Enterprise IPv6 Deployment - Cisco - Global Home Page · 2008. 3. 16. · IPv6 Coexistence in the...
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Enterprise IPv6 Deployment
Gunter Van de Velde, CCIE# 3741, Technical Leader, NSSTG
Agenda
Address Plan Considerations & Strategies
Enterprise Deployment Considerations
Address Plan Considerations and Strategies
Address Plan Perspectives
Network Level
Address Selection
Global Unicast Addresses
Unique Local Addresses (ULA)
Network level design considerations
Link Level – Prefix length selection
Interface Level – Address assignment
http://tools.ietf.org/wg/v6ops/draft-ietf-v6ops-addcon/draft-ietf-v6ops-addcon-05.txt
Address Allocation Model for Aggregation
[Figure: address allocation hierarchy. Global allocation 2000::/3, RIR range /12, ISP range /32, enterprise range /48, single LAN range /64, single IPv6 address /128.]
IPv6 Address Assignment
• Lowest-order 64-bit field of unicast addresses may be assigned in several different ways
  - Manually configured
  - Stateless configuration
  - Assigned via DHCP
  - Auto-generated pseudo-random number (rfc3041)
IPv6 Address = /64 prefix + EUI64 (e.g. MAC address)
IPv6 Address = /64 prefix + Random 64 bits (rfc3041)
[Figure: message exchanges for address assignment. Router Solicitation (1) and Router Announcement (2) carrying the /64 prefix, timers, etc…; DHCPv6 Request and DHCPv6 Reply; panels labelled "IPv4 & IPv6" and "IPv6 Only".]
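The following Python example is added here and is not from the original deck. It builds an address from a /64 prefix plus the EUI-64 form of a MAC address, and goes beyond the slide by classifying the lowest-order 64 bits of an observed address (EUI-64, ISATAP per RFC 5214, or other), which is how a defender reading logs can tell that an address exposes a hardware MAC or belongs to an ISATAP tunnel. The function names and the "manual" heuristic are assumptions.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """IPv6 address = /64 prefix + EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless configuration expects a /64 prefix")
    return net[eui64_interface_id(mac)]

def classify_interface_id(addr: str) -> tuple:
    """Return (kind, detail) for the lowest-order 64 bits of an address."""
    addr = addr.split("%")[0]                      # drop a zone index such as %4
    raw = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if raw[3:5] == b"\xff\xfe":                    # EUI-64 marker: MAC is recoverable
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
        return ("eui64", ":".join(f"{x:02x}" for x in mac))
    if raw[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):   # ISATAP (RFC 5214)
        return ("isatap", str(ipaddress.IPv4Address(raw[4:])))
    if raw[:6] == bytes(6):                        # heuristic (assumption): small value
        return ("manual", hex(int.from_bytes(raw, "big")))
    return ("opaque", None)                        # random (rfc3041), DHCPv6 or manual

# Sample inputs. The first and third appear on this deck's slides; the second is
# constructed from the deck's IPv4 example; the last is a constructed random-looking ID.
SAMPLES = [
    "fe80::211:bcff:fec0:d000%4",
    "fe80::5efe:192.168.99.1",
    "2001:db8:1::1",
    "2001:db8:1:0:3c5a:91e7:0b42:d19f",
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a, classify_interface_id(a))
    print(slaac_address("2001:db8:1::/64", "00:11:bc:c0:d0:00"))
```

An EUI-64 match is a strong hint rather than proof, since a random identifier can contain ff:fe in the same position by chance.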
Enterprise Deployment Considerations
IPv6 Coexistence in the Enterprise
[Figure: coexistence mechanisms. Labels: IPv6 Network, IPv6 Host, Configured/6to4 Tunnel, IPv4, IPv6/IPv4 Dual Stack (IPv4: 192.168.99.1, IPv6: 2001:db8:1::1/64), NAT-PT, IPv4 only Server, Dual Stack with IPv4 and IPv6 Addresses, ISATAP Router, IPv4 ISATAP Tunneling, IPv4-Only Segment.]
Campus IPv6 Deployment
Three Major Options
• Dual-stack – The way to go for obvious reasons: performance, security, QoS, Multicast and management
  - Hardware-based IPv6 forwarding in L3 switches is the biggest challenge
• Hybrid – Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
  - Pro – Leverage existing gear and network design (traditional L2/L3 and Routed Access)
  - Con – Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like Core acting as Access layer) and ISATAP does not support IPv6 multicast
• IPv6 Service Block – A new network block used for interim connectivity for IPv6 overlay network
  - Pro – Separation, control and flexibility (still supports traditional L2/L3 and Routed Access)
  - Con – Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast
Campus IPv6 Deployment Options
Dual-stack IPv4/IPv6
• Requires switching/routing platforms to support hardware-based forwarding for IPv4 and IPv6
• IPv6 is transparent on L2 switches except for multicast – MLD snooping
• IPv6 management – Telnet/SSH/HTTP/SNMP
• Intelligent services on WLAN
• Do not expect feature parity with IPv4 today – focus on the basic necessities
  - Routing/forwarding, QoS, Multicast, etc…
[Figure: dual-stack campus. IPv6/IPv4 dual stack hosts, access layer, distribution layer, core layer, aggregation layer (DC), access layer (DC) and dual-stack server; every L2/L3 layer is marked v6-Enabled and every link Dual Stack.]
Campus IPv6 Deployment Options
Hybrid Model
• Offers IPv6 connectivity via multiple options
  - Dual-stack
  - Configured tunnels – L3-to-L3
  - ISATAP – Host-to-L3
• Leverages existing network
• Offers natural progression to full dual-stack design
• May require tunneling to less-than-optimal layers (i.e. Core layer)
• ISATAP creates a flat network (all hosts on same tunnel are peers)
  - Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)
• Provides basic HA of ISATAP tunnels via old Anycast-RP idea
• ISATAP does not support IPv6 Multicast
• Configured tunnels do support IPv6 Multicast
[Figure: hybrid model. Access layer, distribution layer, core layer, aggregation layer (DC), access layer (DC) and dual-stack server; some L2/L3 layers are marked v6-Enabled and others Not v6-Enabled; links are labelled Dual Stack or ISATAP Tunnel.]
Hybrid Model Examples
[Figures: Hybrid Model Example #1 and Hybrid Model Example #2. Each shows access layer, distribution layer, core layer, aggregation layer (DC), access layer (DC) and a dual-stack server, with L2/L3 layers marked v6-Enabled or Not v6-Enabled; links are labelled Dual Stack, ISATAP Tunnel or Configured Tunnel.]
Campus IPv6 Deployment Options
IPv6 Service Block – An Interim Approach
• Provides ability to rapidly deploy IPv6 services without touching existing network
• Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
• Offers the same advantages as Hybrid Model without the alteration to existing code/configurations
• Configurations are very similar to the Hybrid Model
  - ISATAP tunnels from PCs in Access layer to Service Block switches (instead of core layer – Hybrid)
• 1) Leverage existing ISP block for both IPv4 and IPv6 access
• 2) Use dedicated ISP connection just for IPv6 – Can use IOS FW or PIX/ASA appliance
[Figure: IPv6 service block. IPv4-only campus block (access, distribution, core and agg layers; VLAN 2, VLAN 3), data center block, WAN/ISP block, IPv6 service block, Internet, dedicated FW and IOS FW, with Internet options marked 1 and 2; legend: primary ISATAP tunnel, secondary ISATAP tunnel, equal-cost configured tunnel (mesh).]
IPv6 ISATAP Implementation
ISATAP Host Considerations
• ISATAP is available on Windows XP, Windows 2003, Vista/Server 2008, port for Linux
• If Windows host does not detect IPv6 capabilities on the physical interface then an effort to use ISATAP is started
• Can learn of ISATAP routers via DNS “A” record lookup “isatap” or via static configuration
  - If DNS is used then Host/Subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAP
  - Two or more ISATAP routers can be added to DNS and ISATAP will determine which one to use and also fail to the other one upon failure of first entry
  - If DNS zoning is used within the Enterprise then ISATAP entries for different routers can be used in each zone
• Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
First-Hop Redundancy
When HSRP, GLBP and VRRP for IPv6 are not available
• NUD can be used for rudimentary HA at the first-hop (today this only applies to the Campus/DC… HSRP is available on routers)
    (config-if)#ipv6 nd reachable-time 5000
• Hosts use NUD “reachable time” to cycle to next known default gateway (30 seconds by default)
• Can be combined with default router preference to determine primary gw:
    (config-if)#ipv6 nd router-preference {high | medium | low}

    Reachable Time : 6s
    Base Reachable Time : 5s

    Default Gateway . . . . . . . . . : 10.121.10.1
                                        fe80::211:bcff:fec0:d000%4
                                        fe80::211:bcff:fec0:c800%4
[Figure: access layer and distribution layer, uplinks to core layer; HSRP for IPv4, RA’s with adjusted reachable-time for IPv6.]
WAN/Branch Deployment
• Cisco routers have supported IPv6 for a long time
• Dual-stack should be the focus of your implementation… but, some situations still call for tunneling
• Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc…)
• Don’t assume all features for every technology are IPv6-enabled
• Better feature support in WAN/Branch than in Campus/DC
[Figure: corporate network connected through an SP cloud; links labelled Dual Stack.]
What next?
Start now rather than later
• Purchase for the future – Include IPv6 requirements in your vendor RFI/RFP
• The absolute minimum is to have IPv6 security awareness
• Start moving legacy applications towards IPv6 support – Use protocol agnostic model when possible
• Test, test and then test some more! – Validate your applications over IPv6 enabled network
• Dual-stack in Campus and Branch is the target deployment model
• Deployment options depend on current infrastructure
• Many customers may require some level of tunneling support to begin with, but the mandate may confuse people on whether they can use tunnels in certain areas of the network
• Design guides available from www.cisco.com
  - Campus: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753a6.pdf
  - Branch: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753ad.pdf
Things to consider:
• Full parity between IPv4 and IPv6 is the goal, but not a reality today
IPv6 Start Here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm
References
ESE Campus Design and Implementation Guides: http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2
Deploying IPv6 in Campus Networks: http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
ESE WAN/Branch Design and Implementation Guides: http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf