Enterprise IPv6 Design

Enterprise IPv6 Deployment

Shannon McFarland CCIE# 5245, VCP Corporate Consulting Engineer Office of the CTO [email protected]_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

1

Reference Materials Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/ Campus/CampIPv6.html Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ns7 42/ns816/landing_br_ipv6.html CCO IPv6 Main Page: http://www.cisco.com/go/ipv6 Cisco Network Designs: http://www.cisco.com/go/designzone

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

2

Recommended Reading

Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah ISBN0470193387, John Wiley & Sons PublicationsPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Coming Soon!!

3

Agenda The Need for IPv6 Planning and Deployment Summary Address Considerations General Concepts

Infrastructure DeploymentCampus/Data Center WAN/Branch Remote Access

Provider Considerations

Presentation_ID


Cisco Public

4

The Need For IPv6

Presentation_ID


Cisco Public

5

Market Factors Driving IPv6 DeploymentAddress Issues National IPv6 Strategies US DoD, China NGI, EU 2011

IPv6IPv6 OS, Content & ApplicationsInfrastructure EvolutionSmartGrid, SmartCities DOCSIS 3.0, 4G/LTE ,IPSO

www.oecd.org: Measuring IPv6 adoptionPresentation_ID C3RS 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 2008 Cisco Systems, Inc. All rights reserved. Cisco Highly ConfidentialControlled Access

6

IPv6 Provides Benefits Across the Board Building sensors Media services Collaboration Mobility Set-top boxes Internet gaming Appliances Voice/video Security monitoring

Higher Education/Research

Consumer

Embedded devices Industrial Ethernet IP-enabled components

Manufacturing

DoD WIN-T FCS JTRS GIG-BE

Telematics Traffic control Hotspots Transit services

Animal tags Imagery Botanical Weather

Home care Wireless asset tracking Imaging Mobility

Health Care

Government (Federal/Public Sector)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Transportation

Agriculture/ Wildlife7

Dramatic Increase in Enterprise ActivityWhy?

Enterprise that is or will be expanding into emerging markets Enterprise that partners with other companies who may use IPv6 (larger enterprise, located in emerging markets, government, service providers) Adoption of Windows 7, Windows 2008, DirectAccess Frequent M&A activity

Energy High density IP-enabled endpoints (SmartGrid)

Presentation_ID


Cisco Public

8

Planning & Deployment Summary

Presentation_ID


Cisco Public

9

Enterprise Adoption Spectrum Mostly or completely past the why? phase Assessment (e2e) Weeding out vendors (features and $) Focus on training and filling gaps

Preliminary Research

Production/Looking for parity and beyond

Pilot/Early Deployment Is it real? Do I need to deploy everywhere? Equipment status? SP support? Addressing What does it cost?Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Still fighting vendors Content and wide-scale app deployment Review operational cost of 2 stacks Competitive/Strategic advantages of new environment10

IPv6 Integration OutlinePre-Deployment Phases Establish the network starting point Importance of a network assessment and available tools Defining early IPv6 security guidelines and requirements Additional IPv6 predeployment tasks needing consideration

Deployment Phases Transport considerations for integration Campus IPv6 integration options WAN IPv6 integration options Advanced IPv6 services options

Presentation_ID


Cisco Public

11

Integration/Coexistence Starting PointsExample: Integration Demarc/Start Points in Campus/WAN1 2

Start dual-stack on hosts/OSStart dual-stack in campus distribution layer (details follow)10.1.3.0/24 2001::/64

3 4

Start dual-stack on the WAN/campus core/edge routersNAT64 for servers/apps only capable of IPv4 (temporary only)v4 and v6

Edge-to-CoreL2v6Enabled

1 3Dual-Stack IPv4-IPv6 Core and Edge

10.1.4.0/24 2001::/64

2 2v4 and v6

v6 Only 2001::/64 IPv6 Server IPv4-Only SegmentPresentation_ID

Start in Core and move to the edge

Dual-Stack IPv4-IPv6 Routers

v4 Only 10.1.2.0/24

NAT64/DNS64

4Cisco Public


12

Address Considerations

Presentation_ID


Cisco Public

13

Hierarchical Addressing and AggregationSite 12001:DB8:0001:0001::/64 2001:DB8:0001:0002::/64

ISP2001:DB8:0002:0001::/64 2001:DB8:0002:0002::/64

Only Announces the /32 Prefix

2001:DB8:0001::/48 Site 2

2001:DB8::/32 IPv6 Internet

2000::/32001:DB8:0002::/48

Default is /48 can be larger End-user Additional Assignment https://www.arin.net/resources/request/ipv6_add_assign.html Provider independent See Number Resource Policy Manual (NRPM) - https://www.arin.net/policy/nrpm.html

Presentation_ID


Cisco Public

14

ULA, ULA + Global or Global What type of addressing should I deploy internal to my network? It depends:ULA-onlyToday, no IPv6 NAT is useable in production so using ULA-only will not work externally to your network ULA + Global allows for the best of both worlds but at a price much more address management with DHCP, DNS, routing and securitySAS does not always work as it should Global-onlyRecommended approach but the old-school security folks that believe topology hiding is essential in security will bark at this option

Lets explore these options

Presentation_ID


Cisco Public

17

Unique-Local Addressing (RFC4193) Used for internal communications, inter-site VPNsNot routable on the internetbasically RFC1918 for IPv6 only betterless likelihood of collisions

Default prefix is /48/48 limits use in large organizations that will need more space Semi-random generator prohibits generating sequentially useable prefixesno easy way to have aggregation when using multiple /48s Why not hack the generator to produce something larger than a /48 or even sequential /48s? Is it legal to use something other than a /48? Perhaps the entire space? Forget legal, is it practical? Probably, but with dangersremember the idea for ULA; internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A

Routing/security controlYou must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range today this is the only way the ULA scope can be enforced

Generate your own ULA: http://www.sixxs.net/tools/grh/ula/Generated ULA= fd9c:58ed:7d73::/48 * MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard) * EUI64 address=020D9Dfffe93A0C3 * NTP date=cc5ff71943807789 cc5ff71976b28d86Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

18

ULA-OnlyInternet Branch 1Global 2001:DB8:CAFE::/48

Not Recommended Today

Requires NAT for IPv6

Corp HQ

FD9C:58ED:7D73:2800::/64

Branch 2

Corporate BackboneULA Space FD9C:58ED:7D73::/48

FD9C:58ED:7D73:3000::/64

FD9C:58ED:7D73::2::/64

Everything internal runs the ULA space A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet must run filters to prevent any SA/DA in ULA range from being forwarded

Works as it does today with IPv4 except that today, there are no scalable NAT/Proxies for IPv6 Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

19

Not Recommended

ULA + GlobalInternet Branch 1Global 2001:DB8:CAFE::/48

Corp HQ

FD9C:58ED:7D73:2800::/64 2001:DB8:CAFE:2800::/64

Branch 2

Corporate BackboneULA Space FD9C:58ED:7D73::/48 Global 2001:DB8:CAFE::/48

FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64

FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64

Both ULA and Global are used internally except for internal-only hosts Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally In theory, ULA talks to ULA and Global talks to GlobalSAS should work this out ULA-only and Global-only hosts can talk to one another internal to the network Define a filter/policy that ensures your ULA prefix does not leak out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields Management overhead for DHCP, DNS, routing, security, etcPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

20

Recommended

Global-OnlyInternet Branch 1Global 2001:DB8:CAFE::/48

Corp HQ

2001:DB8:CAFE:2800::/64

Branch 2

Corporate BackboneGlobal 2001:DB8:CAFE::/48

2001:DB8:CAFE:3000::/64

2001:DB8:CAFE:2::/64

Global is used everywhere No issues with SAS No requirements to have NAT for ULA-to-Global translationbut, NAT may be used for other purposes Easier management of DHCP, DNS, security, etc. Only downside is breaking the habit of believing that topology hiding is a good security method Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

23

Link LevelPrefix Length Considerations64 bits Recommended by RFC3177 and IAB/IESG Consistency makes management easy

< 64 bits Enables more hosts per broadcast domain Considered bad practice

> 64 bits Address space conservation Special cases: /126valid for p2p /127not valid for p2p (RFC3627) /128loopback Complicates management Must avoid overlap with specific addresses: Router Anycast (RFC3513) Embedded RP (RFC3956) ISATAP addresses25

MUST for SLAAC (MSFT DHCPv6 also) Significant address space loss (18.466 Quintillion)

64 bits offers more space for hosts than the media can support efficiently

Presentation_ID


Cisco Public

Stateful/Stateless DHCPv6 Stateful and stateless DHCPv6 serverCisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/ Microsoft Windows Server 2008: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a154aa-4cef-9164-139e8bcc44751033.mspx?mfr=true

DHCPv6 Relaysupported on routers and switchesinterface FastEthernet0/1 description CLIENT LINK ipv6 address 2001:DB8:CAFE:11::1/64 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise Network IPv6 Enabled Host

ipv6 nd managed-config-flagipv6 nd other-config-flag ipv6 dhcp relay destination 2001:DB8:CAFE:10::2 DHCPv6 Server

Presentation_ID


Cisco Public

31

General Concepts FHRP, Multicast and QoS

Presentation_ID


Cisco Public

35

First Hop Router RedundancyHSRP for v6HSRP Active HSRP Standby

Modification to Neighbor Advertisement, router Advertisement, and ICMPv6 redirects

