3.Enterprise IPv6 Deployment

8/13/2019 3.Enterprise IPv6 Deployment

1/124

2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1

Enterprise IPv6 Deployment

BRKCRS-2301


2/124


Housekeeping

We value your feedback- don't forget to complete youronline session evaluations after each session &complete the Overall Conference Evaluation which willbe available online from Thursday

Visit the World of Solutions

Please remember this is a 'non-smoking' venue!

Please switch off your mobile phones

Please make use of the recycling bins provided

Please remember to wear your badge at all times


3/124


Reference Materials

Deploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

Deploying IPv6 in Branch Networks:http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

CCO IPv6 Main Page:http://www.cisco.com/go/ipv6

Cisco Network Designs:http://www.cisco.com/go/srnd
http://www.cisco.com/univercd/cc/td/doc/solution/%0Bcampipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bcampipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bbrchipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bbrchipv6.pdfhttp://www.cisco.com/go/ipv6http://www.cisco.com/go/srndhttp://www.cisco.com/go/srndhttp://www.cisco.com/go/ipv6http://www.cisco.com/univercd/cc/td/doc/solution/%0Bbrchipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bbrchipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bbrchipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bcampipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bcampipv6.pdfhttp://www.cisco.com/univercd/cc/td/doc/solution/%0Bcampipv6.pdf


4/124


BRKCRS-2301 Recommended Reading


5/124


Agenda

The Need for IPv6

Address Considerations

General Concepts

Infrastructure DeploymentCampus/Data Center

WAN/Branch

Remote Access

Planning and Deployment Summary

AppendixFor Reference Only


6/124


The Need for IPv6


7/124


8/124 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 8

Monitoring Market Drivers

http://www.potaroo.net/tools/ipv4/

Impact - slow down of Internetgrowth

Enterprise expanding intoemerging markets

Address space depletion National IT Strategy

MSFT Vista & Server 2008

IPv6 on & preferred by defaultApplications only runningover IPv6 (P2P framework)

U.S. Federal Mandate

IPv6 Task Force and promotion councils:Africa, India, Japan, Korea,

China Next Generation Internet (CNGI)project

European Commission sponsoredprojects

Infrastructure Evolution

IP NGN

DOCSIS 3.0, FTTH, HDTV, Quad

PlayMobile SP 3G, WiMax, PWLAN

Networks in Motion

Networked Sensors, ie: AIRS

NAT Overlap M&A
http://www.potaroo.net/tools/ipv4/http://www.potaroo.net/tools/ipv4/


9/124



Address Considerations



Hierarchical Addressing andAggregation

Prefix assignment can be larger/smallerhttp://www.icann.org/announcements/announcement-12oct06.htm

Provider independent proposal:

http://www.arin.net/policy/proposals/2005_1.html

Be careful when using /127 on P2P links (See RFC 3627)

ISP

2001:DB8::/32Site 2

IPv6 Internet

2000::/32001:DB8:0002::/48

2001:DB8:0001::/48

Site 1

OnlyAnnouncesthe /32 Prefix

2001:DB8:0001:0001::/64

2001:DB8:0001:0002::/64

2001:DB8:0002:0001::/64

2001:DB8:0002:0002::/64
http://www.icann.org/announcements/announcement-12oct06.htmhttp://www.icann.org/announcements/announcement-12oct06.htmhttp://www.icann.org/announcements/announcement-12oct06.htmhttp://www.icann.org/announcements/announcement-12oct06.htmhttp://www.icann.org/announcements/announcement-12oct06.htmhttp://www.icann.org/announcements/announcement-12oct06.htm



ULA, ULA + Global or Global

What type of addressing should I deploy internal to mynetwork? It depends:

ULA-onlyToday, no IPv6 NAT is useable in production sousing ULA-only will not work externally to your network

ULA + Global allows for the best of both worlds but at a pricemuch more address management with DHCP, DNS, routing andsecuritySAS does not always work as it should

Global-onlyRecommended approach but the old-schoolsecurity folks that believe topology hiding is essential in security

will bark at this option

Lets explore these options



Unique-Local Addressing (RFC4193)

Used for internal communications, inter-site VPNsNot routable on the internetbasically RFC1918 for IPv6 only betterless likelihood ofcollisions

Default prefix is /48/48 limits use in large organizations that will need more spaceSemi-random generator prohibits generating sequentially useable prefixesno easy way tohave aggregation when using multiple /48sWhy not hack the generator to produce something larger than a /48 or even sequential /48s?Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is itpractical? Probably, but with dangersremember the idea for ULA; internal addressing witha slim likelihood of address collisions with M&A. By consuming a larger space or the entireULA space you will significantly increase the chances of pain in the future with M&A

Routing/security controlYou must always implement filters/ACLs to block any packets going in or out of your network

(at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is theonly way the ULA scope can be enforced

Generate your own ULA: http://www.sixxs.net/tools/grh/ula/

Generated ULA= fd9c:58ed:7d73::/48

* MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard)* EUI64 address=020D9Dfffe93A0C3* NTP date=cc5ff71943807789 cc5ff71976b28d86
http://www.sixxs.net/tools/grh/ula/http://www.sixxs.net/tools/grh/ula/



CorporateBackboneBranch 2

Branch 1Corp HQ

ULA-Only

Everything internal runs the ULA space

A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on theinternetmust run filters to prevent any SA/DA in ULA range from beingforwarded

Works as it does today with IPv4 except that today, there are no scalableNAT/Proxies for IPv6

Removes the advantages of not having a NAT (i.e. application

interoperability, global multicast, end-to-end connectivity)

ULA Space FD9C:58ED:7D73::/48

FD9C:58ED:7D73:2800::/64

Internet

FD9C:58ED:7D73:3000::/64 FD9C:58ED:7D73::2::/64

Global2001:DB8:CAFE::/48

Requires NAT for IPv6



CorporateBackboneBranch 2

Branch 1Corp HQ

ULA + Global

Both ULA and Global are used internally except for internal-only hosts

Source Address Selection (SAS) is used to determine which address to use whencommunicating with other nodes internally or externally In theory, ULA talks to ULA and Global talks to GlobalSAS should work this out ULA-only and Global-only hosts can talk to one another internal to the network Define a filter/policy that ensures your ULA prefix does not leak out onto the

Internet and ensure that no traffic can come in or out that has a ULA prefix in theSA/DA fields

Management overhead for DHCP, DNS, routing, security, etc

ULA Space FD9C:58ED:7D73::/48Global 2001:DB8:CAFE::/48

FD9C:58ED:7D73:2800::/642001:DB8:CAFE:2800::/64

Internet

FD9C:58ED:7D73:3000::/642001:DB8:CAFE:3000::/64

FD9C:58ED:7D73::2::/642001:DB8:CAFE:2::/64

Global2001:DB8:CAFE::/48



ConsiderationsULA + Global

Use DHCPv6 for ULA and Globalapply different policies for both (lifetimes,options, etc..)

Check routability for bothcan you reach an AD/DNS server regardless of whichaddress you have?

Any policy using IPv6 addresses must be configured for the appropriate range(QoS, ACL, load-balancers, PBR, etc.)

If using SLAAC for bothMicrosoft Windows allows you to enable/disable privacyextensions globallythis means you are either using them for both or not at all!!! One option is to use SLAAC for the Global range and enable privacy extensions

and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admindefined, etc.)

