Overcoming Challenges of Deploying IPv6 in the live Enterprise Work Environment by Tina Tsou at gogoNET LIVE! 3 IPv6 Conference

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

Overcoming challenges of deploying IPv6

in the live Enterprise work environment

Tina Tsou (Speaker), Kenneth Durazzo, Wendell Rios

Huawei Technologies

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Agenda

It’s Only IP…Right?

Making the case

Defining success

Testing 360

Planning the Transition

Deployment Details

UCC

Applications / Network

Platforms


Section 1: Best Practices / Overview

Page 3


It’s Only IP… Right?

Should be easy, no?

But what about…

Security policy and devices

Operating systems, Hypervisors

Servers, PCs and smart-devices

Network platforms

Services and Applications

VPN

Application Optimization

UCC

Private and Public Cloud Applications

DNS / DHCP / Printing

Monitoring / Troubleshooting tools


Making the Case

Business Executives

IPv6 will help us increase IT flexibility for

new applications and communications,

for instance BYOD

CAPex cost should be minimal, OPex

should stay the same

Security Operations

IPv6 is here on the network, in fact all

new OS’s already support it, if you don’t

embrace it, how will you protect the

business?

Application / Server Operations

Many applications and tools already

support IPv6, resulting in minor changes

to existing environment and processes

Business Function Leaders

How this will be non-intrusive to their

users and business goals but be an

enabler to their business (eg: BYOD)

IT

Business

Executives

Security

Operations

Application /

Server

Operations

Business

Function

Leaders


Defining Success

Business impact definition

What is the scope of deployment? Entire environment? branch, campus or DC?

Phased deployment?

At the Edge? In the Core?

Timeline for cut-over

User QOE for: Applications

Network

What is the desired successful

outcome (exit criteria)?


Testing 360

Best practices

Set up a lab that mimics your target environment, but not at scale

Perform an inventory of:

Applications

Platforms / Devices

Work with employees to create User-stories / Use-cases for the target

environment

Test, test, test…

Devices / Applications / permutations

Involve security and other operations teams, early and often, even better

if they are part of the testing team


Planning the Transition

Create the scope of work

Environment

Platforms

Applications

Users, etc

Get training for all impacted personnel for support of

IPv6 and any new systems put in place to support

the environment

Inventory all impacted devices and configurations.

Include wiring plant and HVAC, etc

Create clear documentation and points of contact for

transition activities

All OPS teams must be deeply involved (Sec / App /

Server / Network)

Socialize the scope of work and get buy-in / signatures

for cut-over dates / times

Go live!


IPv6 production office networks

Page 9

Enable all

employees to

have IPv6 access

Enable employees

to innovate and

collaborate with

external partners

Explore practical IPv6

deployment and

transition options

Enable product

teams to test

the new

implementations


Section 2: Network Architecture – IPv6 LAB Network

Page 10


IPv6 Network

Page 11

OSPFv3 Static Routing

Santa Clara, CA

CGN @ NE40E

AR

Content Server

CE

Router IPv6

Network

AR

Plano, TX and Santa Clara, CA

IPv6 Network Core


CGN and PCP Layout

Page 12

Internet

Client

IPv6 Internet

IPv4 Internet

Port 3

PCP

Port 3

NATCoord

PCP

Port 2

Port 1

Port 2

NON-PCP

P2P Client-1

P2P Client-2

Web Server (VM)

NATCoord Client

UPnP DS-Lite

Private IPv4 Client/IPv4

Web Server IPv4 over IPv6

NAT44

Public IPv4/Internet Client

UPnP/PCP Interworking

Huawei HG553

CPE1

CPE2 CGN

PCP Server

NE40E-X3


Multicast IPv6 Transition 6-6-4 Case

Page 13

IPv6 IPv6 IPv4

Multicast 4/6 Gateway

Multicast Content Traffic

IPv6

Multicast

Client

RP (IPv4 Multicast

Content Server) IPv6 Multicast

Network

PIM IPv6

IPv6

Receiver

MLD CPE

IPv4 Content Server

IPv4 Multicast Network

IPv4

Content CERNET


LightWeight 4over6

Per-subscriber stateful 4 over 6 solution

No IPv4 and IPv6 address coupling

Adopted by CT, FT and DT.

Page 14


Section 3: Live Production Network

Page 15


Phase 1 Enterprise Network Transition

Page 16

Challenges:

• Security and compliance

• Multi zone networks based on use.

• Intranet networks highly secured and regulated by Corporate HQ.

• Nothing goes on the network unless approved by Information Security and IT.

• Too much “red tape.”

• Technology

• Existing infrastructure not ready, no IPv6 support.

• Support

• Minimal to none local resources.


Phase 1 Enterprise Network Transition – cont.

