Jean-Marc Barozet
jmb@cisco.com
IOS Technology Group
April, 2011
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Agenda
• Enterprise Deployment Considerations
• Network and Application Performance
• Conclusion
Enterprise Deployment Considerations
• Planning & Deployment Summary
• Campus Deployment
• Datacenter/Internet Edge Deployment
• Self Deployed WAN
• SP Managed WAN
Planning & Deployment Summary
Start with a Phased Plan Aligned with Your Business Strategy
3. Develop a design that enables IPv6 without disrupting your IPv4 network
4. Test and implement in pilot mode, then extend over time into production
Where to Start
• Based on timeframe/use case
• Core-to-Edge – fewer things to touch
• Edge-to-Core – challenging but doable
• Internet Edge – business continuity
[Figure: enterprise topology – Campus Block (Access and Core layers), DC/Campus Edge (Aggregation, Servers), Internet Edge toward two ISPs, and WAN toward branch sites]
IPv6 Co-existence Strategies
• Dual Stack (IPv4 and IPv6 side by side) – recommended enterprise co-existence strategy
• Tunneling Services – connect islands of IPv6 or IPv4 (IPv6 over IPv4, IPv4 over IPv6)
• Translation Services – connect to the IPv6 community: business partners, government agencies, international sites, remote workers, IPv4 Internet consumers
[Figure: service-provider access models – Carrier Grade NAT (IPv4 core, NAT44 between CE and the IPv4 Internet); IPv6 Rapid Deployment (6rd or L2TP carrying IPv6 over the IPv4 access network toward a dual-stack core); native IPv6-only access network (4rd or DS-Lite carrying IPv4 over IPv6 for IPv6-only subscribers); dual-stack core with PE/CE routers reaching both the IPv4 and the IPv6 Internet]
Dual-Stack IPv4/IPv6
• Dual Stack = two protocols running at the same time (IPv4/IPv6)
• #1 requirement: switching/routing platforms must support hardware-based L2/L3 forwarding for IPv6 (e.g. Catalyst 3560/3750, 4500 Sup6E, 6500 Sup32/720)
• IPv6 is transparent on L2 switches, but consider:
  L2 multicast – MLD snooping
  IPv6 management – Telnet/SSH/HTTP/SNMP; apply the same management-plane protection as for IPv4 (an IPv4-only VTY access-class leaves the device reachable over IPv6 until an ipv6 access-class is added)
  Intelligent IP services on WLAN
[Figure: campus with IPv6/IPv4 dual-stack hosts, v6-enabled Access, Distribution and Core layers, v6-enabled DC Aggregation layer and dual-stack servers]
Hybrid Model
• Plan "B" if a Layer 3 device can't support IPv6 but you have to get IPv6 over it
• Offers IPv6 connectivity via multiple options:
  Dual-stack L2/L3
  Configured tunnels – L3-to-L3
  ISATAP – host-to-L3
• Leverages the existing network (i.e. core layer)
• Any sizable deployment will be an operational management challenge
• ISATAP creates a flat network (all hosts on the same tunnel are peers); IPv4 ACLs and inspection along the path see only protocol 41 encapsulation, not the inner IPv6 traffic, so IPv6 policy has to be enforced at the tunnel endpoints
• Provides basic HA of ISATAP tunnels via the old Anycast-RP idea
[Figure: IPv6/IPv4 dual-stack hosts in the Access layer; Distribution layer NOT v6-enabled; ISATAP tunnels from hosts terminate on the v6-enabled Core layer; v6-enabled DC Aggregation and Access layers with dual-stack servers]
IPv6 Service Block – Rapid Deployment/Pilot
• Provides the ability to rapidly deploy IPv6 services without touching the existing network
• Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
• Get lots of operational experience with limited impact to the existing environment – ideal for a pilot
• Similar challenges as the Hybrid Model – lots of tunneling
• Configurations are very similar to the Hybrid Model: ISATAP tunnels from PCs in the access layer to the service block switches (instead of the core layer as in the Hybrid Model)
• Internet access options:
  1) Leverage the existing ISP block for both IPv4 and IPv6 access
  2) Use a dedicated ISP connection just for IPv6 – can use IOS FW or a PIX/ASA appliance
[Figure: IPv4-only campus (Access, Distribution, Core and Aggregation layers, VLAN 2/3, wireless controller) with a separate IPv6 Service Block behind a dedicated firewall or IOS FW toward the Internet; ISATAP tunnels from access-layer PCs terminate on the service block]
Datacenter/Internet Edge Deployment
• Route/switch design will be similar to campus based on feature, platform and connectivity similarities – Nexus, 6500, 4900M
Biggest Challenges Today
• Application support for IPv6 – know what you don't know
  If an application is protocol centric (IPv4):
    Needs to be rewritten
    Needs to be translated until it is replaced
    Wait and pressure vendors to move to a protocol-agnostic framework
• Deployment of translation
  NAT64 (stateful for most enterprises)
  Apache reverse proxy
  Windows PortProxy
  3rd-party proxy solutions
Operating Systems, Virtualization & Applications
Internet Presence: Dual-Stacking or Translation
[Figure: IPv6-only end user behind an IPv6 ISP reaching IPv4 hosting/CDN content behind an IPv4 ISP, with 6-to-4 and 4-to-6 translation in the path]
An enterprise with a critical Internet presence must perform its own dual-stacking or translation. Short term there is not much IPv6 traffic (so load balancing is not as critical for v6), but longer term full SLB 4<->6 or 6<->6 will be necessary. 60% moving to v6 by 2012…
Translation options at the Internet edge: Server Load Balancer, Stateful NAT64, Proxy
NAT64
• Two flavors – Stateless and Stateful
  Stateless: draft-ietf-behave-v6v4-xlate-xx (and others associated with that draft), published as RFC 6145; the IPv4-embedded IPv6 address format is RFC 6052
  Stateful: draft-ietf-behave-v6v4-xlate-stateful-xx, published as RFC 6146
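Both NAT64 flavors rely on the RFC 6052 address format: the IPv4 address of the far end is embedded in an IPv6 prefix (Pref64::/n) and the translator recovers it on the way out. The following is an added example, not code from the deck, showing the synthesis and extraction for every allowed prefix length, including the non-obvious split around the zero "u" octet (bits 64-71) for prefixes shorter than /96. The well-known prefix 64:ff9b::/96 is real; the network-specific prefixes such as 2001:db8:ff00::/40 and the address 198.51.100.10 are illustrative.

```python
"""RFC 6052 address synthesis/extraction as used by NAT64 (stateless and stateful).

Added example for this section, not code from the deck. Assumes the
well-known prefix 64:ff9b::/96 plus hypothetical network-specific
prefixes (2001:db8:ff00::/40 etc.) for illustration.
"""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# RFC 6052 section 2.2 allows exactly these Pref64::/n lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _net(prefix):
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a Pref64::/n prefix (RFC 6052 section 2.2).

    For n < 96 the 32 IPv4 bits are split around bits 64-71, which must
    stay zero (the "u" octet): the first 64-n bits sit right after the
    prefix, the remaining n-32 bits start at bit 72, the rest is zero.
    """
    prefix = _net(prefix)
    n = prefix.prefixlen
    if n not in VALID_PREFIX_LENGTHS:
        raise ValueError("unsupported Pref64 length /%d" % n)
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(prefix.network_address)
    if n == 96:
        return ipaddress.IPv6Address(base | v4)
    high_bits = 64 - n                      # IPv4 bits placed before the u octet
    low_bits = 32 - high_bits               # IPv4 bits placed after it (from bit 72)
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    return ipaddress.IPv6Address(base | (high << 64) | (low << (88 - n)))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address; raises ValueError if not in prefix."""
    prefix = _net(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("%s is not inside %s" % (addr, prefix))
    n = prefix.prefixlen
    v = int(addr)
    if n == 96:
        return ipaddress.IPv4Address(v & 0xFFFFFFFF)
    if (v >> 56) & 0xFF:
        raise ValueError("u octet (bits 64-71) must be zero")
    high_bits = 64 - n
    low_bits = 32 - high_bits
    high = (v >> 64) & ((1 << high_bits) - 1)
    low = (v >> (88 - n)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


def is_synthesized(ipv6, prefixes=(WELL_KNOWN_PREFIX,)):
    """True when the address is IPv4-embedded for one of our Pref64 prefixes.

    Useful on the IPv6 side of a NAT64: an IPv6 ACL that only lists native
    prefixes otherwise lets any IPv4 destination through the translator.
    """
    addr = ipaddress.IPv6Address(ipv6)
    return any(addr in _net(p) for p in prefixes)


def roundtrip_all_lengths(ipv4):
    """Synthesize and extract with one example prefix per allowed length."""
    examples = ("2001:db8::/32", "2001:db8:ff00::/40", "2001:db8:ffff::/48",
                "2001:db8:ffff:ff00::/56", "2001:db8:ffff:ffff::/64", "64:ff9b::/96")
    return all(str(extract(synthesize(ipv4, p), p)) == ipv4 for p in examples)


if __name__ == "__main__":
    print(synthesize("198.51.100.10"))                       # 64:ff9b::c633:640a
    print(synthesize("198.51.100.10", "2001:db8:ff00::/40"))  # 2001:db8:ffc6:3364:a::
    print(extract("64:ff9b::c633:640a"))                     # 198.51.100.10
```

The /40 result shows why a bit-slice approach is needed rather than simple concatenation: the last octet of the IPv4 address lands after the zero u octet, so a naive ACL or log parser that looks for the IPv4 address as a contiguous 32-bit field will miss it.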
NAT64 Service Using ASR1000
• Stateless: available
• Stateful: future
[Figure: IPv6 subscribers (XX millions of IPv6 3G & 4G smartphones by 2014, via GGSN) across the provider IP NGN; NAT64 on ASR1000 toward the IPv4 Internet and private NAT44 for IPv4; enterprise datacenters; IPv6 moves out to subscribers]
IPv6/IPv4 Service Using ACE Appliance/Module
• Future
[Figure: same subscriber / provider IP NGN / Internet topology as the NAT64 service figure, with ACE providing the IPv6/IPv4 service in front of the enterprise datacenters]
ACE IPv6 Load Balancing – Concept
At a concept level: enable customers to load balance IPv6 client traffic to HTTP/S services that are resolved to IPv6 addresses.
1. IPv4-to-IPv4 functionality through ACE
2. IPv6-to-IPv6 through ACE
3. Enable load balancing of IPv6 servers with:
   i. Sticky
   ii. ACLs
   iii. Health checks
Management interfaces: CLI on module/appliance; DM for ACE 4710; ANM for ACE-30 and ACE-4710
A dual-stack approach to IPv6 enables ACE to support all deployment models (NAT, Bridge Mode) with minimal loss of performance for IPv4 traffic.
• IPv6 on ACE (Earth Release) – Q4/CY11
• No IPv6 management
[Figure: ACE front-ending a v4 server farm and a v6 server farm]
GSS (Global Site Selector) IPv6 Support
• Program execution committed: March 2011
• SW version: 4.1
• FCS: 4QCY2011
• AAAA support (DNS record for IPv6)
• IPv6 proximity & sticky
• KAL (keepalives) toward the SLB
[Figure: user resolving a name through GSS over the network to the SLB at Datacenter B, 2001:0DB8:AC10:FE01::]
Apache Reverse Proxy – One-Arm or Dual-Attached
The IPv6 client (2001:db8:beef:10::16) connects to the proxy's IPv6 address (2001:db8:cafe:12::5). Apache terminates the IPv6 TCP sessions and opens IPv4 sessions from its own address (10.121.11.125) to the server (10.121.11.60). The proxy can be one-arm (a single interface) or dual-attached (separate outside and inside interfaces).

Netstat - Client (2001:db8:beef:10::16)
  TCP [2001:db8:beef:10::16]:54640 [2001:db8:cafe:12::5]:80 ESTABLISHED
  TCP [2001:db8:beef:10::16]:54641 [2001:db8:cafe:12::5]:80 ESTABLISHED

Netstat - Proxy (2001:db8:cafe:12::5 / 10.121.11.125)
  Proto Recv-Q Send-Q Local Address Foreign Address State
  tcp 0 0 10.121.11.125:40475 10.121.11.60:80 ESTABLISHED
  tcp 0 0 10.121.11.125:40476 10.121.11.60:80 ESTABLISHED
  tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54640 ESTABLISHED
  tcp6 0 0 2001:db8:cafe:12::5:80 2001:db8:beef:10::16:54641 ESTABLISHED

Netstat - Server (10.121.11.60)
  TCP 10.121.11.60:80 10.121.11.125:40475 ESTABLISHED
  TCP 10.121.11.60:80 10.121.11.125:40476 ESTABLISHED

Apache configuration (mod_proxy and mod_proxy_http must be loaded):
  <VirtualHost *:80>
      ProxyRequests Off   # reverse proxy only; forward proxying stays off on an Internet-facing listener
      ProxyPass / http://10.121.11.60:80/
      ProxyPassReverse / http://10.121.11.60:80/
  </VirtualHost>

Note that the server sees every connection coming from 10.121.11.125: its logs and any source-based ACLs lose the IPv6 client identity, which mod_proxy_http passes along only in the X-Forwarded-For header.
Windows PortProxy
• Can be treated like an appliance
• One-arm (2001:db8:cafe:12::25) or dual-attached (10.121.12.25 toward the servers; better performance)
• Outside traffic comes in on IPv6 – PortProxy forwards it to v4 (the VIP address on ACE, VIP=10.121.5.20)
• Traffic is IPv4 to the server
[Figure: IPv6 clients → PortProxy host (one-arm or dual-attached) → ACE VIP 10.121.5.20 → IPv4 servers]
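What PortProxy (and, at the HTTP layer, the Apache reverse proxy above) does is a TCP relay: accept on IPv6, open a fresh IPv4 connection, copy bytes both ways. The following added example, not code from the deck, implements that relay and runs it end to end on loopback: a constructed IPv4 echo server on 127.0.0.1 stands in for the 10.121.x.x server, and the relay listens on ::1 in place of the 2001:db8:cafe:12::25 VIP. It returns what the backend saw as its peer, which is the relay and never the IPv6 client, exactly what the server-side netstat in the previous slide shows.

```python
"""IPv6-front / IPv4-back TCP relay, the job Windows PortProxy
(netsh interface portproxy add v6tov4) or a one-arm proxy does.

Added example, not from the deck; loopback only. A constructed IPv4 echo
server on 127.0.0.1 stands in for the 10.121.x.x server and the relay
listens on ::1 in place of the 2001:db8:cafe:12::25 VIP.
"""
import socket
import threading


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_v6_to_v4_relay(listen_addr, backend):
    """Listen on an IPv6 address; splice the first client to the IPv4 backend.

    Like PortProxy this is a pure TCP relay: the backend sees a new IPv4
    connection from the relay's own address and learns nothing about the
    IPv6 client (no X-Forwarded-For, unlike an HTTP reverse proxy).
    Returns the ephemeral listening port.
    """
    lsock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_addr, 0))
    lsock.listen(1)

    def serve():
        client, _ = lsock.accept()
        lsock.close()
        upstream = socket.create_connection(backend)   # IPv4 leg to the server
        back = threading.Thread(target=pump, args=(upstream, client))
        back.start()
        pump(client, upstream)
        back.join()
        client.close()
        upstream.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def start_ipv4_echo_backend(seen):
    """Constructed stand-in for the IPv4-only server: records the peer it saw
    and echoes the request back once the client half-closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()
        srv.close()
        seen["peer"] = peer[0]             # the relay's address, never the IPv6 client
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        conn.sendall(b"echo:" + data)
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def run_demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Return (reply, backend_peer), or None when IPv6 loopback is unavailable."""
    seen = {}
    try:
        backend = start_ipv4_echo_backend(seen)
        port = start_v6_to_v4_relay("::1", backend)
    except OSError:
        return None                        # e.g. a container with IPv6 disabled
    client = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    client.settimeout(5)
    client.connect(("::1", port))
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)        # tell the far end we are done sending
    reply = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    return reply, seen["peer"]


if __name__ == "__main__":
    print(run_demo())   # (b'echo:GET / HTTP/1.0\r\n\r\n', '127.0.0.1') or None
```

The half-close handling in pump() is what makes request/response protocols work through a relay: each direction is shut down independently so the backend can read to EOF and still send its reply.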
Internet Edge Connectivity – Boatloads of Options
• Single link, single ISP – default route (IPv6 from ISP 1)
• Dual links, single ISP – POP1 and POP2, BGP
• Multi-homed, multi-region – ISP 1 and ISP 2 (USA), ISP 3 and ISP 4 (Europe), BGP
• Your ISP may not have IPv6 at the local POP – an IPv4-only link then needs a tunnel to carry IPv6
Self Deployed WAN
Self Deployed WAN Topologies
[Figure: non-redundant links; redundant links; redundant links & routers across the WAN]
6VPE: IPv6 VPN over an IPv4 MPLS Core
[Figure: CE1 (2001:db8:beef:1::/64, 10.1.1.0/24) – 6VPE1 – IPv4 MPLS core with P routers (200.10.10.1, 200.11.11.1) – 6VPE2 – CE2 (2001:db8:beef:2::/64, 10.1.2.0/24); CE–PE links 172.16.1.0/30 with 2001:db8:cafe:1::/64 and 172.16.3.0/30 with 2001:db8:cafe:3::/64; IPv4 and IPv6 routes share the same VRF; across the core each IPv6 packet carries a VPN label and an LDP label, so the P routers stay IPv4/MPLS-only]
LISP for IPv6 over an IPv4 SP Infrastructure
[Figure: SP LISP infrastructure with Map Resolver (MR) and Map Server (MS); IPv6 sites behind managed CE routers acting as ITR/ETR, LISP-encapsulated across the IPv4 Internet]
• LISP is an alternative for connecting islands of IPv6 network over an IPv4 network infrastructure
• No change to the existing IPv4-based access infrastructure; allows IPv6 to be transported over the existing IPv4 architecture (broadband, cable, mobile …)
• Service components:
  Managed CE router at the customer premises, performing the ITR/ETR function
  SP infrastructure component: hosted Map Resolver and Map Servers
Connecting IPv6 Islands with LISP
Needs:
• Rapid IPv6 deployment
• Minimal infrastructure disruption
• No core network changes
• v6 site access
• Can be used as a transitional or permanent solution
[Figure: IPv4 enterprise core with v6 islands behind xTRs; PxTRs at the IPv4 Internet edge toward the IPv6 Internet; v6 home networks behind xTRs reached over the IPv4 Internet]
Remote Access
• AnyConnect 3.x for PC, Mac and mobile clients
• Client-based SSL and client-based IPsec across the Internet to ASA 8.3
SP Managed WAN
SP Managed WAN Topologies
[Figure: non-redundant links, redundant links, and redundant links & routers over an MPLS WAN, an MPLS + Internet WAN, or an Internet WAN]
[Figure: SP managed WAN services – Customer A and Customer B sites (VPN A, VPN B) attached via PEs to an MPLS-VPN service over an MPLS IPv4 core, with MPLS pseudowire or VPLS; remote users/telecommuters on cable/DSL/WiFi/3G reach an aggregator PE at the ISP head office over the IPv4 Internet with IPsec/SSL (AnyConnect 3.x)]
DMVPN for IPv6
• Using tunnel interfaces only (ASWAN with crypto maps is not used anymore)
  Multipoint GRE (mGRE) tunnels – a single mGRE interface supports all spokes (many logical tunnels)
  Next Hop Resolution Protocol (NHRP) – resolves the private IPv6 tunnel address to the public IPv4 NBMA address
  IP Security (IPsec) – optional encryption on the mGRE tunnel; without it the IPv6 traffic crosses the IPv4 transport in cleartext
• Future:
  IPv6 over IPv6 transport with Windows client and PI15
  All IPv6 over IPv4 with FlexVPN in PI18 – beginning 2012
Application Performance Monitoring for IPv6 – NetFlow
• Application performance monitoring is a great differentiator for IPv6
• IPv6 support added as part of Flexible NetFlow (metering) and NetFlow v9 (exporting) to monitor the IPv6 traffic
• Export is over an IPv4 transport (typically UDP with no authentication, so keep the exporter-to-collector path inside the management network)
• Exporting: NetFlow version 9
  Advantages: extensibility
  Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
  Integrate new aggregations quicker
  Note: for now, the template definitions are fixed
• Metering: Flexible NetFlow
  Advantages: cache and export content flexibility
  User selection of flow keys
  User definition of the records
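NetFlow v9's extensibility comes from templates: the exporter describes its record layout in a template flowset and then sends data flowsets that only make sense to a collector holding that template. The following added example, not code from the deck, builds a constructed v9 export packet with IPv6 source/destination fields (types 27 and 28, RFC 3954) and decodes it; the addresses and byte counts are illustrative. It also shows the operational trap the template model creates: data that arrives before its template (or at a collector that restarted between refreshes) cannot be decoded and has to be dropped, and because the UDP export is unauthenticated a spoofed template would redefine how the collector parses genuine records.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder for IPv6 flow records.

Added example for this section, not code from the deck. The packet below is
constructed here: one template flowset and one data flowset carrying two
IPv6 flows, the way a Flexible NetFlow exporter would send them.
"""
import struct
import ipaddress

# Field types from RFC 3954 section 8 that the sample template uses
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 11: "L4_DST_PORT",
               27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR"}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id


def build_sample_packet(include_template=True):
    """Constructed export packet; include_template=False mimics a collector
    that started listening between two template refreshes."""
    fields = [(27, 16), (28, 16), (4, 1), (11, 2), (1, 4)]
    template = struct.pack("!HH", 256, len(fields))
    for ftype, flen in fields:
        template += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def record(src, dst, proto, port, nbytes):
        return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
                + struct.pack("!BHI", proto, port, nbytes))

    records = (record("2001:db8:beef:10::16", "2001:db8:cafe:12::5", 6, 80, 1933)
               + record("2001:db8:beef:10::16", "2001:db8:cafe:12::53", 17, 53, 210))
    pad = (-len(records)) % 4                         # flowsets are padded to 32 bits
    data_fs = struct.pack("!HH", 256, 4 + len(records) + pad) + records + b"\0" * pad
    count = (1 if include_template else 0) + 2        # header count = records in packet
    header = HEADER.pack(9, count, 123456, 1303000000, 1, 0)
    return header + (template_fs if include_template else b"") + data_fs


def decode_field(ftype, raw):
    if ftype in (27, 28):
        return str(ipaddress.IPv6Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Decode one export packet into a list of flow dicts.

    `templates` is the collector's cache keyed by (source_id, template_id);
    pass the same dict for every packet from an exporter, because templates
    arrive only periodically and data flowsets whose template is unknown
    cannot be decoded and are skipped.
    """
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, offset = [], HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                 # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                spec = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = spec
        elif fs_id >= 256:                             # data flowset
            spec = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in spec) if spec else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                rec = {}
                for ftype, flen in spec:
                    rec[FIELD_NAMES.get(ftype, "type_%d" % ftype)] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                flows.append(rec)
        # fs_id 1 (options template) and 2-255 (reserved) are ignored here
        offset += fs_len
    return flows


if __name__ == "__main__":
    for flow in parse_v9(build_sample_packet()):
        print(flow)
```

A real collector keeps the template cache per exporter address as well as per source_id, and expires entries when the exporter's template refresh (the "Updates sent" timer in Flexible NetFlow) stops arriving.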
NetFlow Support by Platform (TNF: Traditional NetFlow; FNF: Flexible NetFlow)

Enterprise & aggregation/edge (Cisco IOS Software Release 12.2S / 12.0S)
  Cisco 7x00 Series                          TNF, FNF
  ASR1000 (QFP based)                        TNF, FNF
  Cisco 4500 Sup7                            FNF
  Cisco 4500 <= Sup5                         no FNF support (hardware limitation)
  Catalyst 6K / 7600 Series < Sup2T          no FNF support (hardware limitation)
  Catalyst 6K Sup2T                          FNF

Core (IOS-XR)
  Cisco 12000, ASR9000, CRS-1                FNF

Access (Cisco IOS Software)
  Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900, 7200/7300 Series   TNF, FNF
  ASR1000 (QFP based)                        TNF, FNF
  Catalyst 29xx, Catalyst 3750               no FNF support (hardware limitation)
  Catalyst 3750X, Next Gen Cat3K             FNF

DataCenter
  Cat 6K Sup2T, Nexus 7000, Nexus 1000V      FNF
[Figure: one Flexible NetFlow record consumed by Routing, WAAS Express, PfR and MediaNet PerfMon]
NBAR2 – Next Generation DPI Engine
• SCE classification: 1200+ signatures, advanced classification techniques
• IOS NBAR: 150+ signatures
• NBAR2 innovations: classification of native IPv6 traffic; classification of nested IPv6 traffic; open API for 3rd-party integration
• Next generation DPI engine for Cisco platforms that will provide advanced application classification and field extraction capabilities
• Common Protocol Library across platforms: platform-independent signatures, combining the NBAR and SCE protocol libraries (1200+)
NBAR2 and IPv6
• NBAR2 allows network managers to detect native IPv6 traffic as well as IPv6 traffic encapsulated in IPv4 in their network, in order to apply QoS policies and to enable advanced IPv6 reporting
• NBAR2 can detect IPv6-in-IPv4 traffic
  Support for ISATAP, 6to4, Teredo and generic IPv6 in IPv4
  Supported on ISR-G2 (15.1(4)M) and ASR1K (IOS XE 3.3.0S)
• This matters for security as much as for QoS: tunneled IPv6 that is not classified passes IPv4-only firewall and IPS policy as opaque protocol 41 or UDP/3544 (Teredo) traffic
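The same transition mechanisms show up in two places on this page: the Hybrid Model relies on ISATAP to reach hosts behind non-v6 Layer 3 devices, and NBAR2 has to recognise ISATAP, 6to4 and Teredo when they cross the network inside IPv4. The following added example, not code from the deck, does the address-level equivalent of that recognition: it builds ISATAP addresses for a host from its IPv4 tunnel endpoint (RFC 5214) and classifies IPv6 addresses seen in logs or NetFlow records as 6to4 (RFC 3056), Teredo (RFC 4380), ISATAP or native, extracting the embedded IPv4 endpoints. NBAR2 works on the encapsulation on the wire; this works on addresses after the fact. The prefix 2001:db8:cafe:10::/64 and host 10.121.11.60 are illustrative; the Teredo address is a published example from RFC 4380 discussions.

```python
"""Recognise IPv6-in-IPv4 transition addresses (ISATAP, 6to4, Teredo) and
build ISATAP addresses for hybrid-model hosts.

Added example for the Hybrid Model and NBAR2 sections, not code from the
deck. Prefix 2001:db8:cafe:10::/64 and host 10.121.11.60 are illustrative.
"""
import ipaddress

ISATAP_MARK = 0x00005EFE       # upper 32 bits of the ISATAP interface ID (RFC 5214)
ISATAP_U_BIT = 0x02000000      # set when the embedded IPv4 address is globally unique
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")     # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")          # RFC 4380


def _v4(n):
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def isatap_interface_id(ipv4, globally_unique=False):
    mark = ISATAP_MARK | (ISATAP_U_BIT if globally_unique else 0)
    return (mark << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix, ipv4, globally_unique=False):
    """ISATAP address of a host whose IPv4 tunnel endpoint is `ipv4` in a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | isatap_interface_id(ipv4, globally_unique))


def isatap_link_local(ipv4, globally_unique=False):
    return isatap_address("fe80::/64", ipv4, globally_unique)


def classify(address):
    """Return the tunnel type and the IPv4 endpoint(s) embedded in an IPv6 address."""
    addr = ipaddress.IPv6Address(address)
    v = int(addr)
    if addr in TEREDO:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xffff>:<client v4 ^ 0xffffffff>
        return {"kind": "teredo",
                "server": _v4(v >> 64),
                "client": _v4((v & 0xFFFFFFFF) ^ 0xFFFFFFFF),
                "port": ((v >> 32) & 0xFFFF) ^ 0xFFFF}
    if addr in SIX_TO_FOUR:
        return {"kind": "6to4", "ipv4": _v4(v >> 80)}   # 2002:<v4 high>:<v4 low>::/48
    iid = v & 0xFFFFFFFFFFFFFFFF
    if ((iid >> 32) & 0xFDFFFFFF) == ISATAP_MARK:        # ignore the u bit
        return {"kind": "isatap", "ipv4": _v4(iid)}
    return {"kind": "native"}


def tunnel_endpoints(addresses):
    """Summarise which IPv4 hosts carry IPv6 inside IPv4 in a batch of addresses
    (e.g. the IPV6_SRC_ADDR column of a Flexible NetFlow export)."""
    found = {}
    for a in addresses:
        info = classify(a)
        if info["kind"] == "native":
            continue
        for key in ("ipv4", "client", "server"):
            if key in info:
                found.setdefault(info["kind"], set()).add(info[key])
    return found


if __name__ == "__main__":
    print(isatap_address("2001:db8:cafe:10::/64", "10.121.11.60"))   # 2001:db8:cafe:10:0:5efe:a79:b3c
    print(isatap_link_local("10.121.11.60"))                          # fe80::5efe:a79:b3c
    for a in ("2002:c633:640a::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "fe80::200:5efe:c633:640a", "2001:db8:cafe:12::5"):
        print(a, classify(a))
```

Teredo stores the client's IPv4 address and UDP port XOR-ed with all ones, so a plain substring search for the IPv4 address in the IPv6 address never matches; the decode above is the only way to tie a Teredo flow back to the host that originated it.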
[Figure: ISATAP – IPv6 packets receive an IPv4 header at the ISATAP router/CE, cross the IPv4 backbone network (PE and P routers) encapsulated as IPv6 in IPv4, and are decapsulated back to native IPv6 on the far IPv6 network where www.mycompany.com resides]
[Figure: NAT64 – an IPv6 packet from the IPv6 network is translated by the NAT64 router into an IPv4 packet on the IPv4 network toward www.mycompany.com]

Flexible NetFlow record with NBAR2 application classification of native IPv6 traffic (output from the deck):
  Flows added: 7
  Updates sent (1800 secs) 1
  IPV6 SOURCE ADDRESS                      IPV6 DESTINATION ADDRESS                 APPLICATION NAME  counter bytes long
  2A01:E35:8ABF:9510:FA1E:DFFF:FEE1:E789   2A01:E35:8ABF:9510:222:55FF:FEE6:BA98    http              1933
[Figure: WAAS deployment – branch offices with WAAS on SRE or WAAS Express, WAN appliances, data center WAAS, connected over the WAN and Internet VPN]
NAM Traffic Analyzer – integrated management & reporting console
IPv6 Discovery Service
Guidance in the early stages of considering a transition to IPv6
IPv6 Support Community
• Free for anyone with Cisco.com registration
• New/Updated IPv6 Cisco Sites
  http://www.cisco.com/ipv6
  http://www.cisco.com/go/ipv6
• Deploying IPv6 in Campus Networks (just updated):
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
• Deploying IPv6 in Branch Networks (just updated):
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html
• SRND: Deploying IPv6 in Unified Communications Networks
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/ipv6/ipv6srnd.html
• DNS and BIND, 5th Edition, by Cricket Liu and Paul Albitz, O'Reilly Media, May 2006
• RFC 3596: DNS Extensions to Support IP Version 6, by S. Thomson, C. Huitema, V. Ksinant and M. Souissi, October 2003 (obsoletes RFC 3152 and RFC 1886; status: Draft Standard)