Unlike Global and link-local scopes ULA is not automatically controlled at theappropriate boundaryyou must prevent ULA prefix from going out or in at yourperimeter

SAS behavior is OS dependent and there have been issues with it working reliably

Temporary Preferred 6d23h59m55s 23h59m55s 2001:db8:cafe:2:cd22:7629:f726:6a6bDhcp Preferred 13d1h33m55s 6d1h33m55s fd9c:58ed:7d73:1002:8828:723c:275e:846dOther Preferred infinite infinite fe80::8828:723c:275e:846d 8



Randomized IID and Privacy Extensions

Enabled by default on Microsoft Windows Enable/disable via GPO or CLI

Alternatively, use DHCP (see later) to a specific pool

Randomized address are generated for non-temporaryautoconfigured addresses including public and link-localusedinstead of EUI-64 addresses

Randomized addresses engage Optimistic DADlikelihood ofduplicate LL address is rare so RS can be sent before full DADcompletion

Windows Vista/2008 send RS while DAD is being performed tosave time for interface initialization (read RFC4862 on why thisis ok)

Privacy extensions are used with SLAAC

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistentnetsh interface ipv6 set privacy state=disabled store=persistent



ULA + Global Example

interface Vlan2

description ACCESS-DATA-2

ipv6 address 2001:DB8:CAFE:2::D63/64

ipv6 address FD9C:58ED:7D73:1002::D63/64

ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise

ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise

ipv6 nd managed-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:11::9

Network

DHCPv6 Client

DHCPv6 Server

2001:DB8:CAFE:11::9

Addr Type DAD State Valid Life Pref. Life Address--------- ----------- ---------- ---------- ------------------------Dhcp Preferred 13d23h48m24s 6d23h48m24s 2001:db8:cafe:2:c1b5:cc19:f87e:3c41Dhcp Preferred 13d23h48m24s 6d23h48m24s fd9c:58ed:7d73:1002:8828:723c:275e:846dOther Preferred infinite infinite fe80::8828:723c:275e:846d 8


19/124



Link LevelPrefix LengthConsiderations

64 bits

Recommended by

RFC3177 andIAB/IESG

Consistency makesmanagement easy

MUST for SLAAC

(MSFT DHCPv6also)

Significant Addressspace loss

Enables more hosts

per broadcastdomain

Considered badpractice

64 bits offers more

space for hosts thanthe media cansupport efficiently

< 64 bits > 64 bits

Address space conservation

Special cases:/126valid for p2p/127not valid for p2p(RFC3627)/128loopback

Complicates management Must avoid overlap with

specific addresses:Router Anycast (RFC3513)Embedded RP (RFC3956)ISATAP addresses


21/124



Stateful/Stateless DHCPv6

Stateful and stateless DHCPv6 serverCisco Network Registrar:http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/

Microsoft Windows Server 2008:http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-

54aa-4cef-9164-139e8bcc44751033.mspx?mfr=trueDibbler: http://klub.com.pl/dhcpv6/

DHCPv6 Relaysupported on routers and Catalystinterface FastEthernet0/1

description CLIENT LINK

ipv6 address 2001:DB8:CAFE:11::1/64



ipv6 nd other-config-flag

ipv6 dhcp relay destination 2001:DB8:CAFE:10::2

Network

IPv6 Enabled Host

DHCPv6Server
http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://klub.com.pl/dhcpv6/http://klub.com.pl/dhcpv6/http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=truehttp://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/



General ConceptsFHRP, Multicast and QoS


24/124


25/124


HSRP for IPv6

Many similarities with HSRP for IPv4 Changes occur in Neighbor

Advertisement, Router Advertisement,and ICMPv6 redirects

No need to configure GW on hosts(RAs are sent from HSRPactive router)

Virtual MAC derived from HSRP groupnumber and virtual IPv6 link-local address

IPv6 Virtual MAC range:0005.73A0.0000 - 0005.73A0.0FFF(4096 addresses)

HSRP IPv6 UDP Port Number 2029

(IANA Assigned) No HSRP IPv6 secondary address No HSRP IPv6 specific debug

interface FastEthernet0/1

ipv6 address 2001:DB8:66:67::2/64

ipv6 cef

standby version 2

standby 1 ipv6 autoconfig

standby 1 timers msec 250 msec 800

standby 1 preemptstandby 1 preempt delay minimum 180

standby 1 authentication md5 key-string cisco

standby 1 track FastEthernet0/0

HSRPStandby

HSRPActive

Host with GW of Virtual IP

#route -A inet6 | grep ::/0 | grep eth2::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2


26/124


IPv6 QoS Syntax Changes

IPv4 syntax has used ip following match/set statementsExample:match ip dscp, set ip dscp

Modification in QoS syntax to support IPv6 and IPv4

Newmatch criteria

match dscpMatch DSCP in v4/v6match precedenceMatch Precedence in v4/v6

New set criteria

set dscpSet DSCP in v4/v6

set precedence

Set Precedence in v4/v6 Additional support for IPv6 does not always require new Command

Line Interface (CLI)ExampleWRED


27/124


Infrastructure Deployment

Start Here: Cisco IOS Software Release Specifics for IPv6 Featureshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123c

gcr/ipv6_c/ftipv6s.htm


28/124


IPv6 Coexistence

IPv6Network

IPv6Network

IPv6Host

ConfiguredTunnel/MPLS(6PE/6VPE)

IPv6Host

MPLS/IPv4

IPv4: 192.168.99.1

IPv6: 2001:db8:1::1/64IPv6/IPv4

Dual Stack

IPv6ISATAPRouter

IPv4 ISATAP Tunneling(Intra-Site Automatic Tunnel Addressing Protocol)

ConfiguredTunnel/MPLS(6PE/6VPE)


29/124


Campus/Data Center

Deploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

ESE Campus Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_

design_guidances_list.html#anchor2
http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdfhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_%0Bdesign_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_%0Bdesign_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_%0Bdesign_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_%0Bdesign_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_%0Bdesign_guidances_list.htmlhttp://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf


30/124


31/124


Campus IPv6 Deployment OptionsDual-Stack IPv4/IPv6

#1 requirementswitching/routing platforms must supporthardware based forwarding forIPv6

IPv6 is transparent on L2

switches butL2 multicastMLD snooping

IPv6 managementTelnet/SSH/HTTP/SNMP

Intelligent IP services on WLAN

Expect to run the same IGPsas with IPv4

Keep featureexpectations simple

Dual-stackServer

L2/L3

v6-Enabled

v6-

Enabled

v6-Enabled

v6-

Enabled

IPv6/IPv4 Dual Stack Hosts

v6-Enabled

v6-Enabled

DualStack

DualStack

AggregationLayer (DC)

AccessLayer (DC)

AccessLayer

DistributionLayer

Core Layer


32/124


Access Layer: Dual Stack

Catalyst 3560/3750In order to enable IPv6 functionalitythe proper SDM template needs to be defined(http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htm# )

If using a traditional Layer-2 access design, the only thingthat needs to be enabled on the access switch(management/security discussed later) is MLD snooping:

3560/3750 non-E series cannot support both HSRP for IPv4and HSRP for IPv6 on the same interfacehttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.html#

wp925898

Switch(config)#ipv6 mld snooping

Switch(config)#sdm prefer dual-ipv4-and-ipv6 default
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htmhttp://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htmhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/release/notes/OL16489.htmlhttp://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htmhttp://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swsdm.htm


33/124


Distribution Layer: HSRP, EIGRP andDHCPv6-relay (Layer 2 Access)

ipv6 general-prefix ULA-CORE FD9C:58ED:7D73::/53ipv6 general-prefix ULA-ACC FD9C:58ED:7D73:1000::/53

ipv6 unicast-routing

!

interface GigabitEthernet1/0/1

description To 6k-core-right

ipv6 address ULA-CORE ::3:0:0:0:D63/64

ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53

!

