Enterprise IPv6 Design

Enterprise IPv6 Deployment
Click to "c#arland Edit Master Subtitle Style Shannon CCI$% &2'&, (CP Cor)orate Consulting $ngineer *++ice o+ the C,* shmc+arl-cisco.com
Presentation_I 2006 Cisco Systems, Inc. All rights reserved. Cisco
Reference Materials
e)loying IPv6 in Cam)us .et/or0s1 htt)122///.cisco.com2en23S2docs2solutions2$nter)rise2Cam)u
e)loying IPv6 in 4ranch .et/or0s1 htt)122///.cisco.com2en23S2solutions2ns5'02ns'!'2ns6'22ns7 CC* IPv6 "ain Page1 htt)122///.cisco.com2go2i)v6 Cisco .et/or0 esigns1 htt)122///.cisco.com2go2design8one
Presentation_I
2006 Cisco Systems, Inc. All rights reserved.
Cisco
9ecommended 9eading
e)loying IPv6 in 4roadband .et/or0s : Adeel Ahmed, Salman Asadullah IS4.0'60!;5576, <ohn =iley > Sons Publications?
Coming Soon@@
Agenda
,he .eed +or IPv6 Planning and e)loyment Summary Address Considerations Aeneral Conce)ts In+rastructure e)loyment
Cam)us2 ata Center =A.24ranch 9emote Access
Provider Considerations
Presentation_I
Cisco
'
,he .eed #or IPv6
Presentation_I
Cisco
&
Market !actors Driving IPv6 Deployment

Address Issues %E&'austion %M$A %(usiness )*++ Development
ational IPv6 Strategies 3S o , China .AI, $3
IPv
IPv6 "S# Content $ Applications 6 Infrastructure Evolution
SmartArid, SmartCities *CSIS 5.0, 'A2D,$ ,IPS*
///.oecd.org1 "easuring IPv6 ado)tion

Presentation_I C59S 2006 Cisco Systems, Inc. All rights reserved. 2007 Cisco Systems, Inc. All rights Cisco Cisco Bighly Con+identialCControlled
IPv6 Provides (enefits Across t'e (oard

(uilding sensors Media services Collaboration Mobility
2ig'er Education.Researc'
Set%top bo&es Internet gaming Appliances 3oice.video Security monitoring
Consumer
Embedded devices Industrial Et'ernet IP%enabled components
Manufacturing
DoD 0I %1 !CS 41RS ,I,%(E
,overnment -!ederal.Public Sector/

1elematics 1raffic control 2otspots 1ransit services
Animal tags Imagery (otanical 0eat'er
2ome care 0ireless asset tracking Imaging Mobility
2ealt' Care
1ransportation
Agriculture. 0ildlife
6
Dramatic Increase in Enterprise Activity

0'y5 $nter)rise that is or /ill be eE)anding into emerging mar0ets $nter)rise that )artners /ith other com)anies /ho may use IPv6 Flarger enter)rise, located in emerging mar0ets, government, service )rovidersG Ado)tion o+ =indo/s 6, =indo/s 2007, irectAccess #reHuent ">A activity $nergy I Bigh density IP:enabled end)oints FSmartAridG
Presentation_I
Cisco
Planning > e)loyment Summary
Presentation_I
Cisco
Enterprise Adoption Spectrum

Mostly or completely past t'e 86'y59 p'ase J Assessment -e)e/ J 0eeding out vendors -features and :/ J !ocus on training and filling gaps
J
Is it real5 J Do I need to deploy every6'ere5 J E7uipment status5 J SP support5 J Addressing J 0'at does it cost5
J
Still fig'ting vendors Content and 6ide%scale app deployment J Revie6 operational cost of ) stacks J Competitive.Strategic advantages of ne6 environment
J J
Presentation_I
Cisco
!0
IPv6 Integration "utline

Pre%Deployment P'ases
Deployment P'ases
$stablish the net/or0 starting )oint Im)ortance o+ a net/or0 assessment and available tools e+ining early IPv6 security guidelines and reHuirements Additional IPv6 K)re: de)loymentL tas0s needing consideration
,rans)ort considerations +or integration Cam)us IPv6 integration o)tions =A. IPv6 integration o)tions Advanced IPv6 services o)tions
Presentation_I
Cisco
!!
Integration.Coe&istence Starting Points

1 2
$Eam)le1 Integration emarc2Start Points in Cam)us2=A.

Start dual:stac0 on hosts2*S Start dual:stac0 in cam)us distribution layer Fdetails +ollo/G
10.1.3.0/24 2001::/64 3 ;
Start dual:stac0 on the =A.2cam)us core2edge routers .A,6' +or servers2a))s only ca)able o+ IPv' Ftem)orary onlyG
v' and v6
$dge:to:Core
D 2
v6: $nabl ed v6 *nly 200!1126' IPv6 Server IPv':*nly Segment
Presentation_I
1 3
ual:Stac0 IPv':IPv6 Core and $dge
!0.!.'.022' 200!1126'
2 2
v' and v6
Start in Core and move to the edge

4
Cisco
ual:Stac0 IPv':IPv6 9outers
v' *nly !0.!.2.022'
.A,6'2 .S6 '
!2
Address Considerations
Presentation_I
Cisco
!5
2ierarc'ical Addressing and Aggregation

Site +
)**+<D(=<***+<***+<<.6; )**+<D(=<***+<***)<<.6;
)**+<D(=<***)<***+<<.6; )**+<D(=<***)<***)<<.6;
)**+<D(=<***+<<.;= Site )
ISP 2001:DB8::/32
"nly Announces t'e .>) Prefi&
IPv6 Internet 2000::/3
)**+<D(=<***)<<.;=
e+ault is 2'7 I can be larger I K$nd:user Additional AssignmentL htt)s122///.arin.net2resources2reHuest2i)v6_add_assign.html
Provider inde)endent I See .umber 9esource Policy "anual F.9P"G : htt)s122///.arin.net2)olicy2nr)m.html
Presentation_I
Cisco
!'
Summary of Address Considerations

Provider Inde)endent and2or Provider Assigned 3DA, 3DA M Alobal, Alobal only Pre+iE:length allocation
26' every/here eEce)t loo)bac0s F2!27G 26' on host lin0s, 2!26 on P2P lin0s, 2!27 on loo)bac0s (ariable )re+iE:lengths on host lin0s
Presentation_I
Cisco
!&
Do I ,et PI or PA5
It de)ends PI s)ace is great +or A9I. controlled s)ace Fnot all 9I9s have a))roved PI s)aceG PA is a great s)ace i+ you )lan to use the same SP +or a very long time or you )lan to .A, everything /ith IPv6 Fnot li0elyG "ore im)ortant things to considerCdo you get a )re+iE +or the entire com)any or do you get one )re+iE )er site F/hat de+ines a siteNG
Presentation_I
Cisco
!6
?@A# ?@A A ,lobal or ,lobal

=hat ty)e o+ addressing should I de)loy internal to my net/or0N It de)ends1
3DA:onlyC,oday, no IPv6 .A, is useable in )roduction so using 3DA:only /ill not /or0 eEternally to your net/or0 3DA M Alobal allo/s +or the best o+ both /orlds but at a )riceC much more address management /ith BCP, .S, routing and securityCSAS does not al/ays /or0 as it should Alobal:onlyC9ecommended a))roach but the old:school security +ol0s that believe to)ology hiding is essential in security /ill bar0 at this o)tion
DetOs eE)lore these o)tionsP
Presentation_I
Cisco
!6
?ni7ue%@ocal Addressing -R!C;+B>/

3sed +or internal communications, inter:site (P.s
.ot routable on the internetCbasically 9#C!;!7 +or IPv6 only betterCless li0elihood o+ collisions
e+ault )re+iE is 2'7

2'7 limits use in large organi8ations that /ill need more s)ace Semi:random generator )rohibits generating seHuentially QuseableO )re+iEesCno easy /ay to have aggregation /hen using multi)le 2'7s =hy not hac0 the generator to )roduce something larger than a 2'7 or even seHuential 2'7sN Is it QlegalO to use something other than a 2'7N Perha)s the entire s)aceN #orget legal, is it )racticalN Probably, but /ith dangersCremember the idea +or 3DAR internal addressing /ith a slim li0elihood o+ address collisions /ith ">A. 4y consuming a larger s)ace or the entire 3DA s)ace you /ill signi+icantly increase the chances o+ )ain in the +uture /ith ">A
9outing2security control
Sou must al/ays im)lement +ilters2ACDs to bloc0 any )ac0ets going in or out o+ your net/or0 Fat the Internet )erimeterG that contain a SA2 A that is in the 3DA rangeC today this the only /ay the 3DA sco)e : can be en+orced G ener at ed U is LA= f d9c: 58ed: 7d73: / 48
Aenerate your o/n 3DA1 htt)122///.siEEs.net2tools2grh2ula2 * M AC addr ess= 00: 0D : 9D : 93: A0: C3 ( H ew et t !ac"ar d# * $U % &4 addr ess= 0'0D 9D f f f e93A0C3
!7
?@A%"nly
Internet (ranc' +
.ot 9ecommended ,oday
Re7uires A1 for IPv6 ,lobal F l a rn )**+<D(=<CA!E<<.; E&te l a Corp 2C b ,lo = nal

Inter ?@A
!DBC<D=ED<EDE><)=**<<.6;
(ranc' )
Corporate (ackbone
!DBC<D=ED<EDE><>***<<.6;
?@A Space !DBC<D=ED<EDE><<.;=
!DBC<D=ED<EDE><<)<<.6;
$verything internal runs the 3DA s)ace A .A, su))orting IPv6 or a )roEy is reHuired to access IPv6 hosts on the internet C must run +ilters to )revent any SA2 A in 3DA range +rom being +or/arded =or0s as it does today /ith IPv' eEce)t that today, there are no scalable .A,2ProEies +or IPv6 9emoves the advantages o+ not having a .A, Fi.e. a))lication intero)erability, global multicast, end:to:end connectivityG
!;
?@A A ,lobal
Internet (ranc' +
.ot 9ecommended
,lobal F )**+<D(=<CA!E<<.; =
Corporate (ackbone
Corp 2C
!DBC<D=ED<EDE><)=**<<.6; )**+<D(=<CA!E<)=**<<.6;
(ranc' )
!DBC<D=ED<EDE><>***<<.6; )**+<D(=<CA!E<>***<<.6;
4oth 3DA and Alobal are used internally eEce)t +or internal:only hosts Source Address Selection FSASG is used to determine /hich address to use /hen communicating /ith other nodes internally or eEternally In theory, 3DA tal0s to 3DA and Alobal tal0s to AlobalCSAS QshouldO /or0 this out 3DA:only and Alobal:only hosts can tal0 to one another internal to the net/or0 e+ine a +ilter2)olicy that ensures your 3DA )re+iE does not Qlea0O out onto the Internet and ensure that no tra++ic can come in or out that has a 3DA )re+iE in the SA2 A +ields "anagement overhead +or BCP, .S, routing, security, etcP
2006 Cisco Systems, Inc. All rights reserved. Cisco
?@A Space !DBC<D=ED<EDE><<.;= !DBC<D=ED<EDE><<)<<.6; ,lobal F )**+<D(=<CA!E<<.;= )**+<D(=<CA!E<)<<.6;
Presentation_I
20
ConsiderationsG?@A A ,lobal
3se BCPv6 +or 3DA and AlobalCa))ly di++erent )olicies +or both Fli+etimes, o)tions, etc..G Chec0 routability +or bothCcan you reach an A 2 .S server regardless o+ /hich address you haveN Any )olicy using IPv6 addresses must be con+igured +or the a))ro)riate range FToS, ACD, load:balancers, P49, etc.G I+ using SDAAC +or bothC"icroso+t =indo/s allo/s you to enable2disable )rivacy eEtensions globallyCthis means you are either using them +or both or not at all@@@ *ne o)tion is to use SDAAC +or the Alobal range and enable )rivacy eEtensions and then use BCPv6 +or 3DA /ith another II value F$3I:6', reserved2admin de+ined, etc.G
Tem p orary P referred 6d 23h 59m 55s 23h 59m 55s 2001 : d b 8: cafe: 2: cd 22: 7629: f726: 6a6b D h cp P referred 1 3d 1 h 33m 55s 6d 1 h 33m 55s fd 9c: 58ed : 7d 73: 1 002: 8828: 723c: 275e:846d O th er P referred i fi i te i fi i te fe80: : 8828: 723c: 275e: 846d ! 8
3nli0e Alobal and lin0:local sco)es 3DA is not automatically controlled at the a))ro)riate boundaryCyou must )revent 3DA )re+iE +rom going out or in at your )erimeter SAS behavior is *S de)endent and there have been issues /ith it /or0ing reliably
Presentation_I
Cisco
2!
?@A A ,lobal E&ample

" d d r Typ e D " D # tate $ a% i d &i fe P ref' &i fe " d d ress ((((((((( ((((((((((( (((((((((( (((((((((( (((((((((((((((((((((((( D h cp P referred 1 3d 23h 48m 24s 6d 23h 48m 24s 2001 : d b 8: cafe: 2: c1 b 5: cc1 9: f87e: 3c41 D h cp P referred 1 3d 23h 48m 24s 6d 23h 48m 24s fd 9c: 58ed : 7d 73: 1 002: 8828: 723c: 275e: 846d O th er P referred i fi i te i fi i te fe80: : 8828: 723c: 275e: 846d ! 8
interface Vlan2 description ACCESS-DATA-2 ipv6 address 2001:DB8:CAFE:2::D6 !6" ipv6 address FD#C:$8ED:%D% :1002::D6 !6" ipv6 nd prefi& 2001:DB8:CAFE:2::!6" no-advertise ipv6 nd prefi& FD#C:$8ED:%D% :1002::!6" no-advertise ipv6 nd 'ana(ed-confi(-fla( ipv6 d)cp rela* destination 2001:DB8:CAFE:11::#
D2CPv6 Server )**+<D(=<CA!E<++<<B D2CPv6 Client Network
Presentation_I
Cisco
22
,lobal%"nly
Internet (ranc' +
9ecommended
,lobal F )**+<D(=<CA!E<<.; =
Corporate (ackbone
Corp 2C
)**+<D(=<CA!E<)=**<<.6;
(ranc' )
,lobal F )**+<D(=<CA!E<<.;=
)**+<D(=<CA!E<>***<<.6; )**+<D(=<CA!E<)<<.6;
Alobal is used every/here .o issues /ith SAS .o reHuirements to have .A, +or 3DA:to:Alobal translationCbut, .A, may be used +or other )ur)oses $asier management o+ BCP, .S, security, etc. *nly do/nside is brea0ing the habit o+ believing that to)ology hiding is a good security method
25
RandomiHed IID and Privacy E&tensions

$nabled by de+ault on "icroso+t =indo/s $nable2disable via AP* or CDI
nets) interface ipv6 set (lo+al rando'i,eidentifiers-disa+led store-persistent nets) interface ipv6 set privac* state-disa+led store-persistent
Presentation_I
Alternatively, use BCP Fsee laterG to a s)eci+ic )ool 9andomi8ed address are generated +or non:tem)orary autocon+igured addresses including )ublic and lin0:localC used instead o+ $3I:6' addresses 9andomi8ed addresses engage *)timistic A Cli0elihood o+ du)licate DD address is rare so 9S can be sent be+ore +ull A com)letion =indo/s (ista2=622007 send 9S /hile A is being )er+ormed to save time +or inter+ace initiali8ation Fread 9#C'762 on /hy this
2'
@ink @evelGPrefi& @engt' Considerations

6; bits
I 6; bits
J 6; bits

9ecommended by 9#C5!66 and IA42I$SA Consistency ma0es management easy "3S, +or SDAAC F"S#, BCPv6 alsoG Signi+icant address s)ace loss F!7.'66 TuintillionG
$nables more hosts )er broadcast domain Considered bad )ractice 6' bits o++ers more s)ace +or hosts than the media can su))ort e++iciently
Address s)ace conservation S)ecial cases1 2!26Cvalid +or )2) 2!26Cnot valid +or )2) F9#C5626G 2!27Cloo)bac0 Com)licates management "ust avoid overla) /ith s)eci+ic addresses1 9outer Anycast F9#C5&!5G $mbedded 9P F9#C5;&6G ISA,AP addresses
Presentation_I
Cisco
2&
?sing @ink%@ocal for on%Access Connections

3nder 9esearch
=hat i+ you did not have to /orry about addressing the net/or0 in+rastructure +or the )ur)ose o+ routingN
IPv6 IAPs use DD addressing *nly use Alobal or 3DA addresses at the edges +or host assignment #or IPv6 access to the net/or0 device itsel+ use a loo)bac0
=hat ha))ens to route +iltersN ACDsNC.othing, unless you are bloc0ing to2+rom the router itsel+ Stu++ to thin0 about1
Al/ays use a 9I Some Cisco devices reHuire Ki)v6 enableL on the inter+ace in order to generate and use a lin0:local address $nable the IAP on each inter+ace used +or routing or that reHuires its )re+iE to be advertised
Presentation_I
Cisco
26
?sing @@ A @oopback "nly

2001:db8:cafe:200::/6 4 998::1/1 28 998::2/1 28 2001:db8:cafe:100::/6 4
ipv6 .nicast-ro.tin( / interface 0oop+ac10 ipv6 address 2001:DB8:CAFE:##8::1!128 ipv6 ei(rp 10 / interface Vlan200 ipv6 address 2001:DB8:CAFE:200::1!6" ipv6 ei(rp 10 / interface 2i(a+itEt)ernet1!1 ipv6 ena+le ipv6 ei(rp 10 / ipv6 ro.ter ei(rp 10 ro.ter-id 103##3831 no s).tdo4n
ipv6 .nicast-ro.tin( / interface 0oop+ac10 ipv6 address 2001:DB8:CAFE:##8::2!128 ipv6 ei(rp 10 / interface 2i(a+itEt)ernet !" ipv6 ei(rp 10 / interface 2i(a+itEt)ernet1!2 ipv6 ei(rp 10 / ipv6 ro.ter ei(rp 10 ro.ter-id 103##3832 no s).tdo4n 56v6-E5276 nei()+ors for process 10 0 0in1-local address: FE80::212:D#FF:FE#2:DE%%
26
2i1!2
Interface%ID Selection
.et/or0 evices 9econnaissance +or net/or0 devicesCthe search +or something to attac0 3se random 6':bit inter+ace:I s +or net/or0 devices
200!1 471CA#$1211!26'CCommon II 200!1 471CA#$1211;A'514C& 26'C9andom II 200!1 471CA#$1211A00!1!0!026'CSemi:random II
*)erational management challenges /ith this ty)e o+ numbering scheme
Presentation_I
Cisco
27
D2CPv6
3)dated version o+ BCP +or IPv' Client detects the )resence o+ routers on the lin0 I+ +ound, then eEamines router advertisements to determine i+ BCP can or should be used I+ no router +ound or i+ BCP can be used, then
3sing the lin0:local address as the source address BCP Solicit message is sent to the All: BCP:Agents multicast address
Presentation_I
Cisco
2;
D2CPv6 "peration
Client Solicit 9elay Relay%!6d 6.Solicit Advertise Re7uest Relay%!6d 6.Re7uest Relay%Reply 6.Reply Reply All_ BCP_9elay_Agents_and_Servers F##0211!12G All_ BCP_Servers F##0&11!15G
Presentation_I
Server
Relay%Reply 6.Advertise
BCP "essages1 clients listen 3 P )ort &'6R servers and relay agents listen on 3 P )ort &'6
50
Stateful.Stateless D2CPv6
State+ul and stateless BCPv6 server
Cisco .et/or0 9egistrar1 htt)122///.cisco.com2en23S2)roducts2s/2netmgts/2)s!;722
"icroso+t =indo/s Server 20071 htt)122technet2.microso+t.com2/indo/sserver20072en2library2bab0+!a!:&'aa:'
BCPv6 9elayCsu))orted on routers and s/itches

IPv6 Enabled 2ost Network
interface FastEt)ernet0!1 description C05E8T 0589 ipv6 address 2001:DB8:CAFE:11::1!6" ipv6 nd prefi& 2001:DB8:CAFE:11::!6" no-advertise ipv6 nd 'ana(ed-confi(-fla( ipv6 nd ot)er-confi(-fla( ipv6 d)cp rela* destination 2001:DB8:CAFE:10::2
D2CPv 6 Server
5!
Presentation_I
Cisco
(asic D2CPv6 Message E&c'ange

D2CPv6 Client D2CPv6 Relay Agent D2CPv6 Server
Solicit-IAK A/ Advertise-IAK A-addr// Re7uest-IAK A/ Reply-IAK A-addr//
Relay%!or6-Solicit-IAK A// Relay%Repl-Advertise-IAK A-addr///
Relay%!or6-Re7uest-IAK A// Relay%Repl-Reply-IAK A-addr///
Address Assigned 1imer E&piring

