Transcript of: Journey to a pure IPv6 Campus (slide deck)
![Page 1](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/1.jpg)
Journey to a pure IPv6 Campus
Loghs Srinivasan, Director - SW Dev, Enterprise Network Solutions, Cisco, Oct. 2018
![Page 2](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/2.jpg)
Agenda
Business rationale to pursue IPv6
Roadblocks to successful adoption
Making it work
IPv6 Readiness – Leap for IT
Troubleshooting & Lessons Learned
What Next?
![Page 3](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/3.jpg)
Business rationale to pursue IPv6
Operational simplicity
Migration from VM to containers
Removing multi-layer NAT
Single stack (removal of dual stack)
![Page 4](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/4.jpg)
Business rationale to pursue IPv6
Campus is the last frontier in this migration
![Page 5](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/5.jpg)
Roadblocks to a successful IPv6 adoption
End user mindset (IPv4 literal to host name)
Handling v4-only infrastructure (labs)
Sites that are still v4-only enabled (e.g. bbc.com)
Devices which do not support DHCPv6 (Android)
Applications which are not v6 ready (e.g. TightVNC)
![Page 6](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/6.jpg)
Making it work: pure IPv6 campus journey for IT
One step for IPv6, a leap for IT readiness
(Figure rows: IT Transition, Network Validation, End user Preparation)
Step 1
• Examine access network
• Building traffic analysis
• Identify primary applications in building
Step 2
• External apps are validated separately
• Access network dual stack
• 100 v6-only devices/users
• NAT64/DNS64 for applications
• SLAAC/RDNSS for Android
• Prepare users for the transition (dual-stack is common but not 100%)
• Migrate network (data path to pure v6)
• 100 v6-only devices
• Identify v4 literal hotspots (labs)
• Implement hostname
Step 3
• IPv6 foundations determined healthy
• Migrate the entire building to v6
• War rooms to address any issues/questions
End Goal / Success
![Page 7](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/7.jpg)
SJC23 IPv6-Only Network (topology diagram; labels only): Site GWs, eBGP, core (6807, 6807), distribution (6504E, 6504E, VSS), Po20/Po10, access switches 4503E, 4503E, 4507E, 4507E and 3850 (closets 1.1, 1.2, 2.1, 2.2, 3.1, 3.2), 8540
![Page 8](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/8.jpg)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
New SJC23 IPv6-Only Network (2018) (topology diagram; labels only): Site GWs, eBGP, core (6807, 6807), distribution (9500, 9500, SVL), Po20/Po10, access switches 9400, 9400, 9300, 9300 (closets 1.1, 1.2, 2.1, 2.2, 3.1, 3.2), 8540, 9300
![Page 9](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/9.jpg)
IPv6 in Enterprise - Deployment details: San Jose building case study
500+ users
500+ switch ports, 120 APs
3 floors, 6 wiring closets
~40 applications
3 months phased approach - IT template
![Page 10](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/10.jpg)
Supporting a wide range of services for the building users
Applications such as VNC, Remote Desktop, Google Docs, Skype
Collaboration endpoints on PCs/laptops such as Spark Client, Spark Web, Webex
Devices such as Mac, Windows, iPhone, Android OS
Enterprise services such as CiscoTV, AnyConnect, Outlook, Telepresence, Proximity etc. had to be carefully planned for operations
All management configs were done only using IPv6 - SNMP, Netflow, WaaS etc.
Network protocols used: NAT64/DNS64, SLAAC
![Page 11](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/11.jpg)
Building 23 IPv6 Transition: User Experience
Understand what people use the network for
Ø Functional groups/visitors
Ø Building traffic analysis
Ø Identify primary applications:
• Collaboration: Call/Telepresence, Spark (inc. video call), Jabber
• Business apps: Exchange/email, http/intranet/wiki, Video/Cisco TV, VNC/Remote Desktop
Prepare users for IPv6
Ø Build user profiles
• Engineering Dev/Test (lab dependent)
• Business/Finance/Mgmt
• Product Mgmt and Marketing
• Engineering Release Mgmt
Ø Workshop and dry runs
• Periodic dry runs to enable building users for transition
• War rooms to address any issues/questions
![Page 12](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/12.jpg)
IPv6 - The journey (figure; labels only)
Where We Were (July 2016): Network Policy IPv4, Mgmt Policy IPv4; Enterprises deployed dual stack
Where We Are Now: Network Policy IPv6, Mgmt Policy IPv6; San Jose building migrated to IPv6; IPv6 solution testing; Enterprise products; Few enterprises migrating to single stack
![Page 13](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/13.jpg)
One step for IPv6, a leap for IT readiness
![Page 14](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/14.jpg)
The Building Network
• Keep it simple – L2, routing, DHCPv6, VSS, primarily wireless

```
interface Vlan22
 description v6WIRELESS-DATA
 no ip address
 ipv6 address FE80::DEF link-local
 ipv6 address X::1/64
 ipv6 nd prefix X::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination X::12
 ipv6 eigrp 233
```

• SLAAC for Android exception

```
interface Vlan27
 description ***SLAAC-VLAN***
 no ip address
 ipv6 address X:Y:Z:H::/64 eui-64
 ipv6 enable
 ipv6 nd ra dns-search-list domain cisco.com
 ipv6 nd ra dns server A:B:C:D::53
 ipv6 nd ra dns server A:B:C:F::53
```
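The two VLAN configurations above differ only in what the Router Advertisement tells hosts: Vlan22 sets the M/O flags and clears the prefix A-bit (addresses come from the DHCPv6 relay), while the Android VLAN sets the A-bit and carries RDNSS so a host with no DHCPv6 client still learns its resolvers. The following is an added Python example, not code from the deck, that builds both RA styles from scratch and decodes what a host would do with each; prefixes and resolver addresses are constructed documentation values.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25      # RFC 4861 type 3, RFC 8106 type 25


def build_ra(prefix, managed, other, autonomous, dns_servers=()):
    """Raw ICMPv6 RA bytes (checksum left 0, the sending stack fills it in)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)                 # L bit, optional A bit
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                       2592000, 604800, 0) + net.network_address.packed
    if dns_servers:                                               # RDNSS option
        addrs = b"".join(ipaddress.IPv6Address(s).packed for s in dns_servers)
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800) + addrs
    return pkt


def parse_ra(pkt):
    """Decode the M/O flags, SLAAC-enabled prefixes and RDNSS servers from an RA."""
    flags = struct.unpack_from("!BBHBBHII", pkt, 0)[4]
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "slaac_prefixes": [], "rdnss": []}
    off = 16                                                      # fixed RA header size
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed ND option")              # RFC 4861: discard the RA
        body = pkt[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and body[1] & 0x40:           # A bit set
            info["slaac_prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:
            info["rdnss"] = [str(ipaddress.IPv6Address(body[6 + 16 * i:22 + 16 * i]))
                             for i in range((olen - 8) // 16)]
        off += olen
    return info


def host_strategy(ra, supports_dhcpv6):
    """How a host configures itself from this RA; Android has no DHCPv6 client."""
    if ra["managed"] and supports_dhcpv6:
        return "dhcpv6"
    if ra["slaac_prefixes"]:
        return "slaac+rdnss" if ra["rdnss"] else "slaac-no-dns"
    return "no-address"
```

Feeding the Vlan22-style RA to `host_strategy` with `supports_dhcpv6=False` returns `no-address`, which is exactly why the Android exception VLAN exists.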
![Page 15](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/15.jpg)
How to deal with IPv6 islands (islands aren't always relaxing)
• Despite dual-stack, v6-native internal apps/services are still not the norm
• DNS64/NAT64 is a critical enterprise service
(Figure; labels only: Campus IP Core, FW, Campus Access (v6), ENG Labs (v4), Data Centers (v4), Internet (v4), with 4/6 translation points between the v6 campus and the v4 islands)
![Page 16](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/16.jpg)
NAT64/DNS64 holds it all together
(Figure; labels only: v6-only host, DNS64 bind9 server, Corp DNS, ASR 1002-X (v6 side / v4 side), V4 NAT pool, /56 map pool, example.cisco.com 192.0.2.10)
• BIND9 as DNS64; can be added to existing
• ASR1002-X NAT64 with HA
• Simple config and stable
DNS64/NAT64
DNS makes every service appear to be v6
NAT makes every service function as v6

```
nat64 prefix stateful 2001:X::/96
nat64 v4 pool NAT64-IPv4 10.x.y.z 10.x.y.zz
nat64 v6v4 list NAT64 pool NAT64-IPv4 overload redundancy 1 mapping-id 1
```
![Page 17](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/17.jpg)
Tapestry of supporting apps/tools to validate

| Priority | Impact Level | Service | Application | Parity Status |
|---|---|---|---|---|
| High | Medium | Client | CiscoTV/IPTV | Yellow |
| Medium | High | Client | File transfer: FTP, TFTP, SSH, SCP | Yellow |
| Low | Low | Client | AnyConnect | Yellow |
| High | High | Client | Jabber | Green |
| High | High | Client | Webex | Green |
| High | High | Client | Outlook | Green |
| Medium | Medium | Client | VNC | Green |
| Low | Low | Client | Remote Desktop | Green |
| Medium | High | Client | Telepresence | Green |
| Low | Low | Client | App Store | Green |
| Medium | Medium | Client | IP Phone | Yellow |
| High | High | Client | Public web | Green |
| Medium | Medium | Client | wwwin.cisco.com | Green |
| Low | Low | Client | Proximity | Red |
| Low | Low | Client | Google Docs | Green |
| Low | Low | Client | Skype | Yellow |
| Medium | Low | Client | Dropbox | Yellow |
| High | Medium | Client | Cisco Print | Green |
| | | Client | AnyConnect (SSL) through NAT64 | Yellow |
| | | Client | Cisco DayCare Video Monitor | Yellow |
| High | High | Collab | Spark Client | Green |
| High | High | Collab | Spark Web | Green |
| High | High | Facilities | CCTV, Badge, Physical Security Infra | Yellow |
| Medium | Low | Mgmt | RCMD Mgmt | Yellow |
| | | Mgmt | SNMP | Green |
| | | Mgmt | Netflow | Yellow |
| | | Mgmt | NTP | Green |
| | | Mgmt | LDAP/AD | Green |
| High | High | Network | IPv6 Multicast | Red |
| High | Medium | Network | WaaS | Yellow |
| High | Medium | Network | ACNS | Yellow |
| High | Medium | Network | ACS Radius | Yellow |
| Medium | Low | Network | dACLs/802.1x | Red |
| | | Network | OSPFv3 routing, multiple platforms | Green |
| | | Network | NAT64 on ASR/CSR | Green |
| | | Network | NAT64 on ASA | Green |
| | | Network | DNS64 on bind9 | Green |
| | | Network | CAPWAP over v6 | Green |
![Page 18](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/18.jpg)
Troubleshooting case study & lessons learned
![Page 19](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/19.jpg)
This is why the journey matters
• Real experience shows what matters to users
• Real data provides comparisons
• Real impact incentivizes app/service owners
Enterprise complexity
![Page 20](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/20.jpg)
Name-based access - as much behavioral as technical
• IPv4 targets with a host name will be resolved by DNS64 – no problem
• But engineers are used to connecting to lab devices using an IPv4 address, e.g. 172.16.32.1
• Facilitate easy naming using a script to convert an IPv4 address to a host name, e.g. 172.16.32.1 → 172-16-32-1.cisco.com
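An added Python example, not the deck's script, of the IPv4-literal-to-hostname rule described above. It goes slightly beyond the slide: it validates the octets so a malformed literal is left untouched, rewrites literals embedded in URLs or host:port strings, and provides the reverse mapping so the same rule can populate the DNS zone. The cisco.com suffix is the slide's example; treat it as a placeholder for your own lab domain.

```python
import ipaddress
import re

LAB_DOMAIN = "cisco.com"   # suffix from the slide's example; adjust per site
# A dotted quad that is not glued to other hostname characters on either side.
IPV4_LITERAL = re.compile(r"(?<![\w.-])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.-])")


def ipv4_to_hostname(literal, domain=LAB_DOMAIN):
    """'172.16.32.1' -> '172-16-32-1.cisco.com'; raises ValueError on a bad address."""
    addr = ipaddress.IPv4Address(literal)            # rejects 999.1.1.1, 1.2.3, ...
    return f"{str(addr).replace('.', '-')}.{domain}"


def hostname_to_ipv4(name, domain=LAB_DOMAIN):
    """Reverse mapping; returns None when the name is not of the dashed form."""
    suffix = "." + domain
    if not name.endswith(suffix):
        return None
    try:
        return str(ipaddress.IPv4Address(name[:-len(suffix)].replace("-", ".")))
    except ValueError:
        return None


def rewrite_target(target, domain=LAB_DOMAIN):
    """Replace every valid IPv4 literal in a URL, host:port or bare string."""
    def repl(match):
        try:
            return ipv4_to_hostname(match.group(1), domain)
        except ValueError:
            return match.group(0)                    # not an address, leave it alone
    return IPV4_LITERAL.sub(repl, target)
```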
![Page 21](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/21.jpg)
NAT64/DNS64 issues encountered
• Incorrect AAAA responses, e.g. :: ::1 fe80::x 64:ff9b::x 2001:DB8::x
• Workaround is to set an exclude rule for prefixes other than 2000::/3 in the DNS64 server.
• AAAA query returns SERVFAIL, causing DNS64 synthesis failure even though the A query was successful
• Workaround is to create a zone for the offending service on DNS64 which returns a synthesized answer, artificially forcing the client through NAT64.
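The two issues above are both failures of the DNS64 decision "synthesize only when no usable AAAA exists". The following is an added Python example, not BIND's code or the deck's configuration, that models that decision with the exclude rule and the local-zone override applied; the NAT64 prefix 2001:db8:64::/96 and the 192.0.2.10 target are constructed test values (the deck's ASR uses 2001:X::/96). Note that 2001:db8::/32 sits inside 2000::/3, so excluding it needs an explicit entry on top of the 2000::/3 rule.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Constructed NAT64 prefix; the deck's ASR config uses 2001:X::/96.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix, ipv6):
    """Inverse of synthesize(): the v4 target the NAT64 box opens a session to."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(aaaa_rcode, aaaa_records, a_records, local_override=(),
                 extra_exclude=(), prefix=NAT64_PREFIX):
    """AAAA set a v6-only client should receive for one name.

    aaaa_rcode / aaaa_records: result of the upstream AAAA query.
    a_records: result of the upstream A query.
    local_override: A records served from a local zone on the DNS64 host
        (the deck's second workaround); synthesized without asking upstream.
    extra_exclude: prefixes dropped on top of 'everything outside 2000::/3'.
    """
    if local_override:
        return [str(synthesize(prefix, a)) for a in local_override]
    # Issue 2: SERVFAIL on AAAA aborts synthesis even though the A query succeeded.
    if aaaa_rcode == "SERVFAIL":
        raise LookupError("AAAA SERVFAIL: DNS64 cannot synthesize")
    # Issue 1 / workaround 1: the exclude rule. ::, ::1, fe80::x and 64:ff9b::x all
    # fall outside 2000::/3; the NAT64 prefix itself must never be returned as real.
    excluded = [prefix] + [ipaddress.IPv6Network(n) for n in extra_exclude]
    usable = []
    for rec in aaaa_records:
        addr = ipaddress.IPv6Address(rec)
        if addr in GLOBAL_UNICAST and not any(addr in net for net in excluded):
            usable.append(str(addr))
    if usable:
        return usable                      # genuine v6 path, NAT64 not involved
    return [str(synthesize(prefix, a)) for a in a_records]
```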
![Page 22](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/22.jpg)
Case Study – Hot topic for IPv6 War Room
• VMware Fusion: VMware Fusion on Mac doesn't work on an IPv6-only network with NAT66 between the VM and the host machine. Workaround is to change the network settings to bridge mode to make it work.
• Oracle VirtualBox on Mac doesn't work: as per Oracle, VirtualBox requires a SLAAC IPv6 network.
• Android doesn't support DHCPv6: used SLAAC+RDNSS+DNSSL for Android clients.
![Page 23](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/23.jpg)
Case Study – Hot Topic for IPv6 War Room
• SoftPhone does not register. Details: SoftPhone requires port 8443, which is not enabled for IPv6. Workaround: the development team is engaged to patch or upgrade their Call Manager as a verification mechanism in the short term.
• Outlook on Mac: Outlook for Mac v15 and above supports IPv6.
![Page 24](https://reader033.fdocuments.net/reader033/viewer/2022042011/5e7254c9ff8dbe4d757feef0/html5/thumbnails/24.jpg)
What Next?
• Working with leading enterprise partners to enable more IPv6-only deployments
• DC migration to IPv6-only to expand more buildings to IPv6
• Development process change for new features: parity between v4 and v6 for new development
• Working with industry leaders to drive v6 readiness for apps