Enterprise IPv6 Deployment

Session ID-BRKRST-2301

Reference Materials
• New/Updated IPv6 Cisco Sites: http://www.cisco.com/go/ipv6 and http://www.cisco.com/go/entipv6
• Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
• Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html

BRKRST-2301 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Recommended Reading
• Deploying IPv6 in Broadband Networks, Adeel Ahmed and Salman Asadullah, ISBN 0470193387, John Wiley & Sons Publications. Available now!

Agenda
• IPv6 Activity in the Enterprise
• Planning and Deployment Summary
• IPv6 Address Considerations
• General Network Considerations
• Infrastructure Deployment
  - Campus/Data Center
  - WAN/Branch
  - Remote Access
• Communicating with the Service Providers
• Appendix (for reference only)

IPv6 Activity in the Enterprise

Dramatic Increase in Enterprise Activity: Why?
External Pressure
• Growth/Protection: enterprise that is or will be expanding into new markets; address exhaustion
• Partnership: enterprise that partners with other companies/organizations doing IPv6; governments, enterprise partners, contractors
Internal Pressure
• OS/Apps: Microsoft Windows 7, Server 2008; Microsoft DirectAccess
• Fixing Old Problems: Mergers & Acquisitions; NAT overlap
• New Technologies: high-density virtual machine environments (server virtualization, VDI); SmartGrid

IANA/RIR IPv4 Exhaustion
[Chart: Estimated Registry Exhaustion Dates, probability (%) against time from Jan 2011 to Jul 2015, one curve each for IANA, APNIC, RIPE NCC, ARIN, LACNIC and AFRINIC. Source: Geoff Huston, APNIC.]
We already know this is too conservative: APNIC went into "Stage 3" mid-April 2011.

Innocent W2K3-to-W2K8 Upgrade
Windows 2003:
C:\>ping svr-01
Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data:
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Upgraded host to Windows 2008:
C:\>ping svr-01
Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Packet capture of the name lookup:
No.   Time        Source                     Destination  Protocol  Info
3969  244.938775  fe80::c4e2:f21d:d2b3:8463  ff02::1:3    UDP       Source port: 63828  Destination port: llmnr
3970  244.938958  10.121.12.25               224.0.0.252  UDP       Source port: 53753  Destination port: llmnr
• Can happen if the circumstances are right
• http://technet.microsoft.com/en-us/library/bb878128.aspx

Mergers & Acquisitions
• Unique blend of technical and business problems
• Colliding RFC1918 space
• Common options:
  - If you don't collide, then leave as-is until renumbering is complete
  - NAT overlap pools (into non-colliding space) until renumbering is complete
  - IPv6 as an overlay network
  - IPv6 added as a native protocol (dual stack)
• This is a growing issue, and IPv6 ends up being a perfect tool for resolving the technical issues

NAT Overlap + IPv6 Overlay Network
[Diagram: Corp HQ, Sub-Company 1 and Sub-Company 2 all use 10.0.0.0 address space across a Corporate Backbone; servers 10.0.0.3 at Corp HQ (2001:DB8:1:2::3), 10.0.0.3 at Sub-Company 1 (2001:DB8:1:1::3) and 10.0.0.21 at Sub-Company 2 (2001:DB8:1:3::21). IPv4 static NAT entries for each server, times how many?? IPv6 enables the network to provide access to services between sites.]
• Build an overlay network to encapsulate IPv6 over IPv4
• IPv6 is deployed only at those sites and for specific hosts that need end-to-end routability between entities
• Can be very operationally difficult to maintain in large environments
• May be a show stopper if you have to get a lot of tunnels past a bunch of IPv4 NAT

Partial Overlay + Partial Dual Stack
[Diagram: the same three sites on 10.0.0.0 address space; Corp HQ (2001:DB8:1:2::3) and Sub-Company 1 (2001:DB8:1:1::7) are dual stack with the Corporate Backbone, Sub-Company 2 (2001:DB8:1:3::21) is still reached over the overlay.]
• Combine overlay network with dual stack
• Build as much dual stack as you can; tunnel only when you have to
• You won't want to keep this up forever; the goal is dual stack to all places that need end-to-end connectivity between sites/orgs

Dual Stack Everywhere
[Diagram: Corp HQ, Sub-Company 1 and Sub-Company 2 (each on 10.0.0.0 address space) and the Corporate Backbone are all dual stack.]
• Dual stack everywhere; there is nothing else to say :-)
• We will discuss the deployment of dual stack and other end-to-end considerations for the rest of this talk

Planning and Deployment Summary

Enterprise Adoption Spectrum
Preliminary Research
• Is it real?
• Do I need to deploy everywhere?
• Equipment status?
• SP support?
• Addressing
• What does it cost?
Pilot/Early Deployment
• Mostly or completely past the "why?" phase
• Assessment (e2e)
• Weeding out vendors (features and $)
• Focus on training and filling gaps
Production/Looking for parity and beyond
• Still fighting vendors
• Content and wide-scale app deployment
• Review operational cost of 2 stacks
• Competitive/strategic advantages of new environment

Cisco IPv6 Deployment: A Lifecycle Approach
• Prepare: coordinated planning and strategy; make sound financial decisions
• Plan: assess readiness; can your network support the proposed system?
• Design: design the solution; products, service, support aligned to requirements
• Implement: implement the solution; integrate without disruption or causing vulnerability
• Operate: maintain network health; manage, resolve, repair, replace
• Optimize: operational excellence; adapt to changing business requirements

IPv6 Integration Outline
Pre-Deployment Phases
• Establish the network starting point
• Importance of a network assessment and available tools
• Build a pilot or lab environment
• Obtain addressing or use ULA or documentation prefix (in lab)
• Learn the basics (DNS, address assignment)
Deployment Phases
• Transport considerations for integration
• Internet Edge (ISP, routing changes, Apps)
• Campus IPv6 integration options
• Data Center integration options
• WAN IPv6 integration options
• Execute on gaps found in assessment

Where do I start?
• Based on timeframe/use case
• Core-to-Edge: fewer things to touch
• Edge-to-Core: challenging but doable
• Internet Edge: business continuity
[Diagram: Campus Block (campus, DC/Campus Core, DC Aggregation, DC Access, servers), Internet Edge with two ISPs, WAN and Branch sites.]

IPv6 Address Considerations (http://bit.ly/IPv6addrplan)

IPv6 Addresses
• IPv6 addresses are 128 bits long
  - Segmented into 8 groups of four hex characters
  - Separated by a colon (:)
• Global unicast identifier example:
  - Network portion = global routing prefix (gggg:gggg:gggg, n <= 48 bits) + subnet ID (ssss, 64 - n bits)
  - Interface ID (host) = xxxx:xxxx:xxxx:xxxx
• Full format:        2001:0000:0000:00A1:0000:0000:0000:1E2A
• Abbreviated format: 2001:0:0:A1::1E2A
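The field split and the two text forms above, as an added worked example (not part of the deck, and not Cisco code): `address_fields` carves a global unicast address into the global routing prefix, subnet ID and interface ID for a chosen prefix length n, using only the standard `ipaddress` module; the second sample address is made up for a /32 provider case.

```python
import ipaddress


def address_fields(addr: str, n: int = 48) -> dict:
    """Split a global unicast address into the fields named on the slide:
    global routing prefix (n bits, n <= 48), subnet ID (64 - n bits) and
    the 64-bit interface ID. Also returns the full and abbreviated text forms."""
    if not 0 < n <= 48:
        raise ValueError("global routing prefix length must be 1..48 bits")
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    routing_prefix = value >> (128 - n)                 # top n bits
    subnet_id = (value >> 64) & ((1 << (64 - n)) - 1)   # bits n..63
    interface_id = value & ((1 << 64) - 1)              # low 64 bits
    prefix_net = ipaddress.IPv6Network(
        f"{ipaddress.IPv6Address(routing_prefix << (128 - n))}/{n}")
    subnet_net = ipaddress.IPv6Network(
        f"{ipaddress.IPv6Address((value >> 64) << 64)}/64")
    return {
        "full": ip.exploded.upper(),          # 8 groups of 4 hex characters
        "abbreviated": ip.compressed,         # leading zeros and one zero run dropped
        "routing_prefix": prefix_net.with_prefixlen,
        "subnet_id": subnet_id,
        "subnet": subnet_net.with_prefixlen,
        "interface_id": f"{interface_id:016x}",
    }


def hextets(addr: str) -> list:
    """The 8 four-character hex groups of the full (uncompressed) form."""
    return ipaddress.IPv6Address(addr).exploded.upper().split(":")


if __name__ == "__main__":
    # First address is the slide's example; the second is a constructed /32 case.
    for example, n in (("2001:0:0:A1::1E2A", 48), ("2001:db8:1:2::3", 32)):
        fields = address_fields(example, n)
        print(f"{example} with a /{n} global routing prefix:")
        for key, val in fields.items():
            print(f"  {key:15s} {val}")
```

With n = 48 the subnet ID is the fourth hextet (0x00A1 here); with a provider-sized n = 32 it becomes the 32 bits between the /32 and the /64, which is the number the later aggregation slide is about.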

PI and PA Allocation Process
[Diagram: IANA (IPv4 pool empty) allocates from 2000::/3 to the registries (/12). Provider Assigned: registry -> ISP (/32) -> enterprise (/48). Provider Independent: registry -> org (/48) -> level-four enterprise (/48).]

Hierarchical Addressing and Aggregation
[Diagram: the ISP holds 2001:DB8::/32 and only announces that /32 prefix to the IPv6 Internet (2000::/3). Site 1 gets 2001:DB8:0001::/48 with subnets 2001:DB8:0001:0001::/64 and 2001:DB8:0001:0002::/64; Site 2 gets 2001:DB8:0002::/48 with subnets 2001:DB8:0002:0001::/64 and 2001:DB8:0002:0002::/64.]
• Default is /48; can be larger: https://www.arin.net/resources/request/ipv6_add_assign.html
• Provider independent: see the Number Resource Policy Manual (NRPM), https://www.arin.net/policy/nrpm.html

ULA, ULA + Global or Global
• What type of addressing should I deploy internal to my network? It depends:
  - ULA-only: today, no IPv6 NAT is useable in production, so using ULA-only will not work externally to your network
  - ULA + Global: allows for the best of both worlds, but at a price: much more address management with DHCP, DNS, routing and security, and SAS does not always work as it should
  - Global-only: recommended approach, but the old-school security folks that believe topology hiding is essential in security will bark at this option
• Let's explore these options...

Unique-Local Addressing (RFC4193)
• Used for internal communications, inter-site VPNs
  - Not routable on the internet; basically RFC1918 for IPv6, only better: less likelihood of collisions
• Default prefix is /48
  - /48 limits use in large organizations that will need more space
  - Semi-random generator prohibits generating sequentially "useable" prefixes; no easy way to have aggregation when using multiple /48s
  - Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it "legal" to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers: remember the idea for ULA, internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A
• Routing/security control
  - You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range; today this is the only way the ULA scope can be enforced
• Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
  Generated ULA = fd9c:58ed:7d73::/48
  * MAC address = 00:0D:9D:93:A0:C3 (Hewlett Packard)
  * EUI64 address = 020D9Dfffe93A0C3
  * NTP date = cc5ff71943807789 cc5ff71976b28d86
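Two things from this slide in working code, as an added example that is neither the deck's nor the sixxs generator's code: the RFC 4193 section 3.2.2 prefix derivation (NTP time and EUI-64 hashed with SHA-1, low 40 bits become the Global ID under fd00::/8) and the perimeter rule that any packet with a ULA source or destination is dropped in both directions. The MAC and the NTP seconds are the values quoted above; the slide's exact Global ID is not reproduced because the tool's full key material is not known, so the generated prefix differs. The sample flows are constructed.

```python
import hashlib
import ipaddress

ULA_SPACE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique-local range


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE and flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900-01-01 + 32-bit fraction."""
    ntp_epoch_offset = 2208988800            # seconds between the 1900 and 1970 epochs
    whole = int(unix_seconds)
    seconds = (whole + ntp_epoch_offset) & 0xFFFFFFFF
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def generate_ula_prefix(mac: str, ntp_time: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: key = NTP time || EUI-64, SHA-1 the key, take the
    least significant 40 bits as the Global ID, prepend fd00::/8 (L bit = 1)."""
    key = ntp_time + mac_to_eui64(mac)
    digest = hashlib.sha1(key).digest()            # SHA-1 is what the RFC specifies;
    global_id = int.from_bytes(digest[-5:], "big") # it only spreads bits here, no security role
    prefix_value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix_value)}/48")


def perimeter_verdict(src: str, dst: str) -> str:
    """The Internet-edge rule from the slide: drop any packet, in either
    direction, whose source or destination address falls inside fc00::/7."""
    for addr in (src, dst):
        if ipaddress.IPv6Address(addr) in ULA_SPACE:
            return "drop"
    return "permit"


# Constructed sample flows as seen at the Internet perimeter (not from the slide).
SAMPLE_FLOWS = [
    ("2001:db8:cafe:2::d63", "2001:db8:ffff::53"),          # global to global: fine
    ("fd9c:58ed:7d73:1002::846d", "2001:db8:ffff::53"),     # ULA source leaking out
    ("2001:db8:dead::1", "fd9c:58ed:7d73:2::1"),            # ULA destination coming in
]

if __name__ == "__main__":
    prefix = generate_ula_prefix("00:0D:9D:93:A0:C3", ntp_timestamp(1219852441))
    print("EUI-64:", mac_to_eui64("00:0D:9D:93:A0:C3").hex())
    print("Generated ULA prefix:", prefix)
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {perimeter_verdict(src, dst)}")
```

`perimeter_verdict` is the whole of the enforcement the slide describes: nothing in the protocol stops a ULA from crossing the edge, so the filter is the scope.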

ULA-Only (Not Recommended Today)
[Diagram: Corp HQ (FD9C:58ED:7D73:2::/64), Branch 1 (FD9C:58ED:7D73:2800::/64) and Branch 2 (FD9C:58ED:7D73:3000::/64) on the Corporate Backbone, all from ULA space FD9C:58ED:7D73::/48; the Internet is reached through global 2001:DB8:CAFE::/48 with NAT66 required.]
• Everything internal runs the ULA space
• A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet
• Is there a NAT66? draft-mrw-nat66-xx (Network Prefix Translation, NPTv6)
• Removes the advantages of not having a NAT (i.e. global multicast, application interoperability, end-to-end connectivity)

ULA + Global (Not Recommended)
[Diagram: each site carries both prefixes: Corp HQ FD9C:58ED:7D73:2::/64 + 2001:DB8:CAFE:2::/64, Branch 1 FD9C:58ED:7D73:2800::/64 + 2001:DB8:CAFE:2800::/64, Branch 2 FD9C:58ED:7D73:3000::/64 + 2001:DB8:CAFE:3000::/64; ULA space FD9C:58ED:7D73::/48, global 2001:DB8:CAFE::/48.]
• Both ULA and Global are used internally, except for internal-only hosts
• Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
• In theory, ULA talks to ULA and Global talks to Global; SAS "should" work this out
• ULA-only and Global-only hosts can talk to one another internal to the network
• Define a filter/policy that ensures your ULA prefix does not "leak" out onto the Internet, and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
• Management NIGHTMARE for DHCP, DNS, routing, security, etc.

Considerations: ULA + Global
• Use DHCPv6 for ULA and Global; apply different policies for both (lifetimes, options, etc.)
• Check routability for both: can you reach an AD/DNS server regardless of which address you have?
• Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, PBR, load-balancers, etc.)
• If using SLAAC for both: Microsoft Windows allows you to enable/disable privacy extensions globally, which means you are either using them for both or not at all!
• One option is to use SLAAC for the Global range and enable privacy extensions, and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.):
  Addr Type  DAD State  Valid Life   Pref. Life  Address
  Temporary  Preferred  6d23h59m55s  23h59m55s   2001:db8:cafe:2:cd22:7629:f726:6a6b
  Dhcp       Preferred  13d1h33m55s  6d1h33m55s  fd9c:58ed:7d73:1002:8828:723c:275e:846d
  Other      Preferred  infinite     infinite    fe80::8828:723c:275e:846d%8
• Unlike Global and link-local scopes, ULA is not automatically controlled at the appropriate boundary; you must prevent the ULA prefix from going out or in at your perimeter
• SAS behavior is OS dependent and there have been iss‍ues with it working reliably

ULA + Global Example
Host view (DHCPv6 client):
  Addr Type  DAD State  Valid Life    Pref. Life   Address
  Dhcp       Preferred  13d23h48m24s  6d23h48m24s  2001:db8:cafe:2:c1b5:cc19:f87e:3c41
  Dhcp       Preferred  13d23h48m24s  6d23h48m24s  fd9c:58ed:7d73:1002:8828:723c:275e:846d
  Other      Preferred  infinite      infinite     fe80::8828:723c:275e:846d%8
Router on the client network, relaying to the DHCPv6 server 2001:DB8:CAFE:11::9:
interface Vlan2
 description ACCESS-DATA-2
 ipv6 address 2001:DB8:CAFE:2::D63/64
 ipv6 address FD9C:58ED:7D73:1002::D63/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:11::9

Recommended: Global-Only
[Diagram: Corp HQ 2001:DB8:CAFE:2::/64, Branch 1 2001:DB8:CAFE:2800::/64 and Branch 2 2001:DB8:CAFE:3000::/64 on the Corporate Backbone, all from global 2001:DB8:CAFE::/48.]
• Global is used everywhere
• No issues with SAS
• No requirement to have NAT for ULA-to-Global translation; but NAT may be used for other purposes
• Easier management of DHCP, DNS, security, etc.
• Only downside is breaking the habit of believing that topology hiding is a good security method

Randomized IID and Privacy Extensions
• Enabled by default on Microsoft Windows
• Enable/disable via GPO or CLI:
  netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
  netsh interface ipv6 set privacy state=disabled store=persistent
• Alternatively, use DHCP (see later) to a specific pool
• Randomized addresses are generated for non-temporary autoconfigured addresses including public and link-local; used instead of EUI-64 addresses
• Randomized addresses engage Optimistic DAD; the likelihood of a duplicate LL address is rare, so RS can be sent before full DAD completion
• Windows Vista/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is ok)
• Privacy extensions are used with SLAAC

Link Level: Prefix Length Considerations
• /64 everywhere (64 bits)
  - Recommended by RFC3177 and IAB/IESG
  - Consistency makes management easy
  - MUST for SLAAC (MSFT DHCPv6 also)
  - Significant address space loss (18.466 quintillion addresses per link)
• > 64 bits
  - Address space conservation
  - Special cases: /126 is valid for p2p; /127 is valid for p2p if you are careful (draft-kohno-ipv6prefixlen-p2p-xx / RFC3627); /128 for loopbacks
  - Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
• /64 + /126: 64 on host networks, 126 on P2P
• /64 + /127: 64 on host networks, 127 on P2P
• Always use /128 on loopbacks
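An address-plan check for the prefix-length rules above, as an added example (not from the deck): it flags prefix lengths outside /64, /126, /127 and /128, the all-zero host part that is the Subnet-Router anycast address (the reason a /127 needs care under RFC 3627), the RFC 2526 reserved subnet anycast interface IDs, and interface IDs with the ISATAP `..:5efe:..` pattern. The Embedded-RP (RFC 3956) constraint on the RP's own address is not modeled. The address plan fed to it is constructed.

```python
import ipaddress

# Interface-ID patterns the slide says an address plan must not collide with
RESERVED_ANYCAST_IID_LOW = 0xFDFFFFFFFFFFFF80   # RFC 2526 reserved subnet anycast IIDs:
RESERVED_ANYCAST_IID_HIGH = 0xFDFFFFFFFFFFFFFF  # fdff:ffff:ffff:ff80 .. fdff:ffff:ffff:ffff
ISATAP_IID_TAGS = {0x00005EFE, 0x02005EFE}      # upper 32 bits of an ISATAP interface ID
RECOMMENDED_PREFIXLENS = {64, 126, 127, 128}    # /64 hosts, /126 or /127 p2p, /128 loopback


def check_link_assignment(link_prefix: str, addresses: list) -> list:
    """Return a list of findings for the addresses planned on one link."""
    net = ipaddress.IPv6Network(link_prefix, strict=False)
    findings = []
    if net.prefixlen not in RECOMMENDED_PREFIXLENS:
        findings.append(f"{net}: /{net.prefixlen} is outside the recommended set /64, /126, /127, /128")
    if net.prefixlen == 128 and len(addresses) > 1:
        findings.append(f"{net}: a /128 holds one address (loopback), got {len(addresses)}")
    for text in addresses:
        ip = ipaddress.IPv6Address(text)
        if ip not in net:
            findings.append(f"{ip}: not inside {net}")
            continue
        if net.prefixlen < 128 and ip == net.network_address:
            findings.append(f"{ip}: all-zero host part is the Subnet-Router anycast address "
                            f"(RFC 3513); with a /{net.prefixlen} it cannot be given to an interface")
        iid = int(ip) & ((1 << 64) - 1)
        if RESERVED_ANYCAST_IID_LOW <= iid <= RESERVED_ANYCAST_IID_HIGH:
            findings.append(f"{ip}: interface ID is in the RFC 2526 reserved subnet anycast range")
        if (iid >> 32) in ISATAP_IID_TAGS:
            findings.append(f"{ip}: interface ID looks like an ISATAP address (..:5efe:..)")
    return findings


# Constructed address plan (not from the slide): (link prefix, planned addresses)
SAMPLE_PLAN = [
    ("2001:db8:cafe:1100::/126", ["2001:db8:cafe:1100::1", "2001:db8:cafe:1100::2"]),
    ("2001:db8:cafe:1101::/127", ["2001:db8:cafe:1101::", "2001:db8:cafe:1101::1"]),
    ("2001:db8:cafe:998::1/128", ["2001:db8:cafe:998::1"]),
    ("2001:db8:cafe:2::/64", ["2001:db8:cafe:2::d63",
                              "2001:db8:cafe:2:0:5efe:c0a8:101",
                              "2001:db8:cafe:2:fdff:ffff:ffff:ff80"]),
]


def audit_plan(plan) -> dict:
    """Findings per link for a whole plan; an empty list means the link is clean."""
    return {link: check_link_assignment(link, addrs) for link, addrs in plan}


if __name__ == "__main__":
    for link, findings in audit_plan(SAMPLE_PLAN).items():
        print(link, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The /126 link passes because ::1 and ::2 leave the anycast address unused; the /127 link is the "if you are careful" case, since one of its two addresses is unavoidably the Subnet-Router anycast.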

Using Link-Local for Non-Access Connections (Under Research)
• What if you did not have to worry about addressing the network infrastructure for the purpose of routing?
  - IPv6 IGPs use LL addressing
  - Only use Global or ULA addresses at the edges for host assignment
  - For IPv6 access to the network device itself, use a loopback
• What happens to route filters? ACLs? Nothing, unless you are blocking to/from the router itself
• Stuff to think about:
  - Always use a RID
  - Some Cisco devices require "ipv6 enable" on the interface in order to generate and use a link-local address
  - Enable the IGP on each interface used for routing or that requires its prefix to be advertised

Using LL + Loopback Only
[Diagram: two routers connected back to back. The left router has Loopback0 2001:db8:cafe:998::1/128 and host network 2001:db8:cafe:200::/64; the right router has Loopback0 2001:db8:cafe:998::2/128 and host network 2001:db8:cafe:100::/64; the link between them carries only link-local addresses.]
Left router:
ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::1/128
 ipv6 eigrp 10
!
interface Vlan200
 ipv6 address 2001:DB8:CAFE:200::1/64
 ipv6 eigrp 10
!
interface GigabitEthernet1/1
 ipv6 enable
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.1
 no shutdown
Right router:
ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::2/128
 ipv6 eigrp 10
!
interface GigabitEthernet3/4
 ipv6 eigrp 10
!
interface GigabitEthernet1/2
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.2
 no shutdown
Neighbor as seen from the right router:
IPv6-EIGRP neighbors for process 10
0   Link-local address: FE80::212:D9FF:FE92:DE77   Gi1/2

Summary of Address Considerations
• Provider Independent and/or Provider Assigned
• ULA, ULA + Global, Global only
• Prefix-length allocation
  - /64 everywhere except loopbacks (/128)
  - /64 on host links, /126 on P2P links, /128 on loopbacks
  - Variable prefix-lengths on host links

SLAAC & Stateful/Stateless DHCPv6
• StateLess Address AutoConfiguration (SLAAC): RA-based assignment (a MUST for Mac)
• Stateful and stateless DHCPv6 server
  - Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
  - Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
• DHCPv6 Relay: supported on routers and switches (IPv6-enabled host network on FastEthernet0/1, DHCPv6 server at 2001:DB8:CAFE:10::2)
interface FastEthernet0/1
 description CLIENT LINK
 ipv6 address 2001:DB8:CAFE:11::1/64
 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

Basic DHCPv6 Message Exchange
Participants: DHCPv6 Client, DHCPv6 Relay Agent, DHCPv6 Server
Address assignment:
  Client -> Relay:  Solicit(IA_NA)
  Relay  -> Server: Relay-Forw(Solicit(IA_NA))
  Server -> Relay:  Relay-Repl(Advertise(IA_NA(addr)))
  Relay  -> Client: Advertise(IA_NA(addr))
  Client -> Relay:  Request(IA_NA)
  Relay  -> Server: Relay-Forw(Request(IA_NA))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay  -> Client: Reply(IA_NA(addr))   [address assigned]
Timer expiring:
  Client -> Relay:  Renew(IA_NA(addr))
  Relay  -> Server: Relay-Forw(Renew(IA_NA(addr)))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay  -> Client: Reply(IA_NA(addr))
Shutdown, link down, release:
  Client -> Relay:  Release(IA_NA(addr))
  Relay  -> Server: Relay-Forw(Release(IA_NA(addr)))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay  -> Client: Reply(IA_NA(addr))
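The three phases of that exchange run through a relay agent, as an added example (not from the deck and not any DHCPv6 server's code): client, relay and server messages are built in the RFC 3315 wire layout (message type, transaction ID, IA_NA and IAADDR options; Relay-Forw/Relay-Repl with link-address, peer-address and OPTION_RELAY_MSG), and a minimal stateful server picks its pool from the relay's link-address. The server keys leases on IAID alone, a simplification; the pool, relay link-address and client link-local address are constructed, the link prefix following the deck's 2001:DB8:CAFE:11::/64 client network.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 3315) used in the slide's exchange
SOLICIT, ADVERTISE, REQUEST, RENEW, REPLY, RELEASE = 1, 2, 3, 5, 7, 8
RELAY_FORW, RELAY_REPL = 12, 13
OPT_IA_NA, OPT_IAADDR, OPT_RELAY_MSG = 3, 5, 9
NAMES = {1: "Solicit", 2: "Advertise", 3: "Request", 5: "Renew", 7: "Reply", 8: "Release"}


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    opts = {}
    while buf:
        code, length = struct.unpack("!HH", buf[:4])
        opts[code] = buf[4:4 + length]
        buf = buf[4 + length:]
    return opts


def client_message(msg_type, xid, iaid, addr=None):
    """msg-type(1) transaction-id(3) options; one IA_NA(iaid, T1, T2) that
    optionally carries an IAADDR(address, preferred, valid)."""
    ia_body = struct.pack("!III", iaid, 0, 0)
    if addr is not None:
        ia_body += option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", 3600, 7200))
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + option(OPT_IA_NA, ia_body)


def relay_wrap(msg_type, link_addr, peer_addr, inner):
    """Relay-Forw / Relay-Repl: msg-type(1) hop-count(1) link-address(16)
    peer-address(16) options; the wrapped message rides in OPTION_RELAY_MSG."""
    return (struct.pack("!BB", msg_type, 0) + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed + option(OPT_RELAY_MSG, inner))


def relay_unwrap(buf):
    link, peer = ipaddress.IPv6Address(buf[2:18]), ipaddress.IPv6Address(buf[18:34])
    return buf[0], link, peer, parse_options(buf[34:])[OPT_RELAY_MSG]


def assigned_address(msg):
    """Address carried in the IA_NA of a client/server message, if any."""
    inner = parse_options(parse_options(msg[4:])[OPT_IA_NA][12:])
    return str(ipaddress.IPv6Address(inner[OPT_IAADDR][:16])) if OPT_IAADDR in inner else None


class Server:
    """Stateful server with one pool per link. Leases are keyed by IAID only;
    a real server keys on client DUID + IAID (simplified for the example)."""

    def __init__(self, pools):
        self.pools = {ipaddress.IPv6Network(p): first for p, first in pools.items()}
        self.leases = {}

    def _allocate(self, link, iaid):
        if iaid not in self.leases:
            for net in self.pools:
                if link in net:          # the relay's link-address selects the pool
                    self.leases[iaid] = net.network_address + self.pools[net]
                    self.pools[net] += 1
                    break
            else:
                raise LookupError(f"no pool for link {link}")
        return self.leases[iaid]

    def handle(self, relay_forw):
        kind, link, peer, inner = relay_unwrap(relay_forw)
        if kind != RELAY_FORW:
            raise ValueError("server expects Relay-Forw")
        msg_type, xid = inner[0], int.from_bytes(inner[1:4], "big")
        iaid = struct.unpack("!I", parse_options(inner[4:])[OPT_IA_NA][:4])[0]
        if msg_type == SOLICIT:
            out = client_message(ADVERTISE, xid, iaid, str(self._allocate(link, iaid)))
        elif msg_type in (REQUEST, RENEW):
            out = client_message(REPLY, xid, iaid, str(self._allocate(link, iaid)))
        elif msg_type == RELEASE:
            freed = self.leases.pop(iaid, None)
            out = client_message(REPLY, xid, iaid, None if freed is None else str(freed))
        else:
            raise ValueError(f"unsupported message type {msg_type}")
        return relay_wrap(RELAY_REPL, str(link), str(peer), out)


def run_exchange(server, link_addr, client_ll, iaid=0x0E000001):
    """Drive the slide's three phases (assignment, renew, release) through the
    relay agent; returns (sent, received, address) for each round trip."""
    trace, addr = [], None
    for xid, msg_type in ((0x10, SOLICIT), (0x11, REQUEST), (0x12, RENEW), (0x13, RELEASE)):
        out = client_message(msg_type, xid, iaid, None if msg_type == SOLICIT else addr)
        forwarded = relay_wrap(RELAY_FORW, link_addr, client_ll, out)   # relay agent
        _, _, _, back = relay_unwrap(server.handle(forwarded))           # relay strips Relay-Repl
        addr = assigned_address(back) or addr
        trace.append((NAMES[msg_type], NAMES[back[0]], assigned_address(back)))
    return trace


if __name__ == "__main__":
    # Constructed: pool start, relay link-address and client link-local address.
    srv = Server({"2001:db8:cafe:11::/64": 0x1000})
    for sent, received, addr in run_exchange(srv, "2001:db8:cafe:11::1", "fe80::1"):
        print(f"{sent:8s} -> Relay-Forw -> server -> Relay-Repl -> {received:9s} IA_NA({addr})")
```

The link-address in Relay-Forw is what lets a server sitting on 2001:DB8:CAFE:10::2 hand out an address from the client's own /64; a relay that fills it in wrongly gets the client a lease from the wrong pool.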

CNR/W2K8: DHCPv6

IPv6 General Prefix
• Provides an easy/fast way to deploy prefix changes
• Example: 2001:db8:cafe::/48 = general prefix
• Fill in interface-specific fields after the prefix: "ESE ::11:0:0:0:1" = 2001:db8:cafe:11::1/64
ipv6 unicast-routing
ipv6 cef
ipv6 general-prefix ESE 2001:DB8:CAFE::/48
!
interface GigabitEthernet3/2
 ipv6 address ESE ::2/126
!
interface GigabitEthernet1/2
 ipv6 address ESE ::E/126
!
interface Vlan11
 ipv6 address ESE ::11:0:0:0:1/64
!
interface Vlan12
 ipv6 address ESE ::12:0:0:0:1/64
Resulting address on Vlan11:
  Global unicast address(es): 2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64
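How the general-prefix substitution composes an address, as an added example that is not IOS code: `apply_general_prefix` ORs the interface-specific part (written the IOS way, `::11:0:0:0:1`) into the general prefix and refuses a suffix that sets bits inside the prefix, and `render` applies one prefix to a whole interface table so that changing the single general-prefix line renumbers every interface. The interface table mirrors the slide; the second prefix, 2001:DB8:BEEF::/48, is a made-up renumbering.

```python
import ipaddress


def apply_general_prefix(general_prefix: str, interface_part: str, prefixlen: int) -> str:
    """Combine a general prefix (e.g. 2001:DB8:CAFE::/48) with an interface-
    specific part written as IOS does (e.g. ::11:0:0:0:1) and a prefix length.
    Returns the resulting interface address with its prefix length."""
    gp = ipaddress.IPv6Network(general_prefix)
    suffix = int(ipaddress.IPv6Address(interface_part))   # "::11:0:0:0:1" parses as an address
    if suffix >> (128 - gp.prefixlen):
        raise ValueError("interface-specific part sets bits inside the general prefix")
    if prefixlen < gp.prefixlen:
        raise ValueError("interface prefix length cannot be shorter than the general prefix")
    address = ipaddress.IPv6Address(int(gp.network_address) | suffix)
    return f"{address}/{prefixlen}"


# Interface table in the slide's style: (interface, interface-specific part, prefix length)
INTERFACES = [
    ("GigabitEthernet3/2", "::2", 126),
    ("GigabitEthernet1/2", "::E", 126),
    ("Vlan11", "::11:0:0:0:1", 64),
    ("Vlan12", "::12:0:0:0:1", 64),
]


def render(general_prefix: str, interfaces=INTERFACES) -> dict:
    """Address every interface ends up with under one general prefix; call it
    again with a new prefix to see the whole box renumber from one line."""
    return {name: apply_general_prefix(general_prefix, part, plen) for name, part, plen in interfaces}


if __name__ == "__main__":
    for gp in ("2001:DB8:CAFE::/48", "2001:DB8:BEEF::/48"):   # second prefix is constructed
        print(f"ipv6 general-prefix ESE {gp}")
        for name, addr in render(gp).items():
            print(f"  {name:20s} {addr}")
```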

DNS Basic Steps (1)
• Enable IPv6 access to the authoritative DNS servers.
• Add AAAA records in your DNS server for the hostnames of the devices that can be reached through the IPv6 protocol.
• Add pointer (PTR) records in your DNS server for the IP addresses of the devices that can be reached through the IPv6 protocol.
• Be sure that TCP/53 and UDP/53 can be accessed through IPv6.
• Enable IPv6 connectivity to the external full-service resolvers that send DNS queries to authoritative servers in the world.

DNS Basic Steps (2)
• Make sure that the full-service resolver is configured with both IPv4 and IPv6 glue for the root servers in the world.
• Enable IPv6 on the recursive resolver so that it responds to DNS requests over IPv6 as well as IPv4.
• Enable IPv6 on the node that sends queries so that it can send DNS requests to the recursive resolver, either statically or using Dynamic Host Configuration Protocol Version 6 (DHCPv6).
• Configure the stub resolver on the node that sends queries so that it uses IPv6 to send DNS queries.
• Review policies for flows and make sure that both TCP/53 and UDP/53 can be accessed over IPv4 and IPv6.
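The AAAA and PTR steps from the two lists above in code, as an added example (not from the deck): `aaaa_and_ptr_records` emits the forward and the matching ip6.arpa reverse record for each IPv6-reachable host, and `reverse_zone_name` gives the ip6.arpa zone a /48 holder must populate (or have delegated). Host names are invented; the addresses follow the deck's 2001:db8:cafe::/48 examples.

```python
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """ip6.arpa zone holding the PTR records for a prefix (the delegation
    point); the prefix length must fall on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations work on 4-bit boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def aaaa_and_ptr_records(hosts: dict, ttl: int = 3600):
    """Forward (AAAA) and reverse (PTR) records in zone-file syntax for hosts
    reachable over IPv6; the slide's steps call for both."""
    forward, reverse = [], []
    for name, addr in hosts.items():
        ip = ipaddress.IPv6Address(addr)
        fqdn = name if name.endswith(".") else name + "."
        forward.append(f"{fqdn} {ttl} IN AAAA {ip.compressed}")
        reverse.append(f"{ip.reverse_pointer}. {ttl} IN PTR {fqdn}")   # 32 reversed nibbles
    return forward, reverse


# Constructed hosts (names invented; addresses follow the deck's 2001:db8:cafe::/48 examples)
SAMPLE_HOSTS = {
    "dhcp1.example.com": "2001:db8:cafe:11::9",
    "dist1.example.com": "2001:db8:cafe:2::d63",
}

if __name__ == "__main__":
    print("; reverse zone:", reverse_zone_name("2001:db8:cafe::/48"))
    fwd, rev = aaaa_and_ptr_records(SAMPLE_HOSTS)
    print(*fwd, *rev, sep="\n")
```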

General Network Considerations

HSRP for IPv6
• Many similarities with HSRP for IPv4
• Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
• No need to configure GW on hosts (RAs are sent from the HSRP active router)
• Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
• IPv6 Virtual MAC range: 0005.73A0.0000 - 0005.73A0.0FFF (4096 addresses)
• HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
HSRP active/standby configuration:
track 2 interface FastEthernet0/0 line-protocol
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 timers msec 250 msec 800
 standby 2 preempt
 standby 2 preempt delay minimum 180
 standby 2 authentication cisco
 standby 2 track 2 decrement 10
Host with GW of virtual IP:
#route -A inet6 | grep ::/0 | grep eth2
::/0   fe80::5:73ff:fea0:1   UGDA 1024 0 0 eth2
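The virtual MAC and virtual link-local derivation above, as an added example (not from the deck or Cisco): the virtual MAC is 0005.73A0.0000 plus the group number, the virtual link-local is fe80:: plus that MAC in EUI-64 form with FF:FE inserted and, as the route on the slide shows for group 1 (fe80::5:73ff:fea0:1), without the universal/local bit flipped. `hsrp_group_from_gateway` goes the other way, so a host's default gateway can be checked against the expected HSRP group; the route-line parser assumes the `route -A inet6` column layout shown above.

```python
import ipaddress

HSRP_V6_MAC_BASE = 0x000573A00000      # 0005.73A0.0000 .. 0005.73A0.0FFF
HSRP_V6_GROUP_MAX = 0xFFF              # 4096 groups
HSRP_V6_UDP_PORT = 2029


def hsrp_v6_virtual_mac(group: int) -> str:
    """Virtual MAC for an HSRP-for-IPv6 group, in Cisco dotted notation."""
    if not 0 <= group <= HSRP_V6_GROUP_MAX:
        raise ValueError("HSRP for IPv6 groups are 0..4095")
    h = f"{HSRP_V6_MAC_BASE + group:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_v6_virtual_linklocal(group: int) -> ipaddress.IPv6Address:
    """fe80:: + the virtual MAC expanded to EUI-64 (FF:FE inserted). The
    universal/local bit is left as-is, matching the slide's fe80::5:73ff:fea0:1."""
    raw = (HSRP_V6_MAC_BASE + group).to_bytes(6, "big")
    if group > HSRP_V6_GROUP_MAX or group < 0:
        raise ValueError("HSRP for IPv6 groups are 0..4095")
    eui64 = raw[:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address((0xFE80 << 112) | int.from_bytes(eui64, "big"))


def hsrp_group_from_gateway(addr: str):
    """HSRP group behind a host's default-gateway link-local address, or None
    when the address is not an HSRP-for-IPv6 virtual address."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return None
    raw = (int(ip) & ((1 << 64) - 1)).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = int.from_bytes(raw[:3] + raw[5:], "big")
    if mac & ~HSRP_V6_GROUP_MAX != HSRP_V6_MAC_BASE:
        return None
    return mac & HSRP_V6_GROUP_MAX


def gateway_from_route_line(line: str) -> str:
    """Next-hop column of a Linux `route -A inet6` line like the one on the slide."""
    return line.split()[1]


if __name__ == "__main__":
    for group in (1, 2, 4095):
        print(f"group {group:4d}: vMAC {hsrp_v6_virtual_mac(group)}  vLL {hsrp_v6_virtual_linklocal(group)}")
    route = "::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2"   # from the slide
    print("host gateway belongs to HSRP group", hsrp_group_from_gateway(gateway_from_route_line(route)))
```

A host whose default route points at a link-local address that does not map back to one of your HSRP groups is worth a look, since with IPv6 the gateway is learned from whatever RA the host accepted.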

IPv6 Multicast Availability
• Multicast Listener Discovery (MLD): equivalent to IGMP
• PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast
• RP Deployment: Static, Embedded
[Diagram: source S, DR, RP, DR, host; host multicast control via MLD.]

Multicast Listener Discovery: MLD (Multicast Host Membership Control)
• MLD is equivalent to IGMP in IPv4
• MLD messages are transported over ICMPv6
• MLD uses link-local source addresses
• MLD packets use "Router Alert" in the extension header (RFC2711)
• Version number confusion: MLDv1 (RFC2710) is like IGMPv2 (RFC2236); MLDv2 (RFC3810) is like IGMPv3 (RFC3376)
• MLD snooping

IPv6 QoS Policy & Syntax
• Unified QoS policy (v4/v6 in the same policy) or separate?
• IPv4 syntax has used "ip" following match/set statements. Example: match ip dscp, set ip dscp
• Modification in QoS syntax to support IPv6 and IPv4:
  - New match criteria: match dscp (match DSCP in v4/v6), match precedence (match Precedence in v4/v6)
  - New set criteria: set dscp (set DSCP in v4/v6), set precedence (set Precedence in v4/v6)
• Additional support for IPv6 does not always require new Command Line Interface (CLI). Example: WRED

Scalability and Performance
• IPv6 Neighbor Cache = ARP for IPv4
  - In dual-stack networks the first-hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries
  ARP entry for a host in the campus distribution layer:
  Internet  10.120.2.200   2  000d.6084.2c7a  ARPA   Vlan2
  IPv6 neighbor cache entries for the same host:
  2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1  16  000d.6084.2c7a  STALE  Vl2
  2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC  16  000d.6084.2c7a  STALE  Vl2
  FE80::7DE5:E2B0:D4DF:97EC             4  000d.6084.2c7a  STALE  Vl2
• Full internet route tables: ensure to account for TCAM/memory requirements for both IPv4/IPv6; not all vendors can properly support both
• Multiple routing protocols: IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/memory is present
• Control plane impact when using tunnels: terminate ISATAP/configured tunnels in HW platforms when attempting large-scale deployments (hundreds/thousands of tunnels)

Infrastructure Deployment
Start here: Cisco IOS Software Release Specifics for IPv6 Features, http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6roadmap.html

IPv6 Co-existence Solutions
• Dual Stack (IPv4 + IPv6): recommended enterprise co-existence strategy
• Tunneling Services (IPv4 over IPv6, IPv6 over IPv4): connect islands of IPv6 or IPv4
• Translation Services (IPv4 <-> IPv6): connect to the IPv6 community (business partners, government agencies, international sites, remote workers, Internet consumers)

Campus
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

Campus IPv6 Deployment: Three Major Options
• Dual-stack: the way to go for obvious reasons: performance, security, QoS, multicast and management
  - Layer 3 switches should support IPv6 forwarding in hardware
• Hybrid: dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
  - Pro: leverage existing gear and network design (traditional L2/L3 and routed access)
  - Con: tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like the core acting as access layer), and ISATAP does not support IPv6 multicast
• IPv6 Service Block: a new network block used for interim connectivity for an IPv6 overlay network
  - Pro: separation, control and flexibility (still supports traditional L2/L3 and routed access)
  - Con: cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment, and ISATAP does not support IPv6 multicast

Campus IPv6 Deployment Options: Dual-Stack IPv4/IPv6
[Diagram: IPv6/IPv4 dual-stack hosts on the access layer (L2/L3), v6-enabled distribution, core and DC aggregation layers, dual-stack servers on the DC access layer.]
• Dual Stack = two protocols running at the same time (IPv4/IPv6)
• #1 requirement: switching/routing platforms must support hardware-based forwarding for IPv6: 3560/3750* + 4500 Sup6E + 6500 Sup32/720
• IPv6 is transparent on L2 switches, but consider: L2 multicast (MLD snooping), IPv6 management (Telnet/SSH/HTTP/SNMP), intelligent IP services on WLAN
• Expect to run the same IGPs as with IPv4
*check HW limitations in non-E/X/C series

Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address 2001:DB8:CAFE:1105::A001:1010/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
!
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address 2001:DB8:CAFE:1106::A001:1010/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
!
interface Vlan4
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:4::2/64
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
 ipv6 eigrp 10
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 timers msec 250 msec 750
 standby 2 priority 110
 standby 2 preempt delay minimum 180
 standby 2 authentication ese
!
ipv6 router eigrp 10
 no shutdown
 router-id 10.122.10.10
 passive-interface Vlan4
 passive-interface Loopback0

Distribution Layer: Example with ULA and the General Prefix feature
ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53
ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address ULA-CORE ::3:0:0:0:D63/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
 ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
!
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address ULA-CORE ::C:0:0:0:D63/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
 ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
!
interface Vlan4
 description Data VLAN for Access
 ipv6 address ULA-ACC ::D63/64
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination fd9c:58ed:7d73:811::9
 ipv6 eigrp 10
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 timers msec 250 msec 750
 standby 2 priority 110
 standby 2 preempt delay minimum 180
 standby 2 authentication ese
!
ipv6 router eigrp 10
 no shutdown
 router-id 10.122.10.10
 passive-interface Vlan4
 passive-interface Loopback0

Access Layer: Dual Stack (Routed Access)
ipv6 unicast-routing
ipv6 cef
!
interface GigabitEthernet1/0/25
 description To 6k-dist-1
 ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
!
interface GigabitEthernet1/0/26
 description To 6k-dist-2
 ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
!
interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
 ipv6 ospf 1 area 2
 ipv6 cef
!
ipv6 router ospf 1
 router-id 10.2.120.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 2 stub no-summary
 passive-interface Vlan2
 timers spf 1 5

Distribution Layer: Dual Stack (Routed Access)
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef distributed
!
interface GigabitEthernet3/1
 description To 3750-acc-1
 ipv6 address 2001:DB8:CAFE:1100::A001:1010/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
!
interface GigabitEthernet1/2
 description To 3750-acc-2
 ipv6 address 2001:DB8:CAFE:1103::A001:1010/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
!
ipv6 router ospf 1
 auto-cost reference-bandwidth 10000
 router-id 10.122.0.25
 log-adjacency-changes
 area 2 stub no-summary
 passive-interface Vlan2
 area 2 range 2001:DB8:CAFE:xxxx::/xx
 timers spf 1 5

Campus IPv6 Deployment Options
Hybrid Model (Legacy Design)

• Plan "B" if a Layer 3 device can't support IPv6 but you have to get IPv6 over it
• Offers IPv6 connectivity via multiple options: dual-stack, configured tunnels (L3-to-L3), ISATAP (host-to-L3)
• Leverages the existing network
• Offers a natural progression to a full dual-stack design
• May require tunneling to less-than-optimal layers (i.e. the core layer)
• Any sizable deployment will be an operational management challenge
• ISATAP creates a flat network (all hosts on the same tunnel are peers)
• Provides basic HA of ISATAP tunnels via the old Anycast-RP idea

[Diagram: IPv6/IPv4 dual-stack hosts in the access layer (L2/L3, not v6-enabled) tunnel with ISATAP across the not-v6-enabled distribution layer to the v6-enabled core layer; the core, the aggregation layer (DC) and the access layer (DC) are dual stack / v6-enabled down to the dual-stack server.]

Campus Hybrid Model 1
QoS

1. Classification and marking of IPv6 is done on the egress interfaces of the core layer switches, because packets have been tunneled until this point; QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress.
2. The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These policies may include trust (ingress), policing (ingress) and queuing (egress).

[Diagram: access block (IPv6/IPv4 dual-stack hosts, access layer, distribution layer) and data center block (core layer, aggregation layer (DC), access layer (DC), IPv6/IPv4 dual-stack server), all IPv6 and IPv4 enabled; point 1 sits at the core layer egress, point 2 at the aggregation layer ingress.]

IPv6 ISATAP Implementation
ISATAP Host Considerations

• ISATAP is available on Windows XP, Windows 2003, Vista/W7/Server 2008; there is a port for Linux
• If a Windows host does not detect IPv6 capabilities on the physical interface, then an effort to use ISATAP is started
• Can learn of ISATAP routers via a DNS "A" record lookup of "isatap" or via static configuration
  – If DNS is used, then host/subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAP
  – Two or more ISATAP routers can be added to DNS; ISATAP will determine which one to use and also fail over to the other one upon failure of the first entry
  – If DNS zoning is used within the enterprise, then ISATAP entries for different routers can be used in each zone
• In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel
• Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role

Highly Available ISATAP Design Topology

• ISATAP tunnels from PCs in the access layer to core switches
• Redundant tunnels to the core or service block
• Use the IGP to prefer one core switch over another (both v4 and v6 routes): deterministic
• Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel)
• Works like Anycast-RP with IPmc

[Diagram: PC1 (Red, VLAN 2) and PC2 (Blue, VLAN 3) in the access layer; access and distribution layers are not v6-enabled; a primary and a secondary ISATAP tunnel run from the PCs to the two v6-enabled core layer switches; core, aggregation layer (DC) and access layer (DC) are dual stack down to the IPv6 server.]

IPv6 Campus ISATAP Configuration
Redundant Tunnels

ISATAP Primary:

interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 description Tunnel source for ISATAP-VLAN2
 ip address 10.122.10.102 255.255.255.255
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255

ISATAP Secondary:

interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000
!
interface Loopback3
 ip address 10.122.10.103 255.255.255.255
 delay 1000

IPv6 Campus ISATAP Configuration
IPv4 and IPv6 Routing—Options

• To influence IPv4 routing to prefer one ISATAP tunnel source over another—alter delay/cost or mask length
• Lower timers (timers spf, hello/hold, dead) to reduce convergence times
• Use recommended summarization and/or use of stubs to reduce routes and convergence times
• Set the RID to ensure redundant loopback addresses do not cause duplicate RID issues

ISATAP Primary—Longest-match adjustment:
interface Loopback2
 ip address 10.122.10.102 255.255.255.255

ISATAP Secondary—Longest-match adjustment:
interface Loopback2
 ip address 10.122.10.102 255.255.255.254

ISATAP Secondary—Bandwidth adjustment:
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000

IPv4—EIGRP:
router eigrp 10
 eigrp router-id 10.122.10.3

IPv6—OSPFv3:
ipv6 router ospf 1
 router-id 10.122.10.3

Distribution Layer Routes
Primary/Secondary Paths to ISATAP Tunnel Sources

[Diagram: acc-1 – dist-1 – core-1 and acc-2 – dist-2 – core-2; VLAN 2 is 10.120.2.0/24; Loopback 2 (10.122.10.102) on core-1 is used as the PRIMARY ISATAP tunnel source and on core-2 as the SECONDARY ISATAP tunnel source; the preferred route to 10.122.10.102 moves to core-2 on FAILURE.]

Before Failure:
dist-1#show ip route | b 10.122.10.102
D    10.122.10.102/32 [90/130816] via 10.122.0.41, 00:09:23, GigabitEthernet1/0/27

After Failure:
dist-1#show ip route | b 10.122.10.102
D    10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28

IPv6 Campus ISATAP Configuration
ISATAP Client Configuration

Windows XP/Vista/W7 host:

C:\>netsh int ipv6 isatap set router 10.122.10.103
Ok.

Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.122.10.101
   IP Address. . . . . . . . . . . . : fe80::5efe:10.122.10.101%2
   Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2

Core switch (Tunnel3 and Loopback3 10.122.10.103 exist on both cores; the new tunnel comes up when a failure occurs):

interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 eigrp 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255

IPv6 Configured Tunnels
Think GRE or IP-in-IP Tunnels

• Encapsulating IPv6 into IPv4
• Used to traverse IPv4-only devices/links/networks
• Treat them just like standard IP links (only ensure solid IPv4 routing/HA between tunnel interfaces)
• Provides for the same routing, QoS, multicast as with dual-stack
• In HW, performance should be similar to standard tunnels

[Diagram: Access – Distribution – Core – Aggregation, with the configured tunnel running between the distribution and core layers.]

ipv6 cef
!
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:13::1/127
 ipv6 eigrp 10
 tunnel source Loopback3
 tunnel destination 172.16.2.1
 tunnel mode ipv6ip
!
interface Loopback3
 ip address 172.16.1.1 255.255.255.252

interface GigabitEthernet1/1
 ipv6 address 2001:DB8:CAFE:13::4/127
 ipv6 eigrp 10

Campus Hybrid Model 1
QoS Configuration Sample—Core Layer

mls ipv6 acl compress address unicast
mls qos
!
class-map match-all CAMPUS-BULK-DATA
 match access-group name BULK-APPS
class-map match-all CAMPUS-TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-APPS
!
policy-map IPv6-ISATAP-MARK
 class CAMPUS-BULK-DATA
  set dscp af11
 class CAMPUS-TRANSACTIONAL-DATA
  set dscp af21
 class class-default
  set dscp default
!
ipv6 access-list BULK-APPS
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ipv6 access-list TRANSACTIONAL-APPS
 permit tcp any any eq telnet
 permit tcp any any eq 22
!
interface GigabitEthernet2/1
 description to 6k-agg-1
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/2
 description to 6k-agg-2
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK
!
interface GigabitEthernet2/3
 description to 6k-core-1
 mls qos trust dscp
 service-policy output IPv6-ISATAP-MARK

Campus IPv6 Deployment Options
IPv6 Service Block—Rapid Deployment/Pilot

• Provides the ability to rapidly deploy IPv6 services without touching the existing network
• Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
• Get lots of operational experience with limited impact to the existing environment – ideal for a pilot
• Similar challenges as the Hybrid Model – lots of tunneling
• Configurations are very similar to the Hybrid Model: ISATAP tunnels from PCs in the access layer to service block switches (instead of the core layer—Hybrid)
• 1) Leverage the existing ISP block for both IPv4 and IPv6 access
• 2) Use a dedicated ISP connection just for IPv6—can use IOS Zone FW or ASA

[Diagram: IPv4-only campus block (VLAN 2 and VLAN 3 in the access layer, dist. layer, core layer, agg layer, access layer) with primary and secondary ISATAP tunnels to the IPv6 service block; the WAN/ISP block with an IOS FW (option 1) and a dedicated FW to the Internet (option 2); data center block.]

Cisco VSS – DSM / Hybrid / Service Block

• Cisco VSS offers a greatly simplified configuration and extremely fast convergence for IPv6 deployment
• Dual stack – Place the VSS pair in the distribution and/or core layers – HA and simplified/reduced IPv6 configuration
• Hybrid model – If terminating tunnels against VSS (i.e. VSS at the core layer), MUCH easier to configure tunnels for HA as only one tunnel configuration is needed
• Service Block – Use VSS as the SB pair – again, GREATLY simplified configuration and decreased convergence times!!

Data Center/Internet Edge

IPv6 Data Center Integration

• Route/switch design will be similar to campus based on feature, platform and connectivity similarities – Nexus, 6500, 4900M
• The single most overlooked and potentially complicated area of IPv6 deployment
• IPv6 for SAN (FCIP, iSCSI, Management)
• Stuff people don't think about: NIC teaming, iLO, DRAC, IP KVM, clusters
  – Innocent-looking server OS upgrades – Windows Server 2008 – impact on clusters – Microsoft Server 2008 failover clusters fully support IPv6 (and L3)
• Internet-facing data center
  – Most of the internal and Internet DC considerations are the same

IPv6 Configuration on Nexus

interface Vlan114
  no shutdown
  description Outside FW VLAN
  ipv6 address 2001:0db8:cafe:0114::0002/64
  hsrp version 2
  hsrp 114 ipv6
    preempt delay minimum 180
    timers 1 3
    ip autoconfig

• IP-is-IP – minor syntax changes based on the different platforms between campus and data center
• Check for the features you need, platform support, performance capabilities
• Same stuff you do for any new platform you invest in

iSCSI/VRRP for IPv6

• Same configuration requirements and operation as with IPv4
• Can use automatic preemption—configure the VR address to be the same as the physical interface of the "primary"
• Host-side HA uses NIC teaming (see slides for NIC teaming)
• Support for iSCSI with IPsec

iSCSI IPv6 Example—MDS
Initiator/Target

iscsi virtual-target name iscsi-atto-target
  pWWN 21:00:00:10:86:10:46:9c
  initiator iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com permit
iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
  static pWWN 24:01:00:0d:ec:24:7c:42
  vsan 1
zone default-zone permit vsan 1
zone name iscsi-zone vsan 1
  member symbolic-nodename iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
  member pwwn 21:00:00:10:86:10:46:9c
  member pwwn 24:01:00:0d:ec:24:7c:42
  member symbolic-nodename iscsi-atto-target
zone name Generic vsan 1
  member pwwn 21:00:00:10:86:10:46:9c
zoneset name iscsi_zoneset vsan 1
  member iscsi-zone
zoneset name Generic vsan 1
  member Generic

iSCSI/VRRP IPv6 Example—MDS
Interface

MDS-1:
interface GigabitEthernet2/1
  ipv6 address 2001:db8:cafe:12::5/64
  no shutdown
  vrrp ipv6 1
    address 2001:db8:cafe:12::5
    no shutdown

mds-1# show vrrp ipv6 vr 1
Interface  VR  IpVersion  Pri  Time   Pre  State   VR IP addr
------------------------------------------------------------------
GigE2/1    1   IPv6       255  100cs       master  2001:db8:cafe:12::5

MDS-2:
interface GigabitEthernet2/1
  ipv6 address 2001:db8:cafe:12::6/64
  no shutdown
  vrrp ipv6 1
    address 2001:db8:cafe:12::5
    no shutdown

mds-2# show vrrp ipv6 vr 1
Interface  VR  IpVersion  Pri  Time   Pre  State   VR IP addr
------------------------------------------------------------------
GigE2/1    1   IPv6       100  100cs       backup  2001:db8:cafe:12::5

iSCSI Initiator Example—W2K8 IPv6

1. iscsi initiator name iqn.1991-05.com.microsoft:w2k8-svr-01.cisco.com
2. interface GigabitEthernet2/1
     ipv6 address 2001:db8:cafe:12::5/64
3. mds9216-1# show fcns database vsan 1

VSAN 1:
--------------------------------------------------------------------
FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
--------------------------------------------------------------------
0x670400  N     21:00:00:10:86:10:46:9c            scsi-fcp:target
0x670405  N     24:01:00:0d:ec:24:7c:42  (Cisco)   scsi-fcp:init isc..w

All rights reserved. Cisco Public 74 .SAN-OS 3.x—FCIP(v6) fcip profile 100 ip address 2001:db8:cafe:50::1 tcp max-bandwidth-mbps 800 min-availablebandwidth-mbps 500 round-trip-time-us 84 ! interface fcip100 use-profile 100 peer-info ipaddr 2001:db8:cafe:50::2 fcip profile 100 ip address 2001:db8:cafe:50::2 tcp max-bandwidth-mbps 800 min-availablebandwidth-mbps 500 round-trip-time-us 84 ! interface fcip100 use-profile 100 peer-info ipaddr 2001:db8:cafe:50::1 ! interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::2/64 ! interface GigabitEthernet2/2 ipv6 address 2001:db8:cafe:50::1/64 BRKRST-2301 © 2011 Cisco and/or its affiliates.

Data Center NIC Teaming Issue
What Happens If IPv6 Is Unsupported?

Auto-configuration:

Interface 10: Local Area Connection   #VIRTUAL TEAM INTERFACE
Addr Type  DAD State  Valid Life    Pref. Life   Address
---------  ---------  ------------  -----------  -----------------------------------
Public     Preferred  29d23h58m41s  6d23h58m41   2001:db8:cafe:10:20d:9dff:fe93:b25d

Static configuration:

netsh interface ipv6>add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.

netsh interface ipv6>sh add
Querying active state...

Interface 10: Local Area Connection
Addr Type  DAD State  Valid Life    Pref. Life   Address
---------  ---------  ------------  -----------  -----------------------------------
Manual     Duplicate  infinite      infinite     2001:db8:cafe:10::7
Public     Preferred  29d23h59m21s  6d23h59m21s  2001:db8:cafe:10:20d:9dff:fe93:b25d

Note: the same issue applies to Linux

Intel ANS NIC Teaming for IPv6

• Intel IPv6 NIC Q&A—product support: http://www.intel.com/support/network/sb/cs009090.htm
• Intel now supports IPv6 with Express, ALB, and AFT deployments
• Intel statement of support for RLB: "Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections."

Interim Hack for Unsupported NICs

• The main issue for NICs with no IPv6 teaming support is DAD—it causes duplicate checks on the team and physical interfaces even though the physical is not used for addressing
• Set DAD on the team interface to "0"—understand what you are doing
• Microsoft Vista/W7/Server 2008 allows a command-line change to reduce the "DAD transmits" value from 1 to 0:
  netsh interface ipv6 set interface 19 dadtransmits=0
• Microsoft Windows 2003—the value is changed via a creation in the registry:
  \\HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\(InterfaceGUID)\DupAddrDetectTransmits – Value "0"
• Linux:
  # sysctl -w net/ipv6/conf/bond0/dad_transmits=0
  net.ipv6.conf.eth0.dad_transmits = 0

Intel NIC Teaming—IPv6 (Pre Team)

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 10.4.89.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11

Ethernet adapter LAN:
   Connection-specific DNS Suffix . :
   Autoconfiguration IP Address. . . : 169.254.25.192
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12

Intel NIC Teaming—IPv6 (Post Team)

Ethernet adapter TEAM-1:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 10.4.89.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13

Interface 13: TEAM-1
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  ----------------------------
Public     Preferred  4m11s       4m11s       2001:db8:cafe:1::2
Link       Preferred  infinite    infinite    fe80::204:23ff:fec7:b0d6

IPv6 in the Enterprise Data Center
Biggest Challenges Today

• Application support for IPv6 – know what you don't know
  – If an application is protocol centric (IPv4): it needs to be rewritten; it needs to be translated until it is replaced; wait and pressure vendors to move to a protocol-agnostic framework
• Deployment of translation
  – NAT64 (stateful for most enterprises)
  – Apache reverse proxy
  – Windows PortProxy
  – 3rd-party proxy solutions
• Network services above L3 (a short-term challenge)
  – SLB, SSL offload, application monitoring (probes)
  – Application optimization
  – High-speed security inspection/perimeter protection

Commonly Deployed IPv6-enabled OS/Apps

Operating Systems:
• Windows 7
• Windows Server 2008/R2
• Red Hat
• SUSE
• Ubuntu
• The list goes on

Virtualization & Applications:
• VMware vSphere 4.1
• Microsoft Hyper-V
• Microsoft Exchange 2007 SP1/2010
• Apache/IIS Web Services
• Windows Media Services
• Multiple line-of-business apps

Most commercial applications won't be your problem – it will be the custom/home-grown apps

ACE + IPv6 / ASR + NAT64

[Diagram: ACE SLB66 (v6 client → ACE → v6 servers) and ACE SLB64 (v6 client → ACE → v4 servers), SW coming (ACE30, ACE4710); stateful NAT64 + SLB44 (v6 client → NAT64 → v4 → ACE → v4 server).]

NAT64

• Lots of RFCs to check out:
  – RFC 6144 – Framework for IPv4/IPv6 Translation
  – RFC 6052 – IPv6 Addressing of IPv4/IPv6 Translators
  – RFC 6145 – IP/ICMP Translation Algorithm
  – RFC 6146 – Stateful NAT64
  – RFC 6147 – DNS64
• Stateless – not your friend in the enterprise (corner-case deployment)
  – 1:1 mapping between IPv6 and IPv4 addresses (i.e. 254 IPv6 hosts to 254 IPv4 hosts)
  – Requires the IPv6-only hosts to use an "IPv4-translatable" address format
• Stateful – what we are after for translating IPv6-only hosts to IPv4-only host(s)
  – It is what it sounds like – keeps state between translated hosts
  – Several deployment models (PAT/overload, static, dynamic 1:1, etc.)
  – This is what you will use to translate from IPv6 hosts (internal or Internet) to IPv4-only servers (internal DC or Internet edge)

Stateful NAT64 – Example Topology
Static Example

[Diagram: IPv6 host 2001:db8:c150:10::16 on the Internet – ASR (G0/0/0: 2001:DB8:CAFE:5555::1/64, G0/0/1: 10.121.220.1/24) – DMZ/DC servers 10.121.12.70 (2001:DB8:CAFE:BEEF::46) and 10.121.13.52 (2001:DB8:CAFE:BEEF::48).]

ipv6 access-list EDGE_ACL
 permit ipv6 any host 2001:DB8:CAFE:BEEF::46
 permit ipv6 any host 2001:DB8:CAFE:BEEF::48
!
nat64 prefix stateful 2001:DB8:CAFE:BEEF::/96
nat64 v4 pool EDGE 10.121.55.1 10.121.55.1
nat64 v4v6 static 10.121.12.70 2001:DB8:CAFE:BEEF::46
nat64 v4v6 static 10.121.13.52 2001:DB8:CAFE:BEEF::48
nat64 v6v4 list EDGE_ACL pool EDGE overload
!
interface GigabitEthernet0/0/0
 description to 6k-dmz-1 Outside
 no ip address
 ipv6 address 2001:DB8:CAFE:5555::1/64
 ipv6 eigrp 10
 nat64 enable
!
interface GigabitEthernet0/0/1
 description to 6k-dmz-1 Inside
 ip address 10.121.220.1 255.255.255.0
 nat64 enable
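The ISATAP addresses on the client slide (2001:db8:cafe:3:0:5efe:10.122.10.101, fe80::5efe:10.122.10.101) and the /96 NAT64 prefix above both carry an IPv4 address in their low 32 bits. The following added example (not Cisco's code) derives and checks both forms with Python's standard ipaddress module; the static nat64 v4v6 entries above use hand-picked suffixes, so the RFC 6052 rule shown here is the one that governs the dynamically translated flows.

```python
"""ISATAP and NAT64 /96 address arithmetic (added example, not from the slides)."""
import ipaddress

ISATAP_TAG = 0x5EFE   # the "5efe" marker in every ISATAP interface identifier
U_BIT = 0x0200        # set in the top hextet only when the IPv4 address is globally unique


def isatap_interface_id(ipv4: str, global_ipv4: bool = False) -> int:
    """Low 64 bits of an ISATAP address: [0000|0200]:5efe:<IPv4 as 32 bits>."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    u = U_BIT if global_ipv4 else 0
    top32 = (u << 16) | ISATAP_TAG
    return (top32 << 32) | v4


def isatap_address(prefix: str, ipv4: str, global_ipv4: bool = False) -> ipaddress.IPv6Address:
    """Address a host forms for its IPv4 address on a /64 ISATAP tunnel prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4, global_ipv4))


def isatap_embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint from an ISATAP address; reject other interface ids.

    Useful when correlating an IPv6 address in a log with the host's IPv4 address.
    """
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)
    if (iid >> 32) & 0xFDFF_FFFF != ISATAP_TAG:   # mask out the u bit, then demand 0000:5efe
        raise ValueError("interface identifier is not ISATAP (no 5efe tag)")
    return str(ipaddress.IPv4Address(iid & 0xFFFF_FFFF))


def windows_style(addr: ipaddress.IPv6Address) -> str:
    """Render the last 32 bits dotted, the way ipconfig prints ISATAP addresses."""
    n = int(addr)
    head = str(ipaddress.IPv6Address(n & ~0xFFFF_FFFF))  # e.g. "fe80::5efe:0:0"
    dotted = str(ipaddress.IPv4Address(n & 0xFFFF_FFFF))
    if head.endswith("::"):        # the two trailing zero groups were compressed away
        head = head[:-2]
    elif head.endswith(":0:0"):    # a longer zero run elsewhere took the "::"
        head = head[:-4]
    return f"{head}:{dotted}"


def nat64_embed(prefix96: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 6052 with a /96 prefix: the IPv4 address occupies the last 32 bits."""
    net = ipaddress.IPv6Network(prefix96, strict=False)
    if net.prefixlen != 96:
        raise ValueError("this helper handles /96 NAT64 prefixes only")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix96: str, ipv6: str) -> str:
    """Reverse of nat64_embed; refuses addresses that are not inside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix96, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix96}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


if __name__ == "__main__":
    pc = "10.122.10.101"                         # the PC from the ISATAP client slide
    router = "10.122.10.103"                     # Loopback3, the tunnel source on the core
    print(windows_style(isatap_address("2001:db8:cafe:3::/64", pc)))
    print(windows_style(isatap_address("fe80::/64", pc)))
    print(windows_style(isatap_address("fe80::/64", router)), "<- default gateway")
    # 10.121.13.52 has a static ::48 mapping on the ASR; this is what RFC 6052 alone would give
    print(nat64_embed("2001:DB8:CAFE:BEEF::/96", "10.121.13.52"))
```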

NAT64 Translations (Reference)

ASR1k#sh nat64 translations
Proto  Original IPv4       Translated IPv6                 Translated IPv4     Original IPv6
----------------------------------------------------------------------------
Static Entries
---    10.121.12.70        2001:db8:cafe:beef::46          ---                 ---
---    10.121.13.52        2001:db8:cafe:beef::48          ---                 ---
Dynamic Overloaded Entries
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1024    [2001:db8:cafe:10::16]:53601
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1025    [2001:db8:cafe:10::16]:53600
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1026    [2001:db8:cafe:10::16]:53599
tcp    10.121.12.70:80     [2001:db8:cafe:beef::46]:80     10.121.55.1:1027    [2001:db8:cafe:10::16]:53598
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1028    [2001:db8:cafe:10::16]:53597
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1029    [2001:db8:cafe:10::16]:53596
tcp    10.121.12.70:443    [2001:db8:cafe:beef::46]:443    10.121.55.1:1030    [2001:db8:cafe:10::16]:53593

Total number of translations: 9

NAT64 Statistics (Reference)

ASR1k#show nat64 statistics
NAT64 Statistics

Global Stats:
   Total active translations: 6 (3 static, 3 dynamic, 3 extended)
   Sessions found: 171
   Sessions created: 3
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 100
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 74

Interface Statistics
   GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):
      Packets translated (IPv6 -> IPv4)
         Stateless: 0
         Stateful: 74
   GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
      Packets translated (IPv4 -> IPv6)
         Stateful: 100

Dynamic Mapping Statistics
   v6v4
      access-list EDGE_ACL pool EDGE refcount 3
         pool EDGE: start 10.121.55.1 end 10.121.55.1
         total addresses 1, allocated 1 (100%)

*Output reduced for clarity

Apache2 Reverse Proxy

[Diagram: IPv6 client 2001:db8:beef:10::16 – TCP – Apache (one-arm or dual-attached) 2001:db8:cafe:12::5 / 10.121.11.125 – TCP – IPv4-only web server 10.121.11.60]

Apache configuration:
<VirtualHost *:80>
    ProxyPass / http://10.121.11.60:80/
    ProxyPassReverse / http://10.121.11.60:80/
</VirtualHost>

Netstat - Client:
TCP    [2001:db8:beef:10::16]:54640    [2001:db8:cafe:12::5]:80    ESTABLISHED
TCP    [2001:db8:beef:10::16]:54641    [2001:db8:cafe:12::5]:80    ESTABLISHED

Netstat - Proxy:
Proto Recv-Q Send-Q Local Address              Foreign Address                 State
tcp        0      0 10.121.11.125:40475        10.121.11.60:80                 ESTABLISHED
tcp        0      0 10.121.11.125:40476        10.121.11.60:80                 ESTABLISHED
tcp6       0      0 2001:db8:cafe:12::5:80     2001:db8:beef:10::16:54640      ESTABLISHED
tcp6       0      0 2001:db8:cafe:12::5:80     2001:db8:beef:10::16:54641      ESTABLISHED

Netstat - Server:
TCP    10.121.11.60:80    10.121.11.125:40475    ESTABLISHED
TCP    10.121.11.60:80    10.121.11.125:40476    ESTABLISHED

Microsoft Windows PortProxy

• Can be treated like an appliance
• Outside traffic comes in on IPv6—PortProxy to v4 (VIP address on ACE)
• Traffic is IPv4 to the server
• Dual-attached (better perf)

[Diagram: PortProxy one-arm (2001:db8:cafe:12::25 / 10.121.5.25) in front of an ACE VIP (10.121.12.20); PortProxy dual-attached directly in front of the IPv4-only web server.]

PortProxy Configuration/Monitoring

netsh interface portproxy>sh all

Listen on ipv6:                       Connect to ipv4:
Address               Port            Address         Port
--------------------- ----------      --------------- ----------
2001:db8:cafe:12::25  80              10.121.5.20     80

Active Connections

  Proto  Local Address                Foreign Address                State
  TCP    10.121.5.25:58141            10.121.5.20:http               ESTABLISHED
  TCP    10.121.5.25:58573            10.121.5.20:http               ESTABLISHED
  TCP    [2001:db8:cafe:12::25]:80    [2001:db8:cafe:10::17]:52047   ESTABLISHED

ACE connection table: conn-id 14 (np 1, dir in, TCP, vlan 5) and conn-id 13 (np 1, dir out, TCP, vlan 5) for the flow between 10.121.5.15:80 and the peer's source port 1062, both in state ESTAB.

PortProxy Performance
Throughput Example

[Chart: HTTP throughput comparison, direct vs. PortProxy, for download-1gig (1.2G); series Direct v6-v6, PortProxy v6v4 and PortProxy v6v6; throughput (Mbps) bars at 247.4, 206.2 and 192 on a 0–250 axis.]

PortProxy Performance
CPU Utilization on PortProxy Server

[Chart: CPU utilization on the PortProxy server.]

Dual Stack the Internet Edge

• Dual stack the same network you have
• If not, do just enough IPv6-only to get you going
• Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
• You may have to embrace SLB64/proxy/NAT64 for IPv4-only apps

[Diagram: Internet (ISP 1, ISP 2) – Edge Router – Outer Switch – Security Services – Inner switching/SLB/Proxy/Compute – DMZ/Server Farm (Web, Email, Other) – Enterprise Core – Internal Enterprise]

What if I Can't Dual Stack My Edge?

[Diagram: three ways to reach an IPv4-only host from the IPv6 Internet: a server load balancer (IPv6 in, IPv4 out); stateful NAT64; a proxy (Apache, MSFT PortProxy).]

Internet Edge – to ISP
Boatloads of options

[Diagram: Single Link, Single ISP (ISP 1 POP1, default route); Dual Links, Single ISP (ISP 1 POP1 and POP2, IPv4-only BGP plus IPv6 tunnel); Multi-Homed, Multi-Region (ISP 1 and ISP2 in the USA, ISP3 and ISP4 in Europe, BGP).]

• Your ISP may not have IPv6 at the local POP
• See BRKRST-2044 Enterprise Multi-homed Internet Architectures

WAN/Branch

Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

WAN/Branch Deployment

• Cisco routers have supported IPv6 for a long time
• Dual-stack should be the focus of your implementation—but some situations still call for tunneling
• Support for every media/WAN type you want to use (Frame Relay, MPLS, broadband, leased-line, etc.)
• Don't assume all features for every technology are IPv6-enabled
• Better feature support in WAN/branch than in campus/DC

[Diagram: Dual Stack branch – Dual Stack SP Cloud – Dual Stack corporate network]

IPv6 Enabled Branch
Focus more on the provider and less on the gear

[Diagram: Branch Single Tier over the Internet (dual-stack IPsec VPN (IPv4/IPv6), firewall (IPv4/IPv6), integrated switch (MLD snooping)); Branch Dual Tier over Frame Relay or the Internet (dual-stack IPsec VPN or Frame Relay, firewall (IPv4/IPv6), switches (MLD snooping)); Branch Multi-Tier over MPLS (dual-stack IPsec VPN or MPLS (6PE/6VPE), firewall (IPv4/IPv6), switches (MLD snooping)); each connects to HQ. Questions for the provider: SP support for various WAN types? SP support for port-to-port IPv6?]

Hybrid Branch Example

• Mixture of attributes from each profile
• An example to show configuration for different tiers
• Basic HA in critical roles is the goal

[Diagram: Branch (BR1-LAN-SW, BR1-LAN on VLAN 101: 2001:DB8:CAFE:1002::/64; BR1-1 ::2 and BR1-2 ::3; ASA-1 ::1 inside and ::4/::5 on 2001:DB8:CAFE:1000::/64) – Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 and Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64 across the WAN – Headquarters (HE1 ::1, HE2 ::1, 2001:DB8:CAFE:202::/64) – Enterprise Campus / Data Center. HSRP for IPv6 VIP address: FE80::5:73FF:FEA0:2. Branch VLAN interfaces: 104 – 2001:DB8:CAFE:1004::/64 – PC; 105 – 2001:DB8:CAFE:1005::/64 – Voice; 106 – 2001:DB8:CAFE:1006::/64 – Printer.]

DMVPN with IPv6
Hub Configuration Example

[Diagram: BR1-1 (::2) and BR1-2 (::3) across the WAN to HE1 (::1) over the Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 and to HE2 (::1) over the Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64.]

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
!
interface Tunnel0
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile HUB

DMVPN with IPv6
Spoke Configuration Example

[Diagram: BR1-1 (::2) and BR1-2 (::3) across the WAN to HE1 (::1) over the Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 and to HE2 (::1) over the Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64.]

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE
!
interface Tunnel0
 description to HUB
 ip address 10.126.1.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::2/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
 ipv6 nhrp map multicast 172.16.1.1
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile SPOKE

ASA with IPv6

Snippet of full config – examples of IPv6 usage

name 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch
name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server
!
interface GigabitEthernet0/0
 description TO WAN
 nameif outside
 security-level 0
 ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5
 ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5
!
interface GigabitEthernet0/1
 description TO BRANCH LAN
 nameif inside
 security-level 100
 ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2
 ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2
!
ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3
ipv6 route outside ::/0 fe80::5:73ff:fea0:2
!
ipv6 access-list v6-ALLOW permit icmp6 any any
ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP
!
failover
failover lan unit primary
failover lan interface FO-LINK GigabitEthernet0/3
failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2
!
access-group v6-ALLOW in interface outside

Branch LAN Connecting Hosts

ipv6 dhcp pool DATA_W7
 dns-server 2001:DB8:CAFE:102::8
 domain-name cisco.com
!
interface GigabitEthernet0/0
 description to BR1-LAN-SW
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.104
 description VLAN-PC
 encapsulation dot1Q 104
 ip address 10.124.104.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1004::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_W7
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
 description VLAN-PHONE
 encapsulation dot1Q 105
 ip address 10.124.105.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
 ipv6 eigrp 10

Diagram: BR1-LAN-SW VLAN interfaces on BR1-LAN: 104 - 2001:DB8:CAFE:1004::/64 – PC; 105 - 2001:DB8:CAFE:1005::/64 – Voice; 106 - 2001:DB8:CAFE:1006::/64 – Printer; 102 (remaining label not recoverable).
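The two VLANs above rely on different Router Advertisement flag combinations: the PC VLAN leaves A set and turns on O (SLAAC plus stateless DHCPv6 for DNS), the phone VLAN clears A, zeroes the prefix lifetimes and sets M (stateful DHCPv6 via the relay). The following added example, not code from the Cisco deck, builds RAs with those flag settings and classifies what a host will do with them; it is a defender's check that the RA seen on a segment matches the intended design (constructed packets, checksum left zero).

```python
"""Added example (not from the Cisco deck): build and parse an ICMPv6 Router
Advertisement and classify the addressing model its M/O/A flags request,
mirroring the two Branch LAN VLANs configured above."""
import ipaddress
import struct

ICMPV6_RA = 134          # Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861)


def build_ra(prefix, *, managed, other, autonomous, valid=2592000, preferred=604800):
    """Constructed RA: 16-byte ICMPv6 header plus one Prefix Information option.
    Checksum is left 0 here; a real sender computes it over the IPv6 pseudo-header."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)      # M and O bits
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = 0x80 | (0x40 if autonomous else 0)                 # L always, A optional
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                      valid, preferred, 0) + net.network_address.packed
    return hdr + pio


def parse_ra(msg):
    """Return the M/O flags, router lifetime and every Prefix Information option."""
    if len(msg) < 16:
        raise ValueError("truncated ICMPv6 header")
    typ, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_RA:
        raise ValueError(f"ICMPv6 type {typ} is not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")     # RFC 4861: discard the packet
        body = msg[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) == 32:
            plen, pflags = body[2], body[3]
            pfx = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{pfx}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": struct.unpack("!I", body[4:8])[0]})
        off += olen * 8
    return ra


def addressing_model(ra):
    """What a host will do with this RA: the PC VLAN should read as SLAAC plus
    stateless DHCPv6, the phone VLAN as stateful DHCPv6 with no SLAAC."""
    slaac = any(p["autonomous"] and p["valid"] > 0 for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6" + (" plus SLAAC" if slaac else "")
    if slaac and ra["other"]:
        return "SLAAC + stateless DHCPv6"
    if slaac:
        return "SLAAC only"
    return "no global address from this RA"
```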

Remote Access

Cisco Remote VPN – IPv6 Client-based SSL

 AnyConnect Client 2.x and higher
 SSL/TLS or DTLS (datagram TLS = TLS over UDP)
 Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.

Diagram: a Dual-Stack Host running the AnyConnect Client connects across the Internet to the Cisco ASA.

AnyConnect 2.x—SSL VPN

asa-edge-1#show vpn-sessiondb svc

Session Type: SVC

Username     : ciscoese               Index        : 14
Assigned IP  : 10.124.2.200           Public IP    : 10.123.2.18
Assigned IPv6: 2001:db8:cafe:101::101
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 79763                  Bytes Rx     : 176080
Group Policy : AnyGrpPolicy           Tunnel Group : ANYCONNECT
Login Time   : 14:09:25 MST Mon Dec 17 2007
Duration     : 0h:47m:48s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Diagram: Dual-Stack Host with AnyConnect Client, across the Internet, to the Cisco ASA.

AnyConnect 2.x—Summary Configuration

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.123.2.4 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.123.1.4 255.255.255.0
 ipv6 address 2001:db8:cafe:101::ffff/64
!
ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy AnyGrpPolicy internal
group-policy AnyGrpPolicy attributes
 vpn-tunnel-protocol svc
 default-domain value cisco.com
 address-pools value AnyPool
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool AnyPool
 ipv6-address-pool ANYv6POOL
 default-group-policy AnyGrpPolicy
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable

Diagram: ASA with Outside and Inside interfaces, the inside holding 2001:db8:cafe:101::ffff.
Reference: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin6.html#wp1002258

Communicating with the Service Provider

Top SP Concerns for Enterprise Accounts
 Port to Port Access
 IPv6 Content
 Multi-Homing
 Provisioning

Port-to-Port Access (Port to Port Access | IPv6 Content | Provisioning | Multi-Homing)

Basic Internet*
 • Dual-stack or native IPv6 at each POP
 • SLA driven just like IPv4 to support VPN, content access
MPLS
 • 6VPE
 • IPv6 Multicast
 • End-to-End traceability
Hosted (see content)
 • IPv6 access to hosted content
 • Cloud migration (move data from Ent DC to Hosted DC)

* = most common issue

Multi-Homing (Port to Port Access | IPv6 Content | Provisioning | Multi-Homing)

PI/PA Policy*
 • PA is no good for customers with multiple providers or who change them at any pace
 • PI is new, constantly changing expectations and no "guarantee" an SP won't do something stupid like not route PI space
Concerns
 • Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI
NAT
 • Religious debate about the security exposure – not a multi-homing issue
 • If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from – no scalable IPv6 NAT exists today
Routing
 • Is it really different from what we do today with IPv4? Is this policy stuff?
 • Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc. – this is largely missing today

* = most common issue

Content (Port to Port Access | IPv6 Content | Provisioning | Multi-Homing)

Rows: Hosted/Cloud Apps today*, Move to Hosted/Cloud, Contract/Managed, Marketing/Portals
 • IPv6 provisioning and access to hosted or cloud-based services today (existing agreements)
 • Salesforce.com, Amazon, Microsoft BPOS (Business Productivity Online Services), Google Apps
 • Movement from internal-only DC services to hosted/cloud-based DC
 • Provisioning, data/network migration services, DR/HA
 • Third-party marketing, business development, outsourcing
 • Existing contracts – connect over IPv6

* = most common issue

Provisioning (Port to Port Access | IPv6 Content | Provisioning | Multi-Homing)

SP Self-Service Portals*
 • Not a lot of information from accounts on this but it does concern them
 • How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6
SLA
 • More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA
 • Again, how can they do this over IPv6 AND for IPv6 services

* = most common issue

IPv6 integration should be managed from a broad architectural / 'systems-wide' perspective…

IPv6 integration is not 'just a network upgrade' but a complex endeavour, involving many elements and capabilities which evolve over time, rather than changing all at once. Planning and coordination is required from many across the organisation, including …
 Network engineers & operators
 Security engineers
 Application developers
 Desktop (Office Automation) / Server engineers
 Web hosting / content developers
 Business development managers
 …
Moreover, training will be required for all involved in supporting the various IPv6 based network services.

Conclusion
 • "Dual stack where you can – Tunnel where you must – Translate when you have a gun to your head"
 • Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
 • Now is your time to build a network your way – don't carry the IPv4 mindset forward with IPv6 unless it makes sense
 • Deploy it – at least in a lab – IPv6 won't bite

"If you don't like change, you're going to like irrelevance even less." – Gen. Shinseki, Chief of Staff, U.S. Army


Thank you.

Reference Slides

Reference Slides: Microsoft Windows Vista/Windows 7/Server 2008

Understand the Behavior of Vista/W7
 IPv6 is preferred over IPv4
   Vista/W7 sends IPv6 NA/NS/RS upon link-up
   Attempts DHCP for IPv6
   If no DHCP or local RA received with Global or ULA, then try ISATAP
   If no ISATAP, then try Teredo
 Become familiar with Teredo
   http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
 ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4—http://www.microsoft.com/technet/network/p2p/default.mspx

In More Detail—Vista/W7 on Link-Up, No Network Services

No.  Time        Source                     Destination          Protocol  Info
1    0.000000    ::                         ff02::1:ffae:4361    ICMPv6    Neighbor solicitation
2    0.000030    fe80::80aa:fd5:f7ae:4361   ff02::2              ICMPv6    Router solicitation
3    0.000080    fe80::80aa:fd5:f7ae:4361   ff02::16             ICMPv6    Multicast Listener Report Message v2
4    1.155917    fe80::80aa:fd5:f7ae:4361   ff02::1:3            UDP       Source port: 49722  Destination port: 5355
5    1.156683    169.254.67.97              224.0.0.252          UDP       Source port: 49723  Destination port: 5355
6    3.484709    169.254.67.97              169.254.255.255      NBNS      Name query NB ISATAP<00>
7    126.409530  fe80::80aa:fd5:f7ae:4361   ff02::1:2            DHCPv6    Information-request
8    128.886397  0.0.0.0                    255.255.255.255      DHCP      DHCP Discover—Transaction ID 0x6c8d6efa

1. Unspecified address :: to the solicited-node address: NS/DAD
2. Looking for a local router: ff02::2 RS
3. Looking for MLD-enabled routers: ff02::16 MLDv2 report
4. LLMNR for IPv6—ff02::1:3—advertise hostname
5. LLMNR for IPv4—224.0.0.252 from RFC 3927 address
6. No global or ULA received via step 1/2—Try ISATAP
7. Try DHCP for IPv6—ff02::1:2
8. Try DHCP for IPv4

11.2.1 10.2) .Transaction ID 0x2b8af443 Protocol Info DNS Standard query A isatap.120.2 ISATAP?? Teredo?? BRKRST-2301 © 2011 Cisco and/or its affiliates.0 IPv4-only Router 10.120.2 10.2.362181 10.2.2 Destination 10.2 No. 2 context items. Time Source 580 296.3.2.2.cisco.3...2.l=9) Domain Name = "cisco.2 582 296.2 No. Bootstrap Protocol .2 581 296.3.121.2.120.120.2.2.com" ..2 121 .120.l=4) Router = 10.120.4 Destination 10.2 .2 10..121.11.2 (10.120.687913 10. Your (client) IP address: 10.120.687721 10.120.l=4) Domain Name Server = 10.3.. Time Source 70 13.2.813509 10.120.360756 10.2 583 296.microsoft.120. No.120.1 Option: (t=6. All rights reserved. ACK] Seq=0 Ack=1 Win=2097152 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0 DCERPC Bind: call_id: 1. Time Source Destination Protocol Info 13 8.com Protocol Info DNS Standard query A teredo. 1st IOXIDResolver V0.2 10.686197 10.. Time Source 138 25.ipv6.120.120. Cisco Public 10.3.120.4 Destination 10.com Protocol Info TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8 TCP epmap > 49211 [SYN.121..2 DHCP DHCP ACK .2.120. Option: (t=3.687794 10.11.2..4 Option: (t=15.120.IPv4 Network—No IPv6 Network Services What Does Vista/W7 Try to Do? No.

What Is Teredo?
 RFC4380
 Tunnel IPv6 through NATs (NAT types defined in RFC3489)
   Full Cone NATs (aka one-to-one)—Supported by Teredo
   Restricted NATs—Supported by Teredo
   Symmetric NATs—Supported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NAT
 Uses UDP port 3544
 Is complex—many sequences for communication and has several attack vectors
 Available on:
   Microsoft Windows XP SP1 w/Advanced Networking Pack
   Microsoft Windows Server 2003 SP1
   Microsoft Windows Vista/W7 (enabled by default—inactive until application requires it)
   Microsoft Server 2008
   http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
   Linux, BSD and Mac OS X—"Miredo" http://www.simphalempin.com/dev/miredo/

Teredo Components
 Teredo Client—Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
 Teredo Server—Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts—Listens on UDP port 3544
 Teredo Relay—Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
 Teredo Host-Specific Relay—Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay

Teredo Overview (diagram, from the Microsoft "Teredo Overview" paper): two Teredo clients, each behind a NAT on the IPv4 Internet, exchange IPv6 over IPv4 traffic with the Teredo server, a Teredo relay and a Teredo host-specific relay; the relays carry native IPv6 traffic across the IPv6 Internet to an IPv6-only host.

Teredo Address

32 bits: Teredo prefix | 32 bits: Teredo Server IPv4 Address | 16 bits: Flags | 16 bits: Obfuscated External Port | 32 bits: Obfuscated External Address

 Teredo IPv6 prefix (2001::/32—previously was 3FFE:831F::/32)
 Teredo Server IPv4 address: global address of the server
 Flags: defines NAT type (e.g. Cone NAT)
 Obfuscated External Port: UDP port number to be used with the IPv4 address
 Obfuscated External Address: contains the global address of the NAT

Initial Configuration for Client
1. RS message sent from Teredo client to server—RS from LL address with Cone flag set
2. Server responds with RA—RS has Cone flag set—server sends RA from alternate v4 address—if client receives the RA, client is behind cone NAT
3. If RA is not received by client, client sends another RS with Cone flag not set
4. Server responds with RA from v4 address = destination v4 address from RS—if client receives the RA, client is behind restricted NAT
5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server
6. 2nd server sends an RA to client—client compares mapped address and UDP ports in the Origin indicators of the RAs received from both servers. If different, then the NAT is mapping the same internal address/port to different external address/ports and the NAT is a symmetric NAT
7. Client constructs Teredo address from RA
   First 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo server address)
   Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)
   Next 16 bits are the external obscured UDP port from the Origin indicator in the RA
   Last 32 bits are the obscured external IP address from the Origin indicator in the RA

Diagram: Teredo Client behind a NAT (external v4 address and UDP port) on the IPv4 Internet, exchanging steps 1–6 with Teredo Server 1 and Teredo Server 2; step 7 yields 2001:0:4136:e37e:0:fbaa:b97e:fe4e = Teredo Prefix | Teredo Server v4 | Flags | Ext. UDP Port | External v4 address.

What Happens on the Wire—1

No.  Time       Source         Destination    Protocol  Info
15   25.468050  172.16.1.103   151.164.1.201  DNS       Standard query A teredo.ipv6.microsoft.com
16   25.481609  151.164.1.201  172.16.1.103   DNS       Standard query response A 65.54.227.120 A 65.54.227.124 A 65.54.227.126 A 65.54.227.127

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : probe(cone)
Type                    : teredo client
Network                 : unmanaged
NAT                     : cone

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : qualified
Type                    : teredo client
Network                 : unmanaged
NAT                     : restricted

What Happens on the Wire—2

No.  Time       Source                     Destination           Protocol  Info
28   33.546052  fe80::ffff:ffff:fffd       ff02::2               ICMPv6    Router solicitation
      Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
      User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
29   37.593598  fe80::8000:ffff:ffff:fffd  ff02::2               ICMPv6    Router solicitation
      Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
      User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
31   45.039706  fe80::8000:f227:bec9:1c81  fe80::ffff:ffff:fffd  ICMPv6    Router advertisement
      Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
      User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)
      Teredo Origin Indication header
        Origin UDP port: 1109
        Origin IPv4 address: 70.129.1.177
      Prefix: 2001:0:4136:e37e::
32   46.093832  fe80::ffff:ffff:fffd       ff02::2               ICMPv6    Router solicitation
      Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)
      User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
33   46.398745  fe80::8000:f227:bec9:1c81  fe80::ffff:ffff:fffd  ICMPv6    Router advertisement
      Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)
      User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)
      Teredo Origin Indication header
        Origin UDP port: 1109
        Origin IPv4 address: 70.129.1.177
      Prefix: 2001:0:4136:e37e::
34   46.595460  fe80::8000:ffff:ffff:fffd  ff02::2               ICMPv6    Router solicitation
      Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
      User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

Sequence: send RS with Cone Flag=1 (Cone NAT) every 4 seconds; if no reply, send Flag=0 (restricted NAT); receive RA with Origin header and prefix; send RS to 2nd server to check for symmetric NAT; compare the 2nd RA—Origin port/address from the 2nd server.

What Happens on the Wire—3

No.  Time        Source                             Destination                          Protocol  Info
82   139.530547  172.16.1.103                       151.164.1.201                        DNS       Standard query AAAA www.kame.net
83   139.789493  151.164.1.201                      172.16.1.103                         DNS       Standard query response AAAA 2001:200:0:8002:203:47ff:fea5:3085
96   148.960607  2001:0:4136:e37e:0:fbaa:b97e:fe4e  2001:200:0:8002:203:47ff:fea5:3085   ICMPv6    Echo request
      Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
      User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
97   149.258206  fe80::8000:5445:5245:444f          2001:0:4136:e37e:0:fbaa:b97e:fe4e    IPv6      IPv6 no next header
      Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
      Teredo IPv6 over UDP tunneling
      Teredo Origin Indication header
        Origin UDP port: 50206
        Origin IPv4 address: 66.117.47.227
98   149.405579  172.16.1.103                       66.117.47.227                        UDP       Source port: 1109   Destination port: 50206
99   149.405916  66.117.47.227                      172.16.1.103                         UDP       Source port: 50206  Destination port: 1109
100  149.463719  172.16.1.103                       66.117.47.227                        UDP       Source port: 1109   Destination port: 50206
101  149.464100  66.117.47.227                      172.16.1.103                         UDP       Source port: 50206  Destination port: 1109
      ………

Frames 82–83: DNS lookup and response. Frame 96: ICMP to the host via the Teredo Server. Frame 97: the relay sends a Bubble to the client via the server—the client receives the relay address/port. Frames 98–101: packets to/from the IPv6 host and client traverse the relay.

According to MSFT, if Teredo is the only IPv6 path, the AAAA query should not be sent—being researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspx

What Happens on the Wire—3 (Cont.)

Interface 7: Teredo Tunneling Pseudo-Interface

Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  -----------------------------
Public     Preferred  infinite    infinite    2001:0:4136:e37e:0:fbaa:b97e:fe4e
Link       Preferred  infinite    infinite    fe80::ffff:ffff:fffd

C:\>ping www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=453ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms

Maintaining NAT Mapping
 Every 30 seconds (adjustable) clients send a single bubble packet to the Teredo server to refresh NAT state
 Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59—No next header)

No.  Time       Source                             Destination  Protocol  Info
35   46.399072  2001:0:4136:e37e:0:fbaa:b97e:fe4e  ff02::1      IPv6      IPv6 no next header

Frame 35 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
Teredo IPv6 over UDP tunneling
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 0
    Next header: IPv6 no next header (0x3b)
    Hop limit: 21
    Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
    Destination address: ff02::1
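The Teredo Address, Initial Configuration and On-the-Wire slides above all use the client address 2001:0:4136:e37e:0:fbaa:b97e:fe4e; the following added example, not code from the Cisco deck, decodes that address back into server, NAT flags and de-obfuscated external port/address (the port comes out as 1109, matching the Origin Indication in the captures), and parses the Teredo UDP payload format (Origin Indication header plus encapsulated IPv6 header) so a bubble like frame 35 can be recognised. The bubble bytes are constructed in the example; only the RFC 4380 field layout is assumed.

```python
"""Added example (not from the Cisco deck): decode a Teredo address and parse the
Teredo UDP payload (Origin Indication + encapsulated IPv6 header), as shown on the
Teredo Address, Initial Configuration, On the Wire and NAT Mapping slides."""
import ipaddress
import socket
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # 3FFE:831F::/32 was the old prefix
TEREDO_PORT = 3544
NO_NEXT_HEADER = 59                                  # bubble: IPv6 header, no payload


def _unobfuscate_v4(raw):
    # RFC 4380 stores the NAT-mapped IPv4 address XORed with 0xFFFFFFFF
    return socket.inet_ntoa(bytes(b ^ 0xFF for b in raw))


def decode_teredo(addr):
    """Split a Teredo address into server, NAT type, external port and address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not inside {TEREDO_PREFIX}")
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": socket.inet_ntoa(raw[4:8]),
        "cone_nat": bool(flags & 0x8000),      # 0x8000 = cone NAT, 0x0000 = restricted
        "external_port": obf_port ^ 0xFFFF,    # port is stored XORed with 0xFFFF
        "external_address": _unobfuscate_v4(raw[12:16]),
    }


def parse_teredo_payload(payload):
    """Teredo UDP payload: optional Origin Indication (starts 0x0000), then IPv6."""
    off, origin = 0, None
    if payload[:2] == b"\x00\x00":
        obf_port, obf_addr = struct.unpack("!H4s", payload[2:8])
        origin = {"port": obf_port ^ 0xFFFF, "address": _unobfuscate_v4(obf_addr)}
        off = 8
    hdr = payload[off:off + 40]
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        raise ValueError("expected an IPv6 header after the Teredo indicators")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", hdr[4:8])
    return {
        "origin": origin,
        "src": str(ipaddress.IPv6Address(hdr[8:24])),
        "dst": str(ipaddress.IPv6Address(hdr[24:40])),
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "is_bubble": next_hdr == NO_NEXT_HEADER and payload_len == 0,
    }


def build_bubble(src, dst, origin=None, hop_limit=21):
    """Constructed bubble for the demo: IPv6 header, payload length 0, Next Header 59,
    optionally preceded by an Origin Indication header (port, IPv4 address)."""
    pkt = struct.pack("!IHBB", 0x60000000, 0, NO_NEXT_HEADER, hop_limit)
    pkt += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    if origin is not None:
        port, addr = origin
        obf_addr = bytes(b ^ 0xFF for b in socket.inet_aton(addr))
        pkt = struct.pack("!HH4s", 0, port ^ 0xFFFF, obf_addr) + pkt
    return pkt
```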

Reference Slides: ISATAP Overview

Intrasite Automatic Tunnel Address Protocol
 RFC 4214
 This is for enterprise networks such as corporate and academic networks
 Scalable approach for incremental deployment
 ISATAP uses your IPv4 infrastructure as the transport (NBMA) network

Intrasite Automatic Tunnel Address Protocol

Use IANA's OUI 00-00-5E and encode the IPv4 address as part of the EUI-64:
64-bit Unicast Prefix | 0000:5EFE: | 32-bit IPv4 Address
(the last two fields form the 64-bit Interface Identifier)

 ISATAP is used to tunnel IPv6 within an administrative domain (a site) to create a virtual IPv6 network over an IPv4 network
 Supported in Windows XP Pro SP1 and others

Automatic Advertisement of ISATAP Prefix

ISATAP Host A on the IPv4 Network builds an ISATAP Tunnel to ISATAP Router 1 (E0 towards the IPv6 Network).

ICMPv6 Type 133 (RS) – "Send me ISATAP Prefix"
  IPv4 Source: 206.123.20.100
  IPv4 Destination: 206.123.31.200
  IPv6 Source: fe80::5efe:ce7b:1464
  IPv6 Destination: fe80::5efe:ce7b:1fc8

ICMPv6 Type 134 (RA)
  IPv4 Source: 206.123.31.200
  IPv4 Destination: 206.123.20.100
  IPv6 Source: fe80::5efe:ce7b:1fc8
  IPv6 Destination: fe80::5efe:ce7b:1464
  ISATAP Prefix: 2001:db8:ffff:2::/64

Automatic Address Assignment of Host and Router

ISATAP Host A (IPv4 Network side of the ISATAP Tunnel):
  206.123.20.100
  fe80::5efe:ce7b:1464
  2001:db8:ffff:2::5efe:ce7b:1464
ISATAP Router 1 (E0 towards the IPv6 Network):
  206.123.31.200
  fe80::5efe:ce7b:1fc8
  2001:db8:ffff:2::5efe:ce7b:1fc8

 ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
 When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets carrying the encapsulated IPv6 packets use the IPv4 source and destination addresses embedded in the interface identifiers.
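The address construction on the last three slides (0000:5EFE followed by the IPv4 address, under fe80::/64 for link-local and under the advertised /64 for the global address) is mechanical enough to check in code. The following added example, not code from the Cisco deck, builds and decodes ISATAP addresses for the hosts shown (206.123.20.100 and 206.123.31.200 with prefix 2001:db8:ffff:2::/64); the optional u/l-bit variant (0200:5EFE for globally unique IPv4 addresses) is an extension beyond the deck's examples.

```python
"""Added example (not from the Cisco deck): build and decode ISATAP addresses the way the
Intrasite Automatic Tunnel Address Protocol slides describe (IID = 0000:5EFE + IPv4)."""
import ipaddress

ISATAP_OUI_TYPE = 0x00005EFE          # IANA OUI 00-00-5E followed by type byte FE
UL_BIT = 0x02000000                   # u/l bit (0200:5EFE) when the IPv4 address is global


def isatap_iid(ipv4, global_ipv4=False):
    """64-bit ISATAP interface identifier. The deck's examples use 0000:5EFE even for
    206.123.x.x, so the u/l bit stays clear unless global_ipv4=True is requested."""
    hi = ISATAP_OUI_TYPE | (UL_BIT if global_ipv4 else 0)
    return (hi << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_link_local(ipv4):
    """fe80::5efe:<ipv4> used for the RS/RA exchange between host and ISATAP router."""
    return str(ipaddress.IPv6Address((0xFE80 << 112) | isatap_iid(ipv4)))


def isatap_global(prefix, ipv4):
    """Global ISATAP address once the router has advertised a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix from the router advertisement")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4)))


def ipv4_from_isatap(addr):
    """Reverse direction: the IPv4 tunnel endpoint a sender encapsulates towards,
    or None if the interface identifier is not ISATAP-formatted."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if ((iid >> 32) & ~UL_BIT & 0xFFFFFFFF) != ISATAP_OUI_TYPE:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def same_address(a, b):
    """Compare two textual IPv6 addresses regardless of :: compression style."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
```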

Reference Slides: Multicast

IPv4 and IPv6 Multicast Comparison

Service                | IPv4 Solution                                  | IPv6 Solution
Addressing Range       | 32-bit, Class D                                | 128-bit (112-bit Group)
Routing                | Protocol Independent, All IGPs and MBGP        | Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
Forwarding             | PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR    | PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group Management       | IGMPv1, v2, v3                                 | MLDv1, v2
Domain Control         | Boundary, Border                               | Scope Identifier
Interdomain Solutions  | MSDP Across Independent PIM Domains            | Single RP Within Globally Shared Domains

MLDv1: Joining a Group (REPORT)

Hosts H1 (FE80::209:5BFF:FE08:A674) and H2 (FE80::250:8BFF:FE55:78DE) share a link with rtr-a (FE80::207:85FF:FE80:692).

1. H1 sends a REPORT for the group: Destination FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type 131
2. H2 sends a REPORT for the group: Destination FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type 131

Source Group: FF3E:40:2001:DB8:C003:1109:1111:1111

MLDv1: Host Management (Group-Specific Query)

Hosts H1 (FE80::209:5BFF:FE08:A674) and H2 (FE80::250:8BFF:FE55:78DE) share a link with rtr-a (FE80::207:85FF:FE80:692).

1. H1 sends DONE to FF02::2: Destination FF02::2, ICMPv6 Type 132
2. RTR-A sends Group-Specific Query: Destination FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type 130
3. H2 sends REPORT for the group: ICMPv6 Type 131

Source Group: FF3E:40:2001:DB8:C003:1109:1111:1111

Other MLD Operations
 Leave/DONE
   Last host leaves—sends DONE (Type 132)
   Router will respond with group-specific query (Type 130)
   Router will use the last member query response interval (Default=1 sec) for each query
   Query is sent twice and if no reports occur then entry is removed (2 seconds)
 General Query (Type 130)
   Sent to learn of listeners on the attached link
   Sets the multicast address field to zero
   Sent every 125 seconds (configurable)

A Few Notes on Tunnels
 PIM uses tunnels when RPs/sources are known
 Source registering (on first-hop router)
   Uses virtual tunnel interface (appears in OIL for [S,G])
   Created automatically on first-hop router when RP is known
   Cisco IOS® keeps tunnel as long as RP is known
   Unidirectional (transmit only) tunnels
   PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)

PIM Tunnels (DR-to-RP)

branch#show ipv6 pim tunnel
Tunnel1*
 Type  : PIM Encap
 RP    : 2001:DB8:C003:1116::2
 Source: 2001:DB8:C003:111E::2

branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is transmit only
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  … output truncated…

Diagram: Source behind the DR in the Corporate Network, RP with Loopback0 (L0).

All rights reserved. Cisco Public 144 .PIM Tunnels (RP)  Source registering (on RP)  two virtual tunnels are created One transmit only for registering sources locally connected to the RP One receive only for decapsulation of incoming registers from remote designated routers No one-to-one relationship between virtual tunnels on designated routers and RP! BRKRST-2301 © 2011 Cisco and/or its affiliates.

PIM Tunnels (RP-for-Source)

RP-router#show ipv6 pim tunnel
Tunnel0*
 Type  : PIM Encap
 RP    : 2001:DB8:C003:1116::2
 Source: 2001:DB8:C003:1116::2
Tunnel1*
 Type  : PIM Decap
 RP    : 2001:DB8:C003:1116::2
 Source: -

RP-router#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:1116::2 (FastEthernet0/0), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is receive only
  … output truncated…

Diagram: Source in the Corporate Network, tunnel (Tu) terminating on the RP at Loopback0 (L0).

All rights reserved. Cisco Public 146 .Tunneling v6 Multicast v6 in v4  v6 in v4 most widely used tunnel mode ipv6ip <----.IS-IS cannot traverse  v6 in v4 GRE (IS-IS can traverse) tunnel mode gre ip  ISATAP/6to4 do not support IPv6 multicast v6 in v6  v6 in v6 tunnel mode ipv6  v6 in v6 GRE tunnel mode gre ipv6 BRKRST-2301 © 2011 Cisco and/or its affiliates.

Source Specific Multicast (SSM)
 No configuration required other than enabling ipv6 multicast-routing

router#show ipv6 pim range-list
config SSM Exp: never Learnt from : ::
 FF33::/32 Up: 1d00h
 FF34::/32 Up: 1d00h
 FF35::/32 Up: 1d00h
 FF36::/32 Up: 1d00h
 FF37::/32 Up: 1d00h
 FF38::/32 Up: 1d00h
 FF39::/32 Up: 1d00h
 FF3A::/32 Up: 1d00h
 FF3B::/32 Up: 1d00h
 FF3C::/32 Up: 1d00h
 FF3D::/32 Up: 1d00h
 FF3E::/32 Up: 1d00h
 FF3F::/32 Up: 1d00h

 SSM group ranges are automatically defined
 Requires MLDv2 on host or SSM Mapping feature

All rights reserved. Cisco Public 148 .SSM-Mapping  Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints  SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint  SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2) Range of groups can be statically defined or used with DNS Wildcards can be used to define range of groups BRKRST-2301 © 2011 Cisco and/or its affiliates.

SSM-Mapping

core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
  Incoming interface: GigabitEthernet3/3
  RPF nbr: FE80::20E:39FF:FEAD:9B00
  Immediate Outgoing interface list:
    GigabitEthernet5/1, Forward, 00:01:20/00:03:06

Static Mapping:
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
 permit ipv6 any host FF33::DEAD

SSM DNS Mapping (the default):
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
!
ip domain multicast ssm-map.cisco.com
ip name-server 10.1.1.1

Diagram: Source 2001:DB8:CAFE:11::11 in the Corporate Network sending to FF33::DEAD, with an MLDv1-only receiver downstream.

IPv6 Multicast Static RP
 Easier than before as PIM is auto-enabled on every interface

Diagram: Source in the Corporate Network; RP on Loopback0 (L0); the other routers reach it across the IP WAN

RP router:
ipv6 multicast-routing
!
interface Loopback0
 description IPV6 IPmc RP
 no ip address
 ipv6 address 2001:DB8:C003:110A::1/64
!
ipv6 pim rp-address 2001:DB8:C003:110A::1

All other routers:
ipv6 multicast-routing
!
ipv6 pim rp-address 2001:DB8:C003:110A::1

IPv6 Multicast PIM BSR: Configuration
Diagram: Source in the Corporate Network; wan-top (RP 2001:DB8:C003:1116::2) and wan-bottom (RP 2001:DB8:C003:110A::1) both attach to the IP WAN

wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2
ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2

wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1

Bidirectional PIM (Bidir)
 The same many-to-many model as before
 Configure the Bidir RP and range via the usual ipv6 pim rp-address syntax with the optional bidir keyword

!
ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir
!

#show ipv6 pim range | include BD
Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::


Embedded-RP Addressing Overview
 RFC 3956
 Relies on a subset of RFC 3306 (IPv6 unicast-prefix-based multicast group addresses) with special encoding rules:
Group address carries the RP address for the group!

Bits:   8  |   4   |   4   |  4   |  4   |  8   |       64       |    32
       FF  | Flags | Scope | Rsvd | RIID | Plen | Network Prefix | Group ID
(RIID = RP Interface ID, the low 4 bits of the RP address)

New address format defined:
Flags = 0RPT, R = 1, P = 1, T = 1 => RP address embedded (0111 = 7)
Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
  FF7E: flags 7 (R, P, T set), scope E (global)
  0140: Rsvd 0, RIID 1, Plen 0x40 = 64 bits of prefix
  2001:0DB8:C003:111D: network prefix; 0000:1112: group ID

Embedded RP: 2001:0DB8:C003:111D::1 (the 64-bit prefix followed by the RIID)
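Added example, not from the presentation: a Python decoder for the address formats on this slide and on the SSM slide. It splits a group address into the RFC 3956 fields, extracts the embedded RP (FF7E:0140:2001:0DB8:C003:111D:0000:1112 yields 2001:DB8:C003:111D::1), rebuilds that group from the RP and group ID, and tests SSM-range membership (FF3x::/32). The `rp_allowed` check and its `allowed` prefix list are my addition and an assumption about local policy: the RP is chosen by whoever picks the group address, so a router that honours embedded RPs builds (*,G) state toward whatever unicast address is encoded, and an operator will usually want to accept only RPs inside prefixes they control.

```python
"""Decode IPv6 multicast group addresses: SSM ranges (RFC 4607) and
Embedded-RP (RFC 3956). Added example, not code from the Cisco deck; the
group and RP values reused here are the ones shown on the slides."""
import ipaddress

# RFC 4607: SSM groups are FF3x::/32 for every scope x, i.e. FF30::/12 overall.
# A router's range-list lists only the routable scopes (FF33::/32 .. FF3F::/32).
SSM_RANGE = ipaddress.IPv6Network("FF30::/12")
FLAG_T, FLAG_P, FLAG_R = 0x1, 0x2, 0x4        # RFC 3956 flags field is 0RPT
EMBEDDED_FLAGS = FLAG_R | FLAG_P | FLAG_T      # 0111, the "7" in FF7x::


def fields(group):
    """Split a multicast address into the RFC 3306/3956 fields
    (FF | flags | scope | rsvd | RIID | plen | 64-bit prefix | 32-bit group ID)."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return {
        "flags": (g >> 116) & 0xF,
        "scope": (g >> 112) & 0xF,
        "rsvd": (g >> 108) & 0xF,
        "riid": (g >> 104) & 0xF,
        "plen": (g >> 96) & 0xFF,
        "prefix": (g >> 32) & ((1 << 64) - 1),
        "group_id": g & 0xFFFFFFFF,
    }


def is_ssm(group):
    """True for groups a PIM-SSM router serves only via (S,G) state."""
    return ipaddress.IPv6Address(group) in SSM_RANGE


def embedded_rp(group):
    """Return the RP encoded in an Embedded-RP group, or None when the flags are
    not 0111 (RP must then be learnt statically or via BSR). Malformed embedded
    groups (reserved bits set, RIID 0, plen 0 or > 64) raise ValueError."""
    f = fields(group)
    if f["flags"] != EMBEDDED_FLAGS:
        return None
    if f["rsvd"] != 0 or f["riid"] == 0 or not 0 < f["plen"] <= 64:
        raise ValueError(f"{group}: invalid Embedded-RP encoding")
    keep = ((1 << f["plen"]) - 1) << (64 - f["plen"])   # first plen bits of the prefix
    rp = ((f["prefix"] & keep) << 64) | f["riid"]        # prefix, zeros, then RIID
    return ipaddress.IPv6Address(rp)


def make_embedded_group(rp, group_id, scope=0xE):
    """Build the FF7x group that embeds rp (a /64 prefix plus a 4-bit RIID,
    e.g. 2001:DB8:C003:111D::1) together with a 32-bit group ID."""
    r = int(ipaddress.IPv6Address(rp))
    riid, prefix = r & 0xF, r >> 64
    if riid == 0 or (r >> 4) & ((1 << 60) - 1):
        raise ValueError("RP must be <prefix>::<RIID> with a non-zero RIID")
    if not 0 <= group_id < (1 << 32) or not 0 <= scope <= 0xF:
        raise ValueError("group_id is 32 bits, scope is 4 bits")
    g = ((0xFF << 120) | (EMBEDDED_FLAGS << 116) | (scope << 112)
         | (riid << 104) | (64 << 96) | (prefix << 32) | group_id)
    return ipaddress.IPv6Address(g)


def rp_allowed(group, allowed):
    """Policy check (assumed, not an IOS feature): accept an embedded RP only if
    it falls inside one of the operator's own prefixes, since the group address,
    and therefore the RP, is picked by the sender or receiver."""
    rp = embedded_rp(group)
    return rp is not None and any(rp in ipaddress.IPv6Network(p) for p in allowed)


if __name__ == "__main__":
    g = "FF7E:0140:2001:0DB8:C003:111D:0000:1112"
    print(fields(g))
    print("SSM?", is_ssm("FF33::DEAD"), is_ssm(g))
    print("RP:", embedded_rp(g))
    print("rebuilt:", make_embedded_group("2001:DB8:C003:111D::1", 0x1112))
    print("allowed:", rp_allowed(g, ["2001:DB8:C003::/48"]))
```

On IOS the RP itself is constrained by the access-list on its ipv6 pim rp-address line (as on the configuration-example slide), which limits which embedded groups that RP serves; the `rp_allowed` function above is the equivalent question asked from the non-RP side.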

BRKRST-2301

© 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

153

Embedded-RP
 PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy:
Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!

 Embedded-RP is just a method to learn ONE RP address for a multicast group:
It cannot replace the RP redundancy that BSR or MSDP/Anycast-RP provide

 Embedded-RP does not (yet) support Bidir-PIM
Simply extending the mapping function to define Bidir-PIM RPs is not sufficient:
In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported


Embedded-RP Configuration Example
Diagram: Source in the Corporate Network; RP on L0; the remaining routers across the IP WAN
 RP to be used as an Embedded-RP needs to be configured with address/group range
 All other non-RP routers require no special configuration

RP router:
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
 permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96

Embedded RP—Does It Work?
Diagram: Receiver sends an MLD report; the branch router joins across the IP WAN toward the RP

branch#show ipv6 pim group FF7E:140:2001:DB8:C003:111D::/96
FF7E:140:2001:DB8:C003:111D::/96*
  RP : 2001:DB8:C003:111D::1
  Protocol: SM
  Client : Embedded
  Groups : 1
  Info : RPF: Se0/0,FE80::210:7FF:FEDD:40

branch#show ipv6 mroute active
Active IPv6 Multicast Sources - sending >= 4 kbps
Group: FF7E:140:2001:DB8:C003:111D:0:1112
  Source: 2001:DB8:C003:1109::2
    Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)

branch#show ipv6 pim range | include Embedded
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::
  FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24