Rene6-IAK A-addr// Reply-IAK A-addr// Relay%!or6-Rene6-IAK A-addr/// Relay%Repl-Reply-IAK A-addr///
S'utdo6n # link do6n # Release

Release-IAK A-addr// Reply-IAK A-addr// Relay%!or6-Release-IAK A-addr/// Relay%Repl-Reply-IAK A-addr///
Presentation_I
Cisco
52
C R.0)L=GD2CPv6
Presentation_I
Cisco
55
IPv6 ,eneral Prefi&

Provides an easy2+ast /ay to de)loy )re+iE changes $Eam)le1200!1db71ca+e112'7 U Aeneral Pre+iE #ill in inter+ace s)eci+ic +ields a+ter )re+iE
ipv6 .nicast-ro.tin( ipv6 cef ipv6 (eneral-prefi& ESE 2001:DB8:CAFE::!"8 / interface 2i(a+itEt)ernet !2 ipv6 address ESE ::2!126 ipv6 cef / interface 2i(a+itEt)ernet1!2 ipv6 address ESE ::E!126 ipv6 cef
ESE ::11:0:0:0:1 U 200!1db71ca+e1!!11!26'

interface Vlan11 ipv6 address ESE ::11:0:0:0:1!6" ipv6 cef / interface Vlan12 ipv6 address ESE ::12:0:0:0:1!6" ipv6 cef
2lo+al .nicast address:es;: 2001:DB8:CAFE:11::1< s.+net is 2001:DB8:CAFE:11::!6"
Presentation_I
Cisco
5'
Aeneral Conce)ts I #B9P, "ulticast and ToS
Presentation_I
Cisco
5&
!irst 2op Router Redundancy

BS9P +or v6
BS9 P Active BS9P Standb y
"odi+ication to .eighbor Advertisement, router Advertisement, and IC"Pv6 redirects (irtual "AC derived +rom BS9P grou) number and virtual IPv6 lin0:local address
AD4P +or v6
AD4P A(A, A(# AD4P A(#, S(#
"odi+ication to .eighbor Advertisement, 9outer AdvertisementCA= is announced via 9As (irtual "AC derived +rom AD4P grou) number and virtual IPv6 lin0:local address
eighbor ?nreachability Detection

9A Sent 9each:time U &,000 msec
#or rudimentary BA at the +irst B*P Bosts use .3 Kreachable timeL to cycle to neEt 0no/n de+ault gate/ay F50s by de+aultG
.o longer needed
56
!irst%2op Redundancy
=hen BS9P,AD4P and (99P +or IPv6 are not available .3 can be used +or rudimentary BA at the +irst:ho) Ftoday this only a))lies to the Cam)us2 CCBS9P is available on routersG
:confi(-if;=ipv6 nd reac)a+le-ti'e $000
Bosts use .3 Kreachable timeL to cycle to neEt 0no/n de+ault gate/ay F50 seconds by de+aultG Can be combined /ith de+ault router )re+erence to determine )rimary g/1
:confi(-if;=ipv6 nd ro.ter-preference >)i() ? 'edi.' ? lo4@ Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : 10312131031 fe80::211:+cff:fec0:d000A" fe80::211:+cff:fec0:c800A"
7eac)a+le Ti'e Base 7eac)a+le Ti'e
: 6s : $s
Acc ess @ay er R A 2 S R P R IP A v;
Distribution @ayer
1o Core @ayer
HS P for IPv4 !"# w$t% ad&'#ted reac%ab(e)t$*e for IPv6

56
2SRP for IPv6

"any similarities /ith BS9P +or IPv' Changes occur in .eighbor Advertisement, 9outer Advertisement, and IC"Pv6 HS P HS P redirects Standb+ !ct$ve .o need to con+igure A= on hosts F9As are sent +rom BS9P active routerG (irtual "AC derived +rom BS9P grou) number and virtual IPv6 lin0: local address IPv6 (irtual "AC range1 interface FastEt)ernet0!1
000&.65A0.0000 : 000&.65A0.0### F'0;6 addressesG ipv6 address 2001:DB8:66:6%::2!6" ipv6 cef
BS9P IPv6 3 P Port .umber 202; FIA.Astand+* AssignedG version 2 .o BS9P IPv6 secondary address stand+* 1 ipv6 a.toconfi( .o BS9P IPv6 s)eci+ic debug
stand+* 1 pree'pt
stand+* 1 ti'ers 'sec 2$0 'sec 800 stand+* 1 pree'pt dela* 'ini'.' 180
2ost 6it' ,0 of 3irtual IP
stand+* 1 a.t)entication 'd$ 1e*-strin( cisco
stand+* 1 trac1 FastEt)ernet0!0 =ro.te -A inet6 ? (rep ::!0 ? (rep et)2 ::!0 fe80::$:% ff:fea0:1 B2DA 102" 0
0 et)2
Presentation_I
Cisco
57
,@(P for IPv6

"any similarities /ith AD4P +or IPv' FCDI, load:balancingG "odi+ication to .eighbor Advertisement, 9outer Advertisement,@(P A= is announced via 9As
,@(P A3,# A3! A3!# S3!
(irtual "AC derived +rom AD4P grou) number and virtual IPv6 lin0:local address
interface FastEt)ernet0!0 ipv6 address 2001:DB8:1::1!6" ipv6 cef (l+p 1 ipv6 a.toconfi( (l+p 1 ti'ers 'sec 2$0 'sec %$0 (l+p 1 pree'pt dela* 'ini'.' 180 (l+p 1 a.t)entication 'd$ 1e*-strin( cisco
A3,MActive 3irtual ,ate6ay A3!MActive 3irtual !or6arder S3!MStandby 3irtual !or6arder

5;
IPv6 Multicast Availability

"ulticast Distener iscovery F"D G
$Huivalent to IA"P
PI" Arou) "odes1 S)arse "ode, 4idirectional and Source S)eci+ic "ulticast 9P e)loyment1 Static, $mbedded
S 2ost Multicast Control via M@D
D P D
Presentation_I
Cisco
'0
Multicast @istener Discovery< M@D

"ulticast Bost "embershi) Control
"D is eHuivalent to IA"P in IPv' "D messages are trans)orted over IC"Pv6 "D uses lin0 local source addresses "D )ac0ets use K9outer AlertL in eEtension header F9#C26!!G (ersion number con+usion1
"D v! F9#C26!0G li0e IA"Pv2 F9#C2256G "D v2 F9#C57!0G li0e IA"Pv5 F9#C5566G
2ost Multicast Control via M@D
"D snoo)ing
Presentation_I
Cisco
'!
Multicast Deployment "ptions

=ith and =ithout 9ende8vous Points F9PG
SSM# RPs R
D R
o S
ASM Single RPGStatic definitions R

D 2e is t'e RP P 2e is t'e RP
S
D 2e is t'e RP
ASM Across Single S'ared PIM Domain# "ne RPGEmbedded% RP AlertN I 6ant
,RPMA from RPM(
R
D P
'2
IPv6 CoS Synta& C'anges

IPv' syntaE has used Ki)L +ollo/ing match2set statements
E&ample< 'atc) ip dscp< set ip dscp
"odi+ication in ToS syntaE to su))ort IPv6 and IPv'

8e4 'atc) criteria 'atc) dscp C Datc) DSC6 in v"!v6 'atc) precedence C Datc) 6recedence in v"!v6 8e4 set criteria set dscp C Set DSC6 in v"!v6 set precedence C Set 6recedence in v"!v6
Additional su))ort +or IPv6 does not al/ays reHuire ne/ Command Dine Inter+ace FCDIG
E&ampleG0RED
Presentation_I
Cisco
'5
Scalability and Performance

IPv6 .eighbor Cache U A9P +or IPv'
In dual:stac0 net/or0s the +irst ho) routers2s/itches /ill no/ have more memory consum)tion due to IPv6 neighbor entries Fcan be multi)le )er hostG M A9P entries A9P entry +or host in the cam)us distribution layer1 5nternet 103120323200 2 000d3608"32c%a A76A Vlan2
IPv6 .eighbor Cache entry1 2001:DB8:CAFE:2:28#1:1C0C:F$2A:#DF1 2001:DB8:CAFE:2:%DE$:E2B0:D"DF:#%EC FE80::%DE$:E2B0:D"DF:#%EC " 000d3608"32c%a 16 000d3608"32c%a 16 000d3608"32c%a STA0E Vl2 STA0E Vl2 STA0E Vl2
#ull internet route tablesCensure to account +or ,CA"2memory reHuirements +or both IPv'2IPv6Cnot all vendors can )ro)erly su))ort both "ulti)le routing )rotocolsCIPv' and IPv6 /ill have se)arate routing )rotocols. $nsure enough CP32"emory is )resent Control )lane im)act /hen using tunnelsCterminate ISA,AP2con+igured tunnels in B= )lat+orms /hen attem)ting large scale de)loyments Fhundreds2thousands o+ tunnelsG
Presentation_I
Cisco
''
In+rastructure e)loyment
Start Bere1 Cisco I*S So+t/are 9elease S)eci+ics +or IPv6 #eatures
'ttp<..666OciscoOcom.univercd.cc.td.doc.product.soft6are.ios+)>.+)>cgcr.ipv6Kc.ftipv6sO'tm
Presentation_I
Cisco
'&
IPv6 Co%e&istence Solutions

ual Stac0
IPv' IPv6
9ecommended $nter)rise Co:eEistence strategy
,unneling Services
IPv' over IPv6 IPv6 over IPv'
Connect Islands o+ IPv6 or IPv'
Translation Services
IPv4
IPv6
Business Partners #overnment $%encies International Sites emote !or"ers Internet consumers
Connect to the IPv6 community

'6
Cam)us2 ata Center
'ttp<..666OciscoOcom.univercd.cc.td.doc.solution.campipv6Opdf
e)loying IPv6 in Cam)us .et/or0s1
$S$ Cam)us esign and Im)lementation Auides1
'ttp<..666OciscoOcom.en.?S.netsol.ns6D6.net6orkingKsolutionsKdesignKguidancesKlistO'tmlPanc'or)
Presentation_I
Cisco
'6
Campus IPv6 Deployment

,hree "aVor *)tions
ual:stac0C,he /ay to go +or obvious reasons1 )er+ormance, security, ToS, multicast and management
Dayer 5 s/itches should su))ort IPv6 +or/arding in hard/are
BybridC ual:stac0 /here )ossible, tunnels +or the rest, but all leveraging the eEisting design2gear
ProCDeverage eEisting gear and net/or0 design Ftraditional D22D5 and routed accessG ConC,unnels Fes)ecially ISA,APG cause unnatural things to be done to in+rastructure Fli0e core acting as access layerG and ISA,AP does not su))ort IPv6 multicast
IPv6 Service 4loc0CA ne/ net/or0 bloc0 used +or interim connectivity +or IPv6 overlay net/or0
ProCSe)aration, control and +leEibility Fstill su))orts traditional D22D5 and routed accessG
Presentation_I 2006 Cisco Systems, Inc. All rights reserved.
ConCCost Fmore gearG, does not +ully leverage eEisting design, still have to )lan +or a real dual:stac0 de)loyment and ISA,AP does not
Cisco
'7
Campus IPv6 Deployment "ptions

ual:Stac0 IPv'2IPv6
IPv6.IPv; Dual Stack 2osts %! reHuirementCs/itching2 routing )lat+orms must su))ort hard/are
based +or/arding +or IPv6
IPv6 is trans)arent on D2 s/itches butC

D2 multicastC"D snoo)ing IPv6 managementC,elnet2SSB2B,,P2S."P Intelligent IP services on =DA.
v6% Enab led
Access @ayer
$E)ect to run the same IAPs as /ith IPv' (SS su))orts IPv6
v6% Enab led
D u a l S t a c k
D u a l S t a c k
@).@ >
v6% Enab led
Distributio n @ayer
v6% Enab led
Core @ayer
v6% Enabled
v6% Enabled
Aggregation @ayer -DC/
Access @ayer -DC/
Dual% stack Server

';
Access @ayer< Dual Stack
Catalyst 5&60256&0CIn order to enable IPv6 +unctionality the )ro)er S " tem)late needs to be de+ined F htt)122///.cisco.com2univercd2cc2td2doc2)roduct2lan2cat56&02!222& G
S4itc):confi(;=sd' prefer d.al-ipv"-and-ipv6 defa.lt
I+ using a traditional Dayer:2 access design, the only thing that needs to be enabled on the access s/itch Fmanagement2security discussed laterG is "D snoo)ing1
S4itc):confi(;=ipv6 'ld snoopin( 5&60256&0 non:$ series cannot su))ort both BS9P +or IPv' and BS9P +or IPv6 on the same inter+ace htt)122///.cisco.com2en23S2docs2s/itches2lan2catalyst56&02so+t/ar
Presentation_I
Cisco
&0
Distribution @ayer< 2SRP# EI,RP and D2CPv6%relay -@ayer ) Access/

ipv6 .nicast-ro.tin( / interface 2i(a+itEt)ernet1!0!1 description To 61-core-ri()t ipv6 address 2001:DB8:CAFE:110$::A001:1010!6" ipv6 ei(rp 10 ipv6 )ello-interval ei(rp 10 1 ipv6 )old-ti'e ei(rp 10 ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ei(rp / interface 2i(a+itEt)ernet1!0!2 description To 61-core-left ipv6 address 2001:DB8:CAFE:1106::A001:1010!6" ipv6 ei(rp 10 ipv6 )ello-interval ei(rp 10 1 ipv6 )old-ti'e ei(rp 10 ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ei(rp interface Vlan" description Data V0A8 for Access ipv6 address 2001:DB8:CAFE:"::2!6" ipv6 nd prefi& 2001:DB8:CAFE:"::!6" no-advertise ipv6 nd 'ana(ed-confi(-fla( ipv6 d)cp rela* destination 2001:DB8:CAFE:10::2 ipv6 ei(rp 10 stand+* version 2 stand+* 2 ipv6 a.toconfi( stand+* 2 ti'ers 'sec 2$0 'sec %$0 stand+* 2 priorit* 110 stand+* 2 pree'pt dela* 'ini'.' 180 stand+* 2 a.t)entication ese / ipv6 ro.ter ei(rp 10 no s).tdo4n ro.ter-id 103122310310 passive-interface Vlan" passive-interface 0oop+ac10
Some *S2)atches may need Kno:autocon+igL

&!
Distribution @ayer< E&ample 6it' ?@A and ,eneral Prefi& feature

ipv6 (eneral-prefi& B0A-CE7E FD#C:$8ED:%D% ::!$ ipv6 (eneral-prefi& B0A-ACC FD#C:$8ED:%D% :1000::!$ ipv6 .nicast-ro.tin( / interface 2i(a+itEt)ernet1!0!1 description To 61-core-ri()t ipv6 address B0A-CE7E :: :0:0:0:D6 !6" ipv6 ei(rp 10 ipv6 )ello-interval ei(rp 10 1 ipv6 )old-ti'e ei(rp 10 ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ei(rp ipv6 s.''ar*-address ei(rp 10 FD#C:$8ED:%D% :1000::!$ / interface 2i(a+itEt)ernet1!0!2 description To 61-core-left ipv6 address B0A-CE7E ::C:0:0:0:D6 !6" ipv6 ei(rp 10 ipv6 )ello-interval ei(rp 10 1 ipv6 )old-ti'e ei(rp 10 ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ei(rp ipv6 s.''ar*-address ei(rp 10 FD#C:$8ED:%D% :1000::!$ interface Vlan" description Data V0A8 for Access ipv6 address B0A-ACC ::D6 !6" ipv6 nd prefi& FD#C:$8ED:%D% :1002::!6" no-advertise ipv6 nd 'ana(ed-confi(-fla( ipv6 d)cp rela* destination fd#c:$8ed:%d% :811::# ipv6 ei(rp 10 stand+* version 2 stand+* 2 ipv6 a.toconfi( stand+* 2 ti'ers 'sec 2$0 'sec %$0 stand+* 2 priorit* 110 stand+* 2 pree'pt dela* 'ini'.' 180 stand+* 2 a.t)entication ese / ipv6 ro.ter ei(rp 10 no s).tdo4n ro.ter-id 103122310310 passive-interface Vlan" passive-interface 0oop+ac10
Presentation_I
Cisco
&2
Distribution @ayer< "SP! 6it' -@ayer ) Access/

ipv6 .nicast-ro.tin( ipv6 '.lticast-ro.tin( ipv6 cef distri+.ted / interface 2i(a+itEt)ernet1!1 description To 61-core-ri()t ipv6 address 2001:DB8:CAFE:110$::A001:1010!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 0 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval / interface 2i(a+itEt)ernet1!2 description To 61-core-left ipv6 address 2001:DB8:CAFE:1106::A001:1010!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 0 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval
?D
interface Vlan2 description Data V0A8 for Access ipv6 address 2001:DB8:CAFE:2::A001:1010!6" ipv6 nd reac)a+le-ti'e $000 ipv6 nd ro.ter-preference )i() no ipv6 redirects ipv6 ospf 1 area 1 / ipv6 ro.ter ospf 1 a.to-cost reference-+and4idt) 10000 ro.ter-id 1031223032$ lo(-adFacenc*-c)an(es area 2 ran(e 2001:DB8:CAFE:&&&&::!&& ti'ers spf 1 $
&5
Access @ayer< Dual Stack -Routed Access/

ipv6 .nicast-ro.tin( ipv6 cef / interface 2i(a+itEt)ernet1!0!2$ description To 61-dist-1 ipv6 address 2001:DB8:CAFE:1100::CAC1: %$0!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 2 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval ipv6 cef / interface 2i(a+itEt)ernet1!0!26 description To 61-dist-2 ipv6 address 2001:DB8:CAFE:1101::CAC1: %$0!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 2 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval ipv6 cef
interface Vlan2 description Data V0A8 for Access ipv6 address 2001:DB8:CAFE:2::CAC1: %$0!6" ipv6 ospf 1 area 2 ipv6 cef / ipv6 ro.ter ospf 1 ro.ter-id 1031203231 lo(-adFacenc*-c)an(es a.to-cost reference-+and4idt) 10000 area 2 st.+ no-s.''ar* passive-interface Vlan2 ti'ers spf 1 $
&'
Distribution @ayer< Dual Stack -Routed Access/

ipv6 .nicast-ro.tin( ipv6 '.lticast-ro.tin( ipv6 cef distri+.ted / interface 2i(a+itEt)ernet !1 description To %$0-acc-1 ipv6 address 2001:DB8:CAFE:1100::A001:1010!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 2 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval ipv6 cef / interface 2i(a+itEt)ernet1!2 description To %$0-acc-2 ipv6 address 2001:DB8:CAFE:110 ::A001:1010!6" no ipv6 redirects ipv6 nd s.ppress-ra ipv6 ospf net4or1 point-to-point ipv6 ospf 1 area 2 ipv6 ospf )ello-interval 1 ipv6 ospf dead-interval ipv6 cef Presentation_I 2006 Cisco Systems, Inc. All rights reserved. Cisco ipv6 ro.ter ospf 1 a.to-cost reference-+and4idt) 10000 ro.ter-id 1031223032$ lo(-adFacenc*-c)an(es area 2 st.+ no-s.''ar* passive-interface Vlan2 area 2 ran(e 2001:DB8:CAFE:&&&&::!&& ti'ers spf 1 $
&&

Bybrid "odel
*++ers IPv6 connectivity via multi)le o)tions
ual:stac0 Con+igured tunnelsCD5:to:D5
IPv6.IPv; Dual Stack 2osts

Access @ayer
ISA,APCBost:to:D5
@).@ >
"1 v6% Enab led v6% Enab led
I S ! , I ! S P ! , ! P
"1 v6% Enab led v6% Enab led
Distributio n @ayer
Deverages eEisting net/or0 *++ers natural )rogression to +ull dual:stac0 design "ay reHuire tunneling to less:than:o)timal layers Fi.e. core layerG ISA,AP creates a +lat net/or0 Fall hosts on same tunnel are )eersG
Create tunnels )er (DA.2subnet to 0ee) same segregation as eEisting design Fnot clean todayG
Core @ayer
v6% Enabled
Presentation_I
Provides basic BA o+ ISA,AP tunnels via old Anycast:9P idea

Dual% stack Server
D u a l S t a c k
D u a l S t a c k
v6% Enabled
Aggregation @ayer -DC/
Access @ayer -DC/
&6
IPv6 ISA1AP Implementation