Virtual MAC derived from HSRP group number and virtual IPv6 link-local address

GLBP for v6GLBP AVG, AVF GLBP AVF, SVF

Modification to Neighbor Advertisement, Router AdvertisementGW is announced via RAs Virtual MAC derived from GLBP group number and virtual IPv6 link-local address

Neighbor Unreachability DetectionRA Sent Reach-time = 5,000 msec

For rudimentary HA at the first HOP Hosts use NUD reachable time to cycle to next known default gateway (30s by default)

No longer neededPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

36

HSRP for IPv6 Many similarities with HSRP for IPv4 Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects No need to configure GW on hosts (RAs are sent from HSRP active router) Virtual MAC derived from HSRP group number and virtual IPv6 linklocal address IPv6 Virtual MAC range:0005.73A0.0000 - 0005.73A0.0FFF (4096 addresses)

HSRP Active

HSRP Standby

interface FastEthernet0/1 ipv6 address 2001:DB8:66:67::2/64 ipv6 cef standby version 2 standby 1 ipv6 autoconfig standby 1 timers msec 250 msec 800

HSRP IPv6 UDP Port Number 2029 (IANA Assigned) No HSRP IPv6 secondary address No HSRP IPv6 specific debug

standby 1 preemptstandby 1 preempt delay minimum 180 standby 1 authentication md5 key-string cisco standby 1 track FastEthernet0/0

Host with GW of Virtual IP#route -A inet6 | grep ::/0 | grep eth2 ::/0 fe80::5:73ff:fea0:1

UGDA

1024

0

0 eth2

Presentation_ID


Cisco Public

38

IPv6 QoS Syntax Changes IPv4 syntax has used ip following match/set statementsExample: match ip dscp, set ip dscp

Modification in QoS syntax to support IPv6 and IPv4New match criteria match dscp Match DSCP in v4/v6 match precedence Match Precedence in v4/v6 New set criteria set dscp Set DSCP in v4/v6 set precedence Set Precedence in v4/v6

Additional support for IPv6 does not always require new Command Line Interface (CLI)ExampleWRED

Presentation_ID


Cisco Public

43

Infrastructure Deployment

Start Here: Cisco IOS Software Release Specifics for IPv6 Featureshttp://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm

Presentation_ID


Cisco Public

45

IPv6 Co-existence SolutionsDual StackIPv4 IPv6

Recommended Enterprise Co-existence strategy

Tunneling ServicesIPv4 over IPv6 IPv6 over IPv4

Connect Islands of IPv6 or IPv4

Translation ServicesIPv4

IPv6

Business Partners Government Agencies International Sites Remote Workers Internet consumers

Connect to the IPv6 communityPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

46

Campus/Data Center

Deploying IPv6 in Campus Networks:http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf

ESE Campus Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2

Presentation_ID


Cisco Public

47

Campus IPv6 DeploymentThree Major Options Dual-stackThe way to go for obvious reasons: performance, security, QoS, multicast and managementLayer 3 switches should support IPv6 forwarding in hardware

HybridDual-stack where possible, tunnels for the rest, but all leveraging the existing design/gearProLeverage existing gear and network design (traditional L2/L3 and routed access) ConTunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast

IPv6 Service BlockA new network block used for interim connectivity for IPv6 overlay networkProSeparation, control and flexibility (still supports traditional L2/L3 and routed access) ConCost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not support IPv6 multicast

Presentation_ID


Cisco Public

48

Campus IPv6 Deployment OptionsDual-Stack IPv4/IPv6 #1 requirementswitching/ routing platforms must support hardware based forwarding for IPv6 IPv6 is transparent on L2 switches butL2 multicastMLD snooping IPv6 management Telnet/SSH/HTTP/SNMP Intelligent IP services on WLANv6Enabled

IPv6/IPv4 Dual Stack Hosts

Access Layer

L2/L3v6Enabled v6Enabled

Distribution Layer

Dual Stack

Dual Stack

v6Enabled

Core Layer

Expect to run the same IGPs as with IPv4 VSS supports IPv6

v6-Enabled

v6-Enabled

Aggregation Layer (DC)

Access Layer (DC)

Dual-stack ServerPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

49

Access Layer: Dual Stack Catalyst 3560/3750In order to enable IPv6 functionality the proper SDM template needs to be defined (http://www.cisco.com/univercd/cc/td/doc/product/lan/cat375 0/12225see/scg/swsdm.htm# )Switch(config)#sdm prefer dual-ipv4-and-ipv6 default

If using a traditional Layer-2 access design, the only thing that needs to be enabled on the access switch (management/security discussed later) is MLD snooping:Switch(config)#ipv6 mld snooping

3560/3750 non-E series cannot support both HSRP for IPv4 and HSRP for IPv6 on the same interface http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/ software/release/12.2_46_se/release/notes/OL16489.html# wp925898Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

50

Distribution Layer: HSRP, EIGRP and DHCPv6-relay (Layer 2 Access)ipv6 unicast-routing interface Vlan4 ! description Data VLAN for Access interface GigabitEthernet1/0/1 ipv6 address 2001:DB8:CAFE:4::2/64 description To 6k-core-right ipv6 nd prefix 2001:DB8:CAFE:4::/64 no-advertise ipv6 address 2001:DB8:CAFE:1105::A001:1010/64 ipv6 nd managed-config-flag ipv6 eigrp 10 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2 ipv6 hello-interval eigrp 10 1 ipv6 eigrp 10 ipv6 hold-time eigrp 10 3 standby version 2 ipv6 authentication mode eigrp 10 md5 standby 2 ipv6 autoconfig ipv6 authentication key-chain eigrp 10 eigrp standby 2 timers msec 250 msec 750 ! standby 2 priority 110 interface GigabitEthernet1/0/2 standby 2 preempt delay minimum 180 description To 6k-core-left standby 2 authentication ese ipv6 address 2001:DB8:CAFE:1106::A001:1010/64 ! ipv6 eigrp 10 ipv6 router eigrp 10 ipv6 hello-interval eigrp 10 1 no shutdown ipv6 hold-time eigrp 10 3 router-id 10.122.10.10 ipv6 authentication mode eigrp 10 md5 passive-interface Vlan4 ipv6 authentication key-chain eigrp 10 eigrp passive-interface Loopback0

Some OS/patches may need no-autoconfigPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

51

Campus IPv6 Deployment OptionsHybrid Model Offers IPv6 connectivity via multiple optionsDual-stack Configured tunnelsL3-to-L3 ISATAPHost-to-L3

IPv6/IPv4 Dual Stack Hosts

Access Layer

L2/L3NOT v6Enabled

ISATAP

ISATAP

Leverages existing network

Offers natural progression to full dual-stack design May require tunneling to less-than-optimal layers (i.e. core layer) ISATAP creates a flat network (all hosts on same tunnel are peers)Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)

NOT v6Enabled

Distribution Layer

v6Enabled

v6Enabled

Core Layer

Dual Stack

Dual Stack

v6-Enabled

v6-Enabled

Aggregation Layer (DC)

Provides basic HA of ISATAP tunnels via old Anycast-RP ideaPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Access Layer (DC)Dual-stack Server 56

IPv6 Campus ISATAP ConfigurationISATAP Client ConfigurationWindows XP/Vista Host C:\>netsh int ipv6 isatap set router 10.122.10.103 Ok.interface Tunnel3 ipv6 address 2001:DB8:CAFE:3::/64 eui-64 no ipv6 nd suppress-ra ipv6 eigrp 10 tunnel source Loopback3 tunnel mode ipv6ip isatap

10.120.3.101

New tunnel comes up when failure occurs

!interface Loopback3 description Tunnel source for ISATAP-VLAN3 ip address 10.122.10.103 255.255.255.255

int tu3 int lo3 10.122.10.103

int tu3 int lo3 10.122.10.103

Tunnel adapter Automatic Tunneling Pseudo-Interface:Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101 IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2 Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%262

Presentation_ID


Cisco Public

Campus Hybrid Model 1QoS1. Classification and marking of IPv6 is done on the egress interfaces on the core layer switches because packets have been tunneled until this point QoS policies for classification and marking cannot be applied to the ISATAP tunnels on ingress The classified and marked IPv6 packets can now be examined by upstream switches (e.g. aggregation layer switches) and the appropriate QoS policies can be applied on ingress. These polices may include trust (ingress), policing (ingress) and queuing (egress)Access Layer IPv6/IPv4 Dual-stack Hosts Distribution Layer Core Layer Aggregation Layer (DC) Access Layer (DC) IPv6/IPv4 Dual-stack Server

2.

