IPv6: Real World Deployments (From the Trenches) (IOS Advantage Webinar)

Cisco IOS Advantage WebinarsCisco IOS Advantage Webinars

IP 6 D l t dIPv6 Deployment and Operations ExperiencesOperations ExperiencesKen Hook, Product Line Manager

Gunter Van de Velde, Technical Leader

Date: September 7th, 2011

Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1

Speakers• Ken Hook• Ken Hook

Product Line Manager, Identity & IPv6 [email protected] t V d V ld• Gunter Van de VeldeTechnical Leader @ CiscoPresident Belgian IPv6 Task ForceIETF Co-chair, OPSEC [email protected]

Cisco Confidential 2© 2011 Cisco and/or its affiliates. All rights reserved.All Specifications Subject to Change Without Notice

• Submit questions in Q&A panel and send to “All Panelists”

A id CHAT i d f b tt t li tAvoid CHAT window for better access to panelists

• For Webex audio, select COMMUNICATE > Join Audio BroadcastF W b ll b k li k ALLOW Ph b tt t• For Webex call back, click ALLOW Phone button at the bottom of Participants side panel

• Where can I get slides?https://communities.cisco.com/docs/DOC-26134

Or send email to: [email protected]

• Please fill in Survey at end of eventy• Join us on October 5 for our next IOS Advantage

Webinar: Creating Zero-Touch Carrier Ethernet Services


Business Drivers - Enterprise

D l S i Deployment Strategies

Offerings

IPv6 Highlights

Real world “Interop” and “Cisco Live 2011”



Cisco Confidential 6

2010 20122011

NOVEMBER, 2010Globalization: 25% of the world’s population using 100% of IPv4 addressespopulation using 100% of IPv4 addresses

JAN, 2011 Date the last IPv4 addresses was

SEPTEMBER, 2012

Date the last IPv4 addresses was allocated

Civilian US Government Agencies mandated to provide external IPv6 connectivity

SEPTEMBER, 2012


connectivity

2010 2012 2014

IPv4/IPv6 Co-existence

• 2010: Low Impact – Buying behavior shift limited to mandated and early adopter sites

GlobalizationIPv6 Government

Mandate Deadlines

Co e ste ce

Early Adopters

TransitionPlanning

2011: Internet Evolution begins – “…IPv6 is important to all of us (…) to everyone around the world, It is crucial to our ability to tie together everyone and every device”. John Chambers• 2012: Mandates take effect – Transition to IPv6 forcesPlanning 2012: Mandates take effect Transition to IPv6 forces

customers to acquire product or managed services to sustain business and customer reach

• 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished

t h i ti l l it


High RiskLow Risk Moderate Risk

IPv6 Business Impact – The Cost of Waiting Goes Up

customer reach, increase operational complexity

Mobile and the Internet of Things drive growthg g

50 BILLIONIn 2013….There Will Be

Devices Connected to the Network,

up from 35 BILLION in 2010


Source: Forrester, Cisco IBSG


Cisco Confidential 10

P th t ’ i ti i t tPreserve the customer’s existing investment• Audit and leverage existing IPv6 capabilitiesPreserve

Prepare a migration and deployment plan• Identify and enable critical IPv6 functional areasPrepare

Prosper through the transition to IPv6 Internet• Enable all systems with dual-stack capabilitiesProsper Enable all systems with dual stack capabilities• Grow seamlessly as customers transition to IPv6

Prosper


IPv6 is the foundation of a lifecycle management discussion

IPv6 Over a Decade of Security

v6 CoPPv6 ACLs

IPv6 HAHSRPv6 IPv6

Radius AAA

EIGRPv6

VRF

Cisco Investment -Shipping Since

1996

IPv6 Forwarding

IPv6IPv6 QoS A t

OSPFv3

V6 Netflow

HSRPv6ISSU

IPv6 FirewallBGP

v6

IPv6 Routing IPv6

Management

gIPv6

MulticastIPv6 QoS

Classification, policing

Anycast

Syslog v6

OSPFv3IS-IS

EIGRP

ManagementDHCPv6, SNMP, DNS,

SSH, ICMPv6


These capabilities and more are already part of your customer’s investment

1 Identify the highest priority IPv6-critical areas in your network

2 Perform IPv6 Assessment on high priority areas to determine scope

3 Develop a design that enables IPv6 without disrupting your IPv4 network

4 Test and implement in pilot mode, then extend over time into production


Repeat for the Next IPv6-Critical Area in Your Network

A wellA well--structured migration plan provides insurance against structured migration plan provides insurance against unexpected costs as customers, partners, and suppliersunexpected costs as customers, partners, and suppliers

L Y

unexpected costs as customers, partners, and suppliers unexpected costs as customers, partners, and suppliers move to IPv4 and IPv6 coexistencemove to IPv4 and IPv6 coexistence

Leverage Your Investment

A Decade of Cisco IPv6 InnovationsIPv6 Innovations

Make a PlanAlign Businessand IT Strategy Invest for

AccelerateProsper through

accelerated globaland IT StrategySuccess

Deploy IPv6 Transition Support

T h l i

accelerated global customer reach.