ISA,AP Bost Considerations
ISA,AP is available on =indo/s WP, =indo/s 2005, (ista2Server 2007, )ort +or DinuE I+ =indo/s host does not detect IPv6 ca)abilities on the )hysical inter+ace then an e++ort to use ISA,AP is started Can learn o+ ISA,AP routers via .S KAL record loo0u) Kisata)L or via static con+iguration
I+ .S is used then Bost2Subnet ma))ing to certain tunnels cannot be accom)lished due to the lac0 o+ naming +leEibility in ISA,AP ,/o or more ISA,AP routers can be added to .S and ISA,AP /ill determine /hich one to use and also +ail to the other one u)on +ailure o+ +irst entry I+ .S 8oning is used /ithin the enter)rise then ISA,AP entries +or di++erent routers can be used in each 8one
In the )resented design the static con+iguration o)tion is used to ensure each host is associated /ith the correct ISA,AP tunnel Can conditionally set the ISA,AP router )er host based on subnet, userid, de)artment and )ossibly other )arameters such as role
&6
2ig'ly Available ISA1AP Design

,o)ology
PC+ % Red 3@A )
ISA,AP tunnels +rom PCs in access layer to core s/itches 9edundant tunnels to core or service bloc0 Access @ayer 3se IAP to )re+er one core s/itch over another Fboth v' and v6 routesGC deterministic Distributio Pre+erence is im)ortant due to the reHuirement to have tra++ic FIPv'2IPv6G n @ayer "1 "1 route to the same inter+ace FtunnelG /here host is terminated onC v6% v6% =indo/s WP22005 Enab Enab led led v6% =or0s li0e Anycast:9P /ithCore IPmc @ayer v6% Enab Enab D D led led u u a a Aggregation l l @ayer -DC/ v6% v6% Enabled S S Enabled t t Access a a @ayer -DC/ c c Primary ISA1AP 1unnel IPv6 k k Server
PC) % (lue 3@A >
Secondary ISA1AP 1unnel

&7
IPv6 Campus ISA1AP Configuration

9edundant ,unnels
ISA1AP Primary
interface T.nnel2 ipv6 address 2001:DB8:CAFE:2::!6" e.i-6" no ipv6 nd s.ppress-ra ipv6 ospf 1 area 2 t.nnel so.rce 0oop+ac12 t.nnel 'ode ipv6ip isatap / interface T.nnel ipv6 address 2001:DB8:CAFE: ::!6" e.i-6" no ipv6 nd s.ppress-ra ipv6 ospf 1 area 2 t.nnel so.rce 0oop+ac1 t.nnel 'ode ipv6ip isatap / interface 0oop+ac12 description T.nnel so.rce for 5SATA6-V0A82 ip address 1031223103102 2$$32$$32$$32$$ / interface 0oop+ac1 description T.nnel so.rce for 5SATA6-V0A8
Presentation_I
ISA1AP Secondary
interface T.nnel2 ipv6 address 2001:DB8:CAFE:2::!6" e.i-6" no ipv6 nd s.ppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 t.nnel so.rce 0oop+ac12 t.nnel 'ode ipv6ip isatap / interface T.nnel ipv6 address 2001:DB8:CAFE: ::!6" e.i-6" no ipv6 nd s.ppress-ra ipv6 ospf 1 area 2 ipv6 ospf cost 10 t.nnel so.rce 0oop+ac1 t.nnel 'ode ipv6ip isatap / interface 0oop+ac12 ip address 1031223103102 2$$32$$32$$32$$ dela* 1000 / interface 0oop+ac1 ip address 103122310310 dela* 1000 2$$32$$32$$32$$
&;
ip address 103122310310 2$$32$$32$$32$$ 2006 Cisco Systems, Inc. All rights reserved. Cisco

IPv' and IPv6 9outingC*)tions
ISA1AP SecondaryG(and6idt' adQustment
interface 0oop+ac12 ip address 1031223103102 2$$32$$32$$32$$ dela* 1000
,o in+luence IPv' routing to )re+er one ISA,AP tunnel source over anotherCalter delay2cost or mas0 length Do/er timers Ftimers s)+, hello2hold, deadG to reduce convergence times 3se recommended summari8ation and2or use o+ stubs to reduce routes and convergence times
Set RID to ensure redundant loopback addresses do not cause duplicate RID issues
ISA1AP PrimaryG@ongest%matc' adQustment

interface 0oop+ac12 ip address 1031223103102 2$$32$$32$$32$$
ISA1AP SecondaryG@ongest%matc' adQustment

interface 0oop+ac12 ip address 1031223103102 2$$32$$32$$32$"
IPv;GEI,RP
ro.ter ei(rp 10 ei(rp ro.ter-id 1031223103
IPv6G"SP!v>
ipv6 ro.ter ospf 1 ro.ter-id 1031223103

60
Distribution @ayer Routes

acc%) dis t%) cor e%)
Primary2Secondary Paths to ISA,AP ,unnel Sources
@oopback )G+*O+))O+*O+*) ?sed as SEC" DARR ISA1AP tunnel source 3@A ) +*O+)*O)O* .); acc%+ @oopback )G+*O+))O+*O+*) ?sed as PRIMARR ISA1AP tunnel source
cor dis e%+ t%+ Preferred route to +*O+))O+*O+*)
Pre&erre' route to 10.122.10.102 on ($I)* +
4e+ore dist-1=s)o4 #ailure

D
ip ro.te ? + 1031223103102! 2
1031223103102! 2 G#0!1 0816H via 103122303"1< 00:0#:2 < 2i(a+itEt)ernet1!0!2%
$&ter (ailure
dist-1=s)o4 ip ro.te ? + 1031223103102! 2 D 1031223103102! 2 G#0!2$8816H via 103122303"#< 00:00:08< 2i(a+itEt)ernet1!0!28
Presentation_I
Cisco
6!

ISA,AP Client Con+iguration
0indo6s SP.3ista 2ost C:IJnets) int ipv6 isatap set ro.ter 103122310310 E13
interface T.nnel ipv6 address 2001:DB8:CAFE: ::!6" e.i-6" no ipv6 nd s.ppress-ra ipv6 ei(rp 10 t.nnel so.rce 0oop+ac1 t.nnel 'ode ipv6ip isatap / interface 0oop+ac1 description T.nnel so.rce for 5SATA6-V0A8 ip address 103122310310 2$$32$$32$$32$$
+*O+)*O>O+ *+
e6 tunnel comes up 6'en failure occurs
int tu> int lo> +*O+))O+*O+*>
int tu> int lo> +*O+))O+*O+* >
T.nnel adapter A.to'atic T.nnelin( 6se.do-5nterface: Connection-specific D8S S.ffi& 3 : 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 2001:d+8:cafe: :0:$efe:1031203 3101 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : fe80::$efe:1031203 3101A2 Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : fe80::$efe:103122310310 A2
Presentation_I
Cisco
62
IPv6 Configured 1unnels

,hin0 A9$ or IP:in:IP ,unnels
$nca)sulating IPv6 into IPv' !cce 3sed to traverse IPv' only devices2lin0s2net/or0s ## ,reat them Vust li0e standard IP lin0s Fonly insure solid IPv' routing2BA bet/een tunnel inter+acesG D$#tr$b't$ on Provides +or same routing, ToS, multicast as /ith dual:stac0 In B=, )er+ormance should be similar to standard tunnels ,, , . ' ' ' o r n n n e n n n ee e (( ( !--re-at$
interface T.nnel0 ipv6 cef ipv6 address 2001:DB8:CAFE:1 ::1!12% ipv6 ei(rp 10 t.nnel so.rce 0oop+ac1 t.nnel destination 1%23163231 t.nnel 'ode ipv6ip
interface 2i(a+itEt)ernet1!1 ipv6 address 2001:DB8:CAFE:1 ::"!12% ipv6 ei(rp 10 ipv6 cef / interface 0oop+ac1 ip address 1%23163131 2$$32$$32$$32$2
65
, ' n n e
on
Campus 2ybrid Model +

ToS
!. Classi+ication and mar0ing o+ IPv6 is done on the egress inter+aces on the core layer s/itches because )ac0ets have been tunneled until this )ointC ToS )olicies +or classi+ication and mar0ing cannot be a))lied to the ISA,AP tunnels on ingress ,he classi+ied and mar0ed IPv6 )ac0ets can no/ be eEamined by u)stream s/itches Fe.g. aggregation layer s/itchesG and the a))ro)riate ToS )olicies can be a))lied on ingress. ,hese )olices may include trust FingressG, )olicing FingressG and Hueuing FegressG
Acc ess @ay er Distribution @ayer C or e @a ye r Aggregat ion @ayer -DC/ Access @ayer -DC/ IPv6.IP v; Dual% stack Server
2.
IPv6.IPv; Dual%stack 2osts
+
Acc ess (lo ck
Data Center (lock
Presentation_I
Cisco
IPv6 and IPv;
6'
Campus 2ybrid Model +

'ls Kos / class-'ap 'atc)-all CAD6BS-BB09-DATA 'atc) access-(ro.p na'e BB09-A66S class-'ap 'atc)-all CAD6BS-T7A8SACT5E8A0-DATA 'atc) access-(ro.p na'e T7A8SACT5E8A0-A66S / polic*-'ap 56v6-5SATA6-DA79 class CAD6BS-BB09-DATA set dscp af11 class CAD6BS-T7A8SACT5E8A0-DATA set dscp af21 class class-defa.lt set dscp defa.lt / ipv6 access-list BB09-A66S per'it tcp an* an* eK ftp per'it tcp an* an* eK ftp-data / ipv6 access-list T7A8SACT5E8A0-A66S per'it tcp an* an* eK telnet
Presentation_I 2006 Cisco Systems, All rights per'it tcp an* an* Inc. eK 22 reserved. Cisco
ToS Con+iguration Sam)leCCore Dayer

ipv6 access-list BB09-A66S per'it tcp an* an* eK ftp per'it tcp an* an* eK ftp-data / ipv6 access-list T7A8SACT5E8A0-A66S per'it tcp an* an* eK telnet per'it tcp an* an* eK 22 / interface 2i(a+itEt)ernet2!1 description to 61-a((-1 'ls Kos tr.st dscp service-polic* o.tp.t 56v6-5SATA6-DA79 / interface 2i(a+itEt)ernet2!2 description to 61-a((-2 'ls Kos tr.st dscp service-polic* o.tp.t 56v6-5SATA6-DA79 / interface 2i(a+itEt)ernet2! description to 61-core-1 'ls Kos tr.st dscp service-polic* o.tp.t 56v6-5SATA6-DA79
6&

IPv6 Service 4loc0Can Interim A))roach
Provides ability to ra)idly de)loy IPv6 services /ithout touching eEisting net/or0 Provides tight control o+ /here IPv6 is de)loyed and /here the tra++ic +lo/s Fmaintain se)aration o+ grou)s2locationsG *++ers the same advantages as Bybrid "odel /ithout the alteration to eEisting code2con+igurations Con+igurations are very similar to the Bybrid "odel
ISA,AP tunnels +rom PCs in access layer to service bloc0 s/itches Finstead o+ core layerC BybridG
23!N 2
23!N 3
IPv4) on(+ .a*4 '# B(ock
!cce ## 3a+ er D$ #t5 3a +e r .o re 3a +e r !3a +e !cce r ## 3a+ er
IS!,! P
IPv6 Serv$ce B(ock

Ded$cated /0
2 I n t e r n e t
66
!G Deverage eEisting ISP bloc0 +or both IPv' and IPv6 access 2G 3se dedicated ISP connection Vust +or IPv6CCan use I*S #= or PIW2ASA a))liance Primary ISA1AP 1unnel Secondary ISA1AP 1unnel
I1S /0
1
Data .enter B(ock
0!N/ISP B(ock
Campus Service (lock

ToS +rom Access Dayer
ISA1AP 1unnels
!. Same )olicy design as Bybrid "odelC,he +irst )lace to im)lement classi+ication and mar0ing +rom the access layer is a+ter deca)sulation FISA,APG /hich is on the egress inter+aces on the service bloc0 s/itches 2. IPv6 )ac0ets received +rom ISA,AP inter+aces /ill have egress )olicies Acc ess Fclassi+ication2 mar0ingG a))lied on the con+igured tunnel inter+aces (lo 1raffic 5. Aggregation2access s/itches can a))ly egress2ingress )olicies Ftrust, Service (lock )olicing, HueuingG to IPv6 )ac0ets headed +or C services
C or e @a ye r Aggregat ion @ayer -DC/ Access @ayer -DC/ IPv6.IP v; Dual% stack Server ck !lo6
Acc ess @ay IPv6.IPv; Dual%stack er 2osts
Distributi on @ayer
C or e @a ye r
Configured 1unnels
> >
Data Center (lock IPv6 and IPv; 1raffic Enabled !lo6 66
)
Service (lock
Presentation_I
Cisco
ISA1AP Scalability 1esting Results

CP3 and memory utili8ation during scale o+ ISA,AP tunnels
P of 1unnels (efore !00 tunnel 200 tunnel &00 tunnel 2 2 2 + minO CP? T After 2 2 ' 7'&2'6277 75;2&6!67 726'!7;0' !ree Memory
,ra++ic convergence +or each tunnel

Convergence for upstream -ms/ Client to Server )*=U>6B >6DUE=*
P of 1unnel +** tunnel D** tunnel

Presentation_I
Convergence for do6nstream Convergence for -ms/ Recovery -ms/ Server to Client >D>UD>) >=BU+)6+ AvgO Server to Client ;;> =)= upstream do6nstream * *U>> * ++U;>
67
AvgO Client to Server >D* 6*>
Cisco
Cisco 3SS F DSM . 2ybrid . Service (lock

Cisco (SS o++ers a greatly sim)li+ied con+iguration and eEtremely +ast convergence +or IPv6 de)loyment ual stac0 I Place (SS )air in distribution and2or core layers I BA and sim)li+ied2reduced IPv6 con+iguration Bybrid model I I+ terminating tunnels against (SS Fi.e. (SS at core layerG, "3CB easier to con+igure tunnels +or BA as only one tunnel con+iguration is needed Service 4loc0 I 3se (SS as the S4 )air I again, A9$A,DS sim)li+ied con+iguration and decrease convergence times@@
Presentation_I
Cisco
6;
IPv6 Data Center Integration

,he single most overloo0ed and )otentially com)licated area o+ IPv6 de)loyment #ront:end design /ill be similar to cam)us based on +eature, )lat+orm and connectivity similarities I .eEus, 6&00 ';00" IPv6 +or SA. is su))orted in SA.:*S 5.0 "aVor issue in C /ith IPv6 today: .IC ,eaming =atch status o+ IPv6 su))ort +rom A)), Arid, 4 vendors, C management
Aet granular I e.g. iD* Im)act on clusters I "icroso+t Server 2007 #ailover clusters +ull su))ort IPv6 Fand D5G
4uild an IPv6:only server +armN
Presentation_I
Cisco
60
IPv6 Data Center Integration

#ront:end design /ill be similar to cam)us based on +eature, )lat+orm and connectivity similarities I .eEus, 6&00 ';00" ,he single most overloo0ed and )otentially com)licated area o+ IPv6 de)loyment IPv6 +or SA. is su))orted in SA.:*S 5.0 Stu++ )eo)le donOt thin0 about1
.IC ,eaming, iD*, 9AC, IP X(", Clusters Innocent loo0ing Server *S u)grades I =indo/s Server 2007 : Im)act on clusters I "icroso+t Server 2007 #ailover clusters +ull su))ort IPv6 Fand D5G
4uild an IPv6:only server +armN
Presentation_I
Cisco
6!
IPv6 in t'e Enterprise Data Center

(iggest C'allenges 1oday
.et/or0 services above D5
A))lication *)timi8ation Bigh:s)eed security ins)ection2)erimeter )rotection SD4, SSD:*++load, a))lication monitoring F)robesG
A))lication su))ort +or IPv6 I Xno/ /hat you donOt 0no/

I+ an a))lication is )rotocol centric FIPv'G1 .eeds to be re/ritten .eeds to be translated until it is re)laced =ait and )ressure vendors to move to )rotocol agnostic +rame/or0
(irtuali8ed and Consolidated
(irtuali8ation Qshould ma0e Cs sim)ler and more +leEible Dac0 o+ robust C2A))lication management is o+ten the root cause o+ all evil $nsure management systems su))ort IPv6 as /ell as the devices being managed
ata Centers
Presentation_I
Cisco
62
3irtualiHed DC Solutions
DC Core
e&usV E***
DC Aggregation
CiscoV Catalyst V 6D** 3SS !0Ab$ C Services
e&us V E***
DC Access
Cisco Catalyst 6&00 Cisco Catalyst ';EE
t a =h
C(S 5!00 MDS ;!2' e
a e h t t u o ab
e&us 6000 e&u s 2000 e&u s !000 v e&u s &000 MD S ;&0 0
ACE.ASA.0AAS C Services
N s ))
e&u s !000 v ?nified Computing System
DC SA
MD S ;&0 0
,igabit Et'ernet +* ,igabit Et'ernet +* ,igabit DC( ;,b !ibre C'annel +* ,igabit !CoE.DC(
65
Commonly Deployed IPv6%enabled "S.Apps

(irtuali8ation =indo/s *)erating6 Systems > A))lications =indo/s Server 2007292 ("/are vS)here '.! S3S$ "icroso+t By)er:( 9ed Bat "icroso+t $Echange 2006 3buntu SP!220!0 ,he list goes A)ache2IIS =ebon Services =indo/s "edia Services "ulti)le Dine o+ 4usiness a))s
Most commercial applications 6onWt be your problem F it 6ill be t'e custom.'ome%gro6n apps
6'
IPv6 Deployment in t'e Data Center

Services2A))liances o .ot Su))ort IPv6
,rans)arent IPv6 tra++ic is bridged bet/een (DA.s *ne:Armed IPv6 tra++ic by)asses services 9outed Create trun0 bet/een s/itch and server edicated Server #arm .e/ IPv6 only servers can be connected to eEisting access2agg )air on Permit $therty)e 0E76dd IPv' tra++ic is sent to one: IPv' has de+ault gate/ay di++erent (DA.s FIPv6G arm attached on service module module2a))liance .e/ access2agg s/itches IPv6 on se)arate (DA. to Vust +or IPv6 servers "S#C
S/itch
3@A +*> Permit *&=6dd 3@A )*>
S/itch
S/itch
S/itch
3@A +*
3@A ++
,run0
Dual stack server IPv4

Dual stack server IPv6

Cisco
Dual stack server
IPv; server
IPv6 server
6&
0'at About 1ranslation5

.A,:P,
"oved to Bistoric in I$,# F9#C';66G *nly in I*S Fno B= su))ort +or .A,:P,G Dimited ADA su))ort Can be com)leE to con+igure and troubleshoot
Port)roEy
*++ered in "icroso+t =indo/s FWP, 2005, (ista2=6, 2007G 4asically, it is )rotocol and )ort +or/arding Allo/s v':to:v6, v6:to:v6 and v6:to:v' Doad is CP3 bound (ery sim)le to con+igure Fon a )er host basis or as an a))lianceG
I(I
dra+t:Eli:behave:ivi:0!.tEt I Pre+iE:s)eci+ic and Stateless Address "a))ing KI(LU', K(ILU6 I 4ased on 9oman numerals
I(I is good at /hat translators due Cisco but it is Vust as bad /ith /hat translators
66
Microsoft 0indo6s PortPro&y

Can be treated li0e an a))liance
*ne:arm ual:attached Fbetter )er+G
)**+<db=<cafe<+)<<)D +*O+)+O+)O)D PortPro&y "ne%Arm 3IPM+*O+)+ODO)* ACE PortPro&y Dual%Attac'ed
*utside tra++ic comes in on IPv6CPortProEy to v' F(IP address on AC$G ,ra++ic is IPv' to server
IPv;%only 0eb Server
Presentation_I
Cisco
66
PortPro&y Configuration.Monitoring
nets) interface portpro&*Js) all 0isten on ipv6: Address 6ort --------------- ---------2001:d+8:cafe:12::2$ 80 Active Connections 6roto TC6 TC6 conn-id 1" 1 0ocal Address 10312131232$:$81"1 Forei(n Address 1031213$320:)ttp State ESTAB05SLED ESTAB05SLED state ESTAB ESTAB Connect to ipv": Address 1031213$320 6ort 80 --------------- ----------
ads+
G2001:d+8:cafe:12::2$H:80 np dir proto vlan so.rce 1 1 in TC6 $ $
G2001:d+8:cafe:10::1%H:$20"% destination 1031213$320:80 1031213$312:1062
----------M--M---M-----M----M---------------------M---------------------M------M 10312131232$:$8$% 10312131"31$:80 o.t TC6
Presentation_I
Cisco
67
PortPro&y Performance
,hrough)ut $Eam)le
211P 1'roug'put Comparison % Direct vsO PortPro&y
+* B = E 6 D ; > ) + *
1'roug'put -Mbps/
Presentation_I
Cisco
6;
PortPro&y Performance
CP3 3tili8ation on PortProEy Server
Presentation_I
Cisco
70
Cisco IPv6 Storage et6orking