1

2

1Access Block

2Data Center Block

IPv6 and IPv4 EnabledPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

64

Campus IPv6 Deployment OptionsIPv6 Service Blockan Interim ApproachVLAN 2 VLAN 3

Provides ability to rapidly deploy IPv6 services without touching existing network Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations) Offers the same advantages as Hybrid Model without the alteration to existing code/configurations Configurations are very similar to the Hybrid ModelISATAP tunnels from PCs in access layer to service block switches (instead of core layer Hybrid)

IPv4-only Campus Block

Access Layer

ISATAP

IPv6 Service BlockDist. Layer

Dedicated FW

2 Internet

Core Layer

1) Leverage existing ISP block for both IPv4 and IPv6 access 2) Use dedicated ISP connection just for IPv6Can use IOS FW or PIX/ASA appliance

Agg Layer Access Layer

IOS FW

Primary ISATAP Tunnel Secondary ISATAP TunnelPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

1WAN/ISP Block Data Center Block66

Cisco VSS DSM / Hybrid / Service Block Cisco VSS offers a greatly simplified configuration and extremely fast convergence for IPv6 deployment Dual stack Place VSS pair in distribution and/or core layers HA and simplified/reduced IPv6 configuration

Hybrid model If terminating tunnels against VSS (i.e. VSS at core layer), MUCH easier to configure tunnels for HA as only one tunnel configuration is needed Service Block Use VSS as the SB pair again, GREATLY simplified configuration and decrease convergence times!!

Presentation_ID


Cisco Public

69

IPv6 Data Center Integration The single most overlooked and potentially complicated area of IPv6 deployment Front-end design will be similar to campus based on feature, platform and connectivity similarities Nexus, 6500 4900M IPv6 for SAN is supported in SAN-OS 3.0

Major issue in DC with IPv6 today- NIC Teaming Watch status of IPv6 support from App, Grid, DB vendors, DC managementGet granular e.g. iLO Impact on clusters Microsoft Server 2008 Failover clusters full support IPv6 (and L3)

Build an IPv6-only server farm?

Presentation_ID


Cisco Public

70

IPv6 Data Center Integration Front-end design will be similar to campus based on feature, platform and connectivity similarities Nexus, 6500 4900M The single most overlooked and potentially complicated area of IPv6 deployment IPv6 for SAN is supported in SAN-OS 3.0

Stuff people dont think about:NIC Teaming, iLO, DRAC, IP KVM, Clusters Innocent looking Server OS upgrades Windows Server 2008 - Impact on clusters Microsoft Server 2008 Failover clusters full support IPv6 (and L3)

Build an IPv6-only server farm?

Presentation_ID


Cisco Public

71

IPv6 in the Enterprise Data CenterBiggest Challenges Today Network services above L3SLB, SSL-Offload, application monitoring (probes) Application Optimization High-speed security inspection/perimeter protection

Application support for IPv6 Know what you dont knowIf an application is protocol centric (IPv4): Needs to be rewritten Needs to be translated until it is replaced Wait and pressure vendors to move to protocol agnostic framework

Virtualized and Consolidated Data CentersVirtualization should make DCs simpler and more flexible Lack of robust DC/Application management is often the root cause of all evil Ensure management systems support IPv6 as well as the devices being managed

Presentation_ID


Cisco Public

72

Virtualized DC SolutionsDC CoreNexus 7000

DC AggregationCisco Catalyst 6500 VSS 10GbE DC Services

Nexus 7000 ACE/ASA/WAAS DC Services

DC AccessCisco Catalyst 6500 Cisco Catalyst 49xx CBS 3100 MDS 9124e

Nexus 7000

Nexus 2000Nexus 1000v

Nexus 5000

Nexus 1000v

Unified Computing System

DC SANMDS 9500 MDS 9500Gigabit Ethernet

10 Gigabit Ethernet10 Gigabit DCB 4Gb Fibre Channel 10 Gigabit FCoE/DCB

Presentation_ID


Cisco Public

73

Commonly Deployed IPv6-enabled OS/AppsOperating Systems Windows 7 SUSE Red Hat Ubuntu Virtualization & Applications VMware vSphere 4.1 Microsoft Exchange 2007 SP1/2010 Apache/IIS Web Services Windows Media Services Multiple Line of Business appsMost commercial applications wont be your problem it will be the custom/home-grown appsPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Windows Server 2008/R2 Microsoft Hyper-V

The list goes on

74

IPv6 Deployment in the Data CenterServices/Appliances Do Not Support IPv6Transparent IPv6 traffic is bridged between VLANs Permit Ethertype 0x86dd (IPv6) One-Armed IPv6 traffic bypasses services IPv4 traffic is sent to one-arm attached module/appliance Routed Create trunk between switch and server IPv4 has default gateway on service module IPv6 on separate VLAN to MSFC SwitchVLAN103 Permit 0x86dd VLAN203

Dedicated Server Farm New IPv6 only servers can be connected to existing access/agg pair on different VLANs New access/agg switches just for IPv6 servers Switch

Switch

Switch

VLAN10

VLAN11

Trunk

Dual stack server IPv4Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

Dual stack server IPv6Cisco Public

Dual stack server

IPv4 server

IPv6 server75

WAN/Branch

Deploying IPv6 in Branch Networks:http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

ESE WAN/Branch Design and Implementation Guides:http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor1 http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor10Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

94

WAN/Branch Deployment Cisco routers have supported IPv6 for a long time Dual-stack should be the focus of your implementationbut, some situations still call for tunneling Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.) Dont assume all features for every technology are IPv6-enabled Better feature support in WAN/branch than in campus/DCDual Stack Corporate Network

SP Cloud

Dual StackDual Stack

Presentation_ID


Cisco Public

95

IPv6 Enabled BranchTake Your PickMix-and-MatchBranch Single Tier Branch Dual Tier Branch Multi-Tier

HQ

HQMPLS Internet Frame

HQ

Internet

Dual-Stack IPSec VPN (IPv4/IPv6) IOS Firewall (IPv4/IPv6) Integrated Switch (MLD-snooping)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

Dual-Stack IPSec VPN or Frame Relay IOS Firewall (IPv4/IPv6) Switches (MLD-snooping)Cisco Public

Dual-Stack IPSec VPN or MPLS (6PE/6VPE) Firewall (IPv4/IPv6) Switches (MLD-snooping)96

Single-Tier Profile Totally integrated solutionBranch router and integrated EtherSwitch moduleIOS FW and VPN for IPv6 and IPv4 When SP does not offer IPv6 services, use IPv4 IPSec VPNs for manually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6 When SP does offer IPv6 services, use IPv6 IPSec VPNs (latest AIM/VAM supports IPv6 IPSec)Single-Tier

Headquarters T1 WANADSL

Branch

Dual-Stack Host (IPv4/IPv6) IPv4 IPv6Primary DMVPN Tunnel (IPv4 Secondary DMVPN Tunnel (IPv4) Primary IPSec-protected configured tunnel (IPv6-in-IPv4) Secondary IPSec-protected configured tunnel (IPv6-in-IPv4)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

97

Dual-Tier Profile Redundant set of branch routersseparate branch switch (multiple switches can use StackWise technology) Can be dual-stack if using Frame Relay or other L2 WAN typeBranchDual-Tier

Headquarters

WANDual-Stack Host (IPv4/IPv6) IPv4 IPv6

Presentation_ID


Cisco Public

106

Multi-Tier Profile All branch elements are redundant and separateWAN tierWAN connectionscan be anything (frame/IPSec) MPLS shown here Firewall tierredundant ASA firewalls Access tierinternal services routers (like a campus distribution layer) LAN tieraccess switches (like a campus access layer

Dual-stack is used on every tierIf SP provides IPv6 services via MPLS. If not, tunnels can be used from WAN tier to HQ siteMulti-Tier

LAN Tier

Access Tier

Firewall Tier

WAN Tier

Headquarters

WANDual-Stack Host (IPv4/IPv6)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

IPv4 IPv6Cisco Public

Branch108

Hybrid Branch Example Mixture of attributes from each profile An example to show configuration for different tiers

Basic HA in critical roles is the goalBranchVLAN 101: 2001:DB8:CAFE:1002::/64 2001:DB8:CAFE:1000::/64

HeadquartersPrimary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64

2001:DB8:CAFE:202::/64

ASA-1 BR1-LAN ::1 ::2 ::4 ::2

BR1-1 ::2

::1 HE1

::2::3

BR1-LAN-SW

WAN::5 ::3 BR1-2 ::3 ::1 HE2HSRP for IPv6 VIP Address - FE80::5:73FF:FEA0:2

Enterprise Campus Data Center

::3

VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer

Presentation_ID


Cisco Public

109

DMVPN with IPv6Hub Configuration Examplecrypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp key CISCO address 0.0.0.0 0.0.0.0 crypto isakmp key CISCO address ipv6 ::/0 ! crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac ! crypto ipsec profile HUB set transform-set HUB interface Tunnel0 description DMVPN Tunnel 1 ip address 10.126.1.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::1/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 no ipv6 next-hop-self eigrp 10 no ipv6 split-horizon eigrp 10 ipv6 nhrp authentication CISCO ipv6 nhrp map multicast dynamic ipv6 nhrp network-id 10 ipv6 nhrp holdtime 600 ipv6 nhrp redirect tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile HUB

Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel (dashed) 2001:DB8:CAFE:20B::/64

BR1-1 ::2

::1 HE1

::2 ::3

WANBR1-2 ::3Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

::1

HE2110

DMVPN with IPv6Spoke Configuration Examplecrypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp key CISCO address 0.0.0.0 0.0.0.0 crypto isakmp key CISCO address ipv6 ::/0 ! crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac ! interface Tunnel0 crypto ipsec profile SPOKE description to HUB set transform-set SPOKE ip address 10.126.1.2 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::2/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 no ipv6 next-hop-self eigrp 10 Backup DMVPN Tunnel (dashed) no ipv6 split-horizon eigrp 10 2001:DB8:CAFE:20B::/64 ipv6 nhrp authentication CISCO BR1-1 ::2 ::1 HE1 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1 ::2 ipv6 nhrp map multicast 172.16.1.1 ipv6 nhrp network-id 10 WAN ::3 ipv6 nhrp holdtime 600 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1 HE2 ::1 BR1-2 ::3 ipv6 nhrp shortcut tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile SPOKEPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