Unleash new business models


Technologies

IPv6 Pilot and Basic Infrastructure

Sales Certs (USGv6, JITC UCR2008)12

IPv6 Internet Presence (websites, remote users, B2B …)

IPv6 Islands (Wireless/Consumer devices, Labs …)

234

Internal Data Center, Enterprise Apps

Ubiquitous Dual-Stack

56

IPv4 EOL

“Mandated”1 2 3

“Motivated”2 3 4

“Early Ad t ”

“Mainstream”2

7

1, 2, 3Who?• Government Agencies• Customers who sell to

government agencies

2 3 4Who?•Customers with IPv4 address exhaustion

•Global Enterprises with

Adopter”2 4 3 5 6 7Who?•Companies looking for

2Who?•Large US/European Enterprises

•Small Medium Enterprises


government agencies •Global Enterprises with consumer or business interaction on the public internet

•Customers with user-provided devices on their

t k

competitive advantage•Companies using IPv6 to solve business problems

•Early adopters preparing for coexistence

•Small-Medium Enterprises

Prioritize Critical Areas of Your Business and Network A Y S l B d IP 4 Li i iAs You Scale Beyond IPv4 Limitations

Solution Overview Through a Phased Approach, We Help You to:

1. Identify the highest priority IPv6-critical areas in your network.

2. Assess those areas to determine the scope of your IPv6 design.

By the end of 2011, Internet traffic will be using the next-generation Internet protocol: IPv6.

3. Develop a design that enables IPv6 to be introduced without disrupting your IPv4 network.

4. Test and implement IPv6 in pilot mode, then extend over time into production deployment.

IPv6 adoption must be addressed using a phased approach with careful validation and testing to avoid disrupting the IPv4 network or introducing

5. Repeat steps for subsequent areas of your network through ongoing optimization.

the IPv4 network or introducing vulnerabilities.


Proactively Budget Time, Money, and Resources

Use Case IPv6 Technology Relevant Products

Dual Stack Use Case• Set up devices to run IPv4 and IPv6 in parallel

IPv6 and IPv4• IPv6 switching and

routing stacks

• Catalyst 6K, 4K, 3K, 2K• Nexus 7K, ASA Security ApplianceIPv4 and IPv6 in parallel

• Link hosts and islands of IPv6 devices together

routing stacks• IPv6 over IPv4

tunneling protocols• First Hop Security

• AnyConnect VPN client• ASR 1000• ISR G2

IPv6 Internet Presence Use Case

Stateless NAT64

• Allows IPv6 or dual-• Get started on the IPv6 Internet Edge forOutside – In deployment

• Allows IPv6 or dual-stack hosts to talk to IPv4 infrastructure (for example, web content)

• Stateful NAT on ASR-1000

NEW


content)

NEW

Solution CharacteristicsSolution Characteristics

• Expected Scale: 1.3 Million Stateful NAT Translations with HA enabled

• Expected Performance: 78K Translations per Second with HA enabled, with integrated IP ServicesIP Services

• IPv6 adoption: Allows connectivity between IPv6 internet and IPv4 network

• Position on Internet Edge with Stateful NAT64 functionality or as dedicated translation devicedevice

IPv6 InternetASR1K St t f l NAT64 T l tASR1K St t f l NAT64 T l t

Data Center

ASR1K Stateful NAT64 TranslatorASR1K Stateful NAT64 Translator

IPv6 Prefix IPv4 pool

IPv4 packet

IPv6 Packet

Enterprise Edge


IPv6 DevicesIPv6 Prefix IPv4 pool

Any type of IPv6 Prefix is allowed

IPv6 Packet

IPv6 IPv4

IPv4Content

Hosting/CDNISPV6-only

End User ISP

Subscribers

4 6

Considerations:

