IPv6 for Dummies

Janne Östling janoz@cisco.com

BRKRST-2301 14340_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

1

Agenda
  General Concepts
    – Addressing – Routing – QoS – Tunnels – NAT
  Infrastructure Deployment
    Campus/Data Center, WAN/Branch, Remote Access
  Planning and Deployment Summary
  Appendix & Hidden slides — for Reference Only! (240 slides total so far…)

Preamble


A Need for IPv6?
  IETF IPv6 WG began in early 90s, to solve addressing growth issues, but CIDR, NAT, … were developed
  IPv4 32 bit address = 4 billion hosts
    ~40% of the IPv4 address space is still unused, which is different from unallocated
    The rise of Internet-connected devices and appliances will eventually deplete the IPv4 address space
  IP is everywhere
    Data, voice, audio and video integration is a reality
    Regional registries apply a strict allocation control
  So, only compelling reason: More IP addresses

IPv4 Lifetime
  [Figure: IANA pool lifetime projections (Jan '00 history basis), Tony Hain; x-axis jan-99 … jan-15, y-axis 0–128 /8 blocks; second panel jan-11 … jan-15; last RIR depleted: 2011-12-24]
  Update to: When_Will_IPv4_Addresses_Run_Out_ver00_rev06.pdf (Tony Hain)
  ~stephan/cgi-bin/ipv6/predict.cgi (Lagerholm)
  Internet Protocol Journal, archived_issues/ipj_8-3

Market Drivers
  Address space depletion
  National IT Strategy: U.S. Federal Mandate; IPv6 Task Force and promotion councils: Africa, China Next Generation Internet (CNGI) project, European Commission sponsored projects, India, Japan, Korea
  Infrastructure Evolution: IP NGN, DOCSIS 3.0, FTTH, HDTV, Quad Play, Mobile SP – 3G, WiMax, PWLAN, Networks in Motion, Networked Sensors
  IPv6 "on" & "preferred" by default: MSFT Vista & Server 2008
  Applications only running over IPv6 (P2P framework)
  NAT Overlap – M&A, i.e. AIRS

Why Not NAT
  It was created as a temp solution
  NAT breaks the end-to-end model
  Growth of NAT has slowed down growth of transparent applications
  No easy way to maintain states of NAT in case of node failures
  NAT breaks security
  NAT complicates mergers: double NATing is needed for devices to communicate with each other

Operating System Support
  Every major OS supports IPv6 today
  Top-to-bottom TCP/IP stack re-design
  IPv6 is on by default and preferred over IPv4 (considering network/DNS/application support)
  Tunnels will be used before IPv4 if required by IPv6-enabled application: ISATAP, 6to4, Teredo, Configured
  All applications and services that ship with Vista/Server 2008 support IPv4 and IPv6 (IPv6-only is supported): Active Directory, Certificate Services, Windows Deployment Service, Server Clustering, WINS/DNS/DHCP/LDAP, SharePoint services, File/Print/Fax, Network Access Protection (NAP), Windows Media Services, Terminal Services, IIS, Network Access Services – Remote Access (VPN/Dial-up), Network Load-Balancing, Internet Authentication Server, etc…
  http://www.microsoft.com/technet/network/ipv6/default.mspx

General Concepts

IPv6 Addressing

IPv4 and IPv6 Header Comparison
  IPv4 Header: Version | IHL | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options | Padding
  IPv6 Header: Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address
  Legend: Field's Name Kept from IPv4 to IPv6; Fields Not Kept in IPv6; Name and Position Changed in IPv6; New Field in IPv6

IPv6 Header New Field—Flow Label (RFC 3697)
20-Bit Flow Label Field to Identify Specific Flows Needing Special QoS
  (IPv6 Header: Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address)
  Flow classifiers had been based on 5-tuple: Source/destination address, protocol type and port numbers of transport
  Some of these fields may be unavailable due to fragmentation, encryption or locating them past extension headers
  With flow label, each source chooses its own flow label values; routers use source addr + flow label to identify distinct flows
  Flow label value of 0 used when no special QoS requested (the common case today)

Extension Headers
  IPv6 Packet = IPv6 Base Header (40 octets) + 0 or more Extension Headers + Data
  Base header (Next Header = 0) → 1st Extension Header (Next Header = 43) → … → Last Extension Header (Next Header = 17) → Data
  Each extension header carries: Next Header | Ext Hdr Length | Ext Hdr Data

Extension Header Order
Extension Headers Should Be Constructed in the Following Sequence and Should Be Sequenced in this Order:
  Hop-by-Hop header (0)
  Destination options header (w/ routing header) (60)
  Routing header (43)
  Fragment header (44)
  Authentication header (51)
  ESP header (50)
  Mobility header (135)
  Destination options header (60)
  ICMPv6 (58)
  No Next header (59)
  Upper-layer header (Varies—TCP=6, UDP=17)
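As an added example (mine, not from the deck), the Python below parses the 40-octet base header, follows the Next Header chain through the extension headers listed above, stops at ESP because nothing after it is readable, and checks the chain against the recommended order. The packet it runs on is constructed inline, not a capture; all function names are mine.

```python
import struct

# Next Header values from the slide's extension-header ordering table.
HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, MOBILITY = 0, 60, 43, 44, 51, 50, 135
ICMPV6, NO_NEXT, TCP, UDP = 58, 59, 6, 17
EXT_HEADERS = {HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, MOBILITY}
# Recommended sequence (Destination Options may legitimately appear twice).
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, MOBILITY, DEST_OPTS]


def parse_base_header(pkt):
    """Split the fixed 40-octet IPv6 base header into its eight fields."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-octet base header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("version field is not 6")
    return {
        "version": first >> 28,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,          # the 20-bit field from the Flow Label slide
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
    }


def in_recommended_order(chain):
    """True when the chain is a subsequence of RECOMMENDED_ORDER."""
    remaining = iter(RECOMMENDED_ORDER)
    return all(any(h == r for r in remaining) for h in chain)


def walk_extension_headers(pkt):
    """Follow the Next Header chain from the base header.

    Returns (chain, upper_layer, payload_offset, ordered): the extension headers
    seen, the Next Header value that ends the chain, where the upper-layer data
    starts, and whether the chain follows the recommended order.
    """
    base = parse_base_header(pkt)
    end = 40 + base["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    nh, off, chain = base["next_header"], 40, []
    while nh in EXT_HEADERS:
        chain.append(nh)
        if nh == ESP:
            # ESP keeps its Next Header in the encrypted trailer: stop here.
            return chain, ESP, off, in_recommended_order(chain)
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                          # fixed size, no length field
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4     # AH length is in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # others: 8-octet units, first unit not counted
        if off + hlen > end:
            raise ValueError("extension header runs past payload")
        nh, off = pkt[off], off + hlen
    return chain, nh, off, in_recommended_order(chain)


def build_sample_packet():
    """Constructed packet: base header -> Hop-by-Hop -> Fragment -> UDP (not a capture)."""
    src = bytes.fromhex("fe80000000000000020750fffe5e9460")   # link-local of the deck's r1
    dst = bytes.fromhex("ff020000000000000000000000000001")   # all-nodes multicast
    hop_by_hop = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"   # 8 octets, PadN option
    fragment = bytes([UDP, 0]) + b"\x00\x00" + b"\x00\x00\x00\x01"     # offset 0, id 1
    udp = b"\x02\x0a\x02\x0a\x00\x08\x00\x00"                           # ports 522, length 8
    payload = hop_by_hop + fragment + udp
    first = (6 << 28) | (0 << 20) | 0x12345                             # v6, TC 0, flow label
    return struct.pack("!IHBB", first, len(payload), HOP_BY_HOP, 255) + src + dst + payload
```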

MTU Issues
  Minimum link MTU for IPv6 is 1280 octets (vs. 68 octets for IPv4) => on links with MTU < 1280, link-specific fragmentation and reassembly must be used
  Implementations are expected to perform path MTU discovery to send packets bigger than 1280
  Minimal implementation can omit PMTU discovery as long as all packets kept ≤ 1280 octets
  A hop-by-hop option supports transmission of "jumbograms" with up to 2^32 octets of payload; payload is normally limited to 2^16 octets

Addressing Format Representation
  16-bit hexadecimal numbers
  Numbers are separated by (:)
  Hex numbers are not case sensitive
  Abbreviations are possible
    Leading zeros in contiguous block could be represented by (::)
    Example: 2001:0db8:0000:130F:0000:0000:087C:140B
             2001:0db8:0:130F::87C:140B
    Double colon only appears once in the address

Addressing Prefix Representation
  Representation of prefix is just like CIDR
  In this representation you attach the prefix length
  Like v4 address: 198.10.0.0/16
  V6 address is represented the same way: 2001:db8:12::/48
  Only leading zeros are omitted. Trailing zeros are not omitted
    2001:0db8:0012::/48 = 2001:db8:12::/48
    2001:db8:1200::/48 ≠ 2001:db8:12::/48

IPv6 Address Representation
  Loopback address representation 0:0:0:0:0:0:0:1 => ::1
    Same as 127.0.0.1 in IPv4
    Identifies self
  Unspecified address representation 0:0:0:0:0:0:0:0 => ::
    Used as a placeholder when no address available (Initial DHCP request, Duplicate Address Detection DAD)
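The three representation slides above, as an added Python example (mine, not from the deck): expand() applies the hex-group and single-'::' rules, compress() produces the shortened form, and same_prefix() shows why 2001:db8:1200::/48 is not 2001:db8:12::/48. All function names are mine.

```python
import re

GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one 16-bit hexadecimal group, case-insensitive


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 text address as integers.

    Enforces the representation rules: hex groups separated by ':' and '::'
    used at most once, standing for one or more all-zero groups.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: " + addr)
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP.match(g) for g in groups):
        raise ValueError("malformed IPv6 address: " + addr)
    return [int(g, 16) for g in groups]


def is_valid(addr):
    """True when expand() accepts the text form."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(groups):
    """Shortest text form: leading zeros dropped from every group and the longest
    run of two or more zero groups (leftmost on a tie) replaced by '::'."""
    best_start, best_len = -1, 1
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [-1]):    # sentinel terminates a trailing run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    text = ["%x" % g for g in groups]
    if best_start < 0:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def to_int(addr):
    """128-bit integer value of an address, for prefix arithmetic."""
    value = 0
    for g in expand(addr):
        value = (value << 16) | g
    return value


def same_prefix(a, b, plen):
    """True when a and b agree on their first plen bits (CIDR-style prefix)."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length out of range")
    mask = ((1 << plen) - 1) << (128 - plen)
    return (to_int(a) & mask) == (to_int(b) & mask)
```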

IPv6—Addressing Model
  Addresses are assigned to interfaces
    Change from IPv4 mode: Interface "expected" to have multiple addresses
  Addresses have scope
    Link Local, Unique Local, Global
  Addresses have lifetime
    Valid and preferred lifetime

Types of IPv6 Addresses
  Unicast: Address of a single interface. One-to-one delivery to single interface
  Multicast: Address of a set of interfaces. One-to-many delivery to all interfaces in the set
  Anycast: Address of a set of interfaces. One-to-one-of-many delivery to a single interface in the set that is closest
  No more broadcast addresses

Addressing: Some Special Addresses
  Type                                 Binary                    Hex
  Aggregatable Global Unicast Address  001                       2xxx or 3xxx
  Link Local Unicast Address           1111 1110 10              FE80::/10
  Unique Local Unicast Address         1111 1100 / 1111 1101     FC00::/7: FC00::/8 (registry), FD00::/8 (no registry)
  Multicast Address                    1111 1111                 FF00::/8

Aggregatable Global Unicast Addresses
  Format: 001 (3 bits) | Global Routing Prefix (45 bits, Provider) | SLA (16 bits, Site) | Interface ID (64 bits, Host)
  Aggregatable Global Unicast Addresses Are:
    Addresses for generic use of IPv6
    Structured as a hierarchy to keep the aggregation

Link-Local
  Format (128 bits): 1111 1110 10 (10 bits, FE80::/10) | Remaining 54 bits | Interface ID (64 bits)
  Link-Local Addresses Used for:
    Mandatory address for communication between two IPv6 devices (like ARP but at Layer 3)
    Automatically assigned by router as soon as IPv6 is enabled
    Also used for next-hop calculation in routing protocols
    Only link-specific scope
    Remaining 54 bits could be zero or any manually configured value

Unique-Local
  Format (128 bits): 1111 110 (7 bits, FC00::/7) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID
  Unique-Local Addresses Used for:
    Local communications
    Inter-site VPNs
    Not routable on the Internet

IPv6 Multicast Address
  IP multicast address has a prefix FF00::/8 (1111 1111); the second octet defines the lifetime and scope of the multicast address
  Format: 1111 1111 (8-bit) | Lifetime (4-bit) | Scope (4-bit) | Group-ID (112-bit)
  Lifetime: 0 if Permanent, 1 if Temporary
  Scope: 1 Node, 2 Link, 5 Site, 8 Organization, E Global

Some Well Known Multicast Addresses
  Address             Scope        Meaning
  FF01::1             Node-Local   All Nodes
  FF02::1             Link-Local   All Nodes
  FF01::2             Node-Local   All Routers
  FF02::2             Link-Local   All Routers
  FF05::2             Site-Local   All Routers
  FF02::1:FFXX:XXXX   Link-Local   Solicited-Node
  Note that 02 means that this is a permanent address and has link scope
  More details at http://www.iana.org/assignments/ipv6-multicast-addresses

IPv6 Configurations

IOS IPv6 Addressing Examples (1): Manual Interface Identifier
  Fast0/0
    ipv6 unicast-routing
    !
    interface FastEthernet0/0
     ip address 10.1.151.1 255.255.255.0
     ip pim sparse-mode
     duplex auto
     speed auto
     ipv6 address 2006:1::1/64
     ipv6 enable
     ipv6 nd ra-interval 30
     ipv6 nd prefix 2006:1::/64 300 300
    !

IOS IPv6 Addressing Examples (1): Manual Interface Identifier
  r1#sh ipv6 int fast0/0
  FastEthernet0/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460
    Global unicast address(es):
      2006:1::1, subnet is 2006:1::/64
    Joined group address(es):
      FF02::1
      FF02::2
      FF02::1:FF00:1
      FF02::1:FF5E:9460
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND advertised reachable time is 0 milliseconds
    ND advertised retransmit interval is 0 milliseconds
    ND router advertisements are sent every 30 seconds
    ND router advertisements live for 1800 seconds
    Hosts use stateless autoconfig for addresses.
  r1#sh int fast0/0
  FastEthernet0/0 is up, line protocol is up
    Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)
  r1#
  MAC Address: 0007.505e.9460

IOS IPv6 Addressing Examples (2): EUI-64 Interface Identifier
  Fast0/0
    ipv6 unicast-routing
    !
    interface FastEthernet0/0
     ip address 10.1.151.1 255.255.255.0
     ip pim sparse-mode
     duplex auto
     speed auto
     ipv6 address 2006:1::/64 eui-64
     ipv6 enable
     ipv6 nd ra-interval 30
     ipv6 nd prefix 2006:1::/64 300 300
    !

IOS IPv6 Addressing Examples (2): EUI-64 Interface Identifier
  r1#sh ipv6 int fast0/0
  FastEthernet0/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460
    Global unicast address(es):
      2006:1::207:50FF:FE5E:9460, subnet is 2006:1::/64
    Joined group address(es):
      FF02::1
      FF02::2
      FF02::1:FF5E:9460
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND advertised reachable time is 0 milliseconds
    ND advertised retransmit interval is 0 milliseconds
    ND router advertisements are sent every 30 seconds
    ND router advertisements live for 1800 seconds
    Hosts use stateless autoconfig for addresses.
  r1#sh int fast0/0
  FastEthernet0/0 is up, line protocol is up
    Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)
  r1#
  MAC Address: 0007.505e.9460

Multicast Mapping over Ethernet
  IPv6 Multicast Address: FF02 0000 0000 0000 0000 0001 FF17 FC0F
  Corresponding Ethernet Address: 33 33 FF 17 FC 0F (33 33 = Multicast Prefix for Ethernet Multicast)
  Mapping of IPv6 multicast address to Ethernet address is: 33:33:<last 32 bits of the IPv6 multicast address>

Solicited-Node Multicast Address
  For each unicast and anycast address configured there is a corresponding solicited-node multicast
  This is specially used for two purposes: the replacement of ARP, and DAD
  Used in neighbor solicitation messages
  Multicast address with a link-local scope
  Solicited-node multicast consists of prefix + lower 24 bits from unicast: FF02::1:FF + <lower 24 bits>

Router Interface
  R1#sh ipv6 int e0
  Ethernet0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
    No global unicast address is configured
    Joined group address(es):
      FF02::1
      FF02::2
      FF02::1:FF3A:8B18   <- Solicited-Node Multicast Address
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND advertised reachable time is 0 milliseconds
    ND advertised retransmit interval is 0 milliseconds
    ND router advertisements are sent every 200 seconds
    ND router advertisements live for 1800 seconds
    Hosts use stateless autoconfig for addresses.
  R1#

Anycast
Anycast Address Assignment
  Anycast allows a source node to transmit IP datagrams to a single destination node out of a group of destination nodes with the same subnet id, based on the routing metrics
  Only routers should respond to anycast addresses
  Routers along the path to the destination just process the packets based on network prefix
  Routers configured to respond to anycast packets will do so when they receive a packet sent to the anycast address

Anycast Address
  Subnet Router Anycast Address (RFC 4291), 128 bits: Prefix (n bits) | 00000…0 ((128-n) bits)
  Reserved Subnet Anycast Address (RFC 2526), 128 bits: Prefix (n bits) | 111111X111111…111 | Anycast ID (7 bits); X = 0 if EUI-64 format, X = 1 if non-EUI-64 format
  Sy ntactically the same as a Unicast address
  Is one-to-nearest type of address
  Has a current limited use
  Use Example: Mobile IPv6 Home-Agent Anycast Address

IPv6 Address Allocation Process
Partition of Allocated IPv6 Address Space

IPv6 Address Allocation Process
Partition of Allocated IPv6 Address Space (Cont.)
  Lowest-Order 64-bit field of unicast address may be assigned in several different ways:
    • Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
    • Auto-generated pseudo-random number (to address privacy concerns)
    • Assigned via DHCP
    • Manually configured

IPv6 Interface Identifier
  Cisco uses the EUI-64 format to do stateless auto-configuration
  This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
    00 90 27 17 FC 0F  →  00 90 27 FF FE 17 FC 0F  →  02 90 27 FF FE 17 FC 0F
  To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local ("u") bit is set to 1 for global scope and 0 for local scope
    000000U0 where U = 1 = Unique, U = 0 = Not Unique
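An added Python example (mine, not from the deck) that derives what the slides above describe from a MAC address: the modified EUI-64 interface ID (FFFE inserted, U/L bit flipped), the link-local and autoconfigured global addresses, the solicited-node multicast group and its 33:33 Ethernet mapping. The MAC and prefix values are the ones shown in the deck's r1 output; the function names are mine.

```python
import ipaddress

# FF02::1:FF00:0/104, i.e. the first 13 octets of a solicited-node address.
SOLICITED_NODE_PREFIX = bytes.fromhex("ff0200000000000000000001ff")


def normalize_mac(mac):
    """Accept 00:07:50:5e:94:60, 00-07-50-5E-94-60 or IOS-style 0007.505e.9460."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: " + mac)
    return octets


def eui64_interface_id(mac):
    """Expand a 48-bit MAC to the 64-bit modified EUI-64 interface identifier:
    insert FF FE between the OUI and the device part, then invert the
    universal/local bit (bit 1 of the first octet, the U in 000000U0)."""
    octets = normalize_mac(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac):
    """FE80::/64 plus the EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def autoconfigured_address(prefix, mac):
    """Stateless autoconfiguration: advertised /64 prefix + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix: " + prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node_multicast(addr):
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast/anycast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + low24)


def ethernet_multicast_mac(addr):
    """33:33 followed by the last 32 bits of the IPv6 multicast address."""
    group = ipaddress.IPv6Address(addr)
    if not group.is_multicast:
        raise ValueError("not a multicast address: " + addr)
    return "33:33:" + ":".join("%02x" % b for b in group.packed[12:])


def interface_view(prefix, mac):
    """Addresses and joined groups an interface derives from its MAC, in the
    shape of the deck's 'sh ipv6 int' output (computed here, not router output).
    With EUI-64 the link-local and global addresses share one solicited-node group."""
    ll = link_local_address(mac)
    gua = autoconfigured_address(prefix, mac)
    groups = {solicited_node_multicast(ll), solicited_node_multicast(gua)}
    joined = [ipaddress.IPv6Address("ff02::1"), ipaddress.IPv6Address("ff02::2")] + sorted(groups)
    return {"link_local": ll, "global": gua, "joined": joined,
            "ethernet_groups": [ethernet_multicast_mac(str(g)) for g in joined]}
```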

IPv6 Addressing
  = 5.23 * 10^28 = 52 thousand trillion trillion per person
  52 300 Trillion Trillion = 5.23 * 10^17

Lots of addresses it is…
  Milky way ~ 200 to 400 Billion stars…
  10^6 IP addresses per brain cell per sentient being in the galaxy…

ICMP, ND, DNS, DHCP, Routing, ACL…

ICMPv6
  Internet Control Message Protocol version 6
  RFC 2463
  Modification of ICMP from IPv4
  Message types are similar (but different types/codes)
    Destination unreachable (type 1)
    Packet too big (type 2)
    Time exceeded (type 3)
    Parameter problem (type 4)
    Echo request/reply (type 128 and 129)

ICMPv6 Message Fields
  Type—identifies the message or action needed
  Code—is a type-specific sub-identifier. For example, Destination Unreachable can mean no route, administratively prohibited, port unreachable, etc.
  Checksum—computed over the entire ICMPv6 message prepended with a pseudo-header; the pseudo-header carries a single-octet Next Header value
  Next Header in IPv6 will have a value of 58 for ICMP

Autoconfiguration
  Mac Address: 00:2c:04:00:FE:56
  Router Sends Network-Type Information (Prefix, Default Route, …)
  Host Autoconfigured Address Is: Prefix Received + Link-Layer Address
  Larger Address Space Enables:
    The use of link-layer addresses inside the address space
    Autoconfiguration with "no collisions"
    Offers "plug and play"

Renumbering
  Mac Address: 00:2c:04:00:FE:56
  Router Sends New Network-Type Information (Prefix, Default Route, …)
    Data = Two prefixes: Current prefix (to be deprecated), with short lifetimes; New prefix (to be used), with normal lifetimes
  Host Autoconfigured Address Is: New Prefix Received + Link-Layer Address
  Larger Address Space Enables:
    Renumbering, using autoconfiguration and multiple addresses

Renumbering (Cont.)
  Router Advertisements carry two prefixes:
    New Network Prefix: 2001:db8:c18:2::/64
    Deprecated Prefix: 2001:db8:c18:1::/64
  Router Configuration after Renumbering:
    interface Ethernet0
     ipv6 nd prefix 2001:db8:c18:1::/64 43200 0
     ipv6 nd prefix 2001:db8:c18:2::/64 43200 43200
    or:
    interface Ethernet0
     ipv6 nd prefix 2001:db8:c18:1::/64 at Jul 31 2008 23:59 Jul 20 2008 23:59
     ipv6 nd prefix 2001:db8:c18:2::/64 43200 43200
  Host Configuration: Autoconfiguring IPv6 Hosts
    deprecated address 2001:db8:c18:1:260:8ff:fede:8fbe
    preferred address 2001:db8:c18:2:260:8ff:fede:8fbe

DHCPv6
  Updated version of DHCP for IPv4
  Client detects the presence of routers on the link
  If found, then examines router advertisements to determine if DHCP can or should be used
  If no router found or if DHCP can be used, then DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address

DHCPv6 Operation
  Client → Relay: Solicit; Relay → Server: Relay-Fwd w/ Solicit
  Server → Relay: Relay-Reply w/ Advertise; Relay → Client: Advertise
  Client → Relay: Request; Relay → Server: Relay-Fwd w/ Request
  Server → Relay: Relay-Reply w/ Reply; Relay → Client: Reply
  All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
  All_DHCP_Servers (FF05::1:3)
  DHCP Messages: Clients listen on UDP port 546, servers and relay agents listen on UDP port 547

Stateful/Stateless DHCPv6
  Stateful and Stateless DHCPv6 Server
    Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
    Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
    Dibbler: http://klub.com.pl/dhcpv6/
  DHCPv6 Relay—12.3(11)T/12.2(28)SB and higher
    interface FastEthernet0/1
     description CLIENT LINK
     ipv6 address 2001:DB8:CAFE:11::1/64
     ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
     ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
  Figure: IPv6 Enabled Host, Network, DHCPv6 Server

Basic DHCPv6 Message Exchange
  DHCPv6 Client ↔ DHCPv6 Relay Agent ↔ DHCPv6 Server
  Solicit(IA_NA)           → Relay-Forw(Solicit(IA_NA))
  Advertise(IA_NA(addr))   ← Relay-Repl(Advertise(IA_NA(addr)))
  Request(IA_NA)           → Relay-Forw(Request(IA_NA))
  Reply(IA_NA(addr))       ← Relay-Repl(Reply(IA_NA(addr)))
  Address Assigned
  Timer Expiring:
  Renew(IA_NA(addr))       → Relay-Forw(Renew(IA_NA(addr)))
  Reply(IA_NA(addr))       ← Relay-Repl(Reply(IA_NA(addr)))
  Shutdown, link down, Release:
  Release(IA_NA(addr))     → Relay-Forw(Release(IA_NA(addr)))
  Reply(IA_NA(addr))       ← Relay-Repl(Reply(IA_NA(addr)))

CNR/W2K8—DHCPv6

IPv6 General Prefix
  Provides an easy/fast way to deploy prefix changes
  Example: 2001:db8:cafe::/48 = General Prefix
  Fill in interface specific fields after prefix: "ESE ::11:0:0:0:1" = 2001:db8:cafe:11::1/64
    ipv6 unicast-routing
    ipv6 cef
    ipv6 general-prefix ESE 2001:DB8:CAFE::/48
    !
    interface GigabitEthernet3/2
     ipv6 address ESE ::2/126
     ipv6 cef
    !
    interface GigabitEthernet1/2
     ipv6 address ESE ::E/126
     ipv6 cef
    !
    interface Vlan11
     ipv6 address ESE ::11:0:0:0:1/64
     ipv6 cef
    !
    interface Vlan12
     ipv6 address ESE ::12:0:0:0:1/64
     ipv6 cef
  Global unicast address(es):
    2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64

Neighbor Discovery
  Replaces ARP, ICMP (redirects, router discovery)
  Reachability of neighbors
  Hosts use it to discover routers, auto configuration of addresses
  Duplicate Address Detection (DAD)

Neighbor Discovery
  Neighbor discovery uses ICMPv6 messages, originated from node on link local with hop limit of 255
  Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options
  Five neighbor discovery messages
    1. Router solicitation (ICMPv6 type 133)
    2. Router advertisement (ICMPv6 type 134)
    3. Neighbor solicitation (ICMPv6 type 135)
    4. Neighbor advertisement (ICMPv6 type 136)
    5. Redirect (ICMPv6 type 137)

Router Solicitation and Advertisement
  1. RS—ICMP Type = 133 (RS); Src = link-local address (FE80::1/10); Dst = all-routers multicast address (FF02::2); Query = please send RA
  2. RA—ICMP Type = 134 (RA); Src = link-local address (FE80::2/10); Dst = all-nodes multicast address (FF02::1); Data = options, subnet prefix, lifetime, autoconfig flag
  Router solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces
  Routers send periodic Router Advertisements (RA) to the all-nodes multicast address

Neighbor Solicitation and Advertisement
  A → B  Neighbor Solicitation: ICMP type = 135; Src = A; Dst = Solicited-node multicast of B; Data = link-layer address of A; Query = what is your link address?
  B → A  Neighbor Advertisement: ICMP type = 136; Src = B; Dst = A; Data = link-layer address of B
  A and B can now exchange packets on this link
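The Neighbor Solicitation exchange above and the checksum/pseudo-header rule from the ICMPv6 Message Fields slide, as one added Python example (mine, not from the deck): it builds an NS to the target's solicited-node group, computes the checksum over the pseudo-header with Next Header 58, and validates a received NS including the hop-limit-255 rule. The addresses and MAC are constructed from values in the deck's show output; function names are mine.

```python
import ipaddress
import struct

ICMPV6 = 58                     # IPv6 Next Header value for ICMPv6
NEIGHBOR_SOLICITATION = 135
OPT_SOURCE_LINK_LAYER = 1
ND_HOP_LIMIT = 255              # ND messages are on-link only: hop limit must be 255


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry, padding odd lengths."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, length):
    """IPv6 pseudo-header: source, destination, upper-layer length, three zero
    octets and the single-octet Next Header value 58."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([ICMPV6]))


def icmpv6_checksum(src, dst, message):
    """Checksum over pseudo-header + whole message, checksum field taken as zero."""
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return (~ones_complement_sum(pseudo_header(src, dst, len(message)) + zeroed)) & 0xFFFF


def icmpv6_checksum_ok(src, dst, message):
    """A received message verifies when the sum including its checksum is 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(message)) + message) == 0xFFFF


def solicited_node(target):
    """FF02::1:FF00:0/104 + low 24 bits of the target (see the Solicited-Node slide)."""
    low24 = ipaddress.IPv6Address(target).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def build_neighbor_solicitation(src, target, src_mac=None):
    """NS as on the slide: type 135, Dst = solicited-node multicast of the target,
    Data = source link-layer address option. With src '::' (DAD) no option is sent."""
    dst = str(solicited_node(target))
    msg = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0)   # type, code, csum, reserved
    msg += ipaddress.IPv6Address(target).packed
    if src != "::" and src_mac is not None:
        mac = bytes.fromhex(src_mac.replace(":", ""))
        msg += bytes([OPT_SOURCE_LINK_LAYER, 1]) + mac              # option length 1 = 8 octets
    csum = icmpv6_checksum(src, dst, msg)
    return dst, msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_neighbor_solicitation(src, dst, msg, hop_limit=ND_HOP_LIMIT):
    """Validate and decode an NS; returns (target, options) or raises ValueError."""
    if hop_limit != ND_HOP_LIMIT:
        raise ValueError("ND message with hop limit %d did not originate on-link" % hop_limit)
    if len(msg) < 24 or msg[0] != NEIGHBOR_SOLICITATION or msg[1] != 0:
        raise ValueError("not a Neighbor Solicitation")
    if not icmpv6_checksum_ok(src, dst, msg):
        raise ValueError("bad ICMPv6 checksum")
    target = ipaddress.IPv6Address(msg[8:24])
    if target.is_multicast:
        raise ValueError("NS target must be unicast or anycast")
    options, off = {}, 24
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            raise ValueError("malformed ND option")
        olen = msg[off + 1] * 8
        if off + olen > len(msg):
            raise ValueError("ND option runs past message")
        options[msg[off]] = msg[off + 2:off + olen]
        off += olen
    return target, options


def ns_is_valid(src, dst, msg, hop_limit=ND_HOP_LIMIT):
    """Boolean wrapper around parse_neighbor_solicitation()."""
    try:
        parse_neighbor_solicitation(src, dst, msg, hop_limit)
        return True
    except ValueError:
        return False
```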

IPv6 and DNS
                          IPv4                                            IPv6
  Hostname to IP address  A record:                                       AAAA record:
                          www.abc.test. A 192.168.30.1                    www.abc.test AAAA 3FFE:B00:C18:1::2
  IP address to hostname  PTR record:                                     PTR record:
                          1.30.168.192.in-addr.arpa. PTR www.abc.test.    2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.

Routing: The IPv4 – IPv6 Parallel Slalom
  RIP:   RIPv2 for IPv4 / RIPng for IPv6. Distinct but similar protocols with RIPng taking advantage of IPv6 specificities
  OSPF:  OSPFv2 for IPv4 / OSPFv3 for IPv6. Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities
  IS-IS: Extended to support IPv6. Natural fit to some of the IPv6 foundational concepts. Supports Single and Multi Topology operation
  EIGRP: Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE). Some changes reflecting IPv6 characteristics
  BGP:   New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/Multicast/Label/VPN. Peering over IPv6 or IPv4 (route maps)
  For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts
  IPv6 IGPs have additional features that could lead to new designs

RIPng (RFC 2080)

Enhanced Routing Protocol Support: RIPng Overview (RFC 2080)
  RIPv2 packet: command | version | must be zero | Address Family Identifier | Route Tag | IPv4 Address | Subnet Mask | Next Hop | Metric
  RIPng packet: command | version | must be zero | IPv6 prefix | route tag | prefix len | metric
  Similar characteristics as IPv4: Distance-vector, hop limit of 15, split-horizon, multicast based (FF02::9), UDP port (521) etc.
  Updated features for IPv6: IPv6 prefix & prefix len
  Special Handling for the NH: Route tag and prefix len for NH is all 0, Metric will have 0xFF, NH must be link local

Enhanced Routing Protocol Support: RIPng Configuration and Display
  Topology: Router 1 with Ethernet0 on LAN1 (2001:db8:c18:1::/64) and Ethernet1 on LAN2 (2001:db8:c18:2::/64); Router 2 with Ethernet0 = 2001:db8:c18:1:260:3eff:fe47:1530 on LAN1, originating ::/0
  Router1#
    ipv6 router rip RT0
    interface Ethernet0
     ipv6 address 2001:db8:c18:1::/64 eui-64
     ipv6 rip RT0 enable
    interface Ethernet1
     ipv6 address 2001:db8:c18:2::/64 eui-64
     ipv6 rip RT0 enable
  Router2#
    ipv6 router rip RT0
    interface Ethernet0
     ipv6 address 2001:db8:c18:1::/64 eui-64
     ipv6 rip RT0 enable
     ipv6 rip RT0 default-information originate
  Router2# debug ipv6 rip
    RIPng: Sending multicast update on Ethernet0 for RT0
      src=FE80::260:3eff:fe47:1530 (Link-Local src Address)
      dst=FF02::9 (Ethernet0) (Multicast All RIP-Routers)
      sport=521, dport=521, length=32
      command=2, version=1, mbz=0, #rte=1
      tag=0, metric=1, prefix=::/0
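An added Python example (mine, not from the deck) for the RIPng packet layout and next-hop rule on the two slides above: it encodes and decodes messages in the 4-octet-header plus 20-octet-RTE format, emits a next-hop RTE with metric 0xFF, and rejects a non-link-local next hop. The default-route update it builds has the fields of the Router2 debug output (24 octets of RIPng, consistent with the reported length=32 once the 8-octet UDP header is counted); function names are mine.

```python
import ipaddress
import struct

RIPNG_PORT = 521
RIPNG_GROUP = "ff02::9"        # all RIP routers, link scope
RIPNG_VERSION = 1
REQUEST, RESPONSE = 1, 2
NEXT_HOP_METRIC = 0xFF          # marks a next-hop RTE
INFINITY = 16
HEADER = struct.Struct("!BBH")  # command, version, must-be-zero
RTE = struct.Struct("!HBB")     # route tag, prefix length, metric (after the 16-octet prefix)


def is_valid_next_hop(addr):
    """RIPng next hops must be link-local (FE80::/10)."""
    return ipaddress.IPv6Address(addr).is_link_local


def encode_ripng(command, rtes, next_hop=None):
    """Build a RIPng message: 4-octet header then 20-octet RTEs.
    rtes is a list of (prefix, route_tag, metric). If next_hop is given, a
    next-hop RTE (tag 0, prefix len 0, metric 0xFF) is emitted first so that it
    applies to the RTEs that follow."""
    if command not in (REQUEST, RESPONSE):
        raise ValueError("unknown command %d" % command)
    out = HEADER.pack(command, RIPNG_VERSION, 0)
    if next_hop is not None:
        if not is_valid_next_hop(next_hop):
            raise ValueError("next hop must be link-local: " + next_hop)
        out += ipaddress.IPv6Address(next_hop).packed + RTE.pack(0, 0, NEXT_HOP_METRIC)
    for prefix, tag, metric in rtes:
        net = ipaddress.IPv6Network(prefix)
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric out of range: %d" % metric)
        out += net.network_address.packed + RTE.pack(tag, net.prefixlen, metric)
    return out


def decode_ripng(data):
    """Parse a RIPng message into (command, routes); each route is
    (prefix, tag, metric, next_hop) with next_hop None meaning 'the sender'."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % 20:
        raise ValueError("RIPng message length %d is not 4 + n*20" % len(data))
    command, version, mbz = HEADER.unpack_from(data, 0)
    if version != RIPNG_VERSION or mbz != 0:
        raise ValueError("bad version or must-be-zero field")
    routes, next_hop = [], None
    for off in range(HEADER.size, len(data), 20):
        prefix = ipaddress.IPv6Address(data[off:off + 16])
        tag, plen, metric = RTE.unpack_from(data, off + 16)
        if metric == NEXT_HOP_METRIC:
            if tag != 0 or plen != 0:
                raise ValueError("next-hop RTE must have zero tag and prefix length")
            if prefix == ipaddress.IPv6Address("::"):
                next_hop = None                      # '::' resets to the sender
            elif prefix.is_link_local:
                next_hop = str(prefix)
            else:
                raise ValueError("next hop must be link-local: %s" % prefix)
            continue
        if plen > 128 or not 1 <= metric <= INFINITY:
            raise ValueError("bad prefix length or metric in RTE at offset %d" % off)
        network = ipaddress.IPv6Network((int(prefix), plen), strict=False)
        if int(network.network_address) != int(prefix):
            raise ValueError("host bits set in RTE prefix at offset %d" % off)
        routes.append((str(network), tag, metric, next_hop))
    return command, routes
```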

Access Lists

Cisco IOS Standard Access Lists
When Used for Traffic Filtering, IPv6 Standard Access Control Lists (ACL) Offer the Following Functions:
  Can filter traffic based on source and destination address
  Can filter traffic inbound or outbound on a specific interface
  Can add priority to the ACL
  Implicit "deny all" at the end of access list

IPv6 Access-List Example
  Filtering outgoing traffic from unique-local source addresses
  Topology: Ethernet0 → IPv6 Internet; Global prefix: 2001:0db8:c18:2::/64; Unique-local prefix: fc00:0:0:2::/64
    ipv6 access-list blocksite deny fc00:0:0:2::/64 any
    ipv6 access-list blocksite permit any any
    interface Ethernet0
     ipv6 traffic-filter blocksite out

Coexistence

IPv4-IPv6 Transition/Coexistence
  A wide range of techniques have been identified and implemented, basically falling into three categories:
    1. Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
    2. Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
    3. Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
  Expect all of these to be used, in combination

Dual Stack Approach
  Figure: Application / IPv6-enabled Application → TCP, UDP → IPv4 (Frame Protocol ID 0x0800) and IPv6 (0x86dd) → Data Link (Ethernet)
  Dual stack node means:
    – Both IPv4 and IPv6 stacks enabled
    – Applications can talk to both
    – Choice of the IP version is based on name lookup and application preference

Host Running Dual Stack
  Figure: the host asks the DNS Server "www.a.com = * ?" and receives 2001:db8::1 (IPv6) and 10.1.1.1 (IPv4)
  In a Dual Stack Case, an Application that:
    Is IPv4 and IPv6-enabled
    Asks the DNS for all types of addresses
    Chooses one address and, for example, connects to the IPv6 address

Cisco IOS Dual Stack Configuration
  IPv6 and IPv4 Network: Dual-Stack Router (IPv4: 192.168.99.1, IPv6: 2001:db8:213:1::/64 eui-64)
  router# ipv6 unicast-routing
  interface Ethernet0
   ip address 192.168.99.1 255.255.255.0
   ipv6 address 2001:db8:213:1::/64 eui-64
  Cisco IOS® Is IPv6-Enabled:
    If IPv4 and IPv6 are configured on one interface, the router is dual-stacked
    Telnet, Ping, Traceroute, SSH, DNS client, TFTP, etc.

Tunneling

Tunneling: Many Ways to Do Tunneling
- Some ideas same as before: GRE, IP in IP
- Native IP over data link layers: ATM PVC, Frame Relay PVC, Sonet/SDH, MPLS, dWDM Lambda, Serial, Ethernet
- Some new techniques: automatic tunnels using IPv4-compatible IPv6 addresses, 6to4, ISATAP

Using Tunnels for IPv6 Deployment
- Many techniques are available to establish a tunnel:
  - Manually configured
    - Manual tunnel (RFC 2893, since obsoleted by RFC 4213)
    - GRE (RFC 2784)
  - Automatic
    - IPv4-compatible addresses (RFC 2893): deprecated by RFC 4213
    - 6to4 (RFC 3056)
    - 6over4 (RFC 2529): deprecated
    - ISATAP (RFC 4214, since obsoleted by RFC 5214)
    - Teredo (RFC 4380)

Manually Configured GRE Tunnel
[Figure: Dual-Stack Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Dual-Stack Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), each fronting an IPv6 network, connected across an IPv4 network]

    router1#
    interface Tunnel0
     ipv6 enable
     ipv6 address 2001:db8:c18:1::3/128
     tunnel source 192.168.99.1
     tunnel destination 192.168.30.1
     tunnel mode gre ipv6

    router2#
    interface Tunnel0
     ipv6 enable
     ipv6 address 2001:db8:c18:1::2/128
     tunnel source 192.168.30.1
     tunnel destination 192.168.99.1
     tunnel mode gre ipv6

Manually Configured IPv6 over IPv4 Tunnel
[Figure: Dual-Stack Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Dual-Stack Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), each fronting an IPv6 network, connected across an IPv4 network]

    router1#
    interface Tunnel0
     ipv6 enable
     ipv6 address 2001:db8:c18:1::3/127
     tunnel source 192.168.99.1
     tunnel destination 192.168.30.1
     tunnel mode ipv6ip

    router2#
    interface Tunnel0
     ipv6 enable
     ipv6 address 2001:db8:c18:1::2/127
     tunnel source 192.168.30.1
     tunnel destination 192.168.99.1
     tunnel mode ipv6ip

- ipv6ip carries IPv6 directly in IPv4 (protocol 41); the GRE variant on the previous slide uses protocol 47 with a GRE header in between
- Neither variant authenticates the far end: a router decapsulates anything that arrives with the configured tunnel destination as its IPv4 source. Filter protocol 41 (or 47) at the border so it is only accepted between the two endpoint addresses, and keep in mind that source addresses can be spoofed, so this is a reachability control, not authentication

6to4 Tunneling

Automatic 6to4 Tunnels
- Automatic 6to4 tunnels allow isolated IPv6 domains to connect over an IPv4 network
- Unlike manually configured tunnels, 6to4 tunnels are not point-to-point; they are multipoint tunnels
- The IPv4 address embedded in the IPv6 address is used to find the other end of the tunnel
- Address format is 2002:<IPv4 address>::/48

Automatic 6to4 Tunnel (RFC 3056)
[Figure: IPv6 Host A in an IPv6 network with prefix 2002:c0a8:6301::/48 behind a 6to4 router whose IPv4 address is 192.168.99.1; across the IPv4 network, a 6to4 router with IPv4 address 192.168.30.1 fronts the IPv6 network 2002:c0a8:1e01::/48 and IPv6 Host B]
- 6to4:
  - Is an automatic tunnel method
  - Gives a prefix to the attached IPv6 network
- 6to4 address layout: 2002::/16 | public IPv4 address (site prefix ends at /48) | SLA, i.e. subnet (ends at /64) | interface ID

Automatic 6to4 Tunnel (RFC 3056)
[Figure: packet flow. IPv6 Host A (2002:c0a8:6301::1) sends an IPv6 packet with S=2002:c0a8:6301::1, D=2002:c0a8:1e01::2 to its 6to4 router (192.168.99.1), which encapsulates it in IPv4 towards the 6to4 router at 192.168.30.1, which decapsulates it and delivers it to IPv6 Host B (2002:c0a8:1e01::2)]
- Tunnel: IPv6 in IPv4 packet
  - IPv4 header: S(v4)=192.168.99.1, D(v4)=192.168.30.1 (the destination is read out of bits 16 to 47 of the IPv6 destination address)
  - IPv6 header: S(v6)=2002:c0a8:6301::1, D(v6)=2002:c0a8:1e01::2
  - IPv6 data

Automatic 6to4 Configuration
[Figure: 6to4 Router1 (E1 at 192.168.99.1, IPv6 network prefix 2002:c0a8:6301::/48) and 6to4 Router2 (E1 at 192.168.30.1, IPv6 network prefix 2002:c0a8:1e01::/48) across an IPv4 network]

    router1#
    interface Ethernet0
     ipv6 address 2002:c0a8:6301:1::/64 eui-64
    interface Ethernet1
     ip address 192.168.99.1 255.255.255.0
    interface Tunnel0
     ipv6 unnumbered Ethernet0
     tunnel source Ethernet1
     tunnel mode ipv6ip 6to4
    ipv6 route 2002::/16 Tunnel0

    router2#
    interface Ethernet0
     ipv6 address 2002:c0a8:1e01:1::/64 eui-64
    interface Ethernet1
     ip address 192.168.30.1 255.255.255.0
    interface Tunnel0
     ipv6 unnumbered Ethernet0
     tunnel source Ethernet1
     tunnel mode ipv6ip 6to4
    ipv6 route 2002::/16 Tunnel0

Automatic 6to4 Configuration (adding a third site)
[Figure: 6to4 Router1 (192.168.99.1, 2002:c0a8:6301::/48), 6to4 Router2 (192.168.30.1, 2002:c0a8:1e01::/48) and 6to4 Router3 (192.168.20.1, 2002:c0a8:1401::/48) across the same IPv4 network]
- Router1 and Router2 keep the configuration of the previous slide; nothing on them changes when a site is added, since the tunnel is multipoint and the 2002::/16 route already covers the new prefix

    router3#
    interface Ethernet0
     ipv6 address 2002:c0a8:1401:1::/64 eui-64
    interface Ethernet1
     ip address 192.168.20.1 255.255.255.0
    interface Tunnel0
     ipv6 unnumbered Ethernet0
     tunnel source Ethernet1
     tunnel mode ipv6ip 6to4
    ipv6 route 2002::/16 Tunnel0

Automatic 6to4 Relay
[Figure: 6to4 Router1 (192.168.99.1, network prefix 2002:c0a8:6301::/48) across the IPv4 network to a 6to4 Relay (192.168.30.1, network prefix 2002:c0a8:1e01::/48), which also connects to the IPv6 Internet and to an IPv6 site network]
- 6to4 Relay:
  - Is a gateway to the rest of the IPv6 Internet
  - Is a default router for the 6to4 sites

Automatic 6to4 Relay Configuration
[Figure: 6to4 Router1 (E1 at 192.168.99.1, network prefix 2002:c0a8:6301::/48) across the IPv4 network to the 6to4 Relay, whose IPv6 address is 2002:c0a8:1e01::1 (IPv4 192.168.30.1), connected to the IPv6 Internet]

    router1#
    interface Ethernet0
     ipv6 address 2002:c0a8:6301:1::/64 eui-64
    interface Ethernet1
     ip address 192.168.99.1 255.255.255.0
    interface Tunnel0
     no ip address
     ipv6 unnumbered Ethernet0
     tunnel source Ethernet1
     tunnel mode ipv6ip 6to4
    ipv6 route 2002::/16 Tunnel0
    ipv6 route ::/0 2002:c0a8:1e01::1

- The default route points at the relay's 6to4 address; the tunnel extracts 192.168.30.1 from it as the IPv4 destination for every non-2002::/16 packet

Automatic 6to4 Tunnels: Requirements for 6to4
- Border router must be dual stack with a global IPv4 address (the 192.168.x.x addresses in the examples are private; a 2002: prefix built from them only works inside one private IPv4 network)
- Interior routing protocol for IPv6 is required
- DNS for IPv6
- Security: a 6to4 router decapsulates protocol-41 packets from any IPv4 source, and relay traffic is unauthenticated in both directions. RFC 3964 lists the checks a 6to4 router should make (in particular that the outer IPv4 source matches the IPv4 embedded in a 6to4 inner source). The public anycast relay (192.88.99.1, RFC 3068) was deprecated by RFC 7526 in 2015
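The forwarding decision and encapsulation described on the 6to4 slides, from the packet-flow diagram through the "ipv6 route 2002::/16 Tunnel0" and "ipv6 route ::/0 2002:c0a8:1e01::1" routes, as an added Python example (not code from the original deck or from Cisco IOS): derive a site prefix from a router's IPv4 address, pick the outer IPv4 destination the way the router's route table does, build and strip the protocol-41 encapsulation, and apply the RFC 3964 source-consistency check. The 192.168.x.x addresses are the slides' own; the require_global flag exists only so those private examples can be run, and the anycast fallback is the RFC 3068 address.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
IP_PROTO_IPV6 = 41                                     # IPv6-in-IPv4, "tunnel mode ipv6ip"
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 relay anycast (deprecated by RFC 7526)


def sixto4_prefix(router_v4):
    """Site prefix 2002:<IPv4>::/48 that a 6to4 router hands to its IPv6 network."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    return ipaddress.IPv6Network("2002:%x:%x::/48" % (v4 >> 16, v4 & 0xFFFF))


def embedded_ipv4(addr_v6):
    """IPv4 address carried in bits 16-47 of a 6to4 address, or None if not 2002::/16."""
    v6 = ipaddress.IPv6Address(addr_v6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst_v6, relay_v6=None, require_global=True):
    """Outer IPv4 destination the 6to4 router chooses for an IPv6 destination.

    2002::/16 destinations use the IPv4 embedded in the destination itself
    ("ipv6 route 2002::/16 Tunnel0"); everything else goes to the configured
    relay ("ipv6 route ::/0 2002:c0a8:1e01::1") or, with no relay configured,
    to the RFC 3068 anycast address."""
    v4 = embedded_ipv4(dst_v6)
    if v4 is None:
        v4 = embedded_ipv4(relay_v6) if relay_v6 else RELAY_ANYCAST
        if v4 is None:
            raise ValueError("a 6to4 relay must itself have a 2002::/16 address")
    if require_global and v4.is_private:
        # RFC 3056 needs a globally reachable IPv4 endpoint. A 2002: prefix built
        # from 192.168.x.x (as on the slides) only works inside one private network.
        raise ValueError("%s is not globally routable; 6to4 cannot reach it" % v4)
    return v4


def ipv4_checksum(header):
    """Standard ones-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_packet(src_v6, dst_v6, payload=b"", next_header=59):
    """Minimal IPv6 packet (next header 59 = no next header) for the examples."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src_v6).packed,
                       ipaddress.IPv6Address(dst_v6).packed) + payload


def encapsulate(src_v4, dst_v4, inner_ipv6, ttl=64, ident=0):
    """What the tunnel interface does once tunnel_endpoint() has chosen dst_v4:
    prepend an IPv4 header whose protocol field is 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), ident, 0,
                      ttl, IP_PROTO_IPV6, 0,
                      ipaddress.IPv4Address(src_v4).packed,
                      ipaddress.IPv4Address(dst_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner_ipv6


def decapsulate(packet):
    """Reverse of encapsulate(): (outer src, outer dst, inner IPv6 bytes).
    A 6to4 router accepts protocol-41 packets from any IPv4 source, so the outer
    source is the only thing a border filter can key on."""
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]), packet[ihl:])


def consistent(packet):
    """RFC 3964 check for received 6to4 traffic: when the inner IPv6 source is a
    6to4 address, its embedded IPv4 must equal the outer IPv4 source; otherwise
    a third party can inject traffic that appears to come from another site."""
    outer_src, _, inner = decapsulate(packet)
    inner_src = embedded_ipv4(ipaddress.IPv6Address(inner[8:24]))
    return inner_src is None or inner_src == outer_src
```

Run tunnel_endpoint() against the slide's addresses with require_global=False to reproduce the diagram, and with the default to see why a production deployment needs public addresses on the border routers.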

ISATAP Tunneling

Intrasite Automatic Tunnel Address Protocol   RFC 4214   This is for enterprise networks such as corporate and academic networks   Scalable approach for incremental deployment   ISATAP makes your IPv4 infratructure as transport (NBMA) network BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems. Inc. All rights reserved. Cisco Public 86 .

Intra-Site Automatic Tunnel Addressing Protocol
- RFC 4214
- To deploy, a router is identified that carries the ISATAP service
- ISATAP routers need at least one IPv4 interface and zero or more IPv6 interfaces
- DNS entries are created for each ISATAP router's IPv4 address
- Hosts automatically discover the ISATAP routers and get access to the global IPv6 network
- A host can enable ISATAP before any of this is in place, but its ISATAP interface will only have a link-local IPv6 address until the first router appears

Intra-Site Automatic Tunnel Addressing Protocol
- Uses IANA's OUI 00-00-5E and encodes the IPv4 address as part of the EUI-64 interface identifier:
    64-bit unicast prefix | 0000:5EFE: | 32-bit IPv4 address
  (the last two fields together are the 64-bit interface identifier)
- ISATAP is used to tunnel IPv6 within an administrative domain (a site), creating a virtual IPv6 network over the IPv4 network
- Supported in Windows XP Pro SP1 and others

IPv6 Campus ISATAP Configuration
- Supported in Windows XP Pro SP1 and others
- ISATAP connections look like one flat network
- Create a DNS "A" record for "ISATAP" pointing at the ISATAP router's IPv4 address, e.g. 10.1.1.1
- Use static configuration if DNS use is not desired:
    C:\>netsh interface ipv6 isatap set router 10.1.1.1
- Currently ISATAP does not support multicast!!
- ISATAP address format: 64-bit unicast prefix | 0000:5EFE: | 32-bit IPv4 address, for example 2001:DB8:C003:111F:0:5EFE:10.1.1.100
- Treat the "isatap" name like "wpad": whoever can answer that query for your domain becomes the IPv6 default router of every Windows host. Windows Server 2008 DNS blocks both names by default through its global query block list; either register the real record deliberately or make sure the block stays in place

Client Configuration (Linux): ISATAP Tunnels
[Figure: Linux client behind an L3 switch that does not support IPv6, tunneling across to an IPv6-enabled L3 switch/router]
- Requires kernel support for ISATAP (USAGI)
- Modified iproute package (USAGI)
- Must configure the ISATAP router; not automatic
- 10.1.1.100: client IPv4 address; 2001:DB8:C003:111f:0:5efe:10.1.1.100: resulting IPv6 address
- The tunnel is created with the host IP and the router IP (slide labels: "Host IP", "Router IP"):
    # ip tunnel add is0 mode isatap 10.1.1.100 v4any <Router IP> ttl 64
    # ip link set is0 up

Automatic Advertisement of ISATAP Prefix
[Figure: ISATAP Host A across the IPv4 network, through the ISATAP tunnel, to ISATAP Router 1 (E0) and the IPv6 network behind it]
- ICMPv6 Type 133 (Router Solicitation), "send me the ISATAP prefix":
  - IPv4 source 206.123.20.100, IPv4 destination 206.123.31.200
  - IPv6 source fe80::5efe:ce7b:1464, IPv6 destination fe80::5efe:ce7b:1fc8
- ICMPv6 Type 134 (Router Advertisement):
  - IPv4 source 206.123.31.200, IPv4 destination 206.123.20.100
  - IPv6 source fe80::5efe:ce7b:1fc8, IPv6 destination fe80::5efe:ce7b:1464
  - ISATAP prefix: 2001:db8:ffff:2::/64
- The link-local addresses carry the IPv4 addresses in their last 32 bits (ce7b:1464 = 206.123.20.100, ce7b:1fc8 = 206.123.31.200). The host learns the router's IPv4 address from DNS or static configuration, not from the RA; the RA only supplies the prefix

Automatic Address Assignment of Host and Router
[Figure: ISATAP Host A across the IPv4 network and the ISATAP tunnel to ISATAP Router 1 (E0) and the IPv6 network]
- ISATAP Host A: 206.123.20.100, fe80::5efe:ce7b:1464, 2001:db8:ffff:2::5efe:ce7b:1464
- ISATAP Router 1: 206.123.31.200, fe80::5efe:ce7b:1fc8, 2001:db8:ffff:2::5efe:ce7b:1fc8
- ISATAP Host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1 and forms its global address from it
- When ISATAP Host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, it encapsulates them in IPv4; the outer IPv4 source and destination are the addresses embedded in the IPv6 source and destination

Automatic Configuring ISATAP
[Figure: ISATAP Host A (206.123.20.100, fe80::5efe:ce7b:1464, 2001:db8:ffff:2::5efe:ce7b:1464) and ISATAP Host B (206.123.10.100, fe80::5efe:ce7b:a64, 2001:db8:ffff:2::5efe:ce7b:a64) across the IPv4 network to ISATAP Router 1 (206.123.31.200, fe80::5efe:ce7b:1fc8, 2001:db8:ffff:2::5efe:ce7b:1fc8), E0 facing the IPv6 network]

    ISATAP-router1#
    !
    interface Ethernet0
     ip address 206.123.31.200 255.255.255.0
    !
    interface Tunnel0
     ipv6 address 2001:db8:ffff:2::/64 eui-64
     no ipv6 nd suppress-ra
     tunnel source Ethernet0
     tunnel mode ipv6ip isatap

- The tunnel source command must point to an interface with an IPv4 address configured
- Configure the ISATAP IPv6 address and the prefixes to be advertised just as you would with a native IPv6 interface
- The IPv6 address has to be configured as an EUI-64 address, since the last 32 bits of the interface identifier are used as the IPv4 destination address
- "no ipv6 nd suppress-ra" is required because IOS suppresses Router Advertisements on tunnel interfaces by default; without it hosts keep only their link-local ISATAP address
- The tunnel decapsulates protocol-41 packets from any IPv4 source that can reach 206.123.31.200. Restrict it with an IPv4 ACL on the tunnel source interface that permits protocol 41 only from the site's own IPv4 prefixes, and block protocol 41 at the Internet edge
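The address derivation and the RS/RA exchange on the three ISATAP slides above, as an added Python example (not code from the original deck or from Cisco IOS). It builds ISATAP link-local and global addresses from a prefix and an IPv4 address, recovers the IPv4 tunnel endpoints from the addresses (accepting the 0200:5EFE form RFC 5214 allows when the IPv4 address is globally unique, in addition to the 0000:5EFE form on the slides), walks through the bootstrap exchange with the slide's addresses, and applies the two checks an ISATAP router should make on received packets. The RS/RA messages are plain dicts standing in for the ICMPv6 packets; the site prefix list in the check is an assumption about the deployment.

```python
import ipaddress

# Interface identifiers that mark an ISATAP address: 0000:5EFE, or 0200:5EFE
# with the u bit set (RFC 5214) when the embedded IPv4 address is globally unique.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def isatap_address(prefix, ipv4):
    """<prefix>::5efe:<ipv4>; use fe80::/64 for the link-local form."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_ipv4(addr):
    """IPv4 tunnel endpoint encoded in an ISATAP address, or None if the
    interface identifier is not an ISATAP one."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) not in ISATAP_IIDS:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def host_bootstrap(host_v4, router_v4, advertised_prefix):
    """The exchange on the slides, as the host sees it. Returns
    (link-local, RS, RA, global address); RS and RA are dicts standing in for
    the ICMPv6 messages and the IPv4 headers that carry them."""
    link_local = isatap_address("fe80::/64", host_v4)    # exists before any router is known
    router_ll = isatap_address("fe80::/64", router_v4)   # router_v4 came from DNS or netsh
    rs = {"icmpv6_type": 133, "v4_src": host_v4, "v4_dst": router_v4,
          "v6_src": str(link_local), "v6_dst": str(router_ll)}
    ra = {"icmpv6_type": 134, "v4_src": router_v4, "v4_dst": host_v4,
          "v6_src": str(router_ll), "v6_dst": str(link_local),
          "prefix": advertised_prefix}
    global_addr = isatap_address(ra["prefix"], host_v4)  # SLAAC over the ISATAP link
    return link_local, rs, ra, global_addr


def outer_ipv4(src_v6, dst_v6):
    """IPv4 header a host puts on an IPv6 packet to another node on the same
    ISATAP link: both addresses come straight out of the interface identifiers."""
    src4, dst4 = isatap_ipv4(src_v6), isatap_ipv4(dst_v6)
    if src4 is None or dst4 is None:
        raise ValueError("both addresses must be ISATAP addresses")
    return str(src4), str(dst4)


def accept_decapsulated(outer_src_v4, inner_src_v6, site_v4_nets):
    """Checks an ISATAP router should apply to a received protocol-41 packet.
    ISATAP has no authentication, so the outer IPv4 source must be inside the
    site (anyone who can reach the router's IPv4 address could otherwise inject
    IPv6 into the site), and the IPv4 embedded in the inner source must equal
    the outer source (the RFC 5214 decapsulation check), so one host cannot
    spoof another host's address. site_v4_nets is an assumed site prefix list."""
    src = ipaddress.IPv4Address(outer_src_v4)
    if not any(src in ipaddress.IPv4Network(n) for n in site_v4_nets):
        return False
    embedded = isatap_ipv4(inner_src_v6)
    return embedded is not None and embedded == src


if __name__ == "__main__":
    ll, rs, ra, ga = host_bootstrap("206.123.20.100", "206.123.31.200", "2001:db8:ffff:2::/64")
    print("link-local:", ll)
    print("RS:", rs)
    print("RA:", ra)
    print("global:", ga)
```

The str() form of the global address comes out as 2001:db8:ffff:2:0:5efe:ce7b:1464 rather than the slide's 2001:db8:ffff:2::5efe:ce7b:1464; both spell the same address, the former follows RFC 5952 (no "::" for a single zero group).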

What Is Teredo?
- RFC 4380
- Tunnels IPv6 through NATs (NAT types defined in RFC 3489, since replaced by RFC 5389):
  - Full cone NATs (aka one-to-one): supported by Teredo
  - Restricted NATs: supported by Teredo
  - Symmetric NATs: supported by Teredo with Vista/Server 2008, only if a single Teredo client is behind the symmetric NAT
- Uses UDP port 3544
- Is complex: many message sequences for communication, and it has several attack vectors
- Available on:
  - Microsoft Windows XP SP1 with the Advanced Networking Pack
  - Microsoft Windows Server 2003 SP1
  - Microsoft Windows Vista (enabled by default; inactive until an application requires it)
  - Microsoft Windows Server 2008
  - http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
  - Linux, BSD and Mac OS X: "Miredo", http://www.simphalempin.com/dev/miredo/
- Because it rides UDP, Teredo passes any IPv4-only firewall policy that allows outbound UDP, and a host's Teredo address (in 2001::/32) is reachable from the IPv6 Internet. Where that is not wanted, block outbound UDP/3544 and drop 2001::/32 at the edge

Teredo Components
- Teredo Client: dual-stack node that supports Teredo tunneling to other Teredo clients or to IPv6 nodes (via a relay)
- Teredo Server: dual-stack node connected to the IPv4 Internet and the IPv6 Internet; assists in addressing of Teredo clients and in the initial communication between clients and/or IPv6-only hosts; listens on UDP port 3544
- Teredo Relay: dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
- Teredo Host-Specific Relay: dual-stack node connected to the IPv4 Internet and the IPv6 Internet that can communicate with Teredo clients without the need for a Teredo relay

Teredo Overview
[Figure, from the Microsoft "Teredo Overview" paper: two Teredo clients behind NATs on the IPv4 Internet; a Teredo server and a Teredo relay straddle the IPv4 and IPv6 Internets; an IPv6-only host and a Teredo host-specific relay sit on the IPv6 Internet. Client-to-client and client-to-relay traffic is IPv6 over IPv4 (UDP); relay to IPv6-only host is native IPv6]
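The slides do not show the Teredo address layout, which is where most of the operational information lives: the server's IPv4 address, the NAT type flag, and the client's public IPv4 address and UDP port, the last two stored XORed with all-ones so a NAT does not rewrite them. The Python below is an added example (not code from the original deck, from Microsoft or from Miredo): it decodes and rebuilds RFC 4380 addresses using the example address from that RFC, and flags Teredo clients in a constructed set of flow records by the UDP/3544 exchange with the server, which is the reliable detection point because later data flows use arbitrary ports. The flow records are invented for the example.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380 service prefix
TEREDO_PORT = 3544
CONE_FLAG = 0x8000                                   # client is behind a cone NAT


def teredo_parse(addr):
    """Decode a Teredo address into its RFC 4380 fields, or None if addr is not
    in 2001::/32. Layout: 2001:0000 | server IPv4 | flags | ~port | ~client IPv4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO_PREFIX:
        return None
    raw = int(v6)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone": bool(((raw >> 48) & 0xFFFF) & CONE_FLAG),
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,                        # undo obfuscation
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def teredo_address(server_v4, client_v4, client_port, cone):
    """Inverse of teredo_parse(): the address a Teredo server assigns to a client
    whose packets arrive from client_v4:client_port."""
    raw = 0x20010000 << 96
    raw |= int(ipaddress.IPv4Address(server_v4)) << 64
    raw |= (CONE_FLAG if cone else 0) << 48
    raw |= (client_port ^ 0xFFFF) << 32
    raw |= int(ipaddress.IPv4Address(client_v4)) ^ 0xFFFFFFFF
    return ipaddress.IPv6Address(raw)


# Constructed flow records (proto, src, sport, dst, dport, bytes), the shape a
# NetFlow export or firewall log would give you. Not taken from the deck.
SAMPLE_FLOWS = [
    ("udp", "192.0.2.45", 40000, "65.54.227.120", 3544, 123),   # client -> Teredo server
    ("udp", "192.0.2.45", 40000, "198.51.100.9", 41235, 8800),  # client <-> relay or peer
    ("udp", "192.0.2.77", 53, "192.0.2.1", 53, 90),             # DNS, unrelated
    ("tcp", "192.0.2.78", 51000, "203.0.113.4", 443, 4000),     # HTTPS, unrelated
]


def teredo_clients(flows):
    """Internal hosts that talked to a Teredo server: UDP to port 3544."""
    return sorted({src for proto, src, _, _, dport, _ in flows
                   if proto == "udp" and dport == TEREDO_PORT})


if __name__ == "__main__":
    print(teredo_parse("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(teredo_clients(SAMPLE_FLOWS))
```

The parsed fields are also what an attacker learns from any Teredo address they see: the client's public IPv4 address and the NAT mapping's port, which is why the Teredo qualification and bubble procedures are a frequent target.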

Translation, Redundancy, MLD

Legacy Services (IPv4 Only): NAT-PT
[Figure: an IPv6-only host on an IPv6-only segment and an IPv6 server in the IPv6-enabled network; a legacy IPv4 server on an IPv4-only segment, fronted by NAT-PT]
- Many of the non-routing/switching products do not yet support IPv6 (i.e. content switching modules)
- NAT-PT (Network Address Translation-Protocol Translation) is an option to front-end an IPv4-only server. Note: NAT-PT is being moved out of standards track (RFC 4966, 2007, moves it to Historic status)
- Place the NAT-PT box as close to the IPv4-only server as possible
- Be very aware of performance and manageability issues

Configuring Cisco IOS NAT-PT
- NAT-PT enables communication between IPv6-only and IPv4-only nodes
- CEF switching in 12.3(14)T
[Figure: DNS server 192.168.1.100 and an IPv4 host 192.168.1.10 on the F0/1 side; NAT prefix 2010::/96; F0/0 on 2001:DB8:C003:1::/64 with the IPv6 host 2001:DB8:C003:1::10]

    interface FastEthernet0/0
     ipv6 address 2001:DB8:C003:1::1/64
     ipv6 cef
     ipv6 nat
    !
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ipv6 nat prefix 2010::/96
     ipv6 nat
    !
    ipv6 nat v4v6 source 192.168.1.100 2010::100
    ipv6 nat v4v6 source 192.168.1.10 2010::10
    !
    ipv6 nat v6v4 source route-map MAP1 pool V4POOL
    ipv6 nat v6v4 pool V4POOL 192.168.2.1 192.168.2.10 prefix-length 24
    !
    route-map MAP1 permit 10
     match interface FastEthernet0/0

- The two v4v6 lines are static mappings (IPv4 server and DNS server as seen from the IPv6 side); v6v4 traffic arriving on F0/0 gets a source address from the ten-address pool dynamically

NAT-PT Packet Flow
[Figure: IPv6 host 2001:DB8:C003:1::10 on the NAT-PT IPv6 interface; DNS/IPv4 host 192.168.1.10 on the NAT-PT IPv4 interface]
1. Src: 2001:DB8:C003:1::10, Dst: 2010::10 (IPv6 host sends to an address inside the NAT-PT prefix)
2. Src: 192.168.2.1, Dst: 192.168.1.10 (source taken from the dynamic pool V4POOL; destination from the static 2010::10 mapping)
3. Src: 192.168.1.10, Dst: 192.168.2.1 (reply from the IPv4 host)
4. Src: 2010::10, Dst: 2001:DB8:C003:1::10 (both bindings reversed)
- Static binding: 192.168.1.10 <-> 2010::10. Dynamic binding: 2001:DB8:C003:1::10 <-> 192.168.2.1
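A model of the translation state behind the two NAT-PT slides, as an added Python example (not code from the original deck and not the IOS implementation): the /96 NAT prefix, the static v4v6 mappings, the dynamic v6v4 pool, and the four packets of the flow slide run through it, plus the DNS ALG rewrite the IPv6-only host depends on. How the ALG picks between a static mapping and a prefix-embedded address is an assumption of the model; pool exhaustion is handled as an error because the slide's pool holds only ten addresses.

```python
import ipaddress


class NatPT:
    """Translation state for the slide's configuration: 'ipv6 nat prefix',
    'ipv6 nat v4v6 source' (static) and 'ipv6 nat v6v4 ... pool' (dynamic)."""

    def __init__(self, nat_prefix, pool_first, pool_last):
        self.prefix = ipaddress.IPv6Network(nat_prefix)          # ipv6 nat prefix 2010::/96
        if self.prefix.prefixlen != 96:
            raise ValueError("NAT-PT prefix must be a /96")
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self.free = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]  # V4POOL
        self.static_v4v6 = {}      # ipv6 nat v4v6 source <v4> <v6>
        self.static_v6v4 = {}
        self.dyn_v6v4 = {}         # bindings created by the first IPv6 -> IPv4 packet
        self.dyn_v4v6 = {}

    def add_static(self, v4, v6):
        v4, v6 = ipaddress.IPv4Address(v4), ipaddress.IPv6Address(v6)
        if v6 not in self.prefix:
            raise ValueError("static v6 side must be inside the NAT prefix")
        self.static_v4v6[v4] = v6
        self.static_v6v4[v6] = v4

    def v4_as_v6(self, v4):
        """How an IPv4 node appears to the IPv6 side: its static mapping if one
        exists, otherwise the NAT prefix with the IPv4 address in the low 32 bits."""
        v4 = ipaddress.IPv4Address(v4)
        if v4 in self.static_v4v6:
            return self.static_v4v6[v4]
        return ipaddress.IPv6Address(int(self.prefix.network_address) | int(v4))

    def dns_alg(self, a_record):
        """Assumed DNS ALG behaviour: rewrite an A answer into the AAAA the
        IPv6-only host should use (the first step before packet 1 on the slide)."""
        return str(self.v4_as_v6(a_record))

    def v6_to_v4(self, src6, dst6):
        """Packet 1 -> packet 2 on the slide. Returns (src4, dst4)."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst6 not in self.prefix:
            raise ValueError("destination is not in the NAT-PT prefix; route natively")
        if dst6 in self.static_v6v4:
            dst4 = self.static_v6v4[dst6]
        else:
            dst4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)
        if src6 not in self.dyn_v6v4:
            if not self.free:
                raise RuntimeError("V4POOL exhausted: no free IPv4 address for %s" % src6)
            src4 = self.free.pop(0)
            self.dyn_v6v4[src6], self.dyn_v4v6[src4] = src4, src6
        return str(self.dyn_v6v4[src6]), str(dst4)

    def v4_to_v6(self, src4, dst4):
        """Packet 3 -> packet 4 on the slide: only established bindings translate,
        so unsolicited IPv4 traffic towards the pool is dropped."""
        src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
        if dst4 not in self.dyn_v4v6:
            raise ValueError("no binding for %s" % dst4)
        return str(self.v4_as_v6(src4)), str(self.dyn_v4v6[dst4])


if __name__ == "__main__":
    nat = NatPT("2010::/96", "192.168.2.1", "192.168.2.10")
    nat.add_static("192.168.1.100", "2010::100")
    nat.add_static("192.168.1.10", "2010::10")
    print("AAAA handed to the IPv6 host:", nat.dns_alg("192.168.1.10"))
    print("packet 2:", nat.v6_to_v4("2001:db8:c003:1::10", "2010::10"))
    print("packet 4:", nat.v4_to_v6("192.168.1.10", "192.168.2.1"))
```

Note what the model makes visible: the IPv4 server only ever sees pool addresses, so IPv4-side logs and ACLs cannot distinguish IPv6 clients, and the pool of ten addresses caps the number of concurrent IPv6 sources before translation fails.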

SVF   Modification to Neighbor Advertisement. Inc. Router Advertisement. All rights reserved. Router Advertisement—GW is announced via RAs   Virtual MAC derived from GLBP group number and virtual IPv6 link-local address RA Sent Reach-time = 5.First-Hop Router Redundancy HSRP for v6 HSRP Active HSRP Standby   Modification to Neighbor Advertisement. and ICMPv6 redirects   Virtual MAC derived from HSRP group number and virtual IPv6 link-local address GLBP for v6 GLBP AVG. 102 .000 msec Neighbor Unreachability Detection   For rudimentary HA at the first HOP   Hosts use NUD “reachable time” to cycle to next known default gateway (30s by default) Cisco Public BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems. AVF GLBP AVF.

First-Hop Redundancy
- When HSRP, GLBP and VRRP for IPv6 are not available, NUD can be used for rudimentary HA at the first hop (today this only applies to the Campus/DC; HSRP is available on routers):
    (config-if)#ipv6 nd reachable-time 5000
- Hosts use the NUD "reachable time" to cycle to the next known default gateway (30 seconds by default)
- Can be combined with default router preference (RFC 4191) to determine the primary GW:
    (config-if)#ipv6 nd router-preference {high | medium | low}
- Host view with two RA-learned gateways:
    Default Gateway . . . : 10.121.10.1
                            fe80::211:bcff:fec0:d000%4
                            fe80::211:bcff:fec0:c800%4
    Reachable Time        : 6s
    Base Reachable Time   : 5s
  (RFC 4861 randomises the effective reachable time between 0.5 and 1.5 times the advertised base, hence 6 s from a 5 s base)
[Figure: access layer hosts; distribution layer running HSRP for IPv4 and sending RAs with the adjusted reachable-time for IPv6; uplinks to the core layer]

HSRP for IPv6
- Many similarities with HSRP for IPv4
- Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
- No need to configure a GW on hosts (RAs are sent from the HSRP active router)
- Virtual MAC derived from the HSRP group number; the virtual IPv6 link-local address is derived from the virtual MAC
- IPv6 virtual MAC range: 0005.73A0.0000 through 0005.73A0.0FFF (4096 addresses)
- HSRP IPv6 UDP port number 2029 (IANA assigned)
- No HSRP IPv6 secondary address
- No HSRP IPv6 specific debug

    HSRP Active and HSRP Standby:
    interface FastEthernet0/1
     ipv6 address 2001:DB8:66:67::2/64
     ipv6 cef
     standby version 2
     standby 1 ipv6 autoconfig
     standby 1 timers msec 250 msec 800
     standby 1 preempt
     standby 1 preempt delay minimum 180
     standby 1 authentication md5 key-string cisco
     standby 1 track FastEthernet0/0

- Host with the virtual IP as its GW:
    # route -A inet6 | grep ::/0 | grep eth2
    ::/0   fe80::5:73ff:fea0:1   UGDA 1024 0 0 eth2
- "cisco" is the slide's placeholder key-string; the MD5 authentication is the only thing stopping any host on the VLAN from announcing itself as the active router, so use a real key and the same one on both routers
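The derivation behind the host route on this slide, as an added Python example (not code from the original deck or from Cisco IOS): the HSRP-for-IPv6 virtual MAC for a group, the virtual link-local address derived from it, and the inverse lookup. The point worth seeing in code is that the slide's gateway, fe80::5:73ff:fea0:1, is the EUI-64 expansion of 0005.73a0.0001 without the universal/local bit flipped (a standard modified EUI-64 would give fe80::205:73ff:fea0:1), which matters when writing a rule that tells the expected RA source on a VLAN from a rogue one. The RA source list in the example is constructed.

```python
import ipaddress

HSRP_V6_MAC_BASE = 0x000573A00000   # 0005.73A0.0000 .. 0005.73A0.0FFF (12-bit group number)


def hsrp_v6_virtual_mac(group):
    """HSRP for IPv6 virtual MAC of a group: the low 12 bits carry the group number."""
    if not 0 <= group <= 0xFFF:
        raise ValueError("HSRP IPv6 group must be 0..4095")
    mac = HSRP_V6_MAC_BASE | group
    return "%04x.%04x.%04x" % (mac >> 32, (mac >> 16) & 0xFFFF, mac & 0xFFFF)


def hsrp_v6_virtual_linklocal(group):
    """Virtual link-local address derived from the virtual MAC: EUI-64 expansion
    (ff:fe inserted in the middle) but, as the slide's host route shows, without
    flipping the universal/local bit, so group 1 is fe80::5:73ff:fea0:1."""
    if not 0 <= group <= 0xFFF:
        raise ValueError("HSRP IPv6 group must be 0..4095")
    mac = HSRP_V6_MAC_BASE | group
    iid = ((mac >> 24) << 40) | (0xFFFE << 24) | (mac & 0xFFFFFF)
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def hsrp_group_from_linklocal(addr):
    """Group number if addr is an HSRP-for-IPv6 virtual link-local, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if iid & ~0xFFF != 0x000573FFFEA00000:
        return None
    return iid & 0xFFF


def classify_ra_sources(ra_sources, group):
    """Split observed RA source addresses on a VLAN into the expected virtual
    gateway for `group` and everything else; the latter are rogue-RA candidates
    (or a router that is sending RAs from its physical link-local instead of the
    HSRP virtual one, which would defeat the failover)."""
    expected = hsrp_v6_virtual_linklocal(group)
    unexpected = [a for a in ra_sources if str(ipaddress.IPv6Address(a)) != expected]
    return expected, unexpected


if __name__ == "__main__":
    # Constructed RA sources seen on a VLAN: the HSRP group 1 gateway and one other node.
    seen = ["fe80::5:73ff:fea0:1", "fe80::211:bcff:fec0:d000"]
    print(hsrp_v6_virtual_mac(1), hsrp_v6_virtual_linklocal(1))
    print(classify_ra_sources(seen, 1))
```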

GLBP for IPv6
- Many similarities with GLBP for IPv4 (CLI, load-balancing)
- Modification to Neighbor Advertisement, Router Advertisement
- The GW is announced via RAs
- Virtual MAC derived from the GLBP group number; the virtual IPv6 link-local address is derived from it
- AVG = Active Virtual Gateway, AVF = Active Virtual Forwarder, SVF = Standby Virtual Forwarder

    interface FastEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     ipv6 cef
     glbp 1 ipv6 autoconfig
     glbp 1 timers msec 250 msec 750
     glbp 1 preempt delay minimum 180
     glbp 1 authentication md5 key-string cisco

IPv6 Multicast Availability
- Multicast Listener Discovery (MLD): equivalent to IGMP
- PIM group modes: Sparse Mode, Bidirectional and Source Specific Multicast
- RP deployment: Static, Embedded; NO Anycast-RP yet
[Figure: source S, DRs, RP; host multicast control via MLD]

Multicast Listener Discovery: MLD
- Multicast host membership control
- MLD is equivalent to IGMP in IPv4
- MLD messages are transported over ICMPv6
- MLD uses link-local source addresses
- MLD packets use the "Router Alert" option in the hop-by-hop extension header (RFC 2711)
- Version number confusion:
  - MLDv1 (RFC 2710) is like IGMPv2 (RFC 2236)
  - MLDv2 (RFC 3810) is like IGMPv3 (RFC 3376)
- MLD snooping on L2 switches

Multicast Deployment Options: With and Without Rendezvous Points (RP)
[Figure: three topologies with source S, DRs and receiver R]
- SSM: no RPs
- ASM, single RP: static definitions ("he is the RP" configured on every DR)
- ASM across a single shared PIM domain, one RP: Embedded-RP (RFC 3956); the receiver's join carries "I want group A from RP B" because the RP address is embedded in the group address

IPv6 QoS: Header Fields
[Figure: IPv6 basic header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address]
- IPv6 Traffic Class: exactly the same as the TOS field in IPv4 (8 bits, carrying DSCP and ECN)
- IPv6 Flow Label (RFC 3697, since replaced by RFC 6437): a new 20-bit field in the IPv6 basic header which:
  - Labels packets belonging to particular flows
  - Can be used for special sender requests
  - Per the RFC, must not be modified by intermediate routers
- Keep an eye out for work being done to leverage the flow label

IPv6 QoS Syntax Changes
- IPv4 syntax has used "ip" following match/set statements. Example: match ip dscp, set ip dscp
- Modification in QoS syntax to support IPv6 and IPv4:
  - New match criteria: match dscp (match DSCP in v4/v6), match precedence (match precedence in v4/v6)
  - New set criteria: set dscp (set DSCP in v4/v6), set precedence (set precedence in v4/v6)
- Additional support for IPv6 does not always require new Command Line Interface (CLI). Example: WRED

Scalability and Performance
- IPv6 Neighbor Cache = ARP for IPv4. In dual-stack networks the first-hop routers/switches will now consume more memory, due to IPv6 neighbor entries (can be multiple per host) on top of the ARP entries
  - ARP entry for a host in the campus distribution layer:
      Internet  10.120.2.200  2  000d.6084.2c7a  ARPA  Vlan2
  - IPv6 neighbor cache entries for the same host (one MAC, three addresses: link-local plus two globals):
      2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1  16  000d.6084.2c7a  STALE  Vl2
      2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC  16  000d.6084.2c7a  STALE  Vl2
      FE80::7DE5:E2B0:D4DF:97EC             4  000d.6084.2c7a  STALE  Vl2
  - The same cache can be filled remotely: a scan of a /64 makes the router create an INCOMPLETE entry per probed address (RFC 6583). Size it, rate-limit ND, and do not put /64s on interfaces that have no hosts
- Full Internet route tables: account for TCAM/memory requirements for both IPv4 and IPv6; not all vendors can properly support both
- Multiple routing protocols: IPv4 and IPv6 will have separate routing protocols; ensure enough CPU/memory is present
- Control plane impact when using tunnels: terminate ISATAP/configured tunnels on hardware platforms when attempting large-scale deployments (hundreds/thousands of tunnels)

All rights reserved. Inc.IPv4 to IPv6 transition and the stages of grief Denial Negotiation Acceptance Anger Depression BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems. Cisco Public 112 .

Infrastructure Deployment
- Start here: Cisco IOS Software Release Specifics for IPv6 Features, http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html

IPv6 Coexistence
[Figure: three coexistence models. Dual Stack IPv6/IPv4 (IPv4: 192.168.99.1, IPv6: 2001:db8:1::1/64) with native IPv6 hosts and networks; Configured Tunnel or MPLS (6PE/6VPE) over MPLS/IPv4 between IPv6 networks; ISATAP tunneling (Intra-Site Automatic Tunnel Addressing Protocol) from hosts across IPv4 to an ISATAP router]

Campus/Data Center
- Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
- ESE Campus Design and Implementation Guides: http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2

Campus IPv6 Deployment: Three Major Options
- Dual-stack: the way to go for obvious reasons: performance, security, QoS, multicast and management. Layer 3 switches should support IPv6 forwarding in hardware
- Hybrid: dual-stack where possible, tunnels for the rest, all leveraging the existing design/gear
  - Pro: leverages existing gear and network design (traditional L2/L3 and Routed Access)
  - Con: tunnels (especially ISATAP) cause unnatural things to be done to the infrastructure (like the Core acting as the Access layer), and ISATAP does not support IPv6 multicast
- IPv6 Service Block: a new network block used for interim connectivity for an IPv6 overlay network
  - Pro: separation, control and flexibility (still supports traditional L2/L3 and Routed Access)
  - Con: cost (more gear), does not fully leverage the existing design, still have to plan for a real dual-stack deployment, and ISATAP does not support IPv6 multicast

Campus IPv6 Deployment Options: Dual-Stack IPv4/IPv6
- #1 requirement: switching/routing platforms must support hardware-based forwarding for IPv6
- IPv6 is transparent on L2 switches, but:
  - L2 multicast: MLD snooping
  - IPv6 management: Telnet/SSH/HTTP/SNMP
  - Intelligent IP services on WLAN
- Expect to run the same IGPs as with IPv4
- Keep feature expectations simple
[Figure: IPv6/IPv4 dual-stack hosts; Access Layer (L2/L3, v6-enabled); Distribution Layer (dual stack); Core Layer (dual stack); Aggregation Layer (DC) and Access Layer (DC), v6-enabled; dual-stack server]

Access Layer: Dual Stack (Layer 2 Access)
- Catalyst 3560/3750: in order to enable IPv6 functionality, the proper SDM template needs to be defined (http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htm#); the template change only takes effect after a reload:
    Switch(config)#sdm prefer dual-ipv4-and-ipv6 default
- If using a traditional Layer-2 access design, the only thing that needs to be enabled on the access switch (management/security discussed later) is MLD snooping:
    Switch(config)#ipv6 mld snooping

Distribution Layer: Dual Stack (Layer 2 Access)

    ipv6 unicast-routing
    ipv6 multicast-routing
    ipv6 cef distributed
    !
    interface GigabitEthernet1/1
     description To 6k-core-right
     ipv6 address 2001:DB8:CAFE:1105::A001:1010/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 0
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
    !
    interface GigabitEthernet1/2
     description To 6k-core-left
     ipv6 address 2001:DB8:CAFE:1106::A001:1010/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 0
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
    !
    interface Vlan2
     description Data VLAN for Access
     ipv6 address 2001:DB8:CAFE:2::A001:1010/64
     ipv6 nd reachable-time 5000
     ipv6 nd router-preference high
     no ipv6 redirects
     ipv6 ospf 1 area 1
    !
    ipv6 router ospf 1
     auto-cost reference-bandwidth 10000
     router-id 10.122.0.25
     log-adjacency-changes
     area 2 range 2001:DB8:CAFE:xxxx::/xx
     timers spf 1 5

- May optionally configure the default router preference: ipv6 nd router-preference {high | medium | low} (12.2(33)SXG)
- RAs are suppressed on the point-to-point links (ipv6 nd suppress-ra) and sent only on the host VLAN

Access Layer: Dual Stack (Routed Access)

    ipv6 unicast-routing
    ipv6 cef
    !
    interface GigabitEthernet1/0/25
     description To 6k-dist-1
     ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 2
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
     ipv6 cef
    !
    interface GigabitEthernet1/0/26
     description To 6k-dist-2
     ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 2
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
     ipv6 cef
    !
    interface Vlan2
     description Data VLAN for Access
     ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
     ipv6 ospf 1 area 2
     ipv6 cef
    !
    ipv6 router ospf 1
     router-id 10.120.2.1
     log-adjacency-changes
     auto-cost reference-bandwidth 10000
     area 2 stub no-summary
     passive-interface Vlan2
     timers spf 1 5

Distribution Layer: Dual Stack (Routed Access)

    ipv6 unicast-routing
    ipv6 multicast-routing
    ipv6 cef distributed
    !
    interface GigabitEthernet3/1
     description To 3750-acc-1
     ipv6 address 2001:DB8:CAFE:1100::A001:1010/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 2
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
     ipv6 cef
    !
    interface GigabitEthernet1/2
     description To 3750-acc-2
     ipv6 address 2001:DB8:CAFE:1103::A001:1010/64
     no ipv6 redirects
     ipv6 nd suppress-ra
     ipv6 ospf network point-to-point
     ipv6 ospf 1 area 2
     ipv6 ospf hello-interval 1
     ipv6 ospf dead-interval 3
     ipv6 cef
    !
    ipv6 router ospf 1
     auto-cost reference-bandwidth 10000
     router-id 10.122.0.25
     log-adjacency-changes
     area 2 stub no-summary
     passive-interface Vlan2
     area 2 range 2001:DB8:CAFE:xxxx::/xx
     timers spf 1 5

Campus IPv6 Deployment Options: Hybrid Model
- Offers IPv6 connectivity via multiple options:
  - Dual-stack
  - Configured tunnels: L3-to-L3
  - ISATAP: host-to-L3
- Leverages the existing network
- Offers a natural progression to a full dual-stack design
- May require tunneling to less-than-optimal layers (i.e. the Core layer)
- ISATAP creates a flat network (all hosts on the same tunnel are peers). Create tunnels per VLAN/subnet to keep the same segregation as the existing design (not clean today). Hosts on one ISATAP link reach each other directly over IPv4 encapsulation, so the IPv6 policy on the ISATAP router never sees that traffic; only an IPv4 filter on protocol 41 between subnets applies
- Provides basic HA of ISATAP tunnels via the old Anycast-RP idea
[Figure: IPv6/IPv4 dual-stack hosts; Access and Distribution Layers not v6-enabled; ISATAP tunnels from the hosts to the v6-enabled Core Layer; dual-stack Aggregation and Access Layers (DC) and a dual-stack server]

Hybrid Model Examples
[Figure: two hybrid layouts, Example #1 and Example #2, differing in which of the Access, Distribution and Core Layers are v6-enabled and where the ISATAP tunnels from the dual-stack hosts terminate; the Aggregation and Access Layers (DC) and the servers are dual-stack in both]

IPv6 ISATAP Implementation: ISATAP Host Considerations
- ISATAP is available on Windows XP, Windows 2003, Vista/Server 2008; a port exists for Linux
- If a Windows host does not detect IPv6 capabilities on the physical interface, an attempt to use ISATAP is started
- Can learn of ISATAP routers via a DNS "A" record lookup for "isatap", or via static configuration
  - If DNS is used, host/subnet mapping to particular tunnels cannot be accomplished, due to the lack of naming flexibility in ISATAP
  - Two or more ISATAP routers can be added to DNS; ISATAP will determine which one to use and fail over to the other upon failure of the first entry
  - If DNS zoning is used within the enterprise, ISATAP entries for different routers can be used in each zone
- In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel
- Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role

Highly Available ISATAP Design Topology
[Figure: PC1 (Red, VLAN 2) and PC2 (Blue, VLAN 3) in the Access Layer, each with a Primary ISATAP Tunnel and a Secondary ISATAP Tunnel through the non-v6-enabled Access and Distribution Layers to the two dual-stack Core switches; v6-enabled Aggregation and Access Layers (DC) and an IPv6 server]
- ISATAP tunnels from the PCs in the Access layer to the Core switches
- Redundant tunnels to the Core or the Service Block
- Use the IGP to prefer one Core switch over the other (both v4 and v6 routes): deterministic
- Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) where the host is terminated (Windows XP/2003)
- Works like Anycast-RP with IP multicast

IPv6 Campus ISATAP Configuration
Redundant Tunnels

ISATAP Primary
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 description Tunnel source for ISATAP-VLAN2
 ip address 10.122.10.102 255.255.255.255
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255

ISATAP Secondary
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 t
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000
!
interface Loopback3
 ip address 10.122.10.103 255.255.255.255
 delay 1000

IPv6 Campus ISATAP Configuration
IPv4 and IPv6 Routing—Options

ISATAP Secondary—Bandwidth adjustment
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000

ISATAP Primary—Longest-match adjustment
interface Loopback2
 ip address 10.122.10.102 255.255.255.255

ISATAP Secondary—Longest-match adjustment
interface Loopback2
 ip address 10.122.10.102 255.255.255.254

IPv4—EIGRP
router eigrp 10
 eigrp router-id 10.122.10.3

IPv6—OSPFv3
ipv6 router ospf 1
 router-id 10.122.10.3

  To influence IPv4 routing to prefer one ISATAP tunnel source over another—alter delay/cost or mask length
  Lower timers (timers spf, hello/hold, dead) to reduce convergence times
  Use recommended summarization and/or use of stubs to reduce routes and convergence times
  Set RID to ensure redundant loopback addresses do not cause duplicate RID issues

Distribution Layer Routes
Primary/Secondary Paths to ISATAP Tunnel Sources
(Diagram: acc-1/acc-2 – dist-1/dist-2 – core-1/core-2 with VLAN 2 10.120.2.0/24 on the access side; Loopback 2—10.122.10.102 on core-1 used as PRIMARY ISATAP tunnel source, Loopback 2—10.122.10.102 on core-2 used as SECONDARY ISATAP tunnel source; preferred route to 10.122.10.102 before failure and on FAILURE)

Before Failure
dist-1#show ip route | b 10.122.10.102
D    10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27

After Failure
dist-1#show ip route | b 10.122.10.102
D    10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28

IPv6 Campus ISATAP Configuration
ISATAP Client Configuration

interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255

Windows XP/Vista Host
C:\>netsh int ipv6 isatap set router 10.122.10.103
Ok.

Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
   IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2
   Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2

(Diagram: both core switches carry int tu3 / int lo3 10.122.10.103; the new tunnel comes up when failure occurs)
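As an added example (not code from the deck or from Cisco), the Python below derives the ISATAP addresses shown on this slide from the host's IPv4 address and the router's /64, recovers the IPv4 tunnel source embedded in an address, and audits a host against the static VLAN-to-router mapping the design depends on. The u-bit rule for globally unique IPv4 addresses follows RFC 5214; the sample host, prefix and router values are constructed from the slide.

```python
"""ISATAP address helpers: an added example, not code from the deck or from
Cisco.  RFC 5214 builds the 64-bit interface identifier from the fixed tag
0000:5EFE (IANA OUI 00-00-5E followed by 0xFE) and the host's IPv4 address;
the "u" bit (0x0200 in the first hextet) is set when that IPv4 address is
globally unique, which is why the RFC 1918 hosts on the slide show 0:5efe
while public hosts show 200:5efe."""
import ipaddress
from typing import List, Optional

ISATAP_TAG = 0x5EFE
U_BIT = 0x0200


def isatap_iid(ipv4: str) -> int:
    """64-bit ISATAP interface identifier for an IPv4 tunnel endpoint."""
    v4 = ipaddress.IPv4Address(ipv4)
    first_hextet = U_BIT if v4.is_global else 0
    return (first_hextet << 48) | (ISATAP_TAG << 32) | int(v4)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine the /64 advertised by the ISATAP router with the host's IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefixes must be /64, got %s" % prefix)
    return ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4))


def link_local(ipv4: str) -> ipaddress.IPv6Address:
    """fe80::[200:]5efe:w.x.y.z, the address ISATAP uses on the tunnel link."""
    return isatap_address("fe80::/64", ipv4)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 endpoint from an ISATAP address, ignoring the u bit
    and any scope id ("%2"); None when the address carries no 5EFE tag."""
    v6 = ipaddress.IPv6Address(addr.split("%", 1)[0])
    iid = int(v6) & 0xFFFF_FFFF_FFFF_FFFF
    if ((iid >> 32) & 0xFDFF_FFFF) != ISATAP_TAG:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFF_FFFF)


def check_isatap_client(host_ipv4: str, addresses: List[str], gateway: str,
                        expected_prefix: str, expected_router: str) -> List[str]:
    """Audit one host against the deck's design: its global address must be
    derived from the VLAN's /64 and its own IPv4, and its default gateway
    must embed the loopback of the ISATAP router assigned to that VLAN.
    Returns a list of findings; an empty list means the host is on the
    intended tunnel."""
    findings = []
    want = isatap_address(expected_prefix, host_ipv4)
    present = {ipaddress.IPv6Address(a.split("%", 1)[0]) for a in addresses}
    if want not in present:
        findings.append("expected ISATAP address %s not configured" % want)
    router = embedded_ipv4(gateway)
    if router is None:
        findings.append("default gateway %s is not an ISATAP address" % gateway)
    elif str(router) != expected_router:
        findings.append("gateway uses ISATAP router %s, design says %s"
                        % (router, expected_router))
    return findings


# Constructed sample mirroring the slide: a VLAN 3 host served by Loopback3.
VLAN3_HOST = "10.120.3.101"
VLAN3_ADDRESSES = ["2001:db8:cafe:3:0:5efe:10.120.3.101",
                   "fe80::5efe:10.120.3.101%2"]
VLAN3_GATEWAY = "fe80::5efe:10.122.10.103%2"

if __name__ == "__main__":
    print(isatap_address("2001:DB8:CAFE:3::/64", VLAN3_HOST))
    print(check_isatap_client(VLAN3_HOST, VLAN3_ADDRESSES, VLAN3_GATEWAY,
                              "2001:DB8:CAFE:3::/64", "10.122.10.103"))
    # The same host pointed at the VLAN 2 tunnel source by mistake:
    print(check_isatap_client(VLAN3_HOST, VLAN3_ADDRESSES,
                              "fe80::5efe:10.122.10.102%2",
                              "2001:DB8:CAFE:3::/64", "10.122.10.103"))
```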

IPv6 Configured Tunnels
Think GRE or IP-in-IP Tunnels
  Encapsulating IPv6 into IPv4
  Used to traverse IPv4 only devices/links/networks
  Treat them just like standard IP links (only insure solid IPv4 routing/HA between tunnel interfaces)
  Provides for same routing, QoS, Multicast as with Dual-stack
  In HW, performance should be similar to standard tunnels
(Diagram: Access – Distribution – Core – Aggregation, with the tunnel running between Core and Aggregation)

interface Tunnel0
 ipv6 cef
 ipv6 address 2001:DB8:CAFE:13::1/127
 ipv6 ospf 1 area 0
 tunnel source Loopback3
 tunnel destination 172.16.2.1
 tunnel mode ipv6ip
!
interface Loopback3
 ip address 172.16.1.1 255.255.255.252

interface GigabitEthernet1/1
 ipv6 address 2001:DB8:CAFE:13::4/127
 ipv6 ospf 1 area 0
 ipv6 cef

Campus Hybrid Model 1
QoS
1.  QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress
2.  Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point. The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These policies may include trust (ingress), policing (ingress) and queuing (egress).
(Diagram: Access Block with IPv6/IPv4 Dual-stack Hosts – Access Layer – Distribution Layer – Core Layer (points 1 and 2) – Aggregation Layer (DC) – Access Layer (DC) – IPv6/IPv4 Dual-stack Server in the Data Center Block; IPv6 and IPv4 Enabled)

Campus Hybrid Model 1
QoS Configuration Sample—Core Layer

mls qos
!
class-map match-all CAMPUS-BULK-DATA
 match access-group name BULK-APPS
class-map match-all CAMPUS-TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-APPS
!
policy-map IPv6-ISATAP-MARK
 class CAMPUS-BULK-DATA
  set dscp af11
 class CAMPUS-TRANSACTIONAL-DATA
  set dscp af21
 class class-default
  set dscp default
!
ipv6 access-list BULK-APPS
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ipv6 access-list TRANSACTIONAL-APPS
 permit tcp any any eq telnet
 permit tcp any any eq 22
!
interface GigabitEthernet2/1
 description to 6k-agg-1
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/2
 description to 6k-agg-2
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/3
 description to 6k-core-1
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK

Campus IPv6 Deployment Options
IPv6 Service Block – An Interim Approach
  Provides ability to rapidly deploy IPv6 services without touching existing network
  Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
  Offers the same advantages as Hybrid Model without the alteration to existing code/configurations
  Configurations are very similar to the Hybrid Model
–  ISATAP tunnels from PCs in Access layer to Service Block switches (instead of core layer – Hybrid)
  1) Leverage existing ISP block for both IPv4 and IPv6 access
  2) Use dedicated ISP connection just for IPv6 – Can use IOS FW or PIX/ASA appliance
(Diagram: VLAN 2 and VLAN 3 in the IPv4-only Campus Block (Access Layer, Dist. Layer, Core Layer); Primary ISATAP Tunnel and Secondary ISATAP Tunnel to the IPv6 Service Block; Data Center Block (Agg Layer, Access Layer); WAN/ISP Block with IOS FW and a Layer 2 Dedicated FW to the Internet)

Campus Service Block QoS
From Access Layer
1.  Same policy design as Hybrid Model—The first place to implement classification and marking from the access layer is after decapsulation (ISATAP) which is on the egress interfaces on the Service Block switches
2.  IPv6 packets received from ISATAP interfaces will have egress policies (classification/marking) applied on the configured tunnel interfaces
3.  Aggregation/Access switches can apply egress/ingress policies (trust, policing, queuing) to IPv6 packets headed for DC services
(Diagram: Access Block with IPv6/IPv4 Dual-stack Hosts – Access Layer – Distribution Layer – Core Layer; ISATAP Tunnels to the Service Block (point 1), Configured Tunnels from the Service Block (point 2) to the Data Center Block Core Layer – Aggregation Layer (DC) – Access Layer (DC) (point 3) – IPv6/IPv4 Dual-stack Server; IPv6 and IPv4 Enabled; Traffic Flow arrows)

ISATAP Scalability Testing Result
  CPU and memory utilization during scale of ISATAP tunnels

  # of Tunnels   1 min. CPU % Before   1 min. CPU % After   Free Memory
  100 tunnel     2                     2                    845246288
  200 tunnel     2                     2                    839256168
  500 tunnel     2                     4                    8278904

  Traffic convergence for each tunnel

  # of Tunnel   Convergence for upstream (ms)   Avg. Client   Convergence for downstream (ms)   Avg. Server   Convergence for Recovery (ms)
                Client to Server                to Server     Server to Client                  to Client     upstream   downstream
  100 tunnel    208~369                         350           353~532                           443           0          0~33
  500 tunnel    365~780                         603           389~1261                          828           0          11~43

IPv6 Data Center Integration
  The single most overlooked and, potentially, complicated area for IPv6 deployment
  Front-end design will be similar to Campus based on feature, platform and connectivity similarities
  IPv6 for SAN is supported in SAN-OS 3.0
  Major issue in DC with IPv6 today—NIC Teaming (missing in some NIC/Server vendor implementations)
  Watch status of IPv6 support from App, Grid, DB vendors, DC management
–  Get granular—e.g. iLO
–  Impact on clusters—Microsoft Server 2008 failover clusters fully support IPv6 (and L3)
  Your favorite appliance/module may not be ready today
(Diagram: Campus Core – Data Center Core – Aggregation – Access – Servers; Access – Core – Storage)

Cisco IPv6 Storage Networking
SAN-OS 3.x
Core (Host Implementation)
  IPv6 (RFC 2460)
  ICMPv6 (RFC 2463)
  Neighbor Discovery (RFC 2461)
  Stateless Auto-configuration
  VRRP for IPv6 for application redundancy (IETF Draft)
Applications and Mgmt
  Telnet, SSH, FTP, TFTP, SCP, NTP, HTTP, Ping, Traceroute, DNS Resolver, ISNS
  Cisco IP, IP-Forwarding and VRRP MIBs
  SNMP over IPv6
Security
  IPv6 Access Control lists
  IPv6 IPsec (3.2)
SAN Applications
  IP Storage—iSCSI, and FCIP
  Zone Server, FC Name Server
  IPv6 over FC
  Other modules—eg. fctunnel etc.
(MDS 9500 Family)

iSCSI/VRRP for IPv6
Initiator Configured to See Targets at Virtual Address
(Diagram: Initiator with NIC Teaming 2001:db8:cafe:10::14 – IPv6 Network – MDS-1 (Real GigE Address IPv6: 2001:db8:cafe:12::5) and MDS-2 (Real GigE Address IPv6: 2001:db8:cafe:12::6) sharing iSCSI Virtual Address IPv6: 2001:db8:cafe:12::5 – FC SAN – Storage Array pWWN a)
  Same configuration requirements and operation as with IPv4
  Can use automatic preemption—configure VR address to be the same as physical interface of “primary”
  Host-side HA uses NIC teaming (see slides for NIC teaming)
  SAN-OS 3.2 will support iSCSI with IPsec

iSCSI IPv6 Example—MDS Initiator/Target

iscsi virtual-target name iscsi-atto-target
  pWWN 21:00:00:10:86:10:46:9c
  initiator iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com permit
iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
  static pWWN 24:01:00:0d:ec:24:7c:42
  vsan 1
zone default-zone permit vsan 1
zone name iscsi-zone vsan 1
  member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
  member pwwn 21:00:00:10:86:10:46:9c
  member pwwn 24:01:00:0d:ec:24:7c:42
  member symbolic-nodename iscsi-atto-target
zone name Generic vsan 1
  member pwwn 21:00:00:10:86:10:46:9c
zoneset name iscsi_zoneset vsan 1
  member iscsi-zone
zoneset name Generic vsan 1
  member Generic

Inc. Cisco Public 140 . All rights reserved.iSCSI/VRRP IPv6 Example—MDS Interface MDS-1 interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::5/64 no shutdown vrrp ipv6 1 address 2001:db8:cafe:12::5 no shutdown mds-1# show vrrp ipv6 vr 1 Interface VR IpVersion Pri Time Pre State VR IP addr -----------------------------------------------------------------GigE2/1 1 IPv6 255 100cs master 2001:db8:cafe:12::5 MDS-2 interface GigabitEthernet2/1 ipv6 address 2001:db8:cafe:12::6/64 no shutdown vrrp ipv6 1 address 2001:db8:cafe:12::5 no shutdown mds-2# show vrrp ipv6 vr 1 Interface VR IpVersion Pri Time Pre State VR IP addr -----------------------------------------------------------------GigE2/1 1 IPv6 100 100cs backup 2001:db8:cafe:12::5 BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems.

iSCSI Initiator Example—W2K8 IPv6

1  iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com

2  interface GigabitEthernet2/1
     ipv6 address 2001:db8:cafe:12::5/64

3  mds9216-1# show fcns database vsan 1
   VSAN 1:
   --------------------------------------------------------------------
   FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
   --------------------------------------------------------------------
   0x670400  N     21:00:00:10:86:10:46:9c            scsi-fcp:target
   0x670405  N     24:01:00:0d:ec:24:7c:42  (Cisco)   scsi-fcp:init isc..w

SAN-OS 3.x—FCIP(v6)
(Diagram: Central Site FC switches – IPv6 Network – Remote Sites FC switches)

Central Site
fcip profile 100
  ip address 2001:db8:cafe:50::1
  tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
  use-profile 100
  peer-info ipaddr 2001:db8:cafe:50::2
!
interface GigabitEthernet2/2
  ipv6 address 2001:db8:cafe:50::1/64

Remote Site
fcip profile 100
  ip address 2001:db8:cafe:50::2
  tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
  use-profile 100
  peer-info ipaddr 2001:db8:cafe:50::1
!
interface GigabitEthernet2/2
  ipv6 address 2001:db8:cafe:50::2/64

Life Address ---------. Inc.----------------------------6d23h58m41 2001:db8:cafe:10:20d:9dff:fe93:b25d Static configuration netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7 Ok.----------------------------infinite 2001:db8:cafe:10::7 6d23h59m21s 2001:db8:cafe:10:20d:9dff:fe93:b25d Note: Same Issue Applies to Linux BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems. netsh interface ipv6>sh add Querying active state.Data Center NIC Teaming Issue What Happens if IPv6 is Unsupported? Auto-configuration Addr Type --------Public DAD State Preferred Valid Life 29d23h58m41s Pref.-----------..-----------. Interface 10: Local Area Connection Addr Type --------Manual Public DAD State Duplicate Preferred Valid Life infinite 29d23h59m21s Pref.-----------. Life Address Interface 10: Local Area Connection #VIRTUAL TEAM INTERFACE ---------. Cisco Public 143 .-----------.. All rights reserved.

Intel ANS NIC Teaming for IPv6
  Intel IPv6 NIC Q&A—Product support
  http://www.intel.com/support/network/sb/cs-009090.htm
  Intel now supports IPv6 with Express, ALB, and AFT deployments
  Intel statement of support for RLB—“Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections.”

Interim Hack for Unsupported NICs
  Main issue for NICs with no IPv6 teaming support is DAD—Causes duplicate checks on Team and Physical even though the physical is not used for addressing
  Set DAD on Team interface to “0”—Understand what you are doing
–  Microsoft Vista/Server 2008 allows for a command line change to reduce the “DAD transmits” value from 1 to 0
   netsh interface ipv6 set interface 19 dadtransmits=0
–  Microsoft Windows 2003—Value is changed via a creation in the registry
   \\HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\(InterfaceGUID)\DupAddrDetectTransmits – Value “0”
–  Linux
   # sysctl -w net/ipv6/conf/bond0/dad_transmits=0
   net.ipv6.conf.eth0.dad_transmits = 0

Intel NIC Teaming—IPv6 (Pre Team)

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . :
   Autoconfiguration IP Address. . . : 169.254.25.192
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11

Ethernet adapter LAN:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.89.4.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12

Intel NIC Teaming—IPv6 (Post Team)

Ethernet adapter TEAM-1:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.89.4.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13

Interface 13: TEAM-1
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  -----------------------------
Public     Preferred  4m11s       4m11s       2001:db8:cafe:1::2
Link       Preferred  infinite    infinite    fe80::204:23ff:fec7:b0d6

Data Center—IPv6 on FWSM
Transparent Firewall Mode—Example
FWSM Version 3.1(3) <context>
!
firewall transparent
hostname WEBAPP
!
interface inside
 nameif inside
 bridge-group 1
 security-level 100
!
interface outside
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 10.121.10.254 255.255.255.0
!
access-list BRIDGE_TRAFFIC ethertype permit bpdu
access-list BRIDGE_TRAFFIC ethertype permit 86dd
!
access-group BRIDGE_TRAFFIC in interface inside
access-group BRIDGE_TRAFFIC in interface outside

Permit ethertype 0x86dd (IPv6 ethertype)

  Today, IPv6 inspection is supported in the routed firewall mode.
  Transparent mode can allow IPv6 traffic to be bridged (no inspection)

Data Center—IPv6 on FWSM
Routed Firewall Mode—Example
FWSM Version 3.1(3) <context>
!
hostname WEBAPP
!
interface inside
 nameif inside
 security-level 100
 ipv6 address 2001:db8:cafe:10::f00d:1/64
!
interface outside
 nameif outside
 security-level 0
 ipv6 address 2001:db8:cafe:101::f00d:1/64
!
! GW to MSFC outside VLAN intf.
ipv6 route outside ::/0 2001:db8:cafe:101::1
!
ipv6 access-list IPv6_1 permit icmp6 any 2001:db8:cafe:10::/64
ipv6 access-list IPv6_1 permit tcp 2001:db8:cafe:2::/64 host 2001:db8:cafe:10::7 eq www
access-group IPv6_1 in interface outside

Legacy Services (IPv4 Only)
(Diagram: IPv6-Enabled Network with an IPv6 Server; an IPv6-only Host on an IPv6-Only Segment reaches a Legacy IPv4 Server on an IPv4-Only Segment through NAT-PT)

  There will be many in-house developed applications that will never support IPv6—Move them to a legacy VLAN or server farm
  NAT-PT (Network Address Translation–Protocol Translation) as an option to front-end IPv4-only Server—Note: NAT-PT has been moved to experimental
  Place NAT-PT box as close to IPv4 only server as possible
  Be VERY aware of performance and manageability issues

Still TCP…
( WAN/Branch )

Deploying IPv6 in Branch Networks:

http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

ESE WAN/Branch Design and Implementation Guides:

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1 http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10

WAN/Branch Deployment
  Cisco routers have supported IPv6 for a long time
  Dual-stack should be the focus of your implementation…but, some situations still call for tunneling
  Support for every media/WAN type you want to use (Frame Relay, leased-line, MPLS, broadband, etc…)
  Don’t assume all features for every technology are IPv6 enabled
  Better feature support in WAN/Branch than in Campus/DC
(Diagram: Corporate Network – SP Cloud – branch sites, Dual Stack throughout)

IPv6 Enabled Branch
Take Your Pick—Mix-and-Match
(Diagram: three branch profiles, each connected to HQ)
Branch Single Tier: HQ – Internet – branch; Dual-Stack IPSec VPN (IPv4/IPv6), IOS Firewall (IPv4/IPv6), Integrated Switch (MLD-snooping)
Branch Dual Tier: HQ – Internet / Frame – branch; Dual-Stack IPSec VPN or Frame Relay, IOS Firewall (IPv4/IPv6), Switches (MLD-snooping)
Branch Multi-Tier: HQ – MPLS – branch; Dual-Stack IPSec VPN or MPLS (6PE/6VPE), Firewall (IPv4/IPv6), Switches (MLD-snooping)

DMVPN with IPv6—12.4(20)T Feature
Example Tunnel Configuration
Spoke Router
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:1261::2/64
 ipv6 enable
 ipv6 mtu 1400
 ipv6 eigrp 1
 ipv6 nhrp authentication ESE
 ipv6 nhrp map multicast 172.17.1.3
 ipv6 nhrp map 2001:DB8:CAFE:1261::1/128 172.17.1.3
 ipv6 nhrp network-id 100000
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:1261::1
 ipv6 nhrp cache non-authoritative
 tunnel source 172.16.1.2
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SPOKE

Hub Router
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:1261::1/64
 ipv6 enable
 ipv6 mtu 1400
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 ipv6 hold-time eigrp 1 35
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp authentication ESE
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100000
 ipv6 nhrp holdtime 600
 ipv6 nhrp cache non-authoritative
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile HUB

(Diagram: Spoke – Internet – Hub)

Single-Tier Profile
  Totally integrated solution
–  Branch router and integrated EtherSwitch module
–  IOS FW and VPN for IPv6 and IPv4
  When SP does not offer IPv6 services, use IPv4 IPSec VPNs for manually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6
  When SP does offer IPv6 services, use IPv6 IPSec VPNs (Latest AIM/VAM supports IPv6 IPSec)

(Diagram: Single-Tier branch with a Dual-Stack Host (IPv4/IPv6) connected to Headquarters over a T1 and over ADSL/Internet. Legend: IPv4, IPv6, Primary DMVPN Tunnel (IPv4), Secondary DMVPN Tunnel (IPv4), Primary IPSec-protected configured tunnel (IPv6-in-IPv4), Secondary IPSec-protected configured tunnel (IPv6-in-IPv4))

Single-Tier Profile
LAN Configuration
Router
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef
!
ipv6 dhcp pool DATA_VISTA
 dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D
 domain-name cisco.com
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64
 ! Obtain "other" info
 ipv6 nd other-config-flag
 ! Enable DHCP
 ipv6 dhcp server DATA_VISTA

EtherSwitch Module
ipv6 mld snooping
!
interface Vlan100
 description VLAN100 for PCs and Switch management
 ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64

Single-Tier Profile
IPSec Configuration—1

crypto isakmp policy 1
 encr 3des
 authentication pre-share
! Peer at HQ (Primary)
crypto isakmp key CISCO address 172.17.1.3
! Peer at HQ (Secondary)
crypto isakmp key SYSTEMS address 172.17.1.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set HE1 esp-3des esp-sha-hmac
crypto ipsec transform-set HE2 esp-3des esp-sha-hmac
!
crypto map IPv6-HE1 local-address Serial0/0/0
crypto map IPv6-HE1 1 ipsec-isakmp
 set peer 172.17.1.3
 set transform-set HE1
 match address VPN-TO-HE1
!
crypto map IPv6-HE2 local-address Loopback0
crypto map IPv6-HE2 1 ipsec-isakmp
 set peer 172.17.1.4
 set transform-set HE2
 match address VPN-TO-HE2

(Diagram: Branch – Internet (Primary and Secondary paths) – Headquarters)

Single-Tier Profile
IPSec Configuration—2

interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 172.17.1.3
 tunnel mode ipv6ip
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Loopback0
 tunnel destination 172.17.1.4
 tunnel mode ipv6ip
!
interface Serial0/0/0
 description to T1 Link Provider (PRIMARY)
 crypto map IPv6-HE1
!
interface Dialer1
 description PPPoE to BB provider
 crypto map IPv6-HE2
!
ip access-list extended VPN-TO-HE1
 permit 41 host 172.16.1.2 host 172.17.1.3
ip access-list extended VPN-TO-HE2
 permit 41 host 10.124.100.1 host 172.17.1.4

  Adjust delay to prefer Tunnel3
  Adjust MTU to avoid fragmentation on router (PMTUD on client will not account for IPSec/Tunnel overhead)
  Permit “41” (IPv6) instead of “gre”

Single-Tier Profile
Routing

Router
ipv6 unicast-routing
ipv6 cef
!
key chain ESE
 key 1
  key-string 7 111B180B101719
!
interface Loopback0
 ipv6 eigrp 1
!
interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 eigrp 1
 ipv6 hold-time eigrp 1 35
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 eigrp 1
 ipv6 hold-time eigrp 1 35
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 ipv6 eigrp 1
!
ipv6 router eigrp 1
 router-id 10.124.100.1
 stub connected summary
 no shutdown
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.200
 passive-interface GigabitEthernet1/0.300
 passive-interface Loopback0

EtherSwitch Module
ipv6 route ::/0 Vlan100 FE80::217:94FF:FE90:2829

Single-Tier Profile
Security—1

! Inspection profile for TCP, ICMP, FTP and UDP
ipv6 inspect name v6FW tcp
ipv6 inspect name v6FW icmp
ipv6 inspect name v6FW ftp
ipv6 inspect name v6FW udp
!
interface Tunnel3
 ! ACL used by IOS FW for dynamic entries
 ipv6 traffic-filter INET-WAN-v6 in
 no ipv6 redirects
 no ipv6 unreachables
 ! Apply firewall inspection for egress traffic
 ipv6 inspect v6FW out
 ! Used by firewall to create dynamic ACLs and protect against various fragmentation attacks
 ipv6 virtual-reassembly
!
interface GigabitEthernet1/0.100
 ! Apply LAN ACL (next slide)
 ipv6 traffic-filter DATA_LAN-v6 in
!
line vty 0 4
 ! ACL used to restrict management access
 ipv6 access-class MGMT-IN in

Single-Tier Profile
Security—2 (Sample Only)

ipv6 access-list MGMT-IN
 remark permit mgmt only to loopback
 permit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001
 deny ipv6 any any log-input
!
ipv6 access-list DATA_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit icmp 2001:DB8:CAFE:1100::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit ipv6 2001:DB8:CAFE:1100::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
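As an added example (not code from the deck or from Cisco), the Python below evaluates the DATA_LAN-v6 filter above against constructed sample packets, modelling the ND permits that IOS appends to every IPv6 ACL, to show what the explicit deny ipv6 any any entry catches besides off-prefix traffic: a DAD probe from the unspecified source :: is dropped, so the router never answers a probe for one of its own addresses unless ND is re-permitted ahead of the deny.

```python
"""Offline evaluator for the IOS IPv6 ACL syntax on these slides (added
example, not code from the deck or from Cisco).  Entries look like
  {permit|deny} {icmp|tcp|udp|ipv6|<proto#>} SRC [eq PORT] DST [eq PORT] [nd-ns|nd-na] [log|log-input]
with SRC/DST = any | host ADDR | PREFIX/LEN.  IOS appends 'permit icmp any
any nd-na', 'permit icmp any any nd-ns' and 'deny ipv6 any any' to every
IPv6 ACL; an explicit 'deny ipv6 any any' placed earlier shadows the ND permits."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"icmp": 58, "tcp": 6, "udp": 17}
ICMP_TYPE = {"nd-ns": 135, "nd-na": 136}
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]
ANY = ipaddress.IPv6Network("::/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: int                  # IPv6 next header: 58 ICMPv6, 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0

@dataclass
class Rule:
    action: str
    proto: Optional[int]        # None = 'ipv6', matches any protocol
    src: ipaddress.IPv6Network
    sport: Optional[int]
    dst: ipaddress.IPv6Network
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool
    text: str

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ipaddress.IPv6Address(p.src) in self.src
                and ipaddress.IPv6Address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

def _address(tokens: List[str]) -> Tuple[ipaddress.IPv6Network, Optional[int]]:
    """Consume 'any' | 'host ADDR' | 'PREFIX/LEN' plus an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ANY
    else:
        net = ipaddress.IPv6Network(tokens.pop(0) + "/128" if tok == "host" else tok,
                                    strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        port = int(tokens[1])           # numeric ports only, as on the slide
        del tokens[:2]
    return net, port

def parse_rule(line: str) -> Optional[Rule]:
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    proto_num = None if proto == "ipv6" else PROTO_NUM.get(proto) or int(proto)
    src, sport = _address(rest)
    dst, dport = _address(rest)
    icmp_type = next((ICMP_TYPE[t] for t in rest if t in ICMP_TYPE), None)
    log = any(t in ("log", "log-input") for t in rest)
    return Rule(action, proto_num, src, sport, dst, dport, icmp_type, log, line.strip())

def parse_acl(text: str) -> List[Rule]:
    lines = text.strip().splitlines() + IMPLICIT_TAIL
    return [r for r in map(parse_rule, lines) if r is not None]

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """First match wins: returns (action, matching entry, whether it logs)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.text, r.log
    raise RuntimeError("unreachable: the implicit deny matches everything")

# DATA_LAN-v6 as on the slide (remarks dropped) ...
DATA_LAN_V6 = """
permit icmp 2001:DB8:CAFE:1100::/64 any
permit ipv6 2001:DB8:CAFE:1100::/64 any
permit icmp FE80::/10 any
permit udp any eq 546 any eq 547
deny ipv6 any any log-input
"""
# ... and with ND re-permitted ahead of the explicit deny, so DAD probes
# (ICMPv6 type 135 sent from the unspecified source ::) still reach the router.
DATA_LAN_V6_ND = DATA_LAN_V6.replace(
    "deny ipv6", "permit icmp any any nd-ns\npermit icmp any any nd-na\ndeny ipv6")

# Constructed sample packets arriving on the DATA VLAN's inbound filter.
LAN_HOST = Packet("2001:db8:cafe:1100::10", "2001:db8:cafe:10::7", 6, 50000, 80)
DHCP_SOLICIT = Packet("fe80::20d:9dff:fe93:b25d", "ff02::1:2", 17, 546, 547)
DAD_PROBE = Packet("::", "ff02::1:ff00:7", 58, icmp_type=135)
OFF_PREFIX = Packet("2001:db8:cafe:2200::5", "2001:db8:cafe:1000::bad1:a001", 6, 40000, 22)
```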

Single-Tier Profile
Security—3 (Sample Only)

ipv6 access-list INET-WAN-v6
 remark PERMIT EIGRP for IPv6
 permit 88 any any
 remark PERMIT PIM for IPv6
 permit 103 any any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT SSH TO LOCAL LOOPBACK
 permit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22
 remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACK, VPN tunnels, VLANs
 permit icmp any host 2001:DB8:CAFE:1000::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001
 permit icmp any 2001:DB8:CAFE:1100::/64
 permit icmp any 2001:DB8:CAFE:1200::/64
 permit icmp any 2001:DB8:CAFE:1300::/64
 remark PERMIT ALL IPv6 PACKETS TO VLANs
 permit ipv6 any 2001:DB8:CAFE:1100::/64
 permit ipv6 any 2001:DB8:CAFE:1200::/64
 permit ipv6 any 2001:DB8:CAFE:1300::/64
 deny ipv6 any any log

Single-Tier Profile
QoS

class-map match-any BRANCH-TRANSACTIONAL-DATA
 match protocol citrix
 match protocol ldap
 match protocol sqlnet
 match protocol http url "*cisco.com"
 match access-group name BRANCH-TRANSACTIONAL-V6
!
policy-map BRANCH-WAN-EDGE
 class TRANSACTIONAL-DATA
  bandwidth percent 12
  random-detect dscp-based
!
policy-map BRANCH-LAN-EDGE-IN
 class BRANCH-TRANSACTIONAL-DATA
  set dscp af21
!
ipv6 access-list BRANCH-TRANSACTIONAL-V6
 remark Microsoft RDP traffic-mark dscp af21
 permit tcp any any eq 3389
 permit udp any any eq 3389
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 service-policy input BRANCH-LAN-EDGE-IN
!
interface Serial0/0/0
 description to T1 Link Provider
 max-reserved-bandwidth 100
 service-policy output BRANCH-WAN-EDGE

  Some features of QoS do not yet support IPv6
  NBAR is used for IPv4, but ACLs must be used for IPv6 (until NBAR supports IPv6)
  Match/Set v4/v6 packets in same policy

Dual-Tier Profile
  Redundant set of branch routers—Separate branch switch (multiple switches can use StackWise technology)
  Each branch router uses a single frame-relay connection
  All dual-stack (branch LAN and WAN)—no tunnels needed
(Diagram: Dual-Tier branch with a Dual-Stack Host (IPv4/IPv6) and two routers connected to Headquarters over Frame Relay; legend: IPv4, IPv6)

Dual-Tier Profile
Configuration

Branch Router 1
interface Serial0/1/0.17 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1262::BAD1:1010/64
 ipv6 eigrp 1
 ipv6 hold-time eigrp 1 35
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
 frame-relay interface-dlci 17
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_VISTA
 ipv6 eigrp 1
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 priority 120
 standby 201 preempt delay minimum 30
 standby 201 authentication ese
 standby 201 track Serial0/1/0.17 90

Branch Router 2
interface Serial0/2/0.18 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1272::BAD1:1020/64
 ipv6 eigrp 1
 ipv6 hold-time eigrp 1 35
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 ESE
 frame-relay interface-dlci 18
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 eigrp 1
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 preempt
 standby 201 authentication ese

Multi-Tier Profile

• All branch elements are redundant and separate
    WAN Tier—WAN connections—Can be anything (Frame/IPSec)—MPLS shown here
    Firewall Tier—Redundant ASA Firewalls
    Access Tier—Internal services routers (like a campus distribution layer)
    LAN Tier—Access switches (like a campus access layer)
• Dual-stack is used on every tier—If SP provides IPv6 services via MPLS. If not, tunnels can be used from WAN tier to HQ site

Figure: Branch (WAN Tier, Firewall Tier, Access Tier, LAN Tier) connected over MPLS to Headquarters; Dual-Stack Host (IPv4/IPv6). Legend: IPv4, IPv6.

IPv6 IPSec Example: IKE/IPSec Policies

Figure: Router1 (2001:DB8:CAFE:999::1) and Router2 (2001:DB8:CAFE:999::2) joined across an IPv6 Network, each with an IPv6 Network behind it.

Router1

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CISCOKEY address ipv6 2001:DB8:CAFE:999::2/128
crypto isakmp keepalive 10 2
!
crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac
!
crypto ipsec profile v6PRO
 set transform-set v6STRONG

Router2

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CISCOKEY address ipv6 2001:DB8:CAFE:999::1/128
crypto isakmp keepalive 10 2
!
crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac
!
crypto ipsec profile v6PRO
 set transform-set v6STRONG

IPv6 IPSec Example: Tunnels

Figure: Router1 (2001:DB8:CAFE:999::1) and Router2 (2001:DB8:CAFE:999::2) joined across an IPv6 Network, each with an IPv6 Network behind it.

Router1

interface Tunnel0
 ipv6 address 2001:DB8:CAFE:F00D::1/127
 ipv6 eigrp 1
 ipv6 mtu 1400
 tunnel source Serial2/0
 tunnel destination 2001:DB8:CAFE:999::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile v6PRO
!
interface Ethernet0/0
 ipv6 address 2001:DB8:CAFE:100::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ipv6 address 2001:DB8:CAFE:999::1/127

Router2

interface Tunnel0
 ipv6 address 2001:DB8:CAFE:F00D::2/127
 ipv6 eigrp 1
 ipv6 mtu 1400
 tunnel source Serial2/0
 tunnel destination 2001:DB8:CAFE:999::1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile v6PRO
!
interface Ethernet0/0
 ipv6 address 2001:DB8:CAFE:200::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ipv6 address 2001:DB8:CAFE:999::2/127

IPv6 IPSec Example: Show Output

Figure: Router1 (2001:DB8:CAFE:999::1) and Router2 (2001:DB8:CAFE:999::2) joined across an IPv6 Network.

Router1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type   Algorithm  Encrypt  Decrypt IP-Address
    3 Tu0        ipsec  3DES+SHA         0       17 2001:DB8:CAFE:999::1
    4 Tu0        ipsec  3DES+SHA        16        0 2001:DB8:CAFE:999::1
 1006 Tu0        IKE    SHA+DES          0        0 2001:DB8:CAFE:999::1

Router1#show crypto sessions
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2001:DB8:CAFE:999::2 port 500
  IKE SA: local 2001:DB8:CAFE:999::1/500 remote 2001:DB8:CAFE:999::2/500 Active
  IPSEC FLOW: permit 41 ::/0 ::/0
        Active SAs: 2, origin: crypto map

Remote Access

Cisco IPv6 Security

• IPv6 IPSec Tunnels
    •  IOS 12.4(4)T IPv6 HW Encryption
        •  7200 VAM2+ SPA
        •  ISR AIM
• IPv6 Firewall
    IOS Firewall 12.3T, 12.4T
    FWSM 3.x
    PIX 7.x +, including ASA 5500 series
• All IOS—packet filtering e-ACL
• IPv6 over DMVPN
• IOS 12.4(9)T—RFC 4552—OSPFv3 Authentication
• Client-based IPsec VPN
    Cisco VPN Client 4.x
    IPv4 IPSec Termination (PIX/ASA/IOS VPN/Concentrator)
    IPv6 Tunnel Termination (IOS ISATAP or Configured Tunnels)
• Client-based SSL
    AnyConnect Client 2.x
    SSL/TLS or DTLS (datagram TLS = TLS over UDP)
    Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.

Figure: remote clients reach the enterprise edge across the Internet.

AnyConnect 2.x—SSL VPN

Figure: Dual-Stack Host running the AnyConnect Client, SSL tunnel to the Cisco ASA.

asa-edge-1#show vpn-sessiondb svc

Session Type: SVC

Username     : ciscoese                Index        : 14
Assigned IP  : 10.123.2.200            Public IP    : 10.124.2.18
Assigned IPv6: 2001:db8:cafe:101::101
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128              Hashing      : SHA1
Bytes Tx     : 79763                   Bytes Rx     : 176080
Group Policy : AnyGrpPolicy            Tunnel Group : ANYCONNECT
Login Time   : 14:09:25 MST Mon Dec 17 2007
Duration     : 0h:47m:48s
NAC Result   : Unknown
VLAN Mapping : N/A                     VLAN         : none

AnyConnect 2.x—Summary Configuration

Figure: Outside interface (GigabitEthernet0/0) and Inside interface (GigabitEthernet0/1, 2001:db8:cafe:101::ffff).

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.123.1.4 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.123.2.4 255.255.255.0
 ipv6 address 2001:db8:cafe:101::ffff/64
!
ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy AnyGrpPolicy internal
group-policy AnyGrpPolicy attributes
 vpn-tunnel-protocol svc
 default-domain value cisco.com
 address-pools value AnyPool
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool AnyPool
 ipv6-address-pool ANYv6POOL
 default-group-policy AnyGrpPolicy
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable

crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn asa-edge-1.cisco.com
 subject-name CN=asa-edge-1
 keypair esevpnkeypair
 no client-types
 crl configure
ssl trust-point ASDM_TrustPoint0 outside

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin6.html#wp1002258

IPv6 for Remote Devices

• Remote hosts can use a VPN client or router to establish connectivity back to enterprise
• Possible over IPv4 today, not possible over IPv6…yet
• How do you allow access to IPv6 services at central site or Internet in a secure fashion?
    Enabling IPv6 traffic inside the Cisco VPN client tunnel
    Allow remote host to establish a v6-in-v4 tunnel either automatically or manually
        ISATAP—Intra Site Automatic Tunnel Addressing Protocol
        Configured—Static configuration for each side of tunnel
    Same split-tunneling issues exist

Figure: remote host, Internet, Corporate Network.

IPv6-in-IPv4 Tunnel Example—Cisco VPN Client

Figure: Remote User on an IPv4 Link across the Internet to the IPv4 IPSec Termination (PIX/ASA/IOS VPN/Concentrator), then through the Firewall to the IPv6 Tunnel Termination and over an IPv6 Link into the Corporate Network to a Dual-Stack server. The IPSec VPN carries the IPv6-in-IPv4 Tunnel(s); legend: IPv6 Traffic, IPv4 Traffic.

Considerations

• Cisco IOS® version supporting IPv6 configured/ISATAP tunnels
    Configured—12.3(1)M/12.3(2)T/12.2(14)S and above (12.4M/12.4T)
    ISATAP—12.3(1)M, 12.3(2)T, 12.2(14)S and above (12.4M/12.4T)
    Catalyst® 6500 with Sup720/32—12.2(17a)SX1—HW forwarding
• Be aware of the security issues if split-tunneling is used
    Attacker can come in IPv6 interface and jump on the IPv4 interface (encrypted to enterprise)
    In Windows Firewall—default policy is to DENY packets from one interface to another
• Remember that the IPv6 tunneled traffic is still encapsulated as a tunnel WHEN it leaves the VPN device
• Allow IPv6 tunneled traffic across access lists (Protocol 41)

Split Tunneling

• Ensure that the IPv6 traffic is properly routed through the IPv4 IPSec tunnel
• IPv6 traffic MAY take a path via the clear (unencrypted) route
• This is bad if you are unaware that it is happening

Figure, Without Split Tunneling: VPN Host sends Encrypted IPv4 Traffic to the VPN Head End at the Central Site, and reaches http://www.cisco.com/ through the Central Site.
Figure, With Split Tunneling: VPN Host sends Encrypted IPv4 Traffic to the VPN Head End at the Central Site, but Clear IPv6 Traffic goes directly to http://www.cisco.com/.

Required Stuff: Client Side

• Client operating system with IPv6
    Microsoft Windows XP SP1/2003 and Vista/Server 2008 (Supports Configured/ISATAP)
    Linux (7.3 or higher)—USAGI port required for ISATAP
    Mac OS X (10.2 or higher)—Currently need a VPN device on client network
    SunOS (8 or higher)—Currently need a VPN device on client network
    See reference slide for links/OS listing
• Cisco VPN Client 4.0.1 and higher for configured/ISATAP

IPv6 Using Cisco VPN Client
Example: Client Configuration (Windows XP): ISATAP

• Microsoft Windows XP (SP1 or higher)
• IPv6 must be installed
• XP will automatically attempt to resolve the name "ISATAP"
    Local host name
    Hosts file—SystemRoot\system32\drivers\etc
    DNS name query
    NetBIOS and Lmhosts
• Manual ISATAP router entry can be made
    netsh interface ipv6 isatap set router 20.1.1.1
• Key fact here is that NO additional configuration on the client is needed again!
• Use previous ISATAP configurations shown for router-side

Note: ISATAP is supported on some versions of Linux/BSD (manual router entry is required)

Does It Work?

Figure: Windows XP Client, VPN 3000, Catalyst 6500/Sup 720, Dual-Stack. 10.99.1.102—VPN Address; 2001:DB8:c003:1101:0:5efe:10.99.1.102—IPv6 address.

Interface 2: Automatic Tunneling Pseudo-Interface
Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------  -----------  -----------  -------------------------------------
Public     Preferred  29d23h56m5s  6d23h56m5s   2001:db8:c003:1101:0:5efe:10.99.1.102
Link       Preferred  infinite     infinite     fe80::5efe:10.99.1.102

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------------------
no       Autoconf    9  2001:db8:c003:1101::/64     2  Automatic Tunneling Pseudo-Interface
no       Manual      1  ::/0                        2  fe80::5efe:20.1.1.1

Planning and Deployment Summary

IPv6 Integration Outline

Pre-Deployment Phases
• Establish the network starting point
• Importance of a network assessment and available tools
• Defining early IPv6 security guidelines and requirements
• Additional IPv6 "predeployment" tasks needing consideration

Deployment Phases
• Transport considerations for integration
• Campus IPv6 integration options
• WAN IPv6 integration options
• Advanced IPv6 services options

Integration/Coexistence Starting Points
Example: Integration Demarc/Start Points in Campus/WAN

1. Start dual-stack on hosts/OS
2. Start dual-stack in campus distribution layer (details follow)
3. Start dual-stack on the WAN/campus core/edge routers
4. NAT-PT for servers/apps only capable of IPv4 (temporary only)

Figure: Dual-Stack IPv4-IPv6 Core and Edge; Dual-Stack IPv4-IPv6 Routers; L2 v6-enabled segments 10.1.1.0/24 and 10.1.2.0/24 with 2001::/64 (v4 and v6); v6 Only segment 2001::/64 with an IPv6 Server; IPv4-Only Segment 10.1.3.0/24 (v4 only) and 10.1.4.0/24 behind NAT-PT.

Pre-Deployment Checklist
Other Critical Network Planning Requirements

• Establish starting point, network assessment, security guidelines
• Acquire IPv6 address block and create IPv6 addressing scheme
• Create and budget for an IPv6 lab that closely emulates all network elements (routers, switches, hosts, OS)
• Upgrade DNS server to support IPv6
• Establish network management considerations (hardware, MIBs required for v6, etc.)
• Routing and multicast protocol and selection/evaluation process (align with IPv4 choice if possible)
• Consider options for centralized ISATAP router (see campus example)
• Evaluate IPv6-capable transport services available from current Service Provider (SP)
    Link support to timeline needed, not before
    Does L3 VPN service support QoS? Dual-homing? Security at NAP?

Transport Deployment Options for Integration
Applied to Campus, WAN, Branch, and Other

• Campus (also applies to Data Center)
    Dual-stack (IPv4/v6 enabled on all L3 devices—core/distr/access)
    Hybrid (combination dual-stack, tunnels, ISATAP)
    Services block (dedicated for IPv6 ISATAP tunnel termination)
• WAN (used for core or branch interconnect)
    Dual-stack core/edge
    WAN L2 transport (IPv4/v6 over ATM/FR, PPP/HDLC, T1/T3, OC-x)
    Metro Service (Ethernet, point-to-point, point-to-multipoint)
• VPN/transport considerations
    Self-deployed MPLS VPNs: PE to PE (VPN or non-VPN service)
    SP Offering L3 VPN service: CE to CE (encryption? QoS? multicast?)
    Overlay 6 over 4 IPSec: site-to-site, VPN client-based using ISATAP
    IPv6 over WiFi (802.1x is not required to be supported over IPv6)
• Other service options
    Broadband, internet (as transport), remote access supporting IPv6

General IPv6 Requirements
Considered in Each Place in the Network

• General Coexistence: IPv4 and IPv6 coexist with no impact on performance; flexible integration tools
• IP Multicast: Optimize traffic utilization with a broad range of deployment types
• Security: User-based policy enforcement; stress host-based features; privacy extensions; monitoring and reporting
• Routing: High-performance IPv6-aware routing protocols
• QoS: Identify and prioritize traffic based upon a wide variety of criteria; contiguous over campus, WAN, branch, SP offered
• Mobility: Access to applications and services while in motion; design into core infrastructure for IPv4 and IPv6

Each Category Applied to Campus, WAN, Branch, Other

Industry's Broadest Platform Support

High Capacity Forwarding (Cisco IPv6 Solutions)

Other Security Products

• ASA Firewall: Since version 7.0—Dual stack, no stateful-failover (coming)
• FWSM: IPv6 in software, IPv6 only. No header extension parsing.
• Cisco Security Agent: Needs CSA 6.0 for IPv6 network protection
• IPS: Needs 6.2 (not yet FCS…)

Cisco IPv6 compliance

• Conformance tests + Interoperability tests
    IPv6 Ready Logo – www.ipv6ready.org
    US DoD JITC conformance – http://jitc.fhu.disa.mil/apl/ipv6.html
    Cable Labs DOCSIS 3.0 conformance
    Microsoft Vista/Server 2008 interoperability – Vista logo
• Cisco IOS Release certification
    Cisco IOS 12.3T, 12.4(11)T, 12.2SX, 12.0S and XR (3.3.2) are compliant with the IPv6 Ready Logo Phase I
    Cisco IOS 12.4(9)T is compliant with IPv6 Ready Logo Phase II core specs
    IOS Firewall achieved JITC certification (Cisco IOS 12.4(11)T; C6500, C7600, C4500)
    DOCSIS 3.0 Bronze qualified

Issues for success
Focus on Business Value…

Most early success has been in closed environments. Dual stack simplifies the overall task of transition by allowing graceful one-application-at-a-time deployments, BUT that can't happen without IPv4. Carriers will be required to support IPv4 until their customers move. There will be a panic in the press once the IPv4 pool is depleted. The current retail rate is ~$1/day/address, and the cost of scarce commodities generally does not go down…

Conclusion

• Start learning now—Books, presentations, your own pilot lab
• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
• Microsoft Windows Vista and Server 2008 will have IPv6 enabled by default—Understand what impact any OS has on the network
• Things to consider: Full parity between IPv4 and IPv6 is the goal, but not a reality today
• Watch the standards and policies

More Information

• CCO IPv6: http://www.cisco.com/ipv6
• The ABC of IPv6: http://www.cisco.com/en/US/products/sw/iosswrel/products_abc_ios_overview.html
• IPv6 e-Learning [requires CCO username/password]: http://www.cisco.com/warp/customer/732/Tech/ipv6/elearning/
• IPv6 Access Services: http://www.cisco.com/warp/public/732/Tech/ipv6/docs/ipv6_access_wp_v2.pdf
• ICMPv6 Packet Types and Codes TechNote: http://www.cisco.com/warp/customer/105/icmpv6codes.html
• Cisco IOS IPv6 Product Manager: pgrosset@cisco.com

pdf   Deploying IPv6 in Branch Networks: http://www. Inc.pdf   CCO IPv6 Main Page: http://www.com/go/srnd BRKRST-2301 14340_04_2008_c2 © 2008 Cisco Systems. All rights reserved.cisco.cisco.com/univercd/cc/td/doc/solution/brchipv6.cisco.Reference Materials “Deploying IPv6 Networks” by Ciprian Popoviciu.com/univercd/cc/td/doc/solution/campipv6. Eric Levy-Abegnoli. Patrick Grossetete—Cisco Press (ISBN: 1587052105)   Deploying IPv6 in Campus Networks: http://www.cisco. Cisco Public 194 .com/go/ipv6   Cisco Network Designs: http://www.

Famous last words…


Appendix Slides (For Reference Only)

Appendix: Microsoft Windows Vista/Server 2008

Understand the Behavior of Vista

• IPv6 is preferred over IPv4
    Vista sends IPv6 NA/NS/RS upon link-up
    Attempts DHCP for IPv6
    If no DHCP or local RA received with Global or ULA, then try ISATAP
    If no ISATAP, then try Teredo
• Become familiar with Teredo: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
• ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4: http://www.microsoft.com/technet/network/p2p/default.mspx

In More Detail—Vista on Link-Up
No Network Services

No.  Time        Source                    Destination        Protocol  Info
1    0.000000    ::                        ff02::1:ffae:4361  ICMPv6    Neighbor solicitation
2    0.000030    fe80::80aa:fd5:f7ae:4361  ff02::2            ICMPv6    Router solicitation
3    0.000080    fe80::80aa:fd5:f7ae:4361  ff02::16           ICMPv6    Multicast Listener Report Message v2
4    1.155917    fe80::80aa:fd5:f7ae:4361  ff02::1:3          UDP       Source port: 49722 Destination port: 5355
5    1.156683    169.254.67.97             224.0.0.252        UDP       Source port: 49723 Destination port: 5355
6    3.484709    169.254.67.97             169.254.255.255    NBNS      Name query NB ISATAP<00>
7    126.409530  fe80::80aa:fd5:f7ae:4361  ff02::1:2          DHCPv6    Information-request
8    128.886397  0.0.0.0                   255.255.255.255    DHCP      DHCP Discover—Transaction ID 0x6c8d6efa

1. Unspecified address :: to the solicited-node address—NS/DAD
2. Looking for a local router—ff02::2 RS
3. Looking for MLD-enabled routers—ff02::16 MLDv2 report
4. LLMNR for IPv6—ff02::1:3—advertise hostname
5. LLMNR for IPv4—224.0.0.252 from RFC 3927 address
6. No global or ULA received via step 1/2—Try ISATAP
7. Try DHCP for IPv6—ff02::1:2
8. Try DHCP for IPv4

Figure: host ese-vista1 (fe80::80aa:fd5:f7ae:4361) on a link with no network services.

IPv4 Network—No IPv6 Network Services
What Does Vista Try to Do?

No.  Time        Source       Destination   Protocol  Info
13   8.813509    10.120.2.2   10.120.3.4    DCERPC    Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0
70   13.687721   10.120.2.4   10.120.2.2    DHCP      DHCP ACK—Transaction ID 0x2b8af443
       Bootstrap Protocol: Your (client) IP address: 10.120.2.2 (10.120.2.2)
       Option: (t=3,l=4) Router = 10.120.2.1
       Option: (t=6,l=4) Domain Name Server = 10.121.11.2
       Option: (t=15,l=9) Domain Name = "cisco.com"
138  25.360756   10.120.2.2   10.121.11.2   DNS       Standard query A isatap.cisco.com
580  296.362181  10.120.2.2   10.121.11.2   DNS       Standard query A teredo.ipv6.microsoft.com
581  296.686197  10.120.2.2   10.120.3.4    TCP       49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8
582  296.687794  10.120.3.4   10.120.2.2    TCP       epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152
583  296.687913  10.120.2.2   10.120.3.4    TCP       49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0

Figure: ese-vista2 (10.120.2.2) behind an IPv4-only Router (10.120.2.1), asking "ISATAP?? Teredo??"
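The two captures above show what a Vista host emits while it falls back from native IPv6 to ISATAP and then Teredo. As an added example, not part of the Cisco deck, the following script classifies capture-summary lines in the slides' column layout and lists the hosts that tried to reach a transition mechanism; the rule names and the sample lines are this example's own constructions.

```python
"""Flag hosts probing for IPv6 transition mechanisms in capture summaries.

Added example, not from the Cisco deck.  It reads Wireshark-style summary
lines in the column layout the slides use (No., Time, Source, Destination,
Protocol, Info) and reports, per host, which of the fallbacks described on
the slides (ISATAP name lookup, Teredo server lookup, Teredo UDP/3544,
DHCPv6) it tried.  The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample in the slides' column order; tab-separated so that the
# free-text Info column may contain spaces.
SAMPLE_CAPTURE = """\
2\t0.000030\tfe80::80aa:fd5:f7ae:4361\tff02::2\tICMPv6\tRouter solicitation
6\t3.484709\t169.254.67.97\t169.254.255.255\tNBNS\tName query NB ISATAP<00>
7\t126.409530\tfe80::80aa:fd5:f7ae:4361\tff02::1:2\tDHCPv6\tInformation-request
138\t25.360756\t10.120.2.2\t10.121.11.2\tDNS\tStandard query A isatap.cisco.com
580\t296.362181\t10.120.2.2\t10.121.11.2\tDNS\tStandard query A teredo.ipv6.microsoft.com
28\t33.546052\t172.16.1.103\t65.54.227.126\tUDP\tSource port: 1109 Destination port: 3544
9\t4.100000\t10.120.2.7\t10.120.3.4\tTCP\t49211 > epmap [SYN] Seq=0 Len=0
"""

# Each rule: (event name, protocol column it applies to, regex on Info).
RULES = [
    ("router-solicitation", "ICMPv6", re.compile(r"^Router solicitation")),
    ("dhcpv6", "DHCPv6", re.compile(r"Information-request|Solicit")),
    ("isatap-lookup", "NBNS", re.compile(r"Name query NB ISATAP<00>")),
    ("isatap-lookup", "DNS", re.compile(r"query A isatap\.", re.IGNORECASE)),
    ("teredo-lookup", "DNS",
     re.compile(r"query A teredo\.ipv6\.microsoft\.com", re.IGNORECASE)),
    ("teredo-traffic", "UDP", re.compile(r"Destination port: 3544\b")),
]


def parse_summary_line(line):
    """Split one summary line into its columns; None for malformed input."""
    parts = line.rstrip("\n").split("\t", 5)
    if len(parts) != 6:
        return None
    no, time, src, dst, proto, info = parts
    return {"no": int(no), "time": float(time), "src": src, "dst": dst,
            "proto": proto, "info": info}


def classify(record):
    """Name the transition-mechanism event this frame represents, if any."""
    for name, proto, pattern in RULES:
        if record["proto"] == proto and pattern.search(record["info"]):
            return name
    return None


def tunnel_probes(capture_text):
    """Map each source host to the set of transition events it generated."""
    probes = defaultdict(set)
    for line in capture_text.splitlines():
        rec = parse_summary_line(line)
        if rec is None:
            continue
        event = classify(rec)
        if event:
            probes[rec["src"]].add(event)
    return dict(probes)


def hosts_needing_attention(capture_text):
    """Hosts that tried to reach a tunnel mechanism (ISATAP or Teredo).

    A host that only sent an RS or a DHCPv6 request is asking for native
    IPv6; one that looked up isatap/teredo will tunnel out unless policy
    (ACLs on protocol 41 and UDP/3544, host firewall) stops it.
    """
    wanted = {"isatap-lookup", "teredo-lookup", "teredo-traffic"}
    return sorted(host for host, events in tunnel_probes(capture_text).items()
                  if events & wanted)


if __name__ == "__main__":
    for host, events in sorted(tunnel_probes(SAMPLE_CAPTURE).items()):
        print(f"{host:28} {', '.join(sorted(events))}")
    print("tunnel attempts from:", hosts_needing_attention(SAMPLE_CAPTURE))
```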

What Is Teredo?

• RFC 4380
• Tunnel IPv6 through NATs (NAT types defined in RFC 3489)
    Full Cone NATs (aka one-to-one)—Supported by Teredo
    Restricted NATs—Supported by Teredo
    Symmetric NATs—Supported by Teredo with Vista/Server 2008 if only one Teredo client is behind a Symmetric NAT
• Uses UDP port 3544
• Is complex—many sequences for communication and has several attack vectors
• Available on:
    Microsoft Windows XP SP1 w/Advanced Networking Pack
    Microsoft Windows Server 2003 SP1
    Microsoft Windows Vista (enabled by default—inactive until application requires it)
    Microsoft Server 2008
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
    Linux, BSD and Mac OS X—"Miredo" http://www.simphalempin.com/dev/miredo/

Teredo Components

• Teredo Client—Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
• Teredo Server—Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts—Listens on UDP port 3544
• Teredo Relay—Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
• Teredo Host-Specific Relay—Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay

Teredo Overview

Figure (from Microsoft "Teredo Overview" paper): Teredo clients behind NATs on the IPv4 Internet; a Teredo server; a Teredo relay and a Teredo host-specific relay bridging to the IPv6 Internet and an IPv6-only host. Legend: IPv6 or IPv6 over IPv4 traffic; IPv6 over IPv4 traffic; IPv6 traffic.

Teredo Address

| 32 bits: Teredo prefix | 32 bits: Teredo Server IPv4 Address | 16 bits: Flags | 16 bits: Obfuscated External Port | 32 bits: Obfuscated External Address |

• Teredo IPv6 prefix (2001::/32—previously was 3FFE:831F::/32)
• Teredo Server IPv4 address: global address of the server
• Flags: defines NAT type (e.g. Cone NAT)
• Obfuscated External Port: UDP port number to be used with the IPv4 address
• Obfuscated External Address: contains the global address of the NAT

Initial Configuration for Client

1. RS message sent from Teredo client to server—RS from LL address with Cone flag set
2. Server responds with RA—RS has Cone flag set—server sends RA from alternate v4 address—if client receives the RA, client is behind cone NAT
3. If RA is not received by client, client sends another RS with Cone flag not set
4. Server responds with RA from v4 address = destination v4 address from RS—if client receives the RA, client is behind restricted NAT
5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server
6. 2nd server sends an RA to client—client compares mapped address and UDP ports in the Origin indicators of the RA received by both servers. If different, then the NAT is mapping same internal address/port to different external address/port and NAT is a symmetric NAT
7. Client constructs Teredo address from RA
    First 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo server address)
    Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)
    Next 16 bits are external obscured UDP port from Origin indicator in RA
    Last 32 bits are obscured external IP address from Origin indicator in RA

Figure: Teredo Client behind a NAT (external v4 address / UDP port) across the IPv4 Internet to Teredo Server 1 and Teredo Server 2; resulting address 2001:0:4136:e37e:0:fbaa:b97e:fe4e = Teredo Prefix | Teredo Server v4 | Flags | Ext. Port | Ext. v4 address.

What Happens on the Wire—1

No.  Time       Source          Destination     Protocol  Info
15   25.468050  172.16.1.103    151.164.11.201  DNS       Standard query A teredo.ipv6.microsoft.com
16   25.481609  151.164.11.201  172.16.1.103    DNS       Standard query response A 65.54.227.120 A 65.54.227.127 A 65.54.227.126 A 65.54.227.124

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : probe(cone)
Type                    : teredo client
Network                 : unmanaged
NAT                     : cone

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : qualified
Type                    : teredo client
Network                 : unmanaged
NAT                     : restricted

What Happens on the Wire—2

No.  Time       Source                     Destination           Protocol  Info
28   33.546052  fe80::ffff:ffff:fffd       ff02::2               ICMPv6    Router solicitation
       Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
       User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
29   37.593598  fe80::8000:ffff:ffff:fffd  ff02::2               ICMPv6    Router solicitation
       Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
       User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
31   45.039706  fe80::8000:f227:bec9:1c81  fe80::ffff:ffff:fffd  ICMPv6    Router advertisement
       Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
       User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)
       Teredo Origin Indication header: Origin UDP port: 1109, Origin IPv4 address: 70.120.1.1 (70.120.1.1)
       Prefix: 2001:0:4136:e37e::
32   46.093832  fe80::ffff:ffff:fffd       ff02::2               ICMPv6    Router solicitation
       Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)
       User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
33   46.398745  fe80::8000:f227:bec9:1c81  fe80::ffff:ffff:fffd  ICMPv6    Router advertisement
       Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)
       Teredo Origin Indication header: Origin UDP port: 1109, Origin IPv4 address: 70.120.1.1 (70.120.1.1)
       Prefix: 2001:0:4136:e37e::
34   46.595460  fe80::8000:ffff:ffff:fffd  ff02::2               ICMPv6    Router solicitation
       Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
       User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

Slide annotations, in order: Send RS Cone Flag=1 (Cone NAT), every 4 seconds; If no reply, send Flag=0 (restricted NAT); Receive RA with Origin header and prefix; Send RS to 2nd server to check for symmetric NAT; Compare 2nd RA—Origin port/address from 2nd server.

What Happens on the Wire—3

No.  Time        Source                             Destination                         Protocol  Info
82   139.530547  172.16.1.103                       151.164.11.201                      DNS       Standard query AAAA www.kame.net
83   139.789493  151.164.11.201                     172.16.1.103                        DNS       Standard query response AAAA 2001:200:0:8002:203:47ff:fea5:3085
96   148.960607  2001:0:4136:e37e:0:fbaa:b97e:fe4e  2001:200:0:8002:203:47ff:fea5:3085  ICMPv6    Echo request
       Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
       User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
97   149.258206  172.16.1.103                       66.47.117.227                       UDP       Source port: 1109 Destination port: 50206
98   149.405579  fe80::8000:5445:5245:444f          2001:0:4136:e37e:0:fbaa:b97e:fe4e   IPv6      IPv6 no next header
       Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
       Teredo IPv6 over UDP tunneling
       Teredo Origin Indication header: Origin UDP port: 50206, Origin IPv4 address: 66.47.117.227
99   149.405916  66.47.117.227                      172.16.1.103                        UDP       Source port: 50206 Destination port: 1109
100  149.463719  172.16.1.103                       66.47.117.227                       UDP       Source port: 1109 Destination port: 50206
101  149.464100  66.47.117.227                      172.16.1.103                        UDP       Source port: 50206 Destination port: 1109
………

Slide annotations: DNS lookup (82); Response (83); ICMP to host via Teredo Server (96); Relay sends bubble packet to client via server—client receives relay address-port (98); Packets to/from IPv6 host and client traverse relay (97, 99–101).

According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sent—being researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspx

What Happens on the Wire—3 (Cont.)

Interface 7: Teredo Tunneling Pseudo-Interface
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  ---------------------------------
Public     Preferred  infinite    infinite    2001:0:4136:e37e:0:fbaa:b97e:fe4e
Link       Preferred  infinite    infinite    fe80::ffff:ffff:fffd

C:\>ping www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data:

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=453ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms

Maintaining NAT Mapping

• Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT state
    Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Next Header 59—No next header)

No.  Time       Source                             Destination  Protocol  Info
35   46.399072  2001:0:4136:e37e:0:fbaa:b97e:fe4e  ff02::1      IPv6      IPv6 no next header

Frame 35 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
Teredo IPv6 over UDP tunneling
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 0
    Next header: IPv6 no next header (0x3b)
    Hop limit: 21
    Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
    Destination address: ff02::1
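The address layout from the "Teredo Address" and "Initial Configuration for Client" slides and the bubble packet dissected above are easy to verify by hand. The following is an added example, not code from the Cisco deck: it decodes the slides' client address 2001:0:4136:e37e:0:fbaa:b97e:fe4e (server 65.54.227.126, restricted NAT, external mapping 70.129.1.177:1109 once the XOR obfuscation is undone), rebuilds it from those fields, and parses a constructed Teredo UDP payload carrying an origin indication followed by a bubble. The relay address and port in the sample come from the frame-98 capture; the byte strings themselves are constructed here.

```python
"""Decode a Teredo address and parse a Teredo-over-UDP payload (RFC 4380).

Added example, not code from the Cisco deck.  It decodes the client address
2001:0:4136:e37e:0:fbaa:b97e:fe4e shown on the slides and parses a bubble
packet like the one in frame 35.  All packet bytes here are constructed.
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000          # top bit of the 16-bit flags field
NEXT_HEADER_NONE = 59       # "IPv6 no next header": what a bubble carries


def decode_teredo_address(addr):
    """Split a Teredo address into prefix, server, flags, port and address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not inside {TEREDO_PREFIX}")
    raw = ip.packed                              # 16 bytes, network order
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    obf_addr = struct.unpack("!I", raw[12:16])[0]
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & CONE_FLAG),
        "nat_type": "cone" if flags & CONE_FLAG else "restricted",
        # Port and address are stored inverted (XOR all ones) so a NAT that
        # rewrites its own address inside payloads does not corrupt them.
        "external_port": obf_port ^ 0xFFFF,
        "external_address": str(ipaddress.IPv4Address(obf_addr ^ 0xFFFFFFFF)),
    }


def build_teredo_address(server, cone, ext_addr, ext_port):
    """The step-7 construction on the slide: inverse of decode_teredo_address."""
    raw = (bytes.fromhex("20010000")
           + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", CONE_FLAG if cone else 0, ext_port ^ 0xFFFF)
           + struct.pack("!I", int(ipaddress.IPv4Address(ext_addr)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(raw))


def parse_teredo_payload(udp_payload):
    """Parse the UDP payload of a Teredo packet (port 3544).

    Handles the optional origin indication (first two bytes 0x0000) that the
    server or a relay prepends, then the encapsulated IPv6 header.  The
    authentication header (first two bytes 0x0001) is not handled.
    """
    out, off = {}, 0
    if udp_payload[:2] == b"\x00\x00":
        obf_port, obf_addr = struct.unpack("!HI", udp_payload[2:8])
        out["origin_port"] = obf_port ^ 0xFFFF
        out["origin_address"] = str(ipaddress.IPv4Address(obf_addr ^ 0xFFFFFFFF))
        off = 8
    hdr = udp_payload[off:off + 40]
    if len(hdr) != 40 or hdr[0] >> 4 != 6:
        raise ValueError("no IPv6 header after the Teredo indications")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", hdr[4:8])
    out.update(
        src=str(ipaddress.IPv6Address(hdr[8:24])),
        dst=str(ipaddress.IPv6Address(hdr[24:40])),
        next_header=next_hdr, hop_limit=hop_limit, payload_length=payload_len,
        # A bubble is an IPv6 header with next header 59 and nothing after it.
        is_bubble=(next_hdr == NEXT_HEADER_NONE and payload_len == 0),
    )
    return out


def make_bubble(src, dst, hop_limit=21):
    """Construct the 40-byte IPv6 header of a bubble packet (sample data)."""
    return (struct.pack("!IHBB", 6 << 28, 0, NEXT_HEADER_NONE, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


# Constructed sample: origin indication naming relay 66.47.117.227:50206,
# then a bubble from the relay's link-local address to the client (frame 98).
SAMPLE_ORIGIN = struct.pack("!HHI", 0, 50206 ^ 0xFFFF,
                            int(ipaddress.IPv4Address("66.47.117.227")) ^ 0xFFFFFFFF)
SAMPLE_PAYLOAD = SAMPLE_ORIGIN + make_bubble(
    "fe80::8000:5445:5245:444f", "2001:0:4136:e37e:0:fbaa:b97e:fe4e")

if __name__ == "__main__":
    print(decode_teredo_address("2001:0:4136:e37e:0:fbaa:b97e:fe4e"))
    print(parse_teredo_payload(SAMPLE_PAYLOAD))
```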

Appendix: ISATAP Overview

Intrasite Automatic Tunnel Address Protocol

– RFC 4214
– This is for enterprise networks such as corporate and academic networks
– Scalable approach for incremental deployment
– ISATAP uses your IPv4 infrastructure as the transport (NBMA) network

Intrasite Automatic Tunnel Address Protocol

Use IANA’s OUI 00-00-5E and encode the IPv4 address as part of the EUI-64:

  64-bit Unicast Prefix | 0000:5EFE: | 32-bit IPv4 Address
                        |   Interface Identifier (64 bits)  |

– ISATAP is used to tunnel IPv6 within an administrative domain (a site) to create a virtual IPv6 network over an IPv4 network
– Supported in Windows XP Pro SP1 and others

Automatic Advertisement of ISATAP Prefix

ISATAP Host A --- IPv4 Network (ISATAP Tunnel) --- ISATAP Router 1 (E0) --- IPv6 Network

1. ICMPv6 Type 133 (RS) "Send me ISATAP Prefix"
   IPv4 Source: 206.123.31.100   IPv4 Destination: 206.123.31.200
   IPv6 Source: fe80::5efe:ce7b:1464   IPv6 Destination: fe80::5efe:ce7b:1fc8

2. ICMPv6 Type 134 (RA) ISATAP Prefix: 2001:db8:ffff:2::/64
   IPv4 Source: 206.123.31.200   IPv4 Destination: 206.123.31.100
   IPv6 Source: fe80::5efe:ce7b:1fc8   IPv6 Destination: fe80::5efe:ce7b:1464

Automatic Address Assignment of Host and Router

ISATAP Host A                        --- IPv4 Network (ISATAP Tunnel) ---   ISATAP Router 1 (E0) --- IPv6 Network
206.123.31.100                                                             206.123.31.200
fe80::5efe:ce7b:1464                                                       fe80::5efe:ce7b:1fc8
2001:db8:ffff:2::5efe:ce7b:1464                                            2001:db8:ffff:2::5efe:ce7b:1fc8

– ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
– When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates the IPv6 packets in IPv4. The IPv4 packets carrying the encapsulated IPv6 packets use the IPv4 source and destination addresses of the two tunnel endpoints (206.123.31.100 and 206.123.31.200).
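The ISATAP slides above give the address format (prefix, 0000:5EFE, IPv4 address) and the RS/RA exchange over it. Here is an added Python example, written for this page and not taken from the deck or from any vendor implementation, that derives the link-local and prefix-based ISATAP addresses from an IPv4 address, extracts the IPv4 tunnel endpoints back out of a pair of ISATAP addresses (which is exactly what the host does when it builds the outer IPv4 header), and forms the RS/RA addressing from the slides. Note that encoding 206.123.31.100 per RFC 4214 gives the interface identifier 5efe:ce7b:1f64 (0x1f = 31, 0x64 = 100); the slides print 1464 for that host, while the router's 206.123.31.200 → 5efe:ce7b:1fc8 matches the encoding exactly. The `globally_unique` flag (RFC 4214 u bit, 0200:5EFE) is an addition of this example; the slides only show the 0000:5EFE form.

```python
import ipaddress

ISATAP_IID_PRIVATE = 0x00005EFE   # u bit clear: the form shown on the slides
ISATAP_IID_GLOBAL = 0x02005EFE    # u bit set for a globally unique IPv4 address
RS_TYPE, RA_TYPE = 133, 134       # ICMPv6 Router Solicitation / Advertisement


def isatap_interface_id(ipv4: str, globally_unique: bool = False) -> int:
    """64-bit ISATAP interface identifier: 0000:5EFE (or 0200:5EFE) followed by the IPv4 address."""
    top = ISATAP_IID_GLOBAL if globally_unique else ISATAP_IID_PRIVATE
    return (top << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix: str, ipv4: str, globally_unique: bool = False) -> str:
    """Combine a /64 prefix (e.g. the one learned via the RA) with the ISATAP interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed from a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4, globally_unique)))


def isatap_link_local(ipv4: str, globally_unique: bool = False) -> str:
    return isatap_address("fe80::/64", ipv4, globally_unique)


def ipv4_of_isatap(addr: str) -> str:
    """Recover the IPv4 tunnel endpoint embedded in an ISATAP address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 32) not in (ISATAP_IID_PRIVATE, ISATAP_IID_GLOBAL):
        raise ValueError(f"{addr} does not carry an ISATAP interface identifier")
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def outer_ipv4_header(src_v6: str, dst_v6: str) -> tuple:
    """IPv4 (source, destination) the host uses to encapsulate IPv6 towards an ISATAP neighbour."""
    return ipv4_of_isatap(src_v6), ipv4_of_isatap(dst_v6)


def rs_ra_exchange(host_ipv4: str, router_ipv4: str, prefix: str) -> list:
    """Addressing of the two messages on the 'Automatic Advertisement' slide (as dicts)."""
    host_ll, router_ll = isatap_link_local(host_ipv4), isatap_link_local(router_ipv4)
    rs = {"icmpv6_type": RS_TYPE, "ipv4_src": host_ipv4, "ipv4_dst": router_ipv4,
          "ipv6_src": host_ll, "ipv6_dst": router_ll}
    ra = {"icmpv6_type": RA_TYPE, "ipv4_src": router_ipv4, "ipv4_dst": host_ipv4,
          "ipv6_src": router_ll, "ipv6_dst": host_ll, "prefix": prefix}
    # what the host configures once it has the prefix from the RA
    ra["host_global"] = isatap_address(prefix, host_ipv4)
    return [rs, ra]
```

Because the IPv4 address is readable from every ISATAP address, an inventory of IPv6 addresses seen on the ISATAP interface doubles as an inventory of IPv4 tunnel endpoints, which is handy when auditing which hosts inside the site are actually tunnelling.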

Appendix: Multicast

IPv4 and IPv6 Multicast Comparison

Service                IPv4 Solution                                      IPv6 Solution
---------------------  -------------------------------------------------  ----------------------------------------------------------------
Addressing Range       32-bit, Class D                                    128-bit (112-bit Group)
Routing                Protocol Independent, All IGPs and MBGP            Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
Forwarding             PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR        PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group Management       IGMPv1, v2, v3                                     MLDv1, v2
Domain Control         Boundary, Border                                   Scope Identifier
Interdomain Solutions  MSDP Across Independent PIM Domains                Single RP Within Globally Shared Domains

MLDv1: Joining a Group (REPORT)

Hosts: H1 FE80::209:5BFF:FE08:A674, H2 FE80::250:8BFF:FE55:78DE; router rtr-a FE80::207:85FF:FE80:692
Source Group: FF3E:40:2001:DB8:C003:1109:1111:1111

1. H1 sends a REPORT for the group
   Destination: FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type: 131
2. H2 sends a REPORT for the group
   Destination: FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type: 131

MLDv1: Host Management (Group-Specific Query)

Hosts: H1 FE80::209:5BFF:FE08:A674, H2 FE80::250:8BFF:FE55:78DE; router rtr-a FE80::207:85FF:FE80:692
Source Group: FF3E:40:2001:DB8:C003:1109:1111:1111

1. H1 sends DONE to FF02::2
   Destination: FF02::2, ICMPv6 Type: 132
2. RTR-A sends Group-Specific Query
   Destination: FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type: 130
3. H2 sends REPORT for the group
   ICMPv6 Type: 131

Other MLD Operations

– Leave/DONE
  – Last host leaves—sends DONE (Type 132)
  – Router will respond with group-specific query (Type 130)
  – Router will use the last member query response interval (Default=1 sec) for each query
  – Query is sent twice and if no reports occur then entry is removed (2 seconds)
– General Query (Type 130)
  – Sent to learn of listeners on the attached link
  – Sets the multicast address field to zero
  – Sent every 125 seconds (configurable)

A Few Notes on Tunnels…

– PIM uses tunnels when RPs/sources are known
– Source registering (on first-hop router)
  – Uses virtual tunnel interface (appears in OIL for [S,G])
  – Created automatically on first-hop router when RP is known
  – Cisco IOS® keeps tunnel as long as RP is known
  – Unidirectional (transmit only) tunnels
  – PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)

PIM Tunnels (DR-to-RP)

Topology: Source – DR (branch) – Corporate Network – RP (L0)

branch#show ipv6 pim tunnel
Tunnel1*
  Type  : PIM Encap
  RP    : 2001:DB8:C003:1116::2
  Source: 2001:DB8:C003:111E::2

branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is transmit only
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  … output truncated…

PIM Tunnels (RP)

– Source registering (on RP): two virtual tunnels are created
  – One transmit only for registering sources locally connected to the RP
  – One receive only for decapsulation of incoming registers from remote designated routers
– No one-to-one relationship between virtual tunnels on designated routers and RP!

PIM Tunnels (RP-for-Source)

Topology: Source – Corporate Network – RP (L0, Tu)

RP-router#show ipv6 pim tunnel
Tunnel0*
  Type  : PIM Encap
  RP    : 2001:DB8:C003:1116::2
  Source: 2001:DB8:C003:1116::2
Tunnel1*
  Type  : PIM Decap
  RP    : 2001:DB8:C003:1116::2
  Source:

RP-router#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:1116::2 (FastEthernet0/0), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is receive only
  … output truncated…

Tunneling v6 Multicast

– v6 in v4
  – v6 in v4 (most widely used): tunnel mode ipv6ip <---- IS-IS cannot traverse
  – v6 in v4 GRE (IS-IS can traverse): tunnel mode gre ip
  – ISATAP/6to4 do not support IPv6 multicast
– v6 in v6
  – v6 in v6: tunnel mode ipv6
  – v6 in v6 GRE: tunnel mode gre ipv6

Source Specific Multicast (SSM)

– No configuration required other than enabling ipv6 multicast-routing

router#show ipv6 pim range-list config
SSM Exp: never Learnt from : ::
 FF33::/32 Up: 1d00h
 FF34::/32 Up: 1d00h
 FF35::/32 Up: 1d00h
 FF36::/32 Up: 1d00h
 FF37::/32 Up: 1d00h
 FF38::/32 Up: 1d00h
 FF39::/32 Up: 1d00h
 FF3A::/32 Up: 1d00h
 FF3B::/32 Up: 1d00h
 FF3C::/32 Up: 1d00h
 FF3D::/32 Up: 1d00h
 FF3E::/32 Up: 1d00h
 FF3F::/32 Up: 1d00h

– SSM group ranges are automatically defined
– Requires MLDv2 on host or SSM Mapping feature

SSM-Mapping

– Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
– SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint
– An SSM-Mapping enabled router will map MLDv1 reports (which do not natively include the source, unlike MLDv2) to a source
  – Range of groups can be statically defined or used with DNS
  – Wildcards can be used to define the range of groups

SSM-Mapping

Topology: Source 2001:DB8:CAFE:11::11 – Corporate Network – core-1 – MLDv1 receiver for group FF33::DEAD

core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
  Incoming interface: GigabitEthernet3/3
  RPF nbr: FE80::20E:39FF:FEAD:9B00
  Immediate Outgoing interface list:
    GigabitEthernet5/1, Forward, 00:01:20/00:03:06

Static Mapping:
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
 permit ipv6 any host FF33::DEAD

SSM DNS Mapping (the default):
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
!
ip domain multicast ssm-map.cisco.com
ip name-server 10.1.1.1

IPv6 Multicast Static RP

– Easier than before as PIM is auto-enabled on every interface

RP router (L0, Corporate Network):
ipv6 multicast-routing
!
interface Loopback0
 description IPV6 IPmc RP
 no ip address
 ipv6 address 2001:DB8:C003:110A::1/64
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64

Source-side router (IP WAN):
ipv6 multicast-routing
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64

IPv6 Multicast PIM BSR: Configuration

Topology: Source – IP WAN – Corporate Network; RP—2001:DB8:C003:1116::2 (wan-top) and RP—2001:DB8:C003:110A::1 (wan-bottom)

wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2
ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2

wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1

Bidirectional PIM (Bidir)

– The same many-to-many model as before
– Configure Bidir RP and range via the usual ip pim rp-address syntax with the optional bidir keyword

!
ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir
!

#show ipv6 pim range | include BD
Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::

Embedded-RP Addressing Overview

– RFC 3956
– Relies on a subset of RFC 3306—IPv6 unicast-prefix-based multicast group addresses with special encoding rules: the group address carries the RP address for the group!

   8  |   4   |   4   |   4  |    4   |   8  |       64       |    32
  FF  | Flags | Scope | Rsvd | RPaddr | Plen | Network Prefix | Group ID

– New address format defined: Flags = 0RPT; P = 1, R = 1, T = 1 => RP address embedded (0111 = 7)
– Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
  Embedded RP: 2001:0DB8:C003:111D::1

Embedded-RP

– PIM-SM protocol operations with embedded-RP:
  – Intradomain transition into embedded-RP is easy: non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
– Embedded-RP is just a method to learn ONE RP address for a multicast group:
  – It can not replace RP-redundancy as possible with BSR or MSDP/Anycast-RP
– Embedded-RP does not (yet) support Bidir-PIM
  – Simply extending the mapping function to define Bidir-PIM RPs is not sufficient: in Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported

Embedded-RP Configuration Example

Topology: Source – IP WAN – Corporate Network – RP (L0)

– RP to be used as an Embedded-RP needs to be configured with address/group range
– All other non-RP routers require no special configuration

ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
 permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96

Embedded RP—Does It Work?

Topology: Source – IP WAN – branch (receiver sends Report) – to RP

branch#show ipv6 pim group
FF7E:140:2001:DB8:C003:111D::/96*
  RP      : 2001:DB8:C003:111D::1
  Protocol: SM
  Client  : Embedded
  Groups  : 1
  Info    : RPF: Se0/0,FE80::210:7FF:FEDD:40

branch#show ipv6 mroute active
Active IPv6 Multicast Sources - sending >= 4 kbps
Group: FF7E:140:2001:DB8:C003:111D:0:1112
  Source: 2001:DB8:C003:1109::2
    Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)

branch#show ipv6 pim range | include Embedded
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::
  FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24
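The SSM range-list slide and the Embedded-RP slides above are both about reading the flag nibble of an IPv6 group address: FF3x::/32 is SSM (P and T set), FF7x carries an RP (R, P and T set), and RFC 3956 tells you how to pull the RP and the /96 group range back out. The Python below is an added example for this page, not code from the deck or from Cisco. It decodes the example group FF7E:0140:2001:0DB8:C003:111D:0000:1112 to the RP 2001:DB8:C003:111D::1 shown on the slide, classifies FF33::DEAD from the SSM-Mapping slide, and derives the ACL range FF7E:140:2001:DB8:C003:111D::/96 from the configuration example. The field names in the returned dict are this example's own.

```python
import ipaddress


def decode_ipv6_multicast(addr: str) -> dict:
    """Decode flags, scope and (for prefix-based groups) RFC 3306/3956 fields."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[0] != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    flags, scope = raw[1] >> 4, raw[1] & 0x0F
    t_flag, p_flag, r_flag = bool(flags & 0x1), bool(flags & 0x2), bool(flags & 0x4)
    info = {
        "flags": flags,
        "scope": scope,
        "transient": t_flag,
        "prefix_based": p_flag,      # RFC 3306 unicast-prefix-based group
        "embedded_rp": r_flag,       # RFC 3956 group that carries its RP
        # FF3x::/32, the ranges "show ipv6 pim range-list" lists as SSM: P=1, T=1, R=0
        "ssm": p_flag and t_flag and not r_flag,
    }
    if p_flag:
        riid = raw[2] & 0x0F                    # RPaddr nibble (RIID), reserved nibble ignored
        plen = raw[3]
        prefix = int.from_bytes(raw[4:12], "big") << 64   # 64-bit network prefix field
        mask = ((1 << plen) - 1) << (128 - plen) if plen else 0
        info["plen"] = plen
        info["network_prefix"] = str(ipaddress.IPv6Network((prefix & mask, plen))) if plen else None
        info["group_id"] = int.from_bytes(raw[12:16], "big")
        if r_flag:
            if riid == 0:
                raise ValueError("RIID 0 is reserved for embedded-RP groups")
            info["riid"] = riid
            # RP = first plen bits of the network prefix, zeros, RIID in the low-order nibble
            info["rp"] = str(ipaddress.IPv6Address((prefix & mask) | riid))
    return info


def embedded_rp_group_range(rp: str, plen: int, scope: int) -> str:
    """The FF7x::/96 group range served by an RP whose address ends in RIID (RFC 3956)."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF
    if not 1 <= riid <= 15 or not 0 < plen <= 64 or not 0 <= scope <= 15:
        raise ValueError("RIID must be 1..15, prefix length 1..64, scope a nibble")
    mask = ((1 << plen) - 1) << (128 - plen)
    prefix_field = (rp_int & mask) >> 64
    head = bytes([0xFF, 0x70 | scope, riid, plen])       # FF | 0111+scope | 0000+RIID | plen
    raw = head + prefix_field.to_bytes(8, "big") + bytes(4)
    return str(ipaddress.IPv6Network((raw, 96)))


def classify(addr: str) -> str:
    """One-word summary of how a PIM router would treat the group."""
    info = decode_ipv6_multicast(addr)
    if info["embedded_rp"]:
        return f"embedded-rp via {info['rp']}"
    if info["ssm"]:
        return "ssm"
    return "asm (RP from static config, BSR or other mapping)"
```

The `embedded_rp_group_range` function is the one to run when writing the RP's access list: the /96 it returns must match the range in the ACL bound to `ipv6 pim rp-address`, otherwise the RP refuses groups it is supposed to serve.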

Multicast Applications

– Microsoft Windows Media Server/Player (9 -11)
  http://www.microsoft.com/windows/windowsmedia/default.aspx
– VideoLAN
  www.videolan.org
– DVTS (Digital Video Transport System)
  http://www.sfc.wide.ad.jp/DVTS/
  http://www.dvts.jp/en/dvts.html
– Internet radio stations over IPv6
  http://www.ipv6.ecs.soton.ac.uk/virginradio/
  Supported on iTunes 4.5, XMMS 1.2.8, Windows Media Player, etc…
– Many more applications…Google is your friend :-)

Appendix: QoS

IPv6 QoS: Header Fields

  Version | Traffic Class | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address
  Destination Address

– IPv6 traffic class: exactly the same as the TOS field in IPv4
– IPv6 Flow Label (RFC 3697): a new 20-bit field in the IPv6 basic header which:
  – Labels packets belonging to particular flows
  – Can be used for special sender requests
  – Per RFC, Flow Label must not be modified by intermediate routers
– Keep an eye out for work being done to leverage the flow label

Simple QoS Example: IPv4 and IPv6

ACLs to match for both IPv4 and IPv6 packets; ACL match to set DSCP (if packets are not already marked)

class-map match-any BRANCH-BULK-DATA
 match access-group name BULK-DATA-IPV6
 match access-group name BULK-DATA
class-map match-all BULK-DATA
 match dscp af11
!
policy-map RBR-WAN-EDGE
 class BULK-DATA
  bandwidth percent 4
  random-detect
!
policy-map RBR-LAN-EDGE-IN
 class BRANCH-BULK-DATA
  set dscp af11
!
ip access-list extended BULK-DATA
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ipv6 access-list BULK-DATA-IPV6
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

Applied on the interfaces:
 service-policy input RBR-LAN-EDGE-IN
 service-policy output RBR-WAN-EDGE
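The two QoS slides make two points: the traffic class byte holds DSCP exactly as the IPv4 TOS byte does (so one DSCP-based WAN class serves both families once the LAN edge has marked the packets), and the flow label is not to be touched by intermediate routers. The Python below is an added example for this page, not code from the deck or from Cisco IOS. It models the two policy-maps as functions over constructed packet records (the same FTP ports as the two ACLs, AF11 = 10 as defined in RFC 2597) and shows a DSCP rewrite on a raw IPv6 header that leaves ECN and the 20-bit flow label intact; the helper and field names are this example's own.

```python
import struct

# DSCP code points used by the policy on the slide (RFC 2597 AF11 = 001010)
DSCP = {"default": 0, "af11": 10}
FTP_PORTS = {21, 20}   # ftp, ftp-data: the two entries of BULK-DATA and BULK-DATA-IPV6


def lan_edge_in(pkt: dict) -> dict:
    """policy-map RBR-LAN-EDGE-IN: class BRANCH-BULK-DATA (match-any on either ACL) -> set dscp af11.
    Both ACLs test only 'tcp' and the destination port, so the address family is irrelevant."""
    if pkt["proto"] == "tcp" and pkt["dst_port"] in FTP_PORTS:
        return {**pkt, "dscp": DSCP["af11"]}
    return pkt


def wan_edge_out_class(pkt: dict) -> str:
    """policy-map RBR-WAN-EDGE: class BULK-DATA is 'match dscp af11'; everything else is class-default."""
    return "BULK-DATA" if pkt.get("dscp") == DSCP["af11"] else "class-default"


def make_ipv6_header(dscp: int = 0, ecn: int = 0, flow_label: int = 0,
                     payload_len: int = 0, next_header: int = 59, hop_limit: int = 64) -> bytes:
    """Constructed 40-byte IPv6 header (addresses zeroed) for the rewrite demonstration."""
    first = (6 << 28) | ((dscp & 0x3F) << 22) | ((ecn & 0x3) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first, payload_len, next_header, hop_limit) + bytes(32)


def ipv6_header_fields(hdr: bytes) -> dict:
    (first,) = struct.unpack("!I", hdr[:4])
    return {"version": first >> 28, "dscp": (first >> 22) & 0x3F,
            "ecn": (first >> 20) & 0x3, "flow_label": first & 0xFFFFF}


def set_dscp(hdr: bytes, dscp: int) -> bytes:
    """Rewrite the 6 DSCP bits of the traffic class; ECN bits and the flow label are left untouched."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    (first,) = struct.unpack("!I", hdr[:4])
    first = (first & ~(0x3F << 22)) | (dscp << 22)
    return struct.pack("!I", first & 0xFFFFFFFF) + hdr[4:]


# Constructed packets as the branch LAN edge would see them
SAMPLE_PACKETS = [
    {"family": 4, "proto": "tcp", "dst_port": 21, "dscp": 0},   # IPv4 FTP control
    {"family": 6, "proto": "tcp", "dst_port": 20, "dscp": 0},   # IPv6 FTP data
    {"family": 6, "proto": "tcp", "dst_port": 80, "dscp": 0},   # IPv6 HTTP
    {"family": 4, "proto": "udp", "dst_port": 21, "dscp": 0},   # UDP to port 21 is not matched
]


def run_policy(packets=SAMPLE_PACKETS) -> list:
    """Apply the inbound LAN-edge marking, then report the outbound WAN-edge class per packet."""
    marked = [lan_edge_in(p) for p in packets]
    return [(p["family"], p["dscp"], wan_edge_out_class(p)) for p in marked]
```

The design point the slide makes is visible in `wan_edge_out_class`: it never looks at the address family, so a new traffic type only needs an ACL entry in each family at the LAN edge, not a second queueing policy on the WAN link.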
