Shannon McFarland, CCIE #5245, VCP
Corporate Consulting Engineer, Office of the CTO
shmcfarl@cisco.com
Presentation_I 2006 Cisco Systems, Inc. All rights reserved. Cisco
Reference Materials
Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns8
CCO IPv6 Main Page: http://www.cisco.com/go/ipv6
Cisco Network Designs: http://www.cisco.com/go/designzone
Recommended Reading
Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah, ISBN0470193387, John Wiley & Sons Publications
Coming Soon!!
Agenda
The Need for IPv6
Planning and Deployment Summary
Address Considerations
General Concepts
Infrastructure Deployment
  Campus/Data Center
  WAN/Branch
  Remote Access
Provider Considerations
IPv6 OS, Content & Applications
IPv6 Infrastructure Evolution
SmartGrid, SmartCities, DOCSIS 3.0, 4G/LTE, IPSO
Higher Education/Research
Consumer
Manufacturing
Health Care
Transportation
Agriculture/Wildlife
Is it real?
Do I need to deploy everywhere?
Equipment status?
SP support?
Addressing
What does it cost?
Still fighting vendors
Content and wide-scale app deployment
Review operational cost of 2 stacks
Competitive/Strategic advantages of new environment
Deployment Phases
Establish the network starting point
Importance of a network assessment and available tools
Defining early IPv6 security guidelines and requirements
Additional IPv6 "pre-deployment" tasks needing consideration
Transport considerations for integration
Campus IPv6 integration options
WAN IPv6 integration options
Advanced IPv6 services options
Start dual-stack on the WAN/campus core/edge routers
NAT64 for servers/apps only capable of IPv4 (temporary only)
[Figure: Edge-to-Core. Labels: Dual-Stack IPv4-IPv6 Core and Edge; v4 and v6 (10.1.4.0/24, 2001::/64); v6-Enabled; v6 Only (2001::/64); IPv6 Server; IPv4-Only Segment]
Address Considerations
[Figure: ISP 2001:DB8::/32; 2001:DB8:0001::/48; Site 2; 2001:DB8:0002::/48; 2001:DB8:0002:0001::/64; 2001:DB8:0002:0002::/64]
Do I Get PI or PA?
It depends
PI space is great for ARIN controlled space (not all RIRs have approved PI space)
PA is a great space if you plan to use the same SP for a very long time or you plan to NAT everything with IPv6 (not likely)
More important things to consider - do you get a prefix for the entire company or do you get one prefix per site (what defines a site?)
Routing/security control
You must always implement filters/ACLs to block any packets going in or out of your network (at the Internet perimeter) that contain a SA/DA that is in the ULA range - today this is the only way the ULA scope can be enforced
Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
Generated ULA = fd9c:58ed:7d73::/48
* MAC address = 00:0D:9D:93:A0:C3 (Hewlett Packard)
* EUI-64 address = 020D9DFFFE93A0C3
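The ULA generation and perimeter rule described above, as an added Python example that is not part of the original slides: it follows the RFC 4193 procedure (SHA-1 over an NTP timestamp and the EUI-64, low 40 bits kept as the Global ID), derives the EUI-64 from the MAC address shown on the slide, and checks constructed sample flows for a SA or DA inside fc00::/7. Function names and the sample flows are assumptions made for illustration.

```python
"""Added example (not from the original deck): RFC 4193 ULA prefix
generation and a perimeter check for ULA source/destination addresses."""
import hashlib
import ipaddress
import struct
import time

ULA_RANGE = ipaddress.ip_network("fc00::/7")  # entire ULA block (RFC 4193)
NTP_UNIX_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE mid-address and flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Time of day as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    seconds = (int(unix_seconds) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_seconds % 1) * 2**32) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def generate_ula_prefix(mac: str, unix_seconds=None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over time || EUI-64, keep the low 40 bits."""
    if unix_seconds is None:
        unix_seconds = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_seconds) + mac_to_eui64(mac)).digest()
    global_id = digest[-5:]                   # least significant 40 bits
    packed = b"\xfd" + global_id + bytes(10)  # fd00::/8 (L bit = 1) + Global ID
    return ipaddress.IPv6Network((packed, 48))


def is_ula(address: str) -> bool:
    """True when the address falls anywhere inside fc00::/7."""
    return ipaddress.ip_address(address) in ULA_RANGE


def perimeter_verdict(src: str, dst: str) -> str:
    """Internet-edge policy from the slide: drop if SA or DA is in the ULA range."""
    return "drop" if is_ula(src) or is_ula(dst) else "forward"


# Constructed sample flows (source, destination) seen at the Internet edge.
SAMPLE_FLOWS = [
    ("2001:db8:cafe:2::d63", "2001:db8:ffff::10"),      # global to global
    ("fd9c:58ed:7d73:1002::d63", "2001:db8:ffff::10"),  # ULA source leaking out
    ("2001:db8:ffff::10", "fd9c:58ed:7d73:1002::d63"),  # ULA destination inbound
]


def leaked_flows(flows):
    """Flows the perimeter filter must drop."""
    return [flow for flow in flows if perimeter_verdict(*flow) == "drop"]


if __name__ == "__main__":
    print(mac_to_eui64("00:0D:9D:93:A0:C3").hex().upper())
    print(generate_ula_prefix("00:0D:9D:93:A0:C3"))
    for flow in SAMPLE_FLOWS:
        print(flow, perimeter_verdict(*flow))
```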
ULA-Only
[Figure: Internet; Corporate Backbone; Branch 1 FD9C:58ED:7D73:2800::/64; Branch 2 FD9C:58ED:7D73:3000::/64; FD9C:58ED:7D73::2::/64]
Everything internal runs the ULA space
A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the internet - must run filters to prevent any SA/DA in ULA range from being forwarded
Works as it does today with IPv4 except that today, there are no scalable NAT/Proxies for IPv6
Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
ULA + Global
Not Recommended
[Figure: Internet; Corporate Backbone; Corp HQ; Global - 2001:DB8:CAFE::/48; Branch 1 FD9C:58ED:7D73:2800::/64 and 2001:DB8:CAFE:2800::/64; Branch 2 FD9C:58ED:7D73:3000::/64 and 2001:DB8:CAFE:3000::/64]
Both ULA and Global are used internally except for internal-only hosts
Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
In theory, ULA talks to ULA and Global talks to Global - SAS "should" work this out
ULA-only and Global-only hosts can talk to one another internal to the network
Define a filter/policy that ensures your ULA prefix does not "leak" out onto the Internet and ensure that no traffic can come in or out that has a ULA prefix in the SA/DA fields
Management overhead for DHCP, DNS, routing, security, etc.
Considerations - ULA + Global
Use DHCPv6 for ULA and Global - apply different policies for both (lifetimes, options, etc.)
Check routability for both - can you reach an AD/DNS server regardless of which address you have?
Any policy using IPv6 addresses must be configured for the appropriate range (QoS, ACL, load-balancers, PBR, etc.)
If using SLAAC for both - Microsoft Windows allows you to enable/disable privacy extensions globally - this means you are either using them for both or not at all!!!
One option is to use SLAAC for the Global range and enable privacy extensions and then use DHCPv6 for ULA with another IID value (EUI-64, reserved/admin defined, etc.)
Temporary  Preferred  6d23h59m55s   23h59m55s    2001:db8:cafe:2:cd22:7629:f726:6a6b
Dhcp       Preferred  13d1h33m55s   6d1h33m55s   fd9c:58ed:7d73:1002:8828:723c:275e:846d
Other      Preferred  infinite      infinite     fe80::8828:723c:275e:846d%8
Unlike Global and link-local scopes, ULA is not automatically controlled at the appropriate boundary - you must prevent ULA prefix from going out or in at your perimeter
SAS behavior is OS dependent and there have been issues with it working reliably
interface Vlan2
 description ACCESS-DATA-2
 ipv6 address 2001:DB8:CAFE:2::D63/64
 ipv6 address FD9C:58ED:7D73:1002::D63/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
 ipv6 nd prefix FD9C:58ED:7D73:1002::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:11::9
[Figure: DHCPv6 Server 2001:DB8:CAFE:11::9; DHCPv6 Client; Network]
Global-Only
Recommended
[Figure: Internet; Corporate Backbone; Corp HQ 2001:DB8:CAFE:2::/64; Global - 2001:DB8:CAFE::/48; Branch 1 2001:DB8:CAFE:2800::/64; Branch 2 2001:DB8:CAFE:3000::/64]
Global is used everywhere
No issues with SAS
No requirements to have NAT for ULA-to-Global translation - but, NAT may be used for other purposes
Easier management of DHCP, DNS, security, etc.
Only downside is breaking the habit of believing that topology hiding is a good security method
Alternatively, use DHCP (see later) to a specific pool
Randomized addresses are generated for non-temporary autoconfigured addresses including public and link-local - used instead of EUI-64 addresses
Randomized addresses engage Optimistic DAD - likelihood of duplicate LL address is rare so RS can be sent before full DAD completion
Windows Vista/W7/2008 send RS while DAD is being performed to save time for interface initialization (read RFC4862 on why this

Recommended by RFC3177 and IAB/IESG
Consistency makes management easy
MUST for SLAAC (MSFT DHCPv6 also)
Significant address space loss (18.466 Quintillion)

< 64 bits
Enables more hosts per broadcast domain
Considered bad practice
64 bits offers more space for hosts than the media can support efficiently

> 64 bits
Address space conservation
Special cases:
  /126 - valid for p2p
  /127 - not valid for p2p (RFC3627)
  /128 - loopback
Complicates management
Must avoid overlap with specific addresses:
  Router Anycast (RFC3513)
  Embedded RP (RFC3956)
  ISATAP addresses
What happens to route filters? ACLs? - Nothing, unless you are blocking to/from the router itself
Stuff to think about:
Always use a RID
Some Cisco devices require "ipv6 enable" on the interface in order to generate and use a link-local address
Enable the IGP on each interface used for routing or that requires its prefix to be advertised

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::1/128
 ipv6 eigrp 10
!
interface Vlan200
 ipv6 address 2001:DB8:CAFE:200::1/64
 ipv6 eigrp 10
!
interface GigabitEthernet1/1
 ipv6 enable
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.1
 no shutdown

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001:DB8:CAFE:998::2/128
 ipv6 eigrp 10
!
interface GigabitEthernet3/4
 ipv6 eigrp 10
!
interface GigabitEthernet1/2
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.99.8.2
 no shutdown

IPv6-EIGRP neighbors for process 10
0   Link-local address: FE80::212:D9FF:FE92:DE77   Gi1/2
Interface-ID Selection
Network Devices
Reconnaissance for network devices - the search for something to attack
Use random 64-bit interface-IDs for network devices
2001:DB8:CAFE:2::1/64 - Common IID
2001:DB8:CAFE:2::9A43:BC5D/64 - Random IID
2001:DB8:CAFE:2::A001:1010/64 - Semi-random IID
DHCPv6
Updated version of DHCP for IPv4
Client detects the presence of routers on the link
If found, then examines router advertisements to determine if DHCP can or should be used
If no router found or if DHCP can be used, then
  Using the link-local address as the source address
  DHCP Solicit message is sent to the All-DHCP-Agents multicast address
DHCPv6 Operation
[Figure: message flow between Client, Relay and Server]
Client to Relay: Solicit
Relay to Server: Relay-Fwd w/Solicit
Server to Relay: Relay-Reply w/Advertise
Relay to Client: Advertise
Client to Relay: Request
Relay to Server: Relay-Fwd w/Request
Server to Relay: Relay-Reply w/Reply
Relay to Client: Reply
All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
All_DHCP_Servers (FF05::1:3)
DHCP Messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547
Stateful/Stateless DHCPv6
Stateful and stateless DHCPv6 server
Cisco Network Registrar: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/
interface FastEthernet0/1
 description CLIENT LINK
 ipv6 address 2001:DB8:CAFE:11::1/64
 ipv6 nd prefix 2001:DB8:CAFE:11::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
[Figure: DHCPv6 Server]
CNR/W2K8 - DHCPv6
Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
GLBP for v6
[Figure: GLBP AVG, AVF; GLBP AVF, SVF]
Modification to Neighbor Advertisement, Router Advertisement - GW is announced via RAs
Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
For rudimentary HA at the first hop
Hosts use NUD "reachable time" to cycle to next known default gateway (30s by default)
No longer needed
First-Hop Redundancy
When HSRP, GLBP and VRRP for IPv6 are not available, NUD can be used for rudimentary HA at the first hop (today this only applies to the Campus/DC - HSRP is available on routers)
(config-if)#ipv6 nd reachable-time 5000
Hosts use NUD "reachable time" to cycle to next known default gateway (30 seconds by default)
Can be combined with default router preference to determine primary gw:
(config-if)#ipv6 nd router-preference {high | medium | low}
Default Gateway . . . . . . . . . : 10.121.10.1
                                    fe80::211:bcff:fec0:d000%4
                                    fe80::211:bcff:fec0:c800%4
[Figure: Distribution Layer; To Core Layer]
HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
No HSRP IPv6 secondary address
No HSRP IPv6 specific debug
standby version 2
standby 1 ipv6 autoconfig
standby 1 preempt
standby 1 timers msec 250 msec 800
standby 1 preempt delay minimum 180
standby 1 track FastEthernet0/0
#route -A inet6 | grep ::/0 | grep eth2
::/0  fe80::5:73ff:fea0:1  UGDA  1024  0  0  eth2
Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
interface FastEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 cef
 glbp 1 ipv6 autoconfig
 glbp 1 timers msec 250 msec 750
 glbp 1 preempt delay minimum 180
 glbp 1 authentication md5 key-string cisco
PIM Group Modes: Sparse Mode, Bidirectional and Source Specific Multicast
RP Deployment: Static, Embedded
Host Multicast Control via MLD
MLD snooping
[Figure: ASM across a single shared PIM domain, one RP - Embedded-RP. Callouts: "Alert! I want GRP=A from RP=B"; "He is the RP"]
Additional support for IPv6 does not always require new Command Line Interface (CLI)
Example - WRED
IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1    4  000d.6084.2c7a  STALE  Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC   16  000d.6084.2c7a  STALE  Vl2
FE80::7DE5:E2B0:D4DF:97EC             16  000d.6084.2c7a  STALE  Vl2
Full internet route tables - ensure to account for TCAM/memory requirements for both IPv4/IPv6 - not all vendors can properly support both
Multiple routing protocols - IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present
Control plane impact when using tunnels - terminate ISATAP/configured tunnels in HW platforms when attempting large scale deployments (hundreds/thousands of tunnels)
Infrastructure Deployment
Start Here: Cisco IOS Software Release Specifics for IPv6 Features
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/ftipv6s.htm
Tunneling Services
IPv4 over IPv6
IPv6 over IPv4
Translation Services
IPv4
IPv6
Business Partners, Government Agencies, International Sites, Remote Workers, Internet consumers
http://www.cisco.com/univercd/cc/td/doc/solution/campipv6.pdf
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor2
Hybrid - Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
  Pro - Leverage existing gear and network design (traditional L2/L3 and routed access)
  Con - Tunnels (especially ISATAP) cause unnatural things to be done to infrastructure (like core acting as access layer) and ISATAP does not support IPv6 multicast
IPv6 Service Block - A new network block used for interim connectivity for IPv6 overlay network
  Pro - Separation, control and flexibility (still supports traditional L2/L3 and routed access)
  Con - Cost (more gear), does not fully leverage existing design, still have to plan for a real dual-stack deployment and ISATAP does not
Expect to run the same IGPs as with IPv4
VSS supports IPv6
[Figure: Access Layer (L2/L3, v6-Enabled); Distribution Layer (v6-Enabled); Core Layer (v6-Enabled); Dual Stack]
Catalyst 3560/3750 - In order to enable IPv6 functionality the proper SDM template needs to be defined ( http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225 )
Switch(config)#sdm prefer dual-ipv4-and-ipv6 default
If using a traditional Layer-2 access design, the only thing that needs to be enabled on the access switch (management/security discussed later) is MLD snooping:
Switch(config)#ipv6 mld snooping
3560/3750 non-E series cannot support both HSRP for IPv4 and HSRP for IPv6 on the same interface http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/softwar
interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::A001:1010/64
 ipv6 nd reachable-time 5000
 ipv6 nd router-preference high
 no ipv6 redirects
 ipv6 ospf 1 area 1
!
ipv6 router ospf 1
 auto-cost reference-bandwidth 10000
 router-id 10.122.0.25
 log-adjacency-changes
 area 2 range 2001:DB8:CAFE:xxxx::/xx
 timers spf 1 5

interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
 ipv6 ospf 1 area 2
 ipv6 cef
!
ipv6 router ospf 1
 router-id 10.120.2.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 2 stub no-summary
 passive-interface Vlan2
 timers spf 1 5
ISATAP - Host-to-L3
Leverages existing network
Offers natural progression to full dual-stack design
May require tunneling to less-than-optimal layers (i.e. core layer)
ISATAP creates a flat network (all hosts on same tunnel are peers)
Create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)
[Figure: Access Layer (L2/L3, NOT v6-Enabled); ISATAP tunnels; Distribution Layer (NOT v6-Enabled); Core Layer (v6-Enabled); Dual Stack]
In the presented design the static configuration option is used to ensure each host is associated with the correct ISATAP tunnel
Can conditionally set the ISATAP router per host based on subnet, userid, department and possibly other parameters such as role
ISATAP tunnels from PCs in access layer to core switches
Redundant tunnels to core or service block
Use IGP to prefer one core switch over another (both v4 and v6 routes) - deterministic
Preference is important due to the requirement to have traffic (IPv4/IPv6) route to the same interface (tunnel) where host is terminated on - Windows XP/2003
Works like Anycast-RP with IPmc
[Figure: Access Layer; Distribution Layer (NOT v6-Enabled); Core Layer (v6-Enabled); Aggregation Layer (DC); Access Layer (DC); Dual Stack; IPv6 Server; Primary ISATAP Tunnel; Secondary ISATAP Tunnel]
interface Tunnel2
 ipv6 address 2001:DB8:CAFE:2::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback2
 tunnel mode ipv6ip isatap
!
interface Tunnel3
 ipv6 address 2001:DB8:CAFE:3::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 ospf 1 area 2
 ipv6 ospf cost 10
 tunnel source Loopback3
 tunnel mode ipv6ip isatap
!
interface Loopback2
 ip address 10.122.10.102 255.255.255.255
 delay 1000
!
interface Loopback3
 ip address 10.122.10.103 255.255.255.255
 delay 1000
To influence IPv4 routing to prefer one ISATAP tunnel source over another - alter delay/cost or mask length
Lower timers (timers spf, hello/hold, dead) to reduce convergence times
Use recommended summarization and/or use of stubs to reduce routes and convergence times
Set RID to ensure redundant loopback addresses do not cause duplicate RID issues
IPv4 - EIGRP
router eigrp 10
 eigrp router-id 10.122.10.3
IPv6 - OSPFv3
[Figure: acc-1, VLAN 2 10.120.2.0/24; Loopback 2 - 10.122.10.102 used as PRIMARY ISATAP tunnel source; Loopback 2 - 10.122.10.102 used as SECONDARY ISATAP tunnel source]
ip route | b 10.122.10.102/32
After Failure
dist-1#show ip route | b 10.122.10.102/32
D    10.122.10.102/32 [90/258816] via 10.122.0.49, 00:00:08, GigabitEthernet1/0/28
10.120.3.101
Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:3:0:5efe:10.120.3.101
   IP Address. . . . . . . . . . . . : fe80::5efe:10.120.3.101%2
   Default Gateway . . . . . . . . . : fe80::5efe:10.122.10.103%2
interface GigabitEthernet1/1
 ipv6 address 2001:DB8:CAFE:13::4/127
 ipv6 eigrp 10
 ipv6 cef
!
interface Loopback3
 ip address 172.16.1.1 255.255.255.252
1) Leverage existing ISP block for both IPv4 and IPv6 access
2) Use dedicated ISP connection just for IPv6 - can use IOS FW or PIX/ASA appliance
[Figure: Access Block; Data Center Block; WAN/ISP Block; Internet; ISATAP; Primary ISATAP Tunnel; Secondary ISATAP Tunnel]
1. Same policy design as Hybrid Model - The first place to implement classification and marking from the access layer is after decapsulation (ISATAP) which is on the egress interfaces on the service block switches
2. IPv6 packets received from ISATAP interfaces will have egress policies (classification/marking) applied on the configured tunnel interfaces
3. Aggregation/access switches can apply egress/ingress policies (trust, policing, queuing) to IPv6 packets headed for DC services
[Figure: Access Block; Distribution Layer; Core Layer; Aggregation Layer (DC); Access Layer (DC); IPv6/IPv4 Dual-stack Server; Service Block; Configured Tunnels; Traffic Flow]
Convergence for do6nstream Convergence for -ms/ Recovery -ms/ Server to Client >D>UD>) >=BU+)6+ AvgO Server to Client ;;> =)= upstream do6nstream * *U>> * ++U;>
Virtualization "should" make DCs simpler and more flexible
Lack of robust DC/Application management is often the root cause of all evil
Ensure management systems support IPv6 as well as the devices being managed
Data Centers
Virtualized DC Solutions
[Figure: DC Core (Nexus 7000); DC Aggregation (Cisco Catalyst 6500 VSS, Nexus 7000, 10GbE DC Services, ACE/ASA/WAAS DC Services); DC Access (Cisco Catalyst 6500, Cisco Catalyst 49xx, Nexus 7000, Nexus 5000, Nexus 2000, Nexus 1000v, MDS 9500, Unified Computing System); DC SAN (MDS 9500). Callout: "What about the apps?" Legend: Gigabit Ethernet; 10 Gigabit Ethernet; 10 Gigabit DCB; 4Gb Fibre Channel; 10 Gigabit FCoE/DCB]
[Figure: four switches joined by a trunk; VLAN 103 and VLAN 203 with "Permit 0x86dd"; VLAN 10 IPv4 server; VLAN 11 IPv6 server]
PortProxy
Offered in Microsoft Windows (XP, 2003, Vista/W7, 2008)
Basically, it is protocol and port forwarding
Allows v4-to-v6, v6-to-v6 and v6-to-v4
Load is CPU bound
Very simple to configure (on a per host basis or as an appliance)
IVI
draft-xli-behave-ivi-01.txt
Prefix-specific and Stateless Address Mapping
"IV"=4, "VI"=6
Based on Roman numerals
IVI is good at what translators do but it is just as bad with what translators
Outside traffic comes in on IPv6 - PortProxy to v4 (VIP address on ACE)
Traffic is IPv4 to server
PortProxy Configuration/Monitoring
netsh interface portproxy>sh all

Listen on ipv6:              Connect to ipv4:

Address               Port   Address          Port
--------------- ----------   --------------- ----------
2001:db8:cafe:12::25  80     10.121.5.20      80

Active Connections
  Proto  Local Address        Foreign Address    State
  TCP    10.121.12.25:58141   10.121.5.20:http   ESTABLISHED

conn-id  state
14       ESTAB
13       ESTAB
PortProxy Performance
Throughput Example
[Figure: HTTP Throughput Comparison - Direct vs. PortProxy; y-axis: Throughput (Mbps), 0 to 10]
ICMPv6 (RFC 2463)
Neighbor Discovery (RFC 2461)
Stateless Auto-configuration
VRRP for IPv6 for application redundancy (IETF Draft)
Telnet, TFTP, FTP, SCP, DNS Resolver, HTTP, Ping, Traceroute, SSH
Cisco IP, IP-Forwarding and VRRP MIBs
SNMP over IPv6
Security
SAN
Applications
IP Storage - iSCSI, ISNS, and FCIP
Zone Server, FC Name Server
IPv6 over FC
Other modules - e.g. NTP, fc-tunnel etc.
[Figure: 2001:db8:cafe:10::14; MDS-2]
Same configuration requirements and operation as with IPv4
Can use automatic preemption - configure VR address to be the same as physical interface of "primary"
Host-side HA uses NIC teaming (see slides for NIC teaming)
SAN-OS 3.2 will support iSCSI with IPsec
interface GigabitEthernet2/1
 ipv6 address 2001:db8:cafe:12::5/64
 no shutdown
 vrrp ipv6 1
  address 2001:db8:cafe:12::5
  no shutdown

mds-1# show vrrp ipv6 vr 1
Interface  VR  IpVersion  Pri  Time   Pre  State
               VR IP addr
------------------------------------------------------------------
GigE2/1    1   IPv6       255  100cs       master
               2001:db8:cafe:12::5

mds-2# show vrrp ipv6 vr 1
Interface  VR  IpVersion  Pri  Time   Pre  State
               VR IP addr
------------------------------------------------------------------
GigE2/1    1   IPv6       100  100cs       backup
               2001:db8:cafe:12::5
interface GigabitEthernet2/1
 ipv6 address 2001:db8:cafe:12::5/64

mds9216-1# show fcns database vsan 1
VSAN 1:
--------------------------------------------------------------------
FCID      TYPE  PWWN
--------------------------------------------------------------------
0x670400  N     21:00:00:10:86:10:46:9c
0x670405  N     24:01:00:0d:ec:24:7c:42 (Cisco)
SAN-OS 3.x - FCIP(v6)
[Figure: Central Site; Remote Sites; IPv6 Network]
fcip profile 100
 ip address 2001:db8:cafe:50::1
 tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
 use-profile 100
 peer-info ipaddr 2001:db8:cafe:50::2
!
interface GigabitEthernet2/2
 ipv6 address 2001:db8:cafe:50::1/64

fcip profile 100
 ip address 2001:db8:cafe:50::2
 tcp max-bandwidth-mbps 800 min-available-bandwidth-mbps 500 round-trip-time-us 84
!
interface fcip100
 use-profile 100
 peer-info ipaddr 2001:db8:cafe:50::1
!
interface GigabitEthernet2/2
 ipv6 address 2001:db8:cafe:50::2/64
Data Center
NIC Teaming Issue
Auto-configuration
Interface 10: Local Area Connection #VIRTUAL TEAM INTERFACE
Addr Type  DAD State  Valid Life     Pref. Life     Address
---------  ---------  ------------   ------------   -----------------------------
Public     Preferred  29d23h58m41s

Static configuration
netsh interface ipv6> add address "Local Area Connection" 2001:db8:cafe:10::7
Ok.
netsh interface ipv6>sh add
Querying active state...
Interface 10: Local Area Connection
Addr Type  DAD State  Valid Life     Pref. Life     Address
---------  ---------  ------------   ------------   -----------------------------
Manual     Duplicate  infinite       infinite       2001:db8:cafe:10::7
Public     Preferred  29d23h59m21s   6d23h59m21s    2001:db8:cafe:10:20d:9dff:fe93:b25d
Intel ANS
Intel IPv6 NIC Q&A - Product support: http://www.intel.com/support/network/sb/cs-009090.htm
Intel now supports IPv6 with Express, ALB, and AFT deployments
Intel statement of support for RLB - "Receive Load Balancing (RLB) is not supported on IPv6 network connections. If a team has a mix of IPv4 and IPv6 connections, RLB will work on the IPv4 connections but not on the IPv6 connections. All other teaming features will work on the IPv6 connections."
NICs
Main issue for NICs with no IPv6 teaming support is DAD - causes duplicate checks on Team and Physical even though the physical is not used for addressing
Set DAD on Team interface to "0" - understand what you are doing
Microsoft Vista/W7/Server 2008 allows for a command line change to reduce the "DAD transmits" value from 1 to 0
netsh interface ipv6 set interface 19 dadtransmits=0
Linux
# sysctl -w net/ipv6/conf/bond0/dad_transmits=0
net.ipv6.conf.eth0.dad_transmits = 0
Intel
   Autoconfiguration IP Address. . . : 169.254.25.192
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d7%11
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%11

   IP Address. . . . . . . . . . . . : 10.89.4.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%12
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%12

Ethernet adapter TEAM-1:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.89.4.230
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2001:db8:cafe:1::2
   IP Address. . . . . . . . . . . . : fe80::204:23ff:fec7:b0d6%13
   Default Gateway . . . . . . . . . : fe80::212:d9ff:fe92:de76%13

Interface 13: TEAM-1
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  -------
Public     Preferred  4m11s
Link       Preferred  infinite
31: ; Sconte&tJ
Today, IPv6 inspection is supported in the routed firewall mode. Transparent mode can allow IPv6 traffic to be bridged (no inspection)
WAN/Branch
WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time
Dual-stack should be the focus of your implementation - but, some situations still call for tunneling
Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Don't assume all features for every technology are IPv6-enabled
[Figure: Corporate Network; SP Cloud; Dual Stack]
[Figure: three branch profiles connecting to HQ over Internet, Frame and MPLS]
Dual-Stack
IPSec VPN (IPv4/IPv6)
IOS Firewall (IPv4/IPv6)
Integrated Switch (MLD-snooping)

Dual-Stack
IPSec VPN or Frame Relay
IOS Firewall (IPv4/IPv6)
Switches (MLD-snooping)

Dual-Stack
IPSec VPN or MPLS (6PE/6VPE)
Firewall (IPv4/IPv6)
Switches (MLD-snooping)
Single-Tier Profile
Totally integrated solution - Branch router and integrated EtherSwitch module - IOS FW and VPN for IPv6 and IPv4
When SP does not offer IPv6 services, use IPv4 IPSec VPNs for manually configured tunnels (IPv6-in-IPv4) or DMVPN for IPv6
When SP does offer IPv6 services, use IPv6 IPSec VPNs (latest AIM/VAM supports IPv6 IPSec)
[Figure: Single-Tier Branch; Headquarters; WAN; T1; ADSL. Legend: Primary DMVPN Tunnel (IPv4); Secondary DMVPN Tunnel (IPv4); Primary IPSec-protected configured tunnel (IPv6-in-IPv4); Secondary IPSec-protected configured tunnel (IPv6-in-IPv4)]
Single-Tier Profile
Branch Router
ipv6 unicast-routing
ipv6 multicast-routing
ipv6 cef
!
ipv6 dhcp pool DATA_VISTA
 address prefix 2001:DB8:CAFE:1100::/64
 dns-server 2001:DB8:CAFE:10:20D:9DFF:FE93:B25D
 domain-name cisco.com
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:CAFE:1100::BAD1:A001/64
 ipv6 nd prefix 2001:DB8:CAFE:1100::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 dhcp server DATA_VISTA

EtherSwitch Module
ipv6 mld snooping
!
interface Vlan100
 description VLAN100 for PCs and Switch management
 ipv6 address 2001:DB8:CAFE:1100::BAD2:F126/64
Single-Tier Profile
IPSec Configuration - 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key CISCO address 172.17.1.3
crypto isakmp key SYSTEMS address 172.17.1.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set HE1 esp-3des esp-sha-hmac
crypto ipsec transform-set HE2 esp-3des esp-sha-hmac
!
crypto map IPv6-HE1 local-address Serial0/0/0
crypto map IPv6-HE1 1 ipsec-isakmp
 set peer 172.17.1.3
 set transform-set HE1
 match address VPN-TO-HE1
!
crypto map IPv6-HE2 local-address Loopback0
crypto map IPv6-HE2 1 ipsec-isakmp
 set peer 172.17.1.4
 set transform-set HE2
 match address VPN-TO-HE2
[Figure: Branch; Internet; Headquarters; Primary; Secondary]
Single-Tier Profile
IPSec Configuration - 2
interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 address 2001:DB8:CAFE:1261::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 172.17.1.3
 tunnel mode ipv6ip
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 address 2001:DB8:CAFE:1271::BAD1:A001/64
 ipv6 mtu 1400
 tunnel source Loopback0
 tunnel destination 172.17.1.4
 tunnel mode ipv6ip
!
interface Serial0/0/0
 description to T1 Link Provider (PRIMARY)
 crypto map IPv6-HE1
!
interface Dialer1
 description PPPoE to BB provider
 crypto map IPv6-HE2
!
ip access-list extended VPN-TO-HE1
 permit 41 host 172.16.1.2 host 172.17.1.3
ip access-list extended VPN-TO-HE2
 permit 41 host 10.124.100.1 host 172.17.1.4
Adjust delay to prefer Tunnel3
Adjust MTU to avoid fragmentation on router (PMTUD on client will not account for IPSec/Tunnel overhead)
Permit "41" (IPv6) instead of "gre"
Single-Tier Profile
Routing
ipv6 unicast-routing
ipv6 cef
!
key chain ESE
 key 1
  key-string 7 111B180B101719
!
interface Tunnel3
 description IPv6 tunnel to HQ Head-end 1
 delay 500
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 5
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
!
interface Tunnel4
 description IPv6 tunnel to HQ Head-end 2
 delay 2000
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 5
 ipv6 authentication key-chain eigrp 10 ESE
!
interface Loopback0
 ipv6 eigrp 10
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 router-id 10.124.100.1
 stub connected summary
 no shutdown
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.200
 passive-interface GigabitEthernet1/0.300
 passive-interface Loopback0

EtherSwitch Module
ipv6 route ::/0 Vlan100 FE80::217:94FF:FE90:2829
Single-Tier Profile
Security - 1
ipv6 inspect name v6FW tcp
ipv6 inspect name v6FW icmp
ipv6 inspect name v6FW ftp
ipv6 inspect name v6FW udp
!
interface Tunnel3
 ipv6 traffic-filter INET-WAN-v6 in
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 inspect v6FW out
 ipv6 virtual-reassembly
!
interface GigabitEthernet1/0.100
 ipv6 traffic-filter DATA_LAN-v6 in
!
line vty 0 4
 ipv6 access-class MGMT-IN in

Callouts, in slide order:
ACL used by IOS FW for dynamic entries
Apply firewall inspection for egress traffic
Used by firewall to create dynamic ACLs and protect against various fragmentation attacks
Apply LAN ACL (next slide)
ACL used to restrict management access
Single-Tier Profile
Security - 2
Sample Only
ipv6 access-list MGMT-IN
 remark permit mgmt only to loopback
 permit tcp 2001:DB8:CAFE::/48 host 2001:DB8:CAFE:1000::BAD1:A001
 deny ipv6 any any log-input
!
ipv6 access-list DATA_LAN-v6
 remark PERMIT ICMPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit icmp 2001:DB8:CAFE:1100::/64 any
 remark PERMIT IPv6 PACKETS FROM HOSTS WITH PREFIX CAFE:1100::/64
 permit ipv6 2001:DB8:CAFE:1100::/64 any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED BY HOSTS USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT DHCPv6 ALL-DHCP-AGENTS REQUESTS FROM HOSTS
 permit udp any eq 546 any eq 547
 remark DENY ALL OTHER IPv6 PACKETS AND LOG
 deny ipv6 any any log-input
Single-Tier Profile
Security - 3
Sample Only
ipv6 access-list INET-WAN-v6
 remark PERMIT EIGRP for IPv6
 permit 88 any any
 remark PERMIT PIM for IPv6
 permit 103 any any
 remark PERMIT ALL ICMPv6 PACKETS SOURCED USING THE LINK-LOCAL PREFIX
 permit icmp FE80::/10 any
 remark PERMIT SSH TO LOCAL LOOPBACK
 permit tcp any host 2001:DB8:CAFE:1000::BAD1:A001 eq 22
 remark PERMIT ALL ICMPv6 PACKETS TO LOCAL LOOPBACK,VPN tunnels,VLANs
 permit icmp any host 2001:DB8:CAFE:1000::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1261::BAD1:A001
 permit icmp any host 2001:DB8:CAFE:1271::BAD1:A001
 permit icmp any 2001:DB8:CAFE:1100::/64
 permit icmp any 2001:DB8:CAFE:1200::/64
 permit icmp any 2001:DB8:CAFE:1300::/64
 remark PERMIT ALL IPv6 PACKETS TO VLANs
 permit ipv6 any 2001:DB8:CAFE:1100::/64
 permit ipv6 any 2001:DB8:CAFE:1200::/64
 permit ipv6 any 2001:DB8:CAFE:1300::/64
 deny ipv6 any any log
Single-Tier Profile
QoS
class-map match-any BRANCH-TRANSACTIONAL-DATA
 match protocol citrix
 match protocol ldap
 match protocol sqlnet
 match protocol http url "*cisco.com"
 match access-group name BRANCH-TRANSACTIONAL-V6
!
policy-map BRANCH-WAN-EDGE
 class TRANSACTIONAL-DATA
  bandwidth percent 12
  random-detect dscp-based
!
policy-map BRANCH-LAN-EDGE-IN
 class BRANCH-TRANSACTIONAL-DATA
  set dscp af21
!
ipv6 access-list BRANCH-TRANSACTIONAL-V6
 remark Microsoft RDP traffic-mark dscp af21
 permit tcp any any eq 3389
 permit udp any any eq 3389
!
interface GigabitEthernet1/0.100
 description DATA VLAN for Computers
 service-policy input BRANCH-LAN-EDGE-IN
!
interface Serial0/0/0
 description to T1 Link Provider
 max-reserved-bandwidth 100
 service-policy output BRANCH-WAN-EDGE

Some features of QoS do not yet support IPv6
NBAR is used for IPv4, but ACLs must be used for IPv6 (until NBAR supports IPv6)
Match/Set v4/v6 packets in same policy
Dual-Tier Profile
Redundant set of branch routers; separate branch switch (multiple switches can use StackWise technology)
Can be dual-stack if using Frame Relay or other L2 WAN type
[Figure: Dual-Tier Branch connected over the WAN to Headquarters]
Dual-Tier Profile
Configuration

Branch Router 1
interface Serial0/1/0.17 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1262::BAD1:1010/64
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 5
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
 frame-relay interface-dlci 17
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1010/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_VISTA
 ipv6 eigrp 10
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 priority 120
 standby 201 preempt delay minimum
 standby 201 authentication ese

Branch Router 2
interface Serial0/2/0.18 point-to-point
 description TO FRAME-RELAY PROVIDER
 ipv6 address 2001:DB8:CAFE:1272::BAD1:1020/64
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 5
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 ESE
 frame-relay interface-dlci 18
  class QOS-BR2-MAP
!
interface FastEthernet0/0.100
 ipv6 address 2001:DB8:CAFE:2100::BAD1:1020/64
 ipv6 traffic-filter DATA_LAN-v6 in
 ipv6 nd other-config-flag
 ipv6 eigrp 10
 standby version 2
 standby 201 ipv6 autoconfig
 standby 201 preempt 0
 standby 201 authentication ese
Multi-Tier Profile
All branch elements are redundant and separate
 WAN tier: WAN connections can be anything (frame/IPSec); MPLS shown here
 Firewall tier: redundant ASA firewalls
 Access tier: internal services routers (like a campus distribution layer)
 LAN tier: access switches (like a campus access layer)
Dual-stack is used on every tier if SP provides IPv6 services via MPLS. If not, tunnels can be used from WAN tier to HQ site
[Figure: Multi-Tier Branch with LAN Tier, Access Tier, Firewall Tier and WAN Tier, connected over the WAN to Headquarters; legend IPv4, IPv6]
Headquarters
[Figure: branch routers BR1-1 and BR1-2 and switch BR1-LAN-SW connected over the WAN to head-ends HE1 and HE2]
Primary DMVPN Tunnel: 2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed): 2001:DB8:CAFE:20B::/64
2001:DB8:CAFE:202::/64
VLAN Interfaces:
 104 - 2001:DB8:CAFE:1004::/64 - PC
 105 - 2001:DB8:CAFE:1005::/64 - Voice
 106 - 2001:DB8:CAFE:1006::/64 - Printer
DMVPN with IPv6
 encr aes 256
interface Tunnel0
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 5
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile HUB
[Figure: BR1-1 and BR1-2 connected over the WAN to HE1 and HE2]
Branch LAN
Connecting Hosts
ipv6 dhcp pool DATA_W7
 dns-server 2001:DB8:CAFE:102::8
 domain-name cisco.com
!
interface GigabitEthernet0/0
 description to BR1-LAN-SW
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.104
 description VLAN-PC
 encapsulation dot1Q 104
 ip address 10.124.104.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1004::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server DATA_W7
 ipv6 eigrp 10
!
interface GigabitEthernet0/0.105
 description VLAN-PHONE
 encapsulation dot1Q 105
 ip address 10.124.105.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:1005::1/64
 ipv6 nd prefix 2001:DB8:CAFE:1005::/64 0 0 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:102::9
 ipv6 eigrp 10
[Figure: BR1-LAN and BR1-LAN-SW]
VLAN Interfaces:
 104 - 2001:DB8:CAFE:1004::/64 - PC
 105 - 2001:DB8:CAFE:1005::/64 - Voice
 106 - 2001:DB8:CAFE:1006::/64 - Printer
Remote Access

Cisco Remote VPN - IPv6
Client-based IPsec VPN
Client-based SSL
[Figure: remote clients connecting across the Internet]
AnyConnect 2.x - SSL VPN
asa-edge-1#show vpn-sessiondb svc
Session Type: SVC
Username      : ciscoese
Index         :
Assigned IP   : 10.123.2.200
Public IP     : 10.124.2.18
Assigned IPv6 : 2001:db8:cafe:101::101
Protocol      : Clientless SSL-Tunnel DTLS-Tunnel
License       : SSL VPN
Encryption    : RC4 AES128
Hashing       :
Bytes Tx      : 79763
Bytes Rx      :
Group Policy  : AnyGrpPolicy
Tunnel Group  :
Login Time    : 14:09:25 MST Mon Dec 17 2007
Duration      : 0h:47m:48s
NAC Result    : Unknown
VLAN Mapping  : N/A
VLAN          : 14
none
[Figure: Cisco ASA with Outside and Inside interfaces; 2001:db8:cafe:101::ffff; IPv4 Link]
http://www.cisco.com/en/US/docs/security/vpn_client/a
Considerations
Cisco IOS® version supporting IPv6 configured/ISATAP tunnels
 Configured: 12.3(1)M/12.3(2)T/12.2(14)S and above (12.4M/12.4T)
 ISATAP: 12.3(1)M, 12.3(2)T, 12.2(14)S and above (12.4M/12.4T)
 Catalyst® 6500 with Sup720/32: 12.2(17a)SX1, HW forwarding
Attacker can come in IPv6 interface and jump on the IPv4 interface (encrypted to enterprise)
 DENY packets from one interface
Remember that the IPv6 tunneled traffic is still encapsulated as a tunnel when it leaves the VPN device
Allow IPv6 tunneled traffic across access lists (Protocol 41)
Does It Work?
[Figure: Windows XP Client, VPN 3000, Catalyst 6500/Sup 720 Dual-Stack]
Interface 2: Automatic Tunneling Pseudo-Interface
Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  -----------------------------
Public     Preferred   29d23h56m5s   6d23h56m5s    2001:db8:c003:1101:0:5efe:10.1.99.102
Link       Preferred   infinite      infinite      fe80::5efe:10.1.99.102
Met --- 9 1
Idx -- 2 2
Provider Considerations

Port-to-Port Access
Multi-Homing
Content
Provisioning
[Figure labels: Staff Training and Operations; Roll-out Releases and Planning; Dual-Stack; Routing Protocols; Instrumentation]
Conclusion
"Dual stack where you can, tunnel where you must"
Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
Microsoft Windows Vista, 7 and Server 2008 will have IPv6 enabled by default; understand what impact any OS has on the network
Deploy it, at least in a lab. IPv6 won't bite
Things to consider:
 Focus on what you must have in the near-term (lower your expectations) but pound your vendors and others to support your long-term goals
 Don't be too late to the party: anything done in a panic is likely going to go badly

Appendix Slides
For Reference Only
Become familiar with Teredo: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.m
ANY application built on the Peer-to-Peer Framework REQUIRES IPv6 and will NOT function over IPv4 - http://www.microsoft.com/technet/network/p2p/default.mspx

Host: ese-vista1, fe80::80aa:fd5:f7ae:4361
Unspecified address :: / Solicited node address NS/DAD
Looking for a local router: ff02::2 RS
Looking for MLD enabled routers: ff02::16 MLDv2 report
LLMNR for IPv6: ff02::1:3, advertise hostname
LLMNR for IPv4: 224.0.0.252 from RFC 3927 address
No global or ULA received via step 1/2: Try ISATAP
Try
Try DHCP for IPv6: ff02::1:2
DHCP for IPv4
IPv4 Network - No IPv6 Network Services
[Figure: IPv4-only Router between ese-vista-1 (10.120.2.2) and ese-vista-2 (10.120.3.2); callouts: ISATAP??, Teredo??, Some Apps Break]
No.  Time        Source      Destination  Protocol  Info
13   8.813509    10.120.2.1  10.120.2.2   DHCP      DHCP ACK - Transaction ID 0x2b8af443
  .... Bootstrap Protocol
  ... Your (client) IP address: 10.120.2.2 (10.120.2.2)
  ... Option: (t=3,l=4) Router = 10.120.2.1
      Option: (t=6,l=4) Domain Name Server = 10.121.11.4
      Option: (t=15,l=9) Domain Name = "cisco.com"
No.  Time        Source      Destination  Protocol  Info
60   13.360656   10.120.2.2  10.121.11.4  DNS       Standard query A isatap.cisco.com
No.  Time        Source      Destination  Protocol  Info
138  25.362181   10.120.2.2  10.121.11.4  DNS       Standard query A teredo.ipv6.microsoft.com
No.  Time        Source      Destination  Protocol  Info
580  296.686196  10.120.2.2  10.120.3.2   TCP       49211 > epmap [SYN] Seq=0 Len=0 MSS=1460 WS=8
581  296.686621  10.120.3.2  10.120.2.2   TCP       epmap > 49211 [SYN, ACK] Seq=0 Ack=1 Win=2097152
582  296.686694  10.120.2.2  10.120.3.2   TCP       49211 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
583  296.686913  10.120.2.2  10.120.3.2   DCERPC    Bind: call_id: 1, 2 context items, 1st IOXIDResolver V0.0
What Is Teredo?
RFC4380
Tunnel IPv6 through NATs (NAT types defined in RFC3489)
 Full Cone NATs (aka one-to-one): Supported by Teredo
 Restricted NATs: Supported by Teredo
 Symmetric NATs: Supported by Teredo with Vista/W7/Server 2008 if only one Teredo client is behind a Symmetric NAT
Uses UDP port 3544
Is complex: many sequences for communication and has several attack vectors
Available on:
 Microsoft Windows XP SP1 w/Advanced Networking Pack
 Microsoft Windows Server 2003 SP1
 Microsoft Windows Vista/W7 (enabled by default, inactive until application requires it)
 Microsoft Server 2008
 http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
 Linux, BSD and Mac OS X: "Miredo"
 http://www.simphalempin.com/dev/miredo/

Teredo Components
Teredo Client: Dual-stack node that supports Teredo tunneling to other Teredo clients or IPv6 nodes (via a relay)
Teredo Server: Dual-stack node connected to IPv4 Internet and IPv6 Internet. Assists in addressing of Teredo clients and initial communication between clients and/or IPv6-only hosts. Listens on UDP port 3544
Teredo Relay: Dual-stack router that forwards packets between Teredo clients and IPv6-only hosts
Teredo Host-Specific Relay: Dual-stack node that is connected to IPv4 Internet and IPv6 Internet and can communicate with Teredo Clients without the need for a Teredo Relay
Teredo Overview
[Figure: Teredo clients behind NATs on the IPv4 Internet; Teredo server, Teredo relay and Teredo host-specific relay reach the IPv6 Internet and an IPv6-only host. Legend: IPv6 or IPv6 over IPv4 traffic; IPv6 over IPv4 traffic; IPv6 traffic]
*From Microsoft "Teredo Overview" paper

Teredo Address
32 bits       | 32 bits                    | 16 bits | 16 bits                  | 32 bits
Teredo prefix | Teredo Server IPv4 address | Flags   | Obfuscated External Port | Obfuscated External Address

Teredo IPv6 prefix (2001::/32; previously was 3FFE:831F::/32)
Teredo Server IPv4 address: global address of the server
Flags: defines NAT type (e.g. Cone NAT)
Obfuscated External Port: UDP port number to be used with the IPv4 address
Obfuscated External Address: contains the global address of the NAT
[Figure: Teredo Client behind a NAT on the IPv4 Internet exchanging numbered messages with Teredo Server 1 and Teredo Server 2]
Teredo client address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
Fields: Teredo Prefix | Teredo Server v4 | Flags | Ext. UDP Port | External v4 address

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : probe(cone)
Type                    : teredo client
Network                 : unmanaged
NAT                     : cone

netsh interface ipv6>sh teredo
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : qualified
Type                    : teredo client
Network                 : unmanaged
NAT                     : restricted

Send RS Cone Flag=1 (Cone NAT), every 4 seconds
If no reply, send Flag=0 (restricted NAT)
Receive RA with Origin header and prefix
Send RS to 2nd server to check for symmetric NAT
Compare 2nd RA: Origin port/address from 2nd server
DNS lookup
Response
ICMP to host via Teredo Server
Relay sends Bubble packet to client via server; client receives relay address-port
Packets to/from IPv6 host and client traverse relay

No.  Time        Source                             Destination                          Protocol  Info
96   148.960606  2001:0:4136:e37e:0:fbaa:b97e:fe4e  2001:200:0:8002:203:47ff:fea5:3085   ICMPv6    Echo request
  Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 65.54.227.126 (65.54.227.126)
  User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
No.  Time        Source                             Destination                          Protocol  Info
97   149.405569  fe80::8000:5445:5245:444f          2001:0:4136:e37e:0:fbaa:b97e:fe4e    IPv6      IPv6 no next header
  Internet Protocol, Src: 65.54.227.126 (65.54.227.126), Dst: 172.16.1.103 (172.16.1.103)
  Teredo IPv6 over UDP tunneling
    Teredo Origin Indication header
      Origin UDP port: 50206
      Origin IPv4 address: 66.117.47.227 (66.117.47.227)
No.  Time        Source         Destination    Protocol  Info
98   149.405916  172.16.1.103   66.117.47.227  UDP       Source port: 1109   Destination port: 50206
99   149.463619  66.117.47.227  172.16.1.103   UDP       Source port: 50206  Destination port: 1109
100  149.464100  172.16.1.103   66.117.47.227  UDP       Source port: 1109   Destination port: 50206
101  149.689493  66.117.47.227  172.16.1.103   UDP       Source port: 50206  Destination port: 1109
...
According to MSFT, if Teredo is the only IPv6 path, AAAA query should not be sent; being researched: http://msdn2.microsoft.com/en-us/library/aa965910.aspx

C:\>ping www.kame.net
Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=829ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=453ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=288ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=438ms
Maintaining NAT Mapping
Every 30 seconds (adjustable) clients send a single bubble packet to Teredo server to refresh NAT state
Bubble packet = Used to create and maintain NAT mapping and consists of an IPv6 header with no IPv6 payload (Payload 59: No next header)

No.  Time       Source                             Destination  Protocol  Info
35   46.399062  2001:0:4136:e37e:0:fbaa:b97e:fe4e  ff02::1      IPv6      IPv6 no next header
Frame 35 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src: Foxconn_2d:a1:4e (00:15:58:2d:a1:4e), Dst: 01:00:5e:00:00:fd (01:00:5e:00:00:fd)
Internet Protocol, Src: 172.16.1.103 (172.16.1.103), Dst: 224.0.0.253 (224.0.0.253)
User Datagram Protocol, Src Port: 1109 (1109), Dst Port: 3544 (3544)
Teredo IPv6 over UDP tunneling
Internet Protocol Version 6
  Version: 6
  Traffic class: 0x00
  Flowlabel: 0x00000
  Payload length: 0
  Next header: IPv6 no next header (0x3b)
  Hop limit: 21
  Source address: 2001:0:4136:e37e:0:fbaa:b97e:fe4e
  Destination address: ff02::1
[Figure: ISATAP address format, ending in the 32-bit IPv4 Address]
ISATAP is used to tunnel over IPv4 within an administrative domain (a site) to create a virtual IPv6 network over an IPv4 network
Supported in Windows XP Pro SP1 and others

ICMPv6 Type 133 (RS)
 IPv4 Source: 206.123.20.100
 IPv4 Destination: 206.123.31.200
 IPv6 Source: fe80::5efe:ce7b:1464
 IPv6 Destination: fe80::5efe:ce7b:1fc8
 Send me ISATAP Prefix
ICMPv6 Type 134 (RA)
 IPv4 Source: 206.123.31.200
 IPv4 Destination: 206.123.20.100
 IPv6 Source: fe80::5efe:ce7b:1fc8
 IPv6 Destination: fe80::5efe:ce7b:1464
 ISATAP Prefix: 2001:db8:ffff:2::/64
ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1
When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.
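The Teredo address layout and the ISATAP interface identifier described in the slides above can both be decoded mechanically, which is what an analyst needs when tunneled IPv6 addresses show up in flow or firewall logs. The following Python sketch is an added example, not part of the original deck; the function and type names are hypothetical, and the sample addresses are the ones that appear in the captures above.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

# Teredo prefixes named on the slide: the current one and the earlier one.
TEREDO_PREFIXES = (
    ipaddress.IPv6Network("2001::/32"),
    ipaddress.IPv6Network("3ffe:831f::/32"),
)


class Teredo(NamedTuple):
    server: ipaddress.IPv4Address         # Teredo server IPv4 address
    cone_nat: bool                        # top bit of the 16-bit Flags field
    external_port: int                    # NAT-mapped UDP port, de-obfuscated
    external_addr: ipaddress.IPv4Address  # NAT global address, de-obfuscated


class Isatap(NamedTuple):
    prefix: ipaddress.IPv6Network         # /64 the interface ID belongs to
    ipv4: ipaddress.IPv4Address           # IPv4 address of the tunnel endpoint


def decode_tunnel_address(text: str) -> Optional[Union[Teredo, Isatap]]:
    """Classify one IPv6 address; None means neither Teredo nor ISATAP."""
    addr = ipaddress.IPv6Address(text)
    value = int(addr)

    if any(addr in net for net in TEREDO_PREFIXES):
        # 32-bit prefix | 32-bit server | 16-bit flags | 16-bit port | 32-bit addr
        server = (value >> 64) & 0xFFFFFFFF
        flags = (value >> 48) & 0xFFFF
        # Port and address are stored with every bit inverted (XOR with ones).
        port = ((value >> 32) & 0xFFFF) ^ 0xFFFF
        nat = (value & 0xFFFFFFFF) ^ 0xFFFFFFFF
        return Teredo(ipaddress.IPv4Address(server), bool(flags & 0x8000),
                      port, ipaddress.IPv4Address(nat))

    # ISATAP interface ID is 0000:5efe:a.b.c.d, or 0200:5efe:a.b.c.d when the
    # universal/local bit is set, so that one bit is masked out of the compare.
    if ((value >> 32) & 0xFDFFFFFF) == 0x00005EFE:
        prefix = ipaddress.IPv6Network(((value >> 64) << 64, 64))
        return Isatap(prefix, ipaddress.IPv4Address(value & 0xFFFFFFFF))

    return None


def triage(addresses):
    """Return one summary line per tunneled address, skipping native ones."""
    lines = []
    for text in addresses:
        decoded = decode_tunnel_address(text)
        if isinstance(decoded, Teredo):
            nat = "cone" if decoded.cone_nat else "restricted"
            lines.append(f"{text}: Teredo via server {decoded.server}, "
                         f"client NAT mapping {decoded.external_addr}:"
                         f"{decoded.external_port} ({nat} NAT flag)")
        elif isinstance(decoded, Isatap):
            lines.append(f"{text}: ISATAP in {decoded.prefix}, "
                         f"IPv4 endpoint {decoded.ipv4}")
    return lines


# Addresses taken from the captures on the slides, plus one native address.
SAMPLES = [
    "2001:0:4136:e37e:0:fbaa:b97e:fe4e",  # Teredo client
    "fe80::5efe:ce7b:1464",               # ISATAP host, link-local
    "2001:db8:ffff:2::5efe:ce7b:1fc8",    # ISATAP router, global prefix
    "fe80::8000:5445:5245:444f",          # Teredo server link-local, not decoded
    "2001:db8:cafe:1100::bad1:a001",      # native dual-stack interface
]

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

For the Teredo client in the capture, the decoded external port is 1109, the same UDP source port the client uses toward port 3544.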
Appendix: Multicast

IPv6 Solution
128-bit (112-bit Group)
Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
MLDv1, v2
Scope Identifier
Single RP Within Globally Shared Domains
[Figure: hosts H1 and H2, router rtr-a (FE80::207:85FF:FE80:692) and Source. Group: FF3E:40:2001:DB8:C003:1109:1111:1111]
1. H1 sends a REPORT for the group (ICMPv6 Type: 131, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
2. H2 sends a REPORT for the group (ICMPv6 Type: 131, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
[Figure: hosts H1 and H2, router rtr-a (FE80::207:85FF:FE80:692) and Source. Group: FF3E:40:2001:DB8:C003:1109:1111:1111]
1. H1 sends DONE to FF02::2 (ICMPv6 Type: 132, Destination: FF02::2)
2. RTR-A sends Group-Specific Query (ICMPv6 Type: 130, Destination: FF3E:40:2001:DB8:C003:1109:1111:1111)
3. H2 sends REPORT for the group (ICMPv6 Type: 131, REPORT to group)
Router will respond with group-specific query (Type 130)
Router will use the last member query response interval (Default=1 sec) for each query
Query is sent twice and if no reports occur then entry is removed (2 seconds)

Sent to learn of listeners on the attached link
Sets the multicast address field to zero
Sent every 125 seconds (configurable)

A Few Notes on Tunnels...
PIM uses tunnels when RPs/sources are known
Source registering (on first-hop router)
 Uses virtual tunnel interface (appear in OIL for [S,G])
 Created automatically on first-hop router when RP is known
 Cisco IOS® keeps tunnel as long as RP is known
 Unidirectional (transmit only) tunnels
 PIM Register-Stop messages are sent directly from RP to registering router (not through tunnel!)
[Figure: Source, DR, RP, Corporate Network]
branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
  Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel is transmit only
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  (output truncated)

One transmit only for registering sources locally connected to the RP
One receive only for decapsulation of incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and RP!
Tunneling v6 Multicast
v6 in v4
v6 in v4 most widely used
tunnel mode ipv6ip <----- IS-IS cannot traverse
v6 in v6
v6 in v6
tunnel mode ipv6
v6 in v6 GRE
tunnel mode gre ipv6
ipv6 multicast-routing
SSM group ranges are automatically defined
Requires MLDv2 on host or SSM Mapping feature
SSM-Mapping
Delay in SSM deployment (both IPv4 and IPv6) is based mainly on lack of IGMPv3 and MLDv2 availability on the endpoints
SSM-Mapping allows for the deployment of SSM in the network infrastructure without requiring MLDv2 (for IPv6) on the endpoint
SSM-Mapping enabled router will map MLDv1 reports to a source (which do not natively include the source like with MLDv2)
 Range of groups can be statically defined or used with DNS
 Wildcards can be used to define range of groups
SSM-Mapping
[Figure: Source 2001:DB8:CAFE:11::11 sending to FF33::DEAD across the Corporate Network; SSM in the network, MLDv1 at the receiver]
core-1#show ipv6 mroute | begin 2001:DB8:CAFE:11::11
(2001:DB8:CAFE:11::11, FF33::DEAD), 00:01:20/00:03:06, flags: sT
  Incoming interface: GigabitEthernet3/3
  RPF nbr: FE80::20E:39FF:FEAD:9B00
  Immediate Outgoing interface list:
    GigabitEthernet5/1, Forward, 00:01:20/00:03:06

!
ipv6 mld ssm-map enable
ipv6 mld ssm-map static MAP 2001:DB8:CAFE:11::11
no ipv6 mld ssm-map query dns
!
ipv6 access-list MAP
 permit ipv6 any host FF33::DEAD
[Figure: Corporate Network, RP, IP WAN]
RP: 2001:DB8:C003:1116::2
[Figure: Corporate Network, IP WAN, Source]
RP: 2001:DB8:C003:110A::1
wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
Bits:  8  | 4     | 4     | 4    | 4      | 8    | 64             | 32
       FF | Flags | Scope | Rsvd | RPaddr | Plen | Network Prefix | Group ID
New Address format defined:
 Flags = 0RPT, R = 1, P = 1, T = 1 => RP address embedded (0111 = 7)
Example Group: FF7E:0140:2001:0DB8:C003:111D:0000:1112
Embedded RP: 2001:0DB8:C003:111D::1

Embedded-RP
PIM-SM protocol operations with embedded-RP:
Intradomain transition into embedded-RP is easy:
 Non-supporting routers simply need to be configured statically or via BSR for the embedded-RPs!
[Figure: Source, RP, Corporate Network, IP WAN]
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
 permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
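Routers that do not support embedded-RP need the static rp-address and ACL shown above to agree with what embedded-RP-capable routers derive from the group address itself. The following Python check is an added example, not part of the original deck; the function names are hypothetical, and the field layout is the 8/4/4/4/4/8/64/32-bit format from the earlier slide.

```python
import ipaddress

MASK64 = (1 << 64) - 1


def embedded_rp(group: str):
    """Return the RP address carried in a group address, or None when the
    R flag is clear (the group does not embed an RP)."""
    value = int(ipaddress.IPv6Address(group))
    if value >> 120 != 0xFF:
        raise ValueError(f"{group} is not an IPv6 multicast address")

    # Field widths from the slide: 8 | 4 | 4 | 4 | 4 | 8 | 64 | 32
    flags = (value >> 116) & 0xF      # 0RPT
    riid = (value >> 104) & 0xF       # "RPaddr": RP interface ID
    plen = (value >> 96) & 0xFF       # significant bits of the network prefix
    prefix = (value >> 32) & MASK64   # network prefix field

    if not (flags & 0b0100):          # R = 0: nothing embedded
        return None
    if (flags & 0b0011) != 0b0011:
        raise ValueError("R = 1 requires P = 1 and T = 1")
    # An interface ID of zero is treated as invalid here: prefix plus all-zero
    # interface ID is the subnet-router anycast address, not a usable RP.
    if not 1 <= plen <= 64 or riid == 0:
        raise ValueError("Plen must be 1..64 and the RP interface ID non-zero")

    # Keep the first plen bits of the prefix, zero the rest, append the RIID.
    prefix &= MASK64 ^ ((1 << (64 - plen)) - 1)
    return ipaddress.IPv6Address((prefix << 64) | riid)


def check_static_rp(rp_address: str, acl_prefix: str, group: str) -> dict:
    """Compare a static rp-address and its group ACL against the RP that
    embedded-RP routers would derive from the same group."""
    derived = embedded_rp(group)
    return {
        "derived_rp": derived,
        "rp_matches": derived == ipaddress.IPv6Address(rp_address),
        "acl_covers_group": (ipaddress.IPv6Address(group)
                             in ipaddress.IPv6Network(acl_prefix)),
    }


if __name__ == "__main__":
    # Values from the slides: static RP, ACL "ERP" and the example group.
    print(check_static_rp("2001:DB8:C003:111D::1",
                          "FF7E:140:2001:DB8:C003:111D::/96",
                          "FF7E:0140:2001:0DB8:C003:111D:0000:1112"))
```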
Multicast Applications
Microsoft Windows Media Server/Player (9-11)
 http://www.microsoft.com/windows/windowsmedia/default.aspx
VideoLAN
 www.videolan.org
DVTS (Digital Video Transport System)
 http://www.sfc.wide.ad.jp/DVTS/
 http://www.dvts.jp/en/dvts.html
Internet radio stations over IPv6
 http://www.ipv6.ecs.soton.ac.uk/virginradio/
 Supported on iTunes 4.5, Windows Media Player, XMMS 1.2.8, etc.

Appendix: QoS
Flow Label
A new 20-bit field in the IPv6 basic header which:
 Labels packets belonging to particular flows
 Can be used for special sender requests
Per RFC, Flow Label must not be modified by intermediate routers
Keep an eye out for work being done to leverage the flow label
[Figure: IPv6 header fields, including Payload Length, Source Address and Destination Address]

IPv6 OVER CLIENT VPN: REFERENCE SLIDES FOR NON-WINDOWS PLATFORMS
Create a default route (::/0) for the tunnel
[Figure: Windows XP VPN Client and Corporate Network; VPN IP 10.1.99.103, Router IP 20.1.1.1]
netsh interface ipv6>add v6v4tunnel "CISCO" 10.1.99.103 20.1.1.1
Ok.
netsh interface ipv6>add address "CISCO" 2001:DB8:c003:1123::2
Ok.
netsh interface ipv6>add route ::/0 "CISCO"
Ok.
Does It Work?
[Figure: Windows XP Client (10.1.99.103 - VPN address, 2001:DB8:c003:1123::2 - IPv6 address), VPN 3000, Catalyst 6500 Supervisor 720 Dual-stack (20.1.1.1 - IPv4 address, 2001:DB8:c003:1123::1 - IPv6 address)]
Interface 21: CISCO
Addr Type  DAD State   Valid Life    Pref. Life
---------  ----------  ------------  ------------
Manual     Preferred   infinite      infinite
Link       Preferred   infinite      infinite

netsh interface ipv6>show neighbors 21
Interface 2: Automatic Tunneling Pseudo-Interface
Internet Address                               Physical Address   Type
---------------------------------------------  -----------------  -----------
2001:DB8:c003:1123::1                          20.1.1.1           Permanent
fe80::1401:0101                                20.1.1.1           Permanent
Linux VPN Client
# ip tunnel add is0 mode isatap 10.1.99.104 v4any 20.1.1.1 ttl 64
# ip link set is0 up
(10.1.99.104 is the VPN IP; 20.1.1.1 is the Router IP)
Sun Solaris
Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on)
[Figure: VPN Client, 3002, Corporate Network; callouts Local LAN IP and Router IP]
# ifconfig ip.tun0 inet6 plumb
# ifconfig ip.tun0 inet6 tsrc 192.168.0.1 tdst 20.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:c003:1123::2/64 2001:DB8:c003:1123::1 up
Created new logical interface ip.tun0:2
*See notes for full instructions for enabling IPv6 on Solaris
# ifconfig gif0 create
# ifconfig gif0 tunnel 192.168.0.1 20.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:c003:1123::2
# route add -inet6 default -interface gif0
(192.168.0.1 is the Local LAN IP; 20.1.1.1 is the Router IP)

Microsoft
Windows Client
ISATAP Refresher
Intra-Site Automatic Tunnel Addressing Protocol
RFC 4214
Host-to-router Tunnel
ISATAP connections look like one flat network
Create DNS "A" record for "ISATAP" = 10.120.4.1
Use Static Config if DNS use is not desired:
 C:\>netsh interface ipv6 isatap set router 10.120.4.1
Recommendation: Deploy ISATAP endpoints via policy distribution
[Figure: ISATAP Tunnel across the IPv4 Network to an L3 device with IPv4 address (10.120.4.1) and IPv6 dual-stack, which connects to the IPv6 Network]
[Figure: ISATAP Tunnels across the IPv4 network]
No.   Time        Source                             Destination                        Protocol  Info
302   48.129616   fe80::5efe:a78:202                 fe80::5efe:a78:401                 ICMPv6    Router solicitation
  Internet Protocol, Src: 10.120.2.2 (10.120.2.2), Dst: 10.120.4.1 (10.120.4.1)
861   480.606899  fe80::5efe:a78:401                 fe80::5efe:a78:202                 ICMPv6    Router advertisement
  Internet Protocol, Src: 10.120.4.1 (10.120.4.1), Dst: 10.120.2.2 (10.120.2.2)
1235  665.685012  2001:db8:cafe:1010:0:5efe:a78:302  2001:db8:cafe:1010:0:5efe:a78:202  ICMPv6    Echo request
  Internet Protocol, Src: 10.120.3.2 (10.120.3.2), Dst: 10.120.2.2 (10.120.2.2)
1236  665.685259  2001:db8:cafe:1010:0:5efe:a78:202  2001:db8:cafe:1010:0:5efe:a78:302  ICMPv6    Echo reply
  Internet Protocol, Src: 10.120.2.2 (10.120.2.2), Dst: 10.120.3.2 (10.120.3.2)

Key fact here is that NO additional configuration on the client is needed again!!!
Note: ISATAP is supported on some versions of Linux/BSD (manual router entry is required)
Create v6v4tunnel
Add IPv6 address to tunnel interface
Create a default route (::/0) for the tunnel
netsh interface ipv6>add v6v4tunnel "CISCO" 10.1.1.100 30.1.1.1
Ok.
netsh interface ipv6>add address "CISCO" 2001:db8:cafe:1123::2
Ok.
netsh interface ipv6>add route ::/0 "CISCO"
Ok.
(10.1.1.100 is the Host IP; 30.1.1.1 is the Router IP)
!
interface Loopback1
 description Tunnel for IPv6 Clients
 ip address 30.1.1.1 255.255.255.255
!
interface GigabitEthernet2/10
 description TO Campus Core Network
 ipv6 address 2001:DB8:CAFE:111C::2/64
!
interface Tunnel1
 description Configured Tunnel for Client1
 ipv6 address 2001:DB8:CAFE:1123::1/64
 tunnel source Loopback1
 tunnel destination 10.1.1.100
 tunnel mode ipv6ip

Linux
What Is Required
Red Hat 6.2 and higher
 Fedora project builds
 RH 8, 9, WS, and ES preferred
Mandrake 8.0 and higher
SuSE 6.1 and higher
Debian 2.2 and higher
ISATAP support may not be native in all distribution kernels
Requires Kernel support for ISATAP. Some kernels may not have native support for ISATAP (Debian)
# ip tunnel add is0 mode isatap 10.1.1.100 v4any
# ip link set is0 up
(callouts: Host IP, Router IP)
# ip tunnel add sit1 mode sit remote 30.1.1.1 local 10.1.1.100
# ip link set sit1 up
# ip address add dev sit1 2001:DB8:C003:1123::2/64
# ip route add ::/0 dev sit1
(30.1.1.1 is the Router IP; 10.1.1.100 is the Host IP)
Does It Work?
#ip tunnel show sit1
sit1: ipv6/ip remote 30.1.1.1 local 10.1.1.100 ttl inherit

#route -A inet6 | grep sit1
Kernel IPv6 routing table
Destination                Flags  Ref  Use
2001:DB8:C003:1123::/64    UA     10   0
fe80::/10                  UA     6    0
ff02::9/128                UAC    1    0
ff00::/8                   UA     0    0
::/0                       U      0    0

# ip -6 addr show sit1
6: sit1@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue
    inet6 fe80::a5e:a64d/128 scope link
    inet6 2001:DB8:C003:1123::2/64 scope global

#ping6 -I sit1 2001:DB8:C003:1123::1
PING 2001:DB8:C003:1123::1 from 2001:DB8:C003:1123::2 sit1:
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=1 ttl=64 time=0.454
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=2 ttl=64 time=0.371
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=3 ttl=64 time=0.392
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=4 ttl=64 time=0.377
Create tunnel interface
Set tunnel end-points
Add IPv6 address to tunnel
Set default route
6to4 also an option
# ifconfig gif0 create
# ifconfig gif0 tunnel 30.1.3.201 30.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:C003:1124::2
# route add -inet6 default -interface gif0
(30.1.3.201 is the Local LAN IP; 30.1.1.1 is the Router IP)

# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 30.1.3.201 --> 30.1.1.1
        inet6 fe80::203:93ff:feee:9f1f prefixlen 64 scopeid 0x2
        inet6 2001:DB8:C003:1124::2 prefixlen 64
Sun Solaris

Things to Know
Sun Solaris 8 and above will prompt for IPv6 activation during the installation process
 Say yes and you will be ready for dual-stack with autoconfiguration
Add IPv6 address to interface
Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2, and so on)
10.1.1.100 - Client IPv4 address
2001:DB8:C003:1123::2 - IPv6 address
(callouts: Local LAN IP, Router IP)
# ifconfig ip.tun0 inet6 plumb
# ifconfig ip.tun0 inet6 tsrc 10.1.1.100 tdst 30.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:C003:1123::2/64 2001:DB8:C003:1123::1 up
Created new logical interface ip.tun0:2
ip.tun0: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index
        inet tunnel src 10.1.1.100 tunnel dst 30.1.1.1
        tunnel hop limit 60
        inet6 fe80::4065:406a/10 --> fe80::a5e:a644
ip.tun0:1: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index
        inet6 2001:DB8:C003:1123::2/64 --> 2001:DB8:C003:1123::1