111

ASA with IPv6

Snippet of full config examples of IPv6 usagename 2001:db8:cafe:1003:: BR1-LAN description VLAN on EtherSwitch name 2001:db8:cafe:1004:9db8:3df1:814c:d3bc Br1-v6-Server ! interface GigabitEthernet0/0 description TO WAN nameif outside security-level 0 ip address 10.124.1.4 255.255.255.0 standby 10.124.1.5 ipv6 address 2001:db8:cafe:1000::4/64 standby 2001:db8:cafe:1000::5 ! interface GigabitEthernet0/1 description TO BRANCH LAN nameif inside security-level 100 ip address 10.124.3.1 255.255.255.0 standby 10.124.3.2 ipv6 address 2001:db8:cafe:1002::1/64 standby 2001:db8:cafe:1002::2 ! ipv6 route inside BR1-LAN/64 2001:db8:cafe:1002::3 ipv6 route outside ::/0 fe80::5:73ff:fea0:2 ! ipv6 access-list v6-ALLOW permit icmp6 any any ipv6 access-list v6-ALLOW permit tcp 2001:db8:cafe::/48 host Br1-v6-Server object-group RDP ! failover failover lan unit primary failover lan interface FO-LINK GigabitEthernet0/3 failover interface ip FO-LINK 2001:db8:cafe:1001::1/64 standby 2001:db8:cafe:1001::2 access-group v6-ALLOW in interface outside112

Presentation_ID


Cisco Public

Branch LANConnecting Hostsipv6 dhcp pool DATA_W7 dns-server 2001:DB8:CAFE:102::8 domain-name cisco.com ! interface GigabitEthernet0/0 description to BR1-LAN-SW no ip address duplex auto speed auto ! interface GigabitEthernet0/0.104 description VLAN-PC encapsulation dot1Q 104 ip address 10.124.104.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1004::1/64 ipv6 nd other-config-flag ipv6 dhcp server DATA_W7 ipv6 eigrp 10 ! interface GigabitEthernet0/0.105 description VLAN-PHONE encapsulation dot1Q 105 ip address 10.124.105.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:1005::1/64 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig ipv6 nd managed-config-flag ipv6 dhcp relay destination 2001:DB8:CAFE:102::9 ipv6 eigrp 10Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

BR1-LAN

BR1-LAN-SW

VLAN Interfaces: 104 - 2001:DB8:CAFE:1004::/64 PC 105 - 2001:DB8:CAFE:1005::/64 Voice 106 - 2001:DB8:CAFE:1006::/64 Printer

113

Cisco Remote VPN IPv6Client-based IPsec VPN

Client-based SSL

Internet

Cisco VPN Client 4.xIPv4 IPSec Termination (PIX/ASA/IOS VPN/ Concentrator) IPv6 Tunnel Termination (IOS ISATAP or Configured Tunnels)

AnyConnect Client 2.xSSL/TLS or DTLS (datagram TLS = TLS over UDP) Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.115

Presentation_ID


Cisco Public

AnyConnect 2.xSSL VPNasa-edge-1#show vpn-sessiondb svc Session Type: SVC Username : ciscoese Index : Assigned IP : 10.123.2.200 Public IP : Assigned IPv6: 2001:db8:cafe:101::101 Protocol : Clientless SSL-Tunnel DTLS-Tunnel License : SSL VPN Encryption : RC4 AES128 Hashing : Bytes Tx : 79763 Bytes Rx : Group Policy : AnyGrpPolicy Tunnel Group: Login Time : 14:09:25 MST Mon Dec 17 2007 Duration : 0h:47m:48s NAC Result : Unknown VLAN Mapping : N/A VLAN : 14 10.124.2.18

SHA1 176080 ANYCONNECT

none

Cisco ASA

Dual-Stack Host AnyConnect ClientPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

116

AnyConnect 2.xSummary Configurationinterface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.123.1.4 255.255.255.0 ipv6 enable ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.123.2.4 255.255.255.0 ipv6 address 2001:db8:cafe:101::ffff/64 ! ipv6 local pool ANYv6POOL 2001:db8:cafe:101::101/64 200 webvpn enable outside svc enable tunnel-group-list enable group-policy AnyGrpPolicy internal group-policy AnyGrpPolicy attributes vpn-tunnel-protocol svc default-domain value cisco.com address-pools value AnyPool tunnel-group ANYCONNECT type remote-access tunnel-group ANYCONNECT general-attributes address-pool AnyPool ipv6-address-pool ANYv6POOL default-group-policy AnyGrpPolicy tunnel-group ANYCONNECT webvpn-attributes group-alias ANYCONNECT enablePresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Outside

2001:db8:cafe:101::ffff

Inside

http://www.cisco.com/en/US/docs/security/vp n_client/anyconnect/anyconnect20/administra tive/guide/admin6.html#wp1002258

117

Top SP Concerns for Enterprise Accounts

Port to Port Access IPv6

Multi-Homing

Content

Provisioning

Presentation_ID


Cisco Public

122

Port-to-Port AccessPort to Port Access IPv6 Content Provisioning Multi-Homing

Basic Internet*

Dual-stack or native IPv6 at each POP SLA driven just like IPv4 to support VPN, content access

MPLSHosted (see content)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

6VPE IPv6 Multicast End-to-End traceability

IPv6 access to hosted content Cloud migration (move data from Ent DC to Hosted DC)

Cisco Public

* = most common issue

123

Multi-HomingPort to Port AccessIPv6 Content Provisioning

Multi-Homing

PI/PA Policy * ConcernsNAT RoutingPresentation_ID 2006 Cisco Systems, Inc. All rights reserved.

PA is no good for customers with multiple providers or change them at any pace PI is new, constantly changing expectations and no guarantee an SP wont do something stupid like not route PI space Customers fear that RIR will review existing IPv4 space and want it back if they get IPv6 PI Religious debate about the security exposure not a multi-homing issue If customer uses NAT like they do today to prevent address/policy exposure, where do they get the technology from no scalable IPv6 NAT exists today Is it really different from what we do today with IPv4? Is this policy stuff? Guidance on prefixes per peering point, per theater, per ISP, ingress/egress rules, etc.. this is largely missing today

Cisco Public

124

ContentPort to Port AccessIPv6 Content Provisioning

Multi-Homing

Hosted/Cloud Apps todayMove to Hosted/Cloud Contract/Managed Marketing/PortalsPresentation_ID 2006 Cisco Systems, Inc. All rights reserved.

*

IPv6 provisioning and access to hosted or cloud-based services today (existing agreements) Salesforce.com, Microsoft BPOS (Business Productivity Online Services), Amazon, Google Apps Movement from internal-only DC services to hosted/cloud-based DC Provisioning, data/network migration services, DR/HA

Third-party marketing, business development, outsourcing Existing contracts connect over IPv6

Cisco Public

125

ProvisioningPort to Port AccessIPv6 Content Provisioning

Multi-Homing

SP SelfService Portals SLAPresentation_ID 2006 Cisco Systems, Inc. All rights reserved.

Not a lot of information from accounts on this but it does concern them How can they provision their own services (i.e. cloud) to include IPv6 services and do it over IPv6

*

More of a management topic but the point here is that customers want the ability to alter their services based on violations, expiration or restrictions on the SLA Again, how can they do this over IPv6 AND for IPv6 services

Cisco Public

126

The Scope of IPv6 DeploymentWeb Content Management Applications & Application SuitesData Center Servers Client Access (PCs)Printers

Collaboration Devices & Gateways

Sensors & Controllers

Roll-out Releases & Planning

Staff Training and Operations

Networked Device SupportDNS & DHCP Load Balancing & Content Switching Security (Firewalls & IDS/IPS) Content Distribution Optimization (WAAS, SSL acceleration) VPN Access

Networked Infrastructure ServicesDeployment Scenario Hardware SupportPresentation_ID

(Configured, 6to4, ISATAP, GRE)

IPv6 over IPv4 Tunnels

Dual-Stack

IPv6 over MPLS (6PE/6VPE)

IP Services (QoS, Multicast, Mobility, Translation) Connectivity IP AddressingCisco Public

Routing Protocols

Instrumentation

Basic Network Infrastructure 2006 Cisco Systems, Inc. All rights reserved.