46


Experience, Scale, Cost, Operations, Technology…

Optimized IPv6 Transition

• EIGRPv6, OSPFv3,

BGPv6

• IPv6 IPsec

• IPv6 Firewall Security

IP 6 IDS

• Dual Stack IPv4/IPv6

• V6 over v4 tunnels:

6 PE/6PE L3VPN MGREdge

SecurityOptimized IPv6 Delivery

Transition Technologies MPLS/ IPv4/IPv6

CoreInternet

• PBR • IPv6 IDS 6vPE/6PE, L3VPNoMGRE,

DMVPNv6, Static tunnels

• 6 to 4 translation

Edre • EIGRPv6, OSPFv3, IS-IS

IP 6 t f VSS• IPv6 CoPP • Dual Stack IPv4/IPv6

6t 4 t li

• IPv6 PIM-SSM, MLDv2,

Embedded RP


• 6vPE/6PE

• IPv6 ACL

• IPv6 ACL Atomic ion

Co • IPv6 support for VSS

• ECMP, OSPFv3 GR

• 6to4 tunneling• ISATAP

• IPv6 QoS

• DHCPv6 Relay Agent

• HSRPv6/GLBPv6

• IPv6 support for VSS

• 6to4 tunneling

• ISATAP tunnels

Commit/Dry Run

• uRPF

• IPv6 Ingress Netflow

• IPv6 Flexible NetflowDis

trib

uti

pp

• Stateless Auto configuration

• IPv6 management:

SNMP Syslog SSH

• IGMPv3/MLDv2 Snooping

• IPv6 First Hop Security

• IPv6 PACL/RA Guard


• ISATAP and static Tunnelsce

ssD


SNMP, Syslog, SSH,

NTPv4, Tacacs+

• IPv6 interface stats

IPv6 PACL/RA Guard Tunnels

Acc

“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of

the products or features set forth in this document.” All Specifications Subject to Change Without Notice

Translation Point

DC EdgeDistribution/Core

• Dual StackR ti t l

Internet

…DC Core

• Routing protocols (OPSFv3, ISISv6, BGPv6..)

• IPv6 Mcast• IPv6 security:

classification, ACL & policing CoPP& policing,CoPP

• BFD• Flexible Netflow• 6VPE• ECMP• Interface stats• uRPF

Firewall

Firewall

DC AggTowards Access

• Dual Stack• HSRPv6/VRRPv3

BFD

L2/L3 Boundary

1x10GE per Agg SW

Rack R k

ToRAccess

Loadbalancers

IPv4

IPv6

IPv4

IPv6

• BFD• SVI• Snooping (MLDv2)• IGMPv3• First Hop Security

(RA guard)• PACL/VACL

…..R k


1Racks Access

………………..

PACL/VACL• IPv6 Management Racks

June 8 2011 – 00h00-23h59 (UTC)24-hr IPv6 “Test Flight”

http://isoc.org/wp/worldipv6day/

gIPv6 access on website’s “front door”

(DNS AAAA Record on www.company.com)Note: This is not about turning off IPv4!p g p p y

Coordinated by:

http://isoc.org/wp/worldipv6dayp g p p y

http://isoc.org/wp/worldipv6day/participantshttp://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition

World IPv6 Day: Cisco Confidential 22© 2011 Cisco and/or its affiliates. All rights reserved.

All Specifications Subject to Change Without Notice

yJumping In Together

• No issue on cisco.com

• No Security issue

• Performance within predicted range

• NO TAC case

• And that seems to be consistent across the industry


Source: Arbor Networks

http://hide.dnsalias.net/aaaa/worldipv6day.cgiy g


Business Drivers - Enterprise

D l S i Deployment Strategies

Offerings

IPv6 Highlights

Real world “Interop” and “Cisco Live 2011”


Interop 2011Interop 2011Gunter Van de VeldeGunter Van de Velde

Sr. Technical Leader

NOSTG

Cisco Confidential 26© 2011 Cisco and/or its affiliates. All rights reserved.

