Enterprise IPv6 Deployment

Transcription

Enterprise IPv6 Deployment
Michael De Leo – mdeleo@cisco.com
Corporate Consulting Engineer / CTO LATAM
December 2008
Presentation ID 2007 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Agenda
- General Concepts
- Infrastructure Deployment
- Planning and Deployment Summary

Reference Materials
- "Deploying IPv6 Networks" by Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete, Cisco Press (ISBN: 1587052105)
- Deploying IPv6 in Campus: olution/campipv6.pdf
- Deploying IPv6 in Branch: olution/brchipv6.pdf
- CCO IPv6 Main Page: http://www.cisco.com/go/ipv6
- Cisco Network Designs: http://www.cisco.com/go/srnd
- Cisco IOS Feature Navigator (what images support IPv6?): http://www.cisco.com/go/fn (Registration Required)

Monitoring Market Drivers
Address space depletion
- http://www.potaroo.net/tools/ipv4/
- Impact being a slowdown of Internet growth and market penetration
IPv6 "on" and "preferred" by default
- Applications only running over IPv6 (P2P framework)
- MSFT Vista and Server 2008
National IT Strategy
- U.S. Federal Mandate
- IPv6 Task Force and promotion councils: Africa, India, Japan, Korea, China Next Generation Internet (CNGI) project
- European Commission sponsored projects
Infrastructure Evolution
- IP NGN
- DOCSIS 3.0, FTTH, HDTV, Quad Play
- Mobile SP: 3G, WiMax, PWLAN
- Networks in Motion
- Networked Sensors, i.e. AIRS
- NAT Overlap: M&A

Operating System Support
- Every major OS supports IPv6 today
- Top-to-bottom TCP/IP stack re-design
- IPv6 is on by default and preferred over IPv4 (subject to network/DNS/application support)
- Tunnels (ISATAP, Teredo, 6to4, Configured) will be used before IPv4 if required by an IPv6-enabled application. In practice this means a host on an IPv4-only network may already be sending IPv6 inside IPv4 tunnels that IPv4-only firewalls and IDS do not inspect, which is why the security guidelines later in this deck need to be written before IPv6 is "deployed".
- All applications and services that ship with Vista/Server 2008 support IPv4 and IPv6 (IPv6-only is supported): Active Directory, IIS, File/Print/Fax, WINS/DNS/DHCP/LDAP, Windows Media Services, Terminal Services, Network Access Services – Remote Access (VPN/Dial-up), Network Access Protection (NAP), Windows Deployment Service, Certificate Services, SharePoint services, Network Load-Balancing, Internet Authentication Server, Server Clustering, etc.
- ult.mspx

NAT Overlap
Figure: Corp HQ, Sub-Company 1 and Sub-Company 2 each use the 10.0.0.0 address space and are joined by a Corporate Backbone; the IPv6 addresses shown are 2001:DB8:1:1::3, 2001:DB8:1:2::3 and 2001:DB8:1:3::21. Static NAT entries for each server x how many?
- Merger and acquisition complexity forces many to leave existing IPv4 address space in place vs. full integration/consolidation
- When server-to-server or client-to-server service is required, single/double static NAT translations are often required
- IPv6 can be deployed to enable service access per site and/or per application
- IPv6 enables the network to provide access to services between sites

General Concepts

Hierarchical Addressing and Aggregation
Figure: the IPv6 ISP holds 2001:DB8::/32 and only announces the /32 prefix; Site 1 is assigned 2001:DB8:0001::/48, Site 2 is assigned 2001:DB8:0002::/48, and links inside a site are numbered from the site block (for example 2001:DB8:0002:0001::/64).
- Prefix assignment can be nnouncement-12oct06.htm
- Provider Independent proposal: http://www.arin.net/policy/proposals/2005 1.html
- Be careful when using /127 on P2P links (see RFC 3627)

Do I Get PI or PA?
It depends:
- PI space is great for ARIN-controlled space (not all RIRs have approved PI space)
- PA is a great space if you plan to use the SAME SP for a very long time OR you plan to NAT everything with IPv6 (not likely)
- More important things to consider: do you get a prefix for the entire company, or one prefix per site (what defines a site?)

Link-Level Prefix Length Considerations
Prefix length of 64 bits:
- Recommended by RFC 3177 and IAB/IESG
- Consistency makes management easy
- MUST for SLAAC

Prefix length shorter than 64 bits:
- Enables more hosts per broadcast domain
- Considered bad practice
- 64 bits already offers more space for hosts than the media can support efficiently
- Significant address space loss

Prefix length longer than 64 bits:
- Address space conservation
- Special cases: /126 valid for p2p; /127 not valid for p2p (RFC 3627); /128 loopback
- Complicates management
- Must avoid overlap with addresses that have a defined meaning: subnet-router anycast (RFC 3513), Embedded RP (RFC 3956), ISATAP addresses
(Since this deck was written RFC 3627 has been moved to Historic by RFC 6547, and RFC 6164 recommends /127 on inter-router point-to-point links, in part because a /64 on a router-to-router link lets a remote scanner fill the routers' neighbor caches.)

Interface-ID Selection: Network Devices
- Reconnaissance for network devices is the search for something to attack. A predictable interface ID such as ::1 is the first address a scanner tries on every /64, so router interfaces are found even though the subnet itself is too large to sweep.
- Use random 64-bit interface-IDs for network devices:
  2001:DB8:CAFE:2::1/64 (common IID)
  2001:DB8:CAFE:2::9A43:BC5D/64 (random IID)
  2001:DB8:CAFE:2::A001:1010/64 (semi-random IID)
- Operational management challenges with this type of numbering scheme
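To make the random-IID rule checkable, here is an added Python example (mine, not from the slides) that draws a random 64-bit interface identifier for a router interface from a CSPRNG and rejects identifiers that collide with the special addresses the prefix-length slide says to avoid: the subnet-router anycast IID (RFC 3513), IIDs 1 to 15, which Embedded-RP addresses use as the RIID (RFC 3956), the reserved subnet-anycast block at the top of the /64 (RFC 2526) and ISATAP identifiers (RFC 5214). The prefix and the three audited addresses are the slide's own; the function names are mine.

```python
"""Random interface IDs for network devices on a /64, with collision checks
against IIDs that carry a defined meaning. Added example, not from the slides."""
import ipaddress
import secrets

# Reserved subnet-anycast IIDs (RFC 2526): the highest 128 identifiers of a
# subnet, in EUI-64 form (u bit clear) and in non-EUI-64 form.
RESERVED_ANYCAST = (
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),
    (0xFFFFFFFFFFFFFF80, 0xFFFFFFFFFFFFFFFF),
)
# Upper 32 bits of an ISATAP interface ID (RFC 5214): 0000:5EFE or 0200:5EFE.
ISATAP_UPPER = (0x00005EFE, 0x02005EFE)
EMBEDDED_RP_MAX_RIID = 0xF  # RFC 3956: RIID is 4 bits, and 0 is excluded there too


def is_safe_iid(iid: int) -> bool:
    """True when a 64-bit IID collides with nothing that has a defined meaning."""
    if not 0 <= iid < 1 << 64:
        raise ValueError("interface ID must fit in 64 bits")
    if iid == 0:                                   # subnet-router anycast (RFC 3513)
        return False
    if iid <= EMBEDDED_RP_MAX_RIID:                # prefix::1 .. prefix::f double as Embedded-RP RPs
        return False
    if any(lo <= iid <= hi for lo, hi in RESERVED_ANYCAST):
        return False
    if (iid >> 32) in ISATAP_UPPER:                # would look like an ISATAP host
        return False
    return True


def random_iid() -> int:
    """Draw from a CSPRNG until the identifier passes the collision checks."""
    while True:
        iid = secrets.randbits(64)
        if is_safe_iid(iid):
            return iid


def iid_of(address: str) -> int:
    """Low 64 bits of an address, i.e. the interface ID on a /64."""
    return int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)


def address_for(link_prefix: str, iid: int) -> str:
    """Compose prefix::iid for a /64 link prefix."""
    net = ipaddress.IPv6Network(link_prefix)
    if net.prefixlen != 64:
        raise ValueError("random IIDs assume a /64 link prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def audit(addresses):
    """Map each router address to True (passes the checks) or False (collides or predictable)."""
    return {a: is_safe_iid(iid_of(a)) for a in addresses}


if __name__ == "__main__":
    # The three addresses from the slide: ::1 is flagged, the other two pass.
    print(audit(["2001:DB8:CAFE:2::1", "2001:DB8:CAFE:2::9A43:BC5D",
                 "2001:DB8:CAFE:2::A001:1010"]))
    print(address_for("2001:DB8:CAFE:2::/64", random_iid()))
```

Run audit() over the addresses already in your router configs before a renumbering: anything it flags is either guessable or is squatting on an address the protocols expect to be free.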

First-Hop Router Redundancy
HSRP for v6
- Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
- Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
- Figure: HSRP Active and HSRP Standby routers
GLBP for v6
- Modification to Neighbor Advertisement, Router Advertisement; the GW is announced via RAs
- Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
- Figure: GLBP AVG/AVF and GLBP AVF/SVF routers
Neighbor Unreachability Detection
- For rudimentary HA at the first hop
- Hosts use the NUD "reachable time" to cycle to the next known default gateway (30s by default)
- Figure: RA sent with reach-time 5,000 msec

First-Hop Redundancy When HSRP, GLBP and VRRP for IPv6 Are Not Available
- NUD can be used for rudimentary HA at the first hop (today this only applies to the Campus/DC; HSRP is available on routers)
  (config-if)#ipv6 nd reachable-time 5000
- Hosts use the NUD "reachable time" to cycle to the next known default gateway (30 seconds by default); the value above cuts detection of a dead gateway to about 5 seconds at the cost of more Neighbor Solicitation traffic from every host
- Can be combined with default router preference to determine the primary gateway:
  (config-if)#ipv6 nd router-preference {high | medium | low}
- Host view after the RA is received:
  Default Gateway . . . . . . . . . : f:fec0:c800%4
  Reachable Time: 6s, Base Reachable Time: 5s
Figure: to the core layer; distribution layer runs HSRP for IPv4 and sends RAs with the adjusted reachable-time for IPv6; access layer.

HSRP for IPv6
- Many similarities with HSRP for IPv4
- Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
- No need to configure the GW on hosts (RAs are sent from the HSRP Active router)
- Virtual MAC derived from the HSRP group number and the virtual IPv6 link-local address
- IPv6 virtual MAC range: 0005.73A0.0000 to 0005.73A0.0FFF (4096 addresses)
- HSRP IPv6 UDP port number 2029 (IANA assigned)
- No HSRP IPv6 secondary address
- No HSRP IPv6-specific debug

interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 ipv6 cef
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 preempt
 standby 1 timers msec 250 msec 800
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string cisco
 standby 1 track FastEthernet0/0

The md5 key-string keeps a rogue device on the segment from joining the group and winning the Active role; "cisco" is the slide's placeholder, not a key to deploy.

Host with GW of the virtual IP:
# route -A inet6 | grep ::/0 | grep eth2
::/0   fe80::5:73ff:fea0:1   UGDA 1024 0 0 eth2

GLBP for IPv6
- Many similarities with GLBP for IPv4 (CLI, load-balancing)
- Modification to Neighbor Advertisement, Router Advertisement
- GW is announced via RAs
- Virtual MAC derived from the GLBP group number and the virtual IPv6 link-local address
- Roles: AVG Active Virtual Gateway, AVF Active Virtual Forwarder, SVF Standby Virtual Forwarder (figure: one router is AVG/AVF, the other AVF/SVF)

interface FastEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 cef
 glbp 1 ipv6 autoconfig
 glbp 1 timers msec 250 msec 750
 glbp 1 preempt delay minimum 180
 glbp 1 authentication md5 key-string cisco

DHCPv6
- Updated version of DHCP for IPv4
- Client detects the presence of routers on the link
- If found, it examines the router advertisements (M and O flags) to determine if DHCP can or should be used
- If no router is found, or if DHCP can be used, a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address

DHCPv6 Addresses and Ports
Figure: the client's Request is forwarded by the relay agent, and the server's Reply comes back inside a Relay-Reply.
- All DHCP Relay Agents and Servers: FF02::1:2
- All DHCP Servers: FF05::1:3
- DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547

Stateful/Stateless DHCPv6
Stateful and stateless DHCPv6 servers:
- Cisco Network Registrar: etmgtsw/ps1982/
- Microsoft Windows Server 2008: 033.mspx?mfr true
- Dibbler: http://klub.com.pl/dhcpv6/
- DHCPv6 Relay: 12.3(11)T/12.2(28)SB and higher
Figure: IPv6-enabled host on the client link, the relay router, the network, and the DHCPv6 server.

Relay configuration on the client-facing interface:
interface FastEthernet0/1
 description CLIENT LINK
 ipv6 address 2001:DB8:CAFE:11::1/64
 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

With no-advertise the prefix is kept out of the RA, so hosts cannot autoconfigure an address and must obtain one from DHCPv6 (M flag); the O flag tells them to fetch the other parameters (DNS, etc.) from DHCPv6 as well.

Basic DHCPv6 Message Exchange (DHCPv6 Client, DHCPv6 Relay Agent, DHCPv6 Server)
Address assignment:
  Client -> Relay:  Solicit(IA_NA)
  Relay -> Server:  Relay-Forw(Solicit(IA_NA))
  Server -> Relay:  Relay-Repl(Advertise(IA_NA(addr)))
  Relay -> Client:  Advertise(IA_NA(addr))
  Client -> Relay:  Request(IA_NA)
  Relay -> Server:  Relay-Forw(Request(IA_NA))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay -> Client:  Reply(IA_NA(addr))
  Address assigned
Timer expiring:
  Client -> Relay:  Renew(IA_NA(addr))
  Relay -> Server:  Relay-Forw(Renew(IA_NA(addr)))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay -> Client:  Reply(IA_NA(addr))
Shutdown, link down, release:
  Client -> Relay:  Release(IA_NA(addr))
  Relay -> Server:  Relay-Forw(Release(IA_NA(addr)))
  Server -> Relay:  Relay-Repl(Reply(IA_NA(addr)))
  Relay -> Client:  Reply(IA_NA(addr))
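The exchange above, encoded and decoded on the wire, as an added Python example that is not part of the original deck. It builds the Solicit/Request with an IA_NA option, wraps them in Relay-Forw the way the relay on the previous slide would (link-address set to the relay's interface address, peer-address to the client's link-local), lets a toy server answer through Relay-Repl, and pulls the leased address back out. Message types and option codes are the RFC 3315 values; the DUIDs, transaction ID and lease are constructed sample values, and the function names are mine.

```python
"""DHCPv6 Solicit/Advertise/Request/Reply through a relay agent, encoded and
decoded by hand in the RFC 3315 wire format. Added example, not from the slides."""
import ipaddress
import struct

# Message types and option codes (RFC 3315)
SOLICIT, ADVERTISE, REQUEST, RENEW, REPLY, RELEASE = 1, 2, 3, 5, 7, 8
RELAY_FORW, RELAY_REPL = 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RELAY_MSG = 1, 2, 3, 5, 9

# Addresses and ports from the slide
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
ALL_DHCP_SERVERS = "ff05::1:3"
CLIENT_PORT, SERVER_PORT = 546, 547


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def ia_na(iaid, t1=0, t2=0, addr=None, preferred=0, valid=0):
    """IA_NA option, optionally carrying one IA Address sub-option."""
    body = struct.pack("!III", iaid, t1, t2)
    if addr is not None:
        body += option(OPT_IAADDR,
                       ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))
    return option(OPT_IA_NA, body)


def message(msg_type, xid, *options):
    """Client/server message: 1-byte type, 3-byte transaction ID, then options."""
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + b"".join(options)


def relay(msg_type, link_addr, peer_addr, inner, hop_count=0):
    """Relay-Forw / Relay-Repl: type, hop count, link-address, peer-address,
    and the encapsulated message inside a Relay Message option."""
    return (struct.pack("!BB", msg_type, hop_count)
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + option(OPT_RELAY_MSG, inner))


def parse_options(data):
    opts = []
    while data:
        if len(data) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[:4])
        if len(data) < 4 + length:
            raise ValueError("option length exceeds packet")
        opts.append((code, data[4:4 + length]))
        data = data[4 + length:]
    return opts


def parse(data):
    """Decode a message into a dict; relay wrappers are decoded recursively."""
    msg_type = data[0]
    if msg_type in (RELAY_FORW, RELAY_REPL):
        opts = dict(parse_options(data[34:]))
        return {"type": msg_type, "hop": data[1],
                "link": str(ipaddress.IPv6Address(data[2:18])),
                "peer": str(ipaddress.IPv6Address(data[18:34])),
                "inner": parse(opts[OPT_RELAY_MSG])}
    opts = parse_options(data[4:])
    out = {"type": msg_type, "xid": int.from_bytes(data[1:4], "big"),
           "options": dict(opts), "addresses": []}
    for code, body in opts:
        if code == OPT_IA_NA:
            for sub, sub_body in parse_options(body[12:]):     # skip IAID, T1, T2
                if sub == OPT_IAADDR:
                    out["addresses"].append(str(ipaddress.IPv6Address(sub_body[:16])))
    return out


def run_exchange(client_duid=b"\x00\x03\x00\x01\x00\x0d\x60\x84\x2c\x7a",   # DUID-LL, constructed
                 server_duid=b"\x00\x03\x00\x01\x00\x05\x73\xa0\x00\x01",   # DUID-LL, constructed
                 lease="2001:db8:cafe:11::100"):
    """Simulate client -> relay -> server -> relay -> client and return the leased
    address. The toy server hands out `lease` to whoever asks."""
    client_ll, relay_link = "fe80::20d:60ff:fe84:2c7a", "2001:db8:cafe:11::1"
    xid, iaid = 0x123456, 1

    def server(relay_forw):
        req = parse(relay_forw)
        inner = req["inner"]
        if inner["type"] not in (SOLICIT, REQUEST):
            raise ValueError("unexpected message type")
        reply_type = ADVERTISE if inner["type"] == SOLICIT else REPLY
        answer = message(reply_type, inner["xid"],
                         option(OPT_CLIENTID, inner["options"][OPT_CLIENTID]),
                         option(OPT_SERVERID, server_duid),
                         ia_na(iaid, 300, 600, lease, 3600, 7200))
        return relay(RELAY_REPL, req["link"], req["peer"], answer)

    solicit = message(SOLICIT, xid, option(OPT_CLIENTID, client_duid), ia_na(iaid))
    advertise = parse(server(relay(RELAY_FORW, relay_link, client_ll, solicit)))["inner"]
    request = message(REQUEST, xid, option(OPT_CLIENTID, client_duid),
                      option(OPT_SERVERID, advertise["options"][OPT_SERVERID]), ia_na(iaid))
    reply = parse(server(relay(RELAY_FORW, relay_link, client_ll, request)))["inner"]
    if reply["type"] != REPLY or reply["xid"] != xid:
        raise ValueError("reply does not match request")
    return reply["addresses"][0]


if __name__ == "__main__":
    print("leased", run_exchange())
```

Note what the relay adds: the server never sees the client's link-local address except as peer-address inside Relay-Forw, and it picks the pool from link-address, which is why the relay destination on the previous slide is configured on the client-facing interface.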

CNR/W2K8 DHCPv6

IPv6 General Prefix
- Provides an easy/fast way to deploy prefix changes
- Example: 2001:db8:cafe::/48 is the general prefix; fill in the interface-specific fields after the prefix, so "ESE ::11:0:0:0:1" becomes 2001:db8:cafe:11::1/64

ipv6 unicast-routing
ipv6 cef
ipv6 general-prefix ESE 2001:DB8:CAFE::/48
!
interface GigabitEthernet3/2
 ipv6 address ESE ::2/126
 ipv6 cef
!
interface GigabitEthernet1/2
 ipv6 address ESE ::E/126
 ipv6 cef
!
interface Vlan11
 ipv6 address ESE ::11:0:0:0:1/64
 ipv6 cef
!
interface Vlan12
 ipv6 address ESE ::12:0:0:0:1/64
 ipv6 cef

Resulting address on Vlan11:
Global unicast address(es):
  2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64
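The composition rule the slide describes (general prefix on top, interface-specific bits below), as an added Python example that is not from the deck: it expands each "ipv6 address ESE ..." line to the full address, rejects an interface part that sets bits inside the general prefix, and previews what every interface becomes when the general prefix is changed, which is the renumbering use case the slide is selling. The interface table is taken from the configuration above; the new prefix 2001:DB8:BEEF::/48 and the function names are mine.

```python
"""Expand IOS 'ipv6 general-prefix' addresses and preview a renumbering.
Added example, not from the slides; function names are mine."""
import ipaddress


def expand_general_prefix(general_prefix: str, interface_part: str) -> str:
    """Compose 'ipv6 address <name> <suffix>/<len>' as the slide describes:
    high bits from the general prefix, the remaining bits from the suffix."""
    net = ipaddress.IPv6Network(general_prefix)
    suffix, plen = interface_part.split("/")
    plen = int(plen)
    suffix_bits = int(ipaddress.IPv6Address(suffix))
    host_mask = (1 << (128 - net.prefixlen)) - 1
    if suffix_bits & ~host_mask:
        raise ValueError(f"{suffix} sets bits inside the /{net.prefixlen} general prefix")
    if plen < net.prefixlen:
        raise ValueError(f"/{plen} is shorter than the general prefix /{net.prefixlen}")
    return f"{ipaddress.IPv6Address(int(net.network_address) | suffix_bits)}/{plen}"


def expand_interfaces(general_prefix, interfaces):
    """interfaces: {name: interface_part}; returns {name: full address}."""
    return {name: expand_general_prefix(general_prefix, part)
            for name, part in interfaces.items()}


def renumber_diff(old_prefix, new_prefix, interfaces):
    """Show what changing the general prefix does to every interface."""
    before = expand_interfaces(old_prefix, interfaces)
    after = expand_interfaces(new_prefix, interfaces)
    return {name: (before[name], after[name]) for name in interfaces}


# The slide's configuration, as data
SLIDE_INTERFACES = {
    "GigabitEthernet3/2": "::2/126",
    "GigabitEthernet1/2": "::E/126",
    "Vlan11": "::11:0:0:0:1/64",
    "Vlan12": "::12:0:0:0:1/64",
}

if __name__ == "__main__":
    diff = renumber_diff("2001:DB8:CAFE::/48", "2001:DB8:BEEF::/48", SLIDE_INTERFACES)
    for name, (old, new) in diff.items():
        print(f"{name:20} {old:32} -> {new}")
```

The overlap check matters in practice: a suffix like 0:0:1::1 under a /48 silently changes the site prefix on IOS-style composition, so catch it before the renumbering rather than after the first site stops routing.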

IPv6 Multicast Availability
- Multicast Listener Discovery (MLD): equivalent to IGMP
- PIM group modes: Sparse Mode, Bidirectional and Source Specific Multicast
- RP deployment: Static, Embedded; NO Anycast-RP yet
Figure: source S, designated routers (DR), the RP, and a host doing multicast control via MLD.

Multicast Listener Discovery: MLD
Multicast host membership control
- MLD is equivalent to IGMP in IPv4
- MLD messages are transported over ICMPv6
- MLD uses link-local source addresses
- MLD packets use "Router Alert" in the extension header (RFC 2711)
- Version number confusion: MLDv1 (RFC 2710) is like IGMPv2 (RFC 2236); MLDv2 (RFC 3810) is like IGMPv3 (RFC 3376)
- MLD snooping

Multicast Deployment Options: With and Without Rendezvous Points (RP)
- SSM, no RPs (figure: source S and DR only)
- ASM, single RP, static definitions (figure: every DR is configured with "he is the RP")
- ASM across a single shared PIM domain, one RP, Embedded-RP (figure: a DR signals "Alert! I want GRP A from RP B")

IPv6 QoS Syntax Changes
- IPv4 syntax has used "ip" following match/set statements. Example: match ip dscp, set ip dscp
- Modification in QoS syntax to support IPv6 and IPv4
  New match criteria:
    match dscp (match DSCP in v4/v6)
    match precedence (match Precedence in v4/v6)
  New set criteria:
    set dscp (set DSCP in v4/v6)
    set precedence (set Precedence in v4/v6)
- Additional support for IPv6 does not always require new Command Line Interface (CLI). Example: WRED

Scalability and Performance
IPv6 Neighbor Cache vs. ARP for IPv4
- In dual-stack networks the first-hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) in addition to ARP entries. Because a /64 is unsweepable, neighbor-cache capacity is also a denial-of-service surface: a remote scanner can force the router to create entries for addresses that do not exist, so watch the cache size as well as the memory.

ARP entry for a host in the campus distribution layer:
Internet  10.120.2.200   2   000d.6084.2c7a  ARPA   Vlan2

IPv6 neighbor cache entries for the same host (same MAC, global and link-local address):
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1   4   000d.6084.2c7a  STALE  Vl2
FE80::7DE5:E2B0:D4DF:97EC            16   000d.6084.2c7a  STALE  Vl2

- Full Internet route tables: ensure to account for TCAM/memory requirements for both IPv4/IPv6; not all vendors can properly support both
- Multiple routing protocols: IPv4 and IPv6 will have separate routing protocols; ensure enough CPU/memory is present
- Control plane impact when using tunnels: terminate ISATAP/configured tunnels in HW platforms when attempting large-scale deployments (hundreds/thousands of tunnels)

Selecting an IPv6 IGP

"IPv6 is an Evolutionary not a Revolutionary step and this is very clear in the case of routing which saw minor changes even though most of the Routing Protocols were completely rebuilt."

IPv6 Challenges to Router Performance (Addressing Driven)
- Forwarding challenges: lookup not impacted as much as originally thought; different-size prefixes typically see little difference in forwarding performance
- Control plane challenges, routing table sizes:
  IPv6 supports multiple addresses per interface (not the most significant concern at this time, but it could be in the future)
  IPv6 can have a lot more prefixes due to a significantly larger address space

IPv6 Routing Protocols (IPv6 protocol and its IPv4 counterpart)
- Static Routing
- RIPng (RIPv2)
- IPv6 EIGRP (EIGRP)
- IPv6 IS-IS (IS-IS)
- OSPFv3 (OSPFv2)
- IPv6 extensions for BGP
Remember: ipv6 unicast-routing (for IOS, not for IOS XR)

The Questions Are (Almost) the Same as for IPv4
Is one routing protocol better than any other routing protocol? Define "better":
- Converges faster?
- Easier to troubleshoot?
- Uses less resources?
- Easier to configure?
- Scales to a larger number of routers, routes, or neighbors?
- More flexible?
- Degrades more gracefully?

IPv6 IGP Selection in Theory
- The similarity between the IPv6 and IPv4 routing protocols leads to similar behaviour and expectations
- To select the IPv6 IGP, start by using the IPv4 IGP rules of thumb

IPv4 IGP Selection Rules: Topology Rules of Thumb
Figure: a topology axis from Mesh to Hub and Spoke against an addressing axis of Flat, Hierarchy and Aggregated; Link State sits at the Mesh end and EIGRP at the Hub and Spoke end.

IPv6 IGP Selection in Practice
- The IPv6 IGP implementations might not be fully optimized yet, so there is a bit more uncertainty
- Not all fast-convergence optimizations might be available
- Operational experience with large-scale IPv6 networks is still being developed

IGP Conclusions
- Same topology considerations as for IPv4
- Convergence time: when comparing apples to apples the convergence times are very similar
- Other tools are also leveraged: Bidirectional Forwarding Detection (BFD)
- There are HW and SW dependencies

Deployment Considerations: Coexistence
Start here: Cisco IOS Software Release Specifics for IPv6: oduct/software/ios123/123cgcr/ipv6 c/ftipv6s.htm

IPv6 Coexistence
Figure: three mechanisms
- Dual stack: IPv4 and IPv6 on the same interface (IPv4: 192.168.99.1) between two IPv6 networks
- MPLS (6PE/6VPE): IPv6 networks carried across the MPLS core
- ISATAP tunneling (Intra-Site Automatic Tunnel Addressing Protocol): IPv6 hosts reach an ISATAP router across the IPv4 network

Planning and Deployment Summary

IPv6 Integration Outline
Pre-Deployment Phases:
- Establish the network starting point
- Importance of a network assessment and available tools
- Defining early IPv6 security guidelines and requirements
- Additional IPv6 "pre-deployment" tasks needing consideration
Deployment Phases:
- Transport considerations for integration
- Campus IPv6 integration options
- WAN IPv6 integration options
- Advanced IPv6 services options

Integration/Coexistence Starting Points
Example: integration demarc/start points in Campus/WAN
1. Start dual-stack on hosts/OS
2. Start dual-stack in the campus distribution layer (details follow)
3. Start dual-stack on the WAN/campus core/edge routers
4. NAT-PT for servers/apps only capable of IPv4 (temporary only; NAT-PT was moved to Historic by RFC 4966 in 2007, so treat it as a stopgap, not a design)
Figure: access segments 10.1.3.0/24 and 10.1.4.0/24, each dual-stacked with a 2001::/64 prefix (v4 and v6 hosts behind v6-enabled L2), a dual-stack IPv4-IPv6 core and edge, dual-stack IPv4-IPv6 routers, a v6-only IPv6 server, and an IPv4-only segment 10.1.2.0/24 reached via NAT-PT.

Pre-Deployment Checklist: Other Critical Network Planning Requirements
- Establish starting point, network assessment, security guidelines
- Acquire an IPv6 address block and create the IPv6 addressing scheme
- Create and budget for an IPv6 lab that closely emulates all network elements (routers, switches, hosts, OS)
- Upgrade the DNS server to support IPv6
- Establish network management considerations (hardware, MIBs required for v6, etc.)
- Routing and multicast protocol selection/evaluation process (align with the IPv4 choice if possible)
- Consider options for a centralized ISATAP router (see campus example)
- Evaluate IPv6-capable transport services available from the current Service Provider (SP)
  Link support to the timeline needed, not before
  Does the L3 VPN service support QoS? Dual-homing? Security at the NAP?

Transport Deployment Options for Integration
Applied to Campus, WAN, Branch, and Other
Campus (also applies to Data Center):
- Dual-stack (IPv4/v6 enabled on all L3 devices: core/distribution/access)
- Hybrid (combination of dual-stack, tunnels, ISATAP)
- Services block (dedicated for IPv6 ISATAP tunnel termination)
WAN (used for core or branch interconnect):
- Dual-stack core/edge
- WAN L2 transport (IPv4/v6 over ATM/FR, PPP/HDLC, T1/T3, OC-x)
- Metro service (Ethernet, point-to-point, point-to-multipoint)
VPN/transport considerations:
- Self-deployed MPLS VPNs: PE to PE (VPN or non-VPN service)
- SP offering L3 VPN service: CE to CE (encryption? QoS? multicast?)
- Overlay 6 over 4 IPsec: site-to-site, VPN client-based using ISATAP
- IPv6 over WiFi (802.1X is not required to be supported over IPv6)
Other service options:
- Broadband, Internet (as transport), remote access supporting IPv6

General IPv6 Requirements, Considered in Each Place in the Network
- General coexistence: IPv4 and IPv6 coexist with no impact on performance; flexible integration tools
- Routing: high-performance IPv6-aware routing protocols
- QoS: identify and prioritize traffic based upon a wide variety of criteria; contiguous over campus, WAN, branch
- Mobility: access to applications and services while in motion; design into core infrastructure for IPv4 and IPv6; SP offered
- IP multicast: optimize traffic utilization with a broad range of deployment types
- Security: user-based policy enforcement; stress host-based features; privacy extensions; monitoring and reporting
Each category applied to Campus, WAN, Branch, Other

The Scope of IPv6 Integration
Figure: a layered view
- Networked Device Support: devices and gateways; sensors and controllers
- Networked Infrastructure Services: DNS and DHCP; load balancing and content switching; security (firewalls and IDS/IPS); content distribution; optimization (WAAS, SSL acceleration); VPN access
- Data Center Servers; Web Content Management; Applications and Application Suites
- Roll-out Releases and Planning; Staff Training and Operations
- Deployment scenarios: IPv6 over IPv4 tunnels (Configured, 6to4, ISATAP, GRE); Dual-Stack; IPv6 over MPLS (6PE/6VPE)
- Basic Network Infrastructure: IP services (QoS, Multicast, Mobility, ...); routing protocols; instrumentation

Conclusion
- Start learning now: books, presentations, your own pilot lab
- Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, apps, network and operations/management
- Microsoft Windows Vista and Server 2008 will have IPv6 enabled by default; understand what impact any OS has on the network
- Things to consider: full parity between IPv4 and IPv6 is the goal, but not a reality today; watch the standards and policies

Q and A