127

Conclusion Dual stack where you can Tunnel where you must Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by defaultunderstand what impact any OS has on the network Deploy it at least in a lab IPv6 wont bite Things to consider:Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals Dont be too late to the party anything done in a panic is likely going to go badly

Presentation_ID


Cisco Public

128

Presentation_ID


Cisco Public

129

Appendix SlidesFor Reference Only

Presentation_ID


Cisco Public

130

Appendix: Microsoft Windows Vista/W7/Server 2008

Presentation_ID


Cisco Public

131

Understand the Behavior of Vista/W7 IPv6 is preferred over IPv4Vista/W7 sends IPv6 NA/NS/RS upon link-up Attempts DHCP for IPv6 If no DHCP or local RA received with Global or ULA, then try ISATAP If no ISATAP, then try Teredo

Become familiar with Teredo http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/te redo.mspx ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4 http://www.microsoft.com/technet/network/p2p/default.mspx

Presentation_ID


Cisco Public

132

In More DetailVista/W7 on Link-UpNo Network ServicesNo. Time 1 0.000000 2 0.000030 3 0.000080 4 1.155917 5 1.156683 6 3.484709 7 126.409530 8 128.886397 Source :: fe80::80aa:fd5:f7ae:4361 fe80::80aa:fd5:f7ae:4361 fe80::80aa:fd5:f7ae:4361 169.254.67.97 169.254.67.97 fe80::80aa:fd5:f7ae:4361 0.0.0.0 Destination ff02::1:ffae:4361 ff02::2 ff02::16 ff02::1:3 224.0.0.252 169.254.255.255 ff02::1:2 255.255.255.255 Protocol Info ICMPv6 Neighbor solicitation ICMPv6 Router solicitation ICMPv6 Multicast Listener Report Message v2 UDP Source port: 49722 Destination port: 5355 UDP Source port: 49723 Destination port: 5355 NBNS Name query NB ISATAP DHCPv6 Information-request DHCP DHCP DiscoverTransaction ID 0x6c8d6efa

1. 2. 3. 4. 5. 6. 7. 8.Presentation_ID

Unspecified address :: Solicited node address NS/DAD Looking for a local router ff02::2 RS Looking for MLD enabled routers ff02::16 MLDv2 report LLMNR for IPv6ff02::1:3advertise hostname LLMNR for IPv4224.0.0.252 from RFC 3927 address No global or ULA received via step 1/2Try ISATAP Try DHCP for IPv6ff02::1:2 Try DHCP for IPv4 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

fe80::80aa:fd5:f7ae:4361 ese-vista1

133

IPv4 NetworkNo IPv6 Network ServicesWhat Does Vista/W7 Try to Do?No. Time Source Destination Protocol Info 13 8.813509 10.120.2.1 10.120.2.2 DHCP DHCP ACK .... Bootstrap Protocol ... Your (client) IP address: 10.120.2.2 (10.120.2.2) ... Option: (t=3,l=4) Router = 10.120.2.1 Option: (t=6,l=4) Domain Name Server = 10.121.11.4 Option: (t=15,l=9) Domain Name = "cisco.com" .. No. Time Source 70 13.360756 10.120.2.2 No. Time Source 138 25.362181 10.120.2.2 Destination 10.121.11.4 Destination 10.121.11.4 - Transaction ID 0x2b8af443

Protocol Info DNS Standard query A isatap.cisco.com Protocol Info DNS Standard query A teredo.ipv6.microsoft.com

No. Time Source 580 296.686197 10.120.2.2 581 296.687721 10.120.3.2 582 296.687794 10.120.2.2 583 296.687913 10.120.2.2

Destination 10.120.3.2 10.120.2.2 10.120.3.2 10.120.3.2

Protocol Info TCP 49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8 TCP epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152 TCP 49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0 DCERPC Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0

IPv4-only Router 10.120.2.2 ese-vista-1 ISATAP?? Teredo??Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

10.120.3.2 ese-vista-2

134

What Is Teredo? RFC4380 Tunnel IPv6 through NATs (NAT types defined in RFC3489)Full Cone NATs (aka one-to-one)Supported by Teredo Restricted NATsSupported by Teredo Symmetric NATsSupported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NATs

Uses UDP port 3544 Is complexmany sequences for communication and has several attack vectors Available on:Microsoft Windows XP SP1 w/Advanced Networking PackMicrosoft Windows Server 2003 SP1 Microsoft Windows Vista/W7 (enabled by defaultinactive until application requires it) Microsoft Server 2008 http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx Linux, BSD and Mac OS XMiredo http://www.simphalempin.com/dev/miredo/Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

135

Teredo Components Teredo ClientDual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay) Teredo ServerDual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hostsListens on UDP port 3544 Teredo RelayDual-stack router that forwards packets between Teredo clients and IPv6-only hosts Teredo Host-Specific RelayDual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay

Presentation_ID


Cisco Public

136

Teredo OverviewIPv6 or IPv6 over IPv4 traffic IPv6 over IPv4 traffic

Teredo host-specific relayTeredo client

IPv6-only host

IPv4 InternetNAT

Teredo server

IPv6 Internet

Teredo relay NAT IPv6 traffic Teredo client *From Microsoft Teredo Overview paperPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

137

Teredo Address32 bits 32 bits 16 bits 16 bits 32 bits

Teredo prefix

Teredo Server IPv4 Address

Flags

Obfuscated Obfuscated External External Address Port

Teredo IPv6 prefix (2001::/32previously was 3FFE:831F::/32) Teredo Server IPv4 address: global address of the server

Flags: defines NAT type (e.g. Cone NAT) Obfuscated External Port: UDP port number to be used with the IPv4 address Obfuscated External Address: contains the global address of the NAT

Presentation_ID


Cisco Public

138

Initial Configuration for Client1. RS message sent from Teredo client to serverRS from LL address with Cone flag set 2. Server responds with RARS has Cone flag setserver sends RA from alternate v4 addressif client receives the RA, client is behind cone NAT 3. If RA is not received by client, client sends another RA with Cone flag not set 4. Server responds with RA from v4 address = destination v4 address from RSif client receives the RA, client is behind restricted NAT 5. To ensure client is not behind symmetric NAT, client sends another RS to secondary server 6. 2nd server sends an RA to clientclient compares mapped address and UDP ports in the Origin indicators of the RA received by both servers. If different, then the NAT is mapping same internal address/port to different external address/port and NAT is a symmetric NAT 7. Client constructs Teredo address from RAFirst 64 bits are the value from prefix received in RA (32 bits for IPv6 Teredo prefix + 32 bits of hex representation of IPv4 Teredo server address) Next 16 bits are the Flags field (0x0000 = Restricted NAT, 0x8000 = Cone NAT) Next 16 bits are external obscured UDP port from Origin indicator in RA Teredo Last 32 bits are obscured external IP address from Origin indicator in RA

6

Server 2

Teredo Client7 2001:0:4136:e37e:0:fbaa:b97e:fe4eTeredo Prefix Teredo Server v4 Flags Ext. UDP External v4 Port v4 address

5 3 1

NAT

IPv4 Internet4

2

Teredo Server 1139

Presentation_ID


Cisco Public

What Happens on the Wire1No. Time Source Destination Protocol Info 15 25.468050 172.16.1.103 151.164.11.201 DNS No. Time Source Destination Protocol Info 16 25.481609 151.164.11.201 172.16.1.103 DNS 65.54.227.127 A 65.54.227.120 A 65.54.227.124 Standard query A teredo.ipv6.microsoft.com Standard query response A 65.54.227.126 A

netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : probe(cone) Type : teredo client Network : unmanaged NAT : cone netsh interface ipv6>sh teredo Teredo Parameters --------------------------------------------Type : client Server Name : teredo.ipv6.microsoft.com Client Refresh Interval : default Client Port : default State : qualified Type : teredo client Network : unmanaged NAT : restrictedPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

140

What Happens on the Wire2No. Time Source Destination Protocol Info 28 33.595460 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source Destination Protocol Info 29 37.593598 fe80::8000:ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) No. Time Source Destination Protocol Info 31 45.546052 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.127 (65.54.227.127) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)

Send RS Cone Flag=1 (Cone NAT), every 4 seconds

If no reply, send Flag=0 (restricted NAT) Receive RA with Origin header and prefix

No. Time Source Destination Protocol Info 32 46.039706 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement Internet Protocol, Src: 65.54.227.127 (65.54.227.127), Dst: 172.16.1.103 (172.16.1.103) User Datagram Protocol, Src Port: 3544 (3544), Dst Port: 1109 (1109) Teredo Origin Indication header Origin UDP port: 1109 Origin IPv4 address: 70.120.2.1 (70.120.2.1) Prefix: 2001:0:4136:e37e::No. Time Source Destination Protocol Info 33 46.093832 fe80::ffff:ffff:fffd ff02::2 ICMPv6 Router solicitation Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source Destination Protocol Info 34 46.398745 fe80::8000:f227:bec9:1c81 fe80::ffff:ffff:fffd ICMPv6 Router advertisement Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103) Teredo Origin Indication header Origin UDP port: 1109 Origin IPv4 address: 70.120.2.1 (70.120.2.1) Prefix: 2001:0:4136:e37e::Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Send RS to 2nd server to check for symmetric NAT Compare 2nd RAOrigin port/address from 2nd server141

What Happens on the Wire3No. Time Source 82 139.258206 172.16.1.103 Destination 151.164.11.201 Protocol Info DNS Standard query AAAA www.kame.net Protocol Info DNS Standard query response AAAA

DNS lookup Response

No. Time Source Destination 83 139.530547 151.164.11.201 172.16.1.103 2001:200:0:8002:203:47ff:fea5:3085

No. Time Source Destination Protocol Info 96 148.960607 2001:0:4136:e37e:0:fbaa:b97e:fe4e 2001:200:0:8002:203:47ff:fea5:3085 ICMPv6 Echo request Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) No. Time Source 97 149.405579 fe80::8000:5445:5245:444f Destination Protocol Info 2001:0:4136:e37e:0:fbaa:b97e:fe4e IPv6 IPv6 no next header