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions


• It is all about the Network

• Multivendor was the key element

• It is a conference

• +15k people attend this event in Las Vegas

• There is a show-floor

• There is a breakout floor

• More then 30 vendors participate (network, fiber, monitoring, operation etc )operation, etc…)


• Network must be fully dual stack (IPv4+IPv6)

All IPv4 services should be reachable over IPv6• All IPv4 services should be reachable over IPv6

• Connections to IPv6-enabled websites should use IPv6 by default

• Demonstrate and experiment with newer technologies like DHCP PD• Demonstrate and experiment with newer technologies like DHCP-PD

• Nothing should break


Mandalay Bay Conference CenterMandalay Bay Conference Center

Show FloorShow FloorShow FloorShow Floor Off ShowOff ShowOff ShowOff Show Off ShowOff ShowOff ShowOff Show 2nd Floor2nd Floor2nd Floor2nd Floor NOCNOCNOCNOCShow FloorShow FloorShow FloorShow Floor Off ShowOff ShowFloor and Press roomFloor and Press room

Off ShowOff ShowFloor and Press roomFloor and Press room

Off ShowOff ShowOff ShowOff Show 2nd Floor2nd Floor2nd Floor2nd Floor

AccessAccess

NOCNOCNOCNOC

3rd Party 3rd Party

DistributionDistribution 3rd Party

CoreCore

InternetInternetCoCo--locationslocations

ColoColo 1: Sunnyvale1: SunnyvaleColoColo 1: Sunnyvale1: Sunnyvale ColoColo--2: Denver2: DenverColoColo--2: Denver2: Denver Backup: NewarkBackup: NewarkBackup: NewarkBackup: Newark

Primary Primary InteropInterop ColoColoPrimary Primary InteropInterop ColoColo

3rd Party 3rd Party


ColoColo--1: Sunnyvale1: SunnyvaleColoColo--1: Sunnyvale1: Sunnyvale ColoColo 2: Denver2: DenverColoColo 2: Denver2: Denver Backup: NewarkBackup: NewarkBackup: NewarkBackup: Newark

Off Show FloorOff Show FloorOff Show FloorOff Show Floor NOCNOCNOCNOCClean Air WirelessClean Air WirelessClean Air WirelessClean Air Wireless

Show FloorShow FloorShow FloorShow Floor4510R+E4510R+E

3750X

Off Show FloorOff Show FloorOff Show FloorOff Show Floor

Press Room

Cat2960C-8 2960C2960C--88 PoEPoE++

NOC desktopsNOC desktops

CNR CNR –– DHCP/DNSDHCP/DNSLMS CMS MCSLMS CMS MCS

ServicesServices

NOCNOCNOCNOCClean Air WirelessClean Air Wireless802.11n802.11n

Clean Air WirelessClean Air Wireless802.11n802.11n

VSSVSS

4510R+E

4510 R+E4510 R+E

LMS, CMS, MCSLMS, CMS, MCSCUCM, CUC, CUPCUCM, CUC, CUP

VSSVSS((20GigE20GigE))

((20GigE20GigE))

20GigE20GigE 20GigE20GigE6513E6513E 6513E6513E

6506E6506E 6506E6506EIDSIDS

49484948

Wireless

Wireless

VSSVSS((20GigE20GigE))2 * 80GigE2 * 80GigE

6513E6513E

6509E6509E 6509E6509E

2 * 20GigE2 * 20GigE

WISMWISM

ASA 5585ASA 5585

6509E6509E

s and Security

s and Security2nd floor

ASAASA

((20GigE20GigE))2 80GigE2 80GigE

Las Vegas - MBCC6509E6509E 6509E6509E

ASA5585ASA5585--XX

VSSVSS((20GigE20GigE))

6503E6503EIPSIPS--42704270

WISMWISM6509E6509E

ASA5585ASA5585--XX


DenverDenverDenverDenver NewarkNewarkNewarkNewarkPrimary Primary ColoColo: Sunnyvale: Sunnyvale

ASR1004ASR1004DMZDMZ((20GigE20GigE))

6503E6503E

IPS 4270IPS 4270

Application

LMS Management and LMS Management and configconfig managementmanagement

Dual Stack DNS with Dual Stack DNS with CNRCNRHD Video between HD Video between IPv6 & IPv6 & IPv4IPv4 endend--pointspoints Dual Stack Dual Stack DHCPDHCP with with CNRCNR

Cisco WCSCisco WCS Cisco Security ManagerCisco Security ManagerMediaNETMediaNET Collaboration Collaboration ManagerManager

Unified CommunicationUnified Communicationin a dual stack environmentin a dual stack environment

ns

Security: ASA and IDSSecurity: ASA and IDSTransparent firewallTransparent firewall

Serv

ManagerManager

NAM3NAM3

Security: IDSSecurity: IDSfull IPv4/IPv6 application full IPv4/IPv6 application

I ti dI ti d

Wireless with WISM2Wireless with WISM2Centralized wirelessCentralized wireless contralcontralpp

application inspectionapplication inspectionCentrally managedCentrally managed

vicesN

Infr

NAM3NAM3Inspection and Inspection and intrusion detection, , intrusion detection, , centrally centrally managedmanaged

