
2011 Cisco and/or its affiliates. All rights reserved.

Cisco IPv6 for Enterprise.
It's Time!
Beat Baumberger
IT Infrastructure Architect
Feb 3, 14:41:24 UTC
Many of the products and features described herein
remain in varying stages of development and will be
offered on a when-and-if-available basis. This roadmap
is subject to change at the sole discretion of Cisco, and
Cisco will have no liability for delay in the delivery or
failure to deliver any of the products or features set forth
in this document.
- Cisco's internal roadmap on IPv6
- What is Cisco's IT planning / doing internally?
- IPv6 Enterprise Deployment
- IPv6 Readiness: what's the roadmap with Cisco's HW/SW today? Where are the traps and gaps?
Full IPv6 support in "all of our devices, all of our applications, all of our services" (John Chambers, Google IPv6 Conference, June 2010)
IPv6 Implementation Strategy Foundation:
- IPv6 thought leadership, early-adopter product development and standardization
- Targeted development based on deployment models
- IPv6 by Default in new development
Deployment models: Consumer, Content, Public Sector, Enterprise, Service Provider
Cisco chose to focus on USGv6 certification (http://www.antd.nist.gov/usgv6/). USGv6 directed the National Institute of Standards and Technology (NIST) to develop the technical infrastructure (standards and testing) necessary to support wide-scale adoption of IPv6 in the US Government (USG).
The USGv6 tests at UNH also result in the IPv6 Ready Logo (http://www.ipv6forum.com). The IPv6 Forum IPv6 Ready Logo Program is a conformance and interoperability testing program intended to increase user confidence by demonstrating that IPv6 is available now and is ready to be used.
Cisco is driving the tests that are required for USGv6 / IPv6 Ready Logo upstream into the development process.
Business Drivers
1. IPv6 leadership and mindshare
2. IPv6 product and solution readiness
IT Drivers
1. Corporate growth (possible IPv4 address depletion in the future)
2. Enable IPv6 infrastructure for development and testing
3. Cisco on Cisco
Goals
1. cisco.com IPv6 Internet presence
2. Enable ubiquitous IPv6-enabled user access in the network
3. End-to-end IPv6 (dual stack)
IPv6 Internet Presence (cisco.com):
  Static Content Only; Separate URL; Separate Web Front-end
  -> All Content and Apps; Separate URL; Separate Web Front-end
  -> All Content and Apps; Single URL; Converged Web Front-End
Ubiquitous IPv6 User Access:
  Limited IPv6 Tunnel Service; Corp and Internet access on request
  -> Limited IPv6 Tunnel Service, Dual Stack Core; Corp and Internet access on request; GGSG Dual Stack; NSSTG Alpha
  -> Dual Stack Desktop Networks, SJC and RTP; Corp and Internet Access
  -> Dual Stack Desktop Networks, all global sites, remote access; Corp and Internet Access
Long-Term IPv6 Investments:
  Apps & services: Collaboration, Communication, Enterprise Apps, Content
- Must be low-cost and low-risk
- Must co-exist with existing IPv4 infrastructure
- Must allow access to the public Internet
- Must be incrementally deployable
- Must understand the cost of adding a new service
- Must not impact existing services
- End users should not know the integration occurred (seamless)
Our advice to customers is that they should be taking practical steps to deploy IPv6 in the near term. Deployment generally takes 1-2 years following the decision; decide now. This includes:
1. Hardware/software audits of their networks and applications/services.
2. Upgrade hardware and software for networks and applications/services, ideally within their normal procurement cycles; plan on it now over the next 1-2 years.
3. Procurement policy: only purchase equipment/software that supports or is software-upgradable to IPv6.
4. Establish an IPv6 Internet (web, mail, etc.) presence in the near term.
5. Ensure IPv6 connectivity to neighboring networks: upstream, downstream, and peer.
6. Take steps toward internal IPv6 deployment as well.
Based on timeframe/use case:
- Core-to-Edge: fewer things to touch
- Edge-to-Core: challenging but doable
- Internet Edge: business continuity
(Diagram: Branch, WAN, DC Access, DC Aggregation, DC/Campus Core, Campus Block, Internet Edge, ISP, Servers)
Unique Local Addresses (ULA)
- Used for internal communications, inter-site VPNs
- Not routable on the Internet: basically RFC 1918 for IPv6, only better, with less likelihood of collisions
- Default prefix is /48; a /48 limits use in large organizations that will need more space
- The semi-random generator prohibits generating sequentially usable prefixes: no easy way to have aggregation when using multiple /48s
- Why not hack the generator to produce something larger than a /48, or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers: remember the idea for ULA is internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A.
- Routing/security control: you must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA in the ULA range; today this is the only way the ULA scope can be enforced.
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
Generated ULA = fd9c:58ed:7d73::/48
* MAC address = 00:0D:9D:93:A0:C3 (Hewlett Packard)
* EUI64 address = 020D9Dfffe93A0C3
* NTP date = cc5ff71943807789 cc5ff71976b28d86
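As an added illustration (not from the slides and not the SiXXS tool's code), this Python script derives the modified EUI-64 from the MAC shown above and then runs the RFC 4193 global-ID algorithm over it with the first NTP timestamp; the tool's exact timestamp handling is not documented here, so the /48 this yields need not equal the slide's fd9c:58ed:7d73::/48, and the 0x2800 subnet ID is taken from the site diagrams.

```python
import hashlib
import ipaddress
import struct


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): flip the universal/local bit of
    the first octet and splice ff:fe between the OUI and the device ID."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:0d:9d:93:a0:c3")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the
    least-significant 40 bits as the global ID and put it behind fd00::/8.
    The pseudo-random global ID is what keeps two organisations' ULA spaces
    from colliding, which is why hand-picking a larger block defeats it."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    packed = bytes([0xFD]) + digest[-5:] + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def site_subnet(ula: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of the /48 with a 16-bit subnet ID (0x2800 on the slides)."""
    if ula.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(ula.network_address) | (subnet_id << 64), 64))


# Constructed inputs: the MAC and the first NTP timestamp quoted on the slide.
EXAMPLE_MAC = "00:0D:9D:93:A0:C3"
EXAMPLE_NTP = 0xCC5FF71943807789

if __name__ == "__main__":
    eui = mac_to_eui64(EXAMPLE_MAC)
    prefix = ula_prefix(eui, EXAMPLE_NTP)
    print("EUI-64 :", eui.hex())
    print("ULA /48:", prefix)
    print("Subnet :", site_subnet(prefix, 0x2800))
```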
ULA only internally: NAT66 required, not recommended today
- Everything internal runs the ULA space
- A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the Internet
- Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation, NPTv6)
- Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
(Diagram: Corp HQ, Branch 1 and Branch 2 across the Corporate Backbone in ULA space FD9C:58ED:7D73::/48, with FD9C:58ED:7D73:2::/64, FD9C:58ED:7D73:2800::/64 and FD9C:58ED:7D73:3000::/64 at the sites; Global 2001:DB8:CAFE::/48 toward the Internet, NAT66 required)
ULA plus Global internally: not recommended
- Both ULA and Global are used internally, except for internal-only hosts
- Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
- In theory, ULA talks to ULA and Global talks to Global; SAS should work this out
- ULA-only and Global-only hosts can talk to one another internal to the network
- Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet, and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
- Management NIGHTMARE for DHCP, DNS, routing, security, etc.
(Diagram: Corp HQ, Branch 1 and Branch 2 across the Corporate Backbone, each site carrying both a ULA /64 and a Global /64: FD9C:58ED:7D73:2::/64 with 2001:DB8:CAFE:2::/64, FD9C:58ED:7D73:2800::/64 with 2001:DB8:CAFE:2800::/64, FD9C:58ED:7D73:3000::/64 with 2001:DB8:CAFE:3000::/64; ULA space FD9C:58ED:7D73::/48 and Global 2001:DB8:CAFE::/48 toward the Internet)
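The claim above that SAS pairs ULA with ULA and Global with Global, illustrated with added Python (not Cisco's code): a reduced RFC 6724 source selection using only rule 6 (matching label from the default policy table) and rule 8 (longest matching prefix), plus the perimeter filter the slides demand; the host addresses are constructed from the slide's ULA and Global prefixes.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1 (prefix -> label).  Rule 6 of
# source address selection prefers a source whose label equals the
# destination's; fc00::/7 has its own label, so ULA pairs with ULA.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 0),
    (ipaddress.IPv6Network("::/0"), 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 4),
    (ipaddress.IPv6Network("2002::/16"), 2),
    (ipaddress.IPv6Network("2001::/32"), 5),
    (ipaddress.IPv6Network("fc00::/7"), 13),
    (ipaddress.IPv6Network("::/96"), 3),
    (ipaddress.IPv6Network("fec0::/10"), 11),
    (ipaddress.IPv6Network("3ffe::/16"), 12),
]
ULA = ipaddress.IPv6Network("fc00::/7")


def label_of(addr: ipaddress.IPv6Address) -> int:
    """Label of the longest policy-table prefix that contains addr."""
    best_len, best_label = -1, 1
    for net, label in POLICY_TABLE:
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, label
    return best_label


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    """Leading bits shared by a and b (RFC 6724 rule 8 tiebreak)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, dest: str) -> str:
    """Reduced RFC 6724 selection: rule 6 (matching label), then rule 8
    (longest matching prefix).  Scope, deprecation, home-address, interface
    and temporary-address rules are assumed not to discriminate here."""
    dst = ipaddress.IPv6Address(dest)
    dst_label = label_of(dst)

    def rank(src: str):
        s = ipaddress.IPv6Address(src)
        return (label_of(s) == dst_label, common_prefix_len(s, dst))

    return max(candidates, key=rank)


def perimeter_allows(src: str, dst: str) -> bool:
    """Internet-edge ACL from the slides: drop in both directions when either
    the source or the destination address lies in the ULA range."""
    return ipaddress.IPv6Address(src) not in ULA and ipaddress.IPv6Address(dst) not in ULA


# Constructed dual-addressed host built from the slide's ULA and Global prefixes.
HOST_ADDRESSES = ["fd9c:58ed:7d73:2800::10", "2001:db8:cafe:2800::10"]
```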
Global only: recommended
- Global is used everywhere
- No requirement to have NAT for ULA-to-Global translation; but NAT may be used for other purposes
- Easier management of DHCP, DNS, security, etc.
- Your heartburn comes from the security team: topology hiding
(Diagram: Corp HQ, Branch 1 and Branch 2 across the Corporate Backbone in Global 2001:DB8:CAFE::/48, with 2001:DB8:CAFE:2::/64, 2001:DB8:CAFE:2800::/64 and 2001:DB8:CAFE:3000::/64 at the sites, and the same Global /48 toward the Internet)
64 bits:
- Recommended by RFC 5375 and IAB/IESG
- Consistency makes management easy
- /64 required for SLAAC, SEND and Privacy extensions
Greater than 64 bits:
- Address space conservation
- Special cases: /126 for p2p; /127 for p2p if aware of overlapping addresses (RFC 3627); /128 loopback
- Complicates management
- 64 bits offers more space for hosts than media can support efficiently
- Must avoid overlap with specific addresses: router anycast (RFC 3513), Embedded RP (RFC 3956)
Less than 64 bits:
- Enables more hosts per broadcast domain
- Considered bad practice
- Significant address space loss
- No real justifiable use case for this option
- StateLess Address AutoConfiguration (SLAAC): RA-based assignment (a MUST for Mac)
- Stateful and stateless DHCPv6 server:
  Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
  Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
- DHCPv6 Relay: supported on routers and switches

interface FastEthernet0/1
 description CLIENT LINK
 ipv6 address 2001:DB8:CAFE:11::1/64
 ! do not advertise this prefix in RAs, so hosts do not build SLAAC addresses from it
 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
 ! set the M (managed) flag in RAs so hosts obtain their address via DHCPv6
 ipv6 nd managed-config-flag
 ! relay the clients' DHCPv6 messages to the server on the other subnet
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

(Diagram: IPv6-enabled host, network, DHCPv6 server)
HSRP for v6:
- Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
- Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
GLBP for v6:
- Modification to Neighbor Advertisement and Router Advertisement; the GW is announced via RAs
- Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
(Diagram: HSRP Active and HSRP Standby pair; GLBP AVG+AVF and AVF+SVF pair)
- Dual Stack: recommended enterprise co-existence strategy
- Tunneling services: connect islands of IPv6 or IPv4 (IPv4 over IPv6, IPv6 over IPv4)
- Translation services: connect to the IPv6 community (IPv4 <-> IPv6): business partners, Internet consumers, remote workers, international sites, government agencies
Dual-Stack IPv4/IPv6
- Dual Stack = two protocols running at the same time (IPv4/IPv6)
- #1 requirement: switching / routing platforms must support hardware-based forwarding for IPv6 (3560/3750+, 4500 Sup6E+, 6500 Sup32/720+)
- IPv6 is transparent on L2 switches but consider: L2 multicast (MLD snooping); IPv6 management (Telnet/SSH/HTTP/SNMP); intelligent IP services on WLAN
- Expect to run the same IGPs as with IPv4
(Diagram: dual stack from the Core Layer through the Distribution, Access, DC Aggregation and DC Access layers, all v6-enabled, down to IPv6/IPv4 dual-stack hosts and a dual-stack server behind L2/L3)
Hybrid Model
- Plan B if a Layer 3 device can't support IPv6 but you have to get IPv6 over it
- Offers IPv6 connectivity via multiple options: dual-stack; configured tunnels (L3-to-L3); ISATAP (host-to-L3)
- Leverages the existing network
- Offers a natural progression to a full dual-stack design
- May require tunneling to less-than-optimal layers (i.e. core layer)
- Any sizable deployment will be an operational management challenge
- ISATAP creates a flat network (all hosts on the same tunnel are peers)
- Provides basic HA of ISATAP tunnels via the old Anycast-RP idea
(Diagram: dual-stack Core Layer; Distribution and Access layers NOT v6-enabled, crossed by ISATAP tunnels from the IPv6/IPv4 dual-stack hosts to the core; v6-enabled DC Aggregation and DC Access layers to a dual-stack server behind L2/L3)
IPv6 Service Block: Rapid Deployment/Pilot
- Provides the ability to rapidly deploy IPv6 services without touching the existing network
- Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
- Get lots of operational experience with limited impact on the existing environment
- Ideal for a pilot
- Similar challenges as the Hybrid Model: lots of tunneling
- Configurations are very similar to the Hybrid Model: ISATAP tunnels from PCs in the access layer to the service block switches (instead of the core layer as in Hybrid)
- Internet access: 1) leverage the existing ISP block for both IPv4 and IPv6 access; 2) use a dedicated ISP connection just for IPv6 (can use IOS FW or ASA appliance)
(Diagram: IPv4-only Campus Block (Access, Dist., Core layers) with primary and secondary ISATAP tunnels to the IPv6 Service Block (VLAN 2, VLAN 3); Data Center Block (Agg and Access layers); WAN/ISP Block with options 1 and 2 (IOS FW, dedicated FW) toward the Internet)
Model / Benefit / Challenges
Dual Stack model (DSM). Benefits: no tunnelling required; no dependency on IPv4; superior performance and highest availability for IPv6 unicast and multicast; scalable. Challenges: requires IPv6 HW-enabled campus switching equipment; operational challenges with supporting dual protocols.
Hybrid model (HM). Benefits: most of the existing IPv4-only campus equipment can be used (access and distribution layer); per-user or per-application control for IPv6 service delivery; provides HA for IPv6 access over ISATAP tunnels. Challenges: tunneling is required, with an increase in operation and management; scale factors (number of tunnels, hosts per tunnel); IPv6 multicast is not supported; tunnel termination in the core.
Service block model (SBM). Benefits: highly reduced time to delivery for IPv6-enabled services; requires no changes to the existing campus infrastructure; similar to HM mode. Challenges: new IPv6 HW-capable campus switches are required; all cons from the HM mode.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
The single most overlooked and potentially complicated area of IPv6 deployment.
- Route/switch design will be similar to campus, based on feature, platform and connectivity similarities: Nexus, Cat6500, Cat4900M
- IPv6 for SAN is supported in SAN-OS 3.0
- Stuff people don't think about: NIC teaming, iLO, DRAC, IP KVM, clusters
- Innocent-looking server OS upgrades: Windows Server 2008 and its impact on clusters; Microsoft Server 2008 failover clusters fully support IPv6 (and L3)
- Build an IPv6-only server farm?
Biggest Challenges Today
- Application support for IPv6: know what you don't know. If an application is protocol centric (IPv4): it needs to be rewritten; it needs to be translated until it is replaced; wait and pressure vendors to move to a protocol-agnostic framework
- Deployment of translation: NAT64 (stateful for most enterprises); Apache reverse proxy; Windows port proxy; 3rd-party proxy solutions
- Network services above L3 (a short-term challenge): SLB, SSL offload, application monitoring (probes); application optimization; high-speed security inspection/perimeter protection
(Diagram: three ways to reach an IPv4-only host from the IPv6 Internet: a Server Load Balancer with an IPv6 front and IPv4 back; Stateful NAT64; a proxy (Apache, MSFT PortProxy))
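Added example (not Cisco's code) of the address mapping that a NAT64 or DNS64 performs so an IPv6-only client can reach the IPv4-only host in the diagram: RFC 6052 embeds the IPv4 address into a NAT64 prefix, either the well-known 64:ff9b::/96 or a network-specific one; the code implements the general algorithm for all six permitted prefix lengths, and the values it is checked against are the ones tabulated in RFC 6052.

```python
import ipaddress

# Prefix lengths RFC 6052 section 2.2 permits; bits 64..71 (the "u" octet) stay zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Synthesise the IPv6 address a DNS64/NAT64 hands out for an IPv4 host:
    the 32 IPv4 bits follow the prefix, skipping the u octet at bits 64..71."""
    net = ipaddress.IPv6Network(prefix)
    p = net.prefixlen
    if p not in VALID_PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %s" % (VALID_PREFIX_LENGTHS,))
    base, v4 = int(net.network_address), int(ipaddress.IPv4Address(ipv4))
    if p == 96:
        return ipaddress.IPv6Address(base | v4)
    high_bits = 64 - p                        # IPv4 bits that fit before bit 64
    high = v4 >> (32 - high_bits)             # these land at bits p..63
    low = v4 & ((1 << (32 - high_bits)) - 1)  # the remainder lands from bit 72 on
    return ipaddress.IPv6Address(base | (high << 64) | (low << (24 + high_bits)))


def extract_ipv4(addr: str, prefix: str) -> ipaddress.IPv4Address:
    """Inverse mapping, as the NAT64 applies it on the IPv6-to-IPv4 path."""
    net = ipaddress.IPv6Network(prefix)
    a6 = ipaddress.IPv6Address(addr)
    p = net.prefixlen
    if p not in VALID_PREFIX_LENGTHS or a6 not in net:
        raise ValueError("%s is not a NAT64-synthesised address in %s" % (addr, prefix))
    a = int(a6)
    if p == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    high_bits = 64 - p
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (24 + high_bits)) & ((1 << (32 - high_bits)) - 1)
    return ipaddress.IPv4Address((high << (32 - high_bits)) | low)


if __name__ == "__main__":
    # Constructed: an IPv4-only server reached through the well-known prefix.
    synthesized = embed_ipv4(WELL_KNOWN_PREFIX, "192.0.2.33")
    print(synthesized, "->", extract_ipv4(str(synthesized), WELL_KNOWN_PREFIX))
```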
- Applications on IPv6 have the same vulnerabilities as on IPv4 and require similar mitigations
- Issue with rogue Router Advertisements, usually from 6to4 routers that default on but whose users have no such intention: RA Guard is designed to detect and prevent distribution of their RAs in the switch; Secure Neighbor Discovery is implemented in Catalyst products, not in hosts
- Issue with 6to4 and other prototyping mechanisms for IPv6: relatively high probability of failure or unpredictable operation; 6to4 return path management; turn them off
- Path MTU issues: people often disable ICMPv6, but Path MTU discovery requires it (min. 1280)
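Added example, not Cisco's RA Guard implementation: a small Python checker that applies an RA Guard-style policy (which ports may source RAs, which prefixes are legitimate, 6to4 prefixes flagged) to constructed RA observations, the kind a switch running RA Guard would drop or a monitoring script could alert on; port names, addresses and the policy are all made up for the sample.

```python
import ipaddress
from dataclasses import dataclass

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # prefix used by the 6to4 mechanism


@dataclass(frozen=True)
class RouterAdvertisement:
    port: str              # switch port the RA arrived on
    src_ll: str            # source link-local address of the sender
    prefix: str            # prefix carried in the Prefix Information option
    router_lifetime: int   # seconds; > 0 means the sender offers itself as default router


@dataclass(frozen=True)
class RaGuardPolicy:
    router_ports: frozenset     # ports that face the legitimate routers
    allowed_prefixes: tuple     # prefixes the site actually uses


def classify(ra: RouterAdvertisement, policy: RaGuardPolicy) -> tuple:
    """Reasons an RA Guard-style policy would drop this RA; empty if legitimate."""
    reasons = []
    if ra.port not in policy.router_ports:
        reasons.append("ra-on-host-port")
    adv = ipaddress.IPv6Network(ra.prefix)
    if adv.subnet_of(SIXTO4):
        reasons.append("6to4-prefix")
    if not any(adv.subnet_of(ipaddress.IPv6Network(p)) for p in policy.allowed_prefixes):
        reasons.append("prefix-not-allowed")
    if ra.router_lifetime > 0 and reasons:
        reasons.append("rogue-default-router")   # hosts would adopt it as gateway
    return tuple(reasons)


def audit(ras, policy: RaGuardPolicy) -> list:
    """(port, source, reasons) for every RA the policy would have dropped."""
    return [(ra.port, ra.src_ll, classify(ra, policy)) for ra in ras if classify(ra, policy)]


# Constructed sample: the site's real router plus a host whose OS enabled 6to4
# and now advertises itself as a router, the case described above.
POLICY = RaGuardPolicy(frozenset({"Gi1/0/48"}), ("2001:db8:cafe::/48",))
SAMPLE_RAS = [
    RouterAdvertisement("Gi1/0/48", "fe80::1", "2001:db8:cafe:11::/64", 1800),
    RouterAdvertisement("Gi1/0/7", "fe80::20d:9dff:fe93:a0c3", "2002:c000:204::/64", 1800),
    RouterAdvertisement("Gi1/0/9", "fe80::2", "2001:db8:cafe:11::/64", 0),
]
```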
Highly scalable and feature-rich architecture: LISP (Locator ID Separation Protocol)
- IETF RFC draft
- Code available for ISR, ASR, N7K
- For more info: www.lisp4.net, www.cisco.com/go/lisp
- Use cases: IP address portability; L3 VPN on IP; VM mobility; IPv6 migration
LISP encap/decap
Needs: rapid IPv6 deployment; minimal infrastructure disruption
LISP solution: LISP encapsulation is address-family agnostic; IPv6 segments interconnected over an IPv4 core; IPv4 segments interconnected over an IPv6 core
Benefits: accelerated IPv6 adoption; minimal added configuration; no core network changes; can be used as a transitional or permanent solution; encapsulation != tunnel (no scaling issues)
(Diagram: EID space at the edges, RLOC space in the core)
NEW! Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah, ISBN 0470193387, John Wiley & Sons Publications
CCO IPv6
http://www.cisco.com/ipv6
IPv6 White Papers
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_C11-472610.html
ICMPv6 Packet Types and Codes TechNote
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080113b1c.shtml
Design Guides
http://www.cisco.com/en/US/netsol/ns815/networking_solutions_design_guidances_list.html
Enterprise and SP Deployment Scenarios RFCs:
ISP IPv6 Deployment Scenarios in Broadband Access Networks (RFC 4779)
Scenarios and Analysis for Introducing IPv6 into ISP Networks (RFC 4029)
IPv6 Enterprise Network Scenarios (RFC 4057)
Procedures for Renumbering an IPv6 Network without a Flag Day (RFC 4192)
Thank you.