Cisco IOS Advantage Webinars
IPv6 Deployment and Operations Experiences
Ken Hook, Product Line Manager
Gunter Van de Velde, Technical Leader
Date: September 7th, 2011
Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1
Speakers
• Ken Hook
Product Line Manager, Identity & IPv6 [email protected]
• Gunter Van de Velde
Technical Leader @ Cisco
President Belgian IPv6 Task Force
IETF Co-chair, OPSEC [email protected]
Cisco Confidential 2© 2011 Cisco and/or its affiliates. All rights reserved.All Specifications Subject to Change Without Notice
• Submit questions in Q&A panel and send to “All Panelists”
Avoid CHAT window for better access to panelists
• For Webex audio, select COMMUNICATE > Join Audio Broadcast
• For Webex call back, click ALLOW Phone button at the bottom of Participants side panel
• Where can I get slides? https://communities.cisco.com/docs/DOC-26134
Or send email to: [email protected]
• Please fill in Survey at end of event
• Join us on October 5 for our next IOS Advantage Webinar: Creating Zero-Touch Carrier Ethernet Services
Business Drivers - Enterprise
Deployment Strategies
Offerings
IPv6 Highlights
Real world “Interop” and “Cisco Live 2011”
2010, 2011, 2012
NOVEMBER, 2010: Globalization: 25% of the world’s population using 100% of IPv4 addresses
JAN, 2011: Date the last IPv4 addresses were allocated
SEPTEMBER, 2012: Civilian US Government Agencies mandated to provide external IPv6 connectivity
IPv6 Business Impact – The Cost of Waiting Goes Up
[Figure: timeline 2010, 2012, 2014 running from Low Risk through Moderate Risk to High Risk; phases shown: Early Adopters, Globalization, IPv6 Government Mandate Deadlines, Transition Planning, IPv4/IPv6 Co-existence]
• 2010: Low Impact – Buying behavior shift limited to mandated and early adopter sites
• 2011: Internet Evolution begins – “…IPv6 is important to all of us (…) to everyone around the world, It is crucial to our ability to tie together everyone and every device”. John Chambers
• 2012: Mandates take effect – Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
• 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach, increase operational complexity
Mobile and the Internet of Things drive growth
In 2013, there will be 50 BILLION devices connected to the network, up from 35 BILLION in 2010
Source: Forrester, Cisco IBSG
Preserve: Preserve the customer’s existing investment
• Audit and leverage existing IPv6 capabilities
Prepare: Prepare a migration and deployment plan
• Identify and enable critical IPv6 functional areas
Prosper: Prosper through the transition to IPv6 Internet
• Enable all systems with dual-stack capabilities
• Grow seamlessly as customers transition to IPv6
IPv6 is the foundation of a lifecycle management discussion
IPv6 Over a Decade of Security
Cisco Investment - Shipping Since 1996
[Figure: IPv6 features shipped in Cisco products: IPv6 Forwarding; IPv6 Routing (OSPFv3, IS-IS, EIGRP, EIGRPv6, BGP); IPv6 Multicast; Anycast; IPv6 QoS (classification, policing); IPv6 Management (DHCPv6, SNMP, DNS, SSH, ICMPv6); Syslog v6; V6 Netflow; HSRPv6; ISSU; VRF; IPv6 Firewall; v6 ACLs; v6 CoPP; IPv6 HA; IPv6 Radius AAA]
These capabilities and more are already part of your customer’s investment
1 Identify the highest priority IPv6-critical areas in your network
2 Perform IPv6 Assessment on high priority areas to determine scope
3 Develop a design that enables IPv6 without disrupting your IPv4 network
4 Test and implement in pilot mode, then extend over time into production
Repeat for the Next IPv6-Critical Area in Your Network
A well-structured migration plan provides insurance against unexpected costs as customers, partners, and suppliers move to IPv4 and IPv6 coexistence
Leverage Your Investment: A Decade of Cisco IPv6 Innovations
Make a Plan: Align Business and IT Strategy
Invest for Success: Deploy IPv6 Transition Support Technologies
Accelerate: Prosper through accelerated global customer reach. Unleash new business models
Deployment stages (numbered 1 to 7 on the slide):
• IPv6 Pilot and Basic Infrastructure
• Sales Certs (USGv6, JITC UCR2008)
• IPv6 Internet Presence (websites, remote users, B2B …)
• IPv6 Islands (Wireless/Consumer devices, Labs …)
• Internal Data Center, Enterprise Apps
• Ubiquitous Dual-Stack
• IPv4 EOL
“Mandated”: 1, 2, 3
Who?
• Government Agencies
• Customers who sell to government agencies
“Motivated”: 2, 3, 4
Who?
• Customers with IPv4 address exhaustion
• Global Enterprises with consumer or business interaction on the public internet
• Customers with user-provided devices on their network
“Early Adopter”: 2, 4, 3, 5, 6, 7
Who?
• Companies looking for competitive advantage
• Companies using IPv6 to solve business problems
• Early adopters preparing for coexistence
“Mainstream”: 2
Who?
• Large US/European Enterprises
• Small-Medium Enterprises
Prioritize Critical Areas of Your Business and Network As You Scale Beyond IPv4 Limitations
Solution Overview
Through a Phased Approach, We Help You to:
1. Identify the highest priority IPv6-critical areas in your network.
2. Assess those areas to determine the scope of your IPv6 design.
3. Develop a design that enables IPv6 to be introduced without disrupting your IPv4 network.
4. Test and implement IPv6 in pilot mode, then extend over time into production deployment.
5. Repeat steps for subsequent areas of your network through ongoing optimization.
By the end of 2011, Internet traffic will be using the next-generation Internet protocol: IPv6.
IPv6 adoption must be addressed using a phased approach with careful validation and testing to avoid disrupting the IPv4 network or introducing vulnerabilities.
Proactively Budget Time, Money, and Resources
Use Case / IPv6 Technology / Relevant Products

Dual Stack Use Case
• Set up devices to run IPv4 and IPv6 in parallel
• Link hosts and islands of IPv6 devices together
IPv6 Technology: IPv6 and IPv4
• IPv6 switching and routing stacks
• IPv6 over IPv4 tunneling protocols
• First Hop Security
Relevant Products
• Catalyst 6K, 4K, 3K, 2K
• Nexus 7K, ASA Security Appliance
• AnyConnect VPN client
• ASR 1000
• ISR G2

IPv6 Internet Presence Use Case
• Get started on the IPv6 Internet Edge for Outside – In deployment
IPv6 Technology: Stateless NAT64 (NEW)
• Allows IPv6 or dual-stack hosts to talk to IPv4 infrastructure (for example, web content)
Relevant Products
• Stateful NAT on ASR-1000 (NEW)
Solution Characteristics
• Expected Scale: 1.3 Million Stateful NAT Translations with HA enabled
• Expected Performance: 78K Translations per Second with HA enabled, with integrated IP Services
• IPv6 adoption: Allows connectivity between IPv6 internet and IPv4 network
• Position on Internet Edge with Stateful NAT64 functionality or as dedicated translation device
[Figure: ASR1K Stateful NAT64 Translator at the Enterprise Edge, between IPv6 devices on the IPv6 Internet (IPv6 packet) and the IPv4 Data Center (IPv4 packet), mapping an IPv6 prefix to an IPv4 pool]
Any type of IPv6 Prefix is allowed
[Figure: IPv4 and IPv6 paths between Content Hosting/CDN, ISP, and V6-only End User / ISP Subscribers]
Considerations: Experience, Scale, Cost, Operations, Technology…
Optimized IPv6 Transition
[Slide: matrix of IPv6 features by network layer (Internet Edge, MPLS/IPv4/IPv6 Core, Distribution, Access) and by category (Optimized IPv6 Delivery, Security, Transition Technologies)]
Features listed on the slide:
• EIGRPv6, OSPFv3, BGPv6
• EIGRPv6, OSPFv3, IS-IS
• PBR
• ECMP, OSPFv3 GR
• IPv6 support for VSS
• IPv6 PIM-SSM, MLDv2, Embedded RP
• IPv6 QoS
• DHCPv6 Relay Agent
• HSRPv6/GLBPv6
• Stateless Auto configuration
• IPv6 management: SNMP, Syslog, SSH, NTPv4, Tacacs+
• IPv6 interface stats
• IGMPv3/MLDv2 Snooping
• IPv6 IPsec
• IPv6 Firewall
• IPv6 IDS
• IPv6 CoPP
• IPv6 ACL
• IPv6 ACL Atomic Commit/Dry Run
• uRPF
• IPv6 Ingress Netflow
• IPv6 Flexible Netflow
• IPv6 First Hop Security
• IPv6 PACL/RA Guard
• Dual Stack IPv4/IPv6
• V6 over v4 tunnels: 6vPE/6PE, L3VPNoMGRE, DMVPNv6, Static tunnels
• 6 to 4 translation
• 6to4 tunneling
• ISATAP and static tunnels
“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”
[Figure: dual-stack data center design: Internet, Translation Point, DC Edge, DC Core (Distribution/Core), Firewalls, Load balancers, DC Agg (L2/L3 boundary, towards access, 1x10GE per Agg SW), ToR/Access racks; IPv4 and IPv6 paths]
Distribution/Core:
• Dual Stack
• Routing protocols (OSPFv3, ISISv6, BGPv6..)
• IPv6 Mcast
• IPv6 security: classification, ACL & policing, CoPP
• BFD
• Flexible Netflow
• 6VPE
• ECMP
• Interface stats
• uRPF
Towards Access:
• Dual Stack
• HSRPv6/VRRPv3
• BFD
• SVI
• Snooping (MLDv2)
• IGMPv3
• First Hop Security (RA guard)
• PACL/VACL
• IPv6 Management
World IPv6 Day: Jumping In Together
June 8 2011 – 00h00-23h59 (UTC)
24-hr IPv6 “Test Flight”
IPv6 access on website’s “front door” (DNS AAAA Record on www.company.com)
Note: This is not about turning off IPv4!
Coordinated by: http://isoc.org/wp/worldipv6day/
http://isoc.org/wp/worldipv6day/participants
http://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
• No issue on cisco.com
• No Security issue
• Performance within predicted range
• NO TAC case
• And that seems to be consistent across the industry
Source: Arbor Networks
http://hide.dnsalias.net/aaaa/worldipv6day.cgi
Business Drivers - Enterprise
Deployment Strategies
Offerings
IPv6 Highlights
Real world “Interop” and “Cisco Live 2011”
Interop 2011
Gunter Van de Velde
Sr. Technical Leader
NOSTG
• Background and Goals
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
• It is all about the Network
• Multivendor was the key element
• It is a conference
• +15k people attend this event in Las Vegas
• There is a show-floor
• There is a breakout floor
• More than 30 vendors participate (network, fiber, monitoring, operation, etc…)
• Network must be fully dual stack (IPv4+IPv6)
• All IPv4 services should be reachable over IPv6
• Connections to IPv6-enabled websites should use IPv6 by default
• Demonstrate and experiment with newer technologies like DHCP-PD
• Nothing should break
[Figure: InteropNET topology. Mandalay Bay Conference Center: Show Floor, Off Show Floor and Press room, 2nd Floor, NOC; Access, Distribution and Core layers; 3rd party; Internet co-locations: Colo-1: Sunnyvale (primary Interop colo), Colo-2: Denver, Backup: Newark]
[Figure: InteropNET equipment layout, Las Vegas - MBCC. Areas: Show Floor, Off Show Floor, Press Room, 2nd floor, NOC, Wireless and Security, DMZ, Services (CNR – DHCP/DNS; LMS, CMS, MCS; CUCM, CUC, CUP; NOC desktops), Clean Air Wireless 802.11n. Devices shown: 4510R+E, 3750X, Cat2960C-8 PoE+, 4948, 6503E, 6506E, 6509E, 6513E, VSS pairs (20GigE, 2 * 20GigE and 2 * 80GigE links), WISM, IDS, IPS-4270, ASA5585-X, ASR1004. Colos: Sunnyvale (primary), Denver, Newark]
Applications
• LMS Management and config management
• Dual Stack DNS with CNR
• Dual Stack DHCP with CNR
• HD Video between IPv6 & IPv4 end-points
• Cisco WCS
• Cisco Security Manager
• MediaNET Collaboration Manager
• Unified Communication in a dual stack environment
Services
• Security: ASA and IDS; transparent firewall; full IPv4/IPv6 application inspection; inspection and intrusion detection, centrally managed
• NAM3
• Wireless with WISM2: centralized wireless control, RF Optimization with clean air
Network Infrastructure
• Full IPv4/IPv6 Internet Peering
• VSS-Quad Sup
• Routing Fast Convergence OSPF and BGP
• Flexible NetFlow
• Control Plane Security
• ISSU
• ECMP Load-Balancing
• QoS Implementation
• SNMPv3
• First Hop Security
• Multicast
• MediaNET Performance Monitor
• Multi-chassis Etherchannel
• DHCPv4/6
Speeds & Feeds
• 40G core
• IPv4/IPv6 Hardware-based Acceleration
• 802.11N
• 40G Firewall Services
Cisco Equipment
C6500, C4500, C3750X, C2960C-8, ASA5585, ASR1k, IPS4270-20, WISM2, NAM3, SCE, Aironet 3500, MXE-5600, CP-9971, CTS500, TP: EX90, Telepresence Server
[Figures: InteropNET traffic graphs over the event, annotated with the first days (classes and registration), the main conference days (Day 1, 2, 3 and 4) and the final day]
• Top 10 DNS lookups - provided by Dyn DNS
1 l.google.com
2 daccess.microsoft.com
3 ak.fbcdn.net
4 NYAPPMSGVS02.zbinet.com.
5 com.akadns.net
6 g.akamai.net
7 push.apple.com
8 www.google.com.
9 www.facebook.com.
10 clients.google.com
• Top AAAA DNS lookups
1 daccess.microsoft.com
2 enet.interop.net
3 l.google.com
4 ak.fbcdn.net
5 www.google.com.
6 push.apple.com
7 www.apple.com.
8 clients.google.com
9 imap.gmail.com.
10 mail.google.com.
• Background and Goals
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
• Qwest provides IPv4 and IPv6 connectivity to Interop, via links and BGP sessions to colos in SFO, DEN, and EWR
• GigE links from SFO and DEN to Las Vegas are dual stack, with IPv4 and IPv6 eBGP sessions
• OSPFv3 is used for IPv6 routing between the colos and within the show network
• We had 2620:144::/32 at our disposal
• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnet
Supported by all IPv6-capable devices
Auto-assigned IPv6 address
Default Gateway (Link-local from RA)
• In addition, DHCPv6 is enabled, to provide IPv6 DNS information (and another working IPv6 address)
Devices that don’t support DHCPv6 (Windows XP and Mac OS X) must use IPv4 DNS, but can still resolve AAAA records
DHCPv6-assigned IPv6 address
DHCPv6-assigned DNS server
• All DNS services were provided by DynDNS and CNR
• In order to connect to Google and Facebook over IPv6, we arranged to whitelist the InteropNET DNS servers (Thank you Mark Townsley.)
As a result, DNS requests for google.com and facebook.com receive AAAA (IPv6) responses
On World IPv6 Day (June 8th) those AAAAs were visible to everyone
• Goal was to provide all internal services over IPv6 as well as IPv4
• This required coordination with vendors to enable IPv6, make sure services were bound to their IPv6 ports, and publish AAAA records
• Most (but not all) services ended up reachable over IPv6
• Cisco ASA5585 was used in transparent mode for Firewall services
• InteropNET wireless is provided by a 3rd party vendor (2nd floor) and Cisco (3rd floor)
• Off show floor, 3rd floor, all wireless arrays on each floor are part of a single VLAN, so roaming occurs at layer 2
• On the show floor, 2nd floor, each wireless array is on a different VLAN. When roaming occurs, a tunnel is dynamically built back to the first AP the user associated with
• Background and Goals
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
• All of the registries, for the most part, assign initial blocks for
Service provider /32
Enterprise /48
• Depends on the type of network, the size of the network, and problem to be solved
• Points of consideration
Documentation
Ease of troubleshooting
Aggregation
Standards compliance
Growth
SLAAC
Existing IPv4 addressing plan
Human factors
• Encode every IPv4 address in your network in an IPv6 address
• At first it seems relatively simple:
10.10.10.10 (0A0A0A0A)
2001:DB8:A0A:A0A::
Easy, right?
• Requires a /32 assignment if a minimum subnet size of /64 is to be preserved
Do you have or can you get a /32?
• Provides no information about the subnet mask
• Results in very large subnets
• Light documentation requirements as your existing IPv4 documentation is your IPv6 documentation
• Subnetting issue
10.10.10.0/24 (A0A0A0)
2001:DB8:A0A:A00::/56
Do we count the significant digits for the subnet?
• What if we “round down” to /64?
10.10.10.17/24 (0A0A0A10)
2001:DB8:A0A:A00::10/64?
Better, but let’s look at a point to point link.
• Point to Point Link:
10.10.10.1/30 (A0A0A01) for the remote site
10.10.10.2/30 (A0A0A02) for the local site
If we follow the previous rule to the letter we get:
2001:DB8:A0A0:A000::1/64
2001:DB8:A0A0:A000::2/64
But using /64s on router-to-router links can be dangerous, causing potential ping-pong problems on the point-to-point interface
Better to use a /127:
2001:DB8:AAA0::1/127
2001:DB8:AAA0::2/127
Um, wait a minute. What’s wrong here?
2001:DB8:AAA0::1/127
2001:DB8:AAA0::2/127
• Those are NOT in the same subnet!! A /127 could be ::0 and ::1, or ::2 and ::3, but NEVER ::1 and ::2!!
• As a matter of fact, NO IPv4 /30 can ever cleanly map into a /127!!
• Networks smaller than /64 can be desirable, especially using /127s for point to point links, and /128 for Loopback
• Be conservative in what you consume, be liberal in what you allocate:
To avoid future breakage, allocate a /64 in your documentation but use the smaller block
Similarly, reserve /48s for EVERYTHING you can, there’s no reason to allocate densely, there’s plenty of space
If you have a complex network, allocate in a sparse way to enable easy aggregation
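The mapping rules from the preceding slides, the /30-to-/127 mismatch and the "reserve a /64, configure a /127" advice, worked through with Python's ipaddress module. This is an added example, not code from the presentation; the function names are illustrative and 2001:db8::/32 is the documentation prefix the slides use. It goes beyond the single link on the slide by checking every /30 in a block.

```python
import ipaddress

# Documentation prefix used on the slides; a real plan would use the site's own /32.
SITE = ipaddress.IPv6Network("2001:db8::/32")


def embed_subnet(v4_subnet, site=SITE):
    """Place the 32 IPv4 bits directly after the site /32.

    The IPv6 prefix length becomes 32 + the IPv4 prefix length,
    so 10.10.10.0/24 maps to 2001:db8:a0a:a00::/56.
    """
    v4 = ipaddress.IPv4Network(v4_subnet)
    if site.prefixlen != 32:
        raise ValueError("this scheme needs exactly a /32 site prefix")
    base = int(site.network_address) | (int(v4.network_address) << 64)
    return ipaddress.IPv6Network((base, 32 + v4.prefixlen))


def naive_p2p(v4_link, site=SITE):
    """Copy the host bits of both ends of an IPv4 /30 and shrink the link to /127."""
    v4 = ipaddress.IPv4Network(v4_link)
    if v4.prefixlen != 30:
        raise ValueError("expected an IPv4 /30 point-to-point link")
    link64 = int(embed_subnet(v4_link, site).network_address)
    ends = []
    for host in v4.hosts():                        # the two usable hosts, .1 and .2
        host_bits = int(host) & int(v4.hostmask)   # 1 and 2
        ends.append(ipaddress.IPv6Interface((link64 | host_bits, 127)))
    return tuple(ends)


def share_127(a, b):
    """True when two addresses differ only in their last bit (one /127 pair)."""
    return int(a) >> 1 == int(b) >> 1


def clean_30s(v4_block):
    """Return the /30s in v4_block whose two usable hosts would share a /127."""
    block = ipaddress.IPv4Network(v4_block)
    return [n for n in block.subnets(new_prefix=30) if share_127(*n.hosts())]


def planned_p2p(v4_link, site=SITE):
    """Reserve the whole /64 in documentation, configure only its first /127."""
    base = int(embed_subnet(v4_link, site).network_address)
    reserved = ipaddress.IPv6Network((base, 64))
    ends = [ipaddress.IPv6Interface((base + i, 127)) for i in (0, 1)]
    return reserved, ends


if __name__ == "__main__":
    print("subnet map :", embed_subnet("10.10.10.0/24"))
    a, b = naive_p2p("10.10.10.0/30")
    print("naive ends :", a, "in", a.network, "|", b, "in", b.network)
    print("clean /30s in 10.10.10.0/24:", len(clean_30s("10.10.10.0/24")))
    reserved, ends = planned_p2p("10.10.10.0/30")
    print("reserved   :", reserved, "configured:", ends[0], ends[1])
```

The usable hosts of a /30 are always 4k+1 and 4k+2, an odd address followed by an even one, while a /127 pairs an even address with the odd one after it, which is why `clean_30s` comes back empty for any block.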
• You can indeed add convenience and save on documentation by using an algorithmic approach
• But ONLY if you have reasonably few IPv4 blocks, if you have 100s, you’ll probably need a different approach unless you can get a large enough v6 allocation
• You DON’T want to reproduce IPv4 “cruft” into IPv6. If your IPv4 subnetting is a mess, it’s best to re-do it for IPv6.
• Background and Goals
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
• On the show floor, each AP is homed to a different IPv6 subnet
• To support SLAAC, the router sends out RAs on each VLAN
• These RAs are IPv6 multicast packets, and are broadcast by the local radio to all clients (local or roaming)
• When roaming tunnels are built, the client receives both the local RA and the one from its home AP
• As a result, the client gets two IPv6 addresses from SLAAC. If it tries to use the wrong one, it will be unable to connect over IPv6
• Primary impact (as discovered at the Tuesday class) is to iPads, which support IPv6 and stay online while roaming
• When a Windows machine is cloned, you can get two or more machines with the same DHCPv6 Unique IDentifier (DUID)
• This DUID is used by the DHCPv6 server to identify the client, so when two clients with the same DUID request IPv6 addresses with DHCPv6, they will both be given the same address
• When the second machine receives its address from the DHCPv6 server, it does IPv6 Duplicate Address Detection, determines there is an IP address conflict, and refuses the lease
• When a client is configured to run 6to4 (an automatic tunneling protocol) and Internet Connection Sharing, it will advertise itself as an IPv6 router by sending out RAs on its wireless interface
• Clients receiving such RAs will auto-assign themselves an address in the wrong subnet
• Switches are generally configured with RA guard or equivalent on their wired ports
• Unfortunately there is no way to block rogue RAs over wireless APs (and some wired switches)
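One way to spot the two RA problems described in this section (RAs leaking through roaming tunnels and rogue RAs from 6to4 clients) from a monitoring point, since they could not be blocked on the wireless side. This is an added example, not part of the presentation: the per-VLAN inventory, the MAC addresses, the /64s under 2620:144::/32 and the observation format are constructed assumptions.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)

# Hypothetical inventory: VLAN -> (router MAC, on-link /64). The /64s are carved
# from the 2620:144::/32 block named on the slides; MACs are documentation values.
EXPECTED = {
    101: ("00:00:5e:00:53:01", ipaddress.IPv6Network("2620:144:0:101::/64")),
    102: ("00:00:5e:00:53:02", ipaddress.IPv6Network("2620:144:0:102::/64")),
}

# Constructed sample of observed RAs: "vlan source_mac advertised_prefix"
SAMPLE_RAS = """\
101 00:00:5e:00:53:01 2620:144:0:101::/64
101 00:00:5e:00:53:aa 2002:c000:204:1::/64
102 00:00:5e:00:53:02 2620:144:0:102::/64
102 00:00:5e:00:53:bb 2620:144:0:102::/64
102 00:00:5e:00:53:01 2620:144:0:101::/64
"""


def classify_ra(vlan, mac, prefix, expected=EXPECTED):
    """Return 'ok' or a short reason why this RA does not belong on this VLAN."""
    if vlan not in expected:
        return "unknown-vlan"
    router, onlink = expected[vlan]
    if mac == router and prefix == onlink:
        return "ok"
    # A 6to4 + Internet Connection Sharing host advertises a prefix from 2002::/16.
    if prefix.subnet_of(SIXTO4):
        return "rogue-6to4"
    # A legitimate RA of another VLAN seen here: the roaming-tunnel case.
    for other, (other_router, other_prefix) in expected.items():
        if other != vlan and mac == other_router and prefix == other_prefix:
            return "leaked-from-vlan-%d" % other
    if mac != router:
        return "unauthorized-sender"
    return "unexpected-prefix"


def find_suspect_ras(text, expected=EXPECTED):
    """Parse observation lines and return (vlan, mac, prefix, verdict) for non-ok RAs."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vlan, mac, prefix = line.split()
        verdict = classify_ra(int(vlan), mac.lower(),
                              ipaddress.IPv6Network(prefix), expected)
        if verdict != "ok":
            findings.append((int(vlan), mac.lower(), prefix, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_ras(SAMPLE_RAS):
        print(*finding)
```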
• All modern operating systems work well in a dual stack environment, and properly prefer IPv6 when availabley
• Older OSes continue working fine on IPv4, and never see IPv6
• Mac OS X and iPhones don’t work on NAT64 and IPv6-OnlyOS X doesn’t support DHCPv6All Mac products try to be too “helpful” and refuse to use an IPv6-only connection if they think an IPv4-capable connection is available (e.g. 3G on iPhone)Latest iOS & macOSX (Lion) does work in this environment as the DHCPv6 is supported
• Wifi-only iPads etc. work fine
• Background and Goals
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
• IPv6 inbound usage averaged ~2Mbps, vs. ~100Mbps for IPv4
• That’s 2% of Interop’s traffic from servers on the Internet
• Outbound traffic, by contrast, is dominated by IPv4
• Even though most InteropNET services (such as webcams) were IPv6-enabled, it appears that most end users on the Internet are not yet IPv6-connected
• Users inside the InteropNET preferred IPv6 to reach www.interop.com
• 34.4 GB delivered over IPv6
• 22.4 GB delivered over IPv4
• That’s 61% IPv6!
• Dual stack worked perfectly: no help desk complaints about IPv6 (or problems reaching Google/Facebook)
• NAT64 worked well on supported devices
• DHCP-PD worked well on the show floor with consumer devices capable of doing DHCP-PD
Required manual configuration of DHCPv6 pool on inside interface: couldn’t use SLAAC
• IPv6 works in the real world
• Over 60% of Interop attendees were using IPv6 to reach interop.com without even knowing it
• There are challenges to implementing IPv6, but nothing show-stopping
• About 2% of the Internet’s content is reachable over IPv6 (and growing fast)
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)
The NOC at CiscoLive
[Network diagram: Mandalay Bay Conference Center. Recoverable labels: World of Solutions; Breakouts, Registration, NOC; Access; Distribution (Cat6500, Cat4500E); Core (Cat6500); Internet; Co-locations; Colo-1: Sunnyvale; Colo-2: Denver; Primary Cisco Live Colo; Secondary Interop Colo; Cat6500, ASR1k]
Colo-1: Sunnyvale
• Cisco UCS C-Series for NM Apps (Qty 4)
• Nexus 5010
• NetApp FAS3420 x 2; DS2246 (~14TB storage)
• Wireless 5508; APs 3500 Series (CleanAir); MSE; Cisco Prime NCS; ISE
• Switches: Catalyst 3560E; 6513E; 4507R+E; 6509E
• Routers: ASR1000, 2851 (IPSLA)
• CiscoWorks LMS 4.0.1 (Windows) and 4.1 Beta (Linux)
• CiscoSecure ACS 5.2
• CNR 7.2 (IPv4 and v6 DNS/DHCP)
• Security: ASA5585-X-S60 (Qty 3); IDS-4270
• Physical Security: Cisco 4500 and 5000 IP Cameras, Cisco Physical Access Control, Cisco Counting Suite (Video Analytics)
• VXI, IP Phones, Unified Call Manager, various TP and Tandberg
The Hotel Meeting Room
[Network topology diagram. Recoverable labels: South Level One, South Level Two, South Level 3, North Level One; 3560E access switches (16 switches, 9 switches, 8 switches); NOC DIST 6509E SUP720 in quad-sup VSS mode; CORE 6513E SUP2T; 6509E Dual Sup720, VSS mode; wireless controller ct5508; 3750-X; ASA5585-X-S60; 5585, 5550; IPS-4270; DHCP/DNS; LMS/FnF/EWise; NOC users; Sunnyvale; Denver; link labels 2 x 10GE, 4 x 10GE, 1GE]
[Routing design diagram. Recoverable labels: Sunnyvale Colo; Denver Colo; 3750-X; 4507R+E; L2-Access; Qwest; AS 53692; MBCC – Cisco Live; AS 290; 6500-VSS; 4500 Dual SUP; OSPF Default Route; Multicast RP]
• IPv4 Address Range - 45.0.0.0/15
• IPv6 Address Range - 2620:144::/32
• 350.000 IPv4 prefixes from each eBGP peer – dedicated IPv4 session
• 6500 IPv6 prefixes from each eBGP peer – dedicated IPv6 session
• OSPFv2 for IPv4 – Single Area
• OSPFv3 for IPv6 – Single Area
• Full BGP Routing Table for both IPv4 and IPv6
[Colo diagram. Recoverable labels: Core Switch; Dirty-Net Servers; Sunnyvale COLO; CS1-VTG-VMC; UCS1-VTG-CIMC; Colo-IDS; COLO-6503E VSS; Colo-ASA1; Colo-ASA2; Colo Denver; Colo EWR]
[Diagram labels: IPv4 Internet; IPv6 Internet; Brisbane, CA]
Total Number of unique DHCP Leases: 28,298
Highest number of Active MACs (wired): 1028
Highest Daily number of active leases: 16,000
Managed Routers and Switches / Wireless Access Points / Average number of clients per AP: 170 / 190 / 290
As of Thursday Noon 13.2 TB of traffic
• IPv6 worked as well as the IPv4 Infrastructure
• Don’t re-IP 3 weeks before a major show
• Geolocation by IP is not precise – Mandalay 3rd floor users going to Google were sent to Google.co.jp – at some point this InterOp address block existed in Japan.
• Don’t stage in a rain-storm
If you do, leave the equipment outside in Las Vegas because it will dry in 2 minutes – do not leave equipment outside in Las Vegas more than 10 minutes or it will melt
• Start now and position for growth
• Next Steps: Assess, Plan, Design, Trial, Train, Roll out
• Map out opportunities to be IPv6 ready in planned technology refresh cycles
Reference certification requirements
• Enable your network evolution to IPv6 with the Cisco Borderless Network Architecture
http://www.cisco.com/go/ipv6
• Thank you!
• Please complete the post-event survey.
• Join us October 5, 2011 for our next IOS Advantage Webinar: “Creating Zero-Touch Carrier Ethernet Services”
https://cisco.webex.com/cisco/onstage/g.php?d=207140763&t=a
Thank you.