Centralized wireless Centralized wireless contralcontralRF Optimization with RF Optimization with

clean airclean air

Full IPv4/IPv6 Full IPv4/IPv6 Internet PeeringInternet Peering

VSSVSS--Quad SupQuad SupRouting Fast ConvergenceRouting Fast Convergence

Flexible NetFlowFlexible NetFlowNetw

ork rastructure

S

Internet PeeringInternet Peering

Control Plane SecurityControl Plane Security

Routing Fast Convergence Routing Fast Convergence OSPFOSPF and and BGPBGP

ISSUISSU

ECMPECMPLoadLoad--BalancingBalancing

QoSQoS ImplementationImplementation

SNMPv3SNMPv3

First Hop SecurityFirst Hop Security

MulticastMulticastMediaNETMediaNET

Performance MonitorPerformance Monitor

MultiMulti--chassis chassis EtherchannelEtherchannelDHCPv4DHCPv4/6/6

Speeds&

FeedsE

40G core IPv4/IPv6 Hardware-based Acceleration

802.11N 40G Firewall Services

TP: EX90SCEC3750X IPS4270-20 WISM2 NAM3 Aironet 3500 CP-9971 CTS500


Cisco

Equipment

TP: EX90SCEC3750X IPS4270 20 WISM2 NAM3 Aironet 3500 CP 9971 CTS500

C6500 C4500 ASA5585 C2960C-8 ASR1k MXE-5600 TP: EX90 TelepresenceServer

Fi l DFi l D

Day1, 2, 3 and 4

Day1, 2, 3 and 4

Day1, 2, 3 and 4

Day1, 2, 3 and 4

Main Conference

days

Main Conference

days

Final DayFinal Day

First First

daysdays

classes and

registration

classes and

registration


• Top 10 DNS lookups - provided by Dyn DNS • Top AAAA DNS lookups

• 1 l.google.com

• 2 daccess.microsoft.com

• 3 ak.fbcdn.net

• 1 daccess.microsoft.com

• 2 enet.interop.net

• 3 l.google.com

• 4 NYAPPMSGVS02.zbinet.com.

• 5 com.akadns.net

• 6 g.akamai.net

• 4 ak.fbcdn.net

• 5 www.google.com.

• 6 push.apple.com

• 7 push.apple.com

• 8 www.google.com.

• 9 www.facebook.com.

• 7 www.apple.com.

• 8 clients.google.com

• 9 imap.gmail.com.

• 10 clients.google.com • 10 mail.google.com.







• Conclusions


• Qwest provides IPv4 and IPv6 connectivity to Interop, via links and BGP sessions to colos in SFO, DEN, and EWR

• GigE links from SFO and DEN to Las Vegas are dual stack, with IPv4 and IPv6 eBGP sessions

• OSPFv3 is used for IPv6 routing between the colos and within the show network

• We had 2620:144::/32 at our availabilityy


• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnetg y

Supported by all IPv6-capable devices

Auto-assigned IPv6 address

Default Gateway (Link-local from RA)


• In addition, DHCPv6 is enabled, to provide IPv6 DNS information (and another working IPv6 address)g )

Devices that don’t support DHCPv6 (Windows XP and Mac OS X) must use IPv4 DNS, but can still resolve AAAA records

DHCPv6-assignedDHCPv6 assigned IPv6 address

DHCPv6-assigned DNS server


• All DNS services were provided by DynDNS and CNR

In order to connect to Google and Facebook over IPv6 we arranged to• In order to connect to Google and Facebook over IPv6, we arranged to whitelist the InteropNET DNS servers (Thank you Mark Townsley.)

As a result, DNS requests for google.com and facebook.com receive AAAA (IPv6) responses(IPv6) responsesOn World IPv6 Day (June 8th) those AAAAs were visible to everyone


• Goal was to provide all internal services over IPv6 as well as IPv4

This required coordination with vendors to enable IPv6 make sure• This required coordination with vendors to enable IPv6, make sure services were bound to their IPv6 ports, and publish AAAA records

• Most (but not all) services ended up reachable over IPv6

• Cisco ASA5585 was used in transparant mode for Firewall services


• InteropNET wireless is provided by a 3rd party vendor (2nd floor) and Cisco (3rd floor)( )

