Inside Cisco IT: Making the Leap to IPv6 (COCRST-3464)
Source: lisp.cisco.com/docs/COCRST-3464.pdf
Khalid Jawaid
Member of Technical Staff
A session focused on the technical and business drivers, successes, challenges and lessons learned around Cisco IT's implementation of IPv6 on internal and customer-facing networks, with insight into how Cisco IT used LISP to accelerate its IPv6 deployment across regions where the architecture does not natively support IPv6 as a transport.
© 2014 Cisco and/or its affiliates. All rights reserved. COCRST-3464 Cisco Public
Agenda
Overview
– Introduction to Cisco IT
– Making the case for IPv6
– IPv6 Journey
– Target State
Preparation
Implementation Tracks
– Ubiquitous IPv6 Access
– IPv6 Internet Presence
LISP as an IPv6 Transition Mechanism
Lessons Learned
Cisco IT Network - Technology and People
More Than 180,000 People Worldwide in the Extended Cisco Family
• 369 locations in 90 countries
• 450+ buildings
• 51 data centers and server rooms
• 1500+ labs worldwide (500+ in San Jose)
• 66,000+ employees
• 30,000 contractors
• 20,000 channel partners
• 110+ application service providers
• 210+ business and support development partners
Cisco IT Global Tier One WAN Backbone
[Figure: world map of the WAN backbone. Link types: OC3 / STM1, OC12 / STM4, OC48 / STM16, 10GigE. Regions: N. America, LATAM, Europe, Middle East, ASIAPAC. Sites: San Jose, LAX, RTP, New York, Orlando, Sao Paulo, London, Amsterdam, Brussels, Bangalore, Shanghai, Hong Kong, Tokyo, Singapore, Sydney.]
Core BB/Campus
– ASR1K - 532
– C6k - 1700
– 4500-X - 50
– C6k(L2) - 1650
– C4k(L2) - 291
Branch Office
– ISR(3845) – 1778
– ISR(3945) – 1265
– 3750* - 2912
– 3850 - 18
Related session: Evolving to a Cloud Ready Wide Area Network, Thursday, Jan 30, 11:30 AM - 1:00 PM (Dipesh Patel, Snr IT Architect; Chris Herl, Design Manager)
IPv4 Exhaustion
[Figure: IANA and RIR IPv4 address pool exhaustion]
RIR       Date       % Left
APNIC     19-04-11   0.8
RIPE      14-09-12   0.85
ARIN      13-01-15   1.3
LACNIC    17-02-15   1.4
AFRINIC   17-01-22   3.34
Sources:
https://ipv6.he.net/statistics/
http://www.potaroo.net/tools/ipv4/index.html
Making the Case for IPv6
Business Drivers
– Leadership and Mindshare
– Product Readiness
– Internet Evolution
IT Drivers
– Product Development and Testing
– Continuity and Growth
– Cisco On Cisco
Constraints
– Maintain IPv4 SLA & Security Posture
– Funding & Resourcing
– Product & Service Gaps
Goals
– IPv6 Internet Presence
– Ubiquitous IPv6 Access
Cisco IT “Stack”
[Figure: layered diagram of the Cisco IT stack, listed here from top to bottom]
Application Environments
– Mobility, ASP Integration (Salesforce.com)
– Internal Apps (CEC, IWE, etc.)
– Cisco.com and DMZ Apps
Middleware and Databases
– Web Servers (Apache, IIS)
– Application Servers (Weblogic / Liferay)
– Middleware (Messaging, Web Services Gateway)
– Databases (Oracle, MySQL, MS SQL)
Infrastructure Devices and Services
– DC (Compute, Storage, VDI)
– Client Access (PCs)
– Printers
– VOIP, Collaboration Devices & Gateways
– Sensors & Controllers
Network-embedded Services
– DNS & DHCP
– Load Balancing & Content Switching
– Security (Firewall & IDS/IPS)
– Content Distribution
– Optimization (WAAS, SSL Acceleration)
– VPN Access
– IP Services (QoS, Multicast, Mobility, Translation)
Basic Network Infrastructure
– Hardware Support
– Connectivity
– IP Addressing
– Routing Protocols
– Instrumentation
Spanning all layers
– Staff Training & Operations
– Security Inspection & Monitoring
Setting IPv6 Scope
[Figure: the Cisco IT stack diagram (Application Environments; Middleware and Databases; Infrastructure Devices; Network-embedded Services; Basic Network Infrastructure; Staff Training & Operations; Security Inspection & Monitoring), repeated with the scope annotation below]
Pervasive IPv6 adoption with IPv4 co-existence
Cisco IT’s IPv6 Target State
Ubiquitous IPv6 Access
• Globalization
• Technology Leadership
• Product Development
IPv6 Internet Presence
• Internet Evolution
• Business Continuity
• Customers, partners, employees
[Figure labels: Dual-Stack Enterprise; IPv6 Internet]
The IPv6 Journey – A High Level View
[Figure: timeline from IPv4-only, through IPv4 and IPv6 co-existence, to IPv6-only. Time axis: 2002-2009, 2010, 2011, 2012, 2013, 2014.]
Ubiquitous IPv6 Access (Inside-Out)
– On-demand tunnel services
– Dual stack “alpha” networks
– Dual stack global core
– Resilient tunnel services
– Dual stack user access (pilot)
– Dual stack user access (prod)
– Dual stack internal DC and apps
IPv6 Internet Presence (Outside-In)
– www.ipv6.cisco.com
– www.cisco.com accessible over IPv6
– Entire cisco.com platform accessible over IPv6
Preparation
– Cross Functional Collaboration
– Assessment
– Architect & Design
– Address Planning
– Implementation Strategy & Plan
Preparation: Cross Functional Collaboration
Example of the need for wide cross-functional collaboration across IT on IPv6
Preparation and execution required participation of team members from 7 of 9 of the CIO’s direct reports
Preparation: Assessment
Cisco products, features
– Engaged Advanced Services for network IPv6 readiness report
Other vendors
Tools
– Security
– Network management
Service providers
Applications behind www.cisco.com
Preparation: Architect and Design
Architectural decisions
– Which routing protocol?
– SLAAC vs DHCPv6?
– Which IPv6 transition technologies?
– Code selection and qualification
Documentation
– Any new documentation required?
– Assess which existing designs are impacted and assign owners
– Extra review board resources
Preparation: IPv6 Address Planning
Address management tool support for IPv6
Established IPv6 Addressing policy
Hierarchical Model – Global, Regional, Sub-Regional and Site levels
Template-based addressing - easy for Implementation and Operations Teams
Preparation: IPv6 Address Planning
/34 Global Level (50% spares)
/35 - /36 per Region
/37 - /39 per Sub-Region
/40 per Campus (256 Buildings)
/48 per Building/Branch (16 PINs per Building/Branch)
/52 per PIN (4096 Subnets / PIN)
PIN = Place In the Network: a framework to classify functional areas of the network, e.g. Lab, Desktop, DC, DMZ etc.
Preparation: IPv6 Address Planning
[Figure: address layout showing the /48 Building prefix, the /52 PIN field and the /64 subnets per PIN]
PIN values
0 = Infra
1 = Desktop / Wireless
2 = Lab
3 = Guest
4 = Voice
D = Building DC
... etc
Examples
2001:0420:028C:1000::/52 - Desktop PIN
    2001:0420:028C:1300::/64 – Desktop VLAN 300
    2001:0420:028C:1301::/64 – Desktop VLAN 301
2001:0420:028C:2000::/52 - Lab PIN
    2001:0420:028C:2001::/64 – Lab Subnet 1
    2001:0420:028C:2002::/64 – Lab Subnet 2
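The template-based plan above puts the PIN in a fixed hex digit, so tooling can read the network function straight from a prefix. The following is an added example, not code from the presentation: it decodes and builds prefixes under the /48, /52, /64 layout and audits policy objects against their claimed PIN. The function names and the sample object list are assumptions made for illustration.

```python
import ipaddress

# PIN (Place In the Network) values exactly as listed on the slide;
# the slide ends with "... etc", so other values are reported as "unlisted".
PIN_NAMES = {0x0: "Infra", 0x1: "Desktop / Wireless", 0x2: "Lab",
             0x3: "Guest", 0x4: "Voice", 0xD: "Building DC"}


def decode(prefix):
    """Split an address or prefix into the plan's /48, /52 and /64 fields."""
    iface = ipaddress.IPv6Interface(prefix)
    if iface.network.prefixlen < 52:
        raise ValueError(f"{prefix}: shorter than /52, carries no PIN field")
    value = int(iface.ip)
    pin = (value >> 76) & 0xF                 # bits 48-51: one hex digit per PIN
    return {
        "building": str(ipaddress.IPv6Network(((value >> 80) << 80, 48))),
        "pin": pin,
        "pin_name": PIN_NAMES.get(pin, "unlisted"),
        "pin_prefix": str(ipaddress.IPv6Network(((value >> 76) << 76, 52))),
        "subnet_id": (value >> 64) & 0xFFF,   # bits 52-63: 4096 subnets per PIN
        "subnet": str(ipaddress.IPv6Network(((value >> 64) << 64, 64))),
    }


def make_subnet(building, pin, subnet_id):
    """Build the /64 for a given building /48, PIN digit and subnet number."""
    net = ipaddress.IPv6Network(building)
    if net.prefixlen != 48:
        raise ValueError("building prefix must be a /48")
    if not 0 <= pin <= 0xF or not 0 <= subnet_id <= 0xFFF:
        raise ValueError("pin is 4 bits, subnet_id is 12 bits")
    base = int(net.network_address) | (pin << 76) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def audit(policy_objects):
    """Return objects whose prefix does not sit in the PIN their label claims."""
    findings = []
    for label, prefix in policy_objects:
        fields = decode(prefix)
        if fields["pin_name"] != label:
            findings.append((label, prefix, fields["pin_name"]))
    return findings


# Constructed sample: firewall object-group members labelled by intended PIN.
SAMPLE_OBJECTS = [
    ("Desktop / Wireless", "2001:420:28c:1301::/64"),
    ("Guest", "2001:420:28c:2002::/64"),   # label says Guest, prefix is in Lab
    ("Voice", "2001:420:28c:4010::/64"),
]

if __name__ == "__main__":
    print(decode("2001:0420:028C:1300::/64"))
    print(make_subnet("2001:420:28c::/48", 0x2, 0x001))
    for finding in audit(SAMPLE_OBJECTS):
        print("mismatch:", finding)
```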
Preparation: Implementation Strategy and Plan
Long term plan that absorbs cost in established lifecycle process
Have a quick and scalable solution in hand to relieve delivery pressure
Rip and replace only where necessary (Fast track projects)
Management via IPv4 with IPv6 service monitoring
Ongoing training and exposure for implementation and operations teams
“Dual stack where you can, tunnel where you can’t and NAT only when you have no choice”
Ubiquitous IPv6 Access: Long Term Plan - Dual Stack the Network
Core to edge rollout
Multi-year plan absorbed into existing lifecycle management
– Simultaneous projects across Desktop, DC, Remote Access, iPoPs
– Accelerated deployment for select remote sites / services
Dual stacked services
– DNS, IP address management, DHCPv6
Routing protocol same as IPv4 - EIGRP
SLA same as IPv4
Ubiquitous IPv6 Access: Short Term Plan – Tunnel Infrastructure
[Figure: IPv6 tunnel overlay]
Dual stacked core + Global tunnel infrastructure
Building / Lab = Manual 6in4 tunnels
User = Anycast ISATAP
SLA same as IPv4
Ubiquitous IPv6 Access: Dual Stack Deployment Status
[Figure: one pie chart per area, legend Complete / In Process]
DMZ: 85%
DCs: 100% (Complete)
DNS: 38%
Offices: 49%
Labs: 71%
External E-mail: 100% (Complete)
Ubiquitous IPv6 Access: Adoption Metrics
Google is seeing about 8% of traffic from Cisco using IPv6
Performance is increasing significantly
Source: Google
24 hour IPv6 “test flight” 8th June 2011
http://www.internetsociety.org/ipv6/archive-2011-world-ipv6-day
World IPv6 Day
6to4 reverse proxy solution
Returned A and AAAA records for www.cisco.com
[Figure: World IPv6 Day traffic paths. Labels: DNS, CDN, Production Network, Non-production Sandbox Network, 6to4 Proxy, WWW, HTTP/S over IPv4 and IPv6]
World IPv6 Day: Our Experience
Network traffic volume based on NetFlow data
– 1.11% of all traffic to/from www.cisco.com was IPv6
Support Cases
– No support cases for www.cisco.com related to World IPv6 Day
IPv6 performance
– Content served over IPv6 was NOT cached/accelerated by CDN. All content was served from a single origin in San Jose.
[Figure: IPv4 latency and IPv6 latency for San Francisco, London and Melbourne]
www.worldipv6launch.org 3000+ WEB sites, 50+ Operators, 4 RHG vendors
World IPv6 Launch @ Cisco
www.cisco.com
www.webex.com
home.cisco.com
Cisco’s IPv6 Web Presence Architecture for www.cisco.com
[Figure, repeated over four slides: the www.cisco.com delivery stack drawn once per model. Components: AKAMAI; Internet (IPv4 and IPv6); DMZ Network, Security, Proxy; Server Load Balancer (ACE); Cisco.com Web Servers; App Platforms; Middleware; Database; Content; IdM, Authz; Data Centre Network; Svc Assurance. Legend: Dual Stack Component, IPv4-only Component, IPv4 Traffic Flow, IPv6 Traffic Flow.]
Model 1 – 6to4 Proxy at Internet Edge
Model 2 – SLB64
Model 3 – Dual Stack Web Servers
Cisco’s IPv6 Web Presence Design for www.cisco.com
[Figure, built up over four slides. Labels: Internet (IPv4, IPv6); Akamai; Internet Edge (ASR 1000, labelled ASR 1002 on the last slide); Intrusion Detection & Prevention (IPS 4260); Internal Edge; Firewall (ASA 5585); DMZ Core (6500); DC Gateway (N7000); Internal (IPv6, IPv4)]
6to4 Load Balancer: ACE 30, origin-www.cisco.com, 2001:420:1101:1::a
IPv4 Load Balancer: ACE 20, origin-www.cisco.com, 72.163.4.161
In-band HTTP/S probes for monitoring availability and performance over IPv6
Cisco’s IPv6 Web Presence Security
[Figure: security controls called out along the path Internet (IPv6, IPv4), ASR 1002, IPS 4260, ASA 5585, 6500, N7000, ACE30, ACE20]
Controls shown, in the order they appear on the slide:
– Firewall Policy
– Anti-Spoofing
– NetFlow v9: forensic records; Arbor (anomaly detection)
– Firewall Policy
– V6-only signatures
– V4+V6 signatures
– SLB64 Logging
– BGP Blackhole
– BGP Sinkhole (Arbor)
World IPv6 Launch Metrics for www.cisco.com
On June 6, 2012, IPv6 page views for www.cisco.com accounted for about 0.6% of all page views
As of April 1, 2013, this number had increased to 1%
Let’s compare this to what Google sees…
[Figure: www.cisco.com page views (axis 0 to 800,000) and IPv6 share of page views (axis 0.00% to 1.20%) over time, starting 20/05/2012]
Source: Cisco IT web analytics
Google Traffic Metrics Since World IPv6 Launch
Source: http://www.google.com/intl/en/ipv6/statistics.html
Cisco IT LISP Use-case: IPv6 Transition Support
IPv6 deployment strategy
– Dual stack: long term plan that absorbs cost in established lifecycle process
– Overlay: have a quick and scalable solution in hand to relieve delivery pressure
IPv6 deployment challenges
– IPv4 only WAN Backbone (L3 MPLS VPN)
– Financial investment required; Migration to L2 VPN
– Anycast ISATAP, Manual 6in4 Tunnel: Day-1 tunneling techniques do not scale very well
Business Impact
– Delayed deployment of IPv6 affects product development/testing and IPv6 adoption.
Next-Generation overlay architecture
– Locator/ID Separation Protocol
Why LISP?
Day-1 tunneling techniques
– Anycast ISATAP: End-Client centric solution; Support challenge
– Manual 6in4 tunnels: Configuration overhead; Performance impact (Hub & Spoke)
Next-Generation overlay
– Locator/ID Separation Protocol: Configuration & Troubleshooting simplicity; Any-to-any traffic flows; IPv4 exit-strategy (IPv4 over IPv6); New capabilities (Mobility, Virtualization)
– DMVPN: Potential routing challenges when multi-homing; Scalability concerns; Any-to-any traffic flows
EMEAR LISP IPv6 Deployment overview
From an interim to permanent solution?
“LISP allows us to postpone some of our WAN migrations in locations where services are not available or cost inefficient”
Mapping System / Proxy Tunnel Router (ASR1006)
– Map-Resolver, Map-Server, Proxy Ingress/Egress Tunnel Router
– Geographically diverse
– Standalone / Self-managed
– Primary / Backup PxTR
– Default Route / HSRPv6 to attract traffic
Tunnel Router (ASR 1006 & ISR 3945), Cisco Managed CE
– Ingress/Egress Tunnel Router
– IPSEC VPN Tunnel head-end
– Load sharing defined by WAN topology
Liveliness features
– RLOC route-loss detection
– RLOC probing
– Locator Status Bits (LSB)
– Solicited Map-Request (SMR)
[Figure: Cisco Remote Offices (IPv4 Only) connected with LISP IPv6 in IPv4 across Carrier Managed L3VPN MPLS and the Internet to the Dual Stack Cisco Enterprise Backbone Network and DCs. Labels: London, Amsterdam, Cisco Managed CE, DS3, E1, BB, Load Sharing, Primary/Backup.]
Deployment Status
Pilot Deployment (Completed September 2013)
Accelerated Deployment (Completed November 2013)
General Deployment (Target completion May 2014)
[Map: Istanbul (Turkey), Greenpark (UK), Galway (Ireland), Munich (Germany), Vimercate (Italy), Moscow (Russia), Dubai (UAE)]
Scope
– 80+ Remote Offices
– 7000+ end-users
– 3 Engineering Data Centers
In numbers …
– 1700 end-users
– 1300 IPv6 endpoints
– + 30 Mbps IPv6 peak BW
– 0 LISP related cases opened !!!
Work completed
– Internal LISP Design (Guidelines, Cut-sheet, test plan)
– Resource training (Configuration & Troubleshooting)
– Implementation (Test plan execution and monitoring)
– Operational support
Target = IPv6 configuration automation via scripts!
LISP is the easy part!
Lesson learned
Network convergence
– Minor routing architecture changes required to match IPv4 convergence SLA
– RLOC route-down detection provides fastest convergence (/32 Prefix leakage)
– RLOC Probing detects all other failures
MTU handling
– Only stateful fragmentation (pMTU) supported as per IPv6 best practices
– Previous overlay solutions provided stateful fragmentation
– Our LISP implementation uncovered some pMTU support problems
Feature Support
– Most exciting capabilities/enhancements included in more recent versions of code
LISP across European MPLS Network
[Figure: packet walk across the network in eight numbered steps (1 to 8), with the mapping entry below]
EID                   RLOC
2001:420:8000::/34    172.16.0.5
Lessons Learned: Creating The IPv6 Program
Making the case
– Business case for IPv6 internet presence is simpler to articulate
– Business case for IPv6 on internal corporate network may be more difficult to justify
Cross functional effort across the IT Stack
– Starts with networking team taking the lead
– Early engagement of security team, infrastructure and application teams follow
Early planning is key
Absorb the IPv6 effort into existing network lifecycle management process
– Hardware upgrades
– Software image upgrades
– Configuration (automate where you can)
Lessons Learned: Product Support
Network hardware, software, functionality
– Routers, server load balancers
– Wireless, switches
Network management and service assurance
– External and internal availability and performance monitoring
Security
– Firewalls, IDS/IPS, security event management and forensics logging
Lessons Learned: Security
The goal is security parity with IPv4
– User attribution (IPv6-to-MAC binding), custom internal tools, third party vendors, incident response playbook, firewalls, anomaly detection, NetFlow, IDS, log data, pen testing, transparent proxy with anti-malware
Opportunities to improve security as IPv6 is introduced
– First hop security in our access networks
Unique security considerations with IPv6
– ICMPv6
– Privacy extensions for SLAAC
– Hop by hop extension header
Lessons Learned: Product Support - NetFlow
IPv6 requires NetFlow v9
– Some collectors cannot receive/process NetFlow v9
– Some routing platforms don’t support both NetFlow v5 and NetFlow v9
– Some routing platforms are constrained to two export destinations
We had to shift NetFlow collection in our DMZ devices to deal with the constraints above
Use of NetFlow reflectors can bring some relief
Lessons Learned: Service Provider Support - ISP
Will the same SLA apply for IPv6?
Can the circuit that services the existing IPv4 connection be converted to dual-stack without physical changes?
Are full IPv6 global routes available to end customers?
Is there an IPv6 “looking glass”?
Are there any restrictions on prefix advertisements?
What percentage of your IPv4 peers do you currently peer with for IPv6?
Are you partitioned from any other major networks? (i.e. lacking global reachability to other major networks)
See http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6
Lessons Learned: Service Provider Support
ISPs
IP WAN providers
External content monitoring providers
Content distribution providers
Lessons Learned
Geo-location and web analytics Client_IpAddress := X-forwarded-for address first address;
If null then
Client_IpAddress := remoteAddress
end if;
use Client_IpAddress for IPCheck
Development, testing, and QA teams require IPv6 access
– How will they get IPv6 access from within the corporate network?
– Supports the business case for an internal corporate network IPv6 deployment
IPv6 Implications for Applications
Lessons Learned
IPv6 Path MTU Issues
Allow PMTUD across the network
– PMTUD allows devices to negotiate the MTU size between hosts
– PTB (Packet Too Big) messages must be permitted
PTB for hosts behind Tunnels (IPsec/GRE) with reduced MTU
PMTUD works between hosts for end-to-end communication. If this is broken, hosts may not be able to communicate over IPv6
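A small model of the failure this slide warns about, added here as an example and not part of the original deck: a sender runs PMTUD over a path that includes a reduced-MTU tunnel, once with ICMPv6 Packet Too Big (type 2) messages permitted and once with them filtered. The path MTUs, the filter position and the function names are constructed for illustration.

```python
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def send(size, path_mtus, ptb_filtered_at=None):
    """Walk one packet along the path, link by link.

    Returns ("delivered", None), ("ptb", mtu) when the sender receives a
    Packet Too Big, or ("lost", None) when the packet is dropped and the
    PTB is filtered on its way back to the sender.
    """
    for hop, mtu in enumerate(path_mtus):
        if size > mtu:                     # IPv6 routers never fragment
            # The PTB returns over links hop-1 .. 0; a filter on any of
            # those links silently removes it.
            if ptb_filtered_at is not None and ptb_filtered_at < hop:
                return ("lost", None)
            return ("ptb", mtu)
    return ("delivered", None)


def discover_path_mtu(path_mtus, ptb_filtered_at=None, first_size=1500, retries=3):
    """Sender-side PMTUD: shrink to the MTU reported in each PTB."""
    size = first_size
    for _ in range(len(path_mtus) + retries):
        result, reported = send(size, path_mtus, ptb_filtered_at)
        if result == "delivered":
            return size
        if result == "ptb":
            size = max(reported, IPV6_MIN_MTU)
        # "lost": no feedback, so the sender retransmits at the same size
    return None                            # black hole for large packets


# Constructed path: LAN, IPsec/GRE tunnel with reduced MTU, WAN, LAN.
PATH = [1500, 1400, 1476, 1500]
```

With the filter in place, packets of 1280 bytes or less still get through, which is why small pings succeed while bulk transfers over IPv6 stall.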
Lessons Learned
End Devices
Many of our end devices are already IPv6 enabled
– From Microsoft Vista and Server 2008
– From OS X Lion (10.7)
“Happy Eyeballs” can mask IPv6 connectivity issues
Cisco traffic to Facebook, Yahoo! and Google:
Source: http://www.worldipv6launch.org/measurements/
Lessons Learned
IPv6 Growth
[Chart. Source: Google World IPv6 Day. Marked on chart: World IPv6 Launch]
IPv4 / IPv6 Co-existence
IPv6 Transition Technologies
[Diagram. Labels: IPv4 Prevalence, Dual Stack, IPv6 Prevalence, IPv4 as a Service, IPv6-Only, IPv4-Only. Marker: “We’re Here!”]
By The Numbers
$40 Billion annual run rate for the main web portal for quoting, configuring and buying Cisco solutions (CCW)
$1.3 Billion annual run rate of IPv6 traffic on tools.cisco.com
3.37%* = IPv6 traffic on tools.cisco.com**
By The Numbers
529 eman application monitors
18 extranet partner access
3,420 infrastructure hours
DCNI (1520), GNIS (100), GFS (1800)
33 Cisco Teams
285 vanity domains dual stacked
364 apps prod testing
119 Akamai edge servers
260 apps dual stacked
Conclusion
Build the case and create the program
IPv6 affects everyone across IT but is led by the network team
Multi-year effort with early planning key
Assessment of product and service gaps
Dual stack where you can, tunnel where you can’t and NAT only when you have to
Take iterative steps on our way to the target state
Cisco IT IPv6 Case Study
http://www.cisco.com/en/US/solutions/collateral/ns340/ns1176/borderless-networks/IPv6-Implementation_CS.html
Join Cisco IPv6 Support Community!
Free for anyone with Cisco.com registration
Get timely answers to your technical questions
Find relevant technical documentation
Engage with over 200,000 top technical experts
Seamless transition from discussion to TAC Service Request (Cisco customers and partners only)
Visit the Cisco Support Community booth in the World of Solutions for more information
supportforums.cisco.com
supportforums.cisco.mobi
The Cisco Support Community is your one-stop community destination from Cisco for sharing current, real-world technical support knowledge with peers and experts.
Ubiquitous IPv6 Access
IPv6 Access to WebEx collaboration services from within Cisco
World of Solutions – IPv6 enabled demonstrations: look for the badges
IP Video - Application Metadata correlation to Prefix coloring
Autonomic Networking
Cisco Modeling Labs (based on Virtual Internet Routing Lab technology)
nLight/GMPLS UNI
ASR9k nV Satellite
Transition the Campus for IPv6 using LISP
Location Analytics with Mobile App Engage
High Speed Wireless Connectivity (802.11AC)
VSS Quad Sup SSO plus IA
Data center core
UCS in an IPv6 environment
Touch, see and feel IPv6 in action in the World of Solutions
Call to Action…
Visit the World of Solutions:
Cisco Campus
Walk-in Labs
Technical Solutions Clinics
Meet the Engineer
Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014