SA %"S >O&
Core -2ost Implementation/

Applications and Mgmt
IPv6 -R!C );6*/
ICMPv6 -R!C );6>/ eig'bor Discovery -R!C );6+/ Stateless Auto%configuration 3RRP for IPv6 for application redundancy -IE1! Draft/
1elnet# 1!1P# !1P# SCP# D S Resolver# 211P# Ping# 1raceroute# SS2 Cisco IP# IP%!or6arding and 3RRP MI(s S MP over IPv6
Security
IPv6 Access Control lists IPv6 IPsec ->O)/
SA
Applications
IP StorageGiSCSI# IS S# and !CIP Xone Server# !C ame Server IPv6 over !C "t'er modulesGegO 1P# fc% tunnel etcO
6DS 9700 /a*$(+

7!
iSCSI.3RRP for IPv6

Initiator Configured to See 1argets at 3irtual Address
IPv6 et6ork
3irtual Address IPv6< )**+<db=<cafe<+)<<D Real ,igE Address IPv6< )**+<db=<cafe<+)<<D
MDS%+ !C SA p00 a Storage Array
)**+<db=<cafe<+*<<+;
$S.SI
Real ,igE Address IP< )**+<db=<cafe<+)<<6
Initiator 6it' IC 1eaming
MDS%)
Same con+iguration reHuirements and o)eration as /ith IPv' Can use automatic )reem)tionCcon+igure (9 address to be the same as )hysical inter+ace o+ K)rimaryL Bost:side BA uses .IC teaming Fsee slides +or .IC teamingG SA.:*S 5.2 /ill su))ort iSCSI /ith IPsec
72
iSCSI IPv6 E&ampleGMDS

Initiator2,arget
iscsi virt.al-tar(et na'e iscsi-atto-tar(et pNN8 21:00:00:10:86:10:"6:#c initiator iKn31##1-0$3co'3'icrosoft:4218-svr-013cisco3co' per'it iscsi initiator na'e iKn31##1-0$3co'3'icrosoft:4218-svr-013cisco3co' static pNN8 2":01:00:0d:ec:2":%c:"2 vsan 1 ,one defa.lt-,one per'it vsan 1 ,one na'e iscsi-,one vsan 1 'e'+er s*'+olic-nodena'e iKn31##1-0$3co'3'icrosoft:4218-svr-013cisco3co' 'e'+er p44n 21:00:00:10:86:10:"6:#c 'e'+er p44n 2":01:00:0d:ec:2":%c:"2 'e'+er s*'+olic-nodena'e iscsi-atto-tar(et ,one na'e 2eneric vsan 1 'e'+er p44n 21:00:00:10:86:10:"6:#c ,oneset na'e iscsiO,oneset vsan 1 'e'+er iscsi-,one ,oneset na'e 2eneric vsan 1 'e'+er 2eneric
Presentation_I
Cisco
75
iSCSI.3RRP IPv6 E&ampleGMDS

Inter+ace
6DS) interface 1 6DS) interface 2
2i(a+itEt)ernet2!1
2i(a+itEt)ernet2!1
ipv6 address 2001:d+8:cafe:12::$!6" no s).tdo4n vrrp ipv6 1 address 2001:d+8:cafe:12::$ no s).tdo4n 'ds-1= s)o4 vrrp ipv6 vr 1 5nterface 2i(E2!1 V7 5pVersion 6ri 1 56v6 2$$ Ti'e 6re State 100cs 'aster
ipv6 address 2001:d+8:cafe:12::6!6" no s).tdo4n vrrp ipv6 1 address 2001:d+8:cafe:12::$ no s).tdo4n
V7 56 addr 2001:d+8:cafe:12::$
------------------------------------------------------------------
'ds-2= s)o4 vrrp ipv6 vr 1 5nterface 2i(E2!1 V7 5pVersion 6ri 1 56v6 100 Ti'e 6re State 100cs +ac1.p V7 56 addr 2001:d+8:cafe:12::$ ------------------------------------------------------------------
Presentation_I
Cisco
7'
iSCSI Initiator E&ampleG0)L= IPv6

+
iscsi initiator na'e iKn31##1-0$3co'3'icrosoft:4218-svr-013cisco3co'
>
interface 2i(a+itEt)ernet2!1 ipv6 address 2001:d+8:cafe:12::$!6" 'ds#216-1= s)o4 fcns data+ase vsan 1 VSA8 1: --------------------------------------------------------------------FC5D 0&6%0"00 0&6%0"0$
TP6E 8 8
6NN8 21:00:00:10:86:10:"6:#c
:VE8DE7; FC"-TP6E:FEATB7E scsi-fcp:tar(et scsi-fcp:init isc334 7&
--------------------------------------------------------------------2":01:00:0d:ec:2":%c:"2 :Cisco;
SA %"S >O&G!CIP-v6/
/ . / .
Central Site
/ .
/ .
Remote Sites
/ .
/ . / .
IPv6 et6ork
fcip profile 100 ip address 2001:d+8:cafe:$0::1 tcp 'a&-+and4idt)-'+ps 800 'in-availa+le+and4idt)-'+ps $00 ro.nd-trip-ti'e-.s 8" / interface fcip100 .se-profile 100 peer-info ipaddr 2001:d+8:cafe:$0::2 / interface 2i(a+itEt)ernet2!2 ipv6 address 2001:d+8:cafe:$0::1!6"
fcip profile 100 ip address 2001:d+8:cafe:$0::2 tcp 'a&-+and4idt)-'+ps 800 'in-availa+le+and4idt)-'+ps $00 ro.nd-trip-ti'e-.s 8" / interface fcip100 .se-profile 100 peer-info ipaddr 2001:d+8:cafe:$0::1 / interface 2i(a+itEt)ernet2!2 ipv6 address 2001:d+8:cafe:$0::2!6"
Presentation_I
Cisco
76
Data Center
Auto:con+iguration
=hat Ba))ens i+ IPv6 is 3nsu))ortedN
IC 1eaming Issue
5nterface 10: 0ocal Area Connection =V57TBA0 TEAD 58TE7FACE Addr T*pe --------6.+lic DAD State 6referred Valid 0ife 2#d2 )$8'"1s 6ref3 0ife Address
---------- ------------ ------------ ----------------------------6d2 )$8'"1 2001:d+8:cafe:10:20d:#dff:fe# :+2$d
Static con+iguration
nets) interface ipv6J add address Q0ocal Area ConnectionQ 2001:d+8:cafe:10::% E13 nets) interface ipv6Js) add R.er*in( active state333 5nterface 10: 0ocal Area Connection Addr T*pe --------Dan.al 6.+lic DAD State D.plicate 6referred Valid 0ife infinite 2#d2 )$#'21s 6ref3 0ife Address ---------- ------------ ------------ ----------------------------infinite 2001:d+8:cafe:10::% 6d2 )$#'21s 2001:d+8:cafe:10:20d:#dff:fe# :+2$d
76
.ote1 Same Issue A))lies to DinuE

Intel A S
IC 1eaming for IPv6
Intel IPv6 .IC T>ACProduct su))ort htt)122///.intel.com2su))ort2net/or02sb2cs:00;0;0.htm Intel no/ su))orts IPv6 /ith $E)ress, AD4, and A#, de)loyments
Intel statement o+ su))ort +or 9D4CK9eceive Doad 4alancing F9D4G is not su))orted on IPv6 net/or0 connections. I+ a team has a miE o+ IPv' and IPv6 connections, 9D4 /ill /or0 on the IPv' connections but not on the IPv6 connections. All other teaming +eatures /ill /or0 on the IPv6 connections.L
Presentation_I
Cisco
77
Interim 2ack for ?nsupported
ICs
"ain issue +or .ICs /ith no IPv6 teaming su))ort is A CCauses du)licate chec0s on ,eam and Physical even though the )hysical is not used +or addressing Set A on ,eam inter+ace to K0LC3nderstand /hat you are doing "icroso+t (ista2=62Server 2007 allo/s +or a command line change to reduce the K A transmitsL value +rom ! to 0
nets) interface ipv6 set interface 1# dadtrans'its-0
"icroso+t =indo/s 2005C(alue is changed via a creation in the registry

IIL90DIS*ste'IC.rrentControlSetIServicesITcpip6I6ara'etersI5nterfaces I:5nterface2B5D;ID.pAddrDetectTrans'its % 3alue 8*9
DinuE
# sysctl -w net/ipv6/conf/bond0/dad_transmits=0 net.ipv6.conf.eth0.dad_transmits = 0
Presentation_I
Cisco
7;
Intel
IC 1eamingGIPv6 -Pre 1eam/

: 3 :
Et)ernet adapter 0ocal Area Connection Connection-specific D8S S.ffi&
A.toconfi(.ration 56 Address3 3 3 : 16#32$"32$31#2 S.+net Das1 3 3 3 3 3 3 3 3 3 3 3 : 2$$32$$3030 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : fe80::20":2 ff:fec%:+0d%A11 Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : fe80::212:d#ff:fe#2:de%6A11
Et)ernet adapter 0A8: Connection-specific D8S S.ffi& 3 :
56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 1038#3"32 0 S.+net Das1 3 3 3 3 3 3 3 3 3 3 3 : 2$$32$$32$$30 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 2001:d+8:cafe:1::2 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : fe80::20":2 ff:fec%:+0d6A12 Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : fe80::212:d#ff:fe#2:de%6A12
Presentation_I
Cisco
;0
Intel
IC 1eamingGIPv6 -Post 1eam/

3 :
Et)ernet adapter TEAD-1: Connection-specific D8S S.ffi& 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 1038#3"32 0 S.+net Das1 3 3 3 3 3 3 3 3 3 3 3 : 2$$32$$32$$30 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 2001:d+8:cafe:1::2 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : fe80::20":2 ff:fec%:+0d6A1 Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : fe80::212:d#ff:fe#2:de%6A1
5nterface 1 : TEAD-1 Addr T*pe --------6.+lic 0in1 DAD State 6referred 6referred Valid 0ife "'11s infinite 6ref3 0ife Address
---------- ------------ ------------ ----------------------------"'11s 2001:d+8:cafe:1::2 infinite fe80::20":2 ff:fec%:+0d6
Presentation_I
Cisco
;!
Data CenterGIPv6 on !0SM

,rans)arent #ire/all "odeC$Eam)le
FNSD Version / fire4all transparent )ostna'e NEBA66 / interface inside na'eif inside +rid(e-(ro.p 1 sec.rit*-level 100 / interface o.tside na'eif o.tside +rid(e-(ro.p 1 sec.rit*-level 0 / interface BV51 ip address 10312131032$" 2$$32$$32$$30 / access-list B75D2EOT7AFF5C et)ert*pe per'it +pd. access-list B75D2EOT7AFF5C et)ert*pe per'it 86dd /
Presentation_I
31: ; Sconte&tJ
,oday, IPv6 ins)ection is su))orted in the routed +ire/all mode. ,rans)arent mode can allo/ IPv6 tra++ic to be bridged Fno ins)ectionG
Permit et'ertype *&=6dd -IPv6 et'ertype/

;2
access-(ro.p B75D2EOT7AFF5C in interface inside

Data CenterGIPv6 on !0SM

9outed #ire/all "odeC$Eam)le
FNSD Version / )ostna'e NEBA66 / interface inside na'eif inside sec.rit*-level 100 ipv6 address 2001:d+8:cafe:10::f00d:1!6" / interface o.tside na'eif o.tside sec.rit*-level 0 ipv6 address 2001:d+8:cafe:101::f00d:1!6" / ipv6 ro.te o.tside ::!0 2001:d+8:cafe:101::1 ipv6 access-list 56v6O1 per'it ic'p6 an* 2001:d+8:cafe:10::!6" ipv6 access-list 56v6O1 per'it tcp 2001:d+8:cafe:2::!6" )ost 2001:d+8:cafe:10::% eK 444 access-(ro.p 56v6O1 in interface o.tside 31: ; Sconte&tJ
,0 to MS!C outside 3@A intfO
Presentation_I
Cisco
;5
=A.24ranch
e)loying IPv6 in 4ranch .et/or0s1

'ttp<..666OciscoOcom.univercd.cc.td.doc.solution.brc'ipv6Opdf
$S$ =A.24ranch esign and Im)lementation Auides1

'ttp<..666OciscoOcom.en.?S.netsol.ns6D6.net6orkingKsolutionsKdesignKguidancesKlistO'tmlPanc'or+ 'ttp<..666OciscoOcom.en.?S.netsol.ns6D6.net6orkingKsolutionsKdesignKguidancesKlistO'tmlPanc'or+*
;'
0A .(ranc' Deployment
Cisco routers have su))orted IPv6 +or a long time ual:stac0 should be the +ocus o+ your im)lementationCbut, some situations still call +or tunneling
Corporat e et6ork
Su))ort +or every media2=A. ty)e you /ant to use F#rame 9elay, leased:line, broadband, "PDS, etc.G onOt assume all +eatures +or every technology are IPv6:enabled
Dual Stack
SP Cloud
4etter +eature su))ort in =A.2branch than in cam)us2 C
Dual Stack
Dual Stack
Presentation_I
Cisco
;&
IPv6 Enabled (ranc'

(ranc' Single 1ier
,a0e Sour Pic0C"iE:and:"atch

(ranc' Dual 1ier (ranc' Multi% 1ier
2 C
2 C
MP@ S
2 C
Internet
Internet
/ra*e
ual:Stac0 IPSec (P. FIPv'2IPv6G I*S #ire/all FIPv'2IPv6G Integrated S/itch F"D :snoo)ingG
ual:Stac0 IPSec (P. or #rame 9elay I*S #ire/all FIPv'2IPv6G S/itches F"D :snoo)ingG
Cisco
ual:Stac0 IPSec (P. or "PDS F6P$26(P$G #ire/all FIPv'2IPv6G S/itches F"D : snoo)ingG
;6
Single%1ier Profile
,otally integrated solutionC4ranch router and integrated $therS/itch moduleCI*S #= and (P. +or IPv6 and IPv' =hen SP does not o++er IPv6 services, use IPv' IPSec (P.s +or manually con+igured tunnels FIPv6:in:IPv'G or "(P. +or IPv6 =hen SP does o++er IPv6 services, use IPv6 IPSec (P.s Flatest AI"2(A" su))orts IPv6 IPSecG
(ranc '
Single% 1ier
2ead7uarter s 1 +
Dual%Stack 2ost -IPv;.IPv6/ IPv; IPv6
ADS @
0! N
Primary DM3P 1unnel -IPv; Secondary DM3P 1unnel -IPv;/ Primary IPSec%protected configured tunnel -IPv6%in%IPv;/ Secondary IPSec%protected configured tunnel -IPv6%in%IPv;/
Presentation_I
Cisco
;6
Single%1ier Profile
ipv6 .nicast-ro.tin( ipv6 '.lticast-ro.tin( ipv6 cef / ipv6 d)cp pool DATAOV5STA address prefi& 2001:DB8:CAFE:1100::!6"
DA. Con+igurationC BCPv6
(ranc' Router
dns-server 2001:DB8:CAFE:10:20D:#DFF:FE# :B2$D do'ain-na'e cisco3co' / interface 2i(a+itEt)ernet1!03100 description DATA V0A8 for Co'p.ters encaps.lation dot1R 100 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001!6" ipv6 nd prefi& 2001:DB8:CAFE:1100::!6" noadvertise ipv6 nd 'ana(ed-confi(-fla( ipv6 d)cp server DATAOV5STA ipv6 'ld snoopin( / interface Vlan100 description V0A8100 for 6Cs and S4itc) 'ana(e'ent ipv6 address 2001:DB8:CAFE:1100::BAD2:F126!6"
Et'erS6itc' Module
;7
Single%1ier Profile
IPSec Con+igurationC!
cr*pto isa1'p polic* 1 encr des a.t)entication pre-s)are cr*pto isa1'p 1e* C5SCE address 1%231%313 cr*pto isa1'p 1e* SPSTEDS address 1%231%313" cr*pto isa1'p 1eepalive 10 / cr*pto ipsec transfor'-set LE1 esp- des esp-s)a-)'ac cr*pto ipsec transfor'-set LE2 esp- des esp-s)a-)'ac / cr*pto 'ap 56v6-LE1 local-address Serial0!0!0 cr*pto 'ap 56v6-LE1 1 ipsec-isa1'p set peer 1%231%313 set transfor'-set LE1 'atc) address V68-TE-LE1 / cr*pto 'ap 56v6-LE2 local-address 0oop+ac10 cr*pto 'ap 56v6-LE2 1 ipsec-isa1'p set peer 1%231%313" set transfor'-set LE2 'atc) address V68-TE-LE2
Peer at 2C -Primary/ Peer at 2C -Secondary/
(ranc '
Internet
Secondary
Primary
2ead7uarter s
;;
Single%1ier Profile
IPSec Con+igurationC2
interface T.nnel description 56v6 t.nnel to LR Lead-end 1 dela* $00 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001!6" ipv6 't. 1"00 t.nnel so.rce Serial0!0!0 t.nnel destination 1%231%313 t.nnel 'ode ipv6ip / interface T.nnel" description 56v6 t.nnel to LR Lead-end 2 dela* 2000 ipv6 address 2001:DB8:CAFE:12%1::BAD1:A001!6" ipv6 't. 1"00 t.nnel so.rce 0oop+ac10 t.nnel destination 1%231%313" t.nnel 'ode ipv6ip / interface Serial0!0!0 description to T1 0in1 6rovider :675DA7P; cr*pto 'ap 56v6-LE1
interface Dialer1 description 666oE to BB provider cr*pto 'ap 56v6-LE2 / ip access-list e&tended V68-TE-LE1 per'it "1 )ost 1%23163132 )ost 1%231%313 ip access-list e&tended V68-TE-LE2 per'it "1 )ost 10312"310031 )ost 1%231%313"
AdVust delay to )re+er ,unnel5 AdVust ",3 to avoid +ragmentation on router FP",3 on client /ill not account +or IPSec2,unnel overheardG Permit K'!L FIPv6G instead o+ KgreL
!00
Single%1ier Profile
9outing
ipv6 cef / 1e* c)ain ESE 1e* 1 1e*-strin( % 111B180B101%1# / interface T.nnel description 56v6 t.nnel to LR Lead-end 1 dela* $00 ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $ ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ESE / interface T.nnel" description 56v6 t.nnel to LR Lead-end 2 dela* 2000 ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $
!0!
ipv6 .nicast-ro.tin(
interface 0oop+ac10 ipv6 ei(rp 10 / interface 2i(a+itEt)ernet1!03100 description DATA V0A8 for Co'p.ters ipv6 ei(rp 10 / ipv6 ro.ter ei(rp 10 ro.ter-id 10312"310031 st.+ connected s.''ar* no s).tdo4n passive-interface 2i(a+itEt)ernet1!03100 passive-interface 2i(a+itEt)ernet1!03200 passive-interface 2i(a+itEt)ernet1!03 00 passive-interface 0oop+ac10
$therS/itch "odule
ipv6 ro.te ::!0 Vlan100 FE80::21%:#"FF:FE#0:282#
ipv6 a.t)entication 'ode ei(rp 10 'd$