• Off show floor, 3rd floor, all wireless arrays on each floor are part of a single VLAN, so roaming occurs at layer 2

• On the show floor, 2th floor, each wireless array is on a different VLAN. When roaming occurs, a tunnel is dynamically built back to the first AP the user associated with







• Conclusions


All of the registries for the most part assign initial blocks for• All of the registries, for the most part, assign initial blocks forService provider /32Enterprise /48


• Depends on the type of network, the size of the network, and problem to be solved

• Points of considerationDocumentationEase of troubleshootingAggregationStandards complianceGrowthSLAACExisting IPv4 addressing planExisting IPv4 addressing planHuman factors


• Encode every IPv4 address in your network in an IPv6 address

At first it seems relatively simple:• At first it seems relatively simple:

10.10.10.10 (0A0A0A0A)

2001:DB8:A0A:A0A::

Easy, right?


• Requires a /32 assignment if a minimum subnet size of /64 is to be preservedDo you have or can you get a /32?Provides no information about the subnet maskResults in very large subnetsResults in very large subnetsLight documentation requirements as your existing IPv4 documentation is your IPv6 documentation


• Subnetting issue

10 10 10 0/24 (A0A0A0)10.10.10.0/24 (A0A0A0)

2001:DB8:A0A:A00::/562001:DB8:A0A:A00::/56

Do we count the significant digits for the subnet?Do we count the significant digits for the subnet?

2001:DB8:A0A:A00::/56


• What if we “round down” to /64?

10 10 10 17/24 (0A0A0A10)10.10.10.17/24 (0A0A0A10)

2001:DB8:A0A:A00::10/64?2001:DB8:A0A:A00::10/64?

Better but let’s look at a point to point linkBetter, but let s look at a point to point link.


• Point to Point Link:

10 10 10 1/30 (A0A0A01) for the remote site10.10.10.1/30 (A0A0A01) for the remote site

10.10.10.2/30 (A0A0A02) for the local site

If we follow the previous rule to the letter we get:

2001:DB8:A0A0:A000::1/642001:DB8:A0A0:A000::1/64

2001:DB8:A0A0:A000::2/64

But using /64s on router-to-router links can be dangerous, causing potential ping-pong problem issues on the point-2-point interface


Better to use a /127:

2001:DB8:AAA0::1/1272001:DB8:AAA0::1/127

2001:DB8:AAA0::2/127

Um, wait a minute. What’s wrong here?


2001:DB8:AAA0::1/127

2001:DB8:AAA0::2/1272001:DB8:AAA0::2/127

• Those are NOT in the same subnet!! A /127 could be ::0 and ::1 or ::2• Those are NOT in the same subnet!! A /127 could be ::0 and ::1, or ::2 and ::3, but NEVER ::1 and ::2!!

• As a matter of fact, NO IPv4 /30 can ever cleanly map into a /127!!


Networks smaller than /64 can be desirable, especially using /127s for point to point links, and /128 for Loopback

Be conservative in what you consume, be liberate in what you allocate:To avoid future breakage, allocate a /64 in your documentation but use the smaller blocksmaller blockSimilarly, reserve /48s for EVERYTHING you can, there’s no reason to allocate densely, there’s plenty of spaceIf you have a complex network allocate in a sparse way to enable easyIf you have a complex network, allocate in a sparse way to enable easy aggregation


• You can indeed add convenience and save on documentation by using an algorithmic approachg

• But ONLY if you have reasonably few IPv4 blocks, if you have 100s, you’ll probably need a different approach unless you can get a large enough v6 allocationenough v6 allocation

• You DON’T want to reproduce IPv4 “cruft” into IPv6. If your IPv4 subnetting is a mess, it’s best to re-do it for IPv6.







• Conclusions


• On the show floor, each AP is homed to a different IPv6 subnet

• To support SLAAC, the router sends out RAs on each VLAN

• These RAs are IPv6 multicast packets, and are broadcast by the local radio to all clients (local or roaming)local radio to all clients (local or roaming)

• When roaming tunnels are built, the client receives both the local RA and the one from its home AP

• As a result, the client gets two IPv6 addresses from SLAAC. If it tries to use the wrong one, it will be unable to connect over IPv6

• Primary impact (as discovered at the Tuesday class) is to iPadsPrimary impact (as discovered at the Tuesday class) is to iPads, which support IPv6 and stay online while roaming


• When a Windows machine is cloned, you can get two or more machines with the same DHCPv6 Unique IDentifier (DUID)( )

