8/13/2019 3.Enterprise IPv6 Deployment
1/124
2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Enterprise IPv6 Deployment
BRKCRS-2301
Housekeeping
We value your feedback; don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday.
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
Reference Materials
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf
CCO IPv6 Main Page: http://www.cisco.com/go/ipv6
Cisco Network Designs: http://www.cisco.com/go/srnd
BRKCRS-2301 Recommended Reading
Agenda
The Need for IPv6
Address Considerations
General Concepts
Infrastructure Deployment
  Campus/Data Center
  WAN/Branch
  Remote Access
Planning and Deployment Summary
Appendix (For Reference Only)
The Need for IPv6
Monitoring Market Drivers
http://www.potaroo.net/tools/ipv4/
Address space depletion
  Impact: slow down of Internet growth
  Enterprise expanding into emerging markets
National IT Strategy
  U.S. Federal Mandate
  IPv6 Task Force and promotion councils: Africa, India, Japan, Korea
  China Next Generation Internet (CNGI) project
  European Commission sponsored projects
MSFT Vista & Server 2008
  IPv6 on and preferred by default
  Applications only running over IPv6 (P2P framework)
Infrastructure Evolution
  IP NGN
  DOCSIS 3.0, FTTH, HDTV, Quad Play
  Mobile SP: 3G, WiMax, PWLAN
  Networks in Motion
  Networked Sensors, i.e. AIRS
NAT Overlap M&A
Address Considerations
Hierarchical Addressing and Aggregation
Prefix assignment can be larger/smaller: http://www.icann.org/announcements/announcement-12oct06.htm
Provider independent proposal: http://www.arin.net/policy/proposals/2005_1.html
Be careful when using /127 on P2P links (see RFC 3627)
[Diagram: the ISP holds 2001:DB8::/32 and only announces the /32 prefix to the IPv6 Internet (2000::/3). Site 1 receives 2001:DB8:0001::/48 and uses 2001:DB8:0001:0001::/64 and 2001:DB8:0001:0002::/64; Site 2 receives 2001:DB8:0002::/48 and uses 2001:DB8:0002:0001::/64 and 2001:DB8:0002:0002::/64.]
ULA, ULA + Global or Global
What type of addressing should I deploy internal to my network? It depends:
ULA-only: Today, no IPv6 NAT is useable in production, so using ULA-only will not work externally to your network.
ULA + Global: allows for the best of both worlds, but at a price: much more address management with DHCP, DNS, routing and security, and SAS does not always work as it should.
Global-only: Recommended approach, but the old-school security folks that believe topology hiding is essential in security will bark at this option.
Let's explore these options.
Unique-Local Addressing (RFC4193)
Used for internal communications, inter-site VPNs. Not routable on the Internet; basically RFC1918 for IPv6, only better: less likelihood of collisions.
Default prefix is /48. A /48 limits use in large organizations that will need more space. The semi-random generator prohibits generating sequentially useable prefixes, so there is no easy way to have aggregation when using multiple /48s.
Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangers: remember the idea for ULA is internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A.
Routing/security control: You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range. Today this is the only way the ULA scope can be enforced.
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
Generated ULA = fd9c:58ed:7d73::/48
* MAC address = 00:0D:9D:93:A0:C3 (Hewlett Packard)
* EUI64 address = 020D9Dfffe93A0C3
* NTP date = cc5ff71943807789 cc5ff71976b28d86
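The two mechanics this slide relies on, written out as an added example (not code from the Cisco deck or from the SixXS generator): the RFC 4193 section 3.2.2 procedure that turns a 64-bit NTP timestamp and an EUI-64 into a /48 ULA prefix, and the perimeter rule that nothing with a ULA source or destination may cross the Internet edge. The MAC and NTP values are the ones shown on the slide; the EUI-64 derivation reproduces the slide's 020D9Dfffe93A0C3. The generated /48 is only checked for shape (fd00::/8, /48), because the SixXS tool lists two NTP timestamps and the exact bytes it hashed are not on the slide. The function names and the sample flows at the Internet edge are assumptions constructed for this example.

```python
"""RFC 4193 ULA prefix generation and ULA perimeter filtering (added example)."""
import hashlib
import ipaddress
from typing import List, Tuple

# RFC 4193 reserves fc00::/7; only fd00::/8 (L bit = 1) is defined for local
# assignment, but a perimeter filter must block the whole /7.
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291, Appendix A): invert the
    U/L bit of the first octet and insert 0xFFFE between the two halves."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def generate_ula_prefix(ntp_time: bytes, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the
    least significant 40 bits as the Global ID, prepend 0xfd, return the /48."""
    if len(ntp_time) != 8 or len(eui64) != 8:
        raise ValueError("ntp_time and eui64 must each be 8 bytes")
    digest = hashlib.sha1(ntp_time + eui64).digest()
    global_id = digest[-5:]                            # low-order 40 bits
    prefix = b"\xfd" + global_id + bytes(10)           # 48 prefix bits, zero-filled to 128
    return ipaddress.IPv6Network((ipaddress.IPv6Address(prefix), 48))


def is_ula(addr: str) -> bool:
    """True if addr (optionally with a %zone suffix) is inside fc00::/7."""
    return ipaddress.IPv6Address(addr.split("%")[0]) in ULA_RANGE


def perimeter_leaks(flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows that must be dropped at the Internet edge: ULA in SA or DA."""
    return [(src, dst) for src, dst in flows if is_ula(src) or is_ula(dst)]


# Values printed by the generator on the slide.
SLIDE_MAC = "00:0D:9D:93:A0:C3"
SLIDE_NTP = bytes.fromhex("cc5ff71943807789")

# Constructed sample flows (source, destination) as seen at the Internet edge.
SAMPLE_FLOWS = [
    ("2001:db8:cafe:2::10", "2001:db8:1::1"),       # global -> global: allowed
    ("fd9c:58ed:7d73:2800::10", "2001:db8:1::1"),   # ULA source leaking out: drop
    ("2001:db8:1::1", "fd9c:58ed:7d73:3000::5"),    # ULA destination from outside: drop
    ("2001:db8:cafe:2::10", "fc00::1"),             # fc00::/8 is ULA space too: drop
]

if __name__ == "__main__":
    eui64 = mac_to_eui64(SLIDE_MAC)
    print("EUI-64 :", eui64.hex())
    print("ULA /48:", generate_ula_prefix(SLIDE_NTP, eui64))
    for src, dst in perimeter_leaks(SAMPLE_FLOWS):
        print("DROP at perimeter:", src, "->", dst)
```

The perimeter check is the software form of the ACL the slide asks for: it is applied to both directions, because an inbound packet with a ULA destination is as much a scope violation as an outbound one with a ULA source.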
ULA-Only
Everything internal runs the ULA space.
A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the Internet; must run filters to prevent any SA/DA in the ULA range from being forwarded.
Works as it does today with IPv4, except that today there are no scalable NAT/Proxies for IPv6.
Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity).
[Diagram: Corp HQ, Branch 1 and Branch 2 connected over the Corporate Backbone, all in ULA space FD9C:58ED:7D73::/48 (FD9C:58ED:7D73:2800::/64, FD9C:58ED:7D73:3000::/64, FD9C:58ED:7D73::2::/64); Global 2001:DB8:CAFE::/48 towards the Internet; requires NAT for IPv6.]
ULA + Global
Both ULA and Global are used internally, except for internal-only hosts.
Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally. In theory, ULA talks to ULA and Global talks to Global; SAS should work this out.
ULA-only and Global-only hosts can talk to one another internal to the network.
Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet, and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields.
Management overhead for DHCP, DNS, routing, security, etc.
[Diagram: Corp HQ, Branch 1 and Branch 2 over the Corporate Backbone, each segment carrying both a ULA and a Global /64 from ULA space FD9C:58ED:7D73::/48 and Global 2001:DB8:CAFE::/48: FD9C:58ED:7D73:2800::/64 with 2001:DB8:CAFE:2800::/64, FD9C:58ED:7D73:3000::/64 with 2001:DB8:CAFE:3000::/64, FD9C:58ED:7D73::2::/64 with 2001:DB8:CAFE:2::/64; Global 2001:DB8:CAFE::/48 towards the Internet.]
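Why "ULA talks to ULA and Global talks to Global" is supposed to fall out of SAS, as an added example that is not part of the deck: the default policy table of RFC 6724 (the successor to RFC 3484) gives fc00::/7 its own label, so the "prefer matching label" rule pairs a ULA source with a ULA destination and a global source with a global destination, while the scope rule keeps link-local for link-local. Only rules 1, 2, 6 and 8 are implemented; the rules for deprecated, home, temporary and outgoing-interface addresses are omitted, and that is one reason real operating systems behave differently from this model (the deck's "SAS does not always work as it should"). The candidate addresses are the ones in the slide's host address table; the destinations are the deck's DHCPv6 relay address, a constructed global address in 2001:db8::/32, and the HSRP virtual link-local shown later in the deck. Function names are this example's own.

```python
"""Simplified IPv6 source address selection per RFC 6724 (rules 1, 2, 6, 8)."""
import ipaddress
from typing import Iterable

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 35, 4),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("2001::/32"), 5, 5),
    (ipaddress.IPv6Network("fc00::/7"), 3, 13),
    (ipaddress.IPv6Network("::/96"), 1, 3),
    (ipaddress.IPv6Network("fec0::/10"), 1, 11),
    (ipaddress.IPv6Network("3ffe::/16"), 1, 12),
]


def label(addr: ipaddress.IPv6Address) -> int:
    """Label of the longest-matching policy table entry."""
    best_len, best_label = -1, 1
    for net, _precedence, lab in POLICY_TABLE:
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, lab
    return best_label


def scope(addr: ipaddress.IPv6Address) -> int:
    """RFC 4007 scope value; ULA counts as global scope (RFC 6724 section 3.1)."""
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    if addr.is_link_local or addr.is_loopback:
        return 0x2
    if addr.is_site_local:
        return 0x5
    return 0xE


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def prefer(sa: ipaddress.IPv6Address, sb: ipaddress.IPv6Address,
           dst: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Return whichever of sa/sb the implemented RFC 6724 rules prefer for dst."""
    if sa == dst:                                   # Rule 1: prefer same address
        return sa
    if sb == dst:
        return sb
    if scope(sa) < scope(sb):                       # Rule 2: prefer appropriate scope
        return sb if scope(sa) < scope(dst) else sa
    if scope(sb) < scope(sa):
        return sa if scope(sb) < scope(dst) else sb
    if label(sa) == label(dst) and label(sb) != label(dst):   # Rule 6: matching label
        return sa
    if label(sb) == label(dst) and label(sa) != label(dst):
        return sb
    if common_prefix_len(sa, dst) > common_prefix_len(sb, dst):  # Rule 8: longest match
        return sa
    if common_prefix_len(sb, dst) > common_prefix_len(sa, dst):
        return sb
    return sa                                       # tie: keep the earlier candidate


def select_source(candidates: Iterable[str], dst: str) -> str:
    """Pick the source address a host would use to reach dst."""
    d = ipaddress.IPv6Address(dst)
    best = None
    for cand in candidates:
        c = ipaddress.IPv6Address(cand)
        best = c if best is None else prefer(best, c, d)
    if best is None:
        raise ValueError("no candidate source addresses")
    return str(best)


# The three addresses from the slide's host address table.
HOST_ADDRESSES = [
    "2001:db8:cafe:2:cd22:7629:f726:6a6b",        # global (temporary)
    "fd9c:58ed:7d73:1002:8828:723c:275e:846d",    # ULA (DHCPv6)
    "fe80::8828:723c:275e:846d",                  # link-local
]

if __name__ == "__main__":
    for dst in ("fd9c:58ed:7d73:811::9", "2001:db8:1::1", "fe80::5:73ff:fea0:1"):
        print(f"{dst:28} <- {select_source(HOST_ADDRESSES, dst)}")
```

Note that 2001:db8::/32 is not inside the table's 2001::/32 (Teredo) entry, so both the documentation-prefix source and destination fall under the ::/0 label; the ULA pairing still wins for a ULA destination because only fc00::/7 carries label 13.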
Considerations: ULA + Global
Use DHCPv6 for ULA and Global; apply different policies for both (lifetimes, options, etc.).
Check routability for both: can you reach an AD/DNS server regardless of which address you have?
Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.).
If using SLAAC for both: Microsoft Windows allows you to enable/disable privacy extensions globally; this means you are either using them for both or not at all!!! One option is to use SLAAC for the Global range and enable privacy extensions, and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.).
Unlike Global and link-local scopes, ULA is not automatically controlled at the appropriate boundary; you must prevent the ULA prefix from going out or in at your perimeter.
SAS behavior is OS dependent and there have been issues with it working reliably.
Host address table as shown on the slide:
Temporary  Preferred  6d23h59m55s  23h59m55s   2001:db8:cafe:2:cd22:7629:f726:6a6b
Dhcp       Preferred  13d1h33m55s  6d1h33m55s  fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other      Preferred  infinite     infinite    fe80::8828:723c:275e:846d
Randomized IID and Privacy Extensions
Enabled by default on Microsoft Windows; enable/disable via GPO or CLI.
Alternatively, use DHCP (see later) to a specific pool.
Randomized addresses are generated for non-temporary autoconfigured addresses, including public and link-local, and are used instead of EUI-64 addresses.
Randomized addresses engage Optimistic DAD: the likelihood of a duplicate LL address is rare, so an RS can be sent before full DAD completion.
Windows Vista/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this is OK).
Privacy extensions are used with SLAAC.
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
ULA + Global Example
interface Vlan2
 description ACCESS-DATA-2
 ipv6 address 2001:DB8:CAFE:2::D63/64
 ipv6 address FD9C:58ED:7D73:1002::D63/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
[Diagram: DHCPv6 Client -- Network -- DHCPv6 Server 2001:DB8:CAFE:11::9]
Client address table:
Addr Type  DAD State  Valid Life    Pref. Life   Address
---------  ---------  ------------  -----------  ----------------------------------------
Dhcp       Preferred  13d23h48m24s  6d23h48m24s  2001:db8:cafe:2:c1b5:cc19:f87e:3c41
Dhcp       Preferred  13d23h48m24s  6d23h48m24s  fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other      Preferred  infinite      infinite     fe80::8828:723c:275e:846d
Link Level Prefix Length Considerations
64 bits
  Recommended by RFC3177 and IAB/IESG
  Consistency makes management easy
  MUST for SLAAC (MSFT DHCPv6 also)
  Significant address space loss
< 64 bits
  Enables more hosts per broadcast domain
  Considered bad practice
  64 bits offers more space for hosts than the media can support efficiently
> 64 bits
  Address space conservation
  Special cases: /126 valid for p2p; /127 not valid for p2p (RFC3627); /128 loopback
  Complicates management
  Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
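The "must avoid overlap with specific addresses" line is the one that bites in practice: once a link prefix is longer than /64, some of the interface identifiers it covers already have a meaning inside the enclosing /64. The following added example (not from the deck) turns the slide's list into a pre-deployment check. It reports whether a candidate prefix covers the Subnet-Router anycast address (interface ID all zeros, RFC 3513 section 2.6.1), the interface IDs 1 through 15 that an Embedded-RP address (RFC 3956) would use, or the ISATAP identifier ranges (0000:5EFE and 0200:5EFE followed by an IPv4 address, RFC 5214), and it flags /127 as the RFC 3627 case the slide warns about. The sample prefixes are constructed under the deck's 2001:DB8:CAFE::/48; function and key names are this example's own.

```python
"""Reserved-interface-identifier collision check for link prefixes longer than /64."""
import ipaddress
from typing import Dict, List

IID_MASK = (1 << 64) - 1
ISATAP_TAGS = (0x00005EFE, 0x02005EFE)   # RFC 5214 IID prefixes (private / globally unique IPv4)


def iid_of(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of an address: the interface identifier within its /64."""
    return int(addr) & IID_MASK


def reserved_iid_collisions(net: ipaddress.IPv6Network) -> List[str]:
    """Reserved interface identifiers that fall inside net (only meaningful for
    prefixes longer than /64, where net is a slice of one /64)."""
    hits: List[str] = []
    first, last = iid_of(net.network_address), iid_of(net.broadcast_address)
    if first == 0:
        hits.append("subnet-router anycast (IID ::0, RFC 3513)")
    if first <= 0xF and last >= 1:
        hits.append("embedded-RP RIID range (IID ::1 to ::f, RFC 3956)")
    for tag in ISATAP_TAGS:
        lo, hi = tag << 32, (tag << 32) | 0xFFFFFFFF
        if first <= hi and last >= lo:
            hits.append(f"ISATAP IID range ({tag >> 16:04x}:{tag & 0xFFFF:04x}:<IPv4>, RFC 5214)")
    return hits


def check_link_prefix(prefix: str) -> Dict[str, object]:
    """Summarise what the slide's table says about a candidate link prefix."""
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    return {
        "prefix": str(net),
        "prefixlen": plen,
        "longer_than_64": plen > 64,
        "rfc3627_127_warning": plen == 127,         # /127 not valid for p2p per the slide
        "collisions": reserved_iid_collisions(net) if plen > 64 else [],
    }


# Constructed candidate link prefixes under the deck's 2001:DB8:CAFE::/48.
CANDIDATES = [
    "2001:db8:cafe:1::/64",                       # the recommended case
    "2001:db8:cafe:1::/127",                      # RFC 3627 case: covers ::0 and ::1
    "2001:db8:cafe:1::4/126",                     # avoids ::0 but still inside ::1-::f
    "2001:db8:cafe:1:ffff:ffff:ffff:fff0/126",    # top of the /64: no reserved IIDs
    "2001:db8:cafe:1:0:5efe::/96",                # overlaps ISATAP identifiers
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        info = check_link_prefix(cand)
        flags = ", ".join(info["collisions"]) or "no reserved-IID overlap"
        warn = " [/127: not valid for p2p, RFC 3627]" if info["rfc3627_127_warning"] else ""
        print(f"{info['prefix']:42} {flags}{warn}")
```

A /126 carved from the top of the /64, as in the fourth candidate, is the form that satisfies both the slide's "valid for p2p" entry and the reserved-identifier constraint; a /126 at the bottom of the /64 still covers the subnet-router anycast address.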
Stateful/Stateless DHCPv6
Stateful and stateless DHCPv6 server:
  Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
  Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
  Dibbler: http://klub.com.pl/dhcpv6/
DHCPv6 Relay: supported on routers and Catalyst
interface FastEthernet0/1
 description CLIENT LINK
 ipv6 address 2001:DB8:CAFE:11::1/64
 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
[Diagram: IPv6 Enabled Host -- Network -- DHCPv6 Server]
General Concepts: FHRP, Multicast and QoS
HSRP for IPv6
Many similarities with HSRP for IPv4. Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects.
No need to configure GW on hosts (RAs are sent from the HSRP active router).
Virtual MAC derived from HSRP group number and virtual IPv6 link-local address.
IPv6 Virtual MAC range: 0005.73A0.0000 - 0005.73A0.0FFF (4096 addresses)
HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
No HSRP IPv6 secondary address
No HSRP IPv6 specific debug
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 ipv6 cef
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 timers msec 250 msec 800
 standby 1 preempt
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string cisco
 standby 1 track FastEthernet0/0
[Diagram: HSRP Standby and HSRP Active routers; host with GW of Virtual IP]
#route -A inet6 | grep ::/0 | grep eth2
::/0    fe80::5:73ff:fea0:1    UGDA 1024 0 0 eth2
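How the virtual MAC and the virtual link-local address in the host's routing table relate to the HSRP group, as an added example that is not part of the deck: the group number fills the low 12 bits of 0005.73A0.0000 (hence 4096 groups), and the virtual link-local address places that MAC behind fe80:: in EUI-64 layout with FFFE inserted. The U/L bit is left as-is, which is what the slide's output shows (fe80::5:73ff:fea0:1 for group 1; a modified EUI-64 would have given fe80::205:73ff:fea0:1). The inverse function is the defender's use of the same mapping: given the default gateway a host reports, confirm that it is an HSRP virtual address and which group it belongs to. Function names are this example's own.

```python
"""HSRP for IPv6: virtual MAC and virtual link-local address of a group."""
import ipaddress
from typing import Optional

HSRP_V6_VMAC_BASE = 0x000573A00000   # 0005.73A0.0000, from the slide
HSRP_V6_GROUP_MAX = 0x0FFF           # 4096 groups: 0 .. 4095


def hsrp_v6_virtual_mac(group: int) -> str:
    """Virtual MAC of an HSRP IPv6 group in Cisco dotted form (lower case)."""
    if not 0 <= group <= HSRP_V6_GROUP_MAX:
        raise ValueError("HSRP IPv6 group must be 0..4095")
    hexstr = f"{HSRP_V6_VMAC_BASE | group:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def hsrp_v6_virtual_link_local(group: int) -> str:
    """fe80:: followed by the virtual MAC with FFFE inserted in the middle;
    the U/L bit is not inverted, matching the slide's fe80::5:73ff:fea0:1."""
    hsrp_v6_virtual_mac(group)                      # range check
    mac = HSRP_V6_VMAC_BASE | group
    iid = ((mac >> 24) << 40) | (0xFFFE << 24) | (mac & 0xFFFFFF)
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def hsrp_group_from_gateway(gw: str) -> Optional[int]:
    """Inverse mapping: HSRP IPv6 group for a default gateway address, or None
    if the address is not an HSRP IPv6 virtual link-local address."""
    addr = int(ipaddress.IPv6Address(gw.split("%")[0]))
    if addr >> 64 != 0xFE80 << 48:                  # must be fe80::/64
        return None
    iid = addr & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:              # EUI-64 style filler expected
        return None
    mac = ((iid >> 40) << 24) | (iid & 0xFFFFFF)
    if mac & ~0xFFF != HSRP_V6_VMAC_BASE:           # must be inside the HSRP v6 range
        return None
    return mac & 0xFFF


if __name__ == "__main__":
    for g in (1, 2, 4095):
        print(f"group {g:4}: vMAC {hsrp_v6_virtual_mac(g)}  vLL {hsrp_v6_virtual_link_local(g)}")
    # Gateway from the slide's Linux host output.
    print("slide gateway fe80::5:73ff:fea0:1 -> group", hsrp_group_from_gateway("fe80::5:73ff:fea0:1"))
```

Since hosts learn the gateway from RAs sent by the active router rather than from configuration, checking a host's default route against this mapping is a quick way to confirm it is following the HSRP virtual address and not some other router on the segment.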
IPv6 QoS Syntax Changes
IPv4 syntax has used "ip" following match/set statements. Example: match ip dscp, set ip dscp
Modification in QoS syntax to support IPv6 and IPv4:
New match criteria
  match dscp: Match DSCP in v4/v6
  match precedence: Match Precedence in v4/v6
New set criteria
  set dscp: Set DSCP in v4/v6
  set precedence: Set Precedence in v4/v6
Additional support for IPv6 does not always require new Command Line Interface (CLI). Example: WRED
Infrastructure Deployment
Start Here: Cisco IOS Software Release Specifics for IPv6 Features: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm
IPv6 Coexistence
[Diagram: two IPv6 Networks joined across MPLS/IPv4 by a Configured Tunnel or MPLS (6PE/6VPE); an IPv6/IPv4 Dual Stack host with IPv4 192.168.99.1 and IPv6 2001:db8:1::1/64; an IPv6 Host reaching an IPv6 ISATAP Router over IPv4 ISATAP Tunneling (Intra-Site Automatic Tunnel Addressing Protocol).]
Campus/Data Center
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
ESE Campus Design and Implementation Guides: http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2
Campus IPv6 Deployment Options: Dual-Stack IPv4/IPv6
#1 requirement: switching/routing platforms must support hardware based forwarding for IPv6
IPv6 is transparent on L2 switches, but for L2 multicast: MLD snooping
IPv6 management: Telnet/SSH/HTTP/SNMP
Intelligent IP services on WLAN
Expect to run the same IGPs as with IPv4
Keep feature expectations simple
[Diagram: Core Layer, Distribution Layer and Access Layer, plus Data Center Aggregation Layer (DC) and Access Layer (DC), all v6-Enabled; IPv6/IPv4 Dual Stack Hosts at the access layer and a Dual-stack Server (L2/L3) in the data center.]
Access Layer: Dual Stack
Catalyst 3560/3750: In order to enable IPv6 functionality the proper SDM template needs to be defined (http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htm):
Switch(config)#sdm prefer dual-ipv4-and-ipv6 default
If using a traditional Layer-2 access design, the only thing that needs to be enabled on the access switch (management/security discussed later) is MLD snooping:
Switch(config)#ipv6 mld snooping
3560/3750 non-E series cannot support both HSRP for IPv4 and HSRP for IPv6 on the same interface: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.html#wp925898
Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)
ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53
ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address ULA-CORE ::3:0:0:0:D63/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
 ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
!
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address ULA-CORE ::C:0:0:0:D63/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
 ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53
!
interface Vlan4
 description Data VLAN for Access
 ipv6 address ULA-ACC ::D63/64
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination fd9c:58ed:7d73:811::9
 ipv6 eigrp 10
 standby version 2
 standby 2 ipv6 autoconfig
 standby 2 timers msec 250 msec 750
 standby 2 priority 110
 standby 2 preempt delay minimum 180
 standby 2 authentication ese
!
ipv6 router eigrp 10
 no shutdown
 router-id 10.122.10.10
 passive-interface Vlan4
 passive-interface Loopback0
Campus IPv6 Deployment Options: Hybrid Model
Offers IPv6 connectivity via multiple options:
  Dual-stack
  Configured tunnels (L3-to-L3)
  ISATAP (Host-to-L3)
Leverages existing network
Offers natural progression to full dual-stack design
May require tunneling to less-than-optimal layers (i.e. core layer)
ISATAP creates a flat network (all hosts on the same tunnel are peers)
Create tunnels per VLAN/subnet to keep the same segregation as the existing design (not clean today)
Provides basic HA of ISATAP tunnels via the old Anycast-RP idea
[Diagram: Core Layer and Data Center Aggregation/Access Layers (DC) are v6-Enabled, with a Dual-stack Server (L2/L3); Distribution and Access Layers are NOT v6-Enabled; IPv6/IPv4 Dual Stack Hosts reach the core over ISATAP tunnels.]
Highly Available ISATAP Design: Topology
ISATAP tunnels from PCs in access layer to core switches
Redundant tunnels to core or service block
Use IGP to prefer one core switch over another (both v4 and v6 routes): deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) where the host is terminated on Windows XP/2003
Works like Anycast-RP with IPmc
[Diagram: PC1 (Red, VLAN 2) and PC2 (Blue, VLAN 3) in the Access Layer build a Primary ISATAP Tunnel and a Secondary ISATAP Tunnel through the NOT v6-Enabled Distribution Layer to the v6-Enabled Core Layer; the Data Center Aggregation/Access Layers (DC) are v6-Enabled with a Dual-stack IPv6 Server.]
IPv6 Campus ISATAP Configuration: Redundant Tunnels
ISATAP Primary:
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 description Tunnel source for ISATAP-VLAN2
 ip address 10.122.10.102 255.255.255.255
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255

ISATAP Secondary:
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000
!
interface Loopback3
 ip address 10.122.10.103 255.255.255.255
 delay 1000
IPv6 Campus ISATAP Configuration: ISATAP Client Configuration
Windows XP/Vista Host:
C:\>netsh int ipv6 isatap set router 10.122.10.103
Ok.
Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
   IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2
   Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
Core switch:
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 eigrp 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback3
 description Tunnel source for ISATAP-VLAN3
 ip address 10.122.10.103 255.255.255.255
[Diagram: the host at 10.120.3.101 builds ISATAP tunnel tu3 to the core switch loopback lo3 (10.122.10.103); the new tunnel comes up when a failure occurs.]
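The addresses in the client output are not arbitrary: an ISATAP interface identifier is the 32-bit tag 0000:5EFE (or 0200:5EFE when the embedded IPv4 address is globally unique) followed by the IPv4 address of the tunnel endpoint, which is why the host at 10.120.3.101 shows 2001:db8:cafe:3:0:5efe:10.120.3.101 and fe80::5efe:10.120.3.101, and why its default gateway fe80::5efe:10.122.10.103 names the core switch loopback. The added example below (not from the deck) builds those addresses from a /64 and an IPv4 address in the same rendering Windows uses, and decodes them the other way, which is what a defender needs when an ISATAP address turns up in a log and the question is which IPv4 endpoint it stands for. The function names are this example's own; the values are the slide's, plus one constructed globally-unique case.

```python
"""ISATAP address construction and decoding (RFC 5214 interface identifiers)."""
import ipaddress
from typing import List, Optional

ISATAP_TAG_PRIVATE = 0x00005EFE   # embedded IPv4 address is not globally unique
ISATAP_TAG_GLOBAL = 0x02005EFE    # embedded IPv4 address is globally unique (u bit set)


def _compress(groups: List[str]) -> str:
    """Collapse the longest run (>= 2) of zero groups into '::', like RFC 5952."""
    best_start, best_len, i = -1, 0, 0
    while i < len(groups):
        if groups[i] == "0":
            j = i
            while j < len(groups) and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def isatap_iid(ipv4: str, globally_unique: bool = False) -> int:
    """64-bit ISATAP interface identifier: 32-bit tag followed by the IPv4 address."""
    tag = ISATAP_TAG_GLOBAL if globally_unique else ISATAP_TAG_PRIVATE
    return (tag << 32) | int(ipaddress.IPv4Address(ipv4))


def isatap_address(prefix: str, ipv4: str, globally_unique: bool = False) -> str:
    """ISATAP address on a /64 prefix, rendered as Windows prints it: the first
    six groups in hex and the embedded IPv4 address in dotted-quad form."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    full = ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4, globally_unique))
    head = [g.lstrip("0") or "0" for g in full.exploded.split(":")[:6]]
    return f"{_compress(head)}:{ipaddress.IPv4Address(ipv4)}"


def isatap_link_local(ipv4: str, globally_unique: bool = False) -> str:
    """The fe80::5efe:<IPv4> address a host or router uses on the tunnel link."""
    return isatap_address("fe80::/64", ipv4, globally_unique)


def embedded_ipv4(addr: str) -> Optional[str]:
    """Decode: if addr carries an ISATAP IID, return the tunnel endpoint's IPv4
    address as text, else None. Accepts hex or dotted-quad rendering and a %zone."""
    a = int(ipaddress.IPv6Address(addr.split("%")[0]))
    iid = a & ((1 << 64) - 1)
    if iid >> 32 not in (ISATAP_TAG_PRIVATE, ISATAP_TAG_GLOBAL):
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


if __name__ == "__main__":
    # Values from the slide: host 10.120.3.101 on 2001:DB8:CAFE:3::/64, router 10.122.10.103.
    print(isatap_address("2001:DB8:CAFE:3::/64", "10.120.3.101"))
    print(isatap_link_local("10.120.3.101"))
    print(isatap_link_local("10.122.10.103"), "-> router", embedded_ipv4("fe80::5efe:10.122.10.103%2"))
    # Constructed globally-unique case, not on the slide.
    print(isatap_address("2001:db8:cafe:3::/64", "192.0.2.1", globally_unique=True))
```

The decoder also explains the flat-network remark on the hybrid-model slide: every ISATAP address on the same /64 carries the IPv4 address of its endpoint in the clear, so any host on the tunnel can address any other directly.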
Campus Hybrid Model 1: QoS
[Diagram: Core Layer, Distribution Layer and Access Layer (Access Block) plus Aggregation Layer (DC) and Access Layer (DC) (Data Center Block), IPv6 and IPv4 Enabled; IPv6/IPv4 Dual-stack Hosts at the access layer and an IPv6/IPv4 Dual-stack Server in the data center; points 1 and 2 mark the core egress and the aggregation ingress.]
1. Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point; QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress.
2. The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These policies may include trust (ingress), policing (ingress) and queuing (egress).
Campus IPv6 Deployment Options: IPv6 Service Block, an Interim Approach
Provides ability to rapidly deploy IPv6 services without touching the existing network
Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
Offers the same advantages as the Hybrid Model without the alteration to existing code/configurations
Configurations are very similar to the Hybrid Model
ISATAP tunnels from PCs in the access layer to service block switches (instead of the core layer as in Hybrid)
Internet access options:
1) Leverage existing ISP block for both IPv4 and IPv6 access
2) Use dedicated ISP connection just for IPv6; can use IOS FW or PIX/ASA appliance
[Diagram: IPv4-only Campus Block (Core Layer, Dist. Layer, Access Layer) with VLAN 2 and VLAN 3 hosts building Primary and Secondary ISATAP Tunnels to the IPv6 Service Block; the Service Block reaches the Internet either through the WAN/ISP Block with IOS FW (option 1) or through a Dedicated FW (option 2); Data Center Block with Agg Layer and Access Layer.]
IPv6 Data Center Integration
The single most overlooked and, potentially, complicated area for IPv6 deployment
Front-end design will be similar to campus based on feature, platform and connectivity similarities: Nexus, 6500, 4900M
IPv6 for SAN is supported in SAN-OS 3.0
Major issue in DC with IPv6 today: NIC Teaming
Watch status of IPv6 support from App, Grid, DB vendors, DC management
Get granular, e.g. iLO
Impact on clusters: Microsoft Server 2008 failover clusters fully support IPv6 (and L3)
Build an IPv6-only server farm?
[Diagram: Campus Core - Data Center Core - Aggregation - Access - Servers; Storage with its own Core and Access.]
WAN/Branch
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf
ESE WAN/Branch Design and Implementation Guides:
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10
43/124
8/13/2019 3.Enterprise IPv6 Deployment
44/124
2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 88
IPv6 Enabled Branch: Take Your Pick, Mix-and-Match
Single Tier: Branch to HQ over the Internet. Dual-Stack; IPSec VPN (IPv4/IPv6); IOS Firewall (IPv4/IPv6); Integrated Switch (MLD-snooping)
Dual Tier: Branch to HQ over the Internet or Frame. Dual-Stack; IPSec VPN or Frame Relay; IOS Firewall (IPv4/IPv6); Switches (MLD-snooping)
Multi-Tier: Branch to HQ over MPLS. Dual-Stack; IPSec VPN or MPLS (6PE/6VPE); Firewall (IPv4/IPv6); Switches (MLD-snooping)
DMVPN with IPv6: Example Tunnel Configuration
Spoke Router:
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:1261::2/64
 ipv6 enable
 ipv6 mtu 1400
 ipv6 e igrp 10
 ipv6 nhrp authentication ESE
 ipv6 nhrp map multicast 172.17.1.3
 ipv6 nhrp map 2001:DB8:CAFE:1261::1/128 172.17.1.3
 ipv6 nhrp network-id 100000
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:1261::1
 ipv6 nhrp cache non-authoritative
 tunnel source 172.16.1.2
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SPOKE

Hub Router:
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:1261::1/64
 ipv6 enable
 ipv6 mtu 1400
 ipv6 eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 ipv6 nhrp authentication ESE
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100000
 ipv6 nhrp holdtime 600
 ipv6 nhrp cache non-authoritative
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile HUB
[Diagram: Hub -- Internet -- Spoke]
Single-Tier Profile
[Diagram: Branch (ADSL) to Headquarters (T1) over the Internet; Dual-Stack Host (IPv4/IPv6) at the branch; Primary and Secondary IPSec-protected configured tunnels (IPv6-in-IPv4) and Primary and Secondary DMVPN Tunnels (IPv4).]
Totally integrated solution: Branch router and integrated EtherSwitch module; IOS FW and VPN for IPv6 and IPv4
When SP does not offer IPv6 services, use IPv4 IPSec VPNs for manually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6
When SP does offer IPv6 services, use IPv6 IPSec VPNs (latest AIM/VAM supports IPv6 IPSec)
Single-Tier Profile: LAN Configuration (DHCPv6)
Branch Router:
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef
!
ipv6 dhcp pool DATA_VISTA
 address prefix 2001:DB8:CAFE:1100::/64
 dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D
 domain-name cisco.com
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64
 ipv6 nd prefix 2001:DB8:CAFE:1100::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp server DATA_VISTA
EtherSwitch Module:
ipv6 mld snooping
!
interface Vlan100
 description VLAN100 for PCs and Switch management
 ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64
Single-Tier Profile: IPSec Configuration (1)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key CISCO address 172.17.1.3
crypto isakmp key SYSTEMS address 172.17.1.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set HE1 esp-3des esp-sha-hmac
crypto ipsec transform-set HE2 esp-3des esp-sha-hmac
!
crypto map IPv6-HE1 local-address Serial0/0/0
crypto map IPv6-HE1 1 ipsec-isakmp
 set peer 172.17.1.3
 set transform-set HE1
 match address VPN-TO-HE1
!
crypto map IPv6-HE2 local-address Loopback0
crypto map IPv6-HE2 1 ipsec-isakmp
 set peer 172.17.1.4
 set transform-set HE2
 match address VPN-TO-HE2

(Figure: Branch router with a primary and a secondary path across the Internet to Headquarters; 172.17.1.3 is the peer at HQ (primary), 172.17.1.4 the peer at HQ (secondary))
Single-Tier Profile: IPSec Configuration (2)

Notes:
- Adjust delay to prefer Tunnel3
- Adjust MTU to avoid fragmentation on the router (PMTUD on the client will not account for the IPSec/tunnel overhead)
- Permit protocol 41 (IPv6-in-IPv4) instead of gre in the crypto ACLs

interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 172.17.1.3
 tunnel mode ipv6ip
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Loopback0
 tunnel destination 172.17.1.4
 tunnel mode ipv6ip
!
interface Serial0/0/0
 description to T1 Link Provider (PRIMARY)
 crypto map IPv6-HE1
!
interface Dialer1
 description PPPoE to BB provider
 crypto map IPv6-HE2
!
ip access-list extended VPN-TO-HE1
 permit 41 host 172.16.1.2 host 172.17.1.3
ip access-list extended VPN-TO-HE2
 permit 41 host 10.124.100.1 host 172.17.1.4
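A check for the third note above, written as an added example that is not part of the Cisco deck: it parses an IOS-style configuration and reports any ipv6ip or GRE tunnel whose endpoints are not matched by a crypto ACL entry for the protocol the tunnel actually emits (41 or gre), since traffic that no crypto map entry matches leaves the interface unencrypted. The configuration inside is constructed after the branch router above; the Serial0/0/0 address 172.16.1.2 and the deliberate "permit gre" mistake in VPN-TO-HE2 are assumptions.

```python
"""Cross-check each ipv6ip/GRE tunnel of an IOS-style configuration against the
crypto ACLs: the tunnel's endpoints must be matched by a permit entry for the
protocol the tunnel really emits (41 for ipv6ip, gre for GRE).  Added example,
not Cisco's code; SAMPLE_CONFIG is constructed after the branch router above."""
import re

# Wire protocol each tunnel mode produces, i.e. what the crypto ACL must permit;
# traffic that no crypto map entry matches leaves the interface unencrypted.
TUNNEL_MODE_PROTO = {"ipv6ip": "41", "gre ip": "gre", "gre multipoint": "gre"}

def parse_config(text):
    """Return (tunnels, acls, crypto_acl_names, interface_addresses)."""
    tunnels, acls, iface_addrs, crypto_acls = {}, {}, {}, set()
    section = None  # ("if", name) | ("acl", name) | ("map", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):           # global command: new section
            section = None
            if m := re.match(r"interface (\S+)", line):
                section = ("if", m.group(1))
                if m.group(1).lower().startswith("tunnel"):
                    tunnels[m.group(1)] = {"mode": "", "source": "", "destination": ""}
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m.group(1))
                acls[m.group(1)] = []
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section = ("map", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "if" and name in tunnels:
            if m := re.match(r"tunnel (mode|source|destination) (.+)", line):
                tunnels[name][m.group(1)] = m.group(2)
        elif kind == "if":
            if m := re.match(r"ip address (\S+) \S+", line):
                iface_addrs[name] = m.group(1)    # source interface -> IPv4 address
        elif kind == "acl":
            if m := re.match(r"permit (\S+) host (\S+) host (\S+)", line):
                acls[name].append(m.groups())   # (protocol, src, dst)
        elif kind == "map":
            if m := re.match(r"match address (\S+)", line):
                crypto_acls.add(m.group(1))
    return tunnels, acls, crypto_acls, iface_addrs

def check_tunnel_protection(text):
    """One finding per tunnel that no suitable crypto ACL entry matches; an
    empty list means every ipv6ip/GRE tunnel is covered."""
    tunnels, acls, crypto_acls, iface_addrs = parse_config(text)
    findings = []
    for name, t in tunnels.items():
        proto = TUNNEL_MODE_PROTO.get(t["mode"])
        if proto is None:
            continue  # native IPsec or unknown mode: nothing to cross-check
        src = iface_addrs.get(t["source"], t["source"])
        dst = t["destination"]
        entries = [e for acl in crypto_acls for e in acls.get(acl, [])
                   if e[1] == src and e[2] == dst]
        if any(e[0] == proto for e in entries):
            continue
        if entries:
            findings.append(f"{name}: crypto ACL permits {entries[0][0]} but "
                            f"tunnel mode {t['mode']!r} sends protocol {proto}")
        else:
            findings.append(f"{name}: no crypto ACL entry for {src} -> {dst}; "
                            "tunnel traffic would leave unencrypted")
    return findings

# Constructed after the slide's branch router; Serial0/0/0's address and the
# wrong "permit gre" line for Tunnel4 are assumptions made for the demo.
SAMPLE_CONFIG = """\
crypto map IPv6-HE1 1 ipsec-isakmp
 match address VPN-TO-HE1
crypto map IPv6-HE2 1 ipsec-isakmp
 match address VPN-TO-HE2
interface Loopback0
 ip address 10.124.100.1 255.255.255.255
interface Serial0/0/0
 ip address 172.16.1.2 255.255.255.252
interface Tunnel3
 tunnel source Serial0/0/0
 tunnel destination 172.17.1.3
 tunnel mode ipv6ip
interface Tunnel4
 tunnel source Loopback0
 tunnel destination 172.17.1.4
 tunnel mode ipv6ip
ip access-list extended VPN-TO-HE1
 permit 41 host 172.16.1.2 host 172.17.1.3
ip access-list extended VPN-TO-HE2
 permit gre host 10.124.100.1 host 172.17.1.4
"""

if __name__ == "__main__":
    for line in check_tunnel_protection(SAMPLE_CONFIG) or ["all tunnels covered"]:
        print(line)
```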
(Figure: Branch with two routers connected to Headquarters over Frame Relay; dual-stack host (IPv4/IPv6) on the branch LAN; IPv4 and IPv6 carried natively)

Dual-Tier Profile
- Redundant set of branch routers, separate branch switch (multiple switches can use StackWise technology)
- Each branch router uses a single frame-relay connection
- All dual-stack (branch LAN and WAN): no tunnels needed
IPv6 IPSec Example: IKE/IPSec Policies

Router1 (2001:DB8:CAFE:999::1):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CISCOKEY address ipv6 2001:DB8:CAFE:999::2/128
crypto isakmp keepalive 10 2
!
crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac
!
crypto ipsec profile v6PRO
 set transform-set v6STRONG

Router2 (2001:DB8:CAFE:999::2):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CISCOKEY address ipv6 2001:DB8:CAFE:999::1/128
crypto isakmp keepalive 10 2
!
crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac
!
crypto ipsec profile v6PRO
 set transform-set v6STRONG

(Figure: Router1 and Router2, each fronting an IPv6 network, connected across an IPv6 network)
IPv6 IPSec Example: Tunnels

Router1:
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:F00D::1/127
 ipv6 eigrp 10
 ipv6 mtu 1400
 tunnel source Serial2/0
 tunnel destination 2001:DB8:CAFE:999::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile v6PRO
!
interface Ethernet0/0
 ipv6 address 2001:DB8:CAFE:100::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 ipv6 address 2001:DB8:CAFE:999::1/127

Router2:
interface Tunnel0
 ipv6 address 2001:DB8:CAFE:F00D::2/127
 ipv6 eigrp 10
 ipv6 mtu 1400
 tunnel source Serial2/0
 tunnel destination 2001:DB8:CAFE:999::1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile v6PRO
!
interface Ethernet0/0
 ipv6 address 2001:DB8:CAFE:200::1/64
 ipv6 eigrp 10
!
interface Serial2/0
 ipv6 address 2001:DB8:CAFE:999::2/127

(Figure: Router1 (2001:DB8:CAFE:999::1) and Router2 (2001:DB8:CAFE:999::2), each fronting an IPv6 network, connected across an IPv6 network)
Remote Access
Cisco VPN Client 4.x
- IPv4 IPSec Termination (PIX/ASA/IOS VPN/Concentrator)
- IPv6 Tunnel Termination (IOS ISATAP or Configured Tunnels)

AnyConnect Client 2.x
- SSL/TLS or DTLS (datagram TLS = TLS over UDP)
- Tunnel transports both IPv4 and IPv6, and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.

(Figure: client-based IPsec VPN and client-based SSL connections across the Internet to the hub)

Cisco IPv6 Security
- IPv6 IPSec Tunnels: IOS 12.4(4)T
- IPv6 HW Encryption: 7200 VAM2+, SPA, ISR AIM VPN
- IPv6 Firewall: IOS Firewall 12.3T, 12.4, 12.4T; FWSM 3.x; PIX 7.x+, including ASA 5500 series
- IOS 12.4(9)T: RFC4552 OSPFv3 Authentication
- All IOS: packet filtering e-ACL
- IPv6 over DMVPN
Planning and Deployment Summary
IPv6 Integration Outline

Pre-Deployment Phases:
- Establish the network starting point
- Importance of a network assessment and available tools
- Defining early IPv6 security guidelines and requirements
- Additional IPv6 pre-deployment tasks needing consideration

Deployment Phases:
- Transport considerations for integration
- Campus IPv6 integration options
- WAN IPv6 integration options
- Advanced IPv6 services options
Integration/Coexistence Starting Points
Example: Integration Demarc/Start Points in Campus/WAN

1. Start dual-stack on hosts/OS
2. Start dual-stack in the campus distribution layer (details follow)
3. Start dual-stack on the WAN/campus core/edge routers
4. NAT-PT for servers/apps only capable of IPv4 (temporary only)

(Figure: campus with v4-only, v6-only and dual-stack (v4 and v6) segments (10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 2001::/64), an L2 segment, IPv4-IPv6 routers, a dual-stack IPv4-IPv6 core and edge, a v6-enabled IPv6 server, and NAT-PT in front of an IPv4-only segment; numbers 1-4 mark the start points listed above)
Deployment Scenario: The Scope of IPv6 Deployment

Basic Network Infrastructure: Hardware Support; IP Addressing; Routing Protocols
Networked Infrastructure Services: DNS & DHCP; Load Balancing & Content Switching; Security (Firewalls & IDS/IPS); Content Distribution; Instrumentation; Optimization (WAAS, SSL acceleration); VPN Access
Networked Device Support: Data Center Servers; Client Access (PCs); Printers; Collaboration Devices & Gateways; Sensors & Controllers
Applications & Application Suites: Web Content Management
Staff Training and Operations; Connectivity Roll-out; Releases & Planning
IP Services (QoS, Multicast, Mobility, Translation)
Transport: Dual-Stack; IPv6 over IPv4 Tunnels (Configured, 6to4, ISATAP, GRE); IPv6 over MPLS (6PE/6VPE)
Major SP Concerns for Enterprise Accounts

(Figure: IPv6 at the centre, surrounded by four concern areas: Port-to-Port Access, Multi-Homing, Content, Provisioning)
Port-to-Port Access

Basic Internet:
- Dual-stack or native IPv6 at each POP
- SLA driven just like IPv4 to support VPN, content access

MPLS:
- 6VPE
- IPv6 Multicast

Hosted (see Content):
- IPv6 access to hosted content
- Cloud migration (move data from Ent DC to Hosted DC)
Multi-Homing

PI/PA Policy Concerns:
- PA is no good for customers with multiple providers or who change them at any pace
- PI is new, with constantly changing expectations and no guarantee an SP won't do something stupid like not route PI space
- Customers fear that the RIR will review existing IPv4 space and want it back if they get IPv6 PI (already part of the questionnaire)

NAT:
- Religious debate about the security exposure; not a multi-homing issue
- If a customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from? No scalable IPv6 NAT exists today

Routing:
- Is it really different from what we do today with IPv4? Is this policy stuff?
- Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc. is largely missing today
Content

Hosted/Cloud Apps today:
- IPv6 provisioning and access to hosted or cloud-based services today (existing agreements)
- Salesforce.com, Microsoft BPOS (Business Productivity Online Services)

Move to Hosted/Cloud:
- Movement from internal-only DC services to hosted/cloud-based DC
- Provisioning, data/network migration services, DR/HA

Contract/Managed Marketing/Portals:
- Third-party marketing, business development, outsourcing
- Existing contracts: how to offer to connect over IPv6
Provisioning

SP Self-Service Portals:
- Not a lot of information from accounts on this, but it does concern them
- How can they provision their own services (i.e. cloud) to include IPv6 services, and do it over IPv6

SLA:
- More of a management topic, but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA
- Again, how can they do this over IPv6 AND for IPv6 services
Q & A
Complete Your Session Evaluation
- Please give us your feedback!
- Complete the evaluation form you were given when you entered the room
- This is session BRKCRS-2301
- Don't forget to complete the overall event evaluation form included in your registration kit
- YOUR FEEDBACK IS VERY IMPORTANT FOR US! THANKS
Appendix Slides
For Reference Only
Appendix: Microsoft Windows Vista/7/Server 2008
Understand the Behavior of Vista
- IPv6 is preferred over IPv4
- Vista sends IPv6 NA/NS/RS upon link-up
- Attempts DHCP for IPv6
- If no DHCP or local RA received with Global or ULA, then try ISATAP
- If no ISATAP, then try Teredo
- Become familiar with Teredo: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
- ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4: http://www.microsoft.com/technet/network/p2p/default.mspx
IPv4 Network: No IPv6 Network Services
IPv4 Network, No IPv6 Network Services: What Does Vista Try to Do?

No. Time Source Destination Protocol Info
13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK - Transaction ID 0x2b8af443
....
Bootstrap Protocol
...
Your (client) IP address: 10.120.2.2 (10.120.2.2)
...
Option: (t=3,l=4) Router = 10.120.2.1
Option: (t=6,l=4) Domain Name Server = 10.121.11.4
Option: (t=15,l=9) Domain Name = "cisco.com"
..

No. Time Source Destination Protocol Info
70 13.360756 10.120.2.2 10.121.11.4 DNS Standard query A isatap.cisco.com

No. Time Source Destination Protocol Info
138 25.362181 10.120.2.2 10.121.11.4 DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source Destination Protocol Info
580 296.686197 10.120.2.2 10.120.3.2 TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8
581 296.687721 10.120.3.2 10.120.2.2 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152
582 296.687794 10.120.2.2 10.120.3.2 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
583 296.687913 10.120.2.2 10.120.3.2 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0

(Figure: ese-vista1 (10.120.2.2) and ese-vista2 (10.120.3.2) behind an IPv4-only router; the client tries ISATAP and then Teredo)
What Is Teredo?
- RFC4380: tunnel IPv6 through NATs (NAT types defined in RFC3489)
  - Full Cone NATs (aka one-to-one): supported by Teredo
  - Restricted NATs: supported by Teredo
  - Symmetric NATs: supported by Teredo with Vista/Server 2008 if only one Teredo client is behind a symmetric NAT
- Uses UDP port 3544
- Is complex: many sequences for communication, and has several attack vectors
- Available on:
  - Microsoft Windows XP SP1 w/Advanced Networking Pack
  - Microsoft Windows Server 2003 SP1
  - Microsoft Windows Vista (enabled by default; inactive until an application requires it)
  - Microsoft Server 2008: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
  - Linux, BSD and Mac OS X: Miredo, http://www.simphalempin.com/dev/miredo/
Teredo Components
- Teredo Client: dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
- Teredo Server: dual-stack node connected to the IPv4 Internet and the IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts. Listens on UDP port 3544
- Teredo Relay: dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
- Teredo Host-Specific Relay: dual-stack node that is connected to the IPv4 Internet and the IPv6 Internet and can communicate with Teredo clients without the need for a Teredo Relay
Teredo Address
- Teredo IPv6 prefix (2001::/32; previously was 3FFE:831F::/32)
- Teredo Server IPv4 address: global address of the server
- Flags: defines NAT type (e.g. Cone NAT)
- Obfuscated External Port: UDP port number to be used with the IPv4 address
- Obfuscated External Address: contains the global address of the NAT

Address layout (128 bits):
| Teredo prefix (32 bits) | Teredo Server IPv4 Address (32 bits) | Flags (16 bits) | Obfuscated External Port (16 bits) | Obfuscated External Address (32 bits) |
Initial Configuration for Client

1. RS message sent from Teredo client to server: RS from LL address with Cone flag set
2. Server responds with RA: the RS has the Cone flag set, so the server sends the RA from its alternate v4 address; if the client receives the RA, the client is behind a cone NAT
3. If the RA is not received by the client, the client sends another RS with the Cone flag not set
4. Server responds with an RA from v4 address = destination v4 address from the RS; if the client receives the RA, the client is behind a restricted NAT
5. To ensure the client is not behind a symmetric NAT, the client sends another RS to the secondary server
6. 2nd server sends an RA to the client; the client compares the mapped address and UDP ports in the Origin indicators of the RAs received from both servers. If different, then the NAT is mapping the same internal address/port to different external address/port and the NAT is a symmetric NAT
7. Client constructs the Teredo address from the RA:
   - First 64 bits are the value from the prefix received in the RA (32 bits for the IPv6 Teredo prefix + 32 bits of hex representation of the IPv4 Teredo server address)
   - Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)
   - Next 16 bits are the external obscured UDP port from the Origin indicator in the RA
   - Last 32 bits are the obscured external IP address from the Origin indicator in the RA

Example (step 7): 2001:0:4136:e37e:0:fbaa:b97e:fe4e = Teredo prefix 2001:0 | Teredo server v4 4136:e37e | Flags 0 | Ext. UDP port fbaa | External v4 address b97e:fe4e

(Figure: Teredo client behind a NAT on the IPv4 Internet exchanging steps 1-6 with Teredo Server 1 and Teredo Server 2)
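Steps 1-6 above as a runnable model, added here and not part of the Cisco deck: a minimal NAT with cone, restricted and symmetric behaviour, two simulated Teredo servers (addresses constructed), and the client logic that classifies the NAT from which RAs make it back through the NAT and from whether the two servers report the same mapping in their Origin indications.

```python
"""Model of the Teredo qualification procedure (steps 1-6 above), run against
a simulated NAT so the classification into cone, restricted and symmetric can
be stepped through offline.  Added example, not Microsoft's or Cisco's code;
server and NAT addresses are constructed."""
from dataclasses import dataclass, field

@dataclass
class TeredoServer:
    """A server answers from its primary IPv4 address; an RS with the cone
    flag set is answered from the alternate address instead (step 2)."""
    primary: str
    alternate: str

@dataclass
class Nat:
    """Minimal NAT model.  cone: any remote host may reach a mapping;
    restricted: only remote hosts the client already sent to; symmetric: a
    distinct mapping per remote host, filtered like restricted."""
    kind: str
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> public port
    allowed: set = field(default_factory=set)      # (public port, remote ip)

    def outbound(self, client_port, dst_ip):
        """Translate an outgoing datagram; returns (public ip, public port)."""
        key = (client_port, dst_ip) if self.kind == "symmetric" else client_port
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        public_port = self.mappings[key]
        self.allowed.add((public_port, dst_ip))
        return self.public_ip, public_port

    def inbound(self, public_port, src_ip):
        """True if a datagram from src_ip to public_port is let back in."""
        if public_port not in self.mappings.values():
            return False
        return self.kind == "cone" or (public_port, src_ip) in self.allowed

def send_rs(nat, server, cone_flag, client_port=1109):
    """One RS through the NAT and the server's RA back.  Returns the Origin
    indication (mapped IPv4 address, mapped port) the RA carries, or None
    when the NAT drops the RA."""
    mapped = nat.outbound(client_port, server.primary)
    reply_src = server.alternate if cone_flag else server.primary
    if not nat.inbound(mapped[1], reply_src):
        return None
    return mapped

def qualify(nat, server1, server2):
    """Return 'cone', 'restricted', 'symmetric' or 'offline'."""
    origin = send_rs(nat, server1, cone_flag=True)          # steps 1-2
    nat_type = "cone"
    if origin is None:
        origin = send_rs(nat, server1, cone_flag=False)     # steps 3-4
        if origin is None:
            return "offline"                                # no Teredo path
        nat_type = "restricted"
    origin2 = send_rs(nat, server2, cone_flag=False)        # steps 5-6
    if origin2 is not None and origin2 != origin:
        return "symmetric"   # same inner port mapped differently per server
    return nat_type

# Constructed servers: two consecutive addresses each, as Teredo servers use.
SERVER1 = TeredoServer("192.0.2.10", "192.0.2.11")
SERVER2 = TeredoServer("198.51.100.10", "198.51.100.11")

def classify(kind):
    """Qualify a fresh NAT of the given kind (constructed public address)."""
    return qualify(Nat(kind, "203.0.113.5"), SERVER1, SERVER2)

if __name__ == "__main__":
    for kind in ("cone", "restricted", "symmetric"):
        print(f"{kind:10s} NAT -> client qualifies as {classify(kind)}")
```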
What Happens on the Wire (1)

No. Time Source Destination Protocol Info
15 25.468050 172.16.1.103 151.164.11.201 DNS Standard query A teredo.ipv6.microsoft.com
No. Time Source Destination Protocol Info
16 25.481609 151.164.11.201 172.16.1.103 DNS Standard query response A 65.54.227.126 A 65.54.227.127 A 65.54.227.120 A 65.54.227.124

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port : default
State : qualified
Type : teredo client
Network : unmanaged
NAT : restricted

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port : default
State : probe(cone)
Type : teredo client
Network : unmanaged
NAT : cone
What Happens on the Wire (2)

No. Time Source Destination Protocol Info
28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info
29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
No. Time Source Destination Protocol Info
31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info
32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement
Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)
User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)
Teredo Origin Indication header
Origin UDP port: 1109
Origin IPv4 address: 70.120.2.1 (70.120.2.1)
Prefix: 2001:0:4136:e37e::
No. Time Source Destination Protocol Info
33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info
34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement
Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
Teredo Origin Indication header
Origin UDP port: 1109
Origin IPv4 address: 70.120.2.1 (70.120.2.1)
Prefix: 2001:0:4136:e37e::

Callouts on the capture:
- Send RS with Cone flag = 1 (cone NAT), every 4 seconds
- If no reply, send with Flag = 0 (restricted NAT)
- Receive RA with Origin header and prefix
- Send RS to 2nd server to check for symmetric NAT
- Compare 2nd RA: Origin port/address from 2nd server
What Happens on the Wire (3)

No. Time Source Destination Protocol Info
82 139.258206 172.16.1.103 151.164.11.201 DNS Standard query AAAA www.kame.net
No. Time Source Destination Protocol Info
83 139.530547 151.164.11.201 172.16.1.103 DNS Standard query response AAAA 2001:200:0:8002:203:47ff:fea5:3085
No. Time Source Destination Protocol Info
96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo request
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No. Time Source Destination Protocol Info
97 149.405579 fe80::8000:5445:5245:444f 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header
Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
Teredo IPv6 over UDP tunneling
Teredo Origin Indication header
Origin UDP port: 50206
Origin IPv4 address: 66.117.47.227 (66.117.47.227)
No. Time Source Destination Protocol Info
98 149.405916 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206
No. Time Source Destination Protocol Info
99 149.463719 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109
No. Time Source Destination Protocol Info
100 149.464100 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206
No. Time Source Destination Protocol Info
101 149.789493 66.117.47.227 172.16.1.103 UDP Source port: 50206 Destination port: 1109

Callouts on the capture:
- DNS lookup
- Response
- ICMP to host via Teredo Server
- Relay sends Bubble packet to client via server; client receives relay address/port
- Packets to/from IPv6 host and client traverse the relay

According to MSFT, if Teredo is the only IPv6 path, the AAAA query should not be sent (being researched): http://msdn2.microsoft.com/en-us/library/aa965910.aspx
What Happens on the Wire (3) (Cont.)

Interface 7: Teredo Tunneling Pseudo-Interface
Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Public Preferred infinite infinite 2001:0:4136:e37e:0:fbaa:b97e:fe4e
Link Preferred infinite infinite fe80::ffff:ffff:fffd

C:\>ping www.kame.net
Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=453ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms
Appendix: ISATAP Overview

Intrasite Automatic Tunnel Address Protocol
- RFC 4214
- This is for enterprise networks such as corporate and academic networks
- Scalable approach for incremental deployment
- ISATAP uses your IPv4 infrastructure as the transport (NBMA) network
Intrasite Automatic Tunnel Address Protocol
- ISATAP is used to tunnel IPv6 in IPv4 within an administrative domain (a site) to create a virtual IPv6 network over an IPv4 network
- Supported in Windows XP Pro SP1 and others

ISATAP address format:
| 64-bit Unicast Prefix | Interface Identifier (64 bits) = 0000:5EFE (32-bit) + IPv4 Address (32-bit) |
- Use IANA's OUI 00-00-5E and encode the IPv4 address as part of the EUI-64
Automatic Advertisement of ISATAP Prefix

(Figure: ISATAP Host A on the IPv4 network sends an RS through the ISATAP tunnel to ISATAP Router 1 (interface E0), which fronts the IPv6 network)

ICMPv6 Type 133 (RS), "Send me ISATAP Prefix":
IPv4 Source: 206.123.20.100
IPv4 Destination: 206.123.31.200
IPv6 Source: fe80::5efe:ce7b:1464
IPv6 Destination: fe80::5efe:ce7b:1fc8

ICMPv6 Type 134 (RA):
IPv4 Source: 206.123.31.200
IPv4 Destination: 206.123.20.100
IPv6 Source: fe80::5efe:ce7b:1fc8
IPv6 Destination: fe80::5efe:ce7b:1464
ISATAP Prefix: 2001:db8:ffff:2::/64
Automatic Address Assignment of Host and Router
- ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
- When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates the IPv6 packets in IPv4. The outer IPv4 packets use the IPv4 source and destination addresses embedded in the ISATAP addresses.

ISATAP Host A: 206.123.20.100, fe80::5efe:ce7b:1464, 2001:db8:ffff:2::5efe:ce7b:1464
ISATAP Router 1 (E0): 206.123.31.200, fe80::5efe:ce7b:1fc8, 2001:db8:ffff:2::5efe:ce7b:1fc8

(Figure: ISATAP Host A on the IPv4 network, ISATAP tunnel to ISATAP Router 1, IPv6 network behind the router)
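The two address formats described above (Teredo's server/flags/obfuscated port and address fields, and ISATAP's 0000:5EFE interface identifier) decoded in code, as an added example that is not part of the Cisco deck. It also handles 6to4 (2002::/16), which the deck lists among the IPv4 tunnel options, so a log reviewer can tag tunnelled sources seen on an IPv4-only network. Sample addresses are taken from the slides; the 6to4 address is constructed.

```python
"""Decode the IPv4 information embedded in the transition addresses described
above: Teredo (server, flags, obfuscated external port and address), ISATAP
(0000:5EFE interface identifier) and 6to4 (2002:WWXX:YYZZ::/48).  Added
example, not Cisco's or Microsoft's code.  Sample addresses are the ones on the
slides; the 6to4 address is constructed."""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_HIGH = 0x00005EFE   # IANA OUI 00-00-5E followed by FE

def decode_teredo(addr):
    """Return server, NAT type, external port and address of a Teredo address,
    or None if it is not in 2001::/32.  Port and address are stored XOR 0xFFFF
    / 0xFFFFFFFF ("obfuscated") in the last 48 bits."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    n = int(ip)
    server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)   # bits 32..63
    flags = (n >> 48) & 0xFFFF                                # bits 64..79
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF                      # bits 80..95
    external = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "nat": "cone" if flags & 0x8000 else "restricted",   # 0x8000 = cone
        "external_port": port,
        "external_addr": str(external),
    }

def decode_isatap(addr):
    """Return the IPv4 address carried in an ISATAP interface identifier
    (link-local or global ::5efe:a.b.c.d), or None.  The u/l-bit variant
    0200:5EFE used for globally unique IPv4 addresses is accepted as well."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if ((iid >> 32) & 0xFDFFFFFF) != ISATAP_IID_HIGH:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))

def decode_6to4(addr):
    """Return the IPv4 address embedded in a 2002:WWXX:YYZZ::/48 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIX_TO_FOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF))

def classify(addr):
    """Label an IPv6 address as teredo / 6to4 / isatap / other together with
    its decoded fields, the way a log reviewer would tag tunnelled sources."""
    if (t := decode_teredo(addr)) is not None:
        return "teredo", t
    if (v4 := decode_6to4(addr)) is not None:
        return "6to4", {"ipv4": v4}
    if (v4 := decode_isatap(addr)) is not None:
        return "isatap", {"ipv4": v4}
    return "other", {}

SAMPLES = [
    "2001:0:4136:e37e:0:fbaa:b97e:fe4e",   # Teredo address from the capture
    "fe80::5efe:ce7b:1464",                 # ISATAP host A, link-local
    "2001:db8:ffff:2::5efe:ce7b:1fc8",      # ISATAP router 1, global
    "2002:c000:204::1",                     # constructed 6to4 address
    "2001:db8:cafe:1100::bad1:a001",        # native address from the LAN slide
]

if __name__ == "__main__":
    for a in SAMPLES:
        kind, info = classify(a)
        print(f"{a:40s} {kind:8s} {info}")
```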
IPv4 and IPv6 Multicast Comparison

| Service | IPv4 Solution | IPv6 Solution |
| Addressing Range | 32-bit, Class D | 128-bit (112-bit Group) |
| Routing | Protocol Independent, All IGPs and MBGP | Protocol Independent, All IGPs and MBGP with v6 mcast SAFI |
| Forwarding | PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR | PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR |
| Group Management | IGMPv1, v2, v3 | MLDv1, v2 |
| Domain Control | Boundary, Border | Scope Identifier |
| Interdomain Solutions | MSDP Across Independent PIM Domains | Single RP Within Globally Shared Domains |
MLDv1: Joining a Group (REPORT)

1. H1 sends a REPORT for the group
2. H2 sends a REPORT for the group

REPORT: Destination FF3E:40:2001:DB8:C003:1109:1111:1111 (the group), ICMPv6 Type 131

(Figure: hosts H1 and H2 and router rtr-a on one link, link-local addresses FE80::207:85FF:FE80:692, FE80::209:5BFF:FE08:A674 and FE80::250:8BFF:FE55:78DE; the Source sends to group FF3E:40:2001:DB8:C003:1109:1111:1111)
MLDv1: Host Management
1. H1 sends DONE to FF02::2 (Destination FF02::2, ICMPv6 Type 132)
2. RTR-A sends a Group-Specific Query (Destination FF3E:40:2001:DB8:C003:1109:1111:1111, ICMPv6 Type 130)
3. H2 sends a REPORT for the group (REPORT to the group, ICMPv6 Type 131)

(Figure: the same link as before: hosts H1 and H2, router rtr-a, link-local addresses FE80::207:85FF:FE80:692, FE80::209:5BFF:FE08:A674 and FE80::250:8BFF:FE55:78DE, Source sending to group FF3E:40:2001:DB8:C003:1109:1111:1111)
Other MLD Operations
Leave/DONE
- Last host leaves: sends DONE (Type 132)
- Router will respond with a group-specific query (Type 130)
- Router will use the last member query response interval (Default = 1 sec) for each query
- Query is sent twice, and if no reports occur then the entry is removed (2 seconds)

General Query (Type 130)
- Sent to learn of listeners on the attached link
- Sets the multicast address field to zero
- Sent every 125 seconds (configurable)
A Few Notes on Tunnels
- PIM uses tunnels when RPs/sources are known
- Source registering (on first-hop router):
  - Uses a virtual tunnel interface (appears in the OIL for [S,G])
  - Created automatically on the first-hop router when the RP is known
  - Cisco IOS keeps the tunnel as long as the RP is known
  - Unidirectional (transmit only) tunnels
  - PIM Register-Stop messages are sent directly from the RP to the registering router (not through the tunnel!)
PIM Tunnels (DR to RP)
branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is transmit only
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  (output truncated)

branch#show ipv6 pim tunnel
Tunnel1*
  Type  : PIM Encap
  RP    : 2001:DB8:C003:1116::2
  Source: 2001:DB8:C003:111E::2

(Figure: DR at the branch, with the Source behind it, sending through Tunnel1 across the Corporate Network to the RP (L0))
PIM Tunnels (RP)
- Source registering (on RP): two virtual tunnels are created
  - One transmit only, for registering sources locally connected to the RP
  - One receive only, for decapsulation of incoming registers from remote designated routers
- No one-to-one relationship between virtual tunnels on designated routers and the RP!
PIM Tunnels (RP for Source)
RP-router#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:1116::2 (FastEthernet0/0), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is receive only
  (output truncated)

RP-router#show ipv6 pim tunnel
Tunnel0*
  Type  : PIM Encap
  RP    : 2001:DB8:C003:1116::2
  Source: 2001:DB8:C003:1116::2
Tunnel1*
  Type  : PIM Decap
  RP    : 2001:DB8:C003:1116::2
  Source: -

(Figure: RP (L0) with its tunnels, the Source and the Corporate Network)
Tunneling v6 Multicast
- v6 in v4: most widely used
- tunnel mode ipv6ip
Source Specific Multicast (SSM)
No configuration requiredother than enabling
ipv6 multicast-routing
SSM group ranges areautomatically defined
Requires MLDv2on host or SSMMapping feature
router#show ipv6 pim range-list
config SSM Exp: never Learnt from : ::
  FF33::/32 Up: 1d00h
  FF34::/32 Up: 1d00h
  FF35::/32 Up: 1d00h
  FF36::/32 Up: 1d00h
  FF37::/32 Up: 1d00h
  FF38::/32 Up: 1d00h
  FF39::/32 Up: 1d00h
  FF3A::/32 Up: 1d00h
  FF3B::/32 Up: 1d00h
  FF3C::/32 Up: 1d00h
  FF3D::/32 Up: 1d00h
  FF3E::/32 Up: 1d00h
  FF3F::/32 Up: 1d00h
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on the lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint
An SSM-Mapping enabled router will map MLDv1 reports (which do not natively include the source, unlike MLDv2) to a source
  Range of groups can be statically defined or resolved with DNS
  Wildcards can be used to define the range of groups
SSM-Mapping
[Diagram: source 2001:DB8:CAFE:11::11 in the corporate network sending to SSM group FF33::DEAD; the receiver reports with MLDv1]

Static Mapping:
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
 permit ipv6 any host FF33::DEAD

core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
  Incoming interface: GigabitEthernet3/3
  RPF nbr: FE80::20E:39FF:FEAD:9B00
  Immediate Outgoing interface list:
    GigabitEthernet5/1, Forward, 00:01:20/00:03:06

DNS Mapping (the default):
ipv6 multicast-routing
!
ipv6 mld ssm-map enable
!
ip domain multicast ssm-map.cisco.com
ip name-server 10.1.1.1
IPv6 Multicast PIM BSR: Configuration
[Diagram: two candidate RP/BSR routers, wan-top (2001:DB8:C003:1116::2) and wan-bottom (2001:DB8:C003:110A::1), reaching the corporate network and the source across the IP WAN]

wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1

wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2
ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2
Bidirectional PIM (Bidir)
The same many-to-many model as before
Configure the Bidir RP and group range via the usual rp-address syntax (ipv6 pim rp-address) with the optional bidir keyword
!
ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir
!
#show ipv6 pim range | include BD
Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::
Embedded-RP Addressing Overview
RFC 3956 relies on a subset of RFC 3306 (IPv6 unicast-prefix-based multicast group addresses) with special encoding rules:
  Group address carries the RP address for the group!
New address format defined (field widths in bits):
  8  | 4     | 4     | 4    | 4      | 8    | 64             | 32
  FF | Flags | Scope | Rsvd | RPaddr | Plen | Network Prefix | Group ID
Flags = 0RPT, R = 1, P = 1, T = 1 => RP address embedded (0111 = 7)
Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
Embedded RP:   2001:0DB8:C003:111D::1
Embedded-RP Configuration Example
[Diagram: RP (loopback L0) reached across the IP WAN from the corporate network and the source]
The RP to be used as an Embedded-RP needs to be configured with its address and group range
All other non-RP routers require no special configuration
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
 permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
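Added example, not from the presentation: Python that decodes an RFC 3956 group address into its embedded RP and derives the /96 group range that the RP's group-range access list (such as ERP above) must permit, checked against the slide's example group and RP. It assumes a 64-bit network prefix, as in the slide's addresses.

```python
import ipaddress

# RFC 3956 layout, bit widths: FF(8) | flags(4) | scope(4) | rsvd(4) |
# RIID(4) | plen(8) | network prefix(64) | group ID(32)
EMBEDDED_FLAGS = 0x7  # 0RPT with R = P = T = 1


def embedded_rp(group: str) -> ipaddress.IPv6Address:
    """Return the RP address embedded in an RFC 3956 group address."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags = (g >> 116) & 0xF
    rsvd = (g >> 108) & 0xF
    riid = (g >> 104) & 0xF
    plen = (g >> 96) & 0xFF
    prefix = (g >> 32) & ((1 << 64) - 1)
    if flags != EMBEDDED_FLAGS or rsvd != 0:
        raise ValueError("flags must be 0111 (R, P, T set) and rsvd must be 0")
    if riid == 0 or not 1 <= plen <= 64:
        raise ValueError("RIID must be non-zero and plen must be 1..64")
    # RP = the plen-bit network prefix, zero-filled, with RIID in the low 4 bits
    net_mask = ((1 << plen) - 1) << (128 - plen)
    return ipaddress.IPv6Address(((prefix << 64) & net_mask) | riid)


def embedded_group_range(rp: str, scope: int) -> ipaddress.IPv6Network:
    """Return the /96 group range that embeds `rp` (prefix::RIID, 64-bit prefix),
    i.e. the range to permit in the RP's group-range access list."""
    r = int(ipaddress.IPv6Address(rp))
    prefix, iid = r >> 64, r & ((1 << 64) - 1)
    if not 1 <= iid <= 0xF:
        raise ValueError("RP interface ID must be a non-zero 4-bit RIID")
    g = ((0xFF << 120) | (EMBEDDED_FLAGS << 116) | (scope << 112)
         | (iid << 104) | (64 << 96) | (prefix << 32))
    return ipaddress.IPv6Network((g, 96))


if __name__ == "__main__":
    # Values taken from the slide
    print(embedded_rp("FF7E:0140:2001:0DB8:C003:111D:0000:1112"))  # 2001:db8:c003:111d::1
    print(embedded_group_range("2001:DB8:C003:111D::1", 0xE))     # ff7e:140:2001:db8:c003:111d::/96
```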
Embedded RP Does It Work?
branch#show ipv6 pim range | include Embedded
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::
  FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24

[Diagram: receiver sends an MLD report; the branch router joins toward the RP across the IP WAN]

branch#show ipv6 pim group
FF7E:140:2001:DB8:C003:111D::/96*
  RP      : 2001:DB8:C003:111D::1
  Protocol: SM
  Client  : Embedded
  Groups  : 1
  Info    : RPF: Se0/0.1,FE80::210:7FF:FEDD:40

branch#show ipv6 mroute active
Active IPv6 Multicast Sources - sending >= 4 kbps
Group: FF7E:140:2001:DB8:C003:111D:0:1112
  Source: 2001:DB8:C003:1109::2
    Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)
IPv6 QoS: Header Fields
IPv6 Traffic Class
  Exactly the same as the TOS field in IPv4
IPv6 Flow Label (RFC 3697)
  A new 20-bit field in the IPv6 basic header which:
    Labels packets belonging to particular flows
    Can be used for special sender requests
  Per the RFC, the Flow Label must not be modified by intermediate routers
  Keep an eye out for work being done to leverage the Flow Label
[IPv6 basic header: Version | Traffic Class | Flow Label / Payload Length | Next Header | Hop Limit / Source Address / Destination Address]
Simple QoS Example: IPv4 and IPv6
class-map match-any BRANCH-BULK-DATA
 match access-group name BULK-DATA-IPV6
 match access-group name BULK-DATA
class-map match-all BULK-DATA
 match dscp af11
!
policy-map RBR-WAN-EDGE
 class BULK-DATA
  bandwidth percent 4
  random-detect
!
policy-map RBR-LAN-EDGE-IN
 class BRANCH-BULK-DATA
  set dscp af11
!
ip access-list extended BULK-DATA
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
ipv6 access-list BULK-DATA-IPV6
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

Applied on the interfaces (from the diagram):
 service-policy output RBR-WAN-EDGE
 service-policy input RBR-LAN-EDGE-IN

ACL match to set DSCP (if packets are not already marked); the ACLs match both IPv4 and IPv6 packets
Configuring Cisco IOS NAT-PT
[Diagram: IPv4 side 192.168.1.0/24 on F0/1 (DNS server .10, host .100); IPv6 side 2001:DB8:C003:1::/64 on F0/0 (host 2001:DB8:C003:1::10); NAT prefix 2010::/96]

interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:1::1/64
 ipv6 cef
 ipv6 nat
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ipv6 nat prefix 2010::/96
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.1.100 2010::100
!
ipv6 nat v6v4 source route-map MAP1 pool V4POOL
ipv6 nat v6v4 pool V4POOL 192.168.2.1 192.168.2.10 prefix-length 24
!
route-map MAP1 permit 10
 match interface FastEthernet0/1
IPv6 Security
RFC mandates privacy and encryption
Same IPSec you already know
Two security extension headers defined; all implementations are required to support them (IPSec)
  Authentication Header (AH)
  Encapsulating Security Payload (ESP)
Key distribution protocols are under development
Support for manual key configuration required
IPv6 Security is more than IPSec!
New concept of privacy addressing
  On by default in Microsoft XP SP1+
  Randomly generated address
  Nearly impossible to perform successful network scans
IPv6 Protocol Challenges
Inherits many challenges found in IPv4
  Same applications
  Same TCP, UDP layers
Many new features
  Autoconfiguration (router advertisements)
  ND: Neighbor Discovery (altering ICMPv6 packets)
  DAD: multiple (bad) addresses
  Mobile IPv6: binding update, etc.
IPv6 Transition Mechanism Challenges
Dual stack: consider security for both protocols
  Cross v4/v6 abuse
  Resiliency (shared resources)
Tunnels
  Bypass firewalls (protocol 41)
  Relayed DoS attacks from v6 to v4 and vice versa
Translation mechanisms: prevent end-to-end network and transport layer security
Basic IPv6 Packet Filtering (Access Control List)
Every IPv6 ACL has an implicit permit icmp any any nd-na and permit icmp any any nd-ns
Implicit deny all at the end of the access list
[Diagram: web server 2001:DB8:C003:1102::10/64 behind F0/0 facing the IPv6 Internet; HTTP from any source permitted]

interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:1101::1/64
 ipv6 traffic-filter V6FILTER in
!
ipv6 access-list V6FILTER
 permit tcp any host 2001:DB8:C003:1102::10 eq web
!
When used for traffic filtering, IPv6 Access Control Lists (ACLs) offer the same level of support as in IPv4
Cisco IOS IPv6 Firewall Feature Set Example: Nothing New from IPv4
ipv6 unicast-routing
ipv6 cef
!
ipv6 inspect audit-trail
ipv6 inspect max-incomplete low 150
ipv6 inspect max-incomplete high 250
ipv6 inspect one-minute low 100
ipv6 inspect one-minute high 200
ipv6 inspect name V6FW tcp timeout 300
ipv6 inspect name V6FW udp
ipv6 inspect name V6FW icmp
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:1112::2/64
 ipv6 cef
 ipv6 traffic-filter EXAMPLE in
 ipv6 inspect V6FW in
!
ipv6 access-list EXAMPLE
 permit tcp any host 2001:DB8:C003:1113::2 eq www
 permit tcp any host 2001:DB8:C003:1113::2 eq ftp
 deny ipv6 any any log

[Diagram: Web/FTP server 2001:DB8:C003:1113::2 behind F0/0 facing the IPv6 Internet; HTTP and FTP from any source permitted]
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/ps5761/index.html
Cisco IOS Firewall Released 12.3(7)T
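Added example, not from the presentation: a small Python model of IPv6 ACL first-match evaluation with the implicit nd-na/nd-ns permits and the implicit deny described on the ACL slide, applied to the V6FILTER list from that slide and to the EXAMPLE list above. It makes visible that the explicit "deny ipv6 any any log" in EXAMPLE is matched before the implicit ND permits are reached, so Neighbor Discovery needs its own permit entries in a list that ends that way.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ND_NS, ND_NA = 135, 136  # ICMPv6 Neighbor Solicitation / Advertisement types
ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Ace:
    """One access-list entry; proto 'ipv6' matches any protocol."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ipv6"
    dst: ipaddress.IPv6Network
    port: Optional[int] = None       # TCP/UDP destination port, None = any
    icmp_type: Optional[int] = None  # ICMPv6 type, None = any


def host(addr: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(addr + "/128")


# Entries IOS evaluates after the configured ones, as stated on the slide:
# permit icmp any any nd-na, permit icmp any any nd-ns, then deny everything.
IMPLICIT = [Ace("permit", "icmp", ANY, icmp_type=ND_NA),
            Ace("permit", "icmp", ANY, icmp_type=ND_NS),
            Ace("deny", "ipv6", ANY)]


def matches(ace: Ace, proto: str, dst: ipaddress.IPv6Address,
            port: Optional[int], icmp_type: Optional[int]) -> bool:
    if ace.proto != "ipv6" and ace.proto != proto:
        return False
    if dst not in ace.dst:
        return False
    if ace.port is not None and ace.port != port:
        return False
    return ace.icmp_type is None or ace.icmp_type == icmp_type


def evaluate(acl: List[Ace], proto: str, dst: str,
             port: Optional[int] = None, icmp_type: Optional[int] = None) -> str:
    """First-match evaluation over the configured entries, then the implicit ones."""
    d = ipaddress.IPv6Address(dst)
    for ace in acl + IMPLICIT:
        if matches(ace, proto, d, port, icmp_type):
            return ace.action
    return "deny"  # not reached: the implicit deny matches everything


# V6FILTER from the ACL slide: only HTTP to the web server is written out.
V6FILTER = [Ace("permit", "tcp", host("2001:DB8:C003:1102::10"), port=80)]
# EXAMPLE from the firewall slide ends in an explicit "deny ipv6 any any log",
# which is matched before the implicit ND permits ever come into play.
EXAMPLE = [Ace("permit", "tcp", host("2001:DB8:C003:1113::2"), port=80),
           Ace("permit", "tcp", host("2001:DB8:C003:1113::2"), port=21),
           Ace("deny", "ipv6", ANY)]
```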
PIX/ASA: ACL Very Similar to Cisco IOS
interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
ipv6 unicast-routing
ipv6 route outside ::/0 2001:db8:c000:1051::1
ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnet
ipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64
access-group SECURE in interface outside