Presentation_I
ipv6 a.t)entication 1e*-c)ain ei(rp 10Cisco ESE 2006 Cisco Systems, Inc. All rights reserved.
Single%1ier Profile
SecurityC!
ipv6 inspect na'e v6FN tcp ipv6 inspect na'e v6FN ic'p ipv6 inspect na'e v6FN ftp ipv6 inspect na'e v6FN .dp / interface T.nnel ipv6 traffic-filter 58ET-NA8-v6 in no ipv6 redirects no ipv6 .nreac)a+les ipv6 inspect v6FN o.t ipv6 virt.al-reasse'+l* / interface 2i(a+itEt)ernet1!03100 ipv6 traffic-filter DATAO0A8-v6 in / line vt* 0 " ipv6 access-class D2DT-58 in
Inspection profile for 1CP# ICMP# !1P and ?DP
AC@ used by I"S !0 for dynamic entries Apply fire6all inspection !or egress trafficto create ?sed by fire6all dynamic AC@s and protect against various fragmentation attacks Apply @A AC@ -ne&t slide/ AC@ used to restrict management access
Presentation_I
Cisco
!02
Single%1ier Profile
SecurityC2
ipv6 access-list D2DT-58 re'ar1 per'it '('t onl* to loop+ac1 per'it tcp 2001:DB8:CAFE::!"8 )ost 2001:DB8:CAFE:1000::BAD1:A001 den* ipv6 an* an* lo(-inp.t / ipv6 access-list DATAO0A8-v6 re'ar1 6E7D5T 5CD6v6 6AC9ETS F7ED LESTS N5TL 67EF5T CAFE:1100::!6" per'it ic'p 2001:DB8:CAFE:1100::!6" an* re'ar1 6E7D5T 56v6 6AC9ETS F7ED LESTS N5TL 67EF5T CAFE:1100::6" per'it ipv6 2001:DB8:CAFE:1100::!6" an*
Sample "nly
re'ar1 6E7D5T A00 5CD6v6 6AC9ETS SEB7CED BP LESTS BS582 TLE 0589-0ECA0 67EF5T per'it ic'p FE80::!10 an* re'ar1 6E7D5T DLC6v6 A00-DLC6-A2E8TS 7ERBESTS F7ED LESTS per'it .dp an* eK $"6 an* eK $"% re'ar1 DE8P A00 ETLE7 56v6 6AC9ETS A8D 0E2 den* ipv6 an* an* lo(-inp.t
Presentation_I
Cisco
!05
Single%1ier Profile
SecurityC5
ipv6 access-list 58ET-NA8-v6 re'ar1 6E7D5T E5276 for 56v6 per'it 88 an* an* re'ar1 6E7D5T 65D for 56v6 per'it 10 an* an*
Sample "nly
re'ar1 6E7D5T A00 5CD6v6 6AC9ETS SEB7CED BS582 TLE 0589-0ECA0 67EF5T per'it ic'p FE80::!10 an* re'ar1 6E7D5T SSL TE 0ECA0 0EE6BAC9 per'it tcp an* )ost 2001:DB8:CAFE:1000::BAD1:A001 eK 22 re'ar1 6E7D5T A00 5CD6v6 6AC9ETS TE 0ECA0 0EE6BAC9<V68 t.nnels<V0A8s per'it ic'p an* )ost 2001:DB8:CAFE:1000::BAD1:A001 per'it ic'p an* )ost 2001:DB8:CAFE:1261::BAD1:A001 per'it ic'p an* )ost 2001:DB8:CAFE:12%1::BAD1:A001 per'it ic'p an* 2001:DB8:CAFE:1100::!6" per'it ic'p an* 2001:DB8:CAFE:1200::!6" per'it ic'p an* 2001:DB8:CAFE:1 00::!6" re'ar1 6E7D5T A00 56v6 6AC9ETS TE V0A8s per'it ipv6 an* 2001:DB8:CAFE:1100::!6" per'it ipv6 an* 2001:DB8:CAFE:1200::!6" per'it ipv6 an* 2001:DB8:CAFE:1 00::!6" den* ipv6 an* an* lo(
!0'
Single%1ier Profile
ToS
class-'ap 'atc)-an* B7A8CL-T7A8SACT5E8A0-DATA 'atc) protocol citri& 'atc) protocol ldap 'atc) protocol sKlnet 'atc) protocol )ttp .rl QUcisco3co'Q 'atc) access-(ro.p na'e B7A8CL-T7A8SACT5E8A0-V6 / polic*-'ap B7A8CL-NA8-ED2E class T7A8SACT5E8A0-DATA +and4idt) percent 12 rando'-detect dscp-+ased / polic*-'ap B7A8CL-0A8-ED2E-58 class B7A8CL-T7A8SACT5E8A0-DATA set dscp af21 / ipv6 access-list B7A8CL-T7A8SACT5E8A0-V6 re'ar1 Dicrosoft 7D6 traffic-'ar1 dscp af21 per'it tcp an* an* eK per'it .dp an* an* eK 8# 8#
!0&
interface 2i(a+itEt)ernet1!03100 description DATA V0A8 for Co'p.ters service-polic* inp.t B7A8CL-0A8-ED2E58 / interface Serial0!0!0 description to T1 0in1 6rovider 'a&-reserved-+and4idt) 100 service-polic* o.tp.t B7A8CL-NA8-ED2E
Some +eatures o+ ToS do not yet su))ort IPv6 .4A9 is used +or IPv', but ACDs must be used +or IPv6 Funtil .4A9 su))orts IPv6G "atch2Set v'2v6 )ac0ets in same )olicy
Presentation_I
Cisco
Dual%1ier Profile
9edundant set o+ branch routersCse)arate branch s/itch Fmulti)le s/itches can use Stac0=ise technologyG Can be dual:stac0 i+ using #rame 9elay or other D2 =A. ty)e
(ranc '
Dual% 1ier
2ead7uarter s 0A
Dual%Stack 2ost -IPv;.IPv6/ IPv; IPv6
Presentation_I
Cisco
!06
Dual%1ier Profile
Con+iguration
(ranc' Router +
interface Serial0!1!031% point-to-point description TE F7ADE-7E0AP 67EV5DE7 ipv6 address 2001:DB8:CAFE:1262::BAD1:1010!6" ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $ ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ESE fra'e-rela* interface-dlci 1% class RES-B72-DA6 / interface FastEt)ernet0!03100 ipv6 address 2001:DB8:CAFE:2100::BAD1:1010!6" ipv6 traffic-filter DATAO0A8-v6 in ipv6 nd ot)er-confi(-fla( ipv6 d)cp server DATAOV5STA ipv6 ei(rp 10 stand+* version 2 stand+* 201 ipv6 a.toconfi( stand+* 201 priorit* 120 stand+* 201 pree'pt dela* 'ini'.' stand+* 201 a.t)entication ese
(ranc' Router )
interface Serial0!2!0318 point-to-point description TE F7ADE-7E0AP 67EV5DE7 ipv6 address 2001:DB8:CAFE:12%2::BAD1:1020!6" ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $ ipv6 a.t)entication 'ode ei(rp 10 'd$ ipv6 a.t)entication 1e*-c)ain ei(rp 10 ESE fra'e-rela* interface-dlci 18 class RES-B72-DA6 / interface FastEt)ernet0!03100 ipv6 address 2001:DB8:CAFE:2100::BAD1:1020!6" ipv6 traffic-filter DATAO0A8-v6 in ipv6 nd ot)er-confi(-fla( ipv6 ei(rp 10 stand+* version 2 stand+* 201 ipv6 a.toconfi( stand+* 201 pree'pt 0 stand+* 201 a.t)entication ese
!06
Multi%1ier Profile
All branch elements are redundant and se)arate
=A. tierC=A. connectionsCcan be anything F+rame2IPSecGC "PDS sho/n here #ire/all tierCredundant ASA +ire/alls Access tierCinternal services routers Fli0e a cam)us distribution layerG DA. tierCaccess s/itches Fli0e a cam)us access layer
ual:stac0 is used on every tierCI+ SP )rovides IPv6 services via "PDS. I+ not, tunnels can be used +rom =A. tier to BT Multi% 1ier site
@A 1ier Access 1ier !ire6al l 1ier 0A 1ier
2ead7uarter s 0A
Dual%Stack 2ost -IPv;.IPv6/

IPv; IPv6
Cisco
(ranc '
!07
2ybrid (ranc' E&ample

"iEture o+ attributes +rom each )ro+ile An eEam)le to sho/ con+iguration +or di++erent tiers 4asic BA in critical roles is the goal
4ranch
3@A +*+< )**+<D(=<CA!E<+**)<<.6; )**+<D(=<CA!E<+***<<.6 ;
BeadHuarters
Primary DM3P 1unnel )**+<D(=<CA!E<)*A<<.6; (ackup DM3P 1unnel -das'ed/ )**+<D(=<CA!E<)*(<<.6; )**+<D(=<CA!E<)*)<<.6 ;
ASA:! 49!:DA. 11! 112 11' 11& 112
49!:! 112
11! B$!
112 115
49!:DA.:S=
115
115
49!:2 115
=A .
$nter)rise Cam)us ata Center
11!
B$2
3@A Interfaces< +*; % )**+<D(=<CA!E<+**;<<.6; F PC +*D % )**+<D(=<CA!E<+**D<<.6; F 3oice +*6 % )**+<D(=<CA!E<+**6<<.6; F Printer
2SRP for IPv6 3IP Address % !E=*<<D<E>!!<!EA*<)
Presentation_I
Cisco
!0;
DM3P
encr aes 2$6
Bub Con+iguration $Eam)le

cr*pto isa1'p polic* 1 a.t)entication pre-s)are (ro.p 2 / cr*pto isa1'p 1e* C5SCE address 0303030 0303030 cr*pto isa1'p 1e* C5SCE address ipv6 ::!0 / cr*pto ipsec transfor'-set LBB esp-aes 2$6 esp-s)a)'ac / cr*pto ipsec profile LBB set transfor'-set LBB
Primary DM3P 1unnel )**+<D(=<CA!E<)*A<<.6; (ackup DM3P 1unnel -das'ed/ )**+<D(=<CA!E<)*(<<.6;
6it' IPv6
interface T.nnel0 description DDV68 T.nnel 1 ip address 1031263131 2$$32$$32$$30 ipv6 address 2001:DB8:CAFE:20A::1!6" ipv6 't. 1"16 ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $ no ipv6 ne&t-)op-self ei(rp 10 no ipv6 split-)ori,on ei(rp 10 ipv6 n)rp a.t)entication C5SCE ipv6 n)rp 'ap '.lticast d*na'ic ipv6 n)rp net4or1-id 10 ipv6 n)rp )oldti'e 600 ipv6 n)rp redirect t.nnel so.rce Serial1!0 t.nnel 'ode (re '.ltipoint t.nnel 1e* 10 t.nnel protection ipsec profile LBB
49!:! 112
11! B$!
112 115
49!:2 115
=A .
11!
B$2
!!0
DM3P
S)o0e Con+iguration $Eam)le

cr*pto isa1'p polic* 1 encr aes 2$6 a.t)entication pre-s)are (ro.p 2 / cr*pto isa1'p 1e* C5SCE address 0303030 0303030 cr*pto isa1'p 1e* C5SCE address ipv6 ::!0 / cr*pto ipsec transfor'-set S6E9E esp-aes 2$6 esp-s)a-)'ac / cr*pto ipsec profile S6E9E interface T.nnel0 set transfor'-set S6E9E description to LBB ip address 1031263132 2$$32$$32$$30 ipv6 address 2001:DB8:CAFE:20A::2!6" ipv6 't. 1"16 ipv6 ei(rp 10 ipv6 )old-ti'e ei(rp 10 $ Primary DM3P 1unnel no ipv6 ne&t-)op-self ei(rp 10 )**+<D(=<CA!E<)*A<<.6; (ackup DM3P 1unnel no ipv6 split-)ori,on ei(rp 10 -das'ed/ ipv6 n)rp a.t)entication C5SCE )**+<D(=<CA!E<)*(<<.6; B$! 49!:! 112 ipv6 n)rp 'ap 2001:DB8:CAFE:20A::1!6" 11! 112 1%23163131 ipv6 n)rp 'ap '.lticast 1%23163131 ipv6 n)rp net4or1-id 10 =A 115 ipv6 n)rp )oldti'e 600 . ipv6 n)rp n)s 2001:DB8:CAFE:20A::1 B$2 11! 49!:2 115 ipv6 n)rp s)ortc.t t.nnel so.rce Serial1!0 t.nnel 'ode (re '.ltipoint t.nnel 1e* 10 t.nnel protection ipsec profile S6E9E
6it' IPv6
!!!
ASA 6it' IPv6
Sni))et o+ +ull con+ig I eEam)les o+ IPv6 usage

na'e 2001:d+8:cafe:100 :: B71-0A8 description V0A8 on Et)erS4itc) na'e 2001:d+8:cafe:100":#d+8: df1:81"c:d +c Br1-v6-Server / interface 2i(a+itEt)ernet0!0 description TE NA8 na'eif o.tside sec.rit*-level 0 ip address 10312"313" 2$$32$$32$$30 stand+* 10312"313$ ipv6 address 2001:d+8:cafe:1000::"!6" stand+* 2001:d+8:cafe:1000::$ / interface 2i(a+itEt)ernet0!1 description TE B7A8CL 0A8 na'eif inside sec.rit*-level 100 ip address 10312"3 31 2$$32$$32$$30 stand+* 10312"3 32 ipv6 address 2001:d+8:cafe:1002::1!6" stand+* 2001:d+8:cafe:1002::2 / ipv6 ro.te inside B71-0A8!6" 2001:d+8:cafe:1002:: ipv6 ro.te o.tside ::!0 fe80::$:% ff:fea0:2 / ipv6 access-list v6-A00EN per'it ic'p6 an* an* ipv6 access-list v6-A00EN per'it tcp 2001:d+8:cafe::!"8 )ost Br1-v6-Server o+Fect-(ro.p 7D6 / failover failover lan .nit pri'ar* failover lan interface FE-0589 2i(a+itEt)ernet0! failover interface ip FE-0589 2001:d+8:cafe:1001::1!6" stand+* 2001:d+8:cafe:1001::2 access-(ro.p v6-A00EN in interface o.tside
Presentation_I
Cisco
!!2
(ranc' @A
Connecting Bosts
ipv6 d)cp pool DATAON% dns-server 2001:DB8:CAFE:102::8 do'ain-na'e cisco3co' / interface 2i(a+itEt)ernet0!0 description to B71-0A8-SN no ip address d.ple& a.to speed a.to / interface 2i(a+itEt)ernet0!0310" description V0A8-6C encaps.lation dot1R 10" ip address 10312"310"31 2$$32$$32$$30 ipv6 address 2001:DB8:CAFE:100"::1!6" ipv6 nd ot)er-confi(-fla( ipv6 d)cp server DATAON% ipv6 ei(rp 10 / interface 2i(a+itEt)ernet0!0310$ description V0A8-6LE8E encaps.lation dot1R 10$ ip address 10312"310$31 2$$32$$32$$30 ipv6 address 2001:DB8:CAFE:100$::1!6" ipv6 nd prefi& 2001:DB8:CAFE:100$::!6" 0 0 no-a.toconfi( ipv6 nd 'ana(ed-confi(-fla( ipv6 d)cp rela* destination 2001:DB8:CAFE:102::# ipv6 ei(rp 10
49!:DA.
49!:DA.:S=
3@A Interfaces< +*; % )**+<D(=<CA!E<+**;<<.6; F PC +*D % )**+<D(=<CA!E<+**D<<.6; F 3oice +*6 % )**+<D(=<CA!E<+**6<<.6; F Printer
Presentation_I
Cisco
!!5
9emote Access
Presentation_I
Cisco
!!'
Cisco Remote 3P
Client%based IPsec 3P
F IPv6
Client%based SS@
Interne t
Cisco (P. Client '.E

IPv' IPSec ,ermination FPIW2ASA2I*S (P.2 ConcentratorG IPv6 ,unnel ,ermination FI*S ISA,AP or Con+igured ,unnelsG
AnyConnect Client 2.E

SSD2,DS or ,DS Fdatagram ,DS U ,DS over 3 PG ,unnel trans)orts both IPv' and IPv6 and the )ac0ets eEit the tunnel at the hub ASA as native IPv' and IPv6.
Presentation_I
Cisco
!!&
AnyConnect )O&GSS@ 3P
asa-ed(e-1=s)o4 vpn-sessiond+ svc Session T*pe: SVC Bserna'e : ciscoese 5nde& : Assi(ned 56 : 10312 323200 6.+lic 56 : 10312"32318 Assi(ned 56v6: 2001:d+8:cafe:101::101 6rotocol : Clientless SS0-T.nnel DT0S-T.nnel 0icense : SS0 V68 Encr*ption : 7C" AES128 Las)in( : B*tes T& : %#%6 B*tes 7& : 2ro.p 6olic* : An*2rp6olic* T.nnel 2ro.p: 0o(in Ti'e : 1":0#:2$ DST Don Dec 1% 200% D.ration : 0):"%':"8s 8AC 7es.lt : Bn1no4n V0A8 Dappin( : 8!A V0A8 : 1"
SLA1 1%6080 A8PCE88ECT
none
Cisco ASA
Dual%Stack 2ost AnyConnect Client

!!6
AnyConnect )O&GSummary Configuration

interface 2i(a+itEt)ernet0!0 na'eif o.tside sec.rit*-level 0 ip address 10312 313" 2$$32$$32$$30 ipv6 ena+le / interface 2i(a+itEt)ernet0!1 na'eif inside sec.rit*-level 100 ip address 10312 323" 2$$32$$32$$30 ipv6 address 2001:d+8:cafe:101::ffff!6" / ipv6 local pool A8Pv66EE0 2001:d+8:cafe:101::101!6" 200 4e+vpn ena+le o.tside svc ena+le t.nnel-(ro.p-list ena+le (ro.p-polic* An*2rp6olic* internal (ro.p-polic* An*2rp6olic* attri+.tes vpn-t.nnel-protocol svc defa.lt-do'ain val.e cisco3co' address-pools val.e An*6ool t.nnel-(ro.p A8PCE88ECT t*pe re'ote-access t.nnel-(ro.p A8PCE88ECT (eneral-attri+.tes address-pool An*6ool ipv6-address-pool A8Pv66EE0 defa.lt-(ro.p-polic* An*2rp6olic* t.nnel-(ro.p A8PCE88ECT 4e+vpn-attri+.tes (ro.p-alias A8PCE88ECT ena+le
"utside
)**+<db=<cafe<+*+<<ffff
Inside
'ttp<..666OciscoOcom.en.?S.docs.security.vpnKclient.a
!!6
IPv6%in%IPv; 1unnel E&ampleG Cisco 3P Client

IPv; IPSec 1ermination -PIS.ASA.I"S 3P . Concentrator/
,'nne(8#9 Remote ?ser
IPv6 1unnel 1erminatio n
IPv6 1raffic IPv; 1raffic

Internet
!ire6al l IPSec 3P IPv6%in%IPv; 1unnel
IPv; @ink
IPv6 @ink Corporate et6ork Dual%Stack server
Presentation_I
Cisco
!!7
Considerations
Cisco I*S? version su))orting IPv6 con+igured2 ISA,AP tunnels
Con+iguredC!2.5F!G"2!2.5F2G,2!2.2F!'GS and above F!2.'"2!2.',G ISA,APC!2.5F!G", !2.5F2G,, !2.2F!'GS and above F!2.'"2!2.',G Catalyst? 6&00 /ith Su)620252C!2.2F!6aGSW!CB= +or/arding
4e a/are o+ the security issues i+ s)lit:tunneling is used

In =indo/s #ire/allCde+ault )olicy is to to another
Attac0er can come in IPv6 inter+ace and Vum) on the IPv' inter+ace Fencry)ted to enter)riseG $.S )ac0ets +rom one inter+ace
9emember that the IPv6 tunneled tra++ic is still enca)sulated as a tunnel 6'en it leaves the (P. device Allo/ IPv6 tunneled tra++ic across access lists FProtocol '!G
Presentation_I
Cisco
!!;
Does It 0ork5
0indo6s SP Client 3P >*** Catalyst 6D**.Sup E)* Dual%Stack
+*O+OBBO+*)G3P Address )**+<D(=<c**><++*+<*<Defe<+*O+OBBO+*)GIPv6 address
5nterface 2: A.to'atic T.nnelin( 6se.do-5nterface Addr T*pe --------6.+lic 0in1 DAD State Valid 0ife 6ref3 0ife Address ---------- ------------ ------------ ----------------------------6referred 2#d2 )$6'$s 6d2 )$6'$s 2001:d+8:c00 :1101:0:$efe:10313##3102 6referred infinite infinite fe80::$efe:10313##3102
nets) interface ipv6Js)o4 ro.te R.er*in( active state333 6.+lis) ------no no

Presentation_I
T*pe -------A.toconf Dan.al
Det ---# 1
6refi& -----------------------2001:d+8:c00 :1101::!6" ::!0

Cisco
5d& --2 2
2ate4a*!5nterface 8a'e --------------------A.to'atic T.nnelin( 6se.do-5nterface fe80::$efe:20313131

!20
Provider Considerations
Presentation_I
Cisco
!2!
1op SP Concerns for Enterprise Accounts
Presentation_I
Cisco
!22
Port%to%Port Access
Presentation_I
Cisco
Y U most common issue
!25
Multi%2oming
Presentation_I
Cisco
!2'
Content
Presentation_I
Cisco
!2&
Provisioning
Y
!26
1'e Scope of IPv6 Deployment

0eb Content Management Applications $ Application Suites
Data Center Servers Client Access -PCWs/ Printers Collaboration Devices $ ,ate6ays Sensors $ Controllers
et6orked Device Support

D S$ D2CP @oad (alancing $ Content S6itc'ing Security -!ire6alls $ IDS.IPS/ Content Distribution "ptimiHation -0AAS# SS@ acceleration/ 3P Access
St a++ ,r ai ni ng an d * )e rat io ns
Deployment Scenario Bard/are Su))ort

Presentation_I
et6orked Infrastructure Services

(Configured, 6to4, ISATAP, G E)
9 oll : ou t 9 el ea se s > Pl an ni ng
IPv6 over IPv4 Tunnels
!u"l#St"$%
IPv6 over MPLS (6PE/6VPE)
IP Services FToS, "ulticast, "obility, ,ranslationG Connectivity IP Addressing

