Enterprise IPv6 Deployment - Cisco - Global Home Page · 2008. 3. 16. · IPv6 Coexistence in the...

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

Enterprise IPv6 Deployment

Gunter Van de VeldeCCIE# 3741Technical LeaderNSSTG


Agenda

Address Plan Considerations & Strategies

Enterprise Deployment Considerations


Address Plan Considerations and Strategies


Address Plan Perspectives

Network LevelAddress Selection

Global Unicast AddressesUnique Local Addresses (ULA)

Network level design considerations

Link Level – Prefix length selection

Interface Level – Address assignment

http://tools.ietf.org/wg/v6ops/draft-ietf-v6ops-addcon/draft-ietf-v6ops-addcon-05.txt


Address Allocation Model for Aggregation

/12 /32

/32

/32

/32

/3 /48

/48

/48

/48

/64

/64

/64

/64

/12

/12

/12

AllocationGlobal

AddressesRIR Range ISP Range Enterprise

RangeSingle

LAN Range

/128

/128

/128

/128

SingleIPv6 Address

2000::/3


IPv6 Address Assignment• Lowest-order 64-bit field of unicast addresses may be assigned in

several different ways

Manually configured

Stateless configuration

Assigned via DHCP

Auto-generated pseudo-random number (rfc3041)

DHCPv6 Request

DHCPv6 Reply

Router Solicitation

Router Announcement2

1 Router Solicitation

Router Announcement2

1

(/64 prefix, timers, etc…)

IPv6 Address = /64 prefix + EUI64 (e.g. MAC address) IPv6 Address = /64 prefix + Random 64 bits (rfc3041)

RS

RA2

1

4

3

IPv4

& IP

v6IP

v6 O

nly


Enterprise Deployment Considerations


IPv6 Coexistence in the Enterprise

IPv6 Network

IPv6 Network

IPv6 Host

Configured/6to4 Tunnel

Configured/6to4 Tunnel

IPv6 Host

IPv4

IPv4: 192.168.99.1

IPv6: 2001:db8:1::1/64IPv6/IPv4

Dual Stack

IPv6

NAT-PT

IPv6Dual Stack

IPv4 and IPv6 AddressesISATAPRouter

IPv4 ISATAPTunneling

IPv4 only Server

IPv4-Only Segment


Campus IPv6 DeploymentThree Major Options

Dual-stack – The way to go for obvious reasons: performance, security, QoS, Multicast and management

Hardware-based IPv6 forwarding in L3 switches is the biggest challenge

Hybrid – Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear

Pro – Leverage existing gear and network design (traditional L2/L3 and Routed Access) Con – Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like Core acting as Access layer) and ISATAP does not support IPv6 multicast

IPv6 Service Block – A new network block used for interim connectivity for IPv6 overlay network

Pro – Separation, control and flexibility (still supports traditional L2/L3 and Routed Access)Con – Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast


Campus IPv6 Deployment OptionsDual-stack IPv4/IPv6

Requires switching/routing platforms to support hardwarebased forwarding for IPv4 and IPv6

IPv6 is transparent on L2 switches except for multicast -MLD snooping

IPv6 management —Telnet/SSH/HTTP/SNMP

Intelligent services on WLAN

Do not expect feature parity with IPv4 today – focus on the basic necessities

- Routing/forwarding, QoS, Multicast, etc…

DistributionLayer

AccessLayer

CoreLayer

AggregationLayer (DC)

Dual-stackServer

L2/L3

v6-Enabled

v6-Enabled

v6-Enabled

v6-Enabled

IPv6/IPv4 Dual Stack Hosts

AccessLayer (DC)

DualStack

Dual Stack

Dual Stack

Dual Stack

Dual Stack


Campus IPv6 Deployment OptionsHybrid Model

Offers IPv6 connectivity via multiple options

Dual-stackConfigured tunnels – L3-to-L3ISATAP – Host-to-L3

Leverages existing networkOffers natural progression to full dual-stack designMay require tunneling to less-than-optimal layers (i.e. Core layer)ISATAP creates a flat network (all hosts on same tunnel are peers)

Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)

Provides basic HA of ISATAP tunnels via old Anycast-RP ideaISATAP does not support IPv6 MulticastConfigured tunnels do support IPv6 Multicast

Dual-stackServer

L2/L3

v6-Enabled

v6-Enabled

v6-Enabled

Not v6-Enabled

v6-Enabled

Not v6-Enabled

Hybrid Model

DistributionLayer

AccessLayer

CoreLayer


AccessLayer (DC)