interface GigabitEthernet1/0/2

description To 6k-core-left

ipv6 address ULA-CORE ::C:0:0:0:D63/64ipv6 eigrp 10

ipv6 hello-interval eigrp 10 1

ipv6 hold-time eigrp 10 3

ipv6 authentication mode eigrp 10 md5

ipv6 authentication key-chain eigrp 10 eigrp

ipv6 summary-address eigrp 10 FD9C:58ED:7D73:1000::/53

interface Vlan4description Data VLAN for Access

ipv6 address ULA-ACC ::D63/64

ipv6 nd prefix FD9C:58ED:7D73:1002::/64no-advertise


ipv6 dhcp relay destinationfd9c:58ed:7d73:811::9

ipv6 eigrp 10

standby version 2standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 750

standby 2 priority 110

standby 2 preempt delay minimum 180

standby 2 authentication ese

!

ipv6 router eigrp 10

no shutdownrouter-id 10.122.10.10

passive-interface Vlan4

passive-interface Loopback0


34/124


Campus IPv6 Deployment OptionsHybrid Model

Offers IPv6 connectivity via multipleoptions

Dual-stack

Configured tunnelsL3-to-L3

ISATAPHost-to-L3

Leverages existing network Offers natural progression to

full dual-stack design

May require tunneling toless-than-optimal layers(i.e. core layer)

ISATAP creates a flat network (allhosts on same tunnel are peers)

Create tunnels per VLAN/subnet to keepsame segregation as existing design (notclean today)

Provides basic HA of ISATAP tunnelsvia old Anycast-RP idea

Dual-stackServer

L2/L3

v6-Enabled

NOT v6-

Enabled

v6-Enabled

NOT v6-

Enabled

IPv6/IPv4 Dual Stack Hosts

v6-Enabled

v6-Enabled

Dua

lStack

Dua

lStack

ISATAP

ISATAP


AccessLayer (DC)

AccessLayer

DistributionLayer

Core Layer


35/124


Highly Available ISATAP DesignTopology

ISATAP tunnels from PCs inaccess layer to core switches

Redundant tunnels to core orservice block

Use IGP to prefer one core switchover another (both v4 and v6routes)deterministic

Preference is important due to therequirement to have traffic(IPv4/IPv6) route to the sameinterface (tunnel) where host isterminated onWindows XP/2003

Works like Anycast-RP with IPmc

Primary ISATAP Tunnel

Secondary ISATAP Tunnel

IPv6 Server

v6-Enabled v6-Enabled

NOT v6-

Enabled

v6-Enabled

v6-Enabled

PC1 - Red VLAN 2 PC2 - Blue VLAN 3

NOT v6-Enabled

DualS

tack

DualS

tack


AccessLayer (DC)

AccessLayer

DistributionLayer

Core Layer


36/124


IPv6 Campus ISATAP ConfigurationRedundant Tunnels

interface Tunnel2ipv6 address 2001:DB8:CAFE:2::/64 eui-64

no ipv6 nd suppress-ra

ipv6 ospf 1 area 2

tunnel source Loopback2

tunnel mode ipv6ip isatap

!

interface Tunnel3

ipv6 address 2001:DB8:CAFE:3::/64 eui-64


ipv6 ospf 1 area 2



!

interface Loopback2

description Tunnel source for ISATAP-VLAN2

ip address 10.122.10.102 255.255.255.255

!

interface Loopback3


ip address 10.122.10.103 255.255.255.255

interface Tunnel2ipv6 address 2001:DB8:CAFE:2::/64 eui-64


ipv6 ospf 1 area 2

ipv6 ospf cost 10



!

interface Tunnel3



ipv6 ospf 1 area 2

ipv6 ospf cost 10



!interface Loopback2

ip address 10.122.10.102 255.255.255.255

delay 1000

!

interface Loopback3

ip address 10.122.10.103 255.255.255.255

delay 1000

ISATAP Primary ISATAP Secondary


37/124


IPv6 Campus ISATAP ConfigurationISATAP Client Configuration

C:\>netsh int ipv6 isatap set router 10.122.10.103

Ok.

int lo310.122.10.103

int tu3

int lo310.122.10.103

10.120.3.101

int tu3

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101

IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2

Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2

interface Tunnel3



ipv6 eigrp 10

tunnel source Loopback3tunnel mode ipv6ip isatap

!

interface Loopback3


ip address 10.122.10.103 255.255.255.255

New tunnelcomes upwhen failure

occurs

Windows XP/Vista Host


38/124


DistributionLayer

AccessLayer

CoreLayer


AccessLayer (DC)

IPv6/IPv4Dual-stack

Server

IPv6/IPv4Dual-stack Hosts

Data CenterBlock

AccessBlock

IPv6 and IPv4 Enabled

1

1

2

2

Campus Hybrid Model 1QoS

1. Classification and marking of IPv6 is done on the egress interfaces on the corelayer switches because packets have been tunneled until this pointQoSpolicies for classification and marking cannot be applied to the ISATAP tunnelson ingress

2. The classified and marked IPv6 packets can now be examined by upstreamswitches (e.g. aggregation layer switches) and the appropriate QoS policies canbe applied on ingress. These polices may include trust (ingress), policing

(ingress) and queuing (egress)


39/124


Campus IPv6 Deployment OptionsIPv6 Service Blockan Interim Approach

Provides ability to rapidly deployIPv6 services without touchingexisting network

Provides tight control of where IPv6is deployed and where the trafficflows (maintain separation ofgroups/locations)

Offers the same advantages asHybrid Model without the alterationto existing code/configurations

Configurations are very similar to theHybrid Model

ISATAP tunnels from PCs in access layer toservice block switches (instead of core layerHybrid)

1) Leverage existing ISP block forboth IPv4 and IPv6 access

2) Use dedicated ISP connectionjust for IPv6Can use IOS FW orPIX/ASA appliance

Primary ISATAP Tunnel

Secondary ISATAP Tunnel

ISATAP

IPv6 Service Block

Intern

et

Dedicated FW

IOS FW

Data Center Block

VLAN 2

WAN/ISP Block

IPv4-onlyCampus

Block

AggLayer

VLAN 3

2

1

AccessLayer

Dist.Layer

CoreLayer

AccessLayer


40/124


IPv6 Data Center Integration

The single most overlooked and,potentially, complicated area for IPv6deployment

Front-end design will be similar to campusbased on feature, platform and connectivitysimilarities Nexus, 6500, 4900M

IPv6 for SAN is supported inSAN-OS 3.0

Major issue in DC with IPv6 todayNICTeaming

Watch status of IPv6 support from App,Grid, DB vendors, DC management

Get granulare.g. iLO

Impact on clustersMicrosoft Server 2008 failoverclusters fully support IPv6 (and L3)

Build an IPv6-only server farm?

DataCenterCore

Aggregation

Access

Core

Access

Servers

Storage

CampusCore


41/124


42/124


WAN/BranchDeploying IPv6 in Branch Networks:

http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdfESE WAN/Branch Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10
http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdfhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.htmlhttp://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf


43/124


44/124


IPv6 Enabled BranchTake Your PickMix-and-Match

Internet

HQ

Dual-StackIPSec VPN (IPv4/IPv6)IOS Firewall (IPv4/IPv6)Integrated Switch

(MLD-snooping)

Branch

Single Tier

HQ

Internet Frame

Branch

Dual Tier

Dual-StackIPSec VPN or Frame RelayIOS Firewall (IPv4/IPv6)

Switches (MLD-snooping)

Branch

Multi-Tier

Dual-StackIPSec VPN orMPLS (6PE/6VPE)Firewall (IPv4/IPv6)

Switches (MLD-snooping)