Cisco
9outing Protocols
Instrumentation
(asic et6ork Infrastructure

!26
Conclusion
K ual stac0 /here you can I ,unnel /here you mustL Create a virtual team o+ I, re)resentatives +rom every area o+ I, to ensure coverage +or *S, A))s, .et/or0 and *)erations2"anagement "icroso+t =indo/s (ista, 6 and Server 2007 /ill have IPv6 enabled by de+aultCunderstand /hat im)act any *S has on the net/or0 e)loy it I at least in a lab I IPv6 /onOt bite ,hings to consider1
#ocus on /hat you must have in the near:term Flo/er your eE)ectationsG but )ound your vendors and others to su))ort your long:term goals onOt be too late to the )arty I anything done in a )anic is li0ely going to go badly
!27
Presentation_I
Cisco
!2;
A))endiE Slides
#or 9e+erence *nly
Presentation_I
Cisco
!50
A))endiE1 "icroso+t =indo/s (ista2=62Server 2007
Presentation_I
Cisco
!5!
?nderstand t'e (e'avior of 3ista.0E

IPv6 is )re+erred over IPv'
Attem)ts BCP +or IPv6 I+ no BCP or local 9A received /ith Alobal or 3DA, then try ISA,AP I+ no ISA,AP, then try ,eredo (ista2=6 sends IPv6 .A2.S29S u)on lin0:u)
4ecome +amiliar /ith ,eredo htt)122///.microso+t.com2technet2)rodtechnol2/inE))ro2maintain2teredo.m A.S a))lication built on the Peer:to:Peer #rame/or0 9$T3I9$S IPv6 and /ill .*, +unction over IPv' : htt)122///.microso+t.com2technet2net/or02)2)2de+ault.ms)E
Presentation_I
Cisco
!52
In More DetailG3ista.0E on @ink%?p

.o .et/or0 Services
.o. ,ime ! 0.000000 2 0.000050 5 0.000070 ' !.!&&;!6 & !.!&6675 6 5.'7'60; 6 !26.'0;&50 7 !27.7765;6 Source estination Protocol In+o 11 ++0211!1++ae1'56! IC"Pv6 .eighbor solicitation +e701170aa1+d&1+6ae1'56! ++02112 IC"Pv6 9outer solicitation +e701170aa1+d&1+6ae1'56! ++0211!6 IC"Pv6 "ulticast Distener 9e)ort "essage v2 +e701170aa1+d&1+6ae1'56! ++0211!15 3 P Source )ort1 ';622 estination )ort1 &5&& !6;.2&'.66.;6 22'.0.0.2&2 3 P Source )ort1 ';625 estination )ort1 &5&& !6;.2&'.66.;6 !6;.2&'.2&&.2&& .4.S .ame Huery .4 ISA1APZ00[ +e701170aa1+d&1+6ae1'56! ++0211!12 BCPv6 In+ormation:reHuest 0.0.0.0 2&&.2&&.2&&.2&& BCP BCP iscoverC,ransaction I 0E6c7d6e+a
!. 2. 5. '. &. 6. 6. 7.
Presentation_I
3ns)eci+ied address 11 Solicited node address .S2 A Doo0ing +or a local router ++02112 9S Doo0ing +or "D enabled routers ++0211!6 "D v2 re)ort DD".9 +or IPv6C++0211!15Cadvertise hostname DD".9 +or IPv'C22'.0.0.2&2 +rom 9#C 5;26 address .o global or 3DA received via ste) !22C,ry ISA,AP ,ry ,ry BCP +or IPv6C++0211!12 BCP +or IPv'
Cisco
fe=*<<=*aa<fdD<fEae<;>6+ ese:vista!
!55
IPv;
=hat oes (ista2=6 ,ry to oN
et6orkG o IPv6
et6ork Services
: ,ransaction I 0E2b7a+''5
.o. ,ime Source estination Protocol In+o !5 7.7!5&0; !0.!20.2.! !0.!20.2.2 BCP BCP ACX .... 4ootstra) Protocol ... Sour FclientG IP address1 +*O+)*O)O) F!0.!20.2.2G ... *)tion1 FtU5,lU'G 9outer U +*O+)*O)O+ *)tion1 FtU6,lU'G omain .ame Server U +*O+)+O++O; *)tion1 FtU!&,lU;G omain .ame U \ciscoOcom\ .. .o. ,ime Source 60 !5.5606&6 !0.!20.2.2 .o. ,ime Source !57 2&.562!7! !0.!20.2.2 .o. ,ime Source &70 2;6.676!;6 +*O+)*O)O) &7! 2;6.67662! !0.!20.5.2 &72 2;6.6766;' !0.!20.2.2 &75 2;6.676;!5 !0.!20.2.2 estination +*O+)+O++O; estination +*O+)+O++O; estination +*O+)*O>O) !0.!20.2.2 !0.!20.5.2 !0.!20.5.2
Protocol In+o .S Standard Huery A isatapOciscoOcom Protocol In+o .S Standard Huery A teredoOipv6OmicrosoftOcom Protocol In+o ,CP ';2!! [ e)ma) ]SS.^ SeHU0 DenU0 "SSU!'60 =SU7 ,CP e)ma) [ ';2!! ]SS., ACX^ SeHU0 Ac0U! =inU20;6!&2 ,CP ';2!! [ e)ma) ]ACX^ SeHU! Ac0U! =inU6&&56 DenU0 C$9PC 4ind1 call_id1 !, 2 conteEt items, !st I*WI 9esolver (0.0
IPv;%only Router +*O+)*O)O) ese:vista:! ISA1AP55 1eredo5 5 2006 Cisco Systems, Inc. All rights reserved. Some Apps Break +*O+)*O>O) ese:vista:2
Presentation_I
Cisco
!5'
0'at Is 1eredo5
9#C'570 ,unnel IPv6 through .A,s F.A, ty)es de+ined in 9#C5'7;G
#ull Cone .A,s Fa0a one:to:oneGCSu))orted by ,eredo 9estricted .A,sCSu))orted by ,eredo Symmetric .A,sCSu))orted by ,eredo /ith (ista2=62Server 2007 i+ only one ,eredo client is behind a Symmetric .A,s
3ses 3 P )ort 5&'' Is com)leECmany seHuences +or communication and has several attac0 vectors Available on1
"icroso+t =indo/s WP SP! /2Advanced .et/or0ing Pac0 "icroso+t =indo/s Server 2005 SP! "icroso+t =indo/s (ista2=6 Fenabled by de+aultCinactive until a))lication reHuires itG "icroso+t Server 2007 htt)122///.microso+t.com2technet2)rodtechnol2/inE))ro2maintain2teredo.ms)E DinuE, 4S and "ac *S WCK"iredoL htt)122///.sim)halem)in.com2dev2miredo2
!5&
1eredo Components
,eredo ClientC ual:stac0 node that su))orts ,eredo tunneling to other ,eredo clients or IPv6 nodes Fvia a relayG ,eredo ServerC ual:stac0 node connected to IPv' Internet and IPv6 Internet. Assists in addressing o+ ,eredo clients and initial communication bet/een clients and2or IPv6:only hostsCDistens on 3 P )ort 5&'' ,eredo 9elayC ual:stac0 router that +or/ards )ac0ets bet/een ,eredo clients and IPv6:only hosts ,eredo Bost:S)eci+ic 9elayC ual:stac0 node that is connected to IPv' Internet and IPv6 Internet and can communicate /ith ,eredo Clients /ithout the need +or a ,eredo 9elay
Presentation_I
Cisco
!56
1eredo "vervie6
IPv6 or IPv6 over IPv' tra++ic IPv6 over IPv' tra++ic ,eredo host:s)eci+ic relay ,eredo client IPv6:only host
IPv; Internet
.A,
,eredo server
IPv6 Internet
,eredo relay .A, IPv6 tra++ic ,eredo client Y#rom "icroso+t K,eredo *vervie/L )a)er
!56
1eredo Address
52 bits 52 bits !6 bits !6 bits 52 bits
1eredo prefi&
1eredo Server IPv; Address
!lags
"bfuscated "bfuscated E&ternal E&ternal Address Port
,eredo IPv6 )re+iE F200!11252C)reviously /as 5##$175!#11252G ,eredo Server IPv' address1 global address o+ the server #lags1 de+ines .A, ty)e Fe.g. Cone .A,G *b+uscated $Eternal Port1 3 P )ort number to be used /ith the IPv' address *b+uscated $Eternal Address1 contains the global address o+ the .A,
Presentation_I
Cisco
!57
Initial Configuration for Client

!. 9S message sent +rom ,eredo client to serverC9S +rom DD address /ith Cone +lag set 2. Server res)onds /ith 9AC9S has Cone +lag setCserver sends 9A +rom alternate v' addressC i+ client receives the 9A, client is behind cone .A, 5. I+ 9A is not received by client, client sends another 9A /ith Cone +lag not set '. Server res)onds /ith 9A +rom v' address U destination v' address +rom 9SCi+ client receives the 9A, client is behind restricted .A, &. ,o ensure client is not behind symmetric .A,, client sends another 9S to secondary server 6. 2nd server sends an 9A to clientCclient com)ares ma))ed address and 3 P )orts in the *rigin indicators o+ the 9A received by both servers. I+ di++erent, then the .A, is ma))ing same internal address2)ort to di++erent eEternal address2)ort and .A, is a symmetric .A, 6. Client constructs ,eredo address +rom 9A
#irst 6' bits are the value +rom )re+iE received in 9A F52 bits +or IPv6 ,eredo )re+iE M 52 bits o+ heE re)resentation o+ IPv' ,eredo server addressG .eEt !6 bits are the #lags +ield F0E0000 U 9estricted .A,, 0E7000 U Cone .A,G .eEt !6 bits are eEternal obscured 3 P )ort +rom *rigin indicator in 9A Dast 52 bits are obscured eEternal IP address +rom *rigin indicator in 9A
,eredo Server 2
,eredo .($ent
: 2001:0:4136:e3:e:0:fbaa:b9:e:fe4e
,eredo Pref$; ,eredo Server v4 /(a-# <;t5 =DP <;terna( v4 Port v4 addre##
7 3 1
N! ,
IPv4 Internet
4 2
,eredo Server 1
!5;
Presentation_I
Cisco
0'at 2appens on t'e 0ireG+

.o. ,ime Source !& 2&.'670&0 !62.!6.!.!05 estination Protocol In+o !&!.!6'.!!.20! .S Standard Huery A teredoOipv6OmicrosoftOcom Standard Huery res)onse A 6DOD;O))EO+)6 A .o. ,ime Source estination Protocol In+o !6 2&.'7!60; !&!.!6'.!!.20! !62.!6.!.!05 .S 6&.&'.226.!26 A 6&.&'.226.!20 A 6&.&'.226.!2'
nets) interface ipv6Js) teredo Teredo 6ara'eters --------------------------------------------T*pe : client Server 8a'e : teredo3ipv63'icrosoft3co' Client 7efres) 5nterval : defa.lt Client 6ort : defa.lt State : pro+e:cone; T*pe : teredo client 8et4or1 : .n'ana(ed 8AT : cone nets) interface ipv6Js) teredo Teredo 6ara'eters --------------------------------------------T*pe : client Server 8a'e : teredo3ipv63'icrosoft3co' Client 7efres) 5nterval : defa.lt Client 6ort : defa.lt State : K.alified T*pe : teredo client 8et4or1 : .n'ana(ed 8AT : restricted
!'0
0'at 2appens on t'e 0ireG)

.o. ,ime Source estination Protocol In+o 27 >>.&;&'60 fe=*<<=***<ffff<ffff<fffd ff*)<<) IC"Pv6 Router solicitation Internet Protocol, Src1 +E)O+6O+O+*> F!62.!6.!.!05G, st1 6DOD;O))EO+)6 F6&.&'.226.!26G 3ser atagram Protocol, Src Port1 !!0; F!!0;G, st Port1 >D;; F5&''G .o. ,ime Source estination Protocol In+o 2; >E.&;5&;7 fe=*<<=***<ffff<ffff<fffd ff*)<<) IC"Pv6 Router solicitation Internet Protocol, Src1 +E)O+6O+O+*> F!62.!6.!.!05G, st1 6DOD;O))EO+)6 F6&.&'.226.!26G .o. ,ime Source estination Protocol In+o 5! '&.&'60&2 fe=*<<ffff<ffff<fffd ff*)<<) IC"Pv6 Router solicitation Internet Protocol, Src1 +E)O+6O+O+*> F!62.!6.!.!05G, st1 6DOD;O))EO+)E F6&.&'.226.!26G 3ser atagram Protocol, Src Port1 !!0; F!!0;G, st Port1 5&'' F5&''G .o. ,ime Source estination Protocol In+o 52 '6.05;606 fe=*<<=***<f))E<becB<+c=+ fe=*<<ffff<ffff<fffd IC"Pv6 Router advertisement Internet Protocol, Src1 6DOD;O))EO+)E F6&.&'.226.!26G, st1 +E)O+6O+O+*> F!62.!6.!.!05G 3ser atagram Protocol, Src Port1 5&'' F5&''G, st Port1 !!0; F!!0;G ,eredo *rigin Indication header *rigin 3 P )ort1 ++*B *rigin IPv' address1 E*O+)*O)O+ F60.!20.2.!G Pre+iE1 )**+<*<;+>6<e>Ee<< .o. ,ime Source estination Protocol In+o 55 '6.0;5752 fe=*<<ffff<ffff<fffd ff*)<<) IC"Pv6 Router solicitation Internet Protocol, Src1 +E)O+6O+O+*> F!62.!6.!.!05G, st1 6DOD;O))EO+)6 F6&.&'.226.!26G 3ser atagram Protocol, Src Port1 !!0; F!!0;G, st Port1 5&'' F5&''G .o. ,ime Source estination Protocol In+o 5' '6.5;76'& fe=*<<=***<f))E<becB<+c=+ fe=*<<ffff<ffff<fffd IC"Pv6 Router advertisement Internet Protocol, Src1 6DOD;O))EO+)6 F6&.&'.226.!26G, st1 +E)O+6O+O+*> F!62.!6.!.!05G ,eredo *rigin Indication header *rigin 3 P )ort1 ++*B *rigin IPv' address1 E*O+)*O)O+ F60.!20.2.!G Pre+iE1 )**+<*<;+>6<e>Ee<<
Send 9S Cone #lagU! FCone .A,G, every ' seconds I+ no re)ly, send #lagU0 Frestricted .A,G 9eceive 9A /ith *rigin header and )re+iE Send 9S to 2nd server to chec0 +or symmetric .A, Com)are 2nd 9AC*rigin )ort2address +rom 2nd server
!'!
Presentation_I
Cisco
0'at 2appens on t'e 0ireG>

.o. ,ime Source 72 !5;.2&7206 !62.!6.!.!05 estination Protocol In+o !&!.!6'.!!.20! .S Standard 7uery AAAA 666OkameOnet
.S loo0u) 9es)onse IC"P to host via ,eredo Server 9elay sends 4ubble )ac0et to client via serverCclient receives relay address:)ort Pac0ets to2+rom IPv6 host and client traverse relay
.o. ,ime Source estination 75 !5;.&50&'6 !&!.!6'.!!.20! !62.!6.!.!05 )**+<)**<*<=**)<)*><;Eff<feaD<>*=D
Protocol In+o .S Standard 7uery response AAAA
.o. ,ime Source estination Protocol In+o ;6 !'7.;60606 )**+<*<;+>6<e>Ee<*<fbaa<bBEe<fe;e )**+<)**<*<=**)<)*><;Eff<feaD<>*=D ICMPv6 Ec'o re7uest Internet Protocol, Src1 +E)O+6O+O+*> F!62.!6.!.!05G, st1 6DOD;O))EO+)6 F6&.&'.226.!26G 3ser atagram Protocol, Src Port1 ++*B F!!0;G, st Port1 >D;; F5&''G .o. ,ime Source ;6 !';.'0&&6; fe=*<<=***<D;;D<D);D<;;;f estination Protocol In+o )**+<*<;+>6<e>Ee<*<fbaa<bBEe<fe;e IPv6 IPv6 no ne&t 'eader
Internet Protocol, Src1 6DOD;O))EO+)6 F6&.&'.226.!26G, st1 +E)O+6O+O+*> F!62.!6.!.!05G ,eredo IPv6 over 3 P tunneling 1eredo "rigin Indication 'eader *rigin 3 P )ort1 D*)*6 *rigin IPv' address1 66O++EO;EO))E F66.!!6.'6.226G .o. ,ime Source ;7 !';.'0&;!6 +E)O+6O+O+*> .o. ,ime Source ;; !';.'656!; 66O++EO;EO))E .o. ,ime Source !00 !';.'6'!00 +E)O+6O+O+*> .o. ,ime Source !0! !';.67;';5 66O++EO;EO))E PPP estination 66O++EO;EO))E estination +E)O+6O+O+*> estination 66O++EO;EO))E estination +E)O+6O+O+*> Protocol In+o 3 P Source )ort1 !!0; Protocol In+o 3 P Source )ort1 &0206 Protocol In+o 3 P Source )ort1 !!0; Protocol In+o 3 P Source )ort1 &0206 estination )ort1 &0206 estination )ort1 !!0; estination )ort1 &0206 estination )ort1 !!0;
According to "S#,, i+ ,eredo is the only IPv6 )ath, AAAA Huery should not be sentCbeing researched1 'ttp<..msdn)OmicrosoftOcom.en%us.library.aaB6DB+*Oasp&
!'2
0'at 2appens on t'e 0ireG> -ContO/

5nterface %: Teredo T.nnelin( 6se.do-5nterface Addr T*pe --------6.+lic 0in1 DAD State Valid 0ife 6ref3 0ife ---------- ------------ -----------6referred infinite infinite 6referred infinite infinite Address ----------------------------2001:0:"1 6:e %e:0:f+aa:+#%e:fe"e fe80::ffff:ffff:fffd
C:IJpin( 44431a'e3net 6in(in( 44431a'e3net G2001:200:0:8002:20 :"%ff:fea$: 08$H 4it) 7epl* 7epl* 7epl* 7epl* fro' fro' fro' fro' 2001:200:0:8002:20 2001:200:0:8002:20 2001:200:0:8002:20 2001:200:0:8002:20 :"%ff:fea$: :"%ff:fea$: :"%ff:fea$: :"%ff:fea$: 08$: 08$: 08$: 08$: ti'e-82#'s ti'e-"$ 's ti'e-288's ti'e-" 8's 2 +*tes of data
Presentation_I
Cisco
!'5
Maintaining
A1 Mapping
$very 50 seconds FadVustableG clients send a single bubble )ac0et to ,eredo server to re+resh .A, state
4ubble )ac0et U 3sed to create and maintain .A, ma))ing and consists o+ an IPv6 header /ith no IPv6 )ayload FPayload &;C.o neEt headerG
.o. ,ime Source estination Protocol In+o 5& '6.5;;062 )**+<*<;+>6<e>Ee<*<fbaa<bBEe<fe;e ff*)<<+ IPv6
IPv6 no ne&t 'eader
#rame 5& F72 bytes on /ire, 72 bytes ca)turedG $thernet II, Src1 #oEconn_2d1a!1'e F001!&1&712d1a!1'eG, st1 0!1001&e1001001+d F0!1001&e1001001+dG Internet Protocol, Src1 !62.!6.!.!05 F!62.!6.!.!05G, st1 22'.0.0.2&5 F22'.0.0.2&5G 3ser atagram Protocol, Src Port1 !!0; F!!0;G, st Port1 5&'' F5&''G 1eredo IPv6 over ?DP tunneling Internet Protocol (ersion 6 (ersion1 6 ,ra++ic class1 0E00 #lo/label1 0E00000 Payload length1 0 e&t 'eader< IPv6 no ne&t 'eader -*&>b/ Bo) limit1 2! Source address1 200!101'!561e56e101+baa1b;6e1+e'e estination address1 ++0211!
Presentation_I
Cisco
!''
A))endiE1 ISA,AP *vervie/
Presentation_I
Cisco
!'&
Intrasite Automatic 1unnel Address Protocol

9#C '2!' ,his is +or enter)rise net/or0s such as cor)orate and academic net/or0s Scalable a))roach +or incremental de)loyment ISA,AP ma0es your IPv' in+ratructure as trans)ort F.4"AG net/or0
Presentation_I
Cisco
!'6
Intrasite Automatic 1unnel Address Protocol

3se IA.AOs *3I 00:00:&$ and $ncode IPv' Address as Part o+ $3I:6'
6;%bit ?nicast Prefi& ****<DE!E<
>)%bit
IPv; Address
>)%bit
Interface Identifie r -6; bits/
ISA,AP is used to tunnel IPv' /ithin as administrative domain Fa siteG to create a virtual IPv6 net/or0 over a IPv' net/or0 Su))orted in =indo/s WP Pro SP! and others
Presentation_I
Cisco
!'6
Automatic Advertisement of ISA1AP Prefi&

ISA1AP 2ost A IPv; et6ork ISA1AP 1unnel ISA1AP Router + E0 IPv6 et6ork
ICMPv6 Type 133 (RS) IPv4 Source: 206.123.20.100 IPv4 Destination: 206.123.31.200 IPv6 Source: fe80::5efe:ce7b:1464 IPv6 Destination: fe80::5efe:ce7b:1fc8 Send me ISATAP Prefix ICMPv6 Type 134 (RA) IPv4 Source: 206.123.31.200 IPv4 Destination: 206.123.20.100 IPv6 Source: fe80::5efe:ce7b:1fc8 IPv6 Destination: fe80::5efe:ce7b:1464 ISATAP Prefix: 2001:db8:ffff :2::/64
!'7
Automatic Address Assignment of 2ost and Router

ISA1AP 2ost A IPv; et6ork ISA1AP 1unnel )*6O+)>O)*O+** fe=*<<Defe<ceEb<+;6; )**+<db=<ffff<)<<Defe<ceEb<+;6; ISA1AP Router + E0 IPv6 et6ork
)*6O+)>O>+O)** fe=*<<Defe<ceEb<+fc= )**+<db=<ffff<)<<Defe<ceEb<+fc=
ISA,AP host A receives the ISA,AP )re+iE 200!1db71++++121126' +rom ISA,AP 9outer ! =hen ISA,AP host A /ants to send IPv6 )ac0ets to 200!1db71++++1211&e+e1ce6b1!+c7, ISA,AP host A enca)sulates IPv6 )ac0ets in IPv'. ,he IPv' )ac0ets o+ the IPv6 enca)sulated )ac0ets use IPv' source and destination address.
Presentation_I
Cisco
!';
A))endiE1 "ulticast
Presentation_I
Cisco
!&0
IPv; and IPv6 Multicast Comparison

Service Addressing 9ange 9outing IPv' Solution 52:bit, Class Protocol Inde)endent, All IAPs and "4AP PI": ", PI":S", PI":SS", PI":bidir, PI":4S9 IA"Pv!, v2, v5 4oundary, 4order "S P Across Inde)endent PI" omains
Cisco
IPv6 Solution !27:bit F!!2:bit Arou)G Protocol Inde)endent, All IAPs and "4AP /ith v6 mcast SA#I PI":S", PI":SS", PI":bidir, PI":4S9 "D v!, v2 Sco)e Identi+ier Single 9P =ithin Alobally Shared omains
!&!
#or/arding Arou) "anagement omain Control Interdomain Solutions
Presentation_I
M@Dv+< 4oining a ,roup -REP"R1/

!E=*<<)*B<D(!!<!E*=<A6E; !E=*<<)D*<=(!!<!EDD<E=DE
2+
2)
+ + !!>E<;*<)**+<D(=<C**><++*B<++++<++++
ICMPv6 1ype< +>+ Destination<
) ) !!>E<;*<)**+<D(=<C**><++*B<++++<++++
ICMPv6 1ype< +>+ Destination<
+ )
2+ sends a REP"R1 for t'e group 2) sends a REP"R1 for t'e group
rtr% a
!E=*<<)*E<=D!!<!E=*<6B)
Source
,roup<!!>E<;*<)**+<D(=<C**><++*B<++++<++++
!&2
M@Dv+< 2ost Management

FArou):S)eci+ic TueryG
!E=*<<)*B<D(!!<!E*=<A6E; !E=*<<)D*<=(!!<!EDD<E=DE
2+
> ICMPv6 1ype< +>+
REP"R1 to group
2)
+ + !!*)<<)
Destination< ICMPv6 1ype< +>)
) !!>E<;*<)**+<D(=<C**><++*B<++++<++++
ICMPv6 1ype< +>*
Destination<
+ ) >
2+ sends D" E to !!*)<<) R1R%A sends ,roup%Specific Cuery 2) sends REP"R1 for t'e group
rtr% a
#$701120617&##1#$7016;2
Source
Presentation_I
,roup<!!>E<;*<)**+<D(=<C**><++*B<++++<+++ +
Cisco
!&5
"t'er M@D "perations

Deave2 *.$
Dast host leavesCsends *.$ F,y)e !52G
9outer /ill res)ond /ith grou):s)eci+ic Huery F,y)e !50G 9outer /ill use the last member Huery res)onse interval F e+aultU! secG +or each Huery Tuery is sent t/ice and i+ no re)orts occur then entry is removed F2 secondsG
Aeneral Tuery F,y)e !50G
Sent to learn o+ listeners on the attached lin0 Sets the multicast address +ield to 8ero Sent every !2& seconds Fcon+igurableG
Presentation_I
Cisco
!&'
A !e6
otes on 1unnelsY
PI" uses tunnels /hen 9Ps2sources are 0no/n Source registering Fon +irst:ho) routerG
3ses virtual tunnel inter+ace Fa))ear in *ID +or ]S,A^G Created automatically on +irst:ho) router /hen 9P is 0no/n Cisco I*S? 0ee)s tunnel as long as 9P is 0no/n 3nidirectional Ftransmit onlyG tunnels PI" 9egister:Sto) messages are sent directly +rom 9P to registering router Fnot through tunnel@G
Presentation_I
Cisco
!&&
PIM 1unnels -DR%to%RP/

+ranc)=s)o4 ipv6 pi' t.nnel T.nnel1U T*pe : 65D Encap 76 : 2001:DB8:C00 :1116::2 So.rce: 2001:DB8:C00 :111E::2 Cor)orat e .et/or0
@ *
Source RP
+ranc)=s)o4 interface t.nnel 1 T.nnel1 is .p< line protocol is .p Lard4are is T.nnel DTB 1$1" +*tes< BN # 9+it< D0P $00000 .sec< relia+ilit* 2$$!2$$< t&load 1!2$$< r&load 1!2$$ Encaps.lation TB88E0< loop+ac1 not set 9eepalive not set T.nnel so.rce 2001:DB8:C00 :111E::2 :Serial0!2;< destination 2001:DB8:C00 :1116::2 T.nnel protocol!transport 65D!56v6< 1e* disa+led< seK.encin( disa+led C)ec1s.''in( of pac1ets disa+led T.nnel is trans'it onl* 0ast inp.t never< o.tp.t never< o.tp.t )an( never 0ast clearin( of Qs)o4 interfaceQ co.nters never V o.tp.t tr.ncatedV
D R
Presentation_I
Cisco
!&6
PIM 1unnels -RP/

Source registering Fon 9PG t/o virtual tunnels are created
*ne transmit only +or registering sources locally connected to the 9P *ne receive only +or deca)sulation o+ incoming registers +rom remote designated routers .o one:to:one relationshi) bet/een virtual tunnels on designated routers and 9P@
Presentation_I
Cisco
!&6
PIM 1unnels -RP%for%Source/

76-ro.ter=s)o4 ipv6 pi' t.nnel T.nnel0U T*pe : 65D Encap 76 : 2001:DB8:C00 :1116::2 So.rce: 2001:DB8:C00 :1116::2 T.nnel1U T*pe : 65D Decap 76 : 2001:DB8:C00 :1116::2 So.rce: 76-ro.ter=s)o4 interface t.nnel 1 T.nnel1 is .p< line protocol is .p Lard4are is T.nnel DTB 1$1" +*tes< BN # 9+it< D0P $00000 .sec< relia+ilit* 2$$!2$$< t&load 1!2$$< r&load 1!2$$ Encaps.lation TB88E0< loop+ac1 not set 9eepalive not set T.nnel so.rce 2001:DB8:C00 :1116::2 :FastEt)ernet0!0;< destination 2001:DB8:C00 :1116::2 T.nnel protocol!transport 65D!56v6< 1e* disa+led< seK.encin( disa+led C)ec1s.''in( of pac1ets disa+led T.nnel is receive onl* V o.tp.t tr.ncatedV
Source RP
Cor)orat e .et/or0
1 u
@ *
!&7
1unneling v6 Multicast
v6 in v;
v6 in v' most /idely used
tunnel mode ipv6ip <----- IS-IS cannot traverse
v6 in v' A9$ FIS:IS can traverseG

tunnel mode gre ip
ISA,AP26to' do not su))ort IPv6 multicast
v6 in v6
v6 in v6
tunnel mode ipv6
v6 in v6 A9$
tunnel mode gre ipv6
Presentation_I
Cisco
!&;
Source Specific Multicast -SSM/

o con+iguration reHuired other than enabling
ro.ter=s)o4 ipv6 pi' ran(e-list confi( SSD E&p: never 0earnt fro' : :: FF ::! 2 Bp: 1d00) FF "::! 2 Bp: 1d00) FF $::! 2 Bp: 1d00) FF 6::! 2 Bp: 1d00) FF %::! 2 Bp: 1d00) FF 8::! 2 Bp: 1d00) FF #::! 2 Bp: 1d00) FF A::! 2 Bp: 1d00) FF B::! 2 Bp: 1d00) FF C::! 2 Bp: 1d00) FF D::! 2 Bp: 1d00) FF E::! 2 Bp: 1d00) FF F::! 2 Bp: 1d00)
ipv6 multicast-routing
SS" grou) ranges are automatically de+ined 9eHuires "D v2 on host or SS" "a))ing +eature
Presentation_I
Cisco
!60
SSM%Mapping
elay in SS" de)loyment Fboth IPv' and IPv6G is based mainly on lac0 o+ IA"Pv5 and "D v2 availability on the end)oints SS":"a))ing allo/s +or the de)loyment o+ SS" in the net/or0 in+rastructure /ithout reHuiring "D v2 F+or IPv6G on the end)oint SS":"a))ing enabled router /ill ma) "D v! re)orts to a source F/hich do not natively include the source li0e /ith "D v2G
9ange o+ grou)s can be statically de+ined or used /ith =ildcards can be used to de+ine range o+ grou)s .S
Presentation_I
Cisco
!6!
SSM%Mapping
core-1=s)o4 ipv6 'ro.te ? +e(in 2001:DB8:CAFE:11::11 :2001:DB8:CAFE:11::11< FF ::DEAD;< 00:01:20!00:0 :06< fla(s: sT 5nco'in( interface: 2i(a+itEt)ernet ! 76F n+r: FE80::20E: #FF:FEAD:#B00 5''ediate E.t(oin( interface list: 2i(a+itEt)ernet$!1< For4ard< 00:01:20!00:0 :06 )**+<D(=<CA!E<++<<++ !!>><<DEAD Corporat e et6ork
Source
Static Mapping< ipv6 '.lticast-ro.tin(
/ ipv6 'ld ss'-'ap ena+le ipv6 'ld ss'-'ap static DA6 2001:DB8:CAFE:11::11 no ipv6 'ld ss'-'ap K.er* dns / ipv6 access-list DA6 per'it ipv6 an* )ost FF ::DEAD
SSM
D S Mapping -t'e ipv6 '.lticast-ro.tin( default/<
/ ipv6 'ld ss'-'ap ena+le / ip do'ain '.lticast ss'-'ap3cisco3co' ip na'e-server 10313131

M@Dv+
Presentation_I
!62
IPv6 Multicast Static RP

$asier than be+ore as PI" is auto:enabled on every inter+ace
Source ipv6 '.lticast-ro.tin( / interface 0oop+ac10 description 56V6 56'c 76 no ip address ipv6 address 2001:DB8:C00 :110A::1!6" / ipv6 pi' rp-address 2001:DB8:C00 :110A::1!6" ipv6 '.lticast-ro.tin( / ipv6 pi' rp-address 2001:DB8:C00 :110A::1!6"
Corporat e et6ork @ *
RP IP 0A
Presentation_I
Cisco
!65
IPv6 Multicast PIM (SR< Configuration

4an-top=s) r.n ? incl ipv6 pi' +sr ipv6 pi' +sr candidate-+sr 2001:DB8:C00 :1116::2 ipv6 pi' +sr candidate-rp 2001:DB8:C00 :1116::2
RPG)**+<D(=<C**><+++6<<)
Corporat e et6ork IP 0A
Source RPG)**+<D(=<C**><++*A<<+
4an-+otto'=s) r.n ? incl ipv6 pi' +sr ipv6 pi' +sr candidate-+sr 2001:DB8:C00 :110A::1 ipv6 pi' +sr candidate-rp 2001:DB8:C00 :110A::1
Presentation_I
Cisco
!6'
(idirectional PIM -(idir/

,he same many:to:many model as be+ore Con+igure 4idir 9P and range via the usual ip pim rp-address syntaE /ith the o)tional bidir 0ey/ord
/ ipv6 pi' rp-address 2001:DB8:C00 :110A::1 +idir / =s)o4 ipv6 pi' ran(e ? incl.de BD Static BD 76: 2001:DB8:C00 :110A::1 E&p: never 0earnt fro' : ::
Presentation_I
Cisco
!6&
Embedded%RP Addressing "vervie6

9#C 5;&6 9elies on a subset o+ 9#C5506CIPv6 unicast: )re+iE:based multicast grou) addresses /ith s)ecial encoding rules1
Arou) address carries the 9P address +or the grou)@
7 ' ' ' ' 7 6' 52 ## _ #lags_ Sco)e _9svd _ 9Paddr_ Plen _ .et/or0 Pre+iE _ Arou) I .e/ Address +ormat de+ined 1 #lags U 09P,, 9 U !, P U !, , U !U[ 9P address embedded F0!!! U 6G $Eam)le Arou)1 ##6$10!'01200!10 471C0051!!! 100001!!!2 $mbedded 9P1 200!10 471C0051!!! 11!
Presentation_I
Cisco
!66
Embedded%RP
PI":S" )rotocol o)erations /ith embedded:9P1
Intradomain transition into embedded:9P is easy1 .on:su))orting routers sim)ly need to be con+igured statically or via 4S9 +or the embedded:9Ps@
$mbedded:9P is Vust a method to learn *.$ 9P address +or a multicast grou)1

It can not re)lace 9P:redundancy as )ossible /ith 4S9 or "S P2Anycast:9P
$mbedded:9P does not FyetG su))ort 4idir:PI"

Sim)ly eEtending the ma))ing +unction to de+ine 4idir:PI" 9Ps is not su++icient1 In 4idir:PI" routers carry )er:9P state F # )er inter+aceG )rior to any data )ac0et arrivingR this /ould need to be changed in 4idir: PI" i+ $mbedded:9P /as to be su))orted
!66
Embedded%RP Configuration E&ample

9P to be used as an $mbedded:9P needs to be con+igured /ith address2grou) range All other non:9P routers reHuire no s)ecial con+iguration
Source RP
Corporat e et6ork @ *
IP 0A
ipv6 pi' rp-address 2001:DB8:C00 :111D::1 E76 / ipv6 access-list E76 per'it ipv6 an* FF%E:1"0:2001:DB8:C00 :111D::!#6
Presentation_I
Cisco
!67
Embedded RPGDoes It 0ork5

+ranc)=s)o4 ipv6 pi' (ro.p FF%E:1"0:2001:DB8:C00 :111D ::!#6U 76 : 2001:DB8:C00 :111D::1 6rotocol: SD Client : E'+edded 2ro.ps : 1 5nfo : 76F: Se0!031<FE80::210:%FF:FEDD:"0 +ranc)=s)o4 ipv6 'ro.te active Active 56v6 D.lticast So.rces - sendin( J- " 1+ps 2ro.p: FF%E:1"0:2001:DB8:C00 :111D:0:1112 So.rce: 2001:DB8:C00 :110#::2 7ate: 21 pps!122 1+ps:1sec;< 12" 1+ps:last 100 sec; +ranc)=s)o4 ipv6 pi' ran(e ? incl.de E'+edded E'+edded SD 76: 2001:DB8:C00 :111D::1 E&p: never 0earnt fro' : :: FF%E:1"0:2001:DB8:C00 :111D::!#6 Bp: 00:00:2"
IP 0A
1o RP
Receive r Sends Report
Presentation_I
Cisco
!6;
Multicast Applications
"icroso+t =indo/s "edia Server2Player F; :!!G (ideoDA.
///.videolan.org htt)122///.s+c./ide.ad.V)2 (,S2htt)122///.dvts.V)2en2dvts.html htt)122///.i)v6.ecs.soton.ac.u02virginradio2 Su))orted on i,unes '.&, =indo/s "edia Player, W""S !.2.7, etcP htt)122///.microso+t.com2/indo/s2/indo/smedia2de+ault.as)E
(,S F igital (ideo ,rans)ort SystemG Internet radio stations over IPv6
"any more a))licationsPAoogle is your +riend 1:G
Presentation_I
Cisco
!60
A))endiE1 ToS
Presentation_I
Cisco
!6!
IPv6 CoS< 2eader !ields

IPv6 tra++ic class
$Eactly the same as ,*S +ield in IPv'
(ersion ,ra++ic Class
#lo/ Dabel
IPv6 #lo/ Dabel F9#C 56;6G
A ne/ 20:bit +ield in the IPv6 basic header /hich1 Dabels )ac0ets belonging to )articular +lo/s Can be used +or s)ecial sender reHuests
Payload Dength
.eEt Beader Bo) Dimit
Per 9#C, #lo/ Dabel must not be modi+ied by intermediate routers Source Address
Xee) an eye out +or /or0 being doing to leverage the +lo/ label
estination Address
Presentation_I
Cisco
!62
Simple CoS E&ample< IPv; and IPv6

class-'ap 'atc)-an* B7A8CL-BB09-DATA 'atc) access-(ro.p na'e BB09-DATA-56V6 'atc) access-(ro.p na'e BB09-DATA class-'ap 'atc)-all BB09-DATA 'atc) dscp af11 / polic*-'ap 7B7-NA8-ED2E class BB09-DATA +and4idt) percent " rando'-detect / polic*-'ap 7B7-0A8-ED2E-58 class B7A8CL-BB09-DATA set dscp af11 / ip access-list e&tended BB09-DATA per'it tcp an* an* eK ftp per'it tcp an* an* eK ftp-data / ipv6 access-list BB09-DATA-56V6 per'it tcp an* an* eK ftp per'it tcp an* an* eK ftp-data
service-polic* inp.t 7B7-0A8-ED2E-58
AC@ Matc' 1o Set DSCP -If Packets Are ot Already Marked/
service-polic* o.tp.t 7B7-NA8-ED2E
AC@s to Matc' for (ot' IPv; and IPv6 Packets

!65
Presentation_I
Cisco
IPv6 "3ER C@IE 1 3P < RE!ERE CE S@IDES !"R " %0I D"0S P@A1!"RMS
Presentation_I
Cisco
!6'
Router Configuration< Configured 1unnels

3P >*** Concentrator !>. + ,). + Corporate et6ork 3P Client Catalyst 6D** Supervisor E)* Dual%stack
ipv6 .nicast-ro.tin( / interface FastEt)ernet !1 description TE V68 / interface 2i(a+itEt)ernet2!1 description TE Ca'p.s 8et4or1 ipv6 address 2001:DB8:C00 :111C::2!6" / interface T.nnel1 description Confi(.red T.nnel for Client1 no ip address ipv6 address 2001:DB8:C00 :112 ::1!6" t.nnel so.rce FastEt)ernet !1 t.nnel destination 10313##310
000
ip address 20313131 2$$32$$32$$30
t.nnel 'ode ipv6ip
!6&
Client Configuration -0indo6s SP.3ista.0E/< Configured 1unnels

3P >*** Concentrator
Create v6v'tunnel Add

!>. IPv6+ address +
to
,). Create a de+ault route F1120G +or the tunnel Corporate et6ork 0indo6s SP 3P Client
Catalyst 6D** Supervisor tunnel inter+ace E)* Dual%stack
nets) interface ipv6Jadd v6v"t.nnel WC5SCEX 10313##310 20313131 E13 nets) interface ipv6Jadd address WC5SCEX 2001:DB8:c00 :112 ::2 E13 nets) interface ipv6Jadd ro.te ::!0 WC5SCEX E13
3P IP
Router IP
Presentation_I
Cisco
!66
Does It 0ork5
0indo6s SP Client 3P >*** Catalyst 6D** Supervisor E)* Dual%stack )*O+O+O+ % IPv; address )**+<D(=<c**><++)><<+GIPv6 address
+*O+OBBO+*> % 3P address )**+<D(=<c**><++)><<)GIPv6 address 5nterface 21: C5SCE Addr T*pe --------Dan.al 0in1
DAD State Valid 0ife 6ref3 0ife ---------- ------------ -----------6referred infinite infinite 6referred infinite infinite
Address ----------------------------2001:DB8:c00 :112 ::2 fe80::a01:6 68
nets) interface ipv6Js)o4 nei()+ors 21 5nterface 2: A.to'atic T.nnelin( 6se.do-5nterface 5nternet Address 6)*sical Address T*pe --------------------------------------------- ----------------- ----------2001:DB8:c00 :112 ::1 20313131 6er'anent fe80::1"01:0101 20313131 6er'anent
!66
Client Configuration -@inu&/< ISA1AP 1unnels

IPv6:enabled native su))ort
!>. 9eHuires+Xernel Catalyst 6D** Supervisor su))ort +or ISA,AP E)* +or ISA,AP F ebianG ,). Dual%stack +
I Some 0ernels may not have
"ust con+igure ISA,AP routerC.*, automatic

Corporate et6ork
@inu& 3P Client
= ip t.nnel add is0 'ode isatap 10313##310" v"an* 20313131 ttl 6" = ip lin1 set is0 .p
3P IP
Router IP
ZSee notes for full instructions for enabling IPv6 on @inu&

!67
Client Configuration -Sun Solaris/< Configured 1unnels 0it' >**) Client

IPv6:enabled $Eam)le 4asic con+igured
!>. o+ + Solaris Catalyst 6D** Supervisor behind a 5002 (P. Client E)* tunnelCmanual commands given ,). Dual%stack +
Can maintain con+iguration )ermanently using 2etc2hostname6.i).tun. Corporate F/here . is 0, !, 2, and so onG
et6ork >**) 3P Client
Sun Solaris
= ifconfi( ip3t.n0 inet6 = ifconfi( ip3t.n0 inet6 tsrc 1#231683031 tdst 20313131 .p = ifconfi( ip3t.n0 inet6 addif 2001:DB8:c00 :112 ::2!6" 2001:DB8:c00 :112 ::1 .p Created ne4 lo(ical interface ip3t.n0:2 ZSee notes for full instructions for enabling IPv6 on Solaris
@ocal @A pl.'+ IP
Router IP
!6;
Client Configuration -Mac/< Configured 1unnels 0it' >**) 20 Client

IPv6:enabled Bave Froot userG
!>. )ermissions + Catalyst 6D** Supervisor E)* ,). Dual%stack +
$Eam)le o+ "ac behind Corporate a 5002 (P. Client

et6ork >**) 3P Client
MAC "S S Client
= = = =
ifconfi( (if0 t.nnel ifconfi( (if0 t.nnel 1#231683031 20313131 ifconfi( (if0 inet6 alias 2001:DB8:c00 :112 ::2 ro.te add -inet6 defa.lt -interface (if0
!70
@ocal @A IP create
Router IP
Presentation_I
Cisco
"PERA1I , SRS1EM C" !I,?RA1I" RE!ERE CE
Presentation_I
Cisco
!7!
Microsoft
Presentation_I
Cisco
!72
Client Configuration % Dual%Stack

9eHuired
=indo/s Client
ual: stac0 9outer
"icroso+t =indo/s WP FSP! or higherG, Server 2005, (ista2=6, Server 2007
IPv6 must be installed on WP and 2005 Fenabled by de+ault on (ista2=622007G

C:\>ipv6 install
Bave net/or0 F9outers2S/itchesG con+igured +or IPv6

Stateless autocon+iguration and2or BCPv6
C:IJipconfi( Nindo4s 56 Confi(.ration Et)ernet adapter 0ocal Area Connection 1: Connection-specific D8S S.ffi& 3 : 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 1031313100 S.+net Das1 3 3 3 3 3 3 3 3 3 3 3 : 2$$32$$32$$30 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : 2001:d+8:cafe:1122:20 :ffff:fe81:d6da 56 Address3 3 3 3 3 3 3 3 3 3 3 3 : fe80::20 :ffff:fe81:d6daA" Defa.lt 2ate4a* 3 3 3 3 3 3 3 3 3 : 10313131 fe80::201:"2ff:fe2d:#$80
!75
ISA1AP Refres'er
Intra:Site Automatic ,unnel Addressing Protocol 9#C '2!' Bost:to:router ,unnel ISA,AP connections loo0 li0e one +lat net/or0 Create .S KAL record +or KISA,APL U !0.!20.'.! 3se Static Con+ig i+ .S use is not desired1 C:\>netsh interface ipv6 isatap set router !" #!"$" 9ecommendation1 e)loy ISA,AP end)oints via )olicy distribution
@> device 6it' IPv; address -+*O+)*O;O+/ and IPv6 dual%stack IPv6 Network
ISA1AP 1unnel
IPv4 Network
2ost 6it' IPv; address -+*O+)*O)O)/ and IPv6 enabled
Presentation_I
Cisco
!7'
IPv;
et6ork F ISA1AP Enabled Router
.o. ,ime Source estination Protocol In+o 502 '7.!2;6!6 fe=*<<Defe<aE=<)*) fe=*<<Defe<aE=<;*+ IC"Pv6 9outer solicitation Internet Protocol, Src1 +*O+)*O)O) F!0.!20.2.2G, st1 +*O+)*O;O+ F!0.!20.'.!G .o. ,ime Source estination Protocol In+o 76! '70.6067;; fe=*<<Defe<aE=<;*+ fe=*<<Defe<aE=<)*) IC"Pv6 9outer advertisement Internet Protocol, Src1 +*O+)*O;O+ F!0.!20.'.!G, st1 +*O+)*O)O) F!0.!20.2.2G .o. ,ime Source estination Protocol In+o !25& 66&.67&0!2 )**+<db=<cafe<+*+*<*<Defe<aE=<>*) )**+<db=<cafe<+*+*<*<Defe<aE=<)*) IC"Pv6 $cho reHuest Internet Protocol, Src1 +*O+)*O>O) F!0.!20.5.2G, st1 +*O+)*O)O) F!0.!20.2.2G .o. ,ime Source estination Protocol In+o !256 66&.67&2&; )**+<db=<cafe<+*+*<*<Defe<aE=<)*) )**+<db=<cafe<+*+*<*<Defe<aE=<>*) IC"Pv6 $cho re)ly Internet Protocol, Src1 +*O+)*O)O) F!0.!20.2.2G, st1 +*O+)*O>O) F!0.!20.5.2G
+*O+)*O)O) fe=*<<Defe<aE=<)*) )**+<D(=<CA!E<+*+*<DE!E<AE=<)*) ese:(ista2=6!
+*O+)*O>O) fe=*<<Defe<aE=<>*) )**+<D(=<CA!E<+*+*<DE!E<AE=<>*) ese:(ista2=62
ISA1AP 1unnel
Presentation_I
+*O+)*O;O+ fe=*<<Defe<aE=<;*+ )**+<D(=<CA!E<+*+*<<.6; ISA1AP router Cisco
ISA1AP 1unnel
!7&
Client Configuration % ISA1AP

"icroso+t WP /ill automatically attem)t to resolve the name KISA,APL
Docal host name Bosts +ile : SystemRoot`system52`drivers`etc .S name Huery FKAL recordG .et4I*S and Dmhosts
"anual ISA,AP router entry can be made
netsh interface ipv6 isatap set router #!" " "
Xey +act here is that .* additional con+iguration on the client is needed again@@@
ote<ISA1AP is supported on some versions of @inu&.(SD -manual router entry is re7uired/
!76
Client Configuration -0indo6s SP.3ista.0E/ % Configured 1unnels

=indo/s WP Client D5 S/itch IPv6 not su))orted IPv6 D5 S/itch29oute r
Create v6v'tunnel Add IPv6 address to tunnel inter+ace Create a de+ault route F1120G +or the tunnel
+*O+O+O+** % Client IPv; address )**+<db=<cafe<++)><<) % IPv6 address
nets) interface ipv6Jadd v6v"t.nnel WC5SCEX 1031313100 0313131 E13 nets) interface ipv6Jadd address WC5SCEX 2001:d+8:cafe:112 ::2 E13 nets) interface ipv6Jadd ro.te ::!0 WC5SCEX E13
2ost IP
Router IP
Presentation_I
Cisco
!76
Router Configuration % Configured 1unnels

=indo/s WP Client D5 S/itch IPv6 not su))orted IPv6 D5 S/itch29oute r
ipv6 .nicast-ro.tin( ipv6 cef
+*O+O+O+** % Client IPv; address )**+<db=<cafe<++)><<) % IPv6 address
/ interface 0oop+ac11 description T.nnel for 56v6 Clients ip address / interface 2i(a+itEt)ernet2!10 description TE Ca'p.s Core 8et4or1 ipv6 address 2001:DB8:CAFE:111C::2!6" / interface T.nnel1 description Confi(.red T.nnel for Client1 ipv6 address 2001:DB8:CAFE:112 ::1!6" t.nnel so.rce 0oop+ac11 t.nnel destination 1031313100 t.nnel 'ode ipv6ip 0313131 2$$32$$32$$32$$
Presentation_I
Cisco
!77
@inu&
Presentation_I
Cisco
!7;
0'at Is Re7uired
9ed Bat 6.2 and higher
#edora )roVect builds 9B 7, ;, =S, and $S )re+erred
"andra0e 7.0 and higher SuS$ 6.! and higher ebian 2.2 and higher ISA,AP su))ort may not be native in all distribution 0ernels
Presentation_I
Cisco
!;0
Client Configuration -@inu&/< Dual%Stack

$.A4D$ IPv6 su))ort on DinuE
$ditC2etc2syscon+ig2net/or0 Add entryC.$,=*9XI.A_IP(6Uyes 9estart net/or0ing or reboot
= ifconfi( et)0 et)0 0in1 encap:Et)ernet LNaddr 00:"0:F":6C:C8:AF inet addr:1031313100 Bcast:10313132$$ Das1:2$$32$$32$$30 inet6 addr: 2001:DB8:C00 :1122:2"0:f"ff:fe6c:c8af!6" Scope:2lo+al inet6 addr: fe80::2"0:f"ff:fe6c:c8af!10 Scope:0in1 B6 B7EADCAST 7B88582 DB0T5CAST DTB:1$00 Detric:1 7T pac1ets:28#22 errors:0 dropped:0 overr.ns:0 fra'e:0 TT pac1ets:1 "$2 errors:0 dropped:0 overr.ns:0 carrier:0 collisions:0 t&K.e.elen:100 7T +*tes:$ "2$%%% :$03# D+; TT +*tes: 81080 : 32 D+; 5nterr.pt:$ Base address:0&f000
Presentation_I
Cisco
!;!
Client Configuration -@inu&/< ISA1AP 1unnels

@> S6itc' @inu& IPv6 @> IPv6:enabled IPv6 ot Supported S6itc'.Route Client r
9eHuires Xernel su))ort +or ISA,AP I Some 0ernels may not have native su))ort +or ISA,AP F ebianG automatic
"ust con+igure ISA,AP routerC.*, +*O+O+O+**GClient IPv; address )**+<D(=<C**><+++f<*<Defe<+*O+O+O+**GIPv6 address
2ost IP
= ip t.nnel add is0 'ode isatap 1031313100 v"an* = ip lin1 set is0 .p
0313131 ttl 6"
Router IP
Presentation_I
Cisco
!;2
Client Configuration -@inu&/< Configured 1unnels

@> S6itc' @inu& IPv6 @> Create tunnel IPv6 ot Supported S6itc'.Route Client r
$nable the tunnel inter+ace
Add IPv6 address to tunnel inter+ace

+*O+O+O+**GClient IPv; address Create a de+ault route F1120G )**+<D(=<C**><++)><<)GIPv6 address
+or the tunnel
Router IP
= = = = ip ip ip ip
2ost IP
t.nnel add sit1 'ode sit re'ote 0313131 local 1031313100 lin1 set sit1 .p address add dev sit1 2001:DB8:C00 :112 ::2!6" ro.te add ::!0 dev sit1
Presentation_I
Cisco
!;5
Does It 0ork5
=ip t.nnel s)o4 sit1 sit1: ipv6!ip re'ote 0313131 local 1031313100 ttl in)erit
=ro.te -A inet6 ? (rep sit1 9ernel 56v6 ro.tin( ta+le Destination 2001:DB8:C00 :112 ::!6" fe80::!10 ff02::#!128 ff00::!8 ::!0
8e&t Lop :: :: ff02::# :: ::
Fla(s BA BA BAC BA B
Detric 2$6 2$6 0 2$6 102"
7ef 10 6 1 0 0
Bse 0 0 0 0 0
5face sit1 sit1 sit1 sit1 sit1
= ip -6 addr s)o4 sit1 6: sit1Y8E8E: S6E58TE6E58T<8EA76<B6J 't. 1"80 Kdisc noK.e.e inet6 fe80::a$e:a6"d!128 scope lin1 inet6 2001:DB8:C00 :112 ::2!6" scope (lo+al =pin(6 -5 sit1 2001:DB8:C00 :112 ::1 6582 2001:DB8:C00 :112 ::1 fro' 2001:DB8:C00 :112 ::2 sit1: 6" +*tes fro' 2001:DB8:C00 :112 ::1: ic'pOseK-1 ttl-6" ti'e-03"$" 6" +*tes fro' 2001:DB8:C00 :112 ::1: ic'pOseK-2 ttl-6" ti'e-03 %1 6" +*tes fro' 2001:DB8:C00 :112 ::1: ic'pOseK- ttl-6" ti'e-03 #2 6" +*tes fro' 2001:DB8:C00 :112 ::1: ic'pOseK-" ttl-6" ti'e-03 %%
's 's 's 's

!;'
Presentation_I
Cisco
Apple Mac "S S
Presentation_I
Cisco
!;&
Client Configuration -Mac "S S +*O) A/< Dual%Stack via ,?I
Presentation_I
Cisco
!;6
Client Configuration -Mac/< Configured 1unnels

Mac Client @> S6itc' IPv6 @> IPv6 ot Supported S6itc'.Route r
Create tunnel inter+ace Set tunnel end:)oints Add IPv6 address to tunnel Set de+ault route 6to' also an o)tion
Router IP
>*O+O>O)*+GClient IPv; address )**+<D(=<C**><++);<<)GIPv6 address
= = = =
ifconfi( (if0 t.nnel ifconfi( (if0 t.nnel 0313 3201 0313131 ifconfi( (if0 inet6 alias 2001:DB8:C00 :112"::2 ro.te add -inet6 defa.lt -interface (if0
@ocal @A IP create
= ifconfi( (if0 (if0: fla(s-80$1SB6<6E58TE6E58T<7B88582<DB0T5CASTJ 't. 1280 t.nnel inet 0313 3201 --J 0313131 inet6 fe80::20 :# ff:feee:#f1f prefi&len 6" scopeid 0&2 inet6 2001:DB8:C00 :112"::2 prefi&len 6"
Presentation_I
Cisco
!;6
Sun Solaris
Presentation_I
Cisco
!;7
1'ings to Lno6
Sun Solaris 7 and above /ill )rom)t +or IPv6 activation during the installation )rocess
Say yes and you /ill be ready +or dual:stac0 /ith autocon+iguration
Sou can also create the 2etc2hostname6.Zinter+ace[ +ile manually

#or eEam)le i+ your )hysical $thernet ada)ter is eri0 then you /ill +ind a 2etc2hostname.eri0 +ile Sou can create a 2etc2hostname6.eri0 +ile manually or i+ you o)ted to have IPv6 su))ort during installation then the +ile /ill already eEist
%touch &etc&hostname6"eri! reboot ifconfig -a and you /ill see a lin0 local address on the inter+aces
Presentation_I
Cisco
!;;
Client Configuration -Sun Solaris/< Configured 1unnels

@> S6itc' Mac IPv6 @> Create tunnel inter+aceS6itc'.Route IPv6 ot Supported Client r Create tunnel end:)oints
Add IPv6 address to inter+ace Can maintain con+iguration )ermanently using 2etc2hostname6.i).tun. F/here . is address 0, !, 2, and so onG +*O+O+O+**GClient IPv;
)**+<D(=<C**><++)><<)GIPv6 address
= ifconfi( ip3t.n0 inet6 = ifconfi( ip3t.n0 inet6 tsrc 1031313100 tdst 0313131 .p = ifconfi( ip3t.n0 inet6 addif 2001:DB8:C00 :112 ::2!6" 2001:DB8:C00 :112 ::1 .p Created ne4 lo(ical interface ip3t.n0:2 ip3t.n0: fla(s-22008$1SB6<6E58TE6E58T<7B88582<DB0T5CAST<8E8BD<56v6J 't. 1"80 inde& inet t.nnel src 1031313100 t.nnel dst 0313131 t.nnel )op li'it 60 inet6 fe80::"06$:"06a!10 --J fe80::a$e:a6"" ip3t.n0:1: fla(s-22008$1SB6<6E58TE6E58T<7B88582<DB0T5CAST<8E8BD<56v6J 't. 1"80 inde& inet6 2001:DB8:C00 :112 ::2!6" --J 2001:DB8:C00 :112 ::1
@ocal @A IP pl.'+
Router IP
200
Presentation_I
Cisco
20!

Enterprise IPv6 Design

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Enterprise IPv6 Design

Hochgeladen von

Copyright:

Verfügbare Formate

Enterprise IPv6 Deployment

e)loying IPv6 in Cam)us .et/or0s1 htt)122///.cisco.com2en23S2docs2solutions2$nter)rise2Cam)u

2006 Cisco Systems, Inc. All rights reserved.

2006 Cisco Systems, Inc. All rights reserved.

,he .eed #or IPv6

2006 Cisco Systems, Inc. All rights reserved.

Market !actors Driving IPv6 Deployment

ational IPv6 Strategies 3S o , China .AI, $3

///.oecd.org1 "easuring IPv6 ado)tion

IPv6 Provides (enefits Across t'e (oard

(uilding sensors Media services Collaboration Mobility

Set%top bo&es Internet gaming Appliances 3oice.video Security monitoring

Embedded devices Industrial Et'ernet IP%enabled components

DoD 0I %1 !CS 41RS ,I,%(E

,overnment -!ederal.Public Sector/

1elematics 1raffic control 2otspots 1ransit services

Animal tags Imagery (otanical 0eat'er

2ome care 0ireless asset tracking Imaging Mobility

Dramatic Increase in Enterprise Activity

2006 Cisco Systems, Inc. All rights reserved.

Planning > e)loyment Summary

2006 Cisco Systems, Inc. All rights reserved.

Enterprise Adoption Spectrum

2006 Cisco Systems, Inc. All rights reserved.

IPv6 Integration "utline

2006 Cisco Systems, Inc. All rights reserved.

Integration.Coe&istence Starting Points

$Eam)le1 Integration emarc2Start Points in Cam)us2=A.

Start in Core and move to the edge

ual:Stac0 IPv':IPv6 9outers

v' *nly !0.!.2.022'

.A,6'2 .S6 '

2006 Cisco Systems, Inc. All rights reserved.

2006 Cisco Systems, Inc. All rights reserved.

2ierarc'ical Addressing and Aggregation

"nly Announces t'e .>) Prefi&

IPv6 Internet 2000::/3

e+ault is 2'7 I can be larger I K$nd:user Additional AssignmentL htt)s122///.arin.net2resources2reHuest2i)v6_add_assign.html

Provider inde)endent I See .umber 9esource Policy "anual F.9P"G : htt)s122///.arin.net2)olicy2nr)m.html

2006 Cisco Systems, Inc. All rights reserved.

Summary of Address Considerations

2006 Cisco Systems, Inc. All rights reserved.

2006 Cisco Systems, Inc. All rights reserved.

?@A# ?@A A ,lobal or ,lobal

DetOs eE)lore these o)tionsP

2006 Cisco Systems, Inc. All rights reserved.

?ni7ue%@ocal Addressing -R!C;+B>/

e+ault )re+iE is 2'7

.ot 9ecommended ,oday

Re7uires A1 for IPv6 ,lobal F l a rn )**+<D(=<CA!E<<.; E&te l a Corp 2C b ,lo = nal

?@A Space !DBC<D=ED<EDE><<.;=

?@A Space !DBC<D=ED<EDE><<.;= !DBC<D=ED<EDE><<)<<.6; ,lobal F )**+<D(=<CA!E<<.;= )**+<D(=<CA!E<)<<.6;

2006 Cisco Systems, Inc. All rights reserved.

?@A A ,lobal E&ample

2006 Cisco Systems, Inc. All rights reserved.

RandomiHed IID and Privacy E&tensions

@ink @evelGPrefi& @engt' Considerations

2006 Cisco Systems, Inc. All rights reserved.

?sing @ink%@ocal for on%Access Connections

2006 Cisco Systems, Inc. All rights reserved.

?sing @@ A @oopback "nly

*)erational management challenges /ith this ty)e o+ numbering scheme

2006 Cisco Systems, Inc. All rights reserved.

2006 Cisco Systems, Inc. All rights reserved.

?@A Space !DBC<D=ED<EDE><<.;= !DBC<D=ED<EDE><<)<<.6; ,lobal F )+<D(=<CA!E<<.;= )+<D(=<CA!E<)<<.6;