• This DUID is used by the DHCPv6 server to identify the client, so when two clients with the same DUID request IPv6 addresses with DHCPv6, they will both be given the same addressthey will both be given the same address

• When the second machine receives its address from the DHCPv6 server, it does IPv6 Duplicate Address Detection, determines there is an IP address conflict and refuses the leaseIP address conflict, and refuses the lease


• When a client is configured to run 6to4 (an automatic tunneling protocol) and Internet Connection Sharing, it will advertise itself as an IPv6 router gby sending out RAs on its wireless interface

• Clients receiving such RAs will auto-assign themselves an address in the wrong subnetthe wrong subnet

• Switches are generally configured with RA guard or equivalent on their wired ports

• Unfortunately there is no way to block rogue RAs over wireless APs (and some wired switches)


• All modern operating systems work well in a dual stack environment, and properly prefer IPv6 when availabley

• Older OSes continue working fine on IPv4, and never see IPv6

• Mac OS X and iPhones don’t work on NAT64 and IPv6-OnlyOS X doesn’t support DHCPv6All Mac products try to be too “helpful” and refuse to use an IPv6-only connection if they think an IPv4-capable connection is available (e.g. 3G on iPhone)Latest iOS & macOSX (Lion) does work in this environment as the DHCPv6 is supported

• Wifi-only iPads etc. work fine







• Conclusions


• IPv6 inbound usage on averaged ~2Mbps, vs. ~100Mbps for IPv4• That’s 2% of Interop’s traffic from servers on the Internet

• Outbound traffic, by contrast, is dominated by IPv4Even though most InteropNET services (such as webcams) were IPv6


• Even though most InteropNET services (such as webcams) were IPv6-enabled, it appears that most end users on the Internet are not yet IPv6-connected

• Users inside the InteropNET preferred IPv6 to reach www.interop.com• 34.4 GB delivered over IPv6• 22.4 GB delivered over IPv4


• That’s 61% IPv6!

• Dual stack worked perfectly: no help desk complaints about IPv6 (or problems reaching Google/Facebook)g g )

• NAT64 worked well on supported devices

• DHCP-PD worked well on show floor with consumer device capable doing DHCP-PD

Required manual configuration of DHCPv6 pool on inside interface: couldn’t use SLAAC







• Conclusions


• IPv6 works in the real world• Over 60% of Interop attendees were using IPv6 to

reach interop.com without even knowing it• There are challenges to implementing IPv6, but

nothing show-stopping• About 2% of the Internet’s content is reachable

over IPv6 (and growing fast)• A much smaller percentage of Internet users have

IPv6 connectivity (though this may change quickly ith IP 4 d l ti )


with IPv4 depletion)

The NOC at CiscoLive


Mandalay Bay Conference CenterMandalay Bay Conference Center

World of SolutionsWorld of SolutionsWorld of SolutionsWorld of Solutions Breakouts RegistrationBreakouts Registration NOCNOCBreakouts RegistrationBreakouts Registration NOCNOCWorld of SolutionsWorld of SolutionsWorld of SolutionsWorld of Solutions Breakouts, Registration, Breakouts, Registration, NOCNOCBreakouts, Registration, Breakouts, Registration, NOCNOC

AccessAccess

DistributionDistribution Cat6500 Cat4500E

CoreCore Cat6500

InternetInternetCoCo--locationslocations

ColoColo 1: Sunnyvale1: SunnyvaleColoColo 1: Sunnyvale1: Sunnyvale ColoColo--2: Denver2: DenverColoColo--2: Denver2: Denver

Primary Cisco Live Primary Cisco Live ColoColoPrimary Cisco Live Primary Cisco Live ColoColo

Secondary Secondary InteropInteropColoColo

Secondary Secondary InteropInteropColoColoCat6500 ASR1k


ColoColo--1: Sunnyvale1: SunnyvaleColoColo--1: Sunnyvale1: Sunnyvale

• Cisco UCS C-Series for NM Apps (Qty 4)

N 5010• Nexus 5010

• NetApp FAS3420 x 2; DS2246 (~14TB storage)

• Wireless 5508; APs 3500 Series (CleanAir); MSE; Cisco Prime NCS; ISE

• Switches : Catalyst 3560E; 6513E; 4507R+E; 6509E

• Routers: ASR1000, 2851 (IPSLA)

• CiscoWorks LMS 4 0 1 (Windows) and 4 1 Beta (Linux)• CiscoWorks LMS 4.0.1 (Windows) and 4.1 Beta (Linux)