ICMP to host via Teredo Server

Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103) Teredo IPv6 over UDP tunneling Teredo Origin Indication header Origin UDP port: 50206 Origin IPv4 address: 66.117.47.227 (66.117.47.227) No. Time Source 98 149.405916 172.16.1.103 No. Time Source 99 149.463719 66.117.47.227 No. Time Source 100 149.464100 172.16.1.103 Destination 66.117.47.227 Destination 172.16.1.103 Destination 66.117.47.227 Protocol Info UDP Source port: 1109 Destination port: 50206 Protocol Info UDP Source port: 50206 Destination port: 1109 Protocol Info UDP Source port: 1109 Destination port: 50206

Relay sends Bubble packet to client via serverclient receives relay address-port Packets to/from IPv6 host and client traverse relay142

No. Time Source 101 149.789493 66.117.47.227

Destination 172.16.1.103

Protocol Info UDP Source port: 50206 Destination port: 1109

According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sentbeing researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspxPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

What Happens on the Wire3 (Cont.)Interface 7: Teredo Tunneling Pseudo-Interface Addr Type --------Public Link DAD State Valid Life Pref. Life ---------- ------------ -----------Preferred infinite infinite Preferred infinite infinite Address ----------------------------2001:0:4136:e37e:0:fbaa:b97e:fe4e fe80::ffff:ffff:fffd

C:\>ping www.kame.net Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data Reply Reply Reply Reply from from from from 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: 2001:200:0:8002:203:47ff:fea5:3085: time=829ms time=453ms time=288ms time=438ms

Presentation_ID


Cisco Public

143

Maintaining NAT Mapping Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT stateBubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59No next header)No. Time Source 35 46.399072 2001:0:4136:e37e:0:fbaa:b97e:fe4e Destination ff02::1 Protocol Info IPv6 IPv6 no next header

Frame 35 (82 bytes on wire, 82 bytes captured) Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd) Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253) User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544) Teredo IPv6 over UDP tunneling Internet Protocol Version 6 Version: 6 Traffic class: 0x00 Flowlabel: 0x00000 Payload length: 0 Next header: IPv6 no next header (0x3b) Hop limit: 21 Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e Destination address: ff02::1

Presentation_ID


Cisco Public

144

Appendix: ISATAP Overview

Presentation_ID


Cisco Public

145

Intrasite Automatic Tunnel Address Protocol RFC 4214 This is for enterprise networks such as corporate and academic networks Scalable approach for incremental deployment ISATAP makes your IPv4 infratructure as transport (NBMA) network

Presentation_ID


Cisco Public

146

Intrasite Automatic Tunnel Address ProtocolUse IANAs OUI 00-00-5E and Encode IPv4 Address as Part of EUI-6464-bit Unicast Prefix 0000:5EFE:32-bit

IPv4 Address32-bit

Interface Identifier (64 bits)

ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network

Supported in Windows XP Pro SP1 and others

Presentation_ID


Cisco Public

147

Automatic Advertisement of ISATAP PrefixISATAP Host A IPv4 Network ISATAP Router 1 E0 IPv6 Network

ISATAP Tunnel

ICMPv6 Type 133 (RS) IPv4 Source: 206.123.20.100 IPv4 Destination: 206.123.31.200 IPv6 Source: fe80::5efe:ce7b:1464 IPv6 Destination: fe80::5efe:ce7b:1fc8 Send me ISATAP Prefix

ICMPv6 Type 134 (RA) IPv4 Source: 206.123.31.200 IPv4 Destination: 206.123.20.100 IPv6 Source: fe80::5efe:ce7b:1fc8 IPv6 Destination: fe80::5efe:ce7b:1464 ISATAP Prefix: 2001:db8:ffff :2::/64

Presentation_ID


Cisco Public

148

Automatic Address Assignment of Host and RouterISATAP Host A IPv4 Network ISATAP Router 1 E0 IPv6 Network

ISATAP Tunnel206.123.20.100 fe80::5efe:ce7b:1464 2001:db8:ffff:2::5efe:ce7b:1464

206.123.31.200 fe80::5efe:ce7b:1fc8 2001:db8:ffff:2::5efe:ce7b:1fc8

ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1 When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.

Presentation_ID


Cisco Public

149

Appendix: Multicast

Presentation_ID


Cisco Public

150

IPv4 and IPv6 Multicast ComparisonService Addressing Range IPv4 Solution 32-bit, Class D Protocol Independent, All IGPs and MBGP PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR IGMPv1, v2, v3 Boundary, Border MSDP Across Independent PIM DomainsCisco Public

IPv6 Solution 128-bit (112-bit Group) Protocol Independent, All IGPs and MBGP with v6 mcast SAFI PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR MLDv1, v2 Scope Identifier Single RP Within Globally Shared Domains151

Routing

Forwarding

Group Management Domain Control Interdomain Solutions

Presentation_ID


MLDv1: Joining a Group (REPORT)FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

H1

H2

1

2 2 Destination:FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131

1

Destination: FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 131

1 2

H1 sends a REPORT for the group H2 sends a REPORT for the group

rtr-a

FE80::207:85FF:FE80:692

SourceGroup:FF3E:40:2001:DB8:C003:1109:1111:1111Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

152

MLDv1: Host Management(Group-Specific Query)FE80::209:5BFF:FE08:A674 FE80::250:8BFF:FE55:78DE

H13 REPORT to group 1 1 Destination:FF02::2 ICMPv6 Type: 132 ICMPv6 Type: 131

H2

2 Destination:

FF3E:40:2001:DB8:C003:1109:1111:1111 ICMPv6 Type: 130

1 H1 sends DONE to FF02::2 2 RTR-A sends Group-Specific Query 3 H2 sends REPORT for the group

rtr-a

FE80::207:85FF:FE80:692

SourceGroup:FF3E:40:2001:DB8:C003:1109:1111:1111

Presentation_ID


Cisco Public

153

Other MLD Operations Leave/DONELast host leavessends DONE (Type 132) Router will respond with group-specific query (Type 130) Router will use the last member query response interval (Default=1 sec) for each query Query is sent twice and if no reports occur then entry is removed (2 seconds)

General Query (Type 130)Sent to learn of listeners on the attached linkSets the multicast address field to zero Sent every 125 seconds (configurable)

Presentation_ID


Cisco Public

154

A Few Notes on Tunnels PIM uses tunnels when RPs/sources are known Source registering (on first-hop router)Uses virtual tunnel interface (appear in OIL for [S,G]) Created automatically on first-hop router when RP is known Cisco IOS keeps tunnel as long as RP is known Unidirectional (transmit only) tunnels PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)

Presentation_ID


Cisco Public

155

PIM Tunnels (DR-to-RP)branch#show ipv6 pim tunnel Tunnel1* Type : PIM Encap RP : 2001:DB8:C003:1116::2 Source: 2001:DB8:C003:111E::2 branch#show interface tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2 Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled Checksumming of packets disabled Tunnel is transmit only Last input never, output never, output hang never Last clearing of "show interface" counters never output truncatedPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Corporate Network

SourceL0

RP

DR

156

PIM Tunnels (RP) Source registering (on RP) two virtual tunnels are createdOne transmit only for registering sources locally connected to the RP One receive only for decapsulation of incoming registers from remote designated routers No one-to-one relationship between virtual tunnels on designated routers and RP!

Presentation_ID


Cisco Public

157

PIM Tunnels (RP-for-Source)RP-router#show ipv6 pim tunnel Tunnel0* Type : PIM Encap RP : 2001:DB8:C003:1116::2 Source: 2001:DB8:C003:1116::2 Tunnel1* Type : PIM Decap RP : 2001:DB8:C003:1116::2 Source: RP-router#show interface tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 2001:DB8:C003:1116::2 (FastEthernet0/0), destination 2001:DB8:C003:1116::2 Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled Checksumming of packets disabled Tunnel is receive only output truncatedPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Corporate Network

Source Tu RPL0

158

Tunneling v6 Multicastv6 in v4 v6 in v4 most widely usedtunnel mode ipv6ip RP address embedded (0111 = 7) Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112 Embedded RP: 2001:0DB8:C003:111D::1

Presentation_ID


Cisco Public

166

Embedded-RP PIM-SM protocol operations with embedded-RP:Intradomain transition into embedded-RP is easy: Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!