Page 17

Strategy:

• Security and compliance

• Solution or Proof of Concept implementation that does not break the rules.

• Technology

• Solution that utilizes existing network – no change in IT infrastructure.

• Support

• Get local Regional IT buy in.



Page 18

Solution and scope: • Deploy IPv6 stub network with dual nic Linux host runing NAT64/DNS64 service.

• IPv6 only host able to access IPv4 rfc1918 resources, i.e. Sharepoint portal, Proxy web server,

and etc; by utilizing NAT64 and DNS64 gateway.

Technology and resources: • Allocate IPv4 rfc1918 network prefix for IPv4 dynamic mapping pool.

• Allocate IPv6 network prefixes:

• 2001:db8:1:ffff::/96 for NAT64/DNS64 service.

• Redhat Linux host with dual network adapters running NAT64/DNS64 service.

• Tayga stateless NAT64 open source application was installed and tested.

• TOTD DNS64 open source application was installed and tested.



cont.

Page 19

• IPv6 NAT64 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses.

• NAT64 and DNS64 processes use the same prefix.

• Default gateway and DNS server of IPv6 host is the NAT64/DNS64 gateway.



Page 20

Results:

• IPv6 host able to ping and telnet to network devices in IPv4 domain using NAT64 IPv6 prefix.

• IPv6 host able to access resources in IPv4 only domain using Fully Qualified Domain Names.

• IPv6 host able to use web proxy in IPv4 only domain to access Internet websites.

• Web proxy FQDN was hard set in host browser settings.

• IPv6 host able to browse and utilize Sharepoint portal/collaboration tool.

Next Steps:

• Explore and incorporate additional IPv6 technologies.

• DHCPv6

• Deploy architecture to larger scope – Phase 2.


B R A N C H B

Analog

Fax

IP Phone

PC Client

PSTN/PLMN

EGW

WiFi

ATO

eSpace UC

Page 21

U1980

E1/T1

B R A N C H A

PSTN/PLMN

Analog

Fax

IP Phone

PC Client

IAD

WiFi

P U B L I C N E T W O R K

SSL VPN

SBC

Proxy

PC Client

Soft Phone

Internet

SBC Firewall

IPV4/IPV6

SVN

H E A D Q U A R T E R S

Analog

Fax

IP Phone

PC Client / Soft Phone

PSTN/PLMN

PSTN Gateway

UC Server

U2990 (CALL Control)

Soft

Console

IP

E1/ATO

WiFi/3G

POTS


I P v 6 B R A N C H

PSTN/PLMN

EGW

eSpace UC – SIP, RTP(VOIP 1)

Page 22

U1980

I P v 4 B R A N C H

PSTN/PLMN


SSL VPN Internet

SBC Firewall

IPV4/IPV6

SVN


PSTN/PLMN

UC Server

IPv4/IPv6 dual-stack

IPv4/IPv6 dual-stack SIP

RTP

U29XX


I P v 6 B R A N C H

PSTN/PLMN

EGW

eSpace UC – SIP, RTP(VOIP 2)

Page 23

U1980

I P v 4 B R A N C H

PSTN/PLMN


SSL VPN Internet

SBC Firewall

IPV4/IPV6

SVN


PSTN/PLMN

UC Server



RTP

U29XX


I P v 6 B R A N C H

PSTN/PLMN

EGW

eSpace UC – SIP, RTP(Conference)

Page 24

U1980

I P v 4 B R A N C H

PSTN/PLMN


SSL VPN Internet

SBC Firewall

IPV4/IPV6

SVN


PSTN/PLMN

UC Server



RTP

U29XX


SIP and RTP

Page 25

U29XX

eSpace eSpace

Intranet(IPv6)

UC Server

P2P VOIP

Intranet(IPv6)

U29XX

eSpace eSpace

Intranet(IPv6)

UC Server

Conference

Intranet(IPv6)

SIP

RTP

SIP


Section 4: Additional Use-Cases

Page 26


www.huawei.com permanently launched v6

Page 27

http://www.huawei.com/


Huawei: IPv6 Deployment used by IEEE meeting

Page 28

IEEE HOT INTERCONNECT CONFERENCE, Aug 22-24, hosted by Huawei at

Huawei campus on Santa Clara, CA, USA

IPv4/IPv6 Internet

IPv4 AC （Standby）

IPv4 AP

IPv4/IPv6 STA

IPv4/IPv6 Core&Aggregation （Gateway，iStack）

Access Layer

IPv4 AC （Active）

IPv4/IPv6 Firewall (support NAT

for IPv4)

IPv4 IPS/IDS


http://www.huawei.com/en/solutions/broader-smarter/hw-

092950-ipv6.htm

Page 29

Additional Reference

Thank you www.huawei.com

Copyright©2011 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.