HQ

MPLS


45/124


DMVPN with IPv6Example Tunnel Configuration

interface Tunnel0


ipv6 enable

ipv6 mtu 1400

ipv6 eigrp 10

ipv6 nhrp authentication ESE

ipv6 nhrp map multicast 172.17.1.3

ipv6 nhrp map 2001:DB8:CAFE:1261::1/128 172.17.1.3ipv6 nhrp network-id 100000

ipv6 nhrp holdtime 600

ipv6 nhrp nhs 2001:DB8:CAFE:1261::1

ipv6 nhrp cache non-authoritative

tunnel source 172.16.1.2

tunnel mode gre multipoint

tunnel key 100000tunnel protection ipsec profile SPOKE

interface Tunnel0


ipv6 enable

ipv6 mtu 1400

ipv6 eigrp 10

no ipv6 split-horizon eigrp 10

ipv6 hold-time eigrp 10 35

no ipv6 next-hop-self eigrp 10ipv6 nhrp authentication ESE

ipv6 nhrp map multicast dynamic

ipv6 nhrp network-id 100000

ipv6 nhrp holdtime 600

ipv6 nhrp cache non-authoritative

tunnel source GigabitEthernet0/1

tunnel mode gre multipointtunnel key 100000

tunnel protection ipsec profile HUB

HubInternetSpoke

Spoke Router Hub Router


46/124


Headquarters

T1Internet

ADSL

Branch

Dual-Stack Host(IPv4/IPv6)

Primary IPSec-protected configuredtunnel (IPv6-in-IPv4)

Primary DMVPN Tunnel (IPv4IPv4IPv6

Secondary DMVPN Tunnel (IPv4)

Secondary IPSec-protectedconfigured tunnel (IPv6-in-IPv4)

Single-Tier

Single-Tier Profile

Totally integrated solutionBranch router and integratedEtherSwitch moduleIOS FW and VPN for IPv6 and IPv4

When SP does not offer IPv6 services, use IPv4 IPSec VPNs formanually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6

When SP does offer IPv6 services, use IPv6 IPSec VPNs (latest

AIM/VAM supports IPv6 IPSec)


47/124


Single-Tier ProfileLAN ConfigurationDHCPv6


ipv6 multicast-routing

ipv6 cef

!

ipv6 dhcp pool DATA_VISTA

address prefix 2001:DB8:CAFE:1100::/64

dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D

domain-name cisco.com

!interface GigabitEthernet1/0.100

description DATA VLAN for Computers

encapsulation dot1Q 100

ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64



ipv6 dhcp server DATA_VISTA

ipv6 mld snooping

!

interface Vlan100

description VLAN100 for PCs and Switch management

ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64

Branch Router

EtherSwitch Module

Si l Ti P fil


48/124


Single-Tier ProfileIPSec Configuration1

crypto isakmp policy 1

encr 3desauthentication pre-share

crypto isakmp key CISCO address 172.17.1.3

crypto isakmp key SYSTEMS address 172.17.1.4

crypto isakmp keepalive 10

!

crypto ipsec transform-set HE1 esp-3des esp-sha-hmac

crypto ipsec transform-set HE2 esp-3des esp-sha-hmac!

crypto map IPv6-HE1 local-address Serial0/0/0

crypto map IPv6-HE1 1 ipsec-isakmp

set peer 172.17.1.3

set transform-set HE1

match address VPN-TO-HE1

!

crypto map IPv6-HE2 local-address Loopback0

crypto map IPv6-HE2 1 ipsec-isakmp

set peer 172.17.1.4

set transform-set HE2

match address VPN-TO-HE2

Peer at HQ (Primary)

Peer at HQ (Secondary)

Internet

Headquarters

Branch

Secondary Primary

Si l Ti P fil


49/124


Single-Tier ProfileIPSec Configuration2

Adjust delay to prefer Tunnel3

Adjust MTU to avoidfragmentation on router(PMTUD on client will not

account for IPSec/Tunneloverheard)

Permit 41 (IPv6) insteadof gre

interface Tunnel3

description IPv6 tunnel to HQ Head-end 1delay 500


ipv6 mtu 1400

tunnel source Serial0/0/0

tunnel destination 172.17.1.3

tunnel mode ipv6ip

!interface Tunnel4

description IPv6 tunnel to HQ Head-end 2

delay 2000


ipv6 mtu 1400


tunnel destination 172.17.1.4

tunnel mode ipv6ip

!

interface Serial0/0/0

description to T1 Link Provider (PRIMARY)

crypto map IPv6-HE1

interface Dialer1

description PPPoE to BB providercrypto map IPv6-HE2

!

ip access-list extended VPN-TO-HE1

permit 41 host 172.16.1.2 host 172.17.1.3

ip access-list extended VPN-TO-HE2

permit 41 host 10.124.100.1 host 172.17.1.4


50/124


51/124


HeadquartersBranch

IPv4IPv6

FrameRelayDual-Stack Host

(IPv4/IPv6)

Dual-Tier

Dual-Tier Profile

Redundant set of branch routersseparate branch switch(multiple switches can use StackWise technology)

Each branch router uses a single frame-relay connection

All dual-stack (branch LAN and WAN)no tunnels needed


52/124

IP 6 IPS E l


53/124


IPv6 IPSec ExampleIKE/IPSec Policies

crypto isakmp policy 1authentication pre-sharecrypto isakmp key CISCOKEY address ipv62001:DB8:CAFE:999::2/128crypto isakmp keepalive 10 2!crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac

!crypto ipsec profile v6PROset transform-set v6STRONG

2001:DB8:CAFE:999::1 2001:DB8:CAFE:999::2

crypto isakmp policy 1authentication pre-sharecrypto isakmp key CISCOKEY address ipv62001:DB8:CAFE:999::1/128crypto isakmp keepalive 10 2!crypto ipsec transform-set v6STRONG esp-3des esp-sha-hmac!crypto ipsec profile v6PROset transform-set v6STRONG

IPv6Network

Router1 Router2

IPv6Network

IPv6Network

IP 6 IPS E l


54/124


IPv6 IPSec ExampleTunnels

interface Tunnel0ipv6 address 2001:DB8:CAFE:F00D::1/127ipv6 eigrp 10ipv6 mtu 1400tunnel source Serial2/0tunnel destination 2001:DB8:CAFE:999::2tunnel mode ipsec ipv6tunnel protection ipsec profile v6PRO

!interface Ethernet0/0ipv6 address 2001:DB8:CAFE:100::1/64ipv6 eigrp 10!interface Serial2/0ipv6 address 2001:DB8:CAFE:999::1/127

interface Tunnel0ipv6 address 2001:DB8:CAFE:F00D::2/127ipv6 eigrp 10ipv6 mtu 1400tunnel source Serial2/0tunnel destination 2001:DB8:CAFE:999::1tunnel mode ipsec ipv6tunnel protection ipsec profile v6PRO

!interface Ethernet0/0ipv6 address 2001:DB8:CAFE:200::1/64ipv6 eigrp 10!interface Serial2/0ipv6 address 2001:DB8:CAFE:999::2/127

2001:DB8:CAFE:999::1 2001:DB8:CAFE:999::2

IPv6Network

Router1 Router2

IPv6Network

IPv6Network


55/124


Remote Access


56/124


Cisco VPN Client 4.xIPv4 IPSec Termination (PIX/ASA/IOS VPN/Concentrator)

IPv6 Tunnel Termination (IOS ISATAP or ConfiguredTunnels)

AnyConnect Client 2.xSSL/TLS or DTLS (datagram TLS = TLS over UDP

Tunnel transports both IPv4 and IPv6 and thepackets exit the tunnel at the hub ASA as native IPv4and IPv6.