Embedded-RP is just a method to learn ONE RP address for a multicast group:It can not replace RP-redundancy as possible with BSR or MSDP/Anycast-RP

Embedded-RP does not (yet) support Bidir-PIMSimply extending the mapping function to define Bidir-PIM RPs is not sufficient: In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in BidirPIM if Embedded-RP was to be supportedPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

167

Embedded-RP Configuration ExampleCorporate Network

RP to be used as an Embedded-RP needs to be configured with address/group range All other non-RP routers require no special configuration

SourceL0

RP

IP WANipv6 pim rp-address 2001:DB8:C003:111D::1 ERP ! ipv6 access-list ERP permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96

Presentation_ID


Cisco Public

168

Embedded RPDoes It Work?branch#show ipv6 pim group FF7E:140:2001:DB8:C003:111D ::/96* RP : 2001:DB8:C003:111D::1 Protocol: SM Client : Embedded Groups : 1 Info : RPF: Se0/0.1,FE80::210:7FF:FEDD:40

IP WAN

To RP

branch#show ipv6 mroute active Active IPv6 Multicast Sources - sending >= 4 kbps Group: FF7E:140:2001:DB8:C003:111D:0:1112 Source: 2001:DB8:C003:1109::2 Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec) branch#show ipv6 pim range | include Embedded Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : :: FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24

Receiver Sends Report

Presentation_ID


Cisco Public

169

Multicast Applications Microsoft Windows Media Server/Player (9 -11)http://www.microsoft.com/windows/windowsmedia/default.aspx

VideoLANwww.videolan.org

DVTS (Digital Video Transport System)http://www.sfc.wide.ad.jp/DVTS/http://www.dvts.jp/en/dvts.html

Internet radio stations over IPv6http://www.ipv6.ecs.soton.ac.uk/virginradio/

Supported on iTunes 4.5, Windows Media Player, XMMS 1.2.8, etc

Many more applicationsGoogle is your friend :-)

Presentation_ID


Cisco Public

170

Appendix: QoS

Presentation_ID


Cisco Public

171

IPv6 QoS: Header Fields IPv6 traffic classExactly the same as TOS field in IPv4Version Traffic Class Flow Label

IPv6 Flow Label (RFC 3697)A new 20-bit field in the IPv6 basic header which: Labels packets belonging to particular flows Can be used for special sender requestsPayload Length

Next Header

Hop Limit

Source Address

Per RFC, Flow Label must not be modified by intermediate routers

Keep an eye out for work being doing to leverage the flow label

Destination Address

Presentation_ID


Cisco Public

172

Simple QoS Example: IPv4 and IPv6class-map match-any BRANCH-BULK-DATA match access-group name BULK-DATA-IPV6 match access-group name BULK-DATA class-map match-all BULK-DATA match dscp af11 ! policy-map RBR-WAN-EDGE class BULK-DATA bandwidth percent 4 random-detect ! policy-map RBR-LAN-EDGE-IN class BRANCH-BULK-DATA set dscp af11 ! ip access-list extended BULK-DATA permit tcp any any eq ftp permit tcp any any eq ftp-data ! ipv6 access-list BULK-DATA-IPV6 permit tcp any any eq ftp permit tcp any any eq ftp-dataPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

ACL Match To Set DSCP (If Packets Are Not Already Marked)service-policy input RBR-LAN-EDGE-IN

service-policy output RBR-WAN-EDGE

ACLs to Match for Both IPv4 and IPv6 Packets173

IPv6 OVER CLIENT VPN: REFERENCE SLIDES FOR NON-WINDOWS PLATFORMS

Presentation_ID


Cisco Public

174

Router Configuration: Configured TunnelsVPN 3000 Concentrator F3/1 G2/1 Corporate Network VPN Client Catalyst 6500 Supervisor 720 Dual-stackipv6 unicast-routing ! interface FastEthernet3/1 description TO VPN 3000 ip address 20.1.1.1 255.255.255.0 ! interface GigabitEthernet2/1 description TO Campus Network ipv6 address 2001:DB8:C003:111C::2/64 ! interface Tunnel1 description Configured Tunnel for Client1 no ip address ipv6 address 2001:DB8:C003:1123::1/64

tunnel source FastEthernet3/1tunnel destination 10.1.99.103 tunnel mode ipv6ipPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

175

Client Configuration (Windows XP/Vista/W7): Configured TunnelsVPN 3000 Concentrator F3/1 G2/1 Corporate Network Windows XP VPN Client Catalyst 6500 Supervisor 720 Dual-stack

Create v6v4tunnel Add IPv6 address to tunnel interface Create a default route (::/0) for the tunnel

VPN IP

Router IP

netsh interface ipv6>add v6v4tunnel CISCO 10.1.99.103 20.1.1.1 Ok. netsh interface ipv6>add address CISCO 2001:DB8:c003:1123::2 Ok. netsh interface ipv6>add route ::/0 CISCO Ok.

Presentation_ID


Cisco Public

176

Does It Work?Windows XP Client VPN 3000 Catalyst 6500 Supervisor 720 Dual-stack 10.1.99.103 - VPN address 2001:DB8:c003:1123::2IPv6 address Interface 21: CISCO Addr Type --------Manual Link DAD State Valid Life Pref. Life ---------- ------------ -----------Preferred infinite infinite Preferred infinite infinite Address ----------------------------2001:DB8:c003:1123::2 fe80::a01:6368 20.1.1.1 - IPv4 address 2001:DB8:c003:1123::1IPv6 address

netsh interface ipv6>show neighbors 21 Interface 2: Automatic Tunneling Pseudo-Interface Internet Address --------------------------------------------2001:DB8:c003:1123::1 fe80::1401:0101Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Physical Address ----------------20.1.1.1 20.1.1.1

Type ----------Permanent Permanent177

Client Configuration (Linux): ISATAP TunnelsF3/1 Catalyst 6500 Supervisor 720 Dual-stack G2/1

IPv6-enabled Requires Kernel support for ISATAP Some kernels may not have native support for ISATAP (Debian) Must configure ISATAP routerNOT automatic

Corporate Network

Linux VPN Client

VPN IP

Router IP

# ip tunnel add is0 mode isatap 10.1.99.104 v4any 20.1.1.1 ttl 64 # ip link set is0 up

*See notes for full instructions for enabling IPv6 on LinuxPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

178

Client Configuration (Sun Solaris): Configured Tunnels With 3002 ClientF3/1 Catalyst 6500 Supervisor 720 Dual-stack G2/1

IPv6-enabled Example of Solaris behind a 3002 VPN Client Basic configured tunnelmanual commands given

Corporate Network 3002 VPN Client

Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on)

Sun Solaris

Local LAN IP

Router IP

# ifconfig ip.tun0 inet6 plumb # ifconfig ip.tun0 inet6 tsrc 192.168.0.1 tdst 20.1.1.1 up # ifconfig ip.tun0 inet6 addif 2001:DB8:c003:1123::2/64 2001:DB8:c003:1123::1 up Created new logical interface ip.tun0:2 *See notes for full instructions for enabling IPv6 on SolarisPresentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

179

Client Configuration (Mac): Configured Tunnels With 3002 HW ClientF3/1 Catalyst 6500 Supervisor 720 Dual-stack G2/1

IPv6-enabled Have permissions (root user) Example of Mac behind a 3002 VPN Client

Corporate Network 3002 VPN Client

MAC OS X Client

Local LAN IP Router IP# # # # ifconfig gif0 tunnel create ifconfig gif0 tunnel 192.168.0.1 20.1.1.1 ifconfig gif0 inet6 alias 2001:DB8:c003:1123::2 route add -inet6 default -interface gif0

Presentation_ID


Cisco Public

180

OPERATING SYSTEM CONFIGURATION REFERENCE

Presentation_ID


Cisco Public

181

Microsoft

Presentation_ID


Cisco Public

182

Client Configuration Dual-Stack Required

Windows Client

Dual-stack Router

Microsoft Windows XP (SP1 or higher), Server 2003, Vista/W7, Server 2008

IPv6 must be installed on XP and 2003 (enabled by default on Vista/W7/2008)C:\>ipv6 install

Have network (Routers/Switches) configured for IPv6Stateless autoconfiguration and/or DHCPv6C:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection-specific IP Address. . . . . Subnet Mask . . . . IP Address. . . . . IP Address. . . . . Default Gateway . .Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

Connection 1: DNS Suffix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Cisco Public

: : : : : :

10.1.1.100 255.255.255.0 2001:db8:cafe:1122:203:ffff:fe81:d6da fe80::203:ffff:fe81:d6da%4 10.1.1.1 fe80::201:42ff:fe2d:9580183

ISATAP Refresher Intra-Site Automatic Tunnel Addressing Protocol RFC 4214 Host-to-router Tunnel ISATAP connections look like one flat network Create DNS A record for ISATAP = 10.120.4.1 Use Static Config if DNS use is not desired: C:\>netsh interface ipv6 isatap set router 10.120.4.1 Recommendation: Deploy ISATAP endpoints via policy distributionL3 device with IPv4 address (10.120.4.1) and IPv6 dual-stack IPv6 Network

ISATAP Tunnel

IPv4 Network

Host with IPv4 address (10.120.2.2) and IPv6 enabled

Presentation_ID


Cisco Public

184

IPv4 Network ISATAP Enabled RouterNo. Time Source Destination Protocol Info 302 48.129716 fe80::5efe:a78:202 fe80::5efe:a78:401 ICMPv6 Router solicitation Internet Protocol, Src: 10.120.2.2 (10.120.2.2), Dst: 10.120.4.1 (10.120.4.1) No. Time Source Destination Protocol Info 871 480.607899 fe80::5efe:a78:401 fe80::5efe:a78:202 ICMPv6 Router advertisement Internet Protocol, Src: 10.120.4.1 (10.120.4.1), Dst: 10.120.2.2 (10.120.2.2) No. Time Source Destination Protocol Info 1235 675.685012 2001:db8:cafe:1010:0:5efe:a78:302 2001:db8:cafe:1010:0:5efe:a78:202 ICMPv6 Echo request Internet Protocol, Src: 10.120.3.2 (10.120.3.2), Dst: 10.120.2.2 (10.120.2.2) No. Time Source Destination Protocol Info 1236 675.685259 2001:db8:cafe:1010:0:5efe:a78:202 2001:db8:cafe:1010:0:5efe:a78:302 ICMPv6 Echo reply Internet Protocol, Src: 10.120.2.2 (10.120.2.2), Dst: 10.120.3.2 (10.120.3.2)