Dual Stack

ISATA

P TunnelD

ual Stack

ISATA

P Tunnel


Hybrid Model ExamplesHybrid Model Example #2

Dual-stackServer

L2/L3

v6-Enabled

Not v6-Enabled

v6-Enabled

Not v6-Enabled

v6-Enabled

v6-Enabled

Hybrid Model Example #1

DistributionLayer

AccessLayer

CoreLayer


AccessLayer (DC)

Dual Stack

ISATA

P TunnelD

ual Stack

ISATA

P Tunnel

Dual-stackServer

L2/L3

v6-Enabled

v6-Enabled

v6-Enabled

v6-Enabled

Not v6-Enabled

Not v6-Enabled

DistributionLayer

AccessLayer

CoreLayer


AccessLayer (DC)

Configured Tunnel

Dual Stack

Dual Stack

Configured Tunnel

Dual Stack

Dual Stack


Campus IPv6 Deployment OptionsIPv6 Service Block – An Interim Approach

ISATAP

IPv6 Service Block

Internet

Dedicated FW

IOS FW

Data Center Block

VLAN 2

WAN/ISP Block

Provides ability to rapidly deploy IPv6 services without touching existing networkProvides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)Offers the same advantages as Hybrid Model without the alteration to existing code/configurationsConfigurations are very similar to the Hybrid Model

ISATAP tunnels from PCs in Access layer to Service Block switches (instead of core layer – Hybrid)

1) Leverage existing ISP block for both IPv4 and IPv6 access2) Use dedicated ISP connection just for IPv6 – Can use IOS FW or PIX/ASA appliance

Primary ISATAP TunnelSecondary ISATAP TunnelEqual-cost Configured

Tunnel (Mesh)

IPv4-onlyCampusBlock

AggLayer

VLAN 3

2

1

AccessLayer

DistributionLayer

CoreLayer


IPv6 ISATAP ImplementationISATAP Host Considerations

ISATAP is available on Windows XP, Windows 2003, Vista/Server 2008, port for LinuxIf Windows host does not detect IPv6 capabilities on the physical interface then an effort to use ISATAP is startedCan learn of ISATAP routers via DNS “A” record lookup “isatap”or via static configuration

If DNS is used then Host/Subnet mapping to certain tunnels cannot be accomplished due to the lack of naming flexibility in ISATAPTwo or more ISATAP routers can be added to DNS and ISATAP will determine which one to use and also fail to the other one upon failure of first entryIf DNS zoning is used within the Enterprise then ISATAP entries for different routers can be used in each zone

Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role


First-Hop RedundancyWhen HSRP,GLBP and VRRP for IPv6 are not availableNUD can be used for rudimentary HA at the first-hop (today this only applies to the Campus/DC…HSRP is available on routers)

(config-if)#ipv6 nd reachable-time 5000

Hosts use NUD “reachable time” to cycle to next known default gateway (30 seconds by default)Can be combined with default router preference to determine primary gw:

(config-if)#ipv6 nd router-preference {high | medium | low}

Reachable Time : 6sBase Reachable Time : 5s

Default Gateway . . . . . . . . . : 10.121.10.1fe80::211:bcff:fec0:d000%4fe80::211:bcff:fec0:c800%4

DistributionLayer

AccessLayer

HSRP for IPv4RA’s with adjusted reachable-time for IPv6

HSRPIPv4 To Core Layer

RA

RA

1

12


DualStack

SPCloud

CorporateNetwork

WAN/Branch Deployment

Cisco routers have supported IPv6 for a long timeDual-stack should be the focus of your implementation…but, some situations still call for tunnelingSupport for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc…)Don’t assume all features for every technology are IPv6-enabledBetter feature support in WAN/Branch than in Campus/DC Dual

StackDual Stack


What next?Start now rather than later

Purchase for the future – Include IPv6 requirements in your vendor RFI/RFP

Absolute minimal is to have IPv6 security awareness

Start moving legacy application towards IPv6 support – Use protocol agnostic model when possible

Test, test and then test some more! – Validate your applications over IPv6 enabled network

Dual-stack in Campus and Branch is the target deployment modelDeployment option depend on current infrastructureMany customers may require some level of tunneling support to begin with, but the mandate may confuse people on whether they can use tunnels in certain areas of the network

Design guides available from www.cisco.com –Campus:http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753a6.pdfBranch:http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753ad.pdf

Things to consider:Full parity between IPv4 and IPv6 is the goal, but not a reality today

IPv6 Start Here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm


References

ESE Campus Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2

Deploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

ESE WAN/Branch Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10

Deploying IPv6 in Branch Networks:http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

Enterprise IPv6 Deployment - Cisco - Global Home Page · 2008. 3. 16. · IPv6 Coexistence in the...

Documents

Transcript of Enterprise IPv6 Deployment - Cisco - Global Home Page · 2008. 3. 16. · IPv6 Coexistence in the...