Internet

IPv6 IPSec Tunnels IOS 12.4(4)T IPv6 HW Encryption 7200 VAM2+ SPA ISR AIM VPN

IPv6 Firewall IOS Firewall 12.3T, 12.4, 12.4T FWSM 3.x PIX 7.x +, including ASA 5500 series

Client-based IPsec VPN

Client-based SSL

IOS 12.4(9)TRFC4552OSPFv3Authentication

All IOSpacket

filtering e-ACL IPv6 over DMVPN

Cisco IPv6 Security


57/124


58/124


59/124


Planning and Deployment Summary


60/124


IPv6 Integration Outline

Establish the network

starting point Importance of a network

assessment and available tools

Defining early IPv6 securityguidelines and requirements

Additional IPv6 pre-deployment tasks needingconsideration

Pre-DeploymentPhases

DeploymentPhases

Transport considerations

for integration Campus IPv6 integration

options

WAN IPv6 integration options

Advanced IPv6

services options

Integration/Coexistence Starting Points


61/124


3

4

Integration/Coexistence Starting PointsExample: Integration Demarc/Start Points in Campus/WAN

Start dual-stack on hosts/OSStart dual-stack in campus distributionlayer (details follow)

Start dual-stack on the WAN/campuscore/edge routers

NAT-PT for servers/apps only capableof IPv4 (temporary only)

2001::/64

v4 and v6

10.1.3.0/24

2001::/64

v6 Only 10.1.2.0/24

v4 OnlyDual-Stack

IPv4-IPv6Routers

v4 and v6

10.1.4.0/24

2001::/64L2

v6-Enabled

IPv6 Server

IPv4-Only

Segment

NAT-PT

Dual-StackIPv4-IPv6

Core and Edge2

1

2

3

4

1

2


62/124


DeploymentScenario

The Scope of IPv6 Deployment

Basic Network Infrastructure

HardwareSupport

IPAddressing

RoutingProtocols

Networked Infrastructure Services

DNS &DHCP

LoadBalancing& ContentSwitching

Security(Firewalls& IDS/IPS)

ContentDistribution

Instrumentation

Optimization(WAAS, SSLacceleration)

StaffTra

iningandOperations

VPNAccess

Networked Device Support

DataCenterServers

ClientAccess(PCs)

PrintersCollaboration

Devices &Gateways

Sensors &Controllers

Applications & Application Suites

Web Content Management

Connectivity

Roll-out

Releases&

Planning

IP Services (QoS, Multicast, Mobility, Translation)

IPv6 over MPLS(6PE/6VPE)

IPv6 over IPv4 Tunnels(Configured, 6to4, ISATAP, GRE)

Dual-Stack

M j SP C f E t i


63/124


Major SP Concerns for EnterpriseAccounts

Port to PortAccess Multi-Homing

Content Provisioning

IPv6


64/124


Port-to-Port Access

Port to Port Access Multi-Homing


IPv6

Dual-stack or native IPv6 at each POP SLA driven just like IPv4 to support VPN, content

accessBasic Internet

6VPE

IPv6 MulticastMPLS IPv6 access to hosted content Cloud migration (move data from Ent DC to Hosted

DC)

Hosted (seecontent)


65/124


Multi-Homing



IPv6

PA is no good for customers with multiple providers or changethem at any pace

PI is new, constantly changing expectations and no guarantee anSP wont do something stupid like not route PI space

Customers fear that RIR will review existing IPv4 space and want itback if they get IPv6 PI (already part of the questionnaire)

PI/PA PolicyConcerns

Religious debate about the security exposure not a multi-homingissue

If customer uses NAT like they do today to prevent address/policyexposure where do they get the technology from no scalableIPv6 NAT exists todayNAT

Is it really different from what we do today with IPv4? Is this policystuff?

Guidance on prefixes per peering point, per theater, per ISP,ingress/egress rules, etc.. this is largely missing today

Routing


66/124


Content



IPv6

IPv6 provisioning and access to hosted or cloud-basedservices today (existing agreements)

Salesforce.com, Microsoft BPOS (Business ProductivityOnline Services)

Hosted/Cloud Appstoday

Movement from internal-only DC services tohosted/cloud-based DC

Provisioning, data/network migration services, DR/HA

Move to

Hosted/Cloud

Third-party marketing, business development,outsourcing

Existing contracts how to offer to connect over IPv6

Contract/ManagedMarketing/Portals


67/124


Provisioning



IPv6

Not a lot of information from accounts on this but it doesconcern them

How can they provision their own services (i.e. cloud) toinclude IPv6 services and do it over IPv6

SP Self-ServicePortals

More of a management topic but the point here is thatcustomers want the ability to alter their services based onviolations, expiration or restrictions on the SLA

Again, how can they do this over IPv6 AND for IPv6services

SLA


68/124


69/124


Q & A


70/124


Complete Your Session Evaluation

Please give us your feedback!!

Complete the evaluation form you weregiven when you entered the room

This is session BRKCRS-2301

Dont forget to complete the overallevent evaluation form included inyour registration kit

YOUR FEEDBACK IS VERYIMPORTANT FOR US!!! THANKS


71/124


72/124


Appendix Slides

For Reference Only


73/124


Appendix: Microsoft WindowsVista//7/Server 2008


74/124


Understand the Behavior of Vista

IPv6 is preferred over IPv4Vista sends IPv6 NA/NS/RS upon link-up

Attempts DHCP for IPv6

If no DHCP or local RA received with Global or ULA, then try

ISATAPIf no ISATAP, then try Teredo

Become familiar with Teredohttp://www.microsoft.com/technet/prodtechnol/winxppro

/maintain/teredo.mspxANY application built on the Peer-to-Peer Framework

REQUIRES IPv6 and will NOT function over IPv4http://www.microsoft.com/technet/network/p2p/default.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspxhttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspxhttp://www.microsoft.com/technet/network/p2p/default.mspxhttp://www.microsoft.com/technet/network/p2p/default.mspxhttp://www.microsoft.com/technet/network/p2p/default.mspxhttp://www.microsoft.com/technet/network/p2p/default.mspxhttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspxhttp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx


75/124

IPv4 NetworkNo IPv6 Network Services


76/124


IPv4 Network No IPv6 Network ServicesWhat Does Vista Try to Do?

No. Time Source Destination Protocol Info13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK - Transaction ID 0x2b8af443

....Bootstrap Protocol...Your (client) IP address: 10.120.2.2 (10.120.2.2)...Option: (t=3,l=4) Router = 10.120.2.1Option: (t=6,l=4) Domain Name Server = 10.121.11.4Option: (t=15,l=9) Domain Name = "cisco.com"..

No. Time Source Destination Protocol Info

70 13.360756 10.120.2.2 10.121.11.4 DNS Standard query A isatap.cisco.comNo. Time Source Destination Protocol Info

138 25.362181 10.120.2.2 10.121.11.4 DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source Destination Protocol Info580 296.686197 10.120.2.2 10.120.3.2 TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8581 296.687721 10.120.3.2 10.120.2.2 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152582 296.687794 10.120.2.2 10.120.3.2 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0583 296.687913 10.120.2.2 10.120.3.2 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0

10.120.2.2ese-vista1

10.120.3.2ese-vista2

ISATAP??

Teredo??

IPv4-only Router


77/124


What Is Teredo?