• CiscoSecure ACS 5.2

• CNR 7.2 (IPv4 and v6 DNS/DHCP)

• Security : ASA5585-X-S60 (Qty 3); IDS-4270

• Physical Security: Cisco 4500 and 5000 IP Cameras, Cisco Physical Access Control, Cisco Counting Suite (Video Analytics)


• VXI, IP Phones, Unified Call Manager, various TP and Tandberg

The Hotel Meeting Room

South Level Two South Level 3South Level One3560

E3560

E3560

E

SiSiSiSiSiSi SiSiSiSiSiSi SiSiSiSiSiSiSiSiSiSiSiSi

3560E 16 Switches

3560E

SiSiSiSiSiSiSiSiSiSiSiSi

3560E 9 Switches

3560E


3560E8 Switches

3560E


3560E

NOCDIST

6509E SUP720IN QUAD SUPVSS MODE

Wireless ctrl

North Level One3560

E3560

E3560

E3560

E

2 x 10

GE

2 x 10GE

VSS MODE

ASA5585-

ct5508

3750-X

ASA-5585

SiSiSiSiSiSi

3750-X

SiSiSiSiSiSi SiSiSiSiSiSi SiSiSiSiSiSiSiSiSiSiSiSi

ASA5585-X-

CORE 6513E

SUP2T

X

6509E

DHCP/DNS

LMS/FnF/EWise

X5585 5550 SiSiSiSiSiSi

5585S60

4 x 10GE

Sunnyvale

1GE

Denver

IN VSS MODE

1GEIPS-4270

6509EDual Sup720

NOCUsersSiSiSiSiSiSiNOC


© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

SunnyvaleColo

DenverColo 3750-X

4507R+E

IPv4 Address Range - 45.0.0.0/15IPv6 Address Range - 2620:144::/32

L2-Access350.000 IPv4 prefixes from each eBGP peer – dedicated IPv4 session6500 IPv6 prefixes from each eBGP peer – dedicated IPv6 session

QwestAS 53692

MBCC – Cisco LiveAS 290

6500-VSS6500-VSS

OSPF Default Route

Multicast RP

4500 Dual SUP

OSPFv2 for IPv4 – Single AreaOSPFv3 for IPv6 – Single Area

Full BGP Routing Table for both IPv4

and IPv6

Full BGP Routing Table for both IPv4

and IPv6


Core Switch

Dirty-Net Servers

Sunnyvale COLO

CS1-VTG-VMC

UCS1-VTG-CIMC

Colo-IDSCOLO-6503E

VSS

Colo-ASA1

Colo-ASA2

Colo Denver

Colo EWR


Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 72

IPv4 Internet IPv4 Internet IPv6 Internet Brisbane, CA

Per


Joe

Total Number of unique DHCP Leases 28,298

Highest number of Active MACs (wired)Highest Daily number of active leases

1028

16 000Highest Daily number of active leases 16,000

Managed Routers and SwitchesWireless Access PointsAverage number of clients / AP

170190290g


• IPv6 worked as well as the IPv4 Infrastructure

Don’t re IP 3 weeks before a major show• Don’t re-IP 3 weeks before a major show

• Geolocation by IP is not precise – Mandalay 3rd floor users going to Google were sent to Google.co.jp – at some point this InterOp address block existed in Japan.

• Don’t stage in a rain-stormIf you do, leave the equipment outside in Las Vegas because it will dry y , q p g yin 2 minutes – do not leave equipment outside in Las Vegas more than 10 minutes or it will melt


• Start now and position for growth

N S• Next Steps: Assess, Plan, Design Trial, Train, Roll out

• Map out opportunities to be IPv6 ready in planned technology refresh cyclesy

Reference certification requirements

• Enable your network evolution to IP 6 ith th Ci B d lIPv6 with the Cisco Borderless Network Architecture


http://www.cisco.com/go/ipv6

• Thank you! • Please complete the post event survey• Please complete the post-event survey.

J i O t b 5 2011 f t• Join us October 5, 2011 for our next IOS Advantage Webinar:

“Creating Zero Touch Carrier Ethernet Services”Creating Zero-Touch Carrier Ethernet Serviceshttps://cisco.webex.com/cisco/onstage/g.php?d=20

7140763&t=a7140763&t a


Thank you.


IPv6: Real World Deployments (From the Trenches) (IOS Advantage Webinar)

Technology

Transcript of IPv6: Real World Deployments (From the Trenches) (IOS Advantage Webinar)