10.120.2.2 fe80::5efe:a78:202 2001:DB8:CAFE:1010:5EFE:A78:202 ese-Vista/W71

10.120.3.2 fe80::5efe:a78:302 2001:DB8:CAFE:1010:5EFE:A78:302 ese-Vista/W72

ISATAP Tunnel

Presentation_ID


10.120.4.1 fe80::5efe:a78:401 2001:DB8:CAFE:1010::/64 ISATAP router Cisco Public

ISATAP Tunnel

185

Client Configuration - ISATAPMicrosoft XP will automatically attempt to resolve the name ISATAPLocal host name Hosts file - SystemRoot\system32\drivers\etc

DNS name query (A record)NetBIOS and Lmhosts

Manual ISATAP router entry can be madenetsh interface ipv6 isatap set router 20.1.1.1

Key fact here is that NO additional configuration on the client is needed again!!!Note:ISATAP is supported on some versions of Linux/BSD (manual router entry is required)Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

186

Client Configuration (Windows XP/Vista/W7) - Configured TunnelsWindows XP Client L3 Switch IPv6 not supported IPv6 L3 Switch/Router

Create v6v4tunnel Add IPv6 address to tunnel interface Create a default route (::/0) for the tunnel

10.1.1.100 - Client IPv4 address 2001:db8:cafe:1123::2 - IPv6 address

Host IP

Router IP

netsh interface ipv6>add v6v4tunnel CISCO 10.1.1.100 30.1.1.1 Ok. netsh interface ipv6>add address CISCO 2001:db8:cafe:1123::2 Ok. netsh interface ipv6>add route ::/0 CISCO Ok.

Presentation_ID


Cisco Public

187

Router Configuration - Configured TunnelsWindows XP Client L3 Switch IPv6 not supported IPv6 L3 Switch/Routeripv6 unicast-routing ipv6 cef !

10.1.1.100 - Client IPv4 address 2001:db8:cafe:1123::2 - IPv6 address

interface Loopback1description Tunnel for IPv6 Clients ip address 30.1.1.1 255.255.255.255 ! interface GigabitEthernet2/10 description TO Campus Core Network ipv6 address 2001:DB8:CAFE:111C::2/64 ! interface Tunnel1 description Configured Tunnel for Client1 ipv6 address 2001:DB8:CAFE:1123::1/64 tunnel source Loopback1 tunnel destination 10.1.1.100 tunnel mode ipv6ip

Presentation_ID


Cisco Public

188

Linux

Presentation_ID


Cisco Public

189

What Is Required Red Hat 6.2 and higherRH 8, 9, WS, and ES preferred Fedora project builds

Mandrake 8.0 and higher SuSE 7.1 and higher Debian 2.2 and higher ISATAP support may not be native in all distribution kernels

Presentation_ID


Cisco Public

190

Client Configuration (Linux): Dual-Stack ENABLE IPv6 support on LinuxEdit/etc/sysconfig/network Add entryNETWORKING_IPV6=yes Restart networking or reboot# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:40:F4:6C:C8:AF inet addr:10.1.1.100 Bcast:10.1.1.255 Mask:255.255.255.0 inet6 addr: 2001:DB8:C003:1122:240:f4ff:fe6c:c8af/64 Scope:Global inet6 addr: fe80::240:f4ff:fe6c:c8af/10 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:289223 errors:0 dropped:0 overruns:0 frame:0 TX packets:13452 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:53425777 (50.9 Mb) TX bytes:3381080 (3.2 Mb) Interrupt:5 Base address:0xf000

Presentation_ID


Cisco Public

191

Client Configuration (Linux): ISATAP TunnelsLinux Client L3 Switch IPv6 L3 IPv6 Not Supported Switch/Router

IPv6-enabled Requires Kernel support for ISATAP Some kernels may not have native support for ISATAP (Debian) Must configure ISATAP routerNOT automatic

10.1.1.100Client IPv4 address 2001:DB8:C003:111f:0:5efe:10.1.1.100IPv6 address

Host IP

Router IP

# ip tunnel add is0 mode isatap 10.1.1.100 v4any 30.1.1.1 ttl 64 # ip link set is0 up

Presentation_ID


Cisco Public

192

Client Configuration (Linux): Configured TunnelsLinux Client L3 Switch IPv6 L3 IPv6 Not Supported Switch/Router

Create tunnel Enable the tunnel interface Add IPv6 address to tunnel interface Create a default route (::/0) for the tunnel

10.1.1.100Client IPv4 address 2001:DB8:C003:1123::2IPv6 address

Router IP# # # # ip ip ip ip

Host IP

tunnel add sit1 mode sit remote 30.1.1.1 local 10.1.1.100 link set sit1 up address add dev sit1 2001:DB8:C003:1123::2/64 route add ::/0 dev sit1

Presentation_ID


Cisco Public

193

Does It Work?#ip tunnel show sit1 sit1: ipv6/ip remote 30.1.1.1 #route -A inet6 | grep sit1 Kernel IPv6 routing table Destination 2001:DB8:C003:1123::/64 fe80::/10 ff02::9/128 ff00::/8 ::/0 local 10.1.1.100 ttl inherit

Next Hop :: :: ff02::9 :: ::

Flags UA UA UAC UA U

Metric 256 256 0 256 1024

Ref 10 6 1 0 0

Use 0 0 0 0 0

Iface sit1 sit1 sit1 sit1 sit1

# ip -6 addr show sit1 6: sit1@NONE: mtu 1480 qdisc noqueue inet6 fe80::a5e:a64d/128 scope link inet6 2001:DB8:C003:1123::2/64 scope global

#ping6 -I sit1 2001:DB8:C003:1123::1 PING 2001:DB8:C003:1123::1 from 2001:DB8:C003:1123::2 sit1: 64 bytes from 2001:DB8:C003:1123::1: icmp_seq=1 ttl=64 time=0.454 64 bytes from 2001:DB8:C003:1123::1: icmp_seq=2 ttl=64 time=0.371 64 bytes from 2001:DB8:C003:1123::1: icmp_seq=3 ttl=64 time=0.392 64 bytes from 2001:DB8:C003:1123::1: icmp_seq=4 ttl=64 time=0.377Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

ms ms ms ms194

Apple Mac OS X

Presentation_ID


Cisco Public

195

Client Configuration (Mac OS X 10.2 +): Dual-Stack via GUI

Presentation_ID


Cisco Public

196

Client Configuration (Mac): Configured TunnelsMac Client L3 Switch IPv6 L3 IPv6 Not Supported Switch/Router

Create tunnel interface Set tunnel end-points

Add IPv6 address to tunnel30.1.3.201Client IPv4 address 2001:DB8:C003:1124::2IPv6 address

Set default route 6to4 also an option

Local LAN IP Router IP# # # # ifconfig gif0 tunnel create ifconfig gif0 tunnel 30.1.3.201 30.1.1.1 ifconfig gif0 inet6 alias 2001:DB8:C003:1124::2 route add -inet6 default -interface gif0

# ifconfig gif0 gif0: flags=8051 mtu 1280 tunnel inet 30.1.3.201 --> 30.1.1.1 inet6 fe80::203:93ff:feee:9f1f prefixlen 64 scopeid 0x2 inet6 2001:DB8:C003:1124::2 prefixlen 64197

Presentation_ID


Cisco Public

Sun Solaris

Presentation_ID


Cisco Public

198

Things to Know Sun Solaris 8 and above will prompt for IPv6 activation during the installation processSay yes and you will be ready for dual-stack with autoconfiguration

You can also create the /etc/hostname6. file manuallyFor example if your physical Ethernet adapter is eri0 then you will find a /etc/hostname.eri0 file You can create a /etc/hostname6.eri0 file manually or if you opted to have IPv6 support during installation then the file will already exist#touch /etc/hostname6.eri0 reboot ifconfig -a and you will see a link local address on the interfaces

Presentation_ID


Cisco Public

199

Client Configuration (Sun Solaris): Configured TunnelsMac Client L3 Switch IPv6 L3 IPv6 Not Supported Switch/Router

10.1.1.100Client IPv4 address 2001:DB8:C003:1123::2IPv6 address

Create tunnel interface Create tunnel end-points Add IPv6 address to interface Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on) Router IP

Local LAN IP

# ifconfig ip.tun0 inet6 plumb # ifconfig ip.tun0 inet6 tsrc 10.1.1.100 tdst 30.1.1.1 up # ifconfig ip.tun0 inet6 addif 2001:DB8:C003:1123::2/64 2001:DB8:C003:1123::1 up Created new logical interface ip.tun0:2 ip.tun0: flags=2200851 mtu 1480 index 3 inet tunnel src 10.1.1.100 tunnel dst 30.1.1.1 tunnel hop limit 60 inet6 fe80::4065:406a/10 --> fe80::a5e:a644 ip.tun0:1: flags=2200851 mtu 1480 index 3 inet6 2001:DB8:C003:1123::2/64 --> 2001:DB8:C003:1123::1Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

200

Presentation_ID


Cisco Public

201

Documents

Enterprise IPv6 Design