RFC4380 Tunnel IPv6 through NATs (NAT types defined in RFC3489)

Full Cone NATs (aka one-to-one)Supported by Teredo

Restricted NATsSupported by Teredo

Symmetric NATsSupported by Teredo with Vista/Server 2008 if only one Teredo client isbehind a Symmetric NATs

Uses UDP port 3544

Is complexmany sequences for communication and has severalattack vectors

Available on:

Microsoft Windows XP SP1 w/Advanced Networking PackMicrosoft Windows Server 2003 SP1

Microsoft Windows Vista (enabled by defaultinactive until application requires it)

Microsoft Server 2008http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx

Linux, BSD and Mac OS XMiredohttp://www.simphalempin.com/dev/miredo/
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspxhttp://www.simphalempin.com/dev/miredo/http://www.simphalempin.com/dev/miredo/http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx


78/124


Teredo Components

Teredo ClientDual-stack node that supports Teredo tunneling toother Teredo clients or IPv6 nodes(via a relay)

Teredo ServerDual-stack node connected to IPv4 Internet andIPv6 Internet. Assists in addressing of Teredo clients and initialcommunication between clients and/or IPv6-only hostsListens onUDP port 3544

Teredo RelayDual-stack router that forwards packets betweenTeredo clients and IPv6-only hosts

Teredo Host-Specific RelayDual-stack node that is connected to

IPv4 Internet and IPv6 Internet and can communicate with TeredoClients without the need for a Teredo Relay


79/124


80/124


Teredo Address

Teredo IPv6 prefix (2001::/32previously was 3FFE:831F::/32)

Teredo Server IPv4 address: global address of the server

Flags: defines NAT type (e.g. Cone NAT)

Obfuscated External Port: UDP port number to be used withthe IPv4 address

Obfuscated External Address: contains the global addressof the NAT

Teredoprefix

32 bits

Teredo ServerIPv4 Address

32 bits

Flags

16 bits

ObfuscatedExternal Address

32 bits

ObfuscatedExternal

Port

16 bits


81/124


Initial Configuration for Client

1. RS message sent from Teredo client to serverRS from LL address with Cone flag set

2. Server responds with RARS has Cone flag setserver sends RA from alternate v4addressif client receives the RA, client is behind cone NAT

3. If RA is not received by client, client sends another RA with Cone flag not set

4. Server responds with RA from v4 address = destination v4 address from RSif clientreceives the RA, client is behind restricted NAT

5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server

6. 2nd server sends an RA to clientclient compares mapped address and UDP ports in theOrigin indicators of the RA received by both servers. If different, then the NAT is mappingsame internal address/port to different external address/port and NAT is a symmetric NAT

7. Client constructs Teredo address from RAFirst 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo

server address)

Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT)

Next 16 bits are external obscured UDP port from Origin indicator in RA

Last 32 bits are obscured external IP address from Origin indicator in RA

7 2001:0:4136:e37e:0:fbaa:b97e:fe4e

TeredoPrefix

TeredoServer v4

Flags Ext. UDPPort v4

External v4address

TeredoClient NAT

IPv4Internet

1

2

3

4

5

6

TeredoServer 1

TeredoServer 2


82/124


What Happens on the Wire1No. Time Source Destination Protocol Info

15 25.468050 172.16.1.103 151.164.11.201 DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source Destination Protocol Info16 25.481609 151.164.11.201 172.16.1.103 DNS Standard query response A 65.54.227.126A65.54.227.127 A 65.54.227.120 A 65.54.227.124

netsh interface ipv6>sh teredo

Teredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.comClient Refresh Interval : defaultClient Port : defaultState : qualifiedType : teredo clientNetwork : unmanagedNAT : restricted

netsh interface ipv6>sh teredoTeredo Parameters---------------------------------------------Type : clientServer Name : teredo.ipv6.microsoft.com

Client Refresh Interval : defaultClient Port : defaultState :probe(cone)Type : teredo clientNetwork : unmanagedNAT : cone


83/124


What Happens on the Wire2No. Time Source Destination Protocol Info

28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitationInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)

User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)No. Time Source Destination Protocol Info

29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitationInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)

No. Time Source Destination Protocol Info31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation

Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisementInternet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103)User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109)Teredo Origin Indication header

Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)

Prefix: 2001:0:4136:e37e::

No. Time Source Destination Protocol Info33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation

Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement

Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo Origin Indication header

Origin UDP port: 1109Origin IPv4 address: 70.120.2.1 (70.120.2.1)

Prefix: 2001:0:4136:e37e::

Send RS ConeFlag=1 (Cone

NAT), every 4seconds

If no reply, sendFlag=0(restricted NAT)

Receive RAwith Originheader andprefix

Send RS to 2ndserver to checkfor symmetric

NAT

Compare 2nd

RAOriginport/addressfrom 2nd server


84/124


What Happens on the Wire3No. Time Source Destination Protocol Info82 139.258206 172.16.1.103 151.164.11.201 DNS Standard query AAAA www.kame.net

No. Time Source Destination Protocol Info83 139.530547 151.164.11.201 172.16.1.103 DNS Standard query response AAAA2001:200:0:8002:203:47ff:fea5:3085

No. Time Source Destination Protocol Info96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 EchorequestInternet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

No. Time Source Destination Protocol Info

97 149.405579 fe80::8000:5445:5245:444f 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next headerInternet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)Teredo IPv6 over UDP tunneling

Teredo Origin Indication headerOrigin UDP port: 50206Origin IPv4 address: 66.117.47.227 (66.117.47.227)

No. Time Source Destination Protocol Info98 149.405916 172.16.1.103 66.117.47.227 UDP Source port: 1109 Destination port: 50206




DNS lookup

Response

ICMP to hostvia TeredoServer

Relay sendsBubblepacket toclient viaserverclientreceives relayaddress-port

Packetsto/from IPv6host andclient traverserelay

According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sentbeing researched:

http://msdn2.microsoft.com/en-us/library/aa965910.aspx
http://msdn2.microsoft.com/en-us/library/aa965910.aspxhttp://msdn2.microsoft.com/en-us/library/aa965910.aspxhttp://msdn2.microsoft.com/en-us/library/aa965910.aspxhttp://msdn2.microsoft.com/en-us/library/aa965910.aspx


85/124


What Happens on the Wire3 (Cont.)

Interface 7: Teredo Tunneling Pseudo-InterfaceAddr Type DAD State Valid Life Pref. Life Address--------- ---------- ------------ ------------ -----------------------------Public Preferred infinite infinite 2001:0:4136:e37e:0:fbaa:b97e:fe4eLink Preferred infinite infinite fe80::ffff:ffff:fffd

C:\>ping www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=453msReply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms


86/124


87/124


Appendix: ISATAP Overview

Intrasite Automatic Tunnel AddressP t l


88/124


Protocol

RFC 4214 This is for enterprise networks such as corporate and

academic networks

Scalable approach for incremental deployment

ISATAP makes your IPv4 infratructure as transport(NBMA) network

Intrasite Automatic TunnelAdd P t l


89/124


Address Protocol

ISATAP is used to tunnel IPv4 within as administrative

domain (a site) to create a virtual IPv6 network over aIPv4 network

Supported in Windows XP Pro SP1 and others

Interface

Identifier(64 bits)

IPv4 Address64-bit Unicast Prefix 0000:5EFE:

32-bit32-bit

Use IANAs OUI 00-00-5E and

Encode IPv4 Address as Part of EUI-64

Automatic Advertisementf ISATAP P fi


90/124


IPv6

Network

IPv4 Network ISATAP Router 1E0

of ISATAP Prefix

ISATAP Tunnel

ISATAP Host A

ICMPv6 Type 133 (RS)IPv4 Source: 206.123.20.100IPv4 Destination: 206.123.31.200IPv6 Source: fe80::5efe:ce7b:1464IPv6 Destination: fe80::5efe:ce7b:1fc8Send me ISATAP Prefix ICMPv6 Type 134 (RA)

IPv4 Source: 206.123.31.200IPv4 Destination: 206.123.20.100IPv6 Source: fe80::5efe:ce7b:1fc8IPv6 Destination: fe80::5efe:ce7b:1464ISATAP Prefix: 2001:db8:ffff :2::/64

Automatic Address Assignmentf H t d R t


91/124


of Host and Router

ISATAP host A receives the ISATAP prefix2001:db8:ffff:2::/64 from ISATAP Router 1

When ISATAP host A wants to send IPv6 packets to

2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host Aencapsulates IPv6 packets in IPv4. The IPv4 packets ofthe IPv6 encapsulated packets use IPv4 source anddestination address.

