How to Convince Your Boss to Deploy IPv6
Post on 22-Feb-2015
Enterprise IPv6 Deployment
Session ID: BRKRST-2301
Reference Materials
New/Updated IPv6 Cisco Sites:
  http://www.cisco.com/go/ipv6
  http://www.cisco.com/go/entipv6
Deploying IPv6 in Campus Networks:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html
Deploying IPv6 in Branch Networks:
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns816/landing_br_ipv6.html
BRKRST-2301
2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Recommended Reading
Deploying IPv6 in Broadband Networks - Adeel Ahmed, Salman Asadullah, ISBN 0470193387, John Wiley & Sons Publications
Available Now!!
Agenda
IPv6 Activity in the Enterprise
Planning and Deployment Summary
IPv6 Address Considerations
General Network Considerations
Infrastructure Deployment
  Campus/Data Center
  WAN/Branch
  Remote Access
Communicating with the Service Providers
Appendix (For Reference Only)
IPv6 Activity in the Enterprise
Dramatic Increase in Enterprise Activity: Why?
External Pressure
  Growth/Protection
    Enterprise that is or will be expanding into new markets
    Address exhaustion
  Partnership
    Enterprise that partners with other companies/organizations doing IPv6
    Governments, enterprise partners, contractors
Internal Pressure
  OS/Apps
    Microsoft Windows 7, Server 2008
    Microsoft DirectAccess
  Fixing Old Problems
    Mergers & Acquisitions
    NAT Overlap
  New Technologies
    High Density Virtual Machine environments (Server virtualization, VDI)
    SmartGrid
IANA/RIR IPv4 Exhaustion
Estimated Registry Exhaustion Dates
[Figure: probability (%) of registry exhaustion over time, Jan 2011 to Jul 2015, with curves for IANA, APNIC, RIPENCC, ARIN, LACNIC and AFRINIC]
We already know this is too conservative: APNIC went into Stage 3 mid-April 2011
Source: Geoff Huston, APNIC
Innocent W2K3 -to- W2K8 Upgrade
Windows 2003
C:\>ping svr-01
Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data:
Reply from 10.121.12.25: bytes=32 time IPv6) Stateful: 100
Dynamic Mapping Statistics
  v6v4
    access-list EDGE_ACL pool EDGE refcount 3
      pool EDGE:
        start 10.121.55.1 end 10.121.55.1
        total addresses 1, allocated 1 (100%)
*Output reduced for clarity
Apache2 Reverse Proxy
[Diagram labels: Apache One-Arm, Apache Dual-Attached, IPv4-only Web Server]

Apache configuration:
ProxyPass / http://10.121.11.60:80/
ProxyPassReverse / http://10.121.11.60:80/

Netstat - Client (2001:db8:beef:10::16)
TCP  [2001:db8:beef:10::16]:54640  [2001:db8:cafe:12::5]:80  ESTABLISHED
TCP  [2001:db8:beef:10::16]:54641  [2001:db8:cafe:12::5]:80  ESTABLISHED

Netstat - Proxy (2001:db8:cafe:12::5, 10.121.11.125)
Proto Recv-Q Send-Q Local Address            Foreign Address             State
tcp   0      0      10.121.11.125:40475      10.121.11.60:80             ESTABLISHED
tcp   0      0      10.121.11.125:40476      10.121.11.60:80             ESTABLISHED
tcp6  0      0      2001:db8:cafe:12::5:80   2001:db8:beef:10::16:54640  ESTABLISHED
tcp6  0      0      2001:db8:cafe:12::5:80   2001:db8:beef:10::16:54641  ESTABLISHED

Netstat - Server
TCP  10.121.11.60:80  10.121.11.125:40475  ESTABLISHED
TCP  10.121.11.60:80  10.121.11.125:40476  ESTABLISHED
Microsoft Windows PortProxy
Can be treated like an appliance
  One-arm
  Dual-attached (better perf)
Outside traffic comes in on IPv6
PortProxy to v4 (VIP address on ACE)
Traffic is IPv4 to server
[Diagram labels: PortProxy One-Arm (2001:db8:cafe:12::25, 10.121.12.25), PortProxy Dual-Attached, ACE VIP=10.121.5.20, IPv4-only Web Server]
PortProxy Configuration/Monitoring
netsh interface portproxy>sh all

Listen on ipv6:                    Connect to ipv4:

Address               Port         Address         Port
--------------------- ----------   --------------- ----------
2001:db8:cafe:12::25  80           10.121.5.20     80

Active Connections
Proto  Local Address              Foreign Address               State
TCP    10.121.12.25:58141         10.121.5.20:http              ESTABLISHED
TCP    [2001:db8:cafe:12::25]:80  [2001:db8:cafe:10::17]:52047  ESTABLISHED

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
14         1  in  TCP   5    10.121.12.25:58573    10.121.5.20:80        ESTAB
13         1  out TCP   5    10.121.14.15:80       10.121.5.12:1062      ESTAB
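An added example, not part of the original session material: a Python sketch that parses `netsh interface portproxy show all` output like the listing on the PortProxy Configuration/Monitoring slide and compares the rules with an approved list, so an unexpected or missing mapping stands out during monitoring. The sample output is constructed from the slide's addresses plus one made-up rule; `APPROVED` and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the netsh layout: the slide's rule plus one extra
# rule (made up here) that is not on the approved list.
SAMPLE = """\
Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
2001:db8:cafe:12::25 80          10.121.5.20     80
2001:db8:cafe:12::25 8080        10.121.5.99     8080
"""

# Assumption: the mappings this PortProxy host is supposed to carry.
APPROVED = {("2001:db8:cafe:12::25", 80, "10.121.5.20", 80)}
HEADER = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")


def _addr(text):
    """Normalise an address; '*' (listen on all) is kept as-is."""
    return text if text == "*" else str(ipaddress.ip_address(text))


def parse_portproxy(output):
    """Return (listen_addr, listen_port, connect_addr, connect_port, kind)."""
    rules, kind = [], None
    for line in output.splitlines():
        m = HEADER.search(line)
        if m:
            kind = f"{m.group(1)[2:]}to{m.group(2)[2:]}"  # e.g. "v6tov4"
            continue
        f = line.split()
        if kind is None or len(f) != 4:
            continue
        try:
            rules.append((_addr(f[0]), int(f[1]), _addr(f[2]), int(f[3]), kind))
        except ValueError:
            continue  # column headings and separator rows
    return rules


def audit(output, approved=APPROVED):
    """Return (expected, unexpected, missing) relative to the approved set."""
    found = parse_portproxy(output)
    expected = [r for r in found if r[:4] in approved]
    unexpected = [r for r in found if r[:4] not in approved]
    missing = sorted(approved - {r[:4] for r in found})
    return expected, unexpected, missing
```

Feeding `audit()` the saved output of the command on a schedule gives a simple drift check for a PortProxy host that is being treated like an appliance.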
PortProxy Performance
Throughput Example
[Figure: HTTP Throughput Comparison - Direct vs. PortProxy. Y axis: Throughput (Mbps), 0 to 250. Test: download-1gig (1.2G). Series: Direct v6-v6, PortProxy v6v4, PortProxy v6v6. Bar labels as extracted: 247.2, 192, 206.4]
PortProxy Performance
CPU Utilization on PortProxy Server
Dual Stack the Internet Edge
Dual stack the same network you have
If not, do just enough IPv6-only to get you going
Most design elements should be the same as with IPv4 (minus pure NAT/PAT)
You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps
[Diagram labels: Internet, ISP 1, ISP 2, Edge Router, Outer Switch, Security Services, Inner switching/SLB/Proxy/Compute, DMZ/Server Farm, Web, Email, Other, Enterprise Core, Internal Enterprise]
What if I Can't Dual Stack My Edge?
Server Load Balancer: IPv6 Internet - IPv6 - IPv4 - IPv4-only Host
Stateful NAT64: IPv6 Internet - IPv6 - IPv4 - IPv4-only Host
Proxy (Apache, MSFT PortProxy): IPv6 Internet - IPv6 - IPv4 - IPv4-only Host
Internet Edge - to - ISP
Boatloads of options
  Single Link, Single ISP
  Dual Links, Single ISP
  Multi-Homed, Multi-Region
[Diagram labels: ISP 1, POP1, POP2, USA, ISP2, ISP3, ISP4, Europe, Default Route, IPv4-only, BGP, IPv6 Tunnel, Enterprise]
Your ISP may not have IPv6 at the local POP
BRKRST-2044 Enterprise Multi-homed Internet Architectures
WAN/Branch
Deploying IPv6 in Branch Networks: http://www.cisco.com/univercd/cc/td/doc/solution/brchipv6.pdf

WAN/Branch Deployment
Cisco routers have supported IPv6 for a long time
Dual-stack should be the focus of your implementation, but some situations still call for tunneling
Support for every media/WAN type you want to use (Frame Relay, leased-line, broadband, MPLS, etc.)
Don't assume all features for every technology are IPv6-enabled
Better feature support in WAN/branch than in campus/DC
[Diagram labels: Corporate Network (Dual Stack), SP Cloud, Dual Stack, Dual Stack]
IPv6 Enabled Branch
Focus more on the provider and less on the gear
SP support for various WAN types?
SP support for port-to-port IPv6?
Branch Single Tier
  Dual-Stack
  IPSec VPN (IPv4/IPv6)
  Firewall (IPv4/IPv6)
  Integrated Switch (MLD-snooping)
Branch Dual Tier
  Dual-Stack
  IPSec VPN or Frame Relay
  Firewall (IPv4/IPv6)
  Switches (MLD-snooping)
Branch Multi-Tier
  Dual-Stack
  IPSec VPN or MPLS (6PE/6VPE)
  Firewall (IPv4/IPv6)
  Switches (MLD-snooping)
[Diagram labels: HQ, MPLS, HQ, Internet, Frame, HQ, Internet]
Hybrid Branch Example
Mixture of attributes from each profile
An example to show configuration for different tiers
Basic HA in critical roles is the goal
[Diagram: Branch (ASA-1, BR1-LAN, BR1-LAN-SW, BR1-1, BR1-2), WAN, Headquarters (HE1, HE2), Enterprise Campus Data Center; interface identifiers ::1 through ::5 are marked on the links]
VLAN 101: 2001:DB8:CAFE:1002::/64
Primary DMVPN Tunnel: 2001:DB8:CAFE:20A::/64
Backup DMVPN Tunnel (dashed): 2001:DB8:CAFE:20B::/64
Other prefixes labelled on the diagram: 2001:DB8:CAFE:1000::/64, 2001:DB8:CAFE:202::/64
HSRP for IPv6 VIP Address - FE80::5:73FF:FEA0:2
VLAN Interfaces:
  104 - 2001:DB8:CAFE:1004::/64 PC
  105 - 2001:DB8:CAFE:1005::/64 Voice
  106 - 2001:DB8:CAFE:1006::/64 Printer
DMVPN with IPv6
Hub Configuration Example
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB
interface Tunnel0
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp