Upload
timothy-martin
View
810
Download
2
Tags:
Embed Size (px)
DESCRIPTION
CiscoLive in Milan, Italy (Feb 2014)
Citation preview
Enterprise IPv6 Deployment Strategies BRKRST-2301
Tim Martin CCIE #2020
Solutions Architect @bckcntryskr
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Reference Materials
3
§ IPv6 Knowledge Base Portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
§ Deploying IPv6 in the Internet Edge: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html
§ Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
§ Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/BrchIPv6.html
§ Smart Business Architecture – IPv6 Guides:http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Recommended Reading
4
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6-Related Sessions
5
Session Title
BRKRST-2301 Enterprise IPv6 Deployment BRKRST-2311 IPv6 Planning, Deployment and Operation Considerations BRKRST-2022 IPv6 Routing Protocols BRKRST-2044 Enterprise Multi-Homed Internet Edge Architectures BRKRST-2304 Hitchhiker’s Guide to Troubleshooting IPv6 BRKSEC-2003 IPv6 Security Threats and Mitigations BRKSEC-3003 Advanced IPv6 Security: Securing Link Operations at First Hop TECMPL-2192 IPv6 for Dummies PNLCRS-2303 Experiences with Deploying IPv6 COCRST-3464 Inside Cisco IT: Making the Leap to IPv6 LTRSEC-3033 IPv6 Network Threat Defense, Countermeasures and Controls BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers BRKSPG-2603 How to Securely Operate an IPv6 Network BRKSPG-2606 IPv6 Strategies for Addressing IPv4 Address Exhaustion BRKEWN-2010 Design and Deployment of Enterprise WLANs BRKUCC-2699 IPv6 SIP Dual Stack End Node Support for UCM
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Agenda
§ Why are we here? § IPv6 Address Considerations § Planning and Deployment Summary § Infrastructure Deployment
– Access Layer – Multicast – Data Center – Internet Edge
6
Why are we here?
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
The Internet of Everything
8
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Market Factors Driving IPv6 Adoption
National IPv6 Strategies
IPv6
IPv4 Address Depletion
Infrastructure Evolution IPv6 OS, Content & Applications
2011 Mandate
Pref. by App’s in W7, S2008, OSX 4G, DOCSIS 3.0, CGN
RFC 6540 - IPv6 support is no longer considered optional.
IPv6 Address Considerations http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Address Family
IPv6 Address Family
Multicast Anycast Unicast
Assigned Solicited Node
Unique Local Link Local Global Special Embedded
*IPv6 does not use broadcast addressing
Well Known Temp
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Unicast IPv6 Address Types Link-Local – Non routable within layer 2 domain (FE80::/10) FE80:0000:0000:0000::HHHH:HHHH:HHHH:HHHH
Unique-Local – Routable within administrative domain (FC00::/7)
Global – Routable across the Internet (2000::/3)
FC0G:GGGG:GGGG:SSSS::HHHH:HHHH:HHHH:HHHH FD0G:GGGG:GGGG:SSSS::HHHH:HHHH:HHHH:HHHH
2000:NNNN:NNNN:SSSS::HHHH:HHHH:HHHH:HHHH 3FFF:NNNN:NNNN:SSSS::HHHH:HHHH:HHHH:HHHH
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IANA & Regional Internet Registries
13
Registries
Level Four Entity
IANA
ISP Org
PA
/48
2000::/3
/12
/32
2000::/3
/48
/12
PI
/32
• Recommended Alloca,ons • Consumer, SMB /56 /60 /64 • Municipal Government, Enterprise, Single AS /48 • State Governments, Universi,es (LIR) /32 /36 /40 /44 /48
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv4 and IPv6 Header Comparison
Fragment Offset Flags
Total Length Type of Service IHL
Padding Options Destination Address
Source Address
Header Checksum Protocol Time to Live
Identification
Version
IPv4 Header (20)
Next Header Hop Limit
Flow Label Traffic Class
Destination Address
Source Address
Payload Length
Version
IPv6 Header (40)
• Length is constant in IPv6 • Fragmentation occurs in (EH) • Option’s occur in (EH) • UDP must have valid Checksum, unlike v4. • Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Type Code Data
Checksum
ICMPv6
§ Neighbor Discovery, Router Discovery, Path MTU Discovery and (MLD) – Type – (1-127) = Error Messages, (128-255) = Informational Messages – Code – More Granularity within the Type – Checksum – computed over the entire ICMPv6 – Data - Original Header Return (8 bytes), then fill to Min MTU (1280)
58
1 Destination Unreachable
2 Packet Too Big
3 Time Exceeded
4 Parameter Problem ICMPv6 Header
Next Header 58
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Solicited-Node Multicast Address
§ Every Unicast and Anycast address has a corresponding solicited-node multicast
§ Multicast for resolution, Unicast for reachability
§ Solicited-node multicast consists of FF02::1:FF/104 {lower 24 bits from IPv6 Unicast interface ID}
FF02 0000 0000 0000 0000 0001 FFBC FC0F 0000 0000 0000 1234 5678 9ABC FC0F
FF02 0000 0000 0000 0000 0001 FF23 3544 0DB8 4646 0000 0400 56FF FE23 3544
FE80
2001
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Neighbor Solicitation & Advertisement § Local Link only, Not Routed
§ ARP replacement, Map’s L3 to L2.
§ Multicast for resolution, Unicast for reachability
A! B!
ICMP Type 135 NS IPv6 Source FE80::A
IPv6 Destination B Solicited Node Multicast FF02::1:FF00:B
Target Address 2001:db8:1:46::B Code 0 (need link layer) Query What is B link layer
address?
ICMP Type 136 NA IPv6 Source FE80::B
IPv6 Destination FE80::A Target Type 2
Data Link Layer address of B *Flags R = Router
S = Response to Solicitation O = Override cache information
NS NA
Planning and Deployment Summary
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Integration Outline
19
• Establish the network starting point
• Importance of a network assessment and available tools
• Obtain addressing
• Build initial addressing architecture
• What content are you serving?
Pre-Deployment Phases Deployment
Phases
• Peering capabilities • Internet Edge (ISP, Apps)
• Campus IPv6 integration options
• Data Center integration options
• WAN IPv6 integration options
• Execute on gaps found in assessment
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Architectural Scope of IPv6 Deployment
Planning and coordination is required from many across the organization, including … ü Network engineers & operators ü Security engineers ü Application developers ü Desktop / Server engineers ü Web hosting / content developers ü Business development managers ü …
Moreover, training will be required for all involved in supporting the various IPv6 based network services Build your IPv6 Transition Team
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Building the IPv6 Address Plan
§ Methods – Follow IPv4 (/24 only), Organizational, Location, Function based
§ Hierarchy is key (using 16 bits for subnetting) – 8 bits = (256) Regions (states, counties, agencies, etc..) – 4 more bits = (16) Sub Levels within those Regions – 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc..)
§ Cisco IPv6 Addressing White Paper – http://www.cisco.com/go/IPv6
§ Monotonically (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000 )
21
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Prefix Length Considerations
22
§ /64 everywhere a host
§ /127 Point to Point – out of a single /64 – 1&2 not in same subnet
§ /128 Loopback – out of a single /64
§ /64, /64, /64
Pt 2 Pt /127
WAN
Core /64 or /127
Servers /64
Hosts /64
Loopback /128
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
ULA, ULA or LL + Global, Global-only
23
Corporate Backbone Branch 2
Branch 1 Corp HQ
ULA Space FD9C:58ED:7D73::/48 Global – 2001:DB8:CAFE::/48
FD9C:58ED:7D73:2800::/64 2001:DB8:CAFE:2800::/64
Internet
FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64
FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64
Global – 2001:DB8:CAFE::/48
LL – Topology Hiding, Reduces Prefix Count, Need ULA or Global to Manage Devices ULA – Topology Hiding, No External Troubleshooting w/o Global Loopbacks
Global – Enablement of Applications & Management, Requires Good FW Skills
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
RFC 6724 – Default Address Selection
§ Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public
§ Must support application override API, Choice of v6 or v4 is application dependent
§ Network Connection Status Indicator (NCSI)
Application Layer
TCP/UDP
IPv6 IPv4
Network Interface Card
Temporary Preferred 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 DHCP Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Link Preferred fe80::202:8a34:bead:a136
RFC 6555
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
RIPng – UDP 521, 15 hops FE80::/64 Source à FF02::9 Destination
IS-IS – CLNS, Wide Metric Support IPv4 & IPv6 (2 new TLV’s added) Single Topology, Multi Topology, Multi Instance
OSPFv3 – IP 89 FE80::/64 Source à FF02::5 (all), FF02::6 (DR’s) Link-LSA (8) – Local Scope, NH Intra-Area-LSA (9) – Routers Prefix’s Use Inter-Area-Prefix (3) – Between ABR’s
EIGRP – IP 88 FE80::/64 Source à FF02::A Destination 2 New TLV’s – internal-type & external-type No Split Horizon, Auto Summary Disabled
IGP’s
25
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Deployment Options
Translation Services IPv4 IPv6
Tunneling Services
IPv4 over IPv6 IPv6 over IPv4
Dual Stack
Recommended Enterprise Co-existence Strategy
IPv6 IPv4
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Where do I start? § Core-to-Access – Gain experience with v6
§ Turn up your servers – Enable the experience
§ Access-to-Core – Securing and monitoring
§ Internet Edge – Business continuity
Servers
Branch Access
WAN
Campus Core ISP ISP
Internet Edge
Access Layer
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Host Portion Address Assignment Similar to IPv4 New in IPv6
Manually configured State Less Address Auto Configuration SLAAC EUI64
SLAAC Ephemeral Addressing
Assigned via DHCPv6
*Secure Neighbor Discovery SeND
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Router Solicitation and Advertisement § Router solicitations (RS) are sent by nodes at boot up
§ Host needs an RA to finish building it’s Address’s
RS
ICMP Type 133 IPv6 Source FE80::A IPv6 Destination FF02::2 Option 1 SRC Link Layer Address
RA
ICMP Type 134 IPv6 Source FE80::2
IPv6 Destination FE80::A Data Options, subnet prefix,
lifetime, autoconfig flag
RS RA
A
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
RA Message § M-Flag – Stateful DHCPv6 to acquire an IPv6 address
§ O-Flag – Stateless DHCPv6 in addition to SLAAC
§ H-Flag – Mobile IP home agent
§ Preference Bits – Low, Med, High
§ Router Lifetime – Must be >0 for Default
§ Options - Prefix Information, Prefix Length
§ L bit – Only way a host get a On Link Prefix
§ A bit – Set to 0 for DHCP to work properly
Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: 1800 Reachable time: 60000 Retrans timer: 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .0.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234:: RA
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Disabling Ephemeral Addressing
32
§ Enable DHCPv6 via the M flag § Disable auto configuration via the A bit in option 3 § Enable Router preference to high § Enable DHCPv6 relay
ipv6 unicast-routing ! interface fastEthernet 0/0 ipv6 address 2001:db8:6666:acc1::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd prefix 2001:db8:6666:acc1::/64 no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:add:café::1
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Snooping
IPv6 First Hop Security (FHS)
IPv6 FHS RA
Guard DHCPv6 Guard
Source/Prefix Guard
Destination Guard
Protection: • Rouge or
malicious RA • MiM attacks
Protection: • Invalid DHCP
Offers • DoS attacks • MiM attacks
Protection: • Invalid source
address • Invalid prefix • Source address
spoofing
Protection: • DoS attacks • Scanning • Invalid
destination address
RA Throttler
ND Multicast Suppress
Reduces: • Control traffic
necessary for proper link operations to improve performance
Core Features Advance Features Scalability & Performance
Facilitates: • Scale
converting multicast traffic to unicast
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
First Hop Security for Wireless IPv6 Clients
34
IPv6 VLAN
Ethernet
IPv6 802.11
IPv6 RA 802.11
§ RA Guard - enabled at AP by default, always on at the controller § DHCPv6 Guard – blocks client side DHCPv6 Advertise packets § Source Guard – prevents client spoofing, enabled at controller by default § Address Accounting – RADIUS “Framed-IP-Address” attribute
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
ipv6 snooping policy HOST tracking enable limit address-count 2 ! interface GigabitEthernet1/0/2 switchport access vlan 200 switchport mode access ipv6 snooping attach-policy HOST
Access Layer Configuration Example
35
ipv6 nd raguard policy HOST ipv6 nd raguard policy ROUTER device-role router ! interface vlan 200 ipv6 nd raguard attach-policy HOST ! interface GigabitEthernet1/0/0 description Router Port ipv6 nd raguard attach-policy ROUTER
§ RA Guard Host & Router – Host = RA/DHCP Guard, no Redirect
§ IPv6 ND Inspection – Incl. RA/DHCP Guard, Src/Dst Gaurd
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
RA Throttler
Router Solicitation (RS)
Triggered (RA)
§ Scaling the 802.11 multicast reliability issues § NDP process is multicast “chatty”, consumes airtime § Rate limit RA’s from the legitimate router § Inspect the RS, convert the responding RA to L2 Unicast
Periodic (RA’s)
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
ND Multicast Suppression
(NS)
00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4
(Unicast NA)
§ Scaling the 802.11 multicast reliability issues § NDP process is multicast “chatty”, consumes airtime § Caching allows the Controller to “proxy” the NA, based on gleaning § Intercepting the NS and unicasting it over L2 to the target
2
4
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
How Does Cisco Solve IPv6 Mobility?
38
R1
R2
Anchor
Foreign
Mobility Tunnel
Unicast RA
Mcast RA
Roaming Client
§ Roaming client must be able to receive the original router advertisement § Controllers must be part of the same mobility group domain § The anchor controller sends the RA to the foreign in the mobility tunnel § AP convert’s multicast RA to an L2 unicast (MC2UC)
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
HSRP for IPv6
First Hop Router Redundancy Options
§ Modification to Neighbor Advertisement, router Advertisement, and ICMPv6 redirects
§ Virtual MAC derived from HSRP group # and virtual IPv6 LLA
HSRP Standby
HSRP Active
Neighbor Unreachability Detection • For rudimentary HA at the first HOP, that is slow to detect
failures
• Hosts use NUD “reachable time” to cycle next known default GW
RA Reach-time
GLBP for IPv6 • Modification to Neighbor Advertisement, Default Gateway is
announced via RA’s from Virtual MAC
• Active Virtual Gateway (AVG), assigns MAC’s, responds to NDP and directs hosts to Active Virtual Forwarder (AVF)
GLBP AVG AVF
GLBP AVG AVF
Default Gateway . . . . . . . . . : 10.121.10.1 fe80::211:bcff:fec0:d000%4 fe80::211:bcff:fec0:c800%4
Multicast
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Address Scope Meaning FF01::1 Node-Local This Node
FF05::2 Site-Local All Routers
FF02::1 Link-Local All Nodes
FF02::2 Link-Local All Routers
FF02::5 Link-Local OSPFv3 Routers
FF02::6 Link-Local OSPFv3 DR Routers
FF02::9 Link-Local RIPng
Well Known Multicast Addresses
§ FF02, is a permanent address and has link scope
§ Link Operations, Routing Protocols, Streaming Services
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 over Ethernet
§ IPv6 has a specific Ethernet Protocol ID § IPv6 relies heavily on Multicast
Destination Ethernet Address!
Source Ethernet Address!
0x0800!!
IPv4 Header and Payload!
Destination Ethernet Address!
Source Ethernet Address!
0x86DD!!
IPv6 Header and Payload!
xx 33 33 xx xx xx
I bit = Local Admin, L bit = Multicast/Broadcast
0000 00IL
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Multicast Mapping over Ethernet (RFC 2464) § IPv6 multicast address to Ethernet mapping
§ Destination address based mechanism
FF02:0000:0000:0000:0000:0001:FF17:FC0F IPv6 Solicited Node Multicast Address
Corresponding Ethernet Address 33 33 17 FC 0F FF
FF3E:0040:2001:0DB8:CAFE:0001:11D7:4CD3 IPv6 Temporary Multicast Address
Corresponding Ethernet Address 33 33 D7 4C D3 11
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Multicast Address (RFC 4291) § Prefix FF00::/8
8-bit 4-bit 4-bit 112-bit
1111 1111 0 R P T Scope Variable format
Flags
O Reserved
R = 0 R = 1
No embedded RP Embedded RP
P = 0 P = 1
Without Prefix Address based on Prefix
T = 0 T = 1
Well Known Address (IANA assigned) Temporary address (local assigned)
Scope 1 Node
2 Link
3 Subnet
4 Admin
5 Site
8 Organization
E Global
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Multicast Address – Unicast Based (RFC 3306)
§ Every Unicast prefix can build custom multicast addresses
§ Last 32 bits of unicast address mapped into Group ID (112 Bits) 8 Bits 4 Bits 4 Bits 8 Bits 8 Bits 64 Bits 32 Bits
1111 1111 0 0 1 1 1110 Rsvd plen Unicast Prefix Group ID
Example plen 40 = 64 bits
Prefix 2001:db8:cafe:1::
Group ID 11d7:4cd3
FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Embedded RP Multicast Address (RFC 3956) § Static mapping of RP into Multicast group
§ Solves MSDP and scaling issues 8 Bits 4 Bits 4 Bits 4 Bits 4 Bits 8 Bits 64 Bits 32 Bits
1111 1111 0 1 1 1 1110 Rsvd RPid plen Unicast Prefix Group ID
Example Rsvd/RPid 0000 | 0101
Prefix 2001:db8:cafe:1::
Group ID 645
FF7E:0540:2001:DB8:CAFE:1:0000:0645
FF7E:540:2001:db8:cafe:1::645
2001:db8:cafe:1::5
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Multicast Listener Discovery (MLD) § MLD uses LL source addresses § 3 msg types: Query, Report, Done
§ MLD packets use “Router Alert” in HBH § MLDv1 = (*,G) shared, MLDv2 = (S,G) source
MLD snooping
MLD IGMP Message Type
ICMPv6 Type Function
MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query
Listener Report
Listener Done
130
131
132
Used to find out if there are any multicast listeners
Response to a query, joins a group
Sent by node to report it has stopped listening
MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query
Listener Report
130
143
Used to find out if there are any multicast listeners
Enhanced reporting, multiple groups and sources
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
MLDv1 Joining a Group (REPORT)
ICMP Type 131 IPv6 Source FE80::A
IPv6 Destination FF38::276 Hop Limit 1
Group Address FF38::276 Hop-by-Hop Header
Router Alert Yes
MLD Report
A
MLD Report
B
ICMP Type 131 IPv6 Source FE80::B
IPv6 Destination FF38::276 Hop Limit 1
Group Address FF38::276 HBH Extension Header
Router Alert Yes (S, G
) Source
FF38::276
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
MLDv1 Leaving a Group (Done)
ICMP Type 132 IPv6 Source FE80::A
IPv6 Dst. FF02::2 Hop Limit 1
Group FF38::276 Hop-by-Hop Header
Router Alert Yes
MLD Done
A
MLD Report
B
ICMP Type 130 IPv6 Source FE80::C
IPv6 Dst. FF38::276 Hop Limit 1
Hop-by-Hop Header Router Alert Yes
Query
C ICMP Type 131
IPv6 Source FE80::B IPv6 Dst. FF38::276 Hop Limit 1
Group FF38::276 Hop-by-Hop Header
Router Alert Yes
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
MLDv2 Joining a Group (Report)
ICMP Type 143 IPv6 Source FE80::A
IPv6 Destination FF02::16 Hop Limit 1
# of Records Include/exclude Group Address FF38::4000:BA11
Hop-by-Hop Header Router Alert Yes
MLD Report
A I wish to receive FF38:4000:BA11
(S, G)
Source FF38::4000:BA11
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
MLD Multicast Maintenance (Query)
§ General Query § FF02::1 § Group list empty, who’s listening?
§ Group Specific Query § FF38::4000:BA11 § Anyone still interested in this stream?
§ Group & Source Specific Query § 2001:DB8:CAFÉ::1, FF38::4000:BA11
§ Filter Mode, Change Record
§ Multiple routers on link § Lowest address value assumes Querier role
A Q
uery
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Anycast RP Redundancy
§ Designate a primary and a secondary RP for the Anycast group.
§ Configure Primary RP with longest prefix, secondary has the shorter prefix
§ Distribute loopback interfaces routes into IGP
Primary RP Secondary RP
Loopback 1 2001:db8:fab0::1/48
Loopback 1 2001:db8:fab0::1/47
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Zeroconf over IPv6 § Apple (Bonjour) has a light weight approach, adopted quicker
§ FF02::FB – Multicast DNS – mDNS
§ Microsoft (Rally) has a more robust, heavier implementation, has moved slower
§ FF02::C – Simple Service Discovery Protocol – SSDP, UPnP
§ FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)
Personal Computer Operating Systems • Windows • Mac OS X • Linux
Appliances & Networking • Printers • Access Points • Switches • Routers
AV Equipment • Speakers • Cameras • Displays • AV Receivers
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Why Service Discovery Gateway
Same L2 Domain
Where’s my Printer?
Different L2 Domain
I’m here! Talk to me...
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Why Service Discovery Gateway
L2 Domain
Where’s my
Printer?
Different L2 Domain
Nobody's talking to
me!?
Service Browsing
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Service Discovery GW
§ Cached at Gateway. Service, Type, Location
§ Service Discovery & Access Control = Better Together
VLAN 200 Training ATV RAOP VLAN 100
CTO Office IPP VLAN 200
name Other VLAN XYZ R
AO
P!
IPP
!
VLAN 200
VLAN 100
Data Center
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Migrating Applications to IPv6
58
§ If an application is protocol centric (IPv4): § Needs to be rewritten – Probably not going to happen
§ Pressure vendors to move to protocol agnostic framework § RFC 3493 – Open Socket Call, 64 bit structure align to HW § RFC 3542 – Raw Socket, ping, Traceroute, r commands § Know whether your app displays or accept an IPv6 address § 198.51.100.44:8080 à [2001:db8:café:64::26]:8080
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
NDP Scaling Issues in the DC
§ Large DCs with very dense hosts populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 ‘control’ traffic
§ NDP scaling paper (Lessons learned from production deployments)
59
§ NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
§ NUD Retry Interval: ipv6 nd nud retry base interval-in-milliseconds max-attempts
§ Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds § Unsolicited NA Glean: ipv6 nd na glean § Glean rate limiter: mls rate-limit unicast cef glean <pps> <burst>
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
DHCPv6 Protocol Details
DHCP Messages IPv4 IPv6 Client à Server (1) DISCOVER SOLICIT Server à Client (2) OFFER ADVERTISE Client à Server (3) REQUEST REQUEST Server à Client (4) ACK REPLY
§ FF02::1:2 = All DHCP Agents (servers or relays, Link-local scope) § FF05::1:3 = All DHCP Servers (Site-local scope) § Clients listen on UDP port 546; Servers/relays on UDP port 547 § Rapid Commit, 2 packet exchange. Solicit/Reply, client sets for options § ipv6 dhcp relay destination replaces ip helper address
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 and DNS
Function IPv4 IPv6
Hostname to
IP Address
A Record www.abc.test. A 192.168.30.1
AAAA Record (Quad A) www.abc.test AAAA 2001:db8:C18:1::2
IP Address To
Hostname
PTR Record 1.30.168.192.in-addr.arpa. PTR www.abc.test.
PTR Record 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
§ Add AAAA records in DNS server for hostnames that have IPv6 enabled
§ Automatically generate accompanying (PTR) records
§ Enable IPv6 access to the authoritative DNS servers
§ Be sure that TCP/53 and UDP/53 can be accessed through IPv6
§ Enable IPv6 connectivity to external resolvers that send DNS queries
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
FCIPv6
62
§ Tunnel Protocol for Fiber Channel over an IP infrastructure
§ RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16)
§ MDS 9x00 Series – out-of-order delivery, jumbo frames, traffic shaping, TCP optimization
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
iSCSI/VRRP for IPv6
§ Same configuration requirements and operation as with IPv4
§ Configure VRRP address to be the same as physical interface of “primary”
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
• Server supports IPv4 and IPv6
• Internal & external
• Server supports IPv4 & IPv6
• Standards compliant
• Integrated DNS and DHCP
• Configuration and reporting
• DNSSEC caching • DNS64 support
DHCP DNS IPAM DNS Caching
§ SNMPv3 over IPv6 and managing IPv6 MIB’s § Protocol Version Independent (PVI) manage the same OID’s (RFC’s 4292, 4293) § NetFlow, Deep Packet Inspection, IPSLA, all work with IPv6 § Wireshark, Packet analysis, MRTG, Netflow collectors, etc..
Network Management
Internet Edge
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Internet Edge to ISP § Do you support dual stack peering? § Do you have a separate (SLA) for IPv6? § Do you support BGP peering over IPv6? § What is the maximum prefix length?
§ What about DNS…
Hosted Cloud Service § Maximum prefix length offered by the cloud provider? § Access to provisioning and billing portal over IPv6? § Global IPv6 addressing for VM’s in your environment?
ISP-A ISP-B
Routing
Switching
Services
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Internet Edge to ISP
67
Single Link Single ISP
Dual Links Single ISP
Multi-Homed Multi-Region
Enterprise
ISP 1
Default Route
Enterprise
POP1
POP2
ISP 1
Enterprise
ISP 1
ISP2
USA
ISP4
ISP3
BGP BGP IPv6
Tunnel IPv4-only
Your ISP may not have IPv6 at the local POP Europe
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Dual Stack the Internet Edge
§ Most design elements should be like IPv4
§ No translation in this design
§ Single ISP or multi-ISP will change BGP slightly
§ Keep a careful eye out on limitations in SW/HW and/or security details
§ You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
§ Dual stack along the traffic flow from client-to-server
§ LISP (Locator/ID Separation Protocol) as a means to deal with non-IPv6 capable ISPs
ISP 1 ISP 2 Internet
Enterprise Core
Web, Email, Other
Internal Enterprise
Edge Router
Outer Switch
Security Services
Inner switching/ SLB/Proxy/ Compute
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Translation Techniques
69
Application Support
Server Load Balancer Stateful NAT64
IPv6
IPv4
Client Visibility
IPv4
IPv6
SW = Poor Performance
Proxy
IPv6
IPv4
IPv6 Internet
IPv4 Internet
IPv6 Internet
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6/IPv4 Translation
70
§ Easy to get – Router, Firewall, SLB, Proxies § Instantly hooked – Fastest path to delivering
apps over IPv6 § Both methods are useful with caution
§ Need to examine the best location for translation
§ Put translation as deep into DC/IE as possible (get full visibility of IPv6)
SLB64 v6 v4 v4
v4
v4
v6 v4
Stateful NAT64
NAT64 – Routers/ASA
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
ISP-A
Enterprise Core
N5k
Servers WWW
ISP-B
UCS Servers
SLB64 – Citrix Netscaler
§ OS/App dictate design parameters
§ Time to deploy
§ IPv6 North
SLB Boundary
§ IPv4 South
§ Translation & SLB are done on same platform
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
X-Forwarded-For (XFF)
72
