Enterprise IPv6 Deployment, Slides of Network Theory

Contents:
  • The Need for IPv6
  • Planning and Deployment Summary
  • Address Considerations
  • General Concepts
  • Infrastructure Deployment: Campus/Data Center, WAN/Branch, Remote Access
  • Provider Considerations

Typology: Slides

2016/2017

Uploaded on 07/13/2017

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1
Enterprise IPv6
Deployment
Shannon McFarland
CCIE# 5245, VCP
Corporate Consulting Engineer
Office of the CTO


Reference Materials
  • Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
  • Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html
  • CCO IPv6 Main Page: http://www.cisco.com/go/ipv
  • Cisco Network Designs: http://www.cisco.com/go/designzone

Agenda
  • The Need for IPv6
  • Planning and Deployment Summary
  • Address Considerations
  • General Concepts
  • Infrastructure Deployment: Campus/Data Center, WAN/Branch, Remote Access
  • Provider Considerations

The Need For IPv6

IPv6 Provides Benefits Across the Board: Manufacturing, Government (Federal/Public Sector), Agriculture/Transportation, Wildlife, Health Care, Higher Education/Research, Consumer

  • Set-top boxes
  • Internet gaming
  • Appliances
  • Voice/video
  • Security monitoring
  • Building sensors
  • Media services
  • Collaboration
  • Mobility
  • Embedded devices
  • Industrial Ethernet
  • IP-enabled components
  • DoD
  • WIN-T
  • FCS
  • JTRS
  • GIG-BE
  • Telematics
  • Traffic control
  • Hotspots
  • Transit services
  • Animal tags
  • Imagery
  • Botanical
  • Weather
  • Home care
  • Wireless asset tracking
  • Imaging
  • Mobility

Dramatic Increase in Enterprise Activity. Why?
  • Enterprise that is or will be expanding into emerging markets
  • Enterprise that partners with other companies who may use IPv6 (larger enterprise, located in emerging markets, government, service providers)
  • Adoption of Windows 7, Windows 2008, DirectAccess
  • Frequent M&A activity
  • Energy – High density IP-enabled endpoints (SmartGrid)

Enterprise Adoption Spectrum

Preliminary Research
  • Is it real?
  • Do I need to deploy everywhere?
  • Equipment status?
  • SP support?
  • Addressing
  • What does it cost?

Pilot/Early Deployment
  • Mostly or completely past the “why?” phase
  • Assessment (e2e)
  • Weeding out vendors (features and $)
  • Focus on training and filling gaps

Production/Looking for parity and beyond
  • Still fighting vendors
  • Content and wide-scale app deployment
  • Review operational cost of 2 stacks
  • Competitive/Strategic advantages of new environment

IPv6 Integration Outline

Pre-Deployment Phases
  • Establish the network starting point
  • Importance of a network assessment and available tools
  • Defining early IPv6 security guidelines and requirements
  • Additional IPv6 “pre-deployment” tasks needing consideration

Deployment Phases
  • Transport considerations for integration
  • Campus IPv6 integration options
  • WAN IPv6 integration options
  • Advanced IPv6 services options

Address Considerations

Hierarchical Addressing and Aggregation
  • Default is /48 – can be larger – “End-user Additional Assignment”: https://www.arin.net/resources/request/ipv6_add_assign.html
  • Provider independent – see the Number Resource Policy Manual (NRPM): https://www.arin.net/policy/nrpm.html

[Diagram: the ISP holds 2001:DB8::/ and only announces the /32 prefix to the IPv6 Internet; Site 1 (2001:DB8:0001::/) and Site 2 (2001:DB8:0002::/) aggregate their subnets 2001:DB8:0001:0001::/, 2001:DB8:0001:0002::/, 2001:DB8:0002:0001::/ and 2001:DB8:0002:0002::/]

ULA, ULA + Global or Global

  • What type of addressing should I deploy internal to my network? It depends:
    • ULA-only—Today, no IPv6 NAT is useable in production, so using ULA-only will not work externally to your network
    • ULA + Global allows for the best of both worlds but at a price—much more address management with DHCP, DNS, routing and security—SAS does not always work as it should
    • Global-only—Recommended approach, but the old-school security folks that believe topology hiding is essential in security will bark at this option
  • Let’s explore these options…

Unique-Local Addressing (RFC4193)

  • Used for internal communications, inter-site VPNs
    • Not routable on the internet—basically RFC1918 for IPv6, only better: less likelihood of collisions
  • Default prefix is /48
    • /48 limits use in large organizations that will need more space
    • Semi-random generator prohibits generating sequentially ‘useable’ prefixes—no easy way to have aggregation when using multiple /48s
    • Why not hack the generator to produce something larger than a /48, or even sequential /48s? Is it ‘legal’ to use something other than a /48? Perhaps the entire space?
    • Forget legal, is it practical? Probably, but with dangers—remember the idea for ULA: internal addressing with a slim likelihood of address collisions with M&A. By consuming a larger space or the entire ULA space you will significantly increase the chances of pain in the future with M&A
  • Routing/security control
    • You must always implement filters/ACLs at the Internet perimeter to block any packets going in or out of your network that contain a SA/DA in the ULA range—today this is the only way the ULA scope can be enforced
  • Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
    Generated ULA= fd9c:58ed:7d73::/
      • MAC address=00:0D:9D:93:A0:C3 (Hewlett Packard)
      • EUI64 address=020D9Dfffe93A0C
      • NTP date=cc5ff71943807789 cc5ff71976b28d
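The generator the slide points at implements RFC 4193 section 3.2.2; the Python below is an added example (not the slide's or the sixxs tool's code) that reproduces the algorithm from the MAC address and NTP timestamp shown. It assumes the hashed key is the 64-bit NTP time followed by the modified EUI-64, so the 40-bit Global ID it yields need not match the fd9c:58ed:7d73 value the tool printed; what it shows is why the result is pseudo-random and why two organisations running it independently are unlikely to collide.

```python
import hashlib
import ipaddress
import struct
import time

# Added example implementing RFC 4193 section 3.2.2; not the slide's or the sixxs tool's code.
# Assumed key layout for the hash: 64-bit NTP timestamp followed by the modified EUI-64.
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def mac_to_eui64(mac):
    """Modified EUI-64 (RFC 4291 Appendix A): flip the U/L bit and insert FF:FE in the middle."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02  # invert the universal/local bit
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def current_ntp_time():
    """Current time in 64-bit NTP format: seconds since 1900 in the high 32 bits, fraction below."""
    secs = time.time() + NTP_EPOCH_OFFSET
    return (int(secs) << 32) | int((secs - int(secs)) * 2**32)


def generate_ula(mac, ntp_time=None):
    """Build FD00::/8 || the 40 least significant bits of SHA-1(NTP time || EUI-64) as a /48."""
    if ntp_time is None:
        ntp_time = current_ntp_time()
    key = struct.pack(">Q", ntp_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]   # low-order 40 bits of the 160-bit digest
    packed = b"\xfd" + global_id + b"\x00" * 10   # 8-bit prefix, 40-bit Global ID, zero subnet and IID
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(packed)}/48")


if __name__ == "__main__":
    # Inputs taken from the tool output on the slide (MAC address and first NTP timestamp)
    print(mac_to_eui64("00:0D:9D:93:A0:C3").hex())
    print(generate_ula("00:0D:9D:93:A0:C3", 0xCC5FF71943807789))
```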

[Diagram: Corporate Backbone connecting Corp HQ, Branch 1 and Branch 2]

ULA + Global

  • Both ULA and Global are used internally, except for internal-only hosts
  • Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
  • In theory, ULA talks to ULA and Global talks to Global—SAS ‘should’ work this out
  • ULA-only and Global-only hosts can talk to one another internal to the network
  • Define a filter/policy that ensures your ULA prefix does not ‘leak’ out onto the Internet, and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
  • Management overhead for DHCP, DNS, routing, security, etc…

[Diagram: ULA Space FD9C:58ED:7D73::/ alongside Global 2001:DB8:CAFE::/; each internal segment carries both prefixes (FD9C:58ED:7D73:2800::/ with 2001:DB8:CAFE:2800::/, FD9C:58ED:7D73:3000::/ with 2001:DB8:CAFE:3000::/, FD9C:58ED:7D73:2::/ with 2001:DB8:CAFE:2::/); the Internet sees only the Global prefix 2001:DB8:CAFE::/. Marked “Not Recommended”]

Considerations—ULA + Global

  • Use DHCPv6 for ULA and Global—apply different policies for both (lifetimes, options, etc.)
  • Check routability for both—can you reach an AD/DNS server regardless of which address you have?
  • Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.)
  • If using SLAAC for both—Microsoft Windows allows you to enable/disable privacy extensions globally—this means you are either using them for both or not at all!!!
  • One option is to use SLAAC for the Global range and enable privacy extensions, and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)
  • Unlike the Global and link-local scopes, ULA is not automatically controlled at the appropriate boundary—you must prevent the ULA prefix from going out or in at your perimeter
  • SAS behavior is OS dependent and there have been issues with it working reliably

Addr Type  DAD State  Valid Life    Pref. Life   Address
Temporary  Preferred  6d23h59m55s   23h59m55s    2001:db8:cafe:2:cd22:7629:f726:6a6b
Dhcp       Preferred  13d1h33m55s   6d1h33m55s   fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other      Preferred  infinite      infinite     fe80::8828:723c:275e:846d%
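As an added illustration of the SAS behaviour the slides describe (not the deck's own code), this Python sketch applies RFC 6724 rules 2, 6 and 8 with the RFC's default policy table to the three addresses in the Windows listing above; the destination addresses are constructed from the deck's documentation prefixes. It deliberately omits the remaining RFC 6724 rules (deprecated, home, outgoing-interface and temporary-address preferences), which is part of why real stacks differ from one another.

```python
import ipaddress

# Added illustration of RFC 6724 source address selection (rules 2, 6 and 8 only), not
# the deck's code: why a dual ULA + Global host pairs ULA with ULA and Global with Global.
# RFC 6724 section 2.1 default policy table as (prefix, label); precedence values omitted.
POLICY_TABLE = [
    (ipaddress.ip_network("::1/128"), 0),
    (ipaddress.ip_network("::/0"), 1),
    (ipaddress.ip_network("::ffff:0:0/96"), 4),
    (ipaddress.ip_network("2002::/16"), 2),
    (ipaddress.ip_network("2001::/32"), 5),
    (ipaddress.ip_network("fc00::/7"), 13),
    (ipaddress.ip_network("::/96"), 3),
    (ipaddress.ip_network("fec0::/10"), 11),
    (ipaddress.ip_network("3ffe::/16"), 12),
]
LINK_LOCAL, GLOBAL = 2, 14  # RFC 4291 scope values; RFC 6724 gives ULA global scope

# The three addresses from the Windows listing above: temporary global, DHCPv6 ULA, link-local
HOST_ADDRS = [
    "2001:db8:cafe:2:cd22:7629:f726:6a6b",
    "fd9c:58ed:7d73:1002:8828:723c:275e:846d",
    "fe80::8828:723c:275e:846d",
]

def label(addr):
    """Label of the longest policy-table prefix containing addr."""
    return max((n.prefixlen, lbl) for n, lbl in POLICY_TABLE if addr in n)[1]

def scope(addr):
    return LINK_LOCAL if addr.is_link_local else GLOBAL

def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(candidates, dest):
    """Return the candidate preferred by rule 2 (scope), then 6 (label), then 8 (longest match)."""
    dst = ipaddress.IPv6Address(dest)

    def rank(cand):
        src = ipaddress.IPv6Address(cand)
        # Rule 2: scopes at least as large as the destination's win, smallest first;
        # among scopes that are too small, the largest is least bad.
        rule2 = (0, scope(src)) if scope(src) >= scope(dst) else (1, -scope(src))
        rule6 = 0 if label(src) == label(dst) else 1  # prefer matching label
        rule8 = -common_prefix_len(src, dst)          # prefer longest matching prefix
        return (rule2, rule6, rule8)

    return min(candidates, key=rank)
```

With only a Global source available (a Global-only host), the same function still picks that address for a ULA destination, which is the internal ULA-to-Global reachability the slide mentions.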