206.123.20.100fe80::5efe:ce7b:14642001:db8:ffff:2::5efe:ce7b:1464

206.123.31.200fe80::5efe:ce7b:1fc82001:db8:ffff:2::5efe:ce7b:1fc8

IPv6

Network

IPv4 Network ISATAP Router 1E0

ISATAP Tunnel

ISATAP Host A


92/124

IP 4 d IP 6 M lti t C i


93/124


IPv4 and IPv6 Multicast Comparison

Service IPv4 Solution IPv6 Solution

Addressing Range 32-bit, Class D 128-bit (112-bit Group)

Routing

Protocol Independent,

All IGPs and MBGP

Protocol Independent,

All IGPs and MBGPwith v6 mcast SAFI

ForwardingPIM-DM, PIM-SM,

PIM-SSM, PIM-bidir,PIM-BSR

PIM-SM, PIM-SSM,PIM-bidir, PIM-BSR

Group Management IGMPv1, v2, v3 MLDv1, v2

Domain Control Boundary, Border Scope Identifier

Interdomain SolutionsMSDP Across Independent

PIM DomainsSingle RP Within Globally

Shared Domains

MLD 1 J i i G (REPORT)


94/124


MLDv1: Joining a Group (REPORT)

Destination:FF3E:40:2001:DB8:C003:1109:1111:1111ICMPv6 Type: 131

FE80::207:85FF:FE80:692

FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

rtr-a

Source

Group:FF3E:40:2001:DB8:C003:1109:1111:1111

H1

1

1 Destination:FF3E:40:2001:DB8:C003:1109:1111:1111ICMPv6 Type: 131

2

2

H1 sends a REPORT for the group

H2 sends a REPORT for the group

1

2

H2

MLDv1: Host Management


95/124


H1 sends DONE to FF02::2

RTR-A sends Group-Specific Query

H2 sends REPORT for the group3

1

1 2

(Group-Specific Query)

FE80::207:85FF:FE80:692

FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

rtr-a

Group:FF3E:40:2001:DB8:C003:1109:1111:1111

H1

3 REPORT to groupICMPv6 Type: 131

12

Destination:FF02::2ICMPv6 Type: 132

Destination:FF3E:40:2001:DB8:C003:1109:1111:1111ICMPv6 Type: 130

H2

Source

Other MLD Operations


96/124


Other MLD Operations

Leave/DONELast host leavessends DONE (Type 132)

Router will respond with group-specific query (Type 130)

Router will use the last member query response interval

(Default=1 sec) for each queryQuery is sent twice and if no reports occur then entry is removed(2 seconds)

General Query (Type 130)

Sent to learn of listeners on the attached link

Sets the multicast address field to zero

Sent every 125 seconds (configurable)

A Few Notes on Tunnels


97/124


A Few Notes on Tunnels

PIM uses tunnels when RPs/sources are known Source registering (on first-hop router)

Uses virtual tunnel interface (appear in OIL for [S,G])

Created automatically on first-hop router when

RP is known

Cisco IOS keeps tunnel as long as RP is known

Unidirectional (transmit only) tunnels

PIM Register-Stop messages are sent directly from RP

to registering router (not through tunnel!)

PIM Tunnels (DR to RP)


98/124


PIM Tunnels (DR-to-RP)

branch#show interface tunnel 1Tunnel1 is up, line protocol is up

Hardware is TunnelMTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255Encapsulation TUNNEL, loopback not setKeepalive not setTunnel source 2001:DB8:C003:111E::2 (Serial0/2),

destination 2001:DB8:C003:1116::2

Tunnel protocol/transport PIM/IPv6, key disabled,sequencing disabledChecksumming of packets disabledTunnel is transmit onlyLast input never, output never, output hang neverLast clearing of "show interface" counters never

output truncated

branch#show ipv6 pim tunnel

Tunnel1*Type : PIM EncapRP : 2001:DB8:C003:1116::2Source: 2001:DB8:C003:111E::2

RP

L0

CorporateNetwork

Source

DR

PIM Tunnels (RP)


99/124


PIM Tunnels (RP)

Source registering (on RP) two virtual tunnelsare created

One transmit only for registering sources locally connectedto the RP

One receive only for decapsulation of incoming registersfrom remote designated routers

No one-to-one relationship between virtual tunnels ondesignated routers and RP!

PIM Tunnels (RP for Source)


100/124


PIM Tunnels (RP-for-Source)

RP-router#show interface tunnel 1Tunnel1 is up, line protocol is upHardware is TunnelMTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255Encapsulation TUNNEL, loopback not setKeepalive not set

Tunnel source 2001:DB8:C003:1116::2(FastEthernet0/0), destination 2001:DB8:C003:1116::2Tunnel protocol/transport PIM/IPv6, key disabled,

sequencing disabledChecksumming of packets disabledTunnel is receive only

output truncated

RP-router#show ipv6 pim tunnelTunnel0*

Type : PIM EncapRP : 2001:DB8:C003:1116::2Source: 2001:DB8:C003:1116::2

Tunnel1*Type : PIM DecapRP : 2001:DB8:C003:1116::2Source: - RP

L0

CorporateNetwork

SourceTu

Tunneling v6 Multicast


101/124


Tunneling v6 Multicast

v6 in v4 v6 in v4 most widely used

tunnel mode ipv6ip


102/124


Source Specific Multicast (SSM)

No configuration requiredother than enabling

ipv6 multicast-routing

SSM group ranges areautomatically defined

Requires MLDv2on host or SSMMapping feature

router#show ipv6 pim range-listconfig SSM Exp: never Learnt from : ::

FF33::/32 Up: 1d00h

FF34::/32 Up: 1d00h

FF35::/32 Up: 1d00h

FF36::/32 Up: 1d00h

FF37::/32 Up: 1d00h

FF38::/32 Up: 1d00h

FF39::/32 Up: 1d00h

FF3A::/32 Up: 1d00h

FF3B::/32 Up: 1d00h

FF3C::/32 Up: 1d00hFF3D::/32 Up: 1d00h

FF3E::/32 Up: 1d00h

FF3F::/32 Up: 1d00h

SSM Mapping


103/124


SSM-Mapping

Delay in SSM deployment (both IPv4 and IPv6) isbased mainly on lack of IGMPv3 and MLDv2 availabilityon the endpoints

SSM-Mapping allows for the deployment of SSM in

the network infrastructure without requiring MLDv2(for IPv6) on the endpoint

SSM-Mapping enabled router will map MLDv1 reportsto a source (which do not natively include the source

like with MLDv2)Range of groups can be statically defined or used with DNS

Wildcards can be used to define range of groups

SSM-Mapping


104/124


SSM-Mapping

CorporateNetwork

2001:DB8:CAFE:11::11

ipv6 multicast-routing!ipv6 mld ssm-map enableipv6 mld ssm-map staticMAP 2001:DB8:CAFE:11::11no ipv6 mld ssm-map query dns!ipv6 access-listMAPpermit ipv6 any host FF33::DEAD

MLDv1

Source

FF33::DEAD

SSM

core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11

(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sTIncoming interface: GigabitEthernet3/3RPF nbr: FE80::20E:39FF:FEAD:9B00Immediate Outgoing interface list:GigabitEthernet5/1, Forward, 00:01:20/00:03:06

ipv6 multicast-routing!ipv6 mld ssm-map enable!ip domain multicast ssm-map.cisco.comip name-server 10.1.1.1

Static Mapping:

DNS Mapping (the default):


105/124

IPv6 Multicast PIM BSR: Configuration


106/124


IPv6 Multicast PIM BSR: Configuration

RP2001:DB8:C003:1116::2

Source

CorporateNetwork

IPWAN

RP2001:DB8:C003:110A::1

wan-bottom#sh run | incl ipv6 pim bsr

ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1

wan-top#sh run | incl ipv6 pim bsr

ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2

Bidirectional PIM (Bidir)


107/124


Bidirectional PIM (Bidir)

The same many-to-many model as before Configure Bidir RP and range via the usualip pim rp-address syntax with the optional bidirkeyword

!ipv6 pim rp-address 2001:DB8:C003:110A::1bidir!#show ipv6 pim range | include BD

Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::

Embedded-RP Addressing Overview


108/124


Embedded-RP Addressing Overview

RFC 3956 Relies on a subset of RFC3306IPv6 unicast-

prefix-based multicast group addresses withspecial encoding rules:

Group address carries the RP address for the group!

