211:bcff:fec0:d000%4
                                    fe80::211:bcff:fec0:c800%4
[Figure labels: Distribution Layer; To Core Layer; callouts: 6s, 5s]
HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
No HSRP IPv6 secondary address
No HSRP IPv6 specific debug

standby version 2
standby 1 ipv6 autoconfig
standby 1 preempt
standby 1 timers msec 250 msec 800
standby 1 preempt delay minimum 180
standby 1 track FastEthernet0/0

#route -A inet6 | grep ::/0 | grep eth2
::/0    fe80::5:73ff:fea0:1    UGDA  1024   0   0 eth2
Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
interface FastEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 cef
 glbp 1 ipv6 autoconfig
 glbp 1 timers msec 250 msec 750
 glbp 1 preempt delay minimum 180
 glbp 1 authentication md5 key-string cisco
PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast
RP Deployment: Static, Embedded
Host Multicast Control via MLD
[Figure labels: S, DR, RP, DR]
MLD snooping
ASM Across Single Shared PIM Domain, One RP: Embedded-RP
[Figure labels: S, DR, R, RP; callouts: "He is the RP", "Alert! I want GRP=A from RP=B"]
Additional support for IPv6 does not always require new Command Line Interface (CLI)
Example: WRED
IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1     4 000d.6084.2c7a  STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC    16 000d.6084.2c7a  STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC              16 000d.6084.2c7a  STALE Vl2

Full internet route tables: ensure to account for TCAM/memory requirements for both IPv4/IPv6; not all vendors can properly support both
Multiple routing protocols: IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present
Control plane impact when using tunnels: terminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)
Infrastructure Deployment
Start Here: Cisco IOS Software Release Specifics for IPv6 Features
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm
Tunneling Services
IPv4 over IPv6 IPv6 over IPv4
Translation Services
IPv4
IPv6
Business Partners Government Agencies International Sites Remote Workers Internet consumers
Campus/Data Center
http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2
Hybrid: Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
  Pro: Leverage existing gear and network design (traditional L2/L3 and routed access)
  Con: Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast
IPv6 Service Block: A new network block used for interim connectivity for IPv6 overlay network
  Pro: Separation, control and flexibility (still supports traditional L2/L3 and routed access)
  Con: Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not
Access Layer
Expect to run the same IGPs as with IPv4
VSS supports IPv6
[Figure: dual-stack campus. Labels: Access Layer, Distribution Layer, Core Layer, L2/L3, v6-Enabled (all layers), Dual Stack, Dual-stack Server]
Catalyst 3560/3750: In order to enable IPv6 functionality the proper SDM template needs to be defined ( http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225 )
Switch(config)#sdm prefer dual-ipv4-and-ipv6 default
If using a traditional Layer-2 access design, the only thing that needs to be enabled on the access switch (management/security discussed later) is MLD snooping:
Switch(config)#ipv6 mld snooping
3560/3750 non-E series cannot support both HSRP for IPv4 and HSRP for IPv6 on the same interface
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/softwar
interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::A001:1010/64
 ipv6 nd reachable-time 5000
 ipv6 nd router-preference high
 no ipv6 redirects
 ipv6 ospf 1 area 1
!
ipv6 router ospf 1
 auto-cost reference-bandwidth 10000
 router-id 10.122.0.25
 log-adjacency-changes
 area 2 range 2001:DB8:CAFE:xxxx::/xx
 timers spf 1 5
interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
 ipv6 ospf 1 area 2
 ipv6 cef
!
ipv6 router ospf 1
 router-id 10.120.2.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 2 stub no-summary
 passive-interface Vlan2
 timers spf 1 5
ISATAP: Host-to-L3
Leverages existing network
Offers natural progression to full dual-stack design
May require tunneling to less-than-optimal layers (i.e. core layer)
ISATAP creates a flat network (all hosts on same tunnel are peers)
Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)
[Figure labels: ISATAP, L2/L3, NOT v6-Enabled, v6-Enabled, Distribution Layer, Core Layer, Dual Stack, Dual-stack Server]
In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel
Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
ISATAP tunnels from PCs in access layer to core switches
Redundant tunnels to core or service block
Use IGP to prefer one core switch over another (both v4 and v6 routes), deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) where host is terminated on (Windows XP/2003)
Works like Anycast-RP with IPmc
[Figure labels: Access Layer, Distribution Layer, Core Layer, Aggregation Layer (DC), Access Layer (DC), NOT v6-Enabled, v6-Enabled, Dual Stack, IPv6 Server; legend: Primary ISATAP Tunnel, Secondary ISATAP Tunnel]
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000
!
interface Loopback3
 ip address 10.122.10.103 255.255.255.255
 delay 1000
To influence IPv4 routing to prefer one ISATAP tunnel source over another: alter delay/cost or mask length
Lower timers (timers spf, hello/hold, dead) to reduce convergence times
Use recommended summarization and/or use of stubs to reduce routes and convergence times
Set RID to ensure redundant loopback addresses do not cause duplicate RID issues
IPv4: EIGRP
router eigrp 10
 eigrp router-id 10.122.10.3
IPv6: OSPFv3
[Figure labels: Loopback 2 (10.122.10.102) used as SECONDARY ISATAP tunnel source; Loopback 2 (10.122.10.102) used as PRIMARY ISATAP tunnel source; VLAN 2 10.120.2.0/24; acc-1]
ip route | b 10.122.10.102/32
After Failure
dist-1#show ip route | b 10.122.10.102/32
D       10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28
[Figure label: 10.120.3.101]
Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
   IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2
   Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
interface GigabitEthernet1/1
 ipv6 address 2001:DB8:CAFE:13::4/127
 ipv6 eigrp 10
 ipv6 cef
!
interface Loopback3
 ip address 172.16.1.1 255.255.255.252
[Figure: service block design. Labels: Access Block, VLAN 2, VLAN 3, ISATAP, Tunnel, Internet]
1) Leverage existing ISP block for both IPv4 and IPv6 access
2) Use dedicated ISP connection just for IPv6: Can use IOS FW or PIX/ASA appliance
[Figure labels: IOS FW, Data Center Block, WAN/ISP Block; legend: Primary ISATAP Tunnel, Secondary ISATAP Tunnel]

1. Same policy design as Hybrid Model: The first place to implement classification and marking from the access layer is after decapsulation (ISATAP) which is on the egress interfaces on the service block switches
2. IPv6 packets received from ISATAP interfaces will have egress policies (classification/marking) applied on the configured tunnel interfaces
3. Aggregation/access switches can apply egress/ingress policies (trust, policing, queuing) to IPv6 packets headed for DC services
[Figure labels: Access Block, Distribution Layer, Core Layer, Aggregation Layer (DC), Access Layer (DC), Service Block, IPv6/IPv4 Dual-stack Server, Configured Tunnels, Traffic Flow]
Convergence for downstream Convergence for (ms) Recovery (ms) Server to Client 353~532 389~1261 Avg. Server to Client 443 828 upstream downstream 0 0~33 0 11~43
Virtualization should make DCs simpler and more flexible
Lack of robust DC/Application management is often the root cause of all evil
Ensure management systems support IPv6 as well as the devices being managed
Virtualized DC Solutions
[Figure: virtualized data center. Layers: DC Core, DC Aggregation, DC Services, DC Access, DC SAN. Devices shown: Nexus 7000, Cisco Catalyst 6500 VSS, Cisco Catalyst 6500, Cisco Catalyst 49xx, Nexus 5000, Nexus 2000, Nexus 1000v, Unified Computing System, ACE/ASA/WAAS, MDS 9500. Link types: Gigabit Ethernet, 10 Gigabit Ethernet, 10 Gigabit DCB, 4Gb Fibre Channel, 10 Gigabit FCoE/DCB. Callout: "What about the apps?"]
[Figure labels: four switches, Trunk, VLAN10, VLAN11, VLAN103, VLAN203, Permit 0x86dd, IPv4 server, IPv6 server]
Portproxy
Offered in Microsoft Windows (XP, 2003, Vista/W7, 2008)
Basically, it is protocol and port forwarding
Allows v4-to-v6, v6-to-v6 and v6-to-v4
Load is CPU bound
Very simple to configure (on a per host basis or as an appliance)
IVI
draft-xli-behave-ivi-01.txt
Prefix-specific and Stateless Address Mapping
IV=4, VI=6, based on Roman numerals
IVI is good at what translators do but it is just as bad with what translators
Outside traffic comes in on IPv6; PortProxy to v4 (VIP address on ACE)
Traffic is IPv4 to server
PortProxy Configuration/Monitoring
netsh interface portproxy>sh all Listen on ipv6: Address Port --------------- ---------2001:db8:cafe:12::25 80 Active Connections Proto TCP TCP conn-id 14 13 Local Address 10.121.12.25:58141 Foreign Address 10.121.5.20:http State ESTABLISHED ESTABLISHED state ESTAB ESTAB Connect to ipv4: Address 10.121.5.20 Port 80 --------------- ----------
PortProxy Performance
Throughput Example
[Chart: HTTP Throughput Comparison - Direct vs. PortProxy; y-axis: Throughput (Mbps), 0 to 10]
PortProxy Performance
ICMPv6 (RFC 2463)
Neighbor Discovery (RFC 2461)
Stateless Auto-configuration
VRRP for IPv6 for application redundancy (IETF Draft)
Telnet, TFTP, FTP, SCP, DNS Resolver, HTTP, Ping, Traceroute, SSH
Cisco IP, IP-Forwarding and VRRP MIBs
SNMP over IPv6
Security
SAN Applications
IP Storage: iSCSI, ISNS, and FCIP
Zone Server, FC Name Server
IPv6 over FC
Other modules, e.g. NTP, fctunnel etc.
2001:db8:cafe:10::14
iSCSI
MDS-2
Same configuration requirements and operation as with IPv4
Can use automatic preemption: configure VR address to be the same as physical interface of primary
Host-side HA uses NIC teaming (see slides for NIC teaming)
SAN-OS 3.2 will support iSCSI with IPsec
interface GigabitEthernet2/1
 ipv6 address 2001:db8:cafe:12::5/64
 no shutdown
 vrrp ipv6 1
  address 2001:db8:cafe:12::5
  no shutdown

mds-1# show vrrp ipv6 vr 1
Interface  VR IpVersion Pri   Time Pre State   VR IP addr
------------------------------------------------------------------
GigE2/1    1  IPv6      255  100cs     master  2001:db8:cafe:12::5

mds-2# show vrrp ipv6 vr 1
Interface  VR IpVersion Pri   Time Pre State   VR IP addr
------------------------------------------------------------------
GigE2/1    1  IPv6      100  100cs     backup  2001:db8:cafe:12::5
interface GigabitEthernet2/1
 ipv6 address 2001:db8:cafe:12::5/64

mds9216-1# show fcns database vsan 1
VSAN 1:
--------------------------------------------------------------------
FCID      TYPE  PWWN
--------------------------------------------------------------------
0x670400  N     21:00:00:10:86:10:46:9c
0x670405  N     24:01:00:0d:ec:24:7c:42 (Cisco)
SAN-OS 3.x: FCIP(v6)
[Figure: Central Site and Remote Sites, each with FC fabrics, connected across an IPv6 Network]

fcip profile 100
 ip address 2001:db8:cafe:50::1
 tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
 use-profile 100
 peer-info ipaddr 2001:db8:cafe:50::2
!
interface GigabitEthernet2/2
 ipv6 address 2001:db8:cafe:50::1/64

fcip profile 100
 ip address 2001:db8:cafe:50::2
 tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
 use-profile 100
 peer-info ipaddr 2001:db8:cafe:50::1
!
interface GigabitEthernet2/2
 ipv6 address 2001:db8:cafe:50::2/64
Static configuration
netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.
netsh interface ipv6>sh add
Querying active state...

Interface 10: Local Area Connection

Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------- ------------ ------------ -----------------------------
Manual     Duplicate  infinite     infinite     2001:db8:cafe:10::7
Public     Preferred  29d23h59m21s 6d23h59m21s  2001:db8:cafe:10:20d:9dff:fe93:b25d
Intel statement of support for RLB: Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.
Linux
# sysctl -w net/ipv6/conf/bond0/dad_transmits=0
net.ipv6.conf.eth0.dad_transmits = 0
Autoconfiguration IP Address. . . : 169.254.25.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11
Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11

IP Address. . . . . . . . . . . . : 10.89.4.230
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12
Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12
Interface 13: TEAM-1 Addr Type --------Public Link DAD State Preferred Preferred Valid Life 4m11s infinite Pref. Life Address
Today, IPv6 inspection is supported in the routed firewall mode. Transparent mode can allow IPv6 traffic to be bridged (no inspection)
WAN/Branch
WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time
Dual-stack should be the focus of your implementation, but some situations still call for tunneling
Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Don't assume all features for every technology are IPv6-enabled
Better feature support in WAN/branch than in campus/DC
[Figure: Corporate Network and branches connected through an SP Cloud, Dual Stack end to end]
[Figure: branch profiles connecting to HQ. Labels: HQ, MPLS, Internet, Frame]

Dual-Stack
IPSec VPN (IPv4/IPv6)
IOS Firewall (IPv4/IPv6)
Integrated Switch (MLD-snooping)

Dual-Stack
IPSec VPN or Frame Relay
IOS Firewall (IPv4/IPv6)
Switches (MLD-snooping)
Single-Tier Profile
Totally integrated solution: Branch router and integrated EtherSwitch module; IOS FW and VPN for IPv6 and IPv4
When SP does not offer IPv6 services, use IPv4 IPSec VPNs for manually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6
When SP does offer IPv6 services, use IPv6 IPSec VPNs (latest AIM/VAM supports IPv6 IPSec)
[Figure: Single-Tier branch connected to Headquarters. Labels: Branch, Single-Tier, Headquarters, T1, ADSL, WAN. Legend: Primary DMVPN Tunnel (IPv4); Secondary DMVPN Tunnel (IPv4); Primary IPSec-protected configured tunnel (IPv6-in-IPv4); Secondary IPSec-protected configured tunnel (IPv6-in-IPv4)]
Single-Tier Profile
LAN Configuration: DHCPv6

Branch Router
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef
!
ipv6 dhcp pool DATA_VISTA
 address prefix 2001:DB8:CAFE:1100::/64
 dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D
 domain-name cisco.com
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64
 ipv6 nd prefix 2001:DB8:CAFE:1100::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp server DATA_VISTA

EtherSwitch Module
ipv6 mld snooping
!
interface Vlan100
 description VLAN100 for PCs and Switch management
 ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64
Single-Tier Profile
IPSec Configuration1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key CISCO address 172.17.1.3
crypto isakmp key SYSTEMS address 172.17.1.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set HE1 esp-3des esp-sha-hmac
crypto ipsec transform-set HE2 esp-3des esp-sha-hmac
!
crypto map IPv6-HE1 local-address Serial0/0/0
crypto map IPv6-HE1 1 ipsec-isakmp
 set peer 172.17.1.3
 set transform-set HE1
 match address VPN-TO-HE1
!
crypto map IPv6-HE2 local-address Loopback0
crypto map IPv6-HE2 1 ipsec-isakmp
 set peer 172.17.1.4
 set transform-set HE2
 match address VPN-TO-HE2
[Figure labels: Branch, Internet, Headquarters; Primary and Secondary tunnels]
Single-Tier Profile
IPSec Configuration2
interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 172.17.1.3
 tunnel mode ipv6ip
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Loopback0
 tunnel destination 172.17.1.4
 tunnel mode ipv6ip
!
interface Serial0/0/0
 description to T1 Link Provider (PRIMARY)
 crypto map IPv6-HE1
!
interface Dialer1
 description PPPoE to BB provider
 crypto map IPv6-HE2
!
ip access-list extended VPN-TO-HE1
 permit 41 host 172.16.1.2 host 172.17.1.3
ip access-list extended VPN-TO-HE2
 permit 41 host 10.124.100.1 host 172.17.1.4

Adjust delay to prefer Tunnel3
Adjust MTU to avoid fragmentation on router (PMTUD on client will not account for IPSec/Tunnel overhead)
Permit 41 (IPv6) instead of gre
Single-Tier Profile
Routing
Branch Router
ipv6 unicast-routing
ipv6 cef
!
key chain ESE
 key 1
  key-string 7 111B180B101719
!
interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
!
interface Loopback0
 ipv6 eigrp 10
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.124.100.1
 stub connected summary
 no shutdown
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.200
 passive-interface GigabitEthernet1/0.300
 passive-interface Loopback0

EtherSwitch Module
ipv6 route ::/0 Vlan100 FE80::217:94FF:FE90:2829
Single-Tier Profile
Security (1)

ipv6 inspect name v6FW tcp
ipv6 inspect name v6FW icmp
ipv6 inspect name v6FW ftp
ipv6 inspect name v6FW udp
!
interface Tunnel3
 ipv6 traffic-filter INET-WAN-v6 in
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 inspect v6FW out
 ipv6 virtual-reassembly
!
interface GigabitEthernet1/0.100
 ipv6 traffic-filter DATA_LAN-v6 in
!
line vty 0 4
 ipv6 access-class MGMT-IN in

ACL used by IOS FW for dynamic entries
Apply firewall inspection for egress traffic
Used by firewall to create dynamic ACLs and protect against various fragmentation attacks
Apply LAN ACL (next slide)
ACL used to restrict management access
Single-Tier Profile
Security (2)

Sample Only

ipv6 access-list MGMT-IN
 remark permit mgmt only to loopback
 permit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001
 deny ipv6 any any log-input
!
ipv6 access-list DATA_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit icmp 2001:DB8:CAFE:1100::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit ipv6 2001:DB8:CAFE:1100::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
Single-Tier Profile
Security (3)

Sample Only

ipv6 access-list INET-WAN-v6
 remark PERMIT EIGRP for IPv6
 permit 88 any any
 remark PERMIT PIM for IPv6
 permit 103 any any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT SSH TO LOCAL LOOPBACK
 permit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22
 remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACK,VPN tunnels,VLANs
 permit icmp any host 2001:DB8:CAFE:1000::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001
 permit icmp any 2001:DB8:CAFE:1100::/64
 permit icmp any 2001:DB8:CAFE:1200::/64
 permit icmp any 2001:DB8:CAFE:1300::/64
 remark PERMIT ALL IPv6 PACKETS TO VLANs
 permit ipv6 any 2001:DB8:CAFE:1100::/64
 permit ipv6 any 2001:DB8:CAFE:1200::/64
 permit ipv6 any 2001:DB8:CAFE:1300::/64
 deny ipv6 any any log
Single-Tier Profile
QoS
class-map match-any BRANCH-TRANSACTIONAL-DATA
 match protocol citrix
 match protocol ldap
 match protocol sqlnet
 match protocol http url "*cisco.com"
 match access-group name BRANCH-TRANSACTIONAL-V6
!
policy-map BRANCH-WAN-EDGE
 class TRANSACTIONAL-DATA
  bandwidth percent 12
  random-detect dscp-based
!
policy-map BRANCH-LAN-EDGE-IN
 class BRANCH-TRANSACTIONAL-DATA
  set dscp af21
!
ipv6 access-list BRANCH-TRANSACTIONAL-V6
 remark Microsoft RDP traffic-mark dscp af21
 permit tcp any any eq 3389
 permit udp any any eq 3389
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 service-policy input BRANCH-LAN-EDGE-IN
!
interface Serial0/0/0
 description to T1 Link Provider
 max-reserved-bandwidth 100
 service-policy output BRANCH-WAN-EDGE

Some features of QoS do not yet support IPv6
NBAR is used for IPv4, but ACLs must be used for IPv6 (until NBAR supports IPv6)
Match/Set v4/v6 packets in same policy
Dual-Tier Profile
Redundant set of branch routers, separate branch switch (multiple switches can use StackWise technology)
Can be dual-stack if using Frame Relay or other L2 WAN type

[Diagram: dual-tier branch connected to Headquarters over the WAN; IPv4 and IPv6]
Dual-Tier Profile
Configuration
Branch Router 1
interface Serial0/1/0.17 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1262::BAD1:1010/64
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
 frame-relay interface-dlci 17
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_VISTA
 ipv6 eigrp 10
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 priority 120
 standby 201 preempt delay minimum 30
 standby 201 authentication ese
Branch Router 2
interface Serial0/2/0.18 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1272::BAD1:1020/64
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
 frame-relay interface-dlci 18
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 eigrp 10
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 preempt
 standby 201 authentication ese
Multi-Tier Profile
All branch elements are redundant and separate
WAN tier: WAN connections, can be anything (frame/IPSec); MPLS shown here
Firewall tier: redundant ASA firewalls
Access tier: internal services routers (like a campus distribution layer)
LAN tier: access switches (like a campus access layer)
Dual-stack is used on every tier if the SP provides IPv6 services via MPLS. If not, tunnels can be used from WAN tier to HQ site

[Diagram: multi-tier branch (LAN tier, access tier, firewall tier, WAN tier) connected to Headquarters over the WAN; IPv4 and IPv6]
[Diagram: branch routers BR1-1 and BR1-2 with switch BR1-LAN-SW, connected across the WAN to headquarters head-ends HE1 and HE2]
Primary DMVPN Tunnel: 2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed): 2001:DB8:CAFE:20B::/64
2001:DB8:CAFE:202::/64
VLAN Interfaces:
  104 - 2001:DB8:CAFE:1004::/64 PC
  105 - 2001:DB8:CAFE:1005::/64 Voice
  106 - 2001:DB8:CAFE:1006::/64 Printer
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto isakmp key CISCO address ipv6 ::/0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB

[Diagram: primary DMVPN tunnel 2001:DB8:CAFE:20A::/64 and backup DMVPN tunnel (dashed) 2001:DB8:CAFE:20B::/64 between BR1-1/BR1-2 and HE1/HE2 across the WAN]
Branch LAN
Connecting Hosts
ipv6 dhcp pool DATA_W7
 dns-server 2001:DB8:CAFE:102::8
 domain-name cisco.com
!
interface GigabitEthernet0/0
 description to BR1-LAN-SW
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.104
 description VLAN-PC
 encapsulation dot1Q 104
 ip address 10.124.104.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1004::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_W7
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
 description VLAN-PHONE
 encapsulation dot1Q 105
 ip address 10.124.105.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
 ipv6 eigrp 10

[Diagram: BR1-LAN router and BR1-LAN-SW switch]
VLAN Interfaces:
  104 - 2001:DB8:CAFE:1004::/64 PC
  105 - 2001:DB8:CAFE:1005::/64 Voice
  106 - 2001:DB8:CAFE:1006::/64 Printer
Remote Access
Client-based SSL
[Diagram: client-based SSL VPN across the Internet to a Cisco ASA; Outside: 2001:db8:cafe:101::ffff; Inside]
http://www.cisco.com/en/US/docs/security/vpn_client/a
Considerations
Cisco IOS version supporting IPv6 configured/ISATAP tunnels
  Configured: 12.3(1)M/12.3(2)T/12.2(14)S and above (12.4M/12.4T)
  ISATAP: 12.3(1)M, 12.3(2)T, 12.2(14)S and above (12.4M/12.4T)
  Catalyst 6500 with Sup720/32: 12.2(17a)SX1, HW forwarding
Attacker can come in IPv6 interface and jump on the IPv4 interface (encrypted to enterprise)
  In Windows Firewall, default policy is to DENY packets from one interface to another
Remember that the IPv6 tunneled traffic is still encapsulated as a tunnel when it leaves the VPN device
Allow IPv6 tunneled traffic across access lists (Protocol 41)
Does It Work?
[Diagram: Windows XP Client, VPN 3000, Catalyst 6500/Sup 720 Dual-Stack]

Interface 2: Automatic Tunneling Pseudo-Interface

Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------- ------------ ------------ -----------------------------
Public     Preferred  29d23h56m5s  6d23h56m5s   2001:db8:c003:1101:0:5efe:10.1.99.102
Link       Preferred  infinite     infinite     fe80::5efe:10.1.99.102

Met  Idx
---  ---
9    2
1    2
Provider Considerations
Port-to-Port Access
Multi-Homing
Content
Provisioning
Staff Training and Operations
Rollout Releases & Planning
Dual-Stack
Routing Protocols
Instrumentation
Conclusion
Dual stack where you can
Tunnel where you must
Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by default; understand what impact any OS has on the network
Deploy it, at least in a lab. IPv6 won't bite
Things to consider:
  Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals
  Don't be too late to the party; anything done in a panic is likely going to go badly
Appendix Slides
For Reference Only
Become familiar with Teredo
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.m
ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4
  http://www.microsoft.com/technet/network/p2p/default.mspx
1. Unspecified address :: / Solicited node address NS/DAD
2. Looking for a local router: ff02::2 RS
3. Looking for MLD enabled routers: ff02::16 MLDv2 report
4. LLMNR for IPv6: ff02::1:3, advertise hostname
5. LLMNR for IPv4: 224.0.0.252 from RFC 3927 address
6. No global or ULA received via step 1/2: Try ISATAP
7. Try DHCP for IPv6: ff02::1:2
8. Try DHCP for IPv4

Host ese-vista1: fe80::80aa:fd5:f7ae:4361
Protocol Info
DNS      Standard query A isatap.cisco.com

Protocol Info
DNS      Standard query A teredo.ipv6.microsoft.com

Protocol Info
TCP      49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8
TCP      epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152
TCP      49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
DCERPC   Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0

[Diagram: ese-vista-1 (10.120.2.2) and ese-vista-2 (10.120.3.2) connected through an IPv4-only router; ISATAP?? Teredo?? Some Apps Break]
What Is Teredo?
RFC 4380
Tunnel IPv6 through NATs (NAT types defined in RFC 3489)
  Full Cone NATs (aka one-to-one): supported by Teredo
  Restricted NATs: supported by Teredo
  Symmetric NATs: supported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a symmetric NAT
Uses UDP port 3544
Is complex: many sequences for communication, and has several attack vectors
Available on:
  Microsoft Windows XP SP1 w/Advanced Networking Pack
  Microsoft Windows Server 2003 SP1
  Microsoft Windows Vista/W7 (enabled by default, inactive until application requires it)
  Microsoft Server 2008
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
  Linux, BSD and Mac OS X: Miredo http://www.simphalempin.com/dev/miredo/
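A monitoring sketch for the tunnel indicators this deck names: IP protocol 41 (ISATAP and configured tunnels), UDP port 3544 (Teredo), and the DNS lookups for isatap.<domain> and the Teredo server name. This is an added example, not part of the original slides; the record layout, the allow-list and the sample records are assumptions constructed for illustration.

```python
"""Flag hosts that show IPv6-transition tunnel activity (added example).

The record layout (dicts with src/dst/proto/sport/dport and client/qname)
is an assumption; map the keys to your own flow and DNS log schema.
"""
import ipaddress
from collections import defaultdict

PROTO_IPV6_IN_IPV4 = 41   # ISATAP and configured tunnels ("permit 41")
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544    # Teredo server port

# Constructed sample records. Host addresses reuse ones shown in the deck;
# 192.0.2.50 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_FLOWS = [
    {"src": "172.16.1.103", "dst": "65.54.227.126", "proto": 17, "sport": 1109, "dport": 3544},
    {"src": "65.54.227.126", "dst": "172.16.1.103", "proto": 17, "sport": 3544, "dport": 1109},
    {"src": "10.120.2.2", "dst": "10.120.4.1", "proto": 41},    # approved ISATAP router
    {"src": "10.120.3.2", "dst": "192.0.2.50", "proto": 41},    # unknown tunnel endpoint
    {"src": "10.120.3.2", "dst": "198.51.100.7", "proto": 6, "sport": 49211, "dport": 443},
]
SAMPLE_DNS = [
    {"client": "10.120.2.2", "qname": "isatap.cisco.com"},
    {"client": "10.120.2.2", "qname": "teredo.ipv6.microsoft.com."},
    {"client": "10.120.3.2", "qname": "www.cisco.com"},
]
LOCAL_NETS = ["10.0.0.0/8", "172.16.0.0/12"]
SANCTIONED_ENDPOINTS = {"10.120.4.1"}   # tunnel routers the site operates


def _split(flow, nets):
    """Return (internal_host, peer) regardless of flow direction."""
    src = ipaddress.ip_address(flow["src"])
    if any(src in net for net in nets):
        return flow["src"], flow["dst"]
    return flow["dst"], flow["src"]


def classify_dns(query):
    """Tag lookups whose first label is 'isatap' or 'teredo'."""
    name = query["qname"].rstrip(".").lower()
    first_label = name.split(".")[0]
    if first_label in ("isatap", "teredo"):
        return "dns-%s:%s" % (first_label, name)
    return None


def find_tunnel_hosts(flows, dns_queries, local_nets, sanctioned_endpoints=()):
    """Map each internal host to a sorted list of tunnel indicators."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings = defaultdict(set)
    for flow in flows:
        host, peer = _split(flow, nets)
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            # Protocol 41 is expected only toward routers the site operates.
            if peer not in sanctioned_endpoints:
                findings[host].add("proto41-unsanctioned:" + peer)
        elif (flow["proto"] == PROTO_UDP
              and TEREDO_UDP_PORT in (flow.get("sport"), flow.get("dport"))):
            findings[host].add("teredo-udp3544:" + peer)
    for query in dns_queries:
        tag = classify_dns(query)
        if tag:
            findings[query["client"]].add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    report = find_tunnel_hosts(SAMPLE_FLOWS, SAMPLE_DNS, LOCAL_NETS, SANCTIONED_ENDPOINTS)
    for host, tags in sorted(report.items()):
        print(host, tags)
```

The allow-list is what separates a deployed ISATAP router from an unplanned tunnel; with it left empty, every protocol 41 peer is reported.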
Teredo Components
Teredo Client: Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
Teredo Server: Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts. Listens on UDP port 3544
Teredo Relay: Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
Teredo Host-Specific Relay: Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay
Teredo Overview
[Diagram: Teredo clients behind NATs on the IPv4 Internet, a Teredo server, a Teredo relay and a Teredo host-specific relay, and an IPv6-only host on the IPv6 Internet; links labelled "IPv6 over IPv4 traffic", "IPv6 or IPv6 over IPv4 traffic" and "IPv6 traffic"]
*From Microsoft Teredo Overview paper
Teredo Address
Field:  Teredo prefix | Teredo Server IPv4 address | Flags   | Obfuscated External Port | Obfuscated External Address
Size:   32 bits       | 32 bits                    | 16 bits | 16 bits                  | 32 bits

Teredo IPv6 prefix (2001::/32, previously was 3FFE:831F::/32)
Teredo Server IPv4 address: global address of the server
Flags: defines NAT type (e.g. Cone NAT)
Obfuscated External Port: UDP port number to be used with the IPv4 address
Obfuscated External Address: contains the global address of the NAT
[Diagram: Teredo client behind a NAT, exchanging numbered messages across the IPv4 Internet with Teredo Server 1 and Teredo Server 2]

Teredo client address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
  2001:0      Teredo Prefix
  4136:e37e   Teredo Server v4
  0           Flags
  fbaa        Ext. UDP Port
  b97e:fe4e   External v4 address
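The address layout above, worked through in code on the deck's sample address 2001:0:4136:e37e:0:fbaa:b97e:fe4e. This is an added example, not from the original slides; the function names are hypothetical, and the obfuscation (XOR with all ones) and the cone bit (0x8000) follow RFC 4380.

```python
"""Decode and build Teredo addresses (added example, names are hypothetical)."""
import ipaddress

# Current prefix and the earlier one mentioned on the slide.
TEREDO_PREFIXES = (
    ipaddress.ip_network("2001::/32"),
    ipaddress.ip_network("3ffe:831f::/32"),
)
CONE_BIT = 0x8000  # high bit of the 16-bit Flags field (RFC 4380)


def decode_teredo(addr):
    """Split a Teredo address into server, flags and the NAT's external mapping."""
    ip = ipaddress.IPv6Address(addr)
    if not any(ip in prefix for prefix in TEREDO_PREFIXES):
        raise ValueError("%s is not inside a Teredo prefix" % addr)
    raw = ip.packed                                   # 16 bytes, network order
    flags = int.from_bytes(raw[8:10], "big")
    # Port and address are stored XORed with all ones so that NATs which
    # rewrite embedded addresses do not touch them.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    external = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": flags,
        "cone": bool(flags & CONE_BIT),
        "external_port": port,
        "external_addr": str(ipaddress.IPv4Address(external)),
    }


def encode_teredo(server, external_addr, external_port, flags=0):
    """Build the 2001::/32 Teredo address for a given server and NAT mapping."""
    if not 0 <= external_port <= 0xFFFF or not 0 <= flags <= 0xFFFF:
        raise ValueError("port and flags must fit in 16 bits")
    raw = (
        bytes.fromhex("20010000")
        + ipaddress.IPv4Address(server).packed
        + flags.to_bytes(2, "big")
        + (external_port ^ 0xFFFF).to_bytes(2, "big")
        + (int(ipaddress.IPv4Address(external_addr)) ^ 0xFFFFFFFF).to_bytes(4, "big")
    )
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    sample = "2001:0:4136:e37e:0:fbaa:b97e:fe4e"      # address from the slides
    for key, value in decode_teredo(sample).items():
        print("%-14s %s" % (key, value))
```

Decoding an address seen in a log gives the Teredo server in use and the public IPv4 address and UDP port of the NAT the client sits behind.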
netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : probe(cone)
Type                    : teredo client
Network                 : unmanaged
NAT                     : cone

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : qualified
Type                    : teredo client
Network                 : unmanaged
NAT                     : restricted

Send RS Cone Flag=1 (Cone NAT), every 4 seconds
If no reply, send Flag=0 (restricted NAT)
Receive RA with Origin header and prefix
Send RS to 2nd server to check for symmetric NAT
Compare 2nd RA: Origin port/address from 2nd server
DNS lookup
Response
ICMP to host via Teredo Server
Relay sends Bubble packet to client via server; client receives relay address-port
Packets to/from IPv6 host and client traverse relay

No.  Time        Source                              Destination                          Protocol  Info
96   148.960607  2001:0:4136:e37e:0:fbaa:b97e:fe4e   2001:200:0:8002:203:47ff:fea5:3085   ICMPv6    Echo request
  Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
  User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No.  Time        Source                      Destination                         Protocol  Info
97   149.405579  fe80::8000:5445:5245:444f   2001:0:4136:e37e:0:fbaa:b97e:fe4e   IPv6      IPv6 no next header
  Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
  Teredo IPv6 over UDP tunneling
    Teredo Origin Indication header
      Origin UDP port: 50206
      Origin IPv4 address: 66.117.47.227 (66.117.47.227)

No.  Time        Source         Destination    Protocol  Info
98   149.405916  172.16.1.103   66.117.47.227  UDP       Source port: 1109 Destination port: 50206
99   149.463719  66.117.47.227  172.16.1.103   UDP       Source port: 50206 Destination port: 1109
100  149.464100  172.16.1.103   66.117.47.227  UDP       Source port: 1109 Destination port: 50206
101  149.789493  66.117.47.227  172.16.1.103   UDP       Source port: 50206 Destination port: 1109

According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sent (being researched): http://msdn2.microsoft.com/en-us/library/aa965910.aspx
C:\>ping www.kame.net
Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=453ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms
Bubble packet = Used to create and maintain NAT mapping; consists of an IPv6 header with no IPv6 payload (Payload 59: No next header)

No.  Time       Source                              Destination  Protocol  Info
35   46.399072  2001:0:4136:e37e:0:fbaa:b97e:fe4e   ff02::1      IPv6

Frame 35 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
Teredo IPv6 over UDP tunneling
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 0
    Next header: IPv6 no next header (0x3b)
    Hop limit: 21
    Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
    Destination address: ff02::1
[Figure: ISATAP address format, with the 32-bit IPv4 address embedded]

ISATAP is used to tunnel over IPv4 within an administrative domain (a site) to create a virtual IPv6 network over an IPv4 network
Supported in Windows XP Pro SP1 and others
ICMPv6 Type 133 (RS)
  IPv4 Source: 206.123.20.100
  IPv4 Destination: 206.123.31.200
  IPv6 Source: fe80::5efe:ce7b:1464
  IPv6 Destination: fe80::5efe:ce7b:1fc8
  Send me ISATAP Prefix

ICMPv6 Type 134 (RA)
  IPv4 Source: 206.123.31.200
  IPv4 Destination: 206.123.20.100
  IPv6 Source: fe80::5efe:ce7b:1fc8
  IPv6 Destination: fe80::5efe:ce7b:1464
  ISATAP Prefix: 2001:db8:ffff:2::/64
ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates the IPv6 packets in IPv4. The IPv4 packets that carry the encapsulated IPv6 packets use the IPv4 source and destination addresses.
Appendix: Multicast
IPv6 Solution
  128-bit (112-bit Group)
  Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
  PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
  MLDv1, v2
  Scope Identifier
  Single RP Within Globally Shared Domains
[Diagram: hosts H1 and H2, router rtra (FE80::207:85FF:FE80:692) and a Source; Group: FF3E:40:2001:DB8:C003:1109:1111:1111]
1. H1 sends a REPORT for the group (ICMPv6 Type: 131, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
2. H2 sends a REPORT for the group (ICMPv6 Type: 131, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
[Diagram: hosts H1 and H2, router rtra (FE80::207:85FF:FE80:692) and a Source; Group: FF3E:40:2001:DB8:C003:1109:1111:1111]
1. H1 sends DONE to FF02::2 (ICMPv6 Type: 132, Destination: FF02::2)
2. RTR-A sends Group-Specific Query (ICMPv6 Type: 130, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
3. H2 sends REPORT for the group (ICMPv6 Type: 131, REPORT to group)
Sent to learn of listeners on the attached link
Sets the multicast address field to zero
Sent every 125 seconds (configurable)
[Diagram: Source, designated router (DR) and RP]

branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is transmit only
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  output truncated
One transmit only, for registering sources locally connected to the RP
One receive only, for decapsulation of incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and RP!

[Diagram: Source, RP (L0, Tu) and Corporate Network]
Tunneling v6 Multicast
v6 in v4 (most widely used)
  tunnel mode ipv6ip   <----- IS-IS cannot traverse
v6 in v6
  tunnel mode ipv6
v6 in v6 GRE
  tunnel mode gre ipv6
ipv6 multicast-routing
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint
An SSM-Mapping enabled router will map MLDv1 reports (which, unlike MLDv2 reports, do not natively include the source) to a source
  Range of groups can be statically defined or used with DNS
  Wildcards can be used to define range of groups
SSM-Mapping
core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
  Incoming interface: GigabitEthernet3/3
  RPF nbr: FE80::20E:39FF:FEAD:9B00
  Immediate Outgoing interface list:
    GigabitEthernet5/1, Forward, 00:01:20/00:03:06

[Diagram: Source 2001:DB8:CAFE:11::11, group FF33::DEAD, Corporate Network; SSM and MLDv1 segments labelled]

!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
 permit ipv6 any host FF33::DEAD

[Diagram: RP (L0), Corporate Network, IP WAN]
RP: 2001:DB8:C003:1116::2
[Diagram: Source, Corporate Network, IP WAN]

RP: 2001:DB8:C003:110A::1

wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
Bits:   8  | 4     | 4     | 4    | 4      | 8    | 64             | 32
Field:  FF | Flags | Scope | Rsvd | RPaddr | Plen | Network Prefix | Group ID

New Address format defined:
  Flags = 0RPT, R = 1, P = 1, T = 1 => RP address embedded (0111 = 7)
Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
Embedded RP: 2001:0DB8:C003:111D::1
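The field layout above, applied in code to the slide's example group, together with the reverse direction (the /96 group range that belongs to a given RP). This is an added example, not from the original slides; the function names are hypothetical and the validity checks follow RFC 3956.

```python
"""Embedded-RP address arithmetic per RFC 3956 (added example, hypothetical names)."""
import ipaddress


def embedded_rp(group):
    """Extract the RP address and fields from an embedded-RP group address."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags = (g >> 116) & 0xF            # 0RPT
    if flags & 0x7 != 0x7:
        raise ValueError("R, P and T flags must all be set for embedded-RP")
    scope = (g >> 112) & 0xF
    riid = (g >> 104) & 0xF             # "RPaddr" field: RP interface ID
    plen = (g >> 96) & 0xFF
    if riid == 0 or not 1 <= plen <= 64:
        # RIID 0 would give the subnet-router anycast address.
        raise ValueError("invalid RIID or prefix length")
    prefix = (g >> 32) & 0xFFFFFFFFFFFFFFFF
    prefix &= ((1 << plen) - 1) << (64 - plen)      # keep only plen bits
    rp = (prefix << 64) | riid
    return {
        "rp": str(ipaddress.IPv6Address(rp)),
        "scope": scope,
        "plen": plen,
        "riid": riid,
        "group_id": g & 0xFFFFFFFF,
    }


def group_range_for_rp(rp, plen, scope):
    """Return the /96 group range whose members embed this RP address."""
    rp_int = int(ipaddress.IPv6Address(rp))
    if not 1 <= plen <= 64 or not 0 <= scope <= 0xF:
        raise ValueError("plen must be 1..64 and scope 0..15")
    riid = rp_int & 0xF
    prefix = rp_int & (((1 << plen) - 1) << (128 - plen))
    # The RP must be exactly <prefix>::<riid>; anything else cannot be embedded.
    if riid == 0 or rp_int != (prefix | riid):
        raise ValueError("RP address cannot be embedded with this prefix length")
    head = (0xFF << 120) | (0x7 << 116) | (scope << 112) | (riid << 104) | (plen << 96)
    network = head | ((prefix >> 64) << 32)
    return str(ipaddress.IPv6Network((network, 96)))


if __name__ == "__main__":
    print(embedded_rp("FF7E:0140:2001:0DB8:C003:111D:0000:1112"))
    print(group_range_for_rp("2001:DB8:C003:111D::1", 64, 0xE))
```

A router that does not support embedded-RP needs the same mapping configured statically, which is where the /96 range is used.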
Embedded-RP
PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy: Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
[Diagram: Source, RP (L0), Corporate Network, IP WAN; "To RP"]

ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
 permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
Multicast Applications
Microsoft Windows Media Server/Player (9-11)
  http://www.microsoft.com/windows/windowsmedia/default.aspx
VideoLAN
  www.videolan.org
DVTS (Digital Video Transport System)
  http://www.sfc.wide.ad.jp/DVTS/
  http://www.dvts.jp/en/dvts.html
Internet radio stations over IPv6
  http://www.ipv6.ecs.soton.ac.uk/virginradio/
  Supported on iTunes 4.5, Windows Media Player, XMMS 1.2.8, etc
Appendix: QoS
Flow Label
A new 20-bit field in the IPv6 basic header which:
  Labels packets belonging to particular flows
  Can be used for special sender requests
Per RFC, Flow Label must not be modified by intermediate routers
Keep an eye out for work being done to leverage the flow label

[Figure: IPv6 basic header, showing Payload Length, Source Address and Destination Address]
ACL Match To Set DSCP (If Packets Are Not Already Marked)
[Diagram: Windows XP VPN client connecting to the corporate network; VPN IP and Router IP labelled]

Create a default route (::/0) for the tunnel

netsh interface ipv6>add v6v4tunnel CISCO 10.1.99.103 20.1.1.1
Ok.
netsh interface ipv6>add address CISCO 2001:DB8:c003:1123::2
Ok.
netsh interface ipv6>add route ::/0 CISCO
Ok.
Does It Work?
[Diagram: Windows XP Client, VPN 3000, Catalyst 6500 Supervisor 720 Dual-stack]
Windows XP Client: 10.1.99.103 - VPN address; 2001:DB8:c003:1123::2 - IPv6 address
Catalyst 6500: 20.1.1.1 - IPv4 address; 2001:DB8:c003:1123::1 - IPv6 address

Interface 21: CISCO

Addr Type  DAD State  Valid Life   Pref. Life
---------  ---------- ------------ ------------
Manual     Preferred  infinite     infinite
Link       Preferred  infinite     infinite

netsh interface ipv6>show neighbors 21
Interface 2: Automatic Tunneling Pseudo-Interface

Internet Address                              Physical Address   Type
--------------------------------------------- ----------------- -----------
2001:DB8:c003:1123::1                         20.1.1.1           Permanent
fe80::1401:0101                               20.1.1.1           Permanent
# ip tunnel add is0 mode isatap 10.1.99.104 v4any 20.1.1.1 ttl 64
# ip link set is0 up

VPN IP: 10.1.99.104
Router IP: 20.1.1.1

Sun Solaris

[Diagram: 3002 VPN client connecting to the corporate network; Router IP labelled]

Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on)

# ifconfig ip.tun0 inet6
# ifconfig ip.tun0 inet6 tsrc 192.168.0.1 tdst 20.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:c003:1123::2/64 2001:DB8:c003:1123::1 up
Created new logical interface ip.tun0:2

*See notes for full instructions for enabling IPv6 on Solaris
MAC OS X Client
# ifconfig gif0 tunnel
# ifconfig gif0 tunnel 192.168.0.1 20.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:c003:1123::2
# route add -inet6 default -interface gif0

Router IP: 20.1.1.1
Microsoft
[Diagram: Windows client and dual-stack router]
ISATAP Refresher
Intra-Site Automatic Tunnel Addressing Protocol
RFC 4214
Host-to-router Tunnel
ISATAP connections look like one flat network
Create DNS A record for ISATAP = 10.120.4.1
Use Static Config if DNS use is not desired:
  C:\>netsh interface ipv6 isatap set router 10.120.4.1
Recommendation: Deploy ISATAP endpoints via policy distribution

[Diagram: ISATAP tunnel across the IPv4 network to an L3 device with IPv4 address (10.120.4.1) and IPv6 dual-stack, leading to the IPv6 network]
Key fact here is that NO additional configuration on the client is needed again!!!
Note: ISATAP is supported on some versions of Linux/BSD (manual router entry is required)
Create v6v4tunnel
Add IPv6 address to tunnel interface
Create a default route (::/0) for the tunnel

netsh interface ipv6>add v6v4tunnel CISCO 10.1.1.100 30.1.1.1
Ok.
netsh interface ipv6>add address CISCO 2001:db8:cafe:1123::2
Ok.
netsh interface ipv6>add route ::/0 CISCO
Ok.

Host IP: 10.1.1.100
Router IP: 30.1.1.1
!
interface Loopback1
 description Tunnel for IPv6 Clients
 ip address 30.1.1.1 255.255.255.255
!
interface GigabitEthernet2/10
 description TO Campus Core Network
 ipv6 address 2001:DB8:CAFE:111C::2/64
!
interface Tunnel1
 description Configured Tunnel for Client1
 ipv6 address 2001:DB8:CAFE:1123::1/64
 tunnel source Loopback1
 tunnel destination 10.1.1.100
 tunnel mode ipv6ip
Linux
What Is Required
Red Hat 6.2 and higher
  Fedora project builds RH 8, 9, WS, and ES preferred
Mandrake 8.0 and higher
SuSE 7.1 and higher
Debian 2.2 and higher
ISATAP support may not be native in all distribution kernels
Requires Kernel support for ISATAP
Some kernels may not have native support for ISATAP (Debian)

# ip tunnel add is0 mode isatap 10.1.1.100 v4any 30.1.1.1 ttl 64
# ip link set is0 up

Host IP: 10.1.1.100
Router IP: 30.1.1.1

# ip tunnel add sit1 mode sit remote 30.1.1.1 local 10.1.1.100
# ip link set sit1 up
# ip address add dev sit1 2001:DB8:C003:1123::2/64
# ip route add ::/0 dev sit1

Router IP: 30.1.1.1
Host IP: 10.1.1.100
Does It Work?
#ip tunnel show sit1
sit1: ipv6/ip remote 30.1.1.1 local 10.1.1.100 ttl inherit

#route -A inet6 | grep sit1
Kernel IPv6 routing table
Destination               Flags  Ref  Use
2001:DB8:C003:1123::/64   UA     10   0
fe80::/10                 UA     6    0
ff02::9/128               UAC    1    0
ff00::/8                  UA     0    0
::/0                      U      0    0

# ip -6 addr show sit1
6: sit1@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue
    inet6 fe80::a5e:a64d/128 scope link
    inet6 2001:DB8:C003:1123::2/64 scope global

#ping6 -I sit1 2001:DB8:C003:1123::1
PING 2001:DB8:C003:1123::1 from 2001:DB8:C003:1123::2 sit1:
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=1 ttl=64 time=0.454 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=2 ttl=64 time=0.371 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=3 ttl=64 time=0.392 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=4 ttl=64 time=0.377 ms
Apple Mac OS X
Create tunnel interface
Set tunnel end-points
Add IPv6 address to tunnel
Set default route
6to4 also an option

# ifconfig gif0 tunnel
# ifconfig gif0 tunnel 30.1.3.201 30.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:C003:1124::2
# route add -inet6 default -interface gif0

Router IP: 30.1.1.1

# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 30.1.3.201 --> 30.1.1.1
        inet6 fe80::203:93ff:feee:9f1f prefixlen 64 scopeid 0x2
        inet6 2001:DB8:C003:1124::2 prefixlen 64
Sun Solaris
Things to Know
Sun Solaris 8 and above will prompt for IPv6 activation during the installation process
Say yes and you will be ready for dual-stack with autoconfiguration
Add IPv6 address to interface
Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on)

10.1.1.100 - Client IPv4 address
2001:DB8:C003:1123::2 - IPv6 address
Router IP: 30.1.1.1

# ifconfig ip.tun0 inet6
# ifconfig ip.tun0 inet6 tsrc 10.1.1.100 tdst 30.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:C003:1123::2/64 2001:DB8:C003:1123::1 up
Created new logical interface ip.tun0:2

ip.tun0: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index 3
        inet tunnel src 10.1.1.100 tunnel dst 30.1.1.1
        tunnel hop limit 60
        inet6 fe80::4065:406a/10 --> fe80::a5e:a644
ip.tun0:1: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index 3
        inet6 2001:DB8:C003:1123::2/64 --> 2001:DB8:C003:1123::1