§ Source IP of client requests will be logged as the SNAT or other NAT’ed address
§ You want to log the real source address – X-Forwarded-For (XFF) in HTTP
cisco@ie-web-01:/$ tail -f /var/log/apache2/access.log 10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)”
Hypertext Transfer Protocol GET / HTTP/1.1\r\n x-forward: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n
serverfarm WEB_V6_V4_SF
insert-http x-forward header-value "%is" ACE Policy Map – “is” = Source IP Address
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
NAT64
73
§ Stateless NAT (~ASA static) – RFC 6145 (IP/ICMP Translation Algorithm) – Consumes an IPv4 address for each IPv6-only device
§ Stateful NAT (~ASA dynamic) – RFC 6146 (Framework for IPv4/IPv6 Translation) – Can aggregate many IPv6 users to single (or more) IPv4 address – Used mainly where IPv6-only clients need to access IPv4 servers – Only supports IPv6-initiated flows – Similar as IPv4-to-IPv4 PAT works, a translation table is required
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Version Traffic Class Flow Label
Payload Length Next Header Hop Limit
Source Address
Destination Address
§ TCP/UDP/ICMP Unicast traffic only
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
To NAT or NOT
74
§ Today, NAT44 & RFC1918 § All PA or all PI and peering in multiple regions
– PI from one region and run it everywhere? – ISP in one region reject PI block from another? – What about translation?
§ NPTv6 – Translating your prefix for multi-homing – RFC6296 – IPv6-to-IPv6 Network Prefix Translation – STUN, TURN, ICE will all be used like with IPv4
§ NAT ≠ Firewall – RFC 4864 (Local Network Protection)
§ NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)
Firewall+NAT Internet
Some enterprises are getting a prefix per RIR and only deploying one.
Building backup plans with the others
Available on ASR, ISR G2 and more in the future
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
IPv6 Bogon and Anti-Spoofing Filtering
75
§ Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
§ Anti-spoofing (RFC2827, BCP38), Multi homed filtering (RFC3704, BCP 84)
§ uRPF – Unicast Reverse Path Forwarding
IPv6 Intranet
Inter-Networking Device with uRPF Enabled
XIPv6 Intranet/Internet
No Route to SrcAddr => Drop
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Securing the Edge, FW and/or Perimeter Router
§ Address Range – Source of 2000::/3 at minimum vs. “any”
§ ICMPv6 – Error types thru, NDP too, RFC 4890
§ Extension Headers – Allow Fragmentation, block HBH, block RH type 0, others as needed
§ Ingress Filter – RFC 2827, BCP 38
§ IPv6 ACL’s
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Key Take Away
77
§ Gain Operational Experience now
§ Security enforcement is possible
§ Control IPv6 traffic as you would IPv4
§ “Poke” your Provider’s
§ IPv6 is here now are you?
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Call to Action… § Visit the Cisco Campus at the World of Solutions to experience the following
demos/solutions in action: Speaker to add relevant demos/areas to visit from the campus demos list
§ Get hands-on experience with the following Walk-in Labs Speaker to add the relevant walk in labs from the list
§ Meet the Engineer Speaker to specify when will they be available for ad-hoc meetings at the MTE village, and provide other recommended names…
§ Discuss your project’s challenges at the Technical Solutions Clinics § Attend one of the Lunch Time Table Topics, held in the main Catering Hall § Recommended Reading: For reading material and further resources for this
session, please visit www.pearson-books.com/CLMilan2014 § CL365 -Visit us online after the event for updated PDFs and on-demand
session videos. www.CiscoLiveEU.com
78
© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.
Complete Your Online Session Evaluation
§ Complete your session evaluation online now through either the mobile app or internet kiosk stations.
79