8 4 4 4 4 8 64 32

FF | Flags| Scope |Rsvd | RPaddr| Plen | Network Prefix | Group ID

New Address format defined :

Flags = 0RPT, R = 1, P = 1, T = 1=> RP address embedded(0111 = 7)

Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112

Embedded RP: 2001:0DB8:C003:111D::1


109/124

Embedded-RP Configuration Example


110/124


RPL0

CorporateNetwork

Source

IPWAN

Embedded-RP Configuration Example

RP to be used as anEmbedded-RP needs to beconfigured with address/grouprange

All other non-RP routers

require no specialconfiguration

ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP

!ipv6 access-list ERPpermit ipv6 any FF7E:140:2001:DB8:C003:111D::/96

Embedded RPDoes It Work?


111/124


Embedded RP Does It Work?

branch#show ipv6 pim range | include Embedded

Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::

FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24

IPWAN

To RP

ReceiverSendsReport

branch#show ipv6 pim group

FF7E:140:2001:DB8:C003:111D ::/96*RP : 2001:DB8:C003:111D::1Protocol: SMClient : EmbeddedGroups : 1Info : RPF: Se0/0.1,FE80::210:7FF:FEDD:40

branch#show ipv6 mroute active

Active IPv6 Multicast Sources - sending >= 4 kbpsGroup: FF7E:140:2001:DB8:C003:111D:0:1112Source: 2001:DB8:C003:1109::2Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)


112/124


113/124

IPv6 QoS: Header Fields


114/124


IPv6 QoS: Header Fields

IPv6 traffic class

Exactly the same as TOS fieldin IPv4

IPv6 Flow Label (RFC 3697)

A new 20-bit field in the IPv6basic header which:

Labels packets belongingto particular flows

Can be used for specialsender requests

Per RFC, Flow Label mustnot be modified byintermediate routers

Keep an eye out for workbeing doing to leverage theflow label

Version Traffic Class Flow Label

Payload LengthNext

HeaderHop Limit

Source Address

Destination Address

Simple QoS Example: IPv4 and IPv6


115/124


Simple QoS Example: IPv4 and IPv6

class-map match-any BRANCH-BULK-DATAmatch access-group name BULK-DATA-IPV6match access-group name BULK-DATAclass-map match-all BULK-DATAmatch dscp af11!policy-map RBR-WAN-EDGEclass BULK-DATAbandwidth percent 4random-detect

!policy-map RBR-LAN-EDGE-INclass BRANCH-BULK-DATAset dscp af11

!ip access-list extended BULK-DATA

permit tcp any any eq ftppermit tcp any any eq ftp-data!ipv6 access-list BULK-DATA-IPV6permit tcp any any eq ftppermit tcp any any eq ftp-data

service-policy output RBR-WAN-EDGE

service-policy input RBR-LAN-EDGE-IN

ACL Match To Set DSCP(If Packets Are Not Already Marked)

ACLs to Match for BothIPv4 and IPv6 Packets

Configuring Cisco IOS NAT-PT


116/124


Configuring Cisco IOS NAT PT

192.168.1.0/24

2001:DB8:C003:1::/64

F0/1

F0/0

NAT Prefix 2010::/96

.10

DNS

.100

2001:DB8:C003:1::10

interface FastEthernet0/0ipv6 address 2001:DB8:C003:1::1/64ipv6 cefipv6 nat

!interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0ipv6 nat prefix 2010::/96ipv6 nat

!ipv6 nat v4v6 source 192.168.1.100 2010::100

!ipv6 nat v6v4 source route-map MAP1 pool V4POOLipv6 nat v6v4 pool V4POOL 192.168.2.1192.168.2.10prefix-length 24!route-map MAP1 permit 10match interface FastEthernet0/1

IPv6 Security


117/124


IPv6 Security

RFC mandates privacy and encryption

Same IPSec you already know

Two security extension headers defined; all implementationsrequired to support (IPSec)

Authentication Header (AH)

Encapsulating Security Payload (ESP)

Key distribution protocols are under development

Support for manual key configuration required

IPv6 Security is more than IPSec!

New concept of privacy addressingOn by default in Microsoft XP SP1+

Randomly generated address

Nearly impossible to perform successful network scans

IPv6 Protocol Challenges


118/124


IPv6 Protocol Challenges

Inherits many challenges found in IPv4Same applications

Same TCP, UDP layers

Many new features

Autoconfiguration (router advertisements)

NDNeighbor Discovery (altering ICMPv6 packets)

DADMultiple (bad) addresses

Mobile IPv6binding update, etc.


119/124

IPv6 Transition Mechanism Challenges


120/124


g

Dual stackConsider security for both protocols

Cross v4/v6 abuse

Resiliency (shared resources)

Tunnels

Bypass firewalls (protocol 41)

Relayed DoS attacks from v6 to v4 and vice versa

Translation mechanismsPrevent end-to-end network and transport layer security

Basic IPv6 Packet Filtering(Access Control List)


121/124


(Access Control List)

Every IPv6 ACL has implicit permit icmp any any nd-naand permit icmp any any nd-ns

Implicit deny all at the end of access list

Web Server

2001:DB8:C003:1102::10/64

IPv6 Internet

F0/0

interface FastEthernet0/0ipv6 address 2001:DB8:C003:1101::1/64ipv6 traffic-filter V6FILTER in!ipv6 access-list V6FILTERpermit tcp any host 2001:DB8:C003:1102::10 eq web!

HTTPANY

When Used for Traffic Filtering, IPv6 AccessControl Lists (ACL) Offers the Same Level ofSupport as in IPv4

Cisco IOS IPv6 Firewall Feature SetExample: Nothing New from IPv4


122/124


a p e ot g e o

ipv6 unicast-routingipv6 cef!ipv6 inspect audit-trailipv6 inspect max-incomplete low 150ipv6 inspect max-incomplete high 250ipv6 inspect one-minute low 100ipv6 inspect one-minute high 200

ipv6 inspect name V6FW tcp timeout 300ipv6 inspect name V6FW udpipv6 inspect name V6FW icmp!interface FastEthernet0/0ipv6 address 2001:DB8:C003:1112::2/64ipv6 cefipv6 traffic-filter EXAMPLE inipv6 inspect V6FW in!ipv6 access-list EXAMPLEpermit tcp any host 2001:DB8:C003:1113::2 eq wwwpermit tcp any host 2001:DB8:C003:1113::2 eq ftpdeny ipv6 any any log

Web/FTP Server2001:DB8:C003:1113::2

IPv6Internet

F0/0

HTTP

ANY

FTP

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/ps5761/index.html

Cisco IOS Firewall Released 12.3(7)T

PIX/ASA: ACLVery Similar to Cisco IOS
http://www.microsoft.com/technet/windowsvista/library/8a70907e-9137-4426-a46f-a2d1eeadbd5a.mspxhttp://www.microsoft.com/technet/windowsvista/library/8a70907e-9137-4426-a46f-a2d1eeadbd5a.mspx


123/124


y

interface Ethernet0nameif outsideipv6 address 2001:db8:c000:1051::37/64ipv6 enableinterface Ethernet1nameif insideipv6 address 2001:db8:c000:1052::1/64ipv6 enable


ipv6 route outside ::/0 2001:db8:c000:1051::1

ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnetipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64

access-group SECURE in interface outside


124/124

Documents

3.Enterprise IPv6 Deployment